Showing posts with label phishing. Show all posts
Showing posts with label phishing. Show all posts

Tuesday, September 15, 2015

An IRS tax refund phishing scam illustrates the widespread failure of hosting and antivirus providers' security measures

Scams focused on stealing tax refunds remain highly profitable, despite the fact that they are well known and understood by security professionals and the general public, and have been for years. A variety of distribution methods are used, with the common threads being the use of IRS logos and bureaucratic-sounding language to convince users to click a link, download and execute a file and/or send personally identifying information like a Social Security number. A recent example of one such a scam that I came across is a damning illustration of the failure of online service providers to protect users from obvious and simple malware distribution methods.

In the example I wish to discuss today, the distribution method was a spammed email that on a small ISP's installation of SpamAssassin (note: I am not an admin or employee of this system; I'm a customer) received an X-Spam-Status score of 5.3 after being flagged with the following variables:

X-Spam-Status: No, score=5.3 required=10.0 tests=AM_TRUNCATED,CK_419SIZE,
 CK_KARD_SIZE,ENV_FROM_DIFF,ENV_FROM_DIFF0,FROM_SECURITY,HAS_REPLY_TO,
 HEADER_FROM_DIFFERENT_DOMAINS,JUNKE_IXHASH,LINK_NR_TOP,MAILPHISH_REPLYTO,
 PSTOCK_PART,TO_NOREAL,XPRIO,ZIP_ATTACH shortcircuit=no  
        autolearn=disabled version=3.4.0 

While the default SpamAssassin threshold for marking a message as spam is 5.0, few admins leave this default value. SpamAssassin itself recommends that admins of multiple user mail servers use a threshold of 8 to 10. I don't have this ISP's spamassassin.conf file, and its obviously been customized. My point here isn't to take issue with SpamAssassin, which I have used for many years, but to demonstrate how this message made its way to mailboxes through pretty solid security software despite these being included in the headers:

From: "Internal Revenue Service" <office@irs.gov> 
Reply-To: "Internal Revenue Service" <office@irs.gov>  
Return-Path: <servers@abitindia.com>

Here's another depressing bonus. In addition to SpamAssassin, the recipient mail server had clamav installed. The message had a .ZIP file attachment, and the mail server's clamav install marked it as clean:

X-Virus-Scanned: clamav-milter 0.98.7 at mx1.riseup.net
X-Virus-Status: Clean


The attachment does in fact have a javascript nasty-ware. And clamav is not alone in its failure to pick up the file. According to Virustotal, 31 out of 56 AV platforms failed to detect this file - including Symantec, TrendMicro, Panda, Malwarebytes, Avast and Avira. In defense of these AV heavyweights, the file used a single basic obfuscation function to disguise its purpose - which at the moment is apparently enough to fool these AV packages.


One round through Einar Lielmanis' JS Beautifier later, and we have this:


The script creates an EXE file in the %TEMP% directory - usually something like C:\Users\UserName\AppData\Local\Temp - that is named some random string, and fills it with a bunch of garbage that it retrieves from one of the three domain names listed: dickinsonwrestlingclub.com, syscomm.smartlanka.net or les-eglantiers.fr.

There are a number of domains and hosts associated with this scam.



Malware domains
Domain IP Host Registrant Contact DNS IPs
dickinsonwrestlingclub.com 72.20.64.58 Consolidated Telcom Perfect Privacy, LLC N/A 72.20.64.11, 72.20.64.12
syscomm.smartlanka.net 69.89.31.73 box273.bluehost.com / Bluehost / Unified Layer Dilhan Seneviratne prabhath247@gmail.com 74.220.195.31, 69.89.16.4
les-eglantiers.fr 76.74.242.190 hp92.hostpapa.com / Peer 1 Network / Cogeco John Huisman / Camping Beau Rivag huisman.huisman@orange.fr 69.90.36.133, 204.15.193.53



Spam domains
Domain IP Host Email Provider Contact DNS IPs
abitindia.com 54.165.102.41 Amazon EC2 Gmail accounts@abitindia.com 50.23.136.229, 50.23.75.96, 162.251.82.118, 184.173.150.57
mail.netspaceindia.com 74.54.133.186 The Planet N/A help@netspaceindia.com 205.251.196.41, 205.251.192.135, 205.251.199.124, 205.251.195.214
netspaceindia.com 104.131.68.147 Digital Ocean N/A help@netspaceindia.com 205.251.196.41, 205.251.192.135, 205.251.199.124, 205.251.195.214



Taking a look at the hosts involved in this scam provides even further disappointment. abitindia.com, whose email is managed by Gmail, is providing the return-path for the spam messages but not the reply-to. Replies, incredibly, go directly to the IRS support email address. The reply-to header is commonly forged so that backscatter goes to some random sucker. In this case, abitindia.com is affiliated with the sender domain netspaceindia.com:

Domain Name: ABITINDIA.COM
Updated Date: 2014-11-24T05:21:07Z
Creation Date: 2006-11-23T19:31:19Z
Registrar Registration Expiration Date: 2015-11-23T19:31:19Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrant Name: Netspaceindia
Registrant Organization: Netspaceindia
Registrant Street: Hall no 3, Wing B, Parshuram apt Above Woodlands Showroom College Road Nashik
Registrant City: Nashik
Registrant State/Province: Maharashtra
Registrant Postal Code: 422005
Registrant Country: IN
Registrant Phone: +91.9975444464
Registrant Email: accounts@abitindia.com
Name Server: dns1.netspaceindia.com
Name Server: dns2.netspaceindia.com
Name Server: dns3.netspaceindia.com
Name Server: dns4.netspaceindia.com


In other words, in many circumstances backscatter recipients are innocent victims. That is not the case here - the sender is managing the backscatter recipient address, likely to keep their mailing lists updated. As such, Google could play a role in putting a stop to this scam - a review of the backscatter would make the relationship between sender and backscatter recipient obvious, and in an ideal world would precipitate the suspension of the Google Apps account for "abitindia.com".

To be fair, Google's responsibility here is minimal - particularly when compared to the role that every other hosting provider plays in this. The Planet and Digital Ocean are providing the infrastructure for the spam campaign, while Bluehost, Cogeco and Consolidated Telcom are providing the infrastructure for hosting the malware. Its likely that the accounts for these providers were created using fraudulent/stolen payment information, or legitimate accounts were compromised. This sort of thing is an everyday occurrence for hosting providers; for providers who do not invest in abuse response, these types of scams can use the same accounts with the same hosting providers for months if not years. When I come across this sort of scam, I do my best to inform the hosting providers involved using the abuse contact information that is required to be associated with IP/DNS registrations, along with enough evidence for the provider to confirm Im not a nut. It is unusual to receive a response and even more unusual to receive a non-automated response. It is just as unusual for hosting provider staff to review their abuse@ contacts, let alone resolve the issues they receive.

Hemming and hawing over the need for state intervention to prevent "cyber-attacks" (vomit) and scams like the ones described here are all over the place. Many of those who support such a view make it a point to justify government intervention because of the incredible sophistication and technical complexity of the scams that plague internet users. However, the overwhelming volume of the scams I have encountered over the course of my career involved well known techniques and software. There is significant room for improvement in security practices with applying what we already know: like how to prevent (or rapidly stop) a 30 year old scam using 20 year old spam techniques to circulate 10 year old malware.

Monday, September 14, 2015

Electronic Arts sending out phishing alerts for Origin accounts

I received a somewhat horrifying email from Electronic Arts in reference to my Origin account yesterday :

I pissed my pants a little.
The email definitely originated from EA, and there is very little resembling a phishing scam in the process they use to update security setting.

I haven't used my Origin account for anything other than playing games on Xbox that require one... I haven't played my Xbox in months. There is no payment information associated with my Origin account, and the login information for it is not associated with any other accounts. There is nothing in the account activity to suggest purchases have been made.

I would be a lot more comfortable with this sort of thing if the email was specific about what the issue was. So I am wondering a bit as to why I received this email. Has anyone else been receiving these emails?

This whole "standard systems analysis" strikes me as .... suspicious.

UPDATE: I've confirmed that I am not the only Origin user who received one of these. I have tweeted @EA and asked them flat-out if there has been a security compromise:


UPDATE 2: In the email, EA mentions specifically that "We have no reason to believe at this time that the suspicious activity is the result of unauthorised access to EA’s databases". Pointing out databases specifically, rather than using a more general term like "system" or similar, leads me to wonder if someone hasn't tried to tamper with something else; like a systematic attempt to reset passwords. 

Tuesday, September 1, 2015

Nasty little Dropbox phishing spam

This morning I received an interesting message from someone I haven't heard from in a while through email. The subject line was "FIND PDF COPY" (in all caps). Inside the body of the message, embedded within the normal garbage footer attached by their email client, was this:

Joshua Wieder dropbox spam phishing embedded image

I may very well have gotten suckered into this one if it weren't for the all caps subject line. The person who ostensibly sent me this message is, somewhat ironically, the type of person to include all caps text in their email - but there was something a little too weird about the grammatical solipsism intrinsic to the phrase "FIND PDF COPY" even for this supposed sender.

So I took the two seconds out of my day to hover my mouse over the link and, what would you know, dropbox was not the target at all. The link forwarded to "goto-saketen.com" instead.

Just to be sure I took a look at the headers of the message. This did in fact come from the sender it claimed to, although I'm quite certain he had no idea his computer is sending these messages. I was a bit relieved; this sender is one of my contacts, so at least I knew that *his* email account was screwed, and not mine (by for example someone enumerating my contacts and sending messages to me with forged From: fields). And it does look like its just the guy's email account; the headers originated from Yahoo's email servers.

Whoever at Yahoo decided to add a custom header called the Newman ID deserves a raise btw. Newman, of course, was the mailman on Seinfeld. Get it?

Joshua Wieder - Newman
Neeeeeewwwman. ID.
Anyway, I won't drag this out very long because there's not much interesting here. Its just phishing, no malware. Plain, silly phishing. You get to a sign-on page that will never allow you to login:

function validation(){

        if(!document.docContainer.username.value.match(/^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-z0-9]{2,4}$/) || document.docContainer.password.value.lengt
h < 4){ $('#usernameError').fadeIn(50); $('#passwordError').fadeIn(50); return false;}



        if(!document.docContainer.username.value.match(/^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-z0-9]{2,4}$/)){ $('#usernameError').fadeIn(50);  return fal
se;}



        if(document.docContainer.password.value.length < 4){ $('#passwordError').fadeIn(50);  return false;}


        return true;

}


"goto-saketen.com" is, as you might have guessed, a website that sells sake (you can check out some of their booze on their Twitter account). I suspect they are just patsies. Their domain is registered from an hosted in Japan, and their website is entirely in Japanese, which sounds like NBD except snowshoe spam domains almost never meet the basic requirement of being where they say they should be.

Keep an eye out for Dropbox notifications over the next few weeks so you don't get burned.

Wednesday, December 12, 2012

Phishing Alert - NACHA Spam with BONUS: How to Read Headers to Identify the Source of Fraudulent Email

A few million of the emails below are making the rounds. The phishing emails attempt to be from NACHA, an ACH trade organization, and tell readers that a recent direct deposit was declined and to just DOWNLOAD THIS SOFTWARE to CLAIM YOUR FREE CASH NOW!!!11!


NACHA itself is aware of the tomfoolery:


The From: and Reply To: headers are both forged in this email. Because of this, I suspect that jamnaytac.com, who is included in the Reply To: but now the From: is going to be receiving some grief / spam complaints that have nothing to do with them.

So who is responsible for this? Below I have included the email headers for this spam message. This one is mildly interesting because it makes some shallow attempts at being deceptive to a lazy reader. When reading headers, what we are interested in mostly are the Received: lines. Almost every other item (mouth breathers: note the almost) can be forged. Received: lines can be forged to, but only by adding lines that should not be there. Received: lines that should be there cannot be removed. When reading these lines from top to bottom, we are retracing the steps that the email took to reach us. The first lines are for the recipient - the last email server in the chain is the email server that received the email. In this case, the email was received by my gmail account (I've replaced my email address with a phony one - the other email addresses I have not modified because they were fake to begin with). 

Delivered-To: 1coolguy@yomamahouse.com****NOTAREALADDRESS****DERP
Received: by 10.194.0.225 with SMTP id 1csp142932wjh;
        Tue, 11 Dec 2012 13:31:16 -0800 (PST)
Received: by 10.69.16.100 with SMTP id fv4mr52027767pbd.135.1355261475662;
        Tue, 11 Dec 2012 13:31:15 -0800 (PST)
Return-Path: <vegetatesgh0@planetsegur.com>
Received: from dalerojo.ning.com ([83.70.178.81])
        by mx.google.com with ESMTP id yl9si26859320pbc.272.2012.12.11.13.31.14;
        Tue, 11 Dec 2012 13:31:15 -0800 (PST)
Received-SPF: neutral (google.com: 83.70.178.81 is neither permitted nor denied by best guess record for domain of vegetatesgh0@planetsegur.com) client-ip=83.70.178.81;
Authentication-Results: mx.google.com; spf=neutral (google.com: 83.70.178.81 is neither permitted nor denied by best guess record for domain of vegetatesgh0@planetsegur.com) smtp.mail=vegetatesgh0@planetsegur.com
Received: from rbdrhasvgdrhjataahsc (192.168.1.8) by rbdrhasvgdrhjataahsc.barronheating.com (83.70.178.81) with Microsoft SMTP Server id 8.0.685.24; Tue, 11 Dec 2012 14:32:23 +0000
Message-ID: <50C7837A.901050@planetsegur.com>
Date: Tue, 11 Dec 2012 14:32:23 +0000
From: "noreply@direct.nacha.org" <limbereds64@jamnaytac.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100328 Thunderbird/2.0.0.24
MIME-Version: 1.0
To: <1coolguy@yomamahouse.com****NOTAREALADDRESS****DERP>
Subject: Direct Deposit payment was declined
Content-Type: multipart/alternative;
 boundary="------------05090300301030906090103"

We want to typically ignore the hostnames in these lines as irrelevant. These hostnames are provided by the email server and can be anything the administrator wants them to be. In cases where the originating sender is a computer and not an email server (AKA a Mail Transfer Agent or MTA), in other words when someone uses Outlook on their desktop computer and not webmail, you'll often see a Windows machine name there that is not a Fully Qualified Domain Name (FQDN). So again, the IP is what is important, the hostnames aren't.
I stress the hostnames in this case because they are deliberately deceptive in this case. The spammer has used hostnames for other legitimate mail servers as the hostnames on their mail servers to make it look to the casual reader as though someone else was responsible. Hostnames included below like "rbdrhasvgdrhjataahsc.barronheating.com" - barronheating.com is a regular business, and one that appears to have been harassed as the result of this. Their mail server is 173.10.124.129, which has nothing to do with the 83.70.178.81 that rbdrhasvgdrhjataahsc.barronheating.com was assigned. rbdrhasvgdrhjataahsc.barronheating.com is not even an A record / forward DNS entry, and 83.70.178.81 contains no reverse. A quick bit of help from ARIN, and it appears that 83.70.178.81 is registered to a Internet Service Provider in Cork, Ireland named Eircom Limited. Most likely this message was sent after some poor sap in Ireland click on the spam, downloaded a nasty bit of business that turned their crappy PC into a tiny mail server, and there you go.
Other hostnames involved that have nothing to do with this are planetsegur.com and ning.com. Why would a spammer involve innocent third party mailers like this? Largely, to be obnoxious. When blacklists filter email for legitimate email servers, it wastes everyone's time and decreases faith in those services (there are good reasons to ignore a large number of modern RBL services, but that's a post for another day).
So what is to be done? Unfortunately, not much. 83.70.178.81 is a broadband IP address, meaning it is almost certainly assigned as part of a dynamic range of IPs - IPs that are not assigned to a specific user or organization, and whose assignment changes regularly using something like DHCP for example. Any email administrator worth even part of their paycheck would have sent this to the Junk Email box or rejected it before even touching the mailbox. Worthwhile RBLs like Spamhaus publish lists of dynamically assigned IPs to be filtered be email administrators - Spamhaus publishes these numbers as part of their PBL [Full disclosure: I provided data center support for and was at one time a coworker of the creator of NJABL. NJABL has since been acquired and merged with Spamhaus.] Recipient email administrators should filter dynamically assigned IPs, because email servers hosted on commercial internet connections are almost exclusively regular computers that have been compromised. Even those who opt not to host in a data center (pttthhhbbbtttt) can at least scrape together a few dollars for a dedicated IP address and associated reverse DNS / PTR entry. Email readers should stop downloading software from emails that promise them FREE MONEY!!1!1! Email has been around for 40 years now. My 90 year old grandmother has email. There's no longer any reason to be a dupe. 
Finally, and most importantly, Internet Police, Email Vigilantes and Armchair Warriors need to take a deep breath and stop what they are doing. Just - stop. Please. After a number of years working at this email business, I feel comfortable saying that we have begun to reach a critical mass where the Internet Police are a larger waste of time and money than the spammers are. Why? Internet Police are the ones who make bizarre phone calls and send threatening emails over spam. They blacklist hosting companies and data centers, preventing normal email communication for tens of thousands of people, after identifying one or two spam emails. They force companies who *do not send spam* to release statements like this one. If this is you - please know that you are the problem for those of us whose job it is to make email work for people. If that is not your goal in fighting spam, what is your goal?
Remember - all data is posted on this website with the hopes that sharing data and an increased understanding of the internet and how it works will result in a better, safer internet for all of us. Thanks for reading!

NSA Leak Bust Points to State Surveillance Deal with Printing Firms

Earlier this week a young government contractor named Reality Winner was accused by police of leaking an internal NSA document to news outle...