SE Labs

Posts tagged 'tips'

How To Really Stop Phishing

If phishing sites want data, they’ll get it!
phishing-3415461
Running a honeypot, you soon realise there are four types of spam. The first is basically just adverts. Next comes social engineering spam, which is mostly advanced fee fraud. There’s a ton of cash or a pretty girl waiting if you send a small processing fee. By far the largest category is ransomware, but this is closely followed by that perennial favourite, phishing spam.

Phishing works. Its “product” nets huge profits in two ways. First, by direct use of the stolen data. Second, from sales of that data to other criminals. This got me thinking about how to fight back.

Phishing sites tend to be static replicas of the real thing, with a set of input boxes and a submit button. That is their major weakness. Another is that, though the inputs might be scrubbed to remove the possibility of a sneaky SQL injection, the information being entered might not be checked. Who’s to say that the date of birth, password, bank details etc. that you enter are real? What if you were to enter a thousand different sets of bogus information? How about a million, or even ten million?

paypal-6108084
What I propose is that when a phishing site is discovered, it would be fun to deploy a script to flood it with random data of the appropriate format for each input field. Finding real data in the collected noise would become nearly impossible, and so would help protect the innocent. If such poor-quality data is sold on to third parties, then Mr Big will soon want his money back and probably a lot more besides.

Diluting phished data to homeopathic strengths is one thing, but the general idea could be applied in other ways. One of the main tasks in running a spam honeypot is “seeding”. This involves generating email addresses to accidentally-on-purpose leave in plain sight for later harvesting by spammers. If someone were to set up a honeypot with a huge number of domains pointing to it, and with a huge number of active login accounts, those accounts can be leaked or even sold (with all profits going to charity, naturally!) as being demonstrably live and real. If the buyer tests any of them, they’ll work. Set up the honeypot in enough interesting detail, and Mr Big won’t be able to tell he’s been duped for quite some time.

Phishing is popular because it’s easy, relatively safe for the perpetrator, and highly profitable. Frustrating the efforts of criminals, casting doubt on the phished data being sold, and hopefully causing wars between cybergangs is certainly one potentially very entertaining way of fighting back.

Of course, flooding phishing sites with bogus data may already be quietly happening. I certainly hope so…

How The Clinton Campaign Was Really Hacked

hillary-clinton-3961580The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining.

When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information.

Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign’s IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message’s header or checking the Bit.ly  link it contained. Both would have shown this to be a phishing attack. 

phish-5291731

Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.

The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.

podesta-it-email-1-8250640

According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta’s behalf. She also received the Manager’s reply, and added her own endorsement of the phishing link.

Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.

reply-2589288

You can bet that the Clinton campaign  spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn’t attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.

Malicious Connections monitoring with Currports

malicious connections

Uncover dodgy and malicious connections on your network with this handy, free utility.

If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections.

Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer.

Read more >

Interview With The Bank Manager

barclays-2502387Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us? 

To find the truth, we talked candidly to a branch manager from UK bank NatWest.

SE: First of all, what’s the scale of the online fraud problem from the bank’s perspective?

I won’t lie. It’s massive. We’re always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does Well, no one legitimate anyway.




SE: If you’re scammed can you get your money back?

  
It all depends. The basic thing is if it’s not a transaction you’ve made, its fraud and we can help. If it’s something you’ve done yourself that’s it, the money’s gone. Where it gets tricky is when you think you’re signing up to a one-off payment but the small print says it’s every month and you don’t realise. It might be cleverly worded, but it’s up to you to read what it is you’re buying.  If there’s any doubt, don’t do it or bring it in for us to check.

SE: How do you protect people’s money in general? 
102bgolden2brules-3149731The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they’re legitimate. Tell us you’re going to France for the week and we’ll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It’s just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It’s a pain for them, but if you tell us what you’re doing it’s usually fine.

We see a lot of “Make $2000 a month from home”-style spam. What’s the scam there?

It’s usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It’s an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you’re being used. Basically, if you’re caught acting as a money mule, then you’re as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people’s accounts. Again, it’s one of the things the system looks for that’s out of the ordinary.



Can the banks stop people being duped into sending money to scammers abroad?

nat2bwest2bsite-6365254


You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it’s their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it’s a large amount, we’ll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they’re doing and where they’re sending it. We have had cases where people have lost considerable amounts because they’re convinced it’s real.

What’s the most outrageous thing you’ve seen?

I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That’s all it was. But it prevented the card from being returned, so people walk off thinking the machine’s swallowed it. You pull on the wire and the card pops out. It’s called a Lebanese Loop.  Simple and easy. Once you’ve got the card you’ve got the expiry date and the CVV number on the back and you can go shopping.



What’s your personal message to customers?


Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it’s still a scam. These people aren’t stupid. No one wants to give you free money. You haven’t won a foreign lottery, either. There’s no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it’s very profitable for them. Start with the idea that everything’s a scam, ask us to confirm anything you get that you don’t understand and you’ll be alright.

What other guidance is there for people?

little2bbook2bof2bbig2bscams-4102409


There’s lots about but it’s a bit scattered. Barclays did a good TV advert about phone scams. We’ve published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That’s the best thing.

All Your File…

petya-7835478

Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.

The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious upgrade to a Windows component.

Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, All your file are belong to us.

By hiding the true nature of the file with a second, benign extension, JavaScript attachment attacks become even more likely to detonate. Spew millions of such emails from a rented botnet for a few days at a time, and then simply wait for the Bitcoins to come rolling in.

It’s little wonder that ransomware gangs are setting up customer helplines for bemused punters queuing up to get their files back.

But surely your browser’s sandbox should contain any malicious JavaScript? Sadly, this is not so for JavaScript email attachments. JavaScript downloaded as part of a browsed web page is run in the browser. Email attachments are nothing to do with a web page. Double click them and they’re passed to the Windows Based Script Host, which is obviously outside the browser’s authority and control.

It is, however, very simple for you as an end user to stop JavaScript email attachments from automatically being accidentally run. Simply open notepad and create a new file. Save it as dummy.js. Notepad will complain about the extension, but continue anyway. Next, right click the .js file and select Open With…. As you can see from the image below, by default Windows will open all such files with Windows Based Script Host, which is what we need to prevent.
capture-7097448

To do so, first click More Apps and select Notepad from the list. Tick the check box for Always use this app to open .js files and click OK. Now, whenever you absent-mindedly click on a JavaScript email attachment it will safely open in Notepad and display its bad self.

You can also selectively prevent the JavaScript downloaded as part of a web page from running in your browser. This gives you more control over your browsing experience and can speed up web page loading.

For Firefox, the go-to solution here is the NoScript plugin (which is the one I’m most familiar with). By default, NoScript blocks everything on a domain-by-domain basis. It’s easy and quick to unblock trusted domains as you go, while leaving all others (including those called by the primary domain) securely blocked. This not only serves as an extra line of defence, but also prevents some adverts from being displayed without sites accusing you of using an ad blocker. It’s also very interesting, and sometimes worrying, to see just how many secondary domains some of your favourite web sites rely on to deliver content.

Ransomware: Can pay, won’t pay

don't pay the ransom

The FBI’s Joseph Bonavolonta had some shocking news about ransomware for Boston’s Cyber Security Summit last October. “To be honest,” he said, “we often advise people to just pay the ransom.”

Cyber-security blogs everywhere exploded at the advice, but a lot has changed in the past six months. A constantly-evolving array of ransomware campaigns roam free, “taxing” online life. One big problem is that there’s no way of knowing what the ransom payments are being used for.

Is the money funding a criminal’s easy life? The development of even worse malware? ISIS, perhaps? After further thinking the FBI is now telling people, “don’t pay the ransom”.

The question for most of us is, what happens if you don’t pay the ransom? To find out, we infected a specially-prepared Windows test system.

Infection time

When we test anti-malware products we find the latest threats that we believe affect most people. These are often automatic ‘drive-by’ attacks, that use exploits to install malware such as ransomware on victims’ computers without requiring user interaction. You just have to visit the site and the attack starts and runs to completion. No clicking required.

don't pay the ransom

For this demonstration we exposed our target, which was not running anti-malware software, to an infected website. After a few minutes of apparent inactivity a pop-up message explained that svchost.exe needed to be installed. We clicked to accept the change and… Bingo! An infection swiftly ensued, turning all of our important files to gibberish and leaving them sporting the dreaded .crypt file extension.

In the background the malware also scanned the local subnet for any other unprotected file shares. This being a test network, there were none, but in a real situation every file you can access on your local network can also potentially be accessed by ransomware. Your movie collections or business files stored on a Network Attached Storage (NAS) device are definitely at risk.

This knowledge is vital when assessing the extent of an attack. If your smartphone is plugged in, it could be at risk. Your carefully curated media server could also be affected, as could your cloud storage.

Reboot!

don't pay the ransom

Rebooting revealed the full horror of the machine’s plight. As soon as the Desktop appeared, so did a pop-up unexpectedly asking us to run an installation package. Running, cancelling or dismissing the installation always led to the same result: a ransom note displayed in both the web browser and Windows Photo Viewer. The note explained what had happened and threatened what will happen if we didn’t do exactly as instructed (spoiler: the price goes up!). It also contained a set of links to the data-nappers’ web site to read detailed instructions for how to pay.

Assessing the damage

Annual Report 2020

The object of the exercise was to find out what would happen if I were to simply ignore the ransom note and carry on using the machine, so it was time to take stock.

All of our files had been turned to cryptographic porridge. However, the operating system still seemed to be running smoothly. Screen dumps of the ransom note could still be saved and read, as could the other documents we created, implying that there was nothing in the background encrypting newly-created files. The kidnapping part of the ransom operation was seemingly over.

Of course, there may have been a rootkit lurking somewhere, ready to spring into life if no ransom was paid after a certain date. To test this hypothesis, we set the system clock forwards several weeks and rebooted. Nothing new happened, but without running some forensic tests we’d never be sure. All that seemed to be left was the demand for money, triggered from the Startup menu every time we logged in. Deleting the relevant Startup entries stopped the ransom note from appearing, but that still left us with no way to access any of the encrypted files, and we couldn’t truly trust the operating system any more. Ransomware doesn’t have to hang around causing more trouble for its hapless victim. It’s done its foul work and the criminals behind the campaign simply had to wait for the Bitcoins to come rolling in.

Other than paying up, our only hope would be that a researcher or anti-malware company has developed a decryption tool for our particular infestation. The development of decryption tools, however, is causing some ransomware developers to revert to locking the entire computer rather than allowing you to see the locked files for yourself.

Don’t pay the ransom

The FBI is right to change its stance on ransomware. Paying up fuels the epidemic and the easy money is attracting criminals like flies around you-know-what. There are other reasons too. Don’t pay the ransom or risk breaking the law. You don’t know who the criminals are, and where they live. You could break sanctions laws.

The number of ransomware domains, according to reports, increased by 3,500% in Q1 of 2016 alone and the situation looks like getting worse. For example, in the past few days Microsoft announced the existence of a ‘ransomworm’ called ZCryptor. Its payload is contained within emailed Microsoft Office documents. Once delivered, it also installs itself on any USB devices it finds plugged into the victim’s computer and alters the autorun information on the device. It will then try to infect any system into which the USB drive is subsequently plugged.

10 ways to stay safe

As usual with online security, prevention is far better than trying to find a cure, but such measures only make sense if you take steps before the fact:

  1. Install a good anti-virus product. Our reports show which are the most effective for businesses and home users. Our work is independent and we only test against current threats, which we catch ourselves in-house.
  2. Educate yourself to treat everything in your inbox as a lie. Even if the sender is known to you, double-check with them before opening attachments.
  3. Switch on automatic updates for all software, including Windows, your antivirus software, your browser, Java, Adobe products, etc.
  4. Regularly download a boot-able rescue disk from your chosen anti-malware provider and let it run overnight to thoroughly examine your computer. Most rescue disks will boot from USB.
  5. Never install ‘updates’ just because a website tells you to. This type of trickery is a very common infection vector for ransomware.
  6. Consider installing a browser plug-in such as the excellent NoScript for Firefox to prevent JavaScript from automatically running from unknown domains without your explicit say-so. And consider disabling Java in your browser.
  7. Don’t download cracked copies of commercial software, ebooks or media. Again, this is a very common infection vector.
  8. Never use a USB drive you find in a public place. You simply can’t trust them or their content. 
  9. Ransomware will try to infect every share to which it can write. Only mount shares as and when needed, and always protect them with passwords. If you don’t need write access, mount as read only.
  10. Above all, get into the habit of performing regular backups to removable media. For a home user, a backup is as simple as dragging and dropping a folder structure (and ejecting afterwards!) onto a freshly quick-formatted USB drive. Use two USB drives and swap between them.

Find out more

Our latest reports, for enterprise, small business and home users are now available for free. Please download them and follow us on Twitter and/or LinkedIn to receive news, comment, updates and future reports.

Sign up to our monthly business and personal security newsletters.

See all blog posts relating to test results.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press