New Phishing Research: 5 Most Dangerous Email Subjects, Top 10 Hosting Countries
Posted by Elisabeth Olsen on 11 December 2013 10:33 PM
With cloud infrastructure easily scalable and rented botnets coming on the cheap, the cost of conducting massive phishing campaigns continues to decline for cybercriminals. Even if the return rate is small or the campaign is poorly executed, phishing can result in serious money for criminals. Phishing will never simply go away—meaning ongoing headaches for security professionals.
Top 10 Countries Hosting Phishing
To shed some light on how targeted attacks and user education awareness are evolving, Websense Security Labs researchers investigated current phishing trends. We found that the percentage of phishing attempts within all email traffic dropped to 0.5 percent in 2013 (down from 1.12 percent in 2012). This may sound like good news, but certainly does not mean the coast is clear for businesses.
Today’s phishing campaigns are lower in volume but much more targeted. Cybercriminals aren’t simply throwing millions of emails over the fence. They are instead targeting their attack strategies with sophisticated techniques and integrating social engineering tactics. Scammers use social networks to conduct their recon and research their prey. Once the intelligence is harvested, they use that information to carefully construct email lures and yield maximum success.
In addition to social engineering, geographic location also plays an intricate role in phishing. By rank, here’s a list of the top 10 countries hosting phishing URLs: (Based on research conducted 1/1/13-9/30/13)
2. United States
4. United Kingdom
8. Hong Kong
Some interesting points about this list:
• China and Hong Kong made their debuts this year, having never before been included in our lists
• The UK moved up from the number six spot
• The U.S. dropped out of the number one spot, for the first time in a long, long time
• Russia moved up from the number 10 spot
• Egypt and the Bahamas have disappeared from the list, after recent appearances
Five Most Dangerous Subject Lines
As you can see, where you are in the world can influence how much your organization is at risk. However, geographic location is only one piece of the puzzle for detecting and stopping unwanted emails. How the emails are titled also plays a significant role in the success of a phishing campaign.
To further investigate, our security researchers took a closer look and determined that the top five subject lines in worldwide phishing emails are the following: (Based on research conducted 1/1/13-9/30/13)
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender
The list above portrays how cybercriminals are attempting to fool recipients into clicking a malicious link or downloading an infected file by using business-focused and legitimate-looking subject lines. Scammers will use any means necessary to increase the likelihood of an inspire-to-click campaign.
Phishing Security Tips and Infographic
To combat phishing attacks, be sure to adequately prepare yourself with a security solution that can expose advanced threats and alert your security team in real time. You can protect your organization by implementing web, data, email and sandboxing security solutions that share crucial intelligence to analyze potentially malicious content in real-time. Promoting and adhering to these tips can significantly decrease your organization’s chances of becoming a victim of a phishing campaign. Click here for a webcast on “Defending Against Today’s Targeted Phishing Attacks.” Below is also the Websense Security Labs infographic on this research:
How has your organization tackled the ominous and ever–present phish? Please feel free to drop us a line below. We would be happy to answer any question(s) you might have.
Read more »
Israeli Website for “international institute for counter-Terrorism” Waterhole Attack Serving CVE-2012-4969
Posted by Elad Sharf on 12 March 2013 12:59 PM
Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that the government-related websites ict.org.il and herzliyaconference.org have been involved in a "waterhole" attack and are injected with malicious code that serves as an exploit for Internet Explorer vulnerability CVE-2012-4969. The first website describes itself as the “International Institute for Counter-Terrorism”. Both websites seem to be connected and governed by a leading Israeli academic institution called the IDC.
The malicious code found on the websites is identical and was identified as CVE-2012-4969 - an Internet Explorer vulnerability that was verified as a zero-day at the time and was found to be exploited in the wild on September 2012. It was found by Eric Romang from Zataz.
From our initial checks, the websites still serve the malicious code on specific paths, and have been serving the malicious code from as early as the 23rd of January 2013. At the time of this writing, the malicious code on ict.org.il appears to be fully functional, but the malicious code on herzliyaconference.org doesn't seem to be functional (the main page that initiates the exploit seems to have been removed; although subsequent pages are still available, on their own they won't serve a successful exploit).
The attack seems to be very similar to the spear-phishing attacks we reported on with the "Rotary Domains" (Part 1 & 2) that served CVE-2012-4792 - that's the same zero-day that was found on cfr.org. The attack on IDC uses a Flash file to conduct a "heap spray" attack. The Flash file appears to have the misspelled string "heapspary". According to Symantec, this string may be evidence that the "Elderwoord" group is behind this attack, because there's a similarity to the cfr.org attack, which held the same string "heapspary" in a Flash file as well. We're not completely convinced by this theory; this may indeed suggest a connection to the "Elderwoord" project, but may instead suggest the use of the same toolkit by different perpetrators.
Websense Security Labs™ has contacted the IDC to report the compromise; as of this writing we had not heard back yet from the IDC.
The Israeli website for the “International Institute for Counter-Terrorism” and its mission statement is shown here:
As described, the attacks on both websites are identical. The exploit chain starting point is in an HTML file on a dedicated directory. We're not certain if this specific path was sent in spear-phishing emails, or if the main page of each of the websites referred to this path. If you have any more details on this, please do let us know.
Here are the exploit chains for ict.org.il and herzliyaconference.org:
hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)
hxxp://www.ict.org.il/js/logo4969.swf -> Flash heap-spray + exploit.html loader
hxxp://www.ict.org.il/js/exploit.html -> Dropped file cache + Exploit Loader
hxxp://www.ict.org.il/js/Protect.html -> Exploit CVE-2012-4969
hxxp://www.herzliyaconference. org/_modules/80.html -> Flash file loader (AceInsight report)
hxxp://herzliyaconference .org/_modules/logo4969.swf -> Flash heap-spray + exploit.html loader
hxxp://herzliyaconference. org/_modules/exploit.html -> Dropped file cache + Exploit Loader
hxxp://herzliyaconference. org/_modules/Protect.html -> Exploit CVE-2012-4969
Let's have a look at the specific exploit chain on ict.org.il. The file 1.html is used just as a loader for the malicious file logo4969.swf. Besides the loading of the malicious file, there are no malicious indicators on the page, but just the HTML Flash container/loader:
Protect.html holds the exploit code to CVE-2012-4969. The exploit code is obfuscated with a simple obfuscation technique:
After the exploit is triggered by Protect.html, the code will jump to the sprayed shellcode on the heap. In return, the shellcode will scan the memory for the marker mentioned earlier: "KKONG". After the marker is found, the shellcode strips the stream following the marker and gets it de-XORed with the value 0XBF to form a valid executable file. That file is then written to the Windows local machine's temporary folder and executed to infect the machine with a persistent backdoor.
The executed file dw20.exe (MD5:d2354e9ce69985c1f55dbad2837099b8) acts as a dropper and has the same name as the file dropped with Rotary domains attack. The threat stays persistent on the system by dropping another file to the Windows directory called startup.dll (MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a) that registers as an auto-started service called WindowsUpdata. Check out this complete report from ThreatScope™. The backdoor service is actually installed under a registry key called "RAT", which is not very discreet, to say the least, and the backdoor connects to a C2 that is recognized by our service as suspicious hxxp://interfacet.oicp.net:88. It appears that oicp.net is a web host that is located in China. Custom hosts on the site have been found to be involved in targeted attacks in the past (1 2); however, the specific host actually points to an IP address of 126.96.36.199 located in Fremont, California, United States. Looking closer at this IP address, we could see that it hosts a lot of mayhem, as well as many other hosts that are associated that use host names on *.oicp.net that we have already classified in a security category:
One of the most interesting parts is that the IP address to which the C2 points is hosted on an IP address range that belong to Hurricane Electric, a US-based internet service provider that got some headlines lately for being the first Internet Backbone to Connect to 2,000 IPv6 Networks. An Interesting article from 'The Droid Tech Guy' illustrates how, although web traffic in China is very restrictive and censored, its architecture is actually one of the most advanced. According to the article, one of its advances is that it employs a security feature known as Source Address Validation Architecture (SAVA). To quote from the article: "This feature puts security checkpoints throughout the system and then builds up a database very systematically. This database will contain trusted computers and their IP addresses. This system will then authenticate who is sending what. This way, the possibility of sending malicious data becomes a lot more difficult, nearly impossible, like many say."
This is a good point that makes us ponder - could it be that threats that originate from China are actually safer, from the attacker's perspective, if hosted outside of China? That may well be the case.
In summary, we had a look at high profile government related website that got compromised in a 'waterhole' attack and employed some interesting technique. It looks as if targeted attacks have now been surfacing regularly and more frequently, with more attacks that are now exposed almost on a weekly basis. Those kinds of rapid discoveries may cause the players behind state-sponsored attacks or other miscreant groups to increase their level of sophistication. However, we believe that the sophistication of such attacks directly depends on the protection level employed by the target. If defense levels are mediocre or "just enough," then attackers will probably do just that much to get past them. The tough questions one should ask one's self in today's threat landscape is "what am I doing to not be the next victim?" and, even more importantly, "what am I going to do when I do become one?". We believe that post-infection mitigation plans should be given the same emphasis as prevention and putting adequate protection in place.
Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). ACE protected against this threat in real-time and against the different stages of the attack progression, also known as the "kill chain". You can find in the next link more information about the 7 stages of advanced threats. Here is a recap how ACE protected against the different stages:
Lure stage: protection confirmed, the lure is the first stage of the attack and in this case it was those URLs that loaded a malicious flash file:
hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)
hxxp://www.herzliyaconference.org/_modules/80.html -> Flash file loader (AceInsight report)
Dropper stage: not applicable, the dropper is the stage where a file passes through the gateway and inspected in real-time, however, this is not applicable for this attack as the file was hidden and obfuscated in memory and reconstructed on the client side - this is a typical sandbox evasion technique.
Calling home stage: protection confirmed, the calling home stage is the destination that the malware connects to after getting successfully installed on the victim's machine. In this attack the malware initiated connection to a destination that is already known to us hxxp://interfacet.oicp.net:88 (AceInsight report).
For participation in data analysis, special thanks to: Gianluca Giuliani
Read more »