The single largest vulnerability in any computer system is between the keyboard and the seat.
This is what happened:
Patient Zero gets an email along the lines of:
Dear Customer,
Courier was unable to deliver the parcel to you.
You can review complete details of your order in the find attached.
Yours faithfully,
Greg Marks,
Sr. Support Agent.
Which naturally has an attached zip file for you to open so you can examine this package you didn’t get.
Patient Zero tries to open the zip…except they haven’t upgraded WinZip or WinRAR recently, and the name is spoofed: it isn’t a zip file at all, it’s just named that.
The trojan is now on your system, and here it gets more complicated depending on the attackers, the variant of the virus, etc. Some will provide a point of entry for crackers to investigate the system(s), others will silently monitor the traffic for a while, and the earlier variants will immediately start encrypting your system and any other network share attached to the system for which the user has write permissions. The later variants watch for backup processes to execute so that they can learn how to toast your backups too. (Which takes me on a separate rant on how using Windows/NFS shares for push backups without checking authentication is asking for trouble.)
So, PZ has toasted their system, toasted the company backups, toasted the company-wide network share, and because s/he was the accountant, the Financial share is also toast. IT just ran basic backups to a Windows share instead of something like rsync over ssh to a root-only mount, so the last three months of backups are also encrypted. Worst case scenario, the MIS system or production systems get done too.
What does the company do? You can’t ‘unencrypt’ it without the key. You get an email or a pop-up telling you to send $20k worth of bitcoins to the attackers.
How to stop this
Lesson one: NEVER OPEN EMAIL ATTACHMENTS FROM YOUR EMAIL PROGRAM.
Obviously ignore attachments from anyone you don’t personally know; for the rest, save them to disk and scan them with your anti-virus before you open them. Usually you right-click on the file and can select ‘Scan with xyz anti-virus’.
Lesson two: Turn off your darned shares. If you access ‘Calgary Office Share’ once per week, you don’t need a network share on your desktop to it. Learn how to mount it on demand. Hint: type \\machine\share in the URL bar in your file browser.
Lesson three: Companies need to start firing people over this instead of just the IT people who enabled it.
Lesson four: Start using the ‘Junk’ or ‘Spam’ tag in your email program (‘Mark as Junk’ in Thunderbird). These are fairly advanced Bayesian filters that learn over time, but you have to teach them: if you don’t mark an email as Junk or Spam, the filter won’t learn and can’t identify subsequent spam. This must be a habit.
Lesson five: Never trust the company’s or internet provider’s anti-virus on the mail server, if it even has one.

No need for zip files. Or block those attachments. Lots of options, but agreed, must educate the (L)users.
“Bayesian”
Did you just get fired?
Heh. Thanks Jan.
To answer your question, no.
Interesting post!
lance, can you explain how this one works?
A friend of mine — really, this did not happen to me! I did not fall for this one! — receives both an email and a text to his phone saying to visit this site and create an account:
http://www.paymentsolutions.bmo.com
He does so and enters all sorts of personal information. The site seems legit as it seems to already know a lot about him — full name, address, cell number, and other info. I think it is clear that he’s been identity hacked somewhere else and this site is using that info. Now he’s confirmed a lot of the info by entering more stuff at the site. When the site asks him for an immediate payment of $2400 on an account that he knows has a far smaller limit, he realises that he has been phished.
What really seems to bug him and what I am wondering about is how this site is using the bmo.com domain. Is this a case of DNS cache poisoning? Shouldn’t BMO be able to shut this phishing site down?
How is the site faking its certificate? If faking a certificate a hard thing to do?
BMO seems to be aware of the site but the site has been around for some time. My friend has contacted BMO about this but they were not particularly helpful — they said he should not have entered info on the site (duh!) but that there was not much else they could do about it. They offered him some rewards points on a loyalty card/account as a consolation prize.
Just wondering how the technical bits on this one work.
I totally agree with you when you say that the key problem is between the keyboard and the seat. I cannot believe that my friend fell for it — he’s usually pretty savvy about this sort of nonsense.
Also if the company had everyone using Linux terminals the typical computer know-nothing behind the keyboard wouldn’t have caused all that by trying to open the attachment. People need to realize that if you have a Windows-only solution you’re just asking for trouble. Windows should be kept to the bare minimum of what you need in your IT structure.
Typical phishing attack stack, script kiddie stuff.
Obviously it started with a trojan/virus; clicking a misdirecting link in an email, facebook game, mobile app, porn, pirated stuff, email attachment, Adobe Flash, whatever.
The virus then would have indexed email for cell/mobile number and other personal information (the real treasure trove). It reported this information, along with the a.b.c.d external IP, back to a central server. This info is databased for the attack and to sell later.
The virus would have edited the machine’s hosts file; yes, all machines have one. The virus may have also set up an internet proxy on the machine.
The centralized server used an online mobile texting form to text the user and sent out the email with a link. When the server got a request from a recognized IP address (i.e. in its database) it served up the false BMO pages.
Sorry to say, but other than getting the user to execute the original payload, none of this is hard.
This is neither realistic or reasonable.
Thanks for the notes.
I’m not sure that I understand how the http://www.paymentsolutions.bmo.com address works.
One can get there from any machine, so I don’t think it’s something on the machine misdirecting the browser to a fake address. Unless every machine we’ve tried this on — including display machines at BestBuy — is infected.
bmo.com is real — that’s Bank of Montreal.
But how are the phishers tacking http://www.paymentsolutions on to bmo.com?
Thanks!
Anon cowboy, unfortunately just blocking zips doesn’t really work. Most mail systems actually look at the type of file rather than the name. (see file)
Blocking zips won’t stop a MS Word file with a macro virus that’s just +named+ .zip. And good luck convincing mgmt. that you need to block all attachments.
It’s only humans that are susceptible to that kind of misdirection.
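Lesson one in the post and this comment both come down to judging an attachment by what it is rather than what it is called. As an added example (not code from the post or any commenter), here is a small Python check that does exactly that using the leading "magic" bytes; the extension tables and all sample payloads are constructed for illustration.

```python
"""Decide on an e-mail attachment by its bytes, not its name.

Added example, not code from the original post or comments. It implements the
point made in the thread: look at the file type (leading "magic" bytes) rather
than the extension, so an executable or Office macro document renamed to
parcel.zip is caught. All sample payloads below are constructed.
"""
import os
from typing import Tuple

# Leading bytes of the container and executable formats discussed (real magic values).
MAGIC = (
    ("zip", b"PK\x03\x04"),          # also .docx/.xlsx, which are zip containers
    ("exe", b"MZ"),                  # Windows PE executable
    ("ole", b"\xd0\xcf\x11\xe0"),    # legacy .doc/.xls (the macro-virus carrier)
    ("pdf", b"%PDF-"),
)
ZIP_LIKE = {"zip", "docx", "xlsx", "pptx"}              # content must be a zip container
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
SCRIPT_MARKERS = (b"eval(", b"WScript", b"ActiveXObject", b"unescape(")


def sniff_type(data: bytes) -> str:
    """Return a coarse type name from the first bytes of the payload."""
    for kind, magic in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512]
    # Obfuscated JavaScript droppers are plain text with tell-tale calls in them.
    if head.isascii() and any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'scan' or 'allow'."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()   # last extension wins
    actual = sniff_type(data)
    if claimed in EXECUTABLE_EXT or actual in ("exe", "script"):
        return "block", f"executable content ({actual}) claimed as .{claimed}"
    if claimed in ZIP_LIKE and actual != "zip":
        return "block", f"name says .{claimed} but bytes are {actual}"
    if claimed == "pdf" and actual != "pdf":
        return "block", f"name says .pdf but bytes are {actual}"
    if actual == "unknown":
        return "scan", f"unrecognised .{claimed} content; hand it to the AV scanner"
    return "allow", f"content ({actual}) matches .{claimed}"


if __name__ == "__main__":
    samples = [   # constructed payloads mirroring the cases in the thread
        ("parcel.zip", b"PK\x03\x04" + b"\x00" * 26),
        ("parcel.zip", b"MZ\x90\x00" + b"\x00" * 60),                 # renamed executable
        ("parcel.zip", b"var x = unescape('%75');eval(x);"),          # obfuscated JS dropper
        ("parcel.zip", b"\xd0\xcf\x11\xe0" + b"\x00" * 28),           # renamed Word .doc
        ("invoice.pdf.exe", b"MZ" + b"\x00" * 62),                    # double extension
        ("notes.txt", b"see you at 3pm"),
    ]
    for name, payload in samples:
        print(f"{name:16} {' '.join(classify_attachment(name, payload))}")
```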
Hi Lick.
See this. That’s why I said it had to manipulate the hosts file.
The host file is an old Unix system from before there was DNS and is still widely used today. Every machine has one.
Scenario: you have an ad-hoc network, just a few machines on a separate privately addressed network. You can’t just throw a DNS server in there to let each machine know what and where the other machines are.
Solution: edit the hosts file on each machine.
Standard host file example:
192.168.45.1 router router.domain.com
192.168.45.2 desktop desktop.domain.com
192.168.45.3 laptop laptop.domain.com
192.168.45.4 printer printer.domain.com
With it filled in like that, the machine will instantly recognize that if I type in ‘printer’ or ‘printer.domain.com’, it should send the request to 192.168.45.4.
Most machines are by default set up to use the hosts file as a priority over DNS.
So the virus on your friend’s machine edited his machine’s hosts file to say:
http://www.paymentsolutions.bmo.com
This is why Anti-virus usually locks host files from editing.
Second: If the virus just set up the proxy to go to the bad guys, then it wouldn’t matter, all of your outgoing traffic goes to them. I’ve seen way more proxy-based viruses than hosts-file-based viruses. It’s easier, but it’s more noticeable because the ‘surfing delay’ causes victims to call people like me.
Third: if the virus just changed the DNS on the machine to query the bad guys instead of your ISP’s DNS servers the same could happen.
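To turn the hosts-file theory above into something a help-desk can actually check, here is an added Python example (not the commenter's code) that parses a hosts file the way the resolver reads it and flags every entry that is not the stock localhost line. The watched-domain list and the sample file are constructed for illustration.

```python
"""Audit a hosts file for entries that could redirect a browser.

Added example, not part of the original comment. It parses hosts-file text the
way the resolver does (address, then one or more names, '#' starts a comment)
and reports every effective entry with a severity, so a tampered file stands
out against the stock one. Watched-domain list and sample file are constructed.
"""
import ipaddress
from typing import List, Tuple

# Domains whose presence in a hosts file should always be investigated (constructed list).
WATCHED_DOMAINS = ("bmo.com",)
Finding = Tuple[str, str, str, str]   # (severity, address, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names...]) for each effective line, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Classify every (address, name) pair; an untouched Windows hosts file yields nothing."""
    findings: List[Finding] = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("medium", addr, " ".join(names), "address does not parse"))
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if host in ("localhost", "localhost.localdomain") and ip.is_loopback:
                continue   # stock entry, benign
            if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
                findings.append(("high", addr, host, "watched domain pinned in hosts file"))
            elif ip.is_loopback or ip.is_unspecified:
                findings.append(("low", addr, host, "sinkholed name (ad-block style)"))
            elif ip.is_private:
                findings.append(("medium", addr, host, "LAN name pinned; check it is expected"))
            else:
                findings.append(("high", addr, host, "public name pinned to an outside address"))
    return findings


SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # sinkhole, typical of ad-block lists
192.168.45.4    printer printer.domain.com
203.0.113.7     www.paymentsolutions.bmo.com   # bank name pointed at an outside address
"""

if __name__ == "__main__":
    for severity, addr, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity:6}] {addr:16} {host:32} {reason}")
```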
IT just ran basic backups to a Windows share instead of things like rsync over ssh to a root only mount
BWA HA HA HA HA HA HA HA
How to stop this
Lesson one: get competent IT staff.
Unfortunately, that scenario is far too common and not always the fault of IT.
Several off-the-shelf, plug-and-play systems have in their licensing/support agreements items specific to how backups are done, and it’s usually the lowest common denominator.
i.e. copy to \\backup\IfThisIsCompromisedWereBroke\
Thanks again for the notes. I’ve pinged my friend with instructions to take a look at his hosts file.
I am curious to know how we are able to get to the bogus site from other machines, like the display machines at BestBuy. Looking at the source code for the page each time we hit it, it looks to me like we are getting to the phishing site from any machine we attempt to use — I don’t think we’re getting to a bogus site from my friend’s infected machine and a legit BMO site from other machines: that address always seems to go to the phishing site.
I still think there is DNS spoofing — https://en.wikipedia.org/wiki/DNS_spoofing — going on.
I’ll reiterate: get competent MIS[1] staff. The overwhelming majority of people in the MIS field are demonstrably incompetent.
Trojans that can escalate their own privilege exist, but are rare; the simple doctrine of least privilege will prevent most of them from doing any harm that can’t be mitigated within minutes.
Let’s take the typical ransomware example: a user opens a cryptolocker trojan that made it through both the firewall’s malware scanner and the mail server’s attachment scanner and spam trap. Since no competent MIS department allows users to have administrative privileges on their workstation, this limits the damage to those user-space files the user has direct write access to. The helpdesk staff isolates the infected workstation and restores the encrypted files from the last Shadow Copy snapshot (by default, no more than six hours old). The infected workstation is wiped and redeployed using the automated OS deployment system. RTO two hours, RPO six (max). Less if the workstations use SSDs.
[1] This is more accurate, as “IT” covers a lot of other things, like software development blah blah blah.
Lick, it’s trivial, like I mean +anyone+ could do it. I’m willing to bet there’s no way this is DNS spoofing.
1. Cracks like that get a lot of attention.
2. They are mostly zero-day cracks so they are out of most phishers’ leagues.
3. They command a whole lot more than $2500 a pop worth.
4. They are patched by programmers and competent admins quickly.
5. They are not ubiquitous on all of the different DNS implementations on the ‘net.
Here, let me show you how it’s done. Do this, no I meant, really do this:
Open up this page to view the source code.
Hit Ctrl-a and then Ctrl-c
Open up a new document in notepad
Type Ctrl-v
Save the new document as ‘spoofSDA.html’
Open up spoofSDA.html in your web browser. (File->Open)
Voila, you’ve got a local version of SDA and it looks exactly like SDA, because it +is+ SDA.
Now if you’ve a malicious mind-set change all the links to go to your machine instead. That’s just a find and replace, pretty simple.
You’ll have to d/load all the pics and stuff, but no big deal for $2.5k a pop, no? It’s only 1.5G or so for the complete history, comments, stories, pictures. That’s what web spiders are for. It’s how the Wayback Machine works.
Repeat that Find and replace on the whole directory. See sed and awk to automate that. Half an hour later or so congrats, you’re now redirecting locally too and have statically duplicated everything on SDA up to that moment, now change the comment submission script to something malicious.
That really cool password checker you wrote in python? You know, the one that queries the entire conservative blogosphere with username/password combos you picked up? Or, maybe now that you have the users one password, you can google the user name and maybe, just maybe s/he uses the same password on those other sites with that username?
Woot, you’ve built a phishing SDA. Now you need a virus/trojan to have the victim redirected to your site and it’s game on.
“Since no competent MIS department allows users to have administrative privileges on their workstation”
This. So this. And everyone should create a user with a password for themselves on their own desktops that doesn’t have Admin privs.
“Since no competent MIS department allows users to have administrative privileges on their workstation, this limits the damage to those user-space files the user has direct write access to.”
Except the latest ransomware doesn’t need admin privileges in order to run and infect all files and network shares. We had to switch to group policy blocking all files except for those on a whitelist.
Building that whitelist would have been fun. /sarc
It depends on exactly how kiosk-like you can afford to make your environment. If you can get away with a restrictive whitelist, at that point you may as well go straight to a WinTerm based architecture. It’s cheaper.
Oh, not at all. Just set it to c:\Program Files (x86)\ and c:\program files\. Anything properly installed can run, anything launching from anywhere else gets blocked (shades of mounting /usr read-only…).
If a trojan can escalate privilege, about the best you can do is hope your malware scanner catches it in time. Otherwise, you’re looking at containment and mitigation, not prevention.
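The Program Files allow-list described above is easy to get subtly wrong when a path is compared as a plain string. As an added example (not from the thread), here is a Python model of that check showing the normalisation a policy engine needs before comparing paths; the sample paths are constructed.

```python
"""Path-based application allow-list check, as described in the thread.

Added example, not from the original comment. It allows execution only from the
two Program Files roots and shows the normalisation such a check needs before
comparing paths: case folding, slash direction, '..' segments, and a proper
directory-boundary test rather than a string prefix. Sample paths are constructed.
"""
import ntpath
from typing import Tuple

ALLOWED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")
# Caveat: a real policy must also deny user-writable folders under these roots;
# that needs ACL inspection, which this path-only model does not do.


def normalise(path: str) -> str:
    """Collapse '.' and '..', unify separators and case the way NTFS compares names."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True only if path is root itself or lies inside it (directory boundary respected)."""
    p, r = normalise(path), normalise(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def decide(exe_path: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a launch request."""
    norm = normalise(exe_path)
    if norm.startswith("\\\\"):
        return False, "UNC path; network locations are never in the allow-list"
    for root in ALLOWED_ROOTS:
        if is_under(exe_path, root):
            return True, f"inside {root}"
    return False, f"{norm} is outside every allowed root"


if __name__ == "__main__":
    for path in (   # constructed launch requests
        r"C:\Program Files\Mozilla Firefox\firefox.exe",        # properly installed: allowed
        "c:/program files (x86)/Tool/tool.exe",                 # odd slashes and case: allowed
        r"C:\Program Files\..\Users\pz\AppData\parcel.exe",     # '..' escape: blocked
        r"C:\Program FilesEvil\x.exe",                          # prefix look-alike: blocked
        r"\\backup\share\tool.exe",                             # network share: blocked
        r"C:\Users\pz\Downloads\parcel.zip.exe",                # the mail attachment: blocked
    ):
        allowed, reason = decide(path)
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {path}  ({reason})")
```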
Turn off your darned shares.
WTF does this mean? How do I know if I have ‘shares’ turned on?
How do I ensure that they’re always turned off, whatever they are?
typing “\\machine\share in the URL bar” does nothing.
lance:
Thanks again for the notes. I do not doubt that what you describe is easy to set up. I just don’t think that is what happened in this case. Friend checked his hosts file — it’s the default Windows file. I checked mine — it’s the default as well.
You know, the thought has occurred to me that this is a legit site and my friend really does owe BMO $2400…
Being naturally paranoid, I use an old version of Eudora that requires manual opening of all attachments. For emails which show up as blank on Eudora, I forward them to my hospital email address where the system I use runs in a VM and I don’t care if I trash the VM version of outlook.
Spam is getting more sophisticated. Ran into the pseudo zip file spam a while back when a few of the doctors at the local hospital got their gmail addresses hacked and I suddenly started getting emails from them. The emails were curious in that they contained a *.zip file which, when I looked at it with a hex editor, looked nothing like a zip file and was an exe file. Other “.zip” files that came through were actually obfuscated javascript. If I had more time, I would run it in a throwaway VM to see what happens, but I just added the files to my virus collection (which I probably won’t have time to play with) and am glad that my emails require manual intervention for every attachment. I use text only emails, which seems to annoy many people who seem to think that a trivial email should have multiple images and a movie or two attached.
My antivirus software consists of Wireshark, Process Explorer and windoze debugger, which have helped me clear the very rare infection that I get, of which the last one was a nasty root kit in 2011 which would have gone unnoticed except something in my hacked windows layout made it announce itself. I know I should totally switch to Linux, but I have to deal with windoze medical software too often. The captured rootkit wouldn’t run under emulation in a VM, so yet another future project in the rare event I have some spare time to poke through the code.
Hi jean.
Unless you’re in a business environment, you +probably+ don’t need to worry about it too much.
A ‘share’ is just short for network share. It’s a file system stored on a machine somewhere that people with permissions can read and write files into for sharing with other people.
Most businesses will have many shares although they may not be thought of as shares, the one in the printer that stores faxes in PDF format or the ftp server, as examples.
It is common practice for people to create persistent connections to those shares, so that when they log in to a computer, the remote share is available to them immediately.
When you ‘mount’ a share, it’s identified by the machine it’s on and the name of the share, thus ‘\\machine\share’ is just computer short-hand for saying, “The SMB/CIFS mount on 192.168.45.2 (assuming that was ‘machine’s IP address) called ‘share’.”
It wasn’t a demonstration, it was an example.
If I wanted to mount the share called, “PDFS” on the printer at 192.168.2.8 and I knew it was a Windows share, I could access it by typing ‘\\192.168.2.8\PDFS’ in the URL bar of the file browser.
Thanks for clearing that up
…or you could just…oh I don’t know…turn ON Shadowcopy.
Keep an eye out for spelling and grammatical errors in suspected spam/phishing emails as well.
the *entire* spam, hack, phishing, 50,000 virus variations etc etc, arose because billyboy decided very early on it was advantageous to release ‘something’ to get the jump on the competition, and use the revenue to finance improvements. sadly, the improvements wound up being mostly fancy interface, tweaking capabilities ad nauseam, as well as pushing aside competition or buying them out. plus of course billyboy’s position as king of the castle, top of the heap.
security was and will ALWAYS be an issue with all versions of Microslop s/w. but, it’s the American way. capitalism thru and thru. the almighty market had its say and this was the result. this is how it unfolds sometimes, especially with a product with this kind of penetration in the marketplace. kinda like a variation on the old ‘you get the kind of gubbamint you deserve’. well, we also get the kind of software we deserve.
But but but, the subject line said “I send you this file in order to have your advice.” – what else was I supposed to do? /sarc
Hey guys, just sayin’
PC MATIC is the biggest and best game in town right now. They have a good handle on this ransomware and trojan crap. I would recommend it.
If you’re a big institution, then shame on you for not securing your critical data.
If you’re a small fry like me, you don’t have a lot of data to back up. A few gigs at most, maybe 10s of gigs if you have photos or videos.
So do this: multiple independent backups. Verify that you can read from them after you write them. Write some to write-only media like DVD-ROMs so they can’t be overwritten. Regularly store some offsite. Even a safe deposit box can do.
And, don’t trust the cloud with your critical data, at least not entirely. Keep your own backups in a place you can trust.
Finally, remember what Arthur C. Clarke said:
“Any technology sufficiently advanced is indistinguishable from magic.”
We’re rapidly moving towards a scenario where a small class of powerful technocrats will have power over everyone else, because either they understand and control the technology, or they can buy the services of the people (“wizards”) who do. So society is divided into mages (both good and evil), and thralls. How nice.
Few people think of the consequences when they develop or design technology. We’ll all pay deeply for this once the consequences arrive.
Use a Mac…