Yara CTF, Blackhat 2015

Welcome and good luck on the CTF!

Password: “Go forth and hack!!##one1”, no quotes.

PM_Yara_CTF_2015

One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP!

Please note: Challenge #4 contains a typo, it needs a Yara rule, not a key. Sorry for the error.

Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.

The Danger of Sensationalizing Phishing Statistics

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive; however, this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

DNS Abuse by Cybercriminals – RATs, Phish, and ChickenKillers

This week in our malware intelligence meeting, our analysts brought up DNS abuse by cybercriminals. Two malware samples were seen this week which had the domain “chickenkiller.com” in their infrastructure.

I thought this sounded familiar, but my first guess was wrong.  Chupacabra means “goat sucker” not “chicken killer”.  So, we did a search in the PhishMe Intelligence database and were surprised to see not only that “chickenkiller.com” was used in two different malware samples in the past week, but that there were also more than sixty phishing sites that linked to that domain!

What we’re seeing here is a combination of “Free subdomains” and “Dynamic DNS.”

The Anti-Phishing Working Group reports on the use of Subdomain Services for Phishing in its twice-yearly Global Phishing Survey.  In their last report, released on May 27, 2015, they found that free subdomain services were used for phishing in approximately 6% of all reports.  About half (49.5%) of those occurrences involved a single provider: free “altervista.org” subdomains.

PhishMe’s Phishing Operations team would certainly agree that Altervista.org hosts a large quantity and variety of phishing subdomains!  Already in 2015, we’ve seen altervista.org used in eleven different malware campaigns delivered via spam email, the majority of which distributed fake antivirus software and CryptoLocker ransomware. Additionally, 724 phishing sites on 424 different hostnames have been identified. Those phishing sites spoof 42 different online brands, and all are freely provided by Altervista.org.

When a “Free subdomain” is provided, it just means that rather than registering your own domain name and having to pay for it, you can add a hostname to an existing domain name that the free subdomain provider is giving out.  Often the quid pro quo for the free subdomain is that advertising may appear on the website that offers the free service.

Dynamic DNS

“Dynamic DNS” is something else.  For various reasons, people may want to have a name for their computer which follows them wherever they go.  This is common, for instance, with the online gaming community.  If I’d like my fellow gamers to be able to use a gaming server on my computer and I have DHCP, it is possible that my IP address might change from time to time. I could therefore register my computer with a Dynamic DNS service.  If I were to register a box for gaming, I may name it something like “GaryGamingBox.hopto.org”.   Each time my computer came online, it would reach out to the Dynamic DNS service at “hopto.org” and let that Dynamic DNS service know my current IP address.  The Dynamic DNS service would then publish a record so that anyone looking for “GaryGamingBox.hopto.org” would know my current IP address and could play a game.

While the service is valuable, it is open to DNS abuse by cybercriminals.  Rather than having to risk exposing their identity by purchasing a domain name, cybercriminals can set up a phishing site on a laptop computer, link that computer to a Dynamic DNS service, and visit a nearby Internet café or hack someone’s Wi-Fi and connect anonymously to the Internet.  The problem is also very common with cybercriminals who run a class of malware called Remote Administration Trojans or RATs.

In June of 2014, there was a great deal of controversy when the Microsoft Digital Crimes Unit disrupted two very large Remote Administration Trojan groups, which they called Bladabindi (more commonly known as njRAT) and Jenxcus (better known as H-Worm).

In order to disrupt the RATs, the Microsoft Digital Crimes Unit obtained a court order allowing them to seize control of the Dynamic DNS service Vitalwerks Internet Solutions, d/b/a NO-IP.com.  While the seizure was quickly reversed due to public outcry, the truth remained that many hacking websites and documents on how to set up your own RAT begin with instructions on how to link your Botnet Controller to a Dynamic DNS service.

The “builder” that lets a malware author create his own customized RAT prompts the criminal for the hostname that an infected victim should “call back” to in order to provide the Botnet criminal with remote control of the targeted machine.  These RATs are used for a variety of purposes, including in many cases, controlling the webcam and microphone of the victim which can lead to “sextortion” and blackmail.

ChickenKiller?

While the Microsoft takedown and the APWG report identify many of the most popular domain names used for Dynamic DNS, ChickenKiller.com is a gateway to a much larger and more varied community.  When we visit “ChickenKiller.com” we are provided with this screen, informing us that ChickenKiller.com is one of the 90,000 Free DNS domains operated by Afraid.org, currently serving 3.7 million subdomains and processing 2,000 DNS queries per second.

The Afraid.org domain list provides 91,647 domains that users can choose to host their free subdomain.  Since they are ordered by popularity, we checked the most popular ones against our phishing database:

mooo.com = 21 phishing campaigns, the most recent of which was a Wells Fargo phish at wellsfargo.com-login-online.mooo.com. Others included Poste Italiane, PayPal, Carta Si, Bank of America, QuickBooks (malware), Netflix, and Banco de Reservas.

chickenkiller.com = 59 phishing campaigns for a variety of brands, most recently Poste Italiane and Taobao.

us.to = 311 phishing campaigns, most of which were Paypal related, including some PayPal phishing campaigns from today on info-limit.us.to. Others included Facebook (warnku.us.to) and National Australia Bank.

strangled.net = 10 phishing campaigns, most recently a PayPal phish on www.paypal.service.com.strangled.net, but also Apple, Sicredi, Visa, MasterCard, and Taobao.

crabdance.com = 8 phishing campaigns, most recently an Apple iTunes phish.

info.tm = 75 phishing campaigns, including PayPal phishes from this week at paypal-serviced.info.tm and paypal.verfield.info.tm.

While many of the phishers are taking advantage of Afraid.org’s offer of “Free subdomain AND domain hosting!” others are being more subtle with their use of the free services.  For example, a recent Paypal phisher used the host “pplitalyppl.chickenkiller.com” in order to avoid having the true location of his phishing site shared in the spam emails that he was sending.  The spam contained the ChickenKiller link, which had a simple PHP forwarder that redirected the user to the phisher’s hacked website in the Netherlands.  In other cases the phishing page is on a “normal” hacked website, but the ACTION script that processes the stolen credentials, usually emailing them to a criminal, is hosted on a Free or Dynamic DNS subdomain.

The bottom line is that business customers need to be aware of DNS abuse by cybercriminals. Free subdomain and dynamic DNS services are often used by criminals for their Trojans AND their phishing pages.  These types of domains are also fairly unlikely to be used for legitimate B2B purposes, so their presence in your log files is likely to be highly suspect.  Also, be aware that Afraid.org is a white hat hacking group.  Josh Anderson, who runs a wide variety of interesting DNS services at that site, hates to have his domains abused as much as anyone else.  If you see a suspicious subdomain address and the nameservers are set to “NS1.AFRAID.ORG”, be sure to report it by emailing “abuse@afraid.org”. It could be yet another case of DNS abuse by cybercriminals.
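The advice above, that free-subdomain and dynamic-DNS hostnames in your own logs deserve a second look, is easy to turn into a log check. The following Python is an added example written for this post, not PhishMe’s tooling: it scans constructed proxy log lines for hostnames under the provider parents named in the article (altervista.org, hopto.org, chickenkiller.com, mooo.com, us.to, strangled.net, crabdance.com, info.tm), matches on label boundaries so that look-alikes such as “notus.to” are not flagged, and includes a helper that applies the article’s NS1.AFRAID.ORG rule to an NS record set you have already looked up. The log format and all hostnames in the sample are assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Parent domains named in the post as free-subdomain / dynamic-DNS providers.
# A real deployment would load a larger, maintained list (assumption: this short
# set is only what the article mentions).
FREE_SUBDOMAIN_PARENTS = {
    "altervista.org", "hopto.org", "chickenkiller.com", "mooo.com",
    "us.to", "strangled.net", "crabdance.com", "info.tm",
}

# Hypothetical proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; every hostname here is made up for the example.
SAMPLE_LOG = """\
2015-06-02T09:14:03Z 10.1.4.22 GET http://wellsfargo.com-login-online.mooo.com/login.php 200
2015-06-02T09:14:09Z 10.1.4.22 GET https://www.wellsfargo.com/ 200
2015-06-02T09:15:41Z 10.1.7.8 GET http://pplitalyppl.chickenkiller.com/go.php 302
2015-06-02T09:16:00Z 10.1.7.8 GET http://notus.to/ 200
2015-06-02T09:17:12Z 10.1.9.3 POST http://info-limit.us.to/post.php 200
2015-06-02T09:18:30Z 10.1.9.3 GET http://chickenkiller.com.example.net/ 200
"""


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate URLs written without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def matched_parent(hostname: str) -> Optional[str]:
    """Return the provider parent if `hostname` is a *subdomain* of one.

    Walking the label boundaries means 'notus.to' and
    'chickenkiller.com.example.net' are not flagged, and the provider's own
    apex (e.g. 'us.to' by itself) is not flagged either, since the article is
    about abuse of subdomains handed out under these parents.
    """
    labels = hostname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FREE_SUBDOMAIN_PARENTS:
            return candidate
    return None


def scan_proxy_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per request whose hostname sits under a known parent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real scanner would count these
        host = hostname_of(m["url"])
        parent = matched_parent(host) if host else None
        if parent:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "host": host, "parent": parent})
    return hits


def hits_by_parent(hits: Iterable[dict]) -> Counter:
    """Summarise which providers the flagged traffic went to."""
    return Counter(h["parent"] for h in hits)


def uses_afraid_nameservers(ns_records: Iterable[str]) -> bool:
    """The article's reporting rule: NS records under afraid.org mean the
    subdomain was handed out by Afraid.org's free DNS and can be reported to
    abuse@afraid.org. `ns_records` is whatever your resolver returned."""
    return any(ns.lower().rstrip(".").endswith(".afraid.org") for ns in ns_records)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']} (under {h['parent']})")
    print(dict(hits_by_parent(found)))
    print("report to afraid.org:",
          uses_afraid_nameservers(["ns1.afraid.org.", "ns2.afraid.org."]))
```

Run over the constructed sample, three of the six requests are flagged (mooo.com, chickenkiller.com, us.to) and the two look-alike hostnames are left alone. In practice you would feed it your proxy or DNS query log and review the flagged clients rather than block on sight, since the article notes these services also have legitimate users.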

Has Your Yahoo Password Been Stolen?

Has your Yahoo password been stolen? Would you be aware if that was the case? Many people who have fallen for the latest Yahoo password stealing scam will be unaware that their account is no longer secure.

PhishMe researchers are always finding new tactics used by the top phishers to steal login credentials for popular on-line services, and attacks on Yahoo users are incredibly common. We recently found a very clever phisher using the idea of strengthening your password against you. Let’s explore this phishing scenario in detail.

Since the beginning of May, the URL:

hxxp://markspikes.com/2/us-mg5.mail.yahoo.com/

has loaded a page that asks the victim to confirm the strength of their Yahoo! Mail password.

What a great service! However, this request is not being made on the Yahoo! site. The activity takes place on MarkSpikes.com, as is shown in the screenshot below:

When someone falls for this Yahoo password stealing scam, a PHP script on the compromised MarkSpikes.com web server emails the password to the criminal.  By viewing the source code of the phishing page, we can see the name of the script is hellion.php, but we also find some interesting comments in the code, as seen below:

# HELLION PROUDLY PRESENTS, Auto Killer v1.0
# This program is free software brought to you by Hellion:
# You can redistribute it and/or modify it under the terms of
# the GNU General Public License as published by the Free Software Foundation,
# either version 3 of the License, or (at your option) any later version.
# However, the license header, copyright and author credits
# must not be modified in any form and always be displayed.
# This program is distributed in the hope that it will be useful
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# Contact me : team_pbg@yahoo.com for more details.
# Skype: teamipwned
# Special greets to Shaif Lifax, Solaree, PaperBoi, Softwarewind, Emoney, and others who helped!
# WARNING: Do not touch anything here!

These comments give us a good deal of information about who designed this phishing attack and who may also be collecting the stolen Yahoo! account passwords.

The Yahoo! username “team_pgb” is tied to two recovery email accounts as seen in the captured Yahoo! Forgot Password screen below:

Yahoo! may want to check and see how their user “team_pgb” is sharing code for spoofing Yahoo! password strength checkers!

PhishMe Intelligence is useful for determining which other brands may be affected by this attack.  A search on the MarkSpikes.com domain reveals there have been several other phishing attacks hosted on the same domain recently.  A variation on the Yahoo password stealing attack above asks the victim to strengthen their account from threats by confirming the strength of their password.  A Microsoft version from May 2nd suggests, as seen below, that the password should be entered in order to verify the account.

Going back to March 1st, Google users were phished at another URL on the same domain:

hxxp://markspikes.com/all/2/i/g/connect_i.php

Another very similar Google phish was identified in the same timeframe as the one mentioned above.  From one of those phishing servers, PhishMe archived a phishing kit left behind by the criminals.  Inside, it reveals that the Google passwords were being sent by the phishing server in email messages from results@blazerscyberteam.net to thisisopio@gmail.com.  The domain blazerscyberteam.net was registered last October 24th using a privacy protection service.  There is a profile on Facebook for “Swift Opio DA Blazers” where the occupation is listed as “Director at Blazer Cyber Team”:
hxxps://www.facebook.com/swiftopio.dablazers

Though the Google phishing content has been removed from MarkSpikes.com, a perusal of the directory reveals that there is another type of phish at:
hxxp://markspikes.com/all/8/SHIPPING/

As can be seen in the screenshot below, this is a phish for an email address and password combination.  Once the details are entered, the victim is redirected to the My Maersk Line login page on my.maerskline.com.

Since February 1st, PhishMe has recorded thirteen other similar Maersk-style pages that phish for email addresses and passwords.

The hosting IP address for this domain is also interesting.  Since Sept. 11, 2013, PhishMe has recorded over 18 thousand attacks against hundreds of brands on the netblock 192.185.0.0/16, owned by Cyrus One and leased to HostGator’s WebsiteWelcome as “HGBLOCK-10”.

Let us know if you’ve seen similar phishing sites, if your Yahoo password has been stolen in a similar style of attack, or if you would like us to look into different tactics that you’ve recently observed, by using the comments section below.

Fighting Back Against a Fake Tech Support Call

’Tis the season for phishing emails, scams, and fake tech support calls. We recently investigated such a call received by one of PhishMe’s employees. After saying that he would call the “technician” back, the employee passed the number over to us and we began to investigate.

The number the technician provided us was “646-568-7609.” A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle.

Top 10 Phishing Attacks of 2014

With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.

WordPress Phishing: Target of Cybercriminals Worldwide

WordPress phishing attacks are now commonplace, with the sites a target for cybercriminals worldwide. WordPress and Phishing now go hand in hand. WordPress sites are being used by cybercriminals to obtain a wide range of sensitive data from users. In some cases, those sites are created by cybercriminals. In other cases, vulnerabilities in WordPress sites are leveraged and new content is created – content that captures users’ information. Exploit kits are also loaded onto the sites that download malware.

Today’s technical press was full of headlines about the recent WordPress updates; eWeek’s “WordPress 4.01 Updates Millions of Sites for 8 Flaws” is one example.

The WordPress.org website describes the latest WordPress 4.0.1 Security Release as a “Critical security release for all previous versions” and says we “strongly encourage you to update your sites immediately.”  According to the release, all versions of WordPress are affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site.

At PhishMe this is not big news. In fact, it’s not really news at all. Why? Well, we know that the great thing about WordPress is that the platform makes it quick and easy for any user to make a website! We also know that the worst thing about WordPress is that it makes it quick and easy for any user to make a website! Not only does it make it very quick and easy for cybercriminals to make new WordPress sites, the platform is also used by legitimate users to create a site that they then forget about maintaining. Having a website and then choosing not to maintain it, or perhaps not knowing enough about web security to be capable of maintaining it, is actually a very dangerous thing.

When people ask us about WordPress, we often tell them a story. Once upon a time, in the summer of 1983, my brother John and I went hiking in northern Michigan with a couple of Eagle Scout friends of ours called Philip and Michael. We assured our parents we would be safe in the woods for a week by ourselves; after all, our friends were Eagle Scouts! As we were hiking, dozens of miles from the nearest paved road, we came across a small shed in the woods, and inside the shed was a shotgun and a big box full of shells!

Being extremely responsible children, we of course notified the nearest authorities (ahem).

Having a WordPress website and failing to maintain it is exactly the same, in cyber terms at least, as leaving a loaded shotgun unattended on your front porch in a neighborhood full of curious teenagers. A dramatically high number of websites that are compromised and then used to distribute malware, to host malware C&C servers, and to host phishing webpages are made malicious as a result of carelessness by webmasters. Essentially the same as leaving a loaded gun on the porch or going on holiday and leaving the front door wide open.

When a curious teen or a convict picks up the gun and does harm to people, or when the house is burgled, it is easy to say “It wasn’t my fault!  I didn’t know!”  But perhaps we should start educating webmasters so they know that is not a valid excuse. Since we now know that cybercriminals target WordPress sites, leaving the sites with known vulnerabilities is nothing short of negligence. Your website could easily be turned into a WordPress phishing site if vulnerabilities are left unaddressed. Your site may also be used to infect all of your customers with malware.

How often does this really happen? One way to find many of these WordPress phishing sites is to look at the URL used in a phishing attack for evidence that it is a WordPress site. Many of these phishing attacks take the form of a Remote File Inclusion attack that often allows the attacker to inject their phishing content into a subdirectory of either the “wp-admin” directory or the “wp-content” directory.

We ran some searches in through our threat intelligence system to find out how many such pages we’ve seen. Just today there were:

  • Alibaba phish on “bluribbon.com/wp-admin” and “ambitionthekid.com/wp-admin/”
  • credit card phish on “resepmasakanalaindonesia.com/wp-includes”
  • TD Bank phish on “mariabobrova.com/wp-content/” and “jaw-photo.com/wp-content/”
  • generic email phish (AOL/Google/Microsoft/Yahoo) on “osiedlaimiasta.pl/wp-includes/” and “mariogavazzi.it/wp-content”
  • Paypal phish on “deluxetravelviajes.com/wp-content/”
  • Standard Bank phish on “woodsidenylawyer.com/wp-admin/”
  • AOL phish on “arkansaswebsiterentals.com/wp-content/”
  • Yahoo phish on “fenwaymarketing.com/wp-content/” and “pierrefauchard.com.br/wp-content/”
  • MayBank2U phish on “cascalhoriopreto.com.br/wp-admin/”
  • Halifax phish on “ics.com.ph/wp-admin/”
  • Royal Bank of Canada on “ohtleathercrafts.com/wp-content/”
  • Bank of America phish on “secureserver.net/~cables/wp-admin/”
  • BT.com phish on “accionpreventiva.cl/wp-content/”

And the business day is only half-way done!

Since January 1, 2014 we have seen:

  • 12,416 confirmed phishing URLs that contained the string “wp-content”
  • 6,054 confirmed phishing URLs that contained the string “wp-includes”
  • 4,255 confirmed phishing URLs that contained the string “wp-admin”

Those URLs were on 6,627 different domain names on 4,947 different IP addresses, at 164 different hosting companies. Sadly, the statistics make it clear that WordPress phishing websites tend to be clustered at hosting companies that offer cheap hosting with poor technical support. Often this is the result of “resellers” who use servers in those hosting company data centers to offer even cheaper webhosting deals with even poorer technical support.
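The counting described above, which tags a phishing URL as sitting on a WordPress site when its path contains “wp-content”, “wp-includes” or “wp-admin” and then rolls the hits up by domain and hosting IP, looks like this in code. This is an added example for this post, not PhishMe’s threat intelligence system; the sample URLs and the hostname-to-IP table are constructed (reserved .test and .example names), and it goes slightly beyond the article by matching the WordPress directories as whole path segments, so a hostname or file name that merely contains the string is not counted.

```python
from __future__ import annotations

from collections import Counter
from typing import Iterable, Optional
from urllib.parse import urlsplit

# The three directory names the article counts as WordPress markers.
WP_DIRS = ("wp-admin", "wp-content", "wp-includes")

# Constructed sample of "confirmed phishing URLs"; none of these hosts is real.
SAMPLE_URLS = [
    "http://victim-one.test/wp-admin/css/alibaba/index.php",
    "http://victim-two.test/wp-content/uploads/2014/11/paypal/login.htm",
    "http://victim-two.test/wp-includes/js/tdbank/",
    "http://victim-three.test/~cables/wp-admin/boa/",
    "http://wp-admin-tools.test/login.php",          # marker only in hostname: not a hit
    "http://victim-four.test/blog/wp-contents.txt",  # similar-looking file name: not a hit
    "https://www.example.com/signin",                # no WordPress marker at all
]

# Constructed resolver output for the sample hosts (assumption for the example;
# a real run would use the IP each URL resolved to at the time of the phish).
SAMPLE_HOST_TO_IP = {
    "victim-one.test": "192.0.2.10",
    "victim-two.test": "192.0.2.10",    # same shared-hosting box as victim-one
    "victim-three.test": "192.0.2.20",
}


def _split(url: str):
    """urlsplit that tolerates URLs written without a scheme."""
    return urlsplit(url if "://" in url else "//" + url)


def wordpress_marker(url: str) -> Optional[str]:
    """Return the first WordPress directory that appears as a path segment.

    Matching whole segments (not raw substrings) keeps 'wp-contents.txt' and a
    hostname like 'wp-admin-tools.test' out of the count.
    """
    for segment in _split(url).path.split("/"):
        if segment.lower() in WP_DIRS:
            return segment.lower()
    return None


def injected_subdirectory(url: str) -> Optional[str]:
    """The first path element *below* the WordPress directory, which is where the
    article says RFI-planted phishing content typically lands (e.g. 'uploads')."""
    segments = [s for s in _split(url).path.split("/") if s]
    for i, segment in enumerate(segments):
        if segment.lower() in WP_DIRS and i + 1 < len(segments):
            return segments[i + 1]
    return None


def wordpress_phish_report(urls: Iterable[str],
                           host_to_ip: dict[str, str] | None = None) -> dict:
    """Roll confirmed phishing URLs up the way the article reports them:
    hits per marker string, distinct domains, and distinct hosting IPs."""
    by_marker: Counter = Counter()
    domains: set[str] = set()
    ips: set[str] = set()
    for url in urls:
        marker = wordpress_marker(url)
        if marker is None:
            continue
        by_marker[marker] += 1
        host = (_split(url).hostname or "").lower()
        domains.add(host)
        if host_to_ip and host in host_to_ip:
            ips.add(host_to_ip[host])
    return {
        "by_marker": dict(by_marker),
        "total": sum(by_marker.values()),
        "domains": len(domains),
        "ips": len(ips),
    }


if __name__ == "__main__":
    report = wordpress_phish_report(SAMPLE_URLS, SAMPLE_HOST_TO_IP)
    print(report)
    for u in SAMPLE_URLS:
        print(f"{wordpress_marker(u) or '-':12} {injected_subdirectory(u) or '-':10} {u}")
```

On the constructed sample this yields four WordPress-hosted phishing URLs on three domains and two IPs, with two non-hits that a naive substring search would have miscounted. Grouping by IP is what lets you see the clustering at particular hosting companies that the article describes.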

Our checks showed six hosting companies had more than 100 domains hacked using a WordPress Remote File Inclusion attack — and five of those are in the United States!

We can’t put all the blame on the hosting companies. Many of them are providing “do-it-yourself” web services where the webmasters have chosen to NOT do-it-themselves when it comes to security!

Do you know a WordPress webmaster?  If so, make sure you share this article with them and have them upgrade by following the WordPress 4.0.1 Security Release guidance. If you do, you are helping to keep all of us safer from WordPress phishing attacks and malware downloads from WordPress sites!

If it Looks Like a Phish, Acts Like a Phish, it Could Be Malware

Most of us are familiar with the common idiom “If it looks like a duck, swims like a duck, quacks like a duck, then it is probably a duck.” Despite criminals’ constant efforts to change their techniques and tactics, this idiom usually holds true for online crime. Phishers have characteristic techniques in just the same way that malware writers and distributors employ specific tactics. These two don’t often overlap. However, when they do, it makes for a spectacularly effective attack.

This week, PhishMe’s analysts uncovered spam emails distributed by the Cutwail spamming botnet using a new JP Morgan Chase spam template in conjunction with hostile URLs to distribute two samples of the Dyre Trojan and a copy of the Kegotip information stealer malware. This was done with a two-step attack method that first presents victims with a fake login form. At first glance, this webpage resembles a credential phishing page put together by criminals to trick victims into entering their JPMorgan Chase sign in credentials.

However, a much more insidious attack was taking place as victims visited this page. Loading this page in a Web browser triggers online exploit resources to push a copy of the Upatre malware downloader and execute it on a victim’s machine. This malware was in turn used to obtain the Kegotip malware and one copy of Dyre. If a victim were to enter credentials into the fake sign-in page, he or she would then be presented with the opportunity to download a “Java update” which resulted in an infection involving a second, distinct sample of the Dyre Trojan.

In an interesting twist, the fake sign-in does not actually submit victims’ credentials to any drop point or collection resource, passing instead a single email address hard-coded into the webpage as the login value. Following the completed infection trajectory, seven files were left behind within the infected environment. These files included one compiled Java class, two copies of the Dyre Trojan, one “.db” file associated with the Dyre Trojan, one dropped Upatre executable, one empty .exe file believed to have temporarily contained the original Upatre executable binary, and one Kegotip executable.

Earlier this week, we discussed how 2014 has seen an evolution in the sophistication of the modern cybercriminal. This malware, posing as a phish, is no exception. The ability to catch these types of instances early makes threat intelligence a must-have.

Update:

After some additional thought on this topic, we were reminded of the Verizon Breach Report, which stated that while only 8% of your employees will enter credentials on a phishing page, 18% would visit the page, thinking they would be smart enough to know whether it was real or not when they got there.

In this case, the employee would still be infected by the malware by simply visiting the page.

Small but powerful — shortened URLs as an attack vector

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened Google URL and led to some surprising malware.

Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.