Exchange archives - Security Corner

Nov 19 2009   2:51AM GMT

Law, PR Firms Being Targeted by Hackers says FBI



Posted by: Ken Harthun
Security, Phishing, E-mail scam, email, Security bulletin

According to the Washington Post, “Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas.”

Needless to say, I’ve informed all of my clients who may be affected.

The attacks turn out to be classic “spear phishing” attacks and they can be very convincing. (Recall that a couple of years ago, dentists were targeted.) Here’s what the FBI has to say about the current round of attacks:

[The FBI says hackers are using] spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities. The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard. Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link. Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests. In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests.

I wasn’t able to find the text of the latest emails floating around in this spear phishing campaign, but the above description should give you a clue.

Oct 21 2009   7:08PM GMT

Panda Security Finds Automotive Industry Hit Hardest by Spam



Posted by: Ken Harthun
spam, E-mail scam

Interesting study. It seems that spam content received is constant across all industries and the majority of it is pharmaceutical related. This could mean one of two things: either very few spammers are responsible (likely); or, a lot of men fall for the v-i-AGR*A spam. Anyway, check it out:

Panda Security has just completed a 3-month long study of spam across 11 different industries, exposing that the automotive industry is most heavily targeted. The study found that 99.89 percent of all e-mail received by the automotive industry is spam, with just .11 percent being legitimate messages. The automotive industry was closely followed by the electronics industry and governmental sector as the top spam targets.

When analyzing the survey, Panda found it particularly interesting that while industries are targeted in different ratios, the content of the spam they receive (the majority of which is pharmaceutical related) is constant across all industries.

View the full press release online here: http://www.pandasecurity.com/usa/homeusers/media/press-releases/viewnews?noticia=9906

Panda has posted a breakdown of how each industry is affected to its Flickr page:  http://www.flickr.com/photos/panda_security/4026424134/



Sep 23 2009   8:15PM GMT

Hacking Skills Challenge - Level 5



Posted by: Ken Harthun
Security, security awareness, Email security, Ethical hacking, Hacking, Password

So far, we’ve explored the first 4 basic missions at HackThisSite.org. As we get to each new level, the difficulty increases, but they’re still pretty easy.

Today, we solve level 5:

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

If you try the same tactic we used to solve level 4, you’ll get the error message, “Invalid referrer. The requested URL /missions/basic/5/level5.php will not be loaded.” You get this because the script checks the HTTP headers (specifically the Referer) to see where you are viewing the page from. If the referring URL is not /missions/basic/5/ or /missions/basic/5/index.php, it gives an error. Since you’re viewing it from a local file, the check fails.

There are two approaches we can take here:

1. Change the email address in the script using some form of code injection.
2. Use an online monitor/debugger that allows us to edit a page on the fly.

For the first approach, JavaScript injection allows us to change the email address using the following code: javascript:alert(document.forms[0].to.value="put_your@email.here"); Enter that in the address bar, hit Enter, and you’ll be greeted with an alert box showing the email address you entered. If you then click the “Send Password to Sam” button, the password will be revealed. Copy the password, paste it into the password field, click Submit and you’re in. Like the last exploit, the page won’t actually send the password to the email address. In fact, you don’t even have to change the email address in the code; it will work as shown.

For the second approach, if you use Firefox, you can install a cool add-on called Firebug. This powerful tool allows you edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. I installed it, went to the challenge page and used the “Inspect Element” feature to see what was behind the “Send Password to Sam” button. Then, within Firebug, I changed the email address. When I clicked the “Send Password to Sam” button, the password was revealed.

Either way, mission accomplished!
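The lesson behind this level is that neither a Referer check nor a form field holding the recipient address is something the server can rely on, since the browser controls both. The following is an added example, not code from HackThisSite or from this post: a constructed in-memory model of a “Send Password to Sam” style handler in the vulnerable shape next to a hardened shape that looks the recipient up server-side and sends a reset token instead of the password. Account data, addresses, URLs and the `issueToken` callback are all made-up assumptions.

```javascript
// Added example (not from HackThisSite or the original post): a constructed,
// in-memory model of the "Send Password to Sam" handler, showing why a
// Referer check plus a client-supplied recipient field is not a control.
// Account data, addresses and URLs below are made up for illustration; the
// clear-text password is kept only to model what the challenge page reveals.
const accounts = {
  sam: { email: "sam@example.invalid", password: "constructed-secret" },
};

// Vulnerable shape: the server trusts two things the browser controls,
// the Referer header and the "to" field of the submitted form.
function vulnerableSend(req) {
  const allowed = ["/missions/basic/5/", "/missions/basic/5/index.php"];
  const referer = req.headers.referer || "";
  if (!allowed.some((p) => referer.endsWith(p))) {
    return { sent: false, error: "Invalid referrer." };
  }
  const acct = accounts[req.body.user];
  // Recipient comes straight from the form, so whoever edits the form
  // (address bar, Firebug, a proxy) picks where the secret goes.
  return { sent: true, to: req.body.to, body: acct.password };
}

// Hardened shape: the recipient is looked up server-side from the account,
// the client-supplied "to" is ignored, the Referer plays no part in the
// decision, and the message carries a single-use reset token issued by the
// caller-supplied issueToken(user) rather than the stored password.
function hardenedSend(req, issueToken) {
  const acct = accounts[req.body.user];
  if (!acct) {
    // Identical shape for unknown users, so the response does not
    // confirm which account names exist.
    return { sent: true, to: null, body: null };
  }
  return { sent: true, to: acct.email, body: issueToken(req.body.user) };
}

// Constructed request: the form's recipient was edited in the browser and
// the Referer is exactly what the check expects.
const tamperedRequest = {
  headers: { referer: "https://challenge.example.invalid/missions/basic/5/" },
  body: { user: "sam", to: "attacker@example.invalid" },
};

// Runs both handlers on the same request and returns the two results.
function compare(req = tamperedRequest) {
  return {
    weak: vulnerableSend(req),
    strong: hardenedSend(req, (u) => `reset-token-for-${u}`),
  };
}
```

Running `compare()` shows the vulnerable handler accepting the spoof-friendly Referer and mailing the secret to whatever address the form carries, while the hardened handler ignores both and mails only the address on record.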

(In a future post, I’ll show you how to hack any stored password using a similar JavaScript approach. And I’ll make sure you adopt a policy to never use a “remember me on this computer” check box on a publicly accessible PC ever again!)


Aug 14 2009   7:18PM GMT

Gmail Vulnerability Points Up the Need for Strong Password Policy



Posted by: Ken Harthun
Exploits, insecure, Email security, Security, Password, Secure Computing, Vulnerabilities, Gmail

There’s a vulnerability affecting Gmail accounts that was recently announced by security researcher Vincente Aguilera Diaz. You can read the posting on the Full Disclosure security list which contains complete details on how a Gmail authentication attack is accomplished and how it can be automated.

Basically, if you have a Gmail account, you are permitted to guess another Gmail user’s password 100 times every two hours. That’s 1200 guesses per day. If a hacker controls 100 Gmail accounts (easy enough to do, since they’re free, and they probably have many more than this), that’s 120,000 guesses per day. Google has no intention of changing the 100 guesses/2 hrs. limit, saying it’s robust enough. Considering that the Conficker worm’s password table needed only 200 entries to compromise many systems, it’s conceivable that many Gmail accounts could be compromised easily within slightly more than 2 hours.

Gmail does require a password of 8 characters or more, but it does no further parsing, so extremely weak passwords such as aaaaaaaa,  12345678 and the like, are allowed as are dictionary words of sufficient length. What this means is that it’s up to you, the Gmail account holder, to protect your own account; Google isn’t going to enforce strong passwords (other than a length requirement) on the general public any time soon. So, it’s important that you have your own strong password policy.

Eight characters is sufficient length (though I consider it an absolute minimum) to create a very strong password using random upper- and lowercase letters, numbers and symbols. The trouble with those things is that they’re hard to remember. Better to come up with a phrase you can easily remember and use it as your password hint. Then, figure out a standard pattern you can apply to the hint to come up with a strong password. For example, choose the phrase My address is 555 Main St. Now, reverse the order of words and eliminate the spaces: St.Main555isaddressMy; eliminate all repeating letters and numbers: St.Main5drey; finally, make sure every other letter is shifted: St.MaIn5DrEy. That’s a very strong password.
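The three-step pattern above carried through in code, as an added example that is not part of the original post, so you can confirm the worked result and apply the same steps to a phrase of your own. The phrase is the post’s own sample; the case-insensitive handling of repeats is an assumption read off the post’s “St.Main5drey” result, and the final character-class check is an addition.

```javascript
// Added example (not from the original post): the post's hint-to-password
// pattern carried through in code. Sample phrase is the post's own.

// Step 1: reverse the word order and drop the spaces.
function reverseWords(phrase) {
  return phrase.trim().split(/\s+/).reverse().join("");
}

// Step 2: keep only the first occurrence of each letter or digit.
// Assumed case-insensitive, since the post's "St.Main5drey" drops the
// second "M" and the later "s"; punctuation such as "." is always kept.
function dropRepeats(s) {
  const seen = new Set();
  let out = "";
  for (const ch of s) {
    const key = ch.toLowerCase();
    if (/[a-z0-9]/.test(key)) {
      if (seen.has(key)) continue;
      seen.add(key);
    }
    out += ch;
  }
  return out;
}

// Step 3: alternate the case of the letters, counting letters only, so
// every other letter is shifted regardless of digits and punctuation.
function alternateCase(s) {
  let letterIndex = 0;
  let out = "";
  for (const ch of s) {
    if (/[a-z]/i.test(ch)) {
      out += letterIndex % 2 === 0 ? ch.toUpperCase() : ch.toLowerCase();
      letterIndex += 1;
    } else {
      out += ch;
    }
  }
  return out;
}

function derivePassword(phrase) {
  return alternateCase(dropRepeats(reverseWords(phrase)));
}

// Which of the four character classes the result covers and how long it is;
// a result missing a class means the phrase needs a digit or symbol added.
function characterClasses(pw) {
  return {
    lower: /[a-z]/.test(pw), upper: /[A-Z]/.test(pw),
    digit: /[0-9]/.test(pw), symbol: /[^a-zA-Z0-9]/.test(pw),
    length: pw.length,
  };
}
```

`derivePassword("My address is 555 Main St.")` reproduces the post’s St.MaIn5DrEy, and `characterClasses` confirms it covers all four classes at 12 characters; the strength of the scheme still rests on the phrase itself not being something others could guess about you.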

If you want to play around with different scenarios to come up with your own strong password policy, test your passwords with The Password Meter. It’s a pretty cool app.


Jul 27 2009   8:50PM GMT

“Of Course, I Never Reply to Spam – Except Sometimes”



Posted by: Ken Harthun
Security, Email security, security awareness, Botnet, Secure Computing, Phishing, E-mail scam, spam

Sounds funny, doesn’t it? But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.’” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:

This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats.  The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?”  It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.

One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.

What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.

The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.

Fellow security professionals, we have our work cut out for us.


Jun 30 2009   1:32AM GMT

Accused Spam King Alan Ralsky Pleads Guilty



Posted by: Ken Harthun
Cybercrime, Botnet, E-mail scam, spam, Scam

Once again, I’m behind on the news. This Security Fix report is almost a week old:

Alan Ralsky, a 64-year-old Michigan man that federal investigators say was among the world’s top spam kingpins, pleaded guilty on Monday to running a multi-million dollar international stock fraud scam powered by junk e-mail.

Ralsky … and his son-in-law and chief financial officer Scott K. Bradley, 38, also of Michigan, pleaded guilty to conspiracy to commit wire fraud, money laundering and to violate the CAN-SPAM Act.

Under the terms of his plea agreement, Ralsky faces a federal prison sentence of 87 months and a fine of $1 million. He allegedly earned up to $3 million on the Chinese penny stock scam that he promoted using junk mail sent out by various botnets. It’s interesting that the plea agreement doesn’t call for the forfeiture of his profits. So, he’ll spend his time in a minimum-security “camp” at taxpayer expense and probably get released well before his full sentence is up, all the while earning interest on the money he has squirreled away somewhere.

BTW, my apologies for being lax in keeping this blog up to date. I do have an excuse: I tore ligaments in my left hip and have been unable to sit, stand or lie down for the better part of two weeks.  Look for a more regular posting schedule next month.


May 11 2009   8:44PM GMT

Real Spam Statistics



Posted by: Ken Harthun
Security, Email security, spam, email

Depending on whose reports you view, spam accounts for from 85 to 95 percent of all emails sent. This may hold true over the Internet at large, but as with any other statistical data, there are local and regional variations. My own inbox is an exception to the general rule; I get far more legitimate emails than spam.

The company I work for provides spam filtering for several SMBs, so I have real data at hand that I can evaluate. Based on last week’s numbers, we processed nearly 100,000 messages in our filters. Of those messages, nearly 70,000 (70%) were spam; nearly 30,000 (30%) were accepted as legitimate. Our data has its own wild variations: one set is very low with only 18% spam; another set reaches a high of 92% spam.

I’m not a statistician, but it’s easy for me to see how big a problem spam has become. I’m not ready to say email is dead as a business communication medium, but it certainly needs an overhaul.


Apr 30 2009   1:21AM GMT

Swine Flu Breeds Spam



Posted by: Ken Harthun
E-mail scam, Email security, spam, Security, Scam

As usually happens with major disaster events—in this case the impending Swine Flu pandemic—email scammers are busy perpetrating pharmaceutical and other types of scams. In some cases, they’re using celebrity names to grab attention. Spam is hitting inboxes with various subjects. The following list, compiled by McAfee and posted on the McAfee Avert Labs Blog, shows some of the subject lines they’ve seen:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

They also report a 30x increase in the number of domain name registrations mentioning “swine.” It’s a good bet that many of those names will be used by scammers.

I’ve alerted my clients to this latest wave and sent reminders to everyone that should they receive any such emails, they should immediately delete them. That’s good advice to pass along.


Apr 15 2009   12:31AM GMT

Beware U.S. Tax Phishing Scams



Posted by: Ken Harthun
Email security, E-mail scam, Scam, IRS Phishing, Tax scam

It’s tax time in the U.S. and with that generally comes an increase in the number of phishing scams directed at taxpayers. The IRS, whether we like them or not, has an excellent anti-scam/anti-phishing web site. One key thing to remember is that the IRS does not initiate taxpayer communications through e-mail. Here’s an excerpt from their site:

The IRS does not initiate taxpayer communications through e-mail.

* The IRS does not request detailed personal information through e-mail.
* The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,

* Do not reply.
* Do not open any attachments. Attachments may contain malicious code that will infect your computer.
* Do not click on any links…

Additional information is provided by the IRS in a recent press release:

Beware of IRS’ 2009 “Dirty Dozen” Tax Scams

IR-2009-41, April 13, 2009

WASHINGTON — The Internal Revenue Service today issued its 2009 “dirty dozen” list of tax scams, including schemes involving phishing, hiding income offshore and false claims for refunds….

The IRS urges taxpayers to avoid these common schemes:

Phishing

Phishing is a tactic used by Internet-based scam artists to trick unsuspecting victims into revealing personal or financial information. The criminals use the information to steal the victim’s identity, access bank accounts, run up credit card charges or apply for loans in the victim’s name.

Phishing scams often take the form of an e-mail that appears to come from a legitimate source, including the IRS. The IRS never initiates unsolicited e-mail contact with taxpayers about their tax issues. Taxpayers who receive unsolicited e-mails that claim to be from the IRS can forward the message to phishing@irs.gov. Further instructions are available at IRS.gov. To date, taxpayers have forwarded scam e-mails reflecting thousands of confirmed IRS phishing sites. If you believe you have been the target of an identity thief, information is available at IRS.gov.

I highly recommend you visit the IRS site and heed their excellent advice: How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites


Feb 11 2009   10:30PM GMT

Software for Secure Computing: Easy Email & File Security with AxCrypt



Posted by: Ken Harthun
Security, Encryption, Email security, Secure Computing

Most of the email we send and receive from our co-workers, family, and businesses contains little that requires any degree of confidentiality. The same goes for most of the files we have stored on our hard drives and thumb drives. Occasionally, however, we need to pass on or store some information that wouldn’t be prudent for us to send or store in clear text, i.e., unencrypted. To go through all of the effort (and it’s a bit of effort, believe me) to set up secure email or create encrypted partitions or directories on the hard drive is a waste of time for most people. Fortunately, there’s a simple, free solution: AxCrypt.

AxCrypt is open source file encryption software for Windows. It integrates seamlessly with Windows to encrypt, decrypt, store, send and work with individual files. It runs on Windows 2000/2003/XP/Vista and uses AES-128 encryption.

Once installed, AxCrypt is integrated into Windows Explorer’s context menu. You simply right-click files and folders in Windows Explorer, select AxCrypt and then select the action you want from the sub-menu (see screen shot). If you choose Encrypt Copy to .EXE, AxCrypt makes a copy of the document, asks you for a passphrase, and creates a standalone, self-decrypting file that you can safely send across the network or store anywhere you choose.

To use AxCrypt for secure email, simply create a text file that contains all of the sensitive information you want to send, make a self-decrypting EXE file, and send it as an attachment. You’ll have to make contact with the recipient off-line to give them the passphrase, but your information will be secure in transit.

The AxCrypt site has plenty of information on how to use the program, as well as an excellent FAQ and command line reference.

Check it out. It’s a great addition to your secure computing software collection.