Iranian Hackers Target US Military Personnel via Social Media

People trust and share way too much on social media sites, and unfortunately this extends to government employees and military troops around the world. Iranian hackers have taken advantage of this and for the last three years have been targeting high ranking officials worldwide by attacking social media accounts using social engineering.

Social engineering is the attempt to gain access or information from someone by pretending to be someone else, or by psychologically manipulating them into doing something they normally wouldn’t. Hackers use these techniques to obtain account login information, access to a physical location or confidential data, or information that can be used in future attacks.

According to the security firm iSight Partners in Dallas, Iranian hackers pretending to be members of the US news media and defense contractors have social engineered high-ranking officials via sites like Facebook, LinkedIn, YouTube and Twitter since 2011. The firm has tracked the attacks for six months and has been amazed at the depth and persistence of the hackers:

“It is such a complex and broad-reaching, long-term espionage campaign for the Iranians, what they lack in technical sophistication, they make up in creativity and persistence,” said iSight Senior Vice President Tiffany Jones.

The targets included a US Navy Admiral and other high ranking officials from the US and also Israel, UK, Iraq, Saudi Arabia and Syria.

People share way too much via social media, assuming it is a safe environment. Military personnel and government officials around the globe share where they are, what technology they are working on, unit locations and capabilities, and other seemingly innocent data shared with “friends” that could be a gold mine to cyber espionage and social engineering hackers.

Officials should be very wary of unknown social media contacts pressing them for confidential data or account information. High ranking military personnel or those in top secret positions should not use social media sites as resumes or to share where they are or what they are working on.

Some countries even prohibit soldiers from posting any pictures of themselves in uniform or discussing any military occupation information on social media sites.


Removing your Location and Personal Details from “Spooky-o” (Spokeo.com)

Spokeo.com is one of the coolest websites on the web when you are trying to find someone, but it can also be very creepy. In most cases Spokeo lists your name, relatives, location and even a picture of your house, available to anyone on the web.

But how do you get out of their database?

If you live in the US and want to find information about someone, just go to Spokeo.com, put in their name and state and you can find a lot of information about them including the location where the person lives and past locations going back years!

This has led some people to nick-name the search site, “Spooky-o.com” as at times it indeed can be pretty spooky.

But how does it work?

So, if you search for Bill Gates in the US you find this:

Spokeo 1

There seems to be a lot of Bill Gates in the US.

But what about Bill H. Gates in Medina, Washington?

Well, that narrows down the search quite a bit. One of the returns shows this:

Spokeo 2

Without a Spokeo account, you can see parts of the address, phone and e-mail address. But with an account you can get a lot more information. This is something that a lot of people probably won’t want to be publicly accessible.

So, how can you get out of Spokeo’s database?

Thankfully, Spokeo provides an opt-out page which will remove your information from their database. Simply look up your name in Spokeo and copy the URL of the page you want removed. Then, surf to:

http://www.spokeo.com/optout

And fill out a small form including the Spokeo URL and your e-mail address.

Once Spokeo receives the form, they do in fact remove that record from Spokeo.

If you have multiple records listed, unfortunately you have to do it multiple times.

Social Engineers use sites like Spokeo to gather information about a target. If you want to remove your information from Spokeo, hopefully this will help provide you with a little more internet privacy.

Granted, your personal information is still out there: the form does not remove you from the sources that Spokeo uses, but at least it removes it from one location!

Upcoming Conferences: DerbyCon! (September 25-29th, 2013)

The security rockstars are at it again in Kentucky. This week, DerbyCon 3 will be held in Louisville, and it looks like they have a great lineup: a ton of talks, tech tracks and parties.

They will even have a Zombie Apocalypse with proceeds going to Hackers for Charity.

How cool is that?

DerbyCon will run from Sept. 25th to the 29th:

Wednesday – Training starts at 9:00AM and ends at 5:00PM
Thursday – Training starts at 9:00AM and ends at 5:00PM
Friday – Opening ceremonies start at 8:30AM and the keynote starting at 9:00AM. Talks finish at 8:00PM
Saturday – Talks start at 9:00AM and end at 7:00PM
Sunday – Talks start at 9AM and end at 4PM

Event and Talk Schedule

I also hear that security guru and creator of the Social Engineering Toolkit (SET) David Kennedy will be live on Fox News tomorrow morning at 7:40 EST.

Check it out!

Basic Malware Analysis: Malicious Data Mining E-Mail Attachment

Malicious E-mail Message

Oh look, an unsolicited incoming Fax Report. Odd, it is a fax transmission, but our company doesn’t even have a fax server. But it is on 2013 Recruitment Planning – I better open it!

Corporate networks are being slammed with e-mails like the one above. It looks innocent enough, but if a user did indeed open it, the malicious attachment that anti-virus didn’t detect would scan the victim’s hard drive for data and upload it to a malicious server, all undetected by the unsuspecting user.

I have seen several versions of this same attack in the last week. So let’s take a closer look.

When these attacks first started, only 2 anti-virus engines would detect the attachment as a malicious file. AV engines are catching on to it now and are detecting it as a generic Trojan. As a matter of fact, if I try to open this message today, I get a message from Microsoft Mail that the attachment is malicious:

Infected with unknown virus

So let’s take a closer look at one of these “Incoming Fax Report” attachments.

*** WARNING: Never open suspected malware on a live, network-connected system. In this example I use a sandboxed virtual machine running with very limited network capabilities. ***

The attachment, once unzipped, shows a PDF icon, but this is no PDF file. The file has an .exe extension, meaning it is an executable and not a document. So how can we take a closer look at the program to see what it does?

The program Dependency Walker will show us what functions the program imports and give us a clue as to what it actually does. If we run Dependency Walker we can see the .dll files that the program calls and the main functions it uses:

Kernel32 Functions

Okay, it may not be very clear from the Kernel32 side, but you can see this program uses functions like CreateFile, DeleteFile, GetCurrentDirectory and GetEnvironmentVariable. It is definitely poking around the file system.

And if you look at the functions under Wininet.dll you see a whole bunch of FTP functions:

Wininet32 Functions

Any guesses on where this is going?

Now that we have a general idea of what it could do, let’s execute it in a controlled environment so we can see what it actually does. We will want to know what registry settings it touches, what network communication is attempted and as much about the running processes as we can obtain.

For this we will use the following programs:

REGSHOT

Regshot is very easy to use: just download and run it. You then have three options: 1st Shot, 2nd Shot and Compare. Simply select 1st Shot to get a baseline look at your registry. Then run the suspicious program. Next, hit 2nd Shot to capture any changes made to your registry.

Regshot

Finally select Compare to get a report of any changes made:

Registry Modifications
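The 1st Shot / 2nd Shot / Compare workflow above amounts to diffing two registry snapshots. The following is an added example, not code from the original post or from Regshot: it produces the same five report sections Regshot prints (keys added/deleted, values added/deleted/modified) over two constructed snapshots whose layout, `{key_path: {value_name: data}}`, is an assumption of this demo.

```python
# Added example (not from the original post): Regshot's 1st Shot / 2nd Shot /
# Compare step as a snapshot diff. Snapshot layout is an assumption:
# {key_path: {value_name: data}}. Both snapshots below are constructed.

def compare_snapshots(first, second):
    """Return a Regshot-style report: keys and values added, deleted, modified."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    report["keys_added"] = sorted(k for k in second if k not in first)
    report["keys_deleted"] = sorted(k for k in first if k not in second)
    # Only keys present in both shots can carry value-level changes
    for key in sorted(first.keys() & second.keys()):
        before, after = first[key], second[key]
        for name, data in after.items():
            if name not in before:
                report["values_added"].append(f"{key}\\{name}: {data}")
            elif before[name] != data:
                report["values_modified"].append(
                    f"{key}\\{name}: {before[name]} -> {data}")
        for name, data in before.items():
            if name not in after:
                report["values_deleted"].append(f"{key}\\{name}: {data}")
    return report

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
APP_KEY = r"HKCU\Software\ConstructedApp"          # constructed
OLD_KEY = r"HKCU\Software\ConstructedApp\Temp"     # constructed
NEW_KEY = r"HKCU\Software\SampleDropper"           # constructed

# 1st shot: baseline taken before the sample is run (constructed)
FIRST_SHOT = {
    RUN_KEY: {"OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    APP_KEY: {"Version": "1.0", "Stale": "x"},
    OLD_KEY: {},
}
# 2nd shot: a new Run value and a new key appear, one value changed (constructed)
SECOND_SHOT = {
    RUN_KEY: {"OneDrive": FIRST_SHOT[RUN_KEY]["OneDrive"],
              "Updater": r"C:\Users\victim\AppData\Roaming\sample.exe"},
    APP_KEY: {"Version": "1.1"},
    NEW_KEY: {"Installed": "1"},
}

if __name__ == "__main__":
    for section, entries in compare_snapshots(FIRST_SHOT, SECOND_SHOT).items():
        print(f"{section}: {len(entries)}")
        for line in entries:
            print("  " + line)
```

A new value under the Run key is the kind of entry the Compare report makes obvious, which is why the baseline shot must be taken before the sample is started.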

PROCESS MONITOR

Process Monitor is a bit more involved. Basically, after you run it, you need to turn off capturing (File, then uncheck Capture Events) and clear the display (Edit, then Clear Display). Leave capturing off until you are ready to fire up the malware. Then turn capturing on and execute the malware.

Process Monitor

Let it run for a few minutes, then turn off capturing so you don’t fill your system memory with process captures.

Then, finally, we need to filter for our suspicious file. Select Filter, then Filter again. Select Process Name from the first drop-down box, leave “is” in the second box, then pick the filename of the file you want to monitor in the third box:

Process Name

Then just click “Add” and “OK”.

You can now view all the process information that is related to the malicious file.

You can further filter the data available for the file in question by using the 5 select boxes on the menu:

Process Monitor filters

With these you can view just registry activity, processes, file use activity, network use, etc.

If we look at our malicious file with Process Monitor you will see that the program searches your entire drive for user files, installed programs, security programs and patches, installed FTP programs, file manager programs and even remote storage clients (like Dropbox).

Process Monitor Screenshot 1
Process Monitor Screenshot 2
Process Monitor Screenshot 3
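The Process Name filter and the category toggles described above can be reproduced offline against a saved capture. This is an added example, not code from the original post or from Process Monitor: it reads a CSV export (column names follow ProcMon's CSV save format), keeps only rows for the chosen process, counts them per category and flags paths that point at user documents, cloud-storage and FTP clients. The rows, the process name FaxReport.exe, the paths and the address 203.0.113.10 are all constructed for this demo.

```python
# Added example (not from the original post): Process Monitor's "Process Name
# is <file>" filter plus its category toggles, reproduced over a CSV export.
# Column names follow ProcMon's CSV save format; the rows, process name,
# paths and address 203.0.113.10 are all constructed for this demo.
import csv
import io

PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","FaxReport.exe","3412","Process Start","","SUCCESS","Parent PID: 1200"
"10:01:02.105","FaxReport.exe","3412","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall","SUCCESS",""
"10:01:02.110","FaxReport.exe","3412","QueryDirectory","C:\\Users\\victim\\Documents\\*","SUCCESS",""
"10:01:02.115","FaxReport.exe","3412","CreateFile","C:\\Users\\victim\\AppData\\Roaming\\Dropbox\\host.db","NAME NOT FOUND",""
"10:01:02.120","FaxReport.exe","3412","CreateFile","C:\\Program Files\\FileZilla FTP Client\\filezilla.exe","NAME NOT FOUND",""
"10:01:02.130","FaxReport.exe","3412","TCP Connect","victim-pc:49201 -> 203.0.113.10:21","SUCCESS","Length: 0"
"10:01:02.140","explorer.exe","1200","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt","SUCCESS","Data: 1"
"""

# Path fragments that hint at data harvesting: user documents, cloud storage, FTP clients
INTERESTING = ("\\documents\\", "dropbox", "ftp")

def category(operation):
    """Map an Operation column value to one of ProcMon's toolbar categories."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    return "filesystem"

def summarize(csv_text, process_name):
    """Keep only rows for process_name (ProcMon's 'Process Name is' filter) and summarise them."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Process Name"].lower() == process_name.lower()]
    by_category = {}
    for r in rows:
        cat = category(r["Operation"])
        by_category[cat] = by_category.get(cat, 0) + 1
    flagged = [r["Path"] for r in rows
               if any(hint in r["Path"].lower() for hint in INTERESTING)]
    # ProcMon writes network paths as "local:port -> remote:port"
    remote = [r["Path"].split("-> ")[-1] for r in rows if r["Operation"] == "TCP Connect"]
    return {"rows": len(rows), "by_category": by_category,
            "flagged_paths": flagged, "remote_endpoints": remote}

if __name__ == "__main__":
    for key, value in summarize(PROCMON_CSV, "FaxReport.exe").items():
        print(key, value)
```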

WIRESHARK

Finally we want to see what network activity the virus initiates. Simply have Wireshark running before you execute the program.

Wireshark Malware Traffic

As you can see, as soon as the malware was executed, it immediately tried to connect out to a malicious server.

ANALYSIS

As you can see, if a user is duped into allowing the malicious e-mail attachment to run, a basic analysis of the file shows that it is a data-mining trojan. It searches your hard drive for all data that could be of interest, then tries to send it out to a malicious server.

Of the three different samples obtained, all were similar in that they claimed to be a fax report from an internal fax server. Some looked much more believable than others. All three had an executable attachment that was masked to look like a .pdf file.

All three searched the hard drive and registry for pertinent information, and all three connected out to a suspicious server address. The funny thing is that when all three were run through the WHOIS database, all three domains pointed to the same server!

Lastly, the e-mail addresses in all three seemed to be in a somewhat alphabetical order. This seems to point to a botnet-type control system going through a list of e-mail addresses, breaking them down into groups and sending each group one of the malicious e-mails.

CONCLUSION

These types of automated phishing attacks are becoming very common. The best line of defense against these attacks is vigilant users who question unsolicited e-mails, especially ones with attachments. Blocking incoming and outgoing IPs from unneeded locations, together with ingress and egress filtering, is paramount in stopping these attacks.

Network Security Monitoring with full packet capture will also help to find what, if any, data was actually compromised if the attack is a success.

This was just a very basic analysis of this malicious attachment. Want to take a closer look at these techniques and learn a whole lot more about malware analysis including advanced techniques? Check out Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig.