General Cyber Intel

The U.S. Secret Service Electronic Crimes Task Forces

Tuesday, December 15th, 2009

There has never been greater focus on the threat posed by attacks on our nation’s infrastructure. The Obama administration has prioritized defending the United States from cyber attack by online criminals and other countries. Indeed, in May the President noted that cybersecurity would be designated as one of his key management priorities.

In their role as protectors of private and public sector infrastructure, companies in the information security industry bear witness to intimate details of the attacks against critical resources we all rely on. Appropriately sharing such knowledge and data about these attacks is an important step in preventing future attacks.

The United States Secret Service’s Electronic Crimes Task Forces were created to facilitate opportunities for such information sharing. Mandated by federal law signed by President Bush in 2001, the Electronic Crimes Task Force Initiative originally created ECTFs in eight metropolitan regions but has now grown to twenty-four task forces.

The Electronic Crimes Task Forces hold meetings on a quarterly basis where law enforcement of all levels, academia and the private sector gather to discuss trends and share information about recent threats and attacks.

As President Obama stated in his remarks in May, “This status quo is no longer acceptable — not when there’s so much at stake. We can and we must do better.” Cyveillance encourages its colleagues, customers, and partners in the information security industries to participate in initiatives like the ECTF.

Hosting Companies Targeted in Recent Phishing Attacks

Friday, December 4th, 2009

Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:

[Image: hosting phish email]

As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or her to the fake administrator’s Website below:

[Image: hosting phish site]

On the fake Website, the user is asked to provide login credentials. If the credentials are entered, the user effectively hands over access to every Website controlled by that login. Users can avoid falling victim to this attack by never clicking on links within such emails and only accessing online applications directly through known Web sites and pages.

Google Search Results Poisoning Extends to Online Pharmacies

Thursday, December 3rd, 2009

Tactic Used to Spread Malware Now Observed Hijacking Users, Pushing Them to Illegal Online Pharmacies

Less than three weeks ago, Cyveillance shared its discovery of Google search results that lead users directly to malware. In that exploit, cyber criminals infected websites and placed blog software on them that automatically posted pages that Google would later find, index, and include in its search results. Users who clicked the links in Google’s search results were redirected to other sites that attempted to install malware on their computers.

Cyveillance has now observed the same tactic being used to drive traffic to illegal online pharmacies. Similar to before, cyber criminals have inserted blogging software on compromised pre-existing websites. The blog software automatically generates content like that found in the following image.

[Image: fake blog]
The rogue blog posts content laden with references to the erectile dysfunction drug Cialis.

The rogue blog software notifies Google that new content is available, and Google’s crawlers visit the new content for inclusion in the search results it presents to users.

[Image: poisoned Google results]
Sites that are unknowingly hosting this version of the rogue blog software can be found with the Google search allinurl:.store/cialis-online/index.

If a user were to click on any of the results shown above or any other search results from the directory where the rogue blog is found on the compromised sites, they would be redirected to a site like traffic-analytics.net, which in turn would redirect them to an online pharmacy like the one below.

[Image: online pharmacy]
Those who click on the poisoned results will be ultimately delivered to ultimatepharmsgather.com.

Enter Glavmed, the Notorious Illegal Pharmacy Ring

The site where these search results lead, ultimatepharmsgather.com, is part of the long-standing illegal online pharmacy network called Glavmed. Believed to be related to the Russian Business Network (RBN), Glavmed is a long-standing Russia-based organization that relies on affiliates to market counterfeit pharmaceuticals.

[Image: Glavmed]

While Glavmed is perhaps best known for spam related to erectile dysfunction drugs like Viagra, Cialis, and Levitra, its sites also sell body-building medications and heavy-duty painkillers.

What’s New This Time?

In our earlier report a user could avoid being redirected to the malware drop site by not clicking on the link in the Google search results and simply typing in the address of the link into their browser’s navigation bar. This time, typing in the link will still result in the user being redirected to the online pharmacy. This makes it harder for users to avoid being hijacked by the cyber criminals.

Further, last time it appeared that the middleman site that would perform the initial redirect to the malware drop site would change on a regular basis, almost daily. Since discovering the Google search results that lead to the online pharmacy, Cyveillance has observed the same redirector middleman site (traffic-analytics.net) and the same final destination (ultimatepharmsgather.com). Overall, this is a simpler scheme than before and should be easier to remove for the safety of internet users.

Closing Thoughts

The number of websites found that are unknowingly hosting these rogue blogs is relatively low at the moment. However, as described in our original post a few weeks ago, it would be naive to believe that those presented here are the only sites where this tactic is used by cyber criminals. Internet users should remember to exercise extreme caution when ordering medications online. The US Food and Drug Administration lists steps consumers should take when considering purchasing drugs online. Additionally, never order medications online from Glavmed.

Spike in Phishing Attacks on First Day of Thanksgiving Weekend

Wednesday, December 2nd, 2009

Cyveillance saw a significant spike in phishing threats on Thanksgiving Day, representing more than a 100 percent jump in attacks compared to the average number of phishing attacks seen in the previous weeks. This one-day spike in the number of phishing attacks is a tactic used by criminals around long holiday weekends, targeting a variety of organizations ranging from major corporations to smaller businesses and credit unions.

The trend of phishers launching an increased number of attacks around Thanksgiving Day or the holiday weekend is in line with the trends of previous years. During the holiday season, users should practice extra caution when shopping and conducting business online. The potential for falling victim to phishing attacks can be minimized by never clicking on links within emails and only accessing online applications through known Web sites and pages.

A Dangerous Blend of Phishing Methods Continues to Plague Organizations

Monday, November 23rd, 2009

This past October, Cyveillance reported that cyber criminals were exploiting outward-facing Microsoft Exchange mail servers to customize and personalize emails that spoofed internal email addresses. Once the addresses were spoofed, the bogus messages were sent to the organizations’ personnel. The messages asked the recipients to click on a link in order to change their security settings. Once clicked, the users were routed to a fake Web site, and if a user clicked on the link to the executable file on that site, malware was downloaded to his or her computer. More info at: http://www.cyveillanceblog.com/general-cyberintel/a-dangerous-blend-of-phishing-methods

Unfortunately, cyber criminals appear to be having success with this attack method, since similar attacks continue today. Over the weekend, both Cyveillance and its customers received multiple emails similar to the one below:

[Image: phishing email]

As in the attack illustrated in our October posting, the email asks the user to click on a link to a false Web page. The Web page instructs the user to download a file that contains malware. The malware in the attack above was downloaded and analyzed by the Cyveillance Security Lab. Once installed, the malware made several communication attempts to URLs at 193.104.27.42/livs/rec.php and 193.104.27.42/lcc/ip2.gif. The first URL received encrypted data from the infected host, making it difficult for security researchers to analyze, while the second URL served a Zeus binary used to capture banking credentials.

The lab also observed additional attempted TCP connections to 66.199.251.242 on hundreds of different destination ports. It appears that the infected host was scanning that IP address for other services that might be running. The scan was of low intensity to avoid IDS detection. In summary, it appears that the server located at 193.104.27.42 is the command and control server, which instructed this infected host to port scan 66.199.251.242 for known services and report back with the collected data; a dangerous but effective combination of attack methods.
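The low-intensity scan described above is exactly what a per-minute rate threshold misses. As an added example (not from the post), the detector below slides a long window over connection records and alerts on the number of distinct destination ports per source/destination pair; the log format, sample data and documentation-range addresses are constructed for this example.

```python
"""Added example, not from the post: find low-and-slow port scans in
connection logs like the one described above (hundreds of distinct ports on a
single destination, spread thinly over time). Log format and sample data are
constructed; the addresses are documentation ranges, not the post's IPs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line: str):
    """Constructed format: '<ISO timestamp> <src ip> <dst ip> <dst port> <proto>'."""
    ts, src, dst, dport, _proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_slow_scans(lines, window=timedelta(hours=1), min_ports=50):
    """Per (src, dst) pair, slide a long window over the connection attempts and
    report the peak number of DISTINCT destination ports seen inside it. A
    rate threshold (connections per minute) misses a slow scan; a distinct-port
    count over a long window does not."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        events[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # dst port -> occurrences inside the window
        lo, peak = 0, 0
        per_minute = Counter(ts.replace(second=0, microsecond=0) for ts, _ in evs)
        for ts, port in evs:
            in_window[port] += 1
            while ts - evs[lo][0] > window:  # expire events older than the window
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": peak,
                           "peak_per_minute": max(per_minute.values())})
    return alerts


def make_sample_log():
    """Constructed sample: one workstation probes 120 different ports on one
    external host at two SYNs per minute while also talking normally to a web
    server. The scan never exceeds 2 connections per minute."""
    base = datetime(2009, 11, 21, 14, 0, 0)
    lines = []
    for i in range(120):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.25 198.51.100.7 {1000 + 7 * i} TCP")
    for i in range(120):
        ts = base + timedelta(seconds=30 * i + 5)
        lines.append(f"{ts.isoformat()} 10.0.0.25 192.0.2.10 443 TCP")
    return lines


if __name__ == "__main__":
    for alert in find_slow_scans(make_sample_log()):
        print(alert)
```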

IT departments should continue to monitor for suspicious activity related to the attack described above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Google Search Results Significantly Poisoned

Monday, November 16th, 2009

Hundreds of Thousands of Links Leading to Malware Found in Google Results

Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.

The screenshots below display examples of blogs with posts that are simply images and contain no text or stories:

[Image: rogue blog screenshots]

The common string albums/bsblog/category is found in the URLs of all these blogs. By using the Google search operator allinurl with that string alone, you can see how many other sites contain the same string.

[Image: allinurl albums/bsblog/category search results]
More than 260,000 poisoned Google results. If you carry out the same Google search, DO NOT click on the results.

As can be seen in the image above, more than 260,000 URLs are presented in Google’s search index leading to blogs similar to the ones illustrated in our example. Beware: if you were to visit one of the above blogs after clicking on the URLs in Google search results, then you would be taken to two different websites. The second site would attempt to install fake anti-virus software on your computer. (For safety purposes, we are not directly linking to infected search results, but if you enter the query shown in the image, you can recreate the above results.)

If readers instead copy and paste the destination URL into their browser, they are taken to the boring but otherwise harmless blog posting like those pictured earlier in this discussion. The attack only happens when the compromised blog site determines that the visitor arrived by way of Google by checking the HTTP referrer.
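The referrer check described above can be tested for from the outside: request the same URL with and without a Google search Referer, do not follow redirects, and compare the two answers. This added example (not Cyveillance's code) does that; fetch() is a hypothetical network helper, the Referer value and the responses used below are constructed, and the extra "unconditional" category also covers the pharmacy variant described in the December 3 post, where the redirect fires regardless of how the visitor arrived.

```python
"""Added example, not Cyveillance's code: a check for the referer-based
cloaking described above. The page is requested twice, once with no
Referer and once with a Google search Referer, redirects are NOT followed,
and the two responses are compared. fetch() is a hypothetical helper;
classify() is exercised on constructed responses."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
import urllib.error
import urllib.request

# Constructed Referer value; any Google search results URL would do.
GOOGLE_REFERER = "https://www.google.com/search?q=las+vegas+rental+no+credit+check"


@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header of a 3xx, else None
    body_bytes: int


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the first hop's Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, referer: Optional[str] = None, timeout: float = 10.0) -> Response:
    """One request to url without following redirects (hypothetical helper; uses the network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, resp.headers.get("Location"), len(resp.read()))
    except urllib.error.HTTPError as err:  # urllib raises on an unfollowed 3xx
        return Response(err.code, err.headers.get("Location"), 0)


def _redirect_host(resp: Response) -> Optional[str]:
    """Host the response redirects to, or None if it is not a redirect."""
    if 300 <= resp.status < 400 and resp.location:
        return urlparse(resp.location).hostname or ""
    return None


def classify(url: str, plain: Response, via_google: Response) -> str:
    """Compare the no-Referer and Google-Referer responses for one URL.

    'cloaked-offsite-redirect'       off-site redirect only with the Google
                                     Referer (the pattern described in the post)
    'referer-dependent'              behaviour differs in some other way
    'unconditional-offsite-redirect' off-site redirect either way
    'consistent'                     same on-site behaviour either way
    """
    page_host = urlparse(url).hostname or ""
    plain_to = _redirect_host(plain)
    google_to = _redirect_host(via_google)
    if google_to is not None and plain_to is None and google_to != page_host:
        return "cloaked-offsite-redirect"
    if plain.status != via_google.status or plain_to != google_to:
        return "referer-dependent"
    if plain_to is not None and plain_to != page_host:
        return "unconditional-offsite-redirect"
    return "consistent"


def check_url(url: str) -> str:
    """Live check of one search-result URL (network; not exercised by the tests)."""
    return classify(url, fetch(url), fetch(url, GOOGLE_REFERER))
```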

An earlier search similar to the one above produced 104,000 infected URLs:

[Image: allinurl bmsblog/category search results]
Another 104,000 results that will lead to malware. Again, if you carry out the same Google search, DO NOT click on the results.

As you can see, only a small portion of the sites in the search results carry a warning provided by Google. The reason for the small number of warnings is likely that the actual attacks do not take place on the website URLs in the search results, but on the sites you are redirected to, thereby decreasing the chances that Google will designate the destination sites as harmful.

Digging Deeper

On all the infected sites found there is rogue blog publishing software installed, sometimes inside the popular online photo gallery software Coppermine. (The most recent version of Coppermine we observed being used in this attack was 1.4.24, and Coppermine is now on release 1.4.25.) These rogue blogs automatically and regularly publish new posts titled with esoteric terms like “las vegas rental no credit check”, “real world melinda and danny”, or “uninvited song lyrics alanis morrissette morissette”. These posts are intentionally not titled with very popular simple terms like “Britney Spears”, “Obama” or “Paris Hilton”, to avoid competing in search rankings with the millions of pages that already exist for those topics. Instead, the authors of this exploit take advantage of the long tail of search, where rare combinations of search terms in aggregate make up a very large portion of the queries made in search engines. In fact, a surprising number of internet searches contain four or five words, and the authors of this attack appear to have chosen their post titles with this in mind to be exposed to as many potential victims as possible.

No words are to be found in these blog posts. The content of each post consists solely of images found among the images.google.com results for the same terms as the post’s title. Each image is then presented inside the new blog post with alt and title attributes that also match the post’s title, in an attempt to maximize the page’s relevancy in Google’s eyes for any query matching those terms. For example, if one of these blog postings was titled “common and kanye west”, the posting would simply contain four or five of the images shown in the results of a Google image search for “common and kanye west”, and each of these images would in turn be given alt and title attributes that read “common and kanye west”.

[Images: images-on-images, images-on-site]

The repetition of the same terms in the post title and image tags is a clumsy but straightforward mechanism of suggesting to Google that the page contains highly relevant information about those topics, hoping that Google will then present these pages to searchers. When the searchers click on these links in Google search results, the blog will redirect that visitor to the fake anti-virus installation site.
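The signature just described (no prose, several images, every alt and title equal to the post title) is something a webmaster can check for when reviewing site content. The following is an added example, not Cyveillance's code: an html.parser-based scorer with assumed thresholds, exercised on two constructed pages.

```python
"""Added example, not Cyveillance's code: a content check for the rogue-blog
signature described above (image-only posts whose <img> alt/title text
repeats the post title). Thresholds are assumptions; both pages are constructed."""
from html.parser import HTMLParser


class _PostScanner(HTMLParser):
    """Collect the <title>, every <img alt/title>, and the visible word count."""
    def __init__(self):
        super().__init__()
        self._in_title = False
        self._skip = 0        # nesting depth inside <script>/<style>
        self.title = ""
        self.images = []      # (alt, title) per <img>, lower-cased
        self.text_words = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "img":
            self.images.append(((a.get("alt") or "").strip().lower(),
                                (a.get("title") or "").strip().lower()))
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip:
            self.text_words += len(data.split())


def rogue_post_score(html: str, min_images: int = 3, max_words: int = 20,
                     min_match: float = 0.8) -> dict:
    """Score one page. 'suspicious' is True when the page has at least min_images
    images, at least min_match of them carry alt AND title equal to the page
    title, and the visible text is at most max_words words (assumed thresholds)."""
    p = _PostScanner()
    p.feed(html)
    title = " ".join(p.title.split()).lower()
    n_img = len(p.images)
    matching = sum(1 for alt, t in p.images if title and alt == title and t == title)
    ratio = matching / n_img if n_img else 0.0
    return {
        "title": title,
        "images": n_img,
        "match_ratio": ratio,
        "text_words": p.text_words,
        "suspicious": n_img >= min_images and ratio >= min_match and p.text_words <= max_words,
    }


# Constructed page mimicking the described rogue post: no prose, images tagged with the title.
ROGUE_PAGE = """<html><head><title>common and kanye west</title></head><body>
<h1>common and kanye west</h1>
<img src="/albums/bsblog/1.jpg" alt="common and kanye west" title="common and kanye west">
<img src="/albums/bsblog/2.jpg" alt="common and kanye west" title="common and kanye west">
<img src="/albums/bsblog/3.jpg" alt="common and kanye west" title="common and kanye west">
<img src="/albums/bsblog/4.jpg" alt="common and kanye west" title="common and kanye west">
</body></html>"""

# Constructed legitimate gallery page for comparison.
BENIGN_PAGE = """<html><head><title>Summer trip 2009</title></head><body>
<h1>Summer trip 2009</h1>
<p>A few photos from the coast. We drove up on Friday, camped two nights,
and came back sunburnt but happy. Click any picture for the full size version.</p>
<img src="/albums/trip/beach.jpg" alt="the beach at low tide" title="beach">
<img src="/albums/trip/tent.jpg" alt="our tent" title="tent">
<img src="/albums/trip/road.jpg" alt="the coast road" title="road">
</body></html>"""
```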

The Attack

[Image: infected site]
Image of an attack site in progress.

The fake anti-virus site displays what appears to be the results of a computer scan, warning the user that “31 Malware programms was found!” (sic). The fake notifications display illegitimate Windows anti-virus warnings even when the user visits the site on a Macintosh, as happened in the pictured example. Interestingly, however, it did correctly and dynamically insert this researcher’s computer’s IP address into the image (now blurred out). Clicking on anything in the fake infection findings, including the blue-framed popup, results in a file named Inst_58s6.exe being downloaded to the user’s computer.

Where the Wild Things Are

The path from the infected websites to the fake anti-virus software drop sites is swift and likely not noticed by the user. A user will click on one of the innocent-looking Google search results and is transported to a “middle man” domain like ionisationtools.cn or moored2009.cn. The server at these domains will then redirect the web surfer to a final destination where the fake anti-virus is pushed on the user, as described above.

The middlemen domains like ionisationtools.cn or moored2009.cn are “live” for just a day or two and quickly go offline. Their DNS records briefly point to the free DNS service provider EveryDNS.net.

The actual fake anti-virus drop sites are found on domains such as:

  • premium-protection6.com
  • file-antivirus3.com
  • checkalldata.com
  • foryoumalwarecheck4.com
  • antispy-scan1.com

All these domains observed by Cyveillance were registered with the Chinese registrar TodayNIC.com and, like the middlemen sites above, were registered only one or two days before the inbound Google search traffic arrived, suggesting that the software directing search traffic from the infected websites knows in advance where the drop sites will be.

Only Google?

It appears that Google is the only search engine with knowledge of these infected sites. We learned this by taking several domains that contained the infected Coppermine installs and querying them with Bing’s site: command and Yahoo!’s Site Explorer; neither search engine returned any URLs containing this particular exploit in action, suggesting that Google is the only major search engine being used as the attack vector by these malware distributors.

It is possible that the attackers took advantage of the ability to submit .xml sitemaps in Google to stimulate the search engine to visit and index the rogue blogs’ postings. A suitable .xml file was found on the sites examined to support this technique.

What Can Be Done?

Cyveillance recommends that Google investigate all URLs in its main index which contain albums/bsblog/category or bmsblog/category in the URL and take the appropriate action to minimize the potential danger to users. Additionally, webmasters need to ensure that software is constantly kept up-to-date with the latest revisions and that site content is periodically reviewed for potential malicious activity.

While not necessarily practical, users can minimize their exposure to the attack vector described in this writing by copying and pasting the link from the Google search results directly into their browser rather than directly clicking on the search result link. Additional steps to minimize the harm from the attack vector are ensuring all computer software is up-to-date and practicing safe Web surfing habits.

Heading in to 2010 and beyond, Cyveillance will continue to make the investments in personnel and technology needed to warn the Internet community of new threats, protect our customers, and stay one step ahead of the bad guys.

A Dangerous Blend of Phishing Methods

Thursday, October 15th, 2009

In recent phishing attacks targeting Cyveillance and numerous other organizations, cyber criminals are exploiting outward-facing Microsoft Exchange mail servers to customize and personalize emails that spoof internal email addresses. Once the addresses are spoofed, the bogus messages are sent to the organizations’ personnel. The messages ask the recipients to click on a link in order to update their Microsoft Exchange settings. Once clicked, the user is routed to a fake site that appears to be authentic. If the user clicks on the link to the executable file on the fake site, malware is downloaded to his or her computer. After the malware is downloaded and installed, the user’s computer becomes part of a larger botnet capable of a multitude of malicious acts.

Email screenshot:

[Image: spear phishing email]

This attack type was originally reported by SANS earlier this week. The SANS report can be found at https://isc.sans.org/diary.html?storyid=7333. Since the time of the report, the attack has become even more dangerous through the addition of fast flux technology. Fast flux is a technique in which the attack infrastructure is rapidly moved among a group of servers in order to evade detection and takedown.

The malware used in the attack is a Trojan-Spy virus. More information about sample… It is detected by only 4 of the top 41 anti-virus vendors according to VirusTotal (http://www.virustotal.com/analisis/95583b5228d16750aa81a8c8ba6d29455b89297560fbb65b53638bc6b3b9c188-1255547944).

It appears on the surface that the goal of the attacks is to increase the computing power of botnets by increasing the number of bots that belong to the network. Given the numerous organizations targeted and the methods used, this approach clearly demonstrates the sophistication of modern phishers and their ability to amplify the potential danger of attacks targeted at specific victims. By being more creative in their approach, this mixing of phishing methods increases the likelihood that the phisher’s emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Cyveillance’s Anti-Phishing™ Receives Highest Mark in Performance in Recent Product Review

Thursday, September 17th, 2009

The total cost of a phishing attack is driven by the lifespan of the attack. Every hour that a phishing attack is live can cost organizations huge amounts of money. Put simply, in detecting and responding to phishing attacks, speed of performance is the single most important factor in minimizing the cost of each phishing attack.

Based on a recent review of Cyveillance Anti-Phishing™ performed by SC Magazine, Cyveillance’s anti-phishing solution excels in the performance category, receiving the highest mark in the magazine’s rating system.

http://www.scmagazineus.com/Cyveillance-Anti-Phishing/Review/2949/

To ensure customers consistently receive the industry’s most complete and comprehensive solution, Cyveillance provides a suite of service level agreements (SLAs) that guarantee the performance of the solution including the accuracy of the information provided, the availability of the service and the performance of the response and takedown services.

The problem of phishing will continue to grow in volume and evolve in technical complexity. Through Cyveillance Anti-Phishing™, Cyveillance will continue to make the investments needed to provide our customers with a solution that will address this growth and evolution in a way that greatly reduces the day-to-day management of the problem and significantly cuts the costs incurred by the attacks, allowing customers to remain focused on their core business.

Microsoft Internet Explorer 8 Misses Over Two Thirds of Newly Discovered Phishing Attacks

Thursday, September 10th, 2009

Last month Cyveillance released the Cyveillance Intelligence Report for the 1st half of 2009. As a regular part of the report and to better understand the daily risks consumers face from phishing attacks, Cyveillance tests unique and confirmed phishing attacks against some of the leading consumer anti-phishing protections. For the testing Cyveillance feeds confirmed live attacks through four of the most widely used Web browsers with embedded anti-phishing technology and reports the detection rates for each browser.

At the time of the testing, Microsoft’s Internet Explorer 7 (IE7) was configured in the Cyveillance testing environment. As stated in the report, IE7 detected 24.9% of all phishing attacks fed through its anti-phishing protection capabilities. Since the time of the IE7 testing Cyveillance has updated the testing environment to Microsoft Internet Explorer 8 (IE8). Using IE8, the detection rate of new phishing attacks increased to 31.5%. This increase in the detection rate of attacks represents an improvement of over 6 percentage points, but still fails to protect consumers from over two thirds of newly discovered phishing attacks. These results also represent a significantly smaller detection rate than the 83% detection rate reported for the same application by NSS Labs in July of this year (http://nsslabs.com/browser-security-phishing-3Q2009).

[Image: Intelligence Report cover]

The Cyveillance Intelligence Report can be downloaded at http://www.cyveillance.com/web/forms/request.asp?getFile=115

Cyveillance Testing Finds Leading AV Vendors Not Keeping Pace with Influx of Malware and Phishing Attacks

Tuesday, August 18th, 2009

Antivirus and Anti-Phishing Tools Provide Inadequate Detection of Cyber Attacks During Critical First 24-Hour Period

In addition to the AV, Web browser anti-phishing and consumer protection application testing, other key findings in the report include:

  • Cyveillance tracked an online “fraud chain” which included malware components that store and serve malware executables, distribute malware to consumers and receive and store confidential information collected from infected computers.
    • The United States and China continue to host the majority of malware executables, representing 33 percent and 21 percent of attacks respectively and together accounting for over half of the malware found during the first half of this year.
  • During the first half of 2009, there was an average of over 23,000 unique phishing attacks per month, which makes phishing still one of the top threats on the Internet.
  • Popular consumer applications used for detecting phishing attacks do not provide adequate protection. Initially, Symantec’s Norton SafeWeb only blocked/warned against 4.4 percent of phishing attacks and increased to only 5 percent after the first 24-hour period.
  • During the first half of 2009, 200 unique brands were first-time targets of phishing attacks, which represents a 26 percent increase over new brands phished in the second half of 2008.

View the report: http://www.cyveillance.com/web/forms/request.asp?getFile=115