Monday, November 29, 2010

Cyber Monday Warnings

Today is Cyber Monday, the more recent trendy computer version of Black Friday. It originated when the Internet at home was slow and expensive and corporations and online sellers realized that everyone came back from their long holiday weekend with a list of things they had been unable to buy in the malls and ready to use the company's fast Internet access to finish up their shopping lists.

Of course that's no longer true. Most of us have fast Internet at the house, and the online sellers realize this, which is why many companies started "Cyber Monday" over the weekend. I was getting messages yesterday afternoon from Amazon.com that "Cyber Monday Starts Today!" even though it was quite clearly Sunday. MSN's top ad yesterday was an animated cube from JC Penney announcing 40,000 deals for "Cyber Monday" were already available. Sears sent me emails announcing "The deals launch tonight! Get up to 20% off for Cyber Monday!" WalMart is among the firms extending the holiday shopping spree with "Cyber Week" sales available. I also received Cyber Monday emails from Best Buy, Guitar Center, Kohl's, Office Depot, Rosetta Stone, and Toys'R'Us. Just while I'm typing this two more came in! (Bass Pro Shops and Books-A-Million...excuse me, I'll be right back, and I'm not going fishing!)

I'll be joining all of you shopping, as soon as I get home from work, of course. But let's make sure to use some Cyber Sense to keep safe during this holiday shopping spree.

We've already talked about some general Consumer Safety tips, such as this Birmingham News article, Avoid Being Victimized While Shopping Online and our interview this morning on the CNBC Ron Insana show.

In this blog post, we wanted to share a bit more "techie" version of what we'll be watching for on this Cyber Monday. These are the things that have been troubling me as I think about what the bad guys are plotting for this holiday season.


ESP Spear Phishing leads to ... what?



You might know the term "ISP" is Internet Service Provider. "ESP" is Email Service Provider. Something that has me especially concerned as we head into Cyber Monday is a story from last week that ESP's have been the target of Spear Phishing campaigns. In "Phishing" criminals try to steal your userid, password, and other personal information by sending an email pretending to be from an online company with which you do business, and then directing you to a website to steal your information. In "Spear Phishing" criminals are not using a general "lure" but are instead targeting a particular individual. ESP "ReturnPath" shared this spear phishing attack they observed last week as an example of what was targeting their employees:


Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give meyour current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:

(CAUTION: DO NOT VISIT! MALWARE!)
www.weddingphotos4u.net/Photos/Michelle/

Let’s keep in touch then.

Love,

Michelle & Brian


Obviously, I added that "Do Not Visit" part...

Real people who were really getting married sending emails to real people working at the ESP. Only the wedding site was fake, and instead dropped two pieces of malware. Brian Krebs has more details on his KrebsOnSecurity column, but if the people working at the ESP followed the link, they would be infected with a password stealing program called iStealer and a RAT (a Remote Administration Trojan) called CyberGate.

Why? These companies, and it is believed that perhaps as many as a hundred ESPs were targeted, are the companies that send the "official marketing" emails for many of the largest companies on the planet. Their sending IPs are listed as "trusted" and their emails are signed with digital certificates that "prove" the email is legitimate. If the criminals can take over computers in these organizations, they can insert their malware links into the official marketing emails of large companies!

Shipping Spam Malware



A constant for more than a year, one of the main ways malware is delivered with spam is from messages claiming that a package that you were supposed to receive was not delivered for some reason. While most of the time this is a general annoyance, during the holiday online shopping spree season, this is the kind of email that people are likely to click on. What advice do we always give regarding email? DON'T CLICK THAT LINK! (Or in this case, open that attachment.)

To help protect yourself during the holiday season, make sure that you keep track of what packages have been shipped to you, and what the tracking numbers are for those packages. If you really need to know the status, UPS, FedEx, and the US Postal Service all have great websites where you can enter your tracking number to find out what's going on with your package. Visit the website and type in your tracking number.

We've blogged on this subject repeatedly in the past, including this story from last year's Cyber Security Awareness Month (scroll past the IRS spam, it was the second topic).


Holiday Gift Card Malware



Although we haven't seen it yet this year, some of the most successful malware distributions in the past, particularly with Storm and Waledac, have been holiday themed malware and especially "Greeting Card" malware. See for instance the 2009 story Happy New Year! Here's a Virus! or last Christmas and New Year's New Year's Waledac Card. We even saw these back in 2007, with A Stormy Christmas and a Botnet New Year.

Search Engine Poisoned Results



Back in April we detailed how the criminals use "Search Engine Optimization," which we prefer to call "Search Engine Poisoning" to attach their malware to hot search topics. In that article, that we called Fake AV in the News we demonstrated the technique using common search terms from hot news stories. Watch for the same technique to be used now, only using hard to find gifts as the bait!

(oops...just got another email from Target.com about Cyber Sale!)

Counterfeit (Illegal) Product Sales



There are so many spam campaigns going on right now, as usual, for Rolex watches, UGG Boots, ridiculous software sales, and luxury items, such as popular handbags.

These are largely criminal enterprises, using compromised home computers to send spam that advertises webservers hosted in China by criminals in Russia who will send you fake products of questionable quality that are illegal in the United States as they have violated the copyrights and trademarks of the legitimate companies.

Remember: Why do spammers spam? Because Americans keep buying their garbage. There is no such thing as "OEM Software" that is legal.

Penny Auctions & Gift Cards



Another scam we're seeing spammed heavily today are the "penny auctions" that promise to sell items for pennies on the dollar. One popular site is advertising "Save 95% off retail!" and shows iPhones for $19 and laptops for $40. Most of these work by selling bids. You pay a price to have the right to bid, but of course that doesn't guarantee you will win. The item may "sell" for $4, but in order to sell it for that, thousands of dollars of purchased bids are expended. We've seen spam this morning for QuiBid and BidCactus, as examples.

Other spam messages are giving away "Free $1,000 Gift Cards!" These scams, including popular spam right now for Victoria Secrets and Olive Garden work by having the visitors complete "Member Tasks" to earn their gift card. Another popular version allows you to "pick your gift card" and shows images of Sears, KMart, Kohl's, JCPenney, and Walmart gift cards. Before you actually get the card though, you have to do things like trying NetFlix or trying a new Tooth Whitener. The tasks get more complex, and more expensive, as you try to get enough "points" to get your gift card. By the end, some of the tasks are things like "spend at least $1800 on a EuroRail Pass," or "stay three nights in a Red Horse Inn hotel's luxury suite" or "buy a new car from General Motors!" READ THE FINE PRINT! (and don't waste your time!)

Work At Home, Refinancing, and Other Financial Desperation spam


As desperate as some Americans are for some extra holiday cash, answering a job ad that you receive in spam should not be a consideration. Many of these jobs are helping to facilitate money laundering or illegal product shipment. We've talked about this scams before, most recently in the story Running Out of Money Mules?. Don't fall for the temptation.

Today we've seen spam from "Home Jobs For Citizens", promising us we can earn $150 per day at home, as the most recent example.

We've also seen an uptick in really threatening sounding mortgage spam. One spam message I received today had my true street address in the subject line and warned that my mortgage was delinquent! The spam had my wife's name, my real address, and my email, and took me to a webpage that offered me a 3.6% interest rate on refinancing my home. They've got many "look and feels" all running on the same webserver:

http://62.19.48.58/website/
http://62.19.48.58/website3/
http://62.19.48.58/website4/
http://62.19.48.58/website5/

These spammers are "lead generators" that have you fill out all the credit information that would be used to generate a loan application, and then shop you out to people desperate to make their quota refinancing. Its also not uncommon that this type of spam leads to identity theft. If you want to refinance your home, call a mortgage company, don't click a spam message!

No comments:

Post a Comment