Category Archives: Phishing

Ubisoft compromised, breach notification… Fail

At 19:44 CET I got my breach notification mail from Ubisoft. It seems that perhaps the consequences of the attack are still being felt at Ubisoft because currently their main web site is still down. In their words

“We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <account-name>”

Further details from the Ubisoft blog state that the attacker used stolen credentials to gain this level of unauthorised access.
Continue reading

Dropbox Breach leaves unanswered questions

Salt by SoraZG used under creative commons


 
On the 18th July, Dropbox announced that they had begun investigating claims from users of their service of receiving Spam to email addresses that had been associated only with Dropbox accounts. Two weeks later, it seems the mystery has been solved.
 
Dropbox have stated that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts“. One of these improperly accessed accounts happened to belong to a Dropbox employee account “containing a project document with user email addresses“. Which is what they believe led to the Spam.
 
For me there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a “project document”, why, shouldn’t they be using dummy data? This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other web services which were compromised. It is not specified which services they refer to, but again, why?
 
Secondly, Dropbox chose to inform their customers of the breach with an email notification containing a link to reset their password. This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a web site to enter any kind of credentials. To compound matters, according to user reports there was no notification of the attack and required password resets on the home page, which would have helped give credibility to the password reset mail they sent out. In an ideal world, an affected organisation could send out an email notification, but instead of a password reset link, they should direct users to browse to the corporate home page and follow the information there.
 
Finally, Dropbox have stated that, as a result of the intrusion, some user passwords have been reset (“In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)”). The question that arises from that is, how do Dropbox know if a given user password is “commonly used”? Are they storing passwords in the clear? Are they storing passwords using an unsalted hash (like LinkedIn were)? Are they using a common salt for every user and a hashing algorithm designed for speed rather than security? If any of these are true, then their password database is vulnerable to a rainbow table attack, which is not very confidence inspiring news. Ideally user passwords should be stored with a unique salt for every user and using an algorithm that allows a “work factor” to be introduced into the hashing process, such as Blowfish. This drastically increases the time taken to crack individual passwords and because the work factor is variable, it can be modified to keep up with advances in processing power. Increase the work factor, the hash gets slower. The effect is negligible on an individual calculation, but mass calculation of rainbow tables becomes impractical.
 
It’s great to hear that Dropbox are implementing two factor authentication for their users along with the other security enhancements they are announcing but this news and they way it was handled still leave many questions unanswered.
 
Aside from that, Dropbox users should now have their guard up for a Dropbox themed phishing campaign or two. This eventuality, will be abused by criminals. It’s another object lesson in why using secure unique password generators for your multiple online accounts is a good thing. If you can’t trust your service providers, then you must take responsibility for your own security.
 

Phishing for Apples in the Cloud

Apple customers in the UK and Australia are being targeted in a convincing-looking phishing scam with a cloudy twist.
 
Criminals are sending out targeted emails promising a “Discount Card” as a “reward to long-term customers“. This non-existent card supposedly offers £100 or $100 of credit at any Apple store, for the low-low price of just £9. As you can see below, the email contains enough location and currency specific information to make it more credible.
 

Phishing mail out to steal your personal info


 
Of course the card does not exist and will never be delivered. Instead of a link to a phishing site, the mail contains an html attachment, again convincing looking, using Apple style sheets. The criminals ask for a slew of personal and financial information including name, address, drivers licence number, date of birth, credit card number, expiry date, security code and sort code. Quite enough for some serious financial fraud.
 

Submit!


 
Instead of this stolen information being directly uploaded to a criminal or compromised server, the big blue Submit button POSTs the data to a server in Amazon’s EC2 cloud as shown below with dummy data. Once the data has been successfully sent to the criminal server, the browser is redirected to the official Apple web site.
 

Captured traffic from the phishing attack


 
This cleverly crafted and targeted attack may well be enough to fool the unwary, and it’s abuse of commercial cloud infrastructure will make it much more likely to overcome URL blocking security mechanisms.
 
I have informed Amazon of this abuse of their services, but in the meantime remember, there’s no such thing as an “Apple Discount Card”.
 
Never respond to unsolicited email, never open files attached to unsolicited email and never enter personal data on anything other than an SSL encrypted web site (one where the address starts with “https://“). If you do receive an email making you an offer you can’t refuse, do not follow links in the mail, but contact the vendor directly either by typing in their web address or using the good old telephone.