Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Intel CPUs Undermined By Fresh Speculative Execution Flaws

Threatpost - 14 Srpen, 2018 - 21:24
'Foreshadow" and other vulnerabilities in Intel processors can be exploited to steal sensitive information stored inside personal computers or personal clouds.
Kategorie: Hacking & Security

Intel’s SGX blown wide open by, you guessed it, a speculative execution attack

Ars Technica - 14 Srpen, 2018 - 21:18

Foreshadow explained in a video.

Another day, another speculative execution-based attack. Data protected by Intel's SGX—data that's meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks enabled by speculative execution.

Since publication of the Spectre and Meltdown attacks in January this year, security researchers have been taking a close look at speculative execution and the implications it has for security. All high-speed processors today perform speculative execution: they assume certain things (a register will contain a particular value, a branch will go a particular way) and perform calculations on the basis of those assumptions. It's an important design feature of these chips that's essential to their performance, and it has been for 20 years.

But Meltdown and Spectre showed that speculative execution has security implications. Meltdown (on most Intel and some ARM processors) allows user applications to read the contents of kernel memory. Spectre (on most Intel, AMD, and ARM chips) can be used to attack software sandboxes used for JavaScript in browsers and, under the right conditions, can allow kernel memory or hypervisor memory to be read. In the months since they were first publicized, we've seen new variants: speculative store bypass, speculative buffer overflows, and even a remotely exploitable version of Spectre.

Read 22 remaining paragraphs | Comments

Kategorie: Hacking & Security

Microsoft Releases Patches for 60 Flaws—Two Under Active Attack

The Hacker News - 14 Srpen, 2018 - 20:36
Get your update caps on. Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for August 2018, patching a total of 60 vulnerabilities, of which 19 are rated as critical. The updates patch flaws in Microsoft Windows, Edge Browser, Internet Explorer, Office, ChakraCore, .NET Framework, Exchange Server, Microsoft SQL Server and Visual Studio. Two of these
Kategorie: Hacking & Security

Microsoft Flaw Allows Full Multi-Factor Authentication Bypass

Threatpost - 14 Srpen, 2018 - 19:09
This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building.
Kategorie: Hacking & Security

Google Services Track User Movements In Privacy Faux Pas

Threatpost - 14 Srpen, 2018 - 19:04
A recent report found that Google services - with functions like checking maps, the weather, and search - are tracking users even when they deny permission.
Kategorie: Hacking & Security

Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege

Project Zero - 14 Srpen, 2018 - 19:00
Posted by James Forshaw, Project Zero
And we’re back again for another blog in my series on Windows Exploitation tricks. This time I’ll detail how I was able to exploit Issue 1550 which results in an arbitrary object directory being created by using a useful behavior of the CSRSS privileged process. Once again by detailing how I’d exploit a particular vulnerability I hope that readers get a better understanding of the complexity of the Windows operating system as well as giving Microsoft information on non-memory corruption exploitation techniques so that they can mitigate them in some way.Quick Overview of the VulnerabilityObject Manager directories are unrelated to normal file directories. The directories are created and manipulated using a separate set of system calls such as NtCreateDirectoryObject rather than NtCreateFile. Even though they’re not file directories they’re vulnerable to many of the same classes of issues as you’d find on a file system including privileged creation and symbolic link planting attacks.
Issue 1550 is a vulnerability that allows the creation of a directory inside a user-controllable location while running as SYSTEM. The root of the bug is in the creation of Desktop Bridge applications. The AppInfo service, which is responsible for creating the new application, calls the undocumented API CreateAppContainerToken to do some internal housekeeping. Unfortunately this API creates object directories under the user’s AppContainerNamedObjects object directory to support redirecting BaseNamedObjects and RPC endpoints by the OS.
As the API is called without impersonating the user (it’s normally called in CreateProcess where it typically isn’t as big an issue) the object directories are created with the identity of the service, which is SYSTEM. As the user can write arbitrary objects to their AppContainerNamedObjects directory they could drop an object manager symbolic link and redirect the directory creation to almost anywhere in the object manager namespace. As a bonus the directory is created with an explicit security descriptor which allows the user full access, this will become very important for exploitation.
One difficulty in exploiting this vulnerability is that if the object directory isn’t created under AppContainerNamedObjects because we’ve redirected its location then the underlying NtCreateLowBoxToken system call which performs the token creation and captures a handle to the directory as part of its operation will fail. The directory will be created but almost immediately deleted again. This behavior is actually due to an earlier issue I reported which changes the system call’s behavior. This is still exploitable by opening a handle to the created directory before it’s deleted, and in practice it seems winning this race is reliable as long as your system has multiple processors (which is basically any modern system). With an open handle the directory is kept alive as long as needed for exploitation.
This is the point where the original PoC I sent to MSRC stopped, all the PoC did was create an arbitrary object directory. You can find this PoC attached to the initial bug report in the issue tracker. Now let’s get into how we might exploit this vulnerability to go from a normal user account to a privileged SYSTEM account.ExploitationThe main problem for exploitation is finding a location in which we can create an object directory which can then be leveraged to elevate our privileges. This turns out to be harder than you might think. While almost all Windows applications use object directories under the hood, such as BaseNamedObjects, the applications typically interact with existing directories which the vulnerability can’t be used to modify.
An object directory that would be interesting to abuse is KnownDlls (which I mentioned briefly in the previous blog in this series). This object directory contains a list of named image section objects, of the form NAME.DLL. When an application calls LoadLibrary on a DLL inside the SYSTEM32 directory the loader first checks if an existing image section is present inside the KnownDlls object directory, if the section exists then that will be loaded instead of creating a new section object.

KnownDlls is restricted to only being writable by administrators (not strictly true as we’ll see) because if you could drop an arbitrary section object inside this directory you could force a system service to load the named DLL, for example using the Diagnostics Hub service I described in my last blog post, and it would map the section, not the file on disk. However the vulnerability can’t be used to modify the KnownDlls object directory other than adding a new child directory which doesn’t help in exploitation. Maybe we can target KnownDlls indirectly by abusing other functionality which our vulnerability can be used with?
Whenever I do research into particular areas of a product I will always note down interesting or unexpected behavior. One example of interesting behavior I discovered when I was researching Windows symbolic links. The Win32 APIs support a function called DefineDosDevice, the purpose of this API is to allow a user to define a new DOS drive letter. The API takes three parameters, a set of flags, the drive prefix (e.g. X:) to create and the target device to map that drive to. The API’s primary use is in things like the CMD SUBST command.
On modern versions of Windows this API creates an object manager symbolic link inside the user’s own DOS device object directory, a location which can be written to by a normal low privileged user account. However if you look at the implementation of DefineDosDevice you’ll find that it’s not implemented in the caller’s process. Instead the implementation calls an RPC method inside the current session’s CSRSS service, specifically the method BaseSrvDefineDosDevice inside BASESRV.DLL. The main reason for calling into a privileged service is it allows a user to create a permanent symbolic link which doesn’t get deleted when all handles to the symbolic link object are closed. Normally to create a permanent named kernel object you need the SeCreatePermanentPrivilege privilege, however a normal user does not have that privilege. On the other hand CSRSS does, so by calling into that service we can create the permanent symbolic link.
The ability to create a permanent symbolic link is certainly interesting, but if we were limited to only creating drive letters in the user’s DOS devices directory it wouldn’t be especially useful. I also noticed that the implementation never verified that the lpDeviceName parameter is a drive letter. For example you could specify a name of “GLOBALROOT\RPC Control\ABC” and it would actually create a symbolic link outside of the user’s DosDevices directory, specifically in this case the path “\RPC Control\ABC”. This is because the implementation prepends the DosDevice prefix “\??” to the device name and passes it to NtCreateSymbolicLink. The kernel would follow the full path, finding GLOBALROOT which is a special symbolic link to return to the root and then follow the path to creating the arbitrary object. It was unclear if this was intentional behavior so I looked in more depth at the implementation in CSRSS, which is shown in abbreviated form below.
NTSTATUS BaseSrvDefineDosDevice(DWORD dwFlags,
                               LPCWSTR lpDeviceName,
                               LPCWSTR lpTargetPath) {
   WCHAR device_name[];
   snwprintf_s(device_name, L"\\??\\%s", lpDeviceName);
   UNICODE_STRING device_name_ustr;
   OBJECT_ATTRIBUTES objattr;
   RtlInitUnicodeString(&device_name_ustr, device_name);
   InitializeObjectAttributes(&objattr, &device_name_ustr,                               OBJ_CASE_INSENSITIVE);

   BOOLEAN enable_impersonation = TRUE;
   CsrImpersonateClient();
   HANDLE handle;
   NTSTATUS status = NtOpenSymbolicLinkObject(&handle, DELETE, &objattr);①
   CsrRevertToSelf();

   if (NT_SUCCESS(status)) {
       BOOLEAN is_global = FALSE;

       // Check if we opened a global symbolic link.
       IsGlobalSymbolicLink(handle, &is_global); ②
       if (is_global) {
           enable_impersonation = FALSE; ③
           snwprintf_s(device_name, L"\\GLOBAL??\\%s", lpDeviceName);
           RtlInitUnicodeString(&device_name_ustr, device_name);
       }

       // Delete the existing symbolic link.
       NtMakeTemporaryObject(handle);
       NtClose(handle);
   }

   if (enable_impersonation) { ④
       CsrRevertToSelf();
   }

   // Create the symbolic link.
   UNICODE_STRING target_name_ustr;
   RtlInitUnicodeString(&target_name_ustr, lpTargetPath);

   status = NtCreateSymbolicLinkObject(&handle, MAXIMUM_ALLOWED,                                objattr, target_name_ustr); ⑤

   if (enable_impersonation) { ⑥
       CsrRevertToSelf();
   }
   if (NT_SUCCESS(status)) {
       status = NtMakePermanentObject(handle); ⑦
       NtClose(handle);
   }
   return status;
}
We can see the first thing the code does is build the device name path then try and open the symbolic link object for DELETE access ①. This is because the API supports redefining an existing symbolic link, so it must first try to delete the old link. If we follow the default path where the link doesn’t exist we’ll see the code impersonates the caller (the low privileged user in this case) ④ then creates the symbolic link object ⑤, reverts the impersonation ⑥ and makes the object permanent ⑦ before returning the status of the operation. Nothing too surprising, we can understand why we can create arbitrary symbolic links because all the code does is prefix the passed device name with “\??”. As the code impersonates the caller when doing any significant operation we can only create the link in a location that the user could already write to.
What’s more interesting is the middle conditional, where the target symbolic link is opened for DELETE access, which is needed to call NtMakeTemporaryObject. The opened handle is passed to another function ②, IsGlobalSymbolicLink, and based on the result of that function a flag disabling impersonation is set and the device name is recreated again with the global DOS device location \GLOBAL?? as the prefix ③. What is IsGlobalSymbolicLink doing? Again we can just RE the function and check.
void IsGlobalSymbolicLink(HANDLE handle, BOOLEAN* is_global) {
   BYTE buffer[0x1000];
   NtQueryObject(handle, ObjectNameInformation, buffer, sizeof(buffer));
   UNICODE_STRING prefix;
   RtlInitUnicodeString(&prefix, L"\\GLOBAL??\\");
   // Check if object name starts with \GLOBAL??
   *is_global = RtlPrefixUnicodeString(&prefix, (PUNICODE_STRING)buffer);
}
The code checks if the opened object’s name starts with \GLOBAL??\. If so it sets the is_global flag to TRUE. This results in the flag enabling impersonation being cleared and the device name being rewritten. What this means is that if the caller has DELETE access to a symbolic link inside the global DOS device directory then the symbolic link will be recreated without any impersonation, which means it will be created as the SYSTEM user. This in itself doesn’t sound especially interesting as by default only an administrator could open one of the global symbolic links for DELETE access. However, what if we could create a child directory underneath the global DOS device directory which could be written to by a low privileged user? Any symbolic link in that directory could be opened for DELETE access as the low privileged user could specify any access they liked, the code would flag the link as being global, when in fact that’s not really the case, disable impersonation and recreate it as SYSTEM. And guess what, we have a vulnerability which would allow us to create an arbitrary object directory under the global DOS device directory.
Again this might not be very exploitable if it wasn’t for the rewriting of the path. We can abuse the fact that the path “\??\ABC” isn’t the same as “\GLOBAL??\ABC” to construct a mechanism to create an arbitrary symbolic link anywhere in the object manager namespace as SYSTEM. How does this help us? If you write a symbolic link to KnownDlls then it will be followed by the kernel when opening a section requested by DLL loader. Therefore even though we can’t directly create a new section object inside KnownDlls, we can create a symbolic link which points outside that directory to a place that the low-privileged user can create the section object. We can now abuse the hijack to load an arbitrary DLL into memory inside a privileged process and privilege elevation is achieved.
Pulling this all together we can exploit our vulnerability using the following steps:
  1. Use the vulnerability to create the directory “\GLOBAL??\KnownDlls”
  2. Create a symbolic link inside the new directory with the name of the DLL to hijack, such as TAPI32.DLL. The target of this link doesn’t matter.
  3. Inside the user’s DOS device directory create a new symbolic link called “GLOBALROOT” pointing to “\GLOBAL??”. This will override the real GLOBALROOT symbolic link object when a caller accesses it via the user’s DOS device directory.
  4. Call DefineDosDevice specifying a device name of “GLOBALROOT\KnownDlls\TAPI32.DLL” and a target path of a location that the user can create section objects inside. This will result in the following operations:
    1. CSRSS opens the symbolic link “\??\GLOBALROOT\KnownDlls\TAPI32.DLL” which results in opening “\GLOBAL??\KnownDlls\TAPI32.DLL”. As this is controlled by the user the open succeeds, and the link is considered global which disables impersonation.
    2. CSRSS rewrites the path to “\GLOBAL??\GLOBALROOT\KnownDlls\TAPI32.DLL” then calls NtCreateSymbolicLinkObject without impersonation. This results in following the real GLOBALROOT link, which results in creating the symbolic link “\KnownDlls\TAPI32.DLL” with an arbitrary target path.
  5. Create the image section object at the target location for an arbitrary DLL, then force it to be loaded into a privileged service such as the Diagnostics Hub by getting the service to call LoadLibrary with a path to TAPI32.DLL.
  6. Privilege escalation is achieved.

Abusing the DefineDosDevice API actually has a second use, it’s an Administrator to Protected Process Light (PPL) bypass. PPL processes still use KnownDlls, so if you can add a new entry you can inject code into the protected process. To prevent that attack vector Windows marks the KnownDlls directory with a Process Trust Label which blocks all but the highest level level PPL process from writing to it, as shown below.

How does our exploit work then? CSRSS actually runs as the highest level PPL so is allowed to write to the KnownDlls directory. Once the impersonation is dropped the identity of the process is used which will allow full access.
If you want to test this exploit I’ve attached the new PoC to the issue tracker here.Wrapping UpYou might wonder at this point if I reported the behavior of DefineDosDevice to MSRC? I didn’t, mainly because it’s not in itself a vulnerability. Even in the case of Administrator to PPL, MSRC do not consider that a serviceable security boundary (example). Of course the Windows developers might choose to try and change this behavior in the future, assuming it doesn’t cause a major regression in compatibility. This function has been around since the early days of Windows and the current behavior since at least Windows XP so there’s probably something which relies on it. By describing this exploit in detail, I want to give MS as much information as necessary to address the exploitation technique in the future.
I did report the vulnerability to MSRC and it was fixed in the June 2018 patches. How did Microsoft fix the vulnerability? The developers added a new API, CreateAppContainerTokenForUser which impersonates the token during creation of the new AppContainer token. By impersonating during token creation the code ensures that all objects are created only with the privileges of the user. As it’s a new API existing code would have to be changed to use it, therefore there’s a chance you could still find code which uses the old CreateAppContainerToken in a vulnerable pattern.
Exploiting vulnerabilities on any platform sometimes requires pretty in-depth knowledge about how different components interact. In this case while the initial vulnerability was clearly a security issue, it’s not clear how you could proceed to full exploitation. It’s always worth keeping a log of interesting behavior which you encounter during reverse engineering as even if something is not a security bug itself, it might be useful to exploit another vulnerability.
Kategorie: Hacking & Security

Researchers Break IPsec VPN Connections with 20-Year-Old Protocol Flaw

Threatpost - 14 Srpen, 2018 - 18:07
The attack targets IKE’s handshake implementation used for IPsec-based VPN connections, opening the door for MiTM attacks or for bad actors to access data carried in VPN sessions.
Kategorie: Hacking & Security

Adobe releases important security patches for its 4 popular software

The Hacker News - 14 Srpen, 2018 - 17:20
Adobe has released August 2018 security patch updates for a total of 11 vulnerabilities in its products, two of which are rated as critical that affect Adobe Acrobat and Reader software. The vulnerabilities addressed in this month updates affect Adobe Flash Player, Creative Cloud Desktop Application, Adobe Experience Manager, Adobe Acrobat and Reader applications. None of the security
Kategorie: Hacking & Security

Breaking Into the Boys Club: Career Advice for Aspiring Female Cybersecurity Pros

InfoSec Institute Resources - 14 Srpen, 2018 - 16:22

When it comes to recruiting new talent, the cybersecurity industry is facing a big challenge. The supply of qualified candidates is far short of demand: data shows there are 300,000+ open cybersecurity positions in the U.S. right now — a number ISACA predicts will grow to 2 million openings by as early as next year. […]

The post Breaking Into the Boys Club: Career Advice for Aspiring Female Cybersecurity Pros appeared first on InfoSec Resources.

Breaking Into the Boys Club: Career Advice for Aspiring Female Cybersecurity Pros was first posted on August 14, 2018 at 9:22 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Kategorie: Hacking & Security

Adobe Patch Tuesday: Fixes for Critical Acrobat and Reader Flaws

Threatpost - 14 Srpen, 2018 - 16:21
Adobe's August Patch Tuesday release impacts Flash Player, and Acrobat DC and Reader.
Kategorie: Hacking & Security

Apple Mac “zero day” hack lets you sneakily click [OK]

Sophos Naked Security - 14 Srpen, 2018 - 16:20
A security researcher revisited an old bug of his that Apple had patched, made a blunder - and found the old bug was still there after all.

CompTIA IT Certification Training 2018 — 12 Course Bundle

The Hacker News - 14 Srpen, 2018 - 14:55
The Information Technology industry has witnessed exponential growth over the years, and if you want to be a part of this growing industry, it's important for you to earn certificates in this field. Organisations always prefer employees with strong internationally-recognized professional certifications that proof your skills, knowledge, and what you know—giving you more credibility and
Kategorie: Hacking & Security

Black Hat Exclusive Video: The IoT Security Threat Looms for Enterprises

Threatpost - 14 Srpen, 2018 - 14:30
Armis' CTO discusses the top IoT security issues in the marketplace today - and whether device manufacturers will start to prioritize security.
Kategorie: Hacking & Security

ThreatList: Almost All Security Pros Believe Election Systems Are at Risk

Threatpost - 14 Srpen, 2018 - 14:00
Respondents in a survey from Venafi said they believe voting machines, encrypted communications from polling stations and databases that store voter registration data are all vulnerable.
Kategorie: Hacking & Security

Pacemaker controllers still vulnerable 18 months after flaws reported

Sophos Naked Security - 14 Srpen, 2018 - 13:32
A popular brand of heart pacemaker is still vulnerable to compromise more than a year and a half after the company that makes them was told of weaknesses in its security, researchers have claimed.

Podcast: Black Hat and DEF CON 2018 Wrap

Threatpost - 14 Srpen, 2018 - 13:00
The Threatpost team debriefs on the top news and topics from last week's Black Hat and DEF CON conferences.
Kategorie: Hacking & Security

Police body cameras open to attack

Sophos Naked Security - 14 Srpen, 2018 - 12:42
A security researcher has revealed that police body cameras could put evidence - and even police officers themselves - at risk.

Hackers can compromise your network just by sending a Fax

The Hacker News - 14 Srpen, 2018 - 12:35
What maximum a remote attacker can do just by having your Fax machine number? Believe it or not, but your fax number is literally enough for a hacker to gain complete control over the printer and possibly infiltrate the rest of the network connected to it. Check Point researchers have revealed details of two critical remote code execution (RCE) vulnerabilities they discovered in the
Kategorie: Hacking & Security

11-year-old shows it’s child’s play to mess with elections

Sophos Naked Security - 14 Srpen, 2018 - 12:07
It took him less than 10 minutes to change election results on a replica of Florida's state website.

Spam and phishing in Q2 2018

Kaspersky Securelist - 14 Srpen, 2018 - 12:00

Quarterly highlights GDPR as a phishing opportunity

In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.

As required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies’ customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. It must be noted that the attackers were targeting customers of financial organizations and IT service providers.

Phishing emails exploiting GDPR

Malicious IQY attachments

In the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., which is a known ploy that is still actively used for malspamming. The From field contains addresses that look like personal emails, and names of attachments are generated in accordance with the following template: the name of the attachment, and then either a date or a random number sequence.

Harmful .iqy files

When the victim opens the IQY file, the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent, then this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT) used to gain remote access to the victim’s computer, steal files and personal information, and send spam.

It is rather difficult to detect these attachments because these files look like ordinary text documents which transfer web-inquiry data transfer parameters from remote sources to Excel spreadsheets. IQY files can also be a very dangerous tool in the hands of criminals because their structure is no different from the structure of legitimate files, yet they can be used to download any data at all.

It must be noted that malspam with IQY attachments is distributed via the largest botnet called Necurs. As a reminder, this is the botnet responsible for malspam (ransomware, macro-viruses, etc.), as well as pump-and-dump and dating spam. The botnet’s operation is characterized by periods of spiking and idling while infection and filter evasion mechanisms become ever more sophisticated.

Data leaks

The wave of confidential information leaks we discussed in the previous quarter is still on the rise. Here are some of the most notable events of the quarter:

  • Hacking and theft of personal information of 27M Ticketfly customers;
  • 92M MyHeritage genealogy service users’ personal information was discovered on a public server;
  • 340M individual records were lost by Exactis, a marketing company;
  • An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.

As a result of such leaks, cybercriminals get a hold of users’ names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.

Cryptocurrency

In the second quarter, our antiphishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim’s accounts and private key information, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One of the examples of this are cryptocoin giveaways. Cybercriminals continue using the names of new ICO projects to collect money from potential investors that are trying to gain early access to new tokens. Sometimes phishing sites pop up before official project sites.

Ethereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by ICOs on the Ethereum platform. According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs managed to make $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.

Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site

World Cup 2018

Cybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims’ bank and other accounts, carried out targeted attacks, and created bogus fifa.com account sign-in pages.

HTTPS

As mentioned in the 2017 report, more and more phishing pages are now found on certified domains. Those may include hacked or specially registered domains that cybercriminals use to store their content. This has to do with the fact that most of the Internet is switching to HTTPS and it has become easy to get a simple certificate. In the middle of the second quarter, this prompted Google to announce future efforts aimed at changing the way Chrome works with certificates. Starting in September 2018, the browser (Chrome 69) will stop marking HTTPS sites as “Secure” in the URL bar. Instead, starting in October 2018, Chrome will start displaying the “Not secure” label when users enter data on unencrypted sites.

When Chrome 70 comes out in October 2018, a red “Not secure” marker will be displayed for all HTTP sites where users enter data.

Google believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.

An example of a certified phishing website marked as “Secure”.

At the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.

Vacation season

In anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, from airplane ticket purchases to hotel bookings. For instance, we’ve found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.

An example of a fake hotel booking website

A similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.

An example of fake airline ticket websites

Distribution channels

In our reports, we regularly point out you that phishing and other spam has gone way beyond email a long time ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users themselves for malware distribution. In this quarter, most large-scale attacks were found in messengers and on social networks.

WhatsApp

Cybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just like they used to do with luck chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airplane ticket giveaways. This quarter in Russia, for instance, they used names of popular retailers such as Pyaterochka and Leroy Merlin, and also McDonald’s. Some fake messages come from popular sportswear brands, as well as certain stores and coffee shops.

Users share messages about ticket raffles with their contacts via a messenger since it’s one of the conditions for winning

Once a user has sent the message to some friends, he or she is redirected to another resource, the content of which changes depending on the victim’s location and device. If the user visits the site from their smartphone, most often they are automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and use their name to do other things online, such as publish posts on social media.

An example of a page which a user is redirected to after a survey, at the end of which they were promised a coupon to be used in a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions.

Twitter and Instagram

Cybercriminals have been using Twitter to distribute fraudulent content for a long time. However, it has recently become a breeding ground for fake celebrity and company accounts.

Fake account for Pavel Durov

The most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet to get double or triple coins back. To enhance trust, the wallet may be located on a separate website, which also contains a list of fake transactions that the victim can see “updating” in real time, which confirms that any person who transfers money to the fake wallet gets back several times the amount transferred. Of course, the victim does not receive anything. Despite the simplicity of this scheme, it makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin in their schemes. These names were chosen for a reason — Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made it to the cryptocurrency market leader list published by Fortune.

An example of a website advertised on Elon Musk’s fake account

News sensations make these schemes even more effective. For instance, the shutdown of the Telegram messenger generated a wave of fake messages from “Pavel Durov” promising compensation. In this case cybercriminals use similarly-spelled account names. For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and publish messages about cryptocurrency giveaways in comments to the celebrities’ authentic Twitter posts. As a result, even a detail-oriented person may have a hard time spotting the fake.

Twitter administration promised to stop this type of fraud a long time ago. One of their first steps involved blocking accounts that tried to change the user’s name to Elon Musk, and most probably other names commonly used by cybercriminals as well. However, it is easy to keep the account from being blocked by entering a Captcha and a code sent via text, after which the user can keep Elon’s name or change it to anything they want— the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that are often exploited by cybercriminals.

Another measure taken by the social network is blocking accounts that post links to Elon Musk’s account. Just like in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.

This scam has started spreading to other platforms as well. Fake accounts can also be found on Instagram.

Vitalik Buterin’s fake Instagram account

Facebook

On Facebook, in addition to the aforementioned content distribution through viral threads, cybercriminals often use the advertising mechanisms offered by the social network. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.

Fraudulent website ad on Facebook

After clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive this reward, the user must either pay a fee, enter their credit card information, or share some personal details. Of course, the user does not receive any reward in the end.

Search results

Ads with malicious content and links to phishing sites can be found not only on social networks, but also in the search results pages of major search engines. This has recently become a popular method of advertising fake ICO project websites.

Users do not always notice the “Ad” label next to the ads

Spammer tricks

Last quarter, spammers tried to use the following new tricks to evade filters.

Double email headers

When generating spam emails, spammers use two From fields in the email header. The first From field contained a legitimate address, usually one from a well-known organization (whose reputation is untarnished by spam scandals) while the second contained the actual spammer email address, which has nothing to do with the first one. Spammers were expecting the email to be treated as legitimate by filters, forgetting that modern anti-spam solutions rely not only on the technical part of the email, but also on its content.

Subscription forms

In these events, spam messages in the form of an automatic mailing list subscription confirmations arrive in recipient inboxes. Regular websites capable of unlimited user registration were employed to create them (especially when they allowed using the same email address multiple times). Spammers used a script that auto-filled subscription forms inserting recipient addresses from previously collected (or purchased) databases. Spam content was a short phrase with a link to a spam resource inserted into one of the mandatory fields in the form (in particular, the recipient name). As a result, the user received a notification sent from a legitimate mail address containing a spam link instead of their name.

An example of spam mail sent using the subscription service on a legal site

Statistics: spam Proportion of spam in email traffic

Proportion of spam in global email traffic, Q1 and Q2 2018 (download)

In the Q2 2018, the largest percentage of spam was recorded in May at 50.65%. The average percentage of spam in world mail traffic is 49.66%, which was 2.16 p.p. lower than the previous reporting period.

Sources of spam by country

Spam -originating countries, Q2 2018 (download)

The leading spam-originating country in Q2 2018 was Vietnam (3.98%), which fell to seventh place in the second quarter, replaced by China (14.36%). The second and third places, the USA in Germany, are only one percentage point apart, with 12.11% and 11.12% shares, respectively. France occupied the fourth place (4.42%), and the fifth was occupied by Russia (4.34%). Great Britain occupied the tenth place (2.43%).

Spam email size

Spam email size, Q1 and Q2 2018 (download)

The results of the Q2 2018 indicate that the share of very small spam messages (up to 2 KB) fell 2.45 p.p. to 79.17%. The percentage of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) in comparison with the previous quarter and amounted to 5.56%.

The percentage of 10-20 KB spam messages was practically unchanged — it went down by 0.93 p.p. to 3.68%. 20-50 KB spam messages saw a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) in comparison with the previous reporting period.

Malicious attachments: malware families

Top 10 malware families, Q2 2018 (download)

According to the results of the Q2 2018, the most widely-distributed family of malware by-mail was Exploit.Win32.CVE-2017-11882 (with 10.35%)/ This is the verdict attributed to various malware that exploited the CVE-2017-11882 vulnerability in Microsoft Word. The amount of mail with the Trojan-PSW.Win32.Fareit malware family in it, which steals user information and passwords, decreased during the second quarter, losing the first place and now occupying the second place (with 5.90%). The third and fourth places are occupied by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%). The Worm.Win32.WBVB family was the fifth most popular malware with cybercriminals.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggers by country, Q2 2018 (download)

The first, second, and third places among the countries with the highest quantity of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained in the first place (9.54%), and the second and third places were taken by Russia and Great Britain (8.78% and 8.67%, respectively). The fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).

Statistics: phishing

In the Q2 2018, the Antiphishing prevented 107,785,069 attempts to connect users to malicious websites. 9.6% of all Kaspersky Lab users around the world were subject to attack.

Geography of attacks

The country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).

Geography of phishing attacks, Q2 2018 (download)

Country %* Brazil 15.51 China 14.77 Georgia 14.44 Kyrgyzstan 13.60 Russia 13.27 Venezuela 13.26 Macao 12.84 Portugal 12.59 Belarus 12.29 South Korea 11.66

* Percentage of users whose Antiphishing system triggered against all Kaspersky Lab users in the respective country.

Organizations under attack

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.[/caption]

In Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).

Distribution of organizations affected by phishing attacks by category, Q2 2018. (download)

The percentage of attacks on organizations that may be combined into a general Finance category (banks, at 21.10%, online stores, at 8.17%, and payment systems, at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies in the second quarter were more often subject to threats then in the first quarter. This category saw an increase of 12.28 p.p. to 13.83%.

Conclusion

Average spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.

In this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and messengers (users were often distributing them themselves), as well as in marketing messages served by large search engines.

Exploit.Win32.CVE-2017-11882 was the most widely-distributed family of malware via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from the first place to the second place (5.90%), and the third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).

Syndikovat obsah