Georgia Institute of Technology

Newsweek is reporting an increased incidence of scams and fraud surrounding Valentine’s Day celebrations:

LOOKING FOR LOVE ON VALENTINE’S DAY? EMAIL SCAMS TARGET SINGLES LOOKING FOR ROMANCE

Background

Many websites that are hosting spam ads and links are either:

allowing unauthenticated visitors to create content:

or

allowing only authenticated users to create content, but also allowing visitors to fully self-register an account:

Popular examples of this are web forums, blogs with comment threads, and wikis. Unless you are restrictive or selective with regards to whom you allow to create content on your website, the site will get repeatedly spammed.

The Problem

Recently, we’ve seen an up-tick in the number of websites on our campus that are showing up in Google searches as hosting spam content; E.g.:

We’re not the only university that’s experiencing this issue, and I’ve seen links like these on .edu websites for at least the past year, if not longer.

The spammed websites all share the following characteristics:

1. All of these sites are running either WordPress or Drupal and all of them have comments and public account registration turned off.
2. The spam is always in the form of PDF documents, and most of them refer to online viewing of movies or television shows/events.
3. The sites all allow for users to submit information via a form or set of forms that:
   1. allow the upload of a PDF file (e.g. a form that allows visitors to submit an application and include a resume/CV in the form of a PDF file as part of the form submission)
   2. have forms with modern CAPTCHAs that are meant to prevent automated spamming attacks.

So, if the sites are locked down and the forms all have CAPTCHAs, how are the spammers getting the PDFs up on the server? Have they figured out a way to break the CAPTCHAs?

The Cause

The problem stems from the way that the forms on sites are configured…

First, all of these forms are all allowing for PDFs to be uploaded before the form is submitted. E.g.:

These uploads are taking place via AJAX. An example web server log entry from a file uploaded to a Drupal site (via a webforms module form):

10.0.0.1 - - [05/Sep/2017:15:51:16 -0400] "GET /misc/throbber-active.gif HTTP/1.1" 200 1963 "https://somewebsite.gatech.edu/sites/default/files/css/css_xE-rWrJf-fncB6ztZfd2huxqgxu4WO-qwma6Xer30m4.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:54.0) Gecko/20100101 Firefox/55.0"
10.0.0.1 - - [05/Sep/2017:15:51:16 -0400] "POST /file/ajax/submitted/file/form-SDqIHCt_95oHHFep01lI8kcK1hbVRzuF4DkXTyxeBZM HTTP/1.1" 200 3776 "https://somewebsite.gatech.edu/form/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:54.0) Gecko/20100101 Firefox/55.0"

This may make for a “better“ user experience, but it has the side-effect of bypassing any CAPTCHA protection the form may have. CAPTCHAs in the forms are protecting the submissions of the forms (proper), but aren’t protecting the AJAX uploading via the file submission fields.

Secondly, the files that get uploaded are put on the server with permissions/location that allow for the files to be downloaded without authentication (for some time). The URL for and uploaded file is knowable/guessable by the spammers ahead of time, so it’s easy to upload a PDFs files to your server and then know the URLs that need to be submitted to Google for crawling. Soon your site is showing up in Google search results for spam terms. E.g.:

Though CMSs/form plug-ins periodically check for uploads and move the uploaded files to a private/protected directory, the files generally stick around long enough for the spammers to submit the file’s URL to Google and for Google to retrieve, index and cache the PDF file. For this reason, almost all of the spam links you find that are generated by this method return a 404 within a day or two after the spam was uploaded. This might seem like “problem solved”, but the SEO/reputation damage to your site and domain has already happened; it’s in your best interest to prevent these uploaded spam PDFs from being crawled in the first place.

This is such a problem with Drupal websites that back in 2016, the Drupal team issued a PSA about it.

The Solution(s)

So, how do we stop Google from indexing the uploaded the files. Four basic strategies are:

1. Use a robots.txt entry to request Google (and other well-behaved crawlers) to not crawl URLs in the upload path of form submissions:

   The downside of this is that spammers may not recognize your defense and continue to upload spam files to your site without realizing that Google won’t crawl them.

2. Use an .htaccess or web-server-configuration-equivalent method to block retrieval of the uploaded files, perhaps allowing only to a limited audience:
   

3. Configure the CMS, CMS plug-in/module, or form element to upload files into an area that is not allow for access. For example, when using the Drupal webform module, setting the “Upload destination” of the file field to “Private files”:
   

4. Stop allowing file uploads in a form via AJAX. This may not an option or possible given your CMS/plug-in/module, but if your form is protected by an effective CAPTCHA, allowing the file upload, as part of the form submission, would prevent all but the most aggressive spammers.

Notes

This kind of website spam attack is somewhat unusual, as it doesn’t depend on weak credentials, nor upon outdated software. It depends, instead, on the specific configurations of CMSs and their form-related plug-ins/modules (OWASP top 10 category “A5 – Security Misconfiguration”). For this reason, this kind of issue is not something that as easily scanned for with most vulnerability scanners (e.g. Nessus, Qualys, etc.). We have attempted to address the problem though education (presentations to user groups) and monitoring (via Google Alerts).

The LastPass family is about to get bigger. Coming your way this summer, we’re excited to announce LastPass Families that will make it easy to manage your family’s digital life. The LastPass Families addition is just one more way we’re delivering a faster, simpler, and more intuitive password manager for all our users.

When it comes to keeping your loved ones safe online, recent research found that 91% of people feel that having a strong password allows them to protect their family better. We’ve seen this reflected in your requests for more shared folders and the ability to buy and manage licenses on behalf of others. We also know it’s a growing challenge to keep track of all your family’s information online: healthcare provider logins, school passwords, streaming media accounts. What worked 10 years ago, even five, just doesn’t cut it anymore.

Enter LastPass Families, where you can store everything from bank accounts to passports to credit cards. Your details are secure, organized the way you want, and easily shared with your spouse, kids, in-laws, and more. You can even give access to others in the event of an emergency. The family manager can quickly add and remove members to the account, making it easy to get everyone up and running.

Read the rest of the article here: https://blog.lastpass.com/2017/07/from-passwords-to-passports-a-new-way-to-manage-your-familys-digital-life.html/

Here at Cyber Security, we realize that sometimes researchers need to do some things that fall outside of the technical rules in our policies – especially when researching hacking and hackers, etc.

Because of this, we have created a Security Research Procedure that allows Cyber Security researchers to conduct their research without violating the law, violating Institute policy, or introducing reputational risk.

It’s published here: https://security.gatech.edu/security-research-procedure – so please read the procedure and familiarize yourself with it.

A group of security researchers announced this morning that some HP laptops and desktops are shipping with an audio driver that includes a keylogger that logs all keystrokes to a local file. This includes potentially storing passwords and other sensitive data in a plaintext file that can be read by anyone on the system.

Indications are that this is debugging code that was left on unintentionally rather than a malicious actor, but it’s still a risk.

To see if your HP system is vulnerable check to see if C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe exist on the system.

For detailed information see the original writeup

This article addresses a concern that I think many of us who provide IT support with a focus on security share.  Namely that the implementation of what’s available to better secure a user has become too complex for them to easily adopt.

http://windowsitpro.com/troy-hunts-security-sense/security-sense-security-becoming-too-hard-layperson

Ever wonder what can happen with the accounts that get compromised on campus? Read on!

https://www.insidehighered.com/quicktakes/2017/03/31/university-credentials-sale-dark-web#.WN5hvfYJvks.mailto

LastPass comments on recent security vulnerabilities discovered in the LastPass client code:

Security Update for the LastPass Extension

ZDNet reports on the release of records from a database containing more than 33 million records from government departments and large corporate clients:

http://www.zdnet.com/article/millions-of-records-leaked-from-huge-corporate-database/

Wordfence points out a new phishing technique involving an unusually formatted URL. This technique has been used to target Gmail users, as well as users of some other popular services. It has been partially mitigated in Chrome.

https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/

Lifehacker points out a new, tricky phishing scheme affecting Gmail users that uses an embedded image made to look like an attachment:

http://lifehacker.com/beware-this-clever-fake-attachment-gmail-phishing-sca-1793264478

Wordfence blog has an article discussing common attack methods in brute-forcing WordPress login attempts: https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/

For a number of years now, Apple has been implementing “Activation Lock” and “Find my iPhone” to deter the theft of iOS devices. According to some statistics, this effort has had some success. But with millions of users carrying devices costing $500 and more loosely secured in their pockets, mobile devices far exceed the value of an average wallet.

Activation Lock links a device to a user’s iCloud account. If a user configures a new device, the user is asked for iCloud credentials or offered to set up a new iCloud account. A device can not be activated without providing this information. If you sell or pass on a device, deleting the data from the device is not sufficient, but you will also have to remove the link to your iCloud account, for example by turning off “Find My iPhone.” Changing the setting always requires at least a password (and if configured two-factor authentication). Biometrics can be used to unlock the phone, but it can not be used to remove the iCloud link.

But iOS devices are still being stolen, and thieves have come up with some rather ingenious methods to unlock them…

https://isc.sans.edu/forums/diary/How+Stolen+iOS+Devices+Are+Unlocked/2162

Botnet armies have become bigger, more active and more heavily armed than ever before. In the first quarter of 2016, attacks launched by bots reached a record high of 311 million—a 300 percent increase compared with the same period in 2015 and a 35 percent increase compared with the final quarter of 2015.

http://www.securityweek.com/battling-botnet-armies

Over the past months, ransomware has become a widespread cyber-threat aimed at enterprises and consumers alike, and a recent massive attack against Office 365 users proves that once again.

http://www.securityweek.com/cerber-ransomware-used-massive-attack-targeting-office-365-users

A malicious mobile application targeting Android users managed to trick the Google Bouncer protection system and slip into the Google Play marketplace by employing a time-delay attack technique, Symantec researchers warn.

http://www.securityweek.com/photo-stealing-android-app-uses-time-delay-attack