Tuesday, December 11, 2007

Vulnerability in 2Wire routers

We've just released a security advisory for a vulnerability in 2Wire routers that is being actively exploited through phishing.

The advisory is located here.

Monday, December 3, 2007

Win a car! Just click here

I don't know if this scam really qualifies as "phishing" because it seems odd at first sight.

I don't even know if it really represents a threat to anyone. Let me explain: the e-mail asks the user to click on the attachment and answer a trivia question to win a car, so what's this all about?

The picture of the "prize" is of a Volkswagen Golf (by the way, the file name is misspelled as "Wolsvagen"), but not the brand new model, not even the previous one; the car is something around a Mark 3 or Mark 4 (the newest is the Mark 5). I'm not sure because I'm neither a VW fan nor an expert, but it certainly isn't a Mark 5 VW Golf; you can take a look at the VW Mexico website.


So, my first thought was "this e-mail must be a joke", but when I analyzed the binary I realized that the threat was very real: the .exe file modifies the Windows hosts file and, guess what, adds some entries to redirect the BANAMEX domain name.

I don't know if this is intentional, but in any case the phishers put little effort into deceiving the user; after all, there's always a user who will try to "win the car" even if the car was dropped from production in Mexico many years ago.

Md5sum: 70d0a93d0001288ad057f41c7fd8a397
Filename: Wolsvagen-Sorteo.exe
IP: 65.23.158.58

P.S. I did some research and found that the car is indeed offered as a prize in Spain, so my guess is that this phishing scam originates in the Motherland.

Tuesday, October 23, 2007

iPhone targeted for hacking

HD Moore has announced some very good stuff for hacking the iPhone (like adding OpenSSH to the phone and getting a root shell). The entry has been posted to the Metasploit blog.

I know it will be a long time before the iPhone makes its debut in Mexico, but it seems like the delay will be worth it.

Friday, October 12, 2007

Malware speech

Next Monday I'm giving a talk at the Facultad de Ingeniería, UNAM. Here is the complete information.

Sunday, September 2, 2007

Pharming and One Time Passwords (OTP)

Sadly, pharming is increasing in Mexico, with a local "look & feel" and targeting online banks, mainly Banamex.

Banamex (Citigroup in Mexico) is one of the largest banks in Mexico, so it is natural for phishers to target the users of this bank. But it isn't only about the number of users; it is also about the fact that Banamex uses the NETKEY token for online access. So you may wonder: why are criminals targeting Banamex if two-factor authentication is used?

The reason is that NETKEY is a "sequence-based token": a new pseudo-random code is given to the user each time he/she presses the key on the token, and that code does not expire after a fixed interval (as the codes of time-based tokens do).

Criminals fool the user into thinking he/she has reached the bank website; the phisher then steals the login, the password and the OTP, and shows the user a message like "we're under maintenance, please come back in a few hours". Finally the phisher logs in to the real online bank and steals the money (as long as the user doesn't log in to the genuine website before the e-robbery takes place).

The problem here is that the OTP doesn't expire (I tried with my NETKEY and I could log in two hours after reading the OTP on NETKEY's display), so the phisher has plenty of time to steal the money. Other banks use time-based tokens, so the phisher would need to log in with the stolen credentials within sixty seconds or less. Banamex should adopt the time-based solution; in the meantime its users are at risk. Note that a time-based token only narrows the window: a phisher who relays the stolen code to the bank immediately still gets in, so it is a mitigation, not a cure.

Now, for the attack-vector part: the message says "a Finnish kid was condemned because of a YouTube video", and at the end of the text it prompts the user to download the supposed video.


The file is a .rar that contains an executable which modifies the hosts file and also opens a browser window with a video from YouTube (in fact the video is in Spanish).
The MD5 of this file is: b845cbb13117a9776852bc86a802b51a

Wednesday, August 29, 2007

"Anti-fraud dipping birds" Unit

At UNAM-CERT we think that any help is good help. After the pharming attack we faced yesterday, we called in the special forces unit.



With a hundred of these workers we could take the anti-fraud fight to a new level.

For information about "drinking birds": Wikipedia.

Tuesday, August 28, 2007

Pharming attacks are on the rise, this time: UNAM-CERT

Early this morning we started receiving phone calls from people asking us about an e-mail they had received last night. This e-mail included links to UNAM-CERT, a supposed "guide" to secure the PC, and UNAM-CERT's phone number.

A user sent me a copy of the e-mail that supposedly came from UNAM-CERT; it asked the recipients to download a supposed "guide" to secure their PCs (Manual.exe).


The MD5 checksum of the malware is: fcfc77d1786572812aac1319e5ad5fde
This malware modifies the Windows hosts file, redirecting www.banamex.com to an IP address under the phisher's control.

What is really interesting about this attack is that the phishers are using well-known organizations as the infection vector, even when the final target is another website, Banamex in this case.

For recommendations and related information, go to the UNAM-CERT official site.
For an in-depth analysis, check UNAM-CERT's malware blog.

Monday, July 30, 2007

The Privacy Risks of Social Networking Sites

For those concerned about privacy on the Net and on social networks like Facebook, Hi5, MySpace, etc., there is a good article in the latest issue (May-June 2007) of IEEE Security & Privacy magazine by David Rosenblum.


"For the Net generation, social networking sites have become the preferred forum for social interactions, from posturing and role playing to simply sounding off. However, because such forums are relatively easy to access, posted content can be reviewed by anyone with an interest in the users' personal information."

"It is possible to glean personal information even without accessing a home page on these sites because many people use the public wall as a private message board to post intimate details of their lives, schedules, or recent sexual conquests. But what would motivate people to broadcast their private lives? As one user explained it: 'Like many of my generation, I consistently trade actual human contact for the more reliable high of smiles on MySpace, winks on Match.com, and pokes on Facebook. I live for Friendster views, profile comments, and the Dodgeball messages that clog my cell phone every night.'"

Many websites ask their users to enter a "secret question/answer" in case they forget the password, so the user can recover/reset it. Many of the secret answers can be found on MySpace or Hi5, e.g.: name of the primary school, name of the pet, city of birth, favorite team.

Worse, many of these questions are used as an authentication method by the phone services of many banks, so when you call for the very first time you will be asked for your mother's maiden name; even if you didn't publish this info, it isn't hard for an attacker to ask you this question directly on your MySpace/Hi5/Facebook page (using social engineering). Worth a look.

Friday, July 27, 2007

Pharming in the wild

My SPAM folder is an unbeatable source of malware, better than the Honeynet Project I think (JK); last week I found an e-mail with an interesting subject, "Combate al robo de combustible", loosely translated "Fighting the gas rip-off". Let me explain: in Mexico there are gas station pumps that dispense less fuel than what you pay for; you pay for 1 L but you get, let's say, 900 ml (or less). Well, there is a study on this topic and a list of gas stations that rip you off.

Back to the e-mail: it was supposedly sent by the "Tec de Monterrey" (a private university in Mexico), but it seems to be fake.
It includes a link to a file that pretends to be the list of gas stations (Gasolinera.rar); inside this rar is a "gasolineras.exe" file with MD5 hash: f5e9203e2d799cc98016db11a1832880.


It was evident that this file was malware, but I always upload suspicious files to VirusTotal before starting a deeper analysis (to save effort in case it is already-known malware); it reported nothing. Then I sent a copy of the file to the malware team at UNAM-CERT for analysis, while at the same time I tried to reverse-engineer the code to highlight the main activities of this malware.

The file has some interesting strings:

Gasolineraxc
SeguridadBanamex
Gasolineras
ProductName
SeguridadBanamex
FileVersion
1.00
ProductVersion
1.00


This malware adds entries to the "C:\WINDOWS\system32\drivers\etc\hosts" file, specifically:

209.40.195.154 banamex.com
209.40.195.154 www.banamex.com
209.40.195.154 banamex.com.mx
209.40.195.154 www.banamex.com.mx
72.249.77.180 www.bancanetempresarial.banamex.com.mx
209.40.195.154 bancanetempresarial.banamex.com.mx
209.40.195.154 boveda.banamex.com
209.40.195.154 www.boveda.banamex.com


This kind of attack is known as "PHARMING": it fools the browser and other applications into resolving the names of legitimate sites, mainly online banks, to fake portals. That is, when I type www.banamex.com in the browser, the system checks the hosts file before it ever asks DNS; since the malware previously added the entry, www.banamex.com now resolves to the IP 209.40.195.154, and of course the attacker controls that IP.

The antivirus fails to detect this malware even as potentially unwanted because it doesn't open TCP ports, doesn't add entries to the Windows registry and doesn't hook hardware interrupts (among other typical hacking activities); needless to say, it's a very NASTY attack.

The details may be quite technical for some people, so let's make an analogy: an attacker overwrites your Yellow Pages book, so when you try to reach Domino's Pizza by phone you actually get Pizza Hut's number.

So, how can I protect myself? ALWAYS check the SSL certificate when browsing online banks, even if you typed the URL directly into the browser (controlling the IP does not give the attacker a valid certificate for the bank's name, so a certificate warning or a plain-http login page is the tell), and NEVER execute files received as attachments, even if the antivirus says they're OK.
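A check for this post and for the two earlier hosts-file trojans described on this page (Manual.exe and the "Finnish kid" video), as an added example that is not from the original post: it parses a Windows hosts file and reports every non-loopback address assigned to a watched bank domain, plus any public address assigned to a dotted hostname. The sample hosts content is constructed around the eight entries quoted above; the watchlist of domain suffixes and the reason labels are assumptions.

```python
# Added example, not code from the original post.
# Audits a hosts file for pharming entries: watched bank domains (or any
# dotted hostname) pointed at an address other than loopback.
import ipaddress
import os
import sys

# Constructed watchlist; the Banamex names come from the entries quoted in the post.
WATCHED_SUFFIXES = ("banamex.com", "banamex.com.mx")

# Constructed sample: a stock Windows hosts file plus the eight lines the post
# attributes to gasolineras.exe and one legitimate LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
209.40.195.154 banamex.com
209.40.195.154 www.banamex.com
209.40.195.154 banamex.com.mx
209.40.195.154 www.banamex.com.mx
72.249.77.180 www.bancanetempresarial.banamex.com.mx
209.40.195.154 bancanetempresarial.banamex.com.mx
209.40.195.154 boveda.banamex.com
209.40.195.154 www.boveda.banamex.com
192.168.1.10\tfileserver   # legitimate LAN entry, must not be flagged
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines.
    One line may map several names to the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping either
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return [(ip, hostname, reason)] for suspicious mappings. Loopback and
    link-local targets are normal and skipped; RFC 1918 targets are only
    reported when the name is on the watchlist."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_link_local:
            continue
        if any(name == s or name.endswith("." + s) for s in watched):
            findings.append((str(ip), name, "watched-domain"))
        elif ip.is_global and "." in name:
            findings.append((str(ip), name, "public-ip"))
    return findings


def hosts_path():
    """Location of the system hosts file on Windows and Unix-like systems."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Run with --system to audit the real hosts file instead of the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--system":
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = audit_hosts(text)
    for ip, name, reason in hits:
        print(f"PHARMING? {name} -> {ip} ({reason})")
    print(f"{len(hits)} suspicious entries")
```

The "public-ip" rule is deliberately loose: a hosts file on a desktop almost never needs a public address for a dotted name, so a match is worth a look even when the name is not a bank.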

Thursday, July 5, 2007

New celebrity phishing

Today I found an interesting and (at least for me) brand new infection vector; usually when you are being phished the attackers send you e-mails with the look & feel of some bank's website, trying to convince you of the site's authenticity. But by now that is obvious, and people know what phishing e-mails look like.

This time I got a supposed video from a well-known magazine with the headline "Luis Miguel cheating on his wife", some pictures and three links to the "video". The video is a tvnotas.exe file.

You may wonder why a victim would click on that link. Well, Luis Miguel is a famous singer in Mexico, one of the richest, and all the magazines and TV programs are always following his career and personal life (far beyond his public life). Maybe I'm not the target of this phishing, but I know a lot of people (mostly women) who would click before they finish reading "Luis Miguel"; you know, his wife is another beautiful woman, "Araceli Arámbula", and it would be embarrassing for him to be caught "in action".

If you are curious about who Luis Miguel was supposedly kissing, it was "Jessica de Alba" (sic); I guess the phisher was referring to "Jessica Alba", the chick from Dark Angel and Fantastic Four.

After all this "background", I downloaded the tvnotas.exe trojan from www.nocleh.cz and uploaded it to VirusTotal (www.virustotal.com) to scan it. VirusTotal is a free public service in Spain; you can upload any file you like to get it scanned for viruses and malware.


Of the 30+ engines used at VirusTotal, just 6 reported anything, ranging from "suspicious file" to "Trojan/Delphi.Downloader.Gen"; Symantec and McAfee reported nothing.

What we can learn from this is not to blindly trust the antivirus. Every day attackers try to fool you into clicking an image or link, and they have freshly built code that no signature matches yet. You might get convinced by a headline and download a file, run the antivirus and, as long as there aren't any alerts, double-click the file, and you are gone.

Saturday, June 30, 2007

American Express phishing

Yesterday I received a promotional flyer from American Express Mexico to speed up the accumulation of Membership Rewards points. Either I call by phone and ask for the promotion or I sign up myself on the Internet.

The problem is, when you access the URL you're asked for your credit card number. No problem: I would give my number after checking the SSL certificate and double-checking I'm at the correct American Express site; but wait a moment... I opened the page source in Firefox to assure myself about the destination of my credit card data:

<form name="forma1" action="http://extranet.ogilvy.com.mx/amexoptin/default.asp">

Am I wrong, or is there an "s" missing after the "http"? Whether the page itself was served over HTTPS doesn't matter; it is the form's action URL that decides where, and how, the card number travels.

It's not the first time I've gotten promotionals from American Express asking for my account number without an encryption layer over the Internet. Last time I was supposed to send my credit card number via e-mail (no encryption at all) and I would get 500 Membership Rewards points.

Last time I wrote "It seems that American Express is phishing... their clients"; now I'm pretty sure they are.
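The check done by hand above, as an added example that is not from the original post: it pulls every form out of a page and reports those whose action would submit over plain HTTP, resolving relative actions against the page URL and marking forms that carry a password or card-number field. The sample page is constructed around the form tag quoted above; the page URL and the list of sensitive field-name keywords are assumptions.

```python
# Added example, not code from the original post.
# Finds HTML forms that would submit their fields without TLS.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: the quoted AmEx form plus a relative-action search
# form and a proper HTTPS login form for contrast.
SAMPLE_PAGE = """
<html><body>
<form name="forma1" action="http://extranet.ogilvy.com.mx/amexoptin/default.asp" method="post">
  <input type="text" name="tarjeta">
  <input type="submit" value="Enviar">
</form>
<form name="search" action="/buscar">
  <input type="text" name="q">
</form>
<form name="login" action="https://www.example.com/login" method="post">
  <input type="password" name="pwd">
</form>
</body></html>
"""

# Assumed keywords that suggest a field carries card or account data.
SENSITIVE_WORDS = ("card", "tarjeta", "cuenta", "account", "ccn", "pan", "cvv")


class FormCollector(HTMLParser):
    """Collects each form's name, action and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"name": a.get("name") or "", "action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def carries_sensitive_data(inputs):
    """True if any field is a password or its name looks like a card/account field."""
    return any(t == "password" or any(w in n for w in SENSITIVE_WORDS) for t, n in inputs)


def insecure_forms(html, page_url):
    """Return [(form_name, resolved_action, sensitive)] for every form whose
    resolved action is not https. An empty action submits to the page itself."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"]) if f["action"] else page_url
        if urlsplit(target).scheme.lower() != "https":
            findings.append((f["name"], target, carries_sensitive_data(f["inputs"])))
    return findings


if __name__ == "__main__":
    for name, target, sensitive in insecure_forms(SAMPLE_PAGE, "https://promo.example.com/optin.html"):
        flag = "SENSITIVE DATA" if sensitive else "no obvious secrets"
        print(f"form {name!r} submits in the clear to {target} ({flag})")
```

A relative action inherits the scheme of the page, which is why the same search form is safe on an HTTPS page and unsafe on an HTTP one.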

Friday, June 29, 2007

Wardriving

About a month ago I was wardriving in the south of the city for a project at UNAM-CERT. I found a lot more networks than six months ago, when I did a Wi-Fi reconnaissance; most of the networks were totally open, like hotspots.

This is a growing problem in Mexico because wireless technology has only recently been widely adopted (some years later than in other countries). Every time we do a pentest we find the weakest link to be the wireless network, so bad.

Here are some pictures of the wardriving kit. (click for bigger image)




Saturday, June 16, 2007

Online fraud in Mexico

Last week, UNAM's Computer Security Conference was held at the Palacio de Minería in Mexico City. One of the sponsors was Bancomer and there was a discussion panel between Bancomer and Banamex.

The banks were trying to convince people that they do everything they can to protect your money online; the truth is, they just do what is necessary to keep their business working and make a profit from it.

One guy in the audience asked them about an Internet portal dedicated to online frauds at Bancomer, Banamex and many other banks with Mexican clients (like HSBC, Santander, etc.).
I wrote down the URL (http://www.robosbancarios.com) and today I visited the site; I've been reading some of the cases, and needless to say, banks in Mexico SUCK BIG TIME.

I realized that I should have asked the bank guys why the hell they don't give details of the transactions to the affected clients, but I was busy with the conference organization. The banks justify it by saying they're following "banking secrecy"; the truth is they're just protecting criminals.

Another very common form of fraud in Mexico is social engineering. It would be interesting to hear why the banks call your home/office offering new credit cards and ask for personal data that any criminal could gather to steal your identity, and it's perfectly legal. It's a form of phishing and the banks do nothing to stop the modus operandi; they should adopt an anti-phishing policy for phone calls.

"Bancomer won't ask for personal information: be suspicious of any unsolicited phone call asking for your personal information"; that would help a lot, but after all they are BANKS, more interested in getting new clients than in protecting them.

Friday, June 15, 2007

Biometrics at UNAM-CERT

Finally, today the access control mechanism was set up at UNAM-CERT, consisting of a proximity card and a biometric (fingerprint).

This mechanism is part of the new policy for the SOC (Security Operations Center) at UNAM-CERT, DGSCA. The proximity card has been the de facto standard for a while, but the biometric adds security to the scheme.

Switching to blogger

This is an important day for this blog:

first, because I'm moving from my home-made blogging tool to Blogger, and

second, because I'm switching from Spanish to English.