Ruslan Rakhmetov, Security Vision
In the previous article we looked at what phishing is and listed its main types. Today we turn to a number of practical methods and techniques that attackers use in phishing and social-engineering attacks, as well as current trends in phishing and the countermeasures against them.
1) Pretexting is the technique of creating an artificial situation or pretext in which the attacker extracts information from the victim or induces the victim to perform certain actions (click a link, enter a password, open a file). Reverse social engineering is also a form of pretexting, in which the victim initiates contact (a dialogue or correspondence) with the attackers: for example, a user sees a banner claiming that his or her PC is infected with a dangerous virus (to create the illusion of authenticity, information about the user's browser and device can be obtained by fingerprinting), so he or she writes to the "tech support" chat by clicking a link in the banner. Another example: a citizen receives an SMS warning that his Gosuslugi account has been hacked and that he should call "tech support" to restore access (of course, the Gosuslugi support number given in the SMS belongs to fraudsters; if you suspect that your Gosuslugi account has been hacked, you should contact the nearest MFC in person).
2) Baiting is the technique of luring the victim and inducing them to perform actions that benefit the attacker. For example, the victim may click on a banner promising a free download of a new TV series, open a file received by email with the intriguing title "Salary statements", or pick up a "lost" flash drive in the street and plug it into a work PC; in all these cases the result is a malware infection of the device.
3) ClickFix attack: a CAPTCHA is displayed on the phishing site; when it is clicked, a set of commands is placed in the clipboard of the victim's device, and the accompanying text invites the victim to open a command prompt or terminal (on Windows or Linux) and paste the copied text there. In this way the user runs the malicious command from the clipboard with their own hands.
4) Attacks on Chromium browsers: similarly to the ClickFix attack, the user can be prompted to open the page in a "safe" or "compatible" browser mode by launching the Chromium browser with the "--auto-select-desktop-capture-source" flag (which starts sharing the browser screen) or with the "--auto-accept-camera-and-microphone-capture" flag (which activates the device's camera and microphone). Another technique is to open the web page in application mode, which displays the site in a separate application-style window with the address bar hidden, making it harder to recognise the phishing domain when entering credentials.
5) Screen sharing and remote administration tools: the user can be persuaded by "tech support specialists" to download and run legitimate remote administration and screen-sharing software, ostensibly to fix a computer problem; in the meantime the attackers either infect the computer with malware or submit a request to restore access to a web service and read the text of the SMS message on the smartphone screen. Fraudsters gain access to the victim's Gosuslugi portal account in the same way.
6) Using trackers: web beacons (also called web bugs, tracking pixels or spy pixels) can be embedded in email messages and attachments as invisible microscopic images that are downloaded from the attackers' servers; analytics and marketing firms use the same mechanism. Depending on the program in which the user views the message (mail client or browser), such a beacon can transmit to the attackers the IP address of the user who opened the letter, the version of the mail client, and all the browser information that can be obtained by fingerprinting. If the user opens an attachment with an embedded beacon (for example, an office document), the attackers also learn the versions of the OS and office suite. To counter this kind of information gathering, some email clients do not download external content in messages by default, and Microsoft Office opens documents received from the Internet in a protected mode (Protected View); in the Microsoft environment the origin of a file is recorded by the Mark-of-the-Web (MOTW) mechanism, which has various bypasses and vulnerabilities - for example, when documents are opened from received archives using some archiving programs. Another attack method exploits a peculiarity of NTLM authentication: when a workstation opens a link to an image with the file:// scheme, it automatically sends the login and the Net-NTLMv2 hash derived from the password to the remote resource. The protection here is to set the Windows policy "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to blocking mode ("Deny all").
7) Multifactor authentication bypass: as we have already discussed, attackers use a number of techniques to bypass multifactor authentication based on push notifications and one-time codes. In the case of push notifications, attackers rely on social engineering (e.g. calling the user on behalf of tech support and asking them to confirm a supposedly "business" login to their account). In the case of one-time codes generated in an app or received via SMS, attackers use phishing sites on which the user enters the login, the password and the one-time code. Such a phishing site may sit behind a reverse proxy (e.g. Nginx-based) that forwards all the data received from the user (login, password, code) to the real website, obtains a session cookie or JWT token from it, and the attackers then use that token to gain unauthorised access to the account. Meanwhile the user remains on the phishing page but sees in the browser window the contents of the familiar website (including all their files, mail, etc.), proxied through the attacker's server so as not to arouse the employee's suspicion about the authenticity of the resource. Such an attack can be carried out, for example, with the freely distributed Evilginx utility.
8) Compromising one participant of a correspondence and inserting into the email thread: by analogy with the BEC attack discussed last time, attackers increasingly compromise the email account of one participant in a correspondence and then send "reply" phishing messages (with quoting) on his behalf, which increases trust in such letters. Fraudsters do the same after hijacking instant-messenger accounts: they write messages "in reply" to old conversations, and also look for voice and video messages from which they create deepfake recordings for friends or relatives (for example, "I'm in trouble, transfer money urgently").
9) The use of AI for email phishing: whereas attackers carrying out spear-phishing attacks used to craft each phishing message by hand, checking grammar and style, modern AI technologies make it possible to mass-produce spear-phishing not only for targeted attacks on large companies but also for everyday phishing against ordinary users. Generative AI can translate text into any language with high quality, compose a message in an official or informal style, and copy the characteristic stylistic features of an author (if his account was previously compromised and is used to send further phishing to his contact list). AI also allows fraudulent correspondence to be conducted simultaneously with many potential victims, drawing them into a long dialogue and gradually persuading them to perform the actions the attackers need.
10) The use of AI for voice phishing: AI makes it possible not only to reproduce convincingly the voice and image of the person the fraudster is impersonating, but also to hold a dialogue with victims in mass vishing attacks. For example, to automate the manual "labour" of fraudsters in illegal call centres, AI bots can call users en masse, working much like the voice assistants of legitimate services. Another fraudulent scheme uses an AI bot to screen out vigilant citizens by requiring an active step from them: the bot calls the user, delivers the legend about the "blocked card", and then invites the victim either to enter a tone command (for example, press "1") or to answer "Yes", supposedly to be connected to an operator. Attentive users drop out at this step, and the call is transferred to a "live" fraudster only for those who have already believed the scam legend.
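The tracker and NTLM-leak techniques from item 6 can both be caught on the receiving side by inspecting the images an HTML message references. The following scanner is an added example written for this article, not code from the article or from Security Vision; the HTML body it runs on is constructed, and the domains and the file:// address in it are placeholders. It classifies every <img> in a message as an ordinary remote image, a tracking pixel (1x1 or CSS-hidden remote image), an inline data: image, or an NTLM-leak risk (file:// or UNC source that a Windows workstation would try to fetch over SMB/WebDAV and authenticate to):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body of an email message (placeholder domains):
# a normal remote logo, a 1x1 tracking pixel, a CSS-hidden beacon, an image
# whose source is a remote share via the file:// scheme, and an inline image.
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example.test/logo.png" width="200" height="60" alt="logo">
<p>Your invoice is ready.</p>
<img src="https://track.example.test/open?id=abc123" width="1" height="1">
<img src="https://track.example.test/pixel.gif" style="display:none">
<img src="file://198.51.100.10/share/sig.png" alt="signature">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="10" height="10">
</body></html>
"""

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _pixels(value):
    """Parse an HTML width/height attribute ('1', '1px') into an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class ImageAuditor(HTMLParser):
    """Collects (verdict, src) pairs for every <img> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        scheme = urlparse(src).scheme.lower()
        if scheme == "file" or src.startswith("\\\\"):
            # file:// or UNC source: a Windows client may try to open it over
            # SMB/WebDAV and send its NTLM challenge-response to the remote host.
            self.findings.append(("ntlm_leak_risk", src))
        elif scheme in ("http", "https"):
            w, h = _pixels(a.get("width")), _pixels(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            hidden = bool(HIDDEN_CSS.search(a.get("style", "")))
            # A remote image nobody is meant to see exists only to report the open.
            if tiny or hidden:
                self.findings.append(("tracking_pixel", src))
            else:
                self.findings.append(("remote_image", src))
        elif scheme == "data":
            # Inline images are loaded from the message itself and phone nobody.
            self.findings.append(("inline_image", src[:30]))


def audit_images(html_body):
    """Return the list of (verdict, src) findings for an HTML message body."""
    p = ImageAuditor()
    p.feed(html_body)
    p.close()
    return p.findings


if __name__ == "__main__":
    for verdict, src in audit_images(SAMPLE_HTML):
        print(f"{verdict:16s} {src}")
```

A gateway would typically strip or rewrite the "ntlm_leak_risk" sources and replace "tracking_pixel" sources with a local placeholder before delivery; on the endpoint, the "Restrict NTLM" policy from item 6 is what stops the credential leaving the workstation even if the image is fetched.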
Fraudsters constantly refine both their methods of deception and their ways of exploiting credentials stolen through phishing, using, for example, the following techniques and tools:
1) Infostealers: malware with credential-stealing functionality, including credentials stored in browsers, remains popular with cybercriminals; infostealers, spyware and keyloggers send cookies, tokens and login-password pairs to the attackers.
2) Hacktivist actions: politically motivated attackers publish large dumps of compromised accounts obtained through mass phishing, hacking of web services and parsing of infostealer logs. Other cybercriminals search the publicly posted accounts for valid data and use it to carry out further attacks.
3) Phishing-as-a-Service: a common approach among attackers that involves renting illegal mail-server infrastructure and phishing kits (ready-made kits that include email and phishing web-page templates) for fraudulent campaigns.
4) Initial Access Brokers: trading platforms for attackers who specialise in stealing credentials for various (mostly corporate) services and then selling them on the darknet, where the buyers may be other cybercriminals, such as ransomware (extortion) groups or cyber spies, who then gain unauthorised remote access to the infrastructure of the company of interest.
5) Contagious Interview and WageMole: two relatively new schemes used either to infect the devices of candidates for fake jobs by sending them malware disguised as technical tests and remote-work tools (the Contagious Interview scheme), or to get candidates remotely hired by large companies for cyber-espionage purposes using an AI-generated fake IT profile (the WageMole scheme).
To protect email systems from spam and phishing, there are a number of solutions, such as:
· Email security tools (Secure Email Gateway, SEG): solutions for filtering spam, phishing messages, malware and data leaks, and for performing additional authentication of email messages (SPF, DKIM, DMARC); they may use AI and computer-vision technologies to identify signs of phishing and spam (for example, to recognise phishing text hidden inside images);
· Isolated program execution systems (sandboxes): solutions that create an isolated, controlled environment for checking files received by email for malware;
· Anti-spam filters: basic solutions for detecting and blocking spam that are built into email servers and email clients.
Despite the presence of such security solutions, attackers are finding new ways to bypass them, for example:
1) Polymorphic phishing: each individual message within a phishing mailing differs slightly from the others, which prevents all the messages of the mailing from being quickly identified and blocked, complicates tracking of the whole malicious campaign, and reduces the effectiveness of block lists on SEGs and mail servers.
2) "HTML Smuggling" technique: a sub-technique for obfuscating malicious files in which JavaScript hosted on a web page (the user opens an HTML attachment or follows a link) assembles a binary object (a JS Blob), whose contents are decoded by the browser on the local PC, saved to disk and offered to the user to open. The malicious file may be saved as a password-protected archive, with the password given on the same phishing web page. Attackers also use the ability of SVG files to display HTML and execute JavaScript when the image is loaded, with the malicious object again assembled locally, and also exploit features of the blob: URI scheme.
3) Using legitimate mail infrastructure for phishing mailings: to reduce the rate of phishing detection, attackers send malicious messages from previously compromised email accounts and also register phishing domains disguised as legitimate services on which SPF, DKIM and DMARC are correctly configured, which likewise lowers the detection rate of the phishing they send. In addition, attackers use a number of popular platforms intended for marketing and other legitimate mailings for phishing purposes; a non-exhaustive list of such services can be found on the Living Off Trusted Sites (LOTS) project page using the Phishing filter.
4) URL Rewriting technique: SEG solutions and sandboxes usually check the safety of a URL at the moment the email is received, and if the link is not identified as malicious at processing time, the message is delivered to the user. The attack succeeds, however, if the content of the web page the link points to is replaced between the security solution's check and the target user's click: for example, within a few night hours a harmless business-card site at the same address is replaced by a credential-entry form imitating a corporate service. A related feature is that email protection solutions, after analysing a URL that is harmless at verification time, rewrite it, i.e. replace it with a redirect link belonging to the security solution itself, which makes users trust such links. Accordingly, an attacker first needs to compromise one account protected by a corporate solution that uses such URL rewriting, send themselves a link that is harmless at verification time, obtain the rewritten "safe" redirect link, and then distribute it across the corporate address book; once the page content has been changed to malicious, the security solution no longer detects this, and the redirect link passes all filters within the company without arousing suspicion among corporate recipients.
5) Using AMP technology: attackers use outdated AMP (Accelerated Mobile Pages) technology to hide a malicious URL behind an AMP link from a legitimate provider (Google, TikTok, etc.).
6) Using URL shortening services: attackers use URL shortening services (TinyURL, Bitly, ShortUrl, etc.) to mask malicious links.
7) Redirect chain: attackers use the HTTP "302 Found" response code to redirect users unobtrusively to another site, and there may be many such redirects in a row. Some security solutions do not follow multiple redirects when checking a link, which allows attackers to bypass such protections.
8) Using CAPTCHA: to hide the content of a malicious site from URL-checking services, sandboxes and SEG content inspection, attackers put up a CAPTCHA that such security solutions cannot pass, while the victims perceive the need to pass a CAPTCHA check as commonplace.
9) Geofencing: to prevent a phishing site from being examined by various security solutions, search-engine robots and Internet scanners, attackers allow access to the phishing site only from the geographic zones in which the targeted users are located, and also filter by IP address (allowing connections only from the IP range of the attacked company), by the HTTP User-Agent header, by the languages supported by the browser, by OS type, and so on. This lets them separate the targets of a spear-phishing mailing from random visitors and keeps the malicious site out of block lists built from the analysis results of various security solutions.
10) Using graphic images: the idea of using images instead of text to bypass text-based anti-spam and anti-phishing filters is not new, and computer-vision technologies are successfully used to identify suspicious text in images. Increasingly, however, attackers embed QR codes in phishing messages, implementing a Quishing (QR phishing) attack, and combine it with other techniques such as URL rewriting and redirect chains.
11) Sandbox bypass using password-protected archives: attackers look for ways to deliver malicious content in archives whose password is transmitted as an image, sent in a subsequent email message, or shown on the web page from which the user is prompted to download the malicious archive.
12) Sandbox bypass using non-standard content types: attackers may send malicious archives in parts, use deep nesting of archives, and deliver malicious content in .iso (disk image) or .vhd (virtual hard disk) formats. In addition, attackers may send very large files or archives in the hope that the security solution either will not process them at all because of resource limits or the settings of the corresponding policy, or will deliver the large file to the user without any check because processing takes too long and the security solution falls into Fail-Open timeout mode.
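The HTML Smuggling pattern from item 2 (a script that decodes embedded data into a Blob and forces a download, or a script carried inside an SVG) leaves recognisable traces in the attachment itself, so an HTML attachment can be triaged before it reaches a sandbox. The scanner below is an added example written for this article, not code from the article or from Security Vision. The attachment it runs on is constructed and inert: its "payload" is the base64 of the text "constructed-sample", and the script fragment only sets up the download without triggering it. The indicator names and the threshold are the example's own choices.

```python
import re
from html.parser import HTMLParser

# Constructed, inert sample of an HTML attachment showing the hallmarks of
# the technique: a script inside an SVG, base64 data decoded with atob(),
# a Blob built from it, an object URL and a forced download name.
SAMPLE_ATTACHMENT = """<!DOCTYPE html>
<html><body>
<p>Loading your document, please wait...</p>
<svg width="10" height="10"><script>console.log("svg");</script></svg>
<script>
  var payload = atob("Y29uc3RydWN0ZWQtc2FtcGxl");  /* inert: "constructed-sample" */
  var blob = new Blob([payload], {type: "application/octet-stream"});
  var link = document.createElement("a");
  link.href = URL.createObjectURL(blob);
  link.download = "invoice.zip";
</script>
<p>Archive password: 1234</p>
</body></html>
"""

BENIGN_HTML = """<html><body><p>Quarterly report</p>
<script>document.title = "Report";</script></body></html>"""

# Each indicator is checked only against script content, not visible text.
INDICATORS = [
    ("blob_construction", re.compile(r"new\s+Blob\s*\(")),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(")),
    ("legacy_save_blob", re.compile(r"msSaveOrOpenBlob|msSaveBlob")),
    ("base64_decode", re.compile(r"\batob\s*\(")),
    ("forced_download", re.compile(r"\.download\s*=|\bdownload\s*=")),
    # A long base64-looking string literal is the smuggled payload itself.
    ("embedded_payload", re.compile(r"[\"'][A-Za-z0-9+/]{20,}={0,2}[\"']")),
]


class SmugglingScanner(HTMLParser):
    """Collects script text and structural indicators from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.svg_depth = 0
        self.indicators = set()
        self.script_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            if self.svg_depth:
                self.indicators.add("script_inside_svg")
        elif tag == "a" and "download" in dict(attrs):
            self.indicators.add("download_anchor")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)


def scan_attachment(html):
    """Return the sorted list of smuggling indicators found in an HTML document."""
    s = SmugglingScanner()
    s.feed(html)
    s.close()
    js = "\n".join(s.script_text)
    for name, rx in INDICATORS:
        if rx.search(js):
            s.indicators.add(name)
    return sorted(s.indicators)


def is_suspicious(html, threshold=3):
    """Simple triage rule: several independent indicators together are rare in benign mail."""
    return len(scan_attachment(html)) >= threshold


if __name__ == "__main__":
    print(scan_attachment(SAMPLE_ATTACHMENT))
    print(scan_attachment(BENIGN_HTML))
```

The threshold exists because single indicators such as atob() or a download attribute are common in legitimate web pages; it is the combination of decoding, Blob assembly and a forced download inside an email attachment that is characteristic of the technique, and a match should route the attachment to detonation rather than delivery.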
The phishing problem is not new, and the SPF, DKIM and DMARC technologies that filter out some of the simpler phishing were developed and deployed long ago. Nevertheless, researchers have already identified a number of problems and ambiguities that arise when email is processed even with these protections in place (report at BlackHat USA 2020, research, utility from the authors of the study, discussion at Habré):
· There is ambiguity in the logic of checking email headers (for example, SPF checks the HELO header, while DMARC checks the MAIL FROM header);
· Special characters in email headers make it possible to deceive the SPF/DKIM/DMARC verification logic;
· The Mail Transfer/Delivery Agent (MTA), such as a Dovecot or Postfix server, should verify that the "From:" header matches the authenticated user's name, but in practice checking the "From:" field is difficult because of the possible deliberate use of complex but permitted syntax (RFC 2047 allows non-ASCII characters, and RFC 5322 allows escaping of special characters in message headers);
· According to RFC 5322, messages with multiple "From:" headers should not be accepted, but in practice receiving mail servers often let such messages through without difficulty;
· The mail client (Mail User Agent, MUA, for example MS Outlook) shows the user in the "Sender" field the contents of the "From:" header (which can be arbitrary), and not the "MAIL FROM" value (whose authenticity is what the mail service checks);
· The mail client shows the user in the "Sender" field the contents of the "Sender:" or "Resent-From:" headers when the "From:" header is missing or has been deliberately malformed.
As a result, even if an incoming email message has passed all SPF/DKIM/DMARC checks, there is no guarantee that the user's email client displays the address of the actual sender correctly in the "From" field, which means that the user may misjudge who wrote the message and follow the phishing link.
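The header ambiguities listed above can be checked explicitly on the receiving side rather than left to the mail client's display logic. The audit below is an added example written for this article, not code from the article, from the cited study or from Security Vision. Both messages it runs on are constructed with placeholder domains: the first carries two "From:" headers, an RFC 2047-encoded display name that itself looks like an address, a "From:" domain different from the envelope domain that SPF authenticated, and a "Sender:" that matches none of the "From:" addresses; the second is an ordinary message. The envelope domain is read from an Authentication-Results header that the example assumes was written by our own MX.

```python
import email
import re
from email import policy

# Constructed test messages (placeholder domains, not real correspondence).
PHISHY = b"""Return-Path: <bounce@mail-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mail-example.test
From: =?UTF-8?B?RmluYW5jZSA8ZmluYW5jZUBleGFtcGxlLnRlc3Q+?= <attacker@mail-example.test>
From: ceo@example.test
Sender: relay@mail-example.test
To: victim@example.test
Subject: Urgent payment

Please process the attached invoice today.
"""

BENIGN = b"""Return-Path: <alice@example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.test
From: Alice <alice@example.test>
To: bob@example.test
Subject: Lunch

See you at noon.
"""

MAILFROM = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def envelope_domain(msg):
    """Domain that SPF authenticated, read from Authentication-Results.
    Assumption: the header was added by our own MX (a real check must also
    verify the authserv-id and strip any such header arriving from outside)."""
    for ar in msg.get_all("Authentication-Results") or []:
        m = MAILFROM.search(str(ar))
        if m:
            return _domain(m.group(1))
    return None


def audit_sender(raw):
    """Return a list of human-readable findings about the message's sender headers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    froms = msg.get_all("From") or []
    if len(froms) != 1:
        findings.append(f"{len(froms)} From: headers (RFC 5322 requires exactly one)")

    env = envelope_domain(msg)
    from_addrs = set()
    for hdr in froms:
        for addr in hdr.addresses:  # display names are already RFC 2047-decoded here
            from_addrs.add(addr.addr_spec.lower())
            if "@" in addr.display_name or "<" in addr.display_name:
                findings.append(
                    f"display name looks like an address: {addr.display_name!r} for {addr.addr_spec}")
            # Exact-match alignment between From: domain and the SPF-authenticated
            # envelope domain (DMARC relaxed mode would compare organisational domains).
            if env and _domain(addr.addr_spec) != env:
                findings.append(
                    f"From: domain {_domain(addr.addr_spec)} not aligned with SPF-authenticated {env}")

    # Headers a client may show instead of From: when From: is missing or malformed.
    for name in ("Sender", "Resent-From"):
        hdr = msg.get(name)
        if hdr is None:
            continue
        for addr in hdr.addresses:
            if addr.addr_spec.lower() not in from_addrs:
                findings.append(f"{name}: {addr.addr_spec} differs from From: {sorted(from_addrs)}")
    return findings


if __name__ == "__main__":
    for line in audit_sender(PHISHY):
        print("-", line)
    print("benign:", audit_sender(BENIGN))
```

Any finding from this audit is grounds to quarantine or tag the message regardless of the SPF/DKIM/DMARC verdicts, because those verdicts say nothing about what the user will actually see in the "From" field.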
Nevertheless, despite some scepticism, user training remains one of the effective ways to combat phishing, and it should take into account the psychological characteristics of the target audience: PC experience, age, impulsiveness, curiosity and other traits.