Download - Help Net Security

More documents

Recommendations

Info

On a daily basis, online spammers and hackers are hard at work conjuring up crafty ways to compromise unsuspecting PC users. E-mail inboxes and social networking sites are two popular attack targets. This article looks at a selection of nefarious Internet activity that has made recent headlines, including geolocation and URL shortening e-mail attacks, along with emerging threats plaguing sites like Twitter. In each case discussed below, you will notice that the techniques used by scammers are actually simple by design, but are quite effective and can often have damaging effects. Geolocation In recent months, a malware variant known as Waledac has resurfaced. Believed to be a reincarnation of the infamous Storm Worm, the Waledac worm is embedded in an e-mail attachment and spreads using the infected computer!s e-mailing networks. Waledac has generated several spam campaigns in 2009 - a number of which have featured a technique called geolocation. Geolocation, also known as IP geolocation, is relatively simple. When in action, it looks at the IP address of a person visiting a Web page and cross references that IP address against a database that tells it exactly where the IP address is assigned. The result is a Web page that appears to be customized for you. This is similar to the frequently seen banner ads promoting dating sites, such as “Hot Singles in Kalamazoo are waiting for you,” or something along those lines where “Kalamazoo” would obviously be your city of residence. By utilizing a visitor!s IP address when they arrive at Waledac!s target sites, the information can be customized to appear to be local to the visitor. However, Waledac attacks do not usually wait for the user to download the malicious executable on his or her own. Oftentimes, a hidden iframe on the landing page will begin the download without the need to click any of the links. These domains are always on the same fast flux type of networks that this group has www.insecuremag.com 34
een using since the early days of Waledac, back when it was known as Storm. Although there is no exact science to the timing of Waledac appearances, we have come to expect visits during major holidays based on previous incidents. One example of such a strike occurred during the last week of February 2009. A short e-mail barraged inboxes with a link to the “Couponizer” Web site. In a feigned attempt to soften the economic blow, the “Couponizer” appeared to offer a slew of coupons for deals relevant to the recipient!s locale. One subject line read, “I hope it will be useful for you,” which directed readers to the malicious Web site. Each link on the page, however (which was really just one big link appearing to be many), led to the file download, “sale.exe.” Interestingly, it was not necessary to actually download the file since a hidden iframe - as previously mentioned - pulled malicious binaries from another source, a fast flux site with the name chatloveonline.com. Similarly, the March 2009 St. Patrick!s Day spam campaign featured an attack that personalized its messages with recipients! locales utilizing geolocation. In this case, Waledac wanted its victims to believe that a terror attack had just occurred in their home town. The attack included a fake news story, supposedly from Reuters, that claimed, “At least 12 people have been killed and more than 40 wounded in a bomb blast near market in [insert your town here].” Directly below the Reuters story appeared a video claiming to contain footage of the reported devastation, which, in true spammer fashion, you were told to download the latest version of Flash in order to view it. Instead of Flash, however, a file named Run.exe (malicious payload) was downloaded. Though geolocation is not a difficult task to implement, it is a new and effective touch for Waledac. It would not be a stretch of the imagination to assume Waledac, or any other botnet, may bring this highly effective social engineering tactic back when we are more than sure to see new malware campaigns attempting to get the better of us. ONE CAMPAIGN UTILIZING THIS TECHNIQUE CAME IN WITH A BANG IN JUNE 2009, ARRIVING AT NEARLY 10,000 PIECES PER MINUTE WITH AROUND 18 MILLION PIECES CAUGHT IN APPRIVER FILTERS URL shortening A second effective spammer technique involves URL shortening, which essentially exchanges an original URL for a shorter version. URL shortening is free through services such as ShortURL, TinyURL or Bit.ly, to name a few. When someone clicks on the short URL, the Web site looks up the longer URL and redirects the user to the actual destination. One campaign utilizing this technique came in with a bang in June 2009, arriving at nearly 10,000 pieces per minute with around 18 million pieces caught in AppRiver filters. The attack began as a plain text e-mail promising a financial way out of the current recession and displayed itself in two forms. In one form, it presented a link to a news article supposedly from “The Business News,” and in the other form, it showed “proof” of its authenticity from a concerned friend. In both forms, the e-mails used URL shortening services to provide a unique hyperlink to the Web-based story. The obfuscated links, by means of the shortening services, made it near impossible to block these spam e-mails based on the links themselves. In this way, spammers could keep the landing site on fewer servers and simply mask the redirection to them, thereby decreasing their workload and need for unique Web addresses. In the example mentioned above, when the user follows the short URL, they arrive at a Web page that appears to be a news story titled “Jobs: Is Working Online At Home The Next Gold Rush?” Not only does the story sound compelling, but the fact that the page is www.insecuremag.com 35
Page 5 and 6: VPN management for Linux networks N
Page 7 and 8: Splunk 4 supercharges IT search Spl
Page 9 and 10: Mobile Guardian Enterprise Edition
Page 12 and 13: Integrating the results from a vuln
Page 14 and 15: continuous scans are expensive, the
Page 16 and 17: The fine folks at Origin Storage sh
Page 18 and 19: Further customization There is an a
Page 21 and 22: When you think about celebrities, y
Page 23 and 24: The ultimate guide to Nmap Besides
Page 25 and 26: information wherever it is or where
Page 27 and 28: to externally hosted services that
Page 29 and 30: Practical Intrusion Analysis By Rya
Page 31 and 32: Information Security Management Met
Page 36 and 37: arranged in the same manner that ot
Page 38 and 39: Have you ever left the light, radio
Page 40: With some imagination, they create
Page 43 and 44: The work “Above the Clouds,” pu
Page 45 and 46: Second, using cloud services betwee
Page 47 and 48: "My IT department came to me with a
Page 49: As expected, cybercrime is soaring
Page 52 and 53: Authors: Felicia Donovan, Kristyn B
Page 55 and 56: In light of recent wireless breache
Page 57 and 58: Myth #4 - We have upgraded all of o
Page 59 and 60: Recent studies show that securing t
Page 61: Another best practice to protect an
Page 64 and 65: malicious users. Other attacks exis
Page 66 and 67: Web Application Frameworks An ideal
Page 68: IT Showcase Asia 2009 6 October-7 O
Page 71 and 72: model (80 percent) for the creation
Page 73 and 74: The case for authentication The rea
Page 75 and 76: In a least privilege computing envi
Page 77 and 78: seriousness of the security threat
Page 80 and 81: Today!s IT security professionals e
Page 82 and 83: sensitive customer data, such as e-
Page 84 and 85:
Whether driven by data security man
Page 86 and 87:
Intelligent routing also includes a
Page 89 and 90:
PE Explorer (www.net-security.org/s
Page 91 and 92:
Policy Policy is an overused word,
Page 93 and 94:
with insiders. With malware, at lea
Page 96 and 97:
This article discusses the impact o
Page 98 and 99:
According to the Californian law, p
Page 100 and 101:
lost or stolen, but also for import
Page 103 and 104:
It!s a common scenario right now, p
Page 105:
3. How quickly can you and your IT
Page 108 and 109:
Manage network security Attacks on
Page 110 and 111:
Endpoint or host security is critic
show all

Download - Help Net Security

Create successful ePaper yourself

Delete template?

Save as template?