Dyre Wolf is an ongoing and complex attack that combines multiple types of attacks into one large scam that has managed to make the attackers millions of dollars from companies. The attack consists of an initial spear phishing attack on a company. Contained within the email is an installer that will install the program upatre that is commonly disguised as pdf or some other file type. Once installed the attacker is allowed access to the computer by the installed software. The attacker installs Dyre onto the victims computer which allows the attacker to modify information when he chooses. The attack really ramps up when the victim goes to log into the bank. Dyre allows the attacker to modify the page returned to show a fake phone number and a message telling the user to call the number to resolve the issues. At this point it is up to the attacker to use social engineering to coerce the proper banking information out of the user. Once this happens the attacker will go and transfer the money to an account that is offshore commonly. Then the attacker will run a DDoS attack against the company to try and throw the company off from what happened and slow the companies ability to figure out who the attacker was.
Some steps to help prevent this would include making sure that people know to report anything that seems suspicious. Run mock phishing attacks against your users to help train them to look for the suspicious emails.
Google is taking some flack after a defect in Google Apps accidentally leaked a large number of customers’ domain registration WHOIS information. Over 282,000 domains registered using Google Apps for Work since mid 2013 have been exposed, opening up the potential that victims could become targets of spear phishing attacks, or even identity theft. The leak was first discovered by Cisco’s Talos Security Intelligence and Research Group on February 19, who quickly notified Google of their findings.
The attack exposes these customers’ names, phone numbers, email addresses, and even physical addresses. The alarming part of this leak is that the effected customers payed extra for a service that specifically keeps domain registration WHOIS information hidden from public view. Google was partnered with a company called eNom to mange domains registered by Google Apps for Work customers, and was tasked with maintaining the hidden WHOIS data. Domain registrants fell victim to this leak when their domains were automatically renewed the following year. eNom’s domain renewal system did not recognize that the domain registrant had previously payed for the unlisted WHOIS service, and went ahead and publicly renewed the domains with the hidden registrant information, allowing the WHOIS information to be archived in the public directory.
After being notified by Cisco Talos of the defect in Google Apps, Google patched it five days later. Strangely, Google waited until March 12th, almost three weeks later, to inform the effected customers that their WHOIS information had been leaked. Cisco Talos, in their public statement regarding the finding, encouraged effected customers to take the necessary actions to protect themselves from danger as a result of their domain registration being leaked. Actions recommended for victims include monitoring their email accounts for suspicious mail that might be highly sophisticated and targeted phishing attempts, as well as to monitor things that might indicate identity theft, such as credit scores or bank statements.
OpenDNS, a company in San Francisco, has released a new model for threat detection called NLPRank. This is a predictive model that uses natural language processing to flag domains that may be involved with malicious activity such as phishing attacks. To accomplish this, the model looks at many different aspects of a site including autonomous system number (ASN) mappings, HTML tags, whois patterns and domain spoofing analysis. The goal is to protect companies from phishing attacks by possibly flagging fraudulent sites before they are even used.
The model builds a lexicon to identify malicious sites by analyzing legitimate sites and known spoofing’s of these sites. This gives a reference to flag new domains that contain patterns seen before in malicious sites. For example, there may be patterns in the whois data of spoofing sites created by a particular attacker or group.
One of the techniques used by this model to flag illegitimate domains is a minimum distance algorithm. This algorithm measures the number of edits using the operations insert, delete, and substitution to assign a value to a domain name. This value equates to the amount of changes needed to transform one into the other. The lower this number is the more likely it is to be a spoofed name. For example, the distance between google.com and g00gle.com would be 2 because 2 substitutions are required to change the name. This technique would be similar to something used for spell-checking and can provide a reference on the validity of a site.
This model has already shown to produce results. Kaspersky released a report about a group that has stolen $1 billion from banks in many countries. Before this report was released, they asked OpenDNS for information on the domains that were used in these attacks. Some of the domains had already been flagged by NLPRank without knowledge of these attacks.
Krebs on Security reported that a security company called Proofpoint had detected a 4 week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two routers (UTStarcom and TP-Link) that are commonly used on that ISP. The emails pretended to be an account/billing message from the ISP with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in it would change the router’s primary DNS (Dynamic Name Server) address to the criminal’s own malicious DNS. This allows the crooks to monitor all web traffic, hi-jack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. This could also lead to the installation of other malware.
Image of malicious iframe scripts used to hi-jack the router and DNS
This type of attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a bot-net.
The important take away from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.
There was a story published in The New York Times, a few weeks ago about a organized group of cybercriminals that pulled off one of the largest bank heists, digitally, ever. This group, named by Kaspersky, Carbanak, is responsible for deploying malware to gain access to computers at more than 100 banks and steal well over $300 million.
There were 300 IP addresses targeted and the attack spanned nearly 30 countries worldwide. And the method used:
I’d hope that a bank would have better sense not to fall for a simple phising attack, but this wasn’t very simple. Most times, phishing attacks are aimed at the customers, trying to gain sensitive information. Carbanak targeted the machines in the banks directly, and finding ways to steal cash directly from the financial institution.
This same group is also thought to be behind several credit/debit card breaches at retail stores around the world, including Staples, however there has not been any noticable activity since the bank heists, which the story was covered by Brian Krebs back in December 2014.