Previous month:
July 2014
Next month:
September 2014

August 2014

Top 5 #InfoSec Reads: August 18-27

by Matt Piscitello

Buggy ransomware, more China hacking, innovation in Android security, social media acceptable use, and a lesson in phishing URL composition are this week's top infosec reads.

ZeroLocker – a new destructive encrypting ransomware

Hot on the heels of newGOZ is ZeroLocker, the latest incarnation of cryptolocker. This nasty variant will infect and encrypt personal data on your C: \. To make matters worse, ZeroLocker’s developers made a particularly devastating bungle that can leave you without a decryption key, regardless of whether you pay the ransom (which can be paid in bitcoin!). While ZeroLocker has disastrous implications, we should focus on the insights that this design snafu offers us. Popular media often paints hackers as hyper-intelligent, sometimes megalomaniac, masterminds of the web, able to outsmart their law enforcement antagonists at every turn. Events like this present security experts with yet another example to debunk that misconception.

China may be targeting medical firms for IP data

A state-sponsored Chinese group may be attacking medical and pharmaceutical companies for intellectual property. This is the first reported incident of China’s activity with consumer data. According to the article, the healthcare sector is well known for underinvesting in security, which makes it an easy target for criminals that appear to be organized, well funded and sophisticated. Security experts quoted in the aritlcle point out that that China is unlikely to be the only country operating like this (cyber criminals concerned with personal information usually originate in Eastern Europe), that SMBs have no real way to stop state-funded cyber-attacks through conventional means, and that less democratic countries engage in this kind cyber espionage to protect their country’s corporations.

CISO’s offered new way to secure Android devices

North Carolina State University and Germany’s Darmstadt Technical University have developed the Android Security Modules (ASM), a software that creates a way for developers to “plug-in” security features to make the Android market safer for users. Researchers say it will be a small effort to keep the ASM updated alongside the Android OS changes, and could make Android a viable option for BYOD projects. The only hitch is that Google needs to get on board. ASM also faces the uphill task of making over Android’s reputation for poor security. ASM has stiff competition with existing BYOD products, and people can be insufferably resistant to changes when it comes to security, regardless of how innovative and promising the changes are. Consultants speculate that while ASM may not see immediate integration with the current Android model, there’s hope that it will find its niche in the future.

21 Must Haves in Your Social Media Policy

This list is chiefly concerned with acceptable use for professional social media, and most of these guidelines are good practice and etiquette for personal accounts as well. Recommendation 11, however applies universally:  “Google has a long memory. Be smart about what you post.” The article also points at the lack of clear laws relating to social media use, leaving grey areas for employees, employers, or individuals to interpret. In addition to the consequences listed in the article, there are other ramifications that may not immediately be apparent.  Social media companies are also big data collectors or companies that monetize private information, so it’s no stretch to imagine that future employers include social media activity in a background check. Check out The Security Skeptic’s STH blog post for more social media AUP insights.

Is It a Phish? Common Deceptions in Phishing URL composition

Visual deception remains an important weapon in a phisher’s arsenal. In this Security Skeptic post, Dave uses data from the APWG’s eCrime eXchange to illustrate the many ways that phishers attempt to convince recipients that the hyperlinks they “see” are legitimate. Sleight of hand? You bet.


Is it a Phish? Common Deceptions in Phishing URL composition

Phishers take advantage of common user behavior. Phishers know that people often see what they want to read rather than what is actually displayed in a message or hyperlink. They know that when we read in haste, we may pay less attention to punctuation marks. They know, too, that we are generously tolerant of typos, that we often "skip over" strings in haste, or that we may not continue to read scrupulously to conclusion once we encounter the word or name that we expect.

Visual deception has often been used by fraudsters or scammers to phish Paypal, including an iconic homographic attack where the phishers used a visually similar string, PayPaI. Other deceptions - obfuscation, imitation of URLs dynamically generated by content management systems, SSL protection - often accompany visual deception.

I searched the APWG's eCrime Exchange (eCX) block list to find hyperlinks associated with phishing campaigns that substituted the string peypal somewhere in the domain names or hyperlinks for the brand Paypal. Figure 1 shows  hyperlinks from recent phishing campaigns against Paypal that were reported to the block list.

Peypalphishurls

Figure 1. APWG Ecrime Exchange Data Search Results for "peypal"

These results suggest that visual deceptions are still common. Let's consider what forms of deception these hyperlinks employ (Note: I use a security mail list convention "hxxp" to emphasize that readers should treat these links as malicious):

hxxp://confirmation-login.services-peypal.com/paypal/ - This hyperlink uses several deceptions. It uses peypal in the domain name to thwart online brand protection efforts  to identify domain name registrations that infringe on the Paypal brand. It also uses the brand /paypal/ in a directory, which also happens to be the last string of characters Latin-script, "left-to-right" readers encounter. Ample use of slashes, periods and hyphens add distraction to the deception.

hxxp://www.appspeypal.url.ph/paypal.com_it_home.html - This hyperlink also uses multiple deceptions and obfuscation. peypal is again in the domain name. Familiar strings - "apps" and "url"-  are present as well (think "comfort foods"). Notice that paypal.com is present in the URL.  It's not the domain name - it's a component of the web page name (html) - but it is "dead center", a prominent element in the URL. Note how difficult it is to overlook: look away, then return your eyes to the URL: do you see "peypal" or "paypal" first?

hxxp://peypal.tips, http://peypal.today, hxxp://peypal.solutions, hxxp://peypal.guru, hxxp://peypal.center - These hyperlinks substitute peypal for paypal in new Top Level Domain delegations (tips, solutions, guru, and center are new TLDs). This is a fairly simple deception to detect and block. It is quite possible that phishers are testing new TLDs to see whether blocking or suspension practices are different from legacy TLDs. 

hxxps://www.nurturalhorse.com/wp/peypal/cgi-bin/ - This hyperlink uses peypal to name a subdirectory of what appears to be a legitimate (or possibly abandoned) business domain. The site was unreachable as I compose this post. It also uses SSL (https) to instill confidence that the link is trusted and secure.

hxxp://peypal.com.confirmation.86a4261d849a6e99b3c3a38f7585e3c7d4a91823.ouq.jmlt.ca/9f3885a038f82d43730038c8d9043a43/Login.php, and hxxp://peypal.com.confirmation.86a4261d849a6e99b3c3a38f7585e3c7d4a91823.ouq.jmlt.ca/727b219497204cedb818ed9a818cee8b/Login.php?login - Even pros have to look carefully to determine that the domain names in these URLs are registered in dot CA (Canada) not dot COM. These  are most likely "messy URLs". The phishers mimic the URLs that some web content management systems dynamically create: the average user sees such URLs all the time and has become desensitized to unreadable strings.

What should you take away from this modest dive into phishing URL data?

  1. Deceptions remain a common phisher convention.
  2. Visual deception - strings that look like a brand or familiar name - remain popular.
  3. Phishers are agnostic when it comes to Top Level Domains.
  4. Phishers appear to be experimenting with new Top Level Domains.
  5. Phishers obfuscate URLs; in particular, phishers mimic content delivery systems to generate "messy URLs" to deceive you (and to defeat antispam measures).

And the lessons to learn?

  • Read the entire URL.
  • Read what is displayed, not what you expect to be displayed.
  • Take the time to distinguish the domain name from the URL.
  • Resist the temptation to stop reading once you've encountered a brand or familiar string of characters in URLs and only use this to conclude the URL is safe.

Be patient and careful with URLs.

Shameless plug: the APWG eCrime Exchange (eCX) is an excellent source of phishing data and collaboration. You can contact me or matt at apwg.org to learn about membership levels that include access to these valuable resources.