Posts filed under 'Security'

Merrill Lynch’s Rock Phish Digital Certificate

May 9th, 2008 by Fatima Bancod (Email Security Analyst)

The Trend Micro Content Security Team has recently encountered a phishing attack similar to the ones that recently affected Bank of America and Comerica. The scheme, which involves a malicious "digital certificate" supposedly downloaded from a link found in the spammed email, is now being used to fool Merrill Lynch Business Center customers. Below is a screenshot of the spammed email message:

The visible link in the said email is a hypertext string that leads to the phishing URL
hxxp://wcma.businesscenter.mlbank.bcprivate9054.wcmaloginea.aspxsystem.meetingid.12469.programs.dvppserv.1291logon.info/WCMALoginEA.htm
which poses as the Business Center’s home page. Note that the long string of brand-like labels (wcma, businesscenter, mlbank, wcmaloginea) is only the subdomain part; the domain actually controlled by the phisher is 1291logon.info.

Clicking on the said link connects the user to a URL where they are prompted to download a required “digital certificate.” However, the phishing site is already inaccessible as of this writing.
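A URL-triage check in the defender's spirit of this post, added here as an example (it is not Trend Micro's code): it re-fangs the quoted link, isolates the registrable domain and flags brand-like tokens that appear only in the decoy subdomain labels. The registrable domain is approximated as the last two labels (assumption: no Public Suffix List lookup), and the token list is an assumed watch-list built from the hostname quoted above.

```python
"""Flag hostnames that bury brand-like tokens in deep subdomain labels."""
import re
from urllib.parse import urlsplit

# Constructed sample: the defanged phishing URL quoted in the post, re-joined.
SAMPLE_URL = (
    "hxxp://wcma.businesscenter.mlbank.bcprivate9054.wcmaloginea.aspxsystem."
    "meetingid.12469.programs.dvppserv.1291logon.info/WCMALoginEA.htm"
)

# Assumed watch-list of brand-like tokens, taken from the hostname in the post.
BRAND_TOKENS = ("wcma", "mlbank", "businesscenter", "login", "logon")


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' URL back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the owner-controlled domain as the last two labels.

    Assumption: no Public Suffix List lookup, so co.uk-style suffixes
    would need a real PSL library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(url: str) -> dict:
    """Return the parts a phishing triage would look at, plus a verdict."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    sub_labels = sub.split(".") if sub else []
    # Brand tokens that sit in the subdomain part but not in the real domain
    # are decoys: the phisher owns only the registrable domain.
    decoys = sorted({t for t in BRAND_TOKENS
                     if any(t in lbl for lbl in sub_labels) and t not in reg})
    suspicious = bool(decoys) or len(sub_labels) >= 5
    return {"host": host, "registrable": reg, "labels": len(host.split(".")),
            "decoy_tokens": decoys, "suspicious": suspicious}


if __name__ == "__main__":
    print(analyse(SAMPLE_URL))
```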

Sunbelt also warns in its blog that this scheme is very likely being reused against other targets as well.

SCADA Watch: ‘Tragedy of The Commons’

May 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)

“The Tragedy of the Commons is a type of social trap, often economic, that involves a conflict over finite resources between individual interests and the common good.”

- Wikipedia

In a perfect world, we all understand that certain situations should not exist which put our critical infrastructure at risk — we all like to be able to have electricity, water, and other common utilities which we normally take for granted.

But we do not live in a perfect world, of course.

I have written about SCADA (Supervisory Control And Data Acquisition) issues before on this blog, but I’d like to renew & enjoin the public interest in certain recent events & issues which may put these resources at risk.

First, let’s look at the issue of “convergence”, or rather, “premature convergence” which seems to be a better definition:

“…premature convergence means that a population for an optimization problem converged too early, resulting in being suboptimal.”

- Wikipedia

This is similar to — what I believe to be — the situation wherein some unknown portion of the SCADA controls & operations community has strategically moved itself into: using the same platforms, operating systems, and software, which are now susceptible to the vulnerabilities that we all know too well. Buffer overflows, remote exploitation, denial of service vulnerabilities, and so forth and so on.

Now, this wouldn’t be a problem if these systems were, in no uncertain terms, not connected to the Internet in any way, shape, or form.

But that is increasingly not the case.

Due to operational “optimization” (meaning: it is cheaper to use publicly available connectivity to manage these systems), the SCADA threat landscape now begins to look a lot like the network security landscape that we all know and respect — one of constant vigilance and constant defensive threat posture.

Within the past couple of days, there have been a couple of SCADA systems management platform vulnerabilities announced which could result in some rather serious exploitation. The SANS ISC reported yesterday a situation in which one software suite “…provides unauthorized access, allows partial confidentiality, integrity, and availability violation, allows unauthorized disclosure of information, allows disruption of service.”

This seems rather serious. And I have been informed that there is at least one more similar vulnerability which has not been publicly disclosed yet.

As utility companies make operational decisions based on economic business savings (using the Internet, or an Internet VPN, to manage their client-control base to save money), the unintended consequences can be severe. When they occur. If they occur.

Throw the dice.

Let’s keep our fingers crossed that the SCADA community quickly comes to grips with the nature of network security.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

BBB Spam + Malware Yet Again

May 7th, 2008 by Macky Cruz (Technical Communications)

Spam turns thirty this month, and it has no signs of abating.

Throughout the years, bulk mail has only morphed into various forms (from text, to images, some bearing attachments, some links), with some forms evolving from mere unsolicited advertisements into harbingers of phishing and even malware attacks.

On the antispam work grind, however, things look a little bit too familiar: the spammers faking “Better Business Bureau” (BBB) are at it again.

Unfortunate recipients who click on the link are brought to the following Web site:

The page states “This site requires IE 5.5 or higher,” which is incredibly strange, considering that the latest IE version today is already at 7. The 65 KB file downloaded from the link (named ACROBAT.EXE) is detected as TROJ_AGENT.AOAR.

Around the same time last year we caught spam pretending to come from BBB telling the recipients that a complaint has been filed against them. The spam comes with an attachment which is actually TROJ_ARTIEF.A.

In a more recent instance, our Content Security team has found a phishing email which asks the user to visit a booby-trapped site. However, when a victim visits the site, the Web site displays a message informing them that an ActiveX control is required to view the page. Downloading the ActiveX control is, of course, not a good idea.

While these spammers never grow tired of recycling old tricks, it seems users are just as wont to open email messages out of curiosity anyway. Users are highly advised to activate the antispam filters in their email applications along with the antispam features that come with their security suite.

Those Lazy Hazy Crazy Days of Summer (Movies)

May 7th, 2008 by Paul Oliveria (Technical Communications)

Iron Man just made almost a hundred million dollars during its opening weekend in the US. Yes, summer movie season has just kicked in. You know, that time of the year (even if one’s not in the said country) when all the big blockbuster flicks are jockeying for the “box office hit” title. Almost every week there is a new highly anticipated film or sequel (or the now-overused term “threequel”) opening in theaters, much to the delight of moviegoers and, in some cases, cyber criminals as well.

The use of movies as a social engineering bait by hackers is not new; in fact, it has sort of become a tradition that one has to expect every year. So while reading Entertainment Weekly’s “fearless” predictions for the season, we decided to come up with predictions of our own. Only this time we’re calling them “fearful” predictions, mainly because these are the types of predictions we hope would not come true.

1. Spammers and phishers will lure potential victims with raffle entries for tickets or merchandise. In 2005, Revenge of the Sith became the bait of choice of a Yahoo! phishing attack. Last year, spammers sent a supposedly short survey related to The Simpsons Movie in an attempt to gather email addresses. It will not be surprising if a similar tactic pops up this year, just in time when the anticipation for movies like Sex and the City or the X-Files sequel reaches fever pitch. After all, in the gaming arena, it has already happened with the release of Grand Theft Auto IV.

2. At least one malware will pose as an “exclusive” trailer, free movie passes for the premiere, or the “uncut version” of a movie. Unfortunately one has to download the “codec” or the “raffle entry form” first.

3. The official site of one movie will get compromised. Or a high-traffic fan site or blog, for that matter. Users who would want more information about a particular flick (show times, reviews, etc.) will click on the compromised page, where a slew of malware will be downloaded onto the unknowing victim’s computer.

Then again, with the ongoing trend of SEO poisoning and creating fake pages from scratch (which are laden with spammy links and keywords), users only need to Google a keyword in order to get infected. Speaking of SEO poisoning…

4. “Heath Ledger” will be once again a good keyword for poisoned pages. As the buzz surrounding the actor’s portrayal of The Joker in the upcoming The Dark Knight grows louder — some already claim it’s his finest role yet worthy of a posthumous Oscar — whose interest won’t be piqued?

Developing: New Adventures in SQL Injection Attacks

May 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)

It would appear that we have a developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.

Over at the SANS Internet Storm Center, John Bambenek has posted (and also provided at least one update at this hour) a daily handler’s diary entry explaining that they have had reports of a possible SQL worm, involving some domains, JavaScript, and URLs that first popped up on our threat radar on Monday (5 May 2008) morning.

Trend Micro has already proactively blocked access to these malicious domains and URLs (and the associated malicious “back-channel” background activity) while we push out a pattern update for malicious file and JavaScript detection.

Having said that, that’s the beautiful thing about hybrid Web Threat Protection (WTP) — we shrink the “time-to-exploit” window immediately by breaking the infection chain.

For now, please be assured that we are burning the midnight oil working on these issues, and will update this blog post as more details become clear. In the meantime, please refer to the SANS ISC Daily Handler’s Diary for details, and we’ll post more as this developing incident unfolds.

One further note: While the numbers are only in the ~4,000 to ~5,000 range (still not small!), there are some very high-profile Web sites that seem to have been compromised in this attack.

PLEASE DO NOT GO SEARCHING FOR WEB SITE COMPROMISES. In this particular case, if you are not adequately prepared and protected, you can become a victim of your own curiosity.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

Image source: Fugato.net
