This past week I spent some time at the annual RSA convention in San Francisco as I have done for the past several years. RSA is primarily a vendor-centric event with IT security as its focus. The conference gives security professionals the opportunity to feel out where others in the industry have been and where they're headed by way of trends, techniques, and sometimes tragedies.
Before this year's event even began, we all knew at least one issue was going to be front and center after a long year of talk about breaches and privacy. I knew going in that during the many keynote speeches, presentations, and chatter on the show floor I would hear the acronym NSA and the name Edward Snowden ad nauseam, and this year's RSA did not disappoint in that area. One thing I wasn't quite expecting, however, was the twist thrown into the mix by a Reuters article a week before the event that linked the RSA business entity directly with the NSA through a contract to distribute a purposefully flawed, reversible encryption algorithm.
This news was enough to send many in the security field into an uproar of sorts: the event was immediately boycotted by some, and a protest conference by the name of TrustyCon sprang up directly across the street, selling out its 400 person capacity.
This made us very curious as to what people were most concerned about now that all of these other vectors of attack on both our security and our privacy seem to be popping up on all sides. We decided to do a face to face survey with conference attendees, one on one, asking them a few simple questions about these issues, then compile the data and see what is on people's minds. These are people that deal with security every day, whose jobs depend on keeping networks secure, and who treat threats as a practical problem, not a theoretical or philosophical issue.
We ended up surveying just over 110 people on these subjects, and when we asked them what they felt was the number one threat to their organization, the response was more lopsided than I had expected.
• 56.2% of respondents report cybercrime from external sources as most problematic
• 33% say insider threats with non-malicious intent give them the most trouble
• 5.3% blame malicious insiders for causing the biggest security headache
• 5.3% point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4%, cited people as the most frequent (or most likely) point of failure for IT security. 21.4% faulted process and 7.2% labeled technology as the weak link.
As a new breed of cybercriminal gets more sophisticated, IT security pros find themselves increasingly wary that employees are not keeping pace. This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organizations need a combination of technology, training, knowledge and awareness to keep both inadvertent and intentional attacks from happening.
We were also curious as to whether or not all of this recent news has driven people to believe in the need for psychometric testing to determine employee honesty. Over two thirds of our respondents said no. When asked if they would be willing to take such a test themselves, again nearly two thirds said that they would.
Of course security and privacy will always be concerns within businesses, and a strict "need to know" policy should be implemented and enforced to help protect important data. But forcing everyone to take a polygraph test for employment, regardless of what data they are exposed to, seems a bit on the paranoid side, and those surveyed seemed to agree.
Everyone continues to have their own philosophical and ethical stances, but the real concern as this survey points out is the everyday tangible malware that continues to barrage inboxes and networks millions of times a day.
Today we are still monitoring a blast of malicious emails that began on February 5, 2014. Since that day, we have seen the virus traffic increase to unusually high levels that have continued to reach higher peaks over the last few days. January was the second most active month for malicious emails to date. Though the spike we saw in January was unusually large, the spike in message traffic that we have been seeing over the past few days has been even larger. So far in February we have quarantined over 150 million email messages containing malware attachments; at this rate February has a good chance of surpassing the previous record-setting levels that we recorded way back in 2008.
This malware campaign is still going strong, but the technique is nothing new. The malware distributors are sending large blasts of emails with varying premises. Attached to each message is a file that attempts to appear legitimate but in actuality contains malicious code. The themes of these emails continue to vary.
For example, today many of these messages were posing as alerts from Visa/MasterCard alerting the recipient that their account had been blocked due to unusual activity (fake security warnings are a favorite social engineering tactic for the blackhats). The file attached to each message is in fact a Trojan that will infect your machine upon execution. Once infected the attackers will have a backdoor to that machine and can further install malware that most commonly includes programs designed to harvest personal and financial information.
While the initial analysis of many of these malicious files has pointed to the Andromeda botnet or even the [not so recently defunct] Bredo botnet, these trojans are mostly identified with generic names. In turn, some of us here at AppRiver have taken to referring to this botnet activity as TidalWave or TidalBot (due to its enormous ebbs and flows). Whether this botnet is a completely new build from the ground up or built up from an existing piece, one thing is certain: they have spent some time and effort compiling a large swath of compromised machines to have at their disposal.
You could draw several conclusions as to what danger this all poses to the user. First, it illustrates that people are still clicking on attachments and links in unsolicited email (if they were not, cybercriminals would not be relying so heavily on this technique). The users that unknowingly click on one of these attachments are likely to have their activity monitored, leading to stolen financial information, personally identifiable information and login credentials. But the impact of this type of malicious activity is not only felt by the recipient of these messages; it can also have a cascading effect. It poses an inherent risk to information security in general. Most of the time we just think about an individual falling victim to this sort of attack, but what if that individual is your CPA or banker (or anyone that has access to personal data, for that matter)? If they fall victim while on a work computer, then it is not just their data that is at risk: your information may now be exposed as well.
Over the last month we’ve caught and blocked a set of virus campaigns that use new and novel tactics designed specifically to beat filtering engines. One common component of all these campaigns is enormous volumes of traffic being sent to data centers, with peaks reaching three or four times normal network traffic.
Earlier today, AppRiver experienced such a spike, although this one was quite unlike anything we’ve seen to this point. Our data center processed 10 to 12 times our normal traffic. This graph will give you an idea of what we saw:
These spikes have been driven by a tremendous increase in the number of incoming messages being sent with viruses attached. AppRiver's systems blocked the messages and our analyst team discovered they were designed to deliver a new Bank of America trojan. However, the sheer volume of the traffic caused some of our customers delays in sending and receiving mail. Once we were able to isolate and analyze the malicious messages, we quickly choked them off and mail flow returned to normal.
Our security analysts spent some time looking at this virus and found it was being classified by at least one AV vendor as a Bredo virus. Running the message through a variety of virus scanners showed that only 11 of 51 antivirus vendors were classifying it as malware. The main goal of this virus is to steal information such as banking details, or to record keystrokes. The software may also have the ability to further infect a system by downloading more malware onto the machine. Here's a screenshot of what this message looks like:
As always our engineering, security, and support teams are here to answer any additional questions and help ensure your email experience is as fast, secure, and safe as possible. If you have any questions please give us a call at 866-223-4645.
This past month of January we saw a pretty incredible spike in virus traffic. Other unsolicited emails ebbed and flowed throughout the month resulting in a regular average amount of traffic after all was said and done.
The biggest news that everyone was talking about at the start of 2014 was all of the major breaches that made the headlines. Target was the first to enter the spotlight, announcing that between Black Friday and December 6th, malware placed directly on their POS systems siphoned off around 40 million customer credit and debit card numbers as well as information associated with those accounts. As time went on that number began to increase, first to 70 million and then to over 100 million accounts compromised. After Target, other companies began announcing similar breaches, including Neiman Marcus and Michael’s.
This brought to light new strains of malware that were written to attack right at the source, at the point of sale itself. The moment customers swiped their cards in-store at the business, the malware would take all of that card information directly from RAM on the POS computer. Several variants of this POS malware began to surface that used this very technique known as RAM scraping. Malware such as BlackPOS, Alina, Dexter and vSkimmer to name a few have become popular in underground forums.
BlackPOS, or Kaptoxa as it’s known to some, was credited as the malware used in the Target breach. It was being sold at the time for around $2000 USD by a Russian seventeen year old named Sergey Taraspov, who authored the malicious code. Even though Taraspov created this malware, it is assumed that he was not to blame for the attacks on these major retailers; rather, it was one of Sergey’s customers that was responsible for this major breach.
In addition to these attacks, Yahoo also announced a major breach of their email accounts. Though not related to the Target or Neiman Marcus breaches, this one also proved to be rather alarming. The goal here for the attackers was passwords. Once the Yahoo users’ passwords were stolen through a third party database hack, the attackers accessed and monitored email for these accounts, looking for mentions of other accounts that the victims may have, such as bank accounts or even other email accounts. The attackers then attempted to use the stolen Yahoo passwords on those other accounts. For those who like to use the same password across several accounts, this proved to be a costly security oversight. We’ve said it a thousand times before and we’ll continue to say it ad nauseam: in addition to making sure your password is strong, never use the same one twice, and the Yahoo breach is a perfect example of why.
Here are a few metrics that we saw in January:
Though traffic was close to normal, the four day spike from the 7th-10th was enough to push this month’s total virus message count to the highest monthly total since Q3 of 2008 (269,108,311 virus-laden messages were quarantined in January 2014). The traffic on Jan. 7th-10th was roughly 40 times the daily average, which is typically about 2+ million emails containing a virus attachment.
Spam volumes were high and low throughout the month, which led to an average total for January: 2,501,096,184 messages were quarantined in total.
Spam filtering can keep out mail generated by online creeps, but what about mail you’ve asked to receive? If your email experience is anything like mine, you probably get a mix of newsletters and updates that you have to sift through to find email you need to tackle for work.
This mail may feel unwanted, but it’s most likely coming from a sender that actively prevents spammers from using their system. These mailing lists are generated through an opt-in process. Think about all the times you’ve been asked for your email address online or in person and you get a sense for how quickly your inbox can become cluttered with bulk email you’ve authorized in some way.
Handling bulk email is a challenge for every email security provider. Here’s one reason why: Most of us have shopped at a favorite online store, and in the process given them our email addresses. We don’t necessarily want to see these messages in our work inbox, but maybe we still want to know about any great deals before they expire.
The ideal experience would be to have these messages filed in a folder we can check daily or a couple of times per week. You probably don't want these messages to be part of your normal workflow.
Here at AppRiver, this is something we’ve spent a lot of time managing and thinking about: How can we deliver a better bulk email experience to your mailbox? We know this is a headache for many of you because about 50 to 60 percent of the messages forwarded to our rule technicians fall into this category.
To address this problem we’ve added a new feature to SecureTide. Admins can turn on a test to mark these incoming messages with a label of their choosing. Turning this on will cause these messages to be checked against an extra 800 rules based on characteristics these messages typically share. We’re already checking messages against 6 million other rules faster than you can blink your eye, so you won’t even notice when we check against these new ones.
To turn this feature on, your admin needs to log in to the AppRiver Customer Portal and follow the steps in this article:
Once this test has been turned on, any user can follow these steps to create a rule to filter messages with the flag created by their admin:
You can customize how the filter works by adding email from certain addresses as an exception so that messages you want to see in your inbox immediately will behave exactly as you want.
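As an added example (not SecureTide's own code), here is the user-side rule in Python: messages carrying the admin-chosen label are filed to a bulk folder unless the sender is on the user's exception list. The page does not say how the label is applied, so this assumes a subject tag "[BULK]" optionally mirrored in a hypothetical X-Bulk-Label header; all sample messages are constructed.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

BULK_LABEL = "[BULK]"          # admin-chosen label (constructed value)
LABEL_HEADER = "X-Bulk-Label"  # hypothetical header carrying the same label
BULK_FOLDER = "Bulk"
INBOX = "INBOX"


def is_labelled(msg: Message, label: str = BULK_LABEL) -> bool:
    """True if the admin's bulk test tagged this message, via subject or header."""
    subject = msg.get("Subject", "")
    header = msg.get(LABEL_HEADER, "")
    return subject.lstrip().startswith(label) or header.strip() == label


def sender_matches(msg: Message, exceptions: set) -> bool:
    """Exceptions may be full addresses or whole domains (e.g. 'favorite-store.example')."""
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    return addr in exceptions or domain in exceptions


def route(raw: str, exceptions=frozenset()) -> str:
    """Return the folder a raw RFC 822 message should be filed in."""
    msg = message_from_string(raw)
    allow = {e.lower() for e in exceptions}
    if is_labelled(msg) and not sender_matches(msg, allow):
        return BULK_FOLDER
    return INBOX


# Constructed sample messages (not captured traffic).
NEWSLETTER = "From: deals@shop.example\r\nSubject: [BULK] Weekend sale ends Sunday\r\n\r\nbody\r\n"
FAVOURITE = "From: Deals <deals@favorite-store.example>\r\nSubject: [BULK] Your coupon\r\n\r\nbody\r\n"
WORK = "From: boss@corp.example\r\nSubject: Q1 budget review\r\n\r\nbody\r\n"
HEADER_ONLY = "From: news@list.example\r\nX-Bulk-Label: [BULK]\r\nSubject: March update\r\n\r\nbody\r\n"

if __name__ == "__main__":
    exceptions = {"favorite-store.example"}  # the user wants this store's deals immediately
    for name, raw in [("newsletter", NEWSLETTER), ("favourite", FAVOURITE),
                      ("work", WORK), ("header-only", HEADER_ONLY)]:
        print(f"{name:12s} -> {route(raw, exceptions)}")
```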
Over the next few months we are going to continue refining this test and will continue to evaluate how to deliver a high-quality inbox experience. Keep an eye on http://blogs.appriver.com for news about updates to this feature, and let us know what you think in the comments.
Today we're seeing another malicious offering from the Asprox botnet, a botnet that has come roaring back to life as of late. Asprox had not been known for being quite this tenacious in the past, that is until the author of the formerly most widely used exploit toolkit, Blackhole, was arrested back in October. Since then, customers of Blackhole jumped ship out of concern that continued use of the toolkit would lead authorities right to their doorsteps. In order to maintain business continuity, spammers and malware authors had no choice but to turn to other alternatives. It would certainly appear that this sudden lull in business created an opportunity for the Asprox botnet, first discovered around 2007, to make a major move.
Today's ploy poses as an invitation to attend a funeral on Thursday Jan. 22nd 2014, which happens to be rather short notice considering it's tomorrow. It also doesn't mention anywhere in the invitation who has died, just the time, date and a fictitious funeral home, Eubank Funeral Home & Cremation Services, for which it doesn't provide an address or even a general hint as to where it's located. For the rest of these seemingly critical details, the recipient is given a link. Of course this link doesn't supply these details, but instead reaches out to any one of hundreds of possible sites that are hosting the malicious payload. A lot of these sites in the past have had the ability to limit IPs to a single visit: if the same IP tries to connect to the malicious site more than once, it simply returns a 404 not found error, thereby limiting the effectiveness of researchers. They would also discern between the different browsers visiting the malicious site to determine whether to serve up the malware or the 404 page. Currently, though, I am having no problem getting malicious samples from any of these pages.
As has also been the case in the past, the malicious host utilizes IP geolocation to customize the malicious payload to appear to be local to the recipient. The file that I receive is named "FuneralCeremony_Gulf_Breeze_32561.zip" which is the city and zip code that I am currently in.
Once the victim is infected, the malware goes to work by injecting itself into running processes to avoid detection, adding itself to startup areas, checking to see if it is running in a debugger, and attempting to disable SafeBoot to make sure it doesn't go anywhere. After all of the initial formalities, the malware invites all of its friends to the party and they start going through the victim's things, stealing browsing histories and cookies, account credentials and passwords, and whatever else catches their attention.
Some of the past Asprox campaigns from this month have included fake notifications from Walmart, Best Buy, Costco and a few different utility companies masquerading as a monthly statement.
We have been seeing an ongoing malware campaign claiming to be package delivery emails from places like Walmart, BestBuy, and Costco. The emails say a delivery was missed and contain a link to a form to fill out. The link actually leads to an external compromised site containing a malware zip download. The downloaded zip is similar to the WhatsApp and Wedding Invitation campaigns in previous posts, in which the downloaded file uses a geolocation script to customize the file name. This time it’s also including a zip code in the name as well. The exe inside is named the same.
An interesting thing this time around is that the links that lead to the malware seem to be one time use only. After clicking the link and downloading a zip, any repeat visits to the linked URL lead to a 404 page. The full URL looks to be a customized link for the recipient; it looks similar to a base64 string but does not decode.
This malware and the malware that it downloads appear to be a part of the Asprox botnet. After running the virus, a short while later it starts blasting out emails. Not just spam, though: the sample was also sending more of the same malware we have seen coming in.
As always, be wary of any unexpected emails wanting you to download anything. It could be easy to spot, like a zip with an exe in it, or it could be something harder to avoid, like a drive-by malware link.
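The two Asprox campaigns above (funeral invitation and missed delivery) share one observable: a zip named `<Theme>_<City>_<ZIP>.zip` holding a single executable of the same name. As an added example, not AppRiver's tooling, this Python check scores a downloaded archive on those traits; the only real value it uses is the filename quoted on the page, and the sample archives are constructed in memory so it runs offline.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Theme_City[_More_Words][_ZIP].zip, e.g. FuneralCeremony_Gulf_Breeze_32561.zip
# (the name quoted on the page). City words are letters joined by underscores;
# the five-digit ZIP is optional because the earlier campaigns used the city alone.
GEO_NAME = re.compile(
    r"^(?P<theme>[A-Za-z]+)_(?P<city>[A-Za-z]+(?:_[A-Za-z]+)*?)(?:_(?P<zip>\d{5}))?\.zip$"
)
# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_archive(filename: str, data: bytes) -> Verdict:
    """Score a downloaded zip against the traits described above.

    Each trait adds one reason: a geolocation-style name, an executable member,
    and an executable whose name mirrors the archive's. Two or more traits
    together is treated as the campaign's signature; a single one is left for
    the caller to weigh (the reasons are returned either way).
    """
    reasons = []
    m = GEO_NAME.match(filename)
    if m:
        city = m.group("city").replace("_", " ")
        zip_note = f", ZIP {m.group('zip')}" if m.group("zip") else ""
        reasons.append(f"geolocation-style name: theme '{m.group('theme')}', city '{city}'{zip_note}")
    stem = filename[:-4] if filename.lower().endswith(".zip") else filename
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        # A download served as .zip that is not a zip at all is worth a look on its own.
        return Verdict(True, reasons + ["not a valid zip archive"])
    exes = [n for n in members if n.lower().endswith(EXECUTABLE_EXTS)]
    if exes:
        reasons.append("contains executable: " + ", ".join(exes))
    if len(members) == 1 and exes and exes[0].rsplit(".", 1)[0] == stem:
        reasons.append("single executable named after the archive")
    return Verdict(len(reasons) >= 2, reasons)


def build_zip(member: str, payload: bytes = b"MZ constructed placeholder, not code") -> bytes:
    """Constructed sample archive for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "FuneralCeremony_Gulf_Breeze_32561.zip": build_zip("FuneralCeremony_Gulf_Breeze_32561.exe"),
        "WeddingInvitation_Pensacola.zip": build_zip("WeddingInvitation_Pensacola.exe"),
        "Q1_report.zip": build_zip("Q1_report.pdf", b"%PDF-1.4 constructed"),
    }
    for name, blob in samples.items():
        v = inspect_archive(name, blob)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'}; " + "; ".join(v.reasons))
```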
Details are slowly emerging in what is shaping up to be the biggest retail breach of 2013. Anyone who swiped a credit or debit card at a ‘brick and mortar’ Target store between Nov. 27th and Dec. 15th is a potential victim. Currently Target is estimating that 40 million credit/debit cards may have been stolen between those dates. If these figures hold up, that would make this one of the largest retail data breaches ever.
It is not totally clear if every US based store was affected, but certainly the majority of stores were breached. Details as to how the attackers were able to compromise Target’s systems have also yet to be disclosed; we only know that the attackers were able to compromise the POS systems of this retail giant. Since the breach appears to have occurred via the POS terminals themselves, shoppers of Target’s online store do not appear to be affected.
These data thieves will likely sell the card information to groups that will carry out fraud on these accounts. This could take the form of bogus charges on your credit card accounts or funds withdrawn directly using reproduced debit cards.
Perhaps the most concerning part of this breach is that there is nothing at all the consumer could have done to prevent it from happening to them. But if you have not been victimized as a result of this breach yet, it is not too late to take some defensive measures. Consumers who made credit or debit card transactions in a Target store during these dates should go over their account transactions with a fine tooth comb. It also may be best to play it safe and contact your card issuer to have the card number frozen and the card replaced.
Every year around the holidays we begin seeing fake E-Cards laden with malware hitting our filters. This year is no exception. The bad guys know that this little disguise of theirs just may get their intended victims to drop their guard for just long enough to be successful. Some people prefer the ease of creating and sending these electronic versions of holiday cards in lieu of licking all of those envelopes. As a result many people are used to receiving these, sometimes en masse, during this time of the year. This is just the cover that the malware authors thrive on.
One of the more common themes that cybercriminals like to spoof is a company well known for its greeting cards, Hallmark. A big wave of them came in not too long ago that were missing some of their graphics, but usually they're dressed to the nines and can be quite convincing. A couple of the dead giveaways here are the aforementioned lack of graphics and, more importantly, the use of an attachment. I personally have never seen a legitimate ecard sent via attachment; it is always a link to "open" the card. Now, with that being said, I must clarify that just because you receive an ecard with a link doesn't make it legitimate, quite the contrary. Many of these are dressed up much better than this most recent example and utilize these links to get you to malware that is remotely hosted.
This particular malware behaves a little like Zeus in that it injects itself into running processes to hide itself and waits for account credentials. In addition, this malware makes a firewall exception for a newly created file by the name of AdobeARME.exe and adds this file to all startup areas so that if the victim computer is shut down, the malware will reload when it's turned back on. The malware then modifies the security settings by disabling security notifications and begins to search for and disable any active Anti-Virus on its new host.
As is always the case, be on the lookout for these malicious ecards. Only click on links that you know are safe and are from known sources, and you will help make sure that your holidays remain cheerful ones.
It has recently come to light that millions of passwords for major accounts such as Facebook, Google, LinkedIn, ADP, and Twitter have been stolen over the past month, according to Trustwave researchers. This is thanks to malicious keylogging software that found its way onto hundreds of thousands of victim computers and leeched away private data. No one is completely sure how this malware was successful at making its way onto all of these computers, but what's important to know at this point is what to do in order to protect oneself in case you were one of those affected.
First things first, change your passwords! Make sure you interrupt any access that the thieves may have had to these accounts as soon as possible. A lot of these companies have warned their users that their accounts may have been compromised, but some have not, so err on the side of caution here. If you have an account with Facebook, GMail, Google+, YouTube, Yahoo, Twitter, Odnoklassniki, ADP or LinkedIn, it's possible that the bad guys may have access to your accounts; change all of these passwords.
A couple of very important password rules come to mind here as well:
Use Different Passwords- There is a great deal of damage that can occur after an intrusion if you are using the same password for all of your online accounts. Doing this places all of your online accounts behind a single entry point or single point of failure. If a hacker somehow gets their hands on your email password (for example) they will commonly attempt to access other accounts using the same credentials. So, though it can be cumbersome at first, make the extra effort to use different passwords for different accounts.
Stronger Passphrase- In the wake of recent data breaches where the attackers have posted stolen passwords online, it is still quite evident that while most people are aware of the importance of a strong password, not all are practicing it. A strong passphrase should consist of upper and lower case letters, numbers and symbols. It is also critical that it be no less than 8 characters in length (the longer the better). An easy way to come up with one is to start with a phrase that you can easily remember. Take “chicken and waffles” for example. You could use something like “ch1ck3n@ndWaffl3S!”. Also remember to avoid using the same password across multiple accounts.
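As an added example (not from the original post), the two rules above turned into a check you can run over your own account list: the composition and length policy exactly as stated here, plus a reuse check that shows which other accounts fall when one password leaks, which is the scenario the "Use Different Passwords" rule describes. The account list and the local secret are constructed; comparing keyed hashes instead of plaintext is a design choice here, not something the page prescribes.

```python
import hashlib
import hmac
import string
from collections import defaultdict

MIN_LENGTH = 8  # the page's floor; longer is better


def policy_failures(passphrase: str) -> list:
    """Return the rules from the post that this passphrase violates (empty list = passes)."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in passphrase):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in passphrase):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in passphrase):
        failures.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        failures.append("no symbol")
    return failures


def fingerprint(passphrase: str, secret: bytes) -> str:
    """Keyed hash so reuse can be compared from stored fingerprints rather than plaintext."""
    return hmac.new(secret, passphrase.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(accounts: dict, secret: bytes) -> list:
    """Group account names that share a passphrase; each group is one single point of failure."""
    groups = defaultdict(list)
    for account, pw in accounts.items():
        groups[fingerprint(pw, secret)].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def exposed_by(compromised: str, accounts: dict, secret: bytes) -> list:
    """Other accounts an attacker reaches by replaying one compromised account's passphrase."""
    target = fingerprint(accounts[compromised], secret)
    return sorted(a for a, pw in accounts.items()
                  if a != compromised and fingerprint(pw, secret) == target)


# Constructed account list; the passphrases are the post's own examples plus two fillers.
CONSTRUCTED_ACCOUNTS = {
    "facebook": "chickenandwaffles",
    "gmail": "ch1ck3n@ndWaffl3S!",
    "twitter": "chickenandwaffles",
    "linkedin": "Summer2013",
}

if __name__ == "__main__":
    secret = b"constructed-local-secret"
    for acct, pw in CONSTRUCTED_ACCOUNTS.items():
        f = policy_failures(pw)
        print(f"{acct:9s} {'ok' if not f else 'weak: ' + ', '.join(f)}")
    for group in find_reuse(CONSTRUCTED_ACCOUNTS, secret):
        print("same passphrase on:", ", ".join(group))
    print("if facebook leaks, also exposed:", exposed_by("facebook", CONSTRUCTED_ACCOUNTS, secret))
```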
Do your best to prevent this malware from getting onto your machines in the first place by practicing strong security procedures through layers such as a strong (properly configured) firewall, anti-virus, and email filtering, but also know what to do in case all of those layers didn't work.