#Unicode Domain Phishing Generator
EvilURL – An Unicode Domain Phishing Generator for IDN Homograph Attack
Hey guys, in this video I show you a great tool for Unicode domain phishing generation for IDN homograph attacks.
EvilURL: https://github.com/UndeadSec/EvilURL
CLONE
git clone https://github.com/UndeadSec/EvilURL.git
RUNNING
cd EvilURL
python evilurl.py
or
python3 evilurl3.py
DISCLAIMER: JUST USE FOR EDUCATIONAL PURPOSES. The use of EvilURL is the COMPLETE RESPONSIBILITY of the END-USER. Developer…
dnstwist
See what sort of trouble users can get in trying to type your domain name. Find lookalike domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud, and brand impersonation. Useful as an additional source of targeted threat intelligence.
DNS fuzzing is an automated workflow for discovering potentially malicious domains targeting your organisation. This tool works by generating a large list of permutations based on a domain name you provide and then checking if any of those permutations are in use. Additionally, it can generate fuzzy hashes of the web pages to see if they are part of an ongoing phishing attack or brand impersonation, and much more!
Key features:
▫️ Variety of highly effective domain fuzzing algorithms
▫️ Unicode domain names (IDN)
▫️ Additional domain permutations using dictionary files
▫️ Efficient multithreaded task distribution
▫️ Live phishing webpage detection
▫️ Rogue MX host detection (intercepting misdirected e-mails)
▫️ GeoIP location
▫️ Export to CSV and JSON format
Installation: https://github.com/elceef/dnstwist
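The permutation step the post describes, as an added example that is not dnstwist's own code: a small Python reimplementation of several of the fuzzing strategies the tool documents (omission, repetition, transposition, hyphenation, vowel swap, bitsquatting and ASCII homoglyphs such as "rn" for "m"), run against a hypothetical target domain. The homoglyph table is a hand-picked subset, and the resolution step (checking which candidates actually exist in DNS) is left out so the script runs offline.

```python
"""Domain permutation generator in the spirit of dnstwist's fuzzers.

Added example, not dnstwist's code. Each fuzzer takes the registrable
label ("example" of "example.com") and returns a set of variants; fuzz()
combines them and records which strategy produced each candidate, which
is the information an analyst wants when a hit turns up in passive DNS.
"""
import string

# Confusable ASCII sequences commonly abused in lookalike registrations
# (hand-picked subset; dnstwist ships a much larger table).
HOMOGLYPHS = {
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
    "d": ["cl"], "cl": ["d"], "g": ["q"], "q": ["g"], "b": ["d"],
}
VOWELS = "aeiou"
# Letters, digits, hyphen: the only characters valid in an ASCII label.
LDH = set(string.ascii_lowercase + string.digits + "-")


def split_domain(domain):
    """Return (label, suffix) for a registrable name like 'example.com'."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def omission(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetition(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transposition(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def hyphenation(label):
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def vowel_swap(label):
    out = set()
    for i, ch in enumerate(label):
        if ch in VOWELS:
            out.update(label[:i] + v + label[i + 1:] for v in VOWELS if v != ch)
    return out


def bitsquatting(label):
    """Flip one bit of one character; keep results that are still valid
    label characters. Such names receive traffic from hosts whose memory
    corrupted the real name before resolution."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LDH and flipped != "-":
                out.add(label[:i] + flipped + label[i + 1:])
    return out


def homoglyph(label):
    """Substitute every occurrence of a confusable sequence, one at a time."""
    out = set()
    for src, subs in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for sub in subs:
                out.add(label[:start] + sub + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


FUZZERS = {
    "omission": omission, "repetition": repetition,
    "transposition": transposition, "hyphenation": hyphenation,
    "vowel-swap": vowel_swap, "bitsquatting": bitsquatting,
    "homoglyph": homoglyph,
}


def fuzz(domain):
    """Return {candidate_domain: fuzzer_name}. The original name and any
    candidate that is not a valid LDH label (empty, bad characters, or a
    leading/trailing hyphen) are dropped; the first fuzzer to produce a
    candidate gets the credit."""
    label, suffix = split_domain(domain)
    results = {}
    for name, fn in FUZZERS.items():
        for cand in fn(label):
            if (cand and cand != label and set(cand) <= LDH
                    and cand[0] != "-" and cand[-1] != "-"):
                results.setdefault(f"{cand}.{suffix}", name)
    return results


if __name__ == "__main__":
    for dom, kind in sorted(fuzz("example.com").items()):
        print(f"{kind:14} {dom}")
```

Feeding the output to a resolver (or to dnstwist's own MX and web-page checks) is the step that turns the list into threat intelligence; the generator alone only tells you what to look for.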
EvilURL v2.0 - An Unicode Domain Phishing Generator for IDN Homograph Attack
Generate unicode evil domains for IDN Homograph Attack and detect them.
Check it out @ https://github.com/UndeadSec/EvilURL
The 5 Most Common Types of Phishing Attacks
Phishing is one of the most common techniques which are used by cybercriminals all around the world. Cybercriminals are getting smarter and smarter and are coming up with different ways to phish unsuspecting people.
Phishing as a whole contains a lot of techniques that are designed to fool people one way or another. Today, we will talk about the most common phishing techniques which are used by cybercriminals all around the world.
DECEPTIVE PHISHING
Deceptive phishing is by far the most common type of phishing scam. In this type of ploy, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.
As an example, PayPal scammers could send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link redirects to a fake PayPal login page that collects a victim’s login credentials and sends them to the attackers.
The success of a deceptive phish hinges on how closely the attack email resembles a piece of official correspondence from the abused company. As a result, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email...to know more, visit - Tripwire.

EMAIL PHISHING
Most phishing attacks are sent by email. The crook will register a fake domain that mimics a genuine organisation and sends out thousands of generic requests.
The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.
Alternatively, they might use the organisation’s name in the local part of the email address (such as [email protected]) in the hopes that the sender’s name will simply appear as ‘PayPal’ in the recipient’s inbox.
There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment... read more at IT Governance.
Spear Phishing:
Spear phishing usually targets business organizations. The impostors customize their attack emails with the target’s victim name, company, position, work phone number, and other vital information to trick the recipient into believing that they have some connection with the sender.
Here the goal of the attacker is the same as in email phishing. The attacker tricks the victim into clicking a malicious URL or an email attachment so that they give away their data. Spear phishing is prevalent on social media sites like LinkedIn, where hijackers use multiple sources to craft a targeted attack email. It is often found that different social media platforms provide more than 20% of the methods used to deliver malware over the internet, other than websites. Cyber-criminals also earn approximately $3.5 billion by exploiting social media. Thus, it is imperative to maximize your social media safety.
To defend against this type of scam, companies should conduct security awareness training programs. Employees should be taught not to publish either corporate or any other sensitive information on social media. Organizations should invest in solutions that examine inbound emails to identify malicious emails and links... go to My Memory for more information.

CEO Fraud
Despite the name, CEO fraud is targeted at anyone within a company who has the power to enact payments or provide vital information. As we’ve seen from several high-profile cases, fraudsters assume the identity of an authority figure within a company and make a request to the accountant of the business to action a payment.
Be sure to double-check any ‘fishy’ sounding requests, and remember the boss will be more annoyed by a million-dollar scam than an extra phone call here and there. Companies are also encouraged to employ two-step or two-factor authentication as best practice to defend against such trickery...visit - Cloudm to know more.

Domain spoofing
The next type of phishing we want to mention is known as domain spoofing. This method of attack uses either email or fraudulent websites. Domain spoofing occurs when a cybercriminal “spoofs” an organization or company’s domain to:
make their emails look like they’re coming from the official domain, or
make a fake website look like the real deal by adopting the real site’s design and using either a similar URL or Unicode characters that look like ASCII characters.
How’s that possible? In the case of an email-based attack, a cybercriminal forges a new email header that makes it appear as if the email originates from a company’s legitimate email address. In a website domain spoof, the cybercriminal creates a fraudulent website with a domain that looks legitimate or is close to the original (apple.com vs apple.co, for example).
Read more at: https://www.thesslstore.com/blog/10-types-of-phishing-attacks-and-phishing-scams/

Now you know what kinds of emails you can get in your inbox. User education can come in handy, but you shouldn’t use it as the last line of defense, as just one click is enough to hack into your system. Real-time link-click protection from phishing prevention services can give you better security.
Original Post from Talos Security
By Edmund Brumaghin and Holger Unterbrink.
Executive summary
Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. There are typically numerous, unrelated attackers attempting to leverage this RAT to compromise corporate networks for the purposes of establishing an initial point of network access, the performance of lateral movement, as well as to exfiltrate sensitive information that can be monetized. Orcus RAT was in the news earlier this year due to Canadian law enforcement activity related to the individual believed to have authored the malware.
Cisco Talos recently discovered a threat actor that has been leveraging RevengeRAT and Orcus RAT in various malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies. We discovered several unique tactics, techniques, and procedures (TTPs) associated with these campaigns including the use of persistence techniques most commonly associated with “fileless” malware, obfuscation techniques designed to mask C2 infrastructure, as well as evasion designed to circumvent analysis by automated analysis platforms such as malware sandboxes.
The characteristics associated with these campaigns evolved over time, showing the attacker is constantly changing their tactics in an attempt to maximize their ability to infect corporate systems and work toward the achievement of their longer-term objectives.
Malicious email campaigns
There have been several variations of the infection process associated with these malware distribution campaigns over time. In general, the emails in every case claim to be associated with complaints against the organization being targeted. They purport to be from various authorities such as the Better Business Bureau (BBB). Below is an example of one of these emails:
Phishing email
In addition to Better Business Bureau, Talos has also observed emails purporting to be associated with other entities such as Australian Competition & Consumer Commission (ACCC), Ministry of Business Innovation & Employment (MBIE) and other regional agencies.
Earlier malware campaigns contained a hyperlink that directed potential victims to the malicious content responsible for initiating the malware infection. The attacker made use of the SendGrid email delivery service to redirect victims to an attacker-controlled malware distribution server.
The link in one example email was pointed to the following SendGrid URL:
https://u12047697[.]ct[.]sendgrid[.]net/wf/click?upn=X2vR6-2FdIf8y2XI902U8Tc8qh9KOPBogeTLss4h7AKXe0xRjCQw1VcMTssPPPTU28KY7PwUPERvVvIa8n4VQD-2Fw-3D-3D_tIiqtngjMfK6xwiZyGxyMuaZ5weLruJKBoFJsVrKYBziY2h51ElcQ2ocLru0oJCxt-2FOlkcr6RH8ktqTc-2B-2BQjmMscOQaeiy2zw8OOUb6nD0f1srQnQG-2B-2BIXtpubqjWMnnIHxJg3TvgFRq0itu75WQHjsdUv1O1g-2FrQzQAyJkGQN6vC9fH5R4R4FyLG9ahUnvbnHt-2FEmdUJQuft0jfw2c5uPBA2M5Yspgi-2Fodr8cEU2b8-3D
This URL is responsible for redirecting the client to a URL hosted on an attacker-controlled server that hosts a ZIP archive containing the malicious PE32 used to infect the system. Below, you can see the HTTP GET request that is responsible for retrieving this and continuing the infection process.
ZIP File download
A PE32 executable is inside of the ZIP archive. It needs to be executed by the victim to infect the system with Orcus RAT. The PE32 filename features the use of double extensions (478768766.pdf.exe) which, by default on the Windows operating system, will only display the first extension (.PDF.) The PE32 icon has been set to make the file appear as if it is associated with Adobe Acrobat.
Double extensions trick
This loader (478768766.pdf.exe) is protected by the SmartAssembly .NET protector (see below), but can easily be deobfuscated with de4dot. It is responsible for extracting and decrypting the Orcus RAT. It extracts the Orcus executable from its resource “人豆认关尔八七”, as shown in the screenshots below.
Orcus loader resources
The Class5.smethod_1 method, shown in the screenshot below, decodes the content from the resource section and restores the original Orcus RAT PE file.
Resource section payload decoding
The smethod_3 shown below finally starts another instance of the loader (478768766.pdf.exe) and injects the Orcus PE file into this loader process. Then it resumes the process, which executes the Orcus RAT PE file in memory in the 478768766.pdf.exe process context. This means the original Orcus RAT PE file is never written to disk in clear text, which makes it more difficult for antivirus systems to detect.
Process injection method
The loader achieves persistence by creating a shortcut that points to its executable and storing the shortcut in the following Startup directory:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The dropper also copies itself to %APPDATA%\Roaming\trfgtfrfgrf.exe and creates and starts the rfgrf.exe.bat file, which you can see below. The bat file executes the copy of the loader every 60 seconds.
rfgrf.exe.bat
In later campaigns, the adversary modified the infection process and emails no longer leveraged the SendGrid URLs. Later emails featured the same themes and verbiage but were modified to contain ZIP archive attachments.
Phishing email
The attached ZIP archives contain malicious batch files responsible for retrieving the malicious PE32 file and executing it, thus infecting the system. Early versions of the batch file retrieved additional malicious content from the same server previously used to host the ZIP archives.
Malicious .bat downloader
One interesting thing to note about the batch files was the use of an obfuscation technique that is not commonly seen. In early campaigns, the attacker prepended the bytes “FF FE 26 63 6C 73 0D 0A” into the file, causing various file parsers to interpret the file contents as UTF-16 LE, resulting in the parsers failing to properly display the contents of the batch file.
Unicode obfuscation standard editor
The hex view of the same file shows these prepended bytes which are responsible for this parsing issue.
Unicode obfuscation hex view
This is a well-known technique as can be observed in the forum thread here.
Later versions of the .bat downloader featured the use of obfuscation in an attempt to make analysis more difficult. They are using a simple obfuscation method and are just replacing all characters by variables that are resolved at runtime.
Obfuscated RevengeRat .bat downloader
The decoded version of the .bat file looks like this. As in the non-obfuscated versions of the .bat file, the adversaries are downloading the .js file to a local directory (C:\windows\r2.js) and executing it.
Decoded obfuscated .bat file
This r2.js file is another obfuscated script. It is filled with a bunch of rubbish and one long line of code.
Downloaded r2.js file
This scripts writes the ‘TVqQ…’ string into the registry.
r2.js payload
Stored encoded malware in registry key
It loads this string at the end of the infection process, decodes it and executes it.
r2.js payload decoding routine
Decompiling this payload in dnSpy shows an old friend: RevengeRAT.
RevengeRAT decompiled binary
Command and control (C2) obfuscation
As is the case with many popular RATs, the C2 infrastructure was observed leveraging Dynamic Domain Name System (DDNS) in an attempt to obfuscate the attacker’s infrastructure. In the case of these malware campaigns, the attacker took an additional step. They pointed the DDNS over to the Portmap service to provide an additional layer of infrastructure obfuscation.
Portmap is a service designed to facilitate external connectivity to systems that are behind firewalls or otherwise not directly exposed to the internet.
Port forwarding service
These systems initiate an OpenVPN connection to the Portmap service, which is responsible for handling requests to those systems via port mapping. We have recently observed an increase in the volume of malicious attackers abusing this service to facilitate the C2 process across various malware families.
HTTPS certificate
As demonstrated above, the DNS configuration for the DDNS hostname used by the malware for C2 has actually been pointed to the Portmap service. Let’s Encrypt issued the SSL certificate associated with this host.
Payload analysis
The adversaries used at least two different RATs in the campaigns which we have closely analyzed: Orcus RAT and RevengeRAT. For both RATs, the source code was leaked in the underground and several adversaries have used it to build their own versions. You can see the comparison of the leaked version of RevengeRAT and the one we analyzed below.
Comparison of leaked malware and modified one
The adversaries changed the source code slightly. They moved the original code into separate functions and changed the execution order a bit plus added other minor changes like additional variables, but overall the code is still very similar to the leaked code. On the other hand, it is modified so that the resulting binary looks different for AVs.
It is interesting to see that both (client) IDs point to the same name: CORREOS. In the Nuclear_Explosion file, aka RevengeRAT, it is only base64 encoded: “Q09SUkVPUw==”.
RevengeRAT Atomic class config
Orcus decoded XML config
Conclusion
These malware distribution campaigns are ongoing and will likely continue to be observed targeting various organizations around the world. RevengeRAT and Orcus RAT are two of the most popular RATs in use across the threat landscape and will likely continue to be heavily favored for use during the initial stages of attacks.
Organizations should leverage comprehensive defense-in-depth security controls to ensure that they are not adversely impacted by attacks featuring these malware families. At any given point in time, there are several unrelated attackers distributing these RATs in different ways. Given that the source code of both of these malware families is readily available, we will likely continue to see new variants of each of these RATs for the foreseeable future.
Coverage
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.
Email Security can block malicious emails sent by threat actors as part of their campaign.
Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Indicators of Compromise (IOCs)
The following indicators of compromise (IOCs) have been observed to be associated with malware campaigns.
ZIP Hashes (SHA256):
c66c96c8c7f44d0fd0873ea5dbaaa00ae3c13953847f0ca308d1f56fd28f230c
d6c5a75292ac3a6ea089b59c11b3bf2ad418998bee5ee3df808b1ec8955dcf2a
BAT Hashes (SHA256):
20702a8c4c5d74952fe0dc050025b9189bf055fcf6508987c975a96b7e5ad7f5
946372419d28a9687f1d4371f22424c9df945e8a529149ef5e740189359f4c8d
PE32 Hashes (SHA256):
ff3e6d59845b65ad1c26730abd03a38079305363b25224209fe7f7362366c65e
5e4db38933c0e3922f403821a07161623cd3521964e6424e272631c4492b8ade
JS Hashes (SHA256):
4c7d2efc19cde9dc7a1fcf2ac4b30a0e3cdc99d9879c6f5af70ae1b3a846b64b
Domains:
The following domains have been observed to be associated with malware campaigns:
skymast231-001-site1[.]htempurl[.]com
qstorm[.]chickenkiller[.]com
IP Addresses:
The following IP addresses have been observed to be associated with malware campaigns:
193[.]161[.]193[.]99
205[.]144[.]171[.]185
Know who hacked the Binance cryptocurrency exchange? Earn $250,000
Binance, one of the world’s biggest cryptocurrency exchanges by trading volume, has offered a reward equivalent to $250,000 to anyone providing information that leads to the arrest of hackers who attacked the platform last week.
For two minutes on March 7th, the Binance platform saw abnormal trading activity, which caused automatic protection systems to trigger, blocking any withdrawals.
The exchange explained that it had seen sophisticated phishing attacks targeting its users since early January, and around February 22nd there was a sharp uptick in phishing emails pointing to similar-looking domains but using Unicode characters (under the “i” and the “a” of “binance.com”).
Reports suggest that many of the compromised accounts did have two-factor authentication (2FA) enabled for a higher level of protection. Unfortunately for them, their 2FA codes were valid for 30 seconds or so, meaning that once the code had been given to the phishing site the attackers could generate an API key and use it to access the real site.
All very sneaky. But whoever seized control of the accounts appears to have bided their time, choosing not to steal cryptocurrency immediately but instead creating a trading API key for each hacked account.
On March 7th the hackers were ready to try to turn their hack into hard cash, placing “a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top.”
The bad news for the hackers was that Binance’s automated systems quickly blocked all withdrawals, including attempts by the phishers themselves to make off with their intended fortune.
As Binance describes, “not only did the phishers fail to steal any coins, their own coins have also been withheld.”
Binance says that its prompt action meant that the hack was unsuccessful, but nonetheless it was an organised attack and one that it wishes to see result in the arrest of whoever was responsible.
To that end Binance is offering a $250,000 equivalent bounty “to anyone who supplies information that leads to the legal arrest of the hackers involved in the attempted hacking incident on Binance on March 7th, 2018.”
Those with information are asked to share it with their local law enforcement agencies, as well as [email protected].
In addition, Binance says it has allocated the equivalent of ten million dollars for future awards against illegal hacking attacks against its systems.
from HOTforSecurity http://ift.tt/2InvR9k
Binance Team Shows Why the Exchange Is Leading the Field Following Bitcoin ‘Hack’
Posting on the Binance website, the company has disclosed information on the recent theft attempts and also details how the exchange foiled them and preserved users’ investments. Amid several exchanges’ losses due to cybercrime, Binance has reaffirmed itself as a secure exchange and demonstrated at least one good reason why it has become the largest cryptocurrency exchange in the world, listing well over 200 coins for traders.
Binance users sitting pretty
Starting with “Fellow Binancians,” the company demonstrated true transparency in its bulletin surrounding a recent phishing attempt that would have cost users a fortune in digital currency.
“On March 7, UTC 14:58-14:59, within this 2 minute period, the VIA/BTC market experienced abnormal trading activity. Our automatic risk management system was triggered, and all withdrawals were halted immediately,” disclosed the leading exchange.
Although the Binance hack generated rumors that some observers have cited as factors in Bitcoin and other values taking major dips, the post has unambiguously assured users of the exchange’s security protocols at play.
Binance was NOT hacked. Stop spreading FUD. A popular trading bot that some people use was hacked, the bot was instructed to sell all ALTs to $BTC to buy $VIA . If you don’t use bots to gain an unfair advantage, then you should be fine. #cryptocurrency#binance #binance via #via
— dinhlang (@vidinhlang) March 7, 2018
The attack was staged as a cleverly disguised phishing attempt. Not only was it challenging for users to detect, but it was also apparent from the nature of the effort that user credentials had been accumulated over an extended period. The post went on to state the only welcome summary:
“This was part of a large scale phishing and stealing attempt. So far: All funds are safe and no funds have been stolen.”
Posting recently on LinkedIn, Binance CEO Changpeng Zhao relayed his thoughts on the future of cryptocurrencies. Presenting as a well thought out, enthusiastic but level-headed voice in the arena, users have been reassured that it carries through to the fundamental build of the Binance exchange.
Zhao on Wednesday, March 7, 2018, tweeted that “All funds are safe.”
The onsite post added, “The earliest phishing attack seems to have dated back to early [January]; however it was around [February 22, 2018,], where a heavy concentration of phishing attacks were seen using Unicode domains, looking very much like binance.com, with the only difference being 2 dots at the bottom of 2 characters.”
Showing the depth and determination of the hack attempt, as “[many] users fell for these traps and phishing attempts,” after securing the user accounts, the hackers then “simply created a trading API key for each account but took no further actions, until yesterday.”
On March 7, 2018, “within the aforementioned 2 minute period, the hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top.”
This move was a savvy attempt to transfer the BTC from “the phished accounts to the 31 [hacker] accounts.”
There was also some irregular movement and repercussions after the halt on trades, with reversals enabling sudden profits for users who would have otherwise lost value in their trades. Many have withdrawn the funds thus secured already.
Looks like @binance_2017 is sending out mails to people who “benefited” from the hacks yesterday. Since they reversed trades, some people already withdrew or did some other trades with the profits and now Binance has a problem… Wondering if they have any legal ground for this. pic.twitter.com/zj0wqQHBTD
— WhalePanda (@WhalePanda) March 8, 2018
Risk management worth its salt
Withdrawals had already been flagged and automatically halted by the platform’s risk management system and none of the fraudulent withdrawal attempts were successful.
Furthermore, the accounts associated with the hack and loaded with VIA coins were frozen and the hackers have now ostensibly lost those holdings.
The report also mentioned: “The hackers were well organized. They were patient enough to not take any immediate action, and waited for the most opportune moment to act. They also selected VIA, a coin with smaller liquidity, to maximize their own gains.”
Although some users did lose, as their phished accounts were not traded off against flagged hacker accounts, the responsiveness of the risk management protocols still saved almost all of the potentially small fortune that could have been lost to the phishing attempt.
“As such, we are not in a position to reverse those trades,” said the exchange, going on to warn users of the dangerous sophistication of cybercriminals.
Thanking users for their support, the report concluded the following parting statement:
“We again advise all traders to take special precaution to secure their account credentials.”
The post Binance Team Shows Why the Exchange Is Leading the Field Following Bitcoin ‘Hack’ appeared first on BTCMANAGER.
EvilURL v2.0 - An Unicode Domain Phishing Generator for IDN Homograph Attack http://www.hackingdeephunter.ga/2018/01/evilurl-v20-unicode-domain-phishing.html
Finished Reading: EvilURL - An Unicode Domain Phishing Generator for IDN Homograph Attack
http://ift.tt/2zuxTT4 via Read it Later (November 10, 2017 at 09:03AM)
EvilURL - An Unicode Domain Phishing Generator for IDN Homograph Attack
A Unicode domain phishing generator for IDN homograph attacks.
CLONE
git clone https://github.com/UndeadSec/EvilURL.git
RUNNING
cd EvilURL
python evilurl.py
PREREQUISITES
python 2.7
TESTED ON Kali Linux – ROLLING EDITION
EvilURL – An unicode domain phishing generator for IDN Homograph Attack. – Security List Network™ https://t.co/FAQHVqEtIu #ifh DISCLAIMER!…
Spoofing Domains with Unicode
Here's a link for you: www.apple.com
If you click this totally legitimate looking (and safe, don't worry) link, you might think you'd be redirected to a totally secure website owned and operated by one of the biggest tech giants in the world. In fact, if you check your address bar, you may very well see "www.apple.com" there, complete with an SSL certificate and everything! But a quick look at the page, and you know something is off. That's because you didn't just click through to apple.com, but rather https://www.xn--80ak6aa92e.com.
The problem here is with an algorithm called Punycode (https://en.wikipedia.org/wiki/Punycode) that is used to convert Unicode characters into the more limited ASCII for use in domain names. This is extremely helpful because there is a strong bias towards ASCII characters for DNS purposes, but in some browsers this causes an inherent flaw in security, because by using the right combination of Unicode characters you can make the browser display a seemingly legitimate URL in the address bar. In the apple example above, it just so happens that the ASCII "a" character (U+0061) has an equivalent in the Cyrillic "a" (U+0430). These kinds of attacks are generally known as "homograph attacks".
Most browsers have protection against this kind of spoofing, but a recent bug found that these security measures were failing in instances where all of the spoofed characters came from the same language. For example, "xn--pple-43d.com" will show up as such because the Punycode translation contains characters from multiple languages, but "xn--80ak6aa92e.com" gets through, because all characters are Cyrillic. To read more from the original article and see more screenshots, go to https://www.xudongz.com/blog/2017/idn-phishing. Forbes even picked up on this a few days ago! You can read that article here: https://www.forbes.com/sites/leemathews/2017/04/21/this-apple-phishing-site-is-as-sneaky-as-they-come/#d1cfa7860e18
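The two conversions the post describes, as an added example that is not the article's or EvilURL's code: Python's built-in IDNA codec turns the Cyrillic "аррӏе.com" into the A-label the resolver actually sees, and two small checks show how a browser or mail gateway can catch both the mixed-script case ("xn--pple-43d.com") and the whole-script case ("xn--80ak6aa92e.com") that slipped past the mixed-script rule. The confusables table is a hand-picked subset of Cyrillic letters, not the full Unicode UTS #39 data, and `assess()` and its field names are this example's own.

```python
"""IDN homograph conversion and detection.

Added example, not the article's code. to_alabel() gives the Punycode
(xn--) form of a Unicode domain; scripts_in() reports which scripts a
label mixes; skeleton() folds look-alike Cyrillic letters onto Latin so
that a whole-script spoof still collapses onto the brand it imitates.
"""
import unicodedata

# Cyrillic letters whose glyphs match Latin ones in most fonts
# (hand-picked subset, not the full Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
    "\u04cf": "l",  # ӏ (palochka), the "l" in the apple example
    "\u0501": "d",  # ԁ
    "\u051b": "q",  # ԛ
    "\u051d": "w",  # ԝ
}


def to_alabel(domain):
    """Unicode domain -> the ASCII form DNS resolves (Punycode labels)."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label):
    """Scripts used by the letters of a label, taken from the first word
    of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold confusable characters onto their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess(domain, protected):
    """Describe whether `domain` is a homograph of one of the `protected`
    ASCII brand domains. A mixed-script label is suspicious on its own; a
    single-script label is flagged only if its skeleton hits a brand while
    the label itself is not that brand."""
    label, _, suffix = domain.lower().partition(".")
    folded_label = skeleton(label)
    folded = f"{folded_label}.{suffix}"
    scripts = scripts_in(label)
    return {
        "alabel": to_alabel(domain),
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": folded,
        "impersonates": folded in protected and folded_label != label,
    }


if __name__ == "__main__":
    brands = {"apple.com"}
    for d in ["\u0430\u0440\u0440\u04cf\u0435.com", "\u0430pple.com", "apple.com"]:
        print(d, assess(d, brands))
```

Note that the A-label is what certificate transparency logs, DNS telemetry and proxy logs record, so a detection pipeline should normalise every hostname through the same codec before comparing skeletons; the displayed Unicode form alone is what the victim sees, not what the infrastructure sees.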
EvilURL - An Unicode Domain Phishing Generator for IDN Homograph Attack http://hackingdeephunter.blogspot.com/2017/11/evilurl-unicode-domain-phishing.html