PhishLabs is looking forward to joining our colleagues in Prague to continue the fight against cyber-crime and online fraud.

ABOUT the Counter eCrime Operations Summit

CeCOS VI, the second APWG conference held in Europe, is an open conference for members of the electronic-crime fighting community, hosted by the APWG and its Conference Partner AVG, Program Partners: The Council of Europe and Organization for Security and Cooperation in Europe, and sponsored by AVG, Google, Microsoft, MarkMonitor, ESET, Telefonica and ICANN. The CeCOS programs are widely considered the most vital events to investigators and managers of electronic crime from across the private and public sectors.

AGENDA

http://apwg.org/events/2012_cecos.html#agenda

CONFERENCE REGISTRATION:

http://secure.lenos.com/lenos/antiphishing/cecos2012/

Let’s clear it up once and for all.

There are actually 3 distinct but related types of malware being used to commit various scams by one or more criminal groups.

Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs.    Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan.    There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams.    The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information.    It is basically a hosting platform used by the attackers.    Because the Avalanche bots act as a simple proxy, and there are thousands of them, it has been exceedingly difficult to shutdown the phish pages.   Instead most Anti-Phishing organizations have focused on shutting down the domain names that were used in the phishing URLs.

PhishLabs recently presented new information about the Avalanche botnet at the recent Anti-Phishing Working Group (APWG) fall conference.   We were able to acquire a copy of the bot software and analyze it.    What we learned is that the malware is actually rather simple.    It listens on TCP port 80 for incoming connections and simply relays data receives to another server that hosts the actual phishing pages and malware files.

In an effort to help service providers and others clean-up Avalanche infected machines, here are the key details:

Removing the Avalanche bot components is as simple as deleting the two files and one registry key.

PhishLabs has also been able to determine the IP addresses for a large number of the infected systems.  Service Providers are invited to contact us at info -at- phishlabs.com for a list.     We have also shared this information with our friends at ShadowServer who are helping report infected systems as well.

In case you’re not familiar, a formmail script is a CGI web application which receives data from a form on a web page and sends it off via email.    They’re commonly used for things like ‘Contact Us’ forms, support requests, feedback, etc.    Matt Wright claims that his formmail script has been downloaded over 2 million times since 1997.   Matt’s version and lots of others are everywhere.

And that’s the problem.   Many people have written their own without understanding the security and abuse implications.   Written correctly, they restrict the destination of any generated emails to the address of the webmaster or appropriate contact for that web site.    Written incorrectly, they can be used to send any message content to any address – including that of a cyber-criminal on a phishing expedition.

Recently, PhishLabs examined the prevalance of formmailer abuse by phishers.     After reviewing two weeks of phishing sites, we estimate that 10% of all phishing abuses formmailer scripts.     That’s significant.    Many phishers use open formailers in combination with free web hosting.    For example, t35.com provides free web hosting, but they don’t support ability to send emails from their web servers.    So instead the attackers set-up the phishing site so that the HTML pages send victim data to another site with the open formmailer.    The formmail script then emails the compromised account information to the attacker.      Without the open formmailer, the attacker would have to hack into a legitimate web site instead.    Get rid of open formmailers you get rid of (most) phisher’s who can’t hack.

Of the approximately 100 open formmailers we detected being used for phishing, the following are the top 10 worst offenders.

1. http://cgi.mywebserv.com/cgi-bin/formmail.pl
2. http://homepage.eircom.net/cgi-bin/auto_mail.cgi
3. http://www.hotspace.com.au/ccgi/mailform.asp
4. http://www.infonet.com.br/cgi-bin/mailto/comments.exe/msg.txt
5. http://iceworm.com/temp/form.php
6. http://www.necasa.org.uk/cgi-bin/mailform.pl
7. http://www.iolfree.ie/cgi-bin/responder
8. http://home.ism.com.br/cgi-bin/scripts/mail_form.pl
9. http://www.boomsoft.com.pl/images/wmail.php
10. http://www.magnet.pl/cgi-bin/mailform.cgi

We hope that the responsible parties will restrict access to these scripts or remove them.    Also, it would be great if web content filtering companies would also block access to them.   It would certainly prevent some phishing victims.

I encourage anyone who is interested in understanding how phishing really works to read the paper, but here are a few of the key take-aways:

• Over 75% of phishing sites are hosted on hacked web sites
• Despite legend to the contrary, there is no data to support the notion that phishers use phish URL blacklists (like PhishTank) to find vulnerable web sites
• About 9% of phishing web sites are hacked again and another phish added within 4 weeks

Also see Dr. Clayton’s blog posting on Light Blue Touch Paper for more.

Why do the bad guys do it this way?   Generally, because they’re using free web hosting to install phishing HTML pages, but the free hosting services does not support any server-side scripting like PHP (or .NET, CGI, etc.).     All the phishers have to do is upload the HTML files and point them towards some other web site’s  poorly configured formmail script.   Voila!   Insta-spoof!

So how often do phishers actually use a formmail script?   PhishLabs set out to find out by reviewing the HTML source code of over 33,000 phish in our archives over the last 4 months.  It turns out that after ignoring botnet hosted (e.g. fast-flux) phishing sites, that formmail phish represent roughly 4% of attacks.

Unfortunately, the biggest facilitators are not “mom-and-pop” web sites but in some instances well known companies.   One of the world’s largest domain registrars has an ecommerce subsidiary that has an open formmailer program that is responsible for helping at least 200 phishers over the last few months.  ISPs, web hosters, and universities are also complicit in helping phishers.

By “back of the napkin” estimates, if each phish attack costs banks (and consumers) $1000, then ill-configured formmail programs are costing us all roughly $3 million per year.    Dear web developers – if you’re going to use a formmail script, check referrers (even though they can be spoofed) and hard code the destination email address in the back-end script rather than allow it to passed by the web client.

The silver lining in this is that the phishers’ email addresses are usually exposed in the HTML of the phishing site when they use this tactic.   PhishLabs has turned over a list of 513 email addresses to ISP and law enforcement cyber-crime investigators.

First a little bit about us.  PhishLabs was founded by John LaCour in September 2008.  Our vision is to do more to stop cybercrime than the status quo model of detecting, counting, categorizing, and (sometimes) reporting attacks.   The media is full of stories with interesting statistics about the number of cyber attacks going up ‘X’ percent with attacks mostly coming from certain countries.    Vendors and even free Internet community groups report cybercrime to ISPs who shutdown attacks just to have another one replace it.  Measuring the number of attacks and stopping them is better than ignoring them, but ultimately does almost nothing to stop cybercrime from reoccurring.

PhishLabs aims to change that by providing our clients with information about the identity of cyber-criminals, how they operate, why and when their scams are successful, thereby  providing actionable intelligence for the affected organization, and if desired, law enforcement. This is accomplished by going much deeper than detecting and shutting down individual attacks.

While we take on a variety of initiatives, our focus is within three main areas:

Advisory Services:
We help clients review their anti-fraud programs within the context of their peer group and industry leading best practices.   Where appropriate we drive the implementation of program improvements (both technical and non-technical) to reduce or eliminate online fraud.

Intelligence:
We investigate specific criminal groups, actors, and fraud methods and provide recommendations to reduce or eliminate their impact.  We also work with law enforcement and related groups like the NCFTA to provide information they can use to ultimately arrest and prosecute cyber criminals.

Incident Response:
While there are often day-to-day attacks which can be managed with in-house expertise or security operations vendors, responses to new types of attacks or dramatic changes in attack volume may require some outside help.    Whether it is a rock-phish attack or a new type of malware, PhishLabs helps clients by rapidly assessing complex attacks and rapidly developing and implementing a cost-effective plan of action.

In addition to helping our clients with the services outlined above, we strongly believe in sharing with the security community.   In the coming days and weeks, please check back with this blog to find information about hacker techniques and tools, pointers to academic research of to fighting cybercrime, as well as advice on the steps you can take to protect your organization and customers from online fraud.    Of course we’ll also be sure to keep you updated on the latest developments at PhishLabs.

Thanks for reading and please keep in touch.

John LaCour, CISSP
President, PhishLabs
jal@phishlabs.com