Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant
Last Updated: 2012-10-26 19:56:14 UTC
by Russ McRee (Version: 1)
Here on Day 26 of Cyber Security Awareness Month, as the ISC focuses on standards, we received a very interesting email from David at Lamp Post Group, the IT provider for Access America Transport.
Per David: "Access America owns a US Trademark and the domain accessamericatransport.com. On Tuesday, October 23, a malicious user registered the domain accessamericatransport.net and immediately began sending phishing emails under the domain. Purporting to be Access America Transport, some emails were sent to several of our carriers with a link to a fake "Rate Confirmation" ("rate confirmations" is a normal term in the 3PL industry) or carrier "Claim" which in fact linked to an executable containing a virus."
There are a number of interesting elements here so let me parse them individually.
First, with an eye for security awareness specific to your domain names:
Depending on the "value" of your enterprise name space, you may want to ensure you own the related domain for all the major TLDs (com, net, org) and even consider some of the newer offerings (info, biz, us). Think about close possible squatter matches too. Using the example David sent us, phishers and attackers may buy domain names that closely match those related to your enterprise. While the attackers David reported simply acquired accessamericatransport.net, had that not been available, they might have created the likes of accessamericantransport.com or accessamericatransp0rt.com. It can definitely start to get expensive to buy the near names matches in addition to what should be all your known good domain names, but your Internet presence is your reputation. David's sharing this attack with us all is admirable transparency and an excellent lesson learned.
By the way, as we are weaving in discussion around standards, you should read the primary DNS-related RFCs. I'm always reminded about how little I know about DNS when I dig in here. Yes, DNS dig pun intended.
So, let's dig into the attack against Access America Transport:
Most importantly, they've recovered control of accessamericatransport.net and have posted warnings to their primary page.
The phishing emails sent from accessamericatransport.net included links to Zeus binaries hosted in the Ukraine(UA) in Eastern Europe (shocker) at 91.20x.20y.167 (slight obfuscation to protect the innocent). The binaries, when executed, phoned home to 193.10x.1y.163 (Seychelles(SC) in Southern Africa) and POSTed victim identifying data to the C&C app at 193.10x.1y.163/file.php. I spotted config files being downloaded including the likes of candy.dll and cit_video.module. This is in keeping with the Citadel Zeus variant; there's a nice writeup from 12 MAR 2012 on this behavior here.
Targeted Zeus attacks are nothing new, but in this case the analysis does seem to indicate a ramp up against the 3rd party logistics (3PL) industry. David indicated at least four other 3rd party logisitcs companies that have recently suffered similar "attention". The efforts against Access America allegedly even included a vishing attempt.
In summary, here's the BOLO (be on the lookout):
1) Protect your domain name interests with awareness of any names you lose control of that may be used against your consumers
2) 3rd party logistics (transportation) organizations, beware of a possible increase in phishing/vishing activity leading to dangerous malware
The ISC always appreciates your feedback. Readers, if you're seeing similar activty, please feel free to comment or send us samples.
Last Updated: 2012-10-26 17:33:21 UTC
by Adam Swanger (Version: 1)
Special Webcast: How To Create an Engaging Awareness Program People Want To Take - 3nd in Series
Tuesday, October 30, 2012 at 1:00 PM EDT (1700 UTC/GMT)
Featuring: Will Pelgrin, Chair of the MS-ISAC, President & CEO of the Center for Internet Security
Details and sign in at https://www.sans.org/webcasts/create-engaging-program-people-3nd-series-95539
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu