Contributor: Binny Kuriakose

Anonymity disguised as freedom of expression and lack of clear cut laws makes cyberspace murky from a security point of view. Countries are waking up and realizing that there is a need for laws which enable authorities to catch and punish cyberspace miscreants; however, these miscreants are very crafty.

Spammers are known to use ingenious methods to peddle spam and lately they have even begun using antispam laws themselves in an effort to spearhead spam attacks. This blog is not about analyzing the effectiveness of antispam laws; it is about how spammers are quoting the laws in emails in order to make the spam look legitimate.

There are some “grey area” emails, which fall somewhere between spam and legitimate mail, and sometimes there can be something very inconspicuous in the mail that can tip the balance in the mind of a recipient. Quoting antispam law in the body of the email and claiming that the email adheres to the law is proving to be a popular technique when it comes to painting “grey area” spam white.
 

CAN-SPAM Act - Public Law No. 108-187 (USA - English)

The sample in Figure 1 claims to be adhering to the conditions set by the CAN-SPAM Act, which is the antispam law in the USA. The mail has a disclaimer section at the end which explains the law.
 

Figure 1. Spam sample with antispam law quoted in the body
 

How is this spam?

What is transgressed here is that, the option given by the spammer to ‘opt-out’ is bogus. He merely slides you out of one mailing list and inserts you into another. In all such spam instances the spammer gives the quote and the ‘unsubscribe’ or ‘opt-out’ so convincingly that the victim falls for it.
 

Other laws which are most commonly seen ‘misused’ in spam

1. MURK - Bill S.1618 Title III (U.S.A - English)

   By far the most misused legal reference by any scale is Bill S.1618 Title III of the United States, which goes by the alias MURK. Although it did concern spamming, the Bill DID NOT BECOME A LAW in USA since it did not pass both the houses.  So any mail which says it is compliant to Bill S.1618 Title III should be put under scrutiny as you are staring at a lie right there. Spam mails quoting this bill were seen from 1998 when this Bill was presented.

   

   Figure 2. Disclaimer in spam quoting Bill S.1618 Title III

   Something which is more disturbing is that the spammers actually take it as far as threatening the readers, using this quote.

   

   Figure 3. Bill S.1618 quoted in a threatening manner

   However, this drama has spilled beyond the shores of United States. This quote is also seen in other language spam, like Portuguese and Spanish.

   

   Figure 4. Disclaimer in a Spanish spam quoting Bill S.1618 Title III
    

2. Habeas data - Law No. 25, 326 Art. 27 Inc. 3 (Argentina - Spanish and Portuguese)

   Habeas Data is a law which lays guidelines for commercial emails in Argentina. This law like most other laws in this league is to empower a user to demand that his details should be removed from a database.

   It is seen quoted in Spanish and Portuguese spam email campaigns where the opt-out option is manipulated to make it look legit. The fact remains that the opt-out options are bogus and they do not help the victims from getting more spam.

   

   Figure 5. Disclaimer in a spam mail quoting Habeas data law
    

3. Law No. 28493 / 29246 / D. S. 031-2005-MTC (Peru - Spanish)

   This Law No. 28493 / 29246 / D. S. 031-2005-MTC is a law in Peru, which has Spanish as its language. The Spanish mails from even other countries are seen displaying this law and claiming legitimacy by this law. This sample is seen giving an unsubscribe option by sending a reply to a webmail.

   

   Figure 6. Disclaimer in a spam mail quoting Peruvian Law No. 28493 / 29246
    

4. Déclaration CNIL n°1291376 and Déclaration CNIL n°1181416 (France - French)

   Two French legislations regulating commercial mailings are seen displayed in spam, which does not give a proper opt-out option to customer. The opt-out link usually redirected to another webpage showing a message that the user’s details are removed. But in reality the opt-out does not happen.

   

   Figure 7. Disclaimer in a spam mail quoting French CNIL No 1291376
    

Conclusion

From these it is strikingly obvious that spammers are trying to whitewash their spam, using the laws conveniently to create an aura of fake legitimacy. The recipients unfortunately are falling victims to this.

Many countries have recognized the right of individuals to unsubscribe from any communication and the right to demand the removal of their personal information from any database. But these instances expose that a strong law regarding opt-in to a list is equally important along with the law for opt-out, since the spammers can slide you into a new mailing list after you unsubscribe from one. End users should be aware of what rights the anti-spam laws grants to every individual.

When it comes to keeping your website secure your web host should be the least of your worries. These are technology companies, sometimes rather large, whose focus is on websites. You would think that they would be better at handling website security than anyone other security professionals. Unfortunately we often find that they are not. As just one example, last year we discussed the fact that Media Temple was incorrectly blaming a hack of websites hosted by them on their customers running outdated software on their websites, while they themselves were running outdated software on their website. Over a year later they are still are not bothering to take the basic step of keeping software running on their website up to date:

Trying to access the security of web hosts is difficult because much of the information needed to do that assessment is only available to them. There are some things that you can check on and one of those is whether they are keeping the version of PHP on the server hosting your website up to date. If you are using WordPress, Joomla, Drupal, or a lot of other web software then you are using PHP and it is important to keep that up to date, as a hacked website we cleaned up this week shows.

One of the basic steps of cleaning up a hacked website is determining how it was hacked and then fixing the vulnerability so that the website doesn’t get hacked again (unfortunately, many companies that clean up hacked websites cut corners and don’t do this). In reviewing the log files for the website in question we traced the original exploitation to this line in the website’s access log:

91.224.160.25 – - [16/Apr/2013:19:18:32 -0400] “POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1″ 200 68

What that shows is that a vulnerability in PHP versions prior to 5.3.13 and 5.4.3 was attempting to be exploited. Unfortunately the website in question was running an older vulnerable version of PHP and was configured in a way that made it susceptible to the vulnerability. If PHP had been kept up to date the website would not have been hacked.

The PHP developers fairly regularly release new versions that fix security vulnerabilities in the software. The most recent releases with security fixes were versions 5.3.23 and 5.4.13, released in March. Unfortunately, we often find that our client’s web hosts are not keeping PHP up to date. If your web host isn’t keeping PHP updated you probably should move to a web host that takes such basic security seriously.

If you are wondering what version of PHP your web host is using for your website there are a number of ways to find that out. The least technical way to do that is to contact their customer support and ask them what version of PHP in use. It would also be good to ask them what their upgrade policy is for PHP and other software powering the web server, to make sure that they properly handling that. You can sometimes find the PHP version in use in the control panel for your website or the administrative area of the website. You can also use a tool we have created that allows you to check the version of various software running the server your website is on.

Downloader.Liftoh is a Trojan horse detected by Symantec that downloads malware onto the compromised computer without the user noticing.

A new variant of this threat, discovered in early May, was identified in some Spanish-speaking countries in Latin America. This variant of Downloader.Liftoh sends messages in Spanish instead of English. The threat is similar to W32.Phopifas which we wrote about in our blog from October 2012.

The creators of Downloader.Liftoh use Skype, which is popular in Latin America, as well as other instant messaging applications to distribute the malware:

1. The victim receives a message from someone who seems to be on their contact list. The message says, “esta es una foto muy amable de tu parte,” or “jaja, esta foto extraña de tu perfil,” or some similar message to entice the victim to click on a provided link. The link is from one of several URL shortener services, including goo.gl, url9.de, fur.ly, bit.ly, and is.gd.
    
    
    
   Figure 1. Malicious Skype message
    
2. If the victim clicks on the shortened URL, they are redirected to a URL on the 4shared.com website.
    
3. Once on the 4shared.com website, the victim is prompted to download a .zip file that contains Downloader.Liftoh disguised as a legitimate instant messaging file.
    
4. If the victim unzips the file, they will find an .exe file inside.
    
5. If the victim executes that .exe file, Downloader.Liftoh will have successfully compromised the computer.
    

Symantec has observed 171,553 clicks that this attack has received recently through Google’s URL shortener which the cybercriminals use in their campaign.
 

Figure 2. Downloader.Liftoh has 171,553 global clicks since May 20
 

Figure 3. Downloader.Liftoh Latin American click rate distribution
 

There are no geographic boundaries for malware distribution. Attackers only need to change malware code to a different language to find new computers to compromise. To protect yourself, Symantec recommends having up to date and comprehensive security solutions that include antispam and antivirus protections to prevent the compromise of personal computers and networks. It is also recommended that users not click on suspicious links or open any unusual files—even if they are sent from a known contact.

Symantec is observing an increase in spam containing URLs. On May 16, URL spam volume increased by 12% from 84% to 96% and since then the URL spam volume fluctuated between 95% and 99%. That means 95% of the spam messages delivered during this period has one or more URLs in it.

Figure 1. URL spam message volume

During this period, .ru was the most used top-level domain (TLD). As illustrated in Figure 2, it is interesting to note a drop in .ru spam and a simultaneous rise in .com and .pw spam. Over 73% of the URL spam contained the .ru, .com, or .pw TLDs.

Figure 2. Top 3 TLDs distribution (last seven days)

Table 1. Spam volume of top 5 TLDs that contributed to total URL spam

We are observing an increasing use of shortened URLs and free Web domains with the .ru TLD. The spam examples seen are mainly hit-and-run (a.k.a. snowshoe) spam. The call to action URL in the spam message leads to fake offers or online pharmacy stores.

Below are the Subject lines that may be seen in spam emails.

• Subject: Ends Today! Buy One, Get One Free
• Subject: 48 Hours Only | Free Shipping!
• Subject: FREE LIFETIME PASS - WHENEVER YOU WANT
• Subject: Are you dreaming about good health?
• Subject: Satisfy your girl fully
• Subject: Win your lady's addiction
• Subject: Present your women real care
• Subject: You need Ukrainian woman with beautiful eyes that are ready to talk to private theme?

Figure 3. URL spam message

This sudden rise in URL spam volume was seen in December 2012 and January this year when holiday season spam and year-end spam was on the rise. Symantec will continue to monitor this uptick in spam containing URLs and will keep our customers protected with additional filters to block these attacks.

Phishers are trying everything they can to improve their chances of harvesting user credentials. They are known for experimenting with different fake social media applications in a desperate move to lure users. Recently, we found a few examples of some new fake apps.

In the first example, the phishing site used an image of a girl along with the Facebook Like button. After clicking the button, users are prompted for their Facebook login credentials in order to “like” the photo. After the credentials are entered, the phishing site acknowledges the login and asks users to click another Like button. The button is placed beside a fake number indicating the number of likes already gained. The phishing site was hosted on servers based in Amsterdam, Netherlands.

Figure 1. Facebook Like button with a picture of a girl

Figure 2. Login credentials required to” like” the picture

Figure 3. The Like button along with the number of likes already gained

The second example is a phishing site spoofing the Facebook login page that claimed to have several new features for Indian users. The phishing site called itself “Chehrakitab” which is Hindi for “Face Book”. Phishing sites, like the current example, that are designed to target Indian users have been consistently written poorly. The Facebook 2013 Demo phishing is a good example. A description given on the phishing page explained that the site is under construction although users can still login. Phishers appear to be contemptuous of Facebook as they mentioned in the logo that it’s wasting people’s lives. The phishing site was hosted on a free Web hosting site. If users fell victim to the phishing site, phishers would have successfully stolen their information for identity theft.

Figure 4. Phishing site pretending to be the Indian version of Facebook

Internet users are advised to follow best practices to avoid phishing attacks:

• Do not click on suspicious links in email messages
• Do not provide any personal information when answering an email
• Do not enter personal information in a pop-up page or window
• Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information
• Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
• Exercise caution when clicking on enticing links sent through email or posted on social networks

A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

Organized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

“They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost,” said Jim Mitchell, an adjuster for EMC.

According to J.T. Alexander & Son, the company’s bank – Peoples Bancorp of North Carolina Inc., a state-chartered bank with $1.1 billion in assets and 22 branches across the state — had just upgraded its security system a month prior to the cyberheist. Before the upgrade, the company’s controller had to enter a login ID, password and then enter a six-digit code that was read by an automated system at the bank that would call them.

“Also, it used to be we could only access the bank’s site from my computer,” said Kristie Williams, who works in accounting and finance for J.T. Alexander. “The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”

Peoples Bank did not return calls seeking comment.

These types of cyberheists — in which neither the victim organization nor its financial institution notice the theft for days on end — can be especially costly. It’s difficult to assign blame for such incidents to either the victim or its bank — there were failures on both parts, to be sure — but typically the liability for these breaches lies with the victim. That’s why it’s vitally important for small businesses that wish to bank online to assume they are targets of organized crime and to take the necessary precautions, wherever possible.

If you run a small business and manage your company’s accounts online, please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.