Gladiator Research and Security

Gladiator has received reports that an old email scam regarding domain registry has resurfaced, and the amount of scam-related emails sent to website owners has picked up greatly.  Basically, the scammers will send a deceptive email to a user at the organization, usually the person whose name is listed as registering the website or the CEO of the organization, if this information is listed on the public-facing website.  The email states that the organization’s domain registration is going to expire in Asia, and directs the organization to send money to a domain registrar in order to keep others from buying the domain space.  (A perfect example of one of these scam emails can be seen by clicking here.)  Most of the scam email examples that Gladiator has seen have been sourced from China or other nations in Asia.  Basically, these scammers are instigating fear on the part of the unsuspecting user by suggesting that his organization may lose its domain space (.com address) unless he acts as they direct.

Now that the Internet has been around for some time, users are starting to become more adept at protecting themselves from Web-based threats.  Users have learned that certain parts of the Web or Web pages, like advertisements, can pose a security threat and, therefore, will avoid clicking on them.  Unfortunately, the malware writers have also noticed the trend and continue to come up with new ways of distributing their malicious applications.  The most popular method used for the past year is called Drive-by Downloads.  The term Drive-by Download means users become infected simply by surfing an exploited Web page and are completely unaware of the malicious file download occurring in the background.  Web browser exploits (such as IE, Firefox, Safari, etc.) and other third party application exploits (such as Adobe Reader, Microsoft Excel, etc.) can potentially allow remote code execution, which can lead to a malicious file download which is completely invisible to the user.  Fake pop-ups that look legitimate, often cleverly masqueraded as anti-virus solutions, are also a popular method of tricking a user into either clicking on the pop-up to close it or following the instructions on the pop-up, both of which result in malicious file downloads.

Happy Holidays!  This is just a reminder that the Holidays are always a very active time for the “bad guys.”  Malware writers and phishers prey on our cheery attitudes and overactive messaging habits to slip in malicious emails.  There are a few popular attacks that pop up like clockwork around the holidays each year, and so you should make your users aware of these attacks.

Over the past year, security researchers found many new Web attacks indicating that the “bad guys” have come up with some rather advanced methods to accomplish their dirty deeds.  In the past few months alone, two particular banking attacks have been detected that demonstrate the sophisticated methods being used to steal money from online banking users.  In the first attack method, dubbed “Chat-in-the-Middle,” the fraudster creates a fake support chat session with his victim by claiming to be from the bank’s fraud department.  The fraudster then uses social engineering techniques to attempt to gather further information from the unsuspecting victim.  The second attack, a Trojan known as URLZone, involves editing a user’s banking website to hide money transfer transactions started by the attackers.  This technique gives attackers ample time to transfer the funds through “money mules” and, eventually, into their own accounts, well before the attack is ever spotted by the victim.

We’ve all noticed the trends lately which suggest that new malware is being written at an ever-increasing pace.  It seems like each day a new threat is discovered by security professionals.  However, anti-malware products seem unable to keep up with the pace set by the malware programmers.  So, what can be done to combat this discrepancy?  Have you heard of software “sandboxes”?  Read on and we’ll discuss some options available to help you fight in the war against malware.

Microsoft has announced three new patches for its monthly release cycle.  One patch is rated critical, and affects both server and client operating systems.  This patch covers a remote code execution vulnerability, and should be patched as soon as possible. The other two patches are rated important, and only affect servers.  These vulnerabilities could allow spoofing, but not remote code execution.

Security researchers have seen a new worm, called Waledac, quickly spreading throughout many networks.  Many of these researchers feel that Waledac bears a striking resemblance to one of the most devastating worms of all time, Storm.  Like the Storm worm, Waledac is spread through emails that appear to be holiday themed “e-cards.”  So far, users and researchers have seen both Christmas and Valentine’s Day e-cards being used.