Phishing

Over a month ago, I received a creative phishing attempt. We use a relatively popular service which is mimicked fairly well. I typically receive notification emails from it via an administrative assistant. This one came from another name. That was my only real clue that made me look closer. Since then, I have received almost a dozen, each pretending to be a different product.

I noticed they all used different domain names for the payload link. But they all use file.php?d=<value> or f.php?d=<value> to deliver the payload.

Computers are smarter than I am when it comes to patterns like this, so I created an email filter to look for the file names and set it loose. If I see another phishing attempt using another script name, then I will add it to the list. But, so far, I am pleased with how well it protects me from myself.
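For readers who want to build the same kind of filter, here is an added example (mine, not the filter from the post): it keys on the payload script name and the ?d= parameter rather than on the sending domain, so a new domain with the same payload script is still caught. The sample messages are constructed for the example and the domains in them (docs-share.example, invoice-alerts.example, service.example) are made up.

```python
import re
from email import message_from_string

# Payload script names seen so far; add to this tuple when a new one shows up.
PAYLOAD_SCRIPTS = ("file.php", "f.php")

# Any http(s) URL whose path ends in one of those scripts with a ?d= parameter,
# whatever host is in front of it.
PAYLOAD_RE = re.compile(
    r"https?://[^\s\"'<>]+/(?:"
    + "|".join(re.escape(s) for s in PAYLOAD_SCRIPTS)
    + r")\?d=[^\s\"'<>&]+",
    re.IGNORECASE,
)


def payload_links(raw_message: str) -> list:
    """Return every payload-style URL in the text/plain and text/html parts of a raw message."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True)
        if body is None:
            continue
        text = body.decode(part.get_content_charset() or "utf-8", errors="replace")
        hits.extend(PAYLOAD_RE.findall(text))
    return hits


def is_phishy(raw_message: str) -> bool:
    """Filter verdict: True when the mail carries a payload link, regardless of sender or domain."""
    return bool(payload_links(raw_message))


def triage(mailbox: dict) -> dict:
    """Run the filter over a {name: raw_message} mailbox; return {name: [payload urls]} for the hits."""
    flagged = {}
    for name, raw in mailbox.items():
        links = payload_links(raw)
        if links:
            flagged[name] = links
    return flagged


# Constructed sample mail, not real messages: the first two mimic the pattern from the
# post (same script names, different hosts); the third is an ordinary notification.
SAMPLES = {
    "shared_document": (
        "From: Someone Else <notify@docs-share.example>\n"
        "Subject: A document was shared with you\n"
        "Content-Type: text/html; charset=utf-8\n"
        "\n"
        "<p>Click to view:</p>\n"
        "<a href=\"http://files.docs-share.example/file.php?d=Zm9vYmFy\">Open document</a>\n"
    ),
    "unpaid_invoice": (
        "From: Billing <billing@invoice-alerts.example>\n"
        "Subject: Invoice overdue\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "Your invoice is attached: https://invoice-alerts.example/f.php?d=8813aa\n"
    ),
    "real_notification": (
        "From: Admin Assistant <assistant@company.example>\n"
        "Subject: Weekly report\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "The report is at https://service.example/reports/2016/weekly\n"
    ),
}

if __name__ == "__main__":
    for name, links in triage(SAMPLES).items():
        print(name, "->", links)
```

The same regex drops straight into procmail or Sieve as a body match; the point of keeping the host part wildcarded is that the sender rotates domains far more often than they rotate the dropper script.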

Email Changes

Ran across a site where, if one changes the email address associated with the account, it sends the confirmation email to the new address.

Say I am a blackhat and used a phishing attack to get the password for the account. Having logged in with valid credentials, I then change the email address associated with it from victim@outlook.com to my blackhatalias@gmail.com. Sending the confirmation to blackhatalias rather than to the victim ensures the compromised account gets altered without the owner ever seeing a prompt. Strong security would prevent the change unless the owner of victim@outlook.com confirms it.

Though, it does look like an email was sent to victim@outlook.com almost 3 hours after the confirmation saying:

Still scary. The blackhat has probably already made off with the data and done the damage.

I get the temptation to allow users to change their email address to a new one. It will prevent support phone calls because, if they no longer have control of the old email account, users can simply change it to another address they do control.

Of course, the site in question also does not have Two Factor Authentication. But then it also is just a support forum. So the ramifications of losing the account are impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.
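To make the design point concrete, here is an added example (my code, not the forum's) of the weak flow beside a two-party one. In the weak flow the only confirmation goes to the new address, so whoever holds the password finishes the change alone. In the hardened flow the new address must be verified and the owner of record must approve from the old address, which also gets a cancel path. The outbox list stands in for actually sending mail, and the addresses are the ones used in the post.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PendingChange:
    new_email: str
    new_token: str            # mailed to the NEW address: proves the requester controls it
    old_token: str            # mailed to the OLD address: the owner of record must approve
    new_confirmed: bool = False
    old_confirmed: bool = False


@dataclass
class Account:
    email: str
    pending: Optional[PendingChange] = None


Outbox = List[Tuple[str, str, str]]   # (recipient, purpose, token); stands in for SMTP


def insecure_request(acct: Account, new_email: str, outbox: Outbox) -> str:
    """The flow the post describes: the only confirmation goes to the new address."""
    token = secrets.token_urlsafe(32)
    outbox.append((new_email, "confirm-new-address", token))
    acct.pending = PendingChange(new_email, new_token=token, old_token="")
    return token


def insecure_confirm(acct: Account, token: str) -> bool:
    p = acct.pending
    if p is not None and secrets.compare_digest(token, p.new_token):
        acct.email = p.new_email          # committed without the old owner hearing about it
        acct.pending = None
        return True
    return False


class EmailChangeService:
    """Hardened flow: nothing changes until BOTH the new-address token and the old-address token come back."""

    def __init__(self) -> None:
        self.outbox: Outbox = []

    def request_change(self, acct: Account, new_email: str) -> None:
        acct.pending = PendingChange(new_email, secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        self.outbox.append((new_email, "verify-new-address", acct.pending.new_token))
        self.outbox.append((acct.email, "approve-change", acct.pending.old_token))

    def confirm(self, acct: Account, token: str) -> bool:
        """Redeem a token from either mail. Returns True only once the change is committed."""
        p = acct.pending
        if p is None:
            return False
        if secrets.compare_digest(token, p.new_token):
            p.new_confirmed = True
        elif secrets.compare_digest(token, p.old_token):
            p.old_confirmed = True
        else:
            return False
        if p.new_confirmed and p.old_confirmed:
            acct.email, acct.pending = p.new_email, None
            return True
        return False

    def cancel(self, acct: Account, token: str) -> bool:
        """The old-address mail also carries a cancel link, so the owner can kill a change they never asked for."""
        p = acct.pending
        if p is not None and secrets.compare_digest(token, p.old_token):
            acct.pending = None
            return True
        return False


def takeover_via_insecure_flow() -> str:
    victim, outbox = Account("victim@outlook.com"), []
    tok = insecure_request(victim, "blackhatalias@gmail.com", outbox)
    insecure_confirm(victim, tok)          # attacker clicks the link in their own inbox
    return victim.email                    # blackhatalias@gmail.com


def takeover_via_secure_flow() -> Tuple[str, bool]:
    svc, victim = EmailChangeService(), Account("victim@outlook.com")
    svc.request_change(victim, "blackhatalias@gmail.com")
    new_tok = [t for r, _, t in svc.outbox if r == "blackhatalias@gmail.com"][0]
    committed = svc.confirm(victim, new_tok)   # attacker proves the new mailbox, but that is all
    return victim.email, committed             # ("victim@outlook.com", False)


def owner_cancels() -> Tuple[str, bool]:
    svc, victim = EmailChangeService(), Account("victim@outlook.com")
    svc.request_change(victim, "blackhatalias@gmail.com")
    old_tok = [t for r, _, t in svc.outbox if r == "victim@outlook.com"][0]
    return victim.email, svc.cancel(victim, old_tok)


def legitimate_change() -> str:
    svc, acct = EmailChangeService(), Account("victim@outlook.com")
    svc.request_change(acct, "victim-new@outlook.com")
    for _, _, tok in list(svc.outbox):     # the real owner controls both mailboxes
        svc.confirm(acct, tok)
    return acct.email
```

The lockout case the post worries about (owner lost the old mailbox) is handled outside this flow by a support/recovery path with its own identity proofing, not by letting the password alone authorize the change.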

Phishy Corporate Communications

Received an email that looked phishy:

Greetings,

Please read this important e-mail carefully.

Recently you registered, transferred or modified the contact information for the following domain name:

ezrasf.com

In order to ensure your domain name remains active, you must now click the following link and follow the instructions provided.

http://verify.domain.com/registrant/?verification_id=999999&key=BFrrpxGDbb&rid=999999

Sincerely,

Domain Registrar

The web page listed my name and email address, so the riskiness of clicking it seemed low, but ALL KLAXONS were going off in my head about this being phishing. I also received another email threatening to suspend my domain if I did not verify it.

The email headers really confirmed for me this was phishing:

Received: from mx.registrarmail.net (mx.registrarmail.net [216.40.35.248])
	by myemail-mx26.g.emailprovider.com (Postfix) with ESMTP id 999AA999999DDD
	for <myemail@mydomain.com>; Mon, 28 Mar 2016 05:43:25 -0700 (PDT)
Received: from cron01.endurance.prod.tucows.net (unknown [64.99.53.70])
	by mx1.registrarmail.net (Postfix) with SMTP id B5999999E51
	for <myemail@mydomain.com>; Mon, 28 Mar 2016 12:43:24 +0000 (UTC)
Received: by cron01.endurance.prod.tucows.net (sSMTP sendmail emulation); Mon, 28 Mar 2016 08:43:24 -0400
X-MP-Host-Origin: front04.endurance.prod.tucows.net
Message-Id: <999999.0.28Mar2016084324-osrs-registrant_verification-999999@endurance.registrarmail.net>
Date: Mon, 28 Mar 2016 08:43:24 -0400 (EDT)
X-OSRS-Id: osrs-registrant_verification-999999
From: "Domain Registrar" <support@registrar.com>
To: <myemail@mydomain.com>
Subject: Important: Please validate your domain name

The original sender is tucows.net? There’s no way a real company would be using such a site to send these emails. After all, that’s some lonely script kiddie in their mom’s basement BS. This had to be phishing.

One last check. I did a dig on verify.domain.com and compared that to the www for the company. Two very different IP spaces, but crucially the nameservers have “dyn” in the name, which red-flagged it as one of those dynamic DNS services, so it could be anything anywhere. Definitely not legitimate.

So I go to the registrar’s site to report this phishing and look at my domain’s record to see if anything really had changed. It had not, but I noticed there was a phone number I’ve not used since 2003, so I update the record. There is a notice that they need me to verify the information. I go looking for it and see… another copy of the phishing email at the time I updated the record. At this point, I suspect maybe I am completely wrong. Since the risk seems low, I do click the link and verify button and go back to the registrar’s site to see if the warning about needing to verify my information cleared. It did. Dammit!

Turns out the phishy email is actually from ICANN, not the registrar.
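The header reading above is worth automating, so here is an added example (mine, not anything from the post) that walks the Received: chain in the order the mail actually travelled and compares the first hop against the From: domain. It uses the header block quoted above verbatim, placeholder identifiers (999999 and the like) included. A mismatch is a reason to look closer, not a verdict: in this very case the first hop was a registrar's back-end provider and the mail was legitimate.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The header block quoted in the post; identifiers such as 999999 are the post's own placeholders.
HEADERS = """\
Received: from mx.registrarmail.net (mx.registrarmail.net [216.40.35.248])
\tby myemail-mx26.g.emailprovider.com (Postfix) with ESMTP id 999AA999999DDD
\tfor <myemail@mydomain.com>; Mon, 28 Mar 2016 05:43:25 -0700 (PDT)
Received: from cron01.endurance.prod.tucows.net (unknown [64.99.53.70])
\tby mx1.registrarmail.net (Postfix) with SMTP id B5999999E51
\tfor <myemail@mydomain.com>; Mon, 28 Mar 2016 12:43:24 +0000 (UTC)
Received: by cron01.endurance.prod.tucows.net (sSMTP sendmail emulation); Mon, 28 Mar 2016 08:43:24 -0400
X-MP-Host-Origin: front04.endurance.prod.tucows.net
Message-Id: <999999.0.28Mar2016084324-osrs-registrant_verification-999999@endurance.registrarmail.net>
Date: Mon, 28 Mar 2016 08:43:24 -0400 (EDT)
X-OSRS-Id: osrs-registrant_verification-999999
From: "Domain Registrar" <support@registrar.com>
To: <myemail@mydomain.com>
Subject: Important: Please validate your domain name
"""

# "from <host> (<comment, usually peer name and [ip]>) by <host> ..."
FROM_BY = re.compile(r"^from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
# "by <host> ..." with no from-clause: the message was injected locally on that host
LOCAL_BY = re.compile(r"^by\s+(?P<by>\S+)", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_headers: str) -> list:
    """Received: hops in chronological order (oldest first).
    Each hop is {'from': sending host or None, 'ip': peer address or None, 'by': receiving host}."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # each relay prepends, so the bottom one is first
        value = " ".join(value.split())                    # unfold continuation lines
        m = FROM_BY.match(value)
        if m:
            ip = IPV4.search(m.group("comment") or "")
            hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
            continue
        m = LOCAL_BY.match(value)
        if m:
            hops.append({"from": None, "ip": None, "by": m.group("by")})
    return hops


def origin_host(raw_headers: str) -> str:
    """Host the message first appeared on, as far as the trustworthy part of the chain shows."""
    first = received_chain(raw_headers)[0]
    return first["from"] or first["by"]


def from_domain(raw_headers: str) -> str:
    _, addr = parseaddr(message_from_string(raw_headers)["From"])
    return addr.rpartition("@")[2].lower()


def header_domain_mismatch(raw_headers: str) -> bool:
    """True when the originating host is not under the From: domain, i.e. someone else relayed
    the mail for the claimed sender. Grounds for a closer look, not proof of phishing."""
    origin, dom = origin_host(raw_headers).lower(), from_domain(raw_headers)
    return not (origin == dom or origin.endswith("." + dom))


if __name__ == "__main__":
    for hop in received_chain(HEADERS):
        print(hop)
    print("origin:", origin_host(HEADERS), "| From domain:", from_domain(HEADERS),
          "| mismatch:", header_domain_mismatch(HEADERS))
```

Only the Received: lines added by your own provider (the top of the chain) are trustworthy; everything below them was written by whoever handed the mail over and can be forged. For this message the bottom hops are consistent with each other and with the Message-Id domain, which is the kind of cross-check that separates a relay from a fabrication.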

Security Inside Out #USGRockEagle13

Eddie Carter and Orrin Char, Oracle

    • Identity management and security and access management.
    • Eddie wore a UGA shirt. Guy in front of me made fun of him obviously not wanting to sell to Georgia Tech. Turns out he’s from Kennesaw. The GT-UGA rivalry knows no bounds. Love it!
    • Handout: Database firewall more auditing and ACLs than enterprise firewalls access to many hosts.
    • 67% records breached from servers. 76% breached through weak or stolen credentials. Discovered by an external party. 97% preventable with basic controls. Source: 2013 Data Breach Investigations Report.
    • Pre-1997: security issues mistakes. 1998-2007: Privilege abuse. Curiosity. Leakage. 2008-2009: Malicious. Social engineering. Sophisticated attacks. Business data theft. Loss of reputation.
    • Can be fined. Buy services for people affected by the breach.
    • DBAs are the targets. Phishing to get credentials.
    • Change is where gaps are opened. Being more available means more highly privileged users. Consultants and vendors claim they need DBA level access.
    • 80% of IT security programs do not address db security. They address outside computers such as with firewalls. More and more attacks exploit legitimate access applications and user credentials.
    • Supports SQL Server and MySQL.
    • Preventative
      • encryption : If data stolen in encrypted form, then do not have to report the breach? Application should not even know it is encrypted. Network encryption now free to us. Autonegotiates with destination. No application changes. Little overhead. Integrated with Oracle technologies. Key management 2 layers. Master in hardware module or in a wallet. Wallet can be tied to hardware and accessed at restart. Data encrypted with table or column key. Table and column keys encrypted with master key.
      • redaction : Use ACLs to determine who can see. It will replace text such as on credit card numbers, SSNs, so can only see a full, partial, fixed.
      • data masking for nonproduction use : copy of production data in test with test being less secure. Masking means no longer valuable data. Finds sensitive columns through templates and convert the data so meaningless. Shuffle salaries. ID numbers randomized even partial. Randomize all but first two characters of last name. Can be two way so change for sending to a partner for process but then revert back when returned.
      • privileged user controls : Compartmentalization of commands. Prevent consultants from querying certain tables. Creates protective zones around schema objects.
    • Detective
      • activity monitoring :
      • database firewall : sits on the network. Parses SQL to determine the intent. Whitelist and Blacklist and exception list. If none, then alerts security to it and potentially added to a list. Have a learning and blocking mode. Can return empty result list to a hacker so thinks there are no records.
      • auditing and reporting : analyze audit-event data. Central audit repository so hacker unaware. Default and custom reports.
      • conditional auditing framework : if-this-then-that
    • Administrative
      • privilege analysis : privilege capture mode. report on what actual privileges and roles that are used. Revoke unnecessary.
      • sensitive data discovery : scan Oracle for sensitive fields. data definitions.
      • configuration management : discover and classify databases. scan for secure config.
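The database firewall bullet (parse SQL for intent, whitelist/blacklist, learning versus blocking mode, hand a hacker an empty result set) is the one most worth seeing in code. The following is an added example of that idea written by me; it is not Oracle's product or any code from the talk. Statements are reduced to a fingerprint by replacing literals with placeholders, so the application's normal queries with different bound values share one fingerprint while an injected OR or UNION does not. The application traffic and attack strings are constructed for the example.

```python
import re

# Normalize a statement into a fingerprint: comments dropped, literals become "?",
# whitespace collapsed, case folded. Statements that differ only in bound values share a
# fingerprint; statements whose shape differs (extra OR, UNION, DDL) do not.
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
STRING_LIT = re.compile(r"'(?:[^']|'')*'")
NUM_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")
WS = re.compile(r"\s+")

DDL_DCL = ("drop", "alter", "create", "grant", "revoke", "truncate")


def fingerprint(sql: str) -> str:
    s = COMMENT.sub(" ", sql)
    s = STRING_LIT.sub("?", s)
    s = NUM_LIT.sub("?", s)
    return WS.sub(" ", s).strip().lower()


def intent(sql: str) -> str:
    """Coarse intent of a statement: its leading keyword (select, update, drop, grant, ...)."""
    fp = fingerprint(sql)
    return fp.split(" ", 1)[0] if fp else ""


class SqlFirewall:
    """Learning mode builds the whitelist from observed traffic; blocking mode alerts on and
    blocks anything not on it. Blacklisted shapes and DDL/DCL are blocked in either mode."""

    def __init__(self) -> None:
        self.whitelist = set()
        self.blacklist = set()
        self.mode = "learning"
        self.alerts = []          # (reason, fingerprint) for the security team

    def learn(self, statements) -> None:
        for sql in statements:
            self.whitelist.add(fingerprint(sql))

    def decide(self, sql: str) -> str:
        fp = fingerprint(sql)
        if fp in self.blacklist:
            self.alerts.append(("blacklisted", fp))
            return "block"
        if fp in self.whitelist:
            return "allow"
        if intent(sql) in DDL_DCL:          # an application account never needs these
            self.alerts.append(("ddl-dcl", fp))
            return "block"
        if self.mode == "learning":
            self.whitelist.add(fp)
            return "allow"
        self.alerts.append(("unknown", fp))
        return "block"

    def query(self, sql: str, execute):
        """Proxy a statement to the real executor. A blocked statement yields an empty result
        set rather than an error, so the attacker cannot tell 'blocked' from 'no rows'."""
        return execute(sql) if self.decide(sql) == "allow" else []


# Constructed traffic: what the application normally sends, then what an attacker injects.
APP_TRAFFIC = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 7",
    "UPDATE users SET last_login = '2016-03-28' WHERE id = 42",
]
ATTACKS = [
    "SELECT id, name FROM users WHERE id = 7 OR 1=1",
    "SELECT id, name FROM users WHERE id = 7 UNION SELECT username, password FROM admins",
    "DROP TABLE users -- cleanup",
]


def blocking_firewall() -> SqlFirewall:
    """A firewall trained on APP_TRAFFIC and switched to blocking mode."""
    fw = SqlFirewall()
    fw.learn(APP_TRAFFIC)
    fw.mode = "blocking"
    return fw


def demo() -> list:
    """Decision for each attack string after training: all three should be blocked."""
    fw = blocking_firewall()
    return [fw.decide(sql) for sql in ATTACKS]


if __name__ == "__main__":
    fw = blocking_firewall()
    for sql in APP_TRAFFIC + ATTACKS:
        print(fw.decide(sql).upper().ljust(5), fingerprint(sql))
```

Fingerprinting is only as good as the tokenizer: dialect-specific literal syntax, bind variables and stored procedures all need handling before this is more than a demonstration, and a learning phase that overlaps with an ongoing attack will whitelist the attack. That is why the notes pair learning mode with human review of the alert list before flipping to blocking.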

Phish-ish Legit Email

Part of the problem of getting people not to succumb to phishing attempts is the poor practices used in legitimate emails.

Google sent me an email saying something was going to expire in a month because of inactivity. I needed to click on a link and verify my information. You know, exactly the same kind of things a phisher would write.

I spent half an hour looking at the HTML to verify the links and the headers to see if there was anything suspicious. Eventually, I decided it was legitimate. But even then I was still very careful. Few people I know would be this careful because they would not know how.

Sadly, in the many years where phishing attempts have become so common, few people care enough about changing their bad email practices that contribute to end users becoming victims.