DNS PHISHING. AGAINST POLISH PUBLIC SERVICE | PUBLICATIONS

Commentary provided by the FOUNDATION EXPERTS

The publication belongs to the Stratpoints Foundation’s Neptune project.

PROJEKT BEZPIECZEŃSTWO & ROZWÓJ NEPTUNE


Copyright © Fundacja Bezpieczeństwa i Rozwoju Stratpoints

1. INTRO

Phishing

In short, phishing is a social and IT based fraud. The objective is to create a fake identity of a person or institution in order to steal information or to inject false information into the targeted organization. The most common example of the technique is an email from a person who pretends to be an official representative of some institution. The goal of such an email is to steal personal data and/or electronic payment information, mostly through a link that leads to a fake website. The fake site looks very close to the original one; in most cases it is just a login page identical to the original host. The user enters his login and password into the fake site exactly as he would log into the original site. These data are sent from the fake site to the attacker, who can then use them to log into the authentic server. The other technique is to send an email requesting some information or documents. In both cases there is always a chance that the reader will not notice an invalid email address and will respond as he would to the original institution or person.

DNS poisoning

Domain name server poisoning is a technique based on a massive attack on a DNS server by sending fake requests that redirect a valid URL address to an invalid IP. The DNS server cache will collect a history of the invalid requests and pass that information, with the invalid IP numbers, on to other domain name requests. The result of such an operation is that the user is redirected to an invalid IP number. A user should pay special attention when there is no valid SSL certificate installed on a website. Unfortunately, nowadays it is possible to create a fake site of almost any Polish official organisation in an easy and legal way, without any attack against DNS servers. It is important to note that the DNS poisoning technique is very rare today due to many improvements in the newest domain name servers. However, the problem and the threat still exist, even if the technique of attack is modified. The objective and the result in all cases of DNS phishing are almost the same. It is also important to note that there are other ways to easily steal or fake information.

Screen #1 – an example of a fake website of Bank Zachodni WBK S.A. using a fake reply address and a hyperlink to the fake site

Pharming

This is the technique most dangerous to an average user and the most difficult to identify. It is a phishing mechanism based on redirection to a valid URL that serves an invalid website, or to an invalid subdomain of a valid main host address. In general, there are three ways of pharming:

1. Global DNS server poisoning that leads to redirection to an invalid server,

2. Using a trojan horse or injection software to modify the operating system configuration, so that DNS requests are redirected from a valid address to a fake website,

3. Subdomain registration under a valid host address, with redirection to a hostile server that imitates the main domain’s valid server.

Screen #2 – an example of a fake login page with an invalid mBank URL, hosted on a fake server; source: mBank

It is critical to understand that the first technique listed is a very difficult technical challenge and appears very rarely. However, when such an attack is discovered, it is almost immediately published in security bulletins, social news and security mailing lists.

The second case is mostly eliminated by antivirus software that verifies system files and processes. However, it does not protect against all cases, and the threat is very common in Poland due to the lack of antivirus software installed on home computers and the massive use of pirated and cracked software downloaded from TOR, torrent and other servers. In many cases the installation package contains additional components that modify DNS services and install keyloggers, crypto-currency services, spyware and many others. It is important to note that most Polish versions of pirated software have a Russian origin, e.g. cracked Windows 7 PL editions have some drivers replaced with ones that communicate with servers located in Petersburg to send and receive command lists with a timetable.

The third way is almost invisible and very difficult to identify. It is massively used against Polish public service nowadays. In most cases the web connection is made with servers at Russian Federation IPs. That does not mean that all of these attacks are made by Russians. It is important to notice that Russia is a comfortable and easily accessible hosting zone for such attacks and the one preferred worldwide within the underground community.

E-mail spoofing

This attack technique is based on a fake email header that redirects replies to an attacker’s address. In short, some metadata are modified to imitate an official organisation. The other example is an email that includes links to an invalid URL described as a valid one. In most cases this is marked as spam. Most email software will not even display the details of an email, and that is the critical point of the technique. To identify the difference and potential threats, the user must read all metadata information, if such are not highlighted and marked by the email client as important data for the reader to verify.


Example #3 – email structure and details within an e-mail spoofing message; please note the difference between the sender address and the reply-to address
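The header comparison the text recommends can be automated. The following Python script is an added example written for this commentary, not code from the publication or the Stratpoints Foundation; the message it parses is constructed, with placeholder domains (us.example.pl, us-example.net, mailer.example.net), and it reports whenever Reply-To, Return-Path or a display name that looks like an address points to a domain other than the From domain:

```python
import email
from email.utils import parseaddr

# Constructed sample message (not taken from the publication): the display name
# and the From address imitate an office, but replies are routed elsewhere.
SAMPLE_MESSAGE = """\
From: "Urzad Skarbowy" <kontakt@us.example.pl>
Reply-To: kontakt@us-example.net
Return-Path: <bounce@mailer.example.net>
To: jan.kowalski@example.org
Subject: Wezwanie
Content-Type: text/plain; charset="utf-8"

Prosimy o odpowiedz na ten adres.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header value, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def spoofing_indicators(raw_message):
    """Compare the domains found in From, Reply-To, Return-Path and the display
    name. Returns a list of human-readable reasons; an empty list means the
    headers are consistent with each other (which is not proof of authenticity)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reasons = []

    # Replies and bounces that go to a different domain than the visible sender
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            reasons.append(
                f"{header} domain {other} differs from From domain {from_domain}"
            )

    # A display name written as an address ("kontakt@office.pl" <x@other.net>)
    # is a classic way to hide the real sender in clients that show only the name
    if "@" in display_name and domain_of(display_name) != from_domain:
        reasons.append(
            f"display name looks like an address at {domain_of(display_name)}, "
            f"but the message is from {from_domain}"
        )
    return reasons


if __name__ == "__main__":
    for reason in spoofing_indicators(SAMPLE_MESSAGE):
        print("WARNING:", reason)
```

Run against a saved .eml file, the same function can be fed `open(path).read()`; the checks are cheap enough to run on every incoming message at a gateway, and the output is the exact detail an email client usually hides.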

DNS crossfix

DNS crossfix is a simple domain name misdirection technique. It is a very simple trick and is not a threat by itself. However, when used in combination with another technique, it fills in the details of the main attack. In short, when the DNS server is separated from the host server, the host server may be configured with a different domain name than the one actually configured on the DNS server. For example, the DNS server responds that the valid IP for policja.wroclaw.pl is 192.168.1.1, while the server itself is configured to identify itself as wroclaw.policja.gov.pl during email send and receive operations. It is the result of different local DNS entries and DNS server configuration. Even if these configurations are different, there will be no conflict between the host and the DNS server, as they are in fact different machines. Because of that, the DNS server does not access the host’s DNS services, and the host server does not send all of its DNS requests to the DNS server. Both DNS configurations are separated from each other, and a different configuration is used for incoming and outgoing email. It is even more complicated and transparent when some URLs are hardcoded into the server’s hosts configuration. That combination is critical to „farming emails”, where the attacker’s server is a trap that collects all incoming information that missed the valid server due to users’ mistakes. An additional trick here is to set all incoming email rules to ACCEPT_ALL, which registers all incoming emails, even if there is a typo in the email address. A wide open email inbox increases the chances of pharming incoming emails. An example Sendmail configuration will look very close to this one:

    define(`SMART_HOST',`local:some_user')dnl
    define(`MAIL_HUB',`local:some_user')dnl
    dnl optional part to list local users/mailboxes excluded from the redirect
    dnl in /etc/mail/direct-users file (one user per line)
    LOCAL_CONFIG
    FL/etc/mail/direct-users
    divert(0)

In such an example, the configuration file /etc/hosts will probably contain something like this:

    127.0.0.1     localhost
    192.168.1.1   policja.wroclaw.pl
    192.168.1.1   wroclaw.policja.gov.pl

That will lead to a different response to the same command, depending on whether we execute it from the local host or from the DNS server:

    ping policja.wroclaw.pl
    ping wroclaw.policja.gov.pl

Ping from the local host server will reply with the same IP for both requests, whereas the DNS server will reply with different IPs due to a different DNS configuration table.
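To make the host-versus-DNS disagreement above checkable, here is an added Python example (not from the publication) that parses an /etc/hosts file and compares each name’s local mapping with the answer obtained from the DNS server. The hosts content and the DNS answers are constructed inline; 203.0.113.10 is a documentation-range placeholder, and in practice DNS_ANSWERS would be filled from a query sent directly to the authoritative server (for example with dig), because the local resolver would simply return the /etc/hosts value and hide the difference:

```python
import ipaddress

# Constructed /etc/hosts content, modelled on the publication's example:
# the host maps both names to the same address.
HOSTS_FILE = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.1  policja.wroclaw.pl
192.168.1.1  wroclaw.policja.gov.pl
# comment line
"""

# Constructed view of what the DNS server answers for the same names.
# 203.0.113.10 is a placeholder (TEST-NET-3), not a real record.
DNS_ANSWERS = {
    "policja.wroclaw.pl": "192.168.1.1",
    "wroclaw.policja.gov.pl": "203.0.113.10",
}


def parse_hosts(text):
    """Parse /etc/hosts text into {hostname: ip}.

    The first mapping for a name wins, mirroring the resolver's behaviour of
    taking the first matching line; comments and malformed lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address at all; ignore the line
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def find_mismatches(hosts_text, dns_answers):
    """Return {hostname: (local_ip, dns_ip)} for every name whose /etc/hosts
    entry disagrees with the DNS server's answer. Names the DNS server does
    not know are not reported; they simply cannot be cross-checked."""
    local = parse_hosts(hosts_text)
    mismatches = {}
    for name, local_ip in local.items():
        dns_ip = dns_answers.get(name)
        if dns_ip is not None and dns_ip != local_ip:
            mismatches[name] = (local_ip, dns_ip)
    return mismatches


if __name__ == "__main__":
    for name, (local_ip, dns_ip) in find_mismatches(HOSTS_FILE, DNS_ANSWERS).items():
        print(f"{name}: local {local_ip} vs DNS {dns_ip}")
```

A name that appears here is exactly the crossfix situation the text describes: the machine believes it is wroclaw.policja.gov.pl, while the public DNS says that name lives somewhere else. Running this from a mail server’s own hosts file, with answers taken from the authoritative nameserver, is a cheap periodic integrity check.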


2. THREATS TO THE STATE

Targets

Phishing is a threat not only to social media users, banks or any commercial institution. It is a real threat to the state, and it directly affects the very base of administration, government and security units.

The main threat comes directly from the lack of knowledge of basic IT security. An additional problem is the lack of general rules on how to tell a fake government site from a valid one. Most users simply do not know where to look or what to look for. A common citizen does not know whether there is any pattern to look for when searching for the ABW, a Regional Court, a Tax Office or the CBA. So most probably the first thing he is going to do is to search via Google or another search service, and he will probably open the first link found. If the first address is similar or identical to the one mentioned in the email address, he will probably assume that the email is valid and official. The problem is that even if the address is very similar but still a bit different, the website looks the same, and the fake site is hosted on a subdomain of an official domain, the risk of trusting the trap is very high.

Preparation

The simplest way is to reserve a subdomain of a regional domain and create a fake site that imitates an official site. The other simple way is to reserve a short domain address, mostly with a 3-letter prefix or suffix. For example, we can register the domain address policja.com.pl, which will fake the official site policja.pl. That will probably not work for phishing, or will work only in a very limited way, as the Police is not a commercial type of institution.


However, if we register policja.wroclaw.pl, we gain a trust benefit coming from trust in the wroclaw.pl site, which is the portal of the Dolnośląskie Voivodeship. It is unknown why it is possible to create a subdomain of any address and type under an official regional domain name. That gap was very quickly exploited both by commercial organisations and by some unknown organisations outside of Poland. More than that, it is possible that any HTTP request to policja.wroclaw.pl will be automatically redirected to the valid Police site, while all SMTP connections will be caught by the fake server. For example, a simple PHP script in an index.php file put in a valid directory will redirect from the fake server to the official one, so that the fake server does not need to host a copy of the main site. There is a high risk that a common user will identify both URLs and servers as one machine, while in fact they are totally different.

    <?php
    // Send every HTTP visitor of the fake host on to the official site
    header('Location: http://wroclaw.policja.gov.pl/pl/');
    ?>

If we put that script in the main directory of any HTTP server, the web browser will automatically redirect to http://dolnoslaska.policja.gov.pl/pl/

So, in that particular case, HTTP requests will be redirected, but the mail will stay on the subdomain server. More than this, an attacker will probably rebuild the mailbox structure of the official server to make sure that all incoming mail to the fake server will not be rejected. There is no need for complicated tools or software to do this. Any modern Linux distro with a sendmail service will do fine. For example, a Slackware Linux user will most probably do it in a very simple way:

    cd /usr/share/sendmail/cf/cf
    sh Build sendmail-slackware.mc
    cp sendmail-slackware.cf /etc/mail/sendmail.cf
    cp submit.cf /etc/mail/
    chmod +x /etc/rc.d/rc.sendmail
    /etc/rc.d/rc.sendmail start

The next step is to create email inboxes on the fake server equal to the original ones. That is a trivial task, and a simple adduser command is enough. It is also not too difficult to find the names of the original server’s inboxes. In most cases these inbox names are simply listed on an official website. Moreover, an attacker may look for the organisation’s employees via social media and simply ask them for an official email address. If he uses a fake account with an attractive woman’s photo, the probability of success is very high. Most employees will probably find nothing suspicious in giving away an official email address. It is also important to notice that domain and email addresses are mixed on official websites, and that is a factor that increases the chance of success of a potential attack. Example (notice the different prefix within the domain address):

URL: http://www.wroclaw.policja.gov.pl/pl/o_nas/kierownictwo/

Email address listed on that site: [email protected]

There will be no site if we try to open wroclaw.wr.policja.gov.pl via a web browser. So, if the user tries to validate whether this email address is valid by opening a URL with http, he will most likely assume that there is a typo or an invalid email and will use another one. More than that, mail software may use the same technique during address book sorting and put a fake server’s email address on top of the valid, official email address.

So, in total, it is very likely that an additional email address of [email protected] will not gain attention, and many people will communicate trusting that they are in fact dealing with the official regional Police.

That leads to the risks of attack. A fake email account [email protected] may be used to cross-pharm. An email sent to the tax office will probably be replied to. In another case, an attached Christmas card will be opened. Over time, this address will be more and more trusted and positioned within the address books of more and more official institutions.

There are additional techniques of masking an attacker, especially email spoofing and DNS crossfix. A small detail within an email address is very difficult to notice. Even antivirus software might not find any threat in such cases, especially if the official website’s server does not have a valid SSL certificate installed. It is critical to notice that almost all Polish administration official sites do not have a valid certificate. A simple click next to the URL address will provide some basic information about the trusted connection and website identity.

Example #4 – verification of a secure connection and a domain certificate


The Ministry of Defence is a classic example. Most of the email addresses are listed on the contact page http://www.mon.gov.pl/kontakt

Execution

The effects of an attack before military maneuvers may push imagination to the limits. It is possible that military units will send or receive fake information, some of which will affect the planned operations. Not only does all of this information need to be verified, but an analysis of the risk and consequences must be made for each case separately. Preventive action must be taken for the future as well. Unfortunately, as we can see, this is a problem that requires a general-perspective approach and cannot be totally solved at the level of a single military unit, single department, voivodeship or even organisation or ministry. A nationwide cyber-defence strategy is a must.

It is important to note that the whole setup and teardown operation for a fake server may take just several minutes. It is very easy to do it in public places as well (e.g. an internet cafe), using a common laptop with a public WiFi connection. It is possible that a hacker will quickly set up a fake site of the local police or any other institution, send some information or documents to a prosecutor’s office or another administration office using fake emails, and will cover the tracks and close the fake site after receiving an answer. It is practically impossible to discover the identity of the attacker if the whole operation is performed from a public place using a publicly available connection. More than this, an attacker does not need a fake server on a subdomain linked to a regional or official server if he is only about to send fake information without receiving any answer.


High value targets

1. ABW

The official website of the Agencja Bezpieczeństwa Wewnętrznego is hosted within the abw.gov.pl domain name. However, most internet users will most likely open abw.pl first. Fortunately, this address is currently reserved by a company registered in Poland, but that is an exception. Some domain addresses as well as IPs raise open questions. There are some already registered „abw” subdomains within the regional, official domains that are hosted outside of Poland, mostly in Ukraine and the Russian Federation.

There are many regional domains available with open subdomain registration, and an attack from non-voivodeship subdomains like abw.wolomin.pl is unlikely. However, some subdomains like abw.warszawa.pl are highly exposed to manipulation.

2. Centralne Biuro Antykorupcyjne

The CBA is a similar case to the ABW mentioned above. The official site and domain is cba.gov.pl. However, the most commonly visited URL in the context of a search for the official site is cba.pl. There are some interesting background issues here as well. Some of the URLs link to the Netherlands and switch from time to time to Kraków (IPLOCATION). Some other subdomains link to Ukraine or Germany.

There are many other already existing fake sites with interesting behaviours. It is currently unknown which is a temporary site, which is a fake site, and which is just a coincidence with the name of a different organisation. There is no traffic monitoring, and most of the incoming and outgoing connections are via services other than HTTP.


3. Ministerstwo Obrony Narodowej (Ministry of National Defence)

There is a huge number of official domains related to the Ministry of National Defence. Mostly these are .gov.pl subdomains and .mil.pl servers. However, for most internet users there is no significant difference between, for example, http://11ldkpanc.wp.mil.pl and http://11ldkpanc.zagan.pl, and they are unable to identify which one is official and which one is fake, especially when the same content is displayed. There is no official registry of the valid domain address for each military base. Therefore it is very easy to fake sites and information related to any of these, as well as to send or receive fake emails.

It is difficult to understand the concept behind the idea of blogs of military bases and military units. There are some misunderstandings behind the recreation of the military personnel structure on social media web services. So far, Poland is one of the few NATO countries where top-level military commanders run a blog or use Twitter or Facebook accounts to argue with other commanders about defence strategy or other military related issues. These social media accounts are very widely used through mobile applications on smartphones. These devices connect to routers inside military bases. While switching between routers, espionage software might be installed. Users do not have to manually switch or interact with the device. Close range to the connection spot or to another device is enough to spread the injection software via background services. It is important to note that a WiFi/TCP connection is not the only way to connect and attack; Bluetooth technology is widely used in that kind of attack as well. The last global attack of that kind was discovered and reported on 7th November, and new ones appear several times a month:


https://blog.pointas.com.pl/lokibot-nowy-trojan-bankowy-uzytkownicy-stracili-juz-15-mln-dolarow/

There is also a danger coming from the practice of using software with no licence or an outdated licence inside military bases. That applies both to desktop software and hardware drivers. This is unacceptable, yet practised every day.

4. Urzędy Skarbowe (tax office)

In general, Polish tax offices use a „us” prefix on the regional domain. However, it is not an official rule and it does not apply to all cities. Some „us” subdomains are left free to register, and some of them are already taken by private companies and outside organisations. For example, us.bialystok.pl is hosted in Katowice, while the search results for „urząd skarbowy Białystok” lead to many third-party websites. That applies to hundreds of other regional subdomains, and there is no single general pattern to tell a fake site from an official one. That raises the fraud risk, and it is out of the Ministry of Finance’s control.

5. Zakład Ubezpieczeń Społecznych (social security office)

ZUS has a very similar problem to the tax offices, yet a little bit different. There is only one „main site”, with the zus.pl domain name. Therefore, if we search for example for „ZUS Białystok”, the search result is zus.bialystok.pl, which is a private service company. It is important to note that these URLs change very quickly and are out of tracking and control. Most Polish internet users do not know which administration site is fake and which is not.


6. Policja (police)

The Police need special attention from the phishing and pharming perspective. Some fake sites already exist and redirect HTTP requests to the official police portals; others do not. There is a significant number of fake sites or subdomains taken over by the private sector. For example, the URL policja.katowice.pl redirects to http://www.katowice.slaska.policja.gov.pl/, but at the same time policja.radom.pl redirects to an aftermarket service. It is also important to note that some other police subdomains under regional domains connect to a server located in Germany (Bayern/Gunzenhausen). There are a lot of regional subdomains with names related to the police that are still available to register.

Moreover, many police stations run blogs and websites via social media. There are a lot of fake social media sites as well. It is just another way to farm and send fake information. The crux of the problem is that there is no ordered, regulated pattern for the domain names of the police and public administration in Poland.

7. Urzędy Wojewódzkie i Urzędy Miejskie (regional office, municipal office, city council)

A typical internet user will type a city name when looking for an official city portal. That raises the risk that he will not suspect any trap while opening a site with a short subdomain „uw”, e.g. uw.[regional].pl. He will most likely assume that it is just a „part of the site” that is under the control of the regional office.

There is also a risk of manipulation of many eup/esp/bip subdomains. The „eup/esp” shortcut comes from Elektroniczna Skrzynka Podawcza or Elektroniczny Urząd Podawczy (electronic application inbox), a service that was running within many city councils. The „bip” shortcut comes from Biuletyn Informacji Publicznej, which is the Public Information Bulletin of regional public administration. In most cases these short subdomains are free to register under the regional, official domain name of a voivodeship or city.

8. Sądy i prokuratura (courts and prosecutor’s office)

There is a similar problem with court offices and prosecutor’s offices. There is a pattern, however, of using the domain address [city_name].sr.gov.pl for regional courts and [city_name].so.gov.pl for district courts. Unfortunately, most internet users will first access a subdomain much more closely related to the official city portal, e.g. sad.gdansk.pl or sad.warszawa.pl. This comes directly from intuitive human behaviour and the lack of knowledge of the pattern mentioned above. There are a lot of „sad” (court) subdomains taken over by the private sector and third parties.

(The domains and subdomains were verified via NASK and the http://whoisrequest.com/ service on 7th November 2017. Some other services, like IP-LOCATION, give a different response, e.g. that abw.bydgoszcz.pl is hosted in France, and some others in Ukraine or the Russian Federation.)

High vulnerabilities

A common internet user is the primary target. There is a common lack of knowledge about cyber threats and their consequences. Citizens are the largest group of people being massively attacked every day. Most of these cases are unidentified, and some questions are raised when it is already too late. Only very few attacks are reported to the police, and almost only in the case of a huge material loss. It is unknown to the public how many operations are performed per day, or how much information is lost per day or during some period of time. If you, the reader, think that most of these situations are not directly related to you, then think about the document that you are now reading. It is written in a format that allows an attacker to perform remote execution on your local machine, and in fact you do not really know where this file originally came from. You do not even have to open this file to be a potential target of an attack. A specific action might be performed in the first place just when your email reader receives an attachment in your inbox. You may find many examples of that kind of attack here: http://goo.gl/CGoPXu So, if you can be the target, anybody can be the target. Hopefully, this is just a lesson for you and a new experience. You were not harmed, this time.

Secret services and special forces are especially exposed to cyber attacks because of the high value of information related to their service. There are many other ways of phishing and pharming not described in this paper. It is possible to manipulate DNS requests, fake news, fake email and many others that might be used in combination with social engineering. It is important to remember that an attacker targets not just the primary target, but their families as well. In fact, the easiest way to get close to the target is to use social media and other techniques via members of the family, like a wife, children or other related people. It is possible that a son uses the same WiFi connection as his father, and therefore a successful router hijack will exploit other family members’ connection spot as well. As mentioned above, an accidental contact on the street may result in a mobile device infection that will spread through a WiFi or Bluetooth connection. It is critical to understand that the way to maintain the security level is to obey the rules and keep self-discipline every single day.

Phishing and pharming work in a similar way on every level of public administration, including police, courts, prosecutors, legal offices and many more. The cyber threat nowadays is a reality, and it affects every single human life. Information is now a critical factor that may be used both to push forward or immediately collapse any criminal case or business case. It may even immediately put a person under criminal charges or clear a suspect of charges. If you think that lawyers, prosecutors, curators, judges and other officials do not use their official inbox for private issues, then you are wrong. There is no legislation that can stop that process.

Members of parliament, deputies, senators, presidents and all other politicians are a particularly vulnerable group. It is a common situation that a deputy receives an e-mail or text message from an unknown source just before a legislative session. A backstage game against each person is not always visible at first, yet they are all part of the same chessboard, even if they do not realize it. Even if there is no time to validate the incoming news or message, it will affect the person's feelings, point of view and negotiation tactics. Many attacked people will not even recognize it as an attack, and they will follow the bait as expected. It is interesting to note here that there is a long list of politicians using their mobile devices irresponsibly. Some use them during the voting process, others use them to blog, play mobile games, or even keep all private and official information on the same device. It is both funny and tragic to know that some of them use exactly the same login and password for their official e-mail inbox as for their account on the most popular mobile games or social media services. There are many other issues to be addressed here.


3. DEFENCE

Education is the primary defence. It is essential to shape public awareness of what cyber-threats are and what people can do to counteract them. That applies to regular internet users as well as to officials and other public administration employees.

Trusted certificates are an absolutely essential part of the security policy. The average Jan Kowalski must develop a habit of verifying the authenticity of an internet address, e-mail, piece of information and so on before sending out any information or opening any attachment or link.

The third element of the defence policy is wide use of cryptography. There is absolutely no excuse for sending information between military, legal or police units or departments without using cryptography. That includes both internal and external contacts. This mechanism should be introduced not only to officials and politicians, but to ordinary users as well. It is impossible to oblige everybody to use cryptography, and it is not necessary, but it is critical to understand where and when you should.

There is an open question about blocking fake websites and about the registration of private subdomain services next to regional servers. It is not clear why some of the obvious keywords were not excluded from registration. So the bottom line is that fake servers should be identified and monitored, and some keywords should simply be reserved for public administration.
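The two recommendations in this section, verifying an address before trusting it and identifying fake servers that reuse official names or reserved keywords, can be turned into a small defender-side check. The following is an added example written for this commentary; it is not code from the paper or from the Stratpoints Foundation. The list of legitimate domains, the reserved keywords and the sample hostnames are constructed for illustration only; a production version would take the domain list from the registry and use the Public Suffix List instead of the simplified "last k labels" rule used here.

```python
"""Flag hostnames that imitate public-administration domains.

Added example for this paper; the domain lists below are constructed, not real
registry data. Intended for a defender (SOC, registrar, mail gateway) that sees
a URL and wants to know whether it deserves a closer look.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains treated as authentic (assumption for the example).
LEGITIMATE_DOMAINS = {"gov.pl", "policja.gov.pl", "sejm.gov.pl"}
# Keywords the paper argues should be reserved for public administration (constructed).
RESERVED_KEYWORDS = {"gov", "policja", "sejm"}
# Digit-for-letter and letter-pair substitutions commonly seen in lookalike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def hostname_of(url_or_host):
    """Extract the lowercase hostname from a URL or a bare hostname."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text          # lets urlsplit treat the input as a netloc
    host = urlsplit(text).hostname or ""
    return host.rstrip(".")


def normalize(host):
    """Fold accents and confusable characters so 'p0licja' compares equal to 'policja'."""
    folded = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_known(host):
    """True for a legitimate domain or any subdomain of one."""
    return host in LEGITIMATE_DOMAINS or any(host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify(url_or_host):
    """Return (verdict, reason); verdict is 'legitimate', 'suspicious' or 'unrelated'."""
    host = hostname_of(url_or_host)
    if is_known(host):
        return "legitimate", "known domain or a subdomain of one"
    norm = normalize(host)
    labels = norm.split(".")
    for legit in sorted(LEGITIMATE_DOMAINS):
        k = legit.count(".") + 1
        tail = ".".join(labels[-k:])              # the part a user would read as the domain
        if tail == legit:
            return "suspicious", f"homoglyph spelling of {legit}"
        if edit_distance(tail, legit) <= 1:
            return "suspicious", f"one character away from {legit}"
        if f".{legit}." in f".{norm}.":           # official name used as a subdomain label
            return "suspicious", f"{legit} embedded under another domain"
    for label in labels:
        for kw in sorted(RESERVED_KEYWORDS):
            if kw in label:
                return "suspicious", f"reserved keyword '{kw}' in label '{label}'"
    return "unrelated", "no overlap with public administration names"


if __name__ == "__main__":
    # Constructed sample inputs, not observed phishing domains.
    for sample in ["https://login.policja.gov.pl/konto", "policja.g0v.pl",
                   "policja.gov.pl.example.net", "sejm-gov.pl", "sejm.example.org",
                   "example.org"]:
        verdict, reason = classify(sample)
        print(f"{sample:35} {verdict:11} {reason}")
```

The check deliberately trusts anything under a known domain, because the registry controls that namespace, and concentrates on the three patterns the paper describes: a confusable spelling of the official domain, a one-character typo of it, and the official name buried as a subdomain of an unrelated domain. The reserved-keyword rule is the weakest signal and is therefore evaluated last, so that a more specific reason is reported when one applies.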


4. CONCLUSIONS

It should be emphasized in particular that paralysis of ICT infrastructure is a key element in every simulation of a potential attack on the state. That applies to a terrorist attack, hybrid war or even full-scale conventional warfare. Effective reconnaissance and diversion efforts are essential to successfully carry out such a cyber attack.

The secret services and the military should be particularly aware of the existing threats and take every initiative to minimize potential danger in this area. Data protection and cyber defence technology are permanent components of any preventive action, and of the continuous modelling and improvement of the processes for protecting and exploiting digital infrastructure.

Cyber security brings with it new challenges and threats. It is not a distant future but a critical factor of public security and safety. Cyber security becomes a more important factor every single day, as it is related to every other issue in our lives in today's globalized, digital world.


| PUBLICATIONS

This publication, issued within the NEPTUNE project of the Stratpoints Foundation, is protected by copyright. To obtain a licence to quote the article in part or to publish it in full, please contact: [email protected]

www.stratpoints.eu
