Monthly Archives: December 2011

Apple Phishing Scam Alert

CNET is warning about a phishing scam in which the bad guys are sending emails that are fake billing error notices from Apple.

CNET reports that unlike other Apple phishing scams, in this scam the bad guys have created a reasonably convincing fake. The grammar and spelling are correct and the message is formatted to look like a real Apple message. The email address that is displayed looks like it could be from Apple — “appleid@id.apple.com.” However, it isn’t real. Following the links will land at a fake Apple website that also looks pretty convincing. The fake Apple website requests your Apple ID and password. It then prompts you to update your personal data, including your credit card information. DON’T DO IT!

CNET provides useful advice on detecting the scam. CNET explains how to unwind URLs and then how to compare the fake URLs to real Apple URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.

2012 Cyberattacks Predicted by IID

IID has released its predictions of the big cyberattacks for 2012.  Of the 5 predicted cyberthreats, 4 depend upon phishing scams for their evil success.

Here are the IID predictions:

1) Phishing – London Summer Olympics cyber attacks — Cybercriminals will try to capitalize on the Olympics by tricking people into installing malware with phishing scams impersonating the Summer Olympics official website and/or official Summer Olympics vendors.  Once malware is on a victim’s computer, the miscreants can monitor or control both personal and business computer activity — enabling them to steal data, send spam, and commit fraud.

2) Phishing – Elections altered — The 2012 U.S. presidential election year will create opportunities for deceiving voters and other skullduggery. Cybercriminals are expected to impersonate voting websites and political emails with phishing and malware attacks. Many U.S. states allow military and overseas voting via the Internet — creating the opportunity to alter votes. There are also concerns about the security of voting machines.

3) Phishing – 12/21/2012 danger — The Mayan “end of times” of December 21, 2012 will allow bad guys to play into this fear through targeted phishing and malware attacks playing on people’s heightened awareness surrounding 12/21/2012.

4) Internet infrastructure attacks for financial gain — While hacktivism will persist, expect DNS (Domain Name System) and BGP (Border Gateway Protocol) attacks for financial gain to grab headlines in 2012. The December 2010 DNS hijacking of large European payment processor ChronoPay is an example of this threat.

5) Spearphishing – Infrastructure Attacks. IID predicts attacks on physical infrastructure. The Stuxnet hack caused substantial damage to the Iranian nuclear program. The recently discovered DUQU hack is distributed by spearphishing.

This is an interesting forecast. While it is hard to predict the precise events and vulnerabilities that the bad guys will use, there is little doubt that clever criminals will use current events and zero-day exploits to cause havoc.

Spearphishers Compromise U.S. Chamber of Commerce

The Wall Street Journal is reporting that Chinese hackers accessed data of the U.S. Chamber from November of 2009 until May of 2010. Using a network of over 300 IP addresses, the hackers gained access to everything stored on its systems, including information about its three million members and lobbying efforts of the Chamber. The attack probably started with a spearphishing email.

In a stark demonstration of how hard it is to detect malicious activity, The Wall Street Journal reported:

It is possible the hackers had access to the network for more than a year before the breach was uncovered, according to two people familiar with the Chamber’s internal investigation.

One of these people said the group behind the break-in is one that U.S. officials suspect of having ties to the Chinese government. The Chamber learned of the break-in when the Federal Bureau of Investigation told the group that servers in China were stealing its information, this person said. The FBI declined to comment on the matter.

The Wall Street Journal summarized the data breach in a graphic:

Chamber of Commerce Hack

What can be done to defend the enterprise against spearphishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.

Spearphishers’ New Tool — Facebook Timeline

Timeline, the new feature just announced by Facebook, will make it even easier for bad guys to mine the Facebook social network for personal information they can use to launch malicious attacks. As this blog has noted many times, the most important element of an effective spearphishing attack is the persuasiveness of the fake email. Social networks are an ideal source of personal information that can be used to craft a spearphishing attack.

Networkworld quotes Sophos security expert Chet Wisniewski:

“Timeline makes it a heck of a lot easier [for attackers] to collect information on people. It’s not that the data isn’t already there on Facebook, but it’s currently not in an easy-to-use format.”

Cybercriminals often unearth personal details from social networking sites to craft targeted attacks, noted Wisniewski, and Timeline will make their job simpler.

“And Facebook encourages people to fill in the blanks [in the Timeline],” said Wisniewski, referring to the new tool’s prompting users to add details to sections that are blank.

What kind of personal information can bad guys mine from social networking sites? When the bad guy is willing to devote a little work to the project, even the identity of a CIA agent can be uncovered. Timeline makes the work of cybercriminals more efficient.