Archive for the ‘ID Theft’ Category

Facebook-themed spam targets CEOs, steals passwords

Monday, April 11th, 2011

by David Michmerhuizen – Security Researcher

The spam traps at Barracuda Labs have detected an ongoing malicious email campaign that leverages the Facebook brand and seems to target CEOs, particularly fat ones.

Sample spam


Like many of the best spam emails, it is stark in its simplicity.  The body is HTML, so it may not render in every mail client. For those that do render it, a single intriguing link is presented, with the Facebook domain used as the visible link text to make it look innocent.  Even if you’re not a fat CEO yourself, who doesn’t want to see what fat CEO is being referred to in the message?

Of course, the careful computer user will check the real destination of the link rather than trusting the text it is wrapped in.   As the variant below shows, the two are not the same.  Facebook isn’t even involved.
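The check just described, as an added example that is not part of the original post: parse an HTML mail body, pair each link's visible text with its href, and flag the ones where the text names one domain while the href goes to another. The mail body, the 203.0.113.7 address and the other hosts are constructed for the example.

```python
"""Added example, not code from the original post: extract every link in an
HTML mail body and flag those whose visible text names one domain while the
href points at another. The mail body and hosts below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; 203.0.113.7 is a documentation address, not a real host.
SAMPLE_MAIL = """
<html><body>
<p>You have to see this: <a href="http://203.0.113.7/fb/index.php">http://www.facebook.com/pages/fat-ceo</a></p>
<p>Help: <a href="https://www.facebook.com/help">facebook.com/help</a></p>
<p>Plain: <a href="https://example.org/">click here</a></p>
</body></html>
"""

HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: the last two labels. Good
    enough for this comparison; a real deployment uses the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def deceptive_links(html):
    """Return the links whose visible text shows a domain other than the href's host.
    Text that names no domain ("click here") cannot be deceptive in this sense."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = HOST_RE.search(text)
        if not match:
            continue
        shown_host = match.group(1)
        real_host = urlparse(href).hostname or ""
        if registrable(shown_host) != registrable(real_host):
            flagged.append({"shown": shown_host, "href": href})
    return flagged
```

Run `deceptive_links(SAMPLE_MAIL)` and only the first link is returned: the text says www.facebook.com, the href goes to a bare IP address. The same comparison is what a mail gateway or a browser status bar is doing for you when you hover over a link.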

Showing link destination in status bar


Clicking on one of these links causes a set of exploits to be quietly delivered to the browser, primarily malicious PDF files.

While the browser is being exploited, some Facebook page (which may be real) is displayed to make it appear that your click had some actual purpose.

Decoy Facebook page


Sad to say, there is no CEO on this Facebook page at all, just an ugly cat.

As is so often the case with malware attacks, it’s what you can’t see that hurts you.  If one of the exploits finds a vulnerability to take advantage of, a version of Trojan.Zeus is downloaded.

Zeus trojan traffic


This common family of malware hooks the browser’s HTTP functions and captures the contents of Web forms, including account names and passwords, as they are submitted; because the hook sits inside the browser, it sees the data before HTTPS encryption is applied.  The trojan then sends that data back to a command and control server.    Zeus has been implicated in hundreds of cases of online bank account theft.   Even without the direct theft of banking credentials, the trojan can steal passwords for other online services, which can then be tried against more lucrative targets.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam mailings, and Barracuda Web Filters and the Barracuda Web Filtering Service block access to the linked malware.


73 Percent of Organizations Have Been Hacked At Least Once In The Last 24 Months Through Insecure Web Applications

Tuesday, February 8th, 2011

By: Barracuda Labs

  • Report from Ponemon Institute finds website attacks are the biggest concern for companies, yet 88 percent spend more on coffee than securing Web applications
  • 69 percent of organizations rely on network layer firewalls to protect their websites, leaving Web applications wide open for attack
  • 72 percent of organizations test less than 10 percent of their Web applications for security holes, some knowing they have been hacked in the past

Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute, today announced the results of the “State of Application Security Survey,” which reveals respondents’ perceptions and experiences protecting Web applications. The survey underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security.

According to 74 percent of respondents, Web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily Web application firewalls and vulnerability assessment.

“While it is encouraging to see that Web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure Web applications is like relying upon a cardboard shield for protection in a sword fight – eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.”

“The fact that a quarter of respondents could not provide a range for how many Web applications they have is a huge red flag right off the bat,” said Mandeep Khera, CMO for Cenzic. “Furthermore, that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their Web applications is shocking. And, most of these companies have been hacked multiple times through insecure Web applications. If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?”

Other key findings in the study include:

  • Data protection (62 percent) and compliance (51 percent) were the top reasons for securing Web apps. Job protection was also a significant reason cited by 15 percent of respondents.
  • Despite 51 percent listing compliance as a key driver for Web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.
  • With 41 percent reporting that they have 100 or more Web applications, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.
  • More than half (53 percent) expect their Web hosting provider to secure their Web applications.
  • Of those respondents who own a Web application firewall, nearly twice as many agreed that a reverse proxy is a better and more secure deployment than a transparent bridge.

“While IT practitioners recognize the criticality of secure Web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure Web applications, and 64 percent said they believe that their organization has inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession. The full survey analysis can be found at http://www.barracudanetworks.com/ns/downloads/White_Papers/Barracuda_Web_App_Firewall_WP_Cenzic_Exec_Summary.pdf.


Gawker Compromise, Password Lessons

Tuesday, December 14th, 2010

by Daniel Peck, Research Scientist

Today any remotely technical news or blog site most likely has a blurb about the recent Gawker Media compromise.  Most people are making a big deal out of the release of the password files, but honestly, there’s not a lot to that part.  These were clearly very low priority passwords for almost everyone using them. While there was probably some amount of password reuse between Gawker sites and the users’ email accounts, the overlap is still relatively small.

But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:

3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567

Additionally,

~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.

855 of the passwords contained one of George Carlin’s 7 Dirty Words.

930 contained Love.

And honestly, I’m a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.

The bigger story should be about how complete the compromise appears to be.  All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart.  Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven’t unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks.  All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.

So in light of recent events, now is as good of a time as any to share some good password advice:

1. Developers – Hash your passwords using a per-user salt.  It seems (though I haven’t verified this yet) that this database simply stored the passwords with plain DES, without any salt tied to the individual user.  This is bad because every user with the same password ends up with the same stored value: a single precomputed (rainbow) table lookup recovers it, and cracking it for one account cracks it for all of them.

2.  Users – Don’t use easy-to-guess passwords (if your password is in the Gawker list, that’s bad.)   An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.”  Then take the first letter from each word, like so – “TqbFjotlD”.   Add in a number such as your age and you have a fairly strong password that’s still easy for you to recall.

3.  Users – Don’t share passwords between sites.  Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site.  For example, the above password root could be “TqbFjotlD32@GM”  for Gmail,  “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.  Bear in mind that if one site stores or leaks the password in the clear, the root and the pattern are exposed along with it; a password manager that generates a unique random password for each site avoids that weakness.
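To make item 1 concrete, here is an added example (not code from the post) showing why an unsalted digest is a problem and what a salted, slow hash changes. It uses PBKDF2 from the Python standard library; bcrypt, scrypt or Argon2 would be the choice in a current deployment, but the salt handling is the same. The user records are constructed; “monkey” and “trustno1” are taken from the list above.

```python
"""Added example, not code from the original post: the difference a per-user
salt makes, using PBKDF2 from the standard library (a current deployment
would prefer bcrypt, scrypt or Argon2; the salt handling is identical).
The user records are constructed; "monkey" is one of the dump's top passwords."""
import hashlib
import hmac
import os

USERS = {"alice": "monkey", "bob": "monkey", "carol": "trustno1"}


def unsalted(password):
    """The failure mode: equal passwords give equal digests, so a single
    precomputed table, or one cracked account, covers every user sharing it."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password, iterations=100_000):
    """Store algorithm, work factor, random salt and digest in one string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record, password):
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_digests(records):
    """Count users whose stored value duplicates another user's. Anything
    above zero means the store reveals who shares a password."""
    seen, shared = set(), 0
    for stored in records.values():
        if stored in seen:
            shared += 1
        seen.add(stored)
    return shared
```

With the unsalted function, alice and bob are visibly the same password before anyone cracks anything; with `make_record` every stored value is unique, and the iteration count makes each guess cost the attacker as much as it costs you.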

I’m sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.


The Here-you-Have Trojan taught new malware some old tricks

Tuesday, November 23rd, 2010

By Dave Michmerhuizen, Security Researcher

Two months ago a Trojan called Here-you-have had its fifteen minutes of fame, infesting mail servers around the world and clogging the networks of more than a few large institutions.

One key feature that allowed this trojan to replicate was a deception that, while not exactly new, fooled a large number of people. The file carrying the trojan had the extension .SCR, which Windows uses for screensavers.  A Windows screensaver is just another type of program, but many users are unaware of this and clicked Run – and spread the Trojan.

Since the Here-you-have outbreak, Barracuda Labs has seen a very significant increase in the number of attacks that attempt to deliver malware by disguising the payload in the very same way.  According to Barracuda Networks Security Researcher Luis Chapetti, at one point in early November over 50% of all emails containing HTML-style links seen by our honeypots were attempting to deliver malware with a .SCR extension.  The examples seen are silent, but deadly, as we show below.


A typical attack starts with a convincing tax form spam targeting financial professionals

A close reading shows not only the aforementioned .SCR extension but a tell-tale misspelling and a suspicious domain as well.  Still, it’s not always easy to stop and do a close reading.  Instead, a harried office worker might just click the link to see what the tax forms in this .PDF are all about.   Doing so does produce a warning dialog:

But of course if you’re in a hurry you might just see the letters “PDF” and click on Run anyway.  What happens if you do?

Nothing.

At least nothing you can see.  You could click that link multiple times and see nothing at all, eventually assuming something was wrong somewhere and just giving up and moving on.   What really does happen, though, is that a file is downloaded and added to Internet Explorer:

The file is downloaded with the .SWF extension, making it appear to be an Adobe Flash file.  This is done to evade firewall rules that might prevent the downloading of a .DLL, which is what the file actually is.

The .DLL file is a BHO – a Browser Helper Object, a piece of software designed to extend and enhance Internet Explorer.  Add-on toolbars and Adobe’s PDF reader are examples of legitimate BHOs.  The file downloaded by clicking on the spammed link is an example of a malicious BHO.
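Both tricks in this post, a .SCR that is an executable and a “.SWF” that is really a DLL, come down to the file name disagreeing with the file content. The following added example (not Barracuda’s code) checks a name/content pair against the magic bytes of the types mentioned above and, for a PE image, reads the IMAGE_FILE_DLL flag from the COFF header. The sample files are constructed byte strings with just enough header to exercise the checks, not the real malware.

```python
"""Added example, not code from the original post: check whether a file's
content matches what its extension claims, covering the .SCR (really a PE
executable) and .SWF (really a DLL) cases above. The sample files are
constructed byte strings with just enough header to exercise the checks."""
import struct

# Leading bytes of the container types the post mentions.
MAGIC = {
    b"MZ": "pe",                    # .exe, .dll and .scr are all PE images
    b"%PDF": "pdf",
    b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf",
}
# What each extension claims its content is.
CLAIMS = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf", "swf": "swf"}
# Extensions Windows will execute when double-clicked, whatever the icon suggests.
EXECUTABLE_EXT = {"exe", "dll", "scr", "com", "pif", "bat", "cmd"}
IMAGE_FILE_DLL = 0x2000


def sniff(data):
    """Classify content by magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_is_dll(data):
    """Follow e_lfanew to the PE signature and test IMAGE_FILE_DLL in
    IMAGE_FILE_HEADER.Characteristics (offset 18 into the COFF header)."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    characteristics = struct.unpack_from("<H", data, pe_off + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def classify(filename, data):
    """Return the findings for one name/content pair; [] means nothing odd."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    findings = []
    if ext in EXECUTABLE_EXT:
        findings.append(f".{ext} is an executable type")
    if ext in CLAIMS and CLAIMS[ext] != actual:
        findings.append(f"extension claims {CLAIMS[ext]} but content is {actual}")
    if actual == "pe" and pe_is_dll(data):
        findings.append("PE is a DLL (loadable by the browser as a BHO)")
    return findings


def fake_pe(dll):
    """Constructed minimal MZ/PE header: valid for the checks above, not runnable."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    flags = 0x0102 | (IMAGE_FILE_DLL if dll else 0)    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<H", hdr, 0x40 + 4 + 18, flags)
    return bytes(hdr)


# Constructed samples mirroring the post: a "tax form" that is a screensaver
# executable, a "Flash file" that is a DLL, and two honest files.
SAMPLES = {
    "Tax_Form_2010.PDF.scr": fake_pe(dll=False),
    "player.swf": fake_pe(dll=True),
    "real.swf": b"CWS\x0a" + b"\0" * 16,
    "form.pdf": b"%PDF-1.4\n",
}
```

The point of sniffing by content is exactly the one the post makes: a firewall rule keyed on the .DLL extension never sees this file, but a rule keyed on an MZ header arriving under a .SWF name does.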

Browser Helper Objects have access to everything that the browser does, including web page traffic before encryption is applied.   Therefore, what the malicious AcroIEHelper2.dll does chillingly well is to steal any username and password pair that you enter into your browser, even if the site uses HTTPS.     We tested this with Chase Bank’s secure online banking logon page:

Note that we are viewing the actual Chase logon page, not a phishing site hosted somewhere else.   We entered dummy credentials – BarracudaTest and TestPassword – pressed “Log on” and watched the network traffic behind the scenes.

The username and password we had entered were winging their way to servers that have nothing to do with Chase Bank.  They can plainly be seen in this reconstruction of the traffic.

We tested a number of other websites, such as WellsFargo, NetFlix and Google’s service login page.   In every case the supplied credentials were sent to the malware drop points.    The goal here is to steal online banking credentials and then drain the associated accounts, particularly small business accounts, which do not have the same protection as consumer accounts.
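The test run here, and the Zeus form-grabbing described in the Facebook-spam post earlier in this archive, share the same detection idea: type a known dummy credential into the genuine login page and see where it turns up. The following added example (not Barracuda’s code) applies that check offline to a constructed reconstruction of post-login traffic; the login host, the 198.51.100.23 address and drop.example.net are placeholders, not hosts from the post.

```python
"""Added example, not code from the original post: the canary-credential test
described above, run offline against a constructed traffic reconstruction.
The login host and every other host/URL here are assumptions."""
from urllib.parse import unquote_plus, urlparse

# The dummy credentials typed into the genuine login page.
CANARY = ("BarracudaTest", "TestPassword")
# Assumed host of the legitimate login form; the only place the canary may go.
LOGIN_HOST = "chaseonline.chase.com"

# Constructed reconstruction of the requests observed after pressing "Log on":
# (method, url, body). 198.51.100.23 and drop.example.net are placeholders.
TRAFFIC = [
    ("POST", "https://chaseonline.chase.com/Logon.aspx",
     "UserID=BarracudaTest&Password=TestPassword&btn=Log+on"),
    ("GET", "https://chaseonline.chase.com/static/logo.png", ""),
    ("GET", "http://198.51.100.23/gate.php?u=BarracudaTest&p=TestPassword&site=chase", ""),
    ("POST", "http://drop.example.net/in.php",
     "data=user%3DBarracudaTest%26pass%3DTestPassword"),
]


def contains_canary(blob):
    """True if a canary value appears in the text as-is or after one or two
    rounds of URL-decoding (nested encoding is common in drop traffic)."""
    once = unquote_plus(blob)
    views = (blob, once, unquote_plus(once))
    return any(value in view for value in CANARY for view in views)


def credential_leaks(traffic, login_host=LOGIN_HOST):
    """Return (host, url) for every request that carries the canary anywhere
    other than to the login host. A clean browser yields an empty list."""
    leaks = []
    for _method, url, body in traffic:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host == login_host:
            continue  # the legitimate form submission
        if contains_canary(parts.query) or contains_canary(body):
            leaks.append((host, url))
    return leaks
```

This works when the stolen values travel in the clear, as they did in the capture above. If the malware encodes or encrypts what it sends, value matching misses it, and the stricter form of the check is to flag every request to a non-login host made in the seconds after the form is submitted.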

It’s worth noting that the BHO would not install if User Account Control (UAC) is enabled for the Vista or Windows 7 user account, or if the XP user account is a limited account.  Limited accounts and UAC may seem inconvenient, but they exist to keep things like this from happening.

The bottom line message is clear – don’t click on links you don’t recognize, and learn the lesson that here-you-have has been teaching the malware you are exposed to – .SCR files are not something you want to open or run.

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.


HTML is Not Harmless – Email Security Update

Thursday, September 23rd, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is - plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and to even be careful with unusual looking email from sources that they do trust.  Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a webpage and that webpages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious a threat as other attachment types.

On September 16, this particular campaign started with spams tied to current Google trending topics:

Attracting attention by latching on to the latest breaking news is a technique that attackers have been using for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot topic search results frequently are littered with links to hacked sites that serve up malicious JavaScript.  Now, the attackers are taking that a step further: rather than waiting for the user to come to their hacked sites, they simply email the same malicious JavaScript straight to the inbox.

These campaigns evolved slightly over the following days, with the subject lines changing from trend topics to more nonspecific email subjects that one might receive from a business associate:

With messages to match:

These emails are presented as something just innocent enough that a user might allow curiosity to overrule caution and click “open”.  However, once that happens, the HTML attachments suddenly don’t seem so harmless.

The attachments consist of heavily obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavor of the moment. In some instances, that is fake pharmacy sites, which deliver no malware themselves:

In others, it may be fake codec sites which are harmless as long as the fake codec is not downloaded (note: a codec should never be downloaded in this manner):


And finally, some instances lead to fake anti-virus sites which can carry a variety of problems:

Consider the HTML behind the fake anti-virus site redirect:

The HTML that serves this redirect also contains an IFRAME element that attacks the browser and installs a backdoor, as seen below:

What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed.

After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files:

This is what the email attachment looks like when viewed with JavaScript disabled.   This inclusion strategy helps disguise the JavaScript from email scanners and reassures users whose email clients preview HTML content without evaluating JavaScript.

But there is malicious JavaScript inside, just waiting for the attachment to be opened in a browser:

In a browser, this displays the seemingly legitimate attachment very briefly and then blanks out the screen.  Once the screen is blank, the malicious code is busy exploiting the browser and downloading malware culminating in the installation of a Trojan from the Zeus family.
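The indicators described across this post (decoder calls such as eval and unescape, long runs of %XX or \xXX escapes, and a tiny or invisible IFRAME pointing at an exploit page) can be checked statically before anything is rendered. The following is an added example, not Barracuda’s code: a small triage pass over an HTML attachment. Both sample documents are constructed, and the 203.0.113.9 address is a documentation placeholder.

```python
"""Added example, not code from the original post: static triage of an HTML
attachment for the indicators described above (obfuscated JavaScript and a
hidden IFRAME). Both sample documents are constructed; the IFRAME address
is a documentation placeholder."""
import re
from html.parser import HTMLParser

SAMPLE_ATTACHMENT = """<html><body>
<p>Please find the document attached.</p>
<iframe src="http://203.0.113.9/x/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>
var s="%3C%73%63%72%69%70%74%3E"+unescape("%64%6F%63%75%6D%65%6E%74")+"\\x2e\\x77\\x72\\x69\\x74\\x65";
var t=String.fromCharCode(104,116,116,112,58,47,47);eval(unescape(s)+t);
</script>
</body></html>"""

CLEAN_PAGE = """<html><body><h1>Invoice</h1>
<script>document.getElementById('total').innerHTML = 'Total: 42';</script>
</body></html>"""


class Extractor(HTMLParser):
    """Pull out <script> bodies and <iframe> attributes."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# Eight or more consecutive %XX or \xXX escapes: text meant for a decoder, not a reader.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)
# Functions that turn encoded text back into executable code or markup.
DECODER_CALLS = ("eval(", "unescape(", "fromCharCode", "document.write")


def script_indicators(js):
    """Return the obfuscation indicators present in one script body."""
    hits = [call for call in DECODER_CALLS if call in js]
    if ESCAPE_RUN.search(js):
        hits.append("long-escape-run")
    return hits


def hidden_iframe(attrs):
    """A 0/1-pixel or invisible frame exists to load something, not to show it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "visibility:hidden" in style or "display:none" in style


def triage(html):
    """Findings for one attachment; an empty list means no indicator fired."""
    ex = Extractor()
    ex.feed(html)
    findings = []
    for i, js in enumerate(ex.scripts):
        findings += [f"script[{i}]: {hit}" for hit in script_indicators(js)]
    findings += [f"hidden iframe -> {fr.get('src')}" for fr in ex.iframes if hidden_iframe(fr)]
    return findings
```

Static indicators like these are cheap and catch the bulk spam variants; they do not replace detonating the attachment in a sandbox, since a determined author can keep the decoder calls out of the literal text as well.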

The absence of any significant visual feedback means the user typically has no idea what has just happened or that they have contracted one of the most dangerous pieces of malware on the Internet.  Zeus Trojans are a stealthy family of malware that steal online credentials, particularly those used for online banking.

So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, it is definitely not harmless.

Barracuda Spam & Virus Firewalls block these emails, and Barracuda Web Filters and the Barracuda Web Filtering Service stop the malicious traffic.



Phishing Spam Targets Netflix Users

Tuesday, September 14th, 2010

By Dave Michmerhuizen, Security Researcher

Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.

Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.

The email is simple enough and looks convincing:

Taking a deeper look, the recipient will notice that the email was not addressed to anyone by name.  Also, mousing over the link shows that it does not go to Netflix.com. Instead, it goes to a deceptively similar domain, netflixus.com. The recipient could easily confuse the two, since the name is so similar and the suffix reads like a country designation (US).

Netflixus.com was registered on the same day that the phishing attack began, September 13:



Clicking on the “update” link sends the user to a login page that looks like what one would expect from Netflix:

One exception is the domain in the address bar: still netflixus.com.  Additionally, the page is served over plain HTTP rather than HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so a user who mouses over them sees the expected domain; only the form itself is deceptive. The ‘Continue’ button takes the user to another part of the phishing site.
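The three observations above (a lookalike domain in the address bar, a credential form served without HTTPS, and decorative links that point at the real brand while the form does not) can all be checked mechanically. The following is an added example, not Barracuda’s code: it scans a login page’s HTML and URL against the brand domain it imitates. The page HTML is constructed; netflixus.com is the domain named in the post, and the paths are placeholders.

```python
"""Added example, not code from the original post: checks on a phishing
landing page like the one above. The page HTML is constructed; netflixus.com
is the domain named in the post, everything else is a placeholder."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "http://www.netflixus.com/Login"
PAGE_HTML = """<html><body>
<a href="http://www.netflix.com/Help">Help</a> <a href="http://www.netflix.com/Privacy">Privacy</a>
<form action="/Login/Continue" method="post">
 <input name="email"><input name="password" type="password"><input type="submit" value="Continue">
</form>
<a href="http://www.netflix.com/Terms">Terms</a>
</body></html>"""


class PageScan(HTMLParser):
    """Collect outbound links and forms, noting forms that ask for secrets."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "sensitive": False}
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or re.search(r"pass|card|cvv|ssn", name):
                self._form["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def registrable(host):
    """Last two labels; enough for the comparison here (no Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike(host, brand_domain):
    """Host embeds the brand's name but is not the brand's registrable domain."""
    brand = brand_domain.split(".")[0]
    return brand in host.lower() and registrable(host) != registrable(brand_domain)


def assess(page_url, html, brand_domain):
    """Findings for one page; [] means none of the three checks fired."""
    scan = PageScan()
    scan.feed(html)
    host = urlparse(page_url).hostname or ""
    findings = []
    if lookalike(host, brand_domain):
        findings.append(f"lookalike domain {host}")
    for form in scan.forms:
        if not form["sensitive"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append(f"credential form posts over {target.scheme}")
        if registrable(target.hostname or "") != registrable(brand_domain):
            findings.append(f"credential form posts to {target.hostname}")
    brand_links = sum(registrable(urlparse(l).hostname or host) == registrable(brand_domain)
                      for l in scan.links)
    if (scan.links and brand_links == len(scan.links)
            and any(f["sensitive"] for f in scan.forms)
            and registrable(host) != registrable(brand_domain)):
        findings.append("decorative links go to the brand, the form does not")
    return findings
```

The last check is the one the post singles out: every hoverable link looks right, and only the form, which nobody hovers over, goes elsewhere. It is the form’s action, not the surrounding links, that decides where a password ends up.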

As part of this experiment, we signed in with a fake username and password:



Once signed in, there is a landslide of warnings. The first is that the user is immediately asked for credit card information:

This page is very well designed, right down to an image of the back of a credit card to help identify the security code.    Netflixus.com still displays in the address bar, and although credit card information is being requested, the HTTPS protocol is not being used.

We responded with a dummy credit card number as indicated below:

Once that happens the site obligingly sends the user’s browser to the real netflix.com home page:

This final step exists to make the user feel comfortable with the just-completed transaction.

This attack serves as a great reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of those requesting that they click on links to enter credit card information, passwords and so forth. There are several tell-tale signs to check legitimacy, many of which we have outlined above.

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.


The Wireless Router Insecurity You Might be Overlooking

Tuesday, June 15th, 2010

By Barracuda Labs

Many savvy computer users have experience setting up a wireless access point in their home or office. It’s not that hard, really. Change the SSID, change the password, and perhaps change the channel. Set the IP and you’re good to go.

But if that’s all you’ve done, you could be leaving open an attack vector that malware authors have been targeting for years. They’re still targeting it today.

Many routers, including those that are part of wireless access points, implement the Universal Plug and Play (UPnP) interface. This interface allows programs running on computers connected to the router to control the router.  No authentication is necessary. The bad news is that this makes it easy for malware to change router settings.

While scanning for malware, we found this bogus forum post pretending to be a video recipe for Yankee Pot Roast. Looking a bit closer, it revealed itself as TROJ_TDSS.AKA, a downloader that initially downloads a fake antivirus but, as demonstrated below, also tries to open a port in the gateway, leaving your computer and personal information exposed.

Malware automatically opening a port in the gateway is significant because most router users, particularly most home wireless access point users, assume a few simple security steps are all they need – enable WEP or WPA (WEP itself has been broken for years and should not be counted as protection), set a strong password and you’re good (enough) to go. The UPnP weakness is not widely known outside technical circles, even though it is still being exploited – and by Conficker no less.  And despite having been public for quite a while now (see the ZDNet article at http://www.zdnet.com/blog/soho-networking/wi-fi-routers-vulnerable-to-upnp-attack-from-hackers/120), it’s still alive and incredibly widespread. In fact, Google gives approximately 1,870,000 results for sites linking to the primary attack site, hxxp://vixensandschoolgirls.com.

Users should check whether their routers allow a more locked-down configuration. For example, it is recommended to disable UPnP, and to use static addressing instead of DHCP so that a device that gets past your Wi-Fi security is not automatically handed an address on your network.

Further, this once again reiterates the importance of knowing the source of information online, and to not click on links from unknown sources.

Screenshots of the attack follow for reference.

1)  Clicking on this ‘video’ brings up another window displaying a video prompt.

2) At this point, the astute user might wonder why the Yankee Pot Roast recipe is being offered up by hxxp://vixensandschoolgirls.com, but then the standard Windows warning message appears.

3) Running the offered program doesn’t seem to do anything at first. After a long delay, a fake anti-malware program named Defense Center is downloaded and executed.

4) Meanwhile, behind the scenes, multiple attempts are made against the router, followed by this UPnP payload. The payload changes the firewall settings of the router to open a port for additional malicious traffic. Conficker uses this same internal UPnP attack against routers to open up ports for its peer-to-peer control mechanism. UPnP is used by some media-streaming, gaming and printer-discovery software, but in most cases it can be disabled with no ill effects.

5) The setting used on the Linksys router used in testing.
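The “UPnP payload” in step 4 is a SOAP AddPortMapping request to the router’s WANIPConnection service, sent from inside the LAN with no credentials. The following added example (not Barracuda’s code, and not a reproduction of the TDSS payload) builds such a request so you can see exactly what crosses the wire, then parses one back the way a LAN monitor would and flags mappings nobody approved. Nothing is sent; the router address, ports and client addresses are placeholders.

```python
"""Added example, not code from the original post: what a UPnP AddPortMapping
request looks like and how to recognise one in captured LAN traffic. Nothing
is sent; the request is built and then parsed back. Addresses are placeholders."""
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def build_add_port_mapping(router, ext_port, int_port, int_client, proto="TCP", desc="x"):
    """Return (headers, body) for the unauthenticated SOAP call that opens a port."""
    body = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_ENV}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:AddPortMapping xmlns:u="{WANIP}">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{int_client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""
    headers = {
        "Host": router,                     # e.g. 192.168.1.1:49152, the control URL's host
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#AddPortMapping"',
    }
    return headers, body


def parse_port_mapping(body):
    """Extract the mapping a captured request would create, or None if the
    body is some other UPnP action."""
    root = ET.fromstring(body)
    node = root.find(f".//{{{WANIP}}}AddPortMapping")
    if node is None:
        return None

    def text(tag):
        return (node.findtext(tag) or "").strip()

    return {
        "external_port": int(text("NewExternalPort")),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "protocol": text("NewProtocol"),
        "lease": int(text("NewLeaseDuration") or 0),
    }


def is_suspicious(mapping, approved_clients=()):
    """Reasons to alert: exposes a LAN host nobody approved, never expires,
    or lands on a well-known port."""
    reasons = []
    if mapping["internal_client"] not in approved_clients:
        reasons.append("unapproved internal client")
    if mapping["lease"] == 0:
        reasons.append("permanent lease")
    if mapping["external_port"] < 1024:
        reasons.append("well-known external port")
    return reasons
```

On the wire this is an HTTP POST to the router’s control URL carrying the SOAPAction header shown; a LAN sensor that matches on that header and runs the body through `parse_port_mapping` sees every hole a piece of malware punches, which is the visibility the post says most home users lack. Disabling UPnP on the router, as recommended above, makes the request fail outright.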


Online Safety: Tips to Protect Your Information

Monday, December 21st, 2009

Posted by: Barracuda Labs

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and applications that access the Internet (i.e. IM, music services, etc.) that are often used by hackers as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:
1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information they collect online is protected from those with malicious intent. Implementing a strong Web application firewall helps protect the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to ensure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumers’ wallets and bank accounts, and from stealing their identities.

If you look at the email, you will see that we have identified where the hyperlinks go: each one lands on a domain that Southwest actually controls. That is the test that matters. A URL that merely contains the word “southwest” somewhere, for example as a subdomain of an unrelated domain, proves nothing.
