There haven't been many dull moments in the Threat Operations Center over the past few weeks. Between multiple CNN spam updates which then morphed into MSNBC spam followed by fake FedEx non-delivery notifications last week, Britney Spears tabloid spam, and up to 30% increases in total spam volume, everyone has certainly been drinking from the fire hose.
We had a new guy named Tyler start recently as well who hasn't yet run for the hills screaming in the midst of all of the chaos. Sounds like a keeper to me!
Beginning yesterday we started tracking the return of Hallmark E-Card spam. If you recall, sending out fake e-cards that lead to malware sites was a popular tactic of the Storm Worm. These new messages appear as if they are being distributed via the Srizbi botnet, but are largely the same as their Storm counterparts.
Below is a screen shot of a sample message that landed in one of our spamtraps:
As with most spammers nowadays, you can tell that they went to some great lengths to ensure that the email looks as legitimate as possible.
In many previous e-card variants all of the links within the email would point directly to the malware hosting site. This trend has recently been shifting, and this new Hallmark E-Card tactic improves upon that by only pointing the "here" link above to the malicious web site. All of the other links like Customer Service, Store Locator, etc. actually point to the same locations that the real hallmark.com site points to. So, if a suspicious recipient of one of these messages clicks on any link in the email other than the malware download link, they may be tricked into believing the message is legitimate since it will direct them to the Hallmark site. Seeing this, they may be more apt to click on the download link and become infected.
Emails associated with this new "e-card" appear to be from "E-Cards@Hallmark.com" and will have subject lines like "You've Recieved a Hallmark E-Card!". The other telltale sign of these fakes can be found if you mouse over (but don't click!!) the "here" link, as it links to an executable file like postcard.gif.exe as opposed to an actual web page.
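The mixed-link pattern described above (brand links genuine, the "here" link an executable) can be checked mechanically at the mail gateway. The following is an added example, not MX Logic's code; the HTML message body, the IP address and the hallmark.com paths in it are constructed for illustration.

```python
"""Flag e-card lures where most links point at the real brand site but one
link points at an executable.  Added example; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that should never be the target of an "open your card" link.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_executable_link(href):
    """True when the URL path ends in an executable extension (postcard.gif.exe
    ends in .exe, so the double extension does not hide it)."""
    path = urlparse(href).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTS)


def registered_domain(host):
    """Crude registered-domain extraction (last two labels); enough for
    hallmark.com-style hosts, not for ccTLDs like .co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(html, claimed_sender):
    """Classify every link as on-brand (same registered domain as the claimed
    sender) or suspicious, and say why it is suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    sender_domain = registered_domain(claimed_sender.split("@")[-1])
    on_brand = 0
    suspicious = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_executable_link(href):
            suspicious.append((text, href, "link target is an executable"))
        elif registered_domain(host) == sender_domain:
            on_brand += 1
        else:
            suspicious.append((text, href, "off-brand host"))
    return {"total": len(parser.links), "on_brand": on_brand, "suspicious": suspicious}


def is_ecard_lure(result):
    """The pattern from the post: genuine brand links plus one executable link."""
    has_exe = any(reason == "link target is an executable" for _, _, reason in result["suspicious"])
    return result["on_brand"] > 0 and has_exe


# Constructed sample body modelled on the described message (not a real capture).
SAMPLE = """
<p>You've received a Hallmark E-Card! To see it, click
<a href="http://198.51.100.23/postcard.gif.exe">here</a>.</p>
<a href="http://www.hallmark.com/customer-service">Customer Service</a>
<a href="http://www.hallmark.com/store-locator">Store Locator</a>
<a href="http://www.hallmark.com/privacy">Privacy Policy</a>
"""

if __name__ == "__main__":
    report = analyze(SAMPLE, "E-Cards@Hallmark.com")
    print(report)
    print("e-card lure:", is_ecard_lure(report))
```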
Be on the lookout for these new fake Hallmark E-Cards, especially as we move closer to the Holiday Season (it's still a ways off, but I am sure some stores will have Christmas items on the shelves soon!) as these are likely to become a popular tactic again for Halloween, Thanksgiving, and Christmas.
According to this story posted on Wired yesterday, a keylogger has been found on laptops being used in the space station. The reported malware, W32.Gammima.AG (see here for description on Symantec's web site), has been around since August 2007 and steals passwords from a few (rather obscure here in the United States) online games.
You are thinking "So what? What risk does an online game keylogger pose to a laptop on the space station? Why should I care?"
As you know, we like to think bigger picture here.
Let's start with the obvious question of why the anti-virus software running on the laptop didn't immediately identify and stop a one year old virus. I don't know about you, but that sends up lots of red flags to me! This obviously begs the question of how long this keylogger has actually been resident on the laptop and whether there are other, yet undetected, rootkits and keyloggers on those machines. Also, what other computers were potentially exposed to these infected machines that this virus could have propagated to? What information has been exposed to theft or compromise either from the laptops or from other exposed machines on the NASA network? What was done with these laptops once the virus was detected? Were they merely cleaned to the virus scanner's standards (which clearly aren't that high!) or was the computer completely taken out of commission so that it could be wiped to Department of Defense specifications and re-imaged before it was redeployed?
Obviously there are a lot of unanswered questions in relation to this story, and of course NASA will never make the answers to those questions public, but this certainly calls into question the validity of the security measures employed by one of the most important programs of the 20th and 21st centuries. Where else within the federal government does the potential for similar security breaches exist? Are potential data leakages like this something that the Department of Homeland Security is focused on preventing? If not, they should be! Let's be sure we aren't aiding and abetting the bad guys by giving them the exact information we are looking to protect!
Over the last 24 hours we have seen a large influx of a new email borne malware campaign alleging to be a notification of non-delivery from FedEx.
The email alleges that you sent a package on July 25, but because the recipient's address was not correct when it was shipped it had not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect a copy of the package at the FedEx Office (address of office not given, which should be one clear indicator that something is fishy about the email).
Sample subject lines that we have seen in our Threat Operations Center include:
You Have A Package!!!
Tracking N <fake tracking number>
Volumes have been pretty high as we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email borne malware that we have seen over that same period.
It's times like this that we are reminded that although many of the large scale malware campaigns that we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic being employed by cyber criminals.
According to a small, recent study performed by Marshal, up to 30% of internet users admit to buying items like sexual enhancement pills, adult entertainment, software, luxury items, and clothing from spam that they have received. These kinds of studies come up every few months or so and the percentages of email users who admit to buying from spam vary wildly (see this Techdirt article which briefly mentions a couple of them). Many of these studies have small sample sizes and little information is given as to some of the other demographics of the participants in the survey (which I think would also be VERY interesting). No matter whether you believe the real number is closer to 4% or 30%, the underlying moral of the story is that a significant number of people are purchasing products from spammers. The answer to the spam-old question of "Who would actually get tricked into buying \/1agra?" is "A lot of people!" Spammers wouldn't continue to spam if it wasn't a profitable venture.
The 30% figure seems a bit high to me in today's internet, especially with the prevalence of spam filters which keep almost all of the junk mail out of users' inboxes. This does lend credence to the theory, though, that improved social engineering and targeting of spam emails has a significant effect on the ROI for the spammer. Even though far less spam is arriving in the inbox, a significant percentage of people are still buying it.
I like to play with numbers and derived (what I think are) a few interesting stats.
Let's do some math (everyone's favorite subject):
Number of spam messages per day on the internet: 150B (industry estimate)
Cost to send a spam message $0.000001 (estimate)
Amount in losses from phishing in 2008: $4B (estimated by Gartner)
So, if you assume 150B spam messages per day at $0.000001 per spam message, that works out to spam costing spammers approximately $150,000 per day to send.
If you divide the $4B in losses from phishing ALONE by 365 (the number of days in a year) you get almost $11M per day in losses! This doesn't even include profits from the things that we mentioned at the start of this post such as porn and enhancement pills, or even stolen credit cards and compromised bank and brokerage accounts. Cha-Ching!
To be fair, this isn't an apples to apples comparison because we are considering the cost to send ALL spam every day compared with the losses incurred just from phishing, but even just to compare these numbers is staggering! Just using the $11M and $150,000 numbers spammers make over 73x what they spend, just in phishing returns.
How many businesses do you know that would like a 730% daily profit margin? Raise your hand if yours would :)
So, as we've said before: Spam is easy. Spam works. Spam makes huge profits for the criminals behind it all. The numbers are hard to deny. Look for more spam headed toward the inbox, mobile device, or blog nearest you!
Every few months another story comes out that talks about the vulnerability of the United States to a cyber-terrorism/warfare/attack. Today, CNN.com posted another one of these stories.
The fact of the matter is that cyber-warfare is occurring every day. Every day the network infrastructures of internet service providers, organizations, and every connected network node in the United States and around the world are under siege from network attacks. Could they all be the type of attack that could bring down a network and cause hundreds, thousands, or millions of dollars in lost productivity? To some degree, yes. Botnets hold enormous distributed computing power that, when fully harnessed, are capable of launching distributed denial of service attacks that could overwhelm any network and bring it to its knees. Everywhere infrastructures are overbuilt in part to manage growth, but in larger part to attempt to protect server farms from becoming overloaded and unresponsive in the event of an attack.
Spam (the most popular use for botnets) costs in the United States alone are estimated to be in the $200B (with a B) realm for 2008. That's just email! That doesn't take into account the number of web sites that are now hosting malware (both sites that were set up for the sole purpose of malware hosting and, now, legitimate web sites also) with keylogger payloads, which leads to problems like identity theft and corporate espionage that only add to that $200B figure.
The cyber war is being fought every day with attacks originating from all over the globe aimed at equally dispersed targets. Although it is true that many of the networks and service providers in the United States can better handle an attack than some in the former Soviet republic of Georgia, bandwidth is still finite and if a botnet launches an attack against you that is larger than your pipes and servers can handle, you have problems and that isn't just a United States issue.
Typically when a new, effective, high volume spam or worm tactic is released into the wild (Paris Hilton Videos, Free World Cup Tickets, Fake News Headlines, etc.) the copycats are waiting in the wings and ready to latch onto whatever that tactic is, hoping that they might see some success from it as well. This time, however, it appears that the people responsible for the CNN Spam outbreak last week (original post here and update here) are now responsible for a new outbreak today alleging to be MSNBC news updates.
Similar to the CNN outbreak from last week these new MSNBC messages are identifiable by a very distinct subject line. All of the messages that we have seen thus far appear to be from "MSNBC Breaking News" and have a subject line that starts with "msnbc.com - BREAKING NEWS:" followed by some fake news headline.
Here are some examples of what we have seen in our Threat Operations Center thus far (and as usual, some that are just bizarre):
msnbc.com - BREAKING NEWS: Americans love law suits for breakfast
msnbc.com - BREAKING NEWS: Bomb scare grounds thousands of flights at UK Heathrow airport
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: I will be suing you
msnbc.com - BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger's death
msnbc.com - BREAKING NEWS: Sandwich recall amid Salmonella outbreak
Once opened, the email itself looks like this:
Find out more at http://breakingnews.msnbc.com
=======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/25384336, select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation - One Microsoft Way - Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/)
If a user is tricked into clicking on the breakingnews.msnbc.com link (which doesn't really go to an MSNBC page, but you probably already guessed that), they are presented with a page that looks like this:
This is the same tactic that we saw with the CNN fake news updates from last week as well as with the Porntube malware tactic that we saw back in June (original post here). At this point, you are caught in an endless loop where you either need to kill your browser session or click the OK button, but doing that infects you with the malware.
So far we have seen two variants of these emails. The first links to a file named up.html at the end of the "breakingnews.msnbc.com" URL which linked to a page that is branded CNN, not MSNBC. This should be an immediate red flag to any user that something is not right. The newer variant that we just recently started seeing within the past hour links to msn.html. This page uses the same logo that is on top of the real msnbc.com site and will likely look more legitimate to users.
So far volumes have been ranging in the 1.5 to 2 million messages per hour range. Although nowhere near the peaks that we saw with the CNN outbreak from last week, it also took 3 days for the CNN spam to reach those volumes. So, I would say that at this point, since we have only been tracking this new variant for about 12 hours, the lower volumes are no indication of what is to come, but just like in movies, the sequel usually isn't as good as the original...
Volumes still very high...dropping s-l-o-w-l-y
The MX Logic Threat Operations Center has been a hoppin' place since the CNN Fake News updates that we originally reported the other day started coming in.
Volumes peaked at over 10M messages per hour (stopping just short of 11M) on the morning of the 7th and have been on a very slow, but steady decline since then. That isn't to say that the threat has gone away, however, as since midnight we are still seeing an average of 8M per hour hitting our systems.
Below is a graph showing per hour volumes of the fake CNN news updates starting from 8/4 at 5pm MDT:
We've also seen several morphs of this spam over the past couple of days. Initial variants used the same subject line of "CNN.com Daily Top 10" linking to malware infected sites using the filename index2.htm (e.g. http://infectedsite.com/index2.html). Up until this morning we have seen several different filenames at the end of the URL (e.g. cnnlive.html, cnnnews.html, cnnonline.html, cnnplus.html, cnntop.html, and cnnvideo.html), but no movement in the subject line. As of this morning we are seeing a new morph using the subject line of "CNN Alerts: My Custom Alert." This is likely in response to all of the media attention and awareness that has been brought up over the past couple of days with respect to the original fake news update spam.
We've also noticed that in some cases the pages being linked to in these spam messages are being hosted on legitimate web sites. One of the recent variants that we have seen linked to hxxp://scsroofing.com/cnntop.html. Scsroofing.com is (according to the site) a "UK based company offering specialist independent advise on all aspects of industrial and commercial roofing".
According to Websense, they are also seeing this campaign being distributed via blog spam, which could account for some of the drops in volume that we have been seeing over the past 24 hours.
Continue to be on the lookout for these new variants as well as others that may crop up. Also be aware that with the Olympics now underway in Beijing that we may see similar types of messages relating to news and video updates related to the Games.
We will continue to post updates as they come in.
A day late, but never a dollar short, the August edition of the MX Logic Threat Forecast and Report has been posted.
This month we look ahead to the Olympics, the upcoming NFL season (who else is as happy as I am that football season is back? Go Broncos!), and the upcoming presidential election as well as look back to the prevalent email scams and statistics from the previous month.
Download the latest edition of the report here.
According to this story, a laptop that contained approximately 33,000 records of customers of the Clear system was reported lost (Clear is a for-pay system that allows customers to go through a separate security line at some airports using a smartcard).
Apparently the laptop has been found... in the same room that it was allegedly lost in. The title of the article linked to above is "Laptop Discovery May End SFO Security Scare"... I couldn't disagree more.
If someone unauthorized had access to the room that the laptop was in when it disappeared, that same person had access to put the computer back after they were done with it (stealing data, installing a trojan to steal more data...the list goes on). According to the story customer data on this laptop was NOT encrypted which means anyone who had access to the computer had unfettered access to all of the customer information stored on it which included names, addresses, birth dates, driver license numbers, and passport numbers. Of course, now the TSA is saying that the computers must use encryption, but that is like buying flood insurance while your basement is under 8 feet of water. Too little, too late.
This is a huge black eye for Verified Identity Pass, the company that operates the Clear program. My favorite line in the article is where their CEO Steven Brill states "We don't believe the security or privacy of these would-be members will be compromised in any way." The fact that their CEO would make a statement like that just underscores what little he and his company understand about security and the protection of customer information.
Hopefully this will prompt the TSA into doing a more security oriented deep dive on all of their vendors. It is important for them to know just how many other vendors either currently have, or are headed for, 8 feet of water in their respective basements. As a member of the DHS, the TSA already doesn't have a very good record as it relates to security. Any proactive measures that they can take to ensure the security posture of their organization and the vendors they do business with will help mitigate future high-profile breaches.
Heads up on a new, very high volume Fake CNN News Update spam run that is making the rounds. The subject of the email is "CNN.com Daily Top 10." Our Threat Operations Center has seen over 5 million of these just in the last hour alone and over 80 million in the last 24 hours.
Below is a screen shot of the message.
Over the last few weeks we have been seeing large spam runs of what we are calling single-line spam where an email contains a brief lure based on fake news headlines such as "US track team disqualified from Olympics" or "Beijing Olympics postponed indefinitely" followed by a link. The web site linked to in the message is a link to a "video codec" (er, malware) that the user is prompted to download in order to view the online video.
The tactic being used here is similar to what we saw with the Porntube malware that we saw back in June (click here for original Porntube blog post) where the user is prompted to download the video codec when the page initially loads. If the user clicks "Cancel" to not download the codec, another popup is presented where the user is told that they have to download the codec to view the video. This endless loop continues until the user kills their browser session at the operating system level or installs the "codec."
This new CNN tactic is likely to be more successful than the single-line spam tactic that we had been seeing over the past several weeks, as this message looks like it could be a news update email sent by CNN. This new message also attempts to trick the user into believing that they signed up to receive it because of their email preference settings at the CNN web site. If you see this message come into your inbox, delete it immediately.
According to a recent study done on email addiction, Denver is the ninth most email addicted city in the United States (click here for more info and for the other cities in the top 10. BTW, I LOVE the picture on the top of that linked page. Even if you don't care about the list, go for the picture. It's worth it!).
This is not surprising considering the technical culture that exists in and around Denver and I would say its ranking is about right in comparison with the other cities. My biggest surprise was Detroit. I have never been to Detroit, but it has never struck me as a tech-centric city so I am surprised that one is on the list. You could easily win an argument with me on that point though since I really have no personal experience of the city to speak of.
As I sit here in the San Jose airport, I see a number of people checking email on their laptops and on Blackberries (this is San Jose! Where are the iPhones?!). People who are addicted to email need effective email filtering to keep all of the junk off of their mobile devices and out of their inboxes. As more and more malware is developed for mobile devices and as more and more personal information is being stored on those devices, that need will only continue to increase.
This list will definitely be making it over to our sales folks :)
Happy emailing!
According to information being posted by many news outlets about the DNS cache poisoning vulnerability that we commented on back on July 9th, the window that researchers and network operators had hoped would stay open for patching DNS servers until the Blackhat conference has closed. Several examples of exploit code have been released out into the wild which show how to take advantage of this vulnerability, and attacks have also been spotted in the wild (thanks to Websense for providing some of the links).
The folks working on the Metasploit Project were one of the first to jump on the bandwagon by making the exploit available via their freely available Metasploit application.
So, if you have not yet updated your DNS servers, the time is now to test the patch and update your production servers. Patches are available from all of the major vendors. It was widely expected that once the details of the vulnerability were released, exploits would follow very quickly afterward.
Many have bemoaned the fact that the details of this vulnerability were kept under wraps for so long while others viewed it as a commercial ploy for the Blackhat conference. My personal opinion is that in the name of responsible disclosure this situation was handled with 100% professionalism and sensitivity as to the nature and severity of the problem. Based on the amount of coordination that was required to get all of the vendors together, discuss the problem, and patch their applications, there was no way that this could have been done such that it would please everyone involved. The overly vocal minority is trying to put a black eye on a process that worked as well as it possibly could given the number of stakeholders involved. It is truly impressive to me that the details were not disclosed sooner.
It cannot be said strongly enough. Protect your users and your network. This is not a problem you can ignore.
I've officially had enough of the moniker "Spam King." In an attempt to continually overplay the significance of every American spammer arrest, the media insists on calling every arrested, indicted, and convicted spammer a "Spam King."
The latest example is Eddie Davidson who recently walked away from a minimum security lockup in Florence, CO (By the way, how is Colorado getting so popular for spammers lately?) while serving his 21 month sentence for mass mailing stock pump and dump spam on behalf of nearly 20 companies. According to this article, he is yet another to earn the spam monarch title.
If the numbers reported in the article posted by thedenverchannel.com are true, hundreds of thousands of stock pump and dump spam (over what time frame these messages were sent was not given) hardly puts Mr. Davidson in the realm of a king in the spammer community. Compare that to the hundreds of millions of messages that MX Logic processes alone on a daily basis and I would put him more into the realm of a child learning to walk. If you want your true Spam Kings, check out the Top 10 Worst ROKSO Spammers according to Spamhaus here.
As I've stated previously, I am certainly not bemoaning the fact that governments around the world are stepping up their efforts in order to get as many spammers off the streets as they possibly can, but can we please not sensationalize them by calling them Spam Kings?
CAPTCHAs - Completely Automated Public Turing test to tell Computers and Humans Apart.
In other words, an attempt at verification that a human is filling out a web form as opposed to an automated agent/bot.
Or, in other other words, a test that has become almost impossible for humans to even pass due to the increased levels of obfuscation being put into the tests themselves.
Usually CAPTCHAs are done via some kind of image where the user types in the contents of said image into a text box at the end of a web form. If the user's guess is correct, then the form is successfully submitted, and whatever follow up action that is supposed to happen afterward is performed (e.g. successful signup to a mailing list, comment post to a blog, etc).
The problem is that in an effort to make these CAPTCHA images more and more difficult for software to break down to allow bots to bypass them, they have also been made very difficult for humans, those who are supposed to be able to read them, to figure out.
Take the following image that I was presented with on Facebook, a popular social networking site, this morning:
Are you kidding me?
Obviously the second word is "mountains", but I challenge even the most competent forensic experts to tell me what the first word is supposed to be.
Despite its fallibilities, I can understand as a technical person the need to have technologies like this in place. As a technical community, though, we need to make sure that we aren't making our products and systems impossible to use "in the name of security." Users will only accept a certain amount of inconvenience before they go find solutions that are simpler to use while still providing acceptable levels of security.
Those who know me know that I enjoy listening to podcasts. In particular, I enjoy security related podcasts, especially when waiting for a flight or during the 50 minute drive into work every day.
One podcast that recently raised my ire a bit is one that I listen to quite frequently, the Security Now podcast which is done by Steve Gibson (of Gibson Research Corporation) and Leo Laporte. I am a frequent listener of this podcast, and was somewhat excited to hear the MX Logic name mentioned in episode #150, "Listener Feedback Q&A" (audio version here). Unfortunately, that joy quickly turned to aggravation as I listened to Steve not only give a completely uninformed response, but then also basically accuse us of using tactics similar to what spammers use to track active email accounts. Unfortunately, I have yet to receive a response to my letter to Steve, so I wanted to be sure to clear the air on any misconceptions that he created during his podcast.
If you aren't familiar with the Security Now podcast format, every other week he and Leo go through the Security Now mailbag and select 12 questions from listeners that they will address on-air. Question number 12 of episode 150 was from one of our customers. Essentially he was concerned about tracking devices in email because he noticed that as he read an email on his Blackberry we were supposedly injecting graphics into his email.
Steve immediately jumped on the bandwagon and said "...this is absolutely tracking. And this is why I'm so down on third-party cookies." Here is where everything started to go completely wrong for him, especially since immediately afterward he also said "...there's no other information in the URL". So, on one hand he says that "it is absolutely tracking" but on the other hand he says "there is no other information in the URL." So, if there is no tracking information in the URL and we aren't setting a cookie of any kind when the image is pulled (another thing he got wrong, since he mentions third-party cookies in his original response), what are we possibly tracking? Sure, the IP address of the client pulling the image will appear in our web server logs, but that doesn't tell us anything.
The truth of the matter is Steve completely missed the mark in his response.
The reason that this "injection" happened is a result of a customer configurable feature of our offering called HTMLShield. With HTMLShield customers can configure their email filtering options such that certain HTML tags (such as javascript and iframes which are frequently the cause of drive-by malware downloads) within an email message are stripped (note that this is off by default, so customers have to specifically configure how they want this feature to work). As part of HTMLShield, customers can also choose to have image links within an email replaced with a transparent GIF image (note that this is also turned off by default, even if HTMLShield is enabled. So to enable this feature, a customer has to not only enable HTMLShield, but then also separately enable the feature to replace image links). No tracking is done of images that are replaced. We simply substitute the image link with a transparent gif, then pass the message down to our customer.
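To make the HTMLShield behaviour described above concrete, here is an added example (not MX Logic's code) of a filter that strips script and iframe tags together with their contents and, as a separate option, replaces every image source with one constant transparent GIF. The sample message body and the URLs in it are constructed; because the substitute image is the same bytes for every message and recipient, it carries no per-recipient state that could serve as a beacon.

```python
"""HTMLShield-style email filter: strip drive-by tags, optionally replace
image links with a constant transparent GIF.  Added example; the sample
message and its URLs are constructed."""
import base64
import html
from html.parser import HTMLParser

# 1x1 transparent GIF.  One constant for every recipient, so the replacement
# cannot encode who opened the mail (unlike a per-recipient beacon URL).
TRANSPARENT_GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
TRANSPARENT_GIF = base64.b64decode(TRANSPARENT_GIF_B64)
TRANSPARENT_GIF_URI = "data:image/gif;base64," + TRANSPARENT_GIF_B64

STRIP_TAGS = {"script", "iframe"}  # removed together with everything inside them


class HtmlShield(HTMLParser):
    """Re-emit the message, dropping STRIP_TAGS and rewriting <img src>."""

    def __init__(self, strip_tags=True, replace_images=False):
        # convert_charrefs=False so entities are re-emitted exactly as received
        super().__init__(convert_charrefs=False)
        self.strip_tags = strip_tags
        self.replace_images = replace_images
        self.out = []
        self._skip_depth = 0  # >0 while inside a stripped element

    def handle_starttag(self, tag, attrs):
        if self.strip_tags and tag in STRIP_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if self.replace_images and tag == "img":
            # Keep alt/width/etc. but point src at the constant GIF.
            rebuilt = []
            for name, value in attrs:
                if name == "src":
                    value = TRANSPARENT_GIF_URI
                rebuilt.append(f" {name}" if value is None
                               else f' {name}="{html.escape(value, quote=True)}"')
            self.out.append("<img" + "".join(rebuilt) + ">")
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self.strip_tags and tag in STRIP_TAGS:
            return  # self-closing <iframe/>: nothing to skip, just drop it
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.strip_tags and tag in STRIP_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:  # script/iframe bodies are dropped here
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self._skip_depth:
            self.out.append(f"<!--{data}-->")


def shield(message_html, strip_tags=True, replace_images=False):
    """Run a message body through the filter and return the rewritten HTML."""
    parser = HtmlShield(strip_tags=strip_tags, replace_images=replace_images)
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: benign text, a script, an iframe and a per-recipient beacon.
SAMPLE = ('<html><body><p>Hi &amp; welcome</p>'
          '<script>document.location="http://198.51.100.23/x";</script>'
          '<iframe src="http://198.51.100.23/drive-by"></iframe>'
          '<img src="http://198.51.100.23/beacon.gif?id=recipient-42" alt="">'
          '<a href="http://example.com">link</a></body></html>')

if __name__ == "__main__":
    print(shield(SAMPLE, strip_tags=True, replace_images=True))
```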
I would've hoped that someone with as much experience in the security industry would have been a bit more responsible in his answer and done a bit more homework before responding to the listener's question the way that he did, especially knowing that his podcast is so widely listened to amongst security professionals. Since I have been a long time listener of Steve's podcast I like to think that his desire to jump all over this question, and even go so far as to at one point agree with Leo that what we are doing is similar to spammers' "spam beacon" tracking mechanisms, wasn't a backhanded plug for his primary sponsor, Astaro... I guess I am just not that trusting.