
This Month in the Threat Webscape

07.10.2009 - 4:00 PM

Month of June 2009

June was a huge month for malicious email campaigns. There was a big rise in the volume of malicious messages sent, and many companies were hit by spear phishing campaigns. Major news events this month, such as the death of Michael Jackson and the Air France plane crash, led to new targeted spam campaigns.

It was a month of mass compromises as well, with compromise campaigns such as Beladen and Nineball infecting tens of thousands of Web sites. Twitter and the URL shortening services used on it were also targeted this month. Microsoft patched several zero-day vulnerabilities, but more of them continue to surface. Unfortunately, reports this month show that most computers are not fully patched.



Major Hits


At the end of June, Michael Jackson's sudden death prompted spammers to send out malicious messages using news of the event as a social engineering lure. Within 24 hours of his death being confirmed, our ThreatSeeker Network detected malicious messages offering a video with new information about the singer. The link led to an information-stealing file that compromised the user's machine. We saw continued use of the singer's name as a lure promoting everything from pharmacy Web sites to other malicious downloads hosted on purpose-built Web sites.

Michael Jackson's death was not the only event-based lure used by malware authors in June. With the initial mystery surrounding the tragic plane crash of an Air France flight, we saw malicious messages circulating offering news of the event. Cybercriminals' use of event-based themes is something we are always tracking in Websense Security Labs.

The Nineball mass injection campaign compromised more than 40,000 legitimate Web sites in an ongoing campaign. This was definitely a quantity-over-quality hack, with hackers compromising many sites in the Web's 'long tail'. While only a small portion of Web traffic reaches these sites, they are still visited, and the compromise existed on a massive scale. The end result was that users browsing a known site were redirected to ninetoraq, a site that attempts multiple exploits through obfuscated code. If it finds an open hole, it drops a malicious PDF file or a Trojan designed to steal users' information. Both pieces of malcode have extremely low anti-virus (AV) detection rates: one of the exploits is detected by only 3 of the 41 most commonly used AV programs.

The Nineball attack was more complicated than most, and difficult for less experienced researchers to fully track and understand. After the infection, the exploit site does something interesting. When visitors return to a compromised site, their IP address is recorded, and if that IP has already been infected, the site simply redirects them to Ask.com. This may be a unique way (beyond code variations and obfuscation) to avoid detection and prolong the attack campaign. Our assumption is that attackers were able to infect these sites by logging in with compromised FTP credentials. This gave them the ability to insert malicious, obfuscated code into the index pages of tens of thousands of Web sites.
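The Nineball and Beladen injections described above both landed as obfuscated script in the index pages of otherwise legitimate sites, so the practical defender question is how a site owner notices the change. The following is an added example, not code from the original post or from Websense: it audits a set of pages against known-good SHA-256 hashes recorded at deploy time and flags generic obfuscation indicators (eval/unescape wrappers, hidden iframes, long percent-encoded or hex-escaped strings). The pattern names, the sample pages and the `redirector.example` host are constructed for the example; they are heuristics, not signatures from the campaign.

```python
import hashlib
import re

# Generic indicators of injected, obfuscated redirect code of the kind the
# Nineball campaign planted on index pages. These are heuristics written for
# this example, not signatures taken from the original post.
SUSPICIOUS_PATTERNS = {
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "document_write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)",
        re.I),
    "long_percent_encoded": re.compile(r"(?:%[0-9a-f]{2}){40,}", re.I),
    "long_hex_escape": re.compile(r"(?:\\x[0-9a-f]{2}){40,}", re.I),
}

# Constructed sample pages (not real compromised content).
CLEAN_PAGE = (
    "<html><head><title>Shop</title>"
    "<script src=\"/js/site.js\"></script></head>"
    "<body><h1>Welcome</h1></body></html>"
)

# The injected payload is a percent-encoded hidden iframe wrapped in
# eval(unescape(...)), a common obfuscation shape for this kind of injection.
_ENCODED_IFRAME = "".join(
    "%%%02x" % b
    for b in b"document.write('<iframe src=\"http://redirector.example/\" width=0 height=0></iframe>')"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<script>eval(unescape('%s'))</script></body>" % _ENCODED_IFRAME
)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_page(html: str) -> list:
    """Names of indicator patterns present in the page, sorted; empty if clean."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(html))


def audit_site(pages: dict, baseline: dict) -> dict:
    """pages maps path -> current HTML read from disk; baseline maps path ->
    known-good SHA-256 recorded at deploy time. Each entry reports whether the
    file changed and which indicators fire. A changed file with no indicator
    still deserves a look; an indicator on an unchanged file means the
    baseline itself was taken after the injection."""
    report = {}
    for path, html in pages.items():
        report[path] = {
            "modified": baseline.get(path) != sha256_hex(html),
            "indicators": scan_page(html),
        }
    return report


# Constructed site state: the baseline was recorded while both pages were clean,
# and index.html has since been modified.
BASELINE = {"/index.html": sha256_hex(CLEAN_PAGE), "/about.html": sha256_hex(CLEAN_PAGE)}
SITE_NOW = {"/index.html": INJECTED_PAGE, "/about.html": CLEAN_PAGE}

if __name__ == "__main__":
    for path, entry in audit_site(SITE_NOW, BASELINE).items():
        print(path, "modified" if entry["modified"] else "unchanged", entry["indicators"])
```

Run the audit over files read from the web root, not over pages fetched through a browser or crawler: as the post notes, the exploit site serves returning IP addresses a harmless redirect, so a second fetch can look clean while the injected index page on disk has not changed. The hash comparison is what catches an injection whose obfuscation does not match any pattern.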

Other interesting mass injections of note included Beladen. This attack peaked at around 40,000 Web sites compromised with the injected code. We are still tracking legitimate Web sites injected with that code, but the number of compromises for this particular injection is much lower now as malware authors seek to shake up their attacks and unleash something new.

We also saw high-profile compromises across multiple regions. These included malicious code hosted on the Canadian MSN Web site, a popular bookstore in Singapore, the Embassy of Ethiopia, the Ministry of Water Resources in China, and the Mountain Bike World Cup site in the UK, further proving that malware authors are truly global in their operations and their reach.


Web 2 Dot Uh-Oh


This month we saw a number of Twitter vulnerabilities escalate as hackers used trending topics and hashtags to spread links to malicious sites or rogue AV alerts. In addition, noted Twitterer and Web 2.0 luminary Guy Kawasaki had his Twitter account hijacked and used to send out a malicious link to his 140,000 followers, apparently because he had configured his account to accept external feeds. We also saw the Twitter accounts of major celebrities like Britney Spears and Ellen DeGeneres hacked, presumably through third-party Web applications that plug into Twitter and that may have left their login credentials vulnerable. Those accounts were only used to spread bogus messages, but they could just as easily have been used to spread malicious links to all of their followers.

During the month of July, a security researcher is aiming to post bugs and issues related to Twitter every day in what is being called the 'Month of Twitter Bugs'. More details are in this ZDNet article.

Cybercriminals also hijacked Twitter trending topics to serve malware. Quick to capitalize on whatever hot topic is creating a buzz on the microblogging Web site, malware authors created tweets leading to URLs hosting rogue anti-virus applications. These tweets used URL shortening services such as bit.ly and TinyURL to disguise the ultimate destination from the end user. Fortunately for Websense customers, we can apply our analytics to each URL in the redirection chain to protect end users no matter which URL shortening service is in use.

In June, we observed that the Cligs URL shortening service was hacked, with malicious hackers modifying 2.2 million Cligs URLs to redirect to a URL of their choosing. In this case, the redirection led to a benign destination. Cligs has since identified and rectified the flaw that led to this issue.
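The two paragraphs above make the same point from two sides: a shortened link says nothing about where it ends up, and (as the Cligs incident shows) the shortener's own good reputation cannot be relied on either, so every hop in the redirection chain has to be evaluated. The following is an added example, not Websense's analytics or code from the original post. It follows `Location` headers one hop at a time, with loop and hop-limit protection, and blocks if any host in the chain is on a blocklist. The redirect table, `fake_fetch`, the `*.example` hosts and the blocklist are constructed stand-ins for live HTTP responses.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP responses: each key is a
# URL and the value is the Location header it would answer with (absent = final
# destination). All hosts are example names, not real services.
REDIRECTS = {
    "http://short.example/abc": "http://tiny.example/xyz",
    "http://tiny.example/xyz": "http://rogue-av.example/scan.php",
    "http://short.example/news": "http://news.example/story",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}
BLOCKLIST = {"rogue-av.example"}  # constructed; a real deployment uses a threat feed


def fake_fetch(url):
    """Stand-in for a HEAD request that does NOT auto-follow redirects.
    Returns the Location header, or None when the URL is the final page."""
    return REDIRECTS.get(url)


def resolve_chain(url, fetch, max_hops=10):
    """Follow Location headers one hop at a time.
    Returns (chain, status) where status is 'resolved', 'loop' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    while True:
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in seen:  # a redirect cycle: record the repeat and stop
            chain.append(nxt)
            return chain, "loop"
        if len(chain) >= max_hops:  # fail closed rather than chase forever
            return chain, "too_many_hops"
        chain.append(nxt)
        seen.add(nxt)


def check_url(url, fetch=fake_fetch, blocklist=BLOCKLIST, max_hops=10):
    """Evaluate every hop, not just the shortener's own domain.
    Verdict is 'block' if any hop's host is on the blocklist, 'review' if the
    chain could not be fully resolved, and 'allow' otherwise."""
    chain, status = resolve_chain(url, fetch, max_hops)
    for hop in chain:
        host = (urlparse(hop).hostname or "").lower()
        if host in blocklist:
            return {"chain": chain, "status": status, "verdict": "block", "matched": hop}
    verdict = "allow" if status == "resolved" else "review"
    return {"chain": chain, "status": status, "verdict": verdict, "matched": None}


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://short.example/news", "http://short.example/loop1"):
        result = check_url(u)
        print(result["verdict"], result["status"], " -> ".join(result["chain"]))
```

To use it against live links, replace `fake_fetch` with a request that returns the `Location` header without following it (for example `requests.head(url, allow_redirects=False)` and reading `r.headers.get("Location")`), keeping the hop cap so a hostile shortener cannot hold the checker in an endless chain. Unresolved chains are returned as 'review' rather than 'allow' on purpose: a link whose destination cannot be determined should not pass by default.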

Malware authors don't just track hot discussion topics; they also track the latest technology offerings. Soon after Microsoft announced the bing.com search engine, spammers were setting up spam templates that included a URL based on a search string on Bing. Should the user browse to this URL, search results were returned that brought sites promoting male enlargement drugs to the top of search results.



Browsing for Dirt


June was a busy month for patch management teams. Mozilla introduced patches for 11 Firefox flaws with Firefox 3.0.11; Google plugged 2 high-risk WebKit holes in Chrome; and Apple produced jumbo patches for Safari and QuickTime. A vulnerability within Adobe Shockwave that could allow remote code execution was also patched by Adobe.

On June 9th, Adobe released their first quarterly patch update for Adobe Reader/Acrobat - designed to coincide with Microsoft's Patch Tuesday. APSB09-07 addressed 13 vulnerabilities, some of which were rated as critical.



Microsoft


For June's Microsoft Patch Tuesday, 10 bulletins were released covering 31 vulnerabilities. The patches included ones covering the IE8 zero-day identified during the CanSecWest Pwn2Own contest and an IIS WebDAV zero-day.

You are probably itching for updates on CVE-2008-0015, which affects MSVidCtl. Microsoft has announced the possibility of a patch being made available during the July Patch Tuesday, and details on the zero-day attack code can be found in our blog.



Hello ThreatSeeker, You've Got Mail!


The evolution of the Michael Jackson-themed spam campaigns was not the only interesting thing to come through the email attack vector in June. The total number of messages detected as containing viruses increased six-fold in June. ThreatSeeker uses knowledge of the many attributes of email messages to determine their malicious nature, whether the threat is a broad email campaign (such as the parcel company notifications that have started to mix embedded URLs in with attachments) or a low-volume targeted attack.

Also interesting to note is that we saw an increase in the number of phishing email messages using attached HTML forms.

Here are some threats "in the mail" this month:

  • 3.2 billion messages processed by the hosted infrastructure (over 106 million per day)
  • 87.5% of all email was spam
  • 84.9% of spam included an embedded URL
  • 217 thousand instances of 49 unique zero-day threats stopped by ThreatSeeker before AV
  • 2.1% of spam emails were phishing attacks


So Long, and Thanks for All the Phish


After a five-month break, a spear phishing gang resumed its activity, this time targeting more than 880 victims working at Fortune 500 and small- to mid-sized businesses. According to iDefense, the attack began on June 4, and reports estimate the losses at high thousands to tens of thousands of dollars per victim. The message alerted the victim that a wire transfer had been successfully performed from his or her account and that the statement attached to the message needed to be checked. The statement was simply a Trojan horse built to steal the victim's credentials.

YouTube partners received phishing messages pretending to be from YouTube and Google, asking victims to send their login credentials and other personal information. The first wave of attacks was received at the end of May and the second on June 3rd, sent from and delivered to different accounts. The first wave asked partners for their user name, password, email address, and date of birth, while the second asked only for their password.



Facebook and your Mother's Maiden Name


So it's not just theory, then. Social networking sites DO store sensitive data, and they MAY NOT have sufficient controls in place to prevent hacks into this data. According to FBHive, a blog that tracks Facebook, a security hole reported in early June (and fixed on June 23) allowed a user, within their own profile, to display ANOTHER user's 'Basic Information' after doing an 'Edit Information' on their own profile. This means information such as your relationships (maybe even your mother's maiden name) and other information that could be used for security verification purposes on other sites could be exposed, which is definitely a concern for individual identity theft.

This may be a tough pill to swallow for companies that allow (and even encourage) employee activity on these sites for professional networking and brand promotion (e.g., Facebook groups). What if a privileged user (in executive management, sales, or finance) had his or her profile information visible? Is it possible that someone could use this information to social engineer their way into a highly confidential application such as salesforce.com or an internal payroll application? Even where strong authentication (PKI, tokens) is in use, password resets are often granted using answers to common questions like 'What city were you born in?' and the old standby, 'What is your mother's maiden name?'. A hacker with enough public information on a privileged user, combined with a few golden nuggets like these from the user's profile, may be able to get access to more than just the latest status update on what your friends had for lunch. This is something to think about...



Security Trends


Have you ever wondered how many exploitable programs are actually out there in the world? This information is now available through Secunia WorldMap, designed to show you the distribution of unpatched and patched PCs around the world. According to Secunia, the world holds an average of 3 unpatched, vulnerable programs per PC. Today, when exploit kits prosper in the underground markets and new exploits become part of those kits in an ever-shrinking time frame, the facts provided by WorldMap aren't reassuring at all. It takes only one unpatched program to exploit a host. Relying on AV and firewalls alone is certainly not enough; "patching is more important", according to Secunia.

Adding to the information above, Sophos reports that nine out of ten corporate PCs are not fully patched or don't have security software such as AV or firewalls installed.

On another matter, a rather big iPhone update became available halfway through the month. The latest update to the OS (3.0) fixes a total of 46 documented vulnerabilities. Kudos.






Thanks to the following contributors for this month's roundup:
- Carl Leonard (Security & Technology Research)
- Jay Liew (Security & Technology Research)
- Elad Sharf (Security & Technology Research)
- Erik Buchanan (Security & Technology Research)
- Saeed Abu-Nimeh (Security & Technology Research)
- Matthew Mors (Public Relations)
- Gargi Mitra (Data Loss Protection)
