ESET Threat Blog

Archive for the 'Randy Abrams' Category

What if your Virusproof Computer Catches a Virus?


Friday, November 20th, 2009

An Australian company claims to have launched a “virusproof” computer. They even say “A fast, easy to use, computer that never gets viruses, EVER !” and then on the same page say “In the rare event that you manage to catch a virus on your virusproof computer, we will re-load both Zone 1 and Zone 2 onto your computer.” In other words, poof! All of your saved documents, pictures, and personal data are gone.

Doh, if your virusproof computer catches a virus in a rare event, then it really isn’t virusproof, is it? If it won’t catch a virus ever, then why do you only get a 5 year warranty? After all, they boldly proclaim it will not get a virus EVER. Additionally, if you return it multiple times because of viruses, then they reserve the right to start charging you for repairs. So, you pay to return the product that did not perform as advertised.

If you don’t care about losing all of your data and personalizations, you can reinstall Windows if you get a virus and you don’t have to pay shipping. You see, under their 5 year warranty, if you send in your computer due to a virus, you must first back up all of your data since they aren’t going to be responsible for your data; they will obliterate it.

I can buy a new computer with a CDROM or built in recovery partition and restore my computer to factory condition without paying for shipping or waiting for it to be returned.

If it sounds too good to be true, it probably is. A company that boldly tells you its computers are virus proof and reserves the right to charge you for repairing infected virusproof computers is really not to be trusted.

It takes a trained nose and palate to taste a wine and tell exactly where it came from, but snake oil is really pretty easy to spot… even from over 7,500 miles away!!!

Randy Abrams
Director of Technical Education

And talking of Cyber Monday…


Thursday, November 19th, 2009

Even in Europe, we have a rough idea of what Thanksgiving is about, though we don't celebrate it at the same time or in the same way. However, Black Friday and Cyber Monday are rather less well known outside the US.

Since Randy has already blogged on Cyber Monday and its security implications at http://www.eset.com/threat-center/blog/2009/11/19/is-cyber-monday-the-end-of-shopping-as-we-know-it, I took the opportunity to air a slightly more Eurocentric view at http://blog.isc2.org/isc2_blog/2009/11/they-call-it-cyber-monday-but-tuesdays-just-as-bad.html.

While you're away from this blog site, you might also be amused, in a cynical sort of way, by the fact that Qinetiq and New Scientist have solved the virus problem once and for all: http://avien.net/blog/?p=92. I believe they'll be starting on solving the Millennium Bug issue any year now.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/
 

Is Cyber Monday the End of Shopping as We Know it?


Thursday, November 19th, 2009

Cyber Monday is the Monday that follows Thanksgiving in the USA. This is said to be the busiest online shopping day of the year. Does that mean that there is more risk of cybercrime? The answer is yes and no. There is more risk simply because more people are shopping online so malicious web pages, fake holiday specials, and other attractions are bound to get more traffic.

In reviewing our threat statistics for the past couple of years what we discovered was that we do not see an increase in the number of threats, so as an individual your risk is pretty close to the same as any other time of year, but that means there is some risk and there are steps you can take to minimize your chances of becoming a victim of cybercrime. Here are a few tips to consider.

1)    Beware of unsolicited emails for promotions that seem too good to be true. Things like “We’ll give you a free copy of Windows 7 for filling out this survey”, or “Get $100 for filling out this survey”. Oftentimes these are ploys to get your credit card information and other personal information. It may be for the purpose of sending you spam or it may be for financial or identity theft.

2)    Watch out for anything related to banks, PayPal, and other online financial providers. NEVER click on a link in an email having to do with financial institutions. For some really simple tips on protecting yourself from phishing see my “Antiphishing Made Easy” tip on the San Diego Chamber of Commerce web site at http://www.sdchamber-members.org/TechTip.htm.

3)    Shop at reputable websites. Do not believe things like a BBB logo; check with the Better Business Bureau to see that they say the company is a member. It’s best if you know somebody who has done business with the company before. Crooks will post fake positive reviews of their web sites.

4)    When you go to enter payment information, make sure the address in the browser starts with https, and not just http. Https encrypts the information, such as your credit card number. It isn’t enough to see the https, since the bad guys can use that too, but you want to use a reputable site and verify they are encrypting your data.

5)    You might want to consider getting a credit card with a low spending limit and using that exclusively when you shop online… especially if you can’t resist that offer that is too good to be true!

6)    Do not click on the links in emails. If you want to shop at Fry’s online, type in www.frys.com and find the item you are looking for.

Following these tips will greatly improve your odds of safely shopping online on Cyber Monday and every other day of the year.
 
If you believe that you have become a victim of a phishing attack, contact your bank immediately.

Randy Abrams
Director of Technical Education

So, You Think You are Smart?


Wednesday, November 18th, 2009

Recently I blogged (Once Upon A Cybercrime…) about a survey ESET commissioned which indicated that Mac users are victims of cybercrime as often as PC users. This finding was not the main point of the survey, but was an interesting finding. The survey is titled “Securing Our e-City National Cybercrime Survey” and was commissioned to gather more information about how we can better target education as part of our Securing our e-City project. You can learn more about Securing Our e-City at http://securingourecity.org/

I want to share with you some additional findings of the study over the coming days and weeks. Extrapolating the losses of those surveyed it appears that cybercrime has cost Americans 11 billion dollars.

First I’ll give you a breakdown of the educational levels of our survey participants.

5% had less than a high school education. 25% had a high school education. 29% had some college. 27% had a college degree. 14% had advanced degrees.

Now let’s look at the victimization rates.

2% of those with less than a high school education had been victims
2% of those with a high school education had been victims
9% of those with some college education reported being victims
7% of those with a college degree reported being victims
18% of those with advanced degrees reported being victims

Given this data, the logical conclusion is that the number one way to avoid cybercrime is to avoid college!

But seriously, I don’t really think it is education that makes one stupid, or makes them a victim. A more likely explanation is that those with higher earnings make more attractive targets. It is also quite possible that those with higher education feel they are smart enough to avoid being tricked. A PhD in psychology does not translate to internet security knowledge. A degree in dentistry does not afford a higher level of computer security knowledge. Even people with computer science degrees often fail to learn enough about computer and Internet security.

I am a firm supporter of education, but when it comes to computers there is specific education required if you wish to avoid becoming a victim of cybercrime. Knowing tips and techniques, such as I describe at AntiPhishing Made Easy, can make a big difference. Education won’t always protect you. When a TJ Maxx or Heartland compromises your credit card information, your computer savvy isn’t going to help. When you receive an email claiming that information is needed to secure your web mail account, then security knowledge is quite useful. When something tells you that you need a codec to view a movie, just a little bit of security knowledge protects you. When you see something that says you need a new flash player, knowing to go to Adobe for the update and not accepting it anywhere else on the web is what is going to prevent you from infecting your computer.

Yeah, you might have a lot of college education, but if you do, you probably have more money and are a much more attractive target to the cyber criminal. If you have more to lose then you have more to gain by becoming a savvy computer user.

Randy Abrams
Director of Technical Education
 

Google to Launch “Bob” ???


Monday, November 16th, 2009

Remember Microsoft Bob? It was a shiny new windowing system on top of a Windows kernel. Now Google is announcing the imminent release of the Chrome OS which, according to the official Google blog http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html is a new windowing system on top of a Linux kernel. So is it an OS or a GUI?

Chrome OS is certainly not what one would typically call an operating system, but perhaps Google is trying to redefine OS for marketing purposes. That might work, Google has some very talented marketing people, as well as talent in many other areas.

Don’t get me wrong, Chrome OS may end up being great, but a critical look at the blog reveals a lot of Google claims that simply aren’t necessarily entirely accurate.

Can you spot the hype and cut through it?

“the operating systems that browsers run on were designed in an era where there was no web. So today, we're announcing a new project that's a natural extension of Google Chrome — the Google Chrome Operating System. It's our attempt to re-think what operating systems should be.”

While Linux was designed when the web existed, it was written to be a clone of an OS designed well before the web existed. Chrome appears to be a Linux distribution, not a new operating system. Additionally, since Windows 95 Microsoft has been writing and releasing operating systems designed with the web in mind. Apple has been doing the same thing.

“we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates.”

This is interesting. Is Google really redesigning the security architecture of Linux? As vulnerabilities appear in the Linux kernel from time to time will they not have to be patched, or does Google mean that they will silently be updated regardless of the user’s desires? Additionally, malware is no longer limited to the operating system. Facebook worms, Twitter worms, and other social networking malware will still be an issue.

Google isn’t the first company to bolt a GUI on an operating system and call it a new OS. Windows started as a GUI for MS DOS.

It will be interesting to see and play with Chrome, but I don’t think we will see a radically new operating system.

Randy Abrams
Director of Technical Education

Once Upon a Cybercrime…


Monday, November 16th, 2009

Recently ESET commissioned Competitive Edge Research and Communications, Inc. to conduct a study about attitudes, beliefs, and experiences of Americans with respect to cybercrime. There were some interesting results.

One of the findings is that most Americans are not aware that cybercrime is linked to organized crime. Viruses and Trojans are no longer the purview of pimple-faced punks who never see the sun. Malware has become a tool of organized crime, but only about one out of 5 Americans realize it is not the lone wolf who is biting them.

Not at all surprising is the fact that both PC and Mac users perceive the Mac as being safer, but the statistics show that Mac users are victims of cybercrime just as frequently as PC users. The most probable explanation for this would be confusing viruses as being cybercrime. 57% of Mac users feel it is safe to use their computers without antivirus software where only 27% of PC users feel it is safe to do so. Much of the losses associated with cybercrime are related to phishing attacks. Phishing attacks are just as effective on Macs, Linux, Windows, Solaris, and any operating system since they rely on tricking the user and not upon malicious software or any software vulnerabilities. The Mac offers no immunity to phishing attacks and so we see a virtually equal percentage of victim representation across the board.

A significant part of the phishing problem is ignorance. The survey found that less than 50% of Americans even know what phishing is. It is difficult to defend against something one is not aware of.

An interesting finding was that it appears that when a Mac user is a victim of phishing they tend to lose more money on average than a PC user. I’m not ready to proclaim this as fact since we can’t explain the finding, but that was the undeniable trend found by this specific study.

With respect to online banking, 84% of the general public feels it is at least somewhat safe to bank online. When you look at the reasons given for not banking online then you see that well over half of those people who shun online banking do so because of security concerns.

Of note, we did find a lower rate of cybercrime victims among people who use both a Mac and a PC. This is probably due to a higher level of computer and internet knowledge. Being educated to the threats and defenses is quite effective in decreasing the odds of a user becoming a victim of cybercrime.

Randy Abrams
Director of Technical Education

Cyberwar Exposed


Friday, November 13th, 2009

Today I read an article in the National Journal concerning cyberwarfare. You can read the article at http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php.

I think people have some misconceptions about “cyberwar”. There isn’t going to be a war, at least anytime soon, which is fought with only computers. Computers are simply being used as a weapon in conjunction with traditional warfare.

The article discusses the digital attack against cell phones. Jamming the cell phones using computers is essentially a denial of service attack. Depending upon how the technology was used to spread misinformation, it may have been much the same as a man-in-the-middle attack.

Fundamentally the difference between cybercrime and cyberwarfare lies in the objectives and that in the country where the attacks are being carried out, the attackers operate with legal authority.

Sometimes the terms cybercrime and cyberwarfare are used indiscriminately. As an example, I recently returned from Malaysia where I found that for the past year or so Malaysian websites have been under attack from computers that are in Indonesia. Malaysia and Indonesia are not at war and the attacks appear to have nothing to do with war at all. This is an example of cybercrime. Now if the countries were at war, such attacks might be deployed in order to disrupt the government, spread propaganda, or otherwise gain a tactical advantage. Still, without a physical conflict it would not be a war… at least not one that would be won.

From a defensive perspective, much is the same as it is when defending against cybercrime. You patch vulnerabilities in your software, you use defense in depth, such as antimalware, firewalls, intrusion detection, intrusion prevention, and auditing software. You also use a lot of education.

For national defense this is a huge project because you not only have to protect the military computers, but the critical infrastructure and a large array of private computers belonging to civilian suppliers. That’s why the Department of Homeland Security (DHS) is collaborating with the private sector to help increase cybersecurity across the board.

For more information on what DHS is doing to protect the federal network check out http://www.dhs.gov/files/programs/gc_1234200709381.shtm.

If you have any general security questions, feel free to email me at askeset@eset.com

Randy Abrams
Director of Technical Education

Hmmm, Phishing Works


Friday, October 30th, 2009

Specifically spear-phishing, where the target is deliberately selected, as opposed to a random untargeted attack.

An article at Dark Reading.com discusses the entirely unsurprising results of a test that concluded that the iPhone, BlackBerry, and Palm have essentially no protection against spear-phishing attacks. http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=221100150&cid=nl_DR_WEEKLY_T

LinkedIn was used as the service to send a fake invitation from. LinkedIn users are completely ripe for spear-phishing attacks as LinkedIn supports and embraces anti-phishing worst practices with incredible gusto. Of course, MySpace, Facebook, Twitter, and a myriad of other social networking sites also do all in their power to assure the success of phishing and spear-phishing attacks.

There’s no problem with getting an email inviting you to add a contact, a follower, etc., but including a link in the email is simply ignorant. Yes, it is very convenient, but even more so for cyber criminals to exploit. If you knew that a legitimate social networking email never contained a link then the phishing attacks would be much more ineffective.

If you don’t want to be the victim of a phishing attack, then don’t click on the links in the emails for any sites you must log on to. If you click on a link and it leads to a log on page, close your browser, delete your temporary internet files, and then open your browser and type in the URL for the service (not using the email you received as a reference). Log into your account and then make decisions knowing that you logged into your real account.

The researcher is right that technology provides little protection against social engineering attacks, but missed the fact it is the abuse of technology by social engineering sites, banks, credit unions, credit card companies, and others that make phishing so effective!

Randy Abrams
Director of Technical Education

Banks and Credit Card Companies are Funding Cybercrime


Friday, October 30th, 2009

For many years banks and credit card vendors have accepted that there will be some amount of fraud and built those costs in to the operational model. The thinking goes that if the loss is small enough then it isn’t worth pursuing so they simply pass the cost on to the public through fee structures, such as return check fees, ATM fees, and differentials in the rate that they borrow money at and the rate they loan money at.

Perhaps this was a viable model before the internet gained popularity, but today it accounts for significant losses, perhaps in the billions of dollars if the polls are to be believed.

The lack of an aggressive stance against phishing means that banks are clearly not the enemy of the cyber criminal and facilitate their nefarious deeds.

The fact is that many financial institutions actively teach their customers to become victims through insanely ignorant worst practices. American Express sends a monthly statement with a link to your account. Financial institutions should not be sending links to pages that require a login… this is what phishers do and reinforces unsafe cyber habits.

My own credit union, First Technology Credit Union, accepts complaints/feedback on line, but when they reply they send a link that the customer must use to provide more information or comments, etc. Granted this link does not ask for log on information, but it also teaches customers to follow the same practices that lead to successful phishing attacks.

The Industrial Credit Union (http:icu.org) recommends “If you receive an email from the IRS requesting information, we recommend you simply delete or ignore it.” but the IRS wants you to report the emails. http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1. The Marine Federal Credit Union offers similar advice to that misguidedly given by the Industrial Credit Union.

Recently the FDIC recommended that Banks step up efforts to spot money mule related activity http://www.wired.com/threatlevel/2009/10/money_mules/. A money mule is a person who is recruited to illegally transfer stolen money from the victim’s account to the criminal’s account. Many, perhaps even most, money mules do not know they are participating in an illegal activity until they also become a victim.

That the FDIC has to recommend this course of action shows how completely out of touch the financial services industry is with their responsibility to assist in online security.

Currently the banking and credit card industry are the educational and operations arms of cyber crime. It is long past time for banks, credit card companies, and credit unions to stop sending links in email and to step up to the plate when it comes to fighting cyber crime. Until the financial institutions stop teaching people to be phishing victims and start playing a proactive role in fighting cybercrime, they are funding cyber crime through apathetic and ignorant complicity, much as a misguided money mule does.

Randy Abrams
Director of Technical Education

A Phish or a Real Email


Friday, October 23rd, 2009

One of the problems about trying to teach people to avoid Phishing attacks is that the banks often use the exact same tactics that the phishers use. It is mind-numbingly stupid of them to do so, but still we see emails from banks that contain links in them. As a rule I tell people not to click on the links in these emails, but rather to log into their account by typing in the address of their bank by hand.

I had a question for my credit union about one of my accounts with them. The response came back and contained a link that I had to follow in order to reply. The email specifically said not to reply to the email because it wouldn’t be read. So, how do I know this isn’t a phishing attack? First of all I looked at exactly who the email came from. Believe me, this is far from foolproof. Email addresses can be spoofed. The more important sign was that when I followed the link I was not asked for any information at all. I did not have to login, I did not have to verify anything. In addition to this, the email came in response to an inquiry that I initiated and not out of the blue. The reply was relevant to the question I had asked.

I am a little dumbfounded by the approach the bank used. If I was using my Comcast email account with the configuration that Comcast specifies as being valid for use with a wireless network, then someone could have intercepted the contents of the email and responded to the bank on my behalf.

Between security-ignorant ISPs, such as Comcast, and banks using emails with some of the same significant attributes that phishers use, it is no wonder that so many people fall for phishing attacks and have accounts compromised.

So, do as I say and not as I do! Don’t click on the links in the emails. The proper thing for me to have done would have been to call my credit union and respond. I did file another comment asking them to stop teaching people to fall for phishing attacks. I wonder what they’ll say!

To tell the truth, I am seriously considering publishing their reply, including the public link that can be used to reply back to them on my behalf!

Anyone want to tell them not to send links to their customers in email?

Randy Abrams
Director of Technical Education