Phisher Attempts to Blackmail Marriott

November 29, 2011

Dark Reading reports that a Hungarian man has pleaded guilty in a phishing scheme to blackmail Marriott.  The plea was entered on Nov. 23, 2011.

The man, Attila Nemeth, 26, used data he stole from Marriott in an effort to force them to hire him into the IT department.  Dark Reading summarized the scam:

The case puts a whole new spin on the targeted attack; rather than trying to cash in on the intelligence or use it for competitive purposes, the perpetrator used it as leverage. Nemeth’s methods were similar to those of advanced persistent threat (APT) attackers: He got a foot in the door of Marriott’s computers by targeting some of its employees with spear-phishing emails. Marriott did not publicize details about what happened next, but one or more of the users appear to have fallen for the phony emails and either opened infected documents or a link that silently installed a backdoor on Marriott’s systems.

On Nov. 11, 2010, Nemeth contacted Marriott’s HR department by email and told them that he had been able to compromise their systems and steal confidential information.  He warned Marriott that if they did not give him a job maintaining their systems, he would disclose the confidential information he had stolen.  Two days later he followed up the threat with an email that contained stolen documents.

On November 18, 2010, Marriott called on the U.S. Secret Service.  The Secret Service set up a sting operation in which an agent pretended to be a Marriott HR employee.  Dark Reading reports:

Nemeth fell for it: He telephoned and emailed the undercover agent, continuing his threats to release the private Marriott documents. Then he emailed the agent his passport and volunteered to meet in the U.S., which they did on Jan. 17, 2011.

Nemeth assumed he was meeting the Marriott “employee” for a job interview, where he admitted his alleged crimes of hacking and stealing Marriott files and threatening them with exposing the data if they didn’t give him a job. Meanwhile, he also demonstrated how he got into the Marriott network and showed where he stored the data on a server back in Hungary.

Nemeth will be sentenced on Feb. 3, 2012 and faces 10 years in federal prison for transmission of malicious code and 5 years for attempted blackmail.

Although Nemeth failed to extort Marriott, the scheme was very costly to Marriott.  Federal prosecutors alleged that the security breach cost Marriott between $400,000 and $1 million dollars in salaries, consultant expenses and other costs to determine the extent of the compromise of its computers and to identify the compromised data.

While Nemeth did not demonstrate the best way to seek an IT job, he provides a powerful reminder that social engineering deceives the email recipients into becoming the agents of the criminals.  What can be done to defend the enterprise against spearphishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Phishers Use Cyber Monday for Scams

November 29, 2011

Computerworld reports that cybercriminals are using phishing scams to rip off consumers during this holiday shopping season.  The bad guys are spoofing legitimate messages from real companies in order to deceive consumers.  The criminals are sending fake shipping confirmations, fake Groupon and Living Social offers and fake social traffic.  A common scam is a fake email about problems with a transaction, such as a delivery problem, a canceled order or a direct deposit.  Cloudmark has reproduced this example of a fake UPS email:

Computerworld quotes Cloudmark engineering director Angela Knox about details of the UPS-based phishing scam.  This phishing scam lures recipients into either opening an attachment or clicking on a link to infect machines with malware.

“We’ve seen a number of variants in this campaign, some with attachments, some with no attachments and bad links, all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic ‘UPS Customer Services,’” said Knox in a blog post today.

The attached files are actually .zip archives that contain malware, said Knox, while the links lead to compromised or hacker-controlled websites that host attack code.

“With Cyber Monday kicking off the online holiday shopping frenzy, online shoppers should remember to be vigilant about any email message that they receive,” said Knox.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


Xbox Live Phishing Scam — Microsoft Reimburses Ripped-off Users

November 25, 2011

The Guardian is reporting that Microsoft is giving refunds to Xbox Live subscribers who may have had their credit card information stolen in a phishing scam.   The Guardian describes the scam in its November 22, 2011 edition:

Reports are proliferating of Xbox Live users checking the credit card and bank account statements which they use to pay their Xbox Live subscriptions, and discovering payments which they did not make, generally over a period of months, which were used to buy Microsoft Points (the service’s currency which enables users to purchase extra downloadable content, games and in-game objects) which were then cashed in to buy downloadable content from EA Sports – specifically Ultimate Team Packs for its games FIFA 12, Madden and NBA.

EA provides more details about the scam on its website.

You receive an email that appears to be from EA concerning an Ultimate Team promotion. You click on the link in the email, go to what appears to be the Ultimate Team login page, and enter your account name and password. Two days later you discover all the gold players you’ve worked so hard for have disappeared.

This is the fake website that is launched from the phishing email:

EA advised that the official EA website uses the following URL: http://www.ea.com/. Any other similar-looking URL is not official and should not be clicked on.

As this image from the EA website shows, the difference between the scam website and the real website is extremely subtle.

This is a close-up of the URLs.
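The lookalike URL in this scam works because people (and naive filters) see "ea.com" somewhere in the address and stop reading. The following is an added example, not code from the original post or from EA or Iconix, that contrasts a substring check with a check on the actual registrable domain of the hostname. The allowlist and the two-label public-suffix table are constructed stand-ins, not a full Public Suffix List; the lookalike addresses are made up for illustration.

```python
"""Compare a naive 'does the address mention ea.com?' test with a
hostname-based allowlist check on constructed lookalike URLs."""
from urllib.parse import urlsplit

# Assumption: constructed allowlist of registrable domains the reader trusts.
OFFICIAL_DOMAINS = {"ea.com"}
# Assumption: minimal stand-in for the Public Suffix List (multi-label suffixes).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def naive_looks_official(url: str) -> bool:
    """The weak check: a substring match that most lookalikes pass."""
    return "ea.com" in url.lower()


def host_of(url: str) -> str:
    """Hostname only: drops scheme, userinfo ('ea.com@evil'), port and path."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds a netloc after a scheme
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registered_domain(host: str) -> str:
    """Registrable part of a hostname (eTLD+1): 'www.ea.com' -> 'ea.com'."""
    labels = host.split(".")
    for n in (2, 1):  # try 'co.uk'-style suffixes first, then a plain TLD
        suffix = ".".join(labels[-n:])
        if n == 1 or suffix in MULTI_LABEL_SUFFIXES:
            return ".".join(labels[-(n + 1):]) if len(labels) > n else host
    return host


def has_non_ascii(host: str) -> bool:
    """Non-ASCII labels may hide homoglyphs (Cyrillic 'е' for Latin 'e')."""
    return any(ord(c) > 127 for c in host)


def classify(url: str) -> str:
    """'official', 'not official', 'suspicious: ...' or 'invalid'."""
    host = host_of(url)
    if not host:
        return "invalid"
    if has_non_ascii(host):
        return "suspicious: non-ASCII hostname"
    if registered_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    return "not official"


if __name__ == "__main__":
    # Constructed samples: one real address and several lookalike patterns.
    for sample in (
        "http://www.ea.com/ultimate-team",
        "http://www.ea.com.promo-login.example/",   # trusted name as a subdomain
        "http://www.ea.com@promo-login.example/",   # trusted name as userinfo
        "http://ea-com.example/",                   # punctuation swap
        "http://\u0435a.com/",                      # Cyrillic first letter
    ):
        print(f"{sample:45} naive={naive_looks_official(sample)!s:5} "
              f"host-check={classify(sample)}")
```

The substring check accepts the first three addresses; only the hostname check rejects the subdomain and userinfo tricks, and the non-ASCII guard catches the homoglyph case that no string comparison against "ea.com" would.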

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Being conversant with all the real URLs is impossible.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


Cyber Security Awareness Month Fails to Deter Phishers – RSA

November 17, 2011

RSA’s recently released report Cyber Security Awareness Month Fails to Deter Phishers explains that despite efforts to increase awareness and fight phishing, deceptive emails continue to be a major problem.

Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals. RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

RSA shows the recent growth of phishing:

RSA Tracks Phishing

You should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Unless you have the right tool.

Know Who.  No Doubt.  Use eMail ID.


University of Delaware Spearphishing Attack

November 11, 2011

Demonstrating that a little bit of personal information goes a long way for cybercriminals, the University of Delaware reports spearphishers are targeting UD students and staff.  The criminals “targeted UD addresses, knowing that many UD students and employees have PNC accounts and that UD has a business relationship with PNC.”


Social Engineering Defeats Security at DEFCON

November 10, 2011

Reporting the details of the penetration testing conducted at the August 2011 DEFCON, researchers from Social-Engineer.org reported that by using social engineering techniques they were able to trick employees into compromising the security of all 14 Fortune 500 companies that participated in DEFCON 19.

The report, from the firm Social-Engineer.org, is free with registration.


Malware — Life Imitates Art 2

November 8, 2011

In response to our posting Malware – Life Imitates Art, one of our followers directed our attention to the first season of the popular CBS series, NCIS.  In Seadog, season 1, episode 3, the team is called upon to investigate the death of a Naval Officer whose body has washed ashore.  The investigation begins as a routine drug case.  As the plot evolves, the investigation uncovers cyber warfare directed at the nation’s power grid.  Fortunately, Gibbs and the team foil the plot at the last second.

The 2003 fictional attack on the US power grid is now reality as reported by the Wall Street Journal on April 8, 2009.  The article, entitled Electricity Grid in U.S. Penetrated by Spies, describes ongoing attacks on the infrastructure of the United States. 

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The article describes a 2008 cyber attack that was part of an extortion plot.  The attack took out power equipment in multiple regions of the United States. 

Cyber warfare is real.  Spearphishing is a frequent point of entry into critical systems.


Cyberspying Report: China, Russia Are Main Culprits

November 4, 2011

Yesterday, the Office of the National Counterintelligence Executive released a report to Congress entitled, Foreign Spies Stealing US Economic Secrets In Cyberspace.  The report paints a disturbing picture:

US Technologies and Trade Secrets at Risk in Cyberspace

Foreign collectors of sensitive economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets. The proliferation of malicious software, prevalence of cyber tool sharing, use of hackers as proxies, and routing of operations through third countries make it difficult to attribute responsibility for computer network intrusions. Cyber tools have enhanced the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools is already a larger threat than more traditional espionage methods.

Economic espionage inflicts costs on companies that range from loss of unique intellectual property to outlays for remediation, but no reliable estimates of the monetary value of these costs exist. Many companies are unaware when their sensitive data is pilfered, and those that find out are often reluctant to report the loss, fearing potential damage to their reputation with investors, customers, and employees. Moreover, victims of trade secret theft use different methods to estimate their losses; some base estimates on the actual costs of developing the stolen information, while others project the loss of future revenues and profits.

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.
• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

The report recites many techniques that are used by cyberspies to gain access to technology.  One of these techniques is spearphishing. The report makes specific reference to McAfee’s Night Dragon study. The report also discloses hackers for hire who are expert in the methods of cyberdeception — citing the example of the Iranian government employing hackers for hire to deploy social engineering schemes.

The report said that the pace of industrial espionage activities is accelerating. According to the report, foreign intelligence agencies, corporations and individual hackers increased their efforts to steal proprietary technology between 2009 and 2011.


Spearphishing the Chemical Industry – Symantec Reports “Nitro” Attacks

November 3, 2011

On October 31, 2011, Symantec released a whitepaper entitled The Nitro Attacks: Stealing Secrets from the Chemical Industry.  In the whitepaper, Symantec reports on a hacking attack on 29 chemical companies.  The attack appeared to be aimed at stealing intellectual property related to the research, development and manufacture of chemicals.  These attacks started in July 2011 and continued until mid-September.  The attacks also targeted 19 non-chemical companies, primarily in the defense industry.

Symantec tells us how the systems were compromised:

The attackers first researched desired targets and then sent an email specifically to the target. Each organization typically only saw a handful of employees at the receiving end of these emails. However, in one organization almost 500 recipients received a mail, while in two other organizations, more than 100 were selected. While the attackers used different pretexts when sending these malicious emails, two methodologies stood out. First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update. The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email. In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker.
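Both the UPS lure described in the Cyber Monday post above (a .zip archive carrying malware) and the Nitro lures Symantec describes here (an executable named to look like a text file, or a password-protected archive holding an executable) can be caught at the mail gateway by looking past the attachment's name. The following is an added example, not code from Symantec's whitepaper or from the original posts, that triages an attachment by its claimed extension, its leading bytes, and, for zip archives, the encryption flag and member names. The extension list is an illustrative assumption and the sample attachments are constructed inline.

```python
"""Attachment triage: double extensions, PE images with non-executable
names, password-protected zips, and executables inside zips."""
import io
import struct
import zipfile

# Assumption: illustrative list of extensions Windows will execute; not exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def claimed_and_hidden_extension(filename: str):
    """'update.txt.exe' -> ('txt', 'exe'); 'notes.txt' -> ('txt', None)."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS:
        return parts[-2], parts[-1]
    return (parts[-1] if len(parts) > 1 else ""), None


def is_pe_image(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header whatever they are named."""
    return data[:2] == b"MZ"


def zip_encrypted(data: bytes) -> bool:
    """True if the first local file header has the 'encrypted' general-purpose bit set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]  # general-purpose bit flag, little-endian
    return bool(flags & 0x0001)


def executables_inside_zip(data: bytes):
    """Names of executable members, or [] if the data is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes):
    """Return a list of human-readable reasons to hold the attachment (empty = clean)."""
    reasons = []
    claimed, hidden = claimed_and_hidden_extension(filename)
    if hidden:
        reasons.append(f"double extension: looks like .{claimed}, runs as .{hidden}")
    if is_pe_image(data) and claimed not in EXECUTABLE_EXTENSIONS and not hidden:
        reasons.append(f"PE header in a file named as .{claimed}")
    if zip_encrypted(data):
        reasons.append("password-protected archive (contents cannot be scanned)")
    for member in executables_inside_zip(data):
        reasons.append(f"archive contains executable: {member}")
    return reasons


def _zip_with(name: str, payload: bytes) -> bytes:
    """Build a real, unencrypted zip in memory holding one member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments; the PE and zip bytes are stubs, not real malware.
SAMPLES = {
    "meeting_notes.txt": b"Agenda for Thursday\n",
    "meeting_notes.txt.exe": b"MZ" + b"\x90" * 62,
    "readme.txt": b"MZ" + b"\x90" * 62,  # executable carrying a text-file name
    "security_update.zip": _zip_with("security_update.exe", b"MZ" + b"\x00" * 62),
    # Minimal local file header with the encryption bit (0x0001) set.
    "protected.zip": b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:25} {triage(name, data) or 'no findings'}")
```

The point of checking the leading bytes is that the icon and name a user sees are under the sender's control; the DOS header and the zip flag bits are not. A password-protected archive is reported on its own, because a scanner that cannot open it has no basis for calling it clean.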

Yet again, the means of entry was spearphishing.  The cyberspies are using the same social engineering schemes that were reported in secret State Department cables as early as 2002.  

Regrettably, the tools to improve the criminals’ social engineering craft are becoming more robust every day.   A little internet research yields substantial personal information that can be used to deceive the recipient.  Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient.  Given the ability of criminals to craft and deliver deceiving emails, email recipients are essentially unarmed in this battle of wits with spearphishers.

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spearphishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.
