Recognizing Email Scams
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
December 4, 2009
Agenda
- The problem: why should we care?
- Types of email scams
- Recent examples at K-State and why they tricked so many people
- Characteristics of scam emails: things to look for and tools to help
- How to determine if a web link is safe
- How to evaluate email attachments
- Reporting scams or other malicious emails
- Useful information sources
- Q&A
Many vectors for attack
- Vulnerable operating system (e.g., Windows)
- Vulnerable applications
- Hackers scanning our network from outside or inside the campus network
- Passwords stolen by a key logger
- USB flash drives
- Malicious web links, even sponsored ads at the top of a Google search
- Malicious Facebook ads
- Extra "goodies" bundled into P2P downloads
- Instant messaging
- Redirected DNS queries
- Hijacked duplicate web site
- Phishing email
- Malicious web links in an email
- Email attachments
What’s the big deal?
- 130+ K-State computers were infected in November when people opened malicious email attachments; these were the same emails that hit campus in July and infected 100+ computers
- 289 spear phishing scams at K-State thus far in 2009, resulting in 421 compromised email accounts that were used to send spam
- These forms of "social engineering" are currently one of the most effective ways to compromise a computer and steal financial or personal identity information
- Information loss/theft (personal, institutional, passwords, account info)
- Identity theft
- Financial fraud
It doesn’t just affect you
- When stolen K-State email accounts are used to send spam, K-State is seen as a spam source and sometimes ends up on spam block lists, such that ALL email from K-State to those email providers is blocked (examples include Hotmail, Gmail, Comcast, AT&T, Road Runner…); this is a huge headache for faculty-student communication
- Compromised computers become part of a "botnet" used for illegal purposes
- A recently compromised K-State computer became a "botnet controller" that controlled 12,000 other compromised computers around the world
- Compromised computers are used to send spam, host scam web sites, spread malware, steal data, launch denial of service attacks, etc.
- One careless mouse click can affect thousands of other people, not just yourself
What’s the big deal?
- Tactics are constantly changing, so you can’t let down your guard
- Malware is constantly changing, so antivirus software can’t always prevent infection
- Technology can’t stop them all; you, the user, are a critical part of our security defenses
Definitions
- Malware: malicious software
  - Virus, Worm, Trojan, etc.: types of malware; the specific definitions are not that important now, and "virus" is sometimes used as a catch-all for malware
  - Keylogger: watches your keystrokes and intercepts data of interest, often sending it to the perpetrator. Typically looks for things like username/password, bank account info, credit card info
  - Rootkit: malware that tries to hide the fact that it compromised the computer. Think of it as stealth malware.
  - Spyware: watches your online activity and sends information about you or your habits to others without your informed consent
  - Adware: automatically displays ads on your computer, usually in annoying pop-ups
  - Scareware: tries to trick you into buying something of little or no value using shock, anxiety or threats (like the fake "Antivirus 2008/2009" products). A common tactic is to claim your computer is infected and you have to buy their software to clean it up.
Scareware examples (screenshots)
Definitions
- Phishing: an attempt to acquire sensitive information by posing as a legitimate entity in an electronic communication
- Spear phishing: phishing that targets a specific group
- Social engineering: manipulating or tricking people into divulging private information
- Spam: unsolicited or undesired bulk email/messages
Spear phishing example that targets K-State (screenshot)
Let’s look at some examples
- Check the IT Security Threats blog for examples of spear phishing scams: threats.itsecurity.k-state.edu
- Analysis of actual scams received by people at K-State
Most Effective Spear Phishing Scam (screenshots of the scam email)
Most effective spear phishing scam
- At least 62 people replied with their password, 53 of which were then used to send spam from K-State’s Webmail
- Arrived at a time when newly admitted freshmen were getting familiar with their K-State email: 37 of the 62 victims were newly admitted freshmen
- Note the characteristics:
  - "From:" header realistic: "Help Desk" <helpdesk@k-state.edu>
  - Subject uses familiar terms: "KSU.EDU WEBMAIL ACCOUNT UPDATE"
  - Message body also references realistic terms: "IT Help Desk", "Webmail", "KSU.EDU", "K-State"
  - Asks for "K-State eID" and password
  - Plausible story (accounts compromised by spammers!!)
Another effective spear phishing scam (screenshot): this one also tricked 62 K-Staters into giving away their eID password
How to identify a scam
- General principles:
  - Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
  - Use common sense and logic: if it’s too good to be true, it probably is.
  - Think before you click; many have fallen victim due to a hasty reply
  - Be paranoid
  - Don’t be timid about asking for help from your IT support person or the IT Help Desk
How to identify a scam
- Characteristics of scam email:
  - Poor grammar and spelling
  - Uses unfamiliar or inappropriate terms (like "send your account information to the MAIL CONTROL UNIT")
  - It asks for private information like a password or account number
  - The message contains a link where the displayed address differs from the actual web address
  - It is unexpected (you weren’t expecting Joe to send you an attachment)
  - The "Reply-To:" or "From:" address is unfamiliar, or is not a ksu.edu or k-state.edu address
  - Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password: it is signed only "Webmail administrator"
How to identify a scam
- Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
- Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
- They take advantage of epidemics or health scares, like the H1N1 scam currently making the rounds
- Often pose as a legitimate entity: PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
- If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
- Many make sensational claims; remember to apply the common sense filter: if it sounds too good to be true, it probably is
- Attackers are very good at imitating legitimate email: they will use official logos, and some links in the email will work properly, but one link is malicious
Real K-State Federal Credit Union web site vs. fake K-State Federal Credit Union web site used in a spear phishing scam (screenshots)
Can I click on this?
- Watch for a displayed URL (web address) that does not match the actual one:
  displayed: http://update.microsoft.com/microsoftupdate
  actual: http://64.208.28.197/ldr.exe
- Beware of a link that executes a program (like ldr.exe above)
- Avoid numeric IP addresses in the URL: http://168.234.153.90/include/index.html
- Some even use hexadecimal notation for the IP: http://0xca.0x27.0x30.0xdd/www.irs.gov/ (that host is 202.39.48.221; "www.irs.gov" here is just a directory name on the attacker’s server)
- Watch for legitimate domain names embedded in an illegitimate one: http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/ (the real host is leogarciamusic.com; everything after the first "/" is a path, not a domain)
Can I click on this?
- Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
  From: Capital One bank <cservice@capitalone.com>
  URL in message body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
- IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan (screenshot)
Can I click on this?
- Beware of domains from unexpected foreign countries:
  - Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
  - Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
  - Lithuania: http://kateka.lt/~galaxy/card.exe
  - Hungary: http://mail.grosz.hu/walmart/survey/
  - Romania: http://www.hostinglinux.ro/
  - Russia: http://mpo3do.chat.ru/thanks.html
- MANY scams originate in China (country code = .cn)
- Country code definitions available at: www.iana.org/domains/root/db/index.html
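The checks on the preceding three slides (displayed vs. actual address, numeric or hexadecimal IP hosts, links that fetch an executable, a brand name buried in the path or in a subdomain of someone else’s domain, and unexpected country-code TLDs) can be automated. The following is an added example written for this page, not code from the presentation or from K-State; the brand list and the two-label/three-label guess at the registrable domain are assumptions of the example, and a production tool should use the Public Suffix List for that last step.

```python
import ipaddress
from urllib.parse import urlparse

# Brands impersonated in the scams shown on the slides; a real deployment would
# load this from configuration (the list itself is an assumption of this example).
WATCHED_BRANDS = ("microsoft.com", "capitalone.com", "capitalonebank.com",
                  "irs.gov", "paypal.com", "walmart.com")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".msi", ".com", ".bat", ".cmd")
# Country-code TLDs named on the slides; any other two-letter TLD is reported by code only.
CCTLD_NAMES = {"kg": "Kyrgyzstan", "pk": "Pakistan", "lt": "Lithuania",
               "hu": "Hungary", "ro": "Romania", "ru": "Russia", "cn": "China"}


def decode_host(host):
    """Return dotted-decimal text if host is an IP literal written in decimal,
    hexadecimal (0xca.0x27.0x30.0xdd) or as one integer; otherwise None."""
    labels = host.split(".")
    if len(labels) == 4:
        try:
            octets = [int(label, 0) for label in labels]  # base 0 accepts 0x.. and 0o..
        except ValueError:
            return None
        if all(0 <= o <= 255 for o in octets):
            return ".".join(str(o) for o in octets)
        return None
    try:
        return str(ipaddress.ip_address(int(host, 0)))  # e.g. http://3405803741/
    except ValueError:
        return None


def registered_domain(host):
    """Crude registrable-domain guess (assumption: the last two labels, or three
    under a two-letter ccTLD with a short second-level label such as org.kg)."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _host_contains(host, brand):
    # Match on label boundaries so "notmicrosoft.com" does not count as microsoft.com.
    return f".{brand}." in f".{host}."


def analyse_link(href, display_text=None):
    """Return a list of (code, detail) findings for one link; empty means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    path = parsed.path.lower()

    # Anchor text that looks like an address but points somewhere else.
    if display_text and "." in display_text:
        shown = display_text if "://" in display_text else "http://" + display_text
        shown_host = urlparse(shown).hostname or ""
        if registered_domain(shown_host) != registered_domain(host):
            findings.append(("DISPLAY_MISMATCH", f"shows {shown_host} but goes to {host}"))

    ip = decode_host(host)
    if ip:
        findings.append(("IP_HOST", f"{host} = {ip}"))

    if path.endswith(EXECUTABLE_EXT):
        findings.append(("EXECUTABLE", path.rsplit("/", 1)[-1]))

    for brand in WATCHED_BRANDS:
        if _host_contains(host, brand) and registered_domain(host) != brand:
            findings.append(("BRAND_IN_SUBDOMAIN", f"{brand} inside {registered_domain(host)}"))
        if brand in path:
            findings.append(("BRAND_IN_PATH", f"{brand} is only a directory name on {host}"))

    tld = host.rsplit(".", 1)[-1]
    if not ip and len(tld) == 2 and tld.isalpha():
        findings.append(("CCTLD", f".{tld} ({CCTLD_NAMES.get(tld, 'country code ' + tld)})"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse_link("http://64.208.28.197/ldr.exe",
                                     "http://update.microsoft.com/microsoftupdate"):
        print(code, "-", detail)
```

Run against the Microsoft Update example it reports a display mismatch, a numeric host and an executable download; the Capital One link reports the brand sitting under mj.org.kg and the .kg country code; the legitimate update.microsoft.com link reports nothing.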
Can I click on this?
- Analyze web links without clicking on them by copying the URL and testing it at these sites:
  - Trend Micro’s Web reputation query: reclassify.wrs.trendmicro.com/wrsonlinequery.aspx
  - McAfee SiteAdvisor (enter the URL on this web page; you don’t have to install their software): www.siteadvisor.com/
Can I click on this?
- Watch for malicious URLs cloaked by URL shortening services like:
  - TinyURL.com
  - Bit.ly
  - CloakedLink.com
Can I click on this?
- TinyURL has a nice "preview" feature that allows you to see the real URL before going to the site. See http://tinyurl.com/preview.php to enable it in your browser (it sets a cookie)
- Bit.ly has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious: addons.mozilla.org/en-US/firefox/addon/10297
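The preview features on the slide above work because a shortener answers with an HTTP redirect whose Location header names the real destination. The same thing can be done by hand: send a HEAD request, refuse to follow the redirect, and read Location one hop at a time. This is an added example for this page, not code from the presentation; the short.example hostnames and the 203.0.113.5 address are constructed placeholders so that it runs offline, and the live HEAD helper is shown but not exercised.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the caller can inspect each hop itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=10):
    """One HEAD request without following redirects.
    Returns (status, Location header or None). Not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # A refused 3xx surfaces as HTTPError; its headers still carry Location.
        return err.code, err.headers.get("Location")


def expand(url, head=live_head, max_hops=5):
    """Walk redirect Location headers one at a time and return the chain of URLs,
    ending at the final landing URL. Raises ValueError on loops or too many hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if not (300 <= status < 400) or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects; treat as hostile")


# Constructed offline stand-in for a shortener chain (no real service is contacted).
FAKE_HOPS = {
    "http://short.example/abc": (301, "http://short.example/xyz"),
    "http://short.example/xyz": (302, "/go?u=1"),
    "http://short.example/go?u=1": (302, "http://203.0.113.5/ldr.exe"),
    "http://203.0.113.5/ldr.exe": (200, None),
    "http://short.example/loop": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop"),
}


def fake_head(url):
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for hop in expand("http://short.example/abc", head=fake_head):
        print(hop)
```

Only the final URL in the chain should be judged, and it should be judged with the same link checks as any other address; a shortener that chains through several hops or loops back on itself is itself a warning sign.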
Can I click on this? (screenshot)
Trend Micro Web Reputation Services is your friend (screenshot)
So are the anti-phishing/malware features in Firefox and IE (screenshot)
Evaluating attachments
- Saving it to your desktop without opening or executing it is usually safe
  - If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the "real time scan")
  - If it is not detected, it is either benign or a new variant of malware that the signatures do not know yet
  - Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select "Update Now"), then scan the file (point to the file, right click, select "Scan with OfficeScan client")
  - If OfficeScan still says "No security risk was found", submit the file to www.virustotal.com to be evaluated by 39 anti-virus products, including Trend Micro; here’s an example: virustotal.com/analisis/b299e2ac8871cd3e511db312d3f3e55d
Evaluating attachments
- If it is still undetected but obviously malicious because of the email it was attached to, submit it to K-State’s IT security team at www.k-state.edu/its/security/report/ so we can send it to Trend Micro for analysis
- Contact the sender to verify they sent it
- Ignore or delete it if it’s not expected or important
- Beware of executable files embedded in .zip attachments; this is a common way for hackers to send .exe files that would normally be deleted by email systems
- Potentially dangerous file types include .exe, .zip (depending on the file types in the .zip archive), .msi, .pif, .scr, .js, and even .pdf and (rarely) .doc
Example of malicious email attachments
- Monday, July 13, 12:59pm: received the first report (from Penn State) that a K-State computer was sending spam with a malicious attachment
- Many more reports soon followed from around the world implicating many K-State IP addresses
- Many K-Staters started reporting receipt of the malicious emails too
- At least 113 K-State computers were infected/compromised when people opened the malicious attachment
- It was a new variant of malware, so Trend Micro OfficeScan did not detect it initially
What happened?
- Four different emails with the following subjects:
  - Shipping update for your Amazon.com order 254-78546325-658742
  - You have received A Hallmark E-Card!
  - Jessica would like to be your friend on hi5!
  - Your friend invited you to twitter!
- Three (somewhat) different attachments:
  - Shipping documents.zip
  - Postcard.zip
  - Invitation card.zip
- At least three different malicious executables in the zip files (note the numerous spaces in the file name before the ".exe" extension):
  - "attachment.pdf                                        .exe"
  - "attachment.htm                                        .exe"
  - "attachment.chm                                        .exe"
What happened?
- Harvested email addresses in address books and sent the same malicious emails to everyone (aka "mass mailing worm"); that’s why so many people at K-State received so many copies
- July 29 and August 7: similar attacks with new variants of the malware that escaped anti-virus detection
- AGAIN (!!) on Nov. 5: the same four emails, a new variant of the malware, infected 130+ K-State computers
Why was it so effective?
- Used familiar services:
  - Amazon.com
  - Hallmark eCard greeting
  - Twitter
- Sensual enticement ("Jessica would like to be your friend on hi5!")
- Somewhat believable replicas of legitimate emails
- Sent it to lots of people (bound to hit someone who just ordered something from amazon.com or is having a birthday)
- Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
- New variant that spread quickly, so initial infections were missed by antivirus protection
- I was too slow submitting samples to Trend (better the second and third time around)
- Malware/attachment filtering in Zimbra did not stop it
- It had been a long time since an attack came by email attachment, so people were caught off-guard
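The padded-name trick described in the "What happened?" and "Why was it so effective?" slides, and the "evaluate it without opening it" procedure on the Evaluating attachments slides, can both be done on an archive without ever extracting or running anything. The following is an added example for this page, not code from the presentation or from K-State: it builds a constructed, harmless zip whose member name imitates the July 2009 attachments, then lists each member’s real name, the warning signs in that name, and the SHA-256 of its contents (the value you would look up or submit on VirusTotal). The extension lists are assumptions of the example.

```python
import hashlib
import io
import os
import zipfile

DANGEROUS_EXT = {".exe", ".scr", ".pif", ".msi", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXT = {".pdf", ".htm", ".html", ".chm", ".doc", ".jpg", ".txt"}


def build_sample_zip():
    """Constructed sample for the example: placeholder bytes (not an executable) stored
    under a name imitating the July 2009 trick: decoy extension, 60 spaces, then .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachment.pdf" + " " * 60 + ".exe", b"placeholder bytes, not an executable")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


def inspect_zip(data):
    """Return one dict per archive member: its real name, the SHA-256 of its content
    and a list of warning flags. Nothing is extracted to disk or executed."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            collapsed = " ".join(name.split())      # "attachment.pdf .exe": the padding is gone
            ext = os.path.splitext(name)[1].lower()  # the extension Windows will actually honour
            flags = []
            if ext in DANGEROUS_EXT:
                flags.append("executable")
            if collapsed != name:
                flags.append("whitespace padding")   # pushes ".exe" out of view in narrow columns
            inner = os.path.splitext(collapsed.replace(" ", "").rsplit(".", 1)[0])[1].lower()
            if ext in DANGEROUS_EXT and inner in DECOY_EXT:
                flags.append("double extension")     # attachment.pdf.exe style
            if info.flag_bits & 0x1:
                flags.append("encrypted")            # a scanner cannot see inside a password-protected zip
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            report.append({"name": name, "sha256": digest, "flags": flags})
    return report


def is_suspicious(report):
    return any(member["flags"] for member in report)


if __name__ == "__main__":
    for member in inspect_zip(build_sample_zip()):
        print(repr(member["name"]), member["sha256"][:16], member["flags"])
```

The member name is printed with repr() on purpose: that is what makes the run of spaces visible, which a file manager column would hide. The hash is computed from the compressed stream in memory, so the file is never written out where a double-click could run it.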
Malicious Hallmark E-Card (screenshot)
Legitimate Hallmark E-Card (screenshot)
Malicious Amazon Shipping Notice (screenshot)
Legitimate Amazon Shipping Notice (screenshot)
Malicious Twitter Invitation (screenshot)
Legitimate Twitter Invitation (screenshot)
What can we do?
- Remember: Hallmark, amazon.com, Twitter, etc. do not send information in attachments
- Don’t open an attachment unless you are expecting it and have verified with the sender
- Analyze attachments before opening them
- Think before you click
- Be paranoid!
Reporting scams
- Send spear phishing scams that target K-State specifically to abuse@ksu.edu
  - Send them with "full headers" (in webmail: highlight the message, right click, select "Show Original", copy everything in the resulting window and paste it into an email to abuse@ksu.edu)
  - To get full headers in other email clients: www.haltabuse.org/help/headers/index.shtml
- Don’t send generic run-of-the-mill scams to abuse@ksu.edu unless it’s something particularly threatening to K-Staters
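The "full headers" requested above are what let the abuse team do the checks this talk keeps coming back to: does the Reply-To go somewhere other than the From, does the bounce address match, did a message claiming to be from the campus Help Desk actually enter from an off-campus host, and does the body ask for a password. The following is an added example for this page, not code from the presentation or from K-State’s abuse team, that runs those checks over a constructed message modelled on the "KSU.EDU WEBMAIL ACCOUNT UPDATE" scam and over a constructed legitimate notice; every host name, address and IP in the samples is a placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = ("ksu.edu", "k-state.edu")

# Constructed message modelled on the scam described on the slides; all hosts,
# addresses and IPs are placeholders, not taken from a real capture.
PHISH = """\
Return-Path: <bounce@mail.example.net>
Received: from mx.ksu.edu (mx.ksu.edu [10.0.0.5]) by webmail.ksu.edu with ESMTP; Fri, 04 Dec 2009 09:00:02 -0600
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.ksu.edu with ESMTP; Fri, 04 Dec 2009 09:00:00 -0600
From: "Help Desk" <helpdesk@k-state.edu>
Reply-To: webmail.upgrade@example.net
To: student@ksu.edu
Subject: KSU.EDU WEBMAIL ACCOUNT UPDATE
Content-Type: text/plain; charset=us-ascii

Dear Webmail user,
Spammers have compromised accounts. Reply with your K-State eID and password
to keep your account active.
Webmail administrator
"""

# Constructed legitimate notice for comparison.
LEGIT = """\
Return-Path: <helpdesk@k-state.edu>
Received: from mx.ksu.edu (mx.ksu.edu [10.0.0.5]) by webmail.ksu.edu with ESMTP; Fri, 04 Dec 2009 09:00:02 -0600
From: "IT Help Desk" <helpdesk@k-state.edu>
To: student@ksu.edu
Subject: Webmail maintenance window
Content-Type: text/plain; charset=us-ascii

Webmail will be unavailable Saturday 6-8am for maintenance. No action is needed.
"""


def domain_of(header_value):
    """'"Help Desk" <helpdesk@k-state.edu>' -> 'k-state.edu'; '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_trusted(name):
    return any(name == d or name.endswith("." + d) for d in TRUSTED_DOMAINS)


def received_hops(msg):
    """Host named after 'from' in each Received header, oldest hop first.
    Only the hops stamped by your own mail servers are trustworthy; anything
    below the first campus hop could have been forged by the sender."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        hops.append(m.group(1) if m else "?")
    return list(reversed(hops))


def triage(raw):
    """Parse one message and return its sender domains, hop list and warning codes."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To")) or sender
    return_path = domain_of(msg.get("Return-Path"))
    hops = received_hops(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    if reply_to != sender:
        findings.append("REPLYTO_MISMATCH")       # replies go to a different organisation
    if return_path and return_path != sender:
        findings.append("RETURN_PATH_MISMATCH")   # bounces go somewhere else too
    if is_trusted(sender) and hops and not is_trusted(hops[0]):
        findings.append("ORIGIN_NOT_CAMPUS")      # claims a campus sender but entered from outside
    if re.search(r"\b(password|passwd)\b", body, re.IGNORECASE):
        findings.append("ASKS_FOR_PASSWORD")      # legitimate IT staff never do this
    return {"from": sender, "reply_to": reply_to, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

The password check is deliberately coarse (a genuine reminder that "we will never ask for your password" trips it too); it is there to make a human look, not to decide on its own. The origin check only fires when the message claims a campus From address, since ordinary external mail naturally enters from outside.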
Reporting scams
- Submit suspicious files/attachments to www.k-state.edu/its/security/report/ (don’t try to send them in email since they may get filtered)
- You can report scams/fraud/crimes to the federal government:
  - FBI’s Internet Crime Complaint Center: www.ic3.gov/
  - FTC’s OnGuardOnline: www.onguardonline.gov/file-complaint.aspx
- ALWAYS report suspected child pornography to the police (K-State or Riley County)
Useful sources of information
- Google: search for a unique phrase in the suspected scam to see what others are reporting about it
- Web sites of organizations targeted by scams often have information, like the IRS: www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1
- Snopes to debunk/confirm hoaxes, rumors, and other "urban legends": snopes.com
- Teach yourself with Sonicwall’s "Phishing and Spam IQ Quiz": www.sonicwall.com/phishing/
- K-State’s IT security web site, updated regularly: SecureIT.k-state.edu
- Current threats and spear phishing scams posted on K-State’s IT threats blog: threats.itsecurity.k-state.edu/
What’s on your mind? (Q&A)