Phisher Attempts to Blackmail Marriott

November 29, 2011

Dark READING reports that a Hungarian man has pleaded guilty to a phishing scheme used to blackmail Marriott. The plea was entered on Nov. 23, 2011.

The man, Attila Nemeth, 26, used data he stole from Marriott in an effort to force them to hire him into the IT department.  Dark READING summarized the scam:

The case puts a whole new spin on the targeted attack; rather than trying to cash in on the intelligence or use it for competitive purposes, the perpetrator used it as leverage. Nemeth’s methods were similar to those of advanced persistent threat (APT) attackers: He got a foot in the door of Marriott’s computers by targeting some of its employees with spear-phishing emails. Marriott did not publicize details about what happened next, but one or more of the users appear to have fallen for the phony emails and either opened infected documents or a link that silently installed a backdoor on Marriott’s systems.

On Nov. 11, 2010, Nemeth contacted Marriott’s HR department by email and told them that he had been able to compromise their systems and steal confidential information. He warned Marriott that if they did not give him a job maintaining their systems, he would disclose the confidential information he had stolen. Two days later he followed up the threat with an email that contained stolen documents.

On November 18, 2010, Marriott called on the U.S. Secret Service.  The Secret Service set up a sting operation in which an agent pretended to be a Marriott HR employee.  Dark READING reports:

Nemeth fell for it: He telephoned and emailed the undercover agent, continuing his threats to release the private Marriott documents. Then he emailed the agent his passport and volunteered to meet in the U.S., which they did on Jan. 17, 2011.

Nemeth assumed he was meeting the Marriott “employee” for a job interview, where he admitted his alleged crimes of hacking and stealing Marriott files and threatening them with exposing the data if they didn’t give him a job. Meanwhile, he also demonstrated how he got into the Marriott network and showed where he stored the data on a server back in Hungary.

Nemeth will be sentenced on Feb. 3, 2012 and faces 10 years in federal prison for transmission of malicious code and 5 years for attempted blackmail.

Although Nemeth failed to extort Marriott, the scheme was very costly to Marriott. Federal prosecutors alleged that the security breach cost Marriott between $400,000 and $1 million in salaries, consultant expenses and other costs to determine the extent of the compromise of its computers and to identify the compromised data.

While Nemeth did not demonstrate the best way to seek an IT job, he provides a powerful reminder that social engineering deceives the email recipients into becoming the agents of the criminals.  What can be done to defend the enterprise against spearphishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Phishers Use Cyber Monday for Scams

November 29, 2011

Computerworld reports that cybercriminals are using phishing scams to rip off consumers during this holiday shopping season. The bad guys are spoofing legitimate messages from real companies in order to deceive consumers. The criminals are sending fake shipping confirmations, fake Groupon and Living Social offers and fake social traffic. A common scam is a fake email about problems with a transaction, such as a delivery problem, a canceled order or a direct deposit. Cloudmark has reproduced this example of a fake UPS email:

Computerworld quotes Cloudmark engineering director Angela Knox about details of the UPS-based phishing scam. This phishing scam lures recipients into either opening an attachment or clicking on a link to infect machines with malware.

“We’ve seen a number of variants in this campaign, some with attachments, some with no attachments and bad links, all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic ‘UPS Customer Services,’” said Knox in a blog post today.

The attached files are actually .zip archives that contain malware, said Knox, while the links lead to compromised or hacker-controlled websites that host attack code.

“With Cyber Monday kicking off the online holiday shopping frenzy, online shoppers should remember to be vigilant about any email message that they receive,” said Knox.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.

Xbox Live Phishing Scam — Microsoft Reimburses Ripped-off Users

November 25, 2011

The Guardian is reporting that Microsoft is giving refunds to Xbox Live subscribers who may have had their credit card information stolen in a phishing scam.   The Guardian describes the scam in its November 22, 2011 edition:

Reports are proliferating of Xbox Live users checking the credit card and bank account statements which they use to pay their Xbox Live subscriptions, and discovering payments which they did not make, generally over a period of months, which were used to buy Microsoft Points (the service’s currency which enables users to purchase extra downloadable content, games and in-game objects) which were then cashed in to buy downloadable content from EA Sports – specifically Ultimate Team Packs for its games FIFA 12, Madden and NBA.

EU provides more details about the scam on its website.

You receive an email that appears to be from EA concerning an Ultimate Team promotion. You click on the link in the email, go to what appears to be the Ultimate Team login page, and enter your account name and password. Two days later you discover all the gold players you’ve worked so hard for have disappeared.

This is the fake website that is launched from the phishing email:

EU advised that the official EA website uses the following URL:
Any other similar looking URL is not official and should not be clicked on.

As this image from the EA website shows, the difference between the scam website and the real website is extremely subtle.

This is a close-up of the URLs.
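The two lures above share one defensive lesson: the recipient is asked to judge an attachment or a link whose host merely resembles a brand they trust. The following triage script is an added example written for this post; it is not code from Iconix, Cloudmark, EA or UPS. It parses a constructed email modelled on the fake UPS notice (a .zip attachment hiding an executable, plus tracking links) and the fake Ultimate Team promotion, and flags any link or sender whose registrable domain is not exactly one of an assumed allowlist of brand domains (ups.com and ea.com here), so lookalikes such as a brand name used as a subdomain of another site, or a hyphenated variant, are caught rather than eyeballed. The sender address, URLs, parcel number and archive contents are all constructed sample values.

```python
"""Triage a constructed phishing-style email: flag archive attachments that
hide executables, and links or senders whose domain is not an allowlisted brand."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Brand domains this recipient legitimately deals with (assumption for the demo;
# a real deployment maintains this list per organisation).
ALLOWED_DOMAINS = {"ups.com", "ea.com"}

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".com", ".pif")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Real code should consult the public
    suffix list so two-part suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_allowed(host: str) -> bool:
    """True only when the registrable domain is exactly an allowlisted brand.
    'ups.com.tracking-update.net' and 'ea-ultimateteam.com' both fail."""
    return registered_domain(host) in ALLOWED_DOMAINS


def suspicious_links(body: str) -> list:
    """Return every URL in the body whose host is not an allowlisted brand."""
    flagged = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_is_allowed(host):
            flagged.append(url)
    return flagged


def suspicious_attachments(msg) -> list:
    """Flag bare executables and .zip archives that contain an executable."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                flagged.append((name, "unreadable zip"))
                continue
            hidden = [m for m in members if m.lower().endswith(EXECUTABLE_SUFFIXES)]
            if hidden:
                flagged.append((name, "archive contains " + ", ".join(hidden)))
        elif name.lower().endswith(EXECUTABLE_SUFFIXES):
            flagged.append((name, "executable attachment"))
    return flagged


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report sender, link and attachment findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    sender_domain = msg["From"].addresses[0].domain if msg["From"] else ""
    return {
        "sender_allowed": host_is_allowed(sender_domain),
        "links": suspicious_links(text),
        "attachments": suspicious_attachments(msg),
    }


def build_sample_email() -> bytes:
    """Constructed sample modelled on the fake UPS and fake EA lures; nothing real."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("UPS_Invoice_7731.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "UPS Customer Services <notice@ups-delivery-alerts.net>"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Delivery problem, parcel 1Z-EXAMPLE"
    msg.set_content(
        "Your parcel could not be delivered.\n"
        "Track it at http://ups.com.tracking-update.net/1Z-EXAMPLE\n"
        "Ultimate Team promo: http://www.ea-ultimateteam.com/login\n"
        "Genuine help page: https://www.ups.com/help\n"
    )
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_Invoice_7731.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample_email()).items():
        print(key, "->", value)
```

The exact-match rule on the registrable domain is the point: a user comparing strings by eye sees "ups.com" inside "ups.com.tracking-update.net" and stops reading, whereas the code only trusts the last two labels, which is the part an attacker cannot borrow without owning the real domain.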

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications. You should be careful. But you need to do more. You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard. Being conversant with all the real URLs is impossible. You need a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


November 17, 2011

RSA’s recently released report Cyber Security Awareness Month Fails to Deter Phishers explains that despite efforts to increase awareness and fight phishing, deceptive emails continue to be a major problem.

Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals. RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

RSA shows the recent growth of phishing:

RSA Tracks Phishing

You should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Unless you have the right tool.

Know Who.  No Doubt.  Use eMail ID.

University of Delaware Spearphishing Attack

November 11, 2011

Demonstrating that a little bit of personal information goes a long way for cybercriminals, the University of Delaware reports spearphishers are targeting UD students and staff.  The criminals “targeted UD addresses, knowing that many UD students and employees have PNC accounts and that UD has a business relationship with PNC.”

Social Engineering Defeats Security at DEFCON

November 10, 2011

Reporting the details of the penetration testing conducted at the August 2011 DEFCON, researchers from reported that by using social engineering techniques they were able to trick employees into compromising the security of all 14 Fortune 500 companies that participated in DEFCON 19.

The report, from the firm, is free with registration.

Malware — Life Imitates Art 2

November 8, 2011

In response to our posting Malware – Life Imitates Art, one of our followers directed our attention to the first season of the popular CBS series, NCIS.  In Seadog, season 1, episode 3, the team is called upon to investigate the death of a Naval Officer whose body has washed ashore.  The investigation begins as a routine drug case.  As the plot evolves, the investigation uncovers cyber warfare directed at the nation’s power grid.  Fortunately, Gibbs and the team foil the plot at the last second.

The 2003 fictional attack on the US power grid is now reality as reported by the Wall Street Journal on April 8, 2009.  The article, entitled Electricity Grid in U.S. Penetrated by Spies, describes ongoing attacks on the infrastructure of the United States. 

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The article describes a 2008 cyber attack that was part of an extortion plot.  The attack took out power equipment in multiple regions of the United States. 

Cyber warfare is real.  Spearphishing is a frequent point of entry into critical systems.