AppRiver

Evasive Malware Delivered In Fake BBB Complaint

Thursday, May 10, 2012 by Troy Gill

 

Malicious emails claiming to be from the Better Business Bureau have been hitting our spam and virus filters en masse today. These messages attempt to convince the recipient that the BBB has received a complaint from a customer and that the file attached to the email contains a summary of the complaint. You are instructed to open and read the attached "report" and reply with your response to the claim. The problem is that the "report" is actually an executable file carrying a Trojan.

Here is a look at the message:

Preliminary examination of the file indicates that it is a variant of the ever-popular Zeus (Zbot) family, although some behaviors differ slightly from the most recent Zbot infections we have examined. Once this variant launches and hides itself, it does a thorough job of disarming the host by making the following registry changes (the S-1-5-21-... key is the infected user's SID):

Disables Task Manager:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = 0x00000001

Disables Internet Explorer's Authenticode signature check on downloaded executables:

\REGISTRY\USER\S-1-5-21-2861947270-1595359862-2473858597-1000\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = no

Stops Windows from recording the zone identifier (the "mark of the web") on saved attachments, so downloaded files no longer trigger the "this file came from the Internet" warning when opened:

\REGISTRY\USER\S-1-5-21-2861947270-1595359862-2473858597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = 0x00000001

Adds executable types (.exe, .bat, .com, .cmd, .reg, .msi, .scr) to the list of "low risk" file types, which suppresses the open-file security warning for them:

\REGISTRY\USER\S-1-5-21-2861947270-1595359862-2473858597-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi,.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;

Communication is observed with the following domains:

  • unocardgam(dot)com
  • whatisadebima(dot)com
  • wisudarel(dot)com
  • fokuslol(dot)com
  • froukloro(dot)com
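The registry values and C2 domains above are exactly the indicators a host-hunting rule should key on. The following Python is an added example, not AppRiver's tooling: it normalizes registry paths as written in analysis reports (\REGISTRY\USER\<SID>\...) to the HKLM/HKU form that Sysmon logs, checks each value's meaning rather than a literal string (so "DWORD (0x00000001)" and "1" both count), and runs over a handful of constructed Sysmon-style events (Event ID 13 registry value set, Event ID 22 DNS query). The event shape, process paths and sample values are assumptions made for illustration.

```python
"""Added example (not the post's own tooling): hunt for the Zbot host changes
and C2 lookups described above in Sysmon-style telemetry. The events at the
bottom are constructed for illustration; field names follow Sysmon Event ID 13
(registry value set) and Event ID 22 (DNS query), and the image paths are
assumptions."""
import re

C2_DOMAINS = {"unocardgam.com", "whatisadebima.com", "wisudarel.com",
              "fokuslol.com", "froukloro.com"}

# File types a user should still be warned about before running; the variant
# adds all of these to LowRiskFileTypes.
EXEC_TYPES = {".exe", ".scr", ".bat", ".cmd", ".com", ".msi", ".reg"}

# Hive prefixes as written in analysis reports vs. as Sysmon logs them.
_PREFIXES = (
    ("\\registry\\machine\\", "hklm\\"),
    ("hkey_local_machine\\", "hklm\\"),
    ("\\registry\\user\\", "hku\\"),
    ("hkey_users\\", "hku\\"),
)


def normalize_key(path):
    """Lower-case, map hive names to hklm/hku and replace the per-user SID with '*'."""
    p = path.lower()
    for old, new in _PREFIXES:
        if p.startswith(old):
            p = new + p[len(old):]
            break
    return re.sub(r"^hku\\s-1-5-[\d-]+\\", r"hku\\*\\", p)


def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' (or a bare number); None if not numeric."""
    m = re.search(r"0x[0-9a-f]+|\d+", details, re.IGNORECASE)
    if not m:
        return None
    tok = m.group(0)
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


# Normalized value path -> predicate over the Sysmon 'Details' string.
REGISTRY_IOCS = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\disabletaskmgr":
        lambda v: dword(v) == 1,
    r"hku\*\software\microsoft\internet explorer\download\checkexesignatures":
        lambda v: v.strip().strip('"').lower() == "no",
    r"hku\*\software\microsoft\windows\currentversion\policies\attachments\savezoneinformation":
        lambda v: dword(v) == 1,
    r"hku\*\software\microsoft\windows\currentversion\policies\associations\lowriskfiletypes":
        lambda v: bool(EXEC_TYPES & {t.strip().lower() for t in re.split(r"[;,]", v)}),
}


def find_indicators(events):
    """Return (index, reason) for every event matching a registry or DNS indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 13:
            key = normalize_key(ev["TargetObject"])
            check = REGISTRY_IOCS.get(key)
            if check and check(ev["Details"]):
                hits.append((i, "registry tamper: " + key.rsplit("\\", 1)[1]))
        elif ev["EventID"] == 22:
            q = ev["QueryName"].lower().rstrip(".")
            if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
                hits.append((i, "C2 lookup: " + q))
    return hits


# Constructed sample telemetry (assumed paths; the SID is the one from the report).
SID = "S-1-5-21-2861947270-1595359862-2473858597-1000"
IMG = r"C:\Users\victim\AppData\Roaming\report.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": IMG, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"EventID": 13, "Image": IMG, "Details": "no",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures"},
    {"EventID": 13, "Image": IMG, "Details": ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi,.htm;.html",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes"},
    # Benign: Explorer toggling its own "show hidden files" setting.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000002)",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 22, "Image": IMG, "QueryName": "wisudarel.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for idx, reason in find_indicators(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} ({SAMPLE_EVENTS[idx]['Image']})")
```

Matching on the normalized path with the SID wildcarded means one rule covers every user hive on the box, and checking the value semantically avoids missing a hit because one sensor renders the DWORD as "1" and another as "DWORD (0x00000001)".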

Currently only 9 of 42 (21%) AV engines identify this threat as malicious, and in the past 24 hours we have seen nearly half a million of these messages hit our filters. The Zbot (Zeus) malware family has been stealing money from people's bank accounts and harvesting other sensitive logins since 2008. In addition to capturing bank account credentials, Zeus has been known to steal Facebook logins, and beyond information theft it enlists the infected machine in a botnet. Avoid falling for this attack, and if you're ever in doubt, pick up the phone and call the sender to see whether the message is real.

Apple iOS and ActiveSync issues with Exchange

Tuesday, May 1, 2012 by James Dean

As the iPhone and iPad have grown in popularity, so have the problems they cause with Exchange ActiveSync (EAS). The problems described in this article affect Exchange 2007/2010, both on-premises Enterprise and Office 365, and are triggered by Apple iOS (iPhone/iPad) devices. If you run Exchange 2007/2010 and have users with Apple devices on EAS, you are almost certainly affected as well. An iOS device can modify and resync large portions of a user's contacts if a contact is edited after a search. Not only does this put unnecessary load on your network edge devices and Client Access Servers (CAS) in both 2007 and 2010, it also causes the Versions Dumpster in 2010 to consume large amounts of needless disk space. Here are the scenarios in which we have seen these complications arise.

Issue 1: A large number of contacts in a user's mailbox get modified.

Issue 2: In Exchange 2010, with single item recovery (SingleItemRecoveryEnabled) turned on, the Versions Dumpster becomes unreasonably large compared to the mailbox size. If RecoverableItemsQuota is set to unlimited and RetainDeletedItemsFor to a lengthy period, you could unknowingly consume all of your available drive space.

To reproduce the problem, open the Contacts app on an iOS device, use the search bar to find a contact, and edit it. Once you save the change you will find that ALL contacts containing a word that starts with the first letter of your search show a modification. The search step is essential: if you open Contacts and edit the contact without searching for it first, the behavior does not occur.

For instance, I opened the Contacts app on an iPhone and typed "mich" in the search field. I then scrolled down and selected Michael Smith to modify his phone number (any field will do). All contacts in the mailbox with a word starting with the letter "m", over 1,000 in this case, showed a new modified date in Outlook. As you can imagine, if 1,000 contacts are modified by my mobile device, not only do the changes sync from the device, my Outlook client has to sync them too. To make matters worse, on Exchange 2010 with SingleItemRecoveryEnabled, every one of those modifications gets copied into the Versions Dumpster. With a high number of Apple device users it would not take long for the Versions Dumpster to reach several GB.

Until Microsoft or Apple fix the issue, the only options are to ask users not to use the search feature when looking for contacts, or to keep RecoverableItemsQuota and RetainDeletedItemsFor set to low values. At the extreme end of the spectrum, you could block iOS devices from using ActiveSync with the Allow/Block/Quarantine (ABQ) device access rules in Exchange 2010.

This issue has been tested with several iPhones and iPads against Exchange 2007 SP3, Exchange 2010 SP1/SP2 and Office 365 with similar results.

Thank you to Rand Singer and Brian Goldstein at Singer Consulting, Inc. for helping pinpoint this issue.

 

James Dean is the Manager of UC Engineering at AppRiver, a leading email security and Hosted Exchange provider.

Pizza Ploy Makes the Rounds

Tuesday, April 24, 2012 by Fred Touchette

This isn't the newest of campaigns; we first began seeing it a couple of weeks ago. However, the same ruse is being recycled today, and it is just unusual enough that it made me want to take a closer look. As is often the case, these are arriving in our filters aimed at users' inboxes. Today we've seen just under 1 million pieces coming in at a rate of 1,500 per minute. The emails pretend to be a receipt from a pizza place from which the recipient apparently made a fairly large order. The order and final cost vary from email to email, but the format remains the same.

Towards the end of the order is this line: "If you haven't made the order and it's a fraud case, please follow the link and cancel the order." Most recipients would readily agree that this "is a fraud case" and go ahead and click the "Cancel Order Now" link.

Out of the million or so emails we've seen, the "Cancel Order Now" links reference 40 different domains, all of which host a page that displays the heading "WAIT PLEASE" in bold letters followed by "Waiting..." below. Beneath the surface, the page runs three different scripts that each attempt to download and run another script named "js.js" from a different location; all three do the same thing, and the triplication is simply redundancy in case any of the sites goes down. The "js.js" script pulls down several files from the IP 208.117.43.8, located in Chicago, IL. All of these belong to the SpyEye family; among them are a PDF exploit and a Java exploit. Once these do their work and weasel their way onto the newly infected system, a myriad of further downloads and communications take place, including a couple of components that make encrypted POSTs to 91.121.84.204 in France.

SpyEye became somewhat infamous in the underground economy when it appeared on the scene three years or so ago and went up against the then front runner, Zeus. Both were being sold as automated malware toolkits on underground forums. The authors of these toolkits seemed to be in competition with one another until the author of Zeus gave in and sold his source code to the SpyEye author, who then incorporated it into his kit. Zeus is still available for purchase, but it has been replicated and reused by many different groups, especially since the code was released, so many unsupported versions are going around. SpyEye, however, in its current form sells for upwards of $10,000 US. This version is customized and supported by the author: the price typically includes a year's license with full support, where the author answers any questions to help buyers get it off the ground and helps repack the payload into new undetected variants as many times as necessary for the length of the license. This goes to illustrate the professionalism found on both sides of the coin.

Don't worry though, AppRiver is taking care of this one for you. All known variants are currently blocked.


 

Are Your Ears Burning: Monitoring Keywords On Twitter By Email

Monday, April 23, 2012 by Shane Rice


Twitter sand sculpture | Twitter escultura de arena by Rosaura Ochoa

Twitter and other forms of social media have exploded in popularity and there are many tools that have cropped up to help anyone monitor this activity. You can use these tools to help track keywords based on  a hobby, interest, or your business.

I've used Topsy to search historical tweets, Tweetdeck for real time monitoring, and RSS feeds of keyword activity. I've had a hard time finding a reliable email notification tool for monitoring a keyword(s) on Twitter. That all changed when If This Then That launched.

If This Then That (http://ifttt.com) is a platform that allows you to create tasks based on actions in web-based services you use. So you can tell Twitter to save one of your favorite tweets to Evernote, or post pictures from Instagram to Facebook. Maybe you don't use all of those services and you're scratching your head as to how this can help your business. I've got a simple recipe to share with you that will send you an email every time someone mentions a keyword you'd like to track.

First you need to create an ifttt account. Next you'll need to activate your Twitter channel. To do this you'll need to sign in to your Twitter account or you can create a new one. Once your Twitter channel is active go to this ifttt recipe, enter the keyword you'd like to track, create task, and repeat as needed.

A couple of details to note. ifttt will run this task every 15 minutes, so don't expect real-time notifications in your inbox. It will send a maximum of 15 emails every time it runs. I personally use this task as a way to keep a copy of messages that mention AppRiver. Tweets that are more than a couple of weeks old don't appear in Twitter search results and this allows me to easily search a folder for any tweets I need to reference.

Here's a handy 5 step guide to help you set this up or share with your friends to help them complete these steps.

ifttt is just one of many tools you can use to monitor keywords, so feel free to share your favorite method in the comments. I'd also love to hear about any of your favorite ifttt tasks/recipes. 

A Surge of Smartphone Spam

Wednesday, April 11, 2012 by Fred Touchette

Remember the days when spam was free? Forget the fact that you hate it and had just now gotten used to it constantly aiming for your inbox. Now these pesky messages are everywhere, including your phone. And they're not just annoying; they're costing unlucky recipients money, since for many people every text to their phone translates to another small charge on their bill. Given the ease with which smartphones let people follow links in SMS messages, spammers are attempting to cash in. These texts are growing more and more prevalent, often offering free gift certificates, iPads, and iPhones. Just for fun, I took the bait so you wouldn't have to. Here's one from yesterday:

It appears I was randomly selected, which is sort of true. These spammers are using automated dialers to send these out en masse. Don't be tricked into responding to them or clicking on the links. If you respond, they'll often be able to tell that they've got a live one, and you'll quickly become a favorite.

This particular campaign is simply an attempt to trick you into willfully accepting their unrelenting "marketing" blasts. They never really give you anything, nor does it seem that they ever offer anything real. Often, though, these can lead to malware; the mobile market is a growing target for these guys as its operating systems become more and more predictable (read: iOS/Android).

Back to this campaign. The way this one works for them is the same way another shady practice called "Pay Per Install" works. The PPI business is all over the place, but is probably best exemplified by those sneaky toolbars that people accidentally install while trying to install another piece of software. In the PPI business, people become affiliates of other software makers, some "legitimate", others not so much, and for every unique install of that software the affiliate brings in, they make a little money. The only way for them to make anything noticeable is by pushing these things to as many people as possible in the hope that enough people fall for it. These text messages work the same way. The people blasting out these texts are affiliates of other people trying to rip you off. You can see this person's affiliate ID appended to the end of the URL in the link above. Every time a unique IP visits that website, this affiliate makes a little money. If you had followed this link, you would have been redirected through about six or seven different sites, each with a different affiliate ID; this is likely the same person attempting to capitalize on several different programs at once. Eventually, though, the viewer ends up here:


Any email will do, they just want to keep in touch! Next they want you to complete an innocuous 3 question survey, I'm not even sure what they could've used that information for, but I'm sure they have something in mind.


Pick your gift.


Weird, didn't I already do this?! I just clicked "Validate" this time, and Gandalf let me pass.


Now they collect even more information with which to annoy you. Let's check the fine print. The usual deal with these survey scams is that they get you to agree to receive several very high-cost text messages; I thought for sure that's what they had planned here, but instead they just want you to understand that you have to make purchases from their affiliates, continue making purchases, and then make some more, so that they can eventually say you didn't hold up your end of the bargain, broke the contract, and therefore they won't have to send you anything. Just in case you somehow do stay true to their ridiculous demands, they also have a clause that says "Company reserves the right to substitute a product of comparable value for the reward. 'Comparable value' shall be determined by Company in its sole discretion." "Company" doesn't even have a name. Also included is an agreement to accept their future spam onslaught, which was certainly not legal in the first place thanks to both the CAN-SPAM Act and the Telephone Consumer Protection Act. I'm not sure how binding this electronic contract is, but they've certainly put forth the effort.


Bogus Bank 'Security Update' Emails Serve Up Zeus Trojan

Monday, April 9, 2012 by Troy Gill

 

Email virus traffic has spiked to very high levels over the past few days, on par with what we normally see at peak times. Today is on pace to be the highest level of email-borne virus traffic we have seen in over 5 months.

As usual, cybercriminals are using numerous social engineering tactics in attempts to infect your computer. This morning we began seeing a huge flood of messages posing as security notifications from Bank of America. The messages purport to be from the "BoA Security Department" and inform you that the bank is making security upgrades. There is of course a file attached that you are asked to open and run: the .zip contains an .exe that, once executed, infects the computer with the ever-popular Zbot malware family.

Here is the message:

 

Ironically, the victim hoping to avoid banking fraud is now host to the very banking Trojan that commits it. The Zbot (Zeus) malware family has been stealing money from people's bank accounts and harvesting other sensitive logins since 2008. In addition to capturing bank account credentials, Zeus has been known to steal Facebook logins, and beyond information theft it enlists the infected machine in a botnet. When we began blocking this particular iteration of the Zeus Trojan, it was not being recognized by any of the 42 antivirus engines we scanned it against, making us the first to identify it as malicious and get signatures in place.

Your iPhone Was Here And Here And Here

Wednesday, April 4, 2012 by Jim Rhodes

 

Your iPhone is not good at keeping secrets when it comes to the Wi-Fi roads it has traveled. Security professional Mark Wuergler (@MarkWuergler) recently found iPhone behavior that is cause for concern: the iPhone broadcasts the MAC addresses of the last three wireless access points it connected to. Further investigation revealed that any Apple device with Wi-Fi capability broadcasts this information. BlackBerry and Android devices were also tested, but were found not to exhibit this behavior.
 
It is suspected that Apple purposely designed its devices to behave this way to speed up the Wi-Fi connection process when within range of an access point they frequently use. However, it also opens the door for anyone who has targeted a device's owner. This information can be obtained easily by monitoring over-the-air traffic in close proximity, such as in a coffee shop. Mr. Wuergler has developed an application, appropriately called "Stalker", that collects this information, as well as passwords, pictures, email, and any other data sent over an unencrypted access point. An access point's location can be determined by looking up its MAC address in geolocation databases such as Google Maps, Wigle.net, or Skyhook. With a little investigation, someone sorting through this data could determine the owner's place of employment, where they live, or places they frequent, especially if the access point's SSID offers a clue.
 
It is not known at this time whether Apple plans to address the issue with an operating system update. For those concerned about this vulnerability, Mr. Wuergler suggests deleting your wireless profiles periodically, turning off Wi-Fi when not in use, and being mindful of the amount of personal data you store on your device. Also, making sure you connect to web sites over HTTPS, or using a VPN, will help keep your data protected.
 
You can read more about this issue here.
 
Jim Rhodes is a Mobility Solutions Engineer for AppRiver, a leading hosted Exchange and e-mail security provider.

Emailed Web Pages Lead to Infection

Wednesday, April 4, 2012 by Troy Gill

 

Lately we have been seeing a large message campaign attempting to infect recipients with a Trojan. These messages pose as a notification that you have received several scanned documents from an office printer. This theme is one we have seen before, but the infection method it now employs has been growing in popularity: the messages come with an attached .zip file, and within the .zip is an HTML page containing JavaScript that redirects you to a web page where you are served a Trojan.

Here is a look at the messages:

With these campaigns the emails do not always come archived in a .zip; sometimes the .html file is attached directly. Attaching the HTML file has become very popular over the past year or so as browsers such as Mozilla Firefox, IE and Chrome have become better at detecting phishing and malicious web sites. Because the attached page opens from local disk rather than from a URL the browser can check against its block lists, the built-in anti-phishing protection never gets a look at it. Most of these messages used to be phishing attempts, but they have slowly but surely become a popular method of malware delivery.
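One way to catch this delivery method at the mail gateway, as an added example rather than AppRiver's own filter logic: parse the message, look inside any attached .htm/.html file (or a .zip containing one), and flag the JavaScript and meta-refresh idioms used to bounce the browser somewhere else. The message below is constructed for illustration; the attachment names, sender and redirect target are assumptions.

```python
"""Added example (not the post's own tooling): flag messages that carry an HTML
page as an attachment, bare or inside a .zip, whose content redirects the
browser. The sample message is constructed here for illustration."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

HTML_EXT = (".htm", ".html")

# Idioms a redirect-only landing page uses; each is a heuristic, not proof.
REDIRECT_PATTERNS = [
    ("location assignment", re.compile(rb"(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I)),
    ("location.replace/assign", re.compile(rb"location\.(?:replace|assign)\s*\(", re.I)),
    ("meta refresh", re.compile(rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("eval(unescape(", re.compile(rb"eval\s*\(\s*unescape\s*\(", re.I)),
]


def html_members(name, data):
    """Yield (name, bytes) for an HTML attachment, or each HTML file inside a zip attachment."""
    lname = name.lower()
    if lname.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(HTML_EXT):
                        yield name + "/" + info.filename, zf.read(info)
        except zipfile.BadZipFile:
            return
    elif lname.endswith(HTML_EXT):
        yield name, data


def scan_message(raw):
    """Return [(attachment path, [matched idioms])] for redirecting HTML attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():          # body parts are skipped
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        for member, html in html_members(name, payload):
            reasons = [label for label, pat in REDIRECT_PATTERNS if pat.search(html)]
            if reasons:
                findings.append((member, reasons))
    return findings


# Constructed landing page: looks like a loading screen, immediately redirects.
LANDING_PAGE = (b"<html><body>Loading scanned document, please wait...\n"
                b'<script>var u="http://example.invalid/in.php";window.location = u;</script>\n'
                b"</body></html>")


def build_sample(kind):
    """Constructed 'scanned document' message; kind is 'zip', 'html' or 'pdf' (benign)."""
    msg = EmailMessage()
    msg["From"] = "scanner@corp.example"        # assumed sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Scanned document from network printer"
    msg.set_content("You have received 3 pages. Attached.")
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Scan_0412.html", LANDING_PAGE)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Scan_0412.zip")
    elif kind == "html":
        msg.add_attachment(LANDING_PAGE, maintype="text", subtype="html",
                           filename="Scan_0412.html")
    else:
        msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                           subtype="pdf", filename="Scan_0412.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind in ("zip", "html", "pdf"):
        print(kind, "->", scan_message(build_sample(kind)))
```

The check deliberately ignores the message body and only looks at real attachments, since that is the whole trick: the page never lives at a URL the browser's reputation service can score, so the gateway has to be the one that reads it.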

April 2012 Spam & Threatscape: Avoiding Online Tax Scams Like the Pros

Wednesday, April 4, 2012 by Shane Rice

Earlier today we released our tips to protect yourself as you prepare and file your taxes online. We also published our Spam and Threatscape report for April 2012. Here’s a brief video that outlines our tips for staying safe during tax season. I’ve also included the tips below the video.

  • The IRS will never initiate contact with a taxpayer through email. 
  • The IRS will never ask for your PIN or credit card information via email.
  • Never click on a link, or an attachment, from an unsolicited email.
  • Avoid financial transactions over public or free Wi-Fi hotspots.
  • Log out when you’re done. Closing the window may not completely end your session.
  • Avoid using the same computer as your children. Many scams today target them, and using a machine that is compromised makes you vulnerable.
  • Lower your risk by using a security suite that includes email and Web filtering solutions with real-time updates.

 

Be sure to read our April Spam and Threatscape report for the latest tax related spam campaigns, Pinterest scam surveys, and other security stories we’ve been tracking. 

US Airways Direct to Mt. Olympus

Tuesday, March 20, 2012 by Fred Touchette

 


This morning we are seeing a slew of malicious emails masquerading as confirmation receipts from US Airways. These emails are graphic-heavy and light on text, confirming a flight out of Washington DC this evening at 10pm, destination unknown. One apparent benefit of keeping text to a minimum is that they never had a chance to misspell anything or make the major grammatical errors that are the norm. The use of actual US Airways logos adds to the illusion that these are real confirmation emails, which could confuse those who don't have any flights booked, or even those who do, thinking perhaps there had been a mistake. The emails offer a link to check the reservation online. These links do not go to the US Airways site, but to one of around 1,000 websites serving exploit code, and a lot of it: we are seeing this campaign hit victims with Adobe Acrobat exploits, Java exploits, and even Zeus. Currently we have seen several million of these hitting our filters at a rate of up to 125 per minute per domain, which translates to roughly 100k malicious messages per minute.

FDIC Emails Open New Doors for Bankers

Thursday, March 15, 2012 by Fred Touchette

Just before lunch today a large email campaign began hitting our filters. The subject read "Fwd: FDIC About your business account", followed by a random string of letters and numbers presumably meant to mimic an account number. The email body informed the recipient that it contained important information about their bank, and that loans and accounts might be affected. This information was supposedly contained in the attachment FDIC_Detailed_Report_About-Your-Business-Account-mar2012-ZWZAY3Q4X.zip. Inside this archive was an executable by the same name, minus the superfluous characters and numbers at the end.


Once executed, the file went right to work. First the executable hides itself and spawns several other processes beneath the surface. The first of these began to install what, on the surface, appears to be an onboard copy of the Rapport software from Trusteer, though it is possible that the software is simply mimicking Rapport or installing a manipulated version of it. The real Rapport is supplied free by many legitimate institutions such as Wells Fargo, Bank of America, and Merrill Lynch. It launches when a user accesses an account on any of the sites entrusted to Rapport, and acts in addition to SSL to provide protection against credential theft and transaction-altering attacks. Currently it is unclear exactly how the malware is leveraging this software for its own purposes, but research continues.


Next the Trojan installs a basic debugger on the compromised system to monitor activity such as console commands and file operations, and creates logs that can be stored and shipped to the attacker. In the process it creates registry entries of a kind normally used to troubleshoot network-related problems.


Next the malware attempts to connect to the fast-flux domain rosefuture.com. This domain resolves to four different IPs - 124.133.228.122, 208.115.203.138, 60.19.30.135, and 217.24.246.7 - housed across the world in China, Albania, Texas and Italy. Initially it looks for a response from http://rosefuture.com/login/hi.php?id=CC863B1B374E49576461&stat=0, which at the time of analysis returned only "0308 E9C2". This could be an "OK" or acknowledgment code telling the new bot to maintain its connection.
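Fast-flux names like this one show up in passive DNS as a short-TTL domain whose answers rotate across unrelated networks. The following Python is an added example, not part of the original analysis: it folds a set of resolver observations per domain and flags those that exceed simple thresholds on distinct addresses and distinct /16 networks. The four IPs are the ones listed above; the TTLs, timestamps, thresholds and the benign comparison domain are assumptions, and a real deployment would use ASN or GeoIP data rather than /16 prefixes as its notion of "different network".

```python
"""Added example (not part of the original analysis): flag fast-flux candidates
from passive-DNS style observations. The observations below are constructed;
the IPs are the four the post lists for rosefuture.com, everything else is assumed."""
import ipaddress
from collections import defaultdict

# (domain, unix_time, ttl_seconds, A-record answers) as a resolver would record them.
OBSERVATIONS = [
    ("rosefuture.com", 1331820000, 300, ["124.133.228.122", "208.115.203.138"]),
    ("rosefuture.com", 1331820600, 300, ["60.19.30.135", "217.24.246.7"]),
    ("rosefuture.com", 1331821200, 300, ["124.133.228.122", "217.24.246.7"]),
    ("static.example.net", 1331820000, 86400, ["192.0.2.10"]),   # stable benign host
    ("static.example.net", 1331821200, 86400, ["192.0.2.10"]),
]


def summarize(observations):
    """Per-domain set of addresses, set of /16 networks, lowest TTL seen, lookup count."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "lookups": 0})
    for domain, _ts, ttl, answers in observations:
        d = per[domain]
        d["lookups"] += 1
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        for ip in answers:
            d["ips"].add(ip)
            # /16 is a crude offline stand-in for "different hoster"; use ASN data when available.
            d["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return per


def is_fast_flux(stats, max_ttl=600, min_ips=4, min_nets=3):
    """True when a domain rotates through many addresses on many networks with short TTLs.
    Thresholds are assumptions tuned to the four-IP case described in the post."""
    return (stats["min_ttl"] <= max_ttl
            and len(stats["ips"]) >= min_ips
            and len(stats["nets"]) >= min_nets)


def flagged_domains(observations):
    """Sorted list of domains whose observations look like fast flux."""
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        print(f"{domain}: {len(s['ips'])} IPs, {len(s['nets'])} networks, "
              f"min TTL {s['min_ttl']}s, fast-flux={is_fast_flux(s)}")
```

Run against a day of resolver logs, the same folding step also gives you the address list to block at the proxy, which matters more than the name itself when the domain is designed to outlive any single IP.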

As with the vast majority of Trojans today, this one is after banking credentials and other sensitive account information. Keep yourself safe by maintaining a defense-in-depth approach that uses several layers of protection: antivirus, email and web filtering, a good firewall, and whatever else makes sense for your organization. Start with the basics and only add what you can handle. If a defensive layer that needs constant attention and human interaction to be effective (log monitoring, for example) is added without the resources to run it, it can leave you with a larger hole than you began with.

Blackhole Accounts for Some Major Malware

Thursday, March 8, 2012 by Fred Touchette


The Blackhole crimeware toolkit has certainly been getting some serious play time over the past couple of months. In just the past couple of weeks we've seen virus-laden emails pretending to come from the Better Business Bureau as well as Intuit, a company known for its accounting software. All of this seems to be targeting US taxpayers as we lead up to April 15th, the deadline for filing federal income taxes in the United States. This morning we're seeing yet another similar ploy, this time targeted at tax preparers instead of taxpayers. Much like the BBB and Intuit emails, these come with convincing graphics and formatting. They appear to come from the American Institute of CPAs (AICPA), claiming that the recipient accountant has been involved in fraudulent filing practices, the details of which are presented in an attached PDF entitled Complaint.pdf. Of course this isn't the case; in fact the "attachment" isn't an attachment at all, but a link to one of about 100 websites we're currently seeing hosting this malware, all under the page name "aic.html". So far we've seen just over 7 million pieces from this campaign, arriving at an average of 300 to 400 per minute.

Facebook Notices Hide Zbot Trojan

Wednesday, February 29, 2012 by Troy Gill

This week we have been seeing a huge influx of messages posing as legitimate Facebook alerts. The bulk of these messages report "You have a new message on Facebook", while many others are fake alerts that "Your Facebook password has been changed". Each of the two campaigns carries its own unique executable, although both appear to lead to a Zbot infection.

Let us take a look at the first campaign. The message appears to be sent from update@facebookmail[dot]com. Although this is what shows in the email's friendly "From" field, it can easily be spoofed to read anything the sender likes. The messages inform you that you have received a message from a Facebook friend and that you can read it in the email attachment. Of course, herein lies the danger.

The file is obfuscated, compressed and stored inside another program, which decodes the malicious file and loads it. It spawns a new malicious process named "NvTaskbarInit.exe" in an attempt to pose as a legitimate Nvidia process. The malicious process quickly adds itself to the Windows startup locations to ensure it runs each time you turn your computer on. The initial behavior we observed was keystroke logging, along with a back door left open for further malware installs.

There are some indications that this malware is in fact the popular Zbot Trojan. The executable used to compromise computers is generated with a toolkit sold in marketplaces for online criminals. The toolkit gives an attacker a high degree of control over the functionality of the final executable distributed to targeted computers. This Trojan is mostly designed to steal confidential information from the computers it compromises, specifically system information, online credentials and, most commonly, banking details. It can, however, be customized through the toolkit to gather other sorts of information, and it may arrive as an email attachment or via drive-by download from a web page.

All together we have quarantined tens of thousands of these messages. Rest assured we are currently blocking all known variants of these messages.

The Blackhole Moves In Closer

Thursday, February 16, 2012 by Fred Touchette

The Blackhole toolkit has been ubiquitous over the past few months. It leaves behind a tell-tale fingerprint and is easily spotted by its use of obfuscated JavaScript and redirects. Until recently this code was found residing on malicious websites out in the dark, murky backwaters of the internet. Today, though, it came in for a closer look: emails from one of its most recent campaigns started hitting our filters, masquerading as a scanned document from the recipient's own domain's network printer.

email

The body gives little information about what's attached other than a scan, the number of pages, and the sender. These are all things you'd expect to see from a scan sent over the network, although the attachment is suspect: normally you would expect to receive the images in something like PDF format, whereas this one arrives as an HTM file. Once opened, the page loads locally in the victim's browser. What the victim sees in the browser is unremarkable; beneath the surface, the browser is interpreting the toolkit's obfuscated JavaScript.

The malware attempts to connect to the domain cserimankra[dot]ru on port 8080 to download another script from /images/aublbzdni.php. If the destination is unreachable, it pings stopbadware.org to establish whether it has connectivity to the web at all. Additionally, the malware makes all of its requests through port 1063, which is registered to the KyoceraNetDev protocol, so the traffic resembles network printer traffic. Granted, that is Kyocera traffic rather than the HP traffic the email suggests, but it is still a fairly good way to hide its tracks.

If allowed to connect to its command and control server, it downloads and creates a file by the name of gsxohsapcpklkti[dot]exe. This executable copies itself to Windows start-up areas where it's sure to run every time the victim PC is started, and begins pulling other exploit code packages from the sites samaragotodokns[dot]ru, hmvmgywkvayilcwh[dot]ru, and xvmzegestulhtvqz[dot]ru. After several files are created, run, hidden and deleted, the malware actively begins monitoring the victim's machine for sensitive information.

We have these variants blocked, but stay on your toes, and watch out for attacks such as these. Look for vague information, poor graphics, improper or even convincing attachments and links, and anything that may be out of place. Note that these emails appeared to have come from within the recipients' own domain. This tactic is used a lot to lull potential victims into a false sense of security. Don't let them fool you, and keep it safe out there!

A Virus for Valentine's Day

Tuesday, February 14, 2012 by Fred Touchette

While perusing our filters in an attempt to find the inevitable love and hearts themed spam and malware campaigns, amongst the tons of Valentine's Day themed pharma spam, I noticed a malware campaign leveraging a site called Booking[dot]com. Booking is a company owned by a more familiar brand by the name of Priceline[dot]com, and as you can imagine, helps visitors find good deals on hotel stays. This is the first time I've noticed these guys being used as a cover for malicious activity, but it makes sense.

The emails arrive as a hotel confirmation for the Adobe Inn. After a Google search, it seems that this could be referring to any of many hotels sharing this name. The email is dated Tuesday, 14 February 12, where I'm assuming the 12 is supposed to mean 2012, and the reservation is for arrival on Sunday, 19 February 12.

[Image: the fake Booking.com confirmation email]

Anyone receiving this email may be tricked into believing that, even though they know they didn't make this reservation, perhaps their Valentine's sweetie had something romantic planned. Curiosity just may lead them into sneaking a peek at what their surprise may be. In order to be fooled though, they will have to overlook some HTML formatting that accidentally shows up in the email itself, the strange date format, as well as the lack of any personalization.


Keep love in your heart and be not afraid though, as AppRiver is currently blocking all known variants of this malware. Happy Valentine's Day!

Malware Hidden In Tax Emails

Monday, February 6, 2012 by Troy Gill

It is February and that time of the year again. Many have already filed their taxes, while many others are still waiting to collect those last few tax documents so that they can file their tax return for 2011. This time every year we begin to see a massive influx of tax-related virus and phishing messages. This year is no different, and we are seeing many such scams.

Today the most prevalent attack is one that invokes the INTUIT name in an attempt to gain the end user’s trust. For those of you who don’t recognize the INTUIT name, they are the maker of the ever-popular tax software TurboTax. The scam begins with an email that appears to come from INTUIT INC. The message body informs you that they have uncovered an issue with your account that requires your attention, and of course you are provided with a link to do so. While most people are savvy enough to know not to click on a link in an unsolicited email, there may be some who don’t really see this as ‘unsolicited’. If one had recently filed via TurboTax, or had recently logged in to start the process for this year, then it may not seem strange that Intuit is contacting them now. Of course, this is exactly what the scammers are counting on when they choose this social engineering tactic at this time each year.

The link in the message leads to an install of a Trojan horse, invisible to the user, via malicious JavaScript. Once this is in place, the attacker can load whatever malware suits his fancy.

Here is a look at the malicious email:

[Image: the malicious email]


These well-timed malware campaigns will always be more effective when the scammers can add an air of authenticity. Most people know that the IRS will not send links in an email, but it may seem reasonable that their tax software provider would, especially if they were using it recently. Steer clear of this and all the many other tax scams this year and keep that refund in your hands.

Akamai Improves Security as well as Speed

Friday, February 3, 2012 by Jim McClellan

We’ve written before about Akamai’s Internet optimization and how it dramatically increases reliability and download speeds for AppRiver’s Secure Hosted Exchange customers. What we haven’t spent much time talking about is how Akamai also adds an additional layer of security, helping protect AppRiver users from distributed denial of service (DDoS) attacks.

The idea of layered security is a favorite topic of Andrew Schrader, AppRiver’s national sales director. As he points out, no security system is 100-percent effective. Incorporating multiple safeguards, however, significantly reduces the likelihood that an attack by hackers or cyber-crooks will be successful – and limits the damages if they do break through.

Here’s how Akamai plays an important role in AppRiver’s layered security approach:

Company A is a business that operates internal mail servers and uses an offsite backup. Another business, Company B, uses AppRiver’s Secure Hosted Exchange service and has no internal mail servers.

In the case of a DDoS attack delivering invalid mail, the first line of defense for Company A is its own servers, which can quickly be overwhelmed by a high volume of email traffic. All of these messages must be processed by those servers and through the company’s Internet connection. The only real option for an admin under these circumstances is to shut off the connection and reboot the servers. Although this prevents the malicious traffic from coming in, it also blocks legitimate messages. This can carry a tremendous cost in terms of time, money and good will.

Now, let’s assume that the same attack is directed toward Company B with AppRiver’s Secure Hosted Exchange. In this case, the malicious traffic is routed through Akamai’s servers and the messages are distributed throughout a global network so that they don’t overwhelm any single connection. They are then routed to one of AppRiver’s secure data centers where they must pass through our SecureTide spam and virus filters. AppRiver’s scalable architecture means that dozens of servers can share the processing load and deflect the attack.

In this scenario, Company B’s resources are never directly engaged, legitimate messages are still allowed to pass and business can continue uninterrupted.

Does all of this amount to an impregnable security system? Certainly not. But, AppRiver’s layered security approach, incorporating Akamai technology, gives small and medium-sized businesses much better protection than they would have on their own.

Malicious Scripts Bring Auto-Infection Through Email

Tuesday, January 31, 2012 by Fred Touchette

Remember hearing the advice that if you don't recognize the sender of an email, or its relevance, to simply delete it before you even open it? Well, that advice remains strong, especially this week, as we're beginning to hear reports of malicious emails circulating the web that simply need a victim to open and view them to become infected.
 
Normally, emails with malicious intent deliver their payload in one of two ways. One way is to provide their intended victims with a link that, once clicked, will lead them to a compromised website where the infection takes place. The other most popular method of email infection is the Trojan attachment. In these cases the attachment is pretending to be something it's not, like an invoice, or even a subpoena, but instead it contains malicious code determined to collect personal information for profit. These attachments require the intended victim to take several steps in order to infect themselves. First they'll have to open and view the email, and then double-click the attachment to execute it. In addition, many malicious attachments these days are stuffed inside compressed zip files to help them evade signature-based detection by altering their fingerprint. This requires yet another step to be taken by their victims: first to unzip the virus, and then another double-click to finally execute it. It's not until this stage that the target will become infected.

Now emails are beginning to attempt to bypass all of these steps and get right to the infection by placing malicious JavaScript within HTML directly in the body of the email. Everyone is likely familiar already with HTML emails. They are used rather heavily by department stores and various newsletters to add fancy graphics to their mailers. This is the same thing that the bad guys are now sending out, except they're slipping a little extra code in there (JavaScript code, specifically) that auto-initiates the infection process. Now all a potential victim has to do is open up the infected email, and the code runs immediately without any additional work from the target. Except for all of the work it's going to take to clean up their credit after a successful attack.

Here's how you can protect yourself. The quick and easy way would be to sign up for AppRiver's SecureTide service and you'll be all set. This attack has been on our proof-of-concept radar for quite some time, and we had pre-emptive blocking in place for all of our subscribers. This also includes the now ever-popular obfuscated JavaScript that is used quite a bit to mask malicious intent.

If you're not an AppRiver subscriber, we advise not allowing any sort of script to run without approval, especially in email! JavaScript really has no place in email, and many security advocates feel the same way about HTML in email, as it only adds to the possible attack vectors that someone is opening themselves up to. Many browsers have plug-ins available, such as NoScript for Firefox, that can be used while viewing webmail to stop all scripts from running. Having individual control over which scripts can run and which can't also helps protect browsers from potential drive-by downloads on the web. Or a user can simply turn off JavaScript altogether in their browser options, which may be the best bet. In addition, as mentioned above, it is advisable to turn off HTML in your email client, as HTML is totally unnecessary and can only lead to possible trouble. However, if you have to keep the pretty pictures, a strong spam filter as well as a strong anti-virus product is a must. Most importantly, if you don't recognize the sender, or its relevance: Delete It!
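
As an added example (not code from the original posts or from AppRiver), here is a small Python check that does what the advice above asks of a filter: it walks a message's MIME parts and flags script tags, inline event handlers and javascript: URIs in an HTML body, and it also flags an .htm attachment like the fake printer scan described in the Blackhole post earlier on this page. The two sample messages, the example.invalid addresses and the pattern set are constructed for this illustration.

```python
import email
import re
from email import policy

# Markers of active content that has no place in mail (patterns constructed for this example).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)  # e.g. <body onload=...>
JS_URI = re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)
HTML_NAME = re.compile(r"\.html?$", re.IGNORECASE)

def scan_html(html: str) -> list[str]:
    """Return the reasons a piece of HTML should be treated as active content."""
    findings = []
    if SCRIPT_TAG.search(html):
        findings.append("script tag")
    if EVENT_HANDLER.search(html):
        findings.append("inline event handler")
    if JS_URI.search(html):
        findings.append("javascript: URI")
    return findings

def scan_message(raw: bytes) -> list[str]:
    """Walk every MIME part; flag script in HTML bodies and any .htm/.html attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and HTML_NAME.search(name):
            # A "scanned document" delivered as an HTML file is suspect by itself; its
            # contents are checked too, since that is where the redirect script lives.
            findings.append(f"HTML attachment {name}")
            html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            findings += [f"{f} in {name}" for f in scan_html(html)]
        elif part.get_content_type() == "text/html":
            findings += [f"{f} in body" for f in scan_html(part.get_content())]
    return findings

# Constructed samples, not messages from any real campaign.
BODY_WITH_SCRIPT = b"""From: billing@example.invalid
Content-Type: text/html; charset=utf-8

<html><body><p>Your invoice is ready.</p>
<script>/* obfuscated redirect would sit here */</script></body></html>
"""

PRINTER_SCAN = b"""From: printer@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1

Scanned by HP Officejet, 2 pages.
--b1
Content-Type: text/html; name="scan.htm"
Content-Disposition: attachment; filename="scan.htm"

<html><body onload="go()"><p>Please wait...</p></body></html>
--b1--
"""
```

Running scan_message over the two samples returns the findings for each; a plain-text message with no HTML part comes back empty.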

Fear the Reaver, It Can Discover Your Wi Fi Password

Friday, January 20, 2012 by Jim Rhodes

Setting up a wi-fi network used to be a daunting task for the average user. People would spend countless hours in frustration and be assaulted with terms such as DHCP, DNS, administration console, and WPA passwords. If you didn't encrypt your wireless network, your neighbors could use Firesheep to log in to your personal accounts. Enter the Wi-Fi Alliance, and now anyone can have their wireless network up and running securely in no time. However, this simplified process has introduced a new security vulnerability found in many of today's routers.

The root of the problem is a feature called Wi-Fi Protected Setup (WPS). This is part of a set of requirements a device must meet to be "certified" by the Wi-Fi Alliance and be able to place this coveted stamp on a box. There are four different methods that can be used for WPS. One of them is the PIN method, which every certified product has to support. An 8-digit PIN is assigned to the router, and a user must enter that PIN when attempting to connect a device to the network using WPS. Statistically, this means there are 10^8, or 100,000,000, combinations. However, the last digit is a checksum, so in reality there are only 10^7, or 10,000,000, variations.

The problem is that the WPS authentication protocol breaks the PIN into two halves when verifying. It validates the first four digits first. Once that half has been authenticated, it goes on to verify the next 3 digits (remember the last digit is a checksum). This significantly reduces the number of possibilities from 10^7 to 10^4, or 10,000, for the first half and 10^3, or 1,000, for the second set of digits. A device is allowed 3 attempts to connect before it is locked out for a period of 1 minute, which can slow down a brute force attack. Because of this flaw, an attacker only needs to make at most 11,000 attempts to gain access vs. 10,000,000. Lifehacker recently documented how to use the brute force application Reaver in an attack. Tests using this application have shown that the PIN can be discovered on average within 4-10 hours. Once the PIN is obtained, the program is able to retrieve the WPA-PSK pre-shared key and obtain network access.

The good news is that in most cases, WPS can be disabled in the router settings. By default, this setting is enabled. However, disabling it does not appear to be an option on Linksys/Cisco routers. The only way to get around this is to flash to a non-WPS ROM, which is probably something an average user would not want to attempt. It is anticipated that there will be firmware updates coming from the various router manufacturers in the near future that will remove the "check 4, then check 3" flaw, thereby making a brute force attack less feasible.

A list of vulnerable devices can be found here.

Jim Rhodes is a Mobility Solutions Engineer for AppRiver, a leading Hosted Exchange and e-mail security provider. 

Update: Cisco (Linksys) has released a knowledge base article regarding the WPS vulnerability that exists in some of its routers. As noted in my original post, the WPS feature cannot be disabled on some Cisco products. This article clarifies which devices are affected and when they will receive an update to resolve the issue.

2012: Attacks Underway

Wednesday, January 18, 2012 by Troy Gill

2011 was a year riddled with data breaches and malware outbreaks. Less than 3 weeks into 2012, we are already seeing a few of our security predictions for 2012 coming true.

More High Profile Data Breaches- Data breaches were rampant in 2011, with businesses such as Sony, HB Gary Federal, RSA, WordPress, Epsilon and many others being infiltrated and pillaged. It seemed like there was a different breach for every day of the week. Well, it did not take long in 2012 for the trend to continue. A few days ago Zappos (the online shoe and clothing retailer) reported being hacked, exposing data for a whopping 24 million customers. Client information exposed in the breach included names, addresses, email addresses, phone numbers, the last four digits of the credit card on file and passwords (although scrambled). Although no full credit card information was reported to have been exposed, there is still some danger. If the passwords are recovered by the hackers, they could be used to access the email of the many individuals who are in the habit of using the same password across all of their personal accounts. Believe it or not, this happens a lot more often than you might think. Additionally, the collected personal data could be used in more directed or personalized attacks, as well as kept to be correlated later with other stolen data. The fallout for the companies that suffer these types of breaches can be severe. In the case of Zappos there will almost certainly be cancelled accounts, lost sales and a hit to their reputation. There is even news today that a class action lawsuit has been filed on behalf of the customers involved. There is a high degree of certainty that these breaches will continue throughout 2012.

Malware Using Social Media- Social networking sites such as Facebook, Twitter and the like have all become a very popular vector for malware distribution. Whether it is being distributed on the social sites themselves or via spam emails posing as correspondence from the site, this method has only been growing in popularity and will proliferate in 2012. We are currently monitoring many malicious campaigns that are attempting to pose as legitimate social networking communications. One campaign is coming in droves today and poses as a friend invite from Facebook. The message includes a link to a website hosting malicious JavaScript. In just a few seconds the victim’s machine has communicated with a host and installed a Trojan.

Here is a look at the message:

[Image: the fake Facebook friend-invite message]

These attacks are nothing new, but sometimes less really is more, and let’s face it, who isn’t at least a little curious about that friend request they just got? So what if you don’t recognize the name? It is just one little click. Given their effectiveness, these attacks will be numerous in 2012.