Researcher finds 670 Microsoft subdomains vulnerable to takeover

Years after it was first identified as a possibility, researchers have found it’s still child’s play to hijack subdomains from companies such as Microsoft to use in phishing and malware attacks.

Researchers at Vullnerability.com were able to grab more than 670 subdomains that had previously been used by Microsoft but subsequently forgotten about, including:

  • identityhelp.microsoft.com
  • mybrowser.microsoft.com
  • web.visualstudio.com / webeditor.visualstudio.com
  • data.teams.microsoft.com
  • sxt.cdn.skype.com
  • download.collaborate.microsoft.com
  • incidentgraph.microsoft.com
  • admin.recognition.microsoft.com

And many others, all of which look like the sort of legitimate subdomains that users (including Microsoft employees) would be inclined to trust if lured to them by a phishing attack.

Why wouldn’t someone trust these? They’re subdomain prefixes of big and important domains such as microsoft.com and skype.com that are under the control of those companies.

Imagine the potential power that grabbing and abusing one of these would give an attacker, particularly ones targeting enterprises.

The researchers offer examples that include persuading a visitor to install a spying extension in their browser, phishing enterprise credentials with a fake login page, or asking visitors to upload sensitive documents to data.teams.microsoft.com with the Teams App. They could even deface a subdomain linked to from a larger domain.

All hypothetical exploits of course, but still an appealing alternative to the other domain ruse of typosquatting domains and hoping nobody notices.

Bad housekeeping

The underlying problem here is weak DNS management, in this case by Microsoft, a problem that’s been magnified by the huge proliferation of subdomains used in cloud services.

First, the attackers use a scanning tool to look for orphaned subdomains, navigating to ones they guess might be up for grabs. If they receive a 404 page-not-found error, they have a candidate.

Let’s say an attacker gets a 404 error for an abandoned shop at shop.example.org.

The attackers can’t edit the DNS records for that site because they don’t own the example.org domain. Instead, they check if the subdomain is an alias for a different domain or subdomain that they might be able to take control of, indicated by a CNAME record.

If the CNAME points to a domain name whose ownership has lapsed, they can try to buy that domain and use it to host a malicious website.

Often though, the CNAME points to a subdomain on a hosting service like Azure, which allows users to create websites using subdomains of .azurewebsites.net.

If the Azure subdomain in the CNAME record is no longer in use the attacker can try to claim it. They can configure a virtual machine on a Microsoft Azure account, install a web server that throws up a clone of a target site, and add the Azure subdomain as a custom domain that points to it.

No verification, no alert to Microsoft that one of their old subdomains has been taken over, and no easy way for enterprise security systems to detect that this apparently legit domain is anything but.

The defence against this is to cleanse the DNS records for the subdomain, but the sheer number that are set up and then fall into disuse means that doesn’t always happen.
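The housekeeping described above (find every CNAME in your own zone, check whether its target still resolves, and remove or reclaim the ones that don't) is easy to automate. The following is an added example written for this page, not Vullnerability's or Microsoft's tooling. The zone export, the hostnames under example.org and the resolver answers are all constructed sample data; `table_resolver` is an offline stand-in for a real DNS lookup, and the list of claimable hosting suffixes contains only the one the article names (azurewebsites.net).

```python
# Added example: offline audit of a zone export for dangling CNAME records.
# Not code from the article or from Vullnerability; all data is constructed.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export in a simplified "name type target" format.
ZONE_EXPORT = """\
; zone export for example.org (constructed sample)
help.example.org.   CNAME  help-prod.azurewebsites.net.
www.example.org.    CNAME  www-front.azurewebsites.net.
shop.example.org.   CNAME  shop.lapsed-hoster.test.
mail.example.org.   A      192.0.2.10
"""

# Hosting suffixes where a deleted hostname can be re-registered by any other
# customer of the service. The article names azurewebsites.net; extend this
# tuple for whatever providers your own zone points at (assumption).
CLAIMABLE_SUFFIXES = ("azurewebsites.net.",)

# Constructed resolver answers standing in for real DNS lookups.
# A value of None models NXDOMAIN, i.e. the target no longer exists.
RESOLVER_TABLE: Dict[str, Optional[str]] = {
    "www-front.azurewebsites.net.": "203.0.113.5",
    "help-prod.azurewebsites.net.": None,   # web app deleted, hostname is free
    "shop.lapsed-hoster.test.": None,       # domain registration lapsed
}


def table_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a resolver; swap in a real lookup in production."""
    return RESOLVER_TABLE.get(name)


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME line in the export."""
    pairs = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[1].upper() == "CNAME":
            pairs.append((fields[0].lower(), fields[2].lower()))
    return pairs


def classify(target: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Explain why a CNAME target is dangerous, or return None if it is healthy."""
    if resolve(target) is not None:
        return None
    if target.endswith(CLAIMABLE_SUFFIXES):
        return "target hostname on a claimable hosting service no longer exists"
    return "target domain does not resolve (possibly lapsed registration)"


def audit(zone_text: str, resolve: Callable[[str], Optional[str]] = table_resolver) -> List[Dict[str, str]]:
    """List every CNAME whose record should be deleted or whose target reclaimed."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        reason = classify(target, resolve)
        if reason:
            findings.append({"record": owner, "target": target, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(ZONE_EXPORT):
        print(f"{f['record']} -> {f['target']}: {f['reason']}")
```

Run against a real export, the same loop flags two kinds of record: targets on a shared hosting suffix that anyone can re-register, and targets whose whole domain has gone away. Either way the fix is the one the article gives: delete the stale CNAME (or re-claim the target yourself) rather than leaving it pointing at something you no longer control.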

Vullnerability says in their blog:

Our team claimed some of those critical subdomains before attackers and reported them ethically to Microsoft.

The issue of subdomain takeover has been around for years and can affect subdomains belonging to any company on any cloud platform and not only Microsoft’s.

However, the issue of vulnerable Microsoft subdomains is becoming an ongoing theme with a separate researcher, Michel Gaschet, finding and reporting another 280 in this state between 2017 and 2019. Microsoft only fixed a few of these, he claimed.


Latest Naked Security podcast

Chrome extension cons cryptocurrency users out of hardware wallet key

Cryptocurrency security company Ledger has warned users about a rogue Chrome extension that dupes its victims into giving up the keys to their crypto wallets.

Cryptocurrency owners need a wallet just like users of regular cash do. Instead of cash, however, crypto wallets hold digital keys – which grant users access to the blockchain addresses to unlock their funds. Some people write those addresses down on a piece of paper, while others might store them in a file on their computer or in a software application that doubles as a wallet. A hardware wallet is a device dedicated to storing the addresses, and they are built to be as difficult to hack as possible.

Launched in 2014, Ledger claims to have sold over 1.5m hardware wallets. There are two available: the Nano S and the Nano X. Both of them connect to an app called Ledger Live that lets users check balances and send and receive coins and tokens.

The app doesn’t contain a user’s private key. Instead, it accesses it from the hardware wallet when the owner wants to manage their crypto assets. To do this, the user connects the hardware wallet device to the app, which is available on Android and iOS, and also as desktop software.

This week, it emerged that a rogue developer published what they said was a Chrome extension version of Ledger Live on the Chrome store. The extension claimed to let Ledger owners use their hardware wallets to access Ledger Live’s functionality directly within Google’s Chrome browser. All they had to do was enter their Ledger wallet’s seed phrase – a string of 24 words that is the only way to recover their private keys if their wallet is damaged or lost.

The Chrome extension was a scam that copied the seed phrase to a Google form. The author could use it to access all the victim’s private keys and take control of their crypto assets using another Ledger wallet.

Ledger warned people of the scam through its support Twitter account yesterday:

This isn’t Ledger’s fault. It’s the app equivalent of phishing, where someone creates a malicious site in a legitimate company’s name and uses it to gather sensitive customer information without the real company having anything to do with it.

On its security support page, Ledger explicitly advises customers not to give up their recovery phrase:

Anyone who gets your recovery phrase can take your crypto assets. Ledger does not store your private keys, nor ever asks for it.

According to ZDNet, over 120 Ledger Live users apparently took the bait. The offending app had been taken down by yesterday afternoon, but this reinforces the need for proper user education about cryptocurrency security and the importance of never giving up your seed phrase.

Companies can produce slick hardware solutions that do everything possible to protect customers, but if users are gullible and willingly enter sensitive information into malicious software from a third party, there’s very little the company can do about it.



Cathay Pacific fined over crooks slurping its database for over 4 years

The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it has fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested millions of people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Cathay said at the time that the intruders also accessed 403 expired credit card numbers, as well as 27 credit card numbers that didn’t have a CVV attached.

This wasn’t a one-time security fail, the ICO said. All that data was at risk for over four years.

Cathay, which is based in Hong Kong, first realized in March 2018 that its database had been hit by a brute-force attack. As we’ve explained previously, you can think of such an attack like this:

→ Brute force is the way you open those cheap bicycle locks with wheels numbered 0 to 9 if you forget the code. You turn the dials to 0-0-0 and then click round systematically, counting up digit by digit, until the lock pops open.

Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO.

Investigations found that the airline lacked appropriate security to secure customers’ data from October 2014 to May 2018. The data was exposed for longer than that, though: Cathay said in October 2018 that its system had been compromised at least seven months prior. As the New York Times reported, Cathay learned in May 2018 that passenger data had been exposed after first discovering suspicious activity on its network in March.

Why didn’t the company announce the breach earlier? It didn’t say.

The incident led to the exposure of a huge trove of personal data belonging to 111,578 people from the UK and about 9.4 million more worldwide.

The ICO says that Cathay Pacific’s systems were entered via a server connected to the internet. Enabled by what the office called a “catalog of errors,” crooks managed to install data-harvesting malware. The security sins turned up by the ICO’s investigation included some basic ones: for example, the ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.

Steve Eckersley, ICO Director of Investigations:

People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.

The fine imposed on the company would have caused a lot more hurt if the breach had been discovered after the General Data Protection Regulation (GDPR) went into effect.

In July 2019, the ICO flexed its new GDPR muscles for real, imposing record fines on Marriott and British Airways (BA) for their data breaches. It said it was looking to fine BA a record £183.39 million (US $229.34 million at the time) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

Marriott’s breach was similar to Cathay Pacific’s, given that attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Though it escaped the weight of the GDPR hammer, the ICO says that Cathay Pacific’s breach was “a serious contravention” of Principle 7 of the 1998 Data Protection Act, which states that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”

For full details on the fine, check out the ICO’s Monetary Penalty Notice.



Boots yanks loyalty card payouts after 150K accounts get stuffed

Boots, a UK pharmacy chain, has suspended payments on the loyalty cards of 14.4 million active customers after its security team spotted “unusual” activity on a number of Boots Advantage Card accounts.

It wasn’t hacked, the company said in a statement, and this isn’t what you’d classify as a breach. Intruders didn’t get into its systems during the attack, Boots said on Thursday. Nonetheless, for the time being, it’s suspended payments made with the loyalty points cards.

This wasn’t our fault, the company said in its statement:

We would like to reassure our customers that these details were not obtained from Boots.

If Boots wasn’t hacked, then where did crooks get the credentials that they’ve evidently used to try to get into people’s Advantage Card accounts so they can make fraudulent purchases on what we refer to in the States as “somebody else’s dime?”

(Or, in this case, on somebody else’s penny: The loyalty cards award shoppers with four points for every £1 they spend. One point will get you one penny’s worth of spending power, so if your card has a balance of, say, 199 points, you could use it to buy something that costs £1.99 at a store or online at boots.com… which, of course, means that anybody who gets access to your account can do the same, regardless of where they’re located. That’s why Boots shut down the program, so nobody can shop with points at either stores or online.)

Boots suggests that the suspicious activity spotted in customers’ accounts is coming from crooks trying to get at their accounts by using credentials that were exposed in some other breach – credentials that those customers have used, reused, re-reused and re-re-re-diculously refused to let go of.

It’s called credential stuffing. Sticking (reused!) passwords into every online place you can think of is a simple way to get into somebody else’s account without permission: just go online and look for lists of breached credentials, often available for sale or for free, then try them out until you hit the jackpot. Or the pennies on people’s loyalty cards, as the case may be.
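Credential stuffing and the brute-force guessing described in the Cathay Pacific story above leave different fingerprints in an authentication log, and a defender can tell them apart from the same per-source counters: one account with a long run of failures is brute force, many accounts with one or two tries each is a leaked-credential list being replayed. The following added example, which is not Boots’ or Cathay Pacific’s detection logic, shows that classification over constructed log lines; the log format, the IP addresses and the thresholds are all assumptions.

```python
# Added example: classify per-source login-failure patterns as brute force or
# credential stuffing. Not the article's or any company's code; log format,
# addresses and thresholds are constructed assumptions.
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log() -> List[str]:
    """Constructed log lines covering stuffing, brute force and a forgetful user."""
    lines = []
    # Credential stuffing from 203.0.113.9: one try per leaked pair, one hit.
    for i in range(12):
        lines.append(f"2020-03-05T10:00:{i:02d}Z ip=203.0.113.9 user=user{i:02d} result=FAIL")
    lines.append("2020-03-05T10:00:12Z ip=203.0.113.9 user=user12 result=OK")
    # Brute force from 198.51.100.7: a single account hammered with guesses.
    for i in range(25):
        lines.append(f"2020-03-05T10:01:{i:02d}Z ip=198.51.100.7 user=bob result=FAIL")
    # A legitimate user from 192.0.2.44 who mistypes twice, then gets in.
    lines += [
        "2020-03-05T10:02:00Z ip=192.0.2.44 user=carol result=FAIL",
        "2020-03-05T10:02:05Z ip=192.0.2.44 user=carol result=FAIL",
        "2020-03-05T10:02:10Z ip=192.0.2.44 user=carol result=OK",
    ]
    return lines


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Per source IP: total attempts, failures and the set of accounts tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["failures"] += 1
    return stats


def classify_sources(stats: Dict[str, dict], min_failures: int = 10,
                     min_users_for_stuffing: int = 10,
                     max_tries_per_user: float = 2.0) -> Dict[str, str]:
    """Label each noisy source. Thresholds are assumptions; tune to your traffic."""
    verdicts = {}
    for ip, s in stats.items():
        if s["failures"] < min_failures:
            continue  # below the noise floor: ordinary typos
        distinct = len(s["users"])
        tries_per_user = s["attempts"] / distinct
        if distinct >= min_users_for_stuffing and tries_per_user <= max_tries_per_user:
            verdicts[ip] = "credential stuffing"   # many accounts, one shot each
        elif distinct < min_users_for_stuffing:
            verdicts[ip] = "brute force"           # few accounts, many guesses
        else:
            verdicts[ip] = "high-volume failures (review)"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(summarise(build_sample_log())).items():
        print(f"{ip}: {verdict}")
```

The distinction matters for the response: a brute-force source is answered by lockout or rate limiting on the targeted account, whereas a stuffing source has already got the right password for every account it succeeds on, so those accounts need a forced reset and, as the article says, unique passwords and 2FA going forward.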

In its statement, Boots said that a) it’s letting a small number of affected customers know, and b) this wouldn’t happen if people used unique credentials – because yes, using a password twice (or more, of course!) is really, truly a lousy idea.

We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts. These attempts can be successful if people use the same email and password details on multiple accounts.

We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.

A spokeswoman for Boots told the BBC that the breach affected less than 1% of the company’s 14.4 million active Advantage Cards – fewer than 150,000 people. That number’s hazy as yet, given that the company’s investigation is still ongoing.

After the investigation does reach a final number, and if the final number of affected accounts turns out to be anywhere near the small percentage Boots is now estimating, it will mean that millions of customers have been locked out of their loyalty points due to a tiny minority who haven’t made it a priority to protect their online accounts.

Who can blame them? We know it’s hard to come up with strong, unique passwords. Or to keep track of them if you do.

Oh, wait, scratch that – it’s not!

Earn “Loyalty to Security” points!

Want to earn Loyalty to Security points? …Which will buy Better Security For All Of Us Who Get Locked Out of Our Accounts Due to Password Reusers? Take these simple steps:

Pick strong passwords. Watch our video to find out how to come up with a strong one.

Say “Yes, please!” to 2FA. If a website gives you the option of using two-factor authentication (2FA or MFA), take them up on it. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more.

Use a password manager. We know they’re not perfect, but we still highly recommend using one: the advantages of using one outweigh the security imperfections that have cropped up and which, at any rate, get taken care of in updates.

Don’t dismiss accounts that “don’t matter.” Boots’ shutdown of its Advantage Card shows that there really isn’t such a thing as a “low-value” account. The crooks don’t care how much you value a given account: if it’s easily hackable, they’ll take advantage of it, and everybody will suffer when a company has to shut down a popular program and launch an investigation.

In cybersecurity, if you aren’t part of the solution, you’re part of the problem. Please, make sure to lock down all your accounts, lest you ruin it for everybody else.



Coronavirus warning spreads computer virus

Earlier this month, we reported on a phishing scam in which the lure was “safety measures” against the Coronavirus (Covid-19).

In that attack, the crooks took you to a facsimile of the website of the World Health Organization (WHO), where the information was originally published.

On the ripped-off copy of the site, however, the crooks had added the devious extra step of popping up an email password box on the main page.

Of course, the WHO website wouldn’t ask for your email password – it’s a public information website, after all, not a webmail service, so it has no need for your email details.

The crooks were hoping that because their website looked exactly like the real thing – in fact, it contained the real website, running in a background browser frame with the illicit popup on top – you might just put in your email details out of habit.

Well, here’s another way that the crooks are using concerns over the Coronavirus outbreak, combined with the WHO’s name, to trick you into clicking buttons and opening files you’d usually ignore:

SophosLabs tracked this particular spam campaign in Italy, where the crooks have made it believable and clickworthy by:

  • Writing the message in Italian.
  • Pretending to quote an Italian official from the WHO.
  • Referencing known virus infections in Italy.
  • Urging Italians in particular to read the document.

In other words, the crooks haven’t just pushed out a blanket message trying to capitalise on global fears, but have given their scam email a regionalised flavour, and therefore a specific reason to act:

coronavirus: informazioni importanti su precauzioni

A causa del fatto che nello suo zona sono documentati casi di infezione […] [l]e consigliamo vivamente di leggere il documento allegato a questo messaggio!

coronavirus: important information on precautions

Because there are documented infections in your area […] we strongly recommend that you read the document attached to this message!

This time, there isn’t a link to a fraudulent website, but an attachment you are urged to read instead.

By now you ought to be suspicious, given that Word documents can contain so-called macros – embedded software modules that are often used to spread malware, and that are an obvious risk to accept from outside your company.

Indeed, Word macros – often used legitimately inside companies for managing internal business workflow – are sufficiently risky when they arrive from outside that Microsoft has, for many years, blocked them by default.

As you probably know, however, the crooks have learned how to turn Microsoft’s security warnings into “features”, as you see here:

The actual document – the part that isn’t dangerous, and doesn’t harbour the macro code – is the text with the blue background you see above, and it has been deliberately created by the crooks to look like a message from Microsoft Office itself:

Your application activated

This document was created in an earlier version of Microsoft Office Word. To view full content, please click “Enable Editing” and then click “Enable Content”

© Microsoft 2020

As reasonable as this sounds, DON’T ENABLE CONTENT!

The “content” you will activate by clicking the [Enable Content] button is not the document itself – you’re already looking at the document part, after all – but the macros hidden in it.

And the macros in this document aren’t anything to do with your company’s workflow – they make up the malicious software code that the crooks want to run.
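The split the article describes, between the harmless “document part” you can already see and the macro project that [Enable Content] would run, is visible in the file itself: a modern Office document is a zip container, and a macro-enabled one carries its VBA code as a separate `vbaProject.bin` part declared in `[Content_Types].xml`. The following added example, which is not SophosLabs’ tooling, checks for that part without opening the file in Word, so a mail gateway or triage script can flag macro-bearing attachments before anyone is asked to enable anything. The sample containers it builds are constructed stand-ins with the right zip layout, not real Word files, and the placeholder bytes in the fake `vbaProject.bin` are made up.

```python
# Added example: detect whether an Office Open XML container carries a VBA
# macro project. Not SophosLabs' code; the sample files are constructed.
import io
import zipfile
from typing import Union

# Where macro-enabled Word, Excel and PowerPoint files store the VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(doc: Union[str, bytes]) -> bool:
    """True if the zip holds a VBA project part or declares its content type.

    Accepts a file path or the raw bytes of the document. A non-zip input
    returns False; legacy binary .doc files need a different parser.
    """
    source = io.BytesIO(doc) if isinstance(doc, bytes) else doc
    try:
        with zipfile.ZipFile(source) as zf:
            names = set(zf.namelist())
            if any(part in names for part in VBA_PARTS):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return False
    return False


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for demonstration (not a real Word file)."""
    ctypes = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    if with_macro:
        ctypes.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    ctypes.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ctypes))
        # The visible "document part": harmless on its own, as the article says.
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("macro-enabled", build_sample(True))):
        print(f"{label}: has VBA project = {has_vba_project(sample)}")
```

A positive result does not by itself mean the macro is malicious, since internal workflow documents legitimately carry VBA, but it is exactly the property that should keep an attachment from outside the company away from anyone who might click [Enable Content].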

SophosLabs has published a technical report on what happens if you run this macro malware, which involves a series of stages that ultimately result in infection by a well-known strain of Windows malware called Trickbot.

We recommend you read the Labs report to learn how a modern malware infestation unfolds, with each step downloading or unscrambling the next part, usually in the hope of breaking the attack into a series of operations that are less suspicious, one-at-a-time, than running the final malware right away.

Where have I heard that name before?

If you’re wondering where you’ve heard the name Trickbot before, it might very well have been on the Naked Security Podcast, where our resident Threat Response expert Peter Mackenzie has mentioned it more than once. (In the episode in question, Peter’s section about malware attacks starts at 19’10”.)

Trickbot is dangerous in its own right – it started life as a so-called banking Trojan, a type of malware that tries to hijack access to your bank account.

These days, Trickbot is also very commonly a precursor to a full-blown ransomware attack.

By implanting Trickbot on your computer, the crooks get a foothold inside your network where they can harvest passwords and data and much more, as well as mapping out what resources you have.

Once they’ve squeezed all the criminal value they can out of the Trickbot part, the crooks often use the bot as a launch pad for their final act: a ransomware attack.

One ransomware family that commonly follows unchecked Trickbot infections is the malware strain known as Ryuk, whose criminal operators are notorious for asking for six- and even seven-figure ransom payments.

What to do?

  • Don’t be taken in by authority figures mentioned in an email. This scam claims to be from an Italian WHO official, but anyone can sign off an email with an impressive name.
  • Never feel pressured into opening attachments in an email. Most importantly, don’t act on advice you didn’t ask for and weren’t expecting. If you are genuinely seeking advice about the coronavirus, do your own research and make your own choice about where to look.
  • Never click [Enable Content] in a document because the document tells you to. Microsoft blocked the automatic execution of so-called “active content”, such as macros, precisely because they are so often used to implant malware on your computer.
  • Educate your users. Products like Sophos Phish Threat can demonstrate the sort of tricks that phishers and scammers use, but in safety so that if anyone does fall for it, no real harm is done. Sophos also has a free anti-phishing toolkit which includes posters, examples of phishing emails, top tips to spot email scams, and more.