The Security Pub

Random Thoughts About Security

Zeus Trojan being spread through an IRS Scam

There is another Internal Revenue Service (IRS) scam spreading across the internet and landing in users' mailboxes. This scam, however, is different from the one that circulates during tax season. What makes this campaign particularly ugly is that the malware accompanying the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software breaks into bank accounts and drains them of money as part of a widespread financial fraud scheme.

Here are some tips to help identify the scam:

  • All IRS web page addresses begin with http://www.irs.gov. Phishing/scam emails will use a different address, for example http://ww4.irs.com. You can mouse over the link to see where it leads, but whatever you do, don’t click on it!
  • Do not follow unsolicited web links in email messages. Clicking a link in a phishing/scam email typically takes you to a fake website. The phishing site is designed to look just like the company’s real website.
  • If you receive a suspicious email, we recommend you simply delete it or contact system support or a security administrator.
  • Look for signs of security. Real corporate websites use secure, encrypted web pages any time their customers are asked to send personal and financial information over the internet.
    • Look for https:// in the web address. The “s” stands for “secure”.
    • Also, look for a locked padlock icon in the lower part of your browser window. The locked padlock icon indicates the site is encrypted, which means your data is protected when you send it over the Internet. If you don’t see these signs, then the site could be a scam.
    • Most phishing/scam messages contain typos.
    • Look at the copyright line at the bottom of the message. If it states “Internal Revenue Service U.S.A.”, this is clearly incorrect, because “U.S.A.” is not printed at the end of government correspondence for any agency.

These spam emails contain a subject line of “Notice of Underreported Income.”

If users follow a link in the spam or open an attachment they get infected with the Zeus Trojan.
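As an added example (not from the original post), a small Python check that applies the tips above to a message: it flags the known subject line, any link whose host is not actually under irs.gov (a plain substring match would accept lookalikes such as ww4.irs.com), IRS links that are not HTTPS, and the bogus “U.S.A.” copyright line. The sample message is constructed to resemble the campaign described.

```python
import re
from urllib.parse import urlparse

# Subject line the post says this campaign uses.
SUSPICIOUS_SUBJECT = "notice of underreported income"
# The only domain the IRS uses; any other host is a red flag.
LEGIT_DOMAIN = "irs.gov"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_irs_host(host):
    """True only for irs.gov itself or a real subdomain of it.
    Comparing the registrable suffix rejects lookalikes such as
    ww4.irs.com or irs.gov.example.net."""
    host = host.lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def check_message(subject, body):
    """Return a list of human-readable red flags for one email."""
    flags = []
    if SUSPICIOUS_SUBJECT in subject.lower():
        flags.append("subject matches the known IRS scam campaign")
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")          # drop trailing punctuation
        parts = urlparse(url)
        host = parts.hostname or ""
        if not is_irs_host(host):
            flags.append(f"link host {host!r} is not under irs.gov: {url}")
        elif parts.scheme.lower() != "https":
            flags.append(f"IRS link is not HTTPS: {url}")
    if "internal revenue service u.s.a." in body.lower():
        flags.append("copyright line 'Internal Revenue Service U.S.A.' "
                     "is not used on government correspondence")
    return flags


# Constructed sample message, modelled on the campaign the post describes.
SAMPLE_SUBJECT = "Notice of Underreported Income"
SAMPLE_BODY = """Taxpayer ID: 1234-5678
Please review your tax statement at http://ww4.irs.com/statement.
Copyright Internal Revenue Service U.S.A."""

if __name__ == "__main__":
    for flag in check_message(SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", flag)
```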

CERT advisory here.


PCI SSC Community Meeting Notes from Las Vegas

PCI SSC Community Meeting Day 1

I was in Las Vegas last week with close to 650 people who enjoy PCI as much as I do. :)  The PCI Community is made up of over 500 participating organizations, 203 QSA firms, 145 ASVs, and 8 PED labs.

So the PCI Council is in its feedback phase, soliciting feedback from all parties on the DSS (and PA-DSS) and on how it should be updated to provide clarification, be expanded, or otherwise be revised. The next revision of the PCI DSS is scheduled for October 2010. Here are some highlights from the sessions on day 1.

Verizon enlightened everyone with highlights from their 2009 Data Breach Investigations Report. The message reinforced that most companies are not prepared for the threats that continue to compromise systems every day. I was very surprised to hear that most of the companies breached did not have an incident response plan in place. So how did they ever get a compliant Report on Compliance (ROC)?

The next presentation came from PricewaterhouseCoopers. The Council retained PwC to investigate and report on emerging payment technologies that could impact PCI. PwC identified 12 possible technologies and focused primarily on 4 for further investigation. These were:

  • end-to-end encryption
  • mag stripe imaging
  • tokenization and
  • virtual terminals.

It was reiterated during the presentation that none of these is a silver bullet, because of the business challenges of using these technologies.

The bottom line, and my personal opinion, is that these technologies will shift the burden of PCI compliance from the merchants to the processors, service providers, or acquirers. The downside for the merchants is that they will pay more to make this shift.

The day was closed with a summary from the 4 Special Interest Groups (SIGs).

  • The Pre-Authorization Data SIG has made recommendations to the Council, and the Technical Working Group is starting its review. There can be implications for recurring payments, hospitality/hotels, travel, and of course petroleum retailers with all those wonderful self-serve gas pumps.
  • The Virtualization SIG is working on a phased set of releases due to the changing nature of this technology. In January 2010 we should see a draft white paper defining issues and risks, and maybe some case studies. They are also planning to develop a mapping tool that will identify how each requirement of the PCI DSS applies to virtualization.
  • The PCI Scoping SIG is just getting started. At the other end of the spectrum is the Wireless SIG.
  • The Wireless SIG issued their report on wireless which can be obtained from the PCI website, and this SIG is now gearing up to look at Bluetooth implementations next.

PCI SSC Community Meeting Day 2

Former Representative Tom Davis spoke about federal legislation addressing cyber security. Mr. Davis pointed to the complicated legislative process in Congress and the lower approval ratings of the President, who might support such legislation. Barring a crisis such as a “cyber Pearl Harbor”, it is unlikely that the many House and Senate committees with jurisdiction will act on statutory changes.

The second presentation on day two was the report from the PIN Transaction Security working group. What I took away from this presentation is that if you are looking at purchasing or installing any kind of unattended payment terminal (UPT), such as a parking lot or ticketing kiosk, or any other kind of device that accepts PINs, whether attended or not, make sure the vendor hardware is compliant and listed. Also know that there are a lot of products, and many vendors, whose devices are not compliant. So before you make any decisions, verify on the PCI Council’s website whether the device and vendor have been approved.

Over the two days of meetings there were a few sessions that allowed merchants, vendors, and QSAs to provide feedback to the Council. The Council will be posting the presentations and recordings on the website, but I suspect it will be a few weeks before they are available.

Twitter Used by Hackers

There are many legitimate uses for social networking sites. I have heard of some neat processes that use Twitter for security incident notifications and Facebook to market products and services. But cyber criminals are also using these social networking technologies to their advantage. In this article the criminal was using Twitter to send botnet command and control signals.

In other words, the criminal would post something to Twitter, and the zombies (compromised computers) would listen on Twitter for messages that told them which commands to perform. A botnet may update its software, launch attacks such as DDoS, spread to other systems, relay spam, and carry out other nefarious acts.

The Official Social Engineering Framework

The Official Social Engineering Framework launched today Wednesday, September 16th. The goal is to gather some of the community to produce the web’s first and only true social engineering framework.  This framework is being developed by Jim “Elwood” O’Gorman,  Mati “muts” Aharoni, and LoganWHD along with many contributors from the SE and Security community.

Check out their site and blog.