How to Prevent Phishing Attacks?


What Is Phishing?

Phishing is a method cybercriminals use to gain access to email accounts and systems through deception rather than by defeating security protections. In a basic phishing attack, the criminals send an email that appears legitimate and tempts the victim to open an attachment or click on a link. That click can load malware onto the victim’s computer or take the victim to a realistic-looking website. In many cases the aim is to capture user credentials without the victim’s knowledge. Cybercriminals have discovered that it is usually easier to trick a victim into clicking a link than to break through technical defenses.

Common Phishing Attacks

Email phishing
A phishing email is a fake email that looks like an important communication from a well-known website or a bank. The email adopts a tone of urgency and so succeeds in tricking you into downloading an attachment or clicking on a link.

You will be taken to a fake website when you click on a link in a phishing email. This website could just drop a virus on your device or it could ask you to share classified information.

In many cases, downloading an attachment will infect your computer with a virus.

Phishing by SMS
Phishing that uses SMS is known as SmiShing. You receive an SMS or, for instance, a WhatsApp message telling you about an incredible offer and asking you to redeem it by clicking on a link. After you click the link, you are taken to a fake website that can infect your device with a virus or ask you to share confidential information.

Phishing by call
In a phishing call scam, you get a phone call from a person posing as a bank manager, a software company employee, or a representative of a known organization. The call aims to trick you into sharing private and vital details such as your ATM PIN, card expiry date, CVV, debit card number, and OTP.

Phishing techniques used by attackers:

  • Spoofing the sender address of an email so it looks like a reputable source, then requesting sensitive information
  • Installing a Trojan through a malicious email attachment or advertisement, which lets the intruder exploit weaknesses and collect the sensitive information they want
  • Attempting to gather company information over the phone by posing as a known IT department or company vendor
  • Embedding a link in an email that redirects your employee to an unsafe website requesting sensitive information

How to prevent phishing scams

Protection of your personal information

  • To avoid becoming a victim of a phishing scam, be extremely careful with your personal information, including your usernames and passwords.
  • When you enter your username, password or other personal details on a phishing site, that information is transmitted to the con artist, who can misuse it later.
  • Some phishing scams divert you to a deceptive website that looks like your bank’s website or a similar trusted source.

Become familiar with the common phishing language:

  • Be aware of common phishing language present in emails like “Verify your account.”
  • Legitimate businesses will never send you an email to ask for sensitive personal information or your login information.
  • Look out for emails that attempt to put forth a sense of urgency.
  • When you suspect an email is a phishing attempt, contact the company directly to ask about it, rather than using any link or contact information provided in the email.
  • Always look out for emails that do not address you directly.
  • A few email phishing scams use your name in the email, whereas many are sent out as spam messages to thousands simultaneously.

Look out for suspicious Emails and prevent clicking suspicious links

  • Do not click links sent along with suspicious emails.
  • Addresses that appear official often contain small differences that redirect you to a fraudulent site.
  • Be extremely suspicious of any email that claims to come from a trusted entity such as your bank.
  • Avoid clicking the link; instead, type the institution’s web address into the browser to reach its website.

Count on authenticated websites:

  • When you visit a website with a padlock, click on the padlock.
  • You will see the name of the organization that applied for the padlock (the site’s certificate). Suspect phishing when that name does not match the name you know.
  • Prevention is better than cure, so it is good practice to treat every website and email with a pinch of suspicion to avoid email phishing and other phishing attempts. This can save you thousands of dollars and a lot of valuable time.

Massive Phishing Attacks Hit Turkish Banks Users. But … is it Just Phishing?


An immense wave of phishing attacks hit the users of major banks in Turkey. Poisoned emails dropped into users’ inboxes to covertly penetrate their computers and give the attackers total control over anyone unlucky enough to take the perpetrators’ bait. With sophisticated, hard-to-discover malware attached, the phishing waves were sent from many countries around the world but were stopped by Comodo resources.

The emails: deception is knocking into your inbox

The phishing emails imitated various messages from major Turkish banks — Türkiye İş Bankası, Garanti Bankasi, T.Halk Bankasi, Yapi ve Kredi Bankasi, T.C. Ziraat Bankasi.

501 emails were disguised as messages from Türkiye İş Bankası, the first and largest bank in Turkey. The message in the screenshot below, in Turkish, means “5406 ** ** 9306 dated September 10, 2018, is attached to the details of your Credit Card statement”.


Another 424 emails imitated Garanti Bankasi messages…


… and 865 pretended to be an email from T. Halk Bankasi A.S.


…619 emails mimicked Yapi ve Kredi Bankasi

… and another 279 wore the mask of T.C. Ziraat Bankasi.

All the emails contained a “debt” message or “credit card statement” to lure users into opening the attached files. Of course, the files contained malware. But of what kind?

The malware: opening door for the enemy
Actually, all emails carried two types of malware files: .EXE and .JAR. Below is the analysis of the .JAR file conducted by the Comodo Threat Research Labs analysts.

malware file

Let’s see how this sneaky malware can harm users if they run it.
First, it tries to detect and terminate security applications running on the target machine. It calls taskkill multiple times with a long list of executables from various vendors. Then it drops a .reg file and imports it into the registry.

malware exe file

In this way it changes the Attachment Manager settings so that executable files received from the Internet run without any warning, disables Task Manager, and alters the IFEO (Image File Execution Options) registry keys of security applications.

Malware text file

Further, it creates an installation ID and puts it in a text file in a randomly generated path. The attackers will use this ID to identify the infected machine.

VBS files

After that, it drops and runs two VBS files to detect the antivirus and firewall installed on the system.

startup key

Then it adds a startup key so that it runs after each restart. The autorun value is added for the current user only, so no alarming UAC prompt appears. It is then launched from the new location.

JAR file

Executed from the new location or after a system restart, it drops another .JAR file, “_0.<random_number>.class”, into the Temp folder and runs it.

WMIADAP application

Significantly, the .JAR is launched via WMIADAP application. As it’s a Windows component, some security software might allow its execution without any restriction. One more trick to bypass protection.

Now comes the moment of truth: we can see the real face of the malware attacking the banks’ clients. It is a Java-written backdoor known as TrojWare.Java.JRat.E. Its purpose is to provide unauthorized remote access to the infected machines.

JAR package

As you see on the screen, the JAR package contains an encrypted file – “mega.download”. Decrypted, it reveals the malware properties:

ywe data

What is left to do is finding out what’s hiding behind the “ywe.u” resource.

CONFIG file

Further on, we can extract and decrypt the malware .CONFIG file to discover its configuration options.

malware data

And here you go! We now see that the malware connects to the attackers’ server 185.148.241.60 to report the successful infection of a new victim and then waits for instructions from the perpetrators.

conversation filter

You may be wondering exactly how the malware harms the user. Like any backdoor, it enables covert access to the compromised machine and thus hands it over to the total control of the cybercriminals. They can steal information, add more malware, or use the infected machine to spread malware and attack other users all over the world.
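The behaviour chain the analysis walks through (mass taskkill of security tools, a .reg import that disables Task Manager, the Attachment Manager zone check and IFEO keys, an HKCU Run entry, the JAR relaunched under WMIADAP, and the beacon to 185.148.241.60) is a good hunting pattern for endpoint telemetry. The Python below is an added example, not Comodo’s tooling: it runs simple rules over constructed, Sysmon-like log lines in a `key=value` format invented for the demo. The host names, user path, process names passed to taskkill and the benign events are all constructed; only the C2 address comes from the article’s decrypted .CONFIG.

```python
"""Added example: hunt for the JRat dropper chain described above in endpoint logs."""
import re
from collections import defaultdict

# Known C2 from the article's decrypted .CONFIG file.
C2_IPS = {"185.148.241.60"}

# Lower-cased fragments of the registry paths the dropper touches (Windows policy and IFEO keys).
EVASION_KEY_FRAGMENTS = ("disabletaskmgr", "savezoneinformation", "image file execution options")


def parse_line(line):
    """Parse '<timestamp> key=value key="quoted value" ...' into a dict (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = {"ts": ts}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def classify(ev):
    """Return (tactic, detail) hits for one parsed event, following the article's chain."""
    hits = []
    kind = ev.get("event")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if kind == "ProcessCreate":
        if image.endswith("taskkill.exe"):
            targets = re.findall(r"/im\s+(\S+)", cmd, re.I)
            if len(targets) >= 3:  # one or two kills are routine; a long list is not
                hits.append(("defense-evasion", f"taskkill against {len(targets)} processes: {', '.join(targets)}"))
        if image.endswith("reg.exe") and re.search(r"\bimport\b", cmd, re.I) and "\\temp\\" in cmd.lower():
            hits.append(("defense-evasion", "reg.exe import of a .reg file from a Temp folder"))
        if image.endswith(("java.exe", "javaw.exe")) and ev.get("parent", "").lower().endswith("wmiadap.exe"):
            hits.append(("execution", "Java launched by WMIADAP.exe (Windows component used as launcher)"))
    elif kind == "RegistryValueSet":
        key = ev.get("key", "").lower()
        if any(frag in key for frag in EVASION_KEY_FRAGMENTS):
            hits.append(("defense-evasion", f"policy/IFEO change: {ev['key']}"))
        if key.startswith("hkcu") and "\\currentversion\\run\\" in key:
            hits.append(("persistence", f"HKCU Run entry: {ev['key']} -> {ev.get('value')}"))
    elif kind == "NetworkConnect":
        if ev.get("dst_ip") in C2_IPS:
            hits.append(("command-and-control", f"connection to known JRat C2 {ev['dst_ip']} from {ev.get('image')}"))
    return hits


def hunt(log_text):
    """Run classify() over every line; return {host: [(ts, tactic, detail), ...]}."""
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        for tactic, detail in classify(ev):
            by_host[ev.get("host", "?")].append((ev["ts"], tactic, detail))
    return dict(by_host)


def infection_chains(by_host, min_tactics=3):
    """Hosts showing several distinct tactics, i.e. the whole dropper chain rather than one odd event."""
    return sorted(h for h, hits in by_host.items() if len({t for _, t, _ in hits}) >= min_tactics)


# Constructed sample telemetry: WS-17 mirrors the article's chain, WS-02 is benign noise.
SAMPLE_LOG = r"""
2018-09-24T10:30:01Z host=WS-17 event=ProcessCreate image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM avsvc.exe /IM fwagent.exe /IM edrsensor.exe /IM hipsui.exe"
2018-09-24T10:30:02Z host=WS-17 event=ProcessCreate image=C:\Windows\System32\reg.exe cmdline="reg import C:\Users\alice\AppData\Local\Temp\set.reg"
2018-09-24T10:30:02Z host=WS-17 event=RegistryValueSet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation" value=1
2018-09-24T10:30:02Z host=WS-17 event=RegistryValueSet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr" value=1
2018-09-24T10:30:02Z host=WS-17 event=RegistryValueSet key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsvc.exe\Debugger" value=svchost.exe
2018-09-24T10:30:05Z host=WS-17 event=RegistryValueSet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" value="javaw.exe -jar C:\Users\alice\AppData\Roaming\upd.jar"
2018-09-24T10:30:09Z host=WS-17 event=ProcessCreate image="C:\Program Files\Java\jre\bin\javaw.exe" parent=C:\Windows\System32\wbem\WMIADAP.exe cmdline="javaw.exe -jar C:\Users\alice\AppData\Local\Temp\dropped.jar"
2018-09-24T10:30:15Z host=WS-17 event=NetworkConnect image="C:\Program Files\Java\jre\bin\javaw.exe" dst_ip=185.148.241.60
2018-09-24T10:31:00Z host=WS-02 event=ProcessCreate image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM notepad.exe"
2018-09-24T10:31:05Z host=WS-02 event=NetworkConnect image=C:\Windows\explorer.exe dst_ip=192.0.2.10
"""

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for host, hits in results.items():
        print(host)
        for ts, tactic, detail in hits:
            print(f"  {ts} [{tactic}] {detail}")
    print("likely full infection chain on:", infection_chains(results))
```

Against the constructed log, WS-17 produces eight hits spanning four tactics and is reported as a full chain, while WS-02 produces none. Requiring several distinct tactics per host is what keeps a single `taskkill` or a lone Run key from paging anyone; the C2 address rule alone would have sufficed here, but the other rules keep catching the dropper when the attackers move servers.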

“It’s definitely a more complicated attack than it seems to be at first sight”, says Fatih Orhan, Head of the Comodo Threat Research Labs. “It’s not regular phishing to steal banking credentials but an effort to implant malware that gives the attackers total control of the infected machines for a long time, while victims might remain unaware of the fact that their computers are in the perpetrators’ hands.

Meanwhile the perpetrators can covertly utilize the compromised machines in different ways for their multiple criminal purposes and profit. For example, initially they can steal credentials for a victim’s accounts. Then they can use an infected machine as part of a botnet to spread malware or conduct DDoS attacks on other users. Besides that, they can constantly spy on the victims’ activity.

Also, the scope of the attacks is impressive. It looks like the attackers tried to create a network of thousands of controlled computers for conducting multiple attacks around the world. I hate to think how many users would have been victimized if Comodo hadn’t stopped those attacks.”
Live secure with Comodo!

The heatmaps and IPs used in the attacks

Türkiye İş Bankası

The attack was conducted from IPs in Turkey, Cyprus and the USA. It started on September 10, 2018 at 05:01:49 UTC and ended on September 10, 2018 at 07:10:10 UTC.


The IPs used in the attack

Country  IP               Count
CY       93.89.232.206    161
TR       79.123.150.10    2
TR       85.159.70.243    1
US       64.50.180.173    1
US       67.210.102.208   336

Garanti Bankasi

The attack was conducted from IPs in Cyprus and the United Kingdom. It started on September 24, 2018 at 09:38:29 UTC and ended on September 26, 2018 at 11:01:10 UTC.


The IPs used in the attack

Country  IP               Count
CY       93.89.232.206    184
GB       163.172.197.245  240

T.Halk Bankasi

The attack was conducted from IPs in Cyprus, the United Kingdom, Turkey, the United States, and India. It started on September 24, 2018 at 10:28:06 UTC and ended on September 27, 2018 at 14:54:55 UTC.

Top 5 of the IPs used in the attack

Country  IP               Count
US       67.210.102.208   629
CY       93.89.232.206    152
TR       185.15.42.74     36
US       172.41.40.254    24
TR       95.173.186.196   17


T.C. Ziraat Bankasi

The attack was conducted from IPs in Turkey and Cyprus. It started on September 05, 2018 at 12:55:50 UTC and ended on September 24, 2018 at 09:32:18 UTC.


The IPs used in the attack

Country  IP               Count
CY       93.89.232.206    105
TR       31.169.73.61     279

Yapi ve Kredi Bank

The attack was conducted from IPs in Turkey, South Africa, and Germany. It started on September 25, 2018 at 09:54:48 UTC and ended on September 26, 2018 at 15:10:49 UTC.

Top 5 IPs used in the attack

Country  IP               Count
TR       31.169.73.61     374
TR       193.192.122.98   129
TR       194.27.74.55     26
TR       193.140.143.15   20
TR       193.255.51.105   10

Did China put hardware backdoors into Apple and Amazon networks?



Bloomberg Businessweek published a shocking and controversial report on October 4th about the server maker Supermicro. Supermicro is based in San Jose, California. Although its end-product servers are designed in the United States, it makes its system motherboards in China.

China is indeed the world’s manufacturing powerhouse. Roughly 75% of mobile phones, 90% of PCs, and 100% of my goth platform shoe collection is made there. Chances are that a lot of the things you own right now were made in that country, no matter who you are or where you live.

For years American officials have claimed that internationally shipped mobile devices and networking hardware made by Huawei and ZTE, two companies with verifiable ties to the Chinese government, are being used for Chinese cyber-espionage. China denies it, and back in September 2015, Chinese President Xi Jinping and American President Barack Obama announced at a press conference that China had agreed to not support cyber attacks to acquire American intellectual property for the benefit of Chinese companies.

Bloomberg’s Jordan Robertson and Michael Riley say they have spoken to anonymous sources at both Apple and Amazon who claim that, through Supermicro’s server motherboard manufacturing, China’s People’s Liberation Army has infiltrated the supply chains of those tech giants, and probably others. Apple and Amazon have both officially denied those claims. So, what’s the truth?

Here are the details of the allegations. Very tiny microchips, roughly the size of a sharpened pencil tip or Abraham Lincoln’s nose on the American penny, are a component of the server motherboards which Supermicro makes in China, or are added afterwards, somewhere in the global supply chain. A Chinese military unit made the chips that were sent to Supermicro’s factory, and Supermicro is likely knowledgeable and cooperative with the operation.

Supermicro makes server machines with those apparently tampered motherboards and ships them to dozens of American companies, the most notable being Apple and Amazon. The tiny microchips only have room for a little bit of code, but that tiny bit of firmware is enough to open a hardware backdoor for Chinese cyber-espionage. When the servers are in their datacenters and turned on, the firmware can make changes to the operating system kernel for specific alterations. The backdoors also enable the servers to communicate with a cyber attacker’s command and control servers in order to spy on American networks and receive further potentially malicious code. According to the Bloomberg report:

“This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity.”

Both Apple and Amazon host streaming video services, a function that a lot of the Supermicro servers were designed to fulfill.

Robertson and Riley claim that after detecting firmware problems and anomalous network behavior, Apple’s own investigation led to the discovery of the backdoor chips around May 2015. Anonymous sources described as senior Apple insiders say that the Cupertino-based company reported the discovery to the FBI but shared only limited information with the agency. Apple apparently denied the FBI access to its hardware.

While the FBI tried to investigate Apple’s discovery with limited intel, Amazon found the same malicious components and activity in their Supermicro servers. Amazon not only shared their findings with the FBI, but also gave them access to their apparently sabotaged servers.

On October 4th, Apple officially denied Robertson and Riley’s claims with a press release from their newsroom:

“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”

Also on October 4th, Amazon made an official denial with Stephen Schmidt’s post to the AWS Security blog:

“Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware (former middleman between Supermicro and Amazon, which has since been acquired by Amazon) at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).”

Bloomberg Businessweek stands by their report in the wake of Apple and Amazon’s official denials:

“Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

If what is written in Bloomberg Businessweek is true, then it’s shocking news and a very serious cyber-espionage conspiracy. Robertson and Riley’s piece has shocked the Silicon Valley and the potential international relations implications are grave.

Uh Oh – UEFI rootkit malware spotted in the wild



I remember a little while back, the year was 2011. Those were the last of my consumer Windows tech support days before I specialized in cybersecurity. I would buy Maximum PC magazines in print, because the “no books or magazines at your desk” rule very specifically excluded anything related to computer technology. So Psychology Today had to wait until I was on the bus ride home.

Anyway, one issue that year had a feature on UEFI, a technology that was just starting to become more common in consumer PCs. Better quality motherboards for Intel Core i5 and i7 reliably had UEFI back then. Now in 2018, it’s unusual for a new x86-64/amd64 motherboard to have an old-fashioned BIOS, UEFI is now standard. UEFI stands for Unified Extensible Firmware Interface, a more sophisticated style of firmware to check that PC hardware components are working before booting into your operating system. I loved looking at UEFI GUIs, all of the extra options and even mouse support! The possibility for network connectivity before booting into an operating system sounded promising. Most of my work back then was remote support, and it would be very convenient for me to be able to fix hardware configuration or boot order issues on my own. Because I could only remote into a user’s PC once Windows was running, it would really test my patience to give users instructions over the phone. “You need to change the boot order, so we can reinstall Windows from your DVD.” “I need you to hit F8 at the right time, so you can boot into Windows Safe Mode.” Sometimes my customers were not very computer literate and it was a challenging part of my job.

But because I already thought like a cybersecurity professional, I was also concerned about the larger attack surface of UEFI compared to BIOS-based systems. A cyber attacker could really wreak havoc by remotely controlling a target PC before it boots into an operating system!

I’m actually surprised that it took until 2018 for there to be UEFI rootkit malware that’s not just a proof-of-concept.

LoJax is a malicious fork of Absolute Software’s non-malicious LoJack anti-theft software. Early versions of LoJax were spotted during the first part of 2017. Its BIOS and UEFI persistence feature was fascinating. Researchers explained how the feature was implemented in Computrace, the precursor to legitimate LoJack software:

“Computrace attracted attention from the security community mostly because of its unusual persistence method. Since this software’s intent is to protect a system hardware from theft, it is important that it resists OS re-installation or hard drive replacement. Thus, it is implemented as a UEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large portion of laptops manufactured by various OEMs, waiting to be activated by users. This activation step can be done through a BIOS option.”

LoJax is a weapon for APT (advanced persistent threat) attacks. Therefore, LoJax attacks are very targeted. When the malware is deployed and infects the targeted machine, cyber attackers can control the computer at the UEFI level and also see sensitive data about hardware configurations, such as PCI Express, Memory, and PCI Option ROMs.

The first stage of a LoJax attack is to get the DXE driver component to execute in a Windows machine. Because the driver is unsigned, it won’t work if Secure Boot is enabled.

If the driver deploys as the attacker intended, an event is created and associated with the Notify function. The event is triggered when the UEFI boot manager chooses a boot device. From that point, payloads are written to the Windows NTFS file system. LoJax then spreads like a disease, infecting both UEFI and the operating system. While it maintains persistence, the attackers’ command and control servers gain even more control of the target machine than they would over a computer infected with a typical RAT (remote access trojan).

Researchers are almost completely certain that LoJax is the work of the Russian Sednit APT group, for several reasons. Russia is suspected because LoJax infections were found on government computers in the Balkans and in Central and Eastern Europe, and the domain names associated with the LoJax command and control servers are linked specifically to Sednit.

Because LoJack is legitimate software, antivirus software often whitelists its characteristics. Malicious LoJax code is mainly the same as benign LoJack, so it slips through the cracks.

Keeping your UEFI firmware up to date can prevent LoJax infections. Enabling Secure Boot prevents the LoJax unsigned driver from working. Plus, advanced and frequently patched malware detection heuristics (like Comodo’s) can prevent malware like LoJax from infecting your network in the first place.
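Since the post singles out Secure Boot as the control that stops LoJax’s unsigned DXE driver, the first thing to verify on a fleet is whether Secure Boot is actually enforced rather than merely supported. The Python below is an added example, not from the original post or from Comodo: it reads the `SecureBoot` and `SetupMode` variables that Linux exposes under `/sys/firmware/efi/efivars` (each file is a 4-byte little-endian attribute mask followed by the variable data, and both variables live under the EFI global variable GUID `8be4df61-93ca-11d2-aa0d-00e098032b8c`) and reports one of four states. The sample variable contents and the state names are constructed for the demo; `read_system_variables` is the only part that touches a live machine.

```python
"""Added example: report whether Secure Boot is enforced from the UEFI variables Linux exposes."""
import os
import struct

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def parse_efivar(raw):
    """Split an efivarfs file into (attribute mask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    attrs = struct.unpack("<I", raw[:4])[0]
    return attrs, raw[4:]


def secure_boot_status(variables):
    """variables: dict name -> raw efivarfs bytes for 'SecureBoot' and 'SetupMode'.
    Returns 'enforced', 'disabled', 'setup-mode' or 'legacy-bios' (labels chosen for this demo)."""
    if "SecureBoot" not in variables:
        return "legacy-bios"  # no EFI variable at all: booted via BIOS/CSM, Secure Boot impossible
    _, secure_boot = parse_efivar(variables["SecureBoot"])
    setup = variables.get("SetupMode")
    if setup is not None and parse_efivar(setup)[1][:1] == b"\x01":
        return "setup-mode"  # platform key not enrolled, so signature checks are not in force
    return "enforced" if secure_boot[:1] == b"\x01" else "disabled"


def read_system_variables(efivars_dir=EFIVARS_DIR):
    """Read the two variables from a live Linux system booted under UEFI."""
    out = {}
    for name in ("SecureBoot", "SetupMode"):
        path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
        if os.path.exists(path):
            with open(path, "rb") as f:
                out[name] = f.read()
    return out


# Constructed samples. Attribute mask 6 = EFI_VARIABLE_BOOTSERVICE_ACCESS (2) | EFI_VARIABLE_RUNTIME_ACCESS (4),
# which is what firmware sets on these two volatile variables.
_ATTRS = struct.pack("<I", 6)
SAMPLE_ENFORCED = {"SecureBoot": _ATTRS + b"\x01", "SetupMode": _ATTRS + b"\x00"}
SAMPLE_DISABLED = {"SecureBoot": _ATTRS + b"\x00", "SetupMode": _ATTRS + b"\x00"}
SAMPLE_SETUP_MODE = {"SecureBoot": _ATTRS + b"\x00", "SetupMode": _ATTRS + b"\x01"}

if __name__ == "__main__":
    for label, sample in (("enforced", SAMPLE_ENFORCED), ("disabled", SAMPLE_DISABLED),
                          ("setup mode", SAMPLE_SETUP_MODE)):
        print(f"sample {label}: {secure_boot_status(sample)}")
    print("this machine:", secure_boot_status(read_system_variables()))
```

Only the `enforced` state means an unsigned driver like LoJax’s will be refused; `setup-mode` in particular looks like Secure Boot "available" in many inventory tools while actually verifying nothing. On Windows the equivalent one-liner is the built-in `Confirm-SecureBootUEFI` PowerShell cmdlet, which returns True only when enforcement is on.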