Phishing – A Master Anglers Toolbox


We recently came across a researcher's gold mine of phishing sites. It all started with a PDF file received via an e-mail called Post-Label. The file itself is harmless, but it links to the USPS scam shown in the screenshots below.


Further analysis of this IP found that it belongs to QuadraNet, a colocation provider whose only involvement is hosting physical servers for its clients. The client offers VPS servers and is likely not aware this is taking place. We filed an abuse report, and QuadraNet is now aware. They've committed to cutting off access from this IP if the client does not respond within a period of time and clean up the phishing sites.

*** Update as of 8/14 – The IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I've been e-mailing this information to the upstream provider, QuadraNet. The colocation customer this IP belongs to either doesn't have the time to keep an eye on this or doesn't know how to stop these phishermen. It's also possible the server is compromised. One thing I noticed was an unknown entity selling AlphaRacks on a web forum about 4 years ago (post#1, post#2).

*** Update as of 8/7 – The IP continues to host phishing activity. We have reported additional sites to QuadraNet, who will presumably notify the colocation client again. Keep in mind that we noticed this activity start trending upward in March 2018, so the phishers have been outsmarting both of these parties for nearly half of 2018.

*** Update as of 7/23 – QuadraNet has notified me that they are going to "null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved," after they had repeatedly asked the customer to disable these services. The IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is AlphaRacks Hosting and that up to 1,200 domains may be on this server.

VirusTotal shows a ton of sites being hosted off this box, and an almost unbelievable number of phishing pages and malware samples. We found more than 50 different brands being phished off this one IP address. The activity goes back to March 2018. It's a phenomenon I call 'hiding in plain sight': vendors have been detecting the issue for many months, but no one has taken the initiative to file an abuse report.

https://www.virustotal.com/#/ip-address/162.220.11.2

Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, and many others all on a single IP. This is a master angler at work, folks!

NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.

E-mail possibly associated with activity: islampoto44@gmail.com 

Screenshots below:

Dozens of the sites have login pages for the Pony Botnet:

I've reported this to QuadraNet and PhishTank. Google Chrome warned against visiting many of the sites hosted on this IP.


Phishing – New Tactics and Techniques


We've recently observed a new trend in phishing and targeted malware attacks that use the attackers' own domains to bypass anti-spam controls. The attackers use valid domains, SPF records, SMTP servers, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputation checks and other types of filtering.

The attachments are typical droppers, highly obfuscated and using Microsoft Word macros. Attachments were detected under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen, leveraging Office CVE-2017-0199.

Domains (with VirusTotal links):

DocuSign – docusign.delivery

Bank Of America – securemsg-bankofamerica.com

Internal Revenue Service – irsinvoice.com

Dun & Bradstreet – dnbdocuments.com

Tactics and Techniques:

Attackers are using return addresses that resemble a real newsletter bounceback.

SPF records exist for the domain, and they match the servers that send the targeted e-mails. Those servers are online and answer SMTP connections with the appropriate banner for the website.

Attackers are using VPS or full-service hosting accounts from providers such as LeaseWeb and Secure Servers LLC to launch the attacks. The devices have remote administration ports and services open.

Incoming e-mails are highly obfuscated: each carries a randomly generated Word document with macros. Attackers change the payload if a "virus" rejection message is received. If it's an RBL rejection, they switch to another SMTP address and keep hammering the system until it accepts a delivery. Messages are modified in near real time after each rejection, until one is accepted.

Fighting Back:

If I had not configured a HOLD on documents with macros, my spam provider would have delivered these. I had an option configured to recognize "Newly Observed Domain," but it didn't recognize them, and it wasn't set to block them anyway. It may be a good idea to inspect these manually, or to put in some kind of workflow for content examination that alerts you when they are delivered. I'm looking for keywords like the ones below, and I'm also scanning some of the messages:

Account Locked
EFax
Hello Dear
Parcel
Password Reset
Shipment
Suspended Account
Unusual Sign-In


Domain #1

docusign.delivery


The domain record shows that it was registered today:

Here’s the SPF record for docusign.delivery:

The SMTP server on the host also answers for this domain, which satisfies spam filters that connect back to the sending system during validation:

The sender passes SPF checks because the domain is legitimately registered and its SPF record authorizes the sending host:

spf=pass (spfCheck: domain of docusign.delivery designates 95.211.148.208 as permitted sender) client-ip=95.211.148.208; envelope-from=no-reply-msmith=infostruction.net@docusign.delivery; helo=docusign.delivery
Content-Type: multipart/mixed;


Nmap results show smtp/25 open and proxy/8080 listening. Neither is an open relay, so we assume the attacker configured them for quick remote access and spamming:


The e-mail content was a Word document:

Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64
Content-Type: application/msword; name="3873JDSB987391.doc"
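The hold-and-keyword workflow from the "Fighting Back" section, applied to the Domain #1 headers, as an added example that is not the author's own filtering configuration: it parses a constructed message built from the Authentication-Results and attachment headers quoted above and returns the reasons it would be held. The newly-observed-domain set is an assumed stand-in for a real feed.

```python
import email
from email import policy
from email.utils import parseaddr

# Subject keywords the post watches for.
SUBJECT_KEYWORDS = ("account locked", "efax", "hello dear", "parcel",
                    "password reset", "shipment", "suspended account",
                    "unusual sign-in")
# MIME types that can carry VBA macros (legacy .doc and macro-enabled .docm).
MACRO_TYPES = {"application/msword",
               "application/vnd.ms-word.document.macroenabled.12"}
# Hypothetical stand-in for a newly-observed-domain feed.
NEWLY_OBSERVED = {"docusign.delivery"}

# Constructed sample built from the headers quoted on the page; the base64
# body is a short stub, not a real document.
SAMPLE = b"""From: DocuSign <no-reply@docusign.delivery>
To: msmith@infostruction.net
Subject: Parcel shipment document
Authentication-Results: mx.example; spf=pass (spfCheck: domain of docusign.delivery designates 95.211.148.208 as permitted sender) client-ip=95.211.148.208; envelope-from=no-reply-msmith=infostruction.net@docusign.delivery; helo=docusign.delivery
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="3873JDSB987391.doc"
Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""


def triage(raw):
    """Return the reasons a message should be held for manual review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").lower()
    hits = [k for k in SUBJECT_KEYWORDS if k in subject]
    if hits:
        reasons.append("subject keyword: " + ", ".join(hits))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if (part.get_content_type() in MACRO_TYPES
                or name.lower().endswith((".doc", ".docm", ".dot"))):
            reasons.append("macro-capable attachment: " + name)
    # spf=pass only proves the sending host is listed in the domain's own
    # SPF record; it says nothing about a domain registered this morning.
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if "spf=pass" in str(msg["Authentication-Results"] or "") \
            and domain in NEWLY_OBSERVED:
        reasons.append("spf=pass but newly observed domain: " + domain)
    return reasons
```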

Domain #2

securemsg-bankofamerica.com


SPF:


Domain #3

IRSInvoice.com


SPF:

Domain #4

DNBDocuments.com


SWIFT E-mail Leads To Evasive Gootkit


We follow the trail of another spam e-mail. It delivers a malware downloader that scores 0/63 on VirusTotal, not unheard of these days. The e-mail had a PDF attachment, SWIFT-MT103.pdf, which itself was innocuous and simply displayed a fuzzy scan image, purportedly a SWIFT request, that linked to a file hosted on Box.com.

Tactics of the downloader/dropper:

Contains functionality for read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file is different than original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file

…and many other warning signs surfaced by the sandbox during deeper debugging are included in the report.

Received: from vps39646.inmotionhosting.com (vps39646.inmotionhosting.com
(envelope-from <info@globalrustrade.com>)

Reply-To: <sunshineslisa1@yahoo.com>
Date: Tue, 12 Jun 2018 01:42:52 +0000

A copy of the original e-mail received by a honeypot spam account:

Download the attached PDF and examine it to find the link:

SWIFT MT103 PDF from E-mail 


Download the file from the box.com link and unzip the contents:

hxxps://cambridgecommodities.box.com/shared/static/4yr4v2uaa43835jqi0lawo204oydj2d0.zip

Analysis on the dropper downloaded from this link:

SWIFT MT103 Joe Sandbox Report

...or get it directly from Joe Sandbox if you don't trust my PDF.
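Finding the link without opening the PDF in a viewer is the first step of the walkthrough above; this added example (not the author's tooling) pulls /URI targets out of a PDF's link annotations and defangs them the way the post does. The PDF bytes are constructed for the example, and links stored inside compressed object streams would need decompressing before this scan sees them.

```python
import re

# Constructed minimal PDF with two /Link annotations: one literal string
# pointing at the box.com URL quoted in the post, one hex-encoded string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 90]
  /A << /S /URI /URI (https://cambridgecommodities.box.com/shared/static/4yr4v2uaa43835jqi0lawo204oydj2d0.zip) >> >>
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 100 300 118]
  /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f646f63> >> >>
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF string objects: literal "(...)" with backslash escapes, or hex "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape(literal):
    """Drop the backslash that escapes (, ) and \\ inside a literal string."""
    return re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)


def extract_uris(pdf_bytes):
    """Return every /URI target in uncompressed PDF objects, in file order."""
    found = []
    for m in URI_LITERAL.finditer(pdf_bytes):
        found.append((m.start(), _unescape(m.group(1))))
    for m in URI_HEX.finditer(pdf_bytes):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:          # PDF spec: odd trailing digit is padded with 0
            hexdigits += b"0"
        found.append((m.start(), bytes.fromhex(hexdigits.decode("ascii"))))
    # latin-1 never fails, so odd bytes in a hostile file cannot crash triage.
    return [raw.decode("latin-1") for _, raw in sorted(found)]


def defang(url):
    """Make a URL unclickable in notes, matching the post's hxxps:// style."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)
```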


Dexter Malware attacks POS


In an article titled "Dexter – Draining blood out of Point of Sales," the Israel-based security firm Seculert identified malware programmed to attack POS systems. Targeting POS systems lets attackers extract card data from aggregation points instead of targeting end-user machines or physically installing a skimmer.

Dexter has reportedly targeted systems in 40 countries over the past 2-3 months.

According to Spiderlabs, a team of ethical hackers working for security-software analysis firm Trustwave, Dexter has an unusual nature. Spiderlabs blogger Josh Grunzweig noted: “I can’t remember the last time I saw a piece of malware that targeted Point of Sale systems that had a nice C&C structure to it.”

Bank fraud has evolved into a billion-dollar industry worldwide, and Dexter is just another example of how attackers choose the targets with the most lucrative cyber bounty.

Digital bank robbers make off with $6.7 million


During the holidays cybercriminals kept themselves busy, hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by SA Post Office, is one of the victims.


South African bank Postbank was robbed of $6.7 million earlier this month. But the thieves didn’t need masks and guns to pull off the job — just computers.


To pull off the heist, the hackers created a backdoor into one of the bank’s computers. From that hacked computer, they were able to access the rest of the network and issue the commands to distribute the $6.7 million to different accounts owned by the thieves. Those accounts were promptly emptied via ATM visits. Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.

Since the crime didn't raise any red flags with the bank's automated fraud-detection programs, employees failed to notice the money was missing until the bank re-opened after the New Year's holiday.

The irony is that 3 years ago the institution invested a large amount of money in its anti-fraud systems. However, as we can clearly see, anti-fraud systems aren't worth much if the company doesn't have a strict policy for the way its employees handle computers.

If the reports are true, then it is very likely that an employee with privileged rights must have fallen victim to a scam email designed to spread a malicious Trojan.


Fin24 reports that the National Intelligence Agency, which offers assistance when a government institution is compromised, has launched an investigation to precisely determine the causes that allowed for the incident to occur.

Bank representatives state that none of their customers are affected by the breach, but security experts believe that Postbank’s systems desperately need an upgrade.

Crooks don’t necessarily have to hack into a bank’s systems to gain access as it may be much easier to manipulate someone into handing over some information that can be utilized to just waltz in without being detected.

Lately, we're presented with many cases in which a little social engineering accomplishes far more than even the most sophisticated piece of malware. Take the thieves who stole $9 million from payroll debit cards issued by RBS WorldPay.

The New Reality of Stealth Crimeware


Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever more advanced rootkit techniques to avoid detection.

Cybercriminals use clever stealth techniques to evade detection because it allows their malware to be more effective, live on a machine or network longer, and thus maximize the compromise. McAfee Labs is now at the point where we detect more than 110,000 new unique rootkits per quarter.

To make matters worse, there is another issue that many fail to recognize:

Today’s current OS-based security model is not adequate; cybercriminals know how to get past these defenses every time.

The security industry has to find a new vantage point on cybercriminal behavior to stop and uncover their stealth techniques. It is time for our industry to start looking at security beyond the operating system to gain a more effective view of how cybercriminals operate.

We delve into these and many other issues in our latest report: “The New Reality of Stealth Crimeware,” written by myself and Thom Sawicki of Intel. Download it here.


Introduction

Stealth is the art of travelling undetected, of being invisible. Stealth technology allows military aircraft, Ninjas, and malware to sneak up on the enemy to launch an attack, gain intelligence, or take over systems and data.

Although stealth techniques are used in sophisticated attacks like Conficker and Operation Aurora, the Stuxnet attack offers a new blueprint—and benchmark—for how committed criminals can use stealth techniques to steal data or target computing systems. Stuxnet innovations included a combination of five zero-day vulnerabilities, three rootkits, and two stolen digital certificates. Powerful toolkits, like what is available in the Zeus Crimeware Toolkit, make stealth malware development a "point-and-click" endeavor, no longer restricted to the most knowledgeable programmers. While there are no definitive industry figures, McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth techniques to hide and spread malicious threats that can cause significant damage. These attacks form the cornerstone—the "persistent" part—of advanced persistent threats (APTs).

Malware being sent in job applications


If you’re in any kind of business there’s a good chance you have to deal with resumes on a daily basis, especially if you’re a manager or Human Resources professional. While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have increasingly been presenting malware as if it were a resume, hoping the recipient will be so curious about a potential applicant that they open or run something they shouldn't. This practice of using rigged document files goes back to the early 2000s, when exploits for Microsoft's document formats existed even before Office 2000.

Let's not forget when we could encode malware into a MIME header or .eml file and make IE/Outlook execute it… without even opening it. 🙂

These waves of malware use obfuscation and "dropper" payloads to avoid detection. A dropper serves only to pull down a payload and a backdoor for botnet control. It is rarely detected as malicious because of its simple nature. Antivirus products may continuously delete the malware payloads, but as long as the dropper stays alive and well, the malware creators have the opportunity to change the package and evade detection.

The Internet Crime Complaint Center (IC3) is reporting that businesses have received Bredolab variants in email attachments masquerading as job applications.

“Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release.

They also said: "The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions."

It’s called “spear phishing” – malicious code sent specifically to someone in a company who would be expecting that type of email (job applications in attachments in this case.)

"Recently, more than $150,000 was stolen from a US business via unauthorized wire transfer as a result of an e-mail the business received that contained malware. The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses."

"Anyone who believes they have been a target of this type of attack should immediately contact their financial institutions and local FBI office, and promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The IC3 also uses complaint information to identify emerging trends and patterns."