Phishing – New Tactics and Techniques

July 10, 2018July 25, 2018 by Infostruction

We’ve recently observed a new trend with phishing and targeted malware attacks that use domains to bypass anti-spam. The attackers are using valid domains, SPF, SMTP, and reply addresses that mimic newsletter bouncebacks. These tactics allow the messages to bypass reputational and other types of checks.

The attachments are typical droppers, highly obfuscated and using Microsoft Word macros. Attachments were known under names such as Trojan-Downloader, VBA.Agent, and Exploit.Siggen leveraging Office CVE-2017-0199.

Domains w/ Virustotal link:

DocuSign – docusign.delivery

Bank Of America – securemsg-bankofamerica.com

Internal Revenue Service – irsinvoice.com

Dunn & Bradstreet – dnbdocuments.com

Tactics and Techniques:

Attackers are using return addresses that resemble a real newsletter bounceback.

SPF records exist for the domain, and they match the servers that send the targeted emails. They are online, answering to SMTP connections that use the appropriate banner for the website.

Attackers are using VPS or full service hosting accounts to launch attacks like LeaseWeb and Secure Servers LLC. Devices have remote administration ports and services open.

Incoming emails are highly obfuscated by a randomly generated Word document with macros. Attackers will change payload if a “virus” message is received. If it’s a RBL message, they will switch to another SMTP address and continue to hammer the system until it allows a delivery. Messages are modified near real-time after each rejection, until one is accepted.

Fighting Back:

If I had not configured a HOLD on documents with macros, these would have been delivered by my spam provider. I had an option configured to recognize “Newly Observed Domain,” but it didn’t recognize them, and it wasn’t set to block them. It may be a good idea to inspect these manually, or you could put in some kind of workflow for content examination to alert you when they are delivered. I’m looking for keywords like the ones below, and I’m also scanning some of the messages:

Account Locked
EFax
Hello Dear
Parcel
Password Reset
Shipment
Suspended Account
Unusual Sign-In

Domain #1

docusign.delivery

Domain record shows that it was registered today:

Here’s the SPF record for docusign.delivery:

SMTP server at the host answers on behalf of this domain as well for spam filters that form a connection back to the system during validation:

The sender passes SPF checks because they’re using a legitimate domain:

spf=pass (spfCheck: domain of docusign.delivery designates 95.211.148.208 as permitted sender) client-ip=95.211.148.208; [email protected]y; helo=docusign.delivery
Content-Type: multipart/mixed;

Nmap results show smtp/25 is open, and proxy/8080 is listening. Neither is an open relay, so we assume the attacker configured for quick remote access and spamming:

Email content was a word document:

Content-Disposition: attachment; filename="3873JDSB987391.doc"
Content-Transfer-Encoding: base64
Content-Type: application/msword; name="3873JDSB987391.doc"

Domain #2

securemsg-bankofamerica.com

SPF:

Domain #3

IRSInvoice.com

SPF:

Domain #4

DNBDocuments.com

June 12, 2018December 8, 2018

Operation WireWire – ACH Fraud Takedown

June 12, 2018December 8, 2018 by Infostruction

No Comments

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)

Business Email Compromise (BEC) is one of the scams aimed at companies that conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives and high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised, through keyloggers or phishing attacks, to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro).

I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent in or even make much of an impact on BEC, given the breadth of fraud associated with this outfit. I’d imagine the analysts in these quotes are looking at aggregate totals from the mile-high perspective and not the close-up, full scale of the damage to small businesses in our country. Companies have gone out of business, and schools have been attacked by these perpetrators. Personally, I don’t agree with or support the position that it’s just another routine arrest and it should be glazed over like it was picking off a few credit card skimmers.

The economies of scale with traditional Credit Card Fraud vs. Business E-mail Compromise cannot be directly compared, given who they impact and the average losses. This issue has never been about mitigating an impact on consumers as the criminals have always been focused on attacking small to medium-sized businesses. Typically, it’s the commercial accounts that are vulnerable to this kind of wire transfer fraud, unlike consumer credit cards that have built-in fraud protection that uses randomly generated numbers and a Visa or MasterCard logo. In these cases, the wires are facilitated directly from the account number being compromised.

Criminals obviously have a lot more to gain from raiding the digital coffers of businesses that handle millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average per-incident loss for a successful BEC scam is around $130,000; in comparison, robbing a bank will rake in about $3,800. The losses for traditional credit card fraud reported per incidence are much lower. Take a look at “23 Frightening Credit Card Fraud Statistics,” and you’ll see that in 2014, the median loss was $300 and the average reported loss was $1,343. If you’d ask someone who was ‘crushed’ by these low numbers to compare them to high-volume fraud numbers, you’d see how it wouldn’t make a dent. The reality, however, is that many BEC scams can net over a million dollars from a single source, something that seems unfathomable to people who are still living in the world of old-fashioned credit card fraud. This isn’t like the time somebody bought a $100 pair of sneakers using my debit card.

Not sure if this is a problem yet? Just ask Google and Facebook, who were the victims of a 100 million dollar fraud perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who stole almost 4 million dollars in a short time. If you really want to know, ask Leoni AG, a company that lost 44 million dollars in a single scam just a few years back. Are these extreme examples of BEC? No, many of these scams exceed a million dollars in losses in just a single incident. I don’t need to know the exact figures to make the connection that attackers with minimal sophistication are pulling it off for piles of cash. BEC scammers were operating mostly with impunity before this crackdown effort by the DOJ. If not, how could the losses possibly add up to 3 billion dollars? DOJ has been able to lock up a few here and there, but nothing like the 71 people from this most recent sweep.

Any law enforcement action would be welcomed, as long as it protects companies from scams and sends this clear message to the criminals abroad: If your activity trends upwards, so will our efforts to capture you. Not to mention that the hands of justice are now orienting themselves on how to efficiently take down these networks, thereby opening the door for streamlined enforcement for this type of crime.

The DOJ is doing a good job, and I don’t see it as a “dog and pony show” to expose these scammers in front of the world. It’s about justice and showing people in other countries that the internet may seem like a free plane ticket to communicate overseas, but you can still get arrested where that connection lands, just like you could in an airport. You’ve got to get started sometime, and today works well for tomorrow’s potential victims.

I think people who work on the ground in Cyber Security know that this day is long overdue, and it’s to be celebrated, not shrugged off as a waste of time. I’d never call it a waste of time – who in my industry would?

So let’s not turn the war on BEC into the war on Credit Card Fraud. Great work out there, folks!

2011 Verizon Data Breach Report

April 19, 2011March 22, 2018 by Infostruction

No Comments

Verizon’s 2011 Data Breach Investigations, a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.

Verizon’s 2010 Data Breach Report found that the number of data breaches quintupled from 2009, highlighting the shift as cyber-criminals target smaller businesses.

While the number of data breaches soared in 2010, the amount of information lost has dropped dramatically, according to Verizon’s latest data breach survey. The contradiction underscores what some security experts have been saying: attackers are increasingly targeting smaller companies because it’s easier.

Released April 19, the latest “2011 Verizon Data Breach Investigations Report” from Verizon Business counted 760 data breaches in 2010, compared to only 141 data breaches in 2009. Verizon noted a dramatic decline of 97 percent in the number of compromised records in 2010, as compared to 2009.

Among some of the report’s key findings:

Hacking, at 50 percent, and malware, at 49 percent, are the most prominent types of attack, with many incidents involving weak or stolen credentials and passwords;

Physical attacks, such as skimming at ATMs, pay-at-the-pump gas terminals and POS systems, for the first time rank among the three most common ways to steal information, comprising 29 percent of all investigated cases;

Outsiders are responsible for 92 percent of breaches, while the percentage of insider attacks dropped from 49 percent in 2009 to 16 percent in 2010.

Attacks Remain Easy
According to the report, 83 percent of the databases hit in 2010 were targets of opportunity; 92 percent of the attacks were classified as “not highly difficult.”

86 percent of the year’s breaches were discovered by third parties;

97 percent were avoidable through simple or intermediate controls;

89 percent of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack.

Download the 2011 Data Breach.

December 3, 2010April 9, 2011

2010 Verizon Data Breach Report

December 3, 2010April 9, 2011 by Infostruction

No Comments

The 2010 Verizon and U.S. Secret Service breach report is full of enlightening facts, figures and statistics. I highly recommend you read it cover to cover. It breaks down the breaches by demographic, threat agents, threat actions, attack difficulty and targeting, vertical, and time span. It also compares how PCI compliance affected the number and severity of breaches. This is the first year that Verizon has teamed up with the Secret Service to expand reporting on breach incidents. This reporting is highly regarded as a source for intrusions into the customers of Verizon’s widely adopted communications services. DBIR series now spans six years, 900+ breaches, and over 900 million compromised records.

https://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Highlights:

Who is behind Data Breaches?

70% resulted from external agents (-9%)
48% were caused by insiders (+26%)
11% implicated business partners (-23%)
27% involved multiple parties (-12%)

How Do Breaches Occur?

48% involved privilege misuse (+26%)
40% resulted from hacking (-24%)
38% utilized malware (<>)
28% employed social tactics (+16%)
15% comprised physical attacks (+6%)

What commonalities exist?

Older Reports:

2009: https://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

2008: https://www.verizonbusiness.com/resources/security/databreachreport.pdf