Archive for October, 2008

Scotiabank Fraud spam

October 25th, 2008, by Clear2Go

I was at a talk by a spam researcher who made the point that although there are some complicated identity theft scams happening on the Internet, most are very, very simple. Yesterday, I received 3 emails supposedly from Scotiabank. Each one had a similar format with different subjects: ‘scheduled security maintenance’, ‘securing customer data’. Standard fraud email. I would hope that most people today would recognize it as fraud, mark it as ‘Junk’ and move on with life. The first flag for me was that I am not a Scotiabank customer. Second, banks never do this via email (and if your bank does, you should change banks). Third, I received 3 of them at three different email addresses that I use to sign up for forms and the like on the Internet. The email had the standard URL for the user to click, which appears to be a Scotiabank link. If you hover your pointer over the link, you can see that the actual link is different. I have highlighted the actual link in light green in the screenshot below. The actual site in the URL is ‘http://www.scotiaonline.scotiabank.com.dll.ec’: the host is a subdomain of dll.ec, and ‘scotiabank.com’ is nothing more than a label placed in front of it to make the address look legitimate.
I decided to take a few moments and see how ‘complicated’ this scam was. So far it rated very low on the ‘covertness’ scale. I fetched the URL from the email in a way that no code would execute or do anything nasty and took a look at it. It was standard HTML, all compressed so there was no indentation or formatting, probably a simplistic attempt at obscurity. I ran the file through an HTML formatter and took a look at it: a simple form requesting information that your bank would already have. I also pulled back the style sheets and graphics the page requested to ensure they did not contain any malicious code. They didn’t.

Confident that all was reasonably safe so far, I went to the site with my browser. I was happy to see that the site had already been flagged by Mozilla as a fraud site, and my browser immediately warned me.
I ignored the warning and proceeded to the site. A professional-looking form appeared from ‘ScotiaBank’ requesting my card number, 3 codes that I assume Scotia customers use to authenticate themselves when using online banking services, and some personal details.

If you fill in this form, it simply submits the information to the ‘fraudsters’, and I assume they can quickly access and transfer money from your bank account, possibly automated via a botnet. This is not an attempt at identity theft so much as an attempt to harvest the information needed to access your account. I suspect that once you submit data to this form, your bank profile and associated accounts would be accessed within seconds, most likely by an automated program, and money would be transferred or some fraudulent transactions would occur. The fact that they did not ask for a social insurance number on the form means it is probably not an identity theft scam. My guess is that requesting a social insurance number would most likely raise more suspicion with some targets and would probably require the target to go look up what their number was, giving them more time to think before submitting the form. If the goal is to get access to the accounts and it is not required, why ask for what you don’t need and raise suspicion?

This is a simple attack and the technical knowledge needed to do it is minimal, making it easy for just about anyone with a computer and access to the Internet. It may be more complicated on the back end: bots to harvest addresses and send emails, bots to automatically access the account and transfer money from users who submit valid data.

The talk from the spam researcher seems accurate, at least for this example. The attack was pretty simple, if disappointing. I was hoping for more technical wizardry and smarts.

Categories: exploits/vulnerabilities

Are you a ‘busy’ or ‘bursty’ worker?

October 19th, 2008, by Clear2Go

I was catching up on some of my reading last night when I couldn’t sleep. A friend of mine had posted a link to an article on the difference between ‘traditional workers’ and ‘web workers’. Personally, I definitely fall into the ‘bursty’ or ‘web worker’ category, and I realize my office has a mix of both types.

Categories: musings

Network Forensics – Extracting audio, video and other binary data from capture files

October 17th, 2008, by Clear2Go

I remember a few consulting gigs years ago where I was required to extract binary data such as Microsoft Word documents, audio and video files from network captures. The process was quite involved, using a sniffer, hex editors, base64 decoders and other software to accomplish the task. Today, there are many commercial and freely available pieces of software that hide the process involved in these activities.

Assuming you have access to a network stream, either in your corporate network or at an ISP via a warrant, and you capture the network data of a particular subject, how do you review the binary data contained in the capture? Let’s assume that you are profiling a subject who visits MySpace briefly and appears to be listening to an audio track that is streaming from a server to the subject.

To accomplish this, I often use a utility called Chaosreader. Chaosreader is an older utility written in Perl, but I find it still does a good job of extracting binary data from a network capture in the standard pcap format. The other benefit is that, since it is written in Perl, the code can be reviewed to understand exactly how this is accomplished.

To keep this post focused and easy to understand, I isolated the capture file to just the area where the user connected to MySpace and started listening to the audio file in question, but this is not a requirement in a normal investigation.
Running Chaosreader on the capture file is a simple step. It prints a summary of the files created from the capture and generates an index.html file which you can open in your browser.
Looking at the resulting output, the two files of interest are obviously session_0005.part_01.data and session_0005.www.html. In a large capture with many sessions it is easier to view the generated index.html.
Viewing the index.html file in your browser shows a chart that breaks down each session, listing a timestamp, duration, 5-tuple, service, data size transmitted, and links to the files associated with the flow.

The session we are interested in is session 5. It is by far the largest and will be the audio file that was being streamed to the subject. What we do not know is what type of data was streamed. Was it wmv, mpeg, or some other format? Selecting the as_html link for session 5 displays a text version of the file, including headers.

Here we can see two blocks of text. The first block, in red, shows the subject (client) requesting the resource to be streamed to them. The second block, in blue, is the server’s response to the request. The header information is transmitted first and tells the client what data is about to follow; then the binary data itself is transmitted to the client. Specifically, if you look at the ‘Content-Type’ header, the data format is ‘audio/mpeg’.

Armed with this information, we simply rename the file session_0005.part_01.data, which contains the binary stream, to something more meaningful with a .mpg extension.
Select your preferred mpg player and play the file.
Keep in mind that, depending on the quality of the network connection, there is sometimes minor ‘noise’ in the output due to retransmits on the network. Chaosreader provides other information not discussed here. I encourage anyone interested to experiment with it and with other software available from the open source community.
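The header-then-body layout described above can also be handled programmatically. The following Python is an added example, not part of Chaosreader or of the original post: it splits a reassembled server-to-client HTTP stream (the kind of data Chaosreader writes to a session_NNNN.part_NN.data file) into headers and body, picks a file extension from Content-Type, and uses Content-Length or the chunked terminator to tell whether the body is complete, which covers the retransmit ‘noise’ case mentioned at the end. The EXTENSIONS table and SAMPLE bytes are constructed for the example.

```python
# Content-Type to extension; follows the post in using .mpg for audio/mpeg
# (assumed table, extend as needed).
EXTENSIONS = {"audio/mpeg": "mpg", "video/mpeg": "mpg", "video/x-ms-wmv": "wmv",
              "application/msword": "doc", "text/html": "html"}

def parse_http_response(stream):
    """Split a server->client HTTP stream into (status line, headers, body)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker; not an HTTP response?")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def dechunk(body):
    """Reassemble a 'Transfer-Encoding: chunked' body; returns (data, complete)."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:                      # ran out of data before the 0 chunk
            return bytes(out), False
        size = int(body[pos:end].split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return bytes(out), True
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2         # skip chunk data and its trailing CRLF

def carve_payload(stream):
    """Return (suggested file name, payload bytes, complete?) for a response."""
    _status, headers, body = parse_http_response(stream)
    complete = True
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, complete = dechunk(body)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    ext = EXTENSIONS.get(ctype, "bin")
    declared = headers.get("content-length")
    # A length mismatch is the retransmit 'noise' or a truncated capture.
    if declared is not None:
        complete = int(declared) == len(body)
    return f"stream.{ext}", body, complete

# Constructed sample: a short audio/mpeg response (MP3 frame sync bytes, then filler).
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\n"
          b"Content-Length: 8\r\n\r\n\xff\xfb\x90\x00MP3!")
```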

Categories: Forensics

Covert Monitoring of IM

October 3rd, 2008, by Clear2Go

More news articles from stv.tv and the EFF have been published on China working with Skype to search chat conversations for keywords and the like, following the investigative work done by a Toronto-based researcher. Although this is not a good thing for Skype, I wonder about other IM platforms such as MSN. I have friends in China who also use MSN regularly. If China has a policy of monitoring IM transmissions on Skype, logic would dictate that they are doing the same with MSN and other chat programs as well.

Categories: monitoring

Working remotely

October 2nd, 2008, by Clear2Go

Working remotely, in my opinion, is great. I came across this video of April Dunford, who works for Nortel. She discusses working remotely and the benefits it offers. From experience, I agree with her comments. My company has a very similar view on working remotely. Personally, I find I am much more productive when I am not in the office than when I am. For me it is the interruptions, meetings, and chats that take away from my productivity. At home during the day there is just me and the Internet, so there is lots of time to get stuff done, and if anyone really needs to reach me it’s not difficult: e-mail, phone, VoIP, IM... just choose your channel.

What actually caught my attention was her name; I knew I had seen it before but at first couldn’t recall where or when. Then it hit me: she is a friend of a friend and was mentioned in one of his blog entries. She also has a blog.

Categories: Corporate Culture

Chinese monitor Skype transmissions

October 2nd, 2008, by Clear2Go

This is not a surprise. There have been suggestions before that Skype was being monitored. A research paper by Nart Villeneuve about Chinese monitoring of Skype messaging has been published, along with a news article about the paper.

Just because something is encrypted does not mean it is secure. The fundamental problem is one of control. When businesses outsource data storage or processing to third parties, or when you use social networking sites, it may no longer be your data. Even if it is your data, you have given up some if not all control over it. Deleting data such as a record, audio file or photograph does not mean it is actually deleted. Chances are very high the data is never really deleted and can be brought back. Try deleting your Facebook profile for a week, then re-create it. You’ll find everything comes back, just as you left it.

Categories: monitoring