PentesterLab.com – Exercises To Learn Penetration Testing

PentesterLab is an easy and straightforward way to learn the basics of penetration testing. It provides vulnerable systems in a virtual image, along with accompanying exercises that can be used to test and understand vulnerabilities. Just decide which course you want to follow, download it and start learning. You can easily run the course...

Read the full post at darknet.org.uk

A Phone Call, a Phish, and a Remote Access Trojan

In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim receives a phone call from the attacker, who impersonates an employee or business associate of the organization. The caller spoke in French and asked the victim to process an invoice that they were about to receive by email.

Figure 1 shows an example of an email received during one of the attacks. The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT).

Figure 1. Spear phishing attack email

There is evidence to suggest that these attacks began as early as February 2013; however, it was only more recently, in April, that phone calls were placed before the phishing email was sent to the victim. The attacks are currently localized to French organizations but have also included subsidiaries that operate outside of France.

Figure 2. Number of organizations compromised in each country

The attacker is well prepared and has clearly obtained the email address and phone number of the victim before the attack. The victims generally tend to be accountants or employees working within the financial department of these organizations. Since handling invoices is something they do on a regular basis, this lure has the potential to be quite convincing. Each element of the attack requires careful planning and contributes to its overall success rate.

Figure 3. Attack event cycle

It appears that the attacker’s motivation here is purely financial. Targeting employees who work with company finances likely provides access to sensitive company account information. These employees may also have the authority to facilitate transactions on behalf of the organization, which makes them a valuable target if the attacker gains access to the secure certificates required for online transactions or to confidential bank account information. The employees would also provide a useful source of information for subsequent social-engineering attacks: invoices and contract agreements give the attacker all of the elements (email, phone, and relevant purchase/sales agreements) needed to continue executing these well-prepared attacks.

These attacks are continuing to this day, and organizations should be aware of these increasingly sophisticated social-engineering attacks. The attacker may have only limited information, so asking additional questions on a call may help to determine the legitimacy of the request. Organizations also need to be aware that personally identifiable employee information that exists outside the enterprise, even in the form of an invoice, can be used against them if a business associate becomes compromised. Employees working with very sensitive information should store it in a secure location, ensure that it is encrypted, and only access it from a fully patched computer with adequate security solutions in place.

The Trojan used in these attacks is W32.Shadesrat, a Remote Access Trojan (RAT). W32.Shadesrat (a.k.a. Blackshades) is used by a variety of attackers of varying skill levels. A publicly available Trojan, it can be licensed for as little as $40-$100 a year. In June 2012, as part of a global sting operation carried out by the FBI, one of the contributors to the Blackshades project, Michael Hogue (a.k.a. xVisceral), was arrested. However, this RAT is still under active development and clearly shows no indication of going away any time soon.

Figure 4. Unique W32.Shadesrat infections, top 10 countries

Dear hacker: Please help us eavesdrop on our customers

Mobily, a Saudi Arabian telecommunications company with 4.8 million subscribers, is working on a way to intercept encrypted data sent over the Internet by Twitter, Viber, and other mobile apps, a security researcher said Monday.

Moxie Marlinspike, the pseudonymous cryptographer who has identified several security bugs in the Secure Sockets Layer protocol used to protect website transactions, said he learned of the project after receiving an e-mail from company officials. Carrying the subject line "Solution for monitoring encrypted data on telecom," it said the project was required by "the regulator." Marlinspike believed this meant the government of Saudi Arabia. In follow-up e-mails, the Mobily officials said they were looking for ways to bypass the protections built into the SSL and Transport Layer Security protocols so that telecom workers could monitor messages spreading terrorism.

"One of the design documents that they volunteered specifically called out compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception," Marlinspike wrote in a blog post. "A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities."
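The design document quoted above relies on a compelled certificate authority issuing certificates that chain to a trusted root. The standard defensive check against that is public-key pinning: a CA can issue a valid-looking certificate for any name, but it cannot reproduce the server's private key, so the hash of the certificate's SubjectPublicKeyInfo (SPKI) changes when an interception certificate is substituted. The following is an added example, not code from the Ars Technica article, from Mobily or from Marlinspike; it assumes the openssl command-line tool is installed, and the two self-signed certificates it generates (a "genuine" one and a "substitute" one for the same constructed name example.test) are constructed sample data standing in for the real server certificate and a CA-issued interception certificate.

```shell
#!/bin/sh
# Added example: SPKI public-key pinning check, as a defence against
# interception certificates issued by a compelled or compromised CA.
set -eu

# spki_pin FILE.pem -> base64(SHA-256(DER-encoded SubjectPublicKeyInfo)),
# the same pin format used by HTTP Public Key Pinning.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# check_pin FILE.pem EXPECTED_PIN -> exit status 0 if the certificate's
# public key matches the pinned value, 1 otherwise.
check_pin() {
  actual=$(spki_pin "$1")
  [ "$actual" = "$2" ]
}

# Constructed sample data (assumption): two self-signed certificates for the
# same name. "genuine" stands in for the real server certificate, "substitute"
# for a certificate a compelled CA might issue for an interception proxy.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mk_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=example.test" -days 1 >/dev/null 2>&1
}
mk_cert genuine
mk_cert substitute

# The pin a client would ship with: computed once from the genuine certificate.
PINNED=$(spki_pin "$WORK/genuine.pem")

# Usage: a substituted certificate still has a valid-looking name but a
# different public key, so the pin comparison fails.
if check_pin "$WORK/genuine.pem" "$PINNED"; then
  echo "genuine certificate: pin matches"
fi
if ! check_pin "$WORK/substitute.pem" "$PINNED"; then
  echo "substitute certificate: pin mismatch, possible interception"
fi
```

Pinning the SPKI hash rather than the whole certificate lets the server renew its certificate under the same key without breaking clients, and a backup pin for a second key kept offline avoids locking clients out if the primary key must be rotated.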
