175. BazarCall of the Wild
Here are a few highlights from each article we discussed:
- Cybercriminals are using Wyoming shell companies for global attacks
- This was brought to light when a Somali reporter heard a colleague was abducted, but he didn’t have a way of getting the word out due to digital sabotage
- The complainant was the chairman of the Somali Journalists Syndicate, and their website and email system had been compromised and disabled, so he wasn’t able to use his well-known operation to more effectively get help for the colleague
- The reporter in question, Abdalle Ahmed Mumin, was able to receive help from Qurium
- Qurium is essentially two separate bodies – a digital hosting service with a Swedish media foundation wrapped around it
- They provide paid hosting for journalism and news organizations with an emphasis on security and resiliency in the face of attacks
- As a hosting company they also represent a kind of firewall between the journalists that operate on there and takedown requests abusing DMCA, GDPR, or other laws to try and censor embarrassing content
- They’ve got some really interesting write ups in the “Dark Ops” section of their website, including campaigns utilizing hundreds of spurious domains to intimidate with legal requests or impersonate government officials
- Why is Wyoming such a hotbed for cybercrime?
- It’s really, really easy to register an anonymous shell company in Wyoming
- You don’t even have to do it in-person. You can contract remotely with a registered agent in Wyoming who agrees to be the public point of contact, then obfuscate all other information
- This exists in other states but Wyoming has made it cheaper and easier. In addition, that gives your fake business a US address, and makes it much easier to set up digital services within the US so it shows as a domestic IP address
- The registered agents take no responsibility for the folks they supposedly partner with, and in most cases it’s incredibly simple to dissolve one spurious LLC and spin up a new one to do the same thing
- How have Wyoming legislators reacted to this influx of shell companies?
- The general counsel for the Wyoming secretary of state said they’d support new laws to tighten things up; and that they’d forward on the information Reuters provided for further investigation
- They might form a legislative committee of some sort and put an ad in the newspaper as required for public comment
- What sort of mitigations could be taken to prevent this?
- Ian’s a fan of consequences
- The one Registered Agent company that responded to Reuters said it followed all in-state laws and did all required due diligence, which is probably their way of saying “the check cleared to pay their fees.” Realistically the fastest patch here is to saddle Registered Agents with strict liabilities pertaining to what their partnered companies do, steep insurance requirements to cover monetary liabilities, and professional consequences to one’s ability to act as a Registered Agent
- We’re talking about a BazarCall attack that leverages Google Forms to increase perceived credibility
- What is a BazarCall attack?
- The calling card of this group is a form of phishing attack where the miscreant lures the victim into getting on a phone call with them, ultimately harvesting credentials
- This kind of social engineering leverages something we just talked about in our episode with @nullcookies—it’s what Tim calls “opt-out psychology.”
- Originally, and still some of the time, phishing uses an opt-in strategy, meaning that the victim is enticed by something that the phisher is offering, or feels compelled to take some action, like we see with business email compromise
- Opt-out cleverly abuses our wariness and, in fact, our vigilance for fraud. The phisher sends what looks like a confirmation of a subscription or some other payment, and the lure will say something like “if you believe this to be an error,” do [whatever action]
- Whatever action in this case, with BazaCall or BazarCall (let’s have fun with swapping back and forth between those two versions of the name through this whole segment), anyway, the action they want the victim to take is to get on the phone and give them their credentials verbally
- They have met with quite a bit of success with this, so it seems like the power of the human voice works well for convincing potential victims that the phisher is legit
- Do attackers need to know anything about the intended victims?
- Not at all—which is part of the twisted genius of opt-out psychology!
- The victim could look at the phish and go “whoa, this is total fraud—it doesn’t match up to my own stuff. Guess I’d better get them on the horn, pronto, and straighten this out!” But even if it was a spear phish where they had done that homework, it still could work, if the victim isn’t savvy about these scams
- How are BazarCall attacks using Google Forms?
- We would think Google Forms would be a dead giveaway that it’s not an official form of communication, but so far they’re working
- But they’re using Google Forms like this:
- the phisher creates a Google Form and populates it with details about the phony transaction—an invoice number and date, method of payment, and information about the product or service that was purportedly purchased, etc.
- The second step, which you may be familiar with if you’ve ever created a Google form, is to go to the Settings tab and enable the response receipt option
- This sends a copy of the completed form to the email address entered into the first field and—get this—the phisher sends the invitation to complete the form to themself
- So when they get this email to themself, the phisher clicks the Fill Out Form button, which pops up the Google Form. Then, they enter the target’s email address in the “Your email” field and click Submit
- Because the attacker enabled the response receipt option, the target will receive a copy of the completed form, which in the example from the article, the phisher has designed to look like a payment confirmation for Norton Antivirus. So—fundamentally, this is just a method they use to send a somewhat convincing-looking invoice form
- Why is detection so difficult in this type of attack?
- It has to do with the fact that, unlike so much of what we talk about on this here podcast, this phish does not use infrastructure that the phisher set up
- It doesn’t use spoof domains or obscure infrastructure that might ordinarily tip off the would-be victim—or their IT department if it’s a work email in play—that the communication is illegitimate
- In this case, everything is coming from Google infrastructure. It’s safe to say that that’s not going to be blocked, pretty much anywhere
- Are there ways to prevent this type of attack?
- Let’s distinguish between detection and prevention
- Prevention is hard in the sense that you’re not going to be able to auto-block this by virtue of blocking newly-created domains, or by using typical anti-spam measures like SPF or DKIM
- But we would argue that this is a good example of where phishing education can really go a long way
- On a corporate security team, we might push out a communication to our users saying that Google Forms is not a common method of confirming transactions from legitimate organizations, and therefore if they receive an email sent directly from Google Forms, with the sender address forms-receipts-noreply@google[.]com and the sender display name “Google Forms,” they should treat that email with a lot of skepticism, assuming it’s not an RSVP for their bowling league or a survey from their ornithological society or whatnot
- The article, we should point out, is written by a security company that has products that will say they’re effective against this type of attack, though we do not have any direct knowledge of said products, so we can’t comment on efficacy
- But we do think some education would go a long way against this type of phish
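The detection angle above can be turned into a simple mail-filter rule: match the Google Forms receipt sender the segment names, then look for transaction language and a phone callback in the body, and route only those receipts for review so that bowling RSVPs and society surveys keep flowing. The script below is an added example, not code from the podcast or from DomainTools; the keyword lists, the phone-number pattern and the three sample messages are constructed for the demonstration, not real captures.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Sender identity the recap cites for Google Forms response receipts.
RECEIPT_ADDRESS = "forms-receipts-noreply@google.com"
RECEIPT_DISPLAY_NAME = "Google Forms"

# Vocabulary of a transaction lure. These lists are assumptions for the example,
# not a vendor signature; tune them against your own mail stream.
PAYMENT_TERMS = ("invoice", "payment", "purchase", "subscription", "renewal", "charged", "order")
OPT_OUT_TERMS = ("if you believe this", "in error", "did not authorize", "cancel")
# North American phone number shapes such as 1-800-555-0142 or (800) 555-0142.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def _body_text(msg) -> str:
    """Return the plain-text body (text/html as a fallback), or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def classify_forms_receipt(raw_message: str) -> dict:
    """Score one RFC 5322 message for the Google Forms payment-lure pattern.

    Verdicts:
      'not_forms_receipt' - sender is not the Google Forms receipt identity
      'allow'             - a Forms receipt with no transaction language (RSVP, survey)
      'review'            - a Forms receipt that talks about a payment, or pairs
                            opt-out wording with a phone number to call
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    is_receipt = address.lower() == RECEIPT_ADDRESS and display_name == RECEIPT_DISPLAY_NAME
    if not is_receipt:
        return {"verdict": "not_forms_receipt", "from": address}

    text = (str(msg.get("Subject", "")) + "\n" + _body_text(msg)).lower()
    payment_hits = [t for t in PAYMENT_TERMS if t in text]
    opt_out_hits = [t for t in OPT_OUT_TERMS if t in text]
    phone_numbers = PHONE_RE.findall(text)

    suspicious = bool(payment_hits) or (bool(opt_out_hits) and bool(phone_numbers))
    return {
        "verdict": "review" if suspicious else "allow",
        "from": address,
        "payment_terms": payment_hits,
        "opt_out_terms": opt_out_hits,
        "phone_numbers": phone_numbers,
    }


# Constructed sample messages for the demonstration; not real captures.
BENIGN_RSVP = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: alice@example.com
Subject: Thursday Bowling Night RSVP
Content-Type: text/plain; charset="utf-8"

Here's a copy of your response.
Will you attend? Yes
Team name: Split Happens
"""

PAYMENT_LURE = """\
From: Google Forms <forms-receipts-noreply@google.com>
To: alice@example.com
Subject: Payment Confirmation
Content-Type: text/plain; charset="utf-8"

Here's a copy of your response.
Invoice number: INV-20230117
Product: Antivirus subscription renewal (1 year)
Amount charged: $349.99
If you believe this is in error, call 1-800-555-0142 within 24 hours.
"""

OTHER_MAIL = """\
From: Payroll <payroll@example.com>
To: alice@example.com
Subject: Your invoice has been paid
Content-Type: text/plain; charset="utf-8"

Invoice 42 was paid on time. No action is needed.
"""


if __name__ == "__main__":
    for label, raw in (("rsvp", BENIGN_RSVP), ("lure", PAYMENT_LURE), ("other", OTHER_MAIL)):
        print(label, classify_forms_receipt(raw))
```

The rule deliberately keys on the sender identity first, because, as the segment notes, nothing about the infrastructure is anomalous: the receipt really does come from Google, passes SPF and DKIM, and would be blocked nowhere. Only the content of the form (invoice wording plus a number to call) separates the lure from a legitimate receipt, so that is what the filter scores, and a "review" verdict is a prompt for the user-education step rather than an automatic block.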
This Week’s Hoodie/Goodie Scale
Cracking the Shell
[Ian]: 2/10 Hoodies
[Tim]: 2/10 Hoodies
It Was a Close BazarCall
[Ian]: 2.5/10 Hoodies
[Tim]: 2.5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!