Anti-phishing techniques and tools

There is a big illicit business out there and it’s driven by a simple old trick: deception.
Deception is at the root of many online black and gray activities, from clickbaiting to ransomware.

Pair deception with email and what you get is email phishing.
The goal of email phishing campaigns is to induce the victim to perform an action to the advantage of the attacker. It’s as simple as that.

In order to induce you to perform an action against your own interest, the attacker uses the following deception tools:
– a message that grabs your attention
– a sense of urgency
– a call-to-action

What if I tell you that your Apple account has been disabled and that you won’t be able to use your devices until you fix it?
What if you happen to know that money has just been withdrawn from your bank account? Maybe you should check immediately.
What if your mailbox quota has been exceeded and you won’t receive emails until you act?
Of course there are also incredible offers, or you may be the winner of a great prize, or maybe a young beautiful girl wants to meet you.

I guess you’ve already experienced some of these messages, if not all of them.

So much for grabbing attention and conveying a sense of urgency. What about the call-to-action?
The call-to-action, as usual, ranges from clicking on a link that leads to a site that drops its malicious payload or asks you to enter personal information, to opening an attachment.

It’s important to note, though, the difference between mass phishing and targeted phishing, also known as spearphishing.
Spearphishing is phishing aimed at a specific person, with a credible message built on knowledge gathered from social networking sites or other sources. Spearphishing is much more difficult to detect.

For the first Libra Esva Partner Event, in May 2016, I did an interesting experiment. I used the open source framework gophish to create a phishing campaign in order to assess, in practice, how effective such campaigns are.
Gophish is one of many tools that make it easy to create and run phishing campaigns: it assists you through the whole process, from the creation of the email template and landing page to the real-time metrics and analytics. It’s a complete framework; it also acts as a web server to serve your phishing site.

Such phishing tools are particularly valuable for training your users not to fall for real phishing. You can run, for example, a phishing campaign against the employees of your company and then follow up with a training session. The phishing campaign has the advantage of both measuring the effectiveness of your training over time and making the training more effective by tying it to a real and direct experience.

In my test, I created a fake LinkedIn contact request by grabbing the content of a real LinkedIn email. I also grabbed the content of a LinkedIn login page to create my phishing landing page. Then I sent the phishing email to all the participants of the Partner Event.
The numbers surprised all of us.
We sent 44 emails, 24 of which were opened. A respectable open rate of 54%.
18 “targets” clicked on the link and landed on our fake login page: a 75% click-through rate.
We don’t know whether they attempted to enter their credentials or not because the page didn’t submit any data; it just informed the user of the phishing experiment when they pressed the “submit” button.
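The campaign funnel behind the numbers above, as an added example that is neither gophish’s code nor part of the original post: it rebuilds the post’s counts (44 sent, 24 opened, 18 clicked) from constructed, gophish-style timeline events, counts each target once per stage even if events repeat, and treats a click as an implied open, since a mail client that blocks remote images never fires the tracking pixel but can still register the click.

```python
from collections import defaultdict

# gophish result statuses in funnel order; a later stage implies the earlier ones
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]


def build_sample_events():
    """Constructed timeline mirroring the post's figures; not a real export."""
    events = []
    for i in range(1, 45):
        addr = f"target{i:02d}@example.org"
        events.append((addr, "Email Sent"))
        if i <= 24:
            if i > 6:  # targets 1-6 block remote images: no open event at all
                events.append((addr, "Email Opened"))
            if i <= 18:
                events.append((addr, "Clicked Link"))
                events.append((addr, "Clicked Link"))  # repeated click, same target
    return events


def funnel(events):
    """Per-stage target counts: each target counts once, at every stage up to
    the deepest one it reached, regardless of event order or duplicates."""
    deepest = defaultdict(int)
    for addr, status in events:
        deepest[addr] = max(deepest[addr], STAGES.index(status))
    return {stage: sum(1 for d in deepest.values() if d >= idx)
            for idx, stage in enumerate(STAGES)}


def rates(counts):
    """Open rate (opened/sent), click-through (clicked/opened) and the overall
    share of targets who clicked (clicked/sent), all in percent."""
    sent, opened, clicked = (counts[s] for s in STAGES[:3])
    return {
        "open_rate": 100.0 * opened / sent,
        "click_through": 100.0 * clicked / opened if opened else 0.0,
        "overall_click": 100.0 * clicked / sent,
    }


if __name__ == "__main__":
    counts = funnel(build_sample_events())
    print(counts)
    print(rates(counts))
```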

[Image: results of the phishing test]

In the end, 40% of the “targets” ended up clicking on the link, and that is all it takes to get infected.
40% is a huge number considering that this was a very security-literate audience.
Remember: just clicking on a random link can get you infected. If you are not convinced, have a look at the security fixes that Microsoft releases every second Tuesday of the month and search for the ones flagged as “remote code execution vulnerability”.

Phishing is a real danger because it is effective and very affordable. The good news is that with a reasonable effort you can use phishing to raise awareness among your users and make your training more effective.

How can an email security appliance help with phishing?

The standard spam-fighting techniques are not sufficient against phishing. Phishing emails often closely resemble real emails from your bank, your service provider, your colleagues. They often come from legitimate end-user email accounts illicitly used with passwords coming from database breaches (don’t reuse your passwords, use a password manager) or from infected computers. Content analysis must rely on the detection of subtle differences.

Besides AV engines, filename and filetype policies and nested archive scanning, Libra ESVA provides “ESVA Labs”, which is based on collaborative detection and expert analysis. Administrators and users of our appliances can report false positives and false negatives to ESVA Labs. These reports are immediately delivered to us along with the internal analysis performed by ESVA, and most of them are very pertinent. We don’t have to dig through hundreds of thousands of non-pertinent reports, and we can analyze them quickly. Our analysis team updates and releases new detection rules usually within 30 minutes from the report; the new detection rules are automatically downloaded by all ESVA appliances every hour. Being quickly reactive is the key to fighting phishing.
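Two of the “subtle differences” a content filter can check on a lookalike message such as the fake LinkedIn invitation from the experiment, as an added example that is not ESVA’s detection logic: a brand name in the From display name whose sender domain does not belong to that brand, and a link whose visible text shows one domain while the href points to another. The message and its domains are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed message imitating the post's fake LinkedIn invitation; the
# sender and link domains are placeholders, not real infrastructure.
SAMPLE_EML = """\
From: LinkedIn <invitations@linkedin-notify.example>
Subject: Paolo wants to connect on LinkedIn
Content-Type: text/html

<p>Accept: <a href="http://login-page.example/l/42">https://www.linkedin.com/</a></p>
<p><a href="https://www.linkedin.com/help">Help Center</a></p>
"""
BRAND_DOMAINS = {"linkedin": "linkedin.com"}  # display-name keyword -> real domain

def _host(url):
    # hostname of a URL, tolerating scheme-less text such as www.example.com/x
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)

class _Anchors(HTMLParser):
    # collects (href, first visible text chunk) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
            self._href = None

def phishing_indicators(raw):
    # returns human-readable mismatches; no AV signature involved
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in name.lower() and not _same_org(sender_host, domain):
            findings.append(f"display name '{name}' but sender domain {sender_host}")
    parser = _Anchors()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        shown = _host(text)  # only compared when the anchor text looks like a domain
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and not _same_org(_host(href), shown):
            findings.append(f"link text shows {shown} but points to {_host(href)}")
    return findings
```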

Rodolfo Saccani

The Bot

From time to time a chatbot contacts me. If I have time, I enjoy finding out what kind of script the chatbot follows.

This time it was on gtalk.

As you can see from the following transcript, the chatbot didn’t care at all about my replies; it just waited for any input on my side and proceeded with its own script.

All the URLs have been truncated in order not to drive traffic towards them.

Enjoy.


(15:17:23) [email protected]: Are you there??
(17:56:20) [email protected]: :-* hi
(17:56:50) Rodolfo Saccani: hi
(17:57:08) [email protected]: Im bored and wanted to meet new people… 24/female…you?
(17:57:26) Rodolfo Saccani: 4/dog
(17:57:43) [email protected]: I’m feeling a little naughty wanna have some fun ? 🙂
(17:58:09) Rodolfo Saccani: of course
(17:58:28) [email protected]: here’s a picture lol www.i.imgur.com/[truncated] you like? hehe =D
(17:59:26) Rodolfo Saccani: image no longer available
(17:59:36) [email protected]: Haha, you want some more?
(18:01:42) Rodolfo Saccani: more non existant images?
(18:01:59) [email protected]: www.i.imgur.com/[truncated] my turn.. wow. I’m soooo turned on right now!!
(18:02:44) Rodolfo Saccani: xyz
(18:02:57) [email protected]: Mmm…is the game getting “harder”? 😉
(18:03:03) Rodolfo Saccani: __
(18:03:24) [email protected]: www.i.imgur.com/[truncated] i want your cock baby really bad would you give it to me??
(18:03:54) Rodolfo Saccani: your images are very … texty
(18:04:13) [email protected]: www.i.imgur.com/[truncated] ok last one lol, you’d love to fuck me wouldnt you 😉
(18:04:54) Rodolfo Saccani: dddddddddddddddddddddddddddd
(18:05:14) [email protected]: Baby we really need to go on cam i cant wait anymore
(18:05:55) Rodolfo Saccani: qwerty
(18:06:10) [email protected]: Here i just invited you www.letsplayoncamz[truncated] try accepting that babe
(18:07:23) Rodolfo Saccani: ççç
(18:07:45) [email protected]: Its supposed to be the best app for this kind of thing, hurry up and accept!!!
(18:08:25) Rodolfo Saccani: abcdefghijklmnopqrstuvwxyz
(18:08:48) [email protected]: Its worth the annoying signup babe, wait until you see what we can do once you’re in
(18:09:19) Rodolfo Saccani: j
(18:09:43) [email protected]: Its free to join.. i promise.. but it will ask for a card i think.. im gonna get naughty and i cant have kids watching..
(18:10:10) Rodolfo Saccani: I love bots
(18:10:31) [email protected]: Ok babe.. talk to you in there.. gonna charge my phone.. mwa! xoxo
(18:11:04) Rodolfo Saccani: k

Rodolfo Saccani

Malware evades Sandbox, can security solutions catch up with it?

Yesterday evening, I was reading some security feeds and I came across a great blog article posted by @a_de_pasquale titled “New password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware!!”

I do not want to bore you with the malware’s specific architecture and workings; if you wish, you can read the full story at the following link: https://cysinfo.com/new-password-protected-macro-malware-evades-sandbox-infects-victims-ursnif-malware/.

Three magic words captured my attention: “Malware evades Sandbox”!

The article goes deep into a sandboxing analysis and shows how opening the document with Microsoft Word in a fully sandboxed virtual machine and observing its behaviour cannot detect anything suspicious, so the document is considered safe while it is not!

At Libraesva we declare that our QuickSand Protection technology is “Virtually immune to sandbox evasion techniques!”.

The principle of everything we do at Libraesva starts from real-life experience, and we stand by our commitment to delivering real protection and not pure marketing stuff!

Is that true? Or is our brand new QuickSand Protection Technology vulnerable to this piece of malware, which evades all the security controls to infect the targeted machines?

Passion for our work drives us to be “always on”, and I was so keen to send this kind of stuff through our appliance and check the QuickSand Protection we offer that I started searching for the original document with my iPad.

Yesterday evening I had promised myself to spare some family time and I had left my notebook in the office; at least, that was the intention.

Still, the temptation was too strong, and with my iPad I was only able to get the malware samples’ hashes posted on Payload Security (https://www.hybrid-analysis.com) without being able to download and uncompress the sample itself.


So I took my daughter’s MacBook, registered at Payload Security to download the malware, extracted it, renamed the file to malware_sample.docx and fired up my Gmail account to send a new email to my business email, protected with Libra Esva. Note that the malware had been analyzed for the first time on March 2nd 2017 by Payload Security, so I would have expected some kind of security warning.

Surprisingly, Gmail allowed me to attach the malware sample without any warning, all good. I sent the email and after 10 seconds I got it in my business inbox.


What happened? The email came through, but the original attachment (the malware sample) had been replaced by our QuickSand Protection warning: “QuickSand has removed the file “malware_sample.docx” because it contained suspect active content.”


To cross-check against the industry standards, I then submitted the sample to VirusTotal: this kind of malware still slips through 53 out of 55 AV engines on VirusTotal, 12 days after its first submission!

It seems the industry giants are still catching up with this kind of infection.

At that point I was pleasantly surprised by what we did, and with a full sense of pride in our simple technology I started writing this article, focusing on some questions about cyber-security:

  • Do we need complicated and expensive technology to stop these threats?
  • Is the root problem due to a technological factor or to a social approach?

I trust we all agree on the latter, as the ransomware business relies on people’s actions. And certainly we do not need fancy screenshots of a virtual environment running the malware without detecting it, just to have a nice report that feeds complacency. Not to mention the resources and time needed to run it, introducing delays in people’s productivity and undermining their privacy if the document is sent to a cloud sandbox for analysis. Libra Esva QuickSand Protection runs entirely at the gateway and does in-depth source code analysis; it takes a few seconds and it is very effective!
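What “static analysis at the gateway instead of running the document” can look like, as an added example that is not QuickSand’s implementation (the post does not describe it): an OOXML attachment is opened as a zip and searched for the parts that carry VBA, without Word, a virtual machine or any execution, so a macro document renamed to .docx is still caught. The document is constructed in code and contains no real macro.

```python
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_PARTS = {"vbaproject.bin", "vbadata.xml"}  # OOXML part names that carry VBA


def build_sample_docx(with_macro):
    """Constructed minimal OOXML container, not the real sample: only the zip
    layout matters here, the part bodies are placeholders."""
    types = ('<Override PartName="/word/document.xml" ContentType="application/'
             'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f"<Types>{types}</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real project")
    return buf.getvalue()


def active_content_parts(data):
    """Static, gateway-side check: macro parts inside an OOXML file, whatever its
    extension says. Nothing is opened in Word or executed."""
    if not data.startswith(b"PK"):
        # Not a zip: legacy .doc and password-encrypted Office files are OLE
        # containers and need a different parser; out of scope for this example.
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        found += [n for n in names if n.rsplit("/", 1)[-1].lower() in MACRO_PARTS]
        if "[Content_Types].xml" in names:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in types:
                found.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
    return found


def gateway_verdict(filename, data):
    """Decide on one attachment: ("removed", parts) or ("delivered", [])."""
    parts = active_content_parts(data)
    return ("removed", parts) if parts else ("delivered", [])


if __name__ == "__main__":
    print(gateway_verdict("malware_sample.docx", build_sample_docx(True)))
    print(gateway_verdict("report.docx", build_sample_docx(False)))
```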

Again:

  • Can the technology help educating people?

Sure it can! But what if we deliver a common sense of protection with marketing slogans that do not reflect real-life scenarios?

Why do most security vendors not disclose the reasoning behind their classification of content as safe or dangerous? Is there anything to hide? Why is everything in cyber-security so complicated?

I believe that the correct approach is definitely based on transparency: explain your approach to people, tell them which checks you do, don’t be afraid to detail why you missed a piece of malware or a malicious email. Do not build a wall between customers and support with complicated policies that discourage customers from asking.

And finally, do not let the fireworks of a fancy dashboard drive your development in the name of marketing. And do not stand behind sentences that are simply stupid: the end of ransomware! We block 100% of known malware! And more… Be pragmatic; customers are not stupid.

We need that kind of approach in cyber-security!


Lecco, March, 14th 2017

Eng. Paolo Frizzi