Recognizing Email Scams SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer [email protected] December 4, 2009


Page 1: Recognizing Email Scams SIRT IT Security Roundtable

Recognizing Email Scams
SIRT IT Security Roundtable

Harvard Townsend
Chief Information Security Officer
[email protected]
December 4, 2009

Page 2: Recognizing Email Scams SIRT IT Security Roundtable

Agenda

- The problem – why should we care?
- Types of email scams
- Recent examples at K-State and why they tricked so many people
- Characteristics of scam emails – things to look for and tools to help
- How to determine if a web link is safe
- How to evaluate email attachments
- Reporting scams or other malicious emails
- Useful information sources
- Q&A

Page 3: Recognizing Email Scams SIRT IT Security Roundtable

Many vectors for attack

- Vulnerable operating system (i.e., Windows)
- Vulnerable applications
- Hackers scanning our network from outside or inside the campus network
- Passwords stolen by a key logger
- USB flash drives
- Malicious web links, even sponsored ads at the top of a Google search
- Malicious Facebook ads
- Extra goodies in P2P downloads
- Instant messaging
- Redirected DNS queries
- Hijacked duplicate web site
- Phishing email
- Malicious web links in an email
- Email attachments

Page 5: Recognizing Email Scams SIRT IT Security Roundtable

What’s the big deal?

- 130+ K-State computers infected in November when people opened malicious email attachments – the same emails that hit campus in July and infected 100+ computers
- 289 spear phishing scams at K-State thus far in 2009, resulting in 421 compromised email accounts used to send spam
- These forms of “social engineering” are currently one of the most effective ways to compromise a computer and steal financial or personal identity information
- Information loss/theft (personal, institutional, passwords, account info)
- Identity theft
- Financial fraud

Page 6: Recognizing Email Scams SIRT IT Security Roundtable

It doesn’t just affect you

- When stolen K-State email accounts are used to send spam, K-State is seen as a spam source and sometimes ends up on spam block lists, such that ALL email from K-State to those email providers is blocked (examples include Hotmail, Gmail, Comcast, AT&T, Road Runner…) – a huge headache for faculty-student communication
- Compromised computers become part of a “botnet” used for illegal purposes
- A recent compromised K-State computer became a “botnet controller” that controlled 12,000 other compromised computers around the world
- Compromised computers are used to send spam, host scam web sites, spread malware, steal data, launch denial of service attacks, etc.
- One careless mouse click can affect thousands of other people, not just yourself

Page 7: Recognizing Email Scams SIRT IT Security Roundtable

What’s the big deal?

- Tactics are constantly changing, so you can’t let down your guard
- Malware is constantly changing, so anti-virus software can’t always prevent infection
- Technology can’t stop them all – you, the user, are critically important in our security defenses

Page 8: Recognizing Email Scams SIRT IT Security Roundtable

Definitions

- Malware – malicious software
- Virus, Worm, Trojan, etc. – types of malware; the specific definitions are not that important now, and “virus” is sometimes used as a catch-all for malware
- Keylogger – watches your keystrokes and intercepts data of interest; often sends it to the perpetrator. Typically looks for things like username/password, bank account info, credit card info
- Rootkit – malware that tries to hide the fact that it compromised the computer. Think of it as stealth malware.
- Spyware – watches your online activity and sends information about you or your habits to others without your informed consent
- Adware – automatically displays ads on your computer, usually in annoying pop-ups
- Scareware – tries to trick you into buying something of little or no value using shock, anxiety or threats (like Anti-virus 2008/2009). A common tactic is to claim your computer is infected and you have to buy their software to clean it up.

Page 9: Recognizing Email Scams SIRT IT Security Roundtable

Scareware examples

Page 10: Recognizing Email Scams SIRT IT Security Roundtable

Definitions

- Phishing – an attempt to acquire sensitive information by posing as a legitimate entity in an electronic communication
- Spear phishing – phishing that targets a specific group
- Social engineering – manipulating or tricking people into divulging private information
- Spam – unsolicited or undesired bulk email/messages

Page 11: Recognizing Email Scams SIRT IT Security Roundtable

Spear phishing example that targets K-State

Page 12: Recognizing Email Scams SIRT IT Security Roundtable

Let’s look at some examples

- Check the IT Security Threats blog for examples of spear phishing scams: threats.itsecurity.k-state.edu
- Analysis of actual scams received by people at K-State

Page 13: Recognizing Email Scams SIRT IT Security Roundtable

Most Effective Spear Phishing Scam

Page 14: Recognizing Email Scams SIRT IT Security Roundtable

Most Effective Spear Phishing Scam

Page 15: Recognizing Email Scams SIRT IT Security Roundtable

Most Effective Spear Phishing Scam

Page 16: Recognizing Email Scams SIRT IT Security Roundtable

Most effective spear phishing scam

- At least 62 replied with their password, 53 of which were used to send spam from K-State’s Webmail
- Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen
- Note the characteristics:
  - “From:” header is realistic: "Help Desk" <[email protected]>
  - Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”
  - Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”
  - Asks for “K-State eID” and password
  - Plausible story (accounts compromised by spammers!!)

Page 17: Recognizing Email Scams SIRT IT Security Roundtable

Another effective spear phishing scam

This one also tricked 62 K-Staters into giving away their eID password

Page 18: Recognizing Email Scams SIRT IT Security Roundtable

How to identify a scam

General principles:
- Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
- Use common sense and logic – if it’s too good to be true, it probably is.
- Think before you click – many have fallen victim due to a hasty reply
- Be paranoid
- Don’t be timid about asking for help from your IT support person or the IT Help Desk

Page 19: Recognizing Email Scams SIRT IT Security Roundtable

How to identify a scam

Characteristics of scam email:
- Poor grammar and spelling
- Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
- It asks for private information like a password or account number
- The message contains a link where the displayed address differs from the actual web address
- It is unexpected (you weren’t expecting Joe to send you an attachment)
- The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
- Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password and is signed only “Webmail administrator”

Page 20: Recognizing Email Scams SIRT IT Security Roundtable

How to identify a scam

- Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
- Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
- They take advantage of epidemics or health scares, like the H1N1 scam currently making the rounds
- Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
- If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
- Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
- Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious

Page 21: Recognizing Email Scams SIRT IT Security Roundtable

Real K-State Federal Credit Union web site

Fake K-State Federal Credit Union web site used in spear phishing scam

Page 22: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

- Watch for a displayed URL (web address) that does not match the actual one:
  displayed: http://update.microsoft.com/microsoftupdate
  actual: http://64.208.28.197/ldr.exe
- Beware of a link that executes a program (like ldr.exe above)
- Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html
- Some even use hexadecimal notation for the IP: http://0xca.0x27.0x30.0xdd/www.irs.gov/
- Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/

Page 23: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

- Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
  From: Capital One bank <[email protected]>
  URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
- IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan:

Page 24: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

- Beware of domains from unexpected foreign countries:
  Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
  Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
  Lithuania: http://kateka.lt/~galaxy/card.exe
  Hungary: http://mail.grosz.hu/walmart/survey/
  Romania: http://www.hostinglinux.ro/
  Russia: http://mpo3do.chat.ru/thanks.html
- MANY scams originate in China (country code = .cn)
- Country code definitions available at: www.iana.org/domains/root/db/index.html
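The link checks from the last three slides (displayed vs actual address, raw or hex IP hosts, links to executables, unexpected country codes, a real brand's domain buried inside someone else's) as a script a help desk could run on a pasted URL before anyone clicks it. This is an added example, not part of the original slides; the brand list and the set of unexpected country codes are assumptions to be tuned per site, and the crude "last two labels" domain rule is a simplification.

```python
import re
from urllib.parse import urlparse

# Brand keyword -> registrable domains that legitimately own it (assumption: a
# defender tunes this list for the brands their users actually bank or shop with).
PROTECTED_BRANDS = {
    "capitalone": {"capitalone.com", "capitalonebank.com"},
    "irs": {"irs.gov"},
    "microsoft": {"microsoft.com"},
}
# Country codes this organization does not expect mail links to lead to (assumption).
UNEXPECTED_CCTLDS = {"kg", "pk", "lt", "hu", "ro", "ru", "cn"}
EXECUTABLE_EXTS = re.compile(r"\.(exe|scr|pif|msi)$")

def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def host_is_ip(host):
    """True for dotted-decimal hosts and for the hex form 0xca.0x27.0x30.0xdd."""
    labels = host.split(".")
    if len(labels) != 4:
        return False
    try:
        octets = [int(x, 16) if x.lower().startswith("0x") else int(x) for x in labels]
    except ValueError:
        return False
    return all(0 <= o <= 255 for o in octets)

def analyze_link(actual_url, displayed_text=None):
    """Return the list of red flags for one link; an empty list means none found."""
    flags = []
    parsed = urlparse(actual_url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if displayed_text:  # the text the mail client shows vs. the real link target
        shown = displayed_text if "://" in displayed_text else "http://" + displayed_text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            flags.append(f"displayed host {shown_host} differs from actual host {host}")
    if host_is_ip(host):
        flags.append(f"host is a raw IP address ({host})")
    if EXECUTABLE_EXTS.search(path):
        flags.append(f"link downloads an executable ({path.rsplit('/', 1)[-1]})")
    tld = host.rsplit(".", 1)[-1]
    if tld in UNEXPECTED_CCTLDS:
        flags.append(f"hostname ends in unexpected country code .{tld}")
    reg = registered_domain(host)
    for keyword, owners in PROTECTED_BRANDS.items():
        if reg in owners:
            continue  # genuinely the brand's own domain, nothing to flag
        if any(label.startswith(keyword) for label in host.split(".")):
            flags.append(f"'{keyword}' appears in a hostname owned by {reg}")
        elif any(owner in path for owner in owners):
            flags.append(f"'{keyword}' domain appears in the path under {reg}")
    return flags

if __name__ == "__main__":  # the displayed/actual pair quoted on slide 22
    for flag in analyze_link("http://64.208.28.197/ldr.exe", "http://update.microsoft.com/microsoftupdate"):
        print("RED FLAG:", flag)
```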

Page 25: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

Analyze web links without clicking on them by copying the URL and testing it at these sites:
- Trend Micro’s Web reputation query – reclassify.wrs.trendmicro.com/wrsonlinequery.aspx
- McAfee SiteAdvisor (enter the URL on this web page – you don’t have to install their software): www.siteadvisor.com/

Page 26: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

Watch for malicious URLs cloaked by URL shortening services like:
- TinyURL.com
- Bit.ly
- CloakedLink.com

Page 27: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

- TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See http://tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
- Bit.ly has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious: addons.mozilla.org/en-US/firefox/addon/10297

Page 28: Recognizing Email Scams SIRT IT Security Roundtable

Can I click on this?

Page 29: Recognizing Email Scams SIRT IT Security Roundtable

Trend Micro Web Reputation Services is your friend

Page 30: Recognizing Email Scams SIRT IT Security Roundtable

So are the anti-phishing/malware features in Firefox and IE

Page 31: Recognizing Email Scams SIRT IT Security Roundtable

Evaluating attachments

- Saving it to your desktop without opening it or executing it is usually safe
- If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)
- If not detected, it is either OK or a new variant of malware
- Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)
- If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 39 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d

Page 32: Recognizing Email Scams SIRT IT Security Roundtable

Evaluating attachments

- If it is still undetected and obviously malicious because of the email it was attached to, submit it to K-State’s IT security team at www.k-state.edu/its/security/report/ so we can send it to Trend Micro for analysis
- Contact the sender to verify they sent it
- Ignore or delete it if it’s not expected or important
- Beware of executable files embedded in .zip attachments – a common way for hackers to send .exe files that would normally be deleted by email systems
- Potentially dangerous file types include .exe, .zip (depending on the file types in the .zip archive), .msi, .pif, .scr, .js, and even .pdf and (rarely) .doc

Page 33: Recognizing Email Scams SIRT IT Security Roundtable

Example of malicious email attachments

- Monday, July 13, 12:59pm – received first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
- Many more reports soon followed from around the world implicating many K-State IP addresses
- Many K-Staters started reporting receipt of the malicious emails too
- At least 113 K-State computers were infected/compromised when people opened the malicious attachment
- Was a new variant of malware, so Trend Micro OfficeScan did not detect it initially

Page 34: Recognizing Email Scams SIRT IT Security Roundtable

What happened?

- Four different emails with the following subjects:
  - Shipping update for your Amazon.com order 254-78546325-658742
  - You have received A Hallmark E-Card!
  - Jessica would like to be your friend on hi5!
  - Your friend invited you to twitter!
- Three (somewhat) different attachments:
  - Shipping documents.zip
  - Postcard.zip
  - Invitation card.zip
- At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
  - “attachment.pdf .exe”
  - “attachment.htm .exe”
  - “attachment.chm .exe”

Page 35: Recognizing Email Scams SIRT IT Security Roundtable

What happened?

- Harvested email addresses in address books and sent the same malicious emails to everyone – aka “mass mailing worm”; that’s why so many people at K-State received so many copies
- July 29 and August 7 – similar attacks with new variants of the malware that escaped anti-virus detection
- AGAIN (!!) on Nov. 5 – same four emails, new variant of malware, infected 130+ K-State computers

Page 36: Recognizing Email Scams SIRT IT Security Roundtable

Why was it so effective?

- Used familiar services: Amazon.com, Hallmark eCard greeting, Twitter
- Sensual enticement (“Jessica would like to be your friend on hi5!”)
- Somewhat believable replicas of legitimate emails
- Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)
- Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
- New variant that spread quickly, so initial infections were missed by antivirus protection
- I was too slow submitting samples to Trend (better the second and third time around)
- Malware/attachment filtering in Zimbra did not stop it
- Been a long time since an attack came by email attachment, so people were caught off-guard
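The padded-filename trick described on the last few slides, together with the risky file types listed under "Evaluating attachments", as a check that reports the red flags in a .zip attachment's member names without extracting or running anything. This is an added example, not part of the original slides; the archive is constructed in memory with harmless text, and the risky-extension set is the one the slide names.

```python
import io
import re
import zipfile

# File types the slides call potentially dangerous (.zip itself is what we open).
RISKY_EXTS = {".exe", ".msi", ".pif", ".scr", ".js"}
# Two or more spaces right before the final extension, as in "attachment.pdf      .exe".
PADDED_NAME = re.compile(r"\S\s{2,}\.\w{1,4}$")


def inspect_member_name(name):
    """Return the red flags for one archive member name (empty list = nothing suspicious)."""
    flags = []
    base = name.rsplit("/", 1)[-1]  # strip any folder path inside the zip
    ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
    if ext in RISKY_EXTS:
        flags.append(f"executable or script type {ext}")
    if PADDED_NAME.search(base):
        flags.append("whitespace padding pushes the real extension out of view")
    stem = base.rsplit(".", 1)[0].rstrip()
    if "." in stem and ext in RISKY_EXTS:
        flags.append(f"double extension: looks like .{stem.rsplit('.', 1)[-1]} but is {ext}")
    return flags


def inspect_zip_attachment(data):
    """Map each member name of a zip (given as bytes) to its red flags; {} means clean."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = inspect_member_name(info.filename)
            if flags:
                findings[info.filename] = flags
    return findings


def build_sample_zip(names):
    """Constructed sample: a zip whose members have the given names and harmless text inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder text, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["attachment.pdf          .exe", "readme.txt"])
    for member, flags in inspect_zip_attachment(sample).items():
        print(repr(member), "->", "; ".join(flags))
```

Only the names are inspected, so the check is safe to run on an attachment that the desktop anti-virus has not yet recognized.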

Page 37: Recognizing Email Scams SIRT IT Security Roundtable

Malicious Hallmark E-Card

Page 38: Recognizing Email Scams SIRT IT Security Roundtable

Legitimate Hallmark E-Card

Page 39: Recognizing Email Scams SIRT IT Security Roundtable

Malicious Amazon Shipping Notice

Page 40: Recognizing Email Scams SIRT IT Security Roundtable

Legitimate Amazon Shipping Notice

Page 41: Recognizing Email Scams SIRT IT Security Roundtable

Malicious Twitter Invitation

Page 42: Recognizing Email Scams SIRT IT Security Roundtable

Legitimate Twitter Invitation

Page 43: Recognizing Email Scams SIRT IT Security Roundtable

What can we do?

- Remember – Hallmark, amazon.com, Twitter, etc. do not send info in attachments
- Don’t open an attachment unless you are expecting it and have verified with the sender
- Analyze attachments before opening them
- Think before you click
- Be paranoid!

Page 44: Recognizing Email Scams SIRT IT Security Roundtable

Reporting scams

- Send spear phishing scams that target K-State specifically to [email protected]
- Send them with “full headers” (in webmail: highlight the message, right click, select “Show Original”, copy everything in the resulting window and paste it into an email to [email protected])
- To get full headers in other email clients: www.haltabuse.org/help/headers/index.shtml
- Don’t send generic run-of-the-mill scams to [email protected] unless it’s something particularly threatening to K-Staters

Page 45: Recognizing Email Scams SIRT IT Security Roundtable

Reporting scams

- Submit suspicious files/attachments to www.k-state.edu/its/security/report/ (don’t try to send them in email since they may get filtered)
- Can report scams/fraud/crimes to the federal government:
  - FBI’s Internet Crime Complaint Center – www.ic3.gov/
  - FTC’s OnGuardOnline – www.onguardonline.gov/file-complaint.aspx
- ALWAYS report suspected child pornography to the police (K-State or Riley County)

Page 46: Recognizing Email Scams SIRT IT Security Roundtable

Useful sources of information

- Google – search for a unique phrase in the suspected scam to see what others are reporting about it
- Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
- Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
- Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
- K-State’s IT security web site, updated regularly: SecureIT.k-state.edu
- Current threats and spear phishing scams posted on K-State’s IT threats blog: threats.itsecurity.k-state.edu/

Page 47: Recognizing Email Scams SIRT IT Security Roundtable

What’s on your mind?