IT Security Blog

27 May 2009

New Western Union Scam Making the Rounds


It looks like Western Union is the target of yet another spoofing campaign by spammers.  We've seen these come and go on a fairly constant basis over the past few months where several different brands have been targeted (we've also blogged about them before), but since this one appears to be coming out in pretty high volumes, I thought it was worth mentioning. 

The message itself appears to come from the Western Union Support Team (see sample below) and follows the same basic tactic that the earlier UPS, DHL, FedEx, and Western Union scams employed: it tries to trick the recipient into believing that a package or transfer they had attempted to send was not delivered, and to get them to print out the attached invoice (read: malware) and bring it to their local branch.  Note the lack of specificity as to where to actually go, which has been a common thread in previous scams as well.

Our Threat Operations Center is currently monitoring approximately 100,000 of these new Western Union emails per hour.  Below is a graph showing the timeline and prevalence of the most recent Western Union scams starting from the 11th of May.  The spike on the far right is this most recent variant.

As usual, if there is a question about a transaction that you made with a vendor, use the tracking number that they provided you and visit their web site or call them directly to look up and verify your transaction.  Do not fall victim to these scams.
Posted by smasiello at 1:18 PM | 3 comments
21 May 2009

New Facebook Phishing Scam in the Wild


Be on the lookout this morning for a phishing scam floating around Facebook asking you to visit http://areps.at, a domain registered only a few days ago to someone named Andrew Morov out of Russia.  (UPDATE 5/21/2009 11:30am MST - According to this CNet article, the domain bests.at is also being used for this scam, registered to the same person as areps.at)

personname:     Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: ******@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM

Visiting this site will also infect your Facebook profile and cause messages to be sent to your friends inviting them to also visit.  Below is a screen shot illustrating the contents of the message you may receive from an infected friend.

If you do receive any of these, contact the person who sent it to you and ask them to change their password ASAP.  If you believe that you might have fallen victim to this scam, change your own profile password before whoever has hijacked your account changes it for you and locks you out of your own account!
Posted by smasiello at 9:40 AM | 1 comment
13 May 2009

I'm Just an Honest Phisherman


Every so often our Threat Operations Center runs across things that are either too interesting or too humorous to not pass along.  Yesterday, we saw another one of those examples.

It is not uncommon to see messages spoofing government entities.  We've blogged many times in the past year about scams targeting entities like the US Tax Court, the Internal Revenue Service, the US District Court, the US Department of Justice, and most recently the Social Security Administration (external link to SC Magazine). 

The scam du jour targets the US Treasury.  The email appears to come from the U.S. Treasury Support Center and has a subject line containing the words "Federal Reserve Bank" with various other words/phrases like "Attention" or "Read Carefully" either prepended or appended in an effort to grab the attention of the reader.  As is commonplace with most of the scams that we run across, it has its share of grammatical comedies.


I found two things most interesting in this case: 1) The actual email does nothing to convince the user that they have to act RIGHT NOW in order to avoid some loss of privilege or convenience (e.g. their online bank account getting locked out), as most do.  2) (and in my opinion the more comical) The URL in the email contains the word "phishing."  Now, I understand that the phishing reference is likely related to the content of the message, but I found it simultaneously funny and ironic that an obvious scam would risk tipping off a would-be victim by including a word that sets off as many red flags as "phishing" does.

As of the time of this writing the domains associated with this scam are still up; however, the web sites that these particular scams point to appear to be down.  The fact that the domains still exist is reason to believe that they will be recycled for future federal bank related scams.
Posted by smasiello at 10:57 AM | 1 comment
12 May 2009

The Dangers of Information Sharing in a Web 2.0 World


It's 10pm.  Do you know where your data is?

One of the strengths of Web 2.0 applications is also one of their greatest weaknesses.  As information sharing has become all the rage on Web 2.0 social networking, blogging, and micro-blogging sites like Facebook, MySpace, and Twitter (and with the subsequent mining of that data by search engines like Google), we need to be aware not only of the data that we are sharing about ourselves, but also be more diligent about qualifying what we read.

Case in point: a Twitter user going by the name of @officethemovie started posting content about an upcoming Zune/Windows phone to rival the iPhone.  As one would guess, word started to spread quickly and @officethemovie quickly gathered over 1,000 followers.  Some of the major technology publications, like PC Magazine (@pcmag on Twitter), understandably became interested as well.  It turned out that @officethemovie had only created the post on Twitter in an effort to raise the visibility of iPhone piracy to Apple via his blog, and that the Zune/Windows phone wasn't real.  I feel that I've given enough publicity to @officethemovie already via his numerous mentions throughout this post, so I won't link to his blog here.  Trying to drive traffic to your blog through deception is lame and basically ruins all of your credibility.

No matter what the communication medium, information is traveling quicker and is more widely distributed than ever before.  What's the saying?  "If it is on the internet, it must be true"?  Obviously that is meant tongue-in-cheek, and maybe I am paraphrasing a bit, but the moral of the story is that misleading information can run rampant very quickly.  Misleading information is the basis of most of the social engineering attacks employed by cyber criminals today, so whether it is something reasonably benign like a phony phone announcement or something more serious like a scam that can lead to identity theft, it is of the utmost importance that we don't take the risks associated with Web 2.0 technologies lightly.  Perhaps what we are dealing with is the Web 2.0 version of hacktivism?
Posted by smasiello at 4:20 PM | 1 comment
06 May 2009

McAfee Sites Vulnerable to XSS Exploits


Just as a general Public Service Announcement, if you are interested in Cross Site Scripting exploit news, and if you are not following @xssexploits on Twitter, do so (and of course follow @smasiello too :) ).

The reason that I mention that is that, in addition to being a way to stay up to date on some of the latest XSS announcements, @xssexploits is also one of the first places where I learned about the recently made public XSS vulnerabilities found on several McAfee web sites.
So, why are these exploits of consequence?

One of the sites mentioned as being vulnerable to cross site scripting is McAfee's Rebate and Promotion Center web site.  One of the fields that a user must populate when filling out the form to obtain a rebate is the date on which they purchased one of McAfee's qualifying products, in mmyydddd format.  Using a technique known as HTML code injection, a user could be redirected to another (potentially malicious) McAfee look-alike web site used for phishing unsuspecting users' sensitive information, or to a malware distribution site that looks like an official McAfee web site.

Many security vulnerabilities are introduced by software not doing proper input checking.  Common practice is to follow a "whitelist model," where the input checking code specifies the types of input that are allowed (generally a small list) rather than trying to identify all of the input that is not allowed (a much larger list).  In this case, it doesn't appear as if the form was doing any kind of input checking.  Allowing HTML characters such as quotation marks, less than, and greater than symbols in a field that is clearly expecting only numerical input is only asking for trouble.
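The whitelist check described above, next to the kind of unchecked reflection that lets a date field turn into HTML, as an added example in Python (not code from this post or from McAfee's site).  It assumes the field must be exactly eight ASCII digits with the month in the first two positions, and the sample inputs are constructed.

```python
import html
import re
from typing import Optional

# Constructed sample inputs (not taken from the post): a well-formed purchase
# date and an injection attempt of the kind described, a value that closes the
# input attribute and adds a redirect to an attacker-chosen page.
GOOD_INPUT = "05012009"
INJECTED_INPUT = '"><meta http-equiv="refresh" content="0;url=http://example.invalid/">'

def render_vulnerable(purchase_date: str) -> str:
    """'Before': the submitted value is reflected into the confirmation page
    with no input checking and no output encoding."""
    return f'<input name="purchase_date" value="{purchase_date}">'

# Whitelist model: the only accepted shape is exactly eight ASCII digits.
# The post gives the format as "mmyydddd"; this example assumes the first two
# digits are the month and checks only that (an assumption, not page content).
PURCHASE_DATE_RE = re.compile(r"\A[0-9]{8}\Z")

def validate_purchase_date(purchase_date: str) -> Optional[str]:
    """Return the value if it is on the whitelist, otherwise None.  Anything
    that is not eight digits, quotes and angle brackets included, is rejected
    before it gets anywhere near the HTML."""
    if not PURCHASE_DATE_RE.match(purchase_date):
        return None
    month = int(purchase_date[:2])
    if not 1 <= month <= 12:
        return None
    return purchase_date

def render_hardened(purchase_date: str) -> str:
    """'After': reject anything outside the whitelist, and encode what is
    reflected so a future whitelist mistake still cannot become markup.
    The rejection message is plain text, so it carries no tags at all."""
    clean = validate_purchase_date(purchase_date)
    if clean is None:
        return "Invalid purchase date: enter eight digits."
    return f'<input name="purchase_date" value="{html.escape(clean, quote=True)}">'

def injected_tag(rendered: str) -> bool:
    """Test oracle: True if the rendered markup contains more than the single
    <input> tag, i.e. the reflected value broke out of the attribute."""
    return rendered.count("<") > 1

if __name__ == "__main__":
    print(render_vulnerable(INJECTED_INPUT))   # attribute closed, <meta> injected
    print(render_hardened(INJECTED_INPUT))     # rejected before rendering
    print(render_hardened(GOOD_INPUT))         # echoed safely
```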

I am not trying to pick on McAfee here, but they are a prime example of the reality that this can happen to anyone: at a company where security is their business, you would expect a pretty keen eye towards security vulnerabilities within their own web site.  Back in January, CWE and SANS posted their list of the top 25 programming errors that occur most frequently within applications, and Improper Input Validation is at the top of that list.  It tops the list because it is the most common flaw and because it is the easiest to exploit.  Improper input checking can be exploited with even the simplest of test cases, which means that even the lowest level hacker who knows only the bare minimum about XSS and code injection could take advantage of this flaw.

Protect your brand.  Protect your web site.  Protect your users.  Follow secure coding practices and incorporate a security mindset into the products and applications that you build.  You don't have to be a security company to think securely.


Posted by smasiello at 3:03 PM | 1 comment
01 May 2009

Microsoft to Disable Autorun for USB Devices Amid Security Concerns


I wanted to take a moment to write about a topic that we discussed during the recording of Episode 29 of the Security Buzz podcast earlier today.  That topic is based on a post found on DarkReading that discussed Microsoft's decision to release an update to disable the Autorun feature in Windows for USB drives, in response to the variant of the Conficker worm which spreads via these devices.  The question at hand was whether or not this move is happening too little too late given Conficker's already large presence.

My opinion is that not only is the move too little too late, but it is also a completely irrelevant one, for the main reason that, according to the folks over at mtc.sri.com, who have posted in-depth research on how the Conficker worm operates, most of the machines infected with this worm are still running versions of the Windows XP operating system with Internet Explorer 6 installed.  This means that most of the infected machines are not one or two patch levels behind on their updates from Microsoft.  They are likely years behind and have never been patched; they may in fact be running the original version of Windows XP released in October 2001 without a single security patch ever applied, meaning that they are vulnerable to every Windows XP vulnerability ever patched.

USB drives, although an important infection avenue to consider (though in my opinion more of a risk from a data leakage perspective than as a malware distribution point), are still only a small portion of the infection problem.  Emails with attachments, malicious web sites and compromised legitimate web sites that distribute malware, and peer-to-peer downloads of pirated software with embedded trojans are all far more prevalent issues with respect to current worm and malware propagation than USB drives.
Unfortunately, this move by Microsoft will do little to solve the Conficker problem or slow its spread.  It also will not do much overall to prevent further malware propagation in the future, because the machines that need to be cleaned up are not the ones that are following best practices by keeping up to date on security patches, running up to date antivirus, and defending in layers.  It is those that aren't that are, and will continue to be, the real problem.
Posted by smasiello at 12:14 PM | 2 comments