MX Logic » MX Logic IT Security Blog

28 October 2008

Voter FUD Trying to Keep Voters from the Polls


According to this PC World Article, spammers have started using political hacktivism by reaching out to keep voters from going to the polls during this election season.  Emailed warnings have been sent to people in Maryland telling them that they cannot vote in the election if their homes have been foreclosed on.  There have also been reports in Florida that emails have been circulating that your driver's license and social security information will need to match up with federal records in order to be able to vote. 

I am certainly no political guru, but the thing that interests me the most about this is what is intended to be gained by spammers by employing this tactic?  These emails have been sent out en masse and have not been targeted towards a particular party affiliation.  So, it isn't like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other.  Either way, in this financially motivated underground economy, it isn't clear to me what a spammer would have to gain by spreading these types of messages.  There is no proof at this time that these emails are in any way associated with either the Obama or McCain campaigns. 

This certainly isn't the first time that email has been used to spread false political messages, but in many of those cases there has been a target or some kind of agenda associated with it.  Barack Obama has been the social engineering lure used in a couple of spam and malware campaigns since the Democratic National Convention concluded, but those have been attempts to discredit Obama by associating him with non-existent online sex videos.

The long and short of all of this is, with one week to go until the election there are likely to be more email campaigns with similar political themes.  It is also entirely possible that as users are visiting more and more political web sites to ensure that they are informed about all of the local issues that they will be voting on that some of those web sites may become compromised by cyber criminals.  Compromise of legitimate web sites is becoming more and more common.  So, be sure that your computer is up to date with all of its latest security updates and patches. 
Posted by smasiello at 8:59 AM | Link | 0 comments
24 October 2008

Out of Band Critical MS Patch Released


In the event that you were not aware, a new critical update (rated as Important on Vista and Server 2008, but critical for Windows XP, 2000, and Server 2003) has been released as an out of band patch from Microsoft. 

It is of utmost importance that this vulnerability be patched as soon as you are able to.  The primary reason for this patch being released outside of the typical Patch Tuesday schedule is in response to exploits available in the wild and the potential for damage as a result of becoming infected. 

The vulnerability being patched is a network level vulnerability.  This means that once one machine within the network becomes infected, it will immediately start looking for other vulnerable machines within the network to exploit.  As a result, this exploit could have SQL Slammer like implications.  The primary difference here is that SQL Slammer was an exploit of IIS, an individual application where this exploit is taking advantage of a vulnerability in the operating system which means that the potential attack surface is much larger.

In the past 24 hours our Threat Operations Center has seen over 100,000 emails with attached exploits that appear to be taking advantage of this vulnerability.  All instances that we have seen thus far have been in German so their viability in the United States is limited.  We are on the lookout for additional variants, and will report them as they are seen.

*** UPDATED 10/24/2008 1:06pm MDT *** Upon further review it appears that the German emails are not related to the Microsoft exploit.  We are currently researching whether there is an email delivery vector being used to deliver exploit code to take advantage of this vulnerability.  The German emails are actually a different piece of malicious code.  More information here.  This update is also to correct the brief mention that was made in this morning's edition of the Security Buzz podcast that there might be an email attack vector sending out exploits.  That does not CURRENTLY appear to be the case.

*** UPDATED 10/24/2008 2:20pm MDT *** Exploit code for yesterday's patched vulnerability is freely available via popular security sites like SecurityFocus.  Blocking RPC ports such as 135-139, and 445 at your firewalls will not mitigate this attack.  Now that exploit code is so easily available it is not out of the realm of possibility that attacks will come from many different angles, email included, looking to get into your network.  It is definitely advised that you test and deploy this patch ASAP. 

Posted by smasiello at 10:40 AM | Link | 0 comments
16 October 2008

Targeted Political "Spam" Misses the Mark


As if the election season didn't wear on everyone's nerves enough between all of the empty promises, rhetoric, and smear campaigns, now we have to deal with candidate "spam" on top of everything else.

Why is spam in quotes?

As we mentioned in the September version of our Threat Report and Forecast (download it here), because of how the CAN-SPAM law is written, it is targeted towards what is defined as "commercial" email messages.  Political campaign ads that are not attempting to sell anything do not fall into this category.  Hence, politicians can send out as much politically motivated email as they want without penalty.

...and boy have they....

From our observations, Obama has taken the clear technological lead as it relates to using email as a medium to reach out to potential voters.  According to our statistics, we are processing about 20,000 messages per day on behalf of the barackobama.com domain, and that doesn't account for the tens or hundreds of other domains that are also likely registered on behalf of the Obama campaign.  We are only tracking barackobama.com.  On the flip side, the number of messages that we are seeing for johnmccain.com is quite small (a couple hundred per day) in comparison.

Unfortunately, the people running Obama's email campaign and/or web site have some issues to resolve with respect to how their emails are being sent to potential voters.  For starters, there is no confirmed consent when an email address is signed up to receive Obama updates.  So, nothing stops me from going to the barackobama.com web site and signing up some of my John McCain-supporting friends to receive daily updates on Barack Obama (to be fair, the John McCain web site has this same problem!) as he blazes the campaign trail.  Yes, there is a link to unsubscribe from these messages at the bottom of the email, but many users do not believe that these links work, especially in instances where they never asked to receive the mail in the first place.  They think "If I didn't ask to receive this, why would I believe they would actually stop if I ask them to?"  Note that I am not making any claims as to whether or not their particular unsubscribe mechanisms work, rather the mindset of a person who received an email they didn't ask for.

The Obama folks also seem to have a problem targeting their emails to the proper audience.  This has caused people receiving their emails to report them as spam to their service providers which has resulted in a number of providers starting to block their emails unless the user has added the sender to their personal allow list. 

I'll illustrate with my own example.

A few weeks ago I signed up a throwaway account at a free webmail provider to sign up for emails from Obama off of his web site.  The emails started flooding in...like this one:



This message was sent by illinois@barackobama.com asking me to attend an event in Wisconsin (Ahem, I live in Colorado).  This email is similar to about 8-10 that I receive daily from the Obama campaign telling me about events in New Hampshire, Virginia, North Carolina, Ohio, New Mexico....and on and on. 

This is where we get into the argument that I am in very frequently with bulk emailers with respect to "content vs. consent".  Many bulk emailers will argue that "You signed up on the site, so they can email you."  Although I partially agree with that, many users take a different tack, one of relevance.  As a user of email, although I signed up to receive email from barackobama.com, I also gave them my zip code during that sign up process.  As such, they should be able to target which messages I receive and which ones I do not.  I don't care about Obama rallies in Ohio, North Carolina, Virginia, or any of the other states that aren't either where I live or within some relatively close proximity.  To most people these types of emails are considered junk.  The content isn't relevant to them.  Although we consented to receive emails from Obama, there is a level of expectation that based on the fact that you know where I live, you will send me content that I have a chance of caring about.  This sort of targeting is not difficult to do.

Disclaimer: Do not consider this post as an endorsement or lack thereof for either candidate.  This is simply data that I have collected based on my own personal experiences.

Posted by smasiello at 10:49 AM | Link | 6 comments
14 October 2008

Fake Microsoft Windows Update Released to Coincide with Patch Tuesday


As if Windows users didn't fear Patch Tuesday enough, today there is a new email-borne malware campaign attempting to trick people into installing a piece of malware posing as an official update from Microsoft. 

As with many poorly constructed malware campaigns, there is a lot of broken English in the email (even in the Subject line!).  The PGP signature at the bottom of the message also appears to be random. 

The subject line of the message is "Security Update for OS Microsoft Windows" and alleges to contain an update for several unsupported versions of Windows.  This is likely to attempt to infect users who are still on these ancient versions of the Windows OS.  Considering the fact that versions of Windows like Windows 98 have been unsupported for so long, if you are still using it, you are likely already infected with lots of other malware and are already a part of many other botnets.

Fake Microsoft Updates are certainly nothing new.  We've been seeing them for a couple of years now, but the timing coinciding with Patch Tuesday throws in a wrinkle that I do not recall seeing previously. 

It is important to note and remember that all Microsoft Windows updates are distributed either by download off of the Microsoft Web site or through the Windows Update service.  Microsoft never releases official patches by email.  It is likely that most people are not even seeing this email arrive in their inboxes because most organizations filter out executable attachments (the email comes with a .exe attached to the message) by default. 


The message follows:

-----------------------------------------
Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

1RX0EOI070TX9C0CMDCBL4GNR7M6F5ADE5HG40SBZCS0AZ8Q12WOXXWS7Q54QXJI1
T627U7IN4N75ESPT0JSYANAB87PPX68FBUB1D740V3WSFO4C8LW8PEV74VF69A4C6
Z805OCL1H9Z7B41U2WA4UO8GXYMRSA6XYYH2R6PLMQIBEHC556EH3U2I9LS8NQKBT
Q1M0Q79GU6MIL3EGB3L950O9MVV9E7S40O7124ZU5V3H6F5MQIL6JTNFHFYIKZWQN
WXGI4N3Z8RZOKGVSCH2UA9C31R8239S1Y44==
-----END PGP SIGNATURE-----

-----------------------------------------

Posted by smasiello at 10:09 AM | Link | 1 comment
08 October 2008

Symantec Acquires MessageLabs for $695M Cash

What does it mean for the SaaS space?

Never a dull moment lately in our space, is there? :)

It was announced today that Symantec has acquired fellow SaaS provider MessageLabs for $695 million cash.  Click here for the official announcement from Symantec.  Although they are a competitor of ours, I have a few people over at MessageLabs who I keep in contact with on at least a semi-regular basis and am very happy for them.  Today marks the beginning of a new chapter of their professional lives as part of a new organization and leadership.  I sincerely hope it works out well for them!

On the flip side, what are my thoughts as to what that means for MX Logic?  For one, it now makes us the largest independent vendor focused on Managed Security Services.  Over the past 4 years we have seen several major acquisitions in our space.  Over the past 3 years major players have spent close to $2B to acquire Software as a Service (SaaS) companies.  Back in 2005 Microsoft acquired Frontbridge (financial terms were not disclosed, but I have heard the deal was worth upwards of $550M.  That may or may not be entirely true, but certainly seems reasonable.), Postini was purchased by Google in 2007 (for $625M) and MessageLabs by Symantec in 2008.  What this shows to me is an increased spotlight on the Software as a Service (SaaS) model as an ever increasingly viable and important part of how organizations are looking to protect their infrastructures.  More and more organizations are moving technologies that are not part of their core competencies into the cloud to relieve stress and support off of their internal IT staff and reduce costs.  In today's slumping economy, who wouldn't want to do something to save money and give their employees more bandwidth to focus on higher priority internal matters?

This announcement is timely because in the copy of eWeek that was waiting in my mailbox this morning there is an article on page 39 which discusses the increased momentum of the SaaS model, but also explains that some large organizations are not necessarily ready to take the plunge yet. 

My question is "Why not??" 

Obviously SaaS encompasses a lot more than the filtering, archiving, and business continuity services that MX Logic offers, but the model continues to prove itself out.  More and more organizations are jumping on the bandwagon every day and in my opinion cloud-based services are the model of the future and of the present.  Call us ASPs, SaaS providers, MSSPs (Managed Security Service Providers) or whatever the next acronym for the space is going to be, but cloud based services have been around in various forms for over a decade now and the recognition of the value of these types of services by companies like Microsoft, Google, and Symantec only further proves that the form factor is here to stay!

Posted by smasiello at 2:16 PM | Link | 0 comments
06 October 2008

October 2008 Edition of the MX Logic Threat Forecast and Report has Posted


The October 2008 edition of the MX Logic Threat Report and Forecast has been posted and can be downloaded here.

This month we look at the rapid rise in email borne malware over the past 4 months (more than 1 in 20 emails in September contained some piece of malicious code) in addition to the increased likelihood of spammers and cyber criminals taking advantage of the recent economic downturns to try and sell debt consolidation "services."

Several other trends from September are covered as well as some of our predictions for October moving toward the end of 2008.

Posted by smasiello at 3:38 PM | Link | 0 comments

OJ Simpson Verdict Likely to be Used in Spam Campaigns


As is typical with any high profile news story, our Threat Operations Center is immediately on the lookout for any new spam campaigns that might start using that story as a social engineering lure.

This post is an alert that we are likely to start seeing spam campaigns (none have been observed by our TOC as of yet) related to the OJ Simpson guilty verdict from last week.  Similar to the CNN and MSNBC campaigns from August it is likely that these spam emails will use a lure to an online video to trick users into visiting malicious web sites that download alleged video codecs that are actually malware.

It appears that some search engines are already being poisoned with links to malicious video downloads based off of certain search criteria related to the verdict.  It is typical for these types of tactics to start bleeding into email as well. 

If/When we start observing these tactics, we'll be sure to post them along with their details.
Posted by smasiello at 10:18 AM | Link | 0 comments
03 October 2008

What is ClickJacking?


ClickJacking.  One of the newest and most talked about, yet at the same time one of the most secretive new buzz words in Internet Security.  Clickjacking is actually a rebrand of what was originally called "UI Redress".  I guess ClickJacking was considered a sexier term.

What is it? 

Don't get me wrong, the concept of ClickJacking is not new.  The term has been floating around for about a year now.  Jeremiah Grossman and Robert "RSnake" Hansen were supposed to give a talk about it at the OWASP NYC Appsec conference, but were asked by people at Adobe to not give the talk as the vulnerability affects one of their products.

Essentially what ClickJacking entails is using iframes and web page layers in DHTML such that you overlay a potentially malicious button (for example) on top of an existing legitimate web page button such that when a user clicks it they believe they are clicking the legitimate button instead of your malicious overlay.  This all happens transparently to the user.  At this point the user's click on the button has been "ClickJacked".

Since ClickJacking does not require Javascript (as so many of today's other web based attacks do) using plugins like NoScript will not provide any relief.  In Firefox you can turn off iframes, but this is a global setting, not a per site setting.  So, if you turn off iframes in your Firefox config you've now disabled them for every web site, and there is no telling what you could break on how a web site is supposed to render if you do this. 

In case you are interested there is a fairly detailed write up here that defines the problem and why it is difficult to fix.  It also outlines some potential solutions, all of which have their positives and negatives.  It's fairly wordy so if you don't generally like to have to hack through the technical weeds of a problem you may not find it interesting.

ClickJacking is an interesting problem to address because right now so little is known on a wide scale about what the issue is and how to identify whether or not your application is being compromised.  Additionally, there are virtually no tools to assist web site designers to protect themselves.  I am sure that will change as more is learned about this type of attack, but typically those tools are developed well after the attack vector is being actively exploited.  It's too late then.  That's like installing the burglar alarm after your house has already been robbed.

Although it is nice that Adobe wants details withheld until they can patch the vulnerability within their own application, that does nothing for the other web site application developers who will be playing a serious game of catch up after the fact...

Posted by smasiello at 2:59 PM | Link | 0 comments
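The overlay described above only works if a third-party page is allowed to put the target page in an iframe, so the first thing a site owner wants to know is whether their pages can be framed at all. The helper below is an added example, not MX Logic code, and it evaluates the two response-header defences that browsers adopted after this post was written, X-Frame-Options and the CSP frame-ancestors directive, the way a browser does; all URLs and header sets are constructed.

```python
"""Frameability check: can a third-party origin put this page in an iframe?

Added example (not MX Logic code). Evaluates X-Frame-Options and CSP
frame-ancestors, the header defences adopted after this post; the page
URL, embedder URLs and header sets below are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """(scheme, host, port) triple, with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None when absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source: str, page, embedder) -> bool:
    """Does one frame-ancestors source expression admit the embedder origin?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return page == embedder
    if s == "*":
        return True
    scheme = None
    if "://" in s:                     # scheme-and-host source, e.g. https://*.example.com
        scheme, s = s.split("://", 1)
    elif s.endswith(":"):              # scheme-only source, e.g. https:
        return embedder[0] == s[:-1]
    host, _, port = s.partition(":")
    if scheme and scheme != embedder[0]:
        return False
    if port and port != "*" and int(port) != embedder[2]:
        return False
    if host.startswith("*."):          # wildcard covers any subdomain depth, not the apex
        return embedder[1].endswith(host[1:])
    return host == embedder[1]


def can_be_framed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would let embedder_url put page_url in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin(page_url), origin(embedder_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:            # frame-ancestors present: X-Frame-Options is ignored
        return any(source_matches(s, page, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page == embedder
    return True                        # no policy: any site may overlay its own buttons


PAGE = "https://bank.example/transfer"          # constructed target page
CASES = {                                       # constructed header sets for that page
    "no policy": {},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": "sameorigin"},
    "csp partner": {"Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "csp none, xfo lax": {"Content-Security-Policy": "frame-ancestors 'none'",
                          "X-Frame-Options": "SAMEORIGIN"},
}


def report(embedder_url: str) -> dict:
    """Frameability of PAGE from one embedding origin under each header set."""
    return {name: can_be_framed(hdrs, PAGE, embedder_url) for name, hdrs in CASES.items()}


if __name__ == "__main__":
    for name, ok in report("https://attacker.example/").items():
        print(f"{name:20s} frameable by a third party: {ok}")
```

Only "no policy" comes back frameable for an unrelated origin, which is the state the post describes for most sites at the time.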
01 October 2008

Fake UPS Delivery Notifications


Today must be "Return of the Old Tactics" day.  A little while ago I wrote about a new tactic being employed for an old Google AdWords phish, and now we are seeing a spin on the fake FedEx delivery notification emails that have been so prevalent over the past month, except now they are targeting UPS.

We are seeing a number of emails hitting our spamtraps that appear to be from "United Postal Service" with a subject line of "[NO-REPLY] UPS Tracking Number 89259281"  (the eight digits at the end are random).  These messages have an attachment of UPS_LETTER.zip which contains an executable file of UPS_LETTER_N839925.doc.exe.  (the 6 digits in the filename may be random as well.  We are still collecting more samples to be sure).

The message body has the following text:

Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS


This tactic is similar to the FedEx scam (see original post from August 22nd here) in that the message claims to be a notification of non-delivery of a package that you sent and the spammer wants you to open a copy of an "invoice" (read: malware).  Also similar to the FedEx tactic, the message is very nondescript as to where to pick up the package, which should be an obvious tipoff that something is not quite kosher with this email.
We are still collecting volume stats on this new tactic, so as soon as I have those, I will update this post.


*** UPDATE 10/2/2008 13:45 MDT *** As of 9am today average hourly volume is approximately 100,000 fake UPS notifications per hour.  We are continuing to monitor to see if this increases or decreases but as of the time of this update we have seen over 2M of these messages processed by our systems.
Posted by smasiello at 4:49 PM | Link | 1 comment
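A filter for the two lures above (the fake Microsoft update with a .exe attached, and the fake UPS notice whose zip holds a double-extension executable), as an added example that is not MX Logic code: it parses a message with Python's standard email module, expands zip attachments one level, and reports the tell-tale signs each post names. The sender addresses, file contents and the non-.exe extensions in EXEC_EXT are constructed assumptions.

```python
"""Triage constructed sample messages for the lures described in the
fake Microsoft update and fake UPS notification posts.

Added example (not MX Logic code). Sender addresses, file bytes and
the non-.exe extensions in EXEC_EXT are assumptions."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

UPS_SUBJECT = re.compile(r"^\[NO-REPLY\] UPS Tracking Number \d{8}$")
EXEC_EXT = (".exe", ".scr", ".com", ".pif")     # .exe is from the posts; the rest are assumed
DOUBLE_EXT = re.compile(r"\.(doc|pdf|txt|jpg)\.(exe|scr|com|pif)$")


def attachment_names(msg) -> list:
    """Attachment file names, with zip members expanded one level as 'zip/member'."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        names.append(name)
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    names.extend(f"{name}/{m}" for m in zf.namelist())
            except zipfile.BadZipFile:
                names.append(f"{name}/<unreadable zip>")
    return names


def triage(raw: bytes) -> list:
    """Findings for one RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if UPS_SUBJECT.match(str(msg.get("Subject", ""))):
        findings.append("subject matches the fake UPS tracking-number campaign")
    executables = [n for n in attachment_names(msg) if n.lower().endswith(EXEC_EXT)]
    for n in executables:
        kind = "double-extension executable" if DOUBLE_EXT.search(n.lower()) else "executable"
        findings.append(f"{kind} attachment: {n}")
    if executables and "microsoft" in str(msg.get("From", "")).lower():
        findings.append("claims to come from Microsoft with an executable attached; "
                        "Microsoft does not distribute patches by email")
    return findings


# --- constructed samples ------------------------------------------------------
def build_sample(subject: str, sender: str, filename: str, data: bytes) -> bytes:
    """Assemble a small multipart message with one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def ups_sample() -> bytes:
    """Zip holding the double-extension executable named in the UPS post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_LETTER_N839925.doc.exe", b"not a real binary")
    return build_sample("[NO-REPLY] UPS Tracking Number 89259281",
                        "United Postal Service <noreply@ups.example.invalid>",
                        "UPS_LETTER.zip", buf.getvalue())


def microsoft_sample() -> bytes:
    """Fake update with a bare .exe attached (sender address constructed)."""
    return build_sample("Security Update for OS Microsoft Windows",
                        "Microsoft Security <update@microsoft.example.invalid>",
                        "KB-update.exe", b"not a real binary")


def benign_sample() -> bytes:
    return build_sample("Quarterly report", "colleague@example.com",
                        "report.pdf", b"%PDF-1.4 placeholder")
```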

Google AdWords Phishing Back as Image Spam


I figured that I should write about something timely before I started getting into the things that I have been backlogging lately. 

If you recall, back in May we wrote about Google AdWords Phishing (click here for the original post) where the phishing message body was a plain text email alerting users that their AdWords payment could not be processed and that they had to login to the AdWords site (via a link in the email that led to a fraudulent web site).
The latest tactic has a couple of different twists.  The first one of note is that this particular spammer is using an image within the email to render the phishing content.  See the below screen shot which is a sample of the email:




The email looks like an HTML formatted message, but it is actually a single image with the spam content contained inside and an image map where the link is.  The link points to a legitimate sounding domain as well: selectadwords.net, hosted out of Spain.

The second twist from the original scam is that this message is telling you that you need to renew your AdWords service or else the account will be deactivated.  As with many other scams, this is to try to instill a sense of urgency on the part of the recipient and to try to get them to take action before they have a chance to think about the fact that this might be fraudulent....all in all I would say this is a pretty well done scam.

So, why phish Google AdWords?  AdWords accounts are separate from Gmail accounts (even though they are all under Google, you use different logins to access each) so they aren't using the information to compromise legitimate accounts to send out spam.  They are likely using them to try to extract the payment information used on the account to either steal money or use it as an intermediary account to transfer funds as part of a larger fraud scheme.

As always, if you receive any messages that look like this, promptly delete them.


Posted by smasiello at 3:55 PM | Link | 0 comments
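The construction described above, a body that is one picture with the link hidden in an image map, is easy to spot once you measure it. The scanner below is an added example, not MX Logic code: it counts visible text and collects links that can only be reached by clicking an image, and flags a body that is nearly all picture. The two HTML bodies are constructed; selectadwords.net is the domain named in the post.

```python
"""Detect the single-image-plus-image-map lure described in the AdWords post.

Added example (not MX Logic code); both HTML bodies are constructed."""
from html.parser import HTMLParser


class BodyScanner(HTMLParser):
    """Counts visible text and collects links carried by image maps or wrapped images."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.picture_links = []     # hrefs reachable only by clicking a picture
        self._anchor_href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images += 1
            if self._anchor_href:    # <a href><img></a>: the image is the link
                self.picture_links.append(self._anchor_href)
        elif tag == "area" and a.get("href"):
            self.picture_links.append(a["href"])   # image-map hotspot
        elif tag == "a":
            self._anchor_href = a.get("href")

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor_href = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def image_only_lure(html: str, min_text: int = 40) -> dict:
    """Flag a body that is pictures plus picture-borne links with almost no text."""
    s = BodyScanner()
    s.feed(html)
    s.close()
    suspicious = s.images > 0 and s.text_chars < min_text and bool(s.picture_links)
    return {"suspicious": suspicious, "text_chars": s.text_chars,
            "images": s.images, "links": s.picture_links}


# Constructed body in the shape the post describes: one image, one image map.
LURE = """<html><body>
<img src="cid:notice" usemap="#m" alt="">
<map name="m"><area shape="rect" coords="0,0,600,400" href="http://selectadwords.net/"></map>
</body></html>"""

# Constructed ordinary newsletter: real text, a linked logo image.
NEWSLETTER = """<html><body>
<p>Hi team, here is the October summary. Three new filters went live and the
archive migration finished on schedule. Details are on the intranet.</p>
<a href="https://intranet.example/october"><img src="cid:logo" alt="logo"></a>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(label, image_only_lure(body))
```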

I'm Baaack from Paternity Leave!


It's definitely good to be back in the saddle again!

For those who are interested, my wife's labor was induced on September 17th at about 11am, and at 8:42pm that same day our second daughter, Lauren, was born.  She weighed in at 7lbs 10ozs and was 20 inches long.  It's definitely been interesting and fun trying to adjust (all of us; our first daughter as well) to having another baby in the house.  I think we are finally starting to get a routine down, but now that I am back to work as of today, I have a feeling that will soon need to be rethought. 
I'd like to thank our webmaster, Jeremy, for filling in and writing that great story on the AARP site vulnerability.  Now get off my blog, Jeremy :)   (I guess I can't yell at him too loudly since he DOES own the web site!)

I've been queuing up a couple of things that I have been wanting to write about while I was out.  I'll be writing about those as I find the time over the next couple of days.  As with any time off I am now facing the task of trying to get back above water as it relates to emails and day to day activities. 

I am definitely looking forward to interacting with you all again.  Before I went on leave we were working on some pretty exciting things for the Threat Center web site as well, so stay tuned for some forthcoming announcements about those in the coming weeks as well. 

The best of health and happiness to you all!

Posted by smasiello at 2:51 PM | Link | 0 comments