Phishing and Security

TheDevopsGuy

So lately I've been thinking again about an event which happened to me last summer, where I was targeted by a phisher and unfortunately ended up falling victim. Immediately after I realized what had happened I formatted my PC, restarted my network and changed every setting through my mobile 3G.

My question is this: the only link I remember ever clicking on was a link sent to me through Twitch.tv, and at the time I recall it definitely being an https://www.imgur.com/a/blablabla link. Of course, when it redirected me I was on an imgur album, but after a while I noticed the breach.

Was the Attack Even Phishing? What were the possibilities?

The only information which could possibly have been compromised after I clicked the website was when I logged into my email, which at the time was saved in my browser, so I doubt that if it was a keylogger it would have registered the keystrokes for my mail address.

I'm writing this thread so hopefully I can understand what the possibilities were and how to defend myself from these in the future, apart from the obvious case of not clicking random links sent by strangers.

Any feedback would be appreciated; sorry for the long post.
 
Phishing or otherwise - - it was an attack that was effective :sigh:

(1) you can use a proactive antivirus like Avast Free which will protect you from email or weblinks
(2) try to educate yourself on what a bogus link looks like and not go there
(3) if email is from unknown source, DON'T even open it but just immediately delete it.

Some URLs are impossible to read: short URLs in particular.
For all we can tell, that could be an adversary on MARS! Do you risk being infected again??? Once bitten, twice shy in my book! Never click on short URLs!

More on (2): is Techspots.com safe?? Read that carefully! See the extra 's'? I wouldn't chance it! (btw: this example is benign & safe)

I had an email this week from a correspondent joe_doe and the name showed up correctly. HOWEVER, joe_doe uses yahoo.com email and the one in my mailbox was something like bogus.smtp_email.from.au. The AU was the giveaway.
On (1) proactive AV: Most antivirus products are reactive, meaning they attempt to clean up after the damage has been done. This includes products like Norton and MS Defender.

I prefer products that find the villains BEFORE they land on my disk! I don't have to rely upon an unknown cleanup process, nor do I need to rescan the HD before I access programs or data. I've been using Avast Free for years now and it's been very effective for me.
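The two manual checks described above (the extra "s" in Techspots.com, and a familiar sender name paired with an unexpected mail domain) can be automated as simple heuristics. The following is an added example, not code from the original post or from any product named in it: it keeps a small constructed allowlist of domains the user actually deals with, flags near-miss look-alikes by string similarity, flags well-known URL shorteners as unreadable, and compares the domain in an email's From header against the domain recorded for that contact. Note that the scheme (http vs https) is deliberately not used as a trust signal, which is the point made later in this thread about HTTPS. The contact list, shortener list and the `registrable_domain` helper (which simply takes the last two labels, not a public-suffix lookup) are assumptions for the example.

```python
"""Heuristic checks for look-alike domains and mismatched sender domains.

Added example; the allowlist, contact table and sample inputs are constructed.
"""
import difflib
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the user knowingly deals with (constructed allowlist, assumption).
KNOWN_DOMAINS = sorted({"techspot.com", "imgur.com", "yahoo.com", "twitch.tv"})

# A few widely used URL shorteners; the author's advice is to treat these as unreadable.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Display name -> mail domain that contact normally writes from (constructed).
CONTACTS = {"joe_doe": "yahoo.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ("www.imgur.com" -> "imgur.com").

    Simplification: not a public-suffix list lookup, so "example.co.uk" would
    come out as "co.uk". Good enough for the .com/.tv domains in this example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> str:
    """Classify a link as 'known', 'shortener', 'lookalike:<target>' or 'unknown'."""
    # urlsplit needs a scheme to find the host; the scheme itself is ignored as
    # a trust signal, since a phishing site can have a valid certificate too.
    parts = urlsplit(url if "://" in url else "http://" + url)
    domain = registrable_domain(parts.hostname or "")
    if domain in KNOWN_DOMAINS:
        return "known"
    if domain in SHORTENERS:
        return "shortener"
    # Similarity >= 0.85 catches one-character additions such as techspots.com
    # vs techspot.com (ratio 0.96) without matching unrelated domains.
    close = difflib.get_close_matches(domain, KNOWN_DOMAINS, n=1, cutoff=0.85)
    if close:
        return f"lookalike:{close[0]}"
    return "unknown"


def check_sender(from_header: str, contacts: dict) -> str:
    """Compare the From header's domain with the domain recorded for that display name."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = contacts.get(name)
    if expected is None:
        return "unknown-sender"
    if domain == expected:
        return "ok"
    return f"mismatch: expected {expected}, got {domain}"


if __name__ == "__main__":
    # Constructed samples modelled on the cases discussed in the thread.
    for link in ("https://www.imgur.com/a/blablabla", "https://Techspots.com/",
                 "https://bit.ly/abc", "https://example.org/x"):
        print(f"{link:40} -> {check_url(link)}")
    for hdr in ("joe_doe <joe_doe@yahoo.com>",
                "joe_doe <joe_doe@bogus.smtp_email.from.au>"):
        print(f"{hdr:45} -> {check_sender(hdr, CONTACTS)}")
```

The look-alike check is only a convenience: a domain that scores as "unknown" is not thereby safe, and a sender whose domain matches can still be spoofed unless the mail server checks SPF/DKIM, so these heuristics complement rather than replace the habit of not following unexpected links.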
 
Regarding HTTPS, I understand it's a layer of protection added on top of HTTP to encrypt the data of websites, but can't most websites, even phishing ones, mimic HTTPS by being self-signed or buying a certificate?
 
HTTPS only protects the connection between the user and the website via encryption - - it says absolutely NOTHING about the content being delivered!
 
Phishing -- pronounced just like fishing; so what is it?
  • A knowledgeable fisherman casting tasty-looking-bait hoping to fool the fish into biting.
In our technology world, this is one component of Social Engineering where our paranoia, fears, and insecurities whisper in our ears "Oh oh, this sounds / looks bad and I better check it out to be safe". So we take the bait, click into the unknown (which is inherently unsafe), and actually create an evil consequence. We were better off by listening to the voice on the other shoulder, "I really don't need to know this".

The email subject line was just too enticing and so we bit -- and were served up for dinner to some scammer as a consequence. The bait gets cast to us via email, text messages or even voicemail. I had one last week where the message was

"This is the Social Security Administration and we need to talk to you. Call us immediately at 305-xxx-yyy."
  • I live in Southern Calif and the 305 area code is out of Miami, FL. Why wasn't the origin from a SoCalif area code?
  • BECAUSE, SSA & IRS don't initiate a conversation using electronic means -- it's always begun using USPS hardcopy letters.
It is very hard to filter all the delicious-looking bait by automation filters. As the feedback phone numbers change quickly, they are not reliable indicators of phishing.

Robo calls have a similar problem. Your best indicator is the Caller-ID does not resolve into a name in your contacts and only shows up as a 10 digit phone number, sometimes with a very broad City, State. NEVER answer these calls. IF they are legitimate, they will leave a voicemail, identify the company, person and subject matter, leaving a return number you can verify. Otherwise, you know you just avoided a lot of pain.

ps:- yes the subject is an old thread, but still an ideal place to consolidate such information on phishing
 

What are the risks when picking up the phone on such phone calls? In Europe I don't believe we ever get calls related to the IRS; most of the time it's either Microsoft tech support ;) or international calls which, when answered, return no response, or so I've heard; I've never encountered this myself.

I'm guessing most of the time it's to confirm the mobile number is registered and currently in use?
 
My fundamental rule for all phone calls:
  • If the number is NOT in my contacts (ie: no name shows but only the phone number), then the call is suspect.
  • Such calls I Never answer but let them go to voicemail.
  • If they leave no message at all, then it wasn't important, wasn't business related and I was correct.
  • If they left a message, I have to make a judgment call on the validity of the call (eg the area number 305 cited above)
  • Rarely I get a call from a person I do actually know but don't have in my contacts and I get to catch-up by calling back (my last one was to Rome and place the cost on me :) )
 

Honestly, it's just a coincidence, but today a security company came over and gave us a talk about their services. They seem to offer services which allow telecommunication companies to monitor SMS entry and exit points; it seems tech giants have "found" a way to send password and 2FA recovery SMSes for free through manipulation of the current "system".

Gave me a vibe of one of Kevin Mitnick's works, Ghost in the Wires.

Makes me wonder if such systems can be deployed why are we still getting bombarded by such attacks.

I'm guessing it boils down to
  • ISPs don't want to spend money on such systems? Even though their systems are being utilized for free.
  • As with everything in technology, attacks advance and patterns are avoided; basically I patch this, the hacker exploits that, and on and on the battle goes.
 
Remember, their agenda is to SELL YOU something -- maybe they can, maybe they can't
 
I was more intrigued when they mentioned they built their own IP stack and internal tools capable of decrypting crap. Makes me wonder how one gets to build a custom IP stack. Guess that's a future area I'd like to investigate.
 
This, or any driver, has a spec (an RFC in internet parlance) and anyone with good programming skills could do this (but not with M$ MFC )
 

Ahh, so it's basically a fully fledged protocol with slight modifications. If I may ask, how would a different IP stack benefit a company/user? Why would I want to build one differently than the standard?
 
The big payoff would be because of nefarious intent.

A secondary choice would be to add new functionality. TCP/IP has a design known as the OSI 7 layer model (see https://en.wikipedia.org/wiki/OSI_model) and it is very mature now.
 