SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-08-07



Olympic Clicks

Published: 2008-08-07
Last Updated: 2008-08-07 21:05:09 UTC
by Mark Hofman (Version: 1)
0 comment(s)

You don’t have to be the oracle at Delphi to be able to predict that the next few weeks are going to be rife with attempts to phish, SPAM and scam with an Olympic theme. 

With the Olympics starting tomorrow, our users are going to start receiving themed emails with something extra. They will start receiving emails similar to the cnn.com top ten emails Daniel wrote about, but also messages from “news services”, Storm with Olympic-themed subjects, messages from Visa as Olympic sponsor, etc. They will all ask the recipient to click. So it is probably a good idea to remind your users of the dangers of the almighty click.

Now, whilst 15 lashes with the cane for the first person to introduce nasties might sound like a great idea, in most countries this is frowned upon. Likewise, the advice of “don’t click anything” is also likely to be ignored. So we will have to come up with some ideas that will help prevent people from becoming victims. Let’s arm them with some rules of clicking safely.

Don’t click any links when:

  • the email was sent by someone you do not know.
  • the email was sent by someone you might know, but whose name and email address do not match, e.g. sender: John Smith <Shjdyu@yahoo.com> or Albert Einstein <stacyB@hotmail.com>.
  • the email asks you to click a link to “verify” personal details, e.g. “please click the link below to verify your account details”.
  • the link looks funny, e.g. http://123.123.123.123/dhjeuaUhskw/special_surprise or www.notquite-the-banks-name.com.
  • the web page says you have
    • “won a laptop, click here to claim”,
    • “a virus/spyware, click here to download a program to fix it”,
    • “been selected as our lucky winner for .....”

If you have passed all of the above tests and you succumb to the urge to click, then before you click ask yourself some additional questions:

  • How certain am I that the email was sent by the sender?
  • Does the link match what I would expect it to be?  e.g.  www.xyzstore.com rather than www.xyzzstore.com
  • When you hover the cursor over the link, where does the browser say it will take you? e.g. hover your mouse over the following link, http://www.xyzstore.com: would this link take you somewhere “special”?
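As an added illustration (not part of the diary), here is a small Python filter that applies the link rules above to an HTML message body: it flags bare IP addresses, links whose visible text names a different site than the real target (what the hover check reveals), near misses of a domain the user actually deals with, and “verify your details” wording. The expected-domain list, the sample message and the 0.8 similarity threshold are assumptions made for the example.

```python
import difflib
import ipaddress
import re
from urllib.parse import urlparse

# Domains this user legitimately deals with (constructed for the example).
EXPECTED = {"xyzstore.com"}
ANCHOR = re.compile(r'<a\s[^>]*href\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)
VERIFY = re.compile(r"verify|confirm|update your (account|details)", re.I)

def host_of(text):
    """Lower-cased hostname of a URL or bare domain ('' if there is none)."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()

def check_links(html):
    """Return [(href, reason)] for every link that breaks one of the rules."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # visible link text only
        host = host_of(href)
        bare = host[4:] if host.startswith("www.") else host
        try:                                    # rule: a raw IP instead of a name
            ipaddress.ip_address(host)
            findings.append((href, "link points at a bare IP address"))
        except ValueError:
            pass
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host:             # rule: hover target != shown address
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        for good in EXPECTED:                   # rule: near miss of a known domain
            close = difflib.SequenceMatcher(None, bare, good).ratio() > 0.8
            if bare != good and not bare.endswith("." + good) and close:
                findings.append((href, f"{host} looks like {good} but is not"))
        if VERIFY.search(text):                 # rule: "click to verify your details"
            findings.append((href, "asks you to click to verify details"))
    return findings

# Constructed sample message; four findings come out of the links below.
SAMPLE = """<p>Dear customer,</p>
<a href="http://123.123.123.123/dhjeuaUhskw/special_surprise">Olympic ticket offer</a>
<a href="http://www.xyzzstore.com/login">please click here to verify your account details</a>
<a href="http://www.notquite-the-banks-name.com/">www.xyzstore.com</a>
<a href="http://www.xyzstore.com/olympics">XYZ Store Olympic specials</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE):
        print(f"DON'T CLICK {href}: {reason}")
```

The last link in the sample is the genuine store and produces no finding; a user-facing warning is only as good as the expected-domain list it is fed.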

So these are some of the examples I could think of to help educate my users. If you have some that I can add, please send them in.

As for system admins and security folks, in the next three weeks you might want to make sure that your AV is up to date, your SPAM engines are working properly, web traffic is filtered and you watch your logs for connections to weird places, keeping in mind that until August 24 some parts of China are not going to be weird places. You might even consider doing what I have done at a few sites, which is to whitelist the official Olympic sites and block the rest.

Just to get into the spirit of things, Go Aussie Go! (and Kiwis too). ;-)

Cheers

Mark H - Shearwater


Cleanup in aisle 3 please. Asprox lying around

Published: 2008-08-07
Last Updated: 2008-08-07 14:43:56 UTC
by Mark Hofman (Version: 1)
0 comment(s)

Whilst looking for something completely different, I came across our old friend Asprox. See the previous diary from Marc.

It seems that a lot of the domains used by this are still, or again, active, typically using fast flux. The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js. This links to an IP address (still up) where a CGI script starts the road of pain.

Doing a quick search using our friend Google, I ended up with 1,470,000 sites that are currently infected. About 591,000 or so are b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest is a mixture of active and inactive links.

The high number of infected sites points to a couple of issues. 

  1. Sites are compromised and nobody notices.
  2. Sites that are infected are not cleaned up.

The number of infected sites is high, but the sky is not falling. However, if you have a spare few minutes, do the following Google search, replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search).

   site:yoursite    "script src=http://*/""ngg.js"|"js.js"|"b.js"

If the search returns results, you have some cleaning to do.
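The same check can be run against your own web content instead of relying on Google's index, which only shows what it has crawled. The Python script below is an added example, not from the diary: it looks for script tags that pull one of the file names listed above from a host other than your own, and reports the line they sit on. The allowed-host list, the file extensions scanned and the sample page (which uses RFC 5737 documentation addresses) are assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Script names the diary says the Asprox injection loads.
ASPROX_NAMES = {"ngg.js", "fgg.js", "b.js", "js.js"}
# Hosts that legitimately serve this site's scripts (constructed placeholder).
OWN_HOSTS = {"www.example.org", "example.org"}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?\s*([^\"'\s>]+)", re.I)

def find_injections(html, own_hosts=OWN_HOSTS):
    """Return [(line_no, src)] for script tags that load an Asprox file name from elsewhere."""
    hits = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if host and host not in own_hosts and name in ASPROX_NAMES:
            hits.append((html.count("\n", 0, m.start()) + 1, src))
    return hits

def scan_tree(root, exts=(".html", ".htm", ".php", ".asp", ".aspx")):
    """Walk a web root and map each affected file to its injected tags."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed page: two injected tags (hosts are RFC 5737 documentation addresses)
# next to the site's own scripts, which must not be reported.
SAMPLE = (
    '<html><head>\n'
    '<script src="/js/menu.js"></script>\n'
    '<script src=http://192.0.2.10/ngg.js></script>\n'
    "</head><body>Welcome<script src='http://www.example.org/b.js'></script>\n"
    '<div><script type="text/javascript" src="http://203.0.113.5/cgi/js.js"></script></div>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for line_no, src in find_injections(SAMPLE):
        print(f"line {line_no}: injected script {src}")
```

Asprox injected the tag into database content, so run scan_tree over exported templates and dumps as well as the static web root.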

I did a quick breakdown of infected sites:

  .gov     -   238        .com     - 474K
  .gov.au  -   927        .org     - 79.9K
  .gov.uk  - 2,930        .com.au  - 19.5K
  .gov.cn  -   34K        .co.uk   - 19.3K
  .gov.za  -   424        .ca      - 13.1K
  .gov.br  -   263

I'll let you know next week if things are getting better or worse.

Happy cleaning.

Mark
