Archive for July, 2010

Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware, and Twitter use and crime rate.

Our study shows that attackers devote serious effort to getting in front of the billions of eyeballs using search engines every day and the millions of users connecting on social networks like Twitter. This research lets us keep analyzing their approaches and build new techniques to find them and protect users. Highlights of the study are below; you can download the full report from the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviewed more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors. Key highlights:

  • Overall, Google takes the crown for malware distribution, turning up more than twice as much malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google accounts for 69 percent; Yahoo! for 18 percent; Bing for 12 percent; and Twitter for one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

Continuing the work whose data we released in June 2009 and again in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users [1], Twitter Crime Rate [2], and Tweet Number [3]. Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following fewer than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.


We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Footnotes:

[1] – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

[2] – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

[3] – ‘Tweet Number’ is defined as a user’s average number of tweets per day.
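The three footnote definitions are simple enough to turn into code. The following is an added example, not part of the Barracuda Labs report or its methodology: it applies the True Twitter User, Twitter Crime Rate and Tweet Number definitions to a small set of constructed account records (the Account fields and the sample handles are assumptions made for illustration), and also computes the population-level figures of the kind the highlights quote.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Account:
    """A constructed account record; the fields are the ones the footnotes rely on."""
    handle: str
    created: date
    followers: int
    following: int
    tweets: int
    suspended: bool  # suspended for malicious/suspicious activity or otherwise misused


def is_true_twitter_user(a: Account) -> bool:
    """Footnote [1]: at least 10 followers, follows at least 10, tweeted at least 10 times."""
    return a.followers >= 10 and a.following >= 10 and a.tweets >= 10


def tweet_number(a: Account, as_of: date) -> float:
    """Footnote [3]: average tweets per day, measured over the account's lifetime up to as_of."""
    days = max((as_of - a.created).days, 1)  # avoid division by zero for day-one accounts
    return a.tweets / days


def crime_rate(accounts: List[Account], year: int, month: int) -> float:
    """Footnote [2]: percentage of accounts created in the given month that were later suspended."""
    cohort = [a for a in accounts if a.created.year == year and a.created.month == month]
    if not cohort:
        return 0.0
    return 100.0 * sum(a.suspended for a in cohort) / len(cohort)


def summarize(accounts: List[Account]) -> Dict[str, float]:
    """Population-level percentages of the kind the report's highlights quote."""
    n = len(accounts)
    return {
        "true_user_pct": 100.0 * sum(is_true_twitter_user(a) for a in accounts) / n,
        "never_tweeted_pct": 100.0 * sum(a.tweets == 0 for a in accounts) / n,
        # "at least 10 times more followers than they are following"; accounts that
        # follow nobody are excluded so an empty account is not counted
        "ten_x_followers_pct": 100.0 * sum(
            a.following > 0 and a.followers >= 10 * a.following for a in accounts) / n,
    }


# Constructed sample data (not from the report).
SAMPLE = [
    Account("alice", date(2010, 1, 5), 120, 80, 400, False),    # True Twitter User
    Account("bob", date(2010, 1, 12), 3, 50, 0, False),         # never tweeted
    Account("carol", date(2010, 1, 20), 15, 12, 9, False),      # one tweet short
    Account("spam01", date(2010, 1, 21), 2, 900, 500, True),    # suspended in cohort Jan 2010
    Account("dave", date(2010, 2, 2), 40, 40, 40, False),       # True Twitter User
    Account("celeb", date(2010, 3, 1), 5000, 20, 300, False),   # True user, 10x followers
]

if __name__ == "__main__":
    print("Twitter Crime Rate, Jan 2010:", crime_rate(SAMPLE, 2010, 1))
    print("Tweet Number for alice:", round(tweet_number(SAMPLE[0], date(2010, 6, 30)), 2))
    print(summarize(SAMPLE))
```

The suspended flag is the only ground truth the crime rate needs; in practice it arrives months after the creation month, which is why the metric is computed per creation cohort rather than per suspension month.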


Think You Want a New Social Security Number?

Friday, July 23rd, 2010

by Barracuda Labs

This week, we have seen a surge in the number of spam messages like the one below, promising a new Social Security Number (SSN) to victims of identity theft.

Most people would take one look at this spam and hit the delete button, but it is worth taking a moment to understand what’s being offered.

The scam behind the spam

If you are a citizen of the United States, your SSN is a de facto personal identification number. With your name, your SSN and a few other bits of personal information, an identity thief can ruin your credit and turn your life into a nightmare.

Since a stolen SSN is at the center of the nightmare, this scam attempts to convince identity fraud victims that a new SSN will take care of their problems and that, for a fee, the company (Get New SSN) will help. Calling the number in the spam connects you to a slick-sounding recording and then a human operator who takes your personal information.

What really happens is that the victim of these scams is given a Federal Employer Identification Number (FEIN), which looks just like an SSN but serves a completely different purpose. The victim uses this FEIN as if it were an SSN without realizing that they are committing fraud. What’s more, by using the FEIN in place of their real SSN, they are doing permanent harm to their Social Security record, since income earned under an FEIN is not eligible for Social Security reporting.

The Social Security Administration issues new numbers only in the event of severe identity theft, and even then only rarely, and all Social Security services are offered at no cost.

As you would expect of a scam, these spam messages contain no valid reply information. Not only do the scammers send out email spam, they post spam to unprotected online forums as well. This is done automatically by ‘bots’, which are indiscriminate in their targets. Below is an example of the “New SSN” spam posted to a Japanese blog:

The email address given in these forum spams, getnewssn@gmx.com, is hosted at a free German email service. Not quite what one would expect from a company offering to help with an American government agency.

Barracuda Spam & Virus Firewalls block these spam messages.


New Spam Pretends to be Xerox Scanner Output

Friday, July 16th, 2010

by Barracuda Labs

Barracuda Labs spam monitoring systems have picked up a massive new spam campaign whose messages pretend to be output files from a popular Xerox office copier.

Hundreds of thousands of these messages are circulating around the globe, titled “Scan from a Xerox WorkCentre Pro” and containing a single .zip file attachment tagged with a random number that helps them avoid detection by anti-spam technology. VirusTotal puts antivirus detection rates at around 19.5%, a figure also cited today by TechHerald.

The message format closely mimics the one used by a real Xerox WorkCentre Pro, except for one detail: Xerox scanners do not email their output in .zip format. The WorkCentre Pro from Xerox typically scans documents to PDF and delivers them by email or FTP.

The message text claims that the attachment is a zipped .doc file, and the .zip file itself hides the true extension of the file contained within. It is not until you go to open the file that you see its true nature. It is an executable and it is not scanner output; it is a variant of Trojan Oficla.

Choosing Run (which you should not do) seems to do nothing at all: the Trojan runs but does not display any decoy image. Rather, it simply installs itself and gets to work in the background downloading other malware.

Samples executed at Barracuda Labs quickly start up a spambot which sends out more copies of the same message.
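The traits described above (the WorkCentre subject line, a single .zip attachment with a random-number tag, and an executable hiding inside the archive behind a document-looking name) are exactly what a mail gateway can check before the user ever sees the “Run” button. The following is an added example, not Barracuda’s code: it builds a constructed message shaped like the campaign (the inner “executable” is a harmless 64-byte stub that merely begins with the PE magic bytes “MZ”, and the filenames, addresses and extension list are assumptions) and runs a small attachment analysis over it.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions Windows executes directly; a "document" inside the zip ending in one of
# these is the tell the post describes (assumed list, not from the original).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
SUBJECT_RE = re.compile(r"scan from a xerox workcentre pro", re.I)
RANDOM_TAG_RE = re.compile(r"\d{4,}")  # the random-number tag on the attachment name


def build_sample_message() -> bytes:
    """Construct a synthetic message shaped like the campaign. Nothing here is a real
    sample: the inner file is a zero-filled stub that only starts with the PE magic 'MZ'."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Xerox_Scan_0482931.doc.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "Scan from a Xerox WorkCentre Pro #0482931"
    msg["From"] = "Xerox WorkCentre <scanner@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please open the attached document. Type: .doc (zipped)")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Xerox_Scan_0482931.zip")
    return bytes(msg)


def inspect_zip(data: bytes) -> List[Dict]:
    """List each archive member with the indicators a gateway would check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            with zf.open(info) as member:
                magic = member.read(2)  # first two bytes of the member's content
            findings.append({
                "member": info.filename,
                "executable_extension": ext in EXECUTABLE_EXTS,
                # e.g. "report.doc.exe": a document-looking name hiding an executable suffix
                "double_extension": lower.count(".") >= 2 and ext in EXECUTABLE_EXTS,
                "pe_magic": magic == b"MZ",
            })
    return findings


def analyze_message(raw: bytes) -> Dict:
    """Score a raw RFC 822 message against the traits described in the post."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {
        "subject_matches": bool(SUBJECT_RE.search(msg["Subject"] or "")),
        "zip_attachments": 0,
        "random_tag": False,
        "members": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/zip" or name.lower().endswith(".zip"):
            result["zip_attachments"] += 1
            result["random_tag"] |= bool(RANDOM_TAG_RE.search(name))
            try:
                result["members"].extend(inspect_zip(part.get_content()))
            except zipfile.BadZipFile:
                result["members"].append({"member": name, "error": "not a valid zip"})
    # The subject alone is not enough (real scanners send it too); the verdict needs an
    # executable inside the archive, judged by extension or by content.
    result["suspicious"] = result["subject_matches"] and any(
        m.get("executable_extension") or m.get("pe_magic") for m in result["members"])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_message(build_sample_message()), indent=2))
```

Checking the first bytes of the member rather than trusting its name is the part that survives renaming tricks: the random number in the filename defeats signature-style matching on the attachment name, but a PE file still starts with “MZ” whatever it is called.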

As always, never trust unexpected emails, and in particular, never press the “Run” button unless you are 100% certain of what you are doing. Word documents are “opened”; they are never “run”. And, of course, always keep the security software on your system updated. If this message lands in your inbox, delete it and share this warning with your friends and colleagues.

Barracuda Spam & Virus Firewall customers are protected from this attack.


Watch Out for Fake Adobe Flash Updates

Wednesday, July 7th, 2010

by Barracuda Labs

Barracuda Labs has found compromised sites in the wild that present unwary visitors with an official-looking Adobe Flash update page. Even though this page looks convincing, downloading this ‘update’ only provides the user with a nasty piece of malware that McAfee currently classifies as Downloader-CEW.f.

We recommend getting Adobe Flash updates directly from the source: http://get.adobe.com/flashplayer.

How it happens

The process starts with a quick search for a breaking news topic, such as LeBron James opening his own Twitter account. Searching for “LeBron James Twitter” returns the highlighted result at rank 62.

[Image: Google results for the trending topic “LeBron James Twitter”]

Clicking on the highlighted result sends the user directly to the fake upgrade page. Note that the actual domain is registered in the Cocos Islands. Also note that the dialog offers Adobe Flash Player 11, while (at this writing) the current version of Flash is 10.1.

[Image: Fake Adobe Flash Update dialog]

Another sign that this dialog box is bad news is that none of the buttons close the dialog. Clicking both “Cancel” and “Details” implores the user to click “Ok” (which is not a button name). Only “Continue” offers the user a path forward, to a Windows Security Warning dialog.

If the user does run the file, it downloads a background clicker that uses the Internet connection to generate fake web traffic. While this activity goes on unseen, additional scamware and spyware programs are downloaded, as seen below.

[Image: PC infected with malware]

The unsuspecting user can be compromised in no time, which is why it is recommended to get Adobe Flash updates directly from the source.

Barracuda Web Filter and Barracuda Purewire Web Security Service customers are protected from these attacks.
