February 20, 2011

USA Green Card Fraud

Few days ago I have got an email that indicated that I won a green card. It looked strange since I never posted registration forms though.

The story begins - First Mail from USAFIS which includes an "intro" for a mail that I should receive from the US government, see the email content in the following image:


Few minutes later I have got a mail from "usa.gov.states@usa.com" which indicated that I won the green card and the only thing left is to pay a 880$ fee. See screenshot below:


These emails looked strange from the following reasons:
1. No contact details in both emails.
2. I never filled a form for getting a green card (should I?)
3. As far as I know - USA is a governmental site, which means that it should be ended with .GOV instead .COM

Therefore I decided to investigate this potentially fraud. Each solution for a mystery begins with one small step - Who are USAFIS? Did they sent me the email? In order to get the answers, I sent reply email with question about the winning. The reply that I got is an automatic reply which indicated that the information can be found in the second email that I have got, see screenshot:


OK, It was not enough for getting the information that I mentioned to get, therefore I googled and found the web site of usafis. I sent an email to the helpdesk and asked if I won the green card. As response I got the following email which tells me that it was a fraud:


Note: The real email from USAFIS comes from USAFIS.ORG, where the fake comes from POST.COM domain.

As for the .GOV/.COM issue, I executed whois query and found the following info about usa.com domain:



If I ran the same query on USA.GOV, I would not get any information.


In conclusion, please note the emails that you read and verify (as far as you can) the identity of the sender.

February 16, 2011

Internal Denial of Service (iDoS)

I like the traditional Denial of Service attacks which are based on the Application layer, i.e. Buffer overflows, function recursion etc. Moreover, most of the network DoS\DDoS attacks are targeted to external systems.

I would like to share an idea about execution of internal DoS (iDoS) attack on the network level. In order to explain the attack, it is important to divide the attack to 2 extremely different networks:

1. Flat Network
Flat networks allow access to all resources in the network. Let's assume that attacker finds a way to install scanning tool silently (e.g nmap with winPcap, by using nmap-x.xx-setup.exe /S /D=C:\tools\Nmap) on all\most of the remote computers, either by exploit or privileged permissions. After installation has been completed, the attacker can execute an intensive scan (paralelly or serially) on the IP range in the internal network.
As a result, the attacker can cause most of the computers in the internal network to scan the entire network, which may lead to exhaustion or denial of service in the internal network.

2. Segmented Network with IPS
In this kind of network, on one hand the attacker might infect less operating systems, on the other hand the remediation might take longer.
If an attacker implements the same attack as above on such a network, the infected resources will be locked by the IPS, which automatically will cause a denial of service to the resources above. In addition, this attack may be taken to other scenarios i.e. flooding the IPS in the network.

In order to reduce the threat I would recommend to limit the access to the internal resources (either by drive encryption, device control etc) and block scanning tools in the Antivirus software on the operating systems.
I know that my recommendations might be bypassed, however it is still a pretty good solution.


Nir Valtman