Making The Switch To Encrypted Emails

This past February a US judge ordered Microsoft, an American based tech company, to honor the search warrants of American law enforcement agencies requiring the company to hand over any/all data, emails and the like which the company stores on servers located overseas. The ruling came in direct contradiction to a previous ruling from a Federal Appeals Court in August of 2016, which upheld a US Circuit court ruling from July 2016, prohibiting the US Government from seizing data stored on servers located outside of US borders.

The principle behind this case is very simple to understand, does the United States Government have the right to demand foreign businesses located outside of the United States hand over their records to the United States Government if that company happens to do business with a US citizen? In other words, are foreign nations forced to abide by US law and comply with all US based legal requests? Well, according to the most recent ruling, as of February 2017, at least as far as US courts are concerned, the answer is “yes.

What Other “Authority” Does The US Government Have?

Let’s use the world’s most popular email service provider as a quick example – Gmail. Quite literally, everything you do on your Gmail account is accessible by Google at any given moment in time. After-all, you are using their service. If the US Government ever wants to see your account or any of the information on it, then all they have to do is pull up the file of a generic document, insert your name on top of it, print it out and just like that they magically have a “subpoena” to obtain all of your information from Google.

Despite how simple of a process this is, it is all groundbreaking stuff too. Believe it or not, it was not until May 2016 that the US government even needed to get a warrant or legal document of any kind to search through all of your personal emails. Don’t believe me?

Read More – Email Privacy Act of 2016: https://www.congress.gov/bill/114th-congress/house-bill/699

For you international folk out there, the news isn’t much better. You see, the US Government has its own private court known as a FISC court which, historically speaking, blindly grants “99.96%” of all warrant request brought in front of it – but who’s counting, right?

With that out of the way, all of the information above only goes to show how easy it is for the US Governments to go about obtaining all your data “legally.” But as I think we are all aware by now, agencies like the NSA or CIA do not necessarily care about US law and have the very real authority to act outside of it – #PatriotAct. To be fair, this does not necessarily mean that someone working for the US Government is literally watching/reading every single email you write every minute of the day, but they theoretically could be if/whenever they wanted to.

To that very point, early in 2016 Google came out with a press release addressing how “state-sponsored hackers” had breached over 1 million Gmail accounts over the course of that year. This was also not an isolated incident and it’s not just Google which has been targeted by these types of breaches. Literally hundreds of millions of Yahoo and Hotmail accounts have also been exposed over the years.

Read More – 3 Billion Yahoo User Accounts Hacked, Including 500 Million Email Addresses: http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html

So far I have only addressed how easy it is for the US Government and/or law enforcement agencies to access all of your personal accounts/information, this does not even account for all of the non-Government organizations or hackers out there or oppressive regimes located in countries all over the world. In fact, I am willing to bet that at least 95% of all hackers worldwide are non-Government affiliated. Moreover, Hillary Clinton, the DNC, CIA, John Brennan and John Podesta should all serve as evidence for just how easy it can be for hackers to compromise anyone’s email account if they really want to – even some of the most powerful people in society.

Quite frankly, there is a reason why politicians and members of the Armed Forces are told never to use their own personal or private email accounts, because none of these services are properly protected or encrypted! While members of the Government and Armed Forces use their own private versions of encrypted email services which are NOT open or available to the public sector, thankfully, there are a number of free and paid email encryption services out there open to the general public.

For Example:

Mailfence

Mailfence is a relatively new company globally, but one which I have already placed at the top of all encrypted email service providers. Mailfence operates their servers out of Belgium, a country internationally renown for having some of the strongest and most resolute privacy laws in the world. Unlike the United States, every surveillance request or request for information inside Belgium, including on Mailfence’s servers, must be legally brought in front of a Belgium judge and proven in court as legitimate. In this way Belgium protects user data and business confidentiality in a way that no other country in the world does.

Sign Up/Create an Account Here: https://mailfence.com

ProtonMail

This email service provider offers free end to end encryption and hosts its servers in Switzerland, outside of US jurisdiction – theoretically. When signing up, at no point in time are you asked for any personal information and you do not need to attach any other emails account or phone numbers in order to register. This service also utilizes 2-factor authentication to log in, preventing hacking attempts. ProtonMail has also partnered with humanitarian organizations around the world, such as Amnesty International, in order to help fight back against Government surveillance and cyber censorship in developing countries around the world.

On a lighter note, if you are a fan of the Television drama “Mr. Robot” this is Elliot’s email provider of choice on the show.

Sign Up/Create an Account Here: https://protonmail.com/

Tutanota

This is another free encrypted email service that has become quite popular in recent times. In fact, earlier in 2016 Tutanota officially surpassed 1 million accounts – becoming the world’s largest encrypted email service provider. In 2017, Tutanota then went on to surpass 2 million accounts, furthering the countries rock solid reputation as an industry leader.

What makes Tutanota unique is that the company makes their source code “open source,” meaning that security researches investigate for themselves the level of encryption they are receiving. For all you n00bs out there, making your source code public record and still not having it hacked proves just how good the code really is.

Sign Up/Create an Account Here: https://tutanota.com/

Amnesty Investigation – State Sponsored Hackers Launching Massive Hacking Operations Across Middle East & North Africa

(AI)

Summary

  • We have identified several campaigns of credentials phishing, likely operated by the same attackers, targeting hundreds of individuals spread across the Middle East and North Africa.
  • In one campaign, the attackers were particularly going after accounts on popular self-described “secure email” services, such as Tutanota and ProtonMail.
  • In another campaign, the attackers have been targeting hundreds of Google and Yahoo accounts, successfully bypassing common forms of two-factor authentication.

Introduction

From the arsenal of tools and tactics used for targeted surveillance, phishing remains one of the most common and insidious form of attack affecting civil society around the world. More and more Human Rights Defenders (HRDs) have become aware of these threats. Many have taken steps to increase their resilience to such tactics. These often include using more secure, privacy-respecting email providers, or enabling two-factor authentication on their online accounts.

However, attackers too learn and adapt in how they target HRDs. This report documents two phishing campaigns that Amnesty International believes are being carried out by the same attacker (or attackers) likely originating from amongst the Gulf countries. These broad campaigns have targeted hundreds, if not a thousand, HRDs, journalists, political actors and others in many countries throughout the Middle East and North Africa region.

What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets. The first campaign, for example, utilizes especially well-crafted fake websites meant to imitate well-known “secure email” providers. Even more worryingly, the second demonstrates how attackers can easily defeat some forms of two-factor authentication to steal credentials, and obtain and maintain access to victims’ accounts. As a matter of fact, Amnesty Tech’s continuous monitoring and investigations into campaigns of targeted surveillance against HRDs suggest that many attacker groups are developing this capability.

Taken together, these campaigns are a reminder that phishing is a pressing threat and that more awareness and clarity over appropriate countermeasures needs to be available to human rights defenders.

Phishing Sites Imitating “Secure Email” Providers

Amnesty International has identified several well-crafted phishing sites for the popular email services Tutanota and ProtonMail. The providers are marketed as “secure email” solutions and have consequently gained some traction among activists.

These sites contain several elements that make them especially difficult for targets to identify as fakes. For instance, the attackers managed to obtain the domain tutanota.org and used it to almost completely replicate the original website for the Tutanota service, which is actually located at tutanota.com.

No automatic alt text available.

Many users rightfully expect that online services control the primary .com.org and .net domain variants of their brand. If an attacker manages to acquire one of these variants they have a rare opportunity to make the fake website appear significantly more realistic. These fake sites also use transport encryption (represented by the https:// prefix, as opposed to the classic, unencrypted, http://). This enables the well-recognized padlock on the left side of the browser’s address bar, which users have over the years been often taught to look for when attempting to discern between legitimate and malicious sites. These elements, together with an almost indistinguishable clone of the original website, made this a very credible phishing site that would be difficult to identify even for the more tech-savvy targets.

If a victim were tricked into performing a login to this phishing site, their credentials would be stored and a valid login procedure would be then initiated with the original Tutanota site, giving the target no indication that anything suspicious had occurred.

No automatic alt text available.

Because of how remarkably deceptive this phishing site was, we contacted Tutanota’s staff, informed them about the ongoing phishing attack, and they quickly proceeded to request the shutdown of the malicious infrastructure.

These same attackers were also operating a ProtonMail phishing website (another popular email service marketed as secure) located at protonemail.ch, where the additional letter “e” is all that distinguishes this well-built replica from the original valid website protonmail.ch.

No automatic alt text available.

No automatic alt text available.

Widespread Phishing of Google and Yahoo Users

Throughout 2017 and 2018, human rights defenders and journalists from the Middle East and North Africa region have been sharing with us suspicious emails they have been receiving. Investigating these emails, we identified a large and long-running campaign of targeted phishing attacks that has targeted hundreds, and likely over one thousand people overall. Most of the targets seemingly originating from the United Arab Emirates, Yemen, Egypt and Palestine.

It is worth noting that we found this campaign to be directly connected to some attacks included in section 2.4.2 of a technical report by UC Berkeley researcher Bill Marczak, in which he suggests various overlaps with other campaigns of targeted surveillance specifically targeting dissidents in the UAE.

Our investigation leads us to additionally conclude that this campaign likely originates with the same attacker – or attackers – who cloned the Tutanota and ProtonMail sites in the previous section. As in the previous campaign, this targeted phishing campaign employs very well-designed clones of the commercial sites it impersonates: Google and Yahoo. Unlike that campaign, however, this targeted phishing campaign is also designed to defeat the most common forms of two-factor authentication that targets might use to secure their accounts.

Lastly, we have identified and are currently investigating a series of malware attacks that appear to be tied to these phishing campaigns. This will be the subject of a forthcoming report.

Fake Security Alerts Work

In other campaigns, for example in our Operation Kingphish report, we have seen attackers create well developed online personas in order to gain the trust of their targets, and later use more crafty phishing emails that appeared to be invites to edit documents on Google Drive or participating in Google Hangout calls.

In this case, we have observed less sophisticated social engineering tricks. Most often this attacker made use of the common “security alert” scheme, which involves falsely alarming the targets with some fake notification of a potential account compromise. This approach exploits their fear and instills a sense of urgency in order to solicit a login with the pretense of immediately needing to change their password in order to secure their account. With HRDs having to be constantly on the alert for their personal and digital security, this social engineering scheme can be remarkably convincing.

The following is one example of a phishing email sent by this attacker.

No automatic alt text available.

No automatic alt text available.

Clicking on the links and buttons contained in these malicious emails would take the victim to a well-crafted and convincing Google phishing website. These attackers often and regularly create new sites and rotate their infrastructure in order to avoid detection and reduce the damage of unexpected shutdowns by domain registrars and hosting providers. You can find at the bottom of this report a list of all the malicious domains we have identified.

Image may contain: text

No automatic alt text available.

How Does the Phishing Attack Work?

In order to verify the functioning of the phishing pages we identified, we decided to create a disposable Google account. We selected one of the phishing emails that was shared with us, which pretended to be a security alert from Google, falsely alerting the victim of suspicious login activity, and soliciting them to change the password to their account.

The first step was to visit the phishing page.

No automatic alt text available.

When we logged into the phishing page, we were redirected to another page where we were alerted that we had been sent a 2-Step Verification code (another term for two-factor authentication) via SMS to the phone number we used to register the account, consisting of six digits.

No automatic alt text available.

Sure enough, our configured phone number did receive an SMS message containing a valid Googleverification code. After we entered our credentials and the 2-Step Verification code into the phishing page, we were then presented with a form asking us to reset the password for our account.

No automatic alt text available.

To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is.

After checking the security events on our disposable Google account, we noticed that a password change was in fact issued by Windows computer operated by the attackers, seemingly connecting from an IP address that Google geolocates within the USA.

No automatic alt text available.

(The IP address used by the attackers to automatically authenticate and modify our Google account, 196.19.3.66, is actually an unauthenticated Squid HTTP proxy. The attackers can use open proxies to obscure the location of their phishing server.)

The purpose of taking this additional step is most likely just to fulfill the promise of the social engineering bait and therefore to not raise any suspicion on the part of the victim.

After following this one last step, we were then redirected to an actual Google page. In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account. The phishing attack is now successfully completed.

Similarly, we created a new Yahoo account and configured two-factor authentication using the available phone verification as visible in the account settings:

No automatic alt text available.

Image may contain: text

No automatic alt text available.

Challenges in Securing Online Accounts

Finding a secure way to authenticate users is a very difficult technical issue, although some progress has been made over the years that has raised the bar of difficulty for attackers attempting to compromise accounts at scale.

Two-factor authentication has become a de-facto standard that is almost always recommended as a required step for securing online accounts. With two-factor authentication procedures enabled, users are required to provide a secondary form of verification that normally comes in the form of a numerical token that is either sent via SMS or through a dedicated app to be installed on their phone. These tokens are short-lived, and normally expire after 30 seconds. In other cases, like that of Yahoo, the user is required instead to manually allow an ongoing authentication attempt by tapping a button on their phone.

Why is this useful? Requiring a secondary form of authentication prevents some scenarios in which an attacker might have obtained access to your credentials. While this can most commonly happen with some unsophisticated phishing attempts, it is also a useful mitigation to password reuse. You should definitely configure your online accounts to use different passwords (and ideally use a password manager), but in the case you reuse – accidentally or otherwise – a password which was stolen (for example through the numerous data breaches occurring all the time) having two-factor authentication enabled will most likely mitigate against casual attackers trying to reuse the same password on as many other online accounts as possible.

Generally, there are three forms of two-factor authentication that online services provide:

  • Software token: this is the most common form, and consists in asking the user to enter in the login form a token (usually composed of six digits, sometimes it includes letters) that is sent to them either via SMS or through a dedicated app the user configured at the time of registration.
  • Software push notification: the user receives a notification on the phone through an app that was installed at the time of registration. This app alerts the user that a login attempt is being made and the user can approve it or block it.
  • Hardware security keys: this is a more recent form of two-factor authentication that requires the user to physically insert a special USB key into the computer in order to log into the given website.

While two-factor push notifications often provide some additional information that might be useful to raise your suspicion (for example, the country of origin of the client attempting to authenticate being different from yours), most software-based methods fall short when the attacker is sophisticated enough to employ some level of automation.

As we saw with the campaigns described in this report, if a victim is tricked into providing the username and password to their account, nothing will stop the attacker from asking to provide the 6-digits two-factor token, eventually the phone number to be verified, as well as any other required information. With sufficient instrumentation and automation, the attackers can make use of the valid two-factor authentication tokens and session before they expire, successfully log in and access all the emails and contacts of the victim. In other words, when it comes to targeted phishing software-based two-factor authentication, without appropriate mitigation, could be a speed bump at best.

Don’t be mistaken, two-factor authentication is important and you should make sure you enable it everywhere you can. However, without a proper understanding of how real attackers work around these countermeasures, it is possible that people are misled into believing that, once it is enabled, they are safe to log into just about anything and feel protected. Individuals at risk, human rights defenders above all, are very often targets of phishing attacks and it is important that they are equipped with the right knowledge to make sure they aren’t improperly lowering their level of caution online.

While it is possible that in the future capable attackers could develop ways around that too, at the moment the safest two-factor authentication option available is the use of security keys.

This technology is supported for example by Google’s Advanced Protection program, by Facebook and as of recently by Twitter as well. This process might appear painful at first, but it significantly raises the difficulty for any attacker to be successful, and it isn’t quite as burdensome as one might think. Normally, you will be required to use a security key only when you are authenticating for the first time from a new device.

That said, security keys have downsides as well. Firstly, they are still at a very early stage of adoption: only few services support them and most email clients (such as Thunderbird) are still in the process of developing an integration. Secondly, you can of course lose your security key and be locked out of your accounts. However, you could just in the same way lose the phone you use for other forms of two-factor authentication, and in both cases, you should carefully configure an option for recovery (through printed codes or a secondary key) as instructed by the particular service.

As with every technology, it is important individuals at risk are conscious of the opportunities as well as the shortcomings some of these security procedures offer, and determine (perhaps with the assistance of an expert) which configuration is best suited for their respective requirements and levels of risk.

How the Bypass for Two-Factor Authentication Works

The servers hosting the Google and Yahoo phishing sites also mistakenly exposed a number of publicly listed directories that allowed us to discover some details on the attacker’s plan. One folder located at /setup/ contained a database SQL schema likely used by the attackers to store the credentials obtained through the phishing frontend:

No automatic alt text available.

A folder located at /bin/ contained an installation of Selenium with Chrome Driver, which is a set of tools commonly used for the automation of testing of web applications. Selenium allows to script the configuration and launch of a browser (in this case Google Chrome) and make it automatically visit any website and perform certain activity (such as clicking on a button) in the page.

While the original purpose was to simplify the process of quality assurance for web developers, it also lends itself perfectly to the purpose of automating login attempts into legitimate websites and streamlining phishing attacks. Particularly, this allows attackers to easily defeat software-based two-factor authentication.

No automatic alt text available.

Yet another folder called /profiles/ instead contained hundreds of folders generated by each spawned instance of Google Chrome, automated through Selenium as explained.

No automatic alt text available.

Because all the profile folders generated by the spawned Google Chrome instances operated by the attackers are exposed to the public, we can actually get a glimpse at how the accounts are compromised by inspecting the History database that is normally used by the browser to store the browsing history.

No automatic alt text available.

Through the many Chrome folders we could access, we identified two clear patterns of compromise.

The first pattern of compromise, and most commonly found across the data we have obtained, is exemplified by the following chronological list of URLs visited by the Chrome browser instrumented by the attackers:

  1. https://mail.yahoo.com/
  2. https://guce.yahoo.com/consent?brandType=nonEu&gcrumb=[REDACTED]&done=https%3A%2F%2Fmail.yahoo.com%2F
  3. https://login.yahoo.com/?done=https%3A%2F%2Fmail.yahoo.com%2F
  4. https://login.yahoo.com/account/challenge/push?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=login&yid=[REDACTED]&sessionIndex=QQ–&acrumb=[REDACTED]
  5. https://login.yahoo.com/account/challenge/phone-obfuscation?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=login&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–&eid=3640
  6. https://login.yahoo.com/account/challenge/phone-verify?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=login&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–
  7. https://login.yahoo.com/account/challenge/pre-change-password?done=https%3A%2F%2Fguce.yahoo.com%2Fconsent%3Fgcrumb%3D[REDACTED]%26trapType%3Dlogin%26done%3Dhttps%253A%252F%252Fmail.yahoo.com%252F%26intl%3D%26lang%3D&authMechanism=prima$
  8. https://login.yahoo.com/account/security/app-passwords/list
  9. https://login.yahoo.com/?done=https%3A%2F%2Flogin.yahoo.com%2Faccount%2Fsecurity%2Fapp-passwords%2Flist%3F.scrumb%3D0
  10. https://login.yahoo.com/account/security/app-passwords/list?.scrumb=[REDACTED]
  11. https://login.yahoo.com/account/security/app-passwords/add?scrumb=[REDACTED]

As we can see, the attackers are automatically visiting the legitimate Yahoo login page, entering the credentials, and then following all of the required steps for eventual two-factor authentication that might have been configured by the victim. Once the full authentication process is completed, the attackers proceed to create what is commonly known as an “App Password”, which is a separate password that some services, including Yahoo, offer in order to allow third-party apps that don’t support two-factor verification to access the user’s account (for example, if the user wants to use Outlook to access the email). Because of this, App Passwords are perfect for an attacker to maintain persistent access to the victim’s account, as they will not be further required to perform any additional two-factor authentication when accessing it.

In the second pattern of compromise we identified, the attackers again seem to automate the process of authenticating into the victim’s account, but they appear to additionally attempt to perform an “account migration” in order to fundamentally clone the emails and the contacts list of from the victim’s account to a separate account under the attacker’s control:

  1. https://mail.yahoo.com/
  2. https://guce.yahoo.com/consent?brandType=nonEu&gcrumb=[REDACTED]&done=https%3A%2F%2Fmail.yahoo.com%2F
  3. https://login.yahoo.com/?done=https%3A%2F%2Fmail.yahoo.com%2F
  4. https://login.yahoo.com/account/challenge/password?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=narrow&yid=[REDACTED]&sessionIndex=QQ–&acrumb=[REDACTED]
  5. https://login.yahoo.com/account/challenge/phone-obfuscation?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=narrow&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–&eid=3650
  6. https://login.yahoo.com/account/challenge/phone-verify?done=https%3A%2F%2Fmail.yahoo.com%2F&authMechanism=primary&display=narrow&yid=[REDACTED]&acrumb=[REDACTED]&sessionIndex=QQ–
  7. https://login.yahoo.com/account/yak-opt-in/upsell?done=https%3A%2F%2Fguce.yahoo.com%2Fconsent%3Fgcrumb%3D[REDACTED]%26trapType%3Dlogin%26done%3Dhttps%253A%252F%252Fmail.yahoo.com%252F%26intl%3D%26lang%3D&authMechanism=primary&display=n$
  8. https://guce.yahoo.com/consent?brandType=nonEu&gcrumb=[REDACTED]&done=https%3A%2F%2Fmail.yahoo.com%2F
  9. https://mail.yahoo.com/m/
  10. https://mg.mail.yahoo.com/neo/m/launch?
  11. https://mg.mail.yahoo.com/m/
  12. https://mg.mail.yahoo.com/m/folders/1
  13. http://www.gmail.com/
  14. https://www.gmail.com/
  15. https://www.google.com/gmail/
  16. https://mail.google.com/mail/
  17. https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1#
  18. https://mail.google.com/intl/en/mail/help/about.html#
  19. https://www.google.com/intl/en/mail/help/about.html#
  20. https://www.google.com/gmail/about/#
  21. https://accounts.google.com/AccountChooser?service=mail&continue=https://mail.google.com/mail/
  22. https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1
  23. https://accounts.google.com/signin/v2/identifier?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin
  24. https://accounts.google.com/signin/v2/sl/pwd?continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&sacu=1&rip=1&flowName=GlifWebSignIn&flowEntry=ServiceLogin&cid=1&navigationDirection=forward
  25. https://accounts.google.com/CheckCookie?hl=en&checkedDomains=youtube&checkConnection=youtube%3A375%3A1&pstMsg=1&chtml=LoginDoneHtml&service=mail&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&gidl=[REDACTED]
  26. https://mail.google.com/accounts/SetOSID?authuser=0&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fauth%3D[REDACTED]
  27. https://mail.google.com/mail/?auth=[REDACTED].
  28. https://mail.google.com/mail/u/0/
  29. https://mail.google.com/mail/u/0/#inbox
  30. https://mail.google.com/mail/u/0/#settings/general
  31. https://mail.google.com/mail/u/0/#settings/accounts
  32. https://mail.google.com/mail/u/0/?ui=2&ik=[REDACTED]&jsver=OeNArYUPo4g.en.&view=mip&fs=1&tf=1&ver=OeNArYUPo4g.en.&am=[REDACTED]
  33. https://api.shuttlecloud.com/gmailv2/authenticate/oauth/[REDACTED]%40yahoo.com?ik=[REDACTED]&email=[REDACTED]@yahoo.com&user=0&scopes=contactsmigration,emailmigration
  34. https://api.login.yahoo.com/oauth2/request_auth?client_id=[REDACTED]&redirect_uri=https%3A//api.shuttlecloud.com/gmailv2/authenticate/oauth/c$
  35. https://api.login.yahoo.com/oauth2/authorize
  36. https://api.shuttlecloud.com/gmailv2/authenticate/oauth/callback?email=[REDACTED]&code=[REDACTED]
  37. https://mail.google.com/mail/u/0/?token_id=[REDACTED]&ik=[REDACTED]&ui=2&email=[REDACTED]%40yahoo.com&view=mas

In this rather longer chronology of URLs visited by the Chrome browser instrumented by the attackers we can see that they designed the system to attempt a login into Yahoo with the stolen credentials and request the completion of a two-factor verification process, as requested by the service. Once the authentication is completed, the phishing backend will automatically connect the compromised Yahoo account to a legitimate account migration service called ShuttleCloud, which allows the attackers to automatically and immediately generate a full clone of the victim’s Yahooaccount under a separate Gmail account under their control.

After such malicious account migration happened, the attackers would then be able to comfortably search and read through all the emails stolen from the victims leveraging the full-fledged functionality offered by Gmail.

Indicators

tutanota[.]org

protonemail[.]ch

accounts-mysecure[.]com

accounts-mysecures[.]com

accounts-secuirty[.]com

accounts-securtiy[.]com

accounts-servicse[.]com

accounts-settings[.]com

account-facebook[.]com

account-mysecure[.]com

account-privacy[.]com

account-privcay[.]com

account-servics[.]com

account-servicse[.]com

alert-newmail02[.]pro

applications-secure[.]com

applications-security[.]com

application-secure[.]com

authorize-myaccount[.]com

blu142-live[.]com

blu160-live[.]com

blu162-live[.]com

blu165-live[.]com

blu167-live[.]com

blu175-live[.]com

blu176-live[.]com

blu178-live[.]com

blu179-live[.]com

blu187-live[.]com

browsering-check[.]com

browsering-checked[.]com

browsers-checked[.]com

browsers-secure[.]com

browsers-secures[.]com

browser-checked[.]com

browser-secures[.]com

bul174-live[.]com

checking-browser[.]com

check-activities[.]com

check-browser[.]com

check-browsering[.]com

check-browsers[.]com

connected-myaccount[.]com

connect-myaccount[.]com

data-center17[.]website

documents-view[.]com

documents-viewer[.]com

document-viewer[.]com

go2myprofile[.]info

go2profiles[.]info

googledriveservice[.]com

gotolinks[.]top

goto-newmail01[.]pro

idmsa-login[.]com

inbox01-email[.]pro

inbox01-gomail[.]com

inbox01-mails[.]icu

inbox01-mails[.]pro

inbox02-accounts[.]pro

inbox02-mails[.]icu

inbox02-mails[.]pro

inbox03-accounts[.]pro

inbox03-mails[.]icu

inbox03-mails[.]pro

inbox04-accounts[.]pro

inbox04-mails[.]icu

inbox04-mails[.]pro

inbox05-accounts[.]pro

inbox05-mails[.]icu

inbox05-mails[.]pro

inbox06-accounts[.]pro

inbox06-mails[.]pro

inbox07-accounts[.]pro

inbox101-account[.]com

inbox101-accounts[.]com

inbox101-accounts[.]info

inbox101-accounts[.]pro

inbox101-live[.]com

inbox102-account[.]com

inbox102-live[.]com

inbox102-mail[.]pro

inbox103-account[.]com

Inbox103-mail[.]pro

inbox104-accounts[.]pro

inbox105-accounts[.]pro

inbox106-accounts[.]pro

Inbox107-accounts[.]pro

inbox108-accounts[.]pro

inbox109-accounts[.]pro

inbox169-live[.]com

inbox171-live[.]com

inbox171-live[.]pro

inbox172-live[.]com

inbox173-live[.]com

inbox174-live[.]com

inbox-live[.]com

inbox-mail01[.]pro

inbox-mail02[.]pro

inbox-myaccount[.]com

mail01-inbox[.]pro

mail02-inbox[.]com

mail02-inbox[.]pro

mail03-inbox[.]com

mail03-inbox[.]pro

mail04-inbox[.]com

mail04-inbox[.]pro

mail05-inbox[.]pro

mail06-inbox[.]pro

mail07-inbox[.]pro

mail08-inbox[.]pro

mail09-inbox[.]pro

mail10-inbox[.]pro

mail12-inbox[.]pro

mail13-inbox[.]pro

mail14-inbox[.]pro

mail15-inbox[.]pro

mail16-inbox[.]pro

mail17-inbox[.]pro

mail18-inbox[.]pro

mail19-inbox[.]pro

mail20-inbox[.]pro

mail21-inbox[.]pro

mail101-inbox[.]com

mail101-inbox[.]pro

mail103-inbox[.]com

mail103-inbox[.]pro

mail104-inbox[.]com

mail104-inbox[.]pro

mail105-inbox[.]com

mail105-inbox[.]pro

mail106-inbox[.]pro

mail107-inbox[.]pro

mail108-inbox[.]pro

mail109-inbox[.]pro

mail110-inbox[.]pro

mail201-inbox[.]pro

mail-inbox[.]pro

mailings-noreply[.]pro

myaccountes-setting[.]com

myaccountes-settings[.]com

myaccountsetup[.]live

myaccounts-login[.]com

myaccounts-profile[.]com

myaccounts-secuirty[.]com

myaccounts-secures[.]com

myaccounts-settings[.]com

myaccounts-settinq[.]com

myaccounts-settinqes[.]com

myaccounts-transfer[.]com

myaccount-inbox[.]pro

myaccount-logins[.]com

myaccount-redirects[.]com

myaccount-setting[.]com

myaccount-settinges[.]com

myaccount-settings[.]ml

myaccount-setup[.]com

myaccount-setup1[.]com

myaccount-setups[.]com

myaccount-transfer[.]com

myaccount[.]verification-approve[.]com

myaccount[.]verification-approves[.]com

myaccuont-settings[.]com

mysecures-accounts[.]com

mysecure-account[.]com

mysecure-accounts[.]com

newinbox-accounts[.]pro

newinbox01-accounts[.]pro

newinbox01-mails[.]pro

newinbox02-accounts[.]pro

newinbox03-accounts[.]pro

newinbox05-accounts[.]pro

newinbox06-accounts[.]pro

newinbox07-accounts[.]pro

newinbox08-accounts[.]pro

newinbox-account[.]info

newinbox-accounts[.]pro

noreply[.]ac

noreply-accounts[.]site

noreply-mailer[.]pro

noreply-mailers[.]com

noreply-mailers[.]pro

noreply-myaccount[.]com

privacy-myaccount[.]com

privcay-setting[.]com

profile-settings[.]com

recovery-settings[.]info

redirections-login[.]com

redirections-login[.]info

redirection-login[.]com

redirection-logins[.]com

redirects-myaccount[.]com

royalk-uae[.]com

securesmails-alerts[.]pro

secures-applications[.]com

secures-browser[.]com

secures-inbox[.]com

secures-inbox[.]info

secures-settinqes[.]com

secures-transfer[.]com

secures-transfers[.]com

secure-browsre[.]com

secure-settinqes[.]com

security-settinges[.]com

securtiy-settings[.]com

services-securtiy[.]com

settings-secuity[.]com

setting-privcay[.]com

settinqs-myaccount[.]com

settinq-myaccounts[.]com

thx-me[.]website

transfer-click[.]com

transfer-clicks[.]com

truecaller[.]services

urllink[.]xyz

verifications-approve[.]com

verification-approve[.]com

verification-approves[.]com

xn--mxamya0a[.]ccn

yahoo[.]llc


This article was originally published by Amnesty International on December 18th 2018. It was republished, with permission, under a Creative Commons BY-NC-ND 4.0 International License, in accordance with the Terms & Conditions of Amnesty International | Formatting Edits and Tweets added/embedded by Rogue Media Labs

Tech Review: Mailfence Encrypted Email

In my line of work, secure, private and encrypted emails are becoming an everyday necessity, especially these days. While the major players in the game remain ProtonMail and Tutanota, earlier this year I learned of a new up and coming provider operating out of Belgium – Mailfence – and decided to test the service out for myself. Here’s what I learned, and why I now run my business through their servers.

Customer Service

The first thing to catch my attention about Mailfence was their responsiveness to customer service inquires, even on social media and when dealing with free account holders. For example, even whilst hosting a free account on their service I received messages back from customer support within 24 hours time. Not only this, but their social media channels remain open to the public and are very responsive to messages. By comparison, other email service providers do not have any open lines of communication through social media, and most will only provide support to paying customers.

Accounts & Plans

Mailfence offers a wide range of account services including, free, entry, pro and business level plans. If you would like to learn more about each individual plan, as well as the added costs/benefits between them, please utilize the following link.

View All Plans Here: https://mailfence.com/#register

Even though the company operates out of Belgium, they do accept payments through foreign currency, including the American dollar, and perform the currency exchange on their end. This is important to understand because not every European based company is willing to do this. For example, in 2014 I was unable to register for Perfect Privacy VPN out of the Netherlands due to their reluctance to accept anything other than Euros. Perhaps most notably, even after submitting my debit card for payment, Mailfence enacted a delay on processing the payment in order to review my account/purchase – clearly indicating that the company isn’t just after some quick cash grab, but instead has a set of moral standards in place governing what they do and who they do business with. I know, imagine that – right?

Additionally, each Mailfence email address comes with built in data storage, acting as a de fecto Cloud storage account for all your important documents. Personally, I keep all of my most important documentation backed up through Mailfence. By comparison, I refuse to keep this sort of information stored on any other data hosting platform – especially Google.

Data Servers & Security

Mailfence‘s largest claim to fame, and what separates them from their competition, is the fact that the company hosts their data servers in and operates their business out of Belgium, which is known to have literally THE strictest privacy laws of any country in the world. Not only this, but Mailfence also goes out of its way to protect its website using TLS and SSL certificates which ensure that “no American certification authority is involved in the certification chain” – something I have personally never even seen before. Their site also enforces HSTS security headers and features state of the art encryption on all messages – more on that later on.

Data servers and country of origin is important to understand. As I have pointed out in a previous article on this subject, different countries have different laws when it comes to data storage and business/customer confidentially. Moreover, while countries like Switzerland would have you believe they hold the most secured privacy laws due to their world renown banking system, this just simply isn’t the case when it comes to cyber security. For example, ProtonMail tries to bank on Switzerland’s historic reputation, but ProtonMail was developed in part by researches at the Massachusetts Institute of Technology (MIT) and their relationship to/with the NSA and US Government is more than just rumor at this point. The fact of the matter is that, at the present moment in time, Belgium does more to protect customer privacy and data confidentially than any other country in the world – period, end of story.

Image may contain: text

Encryption Measures are Second To None

While there is a lot of competition out there on the encrypted email market these days, I have not seen one company offer more options to encrypt individual emails as Mailfence now does. For example, not only does Mailfence offer end to end encryption for all of its users, but the service also allows its users to create digital signatures, implements Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) – preventing email forging and ensuring all emails attached to your domain/account are exclusively sent via Mailfence servers. These are options which simply do not exist on other encrypted mail service platforms.

On top of this, Mailfence also implements two-factor authentication for all account holders using something known as “Time-based One-time Password” algorithms – also something I had never seen before. This technology ties a unique bar-code to an individual device or cell phone, ensuring that only that one device can have the means of generating a secondary code necessary for login. Combining their sign in methods with the sites security, along with their email encryption options, from login to transit, no email company I’ve ever seen does more to protect data/privacy than Mailfence now does.

Belgium Is The Future – IMO

While Mailfence is a relatively new and upcoming name, they have already sold me and I am happy to make the investment in the future. Moreover, reading international security headlines for a living such as I do, I am noticing an increase trend in the exploitation of encrypted email services for illegal means. For example, Tutanota accounts are behind nearly every single major ransomware related incident over the course of the last two years, and it is a general fact that all of the world most famous hackers and hacking groups operate through ProtonMail accounts.

Not all publicity is good publicity. The fact that nearly all major hacking and hacking related incidents are being conducted through ProtonMail and Tutanota servers is not a good look for business, and the longer this behavior continues the more likely it is that international authorities are going to compromise these services in one way or another – if they haven’t already quietly done so. As I have already pointed out, Mailfence is careful to choose who they do business with and whom they do not, and given that they are a relatively new service globally, ensures that their reputation has not been tarnished. As a new business owner myself, I feel much more comfortable attaching my name to Mailfence than I am any of its competitors.

Lastly, with the Netherlands essentially out of the privacy/security game and the pressure slowly mounting on all of these Swiss based companies, I see Belgium as the future leaders of cyber security over the course of the next 5-10 years. Not only is Belgium at the literal center of the European Union, which enacted revolutionary new data privacy laws in 2018, but some of the worlds most innovative security companies are starting to emerge there. This is true of services like Mailfence and DNSBelgium, which is leading the charge towards blockchain dns, which has the possibility changing the course of internet history. Given the way the country structures its laws, I see several major computer or cyber security based companies either starting up in or moving to Belgium in the years to come.

Making The Switch To Encrypted Emails

This past February a US judge ordered Microsoft, an American based tech company, to honor the search warrants of American law enforcement agencies requiring the company to hand over any/all data, emails and the like which the company stores on servers located overseas. The ruling came in direct contradiction to a previous ruling from a Federal Appeals Court in August of 2016, which upheld a US Circuit court ruling from July 2016, prohibiting the US Government from seizing data stored on servers located outside of US borders.

The principle behind this case is very simple to understand, does the United States Government have the right to demand foreign businesses located outside of the United States hand over their records to the United States Government if that company happens to do business with a US citizen? In other words, are foreign nations forced to abide by US law and comply with all US based legal requests? Well, according to the most recent ruling, as of February 2017, at least as far as US courts are concerned, the answer is “yes.

What Other “Authority” Does The US Government Have?

Let’s use the world’s most popular email service provider as a quick example – Gmail. Quite literally, everything you do on your Gmail account is accessible by Google at any given moment in time. After-all, you are using their service. If the US Government ever wants to see your account or any of the information on it, then all they have to do is pull up the file of a generic document, insert your name on top of it, print it out and just like that they magically have a “subpoena” to obtain all of your information from Google.

Despite how simple of a process this is, it is all groundbreaking stuff too. Believe it or not, it was not until May 2016 that the US government even needed to get a warrant or legal document of any kind to search through all of your personal emails. Don’t believe me?

Read More – Email Privacy Act of 2016: https://www.congress.gov/bill/114th-congress/house-bill/699

For you international folk out there, the news isn’t much better. You see, the US Government has its own private court known as a FISC court which, historically speaking, blindly grants “99.96%” of all warrant request brought in front of it – but who’s counting, right?

With that out of the way, all of the information above only goes to show how easy it is for the US Governments to go about obtaining all your data “legally.” But as I think we are all aware by now, agencies like the NSA or CIA do not necessarily care about US law and have the very real authority to act outside of it – #PatriotAct. To be fair, this does not necessarily mean that someone working for the US Government is literally watching/reading every single email you write every minute of the day, but they theoretically could be if/whenever they wanted to.

To that very point, early in 2016 Google came out with a press release addressing how “state-sponsored hackers” had breached over 1 million Gmail accounts over the course of that year. This was also not an isolated incident and it’s not just Google which has been targeted by these types of breaches. Literally hundreds of millions of Yahoo and Hotmail accounts have also been exposed over the years.

Read More – 3 Billion Yahoo User Accounts Hacked, Including 500 Million Email Addresses: http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html

So far I have only addressed how easy it is for the US Government and/or law enforcement agencies to access all of your personal accounts/information, this does not even account for all of the non-Government organizations or hackers out there or oppressive regimes located in countries all over the world. In fact, I am willing to bet that at least 95% of all hackers worldwide are non-Government affiliated. Moreover, Hillary Clinton, the DNC, CIA, John Brennan and John Podesta should all serve as evidence for just how easy it can be for hackers to compromise anyone’s email account if they really want to – even some of the most powerful people in society.

Quite frankly, there is a reason why politicians and members of the Armed Forces are told never to use their own personal or private email accounts, because none of these services are properly protected or encrypted! While members of the Government and Armed Forces use their own private versions of encrypted email services which are NOT open or available to the public sector, thankfully, there are a number of free and paid email encryption services out there open to the general public.

For Example:

Mailfence

Mailfence is a relatively new company globally, but one which I have already placed at the top of all encrypted email service providers. Mailfence operates their servers out of Belgium, a country internationally renown for having some of the strongest and most resolute privacy laws in the world. Unlike the United States, every surveillance request or request for information inside Belgium, including on Mailfence’s servers, must be legally brought in front of a Belgium judge and proven in court as legitimate. In this way Belgium protects user data and business confidentiality in a way that no other country in the world does.

Sign Up/Create an Account Here: https://mailfence.com

ProtonMail

This email service provider offers free end to end encryption and hosts its servers in Switzerland, outside of US jurisdiction – theoretically. When signing up, at no point in time are you asked for any personal information and you do not need to attach any other emails account or phone numbers in order to register. This service also utilizes 2-factor authentication to log in, preventing hacking attempts. ProtonMail has also partnered with humanitarian organizations around the world, such as Amnesty International, in order to help fight back against Government surveillance and cyber censorship in developing countries around the world.

On a lighter note, if you are a fan of the Television drama “Mr. Robot” this is Elliot’s email provider of choice on the show.

Sign Up/Create an Account Here: https://protonmail.com/

Tutanota

This is another free encrypted email service that has become quite popular in recent times. In fact, earlier in 2016 Tutanota officially surpassed 1 million accounts – becoming the world’s largest encrypted email service provider. In 2017, Tutanota then went on to surpass 2 million accounts, furthering the countries rock solid reputation as an industry leader.

What makes Tutanota unique is that the company makes their source code “open source,” meaning that security researches investigate for themselves the level of encryption they are receiving. For all you n00bs out there, making your source code public record and still not having it hacked proves just how good the code really is.

Sign Up/Create an Account Here: https://tutanota.com/