AppRiver

2011 was a year riddled with data breaches and malware outbreaks. Less than 3 weeks into 2012 and we are already seeing a few of our security predictions for 2012 coming to true.  

More High Profile Data Breaches- Data breaches were rampant in 2011 with businesses such as Sony, HB Gary Federal, RSA, WordPress, Episilon and many others being infiltrated and pillaged. It seemed like the there was a different breach for every day of the week. Well it did not take long in 2012 for the trend to continue. A few days ago Zappos (online shoe and clothing retailer) reported being hacked and exposing data for a whopping 24 million customers. Client information exposed in the breach included names, address, email, phone numbers, last four digits of credit card on file and passwords(although scrambled). Although no full credit card information was reported to have been exposed, there is still some danger. If the passwords are recovered by the hackers, they could be used to access the emails of the many individuals that are in the habit of using the same password across all of their personal accounts. Believe it or not this happens a lot more often than you might think. Additionally, the collected personal data could be used in more directed or personalized attacks as well as kept to be later correlated with other stolen data. The fallout for the companies that suffer these types of breaches can be detrimental. In the case of Zappos there will almost certainly be cancelled accounts, lost sales and a hit to their reputation. There is even news today that there has been a class action lawsuit filed on behalf of the customers involved. There is a high degree of certainty that these breaches will continue throughout 2012

Malware Using Social Media- Social Networking sites such as Facebook, Twitter and the like have all become a very popular vector for malware distribution. Whether it is being distributed on the social sites themselves or spam emails posing as correspondence from the site, this method has only been growing in popularity and will proliferate in 2012. We are currently monitoring many malicious campaigns that are attempting to pose as legitimate social networking communications. One campaign is coming in droves today and poses as a friend invite from Facebook. The message includes a link to a website hosting a malicious Javascript. In just a few seconds the victim’s machine has communicated with a host and installed a Trojan.

Here is a look at the message:

These attacks are nothing new but sometimes less really is more and let’s face it who isn’t at least a little curious about that friend request they just got? So what if you don’t recognize the name.. It is just one little click. Given their effectiveness, these attacks will be numerous in 2012.

Earlier today we announced the release of an end-of-year overview of the spam and other threats we tracked during 2011 and a look forward to the security threat trends we see on the horizon for 2012. You can read the entire 2011 Spam and Threatscape report, or if you prefer spend five minutes watching our video overview.

Today we discovered a malware campaign posing as Twitter invitations. These messages appear to come from invitations@twitter[dot]com. They inform you that a friend has invited you to join twitter.  The messages contain a legitimate link to twitter but they also have an attachment (Invitation Card[dot]zip). The attached file is in fact a dangerous worm that has been around for some time but is still making the rounds.

Copy of the message:

This malicious program contained in the .zip file, is an Email & P2P worm that intercepts user requests to websites and redirects them to a malicious URL. When executed the worm creates an executable with autorun enabling keys to ensure that it is launched each time the system is restarted.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"RTHDBPL"="%appdata%\SystemProc\lsass.exe"

The malicious program terminates the processes of many commonly used antivirus programs. The malicious program then monitors web pages that are visited waiting for certain keywords to appear in a webpage’s headers. When one is visited with headers containing one of these words, it forces a redirect to a malicious webpage. The malicious program also harvests email addresses from various locations on the machine, then begins sending them phishing messages for popular banking websites.

Of course all of our customers are safe from this threat as well as the phishing messages that it produces.

A Christmas Gift from AppRiver to Celebrities (and the Rest of Us)

We are always looking to warn people of the many additional threats that proliferate during the holiday season. One threat that we see on the rise this time each year is malware spreading under the guise of fake gift cards.

This morning a particular campaign caught our attention.  These messages pose as a Gift Card from Amazon. Of course with all the online shopping, gift giving/receiving this time of year, there is an added aura of authenticity to these messages. In fact, I ordered an Amazon gift card just yesterday.

The messages are straight forward. They are addressed from Amazon and claim to contain an attached gift card that “You have received”. The [Gift_Card(dot)exe] attached is actually a trojan downloader belonging to the virus family “Yakes”(also known as Dofoil).

Here is a look at the message:(gift card amounts vary)

These types of threats always run rampant during the holidays. In addition to these fake Amazon gift cards we are seeing thousands of other threats utilizing every social engineering technique imaginable. Be wary of emailed gift cards, credit card purchase receipts, holiday promos, airline ticket confirmations, greeting cards, etc..   This cast net approach by spammers is always more effective this time of year so don’t be a victim. As usual, we are blocking all known variants of this threat.

An expected 42.5 million people will be traveling for the Thanksgiving holiday next week. Many of these folks will be traveling by air to their destination. In light of this, this week is perfect timing for a malware attack that poses as an email confirmation from an Airline. A few weeks ago we started monitoring a malicious email campaign that was posing as email notices from American Airlines. These messages were delivering a malware infection that has been often linked to scareware scams in the past. Today, we are seeing a new message campaign that reports to come from Delta Airlines and also poses as a ticket confirmation.

The ‘from’ address is made to appear from DeltaElectronicTicketReceipt@delta[dot]com. The message is peppered with links that lead to a website containing some malicious JavaScript, utilizing a heap spray attack and of course leading to malware installation. Our analysis of the newly added files indicates an infection of our old friend Pushdo (aka Cutwail, Pandex). Pushdo botnet has been around since 2007 and has often been known to utilize fake invoices as a preferred social engineering tactic.  

Here is a look at the message:

While these types of attacks have become very common, it is a vulnerable time for people around the holidays. With so many holiday travelers flying this Thanksgiving, these messages may peak some additional interests than they ordinarily would. In addition to travel related attacks, spammers will also be looking to capitalize on fake store receipts and other shopping related attacks throughout the holidays. Be on the lookout for an escalation of this activity this holiday season.

This morning we began monitoring a new malware campaign posing as a ticket purchase confirmation from American Airlines. Just before 9 a.m. (CST) we saw a huge influx of these messages. To this point (9:40 am,CST) 43 major AV providers do not have any definitions in place for this piece of malware. A scan on ‘Virus Total’ yielded a result of 0/43 AV engines recognizing this threat.

Here is an example of the message in question:

 The messages claim to be from American Airlines and aim to convince the recipients that their credit card has been used to purchase a ticket. Each message has a .zip file attached that alleges to contain the ticket. As you may have guessed, the attachment is in fact a fresh piece of malware. The malicious file in question is identified as [Trojan.Anamkia] which has been associated with infections by the “Incognito” toolkit. In the past these infections have resulted in the installation of rogue AV. Once infected the malware will attempt to reach connect to [FALSHOP2011.RU] 91.220.35.39. This is a newly registered domain located in Ukraine.

Our real time monitoring and quick propagation time allowed us to have this threat blocked within seconds after it began and before 43 AV providers. At the time of this post we have quarantined nearly 10,000 of these message. As usual, all of our customers are protected from all known variants of this threat.

If you have ever used the SpamLab tab you have probably seen the summary of your Inbound Mail. Hosted Exchange customers will now have a new Mailbox Summary that provides a similar instant snapshot into mailbox usage on your domain.

You can instantly see how many mailboxes you are using, how many mobile devices are connected to those mailboxes and other relevant information.

Of course, AppRiver Hosted Exchange includes unlimited storage, but as mailboxes grow, mobile devices and mail clients can encounter performance issues.

Mailbox heath is important and with this update you will now be able to instantly determine which mailboxes could be impacted by poor performance due to item count or mailbox size.

This morning we started tracking a phishing campaign that is attempting to steal login credentials of StubHub[dot]com accounts. The messages claim that your account has a charge pending for the handsome amount of $2766.95 for two tickets to the Pacquiao vs Marquez boxing event in Las Vegas this November.  In the past few hours we have seen 6000(and counting) of these messages. The messages all contain a link to one of the five (below) listed domains where phishing sites are being hosted to capture your login information. All five of the domains appear to have been legitimate websites that have been compromised. All of the sites being used are hosted by Earthlink.

·         fullertonfs.com

·         rainmaven.com

·         10kcal.net

·         arcadiacitrus.com

·         hendrycompany.com

 Once your credentials have been entered you are redirected to the actual StubHub website.

Here is a look at the message:

Phishing Page:

There are reports that some users who have upgraded to iOS 5 are experiencing major battery-life issues. It appears that it is affecting iPhone and iPad users more so than those who have an iPod Touch. There are some new features that have been added to iOS that may cause higher power consumption. With these additions shorter battery life is to be expected, but not at the accelerated levels that are being seen on some devices. There is no "official word" as to the cause at this point, but fingers have been pointed at e-mail, location services, and iCloud, as potential culprits. Here are are a few suggestions to address this problem if you encounter it on your device.

Step 1

Make sure all your apps are up to date. Go to the App Store on your device and select Updates. The number of available updates should be displayed, and you may wish to connect to Wi-fi for these updates to avoid data overages. Once all of your updates have been applied, restart your device by holding the Home and Lock buttons until you see the Apple logo. Monitor your battery usage to see if this resolves the issue.

Step 2

Try toggling these settings individually to determine if they may be causing your battery to drain faster than normal. You can also turn this all off and toggle back on individually if you prefer.

Disable Diagnostic & Usage Reports: 
     Tap on “Settings” > General > About > Diagnostic & Usage > Don’t Send

Disable Time Zone Adjustment: 
     Tap on “Settings” > “Location Services” > ‘System Services’ > Setting Time Zone to OFF

Disable Ping: 
     Settings > General > Restrictions > Enable Restrictions > Ping > OFF

Reset Network Settings:
     Tap on “Settings” > Reset > Reset Network Settings

Disable Bluetooth:
     Settings > General > Bluetooth > “OFF”

Disable Notifications & Apps in Notification Center:
     Settings > Notifications > Turn OFF for anything you don’t need

Disable iCloud:
     Settings > General > iCloud > Turn everything to OFF

Disable Location Services:
     Settings > Location Services > Disable selectively for services you don’t use

Delete eMail Accounts, Reset Network Settings, Re-add eMail Accounts:
To do this, follow these steps:
     1. Delete your email accounts by going to “Settings” > Mail, Contacts, Calendars > Account Name > Delete Account.
     2. Now Reset Network Settings in “Settings > Reset > Reset Network Settings
     3. Reboot the iOS device.
     4. Re-add email accounts back in “Settings” > Mail, Contacts, Calendars > Add Account

Step 3
As a last resort, it has been suggested that restoring the device via iTunes might resolve the issue. Make sure you have performed a complete backup of your device before proceeding.

These simple steps should get the batteries in your iOS device back on track.

Jim Rhodes is a Mobility Solutions Engineer for AppRiver, a leading hosted Exchange and e-mail security provider.