Posts Tagged ‘Security’

Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down. The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal. In particular, it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

At first glance and a quick scan it could pass as your legitimate contract (of course, hopefully users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all: nothing displays. However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords. The captured traffic shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

Kanye’s First Week on Twitter: An Infographic Review pt. 2

Thursday, August 12th, 2010

By BarracudaLabs

In his first week on Twitter from July 28 to August 4, Kanye West sent 190 tweets. By the end of that first week, he reached 431,104 followers. We calculated the total amount of time that people spent reading @kanyewest tweets in one week. We estimated that each tweet took 3 seconds to read. We calculated how many people were following him at the time each tweet was sent. In total, 2,551,812 man minutes were spent reading @kanyewest tweets in one week. We then looked at what else could be done with that much time.

If one person had 2,551,812 minutes, here is what he could do:

Kanye’s First Week on Twitter: An Infographic Review

Tuesday, August 10th, 2010

By Barracuda Labs

For the past year, we have released analysis on user behavior and malicious activity on Twitter. Just last week, Barracuda Labs released our 2010 Midyear Security Report that focuses on The Dark Side of Twitter and Search Engine Malware. On the same day, Kanye West joined Twitter. In March we explored the effect of celebrities joining Twitter in what we called the Twitter Red Carpet Era. We showed that during that six-month period, more than half of the top 100 users joined Twitter, causing a spike in overall usage and a subsequent spike in the Twitter Crime Rate (the number of accounts created and later suspended by Twitter because of suspicious or malicious use).

Kanye joined Twitter with a splash. First of all, he visited the Twitter offices that morning, but what’s more interesting is the rate at which he attracted followers. Since we have access to this data and machines constantly analyzing it, we decided to have a little fun. This week, Barracuda Labs will present a series of infographics that illustrate Kanye’s first week on Twitter.

Today, we show the first view. The first question we wanted to answer was: what kind of people are attracted to follow Kanye? For example, do they follow other musicians or other types of people? We looked into several notable users to examine the overlap between Kanye’s followers and their followers.

BarracudaLabs.com - Kanye West Twitter Followers

Let’s review:

Taylor Swift: Taylor Swift and Kanye shared a moment on stage at last year’s MTV Awards when he interrupted her speech. He has since apologized to her and she accepted. Their followers seem to have followed suit, as a substantial number of people follow both Kanye West and Taylor Swift. In fact, 20% of Kanye’s followers also follow Taylor Swift. By the way, Taylor Swift joined Twitter 20 months ago during the Red Carpet Era and has since attracted 3.8 million followers.

Amber Rose: Amber Rose and Kanye West dated for several years, frequently an item at photo shoots and fashion shows. They recently moved on; however, their followers still appreciate both of them. In Kanye’s first week, more than half of Amber’s followers already follow Kanye. Further, Kanye has seven times more followers than Amber, who joined two months ago.

Power: Kanye’s new song is called “Power” but let’s compare him to the most powerful person on Earth: the President of the United States. Kanye was a vocal supporter of Obama during his campaign. More than 190,000 of Obama’s followers already follow Kanye, showing that over one-third of Kanye’s followers also follow the President.

Perhaps Kanye’s followers are into political leaders of all parties. How about Newt Gingrich? Less than 5,000 of Newt Gingrich’s followers have decided to follow Kanye. This means that less than 1% of Kanye’s followers also follow Newt.

Stay tuned for more analysis on Kanye’s first week on Twitter – and on the overall Red Carpet effect. We think you’ll find the next few days very interesting… and possibly worth a Retweet of your own.

Meanwhile, follow us on Twitter at @barracudalabs for ongoing updates!

Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware and Twitter use and crime rate.

Our study shows that attackers devote serious effort to getting in front of the billions of eyeballs that use search engines every day and the millions of users that connect on social networks like Twitter. Our research allows us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report from the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors. Key highlights:

  • Overall, Google takes the crown for malware distribution, turning up more than twice as much malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google accounts for 69 percent; Yahoo! for 18 percent; Bing for 12 percent; and Twitter for one percent.
  • The average time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!.
  • Over half of the discovered malware originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

Continuing the study whose data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users¹, Twitter Crime Rate², and Tweet Number³. Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users qualify as True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following fewer than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.
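As an added example, not code from the Barracuda Labs report: the three footnote definitions computed over a small set of constructed account records, plus the tweet-frequency buckets used in the highlights above. The records, the `days_active` field (assumed to be the account's age in days) and all values are made up for illustration.

```python
from collections import defaultdict

# Constructed records for illustration only; none of these values come from the report.
ACCOUNTS = [
    {"id": "a1", "created": "2010-01", "followers": 50, "following": 40, "tweets": 300, "days_active": 120, "suspended": False},
    {"id": "a2", "created": "2010-01", "followers": 3, "following": 500, "tweets": 2000, "days_active": 10, "suspended": True},
    {"id": "a3", "created": "2010-01", "followers": 12, "following": 9, "tweets": 15, "days_active": 100, "suspended": False},
    {"id": "a4", "created": "2010-02", "followers": 0, "following": 0, "tweets": 0, "days_active": 90, "suspended": False},
    {"id": "a5", "created": "2010-02", "followers": 10, "following": 10, "tweets": 10, "days_active": 50, "suspended": False},
    {"id": "a6", "created": "2010-02", "followers": 1, "following": 800, "tweets": 900, "days_active": 3, "suspended": True},
    {"id": "a7", "created": "2010-02", "followers": 20, "following": 15, "tweets": 5, "days_active": 40, "suspended": False},
]

def is_true_user(acct):
    """Footnote 1: at least 10 followers, follows at least 10 people, and at least 10 tweets."""
    return acct["followers"] >= 10 and acct["following"] >= 10 and acct["tweets"] >= 10

def tweet_number(acct):
    """Footnote 3: average tweets per day over the days the account has existed (assumed field)."""
    return acct["tweets"] / acct["days_active"] if acct["days_active"] else 0.0

def crime_rate_by_month(accounts):
    """Footnote 2: percentage of accounts created in each month that were later suspended."""
    created, suspended = defaultdict(int), defaultdict(int)
    for a in accounts:
        created[a["created"]] += 1
        suspended[a["created"]] += a["suspended"]  # bool counts as 0 or 1
    return {m: 100.0 * suspended[m] / created[m] for m in created}

def true_user_share(accounts):
    """Share of all accounts that qualify as True Twitter Users, in percent."""
    return 100.0 * sum(is_true_user(a) for a in accounts) / len(accounts)

def tweet_number_buckets(accounts):
    """Shares behind the tweeting highlights: never tweeted, under one a day, five or more a day."""
    n = len(accounts)
    never = sum(a["tweets"] == 0 for a in accounts)
    under_one = sum(0 < tweet_number(a) < 1 for a in accounts)
    five_plus = sum(tweet_number(a) >= 5 for a in accounts)
    return {"never": 100.0 * never / n,
            "under_one_per_day": 100.0 * under_one / n,
            "five_or_more_per_day": 100.0 * five_plus / n}
```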

Who can you trust?

Thursday, May 20th, 2010

by Barracuda Labs

In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.

A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they appear to come from.

In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded by her. (Names and domains in the message have been changed.)

The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable is actually a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe has already reported this spam campaign here:

http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html

What’s particularly interesting is the part just above the forwarded message. The information about the sender of the email (Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com) is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that the update really was sent directly to Jane and that she is now forwarding it along. Except that she isn’t.

The ‘From’ field of the email has been spoofed (i.e., faked), something spammers can easily do. Examination of the internal email headers reveals that the entire message was in fact sent from a compromised computer in West Virginia.

It is common for spam to be sent with faked ‘From’ data; however, this case takes that a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.
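As an added example, not code from the Barracuda Labs post: a small Python check in the spirit of the header examination described above. It walks the Received: chain of a constructed message (placeholder names, domains and documentation-range IPs) to find the hop where the message first entered the mail path, and flags a From: address that claims the company's own domain when that hop lies outside the company's networks (the internal network list is an assumption).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, address and IP is a placeholder
# (documentation ranges), not data from the campaign described above.
SAMPLE = """\
Received: from mail.phished.com (mail.phished.com [192.0.2.10])
    by mx.phished.com with ESMTP id abc123; Thu, 20 May 2010 09:12:01 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by mail.phished.com with SMTP id xyz789; Thu, 20 May 2010 09:11:58 -0400
From: Jane Doe <JaneDoe@phished.com>
Subject: FW: Adobe Security Update

Please run the attached update.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_message):
    """IPv4 literal from each Received: header, in header order (latest hop first)."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips

def origin_ip(raw_message):
    """The bottom-most Received: header is the earliest hop: where the message entered the mail path."""
    ips = received_ips(raw_message)
    return ips[-1] if ips else None

def spoof_check(raw_message, own_domain, internal_nets):
    """Flag a message whose From: claims our own domain but whose first hop was outside our networks."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    origin = origin_ip(raw_message)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    internal = origin is not None and any(ipaddress.ip_address(origin) in n for n in nets)
    return {
        "from_domain": from_domain,
        "origin_ip": origin,
        "origin_internal": internal,
        "suspect": from_domain == own_domain.lower() and not internal,
    }

if __name__ == "__main__":
    print(spoof_check(SAMPLE, "phished.com", ["192.0.2.0/24"]))  # assumed internal range
```

Received: headers are prepended by each relay, so only the hops added by servers you control are trustworthy; an attacker can forge the lower ones, which is why the check anchors on the first hop seen by your own relay.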

Barracuda Spam Firewalls block these emails.

Below are various screenshots of the targeted attack in action.

The targeted email, seemingly coming from inside the organization.

The spoofed "from" address, which appears to be correct.

The .PDF mentioned in the email message that contains a malicious link.

Malicious file in action: the presumed software license agreement.

Malicious file in action: setup wizard.

Malicious file in action: accepting terms of the license agreement.

Malicious file in action: ready to install.

Malicious file in action: prompt to reboot.

Malicious file in action: execution complete.
