Archive for the ‘Internet Security Tips’ Category

Google+ Gets a “+1” for Browser Security

Thursday, July 21st, 2011

by Ray Kelly, Manager of Client Side Technologies

 

Launching a new Web app today comes with a few certainties, and one of them is that you will be a target for attackers.  So when an app as large and as high profile as Google+ launches, it will surely be one of the top targets for malicious activity.  The same thing happened to Facebook as it grew, and it is still a favorite platform for malicious activity.  I did some analysis of the HTTP traffic between Google+ and the browser and found that Google is off to a good start in regards to browser security.  Below are several take-aways:

Only SSL!
All Google+ traffic is sent over SSL; plain HTTP is not even an option.  This protects users’ traffic from being sniffed on the wire and their sessions from being hijacked by anyone who can watch that traffic.  It is good to know that Google understands that sensitive information is being shared and that SSL is really the only acceptable way to transmit it.

Secure Headers
Here is what a typical response looks like from Google+:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

There are a few headers in this response that are specific to browser security, for example:

Set-Cookie Secure – This tells the browser to send the cookie only over a secure (SSL) connection.  If the browser ever requests a page from the site over plain HTTP, the cookie is not sent, so it cannot be captured by someone watching the network.

Set-Cookie HttpOnly – This prevents the cookie from being read by client-side script, so a cross-site scripting bug on the site cannot simply hand the session cookie to an attacker with document.cookie.

Together, these two attributes make the session cookie much harder to steal: Secure controls where the cookie travels, and HttpOnly controls what can read it.

X-Content-Type-Options: nosniff – This prevents MIME-sniffing attacks.  The header instructs the browser not to second-guess the Content-Type the server declared.  Some browsers try to be smart by deciding for themselves whether a response is really text/html or an image, which lets an attacker pass off an uploaded “image” as HTML or script.  With nosniff, if the server says the content is text/html, the browser renders it as text/html and nothing else.

X-Frame-Options: SAMEORIGIN – This tells the browser to render the page inside a frame only when the framing page comes from the same origin.  This prevents clickjacking attacks against the user.  Clickjacking is a browser-based attack that loads the target site in an invisible frame and tricks the user into clicking on one thing while actually performing a different action, such as following a user on Twitter.

X-XSS-Protection: 1; mode=block – This turns on the browser’s reflected cross-site scripting filter.  If the browser sees script in the response that was also present in the request, mode=block makes it refuse to render the page at all rather than try to strip the script out.  What you see instead is a blocking page whose exact wording depends on the browser.

What about Facebook?
While these protections are by no means ground-breaking or new, the fact that Google is thinking about and using them is a good step.  In contrast, let’s look at a typical Facebook response:

HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032

It is surprising that Facebook has not taken the same simple precautions that Google+ has.  Here are the differences side by side:

                   Secure cookie   nosniff   X-XSS-Protection   X-Frame-Options   HttpOnly cookie   SSL
Google+            Yes             Yes       Yes                SAMEORIGIN        Yes               Yes
Facebook           No              No        No                 DENY              Yes               Optional, not the default
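To make the comparison above repeatable, here is an added example (written for this edit, not code from the original post) that parses the two raw responses quoted above and reports the same protections the table lists.  The two responses are copied from the post verbatim; the function and key names are my own.  It also checks for one header the post does not discuss, Strict-Transport-Security, which is how a site tells the browser never to try plain HTTP again; neither quoted response carries it.

```python
# Added example (not from the original post): audit the browser-security
# headers in a raw HTTP response. The two responses below are copied from the
# post as quoted; the audit mirrors the post's comparison table and adds one
# check the post does not make (Strict-Transport-Security).

GOOGLE_PLUS_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 184942
Set-Cookie: ULS=somehash; Path=/; Secure; HttpOnly
Date: Fri, 15 Jul 2011 14:29:05 GMT
Expires: Fri, 15 Jul 2011 14:29:05 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
"""

FACEBOOK_RESPONSE = """\
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/x-javascript; charset=utf-8
Expires: Fri, 22 Jul 2011 14:46:37 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
Set-Cookie: _e_syaN_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.52.238.45
X-Cnection: close
Date: Fri, 15 Jul 2011 14:46:37 GMT
Content-Length: 24032
"""


def parse_headers(raw):
    """Header block of a raw response as {lower-cased name: [values]} (Set-Cookie may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cookie_attributes(set_cookie):
    """Attribute names (lower-cased) on one Set-Cookie value, e.g. {'path', 'secure', 'httponly'}."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]   # [0] is name=value
    return {p.split("=", 1)[0].strip().lower() for p in parts if p}


def audit(raw):
    """Findings for one response, keyed like the post's comparison table."""
    h = parse_headers(raw)
    cookies = h.get("set-cookie", [])
    return {
        # every cookie must carry the flag: one unprotected cookie is enough to leak a session
        "secure_cookie": bool(cookies) and all("secure" in cookie_attributes(c) for c in cookies),
        "httponly_cookie": bool(cookies) and all("httponly" in cookie_attributes(c) for c in cookies),
        "nosniff": "nosniff" in [v.lower() for v in h.get("x-content-type-options", [])],
        "xss_protection": any(v.lower().startswith("1") for v in h.get("x-xss-protection", [])),
        "x_frame_options": h.get("x-frame-options", ["missing"])[0].upper(),
        "hsts": "strict-transport-security" in h,   # not in the post's table; added check
    }


def report(label, findings):
    """One line per finding, for a quick side-by-side read."""
    return "\n".join(f"{label:9} {key:16} {value}" for key, value in findings.items())


if __name__ == "__main__":
    print(report("Google+", audit(GOOGLE_PLUS_RESPONSE)))
    print(report("Facebook", audit(FACEBOOK_RESPONSE)))
```

Feed `audit()` any captured response text (for example the output of `curl -si` against a site of your own) to repeat the check.  Both cookie checks deliberately require every Set-Cookie in the response to carry the flag, because a single unprotected session cookie is all an attacker needs.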

In fact, just yesterday Microsoft’s Vulnerability Research team released advisory MSVR11-007: “Clickjacking Vulnerability in Facebook.com Could Allow Account Compromise”.   According to the advisory, Facebook has resolved the issue.  I did another check of the headers and still did not see any change to the response.  It is possible that Facebook closed the hole on the server side with input validation in order to prevent the malicious data from entering their database, but they still did not implement the simple browser precautions that Google+ has.   Here is the link to the official MSVR advisory:
http://www.microsoft.com/technet/security/advisory/msvr11-007.mspx

The folks from SecTheory/WhiteHat Security have an excellent write-up on Clickjacking.  For detailed information on this vulnerability visit:
http://www.sectheory.com/clickjacking.htm

 

Conclusion
Unfortunately, not all of these headers are supported in all browsers; anyone still using IE6, for example, gets none of these protections.  What does this mean for you?  Make sure you are using an up-to-date browser to take full advantage of them.

Do these security measures make Google+ impervious to malicious activity?  Absolutely not.  Is it a good start?  Yes, it is.  Further, it is good to see an app make its debut with security in mind.  It gives us Infosec folks a bit of hope that developers are listening and doing the right thing.

Fake Google+ invites used to harvest Facebook profiles

Wednesday, July 13th, 2011

by David Michmerhuizen – Security Researcher

A common denominator of Facebook scams is that they offer you something you can’t resist.  Whether it be free Farmville coins, a ‘Dislike’ button, or just a girl in a short plaid skirt, if it’s desirable then you’ll eventually see it offered on Facebook as part of a scam.

And so it is with the latest must-have digital tchotchke, an invitation to the new social networking offering from Google, Google+.  Since Google’s new project is aimed squarely at Facebook you would hardly expect to see such invitations offered on Facebook, but that is where they are showing up.

Google Plus invite in Facebook news feed


Clicking on one of these news feed items brings up an actual Facebook application page.    These app pages are being taken down by Facebook and scammers are creating new ones, as seen here:

Facebook fake Google plus invite application


The reason for using an application for this scam is that applications can, if allowed, access otherwise private information from your Facebook profile.  That is just what this app does.  Clicking on any of these links takes you to a page where the application requests permission to access your Facebook data, and it really does ask for quite a bit.

Permissions request


This appears to be the entire point of this scam – email and account data harvesting.  The only other thing the application does is to spread to your friends.   First you are asked to ‘Like’ the app, which will cause it to appear in your friends’ news feeds.

"Like" step


Then, just in case items from you don’t appear in your friends’ news feeds, there is one more step: you are asked to explicitly send “invites” to your friends.

Fake "invite" step


Instead of actually sending invites, you’re sending Facebook requests that will appear in the notification queue of each friend you select.

Once you are past this point you wind up on the Google+ home page, and when you try to log in – surprise – you haven’t been invited.

 

As always, we at Barracuda Networks recommend that you approach any wall post that appears in your news feed with great caution.  If it seems too good to be true, double-check with the person whose name appears on the post.  Additionally, Barracuda Web Filters give IT departments the ability to selectively block Facebook within the organization.

Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers

 

Tax forum spam

 

The criminal gangs that distribute the password-stealing Trojan.Zeus have taken their spam campaigns in a frightening new direction.  Having already aimed their emails at credit card point-of-sale users and wire transfer users, their latest spam is crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What is worse is that the payload is not an attachment or a link to a download.  Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic-looking name and use the recipient’s own email address as the subject.

Tax Forum Spam


The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com  (warning: do not visit that domain in your Web browser!)

The job of these domains is to send JavaScript to your browser that accomplishes two things.  First, it displays a pop-up message saying that your browser cannot reach the site.

Fake alert

 

…which is not true.  The alert comes from the site itself, and its only purpose is to keep you from suspecting what comes next.

What comes next is that the JavaScript sends the browser off to another domain that hosts the Blackhole exploit kit.  The kit sends specially crafted content to the browser that tries to take advantage of unpatched weaknesses in browser plugins such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic


Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit means that Zeus is installed without any further user interaction, provided one of the plugins it targets is unpatched.  Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Huge amounts of Federal Reserve spam delivering Zeus password stealer

Tuesday, June 21st, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam


Much like last week’s Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning


While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  (The trick works because Windows hides known file extensions by default, so the file shows up as a .pdf in Explorer.)  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.  Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic


It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Spammers Offer iPhone 5, Deliver Malware

Monday, May 23rd, 2011

by Dave Michmerhuizen – Security Researcher

 

The iPhone 5 isn’t due to be released until fall, or even Christmas, but the spam honeypots at Barracuda Labs are already detecting malicious messages targeting anxious Apple acolytes.

Fake Phone


The image of a beautiful see-through phone is actually a concept photo that is over two years old.

All of the links in the email lead to a copy of Trojan.Zapchast, an IRC-controlled backdoor.

Fake iPhone spam


Naturally, the apple.com From: address is spoofed.

If you do click on one of the links and run the offered executable, another old iPhone concept photo is displayed in order to distract you from the installation of the backdoor.

Photo distracts you from backdoor installation


 

In this case, if you’re curious about iPhone products, visit the Apple iPhone pages at http://www.apple.com/iphone. And never click on links in emails, especially from unknown sources.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Facebook Videos Now Leading to Fake YouTube CAPTCHAs

Tuesday, May 17th, 2011

by David Michmerhuizen – Security Researcher

Facebook survey scams continue to mutate, and the latest development is pretty sneaky.  Scammers have built an offsite page that displays a very convincing, and completely fake, YouTube CAPTCHA screen.  Like the fake video pages we have written about before, this fake CAPTCHA page uses the Facebook Open Graph API to spread to your friends’ walls and then serves up several survey links.

It starts with something unremarkable, a video link on a friend’s wall:

Video post on friends wall


The “Dad walks in on daughter” is very familiar to those of us who monitor Facebook scams on a daily basis.  In previous incarnations it would lead to a fake video preview page.  Instead, today it leads to this:

Fake CAPTCHA page


which looks enough like a real CAPTCHA to fool many people.  Pressing the ‘submit’ button executes code that posts the malicious video link to all of your friends’ walls.  Once that is done, the user is sent to some scammy surveys:

Surveys


Barracuda Networks recommends users take particular care when on Facebook.  If friends post links, make sure you trust the destination domain before following the link.  Barracuda Web Filters also allow the selective blocking of Facebook within the organization.


Paypal account statement emails: Do as we say, not as we do.

Thursday, April 28th, 2011

by Dave Michmerhuizen and Denis Kieft – security researchers

Barracuda Labs researchers have recently seen emails from PayPal Inc. that initially seem to be phish but ultimately appear to be a security fail by a company that surely should know better.

It is a well-accepted email security best practice never to click on links in emails.  Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on links in emails.  As you would expect, PayPal does so on its website.

Warning on PayPal website


 

Consider that warning and then take a look at this email from PayPal, sent via servers at responsys.net, a software service that lets marketers manage email campaigns…

PayPal "enhanced account statement" email


The email contains ELEVEN hyperlinks, all pointing to an email response servlet which records your click and then redirects the browser to the PayPal login screen.  “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails.  Although PayPal has declined to comment on the email, close examination shows no malicious content.  Instead, this appears to be a case of a Marketing department in need of a little security education.

It’s unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years.  An email from a bank or online service should be considered suspect by default.   PayPal’s own advice is the safest advice, always open your web browser and type in the URL you intend to visit – never click on a link embedded in an email.

Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue.  Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective.  When PayPal sends out its own emails containing links, it confounds customers who have long been told not to click on those very links.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.

Anatomy of a SQL Injection Attack

Tuesday, April 26th, 2011

Posted by: Oliver Wai, product marketing manager

As you probably heard from our previous blog post, Barracuda Networks suffered a breach from a SQL injection attack on the weekend of April 8.  While the overall impact of the breach turned out to be relatively minor (only contact records: names and email addresses), such an event always calls for a post-mortem.  As is often the case with data breaches or data center outages, there is never one single error that leads to the outage or attack, but rather a series of interrelated errors that ultimately results in a failure or vulnerability that can be exploited.  Taken individually, each event is usually accounted for by the organization and there are redundancies in place to handle it.  Taken together, however, the unexpected, in this case an attack on our site, occurs.  In analyzing the attack, we observed:

  • In the rush to continually add timely and fresh content to the corporate Web site, a few mistakes were made in the PHP code.
  • Code vulnerability scanning of the affected part of the Web site was scheduled but had not yet occurred.
  • The Web Application Firewall that was put in place to harden the Web site was put into Passive Mode by human error during a maintenance window.

So while there were redundancies in place to secure our Web site, an unfortunate confluence of events last weekend left a vulnerability in our Web site exposed; this resulted in the SQL injection attack by a group we believe to be originating in Malaysia. The upside? Since the Barracuda Web Application Firewall was still inspecting traffic even in Passive Mode, it gave us a detailed audit trail of the SQL Injection probe and the subsequent attack. This gave us the necessary forensics to quickly analyze the breach, contain the damage and reach out to those affected.

Analyzing the Attack

From our Barracuda Web Application Firewall logs we determined that there were two clients used to probe and attack the barracudanetworks.com Web site:

 

Using the information reported by the Barracuda Web Application Firewall, we were able to quickly filter and find the corresponding entries on our Web server logs:

( NOTE: the Web server logs use Greenwich Mean Time (GMT) whereas the Web Application Firewall uses Pacific Daylight Time (PDT) zone)

Drilling down into details of each entry on the Barracuda Web Application Firewall logs gives us clues on the attackers and the tools used in the attack:

The first attack started at 5:07pm PDT on April 9 and had an IP address of 115.134.249.15 which resolved to somewhere near Kuala Lumpur, Malaysia. This confirms online reports of the hacks originating from Malaysia. We also noticed that the attackers launched the attacks using a modified version of a pentest tool designed by “white hats” to probe Web sites for SQL injection vulnerabilities. This also seems to corroborate reports that the hackers responsible for the attacks hung out on “white hat” online communities. Looking at our Web server logs, we also see the same entries, enabling us to trace down what was attempted and what succeeded on our backend systems.

(NOTE: the Web server logs use GMT whereas the Web Application Firewall uses PDT)

From the recorded logs, it was clear that the first attacker used the automated tool to recursively crawl through the barracudanetworks.com Web site and blindly injected a series of SQL commands against each input parameter to find potential vulnerabilities. The SQL Injection tool finds the first vulnerability at 5:16pm PDT but continues to probe the Web site. At 8:10pm PDT a second client using the IP address of 87.106.220.57 joined the attack. The second IP address resolved to a server in Germany but it is unclear at this time if the server was a relay point or if it was a second attacker. Nevertheless, activities from the second IP were recorded and logged by the Barracuda Web Application Firewall:

Below is the screenshot of the corresponding Web server log:

(NOTE: the Web server logs use GMT whereas the Web Application Firewall uses PDT)

From the logs captured in the Barracuda Web Application Firewall, it appears that the attacker used the second client to launch manual attacks against discovered vulnerabilities while the primary attack script continued to scan the Web site for more.  Ultimately, the attackers focused their efforts on a single weak point in a peripheral Web page where the input parameter was not properly validated.  Here is the pseudo-code of the underlying vulnerability:

<?=Foo_Function( $_GET['parameter'] )?> //Takes user input

By not validating the input value, the code gave the attackers the ability to inject SQL commands through the HTTP request parameter and attack the underlying database.

All developers are taught never to trust user input and that all input must be validated before it is passed to underlying systems.  However, as this example shows, it is often not obvious to the naked eye that there is anything wrong with the code.  This is why, in addition to defensive coding, Barracuda Networks also uses code scanners and our own Web Application Firewall to guard against possible vulnerabilities.  Unfortunately, in a Web site of tens of thousands of lines of code, all it takes is a single mistake.  We have since fixed the code on the affected page by adding a single line that checks the input before it is used:

$parameter = @is_sanitized($_GET['parameter']) ? $_GET['parameter'] : 0;  // is_sanitized() stands in for the page's validation check; fall back to 0 if it fails

<?=Foo_Function($parameter)?>
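The pseudo-code above only says that the parameter must be checked; it does not show what the injection actually achieves or why a validation check on its own is a thin defence.  The following is an added example for this edit, not the page’s code and not PHP: it rebuilds the same defect with Python and an in-memory sqlite3 table shaped like the marketing contact list the post describes (constructed sample rows), runs the two payload types the post mentions (schema first, then records) through the vulnerable query, and shows both the allow-list check the page’s `is_sanitized()` implies and the parameterised query that is the more robust fix.  All function names, the table, and the `COMPANY_RE` pattern are my assumptions.

```python
# Added example (not the page's code): the page's PHP defect rebuilt as a
# runnable Python/sqlite3 stand-in, next to an allow-list check (standing in
# for the page's is_sanitized()) and the parameterised query that fixes it.
# The table and its rows are constructed sample data.
import re
import sqlite3


def build_db():
    """Constructed sample data: an in-memory contacts table like a marketing list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, company TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        ("Alice Example", "alice@example.com", "Acme"),
        ("Bob Example", "bob@example.org", "Globex"),
        ("Carol Example", "carol@example.net", "Initech"),
    ])
    return conn


def contacts_vulnerable(conn, company):
    """VULNERABLE: the request parameter is pasted into the SQL text,
    the same mistake as Foo_Function($_GET['parameter']) on the page."""
    query = "SELECT name, email FROM contacts WHERE company = '%s'" % company
    return conn.execute(query).fetchall()


def contacts_safe(conn, company):
    """FIXED: the value is bound as a parameter, so it can never become SQL."""
    query = "SELECT name, email FROM contacts WHERE company = ?"
    return conn.execute(query, (company,)).fetchall()


# Allow-list check standing in for the page's is_sanitized(): accept only the
# characters a company name plausibly contains. No quote, no '=' and no ';'.
# It is a useful second layer, but note it also rejects legitimate names such
# as O'Reilly, which is why parameterised queries are the primary fix.
COMPANY_RE = re.compile(r"[A-Za-z0-9 .&-]{1,64}")


def is_sanitized(value):
    """True if the value matches the allow-list, False otherwise."""
    return COMPANY_RE.fullmatch(value) is not None


# Two payloads in the order the post describes: learn the schema, then pull rows.
# sqlite_master is SQLite's catalogue table (information_schema in MySQL).
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"
DUMP_PAYLOAD = "' OR '1'='1"


def attack_demo(conn):
    """Run both payloads through the vulnerable function and return what leaks."""
    schema = contacts_vulnerable(conn, SCHEMA_PAYLOAD)   # (table name, CREATE statement)
    rows = contacts_vulnerable(conn, DUMP_PAYLOAD)       # every row in the table
    return schema, rows


if __name__ == "__main__":
    db = build_db()
    schema, rows = attack_demo(db)
    print("schema leaked:", schema)
    print("rows leaked:", len(rows))
    print("same payload, parameterised query:", contacts_safe(db, DUMP_PAYLOAD))
    print("allow-list verdict on payload:", is_sanitized(DUMP_PAYLOAD))
```

The parameterised query returns nothing for either payload because the whole string is compared as a company name; the allow-list rejects both as well, but only because it forbids the quote character, which is exactly the kind of rule that breaks the first time a real customer name contains one.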

From Vulnerability to Breach

Once the attackers found the vulnerable page, they attempted to steal the database user accounts. Over the next 10 hours, they tried a number of different attacks in an attempt to break into the underlying database but failed each time. At 3:06am PDT, the attackers changed strategy to focus on the underlying database schema. This proved to be a correct strategy and by 3:19am PDT the first set of database records containing contact email addresses was stolen.

Barracuda Networks discovered the breach at 10:30am PDT and the Barracuda Web Application Firewall was re-enabled to Active Mode at 10:39am PDT. Once in place, the Barracuda Web Application Firewall immediately blocked all subsequent attacks from the 115.134.249.15 IP address. The attacker continued to cycle through attacks against the remaining pages for the next few hours, even when the Barracuda Web Application Firewall blocked all of the attacks. This seems to confirm that an automated pentest tool was used to blindly inject SQL commands. In all, a total of 110,892 SQL injection commands from both attacking IP addresses were sent against 175 URLS at a rate of 42 per minute.
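The log correlation described earlier (matching WAF entries to Web server entries across the GMT/PDT difference) and the per-source statistics in the paragraph above are the kind of triage that is easy to script.  Here is an added example, written for this edit and not code from the original post or the Barracuda product, that does it over constructed Apache combined-format log lines: it pulls out requests whose decoded query string looks like an injection probe, groups them by source IP, counts the distinct URLs hit and the rate per minute, and converts the log’s GMT timestamps to PDT so they line up with a WAF that logs in PDT.  The two IP addresses are the ones the post names; the paths, payloads and exact timestamps are invented, chosen only so that the first probes fall at the 5:07pm and 8:10pm PDT start times the post gives.  The `SQLI_RE` pattern is a deliberately narrow assumption, not a complete signature set.

```python
# Added example (not the page's code): triage a Web server access log for SQL
# injection probes - flag injected requests, group by source IP, count distinct
# URLs and the request rate, and show the GMT timestamps in the WAF's PDT zone.
# SAMPLE_LOG is constructed: the IPs are the two the post names, everything
# else (paths, payloads, exact times) is invented for the demonstration.
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus, urlsplit

SAMPLE_LOG = """\
115.134.249.15 - - [10/Apr/2011:00:07:12 +0000] "GET /products/detail.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
115.134.249.15 - - [10/Apr/2011:00:07:13 +0000] "GET /products/detail.php?id=12%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
115.134.249.15 - - [10/Apr/2011:00:07:14 +0000] "GET /products/detail.php?id=12%27+AND+1%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
115.134.249.15 - - [10/Apr/2011:00:07:15 +0000] "GET /news/item.php?id=3+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Apr/2011:00:07:20 +0000] "GET /products/detail.php?id=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
87.106.220.57 - - [10/Apr/2011:03:10:05 +0000] "GET /news/item.php?id=3%27+UNION+SELECT+table_name%2C2%2C3+FROM+information_schema.tables-- HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Signs of injection in a URL-decoded query string. Narrow on purpose; tune per application.
SQLI_RE = re.compile(
    r"'|--|\bunion\b[^;]*\bselect\b|\bor\b\s+\S+\s*=\s*\S+|information_schema|sqlite_master|sleep\s*\(",
    re.IGNORECASE,
)

PDT = timezone(timedelta(hours=-7))   # the WAF's zone in the post; the Web server logs in GMT


def parse_line(line):
    """(ip, aware UTC datetime, path, decoded query, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    return m["ip"], ts, parts.path, unquote_plus(parts.query), int(m["status"])


def is_injection(decoded_query):
    """True if the decoded query string contains an injection marker."""
    return SQLI_RE.search(decoded_query) is not None


def to_waf_time(ts_utc):
    """Format a GMT log timestamp in the WAF's PDT zone for side-by-side comparison."""
    return ts_utc.astimezone(PDT).strftime("%Y-%m-%d %H:%M:%S")


def analyze(log_text):
    """Per source IP: injected-request count, distinct URLs, first/last time in PDT, rate/min."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, query, _status = rec
        if not is_injection(query):
            continue
        h = hits.setdefault(ip, {"count": 0, "urls": set(), "first": ts, "last": ts})
        h["count"] += 1
        h["urls"].add(path)
        h["first"], h["last"] = min(h["first"], ts), max(h["last"], ts)
    for h in hits.values():
        span_min = max((h["last"] - h["first"]).total_seconds() / 60, 1.0)  # at least a 1-minute window
        h["per_minute"] = round(h["count"] / span_min, 1)
        h["first_pdt"], h["last_pdt"] = to_waf_time(h["first"]), to_waf_time(h["last"])
    return hits


if __name__ == "__main__":
    for ip, h in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} injected requests against {len(h['urls'])} URLs, "
              f"{h['per_minute']}/min, first seen {h['first_pdt']} PDT")
```

Two things worth noticing when you run it: the harmless `id=13` request from the third address and a query such as `q=color` do not trip the pattern (the `\bor\b` boundary matters), and a 500 status on the first quoted probe is itself a useful signal that the parameter reached the database unescaped, even before any data leaves.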

In tracing the Web Firewall and Access logs on the Barracuda Web Application Firewall, we determined that the attackers compromised a Marketing database and stole two sets of records containing a total of 21,861 names and emails. However since there were a number of duplicates between the two sets and the fact that many of the entries were from users who are no longer with the original organizations, the number of affected users is substantially lower.

Any breach is a serious issue and we have reached out to the affected users documenting what has happened and any precautions they may need to take in response.  We believe that the users affected by the breach are at minimal risk.  We do not store any sensitive information in our Marketing database other than names and email addresses.  Moreover, since Barracuda Networks primarily uses this data to send emails on upcoming events, Webinars, or other corporate news, the risk of spear-phishing is low, as all of these communications are one-directional and informational in nature.  Finally, since most of the users are existing Barracuda Spam & Virus Firewall customers, the vast majority of potential spam would likely be blocked regardless.

Conclusion

In hindsight, it is clear the Barracuda Web Application Firewall would have been able to detect and protect our Web site from the SQL injection attack that occurred.  However, the reality of the situation is that with most breaches the weak link is typically not the technology itself but rather the human element and the processes associated with security.  Unfortunately, attackers today have more sophisticated tools at their disposal to find victims.  They can now automate the tedious task of finding vulnerabilities and focus solely on the “last mile” once a vulnerability is detected.  What this means for the rest of us is that attacks will likely become more common and affect a much wider range of organizations.

The silver lining to this experience was that it helped us to demonstrate the effectiveness of the Barracuda Web Application Firewall in providing the necessary protection and auditing capabilities to defend against SQL injection attacks. The Barracuda Web Application Firewall was able to identify the SQL injection attack and would have blocked the attack if had it been placed in Active Mode. Nevertheless even in Passive Mode, the Barracuda Web Application Firewall was able to gather detailed forensic information that we used to investigate, contain and audit the affected systems. Using this data, we were able to quickly identify how the attacks occurred, what was breached and who we needed to reach out to after the incident.

While we have definitely advised customers on the risks of not securing their Web applications and we certainly have heard the worst-case scenarios from our customers as a vendor, we did not imagine that we would find ourselves having first-hand experience with such a scenario. We learned some valuable lessons in this situation and we hope that our story serves as evidence of how important it is to harden and secure your Web applications.


Why Facebook proxies are a bad idea

Monday, April 25th, 2011

by Dave Michmerhuizen,  Security Researcher

Facebook is immensely successful.  It is estimated that nearly 40% of the population of the United States has a Facebook account and that more people visit Facebook than visit Google.

However, many organizations consider Facebook to be both a distraction and a security risk.  While it has been very common for Web filtering solutions to block all access to Facebook, many organizations are realizing the need to safely allow access, at least to some degree.

As you might expect, enthusiastic Facebook users aren’t very happy with being kept from their favorite website, even during work or school hours.   Some of the more popular searches on Google are for “access facebook” and “unblock facebook.”  These searches return lists of Facebook proxy sites.

Proxy software serves as an intermediary for internet traffic.  To use a proxy to ‘unblock’ Facebook, users direct their web browsers to send requests to the proxy.  The proxy performs the request and sends the results back to the web browser.   Since the users do not deal directly with Facebook, blocking Facebook has no effect.

The sites that are returned by searching for “unblock Facebook” usually wrap proxy software with a Facebook-specific web user interface, offering themselves as web proxies so that frustrated Facebook users can sneak around the firewall and make that all important status post.

Here’s an example, the home page of accessexists.com:

accessexists.com - a Facebook proxy site


The links work fairly well, allowing you to log in to Facebook and use most functions seamlessly.

The problem with using one of these so-called Facebook proxy sites is that you don’t know who’s running it, where they are located, or what might be done with your user name and password.  Consider what network traffic gets sent in the clear when you use the proxy to log on to Facebook.

Network traffic to accessexists.com


In this case our username and password are part of a POST transaction that is sent.   Where is it being sent?    WHOIS shows us that accessexists.com is owned by someone named Vladimir in Russia.

accessexists.com whois record


Vladimir is saving usernames and passwords, because after a day or so they get around to asking for money.

An unsophisticated user might see this as an immediate solution to an unfair problem, but it carries a great deal of risk. Valid Facebook usernames and passwords are sold to scammers on underground markets for a variety of purposes.  One of the most common ones is simply sending spam messages to everyone on your friends list.   Another is to use your account to carry out a variant of the Grandmother scam.

Trusting your Facebook username and password to an unknown third party is simply not worth the headaches it can cause.

 

Barracuda Networks customers using Barracuda Web Filters can restrict access to Facebook within the organization and can also block access to web proxy sites.

IRS spam arrives just in time for April 18 tax deadline

Monday, April 18th, 2011

by Dave Michmerhuizen & Luis Chapetti – security researchers

Just in time for the U.S. tax filing deadline, the Barracuda Labs spam honeypots have detected a surge in spam intended to scare harried tax filers into letting down their guard.

Tax time is stressful and many of us are sifting through piles of forms and receipts.  It can be difficult to remember to be skeptical of that official-looking email that appears to be from the Internal Revenue Service.  Yet skeptical is what you should be, because the IRS is a favorite target for spammers and phishers to impersonate.  Let’s look at three samples.


The first spam is from a phishing campaign that has been active since at least 2008.  Aimed primarily at immigrants, it presents a dense thicket of poorly written gobbledygook stating that the recipient is not subject to taxes on certain unspecified interest.

Fake non-resident exemption


A PDF of form W-4100B2 is attached and you are encouraged to fill it out and fax it to a number provided in the email.  The form asks for practically every piece of sensitive financial information an identity thief could want, including Social Security numbers, debit and credit card numbers with codes and even passport numbers.

However, the fact is that there is no IRS form W-4100B2. The IRS has specifically stated that they “do not request detailed personal information through email.”    Messages like this should be ignored.


The second spam has been used for phishing in the past, but in this year’s incarnation it carries a nasty payload.

"Rejected EFTPS" spam


The salutation of “Hello Dear” isn’t very convincing coming from the IRS.  Still, the basic message that an electronic tax payment might be rejected could be enough to cause a harried office worker to open the attachment.  That would be a big mistake: although clicking on the attachment does not appear to do anything, it actually installs Trojan.Zeus in the background.  This Trojan horse runs silently, steals usernames and passwords and, in this case, sends them to a command and control server in Asia.


The last sample is from a campaign that is noteworthy for how carefully it is targeted at specific individuals.  Usually spam campaigns are scattershot affairs that send out large numbers of emails addressed to “Dear Sir / Madam”, as our first example showed.  This “rule change notification” was seen using individual email addresses of real people, addressing them by their real name and company name.

Targeted "Rules Change" spam


Instead of new tax rules, the attached .zip file contains a Trojan.Downloader which installs a variety of other malware.

Again, the IRS has stated that it “does not initiate taxpayer communications through email,” and “does not request detailed personal information through email.”  If a taxpayer has questions about emails such as these they should check with the IRS using contact information found in their local phone directory or www.irs.gov.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails.  The Barracuda Web Filter and the Barracuda Web Filtering Service block the traffic involved in the attacks.