October 30, 2007Phishing Blast from the Past
There's that old saying (attributed to George Santayana): "Those who cannot remember the past are condemned to repeat it." That assumes, of course, that one even knew the past to begin with, and just forgot about it. When you have youngsters in their late teens and early twenties doing computerish things, they may believe they've invented something kewl...except that the same thing had been done before and abandoned.
I was amazed to receive a PayPal phishing message that harkened back to the early days of phishing with HTML-formatted email. When rendered in an HTML-capable email client (just about all of them these days), the message I received was a replica of the PayPal home page (actually, the old home page before the recent redesign), complete with form fields for username (email address) and password.
This is the lazy kid's way to phish. The form attempts to use a public form-email forwarding program (in Switzerland) to send the form field data to (in this case) a yahoo.com email address. I say lazy because this guy didn't have to go through the trouble of hijacking one of the seemingly millions of hijackable web servers around the world and installing a phishing kit on the server. All he has to do is read his Yahoo! email account to grab submitted username/password combinations.
It was this type of activity that got early phishing targets, such as PayPal and banks, to warn customers about filling out forms that arrived in an email message. That's where the phrases like, "We never ask for your username and password in an email message" came from. It had been ages since I saw a form inside a phishing email message—until today. I'll bet this guy thought he was really clever.
On the other side of the fence, recipients may not have experienced this bit of history to recognize what's happening before their eyes. It's also possible that they may not connect the warning noted above (as if customers read security notices) to the form built into the email message, and thus fall prey to the ruse. They might be condemned to repeat a past they never knew about—and then have a nasty future ahead to repair the account theft.Posted on October 30, 2007 at 09:18 AM
October 23, 2007Issuing a License to Email
Early in 2005, I had the privilege of speaking at a conference hosted by The Institute for Spam and Internet Public Policy. During my speech, one of my slides was a tongue-in-cheek suggestion that email users should be tested for fundamental knowledge about proper handling of email—almost to the same extent that preparing for a driver's test keeps us from running willy-nilly around the pavement (most of the time):
Funny, ha ha.
But then something happened to me today that not only made me resurrect the slide image, but prompted me to show it boldly here with tongue removed from cheek.
Without getting too detailed about it, let's say that I'm assisting a technophobic senior citizen relative of mine complete a real estate transaction. My relative is in Indiana, the real estate agent involved with the transaction is in Illinois, and I'm in California. My role is merely to be another set of eyes overlooking the deal.
The agent is a little frustrated with my relative who has no computer, fax machine, or cell phone. The agent is apparently thoroughly modern in this regard, and wants to use technology to its fullest. Normally, that's okay by me.
To bring me up to speed on the transaction, the agent needed to send me via email copies of various documents, some of which would be generated by outside services. Because I could not predict who the senders of these missives would be, attempting to whitelist those senders on my server in advance was impossible. Instead, I entrusted the agent with a private email address of mine that has no filtering on it whatsoever. Within hours, relevant documents started pouring in as expected.
But within 24 hours, I received another message from the agent that had nothing to do with the transaction. She was forwarding an announcement that some high-end condominium was soon opening its sales center. Whoop-de-freakin'-doo.
So, it was clear that the agent had—vacuum-cleaner-style—sucked my private address into her email distribution list. While that action, itself, is a horrible breach in protocol (an early chapter in the non-existent pamphlet shown above), it could be attributed to the overzealousness of a real estate salesperson (imagine!), and could be stopped with a single warning.
But, the situation was out of control long before I ever saw my copy of the forwarded message. This real estate agent—in her over-zeal—sent the message to 47 individuals, each of whose email address is in plain sight in the To: field of the message.
Now, I'm not too worried that my 46 co-recipients are going to start emailing me, but some of these addresses must belong to people who have the dough to be interested in a building whose top unit will be going for $40 million. On the other hand, that I'm on the list doesn't prove a thing. Still, if I were in that category, I certainly wouldn't want strangers to know it or know how to find me.
My real beef with this laundry listing of To: addresses in plain sight is that neither the sender nor any other recipient knows if the PCs on the receiving end are infected with malware that regularly inspects files for email addresses. If the message is instantly deleted, it will probably still stay in a trash folder for 30 days, ready to be snarfed up at will during that period. Even if the infection rate of the recipients were as low as ten percent, it means that five or so of these recipients' computers can expose my private, unspammed address to the spam gangs. In truth, all it takes is one compromised machine to compromise this private address. And, as we all know, once an email address gets out there, you can't get it back.
It's not difficult at all to create an email distribution list that utilizes the BCC (blind carbon copy) field to list all intended recipients. The beauty of the BCC field is that the addresses are not sent with each message to each recipient. Instructions on how to do that and, more importantly, why, would be another chapter in the Emailers Handbook. In the meantime, if I were an email cop, I'd pull over this real estate agent and give her a ticket for forwarding without a brain.
UPDATE (28 October 2007) — While I may have been spitting bullets about my experience with a clueless forwarder, a far more egregious example appeared this past week. An email sent by the House Judiciary Committee (U.S.) accidentally went out to everyone who had previously filled out a web site form to blow the whistle on questionable activity in the Justice Department. All addresses were exposed in the To: field of the message. Every whistleblower could see who else had blown the whistle. Oh, and so could whoever opens email addressed to Vice President Cheney. Next Monday's staff meetings could be ugly. More on the story here. Now, where's my Clue Stick?Posted on October 23, 2007 at 03:35 PM
October 21, 2007Who(m) Do You Trust?
I'm showing my age here, but before Johnny Carson owned (yeah, that's how they used to spell "pwned") the Tonight Show, he had a daytime game show called Who Do You Trust? That title isn't grammatically correct, and I remember there were even commercials for the program highlighting that fact (a tongue-in-cheek discussion between Johnny and Ed McMahon). I bring up this bit of ancient television history simply to cover my ass with pickers of nit with respect to the title of this piece.
We now return to our regularly scheduled program here in the 21st century.
The issue of trust is a huge deal in the realm of computer security—a subject probably worthy of an entire book (but not by me). Tests for trust occur on numerous levels, many of which are out of view of the average personal computer user. For example, most large ISPs/email providers support one or more systems intended to assure that an incoming message's sender not only identifies herself accurately, but that the sender's address is authorized to send email from the stated domain. In other words, the sending and receiving email servers undergo a test of trust between them—long before the recipient ever sees the message. At the user level are trust elements such as believing that when you enter http://spamwars.com into your browser's address box, that you'll reach the real spamwars.com web site to read my wonderful prose.
I believe that most everyday computer users blindly grant entirely too much trust to their computers and the things they see and do on the Internet. It's precisely this uncritical trust that crooks use as the gateway to grabbing personal identity information, financial account passwords, corporate network access, and even command-and-control of the personal computer, itself.
Computers and software are complex beasts (yes, I'm including Macs here, too). In an effort to make them more user friendly and protective, computer and software designers have coddled us with all kinds of "wizards" and automatic updaters—so many, in fact, that they may become more intrusive than seems worth the effort. In the past week, for instance, I've had at least three updater notifications on my little-used Windows PC—for Firefox, Java (which no one ever sees running), and Windows, each one requiring a restart of either a program or the entire computer. Fortunately, my antivirus software installs its daily patches without requiring me to restart this or that.
The problem with all these updaters and wizards is that most users think nothing of them anymore, even if they're not quite sure that every one is legitimate. When presented with an alert saying that something needs to be installed, a quick click of the Install button gets rid of that pesky dialog box. "How was I supposed to know that the video codec (whatever that is) needed to view smiling kitten pictures was actually a trojan that loaded a program to steal my banking passwords?"
It can get even nastier.
The SANS Internet Storm Center is running a month-long article series to coincide with October's Cyber Security Awareness month. Although most of the great work of the ISC is aimed at network administrators, a sentence from the 21 October article makes a frightening point that users should know:
The trojans are now so advanced as to render what you see through your browser as totally unbelievable.
This notion hit home the other day with a report about an eBay user's computer supposedly infected with a chillingly devious piece of malware. To understand how the trick works, it helps to know that every personal computer has a file that is a kind of lookup table for accessing locations on the Internet. By and large, your web browser and email program use an external lookup table—the Domain Name System (DNS)—for general Internet access. But this local file can be modified to redirect traffic intended for one location to go someplace else, including a "location" on your own computer. Malware that disables antivirus software, for instance, modifies this file so that attempts to access antivirus software sites are instead redirected to an empty location on the PC.
Now imagine if your computer had its own hidden web server running in the background, complete with replica pages of popular sites you know and (normally) trust. That's what apparently happened to one eBay Motors bidder who wanted to buy a vehicle, but eventually found herself redirected to a sham auction replica, including phony replicas of third-party sites that provided false information about the history of the vehicle. She won the "auction," and whisked US$8,650 to the scammer. Because the transaction occurred outside of real eBay channels, there is no recourse for the buyer. Adios dineros.
According to the article, the scammee claims that the infection came by way of an attachment to a message that arrived via eBay's My Messages section. Hmmm. I'm not so sure about that because in my experience, that system does not support sending message attachments. In lieu of seeing the actual material, I suspect that she received a real-looking, but phony email message in her regular email inbox, complete with attachment promising more photos of the vehicle. EBay offers an option that lets you receive copies of My Messages mail in your regular email. I use that option to let me know when such messages arrive, but I then act on those messages exclusively in the My Messages section of the eBay site (and click the option to hide my email address from any response).
The extra bummer to this story is that the victim used a popular antivirus program and kept it updated. Unfortunately, the program did not consider the infected attachment to be a threat because it was a new variant of existing malware.
Let's face it: Scammers are working a lot harder to attack than typical users are working to defend. Not only can't technology shield users from every possible attack, the technology can encourage a massively false sense of security that puts unaware users at a greater risk than if they felt the need to be wary. Although I genuinely empathize with the fears and frustrations of everyday users with these infernal machines, I also believe the bulk of them need a "whack upside the head" with an awareness stick. Crooks are using variations of schemes practiced for years. Awareness of these fundamental tricks can head off future variations.
Whom do I trust? Sadly, although the Internet gets bigger every day, my list seems to get shorter. It has come down to a twist on the adage, "Trust, but verify." On the Internet, it's "Verify, then trust."Posted on October 21, 2007 at 01:28 PM
October 14, 2007Spammers Making Life Even More Miserable
Back in 1971, the Occupational Safety and Health Administration (OSHA) was formed "to ensure employee safety and health in the United States by working with employers and employees to create better working environments" (from the OSHA web site). Shortly thereafter, I got my first job after college as a manufacturing management trainee (don't ask) at a steel fabrication company outside of Chicago. The company facilities were long in the tooth even back then, so bringing the plant and plant employees up to OSHA compliance was no easy or cheap task.
Many old timers (not just at my old employer, mind you) held a belief that some OSHA regulations seemed to go overboard in protecting workers from their own carelessness. It was therefore not uncommon to find many factory managers in complete agreement with a satirical cartoon entitled "Cowboy After O.S.H.A." It shows how a cowboy and his horse need to be equipped to comply with OSHA, including a rollbar, prescription safety goggles for the horse, four wheels to keep the horse upright in case he slips, and so on. In the end, neither the cowboy nor horse is recognizable for all the extra gear needed to protect them in the workplace.
This picture comes to mind every time I encounter yet another hoop through which I must jump to perform a simple computing task because the web site, operating system, or piece of software is having to protect me from malicious actions of spammers or scammers. The hoop provider this time is eBay.
I've been active on eBay recently, and have received several messages from potential bidders on my auctions. The messages come through eBay's message service, which provides a decent system of keeping messages strictly between eBay members. I elect to use the service like a web-based email system, which means that I view incoming messages in the My Messages area, and respond there, as well. I don't recall ever receiving a spam message through this service (although I have seen plenty of bogus phishing messages in my regular email inbox claiming to come from eBay members).
Today, however, as I responded to a new message through the eBay system, I found that I had to enter a CAPTCHA code. The image was on the edge of being so distorted as to invite an error (about which I have reported before). Bear in mind that in order to reach the My Messages section of the eBay site, you must enter your eBay username and password. In other words, I had already been pre-qualified as a legitimate member, yet I still had to solve the CAPTCHA puzzle.
I can only guess that this new hoop is to head off a problem that has begun to plague popular sites such as Facebook and MySpace. In those sites, spammers have opened up numerous accounts, which they use to spam other members via the internal messaging systems of those sites. Spam only pays when it can be done in bulk, so the CAPTCHA code is probably intended to prevent simple automatons from signing up with an eBay account and sending lots of spam to anyone listing an item for sale on the site. Thanks to spammers' latest tactics, my regular Internet activity becomes even more burdensome.
Pretty soon, every web site will be equipped with a rollbar, and we'll all have to wear safety goggles and steel-tipped gloves to send an electronic message.Posted on October 14, 2007 at 07:03 PM
October 10, 2007Inside a Storm Worm Infection
I just read a fascinating study of the internal workings of a recent variant of the Storm worm. The paper was written by SRI International. The report is definitely for the geeky (I'm talking assembly language code), but everyday users can learn a thing or three from the findings.
You should know by now that the Storm worm tends to be hosted on hijacked web sites around the world. You have likely received an email message that has used a variety of social engineering tricks to get you to visit the site (recent ones described here, here, and here). The sites use further social engineering to get you to download and install a software program that promises something alluring...but, in truth, is deadly.
If nothing else, the descriptions of the inner workings demonstrate how much of your PC and its data you hand over to a foreign program running mostly silently in the background. Among the most immediately devastating actions that the worm takes is looking for and disabling programs you may have previously installed to save you. In fact, an inspection of the Labor Day variety of Storm infection reveals a list of—get this—489 different programs, including the Zone Alarm firewall, and McAfee antivirus software (these are ones I found as tasks running on the one Windows PC I have here) targeted by the worm. If your anti-whatever software hasn't been updated to detect the latest (and rapidly evolving) Storm executable, then your protection is essentially disabled before it ever has a chance to save you.
When you install an application program, especially one that requires administration-level permission, you open up your entire machine, its data, and network resources (including other computers on a local network) to that program. Therefore, it's not surprising that when you install the Storm executable, it can look through all your files for whatever it wants. A primary target is any text with strings of characters that look like email addresses. If you think it looks only in obvious places, like Outlook address books, think again. The Labor Day storm variant examines files with the following extensions: .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp, .dat, and .lst.
What does the worm do with those addresses? Why, it addresses more spam to them to lure others to download the malware. The spam is meted out in small batches—on average 100 messages every five minutes. That's so your ISP (on the outside chance that it even cares to notice) doesn't get wise to the fact that you have a spam-spewing machine running full time.
All the while, the program is communicating like mad with other infected machines in a massive peer-to-peer network (i.e., they don't report to a single command-and-control center, which could possibly be shut down). Each bot is exchanging IP addresses of other successfully-infected machines so that each can perform the latest dirty work of whoever is behind the whole scheme.
The types of activities that Storm performs (e.g., snarfing email addresses and disabling antivirus software) aren't new. Other infections have been doing this stuff for years. But this new report reveals the depths of sophistication involved in the programming of the executable—as well as the lengths to which it goes to prevent detection.
This isn't kiddie stuff. And if you believe that your anti-anti software will protect you 100% from clickety-clicking your way through unsolicited email and instant messages, you're sorely mistaken.Posted on October 10, 2007 at 05:30 PM
October 02, 2007Mac vs. PC and Bad Guys
Microsoft may not like to hear it, but virtually every piece of malware released in the wild for (lower case) personal computers operates only on machines running versions of the Windows operating system. Trojans, worms, keyloggers, bots—they're running on Windows.
Unfortunately, that leads Macintosh folks (and Linux people, too) to exhibit a bit of smugness about their supposedly safe computing environments. As I discuss in Spam Wars, this is a foolish attitude to assume. There have been (and will continue to be) security holes in Mac OS X and its supporting infrastructure (e.g., QuickTime, Adobe Acrobat, MS Office, etc.). Apple doesn't issue security-related software updates just to keep their engineers busy. It's just that we've (yes, I'm primarily a Mac user) been lucky so far that Bad Guys have not made concerted efforts to come after our machines. I believe that what running a non-Windows computer buys you—for the moment—is protection against an accidental infection if your mouse finger suddenly twitches with the cursor atop a malicious email attachment.
That said, I have seen one type of Bad Guy attack that is completely thwarted by Firefox and Safari browsers running on the Mac. It's a kind of attack that doesn't care what type of computer the recipient runs, because all the action occurs on a server. I'm talking about phishing that is implemented in a way that does not (so far) affect Mac users running either of the aforesaid browsers.
At issue is the way a handful of phishers compose the URLs to the phony web sites. They're trying to be cute with a little bit of obfuscation. Fortunately for Mac users, the obfuscation causes Firefox and Safari to fail to resolve the URL addresses. Woohoo!
Allow me to demonstrate. The most common obfuscation technique I've seen in the wild uses non-decimal base-number systems to represent a site's numeric IP address. The regular numeric IP address for the spamwars.com web site is 22.214.171.124. Here are links with the regular version and one each in the octal and hexadecimal versions:
Windows browsers (including Firefox) will resolve all three; Mac OS X browsers only the first one. The same goes for yet another numeric version that converts the IP address into one long number (with no periods).
I'm not sure why phishers bother with this type of obfuscation. For the most part, phishing message recipients they're trying to scam don't look at the real URLs beneath the "Click here to update your PayPal account information" links. Those who do look at such links know instantly how to decode the addresses to find the hosting services that can shut down the sites.
(This type of operating system self-selection could be understandable if the obfuscated-URL phishing sites were attempting to load malware onto Windows machines, but I haven't seen evidence of this. A fair number of real malware-loading sites self-select by using VBScript scripts to perform some or all of the infections on the Swiss cheesiest of browsers, Internet Explorer for Windows.)
If a phishing message recipient reaches the phony web site and enters username/password data, the scam works equally well across all operating systems. If you fall for the phishing email message and slick lookalike web site, you have no reason to be smug about your "impenetrable" operating system. But if the phisher is dumb enough to build in a filter that prevents your browser from visiting the lookalike site...well, I suppose a quick smug smile may be in order.Posted on October 02, 2007 at 08:30 AM