RedMarlin Research Labs Blog

Equifax, one of the three major credit bureaus in the U.S., disclosed on Sept 7th that it suffered a massive data breach on July 29th, 2017. It reported that an estimated 143 million consumers may be impacted, making it one of the largest breaches in U.S. history.

As security researchers, we’ve been closely monitoring the news since it broke. In this blog post, we share some early domains that look suspicious and are worth monitoring closely. As we typically see in such breaches, bad actors exploit the situation for their personal gain in the aftermath. Phishing is one such threat that we always expect in the days following the disclosure. Since the scale of the breach is so big and the data at stake is extremely sensitive (SSNs, DOB, names etc.), it is extremely important for everyone to stay vigilant against deceptive phishing links that may try to steal users’ information.

Equifax’s free credit monitoring: a phishing link that wasn’t

Within a couple of hours of the official announcement on Sept 7th, we started receiving queries on RedMarlin’s free phishing lookup tool CheckPhish for a suspicious-looking link: https://trustedidpremier.com/eligibility/eligibility.html. Our AI engine marked it clean, but we had to dig further as the link had various suspicious characteristics. It had been registered a few days earlier, the domain is hosted on Amazon, its WHOIS information is privacy protected, and the site asks for six digits of the SSN and a last name, as seen in the image below.

Image 1: Equifax’s credit lookup tool to check if you were affected in the breach.

Upon tracing it back, we found the chain of links that leads back to https://www.equifax.com/personal, as you can see below. We were relieved to inform users that it wasn’t a phishing attempt on them.

Path from Equifax homepage to the trustedidpremier.com link

Various researchers reported that the site https://www.equifaxsecurity2017.com was being marked as phishing by security providers, which is understandable given the suspicious indicators on that site as well. It was registered recently and saw a massive spike in DNS volume, which likely caused some of them to mark it as phish. We agree that it is better to be on the safe side and proactively mark something so suspicious as phish until there is enough evidence to prove otherwise.

In addition to the above, we saw reports on Twitter for the trustedidpremier.com site being blocked by Google Chrome, although it seems to be fixed now.

If you wish to check more details on the above links, CheckPhish has more insights into them:

For trustedidpremier.com: https://checkphish.ai/insights/1504820558046/d472758e4de186bf04c66982fdf97e73bf981e25e0297da81f4f60232207c956

For equifaxsecurity2017.com: https://checkphish.ai/insights/1504845916728/310e17fee782fbf677a575cfa991796eb2e1a189f892a842524e09944be64c33

Image 2: Sample CheckPhish insights page for trustedidpremier.com

At the time of writing this post, at least one engine marked the above two domains as phishing on VirusTotal:

For http://trustedidpremier.com: https://www.virustotal.com/#/url/f301a01db2e921d773b13340eb4883d3fb32733cf822f897a032b6ad15fc400d/detection

For http://equifaxsecurity2017.com/: https://www.virustotal.com/#/url/99e3eadc2b4b59115b57016b621a014007434ae03662580f910939d87c764597/detection

What’s in store next?

As mentioned earlier, we expect phishing attempts to go up in the coming days and weeks. In our daily monitoring of newly registered domains, we saw 77 new ones that look very similar to the ones used by Equifax. They were all registered in the last few days. A few examples:

trustidentitypremiereefx.net
trustidentitypremiereefx.com
equifaxtrustidpremiere.org
equifaxtrustidpremiere.net
equifaxtrustidpremier.org
efxtrustidpremier.net
efxtrustidpremier.com
efxtrustidentitypremiere.net
efxtrustidentitypremiere.com

None of these domains resolves to an IP so far, and their WHOIS is privacy protected. The most plausible theory is that they were registered proactively by incident response teams at Equifax before the bad guys could get hold of them. Full list of the domains here.

We’re also seeing reports of domain registrations that are deceptively similar to the above, but most of them redirect to the equifaxsecurity2017.com site. Here is a list of 247 such newly registered domains. Most of these domains are registered on Name.com, unlike the previous list, which is hosted on Amazon.
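One way to triage a feed of newly registered domains for Equifax lookalikes, as an added example that is not RedMarlin's code: it flags a domain when its second-level label contains a brand token or is close (difflib ratio of at least 0.8) to a legitimate label. The legitimate domains come from this post; the brand tokens, the threshold and the sample feed (the lookalikes quoted above mixed with constructed typosquats and unrelated noise) are assumptions.

```python
from difflib import SequenceMatcher

# Legitimate Equifax-related domains named in the post. The brand tokens are an
# assumption drawn from those names, not a RedMarlin list.
LEGIT_DOMAINS = ["equifax.com", "trustedidpremier.com", "equifaxsecurity2017.com"]
BRAND_TOKENS = ["equifax", "efx", "trustedid", "trustid", "premier"]
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off for "looks like a legitimate label"


def second_level(domain):
    """Naive registrable label: drop the last DNS label (assumes a one-label TLD)."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def best_match(label):
    """Highest difflib similarity between label and any legitimate second-level label."""
    return max((SequenceMatcher(None, label, second_level(d)).ratio(), d) for d in LEGIT_DOMAINS)


def score(domain):
    """Explain why a domain is (or is not) a lookalike candidate."""
    label = second_level(domain)
    tokens = [t for t in BRAND_TOKENS if t in label]
    ratio, nearest = best_match(label)
    return {"domain": domain, "tokens": tokens, "nearest": nearest,
            "similarity": round(ratio, 2),
            "flagged": bool(tokens) or ratio >= SIMILARITY_THRESHOLD}


def triage(feed):
    """Return flagged entries, closest to a legitimate domain first; skip the legit ones."""
    hits = [score(d) for d in feed if d.lower() not in LEGIT_DOMAINS]
    return sorted((h for h in hits if h["flagged"]), key=lambda h: -h["similarity"])


# Constructed sample feed: lookalikes quoted in the post, two made-up typosquats, noise.
SAMPLE_FEED = [
    "trustidentitypremiereefx.net", "equifaxtrustidpremiere.org", "efxtrustidpremier.com",
    "equifaxx.com", "trustedidpremler.com", "weather-today.net", "bakery-orders.com",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit)
```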

So far, we don’t have evidence that any of the newly registered sites we found are hosting phishing, but that’s not unusual, as it has only been a few days since the breach announcement.

We’ll keep making updates to this blog post as we gather more information on phishing attacks that we find in the following days. Stay vigilant!

Update 1 (2017-09-11): Thanks to the awesome dnstwist tool, we have an un-curated list of several more variants of Equifax domains. Note that this is an exhaustive list that contains both legitimate (Equifax-owned) domains and several other suspicious ones. Please filter at your end. Complete list here.

My parents were visiting from India, and my mother, who is very keen on learning new things on the internet, wanted to access her bank account online. Having heard about the WannaCry ransomware in the news in India, she wanted to know if it was safe for her to access her bank account online. I asked her how she would know that she is visiting the real site. She simply said, “I see a ‘lock’ in the browser.” I was happy and terrified at the same moment. Happy because she knew the basics about SSL and TLS, and terrified because we in the security community have been teaching that https protects against everything.

How an attacker can obtain legitimate SSL certificate for any domain

Thanks to free SSL services, anyone can get a certificate with no verification beyond proving control of the domain.

Getting an SSL certificate for the Gmail homograph domain gmạil.com

https://www.sslforfree.com/
https://letsencrypt.org/
https://buy.wosign.com/free/

We went about doing just that. We used Let’s Encrypt for our example. It took less than 5 minutes from buying the domain to getting an SSL certificate on Ubuntu 16.04. See the steps below:

# download the certbot helper script and make it executable
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
# request a certificate for the punycode form of gmạil.com; --standalone runs a temporary
# web server to answer the domain-validation challenge
./certbot-auto certonly --standalone -d xn--gmil-6q5a.com

Image: obtaining the HTTPS certificate

We then tested the quality of the certificate with Qualys SSL Labs, and it got a B rating.

Image: Qualys SSL Labs certificate test

Finally, you can see that we were able to register the Gmail homograph domain gmạil.com and get a certificate for it. You can check it out in your browser.

We tested with Firefox, Chrome, Safari, IE and Microsoft Edge (latest versions of each). To our surprise, IE was the only browser that expanded the domain gmạil.com to its punycode form ‘xn--gmil-6q5a.com’.
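A defender-side check for the homograph case above, added here and not part of the original post: it renders each label in punycode (the form IE showed) and strips diacritics to see whether a non-ASCII label collapses onto a protected brand. The protected-brand list is an assumption; the skeleton catches accent-based lookalikes like gmạil only, not cross-script confusables such as a Cyrillic ‘а’.

```python
import unicodedata

# Brands whose labels we want to protect; an illustrative assumption, not a RedMarlin list.
PROTECTED_LABELS = {"gmail", "google", "equifax"}


def to_ascii_host(host):
    """Render a hostname the way IE showed it in the post: every non-ASCII label
    becomes 'xn--' followed by its punycode encoding."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(label):
    """Decompose (NFKD) and drop combining marks so 'gmạil' collapses to 'gmail'.
    Letters from other scripts survive unchanged, so this is a partial check."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def check_host(host):
    """Return (verdict, ascii_form). A host is a homograph candidate when its
    second-level label is non-ASCII and its skeleton equals a protected brand."""
    labels = host.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    ascii_form = to_ascii_host(host)
    if sld.isascii():
        return ("ascii", ascii_form)
    if skeleton(sld) in PROTECTED_LABELS:
        return ("homograph-of-" + skeleton(sld), ascii_form)
    return ("idn", ascii_form)


if __name__ == "__main__":
    for h in ("gmail.com", "gmạil.com", "müller.de"):
        print(h, check_host(h))
```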

Trends on phishing attacks that use SSL

At RedMarlin, we are seeing a consistent rise in phishing attacks over https. Our latest figures show nearly 10% of all real-world phishing URLs were hosted on https with a legitimate SSL certificate. In the month of July 2017, we saw a massive surge in phishing sites on https. This is a worrisome trend because we know users are more likely to click on a phishing URL if it is hosted on https.

Image: HTTPS phishing trends

Ways to identify these scams

As a security community, we should stop telling people that just because they see “https” or a “lock” in the browser it is OK to trust the website. We need to educate them more. Here are a few steps one can take to be sure they are visiting a trusted website.
1. Do a domain lookup and see who is listed as the owner of the domain. Is there a real phone number and address? You can use a WHOIS lookup tool like the one provided by DomainTools to determine whether the domain is actually owned by the company and not by an imposter. You can clearly see that the contact information for our site ‘gmạil.com’ is not that of Google.
2. If a URL looks suspicious to you, you can use either PhishTank or CheckPhish to determine whether the site is phishing or not.
3. Check who issued the certificate. Is it a trusted authority?
4. Check who the certificate was issued to. It should have the details of the organization you were expecting for the domain.

Resources

1. PhishTank – a database of phishing URLs
2. CheckPhish – an AI-based tool to detect phishing in real time
3. dnstwist – domain homograph generator

This is a more technical version of the post on info-sec magazine.

Tech support scams have been around for several years now, but there are no signs of them going away. A recent crackdown by the Federal Trade Commission revealed that one Florida-based scamming company alone victimized over 40,000 users between November 2013 and 2016. This resulted in these victims losing a total of $25 million. Another report, published by the FBI, reveals there were 10,850 tech support scam complaints in 2016 alone, resulting in a loss of $7.8 million. These victims reported fraud from 78 different countries, highlighting how far and wide these scammers cast their net.

A survey conducted by Microsoft gave deeper insight into these scams. 2 out of 3 people experienced a tech support scam in 2016, nearly 1 in 10 lost money, 17% of those who continued with a fraudulent transaction were older than 55 and, surprisingly, 50% were between 18 and 34.

Anatomy of a scam

A tech support scam typically begins through any of the following techniques:

1) User gets a cold call from the scammer.

2) User visits a site that maliciously redirects them to the scam site or pops up another window through embedded links on the source page.

3) User mistypes the URL in a browser and the scammer controls the incorrectly typed domain.

Once the user visits the scam site, it hangs the browser using various JavaScript tricks and by consuming all the resources of the computer. The idea behind hanging the browser is to make the user believe that something is indeed very wrong with their computer.

The video below shows how interacting with the webpage can get very painful and how, at the end, the browser hangs completely. Notice how the page, in fullscreen mode, has a background image with an address bar that shows Microsoft’s secure support website. This is obviously an attempt to trick users into believing it’s the real Microsoft site.

Users who fall for such a scam end up calling the phone number listed on the website. The scammer then takes control of the user’s computer, shows them some benign files, calling them malicious, and then asks for money to fix it. The monetary transaction typically happens through services like PayPal or simply by asking for the user’s credit card information over the phone.

Another variant of the scam is when the scammer says they want to refund the money from a previous call to the same victim. The scammer then takes control of the computer again, asks the user to open their bank account, and transfers money between the user’s own accounts (from checking to savings etc.). Even though the transfer was made within the same user’s accounts, the scammer claims they made the refund. Then they claim that they transferred more than they were supposed to, by mistake, and that the victim should wire the extra money back to the scammer.

Victims typically report losing a few hundred dollars on average.

Analysis of the latest scam sites

Even though the crackdown by law enforcement in the U.S. and other countries has shut down several offenders, tech support scams are far from over. A month-long study (Jun ’17 – Jul ’17) with URL data collected from large-scale email honeypots and several other data sources revealed the following:

  • On average, about 50 new scam sites are registered each day. Almost all of the scam URLs are from newly registered sites, with very few coming from older, hijacked websites.
  • A newer top-level domain (TLD), .online, was used the most by scammers to register these sites. 43% of all domains were registered on .online.
  • Other popular TLDs were .info, .tech and .xyz. .com was fifth in terms of popularity with scammers, followed by .site and .club. The use of these TLDs was presumably because of their low cost.
  • Scammers sometimes adapt their scare tactics based on malware attacks that are popular in the news, for example, “Ransomware” alerts or “Zeus trojan” alerts.
  • The scam sites were not just abusing Microsoft’s Windows brand. There were several variants targeting Apple’s Mac users and Google Chrome users with site content tailored for each variant.

We provide details below of the top 10 scam phone numbers and IP addresses associated with tech support scam sites. The phone numbers listed accounted for 31% of all scam sites, while the IP addresses were associated with 38% of all scam sites. All the IP addresses listed below are located in the USA.

Rank  Scam phone number   IP address
1     +1-844-416-3555     23.229.238.233
2     +61-2800-431-437    45.55.54.118
3     +1-844-426-1777     45.55.54.22
4     +1-844-249-5888     159.203.44.191
5     +1-888-334-0566     166.62.10.186
6     +1-844-416-1555     138.197.221.191
7     +1-800-829-0951     67.205.172.135
8     +1-800-741-9208     159.203.106.173
9     +1-800-774-1799     67.205.133.56
10    +1-844-258-4222     34.230.160.110

The full list of phone numbers can be seen here.
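An added example, not RedMarlin's tooling, that applies the indicators from this section to page content: it extracts and normalizes phone numbers from page text, matches them against the ten numbers in the table, notes scare phrases and the TLD of the URL, and returns a verdict. The sample pages, the scare-phrase list and the scoring rule are assumptions.

```python
import re
from urllib.parse import urlsplit

# The ten numbers from the table above, normalized to '+' followed by digits only.
KNOWN_SCAM_NUMBERS = {
    "+18444163555", "+612800431437", "+18444261777", "+18442495888", "+18883340566",
    "+18444161555", "+18008290951", "+18007419208", "+18007741799", "+18442584222",
}
# TLDs the study found most abused, and scare phrases (assumed list) typical of these pages.
ABUSED_TLDS = {"online", "info", "tech", "xyz", "site", "club"}
SCARE_TERMS = ("virus", "infected", "ransomware", "zeus", "call now", "do not restart")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{6,}\d")


def normalize_phone(raw):
    """Keep digits only; a bare 10-digit NANP number gets its country code 1 prepended."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def extract_phones(text):
    return sorted({normalize_phone(m.group()) for m in PHONE_RE.finditer(text)})


def triage(url, page_text):
    """Score one page: a known scam number, or two scare phrases, is enough to flag it."""
    lowered = page_text.lower()
    phones = extract_phones(page_text)
    known = [p for p in phones if p in KNOWN_SCAM_NUMBERS]
    terms = [t for t in SCARE_TERMS if t in lowered]
    tld = (urlsplit(url).hostname or "").rsplit(".", 1)[-1]
    verdict = "likely-scam" if known or len(terms) >= 2 else "no-indicators"
    return {"url": url, "tld": tld, "abused_tld": tld in ABUSED_TLDS, "phones": phones,
            "known_scam_numbers": known, "scare_terms": terms, "verdict": verdict}


# Constructed sample pages, not captured from any real site.
SAMPLE_PAGES = [
    ("http://pc-alert-support.online/warn.html",
     "WARNING! Your computer is infected with Zeus trojan. Do not restart. "
     "Call Microsoft support at +1-844-416-3555 immediately."),
    ("https://www.example-bakery.com/contact",
     "Orders by phone: (555) 010-2345, Mon-Fri 9-5."),
]

if __name__ == "__main__":
    for url, text in SAMPLE_PAGES:
        print(triage(url, text))
```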

The screenshots below highlight some of the scam variants:

Stay vigilant to thwart these scams

Even though tech support scams can be sophisticated, the scammer still largely relies on the user falling for it. Therefore, user awareness is the key to identifying and thwarting such scams. It begins with knowing how to identify them:

1) If you get an unexpected call claiming your computer is infected, it’s a clear sign of a scam and you should hang up immediately. It is not advisable to rely on caller ID, as oftentimes it is spoofed to make it look like the call originated from a legitimate company. The caller also typically pretends to be from a well-known company like Microsoft and uses a lot of technical terms to bait the user.

2) A pop-up on your computer screen warning you of a “malware infection” or similar alert is fake, and you should close the window immediately. Oftentimes these scam sites will hang your browser if you wait for even a few seconds. If that happens, you can close the browser using the Activity/Process Monitor application of your operating system.

In addition to the above, if you have a concern about your computer, you should call your security software company directly, whose details you can get from the company’s website. Do not call the number listed on the pop-up website. You should also never share passwords or give remote control of your computer to anyone.

For more tips, check out FTC’s official guidance on tech support scams.

Tools and Resources

It takes work from various parties to fight the menace of tech support scams.

If you wish to look up whether a URL is a scam site, you can use these freely available tools: CheckPhish and VirusTotal.

If you are a researcher and would like to find out who the abuse contacts for the offending IPs are, you can use the handy tool querycontacts to find the email address where you can report them.

If you wish to report to FTC, use their official complaint form at ftc.gov/complaint under the Internet Services, Online Shopping, or Computers section.

About the author: Shashi Prakash is the Chief Scientist at RedMarlin, a brand monitoring and anti-phishing company. He has been a security researcher for the past 7 years, working at the intersection of email/web security and AI. He has worked at various big and small security companies, most recently at Cisco Talos, doing threat intelligence work in email security. He holds a Master’s in CS from the Johns Hopkins University and a Bachelor’s in EE from the Indian Institute of Technology.