Archive
The Alphabet of Cyber Crime from APT to Zeus
If you need to know what Cyber Crime is but you are bored and fed up with the too many information security terms, loosing yourself among the acronyms, you have stumbled upon the correct place. I have just compiled a very special alphabet which collects the terms related to Cybercrime. Forgive me for some “poetic license” and enjoy this half-serious list.
A like APT
Yes, the Advanced Persistent Threats have been the undisputed protagonists of 2011. An APT is essentially an attack carried on with different vectors, different stages and on a distributed time windows (yes, it Persistent). APT are behind the most remarkable events of 2011 such as the RSA Breach, Stuxnet, and so on…
B like Botnet
Botnet are networks of compromised machines that are used by cybercriminals to perpetrate their malicious action. Tipically a compromised machine becomes part of a botnet where the master distributes the commands from a C&C Server. Command may include the theft of information or the attack to other machines.
C like Crime-As-A-Service
The last frontier of Cybercrime: why developing costly malware if you can find a wide offer of customizable malware on the black market offering help desk and support services?
D like DLP
Data Leackage (or Lost) prevention is a suite of technologies that may help organization to counter the theft of information by preventing misuse or leak of data while they are in use at the endpoint (DIU), in transit on the network (DIM), or simply it is an aggregated Dark Matter on the corporate servers (DAR) that needs to be indexed and cataloged (and possibly classified and assessed).
January 2012 Cyber Attacks Timeline (Part 1)
Click here for part 2.
New year, new Cyber Attacks Timeline. Let us start our Information Security Travel in 2012 with the chart of the attacks occurred in the first fifteen days of January. This month has been characterized so far by the leak of Symantec Source Code and the strange story of alleged Cyber Espionage revolving around it. But this was not the only remarkable event: chronicles tell the endless Cyber-war between Israel and a Saudi Hacker (and more in general the Arab World), but also a revamped activity of the Anonymous against SOPA (with peak in Finland). The end of the month has also reserved several remarkable events (such as the breaches to T-Mobile and Zappos, the latter affecting potentially 24,000,000 of users). In general this has been a very active period. For 2012 this is only the beginning, and if a good beginning makes a good ending, there is little to be quiet…
Browse the chart and follows @paulsparrows to be updated on a biweekly basis. As usual after the jump you will find all the references. Feel free to report wrong/missing links or attacks.
December 2011 Cyber Attacks Timeline (Part I)
As usual, here it is my compilation of December Cyber Attacks.
It looks like that Christmas approaching is not stopping hackers who targeted a growing number of organizations including several security firms (Kaspersky, Nod 32 and Bitdefender) even if in secondary domains and with “simple” defacements.
Cyber chronicles report of Gemnet, another Certification Authority Breached in Holland (is the 12th security incident targeting CAs in 2011) and several massive data breaches targeting Finland (the fifth this year, affecting 16,000 users), online gambling (UB.com affecting 3.5 million of users), Telco (Telstra, affecting 70,000 users), and gaming, after the well known attacks to Sony, Sega and Nintendo, with Square Enix, which suffered a huge attacks compromising 1,800,000 users (even if it looks like no personal data were affected).
Online Payment services were also targeted by Cybercrookers: a Visa East European processor has been hit by a security breach, but also four Romanian home made hackers have been arrested for a massive credit card fraud affecting 200 restaurants for a total of 80,000 customers who had their data stolen.
As usual, hacktivism was one of the main trends for this first half of the month, which started with a resounding hacking to a Web Server belonging to ACNUR (United Nations Refugees Agency) leaking more than 200 credentials including the one belonging to President Mr. Barack Obama.
But from a mere hactvism perspective, Elections in Russia have been the main trigger as they indirectly generated several cyber events: not only during the election day, in which three web sites (a watchdog and two independent news agencies) were taken down by DDoS attacks, but also in the immediately following days, when a botnet flooded Twitter with Pro Kremlin hashtags, and an independent forum was also taken down by a further DDoS attacks. A trail of events which set a very dangerous precent.
Besides the ACNUR Hack, the Anonymous were also in the spotlight (a quite common occurrence this year) with some sparse attacks targeting several governments including in particular Brazil, inside what is called #OpAmazonia.
Even if not confirmed, it looks like that Anonymous Finland might somehow be related to the above mentioned breach occurred in Finland.
Other interesting events occurred in the first two weeks of December: the 0-day vulnerability affecting Adobe products, immediately exploited by hackers to carry on tailored phishing campaigns and most of hall, a targeted attack to a contractor, Lockheed Martin, but also another occurrence of DNS Cache Poisoning targeting the Republic of Congo domains of Google, Microsoft, Samsung and others.
Last but not least, the controversial GPS Spoofing, which allegedly allowed Iran to capture a U.S. Drone, even the GPS Spoofing on its own does not completely solve the mistery of the capture.
Other victims of the month include Norwich Airport, Coca Cola, and another Law Enforcement Agency (clearusa.org), which is currently unaivalable.
As usual after the page break you find all the references.
November 2011 Cyber Attacks Timeline (Part II)
The second half of November has confirmed the trend seen in the previous report covering the first half of the month. The period under examination has confirmed a remarkable increase in Cyber Attacks from both a quality and quantity perspective.
Although the month has been characterized by many small attacks, several remarkable events have really made the difference.
Among the victims of the month, Finland deserves a special mention in this unenviable rank: the second half of the month has confirmed the emerging trend for this country, which suffered in this period two further breaches of huge amounts of personal data, for a global cumulative cost, computed on the whole month, around $25 million.
But Finland was not the only northern European country hit by cybercrookers (maybe the term cyberprofessionals would be more appropriate): Norwegian systems associated with the country’s oil, gas and energy sectors were hit with an APT based cyber attack resulting in a loss of sensitive information including documents, drawings, user names and passwords.
But once again the crown of the most remarkable breach of the month is placed upon the head of South Korea which suffered another huge data dump affecting users of the popular MMORPG “Maple Story” affecting theoretically 13 million of users, nearly the 27% of the Korean population, for an estimated cost of the breach close to $2.8 billion.
The list of affected countries this month includes also 243,089 Nigerian users, victims of the hack of Naijaloaded, a popular forum.
Microsoft has been another victim in this November, with a phishing scam targeting Xbox Live users. Details of the scam are not clear, although each single affected user in U.K. might have lost something between £100 and £200 for a total cost of the breach assimilable to “million of Pounds”.
November will make history for showing for the first time to information security professionals the dangers hidden inside the SCADA universe (and not related to Nuclear Reactors). The echo of Stuxnet and Duqu is still alive, but this month was the the turn of SCADA water pumps, that have suffered a couple of attacks (Springfield and South Houston), the first one allegedly originated from Russia and the second one from a “lonely ranger” who considered the answer from DHS concerning the first incident, too soft and not enough satisfactory. My sixth sense (and one half) tells me that we will need to get more and more used to attacks against SCADA driven facilities.
The Anonymous continued their operations against governments with a brand new occurrence of their Friday Releases, targeting a Special Agent of the CA Department and leaking something like 38,000 emails. Besides from other some sparse “small” operations, the other remarkable action performed by the Anonymous collective involved the hacking of an United Nations (old?) server, that caused personal data of some personnel to be released on the Internet.
November Special mentions are dedicated (for opposite reasons) to HP and AT&T. HP for the issue on their printers discovered by a group of Researchers of Columbia Univerity, which could allow a malicious user to remotely control (and burn) them. AT&T deserved the special mention for the attack, unsuccessful, against the 1% of its 100 million wireless accounts customer base.
In any case, counting also the “minor” attacks of the month, the chart shows a real emergency for data protection issues: schools, e-commerce sites, TVs, government sites, etc. are increasingly becoming targets. Administrators do not show the deserved attention to data protection and maybe also the users are loosing the real perception of how much important is the safeguard of their personal information and how serious the aftermaths of a compromise are.
As usual, references for each single cyber attack are reported below. Have a (nice?) read and most of alle share among your acquaintances the awareness that everyone is virtually at risk.
Related articles
- November 2011 Cyber Attacks Timeline (Part I) (paulsparrows.wordpress.com)
Anatomy Of A Twitter Scam
Do you remember Mobile Phishing and the related risks? Well This morning I had a bad surprise and could see it anction with my hands (or better with my fingers on the display of my Android Device).
This morning I woke up early (6 AM) since I previously arranged a travel to my hometown which takes approximately 4 hours. As usual I have the bad habit to check email upon awakening, directly from my Android device. This morning found a strange DM strange DM on my Twitter Account:
This made me laugh so hard when i saw this about you lol hxxp://t.co/AusOXeQ
I already exchanged some DMs in English with this contact, so, the content was not so strange (probably a similar message from an Italian contact would have received a different impact and triggered an alarm bell). Moreover I suppose my neurons were not completely up and running (actually they are rerely in this state), so a little bit for curiosity, a little bit for fun I clicked the link directly from my mobile device.
In the following screenshots you may realize how easy and dangerous for the user, mobile phishing is: as a matter of facts the link points to a bogus Twitter-like site, but, believe me, from a 3.7″ screen is really difficult to discriminate it.
The page is really similar to the real one:
But yes, if you look carefully at the address bar (but at the 6 AM with the sleep fog surrounding you is not so easy) you will notice a misplaced detail and it is the link (currently up): hxxp://www.ltwittier.com/session-verify (but not all the address is visibile on the bar). If you click on the text box the situation is even worse since the address bar, a default beaviour for the Android Browser, disappears.
Needless to say, if you login, your account will be hacked and your contacts will suffer the same fate.
This event shows how easy is to fall victim of phishing in case of mobile devices and, even worse, in case the bait comes from Social Network (and a professional social network how Twitter is for me, in which I trust the reputation of my contacts).
Always remember to check the links and be careful to follow strange links from mobile devices!
P.S.
If you point to the incomplete link: hxxp://www.ltwittier.com/ there is a clear evidence of the fact that the site is bogus:
http://paulsparrows.files.wordpress.com/2011/09/wronglink.png” alt=”" width=”300″ height=”494″ />
Finally I Saw One!
Update: F-Secure posted in their blog the complete description on how the patient 0 was found: And here it is the infamous “2011 recruitment plan message”.
Have a look to the fake sender: a message from beyond…
Original Post follows:
I am working hard for the August 2011 Cyber Attacks Timeline (stay tuned it is almost ready! Meanwhile you may check the previous ones) while I stumbled upon this very interesting article. Yes, I may say that finally I saw one of the Emails used for spear phishing attacks against RSA customers, using compromised seeds.
As you will probably know everything started on March 17, 2011, when RSA admitted to have been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being subtracted from RSA’s systems.
Of course the sole seed and serial number of the token (the alleged information subtracted) is not enough to carry on a successful attack, so the attacker (whose possible target were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is the username and the PIN. And which is the best way? Of course Spear Phishing!
And here the example of a fake spear phishing E-mail targeting one of the One of America’s Most Secret (and Important) Agencies and in the same Time RSA customers:
Likely the same attack vector was utilized against three Contractors (RSA Customers) which were targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3, and Northrop Grumman). What a terrible year for Contractors and DHS related agencies!
By chance today F-Secure revealed to have discovered the patient zero, that is the mail (“2011 Recruitment Plan”) used to convey the APT inside RSA. Someone (who decided to follow the best practices for anomalous e-mails) submitted it to Virus Total, a cloud based service for scanning files, and it looks like that F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.
Original Source of Spear Phishing E-mail: http://www.cyveillanceblog.com, Kudos to @yo9fah for reporting me the link.
Is Your Credit Card Stolen?
Are you an hardcore Playstation gamer hit by the infamous PSN Breach? (the infamous PSN Breach not the (In)famous PS3 hit… Or rather are you a Citi Card Holder afraid that your card, not yet replaced, has been compromised?
You can sleep peaceful sleep since you may check right now, for free, if your credit card has been compromised. Simply surf to:
http://www.ismycreditcardstolen.com/
Insert your Credit Card and check. All for free!
Done? Ok!, now click on the “About” link on the page to discover that this is a mere provocation done by some coders to educate users about the dangers of phishing which will revamp after the numerous breaches of sensitive data which are characterizing this 2011.
In any case better to be careful when playing with CC numbers, most of all from mobile devices… If you still have any concerns about the leakages by Lulzec and Anonymous, you can always check if your email addresses and passwords are safe…
Thanks to my colleague Massimo Biagiotti for reporting the CC link!
Related articles
- How To Buy A Stolen Credit Card (npr.org)
If Phishing Goes Mobile…
One of the most surprising things I noticed concerning the Lockheed Martin Affair, was the affirmation contained in the Reuters Article, made by Rick Moy, president of NSS Labs, indicating that the initial RSA attack was followed by malware and phishing campaigns seeking specific data to link tokens to end-users (an indirect evidence of the same authors behind the infamous RSA breach and the Lockheed Martin attack.
My initial surprise only lasted few seconds, since, this year is showing us a brand new role for the phishing attacks which are more and more targeted to steal corporate sensitive data, and constitute the first level of attack for Advanced Persistent Threats.
At first sight could be quite difficult to believe that users are still tricked by old-school phishing techniques, but a deeper analysis could show in my opinion, a possible (in part psychological) explanation relying on the fact that the users themselves are still used to think to phishing as something targeted to steal personal information (often with pages crafted with gross errors), and seems to be unprepared to face the new shape of phishing which targets corporate information with cybercrime purposes and industrial methods, which definitively means to perpetrate the attack with plausible and convincing methods, and most of all leveraging arguments the user hardly doubts about (I could doubt of an E-mail from my bank asking me to provide my account and credit card number, maybe, most of all in case I am not an infosec professional, I could feel more comfortable in providing my username to a (fake) provisioning portal of my Company).
But my information security beliefs are falling one after the other, and after reading this really interesting article by Adrienne Porter Felt and David Wagner of the University of California (the marvelous LaTeX layout!) I can only confirm that mobile devices will be next frontier of phishing.
According to this paper the risk of a success of a phishing attack on mobile devices is dramatically greater than traditional devices due to some intrinsic factors such as the smaller size of the screen, the fact that many applications embed or redirect to web pages (and vice versa some or web pages redirect to applications), the fact that mobile browsers hide the address bar, and most of all the absence of application identity indicators (read the article and discover how easily a fake native application can resemble completely a browser page) which makes very difficult to discover if a certain operation is calling a fake application on the device or it is redirecting the user to a fake application resembling a legitimate login form.
Moreover, the intrinsic factors are worsened by (as usual) the user’s behavior: as a matter of fact (but this is not a peculiarity of mobile devices), users often ignore security indicators, do not check application permissions and are more and more used to legitimate applications continuously asking for passwords with embedded login forms and. Last but not least I would add the fact that they are not still used to think to mobile applications as targets of phishing (Zitmo Docet).
Guess what are the ideal candidates for Mobile Phishing attacks? Easy to say! Facebook and Twitter since they are the most common linked applications used by developers to share their creations (the power of free viral marketing!).
Given the speed with which these devices are spreading in the enterprise (see for instance this GigaOM infographic), there is much to worry about in the near future. An interesting solution could be the operating system to support a trusted password entry mechanism. Will SpoofKiller-like trusted login mechanisms be our salvation as the authors of the paper hope?
Related articles
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- Mobile Phones Are Great for Phishers, Researchers Find (pcworld.com)
About The Author
Support My Work!
Share:
News
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
Visitors from…
