
LinkedIn Spam Leading to Exploits

“Join my network on LinkedIn” was the subject of recent spam emails we received at the Defintel office, and the same subject we have legitimately seen many times before. However, Hussein Matar (skimpinesstul131@rrtrr.net) and Chip Eubank (lucindad0@novamaterialsllc.com) don’t actually share any connections with us. What they wanted to share was malware.

The messages themselves are formed fairly well and not entirely shady looking if you don’t quickly recall what a true LinkedIn request email looks like. Below is the fake:

Every link from Chip takes me to www.rezagroup.net/templates/beez/wps.php?c002, which then redirects to hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php.

The first domain, www.rezagroup.net, appears to be a compromised site with a normally benign purpose, just like many of the others used for the initial hosting of the “/templates/beez/wps.php?c002” and “/templates/beez/wps.php?pprec” links used in the spam campaign. Other sites include:
www.mediasoftbd.com
www.polirovka.lv
grhterceirizacoes.com.br
www.debtconnect.com
www.tempus-giessen.de

The second location, hourlydesk.org, is hosting Blackhole exploit kits and ZeroAccess malware. This domain currently points to 46.4.150.114, which it shares with autorevertpartitionmanagement.biz, another site with the same exploits and malware. The destination URLs for the exploit part of this campaign vary somewhat but commonly fall under the “closest” location:

/closest/209tuj2dsljdglsgjwrigslgkjskga.php
/closest/df7guhoijewpgkegwegko.php
/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php

Some malicious domains sharing these files:

3isjhieuegnirng.mywww.biz
3rtyjjdxgn.ns02.us
3thtyjtyjcc.ns02.us
209wugoirgor.mymom.info
7whwjvlwd.ikwb.com

Be wary of odd-looking invitations and use your instincts. If it feels strange, don’t click. Real LinkedIn invites come from member@linkedin.com and include personal information. LinkedIn addresses this very thing in their help center:

In our messages to you, we include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages. “Phishing” emails often look very similar to legitimate ones, but they likely wouldn’t have this personalized information and may also contain links that direct you to malicious sites instead of LinkedIn.
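As an added example (not part of the original post), the indicators above turned into simple detection logic: a Python checker that classifies URLs against the redirector path on the compromised sites, the “closest” exploit-kit paths and the known exploit hosts, applies the member@linkedin.com sender rule to an invite, and scans a constructed proxy-log sample. The log line format and the rule that a genuine invite only links to linkedin.com hosts are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the campaign described above: the redirector path on
# the compromised sites, the "closest" exploit-kit paths, the hosts seen
# serving Blackhole/ZeroAccess, and the rule that real invites come from
# member@linkedin.com.
LANDING_PATH = "/templates/beez/wps.php"
LANDING_QUERIES = {"c002", "pprec"}
EXPLOIT_PATH_RE = re.compile(r"^/closest/[a-z0-9]{15,}\.php$")
KNOWN_EXPLOIT_HOSTS = {"hourlydesk.org", "autorevertpartitionmanagement.biz"}
LEGIT_LINKEDIN_SENDER = "member@linkedin.com"

def _split(url):
    """urlparse that tolerates the scheme-less URLs quoted in the post."""
    return urlparse(url if "://" in url else "http://" + url)

def _is_linkedin_host(host):
    # Assumption for this example: genuine invite links stay on linkedin.com.
    return host == "linkedin.com" or host.endswith(".linkedin.com")

def classify_url(url):
    """Return a verdict for one URL seen in a mail body or proxy log."""
    p = _split(url)
    if p.path == LANDING_PATH and p.query in LANDING_QUERIES:
        return "landing-redirector"      # first hop: compromised site
    if EXPLOIT_PATH_RE.match(p.path):
        return "exploit-kit-path"        # second hop: Blackhole landing page
    if (p.hostname or "") in KNOWN_EXPLOIT_HOSTS:
        return "known-exploit-host"
    return "clean"

def invite_looks_fake(from_addr, links):
    """True when the sender or any link in the invite is not LinkedIn's."""
    if from_addr.strip().lower() != LEGIT_LINKEDIN_SENDER:
        return True
    return any(classify_url(u) != "clean" or
               not _is_linkedin_host(_split(u).hostname or "") for u in links)

def scan_proxy_log(text):
    """Flag log lines whose URL matches a campaign indicator.
    Constructed line format: <epoch> <client-ip> <method> <url> <status>."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                     # skip malformed lines
        _, client, _, url, _ = parts
        verdict = classify_url(url)
        if verdict != "clean":
            hits.append((client, url, verdict))
    return hits

# Constructed sample log: both hops of the redirect chain from one client,
# a legitimate LinkedIn visit, and a second compromised site from the list.
SAMPLE_LOG = """\
1361300000.123 10.0.0.5 GET http://www.rezagroup.net/templates/beez/wps.php?c002 302
1361300001.456 10.0.0.5 GET http://hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php 200
1361300002.789 10.0.0.7 GET https://www.linkedin.com/e/v2/invite 200
1361300003.000 10.0.0.9 GET http://www.polirovka.lv/templates/beez/wps.php?pprec 302
"""
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the three non-clean lines, pairing client 10.0.0.5's redirector hit with its exploit-kit hit one second later, which is the sequence a responder would want to see correlated.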

-Matt Sully
Additional info and sources:
http://blog.dynamoo.com/2013/02/follow-this-link-spam.html
http://malwaremustdie.blogspot.ca/2013/02/blackhole-of-closest-version-with.html
http://urlquery.net/report.php?id=1186819
http://pastebin.com/UPm0s8r0

Google scam – Part 2

Those of us who deal in IT security have the luxury of being able to ignore the typical scam unless it impacts our network, a family member or a close friend. These scams are generally not all that technically interesting and, frankly, it’s easy to feel like such scams are beneath us somehow.

Many of us have been using computers since before the rise of the internet, and being computer and internet literate we are more than capable of distinguishing a scam with ease. Unfortunately, there are also many who aren’t.

To a large segment of the population, the internet is just as mystifying as a good magic show. They can see the set pieces and the effects, but can’t quite grasp what goes on in the background. They’re not idiots for being conned; they are victims, victims because they didn’t have the knowledge to see through the scam.

Recently my friend, a fellow entrepreneur whom I’ll refer to as Jocelyn, found she faced a high-pressure telemarketing scam based on Google listings.

Having just opened her business last summer, every day she faces a long list of calls to make, bills to pay and appointments to keep, and the last thing she has time for is to learn all the details of how Google listings and SEO work.

Here’s a breakdown of how the scam unfolded:
September
  • Business Registry Center (BRC) contacts Jocelyn and she explains she’s not interested.
  • Being telemarketers, they are very persistent and escalate their tactics, detailing how Jocelyn’s business will suffer and close if she doesn’t accept their offer to ensure her business is registered and promoted on Google Local Business listings. BRC keeps calling to pressure her with more stats and ‘facts’ to validate their claims.
October
  • Jocelyn checks out the BRC website at businessregistrycenter.com and is taken in by initial appearances that seem legitimate. The text is well written and they seem to know what they are talking about.
  • Jocelyn decides to accept the offer to receive the BRC information package and take more time to review their offering.
  • Business Registry Center issues the information package with an invoice.
  • The BRC package arrives: a cardstock folder with Shutterstock images on it, a one-page letter explaining how important a Google Local Business Listing is, and the invoice.
  • Jocelyn immediately calls Business Registry Center to ask about the invoice, explaining there must be some misunderstanding as she only requested the information package and did not agree to the services. The agent advises Jocelyn that when she agreed to have the package sent to her, that was her verbal agreement to the service package, and that they had the conversation recorded.
November to January
  • For two months Business Registry Center calls non-stop, almost every day and escalating at the end to eight or ten times a day, often while Jocelyn is with a client. The calls become progressively more aggressive, threatening to send her to a debt collector and destroy her credit rating. Believing the lies, Jocelyn sends in her credit card number with the invoice.
January
  • Jocelyn consults friends and immediately calls her credit card company to cancel the transaction.
February
  • Following up with due diligence, the credit card company contacts BRC about the cancellation of the transaction. BRC does not respond to the credit card company’s inquiry. Jocelyn is completely reimbursed by her credit card company.
  • Jocelyn details the scam to me and I investigate; you can see the details of my findings in my earlier blog post here.
  • Wanting to protect others, I work with Jocelyn to contact the Montreal Police Department, because the physical location of BRC is in Montreal, Quebec. Montreal police advise that this must be followed up with the Ottawa Police Department.
  • The Ottawa Police Department informs us that because the money was reimbursed there is no fraud and no charges can be laid.
  • Concerned that others might fall victim, we contact local news teams and work with the media and social media to make others aware of this scam.

These people are preying on those who lack specialized knowledge, nothing else. They are thieves, and should be dealt with as such.  They may as well have skimmed her debit card or grabbed the cash from her register.

We can’t stop the scammers from ripping people off.  Like cockroaches, they will scurry off and set up elsewhere as soon as they can.  That doesn’t mean that we shouldn’t stop them at every opportunity.

I welcome your thoughts and comments on how we can resolve these annoying scam artists. 


Google Places for Business Scam

Business Registry Center, with a post office box in Montreal, is calling businesses and non-profits offering to list them with Google Local Business Listings, now known as Google Places Business.  For the listing that is free with Google, they are charging $499.  A rip-off perhaps, but maybe not too bad?  It gets worse.

CBC News Story
CBC News Video

www.businessregistrycenter.com
Telephone: +1-888-416-7472

Address:
6228 Saint Jacques, 
Suite 417, 
Montreal, QC H4B 1T6

From the user agreement found on their site:
Although never mentioned in any of the phone calls, the user agreement states that you are signing up for two years of service at the spectacular rate of over $5,500.00. The user agreement is apparently binding, even if you’ve never been to their site to read it.

You authorize them to charge any card that “they are aware or become aware of”.
In case you don’t follow their terms or even threaten to do so:

So what do you get for your $5,500.00? Well, pretty much what you get for free with Google.

The earliest activity I can find dates back to September of 2012.  Here is one of the dozens of complaints on 800notes.com.  It seems they finally moved from disks to the cloud. http://800notes.com/Phone.aspx/1-888-774-9902

And finally, what I can only assume is a sister site at www.onlineregistrycenter.com.  Different theme, but the content is identical.  
This “office” is located at a UPS store in MN.  

Telephone: +1-888-311-0262
Fax: +1-866-929-0748
Address:
1043 Grand Avenue, 
Suite 145, 
Saint Paul, MN 55105.

Thinking twice about shopping online and BYOD


Cisco has recently published its annual security report, which has some interesting and significant security findings for both security companies and executives.

The study reports that “the majority of web malware encounters actually occur via legitimate browsing of mainstream websites. In other words, the majority of encounters happen in the places that online users visit the most and think are safe.”

This means the assumption that malware infections commonly result from bad sites like counterfeit software sites is a delusion. Online shopping sites were identified by Cisco as being 21 times more likely to deliver malicious content than counterfeit software sites. The Cisco report also states that large organizations are 2.4 times more likely to encounter web malware.

The Symantec Internet Security Threat Report volume 17, which was also recently published, reports that “advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats.”

Both reports identify a significant increase in mobile, specifically Android, malware from 2011. This indicates mobile devices are a tangible threat to all organizations. Symantec clarified that the malware was being created for activities such as data collection, sending content, and user tracking.

The increase in mobile attacks creates a higher demand on security companies and security executives to protect these vulnerable areas on networks.

Many security executives have added an extra layer of protection to their security plan with Defence Intelligence’s Nemesis. Nemesis is able to protect all mobile devices that are within a network, and can identify and sever malware communications on legitimate sites which have been compromised. This gives security teams and traditional tools the time needed to respond and remediate.

Contact Defence Intelligence today for a free presentation on how easily and effectively Nemesis can fit into your current security plan.


What can we learn from Twitter?


With each new breach it’s good practice to find a takeaway that can serve as a reminder or new insight. The recent breaches at Twitter, The New York Times and The Washington Post are no different.

Twitter has offered the most transparent account of its breach thus far. Bob Lord, Twitter’s director of information security, offers an extensive explanation in his blog. Lord reveals that the attack was not the work of amateurs, nor was it an isolated incident against Twitter. The hackers were clearly targeting other companies and organizations. It was for this reason Lord “felt that it was important to publicize this attack while [Twitter] still gather information, and we are helping government and federal law enforcement… to make the Internet safe for all users.”

The Daily Mail consulted an independent privacy and security researcher for input on the Twitter breach and what can be gained from Twitter being so public about it. Considering that the breach impacted a relatively small number of users and how quickly Twitter was able to effectively respond and mitigate it, the breach was deemed well contained.

This reflects the discussions we participated in at the Women in Security Lecture Series recently: namely, that there is a clear need for more communication between security executives and more learning from each other’s mistakes. Twitter is setting a positive example in how to be transparent about its process and in sharing details for others to learn from.

Given that it’s now understood that it’s not a matter of if a company will be breached but when, responses like Twitter’s go towards removing much of the taboo and shame associated with a breach. This is the necessary first step towards true sharing and progress.

Severing the communication at an early stage, which Twitter seems to have been able to do, is an essential part of any security plan. As Lord stated in his blog, these attacks were specific and not perpetrated by amateurs. The hackers have gotten sophisticated, and the security executive’s plan must evolve to keep pace.

Defence Intelligence’s main service offering, Nemesis, is able to add that layer of protection. Many security executives rely on Nemesis as the extra layer that will protect their network from breaches. Nemesis effectively protects networks by severing communication between the network and the attacker. This allows security groups and traditional security tools the time needed to respond and remediate.

Contact Defence Intelligence today to find out how easily and effectively Nemesis can fit into your current security plan.


The Second Annual Women in Security Lecture Series

Last night we had the pleasure of being a diamond sponsor and attending the second annual Women in Security Lecture series at the Hampton Inn and Conference Centre in Ottawa. The event had a relaxed business casual atmosphere with everyone talking about security. We appreciated hearing the different points of view and opinions from the panel and conversations on the current and future state of security.

One of the speakers that really stood out for us was Lisa Gordon-Hagerty. Her extensive background in security in the corporate and government sector made her extremely interesting to hear from.  She touched on the fact that hackers, malware writers, and botmasters all work together sharing information and technologies. This allows them to constantly be a step ahead of the organizations they’re attacking.

“She’s been on both sides of the fence and very much believes in having the government and corporate entities work hand in hand to develop better security policies, to share information on different events and act as a collective unit to better combat cyber security,” says Mohamad Haidara of Defence Intelligence.


There were lots of interesting ideas and discussion around the need for transparency among organizations and the need for organizations to learn from each other’s mistakes and leverage different strengths to secure their networks.

One key point was how current security tools are becoming obsolete. There needs to be a new tool or system brought in to help secure the networks of organizations.

Speakers and panel members for the night included:

LISA GORDON-HAGERTY, MPH – Founder and CEO, LEG Inc

DJENANA CAMPARA – President and CEO of KDM Analytics; Author of System Assurance: Beyond Detecting Vulnerabilities (2011)

DR. ALISON WAKEFIELD – Senior Professor in Security & Risk Management at the Institute of Criminal Justice Studies, University of Portsmouth;

NATALIE RUNYON, MBA, CPP – Director, Global Security, Thomson Reuters; Owner of CSO Leadership Training

CHRISTINA DUFFEY, CPP – Vice President, Operations, Paragon Security

SYLVIA FRASER, CPP, PMP, CRM, CSPM (Moderator) – Corporate Security Supervisor, City of Toronto, currently overseeing the Business Strategies and Risk Management Office

We are pleased to sponsor such a quality event for security executives in the Ottawa area. It was a great night filled with excellent discussions and we’re looking forward to next year’s event.

By Sarah Raphael


The Intern’s Security Practices Part 3: Attitudes

The last area of our survey focused on the attitudes and values of the students. We wanted to know if their security was strict or lax because of their views. This survey was given to first year public relations students at Algonquin College. 
We asked the students if they cared if someone accessed their Twitter, Facebook, LinkedIn, or Google+ accounts. I was surprised that only 77 per cent of the students said yes. It is really important to me because I use social media to make professional connections and keep in touch with family.
Only 55 per cent said that they are more cautious when using the campus computer labs. Personally I don’t bank online in the campus labs but I do log on to social media, e-mail, and school accounts. With the exception of online banking the rest of my accounts seem like second nature. I don’t always think before I log in. That is something I have become more conscious of since I started working at Defence Intelligence.  
We then asked students to rank the following three points from one to three, one being the most important and three being the least. 
  • Your Twitter/Facebook/LinkedIn or Google+ account(s) is (are) hacked and someone posts lies on your account(s)
  • Your email sends spam to all of your email contacts.  
  • Your banking information is stolen and hackers steal money from your account
Fifty per cent of the students ranked them in the following order from most important to least.
  • Your banking information is stolen and hackers steal money from your account
  • Your Twitter/Facebook/LinkedIn or Google+ account(s) is (are) hacked and someone posts lies on your account(s)
  • Your email sends spam to all of your email contacts. 
I agree with this ranking because I do a lot of my banking online and use social media to communicate with family and friends. I don’t have a lot of important or professional contacts on the email account, but as I come closer to graduating and I gain more professional contacts I realize the damage that can be inflicted by someone sending spam from my email. 
Surveying other students has really helped identify my personal security habits and ways to improve them. Hopefully I will be able to keep up the good habits and change the bad ones so I can avoid major security issues.  

By Sarah Raphael

Our Top 3 Stories from January

Each month we want to highlight three news stories that stand out to us. Now that it’s February, it’s time to look back on all the things that happened in the first month of 2013.

Here are the stories for January:

Pupil expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students’ personal data.

A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students’ personal information. Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account  …….. Read more. 

Kim Dotcom Goes on Mega-Offense Against U.S. Copyright Case

AUCKLAND, New Zealand — Facing extradition and possibly decades in U.S. prison, Megaupload founder and filesharing kingpin Kim Dotcom is fighting back, internet-style, launching kim.com, in an attempt to foment a protest movement on his behalf. Dotcom, currently on bail in New Zealand, argues that “the U.S. government has declared war on the internet” and is trying to convince the netroots community to vote against President Obama on Nov. 5 if the case isn’t dropped ….. Read More.

Activist Swartz’s suicide raises questions about prosecuting computer crimes

Internet freedom activist Aaron Swartz, who was found dead in his New York apartment Friday, struggled for years against a legal system that he felt had not caught up to the information age. Federal prosecutors had tried unsuccessfully to mount a case against him for publishing reams of court documents that normally cost a fee to download. He helped lead the campaign to defeat a law that would have made it easier to shut down websites  …… Read More.