Here’s something we hear regularly at Barracuda Labs…

“My mom called me and said that someone posted something bad on her facebook.  How did they do that? What should I tell her?”

Our two-part answer is simple.  First, mom probably clicked on something and unwittingly gave it permission to post to her wall.  Second, there is always a possibility that mom had her password stolen.   She should change her Facebook password at once, as well as change the password on any service where she might have used that same password.

Facebook passwords do get stolen.  Below is one example of how that happens.

It starts with a message like this one that spreads from one wall to another.

Clicking on the link in the message opens up what looks like a Facebook login page.

(click to open full-size image)

Facebook will pop up a login page in certain situations to make certain that you are properly authenticated.   In this case the login page is entirely fake and is not part of Facebook at all.

Suppose you were in a hurry and didn’t take time to look at the URL of the page.   If you fill in your information and press the Login button, here’s what happens:

(click for full-size image)

As you can see in the image, your exact username and password are sent off to the Russian domain.   Once this is done, the browser is sent to a Facebook themed ‘survey’ site.

(click for full-size image)

These ‘survey’ sites offer some gift in exchange for participating in an endless cycle of marketing schemes, many of which ask for personal information and none of which ever deliver the the promised gift.

The remaining question is why criminals steal Facebook passwords

and there are three good answers.

1. Personal information on your Facebook account can be used to piece together full-fledged identity theft.

2. A stolen Facebook account is the perfect vehicle for carrying out the Stranded Traveler scam.

3.  Survey scammers such as the ones shown here have to start their viral campaigns somewhere, and a stolen account, with its hundreds of trusting friends, is the perfect place to start.

With the new Facebook Timeline rolling out this week, users should be particularly careful with the personal information they make available on their pages.  As always, Barracuda Networks recommends that you be cautious with what you click on and change your password regularly as a matter of course.

For Immediate Release

NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS

Barracuda Labs Releases 2011 Social Networking Security & Privacy Study

• View the Infographic – http://www.barracudalabs.com/SNS

• View the Report – http://www.barracudalabs.com/SNSreport

Campbell, Calif. (Oct. 12, 2011) – Barracuda Labs today released its 2011 Social Networking Security & Privacy Study. The complete study and infographic can be seen at www.barracudalabs.com. Barracuda Labs is the research arm of Barracuda Networks Inc., the leading provider of security, application delivery and data protection solutions to businesses.

“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”

The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost equally to popularity and ease of use. Major highlights from the study are included below.

Social Networking Usage

• LinkedIn is the most accepted social network by businesses with only 20 percent of companies blocking or limiting its usage, as compared to 31 percent of companies that block or limit Facebook.

Social Networking Security

• Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Social Networking Privacy

• One in five people has been negatively affected by information that was exposed on a social network.

2011 Social Networking Security & Privacy Study – Resources:

• Infographic – http://www.barracudalabs.com/SNS

• Report – http://www.barracudalabs.com/SNSreport

About Barracuda Labs

Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.

About Barracuda Networks

Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.

Recently Dutch certificate authority DigiNotar suffered a compromise that resulted in the issuance of over 200 forged certificates for a variety of well known web domains including Google, Yahoo and Mozilla.

The certificates have been revoked and certificate users have been quick to update their products. Spammers and malware distributors have been just as quick to take advantage of the confusing stories about SSL certificates that have been appearing in the mainstream media.

Consider this spam that we recently started seeing at Barracuda Labs. The message, pitched directly to business customers of the Royal Bank of Canada tries to convince them that their SSL certificate has expired.

(Click for larger image)

While it may look like  garden variety phishing spam, this message is much more dangerous. The spammers try to create a sense of urgency with the hope that you will click one of the links to see what happens; which, in this case, is a particularly bad idea because the second link in the message directs the browser to a server hosting an exploit kit. Once the browser visits that site a series of attacks begin which can result in the download of Trojan.Buzus. This nasty payload steals login credentials and opens a backdoor allowing remote control of the now-infected computer.

(Click for larger image)

Ever since the blackhole exploit kit became widely available earlier this year, the Barracuda Networks Real Time Protection System has been seeing more and more overtly malicious spam directing users to sites such as these which attempt to force malware onto users computers.  All it takes is one initial click on a link to set off a chain of exploits which require no further interaction to infect a computer. As always, we recommend you treat spam messages with great care.

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam

Much like last weeks Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning

While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done.  The only suspicious element is that the From: address is not Chase bank, an unusual failure given how easy it is to fake the From: field in an email.

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Barracuda Labs researchers have recently seen emails from PayPal Inc. that initally seem to be phish but ultimately appear to be a security fail by a company that surely should know better.

It is a well-accepted email security best practice to never click on links in emails.  Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on emails.  As you would expect, PayPal does so on their website.

Warning on PayPal website

Consider that warning and then take a look at this email from Paypal, via servers at responsys.net, a software service that allows marketers to manage email campaigns…

PayPal "enhanced account statement" email

The email contains ELEVEN hyperlinks, all pointing to an email response servelet which records your click and then transfers the browser to the PayPal login screen.   “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails.   Although PayPal has declined to comment on the email,  close examination shows no malicious content.    Instead, this appears to be a case of a Marketing department in need of a little security education.

It’s unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years.  An email from a bank or online service should be considered suspect by default.   PayPal’s own advice is the safest advice, always open your web browser and type in the URL you intend to visit – never click on a link embedded in an email.

Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue.   Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective.   When PayPal sends out their own emails containing links they confound customers who have been long been told not to click on those very links.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.

Facebook is immensely successful.  It is estimated that nearly 40% of the population of the United States has a Facebook account and that more people visit Facebook than visit Google.

However, many organizations consider Facebook to be both a distraction and a security risk.  While it has been very common for Web filtering solutions to block all access to Facebook, many organizations are realizing the need to safely allow access, at least to some degree.

As you might expect, enthusiastic Facebook users aren’t very happy with being kept from their favorite website, even during work or school hours.   Some of the more popular searches on Google are for “access facebook” and “unblock facebook.”  These searches return lists of Facebook proxy sites.

Proxy software serves as an intermediary for internet traffic.  To use a proxy to ‘unblock’ Facebook, users direct their web browsers to send requests to the proxy.  The proxy performs the request and sends the results back to the web browser.   Since the users do not deal directly with Facebook, blocking Facebook has no effect.

The sites that are returned by searching for “unblock Facebook” usually wrap proxy software with a Facebook-specific web user interface, offering themselves as web proxies so that frustrated Facebook users can sneak around the firewall and make that all important status post.

Here’s an example, the home page of accessexists.com

accessexists.com - a Facebook proxy site

The links work fairly well, allowing you to log in to Facebook and use most functions seamlessly.

The problem with using one of these so-called Facebook proxy sites is you don’t know who’s running it, where there are located, or what might be done with your user name and password.   Consider what network traffic gets sent in the clear when you use the proxy to log on to Facebook.

Network traffic to accessexists.com

In this case our username and password are part of a POST transaction that is sent.   Where is it being sent?    WHOIS shows us that accessexists.com is owned by someone named Vladimir in Russia.

accessexists.com whois record

Vlaidmir is saving usernames and passwords, because after a day or so they get around to asking for money.

An unsophisticated user might see this as an immediate solution to an unfair problem, but it carries a great deal of risk. Valid Facebook usernames and passwords are sold to scammers on underground markets for a variety of purposes.  One of the most common ones is simply sending spam messages to everyone on your friends list.   Another is to use your account to carry out a variant of the Grandmother scam.

Trusting your Facebook username and password to an unknown third party is simply not worth the headaches it can cause.

Barracuda Networks customers using  Barracuda Web Filters can restrict access to Facebook within the organization and can also block access to web proxy sites.

Just in time for the U.S. tax filing deadline, the Barracuda Labs spam honeypots have detected a surge in spam intended to scare harried tax filers into letting down their guard.

Tax time is stressful and many of us are sifting through piles of forms and receipts.  It can be difficult to remember to be skeptical of that official-looking that appears to be from the Internal Revenue Service.   Yet skeptical is what you should be, because the the IRS is a favorite target for spammers and phishers to impersonate.    Lets look at three samples.

The first spam is from a phishing campaign that has been active since at least 2008.  Aimed primarily at immigrants, it presents a dense thicket of poorly written gobbledygook stating that the recipient is not subject to taxes on certain unspecified interest.

Fake non-resident exemption

A PDF of form W-4100B2 is attached and you are encouraged to fill it out and fax it to a number provided in the email.  The form asks for practically every piece of sensitive financial information an identity thief could want, including Social Security numbers, debit and credit card numbers with codes and even passport numbers.

However, the fact is that there is no IRS form W-4100B2. The IRS has specifically stated that they “do not request detailed personal information through email.”    Messages like this should be ignored.

The second spam has been used for phishing in the past, but in this year’s incarnation it carries a nasty payload.

"Rejected EFTPS" spam

The salutation of “Hello Dear” isn’t very convincing coming from the IRS.  Still, the basic message that an electronic tax payment might be rejected might be enough to cause a harried office worker to open up the attachment.  That would be a big mistake because although clicking on the attachment does not appear to do anything it actually does install Trojan.Zeus in the background.  This Trojan horse runs silently, steals usernames and passwords and in this case sends them to a command and control server in Asia.

The last sample is from a campaign that is noteworthy for how it is carefully targeted to specific individuals.   Usually spam campaigns are scatter shot affairs that send out large numbers of emails addressed to “Dear Sir / Madam”, as our first example showed.   This “rule change notification” was seen using individual email addresses of real people, addressing them by their real name and company name.

Targeted "Rules Change" spam

Instead of new tax rules, the attached .zip file contains a Trojan.Downloader which installs a variety of other malware.

Again, the IRS has stated that it “does not initiate taxpayer communications through email,” and “does not request detailed personal information through email.”  If a taxpayer has questions about emails such as these they should check with the IRS using contact information found in their local phone directory or www.irs.gov.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails. The Barracuda Web Filter, and/or the Barracuda Web Filtering Service block the traffic involved in the attacks.

The spam traps at Barracuda Labs have detected an ongoing malicious email campaign that leverages the Facebook brand and seems to targets CEOs, particularly fat ones.

Spam

Like many of the best spam emails, it is stark in its simplicity.  The body is HTML format which may not work for every mail viewer. For those that do, a single intriguing link is presented with the Facebook domain used in the link to make it look innocent.  Even if you’re not a fat CEO yourself, who doesn’t want to see what fat CEO is being referred to in the message?

Of course, the careful computer user will check the real destination of the link that is provided.   As the variant below shows, they are not the same.  Facebook isn’t even involved.

Showing link destination in status bar

Clicking on one of these links causes a set of exploits to be quietly delivered to the browser, primarily malicious PDF files.

While the browser is being exploited, some Facebook page (which may be real) is displayed to make it appear that your click had some actual purpose.

Decoy Facebook page

Sad to say, there is no CEO on this Facebook page at all, just an ugly cat.

As is so often the case with malware attacks, it’s what you can’t see that hurts you.  If one of the exploits finds a vulnerability to take advantage of, a version of Trojan.Zeus is downloaded.

Zeus trojan traffic

This common family of malware inserts itself into the HTTP transmission chain and intercepts Web pages that contain user account and password information.  The trojan then sends that data back to a command and control server.    Zeus has been implicated in hundreds of cases of online bank account theft.   Even without the direct theft of banking credentials, the trojan can steal passwords for other online services which can then be tried against more lucrative targets.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall protected from these spam mailings, and  Barracuda Web Filters and the Barracuda Web Filtering Service block access to the linked malware.

• Report from Ponemon Institute finds website attacks are the biggest concern for companies, yet 88 percent spend more on coffee than securing Web applications
• 69 percent of organizations rely on network layer firewalls to protect their websites, leaving Web applications wide open for attack
• 72 percent of organizations test less than 10 percent of their Web applications for security holes, some knowing they have been hacked in the past

Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute, today announced the results of the “State of Application Security Survey,” which reveals respondents’ perceptions and experiences protecting Web applications. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.

According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.

“While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.”

“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?”

Other key findings in the study include:

• Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
• Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
• With 41 percent reporting they have over 100 Web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
• More than half (53 percent) expect their Web hosting provider to secure their Web applications.
• Of those respondents who own a Web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession. The full survey analysis can be found at http://www.barracudanetworks.com/ns/downloads/White_Papers/Barracuda_Web_App_Firewall_WP_Cenzic_Exec_Summary.pdf.