Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time to time.

Here’s where the story begins:

Today, among all the spam that I get in my inbox, one phishing email somehow made its way through all of my block rules.

Spam email in our security team's inbox

Even our security team gets SPAM from time to time.

I decided to look into it a little further. Of course, I wanted to know whether or not we were already blocking the phishing page, but I also wanted to investigate further and see if I could figure out where it came from. Was it from a compromised site or a trojanized computer?

The investigation started with the mail headers (identifying addresses have been changed, mostly to protect my email ☺):

Blog1

The headers tell us that miami.hostmeta.com.br is being used to send the spam. It’s also an alert that some of the sites in this shared server are likely vulnerable to the form: X-Mailer: PHPMailer [version 1.73]. I decided to look into the server and found that it contained quite a few problems. This server hosts about twenty sites, some of which are outdated–WordPress 2.9.2 is the oldest–while others are disclosing outdated web server versions (Outdated Web Server Apache Found: Apache/2.2.22) and still others are blacklisted (http://www.siteadvisor.com/sites/presten.com.br). This makes it pretty difficult to tell where the spam came from, right?

Luckily, there’s another header to help us, Message-ID:. nucleodenegociosweb.com.br is hosted on miami.hostmeta.com.br and it has an open contact form. I used it to send a test message and although the headers are similar, the PHPMailer differs:

Blog2

What Do We Know Now?

We know who is sending the phishing messages, but what host are they coming from? There are some clues in the message body:

blog3

From that image, we can see that http://www.dbdacademy.com/dbdtube/includes/domit/new/ is hosting the image and the link to the phishing scam, but it doesn’t end there. As you can see from the content below, we’ll be served a redirect to http://masd-10.com/contenido/modules/mod_feed/tmpl/old/?cli=Cliente&/JMKdWbAqLH/CTzPjXNZ7h.php, which loads an iframe hosted on http://www.gmff.com.hk/data1/tooltips/new/.

Here is the content:
Phishing email

Problem Solved. Or is It?

In this case, there are three compromised sites being used to deliver the phishing campaign and it’s becoming very common to see this strategy adopted. The problem, from the bad guy’s point of view, is that if they store all of their campaign components on one site, then they lose all of their work when we come in and clean the website. If they split the components up and place them on multiple sites, with different site owners, then it’s unlikely that all of the sites will be cleaned at one time, which means their scam can continue.

As always with malware, it’s not enough for your site to be clean. You also need to rely on everyone else to keep their own site clean. When others don’t, your computer or website can be put at risk.

If you’re interested in technical notes regarding the type of research we do be sure to follow us on Twitter and be sure to check in with our Lab Notes. If you something interesting you’d like us analyze please don’t hesitate to ping us, we’re always looking for a new challenge.

Analyzing a Malicious iFrame – Following the Eval Trail

Over the last week, we’ve been working with some interesting malware injections. Developers and malware prevention professionals usually think of hidden iframes that deliver spam-seo or other malware as easy to spot. Take this injection, for example (Thanks to Sucuri team member, Rafael C., for the sample):

Sucuri - JS Infection II

This is not a traditional iframe src=’http://… code, but you can see where the bad code lives in the example above. This is a problem for the creators of this malware because if an infection is easily detectable then it’s a relatively straightforward process to write a script to detect and clean it up. That’s why the next step for the malware creator is to hide or obfuscate the injection.

Spotting Obfuscated Code

Using JavaScript, there are several ways to obfuscate malicious code like CharCode or URLEncode. In general, obfuscated malware looks like the example below, but of course, the techniques can be more or less advanced. Our team tends to like writing about the more complicated events:

Sucuri - JS Injection Sample

At first glance, this code looks like a CSS related script, i.e. part of your site’s visual architecture, which you don’t want to touch because it could break your site’s look and feel. This, of course, is exactly what the malware creator wants you to think.

Is it Malware?

The tricky thing here is that this function is actually creating a CSS rule. Were we wrong to think that it’s malicious?

last_style_node.addRule(selector, declaration);

What we need to do to find out is look at the content of the rule. To do that, we look for the function call.

createCSS('#va', 'background:url(data:,String.fromCharCode)');

The code is defining the background image for the #va selector. When you look closely you can see that String.fromCharCode is not a valid URL. Remember, malware creators need to figure out how to hide their code injections. In this scenario, storing the functions it needs inside a CSS style is ingenious.

Now that we know where the malware lives, we can find out how it is recovering those strings:

Sucuri - JS Infection III

Putting It All Together

In the code above, we see that the vkk variable is used as the fromCharCode function and uu variable contains a va string. At this moment, this doesn’t make sense, but it starts to come together as we keep moving through some lines of code.

Sucuri - JS Infection IV

It’s important to the hacker that nothing is stored in plain sight (if it was, it’d be much easier to clean). In this instance, take the t variable as an example; it contains the number 2. In this case, this value is attributed by subtracting 2 from the number of seconds of a date stored in the knr variable. That’s pretty complex, right?

This t variable is used to multiply all entries of the xt array*

*Some of the content of this variable has been removed to shorten the post. It doesn’t affect the code’s logic.

Next, there is an empty function called g, which is attributed to hhhu variable, and within these parameters the uu is being used to create the function. By concatenating the e, va(the content of uu) and l we end up with, eval! Now we’re finding some malware.

Then, another chain of variables, hhhu, is now attributed to ac with a different function–the one inside the variable ry, which, previously, we saw contains String.fromCharCode. Now it’s eval’ing String.fromCharCode for CharCodes that are stored in the xt variable.

Finally, after all this, it calls the eval again–the hhhu–but now to execute the code inside dwms variable, which was decoded using the for loop from before.

Dissecting Malware is A Full Time Job

That was an illustration of one payload. It’s just one data point that articulates the sort of complex obfuscation we deal with on a daily basis and, we can say without reservation, as we continue to find new ways to detect it more easily, malware creators will find ways to make their obfuscation more and more complex. If you’re having trouble with malware or blacklisting, take a look at the symptoms of malware and ask us to help.

Do you have samples you’d like us to analyze? Feel free to engage us on Twitter at SucuriLabs or feel free to send us an email at labs@sucuri.net.

Desktop AVs and Website Security

Brian Dye tells the Wall Street Journal that antivirus tools like his company’s Norton suite are effectively “dead” because they catch less than half of all attacks, but from where we sit, that’s really just half the story.

Does Brian mean that antivirus defenses–also know as “AV”– are useless? Probably not. Just like you should get a flu shot to protect you from known viruses in the real word, you should also keep running AV to protect you from known viruses in the virtual world. We think a better way to put it is this; an AV alone isn’t enough to protect your computer because the websites you visit are constantly putting it at risk with new, unknown, viruses. When you look at websites, the same principle applies. Every day, we clean infected websites and webservers that already had some kind of antivirus or security software installed and we never tell our clients to just get rid of the security software.

The main reason that these sites get hacked is that the core of most security software relies heavily on signatures of known virus families. In the past, this worked well because there were just a few variants of viruses, which made it simple for research teams to study them and release signatures. However, the amount of malware now being created and released is so astronomical –because there is a lot of money in it– that a manual process is almost impossible. By the time researchers are able to dissect one malware string, a thousand more will already be released. So, even if you have an antivirus, your site and server can still be at risk. The key is to protect yourself from these bad outcomes before they can infect your site or your computer.

What can you do?

First, you have to be able to detect and respond to compromises quickly. Second, security, like winter weather, is all about layering. The more layers you have, the more comfortable you’re likely to be.


Read More

Watch a Layer 7 DDOS Attack – WordPress Security

A few weeks back we reported on very large Layer 7 DDOS attacks within the WordPress ecosystem. Today we decided to provide you a little illustration of what that looks like.

Remember, there is a big difference between Brute Force and Denial of Service attacks, this is specifically for a large DDOS attack involving 40k WordPress sites.

Does Sucuri work with my host? Yes, Yes we do.

We’ve been scanning and removing malware from websites for years, and in this time frame we have seen the website security domain grow by leaps and bounds. Over the same period, the ubiquity of the internet has reached to all corners of the globe, and the number of websites worldwide has skyrocketed (estimated at 955 million and growing). Where do all of those sites live? We decided it would be interesting (and instructive) to look inward to see what the demography of hosts is within our own construct.

Hosting Companies Sucuri Works With

The good news is that it doesn’t matter what host you choose to work through. It’s likely that we already work with whomever you’re likely to choose, though from time to time we do work with hosts that we didn’t even know were in the business. It’s important to note that some hosts, like managed hosts, don’t actually have their own infrastructure. They resell or sit on top of existing hosts. As such, this investigation doesn’t include their number.

This investigation illustrates–in pretty pie-graphical form–that sites on every hosting service get attacked. Regardless of your host platform you should always be thinking about how to protect the investment you’ve made in your website. Here is the host distribution within our environment*:

*The distribution of our clients among the hosts does not mean that any one host gets infected more or less than any other, and is reflective of many different factors.

HostChart_3

Read More

SiteCheck Extended – Making It Easier to Scan Your Websites

Sucuri SiteCheck is our free website malware scanner that crawls any website to detect signs of Malware injections, SEO Spam, Blacklisting, Defacement and other similar indicators of a compromised website.

It is widely used by Webmasters to verify if their sites have not been compromised or blacklisted. And now we’re extending it to other platfroms, by making it easier to use from multiple devices and products.

Please be sure to take a minute to understand how SiteCheck works, then leverage it on your own web properties to show visitors that your site is malware-free.

Read More

AdSense Blackmail – Hacking Websites for Profit

We deal with different types of malware injections and compromises everyday and the most common question our clients ask us is, “Why me? Why my small little site?”

There are so many answers to this question. In some cases, someone may attack a site for fun, they may do so in the name of “Hacktivism” or it could be someone trying to prove what he/she can do. However, most of the time, it’s done for the same reason most unethical things are done:

Show me the Money!

As in many other walks of life, if there is money to be made unethically by attacking websites, then there will be some people out there willing to make it. Unfortunately there is a LOT of money to be made by taking advantage of websites that don’t have security measures put in place.

People hack sites for money. They make money distributing malware, SEO spam and even phishing. While we still encounter defacements and some other activities that do not give monetary gain to an attacker, money is the most common reason we see for attacks on websites.

To illustrate this point, we recently resolved a case where a customer was being blackmailed regarding a Google AdSense account. AdSense extortion isn’t new (there are several reports from users complaining about it), but this client’s story helps to explain what it could mean for “your small site,” and why it makes sense for an attacker to target many small sites without security measures in place instead of a couple of large ones that may offer a bigger reward per site but be more difficult to attack.

Lets get to our client’s story:

The first contact from the bad guy to our client (all misspellings and grammatical errors sic’d):


Read More

Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware

As your site’s webmaster, have you ever seen an e-mail from Google like this:

Hello,

We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won’t be able to run any of your ads that link to that site, and any new ads pointing to that site will also be disapproved.

Here’s what you can do to fix your site and hopefully get your ad running again:

1. Make the necessary changes to your site that currently violates our policies:
Display URL: site.com
Policy issue: Malware
Details & instructions:

2. Resubmit your site to us, following the instructions in the link above….

If so, you know the potential downside risk this poses for your website. In their own words, Google says,

In some cases, you may be unaware that you have malware on your site. But to protect the safety and security of our users, we stop all ads pointing to sites where we find malware.

In essence, Google and Bing care about their searchers more than your business so, to protect their customers, they’ll shut your website out of Adwords and Bing Ads and will return your site less in organic searches.

Often overlooked in the search business is the role of the actual search engine in the ad placement process. These are businesses that specialize in creating algorithms to show relevant search results, assigning quality scores to your landing pages and placing your actual ads. A lot goes into the process, but in all cases, the key for the search engine is to show relevant search results (including ads) that keep people using their search engine. It is in this spirit that search engines like Google and Bing reserve the right to refuse your ads. This is especially true if they have any reason to believe that your site may be infected with malware–including viruses, worms, spyware, and Trojan Horses–or is being used in phishing schemes.

From the search engine’s perspective, this makes perfect sense. Searches are their lifeblood and there are other search engines a person could use to find websites. By showing your ads or returning your site organically in a search, they are tacitly telling the searcher, “We found these sites to be relevant to you.” If they start sending you to sites that are potentially harmful, then a searcher could, potentially, switch search engines.

However, knowing why search engines work as they do doesn’t make it easier to be a webmaster when a site is hacked. Luckily, our clean up and malware removal tools as well as our de-blacklisting service are just a click away.

Or, better yet, keep yourself from ever getting an email like the one above from Bing or Google. Instead, protect your site, and business, from potential problems stemming from malware, blacklisting or phishing and look into protecting your site with a website application firewall like our CloudProxy WAF .

Thumb Wars: Sucuri Acquires Google Webmaster Tools

Today Sucuri unofficially acquires Google Webmaster Tools.

Google Webmaster Tools

In an effort to combine forces of good, Sucuri officials challenged Google to a thumb wrestling war. Here is a breakdown of the event.

Over The Top

In a best-of-5 style tournament, the competition got heated. The underdog had fought well, and stayed in it to win it, they weren’t letting the big dog walk away with this. In what turned into an exciting but nerve recking competition, the tournament was at a 2-2 going into the final match. With great confidence, Matt Cutts from the Google team belted out that, “Google does no harm, but that doesn’t extend to your thumbs.” He was so confident that he bet the ranch, saying “winner takes all, including Google Webmaster Tools”.

The room went silent. You could see sweat on the faces of each of the competitors, no more than on the faces of our trusty Labs team. They knew what this meant. It was go hard now or go home empty handed.

The last match was about to start, and you could see white knuckles showing from the great pressure in grip arrangements. It was time, thumbs were arched, and hats were turned backwards. This could be the very moment where everything changed.

The start was called, and Google aggressively launched their attack, a quick launch sneak pin attack, but the Sucuri competitor saw it a mile away. Google missed their kill shot and Sucuri took advantage with an over-arching attack from the top ropes. Sucuri slammed down with the power of Zeus…Google was in trouble.

Coming to an End

One quick glance to the right and you could see Matt’s face twisted in horror. One quick glance to the left and you could see the Sucuri CTO, Daniel Cid, his face emotionless as he enjoyed his popcorn.

You could see the strain and distress across faces of team Google as they realized what was happening, as they realized how it was about to go down. The tip of their thumb was moving from shades of red to signs of failed purple. The counter by Sucuri was risky, but as strong as Eddie Bravo’s triangle to beat Royler Gracie in 1993. This was epic. You could just imagine what was going through team Google’s mind, “Sergey will never understand”

The crowd. Silent. Almost as if the hand of death had grabbed their shoulder. Stuck in sudden disbelief as to what was transpiring, and in complete anticipation as to what was next.

The referee started to count. It was as if slow motion was being called in slow motion. The ref kept counting, and counting. Then you had it. As quick as it had started, it was over.

Sucuri had won. On the line was Google Webmaster Tools which will now slowly be migrated to Sucuri Labs over the coming weeks.

In this moment of great triumph, the David-sized security firm looks forward to expanding website security efforts to all webmasters across the world, with the inclusion of this Goliath-sized prize.

No Fooling Around

If you’re interested in helping fight the good fight, make sure to check out our open job requisitions.

If you have questions about this fever dream of a completely fake post, please leave them in the comments below.

Understanding Denial of Service and Brute Force Attacks – WordPress, Joomla, Drupal, vBulletin

Many are likely getting emails with the following subject header Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute. Just this week we put out a post titled More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

What’s the Big Deal?

Remember life before social media? How quiet and content we seemed to be? How the only place we got our information was from the local news or cable outlet? Maybe a phone call, or via email? Today however, we seem to be inundated with information, with raw unfiltered data, left to our thoughts and perceptions of what they really mean. Every day there is some new tragedy, a plane goes missing, a child is abducted, a school shooting, the brink of WWW III. Is it that we live in a time where we are all losing our mind? Or maybe, could it be that the only difference between now and then, is the insane amount of information at our finger tips?

With this in mind, yes, it’s true, there are ongoing Distributed Denial of Service (DDoS) and Brute Force attacks against WordPress sites. In fact it extends far beyond that specific platform, it’s affecting many other platforms like vBulletin, Joomla, Drupal. The reality is that these attacks have been ongoing for many months now, so much so, that they’ve become part of our daily life and it’s not when they happen that we’re surprised, quite the contrary, when they don’t.

Read More