A couple of interesting articles from the always awesome Bank Info Security today, noting that various forms of phishing are increasing. First up, the Anti-Phishing Working Group (APWG) reported that all types of phishing are on the rise. In the APWG's report for the third quarter of 2009, phishing reports to the organization rose to a record 40,621 (in August 2009). More, including some quotes from the APWG's chairman, Dave Jevans, here:
BankInfoSecurity: Phishing Trends: Numbers up, Corporate Accounts Targeted
Phone-based phishing scams (often called "vishing" - for VOIP or voice phishing) have also surged recently. In an article out today (Vishing Scam: Four More States Struck, Five Institutions Say Customers Received Fraudulent Calls) Linda McGlasson at BankInfoSecurity reports that:
"Financial institutions in Michigan, Wisconsin, Minnesota and Mississippi report being hit by these "vishing" attacks in the past two weeks. Five different institutions -- three credit unions and two banks - say their customers have received vishing calls from fraudsters."
The article includes details of the various attacks.
Links:
Phishing Trends: http://www.bankinfosecurity.com/articles.php?art_id=2119&rf=013010eb
APWG Report: http://www.antiphishing.org/reports/apwg_report_Q3_2009.pdf
New Vishing Attacks: http://www.bankinfosecurity.com/articles.php?art_id=2138
For reasons we discuss regularly in this blog, more and more enterprises are choosing to move email security functions "to the cloud" and today's announcement from Proofpoint offers yet another example.
Headquartered globally in Paris, web and audio conferencing vendor Arkadin found that its previous on-premises email security solution was suffering from poor anti-spam accuracy and imposing too many administrative burdens on IT staff. So they looked for new solutions that provided better effectiveness versus email-borne threats as well as reduced administration time and reduced TCO.
Arkadin found that adopting Proofpoint's SaaS email security solution gave them the features and savings they were looking for, without sacrificing control and customizability. Proofpoint ENTERPRISE now protects 1000 Arkadin end-user inboxes worldwide. Says Arnaud Lejeune, executive president of operations for Arkadin:
“We needed an email security solution with better performance that was also reliable and easy to manage. Proofpoint ENTERPRISE delivered on all of those requirements and more. By moving to Proofpoint’s cloud computing-based email security solution, we’ve greatly reduced our costs, effectiveness in stopping spam has been incredible and performance is guaranteed by service level agreements. It’s the perfect solution for enterprises faced with these problems.”
Arkadin’s information services team was also impressed by the level of customization enabled by Proofpoint’s SaaS email security solution.
“Even though it’s a SaaS solution, Proofpoint ENTERPRISE gives us a level of control and configurability comparable to on-premises appliances,” said Jean-Claude Asseufi, global IS support manager at Arkadin. “Everything is managed by a centralized, Web-based management console, so we can easily make changes and get complete visibility into our email systems.”
You can read the full press release here:
Arkadin Deploys Proofpoint ENTERPRISE SaaS Email Security to Stop Spam and Viruses, Simplify Administration
If you'd like to learn more about the advantages of moving email security to the cloud and tips on what large enterprises should look for when buying security-as-a-service, register for our next live web seminar at the following link:
Web seminar: SaaS and the Global 2000: Best Practices for Deploying Security-as-a-Service http://www.proofpoint.com/id/enterpriseSaaS/index.php
A couple of "last chance" reminders today: First, Gartner's most recent "Magic Quadrant for E-mail Security Boundaries" published in 2008 is about to be retired as an updated quadrant will debut in the first half of 2010.
You can still get a complimentary copy of that document from Proofpoint (until December 11th, 2009) at the following URL:
http://www.proofpoint.com/id/gartner-email-security-magic-quadrant/index.php
After 12/11/09, you'll have to wait until Gartner publishes an updated Magic Quadrant on email security, probably not available until Q2 of 2010.
Gartner, Inc. positions Proofpoint in the Leaders quadrant in its 2008 Magic Quadrant for the Email Security Boundaries (anti-spam, anti-virus, outbound content filtering, email encryption, intrusion prevention market). While consolidation in the email security market means that the market landscape is rather different today than when this report was first published, it still provides some great insight into what enterprises should look for when buying email security solutions and the comparison of the various vendor solutions is still quite useful.
Second, our next live Proofpoint webinar, "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" is just a week away (Wednesday, December 9th at 2:00 PM ET, 11:00 AM PT).
This is an extremely popular topic right now and there are already more than 750 attendees signed up. As usual, if you can't make it to the live webinar, just register and we'll send you a replay as soon as it's available.
Hard to believe it's the holiday season already, but here in the US, Thanksgiving is next week, bringing with it what are usually two of the biggest shopping days of the year: so-called "Black Friday" (the day after Thanksgiving) and "Cyber Monday" (the Monday after Thanksgiving). Spammers and scammers traditionally observe these days as well, increasing their holiday-themed scams at this time.
So, as is traditional this time of year, Proofpoint has issued its updated list of rules for staying safe online during the busy holiday shopping season. Longtime Proofpoint followers will remember our "Five Golden Rules" for online safety, but things have gotten so bad this year that we expanded the list with two new tips... making this "Seven Simple Rules."
You can find the full press release, "Stay Safe Online This Holiday Season by Following Proofpoint’s Seven Simple Rules," here, but I've reproduced the rules themselves below. Feel free to share these with your email users, friends and family!
1. Be aware: View with suspicion any email with requests for personal IDs, financial information, user names or passwords. Your bank, online services, government agencies or legitimate online stores are unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email.
Today’s malicious emails and phishing attacks are disguised as communications from all sorts of organizations, including government agencies, software vendors and money transfer services, as these examples from the Proofpoint Email Security Blog show.
2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments from anything but 100 percent trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.
3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure.
4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site and ensure that the page you are using is secure before entering sensitive information.
5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during this time of continued economic unease and during the holiday shopping season. If you see anything suspicious, contact the financial institution immediately.
6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook and Twitter are increasingly used to deliver the same kinds of scams and malicious links to unsuspecting users. Spammers and malware writers are riding the social media wave, commonly using malicious, but convincing, emails that masquerade as notifications such as friend requests or message notifications. Keep all of the preceding tips in mind when using the latest communication tools.
7. Make security your first stop: If your holiday includes giving or receiving a new computer, netbook or upgraded operating system, install a good desktop anti-virus or Internet security solution before doing anything else online. Reputable vendors include F-Secure, McAfee and Symantec. Be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers commonly lead to fraudulent anti-virus solutions that are actually malicious software.
However you choose to observe them, make it a happy and safe holiday season!
Social media sites are hot and spammers and scammers have fully embraced the trend as well. We're seeing more and more malicious emails that masquerade as social media notifications such as friend requests, policy changes, etc.
Today, I'm seeing a lot of phishing and malware-infected emails in my personal spam traps spoofing Facebook's login system. There are at least three variations on this (probably many more) that I've spotted. All of them have "from" lines using "facebookmail.com" as the domain. (Note that Proofpoint's anti-spam and anti-virus features block all of these messages.)
First up, there's a message with subject line "Facebook updated account agreement" that also features a zip attachment that is surely some sort of malware. As is usual for phishing/malware email attacks, this message encourages the user to urgently "submit a new, updated account agreement"; otherwise, your account will be "restricted." (Click the thumbnail at left for a full-size jpeg sample of this email.) Need I stress that you should not download, unzip and run that attachment?
Similarly, I'm seeing phishing emails that have malicious links as their destination. Two different variations are depicted in the thumbnails at left (again, you can click to show a full-size jpeg sample). One uses the subject line "Facebook Update Tool", the other is "new login system."
Both emails use similar body copy that includes the following text:
Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
Please click on the link below to update your account online now:
[malicious URL deleted]
If you have any questions, reference our New User Guide.
Thanks, The Facebook Team
The URLs in these messages link to fraudulent sites, of course. Recipients are advised never to click on links in email.
One of the interesting things about working in email security is that the problems we solve are extremely horizontal—every organization needs anti-spam, anti-virus and email policy enforcement features. So one gets exposed to many different types of companies in this line of work. Case in point: Proofpoint issued a customer case study press release today about Dakota Growers Pasta Company, which is apparently the third largest pasta manufacturer in North America.
Like so many enterprises today, when it came time to re-evaluate its email security solution, Dakota Growers opted for a SaaS (Software-as-a-Service) solution for stopping email spam and malware. Using Proofpoint PROTECT, one of our SaaS email security solutions, provided a better-performing, more cost-efficient way for the company to deal with email security issues. Dakota Growers's director of IT, Jeffrey Strang, says:
"We wanted a solution that resided outside of our own network, as we've had issues in the past with email security software impacting our hardware assets. Proofpoint PROTECT was our first experience with a SaaS solution of any kind, but given the positive results we've achieved with Proofpoint, we're actually moving to hosted solutions in other areas of our business."
As I've noted before, moving inbound email security features to the cloud is pretty much a "no-brainer" for companies of any size. By deploying Proofpoint PROTECT, Dakota Growers has radically reduced the volume of spam and virus-infected email entering its network, making employees more productive and reducing the time that IT staff spends on email security-related administration and helpdesk tasks to near zero.
If you'd like to learn more about using cloud computing to solve your organization's email security challenges, attend our next live web seminar, Wednesday, November 18th. To register, please visit the link below:
- Register for "Cloud Computing Confusion: Is SaaS Email Security Right for Your Enterprise?"
And here's a little bonus for reading this far: Apparently, the other type of spam (the canned meat product) makes a fine addition to any sort of pasta. Here's a recipe for angelhair pasta with spam cream sauce. Enjoy.
The FDIC (Federal Deposit Insurance Corporation) issued a consumer alert today, noting that they have received many reports of fraudulent email purporting to be from the FDIC. In its warning (see "E-mail Claiming to Be From the FDIC – October 26, 2009"), the FDIC notes:
The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.
The subject line of the e-mail states: “check your Bank Deposit Insurance Coverage.” The e-mail tells recipients that, "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.”
The e-mail then asks recipients to “visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage” (a fraudulent link is provided). It then instructs recipients to “download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage.”
This e-mail and associated Web site are fraudulent. Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft.
The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and consumers should NOT follow the link in the fraudulent e-mail.
Good advice, of course! I took a quick look in Proofpoint's spam traps today and, indeed, these emails seem to be very widespread. (Note: Proofpoint's anti-spam solution accurately identifies all variations of these as spam.)
Subject lines I have observed for these emails include:
- FDIC has officially named your bank a failed bank
- you need to check your Bank Deposit Insurance Coverage
- FDIC alert: check your Bank Deposit Insurance Coverage
The body of these messages is all very similar and reads as follows:
You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.
You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
Visit FDIC website: [malicious URL removed]
Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage
Federal Deposit Insurance Corporation
These emails are very similar to the "IRS Notice of Underreported Income" and "Critical Update for Microsoft Outlook" emails I've noted recently and I suspect they are an attempt to install similar malware.
It wouldn't be Halloween without a few spooky stories now, would it? People seem to love our regular round-ups of email blunders, so just in time for Halloween, Proofpoint put together some of the "scariest" email-related blunders, mishaps and threats from the past few months.
We've omitted some of the super-high-profile events that you're probably well aware of by now (such as the loss of Sidekick mobile phone users' data and the subsequent efforts to restore that data, and widely-reported email delays at Google's Postini email security service) in favor of some of the stories that, while not as widely reported, provide a few "teachable moments" about email security.
In no particular order, Proofpoint highlights some of this year’s email mishaps below:
1.) Trojan Horse Empties Bank Accounts
In September, it was reported that a banking Trojan horse, dubbed URLZone, had thwarted fraud detection systems, to enable software to actually steal money while users are logged in to their accounts and display a fake balance. Victims’ computers were infected either by clicking on a malicious link in an email or visiting a Website that has been compromised with hidden malware. The Trojan also kept a log of the victim's bank account login credentials, took screenshots, and snooped on the user's other Web accounts, such as PayPal, Facebook, and Gmail.
Article here »
2.) FBI Forgery
The wife of FBI Director Robert Mueller banned him from online banking after he nearly fell for a phishing scam. Mueller received a seemingly legitimate email from what he thought was his bank, which prompted him to verify some information. He even went as far as filling out some of his personal information before realizing it might not be a great idea. He said he barely caught himself in time before falling victim to the scam. As a result, he changed his passwords and tried to pass the incident off to his wife as a “teachable moment.” However, that did not stop Mrs. Mueller from sanctioning Mr. Mueller’s online activities.
Article here »
3.) White House Adopts Spammer Tactics
In August, the White House emailed thousands of messages to Americans detailing its stance on the contentious issue of healthcare reform from an email account created to gather and dispel rumors, but some recipients claimed the messages were unsolicited. The White House acknowledged the unsolicited email and blamed third-party groups for the mass email.
Unfortunately, the damage was already done. Critics questioned whether the White House used address-gathering tactics similar to those employed by spammers.
Article here »
4.) Hotmail Phishing
Most recently, more than 10,000 Hotmail accounts were compromised in October and passwords were posted on several Websites where developers typically share programming code. News site Neowin reported it had seen part of the list, which has since been removed, and notified Microsoft of the issue. In this phishing scam, hackers sent out legitimate-looking emails under the letterhead of banks, eBay and other institutions, telling consumers they needed to reset online passwords to their Web sites for security purposes.
Article here »
It seems that many of the affected account holders could have used a password reset. Security researchers with copies of the exposed passwords reported that “123456” was the most commonly used among them.
Article here »
5.) Start-up Suicide
Back in September, social media advertising and applications start-up RockYou sent out a mass email to their customers and associates announcing their new site redesign, but instead of using BCC:, they displayed the entire mailing list of over 200 email addresses in the CC: field. Not surprisingly, many of those addresses ended up on a spammer’s list.
Two months later, the start-up sent out another mass email using a mailing list. Unfortunately, the email asked contractors to provide information for their W9 tax forms. This resulted in people inadvertently sending personal information to the entire mailing list.
Email may not be as trendy as social networks, but companies still need to use both properly.
Article here »
6.) Judge Orders Gmail Account Deactivated
In August, Wyoming-based Rocky Mountain Bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address. When the bank realized the problem, it sent a message to that same address asking the recipient to contact the bank and destroy the file without opening it.
No one responded, so the bank contacted Google to ask for information about the account holder. U.S. District Court Judge James Ware in the northern district of California ordered Google to deactivate the email account and also disclose the Gmail account holder's identity and contact information. The Gmail user hasn't been accused of any wrongdoing, but someone at the Bank should be a little more careful when typing in the TO: field in an email.
Article here »
7.) Payroll Panic
Payroll processor PayChoice was the victim of a Website breach in which customers received targeted emails purporting to be from the company, but were designed to trick people into downloading malware. Workers received emails that directed them to download a browser plug-in or visit a Website to continue accessing the Onlineemployer.com PayChoice portal.
Clients were notified within hours and the site was shut down. It was later learned that the emails were sent from a Yahoo! email account and the links were hosted from servers in Poland.
Article here »
8.) UK Tax Terror
Britain’s tax authority, HM Revenue & Customs, issued a warning about a rash of scam emails that used convincing (but fake) government email addresses in an attempt to lure recipients into divulging their personal information to receive a tax refund. The scam messages claimed that recipients were entitled to a tax refund and asked for bank or credit card details, so that the fictitious refund could be paid out.
Like most legitimate businesses and government organizations, the HMRC stressed that it would not inform citizens of a tax rebate via email, nor would it invite them to complete an online form to receive a tax rebate.
Article here »
9.) Death, Taxes and Phish
In September, a fake email notice that purports to come from the Internal Revenue Service continued to make the rounds, widely ramping up attacks against businesses and individuals. The attacks were concealed in a bogus email containing a subject line of “Notice of Underreported Income,” according to US-CERT. The emails contained a link or an attachment that, if opened, will infect users with the Zbot/Zeus Trojan, a nasty credentials-stealing program that seeks to compromise banking login information.
Proofpoint reports that these phishing emails continued to be widely circulated as the October 15th deadline for filing extended tax returns approached.
Article here »
10.) UCSD Fake-Out
28,000 students were turned away from UC San Diego in one of the toughest college entrance seasons on record after a particularly cruel twist in the perils of instant communications. All 46,000 students in the entire freshman applicant pool received the same misfired message of acceptance, which could have led to the largest freshman class at any university globally.
The 18,000 students who were actually accepted breathed a sigh of relief. Unfortunately, the rest of the applicant pool had to march on in the grueling college application process.
Article here »
You can find Proofpoint's full press release here:
"Hallowee-mail Horrors": Proofpoint Identifies the Top 10 Terrifying Email Blunders of 2009
So, I haven't personally seen any Windows 7 themed spam or malicious emails reported by other vendors (though I presume our Proofpoint spamtraps are chock full of related badness)... but I'm seeing my personal "spamtrap" type accounts getting hit with a lot of the little lovely pictured at left (click it for full-size sample).
This is another blended threat email trying to trick users into installing the ZBot trojan (just like the "IRS Notice of Underreported Income" spam I reported on recently).
This email purports to be a communication from Microsoft with subject lines like "Critical Update for Microsoft Outlook" or "Microsoft has released an update for Microsoft Outlook."
It goes on to describe a supposedly critical update to Microsoft Outlook / Outlook Express (complete with legitimate-sounding Microsoft knowledge base ID "KB910721") and a link to a complicated-looking Microsoft-type URL.
However, rather than pointing to Microsoft, the destinations for these links are malware sites hosting ZBot. All the ones I've seen were in the .eu domain. Need I even say it? "Don't click or follow these sorts of links."
The message itself looks fairly convincing as it's formatted quite a bit like Microsoft's actual online knowledge base pages and, well, it's boring but functional. Of course, Microsoft doesn't go around emailing users with links to updates like this. In fact, Microsoft has been spoofed by such messages for quite some time and there is even a real Microsoft Knowledge Base article - last updated November 5, 2008 - about these types of emails (which have apparently been used to distribute other malware including Haxdoor):
http://support.microsoft.com/kb/959318/
The full text from a sample of this spam message reads as follows:
Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest level of security and stability.
Instructions
To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
[Link to malware site disguised as Microsoft "Office Update" type link]
Quick Details
File Name: officexp-KB910721-FullFile-ENU.exe
Version: 1.5
Date Published: Fri, 23 Oct 2009 13:42:20 -0300
Language: English
File Size: 100 KB
System Requirements
Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
This update applies to the following product: Microsoft Outlook / Outlook Express
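The Facebook, FDIC and Outlook lures described in these posts share one tell: the message claims a brand, but its links or attachment do not belong to that brand. The following is an added example, not code from the original posts or from Proofpoint, that checks a raw message for that mismatch. The brand-to-domain map, the sample messages, the `.example` host names and the attachment name are constructed assumptions.

```python
# Added example, not from the original posts. All sample messages are constructed.
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative map of brand keyword -> domains its real links use.
BRAND_LINK_DOMAINS = {"facebook": {"facebook.com"},
                      "microsoft": {"microsoft.com"}, "fdic": {"fdic.gov"}}
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".zip")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def claimed_brand(msg):
    """Brand keyword found in the From header or Subject, if any."""
    display, addr = parseaddr(msg.get("From", ""))
    haystack = f"{display} {addr} {msg.get('Subject', '')}".lower()
    return next((b for b in BRAND_LINK_DOMAINS if b in haystack), None)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    brand, findings = claimed_brand(msg), []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, text in collector.links:
            host = urlsplit(href).hostname or ""
            if brand and not host_in(host, BRAND_LINK_DOMAINS[brand]):
                findings.append(f"{brand} lure links to {host}")
            if "." in text and " " not in text:  # the link text is itself a URL
                shown = urlsplit(text if "://" in text else "//" + text).hostname
                if shown and not host_in(host, {shown}):
                    findings.append(f"text shows {shown}, href is {host}")
    return findings

def sample(sender, subject, html=None, attachment=None):
    """Build a constructed test message and return it as raw text."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(html or "See the attached file.",
                    subtype="html" if html else "plain")
    if attachment:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()

# Constructed samples modelled on the subject lines quoted in the posts.
OUTLOOK_LURE = sample(
    "Microsoft Update Center <update@sender.example>",
    "Critical Update for Microsoft Outlook",
    html='<a href="http://update.microsoft.com.host.example/KB910721">'
         "http://update.microsoft.com/KB910721</a>")
FACEBOOK_ZIP = sample("Facebook <notice@facebookmail.com>",
                      "Facebook updated account agreement", attachment="agreement.zip")
GENUINE = sample("Facebook <notice@facebookmail.com>", "You have a new message",
                 html='<a href="https://www.facebook.com/messages">Open</a>')

if __name__ == "__main__":
    for raw in (OUTLOOK_LURE, FACEBOOK_ZIP, GENUINE):
        print(triage(raw))
```

The suffix match in `host_in` is what defeats the "Microsoft-type URL" trick: a host that merely contains `microsoft.com` as leading labels does not end in `.microsoft.com`, so it is reported.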
So the big IT news this week is, of course, the launch of Microsoft's Windows 7 operating system tomorrow (Thursday, October 22, 2009). While the jury's still out on whether widespread Windows 7 adoption will improve security in a global sense, it does look like there are some solid new security features that could definitely help decrease malware propagation as well as preventing data breaches from lost or stolen devices (with the inclusion of BitLocker drive encryption that can now support USB removable devices, i.e., "BitLocker to Go").
PC World has a nice overview of some of the core Windows 7 security features including a short primer on how to protect drives with BitLocker. This seems like one of the most dramatic improvements to me (as our own research found that more than 20% of large enterprises investigated a data breach due to lost or stolen devices and media in just the past 12 months). Find that overview here:
PC World: A Guide to Windows 7 Security
CNET's download.com site has a slideshow tour of some of the security-related interfaces in Windows 7 including shots of the security Action Center and User Account Control panel with some easy-to-digest commentary:
CNET: Security in Windows 7 Slideshow
Of course, some things haven't changed over previous versions of Windows. Our friends at F-Secure have previously pointed out that the Windows Explorer default of hiding file extensions for known file types represents a security problem because that makes it more likely for users to inadvertently run malware executables that are masquerading as document or media files (e.g., GIFs, JPEGs or WMVs).
This default continues in Windows 7. Personally, I don't know how folks can even deal with Windows when you can't see file extensions and this is one of the first things I change on a new system or fresh Windows install.
Find F-Secure's commentary on this issue here:
F-Secure Blog: Windows 7 Fail
I haven't had much time to mess about with Windows 7 yet, though I've been pretty impressed with it based on my experience installing the 64-bit version of the Win 7 beta on a new drive. It definitely offers snappier performance over XP on the same hardware and the ability to address huge amounts of memory is a huge win for folks like me who do a lot of multimedia work.
That being said, as with any new install of Windows, your first stop after installation of Win 7 should be to install a good desktop anti-virus solution. I was pleased to find that F-Secure's Internet Security 2010 already supports Windows 7 (both 64-bit and 32-bit versions) and installed with no hassles. I'm sure that many of the other major anti-virus solutions offer the same support, but I continue to be a big fan of F-Secure because it's very effective, doesn't hog system resources and has a slick user interface.