
Phishing

Monday, October 19, 2009

The First Phishing Email I Almost Fell For

By Rich

Like many of you, I get a ton of spam/phishing email to my various accounts. Since my email is very public, I get a little more than most people. It's so bad I use 3 layers of spam/virus filtering, and still have some messages slip through (1 cloud based filter [Postini, which will probably change soon], one on-premise UTM [Astaro], and SpamSieve on my Mac). If something gets through all of that, I still have some additional precautions I take on my desktop to (hopefully) help against targeted malware. Despite all that, I assume that someday I'll be compromised, and it will probably be ugly.

This morning I got the first phishing email in a very long time that almost tricked me into clicking. It came from "Administrator" at one of my hosts and read:

Attention!

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.[cut for safety]

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

A few things tipped me off. First, that system is a private one administered by a friend. While he does send updates like this out, he always signs them with his name. Second, the URL is clearly not really that domain (but you have to read the entire thing). And finally, it leads to an Active Server Pages domain, which that administrator never uses since our system is *nix based.
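As an added example (not from the original post), here is a small defender-side check for two of the tells above: a hostname that only looks like the expected domain until you read all of it, and a link to an .asp page on a host that only runs *nix. The sample URLs, the expected domain and the suffix list are constructed for illustration.

```python
"""Flag phishing-style links whose host merely contains the expected domain,
and .asp targets on a host known to run no ASP. Added example, not the
original author's code; domains below are constructed placeholders."""
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the public suffix list, enough for the demo.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname a registrant actually controls."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str, host_is_unix: bool = True) -> list:
    """Return a list of findings; an empty list means no tell was detected."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return ["no hostname in URL"]
    expected = expected_domain.lower()
    actual = registrable_domain(host)
    if actual != expected:
        if expected in host:
            # e.g. updates.example-host.com.evil.net: reads like ours, is not
            findings.append(
                f"lookalike host '{host}' registers as '{actual}', not '{expected}'")
        else:
            findings.append(f"host '{host}' is not under '{expected}'")
    if host_is_unix and parsed.path.lower().endswith((".asp", ".aspx")):
        findings.append("ASP page linked on a host that never serves ASP")
    return findings


if __name__ == "__main__":
    # Constructed sample links: one legitimate, one imitating the real host.
    for link in ("https://updates.example-host.com/ssl/renew",
                 "http://updates.example-host.com.evil-updates.net/patch/update.asp"):
        print(link, "->", check_link(link, "example-host.com") or "clean")
```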

But it was early in the morning, I hadn't had coffee yet, and we often need to upgrade our SSL after a system update on this server, so I still almost clicked on it.

According to Twitter this is a Zbot generated message:

SecBarbie: RT @mikkohypponen ZBot malware being spammed out right now in emails starting "On October 22, 2009 server upgrade will take place" Ignore it.

Thanks Erin!

It's interesting that despite multiple obvious markers that this was malicious, and me being very attuned to these sorts of things, I still almost clicked on it. It just goes to show you how easy it is to screw up and make a mistake, even when you're a paranoid freak who really shouldn't be let out of the house.

–Rich

Friday, October 09, 2009

Friday Summary - October 9, 2009

By Adrian Lane

A lot of not this week. I was not at SECtor, although I understand it was a good time. I am not going to Oracle Open World. I should be going, but too many projects are either beginning or remain unfinished for me to travel to the Bay Area, visiting old friends and finding a good bar to hang out at. That is lots of fun I will not be having. I will not be going to Atlanta in November as the Tech Target event for data security has been knocked off the calendar. And I am not taking a free Mexican holiday in Peurta de Cancun or wherever Rich is enjoying himself. Oh well, the weather has been awesome in Phoenix.

With the posts for Dark Reading this week I spent a bunch of time rummaging around for old database versions and looking through notes for database audit performance testing. Some of the old Oracle 7.3 tests with nearly 50% transactional degradation still seem unreal, but I guess it should not be surprising that auditing features in older databases are a problem. They were not designed to audit transactions like we do today. They were designed to capture a sample of activity so administrators could understand how people were using the database. Performance and resource allocation were the end goals. Once a sample was collected, auditing was turned off. Security was not really a consideration, and no thought was given to compliance. Yet the order of use and priority has been turned upside down: auditing features now fill a critical compliance need, but they require careful deployment.

While I was at RSA this year, one database vendor pointed out some of the security vendors citing this 50% penalty as what you could expect. Bollocks! Database security and compliance vendors who do not use native database auditing would like you to embrace this performance myth. They have a competitive offering to sell, so the more people are fearful of performance degradation, the better their odds of selling you an alternative to accomplish this task. I hear DBAs complain a lot about using native auditing features because it used to be a huge performance problem, and DBAs would get complaints from database and application users.

Auditing produces a lot of data. Something has to be done with that data. It needs to be parsed for significant events, reported on, acted upon, erased or backed up, or some combination thereof. In the past, database administrators performed these functions manually, or wrote scripts to partially automate the responsibility, and rewrote them any time something within IT changed. As a form of self preservation, DBAs in general do not like accepting this responsibility. And I admit, it takes a little time to get it set up right, and you may even discover some settings to be counter-intuitive. However, auditing is a powerful tool and it should not be dismissed out of hand. It is not my first choice for database security; no way, no how! But for compliance reporting and control validation, especially for SOX, it's really effective. Plus, much of this burden can be removed by using third party vendors to handle the setup, data extraction, cleanup, and reporting.

Anyway, enough about database auditing. On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Favorite Outside Posts

Top News and Posts

Blog Comment of the Week

This week's best comment comes from Adam in response to Mortman's Online Fraud Report:

It's sort of hard to answer without knowing more about what data he has, but what I'd like is raw data, anonymized to the extent needed, and shared in both data and analyzed forms, so other people can apply their own analysis to the data.

–Adrian Lane

Monday, January 05, 2009

Twitter Phish Alert

By Adrian Lane

Update: Some additional information was just posted on the Twitter Blog. Along with some comments on how their soon-to-be-beta 'OAuth' would not have prevented this attack, there is also some information on the extent of the scam. It seems that Barack Obama's account was hacked along with a few others. Did this strike anyone else as odd: if Obama has not been twittering since being elected, does that mean a staffer logged in on his behalf?

An interesting note popped up on Twitter this morning about a phishing attack through direct messages and direct email. The phish is very well done and looks legit, so it will probably be effective. It asks you to provide your Twitter access credentials, but the domain is accesslogins.com. The WHOIS for Access-Logins shows it owned by XIN NET Technology Corp from Beijing, with all of the 126.com email accounts hosted from Netease.com. That's a long way from San Francisco. Access-Logins is the home of a few dozen other phishing sites, from McAfee to Defcon. Needless to say, don't click on email links.

The real question on my mind is: once you have clicked onto the phishing login page, will Twitter's real reset password function be vulnerable to an XSS attack? I do not have a copy of the original email so I am unable to test. If you fall victim to this you will want to clear all of your private data from the browser and restart it before trying to reset your password. Or shut down your current browser and use the password reset from a different one; otherwise other passwords may be captured as well.

–Adrian Lane