Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters A new phishing campaign that uses a custom font to hide its tracks and evade detection has been uncovered. Security house Proofpoint reports this week that miscreants hoping to steal login credentials from customers of "a major retail bank" were able to hide their phishing emails from automatic detection tools by seemingly …
As always, one way to avoid phishing attacks (along with running antivirus and spam filters) is to avoid following links from any unsolicited or suspicious emails that purport to be from your bank.
I'm still surprised at how many folks have to open, read, and then click on the links in emails. Even hovering over a link and seeing where it goes is better than blindly clicking on it. I've got one acquaintance who opens and reads every email (including obvious spam) evens hits the links just because "it might be important". He hasn't learned even after multiple virus infections. I suppose many folks read every piece of mail in their snail mail also. What can they possibly be thinking?
The head of one of the major security vendors gave a talk at our college and said that his wife had been banned from her provider because she clicked on any "click me" or equivalent link and downloaded lots of bad stuff.
In response to a direct question as to which antivirus tools he used he said he didn't use any - he was just careful!
This post has been deleted by its author
These days all email links go to Mimecast or similar filtering services, in an attempt to stop the muppets.
Sadly, that means we're training everyone not to check links before clicking. So anything the filtering service misses becomes a massive hole.
On the bright side, it also means you can't forward the emails to anyone outside the company, which hopefully cuts down on chain emails...
Some people grew up in environments where each mail was important, and ignoring one could have lead to big issues. They are unable to change mindset now that the landscape changed, failing to understand how dangerous it became.
Years ago, my late grandfather opened my house door to a nice young woman who said she was from the "gas company" - and I don't have any service from any gas company. She was of course trying to sell gas sensors, at least she was not dangerous. But my grandfather was used to have visits from the gas company employee to read the meter (or called because of possible issues), so he opened without thinking twice - because it could have been "important".
my late grandfather opened my house door to a nice young woman who said she was from the "gas company"
I occasionally get people presenting themselves at the door who think they can authenticate themselves by waving a phot-ID card from whoever they claim to be representing. It baffles them I fail to believe them and point out that I could produce the same with my camera, colour printer and a laminating kit bought from eBay.
Hmmm. Idea. Get one of those laminating kits and make my own badge claiming to be from some suitably official- and threatening-sounding body to wave back at them. Yesss...the more I think about it the more I like it.
@AC wrote: Also bring a clip board and you will be invincible.
Used to be a clipboard and a frown would let you leisurely stroll past any security. I wonder, in the age of computers does that still work or will people stop you to ask "Hey, what's that"?
@AC wrote: Also bring a clip board and you will be invincible.
Used to be a clipboard and a frown would let you leisurely stroll past any security. I wonder, in the age of computers does that still work or will people stop you to ask "Hey, what's that"?
===
the clipboard and THE frown were social engineering 101 back in the day, still works to this day, just that some organisations are getting their act together, mind you, the sheer number of web based connections available nowadays is making the use of social engineering less important now, even if it is still a potent force at times
Hmmm. Idea. Get one of those laminating kits ...
Funnier idea. Ask person to hold up fake ID to door camera* (both sides please) and have automated routine print up a card with your own photo/name on it once picture and name zones are identified. Ask for a minute so you can get dressed (you were in the shower) and laminate up the result. Answer door wearing same ID bearing supervisor job title. Act puzzled, then angry.
*properly isolated from the Internet of Tat of course.
Great idea, but just try this:
Take a photo of your personal ID card and print it.
The result won't look like what can be obtained with a scan.
An app like CamScanner could fix this, but all the colors would be messed up and the result is far from perfect
There was a report out of Verizon at the 2016 Black Hat: roughly 1/4 of users surveyed clicked on everything regardless of training, background whatever.
Likely these people are the ones glued to their phones/computers, obsessively grinding through every email and social media message.
1/4 don't click on anything - the paranoid/security types.
The middle 1/2 can be educated but would still be fooled by attacks like the one noted in the article.
Was there any suggested reasoning behind the 1/4 who insist on clicking everything? I always struggle to figure out why there are still people like that and presumably it comes down to some sort of human behaviour\psychology aspect (e.g. cognitive dissonance).
What annoys me is how legitimate companies are sending marketing emails that look like they have gone out of their way to make the email look suspicious. I keep getting one from Parcel force, click here to download your free whitepaper on growing your business. A quick google of the domain in the URL doesn’t bring up results that would confirm either way since they use a different potentially phishyish looking domain for the download. I have even had genuine invoices come in where the wording of the email is really vague and it screams phishing attempt. Also local councils now seem to be emailing businesses with these really vague non relevant requests for tenders requiring users to click here and log into so and so corporate sounding thing to bid for business and the users are like eh wots this is it a virus. Just assume every email is a virus or a scam unless you are expecting it.
I got a fantastic letter from Barclays the other day - their logo looked like it had been photocopied, badly, telling me about how my application for credit was successful, call 03XX to query.
I was so sure it was a scam by that point that I was slightly impressed they had bothered to get hold of an 03 number.
Then I remembered that I had taken out "partner credit" with Barclays when buying a sofa.
Yes, people still fall for cons that other people find obvious.
Blaming users for security errors has gotten us nowhere. There are many users, they vary widely, and we're not going to be able to train them all to resist all attacks. In fact, we're not going to be able to train any of them to resist all attacks. IT security experts get spearphished. Constant, perfect vigilance is impossible.
We have to build safer systems. We can't build safer users.
But you MUST. Otherwise, you can't have safer systems, period, because the user is behind 9 out of 10 safety failures (and those include failsafe failures--think "click fatigue"). And like Douglas Adams once said, you can't make things foolproof; a better fool will always come along: often one over your head.
How I hate that! It has no place there
Absolutely, but it's more and more common. I get a lot of legitimate emails these days where the plain text part is either completely blank, or says something like "you have been sent an email". I'm trying to retire my Acorn RiscPC as my main email-reading computer, but at the moment it's the only 100% safe way to deal with these things (shift-double-click on the HTML part to load into a text editor, if nothing nefarious, double-click to load into a "dumb" web browser). Kmail on the Linux boxes is great and is set to text-only by default, but you do sometimes have to "view as HTML" and hope. And the HTML often just says "click here to view the full message".
HTML adds next to nothing to an email anyway, though I suppose it's one step better than sending .docs around - can't preview them on the Acorn at all.
M.
I just cleared our mail server quarantine queue - this involved releasing an email from a payment service for a large US based hospital:
This is a secure message from Bank of America. Click here by 2019-01-19 02:36 GMT to read your message. After that, either open the attachment or request the sender to re-send the message.
It's real, we get the regularly - it comes with "SecureMessageAtt.html" ... Arghhhhhhhh
This is a secure message from Bank of America.
I used to be with BoA (briefly). Their "secure mail" wasn't mail and wasn't secure. They would send you an email with a JavaScript attachment that you were supposed to save and then run in your browser! (I wonder how many people did that without reading the script first.) This then took you to a BoA web site which displayed an image of a US style mail envelope (I'm in the UK), complete with franked US stamp, which you clicked on to read the message. While the message was displayed cut and paste were disabled, just in case you wanted to keep a copy. If you wanted to communicate with them, the only allowed methods were snail mail (to the US), or fax. Fortunately changes in US law meant they dumped all their non-US customers, so I ended up with a Swiss bank that is technically competent and actually cares about its customers
I've had a Bank of America account for many, many years. A while ago, I got a fake text message claiming to be from them. I ignored the link in the message and went to their web site, logged on and went to "Messages" which, no surprise, was empty.
I've done some basic computer security training classes, and I always tell people to VERIFY any remotely suspect message by another route: either contact the sender by another route (not clicking on any links!) and verify the message or check for messages via a known good web site.
My healthcare provider sends emails that say "you have a message." They do provide a link to click, but I always just go to the web site directly and check there for the messages.
I get a lot of legitimate emails these days where the plain text part is either completely blank, or says something like "you have been sent an email"
I get a third type as well, where the text/plain part has exactly the same content as the text/html part (and usually awful layout so it's unreadable without horizontal scrolling).
If there is an excellent reason not to simply delete .doc attachments, try antiword (.doc -> .txt converter) which is available for RISC OS. There are dedicated text browsers: lynx, links and w3m (none of them appear to have a RISC OS port).
I have had a Mac user who could not modify a plain text email and send it back. Is this PEBKAC or are Macs really that bad?
Agreed. I read email for the message
Me too !
too many people want it to look pretty - marketing people I am looking at you.
Except that often the result isn't that it looks pretty - it often makes it unintelligible.
I'm slowly getting into reading some of my emails on my phone - with a small display. Plain text emails are fine, but formatted ones, even non-HTML get shrunk so the formatted version fits in the screen, resulting in impossible to read text. Even on a laptop screen, many emails are "hard to read" because they render in the stupid font/size and stupid colour the sender's email program defaults to - like the small blue text Microsloth seem to think is a good idea.
And don't get me started on Microsloth's contribution to email usage by defaulting to top posted replies.
And to think people at work kept telling me I was in the wrong for using plain text and bottom posting :-/
HTML mail is *evil*. It should be killed to death by burning with fire (see icon).
from article: "Viewing messages in plain-text will also reveal or neuter any shenanigans"
We should ALWAYS! practice 'safe surfing' and 'safe e-mail reading'. It's like a front-line defense. This includes NEVER viewing/previewing mail as HTML whenever possible. And don't foist it upon the recipient, either.
[having to use anti-virus/malware BECAUSE of HTML mail is, well, LAME - no real value added, obvious no-cost solution]
> [having to use anti-virus/malware BECAUSE of HTML mail is, well, LAME - no real value added, obvious no-cost solution]
From bitter experience I must disagree. My work involves a lot of reporting and in some of the cases I need instructions within a time limit. This was rarely observed, until I started writing Instructions needed: (ISO standard date) in large, friendly letters that also happened to be in bright red.
Absolutely that. I cannot count the times I have been forced to call someone and ask them if they had read my mail. "Of course I did !" is always the answer, to which I reply : "Then could you please send me the information I requested in the second paragraph ? I need it now."
Cue several minutes of re-checking, mumbling, faffing about and, rarely, an "Oh sorry, I must have missed that." Yeah, you did.
People who don't understand what they read are the bane of businesses all over the world. So I totally get your solution, even if I don't like it either.
This is such a big issue ( at least I think it is). I'm just sick to the back teeth of people who respond to an email with something I didn't ask for/about. Often boilerplate generic responses to a very specific question or complaint.
The classic is the BBC's. I emailed to complain that Wimbledon was simultaneously on BBC1 and BBC 2 for the whole afternoon.
Their response said; "We're sorry you think there's too much sport on the BBC...".
As it happens I like sport on the TV. I even like tennis sometimes. But not both channels all bloody afternoon.
In another example that's just come back to me; I've emailed a company to point out that there was rubbish blocking a fire exit and had a reply "We're sorry that you found our premises were untidy..."
No I found their premises were a death trap!"
So call them by telephone and inform them the location in question has a fire hazard. If that doesn't get a prompt reply, go to the municipal council and complain of dereliction of duty. You'll either get a response or media attention as the news picks up on the story.
OH, you've never asked about Linux or any other open source development then?
I've seen it recently a little with 3D printers, but Games and OS is the worse. I don't doubt it's the same in closed source too! Just we don't get to see the arguments there. ;)
"Oh, I just want to change a font in my Word Processor, for when I finally output to open format documents, which button in the GUI does this?..."
"Have you compiled the Kernel with additional fonts?"
"Have you compiled the Kernel to allow for access to the internet to download additional fonts?"
"Have you compiled the Kernel to allow for font creation by back porting over from an Acorn and bouncing the download packets off the ISS on a full moon?"
"No guys, he is wasting our time asking us to make a new icon in the GUI, when he should be using a terminal to TCP into the customers computer and sending them messages by switching power states via morse code.
The BBC complaint response was likely so they could categorise your complaint in a way that was less tangental to reality but more convenient to them.
I once complained about the football scores being shown on the news directly before match of the day so if you recorded it, you stood a good chance of accidentally seeing the scores you'd managed to avoid all day, leading to having to start the programme but with your hand obscuring all of the screen and hoping you could tell whether MOTD had started from the colour of the corner.
Their response: sod off.
Wimbledon: presumably different games (or, same game, different matches).
If they pass coverage from BBC1 to BBC2 or back then it's liable to run in parallel on both until there's a pause.
It's how tennis is - when it's on, there's a lot of it. Five-a-side or more would let more people play at one time and on one TV channel.
Actually, there are people who need better text display than what you can achieve with plain text only - and not for fancy marketing emails only. It happened to me more than once to have to review important emails before sending them out, and being able to use advanced features is very handy.
Probably HTML isn't the right solution, unless it's heavily sanitized - Javascript should be banned, and links checked and requiring specific affirmative actions to be followed, displaying clearly which address will be used - and signalling any issue.
Anyway stupid marketing companies are the best allies of phishers - just a few days ago my sister got an email from a local Swarovski shop about upcoming sales that though legitimate, was a perfect example on how not to do a promotional email - and it triggered all the alarm bells it could. They used a marketing system, and i.e. links typed and shown where actually changed to point to tracking ones before being redirected, and so on.
Fine if all parties know it - which in many environments doesn't happen. It was a workaround when displays were text only - I would like to move to the future in a sensible way, not to be tied to the past. People are used to specific typographical features, you have to deliver them.
You can have both typographical features and security - the real issue here is not bold or color, it's unrestricted HTML and using engines designed for web browsers inside mail clients. Links redirecting outside security boundaries without any check are pure evil, more even so when they can be "obfuscated".
I think it would be straight-forward to write a HTML parser-cum-re-writer that did most of the sanitisation necessary. Both MIME and HTML are well-defined and text parsing as a technology is older than I am.
In addition to JavaScript, I'd ban "links to external content, like images or iframes" and (especially given this article) custom fonts. If you can't write an email without those, I don't want to hear from you.
I'd probably want to ban hyperlinks altogether. This forces authors to put the actual URL in plain sight, which makes all sorts of scams more obvious. It also forces readers to manually cut and paste it into a browser. If you can't do that, you need to learn a bit more about computers before you are safe to use one.
HTML is well-defined if it has been passed through validation. Unfortunately the baddies will target parsers that have slack acceptance of standards with specially crafted HTML. I used to be able to crash IE just be leaving a paired tag dangling.
The authors of HTML parsers are in a quandary: do they enforce strict validation and reject incorrectly structured HTML, or do they pander to users who think a parser is crap if it can't render anything that is thrown at it?
I'm curious as to what 'better text display' you refer to?
If people have bad eyesight and need the text bigger, or they're sensitive to certain colours so need the text in green, or that sort of thing... well plain text is better because their email client can be configured to display all emails that way rather than trying to parse what the sender wanted.
That was my initial thought as well. For a general-purpose email filter, it would have to check quite a few languages in order to not block every email written in, say, Italian or Thai. Also needs to be context-aware, so they can't avoid triggering the filter by just putting half of Moby Dick in an HTML comment.
Might be simpler to have a check for embedded fonts. If found, render the message into an image, apply OCR, and run filters again on the result.
Better to just disable embedded fonts entirely.
There is literally no legitimate reason to embed fonts in email - if my email reader doesn't already have access to locally-installed fonts that support the unicode code points in the email, then they're a form of communication that I can't read anyway.
If I understand (eg) Korean, then I'll have installed a few Korean fonts. If I haven't got a font for those characters, it's almost certain that I don't understand them anyway!
This post has been deleted by its author
"I'm willing to not see any email with any spelling errors."
So you're not willing to accept any e-mail from an English speaker across the ocean because you use "ou" and they use "o" (or vice versa), which trips most spell checkers? Sounds like a business killer to me.
Can't rely on users to use common sense so my shoppe uses Microsoft ATP Safelinks to rewrite URLs in emails so they are checked in real time when the luser clicks on them. If Safelinks doesn't catch it, all Internet traffic is passed via ZScaler cloud proxy with filtering of d/l content. If that fails Bitlocker on Windows should block unknown .exe from running, and users login with an unprivileged account of course.
BitLocker is for disk encryption [with TPM], did you mean Smart Screen?
Also, are you checking for other executable files, such as ClickOnce or JavaWS? At an old company I'd worked for, while they'd blocked native executables, they didn't have any CAS policies so I could run whatever .NET stuff I wanted and install/run things with it that way. Obviously I didn't end up staying long.
the problem with 'safelinks' is that you can't just look at it to see if it's legit. it takes away the ability to easily see things like "mybank.nefarious.cn" in the URL [for one possible example]. View as plaintext shows these URL hijacking links as they REALLY are, not as the phisher intended.
So I'd say 'smart links' are for people who aren't... [train them instead, or at LEAST pre-configure all e-mail readers for plain-text only, and make it a company policy]
that kinda reminds me of a problem I had a few years ago sending spam complaints to an 'abuse@' email on a server in korea that had some customer joe-jobbing me (outgoing spam with my e-mail address in it). The 'abuse@' e-mail address had a spam filter on it, and if I attached the spam I was complaining about, it would bounce (yeah spam filter on an 'abuse@' address, really smart). I contacted some other admin upstream of that in Switzerland (as I recall) with a "hey these guys" kind of request to give them a good kick and within a few days it was shut down. That was really pathetic.
Virginmedia STILL does this. The shit comes through to my spam filters and is sidelined to a spam folder.
If I send it to VM's spam report address it gets bounced by VM because it contains spam. What the fuck else do they want us to forward to them, Christmas cards? Fucking incompetent bunch of goons.
Why's there no blood pressure icon.
> We still get genuine emails from Tesco Bank marketing, with "click here" links.
Contact them on their GDRP-mandated privacy contact email address and tell them this is a GDRP violation since it uses undue web tracking. Since this is from a bank it can be VERY costly.
> We still get genuine emails from Tesco Bank marketing, with "click here" links.
All the banks I deal with are doing it, Nationwide, Barclays, Santander, Lloyds, and others. Click here to go to a logon screen. It's idiotic and in the minds of many it legitimises the practice and leads to fraud.
Why don't they get it?
PAypal/Ebay make a fee/cut of every transaction. Even fraudulent ones. Even if they have to refund customers, they can mark that down as "cost of doing business" with a nice payment on top for their special hard work.
So I don't think all the banks want to stop fraud, just keep it at a level where it's profitable for them...
(No special knowledge here, just look up the news articles on banks allowing fraud on accounts if "well off/rich" customers, and passing a blind eye to it.)
I worked for a Govt organization that sensibly locked down email clients to text-only mode. Outlook was deliberately crippled to prevent one from enabling anything but plain text.
BOFH part: If you tried to enable html, or send html, or click on a link, you were sent to a "reeducation camp". In this IT Siberia, people are forced to watch presentations on email safety. Powerpoint shows designed to crush the spirit and create unthinking compliance. One viewgraph every 30s for an hour. The quiz at the end requires a perfect score. Imperfect score? Re-do the training.
BOFH part: If you tried to enable html, or send html, or click on a link, you were sent to a "reeducation camp". In this IT Siberia, people are forced to watch presentations on email safety. Powerpoint shows designed to crush the spirit and create unthinking compliance. One viewgraph every 30s for an hour. The quiz at the end requires a perfect score. Imperfect score? Re-do the training.
You may have said this as humor, but I'm seriously, seriously contemplating implementing this if I ever get to be in charge.
This is the only (legal, humane*) way to coerce users into obedience,
Is it only the H&S crew who get to violate human rights and the Geneva Convention with their presentations?
* which is why The Cattleprod (or Da Stapler) are not used in real life.
"BOFH part: If you tried to enable html, or send html, or click on a link, you were sent to a "reeducation camp". In this IT Siberia, people are forced to watch presentations on email safety. Powerpoint shows designed to crush the spirit and create unthinking compliance. One viewgraph every 30s for an hour. The quiz at the end requires a perfect score. Imperfect score? Re-do the training."
If you treat users like idiots, they will act like idiots. Crush their spirit and create unthinking compliance, and they will just stop thinking. The good ones will leave. The bad ones will be left to run your civil service and keep the nation ticking over. Is that what you want?
Also, if you have the technical means to detect when people try to do bad stuff, is it not negligent of you not to simply prevent it? That one-hour punishment session sounds like a waste of taxpayers money just to satisfy some perverted BOFH-like urge. I sincerely hope that the government in question isn't mine, but based on how fscking stoopid they have been recently, I suspect I may be disappointed.
"I think that even the most gullible phishee would spot that."
Hm, I fear you overestimate our species.
¡¡¡soopıɹɐןןop uoıןןıɯ uǝʌǝs ʎʇɟıɟ puɐ pǝɹpunɥ ǝǝɹɥʇ¡¡¡ ɟo sƃuıuuıʍ ʇodʞɔɐɾ pǝǝʇuɐɹɐnƃ ɹnoʎ ɯıɐןɔ oʇ pɹɐɔ ɥsɐɔ ɹnoʎ ɹoɟ ǝpoɔ uıd ǝɥʇ puɐ ǝpoɔ ʇɹos puɐ ɹǝqɯnu ʇunoɔɔɐ ʞuɐq ɹnoʎ 'ʇɹodssɐd ɹnoʎ ɟo uɐɔs ɐ ɥʇıʍ ןıɐɯǝ sıɥʇ oʇ ʎןdǝɹ ʇsnɾ ¡ʎɹǝʇʇoן ɐƃǝɯ uɐıןɐɹʇsnɐ ǝɥʇ uoʍ sɐɥ ssǝɹppɐ ןıɐɯǝ ɹnoʎ ¡suoıʇɐןnʇɐɹƃuoɔ
My company just got acquired. The new company sends out scads of "feel good" employee communications, plus loads of IT system status messages, most of which dont concern me.
They alxo, I discovered, have hired a company with the email domain of "phish-me.com" to send out periodic phishing test messages. I fell for the first one, something about security update that looked official on my newly created account, but have now filtered those out.
THE SPAM IS COMING FROM INSIDE THE COMPANY!
Yeah, IIRC one of the "spam tests" was an obvious "set up to fail" in another Reg article. The spam was actually sent from an IT bods/Managers account (which of cause, if hacked would still be wrong to click!).
But the false positives were not from everyone clicking it, but from everyone doing actual forensics and seeing if the Manager had been hacked or not. So they eventually got their black marks removed. XD
Oh, though in your case, I don't know what to say. I'm torn, because clicking any fake link is worrisome, as said, even if internal!
Most font rendering engines can be tricked into drawing something like an O about a billion times. Modern fonts are just a program that often runs with elevated privileges.
Blind downloading fonts into a browser is a risk. There were a number of CVEs last year about the issue.
"This creates a primitive substitution cipher fooling security tools looking for certain keywords, as the software would only observe a set of random letters"
How 2010 of them. Does ANYTHING spam detecting software still work on primitive keyword lists like that?
Most systems I've seen use statistics and analytics, they look at messages hitting more the one email box and adjust accordingly. Whether the word 'payme' or 'fgswa' is in the email doesn't matter.
If these emails are regularly getting through the spam filter of your provider, I'd suggest changing providers, they're software is crap.
Oh, and the letters aren't RANDOM, they will be exactly the same for exactly the same word. Article writer might want to look up what random means.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
