Threat and Spamscape Report
October 2011
What We Saw in September
Email delivered malware continued to spike, carrying over from August. The numbers maintained an average of more than 6 million pieces per day with spikes of 18 million pieces a day early on in the month. Hackers also took advantage of the 10th anniversary of the 9/11 events and its collective emotions by taking control of the NBC News Twitter feed. The hackers used the account to report that another plane had been hijacked and crashed into the site where the twin towers had once stood. Obviously a hoax carried out by conscienceless children meant to simply get a reaction and rise out of already elevated fears. The same group - which called themselves the Script Kiddies - also took over the Twitter account belonging to USA Today later in the month and posted a few messages asking people to vote for the account they would hack next. Here are some other highlights from the month of September:
- American Express customers are again the victim of a phishing attack designed to capture critical banking credentials.
- Dutch certificate authority DigiNotar folds after hackers breached their system and generated many illegal certificates in the company's name, including one for Google.com which was apparently used to get access to spy on the Gmail accounts of hundreds of thousands of Iranians back in June and August of this year.
- Malware posing as FDIC floods our filters claiming security concerns asking recipients to restore their accounts.
- At the same time as the FDIC attacks, tons of malformed "garbage" malware campaigns were circulating - obviously the result of broken automation or a really curious technique.
- Fake "Payment Request" emails were another attempt to trick users into downloading and installing malicious payloads.
Total Email Traffic Volume
This chart represents both total and spam traffic throughout the month of September. Spam traffic was brisk in September as we saw an increase of 28 percent from the previous month.
Tests Failed
This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of September.
Regions of Origin
This graph represents both spam and malicious email traffic by region. We saw a steady increase in spam originating from North America as well as Australia and Oceania in September.
Top Ten Countries of Origin
This chart represents the top countries from which spam originated during September.
Top Email-Delivered Viral Threats
These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top postiion. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This does not mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them).
- X.UPX.App.pakuber
- X.W32.Sasfis.pak
- X.Troj\Invo-Zipreport.ks
- X.Troj\Invo-Zip.9.14repor
- X.W32.PECxt.a
- X.Troj\Zipreport.ndg20110
- X.Troj\FakeAV-ENL.ac
- X.W32.Generic.bank97
- X.Troj.nacha.rpt9
- X.UPX.App.pakuberb
- X.wormgen.NDG20110920
- X.W32.Changelog9.15jra
- X.W32.Bredo922
- W32\AutoRun.Spy.Banker.I_
- X.Trojan.ACH.NDGb
- W32\TrojanDownloader.Chep
- X.W32\Trojan2.NNME.9.6FDI
- X.W32\Yakes.C.gen!Eldorad
- X.Brk.Zeus926
- W32\TrojanDownloader.Agen
30 Day Virus Activity
This chart represents email-borne virus and malware activity during the month of September as seen by AppRiver filters. Emailed viruses continued their flood during September. In all, we quarantined over 170 million messages containing a virus. .
Image Spam
The chart below represents total Image spam seen by AppRiver filters during September.
Phishing American Express
First thing in the morning on September 23rd, we began to see a rather large push from scammers who were attempting, as usual, to part unsuspecting victims from their money. In this particular campaign an email arrived dressed up somewhat convincingly to look like it was coming from American Express.
These emails were generically addressed to "Dear Customer," which is essentially the only clue one should need to identify it was a sham since if the message was important it would have been properly addressed to the individual account holder. Next, it went on to say that they had been doing security screenings and noticed "unauthorized credit card use associated with this account". What account? The account in question that belonged to "Dear Customer" had never been cited. If they've made it this far in the email, readers should have had plenty of evidence to go ahead and delete this phishing attempt.
Finally, the email went on to give readers a false case number, and requested them to download the attachment "form.zip", unzip it, and load the resulting HTML page in their browser.
The HTML page was adorned with more good looking graphics stolen from the American Express web site, as well as a form to fill out that asked for a lot of information, probably information that someone so concerned about your account should probably know in the first place. The code that was mentioned previously was used to make sure that victims were inputting a proper numerical value for the requested PIN number, as well as an account number that properly matched an American Express algorithm. This is a special little touch to try to add some authenticity to this malicious attack, but these algorithms and pre-assembled code are easy to find.
Once all of the "proper" information was added and the "Submit Securely" button was clicked, the victim's personal information was shipped off to be stored at the domain staufain.com where the purveyors of this phish would check in later to weigh their catch. The victim was at the same time redirected to the actual American Express website, hopefully none the wiser. Though, they are redirected without being logged into their accounts or to any sort of page recognizing that they had just given all of that personal information, or any mention of a security issue, just to the AMEX home page.
A Double Whammy: FDIC and Errors in Automation
In the third week of September, we began to see a large push of malware purporting to come from FDIC as well as an even larger campaign of malware claiming that recipients' domains had been suspended, even though the email bodies contained nothing but garbage characters arranged in what appeared to be a typical email format. Please refer to the picture below.
The automation used had somewhat corrupted the malicious attachments by malforming the MIME portion of the emails causing them to be rendered ineffective in some cases as some machines may not have recognized the file type. Other versions of these malicious attachments were simply empty shells boasting a file size of 48K yet containing little more than the document name under the hood.
The FDIC flavored malware did appear to be in proper working order however, with its file FDIC_information.zip. This one appeared to be a variant of the Bredolab downloader out to cause a little havoc. Overall, we saw about half a million pieces of mail related to these two campaigns
Payment Request
In addition to the above mentioned, we also saw a large number of emails with the subject line, "Payment Request". The emails were made out in a familiar way to us as analysts. We've seen this particular format/template many times in the past and can immediately spot them as frauds from across the room without needing to see even what the message contains.
Which may be a benefit considering if someone were to read its attached message they may become concerned that someone had made some fraudulent charges on their company's account. The email claimed that the recipient's domain had made some sort of charge on their company account for a random amount and that this charge was pending. The emails provided a link to dispute the charge, but instead of declining the charge, the link would lead to a Trojan downloader that would cause some real damage.
Bad News for DigiNotar
Thanks to a breach into the Certificate Authority company DigiNotar's systems earlier this year; hackers were able to create fraudulent SSL certificates in this once trusted company's name. The certificates were setup to appear to be for Google. They were designed to trick web browsers into believing that they were talking to legitimate Google domains when in actuality they were the victims of a man-in-the-middle attack. The attacker would present these fake certificates to people attempting to access Google domains and services such as Gmail , and the victim would trust the fake Google certificate and connect believing they were talking to Google. Once the initial connection was made, the attacker would then forward the requests on to the actual Google site positioning themselves in between the communications. This way the attacker would be able to monitor all exchanges in both directions between Google and its victims.
The attack was used to eavesdrop on over 300,000 Iranians via their Gmail accounts. Interestingly enough, Iran's own government is suspected as the attacker as they were supposedly keeping tabs on activists and protestors. The company that did the majority of the research into the breach, Fox-IT, claim that of the over 300,000 IPs that accessed the fake certificates, over 99% of them originated in Iran, making these people the obvious target of a directed attack.
Google wasn't the only domain falsified in the certificates, according to the research group, over 500 fake certificates were issued and possibly abused during the several weeks that DigiNotar was breached and before they had realized it. DigiNotar has since filed for bankruptcy after being removed from trusted certificate lists by all of the major browser companies.
Script Kiddies Annoy Everyone
The term Script Kiddie is a term used to describe people that don't know enough about coding or hacking to create attacks on their own, but instead take scripts written by other people and use them as if they know how. It's a term usually used as an insult to the "noobs" of the craft, but an online hacking group is actually referring to themselves as the Script Kiddies, and just as their namesakes annoy people who know what they're doing, this group is creating plenty of annoyance as well. The group first came to light when they broke into the Facebook account of big drug company Pfizer, defaced it, and took credit for it on their newly created Twitter account. On September 9th they broke into the NBC News Twitter account and began posting tweets that another terrorist attack was occurring at the ground zero site just two days before the 10th anniversary of the original 9/11 attacks. This time they altered the NBC News Twitter account to read "Hacked by Script Kiddies". Since then they have also hacked the Twitter account of the Wall Street Journal where they asked people to vote for what entity that they would hack next, very similar to the boasting ways of the recently defunct group LulzSec. The group has also claimed responsibility for another Twitter breach that occurred back in July. This one was that of Fox News where they made several posts claiming that Barrack Obama had died. These groups are most certainly gaining their courage from the infamy of the aforementioned LulzSec and Anonymous "hactivism" attacks, but they may want to note that these people are being caught and put in jail left and right.