Tag Archive for: Josh Moulin

The following was originally posted to the blog site of author L.A. Sartor. She and Josh were kind enough to allow me to share this extremely cool bit of knowledge with you. By the way, many of you will remember Josh from his wonderful cybercrime presentations at the Writers’ Police Academy, and from his fascinating articles here on The Graveyard Shift.

So, without further ado, I’ll ask L.A. Sartor to introduce today’s guest blogger …

Author L.A. Sartor


“I’m incredibly honored that Josh Moulin, who was my cyber expert for Forever Yours This New Year’s Night, responded with a “yes” when I asked him to do a series on what is a cyberattack, how to recognize them, and how to protect yourself.

Take it away, Josh.”


In my first blog post, I discussed the cyber kill chain and how hackers move through predictable steps to launch an attack against a target. In that post, I used the example of an author who was targeted because of their controversial writings and whose system was compromised with ransomware. In this second post, I am going to discuss the most common cyberattacks and how computer users can learn to detect potentially malicious activity. While there are many kinds of attacks, I’m going to highlight some of the most common attacks that I see. Additionally, while the technical execution of many of these attacks is different, the methods for detection and prevention are similar if not identical.

Phishing Attacks

The most common way that computers and networks are compromised is through phishing attacks. In my scenario in the first post, the author was tricked into clicking a link within an email that caused the author’s system to reach out to a server and download malicious code. Phishing is a very easy attack to create and is more of a social engineering attack than anything technical.

Sometimes these messages are clearly phishing attacks: the message contains grammatical and spelling errors, it is sent by an organization you never do business with, or it is sent by a prince in Nigeria or the U.K. lottery asking you to claim your winnings. Clever hackers, though, take time in crafting their message, and even if it is blasted to millions of email accounts, all they need is to steal the credit card information of just a few people to make a huge return on their investment.

Below is an actual phishing email that came to me. As you can see, the message looks legitimate and there are no obvious signs of it being malicious. Remember, the rule is to never click any links until and unless you are positive the message is legitimate.

When I hovered over the links within the email, none of them went to the Amazon.com domain. Instead, the links all pointed to hxxp[://]greatdeals.gungh.top/system/9d011840a8b905ba79667fa20d0a0936. This URL has since been taken down as malicious, but had I actually clicked the link when the URL was still active, my system very well may have become infected.

In some cases of phishing, instead of a link to click, the attacker will send a specially crafted attachment. PDFs and Office documents (Word, PowerPoint, Excel, etc.) can be embedded with malicious code, and once a user opens the document the code may be able to execute. This is why in the latest version of Microsoft Office, documents are opened in a safe mode, and in order to edit or print, users must click a button. This safe mode prevents the document from running any macros or other code that may compromise the computer.

If you are ever unsure of a URL or a file, there are several free online resources to help. For instance, URLQuery.net allows you to enter a URL and scan it for malware, complaints, or other warnings. It also tells you the country it is hosted in and gives a screenshot of the website you looked up. Another site, VirusTotal.com, is owned by Google and allows both URLs and files to be scanned for malware. If you receive a file from someone and you want it scanned before you double click it, upload it to VirusTotal to see if it’s malicious first.

Drive-By or Watering Hole Attacks

As organizations and individuals have become more adept at identifying phishing emails, attackers have had to change their modus operandi. One example of this evolution: instead of sending a compromised attachment or a link that directly starts the download of a piece of malware, the email (or Facebook post, or Tweet, etc.) sends the user to a website. The website is most likely legitimate, and the user’s system would not detect anything suspicious at this point because nothing is attempting to download.

In the background, however, the attacker has compromised the website and is hosting malware on the site itself. Once the victim’s browser begins to read the contents of the website, it delivers a payload of malware to the system. This may come in the form of a download where the user is prompted to run something, or it may be a piece of JavaScript that the browser runs automatically, without any user interaction, as soon as it loads the page.

These attacks are called “drive-by” attacks because they can indiscriminately target anyone who browses the site, or watering hole attacks because the malicious code is just sitting on the site, waiting for people to stop by. Some very popular websites, such as CNN and Forbes, have been compromised and embedded with malware, so this kind of attack can be extremely widespread.

How do you spot this attack? Well, this one is tricky, and there is a possibility that nothing on your system will notify you that an attack is taking place. Some more advanced anti-malware software may catch it. Otherwise, strange behavior on your computer (a website crashing, or your computer running slowly with high CPU or memory utilization) or being prompted to download and run something may all be indications of a problem.

Wireless Attacks / Man in the Middle (MiTM) Attacks

While it has long been known that Wi-Fi, Bluetooth, and other wireless technologies are vulnerable to attacks, it is still a common and successful attack because people continue to connect to open access points out of convenience or to save their data consumption. Many people do not configure their home wireless access points correctly either, leaving them vulnerable to attacks by people in the area.

When I was in law enforcement, I remember a case where an Internet Protocol (IP) address was identified as downloading hundreds of images of child sexual abuse. My team wrote a search warrant and executed it, only to find that the home we went to had nothing to do with the crime. Our investigation later revealed that a neighbor about three homes down was a registered sex offender and had been using this neighbor’s Wi-Fi to commit their crimes. It was a huge inconvenience (not to mention a traumatic event) for the people in that home not to have secured their Wi-Fi network, and it all could have been easily prevented by taking some basic security steps.

Beyond securing your personal network, you must be extremely careful about the networks you allow your devices to connect to. If you are connected to an unsecured wireless network (e.g., Starbucks), anything your device transmits or receives that isn’t otherwise encrypted is fair game for anyone else connected to that same wireless network. An open wireless network acts like a hub, meaning that anyone else connected to it can see all the traffic, not just the traffic between their own device and the wireless router. Because of this, I can set up my device on the Starbucks network to listen promiscuously to all traffic and capture it, allowing me to compile it and view anything you typed, downloaded, uploaded, etc., as long as you were doing it unencrypted (http instead of https, for example). If you navigate to a website that is not using encryption, like http[://]yoursite.com, and enter a username and password, I can sniff that out of the air and use it later.

While it is true that more and more sites, especially sites that involve finance or healthcare, use encryption because it’s mandated, there are still many sites that do not. The other danger is that most people reuse passwords. So even if your bank uses encryption (e.g., https[://]yourbank.com) but your favorite news site does not, and you use the same password for both, once I capture the unencrypted username and password and see in your traffic that you navigated to US Bank’s website, I can try that username and password there to see if it works. This is another huge reason to always use multifactor authentication on everything (more on this in the next post).

Another wireless attack is called the Man-in-the-Middle, or MiTM, attack. This kind of attack, which can also be carried out against cellular devices using equipment like the Stingray, can be very dangerous. In this attack, the criminal creates a rogue access point (AP) and advertises it for users to connect to. On one side of the rogue AP are the victim devices, and on the other side is a path to the Internet. This allows the attacker to capture, decrypt, and record all of the traffic between the victim device and the Internet. It also allows the attacker to inject malicious traffic or redirect websites using the Domain Name System (DNS).

To illustrate an MiTM attack, imagine you are seated at the airport and see a variety of wireless APs available to connect to. One has the name of “Free WiFi” and the other says “Free High Speed WiFi.” The “Free WiFi” is the legitimate Internet connection offered by the airport, but the “Free High Speed WiFi” is a malicious AP. An attacker sitting in your general proximity has created an AP using free software on his laptop. As your device scans for open APs it locates the High Speed AP and since anyone would want high speed over standard speed, you click to connect to the high speed AP. Once you click to connect, your device associates itself with the attacker’s laptop.

Now that you are connected to the attacker’s laptop, he essentially owns your device and the communications between your device and the Internet. Since the attacker is routing your traffic through to the Internet, as a user nothing seems out of the ordinary. In fact, the attacker is probably leveraging the airport’s free Wi-Fi to get your device out to the Internet. However, the attacker is now capturing all of the traffic coming into and out of your device and as we have already learned, anything typed in the clear (unencrypted) is recorded by the attacker in plaintext.

The attacker could make things even more interesting by using his laptop as a proxy between your device and the Internet and decrypting the encrypted traffic between your device and wherever you are browsing. Essentially, your device connects to the attacker’s laptop, where he terminates your connection to your bank or Facebook account (or whatever you are navigating to) and decrypts your traffic, then re-encrypts it between his laptop and the destination (we’ll use your bank in this situation). Now the attacker can record even encrypted traffic such as usernames and passwords in plaintext. This attack, however, will cause the user’s device to display an error message that the encryption certificate presented for your bank’s website does not match the bank’s domain name, and will require the user’s interaction to continue. If you’re interested in the technical details of encryption, certificates, etc., send me a note and I’ll be glad to discuss it.

Suffice it to say that if you get an error message about mismatched certificates (as shown below) on any device there is a high likelihood that the certificate has been compromised or you are the victim of a MiTM attack. No matter the reason, if you get this error, stop browsing, try connecting later from a different access point or from your cellular data to see if you get the same error, or contact the institution you are trying to access.

An error message generated by Safari showing there is a problem with the website encryption certificate

The same website visited in Firefox; notice the alert over the padlock

An example of Firefox showing a correctly implemented website encryption certificate

As mentioned above, the attacker can also inject malicious traffic into your session or redirect your computer. For example, if you type google[.]com into your browser, the attacker can create DNS entries that say: if a user types google[.]com, actually send them to duckduckgo[.]com. In an even more sinister scenario, the attacker could create a rule that if you type wellsfargo[.]com, the computer is sent to wellsfargoamerica[.]com, which might be a fake website that looks exactly like the real Wells Fargo site (see Pharming attacks below).

How do you spot this attack? First, don’t connect to free Wi-Fi hotspots. If you absolutely must, then make sure you are using a Virtual Private Network (VPN) connection (either through your employer or one of the VPN services available), which creates an encrypted tunnel between you and the VPN service before you navigate the Internet. Spotting a simple MiTM rogue AP may be nearly impossible. A rogue AP acting as a proxy, however, will produce the browser certificate error messages shown above.
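To show what the browser is actually checking when it raises that certificate warning, here is an added illustration (not code from the post): a small Python model of the three checks a browser applies to a server certificate, run against constructed certificates in the dictionary layout that Python's ssl module returns from getpeercert(). The certificate values, issuer names and .test hostnames are made up for the example; real code should simply use ssl.create_default_context(), which performs these checks itself.

```python
"""Added example: a model of the checks a browser makes on a server's TLS
certificate before showing the padlock.  A rogue AP that proxies HTTPS must
present its own certificate, which fails one of these checks and triggers the
warning described in the post.  Certificates use the dictionary layout that
Python's ssl.SSLSocket.getpeercert() returns; all values are constructed."""
import ssl
import time

# Constructed certificates (not real ones); .test names never resolve.
LEGIT_BANK_CERT = {
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "yourbank.test"), ("DNS", "*.yourbank.test")),
}
# What a MiTM proxy presents: the right names, but signed by its own CA.
PROXY_MINTED_CERT = {
    "issuer": ((("organizationName", "Free High Speed WiFi CA"),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "yourbank.test"), ("DNS", "*.yourbank.test")),
}
# A properly issued certificate, but for a different site (DNS redirection).
WRONG_SITE_CERT = {
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "wellsfargoamerica.test"),),
}
# Stand-in for the browser's root store; real validation walks the whole chain.
TRUSTED_ISSUERS = {"Example Public CA"}


def _issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: exact, or '*' as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire first label, may not sit directly on a
    # TLD, and covers exactly one label (so it never matches a.b.yourbank.test).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_peer(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return the list of problems; an empty list means the padlock would show."""
    problems = []
    if _issuer_org(cert) not in trusted_issuers:
        problems.append("untrusted issuer")
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in san_names):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_BANK_CERT),
                        ("proxy-minted", PROXY_MINTED_CERT),
                        ("wrong site", WRONG_SITE_CERT)):
        print(f"{label:13s} -> {verify_peer(cert, 'www.yourbank.test') or 'OK'}")
```

The proxy-minted certificate carries the correct bank name and still fails, which is why the post's advice to read the warning rather than click through is the right one.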

Pharming and Illegitimate Websites

Pharming, like its sister phishing, is an attack that socially engineers a user. Instead of sending a message out, pharming is more like the watering hole attack: it waits for victims to stop by. Pharming is usually done by an attacker who creates a fake website, makes it look legitimate, and tricks users into visiting the site and entering their sensitive information (like credentials). Take this scenario: an attacker knows that because of a recent disaster, many users will be donating money to the American Red Cross on the legitimate website redcross[.]org. So, the attacker uses a free tool to “scrape” the actual Red Cross website, purchases the domain name redcross[.]info, and then uploads the copy of the real Red Cross website to a server hosted with Amazon Web Services (AWS). The attacker then begins a massive spam campaign asking people to donate, providing the link redcross[.]info, and as people go to that site it looks completely legit, just like the real site. Users begin to donate millions of dollars through the site’s PayPal account, which all goes to the attacker’s bank account.

This kind of attack can also be used by taking advantage of common misspellings or known letter combinations that people may not notice in the URL bar of their browser.

How do you spot this type of attack? This one may be difficult or impossible. Since nothing malicious is actually running on your computer (unless the attacker is combining Pharming with another attack) and you are just entering information into a website, there may be no signs or alerts at all. The best way to prevent this type of attack is by being very careful what you type into the URL address bar of your device, using known good bookmarks instead of relying on searches each time, and if you are given a link to click, make sure it matches the known website. Sometimes if I get a link from someone to follow, instead of clicking the link I will Google the organization and go to it that way, or at least confirm that what was in the link matches what is in Google.
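Both the hover check from the phishing section (links whose real target is not the domain shown) and the lookalike domains described here can be checked mechanically. The following Python script is an added example, not code from the post: it pulls every link out of a constructed sample email and classifies each link's real host against a short list of trusted domains. The sample email, the .test hostnames and the trusted list are all constructed, and the lookalike heuristics (a trusted name hidden as a subdomain, the same name under another TLD, homoglyph swaps such as rn for m, near-miss spelling) are simplified illustrations rather than a complete check.

```python
"""Added example: audit the links in an HTML email the way the post does by
hand (hover and compare), then judge whether each host is the site it claims
to be or a lookalike.  Sample email, trusted list and .test hosts are constructed."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing sample: the visible text says Amazon, but the first two
# hrefs point elsewhere (modelled on the mismatch described in the post).
SAMPLE_EMAIL_HTML = """
<p>Your order has shipped.</p>
<a href="https://www.amazon.com.deals-gungh.test/system/9d0118">View order</a>
<a href="http://arnazon.test/login">Sign in to Amazon</a>
<a href="https://www.amazon.com/gp/css/order-history">Order history</a>
"""
# Known-good registrable domains, e.g. taken from the user's bookmarks.
TRUSTED_DOMAINS = {"amazon.com", "redcross.org", "wellsfargo.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host.  Simplification: multi-label public
    suffixes such as co.uk need a public-suffix list in real code."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def fold_homoglyphs(host):
    """Undo common look-alike substitutions (arnazon, vvells, g00gle, paypa1)."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        host = host.replace(fake, real)
    return host


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    raw = host.lower().rstrip(".")
    if registrable_domain(raw) in trusted:       # amazon.com, www.amazon.com
        return "trusted"
    folded = fold_homoglyphs(raw)
    reg_name = registrable_domain(folded).split(".")[0]
    for good in sorted(trusted):
        good_name = good.split(".")[0]
        if good_name in folded.split(".")[:-2]:  # trusted name hidden as a subdomain
            return "lookalike"
        if good_name in reg_name:                # redcross.info, wellsfargoamerica.com
            return "lookalike"
        if difflib.SequenceMatcher(None, reg_name, good_name).ratio() >= 0.8:
            return "lookalike"                   # one-letter typos such as amazom
    return "unknown"


def audit_links(html):
    """Return [(visible text, real host, verdict)] for every link in the email."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, urlsplit(href).hostname or "",
             classify_host(urlsplit(href).hostname or ""))
            for href, text in parser.links]


if __name__ == "__main__":
    for text, host, verdict in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10s} {host:40s} (shown as: {text})")
```

A verdict of "unknown" is not a pass; it only means the host resembles nothing on the trusted list, so the post's advice to reach the site through a known bookmark still applies.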

In all of these attacks the bottom line is to pay attention, don’t click links that you don’t absolutely trust, actually read error messages that pop up on your screen before just clicking “OK”, don’t connect to public Wi-Fi APs, and make sure the certificate of an encrypted website you are visiting matches the domain name. In the last post of this series I will discuss the preventative strategies you can take to help harden your systems from attack and some proactive steps you can take to reduce the likelihood of being compromised.


About the author:

Josh Moulin serves as a trusted advisor to federal government IT and cybersecurity executives with the world’s leading IT advisory and research firm. Previously, Moulin was the Chief Information Officer for the Nevada National Security Site, part of the U.S. Department of Energy’s Nuclear Weapons Complex and before that spent 11 years in law enforcement including 7 years as the commander of a cybercrimes task force.

Moulin has a Master’s Degree in Information Security and Assurance and has over a dozen certifications in law enforcement, digital forensics, and cybersecurity including as a Certified Ethical Hacker. For more information, visit JoshMoulin.com or connect with him on LinkedIn or Twitter.


L.A. Sartor

If you love stories filled with suspense, adventure, fighting against all odds and winning love, then please click here to visit the website of author L.A. Sartor. You’ll be glad you did!


Cyberattacks and data breaches are unfortunately commonplace in the daily news cycle. Many of us have had our personal, healthcare, and financial data breached so many times that we are used to receiving letters notifying us of unauthorized disclosures or getting signed up for yet another credit monitoring service. Cybercrime is out of control, and the most infuriating part is that most of the attacks are not sophisticated and do not require an expert hacker. Indeed, most of the successful attacks use the same modus operandi that they have for a decade.

The fact that the majority of attacks are not sophisticated is as troublesome as it is helpful. Since we know what most attackers do, identifying and preventing these attacks is easier. Individuals and small to medium businesses often assume (incorrectly) that if the United States Federal Government or massive corporations such as Home Depot, Anthem, Yahoo!, Target, and Equifax, which spend millions of dollars each year on cybersecurity, can’t keep hackers out, then there is no possible way they can defend themselves.

It is true that many cyberattacks are easily preventable and only effective because mistakes have been made which create vulnerabilities. However, it is also true that this world has nation-state military units and sophisticated hackers which target government agencies, universities, corporations, and high-value individuals. When a skilled attacker has set their sights on a victim and has the means, opportunity, and intent to launch a cyberattack against that victim, these attacks may use techniques, tactics, and procedures that are highly complex and extremely difficult to detect. For the purposes of this article, I am not discussing these advanced attacks.

In this first blog post of a three-part series, I am going to focus on the cyberattack kill chain and lay the foundation for how cyberattacks happen. The focus audience of this post is individuals who are trying to protect their personal devices and data from cyberattacks. The next blog post will discuss the most common attacks and how to spot them, and finally I will discuss preventative strategies that people can take including security software, configurations, and backup strategies.

Cyberattack Kill Chain

Each cyberattack goes through a series of steps to accomplish its mission. Depending on the target, mission objectives, and abilities of the attacker, this kill chain may happen very quickly or may take months to years to accomplish. Sometimes an attack is intended simply to disrupt a business competitor or political adversary. Attacks like this are generally carried out through Distributed Denial of Service (DDoS) attacks or website defacement. Other attacks are performed with the intent of gaining intelligence about a competitor or government agency, and yet others are to steal intellectual property, harass someone, or to support a political ideology (hacktivism).

The attack kill chain consists of the following steps:

1. The target is defined: This may simply be a target of opportunity (e.g., a person in close proximity to a hacker who has a vulnerable mobile device) or could be targeted due to the person’s position, the value of their data, etc.

2. Reconnaissance: The attacker begins to research the target. What information is available via public open source intelligence (OSINT) such as Facebook, LinkedIn, Google, public databases, etc.? What IP addresses are assigned to the target, what operating systems do they use, and are there any known vulnerabilities for the target’s Internet connected systems?

3. Weaponization: The attacker develops their weaponized attack, which is generally malware (malicious software) such as a Trojan horse, virus, ransomware, worm, etc., or may utilize a previously unpublished exploit known as a zero-day (0-day). The weapon must be able to exploit a vulnerability, which is what the attacker discovers during the recon stage.

4. Delivery: The attacker delivers the payload to the victim. This may be done in a variety of ways such as via an email attachment or embedded link (phishing), through a chat session, uploading a file to a server on the Internet, compromising a website and then sending the victim to the compromised website (also called drive-by attacks), or several other methods.

5. Exploitation: Once the payload has been delivered, the malicious code must execute to exploit the system. Malicious code can be executed by the attacker, by the system itself, or frequently by a user who clicks something and executes the malware.

6. Installation: After the vulnerability is exploited the malware is installed on the system. Most attackers want one thing: persistence. They want to get on a system and stay on a system, having the ability to do internal recon now that they are inside the network and laterally move to other systems to stay within the network and spread their attack. Some advanced malware only lives in RAM and never actually “installs” on a hard drive, making post-mortem examinations of systems difficult.

7. Command & Control: Once the malware is installed it generally opens up the system to receive commands from the attacker (known as Command & Control, or C2). Malware may “phone home” occasionally asking for any new commands from the C2, which may tell the malware to perform functions such as copy and send data from the computer to the attacker’s system, activate the system’s webcam, or any number of other things.

8. Exfiltration: Generally the main goal, this is the step where the attacker gets access to data and begins sending (exfiltrating) the data from the system to the attacker.

Source ~ Event Tracker

There are several ways to make yourself less susceptible to a cyberattack, such as reducing the attack surface, target hardening, and learning how to identify potentially dangerous situations online or in emails.

A Practical Scenario

An author is putting the finishing touches on their latest work in preparation for sending it off for review. This author is somewhat controversial, and critics anticipating the release of the new book are posting negative comments all across the Internet. A hacker decides to make a statement by attempting to hack this author’s computer, disrupt the author’s ability to publish the book, and steal a copy of the book before it is released. Step 1, target acquisition, is complete.

The hacker begins by finding out as much as possible about the author through social media, Internet posts, interviews, and any other source of OSINT. The hacker is able to determine through social media that the author has a daughter in the fourth grade, and because of geotagged photos posted of the author’s daughter, the hacker determines what school the daughter attends. The hacker now downloads the logo of the elementary school as well as an offline copy of the school’s website. Step 2, reconnaissance, is complete.

The hacker obtains a variant of ransomware from a hacker website and places the malicious code on a server controlled by the hacker and sitting inside of Amazon Web Services (AWS). The malicious code is just waiting to be downloaded and executed by anyone who visits the server. Step 3, weaponization, is complete.

Next, the hacker drafts an email using the same logo, colors, and “look and feel” as the elementary school’s website. The hacker addresses the email to the author’s email address (which was obtained via Google) and sends it to the author during school hours, claiming that there has been an active shooter incident at the school. Included in the email is a link that tells the author to click for further details.

As any parent would, the author clicks the link in the email. When the author clicks the link, they are directed to a webpage that looks exactly like the school’s site. They receive some bothersome pop-up that they don’t read because they are terrified about their child’s safety, and just click “ok” to close the window and see what is going on at the school. In reality, when the author clicked the link they navigated to a fake site hosted by the attacker, and their computer downloaded the ransomware code. When the code attempted to execute, a pop-up appeared asking for administrative privileges to execute the code. When the author clicked “ok” they executed the ransomware on their computer. Steps 4, 5, and 6 (delivery, exploitation, and installation) are complete.

The ransomware on the author’s computer immediately begins encrypting data on the hard drive, searches the drive for any .doc or .docx files, compresses them, and exfiltrates them to the attacker’s C2 server located in AWS. The author has now lost their latest manuscript and cannot access any files on their computer due to the ransomware encryption. Steps 7 and 8 (C2 and exfiltration) are complete.

This scenario is exactly the kind of targeted social engineering attack that occurs on a daily basis and is extremely easy to perpetrate. In future blog posts I will discuss how to recognize attacks and how to harden your systems to try and prevent malicious activity.

