Wednesday, June 4, 2008

Daily Report

• According to Reuters, a recently released report found that the 2007 underground collapse of the Crandall Canyon coal mine in Utah, which resulted in the deaths of six miners and three rescuers, covered 50 acres. This is about four times larger than the initial estimate made shortly after the disaster. (See item 7)

• The Washington Post reports that a criminal group that specializes in deploying malicious software to steal banking data is presenting victims with fake maintenance pages and error messages as a means of getting around anti-fraud safeguards erected by many banks. It is estimated that this latest scam was sent to around 6,000 to 8,000 targets, and at least 690 people fell victim to it. (See item 14)

Banking and Finance Sector

12. June 3, Dark Reading – (National) Chinese hacker behind US Court, IRS scams. SecureWorks Inc., a security services provider, reported Tuesday that a Chinese hacker is behind the current and former executive “whaling phishing scams” involving the U.S. Federal Courts and the Internal Revenue Service. The Director of Threat Intelligence for SecureWorks discovered this past weekend’s U.S. Tax Court scam, in which corporate financial executives are receiving phishing emails with subjects like “Notice of Deficiency” purporting to be from the United States Tax Court. The emails state that the recipient has a case pending with the Internal Revenue Service. Links in the phishing email lead to a download page for a Trojan known alternately as DlRhifrem, Rhifrem, and Fireming. It is a spyware BHO masquerading as an Adobe Acrobat ActiveX control. Additionally, in this latest scam, the hacker is targeting C-level financial executives with information from non-public databases, such as those found in legal databases, i.e., direct phone numbers, company addresses, titles, etc. SecureWorks has determined that the hacker behind the U.S. Tax Court and the IRS scams is Chinese, most likely from Hong Kong or Taiwan, and has had first-hand experience with the U.S. courts system. The hacker is technically savvy, has the capability to modify the Trojan to do what they want it to do, and understands social engineering tactics. This is the same variant of the DlRhifrem malware that was used in the “U.S. Courts” attack which took place in mid-April of this year. However, this is the first time a root certificate has been included in the whaling scam. Source:

13. June 3, – (National) Spammers exploit Google Docs. Spam levels jumped in May to 76.8 per cent of all emails sent globally, according to new monitoring data. MessageLabs’ latest Intelligence Report attributed this hike to a change of tactics in which spammers are moving away from a reliance on email attachments. In addition to the variety of new spam techniques, MessageLabs also identified several new phishing exploits this month, including one which preyed on a bank’s environmentally-conscious customers. Using the Srizbi botnet to launch the attacks, the phishers took advantage of a ‘Go Green’ campaign run by Central Bank in Missouri to lure recipients into sharing their bank details in order to register for electronic statements. Also in May, MessageLabs found evidence of phishing attacks claiming to be from HSBC bank which purported to be a secure connection via HTTPS. Closer inspection revealed that the attack was actually a standard HTTP link to a domain pretending to be the actual bank. Source:

14. June 2, Washington Post – (National) Beware of error messages at bank sites. A criminal group that specializes in deploying malicious software to steal banking data is presenting victims with fake maintenance pages and error messages as a means of getting around anti-fraud safeguards erected by many banks. Dozens of banks now require business customers to log in to their accounts online using so-called “two-factor authentication” methods, which generally require the customer to enter something in addition to a user name and password, such as a random, one-time-use numeric code generated by a key fob or a scratch-off pad. But one of this past year’s most prolific cyber gangs has devised a simple but ingenious method of circumventing these security measures. When a victim whose PC is infected with their data-stealing malware attempts to log in at a banking site that requires two-factor authentication, the fraudsters modify the display of the bank site in the victim’s browser with an alert saying “please allow 15 to 30 minutes for your request to be synchronized with our server.” By intercepting the victim’s password along with the one-time code - and ensuring that the victim will never be able to use that one-time code - the thieves can quickly use the one-time code to log in as the victim and proceed to drain the bank account. According to researchers at iDefense, this tactic was most recently used in an attack nearly two weeks ago, in which the fraudsters sent thousands of targeted e-mails spoofing the United States Tax Court. The message in the email prompts the recipient to click on a link to view the complaint. Those who do so are greeted with a prompt to install an Adobe Acrobat viewer. Of course, the program is not a viewer at all, but a “browser helper object” (BHO) that allows the attacker to steal passwords and data when victims log on to encrypted (https://) Web sites. More importantly, the BHO lets the attackers modify Web pages that the victim sees in real time. As a result, when victims are presented with one of these error pages, the message is inserted into the body of the bank’s actual Web page. In such an attack, even an alert victim is unlikely to notice anything amiss. The director of rapid response at iDefense said the criminal group responsible for this and a string of other such targeted attacks uses the fake scam message against customers of roughly 50 different financial institutions that deploy two-factor authentication for business customers. iDefense estimates this latest scam was sent to around 6,000 to 8,000 targets, and the company has evidence that at least 690 people fell victim to the scam. Source:

Information Technology

33. June 3, – (International) Spammers exploit Google Docs. Spam levels jumped in May to 76.8 percent of all emails sent globally, according to new monitoring data. MessageLabs’ latest Intelligence Report attributed this hike to a change of tactics in which spammers are moving away from a reliance on email attachments. Spammers are instead moving towards the exploitation of free mainstream hosted services such as Google Docs, Google Calendar and Microsoft SkyDrive. “The savvy and accurate cyber-criminals of today seem to have abandoned the attachments tactic that was so innovative in late 2007 and are exploiting free hosted applications which have become mainstream in 2008,” said the chief security analyst at MessageLabs. “The spammers are taking advantage of the fact that these services are free, provide ample bandwidth and are rarely blacklisted,” he said, adding, “This is one more addition to the growing list of ways in which the spammers have succeeded in outsmarting traditional detection devices.” MessageLabs intercepted spam emails in May which contained links to spam contained in documents hosted on the Google Docs environment. Traditional spam filters do not block links to the Google Docs domain, and spammers are using this to their advantage and even tracking their success through Google Analytics. Spammers are also using Microsoft’s SkyDrive shared file hosting service. Spam generated using this technique accounted for one per cent of all unsolicited mail in May. Source:
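The two MessageLabs items above (items 13 and 33) describe links that domain blocklists alone miss: spam pointing into free hosted services such as Google Docs and SkyDrive, and phishing mail whose displayed link promises an HTTPS connection to the bank while the real destination is a plain HTTP lookalike domain. As an added example, not from the report or from MessageLabs, the following Python script triages the anchors in an HTML mail body for exactly those signs: a visible link text that claims `https://` while the `href` is `http://`, a displayed hostname that differs from the linked one, and a destination on a free hosted-document service. The free-hosting hostnames and the sample message are constructed for the example, not values from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: hostnames of the free hosted services the report
# says spammers abuse. These are assumptions, not values taken from the report.
FREE_HOSTED_DOMAINS = {"docs.google.com", "spreadsheets.google.com", "skydrive.live.com"}

# First hostname-looking token in link text, e.g. "https://www.bank.example/x" -> "www.bank.example"
SHOWN_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_links(html):
    """Return a list of suspicious anchors, each with the reasons it was flagged."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href)
        actual_host = (actual.hostname or "").lower()
        reasons = []

        # Displayed text promises a secure connection, but the real link is plain HTTP.
        if "https://" in text.lower() and actual.scheme == "http":
            reasons.append("https-in-text-but-http-link")

        # Displayed text names a host that differs from the host actually linked.
        shown = SHOWN_HOST_RE.search(text.lower())
        if shown and shown.group(1) != actual_host:
            reasons.append("host-mismatch")

        # Destination is a free hosted service that filters rarely blacklist.
        if actual_host in FREE_HOSTED_DOMAINS:
            reasons.append("free-hosted-service")

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message modelled on the two lures described in the report.
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Register for paperless statements at
<a href="http://online-banking.example.net/green">https://www.centralbank.example/green</a></p>
<p>Your statement is ready: <a href="https://docs.google.com/Doc?id=constructed">view document</a></p>
<p><a href="https://www.centralbank.example/help">Help</a></p>
"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_MAIL):
        print(finding)
```

Running the script flags the first link twice (HTTPS claimed in the text, HTTP in the `href`; displayed host differs from the linked host) and the second link once (free hosted service); the genuine help link is left alone. The host-mismatch check only fires when the anchor text itself looks like a hostname, so ordinary "click here" links produce no noise.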

34. June 3, CNet News – (International) Storm worm resurfaces, tries love angle again. After a hiatus, the gang behind the Storm worm is attempting to exploit people’s curiosity about a fictional love interest to tempt users into downloading the malware, according to security training organization the Sans Institute. A security expert from the Sans Institute warned on Tuesday that a Storm worm download site had been detected by security researcher ‘DavidF’. A link that contained the site’s IP address was being spammed out in emails, he wrote in a blog post. He noted that spam is being sent with the message: “‘Crazy in love with you’ hxxp://”. He wrote: “I checked that site and could only find an index.html, lr.gif and loveyou.exe.” The researcher said that index.html encourages visitors to run the ‘loveyou’ executable by asking: “Who is loving you? Do you want to know? Just click here and choose either ‘open’ or ‘run’.” Loveyou.exe is a version of the Storm worm, also known as Trojan.Peacomm.D by Symantec and Troj/Dorf-AP by Sophos. He recommended IT professionals block the IP address until it gets “cleaned up”. The unknown gang behind the Storm botnet tried a similar technique in January in the run-up to Valentine’s Day. At the time, Sophos warned that the gang was using a social-engineering technique in an attempt to trick users into clicking on a link in a ‘Valentine’s Day’ email. Storm worm attacks then dropped off, leading some security vendors to report that the influence of Storm worm was waning. However, in May, Symantec researchers warned they had identified a number of nascent Storm worm hosting domains using fast-flux techniques to mask their URLs. Source:,1000000189,39428439,00.htm

35. June 2, Security Products – (International) Study: Risky online behavior more likely to happen at small companies. Trend Micro recently reported that in the U.S., U.K., Germany and Japan, employees in small companies took more online risks while on the company network compared to their counterparts in larger organizations, according to the results of a study that explores corporate computer users’ perceptions of and experiences with security threats. The study, which surveyed usage habits of 1,600 corporate end users in the U.S., U.K., Germany and Japan, found that certain risky activities such as browsing Web sites unrelated to work, making online purchases, visiting social networking sites, downloading executable files and checking personal Web-based e-mail were more likely to take place in small businesses. For example, 32 percent of small business employees in the U.K. have admitted to downloading executable files that can potentially lead to Trojan or virus attacks and, ultimately, identity and data theft. Checking personal e-mail is the most popular non-work related online activity for German workers: 70 percent of small-business employees do this at work, compared to 59 percent of those in large companies. In Japan, the study revealed that most of the personal Internet activities stated above were more likely to occur in small businesses. Despite the higher level of risky online behavior, only about 50 percent or fewer end users within small companies said they had an IT department, which may explain why spam, phishing and spyware were more commonly reported within these companies compared to larger ones. Source:

Communications Sector

36. June 2, Government Technology – (International) “State of the Internet” report released. Akamai Technologies Inc. last week announced the release of its inaugural “State of the Internet” report. Beginning with the January to March 2008 time period (first quarter), Akamai will be publishing a quarterly “State of the Internet” report extrapolated from data gathered across Akamai’s global server network. This report will include data on the origins of attack traffic, network outages and de-peering events, as well as a look at broadband connectivity by geography. In addition to providing a quarterly summary, Akamai will document trends seen in this data over time. The report will also aggregate publicly available news and information about notable events seen throughout the quarter, including denial of service attacks, Web site hacks, and network events. During the first quarter of 2008, for example, Akamai observed attack traffic originating from 125 unique countries around the world. China and the United States were the two largest attack traffic sources, accounting for some 30 percent of this traffic in total. Akamai observed attack traffic targeted at 23 unique network ports. Many of the ports that saw the highest levels of attack traffic were targeted by worms, viruses and bots that spread across the Internet several years ago. A number of major network “events” occurred during the first quarter that impacted millions of Internet users. At the end of January, undersea cable cuts in the Mediterranean Sea severed Internet connectivity between the Middle East and Europe, drastically slowing communications. De-peering events between major networks impacted Internet communications for selected Internet users in the United States and Europe for a two-week period. A routing change by a telecommunications provider spread across the Internet and caused a popular Internet video sharing site to go offline for several hours. The company is planning to release its second quarter “State of the Internet” report in August. Source:

37. June 2, Computerworld – (National) Smartphones ‘bigger security risk’ than laptops. Smartphones are seen as more of a security risk than laptops and mobile storage devices, according to new research. Some 94 percent of senior IT staff fear PDAs present a security risk, just above the 88 percent who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was “not worth” protecting. The results come from a survey of 300 senior IT staff conducted by endpoint data protection supplier Credant Technologies. A key danger with PDAs was that over half of the IT executives surveyed were “not bothering” to enter a password when they used their phone. Nine in 10 of the smartphones were being given access to company networks without extra security, even though the phones were individually owned by users. No access restrictions were being applied to 81 percent of the phones. Credant Technologies said smartphones had become “easy pickings” for any opportunists trying to steal them and access information. Source: