This week’s Threat Thursday focuses on a newly spotted social engineering campaign targeting American Express customers. The email blast seeks to trick users into providing highly sensitive information such as their social security number, credit card information and other personal identifiers. The email informs the recipient that a phone call requesting a one-time password was made to them in regards to a recent transaction. Those who did not receive a phone call are instructed to click on the provided link in the message which directs to an exploited website.

[Screenshot: the phishing email]

The exploited site is an accurate recreation of American Express’ website. The throw-away domain for this campaign was created one week ago. This of course is a huge red flag. In the screenshots below, the cyber criminals seek to obtain various personal information from American Express customers. It’s highly unusual for a financial institution to ask for this amount of information for account verification purposes.

[Screenshots: the three data-collection pages on the spoofed site]

Once all of the information has been filled out and submitted, the website redirects to the official American Express homepage. This campaign was well thought out and executed. Besides the information presented above, another red flag our security research team noticed was the sender’s address of the email: it has been spoofed to appear to come from a legitimate Amex email address. The originating IP addresses and the language used in the campaign also provided hints about the legitimacy of this message.

AppRiver’s SecureTide filter has various rules in place to keep these messages from reaching our customers. 8600+ emails have been blocked at the time of this writing.


From left: Wounded Veteran and comedian Bobby Henline, Gold Star Dad Tim Scherer, Sr., and AppRiver executive vice president Rocco Donnino.

This past weekend, AppRiver was proud to honor true heroes during the 4th annual Cow Harbor Warrior Weekend in Northport, Long Island, New York. The three-day weekend of appreciation, recreation and celebration welcomed and honored twelve veterans and their family members and included a golf tournament, 4-mile warrior run, beach activities, clambake fundraiser and live entertainment from Common Ground and the inspiring comedian Bobby Henline, as well as wonderful food and fellowship throughout. We recognize that genuine heroes live among us in every community throughout the United States, and it was an honor to show our appreciation not only for their sacrifice, but also for the inspiration they provide.

Cow Harbor Warriors is a 501(c)(3) non-profit organization that was founded in 2012 by AppRiver executive vice president Rocco Donnino for the purpose of honoring and enabling individuals who served in Operation Iraqi Freedom and Operation Enduring Freedom. With the Cow Harbor Warrior Weekend, as well as other fundraising efforts and events, the organization strives to raise awareness for and to support wounded veterans/veterans in need. For more information about Cow Harbor Warriors, please visit www.cowharborwarriors.com.

While summer invokes nostalgia of beaches, volleyball, and sunscreen for many, white hats look forward to a different kind of trip every summer. Every summer brings the anticipation of what is known as “Hacker Summer Camp” to mind. This year did not let us down. For those of you who are not familiar with this, Las Vegas is the scene of what amounts to the largest gatherings of hackers and InfoSec enthusiasts in the world. Three big conferences, BSides Las Vegas, BlackHat and DEF CON all take place over the course of a week in late July / early August. This year’s events took place during the week of August 1st, 2016 starting with BSides Las Vegas. I was fortunate enough to be able to attend BSides Las Vegas and DEF CON.

BSides Las Vegas is an amazing conglomeration of everything security from CTF (Capture the Flag) competitions with the Pros vs. Joes event to the Lockpick Village and The Hacker Pyramid and other interesting contests run by the vendors that participate. Vendors that participate are more interested in what you have to offer them as opposed to what they can sell you. Most, if not all, the vendors participated in the Hire Ground track which offered extensive help to those wanting to find work or simply hone their resumes and interviewing skills.

The talks are categorized into well-defined tracks that each have an underlying theme. Each talk is recorded and can be found on YouTube. I was fortunate to be accepted to give a talk this year in the Proving Ground track. My talk can be found here if you are interested. In addition to my talk, there were more than 100 other talks and panels given by some amazingly talented people spread throughout seven different tracks. One of the tracks was made up entirely of workshops and classes. The best part is that everything is 100% free! That’s right, just show up and get a badge and away you go. Some of the topics include:

These are but a few of the great talks and workshops presented at BSides Las Vegas. Some talks are quite sensitive in nature, are given under strict security and are not filmed or recorded in any way. Aside from the talk content and insight, this conference is small enough for more one-on-one interaction and discussion away from the tracks. It is often in these dialogues that you learn the most and expand your network of contacts and colleagues.

There are also a multitude of social events including a pool party, the Super Soaked Hackers water balloon fight benefiting Hack4Kids, the ever exciting Hacker Pyramid and various auctions benefiting EFF and BSides Las Vegas.

I arrived a day early so that I could participate in the speaker practice session on Monday afternoon. Tuesday and Wednesday were filled with time attending talks, presenting, visiting the many vendors and learning tables, interacting with people I hadn’t seen since previous events and socializing. You have to be somewhat organized and plan ahead so that you can maximize your time and get the most out of the time spent. I will still be going back and reviewing the videos of talks that were of interest but conflicted with other commitments. What you learn at an event like this is far more than you might expect. Digesting everything and putting it to use means going back later and reviewing or rehashing talks and extracting those pearls that make your life in InfoSec easier.

Attending conferences like BSides Las Vegas helps expand your vision and view of the world, helping you better understand what is trending in the world of InfoSec. This year was my second time attending and I already plan on returning next summer.

If you are a regular DEF CON or BlackHat attendee, make plans to come a few days early and check out BSides Las Vegas. The costs are minimal. You will be pleasantly surprised. I will discuss my DEF CON adventures in an upcoming post.


An onslaught of PayPal themed messages has been hitting our filters over the past few weeks. Attached (.)HTM/HTML files have been used to distribute malware and phishing attacks for the better part of a decade now. This file type is still considered relatively low risk since such files are still shared for legitimate purposes quite regularly, despite the fact that they are used for evil with even greater regularity.

One particular variant poses as a security alert from PayPal. It utilizes an attached (.)HTM file (containing an embedded script) in an attempt to trick users into disclosing a bevy of personal and financial information. Thus far, we have quarantined roughly 250K messages from this particular campaign. In addition to phishing a potentially devastating amount of information from the target, beneath the surface the obfuscated script also serves to install malware onto the victim’s machine.

Clicking the attached (.)HTM file begins the process. The phishing pages rendered attempt to gather a great deal of information, such as PayPal credentials, mother’s maiden name, social security and credit card data, across a series of three consecutive phishing pages (displayed below).

[Screenshot: phishing page 1]

[Screenshot: phishing page 2]

[Screenshot: phishing page 3]

Remember, a legitimate security alert should never require direct interaction with an email attachment. Should you ever find yourself on the receiving end of a message of this nature, reach out to the company directly to voice your concern.

If you suspect you may have fallen victim to phishing, or think your credentials have been exposed through some other means (such as a data breach), you should take immediate proactive measures to help reduce the potential impact. Always contact the provider immediately for their recommended course of action. Change your password not only for the affected account but also for any others where you may be using the same or a similar password… but surely no one is doing that, right?
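The PayPal campaign above rides on an attached .htm file carrying an obfuscated script. The following is an added example (not AppRiver's filter code) of a mail-side check that pulls .htm/.html attachments out of a message and flags the markers such scripts tend to show; the marker list and the sample message are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed heuristic markers for an embedded, obfuscated script (a production
# filter would use a larger, tuned set and a verdict threshold).
SCRIPT_MARKERS = (
    re.compile(r"<script\b", re.I),
    re.compile(r"\b(?:unescape|eval|atob)\s*\(", re.I),
    re.compile(r"document\.write\s*\(", re.I),
    re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}"),  # long URL-encoded runs
)
HTML_EXT = re.compile(r"\.html?$", re.I)


def scan_html_attachments(raw_message: bytes):
    """Return [(filename, [matched patterns])] for each .htm/.html attachment
    whose decoded body hits at least one marker."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not HTML_EXT.search(name):
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        hits = [m.pattern for m in SCRIPT_MARKERS if m.search(body)]
        if hits:
            findings.append((name, hits))
    return findings


def build_sample(malicious: bool = True) -> bytes:
    """Constructed 'security alert' message with an attached .htm; the malicious
    variant unescapes an encoded blob and writes it into the page."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.invalid"  # constructed sender, not a real one
    msg["To"] = "user@example.org"
    msg["Subject"] = "Security Alert: action required"
    msg.set_content("Please open the attached file to review your account.")
    if malicious:
        html = ("<html><body><script>document.write(unescape('%3Cp%3EVerify"
                "%20now%3C%2Fp%3E'));</script></body></html>")
    else:
        html = "<html><body><p>Quarterly statement attached.</p></body></html>"
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="Security_Alert.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, hits in scan_html_attachments(build_sample()):
        print(f"{name}: {len(hits)} suspicious marker(s)")
```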

This week the security research team at AppRiver has been monitoring a phishing email blast targeting Amazon.com customers. The various campaigns spotted attempt to defraud recipients into providing their login information through an exploited Web form.

A screen capture of one of the email samples we’ve spotted is below. In this example, the email informs the recipient that his Amazon.com account has some missing and/or incorrect information. A dead giveaway that this is fraudulent is the ominous warning that without this updated information, his account will be closed. A link is provided to direct the recipient to update the requested account information.

[Screenshot: the Amazon-themed phishing email]

Once the user clicks on the link, he is redirected to the below exploited site. The site is mirrored to resemble an Amazon login screen. Notice in the screen capture the URL points to the base domain get-confirmed.reviews and not Amazon.com. The social engineering attempt is further strengthened through injecting amazon-com as the sub-domain.

[Screenshot: the spoofed Amazon login page at amazon-com.get-confirmed.reviews]

A more recent variant of this phishing campaign has also been spotted. This email attempts to trick the recipient by stating Amazon will begin requiring account information be validated every six months. Similar to the other campaign, this one also includes a link to an exploited website seeking to gain access to a customer’s account.

[Screenshot: the second email variant]

Because of Amazon’s high popularity, cyber criminals frequently target its customer base in various phishing, spam and malware campaigns. AppRiver’s SecureTide filter has a few rules in place set to block these campaigns. Over 12,400 messages have been quarantined at the time of this posting.
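The Amazon campaign above works by putting the brand name in a subdomain (amazon-com) of an unrelated registrable domain (get-confirmed.reviews). As an added example, not code from AppRiver or from the page, here is a URL check that separates the registrable domain from its subdomains and flags a URL when a brand token appears in the host but the registrable domain is not one the brand actually owns; the brand allowlist and the public-suffix list are deliberately small and are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist: brand token -> registrable domains that brand really uses.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
    "americanexpress": {"americanexpress.com"},
}
# Minimal multi-label public suffixes so "x.co.uk" splits correctly (assumed;
# a real deployment would load the full Public Suffix List).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. amazon-com.get-confirmed.reviews
    -> get-confirmed.reviews."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_tokens(text: str):
    """Brand names present once hyphens/underscores are stripped, so that
    'amazon-com' still yields 'amazon'."""
    flat = text.lower().replace("-", "").replace("_", "")
    return {b for b in BRAND_DOMAINS if b in flat}


def check_url(url: str):
    """Return ('lookalike', reason) when a brand token sits in the host but the
    registrable domain is not owned by that brand, else ('ok', registrable)."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    for brand in brand_tokens(sub) | brand_tokens(reg.split(".")[0]):
        if reg not in BRAND_DOMAINS[brand]:
            return "lookalike", f"'{brand}' in host but registrable domain is {reg}"
    return "ok", reg


if __name__ == "__main__":
    for u in ("http://amazon-com.get-confirmed.reviews/login",
              "https://www.amazon.com/ap/signin"):
        print(u, "->", check_url(u))
```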