[BreachExchange] Phishing for CC’s

Destry Winant destry at riskbasedsecurity.com
Fri Mar 13 10:19:52 EDT 2020


https://www.riskbasedsecurity.com/2020/03/11/phishing-for-ccs/

In our 2019 Year End Data Breach QuickView report, and elsewhere on
this site, we wrote about modern phishing attempts and how malicious
attackers are targeting unsuspecting people on the web.

There’s a tendency to associate phishing with crude boilerplate
emails, dubious attachments, and poor attention spans, but that’s only
part of the story. In the covert redirect examples we explored,
attackers were spoofing system update prompts or redirecting users to
pages crammed to the brim with all sorts of dubious code.

We saw some impressive fakery at work, so let’s take a moment to dig
deeper into a new example.

An Example of Modern Phishing

A single mistake could be a catalyst that exposes thousands, or even
millions, of records – potentially into the hands of malicious actors.
Attackers are constantly adapting their methods to manipulate your
trust, as in all social engineering attempts.

We won’t propagate the scam by publishing the URL, but here’s a
detailed screenshot of the real-life example we came across:

TRUST ME, I’M NOT A BOT

This fake forum was constructed to give the appearance of an organic
conversation that includes a free download of the real book
Intelligence-Based Security in Private Industry (safe to click).

Even in the face of Santa Hat Armageddon, there are reassuring signs
that might lead you to assume that this is authentic. Take the site
information, for example:

This might be enough for many users to conclude that the site is
legitimate. It has a valid TLS certificate, so the browser shows a
padlock, and the footer of the page displays a copyright for vBulletin
(vBulletin is legitimate forum software). So far, everything appears
to check out.

The cast of characters on the forum is reassuringly familiar, too.
Let’s meet the players:

CHARACTERS IN ORDER OF APPEARANCE:

- Jack, our protagonist who, like the visitor, is searching for a copy
of Intelligence-Based Security in Private Industry;
- Harry, a senior member of the forum, ready to help Jack out;
- Oscar, a man who encourages Jack to give his details because it’s a
trusted site;
- Other Jack, another senior member, who reminds us that credit cards
can be used for identification purposes;
- Sofia, the mid-section of an attractive and patriotic American
female, who has also been searching for the same book for a long time;
- William, a grateful man who now has what he needs;
- Admin, a mysterious authority figure who helpfully closes the thread
because the definitive solution has been found.

It’s easy to imagine a user who resembles Jack taking all this at face
value, clicking the link, and filling out their credit card
information. After all, other grateful users (with faces) say it is
legitimate and that it works. The browser tells us that it is a secure
connection and that “your information (for example, …credit card
numbers) is private when sent to this site“. That statement is true
as far as it goes: the connection is encrypted, and the certificate
proves only that whoever runs the site controls that domain name,
which anyone can register. It says nothing about who they are.
However, unlike Dawn’s fingertips, we all know that the real picture
isn’t quite so rosy.

Dissecting the Page

When checking the details, a couple of things stand out. For starters,
all of the key points are conveniently set in bold:

“That’s great, thank[sic], solid website, entered CC and just got what
I needed.”

William, Junior Member

Also there are glaring inconsistencies.

Other Jack is a senior member despite having only 48 posts and his
Join Date is “caffeine”. We’ve all had mornings like that.
The admin goes back in time and “closes” the topic before it was
opened, validating our suspicion that forum admins are not of this
realm.

Unless they are specifically looking for inconsistencies or red flags,
most readers will not catch these. They are small things that cast
doubt on the legitimacy of the forum, but that a casual reader could
easily miss.

GOING DEEPER CASTS DARKER SHADOWS

For example, removing the bulk of the URL reveals that the website
fills in the heading and the posts dynamically:

“Intelligence-Based Security in Private Industry” is gone. In other
words, the same template will serve up this forum for any subject the
attacker has encoded in the URL, which makes it a cheap and easily
replicated phishing method.

And the link that Harry and pals are trying to get Jack, and you, to
click? It diverts to a different domain over plain, unencrypted
http://, so the padlock the visitor just trusted no longer applies.
The link text also suggests a .torrent file, yet that is not what it
points to.
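As an added illustration, not code from the article or from Risk Based Security, the checks below encode the three tells just described: a subject carried in the URL and pasted into the template, a download link that drops from https:// to http:// on a different domain, and link text that promises a .torrent while the target serves something else. The URLs are constructed stand-ins, since the article withholds the real ones; the Content-Type would normally come from a HEAD request issued from an isolated analysis host and is passed in here as a parameter. The query-parameter heuristic in `template_subject` is an assumption about how the kit encodes the subject.

```python
"""Link triage for a suspected phishing page (added example, not the
article's code). All URLs below are constructed stand-ins."""
import posixpath
from urllib.parse import parse_qs, unquote, urlparse

# Extensions a lure is likely to advertise, mapped to the media type a
# genuine download of that kind would carry. Assumed table; extend as needed.
EXPECTED_TYPES = {
    ".torrent": "application/x-bittorrent",
    ".pdf": "application/pdf",
    ".zip": "application/zip",
}


def template_subject(url, min_len=8):
    """Split a page URL into its static template and any human-readable
    subject strings encoded in it.

    Heuristic (an assumption about the kit): a percent-decoded query value
    or path segment containing a space and at least min_len characters is
    treated as a subject the template fills in. Returns (base_url, subjects).
    """
    parts = urlparse(url)
    candidates = [unquote(seg) for seg in parts.path.split("/") if seg]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)  # parse_qs already percent-decodes
    subjects = [c for c in candidates if " " in c and len(c) >= min_len]
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base, subjects


def link_flags(page_url, href, link_text, content_type=None):
    """Return the red flags raised by a link found on page_url.

    href         -- the link's actual target (the href attribute)
    link_text    -- what the visitor sees and clicks
    content_type -- the Content-Type the target really serves, if known
    """
    page, link = urlparse(page_url), urlparse(href)
    flags = []
    # The padlock the visitor trusted on the forum does not follow them
    # to a plain-http target.
    if page.scheme == "https" and link.scheme == "http":
        flags.append("scheme-downgrade")
    # The download is served from somewhere other than the forum's own host.
    if link.hostname and link.hostname != page.hostname:
        flags.append("cross-domain")
    # The link text advertises one kind of file; the server sends another.
    shown_ext = posixpath.splitext(link_text.strip())[1].lower()
    expected = EXPECTED_TYPES.get(shown_ext)
    if expected and content_type and not content_type.lower().startswith(expected):
        flags.append("extension-mismatch")
    return flags


if __name__ == "__main__":
    page = ("https://forum.example.invalid/showthread.php"
            "?t=Intelligence-Based%20Security%20in%20Private%20Industry")
    print(template_subject(page))
    print(link_flags(page, "http://files.example.invalid/get?id=42",
                     "IntelligenceBasedSecurity.torrent", "text/html"))
```

Run against the constructed page URL, `template_subject` returns the bare `showthread.php` template plus the decoded book title, and `link_flags` reports all three tells for the download link; a same-origin, https, correctly typed PDF link raises none.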

Going Down the Rabbit Hole

What else can we find? Well, going down the rabbit hole we can see
just how detailed the attacker was (and wasn’t) when it came to
engineering this forum. Let’s revisit our characters.

“SOFIA”

Among all the profile pictures, Sofia’s stands out the most.

A reverse image search reveals a lot more about Sofia. Aside from her
keen interest in Intelligence-Based Security in Private Industry, she
has varied tastes including Tai Chi, and is an active member of a
Healing group in California. She has quite an online presence, with a
number of Twitter handles and Facebook profiles under an array of
aliases. Sofia/Alexei/Amira has even taken the time to review her
skateboard purchases from lesser-known online retail outlets:

“great sport”

Sofia/Alexei/Amira

“HARRY”

The savior with the link. Aside from Sofia, this picture is extremely
ordinary. This, however, was an easy search because not many people
have ever stood on a hill… Unsurprisingly, typing “man on hill”
reveals the path to stock photo nirvana. But Harry’s avatar holds
other hidden clues, and tracing their origin also explains a different
oddity: the “caffeine” that appears under Other Jack’s Join Date.

WHAT IS “CAFFEINE”?

As noted, all the profile pictures wear a Santa hat. Hovering over the
hat reveals an image tag reading “caffeine”, which every profile
picture shares. Harry’s, however, carries an additional hidden tag
that reads “yurikuzn”.
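The hover-and-look method above, and the timeline and profile tells from the Dissecting the Page section (the admin closing the thread before it opened, a Join Date of “caffeine”, a senior member with 48 posts), can be pulled out of a saved copy of the page mechanically. The script below is an added example, not the article’s or Risk Based Security’s code; its `SAMPLE_HTML` is a constructed stand-in for the fake forum, since the real page’s source was not published, so the class names, timestamps, the use of alt/title attributes on the avatar images, and the 100-post threshold for a “senior” rank are all assumptions.

```python
"""Dissecting a captured forum page: hidden avatar tags and timeline
inconsistencies (added example, not the article's code). SAMPLE_HTML is a
constructed stand-in; its markup, timestamps and attribute names are
assumptions about what the real page looked like."""
import re
from datetime import datetime
from html.parser import HTMLParser

SAMPLE_HTML = """
<div class="post" data-time="2020-01-04 09:12"><img class="avatar" src="a1.png" alt="caffeine">
 <span class="user">Jack</span><span class="rank">Junior Member</span><span class="posts">Posts: 3</span>
 <span class="joined">Join Date: Dec 2019</span><p>Anyone have a copy of the book?</p></div>
<div class="post" data-time="2020-01-04 09:40"><img class="avatar" src="a2.png" alt="caffeine" title="yurikuzn">
 <span class="user">Harry</span><span class="rank">Senior Member</span><span class="posts">Posts: 1204</span>
 <span class="joined">Join Date: Mar 2015</span><p>Here you go, just enter your CC.</p></div>
<div class="post" data-time="2020-01-04 09:55"><img class="avatar" src="a3.png" alt="caffeine" title="Makov">
 <span class="user">Oscar</span><span class="rank">Member</span><span class="posts">Posts: 212</span>
 <span class="joined">Join Date: Jun 2017</span><p>Trusted site, go ahead.</p></div>
<div class="post" data-time="2020-01-04 10:03"><img class="avatar" src="a4.png" alt="caffeine">
 <span class="user">Other Jack</span><span class="rank">Senior Member</span><span class="posts">Posts: 48</span>
 <span class="joined">Join Date: caffeine</span><p>Cards are used for identification.</p></div>
<div class="post" data-time="2020-01-03 17:00"><img class="avatar" src="a5.png" alt="caffeine">
 <span class="user">Admin</span><span class="rank">Administrator</span><span class="posts">Posts: 9001</span>
 <span class="joined">Join Date: Jan 2010</span><p>Solution found, thread closed.</p></div>
"""


class ForumParser(HTMLParser):
    """One dict per <div class="post">: its data-time, every attribute of
    its avatar <img> except src/class, and the text of each classed <span>.
    Assumes posts are not nested inside other <div>s."""

    def __init__(self):
        super().__init__()
        self.posts, self._post, self._field = [], None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and a.get("class") == "post":
            self._post = {"time": a.get("data-time", ""), "img": {}}
            self.posts.append(self._post)
        elif self._post is not None and tag == "img":
            # keep every attribute so hidden ones (title, data-*) survive
            self._post["img"] = {k: v for k, v in a.items() if k not in ("src", "class")}
        elif self._post is not None and tag == "span" and a.get("class"):
            self._field = a["class"]
            self._post[self._field] = ""

    def handle_data(self, data):
        if self._post is not None and self._field:
            self._post[self._field] += data

    def handle_endtag(self, tag):
        if tag == "span" and self._field:
            self._post[self._field] = self._post[self._field].strip()
            self._field = None
        elif tag == "div":
            self._post = None


def parse_posts(html):
    parser = ForumParser()
    parser.feed(html)
    return parser.posts


def avatar_tags(posts):
    """Split avatar attributes into those every post shares (the kit's
    template, 'caffeine' here) and the per-user extras ('yurikuzn', 'Makov')."""
    sets = [set(p["img"].items()) for p in posts]
    shared = set.intersection(*sets) if sets else set()
    extras = [(p["user"], dict(s - shared)) for p, s in zip(posts, sets) if s - shared]
    return dict(shared), extras


def consistency_flags(posts, senior_min_posts=100):
    """Timeline and profile tells. senior_min_posts is an assumed
    threshold, not a vBulletin rule."""
    flags = []
    when = [datetime.strptime(p["time"], "%Y-%m-%d %H:%M") for p in posts]
    opened = when[0]  # the thread opens with its first post in page order
    for p, t in zip(posts, when):
        user = p.get("user", "?")
        if t < opened:
            flags.append((user, "posted before the thread was opened"))
        join = p.get("joined", "").split(":", 1)[-1].strip()
        if not re.search(r"\b(19|20)\d{2}\b", join):
            flags.append((user, f"join date is not a date: {join!r}"))
        m = re.search(r"\d+", p.get("posts", ""))
        count = int(m.group()) if m else 0
        if "senior" in p.get("rank", "").lower() and count < senior_min_posts:
            flags.append((user, f"senior rank with only {count} posts"))
    return flags


if __name__ == "__main__":
    posts = parse_posts(SAMPLE_HTML)
    shared, extras = avatar_tags(posts)
    print("shared avatar tags:", shared)
    print("per-user extras:", extras)
    for user, why in consistency_flags(posts):
        print(f"{user}: {why}")
```

On the constructed page this surfaces exactly what the article found by hand: “caffeine” as the tag common to every avatar, “yurikuzn” and “Makov” as the extras on Harry and Oscar, and three consistency flags (Admin posting before the thread opened, Other Jack’s non-date Join Date, and Other Jack’s senior rank on 48 posts). The per-user extras are the pivots worth searching for, as the article goes on to do.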

WHAT/WHO EXACTLY IS “YURIKUZN”?

Searching for “yurikuzn” lands you on GitHub, revealing that
“yurikuzn” is the username of a developer. We seriously doubt that
yurikuzn has anything to do with this malicious page, but this is
definitely an interesting find. The actual creator of this phishing
website may be an anonymous follower, or could have parsed yurikuzn’s
information randomly. Perhaps, somewhere on GitHub there is another
fake library lurking in the shadows.

“OSCAR”

Like Harry’s profile picture, Oscar’s carries an additional image tag,
which in this case reads “Makov”. Image searches turn up nothing, and
searching GitHub for “Makov” doesn’t yield the concrete answer that
Harry’s tag did.

This is where the trail runs cold.

Attackers are Adapting

This example shows just how much work attackers can put into modern
phishing attempts. After an initial and brief inspection of the site,
casual users would likely see that the site itself had a secure
connection and that it was built on legitimate forum software, and
might be sufficiently convinced to click through, exposing their
credit card details or opening the door to malicious software.

WHAT IF YOU CLICKED IT?

We don’t know exactly what the repercussions of clicking this specific
link could be. It could take you to ransomware, malware, or even a
copy of the book. OK, probably not that last one.

We could have our research team set up a sandbox to examine the
possibilities further, but they’re busy serving the needs of our
clients. Jack is on his own…

So what can people do in the face of phishing attempts like this?
Look for the details that give a malicious website away: where a link
actually goes (here, a different domain over plain http://), whether
the file it promises matches what it delivers, and why any site would
need a credit card “for identification” at all. Remember that the
padlock only means the connection is encrypted, not that the people on
the other end are honest. It will definitely slow you down while
you’re trying to find that book you’ve been looking for, but it’s
better than trying to unpick that malicious browser extension that’s
mysteriously found its way onto your system, or reclaim your identity
from whoever is now using your credit card (Oscar looks pretty guilty
right now). Ultimately, remember that you shouldn’t click a link if
you do not 100% trust the source and know where it will take you.

As a decision-maker within an organization, it is hard to keep track
of every employee’s credentials. Not only are there countless users
and endpoints to account for, but you need to know immediately if any
have been compromised and to what sources. With Cyber Risk Analytics,
you can get real-time alerts straight to your inbox whenever any of
the organizations you care about are breached.

See for yourself why Cyber Risk Analytics is the standard for
actionable data breach intelligence, risk ratings, and supply chain
monitoring.
