Thursday, December 17, 2015

The phishing game: new tactics

I recently came across a very well-formatted phishing email that caught my attention: it led to a site with a valid SSL certificate and a domain name close enough to PayPal's, paysnal.com. The techniques are as age-old as those in the real world of fishing: the lure, the distraction and the impersonation. As in real fishing, what a fish considers normal day-to-day business (like eating worms) can be a successful trap (death for the fish). Let me walk through how the story unfolded.
The phishing starts with a well-formatted message which automatically loads the images and content from PayPal's UK site. It has none of the obvious issues such as spelling errors, incorrect syntax or a missing subject.

When I pull up the email in a terminal and look at the content, it comes from outlook.com's network (a commonly trusted server on the internet with a good reputation), and the link inside the email is a URL-forwarding link hosted at Google through "goo.gl" (another trusted name that your email scanner will not catch or complain about).
This link looks like this (replace =2E with ., =3D with = and =22 with "):
<A href=3D=22https://goo=2Egl/Q7NCVT=22>
This forwards to https://www.paysnal.com, a domain close enough to paypal that you do not notice it if you are just glancing at the URL bar. The website you reach after the Google URL shortener redirects is a site that perfectly mimics the PayPal website, with a valid SSL certificate provided by "Comodo". So even if you trained your users to make sure they see the "green lock" in the URL bar, they can still fall for this impersonation of the site.
The certificate details show a certificate valid for 6 months and everything checks out. Thank you, free SSL cert from Comodo!
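
The chain described above (a quoted-printable link, a trusted shortener, then a near-miss domain) can be checked mechanically on the defender's side. The following Python is an added example, not code from the original post; the brand list, the shortener list, the distance threshold of 2 and all function names are assumptions made for illustration.

```python
import quopri
import re
from urllib.parse import urlsplit

# Assumed policy lists for this example; tune them for your own brand and mail flow.
PROTECTED = {"paypal.com"}
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}

# Constructed sample: the quoted-printable anchor tag quoted in the post.
SAMPLE_BODY = b'<A href=3D=22https://goo=2Egl/Q7NCVT=22>'


def extract_links(raw_body):
    """Decode quoted-printable (=3D, =22, =2E and friends) and pull out href targets."""
    html = quopri.decodestring(raw_body).decode("utf-8", "replace")
    return re.findall(r'href\s*=\s*["\']([^"\']+)', html, flags=re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive last-two-labels rule; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url, max_distance=2):
    """Return 'legitimate', 'shortener', 'lookalike:<brand>' or 'unknown' for a URL."""
    domain = registered_domain(urlsplit(url).hostname or "")
    if domain in PROTECTED:
        return "legitimate"
    if domain in SHORTENERS:
        return "shortener"  # destination hidden: resolve in a sandbox, then re-classify
    for brand in sorted(PROTECTED):
        if edit_distance(domain, brand) <= max_distance:
            return "lookalike:" + brand
    return "unknown"


if __name__ == "__main__":
    for link in extract_links(SAMPLE_BODY) + ["https://www.paysnal.com"]:
        print(link, "->", classify(link))
```

A mail filter that stops at the first hop only sees the shortener verdict; the lookalike verdict appears once the redirect target is classified as well, which is the step the certificate's "green lock" does nothing to replace.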

As you can tell, this shows a number of gaps in SSL certificate provisioning and the issues with domain-validated certificates. While you may consider an "EV" (Extended Validation) certificate more secure, the price and the process for getting these are also getting cheaper. This makes it very difficult for PayPal to force an authenticity check of a phishing site.

The only option left for PayPal is to go through the "domain take-down" process. Currently there is no "SSL takedown or revocation process." Even though Netcraft and a few other organizations focused on domain name security and SSL security have already warned about these types of impersonation (see the Netcraft bulletin and the Infoworld article), there is currently no process for revoking SSL certificates like these for misuse or abuse.

PayPal seems to have used the one card they are left with to play in this game: the legal domain take-down procedure. Below is the timeline of the story, with about one week of a quick attempt to run a phishing campaign. I did notice that the infrastructure on UK2.net with IP address 77.92.69.142 was still serving the content for a few days, although only a day or so of DNS caching would allow the content to remain reachable from those scattered emails. The timeline shows how all of this was done very fast, most likely using provisioning and registration APIs, automated SSL provisioning and all the good things that service providers (domain name, server hosting, SSL and email service providers) give you today. Building this campaign took less than a day, as the phishing emails were sent within 24 hours of domain registration using either a falsely registered outlook.com email or a stolen account.
This tells me that the domain takedown is in fact an effective way to respond to these types of threats to your organization. While a number of security defenses could be set up and pursued, such as building a blacklist for paysnal.com, the takedown is the final nail in the coffin that stops this campaign. It comes through a legacy, non-technical approach taken by PayPal.

Apart from all the required best practices, security tools and capabilities that you are doing - my recommendation for organizations is to always consider the problem holistically.  Some ways you can do this:
  1. Don't forget or lose sight of your options when a cyber threat is seen against your organization.
  2. Keep your "ducks in a row": keep your contacts and procedures handy for various takedowns.
  3. Look at your options to minimize loss and recovery in attack scenarios.

So the lesson learned is to ensure your organization is aware of the multiple options, instead of just technology, when responding to a cyber threat. If you are an online bank or represent an online bank and there is a phishing campaign against you, do you have the ICANN contacts and procedures as part of your response strategy? In the earlier blog article I pointed out some budget options in the back pocket that C-level executives should be aware of to combat a cyber threat or attack. Some of these can be simple and effective for certain types of threats. Make sure your organization has a response plan in place if such a campaign is successfully launched against you.
