Computer Security for Real People -...

Date post: 01-Oct-2020
Tim Gurganus For Cyber Security Month 2011 [email protected] Computer Security for Real People
Page 1: Computer Security for Real People - index-of.co.ukindex-of.co.uk/TDS/real-security2011-release.pdfwas greater than 30 for the first time. Then in August 2011, Law Enforcement shutdown

Tim Gurganus
For Cyber Security Month [email protected]

Computer Security for Real People

Some Computer Security Myths

• Good Antivirus software will detect any viruses on my computer

• The network is on the NCSU campus, so it must be secure.

• Computer Security is someone else’s problem

• Using Windows Update is all you need to do to make your PC secure.

Some Computer Security Myths

Computer Security in Movies and TV shows:

• Cracking 128 bit SSL in 2 minutes

– social engineering is much faster

• Cracking passwords one character at a time

Truth: Computer security threats cannot be adequately thwarted unless they are fully understood.

Truth: Most encrypted PDFs can be cracked in 96 hours.

Truth: Without security, you have no privacy.

Some Stats on Students and Computer Security

• 39% of students share passwords with friends and family

• 78% password protect laptops

• 21% secure handheld devices such as iPads with a password

• 50% secure mobile phones with a password

• 9% of students surveyed have downloaded a virus from a social network

• 22% of web users have had their social networking accounts hacked, and the same amount have experienced email hacking

Some Stats on Mobile Computer Security

• 5% of enterprise mobile devices are lost

• Only 15% of smart phone users install antivirus software

Some Stats on Computer Security

A day in the life of a PC on our campus network:

– Exploit attacks from laptop connected to the wireless network

– Probed to see if it is a web server or email server

– Login attempts from infected machines on campus wireless

– Login attempts via Remote Desktop from off campus

– SSH login attempts from the internet

– Probed to see if IP is active

– Probed to see if host is using a firewall

Is your Laptop ready to go online?

Some Stats on Computer Security

A day in the life of an online account:

Email Account:

– Sent 6 viruses from botnets to infect your PC or mobile phone

– Sent 5 scams for Prescription drugs, Free iPads or Penny stocks

– Password guessed at Gmail to see if password is simple word

– May receive returned spam where your good address was faked as the sender

– Email accounts sent phishing attacks for Gmail, NCSU email, iTunes, Paypal, Online banking, twitter, Facebook, Linked-In, Hotmail, or Yahoo! passwords

• At least one message per semester will ask for your NCSU email password

Other Accounts:

– Password guessed at twitter.com to see if password is simple word

– Password guessed at Facebook to see if password is simple

– Cross site password guessing using posted lists of phished accounts

• 5.9% of all email contains a malicious file, most are blocked by spam filters

Searching for Free Stuff Online can be costly

• According to Google, 1% of search results leads to malware

• According to Google, 15% of malware is Fake Computer Security software

• A study from McAfee found that adding the word "free" when looking for entertainment content in search engines greatly increases the chances of landing on a site hosting malware.

• For instance, searching for free music ringtones increases the chances of hitting a malicious site by 300 percent

Searching for Free Stuff Online can be costly

What Search Results to Trust?

• Most search engines have a Safe Search or Warning level setting to mark malicious content:

– Google SafeSearch

– Yahoo SafeSearch and SearchScan

– Bing SafeSearch

• Avoid certain domains like .co.cc and .tk

• Avoid URLs where the subject of the search doesn’t match the result

– For example, a car dealership website selling clothes

To Avoid Malware:

• Avoid clicking on links in banner ads

• Avoid clicking on links posted in forums and on fan pages

• Keep security software up to date and use link reputation features of newer web browsers

Searching for Free Stuff Online can be costly

To Avoid Malware:

• Avoid clicking on links in banner ads

• Avoid clicking on links posted in forums and on fan pages

• Keep security software up to date and use link reputation features of newer web browsers

Enable Attack Site Warnings in FireFox

Enable SmartScreen in Internet Explorer

Searching for Free Stuff Online can be costly

Other Ways You Meet Malware

• Digg and Reddit (like the Like It! on Facebook) have been used to redirect users to malware

• Be Aware that hackers can use networks of compromised computers to affect search results.

• Infected computers in a botnet vote for an article a spammer posts containing malicious content or a link to trojan malware and move its ranking up.

Viruses & Trojans At NCSU

In Last 12 Months                                        % of PCs Infected
WORM_RONTOKBR (mass mailer - 13 variants)                27 %
WORM_DOWNAD (Conficker - 8 variants)                     25 %
JAVA_LOADER (250 variants)                               18 %
PE_Sality (spreads via shares and USB - 22 variants)     16 %
TROJ_Generic (detected by heuristics - 807 variants)     13 %
TROJ_FakeAV (578 variants)                               7 %
Mal_Hifrm (7 variants)                                   7 %
TROJ_KRYPTK (rootkit - 110 variants)                     7 %
TROJ_IFRAME (46 variants)                                4 %
EXPL_MS04-028.A (JPEG exploit)                           3 %
PTCH_KATUSHA (launches other malware)                    3 %
Mal_OTORUN (spread via USB device - 45 variants)         3 %
TROJ_Dropper (120 variants)                              3 %
TROJ_Starter – RAMNit (20 variants)                      3 %
PE_MABEZAT (mass mailer, USB - 7 variants)               3 %

Viruses & Trojans At NCSU

Fake Antivirus Software

This is a screenshot of a Fake Antivirus trojan. The real Windows Security Software never has an Install… button.

Viruses & Trojans At NCSU

Fake Antivirus Software

Fake Antivirus is ridiculously profitable: 1 in 50 installs will pay for the FakeAV!!

Viruses & Trojans At NCSU

Fake Antivirus Software

In 2011, the number of new variants per month was greater than 30 for the first time.

The list below shows the variants released per day in 2011:

1/4/2011 Palladium.FakeRean
1/4/2011 HDDFix.FakeSysDef
1/5/2011 MemoryFixer.FakeSysDef
1/9/2011 DiskOK.FakeSysDef
...
3/23/2011 WindowsRecovery.FakeSysDef
3/23/2011 WindowsBackgroundProtector
3/24/2011 WindowsSimpleProtector
3/25/2011 WindowsPowerExpansion
3/26/2011 MSRemovalTool
3/28/2011 WindowsExpansionSystem
3/29/2011 WindowsRepair.FakeSysDef
3/30/2011 WindowsProcessRegulator
3/31/2011 WindowsStabilityCenter

Viruses & Trojans At NCSU

Fake Antivirus Software

In 2011, Fake Antivirus trojans for the Mac appeared:

[Chart: Unique Fake AV for MAC Discovered, by month from Jul-10 to Jun-11; vertical axis 0 to 250]

* From McAfee Quarterly Threat Report Q2 2011

Viruses & Trojans At NCSU

Fake Antivirus Software

In 2011, the number of new variants of Fake AV per month was greater than 30 for the first time.

Then in August 2011, Law Enforcement shut down the credit card processor for one of the largest Fake AV makers, ChronoPay.

The shutdown of Russian Card Processor ChronoPay affected Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com

For a time, they ceased operations and alerted affiliates that they may not be paid for current and future installations.

Viruses & Trojans At NCSU – cont.

Rogue Facebook Emails Spread Oficla Trojan

On September 29, 2010, malicious spam messages posing as password change notifications from Facebook arrived on campus.

The message claimed the recipient's Facebook password had changed and that the new password was contained in the provided attachment.

The attachment instead contained a variant of the Oficla trojan.

Date: Tue, 28 Sep 2010 09:53:11 -0400
From: "Facebook Support, Jocelyn Nicodemus" <[email protected]>
To: "Larry Ellison" <[email protected]>
Subject: Your facebook password has been changed!
Attachments: TEXT.htm, FaceBook_Password_Nr60891.zip, Mime.822

Dear user of facebook. Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document. Thanks, Your Facebook.

Viruses & Trojans on Social Networks

Koobface in Action

You receive a friend request like this.

The profile picture is usually a model with a pretty face

In most cases the malicious link mentioned above takes you to a YouTube-like site that pops up a message that you need to install Adobe Flash, a new video codec, or some other plug-in to view the video.

Installing this is how you get infected and the cycle repeats.

Koobface has targeted users of Facebook, Twitter, MySpace and Friendster.

Viruses & Trojans on Social Networks

Avoiding Koobface and Other Social Networking Worms

1) Avoid promiscuous friending. Spammers, phishers, and worm distributors abound on social networking sites. Demonstrate restraint by not accepting friend invites from strangers. Your real friends will thank you.

2) Log out of the social networking site when it's not being used. Worms like Koobface can only spread when you are logged on to Facebook or another social networking account.

Viruses & Trojans on Social Networks

Avoiding Koobface and Other Social Networking Worms

3) Use a unique strong password on each account. If you have multiple social networking accounts, use a unique password for each.

4) Never click links in messages received unexpectedly. Instead, open a new page and visit the site using a previously bookmarked or known safe link.

Viruses & Trojans on Social Networks

Twitter phishing attack:

Direct Message from compromised accounts:

you look like you lost weight in this video.. [http://3x3ors.tk]

If you're curious, you might click on the link which will take you to what appears to be the standard Twitter login page.

Viruses & Trojans on Social Networks

Twitter phishing attack:

http://3xloanstoday.com/twitter/login/sessions/?phx=1/

URL is NOT twitter.com

Viruses, Trojans and Social Networks

Malware on Facebook:

Scam messages appearing to offer free Facebook credits are being seen on Facebook. Here's an example:

Want Free Facebook credits go to <link>Free Faceebook credits

Want free Facebook credits?

Viruses, Trojans and Social Networks

Malware on Facebook:

Clicking on the link leads to another page:

The page uses a clickjacking technique, whereby clicking on the red and blue boxes will actually invisibly update your Facebook profile with references about how to get free Facebook credits.

The Red box is over the Like button and the Blue box is over the Share button.

This effectively sends the “get free FB credits” message and link to your friends.

ClickJacking

ClickJacking is the idea of overlaying a picture on top of the buttons that must be clicked in order to spread the attack.

The clickjack window could be transparent or covered by a floating image.

The action links, such as the Share, Comment or Like buttons, are hidden by the image on top.

http://www.youtube.com/watch?v=jgAO8WU2lp0&feature=related

Viruses, Trojans and Social Networks

Malware on Facebook:

If you do agree to click on the red and blue boxes, you'll be taken to a page not hosted on the Facebook website (but pretending to be a legitimate Facebook page) still claiming to offer free Facebook credits.

If you continue to click on the links, you will find that you are visiting webpages that ask you to sign up for a rewards program or take online surveys. The scammers behind the Facebook Credits messages earn 50 cent commission for every person that enters their information and verifies their email address, and another 50 cents for every person that completes an offer.

Avoiding ClickJacking

1) Install the latest version of Flash Player – It has added features to prevent ClickJacking

2) Keep your browser patched – Patches to IE and Firefox added features to prevent clickjacking

3) Use an antivirus program with a web reputation feature or linkscanner that will block known clickjacking links

Be suspicious of pop-ups that look a little different or buttons that appear directly on top of another button. For example, the pop-up may not have a Close ‘X’ in the corner or the window follows the mouse as it moves.

In these cases, it is better to close the browser application instead of clicking on something that might be an exploit.

Facebook Security Apps - Avoiding ClickJacking

There are also some Facebook Apps you can add to your account that will scan links, images and videos posted to your wall, messages and news feeds for malicious links.

Defensio Social Web Security - Delivered via the Websense global Security-as-a-Service (SaaS) platform, the Defensio Facebook application provides security and controls to manage what type of content can be posted to personal or commercial Facebook walls. It can send you an alert email if spam or a malicious link is detected in your account.

Norton Safe Web for Facebook - Norton Safe Web for Facebook application scans your news feeds and identifies URLs containing security risks such as phishing sites, malicious downloads and links to unsafe external sites.

More Facebook Security Features

Facebook begins offering https version

Facebook is also testing social authentication - login by identifying your friends in pictures

More Facebook Security Features

Facebook recent activity log…

Facebook is also testing social authentication - login by identifying your friends in pictures

Viruses & Trojans on Social Networks

Malware on Facebook:

• A few days later, another similar scam appeared using a rogue Facebook App:

• If a user clicked one of the links above, a viral Facebook App was added to their profile.

• This bogus application sent similar wall postings and messages to Facebook friends.

Viruses & Trojans on Social Networks

Malware on Facebook:

• If a user clicked one of the links above, a viral Facebook App, fbthecredits, was added to their profile.

• This bogus application sent similar wall postings and messages to Facebook friends.

Viruses & Trojans on Social Networks

Malware on Facebook:

• You should always be suspicious whenever a third party application requires access to your profile without a legitimate reason.

• If you've been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/Applications and Websites.

Scams to Avoid on Facebook

Example of Fake Facebook Notification

Phishing attack

Hovering over the link reveals it is not www.facebook.com.

http://graydolphins.110mb.com/auscultation.html
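
The check that the Twitter and Facebook phishing slides ask the reader to do by eye (does the link really go to twitter.com or www.facebook.com?), written out as an added Python example that is not part of the original slides. The function names are hypothetical; the first three sample URLs are the ones shown on the slides and the rest are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domain suffixes the slides advise avoiding in search results.
RISKY_SUFFIXES = (".co.cc", ".tk")


def link_host(url):
    """Return the lowercase hostname a browser would actually connect to."""
    # .hostname drops the scheme, any user:password@ prefix, the port and the path.
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname in %r (is the scheme missing?)" % url)
    return host.rstrip(".").lower()


def belongs_to(host, expected_domain):
    """True only if host is expected_domain itself or one of its subdomains."""
    expected = expected_domain.lower()
    # Match on a label boundary: "twitter.com.example.test" must not pass.
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain):
    """Compare where a link really goes with the site it claims to be."""
    host = link_host(url)
    brand = expected_domain.split(".")[0].lower()  # e.g. "twitter"
    genuine = belongs_to(host, expected_domain)
    return {
        "host": host,
        "genuine": genuine,
        # Brand name present in the URL although the host is someone else's:
        # the lookalike pattern of the fake Twitter login page on the slides.
        "brand_used_as_bait": (not genuine) and brand in url.lower(),
        "risky_suffix": host.endswith(RISKY_SUFFIXES),
    }


SAMPLES = [
    # URLs shown on the slides
    ("http://3x3ors.tk", "twitter.com"),
    ("http://3xloanstoday.com/twitter/login/sessions/?phx=1/", "twitter.com"),
    ("http://graydolphins.110mb.com/auscultation.html", "facebook.com"),
    # Constructed for illustration
    ("https://twitter.com/login", "twitter.com"),
    ("https://www.facebook.com/settings", "facebook.com"),
    ("http://twitter.com.example.test/login", "twitter.com"),
]

if __name__ == "__main__":
    for url, claimed in SAMPLES:
        result = check_link(url, claimed)
        verdict = "ok" if result["genuine"] else "NOT " + claimed
        print("%-58s -> %-26s %s" % (url, result["host"], verdict))
```

The comparison is purely on the URL string and never fetches the link, so it can be run safely over links copied out of a suspicious message.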

Computer Security for Real People

• Half of all malware is directly downloaded from websites.

• 45% of infections result from user interaction, i.e. Social Engineering, vs. pure exploits which don’t require user interaction

Note: Patches for these tend to be important priority vs. critical

By default, WindowsUpdate only installs critical monthly security patches

• Arming the web browser with intelligence to avoid bad sites is a reasonable defensive action

Trend Micro Officescan Web Reputation Service Blocks Malicious downloads

• Most often blocked URLs are free game downloads where the game is infected with a virus

• The next most often category of blocked URLs is malvertising, internet advertising that contains a malicious image, flash animation or Javascript.

• Various fake web statistics, web metrics and web counter scripts are also blocked often (i.e. google-stats.info or clickzs.com)

• Blocked content is found more often on Adult content websites and free movie and music download sites as well.

Malicious URLs blocked by Officescan

URL    Unique Endpoints    Detections

http://bid.openx.net/jstag 63 2158

http://edge.quantserve.com/quant.js 154 1923

http://b.scorecardresearch.com/beacon.js 86 854

http://ssl.gstatic.com/gb/js/sem_67691c26458c684deff94c5b94fcc700.js 192 835

http://denis.stalker.h3q.com/scrape.php?info_hash=%24%E63k%F1%92hX%7D%0C%BF%1F%5E%AEf%21%23 2 727

http://s1.pasadserver.com/showBanner.php?size=728x90 19 376

http://denis.stalker.h3q.com/scrape.php?info_hash=%81%89%40%97%059%1Amx%A2%8D%A3%81%B6%0E%1 2 374

http://s2.pasadserver.com/showBanner.php?size=728x90 22 361

http://js.users.51.la/1210055.js 1 349

http://s2.pasadserver.com/showBanner.php?size=160x600 16 216

http://s1.pasadserver.com/showBanner.php?size=300x250 13 209

http://s1.pasadserver.com/showBanner.php?size=120x600 13 206

http://banners.hotbox.com/go/page/iframe_tab_banner_content?lang=english&&show_sex=&pid=g821718 1 198

http://s1.pasadserver.com/showBanner.php?size=160x600 12 191

http://s2.pasadserver.com/showBanner.php?size=120x600 14 175

http://s3.pasadserver.com/showBanner.php?size=728x90 10 168

http://s2.pasadserver.com/showBanner.php?size=300x250 15 167

http://www.info-komen.org/js/utils.js 22 151

http://code.37cs.com/rich/fl.php?uid=3479&pid=945 1 147

http://admonkey.dapper.net/PixelMonkey?adId=expedia&format=image&tp=111222120&useReferrer=1&type=search 28 141

http://a1.ationnet.co.kr/38843.js 4 141

http://marketgidcounter.ru/p 1 134

http://content1.admonkey.dapper.net/clients/expedia/SearchResults_US.html 26 130

How Risky is Browsing the Internet?

Arrival methods of the top 100 malware infecting the most number of systems

Computer Security for Real People

Where the Malware is Built

• The number of crimeware application suites has grown in the last year making it easier to produce malicious code, build botnets, create phishing attacks, etc.

Example Crimeware applications are:

• Blackhole Exploit Kit

• Crimepack

• Eleonore

• Icepack

• Mpack

• Zombie Infection Kit

• SEO Sploit Pack

Viruses & Trojans on Social Networks

Fake LinkedIn Invite Leads to ZeuS Trojan

Links in the messages lead to websites hosting the SEO Exploit Pack which attempts to drop a Zeus variant onto victims' systems.

The observant user would notice that none of the links lead back to linkedin.com

Avoiding Malware

Where the Malware is Built

Zombie Infection Kit:

This screen shot from Zombie Infection Kit shows the real-time browser exploitation statistics.

Note the support for Firefox and Google Chrome.

Avoiding Malware

Where the Malware is Built

Blackhole Infection Kit:

This screen shot from Blackhole Infection Kit shows the efficiency of various exploits available in the kit.

Avoiding Malware

Where the Malware is Built

Blackhole Infection Kit:

This screen shot from Blackhole Infection Kit shows the percentage of browsers and Operating Systems Infected.

Note the support for Opera, Safari and Google Chrome.

Some bots are Linux and OS X computers.

Avoiding Malware

Where the Malware is Built

SEO Sploit Pack:

This screen shot from the SEO Sploit Pack shows the effectiveness of various exploits targeting Java, PDF and Windows.

Note the number of Java exploits.

Avoiding Malware

Where the Malware is Built

SEO Sploit Pack:

This screen shot from the SEO Sploit Pack shows the effectiveness of various exploits targeting Java, PDF and Windows.

Note the number of Java exploits.

Out of date Java clients are very common.

Avoiding Malware

The Need to Patch, Patch, Patch

• As you can see, production of exploit code has been commoditized.

• The need for patching browsers, players, viewers and email programs has never been greater.

• Most of the viruses sent to campus via email and downloaded from websites were produced with these exploit kits that target common applications like:

– Java

– Flash Player

– Adobe Reader and Acrobat

– Media Player

– Internet Explorer

– Firefox

– Outlook

Nearly All PCs Run Insecure Software

• A survey of 20,000 computer systems running Microsoft Windows found that nearly all ran at least one program with a vulnerability that put the computer at risk.

• According to Microsoft's Security Intelligence Report, the US has 2.2 million PCs infected with bot software, more than any other country in the world.

• A survey found that only 1.9 percent of Windows systems that ran the Secunia Software Inspector utility for the first time had no out-of-date programs.

• About a third of the systems ran a vulnerable version of five or fewer programs, while nearly half of the machines ran 11 or more insecure applications.

Nearly All PCs Run Insecure Software

Microsoft Security Intelligence Report, SIRv11:

99% of infections were propagated through social engineering, AutoRun exploitation, file infection, and password attacks.

90% of the recorded attacks could have been prevented by a patch that had been available for at least a year

Avoiding Malware

The Need to Patch, Patch, Patch

• There are free tools to scan your PC and tell you what patches are available for your software:

Secunia Online Software Inspector:

http://secunia.com/vulnerability_scanning/online/

Qualys Browser Scanner:

https://browsercheck.qualys.com/

Firefox Plugin Check: - for Firefox users

http://www.mozilla.com/en-US/plugincheck/

Computer Security for Real People

• If malware on Social Networking sites wasn’t bad enough, there are websites with illegal tools for hacking Facebook, MySpace, Hotmail, Gmail, AOL, Yahoo accounts.

Pricing

Hacking Facebook, Hotmail, and Yahoo passwords are free. However, there is a small fee for the decryption of the passwords.

90.00 Euros: Will hack you only 1 password.

140.00 Euros: Will get you UNLIMITED password hacking. The best on the market today!!

Equivalent amount in USD, respectively is $100.00 and $150.00

1,500.00 Euros: We can sell the entire hacking system. This gives you access to the website and unlimited use forever. Even if you gain new email addresses from any computer and have this tool and be able to have a copy on disc.

Some Interesting New Features of Modern Malware

Creative Programming has created malware that:

1) Can run without administrator access

2) Doesn’t modify the registry

3) Doesn’t store any malicious code on disk

4) Uses your location to change behavior

Role of geographic IP Information

• It is quite common these days that distribution and execution of Trojans are geographic based.

• Based on the client IP address, the C&C servers will determine whether to infect a system at all or how to behave.

• Many versions of Mebroot, SpyEye and Zeus trojans use IP location data

• SpyEye’s billing hammer routes fake Credit card purchases through an IP in the geographic region of the stolen card owner’s zipcode.


Some Interesting Features of SpyEye

“Create task for billing” uses the billinghammer plug-in (which is under the Plug-ins button) to charge the collected credit cards to certain sites.

This way, a bot master can obtain direct financial gain from the stolen credit card data with less risk than buying goods online through Amazon and then using a drop to ship them to.

Main SpyEye Interface


Some Interesting Features of SpyEye

SpyEye runs without Administrator privileges and can steal all kinds of information, such as:

• Credit card numbers
• Online banking credentials
• Online account balances
• Online banking security questions and answers
• On-screen keyboard logins
• Login security certificates
• PayPal username/password
• Email username/password
• FTP username/password
• Facebook login

Main SpyEye Interface

SpyEye BoA Grabber Interface


Some Interesting Features of SpyEye

SpyEye Certificate Grabber Interface

SpyEye Certificate Grabber:

Some websites use these certificates to log users in, either as a substitute for or in addition to passwords.

This way, SpyEye is able to steal information for those website logins as well.


Some Interesting Features of SpyEye

The Statistic button gives an overview of the sites that the infected computers are going to the most.

Notice Facebook, Gmail, and Microsoft Live in the list.


Botnets Are Collecting Data On You and Your PCs

Three or more years ago, botnet operators focused on stealing email and password credentials, which were useful to spammers.

Now botnet controllers are building massive profiles on their users, including:

– Name
– Address
– Age
– Sex
– Financial worth
– Relationships
– Where they visit online

They sell this information, where it ultimately finds its way into legitimate lead generation channels.

Sites will buy the information stolen via botnets in bulk. In some cases, a company might pay $20-$30 for a qualified lead.

Alternatively, Botnets can be used to sign up individuals for all kinds of pay for registration schemes since they have all the data needed.


Botnets Are Collecting Data On You and Your PCs

Botnets are big business: How hackers can make $$$ with a botnet:

1. Trade in stolen email addresses, usernames, passwords
2. Trade in other profile information like name, address, OS, software installed, browser used
3. Pay-per-install malware.

In this scenario, bot agent malware is developed. Then the creator subscribes to a pay-per-install company in the criminal ecosystem to infect as many machines as possible.

To increase its own profits, the pay-per-install company will attempt to install more than one piece of malware. This makes removing all the malware difficult.


Digital Security Certificates

If you have a website:

Companies like GoDaddy and VeriSign can provide your site with a digital security certificate that certifies that you are who you say you are.

This helps visitors to your site have the confidence to become buyers and will often make a big difference in your perceived credibility.

The certificate has your company name and a certificate key, which works like a key or password. GoDaddy/VeriSign digitally sign your security certificate.

When you visit a website, your web browser gets the certificate key from the webserver.

An encryption algorithm is used to verify the key and thus the certificate is authentic.


Digital Certificate Attacks

Your computer’s operating system and some applications store lists of certificate signing companies they trust and know to be authentic.

In 2011, several certificate signing companies like Comodo and Diginotar were compromised and fraudulent certificates were signed for popular websites like Google, Gmail, Yahoo, Skype, Microsoft, CIA and Tor.

After a compromise, the certificates issued by the victim companies should not be trusted.

To update the lists of authentic certificate signing companies, your computer or applications need a patch.

You can also update the lists manually, but this requires knowing which certificate name to remove.

After the Diginotar certificate signing company was hacked, almost everybody issued patches to remove it from the trusted list. This includes:

Apple, Microsoft, Google, Mozilla, Opera, Thunderbird

Be aware that fake certificate updates are out there. You may get one in an email that appears to be from your bank, the FDIC, Microsoft, Homeland Security, the FBI or the IRS. Only install updates from legitimate sources, i.e. go to the bank website, Windows Update, Apple Software Update, etc.


Common Scams sent via e-mail to @ncsu.edu users

Viruses sent to campus email users included:

• Fake UPS, FedEx, DHL shipment notices in malicious PDFs
• Fake I.R.S. notices (tax payment due or denied)
• Fake denied electronic fund transfers (ACH)
• Fake credit card notices (card blocked, charge denied)
• Fake NYC traffic/parking tickets (speeding or illegal parking)
• Infected Office documents and PDFs sent as “Scans” from Hewlett-Packard Officejet

The Rise in Social Engineering attacks:

While not technically sophisticated, hackers have studied what emails you normally open and created malicious fakes to spread viruses and steal passwords.


Common Scams sent via e-mail to @ncsu.edu users

Infected Office Documents and PDFs sent as “Scans” from Hewlett-Packard Officejet or Xerox WorkCentre Pro

The attached files can vary but are along the lines of Xerox_Document_08.23_C11125.zip or Xerox_Scan_08.23_K1274.zip. The attached file is a Trojan downloader.


Common Scams sent via e-mail to @ncsu.edu users

Viruses sent to campus email users included:

• Fake UPS, FedEx, DHL shipment notices in malicious PDFs
• Fake I.R.S. notices (tax payment due or denied)
• Fake denied electronic fund transfers (ACH)
• Fake credit card notices (card blocked, charge denied)
• Fake NYC traffic/parking tickets (speeding or illegal parking)
• Infected Office documents and PDFs sent as “Scans” from Hewlett-Packard Officejet
• Fake trojan security updates from your bank in a .zip file
  - Trojan application update programs
  - Security Certificate Trojans
• Fake Facebook “messages waiting” notices that really led to Facebook viruses


Has Your Gmail Account been Hacked?

From: HACKED! Article in The Atlantic magazine

• Gmail user’s account was compromised and all email erased and purged: six years of email, 4+ GB of messages

• Hacker also changed password, recovery email address and mobile number to make taking control of the account difficult

• Scammers sent ‘Mugged in Madrid’ message to all addresses in address book asking to send money via Western Union

• At one point in the summer of 2011, scammers were making about $500/day running these scams.


Has Your Gmail Account been Hacked?

From: HACKED! Article in The Atlantic magazine

Consider what is stored in email accounts now:

• Electronic copies of bank statements
• Electronic copies of credit card statements
• Electronic copies of tax forms filed online
• Electronic copies of online trading accounts
• Retirement account information
• Receipts for all kinds of online purchases and bills
• Passwords to other websites
• Password reset links for other websites
• Medical information

Do you have backups? Do you need them?


Has Your Gmail Account been Hacked?

From: HACKED! Article in The Atlantic magazine

• After an account is compromised, hackers often add a redirect rule/filter so replies go to the hacker’s other account

• After sending scams to all your friends and contacts, the hacker may erase your address book so you will have a harder time telling others what happened

- Make a backup of your address book too.

Google Security sees 2000-3000 account compromises per day

At one point in 2011, 30% of the spam sent from @hotmail.com addresses was from compromised accounts


Gmail Account been Hacked? - Some Good News

From: HACKED! Article in The Atlantic magazine

• Google now has an Undeletion Program where email that is maliciously deleted and purged can be recovered within 30 days of the incident

• Google has a 2 factor verification system where you login with a password and a code sent to your cell phone as a TXT message.

- This should make account takeovers more difficult


Has Your Gmail Account been Hacked?

Check recent account activity


Has Your Gmail Account been Hacked?

Check recent account activity

This chart shows recent login times and locations, and whether the connection was via web browser, IMAP client or mobile app.

Be very suspicious of logins from other countries like Nigeria.

Turn on Alerts for unusual Activity


Has Your Gmail Account been Hacked?

Check These items if you suspect your account is compromised:

• Login History shows when the last 10 logins occurred and where from
• Check Sent mail for phishing messages or spam you didn’t send
• Check Trash mail for returned mail or excessive error messages
• Check Drafts mail for drafts of phishing emails ready to go
• Check inbox for excessive returned or bounced email that you didn’t send

• If you find evidence of account hijacking, change your password and check your Email Settings for:

  - Filters that the hacker added to redirect responses elsewhere
  - Forwarding that the hacker added to redirect messages elsewhere


Avoiding Phishing Attacks

Phishing Attacks in Last 12 Months

• Phishing attacks targeting NCSU: 125

• Accounts compromised via Phishing: 99

• Targeted Phishing has been going on for over 3 years now. Some new versions use webforms and forms attached to email.

• All email requests for your Unity Username and password are fraudulent.


Avoiding Phishing Attacks

Phishers and the lies they tell:

• Your email is over quota
• We are upgrading the email system and need your password
• You have sent too much spam
• There is a virus in the email system
• You need to upgrade your antivirus software
• We have too many accounts and are removing inactive ones
• You can get more email storage if you send your password in
• We’re sorry, but we made a mistake and now we need your password to finish our email upgrade
• Someone logged in from a suspicious IP, we think your account is hacked, send us your password to show it is OK.

Phishing attack summary


Avoiding Phishing Attacks

Phishing Attacks are Targeting Your NCSU Passwords

New phishing versions use webforms

From: Smith, Patricia [email protected]
To: [email protected]
Subject: Important Notice!!! Your Account Expires in 24 Hours

A Computer Database Maintainance is currently going on our Webmail Message Center. Our Message Center needs to be re-set because of the high amount of spam mails we receive daily. A Quarantine Maintainance will help us prevent this everyday dilemma.

To revalidate your mailbox Please Click on the link below:

http://webform-update.ucoz.org/submitform.html

Failure to revalidate your mailbox will render your e-mail in-active from our database.

Thanks
System Administrator


Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

New phishing versions use webforms and forms attached to email.


Phishing Attacks Sent to NCSU Campus

New phishing messages use webforms like this Google Doc spreadsheet

Hovering over the link, you can see the URL to:

https://docs.google.com/spreadsheet..


Phishing Attacks Sent to NCSU Campus

New phishing messages use webforms like this Google Doc spreadsheet


Phishing Attacks Sent to NCSU Campus

New phishing messages use webforms and HTML format.

Hovering over the link, you can see where the form is: www.sys-admin.co.cc


Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

New phishing versions use webforms and forms attached to email.

Phishers tend to use the same webservers over and over. Here are some common phishing form hosting sites:

http://webform-update.ucoz.org/submitform.html

http://www.my3q.com/home2/319/upgraeinbox/17067.phtml

http://www.my3q.com/survey/338/web121/79916.phtml

http://www.my3q.com/survey/337/mailboxconfirmation/80048.phtml

http://submitaccount2upgrade.9hz.com/

http://form0098.9hz.com

http://premiun.jotform.freehostia.com/phpformgenerator/use/Account1/form1.html


Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

Example of new phishing attack with HTML form attached to email.

Dear Account Owner:

We have reason to believe your webmail account was accessed by a third party. Because protecting the security of your account is important to us, we have limited access to your account.

OPEN AND COMPLETE THE FORM ATTACHED IN THIS MESSAGE TO REGAIN ACCESS TO YOUR ACCOUNT.

Also when you will complete the document we have sent, remember to ALLOW javascript to run from the bar that will pop-up, otherwise we cannot verify the information you have provided.

Attachment: AccountVerificationForm.html


Avoiding Phishing Attacks

Phishing Attacks Sent to NCSU Campus

Example of new phishing attack with HTML form attached to email.

Form opens in web browser and sends the username and password over the internet when submit is clicked with the mouse.
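The warning signs from the phishing slides (requests for a username or password, the recurring pretexts, links to free form-hosting sites, and HTML forms sent as attachments) can be combined into a simple mail triage check. This is an added example, not part of the original slides: the keyword list is an editorial reduction of the "lies they tell" slide, `make_message` is a hypothetical helper, and the sample messages and addresses are constructed from the two messages quoted above.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Free form-hosting domains that appear in the URLs on the slides above.
FORM_HOSTS = ("ucoz.org", "my3q.com", "9hz.com", "freehostia.com", "co.cc")
# Keywords distilled from the "lies they tell" slide (an editorial reduction).
PRETEXTS = ("over quota", "upgrad", "revalidate", "inactive", "expire",
            "suspicious ip")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
CRED_RE = re.compile(r"\b(password|username)\b", re.I)


def make_message(subject, body, html_attachment=None):
    """Build a constructed test message (hypothetical helper)."""
    msg = EmailMessage()
    msg["From"] = "System Administrator <admin@mail.example.net>"
    msg["To"] = "student@example.edu"
    msg["Subject"] = subject
    msg.set_content(body)
    if html_attachment:
        msg.add_attachment("<html><form></form></html>", subtype="html",
                           filename=html_attachment)
    return msg


def triage(msg):
    """Return a sorted list of reasons the message looks like phishing."""
    reasons = set()
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if name.endswith((".html", ".htm")):
                reasons.add("html-form-attachment")
            continue
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    body = "\n".join(texts)
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        # Match the domain itself or any subdomain, not a mere substring.
        if any(host == d or host.endswith("." + d) for d in FORM_HOSTS):
            reasons.add("link-to-form-host:" + host)
    if CRED_RE.search(body):
        reasons.add("asks-for-credentials")
    if any(p in body.lower() for p in PRETEXTS):
        reasons.add("known-pretext")
    return sorted(reasons)


# Constructed samples modelled on the two messages quoted on the slides.
WEBFORM = make_message(
    "Important Notice!!! Your Account Expires in 24 Hours",
    "To revalidate your mailbox Please Click on the link below:\n"
    "http://webform-update.ucoz.org/submitform.html\n")
ATTACHED_FORM = make_message(
    "Account access limited",
    "OPEN AND COMPLETE THE FORM ATTACHED IN THIS MESSAGE\n"
    "TO REGAIN ACCESS TO YOUR ACCOUNT.\n",
    html_attachment="AccountVerificationForm.html")
BENIGN = make_message(
    "Lecture moved",
    "Thursday's lecture is in room 204.\n"
    "Slides: https://www.example.edu/course/slides\n")

if __name__ == "__main__":
    for sample in (WEBFORM, ATTACHED_FORM, BENIGN):
        print(sample["Subject"], "->", triage(sample))
```

Keyword checks like these also fire on legitimate password-reset mail, so the result is a reason list for a person to review rather than a verdict.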


Avoiding Computer Theft

Computer Thefts in Last 12 Months

• Laptops: 21
• Desktops: 1
• Minis/netbooks: 1

* Statistics from NCSU Campus Police

5 stolen laptops have actually been recovered using the campus wireless network to track their location.


Avoiding Computer Theft

Laptop Tracking Software

• If your laptop or mobile phone is stolen, having tracking software installed makes it possible to find it.

• Install a tiny agent in your PC or phone, which silently waits for a remote signal to wake up and contact you with the device's location.

• This signal is sent from the Internet and allows you to gather information regarding the device's location, hardware and network status, what is on the screen and a picture of the room in front of the device.

• If you give this information to the Police, they can find your missing computer.


Avoiding Computer Theft

Laptop Tracking Software

• If your laptop or mobile phone is stolen, having tracking software installed makes it possible to find it.

• Download from http://preyproject.com

  Available for Windows 2000/XP/Vista/7 (32 and 64 bit available), OS X and Linux. Android too.

• Choose Stand Alone Mode

• Enter your website information

• Enter your email address and SMTP server address


Avoiding Computer Theft

Prey Laptop Tracking Software

In Stand Alone mode, you have complete control of how the software works

In Control Panel mode, you use the preyproject website to control the program

In Stand Alone mode, the program checks every 10-20 minutes for a web page on your website

If your laptop or device is stolen, erase the page from your website and Prey will start sending reports when it is online.


Avoiding Computer Theft

Laptop Tracking Software

The Prey report emailed to your account will show the approximate location of your laptop:

lat=35.7885825 :: lng=-78.6708385 :: accuracy=52.0

Public network IP and gateway IP:

public ip=75.200.169.17 :: internal ip=75.200.169.17 :: gateway ip=75.200.169.17 ::mac address=00-50-56-C0-00-08

The current logged in username and uptime:

logged user=tsgurgan :: uptime=\SECURITY-LAPTOP has been up for: 6 day(s), 6 hour(s), 52 minute(s), 10 second(s)

As well as a screen shot of the desktop and a photo from the webcam if possible.
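The report lines above follow a `key=value :: key=value` layout, which is easy to turn into a summary to hand to the police. This is an added example, not code from the slides or from the Prey project: the parser is written only against the three lines shown here, and the `behind_nat` and `public_ip_routable` fields are interpretations added by this example.

```python
import ipaddress

# Report lines copied from the slide above.
SAMPLE_REPORT = """\
lat=35.7885825 :: lng=-78.6708385 :: accuracy=52.0
public ip=75.200.169.17 :: internal ip=75.200.169.17 :: gateway ip=75.200.169.17 ::mac address=00-50-56-C0-00-08
logged user=tsgurgan :: uptime=\\SECURITY-LAPTOP has been up for: 6 day(s), 6 hour(s), 52 minute(s), 10 second(s)
"""


def parse_report(text):
    """Split 'key=value :: key=value' lines into a dict with normalised keys."""
    fields = {}
    for line in text.splitlines():
        # '::' separates fields; single ':' inside a value (uptime) is kept.
        for chunk in line.split("::"):
            key, sep, value = chunk.partition("=")
            if sep and key.strip():
                fields[key.strip().lower().replace(" ", "_")] = value.strip()
    return fields


def summarize(fields):
    """Pick out what an investigator needs and sanity-check the addresses."""
    public = ipaddress.ip_address(fields["public_ip"])
    internal = ipaddress.ip_address(fields["internal_ip"])
    return {
        "coordinates": (float(fields["lat"]), float(fields["lng"])),
        "accuracy": float(fields["accuracy"]),
        # A routable public IP is what an ISP can map to a subscriber.
        "public_ip": str(public),
        "public_ip_routable": public.is_global,
        # Same public and internal address: no NAT router in between.
        "behind_nat": public != internal,
        "mac": fields["mac_address"].replace("-", ":").lower(),
        "user": fields["logged_user"],
    }


if __name__ == "__main__":
    for name, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(name, "=", value)
```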


Avoiding Computer Theft

Laptop Tracking Software

With the information in the report, Police can track down the street address of your computer.


Avoiding Computer Theft

Laptop Tracking Software

Installing Prey on OS X:

Mac Install


Avoiding Computer Theft

Laptop Tracking Software

Installing Prey on Windows:

