IT Security Blog

24 November 2007

Cyber Monday Cometh

For everyone in the United States, I hope you and your families had a wonderful Thanksgiving holiday. For those outside the US, I hope you had a productive second half of last week.

And so the holiday shopping season has begun. The Black Friday early morning deals are over. I didn't go out this year, but did last year and have to admit, it was kind of fun despite the chaos.

Last year I went to a Kohl's department store in search of a kitchen mixer that my wife really wanted (it was on sale from $300 down to about $160). So, I got to the store about an hour before it opened and the foyer area was already packed. I was still able to find a little space to squeeze in though, which was nice because it was pretty darn cold outside. Anyway, 5am came, the doors opened and the mad rush began. The hot item was a personal DVD player which was on sale (after rebates) for about $50, down about 75% or so from its regular price. There was a huge display of boxes of DVD players about 50 feet from the door and as soon as the doors opened people ran towards them like they were going to get an opportunity to touch their favorite rock musician. It was almost cartoon-like watching not only people fighting over these boxes, but watching the boxes fly all over the place as people tried to grab them. It truly was something to behold. Thankfully most people weren't there for the mixers so I was in and out of the store in about 7 minutes. Not bad to save $140!

Anyway, I digress...

Coming up on Monday is the single largest *online* shopping day of the year, thusly named Cyber Monday. On Cyber Monday (November 27th) 2006 people spent $608M online according to comScore Networks. That was a 26% increase over the 2005 number of $484M. The 2007 number is expected to be higher than the 2006 number, but perhaps not as much of an increase because of the economic ups and downs of the past year.

Why is this a security issue? Many people will be doing not only their Cyber Monday shopping, but also a good amount of their total holiday online shopping from their computers at work, taking advantage of faster online connections than they have at home. Depending on whose numbers you read, anywhere from 45% to 75% of people will do some amount of online holiday shopping while at work.

Online safety should be of paramount concern during the holiday season. With $608M spent online in a single day, the pot is simply too large for criminals not to try to get a piece of the action. As aware as you need to be of threats on the internet (like phishing) during the other 47 weeks of the year, the 5+ weeks of the holiday season present the biggest risk of fraud.

To help, here are some tips to follow during the holiday shopping rush (they really aren't any different than the rest of the year, but require extra diligence during the holidays because people are often in a rush to buy items quickly and easily online and don't always pay attention to the warning signs):

-- Shop only at retailers you know and trust, just like you would if you were shopping in the local mall. Also, if you want to visit that retailer's web site, type their URL directly into your browser. Don't follow links from marketing emails, as such an email could direct you to a fraudulent site set up to look like the real one.

-- Look for security indicators. All legitimate online retailers should protect your confidential information (even your login to their site) with encryption. Make sure not only that the little padlock indicating encryption appears in your browser window, but also that the site the security certificate is registered to matches the site you expect to be buying from. If it doesn't, treat that as suspicious.

-- Do not shop from public Wi-Fi hotspots. Many of these networks employ either no encryption of your data or very weak encryption, leaving you open to potential identity theft.

-- Do not use public computers, or any computer you are not familiar with, to do your online shopping. Web browsers often store information entered into web forms for easy reuse later. Someone could easily walk up to one of these computers, go to a couple of common shopping sites and start writing down whatever information they can find.

Holiday shopping is supposed to be a fun time of year, but it also can be very hectic and stressful at the same time. As such, make sure that in your haste to find the best deals and the right gifts you also keep sensible browsing and shopping habits in mind. For all of the conveniences and speed that the web brings to holiday shopping, it also brings many potential risks.

Be safe! Have fun! Have a great holiday season!

Posted by smasiello at 10:35 AM

19 November 2007

Whale Phishing

Those who know me know that I could do without some of the new terms that people come up with in an attempt to get their names attached to something (e.g. vishing, smishing, and bacn), but I read about a new term today which caught my attention mostly because I thought it was pretty clever.

That term is "Whale Phishing."

So what? People are phishing whales now? That seems like a pretty fruitless venture. Last I heard, whales can't read email.

No, "whale phishing" is a targeted phishing attack against affluent people in an attempt to (like most phishing attacks) get them (the "whale") to reveal sensitive financial/account information. So, if people are now being compared to whales, I guess that would make most of us calves (a "calf" is what you call a baby whale. I learned that while typing up this blog entry!). Even if the term doesn't catch on, I thought it at least interesting and witty enough to chuckle at.

For the record, yes, I am aware that MX Logic coined the term "pharming", but before you go and call me a hypocrite for having this opinion I'd like to go on record as saying that was before my time and as such I am hereby absolving myself from that :)

Posted by smasiello at 2:30 PM

14 November 2007

New Stock Popup Spam

Machines infected with the Storm Worm now have a new way to deliver spam to their owners: browser popup spam!

Joe Stewart, a security researcher for Secureworks, has been actively tracking the Storm Worm and its activities for quite some time now and has posted this image with a sample of the spam that users are receiving.

The scam is for stock symbol HPGI which is for a company named Hemisphere Gold. This stock was actually the target of a pump and dump email spam run which started a couple of days ago.

You can track the spam volumes sent out for this particular stock here.

You can track the ups and downs of the stock price here.

So, now you're thinking "Well, now I'll know if my PC is infected with Storm. I can just run my virus scanner and it'll be removed! What a dumb move on the part of the Storm authors!" Unfortunately, this won't work. One of the elements of Storm is that it contains a rootkit component which embeds itself into Windows drivers that handle primary operating system functions. You can't just delete these files because then you will be removing system files that Windows needs to run.

There are applications that will look for and detect rootkits on your system, but it is unknown at this time whether those products have been updated to detect new Storm variants. Even if they detect this variant, Storm is very nimble and updates itself regularly; a product's ability to identify and remediate one variant doesn't mean it has caught them all.

Just like 2005 was the year of the Sober worm, 2007 will be known as the year of the Storm Worm (and likely well into 2008, until something else comes along that is even more dastardly than Storm, which is a very scary concept!). This example is just one more piece of evidence that email is most certainly not the only threat vector anymore and that it is only a matter of time before the web passes email as the primary malware delivery vehicle.

Posted by smasiello at 9:21 AM

13 November 2007

Android SDK Officially Released

After much ballyhoo and anticipation, yesterday marked the release of the Android SDK. The Android SDK is a project sponsored by the Open Handset Alliance which allows applications to be built on top of the Android Platform, a software stack for mobile devices. This will allow developers to create feature-rich, interactive mobile applications in Java on top of a Linux kernel. Based on the libraries that are included as part of the SDK, the possibilities for the types of applications that can be developed are virtually limitless. This would be a great opportunity for organizations that are trying to give more tools to the mobile or traveling employee so that they can be more productive, and also more efficient, outside of the office.

For all of the positive aspects of the SDK, one element of the SDK that has me concerned regards the implementation of the SDK's security model. According to the web site, "At application install time, permissions requested by the application are granted to it by the package installer, based on checks with trusted authorities and interaction with the user. No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user."

Eek!

Essentially what this means is that if a user is tricked into installing some kind of malicious application, once it is installed it basically has the run of the system.

Is anyone else concerned by this?

Ok, so this isn't much different from what we have today when you attempt to install an application on Windows, for example. If you confirm to UAC that you want to let the application install, it does so, and you could potentially have introduced any level of malcode to your system.

If this is no different than what we have today, then why care?

As we continue to open up more technologies and platforms to make them easier to use and more adaptable, let's make sure that we are not further perpetuating a poor security model. There is a natural tension between ease of use, the addition of features, and security. Even though it is impossible to please all of the people all of the time, it is poor ongoing practice not to find a middle ground between these three, and continuing to allow the open use and distribution of new technology without also heavily considering the security model is irresponsible.

Posted by smasiello at 10:47 AM

08 November 2007

Halloween Storm Alert Follow Up

As a follow up to the Halloween Storm Alert that we posted back on October 31st, it appears that we are seeing more of these dancing skeleton emails today. In fact, we have already seen about 4 times the volume of this Storm Worm variant today (at 2:30pm MST) than we saw all of Halloween day (over 4 million so far today, about 1 million on Halloween and only a few thousand per day in between).

Looks like the dancing skeleton enjoyed the first dance so much he came back for an encore.

Posted by smasiello at 2:37 PM

Congratulations, Italy!

I just wanted to take a moment to throw out a dubious congratulations to Italy, which briefly overtook Poland this morning as the #2 spam-sending country in the world (according to our Threat Operations Center stats). The victory was short-lived, however, as Poland has already regained its runner-up spot, still lagging behind the United States. Italy has dropped back to third.

Posted by smasiello at 1:51 PM

06 November 2007

Ron Paul and the Political Spam Machine

So who is Ron Paul, you ask? He is a Texas Congressman running for the Republican nomination for President of the United States in the 2008 election.

Who else is Ron Paul, you ask? He is the subject of a massive spam campaign over the last week (which continues today) where emails are being blasted out on his behalf in an effort to drum up support for his candidacy.

Unlike most spam, which generally has all sorts of randomized content in an effort to get past spam filters, the content of these messages is pretty static, save for the subject line and a small snippet of random characters at the very end of the message which are otherwise meaningless. Some of the subject lines that we have seen associated with the Ron Paul spam are:

Who is Ron Paul?

Vote Ron Paul 2008!

Iraq Scam Exposed, Ron Paul

IRS Fears Ron Paul?

Ron Paul Exposes Federal Reserve!

Ron Paul Wins GOP Debate!

Each of these subjects has one thing in common: 7 random letters at the very end of the subject line in mixed case (upper and lower case), presumably in an effort to throw off anti-spam filters. Folks from the Ron Paul campaign deny having anything to do with the spam run, which is originating mostly from botnet machines and open email relays.
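As an added example (not part of the original post), here is a small Python filter for the subject-line pattern described above: it flags subjects that end in a seven-letter mixed-case token and then clusters the flagged messages by their fixed base subject, which is how a campaign like this collapses to a handful of templates once the random tail is stripped. The sample subjects are constructed for illustration, not captured spam.

```python
import re
from collections import Counter

# Constructed sample subject lines (not real captures) modelled on the pattern
# the post describes: a fixed subject followed by 7 random mixed-case letters.
SAMPLE_SUBJECTS = [
    "Who is Ron Paul? kQzRbTa",
    "Who is Ron Paul? pLmWqEr",
    "Vote Ron Paul 2008! mXpLoWe",
    "IRS Fears Ron Paul? ZxcvBnM",
    "Iraq Scam Exposed, Ron Paul xTqVnLp",
    "Your order has shipped",            # legitimate: last word is a real word
    "Welcome to the Company Welcome",    # legitimate: capitalised real word
    "Vote Ron Paul 2008! abcdefg",       # all lower case: not the pattern
]

# Final whitespace-separated token of exactly seven ASCII letters.
TRAILING_TOKEN = re.compile(r"^(?P<base>.*\S)\s+(?P<tail>[A-Za-z]{7})$")


def looks_like_hash_buster(tail: str) -> bool:
    """Mixed case with at least one capital after the first letter, which
    ordinary English words rarely have (rules out 'Welcome', keeps 'kQzRbTa')."""
    return any(c.isupper() for c in tail[1:]) and any(c.islower() for c in tail)


def split_subject(subject: str):
    """Return (base_subject, random_tail), or (subject, None) when no tail is found."""
    m = TRAILING_TOKEN.match(subject.strip())
    if m and looks_like_hash_buster(m.group("tail")):
        return m.group("base"), m.group("tail")
    return subject.strip(), None


def is_campaign_subject(subject: str) -> bool:
    return split_subject(subject)[1] is not None


def cluster_campaign(subjects):
    """Count how many flagged messages share each base subject once the random
    tail is stripped; a few large clusters are the fingerprint of one campaign."""
    return Counter(split_subject(s)[0] for s in subjects if is_campaign_subject(s))


if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print(f"{'SPAM ' if is_campaign_subject(subj) else 'clean'} {subj!r}")
    print(cluster_campaign(SAMPLE_SUBJECTS))
```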

This isn't the first time that email has been used as a vehicle to distribute large spam runs containing politically motivated propaganda. Back in May 2005, machines infected with the Sober-N worm were used to mass-distribute spam that decried the Dresden bombing and the admission of Turkey into the European Union. Like those emails, the Ron Paul spam messages required no further action by the end user, meaning there was no link to click to visit a web site, nor was there an attachment.

This brings up a couple of interesting threat scenarios from where I sit:

As the 2008 presidential campaign wears on I would definitely expect to see more political campaign based propaganda spammed out. This particular spam run happened to be pro Ron Paul, but expect to see smear campaigns sent out as well in an effort to build up negative public opinion. It'll be up to the public to be much more diligent in understanding what the candidates' true opinions are on the important issues and not assuming what they read in email or on the internet is necessarily true.

Another possibility that exists here is the potential for the distribution of malware via these spam messages. I could easily see a lure where political messaging is used as a social engineering technique to get people to open an infected attachment or get someone to click a link which takes them out to a malicious web site infected with malware.

As with any current event or subject that people are passionate about, criminals will also try to prey upon those feelings and will likely also set up phishing sites posing as campaign contribution sites (similar to how we see fake donation web sites pop up after natural disasters).

So, as always there is a wide open potential for further abuse here and I would not be surprised at all to see them all used over the next year leading up to the elections (exactly one year from today, in fact). Always be careful about what you read, be careful about who you are giving your confidential or personally identifiable information to, but ALWAYS be careful about what you click on. Things are not always as they appear to be.

Posted by smasiello at 1:37 PM

01 November 2007

IRS Phish Soliciting Donations for SoCal Wildfire Victims

We have received a sample this morning of a new phishing message making the rounds today. The sample that we have received is a message which purports to be from the IRS (yes, another government agency scam) and has a subject line of "Help for California Wildfire Victims".

The content of the message is a solicitation for donations for victims of the wildfires in Southern California. The top of the message has an IRS logo to make it appear legitimate (the logo is being loaded from customersarealways.com which does not have any IRS affiliation).

Here is a snippet of the message text which tries to lure the victim in:

For these Americans, every night brings uncertainty, every day requires new courage, and in the months to come will bring more than their fair share of struggles. In the task of recovery and rebuilding, some of the hardest work is still ahead, and it will require the creative skill and generosity of a united country. Right now California is asking you for help ! If you chose to take part in our program (initiated by IRS & U.S GOVERNMENT) click on the link below and make a small contribution. Together we can rebuild California ! BE HUMAN GET INVOLVED ! BE AMERICAN ! CALIFORNIA NEEDS YOUR HELP !

Sincerely, Julia Brownley

Of course the IRS does not send unsolicited emails looking for public donations to assist with relief efforts. In fact, it never sends unsolicited emails, nor does it send anonymous emails. Just receiving an email such as this should always be the first tell-tale sign that the email is a scam and should not be acted upon.

From the sample that we received, the link at the bottom of the message directs the user to a web server hosted in France. When this link was followed, the page served was a broken redirect to a web page that is already offline.
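As an added example (not from the original post), a Python check for the two tell-tales noted above: it parses an HTML message body and reports every image source and link hosted outside the domain the message claims to come from, which for a sender like irs.gov should be none. The HTML body is constructed to mirror the post's description; phish-host.example is a placeholder for the undisclosed French server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not the real sample) mimicking what the post describes:
# an IRS logo hosted on an unrelated domain and a donation link pointing off-site.
# phish-host.example is a placeholder, not the actual server from the sample.
SAMPLE_BODY = """
<html><body>
<img src="http://customersarealways.com/images/irs_logo.gif" alt="IRS">
<p>Right now California is asking you for help !</p>
<p><a href="http://phish-host.example/irs/donate.php">Make a small contribution</a></p>
<p>Sincerely, Julia Brownley</p>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect every <img src> and <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def same_org(host: str, claimed_domain: str) -> bool:
    """True for claimed_domain itself or any subdomain of it; 'evilirs.gov' fails."""
    return host == claimed_domain or host.endswith("." + claimed_domain)


def foreign_resources(html_body: str, claimed_domain: str) -> dict:
    """Images and links whose host lies outside the claimed sender domain.
    A relative URL (no host) is also reported, since it cannot be the sender's."""
    p = ResourceCollector()
    p.feed(html_body)
    return {
        "images": [u for u in p.images if not same_org(host_of(u), claimed_domain)],
        "links": [u for u in p.links if not same_org(host_of(u), claimed_domain)],
    }


if __name__ == "__main__":
    print(foreign_resources(SAMPLE_BODY, "irs.gov"))
```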

This is not to say, however, that this is a dead phish. Other variants of this message pointing to other sites likely exist and are being actively distributed.

The key point to remember here is that if the IRS wants to get a hold of you, they won't do it via email. They certainly wouldn't ask you for a donation via email. If you receive any examples of this scam, please forward it to the IRS at phishing@irs.gov.

Posted by smasiello at 8:37 AM