Salted Links: 28 April 2014 (Phishing Edition)

For this edition of Salted Links, we're examining various Phishing-related threats.


Hook, line, and sinker - today's post focuses on Phishing.

Forgive me for the idiom, but it had to be done. There's been a good deal of Phishing related items in the news this month, from studies to reports of unusually creative campaigns. Rather than flood the blog with several, smaller posts, I thought it would be a good idea to offer a quick round-up of the more interesting items of note.

Phishing goes political in India

A Phishing campaign in India, leveraging the public's interest and desire to connect during ongoing general elections, is using cloned Facebook pages featuring politicians. In one example, a spoofed Facebook page featured Arvind Kejriwal, the former chief minister of New Delhi and leader of the Aam Aadmi Party.

The scam is rather typical, as the criminals are looking for usernames, email addresses, and passwords. However, it's a good example of how criminals can narrow their Phishing efforts to regional events and focus on local matters. [SOURCE]

Shared hosting providers targeted for Phishing attacks

According to a report from the Anti-Phishing Working Group (APWG), virtual servers accounted for 18 percent of all Phishing attacks globally in 2013.

Targeting shared hosting providers enables those responsible for Phishing campaigns to hijack several websites at once, and while the campaign is active, they can leverage the inherent trust associated with the compromised domains.

In the second half of 2013, the APWG says that there were 178 mass break-ins at shared hosting providers related to these incidents.

"Breaking into such hosting is a high-yield activity, and fits into a larger trend where criminals turn compromised servers at hosting facilities into weapons," the report noted.

"Hosting facilities contain large numbers of often powerful servers, and have large 'pipes' through which large amounts of traffic can be sent. These setups offer significantly more computing power and bandwidth than scattered home PCs."

Overall, the APWG said there were 115,565 unique Phishing attacks worldwide during the last half of 2013, which is an increase of nearly 60 percent compared to the first part of the year. Year-over-year, when compared to the second half of 2012, the totals have declined some. [SOURCE / PDF]

Phishing moves to residential networks

Somewhat related to the APWG report, is the research coming out of PhishLabs. According to researchers, criminals are scanning residential IP addresses for open RDP ports and using brute-force to compromise the systems relying on common, weak, or default passwords for their remote desktop services.

"Once access is gained, the attackers install web server software and upload a number of different phishing pages, the links to which are sent out via spam email messages. This is a significant trend because phishing sites hosted on compromised home PCs typically have [a longer lifespan than those] located in hosting environments (which are far more prevalent)."

Once the RDP connection is compromised, criminals will use that access to install PHP Triad, a open source webserver for Windows that enables webpages to be viewed from the desktop on standard ports (in this case, it's port 80/tcp). If the default ports are blocked by the ISP, the criminals will use alternates, such as port 114/tcp. The software is extremely out of date, and the installations of Apache, MySQL, and phpMyAdmin are riddled with vulnerabilities.

"Hosting providers can quickly take action to shut down malicious sites in their environments because they have direct control over the servers and terms of service that explicitly prohibit such activity (even unknowingly). This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks."

[SOURCE] [Additional details via Duo Security]

Easy to use awareness training, from one security professional to another

Finally, Tero Hänninen, a security consultant from Gothenburg, Sweden has written a useful blog post on the topic of spotting Phishing scams.

After reading it, I'm of the opinion that it's a great basic premier on the topic. It covers the basics, uses simple language, and includes visual examples to demonstrate points. As far as simple awareness training tools go, it's a solid post. [SOURCE]

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)