CareerBuilder Phishing Attacks

Once again, another popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you come to the conclusion that some clueless individual clicked a link in an email and compromised the system, or gave away important information to a phony account and cost their business millions of dollars. The blame isn’t as easily directed at particular individuals this time around.

For anyone who doesn’t know what careerbuilder.com is or has never heard of it, it is a popular job search website. Many companies post job advertisements for open positions on the site, and users can browse these postings by area or category and apply. Generally you can apply right from the website by uploading your resume as a Word document. Whenever a job seeker uploads a resume to a job posting, CareerBuilder notifies the company of the uploaded document. The people behind these attacks simply title the document something like “resume.doc” or “cv.doc”, and employers open it as if it were just another typical resume. The employees download these attachments, which on the surface appear to be just another applicant, but the files then exploit a memory corruption vulnerability in Word’s RTF handling. This causes the infected machine to download a payload, which downloads a .zip file containing an image file, which in turn drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files, since they are expected to be nothing more than that. This is a dangerous piece of malware working its way into organizations seeking new employees. Although these attacks require a lot more work from the attackers, who have to find job postings and actually apply to them manually with their documents, the benefit is that the majority of their attempts will very likely succeed. Typically, these kinds of phishing attacks are attempted from fake email accounts trying to fool people, and that is much less likely to work.
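As an added example (not from the original post, CareerBuilder or Proofpoint), here is a defender-side check for the two disguises described above: a file named like a Word resume that is really RTF, and an archive member named as an image that is really an executable. It classifies content by magic bytes instead of trusting the extension; the signature table, the extension policy and the sample inputs are all constructed here.

```python
import io
import zipfile

# Well-known file signatures (constructed table, not exhaustive).
SIGNATURES = {
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-doc",  # legacy binary .doc container
    b"PK\x03\x04": "zip",                            # also .docx and other OOXML
    b"MZ": "pe-executable",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}

# Content each claimed extension is allowed to have.
EXPECTED = {
    "doc": {"ole-doc"}, "docx": {"zip"}, "rtf": {"rtf"},
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_upload(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return findings for one upload; an empty list means no extension/content mismatch."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"{filename}: extension .{ext} but content looks like {kind}")
    # Archives (including .docx) are opened a couple of levels deep so a disguised member is seen too.
    if kind == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.extend(check_upload(member, zf.read(member), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{filename}: zip signature but archive is malformed")
    return findings

def build_samples() -> dict[str, bytes]:
    """Constructed inputs (no real malware): RTF named .doc, and a zip with an MZ-headed 'photo.jpg'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 30)
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return {"resume.doc": b"{\\rtf1\\ansi Hello}", "attachment.zip": buf.getvalue()}
```

Run `check_upload(name, data)` on each applicant attachment before it reaches a recruiter's mailbox; any non-empty result is worth quarantining for review rather than opening.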

Researchers from a firm known as Proofpoint uncovered the information behind these malware attacks, stating that the malicious documents were created with a program called Microsoft Word Intruder (MWI), a FireEye tool that was created in April of this year. This tool is sold on underground forums, serves up CVE-weaponized documents, and costs around $2000-$3500 to purchase. Proofpoint also claims that CareerBuilder took swift action against these attacks, but didn’t state exactly how. The bigger issue is that these attacks will always be a risk on job search websites and other similar websites that accept file attachments, which attackers can use to distribute malware.


Sources:

https://threatpost.com/attackers-peddling-malware-via-careerbuilder/112553

http://www.tripwire.com/state-of-security/latest-security-news/new-malware-campaign-on-careerbuilder-com-blends-phishing-with-social-engineering/

Additional Information:

http://www.esecurityplanet.com/network-security/careerbuilder.com-leveraged-to-launch-phishing-attacks.html

http://www.toptechnews.com/article/index.php?story_id=0020002934CO

-Liam Ellis

Six ways to make them say yes.

Rather than a listing of a new security threat, I wanted to give an in-depth talk on social engineering and how to get your target to say yes. Based on Robert Cialdini’s book, Influence: The Psychology of Persuasion, this article lists six solid techniques.

The first principle is reciprocity. This is the idea of “I scratch your back, you scratch mine.” To use this principle, you must initiate by giving something to someone in order to get something in return. By doing this you gain a psychological hold over them, because they now ‘owe you one.’ An example would be a job interview: you prove to them that you are of value to the company, and the reciprocation is that they give you the job. The downside is that it depends on the target’s personality; if they expect you to do something for them anyway, or are selfish and accept your offer with no intention of reciprocating, this principle will not work. The key is finding what they want and giving it to them.

The second principle is scarcity. The idea is that if you make a resource appear scarce, it gains value, making them want it. An example would be saying that you’re selling something, there are only 5 items left, and you won’t be restocking. You may have only started with 5 items, but they are unaware of that, and they may jump at it so they don’t miss out. This principle can be used in tandem with reciprocity in order to give value to what you’re offering. One downside is that if you make something out to be scarcer than it is and they call your bluff, it could backfire right in your face. But I mean, De Beers has been doing this with diamonds for years.

The next principle is authority. Authority is the idea that people will trust you if they think you are in a position of authority. This was shown in the Milgram experiments, where good people were told to effectively kill someone and they would do it. Authority can come from tonality, appearance, or really any non-verbal communication.

Consistency is the next principle. This one is a little abstract, but the gist is that if you say you’ll do something and then do it, you’re extremely likely to do it again with more conviction.

The fifth principle is consensus. Basically, if you see that many other people like something, then you will like it too, even if you weren’t going to like it initially. This is why you see “4 out of 5 doctors recommend this toothpaste.” Even though you don’t know the doctors at all, you are more likely to buy that toothpaste because a consensus of people like it. This also extends to people constantly looking for approval. The weakness is that if the target thinks about the decision long enough, or likes to go against the grain, the consensus principle will be ineffective.

The sixth and final principle is liking. We like people who are similar to us, people who pay us compliments, and people with goals similar to ours. That’s it: try to make the person see that your goals are inevitably the same as theirs.

Follow the six principles, reciprocity, scarcity, authority, consistency, consensus, and liking, the next time you’re trying to get someone to say yes to you. If you’re interested in social engineering, I would highly recommend checking out Influence: The Psychology of Persuasion by Robert Cialdini.

– Bryon Wilkins

Sources:

http://editeddaily.com/six-ways-to-get-them-to-say-yes-the-art-of-persuasion/

http://www.simplypsychology.org/milgram.html

Influence: The Psychology of Persuasion by Robert Cialdini

Dyre Wolf

Dyre Wolf is an ongoing and complex attack that combines multiple types of attacks into one large scam that has made the attackers millions of dollars from companies. The attack starts with a spear phishing email sent to a company. Contained within the email is an installer for the program Upatre, which is commonly disguised as a PDF or some other file type. Once it is installed, the software gives the attacker access to the computer. The attacker then installs Dyre onto the victim’s computer, which allows the attacker to modify information whenever he chooses. The attack really ramps up when the victim goes to log into the bank. Dyre allows the attacker to modify the page returned to show a fake phone number and a message telling the user to call the number to resolve the issue. At this point it is up to the attacker to use social engineering to coerce the proper banking information out of the user. Once this happens, the attacker transfers the money, commonly to an offshore account. Then the attacker runs a DDoS attack against the company to try to throw the company off from what happened and slow the company’s ability to figure out who the attacker was.

Some steps to help prevent this would include making sure that people know to report anything that seems suspicious. Run mock phishing attacks against your users to train them to look for suspicious emails.

Samuel Mosher

http://securityintelligence.com/dyre-wolf/#.VTVUByFVhBc

http://phishme.com/evolution-upatre-dyre/

Android SMS Malware

According to Sophos’ ‘Naked Security’ blog, there are fake Android applications making the rounds which use SMS (text messages) to act similarly to a worm and infect as many people as possible. Applications such as ‘Heart App’ and ‘Self-time’ have been discussed and fixed previously, but the most recent malicious app (as of March 6th) goes by the name Gazon.

So how does one become infected by Gazon? It starts with having a friend (or other contact) who has already been infected. You would receive an SMS from this person containing an introduction, a message stating that they are sending you an Amazon gift card, followed by a ‘link’ where you can claim it. These links are usually obscured by URL shortening services such as Bitly, so they generally wouldn’t look like a normal domain name. If you were to follow this link, it would direct you to download and install Gazon, masquerading as an Amazon Rewards application. Upon downloading and running this app, every contact the user has becomes a viable target, as Gazon doesn’t limit the number of contacts it will attempt to reach the way Heart App and Self-time do. On top of this, pop-up ads will be displayed when using browsers, advertising games, vouchers and rewards (according to the article).

There are two things that I find interesting about this ordeal. The first is that this app is not certified by Google, and thus does not appear on the Google Play store. The only way this app can spread is through SMS, meaning that if you’ve ever gotten a message similar to this, then one of your contacts has fallen for this tactic and downloaded it. Furthermore, I could not find an ‘Amazon Rewards’ app on the Google Play store, legitimate or otherwise, meaning that it’s likely no such application exists. The second thing I found interesting is how many ways infection by this app could be avoided, which the victims do not take. For example, simply responding to the message by asking the contact what it’s all about would likely result in the contact confirming it’s spam. Similarly, someone prompted to download the app could look it up on Google Play to check its legitimacy, and find that it is not legitimate. However, neither of these actions is taken, and thus the worm has proceeded to spread quickly.

The author of the malicious app has yet to be identified. Previous iterations of these kinds of apps have been traced, such as the Heart App, which was traced to a bored Chinese college student, but it depends on how well the authors are attempting to stay hidden. On that note, the Self-time app, which is close to half a year old at this point, still has not been traced to any definitive creator.

Written By Jeff Gruttadauria

Articles Used:

https://nakedsecurity.sophos.com/2015/03/06/gazon-android-virus-smses-everyone/

https://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-watch-out-for-text-messages-even-from-your-friends/

https://nakedsecurity.sophos.com/2014/08/11/android-heart-app-virus-spreads-quickly-author-arrested-within-17-hours/

Tabloid Phone Hacking

Scores of celebrities are claiming damages from Mirror Group Newspapers resulting from phone and voicemail hacking incidents. Address books, messages, and voicemails were stolen, and stories were published using the information. Four Sunday Mirror journalists have been arrested, and in November of 2014, former Sunday Mirror investigations editor Graham Johnson pleaded guilty to intercepting voicemail messages. He was the second Mirror Group Newspapers journalist to admit to phone hacking.

In September of 2014, Trinity Mirror, the owner and publisher of the Daily Mirror and the Sunday Mirror, admitted that some of its “journalists” had been involved in phone hacking, and apologized for the unlawful activity. MGN also printed the following apology:

“It was unlawful and should never have happened, and fell far below the standards our readers expect and deserve. We are taking this opportunity to give every victim a sincere apology for what happened.”

MGN has informed its shareholders that it will set aside funds to pay for the cost of settling phone hacking claims, as costs have exceeded initial estimates. Both criminal and civil penalties are expected.

As I dug into this story I found that this was more widespread. It would appear that journalists began to rely on phone hacking to make news throughout the 2000s. Several resources were used, including black hat hackers and private investigators. One journalist admitted to hacking one hundred celebrities every day for eighteen months.

http://www.bbc.com/news/uk-england-24059941

http://en.wikipedia.org/wiki/List_of_alleged_victims_of_the_News_International_phone_hacking_scandal

Bill Edwards