Category: News

PayPal Phishing Sophistication Growing

Phishing is a frequent topic of conversation in the media, but what exactly is it?

Phishing is the attempt to trick a victim into providing sensitive information such as usernames, passwords, credit card and banking information or other private data through the use of a realistic-looking email that appears to come from a legitimate website or business. The general idea behind a phishing attack is to entice a victim into clicking a link, much like a fisherman attempts to catch a fish with a lure on a hook. Once a victim falls for this and clicks a link in a phishing email, they may be directed to a seemingly legitimate website where they are prompted for information or to download malicious software.

While the majority of phishing attacks are not personalized and are sent to as many potential victims as possible, targeted phishing also occurs. Targeted phishing uses known information about a recipient to better convince them into providing credentials. A well-crafted targeted phishing attack can defeat even the best security controls if an attacker is able to collect highly-privileged login credentials.

To better understand how phishing attacks are conducted and how they sometimes convince end-users to type credentials into legitimate-looking websites, we will walk through some recent examples of advanced phishing attacks seen by OpenDNS Labs.

 

Details

On January 26th at 11:15pm UTC, OpenDNS Security Labs detected multiple domains created to impersonate a Paypal website for use in an email phishing campaign and personal information harvesting.

One of the primary websites (redirectly-paypal[.]com) was registered on January 25th, 2015 through Wix.com based on nameserver information (or possibly registered at Network Solutions, Inc. and then transferred to Wix.com’s nameservers). One of the fraudulent domains (security-paypal-center[.]com), which has been dormant since its expiration in 2005, was re-registered January 22nd, 2015 – again through Wix.com. We also found a few other Paypal related spoofing domains that we display below: x-paypal.com, securitycheck-paypal.com, paypalinspection.com, area-paypai.es, and many more (not shown).

Based on the auto generated privacy email within the registrant’s WHOIS information (Figure 1), we can ascertain that both domains were registered at the same time – likely on the same transaction.

Figure 1 – WHOIS Information for Both Domains

Screenshot 2015-02-04 16.05.50

The fraudulent Paypal websites (Figures 2, 4, 5, 6, and 7) are virtually indistinguishable from the legitimate PayPal.com site (Figure 3).

Figure 2 – Fake Site

fraud

In fact, the fraudulent site borrows much of its image, text, and color scheme from the real site.

Figure 3 – Real Site


During the writing of this post, a fraudulent site was discovered that looked like a perfect clone of the legitimate PayPal.com site – but using an unusual domain: x-paypal[.]com.

Figure 4 – A Fake Site

In this image, we see attention to detail in presentation, but with the odd domain name, x-paypal[.]com. An untrained observer might not notice and actually follow through with entering credentials.

We saw that this was registered with ENOM INC., a registrar that consistently came up when investigating these typo-squatting domains:

enomss

The next image is an example of a slightly more sophisticated attack, in which the attackers copied HTML code directly from the legitimate PayPal[.]com in order to set up their own realistic phishing website. Additionally, the domain, securitycheck-paypal[.]com might lead a less observant user to avoid questioning its legitimacy.

Figure 5 – Another Fake Site

securitycheck

Figure 6 – Another Fake Site

The following phishing attempt is spoofing an Apple ID Verification page at the domain paypalinspection[.]com. While the services that PayPal and Apple offer are unrelated, it’s possible the the unobservant user could fall for this and enter their Apple ID credentials.

ApplePaypal

Figure 7 – Another Fake Site

In following attempt, there is less attention to detail in the replication of the PayPal login page. It uses some original content pulled from actual PayPal servers, but is in Spanish while being sent to English-speakers. Additionally, the domain, area-paypal[.]es is fairly far-removed from paypal[.]com. A potential victim of this phishing attempt would hopefully notice something isn’t right before continuing.

90sPaypal

OpenDNS Investigate Observations

The following information was surfaced by our OpenDNS Investigate product and shows the global query traffic, registrant, and IP information for the aforementioned domains:

redirectly-paypal.com

pp2

security-paypal-center[.]com

ppal

Both domains are hosted with CyrusOne LLC (http://www.cyrusone.com/), a provider of global datacenter facilities for colocation of servers. The company boasts customers such as CarFax.com, Dell, Enbridge Energy Company Inc., and Rent-A-Center. A quick look at the Autonomous System (AS) number associated with CyrusOne (AS20013) shows a number of similarly fraudulent PayPal-related domains. Some examples include:

  • helpcenter-paypal-rosolution[.]pepitoheyashi[.]ga
  • paiiypal[.]com
  • paypal-secure-account-information[.]reikitrainingjourney[.]com
  • paypal[.]com[.]user[.]accounts[.]lwproductions[.]net
  • paypalcomcgibinwebscrcmdloginsubmitdispatch58z8duft875dl80al[.]planetevents[.]co[.]in
  • paypalupdate[.]uploadppl[.]com
  • paypaluserupdateinfoforupaypalnowclosedbypaypal[.]bodybuildingexercise[.]org
  • update[.]paypal[.]com[.]kgreendesigns[.]co[.]za
  • www[.]paypal[.]com-webapps-cgi-bin-webscr-login-access[.]com

OpenDNS has reported these domains to PayPal. We have received confirmation that its fraud and abuse department is currently investigating and working to take them down. In the meantime, OpenDNS has blocked access to these domains for all users of our DNS infrastructure.

Fraudulent Phish Workflow

OpenDNS-Phishing_Flow_final

 

These attacks are not new, but they are beginning to look more legitimate with every iteration. Companies like Wix.com make it trivial to create a professional looking site these days – and the attackers have noticed. All users should remain diligent when surfing the Internet, clicking on links in emails, and opening attachments. The difficulty of identifying the validity of these websites visually will soon be untenable.

Detection

OpenDNS Security Labs specializes in developing anomaly detection models to identify different types of attacks. For this particular algorithm we utilized natural language processing techniques such as a fuzzy substring matching, and a modified Levenshtein distance to check for the word distance between legitimate and typosquatting domains (ex. malware.com vs. rnalware.com, linkedin.com vs. 1inkedin.net, ). We also leveraged SecurityGraph’s vast amount of data to investigate different types of attacks in our user’s DNS data. For example, we built up an ASN map of all legit domains mapping to their appropriate ASNs (ex. Google->ASN 36492 ).

This idea was previously outlined in the DarkHotel blog. In addition we mined these adversarial domains’ WHOIS records to extract patterns. When registering a domain on internet, registrants typically have to provide information about the entity registering the domain. One of the ways we are able to track these adversary syndicates is mining their WHOIS records for patterns. Searching the WHOIS database for registrant information among these domains, a common denominator that was noticed was the use of Perfect Privacy, LLC.

Using privacy protection is nothing new, yet does add another layer of obfuscation. The use of this particular privacy provider accounted for a majority of the more sophisticated sites that were identified, leading to the theory the same actor(s) were involved in the production of these sites. We also found that many of these domains were created/registered very recently, some within the past couple days, most within the couple months.

Recommendations

Some of the indicators to look out for to make sure you don’t fall victim to this type of attack is to verify that the site is using HTTPS and a legitimate SSL Certificate from the organization you are visiting. All of the spoofed sites we saw served their content over HTTP, which is highly uncommon for money transfer sites.

Other items to notice are variations in the layout from the legitimate site. The original phishing email could also provide clues as to its authenticity. If the wording is off or it’s blatantly asking for you to enter your password somewhere, it could be phishing. A more advance user may want to review the headers of an email, tracing the path to determine if it was spoofed to look as if it is coming from another location.

The post PayPal Phishing Sophistication Growing appeared first on OpenDNS Security Labs.

Visualizing 2014 Attack Data

Leveraging the data and threat intelligence derived from our massively distributed and global DNS infrastructure, OpenDNS saw more than 2% of the world’s Internet connections, blocked more than 80,000,000 malicious requests per day, and ensured quick and reliable DNS resolution for more than 50 million active users daily in 196 countries.

As a result we at OpenDNS Security Labs had a unique view of the year’s prominent security events. As we prepared last year we decided to release a stunning Visualizing Attack Data microsite covering 8 of the most prominent security happenings in 2014. Though this is not a complete list of every security-related event in 2014, we believe it to represent a great sampling of some of the most publicized and prominent events that affected the Internet at large.

All of the visualizations were constructed with OpenGraphiti, our free and open source 3D data visualization engine for data scientists to visualize semantic networks, and OpenDNS data. More information on how to use OpenGraphiti can be found at http://www.opengraphiti.com.

Without further adieu, we present to you the 2014 Visualizing Attack Data site…

Visualizing Attack Data

 

The post Visualizing 2014 Attack Data appeared first on OpenDNS Security Labs.

Internet of Things (IoT) meets the Internet of Holidays (IoH)

As the OpenDNS Security Labs team took some much needed time off, we found ourselves wondering what “toys” would be connected to the Internet throughout the holiday season, and what traffic patterns would emerge as a result. This blog post will detail some of our findings through the lens of the Internet of Things (IoT) connected devices, home automation products, toys, and wearable devices.

Belkin International, Inc., an American manufacturer of consumer electronics that specializes in connectivity devices, had a relatively flat showing throughout the holiday season. The only item of note was an uptick on Monday, December 15th at 04:00 UTC. We cannot directly correlate this anomaly with any recent events so this will likely remain a mystery.
heartbeat.belkin.com
Competitor D-Link Corporation (Chinese: 友訊科技), a Taiwanese multinational networking equipment manufacturing corporation headquartered in Taipei, Taiwan, saw a similar pattern in traffic destined to signal[.]mydlink[.]com
signal.mydlink.com
If we look at signal[.]eu[.]mydlink[.]com, however, we notice a surge on Christmas Eve and Boxing Day (spanning multiple timezones). Again, another curious spike on December 9 that cannot be correlated to anything of consequence.
signal.eu.mydlink.com
One of the most noticeable spikes after Christmas was related to the Phillips Hue lighting devices. We saw peaks of more than 1,800 queries per interval which is likely associated with the installation and configuration of the lights. With the recent announcement of the 12 Monkeys television series synchronizing with Hue home lighting to match the onscreen action, we find ourselves wondering what this traffic will look like in the coming weeks.
my.meethue.com
Google-owned Nest saw very little increase during the holidays, perhaps due to the complexity required to install the devices – compared to that of a simple lightbulb. We find ourselves wondering if this will spike in the new  year and if spikes will be seen predominantly on non-workdays.
nest.com
Arrayent, Inc., a software company that has developed the Arrayent Connect Platform, experienced a sizable spike in traffic to its primary domain arrayent[.]com. The largest spikes we saw, however, were before the holidays even started – perhaps people purchasing new appliances before their guests arrived?
arrayent.com
You may not have heard of Arrayent before but you’ve probably heard of some of the brands they partner with.
arrayent-brands-slider
We looked at some of these brands including Whirlpool (whirlpool-sw1[.]arrayent[.]com).
whirlpool-sw1.arrayent.com
and Chamberlain (chamb-api[.]arrayent[.]com), a manufacturer of garage door openers and associated equipment.
chamb-api.arrayent.com
So what caused the Arrayent spike? We’re still investigating.

August[.]com, makers of the August Smart Lock, saw a significant increase leading up to and continuing through the holidays. We saw peaks as high as 3,537 queries per interval during our analysis timeframe.
august.com
The most interesting spikes, and perhaps the most concerning if you are a parent of a small child, was that of traffic associated with educational entertainment company Leapfrog. The company homepage – leapfrog[.]com – saw a significant post-Christmas surge to more than ~31,000 queries per interval. At first glance, we thought this might be related to parents’ searching for instructions on how to configure the devices for their kids, registration of the devices, and even application downloads.
leapfrog.com
Looking at some of the co-occurring domains we noticed the lfcam[.]leapfrog[.]com domain had an abnormal spike as well. One can only assume that this is in some way related to a LeapFrog camera (hence ‘lfcam’) either registering or, even more alarming, uploading pictures taken by users of the devices.
lfcam.leapfrog.com
The devicelog[.]leapfrog[.]com domain also sees a significant increase that likely correlates with newly purchased devices. Are these diagnostic messages being sent up to the LeapFrog cloud or are they usage statistics for actions taken on the devices?
devicelog.leapfrog.com
Perhaps the most depressing, yet predictable, traffic pattern observed was that of the FitBit wireless-enabled wearable devices and activity trackers. With the start of Hanukkah (on December 18) and throughout Christmas we noticed a steady decline in callbacks to api[.]fitbit[.]com. The low point, Thursday, Dec 25 at 22:00 UTC, dropped to 429 queries per interval – or as it shall henceforth be known, “The Turkey Coma Canyon”.
api.fitbit.com
We hope you enjoyed this blog post. Now throw on your activity tracker, install that connected garage door opener, install your thermostat, and hook up your new washer and dryer!

The post Internet of Things (IoT) meets the Internet of Holidays (IoH) appeared first on OpenDNS Security Labs.

Scroll to top