IconixTruemark's Blog

Hackers For Hire

iconixtruemark — Thu, 26 Jan 2012 20:39:38 +0000

When we think of hacking passwords, the image that comes to mind is that of technically savvy geniuses who use super high-tech tools, fancy computers, and whiz-bang software to crack the password. Like Tim and Abby from the popular CBS television show NCIS:

How do real hackers crack passwords? In “Hackers for Hire Are Easy to Find“, The Wall Street Journal reports:

[T]he IHG [hacking] service worked like this: It requested the target person’s email address, the names of friends or colleagues, and examples of topics that interest them. The hackers would then send an email to the target that sounded as if it came from an acquaintance, but which actually installed malicious software on the target’s computer. The software would let the hackers capture the target’s email password.

Real hackers don’t use super smart technology to crack the code. They use social engineering to create highly relevant emails from apparently trusted sources — spearphishing. Attacking systems is hard. Attacking people is easy. That is why bad guys Target the Human.

How long does it take to hack passwords using this method? How much does it cost? Who does this work? The Wall Street Journal reports:

One such site, hiretohack.net, advertises online services including being able to “crack” passwords for major email services in less than 48 hours. It says it charges a minimum of $150, depending on the email provider, the password’s complexity and the urgency of the job. The site describes itself as a group of technology students based in Europe, U.S. and Asia.

Apparently there is a lot of demand for hacking-for-hire services. New York magazine reports that the IHG hackers cited by The Wall Street Journal made more than $200,000 in thirteen months.

Zappos Hacked: Customers Beware Phishing Scams

iconixtruemark — Mon, 16 Jan 2012 21:56:34 +0000

It is being widely reported in the press that an estimated 24 million Zappos user accounts have been compromised.

Mashable reports:

Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.

The bad guys now have very useful information with which to craft very convincing fake email. What they cannot do is use the real Zappos’s email servers. You can easily identify real email really coming from Zappos by using a tool to identify real email. You need eMail ID from Iconix.

Know Who. No Doubt. Use eMail ID.

U.S. Government Agencies Targeted By Malware

iconixtruemark — Mon, 16 Jan 2012 18:04:55 +0000

Mashable has posted a video describing the latest twist on the Sykipot targeted attack.

As an added layer of IT defense, the U.S. Government has adopted smart cards control access to data systems. In this attack, the hackers attack the users by sending spearphishing emails that install malware which hijacks the smart cards. Once activated, the malware by-passes the smart card protection.

The technical details are reported by AlienVault. AlienVault concludes:

As defenses get better, attackers will continue to change their tactics to adapt, and as seen here, will hijack the very systems designed to provide more security, if necessary. An interesting by-product of this malware’s necessity of having the card physically present is that attackers can only leverage it for secure authentication to target systems, during times that the user them is physically present at the workstation, making unauthorized activity that much more difficult to discern from legitimate usage. Although smart cards are designed to provide a two factor system of ‘chip and pin’, again we see that true two-factor authentication is not possible without a physical component that is not accessible digitally.

Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human is available now from Iconix. That tool is SP Guard from Iconix.

SP Guard provides the recipient with three confirmations that a message is real:

List View. There is an integrity indicator in the list view of the email client.
Message. The open message has a further indicator of authenticity.
Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement. This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.

IRS Email Warns Of Phishing — Is the Warning Phishing?

iconixtruemark — Thu, 12 Jan 2012 21:25:36 +0000

Today the IRS issued its Tax Tip 2012-08 warning about phishing scams aimed at US taxpayers. Subscribers to IRS information services received an email about the warning.

This is a screen shot of the email:

Is this a real IRS email? Did you notice these odd things about it?

Why would I open such an obviously fake email? Because it isn’t fake — it is real. I know it is real because I use the products of Iconix. This is what my display looks like with SP Guard turned on:

The IRS really made spelling errors and the IRS really sends emails from the domain govdelivery.com.

Know Who. No Doubt. Use Email ID and SP Guard.

IRS Issues Phishing Warning

iconixtruemark — Thu, 12 Jan 2012 20:36:31 +0000

Today the IRS issued Tax Tip 2012-08 warning about phishing attacks. We reproduce it here as a public service.

Don’t be Scammed by Cyber Criminals

IRS TAX TIP 2012-08, January 12, 2012The Internal Revenue Service receives thousands of reports each year from taxpayers who receive suspicious emails, phone calls, faxes or notices claiming to be from the IRS. Many of these scams fraudulently use the IRS name or logo as a lure to make the communication appear more authentic and enticing. The goal of these scams – known as phishing – is to trick you into revealing your personal and financial information. The scammers can then use your information – like your Social Security number, bank account or credit card numbers – to commit identity theft or steal your money.

Here are five things the IRS wants you to know about phishing scams.

The IRS never asks for detailed personal and financial information like PIN numbers, passwords or similar secret access information for credit card, bank or other financial accounts.
The IRS does not initiate contact with taxpayers by email to request personal or financial information. If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site:• Do not reply to the message.
• Do not open any attachments. Attachments may contain malicious code that will infect your computer.
• Do not click on any links. If you clicked on links in a suspicious e-mail or phishing website and entered confidential information, visit the IRS website and enter the search term ‘identity theft’ for more information and resources to help.
The address of the official IRS website is www.irs.gov. Do not be confused or misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. If you discover a website that claims to be the IRS but you suspect it is bogus, do not provide any personal information on the suspicious site and report it to the IRS.
If you receive a phone call, fax or letter in the mail from an individual claiming to be from the IRS but you suspect they are not an IRS employee, contact the IRS at 1-800-829-1040 to determine if the IRS has a legitimate need to contact you. Report any bogus correspondence. You can forward a suspicious email to phishing@irs.gov.
You can help shut down these schemes and prevent others from being victimized. Details on how to report specific types of scams and what to do if you’ve been victimized are available at www.irs.gov. Click on “phishing” on the home page.

Links:

YouTube Videos:

Phishing Scams – English | Spanish | ASL

Targeted Attacks – Harden the Human Target

iconixtruemark — Wed, 11 Jan 2012 20:17:32 +0000

In order to compromise data networks, a point of entry is required. An effective point of entry is the people who use the systems. The Wall Street Journal‘s recent article, You Are A Security Risk, provides a nice discussion of this topic. Ironically, the criminals use publicity about cyber intrusions to dupe careful people into their trap. For example, there is a fake security alert purporting to be from CERT. There is another current targeted attack using emails allegedly from the Stratfor’s CEO George Friedman, urging recipients to provide personal information in response to the recent compromise of Stratfor by cyberattackers.

Equally frightening is how effectively the malware that is installed evades detection by security software. We saw this in the recent compromise of the U.S. Chamber of Commerce, in which the FBI, and not internal security measures, alerted the Chamber to the problem. The Chamber is not alone in being unable to detect compromised systems. Kevin Mandia, CEO of Mandiant Corporation, recently testified as follows before the U.S. Congress:

we routinely witness attackers circumvent conventional safeguards deployed to prevent and detect security breaches. Virtually all of these intrusions belong to the growing subset of advanced threats that usually evade off-the-shelf technologies that American corporations rely upon – often times exclusively – for their defense. In fact, in over 90% of the cases we have responded to, Government notification was required to alert the company that a security breach was underway. In our last 50 incidents, 48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense or some other third party.

SP Guard provides the recipient with three confirmations that a message is real:

List View. There is an integrity indicator in the list view of the email client.
Message. The open message has a further indicator of authenticity.
Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.

Targeted Attack Seeks US Drone Technology

iconixtruemark — Wed, 04 Jan 2012 18:19:04 +0000

Nextgov is reporting that someone has been conducting a targeted attack against federal agencies and contractors. It appears that the attackers are trying to infiltrate aircraft designers’ computers in order to spy on the U.S. government’s plans for remotely piloted aircraft. Alienvault Labs has studied this attack, dubbed “Sykipot”, and reported on it in detail. Alienvault Labs found:

The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit to key employees of different organizations.

The attack, which has been running since at least September of 2011, uses images such as these as bait to attack the victims.

After installation, the malware takes orders from the attackers’ command and control server. The hacker can extract documents from the victims’ machines or insert phony materials.

Alienvault Labs observes:

It’s true that the piece of malware isn’t too sophisticated, but it is related with at least six zero-day attacks that require skills and/or money. Anyway we have been seeing that “not too sophisticated malware” works, see Shady RAT for instance that targeted organizations ranging from defense contractors to accounting firms.

What can be done to defend the against spearphishing? Potential victims can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard provides the recipient with three confirmations that a message is real:

List View. There is an integrity indicator in the list view of the email client.
Message. The open message has a further indicator of authenticity.
Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342 , ext 3 or use our online form.

Apple Phishing Scam Alert

iconixtruemark — Thu, 29 Dec 2011 16:51:07 +0000

CNET is warning about a phishing scam in which the bad guys are sending emails that are fake billing error notices from Apple.

CNET reports that unlike other Apple phishing scams, in this scam the bad guys have created a reasonably convincing fake. The grammar and spelling are correct and the message is formatted to look like a real Apple message. The email address that is displayed looks like it could be from Apple – ”appleid@id.apple.com.” However, it isn’t real. Following the links will land at a fake Apple website that also looks pretty convincing. The fake Apple website requests your Apple ID and password. It then prompts you to update your personal data, including your credit card information. DON”T DO IT!

CNET provides useful advice on detecting the scam. CNET explains how to unwind URLs and then how to compare the fake URLs to real Apple URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URL’s is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who. No Doubt. Use eMail ID.

2012 Cyberattacks Predicted by IID

iconixtruemark — Fri, 23 Dec 2011 18:56:35 +0000

IID has released its predictions of the big cyberattacks for 2012. Of the 5 predicted cyberthreats, 4 depend upon phishing scams for their evil success.

Here’s the IID predictions:

1) Phishing – London Summer Olympics cyber attacks — Cybercriminals will try to capitalize on the Olympics by tricking people into installing malware with phishing scams impersonating the Summer Olympics official website and/or official Summer Olympics vendors. Once malware is on a victim’s computer, the miscreants can monitor or control both personal and business computer activity — enabling them to steal data, send spam, and commit fraud.

2) Phishing – Elections altered — The 2012 U.S. presidential election year will create opportunities for deceiving voters and other skullduggery. Cybercriminals are expected to impersonate voting websites and political emails with phishing and malware attacks. Many U.S. states allow military and overseas voting via the Internet — creating the opportunity to alter votes. There are also concerns about the security of voting machines.

3) Phishing – 12/21/2012 danger — The Mayan “end of times” of December 21, 2012 will allow bad guys to play into this fear through targeted phishing and malware attacks playing on people’s heightened awareness surrounding 12/21/2012.

4) Internet infrastructure attacks for financial gain — While hacktivism will persist, expect DNS (Domain Name System) and BGP (Border Gateway Protocol) attacks for financial gain to grab headlines in 2012. The December 2010 DNS hijacking of large European payment processor ChronoPayis an example of this theat. More details surrounding this attack can be found at www.internetidentity.com/images/stories/docs/ecrime_trends_report-q4-2010_by_iid.pdf.

5) Spearphishing - Infrastructure Attacks. IID predicts attacks on physical infrastructure attacks. The Stuxnet hack caused substantial damage to the Iranian nuclear program. The recently discovered DUQU hack is distributed by spearphishing.

This is an interesting forecast. While it is hard to predict the precise events and vulnerabilities that the badguys will use, there is little doubt that clever criminals will use current events and zero day exploits to cause havoc.

Spearphishers Compromise U.S Chamber of Commerce

iconixtruemark — Wed, 21 Dec 2011 16:33:31 +0000

The Wall Street Journal is reporting that Chinese hackers accessed data of the U.S. Chamber from November of 2009 until May of 2010. Using a network of over 300 IP addresses, the hackers gained access to everything stored on its systems, including information about its three million members and lobbying efforts of the Chamber. The attack probably started with a spearphishing email.

The Wall Street Journal summarized the data breach in a graphic:

You can view the original graphic by clicking here.

What can be done to defend the enterprise against spearphishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard provides the recipient with three confirmations that a message is real:

List View. There is an integrity indicator in the list view of the email client.
Message. The open message has a further indicator of authenticity.
Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.