Recognizing Email Scams
SIRT IT Security Roundtable
Harvard Townsend, Chief Information Security Officer, [email protected]
December 4, 2009
Agenda
The problem – why should we care?
Types of email scams
Recent examples at K-State and why they tricked so many people
Characteristics of scam emails – things to look for and tools to help
How to determine if a web link is safe
How to evaluate email attachments
Reporting scams or other malicious emails
Useful information sources
Q&A
Many vectors for attack
Vulnerable operating system (i.e., Windows)
Vulnerable applications
Hackers scanning our network from outside or inside the campus network
Passwords stolen by a key logger
USB flash drives
Malicious web links, even sponsored ads at the top of a Google search
Malicious Facebook ads
Extra goodies in P2P downloads
Instant messaging
Redirected DNS queries
Hijacked duplicate web site
Phishing email
Malicious web links in an email
Email attachments
What’s the big deal?
130+ K-State computers infected in November when people opened malicious email attachments – the same emails that hit campus in July and infected 100+ computers
289 spear phishing scams at K-State thus far in 2009, resulting in 421 compromised email accounts used to send spam
These forms of “social engineering” are currently one of the most effective ways to compromise a computer and steal financial or personal identity information
Information loss/theft (personal, institutional, passwords, account info)
Identity theft
Financial fraud
It doesn’t just affect you
When stolen K-State email accounts are used to send spam, K-State is seen as a spam source and sometimes ends up on spam block lists, such that ALL email from K-State to those email providers is blocked (examples include Hotmail, Gmail, Comcast, AT&T, Road Runner…) – a huge headache for faculty-student communication
Compromised computers become part of a “botnet” used for illegal purposes
A recent compromised K-State computer became a “botnet controller” that controlled 12,000 other compromised computers around the world
Compromised computers are used to send spam, host scam web sites, spread malware, steal data, launch denial of service attacks, etc.
One careless mouse click can affect thousands of other people, not just yourself
What’s the big deal?
Tactics are constantly changing, so you can’t let down your guard
Malware is constantly changing, so anti-virus software can’t always prevent infection
Technology can’t stop them all – you, the user, are critically important in our security defenses
Definitions
Malware – malicious software
Virus, Worm, Trojan, etc. – types of malware; specific definitions not that important now. “Virus” is sometimes used as a catch-all for malware
Keylogger – watches your keystrokes and intercepts data of interest; often sends it to the perpetrator. Typically looks for things like username/password, bank account info, credit card info
Rootkit – malware that tries to hide the fact that it compromised the computer. Think of it as stealth malware.
Spyware – watches your online activity and sends information about you or your habits to others w/o your informed consent
Adware – automatically displays ads on your computer, usually in annoying pop-ups
Scareware – tries to trick you into buying something of little or no value using shock, anxiety or threats (like Anti-virus 2008/2009). A common tactic is to claim your computer is infected and you have to buy their software to clean it up.
Scareware examples
Definitions
Phishing – attempt to acquire sensitive information by posing as a legitimate entity in an electronic communication
Spear phishing – phishing that targets a specific group
Social engineering – manipulating or tricking people into divulging private information
Spam – unsolicited or undesired bulk email/messages
Spear phishing example that targets K-State
Let’s look at some examples
Check the IT Security Threats blog for examples of spear phishing scams: threats.itsecurity.k-state.edu
Analysis of actual scams received by people at K-State
Most Effective Spear Phishing Scam
Most effective spear phishing scam
At least 62 replied with their password, 53 of which were used to send spam from K-State’s Webmail
Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen
Note the characteristics:
“From:” header realistic: "Help Desk" <[email protected]>
Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”
Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”
Asks for “K-State eID” and password
Plausible story (accounts compromised by spammers!!)
Another effective spear phishing scam
This one also tricked 62 K-Staters into giving away their eID password
How to identify a scam
General principles:
Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
Use common sense and logic – if it’s too good to be true, it probably is.
Think before you click – many have fallen victim due to a hasty reply
Be paranoid
Don’t be timid about asking for help from your IT support person or the IT Help Desk
How to identify a scam
Characteristics of scam email:
Poor grammar and spelling
Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
It asks for private information like a password or account number
The message contains a link where the displayed address differs from the actual web address
It is unexpected (you weren’t expecting Joe to send you an attachment)
The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password, which is signed only “Webmail administrator”
How to identify a scam
Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
They take advantage of epidemics or health scares, like the H1N1 scam currently making the rounds
Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious
Real K-State Federal Credit Union web site
Fake K-State Federal Credit Union web site used in spear phishing scam
Can I click on this?
Watch for a displayed URL (web address) that does not match the actual one:
displayed: http://update.microsoft.com/microsoftupdate
actual: http://64.208.28.197/ldr.exe
Beware of a link that executes a program (like ldr.exe above)
Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html
Some even use hexadecimal notation for the IP: http://0xca.0x27.0x30.0xdd/www.irs.gov/
Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/
Can I click on this?
Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
From: Capital One bank <[email protected]>
URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan:
Can I click on this?
Beware of domains from unexpected foreign countries:
Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
Lithuania: http://kateka.lt/~galaxy/card.exe
Hungary: http://mail.grosz.hu/walmart/survey/
Romania: http://www.hostinglinux.ro/
Russia: http://mpo3do.chat.ru/thanks.html
MANY scams originate in China (country code = .cn)
Country code definitions available at: www.iana.org/domains/root/db/index.html
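The link checks on the last few slides (displayed vs. actual address, numeric or hex-encoded IP hosts, links that download a program, a real brand name buried in a path or subdomain, unexpected country codes), implemented as a small Python checker. This is an added example and not part of the original presentation; the brand list and the country-code set are illustrative assumptions, and the sample links are the ones shown on the slides.

```python
from urllib.parse import urlparse

# Illustrative lists (assumptions, not from the slides): brands the scams shown
# here impersonate, extensions that run a program, and the country codes the
# slides call out as unexpected for mail claiming to come from a US company.
BRANDS = ("capitalone", "irs.gov", "walmart", "microsoft", "paypal", "amazon")
EXEC_EXTS = (".exe", ".scr", ".pif", ".msi", ".js")
UNEXPECTED_CCTLDS = {"kg", "pk", "lt", "hu", "ro", "ru", "cn"}


def decode_host(host):
    """Return dotted-decimal form if host is a numeric IP written in decimal
    or hex octets (e.g. 0xca.0x27.0x30.0xdd), otherwise None."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        try:
            octets.append(int(p, 16) if p.lower().startswith("0x") else int(p, 10))
        except ValueError:
            return None
    if any(not 0 <= o <= 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def check_url(actual, displayed=None):
    """Return warning codes for one link, applying the slide's rules in order:
    displayed/actual mismatch, numeric IP host, unexpected ccTLD,
    executable download, brand name outside the registered domain."""
    warnings = []
    host = (urlparse(actual).hostname or "").lower()
    path = urlparse(actual).path.lower()
    if displayed and (urlparse(displayed).hostname or "").lower() != host:
        warnings.append("mismatch")
    if decode_host(host):
        warnings.append("ip-host")
    elif host.rsplit(".", 1)[-1] in UNEXPECTED_CCTLDS:
        warnings.append("cctld")
    if path.endswith(EXEC_EXTS):
        warnings.append("executable")
    registered = ".".join(host.split(".")[-2:])  # e.g. org.kg, capitalone.com
    if any(b in path or (b in host and b not in registered) for b in BRANDS):
        warnings.append("brand-misplaced")
    return warnings


if __name__ == "__main__":
    for link in ("http://64.208.28.197/ldr.exe",
                 "http://0xca.0x27.0x30.0xdd/www.irs.gov/",
                 "http://towernet.capitalonebank.com.mj.org.kg/onlineform/"):
        print(link, "->", check_url(link))
```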
Can I click on this?
Analyze web links w/o clicking on them by copying the URL and testing it at these sites:
Trend Micro’s Web reputation query – reclassify.wrs.trendmicro.com/wrsonlinequery.aspx
McAfee SiteAdvisor (enter the URL on this web page – you don’t have to install their software): www.siteadvisor.com/
Can I click on this?
Watch for malicious URLs cloaked by URL shortening services like:
TinyURL.com
Bit.ly
CloakedLink.com
Can I click on this?
TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See http://tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
Bit.ly has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious: addons.mozilla.org/en-US/firefox/addon/10297
Can I click on this?
Trend Micro Web Reputation Services is your friend
So are the anti-phishing/malware features in Firefox and IE
Evaluating attachments
Saving it to your desktop without opening it or executing it is usually safe
If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)
If not detected, it is either OK or a new variant of malware
Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)
If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 39 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d
Evaluating attachments
If it is still undetected and obviously malicious because of the email it was attached to, submit it to K-State’s IT security team at www.k-state.edu/its/security/report/ so we can send it to Trend Micro for analysis
Contact the sender to verify they sent it
Ignore or delete it if it’s not expected or important
Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems
Potentially dangerous file types include .exe, .zip (depending on the file types in the .zip archive), .msi, .pif, .scr, .js, and even .pdf and (rarely) .doc
Example of malicious email attachments
Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
Many more reports soon followed from around the world implicating many K-State IP addresses
Many K-Staters started reporting receipt of the malicious emails too
At least 113 K-State computers were infected/compromised when people opened the malicious attachment
Was a new variant of malware, so Trend Micro OfficeScan did not detect it initially
What happened?
Four different emails with the following subjects:
Shipping update for your Amazon.com order 254-78546325-658742
You have received A Hallmark E-Card!
Jessica would like to be your friend on hi5!
Your friend invited you to twitter!
Three (somewhat) different attachments:
Shipping documents.zip
Postcard.zip
Invitation card.zip
At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
“attachment.pdf                   .exe”
“attachment.htm                   .exe”
“attachment.chm                   .exe”
What happened?
Harvested email addresses in address books and sent the same malicious emails to everyone – aka a “mass mailing worm”; that’s why so many people at K-State received so many copies
July 29 and August 7 – similar attacks with new variants of the malware that escaped anti-virus detection
AGAIN (!!) on Nov. 5 – same four emails, new variant of malware, infected 130+ K-State computers
Why was it so effective?
Used familiar services: Amazon.com, Hallmark eCard greeting, Twitter
Sensual enticement (“Jessica would like to be your friend on hi5!”)
Somewhat believable replicas of legitimate emails
Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)
Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
New variant that spread quickly, so initial infections were missed by antivirus protection
I was too slow submitting samples to Trend (better the second and third time around)
Malware/attachment filtering in Zimbra did not stop it
It had been a long time since an attack came by email attachment, so people were caught off-guard
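An added example, not from the original presentation, of the attachment checks from the “Evaluating attachments” slides combined with the padded-name trick described in the Amazon/Hallmark/Twitter incident: it inspects the member names of an in-memory .zip for executable types, double extensions and whitespace padding before anyone opens the archive. The extension sets are assumptions drawn from the slides, and the sample archive is constructed here with harmless text contents.

```python
import io
import zipfile

# Extension sets are assumptions drawn from the slide's list of risky types:
# RISKY_EXTS run code when opened; DECOY_EXTS are the document types the
# padded names pretend to be ("attachment.pdf      .exe").
RISKY_EXTS = {".exe", ".msi", ".pif", ".scr", ".js"}
DECOY_EXTS = {".pdf", ".htm", ".chm", ".doc"}


def classify_member(name):
    """Return the reasons a zip member name looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]              # ignore any folder prefix
    stem, dot, ext = base.rpartition(".")
    ext = ("." + ext).lower() if dot else ""
    if ext in RISKY_EXTS:
        reasons.append("executable-type")
    if stem != stem.rstrip():                    # spaces push ".exe" out of view
        reasons.append("whitespace-padding")
    visible = stem.rstrip()
    if "." in visible and "." + visible.rpartition(".")[-1].lower() in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons


def scan_zip_bytes(data):
    """Map every member of an in-memory .zip to its warning list (empty = clean)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_member(info.filename) for info in zf.infolist()}


def zip_is_suspicious(data):
    """True if any member is flagged, so the whole attachment should be held."""
    return any(scan_zip_bytes(data).values())


def build_sample_zip():
    """Constructed sample mirroring the 'Shipping documents.zip' names from the
    slides; the members hold harmless text, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", "constructed sample")
        zf.writestr("attachment.htm" + " " * 40 + ".exe", "constructed sample")
        zf.writestr("invoice.pdf", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for member, flags in scan_zip_bytes(build_sample_zip()).items():
        print(repr(member), "->", flags or "clean")
```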
Malicious Hallmark E-Card
Legitimate Hallmark E-Card
Malicious Amazon Shipping Notice
Legitimate Amazon Shipping Notice
Malicious Twitter Invitation
Legitimate Twitter Invitation
What can we do?
Remember – Hallmark, amazon.com, Twitter, etc. do not send info in attachments
Don’t open an attachment unless you are expecting it and have verified with the sender
Analyze attachments before opening them
Think before you click
Be paranoid!
Reporting scams
Send spear phishing scams that target K-State specifically to [email protected]
Send them with “full headers” (in webmail: highlight the message, right click, select “Show Original”, copy everything in the resulting window and paste it into an email to [email protected])
To get full headers in other email clients: www.haltabuse.org/help/headers/index.shtml
Don’t send generic run-of-the-mill scams to [email protected] unless it’s something particularly threatening to K-Staters
Reporting scams
Submit suspicious files/attachments to www.k-state.edu/its/security/report/ (don’t try to send them in email since they may get filtered)
Can report scams/fraud/crimes to the federal government:
FBI’s Internet Crime Complaint Center – www.ic3.gov/
FTC’s OnGuardOnline – www.onguardonline.gov/file-complaint.aspx
ALWAYS report suspected child pornography to the police (K-State or Riley County)
Useful sources of information
Google – search for a unique phrase in the suspected scam to see what others are reporting about it
Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
K-State’s IT security web site, updated regularly: SecureIT.k-state.edu
Current threats and spear phishing scams posted on K-State’s IT threats blog: threats.itsecurity.k-state.edu/
What’s on your mind?