Security Corner: Social Engineering

Sep 29 2009   12:58AM GMT

New IRS Scam and It Could Cost You More Than Taxes!



Posted by: Ken Harthun
Security, IRS Phishing, E-mail scam, Social Engineering, keylogger, data stealer, Trojan

You usually see this around tax season, but it seems the cyber-crooks have figured out that fear of the IRS is an evergreen topic.

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the IRS. The attacks arrive via an unsolicited email message and may contain a subject line of “Notice of Underreported Income.” These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan.

The Zeus Trojan is a keylogger that steals sensitive data, especially targeting online banking credentials. According to “New IRS Scam E-mail Could Be Costly”, in Brian Krebs’ Security Fix column, Landfill Service Corp. (LSC), a solid waste company based in Apalachin, NY, is a recent victim of the Trojan. The firm may end up losing at least $92,000 from the incident. Not good.

The Zeus keystroke-logging Trojan’s engine is a file called “sdra64.exe.” At least that’s what LSC’s tech guy found (variations are sure to surface).

Rather than repeat it in my own words, here’s the US-CERT list of recommendations:

Aug 31 2009   10:40PM GMT

Have You Noticed? Phishing Attacks Are Down



Posted by: Ken Harthun
insecure, Security, Phishing, Malware, Social Engineering, Secure Computing, Trojan

It’s just not in fashion anymore; phishing attacks are way down, falling out of favor with cybercriminals who now prefer malicious websites and password-stealing Trojan horse programs.

IBM’s security research and development division, X-Force, recently issued a report that found throughout 2008, phishing volume was around 0.5 percent of overall spam volume. But in the first half of 2009, the volume of phishing attacks fell to around 0.1 percent of spam volume. Not only did the volume of phishing attacks drop, but the targets also changed: in 2008, 90 percent of all phishing attacks targeted the financial industry; in the first half of 2009, that percentage had dropped to 66 percent.

That’s the good news. The bad news is that, according to the report, the number of malicious Web links is up 508 percent in the first half of 2009 and many of these links appear on otherwise trusted sites such as search engines. X-Force Director Kris Lamb says, “There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk.”

A copy of the IBM report can be downloaded here (PDF).

As always, let the surfer beware.


Aug 28 2009   2:39AM GMT

Twitter Security: TwitBlock Blocks the Spammers



Posted by: Ken Harthun
Fraud, Security management, Phishing, Security, Social Engineering, Scam, Secure Computing, Twitter

Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.

Here’s the rub: because Twitter only allows 140 characters per tweet, the URLs are always shortened, so it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs - the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!).

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.
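The two tells described in this post, several profiles sharing one avatar and the same pitch going out from different profiles in rapid succession, are easy to turn into a first-pass filter, and a shortened link can be unwrapped without ever loading the final page. The following is an added example written for this page; it is not TwitBlock’s code or anything from Twitter’s API. The tweets, avatar bytes and redirect table are constructed, and `fake_head` stands in for a real HEAD request that returns only the Location header.

```python
"""Added example: heuristics for spotting automated/spam Twitter accounts.
Signals, both from the post above:
  * two or more accounts using the same profile image, and
  * the same message posted by different profiles within a short window.
Plus a short-link expander that follows redirects one hop at a time using a
caller-supplied HEAD lookup, so the destination is identified but never fetched.
All data below is constructed; nothing touches the network."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Tweet:
    account: str
    profile_image: bytes   # raw avatar bytes (constructed here; normally the downloaded image)
    text: str
    posted_at: datetime


def image_fingerprint(image: bytes) -> str:
    """SHA-256 of the avatar bytes. Exact hashing catches identical uploads,
    which is the duplicate-picture signal the post describes; a perceptual
    hash would additionally catch resized or re-encoded copies."""
    return hashlib.sha256(image).hexdigest()


def duplicate_image_accounts(tweets):
    """Fingerprint -> set of accounts, keeping only images shared by 2+ accounts."""
    by_hash = defaultdict(set)
    for t in tweets:
        by_hash[image_fingerprint(t.profile_image)].add(t.account)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


def coordinated_messages(tweets, window=timedelta(minutes=10), min_accounts=2):
    """Identical text (whitespace/case-normalised) posted by >= min_accounts
    distinct accounts within `window`: the 'same message, different profiles' tell."""
    by_text = defaultdict(list)
    for t in tweets:
        by_text[" ".join(t.text.split()).lower()].append(t)
    hits = {}
    for text, posts in by_text.items():
        posts.sort(key=lambda p: p.posted_at)
        accounts = {p.account for p in posts}
        if len(accounts) >= min_accounts and posts[-1].posted_at - posts[0].posted_at <= window:
            hits[text] = sorted(accounts)
    return hits


def spam_suspects(tweets):
    """Accounts flagged by either heuristic. A list to review, not an auto-block list."""
    flagged = set()
    for accts in duplicate_image_accounts(tweets).values():
        flagged |= accts
    for accts in coordinated_messages(tweets).values():
        flagged |= set(accts)
    return sorted(flagged)


def expand_short_url(url, head, max_hops=5):
    """Resolve a shortened link. `head(url)` must return the Location header of a
    single HEAD request (or None) WITHOUT following redirects itself.
    Returns (final_url, chain); raises on loops or too many hops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = head(url)
        if not nxt:
            return url, chain
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
        url = nxt
    raise ValueError("too many redirects")


# ---- constructed sample data -------------------------------------------------
_STOCK_PHOTO = b"\x89PNG-constructed-stock-photo"
_T0 = datetime(2009, 8, 28, 2, 0, 0)
SAMPLE_TWEETS = [
    Tweet("kenharthun", b"\x89PNG-constructed-kens-mug", "New post: TwitBlock blocks the spammers", _T0),
    Tweet("Annette552", _STOCK_PHOTO, "Make $5000/week from home! http://short.example/abc", _T0 + timedelta(seconds=30)),
    Tweet("Brandi_7", _STOCK_PHOTO, "Make $5000/week from home! http://short.example/abc", _T0 + timedelta(seconds=75)),
    Tweet("neighbor_joe", b"\x89PNG-constructed-joe", "Anyone else's lawn dying in this heat?", _T0 + timedelta(hours=1)),
]

# Constructed redirect table standing in for a shortener's HEAD responses.
_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/go?id=1",
    "http://tracker.example/go?id=1": "http://pharma-spam.example/offer",
}


def fake_head(url):
    """Stand-in for a no-follow HEAD request (assumption: returns Location or None)."""
    return _REDIRECTS.get(url)


if __name__ == "__main__":
    print("suspects:", spam_suspects(SAMPLE_TWEETS))
    print("short link resolves to:", expand_short_url("http://short.example/abc", fake_head))
```

With a real client, `head` would issue one HEAD request with redirects disabled and hand back the Location value; keeping the hop limit and loop check matters because shortener chains are sometimes deliberately long. The output is a review list, which is the point of the post’s closing caution: a shared stock photo makes “Annette552” a suspect, not a confirmed spammer.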


Jun 29 2009   7:01PM GMT

Spam, Phishing, and Malware Related to Recent Celebrity Deaths



Posted by: Ken Harthun
Cybercrime, Identity Theft, E-mail scam, Phishing, Social Engineering, Malware, Scam

Michael Jackson malware? Farrah Fawcett phishing attempts? Billy Mays spam? Ed McMahon notifies you—from the other side of the grave—that you’ve just won the million-dollar Publishers Clearing House prize (but you have to send him some money, first)? Yes, expect it. US-CERT is monitoring reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths. Here’s a typical example:

To: <redacted>
Subject: Confidential===Michael Jackson
Date: Thu, 25 Jun 2009 19:25:50 –0400

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secrective to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us.

Notice the blatant misspellings, lack of punctuation and obvious grammatical mistakes from someone who is clearly not a native English-speaking person. If you get this email, delete it immediately. Same with anything related to any of the other celebrities’ deaths.

They’re all from scammers (criminals) either trying to steal your money, your identity or both.


Feb 24 2009   3:37AM GMT

Scareware – Yes, People Do Fall for the Ruse



Posted by: Ken Harthun
Anti-malware, Anti-virus, Malware, Social Engineering, Malicious Software Removal Tool, Security, Scam, Virus

What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)

Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program. [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer. So now I don’t have an antivirus installed. I tried to download another copy of AV 2009, but I couldn’t remember where I got it. Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”

Here is some of the conversation between the hosts:

Host1: And a lot of people have been getting it. And MSRT has been removing it from a lot of machines. So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.

Host2: Yes, because you’re not alone. There are many, many, many people who’ve fallen for this. I get - literally I get this call on the radio show all the time.

Host1: Yes. Yes. So do not go looking for another copy of it. Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer. It is malicious. It’s good that Microsoft MSRT removed it.



Sep 21 2008   5:10PM GMT

Beware of the Fake Video Codec Malware Trick



Posted by: Ken Harthun
Security, Cybercrime, Social Engineering, Malware, Trojan

A variant of Win32/Zlob is being spread by cybercriminals via the fake video codec trick. Through misdirection or outright deception (including social engineering), users are sent to a site that has what appears to be embedded video. When they arrive at the page, there’s a message in the viewer similar to the one shown at “The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats.” If the user falls for the trick, the Zlob Trojan is downloaded and installed.

The variant, posing as “MediaTubeCodec.1.220.2.exe”—a name that should arouse suspicion in savvy users, but probably looks “official” to the unenlightened—was recently analyzed by Microsoft (see “Another Reason to Avoid Piracy” in their Microsoft Malware Protection Center blog). Microsoft updated its detection signatures to detect this variant as TrojanDownloader:Win32/Zlob.gen!CD. If diagnostics on a user’s PC (netstat, for example) reveal connections to any of the following, assume infection and take appropriate action:

  • hxxp://64.247.39.247
  • hxxp://second-reason.com
  • hxxp://viacodecright2.com

According to the blog, “Only the first two are responding at the time of writing—both appear to be running nginx [pronounced "engine X"] (a lightweight web/mail server), one server is hosted in the USA and the other in China. So please folks—avoid piracy, and be wary when a website insists that you download a new codec in order to watch a video or listen to a song.”
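The “check netstat for these hosts” advice above, and the “sdra64.exe” file name from the IRS/Zeus post earlier on this page, are both plain indicator matching, so one sweep covers both. The script below is an added example for this page, not code from Microsoft, US-CERT or the posts. It parses Windows `netstat -n` and `tasklist` output (the samples here are constructed) and matches against the indicators quoted on the page; the domain-to-IP map is constructed as well, standing in for whatever your resolver or DNS logs returned at scan time, since netstat only ever shows addresses.

```python
"""Added example: sweep a host for the indicators named on this page.
  * Zlob download hosts (fake-codec post): 64.247.39.247, second-reason.com,
    viacodecright2.com -- matched against `netstat -n` foreign addresses.
  * Zeus engine file name (IRS scam post): sdra64.exe -- matched against
    `tasklist` image names.
The netstat/tasklist text and the DNS map are constructed samples; on a live
machine you would feed in subprocess output and real resolver results."""
import re
from ipaddress import ip_address

# Indicators as quoted on the page (hxxp:// defanging dropped; only the host part matters).
ZLOB_HOSTS = {"64.247.39.247", "second-reason.com", "viacodecright2.com"}
ZEUS_FILES = {"sdra64.exe"}

# Constructed: what the resolver returned for the domain indicators at scan time.
# Prefer your resolver's DNS logs over a fresh lookup: the malware may already have
# resolved the name, and domains drop offline (the blog noted only two responding).
CONSTRUCTED_DNS = {
    "second-reason.com": {"203.0.113.45"},
    "viacodecright2.com": set(),
}


def indicator_ips(hosts, dns):
    """Turn the mixed IP/domain indicator list into the set of IPs to look for."""
    ips = set()
    for h in hosts:
        try:
            ip_address(h)          # literal address: use as-is
            ips.add(h)
        except ValueError:         # domain: use whatever it resolved to
            ips |= dns.get(h, set())
    return ips


# Proto, local addr:port, foreign addr:port, optional state (Windows `netstat -n` layout).
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?", re.I)


def parse_netstat(text):
    """Yield (proto, local_ip, remote_ip, state); header and blank lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            yield m.group(1).upper(), m.group(2), m.group(4), (m.group(6) or "")


def suspicious_connections(netstat_text, hosts=ZLOB_HOSTS, dns=CONSTRUCTED_DNS):
    """Connections whose foreign address is one of the indicator IPs."""
    bad = indicator_ips(hosts, dns)
    return [(p, l, r, s) for p, l, r, s in parse_netstat(netstat_text) if r in bad]


def suspicious_processes(tasklist_text, names=ZEUS_FILES):
    """Image names (first column of `tasklist`) matching the file indicators, case-insensitively."""
    hits = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() in names:
            hits.append(parts[0])
    return hits


# ---- constructed sample output ----------------------------------------------
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.12:1044      64.247.39.247:80       ESTABLISHED
  TCP    192.168.1.12:1045      203.0.113.45:80        SYN_SENT
  TCP    192.168.1.12:1046      198.51.100.7:443       ESTABLISHED
  UDP    192.168.1.12:137       *:*
"""

SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
explorer.exe                  1324 Console                    1     21,456 K
sdra64.exe                    1588 Console                    1      4,112 K
"""

if __name__ == "__main__":
    for conn in suspicious_connections(SAMPLE_NETSTAT):
        print("indicator connection:", conn)
    for proc in suspicious_processes(SAMPLE_TASKLIST):
        print("indicator process:", proc)
```

Two caveats a practitioner would add: a process list taken on the suspect host can be lied to by the malware, so a clean result from `tasklist` proves little, whereas the connection check can be repeated from a span port or firewall logs where the host has no say; and a 2008 IP address gets reassigned, so the value of this script is the matching pattern, with the indicator sets swapped for current ones.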


Mar 25 2008   6:58PM GMT

Wireless Headset Security Nightmare



Posted by: Ken Harthun
Wireless, Security, Social Engineering

Being a Ham Radio operator, I’ve always understood the risk inherent in using radio signals to transmit sensitive information: anyone with the right equipment can receive and record anything transmitted over the air. These days, I’m noticing a lot of people in various offices walking around with these cute wireless headsets hooked up to their office phones.

Ever wondered what kind of security risk these things might pose to your company? Yeah, me too. So did the folks at Secure Network Technologies, as evidenced by their article “Hacking Wireless Headsets” that appeared Jan. 22, 2008 at DarkReading.com, a site that provides in-depth security news and analysis. Here’s an excerpt:

To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies from 900-928 MHz and the 1.2 GHz ranges, which is where many of the popular hands-free headsets operate.

We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device we were able to listen to conversations that appeared to be coming from our client’s employees. Several of these conversations discussed the business in detail, as well as very sensitive topics. After some careful listening, we determined that the conversations were indeed coming from our customer.

See the nightmare coming? With the right information you can then use social engineering techniques to get your tentacles very deep into the company. And that’s exactly what they did:

Our plan was to assume an identity of an employee who had never been to the office we were testing. Using that identity, we would enter the building, commandeer a place to sit and work, then see how long we could stay inside the building. After zeroing in on a particular employee, we gathered as much intelligence on him as we could. To prepare for the entry into the facility, we printed a business card with our assumed identity. I put on my best suit, and then went to work.

In all, they spent three days “working” in the company, gaining access to all sorts of information, technology, and resources. Not only that, but they also discovered that the headsets acted as bugging devices; even when disconnected, the headsets continued to transmit. The impersonators were able to listen in on conversations carried on by the wearers.

Be afraid. Be very afraid ;-) Seriously, read the article and if your office uses these things, do your own tests to find out where you’re leaking. Then, plug the leaks.