An untapped resource to improve threat detection

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.”  Despite its value, many organizations don’t have a way to get timely threat intelligence.

How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.

Royal Baby Spam and Malware Attack Happening Now

It’s unfortunate, but when the general public is captivated by a certain news story, cybercriminals are hard at work exploiting the publicity that the news attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem. It is becoming harder to differentiate fake news from real news. Those fake news stories often have one sole purpose. To trick Internet users into clicking on a malicious link.

Such is the case right now. The public is captivated by content about the new royal baby – His Royal Highness Prince George of Cambridge – born to the Duke and Duchess of Cambridge on Tuesday.

This was the topic of a spam email campaign that purported to have been sent by CNN Breaking News. When users click on the link contained in the email, they are infected with a malicious Trojan. That Trojan steals financial data from the user.

As Gary Warner explains in his blog post this morning, “As many sources reported earlier today, an email claiming to be from CNN’s “Scribbler” provided a link to “Watch Live Hospital Updates” of the Royal Baby.”

What do Harrison Ford, President Obama, and Edward Snowden have in common with The Royal Baby?

They were all subjects of fake “CNN Breaking News” stories delivered by spam email today. Those messages all contained links to malicious websites which automatically downloaded malware to users’ computers when clicked. In fact, PhishMe maintains a database of hundreds of copies of these and other similar emails, a small selection of the subject lines used in yesterday’s spam emails are listed below:

“Snowden able to leave Moscow airport” – BreakingNews CNN
“Harrison Ford on ‘Ender’s Game’ controversy: ‘Not an issue for me'”
“Obama speech to urge refocus ”
“Perfect gift for royal baby … a tree?” – BreakingNews CNN

To demonstrate the relatedness of the spam, a list of the URLs that were used by each of the four campaigns is listed at the end of this article, labeled either “Snowden”, “Ender”, “Obama”, or “Tree”, corresponding to each of the four campaigns. We threw all of the advertised URLs into a fetcher and found that there were malicious files found at each of the destinations. The first link (from earlier in the day) pointed to two Javascript files that were used to redirect the visitor to an Exploit Kit that would cause malware to be dropped onto their computer. The second (later in the day, and still live at the time of writing) pointed to three Javascript files that redirected the user to a different Exploit Kit site.

I’ve added spaces to the URLs for your protection – DO NOT VISIT ANY OF THOSE URLS!!! – Doing so will result in infection with malware.

(early morning version <== redirects to nphscards.com / topic / accidentally-results-stay.php )
index.html with MD5 = 958a887fcfcad89b3fdeea4b58e55905
- which loads two Javascript files:
ftp.thermovite.de / kurile / teeniest.js
traditionalagoonresort.com / prodded / televised.js
(afternoon version <== redirects to deltaboatraces.net / topic / accidentally-results-stay.php )
index.html with MD5 = bc73afe28fc6b536e675cea4ac468b7d
- which loads three Javascript files:
thealphatechnologies.com / advantageously / autopilots.js
atlas247.com / mussiest /syndicating.js
www.mshc.in /drubbing / mouthful.js

Since it was late in the day by the time I was able to review these myself, I infected myself with the afternoon version.
deltaboatraces.net == 173.246.104.136 and is still an active infector as of this timestamp.
I got a randomly named 297,472 byte file, detected by 11 of 46 Anti-Virus vendors at VirusTotal.com as Zeus.

Adobe Flash Player Update?

After infecting an end user, the website tries to trick the user into “upgrading Adobe Flash Player”, but while it appeared that I was on the correct Adobe site from the graphics, I was not.

After “installing” my Adobe update, my sandbox went crazy and also fetched malware from a number of different locations.

After the second infection, my sandbox went to “deltarivehouse.net / forum / viewtopic.php” (173.246.104.136) which caused a string of additional infections to occur. The initial infection was Zeus. Zeus is a well-known financial information-stealing malware, but also provides criminals with full remote-control capabilities of the infected computer. The purpose of the additional malware was for another form of malicious income generation.

“sainitravels.in” (204.11.58.185) to fetch “f7Qsfao.exe”
(VirusTotal: 8 of 46)) – “Tepfor” or “Medfos” malware
”server1.extra-web.cz” (212.80.69.55) to fetch “dbm.exe”
(VirusTotal: 8 of 46)
”www.MATTEPLANET.com” (208.86.184.10) to fetch “q7ojEH7.exe”
(VirusTotal: 4 of 46)
”ictsolutions.net.au” (27.124.120.1) to fetch “SAQjaWu.exe”
(VirusTotal: 8 of 46)

Medfos, one of the malware names given to several of the above, is an “Advertisement redirection” malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos – Hijacking Your Daily Search on the Microsoft Malware Protection Center – back in September. Some of the sites that seem to be related to this Medfos installation include “bidpenniesforgold.net” (IP: 50.63.25.37) and “webpayppcclick.com” (IP: 85.17.147.34).

According to our friends at Domain Tools, that last IP address is associated with a whole world of “Pay Per Click” fraud domains, including:

advertisingclickfeed.com
allfeedppcadvertising.com
clickppcadvertisingone.com
clickwebppcpay.com
csuperclick.com
feedppcadvertisingdirect.com
feedppcadvertisinginfo.com
feedyourppcdirect.com
firstfeedppcadvertising.com
newpaywebclick.com
onlineppcclick.com
paymittelsclick.com
payonlineppc.com
payppcclickonline.com
paywebclick.com
paywebclicksite.com
perclickguide.com
perclicksite.com
perclickworld.com
ppcadvertisingfeed.com
ppcadvertisingworld.com
ppcclickonlineppc.com
ppcnewfeed.com
ppcperclickadvertising.com
ppcperpayadvertising.com
ppcwebclickpay.com
streamppcadvertising.com
webpayppcclick.com
Hopefully, tying these malware samples to that activity can help someone clean up that mess! (Attention: Leaseweb!)

What is definition of phishing?

According to a recent infographic produced by via resource, 37.3 million users were subject to phishing attacks in 2012, but what definition of phishing is being used? What does phishing actually mean?

As consumers increase the amount of time that they spend online, cybercriminals are ramping up their productivity – launching larger, more efficient and increasingly targeted attacks against brands both in and outside the financial services industry.

PhishMe delivers email-based anti-phishing solutions. Through our interactions with prospects and customers, we’ve realized that there are several different definitions of phishing floating around and that often the term “phishing” is used interchangeably with terms like “malware” and “spam”.

What’s in a word? Well, it’s an important distinction. While both phishing, malware and spam are rampant in today’s threatscape, they are not one and the same. Pure phishing threats are analyzed and acted upon differently than spam and malware.

A general definition of phishing by Wikipedia:

“Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

Phishing is, admittedly, a wide-reaching term. There are several ways to carry out a phishing attack, which is likely where some of the confusion comes into play. In the broad sense, you could say that phishing is any attempt on behalf of a cybercriminal to steal credentials. This can be carried out via a phishing website where the victim is prompted to enter his credentials or via a malicious executable.

At PhishMe, we categorize a malicious threat as phishing according to the following two rules:

  1. If the page is representing a brand and asks for any login/personal information.
  2. If the URL is not say “companyname.com, and if you do a Whois on it, the domain is not registered to that company name. So, if the URL is ilikepuppies.com and displays the logo of a major brand, it is trying to make itself look like that major brand.

What’s the difference between Phishing and Malware?

The relationship between phishing and malware is a bit blurry, mostly because they often work together to achieve the goal of the cybercriminal. In fact, the term “malware” is often included in phishing discussions.

Now that being said, here is Wikipedia’s malware definition:

“Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.”

“….Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or Trojans rather than viruses…”

One key distinction is that not all malware is delivered via email. Malware converges with phishing when it is being used as an accessory to execute the phishing attempt.

When it comes to defining today’s malicious threats, where do you encounter confusion? How do you differentiate between them? Share your thoughts in the comments section below.

Allan Carey Joins PhishMe as Vice President of Marketing

CHANTILLY, Va., July 18, 2013 — PhishMe®, Inc., the leading provider of security behavior management services that improve employees’ resilience towards spear phishing, malware, and drive-by attacks, today announced that Allan Carey has joined as Vice President of Marketing. Carey brings more than 13 years of information security industry experience to PhishMe, including progressive marketing, sales and partner development expertise. In his new role, Carey will be responsible for the global strategy and execution of PhishMe’s marketing initiatives, expanding its market share and supporting the growing success of PhishMe’s sales team and partner alliances.

The Double Barrel Throwdown 2013

One of the great things about the IT Security industry is the intelligent, creative, and interesting people who work in this field. PhishMe challenges you to show just how witty you really are by submitting us your best idea for a Double Barrel phishing scenario. Read below for contest details:

Double Barrel Throwdown Contest Terms and Conditions

Please read before entering, as entry in this contest constitutes acceptance of these rules.

No purchase is necessary to participate. The contest is open to all entrants who submit a valid entry form using a qualified email address.

ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE OFFICIAL RULES

The Double Barrel Throwdown (the “Contest”) is a competition to produce the most original, persuasive, and realistic Double Barrel phishing scenarios. PhishMe’s panel – composed of PhishMe employees – will select the best entry according to those criteria, with the winner receiving a Google Nexus tablet. To submit a valid entry into the contest, an individual must complete and submit the web form available on PhishMe’s website, ensuring to complete all required fields.

Submission Guidelines:

All submissions become the property of PhishMe, Inc. and we reserve the right to use any and all submission content in future PhishMe products, services, or marketing efforts.

All submissions must come from a qualified email address (such as corporate, government, or other recognized organizational emails).

All submissions must be received no later than 12 AM EDT on Thursday, July 25, 2013.

A valid entry must comply with the following content limitations:

  • Entries may not use trademarked material, logos, domains, images and any content that does not belong to the entrant. Any use of unauthorized content will automatically disqualify the entry.
  • Entries that are lewd, obscene, pornographic, or otherwise contain objectionable material will be disqualified at PhishMe’s discretion.

Prize

The contest winner will be announced on July 31, 2013 at PhishMe’s booth at the Black Hat Expo and simultaneously via PhishMe’s Twitter and LinkedIn accounts. The contest winner must reply to our Twitter or LinkedIn accounts to be eligible to claim the prize, a Google Nexus tablet.