Posts Tagged ‘ID Theft’

Spam targeting tax professionals automatically installs malware

Wednesday, June 29th, 2011

by David Michmerhuizen & Luis Chapetti – security researchers

 

Tax forum spam

 

The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction.  Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication.  What’s even worse is that their payload isn’t an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer’s software and automatically installs the Zeus password stealer.

The messages don’t give you much to be suspicious about at first.  They come from a generic looking name and use the email-id of the recipient as the subject.

Tax Forum Spam

Tax Forum Spam

The text itself is very well written, as well it should be.  It is an almost exact cut and paste of an IRS announcement from 2004.  To be precise,  IR-2004-67.

The item to examine closely is the link embedded near the bottom of the message.  Although it says irs.gov, this link actually points to a set of malicious domains with vaguely official sounding names.  In this case it’s irsgovnews.com  (warning: do not visit that domain in your Web browser!)

The job of these domains is to send Javascript to your browser to accomplish two things.  First it displays a pop-up message saying that your browser cannot reach the site.

Fake alert

 

…which is not true.  The alert comes from the site itself!  This is to keep you from suspecting what comes next.

What comes next is that the Javascript directs the browser off to another domain that hosts the Blackhole exploit kit.  This kit sends specially crafted messages to the browser that try to take advantage of unpatched weaknesses in browser helpers such as Java or Windows Media Player.

If any weakness is found then Zeus is downloaded and installed automatically behind the scenes.

Exploit and Zeus network traffic

Exploit and Zeus network traffic

Previous spam efforts required you to click “Run” in order to install the malware payload.  The use of an exploit kit in this case means that Zeus is installed without user interaction.   Once you click the link in the email, it’s game over.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Tags: , , , , ,
Posted in Email Security, Internet Security Tips, phishing, Security, Spam | No Comments »

Huge amounts of Federal Reserve spam delivering Zeus password stealer

Tuesday, June 21st, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Our spam monitoring systems at Barracuda Labs are following a very large spam campaign carrying Trojan.Zeus.   The spam amounts are approaching many hundreds of thousands a day and although they are being delivered to a wide cross-section of Internet users, the content of the spams is aimed at users of online banking services.

When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan.  Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies.  Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers.   One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.

The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:

Fake wire transfer spam

Fake wire transfer spam

Much like last weeks Chase Paymentech spam campaign, these notices are of particular interest to financial professionals.  Unlike the more sophisticated Chase emails, these are a simple affair with poorly constructed text and no attempt at hiding the executable nature of the linked payload.

Still, there’s the possibility that a busy executive might just skim the spam and click on the attachment, resulting in a Windows security warning:

Windows security warning

Windows security warning

While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF.  This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program.   Don’t run it.

If you do, you’ve installed Zeus:

Zeus network traffic

Zeus network traffic

It will run quietly in the background, intercepting browser traffic, watching for credentials and sending any it finds off to its command and control server.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

 

Share

Tags: , , , , , ,
Posted in Email Security, ID Theft, Internet Security Tips, phishing, Security, Spam | No Comments »

Fake Chase Bank invite delivers password stealer

Friday, June 17th, 2011

by David Michmerhuizen & Luis Chapetti – Security Researchers

Chase Paymentech logo

The spam monitoring systems at Barracuda Labs have uncovered an especially objectionable spam campaign that poses as a sign-up email from the Chase Bank credit card processing service Chase Paymentech.

We see lots and lots of spam at Barracuda Labs.  Even if the sender isn’t suspect, it is still generally easy to spot either because of the subject matter or flaws in the content.

What makes this spam dangerous is a combination of convincing content and deceptive payload.  Examining this spam highlights the risk that comes with assuming one can always judge spam by its appearance alone.

These spams are particularly well done.  The only suspicious element is that the From: address is not Chase bank, an unusual failure given how easy it is to fake the From: field in an email.

Chase Paymentech spam
Fake Chase Paymentech email

The email invites you to activate a credit card payment account and tells you that your first step is to find your merchant ID and user ID in the attached Microsoft Word document.   That Word document is what indirectly delivers the malware payload.

Vulnerabilities in Microsoft Word have mostly been patched or mitigated, and it’s been years since Word document attachments were something most users had to worry about. While users have become more suspicious of programs that must be downloaded and run, they’re more likely to open a document which is “just something you read.”

Unfortunately, malware distributors have recently discovered that common vulnerabilities in Adobe’s Flash player can be exploited by embedding the malicious Flash file into a Word document.  This takes users who aren’t likely to suspect a Word document of malicious intent and puts them at risk if they open it.

That’s what happens here.  If you open the attached merchant_info.doc, you can’t see the Flash control embedded in the document.  You really don’t see much of anything for the minute or two that it takes the Flash code to download and install malware on your Windows computer.

Word document
Word document

Once the infection is accomplished, this Word document closes and you’re back to staring at the email and wondering what went wrong.   Meanwhile your computer is running Trojan.Zeus in the background.

Trojan.Zeus network traffic
Trojan.Zeus network traffic

Zeus quietly monitors your Internet traffic looking for username and password data.  It saves them and periodically sends them off to control servers elsewhere on the Internet.

The content of this spam is of particular interest to financial professionals, making the installation of a password stealer that much worse.  Trojan.Zeus has been implicated in many instances of online theft from small business accounts, especially since small business banking involves higher dollar amounts and does not carry the same level of theft protection as consumer accounts do.

The Adobe vulnerabilities that allow this to succeed have been used in a number of recent email attacks.  We strongly recommend you upgrade all of your Flash installations by visiting http://get.adobe.com/flashplayer.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.

Share

Tags: , , , , ,
Posted in Email Security, ID Theft, phishing, Security, Spam | No Comments »

Gawker Compromise, Password Lessons

Tuesday, December 14th, 2010

by Daniel Peck, Research Scientist

Today any news/blog site remotely technical most likely has a blurb about about the recent Gawker media compromise.  Most people are making a big deal out of the release of the password files, but honestly, there’s not a lot to that part.  These were clearly very low priority passwords for almost everyone using them. While there was probably some amount of password reuse between Gawker sites and the users’ email addresses, the overlap is still relatively small.

But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:

3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567

Additionally,

~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.

855 of the passwords contained one of George Carlin’s 7 Dirty Words.

930 contained Love.

And honestly, I’m a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.

The bigger story should be about how complete the compromise appears to be.  All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart.  Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven’t unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks.  All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.

So in light of recent events, now is as good of a time as any to share some good password advice:

1. Developers – Hash your passwords using salt.  It seems (though, I haven’t verified this yet) that this database was simply DESing the passwords without doing any sort of salt using a username/etc.  This is bad since it means that a simple rainbow table can be looked up, and that collisions are much easier to come by.

2.  Users – Don’t use easy-to-guess passwords (if your password is in the Gawker list, that’s bad.)   An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.”  Then take the first letter from each word, like so – “TqbFjotlD”.   Add in a number such as your age and you have a fairly strong password that’s still easy for you to recall.

3.  Users – Don’t share passwords between sites.  Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site.  For example, the above password root could be “TqbFjotlD32@GM”  for Gmail,  “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.

I’m sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.

Share

Tags: , , , ,
Posted in ID Theft, Internet Security Tips, Research, Security, Uncategorized, Web Security | No Comments »

HTML is Not Harmless – Email Security Update

Thursday, September 23rd, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is - plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and to even be careful with unusual looking email from sources that they do trust.  Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a webpage and that webpages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious of a threat as other attachment types.

On September 16, this particular campaign started with spams tied to current Google trending topics:

Attracting attention by latching on to the latest breaking news is a technique that attackers have been using for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot topic search results frequently are littered with links to hacked sites that serve up malicious JavaScript.  Now, the attackers are taking that a step further and not requiring the user to come to their hacked sites but rather simply emailing the same malicious JavaScript sites straight to an inbox.

These campaigns evolved slightly over the following days, with the subject lines changing from trend topics to more nonspecific email subjects that one might receive from a business associate:

With messages to match:

These emails are presented as something just innocent enough that a user might allow curiosity to overrule caution and click “open”.  However, once that happens, the HTMLs suddenly don’t seem so harmless.

The attachments include 100% obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavor of the moment. In some instances, that is fake pharmacy sites which are harmless:

In others, it may be fake codec sites which are harmless as long as the fake codec is not downloaded (note: a codec should never be downloaded in this manner):


And finally, some instances lead to fake anti-virus sites which can carry a variety of problems:

Consider the HTML behind the fake anti-virus site redirect:

The HTML that serves this redirect also contains an IFRAME element that attacks the browser and installs a backdoor, as seen below:

What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed.

After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files:

This is what the email attachment looks like when viewed with JavaScript disabled.   This inclusion strategy helps disguise the JavaScript from email scanners and reassure users whose email clients preview HTML content without evaluating JavaScript.

But there is malicious JavaScript inside, just waiting for the attachment to be opened in a browser:

In a browser, this displays the seemingly legitimate attachment very briefly and then blanks out the screen.  Once the screen is blank, the malicious code is busy exploiting the browser and downloading malware culminating in the installation of a Trojan from the Zeus family.

The absence of any significant visual feedback means the user typically has no idea what has just happened or that they have contracted one of the most dangerous pieces of malware on the Internet.  Zeus Trojans are a stealthy family of malware that steal online credentials, particularly those used for online banking.

So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless.

Barracuda Spam & Virus Firewalls block these emails, and Barracuda Web Filters and the Barracuda Web Filtering Service stop the malicious traffic.


Share

Tags: , , , , , , , ,
Posted in Email Security, ID Theft, phishing, Security | 7 Comments »

Phishing Spam Targets Netflix Users

Tuesday, September 14th, 2010

By Dave Michmerhuizen, Security Researcher

Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.

Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.

The email is simple enough and looks convincing:

Taking a deeper look, the recipient will noitice that the email was not sent to anyone by name.  Also, mousing over the link shows that it does not go to Netflix.com. Instead, it goes to a deceptively similar domain, netflixus.com. This could be easily confused by the recipient since it is so similar, and also could be perceived as a geographical notation (US).

Netflixus.com was registered on the same day that the phishing attack began, September 13:



Clicking on the “update” link sends the user to a login page that looks like what one would expect from Netflix:

One exception is the domain in the address bar: still netflixus.com.  Additionally, the protocol used is not HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so if the user mouses over this form it is extremely deceptive. The ‘Continue’ button takes the user to another part of the phishing site.

As part of this experiment, we signed in with a fake username and password:



Once signed in, there is a landslide of warnings. The first is that the user is immediately asked for credit card information:

This page is very well designed, right down to an image of the back of a credit card to help identify the security code.    Netflixus.com still displays in the address bar, and although credit card information is being requested, the HTTPS protocol is not being used.

We responded with a dummy credit card number as indicated below:

Once that happens the site obligingly sends the user’s browser to the real netflix.com home page:

This final step is one last step to make the user feel comfortable with the just completed transaction.

This attack serves as a great reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of those requesting the user to click on links to enter credit card information, passwords and so forth. There are several tell-all signs to check legitimacy, many of which we have outlined above.

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.

Share

Tags: , , , , , ,
Posted in Email Security, ID Theft, phishing, Security, Web Security | No Comments »

Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

 Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware  and Twitter use and crime rate.

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3.  Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following less than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

 

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

Share

Tags: , , , , , , ,
Posted in Uncategorized | 3 Comments »

Think You Want a New Social Security Number?

Friday, July 23rd, 2010

by Barracuda Labs

This week, we have seen a surge in the number of spams like the one below, promising a new Social Security Number (SSN) to victims of Identity Theft.

Most people would take one look at this spam and hit the delete button, but it is worth taking a moment to understand what’s being offered.

The scam behind the spam

If you are a citizen of the United States, your SSN is a de facto personal identification number.  With your name, your SSN and a few other bits of personal information, an identity thief can ruin your credit and turn your life into a nightmare.

Since a stolen SSN is at the center of the nightmare, this scam attempts to convince identity fraud victims that a new SSN will take care of their problems and that for a fee, the company – Get New SSN – will help.  Calling the number in the spam connects you to a slick sounding recording and then a human operator who takes your personal information.

What really happens is that the victim of these scams is given a Federal Employer Identification Number (FEIN), which looks just like a SSN but serves a completely different purpose.  The victim uses this FEIN as if it were a SSN without realizing that they are committing fraud.  What’s more, by using the FEIN in place of their real SSN, they are doing permanent harm to their Social Security record since income earned when using an FEIN is not eligible for Social Security reporting.

The Social Security Administration issues new numbers only in the event of severe identity theft, and even then only rarely, and all Social Security services are offered at no cost.

As you would expect of a scam, these spams contain no valid reply information.  Not only do the scammers send out email spam, they post spam to unprotected online forums as well.  This is done automatically by ‘bots’ which are indiscriminate in their targets.  Below is an example of the “New SSN” posted to a Japanese blog:

The email mentioned in these forum spams, getnewssn@gmx.com, is hosted at a free German email service. Not quite what one would expect from a company offering to help with an American government agency.

Barracuda Spam & Virus Firewalls block these spam messages.

Share

Tags: , , , ,
Posted in Uncategorized | No Comments »