“Thy sin’s not accidental, but a trade.” (from Measure For Measure)
Getting bombarded by phishers is no fun, but sometimes these communications offer some comic relief. This posting is dedicated to the anguished English and linguistic jewels they produce. May the tormented ghost of Shakespeare continue to sabotage their exploits.
Here are my top ten favorites:
1. Starting the message in one language and then switching to another as in “Dear Cliente,”
2. Getting subject verb agreement wrong as in “Your account just make…”
3. Poor punctuation as in “Due to concerns, for safety and the integrity…”
4. Nonsense content as in “Most of your date in our database were encrypted…”
5. Poor formatting as in missing a space after a period.that’s right.
6. Wrong capitalization as in “This is the Last reminder…”
7. Poor grammar as in “If this message sent as Junk or Spam, its just an error…”
8. Excessive use of exclamation marks as in “Update Required!!”
9. Poor spelling as in “It has come to out [our] attention that…”
10. Failure to do basic arithmetic accurately as in “$254.99 + $20.00 = $374.99”
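As an added illustration (not part of the original post), a small Python checker that turns several of these tells into detection heuristics and runs them over a constructed message stitched from the quotes above; the foreign-salutation list and the regular expressions are my own assumptions, and a real filter would combine such tells with header and URL checks rather than rely on them alone.

```python
import re
from decimal import Decimal

# Assumed: a short list of salutation words from other languages seen in English mail.
FOREIGN_SALUTATIONS = {"cliente", "kunde", "client", "utente", "klant"}

def strip_addresses(text):
    """Drop URLs and e-mail addresses so their dots do not trip the spacing check."""
    return re.sub(r"\S*(://|@|www\.)\S*", " ", text)

def bad_arithmetic(text):
    """True if any '$A + $B = $C' claim in the text does not add up (item 10)."""
    money = r"\$([\d,]+\.\d{2})"
    for a, b, c in re.findall(rf"{money} \+ {money} = {money}", text):
        to_dec = lambda s: Decimal(s.replace(",", ""))
        if to_dec(a) + to_dec(b) != to_dec(c):
            return True
    return False

def linguistic_tells(text):
    """Return the set of tells present; each name maps to an item in the list above."""
    body = strip_addresses(text)
    tells = set()
    m = re.search(r"\bDear (\w+)", body)
    if m and m.group(1).lower() in FOREIGN_SALUTATIONS:
        tells.add("mixed_language_salutation")      # item 1
    if re.search(r"[a-z]\.[a-zA-Z]", body):
        tells.add("missing_space_after_period")     # item 5
    if "!!" in body:
        tells.add("excessive_exclamation")          # item 8
    if re.search(r"\bits (just|an?|not)\b", body):
        tells.add("its_for_it's")                   # item 7
    if bad_arithmetic(body):
        tells.add("bad_arithmetic")                 # item 10
    return tells

# Constructed sample stitched from the fragments quoted above.
SAMPLE = (
    "Dear Cliente,\nYour account just make an unusual payment.that's right. "
    "Update Required!! Amount due: $254.99 + $20.00 = $374.99\n"
    "If this message sent as Junk or Spam, its just an error."
)
```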
© Copyright 2016 Yaacov Apelbaum, All Rights Reserved.
The Anti-Virus Offer from Hell
Several weeks ago, my wife was searching online for the words to one of Shel Silverstein’s poems. With the Internet within closer reach than the bookshelf in our den, she went to Google and typed in the key words “shel silverstein pancakes,” and within 0.32 seconds got several matching results (Image 1).
Image 1: Google Search Results
She clicked on one of the top results on the first search page and almost instantly got prompted by a message box (Image 2) indicating something to the effect that her computer contained various signs of viruses and immediately needed to be examined. It then offered an option to perform a security scan.
Image 2: Infection Warning
We keep our OS well patched and the anti-malware software up to date, so she decided to decline the offer and clicked the Cancel button. The message box went away, but then another screen popped up telling her that her system was being scanned for viruses. Thinking that she might have clicked the OK button by mistake, she waited for the scan results.
Image 3: Infection Warning
When the scan was complete (within 15 seconds or so), she was informed that her computer indeed had been infected with several nasty viruses (Image 3) and that she would need to download and install the offered security program in order to remove these viruses (Image 4).
Image 4: Malware Download Dialog Box
At that point, she realized that the malware itself was communicating with her and trying to install itself on her machine. She clicked the Cancel button in the dialog box, but instead of terminating the installation she was taken back to the first message box, which told her again that her computer showed various signs of viruses and needed to be examined. Essentially, she was trapped in a loop, unable to close the browser. After another round of scans and cancellations, she decided to bring up the Task Manager and terminate the process from there.
Several days later during dinner, she happened to mention her run-in with the malware, and I made a sly comment that these are the rewards we reap for hanging around dubious websites. She took offense. “Dubious web sites?” she said, mocking me, “this was the fourth entry on the first search results page of Google. How ‘dubious’ can that be?”
I found it hard to believe that the writers of the malware were clever enough to sneak past the Google filters and make it to the top of the first search results page. I executed the same search she had run just a day earlier. My search results were almost identical, but ironically her malware link had by then moved a step up in relevance.
Instead of clicking on the link, I copied its URL and went directly to the website (Image 5).
Image 5: Actual page with download link and keywords
The web site turned out to be a newsgroup called derkeiler.com, which is one of the most popular and most heavily advertised mailing list archives on the net. Looking closer at the page, I found the following:
1. At the top was the bold title “SHEL SILVERSTEIN”
2. Below the title was a bogus poster name in the format of email@example.com
3. Next was a link which activated the malware download script.
4. Finally at the bottom of the page was an extensive list of hundreds of keywords that were associated with the works of Shel Silverstein.
I looked at the parent directory page and found a long list of dated directories (Image 6).
Image 6: Parent Directory (note heavy commercial advertising)
Each one of these directories contained dozens of linked entries. After randomly clicking on about 30 links, I determined that most of them were identical to the Shel Silverstein page (Image 5) in content, layout and malware activation functionality. I checked several other public newsgroups and “personal” web sites for comparison. It appeared that there was indeed a method to this madness.
Image 6: Sample directory contents with links to malware download
So what does it all mean? Well, the modus operandi seems to be as follows:
1. The creators of the malware install the program on a large number of personal websites (some have been breached and others are dedicated). One example is Rosuto Samurai, which was allegedly created to support fantasy gaming but in reality never had any content besides the malware.
2. They then proceed to automatically create hundreds of pages on highly popular topics (such as iPod, Shel Silverstein or movies) in newsgroups and mailing lists, each of which contains a link to the malware download website.
3. Each of the pages also includes a large list of keywords (generated by some machine learning process) that are associated with the topic. The purpose of the keyword list is to increase the page’s radar signature for the search engine spiders.
4. The search engines find these individual topic pages, traverse the keyword list and algorithmically determine that all the words are related. They also see the hyperlinks and postings on each page (which makes them appear like miniature websites) and as a result assign them a top rating—which to the user, translates as top hits in topic search results.
The outcome of this strategy is cheap and effective SEO penetration and viral dissemination of viral contents (no pun intended) via top search results.
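As an added example (not code from the post or from derkeiler.com), a Python heuristic that checks a fetched page for the three layout signals listed above: a placeholder poster address, a link to an executable download, and a text body dominated by a punctuation-free keyword dump. The extension list, the 60% threshold and the sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class _PageExtractor(HTMLParser):
    """Collect the visible text fragments and the link targets of a page."""
    def __init__(self):
        super().__init__()
        self.fragments, self.links = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]
    def handle_data(self, data):
        if data.strip():
            self.fragments.append(data.strip())

DOWNLOAD_EXT = re.compile(r"\.(exe|scr|msi|zip|rar)(\?|$)", re.I)   # assumed list

def keyword_block_ratio(fragments):
    """Share of all words sitting in long fragments with almost no sentence punctuation."""
    total = stuffed = 0
    for frag in fragments:
        n = len(frag.split())
        total += n
        if n > 30 and frag.count(".") < n / 50:   # a keyword dump, not prose
            stuffed += n
    return stuffed / total if total else 0.0

def assess_page(html):
    """Return the three signals the page layout above exhibits; thresholds are assumed."""
    p = _PageExtractor()
    p.feed(html)
    text = " ".join(p.fragments)
    return {
        "placeholder_poster": bool(re.search(r"\b\w+@example\.(com|net|org)\b", text)),
        "executable_download": any(DOWNLOAD_EXT.search(h) for h in p.links),
        "keyword_stuffing": keyword_block_ratio(p.fragments) > 0.6,
    }

# Constructed samples: the poisoned one mimics the layout described above (title,
# bogus poster, download link, long machine-generated keyword tail).
KEYWORD_TAIL = " ".join(f"silverstein{i}" for i in range(200))
POISONED = (
    "<h1>SHEL SILVERSTEIN</h1><p>Posted by email@example.com</p>"
    '<a href="http://download.invalid/setup.exe">Download the poem collection</a>'
    f"<div>{KEYWORD_TAIL}</div>"
)
BENIGN = (
    "<h1>Where the Sidewalk Ends</h1><p>Posted by a real member.</p>"
    '<a href="/thread/42">Reply</a><p>Found it in the library. Great poem.</p>'
)
```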
Another interesting observation—which is not without its irony—is that large vendors such as Microsoft are completely unaware of this practice and are aggressively purchasing advertising space on these sites (including ads for their security products). Clearly, this is being done without the realization that they are actually sharing living space with some of the most aggressive malware distribution centers.
Stay tuned: in a future posting we will dive deeper to see who is actually developing and marketing this malware.
Quis Custodiet Ipsos Custodes?
© Copyright 2010 Yaacov Apelbaum All Rights Reserved.
Mata Hari and Friends (Robert Hanssen and Aldrich Ames)
Over the years, I’ve had this recurring conversation/argument with security technologists regarding the trust lifecycle. The crux of it revolves around how you go about effectively assigning, monitoring and adjusting individual trust levels. Most of us, when questioned about trust, will tell you that it’s made up of behavioral elements like:
- Acting with honesty and integrity
- Not having hidden agendas
- Maintaining open communication
- Keeping your promises
- Meeting your obligations
- Looking out for other people’s interests
Indeed, these are all virtuous traits, but how do we use them in designing a complex security infrastructure? After all, it’s hard to code a function that will check if a user has a hidden agenda. In order for these social concepts to be of any use, we need to understand the nature of trust; we must go “Beyond Good and Evil”. Under the microscope, trust exhibits the following four characteristics:
- It’s transferable—we assign a higher degree of trust to individuals who come recommended by people we already trust.
- It’s inheritable—we tend to trust a relative of a trusted friend.
- It’s socially derived—we tend to trust individuals who share our cultural heritage.
- It’s cumulative—we tend to increase our trust levels in individuals who previously have proved themselves trustworthy.
These evaluation criteria (which, interestingly enough, are essentially deterministic Turing tests) work very well in social relationships, but frequently fail in complex security infrastructures. The source of the problem is that most of us instinctively tend to classify the world into “friend”, “foe” or “unclassified TBD” categories. We also like to believe that once categorized, the subject in question will continue indefinitely to conform to our classification. This simplistic tendency is hard-wired into our evolutionary decision-making process and to a large degree also forms the basis for many irrational behaviors like anti-Semitism.
After conducting quite a few security sweeps and post mortems, I have come to conclude that most individuals—given the right opportunity and enough curiosity—could spontaneously flip the color of their “hat”.
The concept of credential-based security (that is, non-expiring clearance) is reminiscent of cheese, especially the cheap Swiss variety, the one with too many holes. Now, don’t get me wrong, I have the same tolerance for curious mice as the next guy, but the text books are full of big rats that were—paradoxically—supposed to guard the cheesy comestibles, not eat or sell them! Recall that Aldrich Ames, Robert Hanssen and Kim Philby, just to name a few, each had the highest top-secret clearance and all the right personal and social attributes.
So ultimately, it’s not the rogue, external, blood-thirsty anarchists or money-hungry crackers one needs to worry about. Rather, it is the trusted senior employees responsible for the daily maintenance, administration and security of the corporate resources. This could run the gamut from as high as the CISO who spies on the CEO’s e-mail all the way down to the DBA who is running Select statements on the HR comp database.
The lesson that I have learned from all of this is that most people, regardless of how trustworthy they seem, cannot be completely trusted at all times.
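As an added illustration (not the author’s code), a small Python model of the trust lifecycle the post argues for: trust that is transferred by a recommendation, accumulates with verified behaviour, decays when no fresh evidence arrives instead of living forever as a clearance bit, and is withdrawn on an out-of-role act. The half-life, threshold and vouching factor are assumed values, and the DBA walk-through is a constructed scenario.

```python
HALF_LIFE_DAYS = 90.0        # assumed: trust halves after 90 days without fresh evidence
PRIVILEGED_THRESHOLD = 0.7   # assumed: minimum trust for sensitive operations
VOUCH_FACTOR = 0.6           # assumed: a recommendation carries 60% of the voucher's trust

class TrustLedger:
    """Trust as a decaying, evidence-driven score rather than a non-expiring clearance bit."""
    def __init__(self):
        self._state = {}  # subject -> (score, day of last positive evidence)

    def assign(self, subject, score, day):
        self._state[subject] = (min(max(score, 0.0), 1.0), day)

    def current(self, subject, day):
        """Exponential decay: silence erodes trust, so clearance has to be re-earned."""
        if subject not in self._state:
            return 0.0
        score, last = self._state[subject]
        return score * 0.5 ** ((day - last) / HALF_LIFE_DAYS)

    def vouch(self, voucher, subject, day):
        """Transferable and inheritable: trust flows from a recommender, discounted."""
        self.assign(subject, VOUCH_FACTOR * self.current(voucher, day), day)

    def good_evidence(self, subject, day):
        """Cumulative: each verified good act moves trust a tenth of the way toward 1.0."""
        t = self.current(subject, day)
        self.assign(subject, t + 0.1 * (1.0 - t), day)

    def anomaly(self, subject, day):
        """Reclassify on evidence: an out-of-role act (the DBA in HR comp) ends the 'friend' label."""
        self.assign(subject, 0.0, day)

    def permitted(self, subject, day):
        return self.current(subject, day) >= PRIVILEGED_THRESHOLD

def dba_scenario():
    """Constructed walk-through: vouched in, earns trust, goes quiet, then acts out of role."""
    ledger = TrustLedger()
    ledger.assign("ciso", 0.9, day=0)
    ledger.vouch("ciso", "dba", day=0)                 # starts at 0.54, not yet privileged
    for day in range(1, 11):
        ledger.good_evidence("dba", day)                # ten clean daily audits
    earned = ledger.permitted("dba", 10)                # True: trust accumulated to about 0.81
    lapsed = ledger.permitted("dba", 60)                # False: fifty quiet days decayed it
    ledger.anomaly("dba", 60)
    return earned, lapsed, ledger.current("dba", 61)    # (True, False, 0.0)
```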
And you can trust me on this one.
© Copyright 2008 Yaacov Apelbaum All Rights Reserved.