STE WILLIAMS

Microsoft: C’mon, you can trust us… look at our gov spook-busting plans

Email delivery: Hate phishing emails? You’ll love DMARC

Microsoft has detailed a three-pronged plan to encrypt customer data, improve transparency and fight harder in the courts not to have to hand over your data. The new plan is designed to restore customer trust after revelations of government snooping.

Microsoft has been stung into action in the wake of documents leaked by former National Security Agency sysadmin Edward Snowden indicating that the NSA and GCHQ had tapped into cables and intercepted sensitive network traffic running between its data centres.


According to the leaks, Microsoft’s Hotmail, Windows Live Messenger and Passport services were scanned by software called Monkey Puzzle, cooked up by hacker squads at GCHQ, as reported in a recent Washington Post piece.

The leak came a month after reports emerged alleging that the NSA was tapping Google and Yahoo!’s data centre interlinks. Two Google engineers then ripped into the NSA’s Project MUSCULAR, publishing sweary posts on Google+ denouncing the tactic. Brad Smith, Microsoft’s general counsel, described similar allegations in rather more measured terms as “disturbing” and a potential constitutional breach, if verified.

A foreign affair…

The NSA’s controversial PRISM web surveillance programme slurped internet communications and stored data of the customers of Microsoft, Google and Yahoo!, among others – although all of the firms protested they would only give up customer data after an order from the secret United States Foreign Intelligence Surveillance Court.

Nevertheless, PRISM has already made it harder for Microsoft to sell its cloud-based services outside the US and the latest revelations have made a tricky situation even worse.

Microsoft had already said it would strengthen encryption. A blog post by Smith on Wednesday sets out, for the first time, the details and a timescale for the rollout.

Microsoft is following Twitter’s lead by adopting Perfect Forward Secrecy* and 2048-bit key lengths to strengthen encryption of customer data. In addition, the links between its data centres will be encrypted, and customer content moving between users and Microsoft will be encrypted by default.

“All of this will be in place by the end of 2014, and much of it is effective immediately,” Smith promised.

We’ll challenge gag orders and notify customers

Smith also talked about reinforcing legal protections. “We are committed to notifying business and government customers if we receive legal orders related to their data,” he explained. “Where a gag order attempts to prohibit us from doing this, we will challenge it in court.”

This sounds like Microsoft will be more proactive about legally contesting surveillance orders rather than a new policy as such.

Finally the software giant wants to be more transparent. It is extending access to its long-standing program that allows government customers to review its source code by promising to build centres in Europe, the Americas and Asia.

Bootnote

*Perfect Forward Secrecy matters because without it, an attacker who has recorded copies of past encrypted sessions only needs to obtain the server’s long-term private key later (by theft, compulsion or a cryptanalytic break) to decrypt all of them and extract the passwords and data inside. With forward secrecy, each session is keyed from ephemeral values that are discarded once the connection ends, so a compromised long-term key does not unlock recorded traffic; it only lets the attacker impersonate the server in future connections. Twitter’s announcement when it adopted Forward Secrecy provides a useful primer for those interested in learning how the technique offers increased privacy.
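The difference the bootnote describes, shown as an added example rather than anything from Microsoft’s or Twitter’s deployments: a toy RSA key-transport handshake (the pre-PFS TLS_RSA pattern) beside a toy ephemeral Diffie-Hellman handshake authenticated by the same long-term RSA key, followed by what a passive eavesdropper can do with a recorded transcript once that long-term key leaks. The parameters (Mersenne primes, textbook RSA with no padding, SHA-256 as a stand-in KDF) are deliberately tiny and insecure so the script runs instantly; they are assumptions for illustration, not the sizes or schemes used in production.

```python
import hashlib
import secrets

# Toy parameters chosen so the example runs instantly. They are NOT secure sizes: a
# real deployment uses 2048-bit RSA keys (the size named in Microsoft's plan), a
# standard DH group (RFC 3526) or ECDHE curves, and padded RSA rather than textbook RSA.
DH_P = (1 << 127) - 1        # 2^127 - 1, a Mersenne prime (prime, but not a safe prime)
DH_G = 3
RSA_P = (1 << 61) - 1        # two more Mersenne primes, so n is about 150 bits
RSA_Q = (1 << 89) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # the server's long-term private key


def kdf(premaster: int, transcript: bytes) -> bytes:
    """Session key = H(shared secret || handshake transcript), as TLS-style KDFs do."""
    return hashlib.sha256(premaster.to_bytes(64, "big") + transcript).digest()


def sign(message: bytes) -> int:
    """Textbook RSA signature with the long-term key (toy: no padding scheme)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)


def verify(message: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h


def rsa_key_transport():
    """TLS_RSA style, no forward secrecy: the client picks the premaster secret and
    encrypts it to the server's static public key. Returns (client key, server key,
    what a passive eavesdropper records)."""
    client_random = secrets.token_bytes(32)
    premaster = secrets.randbelow(RSA_N)
    ciphertext = pow(premaster, RSA_E, RSA_N)
    transcript = client_random + ciphertext.to_bytes(32, "big")
    server_premaster = pow(ciphertext, RSA_D, RSA_N)
    return kdf(premaster, transcript), kdf(server_premaster, transcript), transcript


def dhe_handshake():
    """TLS_DHE style, forward secret: both sides use fresh ephemeral exponents, and the
    static RSA key only signs the server's share. Same return shape as above."""
    a = secrets.randbelow(DH_P - 2) + 1          # client ephemeral exponent
    b = secrets.randbelow(DH_P - 2) + 1          # server ephemeral exponent
    big_a = pow(DH_G, a, DH_P)
    big_b = pow(DH_G, b, DH_P)
    sig = sign(big_b.to_bytes(16, "big"))        # authenticates B; encrypts nothing
    if not verify(big_b.to_bytes(16, "big"), sig):
        raise ValueError("bad server signature")
    transcript = big_a.to_bytes(16, "big") + big_b.to_bytes(16, "big") + sig.to_bytes(32, "big")
    client_key = kdf(pow(big_b, a, DH_P), transcript)
    server_key = kdf(pow(big_a, b, DH_P), transcript)
    del a, b                                     # ephemeral secrets are discarded after use
    return client_key, server_key, transcript


def attacker_after_key_leak(mode: str, transcript: bytes, leaked_d: int):
    """What a passive recorder of `transcript` can do once the server's long-term private
    key leaks later (theft, compulsion or a factoring break). Returns the recovered
    session key, or None if the recording stays sealed."""
    if mode == "rsa":
        ciphertext = int.from_bytes(transcript[32:64], "big")
        premaster = pow(ciphertext, leaked_d, RSA_N)     # the recording decrypts outright
        return kdf(premaster, transcript)
    if mode == "dhe":
        # The transcript holds g^a, g^b and a signature, all public values. The leaked
        # key lets the attacker forge signatures, i.e. impersonate the server in FUTURE
        # handshakes, but recovering a or b from g^a or g^b is the discrete-log problem
        # the exchange rests on, so the recorded session cannot be opened.
        return None
    raise ValueError(mode)


if __name__ == "__main__":
    ck, sk, rec = rsa_key_transport()
    print("RSA key transport, recording decrypted after key leak:",
          attacker_after_key_leak("rsa", rec, RSA_D) == ck)     # True
    ck, sk, rec = dhe_handshake()
    print("DHE, recording decrypted after key leak:",
          attacker_after_key_leak("dhe", rec, RSA_D) == ck)     # False
```

The two handshakes derive identical keys on both ends, so the only thing that changes is what survives a key compromise: the RSA transcript contains the session secret under the long-term key, the DHE transcript does not. That is also why forward secrecy has to be paired with short session-ticket and key-rotation lifetimes, since anything that stores the derived session key (ticket encryption keys, for example) recreates the same exposure.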


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/05/ms_encryption_plans/

The Dinosaur In The Room

It’s no secret that Microsoft is mothballing Windows XP early next year. Officially dubbed the end of “extended support,” the retirement means that security updates will no longer be available. Naturally, this means that systems running XP will become increasingly insecure, as new vulnerabilities (or those that have been held in reserve by attackers) become available on the black market. It may seem easy to dismiss this concern out of hand if you’ve already migrated your workstations to later versions of Windows. But, in practice, the implications of the retirement extend far beyond the workstation.

Thanks to its stability and relatively light resource use, Windows XP has been the OS of choice for specialized systems for more than a decade now. POS systems, medical devices, inventory systems, and a plethora of other turnkey devices have been built around XP. The most security-conscious vendors will surely have a plan to address the retirement of the venerable OS. History tells us, though, that many vendors will ignore the problem, leaving their customers with devices — potentially used for critical business or patient care functions — that are completely exposed to new exploits.

While “embedded” versions of Windows XP present a threat from within an organization, the global install base of XP PCs represents a broader threat to the ecosystem. It’s already the case that Windows XP PCs that are not up to date have high infection rates. But there are plenty of XP users who do, in fact, make an effort to keep their systems patched. It’s safe to say that many of these users — who clearly don’t put much stock in upgrading to the latest OS every few years — will keep on using XP well after its retirement. As unpatched XP vulnerabilities become known within the criminal underground, we are likely to see an uptick in infected machines. More bots mean more spam, broader spread of malware, more phishing, and so on. Whether this will represent a significant enough change in the global bot population to make a noticeable difference remains to be seen, but it’s worth acknowledging the potential.

With these potential risks in mind, what can you do as an information security professional? First, perform a careful inventory of any devices throughout your organization that may be using Windows XP, especially those that are outside of the realm of your typical managed workstations. Talk with the vendors of those devices about their plans to secure the environment in the absence of Microsoft patches. Consider upgrading or retiring XP devices that will not be adequately secured. If that’s not an option, then consider additional security precautions (isolating devices, installing additional security software, etc.) that you can take to prevent the loss of confidentiality, integrity, or availability that could accompany a successful exploit.

This would also be a great time to educate your users about the retirement of Windows XP (and Office 2003, whose support is also ending in April) and its security implications. Many of your users (and their parents, friends, siblings) likely have old machines at home running one or both pieces of software. A simple email, flyer, or intranet post explaining what’s happening, what it means for security, and what users should do (i.e., get a new computer) is all it takes to help them improve their own security and contribute to the security of the Internet at large.

Article source: http://www.darkreading.com/sophoslabs-insights/the-dinosaur-in-the-room/240164462

Hardware Hacker Demos Zombie Drone Hijacker

Efforts to develop drones that can handle a number of routine tasks, such as restocking warehouse shelves or delivering parcels and pizza, keep garnering headlines. But what if hackers could hijack those unmanned aerial vehicles and turn them into “little zombie drones”?

In fact, that’s the promise of a newly announced drone-hijacking program called SkyJack, which was developed by privacy and security researcher Samy Kamkar.

“SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take over other drones within WiFi distance, creating an army of zombie drones under your control,” Kamkar said on his autonomous drone hacking project site.



Article source: http://www.darkreading.com/vulnerability/hardware-hacker-demos-zombie-drone-hijac/240164465

2 Million Stolen Accounts From Facebook, Twitter, Google, ADP, Found On Crime Server

Some 2 million pilfered user accounts mainly from Facebook, Yahoo, Google, and Twitter were found on a server hosted in the Netherlands.

The stolen accounts include 320,000 email account credentials; 41,000 FTP account credentials; 3,000 remote desktop credentials; and 3,000 Secure Shell (SSH) account credentials, according to researchers at Trustwave, who discovered the haul. Trustwave says the credentials, which cover logins for more than 93,000 sites, were harvested by the Pony botnet.

“The Pony malware is used to steal information: stolen credentials for websites, email accounts, FTP accounts, anything it can get its hands on. In this case, attackers planted the malware on users’ machines around the world and were able to steal credentials for websites such as Facebook, Twitter, Yahoo, and even the payroll provider, ADP,” says John Miller, security research manager at Trustwave.

It’s unclear just how the users were initially infected, but Miller says Pony’s typical M.O. is malicious spam with infected attachments or URLs. “There is no actual keylogging, though it does monitor HTTP traffic looking for requests that look like logins to websites,” he says. “The [stolen] passwords are in plain-text because it steals them from configuration files — which must be readable in order to use them — and during login transactions with Web services.”

The stolen ADP credentials are the most chilling find, however. “8,000 credentials from ADP were stolen and unlike the intrusion on the other sites, this could actually have serious financial repercussions. We informed ADP but we are not sure what their response policy entails,” Miller says.

Tom Cross, director of security research at Lancope, says while many of the stolen accounts found on the Pony server were from social networks like Facebook, Twitter, and LinkedIn, the attackers may have been after other more lucrative logins and passwords. “Attackers usually seek to compromise social network accounts because they provide a mechanism for further spreading their malware,” Cross says.

“In this case, however, the attackers appear to have collected some login information that has a direct financial value to a criminal. Logins for payroll service provider ADP could provide attackers with access to sensitive personal information that could be used to commit fraud. Logins for FTP, RDP and SSH services provide the attacker with control over servers on the Internet, which may also contain sensitive information,” he says.

Trustwave researchers were unable to pinpoint the location of the victims because the attackers used a reverse-proxy method to mask the command-and-control server. “The reverse proxy prevents us from identifying where the victims were located. The fact that the controller was hosted on a rented server in the Netherlands prevents us from confirming where the attackers are,” Miller says. He says he can’t confirm whether it was a Russian cybercrime gang behind the attack, either.

And while there were Russian-language . We cannot confirm that this attack was led by a Russian cybercrime group,” Miller says.

Trustwave posted a blog with more details here.


Article source: http://www.darkreading.com/attacks-breaches/2-million-stolen-accounts-from-facebook/240164477

mSpy app lets someone remotely snoop on you through your phone or tablet

We all know by now that the US’s National Stalker Agency – oh, excuse me, I meant to say National Security Agency (NSA) – eavesdrops on just about everybody on the planet.

Evidently, the UK is no better.

But surveillance by your own mother?

Nothing is sacred.

At any rate, that’s the takeaway you get after an eyeful of the mSpy application.

mSpy is a mobile surveillance application that runs on smartphones and tablets including iPhone, Android, BlackBerry, Symbian, iPad and Galaxy Tab devices.

Its marketing promises that users who install it on their phones can “remotely spy on text messages, call logs, and emails; track location, record surroundings, and more on smartphones and tablets.”

Not only that, it stealthily keeps tabs on calendar information; records conversations; determines GPS coordinates of the phone and shows the location of the target device on a convenient map.

Is that legal, you say?

Hahahahahahahahahahahaha! What an adorable question.

But yes.

Yes, it is legal, as long as the “target” is a child or an employee and the surveillance operator has informed the “target”.

From the company’s disclaimer:

My Spy (mSpy) is designed for monitoring your children, employees or others on a smartphone or mobile device that you own or have proper consent to monitor. You are required to notify users of the device that they are being monitored.

Its maker claims that the app is 100% undetectable by the device user, as a sales rep told The Next Web:

After complete installation the application runs in a stealth mode, so it is undetectable and completely invisible for the target phone’s user.

Physical access is required to install mSpy – which takes about 20 minutes – but not after that.

Your mom, your dad, your boss, or any random, creepy friend or stalker who got his or her hands on your mobile phone can remotely tweak the application’s settings at any time via a convenient control panel on any internet-enabled device.

If you find a shiny new gadget under the Christmas tree in December, you may well ponder whether your benefactor has slipped you an mSpy.

Here’s what the company says about determining whether somebody’s installed mSpy on your gadget:

It’s impossible.

Unlike other software of this kind, mSpy manages without SMS commands that appear in the message folder of the target mobile device to make the application work. The size of the activity data that gets uploaded to the server never exceeds 100kb and doesn’t get noticed by the owner of the target phone when their phone bills arrive. Moreover, the mSpy application boasts a battle-tested history of insignificant battery power consumption so that the target device works as usual. Thus, it is virtually impossible for the owner of the target phone to detect the mSpy software as it can be controlled online without conspicuous connection between the server and the target phone.

(Of course, if you have an Android, you could install Sophos Mobile Security which carries protection for Potentially Unwanted Applications (PUAs) like mSpy).

Are there legitimate reasons to conduct surveillance on people?

Of course. Data leakage from corporations is one such.

Employers who choose to do so should heed the company’s advice on the matter, though:

Using the mSpy cell phone tracking software for spying on employees suspected of company theft, fraud or lying is absolutely legal. Companies also have a legal right to monitor phones used in the course of conducting company business to ensure the devices are not being misused. Companies are obliged to notify employees on what type of cell phone usage is deemed acceptable. Please note that by informing staff before installing mSpy on their phones, and by having them accept this as part of using the company-owned devices you will ensure that the company will not run into any legal problems.

When it comes to monitoring employees, the buck doesn’t stop here with mSpy – it stops with the employer.

Like mSpy advises, employers should make sure they inform employees regarding what’s considered to be appropriate mobile device use for their role. Informing staff that they’re being monitored is also a prudent thing to do.

But what about monitoring children? Parents, do you already? If not, would you? If yes, then do your kids know they’re being monitored?

I wouldn’t do that to anybody, and the NSA doesn’t share with the likes of me, so you’re just going to have to tell us your thoughts in the comments section below.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/I7Htluw5sGw/

NSA sez NO to prez: Spooks ban Obama from using iPhones


US President Barack Obama, a well-known BlackBerry fan, has said that he’s not allowed to have an iPhone for “security reasons”.

In a speech at the White House promoting his healthcare changes to a youth audience, Obama said that he couldn’t use an iPhone, though he joked that his daughters seemed to spend a lot of time on theirs.


The President had to fight to hang onto his BlackBerry when he took office in 2009, since the NSA, which, as everyone now knows, knows a thing or two about slurping private information from personal devices, wanted him to stop using it.

He said that the government would have to “pry it out of my hands”, leading to the National Security Agency working with the manufacturer formerly known as Research in Motion to develop the BlackBerry One, a special one-off super-secure model for the president and his family to use.

Since then, BlackBerry’s fortunes have dwindled considerably and the company recently considered, but then discarded, plans to sell itself off. It’s now trying to stay viable by concentrating on large business and government clients, so it’s probably pretty happy to have such a high-profile fan.

Obama’s comments weren’t intended as a slight against Apple’s iDevices as such, but more as a way to signal that he was down with the kids – while also admitting he wasn’t all that familiar with how much they paid for their mobile phone bills.

“I don’t know what your bills are. I have noticed that Sasha and Malia seem to spend a lot of time on [the iPhone],” he said to laughter from his audience.

“My suspicion is that for a lot of you, between your cable bill, your phone bill, you’re spending more than 100 bucks a month. The idea that you wouldn’t want to make sure that you’ve got the health security and financial security that comes with health insurance for less than that price, you guys are smarter than that. And most young people are, as well,” he said, touting the benefits of his revamped healthcare system, known as Obamacare.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/05/obama_iphone_insecure/


SINET: Startups Push IT Security’s Envelope

WASHINGTON, D.C. – SINET Showcase 2013 – Keeping up with the bad guys means finding totally new ways to fight, and those new innovations are driving the creation of dozens of new security startups, experts said here today.

The Security Innovation Network (SINET), an organization devoted to developing information security companies, is holding its annual SINET Showcase here this week, providing an exhibition platform for 16 emerging companies selected last month. The chosen firms will have an opportunity to show their wares on Thursday and discuss their vision with top cyber security executives in government and commercial enterprises.

But Robert Rodriguez, chairman and founder of SINET, says the 16 exhibitors — chosen from some 115 startups that applied for the honor — are only the tip of the innovation iceberg.

“The traditional corporate debate of ‘build versus buy’ is no longer a debate. It’s a full-on buy market being driven by a dynamic attack environment. This market has to move quickly to keep up with the innovation on the dark side. The innovators can’t move fast enough.”

So far in 2013, there have been more than 230 deals done to fund emerging security companies, and nearly 80 new companies have been financed, Rodriguez reports. “There are so many great innovators out there,” he says. “Judging and choosing the top 16 was harder than ever this year.”

The SINET 16 includes a number of companies that already have become well known, including Bromium, Cylance, Damballa, Lookingglass, Nok Nok Labs, Pindrop Security, PhishMe, and ThreatMetrix.

But there also are several firms that have yet to make their public debut. Among them is Endgame Inc., which promises to “bring data science to cyber security to sense, analyze and act in real-time.” Company officials said the firm was not ready to be interviewed or discuss its products in detail.

Some of the other new names include ZanttZ, which creates “Shadow Networks” to detect and dampen the impact of advanced persistent threats (APTs); Appthority, which identifies and manages hidden risks in mobile apps; and Agari, which prevents unauthorized email.

Although some of the SINET 16 showcase exhibitors have been delivering products and services for more than a year, executives said the information security market is a tough one to break into.

“The biggest problem facing emerging companies in the security space is to clearly articulate their solution in a crowded and hype-filled space,” says Jamie Cowper, senior director of worldwide marketing and business development at Nok Nok Labs, which is working on a universal solution for user authentication. “Nok Nok Labs has a specific challenge in that we’re trying to fix a fundamental computing problem. It will take a comprehensive industry-wide effort to reduce the password problem and we’re just starting on that journey.”

Vijay Balasubramaniyan, CEO of voice fraud detection vendor Pindrop Security, agrees. “In general, credibility is the chief challenge for an emerging company and this is compounded in the security space by the lack of reference customers. Privately, they are happy to discuss you with peers, but publicly, they will rarely discuss.

“Specific to Pindrop are two challenges,” Balasubramaniyan says. “First, our technology is most applicable to large organizations like the top banks and government agencies. However, these organizations are relatively slow moving, which is challenging from a cash flow perspective, and they have higher demands for customization at every step of the process. Second, Pindrop is truly unique – so much so that organizations aren’t quite sure how to use [our products] or who should be in charge of purchasing them.”

“Attack and defense have always had an element of cat and mouse,” notes Allan Carey, chief marketing officer at PhishMe, which provides anti-phishing and social engineering education tools for enterprise users. “Emerging security companies struggle with staying nimble and innovative to address the most relevant threats, avoiding commoditization, and raising barriers to entry.”

A complete list of the SINET 16 can be found here.


Article source: http://www.darkreading.com/mobile/sinet-startups-push-it-securitys-envelop/240164447


Festive season security myth: "If there are no links in an email, it can’t be a phish."

Technological defences can help a lot in protecting you from phishing and fraud.

We’re sure you’re familiar with many of them: prompt patching, anti-virus scanners with regular updates, spam blockers, web filters, firewalls, and so on.

But you’ll also have heard us urging you not to use technology as a replacement for your own caution, intuition, perspicacity, street smarts, call it what you will.

In particular, if the computer fails to say, “Don’t do it,” that’s not an automatic invitation for you to say, “She’ll be right.”

Sometimes, she won’t be right, and the crooks will have enticed you into a final step you come to regret.

Keeping street smart online

That’s why we urge you to think before you click on links in unsolicited emails, especially if they are urging you to use the link to sign in to an online service.

That’s to protect you from phishing, where cybercriminals take you to a login screen that looks like the real deal but isn’t, causing you to give away your username and password to an imposter website.

We also urge you to be cautious of email attachments, especially if you weren’t expecting them.

That’s to protect you from booby-traps, where cybercriminals feed you a crafty file such as a document or image that is deliberately rigged up to crash your browser (or PDF reader, or multimedia player, or whatever) and sneakily infect you with malware.

So far, so good.

But what if you do open an innocent-sounding attachment, and everything seems OK – no exploit, no booby-trap, no drive-by malware install?

You didn’t click on any links in the original email, so perhaps you think that you’re past the stage of being phished, and are ready to let your guard down?

Don’t do that, not least because documents such as PDF files can contain clickable links, just like the HTML in an email or on a web page.

And if the email contains the attachment, and the attachment contains the link, then the rules of transitivity apply.

You may remember that from school – it sounds fancy but it isn’t: for example, if A is bigger than B, and B is bigger than C, then A is bigger than C.

In other words, if you click on a link in an attachment, and the attachment came in an email, you are effectively clicking a link in the email.

It’s easy to lose track of that fact, not least because when you launch an attachment, it usually opens in an application like Adobe Reader or Microsoft Word, not in your browser – giving you the feeling that you have left email and its related risks behind.

Link-free phishing emails

The crooks are aware of this cognitive disconnect, and here’s a perfect example that Savio Lau and his fellow threat researchers in SophosLabs Vancouver just spotted.

You receive an unsolicited email that’s supposed to be from a real estate company:

It’s not exactly the most believable invitation in the world.

(Reputable real estate agents wouldn’t make so many errors of grammar and formatting in such a short message. They probably wouldn’t say, “Hi.” And if they worked for RE/MAX in a managerial role, they’d know how to write the company’s name properly.)

But it contains no links, which seems like a good sign – if phishing needs links, then surely no links means no phishing?

Also, the attachment isn’t booby-trapped, and it contains real data, plus the ripped-off logo of a genuine real estate company:

Again, it’s not the most believable document, not least because you just vaulted from one realtor to another.

But by simply cutting and pasting from a genuine web page into a Word document, then printing that document to a PDF, the crooks have moved their clickable links out of the original email and into a file that opens in neither your browser nor your email client.

Better yet for the crooks, it all works equally well on Windows, Mac, Linux and even mobile devices.

If you click on one of the links in the PDF, you supposedly return to the real estate website, but you are asked to log in first:

You really shouldn’t fall for this, not least because Windows Live and the Hotmail brand were consigned to the scrapheap of history nearly nine months ago – you won’t have seen them anywhere official recently.

On the other hand, the idea of a site such as a real estate company piggy-backing its login process on an existing service provider – Facebook and Twitter are very popular for this – is surprisingly common these days.

And some PDF readers (Preview on OS X, for example) don’t make it easy to see where a clickable link is going to take you, a precaution you are probably used to in your browser.

Of course, if you do fall for the login dialog, you’re not just giving away your credentials to the crooks.

You’re revealing them to anyone sniffing the network between your PC and the server, because the crooks aren’t using HTTPS:

(Incidentally, in the fake login window above, clicking [Close] and [Sign in] have exactly the same effect: whatever is in the input boxes is sent unencrypted to the crooks.)

What to do

Technology would probably have saved you up front: a decent email filter or endpoint anti-virus would block the email or its attachment before you opened it, and a decent web filter would stop you clicking through from the PDF itself.
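As an added example (not code from the Naked Security article or from Sophos), here is a Python script that applies the transitivity rule above mechanically: it pulls every clickable link out of a message’s PDF attachments so they get the same scrutiny as links in the body, and it flags any that point at plain http://, where anything typed into a login form would travel unencrypted, exactly the weakness described for the fake Windows Live dialog. The message, the PDF and the hostnames (example.invalid, www.example.com) are all constructed for the demonstration. It goes a little beyond the single document in the article by handling both the literal and the hex-string form of a PDF /URI action and by inflating FlateDecode streams, where link annotations are usually stored.

```python
import base64
import email
import email.policy
import re
import zlib
from email.message import EmailMessage

# Link targets inside a PDF: the /URI action's literal string form "(...)" and
# its hex-string form "<...>".  Both are constructed regexes for this example.
URI_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)
URI_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')
# stream ... endstream bodies; the lookbehind stops "endstream" matching as "stream".
STREAM = re.compile(rb'(?<!end)stream\r?\n(.*?)\nendstream', re.DOTALL)
# Plain http(s) URLs in a text body.
PLAIN_URL = re.compile(r'https?://[^\s<>"\')]+')


def _decode_literal(raw: bytes) -> str:
    # Undo the PDF escape sequences that matter for a URL: \( \) and \\
    return (raw.replace(b'\\(', b'(').replace(b'\\)', b')')
               .replace(b'\\\\', b'\\').decode('latin-1'))


def pdf_links(data: bytes) -> list[str]:
    """Return every /URI link target in a PDF, including those inside FlateDecode streams."""
    chunks = [data]
    for m in STREAM.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, uncompressed content, etc.)
    found = []
    for chunk in chunks:
        found += [_decode_literal(m.group(1)) for m in URI_LITERAL.finditer(chunk)]
        for m in URI_HEX.finditer(chunk):
            hexdigits = re.sub(rb'\s', b'', m.group(1))
            if len(hexdigits) % 2:      # PDF pads an odd trailing digit with 0
                hexdigits += b'0'
            found.append(bytes.fromhex(hexdigits.decode('ascii')).decode('latin-1'))
    return list(dict.fromkeys(found))   # de-duplicate, keep first-seen order


def scan_message(raw_email: bytes) -> dict:
    """Collect links from the body and from every PDF attachment; flag plain-HTTP ones."""
    msg = email.message_from_bytes(raw_email, policy=email.policy.default)
    report = {'body_links': [], 'attachment_links': {}, 'plaintext_http': []}
    body = msg.get_body(preferencelist=('plain', 'html'))
    if body is not None:
        report['body_links'] = PLAIN_URL.findall(body.get_content())
    for part in msg.iter_attachments():
        name = part.get_filename() or '(unnamed)'
        payload = part.get_payload(decode=True) or b''
        # Decide by magic bytes, not by the file name or the declared MIME type.
        if payload.startswith(b'%PDF'):
            report['attachment_links'][name] = pdf_links(payload)
    all_links = report['body_links'] + [
        u for links in report['attachment_links'].values() for u in links]
    # A login form on plain HTTP sends the credentials in clear text.
    report['plaintext_http'] = [u for u in all_links if u.lower().startswith('http://')]
    return report


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: one link in a FlateDecode stream, one as a hex string."""
    link_obj = (b'<< /Type /Annot /Subtype /Link '
                b'/A << /S /URI /URI (http://login.example.invalid/signin) >> >>')
    compressed = zlib.compress(link_obj)
    return (b'%PDF-1.4\n'
            b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n'
            b'2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n'
            b'3 0 obj << /Filter /FlateDecode /Length ' + str(len(compressed)).encode()
            + b' >>\nstream\n' + compressed + b'\nendstream\nendobj\n'
            b'4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI '
            b'/URI <68747470733a2f2f7777772e6578616d706c652e636f6d2f> >> >> endobj\n'
            b'trailer << /Root 1 0 R >>\n%%EOF\n')


def build_sample_email() -> bytes:
    """Constructed phishing-style message: no links in the body, a PDF that carries them."""
    msg = EmailMessage()
    msg['From'] = 'agent@example.invalid'
    msg['To'] = 'you@example.invalid'
    msg['Subject'] = 'Hi, property listing attached'
    msg.set_content('Hi, please see the attached listing and contact us.')
    msg.add_attachment(build_sample_pdf(), maintype='application',
                       subtype='pdf', filename='listing.pdf')
    return msg.as_bytes()


if __name__ == '__main__':
    for key, value in scan_message(build_sample_email()).items():
        print(f'{key}: {value}')
```

The body scan comes back empty, which is the "no links, so no phishing" illusion; the attachment scan surfaces both links, and the plain-HTTP check singles out the login URL. A production filter would parse the PDF object structure properly (object streams, cross-reference streams, JavaScript and launch actions) instead of regex-searching the bytes, but this is enough to show that a link-free email is only link-free until you look inside its attachments.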

But the street smart advice we mentioned at the start would save you too:

  • Think before you click on links in unsolicited emails.
  • Be cautious of email attachments, especially if you weren’t expecting them.

And if you’re the go-to guy for IT amongst your friends and family, keep on reminding them this holiday season, won’t you?

Note. Sophos products detect and block the bogus attachment shown above as Troj/Phish-DC.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZdIiOYKySJM/