Attack Techniques: QR Codes

As outlined in earlier posts in this series, attackers know that security software can detect their phishing lures and block users from even seeing the lure if it contains a known-phishing URL. For example, both Windows Live and Gmail block email that is believed to contain phishing links. If your enterprise uses Microsoft Defender for Office, or you subscribe to Microsoft 365 Family, all inbound hyperlinks through Microsoft email services are rewritten to navigate through the “SafeLinks” service that performs another real-time check for malicious URLs whenever a user clicks on them.

To avoid security software, attackers try to hide URLs, using techniques like asking the user to retype a URL from an image or placing the link inside a password-protected PDF document, or they avoid URLs entirely by asking the user to call a phone number or send a reply email containing sensitive information.

Another technique is to send the user a QR Code. A QR Code is simply a picture that can be converted into a URL using the camera app on our now-ubiquitous mobile phones.

This QR Code points to a blog post

Users are increasingly accustomed to using QR Codes for legitimate purposes, so their use in attack scenarios won’t stand out as much as it once would have.

How does this URL-obfuscation technique benefit an attacker over a plain hyperlink?

  • Mail software can’t rewrite QR codes, so features like Microsoft SafeLinks won’t apply.
  • The use of a QR Code allows an attacker to cause the attack flow to move from a well-protected desktop to a less-protected mobile device.

    For example, users might be using a mobile web browser with weaker real-time anti-phishing reputation services than the browser on their desktop.

    That mobile browser may not be configured to proxy traffic through a secure proxy.

    Similarly, a user’s personal device might not include a password manager, making the attacker’s request for manually-typed credentials more plausible.

Someone recently tried to phish a Microsoft CTO via this approach:

Here’s a news article about a recent attack using the QR Code vector.

Update: In December 2023, the Microsoft Defender for Office 365 team outlined some of their protections against QR code phishing.

Stay safe out there — treat any QR codes received via SMS or email with extra caution. Carefully examine the URL in any preview your camera app offers, and check the browser’s address bar to see the final URL: open redirectors are common, so the preview URL may be misleading.

-Eric

Enforcing SmartScreen with Policy

Microsoft Defender SmartScreen provides protection against the most common forms of attack: phishing and malware. SmartScreen support is built into Microsoft Edge and the Windows 8+ shell. The SmartScreen web service also powers the Microsoft Defender Browser Protection extension for Chromium-derived browsers.

While SmartScreen provides powerful controls to block attacks, the user remains in full control. SmartScreen will block Edge browsers from visiting a known-phishing site, but there’s a “Continue to this unsafe site (not recommended)” link available to override the decision:

Similarly, if a known malicious file is blocked from download in Edge, the user may use the Keep menu command to override the blocking decision:

When a known bad file is downloaded using another browser without SmartScreen built-in (e.g. Chrome), attempting to run the file via Windows Explorer will trigger a SmartScreen AppRep prompt that also includes a hidden-by-default option to run anyway:

Why Allow Overrides at all?

Digital security is an adversarial threat environment where the threats evolve rapidly in response to protection.

Threat intelligence will inherently always include both false positives and false negatives – they will never go to zero for any real threat intelligence source.

As a consequence, products that utilize threat intelligence typically offer a mechanism for an override, either from an expert (e.g. an analyst in a Security Operations Center) or an end-user (e.g. a Windows Home user).

Most product features default to allowing an end-user to override blocks (with varying levels of warning about the danger) while providing IT administrators the option to disable that user override.

Controls

But what if you’re a tech-savvy parent, child, or IT administrator who doesn’t want a less-savvy user you’re responsible for protecting to override the security protections of SmartScreen?

Here’s where Group Policy comes in. SmartScreen allows you to remove these dangerous override options.

Policies can be set using various administrative tools, but these ultimately flow through to a handful of registry settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000001
"ShellSmartScreenLevel"="Block"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"SmartScreenPuaEnabled"=dword:00000001
"SmartScreenEnabled"=dword:00000001
"PreventSmartScreenPromptOverrideForFiles"=dword:00000001
"PreventSmartScreenPromptOverride"=dword:00000001

The Edge SmartScreen policies concern behavior in the Edge web browser; the Windows System (Explorer) SmartScreen policies concern SmartScreen Application Reputation.
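Setting the keys is only half the job; it is worth verifying that a machine actually carries the intended values before assuming the “do it anyway” commands are gone. The following PowerShell is an added example, not code from the original post: it audits (and optionally writes) exactly the key paths and value names listed above. The function names and the hashtable layout are my own.

```powershell
# Added example: audit the SmartScreen policy values quoted in the post.
# Key paths and value names come from the .reg listing above; everything else is constructed here.
$ExpectedPolicies = @(
    # Windows shell / Application Reputation policies
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen';     Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'ShellSmartScreenLevel'; Value = 'Block' }
    # Microsoft Edge browser policies
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'SmartScreenEnabled';                       Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'SmartScreenPuaEnabled';                    Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'PreventSmartScreenPromptOverride';         Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'PreventSmartScreenPromptOverrideForFiles'; Value = 1 }
)

function Test-SmartScreenPolicy {
    # Emits one row per expected value with the actual value and a Compliant flag.
    param([hashtable[]]$Policies = $ExpectedPolicies)
    foreach ($p in $Policies) {
        # Get-ItemProperty throws if the key or the value is missing; treat that as "not set".
        $actual = try { (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction Stop).($p.Name) } catch { $null }
        [pscustomobject]@{
            Key       = $p.Path
            Name      = $p.Name
            Expected  = $p.Value
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            # String comparison covers both the DWORD values and the REG_SZ 'Block' level.
            Compliant = ("$actual" -eq "$($p.Value)")
        }
    }
}

function Set-SmartScreenPolicy {
    # Writes the expected values. Needs an elevated prompt because the keys live under HKLM.
    param([hashtable[]]$Policies = $ExpectedPolicies)
    foreach ($p in $Policies) {
        if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        $type = if ($p.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType $type -Force | Out-Null
    }
}

# Audit only by default; uncomment the next line to enforce the values.
# Set-SmartScreenPolicy
Test-SmartScreenPolicy | Format-Table -AutoSize
```

Any row with Compliant = False means the corresponding override is still available to the user on that machine.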

After these policies are set, the software’s dangerous “do it anyway” commands are removed entirely.

The Edge block page loses the “Continue” link:

When downloading malicious or unrecognized programs, the “Keep” command is disabled:

Within the Windows Shell, the “Run anyway” link or button is removed from the dialog when invoking malicious or unrecognized files downloaded via other browsers:

Pairing the powerful protections of SmartScreen with policies that ensure that only experts are in control helps you keep everyone safe.

-Eric

Note: The Chrome extension unfortunately cannot read Windows policies, so if you want to enforce its protections, you’ll need to set other registry keys.

Note: If you’re using Windows Defender Network Protection, you must use a different policy, set via Intune or Set-MpPreference EnableConvertWarnToBlock, to prevent Chrome/Firefox users from bypassing phish/malware warnings.

Note: Perhaps surprisingly, if you have Windows Defender Application Control enabled and set to use the “Signed and Reputable mode”, the Intelligent Security Graph (ISG) clause means that SmartScreen AppRep is consulted.

Critically, however, if AppRep returns “Unknown”, the user will be prompted via the blue “Windows Protected your PC” dialog. If the user chooses to “Run anyway”, the “unknown” file is treated as trusted. This may not be what you want; if you don’t, you can either choose a different configuration, or use the SmartScreen policies to remove the “Run anyway” options.

Note: Apps built atop the WebView2 control (a hosted Microsoft Edge) have an additional option to disable SmartScreen via the IsReputationCheckingRequired property; setting that property to false will bypass reputation checks even if SmartScreen is otherwise set to enabled for Edge/Store apps.

Attack Techniques: SMS Gift Card Scams

Last week, I had the chance to fly to Redmond to meet my new teammates on the Protection team in Microsoft Defender. I also had the chance to catch up with a few old friends from the Edge team, one of whom I met for coffee on Friday morning.

As we sat down with our coffee, she received a text from the CEO of the small startup where she now works, requesting that she go to a Target or Apple Store to grab some gift cards for a partner they were working with. While she’s got a job in senior management, at startups, everyone pitches in to help out with any task.

“I don’t have time for this right now…” she mused, and I, a smug security smarty-pants, was excited to note, “Well, that, and it’s a scam.”

I immediately recognized the true nature of the situation for two reasons: first, it wasn’t my CEO with a time-sensitive request, and second, another friend had been targeted by exactly the same scam. She’d received an SMS text message “signed” by her CEO, asking that she go buy some Google Play gift cards and respond with the codes:

Mark’s organization was large enough that the request was more obviously unnatural, and she’s always on guard for scammers, having grown up in a variety of scam-rich environments.

The attacker in this case only needs a few things: the name of a senior leader with budget approval, names of target employees, their phone numbers, and a throwaway account from which to send the lure. Sometimes this recon information is sourced from data breaches, and sometimes it can be determined from employment sites and other public sources.

The attacker can blast out text messages to dozens or hundreds of potential victims at once. While any given attack is only likely to yield hundreds of dollars, it’s a low-investment attack for the bad guys. Like similar attacks via our phones, these attacks evade URL reputation security scanners. Better still, attackers don’t have to find a way to convert credentials into money — they get the gift card codes, which they can immediately either convert into merchandise or sell to unsuspecting buyers.

Why bother with an attack like this?

Because the scam works, even against very smart people — it’s not a question of intelligence. Attackers follow the well-trod social engineering path:

  • create a sense of urgency,
  • abuse our desire to be useful to our bosses,
  • subvert the trust we’ve built with our colleagues, and
  • exploit our limited ability to authenticate the source of our communications.

Stay safe out there!

-Eric

Kilimanjaro – Getting There

My kids and I flew from Austin to Maryland on Friday, June 23rd, and spent a day getting them settled in with their grandparents as I finished collecting a few last-minute essentials for the adventure. My brother and I had a few last-minute conversations about gear (“How many rolls of TP should we bring? Do I have room for this LED lantern?“) and got excited as the hours ticked away.

The evening of Sunday, June 25th, our transatlantic flight to Amsterdam was set to depart from Dulles Airport (IAD) near Washington D.C. We were delighted to discover that Dulles was nearly empty, managing to clear check-in and security in under 30 minutes. Since we’d arrived at the airport almost three hours early, we had plenty of time to grab a coffee at Peet’s, chat, and look at our ride:

We boarded our Airbus A330 around 5pm. We’d paid for an upgrade to “Comfort Plus” seats, so we were in the front row of the economy section with a few feet of legroom between us and the bulkhead.

Shortly before takeoff, we got the good news that favorable winds would shorten our flight time by almost an hour, but moments later the pilot came on to announce that we’d have to wait on the runway because all takeoffs were paused due to problems with communication between air traffic control and planes. He mentioned that the plan was to send one plane up to check communications and if that went well, the airport would reopen.

Not long after that, he announced that we were first in line for takeoff and I wondered “Wait, are we the guinea pigs?” An hour and nine minutes after leaving the gate, we took off uneventfully at 6:40pm and were finally on our way.

While I’d planned to watch a bunch of movies and TV on the flight, I instead mostly ended up reading Longitude, a book about the race to find a reliable means for sailors to determine their longitude while crossing the ocean throughout the 15th and 16th centuries. I periodically looked up from my book to the GPS-powered flight display showing our progress over the sea, a feat made possible by hundreds of years of scientific ingenuity.

As an international flight, we got a pretty nice dinner:

Thanks to six hours of timezone difference, our delayed 8 hour 9 minute flight arrived in Amsterdam at 7:40am on Monday morning. After a layover of a few hours, we switched over to a 787 for the 8 hour 42 minute flight to Kilimanjaro Airport (JRO), taking off at 10:38am.

Our seats weren’t quite as nice on this second flight, but by this time I was a bit of a zombie. I finished reading my book and zoned out in a half-awake state.

Our flight path seemed strangely indirect, until we noticed that the plane was carefully avoiding flying over Sudan, whose airspace had been closed since a coup in April.

Unfortunately, our arrival was 90 minutes after sundown, so we didn’t get even a tantalizing glimpse of Kilimanjaro, beyond what we saw on the map screen:

After having boarded the A330 around 5pm Sunday night Virginia time, we finally disembarked from our 787 around 20:15 Kilimanjaro time.

It took almost an hour to clear immigration, collect our duffel bags (which had arrived, thankfully!), and wait for a shuttle bus to the hotel. While we waited, I was amused to listen in on a large group of teenagers who’d all arrived for a trip together, sans parents, as a part of some sort of adventuring group.

A bumpy ten minute ride on the packed shuttle from the airport brought us to our hotel (Planet Lodge), ending the first major part of our journey.

Shortly after checking in, we were shown to our room, which took up half of a duplex on the enclosed grounds. While they were there for a practical reason, to a westerner the mosquito nets would’ve lent the room a romantic feel had it not been my brother in the next bed. :)

I felt both super-sleepy and somewhat energized, but after unpacking a little, scribbling a bit in my journal and brushing my teeth (remembering to use bottled water!), we hit the beds and tried to get some shut-eye in a time zone seven hours from US EDT.

My journal entry concludes: For now, sleep. Tomorrow… adventure!


Kilimanjaro – Journal

Following two previously-posted entries:

…this is an index post with links to the day-by-day journal of my Kilimanjaro trip.

From Gadget’s GPS Tracker. We head East, round the crater, summit, then descend.

I’ve split the posts up by day because the idea of summarizing the entire trip in a single post feels like an endeavor as overwhelming as the trek itself.

Coda: I started publishing these posts on July 27th and finally finished writing on Labor Day weekend, 58 days after reaching Kilimanjaro’s summit. I imagine I’ll be tweaking them for the next few weeks, and I probably need to write some sort of concluding post summarizing what I’ve learned from this adventure and what I hope to do next. But first I have to figure all of that out. :)

Update: I never did get around to writing a concluding post, and instead ended up signing up for another adventure. I’ll be ending 2025 atop Kilimanjaro, trekking Thomson’s Grand Traverse route with a friend. I’m excited to have a reason to get back in shape, and looking forward to seeing the north side of the mountain. Hopefully I’ll pack a little wiser this time and be warm enough to not huddle in my tent quite as much. :)

Thomson’s Grand Traverse Route