According to this article posted at PC Pro, ScanSafe says that remote employees are more than twice as likely to be surfing porn than employees who work in the office. 

This is not a surprising stat as telecommuting takes a level of discipline on the part of the teleworker that is far and away greater than office-bound employees.  What is surprising to me is that companies are ALLOWING this type of web surfing to be taking place on their corporate computers!

Porn sites are one of the biggest security risks out there.  Porn sites commonly install malware, adware,  tracking cookies, and other security risks that could cause a security breach to your organization. 

In most cases you want to use technology as an enabler for employees to be as efficient as possible, particularly your remote employees who are frequently less scrutinized because most of management's attention is focused on the employees that are in the office every day.  This, however is one of those instances where technology needs to enforce the policies of the organization so that the company can protect itself and its intellectual property from compromise and disclosure.  Data leakage as a result of inappropriate employee web surfing and irresponsible organizational content filtering policies is one of the easiest insider threats to mitigate.  Companies should be doing everything that they can be to assure that this is not an avenue of information disclosure.

Right on cue we are starting to see phishing scams with an economic stimulus payment flavor.  As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments.  We are starting to see some of the first iterations of those scams today.

As has been common with most of the government agency spoofs that we have seen over the past year, this one has an IRS logo at the top of the message that is being pulled directly from the IRS web site at irs.gov.

The samples that we are seeing allege to be from "service@irs.gov" and have a subject line of "2008 Economic Stimulus Refund."

The phish content is as follows:

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before April 24th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on April 24th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

The "click here" link takes the user to a prototypical phishing site where they are asked for their bank routing number and checking account number so that the rebate can be directly deposited into their checking account.  The scammers are also trying to establish a sense of urgency to get you to click the link by saying that you have to fill out and submit the form before April 24th if you want to get your stimulus payment on time.  Failure to do so will result in delays.  This could be an effective tactic against those who may not be scheduled to receive their rebate until July or against the extremely impatient who think that this could be a shortcut to getting their rebate quicker.

This is about the time that we expected to start seeing these scams start coming out, and this certainly won't be the last of them, especially since the distribution of the stimulus payments is expected to last a couple of months.

As with all of the IRS scams that we have seen to date, there are a couple of things that you should remember:

-- The IRS does not communicate with the public over email. 
-- To that point, the IRS does not even know what your email address is.  If you use at home tax software the software vendor might ask you for your email address, but this is for the purpose of sending you status updates with respect to your tax filing.  These emails are not from the IRS.

With respect to the economic stimulus payments, also remember:

-- The economic stimulus payments are being distributed based on your 2007 tax filing.  The information for how to distribute your rebate to you will be done based off of your tax forms. 
-- The payment schedule for the economic stimulus payments has already been established by the IRS.  There is no way to accelerate this process. 

We're seeing a new Google Spam run with a malware component making the rounds where the subject line of the message alleges that some of the more popular news agencies have released a Special Report with respect to a new video having been released from Osama bin Laden.  Volume is currently only less than 1% of total inbound virus traffic, so it is pretty low, but is yet another abuse of the Google PageRank system in an attempt to deliver malware.

Some of the subject lines that we have seen include:

Special issue of news from  CNN! Urgent  Fresh News Usama Ben Laden!
Special issue of news from  CNBC! Urgent  Fresh News Usama Ben Laden!
Special issue of news from  Financial Times! Urgent  Shocking News Usama Ben Laden!
Special issue of news from  CNN! Urgent  Apocalyptic News Usama Ben Laden!
Special issue of news from  Bloomberg! Urgent  Fresh News Usama Ben Laden!


You can see a fairly common theme here. 

The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world.  The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):

Special issue of news from Reuters! Urgent Dangerous News!

hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311&adurl=http://cavalldemar.org/news_usa.php 

 

Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist

 activity, and similarly the largest leaders of terrorist organization of Al

 Kaeda, detained American soldiery force in Iraq.

 

This particular sample was taken from a message where the subject says that the news update is from CNN so you can see that the news agency in the subject line is not necessarily consistent in the actual message itself.  If the link from the message is followed, it directs the user to a page where they download a file named videousa.exe, which contains the malware.

Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.4.22.0	2008.04.21	Win-Trojan/Agent.77824.DX
AntiVir	7.8.0.8	2008.04.21	TR/Crypt.XPACK.Gen
Authentium	4.93.8	2008.04.20	-
Avast	4.8.1169.0	2008.04.21	-
AVG	7.5.0.516	2008.04.21	Downloader.Zlob.12.AH
BitDefender	7.2	2008.04.21	-
CAT-QuickHeal	9.50	2008.04.19	(Suspicious) - DNAScan
ClamAV	0.92.1	2008.04.21	-
DrWeb	4.44.0.09170	2008.04.21	-
eSafe	7.0.15.0	2008.04.17	Suspicious File
eTrust-Vet	31.3.5720	2008.04.21	-
Ewido	4.0	2008.04.21	Backdoor.Agent.gxg
F-Prot	4.4.2.54	2008.04.20	-
F-Secure	6.70.13260.0	2008.04.21	Backdoor.Win32.Agent.gxg
FileAdvisor	1	2008.04.21	-
Fortinet	3.14.0.0	2008.04.21	-
Ikarus	T3.1.1.26	2008.04.21	Trojan.Win32.Revelation
Kaspersky	7.0.0.125	2008.04.21	Backdoor.Win32.Agent.gxg
McAfee	5277	2008.04.18	-
Microsoft	1.3408	2008.04.21	TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2	3043	2008.04.21	-
Norman	5.80.02	2008.04.18	-
Panda	9.0.0.4	2008.04.20	-
Prevx1	V2	2008.04.21	-
Rising	20.41.02.00	2008.04.21	-
Sophos	4.28.0	2008.04.21	Mal/Generic-A
Sunbelt	3.0.1056.0	2008.04.17	-
Symantec	10	2008.04.21	-
TheHacker	6.2.92.285	2008.04.19	-
VBA32	3.12.6.4	2008.04.16	Trojan.Win32.Revelation
VirusBuster	4.3.26:9	2008.04.21	-
Webwasher-Gateway	6.6.2	2008.04.21	Trojan.Crypt.XPACK.Gen

Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now.  This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.

Over the past 10 months or so we've often discussed different social engineering tactics as it relates to different types of spam and malware campaigns.  These tactics range from using pinpoint precision to identify individual scam recipients (like CEOs and other C-Level Executives) to using tragic current events, naked celebrity videos, holiday e-cards, IRS tax refunds, or free/discounted sporting event tickets as a lure to get people to open malicious email attachments or click links that redirect them to web sites that are infested with malware.

So, the question is: How far will cyber criminals go in an attempt to get a foothold on your PC or steal your personally identifiable information?

The answer is simple: As far as they need to. 

Cyber criminals will go to whatever lengths are necessary to trick you into doing what they need you to do in order to get infected with malware.  This means that the success of their campaign is almost solely related to their ability to establish trust and to make their campaign appear as legitimate as possible.  As an example, some of the IRS tax refund scams that we have been seeing this tax season even go so far as to link to or display the real IRS web site's logo, Privacy Policy and Online Help.  The Federal Subpoena scam that we spoke about earlier this week included not only the name of the person that the scam was being sent to and their company name, but also their phone number! 

As cyber criminals continue to hone their social engineering tactics, it is becoming more and more critical that people understand, are aware of, and keep a keen watch out for new potential threat vectors and the techniques that are being used in order to trick them into giving up information that could result in loss of identity, company secrets, or their life savings. 

Losses being incurred as a result of cyber crime are increasing at an alarming rate and now we have reached the point where people are more fearful of being a victim of cyber crime than they are physical crime.  According to Gartner, losses as a result of phishing alone could top the $4B mark in 2008!  That increase is no accident and does not appear to be slowing anytime soon. 

I just had to take a moment and share a couple of spam messages that came into our spamtraps over the past couple of days that I thought were somewhat humorous.

So, apparently if I had bought my Viagra on Sunday, I would have gotten a 73% discount:




However, if I held out until Monday, I would get an 81% discount:




At this rate, if I hold out a couple more days I should be due about a 115% discount and actually be able to make money off the spammers and beat them at their own game!  :)

It looks like the folks who were spoofing government agencies and targeting C-level executives are at it again; this time spoofing the U.S. District Court. 

If you recall, starting around the end of May, 2007 we started to see a month and a half long wave of messages that were being targeted to C-level executives that carried a keylogger payload and used a lure of fake complaints against that executive's company in an attempt to get them to infect themselves.  This tactic was, unfortunately, very successful which is why it hung around for as long as it did.  These spoofs used an effective social engineering tactic that included both the name of the person receiving the scam as well as the name of their company.   This fooled many into believing that the message was indeed legitimate because it didn't carry the earmark of most of your scams that are generically blasted en masse. 

This new scam follows this same basic social engineering tactic except it takes it one step further in that it also includes the phone number of the company being targeted.  This is just another way that the scammers are attempting to establish legitimacy with their intended target since it doesn't look like your everyday, run of the mill type of spam.

By targeting C-level executives, the technique used in this type of attack is called "whaling."  It is called whaling because they are trying to get the largest fish that they can on the hook; people who are generally more affluent and stand more to lose, both personally and professionally.

Below is an example of one of these messages (Some personal information has been redacted):

AO 88(Rev.11/94) Subpoena in a Civil Case

________________________________

Issued by the

UNITED STATES DISTRICT COURT   

________________________________

Issued to:      XXXXXXXXXXXXXXXXXXX

COMPANY NAME HERE

COMPANY PHONE NUMBER HERE    

SUBPOENA IN A CIVIL CASE

Case number:    91-201-NKE

United States District Court    

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States 
District Court at the place, date, and time specifiied below.        

________________________________

Place:   United States Courthouse

880 Front Street

San Diego, California 92101     

Room:    Grand Jury Room

room 5217       

Date and Time:   May 7,2008

9:00 a.m. PST   

Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los 
Angeles, CA 90071       

________________________________

Please download the entire document on this matter(follow this link) and print it for your 
record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE>  
 

This subpoena shall remain in effect until you are granted leave to depart by the court or 
by an officer on behalf of the court. 
 

Any organisation not a party to this suit thas is subponaed for the taking of a deposition 
shall designate one or more offcers, directors, or managing agents, or other persons 
to testify on its behalf, and may set forth, for each person designated, the matters on 
wich the person will testify. Federal Rules of Civil Procedures,20(b)(6).
 

Failure to appear at the time and place indicated may result in a contempt of court 
citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct 
any questions to the person requesting you to appear: City Prosecutor. 

You'll notice a few spelling errors which is your typical dead giveaway that something isn't quite right here (of course, the US District Court trying to communicate with you via email, which it never does, should have been the first one).  They also went to the trouble of registering a new domain, cacd-uscourts.com. 

Here is where it gets funny:

-- cacd-uscourts.com is the domain used.  If this were really a government domain, would it have a .gov TLD?
-- This domain was registered two days ago to someone named Michael Rice who lives in the U.K.
-- Registration for the domain was done by a company named WEB4AFRICA

It's been a while since we have seen this type of scam outside of the IRS spoofs that we have been seeing in accordance with tax season so I am sure it will get its share of victims.  No solid information yet on whether these new phish are being sent to the same C-level execs who were targets of last year's scams.  More information to come as it becomes available.


**** UPDATE 1 (4/15/2008 12:00pm MDT): We are still seeing these emails hitting our system at a rate of about 30 per hour.  Obviously very low overall volume, but that speaks to the precision of the targeting being used.  The highest hour that we have seen so far today was the 10am hour where we saw 50, and we basically saw none between midnight and 7am.  It appears that the cacd-uscourts.com domain that was hosting the malware yesterday has had its registration suspended by WEB4AFRICA.  The web site is no longer accessible.

Never to rest on their laurels, the Storm Worm gang brings us yet another new twist in how they are trying to get you to infect your PC. 

This new Storm variant follows in the footsteps of the Google Spam with a purported video download that I blogged about on April 3rd except that Storm is trying to convince you that you want to view a new music video that has just been released.

Here is an example of one of the messages that came into our Threat Operations Center:

Eagles just made a new video. See it here before it releases. Cut and
paste the link in your browser to get the video:
hxxp://zbrkfdxd[deleted].blogspot.com

All of the examples that we have seen thus far have been random subdomains off of blogspot.com, a popular, free blog hosting site.  When the link in the email is clicked you are immediately redirected to hxxp://giftapplys.cn (registered on April 8th) which serves up the below page:



Both the fake video player and the "Download it" link point to the malware download.  Interestingly enough, the video player points to a file named StormCodec.exe and the Download It link points to a file named StormCodec8.exe.  These files have the same md5 checksum (2f16017932e729b8a9f1f5c07eec9b99), however so despite their different names, they are actually the same file.

We've only seen about 50,000 of these messages over the last 24 hours (I say "only" because many Storm Worm variants are in the millions within their first day) so this tactic isn't too popular at the moment, but is new and different from previous tactics so is definitely something to keep on the lookout for.

According to a blog entry posted recently by Websense, it looks like spammers have found a way to break the Hotmail email account signup CAPTCHA. 

Ever since the story broke in late February about Gmail's CAPTCHA technology being broken, we've been seeing large numbers of both spam and backscatter (at the rate of about 40-50% of all mail traffic) from Google's mail servers.  This has also caused some of Google's servers to trigger our automated blocks on an occasional basis.  It looks like other anti-spam vendors have followed suit in this approach as well.
  It looks like Hotmail will soon be in that same boat unless they can figure out a new system and get the spam accounts shut down.

Last week the FBI released its Internet Crime Report for 2007, and there are some interesting trends when comparing this report to the past couple of years. 

Total monetary loss as a result of internet crime continues to increase.  Between 2005 and 2007 total loss from cases of fraud went from just over $185M to over $239M.  That's an increase of 30% over two years! 

So, what constituted these losses? 
According to the report Financial Institutions Fraud has increased over 400% as a percentage of total complaints received) between 2005 and 2007 from 0.5% of complaints received to 2.7%.  Computer fraud also substantially increased as a percentage of overall complaints during that same time frame (1.4% to 5.3%).   Almost a  300% increase!

That's interesting in and of itself, but how does it translate to real dollars? 

As one might expect (lack of education on the threat, perhaps?), the types of fraud that generated the greatest amount of loss per complaint were actually some of the least prevalent types.  In 2005  and 2006, Nigerian Letter Fraud didn't even appear in the top 10 list of types of fraud, however it topped the list of loss per complaint at $5,000 and $5,100 respectively.  Compare that to 2007, where it cracked the list at number 10, but accounted for the third highest loss per complaint at $1,922.  Auction Fraud, which was the most common fraud complaint for all 3 years had consistently one of the lowest loss/complaint numbers ranging from $385 (2005) and $602 (2006).  Thanks to the increase of stock pump and dump scams investment fraud topped the 2007 list at $3,547 per complaint!  Interestingly though, despite the amount of attention and press that these scams have received over the past year and a half investment scams still didn't crack the top 10 complaint percentage list.

How people were contacted in order to be defrauded stayed pretty static between 2006 and 2007 with email leading the charge at just under 74% for both years.  Where the report shows movement, however is in the increase of the web and phone (vishing) being used as a more frequent vector of communication with victims.  In 2005, the internet and telephone accounted for 16.5% and 4.5% of communication vectors, respectively.  In 2006 and 2007 those numbers were in the low to mid 30s for the internet and around 18% for telephone.

So, if you're still with me these obviously are a lot of stats, but what does it all boil down to? 

What this outlines, among other things, is the constantly changing threat landscape and that the least seen threats are the most dangerous.  As such, it is important to not only educate yourself, but educate your organizations as to the types of threats that are out there.  Make sure they also know what is real and what is not.  There are so many virus hoaxes, some several years old, that still make the rounds on a regular basis that it is easy to see how people either get confused as to what is viable and what isn't, and why others think that internet threats are just the industry crying wolf in an attempt to get people to continue to buy product.  It is these types of threats that have also caused a serious drop in consumer confidence in some brands to the point where many users have developed an aversion technique to any email or correspondence from them because they have a hard time determining whether the message is a scam or not.  This loss of confidence has caused a serious problem for when these brands actually do send out legitimate mail because their response rates have suffered.

Is there an answer? 

Many solutions have been on the table for quite some time between email authentication technologies like SPF/Sender ID and DomainKeys Identified Mail (DKIM), botnet detection technologies, and brand protection companies who (among other services) monitor for look alike domains being registered that are intended to look like common brands to be used in phishing campaigns.  Unfortunately, at this point so much social damage has been done to these brands because they are so frequently targetted for phishing and other fraud campaigns that restoring consumer confidence is an extremely difficult mountain to climb.  I'm not saying that it can't be done, but I am saying that the cyber criminals act much quicker than some of these technologies can react and that doesn't appear to be changing anytime soon.

Yet another new twist in the never ending array of Google Spam that we have been seeing over the past 2 months.  The sample that just hit our spamtraps within the last hour has a bit of a new twist to it.

When I first opened this message I thought "Neat!  Google video spam!"  It wasn't until I looked at the source code of the message that I realized that this was just another link to malware redirecting through Google with a fake video as the lure.

Here is a screenshot of the spam:



Clicking any of the links downloads a file named  video_codec-v2.12.384.exe.

So far AV pickup is pretty spotty (stats courtesy of Virustotal):

Antivirus	Version	Last Update	Result
AhnLab-V3	-	-	-
AntiVir	-	-	TR/Dropper.Gen
Authentium	-	-	-
Avast	-	-	Win32:Agent-GPS
AVG	-	-	-
BitDefender	-	-	DeepScan:Generic.Malware.FBldld.D22058AD
CAT-QuickHeal	-	-	-
ClamAV	-	-	-
DrWeb	-	-	-
eSafe	-	-	suspicious Trojan/Worm
eTrust-Vet	-	-	-
Ewido	-	-	-
FileAdvisor	-	-	-
Fortinet	-	-	-
F-Prot	-	-	W32/Agent.Q.gen!Eldorado
F-Secure	-	-	Suspicious:W32/Malware!Gemini
Ikarus	-	-	Virus.Win32.Agent.GPS
Kaspersky	-	-	-
McAfee	-	-	Proxy-Agent.af.dr
Microsoft	-	-	Trojan:Win32/Danmec.gen!A
NOD32v2	-	-	a variant of Win32/Agent.NEQ
Norman	-	-	-
Panda	-	-	-
Prevx1	-	-	Heuristic: Suspicious File With Bad Child Associations
Rising	-	-	-
Sophos	-	-	Troj/Bdoor-AJR
Symantec	-	-	-
TheHacker	-	-	-
VBA32	-	-	suspected of Trojan-PSW.Pinch.12 (paranoid heuristics)
VirusBuster	-	-	-
Webwasher-Gateway	-	-	Trojan.Dropper.Gen