Last week Heartland Payment Systems Inc reported a data breach of over 100 million credit card numbers and cardholder names. Monster.com is now also reporting a compromise of passwords, user IDs, names, email addresses, and other PII of an undisclosed number of accounts and is advising all of its users to change their passwords immediately. It's too bad that most of monster.com's users only regularly access their accounts when they are actually looking for a job which means that many may never get the message or take the time to update their password. This leaves a lot of accounts as wide open opportunities for identity and data theft.
Combine all of this news with this report on CNN Money that over 71,400 jobs were lost today alone (when I last looked at the report it was 68,000 so the number is getting larger as the day wears on!) and we have a dangerous cocktail for fraud and fraud victims!
So, it is a given that there will be more (and already has been) fraudulent activity related to the monster.com and Heartland breaches. The bigger problem that comes out of this is that we now have over 71,400 people trying to figure out how they are going to support their families and themselves while they look for new employment.
These newly unemployed job seekers are now prime targets for cyber crime. Whether it be stock pump and dump scams, fraudulent IRS refunds, phony job announcements (work at home opportunities appearing to come from monster.com?), or "make a quick buck" schemes, people in vulnerable positions are frequently the most likely victims of criminal activity. As such, it is important for everyone to be more diligent than ever in trying to separate the wheat from the chaff as it relates to any kind of "too good to be true" offer. Good social engineering preys on weaknesses and stresses a potential victim's urge to "act now". During times of unemployment or uncertainty your inherent ability to judge is clouded and irrational decisions are often made resulting in more complicated problems. Be educated, be aware, and be diligent. Don't be a victim.
Following on the heels of last week's announcement of a trojan horse being installed as part of some pirated copies of iWork '09 for the Mac being distributed on peer-to-peer file sharing services comes another announcement that a trojan has also been identified in pirated versions of Adobe Photoshop CS4 for the Mac.
No word yet on whether the new Photoshop trojan was created by the same people who created the iWork trojan that was used to launch DDoS attacks.
It is important to note that these trojans do not attempt to infect other computers; rather, they stay resident on the local machine. Since the trojans run as root, it is possible that once they have been installed they could be used to affect other applications. Since these trojans also have a phone home component, they could (not confirmed) be used for information theft as well.
Trojans being distributed via applications shared through peer-to-peer file sharing services are nothing new in the PC world, but have recently been garnering more attention for Macs as Apple's computers have been gaining market share. The Mac fallacy of invulnerability is being challenged more frequently now. It looks like Apple has finally gained enough penetration into the computer market that cyber criminals are targeting them and their users with more regularity. This is a trend that will certainly continue especially if you consider the number of Mac users who have resisted purchasing security software in the past.
Starting during the 8pm MST hour on Thursday night (January 22nd), our Threat Operations Center observed a new Valentine's Day themed spam that appears to be coming from the Waledac botnet (the new Storm botnet) gang. It follows in the tradition of Storm by sending out holiday themed emails, further lending validation to the theory that the folks behind Waledac are likely the same ones who created Storm.
Emails are short and sweet one liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link. No malware is attached to the email itself. Subject lines also have a love theme to them. Some of the examples that our Threat Operations Center have observed include "Falling in love with you", "I belong to you", and "I love being in love with you". Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts and has the bold text "Guess, which one is for you?" and looks like the following:
Clicking anywhere within the hearts is a link to an executable file that the user can download and install to infect themselves. Infection does not occur merely by visiting the page. The executable file (e.g. you.exe or love.exe) must be run to install the malware.
This page is also using Google Analytics to track number of visitors and where those visitors are coming from.
Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours. Traffic has been steadily increasing since they were first observed, as illustrated in the graph below:
Clearly the old Storm folks are working as hard as they can in efforts to build up their new botnet and are following the old tried and true methods of centering their social engineering tactics around holiday themes. It was very successful for them the last time around, so why fix what isn't broken, right? Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times they get recycled.
*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day. Average volume since 9am is about 11k per hour. We will continue to monitor over the course of the weekend and will post updates as necessary.
*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend. The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign. If you are not already doing so, you may want to consider blocking access to them. Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between the hours of 2-7pm MST. Maybe they were watching the NHL All Star Festivities :) Current volume graph below ***
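The update above suggests blocking the spamvertised domains from the shadowserver.org list. As an added example (not code from the original post or from MX Logic), here is a small Python matcher that extracts the links from one-line lure emails like the ones described and checks each link's host against a blocklist on label boundaries, so subdomains of a listed domain are caught while look-alike names that merely end in the same characters are not. The domain names and sample message bodies below are constructed placeholders, not the real campaign domains; defanged hxxp:// links, as analysts often paste them, are handled too.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed placeholder list standing in for a published list of
# spamvertised domains; the real campaign domains are not reproduced here.
BLOCKED_DOMAINS = {
    "valentine-hearts.invalid",
    "love-card.invalid",
}

# http/https plus the defanged hxxp/hxxps forms that analysts paste into reports.
URL_RE = re.compile(r"""(?i)\b(?:h[xt]{2}ps?)://[^\s<>"']+""")


def extract_urls(text: str) -> list[str]:
    """Pull every http(s)/hxxp(s) URL out of a message body."""
    return URL_RE.findall(text)


def hostname_of(url: str) -> str | None:
    """Return the lowercased hostname of a URL, re-arming a defanged scheme first."""
    url = re.sub(r"(?i)^hxxp", "http", url)
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def is_blocked(host: str, blocklist: set[str] = BLOCKED_DOMAINS) -> bool:
    """True if host is a blocked domain or any subdomain of one.

    The comparison walks label boundaries, so 'www.love-card.invalid' matches
    'love-card.invalid' while 'notlove-card.invalid' does not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocked_urls(text: str, blocklist: set[str] = BLOCKED_DOMAINS) -> list[str]:
    """URLs in text whose host is on the blocklist."""
    hits = []
    for url in extract_urls(text):
        host = hostname_of(url)
        if host and is_blocked(host, blocklist):
            hits.append(url)
    return hits


# Constructed sample bodies in the style of the campaign (one-line lure plus link).
SAMPLES = [
    "Me and You http://www.valentine-hearts.invalid/you.exe",
    "In Your Arms hxxp://love-card.invalid/love.exe",
    "Quarterly report attached: http://intranet.example.com/report.htm",
    "Near miss, not a match: http://notlove-card.invalid/",
]


def scan_samples() -> list[str]:
    """Return every blocked URL found across the constructed samples."""
    return [u for body in SAMPLES for u in blocked_urls(body)]


if __name__ == "__main__":
    for url in scan_samples():
        print("BLOCK", url)
```

Feeding a real blocklist in place of BLOCKED_DOMAINS is the only change needed; the label-boundary comparison is what keeps a block on a registered domain from also hitting unrelated domains that happen to share a suffix string.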
....or so spammers would have you believe.
A couple of days before the inauguration of president-elect Barack Obama, spammers are sending out political propaganda that would have you believe that Barack Obama no longer wishes to be President of the United States.
Spam emails are being sent out with subject lines such as "Haven't you heard latest news about our president-elect?" (Funny enough, one of these samples originated in Brazil. Is Obama about to be President down there too? :) ), "End-time for USA", and "Who will be our president now?". The messages are single line spam messages with phrases of only a few words followed by a link to a barackobama.com look-alike site. Some of the phrases being used in the emails that we have observed are "Barack Obama abandoned sinking ship" and "Obama doesn't wany anymore to be a president".
The site that users are lured to if they click the link in the email looks like this:
All of the links on the site link to a file named pdf.exe which McAfee is calling part of the Waledec family of malware. Waledec is widely considered to be the new incarnation of the Storm Worm based on its similarities in behavior to the original Storm which has been eradicated.
As is often the case with these new outbreaks, AV detection is scarce so be aware of this new tactic. Taking a brief opportunity to toot our own horn, we predicted this type of attack in the January edition of our Threat Forecast and Report.
Volumes are currently averaging about 4,000 per hour hitting the MX Logic systems. We will continue to monitor this over the weekend and update as necessary.
*** UPDATE 1/19/2009 3:30pm MST *** Volumes have averaged between 5-16k messages per hour over the weekend and into Monday with today's average hovering around 10,000 per hour. No new significant variants have been observed. Below is an updated volume graph:
As you can see, there are still significant peaks and valleys in Obama email message flow which means that this campaign is still actively sending out spam. With Tuesday's inauguration we will continue to monitor for either another resurgence of this tactic or the emergence of another new variant from the PCs responsible for sending out this current spam wave. As soon as anything crops up, we will be sure to make you all aware.
Yesterday, security experts from more than 30 United States and international cyber security organizations jointly released a list of the top 25 most dangerous programming errors that lead to security bugs and are enablers for cyber crime according to this article posted on sans.org.
Most security professionals speak to these coding standards fairly religiously, but the article points out something that I don't think we talk about enough. That is, ingraining secure coding practices into software developers during their education at the high school and college levels. As it stands now, software development courses taught at most schools (at least this is how it was when I was in high school and college, so if there is a more dedicated effort on secure coding practices now, please correct me!) focus on the results of the application (i.e. what is the output and does it match what was expected), but do not enforce proper boundary and input checking to ensure that the application could not be compromised in a real world situation. As a result, programmers entering the business world aren't used to coding for these exceptions, which leads to applications that crash frequently when put in the hands of users. As the article also mentions, if these best practices are part of how software developers are taught to code from the beginning, businesses will receive the trickle down effect of having better applications released from version 1.0, which decreases the company's risk of a security breach and embarrassment.
If your organization is one that is responsible for developing software applications, be sure your coding standards also include ensuring that best secure coding practices are being followed. Do not just do this for new application development. Be sure to review your existing code base to incorporate these standards there as well. You'll reduce the number of bugs that have to be fixed later as users uncover unhandled exception cases, and you'll improve the quality of your product overall.
It is a bit of a long read to get through all of the recommendations, but I would encourage you to take the time to read and evaluate how these best practices can be incorporated into your own software development processes if they are not already. If you are an educator and teach classes on software development, look for ways to integrate these practices both into your teaching and into how you evaluate code. If you are a software developer, start using these practices in your own coding, encourage your colleagues to do the same, and make these part of your required coding standards before code is released into your "production" environments.
Security awareness concepts reach far beyond teaching users what they should and shouldn't click on and what web sites they should stay away from and where it is and is not safe to provide their personally identifiable information. It also extends down to your company's SDLC and releasing rock-solid code.
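The post above contrasts "does the output match" coding with proper boundary and input checking, and notes that the unchecked version shows up later as crashes and unhandled exception cases. As an added illustration (not code from the original post), the Python below parses a small constructed record format two ways: a result-oriented parser that is right only for well-formed input, and a checked parser that validates every length and range before use. The wire format (2-byte length, payload, 1-byte quantity that must be 1..100) and the MAX_PAYLOAD limit are assumptions made for the example.

```python
from __future__ import annotations

import struct

# Constructed wire format for the example: 2-byte big-endian length, then that many
# payload bytes, then a 1-byte "quantity" field that must be in 1..100.
MAX_PAYLOAD = 1024  # assumed application limit on the payload size


def parse_record_naive(data: bytes) -> tuple[bytes, int]:
    """Result-oriented parser: correct for well-formed input, silently wrong or
    crashing for anything else."""
    length = int.from_bytes(data[:2], "big")
    payload = data[2:2 + length]   # silently short if the declared length lies
    quantity = data[-1]            # IndexError on empty input, wrong byte if truncated
    return payload, quantity


def parse_record_checked(data: bytes) -> tuple[bytes, int]:
    """Same format with every boundary and range checked before the bytes are used."""
    if len(data) < 2:
        raise ValueError("record shorter than length prefix")
    length = int.from_bytes(data[:2], "big")
    if length > MAX_PAYLOAD:
        raise ValueError(f"declared length {length} exceeds limit {MAX_PAYLOAD}")
    end = 2 + length
    if len(data) < end + 1:
        raise ValueError("record truncated: declared length exceeds available bytes")
    if len(data) != end + 1:
        raise ValueError("trailing bytes after record")
    payload = data[2:end]
    quantity = data[end]
    if not 1 <= quantity <= 100:
        raise ValueError(f"quantity {quantity} out of range 1..100")
    return payload, quantity


# Constructed inputs: well-formed, a lying length prefix, a missing field, hostile length.
GOOD = struct.pack(">H", 5) + b"hello" + bytes([7])
TRUNCATED = struct.pack(">H", 500) + b"hello" + bytes([7])
MISSING_QTY = struct.pack(">H", 5) + b"hello"
OVERSIZED = struct.pack(">H", 65535) + b"x"


def naive_outcome(data: bytes) -> str:
    """What a user of the unchecked parser would experience."""
    try:
        payload, qty = parse_record_naive(data)
        return f"accepted payload_len={len(payload)} quantity={qty}"
    except Exception as exc:  # the crash the post describes reaching end users
        return f"crashed: {type(exc).__name__}"


def checked_outcome(data: bytes) -> str:
    """What a user of the checked parser would experience."""
    try:
        payload, qty = parse_record_checked(data)
        return f"accepted payload_len={len(payload)} quantity={qty}"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                         ("MISSING_QTY", MISSING_QTY), ("OVERSIZED", OVERSIZED), ("EMPTY", b"")]:
        print(f"{name:12} naive: {naive_outcome(sample):40} checked: {checked_outcome(sample)}")
```

The instructive cases are the ones the naive parser accepts: with a lying length prefix it returns a payload that has swallowed the quantity byte, and with the quantity field missing it reads the last payload byte as the quantity. Neither crashes, so neither would be caught by a test that only compares output on well-formed input.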
Recently, SC Magazine posted an article that quotes a report by Forrester Research which claims that security spending will be higher for both SMBs and Enterprises in 2009. This makes sense to me.
As businesses are looking for ways to cut costs across every department, security remains one of the most important, if not the most important, IT matters they still need to be sure is addressed over the course of 2009. As such, matters like inbound spam, viruses, application level intrusions, data leakage protection, web threats, archiving, and compliance will still need to receive top priority, as cyber criminals are not feeling the same effects of a downturned economy as everyone else is. Their efforts will not be slowed, which means that businesses of all sizes need to be as diligent as ever. Organizations are looking to outsource some of their daily tasks that are outside their core competencies so that they can refocus their IT resources towards the company's business objectives, typically at less cost and more effectively than can be accomplished internally.
2009 will certainly be an interesting and exciting year for security as network and application threats become more undetectable and uncleanable by existing technologies and businesses look for ways to protect their intellectual property. The definition of the "network endpoint" has become more and more unclear with mobile and social networking technologies becoming the norm rather than the exception. This creates a large burden as companies try to come to grips with how much of their confidential, proprietary information is floating around freely on the web. As such, IT security spending will be a more prominent budget line item than in years past. If it isn't, then a company's level of risk increases exponentially.
Starting at about 6:50am MST this morning we started to see a new spam outbreak alleging to be from CNN. Emails will appear to be from several different senders such as "CNN News Centre - Headline News", "Media News", and "News Centre" with addresses such as support@cnn.com and hot@cnn.com. The email that our Threat Operations Center has observed thus far is centered around the current Israel conflict in Gaza.
Here is a sample message of what we have seen:
Israel offers short respite from strikes.
Israel will halt its bombardment of Gaza for three hours every day to allow residents of the Hamas-ruled Palestinian territory to obtain much-needed supplies, a military spokesman says.
The images broadcast here were graphic and striking.
The Al Jazeera English report below captures the extent of the devastation caused by the initial strikes.
Proceed to view details:
hxxp://edition.cnn.2009.companies.world-3lqpkmhos.gazaisraelbbc.com/israel-gaza.htm?/completeserv/VIDEO=abbbflubhkg4w02
2009 Cable News Network. A Time Warner Company. All Rights Reserved.
The URL being linked to is changing from message to message; however, the "edition.cnn.2009" at the start of the URL appears to be static through the samples we have observed thus far. Also, the page "israel-gaza.htm" has been linked to in all samples we have seen.
Volumes started out fairly modest at about 50 instances seen within the first 45 minutes, but started to pick up pace very quickly at around 8am MST where we saw another 1,300 within about 10 minutes. We are continuously collecting volume numbers and will post more updates as needed.
If the link in the email is clicked, the user is brought to a fake news page like the following:
Some sample subject lines include:
Hamas launching rocket war after Gaza evacuation
Hamas Goads Israel into War
Israel's War Crimes
War in Gaza: while Israel and Hamas fight
This tactic is similar to the CNN fake news update that we originally saw back in August 2008 where an email purporting to be from CNN was sending users to fake video sites where they were then directed to download a video codec in order to watch the video. The video codec is actually malware.
Due to the effectiveness of the previous CNN outbreak (our Threat Operations Center intercepted about 835M fake CNN messages during a two week period back in August) and the worldwide interest in what is currently happening in Gaza we felt it was appropriate to send out this threat alert to raise awareness in this campaign that appears to be quickly picking up steam.
We will continue to actively monitor this tactic for changes both in volume and content and will report on those as they surface.
*** UPDATE 1/8/2009 2:00pm MST *** After monitoring this threat for the past several hours, peak volumes have so far occurred during the 10am MST hour where our Threat Operations Center observed just over 80,000 of these messages.
Current volume graph:
It also does not appear that the domains being used are fluxing across many IP addresses. The domains that we have observed in these CNN emails have all resolved to 5 IP addresses. Those are 99.135.187.5, 173.21.75.102, 75.45.181.113, 91.123.159.112, and 98.141.74.204. We will continue to monitor in the event that this changes.
The fact that volumes have dropped from their peak is not to say that this tactic is waning. Recall that during the original CNN outbreak back in August it took 3 days for volumes to peak so it is still possible that as developments continue to evolve in Gaza that additional variants of this email and malware may crop up. Additional updates to follow as they become available.
*** UPDATE 1/8/2009 3:20pm MST *** I stand corrected on my previous update. The domains being used to host the fake video codec downloads are indeed fluxing, albeit not very quickly. Current volumes are still holding steady at about 15,000 per hour.
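Two observations in this post lend themselves to automation: the lure URLs share a static "edition.cnn." host prefix and an "israel-gaza.htm" page while the registered domain is anything but cnn.com, and the later updates turn on whether the lure domains are fluxing across IP addresses. As an added example (not code from the original post or from MX Logic), the Python below classifies a URL against those two traits, using the defanged sample URL quoted above, and then reports per domain whether the set of resolved IPs changes between successive resolver snapshots. The legitimate-looking comparison URL, the registered-domain helper (which only takes the last two labels and is adequate for the .com hosts here), and the DNS snapshots using RFC 5737 documentation addresses are constructed assumptions; the real campaign IPs from the post are not reused.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

LEGIT_DOMAIN = "cnn.com"
LURE_HOST_PREFIX = "edition.cnn."   # static host prefix noted in the samples
LURE_PAGE = "israel-gaza.htm"       # page name seen in every sample


def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL back into a parseable http:// one."""
    return re.sub(r"(?i)^hxxp", "http", url)


def registered_domain(host: str) -> str:
    """Last two labels of the host. Adequate for the .com hosts in this campaign;
    a production check should consult the public suffix list instead."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> dict:
    """Describe how a URL compares with the campaign's two static traits."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    return {
        "host": host,
        "registered_domain": reg,
        "lookalike": host.startswith(LURE_HOST_PREFIX) and reg != LEGIT_DOMAIN,
        "lure_page": parts.path.lower().endswith(LURE_PAGE),
    }


def is_campaign_url(url: str) -> bool:
    c = classify_url(url)
    return c["lookalike"] and c["lure_page"]


# The defanged sample from the post, and a constructed legitimate-looking URL for contrast.
SAMPLE_LURE = ("hxxp://edition.cnn.2009.companies.world-3lqpkmhos.gazaisraelbbc.com"
               "/israel-gaza.htm?/completeserv/VIDEO=abbbflubhkg4w02")
LEGIT_EXAMPLE = "http://edition.cnn.com/2009/WORLD/meast/01/07/israel.gaza/index.html"


def flux_report(observations: list[tuple[int, str, str]]) -> dict[str, dict]:
    """observations are (hour, domain, ip) resolver snapshots. For each domain report
    the distinct IP count and whether the resolved set changed between consecutive
    snapshots, which is what distinguishes fast flux from a static pool."""
    by_domain: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for hour, domain, ip in observations:
        by_domain[domain][hour].add(ip)
    report = {}
    for domain, snapshots in by_domain.items():
        hours = sorted(snapshots)
        distinct = set().union(*snapshots.values())
        changed = any(snapshots[a] != snapshots[b] for a, b in zip(hours, hours[1:]))
        report[domain] = {"distinct_ips": len(distinct), "fluxing": changed}
    return report


# Constructed snapshots using documentation addresses (RFC 5737), not the real campaign IPs.
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
OBSERVATIONS = (
    [(10, "static-lure.invalid", ip) for ip in POOL]      # same pool every hour
    + [(11, "static-lure.invalid", ip) for ip in POOL]
    + [(10, "flux-lure.invalid", "192.0.2.10"),             # one address that rotates
       (11, "flux-lure.invalid", "192.0.2.11"),
       (12, "flux-lure.invalid", "192.0.2.12")]
)


if __name__ == "__main__":
    print(classify_url(SAMPLE_LURE))
    print(classify_url(LEGIT_EXAMPLE))
    print(flux_report(OBSERVATIONS))
```

Both domains in the constructed snapshots touch three addresses in total, which is why counting distinct IPs alone is not enough; the per-snapshot comparison is what separates the rotating domain from the one pinned to a small static pool, matching the correction in the 3:20pm update that the domains were fluxing, just slowly.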
Starting Tuesday morning our Threat Operations Center started to observe a new wave of fake UPS Delivery Notifications. These emails contain an infected zip file that when opened will install malware onto the user's PC.
Fake UPS delivery notifications are nothing new as a tactic. We originally spoke about them back in October 2008 here. Since that time, we have seen a number of similar UPS variants, each with very limited success. Although this new lure is not much different than the ones sent previously, it appears to be having greater penetration rates based on the volumes we are seeing. Although the actual volume is not significant, it is currently representing about 75% of the infected emails that we have seen over the past 24 hours.
The fake notifications that we have seen thus far have been straightforward to identify. They appear to be from "United Postal Service", contain a subject line of "Delivery Problems", and carry an attachment of UPSinvoice.zip. The email content is as follows:
Hello!
Sorry, we were not able to deliver postal package you sent on December the 25th in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your UPS Support Team
You'll notice that the text of the message is almost exactly the same as the variant that we saw back in October save for the date referenced in the message and who the message is signed as.
Similar to the previous tactics that we have seen, the email is very generic. It references neither where the package was supposed to be delivered nor where to pick it up. Couple that with the fact that UPS does not ask for a contact email address when a package is shipped, and there is no chance that messages of this type should be considered legitimate.
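The tells the post lists for this lure (a sender name that is not even the carrier's real name, a generic body with no tracking details, and a zip attachment hiding an executable) can be checked mechanically. As an added example (not code from the original post or from MX Logic), the Python below builds a constructed message in the shape of the one quoted above, with a harmless stub file standing in for the executable, and runs it through a small indicator checker that opens the zip in memory to list executable members. The sender address, the tracking-number pattern (UPS tracking numbers begin with "1Z" followed by 16 characters) and the benign comparison message are assumptions made for the example.

```python
from __future__ import annotations

import email.utils
import io
import os
import re
import zipfile
from email.message import EmailMessage

# Extensions that a "printable invoice" has no business carrying.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# UPS tracking numbers: "1Z" followed by 16 alphanumerics (assumed format for the check).
TRACKING_RE = re.compile(r"\b1Z[0-9A-Z]{16}\b")


def build_sample() -> EmailMessage:
    """Constructed replica of the lure: fake brand name, zip attachment with an .exe."""
    msg = EmailMessage()
    msg["From"] = '"United Postal Service" <support@ups-invoice.invalid>'
    msg["Subject"] = "Delivery Problems"
    msg.set_content(
        "Hello!\nSorry, we were not able to deliver postal package you sent on "
        "December the 25th in time because the recipient's address is not correct.\n"
        "Please print out the invoice copy attached and collect the package at our office.\n"
        "Your UPS Support Team\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPSinvoice.exe", b"constructed stub bytes, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPSinvoice.zip")
    return msg


def build_benign_sample() -> EmailMessage:
    """Constructed comparison: real-looking sender, tracking number, no attachment."""
    msg = EmailMessage()
    msg["From"] = '"UPS" <noreply@ups.com>'
    msg["Subject"] = "Your package 1Z999AA10123456784 has shipped"
    msg.set_content("Tracking number 1Z999AA10123456784. Deliver to: 1 Main St.\n")
    return msg


def archived_executables(msg: EmailMessage) -> list[str]:
    """Names of executable members inside any zip attachment, without extracting them."""
    names = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names += [n for n in zf.namelist()
                          if os.path.splitext(n)[1].lower() in EXEC_EXT]
        except zipfile.BadZipFile:
            names.append("<unreadable zip>")
    return names


def lure_indicators(msg: EmailMessage) -> dict:
    """Each of the post's tells as a named boolean (plus the executable list)."""
    name, addr = email.utils.parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        # UPS is "United Parcel Service"; "Postal Service" is the wrong brand name.
        "brand_name_mismatch": "postal service" in name.lower(),
        "sender_not_ups": not (domain == "ups.com" or domain.endswith(".ups.com")),
        "no_tracking_number": TRACKING_RE.search(body) is None,
        "archived_executables": archived_executables(msg),
    }


def score(indicators: dict) -> int:
    """Count of indicators that fired (0..4)."""
    return sum(bool(v) for v in indicators.values())


if __name__ == "__main__":
    for label, m in [("lure", build_sample()), ("benign", build_benign_sample())]:
        ind = lure_indicators(m)
        print(label, score(ind), ind)
```

Listing the zip's members without extracting them is deliberate: the check never writes the archived file to disk, and a corrupt or deliberately malformed archive is itself reported as an indicator rather than crashing the scanner.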
I wanted to take a few minutes and post a follow up to my blog the other day about an article written by Lance Winslow that was originally written in 2005 and reposted here by ezinearticles.com with the date of December 31, 2008 making it appear as if the content was written recently by Lance.
Businesses do have a lot of choices when making decisions about protecting their network infrastructures. They can choose to do it in-house using a number of open source solutions or commercial desktop software. They can also purchase a network based appliance, which also typically has to be maintained in-house, or businesses can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ). No matter which type of solution you prefer for your organization, almost all are effective at stopping spam. Some of the bigger questions that must be answered by any company when making these decisions are how much control they want to have, how much risk they deem to be acceptable in the event of a large outbreak from a bandwidth perspective, and what they want their internal resource allocation to be for managing these solutions.
Overall, spam rates are still down about 45% from their most recent peak in August to now as a result of the McColo shutdown. Despite the movement to the web as a primary malware delivery vehicle and with occasional peaks and valleys in mail flow over short periods of time, spam volumes historically continue to increase and will continue to do so. The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering which dupes users into opening attachments and visiting web sites that enlist their PC into botnets.
I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless. There have been few arrests since CAN-SPAM went into effect 5 years ago. At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.
At the end of the day, whether spam volumes are up or down, cyber crime is both a criminal as well as a social problem. I think the criminal part is pretty self-explanatory, but what drives people to cyber crime? Money. Lots of it. With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes on an everyday basis, cyber crime is considered to be a low risk, high reward venture. Considering the difficult economic times we are now in the middle of, where companies are tightening their belts as much as possible and unemployment is rising on a daily basis, it would not be surprising if you see more people getting involved in cyber crime activities.
So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today? I would say both yes and no. Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available. Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.
On Saturday, Twitter posted this security alert on its web site to make users aware of a phishing campaign that was going around via Twitter direct message attempting to steal login information for the social networking site.
Phishing campaigns are certainly nothing new. So, what makes this interesting or different?
Phishing emails are certainly something we have become accustomed to in our inboxes and they are becoming more popular on personal profile pages on social networking sites like Facebook and Myspace. In the December version of the MX Logic Threat Report and Forecast the very first prediction we made for 2009 was an increase in (ab)use of social networking technologies by spammers and other cyber criminals.
Twitter presents a bit of an interesting twist because URLs posted to "tweets" (status updates posted by Twitter subscribers) and direct, private messages sent person to person are shortened using URL abbreviation tools like tinyurl.com and bit.ly. These types of services allow a cyber criminal to easily hide a potentially malicious or fraudulent URL behind the covers of a legitimate looking one. For example, a user could unknowingly be directed to a web site that silently injects a keylogger on their PC by clicking on one of these links. URL abbreviation tools can also be utilized to hide a nasty URL within the body of an email as well so this is not an attack that is solely abused by spammers using social networking technologies.
There is more to this potential threat than just the risk of the redirection to a phishing site. Cross site scripting and SQL injection vulnerabilities can also easily be exploited using this tactic if the vulnerability is exploitable via URL code injection. The malicious code can be hidden in the URL, compacted using tinyurl.com, then distributed in an email as a DDoS against a spammers target.
For the potential risk that sites like tinyurl.com and bit.ly can introduce, they certainly do have their place. Sites like monster.com for example sometimes create URLs that are extremely long when copied and pasted into an email, so abbreviating the link address is a great way to keep your message professional looking. As with all other online threats, diligence is of the utmost importance. Spam and phishing threats via social networking applications are still new territory in many regards when compared to email (for example), so many users do not think about the potential security ramifications that come along with using these technologies. That education is occurring rapidly, but is also happening partly by necessity as more and more users are falling victim to quickly evolving tactics on the part of cyber criminals.
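The two risks described above, a shortened link hiding a phishing or malware destination and a shortened link hiding injected script in the URL itself, share one defensive answer: resolve the redirect by reading the Location header without ever visiting the destination, then inspect the expanded URL. As an added example (not code from the original post or from MX Logic), the Python below does exactly that. It includes a live fetcher built on urllib's standard redirect handler, overridden so redirects are reported rather than followed, but runs offline against a constructed redirect table; the shortener host list is the pair of services named in the post, and the destination URLs and suspicious-pattern list are assumptions made for the example.

```python
from __future__ import annotations

import re
import urllib.error
import urllib.request
from typing import Callable
from urllib.parse import unquote, urlsplit

SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}   # services named in the post
MAX_HOPS = 5                                   # shorteners chained to shorteners


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the destination is inspected, never visited."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location_live(url: str, timeout: float = 5.0) -> str | None:
    """Network fetcher: HEAD the shortener and return its Location header, if any.
    Not used by the offline run below; shown for real deployments."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# Constructed redirect table so the example runs offline; stands in for live answers.
OFFLINE_TABLE = {
    "http://bit.ly/constructed1": "http://tinyurl.com/constructed2",
    "http://tinyurl.com/constructed2":
        "http://twitter-login.invalid/?next=%3Cscript%3Ealert(1)%3C/script%3E",
    "http://tinyurl.com/constructed3": "http://downloads.invalid/codec.exe",
}


def fetch_location_offline(url: str) -> str | None:
    return OFFLINE_TABLE.get(url)


def expand(url: str, fetch: Callable[[str], str | None] = fetch_location_offline) -> list[str]:
    """Walk the redirect chain by header inspection only. Stops at the first host that
    is not a known shortener, after MAX_HOPS, or if the chain loops."""
    chain = [url]
    for _ in range(MAX_HOPS):
        host = (urlsplit(chain[-1]).hostname or "").lower()
        if host not in SHORTENER_HOSTS:
            break
        nxt = fetch(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def assess(url: str) -> list[str]:
    """Names of suspicious traits in the expanded destination, checked after percent-decoding
    so an encoded payload in the query string is not missed."""
    parts = urlsplit(url)
    flags = []
    if re.search(r"<\s*script\b", unquote(url), re.I):
        flags.append("script_tag")
    if parts.scheme.lower() == "javascript":
        flags.append("javascript_scheme")
    if re.search(r"\.(exe|scr|pif)$", unquote(parts.path), re.I):
        flags.append("executable_download")
    return flags


def check(url: str, fetch=fetch_location_offline) -> dict:
    chain = expand(url, fetch)
    return {"final": chain[-1], "hops": len(chain) - 1, "flags": assess(chain[-1])}


if __name__ == "__main__":
    for u in ("http://bit.ly/constructed1", "http://tinyurl.com/constructed3"):
        print(u, "->", check(u))
```

Passing fetch_location_live in place of the offline fetcher is the only change for real use. The decoding step matters for the second risk in the post: a script tag tucked into a query string arrives percent-encoded, and a pattern match on the raw URL would miss it.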
An MXL co-worker (Thanks, Grant!) directed me to this blog posting by a guy named Lance Winslow titled "SPAM Killing Small Business Productivity". It is no surprise to anyone that any small business that has not taken steps to protect their infrastructure with some kind of anti-spam/traffic shaping/traffic control device or service (I am partial to the managed service form factor, BTW :) ) is feeling the effects of the amount of spam flying over the internet on a daily basis. So, in that respect Lance hasn't started off his post with anything revolutionary.
Then things start to get weird...
Lance states "...the Federal Trade Commissions; FTC’s war on SPAM is killing small businesses and flooding their inboxes with junk mail". What?! Last I checked, a LOT more people than just those involved in the FTC are fighting spam on a daily basis and doing a pretty decent job of it. I work with many of them on a daily basis both at MX Logic and at our many competitors. Secondly, how is the FTC's war on spam killing small businesses and flooding inboxes with junk mail? Last I checked, that was the spammers who were responsible for that....oh yeah, and the infected PCs that they use to do their dirty work. I'll concede that CAN-SPAM hasn't done much, but spam hasn't increased as a result of CAN-SPAM. Spam has increased due to money chasing criminals using spam as a vehicle to make money.
Lance then goes on to say "America Online indicated that it culls 75% of the incoming SPAM thru filters and many other companies are able to do this too. But what if you are a small business which does not have such features on your website? What do you do then? You cannot do a thing." Strike 2! Firstly, I know quite a few of the anti-spam folks over at AOL personally and I'll be more than happy to publicly defend them and say that I am sure they are catching more than 75% of incoming spam. If that were MX Logic's catch rate I surely would have been fired years ago! It certainly hasn't been my looks that has gotten me by! :) Further, how can Lance ascertain that there is nothing you can do if you do "not have such features on your website"? I am going to guess that he is really referring to inboxes here and not web sites (as web sites are a bit of a different animal than what he originally started out his post with). Has he ever looked into the cost of a Managed Security Service or a network appliance? Anyone can deploy anti-spam defenses at fairly low cost per user. The cost can even be free if you are willing to do the work yourself to maintain your own installation of a software based service like Spamassassin.
His final paragraph states "A concocted report from MX Logic purports that SPAM is down a whopping 9%? If you believe that you are on drugs just like the FTC. If you are a small business getting 300 junk mails per day, obviously this is not going to help you in the least as it still means you are getting over 275 junk mails a day. Worse the figure of nine-percentile is said to be a complete misrepresentation and convenient fabrication." Perhaps Lance should do a bit more reading about the decline in spam volumes since the shutdown of McColo back on November 11th (although I do appreciate that he is reading our report!). Although the botnets that were originally debilitated as a result of the McColo shutdown are back online, spam volumes overall are still down from where they were pre-McColo. Now, I will agree with Lance's point where he said that if you were getting 300 spam emails per day and are still getting anywhere from around 275 per day, you are still getting deluged (perhaps our sales folks should try to sell Lance an anti-spam solution :) ). At a micro level this doesn't seem like a big deal, but when looked on a much more macro scale in an environment like ours and other major ISPs who process hundreds of millions of emails per day, the effects are dramatic.
I'm curious as to what authority he stands on or interviewed to make the statement that drops in spam volume are a "complete misrepresentation and convenient fabrication"? How is saying that spam volumes are down convenient for us? In our business, spam sells. The more there is, the better sales numbers grow as businesses become more aware of the inadequacies of their own systems in trying to manage spam themselves. They realize that they NEED an alternative so that they can focus on their core competencies and not just on keeping their mail servers online. As a result, crises and large spam events like the CNN outbreak from back in August are great for our sales numbers. It certainly makes selling the need for a solution easier. I've been accused during media interviews by less tech savvy reporters of trying to spread FUD because "I have to say that spam volumes are up because fighting spam is the business that we are in", but never that I'm lowering numbers for convenience. I don't quite see how that argument makes any sense.
The closing of his post is the coup de grâce: "If you have innovative thoughts and unique perspectives, come think with Lance." I would certainly say that Lance's perspectives are unique (and completely uninformed), but his thoughts are not quite so innovative (however quite imaginative!).