How Phishing Websites Use Captcha to Fool Browsers and People

October 30, 2020 By Craig Hays

Reading Time: 5 minutes

Evading detection and building trust with Captcha challenges and Smishing attacks.

EE Smishing, phishing and a captcha form
The latest SMS Phishing message I’ve received from not-my-real phone company

This week I received another SMS phishing attack which was almost identical to the previous smishing attack I covered. Two things struck me as particularly interesting this time:

  1. The attack used the s.id Indonesian link shortening service
  2. The attack used a Captcha page to limit access to the phishing page to real people only

Thinking about the first point, it’s clear that s.id, the “World’s shortest URL shortener”, has been chosen to minimise the size of the links in the phishing text message. I would guess that they’re also not particularly quick about removing malicious links (but I could be wrong).

The second point, the use of a Captcha form after clicking on the link in the text message, is interesting to me in three ways.

Phishing site asking you to ‘please prove that you are not a robot’

1. Using Captcha to Block Malware Detection

Without a doubt, preventing the automatic detection of the phishing page on the website is the primary reason for hiding it behind a Captcha challenge.

Captcha is (more or less) short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. This is a convoluted way of saying ‘if you can read this sign you’re a human and I’ll let you in.’ The premise is that computer image recognition is still not good enough to accurately decipher the words in the image, and therefore only people can pass the test.

What that means for automated malware scanners is that they can’t see the phishing pages that innocent people are being sent links to.

Automated Phishing Site Detection

There are a lot of people trying really hard to detect and block phishing pages in as many places as possible before they cause actual people actual harm. Tools such as Microsoft ATP and Google Safe Browsing to name just two automatically fetch and scan web pages and score them against a constantly evolving set of rules in order to determine if they’re real or fake.

When a malicious website is detected it is added to the naughty-list and any time someone tries to access that site it is either blocked or they are shown a warning message like this:

Google Chrome deceptive site ahead warning message
A suspicious website warning from the Google Chrome browser

Phishing sites usually run on commodity phishing kits – pre-packaged software bundles designed specifically for stealing and saving sensitive information without getting caught. As they’re so widely and consistently used, they’re really easy to detect. When a website has replica EE branding all over it and it isn’t the real EE domain, it’s obviously a fake site.

Fake EE phishing site hidden behind a Captcha form

Hiding the phishing kit behind a Captcha page prevents automated scanners from analysing it. This means the site can’t be automatically added to the naughty-list, and users could be Captcha-ing themselves into an unsafe site without realising it.

As soon as a user sees a warning message like the ‘Deceptive Site’ one above, it’s usually game over for that particular phishing attack. Staying under the radar by evading detection means that once the user passes the Captcha challenge, there’s a high probability of the phishing attack being completed successfully.
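As an added example (not code from the article), here is a small Python heuristic that a defender’s URL scanner could apply to the situation described above: a fetched page that is only a Captcha interstitial is reported as unscanned rather than clean, and brand keywords appearing on a host outside the brand’s own domain are flagged. The HTML samples, the phish.example host and the brand-to-domain table are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: what a scanner fetches after following the shortened link,
# modelled on the 'please prove that you are not a robot' gate (not the real kit's HTML).
CAPTCHA_GATE_HTML = """<html><body>
<h2>Please prove that you are not a robot</h2>
<form method="post" action="/verify">
  <img src="captcha.php"><input name="captcha_code"><input type="submit" value="Continue">
</form></body></html>"""

# Constructed sample: a page carrying replica EE branding and a password field.
BRANDED_HTML = """<html><head><title>EE - My Account Login</title></head>
<body><img src="ee-logo.png" alt="EE"><form><input name="password" type="password"></form>
</body></html>"""

# Markers that indicate the page is an interstitial rather than scannable content.
CAPTCHA_MARKERS = (
    r"prove (that )?you are not a robot",
    r"name=[\"']?captcha",
    r"g-recaptcha",
)

# Assumption for the example: brand keyword -> registrable domains the brand really uses.
BRAND_DOMAINS = {"ee": ("ee.co.uk",)}


def is_captcha_gate(html):
    """True when the fetched page is only a Captcha challenge (nothing behind it was seen)."""
    return any(re.search(p, html, re.IGNORECASE) for p in CAPTCHA_MARKERS)


def brand_mismatch(url, html, brands=BRAND_DOMAINS):
    """Return the brands mentioned on the page whose legitimate domains do not match the host."""
    host = (urlparse(url).hostname or "").lower()
    found = []
    for brand, legit in brands.items():
        mentioned = re.search(rf"\b{re.escape(brand)}\b", html, re.IGNORECASE)
        on_brand_host = any(host == d or host.endswith("." + d) for d in legit)
        if mentioned and not on_brand_host:
            found.append(brand)
    return found


def assess(url, html):
    """Classify a fetched page; a gated page must not be scored as 'clean'."""
    if is_captcha_gate(html):
        return {"verdict": "unscanned", "reason": "captcha interstitial hides content from the scanner"}
    mismatch = brand_mismatch(url, html)
    if mismatch:
        return {"verdict": "suspicious", "reason": f"brand {mismatch} on non-brand host {urlparse(url).hostname}"}
    return {"verdict": "clean", "reason": ""}
```

The 'unscanned' verdict is the point: a scanner that stops at the Captcha and reports nothing malicious has not cleared the site, so such URLs should be queued for sandbox or analyst review instead of being treated as safe.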

2. Captcha as an Accidental Credibility Indicator

As an odd byproduct of blocking automated scanners, adding a Captcha page gives a phishing site a certain sense of credibility in the eyes of some users. Most of the time, when we see Captcha forms, it’s to protect something we care about from harmful robots. For example, Captcha is used to prevent bots from brute-forcing our passwords and gaining access to our online accounts.

When we see Captcha forms we have a habitual response to trust what they’re doing. It’s not particularly strong, but it’s there. For many, the context within which it appears will be enough to override any sense of ‘this is fine’. Some of the less cyber-aware people on the internet won’t see what we see. This is the target market for a phishing campaign like this.

3. It Isn’t Even Mobile-Ready!

This is the bit I find the most infuriating. The attack could have been so much better but it let itself down!

The phishing or smishing attack was delivered by text message directly to my smartphone. It’s a mobile-only attack vector, and yet the Captcha part of the phishing kit isn’t even mobile ready!

While I cropped the image to make it readable in the earlier screenshot, I left the alignment and spacing as is. In fact, on my smartphone it actually looked like this:

I’ve still cropped the bottom of the image as it was ridiculously long and with a very small font…

Look how small that is!

It baffles me how attackers can be so on-the-money about one thing such as evading automatic detection and yet be clueless about how the attack is presented to the end-user. Had this been mobile-ready with a responsive layout that matched the shape and size of the screen, this entry point would have been so much more effective.

We can see that attackers and their tactics are evolving and improving over time. Next time the Captcha form might be better integrated. Next time they might even attempt to fake ‘Multi-Factor Authentication’ me since they already had my phone number to begin with. All I know is that they’re willing to experiment and get creative about future attacks in order to increase the likelihood of a payout as much as possible.

Also, Sorry DataHubClub!

(It looks like your CMS was compromised and used for this attack. I hope you get that sorted quickly. From Googling the name and domain, I suspect it’s just a dead DNS entry that’s pointing to a cloud server that someone has spun back up and taken advantage of. You’ve probably not been hacked at all… but who knows…)

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

It started with a phish ransomware in 5 hours
Photo by Pixabay from Pexels

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim’s inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloads all sorts of documents all day every day and many of them give the exact same warning. They’ve learned that this warning message is just a regular part of online life. One more thing they must click on in order to get work done. Out of habit, they clicked on ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Never mind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, and I’m waiting’, then opened a backdoor into the heart of the company network. It checked in using standard, encrypted HTTPS traffic and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.


How An Investigator Can Find Your Location From One Photograph

October 2, 2020 By Craig Hays

Reading Time: 7 minutes

Every image you post online leaks information about you. This is how anyone can find your location using Open Source Intelligence (OSINT).

How An Investigator Finds Your Location From One Photograph
Let’s find the exact location of this photograph together.

Open Source Intelligence In Action – Geolocating a Photograph

Open Source Intelligence (OSINT) is the practice of using public or ‘open source’ information available on the internet to gather intelligence and gain insights on given targets. By combining data sources available online you can find answers to a variety of questions that most people wouldn’t think is possible.

For example, the sunset photo above is one I took a couple of years ago while travelling for work. It’s not an instantly recognisable location. It’s probably not even that recognisable to the people who live nearby. But a motivated investigator can find the exact spot where I was standing when I captured it, using this one photograph and information freely available online.

For the rest of this walk-through, I’ll pretend that this is the first time I’ve seen this photograph. I’ll show you how I approach the challenge of finding where any camera stood on Earth when taking any photograph. While methods and results may vary, this is an example of what the OSINT process looks like for this type of scenario.


Phishing with Worms – The Greatest Password Theft I’ve Ever Seen

September 29, 2020 By Craig Hays

Reading Time: 6 minutes

I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

Photo by Miguel Á. Padriñán from Pexels

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage that had been caused. Applications used, data downloaded, emails sent, etc.

The second report came in at 10:10 am. This wasn’t uncommon. Emails that made it through the filtering rules tended to hit a number of people at the same time. If you land enough phishing emails of reasonable quality it’s almost inevitable that one or two people will fall for them.

The third report came in at 10:14. As did the fourth, the fifth, and the sixth. Now, this was unusual.


Five Life Lessons Learned by Learning to Cook

September 22, 2020 By Craig Hays

Reading Time: 4 minutes

Cooking is a tough teacher and a harsh critic. Either your food is delicious, or it isn’t.

Five Life Lessons Learned by Learning to Cook
Photo by Lukas from Pexels

I used to be a terrible cook. Insert your stereotypical bad home cooking anecdote here… that was me. Then my wife and I signed up for a popular cook-at-home subscription box and suddenly things started to change.

Having struggled with cookbooks for years, being handed a Lego-style assembly kit for restaurant-quality food just seemed to click with me for some reason. The barrier of entry, preparing a shopping list and not forgetting anything while at the supermarket, was gone. I had everything I needed in order to start.

Over the coming months, I gradually learned how to cook. I developed knife skills. I learned the fundamentals of combining ingredients to enhance the overall flavour. Patterns started to emerge. Not only did I learn some valuable lessons about cooking, but cooking taught me some valuable lessons about life.

So here they are.

1. Prepare Everything Before Food Meets Heat

Mise en place is a beautiful French culinary term which quite literally means “put in place”. Everything a chef needs to cook a delicious meal is prepared in advance and positioned ready to be used at just the right time. Salmon is sliced. Herbs are picked, washed, and chopped. Potatoes are peeled. Knives, frying pans, oils, and seasonings are all where they’re supposed to be.

For a meal to turn out right every time you cook it, you can’t be hunting through drawers looking for a lemon zester while your sauce burns on the hob.

For years I refused to do this. “Why should I waste extra time before I start cooking when I can do all of that while I’m waiting for…”. I was missing the point. It was very short-term thinking.

Trying to prepare ingredients while jostling pots and pans is like trying to put on a parachute after you’ve already jumped out of the plane. Yeah, it’s possible to pull it off, but why take the risk?

Cooking when you’re fully prepared, when your ‘mise en place’ is just right, is rewarding, relaxing, and even enjoyable. There will be times when you can pause and reflect, watching what you’re creating take shape. Pour yourself a glass of wine. Enjoy a fresh cup of coffee. Check Facebook… whatever makes you happy. When you’re prepared you can enjoy your experiences.

Cooking while unprepared is like commuting to the office after you’ve slept in and missed your usual train. The whirlwind performance of a TV chef is food-theatre. Fun to watch but stressful to recreate.

Now when I cook I take time to prepare. I’d rather spend 5 extra minutes before starting to ensure I get it right than save the 5 minutes and waste the next hour as my evening goes up in smoke.

2. Figure Out the Bigger Picture

Whatever it is you’re doing, it’s important to know how your current task fits into the end result. If you understand what you’re trying to achieve, when things go wrong you can adapt and improvise within the constraints of the goal and still make it work.

Following a recipe step-by-step like a robot following instructions might result in a delicious meal but you probably won’t take much away from the experience. Unless you step back and look at what is going on you risk missing the lessons that are right in front of you.

As Chuck Palahniuk said, “the trick to forgetting the big picture is to look at everything close-up.”

3. Understand The Whole Process

Something I try to do when cooking a new recipe or attempting a new task for the first time is to read through all of the instructions from start to finish a couple of times before doing anything at all. At first, it can be a daunting set of instructions that are impossible to remember, but in time, especially with cooking, you’ll start to detect common patterns between recipes.

As you gain experience you will be able to condense instructions into sequences of ‘another one of those things I’ve done before’. Separate leaves and stems, then roughly chop the herbs. Cube the root vegetables for faster cooking. Make a roux for the sauce with fat and flour, then add flavour. Cookbooks don’t usually break cooking down into common themes. Every recipe is a standalone set of instructions. The bridge between them all is in your own understanding.

Only when you detach and review the whole process in full will reusable learnings become clear.

4. Sometimes Things Burn

We all make mistakes. We apply our attention to the wrong thing at the right time. Dishes burn. We try and we fail. Things go in the bin.

That’s part of learning. The takeaway here is to reflect on why it burned. What were we doing that we shouldn’t have, and what should we have been doing instead? How can we improve next time?

5. Creativity is a Risk, But One You Should Take

Sometimes you tweak a recipe and magic happens. Other times it sucks and everything goes in the bin. Taking risks is fine, essential even, as long as you do it at the appropriate time with the right risk mitigation in place.

Add a squeeze of lemon if you feel like it might work, just don’t do it on Christmas day when the in-laws are on their way. Save your failures for when it’s OK to fail, and learn when to play it safe.

© Craig Hays, 2006–2025