Simply Put: A fraudulent email is currently circulating that appears to be from the Center for Disease Control (CDC). The email scam informs recipients that they need to register with the CDC due to the launch of a fictitious "State Vaccination H1N1 Program." There is a link within the email that will forward users to a fake website that will actually install the ZeuS Trojan.
Attack Details: The email appears to be from the CDC and the subject of the email states "Government registration program on the H1N1 vaccination" or "Create your personal Vaccination Profile." The email also includes a link to create your personal profile, which instead links to a fake, malicious website. This site attempts to exploit a recent Adobe software vulnerability to install the ZeuS Trojan. This Trojan is considered "crimeware" and will attempt to steal website credentials.
Countermeasures: Users should be notified of the email immediately and informed to delete the email. Any currently infected machines should be removed from the network and the necessary incident response measures enacted. Gladiator is adding recognition patterns to our eShield email service to deny emails matching the current phishing scheme and will continue to block sites at the firewall if they are found to be hosting this scam.
Reference Links:
CDC Phishing Advisory (http://www.cdc.gov/hoaxes_rumors.html)
SANS ISC Diary Entry (http://isc.sans.org/diary.html?storyid=7678)
Random individuals and companies may have received a falsified e-mail with the subject line "Rejected ACH Transaction." This e-mail appears to be from NACHA, The Electronic Payments Association, telling them that there is a problem with an ACH transaction they have originated. The e-mail includes a link which redirects the recipient to a fake web page that looks like the NACHA website and contains a link which is almost certainly to an executable containing malware.
Sample E-mail
From: nacha.org [mailto:report@nacha.org]
Sent: Thursday, November 12, 2009 10:25 AM
To: Doe, John
Subject: Rejected ACH transaction, please review the transaction report
Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report (this is how the link is presented)
The UIGEA, signed into law in 2006, prohibits any person engaged in the business of betting or wagering (as defined in the Act) from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling. The Department of the Treasury and the Federal Reserve Board have issued a joint final rule, Regulation GG, to implement this Act.
As defined in Regulation GG, unlawful Internet gambling means to “place, receive or otherwise knowingly transmit a bet or wager by any means which involves the use, at least in part, of the internet where such bet or wager is unlawful under any applicable Federal or State law in the State or Tribal lands in which the bet or wager is initiated, received or otherwise made”.
As a customer of Flint Community Bank, these restricted transactions are prohibited from being processed through your account or banking relationship with us. If you do engage in an Internet gambling business and open a new account with us, we will ask that you provide evidence of your legal capacity to do so.
Simply Put: Adobe's Flash Player has a new zero-day vulnerability. "Zero-day" means the vulnerability is being actively exploited on the Internet and no patch is available. Adobe Flash Player is used to display Flash files (.swf) in web pages; these files are normally seen as movies or animations. The vulnerability can be used to run malicious code on a user's machine without notification or permission. Gladiator considers this issue extremely critical.
Attack Details: There are no details currently available from Adobe. The reported vulnerable version is 9.0.124.0 but other versions may also be vulnerable.
Countermeasures: Users should be reminded not to visit untrusted websites or click on links to pages they have never visited. Keep checking the links below for information on when a patch will be available. Once a patch is available, be sure to have all users in the organization install it. Check all servers and critical workstations and uninstall Flash if possible.
If you are using Mozilla Firefox, Gladiator suggests downloading the NoScript plugin. NoScript will block all scripts and active content unless specifically allowed for each site. This will prevent Flash files from running without permission. The link is included below for your convenience. Gladiator is not aware of an Internet Explorer plugin with these capabilities.
Reference Links:
Security Focus Advisory
Secunia Advisory
Resolution: Adobe has released more information on this vulnerability. This bug was fixed in Adobe Flash Player 9.0.124.0; however, prior versions of Flash Player are still vulnerable. Therefore, Gladiator recommends all institutions upgrade to Adobe Flash Player 9.0.124.0 as soon as possible.
Reference Links:
Adobe Flash Player Latest Version
Simply Put: A new phishing scam is currently making its way around the internet. Phishers are sending out email which appears to come from the IRS with information on your 2008 Economic Stimulus Refund. The email requests that you fill out an online form with your personal information so the check can be directly deposited in your bank account. The link to the form is included in the email. This email is not from the IRS, and is designed to steal a person’s identity.
Attack Details: Hoax-slayer.com has examples of both the email and the form in its advisory (linked below). Some emails also include malicious code embedded in the email. All emails matching this description should be deleted when received. Do not read the email or click on any embedded links.
Countermeasures: Users should be notified that these emails are circulating on the internet. Do not open or respond to any emails asking for personal information. If an email appears to come from a known source, browse to the company's website to double-check the authenticity of the information. Type in the company's address manually; do not rely on embedded links.
Reference Links:
hoax-slayer.com advisory
IRS advisory
Simply Put: A new phishing attack has been targeted to customers of a financial institution in Italy. This attack is unique because it links to the institution’s actual website instead of using a fake website like most phishing attacks. Once the customer clicks on the link in the email, they are directed to the institution's website to log on. However, an attack embedded within the link allows the attacker to capture the username and password as the user logs in. The username and password are recorded by the attacker for future use.
Let’s go through an example of what this might look like. A financial institution’s website address is:
https://www.myinstitutionname.com
and the logon page for the institution is:
https://www.myinstitutionname.com/logon.asp.
If this page were vulnerable to XSS, an attacker could send out a link that looks like:
https://www.myinstitutionname.com/logon.asp?user=%20$21script%34source%…
Notice how the domain name is always the same. Most users would only check the target domain, which is the institution’s website, so they would inherently trust this link. If clicked, the additional code at the end of the link would run in the browser with the rest of the financial institution’s website.
Attack Details: The attack uses a cross-site scripting (XSS) vulnerability found in the institution's website. This vulnerability allows the attacker to use a link to the institution's actual website (regardless of SSL certificates) and alter the link to include new code, such as malicious JavaScript or HTML. This code is loaded in the client's browser with the same trust level as the financial website they are visiting. This specific attack injects an IFRAME which opens a new website from Taiwan directly onto the institution's existing website. Screen shots of this specific attack are included in the Netcraft article below.
Countermeasures: This attack is of concern because most anti-phishing material suggests looking at the domain name in the link to see if it is legitimate, or to check for the SSL “lock” at the bottom of the browser window while at the site. Since the domain name and the SSL certificate in this attack belong to the bank, many users could be tricked into putting themselves at risk. Gladiator suggests that all financial institutions review their anti-phishing notices on their websites. They should include a warning to never log in to a secure website by clicking on ANY link in an email, even one with a correct domain name. Users should instead type the domain name into the browser or use a shortcut they have set up. If a financial institution runs its own website and is concerned about vulnerabilities, it can contract with an application vulnerability assessment firm to check its site. If you have any questions, please contact the Gladiator Security Operations Center at 678.461.4620 or soc@gladtech.net.
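A minimal illustration of the reflected-XSS pattern described above, written here as an added example and not taken from the advisory, the Netcraft article or any institution's site: a logon handler that echoes the user parameter into the page unescaped, the same handler with output encoding, and a mail-gateway style check that flags links whose decoded query string carries markup even though the domain is the legitimate one. The path /logon.asp and the parameter name user are borrowed from the walkthrough; the template, function names and sample link are assumptions.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the institution's logon page (not the real page).
LOGON_TEMPLATE = (
    '<form action="/logon.asp" method="post">\n'
    '  User: <input name="user" value="{user}">\n'
    '  Password: <input name="pass" type="password">\n'
    '</form>'
)

def _user_param(query_string: str) -> str:
    # parse_qs percent-decodes values, so "%3Cscript%3E" arrives as "<script>"
    return parse_qs(query_string, keep_blank_values=True).get("user", [""])[0]

def render_logon_vulnerable(query_string: str) -> str:
    """Reflects the user parameter into the markup unescaped: the defect the advisory describes."""
    return LOGON_TEMPLATE.format(user=_user_param(query_string))

def render_logon_fixed(query_string: str) -> str:
    """Same page with HTML output encoding; the browser now sees text, not markup."""
    return LOGON_TEMPLATE.format(user=html.escape(_user_param(query_string), quote=True))

# Markup fragments that have no business in a logon link's query string.
MARKUP_PATTERNS = ("<script", "<iframe", "javascript:", "onload=", "onerror=")

def query_carries_markup(url: str) -> bool:
    """Gateway-style check: decode the query and fragment (repeatedly, to unwrap
    double encoding) and flag HTML/script fragments regardless of the host,
    because in this scheme the host is the institution's real domain."""
    parts = urlsplit(url)
    decoded = parts.query + "#" + parts.fragment
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    lowered = decoded.lower()
    return any(pattern in lowered for pattern in MARKUP_PATTERNS)

if __name__ == "__main__":
    # Constructed sample link: legitimate-looking host, markup hidden in the query.
    sample = "https://www.myinstitutionname.com/logon.asp?user=%3Cscript%3E/*constructed*/%3C/script%3E"
    print("flagged:", query_carries_markup(sample))
    print(render_logon_vulnerable(urlsplit(sample).query))
    print(render_logon_fixed(urlsplit(sample).query))
```

The check is a triage aid for inbound mail or proxy logs, not a substitute for fixing the reflection on the server.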
Reference Links:
Web Application Security Consortium
Netcraft