What is Actionable Intelligence?

Do you know what is actionable intelligence? Do you know the difference between threat intelligence and actionable intelligence? If not, read on.

The term actionable intelligence has joined the ranks of threat intelligence, big data and more words that are used in well-meaning ways, but are ultimately meaningless.

Don’t get us wrong, like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service offerings that are transforming the way that we approach today’s cyber threats.

In fact, there was a recent LinkedIn discussion on this very topic. A LinkedIn user posted this question:

What exactly is “actionable intelligence”? I see a lot of start-ups being created by MBA persons who have no background or credentials in IT security. The product they offer for big fees is known as “actionable intelligence”. They are trying to duplicate for businesses what the NSA, CIA, FBI, and DHS are doing for, and within, the federal government. My question is: how can these companies have the manpower and the resources to provide services like the NSA, CIA, FBI, DHS. We all have heard of the failures in intel coming from the best intel services in the world, i.e. NSA, CIA, etc. Those big boys have failures. What should we expect from these start-ups and your companies that are jumping on the bandwagon? And these companies do not know of the ordinary IT security practices like defense in depth, hardening systems. They are providing intelligence about the “bad guys”. How do they go about getting this intelligence? It is so secretive how does a CISO know if it is worth anything?

As the following definition from businessdictionary.com shows, actionable intelligence is not confined to security; maybe that’s why an ‘MBA person with no security credentials’ feels entitled to use the term, or may actually know something about it from its usage in a different field:

“Any intelligence can be used to boost a company’s strategic position against industry peers. The acquired intelligence must be transferred into real actions which can be used to either launch a preemptive strike or prepare a counter strategy. Examples include the competitors’ price range, marketing budget, target demographic, advertising campaign and strengths over a company’s own product. Overly aggressive attempts to gather intelligence from competitors may be illegal and constitute corporate espionage.”

Now onto some of the other questions posited: Let’s get into the context of security. Here is one definition that’s pretty good:

“Actionable Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

Not perfect, but not bad.

As for the vendors’ size, not everyone in the market of ‘threat intelligence’ is small – by the way, the industry analyst group The 451 estimates there will be $1.2B in spending this year and IDC thinks spending will be $1.8B. Symantec, Cisco, Intel/McAfee, IBM and many other large traditional security vendors have acquired threat intelligence offerings.

As for the startups and whether or not they can compete, the question isn’t one about manpower as you refer to with major security agencies; instead it’s about their technology and its ability to provide value. If they can provide that value with one person their ‘actionable intelligence’ will be purchased. And yes, just like traditional defense in depth systems, threat intelligence is not a panacea for the woes of security. However, the reality of failures of current defense in depth, hardening and other current security techniques has to be acknowledged. Many organizations realize that ‘defending’ and ‘responding’ is no longer as effective as it used to be, and that being intelligence led is required. Why? The hackers, the bad guys, are winning more and more.

As for traditional security (defense in depth, hardening, etc.), I don’t think anyone would ever suggest that you not use these and other network defenses. And these threat intelligence vendors don’t either. The traditional security systems and methods play a vital role in securing your network, even if they have their individual shortcomings. Their efficacy can be raised, however, when given the right kind of intelligence that has an immediate impact on network security. Threat intelligence can make these devices smarter, and make the security professionals who are too few and overworked ‘smarter’ about how to stop and prevent attacks.

As for how they get their intelligence, it’s different by vendor, and it’s a great question to ask them if you evaluate their offerings. And try before you buy, just like anything else; that way you will know if it has value, and so will your CISO!

Business Email Compromise Phishing Attacks Soaring

Business email compromise phishing attacks are soaring. The profits that can be made from these types of attacks have made them highly popular with cybercriminals. That should be of major concern for all business leaders.

When people ask me “What’s going on with Phishing?” these days I tell them that 2015 will be remembered as the Year of the Email Phish.  Not Email Phish as in “someone sent me a link to a malicious website by email”, but rather Email Phish as in “the goal of this phishing attack is to steal my email password.”  During the calendar month of September 2015, we’ve received nearly 23,000 phishing reports for nearly 7,000 distinct domains that hosted a phishing attack intended primarily to lure the victim into revealing their userid and password.

Here is just a sampling from the 2,150 domains seen this week. While Dropbox phish were very popular at the beginning of the month, we continue to see multi-brand targeting attacks for Google Docs, Google Drive, and most recently Adobe ID as well.

We also continue to see stand-alone AOL, Gmail, Hotmail, Outlook, Outlook Web Access, and Yahoo phish as well.

Targeting email accounts with phishing is certainly not new.  The very first Phishing Trends report from the Anti-Phishing Working Group, in January of 2004, only contained evidence of 176 phishing attacks, but of the 24 brands represented, four were Email service providers — 34 AOL phish, 9 Earthlink phish, 3 Microsoft phish, and 2 Yahoo phish.

The dramatic shift this year might be best demonstrated though by comparing the top 20 phishing brands targeted in September 2014 to the top 20 phishing brands targeted in September 2015.

In September 2014, only 21% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider. Of 22,000 confirmed phishing reports on 7160 different domains, 257 different brands were being imitated.  But only two of the top ten brands were Email Service Providers, and those trailed dramatically behind the leading phishing targets.


In September 2015, 62.5% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider!  Of 47,800 confirmed phishing reports on 12,127 different domains, 333 different brands were being imitated.  While the vast majority of these were financial services industry brands, the Top ten brands were led by five Email Service Providers!  52% of all the domains we saw abused for phishing this month contained attacks designed to steal your email address and password!

What the criminals have realized, but our employees seem to have forgotten, is that your email account is the Keys to the Kingdom!   Criminals are definitely focusing on compromised email accounts as a favorite attack vehicle.  The FBI’s Internet Crime and Complaint Center (ic3.gov) shared an Advisory at the end of August warning that more than 7,000 US-based businesses had lost as much as $700 MILLION due to what is being called “Business Email Compromise” scams.  The key to many of these scams begins when a criminal phishes one of your employees to begin studying the nature and structure of your company.

  • How do you reset a forgotten password for your bank, credit card, or online store?  They send you an email!
  • How do the criminals learn the types of email that you are accustomed to exchanging in your workplace?  They READ YOUR EMAIL!
  • How do criminals know when you are traveling?   They READ YOUR EMAIL!
  • How do criminals send an email to your friends and co-workers that they are CERTAIN TO OPEN?   They USE YOUR EMAIL TO SEND IT!

So, phishing is on the rise in all of its forms — more financial institutions are targeted than ever before, more phishing websites are created than ever before, and more malware is being delivered than ever before.   But the newest trick that we must all be wary of is that the email we just received from our co-worker?   It may be from your co-worker, or it may be that your co-worker has already fallen for an Email Phishing attack!

So now what?

  1. Be certain if you use a File-sharing site, such as DropBox, Microsoft OneDrive, Google Drive, or Google Docs, that the email you are following is really from your co-worker!  Warn your co-workers of this type of attack by sharing a link to this blog post!
  2. SET ACCOUNT ALERTING or Two-Step Verification for your email accounts.  If a strange device logs in to your Gmail account, Google can let you know!  Microsoft and Yahoo have similar features as well.  If possible, require Two-Step Verification for access to Email accounts.  Follow the correct link below to learn how to set this feature up for your email!
  3. NEVER RE-USE PASSWORDS!  REMIND YOUR EMPLOYEES that they should never use a password from their business accounts on a non-business account.  Your personal email address and your business email address should have different passwords, as should your bank account, your credit card account, your cell phone provider account, etc.

Upatre Malware Anti-Sandboxing Mechanism Uncovered

Researchers have been studying the Upatre malware anti-sandboxing mechanism over the course of the past few days, after capturing a number of samples of the malware.

The Upatre malware anti-sandboxing mechanism involves a delay in activity. A 12-minute delay, to be precise. That is how long it takes before the malware downloads its malicious payload. The delay is an anti-sandboxing tactic to ensure that the malware is not being executed in a sandbox environment where its actions can be analyzed and studied by security researchers. An early example of this technique can be found in any of the binaries delivered by the spam messages profiled in the PhishMe Intelligence database (Threat 4301), using spam email content like that shown in the image below:

Sandbox and analysis evasion is not a new technique for malware. Many of the mechanisms utilized by malware to detect that they are under analysis are exceedingly complex. Those anti-sandboxing mechanisms look for evidence of a sandbox hidden deep in the environment.

This often takes two forms—searching for traces that would indicate that the malware is being run on a virtual machine or searching for tools used by malware researchers to analyze the sample. These tasks require comparison of registry entries, device names, and running processes against known values that would reflect that the environment in which the malware is being run is not a real computer. However, as a result of the ongoing arms race between researchers and threat actors, analysis techniques have been developed that allow for researchers to avoid giving away their presence to the malware’s runtime. In fact, many of these analysis techniques have been implemented in automated and inline sandboxing tools, where advanced and sophisticated virtual machines are used to screen content for malware.

However, the Upatre malware anti-sandboxing mechanism is somewhat different from highly technical anti-sandboxing and analysis techniques. Instead, Upatre malware exploits characteristics of researcher behavior in creating and utilizing analysis environments. A similar tactic is employed by the Dyre Trojan, in that the malware interrogates the number of cores in the computer’s processor, refusing to execute in cases where there is only one. The Dyre Trojan makes the assumption that many analysis sandboxes will utilize a virtualized processor with only one core, while nearly all real, consumer-grade computers will have at least two cores in their processors.

A similar line of thinking is employed in the Upatre malware anti-sandboxing mechanism. The assumption made by the threat actor is that no real computer in use by a human being will be booted immediately before executing the malware binary. Instead, this behavior would be characteristic of a sandbox being started immediately before the introduction and execution of a malware binary.

Upatre malware utilizes the Windows GetTickCount function, used to enumerate the number of milliseconds that have passed since the Windows system was started. This is an effective means of tracking the system’s uptime, providing the malware binary an insight into the duration for which the system has been running. This anti-sandboxing mechanism is a simple branch in the malware’s execution logic. If the GetTickCount function returns a value that is too small—less than approximately 720 seconds or twelve minutes—the malware takes a branch that leads directly to a process exit. However, if GetTickCount returns a value greater than the twelve-minute uptime the malware will proceed to download and deobfuscate its Dyre malware payload.

Figure 2 shows the assembly code passed to the processor by an Upatre sample utilizing this uptime constraint. The red-highlighted breakpoint is the beginning of the code section where the value returned by GetTickCount is handled, while the black-highlighted line shows this value stored in the processor’s eax register as the hexadecimal value 0x001EA5E. That corresponds to a decimal value of 125,534 representing the approximately 125,000 milliseconds of uptime for the analysis system. After the return, immediately below the black-highlighted entry, the malware branches to either terminate the process or continue with the download and execution of a Dyre sample.
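The uptime branch described above, as an added example that is neither the post’s code nor the Upatre binary’s: it models the decision as a function of a “tick source” so an analysis environment can be checked for whether it would trip this check, and it shows the mitigation sandboxes use against it, a hooked tick source that presents a longer uptime. The 720,000 ms threshold is an assumption taken from the post’s “approximately 720 seconds”; the function names, the two constructed tick sources and the /proc/uptime stand-in for GetTickCount on non-Windows hosts are mine.

```c
#include <stdio.h>

/* Added example (not PhishMe's code or the Upatre binary): models the
 * uptime branch described in the post. Threshold is an assumption
 * ("approximately 720 seconds"); the sample's exact constant is not given. */
#define UPTIME_THRESHOLD_MS 720000UL

/* A tick source plays the role of GetTickCount(): milliseconds since boot. */
typedef unsigned long (*tick_source)(void);

/* Returns 1 if a sample using this check would continue to its payload,
 * 0 if it would take the exit branch. */
int upatre_style_branch(tick_source get_ticks)
{
    unsigned long ticks = get_ticks();
    return ticks >= UPTIME_THRESHOLD_MS ? 1 : 0;
}

/* The eax value quoted in the post, 0x1EA5E, decoded to milliseconds. */
unsigned long figure_tick_value(void) { return 0x1EA5EUL; }

/* Constructed tick sources standing in for two environments. */
unsigned long fresh_boot_ticks(void)    { return 0x1EA5EUL; }                   /* ~125 s: VM just booted */
unsigned long seasoned_host_ticks(void) { return 0x1EA5EUL + 15UL * 60 * 1000; } /* ~17 min: looks like a real host */

/* Defender-side mitigation: a hooked tick source that adds a fixed offset so
 * the analysis VM appears to have been up for longer than it really has. */
static unsigned long spoof_offset_ms = 0;
void set_tick_spoof_offset(unsigned long ms) { spoof_offset_ms = ms; }
unsigned long hooked_ticks(void) { return fresh_boot_ticks() + spoof_offset_ms; }

#ifdef _WIN32
#include <windows.h>
unsigned long real_ticks(void) { return (unsigned long)GetTickCount(); }
#else
/* Non-Windows stand-in: Linux exposes seconds since boot in /proc/uptime.
 * Returns 0 (and so "exit") where the file is unavailable. */
unsigned long real_ticks(void)
{
    double seconds = 0.0;
    FILE *f = fopen("/proc/uptime", "r");
    if (f) {
        if (fscanf(f, "%lf", &seconds) != 1) seconds = 0.0;
        fclose(f);
    }
    return (unsigned long)(seconds * 1000.0);
}
#endif

int main(void)
{
    printf("figure value 0x1EA5E = %lu ms\n", figure_tick_value());
    printf("fresh boot     -> %s\n", upatre_style_branch(fresh_boot_ticks) ? "continue" : "exit");
    printf("seasoned host  -> %s\n", upatre_style_branch(seasoned_host_ticks) ? "continue" : "exit");
    set_tick_spoof_offset(20UL * 60 * 1000);
    printf("hooked (spoof) -> %s\n", upatre_style_branch(hooked_ticks) ? "continue" : "exit");
    printf("this machine   -> %s (%lu ms up)\n",
           upatre_style_branch(real_ticks) ? "continue" : "exit", real_ticks());
    return 0;
}
```

The point for a sandbox operator is the last two lines of output: a freshly booted VM reports an uptime below the threshold and would never see the payload stage, whereas either letting the VM run past twelve minutes before detonation or hooking the tick source to add an offset takes the sample down its real path.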

By denying researchers or sandboxing tools the ability to observe the malware’s runtime behavior, except under certain specific circumstances, the threat actor preserves an element of secrecy for his or her operations. The indicators by which an Upatre sample can be identified are not revealed, thereby preventing those resources from being shared widely among researchers. Furthermore, since the malware’s hostile behavior lies beyond the crucial uptime-dependent branch, many sandbox tools would not provide visibility into the malware’s fully completed runtime, thereby missing crucial intelligence on this rapidly evolving threat.

PhishMe customers have access to the special report on this topic in their documents folder on PhishMe Intelligence. If you are not currently a PhishMe Intelligence customer and would like further information, please contact the PhishMe team today.

Deriving Malware Context Requires Human Analysis

Man versus machine is one of the oldest technology tropes. In the modern tech economy, it represents one of the largest driving forces in many industries in which processes are streamlined by the inclusion of robotics and automated processes. For the threat intelligence industry, the automated malware sandbox represents the machine that has been put in place to replace the work done by analysts. However, while producing high quality threat intelligence can be enhanced with the inclusion of some automation, completely replacing the human aspect greatly impacts the quality of your analysis.

The automated sandbox provides a snapshot of a malware’s behavior—what it does and how—but it often leaves out important context such as why. Another way to describe this is to consider much of what a sandbox collects as quantitative data that lacks qualitative explanation. Quantitative characteristics of indicators include facts such as the type of indicator (URL, IPv4 Address, etc.) while qualitative characteristics provide insight into the role this indicator plays in the malware’s lifecycle and botnet infrastructure. It is these qualitative characteristics that provide the most insight into how the malware operates and how organizations leveraging threat intelligence can mitigate the threat.

For example, even the longest-lived malware families and types can be subject to sudden change at the whim of a threat actor. The characteristics and traits that represent established indicators for a certain malware type can change overnight. When a change like this takes place, automated sandboxes will not produce the expected analysis results. If these results do not match existing rules, the machine may not know that something bad will come of running that application. This may allow new malware binaries to slip past automated defenses.

Humans, however, have a greater ability to identify unwanted behavior even when that behavior does not match any known rule. In these cases, an analyst can determine that an application is hostile and define what makes it hostile, even if the malware has not previously been catalogued.

Identifying these qualitative characteristics can be a complex task. The process by which this definition takes place must consider the unique context of every malware sample analyzed while at the same time provide a consistent framework for identifying the role each associated indicator plays in a malware’s lifecycle. PhishMe’s malware analysis is driven by human beings who manipulate the malware’s execution within a specialized environment. This human-driven analysis process gives PhishMe analysts an intimate and contextual understanding of the malware’s lifecycle.

Having analysts involved in this process means that communications between malware samples and their supporting infrastructure are subject to scrutiny in real-time. This in turn means that analysis results include a one-to-one parity between observations of a malware’s behavior and its use of supporting infrastructure. This has two implications. First, it allows for the detailed classification and qualification for a malware’s infrastructure. Secondly, it reduces the incidence of false positives since each quantitative indicator is matched to a behavior adding a vetting process to malware analysis.

Given the controlled nature of PhishMe’s analysis, it is easy to construct a distinct ontology for each malware sample based on the parity that can be drawn between infrastructure usage and resulting behavior. It is this understanding of cause-effect relationships that provides the context for categorizing the qualitative characteristics of malware indicators. Those characteristics, vetted by human analysts form the core of the rich intelligence provided by PhishMe.

CERT Researchers Examine Domain Blacklists

After researching everything you want to know about domain blacklists, Jonathan Spring and Leigh Metcalf – two members of the technical staff at the CERT Division of Carnegie Mellon University’s Software Engineering Institute – performed an additional analysis and case study on the Domain Blacklist Ecosystem.

Their research supports a hypothesis regarding how the difference in the threat indicators available from a range of different sources is related to sensor vantage and detection strategy. To facilitate this, they required a source of intelligence that varied the detection strategy without changing the sensor vantage.

University research continues to play an important role in how we develop and deliver our threat intelligence services today. As such, we are very pleased to assist Jonathan and Leigh in their on-going analysis of the cyber threat landscape and the intelligence being leveraged to protect networks, employees, and data from threat actors.

An indicator detection process enables us to specify whether the network touchpoint is a mail sender, an initial infection vector, or a location derived during malware runtime. Our intelligence feed further specifies how IP addresses, domains, and URLs are being used in support of an attack. This provides insight into where overlap is occurring and if components are being used for multiple purposes, both of which were key aspects of the CERT analysis.

PhishMe’s Indicators

Compared to 26 domain-based lists and 53 IP-address-based lists provided by other threat intelligence providers, we reported unique threat indicators 50% – 77% of the time.

Payload server:  77% unique
C2 server:       59% unique
Infection URL:   58% unique
Spam sender:     50% unique

Table 1: Sub-list intersections with all other indicator sources. (From CERT blog)

These data demonstrate that our threat intelligence exposes significant unique indicators while adding context and validity to duplicate indicators being collected from other sources. If a threat provider’s data have little overlap with 79 other blacklists, one should consider the applicability of those data. Are they stale? Are they regional? Do they apply to my business? Conversely, if a threat provider offered nothing unique, it would have little additive value. We believe this analysis demonstrates the ideal blend of confirmation and uniqueness of our data.
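The uniqueness figures in Table 1 are set arithmetic: for each of our sub-lists, the share of indicators that appear on none of the other sources. The following is an added example (not CERT’s or PhishMe’s code) that computes that figure and, for the overlapping indicators, records which other sources confirm them; every indicator value in it is a constructed placeholder, and the normalization rules are my own choice.

```python
"""Added example (not CERT's or PhishMe's code): computes the per-sub-list
uniqueness figure described above, i.e. the share of a provider's indicators
in each role that appears on none of the other sources' lists.
All indicator values below are constructed placeholders, not real IoCs."""

from typing import Dict, Iterable, Set


def normalize(indicator: str) -> str:
    """Canonicalize so trivial formatting differences do not hide overlap."""
    value = indicator.strip().lower().rstrip(".")
    if "://" in value:  # URL: drop the scheme, keep host and path
        value = value.split("://", 1)[1]
    return value


def uniqueness(provider_lists: Dict[str, Iterable[str]],
               other_sources: Dict[str, Iterable[str]]) -> Dict[str, float]:
    """Return {sub_list_name: percent of its indicators seen on no other source}."""
    union_of_others: Set[str] = set()
    for entries in other_sources.values():
        union_of_others.update(normalize(e) for e in entries)
    result = {}
    for name, entries in provider_lists.items():
        ours = {normalize(e) for e in entries}
        if not ours:
            result[name] = 0.0
            continue
        unique = ours - union_of_others
        result[name] = round(100.0 * len(unique) / len(ours), 1)
    return result


def overlap_report(provider_lists: Dict[str, Iterable[str]],
                   other_sources: Dict[str, Iterable[str]]) -> Dict[str, list]:
    """For each of our indicators, list the other sources that also carry it
    (the 'confirmation' side of the blend discussed above)."""
    index: Dict[str, Set[str]] = {}
    for src, entries in other_sources.items():
        for e in entries:
            index.setdefault(normalize(e), set()).add(src)
    return {normalize(e): sorted(index.get(normalize(e), ()))
            for entries in provider_lists.values() for e in entries}


# Constructed sample data (placeholder names and RFC 5737 test addresses).
PROVIDER = {
    "payload_server": ["payload-a.example", "payload-b.example",
                       "payload-c.example", "shared-1.example"],
    "c2_server": ["c2-a.example", "shared-1.example", "shared-2.example"],
    "spam_sender": ["192.0.2.10", "192.0.2.11"],
}
OTHERS = {
    "list_x": ["shared-1.example", "192.0.2.10", "unrelated.example"],
    "list_y": ["Shared-2.example.", "192.0.2.11"],
}

if __name__ == "__main__":
    for name, pct in uniqueness(PROVIDER, OTHERS).items():
        print(f"{name:15s} {pct:5.1f}% unique")
    for ind, seen in overlap_report(PROVIDER, OTHERS).items():
        print(f"  {ind:20s} confirmed by: {', '.join(seen) or '(none)'}")
```

Run against real feeds, the two numbers to read together are the uniqueness percentage (additive value) and, per indicator, the count of confirming sources (validity); a sub-list scoring near 100% unique with no confirmations anywhere is the case the paragraph above says to question.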

Bad Intelligence Is Costly Intelligence

Based on the premise that more is better, there was a rush over the past few years to collect as much threat intelligence as possible. However, it’s costly to analyze data on the way into security appliances to ensure that unreliable indicators are removed. It is even more expensive to filter and chase false positives triggered as a result of mediocre data sets. Choosing reliable providers that facilitate an effective response is therefore critical. The Ponemon Institute recently calculated that it costs the companies they surveyed $1.2M per year in time wasted chasing false positives. The Ponemon chart below shows that companies don’t even respond to most of the alerts that are generated – information overload is another problem altogether.

Chart 1: 2015 Ponemon Institute Cost of Data Breach Study

Data Quality

We filtered out benign domains, IP Addresses, and URLs during our malware and phishing analysis. This is one reason why you see less overlap between our intelligence and that of other sources. The high-signal aspect of our intelligence service makes it a viable source for automated rules designed for blocking network communication and escalating events. Furthermore, while the spam sender’s IP is useful for forensics, we don’t recommend automating actions using this indicator.

We use the MITRE STIX Campaign definition as the primary way of publishing threat intelligence in machine-readable format, including impact scores for each element. The full campaign file contains a rich set of vetted indicators collected using a combination of proprietary analytics and malware analyses. Portions of the threat intelligence service are published in formats optimized for SIEMs and other security appliances. We also provide the intelligence in JSON format for data scientists and the data hungry among us.

From Research to Production

The CERT analysis required a multi-faceted detection strategy with structured reporting of malware campaigns. This same approach is critical to deriving threat intelligence that is reliable, consumable, and contextual – all requirements for InfoSec teams relying on more automation to keep up with increasing volumes of incidents and alerts. It’s much easier to respond when you know what caused an alert or what’s at the other end of a network request. Similarly, finding value in threat intelligence is much easier after finding the right source of threat intelligence.

Has Your Yahoo Password Been Stolen?

Has your Yahoo password been stolen? Would you be aware if that was the case? Many people who have fallen for the latest Yahoo password stealing scam will be unaware that their account is no longer secure.

PhishMe researchers are always finding new tactics used by the top phishers to steal login credentials for popular on-line services, and attacks on Yahoo users are incredibly common. We recently found a very clever phisher using the idea of strengthening your password against you. Let’s explore this phishing scenario in detail.

Since the beginning of May, the URL:
has loaded a page that asks the victim to confirm the strength of their Yahoo! Mail password.

What a great service! However, this request is not being made on the Yahoo! site. The activity takes place on MarkSpikes.com, as is shown in the screenshot below:

When someone falls for this Yahoo password stealing scam, a PHP script on the compromised MarkSpikes.com web server emails the password to the criminal.  By viewing the source code of the phishing page, we can see the name of the script is hellion.php, but we also find some interesting comments in the code, as seen below:

# This program is free software brought to you by Hellion:
# You can redistribute it and/or modify it under the terms of
# the GNU General Public License as published by the Free Software Foundation,
# either version 3 of the License, or (at your option) any later version.
# However, the license header, copyright and author credits
# must not be modified in any form and always be displayed.
# This program is distributed in the hope that it will be useful
# but WITHOUT ANY WARRANTY; without even the implied warranty of

# Contact me : team_pbg@yahoo.com for more details.
# Skype: teamipwned
# Special greets to Shaif Lifax, Solaree, PaperBoi, Softwarewind, Emoney, and others who helped!
# WARNING: Do not touch anything here!

These comments give us a good deal of information about who designed this phishing attack and who may also be collecting the stolen Yahoo! account passwords.
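What the post did by hand, reading the page source to find where the credential form posts and who signed the kit, can be scripted for triage of captured phishing pages. The following is an added example and not PhishMe’s code: it parses an HTML page, resolves each password-collecting form’s action against the page’s own URL, flags actions that post to a host outside the impersonated brand’s domain, and pulls e-mail addresses and Skype handles out of HTML comments. The sample page is constructed for the example; only the script name hellion.php comes from the post, and the hosting URL, contact address and handle are placeholders.

```python
"""Added example (not PhishMe's code): triage helper for a captured phishing
page. Finds forms that collect a password, resolves where each one posts,
flags off-brand destinations, and extracts contact details from comments.
The sample HTML is constructed; only 'hellion.php' comes from the post."""

import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SKYPE_RE = re.compile(r"skype\s*:\s*(\S+)", re.IGNORECASE)


class PhishFormParser(HTMLParser):
    """Collects <form> actions, whether each form has a password field, and comments."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "has_password": bool}
        self.comments = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_comment(self, data):
        self.comments.append(data)


def triage(page_url: str, html: str, brand_domain: str) -> dict:
    """Report credential forms posting outside brand_domain plus comment contacts."""
    parser = PhishFormParser()
    parser.feed(html)
    brand = brand_domain.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])   # relative actions resolve against the page
        host = (urlsplit(target).hostname or "").lower()
        off_brand = not (host == brand or host.endswith("." + brand))
        findings.append({"posts_to": target, "host": host, "off_brand": off_brand})
    comment_text = "\n".join(parser.comments)
    return {
        "credential_forms": findings,
        "suspicious": any(f["off_brand"] for f in findings),
        "emails_in_comments": sorted(set(EMAIL_RE.findall(comment_text))),
        "skype_in_comments": sorted(set(SKYPE_RE.findall(comment_text))),
    }


# Constructed sample page; host, address and handle are placeholders.
SAMPLE_URL = "http://phishing-host.example/yahoo/index.html"
SAMPLE_HTML = """
<html><body>
<!-- Contact me : operator@example.com for more details.
     Skype: operator_handle -->
<h1>Confirm the strength of your Yahoo! Mail password</h1>
<form action="hellion.php" method="post">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Check">
</form>
</body></html>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_URL, SAMPLE_HTML, "yahoo.com"), indent=2))
```

The host comparison is deliberately strict (exact match or a subdomain of the brand), since a lookalike such as a brand name embedded in another registrable domain should still be flagged.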

The Yahoo! username “team_pgb” is tied to two recovery email accounts as seen in the captured Yahoo! Forgot Password screen below:

Yahoo! may want to check and see how their user “team_pgb” is sharing code for spoofing Yahoo! password strength checkers!

PhishMe Intelligence is useful for determining which other brands may be affected by this attack.  A search on the MarkSpikes.com domain reveals there have been several other phishing attacks hosted on the same domain recently.  A variation on the Yahoo password stealing attack above asks the victim to strengthen their account from threats by confirming the strength of their password.  A Microsoft version from May 2nd suggests, as seen below, that the password should be entered in order to verify the account.

Going back to March 1st, Google users were phished at another URL on the same domain:
Another very similar Google phish was identified in the same timeframe as the one mentioned above.  From one of those phishing servers, PhishMe archived a phishing kit left behind by the criminals.  Inside, it reveals that the Google passwords were being sent by the phishing server in email messages from results@blazerscyberteam.net to thisisopio@gmail.com.  The domain blazerscyberteam.net was registered last October 24th using a privacy protection service.  There is a profile on Facebook for “Swift Opio DA Blazers” where the occupation is listed as “Director at Blazer Cyber Team”:

Though the Google phishing content has been removed from MarkSpikes.com, a perusal of the directory reveals that there is another type of phish at:

As can be seen in the screenshot below, this is a phish for an email address and password combination. Once the details are entered, the victim is redirected to the My Maersk Line login page on my.maerskline.com.

Since February 1st, PhishMe has recorded thirteen other similar Maersk-style pages that phish for email addresses and passwords.

The hosting IP address for this domain is also interesting.  Since Sept. 11, 2013, PhishMe has recorded over 18 thousand attacks against hundreds of brands on the netblock, owned by Cyrus One and leased to HostGator’s WebsiteWelcome as “HGBLOCK-10”.

Let us know if you’ve seen similar phishing sites, if your Yahoo password has been stolen in a similar style of attack, or if you would like us to look into a different tactic that you’ve recently observed, by using the comments section below.

Dyre Trojan Expands to Career Website Targets

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader.

We have already reached out to many of the newly impacted brands, several of which had a presence at MAAWG.  The relationships at MAAWG are so critical for maintaining effective response capabilities in the security industry.  Shaking hands and breaking bread with those in charge of security in very large organizations is critical to how the community actually gets things done!

PhishMe Intelligence subscribers will already have received our report on the Dyre Trojan, although, before the report was issued, their SIEMs and scripts will have been able to retrieve the campaign information and Indicators of Compromise (IOCs) to help protect their network and identify potentially compromised hosts.

PhishMe Analysis of the Upatre / Dyre Campaign

Today’s Dyre campaign was quite different than many of the previous Dyre campaigns that used a spam “lure” of a range of British brand names, with financial services companies extensively spoofed.  This campaign was quite high volume, with well over a thousand emails identified early in the morning.

The actual messages attempt to convince the user that their credit card has been charged several thousand dollars by the New York City Department of Finance.  The spam messages all have the “Subject: Thank you for your payment” and the sender appears to be nycserv@finance.nyc.gov.

The attachment, which claims to have more details about the parking fines that have been paid, is in .zip form.

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader.

We have already reached out to many of the newly impacted brands, several of which had a presence at MAAWG.  The relationships at MAAWG are so critical for maintaining effective response capabilities in the security industry.  Shaking hands and breaking bread with those in charge of security in very large organizations is critical to how the community actually gets things done!

PhishMe Intelligence subscribers will have already have received our report on the Dyre Trojan, although, before the report was issued, their SIEMs and scripts will have been able to retrieve the campaign information and Indicators of Compromise (IOCs) to help protect their network and identify potentially compromised hosts.

PhishMe Analysis of the Upatre / Dyre Campaign

Today’s Dyre campaign was quite different from many of the previous Dyre campaigns, which used a spam “lure” built around a range of British brand names, with financial services companies extensively spoofed.  This campaign was quite high volume, with well over a thousand emails identified early in the morning.

The actual messages attempt to convince the user that their credit card has been charged several thousand dollars by the New York City Department of Finance.  The spam messages all have the “Subject: Thank you for your payment” and the sender appears to be nycserv@finance.nyc.gov.

The attachment, which claims to have more details about the parking fines that have been paid, is in .zip form.

The PDF file is the Upatre executable, the TXT file is the Upatre-encoded version of the binary, while the “cube icon” file is the Dyre Trojan.
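The three campaign markers above (the subject line, the spoofed sender address and a .zip attachment) are the kind of IOCs a mail-gateway script can apply directly. The following Python is an added example, not code from PhishMe or its report; the messages it triages are constructed inline for the example, and a real deployment would instead read from a quarantine folder or mailbox export.

```python
"""Triage raw RFC 822 messages against the Dyre "parking fine" lure markers."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Campaign markers taken from the write-up above.
CAMPAIGN_SUBJECT = "Thank you for your payment"
CAMPAIGN_SENDER = "nycserv@finance.nyc.gov"  # address the messages appear to come from


def build_message(sender, subject, attachment_name=None, payload=b""):
    """Construct a sample message (constructed test data, not a captured spam)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content("Details of the parking fines paid are attached.")
    if attachment_name:
        msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Three constructed messages: one matching the lure, one invoice that shares
# only the subject, and one with the spoofed sender but no attachment.
SAMPLES = [
    build_message(CAMPAIGN_SENDER, CAMPAIGN_SUBJECT, "parking_fine_details.zip", b"PK\x03\x04"),
    build_message("billing@example.com", CAMPAIGN_SUBJECT, "invoice.pdf", b"%PDF-1.4"),
    build_message(CAMPAIGN_SENDER, CAMPAIGN_SUBJECT),
]


def matches_dyre_lure(raw_bytes):
    """True only when subject, apparent sender and a .zip attachment all match."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    has_zip = any((part.get_filename() or "").lower().endswith(".zip")
                  for part in msg.iter_attachments())
    return subject == CAMPAIGN_SUBJECT and sender == CAMPAIGN_SENDER and has_zip


def triage(raw_messages):
    """Return the indexes of the messages that match the lure."""
    return [i for i, raw in enumerate(raw_messages) if matches_dyre_lure(raw)]


if __name__ == "__main__":
    print("flagged:", triage(SAMPLES))
```

Requiring all three markers keeps false positives down on a subject line that legitimate billing systems also use; the spoofed sender is the strongest single signal, since the header should never carry that address unless the message really originated from the agency.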

Career Sites Now Targeted

The Dyre Trojan uses a special configuration file to prioritize the credentials that it desires to steal.  PhishMe Intelligence subscribers will be familiar with several previous Dyre reports on how these configuration files work.  The current version is the first time that we have seen “Career Sites” targeted by Dyre.  The criminals have posed as employers on the following sites:

SimplyHired, Indeed.com, Monster.com, GlassDoor, CareerBuilder.

The URL substrings that will trigger Dyre’s special actions are listed below:





Non-Career Sites Also Added Today

We’re not sure why the following were also added.  Perhaps the NewEgg entry indicates a desire to do a little shopping, or perhaps something more sinister may be occurring.


The criminals also are targeting the administrators of mailing lists hosted by MailChimp, which could allow them to deliver malicious emails on behalf of a “trusted” source, helping the criminals to bypass spam filtering controls.

  • mailchimp.com
  • *.admin.mailchimp.com/campaigns*
  • *.admin.mailchimp.com/lists*
  • *.admin.mailchimp.com/account/domains*
  • *.admin.mailchimp.com/reports*
  • mailchimp.com/v/favicon.ico[?]*

GoDaddy accounts would allow creation of domains and also modification of existing domains for malicious purposes.


Lastly, Accurint refers to the LexisNexis Accurint database.  This is a very rich collection of Public Records with more than 37 billion entries that can be used for verifying identities.

  • accurint.com/app/bps/main
  • accurint.com/1/favicon.ico[?]*
  • accurint.com
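The MailChimp and Accurint entries above are URL substrings from the Trojan’s target configuration, and a defender can reuse them to spot which of their users have been visiting services whose credentials an infected host would hand over. The Python below is an added example, not PhishMe tooling or Dyre’s own matching code; the wildcard semantics (`*` matches any run of characters, `[?]` is a literal question mark, and a pattern matches anywhere inside the URL) are an assumption, as are the proxy-log format and the log lines, which are constructed for the example.

```python
"""Match URLs against Dyre-style target substrings and scan a proxy log for them."""
import re

# Patterns copied from the lists above. The interpretation is an assumption:
# '*' matches any run of characters, '[?]' is a literal '?', and a pattern
# matches when it occurs anywhere inside the URL (substring semantics).
DYRE_TARGET_PATTERNS = [
    "mailchimp.com",
    "*.admin.mailchimp.com/campaigns*",
    "*.admin.mailchimp.com/lists*",
    "*.admin.mailchimp.com/account/domains*",
    "*.admin.mailchimp.com/reports*",
    "mailchimp.com/v/favicon.ico[?]*",
    "accurint.com/app/bps/main",
    "accurint.com/1/favicon.ico[?]*",
    "accurint.com",
]


def pattern_to_regex(pattern):
    """Translate one config substring into a compiled, case-insensitive regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "[" and i + 2 < len(pattern) and pattern[i + 2] == "]":
            parts.append(re.escape(pattern[i + 1]))  # bracketed literal such as [?]
            i += 2
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in DYRE_TARGET_PATTERNS]


def targeted_patterns(url):
    """Return every config pattern that would fire on this URL."""
    return [p for p, rx in COMPILED if rx.search(url)]


# Constructed proxy log lines, fields: "timestamp user url" (not real traffic).
PROXY_LOG = """\
2015-02-10T09:14:02Z alice https://us3.admin.mailchimp.com/campaigns/edit?id=1234
2015-02-10T09:15:30Z bob https://www.example.com/news
2015-02-10T09:16:11Z carol https://secure.accurint.com/app/bps/main
2015-02-10T09:17:45Z dave https://mailchimp.com/v/favicon.ico?v=2
"""


def scan_proxy_log(text):
    """Return (user, url, matching patterns) for each visit to a targeted service."""
    hits = []
    for line in text.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        matched = targeted_patterns(url)
        if matched:
            hits.append((user, url, matched))
    return hits


if __name__ == "__main__":
    for user, url, matched in scan_proxy_log(PROXY_LOG):
        print(user, url, matched)
```

Run against the proxy logs of a host confirmed as infected, the output is the list of accounts (mailing-list admin, registrar, public-records database) whose passwords should be reset first; the bare domain entries such as `mailchimp.com` will match every page on the site, which is useful for reset prioritisation but too noisy on its own to serve as an alert.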



Forbes.com, Adobe Flash Player, and Your Email

What do the three topics in today’s title have in common?  Quite a bit if you are in the malware business!  Near the top of the Tech news today is the story that Forbes.com, the 61st most popular website in the United States, has been distributing malware through its “Thought Of The Day” advertisements application.

When first visiting Forbes, regardless of which article link you have clicked on from your websearch, newsreader, Facebook/Twitter link, or email recommendation, you don’t go directly to the article.  Instead you are taken to a “Thought Of The Day” page, where Forbes is able to sell some of their most valuable advertisements.

Those advertising spaces are valuable. They are displayed to all visitors to the website. That’s a lot of traffic and exposure for the advertisers. However, not all of those advertisers are genuine companies looking to promote their products or brands. Cybercriminals have also taken advantage of these ad blocks and have been using them for their own forms of adverts – Otherwise known as malvertising. These malvertising advertisements link to phishing websites or sites containing exploit kits that silently download malware.

The Patching Myth

The story was first shared with the media by Andrea Peterson via her technology policy blog at the Washington Post. She interviewed iSight Partners’ Steve Ward and was told that from at least November 28th to December 1st, two specific vulnerabilities were used in this attack.  The first was a vulnerability in Adobe Flash Player known in the industry as CVE-2014-9163.  Many Windows users faithfully patch their Microsoft software, including Windows and Internet Explorer, but fail to patch other applications that interact with their web browser.   In this case, unless the user had patched their version of Adobe Flash Player AFTER December 9th, the day that Adobe released their patch, APSB14-27, they would have been vulnerable to attack. The website was delivering its attack until December 1st.  That means EVERYONE WAS VULNERABLE!  This condition, called a 0-day, is when hackers are actively exploiting a vulnerability for which there is no patch.

Many websites require the use of Adobe Flash in order to deliver animated advertisements, or to enable certain functionality of their websites.  Apple Computers took a great deal of heat by refusing to allow Flash to be used in the iOS operating system used on iPhones and iPads.  Their claim that this was a security feature is regularly proven.

The second exploit used in this attack was a vulnerability in Internet Explorer versions 9 and higher, known by its Common Vulnerabilities and Exposures id CVE-2015-0071.  A patch for this vulnerability was released by Microsoft – MS15-009 – on February 10, 2015. It was another 0-day vulnerability that was being actively exploited in the wild.

Exploit Kits

An Exploit Kit is a way of delivering not just two exploits, but in some cases dozens.  In the Forbes situation, a very advanced actor used two previously unpublished vulnerabilities to attack computers.  If a visitor to the Forbes.com site was using Internet Explorer on a current version of Windows, the IE9 vulnerability was exploited. If they had Adobe Flash Player installed and were using an older version of Windows, that was the path of attack.

Exploit kits do that on steroids.  Three of the most popular exploit kits today are the Angler Exploit Kit, the Rig Exploit Kit, and the Sweet Orange Exploit Kit.  Criminals who run these malware delivery systems allow other criminals to subscribe to them so that whenever a new vulnerability is made public, these kits can take advantage of that vulnerability. Additional exploits are uploaded to the kit. For example, late last year, Rig was updated to include CVE-2014-0515 (another Flash Exploit, patched by Adobe in April 2014) and CVE-2014-0569 (another Flash Exploit, patched by Adobe in October 2014).  Sweet Orange did both of those, and also CVE-2014-6332, a Microsoft Windows exploit patched in Critical Security Patch MS14-064.

The way the Exploit Kits work is they search for vulnerabilities on web visitors’ computers that can be exploited. When a vulnerability is discovered, it is used to push the payload of the criminals’ choice.  So ANY malware that a criminal wants to deliver can be silently downloaded as the payload of an Exploit Kit.  But first, they have to get a visitor to go to the site that is hosting the Exploit Kit.

After purchasing access to an Exploit Kit, criminals place their “license” to the Exploit Kit on a distribution page. They must then determine how they will drive traffic to that website.  Some criminals do that by introducing malicious advertisements into ad networks (malvertising), causing their ads to show up on high-ranking websites such as Yahoo, the New York Times, Amazon.com, and YouTube.  They can also place their malware on any website where they manage to acquire the userid and password of the webmaster. Sometimes that password gathering happens via a targeted phishing attack, such as those used to take over the Twitter accounts of CNN and Time Magazine.  Other times the passwords are harvested through regular password-stealing software, such as the Dyre Trojan or GameOver Zeus.
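The delivery chain just described (publisher page, ad network, exploit-kit landing page, exploit object, payload) leaves a recognisable trace in a web proxy log, and that trace is something a defender can hunt for. The Python below is an added example, not PhishMe code or any exploit kit’s logic; the log format, the domain names and the log lines are constructed, and the 60-second window and the content types it keys on are assumptions that a real deployment would tune.

```python
"""Heuristic for the drive-by chain described above, applied to constructed proxy-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

FLASH = "application/x-shockwave-flash"
BINARY = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=60)   # assumption: payload follows the exploit object quickly

# Constructed log, fields: timestamp client url content-type referrer ('-' if none).
PROXY_LOG = """\
2015-02-10T10:00:00Z 10.0.0.5 http://news.example.com/welcome/ text/html -
2015-02-10T10:00:01Z 10.0.0.5 http://ads.adnet.example.net/tag.js application/javascript http://news.example.com/welcome/
2015-02-10T10:00:03Z 10.0.0.5 http://qwe1.landing.example.org/index.php text/html http://ads.adnet.example.net/tag.js
2015-02-10T10:00:04Z 10.0.0.5 http://qwe1.landing.example.org/a.swf application/x-shockwave-flash http://qwe1.landing.example.org/index.php
2015-02-10T10:00:09Z 10.0.0.5 http://qwe1.landing.example.org/load.php application/octet-stream http://qwe1.landing.example.org/a.swf
2015-02-10T10:05:00Z 10.0.0.7 http://news.example.com/welcome/ text/html -
2015-02-10T10:05:02Z 10.0.0.7 http://news.example.com/video/player.swf application/x-shockwave-flash http://news.example.com/welcome/
"""


def parse_log(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, client, url, ctype, referrer = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "url": url, "host": urlparse(url).hostname,
            "ctype": ctype, "referrer": referrer,
        })
    return events


def referrer_chain(events, event):
    """Walk Referer headers back to the page the user actually opened."""
    by_url = {e["url"]: e for e in events}
    chain = [event["url"]]
    cur = event
    while cur["referrer"] in by_url and len(chain) < 10:
        cur = by_url[cur["referrer"]]
        chain.append(cur["url"])
    return list(reversed(chain))


def find_driveby_chains(events, window=WINDOW):
    """Flag a Flash object followed within `window` by a binary from the same host."""
    hits = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, flash in enumerate(evs):
            if flash["ctype"] != FLASH:
                continue
            for later in evs[i + 1:]:
                if later["ts"] - flash["ts"] > window:
                    break
                if later["ctype"] in BINARY and later["host"] == flash["host"]:
                    hits.append({"client": client, "host": flash["host"],
                                 "chain": referrer_chain(evs, flash) + [later["url"]]})
                    break
    return hits


if __name__ == "__main__":
    for hit in find_driveby_chains(parse_log(PROXY_LOG)):
        print(hit["client"], "->", " -> ".join(hit["chain"]))
```

The reconstructed referrer chain is what makes the alert actionable: it names the publisher page and the ad-network tag that led to the landing host, which is exactly the information needed to tell the publisher which advertiser to pull. The second client, which only played a video on the publisher’s own site, produces no alert.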

Of course, millions of websites have their own vulnerabilities that allow massive exploitation, such as the WordPress exploits in December 2014 where more than 100,000 websites began distributing malware called SoakSoak, leading Google to temporarily block access to more than 10,000 WordPress sites in their search results!  (According to Tripwire’s State of Security report, 23% of all websites run WordPress!)

A new explosion in Exploit Kit variants is likely after today’s revelation that the RIG Exploit Kit source code has been leaked online.

Exploit Kits and Spam

If a criminal doesn’t have the means to break in to sophisticated advertising networks, and doesn’t have ready access to webmaster passwords, the old reliable delivery mechanism is spam email. It’s not as sophisticated, but spam is still one of the most successful malware-delivery methods!  Cisco’s 2015 Annual Security Report shared the surprising news that spam volumes had risen by 250% in 2014. Perimeter security and web filtering are often effective at preventing users from visiting websites hosting Exploit Kits. In the case of the former, it can be difficult for criminals to bypass those security controls. In the case of the latter, not all organizations have web filters in place. The leading theory behind the rise in spamming is the realization by cybercriminals that the attack vector is still highly effective. Targeting end users allows cybercriminals to bypass perimeter security by attacking the weakest link in the security chain: End users.

Other sources have reached a contrary but equally harmful conclusion.  For example, PhishMe Intelligence shows there was a 56% DROP in spam volume in 2014; however, the percentage of emails that were deemed malicious increased to an average of 10%, with spikes as high as 40%!  (See InfoSecurity magazine – Spam Volumes Drop but Unsolicited Emails Get More Malicious).

All too often, malware authors use multiple delivery mechanisms to infect end users. One of the most famous examples of recent “dual-delivery” malware is the CryptoWall malware that proved to be so popular in 2014. As Phil Muncaster shared in Infosecurity magazine last month, links to CryptoWall 3.0 are commonly found both in spam and drive-by forms of Exploit Kits. It doesn’t matter which delivery method is used, the underlying architecture of the payload malware is identical.

The Ad-Blocking Controversy

Several popular security products either specifically block online advertising, or block the ads as a side-effect of not allowing code to execute from unapproved pages.  For example, see the Forbes “Home USA” news index page from today, as viewed in Chrome, and as viewed in Firefox with “NoScript” running.

In the top image, visiting the Forbes webpage results in top and bottom ads and an Adobe Flash Player-based video ad on the left of the page.  Visiting with FireFox with NoScript running prevents all of those ads from being displayed. That means malvertising is blocked, but so are legitimate adverts.

Where is the controversy?  The ethical question is that I am allowed to read Forbes magazine for free as a result of the contracts Forbes has to display its advertisers’ ads to its readers.  When I choose not to view ads for free content, am I not breaking the implied economy of the online world?  As the saying goes, “If you are not paying for something, you are not the customer, you are the product!”  Web publishers sell our eyeballs to their advertisers, but in viewing these ads are we exposing ourselves to risk?

Some online sources have revealed there were 5.3 trillion online advertisements displayed last year.  “Only” a few million of those were malicious. On the same list we see that 50% of the clicks on mobile ads are accidental. Interestingly, Solve Media claims you are more likely to survive a plane crash than click a banner ad.

I’ll end this post with an amusing news story about the Flash malware at Forbes.  NBC News had a video story about the article.  I couldn’t see it, because my Firefox won’t play the Flash Player unless I specifically allow it. However, they published the story about the malware attack on Forbes users, and included a Flash advertising block underneath.

Anthem and Post-breach phishing awareness

The Anthem data breach on February 5, 2015 raised the high-water mark on healthcare data breaches. The Anthem breach smashed all previous records, exposing close to 80 million members’ records. It was the largest healthcare data breach ever discovered by a considerable distance. Only a very small number of healthcare data breaches have been reported that have exceeded 2 million records.

In the United States, data breaches impacting the protected health information of patients and health plan members are required to be reported to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). OCR maintains a searchable database of all healthcare data breaches that have impacted 500 or more individuals. Many of those data breaches were relatively minor; a misdirected batch of emails, for example. Not all of those healthcare data breaches required such extensive actions and mitigations as the latest Anthem ‘mega’ breach.

Anthem’s CEO has now established the website “AnthemFacts.com” containing a Frequently Asked Questions document about the data breach, but the media offers plenty of alternative sources of Facts and FAQs.

Previous Largest Healthcare Data Breaches

The previous largest ever healthcare data breach occurred in 2011. The records of 4.6 million active and retired military personnel were reported stolen after back-up tapes of their health records disappeared from a data contractor’s car in San Antonio, Texas.  SAIC, the contractor involved, had no reason to believe the tapes were the target of the theft, or whether the thief even knew what he or she was stealing. (see Records of 4.9 mln stolen from car in Texas data breach ).

The second largest healthcare data breach occurred in 2014. Tennessee-based Community Health Systems experienced an “external criminal cyber-attack” in April and June of 2014 that resulted in the theft of the protected health information of its patients.  CHS’s Media Notice said it had worked closely with Federal law enforcement and believed they were the victim of an “Advanced Persistent Threat” group originating from China.  The HHS database indicates 4.5 million patient records were exposed in that breach.

The third largest healthcare data breach ever reported to OCR by a HIPAA-covered entity affected Advocate Medical Group.  4 million patient records were stolen from the company on July 15, 2013.  The unencrypted patient health records were stored on four laptop computers. It was unclear whether the laptops were stolen for their value or for the data that may have been stored on them.

The lawsuits filed on behalf of the potential victims were dismissed. In order “to claim injury, whether actual or threatened, the plaintiffs must establish it is ‘distinct and palpable’ and ‘fairly traceable’ to the defendant’s actions and that the requested relief would substantially redress the loss.”  (See Illinois court dismisses claims of potential loss from Advocate data breach ). The plaintiffs were unable to provide sufficient evidence to prove that was the case.

Other than the Xerox data breach, which cost the company the State of Texas Medicare contract in 2014, no other healthcare data breach listed on the OCR breach portal has resulted in the theft or exposure of more than two million records.

Healthcare Data Breach Lawsuits

As Forbes magazine recently explained, the number of records stolen in the Anthem cyberattack exceeds the sum of all the healthcare data breaches reported in the previous five years!   Anthem, which fell from its 52-week high stock price of $143.65 to $134.79 today following the announcement of the cyberattack, has already had four class action lawsuits filed against it. (See Cohen and Malad Anthem Lawsuit, Morris v. Anthem, Juliano v. Anthem (Alabama-based), and D’Angelo et. al. v. Anthem )

What all of these lawsuits claim is that the theft of current and former Anthem customers’ electronic protected health information puts plaintiffs and class members at an increased risk of suffering identity theft and fraud.  Specifically, the following data elements:

  • Full names
  • Birthdates
  • Email addresses
  • Employment details
  • Social Security numbers
  • Incomes
  • Home addresses

Anthem only has 34 million current customers and almost 80 million records were exposed. The breach therefore likely affects former customers and other family members included on the health plans.

The lawsuits make much of the fact that the U.S. Department of Health and Human Services’ Office for Civil Rights has previously fined Anthem for using “inadequate safeguards” to protect customer records. The California Attorney General has also taken action against Anthem, and specifically pointed at the fact that the company was storing customers’ Social Security numbers in an unencrypted format. (A 2013 report by the California OAG about 131 separate data breach incidents outlines that 1.4 million Californians would have been protected had their data been encrypted.)  Critics of Anthem have pointed out that the company was previously warned about the potential for breaches of ePHI in an FBI Private Industry Notification dated 8 April 2014 titled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain.”

Anthem is also accused of “failing to provide timely and accurate notice of the Anthem data breach” in violation of state data breach statutes in California, Colorado, Connecticut, Georgia, Kentucky, Virginia, and Wisconsin.

Be Alert for Phishing and Related Scams

While the theft of credit card data may seem harmful, credit monitoring is usually offered and credit card companies quickly re-issue cards that have been stolen in a cyberattack. Most victims of credit card fraud are also reimbursed for any fraudulent charges on their cards. Unfortunately, Social Security numbers are never re-issued. There is also unlikely to be any reimbursement or refunds if identities are stolen and financial losses are suffered.  Customers who have their SSN and personal data stolen are especially vulnerable to scams and face an elevated risk of identity theft and fraud for a lifetime. Anthem will certainly not be offering a lifetime of identity theft protection and credit monitoring services to breach victims.

Anthem services customers in the following states: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin.

Any company also servicing customers in those states should warn their Customer Service personnel to be on the alert for social engineering scams, possibly by telephone. Once the stolen Anthem data has been sold on, there will likely be many scammers who attempt to gain access to accounts or try to reset passwords on Anthem members’ other accounts that use their email addresses as their username.

Several reports have already been received of phishing emails claiming to advise potential victims of how to take advantage of data monitoring offers from Anthem. Security journalist Brian Krebs has already published reports on some of the phishing scams. ( Phishers Pounce on Anthem Breach ).  Krebs refers to Steve Ragan’s Salted Hash article in which he shared an internal memo explaining the data breach was not discovered until an employee noted that their account had been used without their authorization to perform queries in a database.  Eventually it was determined those queries had been on-going since December 10, 2014, although they were not discovered until January 27, 2015 and not verified until January 29, 2015.

Several news sources have made much of the fact that Anthem’s customers include defense contractors such as Northrop Grumman Corporation and The Boeing Company in Missouri.  Several sources reported to Bloomberg that this attack fits the nature of attacks from the People’s Liberation Army’s Unit 61398; a Shanghai-based hacking group whose members were indicted by Federal prosecutors last year.  If this is proven to be true, the cyberattack may have been conducted for espionage reasons. Data stolen in the attack would therefore be unlikely to be sold on to scammers. However, if that is the case, the data could be used in spear phishing attacks to obtain even more sensitive information on the victims.

CTB-Locker: The Latest Crypto Malware Coming to you Via Email Spam

The latest crypto malware threat – CTB-Locker – promises to be one of the most serious security threats seen in recent years. The latest crypto malware is one of many of its ilk that have emerged in the past two years. This form of malware encrypts files on victims’ computers and will not unlock them until a ransom is paid. Only then will the key to decrypt data be provided.

Crypto malware has been around for some time, although its popularity has been increasing over the past couple of years. One of the first major crypto malware variants was CryptoLocker. CryptoLocker first emerged in late 2013 and was particularly active throughout the first half of 2014.

CryptoLocker malware was a major concern for many businesses and individuals.  In June of 2014, the FBI was able to successfully disrupt CryptoLocker, along with Game Over Zeus, but according to the figures in their legal complaint against Evgeniy Bogachev, not before his malware had encrypted more than 230,000 computers, 120,000 of which were in the United States.

The second major crypto malware variant was CryptoWall. PhishMe documented 24 separate spam campaigns in Q3 that pushed CryptoWall.  But that number declined sharply in Q4, with only 10 CryptoWall spam campaigns seen in October, only 4 in November, and none at all in December.

The latest crypto malware threat emerged today. This new wave of crypto malware is being distributed via spam email.

PhishMe detected this new threat today when spam messages were intercepted containing an attachment that appeared to be some form of faxed document.  There were many variants of the spam messages including the one below:

  • Fax from RAMP Industries Ltd
  • [Fax server]= +07955-168045
  • [Fax server] : LPY.5705BBC7.1118
  • Incoming fax, NB-112420319-8448
  • New incoming fax message from +07829 062999
  • [Operational Support Ltd] Fax transmission=U2W9MABD921532EC5


The messages themselves contained very simple text explaining that your inbound fax was attached, for example:

No.: +07434 20 65 74
Date: 2015/01/18 14:56:54 CST
Pages: 5
ID: TVZ.79483B95A.8086
Filename: headband.zip
Peter Brett Associates
Eun Gransberry

The attached file used a seemingly random dictionary word.  Some of the .zip files observed by PhishMe were:

  • zip
  • zip
  • zip
  • zip
  • zip
  • zip
  • zip

Many anti-spam tools now unzip .zip attachments to check for the presence of an .exe within the compressed file.  This spam attempts to avoid tripping spam filtering solutions by containing a .zip file, which also contains a .zip file, which includes an .scr file.
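The evasion described above works against filters that only list the members of the outer archive. The Python below is an added example, not PhishMe’s or any vendor’s filter code: it builds a constructed .zip-in-.zip carrying a harmless stub named like the campaign’s .scr, shows that a one-level check misses it, and then walks the archive recursively with depth and size caps so that a deliberately nested or bloated archive cannot exhaust the scanner.

```python
"""Walk nested .zip attachments and report executable members at any depth."""
import io
import os
import zipfile

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 5                        # guard against archives nested to absurd depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # guard against decompression bombs


def build_sample():
    """Constructed .zip-in-.zip carrying a harmless 'MZ' stub (not the campaign's file)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("headband.scr", b"MZ" + b"\x00" * 62)  # only the magic bytes, not a real PE
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("headband.zip", inner.getvalue())
    return outer.getvalue()


def has_executable_one_level(blob):
    """The shallow check many filters apply: look only at the outer archive's members."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
                   for name in zf.namelist())


def executables_in_archive(blob, path="", depth=0):
    """Recurse into zip members; return 'outer.zip/inner.scr'-style paths of executables."""
    found = []
    if depth > MAX_DEPTH:
        return found
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return found  # not a zip (or corrupted); nothing to descend into
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                found.append(member)
            elif ext == ".zip" and info.file_size <= MAX_MEMBER_BYTES:
                found.extend(executables_in_archive(zf.read(info), member, depth + 1))
    return found


if __name__ == "__main__":
    sample = build_sample()
    print("one-level check:", has_executable_one_level(sample))
    print("recursive check:", executables_in_archive(sample))
```

The recursive walk keys on the member’s extension, which is what Windows uses to decide whether to execute it; a filter that instead trusts the declared MIME type or the outer filename is exactly what the double-zipped .scr was designed to slip past.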

No two files that we reviewed had the same malware hash.  One of the many ways the anti-virus industry inflates their numbers is to count each unique hash as a separate file.  PhishMe prefers to refer to the malware by the campaign name.  Since every .scr file was unique, we could claim that each was a new malware variant; however, that would have no meaningful value since each of these samples performs the same action and is structurally identical, if not actually identical. The only thing different in each is the hash.

The “.scr” file, which will be named with the same dictionary word as the .zip file from which it was extracted, is a downloader known as Dalexis.

Dalexis performs a similar role to the more common UPATRE malware.  Its job is to covertly download additional malware, unpack it, and execute it.  In this case, it does so by retrieving a file named “pack.tar.gz” from a variety of websites, such as:

  • breteau-photographe.com   /  tmp   / pack.tar.gz
  • com  / assets  / pack.tar.gz
  • asso.fr   / piwigotest   / pack.tar.gz
  • org   / histoiredesarts    / pack.tar.gz
  • voigt-its.de   /   fit  / pack.tar.gz

These files are not actually .tar.gz archive files, they are copies of the latest crypto malware – CTB-Locker – which have been XOR’ed in a special way that Dalexis knows how to reverse.  By passing through the network perimeter in an encoded format, the download is not scanned, since the file is not an executable or commonly known file type.

At that point, CTB-Locker takes over.  CTB is an acronym for Curve Tor Bitcoin.  Curve refers to the fact that the malware uses elliptic curve cryptography, which the author claims is the equivalent of RSA encryption with a 3072 bit key.  The first time we saw CTB being described was by the malware blogger Kaffeine back in July 2014.  At that time, CTB was primarily associated with the Angler Exploit Kit.

The author of the malware announced CTB to the criminal underworld in June, with a couple of interesting points.

The criminal, who uses the handle Tapkin, was offering his malware for $3,000, with a discount of 50% to the first purchaser.  He also advertised that he was planning to offer his latest crypto malware under an affiliate model. Under such a scheme, Tapkin or another criminal would host CTB, while affiliates could earn commission by infecting people. When a ransom demand is paid, the affiliate gets a cut of the profits, as does Tapkin. It is a common online marketing tactic used by retailers: they get others to do the hard work of making sales and take a smaller cut of the profits, but since those are sales they would otherwise have been unlikely to make, everyone is a winner.

We are not sure yet whether today’s spam will be revealed to be part of such an affiliate program, or whether this is just one of Tapkin’s customers.  We believe that the Angler Exploit Kit will continue to be used to deliver some forms of CTB-Locker, but expect that this will be the beginning of a long series of similar spam messages.  One challenge is that criminals may find the TOR network requirement to be a barrier to their efforts.

Regardless of how it is distributed, the sequence of infection with this latest crypto malware is as follows:

  1. After CTB has been downloaded, it encrypts files on the local machine.  Many file types that were not encrypted by previous crypto malware have been added to this latest version.  Most interestingly, several extensions related to computer source code have been added: extensions that would typically be found on a programmer’s computer.

  2. Once the encryption process is completed, the countdown begins!  There is a payment window for sending the ransom payment.  Failure to pay on time will see files encrypted forever.

  (2A) Choosing the “View” screen displays a list of the victim’s encrypted files.

  3. When the victim is ready to decrypt their files, clicking NEXT results in a request for the Private Decryption Key:

  4. But of course they aren’t going to give that to you for FREE!

  5. The only payment type accepted is Bitcoin, but several helpful links are included to educate the victim on how they can buy Bitcoin.  The latest crypto malware requires a substantial payment, the highest price we’ve seen in crypto malware to date.  This version asks for EIGHT Bitcoin, which have a current value of around $1520 USD:

  6. The addresses offered for contacting the criminal’s website require the use of the TOR network.  If you have TOR installed, you can use the “.onion.cab” address. If you don’t have TOR, you can use a “tor2web.org” gateway.

A more detailed analysis of this campaign has been provided to PhishMe Intelligence subscribers. The campaign ID is #2644.