Spearphishing APT-itude Test
My latest blog for SC Magazine's Cybercrime Corner looked at the recent APT (Advanced Persistent Threat) attack on RSA, in the light of Uri Rivner's blog on the implementation of the attack. Unfortunately, the exact nature of the target and damage remains somewhat obscure, so while I certainly consider Rivner's blog worth reading, I also found myself clarifying why I don't find the APT buzzword particularly useful (hat tip to SC Magazine UK's Dan Raywood for turning my thoughts in that direction). Randy Abrams subsequently raised another point worth thinking about, though. Rivner's blog classifies the targeted attack as spear-phishing, and like a number of other commentators, I've taken his word for it.
San Diego, CA, April 6, 2011, David Harley
Threat Trends Report
The March Threatsense report at http://www.eset.com/us/resources/threat-trends/Global_Threat_Trends_March_2011.pdf includes, apart from the Top Ten threats:
- a feature article on Japanese-disaster-related scamming by Urban Schrott and myself
- news of the Infosec Europe expo in London on the 19th-21st April, the AMTSO and CARO workshops in Prague in May, and the EICAR Conference in Austria that follows
- the story of a fake AV package passing itself off as an ESET product
- commentary on a premature requiem for the firewall
- commentary on a lo-tech ATM scam reported by Randy Abrams
While the top ten ran like this:
- INF/Autorun
- Win32/Conficker
- Win32/PSW.
San Diego, CA, April 5, 2011, Randy Abrams
How to Avoid a Phishing Attack
With the breach of Epsilon, we are going to see a huge influx of phishing attacks before it settles back down to the normal level of tons of phishing attacks. So you aren’t a computer expert, how do you protect yourself? Don't worry about spotting the phish, it is more important that you do not take the actions that make the attack successful. There are a few simple rules to follow that will almost certainly prevent you from becoming a victim… if you are diligent. Fundamentally there are two ways the phishing attacks work.
San Diego, CA, April 4, 2011, Randy Abrams
Information Wants to be Free – So Epsilon Thinks
Information Wants to be Free
If you are a member of the technology advocate crowd that uses this slogan for a mantra, you are going to love the Epsilon Company. Reports started coming out on April 2nd that the mega email marketing giant, Epsilon was breached and millions of names and email addresses of customers of very large banks and retailers were “liberated”. If Epsilon isn’t familiar to you that is understandable. They are a kind of behind the scenes company that major retailers and banks use who don’t really want you to know how much information about you they have aggregated use. Epsilon is the email machine these companies use to generate massive amounts of something that most people call spam.
San Diego, CA, March 31, 2011, Randy Abrams
Samsung and I Got Bit by a VIPRE
Yesterday I reported that Samsung laptops were infected with a keystroke logger. This certainly appeared to be the case as a Samsung supervisor reportedly confirmed (http://www.networkworld.com/newsletters/sec/2011/040411sec1.
San Diego, CA, March 31, 2011, Sebastian Bortnik
Three questions on World Backup Day: What? How? When?
A number of organizations dedicated to online hosting have launched an interesting initiative by naming this day, March 31st, World Backup Day. Who hasn’t ever lost a USB device and has regretted not having a backup? Who hasn’t experienced the death of a hard drive only to lose information that won’t ever be able to be recovered? I’m sure most of the readers have been through this, and that is why I invite you to take this day to think about the importance of backups. So, if moved by the premise you want to take advantage of today's date to start backing up your systems, I’m sharing the three questions that must be answered before any backing up takes place:
What information should be backed up? A backup is not only the indiscriminate storage of all system files, therefore it is important in some way (at least in a simple one) to prioritize the information and decide which data needs to be backed-up. For example, a folder containing pictures of your family and children is not equal in value to a folder containing interesting wallpapers.
San Diego, CA, March 31, 2011, David Harley
More SC Magazine Blogs
In Giving the cybercriminals a helping hand, Randy Abrams discusses how most Facebook app developers are making session hijacking too easy for the cybercriminals. In A tsunami is also a crime wave I talk about the range of cybercrimes that have come out of the Japan earthquakes and tsunami. And in Supporters Club I return to the topic of support desk scams, offering to sell you services to deal with malware that isn't on your system.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow.
San Diego, CA, March 31, 2011, Randy Abrams
Facebook Fixes Flaw – Farmville Compromises Facebook
After the release of FireSheep, Facebook took an important step to help protect Facebook user accounts by allowing users to choose to keep an encrypted connection as long as they used just Facebook and intelligently designed apps. Savvy users immediately discovered that if they tried to use grossly insecure apps such as Farmville, 21 Questions, or a variety of apps by Rockyou then you were switched back to an unencrypted connection. Having an unencrypted connection means that if you are on an unsecured network, such as those frequently found in coffee shops, airports, and many other public places, then another person can mess around with your account and do things like post messages as if they were you. In fact, they are actually logged into your account for the session, but they don’t have your password, so there are some security features they can’t change.
San Diego, CA, March 30, 2011, Randy Abrams
Got a Samsung? You Got Owned
If you have a Samsung computer check it out. If there is a directory called c:\windows\SL. This is a directory used to house a commercial keystroke logger that it appears Samsung is using to steal your passwords, screen shots, and other data. An article at http://www.
San Diego, CA, March 30, 2011, Pierre-Marc Bureau
The End of Win32/Swizzor?
It appears that the group behind the Win32/Swizzor malware family has put an end to their operation. This malware family has been around since 2002. Security companies have seen hundreds of thousands of unique binaries classified as this family, which was installed on PCs through "affiliate" programs. The malware is used to display unsolicited advertisements on infected systems.
San Diego, CA, March 30, 2011, David Harley
TDSS: The Next Generation
Win32/Olmarik (also known as TDSS, TDL, Alureon and sundry less complimentary names) has gone through some interesting evolutions in the last couple of years. TDL4 is no exception, with its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. In a new ESET white paper on The Evolution of TDL: Conquering x64, Eugene Rodionov and Aleksandr Matrosov look at the GangstaBucks gang that has been distributing TDSS since DogmaMillions shut up shop, then dive deeper into analysis of the bootkit. You may also find their previous white paper TDL3: The Rootkit of All Evil? and Virus Bulletin article Rooting about in TDSS* of interest.
San Diego, CA, March 30, 2011, David Harley
The Stuxnet Train Rolls On…
… albeit more slowly than previously. Added to the resources page at http://blog.eset.com/2011/01/23/stuxnet-information-and-resources-3 today: A nice article by Mark Russinovich on Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1.
San Diego, CA, March 28, 2011, Randy Abrams
Facebook Parenting Skills
Many parents are rightfully concerned about their kid’s participation in social networks. There are a number of areas to be concerned with. Who are the kids talking to? Is there a pedophile stalking them? Parents might worry about the friends their kids are making online and what kind of people, even their kid's own age, they are associating with. Some parents will be concerned about how much time their kids are spending online versus out in the sun and developing interpersonal skills in person.
San Diego, CA, March 28, 2011, Randy Abrams
Do You Like My Body?
The subject lines of our blog posts may, or may not be appealing to you, but we hope you’ll enjoy the body of our posts, and if you do, there is now a “Like” button down at the bottom of the page for each blog post. For those of you using NoScript, you’ll need to allow (or temporarily allow) facebook.net or you won’t see the button. Why a “Like” button, but no “Dislike” button? Well, “Liking” a post is like tipping the messenger, but disliking a post is like shooting the messenger, and that just isn’t cool. If you really want to express your disapproval, you can always leave a comment.
San Diego, CA, March 26, 2011, Randy Abrams
Facebook Retains Right to Exploit Minors
Facebook is really, really good at coming up with new ideas, but reasonably well thought out ideas from Facebook seem a bit harder to come by. This is an issue that recently came up when Facebook decided that they would start allowing third party developers to gather address and phone number information and share it with other people. It didn’t take long for more rational people to figure out that randomly giving out a 13 year old girl’s phone number was at best a completely mindless idea, although it might just be evil intent. You can see my interview on the subject for FOX TV if you wish to.
San Diego, CA, March 24, 2011, Randy Abrams
More Spam for Tripadvisor.com users
It is unfortunate, but a fact that many organizations are going to suffer hacks. The internet was designed to be a cybercriminal’s dream. That was not the intent of the internet, but the design certainly is such that it serves the purpose well. Fortunately it also serves many great purposes quite well too.
San Diego, CA, March 24, 2011, Randy Abrams
The Sleazy, Sneaky, Facebook Marketing Brigade
My good friend David Harley just blogged about Facebook’s brand new way to misappropriate your data without your consent. Alas, in underestimating how far Facebook will go to attempt to avoid allowing you to control your privacy, David missed the second setting that is required if you do not want Facebook to decide what companies your name and face are used to endorse. You see when you go to “account settings” and then the Facebook Ads tab, only one of the two settings will show up on most computers. You actually have to scroll down to the bottom of the page in order to access the setting that makes you an unwitting and unpaid spokesperson for some advertiser that you may or may not wish to publicly endorse.
San Diego, CA, March 24, 2011, David Harley
Fining Support Scammers
The Australian Communications and Media Authority is planning to impose harsh penalties on support desk scammers. (Hat tip to Andrew Hayter for drawing my attention to that item.) According to chairman Chris Chapman, nearly half of all the complaints they've received about calls to numbers on the Do Not Call Register have been about cold-calling scam calls of this type. So they aim to impose penalties of up to $110,000 AUS on telemarketers offering online virus removal and technical support.
San Diego, CA, March 24, 2011, David Harley
SC Magazine: Cybercrime Corner
You may not be aware that ESET writers have been supplying blogs to SC Magazine for a while now. Recently, Randy Abrams and I were drafted in after the original contributors moved on, and we started contributing this week:
- Poachers and Gamekeepers considers whether there is a conflict of interest when AV companies work with companies and individuals who are or have been active in the malware research field to the point of writing "malicious" code, in response to some very pertinent ethical questions asked by Kurt Wismer.
- Randy asks Who are the cybercriminals?, observing that there are many more types of cybercriminal than those who make the big splash headlines.
- AV company, heal thyself looks in more detail at a fake security package that I've mentioned here before, and places it in a wider context.
San Diego, CA, March 24, 2011, David Harley
Facebook Ads: the Likes of You
Many Facebook users are annoyed to discover that their names and faces can be used in sponsored FB ads. Indeed, according to Dan Tynan in IT World, the next phase will be to allow 3rd-party advertisers to do the same thing inside Facebook apps. I'm not a great fan of the FB principle of all your datum are belong to us, but I suppose it isn't unreasonable to make use of your Likes as long as you agree to it. Or in this case, don't opt out.
San Diego, CA, March 24, 2011, David Harley
Another VB Cybercrime Seminar
One that will be of most interest to our readers in the UK, I guess. Our friends at Virus Bulletin are holding another "Securing Your Organization in the Age of Cybercrime" seminar, this time on the Open University Campus at Milton Keynes on the 24th May. The full agenda is already available on that page, and includes some excellent speakers. I was at the previous seminar, which ESET sponsored (and at which our own Juraj Malcho presented), and it was well worth the trip.
San Diego, CA, March 17, 2011, David Harley
More unflattering imitation
Last October, my colleague Tasneem Patanwala blogged about rogue antivirus masquerading as an ESET product. In that instance it was a product calling itself Smart Security, and Tasneem's blog includes lots of useful information about that particular malware, and fake AV in general. Looking through my huge backlog of mail just now, I notice mail from Aryeh Goretsky, another of my colleagues, about a program calling itself E-Set Antivirus 2011. I'll be looking at it in more detail later, but I can tell you now that it has nothing to do with ESET, which has not changed its name and does not have a product called Antivirus 2011.
San Diego, CA, March 16, 2011, Randy Abrams
Smart Phone, Bad App
As the number of apps for smartphones continues to grow, perhaps your paranoia about such apps should be growing as well. In an unusual statement, the former director of the CIA has warned that the government isn’t sharing enough information about cyber security. In an article at http://www.wired.
San Diego, CA, March 15, 2011, David Harley
Hacking by Proxy
The BBC program Panorama last night investigated claims that the News of the World hired a hacker to break into a subject's PC to steal emails. In fact, it appears that the unnamed hacker installed a Trojan on the victim's PC. Which sounds like a fairly unequivocal breach of the Computer Misuse Act, which outlaws unauthorized access and unauthorized modification. I haven't seen the program yet (UK viewers can see it on iPlayer using the link above), so I don't know if the BBC inquisitors who fired questions at Alex Marunchak made any reference to the legality or otherwise of the BBC's own Click programme, which apparently paid several thousand dollars a while ago to rent a botnet in the name of investigative journalism.
San Diego, CA, March 14, 2011, David Harley
BingDings* Force Change of Tune
* Sorry, but I couldn't resist a Crosby reference.
I was more than a little irritated over the weekend – see Faith, Hope, Charity and Manipulation - by Microsoft's use of the Japanese disaster to give the Bing search engine a little extra exposure using a chaintweet technique:
How you can #SupportJapan – http://binged.it/fEh7iT. For every retweet, @bing will give $1 to Japan quake victims, up to $100K.
San Diego, CA, March 12, 2011, David Harley
The Hole in the Wall Gang*
We've already discussed a lo-tech but surprisingly effective attack on ATM users here and elsewhere. However, Brian Krebs has recently posted on more conventional skimming attacks: Green Skimmers Skimming Green. An interesting and useful comment thread too. However, in view of the mentions there of chip and pin technology, it's worth pointing out that while chip and pin has been pretty successful in Europe and elsewhere in mitigating fraud, it's not the complete answer, as discussed previously here and here.
San Diego, CA, March 12, 2011, David Harley
Disaster Scams and Resources
I've added some commentary and resources on the Japan earthquake/tsunami disasters to an independent blog I maintain that specializes in hoaxes, scams and so forth, but here are a few of the same resources that aren't already included in my recent blogs here on the topic:
- Analysis from Kimberley at stopmalvertising.com: http://stopmalvertising.com/blackhat-seo/recent-japanese-earthquake-search-results-lead-to-fakeav.html
- Guy Bruneau at Internet Storm Center: http://isc.
San Diego, CA, March 11, 2011, David Harley
Disasters: Getting Involved
From my friend Rob Slade. He was writing at the time of the Haiti earthquake over a year ago, but the advice still stands, and not just for those who are uncomfortably near all those fault lines that seem to have been particularly restless in the last year or two.
Thoughts on Haiti, Olympics, and other disasters
There's even an information security angle, though that may seem less significant at times like this.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow.
San Diego, CA, March 11, 2011, David Harley
Japanese Earthquake: inevitable SEO
As you'd expect, there have already been reports of Black Hat SEO (Search Engine Optimization) being used to lure people looking for news of the earthquake and subsequent tsunami onto sites pushing fake AV. (Stop me if you've heard this before…) My colleague Urban Schrott, however, offered some pretty good advice on what to look out for on the ESET Ireland blog even before I started to see reports of actual abuse. I recommend that you take a look at his blog, but I hope he won't mind if I reproduce his short but to-the-point list of things you shouldn't do:
- DO NOT click on social media and email “shocking news” or “shocking video” links.
- DO NOT go to untrusted websites for news.
San Diego, CA, March 10, 2011, Randy Abrams
Sticky Criminals
CBS in San Francisco is reporting a rather novel cash machine attack. It seems that crooks are applying superglue to the clear, enter, and cancel buttons on cash machines at banks. A customer goes to the cash machine, inserts their card and enters their PIN.
San Diego, CA, March 9, 2011, David Harley
Stuxnet, SCADA and malware
Kelly Jackson Higgins in a Dark Reading article tells us that Malware Attacks Decline In SCADA, Industrial Control Systems, quoting a report published by the Security Incidents Organization drawing on its Repository of Industrial Security Incidents (RISI) database. One aspect that's attracted attention on specialist lists is the mention of a large US power company that experienced infections of 43 operator and programming stations. Added to the Stuxnet resources blog at http://blog.eset.
San Diego, CA, March 9, 2011, David Harley
Relying on GPS: which way is the washroom?
The Royal Academy of Engineering yesterday released a report on Global Navigation Space Systems: reliance and vulnerabilities as reported by Sophie Curtis in eWeek Europe in an article on Britain’s GPS Reliance Could Lead To ‘Loss Of Life’ (who quoted me, by the way, on what could happen in the event of a criminal attack). Well, it's not an entirely hypothetical issue: there are a number of scenarios where jammers are used to disrupt signals for criminal purposes, and there's no absolute reason why the approach couldn't be used for a more dramatic 21st century Italian Job (I think I feel a movie script coming on). Why, apart from the vehicle larceny that already happens, would you (or a criminal version of you) do something like this? Well, one obvious possibility is to disrupt logistics. It doesn’t take much imagination to think of ways in which a victim, with a combination of a satnav deadspot and physical interference, might be herded into a vulnerable location, or law enforcement might be diverted from an active crime scene.
San Diego, CA, March 9, 2011, David Harley
Ginger Rogers hoax
I've been coming across several references to an email and Facebook hoax relating to a YouTube that's claimed to show 92-year-old Ginger Rogers dancing with her great-grandson. Of course, it isn't: she died in 1995 in her 80s. This isn't a threat: it's a genuine movie and an interesting enough story to stand on its own, so I won't go into it all on the ThreatBlog. However, if you're interested in hoaxes in general and this story in particular, you might want to check out my blog here.
San Diego, CA, March 8, 2011, David Harley
Email malware: blast from the past
It is, as Aryeh Goretsky remarked to me recently in a slightly different context, almost like Old Home Week. He was referring to recent work by a number of luminaries formerly prominent in antivirus research like Eugene Spafford, Ken van Wyk, and even Fred Cohen. But today I'm waxing nostalgic about a piece of malware. Not one of those anniversaries that have filled so many blogs, articles and videos recently (happy birthday, dear Brai-ain….
San Diego, CA, March 5, 2011, David Harley
Stuxnet analyses: more jaw-jaw*, more cyberwar, less precision
Added 5th March 2011 to the Stuxnet resources page at http://blog.eset.com/?p=5945.
- Myriam Dunn Cavelty at Parliamentary Brief Online (29 October 2010): The real cyberwar is about beating the crooks and the spooks
- Myriam Dunn Cavelty and Oliver Rolofs for Munich Security Conference: MSC Booklet Paper: From Cyberwar to Cybersecurity: Proportionality of Fear and Countermeasures
Hat tip to @vmyths, especially for the first article, which I hadn't spotted previously.
San Diego, CA, March 4, 2011, David Harley
Langner, Stuxnet, US and Israel.
Added to the Stuxnet resources page at http://blog.eset.com/2011/01/23/stuxnet-information-and-resources-3 on 4th March 2011: Ralph Langner at the TED Conference, as summarized by the BBC: US and Israel were behind Stuxnet claims researcher. As previously mentioned at http://blog.
San Diego, CA, March 4, 2011, Randy Abrams
Politicians Better at Security than Twitter, Yahoo, and Amazon
Recently Senator Schumer from New York wrote a letter (http://www.infosecurity-us.com/view/16328/senator-schumer-current-internet-security-welcome-mat-for-wouldbe-hackers/) to Twitter, Yahoo, and Amazon asking them to make SSL the default for internet connections. What this means is that instead of an http connection they should provide an https connection by default.
San Diego, CA, March 4, 2011, David Harley
Here’s my support desk!
I guess someone in the general area of Kolkata reads my blog posts. At any rate, after I posted a blog yesterday bemoaning the fact that I had to do my own systems support, I got a phone call from a gentleman with a pronounced accent wanting to help me with my virus problem.
It's Raining Men (And Wooden Horses)
You didn't know I had a virus problem? Neither did I, but he assured me that I was spraying malware all over the part of town I live and work in. Well, I suppose that explains why I tripped over a Conficker and got fake AV all over my trousers on the way back from the library.
San Diego, CA, March 4, 2011, David Harley
Facebook Spam: the Fifth Wave
My colleague from ESET Ireland, Urban Schrott, reports that the company has seen a megawave of Facebook spams: five separate spams in 24 hours. I've no idea of the numbers involved, but Urban's "think before you click" message is well worth repeating. The post is to ESET Ireland's CyberThreats Daily blog post: the company also has a Facebook page at http://www.facebook.
San Diego, CA, March 4, 2011, Randy Abrams
WordPress.com Survives DDOS Attack
WordPress.com is a popular blogging host. Recently, for unknown reasons miscreants launched a massive distributed denial of service attack (DDOS) against WordPress.com.
San Diego, CA, March 3, 2011, David Harley
Where’s your IT support desk when you need it?
First of all, the guys at ESET North America have just added a paper to the ESET white papers page at http://www.eset.com/us/documentation/white-papers:
Hanging on the Telephone By David Harley, Urban Schrott and Jan Zeleznak, February 2011
As if fake anti-virus products weren’t bad enough, nowadays we have unsolicited phone-calls from fake AV helpdesks. ESET researchers tell you more about support scams.
San Diego, CA, March 3, 2011, David Harley
Nice Stuxnet Commentary and Hype Deflation
Some extra resources:
- J. Oquendo takes a cold, clear look on Infosec Island at some of the hype that surrounds the Stuxnet story: Cyberterrorism – As Seen On TV
- While Visible Risk, while by no means entirely negative about the Vanity Fair Stuxnet story (see http://blog.eset.com/2011/03/02/more-on-stuxnet), makes an entirely reasonable point about Irresponsible Sensationalism.
San Diego, CA, March 3, 2011, David Harley
Androids and Gingerbread Men
[Update: Just spotted another useful blog, this time by Vanja Svajcer, on the Aftermath of the Droid Dream Android Market malware attack.] Further to my post yesterday about Android malware, there's an additional resource by Costin Raiu and Denis Maslennikov that you may find interesting and useful, if you have a slightly techie turn of mind. If not, you may be reassured by the fact that all the relevant malware they've seen uses exploits that are restricted to Android OS 2.2 and below: if you have 2.
San Diego, CA, March 3, 2011, David Harley
Social Security Numbers: deja vu all over again
My attention was just grabbed by an Infosec Island post on Social Security Numbers Easily Cracked, by Robert Siciliano. That's because I remembered quite a lot of fuss about it being made back in 2009. And it turns out that the article, though posted today, is actually referring back to an article from July 2009 by Robert Westervelt for SearchSecurity: Researchers predict SSNs, crack algorithm putting identities at risk. Which is fine: there's still an issue, and Siciliano makes one or two interesting points.
San Diego, CA, January 13, 2011, David Harley
Stuxnet Resources Update
Added to the resources blog at http://blog.eset.com/2011/01/03/stuxnet-information-and-resources:
- Report of a Stuxnet-unrelated vulnerability in SCADA software
- A speculative cyberwar link
- Some links on Iranian post-Stuxnet "cybermilitia" recruitment.
http://www.
San Diego, CA, January 12, 2011, David Harley
Changes at ESET
This isn't really Threatblog fodder, but I'd like to take the opportunity to congratulate Richard Marko and Andrew Lee on their accession to ESET CEO superstardom. Richard has been appointed as global CEO of the ESET group, while Andrew has returned to ESET LLC as its CEO. It's good to know, though, that Miroslav Trnka and Anton Zajac, who formerly occupied those positions, will continue to be active within the companies.
David Harley CITP FBCS CISSP.
San Diego, CA, January 12, 2011, David Harley
Thanks for your support scam
...In fact, while the season for the traditional end of year crystal ball-gazing is pretty much over, I'll venture a few extra predictions based on recent observations of the support scam business...
San Diego, CA, January 10, 2011, David Harley
Soothsaying, Forsooth!
If you haven't yet had enough of the crystal balls that have been bouncing all over the media and the blogosphere in the past few weeks...
San Diego, CA, January 7, 2011, Randy Abrams
Arrested for Cheating the Cheaters
Picture from https://secure.wikimedia.org/wikipedia/en/wiki/File:Casino_slots.jpg
This is a really bizarre computer crimes case.
San Diego, CA, January 7, 2011, David Harley
Facebook Security Lockdown Guide
..."It" is a ZDNet article - well, more like a slide show - by Zack Whittaker, called January 2011: The Definitive Facebook Lockdown Guide...
San Diego, CA, January 7, 2011, Randy Abrams
Is it the iPhone or the User?
The folks at Trusteer got their hands on the logs from some phishing sites and found that people using iPhones are more likely to fall for phishing attacks than users of other devices, including PCs. Some of the findings included:
- Mobile users get to the phishing site sooner than PC users.
- Mobile users are 3 times more likely to submit their credentials to a phishing site than desktop users
- 8 times as many iPhone users accessed these phishing sites than did BlackBerry users.
It should come as no surprise that mobile users get to the phishing sites first.
San Diego, CA, January 4, 2011, David Harley
Stuxnet Analysis 1.31 and TDSS article
...version 1.31 of "Stuxnet Under the Microscope" is now available on the white papers page ... Until now Rooting about in TDSS was only available to VB subscribers, but it too is now available on the ESET white papers page.
San Diego, CA, January 3, 2011, David Harley
Stuxnet Information and Resources
The Stuxnet analysis "Stuxnet Under the Microscope" ... has, unlike most ESET white papers, been subject to a number of revisions as we've come to know more about the malware itself, and as the purposes of its perpetrators have become clearer. However, since all the known vulnerabilities exploited by Stuxnet have now been patched, version 1.3x of the document is likely to be the last substantial revision.
San Diego, CA, January 2, 2011, David Harley
Comment Spammers Welcome
...one interesting trend in blog comment spam that I