Malware RSS Feed

The Tip of the Iceberg: An Unexpected Turn in the xDedic Story

Malware Alerts - Mon, 06/20/2016 - 07:32

Introduction

Last week we reported on the xDedic underground marketplace that facilitated the selling and buying of access to compromised RDP servers. We counted over 70,000 hacked server accounts from 173 countries for sale on the marketplace. After the public announcement the xDedic website very quickly went offline, thanks to the cooperation of several major ISPs. However, it seems that this was not the end of the story.

The day after the announcement, an anonymous source from a Lithuanian IP address posted an unusual comment on our blog using the alias “AngryBirds.”

We usually take such comments with a pinch of salt and generally don’t pay too much attention to comments with strange links. However, this time the links pointed to a series of pastes on the popular resource Pastebin, which in turn contained long lists of IP addresses and date information.

One such paste contains about 19,000 records. The author of the comment mentioned that the list of pastes is related to hacked servers from the xDedic marketplace. At first glance it looked real – the earliest date was close to the time when the first servers were listed on xDedic (according to our records the first server was added in November 2014). However, we were slightly sceptical and decided to validate the list before making use of it. With this blogpost we share the results of that validation and our thoughts on the data we received.

We have collected and concatenated all the pastes in one list: it contains around 176,000 unique records from October 2014 to February 2016.

Validation Challenge

The first problem we faced is that we didn’t have full IP addresses from the xDedic marketplace, because the marketplace revealed only the first two octets of each IP. We had some data from the sinkhole, but this was just part of the full xDedic dataset and related to the operation of a single criminal (group) relying on the SCCLIENT backdoor that we managed to sinkhole. The problem becomes even worse when you consider that our sinkhole data starts at the end of March 2016 while the Pastebin dataset ends at the end of February 2016. In theory, therefore, we can’t provide a strong validation of the submitted data. Nevertheless, we decided to do our best.

One way of comparing the datasets was to check the correlation between the numbers of servers added monthly, so we combined them into one chart, seen below:

The orange bars show the number of servers added to the marketplace while the blue bars show the IPs found on Pastebin. There is a weak but still recognizable correlation between the two datasets starting from June 2015. We have no solid theory as to why this began in June 2015, but one thought is that the developers of xDedic introduced a major change to the platform code around that time which somehow affected the server information displayed.

Another check we did was to see how much the Pastebin dataset overlaps with our data from the sinkhole. As mentioned above, the sinkhole data started coming in at the end of March 2016 while Pastebin data ends in February, leaving a one month gap between the two datasets. However, we should still see an element of overlap considering that some servers could have been resold on the marketplace. And so it turned out: 1,303 unique IP addresses were found both in our sinkhole data and in the Pastebin data.

Next, we decided to check how many of the reported IP addresses from the Pastebin dataset were RDP servers. So we simply scanned known IPs for the most popular RDP ports. The results were quite impressive: 71,784 IPs had the RDP service running on port range 3300-3400 (most of them were on standard port 3389).

Finally, we decided to compare the list of subnets, based on the first two octets we had from the marketplace before March 2016 and check to see if these subnets were part of the Pastebin data too. The results were astonishing:

Subnets from marketplace before March’16    Subnets that matched Pastebin dataset
8,721                                       8,718

There were only three IPs on the marketplace which didn’t make it into the Pastebin dump. We checked those and found that they were added on 29 February 2016. We assume that these three IPs (subnets) were added at the end of the day, right after the Pastebin dump ended.
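The three cross-checks described in this section (monthly counts, overlap with sinkhole IPs, and coverage of the marketplace’s two-octet subnets) are mechanical enough to script. The block below is an added example and not Kaspersky’s own tooling; it assumes the dump is one IPv4 address and one YYYY-MM-DD date per line, that marketplace subnets are written as `a.b.*.*`, and every record in it is constructed for illustration.

```python
"""Cross-check a Pastebin-style dump of 'IP date' records against the partial
data an analyst holds: /16 prefixes (first two octets) seen on a marketplace
and full IPs from a sinkhole. Added example, not Kaspersky's tooling; the
record format (IPv4 address, then YYYY-MM-DD) is assumed and every record
below is constructed."""
from collections import Counter
from datetime import date
import ipaddress

# Constructed dump: one IP and one date per line, with a duplicate and a
# malformed line to show that both are dropped.
PASTE_RECORDS = """\
198.51.100.7 2015-06-02
198.51.100.7 2015-06-02
203.0.113.45 2015-06-17
192.0.2.10 2015-07-01
192.0.2.11 2015-07-09
not-an-ip 2015-07-09
198.51.100.200 2016-02-28
"""

# Constructed: subnets as a marketplace would display them (first two octets only).
MARKET_SUBNETS = ["198.51.*.*", "203.0.*.*", "192.0.*.*", "100.64.*.*"]

# Constructed: full IPs seen checking in to a sinkhole.
SINKHOLE_IPS = {"198.51.100.7", "203.0.113.45", "203.0.113.99"}


def parse_records(text):
    """Return the set of unique (ip, date) records, skipping malformed lines."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = ipaddress.IPv4Address(parts[0])
            day = date.fromisoformat(parts[1])
        except ValueError:
            continue
        records.add((str(ip), day))
    return records


def monthly_counts(records):
    """Records per calendar month, for comparison with monthly marketplace additions."""
    return Counter(day.strftime("%Y-%m") for _, day in records)


def sinkhole_overlap(records, sinkhole_ips):
    """Full IPs present in both the dump and the sinkhole data."""
    return {ip for ip, _ in records} & set(sinkhole_ips)


def subnet_coverage(records, market_subnets):
    """Split marketplace /16s into those that appear in the dump and those that do not."""
    dump_prefixes = {".".join(ip.split(".")[:2]) for ip, _ in records}
    market_prefixes = {s.replace(".*.*", "") for s in market_subnets}
    matched = market_prefixes & dump_prefixes
    return matched, market_prefixes - matched


if __name__ == "__main__":
    recs = parse_records(PASTE_RECORDS)
    print("unique records:", len(recs))
    print("per month:", dict(sorted(monthly_counts(recs).items())))
    print("also in sinkhole:", sorted(sinkhole_overlap(recs, SINKHOLE_IPS)))
    matched, missing = subnet_coverage(recs, MARKET_SUBNETS)
    print("subnets matched:", sorted(matched), "missing:", sorted(missing))
```

On a real dump the interesting output is the `missing` set: a marketplace subnet absent from the dump either post-dates the dump, as the three cases above did, or points at a gap in the leaked data.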

Aftermath

We sorted the Pastebin IPs by the country they belong to and got a different picture compared to what we saw previously. Here is the new TOP 10 (countries new to the TOP 10 are marked with an asterisk):

          Marketplace TOP 10                        Pastebin TOP 10 (NEW)
 #   Country         Compromised servers    Country            Compromised servers
 1   Brazil          6,540                  USA*               60,081
 2   China           5,023                  United Kingdom*    8,817
 3   Russia          4,020                  Brazil             8,770
 4   India           3,488                  Canada*            6,112
 5   Spain           3,155                  France             5,973
 6   Italy           3,119                  Spain              5,954
 7   France          2,474                  Australia          5,855
 8   Australia       2,448                  Russia             5,608
 9   South Africa    2,438                  Italy              5,536
10   Malaysia        2,140                  Germany*           4,988

If we compare visually what we saw on the marketplace and on Pastebin:

Interestingly, the USA and the UK jump into the TOP 10 by number of hosted servers, ranking first and second respectively. Canada and Germany also now appear in the TOP 10. This makes more sense when you consider that the marketplace data concerns only unsold offerings, while the huge Pastebin dataset could reflect a more realistic picture of all compromised servers. This suggests that the source of the data is either high-frequency monitoring of the xDedic marketplace (with access to full IP information) or someone with privileged access to the backend (be it a hosting provider or one of the developers). Meanwhile, our charts from the sinkhole also had the USA, the UK and Germany in the TOP 10, which supports the view that the real picture should have these major countries in the TOP 10.

Extra Note

In our earlier report we mentioned that the average server on the xDedic marketplace cost around $7-8 USD. However, many journalists asked us: “What was the most expensive server for sale on xDedic?”

When we looked at the data again we saw one server that cost $6,000 USD. In fact, only around 50 servers cost more than $50 USD, and all of them were located in the USA, from Alaska to Florida. The TOP 10 most expensive servers on xDedic marketplace were offered by a single criminal (group) with the alias “Narko“:

Subnet        State            City          OS              Date        Price, USD
72.69.*.*     Illinois         Chicago       Windows 7       03.04.2016  $6,000
50.195.*.*    Massachusetts    New Bedford   Windows 7       12.05.2016  $4,000
173.10.*.*    Washington       Bellevue      Server 2012 R2  29.04.2016  $4,000
162.233.*.*   Mississippi      Lucedale      Windows 7       05.04.2016  $4,000
104.57.*.*    Oklahoma         Stratford     Windows 7       10.05.2016  $4,000
97.87.*.*     Michigan         Davison       Windows 7       24.12.2015  $2,500
50.255.*.*    Michigan         Ypsilanti     Server 2012 R2  18.03.2016  $2,000
108.58.*.*    New York         Hicksville    Server 2008 R2  11.04.2016  $2,000
74.124.*.*    North Carolina   Randleman     Windows 7       18.04.2016  $1,500
24.178.*.*    Georgia          Gainesville   Windows 7       08.04.2016  $1,500

We can only speculate as to why these servers cost more than others, but there is no objective way to find their exact IPs because they were added to xDedic after the period covered by the Pastebin dataset.

Conclusions

If we consider the newly obtained Pastebin data as authentic this can help many organizations, companies and individuals to identify compromised servers they own. For us it was yet another confirmation that when it comes to cybercrime, we often see just the tip of the iceberg. The reason why the xDedic marketplace looked smaller to the buyer is because the most desirable servers were often sold almost as soon as they were added to marketplace, leaving only the least interesting and unwanted servers for sale.

After all the analysis we still have many questions:

  • Where does the data come from?
  • Why does the dataset from Pastebin not include more data from March to June 2016? That would make validation far easier.
  • How many of these IPs are still compromised now?

What we can tell for sure is that the Pastebin dataset:

  • Matches the timeline of the xDedic operation.
  • Contains the IPs of many RDP servers.
  • Contains many IPs of known compromised RDP servers.
  • Shows a correlation with the dynamics of the xDedic marketplace offering.
  • Contains 100% of the subnetworks we saw on the xDedic marketplace within the same timeframe.

In any case, whatever unanswered questions remain, it makes sense for the system administrators of the listed IP addresses to check carefully for a potential past compromise of their servers.

Since much of this information has already become public through the open comment on our blog post, we are releasing for national CERTs a full combined list of IPs with country code based on the GeoIP.

On the assumption that the Pastebin data provided by AngryBirds is genuine, we would like to say a formal thank you for sharing this data with us. However, there is one thing that can be improved next time, namely responsible disclosure. Making this data fully public may encourage other criminals to attack easy targets or result in the undeserved public shaming of administrators who run currently secure systems.

Had we received this information via a private channel (email, private URL, etc.), we would have been happy to relay it to CERTs and local authorities of affected countries via our established channels and partners. So we would ask that in future those who respond to our research refrain from dumping such data into the public domain. Thank you!

A full combined list of IPs with country code based on the GeoIP (.csv file)

Browse With Encryption

SANS Tip of the Day - Mon, 06/20/2016 - 01:00
When browsing online, encrypting your online activities is one of the best ways to protect yourself. Make sure your online connection is encrypted by making sure HTTPS is in the website address and that there is a green lock next to it.

Operation Daybreak

Malware Alerts - Fri, 06/17/2016 - 02:00

Earlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks. This technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero day exploit (CVE-2016-1010). Earlier this month, our technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe the attacks are launched by an APT Group we track under the codename “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.

This exploit caught by our technologies highlights a few very interesting evasion methods, some of which we haven’t seen before. We describe them below.

Operation Daybreak general information

Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails. To date, we have observed more than two dozen victims for these attacks.

Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted. The hacked web server hosting the exploit kit is associated with the ScarCruft APT and used in another line of attacks. Certain details, such as the shared infrastructure and targeting, make us believe that Operation Daybreak is being carried out by the ScarCruft APT group.

The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time. In general, their work is very professional and focused. Their tools and techniques are well above the average. Prior to the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation Erebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering hole attacks.

In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.

The main exploit page script contains a BASE64 decoder, as well as RC4 decryption implemented in JS.

The parameters sent to the “ap.php” script are randomly generated on each hit, so the second stage payload gets encrypted differently each time. This prevents easy detection by MD5 or signatures of the second stage payload.

The exploitation process consists of three Flash objects. The Flash object that triggers the vulnerability in Adobe Flash Player is located in the second SWF delivered to the victim.

At the end of the exploitation chain, the server sends a legitimate PDF file to the user – “china.pdf”. The “china.pdf” file shown to the victims in the last stage of the attack seems to be written in Korean:

Decoy document shown to victims

The document text talks about disagreements between China and “The North” over nuclear programs and demilitarization.

Vulnerability technical details

The vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information.

This is what the structure looks like:

This structure also contains an array of item_info structures:

The documentation says the following about these structures:

“The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the string table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”

In the exploit used by the ScarCruft group, we have the following item_info structures:

Item_info array in exploit object

The code that triggers the vulnerability parses this structure and, for every key and value member, tries to get the respective string object from the string constant pool. The problem lies in the fact that the “.key” and “.value” members are used as indexes without any kind of boundary check. It is easy to see that if a key or value member is larger than the string constant pool array, memory corruption results. It is also important to mention that these members (value, key) are read directly from the SWF object, so an attacker can easily use them to implement arbitrary read/write operations.

Getting object by index from constant pool without any checks

Using this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote code execution.
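The defect described above is a missing range check on attacker-supplied indices. The block below is an added example, not Adobe’s parser, that reads a metadata entry in the layout the quoted documentation describes and reports every key or value index that falls outside the string pool; the binary layout (u30 name, u30 item_count, then u30 key/value pairs) is assumed from the AVM2 specification, and the sample blob and string pool are constructed.

```python
"""Parse an AVM2-style metadata_info entry and check every item_info key and
value index against the size of the string constant pool. Added example, not
Adobe's parser; the layout (u30 name, u30 item_count, then u30 key/value
pairs) is assumed from the AVM2 specification, and the sample blob is
constructed."""


def read_u30(buf, pos):
    """Decode a variable-length u30: 7 bits per byte, low-order bits first."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated u30 at offset %d" % pos)
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80) or shift >= 35:
            break
    return value & 0x3FFFFFFF, pos


def encode_u30(value):
    """Inverse of read_u30; used here only to build the constructed sample."""
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def parse_metadata(buf, pool_len):
    """Return (name, items, problems).

    items holds the raw (key, value) pairs; problems lists every index that
    lies outside the pool, i.e. exactly the indices an unchecked parser would
    dereference blindly."""
    name, pos = read_u30(buf, 0)
    item_count, pos = read_u30(buf, pos)
    items, problems = [], []
    if name >= pool_len:
        problems.append(("name", name))
    for i in range(item_count):
        key, pos = read_u30(buf, pos)
        value, pos = read_u30(buf, pos)
        items.append((key, value))
        # key 0 marks a keyless entry; any other key must index the pool.
        if key != 0 and key >= pool_len:
            problems.append(("item[%d].key" % i, key))
        if value >= pool_len:
            problems.append(("item[%d].value" % i, value))
    return name, items, problems


def lookup(pool, index):
    """Bounds-checked pool access: the missing check is the whole bug."""
    if not 0 <= index < len(pool):
        raise IndexError("string index %d outside pool of %d" % (index, len(pool)))
    return pool[index]


# Constructed pool (entry 0 is the empty string, as in ABC) and a two-item
# metadata entry whose second value index points far beyond the pool.
STRING_POOL = ["", "ExecPolicy", "policy", "value"]
SAMPLE_BLOB = b"".join(encode_u30(v) for v in (1, 2, 2, 3, 0, 0x3FFFFFFF))

if __name__ == "__main__":
    name, items, problems = parse_metadata(SAMPLE_BLOB, len(STRING_POOL))
    print("metadata name:", lookup(STRING_POOL, name))
    for key, value in items:
        try:
            print(" ", lookup(STRING_POOL, key), "=", lookup(STRING_POOL, value))
        except IndexError as err:
            print("  rejected:", err)
    print("out-of-range indices:", problems)
```

The same check applied during triage of a suspicious SWF gives a cheap static signal: a metadata item whose index is orders of magnitude larger than the pool has no legitimate reason to exist.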

Bypassing security solutions through DDE

The Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them attracted our attention because it implements a bypass for security solutions we have never seen before.

In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file. This is internally called “yay_release.dll”:

Second stage DLL internal name and export

The code of this module is loaded directly into the exploited application and has several methods of payload execution. One method uses a very interesting technique, designed mostly to bypass modern anti-malware products, that relies on an interesting bug in the Windows DDE component. It is no secret that anti-malware systems trigger on special system functions such as CreateProcess, WinExec or ShellExecute when they are called in the context of potentially vulnerable applications, and then perform a deeper analysis of those API calls.

For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, scripts interpreters or even the command console.

To make execution of the payload invisible to these defense systems, the threat actors used the Windows DDE interface in a very clever way. First, they register a special window for it:

In the window procedure, they post WM_DDE_EXECUTE messages with commands:

Sending WM_DDE_EXECUTE message to window

The attackers used the following commands:

The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed. This is an undocumented behavior in Microsoft Windows.

In our case, a malicious VBS was executed, which installs a next stage payload stored in CAB file:

Malicious VBS used in the attack

We have reported this “creative” abuse of DDE to Microsoft’s security team.

The final payload of the attack is a CAB file with the following MD5:

  • 8844a537e7f533192ca8e81886e70fbc

The MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files:

MD5                               Filename
a6f14b547d9a7190a1f9f1c06f906063  cfgifut.dll
e51ce28c2e2d226365bc5315d3e5f83e  cldbct.dll
067681b79756156ba26c12bc36bf835c  cryptbase.dll
f8a2d4ddf9dc2de750c8b4b7ee45ba3f  msfte.dll

The file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2:

  • hXXp://webconncheck.myfw[.]us:8080/8xrss.php

The modules are signed with invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited”, with serial numbers copied from real Tencent certificates:

  • 5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0
  • 71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e

Invalid digital signature on malware samples

The malware deployed in this attack is extremely rare and apparently reserved only for high profile victims. Our products detect it as well as other malware from ScarCruft as HEUR:Trojan.Win32.ScarCruft.gen.

Victims:

Although our visibility is rather limited, some of the victims of these attacks include:

  • A law enforcement agency in an Asian country
  • One of the largest trading companies in Asia and in the world
  • A mobile advertising and app monetization company in the USA
  • Individuals related to the International Association of Athletics Federations
  • A restaurant located in one of the top malls in Dubai

Some of these were compromised over the last few days, indicating the attackers are still very active.

Conclusions:

Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky.

Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult.

Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.

As usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.

Kaspersky products detect the Flash exploit as HEUR:Exploit.SWF.Agent.gen; our AEP (Automatic Exploit Prevention) component can also successfully detect this attack. Payloads are detected with the HEUR:Trojan.Win32.ScarCruft.gen verdict.

* More information about the ScarCruft APT group is available to customers of Kaspersky Intelligent Services.

Indicators of compromise

Malicious IPs and hostnames:

  • 212.7.217[.]10
  • reg.flnet[.]org
  • webconncheck.myfw[.]us

MD5s:

  • 3e5ac6bbf108feec97e1cc36560ab0b6
  • a6f14b547d9a7190a1f9f1c06f906063
  • e51ce28c2e2d226365bc5315d3e5f83e
  • 067681b79756156ba26c12bc36bf835c
  • f8a2d4ddf9dc2de750c8b4b7ee45ba3f
  • 8844a537e7f533192ca8e81886e70fbc

xDedic – the shady world of hacked servers for sale

Malware Alerts - Wed, 06/15/2016 - 06:59

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

xDedic forum login

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.

The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.

Server purchase forum

To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates.

In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.

Top countries with servers on sale

Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database.

Top 10 sellers – May 2016

So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.

SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours)

The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments.

Apparently, there is strong interest in accounting, tax reporting and point-of-sale (PoS) software, which open up many opportunities for fraudsters:

Spam and Attacking Tools:

  • Advanced Mass Sender
  • Bitvise Tunnelier
  • DU Brute
  • LexisNexis Spam Soft
  • LexisNexis Proxifier
  • Proxifier
  • Spam Soft

Gambling and Financial Software:

  • Full Tilt Poker
  • iPoker Network
  • UltraTax 2010 (2011,..,2015)
  • Abacus Tax Software
  • CCH tax14 (tax15)
  • CCH Small Firm Services
  • ChoicePoint
  • ProSeries TAX (2014,2015)
  • ProSystem fx Tax
  • TAX Software
  • 2015 Tax Praparation
  • Tax Management Inc.
  • Lacerte Tax

POS Software:

  • PosWindows
  • BrasilPOS
  • POS AccuPOS
  • POS Active-Charge
  • POS Amigo
  • POS Catapult
  • POS Firefly
  • POS ePOS
  • POS EasiPos
  • POS Revel
  • POS Software (Generic)
  • POS Toast
  • POS QBPOS
  • PosTerminal
  • POS kiosk.exe
  • POS roi.exe
  • POS PTService.exe
  • POS pxpp.exe
  • POS w3wp.exe
  • POS DpsEftX.ocx
  • POS AxUpdatePortal.exe
  • POS callerIdserver.exe
  • POS PURCHASE.exe
  • POS XPS.exe
  • POS XChgrSrv.exe

During our research, we counted 453 servers from 67 countries with PoS software installed:

Servers for sale with Point-of-Sale software – May 2016

For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff to harvest credit card numbers. The possibilities are truly endless.

Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation.

To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here.

* For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact intelreports@kaspersky.com

CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks

Malware Alerts - Tue, 06/14/2016 - 14:38

Earlier today, Adobe published the security advisory APSA16-03, which describes a critical vulnerability in Adobe Flash Player version 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS:

A few months ago, we deployed a new set of technologies into our products designed to identify and block zero-day attacks. These technologies already proved their effectiveness earlier this year, when they caught an Adobe Flash zero-day exploit, CVE-2016-1010. Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks.

We believe these attacks are launched by an APT Group we call “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, Operation Erebus, employs an older exploit, for CVE-2016-4117, and leverages watering holes. It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.

We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.

* More information about the ScarCruft APT and Operation Daybreak is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com


IT threats during the 2016 Olympic Games in Brazil

Malware Alerts - Mon, 06/13/2016 - 07:47

Olympic threats designed to trick you

Are you planning to visit Brazil during the Olympic Games? Or watch it online? In this blog post we discuss the threats to visitors aiming to travel to Brazil to watch the games and to those planning to watch it online. In the first part we’ll talk about phishing attacks, including one against the organizers of the Games; in the second we highlight WiFi security and the results of the wardriving we did on the streets of Rio, visiting the same places as tourists and the athletes. In the third and final part we touch upon physical security that involves the usage of USB charging spots at airports, the problem of credit card cloning and ATM skimmers that will directly affect visitors to this summer’s Olympic Games in Rio.

It is clear that the Olympic Games theme is very attractive to the bad guys. Cybercriminals always use popular sports events as bait for their attacks, as they did during the 2014 World Cup, an event we monitored very closely due to the impressive number of attacks registered at the time, mainly in Brazil. But the forthcoming Olympic Games have been a bit different: the number of attacks has been low compared with the World Cup. There are many reasons for this, one of which is that the International Olympic Committee (IOC) keeps a very active Security Operations Center (SOC) that works through security incidents and reports phishing and malware campaigns. As a result, the number of “in-the-wild” attacks targeting users at this time is low.

However, the bad guys have no limit when it comes to creating new attacks. We were able to track and block several of them, such as the registration of malicious domains, fake giveaways promoted on social networks and, of course, websites selling fake tickets, using all possible ways to trick users.

The rise of bad domains

Most of the attacks start with the registration of a domain that clearly shows its malicious intent. Since the beginning of the year, we have monitored the creation of new domains registered with the name of the city that will host the Games. In fact, we found that the bad guys are constantly registering new creations at the start of every attack. Our blacklist contains more than 230 of these bad domains.

Several of these domains were registered via a free webmail account or use a protection service to hide the real identity of the owner. Some of these domains are hibernating, waiting for the right moment to start an attack (especially those promising free streaming). Others were used to host fake e-commerce sites selling tickets, to host phishing or malware, or even to spread fake ticket giveaways. Another interesting point is that several of these domains are already using the new gTLDs approved by ICANN (such as .tech and others).

The phishing phenomenon

It’s not only end users who are targets of phishing attacks. Brazil tops the list as the most attacked country with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. In February, our domain monitoring system identified a very interesting targeted campaign against the IOC, using a malicious domain masquerading as their intranet portal. The purpose of the attackers was to steal the credentials of IOC employees working in Brazil. The fake site looked like this when it was live; we are also aware of several other attacks, including this one:

IOC employees were the target of phishing campaigns to steal credentials

The most common attacks are those that aim to phish the end user – stealing credentials is a very easy attack that even a non-skilled criminal can do. We saw phishing scams with different goals, in several colors and guises. This one was very popular in Brazil and aims to clone your credit card, using the name of a Brazilian company and promising to give away a new car and tickets to the Games:

Free tickets and car giveaway. All fake promises.

Fake tickets, fake giveaways, real losses

As happened during the last World Cup, most of the malicious e-mails sent by the Brazilian bad guys used free tickets to watch the Games in Rio as the bait. Some of these messages also pointed to fake websites. This is a good example of a very well-executed campaign, promising direct ticket sales without having to apply to the official lotteries that are held for people living in Brazil:

Why bother to participate in the official lottery when you can buy a ticket direct from a fraudster?

Other fake websites also offered tickets at a very low price to attract people looking to buy tickets at the last minute. This website, targeting Brazilians, looks good, but on closer inspection it is written in poor Portuguese:

The purpose here was to sell fake tickets, with the victim paying but receiving nothing. The payment method chosen by the fraudster was the Brazilian boleto, a very popular payment system used mostly by people who don’t have credit cards.

The bait used to attract attention was very low prices. A ticket to the opening ceremony cost U$500.00 and a match of the Brazilian National Football Team cost only U$ 50.00. Of course, everything was fake:

“Watch the Male Football match paying only U$ 50,00”

Bad guys also used social media to spread their attacks. Facebook was the most used network in these cases, such as this fraudulent page announcing a fake ticket giveaway. The page is still online:

If you want to watch the Games, it’s too late to buy tickets via the official channels. We do not recommend buying through unofficial markets, as there is a high chance you are buying a pig in a poke. To make sure you don’t get caught out, the best thing is to watch the Games on TV or online, but beware of malicious streaming websites, which will undoubtedly appear in a last-ditch attempt by the bad guys to infect your computer and steal your data.

WiFi security

When we travel we usually use the Internet more, to stay in touch, tweet, post status updates and share pictures. International data plans, however, are usually very expensive, which is why we look for WiFi hotspots. Cybercriminals know this, and every year they set up fake access points or compromise legitimate WiFi networks to intercept and manipulate their victims’ browsing. The focus of the attack is users’ passwords, credit card numbers and other sensitive personal information. Open and misconfigured WiFi networks are the criminals’ preferred vehicles.

To gauge the extent of the problem in Brazil, we drove past three major areas of the Olympic Games and passively monitored the available networks that visitors are most likely to use during their stay: the Brazilian Olympic Committee building, the Olympic Park and the stadiums (Maracanã, Maracanãzinho and Engenhão).

Beautiful beaches, bossa nova and insecure WiFi

Running a fast reconnaissance over two days in the areas marked with a star on the map, we found about 4,500 unique access points.

Most of the networks actually work on the 802.11n standard:

That means that most of the hardware used to build the WiFi access points is recent and works especially well for multimedia streaming, reaching speeds of up to 600 Mbps and operating not just in the 2.4 GHz band but also in 5 GHz.

However, when it comes to security, 18% of all the WiFi networks in the area are insecure, configured as open networks. That means that nothing sent or received on such networks is protected by an encryption key: anyone within radio range can read the traffic.

A further 7% of all networks are protected with WPA-Personal, the original WPA with TKIP. That protocol is obsolete today and can be broken with modest effort: TKIP has well-documented weaknesses, and the pre-shared-key handshake can be captured passively so that a weak passphrase is guessed offline. In our opinion this is especially concerning, as users who connect to their “trusted” networks may believe they are connecting to a secure network, when in reality it could be compromised by an attacker able to deliver different kinds of attacks that manipulate the network traffic and the user’s data.

So, about a quarter of all WiFi networks in the areas of the Olympic Games are either unencrypted or configured with weak encryption. This means that attackers can break into them first and then position themselves to sniff victims’ browsing and steal their sensitive data.
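The breakdown above (open versus WPA-Personal versus the rest) is the kind of count a survey tool produces from a scan export. As an added example that is not the tooling used for the survey in the post, the Python below classifies access points from a scan CSV and reports the share that is unencrypted or relies on deprecated protection. It assumes the column layout of airodump-ng’s CSV export; the rows are constructed, not survey data. It also goes slightly beyond the post’s two categories, flagging WEP, WPA/WPA2 mixed mode and WPA2 configured with TKIP only, which a practitioner would want in the same report.

```python
# Added example (not the tooling behind the survey in the post): classify
# access points from a WiFi scan export by the protection they advertise.
import csv
import io
from collections import Counter

# Constructed sample. Assumption: the column layout is the one airodump-ng uses
# for its CSV export; BSSIDs, ESSIDs and timestamps are made up, not survey data.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2016-07-01 10:00:00, 2016-07-01 10:05:00, 6, 54, OPN, , , -60, 12, 0, 0.0.0.0, 8, FreeWiFi,
00:11:22:33:44:02, 2016-07-01 10:00:01, 2016-07-01 10:05:00, 1, 130, OPN, , , -71, 9, 0, 0.0.0.0, 14, Aeroporto_Free,
00:11:22:33:44:03, 2016-07-01 10:00:02, 2016-07-01 10:04:00, 11, 130, WPA2, CCMP, PSK, -55, 20, 0, 0.0.0.0, 16, Cafe_Copacabana,
00:11:22:33:44:04, 2016-07-01 10:00:03, 2016-07-01 10:05:00, 6, 54, WPA, TKIP, PSK, -80, 5, 0, 0.0.0.0, 8, LojaDoZe,
00:11:22:33:44:05, 2016-07-01 10:00:04, 2016-07-01 10:05:00, 3, 54, WEP, WEP, , -77, 7, 3, 0.0.0.0, 12, Pousada_Velha,
00:11:22:33:44:06, 2016-07-01 10:00:05, 2016-07-01 10:05:00, 36, 300, WPA2, CCMP, PSK, -62, 30, 0, 0.0.0.0, 11, Hotel_Guest,
00:11:22:33:44:07, 2016-07-01 10:00:06, 2016-07-01 10:05:00, 6, 130, WPA2WPA, CCMP TKIP, PSK, -66, 11, 0, 0.0.0.0, 15, Restaurante_Mix,
00:11:22:33:44:08, 2016-07-01 10:00:07, 2016-07-01 10:05:00, 44, 300, WPA2, CCMP, MGT, -58, 25, 0, 0.0.0.0, 9, COB_Staff,
00:11:22:33:44:09, 2016-07-01 10:00:08, 2016-07-01 10:05:00, 1, 130, WPA2, CCMP, PSK, -70, 14, 0, 0.0.0.0, 12, Maracana_Box,
00:11:22:33:44:10, 2016-07-01 10:00:09, 2016-07-01 10:05:00, 9, 54, WPA2, TKIP, PSK, -83, 4, 0, 0.0.0.0, 9, OldRouter,
00:11:22:33:44:03, 2016-07-01 10:30:00, 2016-07-01 10:35:00, 11, 130, WPA2, CCMP, PSK, -52, 40, 0, 0.0.0.0, 16, Cafe_Copacabana,
"""

NO_ENCRYPTION = {"open"}
WEAK = {"wep", "wpa1", "wpa_mixed", "wpa2_tkip"}


def classify(privacy, cipher):
    """Map the advertised protection to a coarse risk bucket."""
    p = privacy.replace(" ", "").upper()
    c = cipher.upper()
    if p in ("", "OPN"):
        return "open"            # no encryption at all
    if "WEP" in p:
        return "wep"             # broken for well over a decade
    if "WPA2" in p or "WPA3" in p:
        rest = p.replace("WPA2", "").replace("WPA3", "")
        if "WPA" in rest:
            return "wpa_mixed"   # still lets WPA1/TKIP clients associate
        if "TKIP" in c and "CCMP" not in c:
            return "wpa2_tkip"   # WPA2 framing, but only the deprecated cipher
        return "wpa2_or_better"
    if "WPA" in p:
        return "wpa1"            # original WPA, TKIP only
    return "unknown"


def parse_access_points(csv_text):
    """Yield (bssid, privacy, cipher, essid) per AP row, deduplicating BSSIDs.

    Header, blank lines and the shorter station-section rows are skipped.
    """
    seen = set()
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    for row in reader:
        if len(row) < 15 or row[0] == "BSSID":
            continue
        bssid = row[0].lower()
        if bssid in seen:
            continue
        seen.add(bssid)
        yield bssid, row[5], row[6], row[13]


def summarize_survey(csv_text):
    """Count APs per bucket and the share with no or weak protection."""
    counts = Counter(classify(priv, ciph) for _, priv, ciph, _ in parse_access_points(csv_text))
    total = sum(counts.values())
    open_n = sum(counts[k] for k in NO_ENCRYPTION)
    weak_n = sum(counts[k] for k in WEAK)
    return {
        "total": total,
        "counts": dict(counts),
        "open_pct": round(100.0 * open_n / total, 1) if total else 0.0,
        "weak_pct": round(100.0 * weak_n / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    summary = summarize_survey(SAMPLE_CSV)
    print("access points:", summary["total"])
    for bucket, n in sorted(summary["counts"].items()):
        print("  %-15s %d" % (bucket, n))
    print("open: %.1f%%, weak: %.1f%%" % (summary["open_pct"], summary["weak_pct"]))
```

Deduplicating on BSSID matters for drive-by surveys, since the same access point is seen on every pass; counting rows instead of radios inflates whichever networks sit closest to the route.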

Is it possible to use an open WiFi network and still have a secure Internet connection? The answer is yes, but in practice that means using a VPN connection.

We strongly recommend using a VPN connection on any WiFi network you use while travelling, so that the data from your device travels to the Internet through an encrypted tunnel. That way, even if you work from a compromised WiFi network, the attacker should not get access to your data.

However, not all VPN providers offer the same quality of service. Some of them are vulnerable to DNS leaks. That means that even if your sensitive data is sent through the VPN, your DNS queries go out in plain text to the DNS servers configured by the access point. In this scenario the attacker can still at least see which servers you are browsing to and, if they control the access point of the compromised WiFi network, can hand out malicious DNS servers. Essentially that means that the next time you type the name of your bank into the browser, the IP address it connects to will be a malicious one. So even some experienced users can become easy victims. There is almost no limit, from the attacker’s point of view, once they control your DNS servers.

So, before relying on your VPN connection, make sure it does not have a DNS leak problem. If your VPN provider doesn’t offer its own DNS servers, consider another VPN provider or a DNSCrypt service, so that your DNS requests go out as encrypted queries to trusted DNS servers. Remember that what starts as a small security issue can have big security implications.

A simple formula: whatever network you connect to, use your VPN connection with its own DNS servers. Don’t rely on any local settings, since you can’t be sure whether the WiFi access point you are connected to is compromised or not.
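A quick way to test the DNS-leak condition described above is to ask which interface each configured resolver would be reached through: if it is not the tunnel, queries to it leave the laptop in the clear on the WiFi. The Python below is an added example, not from the post or from any VPN vendor. It parses a constructed /etc/resolv.conf (the access point’s DHCP resolver still present alongside the VPN’s) and a constructed routing table, assumes the VPN client installed the 0.0.0.0/1 and 128.0.0.0/1 pair that OpenVPN’s redirect-gateway def1 option uses, and reports the resolvers that bypass tun0.

```python
# Added example (not the post's or any VPN client's code): a static DNS-leak check
# that resolves each nameserver against the routing table with longest-prefix match.
import ipaddress

# Constructed /etc/resolv.conf as a WiFi DHCP lease plus a VPN client might leave it.
SAMPLE_RESOLV_CONF = """\
# Generated by the WiFi DHCP client (constructed sample)
search hotel.local
nameserver 192.168.1.1
nameserver 10.8.0.1
"""

# Constructed routing table as (destination prefix, outgoing interface).
# Assumption: the VPN pushed the 0.0.0.0/1 + 128.0.0.0/1 pair via tun0 and a host
# route for its own server (203.0.113.10, a documentation address) via wlan0.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route handed out by the access point
    ("192.168.1.0/24", "wlan0"),   # the WiFi LAN itself
    ("203.0.113.10/32", "wlan0"),  # the VPN server must stay reachable outside the tunnel
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("10.8.0.0/24", "tun0"),       # the VPN's internal network, where its resolver lives
]


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def egress_interface(ip, routes):
    """Pick the outgoing interface the way the kernel does: longest matching prefix.

    Route metrics are ignored for the example; equal-length prefixes keep the first.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def dns_leaks(resolv_conf, routes, tunnel_iface="tun0"):
    """Resolvers whose queries would leave through something other than the tunnel."""
    return [ns for ns in parse_nameservers(resolv_conf)
            if egress_interface(ns, routes) != tunnel_iface]


if __name__ == "__main__":
    leaking = dns_leaks(SAMPLE_RESOLV_CONF, SAMPLE_ROUTES)
    for ns in parse_nameservers(SAMPLE_RESOLV_CONF):
        print("%-15s via %s%s" % (ns, egress_interface(ns, SAMPLE_ROUTES),
                                  "  <-- LEAK" if ns in leaking else ""))
```

A live check would go one step further and confirm from the resolver’s side, for instance with a leak-test service, because per-interface resolver scoping on systemd-resolved or macOS can route queries independently of the IP routing table. The static check still catches the common failure, the access point’s DHCP resolver surviving after the tunnel comes up, which is exactly the case the paragraph above warns about.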

Physical security

Another point that requires vigilance when travelling is physical security: not everything that looks useful is exactly what it seems. Criminals often deliver attacks in situations where you would not necessarily expect a risk. Let’s look at some common situations where this can happen.

USB charging spot

As mentioned before, using a mobile phone when travelling is crucial, and keeping it charged all day long can be a big challenge. To help tourists, most cities are investing in charging points that can easily be found in shopping malls, airports and taxis. Most of them provide connectors for the majority of phone models as well as a USB socket that can be used with your own cable.

Charging spot provided in a Brazilian cab

Some models, usually found in shopping malls and airports, also provide a traditional power socket that can be used with your own charger.

Charging spot at Rio International Airport. Which one do you think is the most secure?

A USB socket carries data as well as power. While the device is connected, a malicious charging point can talk to it over USB and query information about it, including the model, IMEI, phone number and battery status. With that information it is possible to run an attack tailored to the specific phone model, infect the device and collect personal information.

This doesn’t mean we should never charge our devices when away from home; by following these simple rules you can protect yourself from this kind of attack:

  • Always use your own charger and avoid buying one from unknown sources;
  • Use the power socket instead of the USB socket when using an unknown charging point;
  • Don’t use the charging cables provided at a public charging spot.

ATM skimmer

The ATM skimmer attack, also known as the “Chupa-cabra” in Brazil and other Latin American countries, is a very popular type of attack that is still being used by criminals in Brazil. From time to time a new gang appears in the news carrying out this attack somewhere in the country, mainly in places frequented by tourists, such as Rio International Airport. In 2014 a gang installed 14 ATM skimmers there.

There are different types of ATM skimmer in Brazil; the most common just installs a card reader and a camera to record the PIN as it is typed.

An ATM skimmer which installs a camera to record the typed password

Against this type of skimmer you can protect yourself by covering the keypad while typing your PIN, which prevents it from being recorded by the camera.

Unfortunately, this will not help in all cases, as there is another type of skimmer where the criminals replace the entire ATM front, including the keypad and screen. In this case the typed PIN is stored by the fake ATM itself.

ATM Skimmer which replaces the entire ATM

To avoid this type of attack it is important to watch for anything suspicious while using the ATM:

  • Check that the green light on the card reader is on. The criminals usually replace the reader with a version that has no light, or where it is off;
  • Before starting the transaction, check for anything suspicious on the ATM, such as missing or badly fitted parts;
  • Cover the keypad while typing your PIN.

Credit Card Cloning

Unfortunately, Brazil is well known for credit card cloning, and it is not hard to find someone who has had their card cloned while visiting the country.

Credit and debit cards are widely used in Brazil and are accepted as payment almost everywhere, including by street vendors. In fact, most of them prefer card payments to avoid problems with change.

Brazilian banks are a reference worldwide for their fight against credit card cloning, and were pioneers in adopting chip-based cards to protect customers from this type of attack by making the card much harder to clone. However, it was only a matter of time before Brazilian criminals found a way to start cloning chip-based cards, by exploiting flaws in the EMV transaction implementation.

We have seen Brazilian criminals exchanging information about how to attack a chip-based card in order to extract its data and then write it to another card using a set of tools.

Tool used to save the information to the smart card

It is really hard to protect yourself against this type of attack, because usually the point-of-sale terminal is modified to save the card data, to be collected later by the criminals. Sometimes they don’t even need physical access to retrieve the stolen data, as it is collected via Bluetooth.

One good measure from the banks is SMS notification of each transaction made with your card. Even though it does not prevent cloning, the victim is notified of the fraudulent transaction as soon as it happens and can contact the bank to block further transactions.

To reduce the chances of having your card cloned, there are some simple steps to take:

  • Never hand your card to the retailer. If for some reason they cannot bring the machine to you, go to the machine yourself;
  • If the machine looks suspicious, change the payment method. It is always good to carry some cash as a back-up;
  • Before typing your PIN, make sure you are on the correct payment screen and that your PIN will not be shown on the screen.

For everybody visiting Brazil to watch the games, we wish you safe flights and a safe stay. To our readers we wish you safe online surfing and for the Olympic athletes, may the best one win!