Friday, September 1, 2017

Fake CRA (Canada Revenue Agency) phishing e-mail

As in the last post (https://canadacyber.blogspot.ca/2016/08/phishing-spam-e-mail-that-harvests.html), this is yet another fake e-mail looking to take your PII, this time another fake CRA e-mail.

You receive a phishing e-mail claiming to be from the CRA (Canada Revenue Agency). The e-mail looks very real because the attacker bought the domain name https://cra.arc-cg.com, which looks very much like cra-arc.gc.ca, the old domain the CRA used before it moved to the single Canada.ca domain. Note how the lookalike swaps the dot and the hyphen: the registrable domain is arc-cg.com, which has nothing to do with the government's gc.ca.
See the screenshot below.




When you click the link it sends you to a page that looks like a CRA form submission page. The attacker was also smart enough to put the page behind Cloudflare, which serves it over HTTPS with a valid certificate, so you even get the padlock. The average user, who has always been told to look for the green lock, will think this is a real, legitimate site. BUT IT IS NOT. A padlock only tells you that the connection to cra.arc-cg.com is encrypted and that whoever controls that domain obtained a certificate for it; it says nothing about whether that domain belongs to the CRA.
The page also asks for PII that should never be given away.
See the screenshot below.






Let's say you are unwise enough to fill in your PII and click submit: you are then redirected to a second page that asks for your credit card information. See the screenshot below.





At the end, when you submit, the page redirects you to the real CRA page, so a normal person thinks they just did the right thing.

Below are screenshots of other IOCs. The first is the e-mail path and source servers, i.e. the Received: headers; read them bottom-up, since each relay prepends its own line, to find the originating server.




This IOC is of the hosting provider. As you can see, the attacker was smart enough to hide his domain name behind private (WHOIS privacy) registration to make takedowns harder.
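To turn the two IOC types above (the Received: path and the lookalike link) into something repeatable, here is an added triage script. It is example code written for this post, not a tool from CanadaCyber. The e-mail it parses is constructed for the example: the lure and the cra.arc-cg.com link mirror the post, but the relay names, the RFC 5737 addresses, the queue ID and the recipient are made up. The legitimate-domain list (canada.ca and the old cra-arc.gc.ca) and the brand-token list are assumptions for this example, and the tiny multi-label suffix set stands in for the real Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a capture from the post). Relays use RFC 5737
# documentation addresses; the lure and link mimic the one described above.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTPS id 1A2B3C
\tfor <user@victim.example>; Fri, 1 Sep 2017 09:12:44 -0400 (EDT)
Received: from vps-42.hosting.example (unknown [198.51.100.23])
\tby mx.example.net with ESMTP; Fri, 1 Sep 2017 09:12:40 -0400
From: "Canada Revenue Agency" <noreply@cra.arc-cg.com>
To: user@victim.example
Subject: Your tax refund is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="https://cra.arc-cg.com/refund/form">here</a> to claim it.</p>
<p>Questions? See <a href="https://www.canada.ca/en/revenue-agency.html">our site</a>.</p>
</body></html>
"""

# Assumed for this example: the domains the impersonated brand really uses,
# and the name fragments an attacker would reuse to look like it.
LEGIT_DOMAINS = {"canada.ca", "cra-arc.gc.ca"}
BRAND_TOKENS = {"cra", "arc", "canada"}
# Simplified stand-in for the Public Suffix List: suffixes that take one more label.
MULTI_LABEL_SUFFIXES = {"gc.ca"}

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def received_chain(raw):
    """(helo_name, ip) per Received: header, reordered so the origin comes first.
    Relays prepend their header, so the last header in the message is the oldest hop."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", hdr))
        if not m:
            continue
        ip_m = IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip_m.group(1) if ip_m else None))
    return list(reversed(hops))


def extract_links(raw):
    """Every href target in the text/html part(s), in document order."""
    msg = message_from_string(raw)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            links.extend(re.findall(r'href="([^"]+)"', body))
    return links


def registrable_domain(host):
    """Owner-controlled part of a hostname: the last two labels, or three under a
    multi-label public suffix such as gc.ca."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def classify_host(host):
    """'legit' if the brand owns the registrable domain, 'lookalike' if a foreign
    domain borrows brand tokens anywhere in the name (cra.arc-cg.com), else 'unknown'.
    The TLS padlock is deliberately not consulted: the attacker's site has one too."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if set(re.split(r"[.-]", host.lower())) & BRAND_TOKENS:
        return "lookalike"
    return "unknown"


def triage(raw):
    """Summarise the IOCs of one message: sender domain class, originating relay,
    each link with its class, and an overall verdict."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_class = classify_host(sender.rpartition("@")[2])
    hops = received_chain(raw)
    links = [(u, classify_host(urlparse(u).hostname or "")) for u in extract_links(raw)]
    suspicious = sender_class == "lookalike" or any(c == "lookalike" for _, c in links)
    return {
        "sender": sender,
        "sender_class": sender_class,
        "origin_hop": hops[0] if hops else None,
        "links": links,
        "verdict": "phish" if suspicious else "no-lookalike",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The origin hop (the last Received: line, 198.51.100.23 here) is the IP to feed into abuse reports and blocklists; the relays above it are just the path. A second legitimate link (to www.canada.ca) is included in the sample to show that one real link does not rescue a message whose sender and call-to-action point at a lookalike domain.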


Saturday, January 21, 2017

DDoS protection and mitigation methods, CanadaCyber approaches



CanadaCyber: DDoS protection & mitigation methods.

People come to us and always say "we can't protect against DDoS". We always tell them: yes you can, with the proper network implementation.

Let's say you own www.coolpage.com and that name points to a server located within your DMZ at IP address 11.22.33.11.

In your DNS zone on your name server, www.coolpage.com points to the server at 11.22.33.11 through an A record with a certain time to live (TTL), let's say 1 week.

All an attacker has to do is target that IP or that domain name.

There are two types of attackers that will try to target you: one who targets the IP 11.22.33.11 directly, knowing that this is your main server, and the less informed attacker who targets the domain name www.coolpage.com, resolving it at attack time and hitting whatever it currently points to.

This is how CanadaCyber mitigates this threat. First of all, you should never publish an A record pointing to your core server. What you should have is a series of proxies that balance the traffic. By doing this you gain two advantages: first, caching your content (this one needs real reverse proxies; a plain packet forwarder caches nothing), and second, decoupling your core server from your domain name by routing everything through the proxies.

The way you achieve this at a very basic level is by buying a number of servers that just forward your traffic to your core IP, and then publishing those servers' IPs as the A records.

When you do get attacked you can easily change the A records. The other thing is to make sure the TTL on your A records is set to a very small number, as this lets you move A record allocations on the fly to different IPs that then forward to your main server. Two things have to hold for this to work: the core server must accept web traffic only from the proxies, so an attacker who learns the origin IP cannot bypass them, and the origin IP must not leak through other records in the same zone (an MX or SPF record, or an old A record that passive-DNS archives will remember).

Proxy servers are very cheap if set up by educated staff internally: you can buy an Amazon EC2 or Linode server for less than $15 a month that can do this job. It can be a full-fledged reverse proxy (nginx, HAProxy, Varnish) or just a basic iptables DNAT rule.
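The following is an added example, written for this post rather than taken from CanadaCyber, that generates the three pieces of the setup just described: the low-TTL A records for the proxy pool, the iptables DNAT rules for a forwarder box, and the allowlist on the origin so only the proxies can reach it. It also audits a zone for the two weak settings (origin published directly, week-long TTL) and rotates an attacked proxy out of DNS. All addresses are RFC 5737 documentation ranges chosen for the example, not the post's 11.22.33.11; the 60-second TTL, the spare pool and the port list are assumptions. Nothing here touches the system: every function returns text for you to review and apply.

```python
# Assumed layout for this example: one origin, two published forwarders, one spare.
DOMAIN = "www.coolpage.com"                # the name from the post
ORIGIN = "203.0.113.11"                    # core server in the DMZ (assumed address)
PROXIES = ["198.51.100.1", "198.51.100.2"] # forwarders currently holding the A records
SPARES = ["198.51.100.3"]                  # provisioned but not yet published
PORTS = (80, 443)
LOW_TTL = 60                               # seconds; one week (604800) is the weak setting


def zone_records(domain, proxies, ttl=LOW_TTL):
    """A records for the public name, one per proxy. The origin is never listed."""
    return [f"{domain}. {ttl} IN A {ip}" for ip in sorted(proxies)]


def audit_zone(records, origin, max_ttl=300):
    """Flag the two weak settings from the post in zone-file lines of the form
    'name ttl IN A value': the origin published directly, and an A TTL too long
    to repoint during an attack."""
    problems = []
    for rec in records:
        name, ttl, _, rtype, value = rec.split()
        if value == origin:
            problems.append(f"{name} publishes the origin {origin} directly")
        if rtype == "A" and int(ttl) > max_ttl:
            problems.append(f"{name} TTL {ttl}s is too long to repoint quickly")
    return problems


def proxy_rules(origin, ports=PORTS):
    """iptables commands for a forwarder: DNAT inbound web traffic to the origin and
    masquerade it on the way out, so the origin answers the proxy and not the client.
    Trade-off: the origin then sees the proxy's IP, not the client's; only a real
    reverse proxy can pass the client address along (e.g. X-Forwarded-For)."""
    cmds = ["sysctl -w net.ipv4.ip_forward=1"]
    for port in ports:
        cmds.append(
            f"iptables -t nat -A PREROUTING -p tcp --dport {port} "
            f"-j DNAT --to-destination {origin}:{port}"
        )
        cmds.append(
            f"iptables -A FORWARD -p tcp -d {origin} --dport {port} "
            f"-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        )
    cmds.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    cmds.append(f"iptables -t nat -A POSTROUTING -d {origin} -j MASQUERADE")
    return cmds


def origin_rules(proxies, ports=PORTS):
    """Origin firewall: accept the web ports only from the proxy pool, then drop the
    rest, so a leaked origin IP cannot be hit directly. Give the spares access too
    before you publish them, otherwise the rotation fails closed."""
    cmds = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for ip in sorted(proxies):
        for port in ports:
            cmds.append(f"iptables -A INPUT -p tcp -s {ip} --dport {port} -j ACCEPT")
    for port in ports:
        cmds.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return cmds


def rotate(proxies, spares, attacked):
    """Pull an attacked proxy out of DNS and publish the next spare in its place.
    Returns (new_published, remaining_spares); the attacked IP is left unpublished."""
    if attacked not in proxies:
        raise ValueError(f"{attacked} is not currently published")
    published = [ip for ip in proxies if ip != attacked]
    remaining = list(spares)
    if remaining:
        published.append(remaining.pop(0))
    return published, remaining


if __name__ == "__main__":
    weak = [f"{DOMAIN}. 604800 IN A {ORIGIN}"]
    print("weak zone problems:", audit_zone(weak, ORIGIN))
    print("\n".join(zone_records(DOMAIN, PROXIES)))
    print("\n".join(proxy_rules(ORIGIN)))
    print("\n".join(origin_rules(PROXIES + SPARES)))
    print("after attack on 198.51.100.1:", rotate(PROXIES, SPARES, "198.51.100.1"))
```

Run it on a workstation and paste the output into the proxy and origin boxes; the order of the origin rules matters (accepts before the final drops), which is why they are emitted as a list rather than a set. A low TTL does raise query volume on your authoritative name servers, which is the motivation for the next paragraph.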

For the geek at heart, you can also set up your own name servers, or arrange access to name servers you can use for DNS resolution. Combine this with the above and you will have a robust DDoS mitigation plan that ensures continuity of service: if your IP, your domain name or your name servers are attacked, you can still deliver services.