REMINDER: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog. Please continue to follow me there.
In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette. The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":
If the recipient follows the link to the monopoly2009.com web site, they are greeted with a web page that actually looks fairly well done advertising the Monopoly "game" and encouraging the user to download using several links dispersed throughout the page after giving a brief history of the game and providing some fun facts.
No code is injected on the user's computer just by visiting the web page. They need to download and install the monopoly.exe executable file that the site tries to deliver. The executable file is just the first stage of the process, however. A fairly common tactic being deployed by hackers is that the code that is installed as a result of the web site download is only the beginning. At this point the trojan is activated on your computer, and now it is going to go out to another computer behind the scenes and download the second stage of the malware, the piece that turns your machine into a spam sending zombie touting Canadian Pharmacy products.
As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now. Don't be fooled. This is merely a counter of how many people have visited the page thus far.
Now onto today's blog post :)
Another celebrity death. Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus. We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year. Now the attention of cyber criminals has turned to Monday's death of Patrick Swayze as the soup du jour for malware distribution.
Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed will lead users to a site that looks like this:
This similar tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms. The Windows Explorer-like screen presented to the user also uses geolocation to attempt to identify the country and city that the user is coming from in an attempt to make the user believe that their data is actively under attack. Popups with phrases like "Scan procedures finished. 34 Potential aggressive items was found!" and "Your computer remains infected by threats! They might lead to data loss and file structure damage, and needed to be heal as soon as possible. Return to Total Security and download it secure to your PC" also attempt to trick users into believing that the only way that they can protect themselves from infection is by downloading bogus security software.
Clearly scareware tactics are something that cyber criminals have latched onto as a popular method for malware distribution, as it continues to be a recurring and evolving theme. Conficker/Downadup largely popularized scareware with its success (although it wasn't the first to use it) and now others are riding on that popularity to repurpose it for their own scams.
Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS. We are currently observing traffic averaging about 90,000 messages per hour using this tactic.
The email that users are receiving which appears to come from no-reply@irs.gov is attempting to get them to believe that they misreported their income on their taxes and that the IRS is giving them an opportunity to fix it.
The email provides a link for the user to view their recent tax statement online. This link does not directly infect the user's machine, but instead directs them to a website where the malicious code is being delivered from.
If the user clicks on any of the links on this page, they are directed to download an application called tax_statement.exe. As of the time of this posting, AV detection for this new variant is low.
Please remember that the IRS does not know your email address and will not conduct official business with you over email. Any email purporting to do so is a scam and should be deleted immediately.
In my copious amounts of spare time one of the things that I like to put thought into is where I believe the Threat Landscape is headed. Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that. I'm just using this as a reference point) we've gone from mass mailing viruses to network worms that run through your network compromising any vulnerable host as quickly as it can to social engineering tricks that sometimes even make it difficult for the trained professional to tell whether something is real or fake.
So, the question that I pose to myself is "What's Next?" Taking even just the events of the last decade into account, where are we headed for the next few years? Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today.
Since this is a blog post, I'll try to keep this relatively brief. Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today. I like them and I've had the opportunity to write for them twice now) at some point soon.
Some things to think about:
-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices around the country as to whether or not their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization. Given that the latest USB 3.0 spec, released in November 2008, allows for data transfer speeds of about 5Gb per second, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before. Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft. We need to make sure we are putting as much focus on protecting our sensitive assets from insiders, who much more easily have access to proprietary data, as we do on keeping the external threats at bay.
-- VoIP
Voice over Internet Telephony technologies are being adopted at an ever increasing rate. This is happening not only in the enterprise space, but in the consumer market. Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state. VoIP implementations at organizations are becoming ever more popular as well. As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like. Throw away phone numbers used to make spam phone calls have started to become more common. There are services available online which allow you to purchase throw away numbers in blocks. Spammers can use and abuse these numbers just like they do IP addresses now.
Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities. Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users. As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data.
-- Mobile Malware
Let's face it. The phones that we carry in our pockets are little personal computers. Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on. I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ). As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don't get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device. The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market. The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices. Secure sandboxing of third party applications is a must, but that is only a start. Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.
-- Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window. This has really opened the door for cyber criminals. With the data that is now available online through the use of social media sites like Facebook, Myspace, and Twitter, criminals can much more easily target attacks to specific individuals or groups of individuals using data made available via public profiles or geolocation tools that map your IP address to what town you live in (or near) so that they can deliver compelling content which directs you to malware infected downloads (à la the Waledac botnet). The Web of Trust that exists between users on social networking sites is being actively exploited regularly by hackers looking to take advantage of the fact that users will click on whatever their friends send to them. It's already been proven that people will click on links and open attachments from people they don't know, so why would they judge more closely the content from those that they do?
-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause. Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely.
These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromise of legitimate web sites, and the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road. Hackers will go where the money is and the money is where the people are. So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available because in their eyes the goal is to make money regardless of the available technologies, and if one person can be the one to figure out how to exploit a technology for their own financial gain before the others they'll end up getting the lion's share of the notoriety as well as beat defense mechanisms to the punch.
Our Threat Operations Center has recently noticed a new type of phishing campaign attempting to phish login credentials to Yahoo!'s Local Search Marketing tool. This is similar to the Google Adwords phishing campaign that we reported back in May 2008 attempting to obtain login credentials to Google's Adwords site from customers. In this instance the email that is being sent is spoofing a from address @yahoo-inc.com (Yahoo's internal email domain) and trying to convince the user that their account is about to be suspended. Sounds like just about every other phishing campaign, right?
The phish reads as follows:
Dear Advertiser,
We just want to remind you that, on August 25, 2009, your Local Sponsored Search account will be discontinued. You will be upgraded to a new Sponsored Search account with geo-targeting and other great new features.
Please note the following: In order for us to upgrade your account you need to verify your user/password of your account. Please remember to input your Sponsored Search user and password correctly NOT your email and password.
Please visit the following link to verify your account:
hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm
Sincerely,
Your Partners at Yahoo! Search Marketing Copyright 2009 Yahoo!, Inc. All rights reserved.
Note the generic nature of the introduction, which should generally be one of your first tipoffs that the email is not authentic. If you have a personal relationship with a company and they want to send you an important email communication, they will use your real name. Also note the missing period between "onlinemarketing" and "yahoo" in the URL. If you weren't looking closely, this could easily be missed by someone reading the email (even if it were present, the actual URL for Yahoo!'s Local Advertising tool is "searchmarketing.yahoo.com", not onlinemarketing.yahoo.com). This point might also be missed by the casual recipient.
The potential audience being targeted by this email is somewhat limited because it will only make sense to those who are customers of this Yahoo product. That rarely seems to stop most spammers.
Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites. This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.
The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites.
We are starting to see a new wrinkle where hackers are using already popular Google Trending Topics, search criteria that users are interested in and looking for through Google, to determine what users already want to see. They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity. No work required on a hacker's part to organically generate interest. That interest is already being generated by high profile news stories, which have already shown to be very effective through the many iterations of Storm and Waledac over the past couple of years.
An example is being reported by Dan Kaplan at SC Magazine where he said (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter, who was recently videotaped through a peephole camera. These fake websites are being used to inject malware onto curious users' computers. They could also very easily be used in phishing campaigns to steal users' personal information.
Search criteria for these Erin Andrews videos through Google currently accounts for two out of the top three search trends at the writing of this post.
In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds. This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.
This new tactic is similar to the two previous instances that we have seen over the course of the last 3 weeks where emails were being sent out that claimed to link to updates for Microsoft Outlook and Outlook Express. The previous emails were text based, however, and outside of using the names of Microsoft products as a lure, didn't contain any convincing social engineering to convince the recipient that the message was authentic. This new tactic does go one step further to create an HTML based message that looks similar to the formatting that one would see when viewing a Microsoft Tech Bulletin.
A screen shot of the received message is below:
As you can see, this isn't the full message, but the pertinent parts are included. There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic.
The creators of this new variant also put a little extra care into how they crafted the URL used in the email. As you can see from the example above the display URL appears as if it is going off to update.microsoft.com, which isn't uncommon. In the background these links are typically either going directly to an IP address or to a domain that is clearly not associated with the company they are spoofing. The tactic being used here is the latter of the two, but you have to pay close attention because if you just quickly glance at the URL, you'll miss something important.
For example, here is one of the URLs that our TOC observed:
You'll notice that the link is really going to "hfhilf.com", clearly a domain not associated with Microsoft, but prepended to the domain is "update.microsoft.com" followed by a query path that looks very much like it could be a legitimate Microsoft Office update path.
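Both lures on this page share one defensive signal: a trusted brand name sits somewhere in the hostname, but the domain that is actually registered (the last labels) belongs to someone else. The check below is an added example, not code from the MX Logic blog; it assumes the Microsoft lure placed "update.microsoft.com" in front of the real domain as extra subdomain labels, and the sample URLs and brand allowlist are constructed for illustration.

```python
"""Flag URLs whose hostname merely contains a trusted brand name.

Added example, not code from the original blog. The allowlist and the
sample URLs below are constructed; the hfhilf.com path is a guess at the
shape of the lure (brand labels prepended to the attacker's domain).
"""
from urllib.parse import urlsplit

# Brands worth watching and the registrable domains they really use.
# Constructed allowlist for the example; extend it for your own brands.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "yahoo": {"yahoo.com", "yahoo-inc.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname, i.e. the part the registrant controls.

    Good enough for .com-style names; a real deployment should consult the
    Public Suffix List so that names like example.co.uk are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Return a verdict explaining why a URL does or does not look like a lure."""
    # Accept the defanged "hxxp://" form that security write-ups use.
    cleaned = url.replace("hxxp://", "http://").replace("hxxps://", "https://")
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    host = (urlsplit(cleaned).hostname or "").lower()
    reg = registrable_domain(host)
    verdict = {"url": url, "host": host, "registrable": reg,
               "suspicious": False, "reason": ""}

    for brand, genuine in BRAND_DOMAINS.items():
        if brand not in host:
            continue
        if reg in genuine:
            continue  # brand appears and the registrable domain is legitimate
        verdict["suspicious"] = True
        if host.endswith("." + reg) and brand + "." in host:
            # update.microsoft.com.hfhilf.com: brand used as subdomain labels
            verdict["reason"] = f"'{brand}' appears as a subdomain label of {reg}"
        else:
            # onlinemarketingyahoo.com: brand run together into a lookalike name
            verdict["reason"] = f"'{brand}' is embedded in lookalike domain {reg}"
    return verdict


if __name__ == "__main__":
    # Constructed samples modelled on the two lures discussed in the post.
    for sample in (
        "http://update.microsoft.com.hfhilf.com/office/update.aspx?id=1",
        "hxxp://onlinemarketingyahoo.com/adui/signin/loadSignin.htm",
        "https://searchmarketing.yahoo.com/",
        "http://update.microsoft.com/",
    ):
        v = check_url(sample)
        print(f"{'LURE' if v['suspicious'] else 'ok  '} {v['host']:40} {v['reason']}")
```

The subdomain case is the one a quick glance misses: the eye stops at "update.microsoft.com" while the browser resolves "hfhilf.com".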
As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft. Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification.
In a story released a few days ago, BITS (Banking Infrastructure and Technology Services) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) technologies to authenticate mail coming from their domains as opposed to spoofed emails sent by spammers.
In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email.
Many major financial institutions are on board this bandwagon as well, but clearly there is room for improvement. As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS 100 members are currently using any form of email authentication, a statistic that seems quite different from the adoption rates of F500 brands. For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value in implementing these solutions.
Will SPF and DKIM stop spoofing? No, but what they will do is help email receivers to identify messages that are actually being sent by a financial institution like Bank of America versus an email that was sent by a spammer to merely look like an official BofA message in an attempt to steal someone's identity or web site login credentials.
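To make the "identify versus stop" distinction concrete, here is an added example (not code from the blog or from the BITS paper) of the receiver-side SPF decision: a simplified evaluator for ip4/ip6/all mechanisms run offline against a constructed record for a placeholder bank domain. Mechanisms that need DNS lookups (include, a, mx, redirect) are deliberately left out.

```python
"""Minimal offline SPF evaluator (ip4 / ip6 / all only).

Added example, not code from the original blog. The TXT answers below are
constructed for a placeholder domain; no real bank publishes them.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
    "softbank.example": "v=spf1 ip4:198.51.100.7 ~all",
}

# RFC 7208 qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP => /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include / a / mx / exists / redirect need DNS; unsupported in this example.
        return "permerror"

    return "neutral"  # no mechanism matched and no trailing "all" term


def check_sender(mail_from_domain: str, client_ip: str) -> str:
    """Look up the (constructed) record for the envelope sender's domain and evaluate."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None:
        return "none"  # domain publishes no SPF: receiver learns nothing
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    # A genuine mail server for bank.example and a spammer's host (constructed IPs).
    for ip in ("192.0.2.55", "2001:db8:10:1::5", "203.0.113.9"):
        print(f"bank.example from {ip:18} -> {check_sender('bank.example', ip)}")
```

SPF is evaluated against the envelope sender (and HELO name), not the From: header the user sees, so a pass on its own does not prove the displayed address is genuine; it only tells the receiver that the sending host was authorised by the envelope domain.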
The question that I would pose here is whether the increased consumer confidence that email authentication technologies are meant to foster comes too little, too late. I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore or have moved away from online banking entirely solely because of their concerns of having their identities stolen. In their eyes, it is easier to avoid the potential for risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not even dealing with their bank via online means. This is because they cannot distinguish between legitimate communications from their bank and what is being sent by cyber criminals.
Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet. To that point, when I think about where we are today with the low level of trust that users have overall with email as a communication and marketing vehicle, I believe that as an industry that we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.
My apologies for being a bit light on posting this week. I have been in Amsterdam for the 16th MAAWG Conference. It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!
It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.
This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured. Many of the samples that I have reviewed use different mail client names between the message subject and the body. A couple of examples:
Message Subject: Microsoft Outlook Setup Notification
Message Body:
Notice that between the message subject and the first and second sentence of the message it might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), tell you that you have X messages from Microsoft Outlook, and tell you that you need to reconfigure TheBat again. I am not sure if this is intentional or not (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.
These messages carry an attachment named client_update.zip with an MD5 checksum of a50838afddd97a744804bdb6b153b101.
Virustotal reports (as of the time of this writing) that only about 60% of the antivirus engines are detecting this malware, which is better than we typically see in the early stages of a new attack. This lends itself to the theory that this new malware is close enough to the one seen last week where the old signatures might still be catching it.
Either way, be on the lookout for this respin of last week's news.
The MX Logic Threat Operations Center has observed a new type of malware in the wild being sent out as an email posing as a reconfiguration notification for Microsoft Outlook.
The message subject is "Outlook Setup Notification" and contains the following text within the message body:
You have (1) message from Microsoft Outlook.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
The attached file is named micr__outlook_update_6556.zip and has an MD5 checksum of 7aa706c521dd8a11ef23b35fc5c4d543.
So far we are not seeing any variation in either the attachment name (which could easily be made more random with the digits on the end) or the hash, so the malware is not morphing at this point. That could easily change, as it is trivial for AV vendors and spam filters to block this particular threat.
The graph below shows hourly volumes of this new threat since about 11:30am MST on 6/2, when we originally started to observe it hitting our systems.
It looks like Western Union is the target of yet another spoofing campaign by spammers. We've seen these come and go on a fairly constant basis over the past few months where several different brands have been targeted (we've also blogged about them before), but since this one appears to be coming out in pretty high volumes, I thought it was worth mentioning.
The message itself appears to come from the Western Union Support Team (see sample below) and follows the same basic tactic that many of its UPS, DHL, FedEx, and previous Western Union scams employed whereby it is trying to trick the recipient into believing that a package or transfer that they had attempted to send was not delivered and to print out and bring the attached invoice (read: malware) to their local branch. Note the lack of specificity as to where to actually go which has been a common thread in previous scams as well.
Our Threat Operations Center is currently monitoring approximately 100,000 of these new Western Union emails per hour. Below is a graph showing the timeline and prevalence of the most recent Western Union scams starting from the 11th of May. The spike on the far right is this most recent variant.
As is usual, if there is a question about a transaction that you had made with a vendor, use the tracking number that they provided you and visit their web site or call them directly to lookup and verify your transaction. Do not fall victim to these scams.
Every so often our Threat Operations Center runs across things that are either too interesting or too humorous to not pass along. Yesterday, we saw another one of those examples.
The scam du jour targets the US Treasury. The email appears to come from the U.S. Treasury Support Center and has a subject line containing the words "Federal Reserve Bank" with various other words/phrases like "Attention" or "Read Carefully" either prepended or appended in an effort to grab the attention of the reader. As is commonplace with most of the scams that we run across, it has its share of grammatical comedies.
I found two things most interesting in this case: 1) The actual email does not do anything to convince the user that they have to do something RIGHT NOW in order to avoid some loss of privilege or convenience (e.g. their online bank account will get locked out) as most do. 2) (and in my opinion the more comical) The URL in the email contains the word "phishing" in it. Now, I understand that the phishing reference is likely in relation to the content of the message, but I found it simultaneously funny and ironic that an obvious scam would risk tipping off a would-be victim by including a word that would set off as many red flags with someone as obvious as "phishing."
As of the time of this writing the domains that are associated with this scam are still up, however the web sites that are being pointed to by these particular scams appear to be down. The fact that the domains still exist is reason to believe that they will be recycled for future federal bank related scams.
One of the strengths of Web 2.0 applications is also one of its greatest weaknesses. As information sharing has become all the rage on Web 2.0 social networking, blogging, and micro-blogging sites like Facebook, MySpace, and Twitter (and the subsequent mining of that data by search engines like Google), we need to be aware not only of the data that we are sharing about ourselves, but also be more diligent about qualifying what we read.
Case in point: a Twitter user going by the name of @officethemovie started posting content about an upcoming Zune/Windows phone to rival the iPhone. As one would guess, word started to spread quickly and @officethemovie quickly gathered over 1,000 followers. Some of the major technology publications, like PC Magazine (@pcmag on Twitter) understandably became interested as well. Come to find out @officethemovie had only created the post on Twitter in an effort to raise iPhone piracy visibility to Apple via his blog and that the Zune/Windows phone wasn't real. I feel that I've given enough publicity to @officethemovie already via his numerous mentions throughout this post, so I won't link to his blog here. Trying to drive traffic to your blog through deception is lame and basically ruins all of your credibility.
No matter what the communication medium, information is traveling quicker and is more distributed than ever before. What's the saying? "If it is on the internet, it must be true"? Obviously that is meant tongue-in-cheek, and maybe I am paraphrasing a bit, but the moral of the story is that misleading information can run rampant very quickly. Misleading information is the basis behind most of the social engineering attacks employed by cyber criminals today, so it is of the utmost importance that, whether it is something reasonably benign like a phony phone announcement or something more serious like a scam that can lead to identity theft, we don't take the risks associated with Web 2.0 technologies lightly. Perhaps what we are dealing with is the Web 2.0 version of hacktivism?
Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu. With the number of confirmed swine flu cases rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world, coupled with the looming threat that the World Health Organization (WHO) will raise its pandemic alert because of the illness, you have a combination of circumstances that creates a dangerous cocktail that we frequently see spammers and phishers jump all over.
Although we are yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up. Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns related to donations to help victims of Swine Flu purporting to be from the WHO or other related organizations. We could also see emails that attempt to lure users to news oriented web sites that play videos which are setup as spoofs for the intention of distributing malware.
News grabbing events like the Swine Flu outbreak are exactly the type of social engineering lures that spammers love to latch onto because of the public's interest in learning more about the topic. Be aware. If you would like to learn more about the recent Swine Flu, or any other breaking news story topic, visit the site of your most trusted news organization directly. Clicking on links within emails is an invitation for trouble.
Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009.
As we know, where there are users, there are hackers. Any technology that has grown in popularity at the speed of which Twitter has is certain to become a target for information and money stealing cyber criminals. As such, Twitter has been the target of several application exploits over the last few months including a Samy-like exploit which would force users to follow you, multiple Clickjacking exploits, and two worms dubbed Mikeyy and Stalkdaily just this past weekend.
Funny enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence. So far, that fallout does not appear to have taken place with Twitter. At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months. Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits. Rest assured, those are coming!
So, what can we learn as a result of Twitter's recent security woes?
I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is built into your product from the concept and design phases, not after the code has been released to the public. This is true for online applications like Twitter as well as boxed software that you buy in stores. Don't let your customers be your test bed for identifying security risks, because you can bet that criminals will find and exploit those risks before your customers do, and at that point you have put your customers at risk too. It is far cheaper and less damaging to your corporate brand and reputation to identify security risks up front, before any code is launched, than to try to retrofit security into a live product.
Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances. I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been. Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.
Let's take the Mikeyy worm as a primary example. One of the ways Mikeyy spread was by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user whose page carried the exploit (a cross-site scripting flaw in profile content, in Mikeyy's case). Once that page was visited the viewer's account was hijacked and Tweets were sent out as them to their followers, trying to trick them into clicking too. Rinse and repeat. In this instance the worm was merely spreading across Twitter to anyone who was fooled into clicking the link presented in the Tweet. What if that link had forwarded unsuspecting users to a drive-by malware site that installed malware like Storm or Conficker? In a previous post we discussed how URL abbreviation services can hide an underlying threat vector, redirecting users to drive-by malware or phishing sites. Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.
In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online. Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online. I use it myself. As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases. Back in late January we reported on Waledac returning to its familiar roots of sending out spam linking to malware-infected web sites. Frequently these messages were tied to some sort of holiday and used e-cards as a lure to get potential victims to open the email and visit a malicious web site.
We saw a couple of different iterations of their most recent Valentine's Day campaigns. One was for a Valentine Devkit (see above link) and another was a lure for the ever-popular e-card. Since February 22nd, Waledac has taken a bit of a different twist on its typical holiday themes and has focused its efforts on something just as timely: the economy. Making a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, the Waledac folks sent out emails linking to their spoofed look-alike sites. As with many other Waledac/Storm generated web sites, just about everything on the page is an image. This is generally a dead giveaway to folks who have been tracking Waledac/Storm for some time, but it is a detail that is likely lost on most users, who are unaware they are being duped. The images link to a binary executable file which, when downloaded and run by the user, enlists their PC into the botnet.
Below is a screenshot representation of the fake couponizer site:
Take a moment to visit the real couponizer.com and you will notice that the look alike and legitimate sites bear some similarity.
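The "everything is an image, and the images link to an executable" pattern described above is mechanical enough to check for automatically. The following is an added example written for this post, not code from MX Logic or from the Waledac analysis: it walks a page with Python's standard html.parser, counts visible text versus images, and reports any image that is wrapped in a link to an executable. The two HTML documents embedded in it are constructed for the demo (the file name couponizer.exe and the hosts in them are made up), not captures of the real spoofed site.

```python
"""Heuristic check for Waledac/Storm-style landing pages: almost no visible
text, and images wrapped in links that point straight at an executable.
Added example; not code from the original blog post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a "coupon" or "e-card" page has no business linking to.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")


class LurePageParser(HTMLParser):
    """Collect anchors, note which ones wrap an <img>, and tally visible text."""

    def __init__(self):
        super().__init__()
        self.links = []           # [href, wraps_image] for every <a href>
        self.image_count = 0
        self.text_chars = 0
        self._open_anchor = None  # index into self.links while inside an <a>
        self._skip = 0            # depth inside <script>/<style>, not visible text

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a" and attrs.get("href"):
            self.links.append([attrs["href"], False])
            self._open_anchor = len(self.links) - 1
        elif tag == "img":
            self.image_count += 1
            if self._open_anchor is not None:
                self.links[self._open_anchor][1] = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "a":
            self._open_anchor = None

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())


def links_to_executable(href):
    """True if the URL path (ignoring the query string) ends in an executable extension."""
    return urlparse(href).path.lower().endswith(EXECUTABLE_EXTS)


def assess_page(html):
    """Return the indicators a triage analyst would want for a spamvertised page."""
    p = LurePageParser()
    p.feed(html)
    exe_links = [href for href, _ in p.links if links_to_executable(href)]
    image_exe_links = [href for href, wraps in p.links
                       if wraps and links_to_executable(href)]
    return {
        "visible_text_chars": p.text_chars,
        "images": p.image_count,
        "executable_links": sorted(set(exe_links)),
        "image_links_to_executable": sorted(set(image_exe_links)),
        # Suspicious: an essentially image-only page whose images download a binary.
        "suspicious": bool(image_exe_links) and p.text_chars < 200,
    }


# Constructed sample standing in for the spoofed couponizer.com page; the
# file name, paths and host are made up for the example.
LURE_HTML = """
<html><head><title>Couponizer</title><style>body{margin:0}</style></head><body>
<a href="/download/couponizer.exe"><img src="header.gif"></a>
<a href="/download/couponizer.exe"><img src="buy_now.gif"></a>
<a href="http://example.invalid/download/couponizer.exe"><img src="footer.gif"></a>
<script>var hits = 1;</script>
</body></html>
"""

# Constructed benign page with real text and ordinary links.
BENIGN_HTML = """
<html><body>
<h1>Organize your coupons</h1>
<p>""" + ("Save money on groceries with a simple binder. " * 6) + """</p>
<a href="/about.html"><img src="logo.png"></a>
<a href="/signup.html">Sign up</a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(name, assess_page(page))
```

The text threshold is a heuristic and the parser ignores alt text, so treat a hit as a reason to look at the page, not as a verdict; the useful signal is the last field, an image-only page whose images resolve to a binary download.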
Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.
Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):
You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next. The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.
Another interesting thing to notice from the graph is that we actually saw more Valentine's day e-card spam coming from Waledac AFTER Valentine's Day than before.
Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to levels that it was at prior to Microsoft releasing its September 2007 MSRT update which Microsoft claims was responsible for mostly taking down its predecessor, Storm. This botnet clearly isn't just about holidays anymore.
Starting earlier this morning our Threat Operations Center started tracking a new Classmates.com themed spam email that links to a video site that contains malware.
The sample messages that we have received have a From line that spoofs the classmates.com domain and appears in your mail client as "Classmates [random word] Center", where [random word] is a word like "updates" or "manager" (so it would appear as "Classmates updates Center" or "Classmates manager Center"; note that "Classmates" and "Center" are capitalized but the inserted middle word is not).
The message content is fairly static with a few variations between the samples. Below is a copy of one of the emails:
Special video report February 25, 2009:
One of your classmates has sent you a video invitation:
"Read the story and see photos of my wedding and our tour,Please discover our video invitation to your family. I hope to get back from you soon..."
Sincerely, Corine Sutherland.
2009 Classmates Organisation Message Centre.
The elements that we have seen vary between samples are the link to the malware site and the name in the closing of the message.
Once clicked, the link brings the user to a classmates.com-branded site with a link to an executable file posing as a video. The file name downloaded is "Adobemedia10.exe".
Volumes have ranged in the 30-70k per hour range since the 6am MST hour this morning.
The subject lines that we have observed associated with this campaign are:
2009 Annual Meeting
2009 Classmates - 2009 Meeting
2009 Classmates - Annual Meeting
2009 Classmates - Getting Video
2009 Classmates - Ill have more to say about the specifics of the meeting soon
2009 Classmates - Meetings
2009 Classmates - Save video fragments from movies with the simplicity of pressing ...
2009 Classmates Annual Meeting
2009 Classmates Annual Meeting -- Coming Soon! - Modern ...
It looks like the Waledac botnet folks are at it again...new e-card spam with links to malware using a Valentine's Day theme.
The email itself is your standard-fare e-card Valentine's Day lure (subject lines start with "You've got an e-card at <random greeting card domain>"). However, unlike many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):
----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"
You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------
We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain.
Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes" enticing you to download their malware:
Clearly there is a disconnect between the email which is telling you to pick up your e-card and the web site which is asking you to download a "Valentine Devkit" (mistake number 2). As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign.
The commercial AV guys don't appear to be up on this one yet so keep your eyes open! We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post any new variants that we see coming from these guys here.
Here's a great story about social engineering from the folks over at the Internet Storm Center that originates with fake parking tickets being placed on car windshields. The recipient of the "ticket" is then asked to visit a website to get more information about the ticket. When the "offender" visits the web site, they would see photos of various cars parked in parking lots.
The article gives much more detailed information about how the plan was carried out and some of the technical analysis of the malware, if you are interested.
The lure of putting a fake parking ticket on someone's car is certainly something new and different (and probably duped a few people). Based on the description of the behavior of the BHO that was installed, which tries to get users to download a fake antivirus application, this tactic sounds very similar to the Conficker/Downadup botnet that has received quite a bit of press lately, although no definitive link has been made yet between the two. One would guess that there was some customization of the malware that users were downloading that would benefit the person who was placing the "tickets", as this method of social engineering is clearly not conducive to wide-scale infection.
Last week Heartland Payment Systems Inc reported a data breach of over 100 million credit card numbers and cardholder names. Monster.com is now also reporting a compromise of passwords, user IDs, names, email addresses, and other PII of an undisclosed number of accounts and is advising all of its users to change their passwords immediately. It's too bad that most of monster.com's users only regularly access their accounts when they are actually looking for a job which means that many may never get the message or take the time to update their password. This leaves a lot of accounts as wide open opportunities for identity and data theft.
Combine all of this news with this report on CNN Money that over 71,400 jobs were lost today alone (when I last looked at the report it was 68,000 so the number is getting larger as the day wears on!) and we have a dangerous cocktail for fraud and fraud victims!
So, it is a given that there will be more (and already has been) fraudulent activity related to the monster.com and Heartland breaches. The bigger problem that comes out of this is that we now have over 71,400 people now trying to figure out how they are going to support their families and themselves while they look for new employment.
These newly unemployed job seekers are now prime targets for cyber crime. Whether it be stock pump and dump scams, fraudulent IRS refunds, phony job announcements (work at home opportunities appearing to come from monster.com?), or "make a quick buck" schemes, people in vulnerable positions are frequently the most likely victims of criminal activity. As such, it is important for everyone to be more diligent than ever in trying to separate the wheat from the chaff as it relates to any kind of "too good to be true" offer. Good social engineering preys on weaknesses and stresses a potential victim's urge to "act now". During times of unemployment or uncertainty your inherent ability to judge is clouded and irrational decisions are often made resulting in more complicated problems. Be educated, be aware, and be diligent. Don't be a victim.
Starting during the 8pm MST hour on Thursday night (January 22nd) our Threat Operations Center observed a new Valentine's Day themed spam that appears to be coming from the Waledac botnet (new Storm botnet) gang. It follows in the tradition of Storm by sending out holiday-themed emails, further supporting the theory that the folks behind Waledac are likely the same ones who created Storm.
Emails are short and sweet one liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link. No malware is attached to the email itself. Subject lines also have a love theme to them. Some of the examples that our Threat Operations Center have observed include "Falling in love with you", "I belong to you", and "I love being in love with you". Once the link in the email is clicked the user is brought to a site that has an image of 12 hearts and has the bold text "Guess, which one is for you?" and looks like the following:
Clicking anywhere within the hearts follows a link to an executable file that the user can download and install to infect themselves. Infection does not occur merely by visiting the page. The executable file (e.g. you.exe or love.exe) must be run to install the malware.
This page is also using Google Analytics to track number of visitors and where those visitors are coming from.
Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours. Traffic has been steadily increasing since the messages were first observed, as illustrated in the graph below:
Clearly the old Storm folks are working as hard as they can in efforts to build up their new botnet and are following the old tried and true methods of centering their social engineering tactics around holiday themes. It was very successful for them the last time around so why fix what isn't broken, right? Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times it gets recycled.
*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day. Average volume since 9am is about 11k per hour. We will continue to monitor over the course of the weekend and will post updates as necessary.
*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend. The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign. If you are not already doing so, you may want to consider blocking access to them. Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5 hour hiatus Saturday afternoon between the hours of 2-7pm MST. Maybe they were watching the NHL All Star Festivities :) Current volume graph below ***
I wanted to take a few minutes and post a follow up to my blog the other day about an article written by Lance Winslow that was originally written in 2005 and reposted here by ezinearticles.com with the date of December 31, 2008 making it appear as if the content was written recently by Lance.
Businesses do have a lot of choices when making decisions about protecting their network infrastructures. They can choose to do it in-house using a number of open source solutions or commercial desktop software. They can also purchase a network-based appliance, which typically has to be maintained in-house as well, or they can look to in-the-cloud solutions using a Managed Service like MX Logic (I'll reiterate my partiality to Managed Services :) ). No matter which type of solution you prefer for your organization, almost all are effective at stopping spam. Some of the bigger questions that must be answered by any company making these decisions are how much control it wants to have, how much risk it deems acceptable (from a bandwidth perspective) in the event of a large outbreak, and how much internal resource it wants to allocate to managing these solutions.
Overall, spam rates are still down about 45% from their most recent peak in August as a result of the McColo shutdown. Despite the movement to the web as a primary malware delivery vehicle, and with occasional peaks and valleys in mail flow over short periods of time, spam volumes have historically continued to increase and will continue to do so. The biggest reasons for these historical increases are improved attack precision (i.e. more targeted attacks and fewer en masse spam campaigns) and refined social engineering that dupes users into opening attachments and visiting web sites that enlist their PCs into botnets.
I do agree with Lance's point with respect to the efforts already put forth by the FTC as being largely fruitless. There have been few arrests since CAN-SPAM went into effect 5 years ago. At the end of the day, spammers are criminals and should be arrested, but cooperation is needed by many others outside of law enforcement like the upstream bandwidth providers and domain registrars if we are really to make a dent in the spam problem.
At the end of the day, whether spam volumes are up or down, cyber crime is both a criminal and a social problem. I think the criminal part is pretty self-explanatory, but what drives people to cyber crime? Money. Lots of it. With the relatively few arrests that have been made in comparison to the number of spammers trying to fill our inboxes every day, cyber crime is considered a low-risk, high-reward venture. Considering the difficult economic times we are now in the middle of, where companies are tightening their belts as much as possible and unemployment is rising daily, it would not be surprising to see more people getting involved in cyber crime.
So, to come back to my original point before going on a bit of a tangent: Is an article written back in 2005 about spam volumes, tactics, and defenses entirely relevant today? I would say both yes and no. Although tactics have evolved and businesses are feeling more and more pressure every day to find ways to keep their mail servers online and prevent confidential data from leaking out of their networks, there are a lot of options available. Businesses need to evaluate which type of solution provides them with the options and features that best suit their business and compliance needs.
On Saturday, Twitter posted this security alert on its web site to make users aware of a phishing campaign that was going around via Twitter direct message attempting to steal login information for the social networking site.
Phishing campaigns are certainly nothing new. So, what makes this interesting or different?
Phishing emails are certainly something we have become accustomed to in our inboxes and they are becoming more popular on personal profile pages on social networking sites like Facebook and Myspace. In the December version of the MX Logic Threat Report and Forecast the very first prediction we made for 2009 was an increase in (ab)use of social networking technologies by spammers and other cyber criminals.
Twitter presents a bit of an interesting twist because URLs posted to "tweets" (status updates posted by Twitter subscribers) and direct, private messages sent person to person are shortened using URL abbreviation tools like tinyurl.com and bit.ly. These types of services allow a cyber criminal to easily hide a potentially malicious or fraudulent URL behind the covers of a legitimate looking one. For example, a user could unknowingly be directed to a web site that silently injects a keylogger on their PC by clicking on one of these links. URL abbreviation tools can also be utilized to hide a nasty URL within the body of an email as well so this is not an attack that is solely abused by spammers using social networking technologies.
There is more to this potential threat than just the risk of redirection to a phishing site. Cross-site scripting and SQL injection vulnerabilities can also be exploited this way if the flaw is triggered by code carried in the URL: the malicious payload is placed in the URL, compacted with tinyurl.com, then distributed in an email, so every recipient who clicks delivers the payload to the target site on the spammer's behalf, and the same mass of clicks could just as easily be used to drive a DDoS against that target.
For the potential risk that sites like tinyurl.com and bit.ly can potentially introduce they certainly do have their place. Sites like monster.com for example sometimes create URLs that are extremely long when copied and pasted into an email so abbreviating the link address is a great way to keep your message professional looking. As with all other online threats, diligence is of the utmost importance. Spam and phishing threats via social networking applications is still new territory in many regards when compared to email (for example) so many users do not think about the potential security ramifications that come along with using these technologies. That education is occurring rapidly, but is also happening partly by necessity as more and more users are falling victim to quickly evolving tactics on the part of cyber criminals.
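Since the whole point of the abuse described in this post (and in the Twitter worm post above) is that the shortened link hides where you will end up, the practical check is to expand the link yourself before anyone clicks it: follow the redirects one hop at a time, never fetch the final page body, and look at where the chain lands. Below is an added example of that check, not code from the original posts or from tinyurl.com or bit.ly. The fetcher is injectable so the demo runs offline against a constructed redirect table; the hostnames and IP addresses in that table are made up (documentation ranges), and the real fetcher uses only a HEAD request with redirects disabled.

```python
"""Expand a shortened URL by following HTTP redirects one hop at a time, without
auto-redirect and without fetching the final page body, then flag what you land on.
Added example, not from the original post; the fetcher is injectable so the demo
runs offline against a constructed redirect table."""
import http.client
from urllib.parse import urlparse, urljoin

SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd", "ow.ly", "snipurl.com"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".msi")
REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def live_fetch_head(url):
    """Real fetcher: one HEAD request, redirects NOT followed. Returns (status, location)."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", target, headers={"User-Agent": "unshorten-check/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=live_fetch_head, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with the short URL. Stops on a
    non-redirect response, at the hop limit, or when a loop is detected."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        chain.append(nxt)
        if nxt in seen:                      # loop: record it and stop
            break
        seen.add(nxt)
    return chain


def assess(chain):
    """Turn a redirect chain into the flags an analyst cares about."""
    final = urlparse(chain[-1])
    host = final.hostname or ""
    flags = []
    if final.path.lower().endswith(EXECUTABLE_EXTS):
        flags.append("final URL is an executable download")
    if host.replace(".", "").isdigit():
        flags.append("final host is a bare IP address")
    if sum(1 for u in chain if (urlparse(u).hostname or "") in SHORTENER_HOSTS) > 1:
        flags.append("chained through more than one shortener")
    if len(chain) > 1 and chain[-1] in chain[:-1]:
        flags.append("redirect loop")
    if len(chain) > MAX_HOPS:
        flags.append("hop limit reached")
    return {"final": chain[-1], "hops": len(chain) - 1, "flags": flags}


# Constructed redirect table standing in for the shortener and the attacker's
# hosts; none of these URLs come from the original posts.
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (301, "http://192.0.2.10/video/"),
    "http://192.0.2.10/video/": (302, "flashplayer_update.exe"),
    "http://192.0.2.10/video/flashplayer_update.exe": (200, None),
    "http://tinyurl.com/job99": (301, "https://example.com/jobs/listing?id=42"),
    "https://example.com/jobs/listing?id=42": (200, None),
}


def fake_fetch_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://tinyurl.com/abc123", "http://tinyurl.com/job99"):
        chain = expand(short, fetch=fake_fetch_head)
        print(" -> ".join(chain))
        print(assess(chain))
```

Two design points worth noting: the hop limit and loop check exist because an attacker controls every hop and can bounce you forever, and HEAD without auto-redirect means you learn the destination without your client ever requesting the payload. A shortener that serves an interstitial page instead of a 301 will stop the chain early, so treat a short chain ending at a shortener host as unresolved rather than safe.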
There has been quite a bit of press over the last day or two about a weakness in the MD5 hash function, which some certificate authorities were still using to sign SSL certificates, that let researchers forge a CA certificate your browser would trust. This circumvents the built-in authentication in your browser: a malicious look-alike web site for your bank could authenticate to your browser as your real bank's web site if the attack is carried out correctly. See this story from CNET, which has a graphical proof-of-concept example using Bank of America.
If you are not familiar with MD5, it is a hash function that produces a 128-bit digest and is used by many security applications. For example, an MD5 hash is commonly used as a checksum by system integrity validators (SIV) to ensure that key binaries on your system have not been modified (if they have, this could indicate a trojan or rootkit has been installed on your system).
MD5 has been known for some time not to be secure against collisions. Its 128-bit digest (usually written as 32 hexadecimal digits) means there are only a finite number (2^128) of possible hash values, so collisions must exist, but a brute-force search for one would still take on the order of 2^64 attempts; the real problem is that since 2004 published attacks have found MD5 collisions in minutes on an ordinary PC, and the chosen-prefix collisions this forgery needs are far cheaper than brute force. MD5 had been considered good enough for many applications, but with the power of today's clustered computing environments (including botnets), the time it takes to generate a targeted MD5 collision has been greatly reduced. According to the CNET article, performing the initial forgery proof of concept took about 2 weeks on a cluster of 200 PlayStation 3s. That kind of computing power is tiny compared to most botnets. Quite a few articles on the web (do a Google search for "md5 collision example" and some will yield source code) already discuss how easy it is to create an MD5 collision.
Web site forgeries are only one example of how MD5 collisions can be used to circumvent security technologies. My friend Adam O'Donnell from Cloudmark points out in a Twitter update that an MD5 collision could also be utilized to make malicious software look legitimate. Take our SIV example from earlier. If a malicious version of a binary was created with the same md5 checksum as its legitimate counterpart, your security checks may never identify that the original executable was modified if your PC were to get infected with some type of trojan or rootkit. This could also cause AV companies to have to rethink how they do some of their own scanning methods also.
What all of this really highlights is that MD5 is no longer a "good enough" hashing algorithm (and in reality hasn't been for a while, though that hasn't stopped people from using it) if your intention is to create a hash that will be used as part of any kind of security or authentication system. I agree with Paul Kocher's statement in the CNET article that this is certainly not one of the biggest security issues facing us right now. Among all of the other application-based attacks that exist, though, this one could potentially be very dangerous, as it is another one of those we have discussed that do not require elaborate social engineering to be carried out effectively (at least for web site forgeries), since the redirection to a malicious site can be done at the network level.
This is not one of those types of attacks that is likely to occur on a large scale against many widely used web sites (like the Bank of America proof of concept) as it would likely get sniffed out very quickly, but if used for smaller, more localized attacks could prove to be effective.
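The practical question this leaves for an administrator is simple: which hash signed the certificates my users are trusting? The answer is inside the certificate itself, in the signatureAlgorithm OID. Below is an added example that reads that OID by walking just enough DER to reach it, with no external libraries; it is not code from the CNET article or from the researchers' work. The certificates it builds to demonstrate itself are constructed skeletons (version, serial number and the two AlgorithmIdentifier fields are real DER, but issuer, validity, subject and key are omitted), so they are not valid certificates, only enough structure to exercise the parser offline.

```python
"""Check which hash an X.509 certificate's signature uses by walking just enough
DER to reach the signatureAlgorithm OID. Added example, not from the CNET article
or the researchers' code; the certificates built below are constructed skeletons
(not valid certificates) so the check can be demonstrated offline."""

# OIDs for the RSA signature algorithms a 2008-era CA would emit.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
COLLISION_BROKEN = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode an OBJECT IDENTIFIER value into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def algorithm_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid_body, _ = read_tlv(alg_identifier, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid_body)


def signature_algorithms(cert_der):
    """Return (outer, inner) OIDs: Certificate.signatureAlgorithm and
    TBSCertificate.signature. RFC 5280 requires them to match."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, tbs, pos = read_tlv(cert, 0)          # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)    # signatureAlgorithm
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # skip optional [0] EXPLICIT version
    _, _, pos = read_tlv(tbs, pos)           # serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)     # signature (inner AlgorithmIdentifier)
    return algorithm_oid(outer_alg), algorithm_oid(inner_alg)


def assess(cert_der):
    outer, inner = signature_algorithms(cert_der)
    return {
        "oid": outer,
        "name": SIGNATURE_OIDS.get(outer, "unknown"),
        "collision_broken_hash": outer in COLLISION_BROKEN,
        "inner_matches_outer": outer == inner,
    }


# --- minimal DER encoder, used only to build the constructed test certificates ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += enc
    return tlv(0x06, bytes(body))


def build_skeleton_cert(outer_oid, inner_oid=None):
    """Constructed certificate shell (NOT a valid certificate): version, serial and the
    two AlgorithmIdentifier fields only, which is all the parser above reads."""
    outer_alg = tlv(0x30, encode_oid(outer_oid) + b"\x05\x00")
    inner_alg = tlv(0x30, encode_oid(inner_oid or outer_oid) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + inner_alg)
    return tlv(0x30, tbs + outer_alg + tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(assess(build_skeleton_cert(oid)))
```

To run this against a live server, fetch the PEM with ssl.get_server_certificate((host, 443)) and convert it with ssl.PEM_cert_to_DER_cert() before calling assess(). The check is per certificate, so inspect every link in the chain, not just the leaf: the 2008 forgery was a rogue intermediate CA, and a leaf signed with SHA-1 under an MD5-signed intermediate is exactly the case that matters.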
Just hours after Barack Obama was projected by all of the major news outlets to become the 44th President of the United States, cyber criminals have already launched a link-based malware campaign using Obama as a lure. Uncle Sam wants you to vote. Spammers want you to join their botnets!
As with most effective malware campaigns, timeliness is everything. From what we are seeing so far, the social engineering tactic being used, coupled with the interest in the election and its outcome, is already producing high volumes: many users are being tricked into infecting their PCs with this malware, which will then be used to send out more of this type of spam.
Starting at about 8am MST this morning we started to see messages come into our spamtraps purporting to be from various credible news organizations using from addresses like news@bbc.com, news@cnn.com, election@usatoday.com, among others. The emails have subject lines such as "Barack Obama Wins", "Election Night Results", and "Fear of a Black President".
The messages themselves vary a bit, but the basic premise is the same across the different variants that we have observed so far.
Here is one sample:
-----------------------------------------------
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
------------------------------------------------
As usual, note the grammatical errors.
The link in the message brings the user to a look alike news web site which alleges that the user must download an updated version of flash to view the video of Obama's speech:
Clicking on the download link attempts to download a file called adobe_flash9.exe, which contains the malware.
If early indications are any indication of future success, this campaign is going to be a success, but won't win the popular vote (ok, sorry for my bad political humor). In the first 2 hours we have already seen almost 1M of these messages (over 350k in the 8am MST hour and over 600k in the 9am hour).
The folks over at Websense reported another Obama malware campaign in Spanish. This, however appears to be a very low volume, targeted campaign. We have seen less than 50 of these total, but it underlines the fact that cyber criminals are definitely jumping on the post-election bandwagon and doing it in a big way. Strangely enough, if this trend continues we might see more post-election spam than we saw pre-election. Who would've expected that?
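Both this campaign and the Classmates.com run described earlier share one shape: a From header that borrows a trusted brand, a subject line from a small fixed set, and a body link that leads somewhere the brand does not own (here a fake news page pushing adobe_flash9.exe, there a fake classmates.com page pushing Adobemedia10.exe). The following is an added example of a rule-based triage check for that shape, written for these two posts and not MX Logic's filtering code. The three messages embedded in it are constructed from the patterns the posts describe; the lure hosts are documentation IP addresses and the benign newsletter is made up.

```python
"""Rule-based triage for link-lure spam like the Classmates.com and post-election
Obama campaigns described above. Added example, not MX Logic's filtering code; the
message samples are constructed from the patterns the posts describe."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the two campaigns impersonated in the From header.
SPOOFED_DOMAINS = {"classmates.com", "bbc.com", "cnn.com", "usatoday.com"}
# Display-name shape from the Classmates run: "Classmates <lowercase word> Center".
CLASSMATES_NAME = re.compile(r"^Classmates [a-z]+ Center$")
# Subject lines observed in the two campaigns.
SUBJECT_PREFIXES = ("2009 Classmates", "Barack Obama Wins", "Election Night Results")
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def host_belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(raw):
    """Return a verdict plus the reasons, so an analyst can see which rules fired."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    urls = URL_RE.findall(body_text(msg))

    spoof, lure = [], []
    if sender_domain in SPOOFED_DOMAINS:
        spoof.append("From claims to be %s" % sender_domain)
    if CLASSMATES_NAME.match(display):
        spoof.append("Classmates-style display name %r" % display)
    if subject.startswith(SUBJECT_PREFIXES):
        lure.append("known campaign subject line")
    for u in urls:
        parsed = urlparse(u)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXECUTABLE_EXTS):
            lure.append("link to executable: " + u)
        elif sender_domain and not host_belongs_to(host, sender_domain):
            lure.append("link host %s does not belong to %s" % (host, sender_domain))
    # A spoofed brand plus an off-brand lure is the signature of both campaigns.
    verdict = "malware-lure" if spoof and lure else "clean"
    return {"verdict": verdict, "reasons": spoof + lure, "urls": urls}


# Constructed samples (not captured messages); hosts are documentation addresses.
CLASSMATES_SAMPLE = """From: "Classmates updates Center" <noreply@classmates.com>
To: victim@example.org
Subject: 2009 Classmates - Annual Meeting
Content-Type: text/plain

One of your classmates has sent you a video invitation:
http://198.51.100.7/classmates/video/Adobemedia10.exe
"""

OBAMA_SAMPLE = """From: CNN News <news@cnn.com>
To: victim@example.org
Subject: Barack Obama Wins
Content-Type: text/html

<html><body><p>Watch His amazing speech</p>
<a href="http://203.0.113.5/news/election/">Proceed to the election results news page&gt;&gt;</a>
</body></html>
"""

BENIGN_SAMPLE = """From: Newsletter <news@example.com>
To: reader@example.org
Subject: Weekly digest
Content-Type: text/plain

Read this week's stories at http://www.example.com/digest/2009-02
"""

if __name__ == "__main__":
    for sample in (CLASSMATES_SAMPLE, OBAMA_SAMPLE, BENIGN_SAMPLE):
        print(classify(sample))
```

The verdict deliberately requires both halves, a spoofed brand and an off-brand lure, because either alone is common in legitimate mail (marketing sent through a third party links off-domain all the time). The brand list and subject prefixes are the parts you would keep updating as the campaigns morph; the link-versus-sender-domain check is the part that keeps working after they do.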
According to this PC World Article, spammers have started using political hacktivism by reaching out to keep voters from going to the polls during this election season. Emailed warnings have been sent to people in Maryland telling them that they cannot vote in the election if their homes have been foreclosed on. There have also been reports in Florida that emails have been circulating that your driver's license and social security information will need to match up with federal records in order to be able to vote.
I am certainly no political guru, but the thing that interests me the most about this is what is intended to be gained by spammers by employing this tactic? These emails have been sent out en masse and have not been targeted towards a particular party affiliation. So, it isn't like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other. Either way, in this financially motivated underground economy, it isn't clear to me what a spammer would have to gain by spreading these types of messages. There is no proof at this time that these emails are in any way associated with either the Obama or McCain campaigns.
This certainly isn't the first time that email has been used to spread false political messages, but in many of those cases there has been a target or some kind of agenda associated with it. Barack Obama has been the social engineering lure used in a couple of spam and malware campaigns since the Democratic National Convention concluded, but those have been attempts to discredit Obama by associating him with non-existent online sex videos.
The long and short of all of this is, with one week to go until the election there are likely to be more email campaigns with similar political themes. It is also entirely possible that as users are visiting more and more political web sites to ensure that they are informed about all of the local issues that they will be voting on that some of those web sites may become compromised by cyber criminals. Compromise of legitimate web sites is becoming more and more common. So, be sure that your computer is up to date with all of its latest security updates and patches.
As if Windows users didn't fear Patch Tuesday enough, today there is a new email-borne malware campaign attempting to trick people into installing a piece of malware posing as an official update from Microsoft.
As with many poorly constructed malware campaigns, there is a lot of broken English in the email (even in the Subject line!). The PGP signature at the bottom of the message also appears to be random.
The subject line of the message is "Security Update for OS Microsoft Windows" and it claims to contain an update for several unsupported versions of Windows. This is likely an attempt to infect users who are still on these ancient versions of the Windows OS. Considering the fact that versions of Windows like Windows 98 have been unsupported for so long, if you are still using one, you are likely already infected with lots of other malware and are already part of many other botnets.
Fake Microsoft Updates are certainly nothing new. We've been seeing them for a couple of years now, but the timing coinciding with Patch Tuesday throws in a wrinkle that I do not recall seeing previously.
It is important to note and remember that all Microsoft Windows updates are distributed either by download off of the Microsoft Web site or through the Windows Update service. Microsoft never releases official patches by email. It is likely that most people are not even seeing this email arrive in their inboxes because most organizations filter out executable attachments (the email comes with a .exe attached to the message) by default.
The message follows:
-----------------------------------------
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.
As is typical with any high profile news story, our Threat Operations Center is immediately on the lookout for any new spam campaigns that might start using that story as a social engineering lure.
This post is an alert that we are likely to start seeing spam campaigns (none have been observed by our TOC as of yet) related to the OJ Simpson guilty verdict from last week. Similar to the CNN and MSNBC campaigns from August it is likely that these spam emails will use a lure to an online video to trick users into visiting malicious web sites that download alleged video codecs that are actually malware.
It appears that some search engines are already being poisoned with links to malicious video downloads based off of certain search criteria related to the verdict. It is typical for these types of tactics to start bleeding into email as well.
If/When we start observing these tactics, we'll be sure to post them along with their details.
I figured that I should write about something timely before I started getting into the things that I have been backlogging lately.
If you recall, back in May we wrote about Google AdWords Phishing (click here for the original post) where the phishing message body was a plain text email alerting users that their AdWords payment could not be processed and that they had to log in to the AdWords site (via a link in the email that led to a fraudulent web site).
The latest tactic has a couple of different twists. The first one of note is that this particular spammer is using an image within the email to render the phishing content. See the below screen shot which is a sample of the email:
The email looks like an HTML formatted message, but it is actually a single image with the spam content contained inside and an image map where the link is. The link points to a legitimate sounding domain as well: selectadwords.net, hosted out of Spain.
The second twist from the original scam is that this message is telling you that you need to renew your AdWords service or else the account will be deactivated. As with many other scams, this is to try to instill a sense of urgency in the recipient and to get them to take action before they have a chance to think about the fact that this might be fraudulent. All in all, I would say this is a pretty well done scam.
So, why phish Google AdWords? AdWords accounts are separate from Gmail accounts (even though they are all under Google, you use different logins to access each) so they aren't using the information to compromise legitimate accounts to send out spam. They are likely using them to try to extract the payment information used on the account to either steal money or use it as an intermediary account to transfer funds as part of a larger fraud scheme.
As always, if you receive any messages that look like this, promptly delete them.
Hackers combine bots, malware and search engine expertise to drive porn traffic
There has been a considerable increase in the use of comment and profile spam to promote pornographic or phishing sites in search engines. Today we discovered that the AARP’s website has been compromised by a two-pronged attack.
First, hackers found vulnerabilities in AARP.org’s user profile functionality, allowing them to post JavaScript redirect code and HREF links to porn sites. Second, hackers employ bots in a massive campaign to submit blog comments containing links to the hacked AARP.org user profiles.
This provides hackers with multiple benefits. Among them:
Search engines rank sites based upon links from other sites. If a high-ranking site like the AARP (to which Google has assigned a Page Rank of 8/10) links to the hacker’s site, it increases the recipient site’s ranking and traffic.
The bot-driven blog comment spam drives increased visibility of the hacked AARP profiles, driving higher traffic numbers and ranking to the AARP profile itself.
Users who view the seemingly innocent AARP member profiles are automatically redirected to porn sites, and served up malware "anti-virus" applications to help them "fix" the problem.
Typically, most blog platforms do a fair job of limiting comment spam. Even so, a cursory check for inbound links to some of the hacked AARP.org profiles shows many blogs now have the AARP.org bot-submitted links in their comment areas.
As we’ve covered before, spam makes a lot of people a lot of money. Hackers have great incentive to find vulnerabilities in email systems as well as web-based content management platforms. They're also increasingly using SEO (search engine optimization) to help stack the odds in their favor. The possibility of being able to inexpensively market on such a massive scale means the threat will never completely go away.
Whether it’s your website or your email network, constant vigilance is necessary to keep your organization from getting egg on its face.
Just ask the AARP.
(Note: The above image is from a non JavaScript auto-redirecting post.)
I've taken a bit of heat internally because I neglected to announce last week's posting of the monthly MX Logic Threat Report and Forecast for September. The latest edition can be downloaded here.
In that report we mention our prediction that, as the Democratic and Republican National Conventions concluded and the campaign season kicked into high gear, we expected to see a continuation of some of the more recent spam tactics, where hackers use tabloid-like news headlines as a lure to get people to open malicious emails, but with a political twist. So, instead of using fake Britney Spears or Oprah headlines as a means to get unsuspecting users to view a video or news clip, the movement has started toward targeting Barack Obama using similar means.
Some of the subject lines that we are currently seeing targeting Obama are:
Obama is ponstar now
Porno with Obama
Sex Video with Obama
Obama Sex Video
Barack Obama Hardcore
Barack Obama sex story with girl
Obama private porno
Barack Obama sex story with Ukrainian girl
Note that we have not yet seen any similar tactics targeting John McCain.
Volume on this tactic is currently extremely low (under 100 total have been seen thus far), but this is likely a proof of concept method that will play itself out over the next two months where more believable tactics are used by spammers. Instead of using tabloid like headlines, be on the lookout for emails containing attachments or links to sites claiming to be hosting the latest candidate television commercial or video with excerpts from a speech at their latest campaign stop.
Obviously there is a bit of a shock factor with these tabloid like headlines that grab people's attention, but since this tactic has been around for several weeks now, expect it to morph to using lures that are far more plausible in the very near future.
There haven't been many dull moments in the Threat Operations Center over the past few weeks. Between multiple CNN spam updates which then morphed into MSNBC spam, followed by fake FedEx non-delivery notifications last week, Britney Spears tabloid spam, and up to 30% increases in total spam volume, everyone has certainly been drinking from the fire hose.
We had a new guy named Tyler start recently as well who hasn't yet run for the hills screaming in the midst of all of the chaos. Sounds like a keeper to me!
Beginning yesterday we started tracking the return of Hallmark E-Card spam. If you recall, sending out fake e-cards that lead to malware sites was a popular tactic of the Storm Worm. These new messages appear as if they are being distributed via the Srizbi botnet, but are largely the same as their Storm counterparts.
Below is a screen shot of a sample message that landed in one of our spamtraps:
As with most spammers nowadays, you can tell that they went to some great lengths to ensure that the email looks as legitimate as possible.
In many previous e-card variants all of the links within the email would point directly to the malware hosting site. This trend has recently been shifting, and this new Hallmark E-Card tactic improves upon that by only pointing the "here" link above to the malicious web site. All of the other links like Customer Service, Store Locator, etc. actually point to the same locations that the real hallmark.com site points to. So, if a suspicious recipient of one of these messages clicks on any link in the email other than the malware download link, they may be tricked into believing the message is legitimate since it will direct them to the Hallmark site. Seeing this, they may be more apt to click on the download link and become infected.
Emails associated with this new "e-card" appear to be from "E-Cards@Hallmark.com" and will have subject lines like "You've Recieved a Hallmark E-Card!". The other telltale sign of these fakes can be found if you mouse over (but don't click!!) the "here" link, as it links to an executable file like postcard.gif.exe as opposed to an actual web page.
Be on the lookout for these new fake Hallmark E-Cards, especially as we move closer to the Holiday Season (it's still a ways off, but I am sure some stores will have Christmas items on the shelves soon!) as these are likely to become a popular tactic again for Halloween, Thanksgiving, and Christmas.
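The two link tricks described above, the AdWords image-map phish (a single image whose only clickable region points at a lookalike domain) and the Hallmark e-card whose one bad link resolves to postcard.gif.exe while every other link goes to the real brand site, can both be caught on the mail gateway by inspecting link targets rather than link text. The following is an added example (not MX Logic code); the message bodies, the example.net host and the URL paths are constructed, and only the selectadwords.net and hallmark.com names come from the post.

```python
"""Flag the link tricks used by the fake Hallmark e-card and the AdWords image-map phish.

Added example, not from the original post. Two heuristics:
  1. any link whose path ends in an executable extension (postcard.gif.exe style);
  2. links whose host is not the brand the message claims to be from, plus the
     special case of an image-only body whose only clickable element is an image map.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> anchors and <area> image-map regions."""

    def __init__(self):
        super().__init__()
        self.links = []       # (tag, href) pairs in document order
        self.images = 0       # number of <img> tags seen
        self.text_chars = 0   # non-whitespace characters outside tags

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.links.append((tag, a["href"]))
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def same_brand(host, brand_domain):
    """True when host is the brand domain or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)


def analyze_email(html, brand_domain):
    """Return a list of findings for one HTML body, given the brand it claims to be from."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for tag, href in parser.links:
        path = urlparse(href).path.lower()
        if path.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable link target: {href}")
        if href.startswith(("http://", "https://")) and not same_brand(host_of(href), brand_domain):
            findings.append(f"off-brand link in <{tag}>: {href}")
    # The AdWords variant: no real text, just an image with an image map carrying the link.
    if parser.images and parser.text_chars == 0 and any(t == "area" for t, _ in parser.links):
        findings.append("image-only body whose only link is an image map")
    return findings


# Constructed samples. Hosts under example.net and all paths are made up for the demo.
FAKE_HALLMARK_BODY = """<html><body>
<p>You've received a Hallmark E-Card! To view it, click
<a href="http://cards.example.net/postcard.gif.exe">here</a>.</p>
<p><a href="http://www.hallmark.com/customer-service">Customer Service</a> |
<a href="http://www.hallmark.com/store-locator">Store Locator</a></p>
</body></html>"""

FAKE_ADWORDS_BODY = """<html><body>
<img src="cid:notice" usemap="#m">
<map name="m"><area shape="rect" coords="0,0,600,400" href="http://selectadwords.net/renew"></map>
</body></html>"""

CLEAN_BODY = """<html><body><p>View your card at
<a href="http://www.hallmark.com/ecards/view">Hallmark.com</a>.</p></body></html>"""


if __name__ == "__main__":
    for name, body, brand in (("hallmark", FAKE_HALLMARK_BODY, "hallmark.com"),
                              ("adwords", FAKE_ADWORDS_BODY, "google.com"),
                              ("clean", CLEAN_BODY, "hallmark.com")):
        print(name, analyze_email(body, brand))
```

The executable-extension check is what the post's "mouse over the link" advice automates; the brand check needs the claimed sender domain, which a gateway can take from the From: header.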
Over the last 24 hours we have seen a large influx of a new email borne malware campaign alleging to be a notification of non-delivery from FedEx.
The email alleges that you sent a package on July 25, but because the recipient's address was not correct when it was shipped it had not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect a copy of the package at the FedEx Office (address of office not given, which should be one clear indicator that something is fishy about the email).
Sample subject lines that we have seen in our Threat Operations Center include:
You Have A Package!!!
Tracking N <fake tracking number>
Volumes have been pretty high as we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email borne malware that we have seen over that same period.
It's times like this that we are reminded that although many of the large scale malware campaigns that we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.
According to a small, recent study performed by Marshal, up to 30% of internet users admit to buying items like sexual enhancement pills, adult entertainment, software, luxury items, and clothing from spam that they have received. These kinds of studies come up every few months or so and the percentages of email users who admit to buying from spam vary wildly (see this Techdirt article which briefly mentions a couple of them). Many of these studies have small sample sizes and little information is given as to some of the other demographics of the participants in the survey (which I think would also be VERY interesting). No matter whether you believe the real number is closer to 4% or 30%, the underlying moral of the story is that a significant number of people are purchasing products from spammers. The answer to the spam-old question of "Who would actually get tricked into buying \/1agra?" is "A lot of people!" Spammers wouldn't continue to spam if it wasn't a profitable venture.
The 30% figure seems a bit high to me in today's internet, especially with the prevalence of spam filters which keep almost all of the junk mail out of users' inboxes. This does lend credence to the theory, though, that improved social engineering and targeting of spam emails has a significant effect on the ROI for the spammer. Even though far less spam is arriving in the inbox, a significant percentage of people are still buying from it.
I like to play with numbers and derived (what I think are) a few interesting stats.
Let's do some math (everyone's favorite subject):
Number of spam messages per day on the internet: 150B (industry estimate)
Cost to send a spam message $0.000001 (estimate)
Amount in losses from phishing in 2008: $4B (estimated by Gartner)
So, if you assume 150B spam messages per day at $0.000001 per spam message, that works out to spam costing spammers approximately $150,000 per day to send.
If you divide the $4B in losses from phishing ALONE by 365 (the number of days in a year) you get almost $11M per day in losses! This doesn't even include profits from the things that we mentioned at the start of this post such as porn and enhancement pills or even stolen credit cards and compromised bank and brokerage accounts. Cha-Ching!
To be fair, this isn't an apples to apples comparison because we are considering the cost to send ALL spam every day compared with the losses incurred just from phishing, but even just to compare these numbers is staggering! Just using the $11M and $150,000 numbers spammers make over 73x what they spend, just in phishing returns.
How many businesses do you know that would like a 730% daily profit margin? Raise your hand if yours would :)
So, as we've said before: Spam is easy. Spam works. Spam makes huge profits for the criminals behind it all. The numbers are hard to deny. Look for more spam headed toward the inbox, mobile device, or blog nearest you!
Typically when a new, effective, high volume spam or worm tactic is released into the wild (Paris Hilton Videos, Free World Cup Tickets, Fake News Headlines, etc.) the copycats are waiting in the wings and ready to latch onto whatever that tactic is, hoping that they might see some success from it as well. This time, however, it appears that the people responsible for the CNN Spam outbreak last week (original post here and update here) are now responsible for a new outbreak today alleging to be MSNBC news updates.
Similar to the CNN outbreak from last week these new MSNBC messages are identifiable by a very distinct subject line. All of the messages that we have seen thus far appear to be from "MSNBC Breaking News" and have a subject line that starts with "msnbc.com - BREAKING NEWS:" followed by some fake news headline.
Here are some examples of what we have seen in our Threat Operations Center thus far (and as usual, some that are just bizarre):
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: I will be suing you
msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death
Find out more at http://breakingnews.msnbc.com
=======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/25384336, select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/)
If a user is tricked into clicking on the breakingnews.msnbc.com link (which doesn't really go to an MSNBC page, but you probably already guessed that), they are presented with a page that looks like this:
This is the same tactic that we saw with the CNN fake news updates from last week as well as with the Porntube malware tactic that we saw back in June (original post here). At this point, you are caught in an endless loop where you either need to kill your browser session or click the OK button, but doing that infects you with the malware.
So far we have seen two variants of these emails. The first links to a file named up.html at the end of the "breakingnews.msnbc.com" URL which linked to a page that is branded CNN, not MSNBC. This should be an immediate red flag to any user that something is not right. The newer variant that we just recently started seeing within the past hour links to msn.html. This page uses the same logo that is on top of the real msnbc.com site and will likely look more legitimate to users.
So far volumes have been ranging in the 1.5 to 2 million message per hour range. Although nowhere near the peaks that we saw with the CNN outbreak from last week, it also took 3 days for the CNN spam to reach those volumes. So, I would say that at this point since we have only been tracking this new variant for about 12 hours the lower volumes are no indication of what is to come, but just like in movies, the sequel usually isn't as good as the original...
Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds. The subject of the email is "CNN.com Daily Top 10." Our Threat Operations Center has seen over 5 million of these just in the last hour alone and over 80 million in the last 24 hours.
Below is a screen shot of the message.
Over the last few weeks we have been seeing large spam runs of what we are calling single-line spam where an email contains a brief lure based on fake news headlines such as "US track team disqualified from Olympics" or "Beijing Olympics postponed indefinitely" followed by a link. The web site linked to in the message is a link to a "video codec" (er, malware) that the user is prompted to download in order to view the online video.
The tactic being used here is similar to what we saw with the Porntube malware that we saw back in June (click here for original Porntube blog post) where the user is prompted to download the video codec when the page initially loads. If the user clicks "Cancel" to not download the codec, another popup is presented where the user is told that they have to download the codec to view the video. This endless loop continues until the user kills their browser session at the operating system level or installs the "codec."
This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks as this message looks like it could be a news update email sent by CNN. This new message also attempts to trick the user into believing that they signed up to receive it because of their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.
Starting yesterday (June 18th) we began seeing evidence of a new Storm Worm variant claiming news of a new earthquake in China.
Some of the subject lines associated with these messages include:
2008 Olympic Games are under the threat
A new powerful disaster in China
A new deadly catastrophe in China
China is paralyzed by new earthquake
China's most deadly earthquake
Chinese people are horrified by new earthquake
Countless victims of earthquake in China
Deadly catastrophe in Chinese capital
Death toll in China exceeds 1000000
Death toll in China is growing
Earth tremors in China is going on
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
Terrible earthquake devastated Beijing
The capital of China were collapsed by earthquake
The most powerful quake hits China
Toll mounts in China earthquake
Unprecedented earthquake in China
This is a pretty typical tactic for Storm: ride on the wave of current events as a social engineering lure to get users to click on links in emails. This variant is primarily targeting the Chinese earthquakes, but there is also a mention of the Beijing Olympics as well stating that the Olympics will be "under the threat."
If a user clicks the link within one of these emails, they are not immediately infected with Storm. They will be directed to a web site (all of the ones that we have seen so far have a .cn TLD) that looks like this:
It is important to note that this is not a real video player, but clicking the player will launch a file named beijing.exe which will infect your PC.
Volume of this variant is pretty low. We are currently seeing on the order of about 900 per hour in our Threat Operations Center. Expect to see similar stories of this nature threatening the safety of the Olympics as well as its participants and visitors as the event gets closer.
Sometimes the depths to which spammers will stoop really sickens me.
Even in today's criminally infested internet I sometimes naively hope that there is still some kind of Code of Conduct where trying to capitalize off of certain catastrophic events was considered taboo. As we've seen before, such as with the devastation caused by Hurricane Katrina back in 2005, the Indian tsunami in 2004, and now with the earthquake and aftershocks that have already killed over 28,000 people in southwest China's Sichuan province (with estimates that the death toll will be over 50,000 before the final counts are tallied) over the past week and a half, scams looking to tug at both your heart strings and purse strings have started popping up.
I'll abbreviate the message that we received for the sake of brevity (it's about the longest phish I have ever seen) as it gives a fairly detailed account of the plight of the person allegedly sending the message:
Dear friend,
I don't know your exact name. I can only guess.
I ask you to read my letter up to the end. After that you will be in the right to send my letter in a garbage basket or.......
My letter is caused by despair. I don't know to whom to address. I am compelled to ask for help any person. Namely you. I hope that mine letter has got to the person which has sympathy and compassion. I wish to trust in it.
My name is Arnulfo. My situation plunges me into depression and despair.
I will tell you shortly. I do not even know how to express correctly my thoughts. How to write you about it. I can tell with confidence that my hands shiver when I press on the buttons of the keyboard. Several days ago I could not think that I shall address to the stranger with such situation. Probably it's stupid or incorrectly. But it's the only thing that is left to do. I just ask to understand me. I even must say that it is a shame to do it.
I will continue. I don't know where you are. And I do not know what news you watched on TV or listened by Radio. I think that you could hear about Earthquake in China. My God, it's awful...
Me and my wife have flied to the country of Philippines two weeks ago. We wanted to search for a new place in this world, where we could create our new world. There where we could live and create good family. We have got married a year ago. The matter is that my wife is a chinese woman, and I was born on Philippines, but has grown in Spain. My father is Spaniard, and my mum is Philippine. My parents have died several years ago. I have left to study in the university to another country. I studied Chinese language and culture. There I also have got acquainted with Jin It's my wife. We have got married. And yes, we were happy. I will tell - We are happy together. But parents of Jin were against our marriage. And we have decided to search a place which will make us happy. We thought of Philippines.
All. Everything was good. Yes, everything was simply magnificent. Until the first impact has happened. We have heardabout it in the news. I do not want to describe that occured with Jin when she has heard about that her native city was completely destroyed. Her native city has been destroyed. Me and Jin were in panic. We have decided at once to come back to China to my wife's parents. Jin was in despair.
But the destiny has made a new turn. We had no money for air flight to China for two. We had money. We have made money transfer to the bank account in Philippines for purchase of a small house. But I can receive this money only on the 1st of June. Not earlier. Bank bureaucracy exists all over the world. We did not know what to do. Then we have found only one output. We have received all money which were on our ATM-cart. Me collected the sum of money for air flight only for my wife. It was a hard moment in our life. But then I did not know that the worst will be ahead. We have solved that my wife will go to China alone. It was a difficult decisions for me. But I could not stop Jin. And I could not fly together with her. Jin has quickly gathered and has departed. When she left tears flew on our cheeks . I do not know how to explain that I felt during this moment. But I understood that my wife felt. Mine Jin. Her parents were in trouble. I have remained alone not having money. My hotel accommodation has been paid for some days.
[ SEVERAL UNIMPORTANT PARAGRAPHS REMOVED ]
Also some kind people which know about my situation have helped me. I shall have the small sum of money. But a greater sum of money is required . I am lack of 1500$. I have no opportunity to find such sum of money. I tried all ways to find thó money. I do not wish to think that money solve everything in this world. I believe that the main thing is people and love. And I want to believe that I will be able to be beside my Jin soon . We are sure will be happy together.
Only despair has compelled me to write you this letter. Probably it sounds silly. You have a right to think about me all that you want. I shall understand you.I I address to you for a help. Your help is required to me. I will tell directly that I ask you to help me with money. I will return you money later, right after as soon as I receive my money which are in the bank. I can return to you money on the first of June. I shall see the wife. I shall be with her. I can take care of her. After that I will return on Philippines to take back money. And I will return to you even more Money. I only ask to help me now.I have been explained that I will be able to receive money in Western Union. And I shall return the money to you in the same way. I am ready to return you more.
I will hope that my letter will not offend you because we are unfamiliar. I do not even know your name. I have taken yours e-mail from Internet. And I have hope that e-mail to which I write is of a good person.
I will understand you in any case. Iask to excuse me . I only want you to understood me. Only despair and love have compelled me to write this letter to you. I wish to use all variants To be near to my love.
And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.
I don't know what to tell you more . I believe in love and destiny. I ask you to answer me to this e-mail:
arnulfoqramos@yahoo.com.ph
I have registered it right now. I shall wait fo your answer to this e-mail. If you want to answer me
Yours faithfully Arnulfo
The words that I want to use to describe people who would try to capitalize on an event that has affected hundreds of thousands of people aren't appropriate for a corporate blog, nor for any other conversation for that matter. Every time I see these types of things, it further lowers my faith in humanity.
Please be on the lookout for this and other related scams over the coming weeks as we are sure to see more of them, likely alleging to be from relief organizations and/or companies who claim to be affiliated with them.
If you wish to make a donation to your favorite relief organization to help them to provide assistance to people around the world being affected by these horrific natural disasters please contact them directly. Do not respond to solicitations via email, even if they look legitimate or come from an email address that potentially looks legitimate.
*** UPDATE 5/21/2008 11:20am MDT *** Here are some of the subject lines that we are seeing associated with this scam:
-- Help me
-- Help me please. Read through the letter
-- Last hope. Help me please
-- I ask to help. Please
Please be on the lookout for yet another government agency tax scam making the rounds today; this one not spoofing the IRS, but rather the US Tax Court.
Here is an elided sample that has been received by our Threat Operations Center:
UNITED STATES TAX COURT
WASHINGTON, DC 20217
Docket No. 622-555. Filed May, 2008.
COMMISSIONER OF INTERNAL REVENUE
Petitioner.
v.
EXECUTIVE NAME HERE
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE
Respondent.
PETITION
The Petitioner hereby petitions for a redetermination of forth by the Commissioner of Internal Revenue in his notice of deficiency (AP:FE:BOS:JHK) dated May 4, 2008
This matter is before the Court on respondent.s Motion for Summary Judgment, filed May 10, 2006, and respondent.s Motion for Penalty under I.R.C. Section 6673, also filed May 10, 2006. As motions, without prejudice, and remand this case to respondent.s Office of Appeals.
Respectfully submitted,
Bennett H. Klein
Tax Court Bar No KB0214
400 Second Street, N.W.,
Washington, D.C. 20217.
The link in the above sample goes to a web page hosted at the domain us-tax.org, which was just registered 4 days ago, May 8th. Based on the format of the scam URL in the above message this looks very much like some of the other recent executive targeted scams (like the US District Court scam that I also blogged about) that we have seen lately. It would not surprise me if the same group of people is behind both.
*** UPDATE 5/12/2008 12:40pm MDT *** We are currently seeing these whaling scams hit our systems at the rate of about 150 per hour. Very low volumes in an attempt to fly under the radar as much as possible.
According to Peter Gabriel's web site, sometime on Sunday night or Monday morning their web servers were stolen from their data center.
I wonder if they broke in with a Sledgehammer? Or if they were Quiet and Alone? I wonder if the RIAA will sue the thieves for stealing music?
Ok, enough jokes....
Kind of makes you wonder how they got in....or does it? I've been speaking to several colleagues lately who either currently perform social engineering engagements or did them in previous lives, and it is amazing to me the areas of buildings that they have been able to access and the confidential information that they have uncovered just by everyday, common techniques that we all use: tailgating, acting like you misplaced your access badge, or just looking like you belong somewhere.
Then once they were in the data center, how did they access the cabinet that the servers were in? Many cabinets go from the floor to the ceiling or have safeguards in place to prevent the cabinet from being compromised from on top. They should also have at minimum either a keylock or combination lock (or both), not to mention that the data center should also have security cameras covering every square inch of floor space.
We talk about proofs of concept very frequently where the occurrence of one crime is a finger pointing towards the potential occurrence of something much more damaging. This is definitely one of those types of crimes. If it can happen at this data center, what is to say that this same thing couldn't happen at any number of others as well? What security policies does your data center have? How well do they follow them?
We make a lot of assumptions with regards to the security of data centers, but all the technology controls in the world don't make a bit of difference if they can easily be bypassed.
Right on cue, we are starting to see phishing scams with an economic stimulus payment flavor. In one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd, based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are seeing some of the first iterations of those scams today.
As has been common with most of the government agency spoofs that we have seen over the past year, this one has an IRS logo at the top of the message that is being pulled directly from the IRS web site at irs.gov.
The samples that we are seeing purport to be from "service@irs.gov" and have a subject line of "2008 Economic Stimulus Refund."
The phish content is as follows:
Over 130 million Americans will receive refunds as part of President Bush program to jumpstart the economy. Our records indicate that you are qualified to receive the 2008 Economic Stimulus Refund.
The fastest and easiest way to receive your refund is by direct deposit to your checking/savings account. Please click on the link and fill out the form and submit before April 24th, 2008 to ensure that your refund will be processed as soon as possible.
Submitting your form on April 24th, 2008 or later means that your refund will be delayed due to the volume of requests we anticipate for the Economic Stimulus Refund.
To access Economic Stimulus Refund, please click here.
The "click here" link takes the user to a prototypical phishing site where they are asked for their bank routing number and checking account number so that the rebate can be directly deposited into their checking account. The scammers are also trying to establish a sense of urgency to get you to click the link by saying that you have to fill out and submit the form before April 24th if you want to get your stimulus payment on time. Failure to do so will result in delays. This could be an effective tactic against those who may not be scheduled to receive their rebate until July or against the extremely impatient who think that this could be a shortcut to getting their rebate quicker.
This is about the time that we expected to start seeing these scams start coming out, and this certainly won't be the last of them, especially since the distribution of the stimulus payments is expected to last a couple of months.
As with all of the IRS scams that we have seen to date, there are a couple of things that you should remember:
-- The IRS does not communicate with the public over email.
-- To that point, the IRS does not even know what your email address is. If you use at-home tax software, the software vendor might ask you for your email address, but this is for the purpose of sending you status updates with respect to your tax filing. These emails are not from the IRS.
With respect to the economic stimulus payments, also remember:
-- The economic stimulus payments are being distributed based on your 2007 tax filing. How your rebate is delivered to you is determined from your tax forms.
-- The payment schedule for the economic stimulus payments has already been established by the IRS. There is no way to accelerate this process.
We're seeing a new Google spam run with a malware component making the rounds, where the subject line of the message alleges that some of the more popular news agencies have released a Special Report about a new video from Osama bin Laden. Volume is currently less than 1% of total inbound virus traffic, so it is pretty low, but this is yet another abuse of the Google PageRank system in an attempt to deliver malware.
Some of the subject lines that we have seen include:
Special issue of news from CNN! Urgent Fresh News Usama Ben Laden!
Special issue of news from CNBC! Urgent Fresh News Usama Ben Laden!
Special issue of news from Financial Times! Urgent Shocking News Usama Ben Laden!
Special issue of news from CNN! Urgent Apocalyptic News Usama Ben Laden!
Special issue of news from Bloomberg! Urgent Fresh News Usama Ben Laden!
You can see a fairly common theme here.
The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world. The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):
Special issue of news from Reuters! Urgent Dangerous News!
Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist activity, and similarly the largest leaders of terrorist organization of Al Kaeda, detained American soldiery force in Iraq.
This particular sample was taken from a message where the subject says that the news update is from CNN so you can see that the news agency in the subject line is not necessarily consistent in the actual message itself. If the link from the message is followed, it directs the user to a page where they download a file named videousa.exe, which contains the malware.
Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:
Antivirus         | Version      | Last Update | Result
AhnLab-V3         | 2008.4.22.0  | 2008.04.21  | Win-Trojan/Agent.77824.DX
AntiVir           | 7.8.0.8      | 2008.04.21  | TR/Crypt.XPACK.Gen
Authentium        | 4.93.8       | 2008.04.20  | -
Avast             | 4.8.1169.0   | 2008.04.21  | -
AVG               | 7.5.0.516    | 2008.04.21  | Downloader.Zlob.12.AH
BitDefender       | 7.2          | 2008.04.21  | -
CAT-QuickHeal     | 9.50         | 2008.04.19  | (Suspicious) - DNAScan
ClamAV            | 0.92.1       | 2008.04.21  | -
DrWeb             | 4.44.0.09170 | 2008.04.21  | -
eSafe             | 7.0.15.0     | 2008.04.17  | Suspicious File
eTrust-Vet        | 31.3.5720    | 2008.04.21  | -
Ewido             | 4.0          | 2008.04.21  | Backdoor.Agent.gxg
F-Prot            | 4.4.2.54     | 2008.04.20  | -
F-Secure          | 6.70.13260.0 | 2008.04.21  | Backdoor.Win32.Agent.gxg
FileAdvisor       | 1            | 2008.04.21  | -
Fortinet          | 3.14.0.0     | 2008.04.21  | -
Ikarus            | T3.1.1.26    | 2008.04.21  | Trojan.Win32.Revelation
Kaspersky         | 7.0.0.125    | 2008.04.21  | Backdoor.Win32.Agent.gxg
McAfee            | 5277         | 2008.04.18  | -
Microsoft         | 1.3408       | 2008.04.21  | TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2           | 3043         | 2008.04.21  | -
Norman            | 5.80.02      | 2008.04.18  | -
Panda             | 9.0.0.4      | 2008.04.20  | -
Prevx1            | V2           | 2008.04.21  | -
Rising            | 20.41.02.00  | 2008.04.21  | -
Sophos            | 4.28.0       | 2008.04.21  | Mal/Generic-A
Sunbelt           | 3.0.1056.0   | 2008.04.17  | -
Symantec          | 10           | 2008.04.21  | -
TheHacker         | 6.2.92.285   | 2008.04.19  | -
VBA32             | 3.12.6.4     | 2008.04.16  | Trojan.Win32.Revelation
VirusBuster       | 4.3.26:9     | 2008.04.21  | -
Webwasher-Gateway | 6.6.2        | 2008.04.21  | Trojan.Crypt.XPACK.Gen
Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now. This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.
Over the past 10 months or so we've often discussed different social engineering tactics as it relates to different types of spam and malware campaigns. These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-Level Executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites that are infested with malware.
So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?
The answer is simple: As far as they need to.
Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to get infected with malware. This means that the success of their campaign is almost solely related to their ability to establish trust and to make their campaign appear as legitimate as possible. As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help. The Federal Subpoena scam that we spoke about earlier this week included not only the name of the person that the scam was being sent to and their company name, but also their phone number!
As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand, are aware of, and keep a keen watch out for new potential threat vectors and the techniques that are being used in order to trick them into giving up information that could result in loss of identity, company secrets, or their life savings.
Losses being incurred as a result of cyber crime are increasing at an alarming rate, and we have now reached the point where people are more fearful of being a victim of cyber crime than of physical crime. According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008! That increase is no accident and does not appear to be slowing anytime soon.
Yet another new twist in the never ending array of Google Spam that we have been seeing over the past 2 months. The sample that just hit our spamtraps within the last hour has a bit of a new twist to it.
When I first opened this message I thought "Neat! Google video spam!" It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google with a fake video as the lure.
Here is a screenshot of the spam:
Clicking any of the links downloads a file named video_codec-v2.12.384.exe.
So far AV pickup is pretty spotty (stats courtesy of Virustotal):
Antivirus     | Version | Last Update | Result
AhnLab-V3     | -       | -           | -
AntiVir       | -       | -           | TR/Dropper.Gen
Authentium    | -       | -           | -
Avast         | -       | -           | Win32:Agent-GPS
AVG           | -       | -           | -
BitDefender   | -       | -           | DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal | -       | -           | -
ClamAV        | -       | -           | -
DrWeb         | -       | -           | -
eSafe         | -       | -           | suspicious Trojan/Worm
eTrust-Vet    | -       | -           | -
Ewido         | -       | -           | -
FileAdvisor   | -       | -           | -
Fortinet      | -       | -           | -
F-Prot        | -       | -           | W32/Agent.Q.gen!Eldorado
F-Secure      | -       | -           | Suspicious:W32/Malware!Gemini
Ikarus        | -       | -           | Virus.Win32.Agent.GPS
Kaspersky     | -       | -           | -
McAfee        | -       | -           | Proxy-Agent.af.dr
Microsoft     | -       | -           | Trojan:Win32/Danmec.gen!A
NOD32v2       | -       | -           | a variant of Win32/Agent.NEQ
Norman        | -       | -           | -
Panda         | -       | -           | -
Prevx1        | -       | -           | Heuristic: Suspicious File With Bad Child Associations
Rising        | -       | -           | -
Sophos        | -       | -           | Troj/Bdoor-AJR
Symantec      | -       | -           | -
TheHacker     | -       | -           | -
VBA32         | -       | -           | suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
I came across an article this morning on the SC Magazine site talking about a new virus called "MonaRonaDona" which takes a bit of a different twist when put next to most strains of malware released over the past couple of years.
As we know, malware made the move a few years ago from a vehicle used to achieve fame or notoriety to a method used to make large amounts of money. Similar to how MBR rootkits are a bit of a throwback to a time when attacking the MBR was a popular method of virus infection, the MonaRonaDona worm is a throwback to the time when worms were written mostly for recognition. Granted, there is a financial component to MonaRonaDona as well, but it is not likely to be very successful.
MonaRonaDona appears to be spreading via malicious advertisements being posted on web sites. The user will not know they are infected until they reboot their machine when they will receive a popup that states: "Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity." This malware will also prevent the user from opening common programs on their PC such as Microsoft Office and Adobe applications.
Very noble, but I fail to see how preventing me from opening Word does anything to remedy crimes against humanity in places like Darfur.
Part of the intention of the worm author as well is to socially engineer the user of the infected PC to perform a search in the Google search engine for the name of the worm. Among other fake sites engineered by the malware authors is a site to purchase a product named Unigray. For $40 Unigray alleges that it can clean your PC of MonaRonaDona. Of course, all it really cleans is your wallet out of $40 :)
To me, this worm seems like a lot of work for what will likely be very little reward. It is different, though, from most other malware, especially with the hacktivism angle, which makes it interesting.
We've discussed before that we expect to see more political based spam as the presidential election year wears on, especially closer to Democratic and Republican convention times. Expect to see more political based hacktivism type malware lures as the year progresses and as the race for the White House intensifies. As we saw with the Ron Paul spam last November, the stage has been set to use spam as a method for propaganda distribution pertaining to the upcoming election!
Looks like the government agency spoofs from last summer have returned!
During May/June 2007 we saw nearly weekly variants of emails being spammed that spoofed different government agencies, largely targeted towards C-level executives and containing a keylogger payload. These emails started off with the malware attached to the email message itself, then migrated to a pull infection model where the user downloaded the malware off of a web site via a link embedded within the message.
Starting today we've started to see a resurgence of this tactic, but this new variant is spoofing the Department of Justice. This department had not been one of the spoof targets of the previous spam runs. Below is a redacted screen shot of the new scam (courtesy of McAfee):
As you can see from the above screen shot, the message has an attachment named complaint.zip which contains the malware payload.
A couple of similarities in social engineering tactics between this scam and the previous scams from this summer are the inclusion of the name of the person and the name of the company that the message is being sent to. You'll notice from the screen shot that there are also grammatical errors and misspellings.
A few particular examples that I have seen were sent from IPs in Italy. Somehow I doubt the DoJ has contracted with anyone in Italy to start sending legitimate complaint notices :)
Volumes of this scam have been pretty low, on the order of a few hundred per hour being seen by our Threat Operations Center. No information yet as to specific targeting of this scam. This post will be updated as more information becomes available.
I'm sure nobody saw this coming (tongue firmly lodged in cheek), but the folks that have brought us Storm Worm variants like e-cards and Christmas Greetings have brought us a Valentine's Day variant just in time for the February 14th holiday.
Traffic that we have seen thus far in relation to this worm peaked during the 1am and 2am (mountain standard time) hours this morning and has been steadily dropping ever since, but I have a hard time believing that this trend will continue with Valentine's Day still two days away!
This new variant follows the same paradigm as the ones that we have seen previously: Subject line and message body related to the upcoming holiday and a random link which points the user to a web site where they download an executable (like valentine.exe) and get infected. Nothing new.
Some of the subject lines that we have seen in relation to this worm include:
Is Anything Beautiful As A Rose?
You're my Velentine! (note the misspelling)
You Stay In My Heart
Smiley Kiss
Sample message bodies potentially include the same text as the subject line. We've seen some variances here, but it looks like the subject line and message text are pulling from just about the same static list.
Playing on emotion and holiday themes continues to be a successful social engineering tactic for the Storm Worm gang, and will continue to be popular until such time as it ceases to be effective. As with all of the other variants, don't get hit by this Cupid's arrow. There is no love to be found here!
I ran across this article this morning which states that, according to Deloitte, human error is the leading cause of security threats. I agree with this to a point.
I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.
Perhaps I am being myopic because of the type of company that I work for, but I view intrusions resulting from public server vulnerabilities, virus infections, and social engineering as a much larger issue.
That isn't, however, to take away from the importance of the insider threat. When I say "insider threat" am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees who stumble upon information due to lack of proper security controls or the maintenance thereof. For example, if you work in your Customer Support department and happened to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere on a network share that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross site scripting attacks against your production systems in an attempt to learn.
According to the 2006 E-Crime Watch Survey insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.
The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.
The article concludes by making a statement in regards to the implementation of a corporate security program, "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.
I have to admit that as much as I am tired of talking about the Storm Worm, it keeps giving such great fodder for discussion. Over the past year we have seen fake video clips for current events and e-cards. Now Storm has expanded its horizons and has started sending out one-liner spam with the prospect of a better life between the sheets.
Some of the sample subject lines that we have seen from this new Storm variant include:
-- why you're so unhappy with your bedroom life?
-- Ladies and Gents want to have perfect nights!
-- Become a super-lover-2008!
-- What you will learn from us will change your sensual life for better!
All of the samples that we have received have had one-liner spam where the message body is sometimes the same as the subject line (many times not) followed by a URL pointing to a random IP address like hxxp://61,79,172,152/rqokyj/ (modified so you can't actually click the link).
As if we don't see enough health related spam already, now Storm has jumped on the bandwagon as well. I guess if it works for the spammers...
In keeping with form the gang responsible for the Storm Worm (and its many variants) has been releasing updates to correspond with the New Year holiday coming up next Tuesday (they also released some Christmas joy as well on Christmas eve for those who wanted early "presents").
They've been changing domains linked to in the email that is directing you to the malware download. So far we have seen:
happycards2008.com
newyearcards2008.com
happynewyearcards2008.com
uhavepostcard.com
All of the above sites are currently active except for happynewyearcards2008.com which appears to be offline.
If the link in the email is clicked it takes you to a site which tells you that your download will begin shortly (actually it is scanning your PC for vulnerabilities to exploit) and that if your download doesn't start you should click to download the file manually. When that link is clicked the malware is downloaded and people infect themselves. This is akin to other Storm Worm variants which operated in a similar fashion.
The downloaded file is changing names also. Currently the file is happynewyear2008.exe, but previous variants have downloaded happy2008.exe, happy-2008.exe, and happynewyear.exe.
Have a Happy New Year, but don't party with the Storm Worm Gang!
So who is Ron Paul, you ask? He is a Texas Congressman running for the Republican nomination for President of the United States in the 2008 election.
Who else is Ron Paul, you ask? He is the subject of a massive spam campaign over the last week (which continues today) where emails are being blasted out on his behalf in an effort to drum up support for his candidacy.
Unlike most spam, which generally has all sorts of randomized content in an effort to get past spam filters, the content of these messages is pretty static save for the subject line and a small snippet of random characters at the very end of the message which are otherwise meaningless. Some of the subject lines that we have seen associated with the Ron Paul spam are:
Who is Ron Paul?
Vote Ron Paul 2008!
Iraq Scam Exposed, Ron Paul
IRS Fears Ron Paul?
Ron Paul Exposes Federal Reserve!
Ron Paul Wins GOP Debate!
Each of these subjects has a commonality in that it has 7 random letters at the very end of the subject line in mixed case (upper and lower case), presumably in an effort to throw off anti-spam filters. Folks from the Ron Paul campaign deny having anything to do with the spam run, which is originating mostly from botnet machines and open email relays.
This isn't the first time that email has been used as a vehicle to distribute large spam runs containing politically motivated propaganda. Back in May 2005, machines that were infected with the Sober-N worm were being used to mass distribute spam that decried the Dresden bombing and the admission of Turkey into the European Union. Like those emails, the Ron Paul spam messages required no further action by the end user, meaning that there was no link to click in the email to visit an internet web site, nor was there an attachment.
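As an added illustration of the pattern just described (this is example code written for this page, not anything from the original post or from MX Logic), the following Python heuristic looks for a static subject line that ends in a 7-letter mixed-case token, strips the token, and clusters the flagged messages by their underlying subject so the campaign's real subject list becomes visible. The sample subjects are constructed, modelled on the ones listed above, and the case-flip and vowel thresholds are assumptions chosen for this example.

```python
import re
from collections import Counter

# Constructed sample subjects modelled on the campaign described in the post:
# a static political subject followed by a 7-letter mixed-case token. The last
# three are ordinary subjects included to show that they are not flagged.
CONSTRUCTED_SUBJECTS = [
    "Who is Ron Paul? xKqTzPw",
    "Who is Ron Paul? mRbYqLs",
    "Vote Ron Paul 2008! aZcVbNm",
    "Ron Paul Wins GOP Debate! QwErTyU",
    "Lunch on Thursday?",
    "Re: Q3 budget review",
    "Meeting notes TUESDAY",
]

# A subject whose final whitespace-separated word is exactly seven ASCII letters.
TRAILING_WORD_RE = re.compile(r"^(?P<base>.*\S)\s+(?P<tok>[A-Za-z]{7})$")

# Assumed thresholds for this example: real words rarely flip case three or more
# times inside themselves, and real words almost always contain vowels.
MIN_CASE_FLIPS = 3
MAX_VOWELS_IF_MIXED = 1
VOWELS = set("aeiouAEIOU")


def case_flips(token):
    """Count positions where adjacent letters differ in case, e.g. 'xKqTzPw' -> 6."""
    return sum(1 for a, b in zip(token, token[1:]) if a.isupper() != b.isupper())


def looks_random(token):
    """Heuristic: many case flips, or mixed case after the first letter with almost no vowels."""
    rest = token[1:]  # ignore a normal capitalised first letter
    mixed = any(c.islower() for c in rest) and any(c.isupper() for c in rest)
    vowels = sum(c in VOWELS for c in token)
    return case_flips(token) >= MIN_CASE_FLIPS or (mixed and vowels <= MAX_VOWELS_IF_MIXED)


def random_suffix(subject):
    """Return the trailing 7-letter token if it looks random, otherwise None."""
    m = TRAILING_WORD_RE.match(subject.strip())
    if not m or not looks_random(m.group("tok")):
        return None
    return m.group("tok")


def normalize_subject(subject):
    """Strip the random token so every copy of one static subject clusters together."""
    m = TRAILING_WORD_RE.match(subject.strip())
    if m and looks_random(m.group("tok")):
        return m.group("base")
    return subject.strip()


def cluster_campaign(subjects):
    """Count flagged subjects by their static base: the campaign's real subject list."""
    return Counter(normalize_subject(s) for s in subjects if random_suffix(s))


if __name__ == "__main__":
    for base, n in cluster_campaign(CONSTRUCTED_SUBJECTS).most_common():
        print(f"{n:3d}  {base}")
```

This is a clustering and scoring signal, not a stand-alone reject rule: a 7-letter name with internal capitals (a brand name, for instance) can trip the case-flip test, so in a real filter the score would be combined with the other indicators the post mentions, such as delivery from known botnet or open-relay sources.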
This brings up a couple of interesting threat scenarios from where I sit:
As the 2008 presidential campaign wears on I would definitely expect to see more political campaign based propaganda spammed out. This particular spam run happened to be pro Ron Paul, but expect to see smear campaigns sent out as well in an effort to build up negative public opinion. It'll be up to the public to be much more diligent in understanding what the candidates' true opinions are on the important issues and not assuming that what they read in email or on the internet is necessarily true.
Another possibility that exists here is the potential for the distribution of malware via these spam messages. I could easily see a lure where political messaging is used as a social engineering technique to get people to open an infected attachment or get someone to click a link which takes them out to a malicious web site infected with malware.
As with any current event or subject that people are passionate about, criminals will also try to prey upon those feelings and will likely also set up phishing sites posing as campaign contribution sites (similar to how we see fake donation web sites pop up after natural disasters).
So, as always there is a wide open potential for further abuse here and I would not be surprised at all to see them all used over the next year leading up to the elections (exactly one year from today, in fact). Always be careful about what you read, be careful about who you are giving your confidential or personally identifiable information to, but ALWAYS be careful about what you click on. Things are not always as they appear to be.
We have received a sample this morning of a new phishing message making the rounds today. The sample that we have received is a message which purports to be from the IRS (yes, another government agency scam) and has a subject line of "Help for California Wildfire Victims".
The content of the message is a solicitation for donations for victims of the wildfires in Southern California. The top of the message has an IRS logo to make it appear legitimate (the logo is being loaded from customersarealways.com which does not have any IRS affiliation).
Here is a snippet of the message text which tries to lure the victim in:
For these Americans, every night brings uncertainty, every day requires new courage, and in the months to come will bring more than their fair share of struggles. In the task of recovery and rebuilding, some of the hardest work is still ahead, and it will require the creative skill and generosity of a united country. Right now California is asking you for help ! If you chose to take part in our program (initiated by IRS & U.S GOVERNMENT) click on the link below and make a small contribution. Together we can rebuild California ! BE HUMAN GET INVOLVED ! BE AMERICAN ! CALIFORNIA NEEDS YOUR HELP !
Sincerely, Julia Brownley
Of course the IRS does not send unsolicited emails looking for public donations to assist with relief efforts. In fact, it never sends unsolicited emails nor do they send anonymous emails. Just receiving an email such as this should always be the first tell-tale sign that the email is a scam and should not be acted upon.
From the sample that we received, the link at the bottom of the message directs the user to a web server hosted in France. When this link was followed the web page that was served was a broken redirect to a web page that is already offline.
This is not to say, however, that this is a dead phish. Other variants of this message pointing to other sites likely exist and are being actively distributed.
The key point to remember here is that if the IRS wants to get a hold of you, they won't do it via email. They certainly wouldn't ask you for a donation via email. If you receive any examples of this scam, please forward it to the IRS at phishing@irs.gov.
We've been talking quite a bit lately about the move from "push" based malware to "pull" based. So I figured it was time to dedicate a full blog posting to it and its significance.
Again, pull based malware is generally web site hosted malware where the user "pulls" the content from the web site by virtue of visiting the site with their web browser.
This type of malware is especially dangerous for a couple of reasons:
-- It evades attachment filtering techniques (since there is no email attachment; the content comes via a web site link)
-- The user generally has no idea that the site they visited is malicious
-- Hackers can employ technologies like server side polymorphism to repack binaries for every download, thus rendering traditional signature based anti virus engines useless
We are starting to see more and more instances of common web site compromises where users can get infected without any lure (for example, the 1st Congressional District GOP of Wisconsin was reported as compromised about a week ago by the same group that brought us the Storm Worm). In general, however, these types of infections are still the exception, not the norm.
Speaking of the Storm Worm gang, they have actually created a hybrid between push and pull infections for some of their variants. When launched, these look for a number of unpatched vulnerabilities on the victim's PC, and if they can't find any of the ones they are looking for, they direct the user to download and install the file manually. Even Vista's UAC system only provides rudimentary protection here. Since applications executed directly by the end user are considered trusted (Vista will ask you if you are sure you want to install the program, but who doesn't just click "Yes" to that prompt?) the user falls on their own sword and infects themselves. Nice, eh?
Typically when a user is being lured to a malicious web site multiple communication mediums are leveraged. Something has to let the user know that the site is available and accessible, right? That lure in many cases comes via email.
There is a distinct crossover between email and web defense solutions such that the data collected from one can be used to make the other more effective, creating a synergistic relationship between the systems. At least for the foreseeable future, hackers are going to have to continue to use technologies like email in an attempt to get users infected. During that time, having a solution which not only monitors and protects your inbound mail flow but also your outbound web browsing activities provides an effective defense-in-depth solution against malware and fraud.
Just like 2005 was the year of the Sober worm, 2007 will be known as the Year of the Storm.
Since late January we have seen Storm worm variants using social engineering tactics like news stories, current events, and e-cards in an attempt to get unsuspecting victims to open attachments, click links, and get infected to become the latest addition to the Storm Worm bot army.
The latest and greatest social engineering tactic, which we started seeing on Saturday, uses porn. This tactic, like the e-card tactic, uses a pull based method of infection where the malware content is not "pushed" to the user via an attachment; rather, the email contains a link which, when clicked by the user, causes them to "pull" it down.
The messages that we have been seeing with this new variant include the following either in the subject line or message body (this is only a partial list): "I need someone to please me. Check out my pictures", "Want me to show you what my room mate and I do when we get lonely at night", and "Taking these pictures made me so hot. I bet they will make you hot too" (I'll bet this post gets caught by a few spam filters :) ). This new variant is currently accounting for about 1 in 6 virus infected messages seen by the MX Logic Threat Operations Center within the last 24 hours.
So, why the movement to "pull" based malware instead of "push" based? For one, it is more difficult for end users to submit samples of the malware. If the attachment is pushed to the end user, they have all of the information that they need at their fingertips to submit to the anti-virus vendors. Secondly, with the pull based model users may not even know that they are going to a malicious web site, so that when they visit the site it may display some kind of error message saying that the site was not available (or something innocuous so as not to arouse suspicion) while in the background the user's PC just got infected with malware. This model also enables the malware authors to utilize a tactic known as "Server Side Polymorphism" where the way that the malware is packed can continually change on a per download basis, thus rendering traditional signature based anti-virus engines ineffective. The version of the malware that I download could have an entirely different signature than the version someone else downloads even though we may have clicked through to the site at the exact same time.
We've been seeing more examples of pull based malware over the last couple of months, mostly related to the Storm worm but the BBB scam from a couple of months ago used this method as well. Pull based infection provides much greater flexibility for the malware authors in their attempts to stay one step ahead of the anti-virus engines and is something we will continue to see not only from Storm, but from other worm authors who learn from Storm's successes in their attempts to come up with new methods to get onto our PCs.
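The server side polymorphism described in this post and in the "pull" based malware post above has a detectable side effect from the defender's side of the web proxy: the same executable URL, fetched by several users within minutes, produces a different file hash every time, whereas a genuinely static download hashes identically on every fetch. The Python below, added here as an example and not code from the original posts or from MX Logic, runs that check over constructed proxy log lines and turns the result into a URL list for the inbound mail filter, which is the email/web crossover the "pull" based post argues for. The log format (time, client IP, URL, status, bytes, body SHA-256) and the shortened hash values are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines; the format is an assumption for this example
# (time, client IP, URL, HTTP status, bytes, SHA-256 of the response body, shortened).
# Three clients fetch the same lure executable within a minute and each receives a
# body with a different hash; a legitimate installer hashes identically on every fetch;
# a dynamic HTML page also differs per fetch but is not an executable download.
CONSTRUCTED_PROXY_LOG = """\
2007-10-22T09:01:12Z 10.0.0.15 http://cards.example.invalid/ecard.exe 200 77824 sha256=1111aaaa
2007-10-22T09:01:40Z 10.0.0.21 http://cards.example.invalid/ecard.exe 200 77856 sha256=2222bbbb
2007-10-22T09:02:03Z 10.0.0.33 http://cards.example.invalid/ecard.exe 200 77840 sha256=3333cccc
2007-10-22T09:03:15Z 10.0.0.33 http://cards.example.invalid/ecard.exe 404 0 sha256=e3b0c442
2007-10-22T09:05:00Z 10.0.0.15 http://updates.example.invalid/setup-1.2.exe 200 5120000 sha256=9999dddd
2007-10-22T09:06:10Z 10.0.0.21 http://updates.example.invalid/setup-1.2.exe 200 5120000 sha256=9999dddd
2007-10-22T09:07:30Z 10.0.0.40 http://news.example.invalid/index.html 200 18233 sha256=4444eeee
2007-10-22T09:08:00Z 10.0.0.41 http://news.example.invalid/index.html 200 18410 sha256=5555ffff
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<size>\d+) sha256=(?P<sha>[0-9a-f]+)$"
)

# Windows executable extensions used as lures in the campaigns discussed on this page.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")


def parse_log(text):
    """Parse the log into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def is_executable_url(url):
    """True when the URL path (ignoring query string and fragment) ends in an executable extension."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(EXECUTABLE_EXT)


def polymorphic_downloads(records, min_distinct=2):
    """Map URL -> (distinct body hashes, distinct clients) for successful executable
    downloads whose content changed between fetches. A static file served by a
    normal web server yields one hash; a server repacking per download yields many."""
    hashes, clients = defaultdict(set), defaultdict(set)
    for r in records:
        if r["status"] != "200" or not is_executable_url(r["url"]):
            continue
        hashes[r["url"]].add(r["sha"])
        clients[r["url"]].add(r["client"])
    return {u: (len(h), len(clients[u])) for u, h in hashes.items() if len(h) >= min_distinct}


def mail_filter_blocklist(records):
    """URLs flagged on the web side, handed to the inbound mail filter so the same
    lure link is stopped before the next recipient can click it."""
    return sorted(polymorphic_downloads(records))


if __name__ == "__main__":
    recs = parse_log(CONSTRUCTED_PROXY_LOG)
    for url, (n_hash, n_client) in polymorphic_downloads(recs).items():
        print(f"{url}: {n_hash} distinct bodies across {n_client} clients")
```

The check deliberately ignores non-executable content, since dynamic pages legitimately differ on every request, and it counts only successful (200) responses. It is a triage signal rather than a verdict: some legitimate download services stamp per-user data into installers, so a flagged URL should be confirmed by sandboxing one of the bodies before the blocklist is enforced.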