Phishing – A Master Anglers Toolbox

Phishing – A Master Anglers Toolbox

No Comments

We recently came across a researchers gold mine of phishing sites. It all started with a PDF file received via an email called Post-Label.  The file itself is harmless, but it links to the USPS scam shown below in the screenshots.

USPS-Phishing

Further analysis of this IP found that it belongs to QuadraNet a colocation provider who’s only involved in hosting physical servers for its clients. The service is being provided to AlphaRacks a VPS provider that rents out computing space by offering hosting to it’s clients.

VirusTotal has a ton of sites being hosted off this box, and almost an unbelievable amount of phishing pages and malware. We found more than 60 different brands being phished off this one IP address. The activity goes back to March 2018. It’s a phenomenon I call ‘hiding in plain sight,’ and that’s because vendors have been detecting the issue for many months, but no one has taken the initiative to file an abuse report.

We filed an abuse report and QuadraNet is now aware of the issue. They’ve committed to cutting off access from this IP if the client does not respond within a period of time and clean up the phishing sites. We’ve included numerous updates below as to the progress of the cleanup below just before the screenshots we have collected over a period of months.

https://www.virustotal.com/#/ip-address/162.220.11.2

https://www.virustotal.com/#/ip-address/167.160.188.2 (Added 10/2018. New IP with an equivalent amount of activity owned by Alpharacks)

URLScan provides regular screenshots of the activity hosted on various domains at this IP address. I’ve seen hundreds and potentially thousands of domains pointing to this location over the last several months.

https://urlscan.io/ip/162.220.11.2

https://urlscan.io/ip/167.160.188.2

https://www.abuseipdb.com/check/162.220.11.2

https://checkphish.ai reports 1,945 phishing URLs have been observed off of this address.

Brands being phished include CIBC Bank, DHL, GoDaddy, Microsoft Live, Office 365, OneDrive, Outlook Web Access, PayPal, USPS, 50+  others all on a single IP. This is a master angler at work, folks!

Victims we’ve seen phishing attempts against the companies below. This is is not a confirmation that they were compromised only that they scanned a URL with an e-mail inside of it so we presume that the owner received it via inbound phishing e-mail. Keep in mind this list only represents a small portion of the recipients and just a couple of days worth of URLs being scanned on VirusTotal:

Australia and New Zealand Bank
Aditya Birla Group
Conrad Hotels
Ericsson
Fox Broadcasting
Huawei
KPMG
Owens Corning
PotashCorp
QBE Insurance Group
Reebok
Regus
Seagate
State of Minnesota
Tetra Pak
Toyota
The Linde Group
VF Corporation
Volvo

NOTE: Some of this research is incomplete and should be investigated further by other researchers. I tend to post these kinds of ‘live’ hacks quickly, to get the word out and let folks experiment a bit before the hackers are shut down. The first thing I did was notify the hosting provider, so the clock is ticking. Or maybe it’s not, depending on how well they handle abuse complaints.

E-mail possibly associated with activity: [email protected] 

Dozens of the sites have login pages for the Pony Botnet:


Updates:

11/19 – New IP address observed 167.160.188.2 owned by Alpharacks and has an equivalent amount of scam websites up and running.

10/16 – We will allow the provider Quadranet to continue working with its client to remediate the issue.

9/17 – Activity continues and no response from ‘[email protected]‘ or Quadranet.

8/21 – Quadranet has reportedly taken action against AlphaRacks by null-routing it’s IP again due to the abuse. IP was responding again a short time later.

 8/14 – IP still has dozens of phishing sites, malware binaries and botnet communication files hosted on it. I’ve been e-mailing this information to the upstream provider who is QuadraNet. The co-location customer this IP belongs to either doesn’t have the time to keep an eye on this, or doesn’t know how to stop these phisherman. It’s also possible the server is compromised or that the operator AlphaRacks is complicit in the activity. I found that the blocks used to be owned by Crissic Solutions (Skylar MacMinn, Germany) who both worked at Quadranet and occupied the same IP space. An unknown entity was selling AlphaRacks on a web forum about 4 years ago at post#1 post#2.

8/7 – IP continues to host phishing activity. We have reported additional sites to QuadraNet who will presumably notify the colocation client again. Keep in mind we noticed this activity start trending upward in March of 2018. Obviously, they’ve been outsmarting both of these parties for a good deal of time nearly half of 2018.

7/23QuadraNet has notified me that they are going to “null-route the IP address and reach out to our customer, they may not have been aware of the number of domains involved.” after they had repeatedly asked the customer to disable these services. IP went down and was back up within a few hours. We confirmed it still had 5+ phishing sites live on it and reported that back to QuadraNet. We suspect the client is Alpharacks Hosting and that up to 1,200 domains may be on this server most of the malicious.

Screenshots below:

I’ve reported this to the Quadranet, and PhishTank. Google Chrome warned against visiting many of these sites hosted on this IP.

Phishing – New Tactics and Techniques

Phishing – New Tactics and Techniques

We’ve recently observed a new trend with phishing and targeted malware attacks that use domains to bypass anti-spam. The attackers are using valid domains, SPF, SMTP, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputational and other types of checks.

The attachments are typical droppers, highly obfuscated and using Microsoft Word macros. Attachments were known under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen leveraging Office CVE-2017-0199.

Domains w/ Virustotal link:

DocuSign – docusign.delivery

Bank Of America – securemsg-bankofamerica.com

Internal Revenue Service – irsinvoice.com

Dunn & Bradstreet – dnbdocuments.com

Tactics and Techniques:

Attackers are using return addresses that resemble a real newsletter bounceback.

SPF records exist for the domain, and they match the servers that send the targeted emails. They are online, answering to SMTP connections that use the appropriate banner for the website.

Attackers are using VPS or full service hosting accounts to launch attacks like LeaseWeb and Secure Servers LLC. Devices have remote administration ports and services open.

Incoming emails are highly obfuscated by a randomly generated Word document with macros. Attackers will change payload if a “virus” message is received. If it’s a RBL message, they will switch to another SMTP address and continue to hammer the system until it allows a delivery. Messages are modified near real-time after each rejection, until one is accepted.

Fighting Back:

If I had not configured a HOLD on documents with macros, these would have been delivered by my spam provider. I had an option configured to recognize “Newly Observed Domain,” but it didn’t recognize them, and it wasn’t set to block them. It may be a good idea to inspect these manually, or you could put in some kind of workflow for content examination to alert you when they are delivered. I’m looking for keywords like the ones below, and I’m also scanning some of the messages:

Account Locked
EFax
Hello Dear
Parcel
Password Reset
Shipment
Suspended Account
Unusual Sign-In

 

Domain #1

docusign.delivery

 

Domain record shows that it was registered today:

Here’s the SPF record for docusign.delivery:

SMTP server at the host answers on behalf of this domain as well for spam filters that form a connection back to the system during validation:

The sender passes SPF checks because they’re using a legitimate domain:

spf=pass (spfCheck: domain of docusign.delivery designates 95.211.148.208 as permitted sender) client-ip=95.211.148.208; [email protected]y; helo=docusign.delivery
Content-Type: multipart/mixed;

 

Nmap results show smtp/25 is open, and proxy/8080 is listening. Neither is an open relay, so we assume the attacker configured for quick remote access and spamming:

 

Email content was a word document:

Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64
Content-Type: application/msword; name="3873JDSB987391.doc"

Domain #2

securemsg-bankofamerica.com

 

SPF:

 

Domain #3

IRSInvoice.com

 

SPF:

Domain #4

DNBDocuments.com

 

SWIFT E-mail Leads To Evasive Gootkit

SWIFT E-mail Leads To Evasive Gootkit

No Comments

 

We follow the trail of another spam e-mail. It’s delivering a malware downloader that’s 0/63 on Virustotal, not unheard of these days. The e-mail had a PDF attachment SWIFT-MT103.pdf which itself was innocuous and simply displayed a fuzzy scan image, purportedly a SWIFT request that linked to a file hosted on Box.com.

Tactics of the downloader/dropper:

Contains functionality for read data from the clipboard
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Sample file is different than original file name gathered from version info
Internet Provider seen in connection with other malware
Icon mismatch, PE includes an icon from a different legit application
Reads the hosts file

…and many other warning signs shown by the software in deeper debugging in included in the report.

Received: from vps39646.inmotionhosting.com (vps39646.inmotionhosting.com
(envelope-from <[email protected]>)

Reply-To: <[email protected]>
Date: Tue, 12 Jun 2018 01:42:52 +0000

A copy of the original e-mail received to a honeypot spam account:

Download the attached PDF, and examine it finding a link:

SWIFT MT103 PDF from E-mail 

 

Download the file from a box.com link, and unzip the contents:

hxxps://cambridgecommodities.box.com/shared/static/4yr4v2uaa43835jqi0lawo204oydj2d0.zip

Analysis on the dropper downloaded from this link:

SWIFT MT103 Joe Sandbox Report

or directly from Joe Sandbox if you don’t trust my PDF.

 

 

 

Dexter Malware attacks POS

POS Malware Dexter

Dexter Malware attacks POS

Dexter Malware (POS Systems Attack)

 

In an article titled “Dexter – Draining blood out of Point of Sales” an Israel-based security firm Seculert has identified Malware programmed to attack POS systems. The targeting of POS systems appears to help attackers extract card data from aggregation points versus targeting end-user machines or physically installing a skimmer.

Dexter has reportedly targeted systems in 40 countries over the past 2-3 months.

According to Spiderlabs, a team of ethical hackers working for security-software analysis firm Trustwave, Dexter has an unusual nature. Spiderlabs blogger Josh Grunzweig noted: “I can’t remember the last time I saw a piece of malware that targeted Point of Sale systems that had a nice C&C structure to it.”

Bank Fraud had evolved to a billion dollar industry world wide and Dexter is just another example of how attackers are choosing the targets with the most lucrative cyber bounty.

Digital bank robbers make off with $6.7 million

Digital bank robbers make off with $6.7 million

No Comments

During the holidays cybercriminals kept themselves busy, hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by SA Post Office, is one of the victims.

 

South African bank Postbank was robbed of $6.7 million earlier this month. But the thieves didn’t need masks and guns to pull off the job — just computers.

 

To pull off the heist, the hackers created a backdoor into one of the bank’s computers. From that hacked computer, they were able to access the rest of the network and issue the commands to distribute the $6.7 million to different accounts owned by the thieves. Those accounts were promptly emptied via ATM visits. Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.

Since the crime didn’t raise any red flags with its automated fraud-detection programs, bank employees failed to notice the money was missing until the bank re-opened after the New Year’s holiday.

The irony is that 3 years ago the institution invested a large amount of money in their anti-fraud systems. However, as we can clearly see, anti-fraud systems aren’t worth much if the company doesn’t have a strict policy for the way their employees handle computers.

If the reports are true, then it is very likely that an employee with privileged rights must have fallen victim to a scam email designed to spread a malicious Trojan.


Fin24 reports that the National Intelligence Agency, which offers assistance when a government institution is compromised, has launched an investigation to precisely determine the causes that allowed for the incident to occur.

Bank representatives state that none of their customers are affected by the breach, but security experts believe that Postbank’s systems desperately need an upgrade.

Crooks don’t necessarily have to hack into a bank’s systems to gain access as it may be much easier to manipulate someone into handing over some information that can be utilized to just waltz in without being detected.

Lately, we’re presented with many cases in which a little bit of social engineering can perform much more efficiently than even the most sophisticated piece of malware. Take the thieves who stole 9 million dollars from payroll debit cards issued by RBS Worldpay.

The New Reality of Stealth Crimeware

The New Reality of Stealth Crimeware

No Comments

Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever more advanced rootkit techniques to avoid detection.

Cybercriminals use clever stealth techniques to evade detection because it allows their malware to be more effective, live on a machine or network longer, and thus maximize the compromise. McAfee Labs is now at the point where we detect more than 110,000 new unique rootkits per quarter.

To make matters worse, there is another issue that many fail to recognize:

Today’s current OS-based security model is not adequate; cybercriminals know how to get past these defenses every time.

The security industry has to find a new vantage point on cybercriminal behavior to stop and uncover their stealth techniques. It is time for our industry to start looking at security beyond the operating system to gain a more effective view of how cybercriminals operate.

We delve into these and many other issues in our latest report: “The New Reality of Stealth Crimeware,” written by myself and Thom Sawicki of Intel. Download it here.

[wp-pdf-view swf=”https://www.infostruction.com/wp-content/uploads/2011/07/wp-reality-of-stealth-crimeware.pdf” width=”500″ height=”400″ /]

Introduction

Stealth is the art of travelling undetected, of being invisible. Stealth technology allows military aircraft,
Ninjas, and malware to sneak up on the enemy to launch an attack, gain intelligence, or take over
systems and data.

Although stealth techniques are used in sophisticated attacks like Conficker and Operation Aurora, the
Stuxnet attack offers a new blueprint—and benchmark—for how committed criminals can use stealth
techniques to steal data or target computing systems. Stuxnet innovations included a combination of
five zero-day vulnerabilities, three rootkits, and two stolen digital certificates. Powerful toolkits, like what is available in the Zeus Crimeware Toolkit, make stealth malware development a “point- and-click” endeavor, no longer restricted to the most knowledgeable programmers. While there are no definitive industry figures, McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth technique to hide and spread malicious threats that can cause significant damage.1 These attacks form the cornerstone—the “persistent” part—of advanced persistent threats (APTs).

Malware being sent in job applications

Malware being sent in job applications

If you’re in any kind of business there’s a good chance you have to deal with resumes on a daily basis, especially if you’re a manager or Human Resources professional. While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have been increasingly presenting Malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn’t. This practice of using rigged document files goes back to the early 2000’s where exploits for Microsoft’s document format existed even before Office 2000.

Let’s not forget when we could encoded Malware into a MIME header or .eml file and make IE/Outlook execute it… without even opening it. 🙂

These waves of Malware use obfuscation and “dropper” payloads to avoid detection. A dropper serves only to pull a payload, and a backdoor down for Botnet control. It rarely is detected as malicious because of its simple nature. The Antivirus products may continuously delete the Malware payloads, but as time passes with the dropper alive and well. The Malware creators are given the opportunity of changing the package and evading detection.

The Internet Crime Complaint Center (IC3) is reporting that businesses have received Bredolab variants in email attachments masquerading as job applications.

“Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online,” IC3 said in a news release.

They also said: “The FBI recommends that potential employers remain vigilant in opening the e-mails of perspective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.”

It’s called “spear phishing” – malicious code sent specifically to someone in a company who would be expecting that type of email (job applications in attachments in this case.)

“Recently, more than $150,000 was stolen from a US business via unauthorized wire
transfer as a result of an e-mail the business received that contained malware. The
malware was embedded in an e-mail response to a job posting the business placed on
an employment website and allowed the attacker to obtain the online banking credentials
of the person who was authorized to conduct financial transactions within the company.
The malicious actor changed the account settings to allow the sending of wire transfers,
one to the Ukraine and two to domestic accounts. The malware was identified as a
Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan,
which is commonly used by cyber criminals to defraud US businesses.”

“Anyone who believes they have been a target this type of attack should immediately
contact their financial institutions and local FBI office, and promptly report it
to the IC3’s website at www.IC3.gov. The IC3’s
complaint database links complaints together to refer them to the appropriate law
enforcement agency for case consideration. The IC3 also uses complaint information
to identify emerging trends and patterns.”

Trusteer Rapport – Protects Online Banking against Botnets

Trusteer Rapport – Protects Online Banking against Botnets

Rapport is a lightweight security software solution that protects web communication between enterprises, such as banks, and their customers and employees. The product is free for the customers of over 70 different banks, AND can also be downloaded independently of those services for FREE. You can protect any web site you choose outside of the network, and also use the tool with Chrome, IE and Firefox.

Rapport implements a completely new approach to protecting customers and employees. By locking down customer browsers and creating a tunnel for safe communication with the online website, Rapport prevents Man-in-the-Browser malware and Man-in-the-Middle attacks. Rapport also prevents phishing via website authentication to ensure that account credentials are passed to genuine sources only.

Rapport’s unique technology blocks advanced Trojans including Zeus, Silon, Torpig and Yaludle without the need to constantly update and chase the different variants of these Trojans. Its proprietary browser lockdown technology simply prevents unauthorized access to information that flows between customer and employee websites regardless of whether these attempts were generated by new or known Trojan variants. Rapport is also capable of preventing very targeted and under the radar phishing attacks.

Enterprises such as banks can easily configure the system to protect customers and employees and begin offering them Rapport software for quick download from their website. Following a simple one time installation process, Rapport begins securing browsers, works in the background and does not call for a change in user behavior – customers and employees can bank and use the internet as usual – thus enabling fast adoption. Rapport comes with a rich management application that enables enterprises to effectively trigger alerts, view and analyze data as well as manage security.

Rapport is focused on preventing online fraud committed by financial malware and differs from Anti-Virus because it:

* Locks down access to financial and private data instead of looking for malware signatures

* Communicates with your online banking website to provide feedback on security level and report unauthorized access attempts

* Allows for immediate action to be taken against changes in the threat landscape.

Features

* Blocks Zeus, Torpig, Silent Banker and other Man-in-the-Browser attacks
* Blocks Keyloggers and screen grabbing
* Blocks Man-in-the Middle attacks
* Blocks Phishing attacks
* Works on both Windows and Mac
* Protects immediately upon install
* Complements other security software
* Transparent to customers and employees unless a threat is detected
* Delivers advanced reporting on current and new threats including zero-day attacks
* Comes with pre-packaged marketing tools and materials
* 24×7 support option

Benefits

* Prevents wire and ACH fraud
* Protects against account takeover attacks
* Deployment within weeks, requires no change to enterprise applications
* Fast notification of threats affecting your customers and employees
* Fast adoption by customers using proven tools
* Added security with no change in user behavior
* Proactive rather than reactive to threats and incidents

Browser Lockdown – This technology specifically prevents unauthorized access to sensitive information in the browser. Before launching the browser, Rapport verifies its integrity, preventing unauthorized modifications to the browser’s executable. Rapport locks down all programmatic interfaces to sensitive information inside the browser while it is connected to a protected website. This prevents browser add-ons and other pieces of software from accessing login information, financial information and transactions based on customized policy created with the enterprise. Additionally, Rapport protects the browser’s memory and prevents any pieces of code injected into the browser’s memory from capturing or modifying sensitive information.

Keystroke Lockdown – Rapport prevents tampering and reading of data by encrypting sensitive information from the moment it is typed into the keyboard until it reaches the browser. Trusteer encrypts keystrokes very low in the operating system’s kernel and keeps them encrypted inside the kernel and user space to achieve this goal.

Communication Lockdown – This technology enables Rapport to verify the legitimacy of the website that the customer or employee is currently using, preventing the submission of sensitive information to fraudulent websites. What’s more, verification of a direct connection with the website and assurance of encryption are also confirmed to prevent Man-in-the-Middle attacks. This technology prevents many ACH FRAUD transactions and efforts of trojans such as Torpig & Zeus.

Actionable Intelligence – All policy violations, such as attempts to read password fields and change web page content are reported to the Trusteer cloud-based fraud analysis service. Trusteer’s team of fraud analysts works 24×7, analyzing information from customers all over the world in order to identify new attack patterns. Advanced automatic update mechanisms allow Trusteer to react immediately to new threats. Organizations are immediately alerted regarding new attacks as they occur, instead of days, weeks, and even months after the fact.

These are not the days of the Nimda Virus, so get protected!

PC users: https://download.trusteer.com/Gcur4Wtnu/RapportSetup.exe

Mac users: https://download.trusteer.com/Gcur4Wtnu/leopard/Rapport.dmg

Ping web site