Two weeks ago, I attended RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research in the technical track sessions also provided a refreshing stroke to this year’s presentations.

Below are some of my experiences and insights on some noteworthy discussions involving security awareness, hacking back, and going offensive legally.

The 7 Highly Effective Habits of a Security Awareness Program

Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in companies in enabling employees to apply best computing practices on a daily basis, resulting to long-term security awareness within the organization.

They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. This study focuses on security awareness campaigns that companies implemented and how effective these were. They came up with key findings that lead them to create their 7 Highly Effective Habits of a Security Awareness Program, which are:

1. Create a Strong Foundation
2. (Have) Organizational Buy-in
3. (Encourage) Participative Learning
4. (Have) More Creative Endeavors
5. Gather Metrics
6. Partner with Key Departments
7. Be the Department of HOW

My key takeaway for this session is of course the last part.  We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems.

While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.

Read the rest of this entry »

World of Warcraft: Mists of Pandaria is the fourth expansion for the massively multiplayer online role-playing game (MMORPG) World of Warcraft. It was first unveiled to the public last October 2011 during the BlizzCon 2011 conference in Anaheim, California.

TrendLabs researchers started seeing increased phishing activity inside World of Warcraft after Blizzard started the closed beta testing for Mists of Pandaria last March 2012.

In these new rounds of phishing attempts, scammers are trying to abuse the WoW’s in-game mail system. In this phishing attempt, the malicious URLs are sent via in-game mail and are received by players in their in-game mailboxes.

In this phishing try, the scammer entices would-be victims to join the Mist of Pandaria beta testing and win an exclusive in-game item, the Dragon Turtle Mount, by visiting and registering in their website. The Dragon Turtle Mount was previously announced by Blizzard as the racial mount for the Pandarens, the new additional playable character race available in the Mist of Pandaria expansion.

The phishing URL in the in-game email goes to a phishing website that closely resembles the actual Battle.net website. The phishing URL tried to add some credibility by adding the string Mist of Pandaria abbreviation (MOP) to the domain name.

If unsuspecting users input their Battle.net credentials it will definitely result to Battle.net account theft. Battle.net is the central account management for all Blizzard games like World of Warcraft, Starcraft 2, and Diablo III.

In contrast to what we discussed in our previous World of Warcraft post, we observed that recent scamming attempts seem to be targeted at low level characters and not high level or level-capped (Level 85) ones. This may be part of the scam detection avoidance strategy of the bad guys, as high level characters may have more awareness to this security issue as they have spent more time in the game.

We analyzed the malicious domain further and found some great discovery: The same server also hosts other phishing sites targeting World of Warcraft players:

• http://{BLOCKED}p.us-support.net
• http://{BLOCKED}p.wow-support.net
• http://for{BLOCKED}t-eu-wow-account-blizzard.com
• http://for{BLOCKED}t-wow-us-account-blizzard.com
• http://{BLOCKED}a-pandaria.net

The newly discovered malicious websites are using Mist of Pandaria, World of Warcraft, and their corresponding abbreviations in their URLs.

Trend Micro users need not worry about these threats, as they are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.

It is interesting to note that some of the phishing websites were registered just days after Blizzard announced that Mist of Pandaria will be the next World of Warcraft expansion. This clearly shows that the bad guys are up to date and are always in the lookout for events and opportunities to expand their nefarious schemes.

Blizzard on their part have stepped up their security measures. They have published a dedicated security page to help users understand their security commitment; raise awareness on different types of account thefts, highlight a gamer’s security checklist, and a step by step guide on what to do when users suspect that their account is being compromised.

Blizzard also promoted their authenticator (available as an app for iOS and Android devices, and as a keychain fob) by giving away an exclusive World of Warcraft Corehound pet to users availing the authentication services.

We also advice our readers, casual and hardcore gamers alike to view our latest Security and Gaming e-Guide to get helpful tips to help secure their online game experience.

Thanks to Paul Pajares for additional technical details.

In August 2011, we released our Snapshot of Android Threats, which stated that there was a significant increase in the number of Trojanized Android apps and actual malware targeting the Android platform.

In our 12 Security Predictions For 2012, we mentioned that smartphone and tablet platforms, especially Android, will suffer from more cybercriminal attacks.

In our continuous monitoring of this threat, we soon noticed that the problem was growing at an alarming rate. From a mere handful of malicious apps at the start of the year, it skyrocketed to more than a thousand malicious Android apps by the middle of December 2011. The average month-on-month growth rate for the second half of 2011 was more than 60%.

If this growth rate is sustained this year, then 2012 will definitely be an “exciting” year for Android. Why is this so? If current trends hold, we may be able to see more than 120,000 malicious Android apps by December.

There are several factors that are causing this explosive growth:

• The increasing popularity of Android, as highlighted both by the number of total downloaded apps (more than 10 billion via the official Android Market) and the number of users and activations, as stated by Gartner and Google Senior Vice President of Mobile Andy Rubin.
• The openness of the Android app distribution model. Unlike other mobile OSes, users are free to install applications without passing through any filtering process. This lowers the barriers to installing malicious apps considerably.
• The cybercriminal mindset: Bad guys attack where the money is.

2011 already saw a wide variety of threats emerge for Android, as we discussed in our year in review. Android malware is definitely here to stay for 2012.

Like my colleagues, I also attended RSA 2011 Conference in San Francisco last week. As they have shared in their posts on the hackers and threats sessions, I would like to share some of my experiences and learnings on sessions involving social media, spies and security.

Mapping an Organization’s DNA Using Social Media

Abhilash Sonwane of Cyberoam discussed the findings of their research involving 20 random small and medium companies across the globe. His team tracked the social media activities of these companies’ employees via Facebook, Twitter and LinkedIn streams. This was done without employing any malicious tactics such as spear phishing or malware infection.

It is interesting to know that by simply correlating the employees’ social media presence, the researchers were able to map the DNA of the company. By DNA, we pertain to a collection of data like the morale of employees and the company as a whole. This includes sensitive information such as who makes the buying decisions. While such information per se may not be directly related to any kind of threat, it can be used by competitors (and potentially, the bad guys) to their advantage.

My key takeaway from this session is that it is very important for companies to strive to create a balance between the benefits and risks of social media. Companies should have solid social media policies to raise awareness among employees about its proper use and corresponding challenges. Furthermore, to cover both internal and external risks, social media policies should be aligned with technology solutions that security companies offer.

Read the rest of this entry »

Blizzard’s World of Warcraft (more popularly known as WoW) is one of the most popular massively multiplayer online role-playing games (MMORPGs) in the world. With more than 11.5 million subscribers as of 2008, WoW is plagued by a thriving underground online gaming economy.

The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.

An unsuspecting player will receive an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles) that they can avail of by registering at the website that is included in the chat message.

The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password. Read the rest of this entry »