Spammers have been busy so far in 2014. One group in particular has been especially active over the past 10 days. We have been following a massive spam campaign that is running the classic “Pump and Dump” stock scam with unusual relentlessness. If you are unfamiliar with the scam, it goes like this: the scammers buy shares in a penny stock (usually one costing less than $1 per share). Once they have taken their position (in this case snapping up shares of Rich Pharmaceuticals, Inc), they send massive amounts of spam to users around the globe to generate interest in the stock. Believe it or not, there are plenty of people willing to make stock purchases based on a “tip” they received from a source as suspect as an unsolicited email. Once these real-world investors have bought shares and “pumped up” the stock price, the scammers “dump” their shares and reap the profit. This might sound very familiar to some of you, since it is nearly indistinguishable from the plot of the recent film “The Wolf of Wall Street”. The only real difference is that the scammers in the film used cold calling instead of spam emails.
Early this morning, in a very ironic fashion, the spammers started using the name Oakmont Stratton in the [from:] field of their emails. We quickly noticed the striking resemblance to the firm Stratton Oakmont that appears in the recent Scorsese film. We couldn’t help but wonder if the scammers found some inspiration in the film and felt influenced to use the name. Of course, the cybercriminals are never short on tactics to pique people’s interest. They have been changing the sender address along with other message details several times a day. Another version of these messages we have been seeing today appears to come from “JtMorgan”, which is almost as reputable as JP Morgan.
Here is a look at one of the messages:
This campaign is quite unique as far as “Pump and Dump” spam campaigns go. They have been pushing the same stock for longer than we see on average. Also, they have built a remarkable number of variables into the algorithm that generates these messages, enough to keep sending unique versions of the message for days on end. Finally, the volume behind this campaign is also quite notable. We have consistently quarantined over 1 million messages per hour from this one campaign. At times this spam has accounted for as much as 15 percent of total spam traffic.
Recently the OpenSSL group released an advisory about a critical bug in the OpenSSL software that could "reveal up to 64k of memory to a connected client or server". This was puzzling at first, but it quickly became clear how serious an issue this is.
OpenSSL is a library used to secure a large part of the internet by providing SSL services to a server, which protects a connection from prying eyes online. So obviously a problem with this software can be disastrous from a security standpoint, and this particular problem has proven that. Memory on a server is essentially where everything happens: keys are stored there, as are certificates, and even user data is held there while the server is using it. So a bug in security software that can reveal up to 64k of that memory undermines the whole point of securing the connection. Further testing by individuals online has shown that the 64k of memory they can get isn't just a one-time deal; they were able to get 64k per request sent to a server. And this isn't a man-in-the-middle attack or anything of the sort: the request can be sent directly to a server.
A quick summary: a heartbeat request consists of sending data to a server and having that server reply with the same data. It's used to keep an SSL connection open even when no application data is being transmitted. The initial heartbeat data sent to the server carries a field specifying how large the data is, and this is where the main problem lies. An attacker could send a 1k piece of data to a server and declare it as 64k. The vulnerable implementation of OpenSSL does not verify the declared size against what was actually received. So when the server replies to the heartbeat using the data in memory, it replies with 64k of memory starting from where the received data was stored. If only 1k was sent and the server replies with 64k, then 63k of that data was pulled from adjacent memory and could contain almost anything.
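To make the missing check concrete, here is a small Python simulation of a heartbeat handler with and without the bounds check. This is an added example, not OpenSSL's code: the record layout follows RFC 6520 (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding), while the `memory` buffer, the secret placed in it and the four-byte "ping" payload are constructed for the demonstration. Only the first `rec_len` bytes of `memory` model what the peer actually sent; everything after them stands in for whatever happened to sit next to the record in the server's memory.

```python
"""Constructed simulation of the Heartbleed bounds-check failure (not OpenSSL code)."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding

# Constructed "adjacent memory": on a real server this could be keys, cookies or user data.
SECRET = b"CONSTRUCTED-PRIVATE-KEY-BYTES"


def parse_header(record: bytes):
    """Return (type, declared payload length) from a heartbeat record header."""
    if len(record) < 3:
        raise ValueError("record too short for a heartbeat header")
    (declared_len,) = struct.unpack("!H", record[1:3])  # big-endian uint16
    return record[0], declared_len


def _response(declared_len: int, payload: bytes) -> bytes:
    return bytes([HB_RESPONSE]) + struct.pack("!H", declared_len) + payload + bytes(MIN_PADDING)


def heartbeat_vulnerable(memory: bytes, rec_len: int) -> bytes:
    """Handler that trusts the declared length, as OpenSSL 1.0.1 through 1.0.1f did.

    `memory` models process memory beginning at the received record; only the first
    `rec_len` bytes were actually sent by the peer.
    """
    hb_type, declared_len = parse_header(memory[:rec_len])
    if hb_type != HB_REQUEST:
        return b""
    # No comparison with rec_len: a large declared_len copies bytes the peer never sent.
    payload = memory[3:3 + declared_len]
    return _response(declared_len, payload)


def heartbeat_fixed(memory: bytes, rec_len: int) -> bytes:
    """Same handler with the length check that OpenSSL 1.0.1g added."""
    if rec_len < 1 + 2 + MIN_PADDING:
        return b""  # cannot even hold the header plus minimum padding
    hb_type, declared_len = parse_header(memory[:rec_len])
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + declared_len + MIN_PADDING > rec_len:
        return b""  # declared payload does not fit in what was received: discard silently
    return _response(declared_len, memory[3:3 + declared_len])


def build_request(payload: bytes, declared_len: int) -> bytes:
    """Build a heartbeat request; declared_len may disagree with len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + bytes(MIN_PADDING)


def demo(handler, declared_len: int = 1024) -> bytes:
    """Send a 4-byte 'ping' that claims `declared_len` bytes and return the handler's reply."""
    record = build_request(b"ping", declared_len)
    memory = record + SECRET + bytes(4096)  # constructed memory following the record
    return handler(memory, len(record))


if __name__ == "__main__":
    leaked = demo(heartbeat_vulnerable)
    print("vulnerable reply bytes:", len(leaked), "secret leaked:", SECRET in leaked)
    print("fixed reply bytes:", len(demo(heartbeat_fixed)))
```

With a declared length of 1024 the vulnerable handler answers with 1043 bytes, of which only four came from the peer and the rest came from the constructed neighbouring memory; the fixed handler answers nothing, which is what the patched OpenSSL does. When the declared length is honest, both handlers produce the same reply, so the check costs nothing for legitimate heartbeats.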
While an attacker may only get bits and pieces of server memory, a large number of requests could be used to gather a large amount of data. Furthermore, this collection of data is not recorded in logs. This is a major concern with the bug, since the vulnerable version listed (1.0.1) was released in March 2012.
There's no way to tell for sure, but it's very possible this vulnerability had already been exploited on servers before it was publicly disclosed. This essentially means that there could be many servers that have had their certificates stolen or user data mined from memory, and there isn't a way to tell who has been affected. A scary part for an end user is that they may not be aware of which servers they communicated with were vulnerable, and there's not really anything a user could have done to prevent an issue like this.
Heartbleed is a big blow to internet security in general given how widely used OpenSSL is. One of the larger providers that was noted as being vulnerable was yahoo.com. With the millions of users they have, that could be a very large leak in user data if anyone attacked with the Heartbleed method. Fortunately most companies, including Yahoo, seem to have reacted very quickly to this incident by changing the software version used or disabling the heartbeat functions altogether until they can permanently fix it. Many providers are also taking steps in getting new certificates issued since it's possible the old ones may have been compromised.
At AppRiver, we don't rely on the OpenSSL library for most of our SSL needs. The few components that did use OpenSSL have been addressed and fixed to avoid any problems. If you run a server and think it may be vulnerable to the Heartbleed attacks or want to check websites you visit, there are places you can check servers at HERE and HERE. If you want to play it safe, it can't hurt to change any passwords at secure sites you frequent as well. This can help you stay safe just in case there are servers out there that have been compromised.
Canadian Pharmacy spam has always been sort of the de facto reference for when people ask me what types of things I see throughout a normal day. We see unique campaigns all the time, but there is always some sort of pharmacy spam going on somewhere. They have been so common that hopefully everyone knows about these scam sites by now and avoids falling for them if they end up on one. They're just out to get victims' personal information and banking details.
Normally I wouldn't write about Canadian Pharmacy emails, since they usually aren't that interesting for the most part. It's almost always an email saying you can buy some sort of cheap drug, with a link to the site. Very straightforward. However, some recent ones have been changing the tactic a little. They are coming in as WhatsApp emails saying you have a voicemail and to click the play button. Some are also claiming to come from Google as missed Hangouts notices (Hangouts being Google's messaging service now). I saw a small number of these a few months ago, but they seem to be slowly coming back into focus.
Upon first seeing a sample, I just assumed it was going to be malware, since that's been the theme with all of the recent WhatsApp blasts. There was no attachment though, just a link leading to a website. The link format was along the lines of "http://example.com/cgi-bin/<rand_word>.pl". All of the websites involved appear to be legitimate but compromised websites. Some of the links no longer work, but many still do. The pharmacy sites they end up redirecting to were on two domains registered in Canada and Russia, and of course both had that classic Canadian pharmacy site look.
On a side note, usually the redirect on a compromised site is pretty straightforward: an HTML meta refresh line. A new thing I noticed was that these used a script with hex-encoded data, which seemed a little overkill at first for what it did. My best guess is that this was to obfuscate the data from an admin who might look at the file on a compromised server. If they see a .pl file with a lot of hex in it, they may just overlook it.
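For an admin who does look at such a file, the hex is easy to undo. The Python below is an added example, not something from the campaign or from AppRiver: it finds long hex runs (and `\xNN` escape runs) in a script, decodes them, and reports any URL hidden in a blob that looks like a redirect. The sample `.pl` file is constructed for the demonstration and assumes the common pattern of a hex string emitted through Perl's `pack("H*", ...)`; the pharmacy domain in it is a placeholder.

```python
"""Added example: recover redirect targets hidden in hex-encoded strings (constructed sample)."""
import re
from urllib.parse import urlparse

# A run of at least 16 hex byte pairs, not glued to other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){16,})(?![0-9A-Fa-f])")
# The same kind of data written as \xNN escapes.
ESC_RUN = re.compile(r"((?:\\x[0-9A-Fa-f]{2}){8,})")
URL = re.compile(r"https?://[^\s\"'<>]+")
REDIRECT_HINTS = ("http-equiv", "location", "refresh")


def decode_hex_blobs(text: str) -> list:
    """Decode every long hex run or \\xNN run in `text` to a latin-1 string."""
    blobs = []
    for m in HEX_RUN.finditer(text):
        blobs.append(bytes.fromhex(m.group(1)).decode("latin-1"))
    for m in ESC_RUN.finditer(text):
        blobs.append(bytes.fromhex(m.group(1).replace("\\x", "")).decode("latin-1"))
    return blobs


def hidden_redirects(text: str) -> list:
    """Return (hostname, start of decoded blob) for each decoded blob that looks like a redirect."""
    found = []
    for blob in decode_hex_blobs(text):
        low = blob.lower()
        if not any(hint in low for hint in REDIRECT_HINTS):
            continue  # decoded, but nothing redirect-like in it
        for url in URL.findall(blob):
            found.append((urlparse(url).hostname, blob[:60]))
    return found


# Constructed sample of what such a dropped .pl file might look like; the domain is a placeholder.
HIDDEN_HTML = '<meta http-equiv="refresh" content="0;url=http://pharmacy-placeholder.example/?src=wa">'
SAMPLE_PL = (
    "#!/usr/bin/perl\n"
    'print "Content-type: text/html\\n\\n";\n'
    'my $d = "' + HIDDEN_HTML.encode().hex() + '";\n'
    'print pack("H*", $d);\n'
)
CLEAN_PL = '#!/usr/bin/perl\nprint "Content-type: text/html\\n\\n<h1>Hello</h1>";\n'

if __name__ == "__main__":
    for host, snippet in hidden_redirects(SAMPLE_PL):
        print(f"redirect to {host}: {snippet}...")
```

Run over a web root, the decoded hostnames are what you would feed to a blocklist or compare against the redirect destinations seen in the spam; a long hex run that decodes to readable HTML inside a CGI script is itself a strong sign the file was planted.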
In total there were 25 of these WhatsApp/Hangouts spam domains being tracked this morning, with messages totaling a little over 1.4 million, all of them failing spam tests. This was also just one particular Canadian Pharmacy campaign. There are countless others out there always trying to rope someone into falling for the scam.
Just over a week ago a man by the name of Neil Trotter became the UK's 4th largest lottery winner. That is to say, the amount of money he won, £107.9m, was the 4th largest in history; Neil Trotter himself is actually a fairly slender fellow. Fast forward to this week and we're beginning to see scammers piggybacking on Mr. Trotter's success.
These scams are coming in the form of the classic 419-style, or advance-fee fraud, technique. We're actually seeing a few different versions of these, and judging by the routes the various versions took to get to their destinations, it would appear that they are each from different groups. One version consistently comes from Nigeria by way of a quick hop in Brazil, and the others appear to originate from many different locations, suggesting the use of a botnet for delivery. The latter uses a brief email with the subject "my Euro Million win" and suggests that perhaps Mr. Trotter feels that you, the recipient, are quite poor. "I am willing to donate £1,000,000(One Million Pounds) to you and as part of my effort to alleviate poverty and care for the less privileged around the world, I have decided to donate part of my win to few persons around the globe and you are lucky to be one of them.", the email reads.
The other versions are much more long-winded in explaining the scenario, essentially giving a synopsis of the heavily circulated news stories that can be found around the internet. In fact, they provide links to these stories "To verify the genuineness of this email and our winnings". Because we all know that the internet is the source of all truth! The scam goes on to request tons of personal information from the recipient, all of the usual stuff: name, date of birth, phone number, that sort of thing. All of this information can be used to further tailor the story to fit the target and possibly be used for additional identity theft. It is confusing, though, that Mr Neil Trotter's email address is apparently firstname.lastname@example.org; that doesn't seem very intuitive, but the very wealthy can be quite eccentric too, so who knows?
Although I can't derive any exact figures, it would appear that this campaign (or campaigns) is fairly large, as we're seeing a good number of them in our filters. These 419 scams are tried and true. People are still falling for them for some reason, and this is why we continue to see tens to hundreds of thousands of this type of email on a daily basis. Do your best to stay informed and hold on to hope that you will get your big break one day, but also be aware that if it's too good to be true, it probably is.
Cybercriminals have been using ransomware for quite a while now, and while Cryptolocker has captured most of the headlines lately, there are still plenty of other variants making the rounds. One of those variants we are currently seeing takes a simple (yet effective) approach to lure its victims.
This malicious email campaign utilizes several subject lines such as “You look terrible on this photo” or “Shame on you” and is accompanied by only a smiley face in the message body. Each message has an attached file designed to look at first glance like only a JPG image. Malware distributors are certainly never short on social engineering tactics but this type of simple and intriguing technique will always work to some extent.
The attachments are actually .zip files that contain a malicious .scr file, which leads to the installation of a Trojan downloader. After gaining a foothold on the machine, this malware currently reaches out to one of several domains with a .su TLD and downloads more malicious files from the remote server. Currently this process leads to the installation of fake-AV-style ransomware. Once installed, the program locks the machine's applications and generates pop-ups designed to mimic a legitimate AV program. The pop-up demands a payment to remove the "infection". The computer is unusable until either payment is made or the user gets wise and removes the malware.
This type of ransomware has been in circulation for years but can be just as troublesome for some users as the now infamous Cryptolocker. Take, for example, the unwitting user who suffers this infection and believes that the alerts are from their (actual) AV provider. In many cases the user will reach for their credit card and submit the required payment without hesitation, thinking that they are paying an actual AV provider. Most of the time paying the ransom will unlock your machine for the time being… However, the backdoor to your machine remains in place and there is nothing to stop this process from repeating, or some other form of malware being installed at the cybercriminals' whim. Also, in this process you have not only made a payment to the criminals but have also divulged your credit card information. Of course, there are many users who would recognize this ransomware technique as a scam and take the appropriate steps to remove the infection.
Yesterday morning we began seeing a rather disturbing attempt to get users to click on malicious attachments. This malware campaign was made to look as if it came from The National Institute for Health and Care Excellence (NICE), which is an offshoot of the Department of Health in the United Kingdom. It claims that the institute received a sample of the recipient's blood, though it doesn't say how or when it came across this sample, which should alert people right away that something is amiss, and it goes on to say that after doing a complete blood count test on the sample, the results showed very low white blood cell counts and a suspicion of cancer.
This campaign was also directed only at domains with a .co.uk TLD, suggesting that the targets were all meant to be in the UK and familiar with NICE. It began around 4am local time (CST), which is 9am in the UK, peaking at 6am CST or 11am in the UK, and we’ve seen roughly 300,000 pieces.
This campaign randomizes the name of the signing doctor and utilizes three different subject lines –
IMPORTANT:Complete blood count (CBC)result
IMPORTANT:Blood analysis result
The email further instructs the recipient to print out the results and take them to their family doctor, the "results" being a malicious zip file attached to the email. The name of the file is CBC_Result_[random alphanumeric string].zip. Inside the archive is a file with a double extension made to look like a PDF but which is in actuality an executable with a PDF icon.
If the attachment is unzipped and executed the user may see a quick error window pop up and then disappear on their screen like this:
But what they won’t see is the downloader then taking control of the victim PC. It immediately begins checking whether it is being analyzed by making long sleep calls and checking whether it is running in a virtual machine or under a debugger. It also spawns several duplicate instances of itself in case someone attempts to shut down the original process. Next it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware then posts this data to a server at 188.8.131.52 at the path /ppp/ta.php and punches a hole in the firewall to listen for further commands on UDP ports 7263 and 4400.
This is all very common behavior for the Zeus family of malware, which remains prevalent in today’s attacks. Keep yourself informed and watch out for some of the common flaws that these malware campaigns exhibit, such as addressing people by their email addresses instead of their actual names. Oftentimes generalities are used in the greeting with no names at all; this is a big red flag, especially when the content is trying to appear so personal. If there are any questions as to the legitimacy of an email, contact the supposed sender directly to authenticate it.
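The red flags described for this campaign can be checked mechanically at two points: at the mail gateway (the greeting and the attachment) and on the network (the post to the server and the UDP listeners named in the analysis). The Python below is an added example and not AppRiver's filtering code: the message it scans is a constructed lookalike of the NICE email with placeholder addresses and a dummy zip, the proxy and firewall log lines are constructed in an invented `key=value` format, and the only values taken from the analysis above are the server address, the path and the two UDP ports.

```python
"""Added example: gateway and network checks for the campaign described above (constructed data)."""
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir", "dear madam", "hello,", "hi,")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Network indicators from the analysis above; the log line format below is constructed.
C2_HOST, C2_PATH = "188.8.131.52", "/ppp/ta.php"
LISTEN_PORTS = {7263, 4400}  # UDP


def greeting_flags(msg: EmailMessage) -> list:
    """Flag greetings that use the recipient's address or no name at all."""
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().strip() if body_part else ""
    first = text.splitlines()[0].lower() if text else ""
    recipient = parseaddr(msg["To"] or "")[1].lower()
    flags = []
    if recipient and recipient in first:
        flags.append("greeting-uses-email-address")
    if first.startswith(GENERIC_GREETINGS):
        flags.append("generic-greeting")
    return flags


def attachment_flags(msg: EmailMessage) -> list:
    """Flag zip attachments and double-extension executables inside them."""
    flags = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        flags.append(f"zip-attachment:{name}")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    low = member.lower()
                    if low.endswith(EXEC_EXTS) and low.count(".") >= 2:
                        flags.append(f"double-extension-executable:{member}")
        except zipfile.BadZipFile:
            flags.append(f"unreadable-zip:{name}")
    return flags


def network_flags(log_lines) -> list:
    """Match proxy and firewall lines against the indicators from the analysis."""
    flags = []
    for line in log_lines:
        if C2_HOST in line and C2_PATH in line:
            flags.append("c2-post:" + C2_HOST + C2_PATH)
        m = re.search(r"\budp\b.*?\bdport=(\d+)", line, re.IGNORECASE)
        if m and int(m.group(1)) in LISTEN_PORTS:
            flags.append("udp-listener:" + m.group(1))
    return flags


def build_sample_message() -> EmailMessage:
    """Constructed lookalike of the campaign message; addresses and names are placeholders."""
    msg = EmailMessage()
    msg["From"] = "NICE <results@nice-placeholder.example>"
    msg["To"] = "jane.doe@company-placeholder.co.uk"
    msg["Subject"] = "IMPORTANT:Complete blood count (CBC)result"
    msg.set_content(
        "Dear jane.doe@company-placeholder.co.uk,\n\n"
        "Please print the attached result and take it to your family doctor.\n\n"
        "Dr. Placeholder Name\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CBC_Result.pdf.exe", b"MZ-constructed-not-a-real-binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="CBC_Result_a1b2c3.zip")
    return msg


SAMPLE_LOGS = [  # constructed log lines in an invented key=value format
    "proxy: host=infected-pc method=POST url=http://188.8.131.52/ppp/ta.php status=200",
    "fw: ALLOW-IN proto=udp dport=7263 program=CBC_Result.pdf.exe",
    "fw: ALLOW-IN proto=udp dport=53 program=svchost.exe",
]


def scan(msg: EmailMessage, log_lines) -> list:
    """All flags for one message plus the host's recent log lines."""
    return greeting_flags(msg) + attachment_flags(msg) + network_flags(log_lines)


if __name__ == "__main__":
    for flag in scan(build_sample_message(), SAMPLE_LOGS):
        print(flag)
```

Each flag on its own is weak (plenty of legitimate mail says "Dear customer", and a zip attachment is not malicious by itself), so the design is to collect them and let the combination drive the decision: a greeting built from the recipient's address plus a zip holding a `.pdf.exe` is the campaign's signature at the gateway, and the post to the named server with a new UDP listener is its signature on the wire.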
This past week I spent some time at the annual RSA convention in San Francisco as I have done for the past several years. RSA is primarily a vendor-centric event with IT security as its focus. The conference gives security professionals the opportunity to feel out where others in the industry have been and where they're headed by way of trends, techniques, and sometimes tragedies.
Before this year's event even began we all knew at least one issue was going to be first and foremost after a long year of talks about breaches and privacy. I knew going in that during the many keynote speeches, presentations, and chatter on the show floor I would hear the acronym NSA and the name Edward Snowden ad nauseam during the week, and this year's RSA did not disappoint in that area. One thing I wasn't quite expecting, however, was the twist thrown into the mix thanks to an article by Reuters a week before the event that linked the RSA business entity and a purposefully flawed encryption algorithm to the NSA directly through a contract to distribute this reversible encryption.
This news was enough to send many others in the security field into an uproar of sorts: the event was immediately boycotted by some, and a protest conference by the name of TrustyCon sprang up directly across the street and sold out its 400-person capacity.
This made us very curious as to what people were most concerned about now that all of these other vectors of attack on both our security and our privacy seem to be popping up on all sides. We decided to do a face-to-face survey with conference attendees, one on one, asking them a few simple questions about these issues, then compile the data and see what is on people's minds. These are people who deal with security every day, whose jobs depend on keeping networks secure, and who treat threats as a practical problem, not a theoretical or philosophical one.
We ended up surveying just over 110 people on these subjects, and when we asked them what they felt was the number one threat to their organization, the response was more swayed than I had expected.
• 56.2% of respondents report cybercrime from external sources as most problematic
• 33% say insider threats with non-malicious intent give them the most trouble
• 5.3% blame malicious insiders for causing the biggest security headache
• 5.3% point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4%, cited people as the most frequent (or most likely) point of failure for IT security. 21.4% faulted process and 7.2% labeled technology as the weak link.
As a new breed of cybercriminal gets more sophisticated, IT security pros find themselves increasingly wary that employees are not keeping pace. This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organizations need a combination of technology, training, knowledge and awareness to keep both inadvertent and intentional attacks from happening.
We were also curious as to whether or not all of this recent information has driven people to believe in the need for psychometric testing to determine employee honesty. Over two thirds of our respondents said no. When asked if these security professionals would be willing to take such a test themselves, again nearly two thirds of them said that they would be willing.
Of course security and privacy will always be concerns within businesses and a strict "need to know" policy should be implemented and enforced to help protect important data, but it would seem that forcing everyone to a polygraph test for employment regardless of what data they are exposed to may be a bit on the paranoid side and those surveyed seemed to agree.
Everyone continues to have their own philosophical and ethical stances, but the real concern as this survey points out is the everyday tangible malware that continues to barrage inboxes and networks millions of times a day.
Today we are still monitoring a blast of malicious emails that began on February 5, 2014. Since that day, we have seen the virus traffic increase to unusually high levels that have continued to reach higher peaks over the last few days. January was the second most active month for malicious emails to date. Though the spike we saw in January was unusually large, the spike in message traffic that we have been seeing over the past few days has been even larger. So far in February we have quarantined over 150 million email messages containing malware attachments; at this rate, February has a good chance of surpassing the previous record-setting levels that we recorded way back in 2008.
This malware campaign is still going strong, but the technique is nothing new. The malware distributors are sending large blasts of emails with varying premises. Attached to each message is a file that attempts to appear legitimate but in actuality contains malicious code. The theme of these emails continues to vary.
For example, today many of these messages were posing as alerts from Visa/MasterCard warning the recipient that their account had been blocked due to unusual activity (fake security warnings are a favorite social engineering tactic for the blackhats). The file attached to each message is in fact a Trojan that will infect your machine upon execution. Once a machine is infected, the attackers have a backdoor to it and can install further malware, most commonly programs designed to harvest personal and financial information.
While the initial analysis of many of these malicious files has pointed to the Andromeda botnet or even the [not so recently defunct] Bredo botnet, these trojans are mostly identified with generic names. In turn, some of us here at AppRiver have taken to referring to this botnet activity as TidalWave or TidalBot (due to its enormous ebbs and flows). Whether this botnet is a completely new build from the ground up or built up from an existing piece, one thing is certain… they have spent some time and effort compiling a large swath of compromised machines to have at their disposal.
You could draw several conclusions as to what danger this all poses to the user. First, it illustrates that people are still clicking on attachments and links in unsolicited email (if they were not, cybercriminals would not be relying so heavily on this technique). The users who unknowingly click on one of these attachments are likely to have their activity monitored, leading to stolen financial information, personally identifiable information and login credentials. But the impact of this type of malicious activity is not only felt by the recipient of these messages; it can also have a cascading effect. It poses an inherent risk to information security in general. Most of the time we just think about an individual falling victim to this sort of attack, but what if that individual is your CPA or banker (or anyone who has access to personal data, for that matter)? If they fall victim while on a work computer, then it is not just their data that is at risk; your information may now be exposed as well.
Over the last month we’ve caught and blocked a set of virus campaigns that use new and novel tactics designed specifically to beat filtering engines. One common component of all these campaigns is enormous volumes of traffic being sent to data centers, with peaks reaching three or four times normal network traffic.
Earlier today, AppRiver experienced such a spike, although this one was quite unlike anything we’ve seen to this point. Our data center processed 10 to 12 times our normal traffic. This graph will give you an idea of what we saw:
These spikes have been driven by a tremendous increase in the number of incoming messages being sent with viruses attached. AppRiver's systems blocked the messages, and our analyst team discovered they were designed to deliver a new Bank of America trojan. However, the sheer volume of the traffic caused delays for some of our customers in sending and receiving mail. Once we were able to isolate and analyze the malicious messages, we quickly choked them off and mail flow returned to normal.
Our security analysts spent some time looking at this virus and found it was being classified by at least one AV vendor as a Bredo virus. Running the message through a variety of virus scanners showed that only 11 of 51 antivirus vendors were classifying it as malware. The main goal of this virus is to steal information such as banking details or to record keystrokes. The software may also have the ability to further infect a system by downloading more malware onto the machine. Here's a screenshot of what this message looks like:
As always our engineering, security, and support teams are here to answer any additional questions and help ensure your email experience is as fast, secure, and safe as possible. If you have any questions please give us a call at 866-223-4645.
This past month of January we saw a pretty incredible spike in virus traffic. Other unsolicited emails ebbed and flowed throughout the month resulting in a regular average amount of traffic after all was said and done.
The biggest news that everyone was talking about at the start of 2014 was all of the major breaches that made the headlines. Target was the first to enter the spotlight, announcing that between Black Friday and December 6th, malware placed directly on their POS systems siphoned off around 40 million customer credit and debit card numbers as well as information associated with those accounts. As time went on that number began to increase, first to 70 million and then to over 100 million accounts compromised. After Target, other companies began announcing similar breaches, including Neiman Marcus and Michaels.
This brought to light new strains of malware that were written to attack right at the source, at the point of sale itself. The moment customers swiped their cards in-store at the business, the malware would take all of that card information directly from RAM on the POS computer. Several variants of this POS malware began to surface that used this very technique known as RAM scraping. Malware such as BlackPOS, Alina, Dexter and vSkimmer to name a few have become popular in underground forums.
BlackPOS, or Kaptoxa as it’s known to some, was credited as the malware used in the Target breach. It was being sold at the time for around $2000 USD by a Russian seventeen-year-old named Sergey Taraspov, who authored the malicious code. Even though Taraspov created this malware, it is assumed that he was not to blame for the attacks on these major retailers; rather, it was one of Sergey’s customers who was responsible for this major breach.
In addition to these attacks, Yahoo also announced a major breach of their email accounts. Though not related to the Target or Neiman Marcus breaches, this one also proved to be rather alarming. The goal here for the attackers was passwords. Once the Yahoo users’ passwords were stolen from a third-party database hack, the attackers then accessed and monitored email for these accounts, looking for mentions of other accounts that the victims might have, such as bank accounts or even other email accounts. The attackers then attempted to use the stolen Yahoo passwords on other accounts owned by the victims. For those who like to use the same password across several accounts, this proved to be a costly security oversight. We’ve said it a thousand times before and we’ll continue to say it ad nauseam: in addition to making sure your password is strong, never use the same one twice, and the Yahoo breach is a perfect example of why.
Here are a few metrics that we saw in January:
Though traffic was close to normal, the four-day spike from the 7th-10th was enough to push this month’s total virus message count to the highest monthly total since Q3 of 2008. (269,108,311 virus-laden messages were quarantined in January 2014.) The traffic on Jan. 7th-10th was roughly 40 times the daily average, which is typically about 2 million or more emails containing a virus attachment.
Spam was high and low throughout the month, which led to an average total for January. In total, 2,501,096,184 messages were quarantined in January.