Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant

Published: 2012-10-26
Last Updated: 2012-10-26 19:56:14 UTC
by Russ McRee (Version: 1)
3 comment(s)

Here on Day 26 of Cyber Security Awareness Month, as the ISC focuses on standards, we received a very interesting email from David at Lamp Post Group, the IT provider for Access America Transport.

Per David: "Access America owns a US Trademark and the domain accessamericatransport.com. On Tuesday, October 23, a malicious user registered the domain accessamericatransport.net and immediately began sending phishing emails under the domain. Purporting to be Access America Transport, some emails were sent to several of our carriers with a link to a fake "Rate Confirmation" ("rate confirmations" is a normal term in the 3PL industry) or carrier "Claim" which in fact linked to an executable containing a virus."

There are a number of interesting elements here so let me parse them individually.
First, with an eye for security awareness specific to your domain names:
Depending on the "value" of your enterprise name space, you may want to ensure you own the related domain for all the major TLDs (com, net, org) and even consider some of the newer offerings (info, biz, us). Think about close possible squatter matches too. Using the example David sent us, phishers and attackers may buy domain names that closely match those related to your enterprise. While the attackers David reported simply acquired accessamericatransport.net, had that not been available, they might have created the likes of accessamericantransport.com or accessamericatransp0rt.com. It can definitely start to get expensive to buy the near-name matches in addition to what should be all your known good domain names, but your Internet presence is your reputation. David's sharing this attack with us all is admirable transparency and an excellent lesson learned.
By the way, as we are weaving in discussion around standards, you should read the primary DNS-related RFCs. I'm always reminded about how little I know about DNS when I dig in here. Yes, DNS dig pun intended.
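To make the "near-name match" idea concrete, here is a small checker (an added example, not code from the diary or from Access America Transport) that flags sender domains which look like your legitimate domain: the same name under another TLD, a one-character typo such as an inserted letter, or a digit standing in for a letter. The sender list below is constructed sample data, and the registrable-domain split assumes a single-label public suffix (com, net, org), not multi-part suffixes like co.uk.

```python
"""Flag sender domains that impersonate a legitimate domain (typosquat / TLD-squat check)."""
from typing import Dict, Iterable, Optional, Tuple

# Digits commonly used to imitate letters in look-alike domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(domain: str) -> Tuple[str, str]:
    """Split a hostname into (second-level label, TLD), ignoring any subdomains.
    Assumption: single-label public suffix (com, net, ...), not e.g. co.uk."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(sender_domain: str, legit_domain: str, max_distance: int = 1) -> Optional[str]:
    """Return a reason string if sender_domain impersonates legit_domain, else None."""
    s_label, s_tld = registrable(sender_domain)
    l_label, l_tld = registrable(legit_domain)
    if (s_label, s_tld) == (l_label, l_tld):
        return None  # the real domain itself, or one of its subdomains
    s_norm = s_label.translate(HOMOGLYPHS)
    if s_norm == l_label:
        if s_label != l_label:
            return "homoglyph substitution"
        return f"same name under .{s_tld} instead of .{l_tld}"
    if edit_distance(s_norm, l_label) <= max_distance:
        return f"near-name match (edit distance <= {max_distance})"
    return None


def flag_senders(sender_domains: Iterable[str], legit_domain: str) -> Dict[str, str]:
    """Return {domain: reason} for every sender domain that looks like legit_domain."""
    hits = {}
    for dom in sender_domains:
        reason = classify(dom, legit_domain)
        if reason:
            hits[dom] = reason
    return hits


# Constructed sample of sender domains as they might appear in a mail gateway log.
SAMPLE_SENDERS = [
    "accessamericatransport.com",
    "mail.accessamericatransport.com",
    "accessamericatransport.net",
    "accessamericantransport.com",
    "accessamericatransp0rt.com",
    "carrier-example.com",
]

if __name__ == "__main__":
    for dom, why in flag_senders(SAMPLE_SENDERS, "accessamericatransport.com").items():
        print(f"{dom}: {why}")
```

Run against your own mail logs, the three flagged entries in the sample are exactly the kinds of names the diary warns about; the legitimate domain and its subdomain pass, and an unrelated carrier domain is left alone. Raising max_distance catches more variants at the cost of more false positives on genuinely similar names.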

So, let's dig into the attack against Access America Transport:
Most importantly, they've recovered control of accessamericatransport.net and have posted warnings to their primary page.
The phishing emails sent from accessamericatransport.net included links to Zeus binaries hosted in the Ukraine (UA) in Eastern Europe (shocker) at 91.20x.20y.167 (slight obfuscation to protect the innocent). The binaries, when executed, phoned home to 193.10x.1y.163 (Seychelles (SC) in Southern Africa) and POSTed victim identifying data to the C&C app at 193.10x.1y.163/file.php. I spotted config files being downloaded including the likes of candy.dll and cit_video.module. This is in keeping with the Citadel Zeus variant; there's a nice writeup from 12 MAR 2012 on this behavior here.
Targeted Zeus attacks are nothing new, but in this case the analysis does seem to indicate a ramp up against the 3rd party logistics (3PL) industry. David indicated at least four other 3rd party logistics companies that have recently suffered similar "attention". The efforts against Access America allegedly even included a vishing attempt.
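The check-in and config-download behavior described above is something you can hunt for in proxy logs. The script below is an added example (not code from the diary) that parses a simplified proxy log format and flags a POST to a file.php gateway on a bare IP address, plus downloads of the candy.dll and cit_video.module names mentioned above. The log lines and the 203.0.113.45 address are constructed test data, not the obfuscated addresses from the diary.

```python
"""Hunt proxy logs for the Citadel/Zeus pattern the diary describes:
a POST to a file.php C&C gateway on a bare IP, then config-module downloads."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# File names the diary reports being pulled down after the check-in.
SUSPICIOUS_FILES = ("candy.dll", "cit_video.module")

# Constructed log lines in a simplified format: ts client method url status
SAMPLE_LOG = """\
2012-10-24T09:01:02Z 10.1.2.3 GET http://www.example.com/index.html 200
2012-10-24T09:02:10Z 10.1.2.3 POST http://203.0.113.45/file.php 200
2012-10-24T09:02:11Z 10.1.2.3 GET http://203.0.113.45/candy.dll 200
2012-10-24T09:02:12Z 10.1.2.3 GET http://203.0.113.45/cit_video.module 200
2012-10-24T09:05:00Z 10.1.2.9 GET http://files.example.org/report.pdf 200
2012-10-24T09:06:00Z 10.1.2.9 POST http://forum.example.net/post.php 302
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict with host/path split out, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    rec["host"] = u.group("host") if u else ""
    rec["path"] = (u.group("path") or "/") if u else ""
    return rec


def reasons_for(rec: dict) -> List[str]:
    """Return the list of reasons a parsed request looks like Citadel activity."""
    out = []
    path = rec["path"].lower()
    name = path.rsplit("/", 1)[-1]
    # Check-in: a POST to .../file.php where the host is a raw IPv4 address, not a name.
    if rec["method"] == "POST" and path.endswith("/file.php") and IPV4_RE.match(rec["host"]):
        out.append("POST to file.php on a bare IP address (possible C&C check-in)")
    if name in SUSPICIOUS_FILES:
        out.append(f"download of Citadel config module {name}")
    return out


def hunt(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group suspicious requests by client: {client: [(ts, url, reason), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for why in reasons_for(rec):
            hits[rec["client"]].append((rec["ts"], rec["url"], why))
    return dict(hits)


if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOG).items():
        print(client)
        for ts, url, why in events:
            print(f"  {ts} {url}  <- {why}")
```

In the sample only client 10.1.2.3 is reported, with the check-in followed by both module downloads; the second client's POST to an ordinary forum script is ignored because neither the path nor the bare-IP host matches. A single hit is a lead, not a verdict; the value is in seeing the check-in and the module downloads together from one host within seconds.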

In summary, here's the BOLO (be on the lookout):
1) Protect your domain name interests with awareness of any names you lose control of that may be used against your consumers
2) 3rd party logistics (transportation) organizations, beware of a possible increase in phishing/vishing activity leading to dangerous malware

The ISC always appreciates your feedback. Readers, if you're seeing similar activity, please feel free to comment or send us samples.

Russ McRee | @holisticinfosec


Comments

Two critical early warning items to watch: registrant domain changes by username and by domain name.

With DomainTools it is possible to get an email whenever a change is made by your registrar login. Be sure to choose a unique username, however. Changes to domains with selected names can also trigger an alert. If the alert phrase is generic, e.g., "name" alerts on similar names such as "name2" will be generated.

Hopefully the alert comes soon enough to reverse the theft.
Thank you, Russ, for posting an excellent analysis. It's been an interesting last 4 days...

@Gordon- Yes, that's an excellent point. I'll wholeheartedly agree. Unfortunately for us, the .net website wasn't even registered by anyone to begin with. As soon as we discovered that someone had registered it, however, we did everything we could to gain control of it.
> Think about close possible squatter matches too.

Google should have thought about that -- my aunt accessed 'www.gooogle.ca', and got very-unexpected results.
