Since the coinage of the term in 1956, Artificial Intelligence (AI) has evolved considerably. From its metaphorical reference in Mary Shelly’s Frankenstein, to its most popular recent application in autonomous cars, AI has made a progressive shift, over the years. It influences all the major industries such as transportation, communication, banking, education, healthcare, media, etc.
When it comes to cybersecurity, AI is changing how we detect and respond to threats. However, with the benefits, comes the risk of the potential misuse of AI capabilities. Is the primary catalyst for cybersecurity, also a threat to it?
How do we use AI in our daily life?
Social media users encounter AI on a daily basis and probably don’t recognize it at all. Online shopping recommendations, image recognition, personal assistants such as Siri and Alexa, and smart email replies, are the most popular examples.
For instance, Facebook identifies individual faces in a photo, and helps users “tag” and notify them. Businesses often embed chatbots in their websites and applications. These AI-driven chatbots detect words in the questions entered by customers, to predict and deliver prompt responses.
How do malicious actors abuse and weaponize AI?
To orchestrate attacks, cyber criminals often tinker with existing AI systems, instead of developing new AI programs and tools. Some common attacks that exploit Artificial Intelligence include:
Misusing the nature of AI algorithms/ systems: AI capabilities such as efficiency, speed and accuracy can be used to devise precise and undetectable attacks like targeted phishing attacks, delivering fake news, etc.
Input attacks/ adversarial attacks: Attackers can feed altered inputs into AI systems, to trigger unexpected/incorrect results.
Data Poisoning: Malicious actors corrupt AI training data sets by poisoning them with bad data, affecting the system’s accuracy.
Examples of how AI can be weaponized
GPT-2 text generator/ language models
In November 2019, OpenAI released the latest and largest version of GPT-2 (Generative Pretrained Transformer 2). This language model has the training to generate unique textual content, based on a given input. It even tailors the output style and subject based on the input. So, if you input a specific topic or theme, GPT-2 will yield a few lines of text. GPT-2 is exceptional in that it doesn’t produce pre-existing strings, but singular content that didn’t exist before the model created it.
Drawbacks of GPT-2
The language model is built with 1.5 billion parameters and has a “credibility score” of 6.9 out of 10. The model received a training with the help of 8 million text documents. As a result, OpenAI claims that “GPT-2 outperforms other language models.” The text generated by GPT-2 is as good as text composed by a human. Since detecting this synthetic text is challenging, creating spam emails and messages, fake news, or performing targeted phishing attacks, among other things, becomes easier.
Image recognition software
Image recognition is the process of identifying pixels and patterns to detect objects in digital images. The latest smartphones (for biometric authentication), social networking platforms, Google reverse image search, etc. use facial recognition. AI-based face recognition softwares detect faces in the camera’s field of vision. Given its multiple uses across industries and domains, researchers expect the image recognition software market to make a whopping USD 39 billion, by 2021.
Drawbacks of image recognition softwares
Major smartphone brands are now using facial recognition instead of fingerprint recognition, in their biometric authentication systems. Since this cutting-edge technology is popular among consumers, cyber criminals have found ways to exploit it.
Tricking facial recognition: It has been demonstrated that Apple’s Face ID can be duped using 3D masks. There are also other instances of deceiving facial recognition with infrared lights, glasses, etc. Identical twins, such as myself, can swap our smartphones to trick even the most efficient algorithms, currently available.
Blocking automated facial recognition: As facial recognition depends on key features of the face, an alteration made to the features can block automated facial recognition. Similarly, researchers are exploring various ways by which automated facial recognition can be blocked.
For example: Researchers found that minor modifications to a stop sign confuses autonomous cars. If implemented in real life, these technologies could have severe consequences.
Poisoned training sets
Machine learning algorithms that power Artificial Intelligence, learn from data sets (training sets) or by extracting patterns from data sets.
Drawbacks of Machine Learning algorithms
Attackers can poison training sets with bad data, to alter a system’s accuracy. They can even “teach” the model to behave differently, through a backdoor or otherwise. As a result, the model fails to work in the intended way, and will remain corrupted.
In the most unusual of ways, Microsoft’ AI chatbot, Tay, was corrupted through Twitter trolls. Releasing the smart chatbot was on an experimental basis, to engage people in “playful conversations.” However, Twitter users deluged the chatbot with racist, misogynistic, and anti-semitic tweets, turning Tay into a mouthpiece for a terrifying ideology in under a day.
AI is here to stay. So, as we build Artificial Intelligence systems that can efficiently detect and respond to cyber threats, we should take small steps to ensure they are not exploited:
Focus on basic cybersecurity hygiene including network security and anti-malware systems.
Ensure there is some human monitoring/ intervention even for the most advanced AI systems.
Teach AI systems to detect foreign data based on timestamps, data quality etc.
To meet the growing needs of customers, banks are increasingly adopting Information Technology (IT) solutions, to carry out daily operations. Thus making them attractive targets for escalating cyber attacks. To ensure that Indian banks function in a cyber-resilient environment, the Reserve Bank of India (RBI) issues regular guidelines. Hence, in one of its recent circulars, in addition to distinguishing cybersecurity from information security, the RBI advises banks to establish mechanisms for:
Continuous surveillance to protect personal data
A focused approach towards cybersecurity
Board/ Top Management to be aware of the bank’s threat quotient
Board/ Top Management to proactively monitor, share, and mitigate threats
The RBI guidelines advocate the following measures to help banks improve their overall security posture:
1. Provision for continuous surveillance
Cyber attacks are not preceded by warnings or timelines. Hence, the RBI recommends that banks set up continuous surveillance to stay abreast of emerging cyber threats.
XVigil helps you anticipate and mitigate threats
XVigil, CloudSEK’s digital risk monitoring platform, offers continuous monitoring across the surface and the dark web. Specifically focusing on: mentions of the bank, its brand, and its infrastructure.
2. Ensure protection of customer data
Financial institutions depend on technology to function smoothly. It also helps them deliver cutting-edge digital products to address their customers’ needs. However, in the process, banks collect customers’ personal and sensitive information.
Banks should take appropriate steps to ensure uncompromised confidentiality, integrity, and availability of this data. Moreover, as custodians of such information, it is incumbent on banks to preserve data, in transit and in storage, within their environment or that of third party vendors. To this end, banks should establish suitable systems and processes, across the data/ information lifecycle.
XVigil detects data leaks
XVigil proactively monitors the web for data leaks. Subsequently, it alerts banks to leaks involving their customers’ information, credit card details, or debit card details. The platform also reports 3rd party data leaks that could affect banks and their customers.
3. Report cybersecurity incidents to RBI
Banks also need to notify the RBI of all unusual cybersecurity activities and incidents, irrespective of the success or failure of the attempts.
XVigil generates reports to notify the RBI
XVigil prepares reports, listing major incidents that may be submitted to the RBI, adhering to compliance standards.
4. Manage inventory of IT assets
Banks need to maintain an up-to-date inventory of assets including their infrastructure and business applications.
XVigil scans your assets every day
XVigil performs daily asset scans, to track all internet-facing assets, including domains, sub-domains, IPs, WebApps, etc.
5. Prevent execution of unauthorized software
Banks should maintain an updated, and preferably centralized, inventory of authorized/ unauthorized software.
XVigil monitors for Shadow IT threats
XVigil runs infrastructure scans every day and alerts banks to any threats. As a result, it keeps Shadow IT threats in check.
6. Secure configuration
Banks must document and apply baseline security requirements/ configurations to all categories of devices.
XVigil detects misconfigured assets
XVigil detects and reports misconfiguration of internet-facing assets, in addition to the Open Web Application Security Project (OWASP) top 10 vulnerabilities.
7. Vendor risk management
Banks are accountable for appropriate management of security risks pertaining to outsourced and partner arrangements.
XVigil detects third-party leaks
XVigil monitors and reports on any third-party sources that leak sensitive information, thus fulfilling the RBI’s requirement to manage vendor risk.
8. Advanced real-time threat defence and management
The RBI advocates for banks to:
Build a robust defence system against the installation, spread, and execution of malicious code, at multiple points in the enterprise
Consider whitelisting of internet websites/ systems
Consider implementing secure web gateways with capabilities to deep scan network packets. Hence securing (HTTPS, etc.) traffic passing through the web/ internet gateway.
XVigil provides real-time alerts
XVigil monitors and provides real-time alerts, on threats that impact banks’ brand or infrastructure, from various sources across the surface web and the dark web. In addition, the platform scans open ports, misconfigured SSLs, leaky S3 buckets, and XSS vulnerabilities.
Banks have been advised to subscribe to anti-phishing/ anti-rogue apps or services from external service providers. Since, this will help them identify and take down phishing websites/ rogue applications.
XVigil detects and initiates takedowns
XVigil detects phishing/ rogue apps, fake domains, and fake social media accounts. CloudSEK also offers takedown of such phishing websites/rouge applications.
10. Data leak prevention strategy
Banks should develop a comprehensive data loss/ leakage prevention strategy to safeguard sensitive, proprietary, and confidential business and customer data.
XVigil monitors data leaks
XVigil scans for data leaks, including third-party leaks, and additionally gives banks timely and actionable threat intelligence.
11. Vulnerability Assessment, Penetration Test, and Red Team Exercises
Banks should conduct periodic vulnerability assessment and pen-testing exercises on all the critical systems, particularly the internet-facing ones.
XVigil runs periodic tests
XVigil runs basic level vulnerability assessments, as well as pen-testing exercises, every day. And subsequently alerts banks to open ports, misconfigured SSLs, leaky S3 buckets, and XSS vulnerabilities.
Banks must make arrangements for forensic investigation unless they have support.
CloudSEK offers forensic services and support
CloudSEK offers forensic services, together with unlimited support.
13. External Integration
While delivering services to customers, several stakeholders are involved directly or otherwise. Their experience is indispensable. Besides, their integration with multiple tools would give organizations a view of the entire security landscape. Thus, encouraging better decision making.
XVigil can be integrated with ease
XVigil can be easily integrated with multiple SIEMS, SOAR and other platforms. Thus giving banks a single view of their entire security landscape.
In the recent past, several security vulnerabilities have been discovered, in widely used software products. Since these products are installed on a significant number of devices, connected to the internet, it entices threat actors to develop botnets, steal sensitive data, and more.
In this article we explore:
Vulnerabilities detected in some popular products.
Target identification and exploitation techniques employed by intrusive threat actors.
Threat actors’ course of action in the event of identifying a flaw in widely used internet products/technology.
Popular Target Vulnerabilities and their Exploitation
Ghostcat: Apache Tomcat Vulnerability
All Apache Tomcat Server versions are vulnerable to Local File Inclusion and Potential RCE. The issue resides in the AJP protocol, which is an optimised version of the HTTP protocol. The years old vulnerability is vulnerable because of the component which handled a request attribute improperly. The AJP protocol, enabled by default, listens on TCP port 8009. Multiple scanners, exploit scripts, honeypots surfaced in a matter of days after the original disclosure by Apache.
Stats published by researchers indicate a large number of affected systems, the numbers being much greater than originally predicted.
Recently, Directory Traversal and RCE vulnerabilities, in Citrix ADC and Gateway products, affected at least 80,000 systems. Shortly after the disclosure, multiple entities (ProjectZeroIndia, TrustedSec) released PoC scripts publicly that engendered a slew of exploit attempts, from multiple actors in the wild.
Jira Sensitive Data Exposure
A few months ago, researchers found Jira Instances leaking sensitive information such as names, roles, email IDs of employees. Additionally, internal project details, such as milestones, current projects, owner and subscriber details, etc., were also accessible to anyone making a request to the following unauthenticated JIRA endpoints:
Avinash Jain, from Grofers, tested the vulnerability on multiple targets, and discovered a large number of vulnerable Jira instances, revealing sensitive data belonging to various companies, such as NASA, Google and Yahoo, and its employees.
Spring Boot Data Leakage via Actuators
Spring Boot is an open source Java-based MVC framework. It enables developers to quickly set up routes to serve data over HTTP. Most apps using the Spring MVC framework now also use the Boot utility. Boot helps developers to configure what components to add, and also to setup the Framework faster.
An added feature of the tool called Actuator, enables developers to monitor and manage their applications/REST API, by storing and serving request dumps, metrics, audit details, and environment settings.
In the event of a misconfiguration, these Actuators could be a back door to the servers, making exposed applications susceptible to breaches. The misconfiguration in Spring Boot Versions 1 to 1.4 granted access to Actuator endpoints without authentication. Although later versions secure these endpoints by default, and allow access only after authentication, developers still tend to ignore the misconfiguration before deploying the application.
The following actuator endpoints leak sensitive data:
performs a thread dump and returns the dump
returns the dump of HTTP requests received by the app
returns the app-logged content
commands the app to shutdown gracefully
returns a list of all the @RequestMapping paths
exposes all the Spring’s ConfigurableEnvironment values
returns application’s health information
There are other such defective Actuator endpoints, that provide sensitive information to:
Gain system information
Send requests as authenticated users (by leveraging session values obtained from the request dumps)
Execute critical commands, etc.
Webmin RCE via backdoored functionality
Webmin is a popular web-based system configuration tool. A zero-day pre-auth RCE vulnerability, affects some of its versions, between 1.882 and 1.921. This vulnerability enables the remote password change functionality. The Webmin code repository on SourceForge was backdoored with malicious code allowing remote command execution (RCE) capability on an affected endpoint.
The attacker sends his commands piped with Password Change parameters through `password_change.cgi` on the vulnerable host running Webmin. And if the Webmin app is hosted with root privileges, the adversary can execute malicious commands as an administrator.
Why do threat actors exploit vulnerabilities?
Breach user/company data: Data exfiltration of Sensitive/PII data
Computing power: Infecting systems to mine Cryptocurrency, serve malicious files
Botnets, serving malicious files: Exploits targeted at adding more bots to a larger botnet
Service disruption and eventually Ransom: Locking users out of the devices
Political reasons, cyber war, angry user, etc.
How do adversaries exploit vulnerabilities?
On disclosure of such vulnerabilities, adversaries probe the internet for technical details and exploit codes, to launch attacks. Rand corporation’s research and analysis on zero-day vulnerabilities states that, after a vulnerability disclosure, it takes 6 to 37 days and a median of 22 days to develop a fully functional exploit. But when an exploit disclosure comes with a patch, developers and administrators immediately patch the vulnerable software. Auto update, regular security updates, large scale coverage of such disclosures help to contain attacks. However, several systems run the unpatched versions of a software or application and become easy targets for such attacks.
Steps involved in vulnerability exploitation
Once a bad actor decides to exploit a vulnerability they have to:
Obtain a working exploit or develop an exploit (in case of a zero-day vulnerability)
Utilize Proof of Concept (PoC) attached to a bug report (in case of a bug disclosure)
Identify as many hosts as possible that are vulnerable to the exploit
Maximise the number of targets to maximise profits.
Even though the respective vendors patch vulnerabilities reported, upon searching GitHub or specific CVEs on ExploitDB, we can find PoC scripts for the issues. Usually PoC scripts require a host/ URL as an input and it measures the success of the exploit/ examination.
Adversaries identify a vulnerable host through their signatures/ behaviour, to generate a list of exploitable hosts. The following components possess signatures that determine whether a host is vulnerable or not:
Indexed Content/ URL
Many commonly used software has a specific default installation port(s). If a port is not configured, the software installs on a pre-set port. And in most cases a software installs on the default port. For example, most systems use default port 3306 to install MySQL and port 9200 for Elasticsearch. So, by curating a list of all servers with an open 9200 port, a threat actor can determine systems running the Elasticsearch. However, port 9200 can be used to install other services/ software as well.
Using port scans to discover targets to exploit the Webmin RCE vulnerabilities
Determining that the default port where Webmin listens to after installation is Port 10000.
Get a working PoC for the Webmin exploit.
Execute a port scan on all hosts connected to the internet for port 10000.
This will lead to a discovery of all possible Webmin installations that could be vulnerable to the exploit.
In addition, tools like Shodan make port-based target discovery effortless. At the same time, if Shodan does not index the target port, attackers leverage tools like MassScan, Zenmap and run an internet-wide scan. The latter approach hardly takes a day if the attacker has enough resources.
Similarly, an attacker in search of an easy way to find a list of systems affected by Ghostcat, will port scan all the target IPs and narrow down on machines with port 8009 open.
Software/ services are commonly installed on a distinct default path. Thus, the software can be fingerprinted by observing the signature path. For instance, WordPress installations can be identified if the path ‘wp-login.php’ is detected on the server. This facilitates locating the service as it accesses a web browser.
For example, when phpmyadmin utility is installed, by default it installs on the path ‘/phpmyadmin’. A user can access the utility through this path. In this case, a port scan won’t help, because this utility doesn’t install on a specific port.
Using distinct paths to discover targets to exploit Spring Boot Data Leakage
Gather a list of hosts that run Spring Boot. Since the default Spring Boot applications start on port 8080, it would help to have a list of hosts that have this port open. This allows threat actors to see a pattern.
Hit specific endpoints like ‘/trace’, ‘/env’ on the hosts and check the response for sensitive content.
Web path scanners and web fuzzer tools such as Dirsearch or Ffuf facilitate this process.
Though responses may include false positives, actors can use techniques, such as signature matching or static rule check, to constrict the list of vulnerable hosts. As this method operates with HTTP requests and responses, the process can be much slower than mass scale port scans. Shodan can also fetch hosts based on http responses, from its index.
Software are commonly installed on a specific subdomain since is an easier, standard, and convenient way to operate the software.
For example, Jira is commonly found on a subdomain as in ‘jira.domain.com’ or ‘bug-jira.domain.com’. Even though there are no rules when it comes to subdomains, adversaries can identify certain patterns. Similar services, usually installed on a subdomain, are Gitlab, Ftp, Webmail, Redmine, Jenkins, etc.
Security Trails, Circl.lu, Rapid7 Open Data hold passive DNS records. Other scanners that maintain such records would be sites such as Crt.sh and Censys. They collect SSL certificate records regularly and have an add-on feature that supports queries.
The content published by services is generally unique. If we employ search engines such as Google, to find pages based on particular signatures, serving specific content, the results will have a list of URLs running a particular service. This is one of the most common techniques to hunt down targets, easily.
It is commonly known as ‘Google Dorking’. For instance, adversaries can quickly curate a short list of all cPanel login pages. For which, they could use the following Dork in Google Search: “site:cpanel.*.* intitle:”login” -site:forums.cpanel.net”. The Google Hacking database contains numerous such Dorks and after understanding the search mechanism, it is easy to write such search queries.
There have been multiple honey pot experiments to study the mass scale exploration and exploitation in the wild. Setting up honey pots is not only a good way of understanding the attack patterns, it also serves in identifying malicious actors out there, trying to exploit systems in the wild. These identified IPs/ Network trying to enumerate targets or exploit vulnerable systems end up in various public blacklists. Various research attempts have set up diverse honeypots and studied the techniques used to gain access. Most attempts are to gain access via default credentials, and originated mainly from blacklisted IP addresses.
Another interesting observation is that, most honeypot detected traffic, seems to originate from China. It is also very common to see honeypots specific to a zero-day surface on Github as soon after a the release of an exploit. The Citrix ADC vulnerability (CVE-2019-19781) also saw a few honeypots being published on Github within a short time after the first exploit PoC was released.
Research carried out by Sophos highlights the high rate of activity on exposed targets using honeypots. As reported in the research paper, it took from less than a minute to 2 hours for the first attack on the exposed target. Therefore, if an accidental misconfiguration leaves a system exposed to the internet, for even a short period of time, it should not be assumed that the system was not exploited.
Payment gateways, such as Wibmo, CCAvenue, and PayUbiz, facilitate payments on thousands of online portals. And customers implicitly trust them to secure their transactions. But, as reported by a security researcher, a flaw in the logical design of a previous version of Wibmo payment gateway put its customers at risk. This was because the payment gateway did not distinguish between transactions initiated within the same time frame.
Payment gateways serve as a channel of communication, between merchants and banks, to conduct secure transactions. The gateway encrypts the transaction information, which includes the credit/debit card number, CVV, expiry date, etc. And passes on the information to the payment processor, which acts as the link between the user bank and merchant bank. The gateway confirms the payment, unless the information is incorrect. Then, the processor settles the payment with the merchant’s bank.
One Time Passwords for gateways
In order to secure transactions, 3-dimensional payment gateways add time-based One Time Passwords (OTPs) as an additional layer of authentication. The payment gateway only accepts time-based OTPs submitted within the permitted time frame. After which the OTP is not valid. Even though this additional layer of authentication should secure transactions, a vulnerable gateway, could reduce its efficacy. A payment gateway that is not able to distinguish between transactions, could permit unauthorized transactions.
Flaw in the design of Wibmo Payment Gateway
Wibmo fails to distinguish between transactions processed during a single 180 second time frame.
So, the OTP generated for a transaction is valid for other transactions, in the same time period. Irrespective of the amount or geo-location.
This vulnerability increases the possibilities of a man-in-the-middle attack (MITM) by which the attacker forges the request.
And if the OTP remains unused for the first few seconds or minutes, it allows attackers to conduct fraudulent transactions within the validity period of the OTP.
Explaining the flaw through a scenario
A user initiates a legitimate transaction for Re.1.
They receive an OTP, on their registered mobile number, which is valid for 180 seconds.
Before the user applies the OTP for that transaction, an attacker intercepts the OTP and uses it to process a transaction for Rs.1000. Irrespective of the attacker’s location, and transaction amount, the fraudulent transaction is considered legitimate. And the attacker successfully receives the amount.
Verification of the Wibmo Payment Gateway flaw
CloudSEK’s research team tested Wibmo with various banking systems to confirm the flaw. We found that the same OTP is valid for 180 seconds or more, for any transaction, provided the OTP has not been used already. The screenshots below prove the same:
With the increasing number of online transactions, flaws such as Wibmo’s make users vulnerable to threat actors. Apart from financial losses, it could impact the reputation of the payment gateway, and the online portals using it.
Note: Wibmo became aware of this flaw on the 3rd of August, 2019. The security team at Wibmo closed the issue and marked it as a known functionality on August 12, 2019. And publicly disclosed the flaw on August 25, 2019. Wibmo recommends that portals using its payment gateway should fix the vulnerability, to avoid security incidents.
We have all received calls from fake bank representatives, offering us complimentary credit card upgrades, free Insurance, and assistance to complete KYC (Know your customer) formalities. And to provide these services, they would have requested us for credit card or debit card details.
However, in the last few years, the general public has smartened up to this scam. And most of us don’t indulge these calls anymore. And in response to this, scammers have repackaged their scams, that are delivered to us, via other channels. The new schemes are so convincing that we reach out to them.
Let’s explore these sophisticated approaches and the various resources that allow scammers to continue defrauding us.
What makes us vulnerable?
Most people unequivocally rely on Google search for everything ranging from bank locations to restaurant reviews. So, it is only natural that scammers have started targeting Google services, to index bogus web pages that contain fake bank branches and customer care numbers. Also, it is simple to list a business on Google, because there is no detailed verification process. In 2018, police busted a scammer who was running a fake branch of Karnataka Bank in UP’s Ballia.
How are fake banking services provided?
The scammer buys a domain name that closely mimics the targeted bank. They replicate the bank’s trademarks, logos, and website design, to give it an air of authenticity.
They set up telephone numbers which are advertised on the fake website. The scammer goes the extra mile, to convince skeptical users, by mimicking original caller tunes, hold tunes, and following standard operating procedures.
Sometimes, scammers even set up interim branches and kiosks, employing people at different levels, so that it appears to be a legitimate operation.
They then list themselves on Google services with seemingly genuine location details.
When a customer searches for a bank branch or customer care number, these sites appear as top Google search results.
When the customer calls the fake number or visits a fake branch, scammers slip questions about CVVs (Card Verification Value) or ask for OTPs (One Time Password) in the middle of the conversation.
They may even advise users to download and install certain remote desktop sharing apps or open links that give them the control of the customer’s mobile device.
Scammers especially favour UPI (Unified Payment Interface) and other similar apps. They will ask for a victim’s UPI ID, and convince them to accept 1 rupee on the app. Wherein, instead of accepting money, unaware and inexperienced users, will in fact be remitting a large amount from their account.
Are there precautions we can take?
Stay abreast of scammers and the different types of online scams.
Proactively monitor the surface web and alert authorities of any scams you have identified.
Inform targeted banks about such scams. It will also help them to initiate the takedown of such sites and apps and ensure others don’t fall prey to these scams.
If you have concerns about your organization’s security posture, contact us: Request a Demo now.
FASTag Phishing Campaigns Flourish on Social MediaWith FASTag, toll collection is the latest of our everyday services that has gone digital. And, as is their wont, cyber criminals have already figured out ways to exploit it. FASTag, which is an Electronic Toll Collection (ETC) instrument, is mandated by the Government of India, for all vehicles passing through toll booths across the country. Considering the growing adoption, combined with users’ limited experience, it is not surprising that scammers are launching phishing campaigns by employing novice social engineering approaches.
In this article, we explore the different types of phishing campaigns and the channels that facilitate them.
FASTag Phishing Campaigns
Though FASTag is a straightforward service, there are several avenues, ranging from distribution to after-sales support, through which scammer can exploit it.
Scammers are defrauding people in the following ways:
Selling fake FASTags
Recruiting other scammers
Selling FASTag distributor rights
Operating fake helpline numbers
Providing unblocking services for blacklisted FASTags
Scammers are delivering these campaigns via:
Deep web sites
Surface web sites
We will investigate each of these scamming methods and the channels used to facilitate them. While FASTag scammers are present across the internet, they are especially active on social media because of how easy it is to create accounts and conceal their identities.
Selling Fake FASTags
There are social media profiles, personally promoting the “FASTag” project implementation (especially in local languages), even though they are not officially authorized or connected to the project.
Some accounts are also offering services on behalf of authorized FASTag banking partners, by advertising the bank’s name along with their personal contact numbers. Since we cannot verify if such individuals are authorized to act on behalf of these financial institutions, it is best to avoid responding to their posts, to avail their services.
There are also social media posts that are promising free FASTags and FASTag services, even though the actual price is INR 500. However, they appear trustworthy to the general public because some of these campaigns include genuine images.
Since FASTag became mandatory on 1st December 2019, we have observed phishing emails, delivered from various networks, to personal email IDs. Many of these campaigns use the classical approach of furnishing lookalike “from” names. In this case, ‘FASTag’, in some form, appears in the name of the sender. The domain name of the email is only visible when we purposely expand the ‘from’ address. This allows scammers to mislead receivers of the emails, since we don’t generally inspect the sender’s complete email address.
As seen above, the sender’s name is ‘Axis FASTag’ and only on closer inspection, we notice that the email id is: firstname.lastname@example.org and the domain name is: indiafamous.info. And, the website’s location is listed as Bihar. It is safe to assume that the below email is a phishing attempt. (We have noticed that previous phishing campaigns targeting NPCI, were also mapped to the same location).
Given the size of the targeted audience, scammers will not spare any platform through which they can prey on the public.
Here is a case of an OLX listing that is advertising Axis Bank’s FASTag service.
Further investigation threw up listings like the ones below, in which the prices have been inflated. By inflating and then reducing the price of the tags, scammers are trying to make their proposition more attractive. This is a major red flag that is indicative of a phishing campaign.
We also observed that some of the vendors are offering free GPS along with the tags. And the tags themselves are listed at prices lower than the actual cost of INR 500. But, it is not clear from the listing, if a standalone GPS comes free with the purchase of a FASTag.
As seen from the below post, in which a vendor ‘Vivek Shukla’ from UP, has listed FASTag as “Fastage” along with a GPS app. The app is not officially associated with FASTag.
Deep web campaigns
We have spotted a series of phishing campaigns on various blogs and deep web sites. These advertisements offer FASTag services by using the names of popular banks such as Axis Bank, HDFC Bank, etc.
These campaigns are being widely spread through chat platforms such as Sharechatas well.
On clicking the link, the page is redirected to an ad-hosted campaign which is not connected with Axis Bank FASTag services. And visiting these malicious links makes the visitor’s device vulnerable to malicious software, such as adware or other PUPs (Potentially Unwanted Programs). This, in turn, creates a backdoor to all vital information on the device and helps scammers fund other malicious campaigns they run.
Moreover, on analysing the details of the page through Virus Total, it was found to be listed as spam.
Ad campaigns on other sites
We spotted ad campaigns on other unrelated websites such as a music download service. Through which unwary users can be clickjacked to phishing sites.
Surface web sites
The official way to buy FASTags is via NPCI , authorized banking partners such as ICICI or HDFC, wallet partners such as UPI Airtel Payments, or authorized vendors. Yet there are similar looking domains, registered to individuals, that are masquerading as official vendors of FASTag.
Though the above mentioned sites are not functional at the moment, there is a chance that they may become available at any time, to host phishing campaigns, by assuming an air of legitimacy.
These are only a few examples of domains that use some version of “fastag” in their name. There are many more, yet to be listed or found. Some of these domain names, which have not been bought yet, are available at cheap prices.
Recruiting other scammers
While scammers directly exploit new FASTag users, they also attempt to recruit other people to carry out such campaigns. Here are examples of such posts, from a private Facebook group, in which a scammer has advertised FASTag as an opportunity to make money.
Selling FASTag distributor rights
Authorized sales and service providers/vendors employ agents to sell and top-up FASTags. However, we have observed the presence of unauthorized people, on closed Facebook groups, who are selling free agent IDs. Which is why, FASTags procured from 3rd party agents, may or may not be genuine.
Here are some examples of Facebook posts offering free Agents IDs.
Operating fake FASTag helpline numbers
There are posts on social networking sites that are advertising phone numbers and email ids that are not the official FASTag support contacts. They offer to set up FASTags or provide other related support. Calling such numbers is a sure-fire way to get defrauded.
We also found several unofficial social media accounts listing email ids that mimic the official email contact and vendor names. For example: email@example.com “FASTag” and “HDFC”. Thus, setting up a honeypot, for unsuspecting people looking for genuine support.
Another phishing email id was mentioned as a point of contacton a flagged website. The website promotes this email id for any issues related to FASTag.
Email ID: firstname.lastname@example.org
As observed from the above post, threat actors are advertising FASTag at a discounted price of INR 300, even though the original price of INR 500. Subsequently, people tempted by such offers, call these numbers, and become easy victims.
A well-crafted poster appeals to the general public as advertisements for reliable/ legitimate services. Upon investigation, we found that the service provider ‘Aveon’ does not have an official website.
Providing unblocking services for blacklisted FASTags
As with any new service, FASTag has a few ongoing issues. Some tags appear as ‘blacklisted,’ while passing through the toll gate, even though there is sufficient balance in the owner’s wallet. Consequently, scammers are exploiting this loophole in the system, by launching a campaign that offers unblocking of “blacklisted” tags.
How do we avoid becoming victims?
In conclusion, these examples are just a tip of the iceberg, in the zeitgeist of ongoing scams. But they clearly show that if we, as end users of FASTag, are not vigilant, we can become easy victims of these malicious campaigns.
End user precautions:
Don’t rely on individual vendors. Instead, buy FASTags from NTEC or from other official banks.
Don’t reveal OTPs received on your phone to anyone via call, or in person.
Never fill forms found on blogs or websites with look-alike domains that include the keyword “fastag”.
Never click on hyperlinks provided in phishing emails, especially with subject lines such as “Free FASTag” etc.
Avoid calling random toll free numbers, especially those flashed on third party websites/blogs. And, reach out to NTEC or Official Bank Helplines, for support.
Above all, don’t post or tweet any of your personal/transaction details (if you have not received your FASTag after applying for it). As this would help fraudsters customize their approach based on your specific problem.
Miscreants recently siphoned INR 4.57 million from Creative Engineers’ bank account. The attackers first hacked the proprietor’s gmail account and sent an email to Airtel to confirm the SIM swap. With access to his email and phone number, they were able to gain access to his internet banking credentials, to carry out the attack. The attackers employed SIM hijacking, which is the process of deactivating a SIM and appropriating a phone number, to pass the internet banking authentication.
If you have a phone, you are a target.
Other than being a convenient mode of communication, mobile phones also serve as authentication for a variety of services.
Since password protection alone could not secure accounts, we introduced 2 Factor Authentication, linked to our email or phone number, to protect sensitive accounts. This includes emails, online banking accounts, and cryptocurrency exchanges.
Time has come, to assess if 2 Factor Authentication is still ironclad. Given the success of attacks such as SIM hijacking, it looks like hackers have found a way to get around that as well.
SIM Hijacking is the process through which a hacker confiscates your phone number and deactivates your SIM card, rendering it non-functional.
Getting access to your SIM is usually just one part of a larger scam. In order to siphon your bank accounts or steal sensitive information, a hacker needs access to your account details also. Without which they cannot successfully bypass 2 Factor Authentication.
SIM Hijacking is also used to steal Instagram usernames that are then sold for Bitcoin. This form of attack, though not as rampant, should be monitored, considering the potential impact.
Sophisticated strategies to compromise a phone number
SS7 and Diameter attacks function by attacking the underlying telecom network/protocol. This allows an attacker to take over any phone number by intercepting SMS-based tokens, account recovery codes, and calls.
IMSI catchers are RF devices that enable an attacker to take over a phone number by intercepting and injecting cell traffic. This method requires physical proximity to the target.
Fig 3: ISMI catcher used for SIM hijacking
SIM Hijacking targets a carrier through conventional attacks, or by social engineering support staff, to take control of a phone number. This is known as SIM porting/hijacking, which is becoming increasingly popular with attackers.
Execution of SIM Hijacking
In India, hackers often contact victims, posing as executives from telecom companies, offering better network plans or discounts. They usually verify your full name, address, phone number, DOB, last four digits of social security number (SSN), Aadhaar number, or other security questions.
The attacker then tries to obtain your unique 20-digit SIM number and SIM swap authentication. For example: If you are a Vodafone user, the attacker will use a new Vodafone SIM to process the SIM exchange. Vodafone will send a confirmation SMS on your phone number. And the attacker will instruct you to press a digit to authenticate the SIM swap. Vodafone will then officially initiate the SIM swap.
Once the swap is successful, your SIM will stop working and won’t have cell reception. On the other hand, the attacker’s new SIM will be fully functional.
The attacker, in most cases, will already have your banking ID and password. All they need is the OTP to perform fraudulent financial transactions. Hijacking your number allows the attackers to pass the 2-step verification process. This gives the hacker access to your accounts across Google, Twitter, Facebook, O365, online banking, and crypto currency trading platforms.
Fig 4. Execution of SIM Hijacking
What if the hacker has an individual’s email ID but not their phone number?
With your email ID the hacker will initiate a password reset process for your accounts.
The hacker can reset your password using a link or a secret code received via email, SMS, or phone call.
To reset a password with an SMS or a phone call, the prompt displays part of the phone number. Depending on the platform, the number of digits visible, may vary. This is because there is no standardized way to mask personal identifiable information (PII) such as phone numbers. For example, Paypal reveals the first digit and the last four digits. While some other platforms show the first digit and the last 2 digits.
Similarly, the hacker will use your email on different platforms to reveal more digits of your phone number.
A typical Indian mobile number format is: “+91-XXXX-NNNNNN”. The first four digits indicate an operator’s code, while the remaining six digits are unique to the subscriber. The hacker narrows the options by detecting the operator code.
There are many ways an attacker can verify if the shortlisted phone numbers are linked to the email address:- Using search engines to check if you have posted your phone number on a forum, website, etc.,
– Employing online services such as Pipl or Spokeo that have huge databases with personal information
– Using telephone system online services that allow you to reverse search the owner of a phone by its number.
By abusing password reset options, and by brute-forcing using publicly available information, a hacker can obtain your complete phone number.
When the hacker has a phone number, this process is reversed, to obtain the corresponding email ID. Services such as Amazon and Twitter allow password reset using a phone number. For this, a verification link is sent to the associated email ID. The prompt for which, displays a few characters of the email ID. Amazon provides the first and last letter of the username and the full domain. Also, the number of masked characters reveal the length of the username.
While it is incumbent on telecom carriers to enforce stringent measures to prevent attacks that target phone numbers, it is also important for us, as mobile phone users, to be able to identify the signs of a SIM Hijacking attack.
You are a victim of SIM Hijacking if you:
Lose cell service for an extended period of time.
Get locked out of your email and social media accounts because the passwords have been reset.
Receive suspicious calls, during which the executive asks for your personal details or SIM number.
Another layer of security, while helpful in the short term, won’t be fool proof. As witnessed from the breach of previous security frameworks, hackers will find a way to circumvent the new layer of security as well. So, how do we shield ourselves against SIM Hijacking:
Use PIN based authentication. Most carriers offer the option to protect your accounts using a passcode or PIN.
Using an authentication app such as Google Authenticator instead of receiving the two-factor authentication code via SMS.
Link sensitive accounts to a separate phone number and keep it confidential.
Label email addresses and phone numbers. So that the hint prompt displays labels such as “Home phone”, instead of your phone number.
As evident from the recent attack on Creative Engineers, hackers are increasingly resorting to SIM hijacking. And being linked to the services we use every day, makes each of our phone numbers valuable targets.
While telecom operators need to bolster the security of their networks, as users, our best defense is awareness. We can protect ourselves by taking simple precautions and by understanding how scammers orchestrate such attacks.
During the 2019 — 2020 holiday season, XVigil identified several phishing sites targeting popular eCommerce companies. Many of the domains were registered in December and were subsequently taken down after Christmas or New Year. This indicates that the sites’ main targets were shoppers, eager to avail holiday discounts.
Detection of phishing sites
XVigil’s fake domain finder monitors the web for fake or similar looking domains that might infringe on a brand. When we calibrated XVigil to monitor Indian eCommerce companies, we detected a wide range of phishing domains.
Firstly, we ascertained the phishing sites’ domain details, including the server, IP, registrant, and admin.
Prima facie, we were able to determine that the sites had certain similarities:
Irrespective of the eCommerce site being targeted, the most common payment platform was Paytm payment gateway.
Many of sites, including 2 Paytm phishing sites (hxxp://paytm-megaoffer.com* , hxxp://wowbuzz4.com/pytm_mall*) were hosted on the same IP. So, both the sites could be the work of the same scammer/ group of scammers.
Some sites, though not hosted on the same server, share overall website design, look and feel, site navigation, and data input methods.
Paytm phishing analysis
The sites appear familiar and trustworthy because:
The look and feel of the sites are similar to the official Paytm site.
Usage of Paytm logo.
Transacting through the widely trusted Paytm payment gateway.
The sites list a limited number of products, but at highly discounted prices. For example: the listed price of the iPhone 11 is INR 5999. And there is a countdown that indicates the offer is valid only for the next few minutes. These factors make it tempting, for even the most discerning of customers, to make hasty purchases.
The following characteristics of the sites are proof of the scammers’ rudimentary technical skills:
Presence of default or dummy content.
Poor web design features such as blurred images and grammatical errors.
Poor coding practices such as the absence of validation of details entered in the phone number and pin code fields.
The conspicuous lack of https certification.
Limited product catalogue.
Unbelievably low pricing.
How the phishing sites work
The shopper browses the site and adds the product to the cart.
The billing section collects the customer’s personal details including phone number, email id, and address. The scammers could use these details to devise other fraudulent schemes.
The customer is directed to the payment page.
The customer then lands on the Paytm payment gateway to complete the transaction.
Paytm Payment Gateway Analysis
Many phishing sites, irrespective of the eCommerce company they are targeting, use the Paytm payment gateway. It is notable that there are merchants registered with fake names such as ‘for’. One of the merchants goes by ‘One Communications’. The name closely mimics One97 Communications, which is Paytm’s parent company; lending the site an air of legitimacy.
From the source code of the payment pages we identified the following merchant details:
hxxp://paytm-megaoffer.com* Merchant: One Communications MID: kRdXWH24078674748775
hxxp://paytmmallcart.com* Merchant Name: for MID: GPZvOS78323169981271
hxxp://flipkart-loot-offers.com* Merchant: Online Mobile Shop MID: kLJwiy42558605770665
hxxp://newyearflipkart.com* Merchant: Lucky Mobile And Lamination MID: nixGaL07658395498481
Source Code Analysis
We analysed the source codes of both the sites and discovered that hxxp://paytm-megaoffer.com* was importing the hxxp://wowbuzz4.com/pytm_mall* source code.
It was found that hxxp://paytm-megaoffer.com* and hxxp://wowbuzz4.com/pytm_mall* have the same Google Analytics ID (UA-131481750-1). It is uncommon for 2 unrelated sites to have the same Google Analytics ID.
This indicates that both the sites belong to the same scammer/ group of scammers.
The contact details used to register hxxp://paytmmallcart.com* are not available, and that of hxxp://wowbuzz4.com/pytm_mall* cannot be traced back to any person or organization. However, hxxp://paytm-megaoffer.com* can be traced back to Parate Traders, a business in Nagpur.
Despite having different name servers, hxxp://wowbuzz4.com/pytm_mall* and hxxp://paytm-megaoffer.com* are hosted on the same IP. Therefore, whoever runs hxxp://paytm-megaoffer.com*, is likely responsible for hxxp://wowbuzz4.com/pytm_mall* also.
Impact of phishing
Phishing scams are the oldest and most rampant type of cyber threats. They are fairly simple to orchestrate, but have the potential to severely impact a company’s reputation and revenue.
Apart from the targeted eCommerce companies, phishing also damages the reputation of the payment gateway that facilitates the fraud. Paytm for Business enables a variety of online and offline transactions. Hence its reputation, among shoppers and legitimate merchants, will be tarnished by the concerted misuse.
We found a social media poster who claims to have lost money to a Paytm phishing site. Other than the immediate loss of money, users could become victims of other scams that leverage the personal details, collected via the phishing sites.
Considering how easy it is to buy a domain, phishing cannot be tackled by taking down pages or sites. Also, companies often detect phishing sites, only after users have been affected. To begin with, eCommerce companies should proactively monitor and take down phishing sites. In addition, Paytm should also disable/block the scammers’ Paytm for Business accounts. This will hinder transactions on all phishing sites that use the same merchant accounts.
In the long term, eCommerce companies should identify and counteract the servers that host these phishing sites. Furthermore, they should also take action against scammers, whom they can identify, by leveraging the domain details and MIDs.
Phishing sites such as hxxp://paytm-megaoffer.com*, hxxp://wowbuzz4.com/pytm_mall*, and hxxp://paytmmallcart.com*, are not anomalies. When combined with the misuse of Paytm payment gateway, these scams indicate, a concerted effort to exploit Paytm and its users.
A company’s brand image is the fruit of sustained effort and strategic planning. However, it takes only one malicious attack, to undo the hard won trust and goodwill of their customers. And any damage to this intangible asset can have serious and far-reaching consequences.
A continuous monitoring tool, such as CoudSEK’s XVigil, helps companies sustain continual brand scan, to effectively combat fake pages, impostors, rogue applications, and domains.
*Note: All http links have been obfuscated to hxxp to avoid spam alerts. [/vc_column_text][/vc_column][/vc_row]
The dark web, which is a component of the deep web, is the nesting ground of online, as well as offline criminal activities. Though most of us have a general understanding of the dark web, we are still unaware of the specific activities it facilitates, and how it affects us on a daily basis.
ATMs are a common part of our everyday lives, yet we know little about how ATMs can be exploited, by even the most novice of attackers. At CloudSEK, we have unearthed a range of techniques and devices, that are used and sold on the dark web, for the purpose of hacking ATMs.
There used to be a time when hacking an ATM required sophisticated skills and tools. Not anymore. We have encountered amateurs with rudimentary skills, who have hacked ATMs, using the tools and tutorials available on dark web marketplaces. This is possible because the devices sold on the dark web come with detailed instruction manuals. And most of these devices can be operated remotely, using an Antenna, to target systems that run on basic Windows XP.
ATM Malware Card
On the dark web, anybody can buy an ATM Malware Card, that comes with the PIN Descriptor, Trigger Card and an Instruction Guide. This manual provides step-by-step instructions on how to use the card to suspend cash from ATM machines. Once the ATM Malware card is installed in the ATM, it captures card details of all the customers who subsequently use the ATM. The Trigger card is then used to dispense cash from ATMs.
The image above, shows the product description provided on dark web marketplaces, to advertise the features and benefits. This malware mainly targets ATM machines that run on Windows XP. This card is capable of drawing out all the money that is available in the affected machine; which could amount to as much as $500,000. The product description is so detailed that even a layman can use it to hack an ATM.
USB ATM Malware
Another prevalent method to fraudulently dispense cash from ATM Machines, is by infecting them with a Malware hosted USB drive. This method also targets machines that run on Windows XP.
This image describes the product in simple words, with details about what files are contained in the USB drive, and instructions on how to use it to orchestrate an attack.
ATM SKIMMER SHOP (ALL IN ONE)
Apart from individual sellers, there are also online shops that sell such products. One such shop is the ATM Skimmer Shop (all in one), that offers ATM hacking appliances such as EMV Skimmers, GSM Receivers, ATM Skimmers, PoSs, Gas Pumps, Deep Inserts, etc.
The same shop also offers prepaid credit cards with high balances at different price points. The shop also updates and stocks itself with the latest cracking devices released in the market, such as POS Terminals, Upgraded Antenna, custom-made ATM Skimmers, RFID Reader/Writer, etc. This shop was previously available on the surface web, but is now available only on the dark web. Here, hacking devices that need be physically attached to ATM machines, such as the ATM Insert Skimmer or Deep insert, are also sold.
The image above describes the benefits of using an insert skimmer to hack an ATM. It is advertised as a “plug and play” product, implying that it is a ready-to-use product.
Anyone who has access to the dark web and this shop, can order any of their products, hassle-free. Another such online shopping site is the Undermarket that claims to sell bank fullz and physical bank cards on their platform.
There are underground hacking forums that discuss and sell tutorials on how to hack bank accounts using Botnets, and other such topics. Forums such as Optimus Store, sell these malicious files for $100.
A recently uncovered, active ATM Jackpotting method that uses a malware, is called Ploutus-D. It works by compromising components of a well-known multivendor ATM software, to gain control over hardware devices such as dispensers, card readers, and pin pads. It allows the hacker to suspend all the cash from affected machines, in a few minutes. The source code for this malware, along with instructions on how to use it, are sold on the dark web.
As hacking tools and techniques become ubiquitous, it is important to be aware and vigilant, by understanding new and sophisticated trends in hacking, and how you can defend yourself against them.
XVigil Solutions provide organizations unified supervision across the internet, their brand, and their infrastructure. It yields analytics and actionable intelligence, needed to tackle external threats, by deploying comprehensive security scans and monitors.
Leaking the source code of the proprietary tools is not a new scenario in the cyber threat arena. Recently, Windows 10 source code was leaked into “Beta Archives’ FTP”; (later removed) which is an active discussion forum on Windows Releases.
Sometimes, it may be an Insider Threat (Breach) or other times, it may be an Intrusion which ultimately classified into “Leaks”.
Few months ago, the source code of the proprietary tool named “Presto”- a browser layout engine used by Opera, was leaked in January 2017 into a code sharing site “GitHub” and later to “BitBucket”. Although Opera is recognized as an open source material in the outer world; the layout engine which they were using earlier was a proprietary product inside the Opera Community.
It was taken down immediately by the DMCA Takedown Request filed by Opera; the complete packages had been removed from multiple code sharing platforms like GitHub and BitBucket.
The netizens had expressed their notion against the takedown of Presto Engine; expressing their views to open source the product; voicing through social media platforms like Reddit and other online forums; but no response hit back.
This onion site also provided the ways to download the entire package (which is huge) using the following wget command:
wget -m http://xxxxxxxx5q5s4urp.onion/
In case, if any error occurs while mirroring/downloading the complete onion domain; the site had also facilitated it by subdividing each branch; hence making it into archives format: http://xxxxxxxx5q5s4urp.onion/browser.git/, so that clone command can be used effectively as:
git clone xxxxxxq5s4urp.onion/browser.git
During an investigation, it was found that the onion site had been created on 20th December, 2017 and is hosted on an unstable Nginx server. It was accessible at some time; which makes it unstable.
Hosting the leak in the deep web is a clever method to evade the take downs from DMCA or other legal entities, as the onion domains will not be tracked; and can’t break until it is attacked by any means like DDoS.
Presto was being used by Opera till 2013; switched to WebKit engine.
Although the source code had been in no use; still it can be referenced by anyone to analyze the methods in the Opera community; hence the future proprietary apps from Opera could be using the same strategy for the development.
CloudSEK is a Unified Risk Management Platform. Our AI/ML technology based products XVigil and CloudMon monitor threats originating from the Web, DarkWeb, Deep Web, Web applications etc.. and provide real time alerts.