Tag Archives: phishing

Blog Post Shout Out: Google Chrome Cleanup and GDPR

Google have made available a clean-up tool within Google Chrome to remove threats such as adware, browser hijackers, fake system optimizers and tracking software which may be impacting your browsing experience.

This tool from ESET appears to be a revised version of the tool I discussed over 3 years ago. This blog post from Lawrence Abrams of Bleeping Computer provides more details of how to use it and what data it collects (and sends to Google, who retain it for 14 days). If you are experiencing issues with Google Chrome, this tool is a good place to start your troubleshooting. If necessary, a full reset can be performed later.

====================
Separately, with the European General Data Protection Regulation (GDPR) (see the explanation written by Dr. Jessica Barker) due to come into effect on the 25th of May, you may be receiving emails from every online service or account that you hold advising you of their approach to the new regulation.

Most of the emails do not ask you to take any action; however, some will request that you review the information they have on file/record and update it if necessary. My advice for these emails is to treat them as you would any email you receive regarding an online account: with caution.

If, for example, you receive an email purporting to be from PayPal but you don’t have a PayPal account, delete it! For the emails you do receive, if you suspect they are fraudulent then, as per past advice from SANS, call the company yourself and verify that they are sending such emails and what actions, if any, they wish you to take. Be very careful if you do click on the links and think before you provide any personal information (in almost all cases you won’t have to enter anything).

====================
I hope the above blog posts, for which I have provided a respectful shout out, prove useful if you are experiencing issues with Google Chrome and offer guidance on how to approach the large volume of email you are likely receiving.

====================
Update: 24th May 2018
====================
I received a call yesterday from one online account I hold stating they had sent me an email yesterday relating to GDPR and asking me to update my preferences. While it was a genuine call (I did receive the email that very morning), I had not yet acted on it. The person even offered to call me back today to check I had updated my preferences. I explained I would update them and a call back would not be necessary.

This is very much the exception; no other online account has called me. As always, be cautious accepting calls and don’t provide any personal information to someone you do not know; they may not be who they claim to be.

Thank you.

Attackers intercept SMS/text messages to drain bank accounts

In early May this year the German newspaper Süddeutsche Zeitung detailed the first documented case where cybercriminals exploited known SS7 (Signalling System No. 7) (defined) (PDF) vulnerabilities for their own profit (the attack took place in January 2017).

How did this incident take place?

According to the German newspaper, the attackers first obtained the victims’ credentials for their bank accounts (via phishing (defined) emails), then used the SS7 flaws to hijack each victim’s phone number and receive the transaction confirmation code (sent within a text message, i.e. an SMS (defined) message) on a mobile phone in use by the attackers. This allowed the attackers to steal users’ mobile transaction authentication numbers (mTAN) and thereby withdraw money from their victims’ accounts.

Currently, carrying out such attacks requires specialized hardware and special codes to interact with other telephony providers. Buying such equipment and the codes isn’t as hard as you might believe, and an SS7 hacking rig could cost an attacker a few hundred to a thousand dollars, well below the money they stand to make.

Why should this vulnerability be considered important?

The SS7 (Signalling System No. 7) protocol was developed in the 1980s and is a so-called telephony signalling protocol, used to route calls between different telephony providers.

The protocol has no security features, and its flaws became widely known after talks at the Chaos Communication Congress meetings held in 2010 and 2014. In these two talks, German security researcher Tobias Engel (with Karsten Nohl in 2014) showed how a determined actor could locate and track any person on the planet via SS7, and even manipulate their communications by taking over their phone number.

Moreover, in April 2016 the issues surrounding SS7 came back into the limelight when a CBS reporter, with the help of the above-mentioned German security researcher (Karsten Nohl), used the same flaws to track US House of Representatives member Ted Lieu’s whereabouts (with his consent). Indeed, both US Senator Ron Wyden and Representative Lieu have previously called for the FCC to at least look into strengthening the security of SS7. They also wrote an open letter (PDF) to the Homeland Security Secretary John Kelly.

Just one month later (May 2016) security firm Positive Technologies showed how using another technique an attacker could hijack a person’s phone number and receive messages intended for other WhatsApp and Telegram accounts.

How can I protect myself from these vulnerabilities?

Before focusing on the vulnerabilities within SS7, let us first review how the attackers emptied victims’ bank accounts:

They first obtained their victims’ banking details via phishing emails. Tips to avoid being affected by such emails are provided here.

Following this incident, the affected German mobile network operator made it impossible for call forwarding to be set up by other organizations that have access to the mobile operator’s network. Other German mobile network operators have implemented this change. This should mitigate a similar attack occurring in the future for these mobile operators. All other mobile operators should deploy similar mitigations. Further recommendations to mobile operators, e.g. the use of a signalling firewall, are provided in this news article. As this article mentions, the successor of SS7, namely Diameter, will take time to migrate to and unfortunately suffers from some of the same vulnerabilities.

In 2016 the US National Institute of Standards and Technology (NIST) began recommending not to use SMS messages for two-factor or two-step verification (differences between 2FA and 2SV). Instead they suggest the use of tokens (most likely hardware tokens) and cryptographic authenticators (and perhaps, at a later time, biometric authentication (defined)). They also encourage software vendors to check for the presence of a VoIP connection (Voice over IP, defined), since some VoIP services allow the hijacking of SMS messages.

At this time, the use of software authenticators such as the Google and Microsoft authenticators and RSA’s SecurID app is increasing, which favours the eventual phase-out of SMS messages. Biometrics (perhaps making use of Windows Hello) or USB tokens such as the YubiKey are further alternatives.

Advice for consumers/end-users:

The article linked to above also contains advice (in its final three paragraphs) which you may find useful.

Thank you.

Punycode makes phishing harder to detect

In mid-April, security researcher Xudong Zheng publicly disclosed (defined) and provided a demonstration of a security vulnerability within popular web browsers e.g. Google Chrome, Mozilla Firefox and Opera which may be used in phishing (defined) attacks.

Why should this vulnerability be considered important?

This vulnerability is not the first of its kind; for example, a similar vulnerability exists in how the DNS protocol resolves device hostnames (defined) (which, when combined with Service Discovery (SD), provides the capability of network resource distribution beyond the reach of multicast, normally limited by the MAC bridge).

However, this vulnerability could allow an attacker to lead you into clicking a legitimate-looking link which takes you to an unexpected website (which the attacker can populate with content of their choice). This may happen because an attacker can send you a highly targeted email (i.e. spear phishing) which you may be expecting, and you may inadvertently click an undesired link or enter login details into a legitimate-looking website (following a link from such an email).

Mr. Zheng demonstrates how this vulnerability exploits the way web browsers display domain names made up of non-Latin letters that look like Latin letters. For example, he registered a domain whose actual name is xn--80ak6aa92e.com but which is spelt with non-Latin letters resembling those of apple.com; when visited, your web browser still shows apple.com in its address bar. This occurs because the browser translates the domain name from its Punycode form (a recognized standard of the Internet Engineering Task Force) back into the non-Latin letters, which are visually indistinguishable from the Latin ones.

How can I protect myself from this vulnerability?

While the conventional advice of hovering over any link before clicking to view its actual destination is not redundant, it is now significantly less useful.

If you use a password manager which works with your web browser, it will not enter your username/password into such a look-alike website, because it matches your saved credentials against the site’s actual (Punycode) domain name rather than the letters displayed. For example, your Apple credentials would not be entered into xn--80ak6aa92e.com
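The Punycode translation described above, and the reason a password manager is not fooled by it, can be seen in the following added example, which is not code from the original post, from Xudong Zheng, or from any browser or password manager. It decodes the "xn--" form of a hostname into the letters a browser would display, works out which Latin name those letters resemble, and classifies the label the way a defender's filter would (a label mixing Latin with another script, or a label made entirely of look-alike letters, is flagged; a genuine non-Latin name is not). The look-alike table is a small hand-picked subset I constructed for illustration; browsers and Unicode's UTS #39 use a far larger confusables list.

```python
"""
Spot IDN homograph ("look-alike") hostnames such as the apple.com demonstration.

Added example; not code from the original post, from Xudong Zheng, or from any
browser or password manager. CYRILLIC_LOOKALIKES is a hand-picked subset.
"""
import unicodedata

# Constructed subset: Cyrillic letters and the Latin letter each one resembles.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u04cf": "l",  # palochka, the "l" in the xn--80ak6aa92e demonstration
}


def decode_label(label: str) -> str:
    """Return the Unicode a browser would display for one hostname label.
    ACE labels ("xn--" + Punycode, RFC 3492) are decoded; others pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def ace_form(hostname: str) -> str:
    """The ASCII (Punycode) form of a hostname: what DNS resolves and what a
    browser-integrated password manager matches saved credentials against."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def script_of(ch: str) -> str:
    """Coarse script name taken from the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_hostname(hostname: str) -> dict:
    """Decode each label and classify the hostname:
       ok                       every label is pure ASCII
       mixed-script             Latin letters mixed with another script in one label
       whole-script-confusable  every letter of a label is a look-alike of a Latin letter
       non-latin                a genuine non-Latin name (e.g. a Cyrillic word)"""
    labels = [decode_label(l) for l in hostname.split(".")]
    verdict = "ok"
    for label in labels:
        letters = [c for c in label if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if scripts <= {"LATIN"}:
            continue
        if "LATIN" in scripts:
            verdict = "mixed-script"
            break
        if all(c in CYRILLIC_LOOKALIKES for c in letters):
            verdict = "whole-script-confusable"
            break
        verdict = "non-latin"
    looks_like = ".".join(
        "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label) for label in labels
    )
    return {"displayed": ".".join(labels), "looks_like": looks_like,
            "ace": ace_form(".".join(labels)), "verdict": verdict}


if __name__ == "__main__":
    report = analyze_hostname("xn--80ak6aa92e.com")
    print(report["displayed"], "looks like", report["looks_like"],
          "but is really", report["ace"], "->", report["verdict"])
```

The `ace` value is the point about password managers: the credentials saved for apple.com are keyed to the string "apple.com", and xn--80ak6aa92e.com never equals it, however it is painted in the address bar.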

Google has addressed this vulnerability with the release of Chrome version 58. Opera has also resolved this issue. Mozilla is currently considering the best means to resolve this vulnerability (Firefox 53 mistakenly shows apple.com). In the meantime, Mozilla Firefox users can use the steps mentioned at the end of this news article to mitigate this issue.

For any website important to you, please manually type its address into your web browser’s address bar to visit the legitimate website. Using encrypted connections where possible is encouraged, e.g. https://twitter.com or https://mail.google.com

Thank you.