MX Logic » MX Logic IT Security Blog

27 August 2008

Hallmark E-Card Spam: It's Baaack!


There haven't been many dull moments in the Threat Operations Center over the past few weeks.  Between multiple CNN spam updates (which then morphed into MSNBC spam), the fake FedEx non-delivery notifications last week, Britney Spears tabloid spam, and increases of up to 30% in total spam volume, everyone has certainly been drinking from the fire hose.

We had a new guy named Tyler start recently as well who hasn't yet run for the hills screaming in the midst of all of the chaos.  Sounds like a keeper to me!

Beginning yesterday we started tracking the return of Hallmark E-Card spam.  If you recall, sending out fake e-cards that lead to malware sites was a popular tactic of the Storm Worm.  These new messages appear as if they are being distributed via the Srizbi botnet, but are largely the same as their Storm counterparts.

Below is a screen shot of a sample message that landed in one of our spamtraps:




As with most spammers nowadays, you can tell that they went to some great lengths to ensure that the email looks as legitimate as possible. 

In many previous e-card variants all of the links within the email would point directly to the malware hosting site.  This trend has recently been shifting, and this new Hallmark E-Card tactic improves upon that by pointing only the "here" link above to the malicious web site.  All of the other links, like Customer Service, Store Locator, etc., actually point to the same locations that the real hallmark.com site points to.  So, if a suspicious recipient of one of these messages clicks on any link in the email other than the malware download link, they may be tricked into believing the message is legitimate since it will direct them to the Hallmark site.  Seeing this, they may be more apt to click on the download link and become infected.

Emails associated with this new "e-card" appear to be from "E-Cards@Hallmark.com" and will have subject lines like "You've Recieved a Hallmark E-Card!".  The other telltale sign of these fakes can be found if you mouse over (but don't click!!) the "here" link: it points to an executable file like postcard.gif.exe as opposed to an actual web page.
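As an added example (not code from the original post, nor MX Logic's own filtering), here is a Python routine that applies the two checks described above to an e-card message: it collects every link in the HTML body, compares each link's host with the domain of the claimed sender address, and flags any link whose target is an executable, including double extensions like postcard.gif.exe. The sample message and the host example-ecard-host.invalid are constructed for the example; the only indicators taken from the post are the sender address and the double-extension file name.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake Hallmark e-card described above:
# only the "here" link leaves hallmark.com, and it points at a double-extension
# executable. The host example-ecard-host.invalid is a placeholder, not a real indicator.
SAMPLE_FROM = "E-Cards@Hallmark.com"
SAMPLE_HTML = """
<html><body>
<p>You have received a Hallmark E-Card. To view it, click
<a href="http://example-ecard-host.invalid/postcard.gif.exe">here</a>.</p>
<p><a href="http://www.hallmark.com/customer-service">Customer Service</a> |
<a href="http://www.hallmark.com/store-locator">Store Locator</a> |
<a href="http://www.hallmark.com/">Hallmark.com</a></p>
</body></html>
"""

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, sender_domain):
    """True if host is the sender's domain or a subdomain of it (case-insensitive).
    A relative or empty host never matches, so it is treated as off-domain."""
    host, sender_domain = host.lower(), sender_domain.lower()
    return host == sender_domain or host.endswith("." + sender_domain)


def looks_executable(path):
    """Flag executable extensions, including double extensions like postcard.gif.exe."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXT)


def triage_links(sender, html):
    """One finding per link; an empty reasons list means the link looked consistent."""
    sender_domain = sender.rsplit("@", 1)[-1]
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        u = urlparse(href)
        reasons = []
        if not same_org(u.hostname or "", sender_domain):
            reasons.append("host differs from claimed sender domain")
        if looks_executable(u.path):
            reasons.append("link target is an executable")
        findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


def suspicious_links(sender, html):
    return [f for f in triage_links(sender, html) if f["reasons"]]


if __name__ == "__main__":
    for f in triage_links(SAMPLE_FROM, SAMPLE_HTML):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} [{f['text']}] {f['href']} {'; '.join(f['reasons'])}")
```

Run stand-alone it prints one line per link: the three hallmark.com links come out clean and only the "here" link is flagged, which is exactly the mixed-link pattern that makes this variant convincing to a recipient who clicks around before clicking the download.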

Be on the lookout for these new fake Hallmark E-Cards, especially as we move closer to the Holiday Season (it's still a ways off, but I am sure some stores will have Christmas items on the shelves soon!) as these are likely to become a popular tactic again for Halloween, Thanksgiving, and Christmas.

Posted by smasiello at 4:10 PM | Link | 4 comments

Keylogger Infects Laptops Used on Space Station


According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station.  The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.

You are thinking "So what?  What risk does an online game keylogger pose to a laptop on the space station?  Why should I care?"

As you know, we like to think bigger picture here.

Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one-year-old virus.  I don't know about you, but that sends up lots of red flags to me!  This obviously begs the question of how long this keylogger has actually been resident on the laptop and whether there are other, yet undetected, rootkits and keyloggers on those machines.  Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to?  What information has been exposed to theft or compromise, either from the laptops or from other exposed machines on the NASA network?  What was done with these laptops once the virus was detected?  Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!) or were they completely taken out of commission so that they could be wiped to Department of Defense specifications and re-imaged before being redeployed?
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries.  Where else within the federal government does the potential for similar security breaches exist?   Are potential data leakages like this something that the Department of Homeland Security is focused on preventing?  If not, they should be!  Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!

Posted by smasiello at 2:22 PM | Link | 0 comments
22 August 2008

Fake FedEx Email Borne Malware Alert


Over the last 24 hours we have seen a large influx of a new email borne malware campaign alleging to be a notification of non-delivery from FedEx.  
The email alleges that you sent a package on July 25 but that, because the recipient's address was incorrect when it was shipped, it could not be delivered.  It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect the package at the FedEx office (no office address is given, which should be one clear indicator that something is fishy about the email).

Sample subject lines that we have seen in our Threat Operations Center include:

You Have A Package!!!
Tracking N <fake tracking number>

Volumes have been pretty high as we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email borne malware that we have seen over that same period.

It's times like this that we are reminded that although many of the large scale malware campaigns that we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.
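As an added example (not from the original post and not MX Logic's own scanner), here is a Python routine for triaging the kind of attachment described above: it opens a zip in memory and flags members by extension, by a document-looking double extension, and by their leading bytes, so an "invoice" that is really a Windows executable is caught even if its name were changed to something harmless. Encrypted members are reported as unscannable rather than passed. The sample archives and the member name FedEx_Invoice.pdf.exe are constructed for the example; the payload bytes are a fake MZ header, not malware.

```python
import io
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXT = {".pdf", ".doc", ".txt", ".rtf"}


def build_sample_attachment():
    """Constructed stand-in for the fake 'invoice' zip: a member named to look like a
    document but carrying a fake MZ/PE header. Not real malware, just the magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FedEx_Invoice.pdf.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
    return buf.getvalue()


def build_benign_attachment():
    """Constructed control: a zip holding a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", b"Thank you for shipping with us.\n")
    return buf.getvalue()


def inspect_zip_attachment(data, max_members=50):
    """Return one finding per member (up to max_members). An empty reasons list means
    nothing about that member looked wrong; a malformed archive yields a single finding."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "size": 0, "reasons": ["not a valid zip archive"]}]
    findings = []
    with zf:
        for info in zf.infolist()[:max_members]:
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXT:
                reasons.append("executable extension")
            # invoice.pdf.exe: the extension before the last one is a document type
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT:
                reasons.append("double extension masquerading as a document")
            if info.flag_bits & 0x1:
                # bit 0 of the general purpose flags marks an encrypted member
                reasons.append("encrypted member (contents cannot be scanned)")
            else:
                # check the content itself, not just the name
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        reasons.append("PE/MZ header regardless of extension")
            findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def is_suspicious(data):
    return any(f["reasons"] for f in inspect_zip_attachment(data))


if __name__ == "__main__":
    for label, blob in (("fake invoice", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        for f in inspect_zip_attachment(blob):
            print(f"{label:13} {f['name']} ({f['size']} bytes): "
                  f"{'; '.join(f['reasons']) or 'no findings'}")
```

The content check matters more than the name checks: renaming the member to invoice.pdf would clear both extension findings, but the MZ header still fires, and an encrypted archive (a tactic that reappears regularly precisely because scanners cannot look inside) is reported rather than silently passed.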

Posted by smasiello at 10:37 AM | Link | 2 comments

30% of Internet Users Admit to Buying from Spam


According to a small, recent study performed by Marshal, up to 30% of internet users admit to buying items like sexual enhancement pills, adult entertainment, software, luxury items, and clothing from spam that they have received.  These kinds of studies come up every few months or so and the percentages of email users who admit to buying from spam vary wildly (see this Techdirt article which briefly mentions a couple of them).  Many of these studies have small sample sizes and little information is given as to the other demographics of the participants in the survey (which I think would also be VERY interesting).  No matter whether you believe the real number is closer to 4% or 30%, the underlying moral of the story is that a significant number of people are purchasing products from spammers.  The answer to the spam-old question of "Who would actually get tricked into buying \/1agra?" is "A lot of people!"  Spammers wouldn't continue to spam if it wasn't a profitable venture.

The 30% figure seems a bit high to me in today's internet, especially with the prevalence of spam filters which keep almost all of the junk mail out of users' inboxes.  It does lend credence, though, to the theory that improved social engineering and targeting of spam emails has a significant effect on the ROI for the spammer.  Even though far less spam is arriving in the inbox, a significant percentage of people are still buying from it.

I like to play with numbers and derived what I think are a few interesting stats.

Let's do some math (everyone's favorite subject):

Number of spam messages per day on the internet: 150B (industry estimate)
Cost to send a spam message $0.000001 (estimate)
Amount in losses from phishing in 2008: $4B (estimated by Gartner)

So, if you assume 150B spam messages per day at $0.000001 per spam message.  That works out to spam costing spammers approximately $150,000 per day to send. 
If you divide the $4B in losses from phishing ALONE by 365 (the number of days in a year) you get almost $11M per day in losses!  This doesn't even include profits from the things that we mentioned at the start of this post such as porn and enhancement pills, or even stolen credit cards and compromised bank and brokerage accounts.  Cha-Ching!

To be fair, this isn't an apples to apples comparison because we are considering the cost to send ALL spam every day compared with the losses incurred just from phishing, but even just to compare these numbers is staggering!  Just using the $11M and $150,000 numbers spammers make over 73x what they spend, just in phishing returns. 

How many businesses do you know that would like a return of over 7,000% per day?  Raise your hand if yours would :)

So, as we've said before: Spam is easy.  Spam works.  Spam makes huge profits for the criminals behind it all.  The numbers are hard to deny.  Look for more spam headed toward the inbox, mobile device, or blog nearest you!
Posted by smasiello at 8:47 AM | Link | 1 comment
18 August 2008

Stop the Cyber-Warfare/Terrorism FUD


Every few months another story comes out that talks about the vulnerability of the United States to a cyber-terrorism/warfare/attack.  Today, CNN.com posted another one of these stories.

The fact of the matter is that cyber-warfare is occurring every day.  Every day the network infrastructures of internet service providers, organizations, and every connected network node in the United States and around the world are under siege from network attacks.  Could they all be the type of attack that could bring down a network and cause hundreds, thousands, or millions of dollars in lost productivity?  To some degree, yes.  Botnets hold enormous distributed computing power that, when fully harnessed, is capable of launching distributed denial of service attacks that could overwhelm any network and bring it to its knees.  Infrastructures everywhere are overbuilt in part to manage growth, but in larger part to attempt to protect server farms from becoming overloaded and unresponsive in the event of an attack.

Spam (the most popular use for botnets) costs in the United States alone are estimated to be in the $200B (with a B) realm for 2008.  That's just email!  That doesn't take into account the number of web sites that are now hosting malware (both sites set up for the sole purpose of hosting malware and, increasingly, compromised legitimate web sites) with keylogger payloads, which leads to problems like identity theft and corporate espionage that only add to that $200B figure.

The cyber war is being fought every day with attacks originating from all over the globe aimed at equally dispersed targets.  Although it is true that many of the networks and service providers in the United States can better handle an attack than some in the former Soviet republic of Georgia, bandwidth is still finite and if a botnet launches an attack against you that is larger than your pipes and servers can handle, you have problems and that isn't just a United States issue.

Posted by smasiello at 2:36 PM | Link | 0 comments
13 August 2008

Here We Go Again: CNN Spam is now MSNBC Spam


Typically when a new, effective, high volume spam or worm tactic is released into the wild (Paris Hilton Videos, Free World Cup Tickets, Fake News Headlines, etc.) the copycats are waiting in the wings, ready to latch onto whatever that tactic is in the hope that they might see some success from it as well.  This time, however, it appears that the people responsible for the CNN Spam outbreak last week (original post here and update here) are now responsible for a new outbreak today alleging to be MSNBC news updates.

Similar to the CNN outbreak from last week these new MSNBC messages are identifiable by a very distinct subject line.  All of the messages that we have seen thus far appear to be from "MSNBC Breaking News" and have a subject line that starts with "msnbc.com - BREAKING NEWS:" followed by some fake news headline. 

Here are some examples of what we have seen in our Threat Operations Center thus far (and as usual, some that are just bizarre):

msnbc.com - BREAKING NEWS: Americans love law suits for breakfast

msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport

msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus

msnbc.com - BREAKING NEWS: I will be suing you

msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death

msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak


Once opened, the email itself looks like this:

Find out more at http://breakingnews.msnbc.com
=======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.

To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/25384336, select unsubscribe, enter the
email address receiving this message, and click the Go button.

Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/)

If a user is tricked into clicking on the breakingnews.msnbc.com link (which doesn't really go to an MSNBC page, but you probably already guessed that), they are presented with a page that looks like this:




This is the same tactic that we saw with the CNN fake news updates from last week as well as with the Porntube malware tactic that we saw back in June (original post here).  At this point, you are caught in an endless loop where you either need to kill your browser session or click the OK button, but doing that infects you with the malware.

So far we have seen two variants of these emails.  The first links to a file named up.html at the end of the "breakingnews.msnbc.com" URL which linked to a page that is branded CNN, not MSNBC.  This should be an immediate red flag to any user that something is not right.  The newer variant that we just recently started seeing within the past hour links to msn.html.  This page uses the same logo that is on top of the real msnbc.com site and will likely look more legitimate to users.

So far volumes have been ranging in the 1.5 to 2 million messages per hour range.  Although nowhere near the peaks that we saw with the CNN outbreak from last week, it also took 3 days for the CNN spam to reach those volumes.  So, since we have only been tracking this new variant for about 12 hours, the lower volumes are no indication of what is to come, but just like in movies, the sequel usually isn't as good as the original...



Posted by smasiello at 1:01 PM | Link | 6 comments
08 August 2008

CNN Fake News Update Spam: Morphs and Massiveness

Volumes still very high...dropping s-l-o-w-l-y

The MX Logic Threat Operations Center has been a hoppin' place since the CNN Fake News updates that we originally reported the other day started coming in. 

Volumes peaked at over 10M messages per hour (stopping just short of 11M) on the morning of the 7th and have been on a very slow but steady decline since then.  That isn't to say that the threat has gone away, however: since midnight we are still seeing an average of 8M per hour hitting our systems.

Below is a graph showing per hour volumes of the fake CNN news updates starting from 8/4 at 5pm MDT:



We've also seen several morphs of this spam over the past couple of days.  Initial variants used the same subject line of "CNN.com Daily Top 10", linking to malware-infected sites using the filename index2.html (e.g. http://infectedsite.com/index2.html).  Up until this morning we had seen several different filenames at the end of the URL (e.g. cnnlive.html, cnnnews.html, cnnonline.html, cnnplus.html, cnntop.html, and cnnvideo.html), but no movement in the subject line.  As of this morning we are seeing a new morph using the subject line "CNN Alerts: My Custom Alert."  This is likely in response to all of the media attention and awareness that has been raised over the past couple of days with respect to the original fake news update spam.

We've also noticed that in some cases the pages being linked to in these spam messages are being hosted on legitimate web sites.  One of the recent variants that we have seen linked to hxxp://scsroofing.com/cnntop.html.  Scsroofing.com is (according to the site) "UK based company offering specialist independent advise on all aspects of industrial and commercial roofing" 
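As an added example (not from the original posts and not MX Logic's own rule set), here is a Python sketch of how the morphs in this post and in the MSNBC post above can be tracked: an exact-subject rule written against the first CNN wave misses the "CNN Alerts: My Custom Alert" morph and the MSNBC messages, while a rule on the URL path alone (index2.html, cnn*.html, up.html, msn.html) catches every variant regardless of which host carries it, including a compromised legitimate site like the roofing company mentioned above. The records, timestamps and .invalid hosts are constructed for the example; only the subjects and filenames come from the posts.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed (timestamp, subject, link) records modelled on the variants described in
# this post and the MSNBC post. Hosts are placeholders, not real indicators.
SAMPLE_RECORDS = [
    ("2008-08-07T09:00", "CNN.com Daily Top 10", "http://host-a.invalid/index2.html"),
    ("2008-08-07T09:10", "CNN.com Daily Top 10", "http://host-b.invalid/cnnvideo.html"),
    ("2008-08-08T08:05", "CNN Alerts: My Custom Alert", "http://host-c.invalid/cnntop.html"),
    ("2008-08-08T08:20", "CNN Alerts: My Custom Alert", "http://compromised-roofer.invalid/cnntop.html"),
    ("2008-08-13T12:00", "msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak",
     "http://host-d.invalid/up.html"),
    ("2008-08-13T13:00", "msnbc.com - BREAKING NEWS: I will be suing you",
     "http://host-e.invalid/msn.html"),
    ("2008-08-13T13:30", "Your weekly newsletter", "http://www.example.org/index.html"),
]

# The rule the first CNN alert would have been written against: exact subject only.
ORIGINAL_SUBJECT_RULES = [re.compile(r"^CNN\.com Daily Top 10$")]

# Subject rules widened after the morphs appeared.
SUBJECT_RULES = ORIGINAL_SUBJECT_RULES + [
    re.compile(r"^CNN Alerts: My Custom Alert$"),
    re.compile(r"^msnbc\.com - BREAKING NEWS:"),
]

# Path-only rules: the campaign recycled a small set of filenames across many hosts,
# so matching the path catches new hosts (including compromised legitimate sites)
# and survives subject-line changes.
PATH_RULES = [
    re.compile(r"^/(index2|cnn(live|news|online|plus|top|video))\.html?$", re.I),
    re.compile(r"^/(up|msn)\.html?$", re.I),
]


def match_records(records, subject_rules=(), path_rules=()):
    """Indices of records hitting any rule. Path rules see only the URL path, so the
    reputation of the hosting domain plays no part in the decision."""
    hits = []
    for i, (_ts, subject, url) in enumerate(records):
        path = urlparse(url).path
        if any(rx.search(subject) for rx in subject_rules) or \
           any(rx.search(path) for rx in path_rules):
            hits.append(i)
    return hits


def hourly_volume(records, indices):
    """Per-hour counts of matched records, the same shape as the volume graph above."""
    return Counter(records[i][0][:13] for i in indices)


if __name__ == "__main__":
    subj_only = match_records(SAMPLE_RECORDS, subject_rules=ORIGINAL_SUBJECT_RULES)
    path_only = match_records(SAMPLE_RECORDS, path_rules=PATH_RULES)
    combined = match_records(SAMPLE_RECORDS, SUBJECT_RULES, PATH_RULES)
    print("original subject rule caught:", len(subj_only), "of", len(SAMPLE_RECORDS))
    print("path rule alone caught:      ", len(path_only), "of", len(SAMPLE_RECORDS))
    print("subject + path rules caught: ", len(combined), "of", len(SAMPLE_RECORDS))
    for hour, n in sorted(hourly_volume(SAMPLE_RECORDS, combined).items()):
        print(hour, n)
```

The path rule is the more durable of the two only as long as the spammers keep reusing filenames; once they randomize those as well, the remaining stable feature is the codec-download page itself, which is where content inspection of the landing page has to take over.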

According to Websense, they are also seeing this campaign being distributed via blog spam, which could account for some of the drops in volume that we have been seeing over the past 24 hours.


Continue to be on the lookout for these new variants as well as others that may crop up.  Also be aware that with the Olympics now underway in Beijing that we may see similar types of messages relating to news and video updates related to the Games.

We will continue to post updates as they come in.

Posted by smasiello at 9:31 AM | Link | 4 comments
06 August 2008

The August 2008 MX Logic Threat Forecast and Report Has Been Posted


A day late, but never a dollar short, the August edition of the MX Logic Threat Forecast and Report has been posted.

This month we look ahead to the Olympics, the upcoming NFL season (who else is as happy as I am that football season is back?  Go Broncos!), and the upcoming presidential election as well as look back to the prevalent email scams and statistics from the previous month. 

Download the latest edition of the report here.
Posted by smasiello at 4:00 PM | Link | 0 comments
05 August 2008

Perspective is Good. Being Proactive is Better


According to this story, a laptop containing approximately 33,000 records of customers of the Clear system (Clear is a for-pay system that allows customers to go through a separate security line at some airports using a smartcard) went missing.

Apparently the laptop has been found....in the same room that it was allegedly lost in.  The title of the article linked to above is "Laptop Discovery May End SFO Security Scare"....I couldn't disagree more.

If someone unauthorized had access to the room that the laptop was in when it disappeared, that same person had access to put the computer back after they were done with it (stealing data, installing a trojan to steal more data...the list goes on).  According to the story customer data on this laptop was NOT encrypted which means anyone who had access to the computer had unfettered access to all of the customer information stored on it which included names, addresses, birth dates, driver license numbers, and passport numbers.  Of course, now the TSA is saying that the computers must use encryption, but that is like buying flood insurance while your basement is under 8 feet of water.  Too little, too late.

This is a huge black eye for Verified Identity Pass, the company that operates the Clear program.  My favorite line in the article is where their CEO Steven Brill states "We don't believe the security or privacy of these would-be members will be compromised in any way."  The fact that their CEO would make a statement like that just underscores what little he and his company understand about security and the protection of customer information. 
Hopefully this will prompt the TSA into doing a more security-oriented deep dive on all of their vendors.  It is important for them to know just how many other basements are either already under 8 feet of water or headed there.  As part of DHS, the TSA already doesn't have a very good record as it relates to security.  Any proactive measures that they can take to ensure the security posture of their organization and of the vendors they do business with will help mitigate future high-profile breaches.

Posted by smasiello at 1:29 PM | Link | 0 comments

Spam Alert: Huge Volumes of Fake CNN News Updates


Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds.  The subject of the email is "CNN.com Daily Top 10."  Our Threat Operations Center has seen over 5 million of these just in the last hour alone and over 80 million in the last 24 hours. 

Below is a screen shot of the message. 




Over the last few weeks we have been seeing large spam runs of what we are calling single-line spam, where an email contains a brief lure based on a fake news headline such as "US track team disqualified from Olympics" or "Beijing Olympics postponed indefinitely" followed by a link.  The web site linked to in the message prompts the user to download a "video codec" (er, malware) in order to view the online video.

The tactic being used here is similar to what we saw with the Porntube malware that we saw back in June (click here for original Porntube blog post) where the user is prompted to download the video codec when the page initially loads.  If the user clicks "Cancel" to not download the codec, another popup is presented where the user is told that they have to download the codec to view the video.  This endless loop continues until the user kills their browser session at the operating system level or installs the "codec." 

This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks, as this message looks like it could be a news update email sent by CNN.  This new message also attempts to trick the user into believing that they signed up to receive it through their email preference settings at the CNN web site.  If you see this message come into your inbox, delete it immediately.

Posted by smasiello at 10:09 AM | Link | 13 comments
© MX Logic, Inc.
All Rights Reserved.