Archive for the ‘Misc’ Category

So, how did they “credit my favor” with $4.5 M if they didn’t know my name?

September 3rd, 2010 - Please note this is an imported post, written by Tom Kelchner
Are grade schoolers writing the spam these days?

What does: “revert ASAP” mean?

From: From International Commercial Bank of Ghana [felistax@yahoo.com]
Sent: Friday, September 03, 2010 2:15 PM
Subject: Attn: Beneficiary, From International Commercial Bank of Ghana.

Attn:Beneficiary,


This is to notify you that $4.5 million has been credited in your favor, contact Mr. James Appiah, with the following information to enable your fund transferred via bank to bank, AS THE CASE MAY BE.


Your full name, Age, Sex, Nationality, Direct phone number, Residential Address, Occupation.


Thank you for banking with us

Revert ASAP

Regards,

James Appiah


You’d think a bank official would have a title and company email instead of a Yahoo account.

Tom Kelchner

Clearwater backhoe incident: 09/02

September 3rd, 2010 - Please note this is an imported post, written by Tom Kelchner
GFI Sunbelt Internet connectivity was lost when a fiber optic line was cut in Clearwater, Fla., near the end of the business day yesterday.

Service provider Time Warner said the line was accidentally cut by a construction crew near the GFI Sunbelt headquarters about 4:50 p.m. Service was restored about 11:10 p.m.

VIPRE definition Version 6827 was issued at 11:17 p.m. (GMT-5)

Alex Eckelberry, general manager of GFI’s Security Business Unit said: “We are currently in the process of reorganizing our data center locations to avoid such an occurrence again.”

Tom Kelchner

The Winlock numbers, the Winlock laws

September 3rd, 2010 - Please note this is an imported post, written by Sergey Golovanov

While Eugene’s busy taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.

Russian law enforcement is estimating that the bad guys could have raked in as much as $1 billion. While it’s difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn’t as crazy as it might sound.


Our statistical analysis tells us there could be around a million people who’ve been infected. 10 cybercriminals, each getting a cut of a ransom between $10 and $30 - even though they were paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.

Zombie game inspires scammers to target your brains

September 3rd, 2010 - Please note this is an imported post, written by paperghost
Zombies. Whether they’re shuffling Romero types, the wisecracking “send more cops” variety or even the crumbling Fulci efforts, it’s important to be prepared (no, I’m not counting the ones that run. Those are stupid).

As you can see, I’m ready for pretty much anything:

zombie quiz results

quiz results

slightly strange quiz results

Nobody is immune to the zombie menace, however, so I thought it might be useful to let you go forth and warn friends & relatives about a new zombie scam popping up on the internet.

Dead Rising: Case Zero has just been released on XBox Live as a standalone chapter for the upcoming Dead Rising 2, and of course scammers want a tasty slice of zombie pie.




Forums and sites such as Youtube (surprise!) are filling up with posts and videos promoting various websites claiming to offer “cracks” and redeemable download codes to let you get your hands on the game for free.

don't trust these guys

I’ve also seen a few videos claim to offer up a PC version (lies) and another one offering up a “Wii version” (more lies, these versions of the game don’t exist).

Here’s a sample:

spam vids

I took this screenshot a day or two ago; let’s make a tenuous reference to zombies and say they’re now multiplying uncontrollably, and you’ll probably have to go live in a supermarket or whatever.

Anyway. The majority of the videos seem to link to one particular website – deadrising2casezero(dot)blogspot(dot)com. Here it is:

website of zombie doom

There’s a lot of nonsense on the site about the download being restricted to the first 2,000 users – and the “total downloads so far” indicator seems to be stuck on 354 people. Following a similar pattern to the recent DC Universe Online scam, attempting to download the program will give you some wonderful surveys to fill in.

questions galore

I’m almost certain I have more important things to worry about in the middle of a zombie apocalypse than whether or not I’m Justin Bieber’s ideal girl but oh well. Filling in one of the surveys will give you this somewhat unimpressive program on your desktop:

fakey mc fake program

I say unimpressive, because it’s about as much use as slapping a zombie in the face with a wet newspaper. Just like the DC Universe fakeout, the program will “generate” about 20 or so codes that just repeat themselves endlessly.

A bit like these "free app / here's a survey" scams, perhaps.

Now if you’ll excuse me, I’m off to meet an ironic doom at the hands of some running zombies. While I’m donating my brains to the undead community, please try to avoid any and all “freebies” related to Dead Rising: Case Zero.

Christopher Boyd

Organized Web Mobsters Getting Jobs Inside Corporations

September 3rd, 2010 - Please note this is an imported post, written by Robert Siciliano

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet. Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may also be attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

It is important to observe basic security precautions to protect your identity. However, the safety of your information with corporations and other entities that you transact business with is very often beyond your control. Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features in addition to live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visit http://www.counteridentitytheft.com

Robert.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)

Robert_Siciliano@McAfee.com
www.CounterIdentityTheft.com


A False Sense of Security

September 3rd, 2010 - Please note this is an imported post, written by Robert Graham
This article describing Hurricane Earl shows a woman putting a pattern of duct tape on the window. Does this duct tape really help?

No, of course not. Duct tape does nothing to stop the glass from shattering, and does almost nothing to stop fragments flying around.

What it does give people is a false sense of security. For whatever reason, they’ve decided not to buy hurricane shutters (even though they live in a hurricane zone) and not board up their windows with plywood. But they can’t just do nothing, so they resort to sympathetic magic like taping up windows. At least they are putting something on their windows.

Such ignorance is not just useless, but in some cases, can be harmful. Some people believe they should leave their windows open a crack during a hurricane, in order to equalize pressure. The opposite is true: this makes it more likely that the hurricane will pop your roof off. The reason is that wind traveling over your roof creates low pressure above, and wind entering your house creates high pressure inside. This lifts your roof off, in precisely the same manner it lifts an airplane wing when flying.

There are obvious analogies with cybersecurity. People do things, like install anti-virus, firewalls, or WEP, because “doing something” makes them feel good. But they haven’t thought through the cause and effect of whether doing such things actually works.

Understanding Current Trends in the Fake Anti-Virus/Scareware Ecosystem

September 2nd, 2010 - Please note this is an imported post, written by Kurt Baumgartner
The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.


Some groups have been arrested. Some have had their operations and entire call support centers shut down.

Some groups attracted too much attention, picked off the low hanging fruit and eventually walked away from their botnets.

In some cases, the groups just weren't very skilled at developing anti-anti-malware techniques, blackhat SEO, and malware distribution. They couldn't keep up with the changes in anti-malware technologies, weren't exactly dedicated to the effort, and simply fell off the map.


However, some of the remaining scareware distribution gangs upped the ante and are aggressively developing difficult-to-detect polymorphic installers and difficult-to-remove support components. And the newest of these malware components include some of the first ITW 64-bit malware components to be taken seriously. But, for the most part, the scareware program itself remains the same. The development continues to change and progress, all for the purpose of evading anti-malware solutions and helping coerce the end-user to pay for the fake product, including support/rootkit components like TDSS (and its extreme complexities) or the more recent Black Internet (also known as "Trojan-Clicker.Win32.Cycler") support/rootkit components. These complex MBR infectors and other rootkit components meant to maintain money-making scareware on the system are signs of this somewhat extreme development effort.

We are good at finding names

September 2nd, 2010 - Please note this is an imported post, written by PandaLabs Blog
We have received this file today. Rogue creators are spending less time creating interface and spending more time to find a new name.

Malware name: Adware/MySecurityShield

VirusTotal
File name: 622ed7d54cbeb06ef977ee111e2b97ddf3f78dd5
Submission date: 2010-09-02 16:09:43 (UTC)
Result: 24/43 (55.8%)

Domain List
report.countdom.net
update1.best-pc-guardever.com
update2.safe-your-pcnow.net

Domain Owner
Registrant Contact: UIS Garritt Kooken gkook@checkjemail.nl +86.592257788 fax: +86.592257788 Rue de Virton 237 Evegnee Evegnee 11111 in

Screenshot
The sample we received today: Sample ...

Safe Web Surfing Rule # 1: READ the URL

September 2nd, 2010 - Please note this is an imported post, written by Tom Kelchner
Safe Web Surfing Rule # 2: See Rule # 1

Email and social networking sites might be a global phenomenon, but English remains widely used in URLs and elsewhere on the Internet. In the English verbiage in malicious email, URLs and web sites there are words that instantly raise red flags to native speakers. However, those red flags may not wave for those who speak no English or for whom it is a second language. Here is yet one more example.

It starts with a Facebook post with a picture of a cute girl (not shown since the photo might be misappropriated) and a link to what looks like Facebook chat. The hyphens that are used in the URL instead of periods should be one giveaway. The fact that it’s a URL with a country domain TK should be another giveaway (probably in any language). That's Tokelau, a territory of New Zealand in the South Pacific.


So the unwise Albanian Web user, seeking to chat with a pretty girl in Tokelau, possibly thinking she's in Turkey (country domain "TR"), goes to the site:


The Facebook page is initially grayed out, so the average computer user clicks on it. The gray goes away. However, if he (and you can be sure this would be a he) watches the browser bar, the site has redirected to: http://h1.ripway.com/hacker1992/login.php.


Oh, that’s just adding insult to injury – actually putting the word “hacker” in the URL – assuming you know enough English to recognize the word “hacker” and know the implications. Of course “ripway.com” is almost as blatant.

The ripway.com site was registered yesterday with an address in Highlands Ranch, Colorado.

Google Translate says the language is Albanian. You can be sure it’s a scheme to snatch email addresses and Facebook logins of Albanian-speaking Facebook users or get them to set up new accounts AND snatch their information:

Tom Kelchner
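
The URL checks from the post above, written out as an added Python example (not part of the original post): it flags a brand name in the wrong host, hyphens standing in for periods, and a mismatched top-level domain, and then checks which host the login page is actually served from. BRAND, REAL_DOMAIN and the LURE URL are assumptions constructed for illustration, since the lure URL in the post's screenshot is not in the text; LANDING is the redirect target quoted in the post.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the brand being imitated and its real domain.
BRAND = "facebook"
REAL_DOMAIN = "facebook.com"

REAL = "https://www.facebook.com/login.php"
# Constructed sample lure: hyphens instead of periods, .tk country domain.
LURE = "http://www-facebook-com.constructed-example.tk/chat"
# Redirect target quoted in the post.
LANDING = "http://h1.ripway.com/hacker1992/login.php"


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_real(host):
    """True only for REAL_DOMAIN itself or one of its subdomains."""
    return host == REAL_DOMAIN or host.endswith("." + REAL_DOMAIN)


def url_red_flags(url):
    """Reasons to distrust a link that presents itself as BRAND."""
    host = host_of(url)
    if is_real(host):
        return []
    labels = host.split(".")
    flags = []
    if any(BRAND in label for label in labels):
        flags.append("brand name in a host that is not " + REAL_DOMAIN)
    if any("-" in label and BRAND in label.split("-") for label in labels):
        flags.append("hyphens where the real hostname has periods")
    if labels[-1] != REAL_DOMAIN.rsplit(".", 1)[-1]:
        flags.append("top-level domain ." + labels[-1] + " is not the real one")
    return flags


def login_page_off_brand(url):
    """A page asking for BRAND credentials must be served from REAL_DOMAIN."""
    return not is_real(host_of(url))


if __name__ == "__main__":
    for u in (REAL, LURE, LANDING):
        print(u, url_red_flags(u), "off-brand login:", login_page_off_brand(u))
```

The landing URL raises none of the lookalike flags, so the check that catches it is the last one: the login form is not on the real site's host, whatever words appear in the path.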

U.S. Labor Day: phishers won’t be on holiday

September 2nd, 2010 - Please note this is an imported post, written by Tom Kelchner
Holidays are times when we see a big uptick in email retail advertising. They are also a time when we should be especially aware of threats from phishing schemes in all those ads.

In that surge of emails promoting holiday sales we can expect fraudulent messages with links to sites that download malicious software or phishing sites set up to steal personal information.

Phishing tracker site Phishtank.com estimates there are more than 2,900 active phishing web sites currently verified on the internet. Popular social media sites such as Facebook and Twitter are increasingly attractive platforms for holiday-themed attacks.

Here are three simple rules that can help you reduce your risk of becoming a victim:

-- Make sure your computer is protected against the newest malware threats by installing a combined antivirus and antispyware solution. This is your first point of protection against dangerous viruses and Trojans – and one without the other is no longer effective.

-- Never click on a link in an email to make a credit card purchase. The email you’ve received may look legitimate, but there’s a high probability that the link will take you to a spoofed site where your credit card information will be stolen by cyber criminals.

Instead, navigate to the retailer’s Web site directly through your browser. The email may look harmless, but it’s better to be safe than sorry.

-- Even when you visit a trusted Web site, be vigilant about anything that looks out of the ordinary. Social networking sites like Facebook, Twitter and MySpace have all served as points of infection recently. Do not download anything, even from a trusted site, unless you are 100% sure it’s safe.

Every Labor Day, we see a wave of phishing attacks taking advantage of consumers’ expectations of increased retail email promotions connected with the holiday.

Cyber criminals see an opportunity to slip by unnoticed among the legitimate promotions. Along with making sure virus updates and security software patches are current, consumers need to stay vigilant and use common sense in order to avoid any unnecessary headaches that these fraudulent emails look to deliver over the long weekend.

Tom Kelchner