LinkedIn Blackhole Spam Fails the Smell Test
Looks like someone’s spam campaign got up on the wrong side of the bed this morning: A badly malformed message appears to be trying to convince the reader it originates with LinkedIn, the business-centric social network.
There is hardly any message at all: the spam body consists entirely of the string ReportIDA161580AD75, followed by a goo.gl shortlink. The laughable pidgin-English quality of the spam’s subject line, “last login was Failed xxxxxxxxxxxxx”, breaks the illusion completely. The fact that whoever sent this didn’t even try to mask the message’s true origin (a Yahoo mail account) just makes this kind of sad, really.
And yet, on any campaign such as this, some people will be taken in by this phony, broken-down soundstage of a ruse, peeling paint and all. When that happens, and those likely victims click the wrong link in the wrong spam, on a computer with a vulnerable browser, quickly enough to hit the malicious Web site while it’s still online, well, it’s a bit like this.
Digitally Signed Rogues: As Dumb As The Rest
Both the installer and payloads of a rogue system utility named System Restore (a type of fraudulent software that, in this case, is named exactly like the Windows system utility) sport an unusual characteristic: a digital signature. Digitally signed Trojans such as these are less rare than they used to be, but still unusual, so it was notable that the entire soup-to-nuts infection package being delivered to victims since November uses signed executables.
The rogue installer was delivered by a spam email claiming to originate with the US postal service. The message’s attachment is, allegedly, a PDF document with details about a failed delivery. Of course, as you can see at right, the “PDF documents” are just executable files with an Adobe Reader icon (from the Adobe Reader program, not the icon used by a real PDF document).
One theory that attempts to explain why they’d go to the trouble goes something like this: Some network admins set security policies that only permit digitally-signed executable files to traverse the networks they control. But these policies don’t actually check the validity of the certificates, only that the code itself is signed. Therefore, even invalidly-signed code could, in this hypothetical situation, bypass this rudimentary policy check.
I’m not sure I buy into that. I want to believe that CSOs and IT admins know that such a policy is brain-dead, but you have to assume there’s a reason the malware creator would go to the trouble to generate crypto keys and go through the signing process. However, because we’re talking about subgenius-class malware creators here, it’s not as if this new “feature” bypasses any real security checks. In fact, the certificate is demonstrably false, but it’s only clear this is the case if you go looking for the information.
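The distinction the post draws, between code that merely carries a signature and code whose signature Windows actually validates, is the one a file-admission policy has to make. The following PowerShell function is an added example (not from the original post) that reports both properties side by side; the download path and the publisher thumbprint allow-list are placeholders you would fill in.

```powershell
# Added example: vet executables on "validly signed", not merely "signed".
function Test-TrustedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedPublisherThumbprints = @()   # placeholder allow-list
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # The naive policy described above stops here: "is there a signature at all?"
    $merelySigned = $sig.Status -ne 'NotSigned'

    # The check that matters: the signature verified AND the certificate chains
    # to a trusted root. A home-made certificate yields 'NotTrusted'; a file
    # modified after signing yields 'HashMismatch'.
    $validChain = $sig.Status -eq 'Valid'

    $subject = $null
    $pinnedPublisher = $false
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $pinnedPublisher = $AllowedPublisherThumbprints -contains $sig.SignerCertificate.Thumbprint
    }

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status
        MerelySigned   = $merelySigned
        ValidChain     = $validChain
        KnownPublisher = $pinnedPublisher
        Subject        = $subject
        # Admit only on a valid chain; if an allow-list is given, also require a pinned publisher.
        Admit          = $validChain -and ($AllowedPublisherThumbprints.Count -eq 0 -or $pinnedPublisher)
    }
}

# Usage: list files that would pass the naive "is it signed?" policy but fail the real one.
# The directory is an assumption for the example.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-TrustedSignature -Path $_.FullName } |
    Where-Object { $_.MerelySigned -and -not $_.ValidChain } |
    Format-Table Path, Status, Subject -AutoSize
```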
Security Resolutions for 2012 and Beyond
Welcome back to the office, everyone (except postal and some bank workers). The first Monday after the new year is a great time to jot down a quick list of business-related resolutions. You can even put them into your calendar app, if you’re so inclined, to give yourself an extra nudge.
Here are my (security-themed) new year’s resolutions for 2012:
- I’ll change my passwords at least once a month
This one could be tough, though not to remember: I’m going to schedule the reminder in my phone’s calendar. For my own sake, the password itself has to meet some stringent standards, including a minimum length and some diversity of character types. What’s tough is the sheer number of passwords this entails. I already use a different password for each of my various online accounts, but the idea of changing them all, so often, seems daunting.
It has to be done, but fortunately, you don’t have to do it alone. In my case, I’m also going to rely heavily on a biometric finger scanner, helpfully preinstalled in the bezel of my laptop, and some third-party password manager software to keep up. You could also use a password manager like KeePass, which can assign each password an optional “best before” date, to keep you honest.
I’m doing this today, so listen up, any criminals who might have been handed on a platter (ahem, stolen) or audio-captcha-cracked any of my ‘victim test account’ passwords: use ‘em if you got ‘em.
A Visit from Cyber Nicholas
’Twas the night before Christmas, and all over the ‘net
hardly a packet was stirring; Well…’bout 6 gigs a sec.
The Internet background noise whizzes nonstop
– even after the last Admin has punched off the clock.
But buried deep in that noise was a stray protocol.
A command-and-control message within the firewall.
A lone zombie replies to a ping and chirps out
secret signals, to a group who carry some clout.
Legion elves, running ops, scan the networks they’ve pwned;
Seek out mischief, find the troublemakers entrenched in their zones.
With this singular mission they tap at their keys,
and run nmap with umit, and Nessus, as they please.
While sniffing the wires and logging results,
the elf Red Team trades barbs and exchanges insults.
Not with other elves, but with their botmaster rivals,
who work feverishly to pump out some network denials.
For the malware guys knew Santa’s spies were inside,
and they knew their activities they couldn’t hide.
The fat man frowns on phishing, spam attacks,
and false accusations of unpaid income tax.
The bad guys fired off withering DDoS volleys
hoping their adversaries wouldn’t recover from the follies.
But the wily elves weren’t put off by that distraction,
and launched, in return, their own group action:
A packet flood of Christmas cheer so profound
it drove the cybercriminals deeper underground.
It killed all their malware, delisted bad ISPs,
and brought the miscreant operators to their knees.
And today we give thanks to those noble cyberelves,
who took it upon their little elf-hatted selves
to do battle with bad nerds in the middle of the night,
so we could sleep soundly, for once, and with no end in sight.
– Andrew Brandt
(with apologies to Clement Clarke Moore)
If you know me, you know I’m not really prone to spreading security FUD. I’ve been asked to prognosticate a bit about the near-term future, and I have to say, without intending to sound like a fearmonger, the next year is shaping up to be pretty messy from a security perspective. I have a hard time finding any silver linings to the massive storm clouds that seem to hang all around and on top of us.
Right now, the climate for attacks is just brutal. Based on what I’ve been seeing since Halloween, if the pace and volume of attacks keep up, the coming year doesn’t look like it’s going to be pretty. Rampant spam-driven attacks, multiple manifestations of classic social engineering scams, corporate espionage, and malware malware malware look to be on the table for 2012. It was hard to winnow my worst-of-the-worst list down to only five items, but I had to draw the line somewhere, and it seems like a nice, round number.
So, with that in mind, click through the jump to read my top five threats to watch for in 2012.
Someone in the office stumbled upon the domain name Firefox.io and passed the info along to me. Apparently, the person had mistyped the domain name of a Web site (one unrelated to Firefox), adding an additional character. The domain he ended up on was parked (registered but unused); however, one of the ads that loaded on the parked page opened a popunder ad, which redirected his browser to a page on Firefox.io.
This is what he found. I dunno…looks bogus to me. It resembles a really, really out of date Firefox installer download page.
The .io top-level domain, by the way, belongs to the British Indian Ocean Territory, and is administered from a charming village in England. At least, that’s where they pick up their mail. Not so with Firefox.io.
We’re putting out a warning today to business owners and employees of both large and small businesses that spammers are now targeting you for infection with malware. In the past few days, we’ve seen a number of email messages in the guise of reports from the Better Business Bureau that claim a complaint has been filed against the email recipient’s company. A link in the message points to drive-by download sites which use a number of different exploits against your computer’s browser and other applications to force the computer to download and execute a Trojan installer.
The messages started showing up in inboxes this week, “signed with the address of the Council of Better Business Bureaus, the national office of the BBB system,” says the BBB announcement, and from email addresses the BBB does not use, such as risk.manager@bbb.org or manager@bbb.org. The messages, which sometimes include a fictitious case number in the subject line, deliver the following example of complete tripe:
Subject: BBB Complaint activity report
The Better Business Bureau has been filed the above-referenced complaint from one of your associates concerning their business relations with you.
The details of the consumer’s concern are explained in enclosed file.
Please give attention to this issue and inform us about your standpoint.
We encourage you to click here to answer this complaint.We look forward to your prompt response.
Seriously? The Better Business Bureau has been filed the above-referenced complaint? How’d they get that whole agency into a file cabinet? And does the so-called complaint come from “one of [my] associates” or a “consumer?” This spam has more grammatical fail per square inch than I’ve seen in a while.
Looking more closely at the linked “click here” text, it’s clear that the URL does not point to the BBB.org Web site, but to one of a number of IP addresses or unrelated domain names. The URL path almost always contains six random alphanumeric characters, another giveaway.
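The two giveaways just described, a link host that is not under the claimed organisation’s domain (or is a bare IP address) and a six-character random path segment, can be checked mechanically before anyone clicks. This PowerShell function is an added example, not code from the original post; the sample hrefs are constructed and are not indicators from the actual campaign.

```powershell
# Added example: flag a link in a "BBB" message that does not land on bbb.org,
# or that carries the six-character random path segment the spam used.
function Test-SuspiciousLink {
    param(
        [Parameter(Mandatory)] [string] $Href,
        [Parameter(Mandatory)] [string] $ClaimedDomain   # e.g. 'bbb.org'
    )
    $reasons = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($Href, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Href = $Href; Suspicious = $true; Reasons = @('unparseable URL') }
    }
    # The host must be the claimed domain or a subdomain of it; 'bbb.org.example.net' is neither.
    $linkHost = $uri.Host.ToLowerInvariant()
    if ($linkHost -ne $ClaimedDomain -and -not $linkHost.EndsWith(".$ClaimedDomain")) {
        $reasons += "host '$linkHost' is not under $ClaimedDomain"
    }
    # A bare IP address as the host was the other pattern seen in this campaign.
    if ($uri.HostNameType -in 'IPv4', 'IPv6') { $reasons += 'host is an IP literal' }
    # A path segment of exactly six alphanumerics, e.g. /k7Qw2z/ or /Ab12cD.html
    if ($uri.AbsolutePath -match '(^|/)[A-Za-z0-9]{6}(/|\.|$)') {
        $reasons += 'six-character random path segment'
    }
    [pscustomobject]@{ Href = $Href; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample links (203.0.113.0/24 is a documentation range), not real indicators.
$samples = @(
    'http://www.bbb.org/complaints/view',
    'http://203.0.113.10/k7Qw2z/index.php',
    'http://bbb.org.example.net/Ab12cD/',
    'http://example.org/help/contact'
)
$samples | ForEach-Object { Test-SuspiciousLink -Href $_ -ClaimedDomain 'bbb.org' } |
    Format-Table Href, Suspicious, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -AutoSize
```

Only the first sample comes back clean; the six-character rule is a heuristic and will also match ordinary six-letter words, so treat it as one signal among the others rather than a verdict on its own.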
A spam campaign currently underway links unsuspecting recipients to drive-by attack Web sites. Those sites are responsible for the distribution of a predictable panoply of malware, using exploits. US-CERT, the Internet incident first-responders in the US, decided to issue a warning about the spam because they’ve been getting reports about it, too.
The messages allege that some form of electronic payment made by the recipient has not passed muster with an agency of dubious nomenclature: It runs a number of variations on “The Electronic Payments Association,” with the space characters between those words, and others in the message subject and body, replaced with underscores and/or hyphens, at random intervals. The gist of the message: Some sort of Internet purchase or electronic payment has failed, and “The details regarding this matter are available in our secure section.” Indeed. My advice? Leave other people’s secure sections alone.
The campaign, which I’ve seen for less than a week, links to the malicious pages using Google’s own link-shortening service, goo.gl. They don’t remain active for very long — Google has been, to its credit, actively policing its service for this kind of abuse — but if you are unfortunate (or, in my case, fortunate) enough to click one of the links while it’s still live, the site hosting the exploits pushes a malicious executable down to your computer in less than 30 seconds. Beat that, Memphis Raines!
As another Thanksgiving rolls around, I’d like to take a moment to give thanks for the things that make my life and work a little easier. So, thank you, cybercriminals, for having so little ability to craft an original scam or thought. The fact that you’re using tired, hackneyed social engineering scams in your attempt to infect computers with malware makes it far easier for everyone to identify those same boring, repetitive attacks—and avoid them. Your laziness and sloppy consistency is a gift.
For the past several weeks, we’ve been watching the criminals rev up their activities with email spam and exploit kits. You might recognize some of the names of companies referenced in the spam email we’ve been receiving: The trade association NACHA; UPS, DHL, the US postal service (whose initials, USPS, these criminal masterminds cannot help but confuse with UPS); and online stores like Athleta and YesAsia.
Regifting: It’s what the cybercriminals are doing this holiday season.
While all of the scam messages eventually lead to an infection, some of the messages contain Zip attachments, while others appear to link to documents on external Web sites. In most cases, the messages appear to be a confirmation that you’ve ordered something online and either (a) your “order” has gone through, (b) your “order” has shipped, or (c) your credit card transaction (usually for a high-ticket item) has been cancelled.
Of course, at this time of year, it’s far easier for the average person to mistake one of these malicious emails for a real one, which is why it seems to always ramp up around the holidays. As always, it pays to use a little caution and closely scrutinize any email’s links, especially when you didn’t order the thing(s) the message says you did, and avoid opening those Zip attachments.