Posts tagged ‘Phishing’

Symantec Report on Chemical Industry Phishing

Symantec published a report earlier this week about an attack on the chemical industry. They call this attack Nitro.

In one example of the attack, an encrypted 7-Zip archive is used. Encryption prevents gateway scanners from examining the contents of the file (and 7-Zip can encrypt the archive's file names as well, so a scanner may not even see what is inside).

Some SMTP gateways block encrypted files by default. Most places find that hurts productivity more than it helps.

PhishMe asks whether your employees have been trained on how to respond to password-protected files. Their phishing training can cover this.

A third option is to look at a vendor who will try every word in the message body as the password for the encrypted attachment. This doesn't help in attacks where the password arrives in a second email. One could also wonder, if you're specifically targeted, whether the attacker will obfuscate the password so that one pattern is visible to the user while a computer would read it differently. Would a passphrase confound this type of approach? And obviously, once the gateway has the password, the contents still have to be detected by whatever antivirus you are using.
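As an added illustration of that third option (example code written for this post, not any vendor's product), the script below builds a small password-protected ZIP in memory, wraps it in a constructed email whose body mentions the password, and then tries every word of the body as the archive password. It uses only the Python standard library, so the archive is a ZIP with the legacy ZipCrypto scheme (the only encryption zipfile can read) rather than the 7-Zip/AES archive Symantec describes; a real gateway would hand the attachment to 7-Zip. The sender and recipient addresses, the password "Chem1cal!", the payload bytes and the body text are all made up.

```python
"""Try every word of a message body as the password of an attached archive.

Added example for this post, not any gateway vendor's code. Standard library
only: the sample attachment is a ZIP built in memory with legacy ZipCrypto
(the only encryption zipfile reads), so everything runs offline.
"""
import email, io, os, struct, zipfile, zlib
from email import policy
from email.message import EmailMessage

# ---- ZipCrypto (PKWARE "traditional") writer, used only to build the sample
_CRCTABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTABLE.append(_c)

def _zipcrypto(pwd: bytes, data: bytes) -> bytes:
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c):  # key schedule is driven by the password, then each plaintext byte
        keys[0] = _CRCTABLE[(keys[0] ^ c) & 0xFF] ^ (keys[0] >> 8)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _CRCTABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF] ^ (keys[2] >> 8)
    for c in pwd:
        update(c)
    out = bytearray()
    for p in data:
        t = keys[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def make_encrypted_zip(name: str, data: bytes, pwd: bytes) -> bytes:
    """One stored member; the 12-byte prefix ends with the high CRC byte,
    which is the password check zipfile performs before reading the payload."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = _zipcrypto(pwd, os.urandom(11) + bytes([crc >> 24]) + data)
    fname, dtime, ddate = name.encode(), 0, ((2011 - 1980) << 9) | (10 << 5) | 31
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dtime, ddate,
                        crc, len(body), len(data), len(fname), 0) + fname
    cdir = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dtime, ddate,
                       crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cdir), len(local) + len(body), 0)
    return local + body + cdir + eocd

# ---- Gateway side: candidate words from the body, then trial decryption
_STRIP = ".,;:!?\"'()[]<>"

def candidate_passwords(body: str, max_len: int = 64) -> list:
    """Every whitespace-delimited token, as written and with punctuation stripped."""
    seen = {}
    for tok in body.split():
        for cand in (tok, tok.strip(_STRIP)):
            if 0 < len(cand) <= max_len:
                seen.setdefault(cand.encode("utf-8"), None)
    return list(seen)

def open_with_body_words(blob: bytes, body: str):
    """(password, {member: bytes}) if some body word opens the ZIP, else None."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pwd in candidate_passwords(body):
            try:
                return pwd, {i.filename: zf.read(i, pwd=pwd) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):  # wrong password / CRC mismatch
                continue
    return None

def build_sample_message(zip_bytes: bytes, body: str) -> bytes:
    """Constructed lure: a 'patch' from a look-alike vendor address."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "updates@vendor-support.example", "engineer@chemco.example"
    msg["Subject"] = "Critical patch for your workstation"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="patch.zip")
    return msg.as_bytes()

def scan_message(raw: bytes) -> dict:
    """Per ZIP attachment: None if no body word opens it, else (password, members)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content() if text is not None else ""
    results = {}
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        if blob.startswith(b"PK\x03\x04"):  # ZIP local-file-header signature
            results[part.get_filename()] = open_with_body_words(blob, body)
    return results

PAYLOAD = b"MZ-stand-in-for-a-dropper"   # constructed, not malware
SAMPLE_PASSWORD = b"Chem1cal!"           # constructed

def demo(password_in_body: bool = True) -> dict:
    """password_in_body=False is the 'password arrives in a second email' case."""
    archive = make_encrypted_zip("patch.exe", PAYLOAD, SAMPLE_PASSWORD)
    body = "Please apply the attached patch today.\n" + (
        "The archive password is: Chem1cal!\n" if password_in_body
        else "The archive password will follow in a separate message.\n")
    return scan_message(build_sample_message(archive, body))
```

demo(True) returns the recovered password and the extracted member, which is what the gateway would then hand to antivirus; demo(False) returns None for the attachment, which is exactly the second-email case the post says this approach cannot help with. A password written as "C h e m 1 c a l" or "Chem1cal (swap the 1 for an l)" would be missed too; adding such transforms to candidate_passwords is where the obfuscation arms race begins.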

The most basic phishing awareness would foil the pictured email. No major vendor would be mailing you patches.

Epsilon Breach will Lead to Phishing Season Security Companies Predict

Over the weekend, email marketing firm Epsilon revealed that it had been hacked and that some of their client customer lists had been stolen.

Names and email addresses were stolen. With the link between your email address and a particular Epsilon client, it is now much easier to craft a targeted phishing email.

Phishing emails are a type of spam that pose as email from legitimate institutions such as your bank or phone company. When you receive an email about problems with your account at “TCF Credit Union,” you hit delete: you know it is spam because you don't have an account there. When attackers know you have an existing relationship, they can craft an email that is much more likely to get past your skepticism.

Source: Much of this article is taken from the Barracuda Labs Internet Security Blog.

Epsilon Customers Include:

  • 1800-Flowers
  • Abe Books
  • American Express
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Citibank
  • City Market
  • The College Board
  • Dillons
  • Disney Vacations
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Marriott Rewards
  • McKinsey Quarterly
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Smith Brands
  • Target
  • TIAA CREF
  • TD Ameritrade
  • TiVo
  • US Bank
  • Walgreens

Epsilon customer list compiled by Brian Krebs

To protect yourself from phishing attacks
1.  Have a good spam filter in place. Either you or your ISP should be running one.
2.  Enable your browser's phishing filter. This is available in most major browsers.
3.  Use other URL filters; BlueCoat K9 is a free, effective one.
4.  Be aware of how your bank will contact you. Banks will generally not ask you to log in from an email link.
5.  Only use known links and phone numbers. Consider links and phone numbers in email to be very suspicious.
6.  If you use Google Mail, enable the “authentication icon for verified senders” Lab.
7.  Consider installing Iconix Phishing Protection (for personal computers).
8.  Think.

Magazine Publisher Phished for Millions

Magazine publisher Conde Nast received an email from a company with a name similar to that of its regular printer, asking it to update its payment information. Conde Nast dutifully began sending its monthly payments electronically to a bank account in Houston, Texas.

About $8 million was collected before the printer contacted the publisher to ask why it hadn't been paid. Surprisingly, the money was still sitting in the account. No word on whether the person who opened the account was a money mule or the perpetrator.

Source: Reuters

Firefox to Suggest Flash Updates

Mozilla recently announced that a soon-to-be-released version of Firefox will check for Flash updates in addition to updating Firefox itself. That should be helpful for end users.
As with any news, people of course have their own axe to grind and put their own spin on things. Wolfgang Kandek writes about this development on the Qualys blog, adding “Now we just need to convince Hillary Clinton to let the Department of State use Firefox.”
I don't see how this change would cause an enterprise to switch browsers. In an enterprise this Firefox Flash update reminder should be pretty much worthless. If an enterprise has deployed Firefox then it has probably deployed Flash for Firefox, and if it's deployed Flash for Firefox, then the company should be deploying updates for it. Enterprises have patch cycles and testing. They often disable built-in update mechanisms and deploy updates through SMS/PatchLink/BigFix/etc. Is it possible for enterprises to disable this functionality, perhaps through FirefoxADM?
Far from being the crowning achievement in Firefox security, I think this Flash update checker could potentially be a problem. I notice the screenshot taken by Wolfgang does not show an SSL site in use when the user is prompted to upgrade. It seems to me that this Flash update mechanism is ripe for phishing. Spyware for Firefox has already masqueraded recently as a Flash update. I think this update mechanism's delivery method, as shown in Wolfgang's screenshot, primes phishing victims.

BlueCoat ProxyClient

I’ve been interested in extending HTTP security out to our remote users. When users are in the office, their HTTP traffic is antivirus-scanned and URL-filtered. When remote, they have only desktop antivirus to protect them. As more and more users go mobile, I think it is important to address this.

BlueCoat offers a ProxyClient that provides traffic acceleration and URL filtering. The URL filtering works the same way as K9 or a browser phishing filter: the URL is sent to BlueCoat's servers, categorized, and then allowed or blocked accordingly.

Location-based rules are created so that acceleration or URL filtering is enabled as appropriate.

I quickly found that the release notes weren’t kidding: SMB signing is incompatible with CIFS acceleration. I was hoping that the traffic would still be accelerated through compression and byte caching, but my tests seemed to show that traffic was a bit slower when acceleration was enabled.

Shmoocon 2009 Day 2

I really shouldn’t have to wake up at 7:30 am on a Saturday and take the Metro into DC. Fortunately I thought the 10am talk was worth it.
Phishing Statistics and Intuitive Enumeration of Hosts and Roles
by Sean Palka
This talk is about a tool he created and uses in corporate engagements. But as with most things developed on company time, it's not free to be released. The presentation is meant to give you ideas. And it does make me realize that this could be a fun side project if I can't get money for PhishMe and I can't get hold of Lunker.
The motivation for this tool is to justify to clients that phishing is a useful exercise. He also wanted the tool to gather reliable stats for reporting.
When phishing a company you may find that distribution lists are hit, or that email is forwarded from one user to another. Just as with a marketing campaign, web bugs, images and unique identifiers in URLs are used to determine who is following a link. Most mail clients no longer load images by default, so that cuts down somewhat on the ability to tell that a message was read but the link was not clicked. However, some companies whitelist their own domain name, allowing images to load automatically.
A bad guy phishing doesn’t care who responds; he just wants the credentials. But white-hat phishing needs reports and attribution. You want to know who visited the site without providing the phished-for information, because your phishing site could just as easily have contained a browser exploit.
Tagging, or using unique identifiers in URLs, does not solve the problem of message forwarding, or of a single user logging in from multiple locations. While timing can be used to determine that the person probably didn’t drive home, that person could have used remote desktop. You just don’t know whether the message was forwarded or the user is going from computer to computer trying the URL.
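The tagging and attribution described above, as an added example written for this post (it is not Sean Palka's tool, nor PhishMe or Lunker code): each recipient gets an HMAC-derived token that appears in both a web-bug image URL and the click-through link, and the landing site's access log is then parsed to attribute image loads, clicks and form submissions back to people. The campaign key, landing-site hostname, recipient addresses, URL paths and the combined-format log lines are all constructed. The script also surfaces the two cases the talk says tokens cannot resolve: the same token seen from two different clients (forwarded mail, or one user on two machines) is flagged as ambiguous rather than guessed at, and an IP touching many different recipients' tokens is reported so a helpdesk or admin machine can be recognized.

```python
"""Per-recipient tracking tokens for a white-hat phishing run, plus the
attribution report built from the landing site's access log.

Added example for this post; not Sean Palka's tool, PhishMe or Lunker code.
The campaign key, recipients, URL paths and log lines are constructed.
"""
import hashlib
import hmac
import re
from collections import defaultdict

CAMPAIGN_KEY = b"constructed-campaign-secret"      # new key per campaign (assumption)
BASE_URL = "https://intranet-login.example.net"    # constructed landing site

def token_for(recipient: str) -> str:
    """Opaque per-recipient ID. An HMAC rather than a counter, so a curious
    target cannot enumerate other people's links; the mapping back to a
    person lives only in the tester's recipient list."""
    mac = hmac.new(CAMPAIGN_KEY, recipient.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def lure_links(recipient: str) -> dict:
    """Web bug (fires only if the mail client renders images) and the click link."""
    t = token_for(recipient)
    return {"bug": f"{BASE_URL}/i/{t}.gif", "click": f"{BASE_URL}/login?t={t}"}

# Apache-style combined log line -> fields (assumed log format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
BUG_RE = re.compile(r"^/i/([0-9a-f]{16})\.gif$")
CLICK_RE = re.compile(r"^/login\?t=([0-9a-f]{16})$")

def classify(method: str, path: str):
    """(event, token) for a campaign hit, None for everything else."""
    m = BUG_RE.match(path)
    if m:
        return "opened", m.group(1)
    m = CLICK_RE.match(path)
    if m:
        return ("submitted" if method == "POST" else "clicked"), m.group(1)
    return None

def attribute(log_lines, recipients):
    """Per-recipient hit counts, tokens never issued, and how many different
    recipients' tokens each client IP touched (a helpdesk or admin box checking
    user reports shows up as one IP hitting many people's links)."""
    by_token = {token_for(r): r for r in recipients}
    report = {r: {"opened": False, "clicked": 0, "submitted": 0, "clients": set()}
              for r in recipients}
    unknown, tokens_per_ip = [], defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        ev = classify(m["method"], m["path"]) if m else None
        if ev is None:
            continue
        kind, token = ev
        who = by_token.get(token)
        if who is None:                  # not a token we issued: tampering or a guess
            unknown.append(token)
            continue
        report[who]["clients"].add((m["ip"], m["ua"]))
        tokens_per_ip[m["ip"]].add(token)
        if kind == "opened":
            report[who]["opened"] = True
        else:
            report[who][kind] += 1
    for entry in report.values():
        # Same token from two clients: forwarded mail, or one user on two
        # machines (remote desktop). The log alone cannot tell which.
        entry["ambiguous"] = len(entry["clients"]) > 1
    return report, unknown, {ip: len(t) for ip, t in tokens_per_ip.items()}

RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]   # constructed

def sample_log() -> list:
    """Constructed access-log lines exercising each case."""
    a, b = token_for(RECIPIENTS[0]), token_for(RECIPIENTS[1])
    ie = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    ff = "Mozilla/5.0 (Windows NT 6.0) Gecko/2009 Firefox/3.0"
    def line(ip, method, path, ua, status="200"):
        return f'{ip} - - [14/Feb/2009:10:05:12 -0500] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    return [
        line("10.1.2.3", "GET", f"/i/{a}.gif", ie),       # alice's client rendered the web bug
        line("10.1.2.3", "GET", f"/login?t={a}", ie),     # alice clicked
        line("10.1.2.3", "POST", f"/login?t={a}", ie),    # alice submitted credentials
        line("10.1.2.3", "GET", f"/login?t={b}", ie),     # bob's link opened from alice's machine
        line("10.1.7.9", "GET", f"/login?t={b}", ff),     # bob's link from a second machine
        line("10.1.9.9", "GET", "/login?t=0000000000000000", ff),   # token never issued
        line("10.1.2.3", "GET", "/favicon.ico", ie, "404"),         # noise
    ]

if __name__ == "__main__":
    rep, unk, per_ip = attribute(sample_log(), RECIPIENTS)
    for who, e in rep.items():
        print(who, e["opened"], e["clicked"], e["submitted"], "ambiguous" if e["ambiguous"] else "")
    print("unknown tokens:", unk, "tokens per IP:", per_ip)
```

On the constructed log, Alice is attributed cleanly (web bug, click, submission, one client), Bob's token comes from two clients and is marked ambiguous instead of being counted as a forward, the never-issued token is reported separately, and 10.1.2.3 shows up as having touched two recipients' links. Behind NAT every line would carry the same egress address, which is the talk's reason for running the landing site internally.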
An audience member pointed out that you could use images and the client cache to determine if the same computer visits more than once. (I’m not sure how that would work if a proxy is used).
You may be able to identify “important” systems by the responses as well. If one computer has a higher than normal number of responses it might be a helpdesk or admin checking out user reports. Obviously if NAT is involved, you need to do your phishing from inside.
Additionally you can determine social networks by seeing to whom the email is forwarded.
When an internal system is used for a phishing attack, the following are the pros/cons:
- The firewall prevents external connections. Email may be forwarded externally, and responses from outside cannot reach your internal site.
- People may trust the internal IP and act differently.
- You don’t have to worry about your other security filtering getting in the way. This isn’t a test of your spam filter.
- You can build a focused attack on victims.
White-hat phishing attacks where the website is external have little ability to get the real client IP when NAT is used; he said he hasn’t had a lot of consistent success using PHP for this. This limits reporting capabilities.
I didn’t ask whether he customizes the target emails to use the users’ names.
He doesn’t include training in the tool (as PhishMe does) because the focus of his tool is pentesting, not security training. While this is understandable given his role at BAH, I think most people looking to do white-hat phishing are going to want to provide the immediate user feedback/training that has been proven to be effective.
Stranger in a Strange Land: Reflections on a Linux guy’s First Year at Microsoft
by Crispin Cowan
A lot of the talk I felt I’d seen in either the SDL blog or Jeff Jones’ blog: basically slides pointing out the success of the Security Development Lifecycle at Microsoft. Security at Microsoft comes down to before the 2002 Bill Gates memo and after. For those who don’t know, Microsoft shut down coding for a month and re-trained employees in secure coding practices, then followed up and made sure people did it.
One of the big problems that isn’t going away is legacy. There are a lot of applications that rely on doing dangerous, stupid things they have been allowed to do. There is only so much breakage you can cause before people start to push back. (Side comment: it was a huge deal for Microsoft to disable IIS by default in a desktop operating system; their application vendors expected it to be there.) It is hard to fix architecture issues without breaking old applications. The application base is the value in Windows.
One of the big problems is the massive dependence on local admin. UAC is the stick used to make vendors write their applications so they don’t require local admin rights. It’s not UAC that sucks, it’s the crappy application that needs admin rights just to run.
88% of users participating in the feedback program leave UAC enabled.
Another metric they use is sessions that are UAC prompt free.
In Vista RTM, this was 50%.
With SP1, consumer desktops were at 65% and computers joined to a domain (work computers) was at 80%.
I assume this means applications are being improved so they don’t need admin rights. It could also mean people stopped using the crappy app.
Middling Everything with Middler
by Jay Beale
Obviously MITM is nothing new. What this project does is:

  1. Inject JavaScript into HTTP
  2. Store session IDs
  3. Intercept logout requests (even if you think you’ve logged out, you haven’t)
  4. Replace https links with http links (your bank site that only uses https for login is now sending your login in clear text)

The purpose of the tool is:

  • Inject JavaScript into every page
  • Inject temporary or permanent redirects
  • Take over the website with the Browser Exploitation Framework (BeEF)
  • Compromise the user with Metasploit

Middler is available on the InGuardians website.
The Agreement
A group of friends set up a framework of rules to govern their attempts to 0wn each other’s computers. When no one else will set up a capture-the-flag exercise for you, you hack on each other.
http://www.jointheagreement.com/
The Fast-Track Suite
by David Kennedy
The Fast-Track suite will be available in BackTrack 4, or check out the Fast-Track website.
All I seem to remember is “pop a box.” ;)
Very interesting point-and-click hacking. As I understand it, some Metasploit attacks were only available for specific old service packs; he has made the attacks more universal.
In pen testing, I believe people use the Windows debug utility to convert an uploaded hex dump back into a binary, and debug has a built-in 64 KB limit. He automates a way around that by supplying a new debug utility (at least that is how I understood it).
In the demos he’d run an exploit, upload a VNC server and connect to it.
I didn’t get a chair during this talk so I don’t have a lot of notes.

Shmoocon 2009 Day 1

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I’m not necessarily trying to reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.
Opening Remarks
by Bruce Potter
People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements anymore
  • In spite of the above, we haven’t changed our methods. It’s a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drive-bys.
These sites with drive-bys weren’t just the risky underbelly of the web; it was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year at USENIX.
The malicious content on these sites was then scanned using three top antivirus vendors. The best detection rate among the three was only 75%; the worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?
Digging ourselves out
As with most security talks and papers, I felt like a solution wasn’t really there. “Fixing fundamental problems”? I’m not sure if Bruce defined this. If he means teach everyone to code securely, then burn the existing software to the ground and start over, well, keep waiting for that.

The other talks on day one were quick 25-minute talks; I didn’t always have notes.
Open Vulture – Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O’Toole and Matt David
I didn’t take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.
Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you’ll have problems with PVC tubing not being rated for the PSI.
The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.
The bad guys lost command and control of the botnet when McColo was taken down. The good guys figured out how the botnet selected the hostname/domain name used as its backup. (The exact math is probably available at blog.fireeye.com, or look for the slides when they’re available on the Shmoocon website.) By registering those domain names they prevented the bad guys from regaining control.
Under U.S. law they felt they could not send an “uninstall” command to the botnet army. It would also be risky, since the bot runs in the kernel and you could potentially BSOD the clients.
No one asked about the return of spam that was reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had briefly brought the bad guys’ ASN back online, allowing them to regain control.
Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.
Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.
I found the talk interesting. When you’re doing manual static analysis of files, this could come in handy.
Decoding the Smartkey
by Shane Lawson
Kwikset SmartKey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bump keying. Here is a video from Kwikset on how to rekey.
Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine the key heights, compromising the lock.

SANS Newsbites on Phishing your Company

SANS Newsbites is a summary of the most important news articles published on computer security in the past week. It includes commentary from an editorial board.
In Volume 11 Number 9, they reported on the DOJ self-phishing exercises that have been in the news. I was a little surprised that Marcus Ranum wrote “This sort of test generally serves only to embarrass people and hasn’t been shown to have any useful long-term effect. When I see someone trying this kind of stuff, I think it’s just a case of some auditor or pen-tester trying to prove their worth by having something about which they can scream “GOTCHA!””
It is true that phishing has a great chance of success for pentesters. But I’ve seen numbers from phishme.com showing a marked improvement from initial tests to follow-up tests. That is what Alan Paller said in reply to Ranum in the Newsbites as well.
I agree with what Paller wrote: phishing your own company is a core component of increasing security awareness.
Any such testing should have the appropriate approval, of course. The contents of the phish should be considered carefully. You don’t want users to think you’ve gathered their credit card information, and you don’t want them notifying external fraud alert services. There are plenty of education opportunities without attempting to harvest PayPal accounts, for example.

EV Certs and IE7

I ran into an interesting problem on Tuesday.
I installed Extended Validation SSL certificates on three of our IIS servers and the ISA front end. Yes, yes, I know: “EV SSL is a scam.” They weren’t that expensive at DigiCert and I thought it would be cool to turn the address bar green.
After implementing, I found that Firefox computers and non-corporate computers with IE 7 saw the address bar turn green when browsing to my newly secured site. Surprisingly, IE7 on corporate-owned computers did not.
What I realized is that IE7 on XP uses the phishing filter to verify that the site is EV validated. The phishing filter is not on by default for the Internet Explorer Intranet zone. We have *.ourdomain.org in the Intranet zone, therefore no green bar for IE7 XP users.
Vista with IE7 works fine because Vista supports OCSP.
This is where it got kind of annoying. I expected group policy to be able to enable the phishing filter for the Intranet zone. Unfortunately, Microsoft hasn’t provided that for XP. This blog post seems to be accurate: http://www.frickelsoft.net/blog/?p=80
So my choices are to create an ADM and import it, or to open my XP group policy in Vista. This will upgrade the policy, I’ll be able to see the option to enable the phishing filter in the Intranet zone, and it will apply to IE7 on XP computers. I’ve been a bit leery of “upgrading” my policies this way ever since I opened Group Policy from an XP computer and then couldn’t open the policies at the Windows 2000 domain controller (until a patch was deployed from Microsoft).

User Education

Over at the impactalabs blog, Kevin Lam comments about a company that sent an all-employee email warning users about an IKEA phishing/malware email.
This hit something that I’ve been forced to re-examine this week. Is it effective to send all-employee emails warning about the latest virus attack on the internet?
I believe that if you find yourself regularly sending all-employee emails about security, then you should examine the technology you’ve chosen. Why is it leaking like a sieve? To justify an emergency email about a security threat, the email should be timely and actionable. In our case, if we don’t know of a single copy of the email getting through to our users, is it really necessary to warn them? The only answer I see is that they may infect us by reading the ISP’s webmail or checking personal email when outside our firewall.
Is it really necessary to raise security awareness through dire warnings about things that don’t affect the user anyway? It seems more appropriate for a security awareness newsletter or website. That is assuming users are trainable, which is a whole ‘nother story.