ESET Threat Blog

Archive for October, 2009

Hmmm, Phishing Works


Friday, October 30th, 2009

Specifically spear-phishing, where the target is deliberately selected, as opposed to a random untargeted attack.

An article at Dark Reading.com discusses the entirely unsurprising results of a test that concluded that the iPhone, BlackBerry, and Palm have essentially no protection against spear-phishing attacks. http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=221100150&cid=nl_DR_WEEKLY_T

LinkedIn was used as the service to send a fake invitation from. LinkedIn users are completely ripe for spear-phishing attacks, as LinkedIn supports and embraces anti-phishing worst practices with incredible gusto. Of course, MySpace, Facebook, Twitter, and a myriad of other social networking sites also do all in their power to assure the success of phishing and spear-phishing attacks.

There’s no problem with getting an email inviting you to add a contact, a follower, etc., but including a link in the email is simply ignorant. Yes, it is very convenient, but even more so for cyber criminals to exploit. If you knew that a legitimate social networking email never contained a link, then phishing attacks would be much less effective.

If you don’t want to be the victim of a phishing attack, then don’t click on the links in the emails for any sites you must log on to. If you click on a link and it leads to a log on page, close your browser, delete your temporary internet files, and then open your browser and type in the URL for the service (not using the email you received as a reference). Log into your account and then make decisions knowing that you logged into your real account.

The researcher is right that technology provides little protection against social engineering attacks, but missed the fact that it is the abuse of technology by social networking sites, banks, credit unions, credit card companies, and others that makes phishing so effective!

Randy Abrams
Director of Technical Education

False Positives: A Round of Applause…


Friday, October 30th, 2009

The anti-malware industry isn't a suitable environment for the thin-skinned. We get used to receiving "more kicks than ha'pence" (see http://www.virusbtn.com/spambulletin/archive/2006/11/vb200611-OK).

In particular, I've grown accustomed to the fact that many people expect all the following from an AV product:

  • Absolute Protection
  • Absolute Convenience
  • Absolutely no False Positives
  • Absolutely no charge

False positives (FPs) are not a minor issue: my experience is that many people (especially in corporate environments) are more infuriated by an FP than by a false negative (i.e. where security software fails to detect real malware).

So it was a pleasant surprise to come across a blog from a source not usually associated with fulsome praise of the AV industry that was actually rather positive, in a backhanded sort of way. The author states "…while I rant quite a bit about the AV industry, you have to give this one to them: the number of false positives is really low. For example, in the AV-Comparatives test 20 false positives is considered many, even though the collection is over 1 500 000 samples (so the acceptable FP rate is below 0.0015%!)." [Sadly, this calculation doesn't altogether make sense, either to us or to AV-Comparatives. In fact, it seems to be based on comparing the number of "acceptable" false positives to the AV-Comparatives malware test set. It isn't based on the AV-Comparatives clean set: AV-C don't publish that information, as they consider FP ratios in percentages to be potentially misleading.]

The blog isn't actually about us, I should make clear: it's about the importance of false positives in intrusion detection, an area with just enough methodology and terminology shared with anti-malware to be confusing – for instance, both technologies talk about FPs and signatures, but often mean something slightly different by them. This led me to another blog that makes a useful distinction between "real" false positives – misdetection of innocent objects as being malicious – and "noise" such as "inappropriate traffic that is legitimately detected that we just don't care about." Actually, because modern anti-malware has a much wider remit than traditional virus detection, that is a concern we share with IDS and IPS vendors – of course, there's an overlap – most AV products now include some IPS (Intrusion Protection System) functionality. But it also has an analogue in more traditional anti-malware detection, which tends to cover "noise" programs such as adware and "possibly unwanted" code as well as out-and-out malware. 

Then there's the miscellaneous detritus that may be left behind when malware is removed: it may be harmless in itself, but what happens when two security programs are used on the same system and one is more cautious about what it removes than the other? Which is "correct" is a subjective judgement rather than a right/wrong issue.

To take another common case, no-one wants to see those misidentifications of innocent system files as malicious that affect even the most cautious products from time to time, but what about files that are detected as malicious because they're packed with a run-time packer that's often (but not necessarily always) used by malware authors? Well, that's not an issue I'm going to be able to give a short and simple answer to here. But I will say this (and often have before): given the complexity of the malware problem, not to mention the sheer volume of samples, the wonder is that mainstream anti-malware generates so few FPs. And it's a real pleasure to find someone agreeing on that point who can't be accused of undue bias in favour of this industry.

By the way, these blogs reminded me of an old but still relevant paper on "The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection" by Stefan Axelsson. If you're interested in the false positive conundrum and the words "Bayes Theorem" don't strike terror into your heart, you might find it well worth reading.
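As an added worked example of the base-rate effect the paragraph above alludes to (this is not code from the post, from ESET, or from Axelsson's paper, and the rates used are constructed for illustration), the Python below applies Bayes' theorem to a detector that catches every intrusion but raises a false alarm on 0.1% of benign events. Because genuine intrusions are rare relative to benign audit records, the false alarms swamp the true ones and only about 1% of alerts are real; the second function turns the calculation around and shows how small the false-alarm rate has to be before an analyst can trust an alert.

```python
"""Base-rate fallacy for intrusion detection alerts, worked with Bayes' theorem.

Added illustration; the prior, sensitivity and false-alarm rate below are
constructed values, not measurements from any product or paper.
"""
from fractions import Fraction


def posterior_intrusion_given_alert(prior, sensitivity, false_alarm_rate):
    """P(I | A) = P(A | I) P(I) / P(A), the chance an alert is a real intrusion.

    prior            P(I):       fraction of events that are genuine intrusions
    sensitivity      P(A | I):   probability an intrusion raises an alert
    false_alarm_rate P(A | ~I):  probability a benign event raises an alert
    """
    p_alert = sensitivity * prior + false_alarm_rate * (1 - prior)
    if p_alert == 0:
        raise ValueError("detector never alerts; posterior is undefined")
    return sensitivity * prior / p_alert


def false_alarm_rate_for_target(prior, sensitivity, target_posterior):
    """Largest P(A | ~I) for which P(I | A) is still at least target_posterior.

    Rearranging s*p / (s*p + f*(1-p)) >= t gives f <= s*p*(1-t) / (t*(1-p)).
    """
    return (sensitivity * prior * (1 - target_posterior)
            / (target_posterior * (1 - prior)))


def expected_alerts(events, prior, sensitivity, false_alarm_rate):
    """Expected (true alerts, false alerts) over `events` audit records."""
    intrusions = events * prior
    benign = events - intrusions
    return intrusions * sensitivity, benign * false_alarm_rate


if __name__ == "__main__":
    # Constructed scenario: 1 intrusion per 100,000 records, perfect sensitivity,
    # false alarms on 0.1% of benign records.
    prior = Fraction(1, 100_000)
    sensitivity = Fraction(1)
    false_alarm = Fraction(1, 1_000)
    post = posterior_intrusion_given_alert(prior, sensitivity, false_alarm)
    true_a, false_a = expected_alerts(1_000_000, prior, sensitivity, false_alarm)
    print(f"P(intrusion | alert) = {float(post):.4f}")          # about 0.0099
    print(f"per million records: {float(true_a)} true, {float(false_a)} false alerts")
    needed = false_alarm_rate_for_target(prior, sensitivity, Fraction(1, 2))
    print(f"false-alarm rate needed for a 50% trustworthy alert: {float(needed):.2e}")
```

Using `Fraction` keeps the arithmetic exact, so the numbers can be checked by hand: with these constructed rates a million records yield 10 true alerts and roughly 1,000 false ones, and the false-alarm rate would have to fall to about 1 in 100,000 before half of all alerts were genuine. That is the base-rate fallacy in one calculation: a detector that looks excellent per event can still bury its analysts in noise.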


David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Banks and Credit Card Companies are Funding Cybercrime


Friday, October 30th, 2009

For many years banks and credit card vendors have accepted that there will be some amount of fraud and built those costs into the operational model. The thinking goes that if the loss is small enough then it isn’t worth pursuing, so they simply pass the cost on to the public through fee structures, such as returned check fees, ATM fees, and differentials between the rate at which they borrow money and the rate at which they loan it.

Perhaps this was a viable model before the internet gained popularity, but today it accounts for significant losses, perhaps in the billions of dollars if the polls are to be believed.

The lack of an aggressive stance against phishing means that banks are clearly not the enemy of the cyber criminal and facilitate their nefarious deeds.

The fact is that many financial institutions actively teach their customers to become victims through insanely ignorant worst practices. American Express sends a monthly statement with a link to your account. Financial institutions should not be sending links to pages that require a login… this is what phishers do and reinforces unsafe cyber habits.

My own credit union, First Technology Credit Union, accepts complaints/feedback online, but when they reply they send a link that the customer must use to provide more information or comments, etc. Granted, this link does not ask for log on information, but it also teaches customers to follow the same practices that lead to successful phishing attacks.

The Industrial Credit Union (http:icu.org) recommends “If you receive an email from the IRS requesting information, we recommend you simply delete or ignore it.” but the IRS wants you to report the emails: http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1. The Marine Federal Credit Union offers similar advice to that misguidedly given by the Industrial Credit Union.

Recently the FDIC recommended that Banks step up efforts to spot money mule related activity http://www.wired.com/threatlevel/2009/10/money_mules/. A money mule is a person who is recruited to illegally transfer stolen money from the victim’s account to the criminal’s account. Many, perhaps even most, money mules do not know they are participating in an illegal activity until they also become a victim.

That the FDIC has to recommend this course of action shows how completely out of touch the financial services industry is with their responsibility to assist in online security.

Currently the banking and credit card industry are the educational and operations arms of cyber crime. It is long past time for banks, credit card companies, and credit unions to stop sending links in email and to step up to the plate when it comes to fighting cyber crime. Until the financial institutions stop teaching people to be phishing victims and start playing a proactive role in fighting cybercrime, they are funding cyber crime through apathetic and ignorant complicity, much as a misguided money mule does.

Randy Abrams
Director of Technical Education

Halloween: There’s Something Scary In Your Search Engine


Thursday, October 29th, 2009

We told you to watch out, didn't we? (see Randy's blog at http://www.eset.com/threat-center/blog/2009/10/23/this-is-the-funniest-video-ever). But it's not just Michael Myers, zombies and vampires you need to watch out for. It's also Funny Halloween Costumes, Harvey Milk, Pumpkin Carving Stencils, candy, Pokemon, and McDonalds Monopoly online.

Yes, the fake/rogue AV gang have started on their Halloween special, and this time it's… well, it's the same old SEO (Search Engine Optimization) poisoning ploy. Right now, after a very interesting conversation with Juraj Malcho, head of our lab in Slovakia, I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people – are likely to be searching for at this time of year.

I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here: I don't suppose you'd read it from top to bottom if I did. However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example.

Many of the search terms I'm looking at here relate to fairly specific stuff like halloween costumes; lots are fairly generic but have the word Halloween added (often at the start of the term, but not invariably); some don't relate to Halloween at all, as far as I can see; and some are just bizarre. ("Halloween originated in mt kilamanjaro (sic)")

So much for the social engineering aspect: what about the malware? Juraj has been checking samples, and most of it is already covered by our generic detections. There'll be more specific naming in our next update. Of course, we'd expect the bad guys to do some tweaking as their campaign develops, to try to regain the advantage, so you can't assume that anti-virus products, even those with good proactive detection (like ours!), will catch everything.

Anti-virus is a useful layer of protection against threats like this, but we can't always save you from your own lack of caution. If you're looking for Halloween-related material, you might want to check out my previous blog at http://www.eset.com/threat-center/blog/2009/10/24/fake-anti-malware-blurring-the-boundaries for other resources that will tell you more about fake security programs.

[Particular thanks to Sean-Paul Correll and Patrick Mullen for spreading the word on this.]

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Fake Anti-Malware: Blurring the Boundaries


Saturday, October 24th, 2009

It won’t come as a surprise to regular readers of this blog that there’s a lot of fake/rogue anti-malware about. (see http://www.eset.com/threat-center/blog/category/fake-anti-malware-fake-software). However, a report released at RSA Europe goes some way towards quantifying that threat, and has created something of a stir in the media.

That’s to be expected: journalists tend to love facts and figures. Anti-malware researchers (well, this anti-malware researcher) have/has a tendency to be more cautious, and while the statistics in the report from Symantec certainly give a flavour of the sheer scale of the problem, they’re a snapshot taken from a particular viewpoint, not the whole panorama. (That said, a lot of resources seem to have been expended on this report: it’s probably not a million miles out.)

Unfortunately, some journalists have simply gone to the highlights page in the executive summary and recycled the figures (one newscast infuriated me by advising "don’t allow pop-ups" as if that was all there is to fixing the problem), whereas the really interesting and useful content is in the descriptions of the mechanisms behind these scams. We have an overview paper on the topic at http://www.eset.com/download/whitepapers/Free_but_Fake.pdf by ESET Latin-America’s Cristian Borghello, but for a more detailed approach, the much longer paper based on a longitudinal study is well worth looking at.

However, Rob Rosenberger’s reaction is also interesting: he took the opportunity to tweet a reminder of an article he wrote back in March about fake AV and virus hysteria. Somewhat predictably, he regards the anti-malware industry as a major contributor to the fake (or rogue) anti-malware problem. An interesting idea, coloured by his preoccupation with the idea that "virus hysteria" – an unpleasant phenomenon that I too have seen much too much of in the past 20 years – is partly the creation of the anti-malware industry. Well, I’m not going to tell you that the entire anti-malware industry is (and always has been) whiter than white. Still, I don’t think that a similarity in pricing and addiction to signature updates really accounts all by itself for the success of fake AV syndrome.

At this year’s Virus Bulletin conference, there was an interesting and amusing panel session that addressed both free anti-virus and fake AV, and I think there’s a clue there. Many people mistrust anti-malware products, and quite a few think they should be free. (No, that wouldn’t work for me: I have this addiction to food, which requires me to earn a living.)

Fake AV often exploits this desire for something for nothing, by offering a free product that turns out to be far from free. It does, to some extent, mimic a legitimate model of "This product has detected such and such malware on your system, but you’ll have to pay us to remove it", but that model hasn’t been particularly associated with mainstream AV. (A number of shareware products have used a similar model, though.) And I certainly can’t think of a legitimate product that forces itself onto your PC as a pop-up and scans it without asking permission before asking for payment before removing the malware it finds, real or not.

Where there is confusion, though, it derives from the ways that fake AV products try to blur the boundaries between fake and real, using spoofed web sites, forged certifications, advertising collateral and other information stolen from real products, and so on.

Another approach we’ve seen much more of in recent years is the use of legal action to try to restrict the ability of real security vendors to detect not only fake AV, but nuisances such as certain kinds of adware that may not be considered to be malware in the strictest sense of the word. Juraj Malcho, head of ESET’s lab in Bratislava, presented a fascinating paper on the topic "Is there a lawyer in the lab?" at Virus Bulletin 2009, as I mentioned in a previous blog. We can’t put up the paper itself until the end of the year because of the terms of the agreement made with Virus Bulletin when a conference paper is accepted, but a PDF version of the presentation is available here and here.

Other links:
http://tech.yahoo.com/news/nm/us_cybersecurity_symantec
http://news.bbc.co.uk/1/hi/technology/8313678.stm
http://www.theregister.co.uk/2009/10/20/scareware_psychology/
http://www4.symantec.com/Vrt/wl?tu_id=TeCm125590003756772344

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

A Phish or a Real Email


Friday, October 23rd, 2009

One of the problems about trying to teach people to avoid Phishing attacks is that the banks often use the exact same tactics that the phishers use. It is mind-numbingly stupid of them to do so, but still we see emails from banks that contain links in them. As a rule I tell people not to click on the links in these emails, but rather to log into their account by typing in the address of their bank by hand.

I had a question for my credit union about one of my accounts with them. The response came back and contained a link that I had to follow in order to reply. The email specifically said not to reply to the email because it wouldn’t be read. So, how do I know this isn’t a phishing attack? First of all I looked at exactly who the email came from. Believe me, this is far from foolproof. Email addresses can be spoofed. The more important sign was that when I followed the link I was not asked for any information at all. I did not have to login, I did not have to verify anything. In addition to this, the email came in response to an inquiry that I initiated and not out of the blue. The reply was relevant to the question I had asked.

I am a little dumbfounded by the approach the bank used. If I was using my Comcast email account with the configuration that Comcast specifies as being valid for use with a wireless network, then someone could have intercepted the contents of the email and responded to the bank on my behalf.

Between security ignorant ISPs, such as Comcast, and banks using emails with some of the same significant attributes that phishers use, it is no wonder that so many people fall for phishing attacks and have accounts compromised.

So, do as I say and not as I do! Don’t click on the links in the emails. The proper thing for me to have done would have been to call my credit union and respond. I did file another comment asking them to stop teaching people to fall for phishing attacks. I wonder what they’ll say!

To tell the truth, I am seriously considering publishing their reply, including the public link that can be used to reply back to them on my behalf!

Anyone want to tell them not to send links to their customers in email?

Randy Abrams
Director of Technical Education

THIS IS THE FUNNIEST VIDEO EVER!!!!!!


Friday, October 23rd, 2009


Oh brother, don’t tell me you fell for that one! All capital letters, lots of exclamation marks, the classic signs of bad news. Yeah, Halloween is around the corner and it is about time for the fake e-cards to make their rounds and the emails with links to “videos” that are not really videos at all. This happens every year.

If you receive an email purporting to be an e-card make sure it is addressed to you specifically. Make sure the email comes from someone you know. You will not get a legitimate e-card from “a friend”, “a family member”, “an admirer”, or anyone else not explicitly stated by name. Next make sure the link to the e-card points to a legitimate e-greeting site. If you don’t know then either don’t click on the link or do some research.

The next attack will be the fake video. This is the scariest, the grossest, the funniest, the freakiest… “Hey check this out” and so on. In most cases these links will either tell you that you need a video codec or start a fake scan and tell you that your computer is infected, or both.

You effectively never need a new codec; it is virtually always a scam designed to install malicious software on your computer. If you need a new codec, then download the current version of your media application and it will have the appropriate codec 99.999999% of the time.

The twist this year is the malicious emails, tweets, instant messages, and social networking site messages that come from someone you know. A lot of webmail accounts and social network accounts have been hijacked in recent times. This means that the message will come from the account of someone you know, but they won’t really be the ones who send it. If you receive a link to an e-card, a video, a song, whatever, from someone you know via Hotmail, Gmail, Yahoo mail, any web mail, or from IM or social networking sites, talk to your friend before you click on the link. Make sure it really is the person you know who deliberately sent the link and not an imposter who hijacked their account.

Watch out for Twitter this Halloween. I will be shocked if Twitter is not used extensively to send links to malicious websites. The medium is perfect for this type of abuse and the extensive use of obfuscated URLs makes it so easy to hide the malicious links.

Finally, before you click on anything make sure your operating system is fully patched and your antivirus is current. For Windows go to http://update.microsoft.com; even if you have automatic updates turned on, it is a good idea to periodically check and make sure it is working. Automation breaks. But you are not done yet: for home users, your next stop is either http://secunia.com/vulnerability_scanning/online/ or the more thorough http://secunia.com/vulnerability_scanning/personal/ to make sure all of your other applications are fully patched. Yes, some of the websites the links point you to will infect your PC when you simply visit the site if you are not patched.

Have a safe Halloween and don’t take candy, e-cards, videos, or tweets from strangers.

Randy Abrams
Director of Technical Education

Fake Windows Update


Thursday, October 22nd, 2009

[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft's update site, but is clearly not to be trusted. So the take-home messages are (1) don't trust links in a message if you can't be dead certain it comes from the source it seems to come from: go to a known authentic URL, or use the update mechanism within Windows itself (2) Check the link below on how Microsoft really disseminates update information.]

[Update 2: Spanish speakers might like to check out ESET Latin-America's version of this blog, now at http://blogs.eset-la.com/laboratorio/2009/10/22/falsos-correos-de-microsoft-propagan-malware/. Nice that we can give them something to write about occasionally rather than vice versa!]

A trusted source (thanks, Steve!) has just sent us (among other security organizations) an example of a fake windows update. It claims to be an out-of-cycle security update sent from Microsoft, but redirects to an executable on a site which has, of course, nothing to do with Microsoft, and which ESET products detect as Win32/Injector.ACX.

For information on what Microsoft really does when it sends information on security updates, see http://www.microsoft.com/protect/yourself/phishing/msemail.mspx?wt_svl=10233EWNa1&mg_id=10233EWNb1

From: Microsoft [mailto:team@microsoft.com] [This is spoofed, of course]
Sent: 22 October 2009 11:49
Subject: Update : DNCSKEUPXR [I'd presume that this is a randomized string, meant to foil simple filtering by subject]
Importance: High

Security update

When necessary, Microsoft provides a new security update on the second Tuesday of each month and publishes a bulletin to announce the update.
Occasionally, updates are released more often.[This is true, of course. However...]
The links below go to the latest update download.[...the link, which I've removed, is not to a Microsoft site.]

(Privat secured new link)
[removed]

Each bulletin includes links to the security updates.Microsoft has submitted a new update for all Windows OS web browsers, which brings a more stable and secure application, Internet Explorer version 7.0.195.24.
The new version has no new functionality but fixes one security vulnerability that has been classified as "high", the highest level.
Vulnerability refers to the possibility of external attacks through Internet Explorer and Outlook Express . We recommend installing the update to keep you and your system safe .[Obviously, it would be a mistake to take any of this at face value!]

Thank you, Adrian King Director of Security Assurance Microsoft Corp. [There was an Adrian King at Microsoft who was Director of Operating Systems Products: he left many years ago. Messages like this commonly cite the same job title with different names.]

IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL [Presumably randomized, probably as a simple "hashbuster".]
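The annotations above pick out the indicators a mail gateway or an analyst can check mechanically: a sender domain that the link in the body does not match, a randomized subject token, a hashbuster string, and an "Importance: High" header. The Python below is an added example of that triage (not code from the post or from ESET, and not a product's logic); it also serves the earlier posts' point that a mail carrying a link to somewhere other than the claimed sender's own site deserves suspicion. The SAMPLE_MAIL message is constructed: its headers and wording mirror the spoofed mail quoted above, but the link domain updates.example.net is a placeholder, since the post removed the real link, and SAMPLE_OK is a constructed benign message for contrast. The consonant-run heuristic for random tokens is deliberately crude and is labelled as such in the code.

```python
"""Triage checks for mail that claims to be a vendor security update.

Added example; SAMPLE_MAIL and SAMPLE_OK are constructed messages and the
updates.example.net link is a placeholder, not the link from the real mail.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
CAPS_RUN_RE = re.compile(r"\b[A-Z]{8,}\b")   # candidate random token
VOWELS = set("AEIOU")

SAMPLE_MAIL = b"""\
From: Microsoft <team@microsoft.com>
To: user@example.org
Subject: Update : DNCSKEUPXR
Importance: High
Content-Type: text/plain; charset=us-ascii

Security update

The links below go to the latest update download.

(Privat secured new link)
http://updates.example.net/ie7/update.exe

Thank you, Adrian King Director of Security Assurance Microsoft Corp.

IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL
"""

SAMPLE_OK = b"""\
From: Example Alerts <alerts@example.com>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=us-ascii

Log in at http://www.example.com/ by typing the address yourself.
"""


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def max_consonant_run(token):
    """Longest run of consecutive consonants; English words rarely exceed three."""
    best = run = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def random_caps_tokens(text):
    """All-caps runs of 8+ letters with a 4+ consonant run: heuristic, not proof."""
    return [t for t in CAPS_RUN_RE.findall(text) if max_consonant_run(t) >= 4]


def triage(raw):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(str(msg.get("From", "")))
    claimed = registrable_domain(sender.rpartition("@")[2]) if "@" in sender else ""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = URL_RE.findall(body)
    # A link whose domain is not the claimed sender's is the strongest signal.
    mismatched = [u for u in links
                  if registrable_domain(urlparse(u).hostname or "") != claimed]
    subject_tokens = random_caps_tokens(str(msg.get("Subject", "")))
    body_tokens = random_caps_tokens(body)
    findings = {
        "claimed_domain": claimed,
        "links": links,
        "mismatched_links": mismatched,
        "random_subject_tokens": subject_tokens,
        "hashbuster_tokens": body_tokens,
        "high_importance": str(msg.get("Importance", "")).strip().lower() == "high",
    }
    findings["suspicious"] = bool(mismatched) or bool(subject_tokens and body_tokens)
    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE_MAIL", SAMPLE_MAIL), ("SAMPLE_OK", SAMPLE_OK)):
        print(name, triage(raw))
```

The domain comparison is the check worth keeping even if the token heuristics are dropped: a From header is trivially spoofed, so the only thing the message itself can be held to is whether the place it sends the reader agrees with who it claims to be. A real deployment would replace `registrable_domain` with a public-suffix lookup and would resolve shortened URLs before comparing, neither of which this example attempts.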


David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

You’ve Got Bot!!!


Tuesday, October 20th, 2009


Comcast has announced that they are trialing a new service that alerts users when their computers are infected. You can read about it here: http://news.cnet.com/8301-27080_3-10370996-245.html. Essentially what happens is that when Comcast notices traffic that looks like bot related traffic they will pop up a message on the subscriber’s computer that indicates there is a problem and suggests steps to help clean up the computer.

I believe this is an exploratory step toward what we call the “walled garden”. In the “walled garden” scenario a user’s computer is not allowed out on the internet until they have cleaned up the infection. The walled garden approach is perhaps somewhat draconian, but does have merit. The problem is that false positives will be exceptionally annoying and troublesome for consumers and ISPs alike. The pop-up notice approach will allow Comcast to fine tune the detection mechanisms.

I applaud Comcast for this trial, but I wish Comcast took user account security seriously. What do I mean? If you use POP3 with a Comcast email account the way they have you set up your account means that your username and password are transmitted in plain text. This is an egregious security problem and it is hard to believe that Comcast might get their pop ups right when they appear to be so callous about user account credentials.

In the security community we are expecting to see the bad guys start spoofing ISP virus warnings if the practice becomes widespread enough. The measure of how significant the problem becomes will be the count of computers cleaned up by the notifications versus the number of users social engineered by the notifications.

For the time being, Comcast is on the right path, but appears to lack the security awareness to pull this maneuver off properly.

Randy Abrams
Director of Technical Education

National Cyber Security Month


Monday, October 19th, 2009


October is National Cyber Security month. Groups like the National Cyber Security Alliance are promoting awareness of cyber security.

On Tuesday at 11 AM Eastern Daylight Time (8 AM PDT and 4 PM GMT) Department of Homeland Defense Secretary Janet Napolitano will be giving a speech that will be broadcast live at www.dhs.gov.
The Secretary will discuss the:
• urgent need to counter the threat of cyber attacks
• shared responsibility for staying safe online
• leadership role DHS is playing on cybersecurity

If you are able to view the speech I think it will be interesting.

Randy Abrams
Director of Technical Education