Malicious websites by search term type (source: Symantec Corporation)
DESCRIPTION
Malicious Websites. Malicious websites by search term type. Source: Symantec Corporation. Internet Surfing "Real or Fake?". 1. Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict.
TRANSCRIPT
1
Official Use Only
[Chart: Malicious websites by search term type. Source: Symantec Corporation]
Spam e-mail was circulating in January 2009 containing factual information about the Israeli/Hamas conflict.
It appeared to originate from CNN and contained a link to a website posing as CNN, which contained what looked like a video file.
All links on the website actually resolved to the valid CNN website.
Visitors who attempted to view the video were prompted to update to a new version of the Adobe Flash Player.
The update was actually malicious code.
IRS initiated content filtering to block the e-mail.
Only 11 of 38 AV products could detect stage one.
Only 2 of 38 AV vendors' signatures could detect stage two.
Analysis revealed 36 IRS systems visited the fraudulent CNN website (Stage One).
Additional analysis identified 1 IRS system issuing HTTP GET requests to the Russian IP address every 20 minutes (Stage Two).
Further analysis confirmed that no data was exported.
[Diagram: IRS User, IRS System, IRS.gov Exchange Server, Russian IP; labels: Israel/Hamas Spam Mail, hxxp://xxx.cnn.2009.xxxxxxxxxxxxxxxxx.com, hxxp://xxxxx.com/servicepack1.exe]
[Diagram: Email sent via gmail.com -> Treasury Email Gateway -> IRS Email Gateway -> IRS Employee / IRS Distribution List (10 Employees)]
Spear phishing email was sent on a Friday targeting two (2) IRS email addresses, which include a distribution email address. NOTE: The following Monday was a federal holiday.
[Diagram labels: Invalid Account; Email Attachment with Microsoft Excel Spreadsheet (Zero-Day Exploit); Call Back IP Address (X); IRS Environment]
Analysis identified that the malware calls back to an IP address residing in the US over TCP port 443, using custom encryption for beaconing and/or data exfiltration activity.
Time from patch release to worm outbreak:
Worm      Worm outbreak     Patch                      Window
Nimda     Sept. 18, 2001    MS00-078, Oct. 17, 2000    336 days
Slammer   Jan. 25, 2003     MS02-039, Jul. 24, 2002    185 days
Blaster   Aug. 11, 2003     MS03-026, Jul. 16, 2003    26 days
Sasser    April 30, 2004    MS04-011, Apr. 13, 2004    17 days
JView     June 2005         MS05-037, Jul. 12, 2005    0-day
HOW TO PROTECT YOURSELF:
Limit the amount of personal information you post. Remember that the internet is a public resource.
Be wary of strangers.
Be skeptical - don't believe everything you read online.
Evaluate your settings - take advantage of a site's privacy settings.
Be wary of third-party applications.
Use strong passwords.
Check privacy policies.
Keep software, particularly your web browser, up to date.
Use and maintain anti-virus software.
[Logos: MySpace, Windows Live Spaces, YouTube, Twitter, Flickr]
Organization database attacks
► Social engineering via e-mail, web site, telephone or postal mail
► Dumpster diving & trash collection
► Man in the middle web site attacks
► Skimmer (black box) – portable magnetic strip card reader; it takes a second to skim a card through the device. Can be carried in a pocket. Can hold up to a thousand numbers and can be purchased online. Can be used by anyone (cab driver, waiter, rental car agent, etc.) and hooked up later to a computer to pull up all your information. A credit card encoder can then be used to clone your card.
► Bank ATM modifications
► Equipment disguised to look like a normal ATM
► Wireless "skimmer" & video camera transmit scanned card information & PIN
► Criminals clone cards & use PINs to withdraw cash
• Equipment being installed on top of existing bank card slot.
• PIN reading camera being installed on the ATM is housed in an innocent looking leaflet enclosure.
Intrusion + Worm + Virus = Blended Threat
Mobile malware (BlackBerry, iPhone, iPad)
Memory-based rootkits & other malware
Cloud computing
Cross-platform malware
Infrastructure & contractor outsourcing (includes virtualized environments)
Blended threats (multiple vectors)
Speed of attacks
Greater sophistication of attacks
Simplicity of attack tools
Vulnerabilities are detected more quickly
Delay in patching
Distributed attacks
User confusion
The most frequently spoofed organization was banks, which accounted for 56 percent of phishing attacks blocked in 2010.
Credit cards were the most commonly advertised item for sale on underground servers known to Symantec, accounting for 22 percent of all goods and services advertised, an increase from 19 percent in 2009.
The United States was the top country advertised for credit cards on known underground servers, accounting for 65 percent of the total; this is a decrease from 67 percent in 2009.
The top three spam botnets that delivered the highest volume of spam in 2010 were Rustock, Grum, and Cutwail.
India was the leading source of botnet spam in 2010, with 8 percent of the worldwide total.
Approximately three quarters (74%) of all spam in 2010 was related to pharmaceutical products.
► 286M+ threats
► 93% increase in web attacks
► 260,000 identities exposed per breach
► 1M+ bots
► $0.07 to $100 per credit card
► 6,253 new vulnerabilities
► 74% pharmaceutical spam
► $15 per 10,000 bots
► 42% more mobile vulnerabilities
► 14 new zero-day vulnerabilities
Anonymous Hacks Booz Allen Hamilton, Steals 90,000 Military Emails. The hacker group Anonymous claims it has stolen information from government contractor Booz Allen Hamilton that it says will help it hack into resources of other contractors and security consultants.
Trojan Spreading Through Facebook Replaces Antivirus Programs: Security researchers warn about a Trojan spreading through Facebook and having an unusually sophisticated payload which involves replacing the legit antivirus programs used by its victims. The malware hijacks the Facebook sessions of its victims and sends messages to their friends via the website's chat function. Once installed on the computer, the Trojan blocks notifications from the firewall, Windows update or the legit antivirus and displays a pop-up asking the user to reboot the system. The Trojan uses the bcdedit.exe utility to force the computer into Safe Mode upon reboot, where the un-installation of the legit antivirus starts. Unlike most malware, this malware configures itself to run in Safe Mode so it is always in control of the machine. The computer is rebooted again and a fake antivirus mimicking the real one is executed. This is meant to trick users into believing that they are still protected, while the Trojan freely downloads and installs more malware in the background.
TJX, T.J. Maxx, And Marshalls
In February 2007, TJX, parent company of discount stores T.J. Maxx and Marshalls, disclosed that thieves had stolen information on possibly tens The company first thought its systems had been compromised for about but it turned out the vulnerability might have lasted for almost a year longer than that. The incident wound up costing TJX millions of dollars paid to the FTC, credit card companies, banks, and consumers. Oh, and 11 hackers were eventually arrested for the break-in. Security breaches have only increased in scope and frequency in recent years, as more businesses store their data in digital files and thieves become increasingly sophisticated in how they gain access to those files. But sometimes the attacks aren't sophisticated at all -- sometimes they just occur because someone got careless with a physical object. That's old-school data theft, no hacking required.
Nasdaq Confirms Servers Breached
Malware may have been targeting insider information from 10,000 senior executives who use the compromised Directors Desk app.
By Mathew J. Schwartz, InformationWeek, February 07, 2011 01:00 PM
100,000 Credit Cards Compromised By Data Breach
CitySights NY tour operator was storing card security codes in apparent violation of payment card industry regulations.
By Mathew J. Schwartz, InformationWeek, December 22, 2010 01:43 PM
Online Dating Site Breached
PlentyOfFish.com has been compromised and the company is blaming the messenger.
Online dating Web site has been hacked, exposing the personal information and passwords associated with almost 30 million PlentyOfFish.com accounts. However, the site's founder Markus Frind claims that only 345 accounts were successfully stolen.
By Thomas Claburn, InformationWeek, January 31, 2011 04:50 PM
Cyber Attack Hits European Commission
Malware was blamed for the "major" breach, launched on the eve of a summit focusing on euro instability, the war in Libya, and nuclear safety.
On Wednesday, a large cyber-attack was launched against the European Commission, mere hours before a two-day Brussels summit focused on the European debt crisis and Portugal, as well as the war in Libya and nuclear safety concerns.
By Mathew J. Schwartz, InformationWeek, March 25, 2011 02:05 PM
Sony Sued Over PlayStation Network Hack
A class action lawsuit charges that Sony failed to protect the personal information and credit card numbers of up to 77 million users. Sony faces public condemnation as its PlayStation Network (PSN) outage enters its seventh day, combined with a security breach of users' personal information that may have exposed the credit card details of up to 77 million customers.
By Mathew J. Schwartz, InformationWeek, April 27, 2011 04:05 PM
Sony Hacked Again, 1 Million Passwords Exposed
Hacker group LulzSec releases 150,000 Sony Pictures records, including usernames and passwords, in latest setback for consumer electronics giant.
A group of hackers behind the recent PBS website breach said they've now hacked into a Sony website. The hackers, who call themselves LulzSec or the Lulz Boat, said they exploited the Sony Pictures website via a SQL injection attack.
"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts," the group said in a Pastebin post. "Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons'."
By Mathew J. Schwartz, InformationWeek, June 03, 2011 11:36 AM
Anonymous Claims Hack On NATO Servers
The hacktivist group said it's holding 1 gigabyte of information from the international alliance, as it would be "irresponsible" to release most of it.
Hacktivist group Anonymous was at it again Thursday, claiming it had breached the servers of the North Atlantic Treaty Organization (NATO), but that it likely would not reveal most of the 1 gigabyte of information it said was stolen.
By Elizabeth Montalbano, InformationWeek, July 21, 2011 12:51 PM
NEVER
► Never consider e-mail secure. Do not include taxpayer, SBU, or PII info in e-mail or attachments unless you use encryption (Outlook Secure Messaging).
► Never put sensitive information in the subject line, which is not encrypted.
► Never send SBU data by electronic mail to taxpayers or their representatives.
► Never use words in the dictionary, or words that reflect common facts about you, when establishing your password.
► Never reveal or share your password with anyone.
► Never change your password to something someone has suggested or requested.
► Never use another person's login and password.
► Never process SBU or PII data on IRS laptops in public places.
► Never store a laptop in checked luggage.
ALWAYS
► Change your password if you think someone else knows it.
► Construct strong passwords.
► Store passwords in a secure location.
► Use a cable lock to secure your laptop at all times (not required to use a cable lock at home).
► Keep the cable lock attached, or store the laptop in a locked cabinet or drawer at the end of the day.
► Use a cable lock when off-site (taxpayer sites) and when in travel status.
IRM 1.10.3, Standards for Using E-mail
► Access only authorized data (need-to-know).
► Secure sensitive papers, data files and software.
► Back up your critical files on a regular basis to your Home directory ("I" drive or "D" drive) or government-purchased removable media.
► Scan all media from taxpayers for viruses on a stand-alone system.
► Always log off or lock your computer screen when leaving your computer unattended.
► The IRS restricts the use of personally owned IT equipment, software, and media. Exceptions have been granted for the use of personally owned Bluetooth headsets and computer monitors. Only certified government-owned IT equipment, software, and media may be used on IRS systems.
2) Prohibited: Personal communication on blogs and social networking sites such as MySpace, Facebook, Yahoo! 360°, Twitter, etc.
5) Prohibited: Downloading, copying, or installing unauthorized applications (e.g., executable code), such as screen savers, software products, computer games, etc.
15) Prohibited: Any access to non-IRS e-mail accounts through the Internet (i.e., accessing personal AOL accounts, accessing company accounts, etc. through the IRS Internet firewall).
16) Prohibited: Inappropriate use of IRS e-mail accounts, such as transmitting files larger than 1 megabyte, any correspondence for personal gain, chain letters or other unauthorized mass mailings regardless of the subject matter, etc.
SCADA (supervisory control and data acquisition) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:
SCADA systems are highly distributed systems used to control geographically dispersed assets. Systems consist of hardware, software and communications components.
SCADA systems are used in distribution systems such as electrical power grids, water distribution and wastewater collection systems, oil and natural gas pipelines, and railway transportation systems.
These control systems, which are highly interconnected and mutually dependent systems, are critical to the operation of the U.S. critical infrastructures.
It is interesting to note that approximately 90% of the nation's critical infrastructures are privately owned and operated.
There have been numerous asserted cyberattacks on critical infrastructures, especially since 9/11. Many of these are known to be urban legends.
It is believed that many attacks against SCADA systems have never been reported by the Federal Government.
The United States now has various layers of security protecting US infrastructure.
Attacks on infrastructure were unexpected and bizarre then. It could be possible for a sophisticated cyberattack to again cause serious system failures.
Iran Alleges Espionage Over Internet Worm
Senior government official says foreign governments are launching malware dubbed Stars at the country's nuclear facilities.
A senior official in Iran has alleged that foreign governments have been targeting the country's nuclear facilities using an Internet-borne worm, dubbed Stars.
By Mathew J. Schwartz, InformationWeek, April 27, 2011 01:44 PM
76% Of Energy Utilities Breached In Past Year
• Despite the high risks, energy company managers don't understand the importance of IT security, according to 71% of security pros surveyed by Ponemon Institute.
• Three-quarters of energy companies and utilities have experienced at least one data breach in the past 12 months, resulting in average clean-up costs of $156,000 per breach. Furthermore, 69% of organizations think that another data breach is very likely to occur within the next year.
• Numerous studies have pointed to a continuing increase in online attacks against so-called critical infrastructure providers -- including oil, gas, and electricity suppliers -- often driven by political motivations. Furthermore, legislators and government agencies have been increasingly concerned that the nation's critical infrastructure -- which is almost completely controlled by private industry -- is at risk of attacks, not least by terrorists or unfriendly nation states.
By Mathew J. Schwartz, InformationWeek, April 06, 2011 01:52 PM
Malware Spreading Via USB Drives
• The Stuxnet rootkit launches even with AutoRun and AutoPlay disabled and is known to affect Windows 7 Enterprise Edition x86 operating systems. Security experts are warning of never-before-seen malware, dubbed Stuxnet, that spreads via USB drives, infecting PCs via an unknown -- aka zero-day -- Windows vulnerability. Unfortunately, the attack works even with AutoRun and AutoPlay disabled, and affects at least Windows 7 Enterprise Edition x86 operating systems. Reportedly, the malware's purpose is to gather any information relating to Siemens SCADA (supervisory control and data acquisition) system software.
CIA Admits Cyberattacks Blacked Out Cities
The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
Alan Paller, director of research at the SANS Institute, said that CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout. The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers from North American energy companies and utilities.
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
Gas Pipelines in Russia (and the former Soviet Union), 2000 & 1982
In 2000, the Interior Ministry of Russia reported that hackers seized temporary control of the systems regulating gas flows in natural gas pipelines, although it is not publicly known if there was physical damage. The former Soviet Union was victim of an attack on their gas pipeline infrastructure in 1982 when a logic bomb caused an explosion in Siberia.
Automobile Plant and the Zotob Worm, August 2005
Zotob is a worm that spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability. In August 2005, Zotob crashed thirteen of DaimlerChrysler's U.S. automobile manufacturing plants, forcing them to remain offline for almost an hour. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware, and Michigan were also forced down. Zotob affected computers by slowing them down and causing them to continually crash and reboot. Infected Windows 2000 computers were potentially left exposed to more malicious attacks, while infected Windows XP computers could only continue to spread the worm. Zotob and its variations also caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft maker Boeing, and several large U.S. news organizations.
Protect your Computer
► Anti-virus software can scan a computer for virus infections as well as monitor computer activities. Keep anti-virus definitions up to date. Don't turn off anti-virus.
► A firewall is designed to prevent malicious packets.
► Software vendors usually deploy a software "fix" every month to address the vulnerabilities in operating systems. Make sure these security updates (patches) are being downloaded to your computer.
► A popup blocker can prevent popups, or small Web browser windows, from appearing.
► Anti-spam methods can be installed by an email client or a separate spam-filtering program.
► Anti-spyware
► A Host Intrusion Detection System (HIDS) compares new behavior against normal behavior.
► Back up files on a regular basis. Keep backups separate from the home machine.
► Scan all media before using it on your computer (thumb drives, CDs, etc.).
► Avoid saving any personal information on your computer (passwords, bank account info, etc.).
► Use strong passwords and PIN numbers on all financial accounts and change them often. Keep your passwords secure, safe and strong.
Report security incidents within one hour after they occur to the appropriate agency officials. (There is no penalty for reporting incidents that are questionable)
Reportable information systems incidents include, but are not limited to:
► Unauthorized disclosure of information;
► Viruses, worms, virus hoaxes, and phishing;
► Loss and theft of equipment, software, or information; and
► Deliberate alteration or destruction of data or equipment.
All computer security incidents shall be reported directly to:
1. Computer Security Incident Response Center (CSIRC),
2. Inspector General for Tax Administration (TIGTA), and
3. your immediate supervisor.
http://www.csirc.web.irs.gov/reporting/Incident_Reporting_Procedures.pdf