Thoughts on Krebs article about .gov URL shortener abuse

——————Update: 19 Apr 2016

Nearly a month later, the same spam campaign is still attempting to use the Virginia government website to refer spam victims to its strikenx.bid and assembled.accountant domains. Either people are reading spammy emails a month late, or the idiots in charge of the campaign haven't changed it despite it not using the referral properly.

Of note, some other pushers seem to be trying to exploit the referral mechanism of an EPA website, but are failing as well.
[Screenshot: new_spam_campaign]

[Screenshot: new_spam_campaign2]

One other thing I have been thinking about with regard to reconnaissance is the Witchcoven campaign that FireEye reported on: https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

Although the profiling you can do with the method detailed below is much more limited than what the Witchcoven actors are using, my method has one distinct advantage: there is no infrastructure and there are no indicators to uncover, since you don't need to compromise a legitimate server or even buy your own profiling servers. With no easy way to link the reconnaissance to the next step, delivering the targeted recipients an exploit chosen for their Android kernel and browser, it would be significantly harder to tell whether victims are random targets of opportunity or were chosen.

——————–end update

——————Update: 31 March 2016

I found another "fun" use for the data coming off the developer stream for the bit.ly gov shortener, 1usagov.

Everybody talks about how bad the Android ecosystem is at updates, and that the majority of phones in the field are vulnerable to something or other. It is nice to see the data myself though. By curl'ing the developer stream and then grep'ing for Android versions it's pretty apparent. I'm not even going to bother making iOS comparisons because that has been done to death. Needless to say, the world is ripe for the Android malware ecosystem, or worse.

[Screenshot: android]

curl -s --url http://developer.usa.gov/1usagov | grep --line-buffered -oE 'Android [0-9]+(\.[0-9]+)*'

The dots in the pattern are escaped so they match literal dots rather than any character, versions with two or four components (Android 4.4, 6.0.1) are matched too, and --line-buffered keeps hits flowing because the stream never closes.

[Screenshot: android2]

XP is dead, long live XP!
[Screenshot: xp]
——————–end update

Brian Krebs reported on this issue last week, and I did some poking today, so I thought I would write a small article.

http://krebsonsecurity.com/2016/03/spammers-abusing-trust-in-us-gov-domains/

As reported by Krebs, bit.ly offers a URL shortener for government addresses such as .gov and .mil. The main security issue Krebs describes is that if a spammer or malware pusher can find any local, state or federal government site with an open redirect (a page that forwards the visitor to whatever URL it is handed), they can use the bit.ly service to shorten that redirect link into a more legitimate-looking 1.usa.gov address.

On my Linux box I ran the following command to find an active spam operation.

curl -s --url http://developer.usa.gov/1usagov | grep --line-buffered "VAURL"

The results showed a Russian spam operation attempting to abuse a va.gov domain, but failing at it, since the Virginia website was not correctly redirecting to their URLs.
[Screenshot: spam_campaign]

Domains associated with this particular Russian IP and the spam campaign:
[Screenshot: spam_campaign3]

The more interesting thing for me isn’t the shortening tactic, but the USA.gov developer view that Krebs reported.

http://developer.usa.gov/1usagov
[Screenshot: developer]

If IPs were included, this would be pretty close to the ideal control panel for running a malware/spam campaign.

What is interesting about this to me?

I can take a LEGITIMATE and unique URL for a government website, run it through the bit.ly shortener so it becomes http://1.usa.gov/…, send it to someone, and then learn all the information about their browser and their timezone from the developer stream when they click it. Normally I would have to use BeEF, cookies, etc. Now I can do it without cookies, or owning any public domains/IPs.

My idea in practice.

Find a random, unique .gov address:

http://www.fsis.usda.gov/wps/portal/fsis/topics/food-safety-education/get-answers/food-safety-fact-sheets/meat-preparation/ground-beef-and-food-safety/ct_index

Shorten it through bit.ly:
http://1.usa.gov/1drrCH6

Curl the developer API stream and grep for the unique URL (as a fixed string, since the URL contains regex metacharacters):

curl -s --url http://developer.usa.gov/1usagov | grep --line-buffered -F "http://www.fsis.usda.gov/wps/portal/fsis/topics/food-safety-education/get-answers/food-safety-fact-sheets/meat-preparation/ground-beef-and-food-safety/ct_index"

And sure enough… I get a hit with my OS, browser, language and timezone, which could be useful info for targeting further messages in a spam or malware campaign. Since this is a unique address I sent to one person, I know there won't be a false positive. Well, at least there wasn't going to be until I posted it in this blog.. 😉

[Screenshot: Capture_me]

TAAS – Tracking As A Service. Is that a thing?
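The two curl | grep procedures above (tallying Android versions off the developer stream, and watching the stream for clicks on one unique long URL to profile whoever clicked it) can be done with one offline parser. The following is an added example written for this page, not code from the original post. It assumes each stream line is a JSON object using the field names of the published 1.usa.gov feed ("a" user agent, "u" long URL, "al" accept-language, "tz" timezone, "c" country); the sample lines, the script name and the Windows NT version table are constructed for the example, not captured traffic.

```python
"""Offline parser for the 1usagov developer click stream (added example).

ASSUMPTION: each line of the stream is one JSON object with the field names of
the published 1.usa.gov feed: "a" user agent, "u" long URL, "al" accept-language,
"tz" timezone, "c" country. SAMPLE_LINES is constructed test data.
"""
import json
import re
import sys
from collections import Counter

# Constructed sample lines; the last one imitates a partial line cut mid-stream.
SAMPLE_LINES = """\
{"a": "Mozilla/5.0 (Linux; Android 4.4.2; SM-G900V Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.91 Mobile Safari/537.36", "u": "http://www.fsis.usda.gov/wps/portal/fsis/topics/food-safety-education/get-answers/food-safety-fact-sheets/meat-preparation/ground-beef-and-food-safety/ct_index", "al": "en-US,en;q=0.8", "tz": "America/New_York", "c": "US"}
{"a": "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.91 Mobile Safari/537.36", "u": "http://www.irs.gov/", "al": "en-US", "tz": "America/Chicago", "c": "US"}
{"a": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SAMSUNG SM-T530NU Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", "u": "http://www.irs.gov/", "al": "en-US", "tz": "America/Denver", "c": "US"}
{"a": "Mozilla/5.0 (Windows NT 5.1; rv:45.0) Gecko/20100101 Firefox/45.0", "u": "http://www.irs.gov/", "al": "ru-RU,ru;q=0.8", "tz": "Europe/Moscow", "c": "RU"}
{"a": "Mozilla/5.0 (Linux; Android 4.4
"""

# The unique long URL from the post, used as the "tracking" address.
FSIS_URL = ("http://www.fsis.usda.gov/wps/portal/fsis/topics/food-safety-education/"
            "get-answers/food-safety-fact-sheets/meat-preparation/ground-beef-and-food-safety/ct_index")

# Matches 2-, 3- or 4-component versions (Android 4.4, 4.4.2, 6.0.1).
ANDROID_RE = re.compile(r"Android (\d+(?:\.\d+)*)")
# Hypothetical lookup table; NT 5.1 is the XP kernel version reported in user agents.
WINDOWS_NT = {"5.1": "Windows XP", "6.1": "Windows 7", "6.3": "Windows 8.1", "10.0": "Windows 10"}


def parse_stream(text):
    """Return one dict per well-formed JSON line; blank, garbled or partial lines are dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line cut mid-stream; skip rather than abort
    return records


def os_family(user_agent):
    """Coarse OS label from a user-agent string: 'Android 4.4.2', 'Windows XP', or 'other'."""
    m = ANDROID_RE.search(user_agent)
    if m:
        return "Android " + m.group(1)
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if m:
        return WINDOWS_NT.get(m.group(1), "Windows NT " + m.group(1))
    return "other"


def android_versions(records):
    """Counter of Android versions seen in the user-agent field, e.g. {'4.4.2': 2, '6.0.1': 1}."""
    counts = Counter()
    for rec in records:
        m = ANDROID_RE.search(rec.get("a", ""))
        if m:
            counts[m.group(1)] += 1
    return counts


def clicks_for(records, long_url):
    """Profile fields for every click whose long URL exactly matches long_url."""
    return [
        {"os": os_family(rec.get("a", "")), "user_agent": rec.get("a"),
         "lang": rec.get("al"), "tz": rec.get("tz"), "country": rec.get("c")}
        for rec in records if rec.get("u") == long_url
    ]


if __name__ == "__main__":
    if sys.stdin.isatty():
        recs = parse_stream(SAMPLE_LINES)
        print(android_versions(recs))
        print(clicks_for(recs, FSIS_URL))
    else:
        # Live use: curl -s http://developer.usa.gov/1usagov | python3 stream_profile.py
        # The stream never closes, so handle it line by line and print each click as it arrives.
        for line in sys.stdin:
            for rec in parse_stream(line):
                print(os_family(rec.get("a", "")), rec.get("tz"), rec.get("u"))
```

With no piped input the script runs against the constructed sample; piped from curl it prints OS, timezone and long URL per click as they arrive. The exact match on the long URL is what makes the unique-address trick work, and it also shows the caveat: anyone who can fetch the feed can do the same, so the user-agent, language and timezone of every click on a 1.usa.gov link are effectively public data.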

Mallory in the Mobile (MitM)

No, I'm not trying to reinvent the MitM initialism. However, I do want to detail setting up the Mallory intercepting proxy for use in mobile application assessments. Mallory is a useful tool for intercepting non-HTTP traffic. On a recent engagement, I needed to proxy IMAP/S traffic to determine how the mobile application I was testing handled messaging. Alas, trusty Burp Suite couldn't help me here, so I turned to Mallory, since Mallory can intercept and tamper with non-HTTP protocol traffic.
