Cyber security aggregate rss news


How to repair DMARC ...

 Business

Over e-mail’s history, people have come up with a lot of technologies designed to protect recipients from fraudulent (mainly phishing) e-mails. DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) had significant drawbacks, so the Domain-based Message Authentication Reporting and Conformance (DMARC) mail authentication mechanism was designed to identify messages with a fake sender domain. But DMARC also turned out to be far from an ideal solution. Therefore, our researchers have developed an additional technology to eliminate the disadvantages of this approach.

How DMARC works

A company seeking to prevent others from sending e-mails using the names of its employees can configure DMARC in its DNS resource record. In essence, that allows message recipients to make sure the domain name in the “From:” header is the same as in DKIM and SPF. In addition, the record indicates the address to which mail servers send reports concerning received messages that did not pass verification (for example, if an error occurred or an attempt to fraudulently impersonate a sender was detected). In the same resource record, you can also configure the DMARC policy to specify what happens to a message if it fails the check. Three types of DMARC policies cover such cases:

Reject is the strictest policy. Choose it to block all e-mails that do not pass the DMARC check.
With the Quarantine policy, depending on the mail provider’s exact settings, the message will either end up in the spam folder or be delivered but marked suspicious.
None is the mode that lets the message reach the recipient’s mailbox normally, although a report is still sent to the sender.

Disadvantages of DMARC

By and large, DMARC is capable. The technology does make phishing much more difficult. But in solving one problem, this mechanism causes another: false positives. Legitimate messages may be blocked or marked as spam in two types of cases:

Forwarded messages. Some mail systems break the SPF and DKIM signatures in forwarded messages, whether messages are forwarded from various mailboxes or they are redirected between intermediate mail nodes (relays).
Incorrect settings. It is not uncommon for mail server administrators to make mistakes when configuring DKIM and SPF.

When it comes to business e-mail, it’s difficult to say which scenario is worse: letting through a phishing e-mail or blocking a legitimate message.

Our approach to fixing DMARC’s flaws

We find the technology unquestionably useful, so we decided to strengthen it by adding machine-learning technology to the validation process to minimize false positives without undermining the benefits of DMARC. Here’s how it works.

When users compose e-mails, they use a Mail User Agent (MUA) such as Microsoft Outlook. The MUA is responsible for generating the message and sending it to the Mail Transfer Agent (MTA) for further routing. The MUA adds the necessary technical headers to the message body, subject, and recipient address (which are filled in by the user). To bypass security systems, attackers often use their own MUAs. As a rule, they are homemade mail engines that generate and fill in messages in accordance with a given template. For example, they generate technical headers for messages and their content. Each MUA has its own “handwriting.”

If the received message fails the DMARC check, then our technology comes into play. It runs on a cloud service that connects with the security solution on the device. It begins further analysis of the sequence of headers as well as the contents of the X-Mailer and Message-ID headers using a neural network, thereby enabling the solution to distinguish a legitimate e-mail from a phishing one. The technology was trained on a huge collection of e-mail messages (about 140 million messages, 40% of which were spam). The combination of DMARC technology and machine learning helps ensure the user’s protection from phishing attacks while minimizing the number of false positives.

We have already implemented the technology in every one of our products that have an antispam component: Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Linux Mail Server, Kaspersky Secure Mail Gateway (parts of Kaspersky Total Security for Business) and Kaspersky Security for Microsoft Office 365.
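The policy and alignment rules described above, as an added worked example that is not Kaspersky's code and does not model its machine-learning step: a receiving-side evaluator that parses a DMARC TXT record, checks whether the "From:" domain is aligned with the domains that SPF and DKIM authenticated, and returns the action the record's p= tag prescribes. The records, domains and authentication results are constructed; the organizational-domain helper is a deliberate simplification (last two labels) of what a real implementation derives from the Public Suffix List. The forwarded-message case shows the false positive the article warns about: a legitimate message that loses its SPF and DKIM results in transit is rejected under p=reject and only reported under p=none.

```python
"""DMARC record parsing and policy evaluation (added example, constructed data)."""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=...; rua=...' TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption;
    production code uses the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed, the
    default) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_domain: str) -> dict:
    """Apply the record to one message whose SPF/DKIM results are already known.
    DMARC passes if at least one authenticated identifier is aligned with the
    RFC5322.From domain; otherwise the p= policy decides the action."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return {
        "result": result,
        "action": "deliver" if result == "pass" else tags["p"],
        "report_to": tags.get("rua"),  # aggregate-report address, if published
    }


# Constructed records for the three policies.
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=r; adkim=s"
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def direct_mail() -> dict:
    # Sent by the domain owner's own MTA: SPF passes for a subdomain, DKIM d= matches exactly.
    return evaluate(RECORD_REJECT, "example.com", True, "mail.example.com", True, "example.com")


def forwarded_mail(record: str = RECORD_REJECT) -> dict:
    # Legitimate message relayed by a forwarder: SPF now authenticates the
    # forwarder's domain and the DKIM signature was broken in transit.
    return evaluate(record, "example.com", True, "forwarder.net", False, "example.com")


def strict_dkim_mismatch() -> dict:
    # adkim=s: a DKIM signature from a subdomain does not align with the parent From: domain.
    return evaluate(RECORD_REJECT, "example.com", False, "attacker.net", True, "mail.example.com")


if __name__ == "__main__":
    for name, fn in [("direct", direct_mail), ("forwarded/reject", forwarded_mail),
                     ("forwarded/none", lambda: forwarded_mail(RECORD_NONE)),
                     ("strict dkim", strict_dkim_mismatch)]:
        print(f"{name:18} -> {fn()}")
```

The forwarded case is why many administrators start with p=none and read the aggregate reports sent to the rua= address before moving to quarantine or reject: the reports reveal which legitimate relays are failing alignment.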

Transatlantic Cable ...

 News

Dave and I kick off the 156th edition of the Kaspersky Transatlantic Cable podcast by talking about one of our favorite types of alcohol. Although Dave does like his Jack Daniel’s, it wasn’t mixed drinks we were talking about. Rather, the parent company of the US bourbon, Brown-Forman, has suffered a ransomware attack. This attack continues the trend of big companies getting hit with ransomware.

Our second story dives into the new-to-us industry of dropshipping. This business seems to make money from people overpaying for cheap Chinese products pushed by influencers or knockoff sites. To us, it sounds like a shady scheme where the consumer is the one who will suffer. From there, we jump to high tea at the Ritz in London. This case is an interesting scam that our affluent readers will want to keep an eye on. For our fourth story, we take a look at the potential impact of GDPR on an issue of data storage. To close out the podcast, we head to the land down under and a snafu involving credentials being shared on live TV.

If you like what you heard, please consider sharing with your friends or subscribing. For more information on the topics discussed, please click on the links below.

Jack Daniel’s-maker suffers REvil ransomware breach
Dropshipping: The hustlers making millions from goods they never handle
Tea at the Ritz soured by credit card scammers
Instagram retained deleted user data despite GDPR rules
TV stations — stop broadcasting your passwords!

Voice Phishers Targe ...

 Latest Warnings

The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.

According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate, and operates primarily through paid requests or “bounties,” where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home. And over the past six months, the criminals responsible have created dozens if not hundreds of phishing pages targeting some of the world’s biggest corporations. For now at least, they appear to be focusing primarily on companies in the financial, telecommunications and social media industries.

“For a number of reasons, this kind of attack is really effective,” said Allison Nixon, chief research officer at New York-based cyber investigations firm Unit 221B. “Because of the Coronavirus, we have all these major corporations that previously had entire warehouses full of people who are now working remotely. As a result the attack surface has just exploded.”

TARGET: NEW HIRES

A typical engagement begins with a series of phone calls to employees working remotely at a targeted organization. The phishers will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s virtual private networking (VPN) technology.

The employee phishing page bofaticket[.]com. Image: urlscan.io

The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

Zack Allen is director of threat intelligence for ZeroFOX, a Baltimore-based company that helps customers detect and respond to risks found on social media and other digital channels. Allen has been working with Nixon and several dozen other researchers from various security firms to monitor the activities of this prolific phishing gang in a bid to disrupt their operations.

Allen said the attackers tend to focus on phishing new hires at targeted companies, and will often pose as new employees themselves working in the company’s IT division. To make that claim more believable, the phishers will create LinkedIn profiles and seek to connect those profiles with other employees from that same organization to support the illusion that the phony profile actually belongs to someone inside the targeted firm.

“They’ll say ‘Hey, I’m new to the company, but you can check me out on LinkedIn’ or Microsoft Teams or Slack, or whatever platform the company uses for internal communications,” Allen said. “There tends to be a lot of pretext in these conversations around the communications and work-from-home applications that companies are using. But eventually, they tell the employee they have to fix their VPN and can they please log into this website.”

SPEAR VISHING

The domains used for these pages often invoke the company’s name, followed or preceded by hyphenated terms such as “vpn,” “ticket,” “employee,” or “portal.” The phishing sites also may include working links to the organization’s other internal online resources to make the scheme seem more believable if a target starts hovering over links on the page.

Allen said a typical voice phishing or “vishing” attack by this group involves at least two perpetrators: One who is social engineering the target over the phone, and another co-conspirator who takes any credentials entered at the phishing page and quickly uses them to log in to the target company’s VPN platform in real-time.

Time is of the essence in these attacks because many companies that rely on VPNs for remote employee access also require employees to supply some type of multi-factor authentication in addition to a username and password — such as a one-time numeric code generated by a mobile app or text message. And in many cases, those codes are only good for a short duration — often measured in seconds or minutes. But these vishers can easily sidestep that layer of protection, because their phishing pages simply request the one-time code as well.

A phishing page (helpdesk-att[.]com) targeting AT&T employees. Image: urlscan.io

Allen said it matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee. And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy. Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization, Nixon said.

“These guys are calling companies over and over, trying to learn how the corporation works from the inside,” she said.

NOW YOU SEE IT, NOW YOU DON’T

All of the security researchers interviewed for this story said the phishing gang is pseudonymously registering their domains at just a handful of domain registrars that accept bitcoin, and that the crooks typically create just one domain per registrar account. “They’ll do this because that way if one domain gets burned or taken down, they won’t lose the rest of their domains,” Allen said.

More importantly, the attackers are careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain. This is key because many domain registrars will only respond to external requests to take down a phishing website if the site is live at the time of the abuse complaint. This requirement can stymie efforts by companies like ZeroFOX that focus on identifying newly-registered phishing domains before they can be used for fraud.

“They’ll only boot up the website and have it respond at the time of the attack,” Allen said. “And it’s super frustrating because if you file an abuse ticket with the registrar and say, ‘Please take this domain away because we’re 100 percent confident this site is going to be used for badness,’ they won’t do that if they don’t see an active attack going on. They’ll respond that according to their policies, the domain has to be a live phishing site for them to take it down. And these bad actors know that, and they’re exploiting that policy very effectively.”

A phishing page (github-ticket[.]com) aimed at siphoning credentials for a target organization’s access to the software development platform Github. Image: urlscan.io

SCHOOL OF HACKS

Both Nixon and Allen said the object of these phishing attacks seems to be to gain access to as many internal company tools as possible, and to use those tools to seize control over digital assets that can quickly be turned into cash. Primarily, that includes any social media and email accounts, as well as associated financial instruments such as bank accounts and any cryptocurrencies.

Nixon said she and others in her research group believe the people behind these sophisticated vishing campaigns hail from a community of young men who have spent years learning how to social engineer employees at mobile phone companies and social media firms into giving up access to internal company tools. Traditionally, the goal of these attacks has been gaining control over highly-prized social media accounts, which can sometimes fetch thousands of dollars when resold in the cybercrime underground. But this activity gradually has evolved toward more direct and aggressive monetization of such access.

On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools. Nixon said it’s not clear whether any of the people involved in the Twitter compromise are associated with this vishing gang, but she noted that the group showed no signs of slacking off after federal authorities charged several people with taking part in the Twitter hack.

“A lot of people just shut their brains off when they hear the latest big hack wasn’t done by hackers in North Korea or Russia but instead some teenagers in the United States,” Nixon said. “When people hear it’s just teenagers involved, they tend to discount it. But the kinds of people responsible for these voice phishing attacks have now been doing this for several years. And unfortunately, they’ve gotten pretty advanced, and their operational security is much better now.”

A phishing page (vzw-employee[.]com) targeting employees of Verizon. Image: DomainTools

PROPER ADULT MONEY-LAUNDERING

While it may seem amateurish or myopic for attackers who gain access to a Fortune 100 company’s internal systems to focus mainly on stealing bitcoin and social media accounts, that access — once established — can be re-used and re-sold to others in a variety of ways.

“These guys do intrusion work for hire, and will accept money for any purpose,” Nixon said. “This stuff can very quickly branch out to other purposes for hacking.”

For example, Allen said he suspects that once inside of a target company’s VPN, the attackers may try to add a new mobile device or phone number to the phished employee’s account as a way to generate additional one-time codes for future access by the phishers themselves or anyone else willing to pay for that access.

Nixon and Allen said the activities of this vishing gang have drawn the attention of U.S. federal authorities, who are growing concerned over indications that those responsible are starting to expand their operations to include criminal organizations overseas.

“What we see now is this group is really good on the intrusion part, and really weak on the cashout part,” Nixon said. “But they are learning how to maximize the gains from their activities. That’s going to require interactions with foreign gangs and learning how to do proper adult money laundering, and we’re already seeing signs that they’re growing up very quickly now.”

WHAT CAN COMPANIES DO?

Many companies now make security awareness and training an integral part of their operations. Some firms even periodically send test phishing messages to their employees to gauge their awareness levels, and then require employees who miss the mark to undergo additional training. Such precautions, while important and potentially helpful, may do little to combat these phone-based phishing attacks that tend to target new employees.

Both Allen and Nixon — as well as others interviewed for this story who asked not to be named — said the weakest link in most corporate VPN security setups these days is the method relied upon for multi-factor authentication.

A U2F device made by Yubikey, plugged into the USB port on a computer.

One multi-factor option — physical security keys — appears to be immune to these sophisticated scams. The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.

In July 2018, Google disclosed that it had not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical security keys in place of one-time codes.

Probably the most popular maker of security keys is Yubico, which sells a basic U2F Yubikey for $20. It offers regular USB versions as well as those made for devices that require USB-C connections, such as Apple’s newer Mac OS systems. Yubico also sells more expensive keys designed to work with mobile devices. [Full disclosure: Yubico was recently an advertiser on this site].

Nixon said many companies will likely balk at the price tag associated with equipping each employee with a physical security key. But she said as long as most employees continue to work remotely, this is probably a wise investment given the scale and aggressiveness of these voice phishing campaigns.

“The truth is some companies are in a lot of pain right now, and they’re having to put out fires while attackers are setting new fires,” she said. “Fixing this problem is not going to be simple, easy or cheap. And there are risks involved if you somehow screw up a bunch of employees accessing the VPN. But apparently these threat actors really hate Yubikey right now.”
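Why a security key cannot be phished the way a one-time code can, as an added illustration that is not part of the KrebsOnSecurity article: the origin the browser records and the relying-party ID hashed into the authenticator's response both name the site the user was actually on, and the server rejects any assertion whose origin is not its own. The code below is the server-side (relying party) check for the WebAuthn ceremony, the successor to the U2F protocol named in the article; the relying-party ID, allowed origin, challenge and the two assertions are constructed for the example, and signature verification over the assertion is out of scope here.

```python
"""Relying-party origin and rpId checks for a WebAuthn/U2F assertion
(added example, constructed data)."""
import base64
import hashlib
import json

RP_ID = "example.com"                        # constructed relying-party ID
ALLOWED_ORIGINS = {"https://vpn.example.com"}  # the only site that may present this credential


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_context(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str):
    """Check the parts of an assertion that bind it to the genuine site and
    session. Returns (ok, reason)."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "clientDataJSON is not valid"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # A phishing site's origin is recorded by the browser, not by the attacker.
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set (no button press)"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for what a browser places in clientDataJSON."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_auth_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 32-bit sign counter."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real servers generate this per login


def genuine_login():
    return verify_assertion_context(
        make_client_data("https://vpn.example.com", CHALLENGE),
        make_auth_data("example.com"), CHALLENGE)


def impostor_site_login():
    # Same key, same user, but the browser was on a look-alike domain.
    return verify_assertion_context(
        make_client_data("https://vpn-example-ticket.com", CHALLENGE),
        make_auth_data("vpn-example-ticket.com"), CHALLENGE)


def replayed_login():
    # Correct site, but an assertion captured for an earlier challenge.
    return verify_assertion_context(
        make_client_data("https://vpn.example.com", "old-challenge"),
        make_auth_data("example.com"), CHALLENGE)


if __name__ == "__main__":
    for name, fn in [("genuine", genuine_login), ("impostor", impostor_site_login),
                     ("replay", replayed_login)]:
        print(f"{name:9} -> {fn()}")
```

In practice the browser already refuses to exercise a credential registered for example.com from a look-alike domain, so the impostor case never reaches the server; the check above is the defence-in-depth layer that makes the property hold even if a client misbehaves. Contrast this with a one-time code, which carries no information about where it was typed.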

 Feed

PAC aims to prevent an attacker with the ability to read and write memory from executing arbitrary code. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC.

 Feed

Ubuntu Security Notice 4466-1 - Marc Aldorasi discovered that curl incorrectly handled the libcurl CURLOPT_CONNECT_ONLY option. This could result in data being sent to the wrong destination, possibly exposing sensitive information.

 Feed

Ubuntu Security Notice 4465-1 - It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. Various other issues were also addressed.

 Feed

Red Hat Security Advisory 2020-3504-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

 Feed

Red Hat Security Advisory 2020-3505-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

 Feed

Red Hat Security Advisory 2020-3501-01 - Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.4.2 serves as a replacement for Red Hat Single Sign-On 7.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include XML injection, denial of service, deserialization, and improper authorization vulnerabilities.

 Feed

Red Hat Security Advisory 2020-3495-01 - Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.4.2 security update on RHEL 6 serves as a replacement for Red Hat Single Sign-On 7.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2020-3496-01 - Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.4.2 security update on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2020-3497-01 - Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.4.2 security update on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.

 Feed

One new security technology we keep hearing about is Extended Detection and Response (XDR). This new technology merges multiple prevention and detection technologies on a single platform to better understand threat signals so that you don't need to purchase, integrate, and manage various control and integration technologies. Think of XDR as prepackaged EDR, NTA, UEBA (and perhaps other

 Feed

Cybersecurity researchers today took the wraps off a sophisticated, multi-functional peer-to-peer (P2P) botnet written in Golang that has been actively targeting SSH servers since January 2020. Called "FritzFrog," the modular, multi-threaded and file-less botnet has breached more than 500 servers to date, infecting well-known universities in the US and Europe, and a railway company, according

 Feed only

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! Drowning in alerts from many different sources and systems? Spending too much valuable time researching potential threats and vulnerabilities? You need Recorded Future Express, a new browser extension from the experts at … Continue reading "Prioritize alerts and jump-start your investigations with Recorded Future’s free browser extension. Sign up now."

2020-08
Aggregator history
Wednesday, August 19