13 Different Phishing Tactics and 1 Way to Prevent It

 

Phishing attacks are no longer the TOO GOOD TO BE TRUE, “you have won a million-dollar jackpot” kind of emails from strangers that stand out easily against your otherwise mundane life.

Today, phishing emails have become sophisticated. In spear phishing, the attacker “custom-writes” the email to make it believable to you specifically. They mimic our (normal) life, and that is where it gets interesting and scary at the same time.

23% of recipients now open phishing emails and 11% click on attachments, and nearly 50% of this happens within 60 minutes of the attack!

– 2015 Data Breach Investigations Report (DBIR group)

Let me share a personal experience.

We got selected as one of the Top 50 Product Companies as part of #Intech50 2016, and I was on the road, on my way to the event, when I got an email on my phone saying “a gift from Intech50 is waiting for me”.

I was surprised and opened the email, and this is how it looked…

Spear_Phishing_Example

Being in the security space, it would not be an overstatement to say that I have become “hardened” to suspicious emails. But for any other normal person, this email would be too tempting not to fall for.

Right person. Right timing. Right content. Wrong intent!!

In this article I will cover the various tactics the bad guys use to succeed in a phishing attack, and at the end, one of the most effective tactics to prevent it.

Sit tight and enjoy the ride …

Tactics Used for Phishing (Many Old. Some New.)

1. Deception Phishing

One of the most traditional approaches to phishing is to send out a mass email and try to convince users to click the link in the message, such as the one shown below.

Deception_Phishing_Example

(Source: Srijan)

2. Tab-Nabbing

Tab-nabbing techniques rewrite a browser tab that has been left unattended for some time so that it impersonates a popular website, and then convince users to re-enter their credentials.

Tabnabbing-Example

3. Malware Based Phishing

Malware-based phishing, a strategy typically aimed at small and medium-sized businesses (SMBs), inserts malware onto a user’s computer (via email attachment, download, etc.) in order to gather information and exploit vulnerabilities. SMBs frequently have weak patch management policies and so neglect application and operating system updates, which often contain the very patches that harden a system against these types of attacks.

Ransomware is a special type of malware that is becoming increasingly popular. It encrypts the victim’s data and demands a ransom to decrypt it. It is very effective because of the poor data backup routines most of us follow.

68% of 200 security professionals surveyed by Tripwire during the 2016 RSA conference expressed concern that their company would not be able to fully recover from a ransomware attack.

Malware-Ransomware-Example

(Source: The Hacker News)

4. Key Loggers and Screen Loggers

Key loggers and screen loggers are a type of malware that records a user’s keystrokes and activities, sometimes even the entire display. Computers become infected with key loggers and screen loggers when users visit certain web pages or complete downloads such as applications and device drivers. Using this method, phishers capture any information entered into the system, which is then sent to a designated collection server.

SpyEye, one of the more popular keyloggers, plagued the financial services industry for years by quietly stealing customer account information through recorded keystrokes.

Keylogger-example.png

(Source: TrendMicro)

5. Web Trojans

One of the most devious and deceitful methods of phishing involves web Trojans: malicious programs that collect a user’s login credentials while disguising themselves as a specific website, e.g. a company login portal, a social media platform, or an email account. The user believes they are entering their ID and password into that website, when in reality they have just submitted their credentials to a phisher.

The Dyre banking Trojan was delivered by emails disguised as JPMorgan Chase advertisements. These Trojans were able to evade anti-virus software, allowing them to remain undetected for long periods of time.

Web-Trojans-example

(Source: Softpedia)

6. Data Theft

Once malicious code is successfully implanted on a user’s computer, phishers are able to steal confidential information. Not only is this tactic widely used to collect social security and bank account numbers, but in many cases it has also been aimed at corporate espionage.

Data-Theft-Example

7. Content Injection

When hackers gain access to the back-end of a website, they can often tweak its content to be misleading, resulting in users submitting sensitive information.

content-injection-example

(Source: Netcraft)

8. System Reconfiguration Attacks

Hackers can modify system settings on user desktops to create holes in endpoint security that can be exploited further, such as changing URL favorites to point at malicious websites, or even disabling endpoint anti-malware on machines where the user has administrative privileges.

Sys-reconfigure-example

(Source: Google)

9. Search Engine Phishing

Search engine phishing occurs when phishers create websites with “offers”, often too good to be true, and have them indexed by popular search engines.

Users stumble upon these sites in their usual searches and are often fooled into providing information to receive the offer (which may be a fake bank offering low interest rates, insurance products, etc.).

The search companies will eventually take such sites down if there are complaints, but that may come too late.

search-engine-phishing-example

 

10. Man in the Middle (MitM)

Quite possibly the hardest type of attack to detect, MitM phishing occurs when hackers position themselves between the user and the legitimate website, intercepting and recording any data sent to the website.

MitM-example

(Source: Understanding the Increasing Problem of Electronic Identity Theft, by Markus Jakobsson and Steven Myers)

11. Session Hijacking

Session hijacking occurs when malicious software “hijacks” a user-initiated session once the user has entered their credentials. This type of attack can be used simply to monitor activity, and is usually carried out by local malware on the user’s endpoint or as part of a man-in-the-middle attack.

session-hijacking-example

(Source: PC & Tech Authority)

12. DNS Based Phishing (Pharming)

DNS-based phishing generally includes any technique that interferes with the integrity of a domain name lookup.

As per Infoblox and DarkReading.com, the DNS threat index jumped almost 60% in 2015 as attackers became far more sophisticated in their campaigns. A new generation of inexpensive, quick-to-register domain names has also made it easier for the bad guys to set up shop in the DNS infrastructure.

One example is a phisher polluting the user’s DNS cache with records that redirect the user to a fake, corrupted location.

DNS-Pharming-example

(Source: Massive)

13. Host File Poisoning

Hackers use this form of local pharming, or DNS poisoning, to corrupt the user’s hosts file. When a user enters a web address, the name must first be converted to an IP address, and the resolver consults the local hosts file before performing a DNS lookup. By “poisoning” the user’s hosts file, attackers send users to websites impersonating the intended ones in order to steal information.
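Because the hosts file is consulted before DNS, a defender can audit it directly. The following added example (not code from the original post) parses a hosts file and flags public domains that have been pinned locally; the hosts-file content and the list of watched domains are constructed for the demonstration.

```python
"""Audit a hosts file for entries that override public domains.

Added example for the hosts-file poisoning tactic; not code from the original
post. SAMPLE_HOSTS and WATCHED_DOMAINS are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains whose resolution should never be pinned locally (constructed list).
WATCHED_DOMAINS = {"login.examplebank.com", "www.examplemail.com",
                   "update.examplevendor.com"}

# Hosts file content as it might look after a pharming payload edited it (constructed).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan

# Injected: public sites pinned to a host the attacker controls
203.0.113.45    login.examplebank.com www.examplebank.com
203.0.113.45    www.examplemail.com
# Injected: update server pointed at loopback so updates silently fail
127.0.0.1       update.examplevendor.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # skip malformed address fields
        except ValueError:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def audit_hosts(text: str, watched=WATCHED_DOMAINS) -> List[Dict[str, str]]:
    """Flag every watched domain that the hosts file pins to any address.

    A public domain has no business in a local hosts file: the entry either
    redirects the name to an impersonating server or points it at loopback
    (blocking the real service). Both cases are reported with a reason.
    """
    findings = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name not in watched:
                continue
            if addr.is_loopback:
                reason = "pinned to loopback (blocks the real service)"
            else:
                reason = f"redirected to {ip}"
            findings.append({"host": name, "ip": ip, "reason": reason})
    return findings


def redirect_targets(text: str, watched=WATCHED_DOMAINS) -> Dict[str, List[str]]:
    """Group redirected watched names by destination address.

    Several unrelated domains sharing one non-loopback address is the usual
    footprint of a pharming edit and is worth prioritising during triage.
    """
    groups: Dict[str, List[str]] = {}
    for f in audit_hosts(text, watched):
        if not ipaddress.ip_address(f["ip"]).is_loopback:
            groups.setdefault(f["ip"], []).append(f["host"])
    return groups


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['host']:30} {f['reason']}")
    print(redirect_targets(SAMPLE_HOSTS))
```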

host-file-corruption-example

(Source: Phishlabs)

So these were some of the tactics used in phishing.

Having said that, this list is by no means complete. The bad guys are devising new ways to attack even as we read this!

So, How to Prevent It?

There are many countermeasures you can adopt to harden your organization against falling prey to phishing. Some of these measures are:

  • Anti-malware: Popular anti-virus/anti-malware solutions
  • Web Filters: Determining what websites users can access using a risk-based approach
  • Data Loss Prevention (DLP): Protecting data in transit, at rest, and in use
  • Anti-phishing software: Containerization solutions for downloads from malicious emails and websites
  • Using HTTPS for transactions: Checking the padlock icon to ensure secure transactions
  • Spam Filters: Many email clients can detect potential spam (much of it phishing) and separate out those emails
  • Patch Management: Ensuring systems are patched and up-to-date mitigates many of the vulnerabilities targeted by phishing campaigns

But the most important defense mechanism is still the “people”.

Companies without security training and awareness programs spent an average of $683,000 due to new-hire security incidents, while those that did have security training and awareness spent only $162,000, i.e. less than a quarter of the cost!

– PwC’s US State of Cybercrime Report

Phishing is called social engineering for a reason: it is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Therefore, one of the most effective prevention tactics is training people.

“One of the most effective ways you can minimize the phishing threat is through
awareness and training.”

—Lance Spitzner, Training Director,
SANS Securing The Human

Phishing Fall and Fail Rates: Why Do They Matter?

In a typical phishing attack, the target is enticed to read an email, visit a website and reveal information. A common misconception is that the attack is successful only if the target reveals information. This is not true. An attacker essentially looks for information to plan the next move, and can obtain it from user actions even when no private data is revealed. For instance, simply by visiting the malicious website, the target reveals information that can be used for fingerprinting and for learning what kind of content attracts targets.

The Fall Rate is defined as the percentage of users (targets) who “fall” for the attack and visit the fake website.

The Fail Rate is defined as the percentage of users (targets) who “fail” in the attack, i.e. visit the fake website and reveal sensitive information.

Obviously, not every employee who “falls” will also “fail”: either they realized it was an attack (most likely the case) or simply did not proceed further because of other priorities. This creates a good opportunity to train people using these “teaching moments”.

If people are educated with examples of good and bad behavior based on their own actions, they retain that knowledge far better than knowledge gathered from generic training.

Phishnix is a phishing diagnostic solution by Aujas that simulates a phishing attack and captures users’ likely reaction to a real attack. It then leverages the teaching moment created by the user’s response, and generates an easy-to-implement action plan to drastically improve the defense against future phishing attacks.


Phishnix is currently used by several organizations globally to strengthen their people-based defense against phishing attacks. It focuses on the “Fall rate” and “Fail rate” based on actual employee behavior and is very effective in helping organizations develop specific control measures to address potential problem areas.

How can Internet of Things (IoT) Not become a pain-in-the-a$$ from a cyber security perspective?

The Internet of Things is as enticing to hackers as it is to consumers like you and me!

Let’s look under the hood of IoT from a security perspective, in order to see how we can reduce the risk of cyber threats.

IoT is the network of physical devices embedded with electronics, software, sensors, and network connectivity, which enables these devices to collect and exchange data. IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for closer integration between the physical world and computer-based systems and resulting in improved efficiency, accuracy and economic benefit. When IoT is augmented with sensors and actuators, the technology becomes an instance of the more general class of cyber-physical systems, which also encompasses smart grids, smart homes, intelligent transportation and smart cities. Each thing is uniquely identifiable through its embedded computing system but is able to inter-operate within the existing Internet infrastructure.

As the popularity of IoT devices increases, so does their vulnerability to attack.

 

IoT Cyber Attacks

(Source: Spectrum.ieee.org)

The above picture sums up the situation pretty well.

As per a study conducted by HP, 90% of devices collected at least one piece of personal information via the device, its cloud service or its mobile application, and 60% of devices that provide a user interface were vulnerable to a range of issues such as persistent XSS, unencrypted connections and weak credentials.

Let’s look at an example.

If we consider a home automation system controlled by a mobile app built on the Android or iOS platform using angular.js (as is the case for most such devices), each of them has more than 10-15 different vulnerabilities.

When we drew a threat modeling diagram of a simple home automation system, a total of 22 vulnerabilities popped up!!

Threat-modelling-simple-home-automation-aujas

To make our lives easier, the Open Web Application Security Project (OWASP) has classified these vulnerabilities into the following Top 10 categories.

  1. Insecure Web Interface
  2. Insufficient Authentication/Authorization
  3. Insecure Network Services
  4. Lack of Transport Encryption
  5. Privacy Concerns
  6. Insecure Cloud Interface
  7. Insecure Mobile Interface
  8. Insufficient Security Configurability
  9. Insecure Software/Firmware
  10. Poor Physical Security

(Source: OWASP 2016 Top 10 for IoT)

If you look closely at this list, you will notice that most of the vulnerabilities are very basic, yet they can give the bad guys an opportunity to own an entire database of PSI (Personal Sensitive Information) and BSI (Business Sensitive Information).

Going back to our home automation example: most such systems use Amazon or Azure cloud web services for communication from the mobile app to their servers. If you intercept the traffic between the mobile app and the device via these web services, it is very easy to get access to a lot of valuable data. AWS tokens, JWT tokens and other tokens mostly carry their information in Base64 encoding, which can be decoded in microseconds using online resources such as JWT.IO (https://jwt.io/)!
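The point about Base64-encoded tokens is easy to verify offline, which is also the safer way to inspect a production token than pasting it into a web tool. The added example below (not code from the original post) builds a constructed HS256 JWT with a made-up key, then decodes its header and payload without the key to list what anyone who intercepts the token learns; the sensitive claim names are an assumption for the demonstration.

```python
"""Inspect a JWT offline to see what it discloses.

Added example; not code from the original post. Header and payload of a JWT
are only Base64url encoded, not encrypted, so the signature protects
integrity but not confidentiality. DEMO_KEY, DEMO_TOKEN and the claim names
are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Claim names that should not ride in a bearer token in the clear (constructed list).
SENSITIVE_CLAIMS = {"email", "phone", "home_address", "device_serial", "wifi_password"}


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(payload: Dict[str, Any], key: bytes) -> str:
    """Build an HS256 token the way a device backend might (constructed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def inspect_token(token: str) -> Dict[str, Any]:
    """Decode header and payload WITHOUT the key and list what an observer learns."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    issues: List[str] = []
    if str(header.get("alg", "")).lower() == "none":
        issues.append("alg=none: the signature is not checked at all")
    exposed = sorted(k for k in payload if k in SENSITIVE_CLAIMS)
    if exposed:
        issues.append(f"sensitive data readable by anyone holding the token: {exposed}")
    if "exp" not in payload:
        issues.append("no exp claim: a captured token never expires")
    return {"header": header, "payload": payload, "issues": issues}


def verify_signature(token: str, key: bytes) -> bool:
    """HS256 integrity check only: a valid signature does NOT make the payload private."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


# Constructed token a mobile app might send to a device's cloud API.
DEMO_KEY = b"demo-key-not-secret"
DEMO_TOKEN = make_demo_token(
    {"sub": "device-10023", "email": "owner@example.com",
     "home_address": "1 Example Street", "iat": 1460000000},
    DEMO_KEY)

if __name__ == "__main__":
    print(json.dumps(inspect_token(DEMO_TOKEN), indent=2))
    print("signature valid:", verify_signature(DEMO_TOKEN, DEMO_KEY))
```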

Also note that when it comes to IoT, business logic vulnerabilities are more prevalent than technical ones: most IoT devices identify themselves with a simple identifier such as a device ID or username, so a lot of PSI or BSI related to the devices can be gathered just by iterating over such identifiers (sequentially or randomly). Most devices will also have CSRF or session-related vulnerabilities unless you address them in the configuration.

Coming to the network side of IoT: IoT devices run on very low power, and communication between them can happen over a wide variety of protocols such as Zigbee, Bluetooth, Z-Wave, Wi-Fi, NFC, Neul or BLE.

With the rise of new protocols, the attack surface has also increased, since each of these communication mediums poses its own risk to IoT devices. There is more to IoT devices than you might think: various malformed commands sent to these devices can crash them or cause a denial of service (DoS).

IoT devices have made our lives a lot richer in terms of consumer experience. However, in terms of privacy invasion they are going to be the next big thing, given the number of vulnerabilities that keep popping up. It is estimated that by 2019 a total of 15 million devices will be in use by users, consumers and industry, and needless to say by hackers as well.

But don’t panic. If you take care of the basics covered above, you should be good, for the most part!

Bonus: My personally recommended list of tools 🙂

  1. Hardware Security Module (HSM): a security hardware device which generates, stores and protects cryptographic keys.
  2. Bus Pirate: an open source sniffer which supports various hardware protocols like I2C, SPI, JTAG, 1-Wire, etc.
  3. GoodFET: open source tool for interfacing with and hacking chips and target devices.
  4. Commercial sniffers (e.g. Beagle) which support dissecting lower-level protocols.
  5. Logic Analyzer: concurrent capturing, visualizing and decoding of large quantities of digital data.
  6. Protocol Analyzer: real-time, non-intrusive device for monitoring, capturing and decoding wired communication.
  7. Spectrum Analyzer: visualizing RF or radio spectrum.
  8. Burp: for intercepting traffic between mobile and device.
  9. Codenomicon / Achilles: for fuzzing protocols.
  10. IDA Pro / Fortify / Klocwork: reverse engineering and firmware analysis.

 

About the Author:

Avinash Sinha is a Security Consultant with Aujas. His areas of interest include vulnerability assessments, secure code review, security research, web/mobile penetration testing, SCADA/ICS, and network infrastructure protection.

30-Sec Guide: How to Save Yourself from DROWNing (DROWN Attack – SSLv2 – CVE-2016-0800)

 

What is DROWN?

DROWN is the latest in a long line of recent vulnerabilities discovered in SSL/TLS. It is a cross-protocol attack that combines brute-force decryption of weak ciphers with a Bleichenbacher padding oracle attack on SSLv2.

RSA key exchange in TLS and SSL uses a particular form of padding, PKCS#1 v1.5, whose implementations were known to be vulnerable to an information leakage attack called the Bleichenbacher padding oracle attack. Most SSL/TLS implementations fixed this with a workaround that removes one of the preconditions for the attack to succeed. This fix has mostly been found satisfactory from SSLv3 onwards, but has now been found inadequate for SSLv2, which has fundamental differences in the way it works.

What does a generic attack look like?

The general variant of this attack involves first observing and storing a number of TLS connections. Then a specially crafted handshake message, carrying a modified RSA ciphertext from the original TLS connection, is sent over an SSLv2 connection. Because of the Bleichenbacher padding oracle, the attacker can deduce whether the ciphertext decrypted successfully to a valid plaintext or not. Repeating this over many attempts lets the attacker fully decrypt the original TLS connection.

On average, around 40,000 connections and around 2^50 offline brute-force computations would be required to decrypt a single TLS connection. Even though the computing power required seems high, the researchers who identified the vulnerability were able to use GPU computation and perform the attack in around 8 hours.

If You Are Lucky, You Might See This “Improvised” Attack

A variant of this attack exists which makes use of identified vulnerabilities in OpenSSL to significantly speed up the attack. In this special case, the researchers were able to decrypt a TLS connection in just a minute on a standard computer. The OpenSSL vulnerability (CVE-2016-0703) is in the SSLv2 code, which accepts a non-zero clear-key length for any cipher. This allows an attacker to perform the DROWN attack using only 17,000 connections and significantly fewer rounds of brute-force computation compared to the generic version of the attack.

Who should worry?

Weaknesses in SSLv2 have been known for over two decades now and its use has been deprecated ever since. But even though modern clients do not support SSLv2, many servers still do, either to ensure backwards compatibility or because of default configurations. Measurements by the research team have shown that 17% of all HTTPS servers allow SSLv2 connections.

Compounding this issue is the fact that most organisations use the same key pair across multiple servers. That is, even if a web server does not support SSLv2 itself, it is enough if another server sharing its key, such as the VPN server or a mail server, does. All an attacker requires is at least one server that holds the shared private key and supports SSLv2.

Some versions of OpenSSL (CVE-2015-3197) allow SSLv2 connections to a server built with SSLv2 support even though it has been explicitly disabled in the configuration.

How bad is this really?

An attacker exploiting this vulnerability needs a privileged position within the network and must make a large number of requests to decrypt a single TLS connection. The private key itself is not recovered; only the master key of a particular connection can be obtained. This makes it less severe than the Heartbleed vulnerability. Most security research firms categorise it as medium severity, and the CVE has been assigned a CVSS score of 5.9.

How to fix the Vulnerability

Fixing the vulnerability is merely a matter of disabling SSLv2 support on all servers (web, mail, VPN, etc.) and ensuring the SSL/TLS library used is updated to the latest version possible. Since the attack does not compromise the confidentiality of the private key, it is not necessary to change the certificate.

If it is not possible to disable SSLv2 immediately for backward compatibility reasons, it is recommended that a firewall be put in place to block repeated failed SSLv2 connection attempts to a server.
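The shared-key point above is what makes remediation a fleet-wide exercise: a key is exposed if any server using it still accepts SSLv2. The added example below (not code from the original post) evaluates Apache SSLProtocol directives for a constructed inventory and reports which keys, and therefore which servers, are still affected; server names, key ids and the assumption that the all keyword includes SSLv2 (as in Apache 2.2) are constructed for the demonstration.

```python
"""Find keys exposed to DROWN across servers that share certificates.

Added example; not code from the original post. Models the page's argument:
a key is exposed if ANY server using it still accepts SSLv2. FLEET, the key
ids and the server names are constructed sample data.
"""
from typing import Dict, List, Set

# What the Apache 2.2-era "all" keyword expanded to, SSLv2 included (assumption for the demo).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def enabled_protocols(directive: str) -> Set[str]:
    """Evaluate an Apache SSLProtocol value such as 'all -SSLv2 -SSLv3'.

    Tokens: 'all', '+NAME' or bare 'NAME' enable, '-NAME' disables; later
    tokens override earlier ones. An optional leading 'SSLProtocol' keyword
    is ignored so whole config lines can be passed in.
    """
    enabled: Set[str] = set()
    for tok in directive.replace("SSLProtocol", "", 1).split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def exposed_keys(fleet: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each key id to the servers that still accept SSLv2 with that key."""
    weak_by_key: Dict[str, List[str]] = {}
    for srv in fleet:
        if "SSLv2" in enabled_protocols(srv["protocols"]):
            weak_by_key.setdefault(srv["key_id"], []).append(srv["name"])
    return weak_by_key


def affected_servers(fleet: List[Dict[str, str]]) -> List[str]:
    """Every server whose key is exposed somewhere, even if it has SSLv2 off itself.

    This is the page's point: the hardened web server is still decryptable
    because the mail server shares its key and still speaks SSLv2.
    """
    weak = exposed_keys(fleet)
    return sorted(s["name"] for s in fleet if s["key_id"] in weak)


# Constructed inventory: three services share key K1, one uses its own key K2.
FLEET = [
    # the remediated form from the text: SSLv2 (and SSLv3) explicitly removed
    {"name": "www.example.com",  "key_id": "K1", "protocols": "all -SSLv2 -SSLv3"},
    # the "default configuration" case: nothing disabled
    {"name": "mail.example.com", "key_id": "K1", "protocols": "all"},
    {"name": "vpn.example.com",  "key_id": "K1", "protocols": "+TLSv1 +TLSv1.2"},
    {"name": "api.example.com",  "key_id": "K2", "protocols": "TLSv1.2"},
]

if __name__ == "__main__":
    print("servers still accepting SSLv2, by key:", exposed_keys(FLEET))
    print("servers whose traffic is at risk:", affected_servers(FLEET))
```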

About the Author:

Naresh T.A is a security consultant with Aujas. He is interested in researching new vulnerabilities and threats in order to help enterprises strengthen their defenses against cyber threats.

Encounter with Mobile Malware

Author: Milan Singh Thakur

Smartphones have evolved drastically over the decade, and the number of smartphones in the market almost doubles each year. The use of mobile devices has increased productivity and changed the way organizations do business. This has led to the development of millions of mobile applications, but how many of these applications are safe? How many of them steal your personal data, like your email, mobile number, location info or your money?

clip_image002_0005

Mobile applications are the most effective way for attackers to spread malware and RATs onto devices. Applications on the Google Play Store and Apple App Store are analyzed using automated analysis tools, which, however, cannot detect sophisticated malware like the Zeus bot or the Dyre Wolf banking malware. Additionally, users install applications from unverified sources. It is highly recommended that all mobile applications undergo security testing before being released on an app store or to users.

Understanding How Mobile Malware Works:

There are many free applications available on the internet that carry a backdoor allowing the attacker to gain access to our mobile devices. Moreover, users are prone to downloading free software rather than buying it, which includes patches, mod APKs and various cracked gaming applications. Below is a depiction of how malware gets into our device:

clip_image004_0001

Most Common and Active Malware on Mobile Devices:

DangerousObject.Multi.Generic
Trojan-SMS.AndroidOS.OpFake.bo
AdWare.AndroidOS.Ganlet.a
Trojan-SMS.AndroidOS.FakeInst.a
RiskTool.AndroidOS.SMSreg.cw
Trojan-SMS.AndroidOS.Agent.u
Trojan-SMS.AndroidOS.OpFake.a
Trojan.AndroidOS.Plangton.a
Trojan.AndroidOS.MTK.a
AdWare.AndroidOS.Hamob.a
Android.Geinimi
SMS.AndroidOS.FakePlayer.c
Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A
Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A
Android.KungFu variants


Mobile Phishing: Thief right in your pockets

Author: Sohail Najar

No other technology has impacted us like the mobile phone. The fastest-growing man-made phenomenon ever, it grew from zero to 7.2 billion in three decades. Today there are more mobile phones than humans, and they are growing almost five times faster than the world’s population. These facts are enough to prove how popular mobile phones have become. This rapid growth has also led to a lot of exploitation, and each year new types of vulnerabilities are added. More than 90% of attacks start with phishing. In this article we will talk about how one can protect oneself and others from this epidemic.

Phishing through mobile is relatively easy, with a better success rate of stealing information than through computers, laptops or other electronic media, for the following reasons:

  1. Usability: We use our mobile phones day in and day out. Statistics reveal that the time spent on smartphones has increased to more than 30 hours per month. So the more one uses one’s mobile, the greater the chance of revealing private information to a hacker.
  2. Screen Size: A smaller screen makes it difficult for the user to distinguish between a phishing site and a genuine website. Apps are kept relatively simple to accommodate different screen sizes, which also makes them easy for hackers to replicate.
  3. Security Indicators: There are very few indicators that let a user evaluate how secure and authentic an application is.
  4. Behavioral: We are accustomed to entering our passwords in familiar, repeated settings, which makes us more vulnerable to attacks with a higher success rate.
  5. Inadequate Identity Indicators: As far as apps are concerned, there are very few identity indicators available and fewer people who use them. So a user is not able to distinguish between apps from legitimate and illegitimate sources.

Nobody wants to reveal information to strangers who can misuse it for their own benefit, especially sensitive information like credit/debit card details and personal data. But before we tell you what you can do to avoid accidentally supplying information to a stranger, you need to understand the ways in which they can attack you. No attack is possible without a data transfer medium, and mobile phones these days use a plethora of mediums, from short-distance ones (infrared, NFC, S Beam, etc.) to long-distance ones (Bluetooth, Wi-Fi, 3G, 4G, etc.). Let us look at how an attacker can exploit these mediums for his benefit.

  1. Wi-Fi Phishing Attack: Wi-Fi has become one of the imperative needs in our life. Whether at your office, your favorite café or your home, the need to remain connected is at an all-time high. Wi-Fi has indeed become an integral part of our life, and hence a hotspot for the attacker too. It is easy to set up a fake Access Point (AP), because a user cannot validate the authenticity of the AP they are connecting to. Hence an attacker can set up an AP with an SSID that looks legitimate; for example, an AP near a Starbucks with a look-alike SSID such as “Starbucks Wi-Fi”. Once the victim is connected to the fake AP, the attacker can misdirect the user to fraudulent sites or proxy servers that appear to the user as legitimate websites.
  2. Bluetooth Phishing Attack: Bluetooth is a wireless technology standard for exchanging data over a short range. Bluetooth-enabled phones have a serious security flaw that allows others to connect to the device without the user’s permission. Once the attacker gets access to your phone through Bluetooth, he can access your files, call logs and phonebook, use your internet connection, etc. It doesn’t end there: he can change contact numbers, send you a phishing message, or make you download malware by making you believe it is genuine. So once you are in his trap, you are likely to reveal your secure information to him, assuming he is genuine.
  3. SMS Phishing or SMShing: This uses cell phone text messages to deliver the bait that induces people to divulge their personal information. In many cases such texts are sent via email, which makes them difficult to trace. If the sender’s number is a short code or a text string like ‘516000’ or ‘DM-YATR’ instead of an actual phone number, it is an indication that the message came from email.
  4. Voice Phishing or Vishing: Here attackers use telephone systems to impersonate a legitimate company and steal personal information from the victim. Some attackers use Voice over IP (VoIP) features like caller ID spoofing, by which they can choose any number to call from, so that to the victim the call appears to come from the legitimate source. It is difficult even for the legal authorities to monitor or trace such calls, which makes this type of phishing attack more dangerous.
  5. Mobile Web Application Phishing Attack: On average a smartphone user uses more than 24 apps per month, which gives the attacker 24 spots per user to attack. Due to the small screen size, most apps have simple designs that are easy for an attacker to replicate. There are typically four ways by which you could be directed to these phishing sites:
    1. App -> App: The user is directed to a phishing application from a legitimate application, so does not get suspicious about the phishing app and reveals his data.
    2. App -> Web: The user is directed to a website by a legitimate application. As the mobile screen is usually small, the user does not verify the credentials of the website. So next time you are directed to a website from your Facebook or Twitter account, think before providing any information.
    3. Web -> App: The user is directed from the web browser to a phishing app that appears to be legitimate. As there is no security indicator that distinguishes a legitimate app from a phishing app, the user ends up revealing his information. So next time your browser directs you to your Facebook app, check carefully whether it opens the legitimate Facebook or a fake one.
    4. Web -> Web: The user is directed to a phishing website from a legitimate website. This is the most common attack, as it works against computer users as well.
  6. Other Probable Phishing Vectors: There are new data transfer mediums like S Beam and NFC that could be exploited by attackers in the near future. Although there are no signs of such attacks yet, one should be alert to attacks that use mechanisms similar to the ones mentioned above.

This is only a broad classification of how phishing attacks are possible on your mobile device. A thief is right there in your pocket, waiting for you to make one mistake. So the question is: what can you do to protect yourself from such traps? Suspicion is the key to prevention. Let’s find out where you should keep your eye of suspicion.

  1. Check Before Connecting: – Always ensure that you are connecting to the right, legitimate AP or hotspot (for Wi-Fi and Bluetooth respectively).
  2. Secure Connection: – Pay attention to the site’s connection security: if the URL appears correct but it isn’t preceded by https, it’s almost certainly not legitimate.
  3. Check Sender: – Compare the address of the sender to the address that usually appears when you get an email from this person or organization; if it differs, it’s probably a fake.
  4. Check URL: – Watch for spelling mistakes or other telltale signs of a phishing scam. If you’re reading an email supposedly from Facebook but the address that appears when you hover over the link to visit Facebook to retrieve that message doesn’t show a URL with http://www.Facebook.com anywhere in it, it’s not legitimate.
  5. Check Redirection: – If you are redirected to a new page when you open the message, check the URL of that page. If it isn’t in line with where you expected to be, leave immediately.
  6. Make a Whitelist: – Make a list of trusted vendors (a whitelist) and install applications, download content or retrieve information only from these trusted vendors. Then, even if you face a phishing attack, it is easy for you to detect and report it.
  7. Use Application Identity Indicators: – Users cannot reliably tell what website is currently loaded in the browser or what application is currently running, because websites and applications can replicate each other with a high degree of accuracy. A small portion of the screen should therefore be dedicated to displaying application identity.
  8. Use Updated Antivirus: – Antivirus keeps track of websites, applications and even messages coming from non-legitimate sources and can help you track them. Keep the antivirus updated so that your phone is aware of such websites and vendors.
  9. Be Suspicious: – Whenever you provide information on any medium, check all credentials and authenticity. A little suspicion can help you avoid falling into traps.
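The “Secure Connection”, “Check URL” and “Make Whitelist” items above can be turned into a mechanical check that runs before a link is opened. The following is an added example written for this article, not code from the original post; the trusted domains, sample links and the 203.0.113.0/24 addresses are constructed values, and the two-label domain rule is an assumption that a real deployment would replace with the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed allow-list (the "whitelist" of item 6) of registrable domains
# the user actually trusts. Sample values only.
TRUSTED_DOMAINS = {"facebook.com", "twitter.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Good enough for the sample domains above; a real deployment should
    consult the Public Suffix List (assumption: no multi-label TLDs here).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def vet_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Apply the 'Secure Connection', 'Check URL' and 'Make Whitelist'
    checks to a link before it is opened.

    Returns {'ok': bool, 'host': str, 'reasons': [str]} so a UI can show
    the user *why* a link is being flagged rather than silently blocking it.
    """
    reasons = []
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""

    # Secure connection: expect https in front of the address.
    if parsed.scheme != "https":
        reasons.append("not https")

    # Check URL: a 'user@host' prefix lets a sender show a trusted name in
    # the address while the request actually goes to the host after '@'.
    if parsed.username is not None or parsed.password is not None:
        reasons.append("credentials embedded in URL")

    # A bare IP address in place of a hostname is another telltale sign.
    if host and host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of hostname")

    # Whitelist: compare the registrable domain as a whole, not as a
    # substring, so 'www.facebook.com.login-verify.example' is not trusted.
    if registrable_domain(host) not in trusted:
        reasons.append(f"domain '{host}' is not in the trusted list")

    return {"ok": not reasons, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links; 203.0.113.0/24 is a documentation range.
    for link in (
        "https://www.facebook.com/messages",
        "http://www.facebook.com.login-verify.example/",
        "https://www.facebook.com@203.0.113.5/login",
        "https://203.0.113.5/facebook",
    ):
        print(link, "->", vet_link(link))
```

The point of returning reasons rather than a bare yes/no is the “Use Application Identity Indicators” advice: a user who is told that the real host is `203.0.113.5` and that `www.facebook.com` was only a username prefix learns to spot the trick, whereas a silent block teaches nothing.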

Current defense mechanisms against phishing attacks in a mobile environment are still inadequate, so there is a need for an anti-phishing solution that works on the recipient as well as on the transmission medium. The digital landscape is changing day by day, with users spending more time on their phones and tablets than on their laptops or desktops. Phishing attacks are going to grow, and an anti-phishing solution is a must for this changing landscape.

VENOM Vulnerability

Introduction

VENOM, an acronym for “Virtualized Environment Neglected Operations Manipulation”, is a “Virtual Machine (VM) Escape” vulnerability, a class in which an attacker may be able to break out of a confined virtual machine and interact with the host operating system. VENOM differs from the rest of the VM escape vulnerabilities in that it can be exploited even in the default configuration of the affected VM platforms and can spread to all other VMs running on the host.

The vulnerability resides in the floppy disk controller (FDC) driver code used in QEMU, a free and open source virtualization package used by many virtualization platforms such as Xen, KVM, and VirtualBox. VMware, Microsoft Hyper-V, Linode, Amazon AWS and Bochs hypervisors are not impacted by this vulnerability.

The Vulnerability

As per the blog published by Jason Geffner, the security researcher from CrowdStrike who discovered this bug, the attack is triggered by sending specially crafted data from the guest virtual machine to the Floppy Disk Controller (FDC), causing a buffer overflow and ultimately arbitrary code execution. This may result in gaining control of the host machine and of all other virtual machines running on the same host, after which an attacker can access sensitive data outside the exploited VM. In a cloud environment this means gaining access to other companies’ (cross-tenant) data.

CrowdStrike has published the diagram that elucidates the attack flow –

[Diagram: VENOM attack flow, as published by CrowdStrike]

Though this vulnerability seems to have a devastating impact, there are multiple factors to take into account when measuring the likelihood of it becoming widespread –

  1. An attacker needs to be authenticated to one of the virtual machines in order to exploit the vulnerability. Hence it is not a remotely exploitable vulnerability.
  2. CrowdStrike states that “Neither CrowdStrike nor our industry partners have seen this vulnerability exploited in the wild.” This means that an exploit has not yet been found, or at least is not publicly known.
  3. Even if an exploit is discovered, this vulnerability will most likely be used in targeted attacks and not on a large scale like Heartbleed.

Fixing the vulnerability

Even though there is no known exploit for this vulnerability, attackers may come up with one as soon as the fixed code is publicly available for them to reverse-engineer. Hence, it is advised to patch the vulnerability before attackers develop an exploit.

If you are running your guest system on any of the affected virtualization platforms, please contact your cloud service provider at the earliest. Patch information for the different affected platforms is listed below –

QEMU

Patch information is published at http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c

Xen

Patch information is published at http://xenbits.xen.org/xsa/advisory-133.html

All versions of Red Hat Enterprise Linux (RHEL) running QEMU

Update the system using "yum update" or "yum update qemu-kvm".

Oracle VirtualBox

Patch information is published at http://www.oracle.com/technetwork/topics/security/venom-cve-2015-3456-2542653.html

References

http://venom.crowdstrike.com/

http://blog.crowdstrike.com/venom-vulnerability-community-patching-and-mitigation-update/

https://threatpost.com/oracle-patches-venom-vulnerability/112868

https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/05/13/venom-hypervisor-vulnerability

Logjam (CVE-2015-4000) – Are you FREAKed again?

Author : Naresh T A

The TLS protocol is vulnerable once again. This time the weakness is identified as the Logjam attack, the most recent in a long list of weaknesses identified in the SSL/TLS protocol since it was introduced. The vulnerability lies in the Diffie-Hellman key exchange and was identified by research teams from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania.

Logjam is very similar to the FREAK attack in that it also exploits the availability and use of export ciphers, but while FREAK exploits the RSA key exchange, Logjam exploits the DH key exchange. Export ciphers are a relic of the Cold War era, in which the U.S. Government restricted the export of software with strong cryptographic algorithms to countries it perceived as enemies, thus allowing it to easily eavesdrop on them.

Even though these restrictions no longer exist, a large number of cryptographic libraries continue to support and offer these ciphers. Let’s first understand how the handshake and key exchange work.

The Handshake

In the initial phase (called the handshake), when a connection is being established between two systems, the following steps happen:

  1. The client sends a message (called Client Hello) telling the server which cipher suites (algorithms) it supports.
  2. The server picks a cipher suite from the list sent by the client, then picks a set of parameters for the key exchange and performs a set of computations.
  3. The chosen cipher suite, the parameters and the result of the computation are signed by the server using its certificate and sent to the client (called Server Hello).
  4. The client verifies the signature, extracts the parameters and performs its own computations on them, the result of which is sent to the server.

Once this is done, both systems use the parameters and computations to separately arrive at the same common key. This is the shared secret key and is used by both the systems to encrypt future communications in the session.

Key Exchange

The algorithm that allows two systems to generate a common key by sharing only a few computations is called the key exchange algorithm. The most commonly used ones are RSA, DH and, more recently, ECDH.

The DH (Diffie-Hellman) algorithm, the oldest of the three, relies on the fact that it is extremely difficult for computers to compute discrete logarithms in a finite group defined by a large prime number.

This large prime is among the parameters chosen by the client and the server during the handshake. When export cipher suites are used, the size of the chosen parameters is limited to 512 bits.

A 512-bit prime by itself was thought good enough: even though most libraries choose these primes from a single common group, this was considered secure as long as a new key was chosen for each connection.
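The exchange described under “The Handshake” and “Key Exchange”, carried out end to end on a deliberately tiny group, as an added example (not code from the original article): both sides derive the same secret from each other’s public value, a client-side size check flags groups below the sizes discussed in this article, and a trial-division discrete log on the toy group shows why the bit length decides everything. The prime 23 with generator 5 is a textbook toy value; no real TLS group is reproduced here, and the thresholds in `assess_dh_group` are taken from this article.

```python
import secrets


def dh_check_public(p: int, y: int) -> bool:
    """Reject degenerate peer values (0, 1, p-1) that force a trivial secret."""
    return 1 < y < p - 1


def dh_keypair(p: int, g: int):
    """Pick a random private exponent in [1, p-2]; return (private, public).

    Loops until the public value is non-degenerate, which matters only for
    toy groups like the one used below.
    """
    while True:
        x = secrets.randbelow(p - 2) + 1
        y = pow(g, x, p)
        if dh_check_public(p, y):
            return x, y


def dh_shared(p: int, my_private: int, peer_public: int) -> int:
    """Combine my private exponent with the peer's public value."""
    if not dh_check_public(p, peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, my_private, p)


def dh_exchange(p: int, g: int):
    """Steps 2-4 of the handshake from both sides; returns (client, server) secrets."""
    srv_priv, srv_pub = dh_keypair(p, g)   # server picks its share (signed in Server Hello)
    cli_priv, cli_pub = dh_keypair(p, g)   # client picks its share and sends it back
    return dh_shared(p, cli_priv, srv_pub), dh_shared(p, srv_priv, cli_pub)


def assess_dh_group(p: int, minimum_bits: int = 2048) -> dict:
    """Size check a client can apply to the server's DH prime."""
    bits = p.bit_length()
    if bits <= 512:
        verdict = "export-grade (512-bit): discrete logs computable in minutes with precomputation"
    elif bits < minimum_bits:
        verdict = "below 2048 bits: 768/1024-bit groups are within reach of capable adversaries"
    else:
        verdict = "meets the 2048-bit recommendation"
    return {"bits": bits, "acceptable": bits >= minimum_bits, "verdict": verdict}


def toy_dlog(p: int, g: int, y: int) -> int:
    """Recover x with g^x = y (mod p) by trial; only feasible for toy groups."""
    if p >= 1 << 20:
        raise ValueError("trial-division dlog is only for toy-sized groups")
    for x in range(1, p - 1):
        if pow(g, x, p) == y:
            return x
    raise ValueError("no discrete log found")


if __name__ == "__main__":
    p, g = 23, 5                       # constructed toy group
    client_secret, server_secret = dh_exchange(p, g)
    print("both sides agree:", client_secret == server_secret)
    print(assess_dh_group(p))
    priv, pub = dh_keypair(p, g)
    print("toy dlog recovers private exponent:", toy_dlog(p, g, pub) == priv)
```

`assess_dh_group` deliberately checks only the size of the prime; whether the prime is safe and whether it is a widely shared group (the property Logjam’s precomputation exploits) are separate questions that need a list of known groups or a primality test, neither of which this example includes.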

The Attack

The research team modified the general number field sieve, the most efficient known algorithm for computing discrete logs for a given prime, so that its first and most expensive step can be precomputed. Since most implementations only use primes from a known common group, the researchers could precompute that part of the work once per group and then calculate individual discrete logs for 512-bit primes in a few minutes.

Furthermore, the same technique was evaluated for 768-bit and 1024-bit primes and found to be within reach of capable adversaries.

The Logjam attack applies not only to TLS but to any protocol that uses the DH algorithm, including IPsec and SSH.

The Impact

An attacker who is able to intercept and store communication that uses weak DH ciphers can recover the session key offline and, as a result, decrypt the entire communication.

Even if the connection does not use EXPORT DH ciphers by default, an attacker can launch a man-in-the-middle attack to downgrade the connection and later decrypt it offline.

Testing for Logjam

The research team behind Logjam has created a website for quickly testing whether you are vulnerable. To check clients, go to https://weakdh.org; to test servers, use the tool at https://weakdh.org/sysadmin.html.

Mitigations

  1. Disable all EXPORT cipher suites: Although export-grade cryptography is no longer supported by modern browsers, an adversary can trick them into accepting it.
  2. Use ECDH over DH: Elliptic-Curve Diffie-Hellman prevents all known cryptanalytic attacks on the original DH and should be given preference over DH.
  3. Use a strong, unique DH group: Administrators should generate a unique 2048-bit or stronger DH group for each server.
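Mitigations 1 and 2 are a policy over the server’s cipher-suite list. The following is an added example, not code from the original article or from any TLS library: it recognises export-grade suites by the EXP/EXPORT marker that both OpenSSL and IANA names carry, orders the remaining suites so that ECDHE is preferred over DHE and both over static key transport, and renders the result as an OpenSSL cipher string with the `EXPORT` keyword explicitly negated. The sample suite list is constructed; the prefix rules in `key_exchange` are an assumption that covers common OpenSSL and IANA names but not every variant.

```python
import re

# Export-grade suites carry EXP/EXPORT in both OpenSSL and IANA naming,
# e.g. EXP-EDH-RSA-DES-CBC-SHA or TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA.
EXPORT_RE = re.compile(r"(^|[-_])EXP(ORT)?\d*(?=[-_])")

# Preference order for key exchange (mitigation 2): lower is better.
KEX_RANK = {"ECDHE": 0, "DHE": 1, "static": 2}

# Constructed sample list mixing OpenSSL and IANA names.
SAMPLE_SUITES = [
    "AES128-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
]


def is_export_suite(suite: str) -> bool:
    """True for export-grade suites (mitigation 1)."""
    return EXPORT_RE.search(suite.upper()) is not None


def key_exchange(suite: str) -> str:
    """Classify the key exchange from the suite name (assumed prefix rules)."""
    s = suite.upper()
    if s.startswith(("ECDHE-", "TLS_ECDHE_")):
        return "ECDHE"
    if s.startswith(("DHE-", "EDH-", "TLS_DHE_")):
        return "DHE"
    return "static"          # e.g. plain RSA key transport: no forward secrecy


def apply_policy(suites):
    """Return (kept suites in preference order, [(rejected suite, reason)])."""
    kept, rejected = [], []
    for s in suites:
        if is_export_suite(s):
            rejected.append((s, "export-grade"))
        else:
            kept.append(s)
    # sort() is stable, so input order is preserved within each class.
    kept.sort(key=lambda s: KEX_RANK[key_exchange(s)])
    return kept, rejected


def openssl_cipher_string(kept) -> str:
    """Render the kept list as an OpenSSL cipher string, denying EXPORT outright."""
    return ":".join(kept) + ":!EXPORT"


if __name__ == "__main__":
    kept, rejected = apply_policy(SAMPLE_SUITES)
    for suite, reason in rejected:
        print("reject", suite, "-", reason)
    print("cipher string:", openssl_cipher_string(kept))
```

Mitigation 3 is not expressible as a suite-list rule: the DH group is a separate server parameter, and the only way to check it is to inspect the prime the server actually sends, as the size check in the earlier key-exchange example does.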

The instructions for configuring many different kinds of servers to mitigate logjam can be found here.

References:

https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html

https://isc.sans.edu/forums/diary/Logjam+vulnerabilities+in+DiffieHellman+key+exchange+affect+browsers+and+servers+using+TLS/19717/