When reversing malware samples, one of the things that we as analysts look for are places where the attackers slip up. This can be anywhere from using the same strings, to weak obfuscation routines, or re-using the same snippet of code. When we talk about the attackers, there is this misconception that they are these super villains who can only do evil, but keep in mind they are humans too.
In March of this year, reports of malspam campaigns utilizing an email attached “.doc.js” files, which tied back to the Kovter and Boaxxe clickfraud trojans. The analysis of these malware families have already been well documented here and here. Therefore, this post will concentrate on the botnet behind the malspam delivery and subsequent download for these recent malspam campaigns. It is believed that the miscreants behind the development of these trojans use an affiliate model to have their malicious wares infect victims via botnet or exploit kit operators.
Welcome and good luck on the CTF!
Password: “Go forth and hack!!##one1”, no quotes.
One of the challenges is to write an exploit, so please exercise responsible disclosure on this one! We will be working with the developers to get the code patched ASAP!
Please note: Challenge #4 contains a typo, it needs a Yara rule, not a key. Sorry for the error.
Deadline for submissions: We will close the contest at 8 AM (PDT) on Thursday, August 6.
People are often curious about what percentage of users will fall for a phishing attack, and it’s tempting to try to create this kind of statistic. At PhishMe, we’ve found that trying to assign a blanket statistic is counterproductive – however this hasn’t stopped others in the industry from trying to do so. The most recent company to try is Intel Security (formerly McAfee), which declared that 97% of people globally were unable to correctly identify phishing emails. While this statistic certainly makes for a nice headline, it is broad-based and flawed in a number of ways. [Read more…]
When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter). [Read more…]
Most of you have probably heard about the “RSA hack” by now. It was hot news three weeks ago when an employee at RSA fell prey to a targeted phishing attack as explained in this blog post: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ . A couple of issues highlighted in this article really caught my attention.
The article states – “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?“. That tells me that technology by-itself is not the answer to combating spear phishing attacks, it’s also about training the end user to get better at how to be suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes. I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We trained over 1.5 million (using PhishMe). The results show that perioidic training that immersed the subjects in the concept through mock phishing was successful in bringing down susceptibility rates in excess of 60% on average within a few months.
The article aslo discussed how the attackers targeted employees that ” you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here; security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.
Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.
IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.
*APT term used facetiously 😉
I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the sub directory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.