SIRT Roundtable: Recognizing Email Scams (1)
Post on 04-Jun-2018
8/13/2019 SIRT Roundtable RecogniziscamngEmailScams(1)
http://slidepdf.com/reader/full/sirt-roundtable-recogniziscamngemailscams1 1/47
Recognizing Email Scams
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
December 4, 2009
Agenda
The problem – why should we care?
Types of email scams
Recent examples at K-State and why they tricked so many people
Characteristics of scam emails – things to look for and tools to help
How to determine if a web link is safe
How to evaluate email attachments
Reporting scams or other malicious emails
Useful information sources
Q&A
Many vectors for attack
Vulnerable operating system (i.e., Windows)
Vulnerable applications
Hackers scanning our network from outside or inside the campus network
Passwords stolen by a key logger
USB flash drives
Malicious web links, even sponsored ads at the top of a Google search
Malicious Facebook ads
Extra goodies in P2P downloads
Instant messaging
Redirected DNS queries
Hijacked duplicate web site
Phishing email
Malicious web links in an email
Email attachments
What’s the big deal?
130+ K-State computers infected in November when people opened malicious email attachments – the same emails that hit campus in July and infected 100+ computers
289 spear phishing scams at K-State thus far in 2009, resulting in 421 compromised email accounts used to send spam
These forms of “social engineering” are currently one of the most effective ways to compromise a computer and steal financial or personal identity information
Information loss/theft (personal, institutional, passwords, acct info)
Identity theft
Financial fraud
It doesn’t just affect you
When stolen K-State email accounts are used to send spam, K-State is seen as a spam source and sometimes ends up on spam block lists, such that ALL email from K-State to those email providers is blocked (examples include Hotmail, Gmail, Comcast, AT&T, Road Runner…) – a huge headache for faculty-student communication
Compromised computers become part of a “botnet” used for illegal purposes
A recent compromised K-State computer became a “botnet controller” that controlled 12,000 other compromised computers around the world
Compromised computers are used to send spam, host scam web sites, spread malware, steal data, launch denial of service attacks, etc.
One careless mouse click can affect thousands of other people, not just yourself
What’s the big deal?
Tactics are constantly changing, so you can’t let down your guard
Malware is constantly changing, so anti-virus software can’t always prevent infection
Technology can’t stop them all – you, the user, are critically important in our security defenses
Definitions
Malware – malicious software
Virus, Worm, Trojan, etc. – types of malware; specific definitions not that important now; “virus” sometimes used as a catch-all for malware
Keylogger – watches your keystrokes and intercepts data of interest; often sends it to the perpetrator. Typically looks for things like username/password, bank account info, credit card info
Rootkit – malware that tries to hide the fact that it compromised the computer. Think of it as stealth malware.
Spyware – watches your online activity and sends information about you or your habits to others w/o your informed consent
Adware – automatically displays ads on your computer, usually in annoying pop-ups
Scareware – tries to trick you into buying something of little or no value using shock, anxiety or threats (like Anti-virus 2008/2009). Common tactic is to claim your computer is infected and you have to buy their software to clean it up.
Scareware examples (screenshot slide)
Definitions
Phishing – attempt to acquire sensitive information by posing as a legitimate entity in an electronic communication
Spear phishing – phishing that targets a specific group
Social engineering – manipulating or tricking people into divulging private information
Spam – unsolicited or undesired bulk email/messages
Spear phishing example that targets K-State (screenshot slide)
Let’s look at some examples
Check the IT Security Threats blog for examples of spear phishing scams: threats.itsecurity.k-state.edu
Analysis of actual scams received by people at K-State
Most effective spear phishing scam (screenshot slides)
Most effective spear phishing scam
At least 62 replied with their password, 53 of which were used to send spam from K-State’s Webmail
Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen
Note characteristics:
“From:” header realistic: "Help Desk" <helpdesk@k-state.edu>
Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”
Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”
Asks for “K-State eID” and password
Plausible story (accounts compromised by spammers!!)
Another effective spear phishing scam
This one also tricked 62 K-Staters into giving away their eID password (screenshot slide)
How to identify a scam
General principles:
Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
Use common sense and logic – if it’s too good to be true, it probably is.
Think before you click – many have fallen victim due to a hasty reply
Be paranoid
Don’t be timid about asking for help from your IT support person or the IT Help Desk
How to identify a scam
Characteristics of scam email:
Poor grammar and spelling
Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
It asks for private information like a password or account number
The message contains a link where the displayed address differs from the actual web address
It is unexpected (you weren’t expecting Joe to send you an attachment)
The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password, which is signed “Webmail administrator”
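Several of the characteristics above can be checked mechanically from the "full headers" and HTML body of a message. The following is an added example, not code from the deck or from K-State: it parses a constructed sample modelled on the Webmail account update scam (the Reply-To address, link target and wording are made up), then flags a From address outside ksu.edu/k-state.edu, a Reply-To that goes somewhere other than the From domain, a request for a password, and any link whose displayed address differs from the address it actually points to. The trusted-domain list is an assumption for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that mail from K-State IT support would legitimately use (from the deck).
TRUSTED_DOMAINS = ("ksu.edu", "k-state.edu")

# Constructed sample modelled on the "Webmail account update" scam the deck describes.
# The Reply-To address, the link target and the body text are made up for this example.
SAMPLE_MESSAGE = """\
From: "Help Desk" <helpdesk@k-state.edu>
Reply-To: webmail-admin@example-freemail.invalid
Subject: KSU.EDU WEBMAIL ACCOUNT UPDATE
Content-Type: text/html

<p>Your Webmail account will be closed unless you confirm your K-State eID and
password at <a href="http://192.0.2.10/login.php">http://webmail.k-state.edu</a>.</p>
<p>Webmail administrator</p>
"""


class LinkCollector(HTMLParser):
    """Collect (displayed text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mail_domain(address):
    """Domain part of an address, lower-cased ('' if there is no @)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(domain):
    """True when the domain is one of the trusted domains or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def link_host(text):
    """Host name of a URL, or '' when the text is not a URL at all."""
    return (urlparse(text).hostname or "").lower()


def analyse_message(raw):
    """Apply the deck's header and link checks to a raw message with full headers.
    Returns a list of human-readable warnings; an empty list means no red flag matched."""
    msg = message_from_string(raw)
    warnings = []

    from_domain = mail_domain(parseaddr(msg.get("From", ""))[1])
    if not is_trusted(from_domain):
        warnings.append(f"From address is not a ksu.edu/k-state.edu address: {from_domain!r}")

    if msg.get("Reply-To"):
        reply_domain = mail_domain(parseaddr(msg["Reply-To"])[1])
        if reply_domain != from_domain:
            warnings.append(f"Reply-To goes to {reply_domain!r}, not to the From domain {from_domain!r}")

    # Single-part message: the payload is the HTML body itself.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\bpassword\b", body, re.IGNORECASE):
        warnings.append("message asks for a password")

    collector = LinkCollector()
    collector.feed(body)
    for shown, href in collector.links:
        shown_host, real_host = link_host(shown), link_host(href)
        if shown_host and shown_host != real_host:
            warnings.append(f"link text shows {shown_host!r} but actually points to {real_host!r}")
    return warnings


if __name__ == "__main__":
    for line in analyse_message(SAMPLE_MESSAGE):
        print("WARNING:", line)
```

Running it on the sample produces three warnings (the Reply-To mismatch, the password request and the link whose text names webmail.k-state.edu while the href points at 192.0.2.10); the realistic From header passes, which is exactly why the deck says the From line alone is not enough to trust.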
How to identify a scam
Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
They take advantage of epidemics or health scares, like the H1N1 scam currently making the rounds
Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
Hackers are very good at imitating legitimate email – they will use official logos, some links in the email will work properly, but one link is malicious
Real K-State Federal Credit Union web site vs. fake K-State Federal Credit Union web site used in a spear phishing scam (screenshot slide)
Can I click on this?
Watch for a displayed URL (web address) that does not match the actual one:
displayed: http://update.microsoft.com/microsoftupdate
actual: http://64.208.28.197/ldr.exe
Beware of a link that executes a program (like ldr.exe above)
Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html
Some even use hexadecimal notation for the IP: http://0xca.0x27.0x30.0xdd/www.irs.gov/
Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/
Can I click on this?
Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
From: Capital One bank <cservice@capitalone.com>
URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan: (screenshot)
Can I click on this?
Beware of domains from unexpected foreign countries:
Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
Lithuania: http://kateka.lt/~galaxy/card.exe
Hungary: http://mail.grosz.hu/walmart/survey/
Romania: http://www.hostinglinux.ro/
Russia: http://mpo3do.chat.ru/thanks.html
MANY scams originate in China (country code = .cn)
Country code definitions available at: www.iana.org/domains/root/db/index.html
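The URL red flags on the last three slides (numeric or hex-dotted IP hosts, links that fetch a program, a familiar domain name glued inside an unrelated host or buried in the path, and unexpected country codes) can be turned into a small checker. This is an added example, not the deck's or K-State's code: the brand list, the extension list and the country-code list are assumptions chosen to match the slides, and the "generic label inside the host" test is a rough heuristic, not a replacement for a public-suffix lookup. It is run here against the deck's own example URLs.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Extensions the deck lists as programs a link should never download or run.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".msi", ".js")
# Brands the deck cites as commonly impersonated (assumed list for this example).
WATCHED_BRANDS = ("microsoft.com", "capitalone.com", "irs.gov", "paypal.com")
# Country codes the deck names as unexpected origins for mail from US companies.
UNEXPECTED_CCTLDS = {"kg", "pk", "lt", "hu", "ro", "ru", "cn"}
# Generic top-level labels; one of these *inside* a host name means a familiar-looking
# name has been stuck in front of some other domain (capitalonebank.com.mj.org.kg).
GENERIC_TLDS = {"com", "net", "org", "gov", "edu"}

HEX_DOTTED_IP = re.compile(r"^(0x[0-9a-f]{1,2}\.){3}0x[0-9a-f]{1,2}$", re.IGNORECASE)


def literal_ip(host):
    """Dotted-decimal form of *host* if it is a numeric IP (decimal or hex-dotted), else None."""
    if HEX_DOTTED_IP.match(host):
        return ".".join(str(int(part, 16)) for part in host.split("."))
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def analyse_url(url):
    """Apply the deck's 'Can I click on this?' heuristics to one URL.
    Returns a list of warnings; an empty list means none of the red flags matched."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    last_segment = path.rstrip("/").rsplit("/", 1)[-1]
    warnings = []

    ip = literal_ip(host)
    if ip:
        warnings.append(f"host is a numeric IP address ({ip}) instead of a domain name")

    if last_segment.endswith(EXECUTABLE_EXTENSIONS):
        warnings.append(f"link fetches a program: {last_segment}")

    # Label checks only make sense for real host names, not IP literals.
    labels = [] if ip else host.split(".")
    if labels and labels[-1] in UNEXPECTED_CCTLDS:
        warnings.append(f"domain is registered under the .{labels[-1]} country code")

    inner = sorted(set(labels[:-1]) & GENERIC_TLDS)
    if inner:
        warnings.append(f"'{', '.join(inner)}' appears inside the host name; "
                        "the real domain is whatever follows it")

    for brand in WATCHED_BRANDS:
        if brand in path:
            warnings.append(f"legitimate name {brand} appears in the path, not in the host")
        elif brand in host and not (host == brand or host.endswith("." + brand)):
            warnings.append(f"legitimate name {brand} is embedded in the unrelated host {host}")
    return warnings


if __name__ == "__main__":
    for sample in (
        "http://64.208.28.197/ldr.exe",
        "http://0xca.0x27.0x30.0xdd/www.irs.gov/",
        "http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/",
        "http://towernet.capitalonebank.com.mj.org.kg/onlineform/",
        "https://www.microsoft.com/en-us/",
    ):
        print(sample, "->", analyse_url(sample) or ["no red flags"])
```

The hex-dotted example decodes to 202.39.48.221, which is the value a browser would actually connect to; showing the decoded address is what makes the warning useful to someone who only sees "0xca.0x27...". None of these checks proves a link is safe: the deck's next slide (reputation lookups at Trend Micro or SiteAdvisor) is the right follow-up for a URL that passes them.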
Can I click on this?
Analyze web links without clicking on them by copying the URL and testing it at these sites:
Trend Micro’s Web reputation query – reclassify.wrs.trendmicro.com/wrsonlinequery.aspx
McAfee SiteAdvisor (enter the URL on this web page – you don’t have to install their software): www.siteadvisor.com/
Can I click on this?
Watch for malicious URLs cloaked by URL shortening services like:
TinyURL.com
Bit.ly
CloakedLink.com
Can I click on this?
TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See http://tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
Bit.ly has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious: addons.mozilla.org/en-US/firefox/addon/10297
Can I click on this? (screenshot slide)
Trend Micro Web Reputation Services is your friend (screenshot slide)
So are the anti-phishing/malware features in Firefox and IE (screenshot slide)
Evaluating attachments
Saving it to your desktop without opening it or executing it is usually safe
If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)
If not detected, it is either OK or a new variant of malware
Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)
If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 39 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d
Evaluating attachments
If it is still undetected and obviously malicious because of the email it was attached to, submit it to K-State’s IT security team at www.k-state.edu/its/security/report/ so we can send it to Trend Micro for analysis
Contact the sender to verify they sent it
Ignore or delete it if it’s not expected or important
Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems
Potentially dangerous file types include .exe, .zip (depending on file types in the .zip archive), .msi, .pif, .scr, .js, and even .pdf and (rarely) .doc
Example of malicious email attachments
Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
Many more reports soon followed from around the world implicating many K-State IP addresses
Many K-Staters started reporting receipt of the malicious emails too
At least 113 K-State computers were infected/compromised when people opened the malicious attachment
Was a new variant of malware, so Trend Micro OfficeScan did not detect it initially
What happened?
Four different emails with the following subjects:
Shipping update for your Amazon.com order 254-78546325-658742
You have received A Hallmark E-Card!
Jessica would like to be your friend on hi5!
Your friend invited you to twitter!
Three (somewhat) different attachments:
Shipping documents.zip
Postcard.zip
Invitation card.zip
At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
“attachment.pdf .exe”
“attachment.htm .exe”
“attachment.chm .exe”
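The padded file names above, and the "executable inside a .zip" warning on the Evaluating attachments slide, are things a script can spot from the archive's member list alone, without extracting or opening anything. This is an added example, not code from the deck or from K-State: it builds a harmless in-memory archive shaped like the "Postcard.zip" described above (member names and contents are constructed; no real malware is involved), then reports any member with a dangerous real extension, a run of spaces before that extension, or a misleading double extension, along with the SHA-256 you would use to look the file up at a scanner such as VirusTotal. The extension list is taken from the slide's "potentially dangerous file types".

```python
import hashlib
import io
import re
import zipfile

# File types the deck flags as potentially dangerous when they arrive inside a .zip.
DANGEROUS_EXTENSIONS = {".exe", ".msi", ".pif", ".scr", ".js"}


def build_sample_archive():
    """Construct an in-memory archive shaped like the deck's "Postcard.zip": one member
    whose name pads "attachment.pdf" with spaces before a real ".exe" extension, plus a
    harmless text file. Names and contents are made up; nothing here is a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 60 + ".exe", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def inspect_archive(data):
    """Look at the member names of a zip archive without extracting or running anything.
    Returns a list of (member name, reasons, sha256) for members that look dangerous;
    the digest is what you would look up or submit at an online scanner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1].lower() if len(parts) > 1 else ""
            reasons = []
            if ext in DANGEROUS_EXTENSIONS:
                reasons.append(f"real extension is {ext}")
            # Two or more blanks right before the last extension: the trick the deck describes,
            # which pushes ".exe" out of view in a narrow file-listing column.
            if re.search(r"\s{2,}\.[A-Za-z0-9]+$", base):
                reasons.append("run of spaces before the final extension hides it in file listings")
            if len(parts) > 2:
                reasons.append(f"double extension: looks like .{parts[1].strip()} but ends in {ext}")
            if reasons:
                # Read the bytes only to hash them; they are never written to disk or executed.
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings.append((info.filename, reasons, digest))
    return findings


if __name__ == "__main__":
    for name, reasons, digest in inspect_archive(build_sample_archive()):
        print(repr(name))
        for reason in reasons:
            print("  -", reason)
        print("  sha256:", digest)
```

On the sample archive only the padded member is reported, with all three reasons; readme.txt passes. The same function works on a real attachment saved to the desktop as the slide suggests (read its bytes and pass them in), and the digest it prints is the value to search for before deciding whether to submit the file.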
What happened?
Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies
July 29 and August 7 – similar attacks with new variants of the malware that escaped anti-virus detection
AGAIN (!!) on Nov. 5 – same four emails, new variant of malware, infected 130+ K-State computers
Why was it so effective?
Used familiar services: Amazon.com, Hallmark eCard greeting
Sensual enticement (“Jessica would like to be your friend on hi5!”)
Somewhat believable replicas of legitimate emails
Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)
Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
New variant that spread quickly, so initial infections were missed by antivirus protection
I was too slow submitting samples to Trend (better the second and third time around)
Malware/attachment filtering in Zimbra did not stop it
Been a long time since an attack came by email attachment, so people were caught off-guard
Screenshot slides (not reproduced in the transcript):
Malicious Hallmark E-Card
Legitimate Hallmark E-Card
Malicious Amazon Shipping Notice
Legitimate Amazon Shipping Notice
Malicious Invitation
Legitimate Invitation
What can we do?
Remember – Hallmark, amazon.com, Twitter, etc. do not send info in attachments
Don’t open an attachment unless you are expecting it and have verified with the sender
Analyze attachments before opening them
Think before you click
Be paranoid!
Reporting scams
Send spear phishing scams that target K-State specifically to abuse@ksu.edu
Send them with “full headers” (in webmail: highlight the message, right click, select “Show Original”, copy everything in the resulting window and paste it into an email to abuse@ksu.edu)
To get full headers in other email clients: www.haltabuse.org/help/headers/index.shtml
Don’t send generic run-of-the-mill scams to abuse@ksu.edu unless it’s something particularly threatening to K-Staters
Reporting scams
Submit suspicious files/attachments to www.k-state.edu/its/security/report/ (don’t try to send them in email since they may get filtered)
Can report scams/fraud/crimes to the federal government:
FBI’s Internet Crime Complaint Center – www.ic3.gov/
FTC’s OnGuardOnline – www.onguardonline.gov/file-complaint.aspx
ALWAYS report suspected child pornography to the police (K-State or Riley County)
Useful sources of information
Google – search for a unique phrase in the suspected scam to see what others are reporting about it
Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
K-State’s IT security web site, updated regularly: SecureIT.k-state.edu
Current threats and spear phishing scams posted on K-State’s IT threats blog: threats.itsecurity.k-state.edu/
What’s on your mind?