Psychological trick used for spam

Friday, June 26th, 2015 | Taichi Nakamura | Comments Off on Psychological trick used for spam

Subject Title “stop spamming me”

An interesting piece of spam was caught today by the University's email spam filter.
It used a psychological trick to manipulate the recipient's behaviour.
The subject line and body were a complaint about spam supposedly being sent, repeatedly, from a named University department, and a Microsoft Word document was attached that was said to contain the details of the spam the complainant had been receiving.

What made this spam unusual was that it avoided being deleted on sight: it did not use the subject lines and opening sentences that spammers commonly use.
It was then carefully sent to a third-party employee, someone not involved in the supposed problem but likely to want to help.
The spammer's hope was that the employee would try to be helpful and open the attachment to look into the complaint; failing that, plain curiosity would get the attachment opened.

Either way, once the document was opened, the malware hidden in the Word document would infect the PC.

More Specific

The spam looked like a genuine complaint, but the complaint was not real.
Both the sender's and the recipient's email addresses were forged. Because current email applications usually hide the message headers by default, this would have been difficult for the recipient to spot.

The subject line and body did not read like the usual computer-generated spam; they read like a complaint written by a native English speaker.
Nothing in the text identified it as spam. It gave just enough information, and no more, to make the recipient feel they needed to investigate further to understand the full picture.
That made it more likely that the employee would read the message rather than delete it straight away, and then go on to open the attachment.

The recipient was not associated with the department named in the complaint, but the message looked genuine because it used real department names.
So an employee trying to be helpful could easily have been tricked into opening the attachment and infected by the malware.

How to Avoid 

Best practice is never to open an email attachment unless you know who it is from, you were expecting it, and you are absolutely sure it is legitimate.
If you receive an attachment you were not expecting, be suspicious and ask the sender for clarification by some means other than replying to the message (the sender address may be forged, as it was here), or contact the Information Security Office.

Recent Type of Spams

Spam often creates a sense of urgency: the matter is critical, must be dealt with immediately, and requires you to do something.
It often carries a malicious attachment or link.

Recent spam types:
  • A bank asking you to change your password
  • The helpdesk telling you that your email account is over quota and that you must click a link to avoid being locked out
  • Someone wealthy overseas wanting to send you money or funds
  • A parcel you know nothing about that is having difficulty being delivered
  • Copyright and other infringement notices for which you do not recognise the reason
  • Conference and paper submission invitations
  • Sales of equipment and goods
  • Apple iTunes and other vendors' apps and services asking you to go to a website and sign in

Microsoft’s iOS and Android Outlook app

Wednesday, February 4th, 2015 | Jim Cheetham | Comments Off on Microsoft’s iOS and Android Outlook app

Microsoft have recently released a new “Outlook” email app on the iOS and Android mobile platforms. This app is a rebrand of the recently-purchased Acompli.

The user interface apparently is quite effective, mixing calendar and priority mail and allowing fast response to messages.

Unfortunately, at this stage in the app’s existence it takes some security shortcuts that are not ideal. All your email is copied into “the cloud” (this is a techno-marketing phrase that simply means “someone else’s computer” – and of course we should assume that “the cloud” will always be in a hostile legal environment, where government agencies from multiple countries will have free access to all your data). Worse, if you are accessing an Exchange service (i.e. University mail) your username and password are also stored in the cloud in order to make this work. The app doesn’t make this clear to users, and for some people that could represent a real problem.

More directly, this cloud-based login also actively violates the security policies that the University sets on Exchange email access. In order to protect University-owned data, devices that connect to Exchange are required to have local security policies like active screen locking, and to respond to remote wipe requests when they are reported stolen/missing. The current Outlook app does not apply these policies to the devices that use it, and although remote wipe might correctly remove data copied into the cloud, it doesn’t remove anything from the missing device. Worse, if you have multiple devices using this app, we can no longer wipe just the missing one; this app services them all from the same connection, and therefore a wipe affects all of them at the same time.

There has been a lot of press about this Outlook app recently – from the usability point of view it’s all positive, and from the security point of view it is all negative. Hopefully Microsoft will be able to put in some new development resources to help address these problems soon.

In the meantime, ISO recommend that you do NOT use this app with University email services.

Phone-to-email Spam

Wednesday, November 26th, 2014 | Jim Cheetham | Comments Off on Phone-to-email Spam

Can I send you an email?

In the last few months there has been a rise in “pretexting” phone calls from legitimate marketing organisations, probably in response to anti-spam legislation around the world.

The usual script is an unsolicited phone call from a real live human, asking for permission to use your email address in order to send you some marketing material, usually described as a “White Paper”.

The calls are often made over a low-quality connection (i.e. cheap VoIP) and come from non-native English speakers (a kind way to suggest “offshore call centres”). However, they do generally respond well to a polite “No thanks” as an answer, and to requests to not be called again in the future. If permission is given the eventual email usually represents a legitimate trading company of some sort.

All in all, no real problem.

I have a business opportunity for you!

However, we’re beginning to hear of the same approach being used by spammers, particularly of the advance-fee fraud variety. A small amount of research (i.e. get your name and job title from a website), a hacked VoIP system (which lets them call anywhere in the world for free), and a fresh email address from one of the big free webmail providers potentially gives these criminals a much more direct line to your mailbox and your attention.

This is a particular worry because it won’t be long before these techniques are used for distributing fresh malware – you receive a difficult-to-understand phone call from someone with urgent information to send to you, and a couple of minutes later in comes the email, along with a juicy PDF attachment. Would you resist the temptation to click? How can you tell the difference between an attack, and a real foreign student or academic trying to work with the University?

(Some of you reading this might suddenly realise that you already open too many attachments without stopping to check fully the source!)

What should you do?

The best defence if you are unsure would be to check with your colleagues, see what they think; to check with your IT support; or to ask the ITS Information Security Office for an opinion.

If you don't have an opportunity to get a second opinion, there are a few practical steps that reduce the risk. Firstly, wait a while: come back to the message in a couple of hours' time. If the message arrived out of hours, just don't open it until you are back at work. Remember that just because something seems urgent to someone else, it is not necessarily urgent to the University!

Instead of just opening the attachment, ask your anti-virus software to scan it. This is best combined with the “wait a while” approach – if this is a new malware sample (there are tens of thousands per day automatically created), give your AV software time to get an update from the vendor.

Another option is to open the attachment in a program other than the one the attacker expects. For example, malicious PDFs often only successfully attack Adobe Acrobat Reader, so if you have a different PDF reader available you could use that; instead of opening untrusted attachments with Microsoft Word, open them with a copy of LibreOffice. This reduces your exposure to exploits written for one particular product, but it is not a guarantee: the alternative readers have had vulnerabilities of their own, and a document's links and macros can still do harm if you follow or enable them. If your job role means that you will be receiving unsolicited attachments regularly, get your IT support to help you install these alternatives.

Finally, if you are in any doubt, leave the file alone and refer the whole thing to the Information Security Office. We can check a lot more details to find out what is going on, and we really don’t mind being asked.

TrueCrypt & file encryption

Thursday, June 26th, 2014 | Jim Cheetham | Comments Off on TrueCrypt & file encryption

TrueCrypt is dead

We used to recommend TrueCrypt as an effective file encryption solution, suitable for exchanging data sets over untrusted networks as well as for medium-term offline storage or backups.

Unfortunately, over the last few weeks it has become clear that the TrueCrypt authors have withdrawn their support for the product; and while the source code is available (and is actively being audited), it is not Open Source licensed, and should not be used in the future. TrueCrypt is effectively dead.

What should I do?

What does this mean for people who are currently using TrueCrypt? I’d recommend that you migrate your data out of TrueCrypt and into some other format; not in a rush, because there are no currently-known attacks or vulnerabilities in the product, but in a well-planned way. You should not start any new storage schemes using TrueCrypt.

What alternatives are there?

There doesn’t seem to be any useable and “free” software that does everything that TrueCrypt did, but most people we talk to don’t actually need all of those features at the same time anyway.

We are currently recommending the 7z archive format with AES encryption as a solution for:

  • Cross-platform support
  • Protection in transit (email, dropbox, etc); sharing
  • Medium-term storage on untrusted media

Please be aware that University-owned data should always be accessible by the University itself; so if the only copy of your data is encrypted in this way, the passphrase used as the key needs to be made (securely) available to the appropriate people (usually your employment line management).

7z?

7z is the file format originally implemented by the Open Source 7-Zip file archiver; it is publicly documented and there are now several independent implementations. It is among the best-performing general-purpose compression formats available. Read more on the Wikipedia entry. Command-line users might like the p7zip implementation, packaged in Debian and in the EPEL repository for Red Hat.

7z applications usually do not use encryption by default; make sure that you select this option for secure storage. Also note that, by default, 7z encrypts only the file contents: the archive header, which holds the file names, stays in the clear unless you also ask for header encryption ("Encrypt file names" in the 7-Zip GUI, -mhe=on on the command line). The encryption is only as strong as the passphrase protecting it, so choose a long one.
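To make the header-encryption point concrete, here is an added example (not from the original post) that drives the p7zip/7-Zip command line from Python: it builds one archive with content encryption only and one with -mhe=on as well, then shows that the first lists its file names to anyone while the second refuses without the passphrase. It assumes a 7z, 7za or 7zz binary is on the PATH; the data file and the passphrase are made up.

```python
"""Added example: 7z archives with and without header encryption, built with
the p7zip / 7-Zip command line (a 7z, 7za or 7zz binary must be on PATH).
The sample data file and the passphrase are demonstration values only."""
import shutil
import subprocess
import tempfile
from pathlib import Path

PASSPHRASE = "correct horse battery staple"  # made-up demonstration value


def find_7z():
    """Path of the first 7-Zip command-line binary found on PATH, or None."""
    for name in ("7z", "7za", "7zz"):
        path = shutil.which(name)
        if path:
            return path
    return None


def build_command(sevenzip, archive, files, passphrase, encrypt_headers):
    """argv for: 7z a -t7z -mhe=on|off -p<passphrase> ARCHIVE FILE...
    -p switches on AES-256 encryption of the file contents; -mhe=on also
    encrypts the archive header, which is where the file names are kept."""
    return [sevenzip, "a", "-t7z",
            "-mhe=" + ("on" if encrypt_headers else "off"),
            "-p" + passphrase, str(archive)] + [str(f) for f in files]


def run_7z(args, cwd=None):
    """Run the 7z binary with ARGS and return the CompletedProcess."""
    sevenzip = find_7z()
    if sevenzip is None:
        raise RuntimeError("no 7z, 7za or 7zz binary found on PATH")
    return subprocess.run([sevenzip] + args, cwd=cwd, capture_output=True, text=True)


def make_archive(archive, files, passphrase, encrypt_headers):
    """Create ARCHIVE from FILES, which are paths relative to the archive's directory."""
    archive = Path(archive)
    cmd = build_command(find_7z(), archive.name, files, passphrase, encrypt_headers)
    subprocess.run(cmd, cwd=archive.parent, check=True, capture_output=True)


def names_leak(archive, name):
    """True if NAME appears when ARCHIVE is listed with a wrong passphrase,
    i.e. the file names can be read without knowing the key."""
    return name in run_7z(["l", "-pnot-the-passphrase", str(archive)]).stdout


def passphrase_ok(archive, passphrase):
    """'7z t' exits non-zero when the passphrase is wrong."""
    return run_7z(["t", "-p" + passphrase, str(archive)]).returncode == 0


def demo():
    """Build both archives in a scratch directory and report what each reveals."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        (work / "dataset-2014.csv").write_text("participant,response\n0042,yes\n")
        make_archive(work / "weak.7z", ["dataset-2014.csv"], PASSPHRASE, False)
        make_archive(work / "good.7z", ["dataset-2014.csv"], PASSPHRASE, True)
        return {
            "weak_leaks_names": names_leak(work / "weak.7z", "dataset-2014.csv"),
            "good_leaks_names": names_leak(work / "good.7z", "dataset-2014.csv"),
            "good_opens_with_passphrase": passphrase_ok(work / "good.7z", PASSPHRASE),
            "good_opens_with_wrong_passphrase": passphrase_ok(work / "good.7z", "wrong"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:34} {value}")
```

Giving the passphrase with -p puts it in the process list and, when typed by hand, in your shell history; at an interactive prompt use a bare -p and 7z will ask for it instead. The GUI equivalent of -mhe=on is the "Encrypt file names" checkbox.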


Keep an ear out for this – vishing

Thursday, May 1st, 2014 | Mark Bedford | Comments Off on Keep an ear out for this – vishing

The security firm PhishLabs has released some interesting research on a new type of phishing attack that uses Voice over Internet Protocol (VoIP). The bad guys send an SMS text message to unsuspecting users telling them that their debit card has been deactivated, and asking them to call a number and enter their card number and PIN to reactivate it.

So far this has only been seen in the United States and has yet to make it to our shores. It will come, just as those nasty, irritating hoax Microsoft support calls eventually showed up.

Knowing that this type of attack is in use gives you the upper hand. Before you reply with your credentials, consider: have you actually given your mobile number to your bank? Contact your bank using the number from the phone book (not the one in the message) and tell them that you have received such a message. Don't delete the message; it may be helpful in pursuing the offender.

Could this happen in NZ?

Aside

While scanning my security news feeds I came across this article from azcentral.com which made me wince a little. It seems that the Maricopa County Community College District could end up spending around $17.1 million, most of it on lawyers and on services for the millions of people whose personal data was exposed.

The article says that a breach in 2011 was never addressed properly, and this led to the far more costly 2013 event. In April 2013 a server was compromised, exposing Social Security numbers and banking information for 2.4 million current and former students and staff, with records going back as far as 30 years.

Thursday, November 21st, 2013 | Mark Bedford | Comments Off on

Well, it is hard to believe that we are well into November, and what a month it has been. First there was the Adobe password debacle, in which 150 million email addresses, the passwords (stored encrypted with 3DES rather than hashed) and the password hints were exposed on the internet. Then there was Kiwicon, the New Zealand hacker conference in Wellington, where "AmmonRa" took us for a ride.

With the Christmas shopping season just around the corner many will be purchasing online, and there are the usual reminders. Things to watch out for are nicely organised in this SANS article by Lenny Zeltser.

While you are shopping, perhaps this Microsoft blog article from Holly Stewart will encourage you to finally ditch your old XP computer. A couple of noteworthy points in the article: XP is six times more likely to get infected than Windows 8, and when XP Service Pack 2 went out of support its infection rate rose to as much as 66% higher than that of the still-supported Service Pack 3. So plan now to buy your Windows 8 replacement computer before the old one gets infected.


Fake Dropbox password reset

Wednesday, October 23rd, 2013 | Mark Bedford | Comments Off on Fake Dropbox password reset

There are reports of a recent spam campaign that tries to trick Dropbox users into "resetting" their passwords but instead leads to malware. Dropbox, the popular cloud storage service, does sometimes reset users' passwords when they haven't been changed for a while. It does NOT send an advisory email about this, though; instead, the reset is required on its website before a new computer, phone, tablet or API app can be linked.

The spam has quite a convincing message along the lines of

Hello <user>
We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven;t changed long time already. Your old password has expired and you’ll need to create a new one to log in.

Please visit the page to update your password

Clicking on the link takes the user to a suspicious-looking page hosted under the .ru (Russia) domain that tries to pass itself off as a Microsoft site, offering several downloads for non-Microsoft browsers. All very suspicious.

So if you had followed our tips on how to detect phishing emails you would have caught on to their ruse and saved yourself some grief.
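The tell-tale sign in this spam was that the link did not go where it claimed to. As an added example, not from the original post, the Python below pulls the links out of a constructed HTML body modelled on the message above and flags any whose visible text names one host while the href points at another, or whose destination is not on the service's own domain (dropbox.com here). The hostnames are invented; the real campaign's .ru address is not reproduced.

```python
"""Added example: find links in an HTML email body that do not lead where they
claim to. The body below is constructed to resemble the message in the post;
the hostnames in it are invented."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body. Link 1 shows a dropbox.com URL but points elsewhere;
# link 2 is genuine; link 3 hides "dropbox.com" inside another host's name.
SAMPLE_HTML = """\
<p>Hello user</p>
<p>Your old password has expired and you'll need to create a new one to log in.</p>
<p>Please visit <a href="http://dropbox-reset.example.ru/update">https://www.dropbox.com/password_reset</a>
to update your password.</p>
<p>Help: <a href="https://www.dropbox.com/help">Dropbox help centre</a></p>
<p>Also see <a href="https://www.dropbox.com.example.ru/login">dropbox.com</a></p>
"""

# Link text that itself looks like a URL or a bare hostname.
URL_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL, or of bare text such as 'dropbox.com'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def on_domain(host, domain):
    """True only for DOMAIN itself or a real subdomain of it, so that
    'www.dropbox.com.example.ru' is not mistaken for dropbox.com."""
    return host == domain or host.endswith("." + domain)


def check_links(html, legitimate_domain):
    """Return one dict per link, with the reasons (if any) it looks wrong."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if URL_RE.match(text) else ""
        reasons = []
        if not on_domain(href_host, legitimate_domain):
            reasons.append(f"destination {href_host} is not on {legitimate_domain}")
        if text_host and text_host != href_host:
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
        results.append({"href": href, "text": text, "reasons": reasons})
    return results


if __name__ == "__main__":
    for link in check_links(SAMPLE_HTML, "dropbox.com"):
        verdict = "SUSPICIOUS" if link["reasons"] else "ok"
        print(verdict, link["href"], "; ".join(link["reasons"]))
```

The same check is what you do by hand when you hover over a link before clicking: compare the address shown in the status bar with the one in the text, and make sure the real host ends in the service's own domain rather than merely containing it.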

Patching Java

Monday, October 21st, 2013 | Mark Bedford | Comments Off on Patching Java

Oracle have settled on a quarterly patch cycle, not only for their database products but also for Java. I have yet to decide whether this is good or bad; I would really like to see a shorter update period, to reduce the time that an unpatched vulnerability exists in the wild. The release notes are here for 7u45.

The schedule is:
  • 14 January 2014
  • 15 April 2014
  • 15 July 2014
  • 14 October 2014

Cyber Attackers Access 72,000 Confidential Employee Details

Thursday, August 1st, 2013 | Mark Bedford | Comments Off on Cyber Attackers Access 72,000 Confidential Employee Details

On 22 July the University of Delaware was the target of a criminal attack on one of its systems. The criminals were able to steal files containing the names, addresses and other personally identifiable information of 72,000 past and present employees, including student employees. The University is working with the Federal Bureau of Investigation and Mandiant to determine the scope of the attack, having taken immediate corrective action. The University has indicated that the attackers exploited a vulnerability in software acquired from an unnamed vendor.


Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.