Tuesday, October 24, 2017

Cleaning and Gutting Phish for Beginners

To start with, beginners don’t usually clean phish but anyone can help to get the cleaning process started. Admitting that someone else has a problem is the first step toward fixing the problem! If it is your own website that is hosting a phish then it is up to you to clean it, or get help cleaning it.

Phishing links can be dangerous to click on as they may take you to a site with exploits. If you have a safe environment, such as a virtual machine or sandbox, then it is typically ok to follow the link, but be sure to replace the VM with a pristine copy or delete the contents of the sandbox afterwards.

When you receive an email that you suspect or know is a phish, share it with PhishTank before you delete it. The easiest way to get it to PhishTank is to forward the email to phish@phishtank.com. PhishTank makes phish available for people to validate. Security companies can also pull the information so as to block the phishing attacks more quickly. It is a great idea to sign up for an account at PhishTank. If you have the know-how to tell a phish from spam you can help by logging into PhishTank and evaluating some phish.

If the phish is attacking customers of a financial institution you might be able to contact the institution, but frequently it is hard to find where to report the phish. Sometimes you can message the affected company on social media and find out where they would like the phish forwarded to.
Sometimes you can let website owners know when their websites are being used to host the phishing pictures and kits.

Now let’s move along to gutting a phish. We will start with the small phish.

We’ve all seen these before. I particularly like the professional touches on this one such as To: Undisclosed-Recipients and “This message was sent to “”.” I right-clicked on the email so I could view the source text. On the lower right you can see the context menu. Here are the entire contents of the body (guts) of the phish.

<!DOCTYPE html>
<p><a href="http://bit.ly/2QKGRFNGDBF"><img alt="Mountain View" src="http://bit.ly/TGFDCYTHGRFDHGF" style="width: 592px; height: 473px;" /></a></p>

There are two significant things going on here. src="hxxp://bit.ly/TGFDCYTHGRFDHGF" is where the picture in the email is coming from. This is the second link above. The first link is the smelly part of the phish. hxxp://bit.ly/TGFDCYTHGRFDHGF is where the phishing kit used to be located. It was replaced with a 404.
These links happen to be bit.ly shortened URLs, but there are many sites that provide URL shortening services. You really want to know where you are going before you go there, so expand the URL back to the full version before you decide to click. The JoshMeister has some great tips for decoding links that have been shortened by a variety of services.

Since this URL is shortened by bit.ly we just add a + sign to the end of the link and hit enter. This takes us to the bit.ly site where we are shown the full URL. In this case the preview link is hxxp://bit.ly/TGFDCYTHGRFDHGF+.

hxxps://s1.postimg.org/1smpducc3j/boaaaaaaaaaaa_NEW.png is not the link that matters. That one has advertising that would give the phish away. The one you want is the smaller one in orange. hxxp://bitly.com/TGFDCYTHGRFDHGF leads us to the plain picture shown at the beginning of the gutting section of this blog.
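The gutting steps above (pull the click target and the picture source out of the email body, spot the shortener, build the "+" preview link, and defang everything before sharing it) as a small added script. This is example code written for this post, not the author's; the shortener host list is an assumption and the sample body is the phish quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the body of the phish quoted above.
PHISH_BODY = ('<!DOCTYPE html>\n<p><a href="http://bit.ly/2QKGRFNGDBF">'
              '<img alt="Mountain View" src="http://bit.ly/TGFDCYTHGRFDHGF" '
              'style="width: 592px; height: 473px;" /></a></p>')

# Assumed list of shortener hosts; extend it for the services you run into.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

class _LinkExtractor(HTMLParser):
    """Collects anchor hrefs (click targets) and img srcs (picture sources)."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.srcs.append(a["src"])

def defang(url):
    """http -> hxxp so the URL cannot be clicked by accident when shared."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)

def is_shortened(url):
    return urlparse(url).hostname in SHORTENER_HOSTS

def preview_url(url):
    """bit.ly shows the destination on its own info page when '+' is appended."""
    if urlparse(url).hostname in {"bit.ly", "bitly.com"}:
        return url.rstrip("/") + "+"
    return None

def gut_phish(html_body):
    """One record per link: role, defanged URL, shortener flag, defanged preview URL."""
    p = _LinkExtractor()
    p.feed(html_body)
    records = []
    for role, urls in (("click target", p.hrefs), ("image source", p.srcs)):
        for u in urls:
            pv = preview_url(u)
            records.append({"role": role, "url": defang(u), "shortened": is_shortened(u),
                            "preview": defang(pv) if pv else None})
    return records
```

Swap hxxp back to http on the preview link when you paste it into a browser; it only takes you to the shortener's info page, not to the destination.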

When you click on the picture in the Phishing email you would have been taken to the phishing kit which asked for your login information and many other details. It even asked you to create 5 challenge questions that are commonly used. I liked the one that asked “What is your father’s middle name?” I answered “The one between his first name and his last name.” I do not suggest that you visit the phishing sites though. I was using my wife’s computer so I was never at risk.

So how did I help to clean this phish? First I admitted that someone else had a problem and then I let them know that there was a problem.

I wrote up more about this specific incident in a blog titled “Phishing for a Gold Medal” at Quttera. I am now a Senior Security Analyst at Quttera. I included a couple more screenshots of this particular phish and a tiny bit of biographical information about the gold medal winning Olympic athlete.
In addition to my personal blogs here, I hope you will follow me at Quttera as well!

Randy Abrams
Independent Security Analyst by night and
Senior Security Analyst at Quttera Labs

Wednesday, October 18, 2017

Living With Brian Cassin – CEO, Experian

I have to change my address again. I don’t like where Bank of America has moved me to so I am going to move to 475 Anton Blvd., Costa Mesa, CA 92626. I hear that they have really nice digs there.

Following my discovery of an issue with a link on the Equifax website I decided to return to what I set out to do in the first place - get my mailing address corrected on my Experian credit report. How hard could that be?

This is where the unholy collusion of creditors and credit reporting agencies makes a blatantly unabashed public appearance. The answer to “how hard could it be?” is “it is surprisingly hard.”

Any creditor can report a change to your mailing address, your gender, your age, your marital status, etc., and Experian will change it and you cannot contest it. Your creditor has to change the information for you. If your creditor will not (or cannot) change it then you are "attached to another object by an inclined plane, wrapped helically around an axis."

In this case Bank of America has explicitly told me that they have no idea where the incorrect information is in their systems. The address is correct in my online profile, just not in the system that reports to Experian.

Nobody knows how many millions of Americans have incorrect personal information on their credit reports. Experian has no idea because there is no data validation. Consumers do not know because changes are made secretly, and even when they are discovered, there is no recourse.

Even with free annual credit reports, falsified information can easily persist for months on end unless a person pays the ransom to see their credit reports more frequently. Changes to personal information should be proactively reported to the consumer. Equifax proactively tipped me off to the Experian issue.

At Experian incorrect financial reporting can be contested. Correct financial reporting can be contested. Incorrect personal information is off limits. Just one more slip of the keyboard at Bank of America and I will be a 21-year-old Native American woman, living in Finland and married to Brian Cassin. Granted that is an unlikely scenario since Finland is too cold for me.

I asked Experian “If Bank of America reports my address as being the address of Experian’s corporate headquarters, will you change it to that?” The response was “Yes, if that is what a creditor reports then that is what will be on your credit report.” Unlike Experian, changing my address online at Bank of America is simple! I think this will be the start of a beautiful friendship. I am moving in with Brian Cassin at the posh Experian headquarters.

I know where I will live; you only think you know where you live.

Please send your best wishes to me on my move to the Experian headquarters by post at:

Randy Abrams
C/O Brian Cassin CEO
475 Anton Blvd.
Costa Mesa, CA 92626
Randy Abrams
Independent Security Analyst just trying to find his home.

Saturday, October 14, 2017

VirusTotal, Equifax, and Antimalware Products

There is a subtle precision in the statement “VirusTotal only showed three antimalware scanners detecting malware.” If you think that means only three scanners on VirusTotal detected the malware, then read it again more carefully; that is not what it says and that is not what it means.

Before I continue to talk about VirusTotal mythology, there are a few things I would like to clarify concerning my find of a malicious link on the Equifax website.

  • The site was not hacked, but as stated in the title of my blog, it was compromised. There is a difference; there were no exploits, no backdoors, etc.
  • There was no malware and there were no malicious pages on the site.
  • There is no indication or probability that data was stolen as a result of the compromise.
  • Equifax’s security team is blameless for this one. They were sucker-punched so badly by a third party who was in turn compromised. The whole food chain was poisoned.
  • Infection required two clicks, a download and an install. It was not a drive-by.
  • There was a serious threat to people who clicked on the link and fell for the attack. This was really nasty malware.

I do not understand why the Experian page was down for two days. I have a theory, but I will wait for the producers of Ancient Aliens to tell me what some people believe before I publish.

Speaking of antimalware, I hope that Kim Komando will agree to write some guest blogs under the pen name “Auntie Malware.” How cool would that be? But I digress. At the 2017 Virus Bulletin Conference in Madrid, Spain I presented VirusTotal tips, tricks, and myths. I believe the full presentation will be available soon. The content of the presentation was submitted to my friends at VirusTotal to validate accuracy. I am going to do a series of blogs about VirusTotal mythology.

There are multiple reasons why one cannot assume that the scanners that display detection on VirusTotal are the only ones that have detection of the threat. Just as importantly, you cannot assume that if the scanner you use did not display detection of the threat, you were not protected.

VirusTotal uses command-line versions of the scanners. Command-line antimalware scanners cannot be expected to perform the same way that the GUI versions do. There are undocumented switches that can boost heuristic detections to levels not available in commercial offerings. Antimalware vendors can also hide detection on VirusTotal. Sometimes you do not want the malware authors to know what you know. The commercial versions may very well have detection.

There is more to say on the subject, but for now know that “Displayed on VirusTotal” does not mean that only those scanners that display detection provide detection. Don’t forget protection; it is not the same as detection, but it matters. I know for a fact that at least one product that did not demonstrate detection offered protection. I have a very high degree of confidence that other scanners did too.
In the next series of blogs, which may not be sequential, I am going to dispel the following myths:

  • VirusTotal can be used to perform comparative testing
  • Detection of malware on VirusTotal means the scanner can detect it
  • Lack of detection means the file is safe
  • False Positive means false positive
  • Detection by more scanners means better coverage
  • Malicious website means malicious website

I am going to end this blog by summing up VirusTotal in one neat little quote by Alan Greenspan.

“I know you think you understand what you thought I said
but I'm not sure you realize that what you heard is not what I meant”

Randy Abrams
Independent Security Analyst

Wednesday, October 11, 2017

New Equifax Website Compromise

Update: Third party analysis indicates something that is conceptually the same as malvertising. Watch the video and replace Equifax with your favorite website. It happens every day throughout the world. Now it's a security training video.

I like Equifax more than Experian. TrustedID gave me the heads up that Experian had falsified personal information in my file. After verifying that Experian did in fact falsify the data (it was due to incompetence and apathy) I decided to see if the misinformation had propagated to Equifax. As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens.

For all of you voyeurs...

Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.
I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines “deplaning” a passenger... It hurts.
And once again Equifax, all I want from you are my credit scores. Please?

Independent Security Analyst

Tuesday, October 10, 2017

Equifax Caught Experian Falsifying My Personal Information

One of the silver linings of the Equifax breach is their free identity theft protection. Perhaps that is the only silver lining. I was skeptical when I received an email from TrustedID that said “We've noticed a change on your credit report.”  I know that identity theft is rampant and credit reports change frequently, but consider the source. Equifax owns TrustedID; need I say more? I figured the email would be something like a LinkedIn style “three people have looked at your credit report. Upgrade to premium to find out who they are.” Or “views of your credit report are up 80% over last week’s views.” Still, I was curious. I logged into my TrustedID account and was informed that Experian had changed my address on file.

My investigation revealed that Experian now showed my current address is in a city I have never lived in. Perhaps accusing Experian of falsifying my personal information is a bit dramatic, but it is technically true. I won’t say it was deliberate because I know Hanlon’s razor. Hanlon’s razor essentially says “Never attribute to malice that which is adequately explained by stupidity.” In this case apathy is probably closer to accurate than stupidity. To paraphrase Lily Tomlin’s classic “we’re the phone company” sketch… “We don’t care. We don’t have to. We’re the credit bureau.” Experian is not stupid; they excel in math. They know exactly how much each congressperson that can be bought costs. Based upon the laws of supply and demand I expect it isn’t very much.

Here is how I believe Experian got it wrong. For several years my brother and sister-in-law had been living in a house I owned in Seattle. When they moved they filed a change of address form with the post office. My brother’s name is Steve. Steve is a name with five letters. The name Randy has five letters in it too. The rest is history. Data validation is not Experian’s strong suit. Fortunately when I request my free credit report my brother will pass it along to me after Experian sends it to him.

Let’s compare Experian’s attitude toward consumers with T-Mobile’s attitude. In 2015 it was revealed that Experian had suffered a two-year-long data breach that affected T-Mobile’s customers. T-Mobile CEO John Legere’s response included the following comments.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.”

Did you notice it was not Experian but rather T-Mobile whose first focus was on assisting customers?
Legere went on to say “Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.”

Improving the protection of T-Mobile’s data is important to Experian’s bottom line, but maintaining the integrity of consumer data is irrelevant to Experian. It doesn’t help or hurt their bottom line. Let’s hope the Equifax breach results in industry wide changes that, among other things, make negligent changes of consumer data expensive.

In conclusion, thank you Equifax for bringing to my attention the falsification of my personal data by Experian. On a more cheerful note, when Experian is breached again the attackers won’t get my real address.

Independent Security Analyst
I am my brother’s keeper, but I am not my brother