Security Corner:

Phishing

Sep 20 2009   9:54PM GMT

Google Safe Browsing Diagnostic Page



Posted by: Ken Harthun
Browsers, Firefox, Security, Malware, Phishing, Security management, Security tools

Thanks to Google, there’s a tool you can use to check any site and see if Google lists it as hosting any suspicious files or acting as a malware intermediary. Yes, I know there’s a Firefox extension and that the Google Toolbar for Firefox incorporates the tool, but what if you’re out in the field on a machine that doesn’t have the tool installed and you want to check a site? Simple. Use this URL:

“http://google.com/safebrowsing/diagnostic?site=[URL of site you want to check]” (Leave off the http://).

For example, this URL produced the report shown in the screen shot:

http://google.com/safebrowsing/diagnostic?site=itknowledgeexchange.techtarget.com

Try it out for yourself on your favorite sites. You might be surprised at what you find out.

(Thanks to Steve Gibson and Leo Laporte of Security Now! for presenting a reader comment that brought this to my attention.)

What do you think? Leave a comment!

Aug 31 2009   10:40PM GMT

Have You Noticed? Phishing Attacks Are Down



Posted by: Ken Harthun
insecure, Security, Phishing, Malware, Social Engineering, Secure Computing, Trojan

It’s just not in fashion anymore; phishing attacks are way down, falling out of favor with cybercriminals who now prefer malicious websites and password-stealing Trojan horse programs.

IBM’s security research and development division, X-Force, recently issued a report that found that throughout 2008, phishing volume was around 0.5 percent of overall spam volume. But in the first half of 2009, the volume of phishing attacks fell to around 0.1 percent of spam volume. Not only did the volume of phishing attacks drop, but the targets also changed: in 2008, 90 percent of all phishing attacks targeted the financial industry; in the first half of 2009, that percentage had dropped to 66 percent.

That’s the good news. The bad news is that, according to the report, the number of malicious Web links is up 508 percent in the first half of 2009 and many of these links appear on otherwise trusted sites such as search engines. X-Force Director Kris Lamb says, “There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk.”

A copy of the IBM report can be downloaded here (PDF).

As always, let the surfer beware.


Aug 28 2009   2:39AM GMT

Twitter Security: TwitBlock Blocks the Spammers



Posted by: Ken Harthun
Fraud, Security management, Phishing, Security, Social Engineering, Scam, Secure Computing, Twitter

Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.

Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, so it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs - the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics. (Warning: some are inappropriate for young viewers!)

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.


Jul 27 2009   8:50PM GMT

“Of Course, I Never Reply to Spam – Except Sometimes”



Posted by: Ken Harthun
Security, Email security, security awareness, Botnet, Secure Computing, Phishing, E-mail scam, spam

Sounds funny, doesn’t it? But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.’” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:

This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats.  The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?”  It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.

One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.

What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.

The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.

Fellow security professionals, we have our work cut out for us.


Jun 29 2009   7:01PM GMT

Spam, Phishing, and Malware Related to Recent Celebrity Deaths



Posted by: Ken Harthun
Cybercrime, Identity Theft, E-mail scam, Phishing, Social Engineering, Malware, Scam

Michael Jackson malware? Farrah Fawcett phishing attempts? Billy Mays spam? Ed McMahon notifies you, from the other side of the grave, that you’ve just won the million-dollar Publishers Clearing House (but you have to send him some money, first)? Yes, expect it. US-CERT is monitoring reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths. Here’s a typical example:

To: <redacted>
Subject: Confidential===Michael Jackson
Date: Thu, 25 Jun 2009 19:25:50 –0400

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secrective to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us.

Notice the blatant misspellings, lack of punctuation and obvious grammatical mistakes from someone who is clearly not a native English-speaking person. If you get this email, delete it immediately. Same with anything related to any of the other celebrities’ deaths.

They’re all from scammers (criminals) either trying to steal your money, your identity or both.


Feb 25 2009   1:52AM GMT

Beware the Phone Phishing Scam



Posted by: Ken Harthun
Cybercrime, Scam, Phishing, Password

In my area, there has been a rash of phishing calls targeting bank customers. Coincidentally, today’s WXP News (Vol. 8, #59 - Feb 24, 2009 - Issue #367) addresses the same issue:

You might never click a link in an email purporting to be from your bank, but what if someone from the bank called you on the phone and informed you that your account may have been compromised, and asked for your credentials? The best of these scammers will express concern for “security” and insist that you call them back to “verify” that the call is legitimate. And of course, the number that they give you to call is answered with the bank’s name. Some even go so far as to spoof the caller ID information so your phone displays the name of the bank when they call.

The countermeasure to this is to hang up, dial the bank’s main, published phone number and ask to speak to someone in their security department (some banks call it their “Bank Protection” section). Tell them you believe you may be the target of fraudulent activity. Most banks adhere to some variation of this policy: [XYZ Bank] does not contact customers via email, phone or mail to request or verify security information about passwords, personal identification numbers (PINs), credit card numbers or Social Security numbers.

Check your bank’s website for more information and current security alerts. And don’t give out any information over the phone unless you are absolutely sure who is on the other end.


Dec 30 2008   8:33PM GMT

CastleCops Shuts Down Operations



Posted by: Ken Harthun
Security, Malware, Phishing

CastleCops, the largest and most effective volunteer security community on the Internet, has shut down operations. Their website has this announcement posted:

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

CastleCops, founded by Paul Laudanski in 2002, spent six years investigating malware and phishing scams, working closely with law enforcement and the Internet security community to take down malicious websites. Because of their effectiveness, CastleCops’ websites were often the target of DDoS attacks and other attempts by cybercriminals to discredit them.

The group also ran volunteer training programs and provided assistance in malware cleanup. Some of their most popular resources were the lists of Windows CLSIDs, Startup programs, toolbars and the like that helped people identify and remove malware. I’m glad to see that those resources continue to be maintained by former CastleCops volunteers at the SystemLookup.com website.

They’ll be missed.


Dec 21 2008   11:19PM GMT

No More Security Updates for Firefox 2



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Vulnerabilities, Phishing, Firefox, Opinion, Anti-malware

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 2.0.0.19 does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
[Screen shot: Attack Site Blocked]

So, if you’re still using any earlier version of Firefox, upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!


Nov 12 2008   2:11PM GMT

Microsoft Security Intelligence Report Released



Posted by: Ken Harthun
Security management, Security, Vulnerabilities, Cybercrime, Malware, Phishing

For the past couple of years, Microsoft has been issuing a semi-annual report on the security threat landscape. The latest version of the Security Intelligence Report (SIR), v5, was released last Monday. Microsoft appears to be taking security seriously these days: “…during the first half of 2008 (1H08), there were fewer disclosures of Microsoft vulnerabilities than for the industry as a whole; in fact, Microsoft vulnerabilities were down 33.6 percent in 1H08.

“However, it is alarming to see that more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, and nearly half of all industry vulnerabilities are rated as High Severity. Additionally, 1H08 showed how threats are increasingly affecting a variety of vendors beyond Microsoft. Issues now cross multiple vendors and illustrate how different technologies behave together and then create complex, blended threats.”

At 150 pages, the SIR is no light read; it’s a thorough analysis of the security threat landscape based on several well-known industry sources as well as “Telemetry from several customer-focused Microsoft security products and services, including the Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services, representing a total user base of several hundred million computers…”

The announcement, Microsoft Security Intelligence Report Volume 5 is Now Available, posted on the Microsoft Malware Protection Center blog, describes a couple of interesting key findings from the report.

Highly recommended.



Oct 2 2008   8:12PM GMT

Beware Google AdWords Phishing Attack



Posted by: Ken Harthun
Security, Cybercrime, Malware, Phishing, Rootkit

Criminals are targeting Google AdWords customers with phony emails requesting the victim download a 128-bit SSL certificate. A client received this version (there are quite a few variations):

From: Google Adwords account [mailto:adwordsupdate@google.com]
Sent: Monday, September 29, 2008 8:52 PM
To: <potential victim>
Subject: Google Adwords Alert

Attention GOOGLE ADWORDS Customers!

For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate

Read more>>

Unprotected browsers will not be able to Log in after September 30, 2008
Sincerely, Genaro Escobar.

2008 Google Adwords, Developing new services.

Unsuspecting victims who click on the “Read more” link are taken to a malicious website where their machine is infected with a keylogger rootkit. The URL of the site varies, but is similar to this one:

 hxxp://adwords.google.select.starter.sig…

Of course, the actual domain the person arrives at isn’t google.com, but, in this case, mekefri.com.

A good rundown on this attack can be found at: Digital Certificate Spammer Goes for Google Adwords
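
The point about the link above, that a host name can lead with "adwords.google" while the registered domain belongs to someone else, can be checked mechanically. The following is an added example, not code from the original post: the brand watch list, the short suffix table standing in for the Public Suffix List, and the sample links are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed watch list: brand token -> registrable domains that brand really uses.
BRAND_DOMAINS = {"google": {"google.com"}, "adwords": {"google.com"}}

# Tiny stand-in for the Public Suffix List (assumption, far from complete).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(url):
    """Undo the hxxp / [.] defanging used when sharing suspicious links."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def registrable_domain(host):
    """Return the part of the host name that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url):
    """Report brand names used in a host name the brand does not own."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    registered = registrable_domain(host)
    # Brand names may sit in a subdomain label or be hyphenated into one.
    tokens = set(host.replace("-", ".").split("."))
    spoofed = sorted(
        brand for brand, owned in BRAND_DOMAINS.items()
        if brand in tokens and registered not in owned
    )
    return {"host": host, "registered": registered, "spoofed_brands": spoofed}


# Constructed sample links (not taken from the campaign described above).
SAMPLES = [
    "hxxp://adwords.google.select.starter.example.net/ssl/update",
    "https://adwords.google.com/select/Login",
    "hxxp://google-adwords.example.co.uk/certificate",
]

if __name__ == "__main__":
    for link in SAMPLES:
        result = check_link(link)
        verdict = "SUSPICIOUS" if result["spoofed_brands"] else "ok"
        print(f"{verdict:10} {result['registered']:20} {link}")
```

A mail gateway or proxy rule built on this idea should use the full Public Suffix List rather than the three-entry table here.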