Recognizing Email Scams
SIRT IT Security Roundtable
Harvard Townsend, Chief Information Security Officer, harv@ksu.edu
December 4, 2009
Agenda
• The problem – why should we care?
• Types of email scams
• Recent examples at K-State and why they tricked so many people
• Characteristics of scam emails – things to look for and tools to help
• How to determine if a web link is safe
• How to evaluate email attachments
• Reporting scams or other malicious emails
• Useful information sources
• Q&A
Many vectors for attack
• Vulnerable operating system (i.e., Windows)
• Vulnerable applications
• Hackers scanning our network from outside or inside the campus network
• Passwords stolen by a key logger
• USB flash drives
• Malicious web links, even sponsored ads at the top of a Google search
• Malicious Facebook ads
• Extra goodies in P2P downloads
• Instant messaging
• Redirected DNS queries
• Hijacked duplicate web site
• Phishing email
• Malicious web links in an email
• Email attachments
What’s the big deal?
• 130+ K-State computers infected in November when people opened malicious email attachments – the same emails that hit campus in July and infected 100+ computers
• 289 spear phishing scams at K-State thus far in 2009, resulting in 421 compromised email accounts used to send spam
• These forms of “social engineering” are currently one of the most effective ways to compromise a computer and steal financial or personal identity information
• Information loss/theft (personal, institutional, passwords, account info)
• Identity theft
• Financial fraud
It doesn’t just affect you
• When stolen K-State email accounts are used to send spam, K-State is seen as a spam source and sometimes ends up on spam block lists, such that ALL email from K-State to those email providers is blocked (examples include Hotmail, Gmail, Comcast, AT&T, Road Runner…) – a huge headache for faculty-student communication
• Compromised computers become part of a “botnet” used for illegal purposes
• A recently compromised K-State computer became a “botnet controller” that controlled 12,000 other compromised computers around the world
• Compromised computers are used to send spam, host scam web sites, spread malware, steal data, launch denial of service attacks, etc.
• One careless mouse click can affect thousands of other people, not just yourself
What’s the big deal?
• Tactics are constantly changing, so you can’t let down your guard
• Malware is constantly changing, so anti-virus software can’t always prevent infection
• Technology can’t stop them all – you, the user, are critically important in our security defenses
Definitions
• Malware – malicious software
• Virus, Worm, Trojan, etc. – types of malware; the specific definitions are not that important now, and “virus” is sometimes used as a catch-all for malware
• Keylogger – watches your keystrokes and intercepts data of interest, often sending it to the perpetrator. Typically looks for things like username/password, bank account info, credit card info
• Rootkit – malware that tries to hide the fact that it compromised the computer. Think of it as stealth malware.
• Spyware – watches your online activity and sends information about you or your habits to others without your informed consent
• Adware – automatically displays ads on your computer, usually in annoying pop-ups
• Scareware – tries to trick you into buying something of little or no value using shock, anxiety or threats (like Anti-virus 2008/2009). A common tactic is to claim your computer is infected and you have to buy their software to clean it up.
Definitions
• Phishing – an attempt to acquire sensitive information by posing as a legitimate entity in an electronic communication
• Spear phishing – phishing that targets a specific group
• Social engineering – manipulating or tricking people into divulging private information
• Spam – unsolicited or undesired bulk email/messages
Let’s look at some examples
• Check the IT Security Threats blog for examples of spear phishing scams: threats.itsecurity.k-state.edu
• Analysis of actual scams received by people at K-State
Most Effective Spear Phishing Scam
Most effective spear phishing scam
• At least 62 replied with their password, 53 of which were used to send spam from K-State’s Webmail
• Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly admitted freshmen
• Note the characteristics:
  • “From:” header realistic: "Help Desk" <helpdesk@k-state.edu>
  • Subject uses familiar terms: “KSU.EDU WEBMAIL ACCOUNT UPDATE”
  • Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”
  • Asks for “K-State eID” and password
  • Plausible story (accounts compromised by spammers!!)
Another effective spear phishing scam
This one also tricked 62 K-Staters into giving away their eID password
How to identify a scam
• General principles:
  • Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
  • Use common sense and logic – if it’s too good to be true, it probably is.
  • Think before you click – many have fallen victim due to a hasty reply
  • Be paranoid
  • Don’t be timid about asking for help from your IT support person or the IT Help Desk
How to identify a scam
• Characteristics of scam email
  • Poor grammar and spelling
  • Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
  • It asks for private information like a password or account number
  • The message contains a link where the displayed address differs from the actual web address
  • It is unexpected (you weren’t expecting Joe to send you an attachment)
  • The “Reply-to:” or “From:” address is unfamiliar, or is not a ksu.edu or k-state.edu address
  • Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password, which is signed only “Webmail administrator”
How to identify a scam
• Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, emails asking for donations and mimicking a Red Cross web site)
• Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
• They take advantage of epidemics or health scares, like the H1N1 scam currently making the rounds
• Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
• If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
• Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
• Hackers are very good at imitating legitimate email – they will use official logos, and some links in the email will work properly, but one link is malicious
Fake K-State Federal Credit Union web site used in spear phishing scam
Real K-State Federal Credit Union web site
Can I click on this?
• Watch for a displayed URL (web address) that does not match the actual one
  displayed: http://update.microsoft.com/microsoftupdate
  actual: http://64.208.28.197/ldr.exe
• Beware of a link that executes a program (like ldr.exe above)
• Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html
• Some even use hexadecimal notation for the IP: http://0xca.0x27.0x30.0xdd/www.irs.gov/
• Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/
Can I click on this?
• Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
  From: Capital One bank <cservice@capitalone.com>
  URL in message body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
• IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan:
Can I click on this?
• Beware of domains from unexpected foreign countries
  Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
  Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
  Lithuania: http://kateka.lt/~galaxy/card.exe
  Hungary: http://mail.grosz.hu/walmart/survey/
  Romania: http://www.hostinglinux.ro/
  Russia: http://mpo3do.chat.ru/thanks.html
• MANY scams originate in China (country code = .cn)
• Country code definitions available at: www.iana.org/domains/root/db/index.html
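The link checks on the last three slides, written out as a small Python function. This is an added example, not code from the roundtable or from K-State; the brand list, the executable extensions and the "last two labels" domain heuristic are assumptions of the example, and the constructed inputs are the URLs quoted above.

```python
from urllib.parse import urlparse

# Brands impersonated in the examples above and file types a link should never fetch
# directly; both tuples are constructed for this example, not a real allow-list.
BRAND_DOMAINS = ("microsoft.com", "capitalone.com", "capitalonebank.com", "irs.gov")
EXEC_EXTS = (".exe", ".scr", ".pif", ".msi", ".js")


def hostname_is_ip(host):
    """True for dotted-decimal hosts and hex-octet hosts such as 0xca.0x27.0x30.0xdd."""
    parts = host.split(".")
    if len(parts) != 4:
        return False
    try:
        octets = [int(p, 16) if p.lower().startswith("0x") else int(p, 10) for p in parts]
    except ValueError:
        return False
    return all(0 <= o <= 255 for o in octets)


def registrable_domain(host):
    """Last two labels of a host (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.split(".")[-2:])


def url_warnings(href, display_text=None):
    """Red flags from the checklist above for one link: href is the real target,
    display_text the address shown to the reader (a mismatch is the first flag)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    flags = []
    if display_text:
        shown = (urlparse(display_text).hostname or display_text).lower()
        if registrable_domain(shown) != registrable_domain(host):
            flags.append("displayed address differs from the actual link")
    if hostname_is_ip(host):
        flags.append("numeric IP address instead of a domain name")
    if path.endswith(EXEC_EXTS):
        flags.append("link fetches an executable file")
    for brand in BRAND_DOMAINS:
        if brand in host + path and registrable_domain(host) != brand:
            flags.append(f"{brand} embedded in an unrelated domain or path")
    tld = host.rsplit(".", 1)[-1]
    if len(tld) == 2 and tld.isalpha() and tld != "us":
        flags.append(f"country-code domain .{tld}")
    return flags
```

The two-label domain rule is deliberately crude (it treats co.uk style suffixes as a domain); a real filter would consult the public suffix list.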
Can I click on this?
• Analyze web links without clicking on them by copying the URL and testing it at these sites:
  • Trend Micro’s Web reputation query – reclassify.wrs.trendmicro.com/wrsonlinequery.aspx
  • McAfee SiteAdvisor (enter the URL on this web page – you don’t have to install their software): www.siteadvisor.com/
Can I click on this?
• Watch for malicious URLs cloaked by URL shortening services like:
  • TinyURL.com
  • Bit.ly
  • CloakedLink.com
Can I click on this?
• TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See http://tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
• Bit.ly has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious: addons.mozilla.org/en-US/firefox/addon/10297
Evaluating attachments
• Saving it to your desktop without opening it or executing it is usually safe
• If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)
• If it is not detected, it is either OK or a new variant of malware
• Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)
• If OfficeScan still says “No security risk was found”, submit the file to www.virustotal.com to be evaluated by 39 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d
Evaluating attachments
• If it is still undetected and obviously malicious because of the email it was attached to, submit it to K-State’s IT security team at www.k-state.edu/its/security/report/ so we can send it to Trend Micro for analysis
• Contact the sender to verify they sent it
• Ignore or delete it if it’s not expected or important
• Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email systems
• Potentially dangerous file types include .exe, .zip (depending on the file types in the .zip archive), .msi, .pif, .scr, .js, and even .pdf and (rarely) .doc
Example of malicious email attachments
• Monday, July 13, 12:59pm – received the first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
• Many more reports soon followed from around the world implicating many K-State IP addresses
• Many K-Staters started reporting receipt of the malicious emails too
• At least 113 K-State computers were infected/compromised when people opened the malicious attachment
• It was a new variant of malware, so Trend Micro OfficeScan did not detect it initially
What happened?
• Four different emails with the following subjects:
  • Shipping update for your Amazon.com order 254-78546325-658742
  • You have received A Hallmark E-Card!
  • Jessica would like to be your friend on hi5!
  • Your friend invited you to twitter!
• Three (somewhat) different attachments:
  • Shipping documents.zip
  • Postcard.zip
  • Invitation card.zip
• At least three different malicious executables in the zip files (note the numerous spaces in the file name before the “.exe” extension):
  • “attachment.pdf          .exe”
  • “attachment.htm          .exe”
  • “attachment.chm          .exe”
What happened?
• Harvested email addresses in address books and sent the same malicious emails to everyone – aka a “mass mailing worm”; that’s why so many people at K-State received so many copies
• July 29 and August 7 – similar attacks with new variants of the malware that escaped anti-virus detection
• AGAIN (!!) on Nov. 5 – same four emails, new variant of malware, infected 130+ K-State computers
Why was it so effective?
• Used familiar services
  • Amazon.com
  • Hallmark eCard greeting
  • Twitter
• Sensual enticement (“Jessica would like to be your friend on hi5!”)
• Somewhat believable replicas of legitimate emails
• Sent to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)
• Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
• New variant that spread quickly, so initial infections were missed by antivirus protection
• I was too slow submitting samples to Trend (better the second and third time around)
• Malware/attachment filtering in Zimbra did not stop it
• It had been a long time since an attack came by email attachment, so people were caught off-guard
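A way to catch the padded-name trick from the “Evaluating attachments” and “What happened?” slides before anyone opens the archive: list the .zip members and look at their names, never extracting. This is an added example, not code from the roundtable or from K-State; the extension lists are assumptions of the example, and the sample archive is constructed here to mirror the 2009 attachment, not the real file.

```python
import io
import zipfile

# Extensions the roundtable lists as dangerous inside a .zip, and the harmless-looking
# ones scammers put before the real extension (both tuples constructed for this example).
DANGEROUS_EXTS = (".exe", ".msi", ".pif", ".scr", ".js", ".chm")
DECOY_EXTS = (".pdf", ".htm", ".html", ".doc", ".txt")


def inspect_member_name(name):
    """Return reasons a member name is suspicious, or None if it looks harmless."""
    base = name.rsplit("/", 1)[-1].rstrip()
    if "." not in base:
        return None
    ext = "." + base.rsplit(".", 1)[-1].lower()
    if ext not in DANGEROUS_EXTS:
        return None
    reasons = [f"executable member ({ext})"]
    stem_raw = base[: -len(ext)]  # everything before the real extension
    stem = stem_raw.rstrip()
    if stem != stem_raw:
        reasons.append("whitespace padding hides the real extension")
    if stem.lower().endswith(DECOY_EXTS):
        reasons.append(f"decoy extension .{stem.rsplit('.', 1)[-1].lower()}")
    return reasons


def scan_zip_bytes(data):
    """Map suspicious member names to reasons; the archive is listed, never extracted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = inspect_member_name(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed stand-in for the 2009 'Shipping documents.zip'; not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.pdf" + " " * 40 + ".exe", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()
```

A mail gateway that only looks at the outer .zip extension passes this file; one that lists members as above would have quarantined all three 2009 variants.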
Malicious Hallmark E-Card
Legitimate Hallmark E-Card
Malicious Amazon Shipping Notice
Legitimate Amazon Shipping Notice
Malicious Twitter Invitation
Legitimate Twitter Invitation
What can we do?
• Remember – Hallmark, amazon.com, Twitter, etc. do not send info in attachments
• Don’t open an attachment unless you are expecting it and have verified with the sender
• Analyze attachments before opening them
• Think before you click
• Be paranoid!
Reporting scams
• Send spear phishing scams that target K-State specifically to abuse@ksu.edu
• Send them with “full headers” (in webmail: highlight the message, right click, select “Show Original”, copy everything in the resulting window and paste it into an email to abuse@ksu.edu)
• To get full headers in other email clients: www.haltabuse.org/help/headers/index.shtml
• Don’t send generic run-of-the-mill scams to abuse@ksu.edu unless it’s something particularly threatening to K-Staters
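What the full headers buy you: the “From:”/“Reply-to:” checks from the “How to identify a scam” slide and the earliest Received: hop can be read off automatically once “Show Original” exposes them. This is an added example, not code from the roundtable or from K-State; the sample message is constructed to resemble the Help Desk scam described earlier, with placeholder hosts and addresses, and the campus domain list is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

CAMPUS_DOMAINS = ("ksu.edu", "k-state.edu")

# Constructed sample modelled on the Help Desk scam above; every host and address
# here is a placeholder, not a header from the real incident.
SAMPLE_MESSAGE = """\
Received: from mx.example-campus.invalid ([192.0.2.10]) by webmail.ksu.edu
Received: from freemail.example.invalid ([203.0.113.9]) by mx.example-campus.invalid
From: "Help Desk" <helpdesk@k-state.edu>
Reply-To: mail-control-unit@example-freemail.invalid
Subject: KSU.EDU WEBMAIL ACCOUNT UPDATE

Dear Webmail user, reply with your K-State eID and password.
"""


def is_campus(domain):
    """True only for a campus domain or one of its subdomains (not 'evilksu.edu')."""
    return domain in CAMPUS_DOMAINS or domain.endswith(tuple("." + d for d in CAMPUS_DOMAINS))


def address_domain(header_value):
    """Domain of the first address in a header, lowercased; '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def origin_host(msg):
    """Host named in the bottom-most Received: line, the earliest hop we can see."""
    hops = msg.get_all("Received", [])
    words = hops[-1].split() if hops else []
    return words[1].lower() if len(words) > 1 and words[0].lower() == "from" else ""


def header_warnings(raw):
    """Red flags a reader can check once the full headers are visible."""
    msg = message_from_string(raw)
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    flags = []
    if from_dom and not is_campus(from_dom):
        flags.append(f"From: address is not a campus domain ({from_dom})")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To: sends replies to {reply_dom}, not to {from_dom}")
    origin = origin_host(msg)
    if is_campus(from_dom) and origin and not is_campus(origin):
        flags.append(f"claims a campus From: but entered mail from {origin}")
    return flags
```

Only the Received: lines added by your own mail servers are trustworthy; anything below them can be forged by the sender, so treat the origin check as a hint to investigate, not proof.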
Reporting scams
• Submit suspicious files/attachments to www.k-state.edu/its/security/report/ (don’t try to send them in email since they may get filtered)
• You can report scams/fraud/crimes to the federal government:
  • FBI’s Internet Crime Complaint Center – www.ic3.gov/
  • FTC’s OnGuardOnline – www.onguardonline.gov/file-complaint.aspx
• ALWAYS report suspected child pornography to the police (K-State or Riley County)
Useful sources of information
• Google – search for a unique phrase in the suspected scam to see what others are reporting about it
• Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
• Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” – snopes.com
• Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” – www.sonicwall.com/phishing/
• K-State’s IT security web site, updated regularly – SecureIT.k-state.edu
• Current threats and spear phishing scams posted on K-State’s IT threats blog – threats.itsecurity.k-state.edu/