Obscure E-Mail Vulnerability

This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses — if they’re even valid.) Netflix doesn’t ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.

I was almost fooled into perpetually paying for Eve’s Netflix access, and only paused because I didn’t recognize the declined card. More generally, the phishing scam here is:

  • Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  • Create a Netflix account with address james.hfisher.
  • Sign up for free trial with a throwaway card number.
  • After Netflix applies the “active card check”, cancel the card.
  • Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  • Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  • Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  • Use Netflix free forever with Jim’s card **** 1234!

Obscure, yes? A problem, yes?

James Fisher, who wrote the post, argues that it’s Google’s fault. Ignoring dots might give people an enormous number of different email addresses, but it’s not a feature that people actually want. And as long as other sites don’t follow Google’s lead, these sorts of problems are possible.

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.

Go to Source
Author: Bruce Schneier

Maybe you shouldn’t use LinkedIn

For users in outward-facing professions like sales or marketing, social media—in particular, LinkedIn—is a highly popular means of connecting to new opportunities in the field and staying current with industry peers.

For the rest of us, LinkedIn is an outstanding means of aggregating personal information without significant safety controls, irritating all your email contacts, and providing an endless stream of phishes, honeytraps, and scams to security personnel.

While many of us do not have the luxury of severing from social media without a second thought, we do think it’s worth knowing what’s happening with your data at LinkedIn and making an informed decision—just as we suggested for users of Facebook confronting the Cambridge Analytica fiasco.

The privacy controls

Originally, LinkedIn started with not much concern for privacy. If you’re on a social media platform, you want to share, right? Well, typically that’s at your discretion, not an algorithm’s (and certainly not one that loves to share indiscriminately).

Today, LinkedIn has done quite a bit better at making their privacy controls accessible and easier to understand, but it still has a few problems baked into the core of the service.

Google indexing

Currently, new profiles default to allow search engine crawlers to access your name, title, current company, and picture. While you can switch that option off easily, if you don’t do it quick enough, that info will be indexed and public, irrespective of any subsequent privacy changes you make.

Searching within Linkedin based on information you get from Google Cache will often yield profiles of people who thought they set their data to private.

Relationship weighting yields increased access automatically

One thing the late, unlamented Google Plus did right is sever symmetric access levels for connections. While you could choose to disclose everything to a connection, the other person wasn’t obligated to do the same to communicate with you.

This is not the case with LinkedIn. Reducing trust to a “yes” or “no” question reduces the barrier to entry for information thieves. It’s a trivial matter to observe a target’s position within the network, join their peripheral interests or third-degree connections, then use the automatic increase in access to appear more trusted in a later attack. There really isn’t an effective defense against this sort of social network attack because it depends on every single member of the network being forever vigilant.

Relationship weighting is arbitrary with no user control

LinkedIn has three levels of relationship weighting: first-, second-, and third-degree connections. The end user has no control over who gets which category, and all three categories are based on network proximity.

Why is this a problem? Because relationships aren’t symmetric. You might have a need for a contact’s email without wanting to disclose full info on yourself. However, network proximity weighting presumes equivalence for all contacts in each class. On the contrary, a second-degree connection might be of only occasional interest, while a first-degree connection might have utility for only a limited time.

With cookie cutter policies determining the weight of all of your connections, it robs the end user of setting controls appropriate to each relationship. A great example of this is profile phishing. An attacker only needs to succeed once to become a first-degree connection and gain access to everything.  

A very successful honeytrap profile targeting infosec employees

LinkedIn’s security history

LinkedIn has an extensive history of breaches, vulnerabilities, and personal data leaks for both their web and iOS platforms going back many years. At present, they patch quite quickly upon disclosure, but the slow and steady drip of sometimes serious vulnerabilities over years raises some concerns as to whether or not the platform has a culture of security.

Breaches and vulnerabilities happen to everyone. But if they happen publicly and almost annually, the end user might want to think hard before trusting a third party with their data.

The data hoarding

Like some other third party services, LinkedIn doesn’t delete your account. You can “close” it, but the service retains the right to your information indefinitely. So if you “close” your account, and LinkedIn sustains a breach in the future, your data will be there.

Did you forget to opt out of ad targeting before closing? Your data might still be made available for third-party use. The hallmark of a reasonably secure social media platform is control over your own data, and LinkedIn falls short on this. If you’d like to know more about which services will actually delete your data, check out this list from Secured.fyi.

But I HAVE to use LinkedIn!

You probably don’t. Unless you belong to the handful of industries for which LinkedIn use is standard, a significant number of opportunities still redirect you toward proprietary recruiting platforms, same as always.

If, however, you’re stuck with the service, make sure to log out after each session. Logging out prevents scraping of your network activity, and limits tracking to what you do on the platform. As with most online irritations, ad blockers and anti-tracker extensions can help you keep control of most of your data.

Remember that one of the best defenses against a third-party breach is to think very hard on if you want to trust that third party with your data to begin with. In the case of LinkedIn, the choice is yours. We just want to make sure it’s an informed one.

The post Maybe you shouldn’t use LinkedIn appeared first on Malwarebytes Labs.

Go to Source
Author: William Tsing

Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution

This blog post was authored by Edmund Brumaghin and Holger Unterbrink, with contributions from Adam Weller.

EXECUTIVE SUMMARY

Gozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a widely distributed type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Talos has been monitoring Gozi ISFB activity since then, and has discovered a series of campaigns over the past six month that have been making use of the elusive “Dark Cloud” botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.

CAMPAIGN DETAILS

Talos has observed several distribution campaigns over the past few months that exhibit unusual characteristics. These campaigns appear to be relatively low-volume, with the attackers choosing to target specific organizations. They do not appear to send large amounts of spam messages to the organizations being targeted, instead choosing to stay under the radar while putting extra effort into the creation of convincing emails, in an attempt to evade detection while maximizing the likelihood that the victim will open the attached files.

Our engineers have discovered that while the Gozi ISFB campaigns are ongoing, the distribution and C2 infrastructure does not appear to stay active for extended periods, making analysis of older campaigns and samples more difficult. The attackers appear to be very quickly moving to new domains and IP addresses, not only for each campaign, but also for individual emails that are part of the same campaign. The campaigns that Talos analyzed took place during the fourth quarter of 2017, and have continued into 2018, with new campaigns being launched every week in an attempt to ensnare more victims and generate revenue for the attackers.

MALICIOUS SPAM CAMPAIGNS

This malware is distributed using malicious spam email campaigns, which feature Microsoft Word file attachments that function as malware downloaders. The emails appear targeted in nature, an example of which is shown below.

Interestingly, the attackers chose to create emails that appear to be part of an existing email thread, likely in an attempt to convince the victim of their legitimacy. In addition to crafting the email delivering the malicious Word document, they also create additional email subjects and accompanying bodies, which were included with the malicious email. This is not something that is typically seen in most malicious email campaigns, and shows the level of effort the attackers put into making the emails seem legitimate to maximize the likelihood that the victim would open the attached file.

Figure 1: Example Email Message

When opened, the attached Word document displays the following decoy image that makes it appear as if the attachment is a document that was created using Office 365. It instructs the user to “Enable Editing” and then “Enable Content.”

Figure 2: Malicious Word Document

In the case that the victim follows the instructions, macros embedded within the Word document will execute, facilitating the download and executing the malware from an attacker-controlled server. The infection process associated with these emails is described in the following section.

INFECTION PROCESS

As mentioned above, the Word documents come with an embedded, obfuscated visual basic for applications, or VBA, macro, which in most cases, is executed when the document is closed by the victim, as shown in the following screenshot. Executing the macro when the document is closed is a clever trick to bypass some sandbox systems, which only open the documents, but never close them during analysis.

Figure 3: Obfuscated VBA Macro

Once deobfuscated, the macro does nothing more than simply download an HTA file from a web server. Figure 4 shows the deobfuscated final call from the script above. In other documents, they are using different or slightly modified VBA macros, but deobfuscated, they all do a similar final call, similar to what is shown in Figures 4 and 5.

Figure 4: Final Macro Call
Figure 5: Alternate Macro Call

Due to the fact that HTA files are seen as local applications, the content is executed as a fully trusted application. Therefore, no security-related questions are asked to the user. The content that is downloaded from qdijqwdunqwiqhwew[.]com is an obfuscated JavaScript script (see Figure 6)

Figure 6: Obfuscated JavaScript

The lopomeriara variable is a very long obfuscated string which we have shortened (…) in the screenshot. Deobfuscated, it resolves to:

Figure 7: Deobfuscated Javascript

In other words, it is using ActiveX to execute a PowerShell script, which downloads and executes the malware to be installed on the victim’s machine. In this case the filename was 84218218.exe.

We have analyzed more than 100 malicious Word documents from this campaign, and it appears that the vast majority of them are individualized. The individualized ones all appear similar, but all their hashes are different, and their VBA code is either completely different or at least slightly modified. Even the image that the adversaries are using in these documents (see Figure 8) is not the same — it differs by slightly changed color values and pixels as you can see in Figure 9.

Figure 8: Document Image
Figure 9: Image Comparison

An example of the slightly changed VBA code skeleton can be seen in Figure 10. The adversaries are changing variables, function names, arrays, etc. for more or less every single Word document. Nevertheless, in the majority of documents, the basic code structure stays the same. Sometimes they are re-ordering the functions, or they add or remove a few lines of code. But as shown in Figures 10 and 11, the main algorithms stay the same.

Figure 10: VBA Skeleton Comparison
Figure 11: Additional Comparison

As mentioned above, there are some documents where the VBA script is completely different. The rightmost image in Figure 12 is an example of this. Deobfuscated, it is doing the same known “http://<some server>/…php?utma=….” HTTP request which we have seen before.

Figure 12: VBA Code Differences

We focused the majority of our investigation on campaigns between the fourth quarter of 2017 until the present, but based on other reports and our telemetry data, they have likely been going on for a couple of years. Within the data that we collected, the adversaries have changed the images within the Word documents from time to time (Figures 13 and 14) and used different VBA code in their malicious macros. The schema stays the same, the pixels and color values of the pictures inside the different campaigns are slightly changed, but the message stays the same.

Figure 13: Earlier Document Image
Figure 14: Document Image Font Differences

An interesting point is that some of them are even localized, as you can see below in Figure 15. This matches the corresponding phishing emails we talked about before. The separate attacks are highly customized and targeted.

Figure 15: Document Image Localization

PAYLOAD

The payload (e.g. 84218218.exe as described above), is different depending on the specific campaign. The vast majority of payloads are banking trojans based on the Gozi ISFB code base, but we have also seen executables identified by AV products as belonging to other malware families, such as CryptoShuffler, Sennoma and SpyEye. We have looked closer into the payload mentioned above, and we can clearly identify it as ISFB. Its functionality is very similar to the one described in this report by the Polish Computer Emergency Response Team (CERT). For example, the sample is using the same rolling XOR algorithm to protect its strings.

The anti-VM methods used within this sample are also identical — the BSS section encryption and the dropper payload setup are very similar. The dropper is also obfuscated with useless strings. It is interesting to note that in the sample we analyzed, the DGA code mentioned in the paper above is included, but it is never used due to its configuration. The sample we analyzed was using a hardcoded domain to communicate with the C2 server. This domain is tmeansmderivinclusionent[.]net. The sample was not configured to use TOR.

Regarding the decryption of the BSS section, this sample presents a particularity. It has a loop, which creates small temporary files with a random file name. After creating the files, it queries their creation file time. Then, it applies some transformations to the four least significant bytes of this timestamp to generate a one-byte value. Due to the transformation algorithm, this will result in a value between 0x00000008 and 0x000000FF. See the pseudocode below:

t = t >> 16
t = t & 0x000000F7
t = t + 8

This one-byte value is then added to the decryption key. With this key, the malware tries to decrypt the BSS section. If the decryption fails, it starts the loop again, and creates the next file until the section has been properly decoded. This technique seems to replace the anti-sandbox technique based on mouse movement mentioned in previous reports. Although this approach would not hinder dynamic analysis in a full-system VM, we believe it could be an attempt to bypass simpler application-level emulators that may not properly implement the Windows API (e.g., those which might return a fixed timestamp).

The malware loader contains two versions of the same DLL. One is a 32-bit DLL, and the other is a 64-bit DLL, both of which contain the malware’s hardcoded configuration. The way they store the DLLs and configuration values is by leveraging a set of structures indexed in an array located right after the section table (referred to as FJ-struct in the report mentioned above). After the decryption, depending on the victim machine, either the 32-bit or the 64-bit DLL is injected into the explorer.exe process running on the victim machine.

THE DARK CLOUD BOTNET

In analyzing the domains and associated infrastructure used to distribute this malware, as well as the associated C2 domains, Talos identified significant overlap between the infrastructure used in these campaigns and what has been described as being associated with a botnet referred to as “Dark Cloud.” This botnet was initially described in 2016 in a blog post here. This botnet is interesting, as it was reportedly initially created to provide a “bulletproof” way to host several carding sites. It has since expanded, and is also being used for the distribution and administration of various malware families. During our analysis of the infrastructure being used, we identified significant Gozi ISFB and Nymaim distribution and command-and-control, adult dating spam, various carding resources and other malicious activities from this infrastructure.

There are several interesting characteristics associated with this particular botnet. One of the most prominent is the use of fast flux techniques, which makes tracking the backend infrastructure more difficult. By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls.

Talos observed that the time-to-live (TTL) value for DNS records associated with domains used in these malware campaigns were typically set to 150, allowing the attackers to issue DNS record updates every three minutes.

Figure 16: Sample DNS TTL Values

As we began investigating the domains and IP addresses associated with the distribution and post-infection C2 of Gozi ISFB, we noticed that in most of the cases the same infrastructure was being used by the various carding forums referenced in the KrebsOnSecurity article mentioned above. Using passive DNS data, we collected every IP address that the domains under investigation had been seen resolving to. We also performed the reverse operation, collecting every domain that had ever been seen resolving to the IP addresses we previously collected in an attempt to get the most complete picture of the infrastructure.

Once we had this information collected, we began to investigate all of the activity that had been observed associated with this infrastructure. What we discovered was a laundry list of cybercriminal activities, all being conducted using this same infrastructure over the past couple of years.

One of the most notable carding forums leveraging this fast flux botnet is known as Uncle Sam.

Figure 17: Uncle Sam Website

In addition to Uncle Sam, we also observed the following carding sites and forums also making use of this infrastructure:

  • Paysell
  • Try2Swipe
  • CVVShop
  • Csh0p
  • RoyalDumps
  • McDuck
  • Prvtzone
  • Verified

Note that in several cases, the site owners had registered their domains using multiple TLDs (such as .BZ, .WS and .LV TLDs, for example).

We wrote a script that captured all of the IP addresses that the Uncle Sam website resolved to over a 24-hour period. We determined that over this period, the website had resolved to 287 unique IP addresses. This equates to an IP rotation of approximately 12 times per hour, or every five minutes. This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers.

In addition to various carding websites, we also identified a significant number of Nymaim samples which were beaconing out to IP addresses within this botnet. Nymaim is a malware family that functions as a downloader for additional malware, most commonly seen associated with the delivery of ransomware.

Talos also observed that over the past couple of years, several of the domains we investigated were hosting fake mail generator applications, primarily used to generate spam messages associated with various adult dating websites.

GEOGRAPHIC DISTRIBUTION

In analyzing all of the infrastructure associated with this botnet, we identified that the attackers appear to be actively avoiding using proxies and hosts located in Western Europe, Central Europe and North America. The majority of the systems we analyzed were located in Eastern Europe, Asia, and the Middle East. Below is a graphic showing where the largest number of systems were located globally.

Figure 18: Geographic Heat Map

Additionally, the following bar graph shows the hosting providers around the world that were most heavily used for hosting the systems used by this botnet.

Figure 19: Most Impacted ASNs

Talos is continuing to investigate and track the operations of this botnet to ensure customers remain protected from the various threats that are associated with it.

CONCLUSION

Gozi ISFB is a banking trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon. Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult. Talos has identified the Dark Cloud botnet being used for a multitude of malicious purposes. We will continue to monitor these threats as they continue to evolve over time to ensure that customers remain protected and the public is informed with regards to continued use of threats such as Gozi ISFB, Nymaim and others.

Go to Source
Author: Talos Group

Panic attack: Apple scams apply pressure

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails

First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

fake apple cloud purchase

Click to enlarge

The general rule of thumb is to try and be as inconspicuous as possible, so we’re not really sure why the scammers went with one of the most well-known privacy advocates on the planet to fill in the personal information box. Not only that, but they used a randomly-grabbed address from a property website sporting nine bedrooms and four bathrooms.

Maybe the plan is to hit the potential victim with something so utterly ludicrous, that they’ve already clicked the link before they’ve had time to think about it. For a lot of people, simply seeing a “Thanks for the order of this thing that costs you money” would be enough to have panic set in.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page.

That link is down

Click to enlarge

The phish link itself is also offline, so we can’t show you what may lay in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in

Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

ipod login

Click to Enlarge

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device

Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari

If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Beyesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPs websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: Just because a website is HTTPs, does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.

Apple care scare

There’s also some dubious texts going around claiming to be from Apple Care:

final notification

It reads as follows:

Final Notification

Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at

appleid-revise(dot)com

Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases

We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue target these accounts.

The post Panic attack: Apple scams apply pressure appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

ReelPhish: A Real-Time Two-Factor Phishing Tool

Social Engineering and Two-Factor Authentication

Social engineering campaigns are a constant threat to businesses
because they target the weakest chain in security: people. A typical
attack would capture a victim’s username and password and store it for
an attacker to reuse later. Two-Factor Authentication (2FA) or
Multi-Factor Authentication (MFA) is commonly seen as a solution to
these threats.

2FA adds an extra layer of authentication on top of the typical
username and password. Two common 2FA implementations are one-time
passwords and push notifications. One-time passwords are generated by
a secondary device, such as a hard token, and tied to a specific user.
These passwords typically expire within 30 to 60 seconds and cannot be
reused. Push notifications involve sending a prompt to a user’s mobile
device and requiring the user to confirm their login attempt. Both of
these implementations protect users from traditional phishing
campaigns that only capture username and password combinations.

Real-Time Phishing

While 2FA has been strongly recommended by security professionals
for both personal and commercial applications, it is not an infallible
solution. 2FA implementations have been successfully defeated using real-time
phishing techniques
. These phishing attacks involve interaction
between the attacker and victims in real time.

A simple example would be a phishing website that prompts a user for
their one-time password in addition to their username and password.
Once a user completes authentication on the phishing website, they are
presented with a generic “Login Successful” page and the one-time
password remains unused but captured. At this point, the attacker has
a brief window of time to reuse the victim’s credentials before expiration.

Social engineering campaigns utilizing these techniques are not new.
There have been reports of real-time
phishing in the wild
as early as 2010. However, these types of
attacks have been largely ignored due to the perceived difficulty of
launching such attacks. This article aims to change that perception,
bring awareness to the problem, and incite new solutions.

Explanation of Tool

To improve social engineering assessments, we developed a tool –
named ReelPhish – that simplifies the real-time phishing technique.
The primary component of the phishing tool is designed to be run on
the attacker’s system. It consists of a Python script that listens for
data from the attacker’s phishing site and drives a locally installed
web browser using the Selenium
framework
. The tool is able to control the attacker’s web browser
by navigating to specified web pages, interacting with HTML objects,
and scraping content.

The secondary component of ReelPhish resides on the phishing site
itself. Code embedded in the phishing site sends data, such as the
captured username and password, to the phishing tool running on the
attacker’s machine. Once the phishing tool receives information, it
uses Selenium to launch a browser and authenticate to the legitimate
website. All communication between the phishing web server and the
attacker’s system is performed over an encrypted SSH tunnel.

Victims are tracked via session tokens, which are included in all
communications between the phishing site and ReelPhish. This token
allows the phishing tool to maintain states for authentication
workflows that involve multiple pages with unique challenges. Because
the phishing tool is state-aware, it is able to send information from
the victim to the legitimate web authentication portal and vice versa.

Examples

We have successfully used ReelPhish and this methodology on numerous
Mandiant
Red Team
engagements. The most common scenario we have come
across is an externally facing VPN portal with two-factor
authentication. To perform the social engineering attack, we make a
copy of the real VPN portal’s HTML, JavaScript, and CSS. We use this
code to create a phishing site that appears to function like the original.

To facilitate our real-time phishing tool, we embed server-side code
on the phishing site that communicates with the tool running on the
attacker machine. We also set up a SSH tunnel to the phishing server.
When the authentication form on the phishing site is submitted, all
submitted credentials are sent over the tunnel to the tool on the
attacker’s system. The tool then starts a new web browser instance on
the attacker’s system and submits credentials on the real VPN portal.
Figure 1 shows this process in action.


Figure 1: ReelPhish Flow Diagram

We have seen numerous variations of two-factor authentication on VPN
portals. In some instances, a token is passed in a “secondary
password” field of the authentication form itself. In other cases, the
user must respond to a push request on a mobile phone. A user is
likely to accept an incoming push request after submitting credentials
if the phishing site behaved identically to the real site.

In some situations, we have had to develop more advanced phishing
sites that can handle multiple authentication pages and also pass
information back and forth between the phishing web server and the
tool running on the attacking machine. Our script is capable of
handling these scenarios by tracking a victim’s session on the
phishing site and associating it with a particular web browser
instance running on the attacker’s system. Figure 1 shows a general
overview of how our tool would function within an attack scenario.

We are publicly releasing the tool on the FireEye GitHub
Repository
. Feedback, pull requests, and issues can also be
submitted to the Git repository.

Conclusion

Do not abandon 2FA; it is not a perfect solution, but it does add a
layer of security. 2FA is a security mechanism that may fail like any
other, and organizations must be prepared to mitigate the impact of
such a failure.

Configure all services protected by 2FA to minimize attacker impact
if the attacker successfully bypasses the 2FA protections. Lowering
maximum session duration will limit how much time an attacker has to
compromise assets. Enforcing a maximum of one concurrent session per
user account will prevent attackers from being active at the same time
as the victim. If the service in question is a VPN, implement strict
network segmentation. VPN users should only be able to access the
resources necessary for their respective roles and responsibilities.
Lastly, educate users to recognize, avoid, and report social
engineering attempts.

By releasing ReelPhish, we at Mandiant hope to highlight the need
for multiple layers of security and discourage the reliance on any
single security mechanism. This tool is meant to aid security
professionals in performing a thorough penetration test from beginning
to end.

During our Red Team engagements at Mandiant, getting into an
organization’s internal network is only the first step. The tool
introduced here aids in the success of this first step. However, the
overall success of the engagement varies widely based on the target’s
internal security measures. Always work to assess and improve your
security posture as a whole. Mandiant provides a variety of services
that can assist all types of organizations in both of these activities.

Go to Source
Author: Pan Chan

Fake Spectre and Meltdown patch pushes Smoke Loader malware

The Meltdown and Spectre bugs have generated a lot of media attention, and users have been urged to update their machines with fixes made available by various vendors.

While some patches have created more issues than they fixed, we came across a particular one targeted at German users that actually is malware. In fact, German authorities recently warned about phishing emails trying to take advantage of those infamous bugs.

We identified a recently registered domain that is offering an information page with various links to external resources about Meltdown and Spectre and how it affects processors. While it appears to come from the German Federal Office for Information Security (BSI), this SSL-enabled phishing site is not affiliated with any legitimate or official government entity.

Moreover, those same fraudulent domains have links to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) containing the so-called patch (Intel-AMD-SecurityPatch-10-1-v1.exe), which really is a piece of malware.

Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information:

The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.

We immediately contacted Comodo and CloudFlare to report on this abuse and within minutes the site did not resolve anymore thanks to CloudFlare’s quick response. Malwarebytes users were already protected at zero-hour against this malware.

Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.

It’s always important to be cautious, especially when urged to perform an action (i.e. calling Microsoft on a toll-free number, or updating a piece of software) because there’s a chance that such requests are fake and intended to either scam you or infect your computer. There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first.

Also, remember that sites using HTTPS aren’t necessarily trustworthy. The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam.

Indicators of compromise

Fraudulent site:

sicherheit-informationstechnik[.]bid

Fake patch (Smoke Loader):

sicherheit-informationstechnik.bid/Download/Sicherheitsupdate/Intel-AMD-SecurityPatch-11-01bsi.zip
CD17CE11DF9DE507AF025EF46398CFDCB99D3904B2B5718BFF2DC0B01AEAE38C

Smoke Loader callbacks:

coolwater-ltd-supportid[.]ru
localprivat-support[.]ru
service-consultingavarage[.]ru

The post Fake Spectre and Meltdown patch pushes Smoke Loader malware appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

Facebook phishers want you to “Connect with Facebook”

As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.

These landing pages, adorned with very large and very fake “Login with Facebook” buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.

HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. As a result, you can’t just assume a “secure” site is also a safe one. There could well be a phisher lurking in the distance.

The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven’t seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)

The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to “Login to Facebook” to “comfirmation your account!!!” [sic]

facebook phish landing page

Click to Enlarge

…or

another phish landing page

Click to Enlarge

…”Connect with Facebook.”

There’s a few other designs out there, but they’re nowhere near as common as the two above. Here’s one of the alt-designs:

Fake Facebook warning page

Click to Enlarge

The word salad on the fake Facebook security page reads as follows:

Dear Facebook users

Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. Please confirm your account with accurate data to avoid blocking. Note: if you do not verify your account permanently disabled automatically. Thanks, the Facebook team

Regardless of which landing page you kickstart the process from, the end result is the same—you’ll be directed to a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:

fake lock landing pageClick to Enlarge

After that, they go straight for security questions:

fake lock

Click to Enlarge

The text on the page reads as follows:

We will temporarily lock your account. Please answer a few security questions to ensure that the actual owner of your account. We will provide 1X24 hours, to verify the identity of your account. If you do not confirm, the system will automatically shut down your Facebook account permanently.

This information will help us to restore your Facebook account

Upon hitting the “Protect your account” button, victims will be sent to the legit Facebook login page, another common trick to make the victim think all is well—right up to the point the login mysteriously alters and they lose access. We’ve seen Facebook scams a lot less complicated than this also ask for payment information, so we’re a little surprised that none of the sites across both sets of websites— the landing pages, and the sites playing host to data collection—do this.

We’re certainly not complaining, mind.

At time of writing, many of the secondary sites appear to have been taken down, though there’s still a fair few landing pages still up and running. As such, it would be easy for the scammers to set up new phish pages and point the landing URLs to them instead.

URLs you should avoid:

sites.google.com/site/wwwpagesinfoterms12/

sites.google.com/site/info30021033700i/

sites.google.com/site/policyclaming767005/

sites.google.com/site/recoveryfbunblockingcenter/

(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php

sites.google.com/site/wwwpagesconfirms1202/

sites.google.com/site/noticereportslogsinfoo050/

sites.google.com/site/wwwpagesinfonet/

sites.google.com/site/help151054141104105140/

sites.google.com/site/info20012001320i1/

We’re working on having the last of these sites taken offline, but please be careful around any websites claiming they’ll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or “bad behaviour” on your part. If in doubt, visit the official Facebook site directly and take things from there. There’s a good chance it’s just someone trying to ruin your festive fun, and that definitely doesn’t fall under the season for giving.

The post Facebook phishers want you to “Connect with Facebook” appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market

Bitcoin! Black gold! Texas tea!

Only one of these is currently worth ridiculous amounts of money (and technically numbers two and three are the same thing). Whether you’re in possession of lots of Bitcoins, or in full bandwagon panic “must buy 20 graphics cards before the bubble bursts” mode, you should be aware that lots of awful people want in on your precious haul. Indeed, the past week or so has seen an explosion of Bitcoin-centric scams, fakeouts, and all-around bad behaviour as scammers look to cash in at your expense.

The huge value of Bitcoin, plus the launch of Bitcoin futures, has attracted so many scammers that it’s difficult to keep up, whether it’s fake endorsements from well-known traders or plain-old RATs targeting would-be investors. Fake news, malware, bogus wallets, and even Bitcoin laundering via self-made music loaded onto the iTunes store—everyone seems to have gone a little Bitcoin crazy.

Bitcoin is here to stay—but what is it?

Bitcoin is a digital currency created by someone claiming to be Satoshi Nakamoto (which may well be an alias), and it’s all about digital wallets, mining, and hoping someone doesn’t steal millions overnight. It’s even being used as a volatile talking point related to ads, scripts, and blocking—from random websites to free wi-fi services, everyone is getting in on the action.

In this chaotic mess of bubbles, adverts, scams, and mistaken identities, the price of Bitcoin has gone through the roof. The reasons for which are multifaceted and also involve people endlessly talking about it. It may well be something off in the distance for many people, or some weird Internet thing you keep hearing people mention in horribly confusing terms, but make no mistake, it’s becoming mainstream. In fact, Bitcoin is rising so suddenly that people are taking out mortgages so they can get in on the Bitcoin action .(Tip: You probably don’t want to do this).

An avalanche of chicanery

This past week, we’ve seen quite a few things you may want to steer clear of—from mobile to survey scams. It’s frankly overwhelming and for many of us, there’s simply no way to tell the good from the bad from the mildly shoulder shrugging.

For example, someone has taken ye olde survey scam and remixed it for the coin collective:

Coins and Youtube, oh my

Advertised on Youtube (until the video was pulled down, anyway), this site claims to generate Bitcoins with a 100 percent success rate. Sure does beat all that cumbersome mining and electricity use, and this is a definite boon for someone trying to jam a GTX1080 graphics card into a netbook. The site itself, located at bitcoingenerator(dot)space, is exactly what you’d expect a survey scam to look like, except it’s asking for Bitcoin addresses instead of how many Xbox Live points you want.

Coin survey

Users need to be verified by filling in a selection of geotargeted surveys. You don’t need me to tell you that survey scams are junk. They’ve been around forever, and are the absolute bottom rung of unimaginative, cookie-cutter fakeouts that never give you what you want. They’re the first thing to fall out of the “In case of scam emergency, break glass” box.

Seeing one suddenly throwing itself on the Bitcoin bandwagon is a bit of an eye-opener though, and something we should take notice of. People will seemingly do pretty much anything to nab some free coins, including clicking this shortened link roughly 34k times to play a game of snake-as-Bitcoin-faucet.

Snake coin

Sadly, the landing page is dead at time of writing, so we have no way of knowing if this one ever got off the ground. It could well be legit, but keep in mind that sites and videos will claim to offer up all manner of faucets. Not all of them will play nice, so on your own snakey visage be it, and be especially cautious around any downloadable executables.

Repackaging the tech support scam

Elsewhere, we have our old friend the tech support scam marching in the direction of coin-related antics. Or at least, scammers using some of the hallmarks of the tech support scam in an effort to part Bitcoin traders using Kraken from their digital currency. A good while ago, I covered fake EA support accounts who wait for the real thing to go “out of office,” then slide into conversations before directing victims to phishing links. This has a bit of a similar feel, with scammers waiting for trading sites to go offline due to maintenance/bad luck/DDoS/whatever, then jump into hashtags on social media with links to fake support sites, including phony “support” over the phone. It all ends in phishing and vanished coins.

Old tricks, new victims, unfortunately.

Ignore that part of your brain that says, “Well, it’s just one coin or whatever,” because the problem is these things are so highly-valued right now that takes just one being swiped to cause major problems. And that, in turn, makes coins the absolute number one hot target on the block right now. Or, to put it another way:

Ouch

That is an astonishing amount of cash to be cheated out of, and it’ll only get worse as scammers come up with the path of least resistance for obtaining illicit Bitcoins. It also seems like this has been going on for a while, so sites dealing in and around coins should consider bulking out their security hints and tips for new (and even experienced) Bitcoiners.

If you’re feeling a little swamped with the perils of Bitcoin, that’s understandable. Potential bubble + massive bandwagon + huge array of services + large corporations taking an interest + hordes of newcomers who have no idea what’s legit and what isn’t charging into the fray = please pass me the headache tablets.

Something we’ve been seeing recently is sites offering “crypto debit cards” if visitors invest certain amounts into their linked wallets. Is that real? Fake? A good deal? What’s the benefit for doing this? What on earth does this mean in the terms and conditions?

Help

Why do you have to be in a SEPA country? What is a SEPA country? All of these questions and more can be yours, for the low, low price of total and utter confusion. Make no mistake: if you want to make serious cash, you’re going to have to do some serious research.

Cornering the market on best practices

If you’re totally new to Bitcoin, your most likely first port of call may well be one of the numerous exchanges out there. You’d do well to heed the following advice from digital crime writer Joseph Cox:

  • use unique password
  • create a new email account (don’t share it)
  • put 2FA on both the email and the exchange account (if SMS, don’t share number, but preferably Google Auth)
  • don’t trade over PayPal (scam)

— Joseph Cox (@josephfcox) December 8, 2017

  • Don’t log into exchanges over Tor, unless you really have to for some reason, and can use a hidden service (malicious exit nodes to steal logins, etc)Verification on exchanges helps you and the seller, do it
  • Keep trades through the exchange’s system, to ensure you get $$

— Joseph Cox (@josephfcox) December 8, 2017

Whatever your way in, please take some time to read up on the pros and cons of digital currency. Unless you understand the basics, even the simplest of easy-to-spot Bitcoin scams may well elude your radar until it’s too late. Considering the huge sums at play, and the breakneck pace being set by all things digital currency, it’s never been more important to be fully aware of the risks as well as the benefits of cashing in your crypto-chips.

The post There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

Seamless campaign serves RIG EK via Punycode

The Seamless campaign is one of the most prolific malvertising chains pushing the RIG exploit kit and almost exclusively delivering the Ramnit Trojan. Identification of Seamless is typically easy, due to its use of static strings and an IP literal URLs. However, for over a week now we have been seeing another Seamless campaign running in parallel, making use of special characters.

Rather than using an IP address, this Seamless chain uses a Cyrillic-based domain name, which is transcribed into recognizable characters via Punycode, a visual representation of Unicode. In this blog post, we’ll do a quick historical review of the Seamless gate and describe this latest iteration in a new format.

History

We noted redirections via adult sites around March 2017 (as pictured below) that were going through a new gate targeting Canada. Due to the presence of the string of the same name in its code, Cisco named this new campaign “Seamless.” Seamless dropped the Ramnit banking Trojan from the very beginning and still continues to do so.

The URL patterns were typically:

194.58.39.195/flow2.php
194.58.42.235/flow335.php
185.31.160.55/flow336.php
193.124.18.78/signup2.php
194.58.38.54/canadajapan.php
194.58.38.31/japan.php
194.58.92.34/usa.php
194.58.47.235/signup1.php
194.58.47.235/signup2.php
194.58.47.235/signup3.php
194.58.47.235/signup4.php
194.58.40.48/signu3.php

These days, web traffic to Seamless still comes from adult portals serving malvertising, eventually redirecting to the same IP literal URLs containing the string test followed by three digits:

Seamless and Punycode

It wasn’t until recent years that domain registrars began to allow for non-English (ASCII) characters in domain names, defined by the Internationalized Domain Names (IDNs) for Applications framework. This allowed for countries to customize services with their own alphabets, which include what we’d otherwise call “special characters,” but have in fact existed long before the Internet was born.

Punycode is a representation of Unicode characters into ASCII used for hostnames, which allows for IDNs, while DNS lookups can still be performed using ASCII characters. The threat actors behind Seamless have been using a domain name containing Cyrillic characters (mostly found in Eastern European countries), which we noticed in our honeypot captures via its Punycode representation.

The call to the Seamless gate was initiated by a malvertising redirection:



It is worth noting that Punycode has been exploited by scammers crafting phishing domain names resembling official brands, as sometimes certain Unicode characters are hard to distinguish from ASCII ones.

It is unclear whether this was a deliberate attempt to bypass intrusion detection systems or if it is simply an odd case similar to previous ones such as the Decimal IP campaign. Time will tell if the Seamless operators maintain it or abandon it in favor of the long-used IP literal URLs.

Indicators of compromise (IOCs)

Note: These IOCs are specific to the Punycode Seamless campaign.

URLs:

xn--80af6acaaaj9h .xn--p1acf/test441.php
xn--80af6acaaaj9h .xn--p1acf/test551.php

IP address:

31.31.196.171

Payloads:

1609ab905f2ebbfe23b1111789cf8cade8b303642ecc5002ea63a3be24d2a07e
1a82f19a88827586a4dd959c3ed10c2c23f62a1bb3980157d9ba4cd3c0f85821
555f2d1665910e5d47ba45b0c8ec9eafaeb7c12868c5b76d52fcd0e17da248ec
58fb6436df51c59f8efe67b82e2a8a3af10faf798e9f4f047bac2fab1c1b0541
5943564ab3d38d4a9a0df32352dd5d2b04ccb76294e68a5efcbad5745d397de3
6fc5375161decbb23391e8302693437740765cf3e5e6f17afee9d720c22a1fac
79754c3bf6d5e40d89d2d81ba5a124b9ee13d924994fddeb170a50abd7f2be62
85c3822ab9254c8b52515869ca7430165142b37d05d4a41fe0293177098d44f2
888c88d190776cbf6bb010c2613c31428fb0779ed90f4f2bb8611a754a6bd44a
a5d557f02bbf6454e912f7295f641985ec5535443a58bb163d7beadade854783
afe98c589e78abf76080ecdd1640f8e6e64f1f0244cfd4a1c216a4c0f8a9df24
b6c18ec6499e9671e0d80107e27485dee0ece626220a701570037407423f25c1
bba607dcf8d747daa2cb8d60986240caa932300dcf12da7073238822b3a1f42f
bbea73e7b0d57969e45ef34667a016992f9295932e5b901858e3417593e080a2
d7b0ea1593eee67d43f5cd0a4472ac2cd12920a9ae2e87f29b02fafc98b00321
ec82f488d2c0c5f69f01c7d051081e8404f883cd4b63e57506d461c3e3926b0e
f71411642bb2cdc1bb3da39d44d8f157bda0bdb853632174ec3796b9d3b500f5
f766d034b8579922fceb9a0c50b7ea7799ed6d9ed79acc8fcc08abea129b6f4a

The post Seamless campaign serves RIG EK via Punycode appeared first on Malwarebytes Labs.

Go to Source
Author: Jérôme Segura

PayPal phish asks to verify transactions—don’t do it

There’s a number of fake PayPal emails going around right now claiming that a recent transaction can’t be verified. If your response to this is, “What transaction?” read on. If your response to this is, “Oh no, not my recent transaction!” you should still read on. Why? Because scammers have both eyes and at least one virtual hand on your cash, assuming you follow their direction.

Here’s two examples of how these mails are being named from one of our mailboxes:

paypal phish mails

Click to enlarge

[New Transaction Statements] we’re letting you know : We couldn’t verify your recent transactions

[New Activity Statements] [Account Hold] Re : Your payments processed cannot completed

Here’s the most recent email in question:

paypal phish mail

Click to enlarge

We couldn’t verify your recent transaction Dear Client,We just wanted to confirm that you’ve changed your password. If you didn’t make this change, please check information in here. It’s important that you let us know because it helps us prevent unauthorised persons from accessing the PayPal network and your account information.
We’ve noticed some changes to your unsual selling activities and will need some more information about your recent sales.

Verify Information Now
Thank you for your understanding and cooperation. If you need further assistance, please click Contact at the bottom of any PayPal page.Sincerely,PayPal

Clicking the button takes potential victims to a fake PayPal landing page, which tries very hard to direct them to a “resolution center.” The URL is:

myaccounts-webapps-verify-updated-informations(dot)epauypal(dot)com/myaccount/e6abe

fake paypal landing page

Click to enlarge

ΡayΡaI is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, To help us
provide you with a secure service. We would like to return your account to regular standing as soon as possible. We apologise for the inconvenience.
Why is my account access limited?

Your account access has been limited for the following reason(s)

December 1, 2017: We notice some unusualy activity on your PayPaI account.

As a security precaution to protect your account until we have more details from you, we’ve place a limitation on your account
( Your case ID for this reason is PP-003-523- 280- 570 )
How can I help resolve the issue on my account?

It’s usually easy to resolve issues like this. Most of the time, we just need a little more information about your account transactions
To help us resolve this issue, please log in to your account and go to the ResoIution Center to find out what information
You need to provide. We’ll review the information you provide and email you if we need more details.
Completing all the checklist items will automatically restore your account access.

From here, it’s a quick jump to two pages that ask for the following slices of personal information and payment data:

  1. Name, street address, city, state, zip, country, phone number, mother’s maiden name, and date of birth
  2. Credit card information (name, number, expiration code, security code)

paypal phish website personal info request

Click to enlarge

paypal phish website card request

Click to enlarge

Sadly, anyone submitting their information to this scam will have more to worry about than a fictional declined payment, and may well wander into the land of multiple actual not-declined-at-all payments instead. With a tactic such as the above, scammers are onto a winner—there’ll always be someone who panics and clicks through on a “payment failed” missive, just in case. It’s an especially sneaky tactic in the run up to December, as many people struggle to remember the who/what/when/where/why of their festive spending.

Whatever your particular spending circumstance, wean yourself away from clicking on any email link where claims of payment or requests for personal information are concerned. Take a few seconds to manually navigate to the website in question. and log in directly instead. If there are any payment hiccups happening behind the scenes, you can sort things out from there. Scammers are banking on the holiday rush combined with the convenience of “click link, do thing” to steal cash out from under your nose.

Make it an (early) New Year’s resolution to make things as difficult for the scammers as possible. You can report PayPal phishing attempts here. And if in doubt, at least delete the email.

The post PayPal phish asks to verify transactions—don’t do it appeared first on Malwarebytes Labs.

Go to Source
Author: Christopher Boyd

Powered by WPeMatico