Why you need MFA now: Gmail phishing scheme prepends URL with working script data

Image: Leo Lintang, Getty Images/iStockphoto
Imagine waking up one morning to discover your email address and current password have been plastered onto a billboard on the side of a major highway. It’s a bit improbable, I know, but play along.
For some of you, that would be the end. Anyone could paw through your email history, steal personal identifying information, run password resets for other sites, and generally wreak untold havoc.
But, for others of you, the billboard would be a mere annoyance. You’d pick a new password and go on with your day. Nobody would have gotten into your account, your identity information would be safe, and havoc would remain unwreaked.

What is the difference between these two scenarios? Why would some people with exposed email addresses and passwords be hacked, attacked, smacked, and wracked — and why would others just merely be annoyed?

Multi-factor. It’s not just a compound word. It’s a defense strategy. The idea is this: In addition to something you know (your email ID and password), logging in requires something you have, or something you are. Usually, that’s something like an authentication key generated by your phone, or a fingerprint.

When you use multi-factor authentication, you’re requiring an additional factor beyond user name and password.

With that, I’m going to tell you about a new way some bad guys are phishing for authentication information. These nasty folks are trying to trick users out of their user IDs and passwords. And, in a lot of cases, they’re succeeding. The trick is relatively subtle, so even the most aware users might be tricked into falling for the ruse.

Malware uses denial-of-service attack in attempt to crash Macs


Victims are asked to call a phony Apple support number in order to restore their machine.

A tech support scam is targeting Mac users with unusual malware which tries to crash the system then encourages the victim to call a phony Apple support number in order to get the system restored to normal.

Victims are infected with the malware via a malicious email or by visiting a specially registered scam website. Cybersecurity researchers at Malwarebytes warn that these websites are particularly dangerous for Mac users running Safari because simply visiting one of the domains can execute the attack.

Once the malicious code has been triggered, it first checks which version of OS X the victim is running and then attempts a denial-of-service attack by repeatedly opening draft emails.

The attack keeps drafting new emails in individual windows until so many are open that the system runs out of memory and crashes. The subject line of the emails tells the user a virus has been detected and to call the tech support number.

There are also instances of the malicious software opening up iTunes without any user prompting and displaying the fraudulent phone number there.

Users running the most up to date version of the Apple operating system at the time, macOS Sierra 10.12.2, don’t appear to be affected by the denial-of-service attack against the Mail application, so users should patch their systems to ensure the best protection against the attacks.

Cybersecurity Expert Links Taiwan And Europe ATM Hacks

Group-IB says both attacks were likely carried out by Cobalt group using malware “ATM spitter.”

Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB’s conclusion is based on the fact that the hacking technique used in both incidents matches.

A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered and Taiwan authorities believe the bank network was breached at a London branch.

According to a Group-IB report, the hackers used malware “ATM spitter” in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria, and many other European countries, Reuters adds.

What’s a Honeypot? How to set one up?

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, on a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers. Nobody has a legitimate reason to touch it, so every interaction can be recorded and the source blocked. This is similar to the police baiting a criminal, conducting undercover surveillance, and finally punishing the criminal.
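The mechanism described above, as an added example that is not part of this article or of the Modern Honeypot Network project: a minimal TCP decoy in Python that presents a fake SSH banner, captures whatever the client sends, and writes one JSON event per connection, the same kind of record a sensor reports to its command server. The listening port, the banner text and the log file name are assumptions chosen for the demonstration.

```python
"""Minimal TCP decoy that records every connection attempt as a structured event.

Added example for this section; not code from the tutorial or from the
Modern Honeypot Network project. The decoy answers with a fixed banner,
captures whatever the client sends, writes one JSON line per contact and
closes the connection, so it serves nothing real while logging everything.
Port, banner and log path are assumptions for the demo.
"""
import json
import socket
import threading
import time
from collections import Counter
from datetime import datetime, timezone

DECOY_BANNER = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\r\n"  # assumed banner, resembles a real sshd
MAX_CAPTURE = 256          # bytes of client data kept per event
CLIENT_TIMEOUT = 5.0       # seconds to wait for the client to say something
_log_lock = threading.Lock()


def parse_ssh_banner(data):
    """Return the client's SSH identification line if it sent one, else None."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line.startswith(b"SSH-"):
        return first_line.decode("ascii", "replace")
    return None


def make_event(peer_ip, peer_port, listen_port, data, ts=None):
    """Build the record a sensor would ship to its command server."""
    ts = time.time() if ts is None else ts
    return {
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "source_ip": peer_ip,
        "source_port": peer_port,
        "dest_port": listen_port,
        "protocol": "tcp",
        "payload_len": len(data),
        # printable preview only: attacker data is stored, never executed or parsed as commands
        "payload_preview": data[:MAX_CAPTURE].decode("ascii", "backslashreplace"),
        "client_banner": parse_ssh_banner(data),
    }


def top_sources(events, n=5):
    """Most frequent source IPs in a list of events, e.g. for a daily summary."""
    return Counter(e["source_ip"] for e in events).most_common(n)


def handle(conn, addr, listen_port, log_file):
    """Serve one client: send the banner, capture its data, log it, disconnect."""
    conn.settimeout(CLIENT_TIMEOUT)
    data = b""
    try:
        conn.sendall(DECOY_BANNER)
        while len(data) < MAX_CAPTURE:
            chunk = conn.recv(MAX_CAPTURE - len(data))
            if not chunk:
                break
            data += chunk
    except OSError:            # timeout or reset: log whatever arrived
        pass
    finally:
        conn.close()
    event = make_event(addr[0], addr[1], listen_port, data)
    with _log_lock:            # handlers run in threads; serialise writes
        log_file.write(json.dumps(event) + "\n")
        log_file.flush()


def serve(host="0.0.0.0", port=2222, log_path="honeypot.jsonl"):
    """Accept connections forever; every contact is logged, none gets a real service."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, open(log_path, "a") as log_file:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr, port, log_file), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on a throwaway host and point an SSH client or a port scanner at the chosen port; each contact appears as one line in honeypot.jsonl with the source address and the first bytes the client sent. Because the decoy never interprets client data, a probe can learn nothing from it beyond the banner, which is the property that makes a honeypot safe to expose.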

 

By the end of this tutorial you should have created a command server with at least one sensor attached to it, all being created by using tools provided by the Modern Honeypot Network

 

Step 1- Digitalocean and an Ubuntu server.

In this stage you will be setting up an Ubuntu server on Digitalocean. At the end of this stage you should have a fully working server running the Ubuntu operating system and should have received a confirmation email from DigitalOcean. You can achieve this by following the below steps:

STEP 1.1 – Creating a droplet

Droplets

Select Ubuntu under ‘Choose an image’

First you will need to sign into your DigitalOcean account with the username and password you entered on creation.

Now you will need to set up your droplet; in this instance we will be using the bare minimum required to run our server. First you will need to choose the underlying operating system for your command server. Once we have finished, MHN will be managed through a web GUI front end, so the underlying OS is not overly important; however, in this instance we will be using Ubuntu (make sure this is the version specified in the image to the right).

Size

Select the ‘$5/mo’ option

Next we will be choosing the specifications of our command server. This server will only be receiving the information sent to it by our sensors and will not be performing any overly complicated tasks, so the least expensive option is a good choice. In this instance we will choose the ‘$5/mo’ option.

Location

Select a location closest to you.

The final option that we will be dealing with on this setup page is the location in which our server is based. It is best to choose a location that is closer to where you will be primarily dealing with the server however this choice is up to you. As HackingInsider works out of the UK we will be selecting London.

Finally you will be presented with several additional options, in regards to this instance we will not be using any of these and we can now simply move onto creating our droplet. To do so select ‘Create’. After which you may need to set up your payment information depending on if you have done so in the past.

After the above has been completed you will be emailed the details for your new server, which you can take forward to the next stage. This stage is required because our AWS sensors need a command server to communicate with. On average the above process should take around 5 to 10 minutes to complete.

Step 2  – Setting up the control server:

Now we have set up the backend for our server we will now need to add the Modern Honeypot Network (MHN) framework to our server. At the end of this you should have a fully working Honeypot with a working GUI web front end. This can be achieved by following the below steps:

Step 2.1 – Installing a command line interface tool:


The Putty GUI

For the remainder of this tutorial we will be using the command line interface (CLI) on Ubuntu, so we will need a tool to operate it. In this instance I will be using PuTTY, a free SSH and telnet client for Windows.

Once you have downloaded PuTTY from its website you can launch it like any other .exe program.

Step 2.2 – Accessing your server and installing MHN:

After you have completed the above you will need to enter the IP that you were emailed by DigitalOcean into the ‘Host Name (or IP address)’ field in PuTTY. After you have done this, select ‘Open’. You will be taken to a CLI where you will be asked to enter the server’s username and password (these would have also been emailed to you). After that you will be asked to change the server’s password.

You will now have access to your server and in turn its CLI. The next step is to install the software needed to run the Modern Honeypot Network. Once here you will need to enter the following commands in order, dealing with any errors that occur accordingly.


Ubuntu CLI

sudo apt-get update          # refresh the package index before upgrading
sudo apt-get upgrade -y
sudo apt-get install git -y
cd /opt/
sudo git clone https://github.com/threatstream/mhn.git
cd mhn
sudo bash install.sh

MHN setup

Eventually you will be greeted with a prompt asking you to answer a series of questions about your honeypot. The answers depend solely on what you want to set them as; see the image below for an example.

After the above the script will continue to configure the Modern Honeypot Network setup and will take a sizable amount of time. During this process you will also be asked if you want to integrate the honeypot with Splunk, for simplicity we will select ‘no’ in this instance.


Web interface for MHN

After the installation has taken place you will be able to visit your server via a web browser. If you point your web browser at the IP address sent to you by DigitalOcean you will be able to access your server’s web GUI.

This stage was required to set up MHN on your main command server and to create the GUI interface you will use day to day. It will take approximately 30 minutes because of the installation time.

Step 3 – Deploying sensors:

In this stage you will complete your Modern Honeypot Network setup. After this stage you should have set up at least one sensor (based on AWS) that communicates back to your command server. You can achieve this by following the below steps:

Step 3.1 – Set up an AWS instance:

After creating your AWS account you will be directed to a screen detailing an array of Amazon Web Services; on this screen look for the one labelled EC2. Then locate the button labelled ‘Launch Instance’.


Choose Ubuntu as your AMI

When launching this instance you will need to follow very similar steps to previously when working with Digitalocean. First you will need to select the operating system you wish to be installed on the server, in this case we will be using Ubuntu.


Add a security group to allow all traffic from all IPs

Next you will continue through the setup process, selecting the next button as appropriate, until you reach the ‘Step 6: Configure Security Group’ page. On this page you will create a security group that allows traffic to reach the server from any IP address. Opening every port is deliberate here: the sensor exists to be probed, so the honeypot services it runs must be reachable from anywhere. For the same reason the sensor should hold nothing of value and have no trust relationship with your other systems; the key pair you create in the next step should be the only way to log in to it.


Create a keypair

After you have done this you can review your setup and then finally click ‘Launch’. Once you have selected this you will be asked to make a ‘Key pair’. Once you have created your key pair you will need to download it.

After you have completed the above stages you will have set up an AWS server and can view it by selecting the ‘instances’ button.

Step 3.2 – Accessing your instance via Putty:


Load your .PEM key and save a .PPK key

As PuTTY does not accept the default .pem key files that AWS creates, we will need to convert the key. You can do this using PuTTYgen (puttygen.exe), which should have been downloaded along with PuTTY. Once opened you will need to select ‘Load’ and find your .pem key. You will then need to select ‘Save private key’ and save it under the same name your key had on AWS.


Load your .PPK key

After you have done this you will need to open up Putty again and go to ‘Category’ > ‘Connection’ > ‘SSH’ > ‘Auth’. Once here you will need to ‘Browse’ to your newly created key file.


ubuntu@<Your server’s Public DNS>

Once you have done this you will need to SSH into your Ubuntu server, do this by following the image below.

After you have SSHed into the server you will once again be presented with a CLI, giving you access to your Ubuntu instance.

Step 3.3 – Running the sensor Script:


Select ‘Ubuntu – Snort’ in the ‘Select Script’ section

Now that you have a working AWS instance we can run a Bash script on it to connect it to your command server. To do this you will need to sign into your command server via your web GUI and go to the ‘Deploy’ section. Once there, select ‘Ubuntu – Snort’. In the ‘Deploy command’ section you will be presented with a script. Copy this script into your AWS CLI and wait for it to complete. Once completed you can also choose ‘Kippo as vulnerable juniper netscreen’ and enter that command into your CLI.

After you have completed this your honeypot will be fully functional and will begin to collect attack data from those who attack it. You can view this data from the web GUI.

What is a Spamtrap?

Nowadays, almost all email service providers can automatically and effectively detect spam emails in user accounts and redirect those potential spam emails to spam folders without human intervention.

But, how are spam emails detected automatically by email service providers?

How are spam emails detected automatically?

Almost all email service providers use machine learning to detect spam, usually in combination with predefined rules. When an incoming email matches enough of those rules, or the classifier scores it as spam-like, the email is marked as spam and redirected to the spam folder automatically. Otherwise, the email is delivered to the inbox.

What is a Spamtrap 

To detect spam emails automatically, firstly one has to decide on rules of detecting spam emails, based upon which the software can detect potential spam emails.

To decide on those rules, firstly enough research is done on spam emails to detect the most common properties of spam emails. And, based on those properties, rules of detecting spam emails are set.

Once the rules are decided, the email service providers set those rules in the spam detection software. And, spam emails are automatically detected in user email accounts.

A Spamtrap is an email address which is used to collect spam emails, so that enough research can be done on them to detect spams.

We have learnt about Honeypots in Computer Security and how they are used to lure the attackers. Spamtraps are like honeypots for collecting spam emails. They are the email addresses that are meant to collect spams only.
How are Spamtraps used
Anti-spam systems are normally automated. They collect samples of spam emails and make rules based upon them.

So, Spamtraps, which are email addresses dedicated to receiving spam emails only, are created. After collecting enough samples, the anti-spam system studies them and makes rules for detecting spam. And, everything is done in an automated way.

How do Spamtraps reach the spammers

After creating Spamtraps, they are published over the internet, so that when spammers collect email addresses from various websites using crawlers, the Spamtraps are collected by the crawlers.

As Anti-Spam Systems work in an automated fashion, any legitimate emails coming in the Spamtraps can be mistakenly taken as spams and that can affect the system.

So, to prevent receiving legitimate emails in Spamtraps, Spamtraps are published in a location hidden from view such that only an automated script can find them.

After harvesting the email-ids spammers start sending out spams in bulk. But, as spamtraps are hidden from normal views, Spamtraps collect spams only and they do not receive legitimate emails.
Vulnerabilities of using Spamtraps
There are a few weaknesses in using Spamtraps. To mention some of them:
  • If spammers can detect a spamtrap, the spamtrap becomes tainted. Spammers may send crafted emails to the spamtrap to manipulate the automated spam detection process.
  • Spammers can also send emails with the sender’s address forged to be the spamtrap itself. Bounces from that forged mail then land in the spamtrap, which is known as backscatter.
  • Sometimes, spammers put lots of legitimate email addresses in the To and CC fields of spam. If any of those legitimate recipients reply to all on that spam email, the legitimate address can be mistakenly recorded as a spam source.
  • If a Spamtrap becomes visible and someone sends a legitimate email to it by mistake, that email will also be mistakenly treated as spam.
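A worked illustration of the two points made above (rules learned from trap mail, and the damage a tainted trap does), as an added example rather than anything from the article or from a real provider’s filter: mail addressed to the trap is learned as spam, mail a real user received and kept is learned as ham, and each token gets a smoothed probability of belonging to spam. The corpus, the user address and the trap address are constructed for the demo.

```python
"""How spamtrap mail turns into spam rules, and how a tainted trap skews them.

Added example; not code from the article or from any provider's filter.
Mail addressed to a trap is learned as spam by definition, mail that a real
user kept is learned as ham, and each token gets a smoothed probability of
appearing in spam. Corpus and addresses are constructed for the demo.
"""
import math
import re
from collections import Counter

TRAP_ADDRESSES = {"x7q2-archive@example.net"}   # assumed trap; never handed to a person
TOKEN = re.compile(r"[a-z][a-z0-9']{2,}")


def tokens(text):
    """Distinct word-like tokens, lower-cased, three characters or longer."""
    return set(TOKEN.findall(text.lower()))


class SpamtrapFilter:
    def __init__(self, trap_addresses=TRAP_ADDRESSES):
        self.traps = {a.lower() for a in trap_addresses}
        self.spam_df = Counter()   # number of spam messages containing each token
        self.ham_df = Counter()    # same for ham
        self.n_spam = 0
        self.n_ham = 0

    def learn(self, to_addr, text):
        """Route the sample by recipient: trap hits are spam, everything else is ham."""
        if to_addr.lower() in self.traps:
            self.spam_df.update(tokens(text))
            self.n_spam += 1
        else:
            self.ham_df.update(tokens(text))
            self.n_ham += 1

    def token_spam_prob(self, tok):
        """Laplace-smoothed P(spam | token); tokens never seen sit near 0.5."""
        p_tok_spam = (self.spam_df[tok] + 1) / (self.n_spam + 2)
        p_tok_ham = (self.ham_df[tok] + 1) / (self.n_ham + 2)
        return p_tok_spam / (p_tok_spam + p_tok_ham)

    def score(self, text):
        """Sum of per-token log-odds; positive means spam-like, negative ham-like."""
        total = 0.0
        for tok in tokens(text):
            p = self.token_spam_prob(tok)
            total += math.log(p / (1.0 - p))
        return total

    def classify(self, text, threshold=0.0):
        return "spam" if self.score(text) > threshold else "ham"


def demo():
    """Learn from a constructed corpus, then let a legitimate message hit the trap."""
    f = SpamtrapFilter()
    # constructed spam: harvested the trap address, so it is spam by definition
    for text in [
        "Buy cheap pills now, limited offer, click here",
        "Limited offer: cheap watches, click now",
        "Click here to claim your prize now",
    ]:
        f.learn("x7q2-archive@example.net", text)
    # constructed ham: mail a real user received and kept
    for text in [
        "Meeting moved to Thursday, see agenda attached",
        "Thursday agenda attached, please review before meeting",
    ]:
        f.learn("alice@example.net", text)
    spam_score = f.score("cheap pills, click now")
    ham_before = f.score("agenda for the meeting")
    # Taint: a real person mails the trap (leaked or mistyped address).
    # The system has no way to tell, so ordinary office vocabulary is learned as spam.
    f.learn("x7q2-archive@example.net", "Reminder: meeting agenda attached for Thursday")
    ham_after = f.score("agenda for the meeting")
    return {"spam_score": spam_score, "ham_before": ham_before, "ham_after": ham_after}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:+.2f}")
```

The before/after pair is the point: one legitimate message delivered to the trap pushes the score of an unrelated, legitimate message towards spam, because the trap is the only ground truth the automated system has. That is why the article insists the address be reachable by crawlers but invisible to people.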

15 Useful Command Prompt Tricks You Might Not Know

1. Get help on almost every Command


This is especially helpful for beginners, but advanced users may learn a few things too. You can easily get info on almost every command you run in the Command Prompt. The information includes complete details of what a command does and which options it accepts, and it may also show some examples.

To get the help, just type “/?” after the command you need info on. For example, you can type “ipconfig /?”, and you will get all the info.

2. Use Function Keys

You can use function keys (F1, F2, F3, etc.) right inside command prompt and get different results. Below are the uses of functions keys in Command Prompt:

  • F1: Pastes the last used command one character at a time
  • F2: Pastes the last used command up to a character you specify
  • F3: Pastes the last used command in full
  • F4: Deletes text from the cursor up to a character you specify
  • F5: Pastes the previous command from history; each press goes one command further back
  • F6: Pastes ^Z (end-of-file)
  • F7: Provides a list of already used commands (selectable)
  • F8: Cycles through history commands that start with what you have typed so far
  • F9: Lets you paste a command by its number in the F7 list

3. Save a Command to a File


If you want to save the results of a command to a .txt file for future reference, that is quite easy as well. All you need to do is add “> (destination/file name with .txt extension)” at the end of the command you are about to execute.

For example, you can type “ipconfig > c:\Networkdetails.txt”, and this command will create a .txt file named “Networkdetails” in the C drive. Note that writing to the root of the system drive requires an elevated (administrator) Command Prompt; otherwise pick a folder inside your user profile.

4. Copy Data from the Command Prompt


Copying data from the Command Prompt isn’t just a Ctrl+C away, the process is actually different. It is not that hard, just right click anywhere in the window and click on “Mark” from the menu. After that, just select the text you want to copy and hit Enter to copy it.

Important Note: With Windows 10, Ctrl+C and Ctrl+V commands to copy/paste has been enabled in Command Prompt. So you don’t need to follow the above process, if you are using Windows 10. Also, In Windows 10 keyboard shortcuts for CMD are enabled by default which wasn’t the case with earlier version of Windows.

5. Cycle Through Folders

Specifying exact directories can be a frustrating task if you don’t have the destination copied. However, if you know which drive or folder the required folder is in, you can cycle through all the folders to reach it. To do this, just type the drive or folder path and start pressing the TAB key to cycle through all the folders inside it.

6. Use QuickEdit Mode


Command Prompt comes with QuickEdit Mode to quickly copy and paste content with just your right-click. In QuickEdit mode, you can highlight content and right-click to copy it or right-click in a blank area to paste content from the clipboard (if there is any).

To enable QuickEdit Mode, right-click on the title bar of the Command Prompt window and select “Properties”. In the properties, check the checkbox next to “QuickEdit Mode” to enable it (you can disable it later the same way).

7. Check IP address of any Website


You can see IP address of any website just by entering “nslookup” command along with the name of the website. For example, you can type “nslookup beebom.com” to find its IP address.

8. Execute Multiple Commands


You can easily execute one command after another by providing all the commands with “&&” between them (which may save some time). For example, you can type “ipconfig && dir” to execute both commands one after the other. Note that “&&” only runs the second command if the first one succeeded; use a single “&” to run the second command regardless.

9. Check Default Programs


You can check which file type each extension is registered as. Just type “assoc” in the Command Prompt and hit Enter. You will see all the extensions with their associated file type written next to them; “ftype” then shows the program that opens each of those file types.

10. Get PC Drivers List


You can open list of all the drivers installed on your PC with just a single command. Just type “driverquery” in the Command Prompt and press Enter. After a short delay, you will see all the drivers installed in your PC along with, Name, Type and Link date.

11. Scan System Files


The system files can also be scanned and repaired from the Command Prompt. Open it as administrator, type “sfc /scannow” and press Enter; the scan will start and may take quite some time depending on your PC speed (up to an hour, maybe). It will either automatically repair the files or let you know if there is a problem and provide its details.

12. Change Command Prompt Color


You can also change command prompt color to make it look less dull and a bit easy on the eyes. To do so, right-click at the top corners of Command Prompt and select “Properties” from the menu. In the properties, navigate to “Colors” tab and you will find all the options to change color of both text and background.

13. Create Undelete-able Folders


You can create undeletable folders using reserved device names. In the Command Prompt, switch to the drive where you want to create the folder (it must not have Windows installed on it) by typing its letter, for example “D:”. Then type “md con\” or “md lpt1\” and press Enter.

This will create a folder with that name which cannot be deleted or renamed from Explorer. To delete the folder, replace “md con\” with “rd con\” or “md lpt1\” with “rd lpt1\”.

14. Get Network Details


You can get quick network details, like IP address and subnet mask or Default Gateway with a single command. Type “ipconfig” and press Enter, you will see all the details of your network.

15. Hide Files and Folders using Command Prompt


You can hide a folder with the help of the Command Prompt in a way that goes beyond the traditional hide feature of Windows. To do this, switch to the drive where the folder is located, then run “attrib +h +s +r” followed by the name of the file or folder you want to hide. So it should look like this: first “D:”, then “attrib +h +s +r haider”.

If the folder is inside another folder, give its full path after the command (for example “attrib +h +s +r D:\Projects\haider”) rather than just the name. To see the folder again, use the same process but change “+h +s +r” to “-h -s -r”. Keep in mind this is only hiding, not protection: anyone who runs “dir /a” or unticks “Hide protected operating system files” in Explorer can still see and open the folder.

Know when someone opens your email and get reminders to follow up

Find out when, how many times, and which recipient has opened your message. Also, get the option to auto-create follow-up reminders for them.


Install the Chrome extension FollowUp and sign in using whatever method you prefer. You will also need to grant the app permission to manage your Gmail; bear in mind that this permission lets the extension read and send mail on your behalf, so only grant it to a vendor you trust. Once it’s installed, you will see new options in your Gmail compose window including the option to track that email, send it later, and more.

Find out if someone else has access to your Gmail account

See if anyone else has used your email account by checking your Gmail recent activity logs.


If you are concerned your account has been hacked, you can check your Gmail activity logs by scrolling to the bottom of your Gmail window and clicking on “Details” (see screenshot). A new window will open with all your account activity including extension, app, and client access logs. When in doubt, it’s best to change your password anyway.

Hit by Globe3 ransomware? This free tool could help you decrypt your files


Globe3 demands victims pay a ransom to get their files back

Image: Emsisoft Lab

Victims of the latest strain of Globe ransomware can now unlock their files without paying out money to cybercriminal extortionists, thanks to a newly released and free-to-use decryption tool.

As its name suggests, Globe3 is the third incarnation of Globe ransomware, which first appeared in summer 2016.

Globe and Globe2 have successfully infected numerous targets, with high-profile victims including a group of UK hospitals which were forced offline by a Globe2 ransomware infection and had to cancel 2,800 patient appointments as a result.

Free decrypters for Globe and Globe2 have previously been released, and are available as part of the No More Ransom free decryption tool project. However, while this was beneficial to victims of this ransomware strain, it has led to criminals developing a new version, Globe3.

Cybersecurity researchers at Emsisoft spotted the new variant around the turn of the New Year. Globe3 has been tweaked to allow perpetrators to customise the ransomware depending on the targets they want to infect. It notably allows them to demand larger ransoms when targeting enterprise networks, which have become increasingly lucrative targets for cybercriminals pushing ransomware.

Constructed using a Globe ransomware builder, users are able to build numerous different variants of Globe3. If infected with this latest strain, users can recognise they’ve become a victim because extensions of files will have been changed to .decrypt2017 or .hnumkhotep.

Like most other forms of ransomware, Globe3 demands that the victim pays a bitcoin ransom in order to regain access to their files and also warns that attempting to self-decrypt the locked files will result in the destruction of the data.

However, Emsisoft researchers have managed to find a way to recover Globe3 encrypted files and have released a free tool capable of decrypting “all possible variants” of Globe3 that can currently be produced by the cybercriminal tool. Users affected by Globe3 can download the free decrypter from Emsisoft.
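Before running any decrypter it helps to know how far the infection reached and when it ran. The script below is an added example, not part of the article and unrelated to Emsisoft’s tool: it walks a directory tree, counts files carrying the two extensions the article attributes to Globe3 (.decrypt2017 and .hnumkhotep) and records the earliest and latest modification time per extension, which brackets the encryption window for the incident timeline. It only reads metadata and never renames or writes the files, so it cannot trip the data-destruction threat in the ransom note. It assumes the extension was appended to the original name (report.xlsx becomes report.xlsx.hnumkhotep); the sample tree in demo() is constructed.

```python
"""Read-only triage of a suspected Globe3 infection by the extensions named above.

Added example; not part of the article and unrelated to Emsisoft's decrypter.
Counts encrypted files per extension and brackets the time window in which
they were written. Assumes the ransomware appended its extension to the
original file name. The demo tree is constructed with fixed timestamps.
"""
import os
import tempfile

GLOBE3_EXTENSIONS = {".decrypt2017", ".hnumkhotep"}   # from the article


def ransom_ext(name):
    """Return the Globe3 extension on a file name, or None if it has none."""
    ext = os.path.splitext(name)[1].lower()
    return ext if ext in GLOBE3_EXTENSIONS else None


def original_name(name):
    """Strip the appended ransomware extension to recover what the file was called."""
    base, ext = os.path.splitext(name)
    return base if ext.lower() in GLOBE3_EXTENSIONS else name


def scan(root, max_samples=5):
    """Summarise encrypted files under root: {ext: {count, first, last, samples}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = ransom_ext(name)
            if ext is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime   # metadata only; the file is never opened
            except OSError:                       # vanished or unreadable; keep going
                continue
            entry = report.setdefault(ext, {"count": 0, "first": mtime, "last": mtime, "samples": []})
            entry["count"] += 1
            entry["first"] = min(entry["first"], mtime)
            entry["last"] = max(entry["last"], mtime)
            if len(entry["samples"]) < max_samples:
                entry["samples"].append(path)
    return report


def demo():
    """Build a constructed sample tree with fixed timestamps and scan it."""
    root = tempfile.mkdtemp(prefix="globe3-demo-")
    sample = {                                   # constructed files and mtimes (epoch seconds)
        "docs/report.xlsx.hnumkhotep": 1_500_000_000,
        "docs/letter.docx.hnumkhotep": 1_500_000_120,
        "photos/IMG_0001.jpg.decrypt2017": 1_500_000_060,
        "photos/README.txt": 1_400_000_000,      # untouched file, must not be counted
    }
    for rel, mtime in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
        os.utime(path, (mtime, mtime))
    return scan(root)


if __name__ == "__main__":
    for ext, entry in sorted(demo().items()):
        print(ext, entry["count"], "files; first", entry["first"], "last", entry["last"])
        for sample in entry["samples"]:
            print("   ", sample, "->", original_name(os.path.basename(sample)))
```

Point scan() at a mounted image or a share rather than the live infected machine where you can, and keep the report: the first/last timestamps per extension are what you need when correlating with mail logs to find the message that delivered the .zip.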

This ransomware scheme is targeting schools, colleges and head teachers, warn police

  • Cybercriminals are pretending to be government officials as part of a ransomware scheme which is targeting schools and demanding payments of up to £8,000 to decrypt the locked files.
  • Action Fraud, the UK’s fraud and cybercrime centre, and the City of London police, have issued a warning over the activity, which begins with criminals contacting the targeted schools with a phone call.
  • Claiming to be from ‘The Department of Education’, the caller asks for the email address of the head teacher which they claim they need in order to send them sensitive information which is unsuitable for the school’s general email address.
  • The scammers usually claim the documents contain guidance for the head teacher, ranging from exam guidance to advice on mental health assessments.
  • Once those carrying out the scheme have the contact details they need, they’ll send an email containing a ransomware infected .zip file – often disguised as an Excel or Word document – to the intended victim. If the file is opened, it will execute the ransomware, encrypting files and then demanding a ransom be paid in order to retrieve the files.
  • Ransom demands have been made for up to £8,000, although the police haven’t confirmed if these ransoms have been paid, what ransomware variant is used, or which schools have been targeted.
  • But educational establishments are far from the only UK public sector bodies being targeted by ransomware schemes; NHS hospitals have also been a target. One notable example is the Northern Lincolnshire and Goole NHS Foundation Trust, which saw a ransomware infection take three hospitals offline and the cancellation of 2,800 patient appointments.