Archive for April, 2011

Paypal account statement emails: Do as we say, not as we do.

Thursday, April 28th, 2011

by Dave Michmerhuizen and Denis Kieft – security researchers

Barracuda Labs researchers have recently seen emails from PayPal Inc. that initially seem to be phish but ultimately appear to be a security fail by a company that surely should know better.

It is a well-accepted email security best practice to never click on links in emails. Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on links in emails. As you would expect, PayPal does so on their website.

Warning on PayPal website

Consider that warning and then take a look at this email from Paypal, via servers at responsys.net, a software service that allows marketers to manage email campaigns…

PayPal "enhanced account statement" email

The email contains ELEVEN hyperlinks, all pointing to an email response servlet which records your click and then transfers the browser to the PayPal login screen. “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails. Although PayPal has declined to comment on the email, close examination shows no malicious content. Instead, this appears to be a case of a Marketing department in need of a little security education.

It’s unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years. An email from a bank or online service should be considered suspect by default. PayPal’s own advice is the safest: always open your web browser and type in the URL you intend to visit, and never click on a link embedded in an email.

Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue. Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective. When PayPal sends out their own emails containing links they confound customers who have long been told not to click on those very links.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.

Anatomy of a SQL Injection Attack

Tuesday, April 26th, 2011

Posted by: Oliver Wai, product marketing manager

As you probably heard from our previous blog posting, Barracuda Networks suffered a breach from a SQL Injection attack on the weekend of April 8. While the overall impact of the breach turned out to be relatively minor (only contact information: names and email addresses), such an event always involves a post-mortem. As is often the case in events such as data breaches or data center outages, there is never one single error that leads to the outage or attack but rather a series of interrelated errors that ultimately results in a failure or vulnerability that can be exploited. Taken individually, each event is usually accounted for by the organization and there are redundancies in place to handle any failure issues. However, when taken together, the unexpected – in this case an attack on our site – occurs. In analyzing the attack, we observed:

  • In the rush to continually add timely and fresh content to the corporate Web site, a few mistakes were made in the PHP code.
  • Code vulnerability scanning of the affected part of the Web site was scheduled but had not yet occurred.
  • The Web Application Firewall that was put in place to harden the Web site was put into Passive Mode by human error during a maintenance window.

So while there were redundancies in place to secure our Web site, an unfortunate confluence of events last weekend left a vulnerability in our Web site exposed; this resulted in the SQL injection attack by a group we believe to be originating in Malaysia. The upside? Since the Barracuda Web Application Firewall was still inspecting traffic even in Passive Mode, it gave us a detailed audit trail of the SQL Injection probe and the subsequent attack. This gave us the necessary forensics to quickly analyze the breach, contain the damage and reach out to those affected.

Analyzing the Attack

From our Barracuda Web Application Firewall logs we determined that there were two clients used to probe and attack the barracudanetworks.com Web site:

Using the information reported by the Barracuda Web Application Firewall, we were able to quickly filter and find the corresponding entries on our Web server logs:

( NOTE: the Web server logs use Greenwich Mean Time (GMT) whereas the Web Application Firewall uses Pacific Daylight Time (PDT) zone)

Drilling down into details of each entry on the Barracuda Web Application Firewall logs gives us clues on the attackers and the tools used in the attack:

The first attack started at 5:07pm PDT on April 9 and had an IP address of 115.134.249.15 which resolved to somewhere near Kuala Lumpur, Malaysia. This confirms online reports of the hacks originating from Malaysia. We also noticed that the attackers launched the attacks using a modified version of a pentest tool designed by “white hats” to probe Web sites for SQL injection vulnerabilities. This also seems to corroborate reports that the hackers responsible for the attacks hung out on “white hat” online communities. Looking at our Web server logs, we also see the same entries, enabling us to trace down what was attempted and what succeeded on our backend systems.

(NOTE: the Web server logs use GMT whereas the Web Application Firewall uses PDT)

From the recorded logs, it was clear that the first attacker used the automated tool to recursively crawl through the barracudanetworks.com Web site and blindly injected a series of SQL commands against each input parameter to find potential vulnerabilities. The SQL Injection tool finds the first vulnerability at 5:16pm PDT but continues to probe the Web site. At 8:10pm PDT a second client using the IP address of 87.106.220.57 joined the attack. The second IP address resolved to a server in Germany but it is unclear at this time if the server was a relay point or if it was a second attacker. Nevertheless, activities from the second IP were recorded and logged by the Barracuda Web Application Firewall:

Below is the screenshot of the corresponding Web server log:

(NOTE: the Web server logs use GMT whereas the Web Application Firewall uses PDT)
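The correlation step described above, matching Web Application Firewall entries (logged in PDT) to web-server entries (logged in GMT) by client address and URL, and the later tally of injection attempts per URL and per minute, as an added example. This is not Barracuda's code or log format: the log lines, paths and layout below are constructed for illustration, and only the two attacking IP addresses come from this post.

```python
"""Correlate WAF entries (local time, PDT) with web-server access-log entries
(GMT) by IP and URL, then summarise suspicious request volume and rate.
Added example; every log line here is constructed, not a real capture."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re
from urllib.parse import unquote, urlsplit

PDT = timezone(timedelta(hours=-7))   # Pacific Daylight Time (in force in April)
GMT = timezone.utc

# Constructed WAF-style lines: local PDT timestamp, client IP, method, URL
WAF_LOG = """\
2011-04-09 17:16:02 115.134.249.15 GET /case-studies.php?vertical=5%27%20OR%201%3D1
2011-04-09 17:16:03 115.134.249.15 GET /case-studies.php?vertical=5%20UNION%20SELECT%201
2011-04-09 17:16:05 10.0.0.8 GET /index.php
"""

# Constructed Apache combined-format lines, timestamps in GMT (+0000)
ACCESS_LOG = """\
115.134.249.15 - - [10/Apr/2011:00:16:02 +0000] "GET /case-studies.php?vertical=5%27%20OR%201%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
115.134.249.15 - - [10/Apr/2011:00:16:03 +0000] "GET /case-studies.php?vertical=5%20UNION%20SELECT%201 HTTP/1.1" 200 5001 "-" "Mozilla/4.0"
10.0.0.8 - - [10/Apr/2011:00:16:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

WAF_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Coarse hint for SQL tokens in a decoded query string; a trigger for review, not proof.
SQLI_HINT = re.compile(r"(?i)\b(union|select|or|and)\b|'|--|/\*")


def parse_waf(text):
    """Return (utc_datetime, ip, method, url) tuples; PDT timestamps become UTC."""
    out = []
    for line in text.splitlines():
        m = WAF_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=PDT)
        out.append((local.astimezone(GMT), m.group(2), m.group(3), m.group(4)))
    return out


def parse_access(text):
    """Return (utc_datetime, ip, method, url, status) tuples from combined-format lines."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(GMT)
        out.append((ts, m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return out


def correlate(waf, access, window=timedelta(seconds=2)):
    """Pair each WAF entry with the access-log entry from the same IP for the same
    URL within `window`, so both views of one request can be read side by side."""
    pairs = []
    for w_ts, w_ip, _, w_url in waf:
        for a_ts, a_ip, _, a_url, status in access:
            if w_ip == a_ip and w_url == a_url and abs(a_ts - w_ts) <= window:
                pairs.append((w_ts, w_ip, w_url, status))
                break
    return pairs


def looks_like_sqli(url):
    """Decode the query string and check for SQL tokens."""
    query = unquote(urlsplit(url).query)
    return bool(SQLI_HINT.search(query))


def attack_summary(access, suspect_ips):
    """Count suspicious requests from the given IPs, distinct URL paths hit,
    and the peak number of such requests in any one minute."""
    hits = [e for e in access if e[1] in suspect_ips and looks_like_sqli(e[3])]
    per_minute = Counter(ts.strftime("%Y-%m-%d %H:%M") for ts, *_ in hits)
    paths = {urlsplit(url).path for _, _, _, url, _ in hits}
    return {"requests": len(hits), "urls": len(paths),
            "peak_per_minute": max(per_minute.values(), default=0)}


if __name__ == "__main__":
    waf, access = parse_waf(WAF_LOG), parse_access(ACCESS_LOG)
    for pair in correlate(waf, access):
        print(pair)
    print(attack_summary(access, {"115.134.249.15", "87.106.220.57"}))
```

Normalising both sources to UTC before comparing is the whole point of the NOTE repeated in this post; once the offset is removed, a tight time window plus the client address and URL is enough to line the two logs up.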

From the logs captured in the Barracuda Web Application Firewall, it seems that the attacker used the second client to launch manual attacks against discovered vulnerabilities while the primary attack script continued to scan the Web site for vulnerabilities. Ultimately, the attackers focused their efforts on a single line of weakness in a peripheral Web page where the input parameters were not properly sanitized. Here is the pseudo-code of the underlying vulnerability:

<?=Foo_Function( $_GET['parameter'] )?> //Takes user input

By not sanitizing the input value, it gave the attackers the ability to inject SQL commands into the HTML input parameter to attack the underlying database.

All developers are taught to never trust user inputs and that all inputs must be sanitized before sending it to underlying servers. However, what you can see from this example is that it is often not obvious to the naked eye that there is anything wrong with the code. This is why in addition to using defensive coding, Barracuda Networks also uses code scanners and our own Web Application Firewall to guard against possible vulnerabilities. Unfortunately in a Web site of tens of thousands of lines of code, all it takes is a single mistake. We have since fixed the code to protect against future attacks by adding a single line of code to sanitize the inputs on the affected page:

$parameter = @is_sanitized($_GET['parameter']) ? $_GET['parameter'] : 0; // value that fails the check collapses to 0

<?=Foo_Function($parameter)?>
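The same defect and fix carried through on a small database, as an added example. It is not Barracuda's PHP: the table, the function names (including an `is_sanitized` check that mirrors the page's pseudo-code) and the tampered input are constructed, and the example goes one step further than the page by also showing the parameterised form of the query.

```python
"""Vulnerable string-built query beside two defensive forms: allowlist
validation of the parameter (the shape of the fix described above) and a
parameterised query. Added example; table and names are constructed."""
import sqlite3


def setup_db():
    """Build an in-memory table of case studies, one of them unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE case_studies (
            id INTEGER PRIMARY KEY, vertical_id INTEGER, title TEXT, published INTEGER);
        INSERT INTO case_studies VALUES (1, 5, 'Retail deployment', 1);
        INSERT INTO case_studies VALUES (2, 7, 'Healthcare deployment', 1);
        INSERT INTO case_studies VALUES (3, 5, 'Unreleased draft', 0);
    """)
    return conn


def titles_vulnerable(conn, raw_param):
    """The bug: the untrusted value is spliced straight into the SQL text."""
    sql = ("SELECT title FROM case_studies WHERE published = 1 "
           "AND vertical_id = " + raw_param)
    return [row[0] for row in conn.execute(sql)]


def is_sanitized(raw_param):
    """Allowlist check (hypothetical name mirroring the page's pseudo-code):
    the parameter must be a short string of digits, nothing else."""
    return raw_param.isdigit() and len(raw_param) <= 6


def titles_validated(conn, raw_param):
    """Same query shape, but the value is used only after passing the allowlist;
    anything else collapses to 0, which matches no record."""
    vertical = int(raw_param) if is_sanitized(raw_param) else 0
    sql = ("SELECT title FROM case_studies WHERE published = 1 "
           f"AND vertical_id = {vertical}")
    return [row[0] for row in conn.execute(sql)]


def titles_parameterised(conn, raw_param):
    """Preferred form: the driver sends the value separately from the SQL text,
    so no input can change the statement's structure."""
    try:
        vertical = int(raw_param)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT title FROM case_studies WHERE published = 1 AND vertical_id = ?",
        (vertical,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    normal = "5"
    tampered = "5 OR 1=1"   # constructed: appends an always-true condition
    # The vulnerable query returns every row, including the unpublished draft,
    # because AND binds tighter than OR and the injected OR short-circuits the filter.
    print(titles_vulnerable(db, normal), titles_vulnerable(db, tampered))
    print(titles_validated(db, tampered), titles_parameterised(db, tampered))
```

The validated version is the one-line style of fix the post describes; the parameterised version is what a code scanner would steer you towards, since it removes the string splice altogether rather than guarding it.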

From Vulnerability to Breach

Once the attackers found the vulnerable page, they attempted to steal the database user accounts. Over the next 10 hours, they tried a number of different attacks in an attempt to break into the underlying database but failed each time. At 3:06am PDT, the attackers changed strategy to focus on the underlying database schema. This proved to be a correct strategy and by 3:19am PDT the first set of database records containing contact email addresses was stolen.

Barracuda Networks discovered the breach at 10:30am PDT and the Barracuda Web Application Firewall was re-enabled to Active Mode at 10:39am PDT. Once in place, the Barracuda Web Application Firewall immediately blocked all subsequent attacks from the 115.134.249.15 IP address. The attacker continued to cycle through attacks against the remaining pages for the next few hours, even when the Barracuda Web Application Firewall blocked all of the attacks. This seems to confirm that an automated pentest tool was used to blindly inject SQL commands. In all, a total of 110,892 SQL injection commands from both attacking IP addresses were sent against 175 URLs at a rate of 42 per minute.

In tracing the Web Firewall and Access logs on the Barracuda Web Application Firewall, we determined that the attackers compromised a Marketing database and stole two sets of records containing a total of 21,861 names and emails. However, since there were a number of duplicates between the two sets and many of the entries belonged to users who are no longer with their original organizations, the number of affected users is substantially lower.

Any breach is a serious issue and we have reached out to the affected users documenting what has happened and any necessary precautions that they may need to take in response. We believe that the users affected by the breach are at minimal risk. We do not store any sensitive information in our Marketing database other than names and email addresses. Moreover, since Barracuda Networks primarily uses this data to send emails on upcoming events, Webinars, or other corporate news, the risk of spear-phishing is low as all of the communications are one-directional and informational in nature. Finally, since most users are existing Barracuda Spam & Virus Firewall customers, the vast majority of potential spam would likely be blocked regardless.

Conclusion

In hindsight, it was clear the Barracuda Web Application Firewall would have been able to detect and protect our Web site from the recent SQL Injection attack that occurred. However the reality of the situation is that with most breaches, the weak link is typically not with the technology itself but rather with the human element and the processes associated with security. Unfortunately attackers today have more sophisticated tools at their disposal to find victims. They can now automate the tedious task of finding vulnerabilities and focus solely on the “last mile” once a vulnerability is detected. What this means to the rest of us is that attacks will likely become more common and affect a much wider range of organizations.

The silver lining to this experience was that it helped us to demonstrate the effectiveness of the Barracuda Web Application Firewall in providing the necessary protection and auditing capabilities to defend against SQL injection attacks. The Barracuda Web Application Firewall was able to identify the SQL injection attack and would have blocked the attack had it been placed in Active Mode. Nevertheless, even in Passive Mode, the Barracuda Web Application Firewall was able to gather detailed forensic information that we used to investigate, contain and audit the affected systems. Using this data, we were able to quickly identify how the attacks occurred, what was breached and who we needed to reach out to after the incident.

While we have definitely advised customers on the risks of not securing their Web applications and we certainly have heard the worst-case scenarios from our customers as a vendor, we did not imagine that we would find ourselves having first-hand experience with such a scenario. We learned some valuable lessons in this situation and we hope that our story serves as evidence of how important it is to harden and secure your Web applications.

Why Facebook proxies are a bad idea

Monday, April 25th, 2011

by Dave Michmerhuizen,  Security Researcher

Facebook is immensely successful.  It is estimated that nearly 40% of the population of the United States has a Facebook account and that more people visit Facebook than visit Google.

However, many organizations consider Facebook to be both a distraction and a security risk.  While it has been very common for Web filtering solutions to block all access to Facebook, many organizations are realizing the need to safely allow access, at least to some degree.

As you might expect, enthusiastic Facebook users aren’t very happy with being kept from their favorite website, even during work or school hours.   Some of the more popular searches on Google are for “access facebook” and “unblock facebook.”  These searches return lists of Facebook proxy sites.

Proxy software serves as an intermediary for internet traffic.  To use a proxy to ‘unblock’ Facebook, users direct their web browsers to send requests to the proxy.  The proxy performs the request and sends the results back to the web browser.   Since the users do not deal directly with Facebook, blocking Facebook has no effect.

The sites that are returned by searching for “unblock Facebook” usually wrap proxy software with a Facebook-specific web user interface, offering themselves as web proxies so that frustrated Facebook users can sneak around the firewall and make that all important status post.

Here’s an example, the home page of accessexists.com

accessexists.com - a Facebook proxy site

The links work fairly well, allowing you to log in to Facebook and use most functions seamlessly.

The problem with using one of these so-called Facebook proxy sites is you don’t know who’s running it, where they are located, or what might be done with your user name and password. Consider what network traffic gets sent in the clear when you use the proxy to log on to Facebook.

Network traffic to accessexists.com

In this case our username and password are part of a POST transaction that is sent.   Where is it being sent?    WHOIS shows us that accessexists.com is owned by someone named Vladimir in Russia.

accessexists.com whois record

Vladimir is saving usernames and passwords, because after a day or so they get around to asking for money.

An unsophisticated user might see this as an immediate solution to an unfair problem, but it carries a great deal of risk. Valid Facebook usernames and passwords are sold to scammers on underground markets for a variety of purposes.  One of the most common ones is simply sending spam messages to everyone on your friends list.   Another is to use your account to carry out a variant of the Grandmother scam.

Trusting your Facebook username and password to an unknown third party is simply not worth the headaches it can cause.

Barracuda Networks customers using  Barracuda Web Filters can restrict access to Facebook within the organization and can also block access to web proxy sites.

IRS spam arrives just in time for April 18 tax deadline

Monday, April 18th, 2011

by Dave Michmerhuizen & Luis Chapetti – security researchers

Just in time for the U.S. tax filing deadline, the Barracuda Labs spam honeypots have detected a surge in spam intended to scare harried tax filers into letting down their guard.

Tax time is stressful and many of us are sifting through piles of forms and receipts. It can be difficult to remember to be skeptical of that official-looking email that appears to be from the Internal Revenue Service. Yet skeptical is what you should be, because the IRS is a favorite target for spammers and phishers to impersonate. Let’s look at three samples.


The first spam is from a phishing campaign that has been active since at least 2008.  Aimed primarily at immigrants, it presents a dense thicket of poorly written gobbledygook stating that the recipient is not subject to taxes on certain unspecified interest.

Fake non-resident exemption

A PDF of form W-4100B2 is attached and you are encouraged to fill it out and fax it to a number provided in the email.  The form asks for practically every piece of sensitive financial information an identity thief could want, including Social Security numbers, debit and credit card numbers with codes and even passport numbers.

However, the fact is that there is no IRS form W-4100B2. The IRS has specifically stated that they “do not request detailed personal information through email.”    Messages like this should be ignored.


The second spam has been used for phishing in the past, but in this year’s incarnation it carries a nasty payload.

"Rejected EFTPS" spam

The salutation of “Hello Dear” isn’t very convincing coming from the IRS. Still, the basic message, that an electronic tax payment might be rejected, could be enough to cause a harried office worker to open up the attachment. That would be a big mistake: although clicking on the attachment does not appear to do anything, it actually installs Trojan.Zeus in the background. This Trojan horse runs silently, steals usernames and passwords and in this case sends them to a command and control server in Asia.


The last sample is from a campaign that is noteworthy for how it is carefully targeted to specific individuals.   Usually spam campaigns are scatter shot affairs that send out large numbers of emails addressed to “Dear Sir / Madam”, as our first example showed.   This “rule change notification” was seen using individual email addresses of real people, addressing them by their real name and company name.

Targeted "Rules Change" spam

Instead of new tax rules, the attached .zip file contains a Trojan.Downloader which installs a variety of other malware.

Again, the IRS has stated that it “does not initiate taxpayer communications through email,” and “does not request detailed personal information through email.”  If a taxpayer has questions about emails such as these they should check with the IRS using contact information found in their local phone directory or www.irs.gov.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails. The Barracuda Web Filter, and/or the Barracuda Web Filtering Service block the traffic involved in the attacks.

Learning the Importance of WAF Technology – the Hard Way

Monday, April 11th, 2011

Posted by:  Michael Perone, EVP & CMO

Wow.  What a weekend.  In case you haven’t heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information.  The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords.  However, all active passwords for applications in use remain secure.

So, the bad news is that we made a mistake. The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time. Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market. As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs, which contained names and email addresses of leads, channel partners and some Barracuda Networks employees. The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.

This latest incident brings home some key reminders for us, including that:

  • You can’t leave a Web site exposed nowadays for even a day (or less)
  • Code vulnerabilities can happen in places far away from the data you’re trying to protect
  • You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed

Before responding prematurely to the press or to anyone else, we wanted to make sure we had time to sift through our logs and do a bit of communication.  We’re glad that the impact will be very minimal, but we’re not happy about the amount of bandwidth we’ve spent assessing what happened, responding to affected parties and putting in place the steps to prevent it in the future.

We are working to notify everyone whose email addresses were exposed, and we apologize for the inconvenience.

Facebook-themed spam targets CEOs, steals passwords

Monday, April 11th, 2011

by David Michmerhuizen – Security Researcher

The spam traps at Barracuda Labs have detected an ongoing malicious email campaign that leverages the Facebook brand and seems to target CEOs, particularly fat ones.

Sample spam

Like many of the best spam emails, it is stark in its simplicity. The body is in HTML format, which may not render in every mail viewer. For those that do, a single intriguing link is presented, with the Facebook domain used in the link to make it look innocent. Even if you’re not a fat CEO yourself, who doesn’t want to see what fat CEO is being referred to in the message?

Of course, the careful computer user will check the real destination of the link that is provided.   As the variant below shows, they are not the same.  Facebook isn’t even involved.
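The check the careful user performs by hand here (and the one that would also have flagged the PayPal statement email discussed above, whose links all leave the sender's domain for a click-tracking servlet) done over an HTML body, as an added example. This is not Barracuda's tooling and the two messages are constructed: they stand in for the spam and statement emails shown on this page, and the hosts and paths in them are made up.

```python
"""Inspect the anchors in an HTML email body: report each link's real
destination host, flag links whose visible text names a different domain,
and flag links that leave the claimed sender's domain. Added example;
the message bodies below are constructed stand-ins."""
from html.parser import HTMLParser
import re
from urllib.parse import urlsplit

# Something that looks like a hostname inside the visible link text
DOMAIN_IN_TEXT = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain;
    a bare IP address is returned unchanged so it never matches a name."""
    if not host:
        return ""
    host = host.lower()
    if re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.split(".")[-2:])


def inspect_links(html_body, sender_domain):
    """Return one finding per anchor with the real host and any flags raised."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        shown_domain = registrable(shown.group(1)) if shown else ""
        flags = []
        # Visible text advertises one domain, the href goes somewhere else
        if shown_domain and shown_domain != registrable(host):
            flags.append("text-host-mismatch")
        # Destination is outside the domain the message claims to come from
        if registrable(host) != registrable(sender_domain):
            flags.append("off-sender-domain")
        findings.append({"href": href, "host": host, "text": text, "flags": flags})
    return findings


# Constructed samples (hosts and paths are made up)
TRACKING_MAIL = ('<p>View your <a href="http://e.example-tracker.net/servlet/click?id=1">'
                 'account statement</a></p>')
LOOKALIKE_MAIL = ('<p><a href="http://198.51.100.7/x.php">'
                  'http://www.facebook.com/photo.php?id=1</a></p>')

if __name__ == "__main__":
    for finding in inspect_links(TRACKING_MAIL, "paypal.com"):
        print(finding)
    for finding in inspect_links(LOOKALIKE_MAIL, "facebook.com"):
        print(finding)
```

The tracking-style link raises only "off-sender-domain": it is not deceptive about its text, it simply does not go to the sender. The lookalike link raises both flags, because its visible text advertises facebook.com while the href resolves to a bare IP address, which is exactly the mismatch the status-bar screenshot shows.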

Showing link destination in status bar

Clicking on one of these links causes a set of exploits to be quietly delivered to the browser, primarily malicious PDF files.

While the browser is being exploited, some Facebook page (which may be real) is displayed to make it appear that your click had some actual purpose.

Decoy Facebook page

Sad to say, there is no CEO on this Facebook page at all, just an ugly cat.

As is so often the case with malware attacks, it’s what you can’t see that hurts you.  If one of the exploits finds a vulnerability to take advantage of, a version of Trojan.Zeus is downloaded.

Zeus trojan traffic

This common family of malware inserts itself into the HTTP transmission chain and intercepts Web pages that contain user account and password information.  The trojan then sends that data back to a command and control server.    Zeus has been implicated in hundreds of cases of online bank account theft.   Even without the direct theft of banking credentials, the trojan can steal passwords for other online services which can then be tried against more lucrative targets.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam mailings, and Barracuda Web Filters and the Barracuda Web Filtering Service block access to the linked malware.

Stolen Epsilon email lists will mean personalized phishing attacks

Tuesday, April 5th, 2011

by Dave Michmerhuizen & Luis Chapetti – security researchers

Sometime on April 1, email marketing firm Epsilon revealed that it had been hacked and that some of its customer lists had been stolen in what some news outlets are calling the biggest data breach ever.

Specifically what was stolen were names and email addresses, along with the implicit linking of that data with a particular client of Epsilon such as Best Buy, Target or Kroger Inc.    A partial list of affected clients is available at SecurityWeek and includes three of America’s largest banks – J. P. Morgan Chase, Citibank and U.S. Bank.

Security researchers at Barracuda Labs believe that these lists will prove to be valuable in the underground marketplace for email address lists.   They directly link verified email addresses and customer names with companies that do business online.  Phishers will find this additional data very useful.

Phishing emails are a type of spam that pose as emails from legitimate institutions, such as your bank or phone company, and attempt to trick you into divulging your username, password and other account information.  The phishers then use this to take over your online account and steal from it or use it to commit other crimes.

Under normal circumstances phishers send generally worded emails to purchased lists of email addresses. Since they don’t have the names that go with the email addresses, the best they can do is address the phish to “Dear Customer” or “Attention”. These purchased email address lists contain addresses indiscriminately harvested from the internet, and the chance that any given addressee is even associated with the company being phished is low. To make up for this, phishers send huge numbers of emails using many lists and ultimately attract the attention of authorities, who block their spam and take action against their activities.

Contrast this to the quality of the email lists stolen from Epsilon. Phishers using one of these lists have a name to associate with the email address, allowing them to craft much more convincing emails. They know that every email address on the list is likely to work, and that each one is associated with the company whose account information they are trying to phish. Fewer emails need to be sent, which attracts less attention to the servers and Web sites used by the phishers, and even with fewer emails the hit rates from these lists are likely to be much, much higher than they are from the typical slapdash phishing campaign.

Example of CitiBank phishing spam

The bottom line here is that people whose email addresses are on those stolen lists will be getting many more phishing emails that appear to be from companies they do business with already. These phishing emails will be even more personal and convincing. The best advice we can give is to exercise good email security. Never open attachments you aren’t explicitly expecting. When an email from a company you do recognize and do business with contains a link, rather than click on that link we recommend that users independently visit the site by entering the URL directly into a Web browser.

The Lizamoon attack – do you protect your web users as well as you protect your endpoints?

Monday, April 4th, 2011

by Dave Michmerhuizen – security researcher

Most of our readers spend plenty of time and money to secure endpoints and mail servers.  Protecting users is certainly important, but what about the users who aren’t even part of your organization?  Do you know what your Web applications are up to?   The recent massive SQL injection attack dubbed ‘LizaMoon’ showed pretty clearly that hundreds of thousands of Web site operators don’t.

Do you have an externally available Web site, support forums or even just a blog?  You might want to take some extra steps to making sure your Web site and Web applications are secure. Our Barracuda Web Application Firewall product manager took a deeper look at this attack earlier today. Check it out.
