Back From Vacation, China Renews Simple, But Effective, Cyberattacks

May 20, 2013

The New York Times is reporting that Unit 61398, the Chinese cyber-espionage unit that has stolen vast amounts of data from western governments and industry, has returned to its old tricks. Following the release of the Mandiant report in February 2013, the unit disappeared from the internet. However, they have now returned to the web, operating at 60% to 70% of the level at which they were working before Mandiant exposed them. Quoting Crowdstrike, the NYT reports that it is “business as usual” for the Chinese hackers.

Reporting on the same story, Computerworld observes that what Unit 61398 is doing is not technically sophisticated. And this is the real lesson to be learned from Unit 61398. The Chinese are not using advanced cybertechnology to infiltrate our systems and steal our secrets — they are using simple, but effective tools. Quoting John Pescatore, director of emerging security trends at the SANS Institute:

It’s not that the Chinese have some unbeatable way of breaking into a network. What is innovative is their targeting.

What is that targeting?  This diagram shows how it works:


Simple, but effective.

At Iconix, our goal is to make this threat vector less effective. Spearphishers deceive employees into making bad email decisions that compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.

You can contact us at 408-727-6342, ext. 3 or use our online form.


2013 Security Threats — Websense

November 16, 2012

Websense has released a comprehensive prediction of the security threats for the coming year. We recommend that anyone interested in the evolving threats and tactics being used to attack systems read this comprehensive report.

Because Iconix is an email security company, we focused on the email predictions.  Websense predicts that email will continue to be a favorite means of attack. For consumers, this means more deceptive emails that leverage important recurring events (tax time, elections, etc.), current events and clever trickery to lure people into giving up money or credentials.  On the enterprise side, spearphishing will be used to deliver more technically advanced malware that evades detection. Websense provides this foreboding warning:

There are a number of other reasons behind the CSOs’ concern about spear-phishing. For example, most security solutions are designed around a “sacrificial lamb” model where some user, somewhere, must become the first victim. Even behavioral and next-gen technology lacks enough information in the early stages to tell if the “result” will be bad, so they have to wait for something “bad” to happen. Only then do they evaluate the events that led up to the first breach. For normal mass-market threats, the chance that someone in your own organization will be the first victim is small. For a spear-phishing attack, it is 100 percent.

At Iconix, we don’t subscribe to the sacrificial lamb model. We believe that prevention is an important layer in a multi-layer defensive strategy. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext. 3 or use our online form.


Iconix Whitepaper – DMARC

March 5, 2012

Today Iconix released its whitepaper, “DMARC – Less Than Meets The Eye.”  In this whitepaper, Iconix discusses the limitations of DMARC in solving the problem of deceptive emails. 

In the whitepaper, Iconix focuses on Section 2.2 of the DMARC spec. Iconix discusses how, while the DMARC standard is important, it addresses only one technical avenue exploited by the creators of deceptive email.

You can download a copy of the whitepaper here.


DMARC Goes Live

January 31, 2012

Yesterday, dmarc.org released the new DMARC standard for email.  Contributors to the DMARC standard include Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, TDP, and Yahoo!.

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.”  DMARC provides important extensions to the existing email authentication standards by providing automated and standardized methods to process messages that fail email authentication. DMARC explains the significance of this enhancement:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Let’s look at an example. If a phisher spoofs “paypal.com”, the real email domain of PayPal, the bad guy cannot send email from PayPal’s email servers. Because the bad guy can’t use the real email servers, the fake paypal.com email will fail authentication. Before DMARC, webmail services such as Hotmail, Yahoo! Mail, AOL Mail and Gmail lacked a systematic way for senders to tell them what to do with emails that failed authentication. This is where DMARC comes into play. If PayPal is using DMARC, webmail providers will know that PayPal wants them to reject the fake “paypal.com” email.

Let’s look at another example. What does DMARC do if a phisher uses a deceptive email address instead of “paypal.com”? Consider the example of paypa1.com, where the last letter is really the number one instead of the letter el. Because the deceptive domain is not paypal.com, the deceptive domain is not governed by the authentication records of paypal.com or the DMARC instructions for paypal.com. The authentication records and DMARC instructions for paypal.com govern only paypal.com and not the other hundreds of millions of domains that exist and will be created. DMARC will have no impact on paypa1.com emails.

While DMARC can deny bad guys the use of the actual domains of trusted senders, DMARC cannot stop bad guys from using domains that are not the actual domains of trusted senders. DMARC will not stop pay-pal.com, fasebook.com, or the myriad of other deceptive domains that bad guys will dream up. DMARC is useful because it:

  • allows senders to specify handling policies about messages that fail authentication, and
  • provides feedback that can help senders improve their authentication accuracy,

but it only addresses one of many doors that phishers use to get into the inbox.
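To make the two examples above concrete, here is a minimal DMARC disposition check. It is an added illustration, not code from dmarc.org or from Iconix, and it uses a constructed in-memory table in place of real DNS lookups of `_dmarc.<domain>`; the alignment rule is a simplification of the spec’s relaxed mode (a real receiver would use the Public Suffix List to find the organizational domain). Note how a policy published for paypal.com never applies to paypa1.com, because the receiver looks up the From domain exactly as written.

```python
# Added example: a minimal DMARC disposition check over a constructed DNS table.
# Not from the DMARC spec or from Iconix; for illustration only.
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups. Real receivers query _dmarc.<domain>.
FAKE_DNS_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
}

@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain, the one the user sees
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= tag of a DKIM signature that verified

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lookup_policy(domain, dns=FAKE_DNS_TXT):
    """Return the DMARC tags for exactly this domain, or None if none is published."""
    txt = dns.get("_dmarc." + domain.lower())
    if txt is None:
        return None
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None   # malformed or missing policy tag: treat as unpublished
    return tags

def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: identical, or one is a subdomain of the other.
    (The spec compares organizational domains via the Public Suffix List.)"""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(r, dns=FAKE_DNS_TXT):
    """'pass' when an aligned SPF or DKIM result passes; otherwise the sender's
    requested action ('reject', 'quarantine' or 'none'); 'no-policy' when the
    From domain has published no DMARC record at all (the paypa1.com case)."""
    policy = lookup_policy(r.from_domain, dns)
    if policy is None:
        return "no-policy"
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain)
    return "pass" if (spf_ok or dkim_ok) else policy["p"]
```

A spoofed paypal.com message that fails both SPF and DKIM returns "reject", the policy PayPal asked for; a message from paypa1.com returns "no-policy", and DMARC has nothing to say about it.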

To deal with all the doors leading to your inbox, you need more. You need a service that can distinguish real from fake for leading consumer brands, regardless of the methods that phishers use. You need eMail ID from Iconix.

Know Who. No Doubt. Use eMail ID.


Zappos Hacked: Customers Beware Phishing Scams

January 16, 2012

It is being widely reported in the press that an estimated 24 million Zappos user accounts have been compromised.

Mashable reports:

Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.

The bad guys now have very useful information with which to craft very convincing fake email. What they cannot do is use Zappos’s real email servers. You can easily tell which email really comes from Zappos by using a tool that identifies real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


IRS Email Warns Of Phishing — Is the Warning Phishing?

January 12, 2012

Today the IRS issued its Tax Tip 2012-08 warning about phishing scams aimed at US taxpayers.   Subscribers to IRS information services received an email about the warning.

This is a screen shot of the email:

Is this a real IRS email?  Did you notice these odd things about it?

Why would I open such an obviously fake email?  Because it isn’t fake — it is real.  I know it is real because I use the products of Iconix.  This is what my display looks like with SP Guard turned on:

The IRS really made spelling errors and the IRS really sends emails from the domain govdelivery.com.

Know Who.  No Doubt.   Use Email ID and SP Guard.


IRS Issues Phishing Warning

January 12, 2012

Today the IRS issued Tax Tip 2012-08 warning about phishing attacks.  We reproduce it here as a public service.

Don’t be Scammed by Cyber Criminals

IRS TAX TIP 2012-08, January 12, 2012

The Internal Revenue Service receives thousands of reports each year from taxpayers who receive suspicious emails, phone calls, faxes or notices claiming to be from the IRS. Many of these scams fraudulently use the IRS name or logo as a lure to make the communication appear more authentic and enticing. The goal of these scams – known as phishing – is to trick you into revealing your personal and financial information. The scammers can then use your information – like your Social Security number, bank account or credit card numbers – to commit identity theft or steal your money.

Here are five things the IRS wants you to know about phishing scams.

  1. The IRS never asks for detailed personal and financial information like PIN numbers, passwords or similar secret access information for credit card, bank or other financial accounts.
  2. The IRS does not initiate contact with taxpayers by email to request personal or financial information. If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site:
    • Do not reply to the message.
    • Do not open any attachments. Attachments may contain malicious code that will infect your computer.
    • Do not click on any links. If you clicked on links in a suspicious e-mail or phishing website and entered confidential information, visit the IRS website and enter the search term ‘identity theft’ for more information and resources to help.
  3. The address of the official IRS website is www.irs.gov. Do not be confused or misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. If you discover a website that claims to be the IRS but you suspect it is bogus, do not provide any personal information on the suspicious site and report it to the IRS.
  4. If you receive a phone call, fax or letter in the mail from an individual claiming to be from the IRS but you suspect they are not an IRS employee, contact the IRS at 1-800-829-1040 to determine if the IRS has a legitimate need to contact you. Report any bogus correspondence.  You can forward a suspicious email to phishing@irs.gov.
  5. You can help shut down these schemes and prevent others from being victimized. Details on how to report specific types of scams and what to do if you’ve been victimized are available at www.irs.gov. Click on “phishing” on the home page.



Apple Phishing Scam Alert

December 29, 2011

CNET is warning about a phishing scam in which the bad guys are sending emails that are fake billing error notices from Apple.


CNET reports that unlike other Apple phishing scams, in this scam the bad guys have created a reasonably convincing fake. The grammar and spelling are correct and the message is formatted to look like a real Apple message. The email address that is displayed looks like it could be from Apple – “appleid@id.apple.com.” However, it isn’t real. Following the links will land you at a fake Apple website that also looks pretty convincing. The fake Apple website requests your Apple ID and password. It then prompts you to update your personal data, including your credit card information. DON’T DO IT!

CNET provides useful advice on detecting the scam. CNET explains how to unwind URLs and then how to compare the fake URLs to real Apple URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


2012 Cyberattacks Predicted by IID

December 23, 2011

IID has released its predictions of the big cyberattacks for 2012. Of the 5 predicted cyberthreats, 4 depend upon phishing scams for their success.

Here are the IID predictions:

1) Phishing – London Summer Olympics cyber attacks — Cybercriminals will try to capitalize on the Olympics by tricking people into installing malware with phishing scams impersonating the Summer Olympics official website and/or official Summer Olympics vendors.  Once malware is on a victim’s computer, the miscreants can monitor or control both personal and business computer activity — enabling them to steal data, send spam, and commit fraud.

2) Phishing – Elections altered — The 2012  U.S. presidential election year will create opportunities for deceiving voters and other skullduggery.  Cybercriminals are expected to  impersonate voting websites and political emails with phishing and malware attacks.  Many U.S. states allow military and overseas voting via the Internet — creating the opportunity to alter votes.  There are also concerns about the security of voting machines.

3) Phishing – 12/21/2012 danger — The Mayan “end of times” of December 21, 2012 will allow bad guys to play into this fear through targeted phishing and malware attacks playing on people’s heightened awareness surrounding 12/21/2012.

4) Internet infrastructure attacks for financial gain — While hacktivism will persist, expect DNS (Domain Name System) and BGP (Border Gateway Protocol) attacks for financial gain to grab headlines in 2012. The December 2010 DNS hijacking of large European payment processor ChronoPay is an example of this threat. More details surrounding this attack can be found at www.internetidentity.com/images/stories/docs/ecrime_trends_report-q4-2010_by_iid.pdf.

5) Spearphishing – Infrastructure attacks — IID predicts attacks on physical infrastructure. The Stuxnet hack caused substantial damage to the Iranian nuclear program. The recently discovered DUQU hack is distributed by spearphishing.

This is an interesting forecast. While it is hard to predict the precise events and vulnerabilities that the bad guys will use, there is little doubt that clever criminals will use current events and zero-day exploits to cause havoc.


FBI Denver Cyber Squad Warns of New Phishing Campaign

December 2, 2011

The FBI Denver Cyber Squad issued the following warning on November 23, 2011:

With the holiday shopping season upon us, the FBI Denver Cyber Squad would like to advise citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores. The campaign involves a variant of the “Zeus” malware called “Gameover.” The spam campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication.

After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found). A portion of the wire transfers (not all) are being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).

Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as “pending” and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.

The FBI in Denver is asking all consumers to be cautious of opening communications from senders that would not normally send you e-mail or are not from the normal sender e-mail address.

This is the link to the original FBI Press Release:  http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign

