Published on June 1st, 2017 | by Akshay Nayak
Avoiding Extension-Appending Attacks
Let’s commence our Gone Phishing series by looking at the first technique – the Extension-Appending Attack.
This phishing technique involves an attacker chaining together different types of file extensions. In most cases, the chain starts with an extension belonging to a document type, such as pdf or MS Office formats like docx, pptx, xlsx, etc. The attacker ends the chain with an extension associated with executable files, e.g. bat or exe.
The attacker could spoof an email from the CFO of a company with an attached file employee_bonuses.xls.bat. Another scenario could be a phishing email sent to a recruiting manager with an attachment titled resume.pdf.exe.
How Could An Extension-Appending Attack Succeed?
Microsoft, in its infinite wisdom, decided that one way to hide the underlying complexity of its OS from end users was to hide file extensions by default.
So, in the second example mentioned above, resume.pdf.exe would appear as resume.pdf.
It’s not very difficult for the hacker to change the icon to make the file look like a pdf.
An IT person might find it rather suspicious that a “pdf” file needs to run with admin privileges, as indicated by the blue and yellow shield on the icon. However, these kinds of phishing emails are more likely to target slightly less security-savvy folks working in HR, Marketing or Sales. Depending on how the PC is configured, a UAC (User Account Control) prompt appears, but, luckily for the attacker, most users end up clicking Yes.
Following this, the machine is infected with malware.
Free Email Providers – Messengers of Doom or Guardians of the (eMail) Galaxy?
This phishing attack has undergone a few changes in the last few years, in the wake of popular email providers no longer allowing executable files to be attached directly to an email.
Gmail has a resounding lead in this effort to combat phishing emails with malicious attachments. It blocks file extensions that can be used for malicious purposes; in this case, it does not even allow the executable to be attached to the email. This way, it cannot be used to send malicious executables, at least not directly.
Not only that, the Gmail SMTP server also refuses to accept any email that contains suspicious attachments.
Outlook also blocks suspicious file extensions, albeit with one subtle difference. The email most likely goes through with the attachment, but the attachment cannot be downloaded or accessed by the recipient. This is indicated by a crossed-circle icon on the attachment. However, as far as end users are concerned, the result is the same: the attachment is blocked, so kudos to Outlook for that.
On the other hand, Yahoo does not seem as capable at handling malicious attachments. It successfully sent an email including the executable file without raising any alerts. As a result, it has a very high potential to be used as a channel for direct dissemination of files with malicious extensions like .exe and .bat. However, Yahoo Mail does have one redeeming quality: its SMTP server blocks malicious attachments when receiving email. It returns an email send failure notice with error code 554, which can have multiple causes, one of them being suspicious attachments. Maybe things will improve once Verizon acquires Yahoo.
From an attacker’s point of view, the only thing that matters is the victim receiving the email and subsequently opening the attachment. If an email provider does not allow malicious attachments to be sent using its infrastructure, an attacker can send it from their own SMTP server.
Since most email providers block executables, attackers had to come up with another way to get the attachments across. The answer? Archive file formats such as .zip, .rar and .7z. In fact, this is exactly how Cryptolocker infected its victims. Seeing how archive formats were being used to send malware, Google took drastic steps and imposed many restrictions on sending files inside compressed formats via Gmail.
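As an added example (not code from the original post), here is a small Python check that a mail gateway or helpdesk script could run over attachment names. It shows the name Explorer would display with extensions hidden, flags the document-then-executable chain described above (resume.pdf.exe, employee_bonuses.xls.bat), and also looks inside a zip archive's member list, since that is how the attack moved once providers started blocking bare executables. The extension lists and the sample archive are assumptions constructed for this example.

```python
"""Flag extension-appending attachments, sent directly or inside a zip."""
import io
import posixpath
import zipfile

# Assumed lists for this example: decoy document extensions an attacker puts
# first in the chain, and extensions Windows runs on double-click.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "com", "scr", "pif", "js", "vbs"}
ARCHIVE_EXTS = {"zip"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows when 'Hide extensions for known file types' is on:
    the final known extension is dropped, so resume.pdf.exe reads as resume.pdf."""
    stem, dot, ext = filename.rpartition(".")
    if dot and stem and ext.lower() in DOCUMENT_EXTS | EXECUTABLE_EXTS | ARCHIVE_EXTS:
        return stem
    return filename


def is_extension_appending(filename: str) -> bool:
    """True when the name ends in an executable extension and an earlier
    part of the name carries a document-style extension (resume.pdf.exe)."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False  # a plain setup.exe or report.xlsx is not a chain
    return parts[-1] in EXECUTABLE_EXTS and any(p in DOCUMENT_EXTS for p in parts[1:-1])


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return the suspicious names found in one attachment. A zip is listed
    (never extracted) and each member's base name is checked the same way."""
    hits = []
    if is_extension_appending(filename):
        hits.append(filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTS and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if is_extension_appending(posixpath.basename(member)):
                    hits.append(f"{filename}:{member}")
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and one chained name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "benign text")
        zf.writestr("docs/employee_bonuses.xls.bat", "@echo constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(displayed_name("resume.pdf.exe"))            # resume.pdf
    print(scan_attachment("resume.pdf.exe", b""))       # ['resume.pdf.exe']
    print(scan_attachment("bonuses.zip", build_sample_zip()))
```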
What’s In A Name?
Another way in which attackers can theoretically get their files directly to the user is by simply renaming the file. In the above case, renaming resume.pdf.exe to resume.pdf did not cause any problems when sending the email.
Of course, this implies that the adversary must devise a clever plan to get the victim to rename the file back to its original executable form, which will raise the suspicion of anyone who has gone through even the most basic security awareness training.
Another way a phisher might approach this problem is to get the user to download another malicious application (a rogue pdf reader in this case) that can open the infected attachment, which would otherwise be deemed corrupt by the default pdf reader on the victim’s system (e.g. Adobe or Foxit). But then, if the user clicks on a suspicious link to install custom software, the attacker can just infect the endpoint via the malicious link itself. Why go through the trouble of attaching another malicious file, which could increase the chances of the email being flagged as phishing? Plan B, maybe?
Hackers – On Cloud 9
Say .zip and other compressed file formats won’t work. What’s next? If the title did not give it away: cloud service providers like Dropbox, OneDrive or Google Drive. Most email providers that don’t allow an executable to be attached directly or indirectly (inside an archive) give the user the option to upload it to cloud storage and share a link instead.
When shared this way, almost any type of file can be delivered, inside a zip archive or even directly.
Countermeasures Against Extension-Appending Attacks
User awareness training is the key to preventing such phishing attacks from being successful. Users must tread with caution when dealing with suspicious attachments, especially from unknown email addresses. When receiving an email with attachments that happen to have suspicious file extensions (.exe, .bat, .zip etc.) from a friend or colleague, it might be a good idea to check with them whether they really sent that email, especially if one is not expecting it. This may not seem like a lot, but it could avert a major incident or a breach. In some cases, if such emails happen to come from a known contact’s email account that has been compromised, it may help bring attention to that as well.
Almost all businesses today use one email client or another – the most popular being Outlook. Even home users should think about using email clients such as Outlook or Thunderbird. That’s because when all email addresses are managed using these email clients, configuring the security settings correctly can help block malicious attachments for all managed email accounts rather than relying on their respective webmail security settings.
Users can also protect themselves from these attacks by enabling the option to show file extensions on Windows systems. On Windows 10, this can be done by navigating to the Windows Explorer View tab and ensuring the box beside File name extensions is ticked. Another way is to click the Options drop-down menu in the same View tab and click “Change folder and search options”. In that dialog, un-tick the box that says Hide extensions for known file types. Once this is done, the file will appear as resume.pdf.exe and not resume.pdf as the attacker wanted.
Another thing a user can do to notice appended extensions is to change the way icons are viewed. For example, in the View tab, if the user chooses the Details layout, the Type column shows that the file is in fact an Application and not a pdf file.
The Content layout is even better, as it emphasizes that resume.pdf.exe is actually an Application and not a pdf file by showing the file type right below the filename.
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.