Social Engineering will always win!

From time to time, my friends will send me phishing attacks that they receive.  Typically it starts the same way: an email or instant message asking them to go to some site and validate their credentials.  If you are anything like me, you become curious about how sophisticated the attacker is.

This attack started the same way, except instead of social media or email, it was an SMS asking a peer to validate their credentials to help “protect their account”.

[Image: Screenshot_20180202-091717.png]

Anyone with common sense will instantly notice that this is a crap shot by the attacker; that being said, you will see later that people still fall for it.  My friend thought they had submitted their information to it and asked me to investigate, so I dug in.

The first thing you notice when you check the domain registrar is that the domain name was just created (high probability it was registered just for this attack).  You will also note that it traces back to a .ru registrar.

Raw WHOIS Record

Domain name: EBAISECURITI.COM
Domain idn name: EBAISECURITI.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Domain ID:
Registrar WHOIS Server: whois.reg.com
Registrar URL: https://www.reg.com/
Registrar URL: https://www.reg.ru/
Registrar URL: https://www.reg.ua/
Updated Date: 2018-02-01
Creation Date: 2018-02-01T04:32:23Z  <--Red Flag
Registrar Registration Expiration Date: 2019-02-01
Registrar: Registrar of domain names REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant ID:
Registrant Name: Protection of Private Person
Registrant Street: PO box 87, REG.RU Protection Service
Registrant City: Moscow <-- Why would ebay be registered here
Registrant State/Province:
Registrant Postal Code: 123007
Registrant Country: RU
Registrant Phone: +7.4955801111
Registrant Phone Ext:
Registrant Fax: +7.4955801111
Registrant Fax Ext:
Registrant Email: EBAISECURITI.COM@regprivate.ru
Admin ID:
Admin Name: Protection of Private Person
Admin Street: PO box 87, REG.RU Protection Service
Admin City: Moscow
Admin State/Province:
Admin Postal Code: 123007
Admin Country: RU
Admin Phone: +7.4955801111
Admin Phone Ext:
Admin Fax: +7.4955801111
Admin Fax Ext:
Admin Email: EBAISECURITI.COM@regprivate.ru
Tech ID:
Tech Name: Protection of Private Person
Tech Street: PO box 87, REG.RU Protection Service
Tech City: Moscow
Tech State/Province:
Tech Postal Code: 123007
Tech Country: RU
Tech Phone: +7.4955801111
Tech Phone Ext:
Tech Fax: +7.4955801111
Tech Fax Ext:
Tech Email: EBAISECURITI.COM@regprivate.ru
Name Server: a.dnspod.com 
Name Server: b.dnspod.com 
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018.02.02T17:27:08Z <<<

Even though everyone reading this already knows at this point that it is malicious, I kept investigating.  After setting up my VPN connection and firing up my dummy box, I decided to check out the page myself.

[Image: Capture.JPG]

Many red flags appear here:

  • the form POSTs unencrypted (that by itself should always be flagged)
  • it asked for credit card information
  • at the end, it redirected me to the eBay site (it wasn’t even smart enough to pass my creds along so that it looked like I had logged in)

So what is next?

This is the sucky part: watching a robbery happen and not being able to stop it or call someone who can.  You just get to watch them wave at you.  The only thing you can do is try to understand how this happened and what the scope is.

Nmap results show that this machine has two services running, WWW and SSH.  Interestingly enough, the SSH banner shows SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6 and HTTP comes back with nginx, but based on the responses they are virtually hosting more than a single site (a reverse DNS lookup did not yield much).

This appears to be an actor-procured environment, as it does not have any other client-related services or applications exposed.

Interestingly enough, a simple nikto/dirb run yields several files in the web root:

dirb http://www.ebaisecuriti.com -X .txt,.html

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

URL_BASE: http://www.ebaisecuriti.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.html) | (.txt)(.html) [NUM = 2]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://www.ebaisecuriti.com/ ----
+ http://www.ebaisecuriti.com/.hta.txt (CODE:403|SIZE:210) 
+ http://www.ebaisecuriti.com/.hta.html (CODE:403|SIZE:211) 
+ http://www.ebaisecuriti.com/.htaccess.txt (CODE:403|SIZE:215) 
+ http://www.ebaisecuriti.com/.htaccess.html (CODE:403|SIZE:216) 
+ http://www.ebaisecuriti.com/.htpasswd.txt (CODE:403|SIZE:215) 
+ http://www.ebaisecuriti.com/.htpasswd.html (CODE:403|SIZE:216) 
+ http://www.ebaisecuriti.com/cgi-bin/.html (CODE:403|SIZE:215) 
+ http://www.ebaisecuriti.com/db.txt (CODE:200|SIZE:21410) 
+ http://www.ebaisecuriti.com/index.html (CODE:200|SIZE:7443) 
+ http://www.ebaisecuriti.com/robots.txt (CODE:200|SIZE:65)

Interestingly enough, this attacker decided that no one would find their dump.  Watching the attacker, they log on semi-frequently to flush this file.  Checking the file, there are roughly 2000 lines in total, mostly looking legit.  Below is a sample showing only the non-legit entries.

 95.213.237.5:test:test:name:name :kkk:8979897:987897:98/79:877:ihiuh
 95.213.237.5:Df:df:Dd:Xd:Xx:Xx:Xxx:22/12:Dd:Dd

We legally cannot stop them, so now what?

Yup, I guess this is where the hat you wear determines your next course of action.  A simple Python script can be used to pull email addresses out of the db.txt file and email the impacted users.  Hopefully, they will immediately change their credentials.
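As an added example (not a script from the original post), here is that extraction step: it parses the colon-delimited db.txt layout shown above, pulls out every email address, de-duplicates the victims and builds a plain-text warning per victim. The sample dump is constructed (the two junk lines from the page plus made-up victims), and the notification wording is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample in the colon-delimited layout of the attacker's db.txt
# (source ip:login:password:...). The first two lines are the junk entries
# quoted above; the victims below them are made up.
SAMPLE_DB = """\
95.213.237.5:test:test:name:name :kkk:8979897:987897:98/79:877:ihiuh
95.213.237.5:Df:df:Dd:Xd:Xx:Xx:Xxx:22/12:Dd:Dd
203.0.113.10:alice@example.com:hunter2:Alice:Smith:1 Main St:Town:12345:<card>:01/20:123
203.0.113.11:Bob@Example.org:pa55w0rd:Bob:Jones:2 High St:Town:54321:<card>:11/21:321
203.0.113.10:alice@example.com:hunter2:Alice:Smith:1 Main St:Town:12345:<card>:01/20:123
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_dump(text):
    """Yield (source_ip, remaining_fields) for each non-empty line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        yield parts[0], parts[1:]


def impacted_emails(text):
    """Collect email addresses from any field, de-duplicated case-insensitively
    and kept in first-seen order so each victim is notified exactly once."""
    seen = OrderedDict()
    for _ip, fields in parse_dump(text):
        for field in fields:
            if EMAIL_RE.match(field):
                seen.setdefault(field.lower(), field)
    return list(seen.values())


def notification(email):
    """Plain-text warning for one victim; the captured password is never echoed."""
    return (
        f"To: {email}\n"
        "Subject: Your eBay login may have been phished\n\n"
        "A fake eBay login page at www.ebaisecuriti.com captured your login "
        "details. Change your eBay password now and enable two-factor authentication."
    )
```

Feed each message from notification() to smtplib.SMTP.sendmail() from a mailbox you control; the test submissions with no email address simply drop out.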

Also, uploading bogus data at a high frequency will cause the attacker's disk to fill up quickly and prevent further writes, or so they say.

Finally, putting this information out there can entice other, more aggressive good people to take the next steps.

Wrap up

There were many signs that could have been used to prevent this attack.  Web browsers should alert on newly registered domains.  Browsers should also alert any time a form POST happens over an unencrypted protocol (HTTP).  Finally, you have the “User” piece: the user should have seen that eBay was incorrectly spelled, and legit companies will never ask you to verify yourself by supplying your credentials and credit card information.  So the onus is on the user, but browsers need to do a better job of weeding out the low-sophistication attacks.
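As an added example (not code from the original post), the three checks from the wrap-up as a small detector: form action over plain HTTP, a domain label one character away from the brand name, and a WHOIS creation date only days before the page was seen. The WHOIS excerpt is constructed from the record quoted above, the observation time is that record's database timestamp, and the 30-day age threshold and single-substitution lookalike rule are my assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed excerpt in the layout of the raw WHOIS record quoted above;
# only the field the age check needs is kept.
WHOIS_SAMPLE = """\
Domain name: EBAISECURITI.COM
Creation Date: 2018-02-01T04:32:23Z
"""
# When the page was looked at (the WHOIS database timestamp from the record).
OBSERVED_AT = datetime(2018, 2, 2, 17, 27, 8, tzinfo=timezone.utc)


def whois_creation_date(record):
    """Return the 'Creation Date:' value as a UTC datetime, or None if absent."""
    m = re.search(r"^Creation Date:\s*(\S+)", record, re.M)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def looks_like_brand(label, brand="ebay"):
    """True when some window of `label` is within one substitution of `brand`
    (ebai, ebey, ...) but the label is not the real brand itself."""
    if label == brand:
        return False
    n = len(brand)
    return any(
        sum(a != b for a, b in zip(label[i:i + n], brand)) <= 1
        for i in range(len(label) - n + 1)
    )


def red_flags(form_action, whois_record, observed_at=OBSERVED_AT, max_age_days=30):
    """Run the three checks from the wrap-up and return the flags they raise."""
    flags = []
    url = urlparse(form_action)
    if url.scheme != "https":
        flags.append("login form posts over unencrypted HTTP")
    host = url.hostname or ""
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host  # naive: label before the TLD
    if looks_like_brand(sld):
        flags.append(f"domain {host} imitates the eBay brand")
    created = whois_creation_date(whois_record)
    if created is not None and (observed_at - created).days < max_age_days:
        flags.append(f"domain registered only {(observed_at - created).days} day(s) before use")
    return flags
```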
