un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

First off the bat are a couple of posts in which I’ve had direct (some would say intimate) involvement.

BeEF QR Fun – Summarising some of the salient points from my OWASP AppSecAPAC 2012 presentation (Shake Hooves with BeEF), I finally pulled my finger out and posted for the BeEF blog. Mainly focusing on custom mount points in BeEF with iFrame target-site impersonation, plus a dabbling of QR-codedness, the post hopes to demonstrate a few different methods to fit BeEF into your social engineering methodology.

Anonymous Post-Compromise Control via Tor Hidden Services – My colleague Dave somehow managed to wrangle up an opus on utilising Tor to anonymise backdoor connectivity to compromised hosts over the Christmas period. Knowing Dave’s relationship with beer I’m surprised that he still had the brain power to push this out (:P). If you have any interest in Metasploit and Tor then you should check out his post.

And now onto other security stuff..

Minion – Automating Security for Developers – There are a few different open source security automation projects going on at the moment (I mentioned Codesake recently), but this one looks pretty interesting. It seems to be fairly modular (currently it appears to interface with ZAP, Skipfish and Garmr). The demo video seems really interesting, very point and click. For developers, this may be an ideal ‘step’ in their SDLC to catch bugs sooner.

Red October – There’s been quite a bit of noise about this attack recently. This was one of the first blog posts I read that seemed to provide a clear summary, with further links into the Kaspersky reports. This long-term campaign has apparently been targeting embassies and other governmental agencies (including defence) for the past 5 years.

Non-Negotiable Elements of a Secure Software Development Process: Part 2 – Nick Coblentz has been posting these great articles on elements of a secure systems or software development lifecycle which are non-negotiable. Part 1 started with security requirements, while this post is focused on security architecture, configuration and other patterns. If you’re working on embedding security into your development lifecycle definitely keep in the loop on Nick’s posts.

Man-in-the-Middle Attacks Against Browser Encryption – Schneier recently posted a summary of how Nokia are intercepting HTTPS channels to offer better data transmission speeds over slower networks through compression and other means. This is really similar to a 2009 post of mine talking about how Opera Mini was doing the same thing.

Defeating AES Without a PhD – Dan Crowley writes up an excellent post on leveraging some of Burp Intruder’s trickier settings to understand (and attack) encrypted parameters within web apps. (Dan’s a great guy, was happy to have a few beers with him while he was down in Sydney last year).

Bouncer’s Laser Precision Phishing – RSA have posted an article on a particular phishing kit (i.e. a pre-canned tool used to create or implement phishing sites) which uses a unique URL for each recipient (so this kit includes the email/spam component too) to ensure that the site is only accessible (at least initially) by the intended victim. I’m sure there are ways to bypass this, but it certainly may fool some simple phishing detection tools (such as those used by finance and other sectors when they analyse abuse mailboxes, email bounce-backs etc).

Okay, enough with the security stuff .. (Fine! .. here’s one article..)

Monkey Island Insult Swordfighter in your Browser – for those fans of the original Monkey Island point and click adventure games you should check this out! This guy has ported a collection of the insult sword-fighting challenges to the browser..



“Hey girl in your eyes
I see a picture of me all the time
(step!)”

Which is roughly how this new mechanism works to provide a second factor of authentication using an out of band mechanism. After submitting a payment, a “Cronto Visual Cryptogram” (a picture) is displayed which has to be decrypted by your mobile phone (or other device) providing you with a code you then have to enter into your payment page.

Similar to SMS 2FA (or at least well-implemented SMS 2FA), the “cryptogram” can include other textual information such as payment details. This should hopefully prevent fraudulent transactions from being “authorised” via the channel, such as those generated by a “man-in-the-browser” trojan.

Whilst I haven’t really had time to process the benefits and disadvantages (mobile phone compatibility?) of this mechanism, I’m quite happy to hear that innovative research is still being done in this space. Interesting…

(Thank you SBN feed for bringing this article to my attention!)



Whilst phishers, or at least the guys who make and distribute the kits, have been relatively good at keeping their methods up to date with changes in Internet technology (Twitter phish anyone?), it’s still not uncommon to find the odd scammer who runs a phish site as though it were still the 90s. You can sometimes tell these guys apart from the rest by their general lack of HTML and CSS knowledge.

One of the tell-tale signs I’ve noticed over the past year or so is an inability to recreate an HTML button whose image comes from CSS rather than from the markup itself. For example, where the HTML is similar to:

<input type="image" class="loginbutton" src="blank.gif" style="height:30px;width:80px;" />

And the CSS is similar to:

.loginbutton {background-image: url(actualbutton.jpg); background-repeat:no-repeat;}

Because this prevents the user from right clicking the button and choosing “Save Image As..”, you’ll find that instead of going through the CSS to find where the ACTUAL button image is (actualbutton.jpg) they’ll take a screenshot of the page and recreate the image from there.

Another sign is the “Mark of the Web” (MotW). The MotW was created back in the days of IE 4.0 as a mechanism for an HTML page to run in a different security zone than the one it would otherwise be placed in. For example, if you want to test an HTML page locally but make sure it runs in the Internet zone, you can set the MotW within the HTML page to “about:internet”. An example MotW is:

<!-- saved from url=(0022)http://www.google.com/ -->

The four digits in parentheses are the length, in characters, of the URL that follows (22 for http://www.google.com/).

Now you might be wondering whether this allows a page out there on the Internet to run in the more privileged “Local” security zone in IE. It doesn’t: IE only honours the MotW when the zone it names is more restrictive than the Local zone, so the mark can lower a page’s privileges but never raise them.

So what’s this got to do with phishing? Well, when you save a page in IE, it inserts the MotW into the saved HTML as the URL of the site. So for example, if the login page the phishers want to impersonate is http://www.twitter.com, then the saved HTML would include

<!-- saved from url=(0023)http://www.twitter.com/ -->

Of course, when they setup their phishing site the URL won’t be that, it’ll be something like http://i.hacked.some.joomla.server.com/images/twitterphish/index.html. Naturally this URL does not match what is specified in the MotW within phished content at index.html.

Surely you’d think that the guys setting up these phishing kits would look at the HTML and remove these sorts of things? Sometimes yes, but sometimes no. Often the only thing they have to change is where the login form POSTs to. So instead of POSTing to itself, they’ll then change their phishing content to post to some mailer script at “mailer.php” or whatever.

As far as I know, none of the browsers look at the MotW for anything except IE, which uses it for security zones. I’m unsure whether any of the Google or Yahoo toolbars check the MotW for discrepancies. Whilst not entirely accurate, and likely to lead to some false positives, I thought it was worthwhile to look at anyway. This is where “Mark of the Phish” (MotP) was born.

MotP is a Greasemonkey script (that means Firefox only, folks!) that looks at the MotW comment in HTML documents and, if it does NOT match the current URL, pops up an alert asking whether you want to continue. This is primarily a proof of concept to determine whether this type of early detection would work at all in the real world. It’s difficult for me (or even perhaps anyone who reads this?) to tell, because as professional security folks we’re tuned to detect a dodgy site regardless of what’s included within the HTML, MotW or not.
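To make the check concrete, here is a small JavaScript version of the idea, written for this page from the description above rather than taken from the actual MotP script. It parses the MotW comment (including the four-digit length field), compares the host the page claims to have been saved from with the host it is actually being served from, and, when run as a userscript in a browser, prompts before continuing. The sample HTML and hostnames are constructed for the example; comparing only the hostname rather than the full URL is a choice made here to reduce false positives, since a saved login page re-served from a different path would otherwise always differ.

```javascript
// Added example for this page: a "Mark of the Phish"-style check written
// from the post's description, not the author's actual Greasemonkey script.
// It parses IE's "saved from url" comment (the Mark of the Web) out of an
// HTML document, verifies the four-digit length field, and compares the
// host the page claims to have been saved from with the host it is actually
// being served from.

// Matches e.g. <!-- saved from url=(0023)http://www.twitter.com/ -->
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

// Pull the MotW out of an HTML string. Returns null if there is no mark.
function parseMotW(html) {
  const m = MOTW_RE.exec(html);
  if (!m) return null;
  const declaredLength = parseInt(m[1], 10);
  const url = m[2];
  return { url, declaredLength, lengthOk: declaredLength === url.length };
}

// Compare the MotW origin with the URL the page was loaded from.
// Only the hostname is compared (an assumption made here to cut false
// positives: a saved /login page re-served as /index.html would otherwise
// always differ in path).
function checkMotW(html, currentUrl) {
  const motw = parseMotW(html);
  if (!motw) return { verdict: 'no-motw', motw: null };
  let motwHost, currentHost;
  try {
    motwHost = new URL(motw.url).hostname.toLowerCase();
    currentHost = new URL(currentUrl).hostname.toLowerCase();
  } catch (e) {
    return { verdict: 'unparseable', motw };
  }
  const verdict = motwHost === currentHost ? 'match' : 'mismatch';
  return { verdict, motw, motwHost, currentHost };
}

// Constructed sample: a Twitter login page saved with IE and re-hosted on a
// compromised server, as described in the post (hostnames are illustrative).
const SAMPLE_HTML = `<!DOCTYPE html>
<!-- saved from url=(0023)http://www.twitter.com/ -->
<html><body><form method="post" action="mailer.php"></form></body></html>`;
const SAMPLE_LOCATION =
  'http://i.hacked.some.joomla.server.com/images/twitterphish/index.html';

// Browser/userscript entry point. IE writes the MotW before <html>, so in a
// live DOM it is a comment node that is a sibling of documentElement and not
// part of documentElement.outerHTML; collect top-level comment nodes instead.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const topLevelComments = Array.from(document.childNodes)
    .filter((n) => n.nodeType === Node.COMMENT_NODE)
    .map((n) => '<!--' + n.data + '-->')
    .join('\n');
  const result = checkMotW(topLevelComments, location.href);
  if (result.verdict === 'mismatch' &&
      !confirm('This page says it was saved from ' + result.motwHost +
               ' but is being served from ' + result.currentHost +
               '. Continue?')) {
    window.stop(); // stop loading the page if the user declines
  }
}

if (typeof module !== 'undefined') {
  module.exports = { parseMotW, checkMotW, SAMPLE_HTML, SAMPLE_LOCATION };
}
```

Run outside a browser (e.g. under Node) the script only defines and exports the functions; dropped into Greasemonkey it runs the check against the live page. A mark whose declared length does not match the URL is flagged via `lengthOk`, which is a cheap sign that someone has hand-edited the comment.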

In an ideal world this functionality could be built into anti-phishing toolbars, or perhaps into the browser itself. I’m also aware that this is only a temporary detection, you would assume that Darwin’s theory of natural selection would eventually weed out all the phishers creating useless phishing kits, and slowly but surely the guys making the effective kits would get better at reviewing their HTML before rolling it out. Until that point though, perhaps every little bit helps. Tell me what you think.



The phishers out there are spreading their nets wider and wider. First it was the McPhish, where scammers were offering $75 credit if you filled in a survey about your McDonalds eating habits, and then it was the Phish Day Out (Big Day Out phish).

For all you non-Aussies asking yourself what the Big Day Out is, well, the BDO is one of Australia’s largest music festivals; it tours around the country from the end of January, finishing up here in Perth in early February. The past few years I’ve seen some terrific bands at the BDO, including some of my all time favourite acts, Tool, Rage Against The Machine, The Mars Volta, The Killers and a whole bunch more. From the BDO press release:

Big Day Out has become aware of an internet phishing scam whereby individuals have received an email claiming to be on behalf of Ticketmaster and Facebook, stating that the recipient has won VIP passes to the Big Day Out.

The email then requests that the recipient provide personal identification information including passport, birth certificate, drivers licence, health care card, Medicare card or bank statements.

This email is fraudulent and should not be responded to.
It is not authorised by the Big Day Out, Ticketmaster or Facebook.

What disturbs me about this is that, to my knowledge, this is one of the first targeted phishing scams in Australia that focuses on a single event and is solely interested in gathering Personally Identifying Information (PII). They’re not looking to directly take your credit card details (although I’m sure they’re looking for that too), but to gather all the other information they need to take over your identity and therefore allow them to open bank accounts and all sorts of other nasty ID theft things (wiki).

Whether it’s consumers wising up to scams and not divulging their credit card information over the Internet, or the scammers are making better money on-selling PII as opposed to CC numbers, these types of scams will continue to increase. Not just in the information they’re trying to pilfer, but their use of current events.

For all you people out there who don’t know this already (I’m not entirely sure who you are, but there’s no harm in repeating the message):

You should NEVER give out your personal or bank account details to somebody you don’t know and trust.

Don’t be fooled by an email that looks legitimate or appears to link to a genuine website.

Please take care with your personal information!

For all you Aussies, check out www.scamwatch.gov.au.


