Sophos

Archive for May, 2009

Scammer tricks

After I leave the lab after a busy day, I often ponder what tricks scammers will use next. For example, we see a constant stream of fake security applications that fraudulently suggest a user should hand over a sum of money to have phantom security problems erased. Scammers often use social engineering tricks to get these fraudulent applications, better termed Trojans, onto PCs. Of course, if one were to fall for such a scam, the only thing erased would be the sum paid from one’s disposable income. Will we start seeing “magic tax software” that claims to recover as much tax as possible for a modest price but delivers nothing? Maybe it will be “magic stock trading software” that guarantees a high return for a modest sum and again delivers nothing. Where there is an interest, I am sure a scammer will target it for exploitation and ensure that the usual hidden bonus of adware or malware, which actually does deliver on its promise, is diligently installed.

Phishing too has evolved over the years. While we continue to see the usual scams claiming that an account will be closed if no action is taken, others, like the scam pictured below (which, by the way, is still being spammed out), offer a faux cash reward in return for the opportunity to strip your bank account.

The link redirects to a site with the following form:

I truly hope that this type of scam no longer fools anyone because future scams may become much harder to discern.


Cybersecurity Czar

This morning President Obama announced that he would be appointing a Cybersecurity Coordinator. The appointment is one of the many recommendations of the 60 day cyberspace policy review (PDF) commissioned in February. Along with publication of the review itself comes a list of the papers that in part informed the reviewers.

The review itself outlines 10 near-term goals for the US Government, and while many are concerned with governmental or international policy, there are two that are just as applicable to the safe and secure operation of an enterprise network.

Initiate a national public awareness and education campaign to promote cybersecurity

Education should be a key part of any security strategy. One of the largest security risks in any organization is the connection between the keyboard and the chair. It is undoubtedly true that there are many users who will not understand or care about network security. However, changing the behavior of those who do understand will reduce your risk, which is the purpose of security measures. No single policy, education program or technology solution will provide complete security, each must be used together as part of a coherent strategy to secure your network.

Prepare a cybersecurity incident response plan

To quote President Obama: “ad-hoc response will not do”. Despite your efforts to minimize risk there will almost inevitably be security incidents on your network that require a response. Planning that response in advance will lead to a calmer and more controlled incident. Last year the SANS Internet Storm Center published a series of articles about preparing for and responding to security incidents during its Cyber Security Awareness Month. In fact some data protection laws, such as the one in Massachusetts, require a “comprehensive, written information security program”.

It is refreshingly honest for the US Government to admit that “We are late in addressing this critical national need and our response must be focused, aggressive, and well-resourced.” Unfortunately many other organizations are also well behind when it comes to implementing good security practices. If yours is one of them perhaps this is a good time to rethink your security strategy.

Image source : Randy Son Of Robert’s Flickr photostream (Creative Commons 2.0)


Stupid way to end piracy

Here in SophosLabs, we are quite used to seeing popular musicians’ images and names being used to spread malware.

But this piece of malware I saw today attempts to stop global music piracy, which incidentally seems to be on the rise lately because of the economic downturn.

It looks to have been written by some Indonesian script kiddies who seem to think that by infecting people’s computers they can stop piracy.

The malware attempts to use the Indonesian band Samsons and their song Naluri Lelaki to entice users to click on the file. The file itself carries a Winamp icon, so to the user it looks like a regular mp3. When the file is run it modifies some registry entries related to WinLogon, so the victim’s computer displays the following message box before they can log on:

“Stop pembajakan Musisi Dalam Negeri, Jangan Gunakan MP3 lagi (sok sok an) huahahahahaha!!!”

Loosely translated to:

“Stop pirating domestic musicians, don’t use MP3s any more (show-off) huahahahahaha!!!”

The Trojan replaces every mp3 found on the victim’s computer with a copy of itself, named after the original file with “.exe” appended, thus destroying all mp3 files on the system.

The Trojan will also shut down Winamp and copy itself to the Windows folder on the victim’s computer. A full description of the malware is here.
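The masquerade described above, a Windows executable named like a music file so that the familiar icon and the trailing “.exe” escape notice, is easy to hunt for on a disk once you know to look for it. The following scanner is an added example and is not code from the original SophosLabs post or from the malware description it links to. It walks a directory tree and reports files that either have a media extension immediately followed by an executable one (“track.mp3.exe”) or carry a plain media extension but begin with the “MZ” header every Windows executable starts with. The sample files it builds are constructed here for the demonstration; they contain no real malware.

```python
"""Find media files that are really executables (added example, constructed samples)."""
import os
import tempfile

MEDIA_EXTENSIONS = {".mp3", ".wav", ".wma", ".ogg", ".flac"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MZ_MAGIC = b"MZ"  # every DOS/PE executable begins with these two bytes


def is_double_extension(filename):
    """True for names like 'track.mp3.exe': a media extension hidden before an executable one."""
    stem, last = os.path.splitext(filename.lower())
    _, hidden = os.path.splitext(stem)
    return last in EXECUTABLE_EXTENSIONS and hidden in MEDIA_EXTENSIONS


def has_pe_header(path):
    """True when the file starts with the MZ magic, whatever its name claims."""
    with open(path, "rb") as f:
        return f.read(2) == MZ_MAGIC


def find_masquerading_media(root):
    """Return paths (relative to root) of files that claim to be media but are executables.

    Both checks matter: the double extension is the lure the user sees, while a
    renamed executable hiding behind a plain '.mp3' will not run on double-click
    but still shows that a payload has been planted among the music.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name.lower())[1]
            if is_double_extension(name):
                hits.append(os.path.relpath(path, root))
            elif ext in MEDIA_EXTENSIONS and has_pe_header(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed test data: a clean mp3, an mp3.exe copy and an mp3 that hides an MZ header."""
    root = tempfile.mkdtemp(prefix="mp3scan_")
    music = os.path.join(root, "Music")
    os.makedirs(music)
    with open(os.path.join(music, "Naluri Lelaki.mp3"), "wb") as f:
        f.write(b"ID3\x03\x00" + b"\x00" * 64)   # genuine-looking ID3 tag header
    with open(os.path.join(music, "Naluri Lelaki.mp3.exe"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 64)            # stand-in for the Trojan copy: PE stub, not malware
    with open(os.path.join(music, "intro.mp3"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)            # executable renamed to look like audio
    return root


if __name__ == "__main__":
    for hit in find_masquerading_media(build_sample_tree()):
        print("suspicious:", hit)
```

Point it at a user profile rather than the constructed tree to use it for real; the name check is cheap and the header read touches only the first two bytes of each candidate, so it is fast even over a large music collection.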

Needless to say it’s a lame attempt.


Which they ate with a runcible spoon

Spam campaigns often include text from commonly available books and websites to try to make them look more like legitimate emails. This week I’ve seen runs that are using lines from the nonsense poetry of Edward Lear in their hashbuster (the block of borrowed or random text that is varied from message to message so that no two copies share a checksum), for example:

Subject: Far and few, far and few

And my jug without a handle Which they ate with a runcible spoon tkpr

http://xxxxxx.net/gg.html
tuu pgtsasf
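The hashbuster works because a filter that fingerprints the whole message body sees a new message every time a line of Lear or a random token changes. The block below is an added example, not code from the original post, and the two spam messages in it are constructed to mimic the run above: the same spamvertised URL wrapped in different borrowed text and random tokens. It shows the exact hash diverging, a plain word-overlap similarity collapsing to near zero, and a signature keyed on the normalized payload URL staying constant across the pair.

```python
"""Exact hashes versus a payload-keyed signature over hashbusted spam (added example)."""
import hashlib
import re

# Constructed samples: one campaign, two hashbusters, same URL.
SPAM_A = """Subject: Far and few, far and few

And my jug without a handle Which they ate with a runcible spoon tkpr

http://xxxxxx.net/gg.html
tuu pgtsasf
"""

SPAM_B = """Subject: The Owl and the Pussy-cat

They dined on mince, and slices of quince qzlmw

HTTP://XXXXXX.NET/gg.html.
ab rpqzz
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")


def exact_signature(message):
    """What a naive filter does: hash the whole body, so one changed byte is a new hash."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def normalize_url(url):
    """Lower-case the host, drop the scheme and trailing punctuation; keep the path."""
    url = url.strip().rstrip(".,;)")
    url = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    host, _, path = url.partition("/")
    return host.lower() + "/" + path


def campaign_signature(message):
    """Signature that ignores the hashbuster: hash only the normalized payload URLs."""
    urls = sorted({normalize_url(u) for u in URL_RE.findall(message)})
    return hashlib.sha256("\n".join(urls).encode("utf-8")).hexdigest()


def word_set(message):
    """Lower-cased words excluding the URL: what a text-similarity filter would compare."""
    return set(WORD_RE.findall(URL_RE.sub(" ", message).lower()))


def jaccard(a, b):
    """Set overlap in [0, 1]; near zero here because the borrowed text dominates."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


if __name__ == "__main__":
    print("exact hashes equal:   ", exact_signature(SPAM_A) == exact_signature(SPAM_B))
    print("word-set similarity:  ", round(jaccard(word_set(SPAM_A), word_set(SPAM_B)), 3))
    print("campaign sig equal:   ", campaign_signature(SPAM_A) == campaign_signature(SPAM_B))
```

The lesson is the one the analyst draws: the poetry is noise, the link is the campaign. Real spammers also rotate the URL, so in practice the payload key is the resolved landing site or the registered domain rather than the literal link, but the principle of hashing what the spammer cannot afford to change is the same.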

“Far and few, far and few, Are the lands where the Jumblies live”. These spammers are unfortunately more prolific than the Jumblies, but let’s hope the example is followed and that they too go to sea in a sieve.

“You shall have my chairs and candle, And my jug without a handle!” - so said the Yonghy-Bonghy-Bo, and more heartfelt an offer than the merchandise being peddled here.

“They dined on mince, and slices of quince, Which they ate with a runcible spoon” - the sites linked to by this campaign are trying to sell the Owl and the Pussy-Cat something quite different to go with their mince and quince, as they’re run by our old friends at Canadian Pharmacy:

Canadian Pharmacy

When the spammers move on to the limericks, I fully expect to see messages selling me two owls and a hen, four larks and a wren - it’s certainly more entertaining for this analyst than the regular nonsense hashbusters.


Common Fish

Today I came across a phish. Nothing new there, but it was targeted at one of Australia’s biggest banks, the Commonwealth Bank. The phish claims to be from the Commonwealth Bank and looks like this:

——————————————————————————————————————————–

Dear Member,

Your Online banking account has been locked

To Login, please click the link below:

http://www.xxxxxx.com/online/

——————————————————————————————————————————–

The link goes to a page which looks very much like the Commonwealth Bank’s page (with genuine links to “Netbank centre” and “Forgotten client number”).

This again highlights the need for users of Internet banking websites to be aware at all times when accessing their accounts. Fraudulent emails like this one are on the rise, and some simple steps can keep you safe. Some tips are:

1. Look at the sender information. This phish came from the sender

Commonwealth Bank of Australia<memberservice@commonweahtl.com>.

Note the jumbled letters in “@commonweahtl.com”: this is a lookalike domain, not the bank’s own.

2. Read up on your financial institution’s policy with regards to sending/requesting personal banking information.

3. Look at the links. This phish asks the user to log into their online bank account. I have purposely obfuscated the phishing link used in this blog post; however, it is clearly different from the link available directly from the real Commonwealth Bank website.
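The first tip can be automated at the mail gateway: pull the domain out of the From: header and measure how far each of its labels is from the brand names you want to protect. The block below is an added example, not code from the original post. It uses the optimal string alignment distance (Levenshtein edits plus adjacent transpositions) so that a single swapped letter pair counts as one edit, and treats a label that is close to, or exactly spells, a protected brand in a domain you do not own as a lookalike. The protected brand labels and the “legitimate” sender domain are assumptions made for this example, not facts stated on the page.

```python
"""Flag lookalike sender domains such as '@commonweahtl.com' (added example)."""
import re

# Assumed for the example: brand labels a bank's genuine mail might carry.
PROTECTED_LABELS = ("commonwealth", "commbank", "netbank")
# Assumed for the example: the only sender domains accepted as the bank's own.
LEGITIMATE_DOMAINS = {"commbank.com.au"}

ADDRESS_RE = re.compile(r"<([^<>@\s]+)@([^<>\s]+)>|([^<>@\s]+)@([^<>\s]+)")


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1, adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(from_header):
    """Domain from a From: header such as 'Bank <x@y.com>' or 'x@y.com'; None if absent."""
    m = ADDRESS_RE.search(from_header)
    if not m:
        return None
    domain = m.group(2) or m.group(4)
    return domain.lower().rstrip(".")


def assess_sender(from_header):
    """Return (verdict, detail) with verdict in {'legitimate', 'lookalike', 'unrelated'}."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unrelated", "no address found"
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate", domain
    for label in domain.split("."):
        for brand in PROTECTED_LABELS:
            dist = osa_distance(label, brand)
            if 0 < dist <= 2:  # close but not identical: a typosquat
                return "lookalike", f"{label!r} is {dist} edit(s) from {brand!r}"
            if dist == 0:      # exact brand label inside a domain the bank does not own
                return "lookalike", f"{label!r} spells a protected brand in an unlisted domain"
    return "unrelated", domain


if __name__ == "__main__":
    for hdr in ("Commonwealth Bank of Australia<memberservice@commonweahtl.com>.",
                "CommBank <noreply@commbank.com.au>",
                "Mum <mum@example.org>"):
        print(hdr, "->", assess_sender(hdr))
```

The threshold of two edits is a trade-off: large enough to catch “commonweahtl” (two substitutions, since the swapped letters are not adjacent) and “commonwaelth” (one transposition), small enough that ordinary unrelated domains do not trip it. For short brand labels tighten it to one, and remember that the From: header is trivially forgeable, so this check complements, rather than replaces, SPF/DKIM verification of the sending domain.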

Some other samples seen are

——————————————————————————————————————————–

Dear Commonwealth Bank of Australia customer,

During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information.

This might be due to either of the following reasons: 1. A recent change in your personal information ( i.e.change of address). 2. Submiting invalid information during the initial sign up process. 3. An inability to accurately verify your selected option of payment due to an internal error within our processors.

Please update and verify your information by folowing this link:

http://www.xxxxxx.com

If your account information is not updated within 48 hours then your ability to access your account will become restricted.

Thank you

© Commonwealth Bank of Australia 2009 ABN 48 123 123 12

——————————————————————————————————————————–

and

——————————————————————————————————————————-
 ——————————————————————————————————————————-
As always, be very careful and aware of where you send your personal information, and do read up on your financial institution’s policy on personal banking.

Cheers


Viagra Campaign with Discounts

It is perfectly normal to see Viagra-related spam hitting our spam traps. In many cases the spammers attempt to appear professional, offering great discounts and “guaranteed satisfaction” on their products. They often use celebrity pictures as well, to lend authenticity to the products they are trying to sell. In the case of one of the Viagra campaigns we have seen today, the celebrity in question is a famous Bollywood actress.

The images used in this particular campaign are hosted on the Bebo social networking site. SophosLabs is successfully blocking such spam messages, but, as always, users are reminded never to open untrusted emails (and, of course, never to run suspicious attachments).


Downsize your defaults

Computer malware history is full of those Doh! moments: occasions where you are left at worst speechless, at best dumbfounded. In many cases user error or ignorance is the root cause, but often it is the software that is at fault. I am not talking about defects in the software, which may subsequently get exploited. I am talking about technology that opens a user up to attack whilst delivering very little advantage to that user in terms of product features.

I am not against functionality. Far from it. But the evolution of software and operating systems is no excuse for poor design or ill-thought-out technology. I am sure malware authors must love what we seem to accept as the natural side effect of software evolution: an increased attack surface. You only need to think back a few years to the huge problems caused by macro viruses for a good example of where additional functionality significantly changed the game as far as security was concerned.

On the last two occasions where I have had to help to clean up infected machines for friends, both infections could easily have been prevented by a more intelligent choice of default product configuration.

In one case, the user was infected via a malicious PDF. Sadly, this is a common occurrence nowadays, and one of the reasons Adobe have taken steps to tighten up their patching process (very welcome). The fact that Adobe Reader by default runs JavaScript embedded in documents is quite simply an open door to the attacker. And what would be the cost of disabling this “feature” in terms of lost functionality for the typical user? Minimal, I suspect. Given the growth in malware using PDFs as a point of entry, why do we accept the decision to enable such functionality by default? (See here for details on how to disable JavaScript.)
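Until the default changes, it helps to know which incoming PDFs would actually reach Reader’s JavaScript engine. The scanner below is an added example, not code from the original post or from Adobe. It looks through the raw file for the dictionary names that make a document active (/JavaScript, /JS, /OpenAction, /AA, /Launch) after undoing the #xx hex escapes that PDF syntax permits inside names, because “/J#61vaScript” means /JavaScript to the parser but not to a plain string search. The documents it inspects are constructed byte strings with a harmless alert call standing in for the payload; no real exploit is included.

```python
"""Detect PDFs that would run JavaScript when opened (added example, constructed files)."""
import re

ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")       # a PDF name token
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")    # #xx escape inside a name


def decode_name(raw):
    """Resolve #xx escapes: b'/J#61vaScript' -> '/JavaScript'."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def active_content_names(pdf_bytes):
    """Set of risky names present in the file, compared after decoding escapes."""
    found = set()
    for m in NAME_RE.finditer(pdf_bytes):
        name = decode_name(m.group(0))
        if name in ACTIVE_NAMES:
            found.add(name)
    return found


def runs_javascript_on_open(pdf_bytes):
    """True when the file both carries JavaScript and wires it to an open or auto action."""
    names = active_content_names(pdf_bytes)
    has_js = bool(names & {"/JavaScript", "/JS"})
    has_trigger = bool(names & {"/OpenAction", "/AA"})
    return has_js and has_trigger


def naive_grep(pdf_bytes):
    """What a literal string match sees; defeated by hex-escaped names."""
    return b"/JavaScript" in pdf_bytes or b"/JS" in pdf_bytes


def minimal_pdf(catalog_extra=b""):
    """Constructed one-page PDF; catalog_extra is spliced into the catalog dictionary."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


BENIGN_PDF = minimal_pdf()
JS_PDF = minimal_pdf(b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >>")
# Same document with the names hex-escaped to slip past a literal match.
OBFUSCATED_JS_PDF = minimal_pdf(b"/Open#41ction << /S /J#61vaScript /J#53 (app.alert(1)) >>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("js", JS_PDF), ("obfuscated", OBFUSCATED_JS_PDF)):
        print(label, "grep:", naive_grep(doc), "scanner:", runs_javascript_on_open(doc))
```

Two caveats a practitioner would add: the scan reads the raw byte stream, so objects packed into compressed object streams (/ObjStm with /FlateDecode) have to be inflated before the names become visible, and a positive result means the document is active, not that it is malicious; legitimate forms use JavaScript too, which is exactly why the default matters.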

The curse of autorun functionality within Windows is another example, where a single piece of functionality enabled attackers to infect hordes of victims. In this case, as previously reported, good news is finally on the horizon, with Microsoft planning to restrict the functionality in Windows 7 (and XP/Vista as well at some point) to CD/DVD drives.

Most software vendors are acutely aware of the importance of security in their products. But I do believe that users could be better protected if more thought were given to the default product configuration. In addition to protecting certain applications with buffer overflow protection (BOPs), Sophos also provides the ability to control which applications organizations wish to permit on their networks. The time is nigh for organizations to review and control the precise configuration of those applications as well.


AusCert’09 Competitors Exterminated!

So another AusCert has come to a successful close, much to the delight of our Marketing Department, which in one fell swoop has managed to all but exterminate the “pulling power” of competing vendor stands :-P

AusCert2009 stand


Paul Ducklin and I both presented technical talks and spent the rest of the time socializing with other techies at a bar somewhere. I’d say more but I’m lost for words while I wait for the hangover haze to clear…


iPhone and eBay Phishing Scam

Apple’s products such as the iMac, the Mac Mini, the iPod and the iPhone tend to generate a lot of interest and publicity around the world. Media publicity around the iPhone and its successor, the iPhone 3G, has been so intense that the names have become buzzwords.

As a result, it comes as no surprise that these Apple products are fast gaining notoriety as targets of abuse by spammers, phishers and malware authors.

Today, an eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple and appears as follows:

At first sight, it appears to be a product spam campaign promoting the iPhone. However, clicking the link in the email brings up a fake eBay page. The email is actually a ruse designed to steal an eBay user’s information.

SophosLabs analysts have encountered many instances of such impersonation of legitimate websites, ranging from internet banking sites to online retailers. As always, online users should take precautions and never follow an embedded link to an online store or a banking website from an email, even if at first glance it looks legitimate.

SophosLabs analysts have since blocked this scam campaign.


As If Stealing Your Money Wasn’t Enough…

There’s a game out there a few of you may have heard of called World of Warcraft that’s been in the news a lot over the years. I admit, I was once one of “them”, playing long hours every day to get the latest in “phat lootz” (translation: items that are highly sought after).

I’d kicked the gaming habit years ago, but recently I made the mistake of letting a friend talk me into playing it again.

One of the things that used to really bug me was the spammers in the game (people who register for the game with the sole intent of automatically sending bulk messages) who would repeatedly send you private messages trying to sell you virtual gold for real-world currency.

They would send you a message with a price (say 5000 virtual gold coins for 50 real dollars) along with a URL where you could make the payment. Once you had purchased their gold with your Visa, they would arrange a virtual meeting place in game to make the exchange.

The good news is that during the past two weeks that I’ve been playing, I have yet to receive a single one of these messages. The bad news is, it seems they’ve moved on to a new business.

Last night, while playing the game, I received the following message.

Being the curious fellow that I am, I decided to look into it by doing a WHOIS lookup on the domain, which revealed that it had been registered just last week. Sure enough, it was a phishing scam.

Searching for similarly named domains, I found a few other examples, some of which seem to be down and no longer resolving to an IP as of this morning. When I loaded the page in a browser, sure enough I was greeted with a World of Warcraft account management login screen.

Knowing full well what was going on here, I entered a bogus login and password to see what else there was. Of course, any login and password was accepted followed by another screen asking me if I wanted to change my password. It requested my current email address, a secret question and the answer.

Not only are these people looking to steal your game login credentials, they also want your email address and the answer to your secret question.

Why, you ask? Well, if you’re like a lot of people, you probably sign up at multiple websites with the same email, the same password, the same secret question and the same secret answer.

Unfortunately, that means that all someone needs is to find your login information for one site, and they’ll have it for all of them.

It’s important to always pay attention to detail and go with your gut.

First of all, if a company needed to contact you with some sort of special announcement, they would send you an email, not a message with poor grammar and a suspicious-looking link.

Second, if you read the text near the bottom of the account login page you’ll see a message saying the following:

For security reasons, close your web browser when you are done accessing services that require authentication. Secure Blizzard Entertainment web pages that request your account name and password will contain URLs such as worldofwarcraft.com, blizzard.com, and battle.net.
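That notice is only useful if you check the host the way a browser does, not by eye. The block below is an added example and is not code from the original post or from Blizzard. It takes the three domains quoted above as the allowlist and decides whether a login URL really belongs to one of them by comparing the parsed hostname on label boundaries, because the phisher’s trick is to put an allowed name somewhere inside a host they control: “battle.net.example.com”, “worldofwarcraft.com-account.example” or “login-blizzard.com” all contain a real domain name and none of them is under it. The phishing URLs are constructed for the example.

```python
"""Is this login URL really under an allowed domain? (added example, constructed URLs)"""
from urllib.parse import urlsplit

# Allowlist as quoted from the login page; anything else is not Blizzard's.
ALLOWED_DOMAINS = ("worldofwarcraft.com", "blizzard.com", "battle.net")


def host_of(url):
    """Lower-cased hostname; urlsplit drops any 'user@' prefix and ':port'. None if not http(s)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_allowed_host(host, allowed=ALLOWED_DOMAINS):
    """True only if host equals an allowed domain or is a subdomain of one (on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_url(url, allowed=ALLOWED_DOMAINS):
    """Return ('allowed' | 'lookalike' | 'other', reason)."""
    host = host_of(url)
    if host is None:
        return "other", "not an http(s) URL"
    if is_allowed_host(host, allowed):
        return "allowed", host
    # An allowed name appearing as a substring of a host we do not own is the phish pattern.
    for domain in allowed:
        brand = domain.split(".")[0]
        if domain in host or brand in host:
            return "lookalike", f"{host} contains {domain!r} but is not under it"
    return "other", host


if __name__ == "__main__":
    for u in ("https://us.battle.net/account/management/",
              "http://battle.net.example.com/login",
              "http://worldofwarcraft.com-account.example/",
              "http://login-blizzard.com/",
              "http://www.battle.net@evil.example/"):
        print(u, "->", classify_url(u))
```

Note the last sample: with credentials in the URL the browser connects to “evil.example”, and so does `urlsplit`, which is why the check is done on the parsed hostname and not on the text the user sees. Substring matching in the other direction (“does the URL contain battle.net?”) is precisely the mistake this code avoids.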

For anyone who does fall victim to this phish site, it’s likely that the phishers will attempt to log into their account and steal any virtual gold or items of value they can profit from.

If you do fall victim to a phish, there is a support page with steps for you to follow.

For the paranoid people out there, there’s also an added layer of security you can add to your account by purchasing an authenticator; that way, even if they do get your login and password, they still can’t log in to your account.

Just remember, phishing won’t always come in the form of an email, and isn’t limited to targeting just your bank accounts. When in doubt, always start online transactions from the original domain, be it World of Warcraft, Google or online banking.