Perpetual IT

If you’ve ever wondered why cybercriminals are interested in your IM passwords…

…well, it’s not just so they can sneak into your account and snoop through your personal data with a view to abusing it themselves or selling it on to someone else who will.

Access to your account also gives crooks a level of trusted access to your friends and family that makes scams of all sorts much easier to pull off.

Whether it’s pitching a bogus investment plan, luring someone to a fake login page, persuading them to submit an application form for a non-existent job, or simply getting them to waste their money on useless, overpriced, shoddily made tat…

…well, it’s much more likely that a scammer will be able to talk you into clicking a link using a message that actually came from a friend’s account than if they just contacted you out of the blue.

Indeed, many users deliberately limit their “circles of contact” on social media and instant messaging services not just for privacy reasons but also to cut down on the sort of unsolicited messages, spams and scams they endure via email.

A menace to those around you

A scammer with your instant messaging or social media passwords is not only a menace to you, but also to those around you, as one of our readers discovered this evening when he received a note from a friend via Facebook Messenger that said:

Is it you in the video [LINK REDACTED]

From someone you didn’t know, a question like that would fall somewhere between bizarre and creepy, but from a friend, who wouldn’t want to take a look?

Fortunately, inspecting the link before clicking would be a reliable giveaway in this case.

The link not only goes to a randomly-generated server name on a boutique Hungarian web hosting platform, but also uses HTTP and not HTTPS. (Facebook was an early adopter of HTTPS-for-everything, giving up on HTTP altogether back in 2012.)

However, if you weren’t careful, or if you were in a hurry, you probably wouldn’t be terribly surprised to see what looked like a Facebook login page pop up:

Unfortunately, putting in your username and password here would submit them to a server running on a low-cost web hosting service in the USA, using a vaguely legitimate-looking domain name that was registered less than a month ago.

Our reader immediately assumed that his friend had himself recently recieved a similar (perhaps even an identical) message, and had not only clicked through but attempted to login, handing his password to the crooks and thus ensuring that all his contacts would soon be spammed in turn.

After the fake login page

This scam goes even further – whether as a distraction to buy a bit of time before victims realise they’ve been taken in and rush to change their Messenger passwords, or simply to give the crooks a second bite at the cherry, we don’t know.

After entering your password, there’s a short delay, as you might expect whan logging in to any online service, after which the crooks seem to pick from a range of other scams and redirect you to one of them randomly.

These didn’t look as though they were being run by the same criminals, so we’re assuming the message-spamming crooks were simply hoping to collect “affiliate fees” from other criminals in the underground.

These “second redirect” scams varied from specious VPN offers to a range of those “free” phone deals where all you need to do is pay a modest delivery fee (£1.95 in the variants we saw here), thus giving the crooks a believable excuse to collect your credit card details.

What to do?

• Use 2FA on any account you can. Adding a second factor of authentication means that the crooks can’t phish your password alone and then access your account. 2FA is a minor inconvenience to you, but a major roadblock for cybercrimimals.
• If you think your friend’s account has been hacked, contact them via some other method. Don’t reply via the very same account that you don’t trust – if it is a scam, you are just tipping off the crooks, who will lie to you and tell you everything is fine.
• If a friend lets you know your account was hacked, don’t delay. Get into your account as soon as you can (without clicking on any links that anyone just sent you!), assuming you can still access it, and change your password right away so the old password is useless to the criminals.
• Use a password manager. Password managers help in many ways: you automatically get a different password for every site; you get passwords that are random and can’t be guessed; it’s faster to change your password if you do get hacked; and it’s much harder to get phished because your password manager won’t put the right password into the wrong site.
• Use an anti-virus with a built-in web filter. Attacks of this sort generally don’t rely on sending malware to your computer, but instead rely on tricking you into uploading secret data like passwords from your computer. A web filter helps stop you landing on fake pages in the first place and therefore shields you from phishing. (Sophos Home has a web filter – there’s a free version for both Windows and Mac.)

The first thing people want to know when there’s a new ransomware story going around is: How much are the crooks asking for this time?

Sadly, that is one question that victims themselves don’t need to ask, because the blackmailers who just attacked them will make jolly sure they know the “price”.

In one recent and confronting story, an educational establishment in Scotland was confronted with an extortion demand for a surprisingly specific sum of money.

This turned out to be the crooks boasting just how much they knew about the college they were attacking – it exactly matched the amount in the college’s bank account, which was the entire budget for the next 12 months. (The college refused to do a deal, so the crooks ended up with £0.)

But a much more important question, for ransomware victims and wide-eyed bystanders alike, is: How did the ransomware get in?

Indeed, that is probably the most important question of all, on the grounds that the crooks already know how they did it, having done it once already, so if you don’t figure it out, the crooks can come back and do it all over again.

Or a second bunch of crooks might figure it out for themselves, or buy the information from the crooks who were there before, and get in that way.

In 2020, we conducted a survey of IT managers in 5000 companies in 26 different countries and asked about ransomware attacks. Just over half of them (51%) revealed that they had been the victims of ransomware in the previous year. As if that weren’t dramatic enough, 40% of those victims admitted they had been hit twice or more – in other words, where crooks had got in once, either those same crooks or others had got back in later to repeat the crime. (A tiny silver lining in this survey was that of the 94% of the victims who recovered their data, about three-quarters managed to do so without paying extortion money to the criminals. Interestingly, those who paid up spent an average of just under $1.5M each, including the ransom, to get going again. Those who recovered on their own spent an average of just under $750k.)

How ransomware gets in

As regular readers will know, many network intrusions start with crooks logging in as if they were genuine users.

Sometimes, the crooks find a legitimate remote access server (e.g. RDP, short for Remote Desktop Protocol) with badly-chosen passwords or an insecure configuration, and guess or barge their way in.

Sometimes, the crooks entice genuine users onto a fake login page, typically by means of a cunningly worded phishing email, and purloin their passwords.

But in a surprising number of ransomware incidents, the immediate delivery mechanism in the attack turns out to be existing malware inside the network.

Simply put, a zombie malware infection inside your network, also known as a bot (short for software robot), can act as a secret remote access Trojan (RAT) for criminals.

Importantly, bots work even on computers where strict firewall rules prevent inbound network connections – which includes most home networks, where inbound connections are typically blocked by default, either by your router or your ISP, or by both.

Early RATs, such as the notorious Back Orifice toolkit from the late 1990s, relied on incoming connections. (Back Orifice famously listened on TCP port 31337 by default, an elite hacker witticism.)

Back then, many if not most home computers were hooked up directly to the internet via a dedicated dialup modem, without a router or firewall to regulate incoming connections, and inbound connections to listening network ports on home PCs were almost always permitted by default.

But the demise of dialup, the prevalence of “one-way traffic” home routers, and an on-by-default connection firewall in Windows quickly made the Back Orifice technique obsolete.

These days, therefore, RATs and bots initiate outbound network connections themselves instead of listening for connections.

They connect outwards to a server operated by the crooks who control the bot, known colloquially as the botherders, and download their commands from there.

These criminal-controlled computers are known in the jargon as CnC, C&C or C2 servers, where the two Cs stand for command and control.

Compact, quiet and persistent

As you can imagine, a general-purpose remote access zombie would be a ideal toolkit for a cybercriminal gang – and so it should come as no surprise to find that tools of just this sort can be bought in underground forums, assuming you know where to look.

One such tool, which we’ve seen going for just $200, is a small but sneaky “product” known as SystemBC, which is compact, quiet and persistent.

Where possible, SystemBC installs itself as a Windows system service so it can run automatically in the background even if no one logs on.

SophosLabs just published a technical analysis of this malware, which members of the Sophos Rapid Response team have found at the heart of several recent high-profile ransomware campains they have been called in to investigate.

As Sean Gallagher of SophosLabs explains:

While SystemBC has been around for over a year, we’ve seen both its use and its features continue to evolve. […] Over the past few months, we have continued to detect hundreds of attempted SystemBC deployments worldwide. SystemBC was used in recent Ryuk and Egregor attacks investigated by [the Sophos Rapid Response team]. […] In some cases, the SystemBC RAT was deployed to servers after the attackers had gained administrative credentials and moved deep into the targeted network.

As you’ll learn from the report, SystemBC is compact and self-contained, and it not only encrypts its C&C traffic but also uses the Tor network for anonymity and disguise:

Most of the CnC communications with the SystemBC RAT are over a Tor connection. The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network. [..T]e bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API.

SystemBC accepts commands that consist of complete programs, including VBS scripts, BAT and CMD command files, PowerShell scripts, and Windows executables (EXE and DLL files).

When a script or BAT file is sent to the bot, it gets written into the TEMP folder and run from there, but when an EXE or DLL is received, it’s loaded directly into memory and launched without writing a copy of the executable to disk.

In other words, a cybercriminal criminal who operates, or who can purchase access to, a network full of SystemBC remote access zombies…

…can quietly and easily tell them all to run the same ransomware program at the same time, without even leaving a copy of the ransomware behind afterwards.

We’re not sure where the name SystemBC comes from. BC could be short for backdoor connection, botnet client or backdoor controller, or it could be a reference to Base Crypto, the Windows cryptographic functions used by the malware so it doesn’t need to have a third-party encryption library such as mbedTLS or OpenSSL compiled into it. Sophos products report this malware with the name HPMal/SysBRat-A.

What to do?

• Read the report. Even if you aren’t technical, it’s easy to understand and tells a fascinating story that will help you understand how cybercriminals think, and how they endeavour to make their mass attacks as stealthy and and unexpected as they can.
• Read our advice on how to stay protected from ransomware. Ransomware crooks use a range of techniques to get their first toehold inside your network, including spamming out phishing attacks, cracking or guessing passwords, and seeking insecure or forgotten remote access servers on your public network.
• Don’t give up on user awareness. Treat your users with respect and help them learn how to be more vigilant, and you can turn them into extra eyes and ears for your core cybersecurity team.
• Make it easy for users to report suspicious activity. Set up a central mailing list or contact number to act as a “cybersecurity 911”. Cybercriminals don’t phish one user and give up if they fail, so an early warning from someone can immediately help everyone.
  

  ---

We look at phishing tricks that really work, investigate a bizarre scam involving Subway sandwiches, and ask whether cybercriminals have lost their interest in the rest of us now they have coronavirus-related targets to go after.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

Here’s our latest Naked Security Live talk, about how to avoid email scams that arrive under the guise of a well-known brand – in this case, global sandwich seller Subway.

[embedded content]

Watch directly on YouTube if the video won’t play here.
Click the Settings cog to speed up playback or show subtitles.

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air between 18:00 and 19:00 UK time (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.

As two people for whom creating phishing emails constitutes legitimate employment (we are on the product team behind the Sophos Phish Threat phishing simulation service) we know we’re in the minority.

Like our not-so-lawful counterparts, we spend our days using social engineering techniques to trick people into opening malicious messages and clicking on links they ought to leave alone.

Understanding the attackers’ approach helps you spot a phishing email when it hits your inbox.

Having written and tracked the performance of hundreds of simulated phishing emails, we’d like to share our approach so you can raise the red flag quickly.

In general, there are four main steps phishers go through when creating convincing phishing emails, and understanding these steps helps you to spot and stop them.

Step 1: Pick your target

Different people fall for different tricks, so the more information you have about your target the easier it is to craft a convincing phishing lure.

The audience may be broad, for example users of a particular bank or people who need to do a tax return, or it may be very specific – such as a particular role within an organization or even a specific individual.

Either way, we – like our adversaries – always have an audience in mind for each attack.

Step 2: Choose emotional triggers (select your bait)

Attackers play on our emotions in order to get us to fall for their scams. Here are three emotional triggers that phishers commonly exploit to trap you – sometimes using them in combination to boost their chance of success:

• Curiosity. Humans are naturally inquisitive and phishers abuse this by making you want to know more. “Do you want to know what happened next?” All you need to do is to click the link or open the attachment…

• Hope. The abuse of hope by phishers can range from general messages about unexpected prize wins and dating opportunities to specific emails referring to job offers, pay increases and more.

• Necessity. Phishers often use a cybersecurity lure – pretending that you’ve suffered a security breach – to make it sounds as though you simply must act now.

Step 3: Build the email (bait the hook)

Next up, we need to build the email. Like our criminal counterparts, we will often attempt to cloud your judgement by using one or more of the the emotional triggers we listed above to get you to perform a specific action without thinking about it first.

That action may be as simple as clicking a link or as complicated as initiating a wire transfer.

One clever trick to writing an effective phishing email is to make the action you wish the target to take inevitable, but not necessarily obvious.

For example, an attacker might send you an email that appears to contain clickable links to weight loss products. At the bottom of that same email, the attacker also includes a clickable “unsubscribe” link. Here’s the catch though: clicking on the “unsubscribe” link takes you the exact same place as clicking any other link in the email.

This way, the attacker presents you with the illusion of a choice while ensuring they get you to click the link they wanted, regardless of where in the email you do it.

Step 4: Send the email (cast the line)

Finally, the phishing email needs to be delivered to the targets. There are a variety of ways for an attacker to do this. They may simply create a new email account on a generic service like Gmail and send the message using that email address, or they could be a bit trickier about it.

Attackers sometimes purchase unregistered domain names that look similar to a legitimate domain, changing the spelling slightly in a way that isn’t obvious, such as writing c0mpany for company (letter O changed to digit zero) or vvebsite for website (two adjacent Vs used for a W).

They will then send the phishing email using this lookalike domain in the hope that users who are in a hurry won’t spot the subtle difference.

It’s also possible for attackers to compromise an email account that belongs to a legitimate source and use it to send a scam message. This is commonly referred to as Business Email Compromise (BEC), and means that even the email address of a co-worker could potentially be used by an attacker to phish you.

How to stop phishing attacks

Even if a phishing email does reach your inbox, it still requires you to take some specific action – clicking a link or opening an attachment – befores it succeeds.

So, knowing what to look out for, and what to do if you see something suspicious, has a huge impact.

Here are some steps to help reduce your phishing risk. While they are mostly written with organizations in mind, many are also equally relevant in our personal lives:

• Educate through safe exposure. In the workplace, periodically exposing users to simulated phishing attacks offers them an opportunity to interact with a realistic but harmless version of what could have been a real attack. This allows people to make mistakes and learn from them while the stakes are low, thus preparing them to handle real threats when the stakes are high. Variety is important here and we strongly recommend the messages vary in detail such as length, topic, tone, style and the time they were sent.
• Analyze your security culture. If you run phishing simulations in your workplace, collect as much data as you can, including how many samples of each message were opened, whether the recipient clicked on a link or opened an attachment, and what kind of device they were using at the time (computer or mobile). This will give you a powerful picture of overall employee awareness and where you might be particularly vulnerable to real attacks. Armed with this data you can focus your resources on supporting the areas and employees at greatest risk.
• Target your training efforts. Direct your training efforts to departments that are at the greatest risk. Staff in finance, IT and management, and those with access to customer records, are high-value targets for attackers. Don’t overlook the basics, such as reminding staff to question why an email is asking them to do something, who the email is from, and so on. Distracted, tired and busy employees can easily be caught out.
• Provide clear guidance on how to respond. Make sure not only that your staff know how to report potential phishing emails, but also that they receive a timely response when they do. Remember, if one person in your organization has received a phish there is a high chance that others have too. The earlier you can investigate and act, the better.
• Enable cultural change. Fostering a company-wide culture of awareness and support is one of the most important things you can do. Give employees the opportunity to fail safely and offer them a clear route for reporting suspicious emails. Recognize and reward people who report phishing emails (praise is important) and support employees who inadvertently fall for a scam.

Remember, the goal of phishing training is to make people more aware of potential threats, and more likely to report them.

Be supportive and understanding if you test someone and they do fall for your trick and do click through, and make it clear you are not trying to catch people out in order to get them into trouble.

One more suggestion

Sophos Phish Threat, the product we work on, makes it easy for you to run simulated phishing programs, measure results, and target training where it’s needed. You can try it for free for 30 days.