Friday, September 1, 2017

Fake Phishing CRA Canada revenue agency e-mail

As in the last blog post (https://canadacyber.blogspot.ca/2016/08/phishing-spam-e-mail-that-harvests.html), this is yet another fake CRA e-mail looking to take your PII.

You receive a phishing e-mail claiming to be from the CRA (Canada Revenue Agency). The e-mail looks very real because the attacker bought a domain name, https://cra.arc-cg.com, that looks very much like the old domain name the CRA used before it moved to the single Canada.ca domain.
See pic below.




When you click on "here" it sends you to a page that looks like a form submission page from the CRA. The attacker was also smart enough to put the page behind CloudFlare, which serves it over HTTPS with a valid certificate from them, so you even get a green bar. The average user, who has always been told to look for the green lock, will think this is a real, legitimate site. BUT IT IS NOT.
The page also asks for PII data that should never be given away.
See image below.






Let's say you are dumb enough to fill in your PII and click submit; you are then redirected to a 2nd page that asks for your credit card info. See image below.





At the end, when you do submit, the page redirects you to the real CRA page, so a normal person thinks they just did the correct thing.

Below are screenshots of other IOCs; the first is the e-mail path and source servers.




This IOC is of the hosting provider; as you can see, the attacker was smart enough to hide his domain name behind private registration to make it harder for takedowns.


Saturday, January 21, 2017

DDoS protection and mitigation methods, CanadaCyber approaches



CanadaCyber: DDoS protection & mitigation methods.
 
People come to us and always say "we can't protect against DDoS"; we always tell them yes, you can, with the proper network implementation.

Let's say you own www.coolpage.com and it points to a server located within your DMZ at IP address 11.22.33.11.

In your DNS name server you have www.coolpage.com pointing to the server at 11.22.33.11 using an A record with a certain time to live (TTL), let's say 1 week.

All a hacker (attacker) has to do is target that IP or domain name.

There are 2 types of attackers that will try to target you: the ones that will target the IP 11.22.33.11, knowing that this is your main server, and the less informed hacker that will target your domain name www.coolpage.com.

This is how CanadaCyber mitigates this threat. First of all, you should never use an A record pointing directly at your core server. What you should have is a series of proxies that balance the traffic. By doing this you gain 2 advantages: first, caching your content, and 2nd, dislocating your core server from your domain name via redirection.

The way you achieve this at a very basic level is by buying a number of servers that just redirect your traffic to your core IP, and then setting these IPs as the A record holders.

When you do get attacked you can easily change the A record. The other thing is, within your A record, ensure your TTL is set to a very small number, as this allows you to move A record allocations on the fly to different IPs, which then redirect to your main server IP.

Proxy servers are very cheap if set up by educated staff internally, as you can buy an Amazon EC2 or Linode server for less than $15 a month that can do this job. It can be a full-fledged proxy or just a basic iptables DNAT rule.

For the geek at heart, you can also set up your own name server, or have access to name servers that you can use for DNS resolution. Adding this to the above, you will have a robust DDoS mitigation plan that ensures continuity of service: if your IP, domain name or name servers are attacked you can still deliver services.
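The setup described above, written out as a script a practitioner could review before applying. This is an added example, not the post's own code: it emits the iptables rules that turn a cheap VPS into the "basic iptables DNAT" redirect proxy, builds the low-TTL A records that point www.coolpage.com at the proxies instead of the core server, and checks the TTL of an existing DNS answer. 11.22.33.11 and www.coolpage.com are the post's placeholders; the proxy addresses 203.0.113.10 and 203.0.113.11 and the dig-style answer line are constructed for the example.

```python
"""Redirect-proxy rules, low-TTL A records and a TTL check for the DDoS
setup described in the post. Added example; all addresses are placeholders."""
import subprocess


def dnat_rules(core_ip, ports=(80, 443)):
    """Rules for a proxy host that forwards the given TCP ports to the core server."""
    rules = ["sysctl -w net.ipv4.ip_forward=1"]
    for port in ports:
        # Rewrite the destination of inbound connections to the core server
        rules.append(f"iptables -t nat -A PREROUTING -p tcp --dport {port} "
                     f"-j DNAT --to-destination {core_ip}:{port}")
        rules.append(f"iptables -A FORWARD -p tcp -d {core_ip} --dport {port} "
                     f"-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT")
    # Source-NAT the forwarded flow so replies come back through this proxy.
    # Caveat: the core server then logs the proxy's IP, not the client's, so
    # keep client addresses in the proxy's own logs.
    rules.append(f"iptables -t nat -A POSTROUTING -d {core_ip} -j MASQUERADE")
    rules.append(f"iptables -A FORWARD -s {core_ip} "
                 f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


def a_records(name, proxy_ips, ttl=300):
    """Zone-file lines: one A record per proxy (round-robin) with a short TTL,
    so the set can be changed within minutes when a proxy is under attack."""
    return [f"{name}. {ttl} IN A {ip}" for ip in proxy_ips]


def record_ttl(answer_line):
    """TTL from one 'dig +noall +answer' style line: name ttl class type rdata."""
    _name, ttl, _klass, _rtype, _rdata = answer_line.split()
    return int(ttl)


def ttl_is_small(ttl, limit=300):
    """True when the TTL is short enough for an on-the-fly A record move."""
    return ttl <= limit


def apply_rules(rules, dry_run=True):
    """Print the rules, or run them (as root) when dry_run is False."""
    for rule in rules:
        print(rule)
        if not dry_run:
            subprocess.run(rule.split(), check=True)


if __name__ == "__main__":
    CORE = "11.22.33.11"                          # the post's placeholder core server
    PROXIES = ["203.0.113.10", "203.0.113.11"]    # constructed proxy addresses
    apply_rules(dnat_rules(CORE))                 # dry run: review only
    print("\n".join(a_records("www.coolpage.com", PROXIES)))
    # The post's "1 week" TTL as dig would report it (constructed answer line)
    ttl = record_ttl("www.coolpage.com. 604800 IN A 11.22.33.11")
    print(f"TTL {ttl}s is {'fine' if ttl_is_small(ttl) else 'too long to fail over quickly'}")
```

The TTL check is the part worth running before an incident: a 1-week TTL means resolvers keep handing out the attacked address for up to a week after you change the record, so lower it well ahead of time, not during the attack.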

Sunday, August 28, 2016

Phishing spam e-mail that harvests Hotmail users' e-mail accounts, using a Canada Revenue Agency INTERAC deposit e-mail as a lure (Canada Revenue Agency sent you $214.17 (CAD)). CYBER



CanadaCyber has identified a recent e-mail phishing attack targeting Canadian Hotmail users.
The e-mail comes in titled as:

"You received INTERAC e-Transfer" or "You received a tax refund"
The e-mail looks like this on a phone and then on a laptop.





The e-mail is simple: you get a message that looks like a standard e-mail money transfer via INTERAC, something many Canadians are accustomed to. The amount of $214.17 is also a number that a lot of families in Canada are used to receiving from the federal government, from GST credits to child benefits.
When you click on the "Deposit your money" link it forwards you to a page that asks for your password. When you enter your password it collects it, then moves you to the next stage of the attack.
At this stage you think all is good, as you see the normal Government of Canada website. You then go on and enter more information, like your PII (personally identifiable information) and banking information. After that you are thanked; at this stage the bad guy has all of your info. Then you are redirected to the real Canada Revenue Agency website. So now they have your password and all of your information.

The e-mail itself has an embedded PNG file, ejuiceejuice.com/image/data/etransfer2. The interesting thing is that the server used to host this image is different from the landing page. This could be due to the attacker just linking to the file directly, or using different servers for different jobs; this way it is much harder to take him down, as you have to contact 3 different providers.

The above screen shows the landing page for the first stage. It sends you to http://support.cra.interac.taxid-423.redapp244.com/secure/index.php?em=somename@hotmail.com; we can see from the URL that this is not hotmail or outlook.com. If we do a DNS lookup on the hostname we see it resolves to 217.160.0.192, belonging to a 1&1 shared hosting account that is hosting almost 1500 websites. This means any of these websites could have been exploited to do this, but it is likely redapp244.com was compromised and the attacker created a subdomain with the name support.cra.interac.taxid-. On a mobile device this would fool most users, as it does look like it is the CRA.
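The host-name reading done above (and for the cra.arc-cg.com domain in the first post on this page) can be automated. The following is an added example, not code from the CanadaCyber posts: it splits a URL into the subdomain labels an attacker controls freely and the registrable domain that actually identifies who runs the page, flags brand words that appear only in the subdomain, and notices a victim address pre-filled in the query string as the em= parameter above is. The BRAND_TOKENS list and the OFFICIAL_DOMAINS allowlist (canada.ca and gc.ca) are this example's assumptions, and the canada.ca control URL is constructed.

```python
"""Lookalike-URL checks for the phishing landing pages described in the posts.
Added example; brand list and allowlist are assumptions, not the posts' data."""
from urllib.parse import urlsplit, parse_qs

# Brand words a phishing page borrows for its subdomain labels (assumed list)
BRAND_TOKENS = {"cra", "interac", "hotmail", "outlook", "canada", "revenue"}
# Domains where those words are legitimately expected (assumed allowlist)
OFFICIAL_DOMAINS = {"canada.ca", "gc.ca"}


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Simplification: a public-suffix list is needed for names like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Verdict for one URL: brand words found in the subdomain part, the domain
    that really controls the page, and whether the query pre-fills an address."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.lower().rstrip(".").split(".")
    reg = registrable(host)
    # Split hyphenated labels too, so "taxid-423" yields "taxid" and "423"
    sub_tokens = {tok for label in labels[:-2] for tok in label.split("-")}
    brands = sorted(sub_tokens & BRAND_TOKENS)
    prefilled = any("@" in v for values in parse_qs(parts.query).values() for v in values)

    reasons = []
    if brands and reg not in OFFICIAL_DOMAINS:
        reasons.append(f"brand words {brands} in the subdomain of unrelated domain {reg}")
    if prefilled:
        reasons.append("victim e-mail address pre-filled in the query string")
    # An https scheme and a valid certificate say nothing about who runs `reg`,
    # so the scheme is deliberately not used as evidence of legitimacy.
    return {
        "host": host,
        "registrable": reg,
        "brands": brands,
        "prefilled": prefilled,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for u in (
        "http://support.cra.interac.taxid-423.redapp244.com/secure/index.php?em=somename@hotmail.com",
        "https://cra.arc-cg.com",
        "https://www.canada.ca/en/revenue-agency.html",   # constructed benign control
    ):
        v = analyze_url(u)
        print(("SUSPICIOUS " if v["suspicious"] else "ok         ") + v["host"], *v["reasons"])
```

The point of the registrable-domain split is exactly the one the post makes about mobile screens: however many trusted words precede it, the only part of support.cra.interac.taxid-423.redapp244.com that says who answers is redapp244.com.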
 


In the 2nd stage we see the attacker trying to mimic/clone a real CRA page; they even changed the title header to match. In both the 2nd stage and the 1st stage the attacker used the landing page server for the link redirection and content.


Now we analyze the e-mail by looking at its source:


We see it came from a shaw.ca cable IP address, 24.70.214.97, in Calgary; this could be the attacker or a compromised workstation working on his behalf. We then see it going to smtp-out-so.shaw.ca at 64.59.136.138, also in Calgary. We suspect this server allows mail relaying from trusted IPs, as the source IP is from the shaw.ca network.



This is the first mistake shaw.ca made: it trusted its internal users' IP range. Shaw.ca also did not confirm the e-mail sender; X-SID-PRA was notif482@grs.trustwave.com, which is clearly not a Shaw domain name or a Shaw e-mail sub-domain. This is even more dangerous, as the average user looking up www.trustwave.com gets to see a legitimate security business, something that will later help in convincing the victim to click on the link that harvests his password.

Again, this is due to Shaw not confirming the sender e-mail address, so the mail servers they use just forward the e-mail even if the sender is forged.
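The header walk described above, as an added example rather than the post's own code: it reads the Received chain of a raw message, finds the originating IP and the first relay that accepted it, and compares the relay's domain with the domain the From: and X-SID-PRA headers claim. The headers are constructed from the IoCs quoted in the post (the 24.70.214.97 origin, smtp-out-so.shaw.ca at 64.59.136.138, the notif482@grs.trustwave.com sender and the subject line); the receiving host mx.example.test and the timestamps are placeholders, not the real message.

```python
"""Received-chain and sender-domain check for a message like the one in the
post. Added example; the sample headers are constructed, not the real mail."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, built from the post's IoCs; mx.example.test and the
# dates are placeholders.
RAW_MESSAGE = """\
Received: from smtp-out-so.shaw.ca (smtp-out-so.shaw.ca [64.59.136.138])
\tby mx.example.test with ESMTP; Sun, 28 Aug 2016 10:00:00 -0600
Received: from unknown [24.70.214.97]
\tby smtp-out-so.shaw.ca with ESMTP; Sun, 28 Aug 2016 09:59:00 -0600
X-SID-PRA: notif482@grs.trustwave.com
From: "Canada Revenue Agency" <notif482@grs.trustwave.com>
To: somename@hotmail.com
Subject: You received INTERAC e-Transfer

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def registrable(host):
    """Last two labels of a host name (simplification; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def received_hops(raw):
    """Received hops top-down (closest to us first): the IP named in the
    'from' part and the server named in the 'by' part of each header."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        ip = IPV4.search(flat)
        by = BY_HOST.search(flat)
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops


def sender_check(raw):
    """Compare the From:/X-SID-PRA domain with the domain of the first relay
    (the last Received header, i.e. the server that accepted the message from
    the originating IP). A mismatch means that relay forwarded mail for a
    domain it does not handle, which is what the post faults Shaw's server for;
    an SPF/DKIM check at that relay is the usual way to refuse it."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    origin = hops[-1] if hops else {"ip": None, "by": None}
    claimed = parseaddr(msg.get("From", ""))[1]
    purported = msg.get("X-SID-PRA", "") or claimed
    claimed_dom = registrable(claimed.split("@")[-1])
    relay_dom = registrable(origin["by"]) if origin["by"] else None
    return {
        "origin_ip": origin["ip"],
        "first_relay": origin["by"],
        "claimed_domain": claimed_dom,
        "purported_sender": purported,
        "relay_domain": relay_dom,
        "mismatch": relay_dom is not None and claimed_dom != relay_dom,
    }


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(f"from {hop['ip']} accepted by {hop['by']}")
    print(sender_check(RAW_MESSAGE))
```

Received headers are prepended by each hop, so the bottom one is the first relay and the only one whose "from" IP the recipient's own server did not record; anything below that is only as trustworthy as the relay that wrote it.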

The e-mail is crafted to gain your trust first; after it collects the most valuable item, your PASSWORD, it moves on, as it knows you might give away even more info like your PII, address, name and banking info: anything they need to fully steal your identity.

Canada Cyber also submitted the URL to VirusTotal and only Google Safe Browsing identified it as bad: https://www.virustotal.com/en-gb/url/26ae24d8a6e5bdad3cdf9bf8bbf8c78dbe89b4d4df96fb058f526a7bde680be1/analysis/1472437103/


This new attack is similar to this one: http://globalnews.ca/news/1900959/canada-revenue-agency-warns-of-recent-scam-involving-money-transfers/


CanadaCyber 
 





Wednesday, August 17, 2016

Intelligent IDS: A CanadaCyber perspective

What is an Intrusion Detection System (IDS)? We will not cover the very technical definitions of IDS;
however, we will mention the industry standard definitions.



The Institute says: Intrusion Detection can be defined as "...the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource; more specifically, the goal of intrusion detection is to identify entities attempting to subvert in-place security controls." Did you get what they are trying to explain, rather than define? Good!

NIST says: "Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices." Did you get what they are trying to explain, rather than define? Hmm, better?

Okay, let us explain what an IDS is: "It's nothing but a mechanism which helps you detect something abnormal, i.e. an intrusion into your defined boundaries, which constitute a system." To detect something abnormal, you have to teach your IDS what is abnormal so it can detect any abnormality.

This teaching part is termed the methodology on which your intrusion detection system basically works.

Intrusion Detection Methodology

Generally, there are three types of methodologies that can be used to gear up your intrusion detection system. Normally, intrusion detection systems are built on one of these methodologies, or sometimes on a combination of them.
The three methodologies
  • Stateful protocol analysis
  • Anomaly based detection
  • Signature based detection

Signature Based Detection
This is the simplest and most effective method of detecting known threats. A signature is basically a pattern that corresponds to a known threat; signature based detection is the process of comparing signatures against observed events to identify possible incidents.

Anomaly Based Detection
Anomaly based detection is basically the process of comparing the definition of an activity considered normal against the observed events to identify significant deviations. Anomaly based intrusion detection systems use profiles that represent the normal behavior of such things as users, hosts, network connections or applications. These profiles are developed by monitoring typical activity over a period of time.

The major benefit of the anomaly-based detection methodology is that it can be very effective at detecting previously unknown threats. For instance, it can be used to detect the infection of a computer with a new type of malware.
Signature based detection, by contrast, cannot detect previously unknown threats, because no signature exists for them yet.

Stateful Protocol Analysis
In comparison with anomaly based intrusion detection systems, which use host- or network-specific profiles, the Stateful Protocol Analysis methodology relies on vendor-developed comprehensive profiles that identify how particular protocols should or should not be used.

Therefore, we can define Stateful Protocol Analysis as a process which compares observed protocol activity against predetermined profiles of generally accepted protocol behavior to identify deviations.
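The three methodologies side by side, as an added example that is not from the CanadaCyber post: each is run over the same constructed event stream of (source IP, protocol, payload) tuples. The two signature patterns, the anomaly threshold (five times the baseline average per source) and the simplified SMTP state machine are this example's own choices, not any product's rules; the addresses and hostnames are made up.

```python
"""Signature, anomaly and stateful-protocol detection over one constructed
event stream. Added example; patterns, thresholds and data are illustrative."""
import re
from collections import Counter

# Known-normal traffic used to build the anomaly profile (constructed)
BASELINE = [("10.0.0.5", "HTTP", f"GET /page{i}.html") for i in range(4)] + \
           [("10.0.0.6", "HTTP", f"GET /page{i}.html") for i in range(5)]

# Traffic to inspect (constructed): one web request carrying a textbook SQL
# tautology, one well-formed SMTP session, one out-of-order SMTP command, and
# one source that is far chattier than anything in the baseline.
OBSERVED = [
    ("10.0.0.5", "HTTP", "GET /index.html"),
    ("10.0.0.9", "HTTP", "GET /login.php?user=admin' OR '1'='1"),
    ("10.0.0.7", "SMTP", "HELO mail.example.test"),
    ("10.0.0.7", "SMTP", "MAIL FROM:<a@example.test>"),
    ("10.0.0.7", "SMTP", "RCPT TO:<b@example.test>"),
    ("10.0.0.7", "SMTP", "DATA"),
    ("10.0.0.8", "SMTP", "DATA"),
] + [("10.0.0.11", "HTTP", f"GET /page{i}.html") for i in range(40)]

# 1. Signature based: one pattern per known threat, compared against each event
SIGNATURES = {
    "sql-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_matches(events):
    """(source, signature name) for every event that matches a known pattern."""
    return [(src, name) for src, _proto, payload in events
            for name, pattern in SIGNATURES.items() if pattern.search(payload)]


# 2. Anomaly based: profile normal behaviour first, then flag large deviations
def build_profile(events):
    """Average number of events per source during the known-normal period."""
    counts = Counter(src for src, _proto, _payload in events)
    return {"mean_per_source": sum(counts.values()) / len(counts)}


def anomalous_sources(events, profile, factor=5):
    """Sources whose event count exceeds `factor` times the baseline average.
    Catches a never-seen-before tool if it is noisy, which no signature can;
    a quiet attacker stays under the threshold, which is the trade-off."""
    counts = Counter(src for src, _proto, _payload in events)
    limit = factor * profile["mean_per_source"]
    return sorted(src for src, n in counts.items() if n > limit)


# 3. Stateful protocol analysis: which SMTP verbs are acceptable in each state
SMTP_ALLOWED = {
    "START":   {"HELO", "EHLO"},
    "GREETED": {"HELO", "EHLO", "MAIL"},
    "MAIL":    {"RCPT"},
    "RCPT":    {"RCPT", "DATA"},
}
NEXT_STATE = {"HELO": "GREETED", "EHLO": "GREETED", "MAIL": "MAIL",
              "RCPT": "RCPT", "DATA": "START"}   # DATA -> START is a simplification


def protocol_violations(events):
    """(source, state, verb) for each SMTP command sent out of sequence,
    e.g. DATA with no prior HELO/MAIL/RCPT, tracked per source."""
    state, violations = {}, []
    for src, proto, payload in events:
        if proto != "SMTP":
            continue
        verb = payload.split()[0].split(":")[0].upper()   # "MAIL FROM:<..>" -> "MAIL"
        current = state.get(src, "START")
        if verb not in SMTP_ALLOWED[current]:
            violations.append((src, current, verb))
            continue
        state[src] = NEXT_STATE[verb]
    return violations


if __name__ == "__main__":
    print("signature:", signature_matches(OBSERVED))
    print("anomaly:  ", anomalous_sources(OBSERVED, build_profile(BASELINE)))
    print("stateful: ", protocol_violations(OBSERVED))
```

Note what each method misses: the signature sees only the tautology string, the anomaly profile sees only the noisy source, and the protocol check sees only the out-of-order DATA. That is why the post says real systems combine the three.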

The Types of Intrusion Detection & Prevention Systems

So far, we have spoken about the methods on which these systems work; IDS & IPS are also categorized into different types based on the kinds of intrusions they monitor.
  • Network Based
  • Wireless
  • Network Behavior Analysis
  • Host Based
The most common and most used are host and network based intrusion detection systems, and in our workshop we will talk about a Network Based Intrusion Detection System, i.e. Snort!

Host Based Intrusion Detection System (HIDS)
Host based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device only, rather than on a network.
HIDS generally involves an agent installed on each system that monitors and alerts on local OS and application activity, using a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting.

Network Based Intrusion Detection System (NIDS)
Network based intrusion detection identifies unauthorized, illicit, and anomalous behavior solely based on network traffic.
It uses a network tap, SPAN port, or hub to collect the packets that traverse a given network, and uses the captured data to flag any suspicious traffic. An intrusion detection system does not actively block network traffic.

What is Intrusion Prevention System?
So far, we have explained more about intrusion detection systems. If you have a clear concept of how an intrusion detection system works, then it's much easier to understand how an intrusion prevention system works.
An intrusion prevention system is one step ahead of an intrusion detection system: the role of an intrusion prevention system is to stop the intrusion, whereas an intrusion detection system only alerts when there is an intrusion in the system.
"Intrusion prevention follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity. This can be done with Network and Host based intrusion detection systems." One thing we do not like about IPS systems is their ability to deny legitimate traffic when a false positive happens.

Architecture of Intrusion Detection & Prevention Systems

The main question is how these systems are designed, or how they actually work. The architecture of an intrusion detection system comprises several key components.

Architecture components

There are four (4) main components of the architecture:
  • Sensor or Agent
  • Database server
  • Management Server
  • Console
Sensors
Their job is to monitor and analyze activity. The term sensor is typically used for both intrusion detection and prevention systems that monitor networks. There can be multiple sensors configured within one network, depending on the network architecture.

Management Server
A management server is a device which works centrally: it receives the information from the sensors and manages them.

Database Server
Its job is to store the event information recorded by the sensors. This information is later used for reporting and for performing different analyses for security purposes.

Console
The console provides access to the intrusion detection and prevention system. You can say it's the interface for administration and related activities and tasks.
Most consoles offer many features to assist administrators in their daily tasks. For example, most consoles offer drill-down capabilities, which means that when a user examines an alert, more details and information are available in layers; they also draw different graphs that are more presentable to senior management.

At Canada Cyber we usually deploy all these items on 1 physical or virtual server. We do this because we are a service you contract, and we manage all of the items within our sensor. We also deal with businesses that usually have fewer than 2000 employees, meaning the network load is not too cumbersome for one physical device.

It is important to understand that we offer something no one else does, and that is an intelligent point of view: our security team understands the global security threat and can identify strange network patterns, something no hardware can ever give you. Because we understand your business, this allows us to identify the threats that are posed to you.

This is why we ask you for the bandwidth of your network, the average throughput and the sustained session count of your network connection, as this helps us determine what is best to install at the edge of your network.

What is usually logged or detected by IDS & IPS
This can be customized based on the type and features of your device. Generally, intrusion detection and prevention systems store the following types of information:
  • Timestamp (usually date and time)
  • Connection or session ID (typically a consecutive or unique number assigned to each TCP connection, or to like groups of packets for connectionless protocols)
  • Event or alert type
  • Rating (e.g., importance, severity, impact, confidence)
  • Network, transport, and application layer protocols
  • Source and destination IP addresses
  • Source and destination TCP or UDP ports, or ICMP types and codes
  • Sum of bytes transmitted over the connection
  • Interpreted payload data, such as application requests and responses
  • State-related information (e.g., real username)
  • We can also set it to record everything; just think of a video camera system for your network.

Always keep your sensor up to date
It is important to ensure that your intrusion detection and prevention systems are up to date with the newest feed released by your vendor. This could include software updates and fixes for the IDS or IPS itself, or new signatures to detect newer threats and attack vectors. An intrusion detection or prevention system without the latest feeds cannot help you in securing your network or systems. That is why we offer it as a managed service.

This is the introduction to the types, architectures and methodologies of which intrusion detection and prevention systems are generally comprised.

We at Canada Cyber employ a blend of these products, from open source to enterprise grade systems, giving us an optimum system that benefits from both the open source community and the commercial options.