Phishing

How Phishing Websites Use Captcha to Fool Browsers and People

October 30, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

Evading detection and building trust with Captcha challenges and Smishing attacks.

EE Smishing, phishing and a captcha form — The latest SMS Phishing message I’ve received from not-my-real phone company

This week I received another SMS Phishing attack which was almost identical to the previous Smishing attack covered. There were two things that struck me as particularly interesting this time:

The attack used the s.id Indonesian link shortening service
The attack used a Captcha page to limit access to the phishing page to real people only

Thinking about the first point, it’s clear that s.id, the “World’s shortest URL shortener”, has been chosen to minimise the size of the links in the phishing text message. I would guess that they’re also not particularly quick about removing malicious links (but I could be wrong).

The second point, the use of a Captcha form after clicking on the link in the text message, is interesting to me in three ways.

Phishing site asking you to ‘please prove that you are not a robot’

1. Using Captcha to Block Malware Detection

Without a doubt, preventing the automatic detection of the phishing page on the website is the primary reason for hiding it behind a Captcha challenge.

Captcha is almost short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. This is a convoluted way of saying ‘if you can read this sign you’re a human and I’ll let you in.’ The premise is that computer image recognition is still not good enough to accurately decipher the words in the image and therefore only people can pass the test.

What that means for automated malware scanners is that they can’t see the phishing pages that innocent people are being sent links to.

Automated Phishing Site Detection

There are a lot of people trying really hard to detect and block phishing pages in as many places as possible before they cause actual people actual harm. Tools such as Microsoft ATP and Google Safe Browsing to name just two automatically fetch and scan web pages and score them against a constantly evolving set of rules in order to determine if they’re real or fake.

When a malicious website is detected it is added to the naughty-list and any time someone tries to access that site it is either blocked or they are shown a warning message like this:

Google Chrome deceptive site ahead warning message — A suspicious website warning from the Google Chrome browser

Phishing sites usually run on commodity phishing kits – pre-packaged software bundles designed specifically for stealing and saving sensitive information without getting caught. As they’re so widely and consistently used, they’re really easy to detect. When a website has replica EE branding all over it and it isn’t the real EE domain, it’s obviously a fake site.

Fake EE phishing site hidden behind a Captcha form

By hiding the phishing kit behind a Captcha page it prevents automated scanners from analysing it. This means they can’t be automatically added to the naughty-list and users could be Captcha-ing themselves into an unsafe site without realising it.

As soon as a user sees a warning message like the one ‘Deceptive Site’ one above, it’s usually game over for that particular phishing attack. Staying under the radar by evading detection means that once the user passes the Captcha challenge, there’s a high probability of a successful phish attack being completed.

2. Captcha as an Accidental Credibility Indicator

As a weird byproduct of blocking automated scanners, adding a Captcha page gives a phishing site a weird sense of credibility in the eyes of some users. Most of the time, when we see Captcha forms, it’s to protect something we care about from harmful robots. For example, Captcha is used to prevent bots from brute-forcing our passwords and gaining access to our online accounts.

When we see Captcha forms we have a habitual response to trust what they’re doing. It’s not particularly strong, but it’s there. For many, the context within which it appears will be enough to override any sense of ‘this is fine’. Some of the less cyber-aware people on the internet won’t see what we see. This is the target market for a phishing campaign like this.

3. It Isn’t Even Mobile-Ready!

This is the bit I find the most infuriating. The attack could have been so much better but it let itself down!

The phishing or smishing attack was delivered by text message directly to my smartphone. It’s a mobile-only attack vector and yet the Captcha part of phishing kit isn’t even mobile ready!

While I cropped the image to make it readable in the earlier screenshot, I left the alignment and spacing as is. In fact, on my smartphone it actually looked like this:

I’ve still cropped the bottom of the image as it was ridiculously long and with a very small font…

Look how small that is!

It baffles me how attackers can be so on-the-money about one thing such as evading automatic detection and yet be clueless about how the attack is presented to the end-user. Had this been mobile-ready with a responsive layout that matched the shape and size of the screen, this entry point would have been so much more effective.

We can see that attackers and their tactics are evolving and improving over time. Next time the Captcha form might be better integrated. Next time they might even attempt to fake ‘Multi-Factor Authentication’ me since they already had my phone number to begin with. All I know is that they’re willing to experiment and get creative about future attacks in order to increase the likelihood of a payout as much as possible.

Also, Sorry DataHubClub!

(It looks like your CMS was compromised and used for this attack. I hope you get that sorted quickly. From Googling the name and domain, I suspect it’s just a dead DNS entry that’s pointing to a cloud server that someone has spun back up and taken advantage of. You’ve probably not been hacked at all… but who knows…)

Phishing Email to Company Devastating Ransomware in 5 Hours

October 25, 2020 By Craig Hays 2 Comments

Reading Time: 6 minutes

How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

It started with a phish ransomware in 5 hours — Photo by Pixabay from Pexels

(This article aims to contextualise an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victims inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company CEO. It looked identical to many of other emails received that same day.

The company email servers scanned it and allowed it straight through to the victim’s inbox. It was sent through a legitimate and well-known email delivery service with a good reputation. There were no attachments to be scanned for malware. All it contained was a politely written request and a link to a web page.

The web page didn’t ask them to log in. It wasn’t trying to steal their password by masquerading as a trusted login page. All the victim saw was a message saying: ‘Oops! The document preview isn’t available. Click here to download’, or words to that effect. This is the sort of error message that we’ve all seen many times over the years. Most of us wouldn’t think twice about clicking that link, myself included.

Malware In Disguise

The browser downloaded a file named something like PreviewReport.DOC.exe. A warning message came up at the bottom of their browser asking if the user wanted to keep or discard the file as it could be harmful.

Regrettably, our unfortunate user downloads all sorts of documents all day every day and many of them give the exact same warning. They’ve learned that this warning message is just a regular part of online life. One more thing they must click on in order to get work done. Out of habit, they clicked on ‘keep’, then opened the file.

The executable was signed with a trusted certificate from a well-known vendor. It was malicious, and yet it was signed. The thing is, anyone can buy legitimate and trusted software signing certificates on the internet these days if you know where to look. The user’s PC had AppLocker configured to block unsigned executables but it made no difference. The trusted, signed malware executed without a problem.

Their local antivirus software had the latest virus signatures downloaded and available. As the malware was unique to this victim, the signature didn’t match anything on record. Nothing was blocked.

As far as the user was concerned, the file did nothing. Perhaps it was corrupted. Nevermind…

Sadly, it wasn’t corrupted. It sent a message out to a command and control server on the internet to say, ‘Hello, I’m here, And I’m waiting’, then opened a backdoor into the heart of the company network. It checked-in using standard, encrypted, HTTPS traffic, and notified the ransomware gang that it was active and waiting for instructions. From the outside, it looked exactly the same as the device’s owner viewing any other secure web page on the internet.

[Read more…]

Phishing with Worms – The Greatest Password Theft I’ve Ever Seen

September 29, 2020 By Craig Hays 4 Comments

Reading Time: 6 minutes

I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

Photo by **Miguel Á. Padriñán** from **Pexels**

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage that had been caused. Applications used, data downloaded, emails sent, etc.

The second report came in at 10:10 am. This wasn’t uncommon. Emails that made it through the filtering rules tended to hit a number of people at the same time. If you land enough phishing emails of reasonable quality it’s almost inevitable that one or two people will fall for them.

The third report came in at 10:14. As did the forth, the fifth, and the sixth. Now, this was unusual.

[Read more…]

Why Hackers Love User Accounts and How They Hack Them

September 4, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

User accounts are still the number one target for criminals. This is why they are so desirable and how hackers hack user accounts every day.

Why hackers love and hack user accounts — Photo by Kelly Sikkema on Unsplash

When we think of cyber attacks we often think of scenes resembling those from Hollywood movies. Cybercriminals, slouched over a keyboard, furiously typing, and hunting for vulnerabilities in a piece of software exposed to the internet.

Security vendors leverage this perception in their marketing efforts. I still find it amazing how much fear selling takes place from companies like Tenable, Rapid7, and Qualys, to name a few. Granted, they’re selling software designed to detect known vulnerabilities in other pieces of software, but they exploit the common perception that the sky is falling and that hackers are seconds away from compromising your IT systems.

In reality, most of the cybercrime committed today is done through legitimate user accounts. Real user accounts belonging to real people which have been taken over by hackers with criminal intent. Why is this the case?

Hacking People is Easy. Hacking Software is Hard

People are vulnerable by design. Human nature makes us susceptible to being hacked in any number of ways.

When we use software and computer systems we typically login using a unique username and password that identifies us, proves that we are who we say we are (authentication), and confirms that we’re permitted to do what we’re asking to do (authorization). When a hacker logs in with our user account they instantly get access to do all of the things we are allowed to do.

Software, on the other hand, can be very difficult to manipulate. Even once you’ve found a vulnerability and created an exploit to gain access to something you shouldn’t, you still need to figure out a way to make it do what you want. This is a very time consuming and expensive process. The question hackers ask themselves all the time is ‘why would I waste all of that effort hacking into a computer system when I could just log in as a legitimate user instead?’

This is why user accounts are such a big target. The right account in the wrong hands can move millions of dollars between banks in a few minutes. Trying to do the same thing with a software exploit could take months or even years and isn’t always possible.

Three Ways Hackers Steal Your User Accounts

1. Guessing Your Password

The first way for hackers to break into one or more of your user accounts is to simply guess your password.

The top 10 password s for 2019, based on publicly known password breaches, are:

123456
123456789
qwerty
password
1234567
12345678
12345
iloveyou
111111
123123

Based on these passwords it is a reasonable assumption to state that most of these have been created on mobile devices. The top 10 passwords has changed over the last decade from common words to common number patterns as the ubiquity of smartphones has steadily increased.

Do you use any of these passwords for any of your accounts? Do you have anything similar?

For anyone not using one of the most commonly used passwords, with a little research into an individual it is easy to guess other password formats that people use. Combinations of the following make up the vast majority of the passwords in use today: names of partners, children, pets, football teams, cities, countries, dates of birth, seasons, years, and colours.

I’ve cracked a lot of passwords in my career and I’ve analyzed 1.4 billion clear-text passwords to improve my understanding of how people think about password creation. With a good enough wordlist, you don’t even need to find a Facebook page to guess most people’s passwords.

2. Finding Your Password In Someone Else’s Data Breach

As mentioned in the previous point, there’s a publicly available list of 1.4 billion usernames and passwords on the internet for anyone to download. That’s just one list out of many out there. Every day, additional websites are hacked and new username and password combinations are leaked to buyers on the black market.

Just as your web browser offers to remember and fill in your passwords for you, there’s a password completin g browser extension that criminals can use to makes life easier for them when taking advantage of your stolen passwords.

3. Asking You For Your Password (And You Giving It To Them!)

Phishing is an attack where criminals send you an email or SMS text message pretending to be someone else. Typically a company, organisation, friend, or some authority figure that would convince you to do as they say. The message will contain a link to a website asking you to log in, or it could include an attachment. The attachment will then take you to a website, again asking you to log in, or it will run something harmful on your device which could allow it to steal your personal data, including passwords.

Linking to a login form is the most common. It’s surprising how many people still fall for phishing emails today, but phishing emails are often well written and designed specifically to invoke an emotional response in the reader. Emotions overpower logic and reason. People do strange things in a panic.

What Can We Do To Fight Back?

Here are a few things we can do to defend against password theft.

Use Multi-Factor Authentication

Multi-Factor Authentication, or MFA for short, is the use of something in addition to your password to prove that you are who you say you are. In order for multi-factor you need to use a combination of two or more of the following:

Something you know (your password)
Something you have (your smartphone)
Something you are (your fingerprint)

Smartphone apps or SMS text messages are the most commonly used form of the second factor. While it is possible to bypass MFA protected logins that use SMS messages, it takes a lot more effort and involves contacting your mobile phone provider and convincing them that you’ve lost your phone. Without a second authentication factor, as soon as someone has your password, they’re in and your account has been hacked.

Use Strong Passwords

The stronger your password is, the harder it is to guess. Google recommends:

“Long passwords are stronger, so make your password at least 8 characters long. These tips can help you create longer passwords that are easier to remember. Try to use:

A lyric from a song or poem
A meaningful quote from a movie or speech
A passage from a book
A series of words that are meaningful to you
An abbreviation: Make a password from the first letter of each word in a sentence”

Use Different Passwords on Every Website

As shown in the 1.4 billion usernames and password list, as soon as one website is hacked, any other accounts on other websites you use with the same username and password are vulnerable to a takeover by a hacker.

We’ve all done it in the past, including me. We pick a handful of memorable passwords and use them across a range of sites. If you ever forget which one you’ve used you can always try them all until you get in. Eventually, it works. This is what hackers do too.

Use a different password on every website. That way, if your password ever gets leaked, it won’t be usable on any other website. As a bonus, if you know which site a password was used on, you’ll know which site’s have been hacked when your passwords do become public.

Use a Password Manager

Let’s be realistic… Having a separate password for every account is unmanageable for most of us. We can’t remember that many unique password combinations. Instead, use a password manager to store unique, strong passwords for all of your accounts.

Modern web browsers have password managers built-in. Companies like 1Password, LastPass, and Dashlane all offer free or paid-for alternatives. There are many options out there and you’re free to choose whichever you prefer. But please, use one and you’ll only need to remember one, very, very strong password to keep all your accounts safe.

3 Tips To Run The Best Phishing Tests In The World

July 3, 2020 By Craig Hays Leave a Comment

Reading Time: 3 minutes

If you want to run the best phishing simulation tests possible that actually make your people more risk-aware, do these three things.

best phishing test tips — Photo by Jonathan delange on Unsplash

1. Make Phishing Tests Real

Make your phishing tests as real as possible. As the military maxim goes, ‘train as you fight, fight as you train’. While training for the D-Day landings, soldiers were instructed to make pretend gunshot sounds instead of pulling the trigger to conserve ammo (blanks still need casings) for the real event. When the real event came, soldiers would occasionally revert back to their training and shout ‘Bang, Bang!’ instead of pulling the trigger.

Don’t send those awful phishing emails that so many vendors push on you. Forget the Microsift and Goggle emails and logos. Don’t be afraid to use all of the official logos, style guides, and trademarks. Criminals don’t care about trademark infringement. When organised crime comes after your colleagues it will be branded like the real thing.

The best phishing tests use either real emails from real companies and replace the original links with phishing links or real, high-quality phishing emails sent by actual criminals and run the same scenarios that criminals are running for real.

[Read more…]