Desenmascara.me

How to verify whether a website is legitimate or not?: desenmascara.me

Tuesday, 17 April 2018

Fortinet, I hope that we all do not fall for one of these one day

This post by Fortinet caught my attention: You will fall for this one day. I could not believe that a CTF player was the victim of a counterfeit-related website shown through ads on Facebook. It is not my intention to blame the victim, but rather to highlight that if a technically savvy person can be lured by online counterfeiters, the chances of an average Internet user avoiding this fraud are quite low.


The article is quite good at describing how these scams usually work and the tactics online counterfeiters use, in particular the carefully chosen website name, as described in the Tracking online counterfeiters paper, in order to lure their victims.

Also to my surprise, near the conclusion of the article I could read the bold sentence of the paragraph below:


The CTF player reported the website to the affected brand, Salomon in this case. This is a good action on their side, but it is a drop in the ocean. The desenmascara.me project, through its Twitter account, has so far raised around 10,000 alerts to 142 different brands affected by online counterfeiters. The number of counterfeit websites detected by this side project is higher, but due to Twitter API restrictions not every website detected is automatically tweeted.

But the article had more surprises in relation to Fortinet's approach to coping with this fraud:


While it is great to see some security vendors taking these kinds of fake websites into account, the "phishing" categorization might not be accurate enough to highlight this massive online fraud. As pointed out in the mentioned "Tracking online counterfeiters" paper, having a specific categorization for this specific fraud would help to raise awareness among users and also to create alliances with other stakeholders to fight it. But this is a not-so-easy battle, as even Kaspersky calls it phishing. The reality behind such counterfeit-related websites is that phishing is rarely the goal; instead they are a profit center through which victims transfer new capital into the underground, and as a profit center, all the pieces of this ecosystem must work properly:



Also, claiming that FortiGuard customers are protected from this scam because the website has been classified and blocked is a valid (but weak) point for showing value over other vendors unable to recognize this online fraud:



But the reality is that a much wider approach is needed to cope with this massive online fraud. Just as an example, taking the fake website blocked by Fortinet, www.salocc.com: there are dozens of additional fake websites which belong to the same counterfeit campaign (as shown by the use of the same infrastructure and the same domain registration details):



Are all those fake websites also detected and blocked by Fortinet? The answer: at this point in time they are not, as shown below with a random fake web domain related to the same campaign:






As I said before, this is just a drop in the ocean. After researching this online fraud for years, publishing a paper about "Tracking online counterfeiters", collaborating with Europol in joint operations to take down websites related to this fraud, and also unveiling massive campaigns of counterfeit-related websites, the reality is that all the past estimates from different sources about the rise of this massive and underestimated online fraud are coming true. To tackle this online fraud a more holistic approach is needed; the technology to do it is already available, but the only thing truly needed to cope with it is will.

As stated in the last sentence of the "Tracking online counterfeiters" paper, the ultimate and ambitious goal of this research and of the desenmascara.me side project is to protect users worldwide from this massive online fraud. How could this be achieved? By having widely used technologies like Safe Browsing or similar flag a new kind of unsafe site: FAKE websites related to online counterfeiting.

Therefore, Fortinet, I hope that we all do not fall for one of these one day.


P.S.: Unfortunately this is an underrated online fraud. This is a feature request to Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1326308, which was closed as "will not be fixed" because they did not consider the topic relevant enough to act upon it.

Sunday, 8 April 2018

RFC1918 IP Addresses in APT reports being used as IOCs by "Intelligence" providers

The title of this article was published some days ago as a tweet. Unfortunately, judging by the responses, it seems this is not such an uncommon issue:





It all started as a heads-up about a high-priority incident in a sensitive environment. A watchlist that matches an internal private IP against a botnet? This incident needed confirmation, as it had been escalated with urgency. As is common in this scenario, dealing with different stakeholders, the private IP being categorized as a botnet address had been anonymized in order to protect sensitive information, but we needed that information in order to investigate further. Requesting it added time to the investigation.

Once we had the private IP details we could do some cross-checks to get the additional context needed in this scenario. The cross-checks were to verify which intelligence feed contained the private IP and then to gather the details. After some investigation we were unable to find any correlation: none of the watchlists we provide (from public and private sources around the world, including product vendors, industry experts, government agencies, professional associations, media, news groups...) contained such information. The next step was to search for the private IP in any public report, because by this time it was fairly clear what the issue was, and bingo! Anunak: APT against financial institutions, a great report released by Group-IB and Fox-IT, contained the private IP address as a C&C IP, without any additional information. This is likely a common mistake: the information provided by reverse engineers to the intel team responsible for writing the APT report is not vetted, and the mistake is then chained by intelligence providers who do not vet the IOCs they ingest, package and sell. It turned out the affected customer was using additional threat intelligence providers, and it was one of them who had supplied the private IP address as an IOC.
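The vetting step that would have stopped this chain, written as an added example for this post (it is not code from the author, Group-IB, Fox-IT or any intelligence provider): it rejects RFC 1918, loopback, link-local and other non-routable addresses from an IP indicator feed before they reach a watchlist, and counts which source shipped them. The feed format (indicator,source), the source names and all sample addresses are constructed for this example; 8.8.8.8 is only a placeholder for a routable address that passes the check.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# RFC 1918 ranges listed explicitly, since they are the class of address the post is about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample feed, one "indicator,source" entry per line. No value
# comes from a real report; 8.8.8.8 is only a placeholder routable address.
SAMPLE_FEED = """\
10.0.0.12,vendor-feed-B
192.168.1.20,vendor-feed-B
127.0.0.1,vendor-feed-C
203.0.113.45,vendor-feed-A
fe80::1,vendor-feed-C
8.8.8.8,vendor-feed-A
not-an-ip,vendor-feed-A
"""

def vet_ip_ioc(value: str) -> Tuple[bool, str]:
    """Return (usable, reason). A C&C address must be reachable from the victim
    network, so anything non-routable cannot identify a remote attacker host
    and would only produce false positives on internal traffic."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return False, "not a valid IP address"
    if any(ip in net for net in RFC1918):          # an IPv6 address never matches
        return False, "RFC 1918 private address"
    if ip.is_loopback:
        return False, "loopback address"
    if ip.is_link_local:                           # 169.254.0.0/16 and fe80::/10
        return False, "link-local address"
    if ip.is_private or not ip.is_global:          # ULA, documentation ranges, CGNAT...
        return False, "reserved or non-routable address"
    return True, "routable"

def vet_feed(feed_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split a feed into accepted/rejected (indicator, source, reason) entries."""
    result: Dict[str, List[Tuple[str, str, str]]] = {"accepted": [], "rejected": []}
    for line in feed_text.splitlines():
        if line.strip():
            indicator, source = line.split(",", 1)
            usable, reason = vet_ip_ioc(indicator)
            result["accepted" if usable else "rejected"].append((indicator, source, reason))
    return result

def rejections_by_source(feed_text: str) -> Dict[str, int]:
    """Rejections per source: a provider shipping many is not vetting what it sells."""
    return dict(Counter(src for _, src, _ in vet_feed(feed_text)["rejected"]))
```

Run the two functions over SAMPLE_FEED to see every private or reserved entry rejected with its reason and attributed to the source that shipped it.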

Based on The cost of bad intelligence: "Security professionals practicing threat intelligence must understand the implications of mistakes and poor analysis. Bad intelligence can and does decrease the security effectiveness of an organization."