Security Briefs
E-mail fraud and vulnerabilities, plus the impact of Microsoft's source code leak
by Mathew Schwartz
2/25/2004
E-mail Fraud and Phishing Attacks Jump
Reports of e-mail fraud and phishing attacks increased 50 percent last
month, according to research from Tumbleweed Communications and the
Anti-Phishing Working Group. On average, consumers received 5.7 new
attacks each day.
Phishing attacks, as Tumbleweed explains, “involve the mass
distribution of ‘spoofed’ email messages with return addresses, links,
and branding which appear to come from banks, insurance agencies,
retailers or credit card companies.” The goal is to get the recipient
to enter personal information—bank account numbers, PINs, or
passwords—into a form on the spoofed page. Such data is immediately
relayed back to the attacker, or “phisher.”
In January, 176 new phishing attacks were reported to the
Anti-Phishing Working Group, a 52 percent increase over December. Other
interesting findings, according to the group: eBay was the company most
often impersonated by phishers to dupe recipients, and eight percent of
phishing e-mails used a recent Microsoft Internet Explorer
vulnerability to disguise their true URL. Also, phishing attacks are
growing even more dangerous, since some attacks now “fool recipients
into downloading keyloggers and other Trojan programs,” says the group.
On average, says Tumbleweed, up to five percent of recipients
respond to any one message. The repercussions can include identity
theft for customers (and the associated headaches), loss of sensitive
corporate information, plus financial loss for consumers and
corporations.
Organizations should consider blocking fraudulent e-mails when
investing in new messaging security products, says International Data
Corp. analyst Brian Burke. “Enterprises need to accurately distinguish
valid email from illegitimate messages, and ensure that their employees
are protected from scams designed to obtain personal identity
information. There is increasing demand for messaging security
solutions that protect enterprises from potentially significant losses
caused by e-mail fraud.”
Link: http://www.antiphishing.org
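The spoofing signals described above (a return address that does not match the claimed sender, and links whose branding names one site while the URL goes elsewhere) can be checked mechanically at the mail gateway. The following is an added example, not code from the brief or from any vendor it names; the sample messages are constructed, the domains and the 203.0.113.5 address are placeholders, and the userinfo check covers one general way a URL can hide its real host, since the brief does not say which Internet Explorer bug the phishers used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)

def registered_domain(host):
    # Crude registrable domain: the last two labels (enough for these samples).
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()

def link_findings(html):
    # Flag links whose visible text names one site while the href goes to another,
    # and hrefs that hide the real host behind a userinfo '@' (bank.example@<host>).
    findings = []
    for href, text in HREF_RE.findall(html):
        parts = urlsplit(href)
        host = parts.hostname or ''
        if parts.username is not None:
            findings.append('userinfo-hidden-host:' + href)
        m = DOMAIN_RE.search(re.sub(r'<[^>]+>', '', text))
        if m and registered_domain(m.group(1)) != registered_domain(host):
            findings.append(f'text-host-mismatch:{m.group(1)}->{host}')
    return findings

def analyze(raw):
    # Return the spoofing indicators found in one raw message (headers + body).
    msg = message_from_string(raw)
    findings = []
    from_dom = registered_domain(parseaddr(msg.get('From', ''))[1].split('@')[-1])
    reply = parseaddr(msg.get('Reply-To', ''))[1]
    if reply and registered_domain(reply.split('@')[-1]) != from_dom:
        findings.append(f'reply-to-mismatch:{from_dom}->{reply}')
    body = msg.get_payload(decode=True).decode('utf-8', 'replace')
    return findings + link_findings(body)

# Constructed samples; bank.example, mail-check.example and 203.0.113.5 are placeholders.
PHISH = '''From: "Bank Example" <alerts@bank.example>
Reply-To: verify@mail-check.example
Content-Type: text/html

<p>Please confirm your account.</p>
<a href="http://www.bank.example@203.0.113.5/login">www.bank.example/login</a>
'''
LEGIT = '''From: "Bank Example" <alerts@bank.example>
Content-Type: text/html

<p>Your statement is ready.</p>
<a href="https://online.bank.example/statements">online.bank.example</a>
'''
```

Running `analyze(PHISH)` yields three findings (reply-to mismatch, userinfo-hidden host, text/host mismatch) while `analyze(LEGIT)` yields none; the domain comparison is deliberately crude and a production filter would use a public-suffix list.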
Microsoft Source Code Leak Could Herald New Attacks
Weeks after Microsoft revealed portions of its Windows NT and 2000
source code were stolen and posted on the Internet, experts are still
debating the security repercussions of the leak.
Most agree that it will take some time, but they expect viruses to
become more virulent than ever before. Even if the severity doesn’t
shock users, the shrinking window between a vulnerability’s disclosure
and the appearance of exploit code will still cause headaches for many
security managers.
For example, sample exploit code based on the source code took only
four days to appear online. That gives virus writers a “path for a worm
exceeding the size and scope of Blaster,” says Jeffrey Guilfoyle, vice
president of e-security at managed security services provider
Solutionary. “Coupled with the recent leak of Microsoft’s Windows
source code, virus writers have tools at their disposal as never
before.” He recommends companies get their patch management approach
worked out now. “Corporations are being given less and less time to
react and secure their networks and systems from threats.” Furthermore,
“there is no reason to believe things are going to get any calmer.”
Two New Threats Arrive in E-mail
Symantec warned of two new threats: W32.Netsky.B@mm, and
W32.Beagle.B@mm. Netsky.B, says Symantec, “is a mass-mailing worm that
uses its own SMTP engine to send itself to the e-mail addresses it
finds when scanning the hard drives and mapped drives.” In addition,
should a user activate the worm, it will search the user’s hard drive
for any folder names containing the words “share” or “sharing”—common
for file-sharing programs such as Kazaa—and copy itself to those
folders, presumably to spread more easily.
Beagle.B is a mass-mailing e-mail worm that, if executed, “opens a
backdoor on TCP port 8866,” which can allow an attacker to upload files
to the infected computer, according to Symantec. The worm can also send
the attacker the port number, and an identification number (perhaps for
tracking). The worm also spreads via its own SMTP engine.
Symantec notes, “W32.Beagle.B@mm is coded to stop at the end of February 25, 2004.”
Netsky.B information: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.html
Beagle.B information: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.b@mm.html
Mathew Schwartz is a Contributing Editor for Enterprise Systems and
writes its Security Strategies column, as well as being a long-time
contributor to the company's print publications. Mr. Schwartz is also a
security and technology freelance writer. You can contact Mathew
Schwartz about Briefs at Mat@PenandCamera.com