Archived Blog
This Month in the Threat Webscape
03.11.2009 - 6:30 PM
Websense discovered that eWeek, a popular computer magazine, was serving a malicious fake anti-virus scanner to unsuspecting visitors, although through no fault of its own. The malicious content reached end-user machines through Google/DoubleClick's ad network. Google has acknowledged the existence of the malvertising scourge on its ad network. Websense alerted officials at eWeek, who worked with Google to rectify the situation immediately.
Malvertising is certainly not new, but is quietly growing more prevalent. Cleveland.com visitors were also hit by a malvertising campaign (via tacoda.net) that is reported to be similar to yet another malvertising campaign on AllRecipes.com that took place a few months ago.
Auctiva, an eBay solutions provider, had its servers compromised and served malware to its own users through the browser. According to their VP of Engineering, "The virus malware was injected via a third-party plug-in. Once in the file directory, the virus malware executed a malicious script that gained access to files. Once access was gained, the perpetrators used that access to place a low-level malicious script into files that were distributed to some of our users." You can read about the blow-by-blow ordeal for its users in more detail here.
Bypassing in-place authentication systems (CAPTCHAs and sign-up checks) continues to let spammers and malware authors create and register fake accounts at scale. Those accounts are then used for a wide range of visual social engineering attacks, which succeed at higher rates against a trusting user base on sites where content is easily editable, mixed and matched, and easily distributed and syndicated: Web 2.0's key selling points.
Furthermore, compromised accounts were also used to promote the fake accounts, which act as doorway pages to malicious and spam domains; instances of this were also seen on Plaxo and Microsoft Office Live Small Business. The same technique was evident in the continuing attack on Digg.
Internet Explorer
Mozilla Firefox: MFSA 2009-04 (Impact: Moderate), Chrome privilege escalation via local .desktop files. Note that "chrome" here refers to Firefox's privileged UI layer, not the Google Chrome browser.
Safari
Analysis of current blogging patterns shows that traditional blogging is alive and well. The last posting date for blogs on BlogSpot and LiveJournal (charted in the original post) shows that on both blogging engines 45% of blogs have already posted an entry this year. Given that we are only two months into the year, it is safe to assume that these blogs are active. Blogs that haven't had a post since 2008 are either dormant or belong to infrequent bloggers, and blogs that haven't had a post since 2006 or 2007 are considered no longer active. When these statistics are combined with the fact that Websense has discovered in excess of 20 million blogging sites, it is clear that there is a massive amount of volatile, blog-based content.
Fast forward to the Web 2.0 space, and we find that social networking has redefined content sharing on the public Internet. Traditional blogging assumes that we want to share our thoughts with the entire world and that the world might listen. Social networking has changed the game with a "friends only" viewing model. Studies of BlogSpot show that only approximately 2% of bloggers restrict their blogs to invited readers. Because active blogs change constantly, accurate classification requires real-time, content-based analysis rather than a static URL category.
On another front, spammers continued to pursue their twin objectives of extending the overall lifetime of a spam campaign and making the campaign harder to trace back to its origins, this time with Waledac's Valentine's Day theme. To this end, they use randomized, complex networks, a fast-flux infrastructure in which the DNS records for the campaign's domains rotate rapidly across a pool of compromised hosts, through which they kept advertising their malicious spam campaigns.
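The fast-flux behaviour described above can be spotted from passive DNS data: a domain whose answers rotate through many unrelated IP addresses with short TTLs looks very different from a static host or a CDN, whose addresses cluster in a few network blocks. The following heuristic is an added example, not code from Websense or from the original post; the domain names, addresses and thresholds are constructed for illustration, and the /16 prefix is used as a crude stand-in for "different network" (a real deployment would use ASN lookups).

```python
"""Fast-flux heuristic over a constructed log of DNS answers (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Set


@dataclass
class Resolution:
    ts: int            # seconds since epoch (constructed)
    domain: str
    ttl: int           # TTL of the answer, in seconds
    a_records: List[str]


@dataclass
class DomainSummary:
    resolutions: int = 0
    ips: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)   # /16 prefixes as an ASN proxy
    ttls: List[int] = field(default_factory=list)

    @property
    def mean_ttl(self) -> float:
        return mean(self.ttls)


# Constructed sample log: one flux-like domain, one CDN-like domain (short TTL but
# addresses inside one block), and one static host. Domain names use .invalid.
SAMPLE_LOG = [
    Resolution(0,    "flux-example.invalid", 180, ["192.0.2.10", "198.51.100.20"]),
    Resolution(300,  "flux-example.invalid", 180, ["203.0.113.30", "100.64.1.40"]),
    Resolution(600,  "flux-example.invalid", 180, ["100.65.2.50", "192.0.2.60"]),
    Resolution(900,  "flux-example.invalid", 180, ["198.51.100.70", "203.0.113.80"]),
    Resolution(1200, "flux-example.invalid", 180, ["100.66.3.90", "100.67.4.100"]),
    Resolution(0,    "cdn-example.invalid", 60, ["192.0.2.1", "192.0.2.2"]),
    Resolution(300,  "cdn-example.invalid", 60, ["192.0.2.3", "192.0.2.4"]),
    Resolution(600,  "cdn-example.invalid", 60, ["192.0.2.5", "192.0.2.1"]),
    Resolution(900,  "cdn-example.invalid", 60, ["192.0.2.2", "192.0.2.6"]),
    Resolution(1200, "cdn-example.invalid", 60, ["192.0.2.7", "192.0.2.8"]),
    Resolution(0,    "static-example.invalid", 86400, ["203.0.113.5"]),
    Resolution(3600, "static-example.invalid", 86400, ["203.0.113.5"]),
]


def slash16(ip: str) -> str:
    """Crude network grouping: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def summarize(log: List[Resolution]) -> Dict[str, DomainSummary]:
    """Aggregate every observed answer per domain."""
    out: Dict[str, DomainSummary] = defaultdict(DomainSummary)
    for r in log:
        s = out[r.domain]
        s.resolutions += 1
        s.ips.update(r.a_records)
        s.prefixes.update(slash16(ip) for ip in r.a_records)
        s.ttls.append(r.ttl)
    return dict(out)


def is_fast_flux(s: DomainSummary, min_ips: int = 8, min_prefixes: int = 4,
                 max_ttl: int = 600) -> bool:
    """Flag a domain whose answers are numerous, spread across networks and short-lived.
    All three conditions are required so that a CDN (many IPs, one block) or a
    long-TTL round-robin host does not trip the rule. Thresholds are assumptions."""
    return (len(s.ips) >= min_ips
            and len(s.prefixes) >= min_prefixes
            and s.mean_ttl <= max_ttl)


def classify(log: List[Resolution]) -> Dict[str, bool]:
    """Map each domain in the log to a fast-flux verdict."""
    return {d: is_fast_flux(s) for d, s in summarize(log).items()}


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_LOG).items():
        print(f"{domain:24} ips={len(s.ips):2} nets={len(s.prefixes)} "
              f"mean_ttl={s.mean_ttl:.0f} flux={is_fast_flux(s)}")
```

The point of requiring all three signals together is the false-positive case the text's "complex networks" hides: plenty of legitimate services return many addresses with a 60-second TTL, so address count or TTL alone is not evidence of flux. Network diversity is what separates a botnet's scattered proxies from a provider's address pool.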
Visual social engineering tactics are also being consistently adapted by spammers to increase the success of their attacks. This was evident in the Skype Valentine spam lure, the Walmart fake survey emails, and spam campaigns carrying malicious zip attachments that appeared to use a spoofed-forward technique, in which the message is dressed up to look like mail forwarded by an acquaintance.
Increasingly frustrated and desperate phishers are targeting GTalk and Gmail accounts. The attack aims to steal Google usernames and passwords; however, unlike previous long-tail phishing attacks, this one has strong monetary ties, as Google credentials can be used in Google Checkout and Google AdSense. The victim receives a GTalk IM containing a TinyURL link that redirects to a fake ViddyHo login page.
Researchers from Harvard and Cambridge estimate that 75.8% of phishing sites are hosted on compromised servers. It is possible that phishers obtained access to such servers using Google hacking techniques, that is, crafted search queries that locate vulnerable or misconfigured web applications. The efficacy of such techniques is notable given that most SQL injection attacks in 2008 performed automated search engine reconnaissance.
As the filing deadline for taxpayers draws closer, phishers are sending more IRS phish. This time, the attack asks the victim to download and submit a stimulus payment form.
The ThreatSeeker Network also discovered numerous newly registered fake securities websites in China. These phishing sites host false information about stocks and negotiable securities under the names of some of the big securities Web sites. They attempt to deceive people into paying for information or registering for their stock analysis service.
Perfect Storm: Leaky Apps, More Electronic Records
Call it a perfect storm, or a train wreck, whatever you like. But the writing is on the wall. Web 2.0 and other technologies are adding any number and type of applications to our internetworked soup, creating not only more avenues for communication, but also opening up opportunities for deliberate or inadvertent data leaks. On top of that, we're seeing large-scale trends to digitize traditionally hard-copy data to improve automation, which makes data leaks and theft more likely, because the data is 'just in a file' and can be accessed from virtually anywhere.
News broke on Monday that detailed blueprints were leaked from a government contractor's laptop on which P2P file-sharing software was installed. The data was pilfered by a hacker who monitors these P2P networks. But safeguards could have been in place above and beyond the public P2P monitoring service from Tiversa that initially discovered the breach. In short, fingerprinting the sensitive data and then regularly discovering that data across servers and employee and contractor laptops would have kept a current inventory of where all the data (e.g. the blueprints, or *portions* thereof) lives. That inventory lets investigators determine where the leak originated (after the fact) and lets IT administrators determine which systems need to be further secured (before the fact). To catch the leak itself, real-time monitoring of communications channels at the endpoint (data in use) and on the network (data in motion) would catch the use of P2P or other applications to transmit this data.
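Fingerprinting as described above means registering the sensitive document once and then recognising it, or any sizeable excerpt of it, wherever it turns up, without shipping the document's contents to every sensor. The block below is an added example of one common scheme (word-level shingles, hashed, with deterministic mod-p sampling to shrink the index); it is not Websense's implementation or code from the original post. The "blueprint" text, the excerpt and the unrelated message are constructed for illustration, and the match threshold is an assumption.

```python
"""Partial-document fingerprinting for DLP, on constructed sample text (added example)."""
import hashlib
import re
from typing import Dict, List, Set

SHINGLE = 5   # words per shingle; longer shingles mean fewer chance matches
MOD = 3       # mod-p sampling: keep only shingles whose hash % MOD == 0 (assumed value)


def tokens(text: str) -> List[str]:
    """Normalise case, punctuation and whitespace so trivial edits do not defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text: str) -> List[int]:
    """Hash every overlapping window of SHINGLE consecutive words (64-bit truncation of SHA-256)."""
    words = tokens(text)
    hashes = []
    for i in range(len(words) - SHINGLE + 1):
        window = " ".join(words[i:i + SHINGLE]).encode()
        hashes.append(int.from_bytes(hashlib.sha256(window).digest()[:8], "big"))
    return hashes


def fingerprint(text: str) -> Set[int]:
    """Deterministic sample of the shingle hashes. Because the same rule is applied
    to registered documents and to scanned payloads, a verbatim excerpt of a
    registered document selects a subset of the document's own fingerprint."""
    return {h for h in shingle_hashes(text) if h % MOD == 0}


def build_index(docs: Dict[str, str]) -> Dict[int, Set[str]]:
    """Map each sampled hash to the names of the registered documents containing it.
    Only hashes are stored: the index does not reveal the protected text."""
    index: Dict[int, Set[str]] = {}
    for name, text in docs.items():
        for h in fingerprint(text):
            index.setdefault(h, set()).add(name)
    return index


def scan(payload: str, index: Dict[int, Set[str]]) -> Dict[str, float]:
    """Score each registered document by the fraction of the payload's sampled
    shingles that it contains (1.0 means every sampled window came from that document)."""
    fp = fingerprint(payload)
    if not fp:
        return {}
    hits: Dict[str, int] = {}
    for h in fp:
        for doc in index.get(h, ()):
            hits[doc] = hits.get(doc, 0) + 1
    return {doc: n / len(fp) for doc, n in hits.items()}


def check_payload(payload: str, index: Dict[int, Set[str]],
                  threshold: float = 0.5) -> Dict[str, float]:
    """Return the documents a payload should be blocked or alerted on."""
    return {d: s for d, s in scan(payload, index).items() if s >= threshold}


# Constructed stand-in for a sensitive engineering document.
SENSITIVE_DOC = """
Drawing 7A: main rotor hub assembly. Torque the retaining bolts to the value
listed in table 3 before installing the swashplate. The hydraulic lines are
routed along the left side of the transmission deck and must clear the
fuel cell by at least forty millimetres. Inspect all fasteners after the first
flight and record the results on form 12.
"""

# Constructed outbound payloads: a verbatim excerpt (as if pasted into a P2P share
# or e-mail) and an unrelated message.
EXCERPT = ("The hydraulic lines are routed along the left side of the transmission "
           "deck and must clear the fuel cell by at least forty millimetres. Inspect "
           "all fasteners after the first flight and record the results on form 12.")
UNRELATED = ("Quarterly newsletter: the cafeteria will offer a new salad bar starting "
             "next week, and the parking garage on level two closes for repainting.")

INDEX = build_index({"blueprint": SENSITIVE_DOC})

if __name__ == "__main__":
    print("excerpt   ->", check_payload(EXCERPT, INDEX))
    print("unrelated ->", check_payload(UNRELATED, INDEX))
```

Two properties matter for the inventory-and-discovery use the text describes. First, the excerpt scores against the document even though it is a fraction of it, because shingles are local: an excerpt shares its windows with the source regardless of what was cut around it. Second, the normalisation in `tokens` means re-casing or re-wrapping the text changes nothing, whereas a real DLP product adds further canonicalisation (file-format extraction, Unicode folding) before this step. The caveat is that mod-p sampling can miss a very short fragment that happens to contain no selected shingle; winnowing, which guarantees a selection in every window of a fixed size, is the usual fix.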
Shoulda, woulda, coulda.
But this wasn't the only newsworthy item to us. There was a small but significant 'nudge' in the multi-billion-dollar, no-such-thing-as-a-free-lunch stimulus program. Continuing a directive issued by the Bush administration in 2004, the new Obama administration has supported a roughly $21 billion infusion to establish e-health records for most Americans by 2014. Yes, that's only five years away. And with today's population estimated at 305,940,982 and projected to grow to 309,753,000 (PDF), we're talking about at least that many records, and in practice far more, accounting for multiple records per patient, multiple doctors, and even correcting for the (sad to say) uninsured. This all becomes significant with the existing HIPAA regulations in place to protect PHI (Protected Health Information), including diagnosis codes, prescription information, pre-existing conditions, etc. Protecting the privacy of patients requires the same type of technology required to protect sensitive business data such as the blueprints of POTUS' helicopter. Identifying HIPAA data with templates for PHI data and monitoring communications on a broad scale can limit the risk of a HIPAA violation and prevent fines or lawsuits by patient victims.
So can we possibly keep tabs on these new channels for communication, and therefore data leaks, while securing our most precious data, including those addressing matters of national security? And can we keep up with the growing volume of electronic health records, containing PHI and therefore requiring HIPAA compliance?
Yes we can!
- Gargi Mitra (Data Loss Prevention)
- Mark Haffenden (Advanced Content Research)
- Sumeet Prasad (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Carl Leonard (Security & Technology Research)
- Elad Sharf (Security & Technology Research)
- Jay Liew (Security & Technology Research)