Posts Tagged: Skype


8
Mar 18

Look-Alike Domains and Visual Confusion

How good are you at telling the difference between domain names you know and trust and impostor or look-alike domains? The answer may depend on how familiar you are with the nuances of internationalized domain names (IDNs), as well as which browser or Web application you’re using.

For example, how does your browser interpret the following domain? I’ll give you a hint: Despite appearances, it is most certainly not the actual domain for software firm CA Technologies (formerly Computer Associates Intl Inc.), which owns the original ca.com domain name:

https://www.са.com/

Go ahead and click on the link above or cut-and-paste it into a browser address bar. If you’re using Google Chrome, Apple’s Safari, or some recent version of Microsoft‘s Internet Explorer or Edge browsers, you should notice that the address converts to “xn--80a7a.com.” This is called “punycode,” and it allows browsers to render domains with non-Latin alphabets like Cyrillic and Ukrainian.

Below is what it looks like in Edge on Windows 10; Google Chrome renders it much the same way. Notice what’s in the address bar (ignore the “fake site” and “Welcome to…” text, which was added as a courtesy by the person who registered this domain):

The domain https://www.са.com/ as rendered by Microsoft Edge on Windows 10. The rest of the text in the image (beginning with “Welcome to a site…”) was added by the person who registered this test domain, not the browser.

IE, Edge, Chrome and Safari all will convert https://www.са.com/ into its punycode output (xn--80a7a.com), in part to warn visitors about any confusion over look-alike domains registered in other languages. But if you load that domain in Mozilla Firefox and look at the address bar, you’ll notice there’s no warning of possible danger ahead. It just looks like it’s loading the real ca.com:

What the fake ca.com domain looks like when loaded in Mozilla Firefox. A browser certificate ordered from Comodo allows it to include the green lock (https://) in the address bar, adding legitimacy to the look-alike domain. The rest of the text in the image (beginning with “Welcome to a site…”) was added by the person who registered this test domain, not the browser. Click to enlarge.

The domain “xn--80a7a.com” pictured in the first screenshot above is punycode for the Ukrainian letters for “s” (which is represented by the character “c” in Russian and Ukrainian), as well as an identical Ukrainian “a”.

It was registered by Alex Holden, founder of Milwaukee, Wis.-based Hold Security Inc. Holden’s been experimenting with how the different browsers handle punycodes in the browser and via email. Holden grew up in what was then the Soviet Union and speaks both Russian and Ukrainian, and he’s been playing with Cyrillic letters to spell English words in domain names.

Letters like A and O look exactly the same and the only difference is their Unicode value. There are more than 136,000 Unicode characters used to represent letters and symbols in 139 modern and historic scripts, so there’s a ton of room for look-alike or malicious/fake domains.

For example, “a” in Latin is the Unicode value “0061” and in Cyrillic is “0430.”  To a human, the graphical representation for both looks the same, but for a computer there is a huge difference. Internationalized domain names (IDNs) allow domain names to be registered in non-Latin letters (RFC 3492), provided the domain is all in the same language; trying to mix two different IDNs in the same name causes the domain registries to reject the registration attempt.

So, in the Cyrillic alphabet (Russian/Ukrainian), we can spell АТТ, УАНОО, ХВОХ, and so on. As you can imagine, the potential opportunity for impersonation and abuse are great with IDNs. Here’s a snippet from a larger chart Holden put together showing some of the more common ways that IDNs can be made to look like established, recognizable domains:

Image: Hold Security.

Holden also was able to register a valid SSL encryption certificate for https://www.са.com from Comodo.com, which would only add legitimacy to the domain were it to be used in phishing attacks against CA customers by bad guys, for example. Continue reading →


17
Mar 16

Spammers Abusing Trust in US .Gov Domains

Spammers are abusing ill-configured U.S. dot-gov domains and link shorteners to promote spammy sites that are hidden behind short links ending in”usa.gov”.

shellgameSpam purveyors are taking advantage of so-called “open redirects” on several U.S. state Web sites to hide the true destination to which users will be taken if they click the link.  Open redirects are potentially dangerous because they let spammers abuse the reputation of the site hosting the redirect to get users to visit malicious or spammy sites without realizing it.

For example, South Dakota has an open redirect:

http://dss.sd.gov/scripts/programredirect.asp?url=

…which spammers are abusing to insert the name of their site at the end of the script. Here’ a link that uses this redirect to route you through dss.sd.gov and then on to krebsonsecurity.com. But this same redirect could just as easily be altered to divert anyone clicking the link to a booby-trapped Web site that tries to foist malware.

The federal government’s stamp of approval comes into the picture when spammers take those open redirect links and use bit.ly to shorten them. Bit.ly’s service automatically shortens any US dot-gov or dot-mil (military) site with a “1.usa.gov” shortlink. That allows me to convert the redirect link to krebsonsecurity.com from the ungainly….

http://dss.sd.gov/scripts/programredirect.asp?url=http://krebsonsecurity.com

…into the far less ugly and perhaps even official-looking:

http://1.usa.gov/1pwtneQ.

Helpfully, Uncle Sam makes available a list of all the 1.usa.gov links being clicked at this page. Keep an eye on that and you’re bound to see spammy links going by, as in this screen shot. One of the more recent examples I saw was this link — http:// 1.usa[dot]gov/1P8HfQJ# (please don’t visit this unless you know what you’re doing) — which was advertised via Skype instant message spam, and takes clickers to a fake TMZ story allegedly about “Gwen Stefani Sharing Blake Shelton’s Secret to Rapid Weight Loss.” Continue reading →


21
Mar 13

Privacy 101: Skype Leaks Your Location

The events of the past week reminded me of a privacy topic I’ve been meaning to revisit: That voice-over-IP telephony service Skype constantly exposes your Internet address to the entire world, and that there are now numerous free and commercial tools that can be used to link Skype user account names to numeric Internet addresses.

A Skype resolver service in action.

A Skype resolver service in action.

The fact that Skype betrays its users’ online location information is hardly news. For example, The Wall Street Journal and other news outlets warned last year about research showing that it was possible to coax Skype into revealing the IP addresses of individual Skype users. But I believe most Skype users still have no clue about this basic privacy weakness.

What’s changed is that over the past year, a number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

A Skype IP resolver service in action.

A Skype IP resolver service in action.

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account, and then use the resolvers to locate their IP. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Many of these resolver services offer “blacklisting,” which for a fee will allow users to prevent other users from looking up the IP address attached to a specific Skype account, said Brandon Levene, an independent security researcher.

“It’s basically a protection scheme,” Levene said.

Continue reading →


28
Feb 12

PSI 3.0: Auto-Patching for Dummies

A new version of the Personal Software Inspector (PSI) tool from vulnerability management firm Secunia automates the updating of third-party programs that don’t already have auto-updaters built-in. The new version is a welcome development for the sort of Internet users who occasionally still search their keyboards for the “any” key, but experienced PSI users will probably want to stick with the comparatively feature-rich current version.

PSI 3.0 Beta's simplified interface.

PSI 3.0 introduces one major new feature: Auto-updating by default. The program installs quickly and immediately begins scanning installed applications for missing security updates. When I ran the beta version, it found and automatically began downloading and installing fixes for about half of the apps that it detected were outdated. The program did find several insecure apps that it left alone, including iTunes, PHP and Skype; I suspect that this was based on user feedback. It may also just avoid auto-patching busy programs (all three of those applications were running on my test machine when I installed PSI 3.0); for these, PSI presents the “run manual update,” or “click to update,” option.

But users familiar with previous versions of PSI may be frustrated with the beta version’s intentional lack of options. The beta is devoid of all settings that are present in the current version of PSI, and the user dashboard that listed updated software alongside outdated programs and other options no longer exists. In fact, once a program is updated, it is removed from the update panel, leaving no record of what was updated (I had to sort my Program Files folder by date to learn which programs were touched after running PSI 3.0).

Continue reading →


11
Mar 11

Rogue Antivirus Via Skype Phone Call?

A few readers have written, saying that they recently received Skype phone calls urging them to download and install a system update for Microsoft Windows. Users who visit the recommended site are bombarded with the same old scareware prompts that try to frighten them into purchasing worthless security software.

Scareware scams are nothing new to Skype: They have spread for some time now over the instant message client built into Skype, but this is the first I’ve heard of rogue anti-virus peddlers resorting to robocalls via Skype to spread their junk software.

One quick-thinking reader managed to record the tail end of the call, which is available by clicking here. It says, “To download the patch update, request professional maintenance at www.sosgt.com.” It seems from this thread on the Skype.com user forum that a great many others are getting these rogue AV calls.

Continue reading →


3
Nov 10

‘Evilgrade’ Gets an Upgrade

“Evilgrade,” a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles, recently received an upgrade of its own and is now capable of hijacking the update process of more than 60 legitimate programs.

Evilgrade’s creator, Francisco Amato of InfoByte Security Research, says that by targeting widely deployed programs that don’t properly implement digital signatures on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer.

Software companies should include these signatures in all of their updates, so that a user’s computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with a cryptographic key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. But for whatever reason, many software vendors have overlooked this important security precaution, and have chosen not to sign their updates — or have implemented the signing verification process in a way that can be circumvented.

Among the software products that Amato says EvilGrade can compromise are iTunes, Java, Skype, Winamp — even security applications like Superantispyware, Sunbelt, and Panda Antirootkit (a longer list of vulnerable apps is available in the documentation).

The video above shows how Evilgrade works against even the latest version of Java — Java 6 Update 22.

As the release notes state, this tool is a cross-platform attack suite, meaning that it can be used to attack not only Windows systems, but any vulnerable update mechanism: The attacker need only supply platform-specific payloads designed to run on the targeted user’s operating system.

Continue reading →