Information Security News
Antivirus provider Webroot is causing a world of trouble for customers. A signature update just nuked hundreds of benign files needed to run Microsoft Windows, as well as apps that run on top of the operating system.
Social media sites ignited on late Monday afternoon with customers reporting that servers and computers alike stopped working as a result of the mishap. The admin and security pundit who goes by the Twitter handle SwiftOnSecurity told Ars that, at the company he or she worked for, the false positive quarantined "several hundred" files used by Windows Insider Preview. Hundreds of "line of business" apps, such as those that track patient appointments or manage office equipment, suffered the same fate. Webroot was also flagging Facebook as a phishing site.
As this post was going live, Webroot's cloud-based system for issuing commands to clients was unable to revert the quarantined files. Officials have yet to confirm they would be able to revert all the bad determinations.
BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons.
Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount attacks at a much faster rate (1,295 attacks in just 15 hours), it also used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day.
"Just like BrickerBot.1, this attack was a short but intense burst," Geenens told Ars. "Shorter than the four days BrickerBot.1 lasted, but even more intense. The attacks from BrickerBot.3 came in on a different honeypot than the one that recorded BrickerBot.1. There is, however, no correlation between the devices used in the previous attack versus the ones in this attack."
[This is a guest post submitted by Remco Verhoef. Got something interesting to share? Please use our contact form to suggest your topic]
Today I got lucky walking around within a phishing site and found some left-over deployment files, containing the complete source code of the site. This gives a unique insight into the inner workings and complexity of the site. I've analyzed many phishing site source codes before, but this one is definitely more sophisticated than usual.
The site has been called Scam Paypal v1.10 by the author Shadow Z118.
I'll walk you through the source code and my findings. The source code consists of 127 files, 6MB in size, with dates ranging from September 2016 until now. The author is definitely using the Agile development process here.
The `.htaccess` file contains several measures against (automated) analysis by known anti-phishing tools:
There is also a duplicate of this file, called htaccess (without the usual leading dot). I assume this is a mistake.
PhishTank had an issue last week where these kinds of redirects were causing safe domains to be incorrectly flagged as phishing.
The `index.php` file contains several more checks for bots:
This index copies the code from a source/template folder to a random folder per user (/customer_center/customer-IDPP00C followed by a random number). After the copy, the user is redirected to this new location. Not completely sure why this hasn't been done with rewrites.
The `robots.txt` contains Disallow rules for all folders, to prevent indexing by crawlers that respect robots.txt.
The source code contains quite a few evasive measures against automated analysis by a/v vendors and bots. The `bots` folder contains more scripts that return 404s for all kinds of checks.
A global hit counter is incremented on every request. When the counter exceeds 30, a deny record is created for that specific remote address, user-agent and hostname.
All user-agents and IP addresses are checked against a word list of known bots, building a database of user-agents and IP addresses belonging to specific a/v vendors.
An `HTTP/1.0 404 Not Found` will be returned, sometimes accompanied by the friendly message `HELLOOOOO BITCHES | I FUCKING LOVE YOU HAHAHAHAHAHAHA 3 | TRY BYPASS ME NEXT TIME BB 3.`. Note that it returns HTTP/1.0 even when the request was made with HTTP/1.1.
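The user-agent based denial described above is detectable from the outside: fetch the same URL once as an ordinary browser and once as a scanner, and compare the answers. The following is an added example (not code from Remco Verhoef's post or from the kit); the `Exchange` records and the scanner user-agent string are constructed samples.

```python
# Added example: flag the cloaking behaviour of a kit that answers security
# scanners with a hand-written HTTP/1.0 404 while serving browsers normally.
from dataclasses import dataclass


@dataclass
class Exchange:
    user_agent: str
    request_version: str   # HTTP version used in the request line
    status_line: str       # first line of the raw response
    body: str


def parse_status(status_line: str) -> tuple[str, int]:
    """Split 'HTTP/1.0 404 Not Found' into ('HTTP/1.0', 404)."""
    version, code, *_ = status_line.split(" ", 2)
    return version, int(code)


def cloaking_indicators(browser: Exchange, scanner: Exchange) -> list[str]:
    """Return the cloaking signals seen when one URL is fetched with two UAs."""
    found = []
    b_ver, b_code = parse_status(browser.status_line)
    s_ver, s_code = parse_status(scanner.status_line)
    # Real page for the browser, 404 for the scanner: user-agent based denial.
    if b_code == 200 and s_code == 404:
        found.append("status-divergence")
    # The kit answers HTTP/1.0 even though the scanner asked with HTTP/1.1.
    if scanner.request_version == "HTTP/1.1" and s_ver == "HTTP/1.0":
        found.append("version-downgrade")
    # A 404 that still carries a taunt body is a scripted, not a server, 404.
    if s_code == 404 and scanner.body.strip():
        found.append("chatty-404")
    return found


# Constructed sample exchanges against one hypothetical phishing URL.
BROWSER = Exchange("Mozilla/5.0 (Windows NT 10.0) Firefox/52.0", "HTTP/1.1",
                   "HTTP/1.1 200 OK", "<html>...sign in...</html>")
SCANNER = Exchange("PhishTank/1.0 (constructed UA)", "HTTP/1.1",
                   "HTTP/1.0 404 Not Found", "TRY BYPASS ME NEXT TIME")
CLEAN = Exchange("PhishTank/1.0 (constructed UA)", "HTTP/1.1",
                 "HTTP/1.1 200 OK", "<html>...sign in...</html>")

if __name__ == "__main__":
    print(cloaking_indicators(BROWSER, SCANNER))  # ['status-divergence', 'version-downgrade', 'chatty-404']
    print(cloaking_indicators(BROWSER, CLEAN))    # []
```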
All emails will be sent to both `[email protected]` and `[email protected]`, accompanied by the text `PUT UR FUCKING E-MAIL BRO`. There is also a somewhat obfuscated reference to `[email protected]`, which will receive a copy of each email. It looks like the maker of the software wants to keep track of things without the phishers' knowledge. Within the code I find references to `Mr-YcN Z.1.1.8` and `SHADOW Z.1.1.8`.
There is a file that detects the OS and browser family from the user-agent.
A file containing language entries. Currently, only English is supported.
The `lib` folder contains all scripts and CSS files.
The actual phishing flow is as follows:
* first the user has to sign in, using her email and password
* next the user is asked to verify the account by entering card number, card type, c_valid, expiry dates, csc, name on card, full name, address, zip code, city, state, country
* then it checks the credit card type (Visa, Mastercard or Maestro), and if you are from France, Spain or Norway the next step is skipped
* you're asked to upload your identity photos, with allowed extensions gif, jpeg, jpg and png
* social security number details: date of birth and country-specific social security numbers
* a success page containing a summary of all entered data, redirecting you to PayPal after 5 seconds
Each step the user goes through results in an email to the noted addresses. This email contains all entered information and is distinguishable by different subjects and different senders:
* NEW BB XD ? LOGIN INFO FROM : .$_SESSION[_forlogin_]. ? .$_POST[login_email]. ?
* .$_SESSION[_cardholder_]. ? FULLZ : .$_SESSION[_ccglobal_]. ? .$_SESSION[_global_]. ? .$_SESSION[_login_email_]. ?
* .$_SESSION[_cardholder_]. ? VBV FULLZ : .$_SESSION[_ccglobal_]. ? .$_SESSION[_global_]. ? .$_SESSION[_login_email_]. ?
* .$_SESSION[_cardholder_]. ? NEW ID CARD - ENJOY BTC ? .$_SESSION[_global_]. ?
* some of the comments are in French
* the HTML contains a randomization routine for class names
* all user data is saved in PHP sessions for persistence between the steps
* the forms contain validation
* emails are sent only when useful data has been entered, e.g. a password or credit card number
* all pages contain anti-bot measures