Cloudmark Blog

Intelligence Briefings from the War on Spam


The CDC wants you… maybe.

The Zeus botnet is making another attempt at stealing your personal information this week. Starting early in the morning on 1 December 2009, email messages began going out telling recipients that they need to register themselves in the CDC’s H1N1 program. Messages with subject lines like “Create your personal Vaccination Profile” and “Governmental registration program on the H1N1 vaccination” are enticing recipients to visit a webpage proudly displaying the Center for Disease Control logo, from which they can download their “H1N1 Vaccine Profile Archive”. The ‘archive’ is, in reality, the installer program for the Zeus bot, which will place a keylogger on your machine and try to steal your personal data.

Most anti-virus vendors have signature updates that will mark this installer as malware, so one way to protect yourself is to make sure that your A/V software is up to date. All of the fake CDC URLs we visited were detected as forgeries by the newest versions of Firefox, as well.

Permission.

It seems like a simple and basic concept of email marketing. Get permission from the intended recipient before sending. Confirm permission. Maintain records of when, where, and how you got permission. Engage the recipients with your mailings to compel them to purchase your product/service. Nurture your relationship with your customers and grow them into loyal evangelists.

Instead of following these basic tenets of email marketing, I am seeing marketers (clients of ESPs) engaging in practices which are questionable at best.

They rent or purchase lists of email addresses, obtain addresses through co-registration programs in which users did not expect their email addresses to be indiscriminately distributed, and acquire addresses from email appending vendors through fuzzy logic matching.

In any of the situations above, did the recipient give undeniable permission to you, the sender? Just because you acquire an email address does not mean you have the right to send to it.

ESPs, you are not off the hook. You need to require permission practices of your clients, or you need to reconsider your relationship with these clients. Is what the client is paying you enough to cover the cost of resolving deliverability issues and the damage to the reputation of your IP addresses and the reputation of your company?

- Having clients who do not know the provenance of the email addresses in their mailing lists should not be acceptable.
- “Inadvertently” mailing to a suppression list should not be acceptable.
- Having clients who also send through another ESP and do not remove invalids or respect unsubscribes should not be acceptable.
- Providing the excuse of “But, my client is a large and recognizable brand!” for a client’s bad practices should not be acceptable.

ESPs who require and enforce best permission practices should be applying peer and industry pressure within the ESP community to adopt these policies. Ultimately, ESPs need to take responsibility for their clients’ practices. If you are aware that your clients are engaging in questionable or bad practices, address those issues before contacting an ISP or anti-spam vendor to resolve the issue.

BEWARE: NEW “PAYMENT REQUEST” ATTACK

Cloudmark has been monitoring a new virus attack which started around 8:30AM Pacific time on Monday, November 16, 2009. With subject lines saying “payment request from” and mentioning a random, very large company, they’re attention-getting and coming in huge quantities. As of 3PM Thursday, November 19, almost 2.5 million attempts have been made to deliver copies of this to customers protected by Cloudmark Desktop.

Some sample subject lines:

Subject: payment request from "DuPont"
Subject: payment request from "Converse"
Subject: payment request from "Mars Incorporated"
Subject: payment request from "Morgan Stanley"
Subject: payment request from "Big Lots"

The payloads for these messages have nothing to do with any of the companies mentioned, of course. Those companies are just innocent victims whose familiar names are called out to trick you into opening the email message. Instead, the attached ZIP files are intended to bring your computer under the control of someone else. Kaspersky is identifying the attachments as Trojan.Win32.Sasfis.vbw; Trend Micro calls them TROJ_AGENTT.WTRA.

Safe computing practices can protect you from being infected. Make sure your anti-virus and anti-malware programs, your operating system, and your other programs are up to date and take care to only open attachments from trusted correspondents (only AFTER verifying that they intended to send you the attachment).

Who’s responsible for affiliates?

Affiliate marketing, where a company provides compensation for affiliates driving traffic (and potentially sales) to their sites, may have adverse ramifications if not properly managed. Over the past week, affiliate-driven spam has once again migrated to the top of our radar. It is unclear whether legitimate brands have decided not to police their rogue affiliates, or they do not fully understand the negative effects of an unmanaged affiliate program.

In one example this week, messages advertising the products and services of a major brand were sent out containing rotating, disposable domains and hashbuster text from multiple netblocks of IP addresses, a practice commonly known as “snowshoe.” The affiliate is sending unsolicited bulk email and engaging in practices to evade spam filters and IP reputation services.

Ultimately, turning a blind eye to the action of affiliates can lead to a decrease in engagement and an increase in spam reports from recipients due to increased frequency, damage to a brand’s reputation, and possibly, litigation. CAN-SPAM requires companies to be responsible for their affiliate programs. According to the Institute for Social Internet Public Policy, “if the affiliate is dishonest, and hides their true identity, then the affiliate program for the product featured in the email (which will be the product being sold under the affiliate program) becomes responsible. In other words, if you are advertised in the affiliate’s email, and the affiliate cloaks who they are, you become responsible.”

Before CAN-SPAM, AOL successfully sued Cyber Entertainment Network “based on the principle of negligent enablement and negligent hiring and retention. The lawsuit said that they had retained affiliates they either knew or should have known were engaged in spam to advertise their Web sites.”

Hopefully, these brands will realize the potential long-term fallout outweighs the short-term gains and make changes to prevent further misuse of their affiliate programs.

BLACKBERRIES CAN’T TELL REAL FROM PHISH?

Mixed in with the fake Facebook password update email we reported yesterday is another, possibly more dangerous phish. Messages with subjects like “Facebook Update Tool” and “Facebook Account Update” are circulating. These are more typical phish, and they include a link to a fake account login page.

[Screenshot: the “Facebook Update Tool” phishing message]

Most users, by now, know to be cautious of things like this in their inbox. For Facebook users with Blackberries, though, there’s another danger. There are reports, verified through experimentation by Stuart Paton, Senior Solutions Architect here at Cloudmark, that the Facebook for Blackberry app provided by Research in Motion can be fooled by these phishes. The app can be configured to monitor your Blackberry’s email inbox for alerts from Facebook; those alerts are then moved to the Facebook app’s internal inbox, which makes them appear to be legitimate. Users are much more likely to respond to these phishes when they appear to be coming directly from Facebook.

[Screenshots: the phishing alerts as they appear in the Facebook for Blackberry app’s inbox]

Our experimenting shows that these messages only show up in the Facebook for Blackberry app, and will not be seen if you log into your Facebook account through a web browser. Until Research in Motion and Facebook can issue a fix for this behavior, Facebook for Blackberry users should take care to verify that links in Facebook alerts are legitimate by viewing their Facebook inbox in a web browser.

(Thanks go to Stuart Paton for researching this issue, and for providing screenshots of his Facebook inbox for this article)

DID MYSPACE RESET MY PASSWORD?

Facebook users may be able to relax a little – the Facebook/malware messages that we reported yesterday are starting to morph to other social networking sites. Starting around 10AM Pacific time today, Cloudmark started to see the subject of those messages change to “Myspace Password Reset Confirmation”. Aside from changing “Facebook” to “Myspace” throughout the messages, they’re the same thing, and they still carry a .zip file that will try to add your computer to the Bredolab botnet. As with Facebook, Myspace is a victim here, as well, and is not responsible for the messages.

It’s probable that we’ll see this morph again in the next few days, so users should be especially wary of messages purporting to be from the social networks. Cloudmark’s systems have already generated fingerprints for these messages, and Cloudmark customers are being protected from this mutation.

DID FACEBOOK RESET MY PASSWORD?

The last three days have seen a sharp uptick in social engineering, as one or more of the malware distributors are, once again, playing on the popularity of Facebook to convince people to open their email. Emails with the subject “Facebook Password Reset Confirmation” have been flooding inboxes over the last few days, enticing people to open a zip file which purportedly contains the user’s new password. Of course, it contains no such thing – the zip file is actually just another piece of malware. Samples that I have looked at include what Kaspersky is identifying as “Packed.Win32.Krap.w”, a trojan designed to download and install other programs without the user’s knowledge. ZDNet’s coverage is calling this the return of the Bredolab botnet, known to be responsible for both spam and identity theft.

Cloudmark saw these emails starting just before 1PM Pacific time on Monday, October 26th. By mid-day Tuesday, October 27th, almost half a million attempts had been made to deliver copies to mailboxes protected by Cloudmark Desktop, and by mid-day Wednesday, October 28th, that number had risen to almost three-quarters of a million. Cloudmark Desktop protects almost 2 million active mailboxes.

I cannot stress enough – these emails are not coming from Facebook, and they do not mean that your Facebook account has been taken over, or that someone is trying to get your password. The emails are coming from already compromised computers from all over the world, and all they are trying to do is to add your computer to the growing legion of bots. Facebook, unfortunately, is just another victim here; they can’t stop bad guys from using their name to dangle as bait in front of you.

You can take several steps to protect yourself. Make sure your anti-virus is up-to-date, and consider running more than one flavor of anti-virus or malware detector. Do not open attachments you’re not expecting. Use different passwords for all of the websites that you use so that, even if one is compromised, others can’t be.
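Both the “payment request from” trojan wave and the Facebook/Myspace “Password Reset Confirmation” Bredolab wave described above share the same shape: a brand-name lure in the subject line plus a ZIP attachment carrying the installer. The following is an added example of a mail-gateway check for exactly that combination; it is not Cloudmark’s code or a description of how Cloudmark Desktop fingerprints messages. The subject patterns come from the briefings above; the sample messages, sender addresses and ZIP bytes are constructed here for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject-line lures reported in the briefings above: the 'payment request from "<Company>"'
# trojan wave and the Facebook/Myspace "Password Reset Confirmation" Bredolab wave.
LURE_SUBJECTS = [
    re.compile(r'^payment request from "[^"]+"$', re.IGNORECASE),
    re.compile(r'^(facebook|myspace) password reset confirmation$', re.IGNORECASE),
]

# Local-file-header signature that starts every ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"


def has_zip_attachment(msg: EmailMessage) -> bool:
    """True if any MIME leaf part is a ZIP, judged by its filename or by the PK magic bytes.
    Checking the bytes as well as the name catches renamed archives."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if filename.endswith(".zip") or payload.startswith(ZIP_MAGIC):
            return True
    return False


def classify(raw: bytes) -> str:
    """Return 'suspect' only when the subject is a known lure AND a ZIP is attached.
    Either signal alone is too noisy: real invoices carry ZIPs, and a lure without a
    payload is handled by ordinary spam filtering."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    lure = any(pattern.match(subject) for pattern in LURE_SUBJECTS)
    return "suspect" if lure and has_zip_attachment(msg) else "pass"


def build_sample(subject: str, attach_zip: bool) -> bytes:
    """Constructed sample message (not a real capture); addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if attach_zip:
        # A few bytes starting with the ZIP signature; not a valid or executable archive.
        msg.add_attachment(ZIP_MAGIC + b"\x00" * 26, maintype="application",
                           subtype="zip", filename="document.zip")
    return msg.as_bytes()


# Constructed corpus: two lures with payloads, one benign ZIP, one lure without a payload.
SAMPLES = {
    "trojan_payment": build_sample('payment request from "DuPont"', True),
    "bredolab_facebook": build_sample("Facebook Password Reset Confirmation", True),
    "benign_invoice": build_sample("Invoice for October", True),
    "lure_no_attachment": build_sample('payment request from "Converse"', False),
}


def run() -> dict:
    """Classify every sample and return {name: verdict}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```

The rule is deliberately narrow: it flags the two samples that combine a known lure with a ZIP and passes the benign invoice and the payload-less lure. The page’s own observation that the lure morphed from “Facebook” to “Myspace” overnight is the reason a static subject list is only a stopgap; a production filter keys on message fingerprints and attachment content rather than on the brand name of the week.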

Cloudmark Back to School Social Networking Tips

Social networking has grown in adoption and now it seems like every person has some sort of an account. For students returning back to school, Cloudmark recommends these safety tips for a safe and secure social networking experience.

  • Know Your Friends—Be wary of “friending” people you don’t know and never reciprocate friend requests from complete strangers. Also, be careful of clicking on links in messages sent to you from strangers––these requests may be from spammers, who can send out links to viruses or other forms of malicious content (Example 1 & 2).
  • Choose Applications Wisely—New applications can enhance your social networking experience, but unfortunately some are at the expense of your privacy. Read the fine print and pay attention to the information you expose and the actions you enable when adding applications to your profile. Only install applications from companies that you trust and use privacy settings to manage the information you expose.
  • Don’t Share Personal Contact Information—Do not disclose your cell phone number on your social networking page; this is an easy way for spammers to send spam, viruses, or fraud attacks to your cell phone. Also, consider setting up a separate email account specifically for social networks.
  • Remember, the Internet is Permanent—Do not post content that you might be embarrassed about in the future. Companies are increasingly screening social media profiles as part of their due diligence for prospective job candidates. Photos and comments that may seem harmless now could cause you to not get your dream job.
  • Limit Location-specific Details—Be cautious about posting up-to-the-minute status updates. While it’s great to let your friends know where you are or what you’re doing, it could also make you an easy target for stalkers, or a candidate for robbery if you frequently post about when you’ll be away from home.
  • Be Smart with Your Passwords—Do not use the same password on multiple social networks and avoid obvious passwords, such as a pet’s name. Store your passwords in a safe place or use a password manager to keep record of your passwords.
  • Practice Safe Computing— Do not use a computer that you can’t trust to be clean of viruses, such as public library computers or computers at Internet cafes. If you must use a public PC, do not exchange or save personal or financial information, such as banking ids, passwords, social security numbers, etc.
  • Fortify Your Defenses—Run up-to-date anti-virus and anti-spam tools and software. Many companies offer free software trials that you can try out before you purchase – just make sure it is a reputable company before downloading anything.
  • Check the Fine Print—Read the fine print or terms and conditions before signing up or filling out a survey. Make sure your information is not sold or used for other purposes and guarantee the company is legitimate (Example 3).

EXAMPLES

Example 1: This is an example of a message sent to a social networking user notifying them of a video with them in it. If the user clicks on the link, malware is installed on their computer.

Example 2: This is an example of a message sent to a social networking user notifying them of a $500 gift card they received through a URL. If the user clicks on the link, malware is installed on their computer.

Example 3: This is an example of a fraudulent advertisement on a social networking site using a popular brand name. The fake survey enticed people to take it in order to win a $500 gift card. People who signed up received recurring monthly charges on their cell phone bill, which was disclosed only in the fine print.

Why Network Level Protection is Better than Device Patches for Vulnerabilities like the Charlie Miller iPhone SMS Vulnerability

The recently announced SMS vulnerability discovered by Charlie Miller that affects Apple iPhone, Palm Pre, Windows Mobile and Google Android devices highlights the importance of network level protections for the mobile network. The vulnerability, which can enable an attacker to gain full access to a device by sending specially coded SMS messages to the device, was first disclosed to mobile device manufacturers and mobile operating system providers in early July. However, several device manufacturers and OS providers have not yet made a patch available to users that addresses the vulnerability.

Once a patch is available, the process of getting millions of subscribers on the network to update their devices to the latest patch level, across multiple smartphone operating systems, is daunting. Some of these devices, including the Apple iPhone, do not support over-the-air provisioning for a patch – meaning that users would have to manually upgrade their devices themselves. Waiting for users to do this on their own may take months–all the while leaving users vulnerable to this serious attack.

Conversely, solutions that provide SMS protection in the network infrastructure could prevent this attack from infecting devices immediately. Network level solutions are able to block malicious SMS messages before they are sent to the device, preventing the messages from ever arriving at the device in the first place. This has several benefits. The network level solution would:
1. Be able to protect multiple device types
2. Provide protection without user involvement or awareness
3. Provide protection without device manufacturer or operating system vendor involvement
4. Immediately protect all subscribers upon deployment

This type of protection requires a relatively advanced solution to be in place in the mobile network infrastructure. Today, not all network infrastructures support this type of capability. However, Cloudmark believes that we will see this become more and more common as a means to protect against attacks of this nature in the coming months and years.

Black Hat, day 1

First day at Black Hat, and aside from it being very hot here, the show is going very well. There is a lot of chatter regarding the practical implications of an MD2 preimage attack, as well as how several white-hat hackers were compromised in the past week. There is also the usual chatter about the standard fare of web application security research and the associated attack and defense techniques.

The most interesting material will probably be presented today, during the mobile threats track – got a sneak preview at a new SMS attack that is pretty impressive and may cause migraines for unprepared mobile providers in the next few months. Other than that, curious to see what the other presenters have to say about the mobile platforms they have examined.

http://www.blackhat.com/