Information Security
Be on the lookout! Information Security Bulletins
We have posted a special bulletin on December 02, 2008, as well
as a new newsletter on 11/20/08
US Tax Court Phishing Attack
We have received a warning from US-CERT about a new phishing attack that
claims to be petitions from the US Tax Court. This is an example of what is
known as a "Spear Phishing" scheme because the messages contain very
specific information about the message recipient.
The message requests the user follow a link to download additional information
or documents. If you click on the link the website attempts to load a bogus
root certificate supposedly issued by VeriSign Trust Network using JavaScript.
Normally you will see several warnings when the JavaScript attempts to install
the certificate.
However, if the certificate is installed successfully your browser will redirect to
another page that will attempt to download an ActiveX control. You might get
a prompt to allow the installation and since it seems to be signed and legitimate
(it is signed by a fake certificate for "Adobe Systems Incorporated" that is
trusted by the bogus certificate that you just downloaded), you might be
fooled into installing it.
The ActiveX control is a "Browser Helper Object" that "helps" your browser
steal information such as stored passwords, cookies, browsing history, etc.
from your computer. It will start by going out and trying to update itself. A
very efficient piece of malware!
Reports are indicating the attack messages come from "United State Tax
Court" (Note the missing 's' on 'State'), and that the URL in the message links
to the "ustax-courts.com" domain.
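The two giveaways in these reports, a sender name one letter off and a look-alike link domain, can be checked mechanically. The sketch below is an added example, not part of the original bulletin; the trusted name and domain (ustaxcourt.gov), the function names and the edit-distance threshold are assumptions chosen for illustration.

```python
import re

# Assumption (not from the bulletin): the organisation being impersonated and
# the domain it really uses. A mail gateway would hold one entry per protected org.
TRUSTED = {"United States Tax Court": "ustaxcourt.gov"}


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def squash(text):
    """Lower-case and keep only letters and digits, so hyphens and spaces
    cannot be used to dodge the comparison."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def registrable_label(domain):
    """Label left of the TLD, e.g. 'ustax-courts' from 'www.ustax-courts.com'.
    Simplification: the last label is treated as the TLD (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_message(display_name, link_domain, max_distance=2):
    """Return a list of findings for one message; an empty list means no match."""
    findings = []
    host = link_domain.lower().strip(".")
    for name, domain in TRUSTED.items():
        name_d = edit_distance(squash(display_name), squash(name))
        on_trusted = host == domain or host.endswith("." + domain)
        if 0 < name_d <= max_distance:
            findings.append(f"sender name is {name_d} edit(s) away from '{name}'")
        if on_trusted:
            continue
        dom_d = edit_distance(squash(registrable_label(host)),
                              squash(registrable_label(domain)))
        if dom_d <= max_distance:
            findings.append(f"link domain '{host}' imitates '{domain}'")
        elif name_d == 0:
            findings.append(f"sender uses the name '{name}' but links to '{host}'")
    return findings


if __name__ == "__main__":
    # Sender name and domain as quoted in the bulletin above.
    for finding in check_message("United State Tax Court", "ustax-courts.com"):
        print("FLAG:", finding)
```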
As usual, the City of Seattle Office of Information Security reminds you:
- Do not follow unsolicited or suspicious web links
- Make sure your anti-virus and anti-spyware programs are running and up to date
- Make sure your operating system and all other applications are patched and up to date
- Pay close attention to warning messages and prompts
Posted: June 4, 2008
ADP Phishing Scam
We have been notified of a new phishing scam that could affect City users. It pretends to come from either ADP Total Pay or
Survey@ADPmy account.com. The first of these (from ADP Total Pay) has the subject line "Account Lock", while the second's
subject line is: "Customer Survey Get $50 reward now"
Watch out for this scam and just delete the email if it arrives in your inbox.
Posted: May 28, 2008
iTunes Phishing Scam
Be on the lookout for a new scam email that targets Apple's iTunes music
store. This is a relatively sophisticated identity theft attack. The spam email
comes with a message that you need to correct a problem with your iTunes
account. If you follow the link in the email you are taken to a site posing as an
iTunes billing update page, which asks for information including credit card
number and security code, Social Security number and mother's maiden name.
This is the first time we've seen a phishing scam that attacked Apple products.
Be aware of this scam and just delete the email if it arrives in your inbox.
Posted: May 22, 2008
Natural Disasters and Phishing Scams
With all of the recent natural disasters we have noticed an uptick in the number and frequency of phishing scams taking advantage
of our natural tendency to want to help those in need.
These scams always appear soon after natural disasters such as the earthquake in China or the cyclone in Myanmar. They appear to
be requests for donations from charitable organizations and give you a link to click on to learn more or donate.
The link is to a fraudulent website that often is a very good imitation of a legitimate charity site. These sites sometimes ask
for more personal information that will be used to compromise your identity, or they might simply attempt to infect your computer
with malware while you are browsing.
The City of Seattle's Office of Information Security reminds you to never follow a link in an unsolicited email message.
Before donating to any charity you should also check the Federal Trade Commission's Charity Checklist and/or verify the legitimacy
of an organization directly by calling a trusted contact number. Trusted contact numbers can be found on the Better Business Bureau
National Charity Report Index.
Posted: May 19, 2008
Email Scam - Lost Wallet While Traveling - Need a "Soft Loan"
We have seen a resurgence of this particular scam recently and wanted to bring it to your attention. The email usually comes with
a simple subject line such as 'Hello'. Then it goes on to apologize for not informing you that the sender is traveling in Europe
on some humanitarian mission and has lost their wallet with their money and hopes you will help them with a "soft loan" (as opposed
to a "hard" loan I guess!).
The most recent example claims to be from someone who is in Europe "for a program called Empowering Youth to Fight Racism,HIV/AIDS,
and Lack of Education" - a tall order, especially when you've "misplaced my wallet on my way to the hotel where my money,and
other valuable things were kept". They then beseech you to help them out with a mere $2400 to "sort-out my hotel bills and get
myself back home."
They go on to assure you that any amount will be appreciated and they will pay you back as soon as they return. You need only
reply to the email to get the details of where to send the money through Western Union.
The example we've seen is pretty poorly done, so I would expect it won't be too successful, but these folks tend to get better
with experience, so be aware of this scam.
Posted: May 19, 2008
New Gasoline Discount Scam
With the ever rising gas prices, it was only a matter of time till the scammers found a way to exploit our anxieties.
Today we have a report of a new phishing scam that offers fuel discounts. The SPAM email directs you to a link that claims to
offer a 70 cent discount on each gallon of gasoline. The email originates from a sender with the alias "Gas Saver."
This is not out widely yet, but with the price of gas heading quickly to $4 a gallon and rising over the summer we expect it to
escalate.
Watch out for this scam and if the high price of gas is getting you down, try riding your bicycle!
Posted: May 13, 2008
P2P File Sharing Danger - New Malware Attack
File sharing programs such as Limewire, eDonkey, BitTorrent, and many others
(also known as Peer to Peer or P2P programs), are often used to share data
files between computers all across the Internet.
While that might seem like a wonderful and convenient idea at first blush, it
has become one of the most dangerous practices on the Internet and in many
organizations all P2P traffic is banned or blocked by policy.
There are many reasons for blocking this traffic. First, it is often used for
stealing copyrighted materials, which is, uh... illegal! Second it has become a
very popular way to share those nasty malicious software files. In fact one
estimate was that over 50% of all Peer to Peer files were infected.
We have had another reminder this week of why we recommend against using
these types of applications. McAfee has reported the most significant malware
outbreak in three years. More than 500,000 Trojan horse infections have been
detected on PCs since May 2. These files, masquerading as MP3 music or
MPEG video files, are appearing on many of the major and most popular file
sharing services.
The files are all named differently in multiple languages and vary in size to
make them appear like legitimate files. When you attempt to play one of these
infected files it triggers an application called "PLAY_MP3.exe".
The City of Seattle's Office of Information Security recommends against the
use of Peer to Peer services and warns that illegal downloading of copyrighted
materials may be prosecuted if it is detected on City computers. For those of
you not using City computers, be aware that the media industry is becoming
much more serious about finding and prosecuting violators of these laws.
There are much safer alternatives for legitimate sharing of files, so be prudent
and avoid P2P.
Posted: May 8, 2008
IRS Rebate Phishing Scam
We have heard from US-CERT of a new phishing scam that is currently
circulating. This scam is related to the IRS economic stimulus rebate. It arrives
in an email message that appears to be from the IRS. The email includes text
that attempts to convince you to click on a link to a website before a deadline
to expedite the rebate process.
If you click on the link, the website will request bank account information.
US-CERT and the City of Seattle Office of Information Security recommend the following:
- Never follow unsolicited web links received in email messages
- Check the us-cert.gov web site for several good documents about avoiding e-mail scams, social engineering and phishing attacks
- Also check out the irs.gov Suspicious E-Mails and Identity Theft website for information on the latest scams
- Warn any family members or acquaintances - especially those who might be more vulnerable to these types of scams
Posted: April 24, 2008
Trojan Extortion Scheme
A new scheme to extort money from computer users has to be given points for
originality. A new Trojan, calling itself "MonaRonaDona" is spreading rapidly.
Once you are infected the Trojan actually notifies you of its presence and
leads you to search for "MonaRonaDona" on the web. This leads you to the
pages of "Unigray Anti-Virus," an application sold for $39.90 which it claims will
detect and remove thousands of malicious applications.
In fact, it will ONLY detect and remove the MonaRonaDona Trojan! A source
code review has shown that both Unigray and MonaRonaDona share many
similarities and were most likely created by the same malware writers.
The City's antivirus application has a signature out for this so you are unlikely to get infected at work. But at home
just make sure your AV is up to date, and don't buy unknown antivirus programs.
Posted: March 4, 2008
Two Warnings - Digital Photo Frame Virus & Lunar Eclipse Email Scam
The latest digital devices to be hit by virus writers are the digital photo frames that were a favorite holiday gift
this year.
These nifty devices connect with your computer and store a bunch of digital photos that you can select or have running
as a slide show. Great idea, but of course the hackers couldn't fail to notice a new venue to ply their nefarious
trade.
The virus that has been detected is a powerful Chinese Trojan horse that gathers personal
information from your computer once you hook it up. So far it has only collected passwords for online games, but we
can be relatively certain that it will be used to gather other information or otherwise infect computers in the near
future.
This Trojan, which has been named Mocmex, blocks anti-virus protection from more than 100 AV vendors as well as the
security and firewall built into Microsoft Windows. It spreads by hiding itself on photo frames and other portable
storage devices that are plugged into an infected PC. It is designed to do its work and leave no trace.
The other scam we've seen this week is an email that says it has a wonderful video of the recent lunar eclipse if
you just click on a link to download it.
The eclipse was pretty amazing, but if you missed it don't fall for this scam to get a belated look. All you'll get if
you click on this link is a nasty Trojan virus on your computer.
The City of Seattle's Office of Information Security suggests that you never click on any
links in an email unless you can be absolutely certain that it was sent from someone you know. Also be sure that
your antivirus program is running and up to date with the latest signatures and your operating system is patched to
the latest level.
Posted: February 22, 2008
Valentine eCard Warning
We received a warning today from the FBI about a St. Valentine's Day E-Card phishing scam that carries the Storm
worm virus.
If you get a Valentine's e-card, even if it comes from someone you know, be extremely careful (best to just delete it).
This SPAM contains a link that you are directed to click on to receive your card.
If you click on that link you will infect your computer with the Storm worm botnet. A botnet is a network of
compromised computers that can be controlled by the bad guys (the "botnet herders"). They are set up to spread
SPAM, capture your keystrokes for identity theft and carry out other criminal activities.
We have seen the Storm worm sent out regularly, capitalizing on Holidays or news events.
The City of Seattle's Office of Information Security suggests that to be safe you never accept or click on any
links on an e-card unless you can be absolutely certain that it was sent from someone you know.
If it does look like it came from an acquaintance, call them up to thank them BEFORE you open the
e-card. If they didn't send it you can do them a big favor and let them know that their computer is infected and
they need to take immediate action to clean things up.
Posted: February 13, 2008
FaceBook Profile SPAM
We have just seen a big influx of SPAM messages with the subject line, "Check out my Facebook profile".
The link in this message will most likely lead you to a poisoned Facebook page that will attempt to infect your
computer.
If you receive this email delete it immediately without clicking on any links.
Posted: February 8, 2008
Two Important Updates - Adobe Reader and QuickTime
Both Adobe Reader and Apple QuickTime have released vital new updates to address serious vulnerabilities.
First, if you are using Adobe Reader to open and read PDF documents, we highly recommend that you update to the newest
version, 8.1.2 as soon as possible.
Adobe recently created this update to address a very serious vulnerability in the application. The security flaw
affects PDF documents and could pose a serious threat to your computer and its data if you open a compromised PDF
file and the vulnerability is exploited.
Secondly, Apple has just released an update to address a recently discovered vulnerability in QuickTime's streaming
protocol. They have been dealing with a series of vulnerabilities in QuickTime and this is the fifth QuickTime update
since October.
If you use QuickTime for viewing media files at home, we recommend updating to version 7.4.1 as soon as possible to avoid
becoming a victim of this vulnerability.
Posted: February 8, 2008
Tax Rebate Scam
And in the category of "They Never Miss A Beat!", the scammers are actively
taking advantage of the latest news. The FBI today issued a warning of a tax
rebate scam.
As you have no doubt heard, Federal lawmakers are considering an economic
stimulus package that may result in rebate checks being sent out to millions of
Americans.
Criminals, pretending to be IRS agents, are calling unsuspecting people asking
for Social Security numbers and other personal information so a tax refund
check can be sent.
This tax-rebate plan hasn't even been approved by Congress yet and the IRS
will never ask for personal information on the phone or by e-mail.
If you get such a call (or an email) you can report it to the FBI on their
Internet Crime Complaint Center website.
Posted: January 29, 2008
Two New Scams - Excel Zero Day and FBI Phishing Spam
Two new scams are threatening the City and everyone else right now.
First, there is a new zero day Microsoft Excel vulnerability. Specific targeted attacks are already attempting to
exploit this vulnerability in the wild. The vulnerability is
in any MS Excel version prior to Office 2003 Service Pack 3 and may allow
remote code execution (meaning the attacker will be able to install programs
on your computer, view, change or delete data, or create new accounts with
full privileges). The vulnerability can be exploited by opening a malicious Excel
spreadsheet attachment to an email (they have .xls at the end), or by visiting
a Web site that is hosting a malicious Excel spreadsheet. A successful
exploitation results in the attacker gaining the same user privileges as the
logged on user.
If you receive an email with an Excel attachment, don't open it unless and
until you can absolutely verify its source and that it is a legitimate attachment.
The second scam is a deluge of email spam purporting to be from the FBI. The
bogus messages often include pictures of the FBI's director, along with the
organization's official seal, letterhead and banner. The emails use the FBI's
name to intimidate and/or convince the recipient of the legitimacy of the
message. The emails are typically a notice of a lottery win or a long-lost
relative leaving an inheritance. Other emails offer website monitoring
containing malicious attachments and online auction scams.
Using trusted institutions, such as the FBI or Better Business Bureau, is a
well-known and often used spamming method. But since it is still working, they are
still using it and we still need to watch out for it.
Posted: January 18, 2008
Don't Allow Your Computer to Be a Vulnerability - Lock Up When You Leave
Did you know that every computer on any network is a potential vulnerability simply by virtue of its connection
to the rest of the network? As a responsible citizen on your network there is much you can do to help. In some
of these bulletins we'll offer quick tips that you can use both at work and at home.
Today we want to talk about locking your computer screen when you leave it, even for a moment. As we are all aware,
sometimes those moments can be extended by "drive-by" conversations, etc. It only takes a moment for someone passing
by your desk to look at what you are working on; open up your email (and maybe send something out in your name); open
an inappropriate or dangerous web site; install a key stroke logger; etc. Any of these activities could be blamed on
you if they happen on your computer and all of them could result in the compromise of your network and the
sensitive or personal data that you store there.
Locking your computer is very easy to do. There are two simple ways: First, you can press the Ctrl, Alt, and Del keys at
the same time and then either press the W key or click on the 'Lock Workstation' button. Or, if you want to use even
fewer keystrokes, simply press and hold the Windows key (that's the one located on the bottom of your keyboard right next
to the Alt key on both sides with a little flying windows symbol), then press the L key.
All the work you were doing is saved just as you left it, but your computer screen will now be locked and no one can
use your computer without pressing Ctrl Alt Del again and entering your password. This simple practice will go a long
way to ensuring that your computer is not a vulnerable point in your network.
Posted: January 15, 2008
Season's Scammings
Last week it was Christmas strippers, this week it's "Happy 2008". The makers and purveyors of the Storm botnet
are hard at work and changing their messages and tactics daily (or even more often) to try to dupe unwary
users into infecting themselves with the latest botnet Trojan.
We're seeing subjects like "Happy 2008!" and "Happy New Year!" this week, and we expect to see more versions as
the typical Holiday malware bash continues. These e-mails include links to poisoned websites such as "Uhavepostcard.com"
and attempt to install files such as "happy2008.exe". The botnet controllers are using very sophisticated techniques
to disguise their malware from antivirus software and to keep their poisoned web-site on-line.
The City of Seattle's Office of Information Security urges you to be especially careful this time of year and to inform
vulnerable relatives and friends of these types of scams so they aren't victimized.
Posted: December 31, 2007
Phone Scams Galore
We are hearing almost daily reports of new phone scams. They are many and
varied: from callers telling you that you failed to report for jury duty and there
is a warrant out for you (that you can fix by giving them your social security
number so they can resolve the problem); to scammers telling you that your
utility bills haven't been paid and your lights are about to go out unless you
give them your credit card number; to congratulations "you won the lottery! -
We just need your bank routing information so we can deposit your winnings",
to the latest one that tells the person they have qualified for free Medicare
coverage, but "we need to verify your address and bank account information."
There are many more, but they all have similar patterns to them. They tend to
prey on the elderly so please pass this information on to folks you know who
might be at risk.
The City of Seattle's Office of Information Security urges you to never disclose
personal information over the phone unless you can positively verify the
legitimacy of the caller. One way to do so would be to ask for a call back
number and tell the caller you will check with the institution they claim to be
calling from and your local police before calling them back. If it's a scammer,
they will probably decline. Even if they do give you a call back number, go
ahead and check with the institution and the police before calling them back
and giving them any information.
Posted: December 11, 2007
Trojan Spreading via MSN Messenger
US-CERT has notified us of reports that a Trojan (malware that is disguised as another type of file) is spreading
via MSN Messenger. The Trojan arrives as a chat message that appears to contain an image file that, when opened,
downloads and installs an Internet Relay Chat bot. These messages may appear to come from a known contact.
Posted: November 20, 2007
Fake IRS Tax Refund E-Mail or Complaint from DOJ
We've seen this scam come around before: a very real looking email pretending to be from the IRS or the Department of
Justice. This time the IRS version purports to be from the IRS and the Taxpayer Advocate Service
(a genuine and independent organization within the IRS whose employees assist taxpayers with unresolved tax
problems).
The IRS email scam tells the recipient that he or she is eligible for a tax refund and points them to a link. The link
takes you to a fake IRS website that asks for your personal information and proceeds to infect your computer.
The DOJ spam contains a malicious attachment that supposedly contains information regarding complaints filed against the
recipient's company with the DOJ (we've also seen these purportedly coming from the Better Business Bureau). The attachment
launches malware if you open it.
The IRS has set up an email address: phishing@irs.gov - where you can send any suspicious email you receive that claims
to be from them. They will use the information you provide to locate and shut down the web sites the criminals are
using. You won't get any response from them however, due to the expected volumes of reports.
The City of Seattle's Office of Information Security reminds you to be cautious and avoid clicking on links in, or
opening attachments to, any emails you receive unless you know for sure they are legitimate.
Posted: November 19, 2007
Postal Mail Scam - Notification of Sweepstakes Winnings
We have received a copy of a postal mail fraud attempt that we want to warn everyone about. This isn't our usual
bailiwick because it isn't computer crime, but it is so devious and professionally done, we want you to be aware of it.
The mail we received was in an envelope postmarked from Canada. Inside was a notice on the letterhead of "The Millenium
Plan Trust Account, Republic Bank and Trust, Trustee", and a very real looking check in the amount of $3,342.27.
This is a real bank and we spoke to their fraud officer who is aware of the fraud.
The notice starts out with:
RE: FINAL AWARD WINNING NOTIFICATION (CLAIM # US/CA/ME-0725NA)
It then goes on to say that you are the lucky winner of $48,650 and that the enclosed check is to "assist you in
financing your clearance fee." A contact name and number is included with the caveat that you must claim your winnings
before November 9, 2007.
If you call the number, a gentleman will inform you that you must submit a "clearance fee" to process your winnings.
This is usually an amount less than the "check" they sent, so it sounds like a great deal. However, if you try to cash
the check it will come back as insufficient funds and/or no such account and your bank will deduct that money back out
of your account.
We have even heard reports of people falling for this scam and then being contacted again and asked for MORE money to
process the winnings.
This is extremely devious and professionally done and preys on the elderly and other vulnerable populations. Please
tell people about this who might be susceptible to this scam.
If you get one of these in the mail, the bank that is cited will probably want to know. Look them up and give them a
call - ask to speak to their compliance or fraud officer. You should also report it to the US Postal Service Inspectors.
Posted: November 7, 2007
Real Player Exploit
The City of Seattle's Office of Information Security has become aware of a new exploit involving Real Player in combination with Internet Explorer, that is being
promulgated widely on the Internet currently. Again, this only affects people who are using Real Player with
Internet Explorer and Windows. Other browsers and operating systems are not affected. Nor are versions of Real Player
older than version 8.
Real has promised to release a patch today that will address the problem. Users of RealOne Player, RealOne Player v2,
and RealPlayer 10 should upgrade to the 10.5 version of the product or the RealPlayer 11 beta code and should install
the patch as soon as possible.
If you are using Real Player on a Windows system and running Internet Explorer on your own computers, you
should update as soon as possible.
Posted: October 23, 2007
New Threat Involving PDF Files
PDF or portable document format is a file type popular for sending documents between organizations. The City sends and
receives hundreds of them every day. However, a new (as of 10/16/2007) security vulnerability has been identified in the
format that allows malicious individuals to specially craft .pdf files that, when opened, infect your PC. Infected .pdf
files can either be included as an e-mail attachment or hosted on a compromised web site. This is a brand new threat and
City anti-virus systems currently cannot recognize and block this threat.
As always, be suspicious when you receive an e-mail that contains any attachments that you were not anticipating - even
if you recognize the sender. In the next few days, be particularly vigilant if you receive a .pdf file. You should also
never be tempted to click on links contained in suspicious e-mails. Today, even visiting a compromised web site puts
your PC at risk.
Posted: October 17, 2007
New Threats Require Vigilance from Every User
Two new exploits are currently threatening your City and home PC. However, you can avoid them both by always being
suspicious when you receive e-mail you were not expecting. The first involves Microsoft Word documents that come as
e-mail attachments that when opened infect your computer.
Remember to never open e-mail attachments from strangers and to always confirm the authenticity of attachments you
receive from friends, customers and colleagues.
The second danger to be on the lookout for in your e-mail inbox comes from criminals masquerading as either the
Internal Revenue Service (IRS) or Better Business Bureau (BBB). Both contain enticing language designed to get you to
click on a legitimate looking link.
Remember to never click on links within an e-mail unless you can be absolutely sure of the integrity of the sender. If
you have already opened and clicked on one of these links, please contact your service desk.
Posted: October 11, 2007
BOA - Account Activity Blocked Scam
Many City users have reported receiving an email purportedly from the Bank of America, informing them that their
account activity has been blocked and their "online has expired".
We would hope that the obvious problems with grammar would clue you all in right away that this is a scam, but
just in case, please just delete this email. Do not reply and of course, do not click on the link.
We have also seen similar emails, purporting to be from Citibank and from the IRS. These types of scams are not
always so obvious, so please be extremely careful and vigilant right now as many of these seem to be getting
through our SPAM filters.
Remember, do not click on links within email unless you can be absolutely sure of the integrity of the sender. If
you have already opened and clicked on one of these links, please contact your service desk.
Posted: September 24, 2007
New Vulnerabilities Put Skype Users At Risk
Skype users are under attack from a new worm that spreads through the peer-to-peer Internet phone application's
chat feature. The attack begins when a user receives an instant message containing a link from someone in their
contact list or an unknown Skype user, said a Skype spokesman. There are several versions of the chat messages,
which are cleverly written to fool users, he wrote on the Skype heartbeat blog.
The link appears to contain a JPEG photo file which, if clicked, asks the user to save or run a '.scr' file. The file
is malicious software that can then access a user's PC via Skype's API (application programming interface). The
malicious file has been named W32/Ramex.A. Users whose computers are infected with this virus will send a chat message
to other Skype users asking them to click on a web link that can infect their computers, he wrote.
To avoid trouble, users should not download the file. As of early today, detailed information from anti-virus
vendors was scanty. Several security companies, however, have already updated their signature definitions to detect
and delete the new malware.
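The mismatch this bulletin describes, a link that looks like a JPEG photo but offers a '.scr' program, is something a download filter can test for. The sketch below is an added example, not part of the original bulletin; the function names, extension lists and sample values are assumptions constructed for illustration.

```python
import os
from urllib.parse import urlparse

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# Extensions Windows runs as programs; a .scr screensaver is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF8", b"\x89PNG", b"BM")


def extension(name):
    """Final extension of a file name or URL path, lower-cased."""
    return os.path.splitext(name.strip().lower())[1]


def sniff(head):
    """Classify content by its leading bytes instead of trusting its name."""
    if head.startswith(b"MZ"):  # DOS/PE header used by .exe and .scr files
        return "windows-executable"
    if head.startswith(IMAGE_MAGIC):
        return "image"
    return "unknown"


def review_download(link_url, offered_name, head):
    """link_url: URL shown in the chat message.
    offered_name: file name the browser offers to save or run.
    head: first bytes of the delivered content.
    Returns (verdict, reasons)."""
    reasons = []
    presented_as_image = extension(urlparse(link_url).path) in IMAGE_EXTS
    offered_ext = extension(offered_name)
    kind = sniff(head)

    if offered_ext in EXECUTABLE_EXTS:
        reasons.append(f"offered file has executable extension {offered_ext}")
    elif kind == "windows-executable":
        reasons.append("content is a Windows executable despite its name")
    if presented_as_image and reasons:
        reasons.append("link is presented as an image but delivers a program")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed samples: (link in the chat message, offered file name, first bytes).
    samples = [
        ("http://example.invalid/photos/img_0412.jpg", "img_0412.scr", b"MZ\x90\x00"),
        ("http://example.invalid/photos/img_0412.jpg", "img_0412.jpg", b"\xff\xd8\xff\xe0"),
        ("http://example.invalid/photos/img_0412.jpg", "img_0412.jpg", b"MZ\x90\x00"),
    ]
    for url, name, head in samples:
        print(name, review_download(url, name, head))
```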
Skype is only the latest IM client to feel the heat from hackers. Both Yahoo Messenger and Microsoft's MSN/Live
Messenger have been struck this summer. Exploit code designed to hijack Windows PCs running Yahoo Messenger appeared
as early as June, and Yahoo has been forced to patch the IM client several times since. Microsoft, meanwhile,
has scheduled fixes for its MSN Messenger and Windows Live Messenger software for this week, presumably to quash a
webcam bug that was disclosed late last month.
Posted: September 12, 2007
Storm Worm Now Brought to You by YouTube!
Are you sick of hearing about this Storm Worm/Trojan yet? I know I am!
In yet another twist to this menace, spammers have created a site that carries the YouTube branding. Using typical
social engineering techniques an e-mail containing a link to the fake YouTube site is spammed out with the message,
"Man you have got to tell me where you picked her up. I saw this on the web. It has to be you. Check it out yourself
at..." followed by a link to the poisoned site.
Don't get caught in the Storm - be extremely vigilant and suspicious of any email similar to the ones we've
warned you about.
Posted: August 27, 2007
Storm Worm Worst Malware Ever - New Scams
The "Storm" worm has become the worst piece of malware in history, infecting hundreds of thousands of computers
and recruiting them into the largest botnets ever seen.
NOTE: A botnet is a collection of compromised computers whose collective power is used by cyber criminals for
everything from denial of service - bombarding a website with requests until it shuts down; to extortion - threatening
to shut down your web services unless you pay; to click fraud - using the computers to generate thousands of clicks a
second on a particular advertisement to drive up the payment for that ad.
US-CERT has notified us of several new techniques being used by the purveyors of this particularly virulent trojan. The
new variants arrive as either an email claiming to contain a link to adult pictures, or as credentials for a
membership-based website, asking you to login to change your temporary ID and password. The messages contain links to malicious
websites that when visited, install the Storm malware on your system.
The City of Seattle's Office of Information Security again reminds you: 1) Do not follow unsolicited or suspicious
links; 2) Make sure your anti-virus software is up to date and working; and 3) Inform your friends and family of the
new scams and suggest they subscribe to our mailing list (subscription information is on our home page).
For more information from US-CERT on how to recognize and avoid e-mail scams, social engineering and phishing attacks,
go to our "Useful Links" page and click on: 1) "Recognizing and Avoiding Email Scams"; and 2) "Avoiding Social
Engineering and Phishing Attacks".
Posted: August 22, 2007
Another Yahoo IM Danger
There are new reports of an exploit using Yahoo Instant Messenger. If you or someone you know uses Yahoo IM, please
be aware that this new exploit uses an invitation to view a WebCam to take over your computer.
It should go without saying, but never accept a WebCam invite or any other offer in IM or e-mail unless you are
absolutely sure of the source.
Posted: August 20, 2007
MS Excel the Latest Vehicle for 'Pump & Dump' Scams
'Pump and Dump' scams are e-mails that purport to be from stock traders and contain a false rumor or 'tip' about a
stock that they are recommending buying. When the criminals get enough people to purchase stock in this fashion it
results in the stock price rising ('pumping' it up) temporarily and they use that to cash in by 'dumping' the
(generally worthless) stock at its peak and making a profit. We've seen this scam for a long time in spam e-mail, but
the latest twist is that it is being sent in Excel files to fool the spam blocking software.
Researchers at several antivirus and antispam vendors have reported this pump and dump spam in Excel files starting on
July 21. The spam promotes stock in attachments with names like "invoice20202.xls", "stock information-3572.xls", and
"requested report.xls".
Spammers are continually finding new ways to bypass spam blocking tools. For a while they were using images, then when the
tools started blocking those they switched over to Adobe PDF files, and now they have moved on to Excel as their newest
vehicle of choice.
The Office of Information Security suggests that you always ignore these types of scams and let your friends
and family know about them as well. If you get one of these just delete it.
Posted: July 27, 2007
Malicious e-Cards Delivered in City e-Mail
Seattle's Office of Information Security has received multiple reports of malicious e-cards that are being widely
distributed in an attempt to compromise systems. The emails claim to have been sent from ‘a family member’ and use
similar formatting to legitimate e-cards. Once the user clicks on the link to view their e-card, they are redirected
to a site containing malicious code. The code is downloaded immediately and depending on the user’s security posture,
this could result in their system being compromised. There are multiple versions of the email with some claiming to
originate from E-cards.com and others from Netfuncards.com.
Please report any activity and/or infections related to this threat to the Office of Information Security.
Posted: June 29, 2007
Dangerous Vulnerability in Yahoo Instant Messenger
Update your Yahoo Messenger immediately
Yahoo has released an updated version of Yahoo Messenger to fix two critical vulnerabilities affecting separate
ActiveX controls related to webcam functionality. Both vulnerabilities can be and are being exploited to execute
arbitrary code on a victim's computer.
Very accurate and easy to use exploits for these vulnerabilities are publicly available right now.
If you use Yahoo Messenger you should install the latest upgraded version as soon as possible
(Version 8.1.0.401).
Posted: June 11, 2007
New IRS/Better Business Bureau E-mail Scam
IRS/BBB scam downloading new Trojan Horse
Websense Security Labs reports having discovered a new e-mail spam variant similar to ones we've seen before. They
claim to be from the Internal Revenue Service (IRS) or the Better Business Bureau (BBB).
The spoofed e-mail claims the IRS is investigating the recipient and the recipient's company for tax fraud. It prompts
the user to download a document to help resolve the issue. The document is an infected file named "Complaint.doc.exe"
(although you may not see the .exe extension). The document is hosted on a server in China.
If you receive this type of email, the City of Seattle's Office of Information Security (OIS) recommends
you delete it immediately.
Posted: June 11, 2007
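The "Complaint.doc.exe" lure above works because the final extension decides how the file is opened while the visible name still looks like a document. The check below is an added example, not part of the original bulletin: the extension lists and function names are assumptions, and the sample names are the ones quoted in these bulletins plus two constructed variants.

```python
from pathlib import PureWindowsPath

# Assumed, deliberately short lists; a real filter would use a fuller policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".xls", ".pdf", ".txt", ".jpg"}


def normalise(name):
    """Drop surrounding whitespace and the trailing dots/spaces Windows ignores."""
    return name.strip().rstrip(". ")


def displayed_name(name):
    """Name as shown when extensions of known file types are hidden."""
    path = PureWindowsPath(normalise(name))
    known = EXECUTABLE_EXTS | DECOY_EXTS
    return path.stem if path.suffix.lower() in known else path.name


def classify(name):
    """Return 'disguised-executable', 'executable' or 'not-executable'."""
    suffixes = [s.lower() for s in PureWindowsPath(normalise(name)).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "not-executable"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "disguised-executable"
    return "executable"


# Attachment names quoted in the bulletins, plus two constructed variants.
SAMPLES = [
    "Complaint.doc.exe",
    "invoice20202.xls",
    "requested report.xls",
    "COMPLAINT.DOC.EXE. ",   # constructed: upper case, trailing dot and space
    "setup.exe",             # constructed: plain executable, no decoy
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} shown as {displayed_name(sample)!r:18} -> {classify(sample)}")
```

The Excel stock-spam names come back as not-executable: those messages rely on the spreadsheet's content to get past spam filters, not on a hidden extension, so a filename check alone does not cover them.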
----------------------------------------
Last Updated: October 31, 2008
Website Contact: David Matthews