Google is taking some flak after a defect in Google Apps accidentally leaked a large number of customers’ domain registration WHOIS information. Over 282,000 domains registered using Google Apps for Work since mid-2013 have been exposed, opening up the potential that victims could become targets of spear phishing attacks, or even identity theft. The leak was first discovered by Cisco’s Talos Security Intelligence and Research Group on February 19, which quickly notified Google of its findings.
The leak exposes these customers’ names, phone numbers, email addresses, and even physical addresses. The alarming part is that the affected customers paid extra for a service that specifically keeps domain registration WHOIS information hidden from public view. Google had partnered with a company called eNom to manage domains registered by Google Apps for Work customers, and eNom was tasked with maintaining the hidden WHOIS data. Domain registrants fell victim to this leak when their domains were automatically renewed the following year. eNom’s domain renewal system did not recognize that the registrant had previously paid for the unlisted WHOIS service, so it renewed the domains with the previously hidden registrant information now public, allowing the WHOIS data to be archived in public directories.
After being notified by Cisco Talos of the defect in Google Apps, Google patched it five days later. Strangely, Google waited until March 12th, almost three weeks later, to inform the affected customers that their WHOIS information had been leaked. Cisco Talos, in its public statement regarding the finding, encouraged affected customers to take the necessary actions to protect themselves from the consequences of their domain registration data being leaked. Actions recommended for victims include monitoring their email accounts for suspicious mail that might be highly sophisticated and targeted phishing attempts, as well as monitoring things that might indicate identity theft, such as credit scores or bank statements.
OpenDNS, a company based in San Francisco, has released a new model for threat detection called NLPRank. This is a predictive model that uses natural language processing to flag domains that may be involved in malicious activity such as phishing attacks. To accomplish this, the model looks at many different aspects of a site, including autonomous system number (ASN) mappings, HTML tags, WHOIS patterns and domain spoofing analysis. The goal is to protect companies from phishing attacks by flagging fraudulent sites before they are even used.
The model builds a lexicon to identify malicious sites by analyzing legitimate sites and known spoofs of those sites. This gives it a reference for flagging new domains that contain patterns seen before in malicious sites. For example, there may be recurring patterns in the WHOIS data of spoofing sites created by a particular attacker or group.
One of the techniques this model uses to flag illegitimate domains is a minimum edit distance algorithm. The algorithm counts the number of edit operations (insertions, deletions, and substitutions) needed to transform one domain name into another and assigns that count to the candidate domain. The lower the number, the more likely the candidate is a spoof of the legitimate name. For example, the distance between google.com and g00gle.com is 2, because two substitutions are required to change one name into the other. The technique is similar to what spell-checkers use and provides a reference point for judging the validity of a site.
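The edit-distance check described above, as an added example that is not OpenDNS’s NLPRank code: a Levenshtein implementation scored against a constructed watch list of legitimate domains. It goes one step beyond the page’s google.com / g00gle.com case by adding an embedded-brand check (my own assumption, not something the page attributes to NLPRank), since a name like kpmg-office.com is 7 edits away from kpmg.com and a small distance threshold alone would miss it.

```python
from typing import List, Tuple

# Constructed watch list of legitimate domains to protect (assumption).
PROTECTED = ["google.com", "paypal.com", "kpmg.com"]


def levenshtein(a: str, b: str) -> int:
    """Minimum insertions, deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))          # distances from "" to b[:j]
    for i, ca in enumerate(a, 1):
        cur = [i]                            # distance from a[:i] to ""
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute / match
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label TLD such as .com (assumption)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(candidate: str, protected: List[str] = PROTECTED,
                 max_distance: int = 2) -> List[Tuple[str, int, str]]:
    """Return (legit_domain, distance, reason) for each protected domain the
    candidate appears to impersonate. Two signals are used:
      - small but non-zero edit distance between the full names (the page's rule)
      - the legit brand label embedded in the candidate's label (added heuristic,
        catches kpmg-office.com, whose distance to kpmg.com is 7)."""
    hits = []
    cand = candidate.lower().rstrip(".")
    for legit in protected:
        d = levenshtein(cand, legit)
        if d == 0:
            continue                          # the genuine domain, not a spoof
        if d <= max_distance:
            hits.append((legit, d, "edit-distance"))
        elif brand_label(legit) in brand_label(cand):
            hits.append((legit, d, "embedded-brand"))
    return hits


if __name__ == "__main__":
    for dom in ["google.com", "g00gle.com", "paypa1.com", "kpmg-office.com", "example.org"]:
        print(dom, score_domain(dom))
```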
This model has already been shown to produce results. Kaspersky released a report about a group that has stolen $1 billion from banks in many countries. Before the report was released, Kaspersky asked OpenDNS for information on the domains used in these attacks. Some of those domains had already been flagged by NLPRank without any knowledge of the attacks.
Krebs on Security reported that a security company called Proofpoint had detected a four-week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two router brands (UTStarcom and TP-Link) that are common on that ISP’s network. The emails pretended to be an account/billing message from the ISP, with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using the default usernames and passwords for the two router brands. Once the script had successfully logged in, it changed the router’s primary DNS (Domain Name System) server address to the criminals’ own malicious DNS server. This allows the crooks to monitor all web traffic, hijack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data such as usernames, passwords and credit card information. It could also lead to the installation of other malware.
Image: malicious iframe scripts used to hijack the router and its DNS settings
This type of attack is especially dangerous because it bypasses antivirus and other security tools on the endpoint, and it can even lead to the router and the hosts behind it becoming part of a botnet.
The important takeaway from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.
A story published in The New York Times a few weeks ago described an organized group of cybercriminals that pulled off one of the largest digital bank heists ever. This group, named Carbanak by Kaspersky, is responsible for deploying malware to gain access to computers at more than 100 banks and stealing well over $300 million.
There were 300 IP addresses targeted and the attack spanned nearly 30 countries worldwide. And the method used:
I’d hope that a bank would have better sense than to fall for a simple phishing attack, but this wasn’t very simple. Most times, phishing attacks are aimed at the customers, trying to gain sensitive information. Carbanak targeted the machines in the banks directly, finding ways to steal cash directly from the financial institution.
This same group is also thought to be behind several credit/debit card breaches at retail stores around the world, including Staples, which Brian Krebs covered back in December 2014; however, there has not been any noticeable activity since the bank heists.
The Scoular Company, located in Omaha, Nebraska, fell victim to an attack that cost it millions of dollars. Forbes Magazine ranked Scoular as the 55th largest privately held corporation in the United States in 2014. Scoular is a 120-year-old company with sales of over $6 billion every year. Scoular’s primary focus is providing transportation for end users and suppliers. The goods transported include food ingredients, grains, and feed ingredients, and the company also buys, sells, handles, and stores these products.
This well-established company seemed to have taken all of the proper precautions when it comes to cyber-security and corporate security as a whole. Yet even with these precautions, it was discovered earlier this week that the company had fallen victim to a spear phishing attack by clever fraudsters. The attack cost the company $17.2 million, simply by tricking a controller into wiring that amount to a bank in China. The attacker(s) sent emails pretending to be the CEO of Scoular to one of the company’s controllers, stating that Scoular was going to be buying out a company in China. Even worse, the emails from the “CEO” were not even sent from his official email address. To keep the employee from reaching out to others in the company and speaking up about the large transfer, the attacker said that it was not to be mentioned in other channels, to avoid infringing on SEC regulations. In the controller’s defense, and I say this extremely lightly, the company was discussing its expansion into China, and that is the primary reason the controller fell for the emails and sent the money. The attacker had clearly done his research: he instructed the controller to get the wire instructions from the company’s accounting firm, KPMG, and supplied a phone number that was answered by someone using the correct name. The attacker had clearly found the details of a real KPMG employee, but gave a fake phone number and impersonated that employee; when the real employee was questioned, he had never heard of Scoular. The fake email address used a kpmg-office.com domain, which once again fooled the Scoular controller. kpmg-office.com was actually found to be hosted on a server located in Russia, and the fake phone number was provided through a Skype account with an IP address registered in Israel.
This case is currently under investigation by the FBI, which is said to be working on search and seizure warrants against the Shanghai-based Dadi Co. Ltd., the company said to have received the funds in the end. This company is a professional import and export agency dealing mostly in auto parts. If the seizure is granted, it will be carried out and executed by Chinese authorities, in cooperation with American authorities of course.