This scenario was an invitation from Linkedin, posing as an invitation from Bill Gates to join his network. Linkedin was selected due to availability, and the fact that it is a social network recognized by most executives. This selection of Linkedin was also based on the fact that linked-in email should be already identified by most existing email system(s), and this may have helped delivery through into the mailbox.

While this particular research-project was mainly intended to document the (in)effectiveness of anti-spam filters in protecting against this kind of attack, it goes on to illustrate other vulnerabilities.  Just visiting the phishing site may provide enough information, obtained from the browser’s User Agent headers, to launch a targeted attack.

Specifically, we are interested in the IP address, the OS, Browser, and any plug-ins installed on the client. This information could be used in a multi-layered attack. We have scripts that read this USERAGENT information, and direct the targeted user to specific application pages.

An example of this could be if we had setup and tested a specific client exploit for Win XP and IE 6. Based on this exploit, we could direct only users with Windows XP AND IE6 to a specific page. If they don’t have this specific OS/Browser combo they will be sent to another page. This is invaluable in increasing the chance of exploit success. It works by setting up the exploit (Browser, OS) then, redirecting a targeted user to this page.

This case reiterates that continued user education is a key part of a comprehensive security policy. You may even consider running your own internal phishing campaign to assess current exposure and help raise awareness within your organization.

Share/Save

“Using social networking sites may divert employees’ attention away from more pressing priorities, so it’s understandable that some companies limit access,” said Dave Willmer, executive director of Robert Half Technology, in a statement.

Another study conducted by Nucleus Research also indicated that employees who use social networking sites at work do so up to 2 hours a day. 87% of employees admitted they weren’t using the sites for business, but for personal purposes instead.

Does your company have a social networking use policy in place? Perhaps a good time to check before HR comes knocking.

Update: I just found this short presentation on slideshare…

Share/Save

It appears that currently only accounts starting with the letters A-B are affected, but other lists could exist.

I suggest that you change your password on your msn, hotmail or live account just to be safe.

Share/Save

“The FBI said it uncovered a sophisticated phishing operation that was designed to swipe personal information and then use the data to defraud banks. On Wednesday, authorities arrested 33 of the 53 defendants named in an indictment. Egyptian authorities charged another 47 alleged cybercrooks.”

Each of the defendants indicted in the US, is charged with conspiracy to commit bank and wire fraud, with a statutory maximum penalty of 20 years in federal prison. Hopefully this case will result in convictions with stiff sentences, sending a strong signal to other aspiring cyber crooks.

Share/Save

The State Departments responded by announcing “unspecified disciplinary actions” to employees who keep using reply-to-all, and they delivered this news via old-fashioned cable.

“Department staff hitting ‘reply to all’ on an e-mail with a large distribution list is causing an e-mail storm on the department’s OpenNet e-mail system,” says the unclassified cable that was sent Thursday by Under Secretary of State for Management Patrick Kennedy.
He said the result was ‘effectively a denial of service as e-mail queues, especially between posts, back up while processing the extra volume of e-mails.

The cable orders employees to ‘take immediate action’ to ensure they and their colleagues are ‘aware of the negative impact’ of hitting ‘reply all’ and to delete e-mails addressed to large numbers of people that they might receive in error.

Anyone who disregards these instructions will be subject to disciplinary actions, Kennedy wrote in the cable, which begins:  Please ensure widest distribution of this message. Some also compounded the problem by trying to recall their initial replies, generating yet another round of messages.”

I am still amazed how little control many companies and government agencies assert over their critical communication infrastructure.  Distribution lists, reply-to-all, mail forwarding, restricted content, etc. should all be governed by administrative rules that protect the company from serious technical and legal consequences.

The technology certainly exists…

Technorati Tags: reply-to-all, email security, us state department

Share/Save

New web browser anti-phishing tools expose fake URLs, but the best defense still is simply not clicking email-embedded URLs, and always going directly to a vendor’s website by typing the URL in the browser, especially for login pages and account authentication.

Spear-phishing is a narrowly focused variant of phishing. Rather than bottom trawling the Internet by sending massive numbers of generic messages, spear-phishers gather detailed personal information readily available via Google and Social Networking sites, to craft convincing emails that can trick even seasoned professionals into opening tainted email attachments or visiting fake websites.

Roger Matus wrote an interesting blog post about a particular spear-phishing attack on a Booz Allen Hamilton executive.

“Its authors knew enough about the ‘sender’ and ‘recipient’ to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.”

Targeted phishing attacks on senior executives are now also referred to as Whaling (you’ve got to love the lingo). The case highlights how common exploitive internet techniques are being perfected and used for sophisticated corporate and military espionage attacks. The stakes are high and it is important to train and inform senior executives proactively about these risks. Executives in non-technical fields may be especially vulnerable. Worse, the fear of potential embarrassment may delay the discovery of a problem.

Technorati Tags: phishing, spear phishing, whaling, email risks, electronic espionage

Share/Save

“New York attorneys ordered Hirsch to provide records of the content of the messages exchanged on TXTmob during the convention, as well as the identification of people who sent and received messages, the time the messages were sent for the duration of the event, and a list of people who used the service during the event.”

Hirsch is fighting to protect the privacy of the users of his service, but it is becoming clear that under the Federal Rules of Civil Procedure, text-messages and for that matter all other electronic communications are admissible in court.

This raises some serious privacy concerns and makes you want to think twice of twittering about your life’s every moment.

The even bigger question is how companies must and can comply with discovery requests that are as broadly defined as seen in this case. The archiving of email messages is already adding a huge expense to corporate IT budgets. In case of litigation, the cost of retrieval and e-discovery of this archived content is often even bigger.

Companies should certainly consider these issues when leveraging new collaborative technologies.

Technorati Tags: txtmob, twitter, text-messaging, tad hirsch

Share/Save

Sure enough, there is a section called Text Blocking on the VerizonWireless customer portal. I assume that the cell carriers are just as motivated to control text-message spam, since they will have to deal with the undesired system load and resulting customer complaints.

The settings are straightforward. In my case, I simply disabled all messages that are sent as email or originate from the web. I figured it is OK. to receive messages from other cell phones, since the sender has to pay for the text-message as well.

I am sure the other cell carriers have similar tools in place. Perhaps now is a good time to check your text-message settings.

Technorati Tags: sms spam, text-message spam, cell phone spam

Share/Save

No question, this is a bad practice. All emails, auto-generated or not, should have a valid return address, not simply as a matter of customer courtesy, but also for other reasons. As it turns out, many of these messages cannot be delivered to the intended recipient. People’s email addresses change, they forget to update their email notification preferences, and of course many anti-spam filters mislabel these messages as spam and block the delivery.

And here is where it gets interesting.
Some of the geniuses in charge of these mail servers apparently use as the “fake” return address: some_address-at-donotreply-dot-com. DoNotReply.com of course is a valid internet domain, registered thankfully to somebody with a sense of humor. Chet Faliszek maintains a blog that exposes the worst offenders.

What really got my attention is who’s made the list:

• The Department of Homeland Security
• Merrill Lynch
• MessageLabs
• Capital One
• Verizon Wireless
• Microsoft

Besides the embarrassment, there is also great potential for legal liability for these companies, as some messages contained privileged information.

If you are in charge of messaging operations at your company, I would suggest reviewing the procedures for configuring auto-mailers. Here is what I recommend:

• Provide a valid return address to accept undeliverable messages.
• Implement a process that checks this bounce mailbox and purges undeliverable email addresses from the auto-mailer after a certain count.
• Include a real email address for customer support in the do-not-reply disclaimer in the body of the message to allow recipients to respond.
• Include an unsubscribe link in the message.

Technorati Tags: donotreply.com, email risk, mass-mailers

Share/Save

Email spam is already a huge nuisance and a significant drain on worker productivity. Getting spammed on your cell phone adds yet another dimension, as text messages cost the receiver money, often charged by the message.

“It’s so annoying because I get charged every time I get one, said Ryan Williams, 27, of Falls Church, Va., who receives half a dozen spam messages on a daily basis. They ask him to download ring tones, visit questionable sites over his phone’s Internet connection or urge him to subscribe to horoscopes or sports-score updates.”

Just like regular email, spam is only the beginning. Watch out for smishing – the SMS equivalent of phishing.  Some e-commerce and online banking services have started offering text messaging services for consumer interaction. I am using a service offered by my credit card company, which sends a text-message alert to my cell phone when certain charges exceed a preset limit. The crooks are now using similar, authentic looking text-messages to request personal information, such as social security numbers and account pin numbers.

Just remember, your bank would never make such requests.

Technorati Tags: sms spam, text-message spam, cell phone spam

Share/Save