
Hello BSiders, and welcome back to Track Two. Our next presentation is titled "Advanced Phishing Threats: Exploiting Modern Features." Our speaker, Peyton Miller, joined the Open Security team after the completion of the Applied Cyber Security undergraduate program at the SANS Technology Institute. Having sharpened his pentesting skill set and garnered recognition across the industry through his participation in various capture-the-flag competitions, Peyton quickly set himself apart as a highly motivated self-starter. Thank you, Peyton, for being here today. I'm going to pass you the controls. All right.
Am I sure? Yeah. Thanks, JJ, for the introduction, and thank you guys for joining me for "Advanced Phishing Threats: Exploiting Modern Features." I'm glad to be here, and honestly it's great to see this type of turnout with BSides. So, getting into it: as previously stated, I am a cyber security engineer with Open Security. I have my GSEC, GCIH and GPEN, and I have attained my education from SANS. But what wasn't mentioned was that I absolutely love finding obscure ways to break web applications, legacy protocols, anything like that; just obscure ways to either exceed our permissions or break the protocol altogether. So at a basic level we need to get on the same page: what is phishing? What are we trying to achieve?

To get into that we need to understand a few things. First off, social manipulation. Maybe we're trying to convince you to disclose some type of information. This information can vary from, you know, your email and password, but it could also be something as trivial as what kind of applications your organization is running. Now this type of information at face value may not seem like much, but as an attacker, if I can determine that you're using Office 365 or using VeriSign, I can create campaigns targeted around that concept. Now this is usually deployed in two ways. First off, maybe we'll jump into a voice call with you and we'll act as your company's IT; that's called vishing. Meanwhile we have phishing, where we send you an email and we try to get you to interact with it and disclose some type of information that we can't find on our own. So phishing typically has two parts, and historically this has rung true: we have to give you some type of issue that pulls you in and gets you to engage with us. So maybe you need the new company benefits, you need to download an update, download the software, maybe you qualify for a stimulus check. You know, these are the types of things that, if you get that in your inbox, you may or may not actually interact with. Now in all of these cases they work, and they work because we put deadlines on them. On average, phishing campaigns only have 23 hours if they're deployed en masse, so we have 23 hours to get you to click and fill out your information or download that software.

As a society, building web applications and just creating this complex internet, where are we? So from an organizational standpoint, organizations don't want people to buy domain names that are similar to theirs, so instead they'll buy 10, maybe 20, in some cases even 30 domain names, and they'll maintain these and have them redirect to the official web page. That's great, and it is a practice that we keep seeing time and time again. There's nothing vulnerable here, until an attacker redirects to your homepage, and then that attacker gains trust, because for years maybe you start to think that you actually own that domain, and maybe your clients think that you own that domain. What's the difference? Historically we've kind of shied away from disclosing information that shouldn't be shared, and this type of information is sitemap.xml and robots.txt: it can lead to the disclosure of information that we don't want you to find. But should we be exposing a list of all the services that our company actually owns?

Another trend that we've seen, and this has picked up over time, is third-party APIs. I myself, if I host a website, say it's a shop, I'm selling products, I don't want your credit card information. I don't want the liability that comes with that. If we get hacked, then I have to disclose to everyone, "Hey, you might want to get a new credit card," and there's fees for that. I do not want that liability of holding on to that type of personal information, so we'll use APIs. And so if you go to an untrusted site, a site that you don't trust, and they have an API to a trusted service, will you trust that trusted service? We're relying on this untrusted site to provide a trusted service. It seems kind of backwards, doesn't it? So that's kind of led to consent-based phishing. In part, for example, with Microsoft you can create custom apps and you can delegate whatever permissions you would like. So in this case, if I was to install this application, it would be allowed to sign in as me, read my profile, read my mail, send mail as me, and update my mailbox settings, alongside everything else enumerated there. Are those really features that these APIs should be delegating, or the permissions that should be delegated from these APIs? Maybe. Maybe they are, maybe that is a use case. I don't see why any application would need all of that information, but it is possible.

Now historically we've had a few go-to methods, and one of those is typosquatting. So let's say we want to buy a domain like google.com.
We can remove some letters, maybe take out an O, maybe we duplicate letters and we have three O's or two L's. We can also try google.net or google dot whatever, different top-level domains, or we can look for services that they own, like googleapis.com, and then we can try to name things around their naming convention. Now as you can see here, this is a script which is available in the GitHub that was posted to the Discord, but you can see we can very quickly enumerate different types of domain names that may or may not have legitimacy behind them. And so a lot of these are available, which is the horrifying thing, and you can buy these for 20, maybe 30 dollars in some cases.

We also have internationalized domain names. Now, internationalized domain names is the usage of symbols within the domains, or all character sets. For example, the Twitter one there: you can see in the symbolic domain name table, twitter.com is entirely made of Cyrillic characters. Now this was a very big vulnerability and finding back in 2015, 2016. The issue was that it looks convincing. So what we've done is we've created this Punycode, and it's Unicode but URL-safe, and so any time you access one of these symbolic domain names it will convert to the Punycode equivalent, and that should, in most cases, at least for web browsers, protect you. In recent times Chrome by default converts every request to the Punycode equivalent. That's interesting, but it's still abusable. We can send mail from twitter.com even though we don't own twitter.com; we own the Cyrillic version. With this type of use case we'd recommend staying in one character set. And it's interesting because if you look at this, it does say "signed by" the Punycode-equivalent domain, but to some unknowing victim, even if they analyzed this, they wouldn't know what that meant, and that's the issue with security. While Punycode and internationalized domain names are inherently untrusted, we can still send email as those services globally.

Okay, now I will take a step back. I do feel a hundred percent comfortable disclosing microsoft.com and twitter, because frankly I am never getting those back. As you can see, I received this really nice email about the identification of phishing activities on my domains in preparation for this conference. It's kind of interesting, and as you can see, this legitimate email is going to cancel my domain registrations or terminate my account if I don't take action in three days. Now that's interesting; that sounds a lot like a lot of the phishing campaigns and the identifiers of phishing. In fact, I may actually use this as a phishing campaign down the road, but in this case it is a truly legitimate message. And understandably: do not host phishing content, or your domains will be seized and you will not be getting them back.

But what can we do? What can we do with this complex internet, and how can we achieve legitimacy? So there's a few techniques. If we start out, we can try to use vulnerabilities to inherit trust. If test.com has an open redirection on it, we can send you a link that is test.com/redirect?url= our site, and because they click the link to your site, or sorry, to test.com, and now you're redirected to our site, which is attacker.go, you inherently trust my website, because why else would this trusted site redirect you? Other examples of this would be cross-site scripting. We can try to steal your credentials, obviously, which makes phishing campaigns really easy when we identify that, or we can try to redirect to our site or inject a login form or set up any ruse we want under your domain name. That's powerful.

Some other abusable services that format on behalf of the user: we have link shorteners. Now in the case of Twitter it's t.co, and we need that because on Twitter you only have so many characters; you want shortened links. File hosting: if we host products on safe and secure services that are inherently trusted, then we can send malware from those. In the case on the left here, in that image, we have facebook.me/ a ton of numbers. Now I genuinely don't know if that is Facebook marketing or whether or not that's a phishing campaign, and that's a reflective redirection. I don't know. Another service we can do, if we don't want to do the domain hopping, we can do subdomains. Google and Firebase: they give you .web.app and firebase.com, so you can own any service you want as long as you fit their naming schemes for what a subdomain should be. But these things are free; to be fair, the file hosting is not.

The web is a complex place, and as we start to understand this we have to think about how these applications work, and one example that comes to mind is meeting platform software. So for example, if I have email and it links directly into my calendar, can an external entity send me a meeting invite? Well, yeah, they should be able to. And what if they don't use the same meeting platform as me? Can they send me a link to a nefarious meeting software installation? And then I receive that and I'm like, "Hey, I got a meeting in 15 minutes." What's the implicit trust that I'm going to click that link and download that software because I'm expected to be in that meeting? And these are the types of things that we're trying to identify, and we're trying to find that these modern phishing campaigns can just use the internet. It's just that simple.

Something that's kind of controversial is the use of safe links and link filtering. So what this actually is, is a redirection through Outlook's Safe Links protocol, and it's an open redirection as long as the rest of the data in that URL is valid. The issue here is, if I click that, I have no idea where I'm going. In the black box there you can see I've kind of highlighted http, some parenthesis symbols, google.com; that's the URL-encoded form of google.com. But as you can see, it's a lot, and if I receive a ton of emails a day I'm not spending the time looking for
what the URL actually is. This is a default protection, and frankly I think it makes our users normalize trusting random links, because they don't know where they are going.

We can also do subdomain impersonation. Now, subdomains by default: there are a few character sets you can do, a through z, zero through nine, hyphens, underscores, and you can use periods as delineators. You also have up to 253 characters on most registrars, or DNS providers rather, to type whatever you would like. Okay, so this is a valid subdomain. Interesting. This is also a valid subdomain. Huh. So how can we start to use this? Well, here's an example that's not very convincing: you know, it could be http.steam.com, and just to prove it, all of these are completely valid subdomains, and I did blur my actual domain name there, of course. So how can we achieve impersonation? So first off, we want to find a trusted website with a really long URL. We open our impersonator, we run a script, and we update the DNS. It's just that simple. Now what the script does, and it is again provided on the GitHub that I linked there, is it runs a few regex expressions to replace equals with hyphen, delete http or https, replace a few special characters with hyphens, and then delete any of the bad characters that shouldn't be there. So now we have this. Is this a legitimate domain name? Is this discordapp.com CDN? And at first you may actually think it is, but no, in this case our domain name is actually test.com. The only real way to identify that is the lack of characters that we can put: we can't put slashes, but we can put a ton of periods. And so at first impression this could look relatively legitimate, and the worst part is, instead of test.download we could have any domain in existence. We could have it short, we could have idnumbers.com; it really depends.

One of my favorite techniques personally is left-to-right overrides and right-to-left overrides. Now I don't think this classification of vulnerability has been given a proper shot. I don't think it's been given a proper chance. If you actually look into this, it's very hard to find anything that actually uses it; usually you'll find it through online synopses of what it does. So we'll get into it. By default in the English language, text goes from the left side of the screen to the right side of the screen, and in some languages, such as Arabic and Hebrew, it's the right side of the screen to the left side of the screen. Now on Windows we've determined that, why can't we do both at once? And we can, so we can have left-to-right and right-to-left at the same time. Now why is that an issue? Well, as you can see here, what we can actually do is completely shift the file extension anywhere in the file name, or at least that's what's rendered to the user. Now this is a little bit complex, but as you can see, the first record there, or row in the table, it looks like a .docx, it looks like a Word document; in reality it's an executable. And the second one is the use case that's commonly seen with right-to-left override, where you slide the extension one spot over. But this is so much more powerful: instead of having .lnk.docx, we could have .js, a long file name, .pdf, and you may or may not think it's a PDF depending on the rendering. And finally, my personal favorite: amazon.com. Now, .com files actually execute on modern Windows as .exes, so that's really interesting, because we're able to achieve execution by using web addresses. And as you can see here, this is actually how you type it out. It is a little bit complex and you do have to play with it a little bit, but as previously stated, in the GitHub repository that I linked there, there is an HTML file that will generate most of these for you. It does take a little bit of tinkering just because of the weird rendering, but a lot of the time it will get you most of the way there.

Now this is interesting, because if we have file name extensions disabled we can no longer see things such as "executive summary": it hides the .exe. But in the case of amazon.com, this is really powerful, because now instead of amazon.com, and that's still trustworthy, we also have "2021 executive summary" if we enable the file name extensions, and that looks relatively legitimate itself, or "amazon.com -invoice.pdf". Now what other applications does this have? Well, frankly, if we can send the email, we can write anything we want in the From header, and so what that means is that potentially we could flip a domain name. Maybe we don't actually own microsoft.com, but we can allocate a non-spoofed email address from there, and because it's not spoofed, maybe that will give our email legitimacy and it won't send it to the spam list. Another example looks inside of a zip file and displays what type of file names are inside of it, and as you can see here, we have "amazon.com -invoice.docx", even though everybody here knows that's actually a .com file, which executes as a .exe.

So how do we protect ourselves on the internet? What can we do? Well, to protect individuals, we'd recommend a password manager and URL matching. What that does is, whenever you type in your password, if you are on a fictitious domain name
it won't allow your password manager to automatically type in your password for you, and you might be able to identify that you are on a malicious website. We also have two-factor authentication. The real benefit of this is, if you think that something needs to be done right away, you'll type in your username and password, but if there's 2FA implemented, you'll take out your phone, you'll pull up your authenticator app, and you'll think about it for a sec, and maybe that's just long enough to rethink typing in your credentials and that token. We also have safe site scanners. In the security industry it is kind of a running joke, but they do detect brand new and newly registered domains as malicious, and it was found that 33% of phishing campaigns on an actual domain were registered within a month of use. That might be sufficient protection to protect you. If you're worried about window spoofing, where an adversary uses CSS styles or modifications to the web browser to emulate another web browser opening, you can use custom Chrome things. Historically, a great recommendation is, if you can avoid clicking a link, Google it or navigate directly to the website and see if you can find the page yourself; that way, if there is a cross-site scripting or other threat, it's mitigated because you're not clicking the link with the malicious payload. And finally, regular internal training to ensure that your organization can identify a large range of threats, and regular security training: the threat landscape does change over time and we need to identify that and be on top of it.

Finally, to protect your organization, here's a few recommendations. If you do have a domain that's being used for a mail server, ensure that your DNS records are valid and up to date. Reduce unnecessary domain redirections, so maybe you shouldn't point everything at your home page or at whatever your organization's top-level domain really is. Maybe we want to expose a list of what services we actually own, or some type of endpoint that we can query. Now this does have other benefits, although it would have to be maintained: we could implement logging, and so if a lot of people began querying a fictitious or phishing domain, maybe we can take action on that before people lose their credentials. And finally, maintaining web servers with regular vulnerability assessments and ensuring that your external services are secure.

I have linked a few additional resources if you want to do any further research on your own, and some links to blogs that I found interesting while researching the topic and doing my own investigations. Finally, I know we are close on time, so if you do have any questions that haven't been answered at this point and you want to reach out to me on Twitter or Discord, or follow up with me in the Open Security channel afterwards. All scripts that I've mentioned are available in the GitHub that is both published in the Discord chat and enumerated right there.
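The subdomain-impersonation step the talk walks through (take a long trusted URL, turn it into DNS labels, hang it under a domain you own) is easy to reproduce, and the defender-side check is just as short. The following is an added example written for this page; it is not the speaker's script from the talk's GitHub. The transformation rules follow the talk's description (drop the scheme, turn `=` and URL punctuation into hyphens, delete everything else that is not a valid hostname character); the attacker apex `test.com` is the hypothetical one the talk uses, and `registrable_domain` deliberately uses a two-label simplification instead of a public-suffix list.

```python
import re

# Hypothetical attacker-controlled apex, as in the talk's slides.
ATTACKER_APEX = "test.com"


def url_to_labels(url: str) -> str:
    """Turn a long trusted URL into a dotted chain of DNS labels.

    Mirrors the transformation described in the talk:
      1. drop http:// or https://
      2. '=' becomes '-'
      3. remaining URL punctuation (/ ? & : # % +) becomes '-'
      4. delete anything that is not [a-z0-9.-]
    Hostnames (RFC 1123) do not allow '_' even though raw DNS labels do,
    so hyphen is used for every substitution.
    """
    s = url.lower()
    s = re.sub(r"^https?://", "", s)
    s = s.replace("=", "-")
    s = re.sub(r"[/?&:#%+]", "-", s)
    s = re.sub(r"[^a-z0-9.\-]", "", s)
    s = re.sub(r"-{2,}", "-", s)       # collapse hyphen runs
    s = re.sub(r"\.{2,}", ".", s)      # collapse dot runs
    # A label may not start or end with '-'; drop labels that become empty.
    labels = [lbl.strip("-") for lbl in s.split(".")]
    return ".".join(lbl for lbl in labels if lbl)


def validate_hostname(host: str) -> None:
    """Raise ValueError if host breaks the length/charset limits DNS imposes."""
    if len(host) > 253:
        raise ValueError("hostname longer than 253 characters")
    for label in host.split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", label):
            raise ValueError(f"invalid label: {label!r}")


def impersonating_hostname(url: str, apex: str = ATTACKER_APEX) -> str:
    """Attacker view: the full hostname that would be published in DNS."""
    host = f"{url_to_labels(url)}.{apex}"
    validate_hostname(host)
    return host


def registrable_domain(host: str) -> str:
    """Defender view: only the rightmost labels say who owns the name.

    Simplification (assumption): the last two labels are treated as the
    registrable domain; a real check would consult the public suffix list.
    """
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    # Constructed sample URL in the style of the talk's Discord CDN example.
    trusted = "https://cdn.discordapp.com/attachments/123/456/invoice.pdf?ex=1&is=2"
    host = impersonating_hostname(trusted)
    print("looks like:", host)
    print("actually belongs to:", registrable_domain(host))
```

Everything left of the apex is attacker-chosen noise; the hyphens and dots are what remain once slashes and query separators are forbidden, which is exactly the tell the talk points out. Reading a hostname from the right, and only trusting the registrable part, is the check that survives any amount of prefix dressing.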
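The right-to-left override trick the talk describes (and the `.com`-is-executable point) can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the talk or its GitHub repository. It builds the classic single-override filename the talk's second table row describes, approximates how a renderer displays it, and then does what a mail gateway or download scanner should do: strip the bidi controls, recover the real extension, and flag the file. `visual_form` only models the simple case (one U+202E until a U+202C or end of string); the nested LRO/RLO layouts from the slides are flagged but not rendered.

```python
import os

# Unicode bidirectional control characters that have no business in a filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions Windows will execute directly; note .com, as the talk stresses.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1",
}


def rlo_filename(visible_prefix: str, fake_ext: str, real_ext: str) -> str:
    """Attacker side: 'invoice', 'pdf', 'exe' -> 'invoice<RLO>fdp.exe'.

    The text after U+202E is drawn right-to-left, so 'fdp.exe' appears
    as 'exe.pdf' and the user sees 'invoiceexe.pdf'.
    """
    return f"{visible_prefix}\u202e{fake_ext[::-1]}.{real_ext}"


def visual_form(name: str) -> str:
    """Approximate rendering for a name with at most one RLO and an optional PDF.

    Text between U+202E and U+202C (or end of string) is reversed; any other
    bidi controls are dropped rather than modelled (assumption, see lead-in).
    """
    if "\u202e" not in name:
        return strip_bidi(name)
    head, _, tail = name.partition("\u202e")
    run, _, rest = tail.partition("\u202c")
    return strip_bidi(head + run[::-1] + rest)


def strip_bidi(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """The extension the OS will act on, regardless of how the name is drawn."""
    return os.path.splitext(strip_bidi(name))[1].lower()


def analyze(name: str) -> dict:
    """Scanner side: what the user sees versus what will actually run."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    real = real_extension(name)
    apparent = os.path.splitext(visual_form(name))[1].lower()
    return {
        "controls": controls,
        "real_extension": real,
        "apparent_extension": apparent,
        "executable": real in EXECUTABLE_EXTENSIONS,
        # Any override in a filename is a red flag on its own; an extension
        # mismatch or an executable real extension makes it a block.
        "deceptive": bool(controls) and (apparent != real or real in EXECUTABLE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed samples: the simple RLO case, and a .com file dressed up
    # as 'amazon.com -invoice.pdf' using RLO plus LRO as on the talk's slide.
    for sample in (
        rlo_filename("invoice", "pdf", "exe"),
        "amazon\u202efdp.eciovni- \u202d.com",
        "report.pdf",
    ):
        print(repr(sample), "->", analyze(sample))
```

The useful property of `real_extension` is that it ignores presentation entirely: `os.path.splitext` runs on the byte-order name, which is the order the shell uses when it decides what to execute. Rejecting attachments and archive members whose names contain any character in `BIDI_CONTROLS` is a cheap rule with essentially no false positives for English-language mail.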
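The internationalized-domain-name section turns on one fact: the name a user reads and the name the resolver sees are different strings, related by Punycode. The example below is added for this page (not the speaker's code) and shows both halves a practitioner wants: the attacker-side conversion of a lookalike name to its `xn--` form with Python's built-in `idna` codec, and the defender-side "stay in one character set" check the talk recommends, plus a small confusable-skeleton comparison. The sample name `twіtter.com` is constructed here with a Cyrillic і (U+0456); the `CONFUSABLES` table is a deliberately small hand-picked subset, not the full Unicode confusables data.

```python
import unicodedata

# Hand-picked subset of Cyrillic/Greek letters that render like Latin ones
# (assumption: partial table for illustration, not the full UTS #39 data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u03bf": "o", "\u03b1": "a",
}


def to_punycode(host: str) -> str:
    """What actually goes on the wire / in the certificate: the xn-- form."""
    return host.encode("idna").decode("ascii")


def from_punycode(host: str) -> str:
    return host.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Unicode script names used by the letters of one label.

    ASCII letters count as LATIN; digits, hyphens and other non-letters are
    script-neutral and ignored. Non-ASCII letters are classified by the first
    word of their Unicode name (CYRILLIC, GREEK, LATIN, ...).
    """
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def mixed_script_labels(host: str) -> list:
    """Labels that mix scripts: the 'stay in one character set' rule."""
    return [lbl for lbl in host.split(".") if len(scripts_in(lbl)) > 1]


def skeleton(host: str) -> str:
    """Fold lookalike letters onto their Latin counterparts."""
    folded = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def homograph_of(host: str, brands: list) -> list:
    """Brands this host would be mistaken for (excluding an exact match)."""
    sk = skeleton(host)
    return [b for b in brands if b != host and skeleton(b) == sk]


def analyze(host: str, brands: list) -> dict:
    return {
        "punycode": to_punycode(host),
        "non_ascii": not host.isascii(),
        "mixed_script_labels": mixed_script_labels(host),
        "lookalike_of": homograph_of(host, brands),
    }


if __name__ == "__main__":
    # Constructed sample: Latin 'twitter' with the 'i' swapped for Cyrillic U+0456.
    lookalike = "tw\u0456tter.com"
    print(analyze(lookalike, ["twitter.com", "microsoft.com"]))
```

Two things to notice when running it: the `xn--` form is what a mail client prints in a "signed by" line, which is why the talk's victim cannot make sense of it, and a single-script label check catches this particular name only because one Latin-looking letter was swapped; a label written entirely in Cyrillic passes that check, which is why the skeleton comparison against a brand list is kept alongside it.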