Friday, June 9, 2017

IBNS Malicious Infrastructure Targets Financial Institutions

In the last days of May, Wapack Labs identified a large email delivery infrastructure targeting multiple industries including finance and transportation. Wapack Labs dubbed this network "IBNS". The infrastructure consists of a single name server and over 17k typo-squatted domains. The size of this recently discovered IBNS network is unprecedented. Wapack Labs believes that IBNS is a malicious provider that uses web automation and reseller services to facilitate their criminal activities. The actors sell through channels, using resellers instead of selling direct, which creates a level of separation between themselves and the users. Tactics, Techniques and Procedures (TTPs) associated with the activity suggest attribution to a known Nigerian fraud group.


I hear every day about the stupid users clicking through, and the CISO that talks about the problem being in the human. Honestly? I get kinda mad when I hear it. Why? These guys are using automated psychology to overwhelm, confuse and take advantage of unsuspecting users.

It means to me that the CISO who said it has never seen well-crafted emails meant to slip past the goalie. Or perhaps they don't understand the idea that users only have so much willpower, or that my own out-of-band email account (an AOL account that I've had for probably 20 years) receives far more spam than it does legitimate email.

Bad guys are smart. They know that users have only a limited amount of willpower, and after seeing hundreds of spam messages per day, the chance that some of them are going to be opened, out of sheer exhaustion and confusion, is 100%.

Overwhelm, confuse, create fatigue, repeat, add additional sources of confusion, repeat again.

ONE typosquat dump that we identified had over 17,000 domains that look a heck of a lot like credit card and payment company domains. CapitalOne? Capital1? CapitalONE? Capital-one? My typosquats are terrible but you get the idea. Imagine dozens of variations created programmatically and then used to overwhelm.
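The defender's side of this, as an added example that is my own code and not Wapack Labs' tooling: undo the common typosquat tricks named above (hyphens, digits standing in for words or letters, doubled letters) and score the sender's registrable label against a constructed list of protected brand names, so look-alikes such as capital1 or capital-one can be flagged before a tired user ever sees them. The brand list, substitution tables and threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed list of protected brand labels (second-level labels only); an assumption for this example.
PROTECTED = {"capitalone", "paypal", "americanexpress"}

# Digits read as look-alike letters (paypa1 -> paypal) and as spelled-out words (capital1 -> capitalone).
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
WORD_NUMBERS = {"1": "one", "2": "two", "4": "four"}


def second_level_label(domain):
    """Return the registrable label, e.g. 'capital-one' from 'mail.capital-one.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def variants(label):
    """Yield plausible 'intended' spellings of a label by reversing common squatting tricks."""
    base = re.sub(r"[-_]", "", label.lower())   # capital-one -> capitalone
    yield base
    yield "".join(WORD_NUMBERS.get(ch, ch) for ch in base)   # capital1 -> capitalone
    yield "".join(LEET_MAP.get(ch, ch) for ch in base)       # paypa1 -> paypal
    yield re.sub(r"(.)\1+", r"\1", base)                     # capitaloone -> capitalone


def lookalike_score(domain):
    """Return (closest protected brand, similarity in [0, 1]) for the domain's registrable label."""
    label = second_level_label(domain)
    best = (None, 0.0)
    for brand in PROTECTED:
        for candidate in variants(label):
            score = SequenceMatcher(None, candidate, brand).ratio()
            if score > best[1]:
                best = (brand, score)
    return best


def is_suspicious(domain, threshold=0.85):
    """Flag a sender domain as a probable typosquat of a protected brand.

    The brand's own domain is never flagged; everything else is judged by how
    close its best de-obfuscated variant comes to a protected label.
    """
    if second_level_label(domain) in PROTECTED:
        return False
    _, score = lookalike_score(domain)
    return score >= threshold


if __name__ == "__main__":
    # Constructed sender domains in the style of the variations described above.
    for sender in ["mail.capital1.com", "capital-one.net", "paypa1.com", "capitalone.com", "google.com"]:
        print(sender, "->", "SUSPICIOUS" if is_suspicious(sender) else "ok", lookalike_score(sender))
```

A list like this is only a first filter; pair it with the sender's SPF/DKIM results and a blocklist feed such as the one described further down before acting on a hit.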

Folks, it's not about stupid users. It's about information security folks not understanding the strategy of fatigue and confusion, and then how to protect those (your) lambs as they're being led (by Nigerian scammers, Lazarus actors, or APT) to slaughter. It's like the door-to-door salesman who keeps throwing features, prices, and deals at you until you sign just to get the guy out of your house. There's psychology involved.

…and you only need one to slip past the goalie to be infected, and many times, you'll have absolutely no idea that you've been p0wned.

Wapack Labs has been running this thing that we call the Cyber Threat Analysis Center. We scour primary sources to identify intended victims before they become victims. The graphic above is a sample of a report that we provide on a weekly basis to one of our folks. We give them normalized blacklists in periodic chunks that they can drop into their defenses, either their intrusion prevention systems, SIEM, or whatever they have. They can wait for us to give it to them or they can pull it programmatically via API on whatever frequency they desire.

Want to know more? Drop us a note through the website, or at

OK folks, it's our first nice day in a while up here in NH and that lawn (hay field?) isn't going to mow itself.

Oh, before I forget, if you're local, I hope to see some of you at our Granite State Security cookout Monday afternoon… nothing heavy, just burgers and beer, but it's supposed to be nice. Let's have some fun! Here's the link to the meetup… I've invited the local Open Source community and security folks.

Have a great weekend!