Information Security Newsletter

Newsletter Posted 11/18/2008

This Week's Trends
We've been off the air for a couple of weeks, waiting for our RSS feed to be set up. It's now ready for you! If you'd like to keep track of any new additions to this newsletter, please click on the RSS button above and subscribe. In case you don't know how to subscribe to RSS feeds and missed the tip where I gave instructions on how to do so, I've archived that tip here.

This last couple of weeks we've seen Adobe in the cross-hairs. You'll note several security updates for Adobe products in this newsletter, as well as several other important updates. On the email front, we've seen new attacks using the economic crisis and the Obama election, as well as a lot of the same old tricks that we're used to. We sent out a notice last week regarding the "Inland Revenue" email scam that attempted to fool people into filling out fake IRS forms and faxing them to the bad guys. You have to give them credit for a never-failing imagination.

Federal Reserve Phishing Scam
Security officials are warning users of a clever new phishing scam arriving in emails purporting to come from the U.S. Federal Reserve.

The U.S. Computer Emergency Response Team (US-CERT) said that the spammed messages direct users to a web page which warns of a new phishing scam targeting users. The message contains a fake Federal Reserve letterhead and warns users in typically broken English that a “large-scales phishing attack started and has been still lasting.” In addition to the shoddy grammar, the messages are identifiable in their attempt to lure victims to an outside URL. On clicking the link, the user is briefly sent to a fake Federal Reserve page which attempts to download a PDF file, supposedly containing further details on the attack. Shortly after accessing the page, the user is forwarded to a pornographic web site.

An advanced threats researcher at security firm Trend Micro said in a blog posting that the PDF file is loaded with malicious JavaScript which attempts to download and install a number of malware packages, including a botnet controller.

In addition to keeping updated system and antivirus software, US-CERT recommends that users exercise caution when viewing unsolicited messages and avoid clicking on any links which may seem suspicious.

Malware Campaign Uses Obama’s Name
Within 24 hours of the polls being closed, hackers were launching a new malware campaign. Using the president-elect’s name to draw people in, the e-mail messages contain subject lines such as “Obama win preferred in world poll” and claim to be from news@president.com.

After the message is opened, there is a link that purports to take the user to news about the new president. Once the link is clicked, the user is prompted to download Adobe Flash 9 to view a video of president-elect Obama making a speech. If the bogus Adobe Flash player is downloaded, a malicious Trojan horse infects the computer.

Owners with infected computers will find that their data has been compromised, and they could potentially even have their identity stolen. Sophos experts said the malicious Trojan horse incorporates the following characteristics: The malware contains rootkit technology to conceal itself; it is designed to steal information from an infected computer; it has general “backdoor” functionality; it spies on user’s keyboard and mouse inputs and can take screenshots; it looks for passwords; and it submits the information it discovers to a Web server located in Kiev, Ukraine.

We have seen several varieties of this type of scam since the election, so be wary.

Users of anti-virus products should check to see if updates have been made to protect against this new malware.

Hotmail Account Scam Warning
An email that claims to be from the Hotmail Customer Care team is actually a phishing scam, security experts have warned.

The email, which asks recipients to verify the details of their Hotmail account to avoid having it shut down, says that a person’s account will be closed within 24 hours if they do not reply. The English in the email is not especially good, which should make it easier to identify as a scam. “We are having congestions due to the anonymous registration of Hotmail accounts so we are shutting down some Hotmail accounts and yours was among those to be deleted,” the phony email reads. “We are sending you this email to so [sic] that you can verify and let us know if you still want to use this account,” the message continues. It also asks recipients for their username, password, and date of birth. An employee of FaceTime Security said that this scam had been seen before.

Microsoft Updates for Multiple Vulnerabilities
In its latest Patch Tuesday on November 11, Microsoft released updates that address vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft XML Core Services. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a vulnerable application to crash.

High Volume of Financial Accounts Compromised
US-CERT is aware of public reports of a high volume of financial accounts compromised by the Torpig (also known as Sinowal or Anserin) Trojan horse. This Trojan horse uses HTML injection to add fields to web pages in order to convince users to provide additional user credentials or financial account information. Systems compromised by this Trojan horse are being used by attackers to obtain FTP credentials, email addresses, and digital certificates of the current user.

This Trojan horse uses an MBR rootkit known as Mebroot. This rootkit contains configuration information for the Trojan horse as well as techniques used to keep the Trojan horse undetectable.

Adobe Flash Player Vulnerable
Several security vulnerabilities have been identified in Adobe Flash Player. Adobe Flash Player is a widely distributed multimedia and application player for Microsoft Windows, Mozilla, and Apple technologies. It is used to enhance the user experience when visiting web pages or reading email messages. These vulnerabilities can be exploited if a user views a malicious webpage or opens a malicious Shockwave Flash (SWF) or Java Archive (JAR) file. Successful exploitation may result in an attacker gaining the same privileges as the logged-on user. If the user is logged in with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Adobe Flash CS4 Professional
  • Adobe Flash Player 10
  • Adobe Flash Player 7
  • Adobe Flash Player 7.0.69.0
  • Adobe Flash Player 7.0.70.0
  • Adobe Flash Player 8.0.34.0
  • Adobe Flash Player 8.0.35.0
  • Adobe Flash Player 9
  • Adobe Flash Player 9.0.124.0
  • Adobe Flash Player 9.0.28.0
  • Adobe Flash Player 9.0.31.0
  • Adobe Flash Player 9.0.45.0
  • Adobe Flash Player 9.0.47.0
  • Adobe Flash Player 9.0.48.0
  • Adobe Flash Player 9.0.115.0
  • Adobe Flex 3.0
We recommend upgrading to Adobe Flash Player 10.0.12.36 or 9.0.151.0 as soon as possible.

Multiple Vulnerabilities Discovered in Adobe Reader and Adobe Acrobat
Several security vulnerabilities have been identified in Adobe Reader and Adobe Acrobat. Adobe Reader allows users to view Portable Document Format (PDF) files. Adobe Acrobat offers users additional features such as the ability to create PDF files. These vulnerabilities can be exploited if a user opens a malicious PDF file. Successful exploitation will result in an attacker gaining complete control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

It has been reported that one of the vulnerabilities is actively being exploited on the Internet. A trojan is currently being served from infonews.athena.cx but may come from other sources. Once the exploit is triggered, it will attempt to contact a server at adxdnet.net to download additional malware. Current anti-virus detection is very low.

SYSTEMS AFFECTED:

  • Adobe Acrobat Reader 8.1.2 and earlier
  • Adobe Acrobat Standard/Professional/3D 8.1.2
We recommend upgrading to version 8.1.3 or 9 as soon as possible.

Mozilla Firefox and SeaMonkey Updates
Mozilla has released Firefox 2.0.0.18, Firefox 3.0.4, and SeaMonkey 1.1.13 to address multiple vulnerabilities, some of which could lead to the complete compromise of affected systems if successfully exploited by an attacker. Some of these vulnerabilities may also affect Mozilla Thunderbird.

Apple Releases Safari 3.2
Apple has released Safari 3.2 to address multiple vulnerabilities.

These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

US-CERT encourages users to review Apple Article HT3298 and apply any necessary updates.

Lame Mac Trojan Limps Into View
Lamzev-A creates a backdoor on compromised Mac OS X systems. The malware typically disguises itself as a video codec on dodgy websites. Mac users hoping to watch a clip from a grumble flick get infected instead, the same trick used by the earlier RSPlug Mac Trojan.

Few have fallen for the bait. The malware is notable as a rare example of a malicious agent capable of infecting Apple systems rather than for any threat that it poses, which is minimal. Previous examples of malware able to infect Mac systems have included an Apple variant of a scareware (fake anti-spyware) package and a Trojan, DNsChan-A, that detected whether it was attempting to infect a Windows or Mac system before running the appropriate infection routine.

New Attack Targeting Windows Mobile Phones
Attacks on Google’s Android and Apple’s iPhone have made headlines recently but now Windows Mobile phones are the latest target.

The latest wave is a Windows CE/Mobile polymorphic “companion” virus, according to a McAfee Avert Labs blog post on Thursday. It could also be regarded as one of the first real viruses for Windows Mobile, the head of global marketing for McAfee’s mobile division told SCMagazineUS.com Thursday. The virus is notable because it combines two different PC attack methods: a “companion technique” and encryption.

Researchers in the Georgia Tech Information Security Center (GTISC) recently predicted mobile threats will pose one of the top risks to end-users in 2009, suggesting that botnets will spread to handhelds.

Reports of Electric Vehicle Scams
During the days of rising gas prices we saw reports of gas card scams. Still related to that, we have seen reports of electric vehicle conversion kit scams. The Ford Ranger conversion kit, or an already converted Ford Ranger, is the one most often reported as a scam. In several cases, the truck or the conversion kit was ordered and paid for but never delivered.

Sitter City Nanny Web Site Used by Cyber Criminals
A legitimate web site for locating and hiring nannies has been used by criminals to scam the nannies registered with that site. This might not affect you unless you are a nanny, but it is a typical scheme that it is wise to be aware of.

In this case, the criminals claimed to be from abroad and moving to the U.S. soon, needing nanny services. After agreeing to the details, they offered to forward the nanny several money orders as pre-payment and to pay for toys for the kids. The money orders arrived in larger amounts than expected and the criminals asked that the balance be wired back to them.

The nannies wired the extra money back, only to learn eventually that the money orders were counterfeit and they were responsible for the money.

Campaign Hacks Highlight Cyber-espionage
The security world is abuzz with news today that both the Democratic and Republican presidential campaigns had their IT systems hacked and infiltrated in recent months.

As originally reported by Newsweek, “The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyber-attack by an unknown foreign entity, prompting a federal investigation.” The newsmagazine also reported that after taking a closer look at the incidents, Obama’s technical experts believed that the involved hackers were either Russian or Chinese. Newsweek’s sources speculated that the attacks were targeted attempts by foreign constituencies to study the potential policies that each candidate would propose to put into place.

Is Our Internet Future in Danger?
The digital Disneyland of the future -- where we freely work and play online -- may be at risk. Why? Because, some argue, broadband carriers can't support it.

The Internet's "free ride" culture has led to more people downloading gigabytes of data at practically no cost. Even if broadband infrastructure's capacity doubled or tripled, there's no avoiding the equivalent of an abrupt work stoppage.

There are signs of the free ride being nearly over. In the U.K., a million users are about to bump into "soft caps" for usage that their carriers imposed, according to consumer research group uSwitch. In the U.S., some carriers have also started imposing caps that customers have found out about only when they exceeded them in their inaccurately labeled "unlimited" plans. (These limits were hidden in the "unlimited" contracts' fine print.) Comcast, for example, now has a national cap of 256GB per month. And a few are experimenting with tiered pricing, where the more you use, the more you pay -- just like you do for electrical, gas, and water.

Up to 10,000 Web Sites Hacked Into, Unpatched Visitors in Danger, Says Kaspersky
Hackers have launched a widespread Web site attack, leaving malicious links on up to 10,000 web servers, says security software firm Kaspersky Lab. Kaspersky says the servers hacked into are mainly located in Western Europe and the United States. It is not clear at this stage who has hacked the machines, but the expectation is that the number of infected sites will rise.

The cyber criminals are adding a line of Javascript code onto the sites that redirects hacked site visitors to one of six servers. These sites then redirect the visitor to a server in China. That server can then launch a variety of attacks, targeting known flaws in the Firefox and Internet Explorer browsers, Adobe’s Flash Player and ActiveX management controls, said Kaspersky. Victims who do not have fully patched PCs run the risk of allowing the remote attackers to install spyware on their machines, and then to steal their data.

This attack will be hard to fight. The thousands of Websites infected by this new Web attack during the past few days won’t necessarily be safe even after they remove the offending code. “People are recommending that the Website remove the link, but that’s not enough. If it has compromised your machine once, it will do it again. We’ve seen evidence” of this, says a senior virus researcher for Kaspersky Lab, which first discovered this new wave of Web attacks late last week. The SQL injection attacks, which appear to originate from China, appear to have peaked on November 13th, according to Kaspersky.

Among the infected sites found by Kaspersky were Travelocity.com, countyofventura.org, and missouri.edu. It is not likely, however, that the attacks will reach the volume of SQL injection attacks from earlier this year, which numbered in the hundreds of thousands of sites, mainly because the new attacks are mostly using a new, stealthier, and more closely guarded SQL injection toolkit, says the director of threat intelligence for SecureWorks. The director and his team have been in communication with the Chinese developer of the tool, hoping to procure a copy and reverse-engineer it. The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China.
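One defensive check this item points to, as an added example that is not from the newsletter, Kaspersky or SecureWorks: scan the pages of your own site (or the database text columns they are rendered from) for script tags that load from a host other than the site's own, which is the footprint of the injected redirect line described above. The site host, the row contents and the IP addresses below are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not from the newsletter): the HTML stored in a
# CMS text column for one site, after an injection campaign has appended a
# remote <script> tag to several records. Hosts and IPs are placeholders.
SITE_HOST = "example.org"
SAMPLE_ROWS = {
    "news/1": "<p>Council meeting moved to Tuesday.</p>",
    "news/2": '<p>Budget hearing.</p><script src="http://198.51.100.7/x.js"></script>',
    "news/3": '<p>Road closure.</p><script src="/static/site.js"></script>',
    "news/4": "<p>Parks update.</p><script src='https://cdn.example.org/app.js'></script>",
    "news/5": "<p>Utility notice.</p><script src=http://198.51.100.7/x.js></script>",
    "news/6": "<p>Library hours.</p><SCRIPT SRC=//203.0.113.9/x.js></SCRIPT>",
}

# Matches the src attribute of a <script> tag, quoted or unquoted, any case.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def external_script_sources(html, site_host):
    """Return script src values that load from a host other than the site's own."""
    foreign = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("/") and not src.startswith("//"):
            continue  # relative path: served by the site itself
        # Protocol-relative and bare-host forms are normalised so urlparse sees a host.
        parsed = urlparse(src if "//" in src else "//" + src, scheme="http")
        host = (parsed.hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            foreign.append(src)
    return foreign


def scan_rows(rows, site_host):
    """Map each row id to its foreign script sources; rows with none are omitted."""
    hits = {}
    for row_id, html in rows.items():
        found = external_script_sources(html, site_host)
        if found:
            hits[row_id] = found
    return hits


def repeated_hosts(hits, min_rows=2):
    """Foreign hosts that appear in at least min_rows rows: the signature of a
    mass injection, where the same tag was appended to every record it reached."""
    rows_per_host = {}
    for row_id, srcs in hits.items():
        for src in srcs:
            host = urlparse(src if "//" in src else "//" + src, scheme="http").hostname.lower()
            rows_per_host.setdefault(host, set()).add(row_id)
    return {h: sorted(r) for h, r in rows_per_host.items() if len(r) >= min_rows}
```

Running scan_rows(SAMPLE_ROWS, SITE_HOST) flags news/2, news/5 and news/6 while leaving the site's own relative and subdomain scripts alone; as the item notes, a hit means the injection point must be closed as well, or the tag will be written back.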

Cybercrime Expected to Ramp During Holiday Season
With the holiday season just weeks away, cybercriminals are beginning to shift their efforts into high gear, security vendors have warned. Vendors have forecast that cybercriminal activity will hit an all-time high sometime around Thanksgiving and will remain high throughout the holiday season.

The Monday after Thanksgiving is referred to as “Cyber Monday.” It's the “Black Friday” of the cyber world -- that is, one of the biggest online shopping days of the year.

Security vendor PC Tools analyzed threats to more than 500,000 computer users. Last year, it saw an increase in cyberattacks starting in mid-October and a peak the Monday before Thanksgiving. If the pattern holds true, the most dangerous online shopping day of the year will be November 24, the Monday before Thanksgiving, Michael Greene, vice president, PC Tools, told SCMagazineUS.com.

----------------------------------------
Last Updated: November 18, 2008
Website Contact: David Matthews
Copyright © 1995-2009 City of Seattle