Has Your Yahoo Password Been Stolen?

Has your Yahoo password been stolen? Would you be aware if that was the case? Many people who have fallen for the latest Yahoo password stealing scam will be unaware that their account is no longer secure.

PhishMe researchers are always finding new tactics used by the top phishers to steal login credentials for popular on-line services, and attacks on Yahoo users are incredibly common. We recently found a very clever phisher using the idea of strengthening your password against you. Let’s explore this phishing scenario in detail.

Since the beginning of May, the URL:

hxxp://markspikes.com/2/us-mg5.mail.yahoo.com/

has loaded a page that asks the victim to confirm the strength of their Yahoo! Mail password.

What a great service! However, this request is not being made on the Yahoo! site. The activity takes place on MarkSpikes.com, as is shown in the screenshot below:

When someone falls for this Yahoo password stealing scam, a PHP script on the compromised MarkSpikes.com web server emails the password to the criminal. By viewing the source code of the phishing page, we can see the name of the script is hellion.php, but we also find some interesting comments in the code, as seen below:

# HELLION PROUDLY PRESENTS, Auto Killer v1.0

# This program is free software brought to you by Hellion:
# You can redistribute it and/or modify it under the terms of
# the GNU General Public License as published by the Free Software Foundation,
# either version 3 of the License, or (at your option) any later version.

# However, the license header, copyright and author credits
# must not be modified in any form and always be displayed.

# This program is distributed in the hope that it will be useful
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# Contact me : [email protected] for more details.
# Skype: teamipwned
# Special greets to Shaif Lifax, Solaree, PaperBoi, Softwarewind, Emoney, and others who helped!
# WARNING: Do not touch anything here!

These comments give us a good deal of information about who designed this phishing attack and who may also be collecting the stolen Yahoo! account passwords.

The Yahoo! username “team_pgb” is tied to two recovery email accounts as seen in the captured Yahoo! Forgot Password screen below:

Yahoo! may want to check and see how their user “team_pgb” is sharing code for spoofing Yahoo! password strength checkers!

PhishMe Intelligence is useful for determining which other brands may be affected by this attack. A search on the MarkSpikes.com domain reveals there have been several other phishing attacks hosted on the same domain recently. A variation on the Yahoo password stealing attack above asks the victim to strengthen their account from threats by confirming the strength of their password. A Microsoft version from May 2nd suggests, as seen below, that the password should be entered in order to verify the account.

Going back to March 1st, Google users were phished at another URL on the same domain:
hxxp://markspikes.com/all/2/i/g/connect_i.php

Another very similar Google phish was identified in the same timeframe as the one mentioned above. From one of those phishing servers, PhishMe archived a phishing kit left behind by the criminals. Inside, it reveals that the Google passwords were being sent by the phishing server in email messages from [email protected] to [email protected]. The domain blazerscyberteam.net was registered last October 24th using a privacy protection service. There is a profile on Facebook for “Swift Opio DA Blazers” where the occupation is listed as “Director at Blazer Cyber Team”:
hxxps://www.facebook.com/swiftopio.dablazers

Though the Google phishing content has been removed from MarkSpikes.com, a perusal of the directory reveals that there is another type of phish at:
hxxp://markspikes.com/all/8/SHIPPING/

As can be seen in the screenshot below, this is a phish for an email address and password combo. Once the details are entered, the victim is re-directed to the My Maersk Line login page on my.maerskline.com.

Since February 1st, PhishMe has recorded thirteen other similar Maersk-style pages that phish for email addresses and passwords.

The hosting IP address for this domain is also interesting. Since Sept. 11, 2013, PhishMe has recorded over 18 thousand attacks against hundreds of brands on the netblock 192.185.0.0/16, owned by Cyrus One and leased to HostGator’s WebsiteWelcome as “HGBLOCK-10”.

Let us know if you’ve seen similar phishing sites, if your Yahoo password has been stolen in a similar style of attack, or if you would like us to look into a different tactic that you’ve recently observed, by using the comments section below.

Fighting Back Against a Fake Tech Support Call

’Tis the season for phishing emails, scams, and fake tech support calls. We recently investigated such a call received by one of PhishMe’s employees. After saying that he would call the “technician” back, the employee passed the number over to us and we began to investigate.

The number the technician provided us was “646-568-7609.” A quick Google search of the number shows that other users have received similar calls from the same number. In one example, “Peter from Windows” was the person calling. In our case, it was Alex Jordan from Seattle.

Top 10 Phishing Attacks of 2014

With December upon us and 2014 almost in the books, it’s a perfect time to take a look back at the year that was, from a phishing standpoint of course. If you’ve been following this blog, you know that we are constantly analyzing phishing emails received and reported to us by PhishMe employees. What was the most interesting phishing trend we observed in 2014? While attackers are loading up their phishing emails with new malware all the time, the majority of their phishing emails use stale, recycled content.

WordPress Phishing: Target of Cybercriminals Worldwide

WordPress phishing attacks are now commonplace, with the sites a target for cybercriminals worldwide. WordPress and Phishing now go hand in hand. WordPress sites are being used by cybercriminals to obtain a wide range of sensitive data from users. In some cases, those sites are created by cybercriminals. In other cases, vulnerabilities in WordPress sites are leveraged and new content is created – content that captures users’ information. Exploit kits are also loaded onto the sites that download malware.

Today’s technical press was full of headlines about the recent WordPress updates, eWeek’s “WordPress 4.01 Updates Millions of Sites for 8 Flaws” for example.

The WordPress.org website describes the latest WordPress 4.0.1 Security Release as a “Critical security release for all previous versions” and says we “strongly encourage you to update your sites immediately.”  According to the release, all versions of WordPress are affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site.

At PhishMe this is not big news. In fact, it’s not really news at all. Why? Well, we know that the great thing about WordPress is that the platform makes it quick and easy for any user to make a website! We also know that the worst thing about WordPress is that it makes it quick and easy for any user to make a website! Not only does it make it very quick and easy for cybercriminals to make new WordPress sites, the platform is used by legitimate users to create a site that they then forget about maintaining. Having a website and then choosing not to maintain it, or perhaps not knowing enough about web security to be capable of maintaining it, is actually a very dangerous thing.

When people ask us about WordPress, we often tell them a story. Once upon a time, in the summer of 1983, my brother John and I went hiking in northern Michigan with a couple Eagle scout friends of ours called Philip and Michael. We assured our parents we would be safe in the woods for a week by ourselves, after all, our friends were Eagle Scouts! As we were hiking, dozens of miles from the nearest paved road, we came across a small shed in the woods and inside the shed was a shotgun and a big box full of shells!

Being extremely responsible children, we of course notified the nearest authorities (ahem).

Having a WordPress website and failing to maintain it is exactly the same, in cyber terms at least, as leaving a loaded shotgun unattended on your front porch in a neighborhood full of curious teenagers. A dramatically high number of websites that are compromised and then used to distribute malware, to host malware C&C servers, and to host phishing webpages are made malicious as a result of carelessness by webmasters. Essentially the same as leaving a loaded gun on the porch or going on holiday and leaving the front door wide open.

When a curious teen or a convict picks up the gun and does harm to people, or when the house is burgled, it is easy to say “It wasn’t my fault!  I didn’t know!”  But perhaps we should start educating webmasters so they know that is not a valid excuse. Since we now know that cybercriminals target WordPress sites, leaving the sites with known vulnerabilities is nothing short of negligence. Your website could easily be turned into a WordPress phishing site if vulnerabilities are left unaddressed. Your site may also be used to infect all of your customers with malware.

How often does this really happen? One way to find many of these WordPress phishing sites is to look at the URL used in a phishing attack for evidence that it is a WordPress site. Many of these phishing attacks take the form of a Remote File Inclusion attack that often allows the attacker to inject their phishing content into a subdirectory of either the “wp-admin” directory or the “wp-content” directory.

We ran some searches through our threat intelligence system to find out how many such pages we’ve seen. Just today there were:

  • Alibaba phish on “bluribbon.com/wp-admin” and “ambitionthekid.com/wp-admin/”
  • credit card phish on “resepmasakanalaindonesia.com/wp-includes”
  • TD Bank phish on “mariabobrova.com/wp-content/” and “jaw-photo.com/wp-content/”
  • generic email phish (AOL/Google/Microsoft/Yahoo) on “osiedlaimiasta.pl/wp-includes/” and “mariogavazzi.it/wp-content”
  • Paypal phish on “deluxetravelviajes.com/wp-content/”
  • Standard Bank phish on “woodsidenylawyer.com/wp-admin/”
  • AOL phish on “arkansaswebsiterentals.com/wp-content/”
  • Yahoo phish on “fenwaymarketing.com/wp-content/” and “pierrefauchard.com.br/wp-content/”
  • MayBank2U phish on “cascalhoriopreto.com.br/wp-admin/”
  • Halifax phish on “ics.com.ph/wp-admin/”
  • Royal Bank of Canada on “ohtleathercrafts.com/wp-content/”
  • Bank of America phish on “secureserver.net/~cables/wp-admin/”
  • BT.com phish on “accionpreventiva.cl/wp-content/”

And the business day is only half-way done!

Since January 1, 2014 we have seen:

  • 12,416 confirmed phishing URLs that contained the string “wp-content”
  • 6,054 confirmed phishing URLs that contained the string “wp-includes”
  • 4,255 confirmed phishing URLs that contained the string “wp-admin”

Those URLs were on 6,627 different domain names on 4,947 different IP addresses, at 164 different hosting companies. Sadly, the statistics make it clear that WordPress phishing websites tend to be clustered at hosting companies that offer cheap hosting with poor technical support. Often this is the result of “resellers” who use servers in those hosting company data centers to offer even cheaper webhosting deals with even poorer technical support.
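The URL-marker heuristic described above, and the roll-up into distinct domains and IPs that the statistics use, as an added example (this is not PhishMe’s own tooling). It matches the “wp-admin”, “wp-content” and “wp-includes” markers as whole path segments rather than raw substrings, so a marker that only appears in a filename or a query string is not counted. The sample URLs, the `.test` domains and the domain-to-IP map standing in for a resolver lookup are all constructed for the example.

```python
"""Flag WordPress-hosted phishing URLs and aggregate them by domain and IP.

Added example, not PhishMe's own tooling. It applies the heuristic from the
post (a "wp-admin", "wp-content" or "wp-includes" path segment in a confirmed
phishing URL) and then rolls the hits up the way the post's statistics do:
distinct domains and distinct hosting IPs. Sample URLs and the IP lookup are
constructed for the example.
"""
from collections import Counter
from urllib.parse import urlsplit

# Path markers named in the post. Matching is done on whole path segments, so
# "wp-content-backup.zip" or a query string mentioning wp-admin does not count.
WP_MARKERS = {"wp-admin", "wp-content", "wp-includes"}

# Constructed sample of "confirmed phishing" URLs (not real indicators).
SAMPLE_URLS = [
    "http://shop-example.test/wp-admin/css/login/index.php",
    "http://shop-example.test/wp-content/uploads/secure/verify.html",
    "http://blog-example.test/wp-includes/js/paypal/",
    "http://photos-example.test/wp-content/themes/x/bank/",
    "http://static-example.test/assets/wp-content-backup.zip",  # marker only inside a filename
    "http://mail-example.test/login.php?next=/wp-admin/",       # marker only in the query string
    "http://other-example.test/tmp/invoice/",
]

# Constructed domain -> hosting IP map standing in for a resolver/passive-DNS lookup.
SAMPLE_RESOLVER = {
    "shop-example.test": "192.0.2.10",
    "blog-example.test": "192.0.2.10",
    "photos-example.test": "198.51.100.7",
}


def wp_marker(url):
    """Return the WordPress marker directory found in the URL path, or None."""
    path = urlsplit(url).path
    for segment in path.split("/"):
        if segment in WP_MARKERS:
            return segment
    return None


def classify(urls):
    """Map each URL that carries a WordPress path marker to the marker found."""
    hits = {}
    for url in urls:
        marker = wp_marker(url)
        if marker:
            hits[url] = marker
    return hits


def summarize(hits, resolver):
    """Roll flagged URLs up into counts per marker, distinct domains and distinct IPs."""
    per_marker = Counter(hits.values())
    domains = {urlsplit(u).hostname for u in hits}
    ips = {resolver[d] for d in domains if d in resolver}
    return {
        "urls": len(hits),
        "per_marker": dict(per_marker),
        "domains": len(domains),
        "ips": len(ips),
    }


if __name__ == "__main__":
    flagged = classify(SAMPLE_URLS)
    for url, marker in flagged.items():
        print(f"{marker:12} {url}")
    print(summarize(flagged, SAMPLE_RESOLVER))
```

Run against a real feed, the `summarize` output is what lets you spot the clustering the post describes: many distinct domains on a small number of IPs points at a shared host or reseller rather than at many independently compromised servers.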

Our checks showed six hosting companies had more than 100 domains hacked using a WordPress Remote File Inclusion attack — and five of those are in the United States!

We can’t put all the blame on the hosting companies. Many of them are providing “do-it-yourself” web services where the webmasters have chosen to NOT do-it-themselves when it comes to security!

Do you know a WordPress webmaster?  If so, make sure you share this article with them and have them upgrade by following the WordPress 4.0.1 Security Release guidance. If you do, you are helping to keep all of us safer from WordPress phishing attacks and malware downloads from WordPress sites!

If it Looks Like a Phish, Acts Like a Phish, it Could Be Malware

Most of us are familiar with the common idiom “If it looks like a duck, swims like a duck, quacks like a duck, then it is probably a duck.” Despite criminals’ constant efforts to change their techniques and tactics, this idiom usually holds true for online crime. Phishers have characteristic techniques in just the same way that malware writers and distributors employ specific tactics. These two don’t often overlap. However, when they do, it makes for a spectacularly effective attack.

This week, PhishMe’s analysts uncovered spam emails distributed by the Cutwail spamming botnet using a new JP Morgan Chase spam template in conjunction with hostile URLs to distribute two samples of the Dyre Trojan and a copy of the Kegotip information stealer malware. This was done with a two-step attack method that first presents victims with a fake login form. At first glance, this webpage resembles a credential phishing page put together by criminals to trick victims into entering their JPMorgan Chase sign in credentials.

However, a much more insidious attack was taking place as victims visited this page. Loading this page in a Web browser triggers online exploit resources to push a copy of the Upatre malware downloader and execute it on a victim’s machine. This malware was in turn used to obtain the Kegotip malware and one copy of Dyre. If a victim were to enter credentials into the fake sign-in page, he or she would then be presented with the opportunity to download a “Java update” which resulted in an infection involving a second, distinct sample of the Dyre Trojan.

In an interesting twist, the fake sign-in does not actually submit victims’ credentials to any drop point or collection resource, passing instead a single email address hard-coded into the webpage as the login value. Following the completed infection trajectory, seven files were left behind within the infected environment. These files included one compiled Java class, two copies of the Dyre Trojan, one “.db” file associated with the Dyre Trojan, one dropped Upatre executable, one empty .exe file believed to have temporarily contained the original Upatre executable binary, and one Kegotip executable.

Earlier this week, we discussed how 2014 has seen an evolution in the sophistication of the modern cybercriminal. This malware, posing as a phish, is no exception. The ability to catch these types of instances early, makes threat intelligence a must-have.

Update:

After some additional thought on this topic, we were reminded of the Verizon Breach Report, which stated that while only 8% of your employees will enter credentials on a phishing page, 18% would visit the page, thinking they would be smart enough to know whether it was real or not when they got there.

In this case, the employee would still be infected by the malware by simply visiting the page.

Small but powerful — shortened URLs as an attack vector

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened google URL, and led to some surprising malware.

Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.

Phishing: Stop Paving the Cow Path

Paving the cow path—why are we still using the same technologies to combat modern phishing attacks?

When the city of Boston was new and unpaved, the city fathers decided against laying out a regular street plan. Instead, they merely paved the paths that had been worn by cattle. The results? A chaotic and inefficient street plan that lacks logic. The admonition not to “pave the cow path” is supposed to remind us not to enshrine an existing way of doing something.

However, when combating phishing, the #1 threat vector in security*, we are paving the cow path.

Let’s start with some facts about email-based threats and their effectiveness:

  • 144 Billion emails every day/120 per person
  • 1 out of every 2 emails contains a threat
  • 10% of all email threats get through current defenses
  • 1 out of every 200 are effective

If we were building cars, computers or producing a ‘widget’ and had a 10% ‘defect’ rate, we would be out of business. Period. And yet what do we do today?

We pave the cow path.

To some degree or another, major enterprises recognize the need for combating all types of email-based threats, including phishing, spam and email-based malware. As a result, we have many existing technologies in the ‘food chain’ for providing protection against phishing, including:

  • Security Awareness Training (Education & Training)
  • Filters (spam, phishing)
  • Web filtering
  • Forensic services
  • Takedown services
  • Standards/DMARC

If we look at these technologies as anti-phishing solutions, they all have one thing in common: they deal with the symptoms of phishing. They do not address the root source or root cause. As a result, each provides some deterrent or protection against phishing, but none addresses the cause: the source and nature of the cyberattack. Therefore, none of the current technologies can holistically provide the countermeasures to prevent, detect and respond to existing and future phishing attacks.

We recently spoke with one of the world’s most phished companies/brands. How were they attempting to solve the ever-increasing phishing problem (up 87% since 2012 according to Kaspersky) that they (and most others) are experiencing?

They planned to do more of the same.

Specifically, they planned to continue with their takedown strategy. (For those of you unfamiliar with takedown or mitigation, there are companies that offer banks and other organizations round-the-clock services to assist in shutting down phishing websites.)

First, they enlisted external resources (vendors) for takedown.

Then, they began taking care of their takedown efforts internally.

Then, they adopted a hybrid approach, using both internal and external resources.

And now, they were planning to do more of both.

Do you see a pattern?

Yes, that’s right, it’s not working. Yet, they are planning to increase the use of ineffective tactics.

The status quo is not solving the problem. Whether you are utilizing internal or external resources, you are paving the cow path. The dirty secret of takedown vendors that every security professional knows is that most credential theft occurs within the first four hours of a phishing campaign. If your takedown time is greater than two hours, the phisher has already collected enough information to consider his mission a success. In short, no matter how fast the takedown promises to be, the phishers are faster. The damage is done. And spending more time and money on a fundamentally broken process doesn’t make it better. Adding more people to a broken process doesn’t make it better either. Takedown doesn’t solve the problem. It could, if it was done intelligently. But today, these services are the one-eyed man in the land of the blind for those looking to eliminate phishing servers.

Phishing can’t be solved by one technology, so the good news is there are multiple processes and technologies in existence today to address the challenge. However, cybercriminals are moving ahead of many of the existing layers of defense, and becoming more successful. We read about it every day, from the Target attack to Bank of America, Comerica, PayPal, Wells Fargo, Michael’s stores (and many, many others we don’t hear about).

I think it is a natural tendency to want to pave the cow path; after all, what is wrong with how we are doing business today? Or, we may look at it from the perspective: we don’t have time to look at improving our processes, so by default we will have to pave the cow path. But by paving the phishing cow path, you will lose. It’s that simple. Continuing to play ‘whac-a-mole’ with the cybercriminals, and using tools from the ‘last war’, is not winning. It’s losing. And with the cost of each phishing attack approaching $150,000, can you afford to lose even once?

The E-ZPass Scam: More Information On This Week’s Attacks

Earlier this week, reports surfaced about a new E-Z Pass scam. The spam campaign used the E-ZPass branding to fool recipients into visiting a malicious website. E-Z Pass is the electronic toll collection system used by several state departments of transportation.

The E-Z Pass scam emails are likely to be sent to a large number of individuals who use the system; after all, the toll system is used in many cities. One of the emails we captured is shown in the image below. As you can see, the E-Z Pass scam emails use appropriate branding, and warn the recipient that they have not paid for driving on a toll road. A link to an invoice is included that will allow the recipient to view their invoice.

A quick search of PhishMe’s threat intelligence database shows that this is not the only email of this type that has been intercepted. The following related emails were also captured:

date    |                subject                |           sender_name
-----------+---------------------------------------+--------------------------------
2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road          | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info

As you can see, while the E-Z Pass scam uses appropriate branding, the destination websites of the links are certainly not genuine. None of these are used for E-Z Pass.

machine          |                               path
--------------------------+-------------------------------------------------------------------
www.federalparts.com.ar   | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
www.fiestasnightclub.com  | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
www.fleavalley.com        | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
www.frazeryorke.com       | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
www.fsp-ugthuelva.org     | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
www.fyaudit.eu            | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
www.giedrowicz.pl         | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
www.gostudy.ca            | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
www.graphiktec.com        | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
www.h2oasisinc.com        | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
www.habicher.eu           | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
www.grupoancon.com        | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
www.happymaree.com.au     | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
www.headspokerfest.com    | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
www.headspokerfest.com    | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll

Naturally, we visited one of the URLs to find out what would happen. Clicking on the link would result in a prompt to download a zip file, which presumably would contain the invoice. Instead of a Word file, Excel spreadsheet, or PDF file, the zip file contained an executable (.exe) file.

Both are named for the city and ZIP code to which we are connected.

For example, this relates to an E-Z Pass charge in Birmingham, Alabama.

When we run this malware, it attempts to make contact with command and control servers at the following locations:

76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080

PhishMe has been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet and have been used for some time. In fact, this botnet was used to send the Holiday Delivery Failure spam emails that imitated Walmart, CostCo, and BestBuy during the holiday season, and also Court Related Malware in early 2014.
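The traits visible in this post (the “for driving on toll road” subjects under an E-ZPass display name, the `…/api/<token>=/toll` landing-page path shape in the URL table, and the command-and-control endpoints the sample contacted), turned into detection checks as an added example. This is not PhishMe’s code; the C2 list is copied from the post with its one duplicate collapsed, while the mail records, the `.test` host names and the proxy log lines (and their format) are constructed for the example.

```python
"""Match the E-ZPass campaign's traits against mail metadata and proxy logs.

Added example, not PhishMe's own code. Three things visible in the post become
checks: the lure subjects ("... for driving on toll road") under an E-ZPass
display name, the landing-page path shape (".../api/<token>=/toll"), and the
command-and-control endpoints the sample contacted. The mail records, host names
and proxy log lines are constructed; the C2 list is taken from the post.
"""
import re
from urllib.parse import urlsplit

# Subject and sender traits seen across the captured emails.
SUBJECT_RE = re.compile(r"\bfor driving on toll road\b", re.IGNORECASE)
SENDER_RE = re.compile(r"\bE-?Z\s?Pass\b", re.IGNORECASE)

# Landing-page path shape from the post's URL table: one directory (tmp,
# wp-content, components), then /api/, a base64-looking token ending in '=',
# then /toll. Spaces are permitted because the post's listing shows tokens with them.
LANDING_PATH_RE = re.compile(r"^/[^/]+/api/[A-Za-z0-9+/ ]+=/toll/?$")

# Command-and-control endpoints listed in the post (duplicate entry collapsed).
C2_ENDPOINTS = {
    ("76.74.184.127", 443), ("113.53.247.147", 443), ("50.57.139.41", 8080),
    ("188.165.192.116", 8080), ("82.150.199.140", 8080), ("203.157.142.2", 8080),
    ("212.45.17.15", 8080), ("92.240.232.232", 443),
}


def email_is_lure(subject, sender_name, link):
    """True when subject, display name and link path all match the campaign's traits."""
    path = urlsplit(link).path
    return bool(SUBJECT_RE.search(subject)
                and SENDER_RE.search(sender_name)
                and LANDING_PATH_RE.match(path))


# Constructed proxy/firewall log format: "<ts> <src_ip> <dst_ip>:<dst_port> <action>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)$")


def c2_hits(log_lines):
    """Return (timestamp, source_ip, 'ip:port') for each line reaching a listed C2 endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than fail the whole run
        ts, src, dst_ip, dst_port, _action = m.groups()
        if (dst_ip, int(dst_port)) in C2_ENDPOINTS:  # port matters: same IP on another port is not a hit
            hits.append((ts, src, f"{dst_ip}:{dst_port}"))
    return hits


# Constructed sample data (subject, sender display name, link).
SAMPLE_EMAILS = [
    ("In arrears for driving on toll road", "E-ZPass Collection Agency",
     "http://www.example-host.test/tmp/api/AAAAexampleTOKEN=/toll"),
    ("Payment for driving on toll road", "E-ZPass Info",
     "http://www.example-host.test/components/api/BBBBexampleTOKEN=/toll"),
    ("Your toll statement is ready", "E-ZPass Customer Service",
     "https://www.example-host.test/account/statement"),            # no lure subject or path
    ("Pay for driving on toll road", "Accounts Payable",
     "http://www.example-host.test/tmp/api/CCCCexampleTOKEN=/toll"),  # display name does not match
]

SAMPLE_LOG = [
    "2014-07-08T10:01:02Z 10.0.0.15 93.184.216.34:443 ALLOW",
    "2014-07-08T10:01:09Z 10.0.0.15 76.74.184.127:443 ALLOW",
    "2014-07-08T10:01:11Z 10.0.0.15 188.165.192.116:8080 DENY",
    "2014-07-08T10:02:00Z 10.0.0.22 50.57.139.41:443 ALLOW",   # listed IP, wrong port
    "malformed line",
]

if __name__ == "__main__":
    for subject, sender, link in SAMPLE_EMAILS:
        print(email_is_lure(subject, sender, link), "|", subject, "|", sender)
    for hit in c2_hits(SAMPLE_LOG):
        print("C2 contact:", hit)
```

All three lure traits are required together on purpose: the subject alone would also match a genuine reminder, and the display name alone is trivially spoofed, but the `/api/<token>=/toll` path is specific to this campaign’s landing pages. On the network side, a denied connection to a listed endpoint (the `DENY` line above) still reports as a hit, because the attempt itself indicates an infected host even when the proxy blocked it.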