The coronavirus pandemic resulted in the closure of many bricks and mortar retail stores, forcing UK consumers to adopt online shopping more than ever before. This trend has largely continued in spite of many stores since reopening, as millions of consumers have become accustomed to the practical benefits of online shopping.
Along with this increased volume of online shopping came a new trend of phishing attacks where cybercriminals impersonate parcel delivery companies in an attempt to steal financial details from their victims. Royal Mail and Hermes were popular targets for these types of attack, but most new attacks now impersonate the Post Office.
These attacks are typically disseminated via text message, informing the victim that they have missed a delivery. Sometimes the messages say up front that the recipient must rebook the delivery by paying a small surcharge. The relatively small surcharge is often sufficient to trick victims into believing the phishing site is legitimate, or at least that any risk is minimal, allowing the phisher to obtain the victim’s details and potentially steal a much larger amount.
As most of the attacks are orchestrated via text message, the phishing sites are usually hosted with purpose-bought domain names that include the targeted company’s name in an attempt to be convincing. Some examples include:
Some messages instead use generic URL shorteners to take victims to the phishing sites, but this would not necessarily be viewed as suspicious by all recipients, as the use of URL shorteners is commonplace even in legitimate text messages.
Most of the phishing kits used in these attacks also attempt to evade detection by blocking unwanted clients such as bots and anti-phishing organisations, but Netcraft successfully circumvents these checks.
After impersonating the delivery company, some of these phishing attacks proceed to also impersonate one of several UK banks. This gives the criminal an opportunity to steal additional credentials that are specific to each bank, such as online banking security codes and other tokens that would likely be used to gain unauthorised access to the victim’s bank account.
Some attacks - particularly those that do not use the phishing site to directly impersonate the victim’s bank - are followed up by a phone call from the cybercriminal, who will use the information stolen by the phishing site to convince the victim that it is a genuine call from their bank regarding the payment they just made. This provides a more interactive opportunity for the criminal to obtain the information required to gain access to the victim’s bank account, including time-sensitive OTP codes.
Netcraft’s research into the Android banking malware FluBot confirms that its operations are expanding rapidly, with a spike in the number of malware distribution pages deployed, and finance applications affected in greater numbers.
In recent days new overlays have been distributed that target a number of Polish and German banks, only days after news that FluBot has begun to target Australian banks.
FluBot is distributed in the first instance using text messages, containing links to so-called “lure” pages: web pages unintentionally hosted by compromised web servers, commonly impersonating parcel tracking services, or voicemail notifications. Lure pages attempt to induce visitors to download the malware.
The FluBot strain of Android banking malware, which was initially observed in Spain in late 2020 before spreading more widely across Europe over the following months, is now targeting Australian banks.
Once installed, FluBot periodically sends a list of apps installed on the device to one of its command-and-control servers. The server responds with a list of apps the malware should overlay. Upon one of these apps being launched, FluBot immediately displays an overlay on top of the legitimate app. The overlays impersonate the legitimate apps and are designed to collect the victim’s online banking credentials, which are sent to the criminals operating FluBot via the command-and-control server.
Netcraft monitors the list of apps targeted by FluBot, and today discovered that FluBot for the first time is serving overlays for Australian banking apps, including Bank Australia, Bank of Melbourne, BankSA, CommBank, Great Southern Bank Australia, HSBC Australia, National Australia Bank, St.George Bank, Suncorp, and UBank.
Over 100,000 Outlook Web Access servers have been rebooted since Microsoft released security updates for the ProxyLogon remote code execution vulnerability. The subsequent flurry of reboot activity is likely indicative of many Microsoft Exchange servers being restarted after having security updates applied.
Around half of all servers running Outlook Web Access (a service included with Microsoft Exchange Server) were rebooted in the five days after the emergency patch was released. Some of these have since been rebooted again, so will appear later in the above graph. Rebooted machines are likely to have been updated, but the absence of a reboot after 2 March does not necessarily indicate vulnerability. Anecdotally, most servers have requested a reboot after being updated, but some may only require services to be restarted – although administrators may have opted to reboot the servers anyway.
Microsoft’s original fixes can only be applied to servers that already have the latest cumulative updates of Exchange Server already installed; however, amidst mass exploitation of the vulnerabilities, Microsoft also released a set of security updates that can be applied to older and unsupported Exchange servers that do not—or cannot—have the latest cumulative updates installed.
The alternative security update path is intended as a temporary measure to protect vulnerable machines. Crucially, installing a later cumulative update that does not include the March 2021 security fixes will make the server vulnerable again, and any machine that uses the alternative security update path must be rebooted even if not prompted. In these cases, the servers will certainly not be protected until after the reboot.
Some of the more recent reboots may have been prompted by Microsoft’s 9 March “Patch Tuesday” collection of software updates, which also includes fixes for the remote code execution vulnerabilities in Microsoft Exchange.
On 6 March, four days after the original security updates were released, Netcraft found more than 99,000 Outlook Web Access servers were still running versions flagged as definitely vulnerable by Kevin Beaumont. However, applying Microsoft’s updates even in a timely fashion could have been like shutting the barn door after the horse had bolted, as more than 10% of all visited Outlook Web Access installations were already compromised with attackers' web shells installed. These provide the criminal with continued administrative access to the compromised servers after the security updates had been applied.
Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.
More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning.
Thankfully, everybody is safe; but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SGB1-4 have been offline.
Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries' government websites.
Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company.
Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is
.fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all
.fr domains in the world. In comparison, there were only 24,100
.uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic
.com top-level domain, amounting to 880,000 websites across 180,000 domains.
This weekend, several days after Tuesday 2nd March when Microsoft released fixes for the ProxyLogon vulnerability, Netcraft found more than 99,000 unpatched Outlook Web Access servers accessible on the internet — of which several thousand have clear evidence of one or more web shells installed.
Outlook Web Access (OWA) provides remote access to on-premises Microsoft Exchange mailboxes. While a treasure trove of corporate email is a tempting enough target itself, it can also act as a jumping-off point for deeper network access. Vulnerable versions allow unfettered remote access to the mail server. Originally attributed to the Hafnium group, the variety of different web shells and file naming conventions found by Netcraft suggest that the shells belong to multiple groups who have been spurred into action since Microsoft’s announcement by the scale of the opportunity.
Netcraft has established that at least 10% of all visited OWA installations are now infested with web shell backdoors that do not use randomised filenames, and so could plausibly be guessed by anybody. These implants allow continued administrative access to the server, long after the underlying vulnerability has been patched.
All of the backdoors hide in plain sight on the web server’s file system but are disguised as benign scripts or information dumps in order to avoid detection. There are several different variants of the backdoor script, but all have the same common feature in that they pass the hacker’s commands to the JScript Eval command, allowing arbitrary code to be executed directly on the web server.
Most of the backdoor scripts accept the criminals' arbitrary commands via a specially named GET or POST parameter, while others require the commands to be Base64 encoded first, and some only accept them via a POST parameter.
Netcraft has also seen several different variants of these backdoor scripts being uploaded to individual websites, likely in an attempt to preserve unauthorised access to the compromised web server. Unless all of the backdoor scripts are found and removed, the hackers will still be able to get in and create more.
While some of the backdoor variants are wildly different in appearance, they all function in a similar way and require the user to know a secret variable name before any commands can be executed on the server. The variable name effectively acts as a password and provides the only security mechanism to ensure that the backdoor can only be used by the person or persons responsible for uploading it.
However, some of the shells use easily guessable variable names like “o” and “orange”, which could plausibly allow them to be misused by other hackers if they can find the scripts and guess the correct variable names. This presents an even more dangerous situation where other fraudsters could then upload their own web shells to secure a foothold on the server. Such a situation could escalate quickly… new battlegrounds could erupt where rival fraudsters try to delete each others' web shells and upload more of their own in a race to secure access and decide how best to monetize their exploits, all long after the initial OWA vulnerabilities have been resolved.
Your link here? Advertising on the Netcraft Blog