A Cautionary Tale

I recently had an unpleasant experience that was shared with all of my e-mail correspondents (my apologies).

Somehow one of my e-mail accounts was compromised and many of my contacts received spam mail from “me.” I still don’t know quite how it happened. I’m fairly security conscious, but not perfect. One error I made was I hadn’t changed the password on my e-mail account for a long time. The second, larger, error was using the same general purpose password on that account that I use on an assortment of non-financial accounts. The third, and also pretty big error, was that the password itself wasn’t very good—a dictionary word combined with a series of numerals. Bad.

I’ve since remediated those errors and hope that has put an end to this particular nastiness.

While I’m up here talking, I thought I’d share some very contemporary news. The Zeus Trojan—a very popular bit of malware, is currently being distributed via fake iTunes receipts (http://www.scmagazine.com/latest-zeus-attack-propagated-via-fake-itunes-receipt/article/180405/). It looks like a genuine iTunes receipt, appears to have been sent by Apple, but the dollar amount is huge. You think—-what the heck is this??? Conveniently, there is a link included that you can click on if you have questions or concerns about the billing. You guessed it, the link takes you to a series of locations, eventually prompting you to download Adobe Flash Player. Are you getting worried? You should be.

You’re tired, you want to get on with business, Adobe continually pesters you to download updates…you click on it.

Zeus is now on your PC. The hot craze in Zeus payloads right now (http://www.scmagazine.com/zeus-botnet-targeting-macys-nordstrom-account-holders/article/192509/) launches a pop-up when you log into your Macy’s or Nordstrom’s account. The pop-up warns you that: “In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online. Please enter the information below to continue.”

And then it asks for your credit card number, expiration date, security code, SSN, mother’s maiden name, date of birth…boy are you in trouble now.

The moral of this story, if there is one—keep your OS up to date (Microsoft has issued a patch that can detect and remove zeus), be careful with what sites you visit, and be very very careful with what downloads you authorize. (I’d go into your control panel, select User Accounts, and create a user account that is NOT an administrator—use that account for all your day-day computer use. That will disable the ability to install many types of SW in that account, happily, including many types of malware.)

For those of you who are do-it-yourselfers, there are free kits readily available in certain places so that you can add your own malicious payload to the zeus transport and distribute it for fun and profit.

Happy Computing.

Posted in Misc permalink

About Patrick Sullivan

Pat Sullivan is an electrical engineer by training, corrupted into an Information Assurance architect--He recently let slip the secret motto of all IA people: "We're not happy 'til you're not happy." He likes to read science fiction and espionage thrillers, has a few patents, and is trying hard to breath life into a science fiction novel.

Comments

A Cautionary Tale — 2 Comments

  1. I’ve often thought there should be some organization that does nothing but generate phishing letters, fake websites, emails with alleged attachments of naked celebrities, and the like, then when you get to the point where it could’ve installed malware on your computer or when it has your password or whatever, it would put up a big message box saying “YOU BIG DUMMY!”, with a link to a webpage explaining why what they just did was stupid.
    Um, no offense.

  2. Not a bad idea. Eric Lawrence, Senior Program Manager, Internet Explorer Security Team, Microsoft, presented something akin to that in a talk at USENIX Security ’09 where he put up alternate some humorous alternate menus, including “I’m Feeling Lucky” in place of “Download.”

    Don’t be too harsh though. The security features in computers tend to be so obscure, and the warning messages so useless, that people become desensitized.

    The attackers craft very convincing e-mails and fake web pages (far beyond the “I’m a Nigerian Prince and need to cash a check for $1 Million Dollars, can you help me…).

    And things like nasty cross-site scripting attacks don’t require the unlucky user to do much of anything. (It could be as simple as viewing a web page from a blog that allows users to post content containing HTML scripts that are invisible when loaded on the site.)

    My very favorite “hack” doesn’t involve computers but shows how users can be easily manipulated. Imagine you just checked into a hotel while on a business trip. You make the treck up to your room, tired and hungry from traveling, start to unpack, and the phone rings. “Hi, this is Lisa from the front desk. Your credit card didn’t scan correctly. Can you please read me the numbers? Thanks so much.”

    Oops.

    I’m pretty sure I’d have fallen for that one. I’m confident there are slick people out there who can craft other attacks I’d fall for. I think I’d catch 99.99% of the bad guys because they just aren’t that clever. But there are a few that are very clever.