Are Social Media Sites Effectively Protecting Against the Proliferation of Malware?

Friday, April 30th, 2010

Reports continue to come out about social media users who unknowingly access malware through online advertisements and/or applications. Facebook’s Farm Town is a recent example: people who clicked on a banner ad inside the game were told that their computer had multiple viruses, which they could eradicate by clicking on an anti-virus link. Those who clicked the link were exposed to a malware download and installation, the classic rogue anti-virus lure.

While reports like this are not new, users continue to fall victim to traps on trusted social media sites. It is time for these sites to realize the serious impact that attacks have on user confidence and make the necessary adjustments to proactively protect their users from dangerous links and ads resting on their pages.

For example, Cyveillance works with customers who use its data feeds to protect advertisers’ brands online. These organizations understand the importance of staying one step ahead of the dangers on the Internet and use Cyveillance’s real-time content monitoring to receive early warnings of potential violations. In doing so, advertisers become aware of any misuse of their brand online, which helps keep Internet users protected against rogue links falsely associated with the company and provides a safer online environment.

As malware continues to plague social media sites, it is time for these Websites to take action. A proactive security approach will not only create a safer online environment, but also generate greater user confidence among the growing social media sites.

Gmail Spam Leads Users to Scam Sites Posing as a Canadian Pharmacy

Wednesday, April 21st, 2010

Spam originating from Gmail accounts that routed recipients to what appears to be a Canadian pharmacy has created quite a stir online this week. According to reports:

…the Gmail spam is hardly sophisticated. It’s being used to flog Canadian pharmaceutical Web sites that promise to send cheap drugs to U.S. customers

Although the spam component may not be very sophisticated, a more detailed analysis shows that the attack as a whole is more complex. The fulfillment of the scam is relatively complicated, and like many websites that sell prescription drugs over the internet, Canadian Health & Care Mall has no real connection to our neighbors above the border at all. In fact, the websites to which Cyveillance has seen internet users routed in this scam are hosted in countries like Thailand, Iran, and China, and registered to individuals in Russia.

[Screenshot: the “Canadian Health & Care Mall” online pharmacy site]

When recipients of the spam coming from compromised Gmail accounts click the link in the email, they are sent to various legitimate websites around the world. Unfortunately these sites have been hacked by cyber criminals, and visiting certain links on them redirects the web surfer to websites that look like the one pictured above.
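The hop sequence described above (spam link to a hacked legitimate site, then on to the scam destination) is the kind of thing an analyst wants to trace without a browser. The following is an added example, not code from the original post or from Cyveillance: it follows HTTP 3xx Location headers, HTML meta refreshes and simple JavaScript `location` assignments, caps the number of hops, detects loops, and reports each point where the chain leaves one hostname for another. The responses and hostnames are constructed stand-ins; a real fetcher returning `(status, headers, body)` for a URL can be passed in place of `fake_fetch`.

```python
"""Follow a redirect chain offline (HTTP 3xx, meta refresh, JS location)
and report where the chain crosses from one host to another."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample responses keyed by URL: (status, headers, body).
# The hostnames are invented stand-ins for a hacked legitimate site, an
# intermediate redirector and the scam destination, not the real sites.
SAMPLE_RESPONSES = {
    "http://news.example-charity.org/article.php?id=42": (200, {}, """<html><head>
        <meta http-equiv="refresh" content="0;url=http://stats.example-cdn.net/go.php?x=1">
        </head><body>Loading...</body></html>"""),
    "http://stats.example-cdn.net/go.php?x=1": (302, {"Location": "/land.php"}, ""),
    "http://stats.example-cdn.net/land.php": (200, {}, """<html><body>
        <script>window.location.href = "http://healthcare-mall.example/?ref=1";</script>
        </body></html>"""),
    "http://healthcare-mall.example/?ref=1": (200, {},
        "<html><title>Canadian Health &amp; Care Mall</title></html>"),
}


def fake_fetch(url):
    """Stand-in for a real HTTP fetcher; must return (status, headers, body)."""
    return SAMPLE_RESPONSES[url]


class MetaRefreshParser(HTMLParser):
    """Pull the target URL out of a <meta http-equiv="refresh"> tag, if any."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.target = m.group(1).strip()


# Crude match for inline "location = '...'" style JavaScript redirects.
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)


def next_hop(url, status, headers, body):
    """Return the URL this response sends the visitor to, or None for a final page."""
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and lower.get("location"):
        return urljoin(url, lower["location"])
    parser = MetaRefreshParser()
    parser.feed(body)
    if parser.target:
        return urljoin(url, parser.target)
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None


def follow_chain(start, fetch, max_hops=10):
    """Follow redirects from start; raise on loops or runaway chains."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError(f"redirect loop back to {nxt}")
        chain.append(nxt)
        url = nxt
    raise ValueError(f"more than {max_hops} hops; giving up")


def host_hops(chain):
    """(from_host, to_host) for every hop that changes hostname."""
    hosts = [urlsplit(u).hostname for u in chain]
    return [(a, b) for a, b in zip(hosts, hosts[1:]) if a != b]


if __name__ == "__main__":
    chain = follow_chain("http://news.example-charity.org/article.php?id=42", fake_fetch)
    for u in chain:
        print(u)
    for a, b in host_hops(chain):
        print(f"  leaves {a} for {b}")
```

For the constructed responses the chain is four URLs long and crosses hosts twice: off the hacked charity site onto the redirector, then from the redirector to the pharmacy. Hops that change hostname are the ones worth recording in an abuse report, since the owner of the first site usually has no idea the redirect is there.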

At first glance, this fake online pharmacy site’s efforts to appear legitimate are impressive. The cyber criminals have fabricated VeriSign trust seals and even included a digitally altered seal of approval from the United States Food and Drug Administration.

The certificate, dated 2001, reads:

All the drugs sold at Canadian Health&Care Mall are considered to be FDA approved.

The FDA is responsible for protecting the public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, our nation’s food supply, cosmetics, and products that emit radiation. The FDA is also responsible for advancing the public health by helping to speed innovations that make medicines and food more effective, safer, and more affordable; and helping the public get the accurate, science-based information they need to use medicines and foods to improve their health.

A little digging shows the inaccuracies in the website’s claims. Its Contacts page lists the USA headquarters’ address as “2723, Guadalupe St, Austin, TX, USA”. A look in Google Maps shows a Taco Bell and a Chinese restaurant at that location.


[Image: the headquarters building shown on the site] This building is not found at the USA address provided on the fake online pharmacy.

Another red flag – how often is your credit card number required simply to submit an inquiry on a web form?

[Screenshot: the site’s inquiry form, with a padlock icon beside the credit card field]
Despite the small lock icon next to the credit card field, no security measures appeared to be in place on this page. A padlock drawn inside the page content is just an image the site operator chose to display; the only indicator that means anything is the browser’s own, which reflects whether the page and the form’s submission target are served over HTTPS with a valid certificate.

The scam shows how elaborate fraud campaigns on the internet can be today. Consumers’ hacked email accounts were used to distribute the spam. Compromised web servers redirect visitors to illegitimate pharmacy websites. The destination websites, where the fraud is actually perpetrated, sit on servers in far-off countries where interactions with hosting companies’ abuse teams may not be easy.

As always, be vigilant when following links you receive in email. The risk to your computer and to your financial health is extremely high if you are not very careful. And never, ever order from an online pharmacy unless you know it to be legitimate and operating within the law.

A robust examination of the Canadian Health & Care Mall can be found at SpamTrackers.eu.

Digital Copiers an Opportunity for Data Thieves

Tuesday, April 20th, 2010

Among the many services we offer our clients, Cyveillance monitors the internet for important client documents that are meant to be kept inside an organization. Nearly every day we find examples of valuable intellectual property posted on the internet where it can be used by competitors and fraudsters. Even foreign governments seeking industry secrets to assist their own defense and technology industries can find sensitive documents posted online.

Yesterday CBS News ran a story titled Digital Photocopiers Loaded with Secrets. It described how the common digital copy machines used today can be a serious threat to an organization’s security because they often create and save digital versions of the documents they scan onto the copier’s own internal hard drive. These copiers are often leased by office supply firms to offices, and when the copiers are eventually returned, the data stored on the hard drive goes out the door with the copier to unknown destinations.

Investigators with CBS bought four previously used copy machines and uncovered highly sensitive documents on every one of them. The copiers contained criminal records, sensitive architectural blueprints, and even consumer health records. As reporter Armen Keteyian described the situation, “If you’re in the identity theft business, this has to be some kind of pot of gold.”

While the copiers examined in the CBS story appeared to originate in the New York area, imagine what would have been found had they examined copy machines from the nation’s capital. The story underscores the importance of end-to-end security of high-value documents and sensitive information within an organization. Even in the unlikely scenario of perfect information-protection compliance by employees, if the copier that leaves the building contains an archive of recent years’ documents, the organization has been breached.

Today’s threat landscape is riskier than ever. Organizations need to think more like their competitors, fraudsters, and agents overseas if they have any hope of keeping their data secure. Otherwise, like the document-laden copiers in the CBS story being shipped from New Jersey to Argentina and Singapore, we will continue to give away one of our most valuable assets.

Are AV Reviews Providing a False Sense of Security?

Friday, April 9th, 2010

PC World recently reviewed Norton Internet Security 2010 praising the tool as “one of the top performers in detecting and cleaning up active malware infections on a PC.” While it is important to recognize the inherent need for anti-virus (AV) security tools, reports like these published by PC World may in fact be a disservice to consumers and businesses by creating a false sense of security for those using these tools.

PC World stated that Norton “found all bad software, disabled 93 percent of it and removed all traces of two-thirds of the software—the best score of any product [they] tested.” While these may have been the best scores they saw, according to the report their lab environment included only known signatures, so it does not represent the “real” Internet, where zero-day threats and malware with unknown signatures appear in abundance every day.

Since the testing of the top AV products was conducted against known signatures, anything less than a 100% detection rate should be unacceptable. As illustrated in the graph below, we have found that even the most popular AV solutions detect less than half of the latest malware threats:

Furthermore, even a week or more after the release of a new malware threat, AV products still have only about a 50% chance of protecting against it, which strengthens the argument for a comprehensive, proactive security approach. More information regarding our testing can be found in the Cyveillance Intelligence Report.

We strongly encourage vigilant testing of security products, but the methods should be based on realistic online environments, provide insight into the realities of what AV solutions can do, and report an accurate level of security for those using the products.