IT Security Blog

30 September 2008

MX Logic Spam Survey

Care to Share?
MX Logic is always looking to find out more about the folks we serve, so we can do a better job at helping to make life just a little easier for IT Managers the world over. To that end, we've just put together a simple, short survey for IT professionals that will provide a better picture of spam and email security concerns facing businesses.

Care to share your opinion? It will only take 2-3 minutes. Once we have enough responses, we'll share the results here on the MX Logic IT Security Blog.

Take the MX Logic Spam Survey

Many thanks!
Posted by webmaster at 9:36 AM | Link | 0 comments
17 September 2008

AARP Site Hacked and Spammed

Hackers combine bots, malware and search engine expertise to drive porn traffic

There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines. Today we discovered that the AARP’s website has been compromised by a two-pronged attack.

First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites. Second, hackers employ bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.

This provides hackers with multiple benefits. Among them:

  • Search engines rank sites based upon links from other sites. If a high-ranking site like the AARP (to which Google has assigned a Page Rank of 8/10) links to the hacker’s site, it increases the recipient site’s ranking and traffic.
  • The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself.
  • Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware "anti-virus" applications to help them "fix" the problem.

Typically, most blog platforms do a fair job of limiting comment spam. Even so, a cursory check for inbound links to some of the hacked AARP.org profiles shows many blogs now have the AARP.org bot-submitted links in their comment areas.

As we’ve covered before, spam makes a lot of people a lot of money. Hackers have great incentive to find vulnerabilities in email systems as well as web-based content management platforms. They're also increasingly using SEO (search engine optimization) to help stack the odds in their favor. The possibility of being able to inexpensively market on such a massive scale means the threat will never completely go away.

Whether it’s your website or your email network, constant vigilance is necessary to keep your organization from getting egg on its face.

Just ask the AARP.

(Note: The above image is from a non JavaScript auto-redirecting post.)

Posted by webmaster at 4:12 PM | Link | 4 comments
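
An added example, not part of the original post and not AARP's code: one way a site operator could audit stored profile bodies for the two things described above, script-driven redirects and links pointing off-site. The hostname `example.org`, the finding labels and the sample profile are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumption: stand-in for the site's own hostname

class ProfileAudit(HTMLParser):
    """Collects markup that a user-supplied profile field should not contain."""

    def __init__(self, site_host=SITE_HOST):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(("active-content", tag))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", attrs.get("content", "")))
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(("event-handler", name))
            elif name in ("href", "src", "action"):
                self._check_url(value)

    def _check_url(self, value):
        url = "".join(value.split())  # drop whitespace hidden inside the scheme
        try:
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
        except ValueError:
            self.findings.append(("malformed-url", url))
            return
        if parsed.scheme.lower() in ("javascript", "vbscript", "data"):
            self.findings.append(("script-url", parsed.scheme.lower()))
        elif host and host != self.site_host \
                and not host.endswith("." + self.site_host):
            self.findings.append(("external-link", host))

def audit_profile(html, site_host=SITE_HOST):
    """Return (kind, detail) findings for one stored profile body."""
    parser = ProfileAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample profile, not taken from the incident.
SAMPLE_PROFILE = (
    '<p>Retired teacher from Ohio.</p>'
    '<script>window.location="http://redirect.example.net/";</script>'
    '<a href="http://landing.example.net/offer">my photos</a>'
    '<a href="/community/groups">my groups</a>'
)
```

Whether external links are allowed at all is a policy choice; serving the ones that are allowed with `rel="nofollow"` removes the search-ranking incentive the post describes.
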
10 September 2008

Image Spam Hosted on Windows Live Spaces


It looks like the spammers using image spam are on the move again.

We've written before about spammers sending out links in emails that point to images housed on free image hosting services like ImageShack and Flickr as vehicles for delivering image spam (see here and here for the original posts from May and June 2007).  Other folks have recently written about Google's Picasa image hosting service being abused in the same way.

In a spin on blog spam, we've recently started to see image spam being hosted on Windows Live Spaces, a blogging and social networking platform by Microsoft.  In this new tactic, spammers are setting up bogus Live Spaces, hosting an image in the blog section of the page, then spamming out links to the site.  So far the spam images that we have seen have had a debt consolidation flavor like this one:




Most of the spamvertised links that are pointing to these images are very obviously suspect and have the format of http://cid-[series of alpha characters].spaces.live.com (e.g. hxxp://cid-8bbc31c85ef08898.spaces.live.com/).  Current volume of these types of emails is about 11,000 per hour.

There is no malware component associated with these campaigns that we are currently observing.  It is usually the next logical step so I wouldn't be surprised if we started seeing them soon.

Posted by smasiello at 1:25 PM | Link | 2 comments
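
An added example, not part of the original post and not MX Logic's filter code: a mail-side check that pulls link hosts out of every text part of a message and reports those with the `cid-….spaces.live.com` shape given above. Treating the id as a run of hex digits is an assumption based on the post's one example, and the sample message and its cid value are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Host shape from the post: cid-<id>.spaces.live.com. The post's example id is
# hex, so any run of hex digits is accepted here (assumption).
CID_HOST = re.compile(r"^cid-[0-9a-f]+\.spaces\.live\.com$", re.I)
# Also matches defanged hxxp:// links as written in reports.
URL_HOST = re.compile(r"""\bh(?:tt|xx)ps?://([^\s/"'<>]+)""", re.I)

def live_spaces_hosts(raw_message):
    """Return sorted cid-*.spaces.live.com hosts linked from any text part."""
    msg = message_from_string(raw_message, policy=default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes base64 / quoted-printable encoding
        for authority in URL_HOST.findall(body):
            # Strip userinfo and port, normalise case and trailing dot.
            host = authority.rsplit("@", 1)[-1].split(":")[0].lower().rstrip(".")
            if CID_HOST.match(host):  # anchored, so lookalike suffixes fail
                hosts.add(host)
    return sorted(hosts)

def build_sample():
    """Constructed two-part message; the cid value is made up."""
    link = "http://cid-0123456789abcdef.spaces.live.com/"
    msg = EmailMessage()
    msg["Subject"] = "Consolidate your debt today"
    msg.set_content("Details: " + link)
    msg.add_alternative(
        '<a href="%s">see the offer</a> '
        '<a href="http://spaces.live.com/">home</a>' % link,
        subtype="html")
    return msg.as_string()

if __name__ == "__main__":
    print(live_spaces_hosts(build_sample()))
```
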
09 September 2008

If You Predict It, Spam Will Come


I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September.  The latest edition can be downloaded here.

In that report we mention our prediction that, as the Democratic and Republican National Conventions concluded and the campaign season kicked into high gear, we expected to see a continuation of some of the more recent spam tactics in which hackers use tabloid-like news headlines as a lure to get people to open malicious emails, but with a political twist.  So, instead of using fake Britney Spears or Oprah headlines as a means to get unsuspecting users to view a video or news clip, the movement has started toward targeting Barack Obama using similar means.

Some of the subject lines that we are currently seeing targeting Obama are:

Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl

Note that we have not yet seen any similar tactics targeting John McCain.

Volume on this tactic is currently extremely low (under 100 total have been seen thus far), but this is likely a proof of concept method that will play itself out over the next two months where more believable tactics are used by spammers.  Instead of using tabloid-like headlines, be on the lookout for emails containing attachments or links to sites claiming to be hosting the latest candidate television commercial or video with excerpts from a speech at their latest campaign stop.

Obviously there is a bit of a shock factor with these tabloid-like headlines that grab people's attention, but since this tactic has been around for several weeks now, expect it to morph to using lures that are far more plausible in the very near future.

Posted by smasiello at 12:15 PM | Link | 0 comments

The Satisfaction of a Paradigm Shift in Motion


Since I am not gone yet, and because I have had quite a few thoughts building over the past several days, I wanted to take a couple of minutes to talk about something that has given me a LOT of job satisfaction over the past few months.  That is, the tangible fruits of a lot of effort to increase internal security awareness.

In the midst of the everyday chaos I do try to sprinkle in my personal thoughts about the importance of security awareness within your organization and the fact that no company is immune to the need for it, even though it might be well outside the focus of the company.  Obviously, after a breach is certainly a great time to enhance whatever security measures that you might have, but one of my favorite lines as it relates to security (and this could be applicable just about anywhere) is "Perspective is good.  Being proactive is better."  In other words, don't wait for a breach to act.  The damage is already done.

Information Security has always been a significant part of my role at MX Logic and at other companies that I have been at in different capacities.  It's been a primary part of my role here for about the past one and a half years.  During that time I have put a lot of work into internal education as well as implementation of best practice policies and procedures.  As one would expect, there were some who grasped onto the concept immediately, understood what the end goal was, and were supportive from the word "go."  Others were detractors and took a bit more working with either because they didn't truly understand the need for such a program or for security in general (it's much easier for me to do what I need to do if there are no restrictions!) or thought it was going to significantly impact the way that they do their jobs. 

As in most organizations though, there is more than just your own data or your own intellectual property that you are a custodian of.  You are also responsible for the confidentiality, integrity, and availability of your customers' data.  They are entrusting you with protecting them as much as your executive teams are expecting you to protect them as well as the company's IP.

Over the past few months, one of the things that I have noticed from an internal perspective is the increased awareness of security in just about every conversation or meeting that I am a part of.  Feature planning discussions don't go by without a mention of the multiple security aspects associated with a particular new piece of functionality (and I am not always the one to bring them up!); how we are going to protect the data (not only from hackers, but from curious customers or someone who just accidentally stumbles upon something that they aren't supposed to be able to do/see), how we are going to protect the underlying infrastructure, and how we are going to maintain the feature going forward.

I can't express how satisfying it has been to hear these security-related sentiments coming from other areas of the company.  I still feel as if I am the one leading the charge, but my army of supporters has gotten larger and the number of supporters has outnumbered the detractors to the point where the detractors have been forced to jump on the bandwagon or be left behind.  I hope you all reach that same point as you go forward with your own internal security programs.  It's a great rush and a sense of accomplishment that I hope every security professional gets the opportunity to feel.
Posted by smasiello at 11:41 AM | Link | 2 comments

Getting Ready for #2!


No, not THAT kind of #2.

Not Web 2.0, iPhone 2.0 or any other kind of 2.0 either.

Baby #2.

I've been a bit remiss about posting over the past couple of weeks because my wife and I are expecting our second child (another girl....there is going to be WAY too much estrogen in my house :) ) shortly and as such a lot of my time at MX Logic lately has been making sure that all of my projects are squared away prior to my departure.  Our doctor has been keeping us on pins and needles too because due to some complications throughout the pregnancy he has been holding the threat of induction over our head for a while now. 

So, my time to check in over the next couple of weeks will be brief, sporadic, and potentially non-existent.  As much as I would love to, I will also not be attending the MAAWG meeting in Florida in a couple of weeks.  If you are attending have fun, learn lots (it should be a GREAT program!), and hopefully I'll see you in San Francisco early next year.

Thank you very much for all of the well wishes that we have received thus far.  They've been greatly appreciated.  I'll be sure to post some pictures after Lauren is born.

Posted by smasiello at 11:04 AM | Link | 3 comments