Monday, August 19, 2013

Cross Brand Intelligence and Phishing

While there is certainly a reason to shut down any site imitating your company as fast as possible, we have to always consider what the implications are of understanding the Cross-Brand Intelligence aspects of any site being abused to imitate an organization. A rare open directory shared by our friend, security researcher Tom Shaw, gives a perfect example of this.

The website on the IP address 38.64.138.118 has an open directory on its root, showing the creation dates of a number of phishing campaigns:

July 23, 2013 @ 23:47 == "v3/"
August 8, 2013 @ 11:58 == "picture.png/"
August 9, 2013 @ 01:56 == "apple.png/"
August 14, 2013 @ 17:42 == "paypal.png/"
August 15, 2013 @ 06:49 == "contar.png/"

Attempting to visit the "/apple.png/" page on that server results in a 302 redirection to the address "http://venenolabs.activo.in/h5-apple"

Similarly, attempting to visit the "/picture.png/" page on that server results in a 302 redirection to the address "http://venenolabs.activo.in/h6-vbv/". The Apple page redirects on to pearstech.com, where an Apple phishing page is displayed. The Visa page redirects on to rajeshwasave.com, where a Visa Argentina phishing page is displayed. venenolabs.activo.in is on the IP address 174.36.29.21.

Both Pearstech.com and Rajeshwasave.com are on the IP address 174.37.147.184.

The "paypal.png" site no longer resolves to a Paypal server, although it did. It has now been repurposed to also redirect to:

The "contar.png" page is an interesting one. After showing what appears to be an AdFly link for a pay-per-click affiliate program run by "theunifiedwealthteam.com", we are forwarded to the Facebook page of "Veneno Labs", who seem primarily to boast, in Spanish, about the various websites they have hacked and defaced. We have no idea whether V3NEN0 LABS, whose Facebook posts are mostly from the area of Lima, Peru, has anything to do with the phishing sites until we review some logs. Veneno uses the email address "venenolabs@yahoo.com", according to his Facebook page.

MAD666 and #d3xt3rH4ck seem to be members of the T34M. (SO elite! Did you see how they spelled Team?)

As with most defacers, it's often interesting to look at their very first actions. In this case, as soon as Veneno had a Facebook page, "Jesusedus" (Jesus Edu Soto Meza) was clicking Like on his images. A Computer Science student from Lima, Peru, attending IDAT Computacion?

(Perhaps Dexter Hack? ==> https://www.facebook.com/dexterhackperu.defaced.3 )

The Veneno Labs group has more than 500 members, and a gmail account ==> venenolabs@Gmail.com ( https://www.facebook.com/groups/419870534733048/ )

Perhaps the most interesting item is "lol.exe", which is a Zeus malware installer.

It seems that our Peruvian website defacers have moved across the line from Hacktivism to Phishing and Malware distribution!

Monday, August 12, 2013

Anonymous, #OpBankster, and the Too Many Nancy's Problem

The current Anonymous "#OpBanksters" seems to have very little in common with the original operation by the Anonymous Portuguese group, which was originally posted on YouTube back on April 14, 2013. However, the current round began with an August 8th post by @AnonLegionPT (Anonymous Legion PT) inviting people to view the original video and then log on to AnonNet and join the "#opbanksters" chat room on Friday the 9th at 10 PM to discuss.

www.youtube.com/watch?v=9ZdMlgnvaqQ&feature=youtu.be

While we don't know what happened in the chat room, the result was that we began to see posts on PasteBin listing the email addresses and internet-facing IP addresses and hostnames of Portuguese banks.

An English translation of the Portuguese video reads:


Published on Apr 14, 2013

Greetings. We are Anonymous Portugal and this is the #banksters operation, a protest action against banks around the world, who have created a corrupt financial system based on debt interest, speculating large sums with large multinationals, and made money a lucrative business that benefits a minority but enslaves the rest of the population.

Banks extend credit to slashing with money created out of thin air, causing a snowball effect on the shortcomings of the banking system relative to the overall debt. With this system, banks enrich themselves immeasurably, pay low interest on deposits and charge high interest on the loans they make.

With this system of interest, speculation on the value of money and inflated products, it is easy to see where debt comes from, not only that of companies and governments, but also the personal debt of each family. For years, banks eased lending, attracting people with the illusion of being able to have great purchasing power through easy access to money, and creating a debt trap from which many now cannot get out. Social stratification, poverty, hunger and unemployment are therefore a consequence of the existing financial system, fatalities that may not disappear while this persists.

Banks in Portugal have received 8 billion from the state budget since 1999, were recapitalized with $12 billion in 2012, and are still saying that the people have to endure? Portuguese people must know the truth and the real gangsters responsible for the crisis, beyond the state. #OpBanksters: Portuguese and international banks, your time has come!

We are Anonymous!
We are Legion!
We do not forgive!
We do not forget!
Expect us!


While the original Twitter posts this week WERE from Anonymous Portugal, and the original PasteBin posts were also about Portuguese bank Credito Agricola, the Op quickly grew beyond its original intention of punishing Portuguese banks for being poor custodians of public funds.

The first three banks posted to the Operation's PasteBin page were:
Banco dos Espiritos Santos (BES) Portugal (110 emails / 62 hosts)
CreditoAgricola Portugal (136 emails)
and BBVA Portugal/Spain

On August 10th, with the exception of the European Banking Authority (europa.eu), only Portuguese banks had their employee email addresses and hosts listed, including:

Cetelem PT
Credibom PT
Cofidis PT
Montepio PT
Banif PT
Bancobic PT
Banco BPI PT
Millennium BCP PT
Banco Popular PT/ES

On August 11th the information disclosure activity spread beyond the borders of Portugal.

Bank of America
Barclays
Lincoln State Bank
Deutsche Bank AG US
Dun & Bradstreet
FDIC
Federal Mortgage Association
Federal Reserve Banks of Atlanta, New York, Richmond, and San Francisco
Fitch Rating
Goldman Sachs
Hartford Financial
Huntington Bank
Imperial Bank of Canada
London Stock Exchange

On August 12th (so far) we have seen added:

Moody's
Nasdaq
National Australian Bank
PNC
Royal Bank of Canada
Standard & Poors
SunTrust
M&T Bank
Royal Bank of Scotland
TD (Toronto Dominion)
Union Bank
Wall Street Insurance
Wall Street Journal
Citibank
JP Morgan Chase
Zurich Financial
In the case of Bank of America, as one extreme example, more than 3700 named employees, with titles and emails, were listed.

At that point, we thought there may be a major problem with email-based security about to be unleashed!

As I discussed on Hacker HotShots this week, the Verizon Data Breach Investigations Report quotes "ThreatSim.com" as saying that when a hostile email is sent to three employees of an organization, there is a 50% chance that someone will click on it, but when an email is sent to TEN employees, there is nearly a "Guarantee" that someone will click on it! I couldn't imagine how bad things could go if 3700 employees were being targeted by hand-crafted malicious emails!

That seemed to be what was already happening in Portugal, as we began to see defacements appear, such as this one hosted on the website "www.cie.com.pt", which is the "Centro de Intervenção Empresarial", showing "#opBankster" branded defacements:

The Anonymous Portugal Blog is here:

anonymouspt.blogspot.com/2013/08/op-banksters-part-ii.html

Their Facebook page is here:

https://www.facebook.com/AnonymousLegionPt

They claim to have successfully DDoSed:

www.complemento-vintage.pt
www.lusonegocio.com
www.credibom.pt
www.flexibom.pt
www.cofidis.pt
www.cetelem.pt
and have confirmed that they are behind the PasteBin handle "#opBanksters"

The Too Many Nancy's Problem

As I started looking through the list of so many leaked addresses for all of these North American banks, I realized there might be a problem. The naming convention for each of the banks was "First Name, Last Initial" @ domain.com, so if I were on the lists, Gary Warner, my email would be given as "garyw@zurichna.com" or "garyw@frbatlanta.org" or "garyw@tdbank.ca". Obviously there would be collisions if that were the case, but I didn't see any attempt to avoid them. I also correspond regularly with many of the brands attacked, and realized that in many cases the domain listed is NOT the domain name where individuals who work for that organization receive their emails.

I decided to do a frequency distribution on the first names and look for "over-represented" names that seemed unlikely to me. I won't go into all the details here, but I looked at female first names from the 1990 US Census and compared them to the distributions here. (A 1990 census person would be at least 23, so may be well represented in the work force. Anyone older than 23 would also be listed in the 1990 census, so it seemed as good a source as any.)

NAME           FREQ%  CUM%    RANK
MARY           2.629  2.629      1
PATRICIA       1.073  3.702      2
LINDA          1.035  4.736      3
BARBARA        0.980  5.716      4
ELIZABETH      0.937  6.653      5
JENNIFER       0.932  7.586      6
MARIA          0.828  8.414      7
SUSAN          0.794  9.209      8
MARGARET       0.768  9.976      9
DOROTHY        0.727 10.703     10
LISA           0.704 11.407     11
NANCY          0.669 12.075     12

On the first file I reviewed, I had, instead of the distribution above:
6 Mary's
1 Patricia
10 Linda's
7 Barbara's
9 Elizabeth's
14 Jennifer's
5 Maria's
7 Susan's
3 Margaret's
2 Dorothy's
6 Lisa's 
14 Nancy's
Now that may not be the most scientific of comparisons, but as a genealogist, I was confident I was dealing with TOO MANY NANCY'S!

Focusing in on the Nancy's, the problem really started showing up. In each of the bank email lists I reviewed, the distribution of names was wildly out of line, and for popular names the lists included many duplicate email addresses, which further confirmed that these were fakes. For example, just at Toronto Dominion, we had people with the email address "nancym@tdbank.ca" in the following positions and locations:

nancym@tdbank.ca == A Financial Planner in Richmond Hill, Ontario
nancym@tdbank.ca == A Merchant Risk Analyst II in Lewiston, Maine
nancym@tdbank.ca == A Recruitment manager in Toronto, Ontario
nancym@tdbank.ca == A Senior Compliance Officer in Hagersville, Ontario
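The two checks described above, name frequency against the 1990 Census baseline and one address reused for several people, as an added example (not code from the original post). The leak rows are constructed; the census percentages are the ones quoted above.

```python
# Added example: plausibility check for a leaked "employee list".
# Signals: first-name share far above the census baseline, and one
# email address attached to several different titles.
from collections import Counter, defaultdict

# 1990 US Census female first-name frequencies (percent), as quoted above.
CENSUS_PCT = {
    "MARY": 2.629, "PATRICIA": 1.073, "LINDA": 1.035, "BARBARA": 0.980,
    "ELIZABETH": 0.937, "JENNIFER": 0.932, "MARIA": 0.828, "SUSAN": 0.794,
    "MARGARET": 0.768, "DOROTHY": 0.727, "LISA": 0.704, "NANCY": 0.669,
}

# Constructed sample rows ("Full Name | Title | Email"); the names, titles
# and domain are invented, following the pattern described in the post.
SAMPLE_LEAK = """\
Nancy Miller | Financial Planner | nancym@example-bank.ca
Nancy Moore | Merchant Risk Analyst II | nancym@example-bank.ca
Nancy Martin | Recruitment Manager | nancym@example-bank.ca
Nancy Morgan | Senior Compliance Officer | nancym@example-bank.ca
Mary Adams | Teller | marya@example-bank.ca
Linda Brown | Branch Manager | lindab@example-bank.ca
Jennifer Clark | Analyst | jenniferc@example-bank.ca
Robert Davis | Auditor | robertd@example-bank.ca
"""


def parse_leak(text):
    """Return a list of (FIRST_NAME, title, email) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, title, email = (f.strip() for f in line.split("|"))
        rows.append((name.split()[0].upper(), title, email.lower()))
    return rows


def name_ratios(rows):
    """Observed share of each census name divided by its census share.
    Ratios far above 1 are the 'too many Nancy's' signal."""
    counts = Counter(first for first, _, _ in rows)
    total = len(rows)
    return {name: (100.0 * counts.get(name, 0) / total) / pct
            for name, pct in CENSUS_PCT.items()}


def reused_addresses(rows):
    """Addresses that appear with more than one title, i.e. several people."""
    titles = defaultdict(set)
    for _, title, email in rows:
        titles[email].add(title)
    return {email: sorted(t) for email, t in titles.items() if len(t) > 1}


def suspicious(rows, max_ratio=20.0, min_count=3):
    """True when a name is wildly over-represented (with enough occurrences
    that a tiny sample is not inflating the ratio) or an address is reused."""
    counts = Counter(first for first, _, _ in rows)
    over = any(ratio > max_ratio and counts[name] >= min_count
               for name, ratio in name_ratios(rows).items())
    return over or bool(reused_addresses(rows))
```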

Malcovery Security specializes in dealing with Email-based threat intelligence. We've got some great ideas for dealing with this current situation. Please reach out to us if you'd like to discuss.

Saturday, August 10, 2013

When Parked Domains Still Infect - Internet.bs and ZeroPark

Last night I was discussing the Kelihos botnet with some friends. There had been several previous attempts to “Kill Kelihos” and I decided to refresh myself on those. In doing so, I ran across the CrowdStrike listing of the “backup C&C domains” that were serviced by Fast Flux hosting in case the Kelihos node was unable to contact any Peer to Peer bots.

I decided to start by doing a status check on these domains. I was surprised that some of the domains were returning three IP addresses that were serving up the domain name. Here, for example, is what a "dig boomsco.com" revealed:

;; QUESTION SECTION:
;boomsco.com.                   IN      A

;; ANSWER SECTION:
boomsco.com.            120     IN      A       50.19.245.100
boomsco.com.            120     IN      A       107.20.135.159
boomsco.com.            120     IN      A       107.20.141.27

All of the domains on the CrowdStrike list still had an active IP resolution, but I assumed that after such a long time they were most likely part of someone's sinkhole. A sinkhole is a security researcher community technique of taking over a botnet's domain name so that any infected computers report to the researcher rather than to a criminal. This information can then be used to better document the botnet as well as to do clean up. I was pleased to see that SOME of the domains were sinkholed by friends. Others, however, were more interesting.
Boomsco.com (50.19.245.100 / 107.20.135.159 / 107.20.141.27)
Flowsre.com (87.255.51.229)
Kamisca.com  (66.152.109.110 / 69.16.143.110)
Larstor.com  (87.255.51.229)
Needhed.com  (50.19.245.100 / 107.20.135.159 / 107.20.141.27)
Newrect.com (62.116.143.18)
Oparle.com (66.152.109.110 / 69.16.143.110)

The grouping I focused on was the (50.19.245.100 / 107.20.135.159 / 107.20.141.27) group, because getting three IP addresses back from a name query is sometimes an indication of Fast Flux. In this case, the three IP addresses are all hosted on Amazon's cloud.

At least 1600 other domain names are also hosted on this group of three IP addresses, which seems to have gone active as a trio somewhere about July 8, 2013. All of the domain names we noticed were either clearly "registered for abuse" names, in a variety of fraud categories from counterfeit luxury goods (cheap-watch.org, blackuggsbootssale.com, luxurybags4u.com), pharma spam domains (sildenafilviagravviagrapharmacy.com, fkcialis-dosage.com, cialiswithoutprescriptioncialispillser.com), pornography domains (thaisextalk.com, favoritepornbabes.com, femdomsexxx.org), financial scams (master-visa-amex.de, bankruptcyinformationco.com, tax-preparation.us, alliancebankmy.com, capitaloneautoloan.org), typo domains (match.cm, eharmony.cm, fabook.pl, facebooki.pl, twiiter.com, youtibe.pl), tech-related scams (laptoprunningslow.com, updateservermicrosoft.net) or casino programs (casinoperfect.com).

I've included a list of Dangerous Domains related to those three Amazon IPs. The point is that ALL of those domains sound like the kinds of things people may have complained about, and had someone "park" the domain or "suspend" the domain, which should stop big things from happening, right?

Wrong.

Many of these domains were registered at the Registrar "Internet.BS" which many researchers believe is a good name for a company that willingly registers so many domains for the criminals who spread so much BullShip on the internet. If you do a WHOIS query on any of the domains above, you will see a WHOIS record like this:

Domain Name:                                 TRXT.BIZ
Domain ID:                                   D50889714-BIZ
Sponsoring Registrar:                        INTERNET.BS CORP.
Sponsoring Registrar IANA ID:                814
Registrar URL (registration services):       www.internet.bs
Domain Status:                               clientTransferProhibited
Registrant ID:                               INTEDHXH6ZUE54VB
Registrant Name:                             Suspended Domain
Registrant Organization:                     Suspended by Registrar
Registrant Address1:                         98 Hampshire Street
Registrant Address2:                         Suspended domain
Registrant City:                             Nassau
Registrant Postal Code:                      4892
Registrant Country:                          Bahamas
Registrant Country Code:                     BS
Registrant Phone Number:                     +1.23456789
Registrant Email:                            suspended.domain@topdns.com
Name Server:                                 NS2.ZEROPARK.COM
Name Server:                                 NS3.ZEROPARK.COM
Name Server:                                 NS1.ZEROPARK.COM
Created by Registrar:                        INTERNET.BS CORP.
Last Updated by Registrar:                   INTERNET.BS CORP.
Domain Registration Date:                    Sat Jul 28 18:52:09 GMT 2012
Domain Expiration Date:                      Sat Jul 27 23:59:59 GMT 2013
Domain Last Updated Date:                    Mon May 13 19:30:34 GMT 2013

ZeroPark.com, Let Me Infect You, and then Get Paid?

The big take-aways here are two things that ALL of the domains have in common:

The Registrant Email is "suspended.domain@topdns.com"

The Nameservers are "NS(1|2|3).ZeroPark.com"
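A parser for text WHOIS records of the kind quoted above, with a check for the two markers just listed, as an added example (not code from the original post). The record below is constructed; only the field names, the registrant email and the nameserver pattern follow the post.

```python
# Added example: parse a "Key: value" WHOIS record and test it for the two
# markers shared by the ZeroPark-parked "suspended" domains described above.
import re
from collections import defaultdict

# Constructed sample record (domain name invented), same layout as the post's.
SAMPLE_WHOIS = """\
Domain Name:                                 EXAMPLE-SUSPENDED.BIZ
Sponsoring Registrar:                        INTERNET.BS CORP.
Domain Status:                               clientTransferProhibited
Registrant Name:                             Suspended Domain
Registrant Organization:                     Suspended by Registrar
Registrant Email:                            suspended.domain@topdns.com
Name Server:                                 NS2.ZEROPARK.COM
Name Server:                                 NS3.ZEROPARK.COM
Name Server:                                 NS1.ZEROPARK.COM
Domain Expiration Date:                      Sat Jul 27 23:59:59 GMT 2013
"""

SUSPENDED_EMAIL = "suspended.domain@topdns.com"
ZEROPARK_NS = re.compile(r"^ns[123]\.zeropark\.com\.?$", re.IGNORECASE)


def parse_whois(text):
    """Split 'Key: value' lines into a dict of lists. Keys such as
    'Name Server' repeat, so every key maps to a list of values. Only the
    first colon separates key from value, so timestamps stay intact."""
    record = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:
            record[key].append(value)
    return dict(record)


def parked_suspended_markers(record):
    """Report which of the two markers the record carries."""
    emails = [e.lower() for e in record.get("Registrant Email", [])]
    servers = record.get("Name Server", [])
    return {
        "suspended_registrant_email": SUSPENDED_EMAIL in emails,
        "zeropark_nameservers": bool(servers)
        and all(ZEROPARK_NS.match(s) for s in servers),
    }


def is_parked_suspended(text):
    """True when both markers are present: a registrar-suspended domain that
    still resolves through the ZeroPark parking nameservers."""
    return all(parked_suspended_markers(parse_whois(text)).values())
```

Run against a batch of WHOIS outputs, this separates domains that are merely suspended from those that will still serve parking traffic.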

Now, let's get into what happens if we VISIT one of these domains! First, ask yourself what you think SHOULD happen if you visit a "Suspended Domain?" Unfortunately what often happens is that you get sent to a website that makes money for the Registrar by showing you advertisements. But would you expect that it would infect you with malware?

I've been puzzling over what to do with this information for the past couple days. Unfortunately, there are at least three "variants" of malware that get installed when you visit, and the COOLEST of those variants, I have been unable to replicate. I start by visiting the "parked" domain associated with the old Kelihos C&C, boomsco.com.

Boomsco.com redirects me to "a.zeroredirect2.com" which then forwards me to "download.wwwqwikster.com". This is consistent with the behavior I observed last night.

This warns me that I need to update my Flash Player:

Which takes me to an Install page:

Which prompts me to run a Setup.exe program:

This is our first piece of trouble. That file is detected by 6 of 45 Antivirus engines at VirusTotal as being malicious. It is called "AirInstaller" by those that detect it (Avast, Comodo, ESET-NOD32, Ikarus, Malwarebytes, VIPRE). Note that this is a DIFFERENT file than I received on August 8. I've run through this process at least a dozen times, and each received file has had a different MD5.

Running "setup.exe" SAYS it is running a Flash Installer for me:

But, the program crashes. How sad.

Why did it crash? Well, as soon as I started running the SETUP.EXE, I received a file from "trk.airinstaller.com" that my sandbox fetched using the user-agent "AirInstaller Detection RulesXML". This downloaded an XML file that is checking for the existence of various registry keys. The things it's checking for are interesting in themselves. In order, it looks for: Norton, Kaspersky, Windows Defender, Avast (3), AVG (5), NOD32 (2), PC Tools Spyware Doctor, AdAware (2), InstallIQ, McAfee (4), SiteAdvisor (3), Symantec (5), Windows Defender Enabled, Freeze Toolbar, Administrator, Not Administrator, StartNow in Path, Zugo, YontooLayers, ShopToWin, Babylon, Trend Micro Antivirus, enteo NetInstall, Lavasoft Adaware, DrWeb Antivirus, AniVir, Funmoods, Imininent64bit, Iminent32bit, IE6, 7, 8, 9, FireFox_Babylong, FireFox_Funmoods, Default Browser Chrome (or FireFox or IE), 50onRed (looking for Uninstall tags for things like RewardsArcade, TextEnhance, DropinSavings, VidSaver, IWantThis), Blekko Toolbar, Conduit Toolbar, ASK Toolbar, AVG Toolbar, Yahoo Toolbar, Wajam, YontooLayers, InfoAtoms, PCSpeedFix, Sendori, BlekkoMonti, and . . . a bunch more stuff. 373 "detect rule" tags in all.

(I've included a link to the AirInstaller Detection XML Rules here ... interesting reading ... note the large number of Lyrics sites and programs that are checked for, such as LyricsMonkey, LyricsPal, LyricsTube, AutoLyrics, AddLyrics, SingAlong, findlyrics, CoolLyrics, EZLyrics, GetLyrics, LyricsFan, LyricsOn, LyricsShout, M-Lyrics, Lyrmix, SuperLyrics, LyricsKid ... hmmm...a puzzle for another day.)

The wwwQwikster redirection has an interesting disclaimer regarding their so-called Flash Player Update:

download.wwwqwikster.com is distributing custom installers which are different from the originally available distribution. These new installers comply with the original software manufacturers’ policies and terms & conditions. These installers are install managers, which manages the installation of your chosen software. In addition to managing your download and installation, they will offer free popular software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications, and other types of applications. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows’ Add/Remove Programs.

The program this time was called "Flash Player 12.exe" and as before, VirusTotal detected this as "AirAdInstaller" with 6 of 45 detections, although this time it was a different MD5.

On August 10th, Ikarus is now naming the current "Flash Player 12.exe" "not-a-virus:AdWare.Win32.AirAdInstaller". Perhaps they would like to tell us why the malware claims to be installing Adobe Flash Player?

The FlashPlayer version is being dropped from:

download.wwwqwikster.com/?sov=229964806&hid=gookgumqqsok&ctrl1=noiframe&id=aRON-verid60

The "sov" and "hid" values change every time the file is fetched. The "id=aRON-verid60" has been consistent.

An Odd Norton install

The third option for what gets installed starts with being told you need a new FLV player instead of the Flash Player. You get forwarded to "www.greatappsdownload.com" where the file "FlvPlayerSetup.exe" is downloaded. GreatAppsDownload has an affiliate program where they reward people for forcing file downloads. Apparently our friends at ZeroPark are members.

I'm going to run through the series of screen shots that I took from that . . .

After clicking on ANY of the parked domains, there is a chance (I don't know the determining factors) that you will be redirected to GreatAppsDownload.com

Note the exact same disclaimer language that we had on wwwqwikster.com, saying that the Installers have been customized.

FlvPlayerSetup.exe downloads . . .

Claiming to be published by "Coolapptech"

The install wizard runs . . .

The install won't complete unless you load Flash Player. The link really does take you to Adobe.

At the end of the FLV Player Setup, we are offered a Free Norton Security Scan! Of course we said "Yes!"

It turns out that FLV Player is a trojaned version that also installs "Delta Search". Delta causes random phrases on your web pages to be underlined providing absolutely unrelated links if you click on them. Here we click the link for "Video Player" and get taken to an AOL CareerBuilder website.

This screen shows us that the Delta Search is actually forwarding us THROUGH "click.sureonlinefind.com" where "affiliate=63051" is getting the credit for our referral to CareerBuilder.

The Norton System Scan SEEMS to be a legitimate product. It runs from this path:

"C:\Program Files\Norton Security Scan\Engine\4.0.1.16\Nss.exe"

Ending with a visit to the Norton AntiVirus store (my exact URL, from August 10, 2013 at about 3:15 PM Central Time):

buy-static.norton.com/norton/ps/loem/AfterD/afdown_us_en_3up_navnisn360_ch1.html?numscans=1&threatlevel=high&pversionid=4.0.1&dgaff=aff_afterdld9&linkid=006_nis_hr&mid=bf32c510-d797-4cc9-91a6-9051d288cf81

If I click one of the Buy Now links, the URL, listed below, may have some information about the Affiliate that would be useful to our Norton friends:

http://buy.norton.com/partneroffer?ctry=US&lang=en&selSKU=21234107&tppc=4BE32C67-71DA-AFFC-CCE5-4195F6F2F424&ptype=cart&trf_id=nortonsecurityscan&VENDORID=AFTER_DOWNLOAD&numscans=1&threatlevel=high&pversionid=4.0.1&dgaff=aff_afterdld9&linkid=006_nis_hr&mid=bf32c510-d797-4cc9-91a6-9051d288cf81