Posts tagged 'tips'

If phishing sites want data, they’ll get it!

Running a honeypot, you soon realise there are four types of spam. The first is basically just adverts. Next comes social engineering spam, which is mostly advanced fee fraud. There’s a ton of cash or a pretty girl waiting if you send a small processing fee. By far the largest category is ransomware, but this is closely followed by that perennial favourite, phishing spam.

Phishing works. Its “product” nets huge profits in two ways. First, by direct use of the stolen data. Second, from sales of that data to other criminals. This got me thinking about how to fight back.

Phishing sites tend to be static replicas of the real thing, with a set of input boxes and a submit button. That is their major weakness. Another is that, though the inputs might be scrubbed to remove the possibility of a sneaky SQL injection, the information being entered might not be checked. Who’s to say that the date of birth, password, bank details etc. that you enter are real? What if you were to enter a thousand different sets of bogus information? How about a million, or even ten million?

What I propose is that when a phishing site is discovered, it would be fun to deploy a script to flood it with random data of the appropriate format for each input field. Finding real data in the collected noise would become nearly impossible, and so would help protect the innocent. If such poor-quality data is sold on to third parties, then Mr Big will soon want his money back and probably a lot more besides.

Diluting phished data to homeopathic strengths is one thing, but the general idea could be applied in other ways. One of the main tasks in running a spam honeypot is “seeding”. This involves generating email addresses to accidentally-on-purpose leave in plain sight for later harvesting by spammers. If someone were to set up a honeypot with a huge number of domains pointing to it, and with a huge number of active login accounts, those accounts can be leaked or even sold (with all profits going to charity, naturally!) as being demonstrably live and real. If the buyer tests any of them, they’ll work. Set up the honeypot in enough interesting detail, and Mr Big won’t be able to tell he’s been duped for quite some time.

Phishing is popular because it’s easy, relatively safe for the perpetrator, and highly profitable. Frustrating the efforts of criminals, casting doubt on the phished data being sold, and hopefully causing wars between cybergangs is certainly one potentially very entertaining way of fighting back.

Of course, flooding phishing sites with bogus data may already be quietly happening. I certainly hope so…

Posted on December 5th, 2016 by admin and tagged cybersecurity, online banking, passwords, phishing, targeted attacks, tips

The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining.

When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information.

Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign’s IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message’s header or checking the Bit.ly  link it contained. Both would have shown this to be a phishing attack. 

Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.

The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.

According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta’s behalf. She also received the Manager’s reply, and added her own endorsement of the phishing link.

Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.

You can bet that the Clinton campaign  spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn’t attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.

Posted on November 7th, 2016 by admin and tagged education, passwords, phishing, targeted attacks, tips

Uncover dodgy connections and malicious activity with this handy, free utility.

If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections. Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer. Unlike Process Monitor, which is part of the excellent Windows Sysinternals suite, Currports isn’t a massive firehose of events that needs taming to be of any use.

You can download Currports from its homepage. The link is near the bottom. If you run a 64-bit architecture, be sure to download the 64-bit version. You can run Currports from anywhere including the desktop. It will create a configuration file called cports.cfg in whichever folder you run it from (including the desktop).

Setting Up
Run Currports and expand the display. By default, the listing is unsorted and doesn’t automatically update, but we can change that. Press Alt + 1 to set an update time of one second, Alt + 2 for two seconds and so on.

Scroll across the display to see the information offered on each connection. Each time you press CTRL+Plus (on the keypad) the columns will auto-resize themselves.

If you double click on a line, a pop-up appears giving details of the process. This basically summarises the data in each of the columns. You can highlight a piece of information, then copy and paste it into other documents etc.

If you grab a column header with the mouse, you can pull it to wherever you want. I advise pulling “Process Created On” to the very left of the display because this acts as a handy time index to events. You can also go to View -> Choose Columns and re-order them, or switch off those you don’t require. If you find it difficult to follow lines across the screen, you can also mark every other line in light grey, and add gridlines from this menu.

There’s another useful column way over to the right of the display. It’s the Remote IP Country column. This will give you the country each remote IP address is assigned to, but it doesn’t display anything until we download the legacy GeoLite City Database. Download the Binary/xz version of the file and place it in the same directory as the same folder as Currports. Re-run Currports, move the Remote IP Country column to a place where you can see it, and you should see the column start to populate as connections are made. If not, you probably downloaded the wrong database. It’s the Binary/xz format you need. You don’t have to unpack it; just place it in the same directory as Currports.

To test the setup, open the Edge browser to generate lots of connections. Sure enough, the screen fills with new connections to different IP addresses as it accesses news, adverts and lots of other guff from multiple countries. The names of servers are resolved into host names where possible, as are city and country names if you downloaded the GeoLite City Database.

Setting Options
Currports has a range of useful options. Most control what’s displayed. Particularly useful is Mark Ports of Unidentified Applications, which is set by default. Any suspicious ports are coloured pink. Suspicious in this context means no icon, no version information, and so on.

To save you from having to sit and actively monitor Currports waiting for an infection to make its move, you can set the Beep on New Ports option. This can become quite noisy on a busy system, but if you just need to know if a suspect process on a specially prepared victim system is making outside connections without you having to stare at the screen for hours, this is the option for you.

You can also log activity by selecting File -> Log Changes. This begins writing to cports.log, which is a plain text file. It logs new connections and connections that close. The log file is written to the same folder from which you started Currports.

You can also filter Currports’ on-screen output. The format of a filter varies slightly depending on what you filter.

For example, to remove all instances of svchost.exe from the display, enter the following line:

exclude:process:svchost.exe

To only show HTTP and HTTPS traffic and exclude all other connected processes:

include:remote:tcp:80
include:remote:tcp:443

You can use local, remote or both to define which end of the connection you’re interested in.  Similarly, the allowed protocols are TCP, UDP and TCPUDP (both).

The include directive means that everything else is excluded, so you’ll need to build up the output using multiple include lines.

Nice Touches
The icon bar gives you quick access to some useful functionality. For example, select a process, hit the red cross, and its connections will drop. This isn’t recommended in normal use, but if you want to see if a piece of malware automatically re-establishes its connection it’s what you need.

Select one or more processes and hit the floppy disk icon. This allows you to save all the data from those lines as a text file.

Drag and drop the target icon onto an application and it should highlight the processes for you. On a fresh installation of Windows 10 Home this didn’t work, but your mileage may vary.

You can set and toggle the display filter with the next two icons. This second option is very useful in cases where you need to clear down the display to just the processes that interest you, then open it back up to all processes. 

The next two icons deal with copying the details for one or more processes into the paste buffer for inclusion in another document, and viewing a process’ properties (double clicking also displays the properties).

Searching for strings is accomplished with the binoculars icon, which allows you to specify case sensitivity.

Finally, you can export the entire display into HTML format, which is then opened in your default browser.

All pretty interesting stuff, but what can you do with Currports other than satisfy your curiosity?

Using Currports
Currports comes into its own as part of the behavioural analysis of potential malware. If you’ve downloaded a piece of older, unsupported application, it’s immensely useful to see if it’s leaking information or calling home.

Depending on the type of infection, several things may happen. A botnet client will try to contact its command server for instructions, a payload and a target list. Ransomware might also call home for an encryption key, but much of it also explores your network looking for other machines with unprotected shares to hold hostage. If it does so, you’ll see multiple connection attempts to lots of other addresses on the subnet.

It’s not unusual for some forms of malware to open connections to the site router while attempting to find vulnerabilities to exploit. It’s easier to attack your router from the inside of the network than from the (supposedly) hardened public side. If it can install a fake certificate or subvert DNS caching, it can redirect traffic to attack servers.

Many drive-by infections need somewhere to download and run their payloads. They can’t use the system directories, so tend to use your temporary directory. In a similar vein, much of today’s malware likes to masquerade as legitimate system processes, such as svchost.exe. A Svchost with a process path leading to your temporary directory instead of WINDOWSSystem32 is clearly not legitimate, for example. Anything out of the ordinary (Excel making connections to Romania?) should be investigated.

There are also times where all hell seems to let loose, but which are completely benign. Windows Update, for example. For this reason, it’s useful to install Windows in a VM, download and set Currports running, and just get a feel for what happens during various major operating system events. Also, install an antivirus product and watch the connections fly as it updates itself.

So, there we have it: a simple, useful utility to give you a clear 1,000-foot view of the connections being made. I may have missed one or two options, but if you have any interesting uses for Currports, please feel free to post them in the comments.

Posted on October 31st, 2016 by admin and tagged education, monitoring, ransomware, security testing, TCP, tips

Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us? 

To find the truth, we talked candidly to a branch manager from UK bank NatWest.

SE: First of all, what’s the scale of the online fraud problem from the bank’s perspective?

I won’t lie. It’s massive. We’re always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does Well, no one legitimate anyway.



SE: If you’re scammed can you get your money back?
  
It all depends. The basic thing is if it’s not a transaction you’ve made, its fraud and we can help. If it’s something you’ve done yourself that’s it, the money’s gone. Where it gets tricky is when you think you’re signing up to a one-off payment but the small print says it’s every month and you don’t realise. It might be cleverly worded, but it’s up to you to read what it is you’re buying.  If there’s any doubt, don’t do it or bring it in for us to check.

SE: How do you protect people’s money in general? 
The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they’re legitimate. Tell us you’re going to France for the week and we’ll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It’s just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It’s a pain for them, but if you tell us what you’re doing it’s usually fine.

We see a lot of “Make $2000 a month from home”-style spam. What’s the scam there?

It’s usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It’s an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you’re being used. Basically, if you’re caught acting as a money mule, then you’re as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people’s accounts. Again, it’s one of the things the system looks for that’s out of the ordinary.


Can the banks stop people being duped into sending money to scammers abroad?

You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it’s their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it’s a large amount, we’ll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they’re doing and where they’re sending it. We have had cases where people have lost considerable amounts because they’re convinced it’s real.

What’s the most outrageous thing you’ve seen?

I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That’s all it was. But it prevented the card from being returned, so people walk off thinking the machine’s swallowed it. You pull on the wire and the card pops out. It’s called a Lebanese Loop.  Simple and easy. Once you’ve got the card you’ve got the expiry date and the CVV number on the back and you can go shopping.


What’s your personal message to customers?

Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it’s still a scam. These people aren’t stupid. No one wants to give you free money. You haven’t won a foreign lottery, either. There’s no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it’s very profitable for them. Start with the idea that everything’s a scam, ask us to confirm anything you get that you don’t understand and you’ll be alright.

What other guidance is there for people?

There’s lots about but it’s a bit scattered. Barclays did a good TV advert about phone scams. We’ve published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That’s the best thing.

Posted on October 14th, 2016 by admin and tagged education, interview, online banking, passwords, phishing, targeted attacks, tips

Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.

The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious “upgrade“ to a Windows component.

Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, “All your file are belong to us“.

Posted on September 15th, 2016 by admin and tagged javascript, ransomware, tips

The FBI’s Joseph Bonavolonta had some shocking news about ransomware for Boston’s Cyber Security Summit last October. “To be honest,” he said, “we often advise people to just pay the ransom.”

Cyber-security blogs everywhere exploded at the advice, but a lot has changed in the past six months. A constantly-evolving array of ransomware campaigns roam free, “taxing” online life. One big problem is that there’s no way of knowing what the ransom payments are being used for.

Is the money funding a criminal’s easy life? The development of even worse malware? ISIS, perhaps? After further thinking the FBI is now telling people not to pay up.

The question for most of us is, what happens if you don’t pay? To find out, we infected a specially-prepared Windows test system.

Infection time

When we test anti-malware products we find the latest threats that we believe affect most people. These are often automatic ‘drive-by’ attacks, that use exploits to install malware such as ransomware on victims’ computers without requiring user interaction. You just have to visit the site and the attack starts and runs to completion. No clicking required.

For this demonstration we exposed our target, which was not running anti-malware software, to an infected website. After a few minutes of apparent inactivity a pop-up message explained that svchost.exe needed to be installed. We clicked to accept the change and… Bingo! An infection swiftly ensued, turning all of our important files to gibberish and leaving them sporting the dreaded .crypt file extension.

In the background the malware also scanned the local subnet for any other unprotected file shares. This being a test network, there were none, but in a real situation every file you can access on your local network can also potentially be accessed by ransomware. Your movie collections or business files stored on a Network Attached Storage (NAS) device are definitely at risk.

This knowledge is vital when assessing the extent of an attack. If your smartphone is plugged in, it could be at risk. Your carefully curated media server could also be affected, as could your cloud storage.

Reboot!

Assessing the Damage

Posted on June 3rd, 2016 by admin and tagged demo, ransomware, tips