Recognizing Email Scams
SIRT IT Security Roundtable

Harvard Townsend
Chief Information Security Officer
[email protected]
December 4, 2009

Jun 04, 2018


Agenda

The problem – why should we care?

Types of email scams

Recent examples at K-State and why they tricked so many people

Characteristics of scam emails – things to look for and tools to help

How to determine if a web link is safe

How to evaluate email attachments

Reporting scams or other malicious emails

Useful information sources

Q&A


Many vectors for attack

Vulnerable operating system (i.e., Windows)

Vulnerable applications

Hackers scanning our network from outside or inside the campus network

Passwords stolen by a key logger

USB flash drives

Malicious web links, even sponsored ads at the top of a Google search

Malicious Facebook ads

Extra goodies in P2P downloads

Instant messaging

Redirected DNS queries

Hijacked duplicate web site

Phishing email

Malicious web links in an email

Email attachments


What’s the big deal?

130+ K-State computers infected in November when people opened malicious email attachments – the same emails that hit campus in July and infected 100+ computers

289 spear phishing scams at K-State thus far in 2009 resulting in 421 compromised email accounts used to send spam

These forms of “social engineering” are currently one of the most effective ways to compromise a computer and steal financial or personal identity information

Information loss/theft (personal, institutional, passwords, acct info)

Identity theft

Financial fraud


It doesn’t just affect you

When stolen K-State email accounts are used to send spam, K-State is seen as a spam source and sometimes ends up on spam block lists such that ALL email from K-State to those email providers is blocked (examples include Hotmail, Gmail, Comcast, AT&T, Road Runner…) – a huge headache for faculty-student communication

Compromised computers become part of a “botnet” used for illegal purposes

A recent compromised K-State computer became a “botnet controller” that controlled 12,000 other compromised computers around the world

Compromised computers are used to send spam, host scam web sites, spread malware, steal data, launch denial of service attacks, etc.

One careless mouse click can affect thousands of other people, not just yourself


What’s the big deal?

Tactics constantly changing so can’t let down your guard

Malware constantly changing so anti-virus software can’t always prevent infection

Technology can’t stop them all – you, the user, are critically important in our security defenses


Definitions

Malware – malicious software

Virus, Worm, Trojan, etc. – types of malware, specific definitions not that important now; “virus” sometimes used as a catch-all for malware

Keylogger – watches your keystrokes and intercepts data of interest; often sends it to the perpetrator. Typically looks for things like username/password, bank account info, credit card info

Rootkit – malware that tries to hide the fact that it compromised the computer. Think of it as stealth malware.

Spyware – watches your online activity and sends information about you or your habits to others w/o your informed consent

Adware – automatically displays ads on your computer, usually in annoying pop-ups

Scareware – tries to trick you into buying something of little or no value using shock, anxiety or threats (like Anti-virus 2008/2009). Common tactic is to claim your computer is infected and you have to buy their software to clean it up.


[Slide image: Scareware examples]


Definitions

Phishing – attempt to acquire sensitive information by posing as a legitimate entity in an electronic communication

Spear phishing – phishing that targets a specific group

Social engineering – manipulating or tricking people into divulging private information

Spam – unsolicited or undesired bulk email/messages


[Slide image: Spear phishing example that targets K-State]


Let’s look at some examples

Check IT Security Threats blog for examples of spear phishing scams: threats.itsecurity.k-state.edu

Analysis of actual scams received by people at K-State


[Slide image: Most Effective Spear Phishing Scam]


Most effective spear phishing scam

At least 62 replied with password, 53 of which were used to send spam from K-State’s Webmail

Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen

Note characteristics:

“From:” header realistic: "Help Desk" <[email protected]>

Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”

Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”

Asks for “K-State eID” and password

Plausible story (accounts compromised by spammers!!)


Another effective spear phishing scam

This one also tricked 62 K-Staters into giving away their eID password


How to identify a scam

General principles:

Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!

Use common sense and logic – if it’s too good to be true, it probably is.

Think before you click – many have fallen victim due to a hasty reply

Be paranoid

Don’t be timid about asking for help from your IT support person or the IT Help Desk


How to identify a scam

Characteristics of scam email

Poor grammar and spelling

Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)

It asks for private information like a password or account number

The message contains a link where the displayed address differs from the actual web address

It is unexpected (you weren’t expecting Joe to send you an attachment)

The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address

Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password, which is signed “Webmail administrator”
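Three of the characteristics above (the “From:” and “Reply-to:” domains and a request for a password or account number) can be checked mechanically against a message's full headers. The following Python sketch is an added example, not part of the original slides; the sample messages and every address in them are constructed, and the term and phrase lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CAMPUS_DOMAINS = ("ksu.edu", "k-state.edu")            # the two domains named above
CAMPUS_TERMS = re.compile(r"k-?state|ksu|help desk|webmail", re.I)   # assumed list
CREDENTIAL_ASK = re.compile(r"\b(password|account number)\b", re.I)  # assumed list

# Constructed samples; every address here is made up for the example.
SCAM_SAMPLE = "\n".join([
    'From: "Help Desk" <helpdesk@k-state.edu>',
    "Reply-To: <webmail.update@example.net>",
    "Subject: KSU.EDU WEBMAIL ACCOUNT UPDATE",
    "",
    "Send your K-State eID and password to the MAIL CONTROL UNIT.",
])
LOOKALIKE_SAMPLE = "\n".join([
    'From: "K-State Webmail" <admin@example.org>',
    "Subject: Verify your account",
    "",
    "Reply with your account number today.",
])
CLEAN_SAMPLE = "\n".join([
    "From: Registrar <registrar@k-state.edu>",
    "Subject: Enrollment dates",
    "",
    "Enrollment opens Monday.",
])


def address_domain(header_value):
    """Domain of the first address in a From:/Reply-To: header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_campus(domain):
    return any(domain == d or domain.endswith("." + d) for d in CAMPUS_DOMAINS)


def body_text(msg):
    """Concatenate the text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return warning flags for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    flags = []
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    claims_campus = CAMPUS_TERMS.search(msg.get("From", "") + " " + msg.get("Subject", ""))
    if claims_campus and not is_campus(from_dom):
        flags.append("claims-campus-but-from:" + from_dom)
    # A forged From: can look perfect; replies still go to Reply-To:.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs:" + reply_dom)
    if CREDENTIAL_ASK.search(body_text(msg)):
        flags.append("asks-for-credentials")
    return flags


if __name__ == "__main__":
    for name in ("SCAM_SAMPLE", "LOOKALIKE_SAMPLE", "CLEAN_SAMPLE"):
        print(name, triage(globals()[name]))
```

A clean result only means none of these three signs fired; a message with a forged campus “From:” and no “Reply-to:” passes the header checks and is caught only by the credential request.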


How to identify a scam

Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina asking for donations and mimicking a Red Cross web site)

Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season

They take advantage of epidemics or health scares, like H1N1 scam currently making the rounds

Often pose as legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.

If unsure, call the company to see if they sent it (we did this with recent email from Manhattan Mercury)

Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is

Hackers very good at imitating legitimate email – will use official logos, some links in the email will work properly, but one link is malicious


[Slide images: Real K-State Federal Credit Union web site; Fake K-State Federal Credit Union web site used in spear phishing scam]


Can I click on this?

Watch for displayed URL (web address) that does not match the actual
displayed: http://update.microsoft.com/microsoftupdate
actual: http://64.208.28.197/ldr.exe

Beware of link that executes a program (like ldr.exe above)

Avoid numeric IP addresses in the URL
http://168.234.153.90/include/index.html

Some even use hexadecimal notation for the IP:
http://0xca.0x27.0x30.0xdd/www.irs.gov/

Watch for legitimate domain names embedded in an illegitimate one
http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/


Can I click on this?

Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in example below)
From: Capital One bank <[email protected]>
URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/

IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan:


Can I click on this?

Beware of domains from unexpected foreign countries
Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
Lithuania: http://kateka.lt/~galaxy/card.exe
Hungary: http://mail.grosz.hu/walmart/survey/
Romania: http://www.hostinglinux.ro/
Russia: http://mpo3do.chat.ru/thanks.html

MANY scams originate in China (country code = .cn)

Country code definitions available at: www.iana.org/domains/root/db/index.html
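The link checks from the last three slides (displayed versus actual host, links to programs, IP-literal hosts including hexadecimal notation, a known name sitting on someone else's host, unexpected country codes) can be applied to a URL without visiting it. This Python sketch is an added example, not part of the original slides; the brand map, the expected country-code set and the flag names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed brand -> legitimate domain map (illustrative; extend for your own users).
BRANDS = {"capitalone": "capitalone.com", "irs": "irs.gov",
          "microsoft": "microsoft.com", "walmart": "walmart.com"}
PROGRAM_EXT = (".exe", ".msi", ".pif", ".scr")   # assumed set of program extensions
EXPECTED_CCTLDS = {"us"}                         # assumption: US senders expected


def ipv4_literal(host):
    """Dotted-decimal form if host is an IPv4 literal written in decimal,
    hex (0xca) or octal (0312) notation; otherwise None."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        try:
            if p.lower().startswith("0x"):
                n = int(p, 16)
            elif len(p) > 1 and p.startswith("0"):
                n = int(p, 8)
            else:
                n = int(p, 10)
        except ValueError:
            return None
        if not 0 <= n <= 255:
            return None
        octets.append(str(n))
    return ".".join(octets)


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def check_link(actual, displayed=None):
    """Return warning flags for a link target; nothing is fetched."""
    flags = []
    parts = urlsplit(actual)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    # Only compare when the visible link text itself looks like a URL.
    if displayed and re.match(r"(?i)^(https?://|www\.)", displayed.strip()):
        if host_of(displayed.strip()) != host:
            flags.append("displayed-host-mismatch")
    if path.endswith(PROGRAM_EXT):
        flags.append("link-to-executable")

    ip = ipv4_literal(host)
    if ip:
        flags.append("ip-literal-host:" + ip)
    else:
        tld = host.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld.isalpha() and tld not in EXPECTED_CCTLDS:
            flags.append("country-code-tld:" + tld)

    # A brand name anywhere in host or path, while the host is not the brand's own.
    tokens = re.split(r"[^a-z0-9]+", host + path)
    for brand, legit in BRANDS.items():
        on_legit = host == legit or host.endswith("." + legit)
        named = any(t == brand or (len(brand) > 4 and t.startswith(brand)) for t in tokens)
        if named and not on_legit:
            flags.append("brand-on-foreign-host:" + brand)
    return flags


if __name__ == "__main__":
    print(check_link("http://0xca.0x27.0x30.0xdd/www.irs.gov/"))
```

The true host is whatever sits between `//` and the first `/`, read right to left; a familiar name further left in the host or anywhere in the path says nothing about who runs the site.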


Can I click on this?

Analyze web links w/o clicking on them by copying the URL and testing them at these sites:

Trend Micro’s Web reputation query – reclassify.wrs.trendmicro.com/wrsonlinequery.aspx

McAfee SiteAdvisor (enter URL on this web page – you don’t have to install their software): www.siteadvisor.com/


Can I click on this?

Watch for malicious URLs cloaked by URL shortening services like:

TinyURL.com

Bit.ly

CloakedLink.com


Can I click on this?

TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See http://tinyurl.com/preview.php to enable it in your browser (it sets a cookie)

Bit.ly has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious: addons.mozilla.org/en-US/firefox/addon/10297


[Slide image: Can I click on this?]


Trend Micro Web Reputation Services is your friend


So are anti-phishing/malware features in Firefox and IE


Evaluating attachments

Saving it to your desktop without opening it or executing it is usually safe

If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)

If not detected, it is either OK or a new variant of malware

Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)

If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 39 anti-virus products, including Trend Micro; here’s an example:
virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d


Evaluating attachments

If it is still undetected and obviously malicious because of the email it was attached to, submit it to K-State’s IT security team at www.k-state.edu/its/security/report/ so we can send it to Trend Micro for analysis

Contact the sender to verify they sent it

Ignore or delete it if it’s not expected or important

Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems

Potentially dangerous file types include .exe, .zip (depending on file types in the .zip archive), .msi, .pif, .scr, .js, and even .pdf and (rarely) .doc


Example of malicious email attachments

Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment

Many more reports soon followed from around the world implicating many K-State IP addresses

Many K-Staters started reporting receipt of the malicious emails too

At least 113 K-State computers were infected/compromised when people opened the malicious attachment

Was a new variant of malware so Trend Micro OfficeScan did not detect it initially


What happened?

Four different emails with the following subjects:
Shipping update for your Amazon.com order 254-78546325-658742
You have received A Hallmark E-Card!
Jessica would like to be your friend on hi5!
Your friend invited you to twitter!

Three (somewhat) different attachments:
Shipping documents.zip
Postcard.zip
Invitation card.zip

At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
“attachment.pdf .exe”
“attachment.htm .exe”
“attachment.chm .exe”
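A .zip attachment can be inspected by listing its member names without extracting or running anything, which exposes the space-padded double extension described above and the risky file types listed under "Evaluating attachments". This Python sketch is an added example, not part of the original slides; the decoy-extension list, size limit and flag names are assumptions, and the sample archive is constructed from harmless bytes.

```python
import io
import re
import zipfile

# File types the deck calls potentially dangerous; .zip is handled by recursion,
# .pdf/.doc are left to anti-virus scanning.
RISKY_EXT = {".exe", ".msi", ".pif", ".scr", ".js"}
# Assumed list of harmless-looking extensions used to disguise the real one.
DECOY_EXT = {".pdf", ".htm", ".html", ".chm", ".doc", ".txt", ".jpg"}
LAST_EXT = re.compile(r"(\.[A-Za-z0-9]{1,5})\s*$")


def inspect_member(name):
    """Flags for one archive member name; the file content is never opened."""
    base = name.rsplit("/", 1)[-1]
    flags = []
    m = LAST_EXT.search(base)
    real_ext = m.group(1).lower() if m else ""
    stem = base[:m.start()] if m else base
    if real_ext in RISKY_EXT:
        flags.append("risky-extension:" + real_ext)
    if re.search(r"\s{2,}$", stem):          # run of spaces pushing the extension away
        flags.append("padded-name")
    decoy = LAST_EXT.search(stem)
    if decoy and decoy.group(1).lower() in DECOY_EXT and real_ext in RISKY_EXT:
        flags.append("double-extension:" + decoy.group(1).lower() + real_ext)
    return flags


def scan_zip(data, depth=0, max_depth=2, max_member=10 * 1024 * 1024):
    """Map member name -> flags for every suspicious member, nested zips included."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = inspect_member(info.filename)
            if info.filename.lower().endswith(".zip"):
                # Size and depth limits guard against archive bombs.
                if depth < max_depth and info.file_size <= max_member:
                    try:
                        inner = scan_zip(zf.read(info), depth + 1, max_depth, max_member)
                    except zipfile.BadZipFile:
                        inner = {}
                        flags.append("unreadable-nested-archive")
                    for inner_name, inner_flags in inner.items():
                        findings[info.filename + "!" + inner_name] = inner_flags
                else:
                    flags.append("nested-archive-not-inspected")
            if flags:
                findings[info.filename] = flags
    return findings


def build_sample():
    """Constructed sample: benign bytes under names shaped like those on the slide."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("attachment.htm" + " " * 40 + ".exe", b"not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", b"not a real program")
        zf.writestr("readme.txt", b"hello")
        zf.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, member_flags in scan_zip(build_sample()).items():
        print(repr(member), member_flags)
```

Printing the name with `repr` shows the padding that a file browser's truncated name column hides.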


What happened?

Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies

July 29 and August 7 - similar attacks with new variants of the malware that escaped anti-virus detection

AGAIN (!!) on Nov. 5 – same four emails, new variant of malware, infected 130+ K-State computers


Why was it so effective?

Used familiar services

Amazon.com

Hallmark eCard greeting

Twitter

Sensual enticement (“Jessica would like to be your friend on hi5!”)

Somewhat believable replicas of legitimate emails

Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)

Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces

New variant that spread quickly so initial infections missed by antivirus protection

I was too slow submitting samples to Trend (better the second and third time around)

Malware/attachment filtering in Zimbra did not stop it

Been a long time since attack came by email attachment so people caught off-guard


[Slide image: Malicious Hallmark E-Card]

[Slide image: Legitimate Hallmark E-Card]

[Slide image: Malicious Amazon Shipping Notice]

[Slide image: Legitimate Amazon Shipping Notice]

[Slide image: Malicious Twitter Invitation]

[Slide image: Legitimate Twitter Invitation]


What can we do?

Remember - Hallmark, amazon.com, Twitter, etc. do not send info in attachments

Don’t open attachment unless you are expecting it and have verified with sender

Analyze attachments before opening them

Think before you click

Be paranoid!


Reporting scams

Send spear phishing scams that target K-State specifically to [email protected]

Send them with “full headers” (in webmail: highlight message, right click, select “Show Original”, copy everything in resulting window and paste into email to [email protected])

To get full headers in other email clients: www.haltabuse.org/help/headers/index.shtml

Don’t send generic run-of-the-mill scams to [email protected] unless it’s something particularly threatening to K-Staters


Reporting scams

Submit suspicious files/attachments to www.k-state.edu/its/security/report/ (don’t try to send them in email since they may get filtered)

Can report scams/fraud/crimes to federal government:

FBI’s Internet Crime Complaint Center - www.ic3.gov/

FTC’s OnGuardOnline - www.onguardonline.gov/file-complaint.aspx

ALWAYS report suspected child pornography to the police (K-State or Riley County)


Useful sources of information

Google – search for unique phrase in the suspected scam to see what others are reporting about it

Web sites of organization targeted by scams often have information, like the IRS www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1

Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com

Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/

K-State’s IT security web site updated regularly SecureIT.k-state.edu

Current threats and spear phishing scams posted on K-State’s IT threats blog threats.itsecurity.k-state.edu/


What’s on your mind?