Once again, another popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you come to the conclusion that some clueless individual clicked a link in an email and corrupted the system, or gave away important information to a phony account and cost their business millions of dollars. The blame isn’t as easily directed on certain individuals this time around.
For anyone who doesn’t know what careerbuilder.com is or has never heard of it, it is a popular job searching service website. Tons of companies post job advertisements on this website such as open positions, then users can browse these job postings by area or category and apply. Generally you are able to just apply right from the website and upload your resume and attach it as a word document. Whenever a job seeker uploads their resume to a job posting, careerbuilder then notifies the company of the uploaded document. The people behind these attacks just simply title the document things such as “resume.doc” or “cv.doc” and employers open them as if it was just another typical resume. The employees download these attachments which on the surface appear to be just another applicant, but the files then go on to exploit a memory corruption vulnerability in Word RTF. This causes the infected machine to download a payload, which downloads a .zip file containing an image file which then drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files as they are expected to be nothing more than that. This is a dangerous peace of malware working its way into the organizations seeking new employees. Although the methods behind these attacks require a lot more work from the attackers due to having to find job posting and actually apply to them manually with their documents, the benefit is that it is very likely the majority of their attempts will indeed be successful. Typically, these kind of phishing attacks are just attempted with fake email accounts trying to fool people and is much less likely to work.
Researchers from a firm known as Proofpoint uncovered the information behind these malware attacks stating that the malicious documents were created in a program called Microsoft Word Intruder (MWI), a FireEye tool that was created in April of this year. This tool is sold on underground forums and serves up CVE-weaponized docs and costs around $2000-$3500 to purchase. Proofpoint also claims that careerbuilder took swift action against these attacks, but didn’t state exactly how. The bigger issue here is the fact that these attacks are always going to be a risk on job search websites and other alike websites with file attachments for attackers to parse out malware.
Dyre Wolf is an ongoing and complex attack that combines multiple types of attacks into one large scam that has managed to make the attackers millions of dollars from companies. The attack consists of an initial spear phishing attack on a company. Contained within the email is an installer that will install the program upatre that is commonly disguised as pdf or some other file type. Once installed the attacker is allowed access to the computer by the installed software. The attacker installs Dyre onto the victims computer which allows the attacker to modify information when he chooses. The attack really ramps up when the victim goes to log into the bank. Dyre allows the attacker to modify the page returned to show a fake phone number and a message telling the user to call the number to resolve the issues. At this point it is up to the attacker to use social engineering to coerce the proper banking information out of the user. Once this happens the attacker will go and transfer the money to an account that is offshore commonly. Then the attacker will run a DDoS attack against the company to try and throw the company off from what happened and slow the companies ability to figure out who the attacker was.
Some steps to help prevent this would include making sure that people know to report anything that seems suspicious. Run mock phishing attacks against your users to help train them to look for the suspicious emails.
Google is taking some flack after a defect in Google Apps accidentally leaked a large number of customers’ domain registration WHOIS information. Over 282,000 domains registered using Google Apps for Work since mid 2013 have been exposed, opening up the potential that victims could become targets of spear phishing attacks, or even identity theft. The leak was first discovered by Cisco’s Talos Security Intelligence and Research Group on February 19, who quickly notified Google of their findings.
The attack exposes these customers’ names, phone numbers, email addresses, and even physical addresses. The alarming part of this leak is that the effected customers payed extra for a service that specifically keeps domain registration WHOIS information hidden from public view. Google was partnered with a company called eNom to mange domains registered by Google Apps for Work customers, and was tasked with maintaining the hidden WHOIS data. Domain registrants fell victim to this leak when their domains were automatically renewed the following year. eNom’s domain renewal system did not recognize that the domain registrant had previously payed for the unlisted WHOIS service, and went ahead and publicly renewed the domains with the hidden registrant information, allowing the WHOIS information to be archived in the public directory.
After being notified by Cisco Talos of the defect in Google Apps, Google patched it five days later. Strangely, Google waited until March 12th, almost three weeks later, to inform the effected customers that their WHOIS information had been leaked. Cisco Talos, in their public statement regarding the finding, encouraged effected customers to take the necessary actions to protect themselves from danger as a result of their domain registration being leaked. Actions recommended for victims include monitoring their email accounts for suspicious mail that might be highly sophisticated and targeted phishing attempts, as well as to monitor things that might indicate identity theft, such as credit scores or bank statements.
OpenDNS, a company in San Francisco, has released a new model for threat detection called NLPRank. This is a predictive model that uses natural language processing to flag domains that may be involved with malicious activity such as phishing attacks. To accomplish this, the model looks at many different aspects of a site including autonomous system number (ASN) mappings, HTML tags, whois patterns and domain spoofing analysis. The goal is to protect companies from phishing attacks by possibly flagging fraudulent sites before they are even used.
The model builds a lexicon to identify malicious sites by analyzing legitimate sites and known spoofing’s of these sites. This gives a reference to flag new domains that contain patterns seen before in malicious sites. For example, there may be patterns in the whois data of spoofing sites created by a particular attacker or group.
One of the techniques used by this model to flag illegitimate domains is a minimum distance algorithm. This algorithm measures the number of edits using the operations insert, delete, and substitution to assign a value to a domain name. This value equates to the amount of changes needed to transform one into the other. The lower this number is the more likely it is to be a spoofed name. For example, the distance between google.com and g00gle.com would be 2 because 2 substitutions are required to change the name. This technique would be similar to something used for spell-checking and can provide a reference on the validity of a site.
This model has already shown to produce results. Kaspersky released a report about a group that has stolen $1 billion from banks in many countries. Before this report was released, they asked OpenDNS for information on the domains that were used in these attacks. Some of the domains had already been flagged by NLPRank without knowledge of these attacks.
Krebs on Security reported that a security company called Proofpoint had detected a 4 week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two routers (UTStarcom and TP-Link) that are commonly used on that ISP. The emails pretended to be an account/billing message from the ISP with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in it would change the router’s primary DNS (Dynamic Name Server) address to the criminal’s own malicious DNS. This allows the crooks to monitor all web traffic, hi-jack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. This could also lead to the installation of other malware.
Image of malicious iframe scripts used to hi-jack the router and DNS
This type of attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a bot-net.
The important take away from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.