There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I've only received emails to the technical address of sites which have SSL (security) certificates on them.

*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLs in this email if you do not know what you are doing!

The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator


So for example if you have a Web site called "theweaselstore.com" and your email address is "headweasel@theweaselstore.com" you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

Needless to say, the "patch" you download from this address is a computer virus.




This is one of the most sophisticated social engineering attempts I've seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner's Web site embedded within it.

My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.

Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site's customers.

Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using "https://" and will have the browser padlock indicating that the site is secure, which may help it to fool more people.

I've mentioned in this post how a Web address can be designed to fool people. Nothing in the address matters except the part directly in front of the first / character that follows the http:// prefix; so, for example, if you see a Web address that looks like

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

you are not on eBay. You can see where you are by looking at the part just before the first / which in this case is

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

a site called signin.ru in Russia.

Similarly, in the URLs in these hacker emails, the key part of the URL is

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

The computer virus is being distributed from a site called "ssl-datacontrol.com".
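The URL-reading rule above can be checked mechanically. The following is an added example, not part of the original post: it pulls the hostname out of a link, reduces it to the registrable domain, and flags the case where the domain the email claims to come from is merely embedded in somebody else's hostname. The function names and the small suffix set are assumptions made for illustration; real tooling should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# samples below. It only covers a few two-label suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Return (hostname, registrable domain) for a URL."""
    # urlsplit stops the host at the first single slash, so an '@' or a
    # familiar domain name later in the path cannot change the result.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host, host
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return host, ".".join(labels[-keep:])


def check_link(url, expected_domain):
    """Classify a link against the domain the email claims to be from."""
    expected = expected_domain.lower()
    host, actual = registrable_domain(url)
    if actual == expected:
        return "ok", actual
    # The lure described above: the expected domain shows up as labels
    # inside a hostname whose registrable domain belongs to someone else.
    if "." + expected + "." in "." + host + ".":
        return "embedded-lookalike", actual
    return "mismatch", actual


if __name__ == "__main__":
    samples = [
        # The two URLs quoted in the post, plus one constructed benign link.
        ("http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/"
         "id=712571016-headweasel@theweaselstore.com-patch257675.aspx",
         "theweaselstore.com"),
        ("http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345",
         "ebay.com"),
        ("https://www.theweaselstore.com/account", "theweaselstore.com"),
    ]
    for url, claimed in samples:
        print(check_link(url, claimed), url)
```

A mail filter can apply the same comparison to every link in a message whose From: domain matches one of your own domains.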




ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.

Trouble-free.net is an ISP I'm very familiar with. As near as I can tell, the "trouble" they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.

The whois for ssl-datacontrol.com is, unsurprisingly, Russian:

whois ssl-datacontrol.com

Whois Server Version 2.0

Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010

>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<


Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU

Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: awoke@co5.ru

Registrar: ANO Regional Network Information Center dba RU-CENTER





So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.

The same rules apply to this as to all emails:

- DO NOT believe the From: address of an email. Ever.

- DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.

- Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash after the http:// prefix.


Comments

janetmiles
Oct. 12th, 2009 10:43 pm (UTC)
May I copy this -- with credit, of course! -- to the person who maintains my union's website?
tacit
Oct. 12th, 2009 11:03 pm (UTC)
Absolutely!
merovingian
Oct. 13th, 2009 12:09 am (UTC)
I've heard a term for something similar.

"Whaling."

It's like phishing, except you go after a small number of high-value targets. Usually, I've seen the targets as executives and VPs when people talk about "whaling" since they often have a lot of access but not necessarily a lot of technical ability.

Still, I think the term applies. "Whaling." Carefully selected valuable targets, but the same kind of phishing schemes, just more sophisticated since you've got a smaller target victim.
kengr
Oct. 13th, 2009 12:47 am (UTC)
This is why the tech support address for my domain goes to *me*.

Anything claiming to be from the folks running my domain is *automatically* spam, since all [mydomain] addresses are either me or a couple of friends. The folks hosting it are friends and would be sending from their business domain address, not any address in my domain.
calico_weaver
Oct. 13th, 2009 05:50 am (UTC)
I'd just like to thank you for the warnings you give and the knowledge you spread. It is truly appreciated :)
catdragon_
Oct. 13th, 2009 07:46 am (UTC)
I received my first one of these today. Since my sys admin is my wife I just sent it to her.
Thanks for the technical stuff and warnings.
ext_86640
Oct. 13th, 2009 08:54 am (UTC)
Just had one here, too. Thanks for the warning and info
sweh
Oct. 13th, 2009 07:52 pm (UTC)
I wonder if they're also skipping self-signed certs, or only picking on certs signed by the big CAs...
(Anonymous)
Oct. 15th, 2009 02:34 pm (UTC)
Excellent Detail
Our company received this attack in large numbers on Monday October 12th. Of course, before we could get it blocked and cleaned up, we had at least 1 user click and get infected. We'll have the cleanup/reload(s) done shortly. Thanks for the details.