Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant

Published: 2012-10-26
Last Updated: 2012-10-26 19:56:14 UTC
by Russ McRee (Version: 1)
3 comment(s)

Here on Day 26 of Cyber Security Awareness Month, as the ISC focuses on standards, we received a very interesting email from David at Lamp Post Group, the IT provider for Access America Transport.

Per David: "Access America owns a US Trademark and the domain accessamericatransport.com. On Tuesday, October 23, a malicious user registered the domain accessamericatransport.net and immediately began sending phishing emails under the domain. Purporting to be Access America Transport, some emails were sent to several of our carriers with a link to a fake "Rate Confirmation" ("rate confirmations" is a normal term in the 3PL industry) or carrier "Claim" which in fact linked to an executable containing a virus."

There are a number of interesting elements here so let me parse them individually.
First, with an eye for security awareness specific to your domain names:
Depending on the "value" of your enterprise name space, you may want to ensure you own the related domain for all the major TLDs (com, net, org) and even consider some of the newer offerings (info, biz, us). Think about close possible squatter matches too. Using the example David sent us, phishers and attackers may buy domain names that closely match those related to your enterprise. While the attackers David reported simply acquired accessamericatransport.net, had that not been available, they might have created the likes of accessamericantransport.com or accessamericatransp0rt.com. It can definitely start to get expensive to buy the near names matches in addition to what should be all your known good domain names, but your Internet presence is your reputation. David's sharing this attack with us all is admirable transparency and an excellent lesson learned.
By the way, as we are weaving in discussion around standards, you should read the primary DNS-related RFCs. I'm always reminded about how little I know about DNS when I dig in here. Yes, DNS dig pun intended.

So, let's dig into the attack against Access America Transport:
Most importantly, they've recovered control of accessamericatransport.net and have posted warnings to their primary page.
The phishing emails sent from accessamericatransport.net included links to Zeus binaries hosted in the Ukraine(UA) in Eastern Europe (shocker) at 91.20x.20y.167 (slight obfuscation to protect the innocent). The binaries, when executed, phoned home to 193.10x.1y.163 (Seychelles(SC) in Southern Africa) and POSTed victim identifying data to the C&C app at 193.10x.1y.163/file.php. I spotted config files being downloaded including the likes of candy.dll and cit_video.module. This is in keeping with the Citadel Zeus variant; there's a nice writeup from 12 MAR 2012 on this behavior here.
Targeted Zeus attacks are nothing new, but in this case the analysis does seem to indicate a ramp up against the 3rd party logistics (3PL) industry. David indicated at least four other 3rd party logisitcs companies that have recently suffered similar "attention". The efforts against Access America allegedly even included a vishing attempt.

In summary, here's the BOLO (be on the lookout):
1) Protect your domain name interests with awareness of any names you lose control of that may be used against your consumers
2) 3rd party logistics (transportation) organizations, beware of a possible increase in phishing/vishing activity leading to dangerous malware

The ISC always appreciates your feedback. Readers, if you're seeing similar activty, please feel free to comment or send us samples.
 

Russ McRee | @holisticinfosec

 

3 comment(s)

Securing the Human Special Webcast - October 30, 2012

Published: 2012-10-26
Last Updated: 2012-10-26 17:33:21 UTC
by Adam Swanger (Version: 1)
0 comment(s)

Special Webcast: How To Create an Engaging Awareness Program People Want To Take - 3nd in Series

Tuesday, October 30, 2012 at 1:00 PM EDT (1700 UTC/GMT)

Featuring: Will Pelgrin, Chair of the MS-ISAC, President & CEO of the Center for Internet Security

Details and sign in at https://www.sans.org/webcasts/create-engaging-program-people-3nd-series-95539

--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu

0 comment(s)
ISC StormCast for Friday, October 26th 2012 http://isc.sans.edu/podcastdetail.html?id=2899

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives