Attacks/Breaches
4/18/2014
09:10 AM
50%
50%

Phishers Recruit Home PCs

Residential broadband machines spotted hosting phishing attacks.

For attackers, hide-and-seek is a daily exercise -- and a wave of phishing attacks may be have found the perfect hiding spot.

According to PhishLabs, the attacks involve phishing sites installed and hosted on the personal computers of residential broadband customers. The attackers are able to do this by exploiting the home computers of residential ISP customers who have the Remote Desktop Protocol (RDP) service enabled on Microsoft Windows and who use easily guessable passwords.

The tactic is significant because phishing sites hosted on compromised home PCs typically have a longer lifespan than those in hosting environments. This is because hosting providers are quicker to take action to shut down malicious sites, because they have direct control over the servers, and the terms of service prohibit that kind of activity, Don Jackson, PhishLabs director of threat intelligence, explains in a blog post. This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks, he writes.

The attackers start by scanning residential service IP address space for open RDP ports and brute-forcing weak and default passwords. Once the attackers have access to the system, they install web server software and upload various phishing pages, the links to which are blasted out in spam messages. The RDP server listens on port 3389/tcp by default, but is turned off by default on Windows desktops.

Still, Jackson tells Dark Reading that it would be a mistake to underestimate the prevalence of the attacks.

"The short answer is between 1 to 2 percent" of users have RDP turned on, says Jackson. "We looked only for the default RDP port 3389/tcp used by Terminal Services/Remote Desktop, but although there's a very small chance that some other service was running on that port, we did not verify if the port was actually being used for remote desktop connections."

PhishLabs surveyed large parts of Class B network blocks used by residential customers in primarily English-speaking markets and looked at three major broadband IPSs from which the company identified the most phishing sites.

"That means," Jackson says, "we were looking at hot spots of activity where access to the default RDP port was not blocked and had already likely or positively been scanned by the phishing crews. Of about 180,000 hosts we examined, approximately 1.5 percent of them had the Remote Desktop port open to the Internet.

"Given the number of actual phishing sites set up on these networks, we know that the phishers have been scanning at least 1.5 million computers on the affected networks each month."

After brute-forcing RDP passwords, the attackers install the PHP Triad software. Once PHP Triad is set up and running on the default port, the phishers install anywhere from a handful to several dozen phishing pages targeting various North American financial institutions and payment services.

"We have not been able to link the spam sent out with any of the big spambot networks," Jackson says. "They appear to be sent using an automated method such as a script, using a list of compromised email addresses and passwords via whitelisted mail servers that require authentication for sending email."

Jerome Segura, senior security researcher for Malwarebytes, says the strategy is "absolutely a smart tactic" for phishers.

"Typically most phishing pages are hosted on compromised web servers, which don't always have a long lifespan because they can be shut down by the hosting provider or the site owners themselves," says Segura. "The same cannot be said about Internet service providers, which don't have direct access to their customers' machines. Short of threatening their customers to suspend their account if they don't clean their PC, there isn't a whole lot they can do."

In addition, the use of legitimate systems tends to help obfuscate criminal activities, notes Trend Micro's Jon Clay. Also, criminals -- like any other business -- are always looking for ways to save money, he says.

So far, the crew behind the attacks seems to only be interested in phishing, and there hasn't been any evidence of any malware or tinkering with security settings. However, the default configuration and security vulnerabilities identified in the versions of the software components installed by PHP Triad increase the opportunity for further intrusions on compromised hosts -- either by this crew or other crews, Jackson says.

Outside not having RDP enabled, Jackson advises disabling built-in administrator and guest accounts. In addition, users should focus on their password practices.

"This is a case of hackers taking advantage of weak, common, or default username and password combinations," he says, adding that complex passwords of more than 14 characters are ideal for when no other stronger method of authentication is available.

"People should be aware that user names or IDs are half of the puzzle that these brute-force attackers must solve," says Jackson.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:47:56 PM
Long passwords -- not ideal
It's hard for me to imagine that users who already have difficulty managing strong passwords be more vigilant with even longer, more complex passwords.... 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
4/21/2014 | 12:34:09 PM
Re: RDP is a problem
I don't believe changing the RDP port would be beneficial or feasible. 

If you have a hacker who is worth his salt, simply changing the RDP port will not prevent him from discovering it.  Secondly, most home users that enable RDP do not have the technical expertise to understand what a port number is much less changing it.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
4/20/2014 | 8:35:57 PM
RDP is a problem
At first I thought.. Are these people using anti virus?  But that wouldn't help in this case.

Would changing the port that RDP uses help at all?
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
4/18/2014 | 5:19:30 PM
Re: Broadband provider's responsibility?
I imagine it would be almost impossible for the ISP's to track down these compromised hosts.  The ports and traffic generated by the compromised machines is not overly odd when compared to the traffic of legitimate home use.  Many users enable RDP or run web services out of their homes.

I would propose that the ISP's should monitor for RDP traffic originating in foreign countries destined for user's within their IP block and then alert the user's.
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
4/18/2014 | 4:04:17 PM
Broadband provider's responsibility?
Do the cable Internet and DSL providers do anything to detect home networks that have become spambot nodes? I'd think they'd have some responsibility, as well as potentially a concern related to wasted bandwidth.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?