Phishing – A Master Anglers Toolbox

Phishing – A Master Anglers Toolbox

No Comments

We recently came across a researchers gold mine of phishing sites. It all started with a PDF file received via an email called Post-Label.  The file itself is harmless, but it links to the USPS scam shown below in the screenshots.

USPS-Phishing

Further analysis of this IP found that it belongs to QuadraNet a colocation provider who’s only involved in hosting physical servers for its clients. The client offers VPS servers and is likely not aware this is taking place. We filed an abuse report and QuadraNet is now aware. They’ve committed to cutting off access from this IP if the client does not respond within a period of time and clean up the phishing sites.

*** Update as of 8/14 – IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I’ve been e-mailing this information to the upstream provider who is QuadraNet. The co-location customer this IP belongs to either doesn’t have the time to keep an eye on this, or doesn’t know how to stop these phisherman. It’s also possible the server is compromised. One thing I noticed was an unknown entity was selling AlphaRacks on a web forum about 4 years ago at post#1 post#2.

*** Update as of 8/7 – IP continues to host phishing activity. We have reported additional sites to QuadraNet who will presumably notify the colocation client again. Keep in mind we noticed this activity start trending upward in March of 2018. Obviously, they’ve been outsmarting both of these parties for a good deal of time nearly half of 2018.

*** Update as of 7/23QuadraNet has notified me that they are going to “null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved.” after they had repeatedly asked the customer to disable these services. IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is  Alpharacks Hosting and that up to 1,200 domains may be on this server.

VirusTotal has a ton of sites being hosted off this box, and almost an unbelievable amount of phishing pages and malware. We found more than 50 different brands being phished off this one IP address. The activity goes back to March 2018. It’s a phenomenon I call ‘hiding in plain sight,’ and that’s because vendors have been detecting the issue for many months, but no one has taken the initiative to file an abuse report.

https://www.virustotal.com/#/ip-address/162.220.11.2

Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, and many others all on a single IP. This is a master angler at work, folks!

NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.

E-mail possibly associated with activity: islampoto44@gmail.com 

Screenshots below:

Dozens of the sites have login pages for the Pony Botnet:

I’ve reported this to the Quadranet, and PhishTank. Google Chrome warned against visiting many of these sites hosted on this IP.

wei

Phishing – New Tactics and Techniques

Phishing – New Tactics and Techniques

We’ve recently observed a new trend with phishing and targeted malware attacks that use domains to bypass anti-spam. The attackers are using valid domains, SPF, SMTP, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputational and other types of checks.

The attachments are typical droppers, highly obfuscated and using Microsoft Word macros. Attachments were known under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen leveraging Office CVE-2017-0199.

Domains w/ Virustotal link:

DocuSign – docusign.delivery

Bank Of America – securemsg-bankofamerica.com

Internal Revenue Service – irsinvoice.com

Dunn & Bradstreet – dnbdocuments.com

Tactics and Techniques:

Attackers are using return addresses that resemble a real newsletter bounceback.

SPF records exist for the domain, and they match the servers that send the targeted emails. They are online, answering to SMTP connections that use the appropriate banner for the website.

Attackers are using VPS or full service hosting accounts to launch attacks like LeaseWeb and Secure Servers LLC. Devices have remote administration ports and services open.

Incoming emails are highly obfuscated by a randomly generated Word document with macros. Attackers will change payload if a “virus” message is received. If it’s a RBL message, they will switch to another SMTP address and continue to hammer the system until it allows a delivery. Messages are modified near real-time after each rejection, until one is accepted.

Fighting Back:

If I had not configured a HOLD on documents with macros, these would have been delivered by my spam provider. I had an option configured to recognize “Newly Observed Domain,” but it didn’t recognize them, and it wasn’t set to block them. It may be a good idea to inspect these manually, or you could put in some kind of workflow for content examination to alert you when they are delivered. I’m looking for keywords like the ones below, and I’m also scanning some of the messages:

Account Locked
EFax
Hello Dear
Parcel
Password Reset
Shipment
Suspended Account
Unusual Sign-In

 

Domain #1

docusign.delivery

 

Domain record shows that it was registered today:

Here’s the SPF record for docusign.delivery:

SMTP server at the host answers on behalf of this domain as well for spam filters that form a connection back to the system during validation:

The sender passes SPF checks because they’re using a legitimate domain:

spf=pass (spfCheck: domain of docusign.delivery designates 95.211.148.208 as permitted sender) client-ip=95.211.148.208; envelope-from=no-reply-msmith=infostruction.net@docusign.delivery; helo=docusign.delivery
Content-Type: multipart/mixed;

 

Nmap results show smtp/25 is open, and proxy/8080 is listening. Neither is an open relay, so we assume the attacker configured for quick remote access and spamming:

 

Email content was a word document:

Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64
Content-Type: application/msword; name="3873JDSB987391.doc"

Domain #2

securemsg-bankofamerica.com

 

SPF:

 

Domain #3

IRSInvoice.com

 

SPF:

Domain #4

DNBDocuments.com

 

Operation WireWire – ACH Fraud Takedown

Operation WireWire – ACH Fraud Takedown

No Comments
“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)

Business Email Compromise (BEC) is one of the scams aimed at companies that conduct wire transfers and have suppliers abroad.  Corporate or publicly available email accounts of executives and high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised, through keyloggers or phishing attacks, to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro).

I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent in or even make much of an impact on BEC, given the breadth of fraud associated with this outfit. I’d imagine the analysts in these quotes are looking at aggregate totals from the mile-high perspective and not the close-up, full scale of the damage to small businesses in our country. Companies have gone out of business, and schools have been attacked by these perpetrators. Personally, I don’t agree with or support the position that it’s just another routine arrest and it should be glazed over like it was picking off a few credit card skimmers.

The economies of scale with traditional Credit Card Fraud vs. Business E-mail Compromise cannot be directly compared, given who they impact and the average losses. This issue has never been about mitigating an impact on consumers as the criminals have always been focused on attacking small to medium-sized businesses. Typically, it’s the commercial accounts that are vulnerable to this kind of wire transfer fraud, unlike consumer credit cards that have built-in fraud protection that uses randomly generated numbers and a Visa or MasterCard logo. In these cases, the wires are facilitated directly from the account number being compromised.

Criminals obviously have a lot more to gain from raiding the digital coffers of businesses that handle millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average per-incident loss for a successful BEC scam is around $130,000; in comparison, robbing a bank will rake in about $3,800. The losses for traditional credit card fraud reported per incidence are much lower. Take a look at “23 Frightening Credit Card Fraud Statistics,” and you’ll see that in 2014, the median loss was $300 and the average reported loss was $1,343. If you’d ask someone who was ‘crushed’ by these low numbers to compare them to high-volume fraud numbers, you’d see how it wouldn’t make a dent. The reality, however, is that many BEC scams can net over a million dollars from a single source, something that seems unfathomable to people who are still living in the world of old-fashioned credit card fraud. This isn’t like the time somebody bought a $100 pair of sneakers using my debit card.

Not sure if this is a problem yet? Just ask Google and Facebook, who were both perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who stole almost 4 million dollars in a short time. If you really want to know, ask Leoni AG, a company that lost 44 million dollars in a single scam just a few years back. Are these extreme examples of BEC? No, many of these scams exceed a million dollars in losses in just a single incident. The collateral damage from ripping off employees’ social security numbers could take a long time to remediate. I don’t need to know the exact figures to make the connection that attackers with minimal sophistication are pulling it off for piles of cash. BEC scammers were operating mostly with impunity before this crackdown effort by the DOJ. If not, how could the losses possibly add up to 3 billion dollars? DOJ has been able to lock up a few here and there, but nothing like the 71 people from the Google/Facebook sweep.

Any law enforcement action would be welcomed, as long as it protects companies from scams and sends this clear message to the criminals abroad: If your activity trends upwards, so will our efforts to capture you. Not to mention that the hands of justice are now orienting themselves on how to efficiently take down these networks, thereby opening the door for streamlined enforcement for this type of crime.

The DOJ is doing a good job, and I don’t see it as a “dog and pony show” to expose these scammers in front of the world. It’s about justice and showing people in other countries that the internet may seem like a free plane ticket to communicate overseas, but you can still get arrested where that connection lands, just like you could in an airport. You’ve got to get started sometime, and today works well for tomorrow’s potential victims.

I think people who work on the ground in Cyber Security know that this day is long overdue, and it’s to be celebrated, not shrugged off as a waste of time. I’d never call it a waste of time – who in my industry would?

So let’s not turn the war on BEC into the war on Credit Card Fraud. Great work out there, folks!

Recent News:

Washinton Post – It’s time to stop laughing at Nigerian scammers — because they’re stealing billions of dollars

Boston Herald – Phishing theft of $93G at clean energy agency went unreported for months

Telstra – A silent cybercrime blitzkrieg as Aussie businesses robbed of millions

IC3 – 2017 Internet Crime Report featuring Business E-mail Compromise

Digital bank robbers make off with $6.7 million

Digital bank robbers make off with $6.7 million

No Comments

During the holidays cybercriminals kept themselves busy, hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by SA Post Office, is one of the victims.

 

South African bank Postbank was robbed of $6.7 million earlier this month. But the thieves didn’t need masks and guns to pull off the job — just computers.

 

To pull off the heist, the hackers created a backdoor into one of the bank’s computers. From that hacked computer, they were able to access the rest of the network and issue the commands to distribute the $6.7 million to different accounts owned by the thieves. Those accounts were promptly emptied via ATM visits. Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.

Since the crime didn’t raise any red flags with its automated fraud-detection programs, bank employees failed to notice the money was missing until the bank re-opened after the New Year’s holiday.

The irony is that 3 years ago the institution invested a large amount of money in their anti-fraud systems. However, as we can clearly see, anti-fraud systems aren’t worth much if the company doesn’t have a strict policy for the way their employees handle computers.

If the reports are true, then it is very likely that an employee with privileged rights must have fallen victim to a scam email designed to spread a malicious Trojan.


Fin24 reports that the National Intelligence Agency, which offers assistance when a government institution is compromised, has launched an investigation to precisely determine the causes that allowed for the incident to occur.

Bank representatives state that none of their customers are affected by the breach, but security experts believe that Postbank’s systems desperately need an upgrade.

Crooks don’t necessarily have to hack into a bank’s systems to gain access as it may be much easier to manipulate someone into handing over some information that can be utilized to just waltz in without being detected.

Lately, we’re presented with many cases in which a little bit of social engineering can perform much more efficiently than even the most sophisticated piece of malware. Take the thieves who stole 9 million dollars from payroll debit cards issued by RBS Worldpay.

AT&T iPad site hacker to fight on in court

AT&T iPad site hacker to fight on in court

apple-ipad-hacker

 

A hacker facing trial on charges that he and a cohort conspired to break into an AT&T Web site for 3G iPad users told CNET today that he will fight the charges “to the end.”

Andrew “Escher” Auernheimer, 26, was indicted several months ago on one count of conspiracy to gain unauthorized access to computers and one count of identity theft. He faces up to 10 years in prison and $500,000 in fines. Co-defendant Daniel Spitler pleaded guilty in June and a judge put the case on hold, reportedly because of plea negotiations.

But Auernheimer, whose hacker handle is “weev,” says he’s not going to cop a plea.

“I did not fold the two previous times when the FBI tried to frame me as a terrorist” for allegedly calling in a bomb threat to a synagogue, which he denies, he said in an e-mail. “I will not fold now when they try to libel me as a thief. My indictment conveys a message that I am some sort of identity thief.”

In a follow-up phone interview, Auernheimer said he has done “nothing ethically wrong” and is being persecuted for “telling the truth” by exposing a security hole in AT&T’s Web site that was leaking e-mail addresses and unique device numbers for about 120,000 3G iPad users last year, including government and high-profile corporate customers.

weev-aurenheimer-hacker

Andrew Auernheimer, aka “Weev,” in a photo from earlier this year.(Credit: Anonymous)

“I contend there is no crime in telling the truth or using AT&T’s, or anybody’s, publicly accessible data, to cite it to talk about how they made people’s data public,” he said. “There’s a continuance until January. There may be a trial then…I just want to fight this thing to the end.”

A Department of Justice spokesman declined to comment because the court case is pending.

Asked his thoughts on Spitler’s guilty plea, Auernheimer said he was sure that Spitler would “cooperate in some way.” “I don’t blame him. He’s a good guy,” he said of his former hacking partner. “It’s probably terrifying for most people to go through this process. I’ve been fighting ‘The Man’ for years.”

Spitler wrote a script called the “iPad 3G Account Slurper” and used it against AT&T servers to harvest the iPad user data. The Justice Department contends that he and Auernheimer plotted on how to take advantage of the security hole for profit, but Auernheimer claims they were merely trying to protect consumers and waited until AT&T knew about the hole and fixed it before allowing Gawker to publish the details.

“I’ve never once made a dime off embarrassing a large corporation. I’ve never attempted to make a dime and AT&T is basically a public figure that is open to criticism. I think it’s fair,” he said. “Embarrassing somebody by telling the truth is not malice. It’s necessary speech.”

The Justice Department has released excerpts of Internet Relay Chat (IRC) logs in which the hackers discussed selling the e-mail addresses to spammers, shorting AT&T stock before releasing details of the breach, and destroying evidence.

In one exchange, Auernheimer writes: “This could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails,” to which Spitler responds: “ipad but yeah.” Asked to comment about statements from the logs that would appear to be damaging to his case, Auernheimer said “It’s easy to misconstrue a true statement as evidence of malice…our acts reveal no malice. I went straight to the press and I told exactly what needed to be told.”

When asked why he didn’t go directly to AT&T first, he said: “AT&T has a commercial interest in not having their negligence with consumer data spoken about, ever…I used the press as a proxy and I waited for (AT&T) to patch before going public.”

Auernheimer, 26, said he is barred from using IRC, communicating with anyone in his hacking group or any potential witnesses or co-defendants, and doing random Web browsing, but can use the Internet for “commerce.”

He was forced to leave his Fayetteville, Ark., home because of a bail condition requiring him to stay in the jurisdiction, he added, and as a result, he is living in Jersey City, N.J. (Meanwhile, drug charges he was arrested on last year after an FBI sweep of his home in the AT&T case have been dropped, he said.)

He has a public defender and has raised about $10,000 for his legal defense fund, he said. While he waits for trial, he is learning the Erlang programming language and is “open to security work.”

“I definitely have a habit of pissing people off. I’m not apologetic for that,” said the self-described Internet “troll.” “I think that the people that get pissed off probably deserve it. It serves a social function.”

I have known and spoken with Andrew over a number of years in the hacking scene. Hopefully this one works out for him!

Read more:

Trusteer Rapport – Protects Online Banking against Botnets

Trusteer Rapport – Protects Online Banking against Botnets

Rapport is a lightweight security software solution that protects web communication between enterprises, such as banks, and their customers and employees. The product is free for the customers of over 70 different banks, AND can also be downloaded independently of those services for FREE. You can protect any web site you choose outside of the network, and also use the tool with Chrome, IE and Firefox.

Rapport implements a completely new approach to protecting customers and employees. By locking down customer browsers and creating a tunnel for safe communication with the online website, Rapport prevents Man-in-the-Browser malware and Man-in-the-Middle attacks. Rapport also prevents phishing via website authentication to ensure that account credentials are passed to genuine sources only.

Rapport’s unique technology blocks advanced Trojans including Zeus, Silon, Torpig and Yaludle without the need to constantly update and chase the different variants of these Trojans. Its proprietary browser lockdown technology simply prevents unauthorized access to information that flows between customer and employee websites regardless of whether these attempts were generated by new or known Trojan variants. Rapport is also capable of preventing very targeted and under the radar phishing attacks.

Enterprises such as banks can easily configure the system to protect customers and employees and begin offering them Rapport software for quick download from their website. Following a simple one time installation process, Rapport begins securing browsers, works in the background and does not call for a change in user behavior – customers and employees can bank and use the internet as usual – thus enabling fast adoption. Rapport comes with a rich management application that enables enterprises to effectively trigger alerts, view and analyze data as well as manage security.

Rapport is focused on preventing online fraud committed by financial malware and differs from Anti-Virus because it:

* Locks down access to financial and private data instead of looking for malware signatures

* Communicates with your online banking website to provide feedback on security level and report unauthorized access attempts

* Allows for immediate action to be taken against changes in the threat landscape.

Features

* Blocks Zeus, Torpig, Silent Banker and other Man-in-the-Browser attacks
* Blocks Keyloggers and screen grabbing
* Blocks Man-in-the Middle attacks
* Blocks Phishing attacks
* Works on both Windows and Mac
* Protects immediately upon install
* Complements other security software
* Transparent to customers and employees unless a threat is detected
* Delivers advanced reporting on current and new threats including zero-day attacks
* Comes with pre-packaged marketing tools and materials
* 24×7 support option

Benefits

* Prevents wire and ACH fraud
* Protects against account takeover attacks
* Deployment within weeks, requires no change to enterprise applications
* Fast notification of threats affecting your customers and employees
* Fast adoption by customers using proven tools
* Added security with no change in user behavior
* Proactive rather than reactive to threats and incidents

Browser Lockdown – This technology specifically prevents unauthorized access to sensitive information in the browser. Before launching the browser, Rapport verifies its integrity, preventing unauthorized modifications to the browser’s executable. Rapport locks down all programmatic interfaces to sensitive information inside the browser while it is connected to a protected website. This prevents browser add-ons and other pieces of software from accessing login information, financial information and transactions based on customized policy created with the enterprise. Additionally, Rapport protects the browser’s memory and prevents any pieces of code injected into the browser’s memory from capturing or modifying sensitive information.

Keystroke Lockdown – Rapport prevents tampering and reading of data by encrypting sensitive information from the moment it is typed into the keyboard until it reaches the browser. Trusteer encrypts keystrokes very low in the operating system’s kernel and keeps them encrypted inside the kernel and user space to achieve this goal.

Communication Lockdown – This technology enables Rapport to verify the legitimacy of the website that the customer or employee is currently using, preventing the submission of sensitive information to fraudulent websites. What’s more, verification of a direct connection with the website and assurance of encryption are also confirmed to prevent Man-in-the-Middle attacks. This technology prevents many ACH FRAUD transactions and efforts of trojans such as Torpig & Zeus.

Actionable Intelligence – All policy violations, such as attempts to read password fields and change web page content are reported to the Trusteer cloud-based fraud analysis service. Trusteer’s team of fraud analysts works 24×7, analyzing information from customers all over the world in order to identify new attack patterns. Advanced automatic update mechanisms allow Trusteer to react immediately to new threats. Organizations are immediately alerted regarding new attacks as they occur, instead of days, weeks, and even months after the fact.

These are not the days of the Nimda Virus, so get protected!

PC users: https://download.trusteer.com/Gcur4Wtnu/RapportSetup.exe

Mac users: https://download.trusteer.com/Gcur4Wtnu/leopard/Rapport.dmg

Ping web site