Charitable Phishing Scams Grow Significantly During the Holiday Season
Tuesday, December 15th, 2009
Cyveillance advises consumers to exercise caution when making online charitable contributions. See the full announcement here.
In recent phishing attacks targeting Cyveillance and numerous other organizations, cyber criminals are exploiting outward-facing Microsoft Exchange mail servers to personalize emails and spoof internal email addresses. The bogus messages, which appear to come from those internal addresses, are sent to the organizations’ personnel and ask the recipients to click on a link in order to update their Microsoft Exchange settings. Once the link is clicked, the user is routed to a fake site that appears to be authentic. If the user clicks on the link to the executable file on the fake site, malware is downloaded to his or her computer. After the malware is downloaded and installed, the user’s computer becomes part of a larger botnet capable of a multitude of malicious acts.
Email screenshot:
This attack type was originally reported by SANS earlier this week. The SANS report can be found at https://isc.sans.org/diary.html?storyid=7333. Since the time of the report, the attack has become even more dangerous with the addition of fast flux technology. Fast flux is a method of phishing in which the attacks are moved throughout a group of servers in order to evade detection and takedown.
The malware used in the attack is a Trojan-Spy virus. More information about sample… It is detected by only 4 of the top 41 anti-virus vendors according to VirusTotal (http://www.virustotal.com/analisis/95583b5228d16750aa81a8c8ba6d29455b89297560fbb65b53638bc6b3b9c188-1255547944).
On the surface, the goal of the attacks appears to be to increase the computing power of botnets by increasing the number of bots that belong to the network. Given the numerous organizations targeted and the methods used, this approach clearly demonstrates the sophistication of modern phishers and their ability to amplify the potential danger of attacks targeted at specific victims. This more creative mixing of phishing methods increases the likelihood that the phisher’s emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.
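The lure described in this post combines three checkable traits: an internal sender address on mail that arrived from outside, a link that leaves the organization, and a link to an executable. The following triage sketch is an added example, not code from Cyveillance or SANS. The domain `example.com`, the relay list, and the sample message are constructed assumptions, as is the premise that the newest `Received` header is written by the organization's own mail exchanger.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"         # assumption: the organization's mail domain
TRUSTED_RELAYS = {"mail.example.com"}   # assumption: hosts allowed to send as internal users

# Constructed sample, modelled on the lure described in the post (not a captured message).
SAMPLE = """\
Received: from unknown-host.invalid (unknown-host.invalid [203.0.113.7])
\tby mx.example.com; Wed, 14 Oct 2009 10:00:00 -0400
From: "IT Support" <admin@example.com>
To: user@example.com
Subject: Update your Microsoft Exchange settings
Content-Type: text/plain

Please apply the new mailbox settings:
http://settings-update.invalid/owa/settings-file.exe
"""

def is_internal_host(host):
    host = host.lower().rstrip(".")
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def triage(raw):
    """Return a list of findings for one inbound message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The first Received header is the newest one, written by our own MX (assumption),
    # so the host it names is the one that actually handed the message over.
    received = msg.get_all("Received") or [""]
    match = re.search(r"from\s+(\S+)", received[0])
    handoff = match.group(1).lower() if match else ""
    if sender_domain == INTERNAL_DOMAIN and handoff not in TRUSTED_RELAYS:
        findings.append("internal From address delivered by external host")
    # Decode every leaf part so links in base64 or quoted-printable bodies are seen too.
    body = "".join((part.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for part in msg.walk() if not part.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        parsed = urlparse(url)
        if not is_internal_host(parsed.hostname or ""):
            findings.append("link leaves organization: " + (parsed.hostname or ""))
        if parsed.path.lower().endswith(".exe"):
            findings.append("link to executable: " + parsed.path)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The same sender check is more robust when enforced at the mail gateway, by rejecting unauthenticated inbound mail that claims an internal sender, than when applied after delivery.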
Antivirus and Anti-Phishing Tools Provide Inadequate Detection of Cyber Attacks During Critical First 24-Hour Period
In addition to the AV, Web browser anti-phishing and consumer protection application testing, other key findings in the report include:
View the report: http://www.cyveillance.com/web/forms/request.asp?getFile=115
In a recent phishing attack discovered by Cyveillance, cyber criminals used a single Web site to attack over 160 banks and credit unions. For the attack, the phisher launched an email campaign soliciting users to click on a link within the email referencing a trusted brand (Neteller). Once the link was clicked, the user would be routed to a Web site that asked the user to select their bank or credit union from a list of 162 institutions. If the user selected an institution and clicked on the continue button, he or she would then be asked to enter personal information related to their account. The information given would later be used by the phisher for purposes of identity theft and other criminal activity.
Screenshot of phishing Website:

Given the numerous financial institutions targeted, this approach clearly demonstrates the sophistication of modern phishers and their ability to go beyond simple one-off attacks targeted at specific victims. By being less discriminating in their approach, phishers using these growing bundled attacks significantly increase the likelihood that their emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online banking applications through their financial institutions’ primary Web site.
Hackers were able to penetrate systems at grocer Hannaford Brothers and made off with 4.2 million credit and debit card numbers. The Associated Press reports there are already 1,800 cases of fraud linked to the breach.