IT Security Blog

21 August 2009

New Phishing Scam Targeting Yahoo Local Advertised Search


Our Threat Operations Center has recently noticed a new type of phishing campaign attempting to phish login credentials to Yahoo!'s Local Search Marketing tool.  This is similar to the Google Adwords phishing campaign that we reported back in May 2008 attempting to obtain login credentials to Google's Adwords site from customers.  In this instance the email that is being sent is spoofing a from address @yahoo-inc.com (Yahoo's internal email domain) and trying to convince the user that their account is about to be suspended.  Sounds like just about every other phishing campaign, right?

The phish reads as follows:

Dear Advertiser,

We just want to remind you that, on August 25, 2009, your Local Sponsored Search account will be discontinued. You will be upgraded to a new Sponsored Search account with geo-targeting and other great new features.

Please note the following: In order for us to upgrade your account you need to verify your user/password of your account. Please remember to input your Sponsored Search user and password correctly NOT your email and password.

Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm

Sincerely,

Your Partners at Yahoo! Search Marketing Copyright 2009 Yahoo!, Inc. All rights reserved.


Note the generic nature of the introduction, which should generally be one of your first tipoffs that the email is not authentic.  If you have a personal relationship with a company and they want to send you an important email communication, they will use your real name.  Also note the missing period between "onlinemarketing" and "yahoo" in the URL.  If you weren't looking closely, this could easily be missed by someone reading the email (and even if the period were present, the actual URL for Yahoo!'s Local Advertising tool is "searchmarketing.yahoo.com", not "onlinemarketing.yahoo.com").  This point might also be missed by the casual recipient.
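
As an added example (not part of the original post), the following Python check implements the lookalike-domain test described above: it undoes the "hxxp" defanging, parses each link, and reports whether the host is genuinely under the brand's domain or merely contains the brand name somewhere else. The brand domain, the brand string and the sample excerpt are assumptions taken from the post, not a Yahoo! or MX Logic tool.

```python
import re
from urllib.parse import urlsplit

# Assumed: the legitimate Yahoo! Search Marketing service lives under yahoo.com (the post
# names searchmarketing.yahoo.com), and "yahoo" is the brand string a lookalike would reuse.
LEGIT_BRAND_DOMAIN = "yahoo.com"
BRAND_WORD = "yahoo"

# Matches http(s) links and the "hxxp" defanged form used in the post.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"')]+", re.IGNORECASE)

# Constructed excerpt of the phish quoted above (only the lines that matter).
SAMPLE_PHISH = """Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm
"""


def undefang(url: str) -> str:
    """Turn 'hxxp://' back into 'http://' so the standard URL parser accepts it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def classify_link(url: str, brand_domain: str = LEGIT_BRAND_DOMAIN,
                  brand_word: str = BRAND_WORD) -> str:
    """'brand' if the host really sits under the brand's domain, 'lookalike' if the brand
    name merely appears elsewhere in the host or user-info part, else 'unrelated'."""
    parts = urlsplit(undefang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    if host == brand_domain or host.endswith("." + brand_domain):
        return "brand"
    # onlinemarketingyahoo.com, yahoo.com.attacker.example and yahoo.com@attacker.example
    # all contain the brand string without being controlled by the brand.
    userinfo = (parts.username or "").lower()
    if brand_word in host or brand_word in userinfo:
        return "lookalike"
    return "unrelated"


def scan_text(text: str) -> list:
    """Return (url, verdict) pairs for every link found in a message body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]
```

The user-info and nested-subdomain cases go slightly beyond the single trick in the post; they are the same pattern (brand string present, brand not in control of the host).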

The potential audience being targeted by this email is somewhat limited because it will only make sense to those who are customers of this Yahoo product.  That rarely seems to stop most spammers.
Posted by smasiello at 2:48 PM | 0 comments
21 July 2009

Google Trending Topics the Latest Malware Lure


Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites.  This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.

The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites. 

We are starting to see a new wrinkle where hackers are using already popular Google Trending Topics, search criteria that users are interested in and looking for through Google, to determine what users already want to see.  They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity.  No work is required on a hacker's part to organically generate interest.  That interest is already being generated by high profile news stories, which have already been shown to be very effective through the many iterations of Storm and Waledac over the past couple of years. 

An example is being reported by Dan Kaplan at SC Magazine, where he said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter, who was recently videotaped through a peephole camera.  These fake websites are being used to inject malware onto curious users' computers.  They could also very easily be used in phishing campaigns to steal users' personal information.

Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post. 
Posted by smasiello at 10:44 AM | 0 comments
16 June 2009

BITS Releases Guide For Implementing Email Authentication Protocols

Is It Too Little, Too Late?

In a story released a few days ago, BITS (Banking Infrastructure and Technology Services) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) technologies to authenticate mail coming from their domains as opposed to spoofed emails sent by spammers. 

In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email. 

Many major financial institutions are on board this bandwagon as well, but clearly there is room for improvement.  As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS' 100 members are currently using any form of email authentication, a statistic that differs considerably from the adoption rates of F500 brands.  For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value of implementing these solutions. 

Will SPF and DKIM stop spoofing?  No, but what they will do is help email receivers to identify messages that are actually being sent by a financial institution like Bank of America versus an email that was sent by a spammer to merely look like an official BofA message in an attempt to steal someone's identity or web site login credentials. 
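
As an added illustration of the receiving side of SPF (example code, not from the BITS paper or any vendor), here is a minimal SPF evaluator in Python. The TXT records, domain names and addresses are constructed; no DNS is queried. It handles ip4, ip6, include and all (a/mx/ptr/exists would need live DNS and are reported as permerror), so it goes a little beyond the plain "is this IP on the bank's list" case in the post.

```python
import ipaddress

# Constructed TXT records standing in for DNS; no lookups are made. Domain names and
# addresses are hypothetical (documentation ranges), not taken from the BITS guide.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "lenient.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connecting client address `ip`.
    Returns one of none/pass/fail/softfail/neutral/permerror."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying terms (include etc.) at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == addr.version and addr in net
        elif name == "include":
            # include matches only if the referenced domain's record yields pass.
            sub = check_spf(arg, ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists: need real DNS, unsupported here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no explicit 'all' term


def receiver_verdict(mail_from: str, client_ip: str) -> dict:
    """What a receiving MTA learns from the envelope sender and the connecting IP.
    A 'fail' means the domain owner says this host must not send for it."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(domain, client_ip)
    return {"domain": domain, "spf": result, "likely_spoofed": result == "fail"}
```

A "-all" record lets the receiver reject the BofA-lookalike message sent from a spammer's host; a "~all" record only marks it, which is why the post says SPF helps receivers identify rather than stop spoofing.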

The question that I would pose here is this: for the increased consumer confidence that email authentication technologies are attempting to foster, is it too little, too late?  I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore, or have moved away from online banking entirely, solely because of their concerns about having their identities stolen.  In their eyes, it is easier to avoid the potential for risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not dealing with their bank via online means at all.  This is because they cannot distinguish between legitimate communications from their bank and what is being sent by cyber criminals. 

Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet.  To that point, when I think about where we are today with the low level of trust that users have overall in email as a communication and marketing vehicle, I believe that as an industry we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.
Posted by smasiello at 1:23 PM | 0 comments
21 May 2009

New Facebook Phishing Scam in the Wild


Be on the lookout this morning for a phishing scam floating around Facebook asking you to visit http://areps.at, a domain registered only a few days ago to someone named Andrew Morov out of Russia.  (UPDATE 5/21/2009 11:30am MST - According to this CNet article, the domain bests.at is also being used for this scam, registered to the same person as areps.at)

personname:     Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: ******@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM

Visiting this site will also infect your Facebook profile and cause messages to be sent to your friends inviting them to also visit.  Below is a screen shot illustrating the contents of the message you may receive from an infected friend.

If you do receive any of these, contact the person who sent it to you and ask them to change their password ASAP.  If you believe that you might have fallen victim to this scam, change your own profile password before whoever has hijacked your account changes it for you and locks you out of your own account!
Posted by smasiello at 9:40 AM | 1 comment
27 April 2009

Swine Flu + Swine Spammers = Trouble?


Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu.  With the number of confirmed swine flu cases rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world, coupled with the looming threat that the World Health Organization (WHO) will raise its pandemic alert because of the illness, you have a combination of circumstances that creates exactly the kind of dangerous cocktail we frequently see spammers and phishers jump all over.

Although we have yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up.  Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns soliciting donations to help victims of Swine Flu, purporting to be from the WHO or other related organizations.  We could also see emails that attempt to lure users to news oriented web sites that play videos, set up as spoofs with the intention of distributing malware. 

News grabbing events like the Swine Flu outbreak are exactly the type of social engineering lures that spammers love to latch onto because of the public's interest in learning more about the topic.  Be aware.  If you would like to learn more about the recent Swine Flu, or any other breaking news story topic, visit the site of your most trusted news organization directly.  Clicking on links within emails is an invitation for trouble.
Posted by smasiello at 3:22 PM | 1 comment
15 April 2009

Threat Warning: Be On the Lookout for Tax Related Scams


I thought it was appropriate to issue a "Threat Warning" (à la the National Weather Service) for tax related scams for today and for the coming days and weeks, considering today's midnight tax deadline.  By a warning I mean that conditions are ripe for something to occur even though we have not seen anything specific yet. 

Considering current economic conditions, and the fact that more people who owe money are likely to be delinquent in payment this year, it is also possible that we might see a new twist this year: tax filing extension "services" that, for a fee, will grant you an extension on paying your taxes without additional interest penalties if you do not file on time.   

It is also likely that we could see scams like those we have seen in years past: tax refunds that can be received faster if applied to your credit card, or purported errors made by the IRS that result in you receiving additional refund money that can be applied to your credit card or deposited directly into your bank account. 

Be on the lookout for these and other potential scams spoofing the IRS.  It is most important to remember that the IRS does not discuss tax refund related issues with consumers over email, so if you receive anything like what I have described above in your email box, or anything else similar, delete those messages immediately.  Our Threat Operations Center is on high alert for any IRS related scams and when any arise we will report them here.
Posted by smasiello at 2:58 PM | 0 comments
19 March 2009

I Can Respect an Honest Spammer


Short and sweet post this time.  I need to go meet with a prospective customer, but I had to post this first.  It's not very often that you meet an honest spammer.  The following header came into one of our spamtraps today on a 419 scam attempting to get me to engage with the scammer on purchasing residential and commercial property.  They requested that I open foreign bank accounts to which the sum of one billion (doing my best Dr. Evil impression) dollars would be transferred. 

Anyway, what made this particular scam somewhat humorous was the subject line of the message:

It isn't every day that a spammer will tell you his email is spam before you even read it.  I'm willing to bet the uptake on this one probably wasn't that great :-D


Posted by smasiello at 12:01 PM | 0 comments
13 March 2009

The Great Browser Security Debate


I have been starting to feel like I have hardly been in the office over the past month.  After attending MAAWG in San Francisco for a week in mid-February I was in town for a week and a half before going on an extended vacation/business trip to Orlando for InfoSec World 2009 and some time visiting my wife's family.  I am finally back in town and expect to be so for about the next month until RSA rolls around in late April so expect to see regular blog updates rolling out again.

I wanted to take a few minutes to talk about something that has been bothering me lately.  It is something that I have been hearing more and more of in passing conversation as it relates to browser security, in particular between Firefox and Internet Explorer.  Similar to the debates that have been raging for a few years now over the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows are debates over whether Firefox is a more secure browser than Internet Explorer. 

Is it, really?  Or is it just a matter of perception? 

At the end of the day, the level of security of any application installed on our computer is a combination of the vendor's ability to release timely updates to address new security issues, and the user's ability/willingness to install those updates.  The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides. 

Take this recent analysis of the Conficker worm/botnet as an example.  According to the report, more than 90% of the users who got infected with Conficker were infected while using Internet Explorer 6, the default browser that comes with Windows XP.  Windows XP is also the OS with the highest concentration of Conficker-infected users, but that is to be expected as it is currently the most widely deployed Windows OS version.  What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches.  This is also somewhat to be expected because the largest concentrations of infections are in countries like China, Brazil, Russia, and India, which also have some of the highest numbers of pirated copies of Windows in the world.  You could argue that this might not be the best example of browser security because Conficker is an exploit for an OS level vulnerability, but the reasoning is still sound: if you aren't applying OS patches you likely aren't patching your browser either.  If you aren't familiar with the "insecurity iceberg" report, I would recommend it.  It is a good read, as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser.  It also covers the many plugins that are available such as Adobe Flash, Java, Apple QuickTime, and Adobe PDF Reader. 

So, to go back to my original question, is Firefox really more secure than Internet Explorer?  In addition to my previous argument about patching, I believe this also comes down to an issue of perception.  For example, Firefox releases security updates more frequently than Internet Explorer.  Does that make it more secure or less secure?  Additionally, Firefox has a "nagware" type of feature where it regularly throws popups at you when a new version is available, encouraging you to upgrade to the latest and greatest version of the browser.  This gives the user the impression that they are being kept safer.  Second, Firefox has an active community of developers creating plugins for Firefox that add security features on top of what the browser already provides.  Neither Firefox nor IE has any native protection against what is known as Clickjacking.  With NoScript, a plugin available for Mozilla based browsers like Firefox (et al.), Clickjacking protection can be added.  IE currently has no protection available, although it is being planned for IE 8.  Another security threat that I have written about previously is the danger that can be introduced by URL abbreviation services like TinyURL and SnipURL.  Firefox has a plugin that will allow users to preview where these abbreviated URLs will really take them before they click the link.  URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate looking links that redirect them to malicious web sites.  So, there are security related addons that users can plug into their browsers if they know what the good, actively maintained ones are and where to look, but this functionality isn't native to the browser and leaves the user with yet more software to update.

You could make analogies to the OS X and Windows debate here too.  Apple users claim they don't have the malware problem that Windows users have.  In sheer volume of released exploits this is certainly true, however you are also dealing with a much smaller market share.  Is the reason that Firefox exploits haven't been more widely targeted simply that Firefox doesn't have the market share to justify the effort on the part of cyber criminals? 

My point is that there are compelling arguments on both sides of the browser security debate, but at the end of the day the onus is still on the user to make sure their software (including both browser and plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound traffic blocking firewalls to reduce their risk.  More online threats are moving to the browser every day, so having multiple layers of defenses in place at different points of the network remains your best method to minimize risk. 
Posted by smasiello at 1:00 PM | 4 comments
04 January 2009

Twitter Security


On Saturday, Twitter posted this security alert on its web site to make users aware of a phishing campaign that was going around via Twitter direct message attempting to steal login information for the social networking site. 

Phishing campaigns are certainly nothing new.  So, what makes this interesting or different?

Phishing emails are certainly something we have become accustomed to in our inboxes and they are becoming more popular on personal profile pages on social networking sites like Facebook and Myspace.  In the December version of the MX Logic Threat Report and Forecast the very first prediction we made for 2009 was an increase in (ab)use of social networking technologies by spammers and other cyber criminals. 

Twitter presents a bit of an interesting twist because URLs posted to "tweets" (status updates posted by Twitter subscribers) and direct, private messages sent person to person are shortened using URL abbreviation tools like tinyurl.com and bit.ly.  These types of services allow a cyber criminal to easily hide a potentially malicious or fraudulent URL behind the covers of a legitimate looking one.  For example, a user could unknowingly be directed to a web site that silently injects a keylogger on their PC by clicking on one of these links.  URL abbreviation tools can also be utilized to hide a nasty URL within the body of an email as well so this is not an attack that is solely abused by spammers using social networking technologies.

There is more to this potential threat than just the risk of redirection to a phishing site.  Cross site scripting and SQL injection vulnerabilities can also easily be exploited using this tactic if the vulnerability is exploitable via URL code injection.  The malicious code can be hidden in the URL, compacted using tinyurl.com, then distributed in an email as a DDoS against a spammer's target. 

For all the risk that sites like tinyurl.com and bit.ly can potentially introduce, they certainly do have their place.  Sites like monster.com, for example, sometimes create URLs that are extremely long when copied and pasted into an email, so abbreviating the link address is a great way to keep your message looking professional.  As with all other online threats, diligence is of the utmost importance.  Spam and phishing threats via social networking applications are still new territory in many regards when compared to email (for example), so many users do not think about the potential security ramifications that come along with using these technologies.  That education is occurring rapidly, but is also happening partly by necessity as more and more users fall victim to quickly evolving tactics on the part of cyber criminals.
Posted by smasiello at 4:22 PM | 0 comments
01 October 2008

Google AdWords Phishing Back as Image Spam


I figured that I should write about something timely before I started getting into the things that I have been backlogging lately. 

If you recall, back in May we wrote about Google AdWords Phishing (click here for the original post) where the phishing message body was a plain text email alerting users that their AdWords payment could not be processed and that they had to log in to the AdWords site (via a link in the email that led to a fraudulent web site). 
The latest tactic has a couple of different twists.  The first one of note is that this particular spammer is using an image within the email to render the phishing content.  See the below screen shot which is a sample of the email:

The email looks like an HTML formatted message, but it is actually a single image with the spam content contained inside and an image map where the link is.  The link points to a legitimate sounding domain as well: selectadwords.net, hosted out of Spain.
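
As an added example (my own code, not something from the original post or from MX Logic), the following Python scanner flags the pattern just described: an HTML part with almost no visible text, at least one image, and an image-map or anchor link pointing off the domain the From header claims. The sample messages are constructed; the link host selectadwords.net is the one named in the post, while the path and image name are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of the image-only phish described above.
PHISH_HTML = """<html><body>
<img src="cid:adwords_notice.gif" usemap="#notice">
<map name="notice">
  <area shape="rect" coords="0,0,600,120" href="http://selectadwords.net/renew">
</map>
</body></html>"""

# Constructed benign message: real text and a link that stays on the claimed sender's domain.
BENIGN_HTML = """<html><body>
<p>Your monthly AdWords report is ready. Sign in to review campaign performance,
adjust budgets and download invoices.</p>
<a href="https://adwords.google.com/">Open AdWords</a>
</body></html>"""


class ImageMapScanner(HTMLParser):
    """Collect visible text length, image count and link targets (<a> and <area>)."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.links = []
        self._hidden = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "img":
            self.images += 1
        elif tag in ("a", "area") and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def analyze_html_part(html: str, claimed_sender_domain: str, min_text_chars: int = 40) -> dict:
    """Flag 'single image plus image map' messages whose links leave the claimed domain."""
    scanner = ImageMapScanner()
    scanner.feed(html)
    scanner.close()
    domain = claimed_sender_domain.lower()
    off_domain = [
        u for u in scanner.links
        if host_of(u) and not (host_of(u) == domain or host_of(u).endswith("." + domain))
    ]
    image_only = scanner.images > 0 and scanner.text_chars < min_text_chars
    return {
        "image_only": image_only,
        "links": scanner.links,
        "off_domain_links": off_domain,
        "suspicious": image_only and bool(off_domain),
    }
```

Because the spam text lives inside the image, keyword filters see nothing; the link target and the absence of real text are what a filter can still act on.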

The second twist from the original scam is that this message is telling you that you need to renew your AdWords service or else the account will be deactivated.  As with many other scams, this is to try to instill a sense of urgency on the part of the recipient and to get them to take action before they have a chance to think about the fact that this might be fraudulent.  All in all, I would say this is a pretty well done scam.

So, why phish Google AdWords?  AdWords accounts are separate from Gmail accounts (even though they are all under Google, you use different logins to access each) so they aren't using the information to compromise legitimate accounts to send out spam.  They are likely using them to try to extract the payment information used on the account to either steal money or use it as an intermediary account to transfer funds as part of a larger fraud scheme.

As always, if you receive any messages that look like this, promptly delete them.

Posted by smasiello at 3:55 PM | 0 comments
27 May 2008

New Kind of Phish: Dead Phish!


Thanks to James in our Threat Operations Center for forwarding me a sample of one of the funnier phishing tactics that I have come across.  I thought an appropriate name for this type of scam would be "Dead Phish."

Here is a copy of the email (in all its unedited glory, filled with spelling and grammatical errors):

Dear Sir,

We are in receipt of a Death Certificate certifying you dead and seeking the transfer of your over due contract funds to an Account in London.
 
All the local financial contractural obligations have been met and the funds is ready for transfer to the London account.
 
Please understand that if we do not hear from you in the next 7 days we shall treat you as dead and the funds shall be duly transferred.
 
You have been notified.

If this is false please write and let us have an affidevid to counter
this claims.

Yours faithfullly,
 
Mrs.callister Ibe
 
Chairman of Contract Review Panel

Phone:234-805-6135520.

This is another phish by phone tactic similar to what I have blogged about previously where the scammers are avoiding using web site links within their messages in an attempt to get by URL filters and built-in browser phishing detection. 

My favorite part is where it says "You have been notified."  What if I were actually dead?  It's true that you can get your email just about anywhere nowadays, but I never knew that also extended to beyond the grave!  This was a good way to start the post-holiday work week.

Posted by smasiello at 10:18 AM | 2 comments
21 May 2008

New Chinese Earthquake Relief Phishing Scam


Sometimes the depths to which spammers will stoop really sickens me. 

Even in today's criminally infested internet I sometimes naively hope that there is still some kind of Code of Conduct where trying to capitalize off of certain catastrophic events was considered taboo.  As we've seen before, such as with the devastation caused by Hurricane Katrina back in 2005, the Indian tsunami in 2004, and now with the earthquake and aftershocks that have already killed over 28,000 people in southwest China's Sichuan province (with estimates that the death toll will be over 50,000 before the final counts are tallied) over the past week and a half, scams looking to tug at both your heart strings and purse strings have started popping up.
I'll abbreviate the message that we received for the sake of brevity (it's about the longest phish I have ever seen) as it gives a fairly detailed account of the plight of the person allegedly sending the message:

Dear friend,

I don't know your exact name. I can only guess.

I ask you to read my letter up to the end. After that you will be in the right to send my letter in a garbage basket or.......

My letter is caused by despair. I don't know to whom to address. I am compelled to ask for help any person. Namely you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.

My name is Arnulfo. My situation plunges me into depression and despair.

I will tell you shortly. I do not even know how to express correctly my thoughts. How to write you about it. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it's stupid or incorrectly. But it's the only thing that is left to do. I just ask to understand me. I even must  say that it is a shame to do it.

I will continue. I don't know where you are. And I do not know what news you watched on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it's awful...

Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we
could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese
language and culture. There I also have got acquainted with Jin It's my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.

All. Everything was good. Yes, everything was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not want to describe that occured with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife's parents. Jin was in despair.

But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one output. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I could not stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I do not know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.

[ SEVERAL UNIMPORTANT PARAGRAPHS REMOVED ]

Also some kind people which know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1500$. I have no opportunity to find such sum of money. I tried all ways to find thó money. I do not wish to think that money solve everything in this world. I believe that the main thing is people and love. And I want to believe that I will be able to be beside my Jin soon . We are sure will be happy together.

Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I shall understand you.I I address to you for a help. Your help is required to me. I will tell directly that I ask you to help me with money. I will return you money
later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I shall see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I shall return the money to you in the same way. I am ready to return you more.

I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.

I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have compelled me to write this letter to you. I wish to use all variants To be near to my love.

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

I don't know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:

arnulfoqramos@yahoo.com.ph

I have registered it right now. I shall wait fo your answer to this e-mail. If you want to answer me

Yours faithfully Arnulfo


The words that I want to use to describe people who would try to capitalize on an event that has affected hundreds of thousands of people aren't appropriate for a corporate blog, nor for any other conversation for that matter.  Every time I see these types of things, it further lowers my faith in humanity.

Please be on the lookout for this and other related scams over the coming weeks as we are sure to see more of them, likely alleging to be from relief organizations and/or companies who claim to be affiliated with them. 

If you wish to make a donation to your favorite relief organization to help them to provide assistance to people around the world being affected by these horrific natural disasters please contact them directly.  Do not respond to solicitations via email, even if they look legitimate or come from an email address that potentially looks legitimate.



*** UPDATE 5/21/2008 11:20am MDT ***  Here are some of the subject lines that we are seeing associated with this scam:

-- Help me
-- Help me please. Read through the letter
-- Last hope. Help me please
-- I ask to help. Please


Posted by smasiello at 11:13 AM | Link | 0 comments
12 May 2008

Whaling Scam from the US Tax Court


Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court. 

Here is an elided sample that has been received by our Threat Operations Center:

UNITED STATES TAX COURT

WASHINGTON, DC 20217

Docket No. 622-555. Filed May, 2008.

COMMISSIONER OF INTERNAL REVENUE

Petitioner.


v.


EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE

Respondent.



  PETITION

The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008



Please download a Copy of the Order, Letter, Notice or Other Document Being Appealed



This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006.  As motions, without prejudice, and remand this case to respondent.s Office of Appeals.



Respectfully submitted,

Bennett H. Klein

Tax Court Bar No KB0214

400 Second Street, N.W.,
Washington, D.C. 20217.


The link in the above sample goes to a web page hosted at the domain us-tax.org, which was registered just 4 days ago, on May 8th.  Based on the format of the scam URL in the above message, this looks very much like some of the other recent executive-targeted scams (like the US District Court scam that I also blogged about) that we have seen lately.  It would not surprise me if these scams are originating from the same group of people behind those.


*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at a rate of about 150 per hour.  That is a very low volume, an attempt to fly under the radar as much as possible.

Posted by smasiello at 10:24 AM | Link | 21 comments
07 May 2008

Google AdWords Phishing


The folks over at Trend Micro have a good write-up on a new type of phishing scam that has started floating around over the last week or so: Google AdWords phishing.

It looks like the scammers are using the same general content in their phish, with a couple of different variations on the subject line and on the tagline that appears at the end of the message. 

The phishing link mentioned in Trend's blog points to a Chinese-registered domain that appears to have been taken down as of the time of this posting, but, being the resilient type that cyber criminals are, they have started a new spam run with links pointing to a new domain (also Chinese-registered): adwords.google.com.s0leo9.cn, which is currently still active.  Note that the registrable domain here is s0leo9.cn; the "adwords.google.com" part is nothing more than a subdomain that the scammers control. 

Below is a screen shot of one of the phish examples that hit one of our spamtraps (note where it differs from the screen shot posted on Trend's blog):



From a volume standpoint these phishing attempts appear to be coming in waves.  For example, on Tuesday, May 6th our Threat Operations Center saw approximately 2,200 of these hit our systems in the early morning hours, up to about 7:00am.  After that the rate dropped off to about 2 per hour.  In the early morning hours of May 7th we were again seeing up to 550 per hour.  

This tactic won't resonate very well with most people.  Even though quite a few organizations use Google AdWords to promote their products on Google search result pages, the audience to whom this type of scam makes sense is pretty limited.
Posted by smasiello at 1:49 PM | Link | 0 comments
22 April 2008

New Phishing Scam Targeting Economic Stimulus Payments


Right on cue, we are starting to see phishing scams with an economic stimulus payment flavor.  In one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd, with payments sequenced by the last two digits of your Social Security Number) we would start to see more scams built around these payments.  We are seeing some of the first iterations of those scams today.

As has been common with most of the government agency spoofs that we have seen over the past year, this one has an IRS logo at the top of the message, pulled directly from the IRS web site at irs.gov.  Hot-linking the real logo costs the scammer nothing and makes the message render exactly like a genuine one.

The samples that we are seeing allege to be from "service@irs.gov" and have a subject line of "2008 Economic Stimulus Refund."

The phish content is as follows:

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

The "click here" link takes the user to a prototypical phishing site where they are asked for their bank routing number and checking account number so that the rebate can be deposited directly into their account.  The scammers are also trying to establish a sense of urgency to get you to click the link by saying that you have to fill out and submit the form before April 24th if you want to get your stimulus payment on time; failure to do so will supposedly result in delays.  This could be an effective tactic against those who are not scheduled to receive their rebate until July, or against the extremely impatient who think that this could be a shortcut to getting their rebate sooner.

This is about the time that we expected these scams to start appearing, and this certainly won't be the last of them, especially since the distribution of the stimulus payments is expected to last a couple of months.

As with all of the IRS scams that we have seen to date, there are a couple of things that you should remember:

-- The IRS does not initiate contact with taxpayers by email. 
-- To that point, the IRS does not even know what your email address is.  If you use at-home tax software, the software vendor might ask you for your email address, but that is so the vendor can send you status updates on your tax filing.  Those emails are not from the IRS.

With respect to the economic stimulus payments, also remember:

-- The economic stimulus payments are being distributed based on your 2007 tax filing.  How your rebate is delivered to you is determined from the information on that tax return; there is no separate form to submit. 
-- The payment schedule for the economic stimulus payments has already been established by the IRS.  There is no way to accelerate this process. 
Posted by smasiello at 1:43 PM | Link | 11 comments
18 April 2008

Cyber Criminals Go To Great Lengths To Establish Trust


Over the past 10 months or so we've often discussed different social engineering tactics as they relate to different types of spam and malware campaigns.  These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-level executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites infested with malware.

So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?

The answer is simple: As far as they need to. 

Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to get you infected with malware.  This means that the success of their campaign is almost solely related to their ability to establish trust and make their campaign appear as legitimate as possible.  As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help.  The Federal Subpoena scam that we wrote about earlier this week included not only the name of the person the scam was being sent to and their company name, but also their phone number! 

As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand and keep a keen watch for new potential threat vectors and the techniques being used to trick them into giving up information that could result in loss of identity, company secrets, or their life savings. 

Losses incurred as a result of cyber crime are increasing at an alarming rate, and we have reached the point where people are more fearful of being a victim of cyber crime than of physical crime.  According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008!  That increase is no accident and does not appear to be slowing anytime soon. 
Posted by smasiello at 1:37 PM | Link | 0 comments
14 April 2008

New Government Phish - This Time Targeting the US District Court

C-level execs on the radar once again

It looks like the folks who were spoofing government agencies and targeting C-level executives are at it again, this time spoofing the U.S. District Court. 

If you recall, starting around the end of May 2007 we saw a month-and-a-half-long wave of messages targeted at C-level executives that carried a keylogger payload and used fake complaints against the executive's company as a lure to get them to infect themselves.  This tactic was, unfortunately, very successful, which is why it hung around for as long as it did.  These spoofs used an effective social engineering tactic: they included both the name of the person receiving the scam and the name of their company.  This fooled many into believing that the message was legitimate because it didn't carry the earmarks of most scams, which are generically blasted out en masse. 

This new scam follows the same basic social engineering tactic, except that it takes it one step further by also including the phone number of the company being targeted.  This is just another way the scammers are attempting to establish legitimacy with their intended target, since the message doesn't look like your everyday, run-of-the-mill spam.

Because it targets C-level executives, this type of attack is called "whaling."  It is called whaling because the attackers are trying to get the largest fish they can on the hook: people who are generally more affluent and stand to lose more, both personally and professionally.

Below is an example of one of these messages (Some personal information has been redacted):

AO 88(Rev.11/94) Subpoena in a Civil Case
________________________________
 
Issued by the
UNITED STATES DISTRICT COURT   
________________________________
 
Issued to:      XXXXXXXXXXXXXXXXXXX
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE    
 
SUBPOENA IN A CIVIL CASE
 
        
Case number:    91-201-NKE
United States District Court    
  
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States 
District Court at the place, date, and time specifiied below.       
________________________________
 
Place:   United States Courthouse
880 Front Street
San Diego, California 92101     
        
Room:    Grand Jury Room
room 5217       
Date and Time:   May 7,2008
9:00 a.m. PST   
  
Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los 
Angeles
, CA 90071
     
________________________________
 
Please download the entire document on this matter(follow this link) and print it for your 
record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE> 

This subpoena shall remain in effect until you are granted leave to depart by the court or 
by an officer on behalf of the court.
Any organisation not a party to this suit thas is subponaed for the taking of a deposition 
shall designate one or more offcers, directors, or managing agents, or other persons
to testify on its behalf, and may set forth, for each person designated, the matters on
wich
the person will testify. Federal Rules of Civil Procedures,20(b)(6).
 
Failure to appear at the time and place indicated may result in a contempt of court 
citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct
any questions to the person requesting you to appear: City Prosecutor.

You'll notice a few spelling errors, which are the typical dead giveaway that something isn't quite right here (of course, the US District Court trying to communicate with you via email, which it never does, should have been the first one).  They also went to the trouble of registering a new domain, cacd-uscourts.com. 

Here is where it gets funny:

-- cacd-uscourts.com is the domain used.  If this were really a government domain, wouldn't it have a .gov TLD?  (The real federal judiciary site is uscourts.gov.)
-- This domain was registered two days ago to someone named Michael Rice who lives in the U.K.
-- Registration for the domain was done by a company named WEB4AFRICA

It's been a while since we have seen this type of scam outside of the IRS spoofs that have accompanied tax season, so I am sure it will get its share of victims.  No solid information yet on whether these new phish are being sent to the same C-level execs who were targets of last year's scams.  More information to come as it becomes available.
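As an added example (not code from this blog or from the vendor behind it), here is a small Python triage routine that applies the checks discussed in this post and in the Google AdWords post above: it reduces the hostname in a link to its registrable domain, so that adwords.google.com.s0leo9.cn is recognized as belonging to s0leo9.cn and cacd-uscourts.com is recognized as a commercial domain with a court's name glued into one of its labels, and it flags a domain that was registered only days before the message was seen.  The public-suffix table is a deliberately tiny stand-in for the real Public Suffix List, the registration date is the one stated in this post rather than a live WHOIS lookup, the URL paths other than the ViewCase.php one are invented, and the us-tax.org link reuses the domain from the Tax Court post above.

```python
from datetime import date
from urllib.parse import urlsplit

# Deliberately tiny stand-in for the Public Suffix List (constructed for this
# example). Real code should use the full list, e.g. via the publicsuffix2 package.
PUBLIC_SUFFIXES = {"com", "org", "net", "gov", "cn", "ph", "uk",
                   "com.cn", "com.ph", "co.uk"}


def registrable_domain(host):
    """Return the part of a hostname that its registrant actually owns.

    adwords.google.com.s0leo9.cn -> s0leo9.cn: every label to the left of the
    registrable domain is chosen freely by whoever registered s0leo9.cn.
    """
    labels = host.lower().strip(".").split(".")
    # Test the full name first so the longest matching public suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])


def analyze_url(url, expected_domain, registered_on=None, seen_on=None):
    """Compare a link against the domain the message claims to belong to.

    expected_domain is the brand's real registrable domain (google.com,
    uscourts.gov).  registered_on/seen_on are ISO dates supplied by the caller;
    a WHOIS lookup is out of scope here.  Returns the observed registrable
    domain plus a list of reason codes; an empty list means the link really
    lives under expected_domain.
    """
    host = (urlsplit(url).hostname or "").lower()
    expected = expected_domain.lower()
    observed = registrable_domain(host)
    reasons = []
    if observed != expected:
        host_labels = host.split(".")
        exp_labels = expected.split(".")
        n = len(exp_labels)
        brand = exp_labels[0]
        if any(host_labels[i:i + n] == exp_labels
               for i in range(len(host_labels) - n + 1)):
            # The real domain appears whole, but only as a subdomain of someone else's.
            reasons.append("brand_domain_in_subdomain")
        elif any(brand in label for label in host_labels):
            # The brand name is glued into a label, as in "cacd-uscourts".
            reasons.append("brand_in_label")
        else:
            reasons.append("domain_mismatch")
        if expected.endswith(".gov") and not host.endswith(".gov"):
            # Federal courts and the IRS live under .gov; a .com/.org imitation does not.
            reasons.append("not_gov_tld")
    if registered_on and seen_on:
        age = (date.fromisoformat(seen_on) - date.fromisoformat(registered_on)).days
        if age < 30:
            # The scam domains in these posts were only days old when the mail arrived.
            reasons.append("registered_recently")
    return {"host": host, "registrable_domain": observed,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    # Links from the AdWords and District Court posts; the registration date is
    # the "two days ago" stated in the District Court post.
    for url, brand, reg, seen in [
        ("http://adwords.google.com.s0leo9.cn/select/Login", "google.com", None, None),
        ("http://cacd-uscourts.com/ViewCase.php?case=91-201-NKE", "uscourts.gov",
         "2008-04-12", "2008-04-14"),
        ("https://adwords.google.com/select/Login", "google.com", None, None),
    ]:
        print(analyze_url(url, brand, reg, seen))
```

The registrable-domain step is the one that matters: a browser, a mail filter and a human all tend to read hostnames left to right, while ownership is decided from the right.  With a real Public Suffix List the same function also handles country-code second-level suffixes such as co.uk that the toy table only sketches.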


**** UPDATE 1 (4/15/2008 12:00pm MDT): We are still seeing these emails hit our system at a rate of about 30 per hour.  Obviously a very low overall volume, but that speaks to the precision of the targeting being used.  The highest hour we have seen so far today was the 10am hour, where we saw 50, and we saw basically none between midnight and 7am.  It appears that the cacd-uscourts.com domain that was hosting the malware yesterday has had its registration suspended by WEB4AFRICA.  The web site is no longer accessible.
Posted by smasiello at 1:29 PM | Link | 10 comments
27 March 2008

New IRS Refund Scam with a Vishing Twist


About an hour ago we started to see yet another new variant of the IRS refund scams, this time using "vishing," or phishing by phone, as the lure.

Here is a sample of the message that we received:

Internal Revenue Service Tax Refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $215.

Tax Refund Number:84730004332 - Will Expire on 29 March 2008

Attention!
Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

To receive your tax refund please call the IRS Tax Refund Department at: 602-427-5984 .


Internal Revenue Service


Upon calling the number listed in the email (602 is an Arizona area code) you are greeted by a digital voice that introduces itself as the Internal Revenue Service and then asks you to enter your Social Security number, credit card number, expiration date and PIN.  The interesting thing here is that the recording appears to be a poorly repurposed scam: after asking for your PIN it tells you to please wait while it is "activating your account". 

Wait a minute!  I thought I was getting a refund!

'Tis certainly the season for tax scams, and we've been seeing quite a few of them in the Threat Operations Center, ranging from phishing scams that ask for your credit card number on a fake web site with the promise of a refund to malware-based scams that claim to "update the tax software installed on your computer".  We'll likely see more of them over the next 2-3 weeks as the tax deadline nears.  I would also expect to see similar scams promising things like advances on your economic stimulus payment as we get closer to early May, when the initial payments are scheduled to be distributed.

Posted by smasiello at 8:51 PM | Link | 3 comments
19 November 2007

Whale Phishing

Those who know me know that I could do without some of the new terms that people come up with in an attempt to get their names attached to something (e.g. vishing, smishing, and bacn), but I read about a new term today which caught my attention mostly because I thought it was pretty clever.

That term is "Whale Phishing."

So what? People are phishing whales now? That seems like a pretty fruitless venture. Last I heard, whales can't read email.

No, "whale phishing" is a targeted phishing attack against affluent people in an attempt to (like most phishing attacks) get them (the "whale") to reveal sensitive financial/account information. So, if people are now being compared to whales, I guess that would make most of us calves (a "calf" is what you call a baby whale; I learned that while typing up this blog entry!). Even if the term doesn't catch on, I thought it at least interesting and witty enough to chuckle at.

For the record, yes, I am aware that MX Logic coined the term "pharming", but before you go and call me a hypocrite for having this opinion I'd like to go on record as saying that was before my time and as such I am hereby absolving myself from that :)

Posted by smasiello at 2:30 PM | Link | 0 comments
01 November 2007

IRS Phish Soliciting Donations for SoCal Wildfire Victims

We received a sample this morning of a new phishing message making the rounds today. The sample purports to be from the IRS (yes, another government agency scam) and has the subject line "Help for California Wildfire Victims".

The content of the message is a solicitation for donations for victims of the wildfires in Southern California. The top of the message carries an IRS logo to make it appear legitimate (the logo is being loaded from customersarealways.com, which has no IRS affiliation).

Here is a snippet of the message text which tries to lure the victim in:

For these Americans, every night brings uncertainty, every day requires new courage, and in the months to come will bring more than their fair share of struggles. In the task of recovery and rebuilding, some of the hardest work is still ahead, and it will require the creative skill and generosity of a united country. Right now California is asking you for help ! If you chose to take part in our program (initiated by IRS & U.S GOVERNMENT) click on the link below and make a small contribution. Together we can rebuild California ! BE HUMAN GET INVOLVED ! BE AMERICAN ! CALIFORNIA NEEDS YOUR HELP !

Sincerely, Julia Brownley

Of course the IRS does not send unsolicited emails asking for public donations to assist with relief efforts. In fact, it does not initiate contact by email at all, nor does it send anonymous emails. Receiving an email such as this should by itself be the first tell-tale sign that it is a scam and should not be acted upon.

From the sample that we received, the link at the bottom of the message directs the user to a web server hosted in France. When the link was followed, the page that was served was a broken redirect to a page that is already offline.

This is not to say, however, that this is a dead phish. Other variants of this message pointing to other sites likely exist and are being actively distributed.

The key point to remember here is that if the IRS wants to get a hold of you, they won't do it via email. They certainly wouldn't ask you for a donation via email. If you receive any examples of this scam, please forward it to the IRS at phishing@irs.gov.
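Added example, not part of the original post: a Python check for the pattern this post and the economic stimulus post above describe, where a message claims to be from irs.gov, hot-links its logo from somewhere else (customersarealways.com, as in this post) and sends the reader to a form on a host the IRS does not control.  The sample message is constructed for the example: the relief-form.example.net host and the image path are invented, and the From header is taken at face value precisely because it names the brand the message impersonates.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the shape of the message described above: the From
# header claims irs.gov, the logo is hot-linked from customersarealways.com (the
# host named in the post; the image path is invented), one link points back to
# the real IRS site and the call-to-action goes to an invented third-party host.
SAMPLE_MESSAGE = b"""\
From: "Internal Revenue Service" <service@irs.gov>
To: victim@example.com
Subject: Help for California Wildfire Victims
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://customersarealways.com/images/irs_logo.gif" alt="IRS">
<p>Right now California is asking you for help!</p>
<p><a href="http://relief-form.example.net/irs/donate.php">Make a contribution</a></p>
<p><a href="https://www.irs.gov/privacy">Privacy Policy</a></p>
<p><a href="mailto:service@irs.gov">Contact us</a></p>
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collect every link target and image source from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it (plain suffix test)."""
    return host == domain or host.endswith("." + domain)


def analyze_message(raw):
    """Split a message's links and images by whether they stay on the sender's domain.

    The From header is trivially spoofable, and that is the point: it names the
    brand the message wants you to trust, so anything that sends you elsewhere
    to act is the phish.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    refs = _RefCollector()
    refs.feed(body.get_content() if body is not None else "")
    report = {"sender_domain": sender_domain, "brand_links": [],
              "foreign_links": [], "foreign_images": []}
    for kind, urls in (("links", refs.links), ("images", refs.images)):
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                continue  # mailto: and friends carry no host to judge
            host = (parts.hostname or "").lower()
            if not same_org(host, sender_domain):
                report["foreign_" + kind].append(url)
            elif kind == "links":
                report["brand_links"].append(url)
    # Links back to the real site prove nothing (these scams link to the real
    # IRS privacy policy); an off-domain action link is what matters.
    report["suspicious"] = bool(report["foreign_links"])
    return report


if __name__ == "__main__":
    print(analyze_message(SAMPLE_MESSAGE))
```

The image check is a weaker signal than the link check: a genuine bulk mailer may serve images from a CDN, and a scam may hot-link the brand's own logo, as the stimulus phish did.  An action link whose host is outside the claimed sender's domain is the signal worth acting on.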

Posted by smasiello at 8:37 AM | Link | 0 comments
17 September 2007

The Risk of Identity Theft

How at risk are you to be a victim of identity theft?

According to the folks over at the Privacy Rights Clearinghouse, approximately 165 million data records of U.S. residents have been exposed due to security breaches since January 2005. In 2007 alone there have been 278 breaches reported, accounting for over 75 million records.

Keep in mind that these numbers cover only *reported* breaches, by companies that are required to report such incidents. That represents only a small percentage of the businesses out there that might hold your personally identifiable information.

Even if we take the 165M records number as accurate, set against a U.S. population of roughly 300 million it means that we are all, very roughly, at about a 50% risk of having our identities stolen as a result of these breaches (records are not unique individuals, since one person can appear in several breaches, so this is an upper bound, but the point stands). Granted, the information obtained could vary greatly, from a hacker obtaining only your name and email address all the way to exposure of credit card numbers and your Social Security number. Both are dangerous, though. For example, if a hacker only obtains your name and email address, they could use that information to send legitimate-looking phishing messages to your inbox in an effort to get the rest of what they want.

So, what do you do if you believe that your identity might have been stolen? Privacy Rights Clearinghouse has a comprehensive guide posted on their website which discusses not only how to proactively stay on top of your credit (I would also recommend the Identity Theft Resource Center), but also things that you can do to prevent further damage from being done once your information does end up in the wrong hands.

One of the most important things to remember is that just because your data might have been compromised does not mean that you will be a victim of identity theft. Unfortunately, there is little that you can do to prevent breaches at the companies that hold your data, but it is important to remain vigilant in order to minimize how such a breach will affect you.

Posted by smasiello at 1:41 PM | Link | 0 comments