Monday, August 19, 2013

Cross Brand Intelligence and Phishing

While there is certainly a reason to shut down any site imitating your company as fast as possible, we should always consider the Cross-Brand Intelligence implications of any site being abused to imitate an organization: what else the same host, redirector and landing infrastructure are serving, and which other brands are being hit from it. A rare open directory shared by our friend, security researcher Tom Shaw, gives a perfect example of this.

The website on the IP address 38.64.138.118 has an open directory on its root, showing the creation dates of a number of phishing campaign directories:

July 23, 2013 @ 23:47 == "v3/"
August 8, 2013 @ 11:58 == "picture.png/"
August 9, 2013 @ 01:56 == "apple.png/"
August 14, 2013 @ 17:42 == "paypal.png/"
August 15, 2013 @ 06:49 == "contar.png/"

Attempting to visit "/apple.png/" on that server results in a 302 redirect to http://venenolabs.activo.in/h5-apple

Similarly, attempting to visit "/picture.png/" on that server results in a 302 redirect to http://venenolabs.activo.in/h6-vbv/

The Apple page then redirects to pearstech.com, where an Apple phishing page is displayed. The Visa page (the h6-vbv path) redirects to rajeshwasave.com, where a Visa Argentina phishing page is displayed.

venenolabs.activo.in is on the IP address 174.36.29.21.

Both Pearstech.com and Rajeshwasave.com are on the IP address 174.37.147.184.
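The chain above (lure on one host, a shared redirector, brand-specific landing pages on a shared IP) is exactly the kind of structure a cross-brand pivot is meant to surface. The script below is an added example, not code from the original post: it walks each redirect hop by hand (never auto-following, so a loop or a runaway chain is caught), resolves every host touched, and groups the entry lures by the IPs their chains pass through. The response table and DNS answers are constructed stand-ins modelled on the chain described above (the final landing paths on pearstech.com and rajeshwasave.com are assumed), and the example.invalid loop is invented to exercise the loop guard; nothing here touches the network.

```python
"""Walk phishing redirect chains hop by hop, then pivot on shared hosting IPs.

Added example (not from the original post). FAKE_RESPONSES and FAKE_DNS are
constructed stand-ins for the servers described in the post.
"""
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

# Constructed table simulating each URL's raw HTTP response: (status, headers).
# The landing paths on the two phishing hosts are assumed.
FAKE_RESPONSES = {
    "http://38.64.138.118/apple.png/":   (302, {"Location": "http://venenolabs.activo.in/h5-apple"}),
    "http://38.64.138.118/picture.png/": (302, {"Location": "http://venenolabs.activo.in/h6-vbv/"}),
    "http://venenolabs.activo.in/h5-apple": (302, {"Location": "http://pearstech.com/"}),
    "http://venenolabs.activo.in/h6-vbv/":  (302, {"Location": "http://rajeshwasave.com/"}),
    "http://pearstech.com/":    (200, {}),
    "http://rajeshwasave.com/": (200, {}),
    # Invented two-node loop, to show the loop guard below.
    "http://example.invalid/a": (302, {"Location": "/b"}),
    "http://example.invalid/b": (302, {"Location": "/a"}),
}

# Constructed A-record table for every hostname in the chains (IPs from the post).
FAKE_DNS = {
    "38.64.138.118": "38.64.138.118",
    "venenolabs.activo.in": "174.36.29.21",
    "pearstech.com": "174.37.147.184",
    "rajeshwasave.com": "174.37.147.184",
    "example.invalid": "192.0.2.1",
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch(url):
    """Stand-in for a request that does NOT follow redirects
    (in practice: requests.get(url, allow_redirects=False) from a sandboxed host)."""
    return FAKE_RESPONSES.get(url, (404, {}))


def resolve(host, dns=FAKE_DNS):
    """Stand-in for an A lookup; returns None for unknown hosts."""
    return dns.get(host)


def follow_chain(url, fetch=fetch, max_hops=10):
    """Return (urls_visited, outcome) where outcome is one of
    'landed', 'loop', 'too_many_hops', 'error'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status in REDIRECT_CODES and "Location" in headers:
            nxt = urljoin(chain[-1], headers["Location"])  # Location may be relative
            if nxt in seen:
                return chain + [nxt], "loop"
            seen.add(nxt)
            chain.append(nxt)
        elif status == 200:
            return chain, "landed"
        else:
            return chain, "error"
    return chain, "too_many_hops"


def pivot_by_ip(entry_urls, fetch=fetch, dns=FAKE_DNS):
    """Map every IP touched along each chain to the entry lures that led there.
    An IP shared by lures for different brands is the cross-brand signal."""
    ip_to_entries = defaultdict(set)
    for entry in entry_urls:
        chain, _ = follow_chain(entry, fetch)
        for u in chain:
            ip = resolve(urlsplit(u).hostname, dns)
            if ip:
                ip_to_entries[ip].add(entry)
    return {ip: sorted(v) for ip, v in ip_to_entries.items()}


if __name__ == "__main__":
    lures = ["http://38.64.138.118/apple.png/", "http://38.64.138.118/picture.png/"]
    for entry in lures + ["http://example.invalid/a"]:
        chain, outcome = follow_chain(entry)
        print(f"{outcome:14s} " + " -> ".join(chain))
    for ip, entries in sorted(pivot_by_ip(lures).items()):
        print(f"{ip:16s} shared by {len(entries)} lure(s): {entries}")
```

The pivot output is what to hand to the takedown and intelligence teams together: the lure host is one abuse report, but 174.36.29.21 and 174.37.147.184 are where the next brand's campaign will appear, so they are the indicators worth watching and blocking.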

The "paypal.png" page no longer resolves to a PayPal phishing page, although it did. It has now been repurposed to also redirect to:

The "contar.png" page is an interesting one. After showing what appears to be an AdFly link for a pay-per-click affiliate program run by "theunifiedwealthteam.com", we are forwarded to the Facebook page of "Veneno Labs", who seem to primarily boast in Spanish about the various websites they have hacked and defaced. We have no idea whether V3NEN0 LABS, whose Facebook posts are mostly from the area of Lima, Peru, has anything to do with the phishing sites until we review some logs. Veneno uses the email address "venenolabs@yahoo.com", according to his Facebook page.

MAD666 and #d3xt3rH4ck seem to be members of the T34M. (SO elite! Did you see how they spelled Team?)

As with most defacers, it's often interesting to look at their very first actions. In this case, as soon as Veneno had a Facebook page, "Jesusedus" (Jesus Edu Soto Meza) was clicking Like on his images. A Computer Science student from Lima, Peru, attending IDAT Computacion?

(Perhaps Dexter Hack? ==> https://www.facebook.com/dexterhackperu.defaced.3 )

The Veneno Labs group has more than 500 members, and a gmail account ==> venenolabs@Gmail.com ( https://www.facebook.com/groups/419870534733048/ )

Perhaps the most interesting item is "lol.exe", which is a Zeus malware installer.

It seems that our Peruvian website defacers have moved across the line from Hacktivism to Phishing and Malware distribution!

Monday, August 12, 2013

Anonymous, #OpBankster, and the Too Many Nancy's Problem

The current Anonymous "#OpBanksters" seems to have very little in common with the original operation by the Anonymous Portugal group, whose video was first posted on YouTube back on April 14, 2013. However, the current round started with an August 8th post by @AnonLegionPT (Anonymous Legion PT) inviting people to view the original video and then log on to AnonNet and join the "#opbanksters" chat room on Friday the 9th at 10 PM to discuss it.

www.youtube.com/watch?v=9ZdMlgnvaqQ&feature=youtu.be

While we don't know what happened in the chat room, the result was that we began to see posts on PasteBin listing the email addresses and internet-facing IP addresses and hostnames of Portuguese banks.

An English translation of the Portuguese video reads:


Published on Apr 14, 2013

Greetings. We are Anonymous Portugal and this is the #banksters operation, a protest action against banks around the world, who have created a corrupt financial system based on debt-interest, speculation large sums with large multinationals and made the money a lucrative business that benefits a minority, but enslaves the rest of the population.

Banks extend credit to slashing with money created out of thin air, causing a snowball effect on the shortcomings of the banking system relative to the overall debt. With this system, banks enrich immeasurably, pay low interest on that deposit and charge high interest loans they make.

With this system of interest, speculation of the value of money and inflated product, it is easy to see where they come from debt, not only of companies and governments, but also emerge as the personal debt of each family. For years, banks eased lending by attracting people with the illusion of being able to have great purchasing power by easy access to money, and creating a debt trap from which many now cannot get out. The social stratification, poverty, hunger and unemployment are therefore a consequence of the existing financial system, fatalities that may not disappear while this persists.

Banks in Portugal receive 8 billion state budget since 1999, are recapitalized with $12 billion in 2012 and are still saying that the people are having to endure? Portuguese people must know the true and the real gangsters responsible for the crisis, beyond the state. #OpBanksters: Portuguese and international banks, your time has come!

We are Anonymous!
We are Legion!
We do not forgive!
We do not forget!
Expect us!


While the original Twitter posts this week WERE from Anonymous Portugal, and the original PasteBin posts were also about Portuguese bank Credito Agricola, the Op quickly grew beyond its original intention of punishing Portuguese banks for being poor custodians of public funds.

The first three banks posted to the Operation's PasteBin page were:
Banco dos Espiritos Santos (BES) Portugal (110 emails / 62 hosts)
CreditoAgricola Portugal (136 emails)
and BBVA Portugal/Spain

On August 10th, with the exception of the European Banking Authority (europa.eu), only Portuguese banks had their employee email addresses and hosts listed, including:

Cetelem PT
Credibom PT
Cofidis PT
Montepio PT
Banif PT
Bancobic PT
Banco BPI PT
Millennium BCP PT
Banco Popular PT/ES

On August 11th the information disclosure activity spread beyond the borders of Portugal.

Bank of America
Barclays
Lincoln State Bank
Deutsche Bank AG US
Dun & Bradstreet
FDIC
Federal Mortgage Association
Federal Reserve Banks of Atlanta, New York, Richmond, and San Francisco
Fitch Rating
Goldman Sachs
Hartford Financial
Huntington Bank
Imperial Bank of Canada
London Stock Exchange

On August 12th (so far) we have seen added:

Moody's
Nasdaq
National Australian Bank
PNC
Royal Bank of Canada
Standard & Poors
SunTrust
M&T Bank
Royal Bank of Scotland
TD (Toronto Dominion)
Union Bank
Wall Street Insurance
Wall Street Journal
Citibank
JP Morgan Chase
Zurich Financial
were all added to the list. In the case of Bank of America, as one extreme example, more than 3700 named employees, with titles and emails, were listed.

At that point, we thought there might be a major problem with email-based security about to be unleashed!

As I discussed on Hacker HotShots this week, the Verizon Data Breach Investigations Report quotes "ThreatSim.com" as saying that when a hostile email is sent to three employees of an organization, there is a 50% chance that someone will click on it, but when an email is sent to TEN employees, there is nearly a "Guarantee" that someone will click on it! I couldn't imagine how bad things could go if 3700 employees were being targeted by hand-crafted malicious emails!

That seemed to be what was already happening in Portugal, as we began to see defacements appear, such as one hosted on the website "www.cie.com.pt" (the "Centro de Intervenção Empresarial") carrying "#opBankster" branded defacement text.

The Anonymous Portugal Blog is here:

anonymouspt.blogspot.com/2013/08/op-banksters-part-ii.html

Their Facebook page is here:

https://www.facebook.com/AnonymousLegionPt

They claim to have successfully DDoSed:

www.complemento-vintage.pt
www.lusonegocio.com
www.credibom.pt
www.flexibom.pt
www.cofidis.pt
www.cetelem.pt
and have confirmed that they are behind the PasteBin handle "#opBanksters"

The Too Many Nancy's Problem

As I started looking through the list of so many leaked addresses for all of these North American banks, I realized there might be a problem. The naming convention for each of the banks was "First Name, Last Initial" @ domain.com, so if I, Gary Warner, were on the lists, my email would be given as "garyw@zurichna.com" or "garyw@frbatlanta.org" or "garyw@tdbank.ca". Obviously there would be collisions if that were the case, but I didn't see any attempt to avoid them. I also correspond regularly with many of the brands attacked, and realized that in many cases the domain listed is NOT the domain name where individuals who work for that organization receive their emails.

I decided to do a frequency distribution on the first names and look for "over-represented" names that seemed unlikely to me. I won't go into all the details here, but I looked at female first names from the 1990 US Census and compared them to the distributions here. (A 1990 census person would be at least 23, so may be well represented in the work force. Anyone older than 23 would also be listed in the 1990 census, so it seemed as good a source as any.) The census table gives, for each name, its frequency as a percentage of the population, the cumulative percentage, and its rank:

NAME         FREQ(%)  CUM(%)  RANK
MARY           2.629   2.629     1
PATRICIA       1.073   3.702     2
LINDA          1.035   4.736     3
BARBARA        0.980   5.716     4
ELIZABETH      0.937   6.653     5
JENNIFER       0.932   7.586     6
MARIA          0.828   8.414     7
SUSAN          0.794   9.209     8
MARGARET       0.768   9.976     9
DOROTHY        0.727  10.703    10
LISA           0.704  11.407    11
NANCY          0.669  12.075    12
On the first file I reviewed, I had, instead of the distribution above:
6 Mary's
1 Patricia
10 Linda's
7 Barbara's
9 Elizabeth's
14 Jennifer's
5 Maria's
7 Susan's
3 Margaret's
2 Dorothy's
6 Lisa's 
14 Nancy's
Now that may not be the most scientific of comparisons, but as a genealogist, I was confident I was dealing with TOO MANY NANCY'S!

Focusing in on the Nancys, the problem really started showing up. In each of the bank email lists I reviewed, the distribution of names was wildly out of line, and for popular names the lists included many duplicate email addresses, which further confirmed these were fakes. For example, just at Toronto Dominion, we had people with the email address "nancym@tdbank.ca" in the following positions and locations:

nancym@tdbank.ca == A Financial Planner in Richmond Hill, Ontario
nancym@tdbank.ca == A Merchant Risk Analyst II in Lewiston, Maine
nancym@tdbank.ca == A Recruitment manager in Toronto, Ontario
nancym@tdbank.ca == A Senior Compliance Officer in Hagersville, Ontario
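The two checks described above (a first-name frequency comparison against a census baseline, and a hunt for one address claimed by several different people) are easy to automate, and worth running on any "leaked employee list" before anyone spins up a phishing-awareness drill over it. The script below is an added example, not the post's own analysis. The census percentages are the ones quoted above and the observed counts are the ones from the first file reviewed; the file size of 1,000 entries is an assumption (the post does not give one, and the ratios scale with it), and every record other than the four nancym@tdbank.ca rows is constructed.

```python
"""Flag a fabricated employee list: name-frequency anomalies and address collisions.

Added example, not the original post's script. ASSUMED_TOTAL and the
non-Nancy records below are assumptions/constructed data.
"""
from collections import defaultdict

# 1990 US Census female first names, percent of population (as quoted in the post).
CENSUS_PCT = {
    "MARY": 2.629, "PATRICIA": 1.073, "LINDA": 1.035, "BARBARA": 0.980,
    "ELIZABETH": 0.937, "JENNIFER": 0.932, "MARIA": 0.828, "SUSAN": 0.794,
    "MARGARET": 0.768, "DOROTHY": 0.727, "LISA": 0.704, "NANCY": 0.669,
}

# Counts observed in the first leaked file (from the post).
OBSERVED = {
    "MARY": 6, "PATRICIA": 1, "LINDA": 10, "BARBARA": 7, "ELIZABETH": 9,
    "JENNIFER": 14, "MARIA": 5, "SUSAN": 7, "MARGARET": 3, "DOROTHY": 2,
    "LISA": 6, "NANCY": 14,
}
ASSUMED_TOTAL = 1000  # ASSUMED size of that file; the post does not state it.


def name_ratios(observed, total, baseline=CENSUS_PCT):
    """observed / expected for each baseline name, expected = total * pct / 100."""
    return {name: observed.get(name, 0) / (total * pct / 100.0)
            for name, pct in baseline.items()}


def anomalies(observed, total, baseline=CENSUS_PCT, high=2.0, low=0.5, min_expected=5.0):
    """Names whose count is >= `high` times or <= `low` times the census expectation.
    Names with fewer than `min_expected` expected hits are skipped as unjudgeable."""
    out = {}
    for name, pct in baseline.items():
        expected = total * pct / 100.0
        if expected < min_expected:
            continue
        ratio = observed.get(name, 0) / expected
        if ratio >= high:
            out[name] = ("high", round(ratio, 2))
        elif ratio <= low:
            out[name] = ("low", round(ratio, 2))
    return out


# Records in the leak's shape: (email, title, location). The four nancym rows are
# the ones quoted in the post; the garyw rows are constructed (an exact duplicate
# row, which is NOT a collision).
RECORDS = [
    ("nancym@tdbank.ca", "Financial Planner", "Richmond Hill, Ontario"),
    ("nancym@tdbank.ca", "Merchant Risk Analyst II", "Lewiston, Maine"),
    ("nancym@tdbank.ca", "Recruitment Manager", "Toronto, Ontario"),
    ("nancym@tdbank.ca", "Senior Compliance Officer", "Hagersville, Ontario"),
    ("garyw@tdbank.ca", "Fraud Analyst", "Toronto, Ontario"),
    ("GaryW@tdbank.ca", "Fraud Analyst", "Toronto, Ontario"),
]


def colliding_addresses(records):
    """Emails that map to more than one distinct (title, location).
    One mailbox cannot belong to four different people in four cities."""
    by_email = defaultdict(set)
    for email, title, location in records:
        by_email[email.lower()].add((title, location))
    return {email: sorted(people) for email, people in by_email.items() if len(people) > 1}


if __name__ == "__main__":
    for name, (direction, ratio) in sorted(anomalies(OBSERVED, ASSUMED_TOTAL).items()):
        print(f"{name:10s} {direction:4s} observed/expected = {ratio}")
    for email, people in colliding_addresses(RECORDS).items():
        print(f"{email}: {len(people)} distinct people claim this address")
        for title, location in people:
            print(f"    {title} ({location})")
```

One caveat on the baseline: the census table is female-only, so against a mixed-gender list the expected counts are overstated. That makes the "low" flags weaker evidence and the "high" flag on NANCY stronger, which is the direction the post's conclusion depends on. The address-collision check needs no baseline at all, which is why it is the more convincing of the two.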

Malcovery Security specializes in dealing with Email-based threat intelligence. We've got some great ideas for dealing with this current situation. Please reach out to us if you'd like to discuss.

Saturday, August 10, 2013

When Parked Domains Still Infect - Internet.bs and ZeroPark
