<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyveillance Blog - The Cyber Intelligence Blog &#187; Malware</title>
	<atom:link href="http://www.cyveillanceblog.com/category/malware/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cyveillanceblog.com</link>
	<description>News and Information about Cyber Intelligence</description>
	<lastBuildDate>Thu, 05 Jan 2012 13:18:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Landmark Legal Case: If Your Members Have Been Phished, Your Credit Union May Have To Pay</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay#comments</comments>
		<pubDate>Wed, 24 Aug 2011 17:51:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1204</guid>
		<description><![CDATA[Excellent overview of recent landmark phishing case along with joint NAFCU-Cyveillance podcast: http://blog.nafcuservices.com/2011/08/23/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/]]></description>
			<content:encoded><![CDATA[<p>Excellent overview of recent landmark phishing case along with joint NAFCU-Cyveillance podcast: <a href="http://blog.nafcuservices.com/2011/08/23/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/">http://blog.nafcuservices.com/2011/08/23/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/landmark-legal-case-if-your-members-have-been-phished-your-credit-union-may-have-to-pay/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Token Vulnerability and One of America’s Most Secret Agencies Invoked in Latest Spear Phishing Attack</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/rsa-token-vulnerability-and-one-of-america%e2%80%99s-most-secret-agencies-invoked-in-latest-spear-phishing-attack</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/rsa-token-vulnerability-and-one-of-america%e2%80%99s-most-secret-agencies-invoked-in-latest-spear-phishing-attack#comments</comments>
		<pubDate>Fri, 22 Jul 2011 20:51:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1194</guid>
		<description><![CDATA[A targeted scam or “Spear Phishing” attack making the rounds today invokes the National Security Agency and takes advantage of recent news about a hack of RSA’s two-factor security tokens. Cyveillance has now captured examples and reports of several variants of this email, most sent under the subject lines “Token Code Update” or “Security Token [...]]]></description>
			<content:encoded><![CDATA[<p>A targeted scam or “Spear Phishing” attack making the rounds today invokes the National Security Agency and takes advantage of recent news about a hack of RSA’s two-factor security tokens. Cyveillance has now captured examples and reports of several variants of this email, most sent under the subject lines “Token Code Update” or “Security Token Update”. <span id="more-1194"></span>The message outlines a “critical vulnerability” in security tokens, and attempts to get users to click a link to what most likely was an executable download to infect their machine or network.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2011/07/NSA-Scam-Email.png"><img class="aligncenter size-medium wp-image-1195" title="NSA Scam Email" src="http://www.cyveillanceblog.com/wp-content/uploads/2011/07/NSA-Scam-Email-300x141.png" alt="" width="300" height="141" /></a></p>
<p>The sender name is spoofed to appear to come from “<a href="mailto:protection@nsa.security.gov">protection@nsa.security.gov</a>” and the links go to national-security-agency.com, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users. It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack. This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.</p>
<p>Here are some of the tips that can help you spot scams like this one:</p>
<ol>
<li>Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.</li>
<li>Treat ANY email that tells you to download something as malicious until proven otherwise. Again, contact your IT team before installing anything on your system.</li>
<li>Hover (but do NOT click) your mouse over all links in the email. The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious. Is the pop-up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.</li>
<li>Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/rsa-token-vulnerability-and-one-of-america%e2%80%99s-most-secret-agencies-invoked-in-latest-spear-phishing-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Five-Point Plan for Social Network Usage</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/a-five-point-plan-for-social-network-usage</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/a-five-point-plan-for-social-network-usage#comments</comments>
		<pubDate>Tue, 14 Jun 2011 14:10:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Appliance]]></category>
		<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1189</guid>
		<description><![CDATA[If there’s any message you should take away about utilizing social media in a secure manner, it can be summarized in one word: education. Education is needed to convey to your network users that the stakes here are high. Even if the intruder isn’t seeking a dime from your company, the potential cost with respect [...]]]></description>
			<content:encoded><![CDATA[<p>If there’s any message you should take away about utilizing social media in a secure manner, it can be summarized in one word: education.<span id="more-1189"></span></p>
<p>Education is needed to convey to your network users that the stakes here are high. Even if the intruder isn’t seeking a dime from your company, the potential cost with respect to response, data loss and reputation can be crippling. As indicated, the vast majority of these incidents are the result of your users’ social-media behavior. In fact, the exploitation of social media for malware attacks is growing at the same or an even greater pace than the overall use of these sites. Online tools – like the popular URL-shortening ones for Tweets – are very handy in masking malware threats, and a lack of security savvy on the part of users establishes social networks as a virtual playground for cyber criminals.</p>
<p>In seeking to avoid fallout from this that would impact your business, we at Cyveillance strongly advocate the following five-point plan for our customers, a plan that has helped us earn recognition by industry-research leader Gartner Inc. as a top provider of the surveillance/collection/analysis of social-media activity for commercial-organization networks:</p>
<p>1. Launch a social-media policy. We realize that many of our customers already have a policy in place. We examine it, however, to get a sense of whether it’s up to date. Social media changes all the time. Legal documents do not. We look to see whether the policy addresses “real” modern-day concerns about social media, or if it’s really just a copy/paste of some antiquated HR form. Here are some questions to consider within the policy: Is it OK for employees to say that they are representing the company on Facebook, Twitter, etc.? If so, what are the guidelines as to appropriate content to post?</p>
<p>2. Train everyone. As stated before on this blog, your weakest link can be your most uninformed employee. Printing and distributing a policy is fine. But reinforcing it with training is even better. Don’t lecture them. Instead, engage in interactive workshops or computer-based training sessions to test their awareness of the latest social engineering attack techniques. Too many organizations put all of their focus on firewalls and passwords. These days, hackers don’t necessarily need to know how to get around these measures to do damage. They just need to get a single user within the network to trust them via a cleverly disguised email.</p>
<p>3. Establish the significance. Meaning, make sure your users realize how important it is to remain informed and alert. If your logo is used to support some kind of malware scheme, for example, your future relationships with customers and partners will suffer. As conveyed previously, there’s tangible, bottom-line value in a company’s reputation. Within minutes, a successful intrusion can crush the good reputation that an organization has been building for years.</p>
<p>4. Don’t try to do it all on your own. Social media is a very, very large universe. In fact, nearly 56 percent of Internet users in the U.S. use some type of social media, according to the Pew Research Center. That translates to a lot of traffic to monitor. Consider tools such as social media monitoring solutions and protection appliances to address this need for you.</p>
<p>5. Keep it current. No matter what tools you use – as well as intrusion techniques you share with users – make sure everything is up-to-date. The entire landscape of social media and the methods used to exploit it are in a constant state of rapid transformation. What worked this month won’t necessarily work the next. Your security team needs to stay on top by constantly educating and re-educating itself and company staffers on the latest trends.</p>
<p>The bottom line is that, in the “share more, not less” world of today, criminals can easily obtain the information needed to craft emails that can fool even the most savvy of users. With no “silver bullet” solution to thwart all intrusion attempts, the best practice is to educate users to make sound decisions, and to equip yourself with the best monitoring tools to detect attacks in progress.</p>
<p>James Brooks, Director of Product Management, Cyveillance</p>
<p>Question to consider: What essentials do you feel are needed in a social-media policy?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/a-five-point-plan-for-social-network-usage/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Let the Social Media &#8220;Generation Gap&#8221; Expose Your Network</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/don%e2%80%99t-let-the-social-media-%e2%80%9cgeneration-gap%e2%80%9d-expose-your-network</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/don%e2%80%99t-let-the-social-media-%e2%80%9cgeneration-gap%e2%80%9d-expose-your-network#comments</comments>
		<pubDate>Thu, 09 Jun 2011 18:36:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1185</guid>
		<description><![CDATA[Here’s a true story I like to tell to explain how wide the social media “generation gap” is. And, no, I’m not making this up: Two Australian girls, ages 10 and 12, got stuck in a storm drain. To get help, they whipped out their smartphones and posted Facebook status updates to say they were [...]]]></description>
			<content:encoded><![CDATA[<p>Here’s a <a href="http://www.techradar.com/news/internet/trapped-kids-update-facebook-rather-than-ring-police-632661">true story</a> I like to tell to explain how wide the social media “generation gap” is. And, no, I’m not making this up:</p>
<p>Two Australian girls, ages 10 and 12, got stuck in a storm drain. To get help, they whipped out their smartphones and posted Facebook status updates to say they were lost in a local drain, and someone needed to call 000 (Australian 911).<span id="more-1185"></span></p>
<p>Now, if you read that summary and concluded, “OK. So what? That’s what I’d do in the same situation,” consider yourself as part of a generation in which social media remains fully immersed within practically every facet of your life.</p>
<p>If you’re like me and say, “Wait…What?! They had phones in their hands and they posted Facebook updates asking someone to call the rescue brigade?!,” then you’re clearly a degree or two removed from this typically younger demographic.</p>
<p>Ironically, however, it’s members of the older generation – the ones who would call 911 instead of asking Facebook friends to do it for them – who are often the biggest targets for socially-engineered attacks. That’s because higher-level executives with more access to valuable data tend to fall into this category. This, in turn, makes them more vulnerable. They may be connected to social media (<a href="http://www.nowpublic.com/world/fake-facebook-profile-scotiabank-ceo-sparks-investigation">or not, see here for an interesting case of what can happen then</a>), but they’re often not as sophisticated in using it as younger employees are.</p>
<p>Think about it: For many in their 20s, social media is like running water or electricity. There is simply no conception of technology as distinct from daily existence, nor a comprehension of living, working, playing or socializing without it. For older users, technology is a topic, a tool, a discipline. They didn’t grow up with all of “this stuff.” Some are happy to use it, but don’t see it as integral to every aspect of their personal or professional lives.</p>
<p>This generational gap – where the least social-media savvy employees are most likely to be the prey in a highly targeted attack – presents a significant risk to corporate and government organizations. One need only read the details of the penetrations of <a href="http://www.computerweekly.com/Articles/2010/01/26/240062/Social-engineering-was-key-to-Google-hack.htm">Google</a>, <a href="http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/">Conoco</a> or <a href="http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/">RSA</a> to see how public information and social media have become the tools of choice for achieving significant penetration and data exfiltration.</p>
<p>To make these well known cases more “real”, let me actually step through this hypothetical but otherwise very realistic scenario: Let’s say I’m a data thief and I know that executive Joe Smith works for a high-profile IT contractor that serves key DoD agencies. (The company here could just as well be a law firm, an accounting company or a widget maker.) I also know from an easy online search that he’s a big booster for his old college’s football team. So guess how easy it would be for me to come up with a completely believable email to send to Joe about the team, in anticipation that he’ll click my infected Web link to get more information?</p>
<p>The answer: incredibly easy, and that one click is often all I need to compromise the network of the company that employs Joe. (If you’re not sure why that’s true, see our <a href="http://www.cyveillance.com/web/docs/WP_MalwareDetectionRates.pdf">White Paper</a> here on A/V Detection Lag Times).</p>
<p>To mitigate these risks, organizations must come up with standard operating procedures that allow senior executives to anticipate, identify and avoid socially-engineered attacks. And all users in the enterprise should take a long, careful look at the extent of information they publish on sites such as Facebook, Twitter and LinkedIn. They need to “think like a data thief,” examining what’s posted “out there” relating to their job duties, associated customers/vendors/partners, building location, e-mail, phone and other details to get a sense of how vulnerable they could be and what information about themselves a hand-crafted attack would likely contain or leverage.</p>
<p>Consider educating your workforce – especially the senior members – about these scenarios as a “Safe Social Media Usage 101” ongoing seminar of sorts. It’s one that would provide great, lasting value, regardless of where your users fall within the generational divide.</p>
<p>Eric Olson, Vice President/ Solutions Assurance, Cyveillance</p>
<p>Question to consider: How up-to-date are your users – especially senior executives – on socially-engineered attack methods?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/don%e2%80%99t-let-the-social-media-%e2%80%9cgeneration-gap%e2%80%9d-expose-your-network/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>For Modern-Day Hackers, Data Delivers the Big Payday</title>
		<link>http://www.cyveillanceblog.com/phishing/for-modern-day-hackers-data-delivers-the-big-payday</link>
		<comments>http://www.cyveillanceblog.com/phishing/for-modern-day-hackers-data-delivers-the-big-payday#comments</comments>
		<pubDate>Wed, 01 Jun 2011 20:16:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Appliance]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1170</guid>
		<description><![CDATA[In a previous blog, our CTO, Manoj Srivastava, discussed how the methodology of modern cyber crooks has evolved, how adept they are today at exploiting the human instinct to trust. And here’s another troubling wrinkle: These criminals aren’t gaining access to networks to exclusively steal money anymore. No, these days, your network’s data commands the [...]]]></description>
			<content:encoded><![CDATA[<p>In a previous blog, our CTO, Manoj Srivastava, discussed how the methodology of modern cyber crooks has evolved, how adept they are today at exploiting the human instinct to trust.<span id="more-1170"></span></p>
<p>And here’s another troubling wrinkle: These criminals aren’t gaining access to networks to exclusively steal money anymore. No, these days, your network’s data commands the big dollar signs.</p>
<p>To protect themselves, those overseeing enterprises must dispense with badly outdated stereotypes about would-be intruders. Especially the one in which the hacker is some pimply-faced kid pecking away solo in his parents’ basement. This kid has grown up, now a member of a thriving, sophisticated organized crime ring – possibly with deep connections to international syndicates or rogue nations in Eastern Europe, the Middle East or Asia.</p>
<p>The mob once dealt in liquor, gambling and other vices. Now, it’s all about the black market for information. The organized cyber-crime syndicate could be on retainer to obtain secrets from the Pentagon or U.S. Department of State. Or the data of interest could be the molecular blueprint of a pharmaceutical company’s developing wonder drug – a valuable “purchase” for a competitor. Or a food retailer may be willing to pay a small fortune for details on the expansion plans of a rival. It could be one of these or any number of countless scenarios in which information commands an asking price.</p>
<p>Once the terms of an agreement are reached between the buyer and the criminal ring, the strategies of intrusion are deployed. As <a href="http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust">described in detail by Manoj</a>, the most popular technique involves getting inside network users to unwittingly open an emailed link that’s really malware.</p>
<p>You may think that your network users are above that sort of ruse, but people use multiple ways to connect to your network (e.g. working from home, non-corporate or personal mobile devices), which only broadens the attacker’s vectors of access and points of trust. Keep in mind that the phishing scammer here simply needs one ill-advised click. That’s it. Even relatively savvy users can lapse into a weak moment, perhaps during an especially frazzling day when they’ve been multitasking for hours and are attempting to swiftly go through their in-box before heading home. That’s the kind of moment the hacker is waiting for, because mental fatigue + urgency = a ripe opportunity for that much-sought click.</p>
<p>Keep in mind that once in the network, it’s time to mine for the information. If the intruder keeps a low profile – not taking part in any activity that would raise suspicions among those monitoring the network – he can settle in for the long haul and keep gaining access to data. And consider the wealth of information within that can be exploited for ill gain: intellectual property, sensitive financial reports, R&amp;D innovations, hiring plans, salary structures and other confidential personnel information.</p>
<p>Because so many users are combining “work” with personal tech, hackers can further expand their market reach. Information about corporate executives, for example, is highly valued because they usually have a “clean” background record and such a record is valuable for black-market operatives. These operatives will use the records to create bogus passports, visas and driver’s licenses to allow dubious characters from foreign countries to arrive here while avoiding a watch list.</p>
<p>All it takes is one bad click to unleash all of this access. If you’re not taking pro-active steps to thwart these data thieves, are you prepared to deal with the consequences?</p>
<p>Terry Gudaitis, Ph.D., Cyber Intelligence Director, Cyveillance</p>
<p><strong>Question to consider: What are you doing to pro-actively monitor and prevent unauthorized access to information on your network? </strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/for-modern-day-hackers-data-delivers-the-big-payday/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>System Compromised? It’s Likely Due to a Matter of (Misplaced) Trust</title>
		<link>http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust</link>
		<comments>http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust#comments</comments>
		<pubDate>Thu, 26 May 2011 12:13:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Appliance]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1162</guid>
		<description><![CDATA[As the CTO of a leading cyber-intelligence company, I’m often asked about the biggest game-changer in IT security today: What’s the latest technique that hackers are deploying to compromise networks with advanced persistent threats (APTs)? I tell them that it’s not really about some highly advanced but ill-intended technological strategy. It actually boils down to [...]]]></description>
			<content:encoded><![CDATA[<p>As the CTO of a leading cyber-intelligence company, I’m often asked about the biggest game-changer in IT security today: What’s the latest technique that hackers are deploying to compromise networks with advanced persistent threats (APTs)?<span id="more-1162"></span></p>
<p>I tell them that it’s not really about some highly advanced but ill-intended technological strategy. It actually boils down to a simple concept: building and exploiting trust.</p>
<p>That’s right. Yesterday’s hackers spent all of their time looking for holes in the network to exploit, to penetrate and trigger a malware attack. They cultivated legendary status as whiz kids of the tech underground who routinely outsmarted corporate IT security pros at their own game.</p>
<p>Today, these would-be intruders still command a high level of technological aptitude (not to mention unsavory attitude). But they are cultivating another highly useful skillset: the ability to manipulate human behavior.</p>
<p>That’s because social media has changed everything.</p>
<p>Individuals and organizations are now embracing the use of Facebook, LinkedIn, Twitter and other outlets. As well they should. These sites are remarkably effective when it comes to peer networking and connecting with customers to get product feedback, test marketing strategies and build brand loyalty. However, not surprisingly, cyber crooks are flocking to social-media sites to plot their next attack. Why wouldn’t they? That’s where they can pinpoint executives and employees who hold key positions within the organizations that they seek to compromise. Because the very concept of social media encourages these professionals to display their business associations publicly, their corporate background is highly valued data that’s easy for the bad guys to find.</p>
<p>Once they zero in on which employees to target, they then work on the “trust” factor.</p>
<p>For certain, taking advantage of the human capacity for trust is nothing new. The term for the computer virus, Trojan, refers to the legendary deception of the city of Troy on the part of the Greeks, with that “gift” of a large, wooden horse. During Pontiac’s Rebellion, European soldiers were said to have given Indian natives blankets outside Fort Pitt, blankets that were intentionally infected with smallpox. And Bernie Madoff is far from the first Ponzi artist to destroy personal fortunes by promoting a financial house of cards built upon the concept of trust.</p>
<p>Today’s cyber attacker – at least from a psychological standpoint – operates in very similar fashion. He’s a phisher who finds individuals who can lead him to where he wants to go within the network and emails them with some kind of message that, on the surface, brings something of value to the intended victim and raises sufficient curiosity to take some action. If that intended victim is a high-level finance executive, for example, the email could contain a URL to click on to find out about a new accounting regulation that’s in the works. A sales staffer could get an online invitation to download online coupons for discounts at a local golf club.</p>
<p>Only the URLs are simply disguised links to malware. Since anti-virus technology is typically based upon blocking known signatures, it’s useless against this kind of tactic. That’s because the chances that the hacker’s signature hasn’t been seen before are greater than 99 percent. And if you haven’t seen it before, your anti-virus technology won’t block it. Web proxies are generally ineffective as well. They’re intended to serve as gatekeepers to distinguish “good” URLs from “bad” ones. But they’re too often outdated, and it doesn’t take much effort for a phisher to come up with newer “bad” URLs that won’t get tripped up by the proxy solution.</p>
<p>Once inside the network, these hackers execute their intrusion in a manner unique to the modern era. In the recent past, such intrusions were all about disruption. Today, they’re about stealth. The hacker doesn’t want to announce his presence. He’ll lie low for days, weeks and even months at a time, quietly looking for backdoor channels to gain credentials, so he can access more and further secure entry points within.</p>
<p>To fight this, education/training of enterprise users is necessary if not sufficient. They need to know how to spot suspicious messages, and to resist the natural inclination to click on a link that looks benign but really is a hidden front for malware. In addition to training, IT security staff must remain on top of phishing trends and pro-actively monitor their traffic for high-risk behaviors. And above all, next-generation security systems must examine the content and context of the email along with the methods and behavior of embedded Web page links to judge the trustworthiness of the emails.</p>
<p>Ultimately, organizations need to realize that their weakest link is a curious employee who also happens to be a trusting one.</p>
<p>Manoj Srivastava, Chief Technical Officer, Cyveillance</p>
<p>Question to consider: How much training/education does your organization conduct with internal users on detecting and avoiding intrusion attempts?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/headline-system-compromised-it%e2%80%99s-likely-due-to-a-matter-of-misplaced-trust/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Let Google and Bing Notify You If Your Site is Hacked</title>
		<link>http://www.cyveillanceblog.com/malware/google-bing-webmaster-tools</link>
		<comments>http://www.cyveillanceblog.com/malware/google-bing-webmaster-tools#comments</comments>
		<pubDate>Fri, 29 Apr 2011 16:02:43 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1133</guid>
		<description><![CDATA[In recent years, cyber criminals have made a point of hijacking popular websites. Their goal is usually to spread malware to end users&#8217; computers or to trick search engines into driving web traffic to their own websites. Neither outcome is good for corporate webmasters, as the malware they unwittingly spread is designed to do very [...]]]></description>
			<content:encoded><![CDATA[<p>In recent years, cyber criminals have made a point of hijacking popular websites. Their goal is usually to spread malware to end users&#8217; computers or to trick search engines into driving web traffic to their own websites. Neither outcome is good for corporate webmasters, as the malware they unwittingly spread is designed to do very unpleasant things to site visitors&#8217; computers, and the sites that they promote by hacking your corporate site are very seedy destinations.</p>
<p>It&#8217;s not just small sites that are victims of such attacks. The European Space Agency was <a href="http://www.theregister.co.uk/2011/04/18/esa_hack_follow_up/">recently targeted</a>, large e-commerce sites are regularly defending themselves from electronic break-ins, and universities are especially juicy targets for black hat search engine optimization experts.</p>
<p>If the unthinkable occurs and your corporate site is hacked, it may not be immediately obvious to visitors that anything is awry. The last thing most profit-motivated web hackers wish to do is to alert anyone of their work.</p>
<p>Fortunately, both Google and Bing offer a way to learn whether your site has been hacked. Any webmaster can sign up for <a href="http://google.com/webmaster">Google Webmaster Tools</a> and <a href="http://www.bing.com/toolbox/webmasters/">Bing Webmaster Tools</a> (both are free) for insight into how these major search engines perceive your site when they visit to index its content. The search engines can often detect infected or hacked pages during those visits, and if they do, the tools show exactly where on your site the problem was found. (Google will even email you!)</p>
<p>In Bing Webmaster Center Tools, the information would be found under the <strong>Crawl Details</strong> section.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/Bing-Webmaster-Malware-Notification-0.png"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/Bing-Webmaster-Malware-Notification-0.png" alt="" title="Bing-Webmaster-Malware-Notification-0" width="478" height="399" class="alignnone size-full wp-image-1141" /></a></p>
<p>In Google Webmaster Tools, information about malware found on your site would be shown under <strong>Diagnostics</strong>. </p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/Google-Webmaster-Malware-Notification-0.png"><img src="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/Google-Webmaster-Malware-Notification-0.png" alt="" title="Google-Webmaster-Malware-Notification-0" width="313" height="274" class="alignnone size-full wp-image-1142" /></a></p>
<p>Of course, preventing your website from being hacked in the first place is the best-case scenario. Staying current with all the applications installed on your website and applying patches as soon as they are available are among the best ways to keep your site from being compromised by cyber criminals. Applications that are designed in-house <a href="http://isc.sans.edu/diary/In-house+developed+applications+The+constant+headache+for+the+information+security+officer/10753">deserve extra scrutiny</a> for potential security holes. Don’t let your corporate website become part of the Internet criminal ecosystem. If you don’t have one already, put a plan in place to regularly scan your web servers for malicious software and make sure all software is always up to date.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/malware/google-bing-webmaster-tools/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacked WordPress Sites: An Open Letter to WordPress Developers</title>
		<link>http://www.cyveillanceblog.com/phishing/wordpress-website-hacking</link>
		<comments>http://www.cyveillanceblog.com/phishing/wordpress-website-hacking#comments</comments>
		<pubDate>Thu, 14 Apr 2011 15:43:02 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1092</guid>
		<description><![CDATA[The content management system WordPress is a fantastic tool. Its ease of use has helped it become the most popular blogging tool out there. Its most recent version has been downloaded more than 5.7 million times as of this writing. The popularity of WordPress has made it a very attractive target for cyber attackers. [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/wordpress-logo-hoz-rgb-300x68.png" alt="" title="wordpress-logo-hoz-rgb" width="300" height="68" class="alignnone size-medium wp-image-1093" /></p>
<p>The content management system WordPress is a fantastic tool. Its ease of use has helped it become the <a href="http://wappalyzer.com/stats/cat/Blogs">most popular</a> blogging tool out there. Its most recent version has been downloaded <a href="http://wordpress.org/download/counter/">more than 5.7 million times</a> as of this writing.</p>
<p>The popularity of WordPress has made it a very attractive target for cyber attackers. Like most software, it eventually has security holes found in it that let hackers inside. Once a site is breached, it can be used for many illegal purposes, such as distributing malware, hosting phishing attacks, and marketing counterfeit pharmaceuticals. Blog owners need to be ever vigilant to ensure that their software, including the blog software itself, is current with all updates that plug security holes.</p>
<p>WordPress developers have been great about patching those holes quickly. Even so, there are still a few steps that should not be tough to implement and would make the web a safer place.</p>
<ul>
<li><strong>Please stop advertising the version number in the source code.</strong> In 2008 Google&#8217;s Matt Cutts <a href="http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/">made the recommendation</a> to WordPress webmasters to delete the part of the software&#8217;s code that advertises which version of the software is being run. This information is used by hackers to determine which attacks might work against a given website. Removing this announcement will make hackers&#8217; work much harder.</li>
<li><strong>Please email the blog&#8217;s owner until they upgrade to the newest version.</strong>
<p><img src="http://www.cyveillanceblog.com/wp-content/uploads/2011/04/wordpress-please-update-now-300x43.png" alt="" title="wordpress-please-update-now" width="300" height="43" class="alignnone size-medium wp-image-1109" /></p>
<p>In recent years, WordPress began notifying site admins in the tool&#8217;s dashboard view with a message saying that a new version of WordPress was available, and offered a link to upgrade immediately. This is very helpful. </p>
<p>But often blogs are abandoned out there and site admins never see this message. Why wait until a webmaster returns? Like a beeping car when your seat belt is unbuckled, WordPress could email the admin on a regular basis to remind them that they have to upgrade, reducing the number of vulnerable websites out there online. WordPress already emails site owners when blog comments are awaiting approval, so this should be pretty easy to implement.</p></li>
</ul>
<p>Note that out-of-date WordPress installs are not the only pieces of software contributing to web server infections. Shopping cart software, forum software, and photo gallery software all tend to be targeted. WordPress installs are likely more common than all of those, so it would make sense to make its security a priority.</p>
<p>Make no mistake, we love WordPress. We use it on this very site. But there are a couple of steps that appear to be low-hanging fruit that Matt Mullenweg and the WordPress development crew could take to make an impact on hacked sites on the web. </p>
<p><font size="1"><i>If you run WordPress and suspect your site&#8217;s been hacked, please see this <a href="http://codex.wordpress.org/FAQ_My_site_was_hacked">official FAQ</a> from the WordPress team!</i></font></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/wordpress-website-hacking/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Overall Phishing Attack Volume Down for 2nd Half of 2010 As Phishers Become More Focused on High Value Targets</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/overall-phishing-attack-volume-down-for-2nd-half-of-2010-as-phishers-become-more-focused-on-high-value-targets</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/overall-phishing-attack-volume-down-for-2nd-half-of-2010-as-phishers-become-more-focused-on-high-value-targets#comments</comments>
		<pubDate>Thu, 17 Feb 2011 21:46:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=1027</guid>
		<description><![CDATA[As reported in the upcoming release of the Cyveillance Intelligence Report, overall phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and emphasis on targeted attacks continues to rise. As a result, despite [...]]]></description>
			<content:encoded><![CDATA[<p>As reported in the upcoming release of the Cyveillance Intelligence Report, overall phishing attack volume declined during the second half of 2010 compared to the first half of the year, averaging over 19,000 confirmed, unique attacks per month. However, the level of sophistication and emphasis on targeted attacks continues to rise. As a result, despite the number of attacks going down, the ability of phishers to be successful has risen significantly as evidenced by the growing number of spear phishing attacks and Advanced Persistent Threats (APTs) reported during the half.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2011/02/phishing-attacks_2h-2010.jpg"><img class="size-medium wp-image-1028 aligncenter" title="phishing attacks_2h 2010" src="http://www.cyveillanceblog.com/wp-content/uploads/2011/02/phishing-attacks_2h-2010-300x173.jpg" alt="" width="300" height="173" /></a></p>
<p>The number of attacks seen monthly is down compared to the first half of the year and could be related to the recent decline in spam, but the overall volume confirms that phishing is still easily one of the top threats on the Internet. Specifically, the use of more sophisticated and targeted attacks results in greater success and more lucrative opportunities for online criminals. A recent <a href="http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html">story</a> regarding socially engineered attacks against High Value Targets (HVTs) in the Canadian government provides a good example of the danger this new breed of attack poses to organizations.</p>
<p><a href="http://www.cbc.ca/politics/story/2011/02/16/pol-weston-hacking.html"><img class="aligncenter size-medium wp-image-1037" title="blog headline_2-17-2011" src="http://www.cyveillanceblog.com/wp-content/uploads/2011/02/blog-headline_2-17-2011-300x92.jpg" alt="" width="300" height="92" /></a></p>
<p>Organizations should continue to monitor for suspicious activity related to the attack described in the article above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/overall-phishing-attack-volume-down-for-2nd-half-of-2010-as-phishers-become-more-focused-on-high-value-targets/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybercrime in Russia: Comments from the United States Embassy in Moscow</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/embassy-moscow-russia-cybercrime</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/embassy-moscow-russia-cybercrime#comments</comments>
		<pubDate>Mon, 13 Dec 2010 16:29:02 +0000</pubDate>
		<dc:creator>Cyber Intelligence Division</dc:creator>
				<category><![CDATA[Fraud and ID Theft]]></category>
		<category><![CDATA[General Cyber Intel]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=973</guid>
		<description><![CDATA[Recent law enforcement activity against a couple of high profile Russian cyber criminals reminds us that while some major cyber criminals continue to act with impunity, it appears that progress is being made on some fronts. Cyveillance recently asked the United States Embassy in Moscow to comment on cooperation between our countries in the fight [...]]]></description>
			<content:encoded><![CDATA[<p>Recent law enforcement activity against a couple of high profile Russian cyber criminals reminds us that while some major cyber criminals continue to act with impunity, it appears that progress is being made on some fronts.</p>
<p>Cyveillance recently asked the United States Embassy in Moscow to comment on cooperation between our countries in the fight against cybercrime, for publication on CyveillanceBlog.com. Below are the responses from the U.S. Embassy in Moscow to our inquiries:</p>
<p><strong>Cyveillance:</strong> Is there regular dialogue between the American and Russian governments at the diplomatic level on the topic of international cybercrime? If so, how often does such engagement occur?</p>
<p><strong>U.S. Embassy in Moscow:</strong> Yes, on more than one level. For example, there is ongoing dialogue between U.S. and Russian diplomats concerning matters of Internet governance, of which law enforcement efforts against cyber crime are an integral part. These discussions typically occur in a multi-national setting such as the United Nations. Additionally there is ongoing dialogue and cooperation between our respective investigators on particular cyber crime cases. This dialogue occurs in several ways, including through periodic face-to-face meetings several times per year. In some instances, these discussions focus on a particular area of cyber crime. For example, there is a bilateral United States – Russia IPR Working Group which meets regularly to discuss issues related to intellectual property protection, including in cyber space, with special focus on enforcement.</p>
<p><strong>Cyveillance:</strong> With the shutdown of Russia-based Spamit <a href="http://krebsonsecurity.com/2010/09/spam-affialite-program-spamit-com-to-close/">this fall</a> and the <a href="http://www.nytimes.com/2010/10/27/business/27spam.html">investigation</a> into the activities of alleged spammer Igor Gusev, it appears Russian authorities may be taking steps to curtail cybercrime. From the U.S. Embassy in Moscow&#8217;s perspective, are these isolated incidents or does it appear that there may be a shift in the climate for cybercriminals in Russia?</p>
<p><strong>U.S. Embassy in Moscow:</strong> We are hopeful that these examples mark the beginning of the creation of a much more difficult environment for cyber criminals, not only in Russia, but worldwide. As you know, cyber crime transcends national boundaries not only in the perpetrator-victim sense, but also in the sense that members of the same cyber-driven criminal organization are often based in several countries. It is more important than ever that each nation take steps to clamp down on cyber crime.</p>
<p><strong>Cyveillance:</strong> Russia traditionally enjoys a population that is well educated in math and engineering. Some <a href="http://www.cyveillanceblog.com/general-cyberintel/fatal-system-error-joseph-menn">authors</a> suggest that the lack of opportunities in traditional business environments may tempt talented programmers into criminal activity. Is the State Department aware of any formal efforts that will help encourage Russian technologists to pursue legal opportunities using their skills, as opposed to those offered by cybercrime?</p>
<p><strong>U.S. Embassy in Moscow:</strong> President Medvedev has made technological development a very high priority in his administration’s vision for the future of Russia. One example of this is the plan to develop a cyber industry, along the lines of Silicon Valley, based in the town of Skolkovo near Moscow. The prioritization of economic development in the tech sector, provided it is coupled with a strong law enforcement response to cyber crime, should incentivize individuals with technical skills to seek legitimate career paths.</p>
<p><strong>Cyveillance:</strong> While there have been some recent notable exceptions, Western cybercrime researchers and even some in law enforcement sometimes feel that Russian cybercriminals are out of reach and enjoy a <a href="http://krebsonsecurity.com/2010/11/cybercrime-untouchables/">de facto immunity</a> from prosecution. What is the State Department&#8217;s position on the amount and quality of cooperation received from Russian officials in international cybercrime investigations?</p>
<p><strong>U.S. Embassy in Moscow:</strong> There has been some cooperation on cyber crime matters, but there is a need for far more. That is an overarching goal of the ongoing dialogue between our countries on these issues. Certainly, enhanced cooperation in this area would support the goals announced by President Medvedev for technological development in Russia, as those who consider investing in that development will expect a consistently strong law enforcement response to cyber and other crimes to protect their investments.</p>
<p><strong>Cyveillance:</strong> From the State Department&#8217;s perspective, how much of American success in combating cybercrime of Russian origin is amenable to American law enforcement&#8217;s efforts? Are there inroads that remain to be made at the diplomatic level first?</p>
<p><strong>U.S. Embassy in Moscow:</strong> The United States plays a leadership role in combating cyber crime, but no one nation can tackle this multi-national problem. The United States has law enforcement partnerships around the world with dedicated and highly professional counterparts in the area of cyber crime. We are striving to strengthen our partnership with our Russian counterparts in this area, which is certainly in our mutual interest.</p>
<p><strong>Cyveillance:</strong> Is there anything else the State Department thinks cybercrime researchers or the general public should know about efforts to combat cybercrime in Russia?</p>
<p><strong>U.S. Embassy in Moscow:</strong> Cyber crime presents complex problems that require a complex, multi-faceted response. This includes coordinated efforts not only by the governments of the United States, Russia and other countries, but also by those in industry and academia. We appreciate the opportunity to participate in this important dialogue.</p>
<hr />
<p>Many thanks to U.S. Embassy staff for taking the time to answer our questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/embassy-moscow-russia-cybercrime/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

