IT Security Blog

29 June 2007

Social En-June-Eering

As we look back at the month of June, one could call it the month of Social Engineering in the spam world.

Although the original outbreaks started in May with the government agency scams purporting to be from the Better Business Bureau and the IRS, they extended into June with spoofs against the FTC and most recently the Department of Justice. Throw a fake Microsoft patch and a fake Proforma invoice into the mix too, and you have what made for a pretty busy month!

So, why did these scams work? Putting aside the targeting tactics used, the real culprit here is social engineering. According to Wikipedia, social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. How does one do that? How does a scammer manipulate you into doing exactly what THEY want you to do? Simply put, social engineering is about establishing trust or credibility with the person you are attempting to scam. On other levels it can also appeal to the human sense of want or desire.

The government agency scams mastered the art of social engineering in a number of ways that we spoke about in previous blog entries, such as the method of targeting and the inclusion of specific information within the message body.

Let's use the BBB scam as an initial case study. The BBB scam targeted high level executives at organizations. Why? For starters, if the CEO of a company receives an email purporting to be from the Better Business Bureau, it is likely to get more attention than if it were sent to the guy who works in the mailroom. Secondly, C-level executives are generally more affluent, and as a result, if they do get victimized they have a lot more to lose to the scammer, ranging from higher bank and brokerage account balances to corporate trade secrets.

Social engineering is a key driver to the success of any cybercrime campaign. Without effective social engineering, you'll fool only the most gullible (like the people who still go out and buy V1@gr@...I never did understand that!). Even though anything north of a 0% success rate is profitable to the scammer, most aren't in it for nickels and dimes. They are in it for the nice house on the beach and expensive foreign cars.

We see new examples of cybercrime and its uses of social engineering every day: an email claiming to contain video clips of breaking news stories (as with the Storm Worm), fake Microsoft Windows Operating System patches, or phishing scams posing as IRS refunds (November 2005). The social engineering aspect of cybercrime is only going to get more advanced and more difficult for even the trained eye to detect. As such, education, education, and more education will continue to be paramount in minimizing the effects of cybercrime.

Posted by smasiello at 11:42 AM | Link | 0 comments
27 June 2007

Fake Microsoft Outlook Patch In the Wild

Starting yesterday (June 26th) we began to see yet another low volume malware attack originating via spam email. This time the spam posed as a patch to Microsoft Outlook and linked out to a malicious site (4 sites hosting the trojan had been identified at the time of this posting) which, when accessed, would covertly download a trojan (You didn't really think it was going to download a patch, did you? :) ) onto your PC. The trojan opens up a back door into the computer for other hackers to use (the actual net effects of this backdoor have not yet been made known).

This attack, like the BBB, IRS, FTC, and Proforma outbreaks over the past 4 weeks, was targeted. The name of the person the email was being sent to (or sometimes their company name) was inserted into the message body.

Similar to the FTC scam, this message was also somewhat sloppy in its composition, with several grammatical errors within the message body.

Within the message there is also a license key, included solely in an effort to make the message look authentic. The format of this license key does not follow the standard format of either Microsoft Windows XP or Outlook license keys (that's a subtlety, though, that many may not have picked up on). Similar to the government scams, which used the logos of the agency being spoofed within the message body, this new scam brands the message with the Microsoft logo across the top of the email.

The Internet Storm Center has a great writeup on this new outbreak as well.

Emails related to this outbreak contain the subject line of "Microsoft Security Bulletin MS07-0065 - Critical Update" and should not be opened. If you receive an email with this subject line or purporting to be a Microsoft Patch, delete it immediately.

Posted by smasiello at 2:07 PM | Link | 1 comment
18 June 2007

How long until the first iPhone botnet?

I, like many others, am eagerly anticipating the release of the new iPhone by Apple on the 29th of June. The presentation is beautiful and the usability features and functions of the phone far and away surpass the competition. It's truly a beautiful piece of equipment, and I can't wait to see it in action.

Mind you, I am not actually going to be buying one of these phones. I can already hear the screams of "You spent HOW MUCH?! For a PHONE?!" at the mere thought of spending $500-600 for a device that I use mostly for conversation and rarely for internet connectivity. I'll be more than happy to look over a friend's shoulder and listen to him swear up and down at it while the kinks are worked out though.

Anyway, last week Steve Jobs announced that Apple will be allowing other companies to write applications for the iPhone through the Safari web browser.

Let the malware race begin!

David Maynor (of the MacBook compromise debacle at the Black Hat conference in 2006; he has since apologized) has stated that he has already identified several bugs within Safari which allow for remote code execution. Since he does not yet have an iPhone, though, he doesn't yet know how well, if at all, his findings will pan out into anything significant.

Whether or not you believe Maynor is credible, the proof of concept is sound in that by allowing third party applications to be built for the iPhone, Apple has opened the door for hackers to race to create the first, biggest, and best iPhone botnets. It'll only be a matter of time before we are actively using terms like PhoneBot or iBot to discuss the state of our shiny, new iPhones.

Posted by smasiello at 12:48 PM | Link | 0 comments
13 June 2007

Here we go again. Another government agency scam.

As we spin the wheel of malware and government agency scams it looks like this week's winner is the FTC!

Since late last night we have been seeing yet another morph of the BBB and IRS scams that seem to have been making a weekly appearance (they took last week off, though).

Today's variation is purporting to be from the FTC (from an @ftc.gov address). The format of the scam is the same as the other two incarnations. It is highly targeted at specific individuals (they are probably even using the same list for every variant of the scam, although I can't prove this), with the name of the person targeted and the company name in the message body, and an RTF file attached that contains an embedded executable which launches a keylogger.
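An RTF attachment carrying an embedded executable is the part of this scam a mail gateway can check for mechanically, so here is an added example (written for this post, not code from the original) that scans an RTF file for embedded OLE objects and reports why it should be quarantined. It relies only on RTF control words that exist in the RTF specification (\object, \objemb, \*\objclass, \*\objdata); the sample RTF and the OLE 1.0 "Package" stream it contains are constructed in the code for the test and are not from any real outbreak.

```python
"""Flag RTF attachments that carry embedded OLE objects (the delivery mechanism
of the FTC/BBB/IRS scams: an RTF with an embedded executable).

Added example, not code from the original post. Nothing is executed or
extracted; the hex payload of each \\*\\objdata group is decoded and inspected
so a filter can quarantine the attachment and a responder can see why.
"""
import re
import struct

# One {\object ...} group, captured up to and including its \*\objdata hex payload.
OBJECT_RE = re.compile(r"\{\\object(.*?)\\\*\\objdata\s*([0-9A-Fa-f\s]+)", re.DOTALL)
# The object's class name, e.g. {\*\objclass Package}
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s*([^}\\]+)")


def extract_objects(rtf_text):
    """Return one dict per embedded object: class name, \\objemb flag, decoded bytes."""
    objects = []
    for match in OBJECT_RE.finditer(rtf_text):
        header, hexdata = match.group(1), match.group(2)
        cls = OBJCLASS_RE.search(header)
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", hexdata))
        except ValueError:
            blob = b""  # malformed hex: still report the object, just with no payload
        objects.append({
            "class": cls.group(1).strip() if cls else None,
            "is_embedded": "\\objemb" in header,
            "data": blob,
        })
    return objects


def suspicious_reasons(obj):
    """Heuristics a gateway would apply; any non-empty result means quarantine."""
    reasons = []
    if obj["class"] and obj["class"].lower() == "package":
        reasons.append("OLE Package class: embeds an arbitrary file")
    elif b"Package" in obj["data"]:
        reasons.append("'Package' class name found inside the OLE stream")
    if b"MZ" in obj["data"]:
        reasons.append("DOS/PE 'MZ' header inside the embedded data")
    if obj["is_embedded"] and not reasons:
        reasons.append("embedded OLE object of unrecognized class")
    return reasons


def assess_rtf(rtf_text):
    """Return [(class_name, reasons)] for every object; [] means nothing is embedded."""
    return [(o["class"], suspicious_reasons(o)) for o in extract_objects(rtf_text)]


def _ole1_package_stream(payload):
    """Constructed OLE 1.0 native stream wrapping payload as a 'Package' object
    (version, FormatID=2 embedded, class name, empty topic/item, data)."""
    name = b"Package\x00"
    return (struct.pack("<II", 0x501, 2) + struct.pack("<I", len(name)) + name
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(payload)) + payload)


# Constructed samples: the "executable" is just an MZ header followed by zero bytes.
SAMPLE_RTF = (r"{\rtf1\ansi Please review the attached document. "
              r"{\object\objemb{\*\objclass Package}{\*\objdata "
              + _ole1_package_stream(b"MZ\x90\x00" + b"\x00" * 60).hex()
              + "}}}")
CLEAN_RTF = r"{\rtf1\ansi Meeting notes: nothing attached.}"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_RTF), ("clean", CLEAN_RTF)):
        print(label, assess_rtf(doc))
```

Anything that comes back from assess_rtf non-empty is worth holding regardless of which heuristic fired: a legitimate RTF memo almost never needs an embedded Package object, and the "MZ" check is there for samples that rename the class to evade the first rule.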

I have no solid proof of this yet, but I would guess that these different variants are being sent out by the same spam gang, and are likely even targeting the same people with each new run.

Be on the lookout! If you get a message purporting to be from the FTC with an RTF attachment do yourself, your personal information, and your bank accounts a favor and delete it!

Posted by smasiello at 9:24 AM | Link | 0 comments
12 June 2007

Image Spam! Image Spam! Wherefore art thou, Image Spam?

Starting in May and continuing into June we have seen a rapid decline in the volume of what people have become accustomed to as "image spam." Image spam commonly refers to spam messages which, when rendered in the user's mail reader, look like an image containing the text of the spam, as opposed to the advertisement/scam being transmitted in clear text. These image based spam messages are typically either Rolex ads, ads for various medical enhancement type products (Cialis, Viagra, and Xanax are popular), or stock pump and dump scams, where the scammer is trying to get you to buy the stock to pump the price so that they can dump it for a profit and leave the victim holding the bag.

To give a little background on the increase in prevalence of image based spam: it was about 10% of all spam traffic back in December 2005. By October 2006 it had risen to about 33% of spam traffic. This was causing problems for service providers of all types, as the increase in spam volume was accompanied by a non-linear increase in spam bandwidth, because the average size of a spam message had almost doubled on account of these image based messages. The 33% of spam volume taken up by image spam was accounting for 70% of the bandwidth!

Image spam continued its popularity reaching almost 40% of all spam traffic earlier in 2007. April's rate was about 37%, but in May dropped significantly to 24%. So far June appears to be continuing this downward trend.

So, does this mean that image spam is gone? Have we won the image spam war?

Not quite.

As with most spam tactics, as folks who do any kind of email filtering continue to develop solutions to effectively block one type of spam, the spammers adapt and change their methodologies to something else. That is what we are seeing here.

We have started to see a couple of new types of image spam:

The first type is one where the spammers use legitimate image hosting providers such as Imageshack and Flickr to host their images. There are a few problems with this tactic from the spammer's perspective. For one, the user has to click a link in order to see the image. Secondly, the image hosting providers are pretty quick to shut these down and take the images offline. Third, from a filtering standpoint, it is pretty easy to block. I wouldn't expect to see this tactic used for too long, even though it currently accounts for about 4% of our spam volume.

The second type is one that we have started to see only within the past couple of days, and it is a hybrid of the original image spam tactic of attaching the image to the message and the use of an external image host. With this new tactic, the location of the image is used as the background attribute of the body tag within the HTML code of the message. So, the image itself can be hosted by a free image host or a compromised web server, and since the image is referenced as the background of an HTML page, it renders within the body of the message. This way the user does not have to click a link in order to see the image. No solid volume numbers to report on this tactic yet, but I would expect it to become more popular.
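Both of the new tactics above (links to free image hosts, and a remotely hosted image pulled in through the body tag's background attribute) leave a signature in the HTML of the message that a filter can look for. The following is an added example written for this post, not code from the original, that scans an HTML message body with Python's standard html.parser and reports each finding. The list of image-hosting domains is only a starter list built from the two services named in the post, and the three sample messages are constructed.

```python
"""Detect the two image-spam delivery tricks described in the post:
  1. <body background="http://..."> pulling an image from an external host
  2. <img src> or <a href> pointing at a free image-hosting service

Added example, not code from the original post. IMAGE_HOSTS and the sample
messages are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Starter list of free image hosts (the post names Imageshack and Flickr).
IMAGE_HOSTS = {"imageshack.us", "flickr.com", "staticflickr.com"}


def _host_of(url):
    """Hostname of an absolute http(s) URL, or None for relative/cid:/data: refs."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def _is_image_host(host):
    """True if host is, or is a subdomain of, a listed image-hosting service."""
    return any(host == h or host.endswith("." + h) for h in IMAGE_HOSTS)


class ImageSpamScanner(HTMLParser):
    """Collects (reason, host) pairs while the parser walks the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases attribute names for us
        if tag == "body" and attrs.get("background"):
            # Any remote background counts: free host or compromised server alike.
            host = _host_of(attrs["background"])
            if host:
                self.findings.append(("body-background", host))
        elif tag == "img" and attrs.get("src"):
            host = _host_of(attrs["src"])
            if host and _is_image_host(host):
                self.findings.append(("img-hosted", host))
        elif tag == "a" and attrs.get("href"):
            host = _host_of(attrs["href"])
            if host and _is_image_host(host):
                self.findings.append(("link-to-host", host))


def scan_html(html):
    """Return the list of (reason, host) findings for one HTML message body."""
    scanner = ImageSpamScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspect(html):
    """Verdict: any remote body background, or any reference to an image host."""
    return bool(scan_html(html))


# Constructed samples.
SAMPLE_BACKGROUND = """<html><body background="http://img.example-host.test/stock.gif">
<p>Hot stock tip inside.</p></body></html>"""

SAMPLE_LINK = """<html><body><p>Check this out:
<a href="http://imageshack.us/photo/abc.jpg">click here</a></p></body></html>"""

SAMPLE_CLEAN = """<html><body style="background:#fff"><p>Meeting moved to 3pm.</p>
<img src="cid:logo@local"></body></html>"""

if __name__ == "__main__":
    for label, doc in (("background", SAMPLE_BACKGROUND), ("link", SAMPLE_LINK), ("clean", SAMPLE_CLEAN)):
        print(label, scan_html(doc))
```

The body-background rule is the sharper of the two: legitimate mail almost never sets a remote background image on the body tag, whereas a plain link to Flickr is common in personal mail, so the link rule is better used as a score contribution than as an outright block.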

So, it looks like the next wave of image spam is upon us. These new tactics actually open up quite a few new possibilities for image spam to morph into other types of spam such as flash movies. Expect to see more experimentation over the next couple of months as spammers continue to tinker with this new tactic to find new and more creative ways to get their junk delivered to your inbox.

Posted by smasiello at 5:23 PM | Link | 0 comments
05 June 2007

48 Hours in Dublin

Greetings from Ireland!

I am currently in Dublin for the 10th General MAAWG (Messaging Anti-Abuse Working Group) Meeting. I got here on Sunday morning in the pouring rain which made going out to find my way around interesting. Apparently waterproof clothing is only waterproof for as long as it can sustain keeping out the water and assumes that you are making reasonable attempts to get out of the rain. I walked for about 5-6 miles on Sunday only to be completely soaked through all of my clothes by the end. Good times!

Since the conference didn't start until today (Tuesday) I took Monday as an opportunity to do some sightseeing. I took a 4.5 hour bus and walking tour of the south coast of Ireland which included a self-guided tour of a place called Powerscourt Gardens. This place was absolutely gorgeous and was a great opportunity to take some unforgettable pictures. There was a Japanese Garden, huge grassy knolls with fountains and trees with blooming flowers all over them. Truly spectacular! Also, posted all over the place though were signs to "Keep off of the grass" which were apparently translated by some folks with kids as "YOU keep off of the grass. It's ok for me and my kids." Mind you there were only a few kids who I saw using the grassy areas as a huge playground, but the parents weren't doing anything to get them off of the grass either. The whole 4.5 hour tour which included the price of admission to the Gardens was only 25 Euros (between $33-35 USD). Very much worth it!

Speaking of the grass, I want some of the grass here for my front lawn! For as much as it rains here, the grass is mostly short and very fine. If it rained this much at my house, I'd be outside every time it stopped raining to cut the grass just to keep the yard from becoming a jungle.

Monday night was a dinner hosted by the folks at Cloudmark. We took a bus to a place called Johnny Fox's which was about an hour ride from the hotel. Great dinner and even better company and discussion with lots of singing (if I can call it that) on the bus on the way back followed by a couple hour nightcap in the hotel bar. Wednesday night Symantec is hosting a tour of the Guinness brewery.

When people say that Ireland is so green that it can hurt your eyes, it's true. Not only is EVERYTHING green, it is a BRIGHT green. A beautiful bright green. It really is a beautiful place and a great place to visit. I'd be more than happy to share some pictures with whoever would be interested.

The MAAWG conference starts today. Since it is a member's only meeting there might not be much that I am actually allowed to say about what is discussed, but if there are any good tidbits that I can safely share, I will do so.

Cheers!

Posted by smasiello at 10:41 AM | Link | 0 comments