This does not mean that a CAPTCHA is exempt from any security issue. A report from the security company Cofense reports on a new phishing campaign that, using CAPTCHA boxes, hides a fake Microsoft login page.

According to IT system audit experts, operators of this malicious campaign use CAPTCHA to prevent anti-malware analysis on a system from being performed correctly, so it will not be possible to check if a web page was made to extract visitors’ credentials.

Many companies use Secure Email Gateways (SEG) to scan their incoming emails for malware or indications of other attack variants. The point is that SEG is not sophisticated enough to solve a CAPTCHA and, as this is not a known attack variant, SEG vendors do not have adequate protection.

“SEGs cannot scan the malicious page, only the CAPTCHA code site, which does not contain malicious elements, so the SEG tags it as secure content and allows the user to advance,” the IT system audit experts mention. When the recipient of the email resolves the CAPTCHA challenge, they receive a fake Microsoft login page that will record the login credentials to their company accounts.

Specialists detected that the email address from which the phishing link is sent is an avis.ne.jp email account that has been hijacked by campaign operators. The message is intended to be a notification about a voice mail message; both the phishing page and the CAPTCHA used by the attackers are hosted on Microsoft cloud servers.

These kinds of attacks make it difficult for people or automatic scanners to detect that a page is not legitimate. SEG technology typically focuses on the reputation of the domain from which an email is sent; in this case, because the malware is hosted on a Microsoft cloud server, it is easy for attackers to bypass this protective measure.

Experts in IT system audit from the International Institute of Cyber Security (IICS) say they are concerned about the ability of threat actors to reverse techniques normally used against them to take advantage over their victims. In this case they have taken advantage of the use of CAPTCHA, but they have also been shown to be able to exploit HTTPS encryption, cryptographic signatures and other protective measures to interrupt anti-malware analysis.

The post How CAPTCHA is being used to bypass anti malware security scans and firewalls appeared first on Information Security Newspaper | Hacking News.

• For testing we are using Kali Linux 2019.1 amd64. This tool we are testing on live boot of Kali Linux 2019.1 amd64.

Installation :-

• For cloning type git clone https://github.com/Dionach/PhEmail.git

root@kali:~/Downloads# git clone https://github.com/Dionach/PhEmail.git
 Cloning into 'PhEmail'…
 remote: Enumerating objects: 88, done.
 remote: Total 88 (delta 0), reused 0 (delta 0), pack-reused 88
 Unpacking objects: 100% (88/88), done.

• Type cd PhEmail

root@kali:~/Downloads# cd PhEmail/

• Type ./phemail.py

root@kali:~/Downloads/PhEmail# ./phemail.py
 PHishing EMAIL tool v0.13
 Usage: phemail.py [-e ] [-m ] [-f ] [-r ] [-s ] [-b ]
           -e    emails: File containing list of emails (Default: emails.txt)
           -f    from_address: Source email address displayed in FROM field of the email (Default: Name Surname name_surname@example.com)
           -r    reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname name_surname@example.com)
           -s    subject: Subject of the email (Default: Newsletter)
           -b    body: Body of the email (Default: body.txt)
           -p    pages: Specifies number of results pages searched (Default: 10 pages)
           -v    verbose: Verbose Mode (Default: false)

Usage of Phemail :-

• After starting phemail. You can gather your target email addresses to send malicious email.
• Type ./phemail.py -S google -d example.com -F 1 -p 12
• -S is used to send query on any search engine. We have used google to search for the email addresses of target domain.
• -d is used to gather domain: of email addresses. NOTE: For security of the tested domain we have changed original domain name to example. The above generated list is used in sending malicious email.
• -F is used in format of email addresses. As phemail collects emails from internet using search engine, using this option it will gather email addresses in the form of firstname surname.@example.com
• -p is used to specify no. of mail addresses to be fetch from target domain. Here 12 mail addresses will be fetched.

root@kali:~/Downloads/PhEmail# ./phemail.py -S google -d example.com -F 1 -p 12
 Gathering emails for domain: example.com
 Google Query: example
 ./phemail.py:281: UserWarning: No parser was explicitly specified, so I'm using the best available HTML parser for this system ("lxml"). This usually isn't a problem, but if you run this code on another system, or in a different virtual environment, it may use a different parser and behave differently.
 The code that caused this warning is on line 281 of the file ./phemail.py. To get rid of this warning, pass the additional argument 'features="lxml"' to the BeautifulSoup constructor.
 html = BeautifulSoup(data)
 100%
 agus.kurniawan@example.com
 anders.liliegren@example.com
 andrea.wiseman@example.com
 andrew.cavallaro@example.com
 anna.faoagali@example.com
 antonette.sullivan@example.com
 ashfaq-ahmad.jan@example.com
 ayman-al.maaraf@example.com
 bernadette.oulton@example.com
 bobby-esther.mak@example.com
 carolyn.riley@example.com
 danny.wilson@example.com
 dinesh-varma.indukuri@example.com
 doctor.example@example.com

• For testing we have used temporary mail id. Go to
  https://temp-mail.org/en/
• Add the temporary mail in emails.txt

root@kali:~/Downloads/PhEmail# nano emails.txt
   GNU nano 3.2                                                  emails.txt
 halevedopo@direct-mail.info

• Save file, press Ctrl + X Then press Shift + y & press enter.
• Type nano body.txt to create body of the phishing email. Write text which will display in phishing email.

root@kali:~/Downloads/PhEmail# nano body.txt
   GNU nano 3.2                                                   body.txt
 need to talk right now

• Save file, press Ctrl + X Then press Shift + y & press enter.
• Type ./phemail.py -e emails.txt -f “Name Surname name_surname@example.com” -r “Name Surname name_surname@example.com” -s “Subject” -b body.txt
• -e is used to give list of email ids.
• -f is from_address: Source email address displayed in FROM field of the email.
• -r is reply_address: Actual email address used to send the emails in case that people reply to the email
• -s is used to write subject of email.
• -b is used to write body of email.

root@kali:~/Downloads/PhEmail# ./phemail.py -e emails.txt -f "Name Surname name_surname@example.com" -r "Name Surname name_surname@example.com" -s "Subject" -b body.txt
 Domain: direct-mail.info
 SMTP server: mail.direct-mail.info
 ./phemail.py:115: UserWarning: No parser was explicitly specified, so I'm using the best available HTML parser for this system ("lxml"). This usually isn't a problem, but if you run this code on another system, or in a different virtual environment, it may use a different parser and behave differently.
 The code that caused this warning is on line 115 of the file ./phemail.py. To get rid of this warning, pass the additional argument 'features="lxml"' to the BeautifulSoup constructor.
 html = BeautifulSoup(body)
 Sent to halevedopo@direct-mail.info
 Domain: outlook.com

• Above query has sent the phishing link on target mail address. The same result is shown in ethical hacking classes of international Institute of Cyber Security
• Below is the testing mail box.

• The above mail box has received the mail.

Analyzing Temporary Mail Header :-

• Opening email header of temporary mail, shows same email address in from & reply:to.

Received: from 127.0.0.1
      by node3 (Haraka/2.8.16) with ESMTP id 5055F1D0-04FF-4831-B67F-CC4EA11CFE35.1 
     envelope-from name_surname@example.com; 
     Wed, 24 Apr 2019 11:55:34 +0000 
 Content-Type: multipart/related;  
  boundary="===============1127976200482479669==" 
 MIME-Version: 1.0 
 from: Name Surname name_surname@example.com
 subject: Subject 
 reply-to: Name Surname name_surname@example.com
 to: josotese@emailapps.info 
 
 This is a multi-part message in MIME format.
  --===============1127976200482479669== 
 Content-Type: multipart/alternative;  
   boundary="===============1585715368107923823==" 
 MIME-Version: 1.0 

 --===============1585715368107923823== 
 Content-Type: text/plain; charset="us-ascii" 
 MIME-Version: 1.0 
 Content-Transfer-Encoding: 7bit 

 This is the alternative plain text message. 
 --===============1585715368107923823== 
 Content-Type: text/html; charset="us-ascii" 
 MIME-Version: 1.0 
 Content-Transfer-Encoding: 7bit 
 need to talk right now 
 --===============1585715368107923823==-- 
 --===============1127976200482479669==--  

• Above shows same email id in from & to.

Tracing Email ID :-

• Further we have traced above header using online email tracer. Go to : https://www.iplocation.net/trace-email

• Email tracer has found location from where mail has send.

The post Send fake mail to hack your friends appeared first on Information Security Newspaper | Hacking News.