Macro documents with XOR Encoded Payloads

When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up. This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code. When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.

Business Email Compromise Phishing Attacks Soaring

Business email compromise phishing attacks are soaring. The profits that can be made from these types of attacks have made them highly popular with cybercriminals. That should be of major concern for all business leaders.

When people ask me “What’s going on with Phishing?” these days I tell them that 2015 will be remembered as the Year of the Email Phish.  Not Email Phish as in “someone sent me a link to a malicious website by email”, but rather Email Phish as in “the goal of this phishing attack is to steal my email password.”  During the calendar month of September 2015, we’ve received nearly 23,000 phishing reports for nearly 7,000 distinct domains that hosted a phishing attack intended primarily to lure the victim into revealing their userid and password.

Here is just a sampling from the 2,150 domains seen this week.  While Dropbox phish were very popular at the beginning of the month, we continue to see multi-brand targeting attacks also for Google Docs, Google Drive, and most recently Adobe ID.


We also continue to see stand-alone AOL, Gmail, Hotmail, Outlook, Outlook Web Access, and Yahoo phish as well.

Targeting email accounts with phishing is certainly not new.  The very first Phishing Trends report from the Anti-Phishing Working Group, in January of 2004, only contained evidence of 176 phishing attacks, but of the 24 brands represented, four were Email service providers — 34 AOL phish, 9 Earthlink phish, 3 Microsoft phish, and 2 Yahoo phish.

The dramatic shift this year might be best demonstrated though by comparing the top 20 phishing brands targeted in September 2014 to the top 20 phishing brands targeted in September 2015.

In September 2014, only 21% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider. Of 22,000 confirmed phishing reports on 7160 different domains, 257 different brands were being imitated.  But only two of the top ten brands were Email Service Providers, and those trailed dramatically behind the leading phishing targets.


In September 2015, 62.5% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider!  Of 47,800 confirmed phishing reports on 12,127 different domains, 333 different brands were being imitated.  While the vast majority of these were financial services industry brands, the Top ten brands were led by five Email Service Providers!  52% of all the domains we saw abused for phishing this month contained attacks designed to steal your email address and password!

What the criminals have realized, but our employees seem to have forgotten, is that your email account is the Keys to the Kingdom!   Criminals are definitely focusing on compromised email accounts as a favorite attack vehicle.  The FBI’s Internet Crime and Complaint Center (ic3.gov) shared an Advisory at the end of August warning that more than 7,000 US-based businesses had lost as much as $700 MILLION due to what is being called “Business Email Compromise” scams.  The key to many of these scams begins when a criminal phishes one of your employees to begin studying the nature and structure of your company.

  • How do you reset a forgotten password for your bank, credit card, or online store?  They send you an email!
  • How do the criminals learn the types of email that you are accustomed to exchanging in your workplace?  They READ YOUR EMAIL!
  • How do criminals know when you are traveling?   They READ YOUR EMAIL!
  • How do criminals send an email to your friends and co-workers that they are CERTAIN TO OPEN?   They USE YOUR EMAIL TO SEND IT!

So, phishing is on the rise in all of its forms — more financial institutions are targeted than ever before, more phishing websites are created than ever before, and more malware is being delivered than ever before.   But the newest trick that we must all be wary of is that the email we just received from our co-worker?   It may be from your co-worker, or it may be that your co-worker has already fallen for an Email Phishing attack!

So now what?

  1. Be certain if you use a File-sharing site, such as Dropbox, Microsoft OneDrive, Google Drive, or Google Docs, that the email you are following is really from your co-worker!  Warn your co-workers of this type of attack by sharing a link to this blog post!
  2. SET ACCOUNT ALERTING or Two-Step Verification for your email accounts.  If a strange device logs in to your Gmail account, Google can let you know!  Microsoft and Yahoo have similar features as well.  If possible, require Two-Step Verification for access to Email accounts.  Follow the correct link below to learn how to set this feature up for your email!
  3. NEVER RE-USE PASSWORDS!  REMIND YOUR EMPLOYEES that they should never use a password from their business accounts on a non-business account.  Your personal email address and your business email address should have different passwords, as should your bank account, your credit card account, your cell phone provider account, etc.


Vistaprint Abuse – Free Phish for All

Over the last few months, we’ve been seeing a huge influx of attackers using VistaPrint for business email compromise (BEC) scams. Losses due to account takeovers total over a billion dollars, and given the nature of these wire fraud attempts, it’s pretty easy to get the money, unless you’re the VP of finance for PhishMe. Why are attackers using VistaPrint, and what makes them such a middle-man for these attacks?

VIDEO UPDATE: Wire Fraud Phisher attempts to phish PhishMe, instead gets phished by PhishMe

(VIDEO UPDATE LINK: Defending Against Phishing Attacks: Case Studies and Human Defenses by Jim Hansen
• A human centric method of defense
• Attack case studies & attacker technique analysis
• Proactive simulation methods: educating workforces & detecting / thwarting attacks) 

(^ say that title ten times fast)

Every year PhishMe Simulator sends millions of phishing emails to its 500+ enterprise customers’ employees worldwide. PhishMe is hands down the most robust and sophisticated phishing platform in existence. To say that we are a little obsessive about Phishing is a bit of an understatement. In fact, we are sitting on innovations in phishing that the bad guys have yet to figure out.

The difference in PhishMe emails versus the bad guys, is that ours are carefully crafted to deliver a memorable experience. Our experiences are masterfully designed to change human behavior to avoid phishing. So what happens when one of our own employees is on the receiving end of a wire fraud phish? Read on…

A Peek Inside an Affiliate’s Malspam Operation: Kovter and Miuref/Boaxxe Infections

In March of this year, reports surfaced of malspam campaigns using email-attached “.doc.js” files, which tied back to the Kovter and Boaxxe clickfraud trojans. The analysis of these malware families has already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and the subsequent download in these recent campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.

Yara CTF, Blackhat 2015

Welcome and good luck on the CTF!

Password: “Go forth and hack!!##one1”, no quotes.

PM_Yara_CTF_2015

One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP!

Please note: Challenge #4 contains a typo, it needs a Yara rule, not a key. Sorry for the error.

Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.

The Danger of Sensationalizing Phishing Statistics

People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways.

DNS Abuse by Cybercriminals – RATs, Phish, and ChickenKillers

This week in our malware intelligence meeting, our analysts brought up DNS abuse by cybercriminals. Two malware samples were seen this week which had the domain “chickenkiller.com” in their infrastructure.

I thought this sounded familiar, but my first guess was wrong.  Chupacabra means “goat sucker” not “chicken killer”.  So, we did a search in the PhishMe Intelligence database and were surprised to see not only that “chickenkiller.com” was used in two different malware samples in the past week, but that there were also more than sixty phishing sites that linked to that domain!

What we’re seeing here is a combination of “Free subdomains” and “Dynamic DNS.”

The Anti-Phishing Working Group reports on the use of Subdomain Services for Phishing in its twice yearly Global Phishing Survey.  In their last report, released on May 27, 2015, they found that free Subdomain services were used for phishing in approximately 6% of all reports.  About half (49.5%) of all those occurrences involve DNS abuse by cybercriminals, specifically, free “altervista.org” subdomains.

PhishMe’s Phishing Operations team would certainly agree that Altervista.org hosts a large quantity and variety of phishing subdomains!  Already in 2015, we’ve seen altervista.org used in eleven different malware campaigns delivered via spam email, the majority of which distributed fake antivirus software and CryptoLocker ransomware. Additionally, 724 phishing sites on 424 different hostnames have been identified. Those phishing sites spoof 42 different online brands, and all are freely provided by Altervista.org.

When a “Free subdomain” is provided, it just means that rather than registering your own domain name and having to pay for it, you can add a hostname to an existing domain name that the free subdomain provider is giving out.  Often the quid pro quo for the free subdomain is that advertising may appear on the website that offers the free service.

Dynamic DNS

“Dynamic DNS” is something else.  For various reasons, people may want to have a name for their computer which follows them wherever they go.  This is common, for instance, with the online gaming community.  If I’d like my fellow gamers to be able to use a gaming server on my computer and I have DHCP, it is possible that my IP address might change from time to time. I could therefore register my computer with a Dynamic DNS service.  If I were to register a box for gaming, I may name it something like “GaryGamingBox.hopto.org”.   Each time my computer came online, it would reach out to the Dynamic DNS service at “hopto.org” and let that Dynamic DNS service know my current IP address.  The Dynamic DNS service would then publish a record so that anyone looking for “GaryGamingBox.hopto.org” would know my current IP address and could play a game.

While the service is valuable, it is open to DNS abuse by cybercriminals.  Rather than having to risk exposing their identity by purchasing a domain name, cybercriminals can set up a phishing site on a laptop computer, link that computer to a Dynamic DNS service, and visit a nearby Internet café or hack someone’s Wi-Fi and connect anonymously to the Internet.  The problem is also very common with cybercriminals who run a class of malware called Remote Administration Trojans or RATs.

In June of 2014, there was a great deal of controversy when the Microsoft Digital Crimes Unit disrupted two very large Remote Administration Trojan groups which they called Bladabinid (more commonly known as njRAT) and Jenxcus (better known as H-Worm).

In order to disrupt the RATs, the Microsoft Digital Crimes Unit obtained a court order allowing them to seize control of the Dynamic DNS service Vitalwerks Internet Solutions, d/b/a NO-IP.com.  While the seizure was quickly reversed due to public outcry, the truth remained that many hacking websites and documents on how to set up your own RAT begin with instructions on how to link your Botnet Controller to a Dynamic DNS service.

The “builder” that lets a malware author create his own customized RAT prompts the criminal for the hostname that an infected victim should “call back” to in order to provide the Botnet criminal with remote control of the targeted machine.  These RATs are used for a variety of purposes, including in many cases, controlling the webcam and microphone of the victim which can lead to “sextortion” and blackmail.

ChickenKiller?

While the Microsoft takedown and the APWG report identify many of the most popular domain names used for Dynamic DNS, ChickenKiller.com is a gateway to a much larger and more varied community.  When we visit “ChickenKiller.com” we are provided with this screen, informing us that ChickenKiller.com is one of the 90,000 Free DNS domains operated by Afraid.org, currently serving 3.7 million subdomains and processing 2,000 DNS queries per second.

The Afraid.org domain list provides 91,647 domains that users can choose to host their free subdomain.  Since they are ordered by popularity, we checked the most popular ones against our phishing database:

mooo.com = 21 phishing campaigns, the most recent of which was a Wells Fargo phish at wellsfargo.com-login-online.mooo.com. Others included Poste Italiane, Paypal, Carta Si, Bank of America, QuickBooks (Malware), Netflix, and Banco de Reservas.

chickenkiller.com = 59 phishing campaigns for a variety of brands, most recently Poste Italiane and Taobao.

us.to = 311 phishing campaigns, most of which were Paypal related, including some PayPal phishing campaigns from today on info-limit.us.to. Others included Facebook (warnku.us.to) and National Australia Bank.

strangled.net = 10 phishing campaigns, most recently a PayPal phish on www.paypal.service.com.strangled.net, but also Apple, Sicredi, Visa, MasterCard, and Taobao.

crabdance.com = 8 phishing campaigns, most recently an Apple iTunes phish.

info.tm = 75 phishing campaigns, including a Paypal phish from this week, paypal-serviced.info.tm and paypal.verfield.info.tm.

While many of the phishers are taking advantage of Afraid.org’s offer of “Free subdomain AND domain hosting!” others are being more subtle with their use of the free services.  For example, a recent Paypal phisher used the host “pplitalyppl.chickenkiller.com” in order to avoid having the true location of his phishing site shared in the spam emails that he was sending.  The spam contained the ChickenKiller link, which had a simple PHP forwarder that redirected the user to the phisher’s hacked website in the Netherlands.  In other cases the phishing page is on a “normal” hacked website, but the ACTION script that processes the stolen credentials, usually emailing them to a criminal, is hosted on a Free or Dynamic DNS subdomain.

The bottom line is that business customers need to be aware of DNS abuse by cybercriminals. Free subdomain and dynamic DNS services are often used by criminals for their Trojans AND their phishing pages.  These types of domains are also fairly unlikely to be used for legitimate B2B purposes, so their presence in your log files is likely to be highly suspect.  Also, be aware that Afraid.org is a white hat hacking group.  Josh Anderson, who runs a wide variety of interesting DNS services at that site, hates to have his domains abused as much as anyone else.  If you see a suspicious subdomain address and the nameservers are set to “NS1.AFRAID.ORG”, be sure to report it by emailing “[email protected]”. It could be yet another case of DNS abuse by cybercriminals.
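One way to act on that last point, as an added example that is not part of the original post: a small scanner that walks proxy log lines, extracts the requested hostname, and flags any host that sits under one of the free-subdomain or dynamic DNS parent domains named above (the Afraid.org domains, NO-IP's hopto.org, and altervista.org). The log format, the client addresses and the log lines themselves are constructed for this example; the provider list is seeded only from domains the post mentions and would be extended from your own intelligence feeds.

```python
import re
from urllib.parse import urlsplit

# Free-subdomain / dynamic DNS parent domains named in the post above.
# Seed list only; extend from your own intel feeds.
FREE_SUBDOMAIN_PARENTS = {
    "chickenkiller.com", "mooo.com", "us.to", "strangled.net",
    "crabdance.com", "info.tm", "hopto.org", "altervista.org",
}

# Constructed proxy log layout: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def free_subdomain_parent(host):
    """Return the provider domain if host is a subdomain of one, else None.

    Suffixes are tried from 2 labels up to len-1, so the bare provider
    domain (e.g. mooo.com itself) is not flagged, only hosts beneath it.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(2, len(labels)):
        suffix = ".".join(labels[-n:])
        if suffix in FREE_SUBDOMAIN_PARENTS:
            return suffix
    return None


def scan_log(lines):
    """Yield (client, host, provider) for every request to a flagged host."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines
        host = urlsplit(m["url"]).hostname
        if host and (parent := free_subdomain_parent(host)):
            hits.append((m["client"], host, parent))
    return hits


# Constructed sample log; hostnames reuse examples cited in the post.
SAMPLE_LOG = """\
2015-09-22T10:14:03Z 10.0.0.12 GET http://wellsfargo.com-login-online.mooo.com/login.php 200
2015-09-22T10:14:09Z 10.0.0.12 GET https://www.wellsfargo.com/ 200
2015-09-22T10:15:41Z 10.0.0.33 POST http://pplitalyppl.chickenkiller.com/go.php 302
2015-09-22T10:16:02Z 10.0.0.33 GET http://mooo.com/ 200
2015-09-22T10:17:55Z 10.0.0.41 GET http://info-limit.us.to/signin 200
""".splitlines()

if __name__ == "__main__":
    for client, host, parent in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}  (free subdomain provider: {parent})")
```

A hit is a triage signal rather than a verdict, since, as the post notes, gamers and other legitimate users rely on the same services; pair it with the NS1.AFRAID.ORG nameserver check before reporting.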