NACHA Attacks Rising Again

Symantec reports an unprecedented jump in spam volumes containing “polymorphic malware,” malicious software that constantly changes to evade anti-virus software.  One of the most successful lures used in these attacks is spoofed NACHA email.  NACHA is a not-for-profit group that develops operating rules for organizations that handle electronic payments.

Victims of these scams soon find new employees, money mules, added to their payroll to move their ill-gotten funds out.  The thieves use the victim’s online banking credentials to push unauthorized payroll payments to the mules, who are instructed to take out the cash, take a cut for themselves, and wire the rest overseas.

  • In September, attackers stole about $120,000 from Oncology Services of North Alabama.  The organization’s accounting firm was the apparent source of the compromise, indicating that other clients may also have been victimized.  The bank was able to block some of the fraudulent transfers, but it remains unclear how much they got away with.
  • Thieves also robbed the North Putnam Community School Corporation, serving 6 northern townships in Indiana.  They made off about $100,000, sending the money to several people who had no prior business with the school district.  Luckily, all of the fraudulent transfers were returned shortly after the attack.
  • Hackers also struck the City of Oakdale, Calif, stealing $118,000 from a city bank account. Oakdale city officials are confident that its insurance carrier would reimburse the loss, minus a $2,500 deductible.  Officials from Oak Valley Community Bank wrongly layed blame for the incident on a lack of technology and security.

Blocking these attacks has little to do with bleeding edge systems or scanning files with anti-virus.  It’s not clear what malware family was used in any of these attacks, although the first involved a gang that uses the ZeuS Trojan.  Most victims of modern malware will actually have anti-virus software installed.  What they won’t have is a definition file that detects the specific characteristics of the malware that is attacking them.  Anti-virus firms and users are constantly playing catch up.  Someone has to suspect a file as malicious and send a copy in for analysis before a signature can be developed and pushed out to users.

Preventing theft of your online banking credentials is a critical first step in dealing with this threat. Consumers, small and mid-sized businesses should use a dedicated computer for online banking.  Access bank accounts only from a PC that is locked-down, regularly updated, and used for no other purpose than online banking.  It’s a few hundred dollars, compared to your entire business and reputation.

-=[BUSTED]=- Two Scareware Rings Taken Down

InformationWeek reports that the FBI has disrupted two scareware (fake anti-virus) crime rings, as part of “Operation Trident Tribunal.”  The FBI obtained warrants to seize 22 PCs and servers located across the United States that were used to support the scammers’ operations.  They also worked with law enforcement agencies in France, Germany, Latvia, Lithuania, Netherlands, Sweden, and the United Kingdom to seize an additional 25 PCs and servers.  It would appear the seizure of several servers hosted by DigitalOne in data center space it leased in Reston, Va. may have impacted some unrelated sites.

The first group bagged at least $72 million over a three-year period by tricking one million people into buying the scareware for up to $129 per copy.  The second criminal operation resulted in the arrest of 2 people in Latvia, and charges each with two counts of wire fraud, one count of conspiracy to commit wire fraud, and computer fraud.  The pair were apparently running a “malvertising” scam by creating a phony advertising agency, and purchasing advertising space on the Minneapolis Star Tribunewebsite.  Newspaper staff vetted the digital advertisement before posting it to the site.

The defendants altered the advertisement code to infect website visitors with malware that launched scareware applications on their PCs.  The scareware froze PCs until the user paid to purchase fake AV software.  Those that didn’t pay  found that all information, data, and files stored on the computer became inaccessible.  As part of this scam, the two Latvians allegedly netted $2 million.

These scams may sound lucrative, but it is good to hear that arrests are being made.  Watch for an increase in arrests as the FBI and other Law Enforcement Organizations get a handle on the scope and scale of this type of activity and trace it back to the nest.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, Policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized, popping up like mushrooms, where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid and enterprise encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks? Continue reading

Sophos 2011 Security Threat Report

Sophos’ threat experts see 30,000 new malicious URLs each day.

70% of these sites are legitimate websites that have been compromised.

Their 2011 Security Threat Report has been released detailing the battle against malware.

It describes the significant threats of 2010, what to watch for in 2011, and more importantly, what you need to do to get ahead of the threats.

  • .
  • One of the more persistent threats of the year was fake anti-virus, also commonly known as “scareware” or “rogueware.”  In this widespread practice, software is introduced into a victim’s computer system, through an interface closely resembling—and in some cases directly impersonating—genuine security solutions.   Criminals are using this ploy to drain bank accounts and completely take over identities.
  • The search engine is our gateway to the web, and crooks are skilled at manipulating search results from the popular engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.   These pages host security risks and browser exploits just waiting to infect users who are directed to these sites. There’s also the abuse of legitimate search engine optimization (SEO) techniques. Legitimate SEO techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as “SEO poisoning”. With SEO poisoning, search engine results are poisoned to drive user traffic to the rogue site.  Google reported that up to 1.3% of their search results are infected . You’re directed to a bad page through a poisoned search.  Once a victim is lured to the desired webpage, they’re redirected to a rogue or compromised site.  On these sites, criminals infect users’ machines with malware or push fake goods and service while attempting to steal personal information.
  • Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.  Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites.  Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base , with diverse and steadily growing of attacks throughout 2010.  One of the more common types of attack hitting Facebook users is “clickjacking,”.  These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.  Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.

Other areas that are assessed and reported on are passwords, and spam.  It’s a good report, well worth the read.

Spoofed LinkedIn Invite = Malware

According to M86 Labs, malware scammers are targeting LinkedIn users with legitimate-looking messages that appear to come from the social networking site:

The scammers have used the actual LinkedIn email template and modified it to suit their needs, changing the link behind the confirmation button.  Simply hovering the mouse over the button reveals that the destination URL is not on LinkedIn, but on the salesforceappi.com (not to be confused with the legitimate salesforceapi.com domain).

For those unfortunate users who follow the link, the “BlackHole” exploit kit at the destination server tries to exploit a number of vulnerabilities in order to load up malware.  The bulk of the successful exploits appear to exploit Java and PDF reader vulnerabilities.

Lessons learned from this attack campaign include, don’t click that link!  Even if it looks familiar.  Instaed, open up your own browser window and visit the site yourself.  Legitimate invites will be present in your LinkedIn inbox.  Also, keep your software up to date!  One vulnerability is all that the bad guys need.  Once you have been had, it is difficult to undo the damage.

Beware Email Frauds

The FBI is warning against common “News of The Moment” scams, where hot topics are abused to spread malware.  This sort of attack will often use cross site scripting (XSS), which allows an attacker to execute code on the target website within a user’s browser using crafted values in the target site’s URL, web forms, or in cases where sites allow users to place material directly in posted content.  These scams are not likely to go away anytime soon, and are increasing in their sophistication and cleverness.

Recently, social networking site users have fallen victim to “self” infecting XSS attacks where they actually perform the attack themselves by following directions to view the latest Osama bin Laden video.  Before users can view the video, they must complete a “5 second security check.”  Instructions to follow a few keyboard shortcuts allow users to cut and paste malicious code directly into their browser’s URL without any indications it is a viral scam.

They are also warning on scams misrepresenting the Financial Crimes Enforcement Network of The United States Department of the Treasury.  Perpetrators will commonly use the names of various government agencies or officials to legitimize their scams.  Most recently, there have been several complaints in which victims reported receiving an e-mail or phonecall claiming to be from the U.S. Department of the Treasury stating their lost funds, which were stolen and diverted to a foreign account registered in their name, have been recovered.  The e-mail advised them to cease all money transactions, especially overseas, and to respond to the e-mail so the lost funds could be returned.

The e-mail further stated the US government is making adequate arrangements to ensure outstanding beneficiaries receive their funds.  The e-mail is signed by James H. Freis, Deputy Director of the Financial Crimes Enforcement Network, and requires victims to provide personally identifiable information that could potentially result in identity theft.

The U.S. Department of the Treasury posted a scam alert on their website on April 13, 2011, stating they do not send unsolicited requests, do not seek personal or financial information from members of the public by e-mail, and recommend that recipients do not respond to these messages. The alert further provides links for victims to report solicitations claiming to be from the U.S. Treasury.

Beware: NACHA Spam Scam

NACHA manages the development, administration, and governance of the ACH (Automated Clearing House) Network, the backbone for the electronic movement of money and data.  The ACH Network provides direct consumer, business, and government payments, facilitating billions of payments annually, such as Direct Deposit and Direct Payment.  As a not-for-profit association, NACHA represents nearly 11,000 financial institutions via 17 regional payments associations and direct membership.

NACHA continues to be spoofed in sustained and evolving phishing attacks in which consumers and businesses are receiving emails that appear to come from NACHA.  The attacks are occurring with greater frequency and increasing sophistication.  Perpetrators may also be exploiting email addresses recently stolen from Epsilon.  Remain vigilent, and do not fall prey to these scammers.

The email that I received appears in the following form:

These fraudulent emails typically make reference to an ACH transfer, payment, or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the email recipient.  The contents of these fraudulent emails vary, with more recent examples including a counterfeit NACHA logo (the above sample shows a logo placeholder) and the citation of NACHA’s physical mailing address and telephone number.  The link in my sample was obfuscated using a URL shortening service to hide its actual destination.

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.

Do not to open attachments or follow Web links in these or other unsolicited emails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.  Forward suspected fraudulent emails appearing to come from NACHA to abuse@nacha.org to aid in their efforts with security experts and law enforcement officials to pursue the perpetrators.

If you did click on the link or open an attachment from a similar email, malicious code is detected, or suspected on a computer, consult with a computer security or anti-virus specialist to remove the malicious code or re-install a clean image of the computer system.  To protect yourself, always use anti-virus software and ensure that the virus signatures are automatically updated frequently.  Ensure that the computer operating systems and common software application security patches are installed and current.