SANS ISC InfoSec Handlers Diary Blog

Fake Link removal requests

Published: 2013-03-29
Last Updated: 2013-03-30 00:05:47 UTC
by Chris Mohan (Version: 1)
1 comment(s)

 

Over the last month we’ve had three requests to remove a particular link belonging to a specific security vendor. We’re a nice enough bunch, and if there’s a good, honest reason to remove a link, we’ll consider it. What makes this interesting is that the requests weren’t from the company or any of its staff, and, finally, the reason why the removal was requested. We did contact the target company and let them know this was happening, but as the third request has only just come in, it’s worth bringing to your attention.
 
The emails looked like a reasonable, if somewhat odd, request, as normally the more links back to your company’s site, the better your ranking (a super simple explanation of search engines’ ranking, I know - but just go with it). As most webmasters are super sensitive to Google rule changes, they may have automatically complied, thinking this was something new.
 
I’ve changed the well-known security firm’s name and removed the single link they referenced on the ISC site. Here’s the first request, sent Fri 8/03/2013:

Subject: Link Removal Request
 
Hello
 
I am the webmaster for www.targetedsecurityproduct.com
In light of Google's newest algorithm change, I need to request that you remove every link to www.targetedsecurityproduct.com from your website.
 
Below is our link location:. http://ISC.Removed
 
I would greatly appreciate your immediate cooperation.
 
If it is not too much of a hassle, I would appreciate you letting me know once it has been removed. Thank you in advance for your cooperation.
 
Thank You
 
Leslie keemen

 
The email sender, allegedly leslie.keemen at gmail.com, is a red flag straight away as it’s not a company address; plus, the email was sent from a home broadband ISP in New Delhi, India, which is not the country this company is based in or has an office in either. Being good sports, we responded with a polite “Please confirm this request from a company email address and we’ll think about it” and, surprise, surprise, no response, while we talked to the targeted company to let them know about this email. Ten days later, Mon 18/03/2013, we received an identical request from the same email address and home broadband ISP in New Delhi, India. This one we ignored.
 
The third one, on Friday, 29 March 2013, changed tactics slightly: it was signed by "Matt" and the sender address was spoofed as links@targetedsecurityproduct.com. Happily for us, it was still from the same home broadband ISP in New Delhi, India.
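The three red flags the diary describes (a freemail sender claiming to be a company’s webmaster, a From address that does not match where the message actually came from, and repeat requests from one originating address) are easy to check mechanically. The following is an added example, not code from the diary or from the ISC; it parses raw messages with Python’s standard `email` module. The two sample messages are constructed here using the diary’s placeholder names, and the home-ISP hostname `dsl-203-0-113-7.home-isp.example`, the address 203.0.113.7 and the mail hosts `mx.isc.example` / `isc.example` are made up.

```python
"""Flag link-removal requests whose sender does not line up with the site
they claim to speak for (added example, not from the ISC diary)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Common freemail domains: a "webmaster" writing from one of these is suspect.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Originating hop in a Received header: "from <host> (<name> [<ip>]) by ..."
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\[\]]*)\[([0-9a-fA-F.:]+)\]\)")

# Constructed sample 1: freemail sender, sent from a home broadband line.
REQUEST_1 = """\
Received: from dsl-203-0-113-7.home-isp.example (dsl-203-0-113-7.home-isp.example [203.0.113.7]) by mx.isc.example with ESMTP; Fri, 8 Mar 2013 10:12:00 +0000
From: Leslie keemen <leslie.keemen@gmail.com>
To: handlers@isc.example
Subject: Link Removal Request

Hello

I am the webmaster for www.targetedsecurityproduct.com
In light of Google's newest algorithm change, I need to request that you remove every link to www.targetedsecurityproduct.com from your website.

Below is our link location: http://isc.example/removed-page
"""

# Constructed sample 3: From spoofed as the company, same home broadband line.
REQUEST_3 = """\
Received: from dsl-203-0-113-7.home-isp.example (dsl-203-0-113-7.home-isp.example [203.0.113.7]) by mx.isc.example with ESMTP; Fri, 29 Mar 2013 09:30:00 +0000
From: Matt <links@targetedsecurityproduct.com>
To: handlers@isc.example
Subject: Link Removal Request

Hello

I am the webmaster for www.targetedsecurityproduct.com
Please remove every link to www.targetedsecurityproduct.com from your website.

Below is our link location: http://isc.example/removed-page

Matt
"""


def claimed_domain(body):
    """Return the first site the request asks us to unlink, without 'www.'."""
    for raw_url in re.findall(r"(?:https?://|www\.)\S+", body):
        raw_url = raw_url.rstrip(".,;")
        url = raw_url if "://" in raw_url else "http://" + raw_url
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            return host
    return ""


def originating_hop(msg):
    """The last Received header is the earliest hop, i.e. closest to the sender."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(hdr)
        if m:
            return m.group(1).lower(), m.group(3)
    return "", ""


def flags_for(raw):
    """Return human-readable red flags for one raw message (empty list = none)."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    target = claimed_domain(msg.get_payload())
    host, ip = originating_hop(msg)
    flags = []
    if sender_domain in FREEMAIL:
        flags.append(f"freemail sender {sender_domain} claims to speak for {target}")
    elif target and sender_domain != target and not sender_domain.endswith("." + target):
        flags.append(f"sender domain {sender_domain} does not match {target}")
    if target and host and not host.endswith(target):
        flags.append(f"originating host {host} [{ip}] is not under {target}")
    return flags


def origins_seen(raws):
    """Count originating IPs across several requests to spot repeat senders."""
    counts = {}
    for raw in raws:
        _, ip = originating_hop(message_from_string(raw))
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for name, raw in (("request 1", REQUEST_1), ("request 3", REQUEST_3)):
        print(name, flags_for(raw))
    print("origins:", origins_seen([REQUEST_1, REQUEST_3]))
```

The spoofed third request has no freemail flag, but the originating hop still gives it away, and `origins_seen` ties it back to the earlier requests. Real Received chains are longer and can be forged below your own trusted hop, so only the hop added by your own mail server should be treated as authoritative.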
 
I’m making an assumption that this is an attempt to remove this company from search engine rankings as part of some search engine optimisation (SEO) campaign. Whether or not the company employing the SEO “firm” using Indian resources to make this unethical approach has approved these dubious methods, it is worthwhile keeping an eye on your company’s web ranking (if it is important to the business) for attacks like these. And if this were happening to me, I would classify it as a form of attack and open an incident response case.
 
Has anyone else seen these shady tactics used against them, or have an insight into what the actual end goal of these types of fake requests is?
 

Either write in to https://isc.sans.edu/contact.html#contact-form or reply below, I'd love to hear your thoughts on this.

Chris Mohan --- Internet Storm Center Handler on Duty

Keywords: email spoofing
1 comment(s)

Does your breach email notification look like a phish?

Published: 2013-03-29
Last Updated: 2013-03-29 01:51:24 UTC
by Chris Mohan (Version: 1)
5 comment(s)

 

With the continual cycle of systems being compromised and customer data being stolen, email notification is a fast, easy and direct method of sending warnings and advice to the unfortunate victims. It’s the one way, other than physical interaction (phone calls, personal visits while offering a warm cup of tea and a sad smile, or hiring street criers to call out the names of the afflicted in every town in the land…), that means all the right people do get notified, well, if they read their emails. It’s a de facto standard of communication, so surely we’ve worked out how to use it properly.
 
One group that uses email to great success is phishers. Here at the ISC, we get plenty of phishing emails, reader-submitted and those sent directly to us, from the nonsensical, incoherent jibber-jabber to those carefully and professionally crafted. The recent Mandiant report [1] highlights that even the top end of attackers uses phishing emails, making awareness programmes [2] for anyone that has an email address something that needs ticking off the to-do list one of these days.
 
So what has this got to do with breach notification emails? Glad you asked.
 
If you’re a security professional charged with protecting systems, networks or organisations, your incident response plan should have a thought-through section on communications before, during and after an incident. So if one or one million customer/user details suddenly appear on pastebin.com, you’ve advised on the pre-written notification email that management/PR/marketing are about to send out, right?
 
Tragically, that doesn’t seem to be the case. If you received an “Oops! Something bad has happened to your account/details” email, you may be shocked (or not) to notice a hyperlink in the body of the email. Okay, so the link in this case is to make life easier; the link may direct to a password reset page, more information on what happened, or even an apology. Here’s the but: with so many socially engineered phishing emails, why add a hyperlink at all? Why not stick with a clear statement to connect to the web site and follow the instructions on the /Security page?
 
For years we’ve been trying to teach anyone that will listen to, at minimum, hover over the hyperlink, and if it looks suspicious then don’t click on it, so why in such a crucial message does it suddenly become okay to drop a link in and expect the recipient to obediently click on it?
 
No, it is not. It’s yet another way of desensitizing and normalising bad practices for the sake of making the already exploited victim feel they have a quick way to fix their issue. In the best case scenario, let’s pretend that when the recipient checks the link it shows https: //myhackedsite.com.au\wearereallysorry\honest\passwdreset.html, which matches the company that sent out the notification. Surely this couldn’t get any worse?
 
Oh, dear reader, you know better than that! Amazingly, some notifications take that one step further and make an even bigger mistake. The hyperlinks in the email look something like this for our fictional site myhackedsite.com.au: http:// myhackedsite-domain.informuz.net/r/ukidDinGcjUucD9taT0zXYzwMjA1JnA9MSZ1PTEwUTUwMzA1MDAmbGk9MTU1NTQxNjU/index.html
 
Let’s pause for a moment and enjoy the pure insanity, and listen to the sounds of the phishers cackling incredulously, then frantically rushing to be the first to flood inboxes with cloned copies to take advantage of a second round of pillaging against those that have already been victimized.
 
I can only ascribe this madness to a marketing/customer relations team attempting to outsource the notification process and simultaneously track those poor souls that decide to click on the link, in some form of “let’s see how many people this really hit so we can follow up with jolly marketing spam”.
 
If you receive one of these poorly thought-through emails, send a polite, but firm, note to those that sent it and their support desk, asking if they think it looks like a phishing email and whether they would click on the link, given they’ve lost your details once already.
 
I’m going to protect the guilty parties that send out poorly conceived, hyperlinked breach notification emails, but if you become a recipient I’d heartily recommend you raise the issue and start a conversation to stop this madness recurring endlessly.
 
At NO point am I suggesting that flashy HTML marketing-designed emails with hyperlinks that link to an exact location or the perfect thing you have to buy should be banned or outlawed. Who doesn’t love knowing what great offers on the stuff you might possibly like some Cyber Cloud AI-like entity has picked for you?
 
Breach notification emails telling you something bad has happened and you need to take urgent action should require the victim to go to the web site by typing in the URL by hand, not this downward-spiralling mistake of sending them easy-to-use hyperlinks. As any good penetration tester will tell you, “It only takes one click to own the network” [3], but remember there is always a person behind that decision to click. Let’s get rid of one daft way of making a bad situation worse and ditch those hyperlinked breach notification emails.
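The diary’s rule (no hyperlinks in a breach notification, and certainly none that leave the organisation’s own domain for a third-party redirector) can be enforced on the draft before PR sends it. The following is an added example, not code from the diary or from the ISC; it uses only Python’s standard library. The organisation domain myhackedsite.com.au and the tracker host myhackedsite-domain.informuz.net are the diary’s fictional names; the HTML draft around them is constructed here. It goes one step beyond the diary by also flagging the classic phishing shape where the visible link text names one host while the href points at another.

```python
"""Lint a draft breach notification for hyperlinks (added example, not from
the ISC diary). Every link is a finding; a link whose host is not the
organisation's own domain is the worst kind."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed draft: a tracker link disguised with the real site as its text,
# a legitimate https link, and a plain http link on the organisation's domain.
DRAFT = """\
<html><body>
<p>We are really sorry. Please reset your password at
<a href="http://myhackedsite-domain.informuz.net/r/ukidDinGcjUucD9taT0zXYzwMjA1JnA9MSZ1PTEwUTUwMzA1MDAmbGk9MTU1NTQxNjU/index.html">https://myhackedsite.com.au/security</a>.</p>
<p>More details: <a href="https://www.myhackedsite.com.au/security/faq.html">FAQ</a></p>
<p>Old notice: <a href="http://myhackedsite.com.au/security">myhackedsite.com.au/security</a></p>
</body></html>
"""

HOST_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def strip_www(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def same_org(host, org_domain):
    """True when host is org_domain itself or a subdomain of it."""
    host = strip_www(host)
    return host == org_domain or host.endswith("." + org_domain)


def lint_notification(html, org_domain):
    """Return (severity, message) findings; an empty list means no links at all."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            findings.append(("high", f"non-web or malformed link: {href!r}"))
        elif not same_org(host, org_domain):
            findings.append(("high", f"link leaves {org_domain}: {host} "
                                     "(looks like a third-party redirector/tracker)"))
        elif url.scheme != "https":
            findings.append(("medium", f"plain http link to {host}"))
        else:
            findings.append(("low", f"hyperlink to {host}; tell the reader to type "
                                    f"{org_domain} by hand instead"))
        # Visible text naming a different host than the href is the phishing shape.
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and host and strip_www(shown.group(0)) != strip_www(host):
            findings.append(("high", f"text shows {shown.group(0)} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_notification(DRAFT, "myhackedsite.com.au"):
        print(f"[{severity}] {message}")
```

A draft that passes with no findings is one that tells the recipient to type the address themselves, which is exactly the outcome the diary asks for; anything rated high should not leave the building.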
 
[1] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf 
[2] As an example http://www.securingthehuman.org/resources/planning
[3] http://www.slideshare.net/brycegalbraith/why-are-our-defenses-failing-one-click-is-all-it-takes
 

Chris Mohan --- Internet Storm Center Handler on Duty

Keywords: Notification phish
5 comment(s)