Phishing: Old Attack Vector, New Targets and Tactics
Frequent visitors to my blog posts may have noticed that I love to make movie analogies when relating information security (InfoSec) concepts to real life, and this week is no exception. Michael Mann’s 2015 phenomenally terrible flop of an InfoSec movie Blackhat introduces technical inaccuracies that would even make CSI say “Yeah… that isn’t real.” The movie is best summed up by my wife’s comment of “Good eye candy (main star Chris Hemsworth), but incredibly far-fetched plot”. One glaring example of a technical inaccuracy is when a computer technician types browser.exe into a Linux command line to bring up the GUI web browser. *rolleyes* Another plot line revolves around the use of an NSA forensic tool to recreate partially deleted data/software using AI/Machine Learning/Algorithms/Pixie Dust/Hollywood Magic.
The protagonist and aforementioned eye candy Chris Hemsworth (who is a hacker-with-a-heart-of-gold felon looking for redemption) requires access to this tool to recreate a piece of malware that was used to melt down a nuclear reactor, using only a fragment of the recovered code. Since the NSA used this tool to reconstruct his malware and put Hemsworth behind bars, they are not willing to share that technology with him, even if it means preventing a terrorist attack. Hemsworth phones up an NSA lackey and social engineers the name of his manager. He then proceeds to send said manager an e-mail (conveniently his e-mail address is firstname.lastname@example.org) with a message to change his password, including an infected PDF titled “Password Guidelines.pdf”. After opening the password guidelines, the idiot boss is presented with a "change password" screen into which he enters his current password and his newly desired password. Just like that, our protagonist now has remote access to Fort Meade and access to the tool that ultimately landed him in jail. No two-factor, no IP address restriction, no behavioral analysis, no e-mail security, no common sense, I can go on for a while…
While phishing is not a new attack vector, for it has been scooping up credentials and personal information as long as I can remember, the targets and tactics have shifted over time. The state of InfoSec is best described as an arms race between security researchers and attackers (often state-sponsored with limitless resources). E-mail vendors like ProtonMail introduced encrypted-by-default e-mail with separate passwords for login and inbox decryption. Even if ProtonMail were breached, there would be no way to read the inboxes without the user's password. Google has made two-factor stupid simple. YubiKeys can be obtained for the cost of a dinner out. Despite these advances in making security more available and convenient, users still fall prey to basic phishing schemes, granting corporate access to outside attackers.
SMS as a second factor is better than nothing, but near worthless from a security perspective. Attackers have found ways to bypass two-factor at scale to attack political dissidents and reporters. Protecting valuable assets such as e-mail and banking goes hand in hand; both information and money are valuable. Almost a decade ago, the Zeus and SpyEye banking trojans bypassed traditional two-factor authentication by creating phishing pages for both the login page and the subsequent two-factor code entry page. The banking trojans would trick a user into entering these details into a fake website, then forward the user to a webpage indicating that the bank was undergoing planned maintenance and to try again later. In the background, the attackers would take these credentials in real time (since the two-factor code expires) and enter them into the legitimate bank’s website and drain the account.
Last month, Amnesty International issued a warning that political dissidents in the Middle East are being targeted by spear phishing campaigns in an effort to monitor their activities. On the heels of the disappearance of journalist Jamal Khashoggi, a frequent critic of the Saudi Crown Prince, dissidents and journalists should take notice and be more vigilant with their electronic activities. This is similar to China allegedly planting malware-laced versions of the messaging apps WeChat and WhatsApp (including on the traditionally more secure iOS) during Hong Kong’s Pro-Democracy Yellow Revolution (not to be confused with today’s Yellow Vest revolution in France). Attackers are using old tactics such as one-letter-off domains (e.g. “protonemail[.]ch” with an added “e”) or changing the top-level domain (e.g. “tutanota[.]org” instead of “.com”). Tools like the popular pen-testing tool Social Engineering Toolkit make cloning websites effortless. Not registering the .net and .org domains for an organization’s main domain is also largely negligent for such an important privacy service.
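The one-letter-off and TLD-swap tricks above are mechanical enough to check for automatically. The following is an added example, not code from the original post: it generates every domain one edit away from a protected domain (insertion, deletion, substitution, transposition) plus the TLD swaps, and classifies the domain in a link or sender address against that set. The protected domains and the list of alternative TLDs are assumptions for the example; a real deployment would load its own domain list and a full public-suffix list.

```python
import string
from urllib.parse import urlparse

# Domains the organization legitimately uses (constructed for this example).
PROTECTED = {"protonmail.ch", "tutanota.com"}
# TLDs an attacker might register instead of the real one (assumption; extend as needed).
ALT_TLDS = ["com", "net", "org", "ch", "co", "io"]
ALPHABET = string.ascii_lowercase + string.digits + "-"


def split_domain(domain):
    """Split 'label.tld' at the last dot."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def one_letter_off(label):
    """Every label reachable by one insertion, deletion, substitution or transposition."""
    variants = set()
    for i in range(len(label) + 1):
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i:])                # insertion
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                     # deletion
        for c in ALPHABET:
            variants.add(label[:i] + c + label[i + 1:])             # substitution
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    variants.discard(label)
    return variants


def lookalikes(domain):
    """All typosquat candidates for one protected domain: letter-off labels and TLD swaps."""
    label, tld = split_domain(domain)
    out = {f"{v}.{tld}" for v in one_letter_off(label)}
    out |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return out


# Map each candidate back to the domain it imitates, built once at start-up.
LOOKALIKE_INDEX = {}
for _d in PROTECTED:
    for _candidate in lookalikes(_d):
        LOOKALIKE_INDEX.setdefault(_candidate, _d)


def classify(url):
    """Return ('legit' | 'lookalike' | 'unknown', imitated_domain_or_None) for a URL."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    # Compare on the registrable part; assumes two-label domains (no public-suffix list here).
    parts = host.split(".")
    registrable = ".".join(parts[-2:]) if len(parts) >= 2 else host
    if registrable in PROTECTED:
        return "legit", registrable
    if registrable in LOOKALIKE_INDEX:
        return "lookalike", LOOKALIKE_INDEX[registrable]
    return "unknown", None


if __name__ == "__main__":
    for u in ("https://mail.protonmail.ch/login", "https://protonemail.ch/login",
              "https://tutanota.org/", "https://example.com/"):
        print(u, "->", classify(u))
```

The same candidate set is what you would hand to a registrar (defensive registration, as the paragraph suggests for .net and .org) or to a certificate-transparency monitor, so a newly issued Let’s Encrypt certificate for one of these names raises an alert before the first phishing mail lands.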
Phishing filters often look for words on a web page such as “Microsoft Login” or “Google Login” and other keywords to detect possible phishing attempts. New phishing campaigns will use an image of the webpage and only make the login fields interactive to circumvent traditional phishing controls. Add in a free SSL certificate from Let’s Encrypt and attackers have a very convincing website that will fool most users. Using tactics straight out of the banking trojan playbook to initially bypass two-factor, attackers can gain persistent access by logging into a user’s account and generating an “App Password”. This is a password that grants perpetual access to a user’s account, but only usable on one device; typically a device that does not support the two-factor login such as an Xbox, an out-of-date operating system, or a smart TV.
Privacy is about balancing security and convenience. After Hillary Clinton’s campaign manager John Podesta’s Gmail account was hacked during the 2016 US Presidential Elections, Google announced the release of their Advanced Protection Program (APP) that requires users to possess two hardware tokens in order to access their personal Gmail account. In addition to the hardware token requirement, Google disallows APP users the use of OAUTH for third party logins, requires the use of the official Gmail app for smartphones (sorry Windows Phone users), and implements a strict and lengthy password recovery process to prevent unauthorized account takeover. Google offers very strong privacy controls at the cost of usability, and users will need to determine if sacrificing the use of the native iOS mail app and carrying around a hardware token to access their email is worth very strong privacy controls. Hardware tokens such as the YubiKey from Yubico offer, in my opinion, the strongest protection against unauthorized access. Even if an attacker were to remotely compromise a machine through the use of a Remote Access Tool (RAT), YubiKeys require you to physically tap on the key to activate it as proof of physical presence. This has been so effective that every Google employee now carries a YubiKey and Google has reported zero unauthorized access since the mandate.
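Why a hardware token resists the real-time relay that defeated SMS and banking two-factor codes earlier in the post comes down to two properties: the key only signs after a physical touch, and what it signs includes the origin the browser (not the web page) reports. The block below is an added illustration, not Google’s or Yubico’s code, of both properties. It is deliberately simplified: a real U2F/FIDO2 key signs with a per-site ECDSA private key and the site verifies with the public key registered at enrollment; here an HMAC over the same client data stands in for that signature so the example runs with only the standard library. The two origins are example values taken from the post’s lookalike discussion.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://protonmail.ch"     # the relying party's own origin (example value)
PHISH_ORIGIN = "https://protonemail.ch"   # the one-letter-off lookalike from the post


class Token:
    """Stand-in for a hardware security key.

    A real key holds a per-site asymmetric key pair; an HMAC with a secret shared
    with the relying party stands in for the ECDSA signature in this example."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret

    def sign(self, challenge: bytes, origin: str, touched: bool) -> dict:
        # Proof of presence: no touch, no signature, even if malware on the host asks.
        if not touched:
            raise PermissionError("no physical touch: key refuses to sign")
        # The browser supplies `origin`; the page cannot lie about it.
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._secret, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "sig": sig}


class RelyingParty:
    """The real site: knows its own origin and the key registered at enrollment."""

    def __init__(self, origin: str, key_secret: bytes):
        self.origin = origin
        self._key_secret = key_secret
        self._outstanding = set()   # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, assertion: dict) -> tuple:
        expected = hmac.new(self._key_secret, assertion["client_data"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        data = json.loads(assertion["client_data"])
        if data["origin"] != self.origin:
            # This is the check a relayed 2FA code never gets: the code carries no origin.
            return False, f"origin mismatch: signed for {data['origin']}"
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self._outstanding:
            return False, "unknown or reused challenge"
        self._outstanding.discard(challenge)   # single use
        return True, "ok"


def run_scenarios() -> dict:
    """Three logins against the same key and site; returns each verdict."""
    secret = secrets.token_bytes(32)
    key, rp = Token(secret), RelyingParty(REAL_ORIGIN, secret)

    # 1. Honest login: browser at the real origin, user touches the key.
    honest = rp.verify(key.sign(rp.new_challenge(), REAL_ORIGIN, touched=True))

    # 2. Real-time relay: a lookalike site fetches a fresh challenge from the real
    #    site and passes it to the victim's browser, which reports the lookalike origin.
    relayed = rp.verify(key.sign(rp.new_challenge(), PHISH_ORIGIN, touched=True))

    # 3. Remote control of the victim's machine with nobody at the keyboard.
    try:
        key.sign(rp.new_challenge(), REAL_ORIGIN, touched=False)
        remote = (True, "signed")
    except PermissionError as exc:
        remote = (False, str(exc))

    return {"honest": honest, "relayed": relayed, "remote": remote}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:8s} -> {verdict}")
```

Scenario 2 is exactly the banking-trojan playbook applied to a security key, and it fails at the origin check rather than at the user: the victim can be fully fooled and the site still rejects the assertion. Scenario 3 is the RAT case from the paragraph above.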
If a state-sponsored attacker wants access to someone’s e-mail account, they will find a way to do it, and short of a good implementation of RFC 2549, there’s little average users can do to completely prevent it. However, there are many tools available today to make it harder and possibly prevent casual attackers, ex-lovers, or script kiddies from gaining unauthorized access. Good defense in depth, starting with user awareness training, e-mail security, and the use of secure web proxies with a cloud sandbox and SSL Inspection, helps mitigate phishing and spear phishing attacks. Reputation-based solutions that use DNS-based filtering and ingest threat feeds from industry leaders such as VirusTotal and PhishTank are not enough. A web proxy with SSL inspection will be able to inspect every element on a webpage to compare it against known bad assets as well as heuristically determine if a phishing webpage is attempting to circumvent traditional detective controls (TraceBusterBuster). The use of a cloud sandbox will protect users no matter where they are against malicious PDF files sent by Chris Hemsworth and any other attacker looking to compromise users’ passwords and machines to gain unauthorized access.
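To make the "inspect every element" point concrete, and to show why the image-only login pages described earlier slip past a keyword filter, here is an added example (not from the original post or any vendor product) of the kind of heuristic a proxy could run on decrypted page content. It parses the HTML with the standard-library parser, gathers the signals that matter (visible text, images, password fields), and compares a naive keyword match against an image-only-login heuristic. Both sample pages and the keyword list are constructed for the example, and the 40-character text threshold is an assumption to tune in practice.

```python
from html.parser import HTMLParser

# Words an older, text-matching phishing filter might look for (assumed list).
BRAND_WORDS = ("microsoft", "google", "sign in", "login", "password")
MIN_VISIBLE_TEXT = 40   # chars; a real login page has far more visible text than this


class PageSignals(HTMLParser):
    """Collect what a proxy-side heuristic would look at."""

    def __init__(self):
        super().__init__()
        self.visible_text = []
        self.images = 0
        self.password_inputs = 0
        self._hidden_depth = 0          # inside <script>/<style>, text is not visible

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._hidden_depth += 1
        elif tag == "img":
            self.images += 1
        elif tag == "input" and (attrs.get("type") or "text").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth and data.strip():
            self.visible_text.append(data.strip())


def analyze(html: str) -> dict:
    """Return the signals plus two verdicts: a keyword match and the image-only heuristic."""
    p = PageSignals()
    p.feed(html)
    p.close()
    text = " ".join(p.visible_text).lower()
    collects_credentials = p.password_inputs > 0
    return {
        "visible_chars": len(text),
        "images": p.images,
        "password_inputs": p.password_inputs,
        # What a text-keyword filter sees.
        "keyword_match": any(w in text for w in BRAND_WORDS),
        # A credential form with an image and almost no real text around it.
        "image_only_login": collects_credentials and p.images >= 1 and len(text) < MIN_VISIBLE_TEXT,
    }


# Constructed sample pages (not captured from any real site).
TEXT_LOGIN_PAGE = """<html><body>
<h1>Sign in</h1><p>Enter your e-mail address and password to continue to your mailbox.</p>
<form><input type="email" name="u"><input type="password" name="p"><button>Next</button></form>
</body></html>"""

IMAGE_LOGIN_PAGE = """<html><body><style>.f{position:absolute}</style>
<img src="login-screenshot.png">
<form class="f"><input type="email" name="u"><input type="password" name="p">
<input type="submit" value="Sign in"></form>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("text page", TEXT_LOGIN_PAGE), ("image page", IMAGE_LOGIN_PAGE)):
        print(name, analyze(page))
```

On the image page the only "Sign in" is an attribute value on the submit button and the rest of the branding lives in the screenshot, so the keyword check stays false while the credential form is still there; the structural heuristic catches it. The proxy can only do this after SSL inspection, which is why the paragraph ties the two together.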