This past October, Cyveillance reported that cyber criminals were exploiting outward-facing Microsoft Exchange mail servers to customize emails so that they appeared to come from internal email addresses. Once the addresses were spoofed, the bogus messages were sent to the organizations’ personnel. The messages asked the recipients to click on a link in order to change their security settings. Once clicked, the users were routed to a fake Web site, and if a user clicked on the link to the executable file on the site, malware was downloaded to his or her computer. More info at: /general-cyberintel/a-dangerous-blend-of-phishing-methods
Unfortunately, cyber criminals appear to be having success with this attack method, since similar attacks continue today. Over the weekend, both Cyveillance and its customers received multiple emails similar to the one below:
As in the attack illustrated in our October posting, the email requests the user to click on a link to a false Web page. The Web page instructs the user to download a file that contained malware. The malware in the attack above was downloaded and analyzed by the Cyveillance Security Lab. Once installed, the malware made several communication attempts to URLs at 220.127.116.11/livs/rec.php and 18.104.22.168/lcc/ip2.gif. The first URL received encrypted data from the infected host, making it difficult for security researchers to analyze, while the second URL hosted a Zeus binary used to capture banking credentials.
The lab also observed additional attempted TCP connections to 22.214.171.124 on hundreds of different destination ports. It appears that the infected host was scanning the IP address for other services that may be running. The scan was of low intensity to avoid IDS detection. In summary, it appears that the server located at 126.96.36.199 is the command and control server, which instructed this infected host to port scan 188.8.131.52 for known services and report back with the collected data: a dangerous but effective combination of attack methods.
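One way a defender could surface the low-intensity scan described above, as an added example that is not code from the original post: count distinct destination ports per source/destination pair over a long sliding window, and compare that with a classic short-window rule on the same traffic. The log format (`timestamp src dst dport proto`), the hosts and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed connection log (hypothetical "timestamp src dst dport proto" format,
# not from the original post). 10.0.0.15 plays the infected host: one new port on
# a single external address every 90 s. 10.0.0.20 is a normal host making HTTPS
# connections to one server at a similar overall rate.
BASE = datetime(2010, 1, 25, 9, 0, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(seconds=90 * i)).isoformat()} 10.0.0.15 192.0.2.10 {1024 + i} tcp"
    for i in range(150)
] + [
    f"{(BASE + timedelta(seconds=60 * i)).isoformat()} 10.0.0.20 192.0.2.20 443 tcp"
    for i in range(150)
]

def parse_line(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def detect_port_scans(lines, window, min_ports):
    """Flag (src, dst) pairs that touch >= min_ports distinct destination ports
    within any sliding span of length `window`. Returns
    {(src, dst): (distinct_ports, connections_per_minute)} at first trigger."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _ = parse_line(line)
        events[(src, dst)].append((ts, dport))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> occurrences inside the current window
        start = 0
        for end, (ts, port) in enumerate(evs):
            in_window[port] += 1
            while ts - evs[start][0] > window:  # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports:
                minutes = max((ts - evs[start][0]).total_seconds(), 60) / 60
                hits[pair] = (len(in_window), round((end - start + 1) / minutes, 2))
                break
    return hits

def scan_report(lines=SAMPLE_LOG):
    # A "100 ports in 60 s" rule misses the slow scan; counting distinct ports per
    # pair over hours catches it, while the steady HTTPS host stays clean.
    return {"short_window": detect_port_scans(lines, timedelta(seconds=60), 100),
            "long_window": detect_port_scans(lines, timedelta(hours=6), 100)}
```

The reported rate (about 0.67 connections per minute) is what makes the scan invisible to rate-based rules; the distinct-port count is the signal that survives.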
IT departments should continue to monitor for suspicious activity related to the attack described above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.