
MX Logic » MX Logic IT Security Blog

27 February 2008

Heads Up! New Government Spoof with Malware Payload



Looks like the government agency spoofs from last summer have returned!

During May/June 2007 we saw nearly weekly variants of emails being spammed that were spoofing different government agencies, largely targeted towards C-level executives and carrying a keylogger payload.  These emails started off with the malware attached to the email message itself, then migrated to a pull infection model where the user downloaded the malware off of a web site via a link embedded within the message.

Starting today, we've begun to see a resurgence of this tactic, but this new variant is spoofing the Department of Justice.  This department had not been one of the spoof targets of the previous spam runs.  Below is a redacted screen shot of the new scam (courtesy of McAfee):



As you can see from the above screen shot, the message has an attachment named complaint.zip which contains the malware payload. 

A couple of similarities in social engineering tactics between this scam and the previous scams from this summer are the inclusion of the name of the person and the name of the company that the message is being sent to.  You'll notice from the screen shot that there are also grammatical errors and misspellings. 

A few particular examples that I have seen were sent from IPs in Italy.  Somehow I doubt the DoJ has contracted with anyone in Italy to start sending legitimate complaint notices :)

Volumes of this scam have been pretty low; on the order of a few hundred being seen by our Threat Operations Center per hour.  No information yet as to specific targeting of this scam.  This post will be updated as more information becomes available.

Posted by smasiello at 10:26 PM

2008 Off to a Fast Start

Rootkits, and Spam, and Pharming! Oh My!
Nice to be back!

Between our webmaster working on a new blogging tool for me to use and the first of three Messaging Anti-Abuse Working Group (MAAWG) meetings for the year in San Francisco last week (I am now chairing the Botnet/Zombie Subcommittee), I've not had nearly the time that I normally have for blogging over the past couple of weeks.  I've been queuing up topics in the meantime though, so we should be back on our regular posting cadence now.

In comparison to most previous years, 2008 is off to a pretty fast start as it relates to spam and malware.  Save for last year when the Storm Worm started January off with a bang, the months of January to April are typically a bit slow from the perspective of new worms, malware, and spam volume. The primary reason for this "slow season" is that a good number of your malware writers are of high school/college age.  Those folks are in school or otherwise occupied during the early months of the year.  Come May or thereabouts, schools start letting out for the summer, kids find themselves with more idle time, and the flood of malware and spam begins.  Infections rise, spam levels rise, and things quickly start hopping around our TOC.

2008 has somewhat bucked the trend in that regard as we have seen a number of developments just in the first two months of the year alone: MBR Rootkits, Drive-By Pharming, and continually high spam volumes which normally drop off by as much as 30% after the first of the year.  In fact, the spam volumes that we have been observing this week are UP about 20%  from any other week so far this year!

We've also seen social engineering tactics like Fake Microsoft updates with links to malware and IRS phishing scams claiming that you are due a refund from the IRS that will be gladly credited to your credit card if you provide them with your card number (not new tactics, but worth noting nonetheless) as well as Google spam (email with links to Google search results which forward you to sites that have abused Google's PageRank system).

Google spam is currently accounting for around 100,000 messages per hour that we are seeing in our Threat Operations Center.  Although this doesn't represent a significant percentage of volume, it is the most prevalent spam tactic that we are currently observing.   Compare that to IRS phishing which we are currently seeing at a rate of less than 100 per hour.

If the first two months of 2008 are any indication of what the rest of the year will be like, perhaps it is appropriate that it is the year of the rat according to the Chinese calendar :)

Posted by smasiello at 10:50 AM
12 February 2008

Right on cue, Storm releases Valentine's Day Variant

I'm sure nobody saw this coming (tongue firmly lodged in cheek), but the folks that have brought us Storm Worm variants like e-cards and Christmas Greetings have brought us a Valentine's Day variant just in time for the February 14th holiday.

Traffic that we have seen thus far in relation to this worm peaked during the 1am and 2am (mountain standard time) hours this morning and has been steadily dropping ever since, but I have a hard time believing that this trend will continue with Valentine's Day still two days away!

This new variant follows the same paradigm as the ones that we have seen previously: Subject line and message body related to the upcoming holiday and a random link which points the user to a web site where they download an executable (like valentine.exe) and get infected. Nothing new.

Some of the subject lines that we have seen in relation to this worm include:

Is Anything Beautiful As A Rose?

You're my Velentine! (note the misspelling)

You Stay In My Heart

Smiley Kiss

Sample message bodies potentially include the same text as the subject line. We've seen some variances here, but it looks like the subject line and message text are pulling from just about the same static list.

Playing on emotion and holiday themes continues to be a successful social engineering tactic for the Storm Worm gang, and will continue to be popular until such time as it ceases to be effective. As with all of the other variants, don't get hit by this Cupid's arrow. There is no love to be found here!
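As an added illustration (not MX Logic's code, and not from either post), here is a small triage function run over two constructed messages: a stand-in for the DoJ spoof from the 27 February post (a claimed .gov sender, a zip attachment holding an executable, an origin IP outside the agency's expected range) and a stand-in for this Valentine's lure (a bare link to an .exe). All domains, IP addresses and the expected-origin prefix are placeholders chosen for the example.

```python
import email, email.policy, io, re, zipfile
from email.message import EmailMessage

IMPERSONATED = {"usdoj.gov", "irs.gov"}  # constructed: domains the spoofs claim to send from
EXPECTED_ORIGIN = "192.0.2."             # placeholder for the agency's real outbound MTA range
EXE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")
EXE_LINK = re.compile(r"https?://[^\s\"'<>]+\.(?:exe|scr|pif|bat)\b", re.I)

def origin_ip(msg):
    """Client IP from the earliest (bottom-most) Received header, if any."""
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", hops[-1]) if hops else None
    return m.group(1) if m else None

def triage(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the lures described above."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    sender = str(msg.get("From", "")).rstrip(">").rsplit("@", 1)[-1].lower()
    ip = origin_ip(msg)
    if sender in IMPERSONATED and ip and not ip.startswith(EXPECTED_ORIGIN):
        reasons.append(f"claims {sender} but originated from {ip}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):  # look inside the archive rather than trusting its name
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                reasons += [f"{name} contains executable {n}" for n in zf.namelist() if n.lower().endswith(EXE_SUFFIXES)]
    body = msg.get_body(("plain", "html"))
    for link in EXE_LINK.findall(body.get_content() if body else ""):
        reasons.append(f"body links directly to an executable: {link}")
    return reasons

def doj_sample() -> bytes:
    """Constructed stand-in for the DoJ spoof: recipient and company named, zip holding an .exe."""
    msg = EmailMessage()
    msg["Received"] = "from mail.example.it ([198.51.100.7]) by mx.example.net"
    msg["From"] = "Department of Justice <complaints@usdoj.gov>"
    msg.set_content("Dear John Smith of Example Corp, please review the attached complaint.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("complaint.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="complaint.zip")
    return msg.as_bytes()

def storm_sample() -> bytes:
    """Constructed stand-in for the Valentine's Day Storm lure: a bare link to an .exe."""
    msg = EmailMessage()
    msg["From"] = "admirer@example.org"
    msg.set_content("You're my Velentine! http://203.0.113.9/valentine.exe")
    return msg.as_bytes()
```

The Received-header check only works on the header added by your own edge MTA; earlier hops in a real message are attacker-controlled and should not be trusted.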


Posted by smasiello at 9:32 AM
06 February 2008

Article Commentary: Human Error the Leading Cause of Security Threats

I ran across this article this morning which states that according to Deloitte that human error is the leading cause of security threats. I agree with this to a point.

I thought it was important to mention this concept as it is also a major point in the Security Awareness presentations that I do. Where my opinion differs is that I believe that human error is the leading cause of *insider* security threats, but not the leading cause of all security threats.

Perhaps I am being myopic because of the type of company that I work for, but I view intrusion as the result of public server vulnerability, virus infection, and social engineering to be a much larger issue.

That isn't, however, to take away from the importance of the insider threat. When I say "insider threat" am I referring to employees who are going out of their way to do something malicious or to try to access data that they know they shouldn't have access to? Yes, but I am also referring to employees who stumble upon information due to a lack of proper security controls or the maintenance thereof. For example, if you work in your Customer Support department and happened to stumble upon a spreadsheet named "Executive Salaries 2008.xls" somewhere out on a network share that you had permission to view, would you open it? Perhaps you would report it, but I'll bet you a nickel that you would look at it first, maybe save a copy for yourself, or print it out on the closest printer to show your friends. These are examples of insider threats just as much as the over-eager security novice who is attempting cross site scripting attacks against your production systems in an attempt to learn.

According to the 2006 E-Crime Watch Survey insiders were responsible for 27% of all security incidents and 55% of respondents reported at least one incident that was the result of insider activity. That's more than 1 in 4 security incidents that happen as a result of an internal employee! That's a lot, especially in an age where most of what you read about in security publications talks about the latest worms, keyloggers, and other maladies looking to steal your financial data.

The article also states that "Another security worry is many line-of-business executives' tendency to see information security as solely IT's problem." If your company puts the responsibility of security solely with the IT department, they are missing the boat. Security should not rest with IT for the same reasons that it should not rest with Production Operations or Quality Assurance or any other department; they have their own agendas and their own core competencies to focus on. Adding "make sure we are secure" to that mix is a certain recipe for failure. Your security program implementation, maintenance, and enforcement should be handled by an independent (could be internal) source whose *main responsibility is the security program*.

The article concludes by making a statement in regards to the implementation of a corporate security program, "A prerequisite for effective information security is the implementation of a proactive information security strategy that is closely linked to the company's overall business strategy, business requirements, and key business drivers." This is completely true. One thing I would add onto it is "...and has the full support of the company's executive team." Without the support of the people who run the company, your program will barely get off the ground.

Posted by smasiello at 10:13 AM

© MX Logic, Inc.
All Rights Reserved.
