Browsing and User Behaviour
Author: Derek Burke, Technical Support Engineer, firstname.lastname@example.org
In the previous installment we secured our Wi-Fi and discussed segmenting our network to the best of our ability. All this work will be for naught, however, if we allow malicious software in through our own actions. In this final installment we will examine user behaviour and review known avenues of exploits relative to the coronavirus outbreak.
A web browser seems like a simple tool to most, but it is an extremely powerful and capable application that exchanges data with numerous systems on the internet including fetching, interpreting, and executing various kinds of code to render text, images, video and more. The potential for exploit exists both with how the browser itself works, and further with the what the user willingly (or unwittingly) does with it.
A few extensions can help secure our web surfing experience. The first is uBlock Origin, available as an add-on to most browsers. uBlock Origin is a flexible and customizable add-on that serves to help block malicious scripts, maintain privacy, and block ads. Its default settings are good for most users and it is easy to disable on a per site basis if it causes a website to not load properly. uBlock Origin’s main page can direct you to your specific browser’s plugin: https://getublock.com/
The EFF (Electronic Frontier Foundation) has developed several tools for users to maintain security and privacy online and one of these is HTTPS Everywhere. This browser extension simply ensures your browser is using the secure portions of a website when available. It can be found here: https://www.eff.org/https-everywhere.
Some browser extensions can be a liability as well. This post on The Hacker News shows that extensions are frequently caught stealing browser data. Exercise caution when deciding which browser plugins to add and this is a case where less can be more (security).
Email is an extremely common vector for extracting information, conning individuals, and placing malicious software onto systems. We are probably all familiar with the so-called “Nigerian” or “419” scams where an individual in need requests some financial aid to resolve a problem and will handsomely reward you afterwards. Indeed, these scams predate email and, while we mostly chuckle at them now, they must still work well enough to be worth the effort. Threat actors (a fancy name for bad hackers) have gone beyond the hapless prince in need to leverage email to elicit information or install malware. These methods are known as ‘phishing’ and are designed to either get the user to click on a link or open an attachment. These phishing attempts can become quite sophisticated, utilizing the personal information and interests of the victim. When this occurs, it is known as ‘Spearphishing’. You are more likely to be targeted in this way if you are a public and/or prominent figure in your organization, perhaps a C level executive or department head. Keep in mind that with the large amounts of publicly available information online, it probably isn’t overly difficult for an attacker to ascertain who you are, how to contact you, and discover personal interests and relationships through social media. On that note, phishing tactics are not limited to email, all manner of communication can be employed to elicit information from a target through Social Engineering tactics (an art of manipulating people to achieve some goal). The EFF has put together a good primer that explains what to look for and how to avoid falling prey: https://ssd.eff.org/en/module/how-avoid-phishing-attacks. As a rule, if you did not request, or otherwise expect, an attachment, do not open it. If the email contains a link to a page you can reach independently, you should do so. For example, if an email comes from a financial institution with a link for you to update your personal info, instead, go the institution’s website independently to perform those actions rather than clicking on the link. If you receive an email from a superior requesting an action that falls outside of standard procedures, be wary and try to confirm the instructions through a separate channel. Using a position of authority and urgency are two common methods an attacker employs to cloud the victim’s judgement. This level of caution applies equally to voice calls, SMS messages, paper correspondence, and personal interactions (admittedly, an unlikely vector at present). Relative to Covid-19, a common theme being seen in phishing is linking to websites claiming to have medical information and updates on new cases in the targeted individual’s area.
If you connect to business assets remotely through a VPN (Virtual Private Network) there is something to be aware of. Most corporate VPN deployments will use something called ‘Split Tunneling’, an undesirable but often necessary situation due to resource constraints. This simply means that only the network traffic bound for company resources is sent through the VPN tunnel while all other traffic from your device is not. When on our corporate network(s) we have the benefit of being protected by multiple layers of security appliances for nearly everything we do on those systems. With split tunnelling, this is not the case as much of what we do will likely not traverse the VPN and therefore not have the benefit of the company’s security and monitoring infrastructure. As a user, just know you cannot rely on the same level of protection you are used to when working locally. If you are a member of your organization’s IT or Information Security staff, you are probably already aware of the loss of monitoring and visibility this situation creates. On a related note, the increase of use and reliance on VPNs has seen a corresponding surge in attackers scanning for weaknesses in VPN deployments.
Finally, let’s end with some general awareness about how malicious actors are leveraging Covid-19 before briefly discussing how a targeted attack might develop. There is no shortage of malicious activity using Covid-19 as cover to spread malware or harvest sensitive information.
Chances are, if you have heard of any technology-related disruptions amid the various quarantines and stay-at-home orders, it has to do with online meetings. We are finding ourselves more reliant on online conferencing applications than ever before due to the home being both the new workplace and classroom. Zoom, especially, has been in the spotlight for lax security policies allowing ‘zoom-bombing’ though they have been quick and responsive to address these issues so far, they can’t seem to catch a break as new vulnerabilities are discovered almost weekly. The following are some steps you can take to keep any unwanted guests out of online meeting spaces, with that said, these probably are not the best forums for sensitive business discussions in the first place. First, use a unique meeting ID and password. One of Zoom’s early issues was that the meeting ID was easily discoverable allowing anyone to locate it and join the meeting. This has since been addressed but keeping the meeting ID private and further requiring a password makes gaining access more than a trivial measure. Second, enable a waiting room where the host must approve each person joining the meeting. This could be cumbersome for large meetings but ensures that each participant is vetted and that an uninvited guest can’t slip in and eavesdrop. Similarly, one can usually lock a meeting once all participants have joined. Limiting screen sharing to only the host will help prevent some of the lewd actions perpetrated by zoom-bombers as well. The main attention around zoom-bombing seems to be focused on immature and lewd antics but the larger threat is probably an eavesdropper going unnoticed and obtaining sensitive business information.
Numerous mobile apps claiming to help track Covid-19 were found to contain trackers, keyloggers, malware, and ransomware. This disproportionately affects Android users (I am one as well so don’t shoot the messenger). To combat this, stick to trusted app sources such as the Google Play Store (and trusted developers beyond that) and, even then, exercise discretion when choosing which apps to install. Ask yourself “Do I really need this app?”; malicious apps making it into both the Play Store and even Apple’s App Store are not rare events. Android ransomware dubbed Covidlock has been found to spread through a Covid-19 tracking app. If you or someone you know has been affected by this, a password key has been discovered to unlock an affected device and can be found here: https://www.scmagazine.com/home/security-news/news-archive/coronavirus/password-found-to-rescue-victims-of-malicious-covid-19-tracker-app/. Another app labelled Corona Live 1.1 presents data from Johns Hopkin’s Coronavirus Tracker but is really an implementation of the SpyMax surveillance ware in disguise (https://blog.lookout.com/commercial-surveillanceware-operators-latest-to-take-advantage-of-covid-19).
Attackers are registering malicious and lookalike domains en masse to capitalize on those seeking information regarding the Coronavirus outbreak. Stick to known and trusted sources for information and double and triple-check the URL for spelling variations and character substitutions that could indicate an imposter website. Even so, know that it is also possible for official sites to be compromised. An incident with hhs.gov occurred where attackers took advantage of an open redirect to send visitors to a malicious web page (https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/).
Many of these attacks cast a wide net hoping to indiscriminately affect, or infect, as many people as possible. I mentioned periodically throughout the series the potential for targeted attacks as well so let’s explore how an attacker might single an individual out. Two challenges I have personally heard to the notion that a hacker might specifically target someone are “Why would they care about me?” and “How would they even find me?”. The answer to the first question is likely due to who you work for, what you do there, and what access you may have. The motives of an attacker are not always clear, but some common ones are a desire to steal personal information, money, and intellectual property or a desire to undermine, discredit, or embarrass an individual or organization.
To answer the second question, I will focus on Open Source Intelligence (OSINT) methods. First, has your organization published a directory of personnel and is it public? Even if it’s not public don’t assume it is hard to access. Do you have a LinkedIn or similar profile that contains information such as the company you work for, your job title, resume and skills? These sources offer a lot of insight into the kinds of company resources you likely have access to. When cross-referenced with job postings for similar positions in the same company we can further refine what technologies/software are in use. Do you also use social media services like Facebook, Instagram, or Twitter? How much personal and work information do you share on these sites? I invite you to search yourself on fastpeoplesearch.com and truepeoplesearch.com (may only apply to US citizens). Starting with just a name can lead to a trove of personal information and these are just two examples of many sites that aggregate publicly available information online. If we take the information available via the above sources, there is a good chance we can determine a lot about a person’s professional life. Add social media and we can further build a profile around their personal life, interests, hobbies, and family. Data like geolocation information from posts and/or photos, especially when combined with profiles from sites that compile public information, offer a good chance we can narrow down a person’s general locale, if not gain their exact address. This information is invaluable to an attacker preparing a targeted phishing campaign or social engineering effort. Careful reconnaissance is the first step in most successful targeted attacks, in the worst cases a few hours of research can result in a surprisingly comprehensive dossier of the target. An individual could be a key component in any such planned offensive or simply a stepping stone to the next objective.
I hope the advice in this series of articles will prove useful for people now finding themselves working remotely and will remain helpful long after the Coronavirus epidemic. Whether it is the pervasive attempts to spread malware or scam the unfortunate to the targeted threats against individuals and organizations there always will be a new crisis for attackers to capitalize on. This is a topic certainly worth exploring more, especially if you found the material interesting, as I have only scratched the surface of these subjects. Best wishes to everyone out there and it is my hope that you will stay safe both online and off.
For Further Reading: