CounterMeasures - A Security Blog � spam

70 million customers affected by the Sony breach

Rik Ferguson — Wed, 27 Apr 2011 07:28:18 +0000

The most recent update update from Sony unfortunately confirms the worst fears of many. Between April 17th and 19th an “unauthorised person” gained access to the personal information of Sony’s more than 70 million customers. The information confirmed stolen is as follows:

– Name
– Address
– Email address
– date of birth
– PlayStation Network/QRiocity login name and password and online ID

Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.

Data mining for bad guys

Rik Ferguson — Tue, 05 Apr 2011 09:22:24 +0000

My notification mail from Hilton HHonors

Over the past three days many of us have woken up to an unwelcome sight in our email inboxes. A notification that your email address was among those exposed in what may be the biggest data theft of its kind, the data breach at the “database marketing vendor” Epsilon. Today I got my first one and I’m far from alone.

The list of companies affected by this intrusion is already long, but seems to still be growing. The notification mail I received was from Hilton HHonours, the loyalty scheme for Hilton hotels. Other affecetd companies include: American Express, BestBuy, Borders, Capital One, Citibank, Disney, The Home Shopping Network, JP Morgan Chase, Marriott Rewards, Ritz Carlton, TiVo, US Bank, Verizon & Visa, to name but some.

No details have been made available regarding how the data was accessed beyond the initial statement made on the 1st April by Epsilon and the breach notification mails continue rolling in to affected individuals.

Epsilon state that the “unauthorized entry into Epsilon’s email system” affected just 2% of their customers and that they comprise only a subset of the clients to whom Epsilon provide email services. Given the list of names of affected institutions known thus far then, you have to wonder if the attackers were able to browse the entire database at will and extract only what they considered to be the most valuable information.

Every notification email and also the public statement from Epsilon reassures us that “only” names and email addresses were “obtained” (read stolen) and that no other information, financial or otherwise is at risk. Unfortunately, this downplays the level risk to customers and is also misleading.

Not only do the criminals know your name and email address, they know where you go shopping, where you bank, which hotels you stay at and much more. If you are unfortunate enough to have received multiple notifications, just imagine what kind of profile is now in criminal hands.

The risk from spear-phishing (highly targeted phishing) is hugely increased as a result of this data breach and people should be more vigilant that usual when receiving emails from affected institutions that may request personal information.

It is important to remember though, that phishing is not the only criminal activity facilitated by this fraud. This gold mine of information makes credible malicious mails much more simple to design. An email may appear to come from from an organisation or shop of which you are known to be a customer. It will be designed solely to get you to click on a link. In the complex world of online crime you are often only one click away from compromise and infection without any user interaction beyond that first click. If a criminal can own your PC, they don’t have to ask your for your personal details, they can simply take them, and much else besides.

So, for those affected by this breach, (note to self):

Pay careful attention to emails your receive in the coming months, perhaps years.
Never surrender personal information to a website without having used one of your own bookmarks to get there or typing it yourself (i.e. don’t follow links in mails).
Before giving out personal details, ensure that the connection is secured with SSL. You can see this is the case if the address starts with “https://“. If it’s not encrypted they don’t deserve your data.
Read the privacy agreement carefully before you hand over any details. If there is anything you are unhappy with reconsider your decision to sign up.
To better insure yourself against this kind of eventuality in future consider using unique addresses for each service, I wrote an article on how to easily achieve this here.

And for all of the companies out there that process, store or transmit personal data belonging to other people… ENCRYPT IT, no excuses, no get out clause. This is only the beginning and you owe your customers a duty of care.

Email this!

Rik Ferguson — Sun, 12 Dec 2010 00:13:17 +0000

Spammers are abusing the social media sharing functionality of popular web sites, to bypass spam filters.

I received an email this evening with the subject line “NYTimes.com: Money for Social Science”, turns out it was a story that a spammer had chosen to share with me from the New York Times web site. Of course the spammer was not aware of my hidden passion for Social Science funding projects, he was simply trying out a new avenue to get his scam into my inbox.

The article sharing functionality allows the sender to specify their own message to go along with the story and of course that was where the much more traditional 419 scam was to be found.

Spam sent through NYT article sharing

Although this tactic means that the Spam will be sent from an IP address that is unlikely to be blacklisted, and contain much content that is unlikely to set off a spam filter, it certainly doesn’t add any credibility, to a 419 scam at least.

That said though, if this technique were to be adopted by criminals seeking to spread socially engineered malicious links it could be made to look much more convincing. Interestingly this abuse of the New York Times web site happens in spite of the fact that users need to create an account in order to share stories by email. Perhaps web sites offering this kind of functionality would do well to invest in technology to scan the content of their outbound emails in order to stomp on this sort of abuse. If it becomes widespread they are very likely to find themselves blacklisted which would be a serious blow to their social media capabilities.

Targeted to appeal to executive vanity

Rik Ferguson — Wed, 17 Nov 2010 23:52:52 +0000

A friend of mine received an “interesting” email today. The friend in question is a senior director with an global software company and this targeted spear phishing attack was clearly designed to appeal to his executive vanity. Presumably with the aim of harvesting enough details to build a valuable contact database. Click the thumbnail below to view the original mail.

: Click to enlarge: The Phish!

The email in question was adressed to the victim’s correct first name and informs them that they have been

“selected by the nomination committee to represent your industry in the Top 100 Business Leaders of 2010“

All the unfortunate mark needs to do is “verify your biographical information and obtain your photo and/or company logo prior to the upcoming publication deadline“.

There are a couple of clues in the mail that should serve as warning signs… Firstly there is no mention of when the spurious deadline actually falls, clearly an attempt to prolong the shelf life of the scam, also both URLs embedded within the mail have been obfuscated with URL shortening services.

The eventual landing page of the phishing mail looks like the below:

If the mail itself wasn’t enough to make you suspicious, the website should be! It is one single page, there are no links to any contact or corporate information and the only quote on the site is of course unattributed. Finally the graphic on the site seems to suggest issues of the Top 100 magazine dating back to 2004, the domain was only registered in October of this year and of course the details of the registrant are protected.

In the case of unsolicited mail, always look a gift horse in the mouth; after all that’s where the Greeks hid their spies.

Bredolab, dead, dying or dormant?

Rik Ferguson — Tue, 26 Oct 2010 16:14:07 +0000

As I blogged earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command & control servers for the Bredolab botnet.

In an update to that news, they have also announced the arrest of a 27 year old Armenian citizen suspected of being the brains behind the operation.

So is Bredolab, dead, is it dying or is it simply dormant?

The glib answer is that we don’t know, but let’s consider the current situation. Many if not most of the victim machines infected by Bredolab remain infected, the botnet has simply been decapitated. How effective has that decaptiation been? The graph below shows the marked decrease in the number of Bredolab samples collected from a pool of Bredolab C&C servers, this shows clearly the effectiveness of the law enforcement action.

Bredolab binaries downloaded over time

What we do know though, is that there is at least one Bredolab C&C server still active and that it is not hosted in the Netherlands, where there is one, there is the potential for more.

TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let’s hope that is not the case with Bredolab.

Dutch Authorities move on Bredolab

Rik Ferguson — Tue, 26 Oct 2010 10:53:49 +0000

According to a press release today from the High Tech Crime Team of the National Crime Squad in the Netherlands, action has been taken to isolate 143 servers from the Internet.

The servers were actively involved in the Bredolab botnet, from the release they would appear to be command and control servers. The servers were hosted by a company called LeaseWeb, one of the largest hosting providers in the Netherlands, who fully cooperated in the coordinated takedown operation.

Bredolab infection mails

Bredolab is primarily a downloading platform and has served to distribute fake AV and ZeuS to victim computers. The botnet, which originated in Russia, only rose to prominence in August 2009. Dutch Authorities estimate that it was capable of infecting 3 million computers per month at its peak. The primary initial trigger for infection with Bredolab was usually though mail, but infection vectors have been widely abused and also include drive-by download and even propagation through other forms of malware, for example, Cutwail has been seen to drop Bredolab as a payload, and Bredolab has been known to return the favour!

It is unclear right now whether the botnet has been effectively decapitated or it this only represents a setback to the criminals behind it. The bots remain infected with the malware so if alternative command & control servers exist, then reconfiguration and regrouping remains a possibility. TrendLabs are investigating current activity levels of the botnet and I will update this blog as soon as new information is available.

New malicious Twitter spam

Rik Ferguson — Tue, 15 Jun 2010 14:36:25 +0000

Just a couple of hours ago I started getting some very shady looking tweets like the below.

Malicious Tweet

The link in the post is abbreviated, but leads on to a site hosting some obfuscated JavaScript.



If this JavaScript is executed by the browser an unpleasant payload is delivered to the victim. So far we have seen both malicious PDF documents and executable files. These Trojans attempt to connect to additional locations to download further malware. TrendLabs are currently investigating, watch the blog for updates.

This latest Twitter malspam follows hot on the heels of the Gaza and FIFA spam run earlier this month.

Be careful where you click and make sure your security software is blocking those evil links.

Who’s checking your Facebook profile? Scammers.

Rik Ferguson — Sun, 14 Mar 2010 21:08:08 +0000

Yet another variation on a Spam theme for Facebook to deal with tonight. I have identified at least 25 different copies of the same rogue app with names such as peeppeep-pro, profile-check-online and stalk-my-profile

A wave of applications have been published that promise to reveal the truth about which of your friends are viewing your Facebook profile. The promise is worthless and the apps are bogus.

Rogue App wall post

Facebook users may notice wall posts or receive notifications from their friends, unwitting victims all, encouraging them to install the rogue app, along with bogus assurances on its reliability.

Rogue App "Configuration" screen

The app itself is designed to look convincing enough, but none of the many “Continue” buttons it offers will activate some under-the-counter profile checking functionality, they will just push you into another Facebook app earning the scammer advertising revenue in the process.

Notifications from two versions of the rogue app

In an interesting twist on the now familiar theme, at least one version of the rogue app will create a photo montage of all the infected user’s friends, tag it so that they all receive notifications and then post the photo.

Bogus photo montage from rogue app

These changes in scam tactics are clearly designed to overcome the changes that Facebook made recently to application functionality, including removing the ability for applications to send notifications directly.

I can see that Facebook are actively combating these applications as they are posted, even on a Sunday evening, which is commendable but… I said it first back in February 2009, isn’t it time Facebook at least had a review of their application publishing policy? The idea was dismissed back then, but now that these things are becoming a regular occurrence there must be a tremendous burden being placed on the incident response handlers at Facebook that could be better channeled into an application vetting process.

For now though, just don’t click the links, they will disappear from your streams as Facebook remove the offending apps. There is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile.

A quick look in your Photo stream will show you how widespread the victims of this scam are:

Screenshot of my own Photo stream

Rogue Facebook app “Like” pushing Zwinky & MyWebSearch

Rik Ferguson — Sat, 27 Feb 2010 17:09:25 +0000

Initially I wasn’t going to blog about this, as I didn’t want to appear to be on a run of Facebook related posts. However this has been ongoing for over a week now, this same rogue app keeps reappearing, several of my own friends have fallen victim, so a warning seems like a good idea!

The rogue Facebook app in question has appeared for at least the third time in the space of a week and is clearly designed to fool victims into clicking the spam notifications it sends out, in order to earn the scammer some cash through affiliate based advertising.

The app is named “Like” and borrows the icon from the official Facebook “Likes” function. The Spam notifications it sends out have also been designed to resemble the real Facebook functionality. The name of the application contained in the Facebook URL has equally been designed to fool each time, it has been ”im_best_app”, “farn_ville” and “pet_villeik” respectively.

Rogue app Facebook notification.

If you click the link in the notification you are invited to allow the rogue app access to “your profile information, your photos, your friends’ info and other content it requires to work”. Of course with the app having ‘borrowed’ so freely from official Facebook look and feel many otherwise cautious users are falling for the ruse.

Rogue app "Like".

If you do click the “Allow” button you will very briefly see an application page that simply reads “Error! Error! ERROR!” before being forwarded to an external (to Facebook) website hosted at Dizzy Networks.

Like Facebook app page

Dizzy Networks is a “technology focused advertising company” whose advertisers are apparently “hand selected and control their campaigns to fully optimize your overall performance“. Although, if you were interested in signing up as an advertiser for Dizzy Networks you’ll need to be trusting because the terms and conditions that you must agree to are “coming soon”!

The page at Dizzy Networks contains only a JavaScript that redirects once more to the landing page at Zwinky proposing the installation of the Zwinky software. The URL of that landing page contains the partner ID ZJxdm493 which would perhaps identify the person behind the scam. At the very least it would appear that Zwinky may be paying out commission under false pretences and Facebook users are having their personal information put at risk.

Facebook staff have responded to user complaints and to the information that I have sent them very rapidly in the two previous cases and I am sure this third example will also be removed quickly. Wouldn’t it be great though if some mechanism could be put in place to protect their hundreds of millions of users proactively?

Twitter.Grader.com hacked?

Rik Ferguson — Thu, 11 Feb 2010 20:07:29 +0000

Twitter Grader home page

UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:

http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

- Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.

: Example of affected accounts (search by Twitscoop)

Fortunately the link that has been endlessly tweeted by grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.

The domain name of the destination site however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised.

Embarassingly the victims of this attack also include Dharmesh Shah, the founder of Grader

: Dharmesh Shah on Twitter

UPDATE: Hubspot, the parent company have tweeted that they are aware of the hack and working on a solution. In the meantime, if you are a Grader user, you may want to consider temporarily revoking Access to Grader in your Twitter profile via Settings -> Connections.