2022-07-27 Phishing Attempt

User received an email

Yes, there is even more to it, even more disclaimers

The ‘attached’ file is a link elsewhere, of course

That link goes to the fake PDF page

That link goes to another page that is using the wrong cert so you get a warning

Sadly at this point it 404d out

But it would have been a fake Microsoft login page we’ve seen before

Until next time, stay safe out there

2022-05-25 Phishing

From a local county email address, asking me to ‘please complete the required training’. Takes you to a hacked WordPress site (based on the wp-crons URL).

Gives a fairly standard fake OWA login page

Then asks for more info

Note: DD/MM/YYYY not MM/DD/YYYY oddly. Are they targeting Europe?

Then you have to ‘wait’ for security (i.e. make it look like it’s doing something)

Then you get a nice Word doc. Oddly it didn’t redirect me (was that bit broken?), but commonly they will bounce you over to the real Outlook site.

Throwing it at VirusTotal doesn’t find anything

I used an online viewer to check the document and it really is an employee evaluation form

This is to try to make the recipient not question it, at least not until later when they try to take the completed form to HR!

Stay safe out there

2021-05-28 Phishing

Note the spaces in 365, presumably to try to avoid filters looking for ‘365’.

The link I find interesting (and annoying)

Looks like it’s going to BMW USA.com. And it really is! It uses them to redirect. Not sure how, or why that works (my guess is it’s used to redirect to your local BMW retailer or something).

Interestingly they do some form of lookup for the ID. I tried a few random ones which didn’t work. So maybe dealer ID or similar?

I’ve seen a trend of this recently, where spammers are using legitimate companies as relays, so it looks more legitimate. All the ‘usual’ checks, like newly registered domains or whether it has links online (Alexa scores or similar), will be passed by using an actual website.

I just heard back from BMW this morning that this was fixed, hence the post about it now, nine months later 🙂

Don’t let me add invalid characters in a field

I’m tired of things letting me use a character, then later on telling me it’s invalid. Today it was Microsoft, but many companies do this. I needed to search for something in a mailbox. I was going to name the search “Search Term” Search to make it obvious to me what I was searching for (I was searching for several terms so there are multiple searches). I then went through several more pages for exact search terms, and then I was told:

Now there isn’t really any good reason why you can’t use specific characters. It’s not like using escape characters to get around this is a new thing. There is a whole Wikipedia page about it and the linked page (from the Wayback Machine, as the page is down) says 1956. If you don’t know what an escape character is, it’s a way of reusing characters. For example, a common one would be a tab character: how do you find one in a text editor if the ‘find’ field only accepts text? Let me introduce you to the \ character. \t is a tab character in a lot of editors (here is a screenshot from Notepad++, one of my favourite editors)

Note the extended options

\t there is the tab as mentioned earlier, and \n and \r are new lines. Characters you can’t just type.

OK, \n is a new line and \r is a carriage return, but depending on your operating system a new line might be just \n, or \r, or \n\r, and I really don’t want to go into all of this here.

In short, if you can’t accept certain characters (which you should, but let’s say you can’t) stop me on page 1. Don’t wait until page 12 and then make me skip back 11 pages to redo it, and make me have to then re-read those pages!

New (to me) spam / scam

At first glance I thought it was just a sales pitch, but it looked really bad. And then you look more. The random email it’s from (not a ‘[email protected]’ or similar), the ‘to’ address that isn’t even us (I don’t work for Comcast), and the oddly spaced phone number. I copied the whole text and dropped it into Notepad (note to self: install Notepad++ on this machine). Notepad works, and is on every Windows machine. It doesn’t do fancy fonts, so any hidden text will show up.

Bingo. Now we see it really is doing something weird there. The contact now is a string of numbers with a different font colour to obfuscate it.
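The Notepad check can be automated for HTML mail. The sketch below is an added example, not something from the original post: it assumes the hidden digits are hidden with a white or transparent inline colour, and the sample message (using a fictional 555-01xx number) is constructed for illustration.

```python
import re
from html.parser import HTMLParser

HIDDEN = {"#fff", "#ffffff", "white", "transparent"}  # assumed "invisible" colours
VOID = {"br", "img", "hr", "meta", "input", "link"}   # tags with no closing tag

class ColourSplitter(HTMLParser):
    """Separate the text a reader sees from text hidden by font colour."""

    def __init__(self):
        super().__init__()
        self.stack = [False]  # True while inside an element styled as invisible
        self.visible, self.hidden, self.pasted = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        # Match "color:" but not "background-color:".
        m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", (a.get("style") or "").lower())
        colour = m.group(1).strip() if m else (a.get("color") or "").lower() or None
        # An explicit colour decides visibility; otherwise inherit from the parent.
        self.stack.append(colour in HIDDEN if colour else self.stack[-1])

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        self.pasted.append(data)  # what a paste into Notepad would show
        (self.hidden if self.stack[-1] else self.visible).append(data)

def analyse(html_body):
    p = ColourSplitter()
    p.feed(html_body)
    p.close()
    hidden = "".join(p.hidden)
    return {"rendered": "".join(p.visible), "pasted": "".join(p.pasted),
            "hidden": hidden, "suspicious": bool(hidden.strip())}

# Constructed sample: the visible number is padded with invisible digits.
SAMPLE = ('<p>Call support: <span>555</span><span style="color:#ffffff">8731</span>'
          '<span>01</span><font color="white">44</font><span>00</span></p>')

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:>10}: {value}")
```

A mismatch between `rendered` and `pasted` is the signal: a text filter sees the padded string, while the reader sees only the visible digits.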

It was at this point I actually read the text and wondered what legitimate company would charge you in gift cards. And felt dumb for not noticing that before.

Now I just have to figure out if it is the FTC, or the FCC that I can report this to (or both?)

Webinars and making you download and install their app!

Just stop please. Let me use the web client. I don’t need a bunch of extra apps on my machine

Also, GoToWebinar was trying to make me use the app, and didn’t show the ‘use web version’ option after downloading, so I searched and found the way to make it use the browser (from https://support.goto.com/webinar/help/how-do-i-join-a-webinar-from-the-instant-join-app). In short, take the link and add ?clientType=html5 on the end.

The others I’ve had to use make you download something but then give you a ‘connect online’ option.

I admire Microsoft’s honesty

A user was trying to record something in Stream and share it with a vendor. Now this is all complicated anyway because Microsoft used to record directly to Stream, then stopped for lower licenses but kept it for the upper ones last year, and now they are moving to OneDrive entirely and not using Stream (which I’m pretty sure is just a skin on SharePoint like OneDrive is anyway, but I digress…)

So I’m trying to find why the user can’t do this and find this article. To quote:

This error occurs because Stream can’t currently share to external users. This includes Azure Business to Business users.

What is the workaround, you may ask. I’m glad you did!

To work around this issue, store the video in another location. For example, add the video to a SharePoint Online or OneDrive for Library location that enables external sharing, and then share the video to the external users.

In short: Stream can’t share externally, and the workaround is not to use Stream. Microsoft Video is still around and it looks like they are killing off Stream too. At least they are moving to OneDrive.

External Emails warning

In short, you should have warnings on external emails. Yes in Outlook you can look at the address, but on other platforms (Apple for one) it just shows the ‘from’ name. Also if you spoof an internal email Outlook will ‘helpfully’ look up the photo of the person and add that for you making it look like the person actually sent the email!

As mentioned in the last post, I based all of this on this post on external email warnings. But I did create a second one for spoofed emails, which matches:

If the message:
Sender's address domain portion belongs to any of these domains: 'company.com' or 'company.org'
and Is received from 'Outside the organization'

Take the following actions:

Prepend the message with the disclaimer 'WARNING: Please contact IT - this email appears to be a Phishing attempt'. If the disclaimer can't be applied, attach the message to a new disclaimer message.

Except if the message:
Is received from 'Partner company that sends emails as us'

Basically, flag any email from outside that claims to be from an internal domain. I highly recommend that you test this first, as there will be domains you will have to exclude from this, like payroll companies and similar that email as your company. But it should help with phishing emails.

Security should be like olden castles. Not just one door to get in, but moats, multiple walls, towers etc. Multiple defenses to stop the bad guys. Assume they will get in, but then they have to avoid all your traps to remain undetected. This is just one of many things you can do to protect yourself.

Until next time, stay safe out there.

Bad password practices

I’m not talking about users picking bad passwords. Yes, we know. Use unique passwords and a password manager! I’m talking about sites that have terrible rules on new passwords. Passwords that really are great get rejected for stupid reasons. Things like this

hnhD9^mEG^%NU2u9UxSBRio^m2CSZ6%eTsa&Cg83Nxo7#C&[email protected]!A6HVfnjt^gYzjmqwX#2En!8bNQ*LBTNdasFQw!A!#acPQAwrV7^u&B4h%2 is a “bad” password because the number 2 repeats 4 times?

Again, so I can’t make a nice long password because you limit to 40 characters. I don’t care about the length of the password when I use a password manager. Also, this is the wrong way to do passwords.

One argument is that if you allow 1000 characters for your password, then that takes up a lot more space in the database than a 40 character password. Which, if you were storing the password, would be true (although given space being as cheap as it is, it really shouldn’t matter). But that isn’t how passwords are stored. So that argument is irrelevant.

So let’s explain how passwords are stored using a really bad example. Passwords are hashed in a way that means you can’t decrypt them. So, for example, when you were a kid and were learning division, you didn’t learn about fractions (yet). You just used ‘remainder’. 8 divided by 5 is 1 remainder 3. The official term for this is modulo, or usually just mod. So 8 mod 5 is 3. However, 13 mod 5 is also 3. As is 18, 23 etc.

If I told you that the result was 3, even if you knew we did mod 5, you have no idea what the original number was. However if I gave you 23, which you mod 5 to get 3, you know that the answers match. Now this is a horrible example, as there are only 5 possible answers (0, 1, 2, 3, and 4) but you get the idea. When you enter your password, it should be hashed to give some random (but repeatable) result. This means they can check your password, but don’t store your password.

Now obviously the real way passwords are hashed is entirely different. Let’s use another bad example. Take a password (we’ll use numbers here for simplicity, to save converting one to the other) of 123.
Then we need three prime numbers, where the first two, when multiplied, are larger than the third. So let’s pick 2, 3, and 5 because the maths is easier. Why prime numbers? Because you can’t simplify the maths. If I asked you to divide 100 billion by 10 billion, or
You should quickly realise that almost all the zeros cancel, making the maths easier. Same thing for encryption. If you don’t use prime numbers you may be able to simplify it.

OK so we have
Password: 123
Primes: 2, 3, 5

This next bit gets a little complicated. Let’s split the password into single characters. We add the first character to the first prime, multiply the result by the second, then mod that result by the third. That is the first number of the output. Then add that output to the second number of the password, and repeat (add, multiply, mod).

1 + 2 = 3. 3 * 3 = 9. 9 MOD 5 = 4
4 + 2 + 2 = 8. 8 * 3 = 24. 24 MOD 5 = 4
4 + 3 + 2 = 9. 9 * 3 = 27. 27 MOD 5 = 2

The password 123 encrypts to 442. Note that the order of the password matters. 321 would encrypt to 311
4 + 2 = 6. 6 * 3 = 18. 18 MOD 5 = 3
3 + 2 + 2 = 7. 7 * 3 = 21. 21 MOD 5 = 1
1 + 1 + 2 = 4. 4 * 3 = 12. 12 MOD 5 = 1

This is why you add the output back in, so you can’t crack each number on its own. You should also add some salt in too, but I won’t cover that here (basically think cooking: adding more or less salt changes the taste of the meal even if you follow the recipe. The same password with a different salt gives a different result).

It should go without saying, but please DO NOT use that method for storing passwords. There are many standard libraries for doing this in various languages. For example, Argon2 won the Password Hashing Competition in 2015. Do not try to roll your own encryption; it will never work.

In short, if you are hashing a password, you really don’t care how long it will be, as you will get a long string out anyway, so limiting the input field means you are doing it wrong. And if you have this wrong, what else is wrong? I’m always wary of sites that get this wrong.
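To make the storage argument concrete, here is an added example (not code from the original post) showing that a salted password hash produces a record of the same size whether the input is 8 or 1000 characters. It uses scrypt from Python's standard library as a stand-in for Argon2, which needs a third-party package; the cost parameters and function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this sketch; tune for your hardware)
N, R, P, DKLEN = 2**14, 8, 1, 32

# The 12-word passphrase quoted later in the post.
PASSPHRASE = ("creation thursday thievish fraying android slander "
              "empathy capsize composed aspect symphonic domestic")

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DKLEN)
    return salt, digest

def verify_password(password, salt, expected):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def record_size(password):
    """Bytes the database has to store for this password: salt + digest."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)

if __name__ == "__main__":
    for pw in ("Spring21", PASSPHRASE, "x" * 1000):
        print(f"{len(pw):>5} characters in -> {record_size(pw)} bytes stored")

    # Same password, two salts: the stored digests differ.
    salt_a, digest_a = hash_password("Spring21")
    salt_b, digest_b = hash_password("Spring21")
    print("digests differ across salts:", digest_a != digest_b)
    print("correct password verifies:", verify_password("Spring21", salt_a, digest_a))
    print("wrong password verifies:", verify_password("Spring22", salt_a, digest_a))
```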

Finally, Microsoft, really?

That seems fine until you realise how it calculates the ‘weak’. Spring21 is strong?

However, creation thursday thievish fraying android slander empathy capsize composed aspect symphonic domestic (which is 12 random words) is weak because it doesn’t have capitals or symbols.

In conclusion: Let’s not blame the users for making bad passwords. We’re teaching them to use crappy ones, so why are we shocked they are listening to us?

2021-05-13 Phishing

Another phishing email. I’ll explain the boxes at the top later – that is me, not the email. Blurred regions are emails

Again, links go to some website. WordPress again. People, you need to update your WordPress! And stop using all the plugins.
No, I’m not saying WordPress is terrible. I’m using it for this site. I’m saying (as with all things) you need to patch early, and patch often! Too many times people spin up a WordPress site then basically ignore it for updates, and then it gets hacked.

The link (once I changed the email address) goes to a fake login page. Interestingly not a fake Microsoft, just a random one. It pulls the name after the @ to put it in the blurred regions. So let’s say it was ‘[email protected]’ you were using, it says ‘Whitehouse Online Webmail App’. Also, Copyright 2019?

Then the usual trick of saying your password is wrong, to make people re-enter to confirm they were entering it correctly

Then the ‘you fixed it’ message (and now copyright 2018?)

And it redirects you to the domain for your email.

Now to explain the boxes on the email. Microsoft Rules, basically. The red one triggers on any email from external, that doesn’t match our domain. Then you have to whitelist anything that legitimately spoofs your domain. The yellow one is just triggered on any external emails. Not 100% but works pretty well. I should do another post explaining it, but in short I used this and made a second one based off of that.

Stay safe out there