Information Security
Be on the lookout! Information Security Bulletins
We have decided that you, our subscribers, would be better served if we simply update this news bulletin with timely and
important messages as they arise. New and significant threats don't tend to wait until we have time to publish our
newsletter!
So, we will be posting new items as they arise and as we are able, and will only use email notifications if there is a
particularly dangerous threat. We will keep notices on this letter for about a week and then archive them.
We have posted new bulletins and our newsletter (on 01/16/09)
US Tax Court Phishing Attack
We have received a warning from US-CERT about a new phishing attack that
claims to be petitions from the US Tax Court. This is an example of what is
known as a "Spear Phishing" scheme because the messages contain very
specific information about the message recipient.
The message asks the recipient to follow a link to download additional information
or documents. If you click on the link, the website uses JavaScript to try to install
a bogus root certificate that claims to have been issued by the VeriSign Trust Network.
Normally you will see several warnings when the JavaScript attempts to install
the certificate.
However, if the certificate is installed successfully your browser will redirect to
another page that will attempt to download an ActiveX control. You might get
a prompt to allow the installation and since it seems to be signed and legitimate
(it is signed by a fake certificate for "Adobe Systems Incorporated" that is
trusted by the bogus certificate that you just downloaded), you might be
fooled into installing it.
The ActiveX control is a "Browser Helper Object" that "helps" your browser
steal information such as stored passwords, cookies, browsing history, etc.
from your computer. It will start by going out and trying to update itself. A
very efficient piece of malware!
Reports are indicating the attack messages come from "United State Tax
Court" (Note the missing 's' on 'State'), and that the URL in the message links
to the "ustax-courts.com" domain.
As usual, the City of Seattle Office of Information Security reminds you:
- Do not follow unsolicited or suspicious web links
- Make sure your anti-virus and anti-spyware programs are running and up to date
- Make sure your operating system and all other applications are patched and up to date
- Pay close attention to warning messages and prompts
Posted: June 4, 2008
ADP Phishing Scam
We have been notified of a new phishing scam that could affect City users. It pretends to come from either ADP Total Pay or
Survey@ADPmy account.com. The first of these (from ADP Total Pay) has the subject line "Account Lock", while the second's
subject line is "Customer Survey Get $50 reward now".
Watch out for this scam and just delete the email if it arrives in your inbox.
Posted: May 28, 2008
iTunes Phishing Scam
Be on the lookout for a new scam email that targets Apple's iTunes music
store. This is a relatively sophisticated identity theft attack. The spam email
comes with a message that you need to correct a problem with your iTunes
account. If you follow the link in the email you are taken to a site posing as an
iTunes billing update page, which asks for information including credit card
number and security code, Social Security number and mother's maiden name.
This is the first time we've seen a phishing scam that attacked Apple products.
Be aware of this scam and just delete the email if it arrives in your inbox.
Posted: May 22, 2008
Natural Disasters and Phishing Scams
With all of the recent natural disasters we have noticed an uptick in the number and frequency of phishing scams taking advantage
of our natural tendency to want to help those in need.
These scams always appear soon after natural disasters such as the earthquake in China or the cyclone in Myanmar. They appear to
be requests for donations from charitable organizations and give you a link to click on to learn more or donate.
The link is to a fraudulent website that often is a very good imitation of a legitimate charity site. These sites sometimes ask
for more personal information that will be used to compromise your identity, or they might simply attempt to infect your computer
with malware while you are browsing.
The City of Seattle's Office of Information Security reminds you to never follow a link in an unsolicited email message.
Before donating to any charity you should also check the Federal Trade Commission's Charity Checklist and/or verify the legitimacy
of an organization directly by calling a trusted contact number. Trusted contact numbers can be found on the Better Business Bureau
National Charity Report Index.
Posted: May 19, 2008
Email Scam - Lost Wallet While Traveling - Need a "Soft Loan"
We have seen a resurgence of this particular scam recently and wanted to bring it to your attention. The email usually comes with
a simple subject line such as 'Hello'. Then it goes on to apologize for not informing you that the sender is traveling in Europe
on some humanitarian mission and has lost their wallet with their money and hope you will help them with a "soft loan" (as opposed
to a "hard" loan I guess!).
The most recent example claims to be from someone who is in Europe "for a program called Empowering Youth to Fight Racism,HIV/AIDS,
and Lack of Education" - a tall order, especially when you've "misplaced my wallet on my way to the hotel where my money,and
other valuable things were kept". They then beseech you to help them out with a mere $2400 to "sort-out my hotel bills and get
myself back home."
They go on to assure you that any amount will be appreciated and they will pay you back as soon as they return. You need only
reply to the email to get the details of where to send the money through Western Union.
The example we've seen is pretty poorly done, so I would expect it won't be too successful, but these folks tend to get better
with experience, so be aware of this scam.
Posted: May 19, 2008
New Gasoline Discount Scam
With ever-rising gas prices, it was only a matter of time until the scammers found a way to exploit our anxieties.
Today we have a report of a new phishing scam that offers fuel discounts. The SPAM email directs you to a link that claims to
offer a 70 cent discount on each gallon of gasoline. The email originates from a sender with the alias "Gas Saver."
This has not spread widely yet, but with the price of gas heading quickly to $4 a gallon and rising over the summer we expect it to
escalate.
Watch out for this scam and if the high price of gas is getting you down, try riding your bicycle!
Posted: May 13, 2008
P2P File Sharing Danger - New Malware Attack
File sharing programs such as Limewire, eDonkey, BitTorrent, and many others
(also known as Peer to Peer or P2P programs), are often used to share data
files between computers all across the Internet.
While that might seem like a wonderful and convenient idea at first blush, it
has become one of the most dangerous practices on the Internet and in many
organizations all P2P traffic is banned or blocked by policy.
There are many reasons for blocking this traffic. First, it is often used for
stealing copyrighted materials, which is, uh... illegal! Second it has become a
very popular way to share those nasty malicious software files. In fact one
estimate was that over 50% of all Peer to Peer files were infected.
We have had another reminder this week of why we recommend against using
these types of applications. McAfee has reported the most significant malware
outbreak in three years. More than 500,000 Trojan horse infections have been
detected on PCs since May 2. These files, masquerading as MP3 music or
MPEG video files, are appearing on many of the major and most popular file
sharing services.
The files are all named differently in multiple languages and vary in size to
make them appear like legitimate files. When you attempt to play one of these
infected files it triggers an application called "PLAY_MP3.exe".
The City of Seattle's Office of Information Security recommends against the
use of Peer to Peer services and warns that illegal downloading of copyrighted
materials may be prosecuted if it is detected on City computers. For those of
you not using City computers, be aware that the media industry is becoming
much more serious about finding and prosecuting violators of these laws.
There are much safer alternatives for legitimate sharing of files, so be prudent
and avoid P2P.
Posted: May 8, 2008
IRS Rebate Phishing Scam
We have heard from US-CERT of a new phishing scam that is currently
circulating. This scam is related to the IRS economic stimulus rebate. It arrives
in an email message that appears to be from the IRS. The email includes text
that attempts to convince you to click on a link to a website before a deadline
to expedite the rebate process.
If you click on the link, the website will request bank account information.
US-CERT and the City of Seattle Office of Information Security recommend the following:
- Never follow unsolicited web links received in email messages
- Check the us-cert.gov web site for several good documents about avoiding e-mail scams, social engineering and phishing attacks
- Also check out the irs.gov Suspicious E-Mails and Identity Theft website for information on the latest scams
- Warn any family members or acquaintances - especially those who might be more vulnerable to these type of scams
Posted: April 24, 2008
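The two US-CERT bulletins above (the Tax Court spear phish and the IRS rebate scam) turn on the same tells: a sender who claims to be an institution but writes from some other domain, a link that leads off that domain, and, in the Tax Court case, a misspelled institution name and a known bad domain. The script below is an added example written for this page, not code from the City, US-CERT or the IRS. It screens a message for those tells using the ustax-courts.com domain and the "United State" misspelling from the Tax Court bulletin and the irs.gov domain from the IRS bulletin; it assumes ustaxcourt.gov is the court's legitimate domain (an assumption, not something the bulletins state), and the three sample messages are constructed for the example.

```python
"""Screen an e-mail message for the phishing tells described in the bulletins.

Defender-side heuristics, in order:
  1. a tell phrase such as the misspelled "United State Tax Court";
  2. a display name that claims an institution while the address domain is
     not that institution's real domain;
  3. a sender or link domain on a small blocklist (ustax-courts.com is the
     domain named in the Tax Court bulletin);
  4. a link in the body that leads off the sender's own domain, or off the
     claimed institution's domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# irs.gov is named in the IRS bulletin; ustaxcourt.gov is ASSUMED to be the
# court's real domain (the bulletin does not state it).
BRAND_DOMAINS = {"irs": "irs.gov", "tax court": "ustaxcourt.gov"}
# Domain named in the Tax Court bulletin.
BLOCKLIST = {"ustax-courts.com"}
# Misspelling called out in the Tax Court bulletin.
TELLS = {"united state tax court": "missing 's' in 'United States'"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not real captures), modelled on the bulletins.
SAMPLE_TAX_COURT = """\
From: "United State Tax Court" <notices@ustax-courts.com>
To: employee@example.gov
Subject: Petition filed against you

A petition has been filed against you. Download the documents at
http://www.ustax-courts.com/petition/12345
"""

SAMPLE_IRS_REBATE = """\
From: "IRS Rebate Office" <rebate@irs-stimulus-refund.example>
To: employee@example.gov
Subject: Claim your economic stimulus rebate before the deadline

Confirm your bank account within 48 hours at
http://irs-stimulus-refund.example/claim
"""

SAMPLE_LEGIT = """\
From: "IRS" <noreply@irs.gov>
To: employee@example.gov
Subject: Filing season reminder

Visit http://www.irs.gov/ for details.
"""


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (a real tool would use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mentions(brand: str, text: str) -> bool:
    """Whole-word match so 'irs' does not fire on 'first'."""
    return re.search(r"\b" + re.escape(brand) + r"\b", text) is not None


def screen_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    name_l, text_l = display_name.lower(), text.lower()
    findings = []

    for phrase, why in TELLS.items():
        if phrase in name_l or phrase in text_l:
            findings.append(f"tell: '{phrase}' ({why})")

    claimed = [b for b in BRAND_DOMAINS if mentions(b, name_l)]
    for brand in claimed:
        if sender_dom != BRAND_DOMAINS[brand]:
            findings.append(f"sender name claims '{brand}' but address domain is {sender_dom or 'missing'}")
    if sender_dom in BLOCKLIST:
        findings.append(f"sender domain {sender_dom} is blocklisted")

    for url in URL_RE.findall(text):
        link_dom = registrable(urlparse(url).hostname or "")
        if link_dom in BLOCKLIST:
            findings.append(f"link {url} points at blocklisted domain {link_dom}")
        if sender_dom and link_dom != sender_dom:
            findings.append(f"link {url} leaves the sender's domain ({sender_dom})")
        for brand in claimed:
            if link_dom != BRAND_DOMAINS[brand]:
                findings.append(f"link {url} is not on {BRAND_DOMAINS[brand]} despite '{brand}' branding")
    return findings


if __name__ == "__main__":
    for label, sample in (("tax court", SAMPLE_TAX_COURT), ("irs rebate", SAMPLE_IRS_REBATE), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(sample) or ["no findings"])
```

The blocklist and tell list are deliberately tiny; the point is the shape of the check (display name versus address domain versus link domain), which is the same one the bulletins ask readers to make by eye. The registrable-domain helper is crude and would need the public suffix list before being used against real mail.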
Trojan Extortion Scheme
A new scheme to extort money from computer users has to be given points for
originality. A new Trojan, calling itself "MonaRonaDona" is spreading rapidly.
Once you are infected the Trojan actually notifies you of its presence and
leads you to search for "MonaRonaDona" on the web. This leads you to the
pages of "Unigray Anti-Virus," an application sold for $39.90 which it claims will
detect and remove thousands of malicious applications.
In fact, it will ONLY detect and remove the MonaRonaDona Trojan! A source
code review has shown that both Unigray and MonaRonaDona share many
similarities and were most likely created by the same malware writers.
The City's antivirus application has a signature out for this so you are unlikely to get infected at work. But at home
just make sure your AV is up to date, and don't buy unknown antivirus programs.
Posted: March 4, 2008
Two Warnings - Digital Photo Frame Virus & Lunar Eclipse Email Scam
The latest digital device to be hit by virus writers is the digital photo frame, a favorite holiday gift
this year.
These nifty devices connect with your computer and store a bunch of digital photos that you can select or have running
as a slide show. Great idea, but of course the hackers couldn't fail to notice a new venue to ply their nefarious
trade.
The virus that has been detected is a powerful Chinese Trojan horse that gathers personal
information from your computer once you hook it up. So far it has only collected passwords for online games, but we
can be relatively certain that it will be used to gather other information or otherwise infect computers in the near
future.
This Trojan, which has been named Mocmex, blocks anti-virus protection from more than 100 AV vendors as well as the
security and firewall built into Microsoft Windows. It spreads by hiding itself on photo frames and other portable
storage devices that are plugged into an infected PC. It is designed to do its work and leave no trace.
The other scam we've seen this week is an email that says it has a wonderful video of the recent lunar eclipse if
you just click on a link to download it.
The eclipse was pretty amazing, but if you missed it don't fall for this scam to get a belated look. All you'll get if
you click on this link is a nasty Trojan virus on your computer.
The City of Seattle's Office of Information Security suggests that you never click on any
links in an email unless you can be absolutely certain that it was sent from someone you know. Also be sure that
your antivirus program is running and up to date with the latest signatures and your operating system is patched to
the latest level.
Posted: February 22, 2008
Valentine eCard Warning
We received a warning today from the FBI about a St. Valentine's Day E-Card phishing scam that carries the Storm
worm virus.
If you get a Valentine's e-card, even if it comes from someone you know, be extremely careful (best to just delete it).
This SPAM contains a link that you are directed to click on to receive your card.
If you click on that link you will infect your computer with the Storm worm botnet. A botnet is a network of
compromised computers that can be controlled by the bad guys (the "botnet herders"). They are set up to spread
SPAM, capture your keystrokes for identity theft, and carry out other criminal activities.
We have seen the Storm worm sent out regularly, capitalizing on Holidays or news events.
The City of Seattle's Office of Information Security suggests that to be safe you never accept or click on any
links on an e-card unless you can be absolutely certain that it was sent from someone you know.
If it does look like it came from an acquaintance, call them up to thank them BEFORE you open the
e-card. If they didn't send it you can do them a big favor and let them know that their computer is infected and
they need to take immediate action to clean things up.
Posted: February 13, 2008
FaceBook Profile SPAM
We have just seen a big influx of SPAM messages with the subject line, "Check out my Facebook profile".
The link in this message will most likely lead you to a poisoned Facebook page that will attempt to infect your
computer.
If you receive this email delete it immediately without clicking on any links.
Posted: February 8, 2008
Two Important Updates - Adobe Reader and QuickTime
Both Adobe Reader and Apple QuickTime have released vital new updates to address serious vulnerabilities.
First, if you are using Adobe Reader to open and read PDF documents, we highly recommend that you update to the newest
version, 8.1.2 as soon as possible.
Adobe recently created this update to address a very serious vulnerability in the application. The security flaw
affects PDF documents and could pose a serious threat to your computer and its data if you open a compromised PDF
file and the vulnerability is exploited.
Secondly, Apple has just released an update to address a recently discovered vulnerability in QuickTime's streaming
protocol. They have been dealing with a series of vulnerabilities in QuickTime and this is the fifth QuickTime update
since October.
If you use QuickTime for viewing media files at home, we recommend updating to version 7.4.1 as soon as possible to avoid
becoming a victim of this vulnerability.
Posted: February 8, 2008
Tax Rebate Scam
And in the category of "They Never Miss A Beat!", the scammers are actively
taking advantage of the latest news. The FBI today issued a warning of a tax
rebate scam.
As you have no doubt heard, Federal lawmakers are considering an economic
stimulus package that may result in rebate checks being sent out to millions of
Americans.
Criminals, pretending to be IRS agents, are calling unsuspecting people asking
for Social Security numbers and other personal information so a tax refund
check can be sent.
This tax-rebate plan hasn't even been approved by Congress yet and the IRS
will never ask for personal information on the phone or by e-mail.
If you get such a call (or an email) you can report it to the FBI on their
Internet Crime Complaint Center website.
Posted: January 29, 2008
Two New Scams - Excel Zero Day and FBI Phishing Spam
Two new scams are threatening the City and everyone else right now.
First, there is a new zero day Microsoft Excel vulnerability. Specific targeted attacks are already attempting to
exploit this vulnerability in the wild. The vulnerability is
in any MS Excel version prior to Office 2003 Service Pack 3 and may allow
remote code execution (meaning the attacker will be able to install programs
on your computer, view, change or delete data, or create new accounts with
full privileges). The vulnerability can be exploited by opening a malicious Excel
spreadsheet attachment to an email (they have .xls at the end), or by visiting
a Web site that is hosting a malicious Excel spreadsheet. A successful
exploitation results in the attacker gaining the same user privileges as the
logged on user.
If you receive an email with an Excel attachment, don't open it unless and
until you can absolutely verify its source and that it is a legitimate attachment.
The second scam is a deluge of email spam purporting to be from the FBI. The
bogus messages often include pictures of the FBI's director, along with the
organization's official seal, letterhead and banner. The emails use the FBI's
name to intimidate and/or convince the recipient of the legitimacy of the
message. The emails are typically a notice of a lottery win or a long-lost
relative leaving an inheritance. Other emails offer website monitoring, carry
malicious attachments, or promote online auction scams.
Using trusted institutions, such as the FBI or the Better Business Bureau, is a well-
known and often used spamming method. But since it is still working, they are
still using it and we still need to watch out for it.
Posted: January 18, 2008
Don't Allow Your Computer to Be a Vulnerability - Lock Up When You Leave
Did you know that every computer on any network is a potential vulnerability simply by virtue of its connection
to the rest of the network? As a responsible citizen on your network there is much you can do to help. In some
of these bulletins we'll offer quick tips that you can use both at work and at home.
Today we want to talk about locking your computer screen when you leave it, even for a moment. As we are all aware,
sometimes those moments can be extended by "drive-by" conversations, etc. It only takes a moment for someone passing
by your desk to look at what you are working on; open up your email (and maybe send something out in your name); open
an inappropriate or dangerous web site; install a key stroke logger; etc. Any of these activities could be blamed on
you if they happen on your computer and all of them could result in the compromise of your network and the
sensitive or personal data that you store there.
Locking your computer is very easy to do. There are two simple ways: First, you can press the Ctrl, Alt, and Del keys at
the same time and then either press the W key or click on the 'Lock Workstation' button. Or, if you want to use even
fewer keystrokes, simply press and hold the Windows key (that's the one on the bottom row of your keyboard right next
to the Alt key on both sides, with a little flying windows symbol), then press the L key.
All the work you were doing is saved just as you left it, but your computer screen will now be locked and no one can
use your computer without pressing Ctrl Alt Del again and entering your password. This simple practice will go a long
way to ensuring that your computer is not a vulnerable point in your network.
Posted: January 15, 2008
----------------------------------------
Last Updated: January 28, 2009
Website Contact: David Matthews