Coming up this week on Breaking Badness: Curiosity is the Ultimate Phish Phood, Security Alert You Can Hang Your Hat On, and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
Curiosity is the Ultimate Phish Phood
- What exactly is thread hijacking and what makes it so successful?
- This is a type of phishing lure where the recipient is cc’ed into what appears to be an ongoing email thread (like we’ve all probably had happen in a non-phishing context – suddenly you’re added to an in-progress email thread and have to catch up to figure out what’s going on)
- In this case it’s a phishing lure, and one of the interesting things is that, unlike other phishing lures, this one is not requesting any particular action or threatening any negative consequences if the recipient (the would-be victim) doesn’t respond
- The phisher is taking a chance that the victim will fall for the lure even though they aren’t directly addressed, so it relies on curiosity – they’re hoping that when the victim gets added in, they will decide to open the attachment or follow the link, whatever is being shared
- We’re used to more conventional methods of phishing
- What is the difference between thread hijacking and business email compromise?
- In a traditional business email compromise, the attacker directly asks the victim: “hey, I need you to go buy these gift cards,” or “I need you to transfer these funds into this account,” and so on
- Business email compromise lures purport to come from a CEO, CFO or someone higher up in the organization, and the recipient is often farther down in the organization
- The implied negative consequence of not doing what someone in the C-suite is asking is that refusing might be a career-limiting decision
- A summarization of the thread hijacking example from the article:
- This comes from Lancaster, Pennsylvania, where LancasterOnline.com published a story about one Adam Kidan, a wealthy businessman with a criminal past who is also a major donor to Republican causes and candidates
- The author of that story, Brett Shultis, received two emails from Kidan, both of which contained attachments, and neither of which was addressed to Shultis
- The phishers were just hoping that he would bite
- There were two of these lures: one had the subject line “successfully sent data” and the second read “new work order”, and the message of that second one said “please find the attached”, so there were attachments on both of those email threads
- Our hero Brett Shultis was wise to the fact that these looked suspicious, so he did not click on anything except the forward button, sent them to the IT department, and the IT department did in fact flag them immediately as phishing emails
- Had they been successful, these phishes would have led to Microsoft credential theft: they would have opened a phony Microsoft page where a successful login would have been passed through to Microsoft, making it fairly transparent to the victim, while in the meantime their Microsoft credentials were harvested. Fortunately they did the right thing and did not fall for this. We don’t know how Brian Krebs initially found out about it – we don’t know if they contacted Brian – but he wrote a great article about it, which of course we’re linking in these show notes
- Is contacting the FBI the best step in this scenario or is there a step in between contacting the FBI?
- That’s definitely a good step to take
- There are other steps they should take – this is a great opportunity for employee awareness training, so if we were the IT department at LancasterOnline.com, we’d probably do some awareness around this, maybe send out some screenshots of this phish
- Maybe explain a little bit about how thread hijacking scams work – it’s a teachable moment
- Another one that immediately comes to mind, from a technology standpoint, depends on the settings of email security gateways like Proofpoint and the like; some take a very strict stance on whether any attachments are allowed through at all
- That’s very configurable, and different organizations have different tolerances, so you can have a high-sensitivity trigger for blocking attachments or a lower sensitivity that allows more through
- Every organization makes its own decisions about that, and we wouldn’t be surprised if this organization decides to crank that down a little bit, because most security gateways can be told to deny all attachments or neutralize them
- It’s likewise with links – you can neutralize web links contained in emails
- If you lock all of that down a hundred percent, it will severely impede people’s ability to get their jobs done, so nobody goes to 100% with those, but it is an opportunity to look at the tuning and ask whether it’s worth ratcheting down a little farther
- When reading the comments on Krebs’ article, someone mentioned that it’s time to move on from email because it’s built on legacy tech that’s obsolete – what does Tim make of this statement?
- Tim said that while there is truth in the comment, the question is what we would replace email with, and there’s no good answer for that
- Tim’s early 2025 prediction is that we will still be using email barring an asteroid hitting the Earth
- It is frustrating that older technologies are prone to scamming, but on the other hand, name a communications platform that isn’t abused in phishing or social engineering
- There will always be social engineering in communication methods
- We just have to keep our Spidey senses in good shape for catching these social engineering attempts
- How do we mitigate these types of attacks? Surely, “be less curious” isn’t the answer, right?
- Curiosity is a wonderful thing, but it should never be the motivation for opening an attachment or an unexpected email, so really awareness is the answer here
- It’s great that Brian Krebs wrote this article, because he has a substantial following, so there are probably a few thousand people who are now more aware of what thread hijacking is, not to mention the many millions who will hear it on this podcast
- Once you understand more about this method of social engineering and how the initiators are expecting you to respond, it becomes much easier to use that big pattern matcher between your ears to recognize those patterns and halt the process of reaching for the mouse button to click the attachment
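The signals discussed above (recipient only cc’ed, a “Re:/Fwd:” subject from someone you have never corresponded with, a short body that asks for nothing specific, and an attachment or link as the payload) can be turned into a simple triage score for a mail team. The following is an added example written for these show notes, not code from the podcast, from Krebs, or from LancasterOnline.com; every address, message and the `KNOWN_CORRESPONDENTS` set is constructed, and the 20-word threshold is an assumption.

```python
"""Heuristic triage of a suspected thread-hijacking lure.

Added example, not code from the podcast or from the Krebs article.
Every address and message below is constructed for illustration. The
signals are the ones the show notes describe: the recipient is only
Cc'ed, the subject looks like an in-progress thread (Re:/Fwd:) from a
sender they have never corresponded with, the body neither addresses
them nor asks for anything specific, and the payload is an attachment
or link rather than a request.
"""
import re
from email import message_from_string
from email.policy import default

LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
THREAD_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fwd?|aw|wg)\s*:\s*)+", re.IGNORECASE)
SHORT_BODY_WORDS = 20  # assumption: bodies shorter than this are "non-specific"

# Constructed: people the recipient has actually exchanged mail with.
KNOWN_CORRESPONDENTS = {"colleague@example-news.test"}

# Constructed lure modelled on the "new work order" example in the notes.
LURE = """\
From: "Accounts" <accounts@example-invoices.test>
To: jane.doe@example-partner.test
Cc: reporter@example-news.test
Subject: RE: new work order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the attached.

--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="work_order.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign reply from a known colleague, addressed directly.
BENIGN = """\
From: colleague@example-news.test
To: reporter@example-news.test
Subject: Re: Tuesday edit meeting
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi, moving the edit meeting to 2 pm tomorrow so we can get the city desk
drafts in first. Let me know if that clashes with anything on your end.
"""


def _addresses(msg, header):
    """Lower-cased addr-specs from a header, or an empty set if absent."""
    value = msg[header]
    return {a.addr_spec.lower() for a in value.addresses} if value else set()


def _body_text(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def _has_attachment(msg):
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def score_thread_hijack(raw, recipient, known_correspondents):
    """Return (score, reasons); each matched signal adds one point."""
    msg = message_from_string(raw, policy=default)
    recipient = recipient.lower()
    known = {k.lower() for k in known_correspondents}
    reasons = []

    to, cc = _addresses(msg, "To"), _addresses(msg, "Cc")
    if recipient in cc and recipient not in to:
        reasons.append("recipient only Cc'ed, not addressed")

    looks_like_thread = bool(THREAD_PREFIX_RE.match(msg.get("Subject", "")))
    if looks_like_thread and not (_addresses(msg, "From") & known):
        reasons.append("reply/forward subject from a sender with no prior correspondence")

    body = _body_text(msg)
    if len(body.split()) < SHORT_BODY_WORDS:
        reasons.append("short, non-specific body")
    if _has_attachment(msg):
        reasons.append("carries an attachment")
    if LINK_RE.search(body):
        reasons.append("carries a link")
    return len(reasons), reasons


if __name__ == "__main__":
    me = "reporter@example-news.test"
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        score, reasons = score_thread_hijack(raw, me, KNOWN_CORRESPONDENTS)
        print(f"{label}: score {score} {reasons}")
```

The constructed lure scores 4 (cc-only, unknown sender on a “RE:” thread, four-word body, attachment) while the benign reply scores 0. The “known correspondents” check is what makes the thread signal useful: a reply prefix on its own is normal, a reply prefix from someone you have never mailed is what the hijack depends on. Scores like this belong in the gateway’s tuning discussion above, as a quarantine or banner trigger, not as a replacement for awareness training.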
Security Alert You Can Hang Your Hat On
- What is XZ Utils, for those that may not know?
- XZ Utils is a popular compression library used in Linux to make files smaller and then make them larger again
- So it compresses and decompresses files, and it’s used by pretty much everybody, which makes it pretty critical
- This was discovered on Friday (3/29) by a Microsoft developer who was testing some newer builds of software that included a newly released version of XZ, noticed that SSH connections took an extra 500 milliseconds when the software was in use, and decided to start poking around
- 500 milliseconds is exactly half a second – and that’s all the time it took to realize something was amiss
- This person uncovered a conspiracy more than two years in the making to plant a backdoor into this critical open source project that is used by virtually everyone
- The findings state that the latest versions of the XZ tools and libraries contain malicious code which appears to allow unauthorized access
- This starts several years ago with these critically important, free open source software projects that everyone leverages and that are generally maintained by a handful of people
- They may have started as a labor of love or a project in school or as a side project
- In some cases, the person behind these tools has been working on them for over 10 years, and these libraries get included in all sorts of downstream Linux releases
- Out of nowhere, what looked like several sock puppet accounts showed up and manipulated the scene: submitting requests saying “hey, we should do things a certain way,” then coming in and fixing a bug, and getting into the good graces of the maintainer of these compression utilities
- This long con plays out over the course of a couple of years and includes many hundreds of commits, not just to this project but to other projects along the way
- Have any Fedora Linux 40 builds been compromised at this time?
- Yes, that was on the list – there’s a list of affected builds, because the malicious code is in versions 5.6.0 and 5.6.1
- They’re not in the major stable Red Hat or Debian releases
- What should folks do if they’re running an affected distribution?
- We don’t know what we don’t know here – if you’re in a position to nuke and pave (so to speak), we think that would be a great option
- Obviously patching to the newer versions of this is another option
- We’re lucky this got caught before it made any kind of mainstream release
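A first-pass check for the “am I running an affected version?” question above. This is an added example written for these show notes, not a script from the podcast or from any distribution advisory; it parses the two-line output of `xz --version` and flags the 5.6.0 and 5.6.1 releases the notes name. The sample outputs in the code and test are constructed.

```python
"""Flag XZ Utils / liblzma versions named as backdoored in the show notes.

Added example, not from the podcast or from a distribution advisory.
`xz --version` prints two lines, e.g.
    xz (XZ Utils) 5.4.6
    liblzma 5.4.6
and both components are checked, since they can differ on a host.
"""
import re
import shutil
import subprocess

# Versions the show notes identify as carrying the malicious code.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

VERSION_LINE_RE = re.compile(
    r"^(?P<component>xz \(XZ Utils\)|liblzma)\s+(?P<version>\d+(?:\.\d+)+)",
    re.MULTILINE,
)


def parse_version(text):
    """'5.6.1' -> (5, 6, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_xz_version_output(output):
    """Map 'xz' / 'liblzma' -> version tuple from `xz --version` output."""
    found = {}
    for match in VERSION_LINE_RE.finditer(output):
        name = "xz" if match.group("component").startswith("xz") else "liblzma"
        found[name] = parse_version(match.group("version"))
    return found


def affected_components(output):
    """Sorted names of components whose version is one of the flagged releases."""
    versions = parse_xz_version_output(output)
    return sorted(name for name, ver in versions.items() if ver in AFFECTED_VERSIONS)


def check_local_xz():
    """Run the real binary if present. Returns (raw output, affected list),
    or None when no xz binary is on PATH."""
    path = shutil.which("xz")
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return proc.stdout, affected_components(proc.stdout)


# Constructed sample outputs, one flagged and one clean.
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

if __name__ == "__main__":
    for label, sample in (("affected sample", SAMPLE_AFFECTED), ("clean sample", SAMPLE_CLEAN)):
        print(f"{label}: {affected_components(sample) or 'no flagged versions'}")
    local = check_local_xz()
    if local is None:
        print("no xz binary on PATH")
    else:
        out, flagged = local
        print(f"local: {out.strip()!r} -> {flagged or 'no flagged versions'}")
```

Treat the result as a first pass only. The xz binary reports the liblzma it was built against, and a service such as sshd can be linked against a different copy on the same host, so confirm with your package manager and your distribution’s advisory; where you cannot establish what actually ran on the machine, the nuke-and-pave option above is the safer call.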
This Week’s Hoodie Scale
Curiosity is the Ultimate Phish Phood
[Tim]: 3/10 Hoodies
[Taylor]: 2.25/10 Hoodies
Security Alert You Can Hang Your Hat On
[Tim]: 8/10 Hoodies
[Taylor]: 8.5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools; all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!