« August 2013 | Main | October 2013 »

September 2013

Saturday, 07 September 2013

Is it Spam? This Week in Credit and Refinance Fraud Scams

Spam is one of the few subjects where I practice more as a cynic than skeptic. I assume that nearly email I receive that even hints at having a commercial message is spam (and I'm careful to unsubcribe from commercial email that is opt-out). I'm most cynical and aggressive with any message that mentions credit reports or refinance. These target and prey upon people who are having financial issues, which ranks them high in the despicable category.

Recent refi or credit improvement scams use these Subject: lines:

With this increase to your credit score - you are in good shape

Your Credit Score May Have Changed

CONTACT US FOR A LOAN

Refinance rates are lower than ever! Achieve 2.99% now

Just verify the approved increase to your credit score and its done

Keep those hard earned funds in your pocket when you refinance today

Scam1 Scam2

Others attempt to look legitimate by invoking the names of the three major credit score firms (TransUnion, Experian, Equifax). 

Many have telltale spelling or grammatical errors as well.

It's not very hard to collect data to justify my (or your) cynicism. Running basic checks on messages with such headers (whois, cURL, dig, PDNS), I find that

  • The domain names are recent registrations
  • The contact information in Whois records is privacy protected
  • Using cURL, I can see that the home/base page is empty, i.e., it only contains
    <HTML><BODY></BODY></HTML>
  • The zone data for the domain is hosted on a name server that also hosts other scam domains.

I do these checks for research or reporting purposes. You don't need to.

Be cynical. Delete the message. Don't reply. Don't visit the site. 

Posted at 03:31 AM in Anti-Malware and Anti-phishing, Stop Think Connect | | Comments (0)

Tuesday, 03 September 2013

Emergence of DDoS as a Service (DDoSAAS)

Originally posted at The Transformed Data Center 28 May 2013

As if the current frequency of DDoS attacks is not enough, we’re now confronted with an emergence of “legitimized” attacks: DDoS-as-a-service (DDoSAAS).

Service?  

Respected security blogger Brian Krebs exposed the advent of DDoS legitimization and interviews players in this questionable industry in May 2013. What Brian learned is that these services are really straightforward: A DDoS service operator launches an attack of your choice against your target, for however long you specify.

For the ultimate in convenience, the operators often accept PayPal. Are such services widely in use? Brian’s investigations revealed that one operator alone appears accountable for over 10,000 attacks in a single week. Are they legal? The operators of the service, and their attorneys, claim that they are, or claim that they aren’t responsible for how their customers use the services they offer. For the moment, legal or not, we all must contend with DDoSAAS.

Open recursion is a key attack component

Analysis by security experts suggests that DDoS amplification (reflection) is the attack method of choice for many DDoSAAS operators. This form of DDoS attack relies on DNS resolvers that accept DNS queries from any source (recursion is thus open to all hosts). The attacks also originate from spoofed IP addresses (which you could mitigate at your datacenter firewalls by filtering source addresses if your ISP has not implemented BCP 38).

If these characteristics sound familiar, it’s because the numbers of open resolvers and networks that forward traffic from spoofed sources remains unacceptably high. The Open Resolver Project recently identified over 27 million resolvers that appear open. The daily surveys at the Measurement Factorysuggest that the number is growing.

Mitigate open recursion to reduce attack infrastructure

DDoS attackers, legit or not, need infrastructure to launch attacks. We can make legitimized DDoS service less attractive if we raise the cost of doing business. This begins by taking away the open resolver infrastructure that they exploit at no cost. Mitigating open recursion, however, is inherently a community initiative: it’s not about your networks or datacenter being a target but about your recursive resolvers being enablers. The irony of legitimizing DDoS service, however, is that it shifts every organization’s motivation to reduce open recursion from selfless act to preventative measure.

Begin by referring to a public resources or explanations of how to test whether or not your resolvers are open recursive. ThinkbroadbandMeasurement Factory, and VerisignLabs provide online checking tools. Measurement Factory also explains how you can do checks using command line commands dig (Linux, BSD) or nslookup (DOS).

The basis for many techniques for mitigating the threat that open recursion poses is published as an IETF Best Common Practice (BCP 140). The recommendations essentially advise that you implement access controls (ACLs) to provide name resolution only to clients you intend to serve. To disallow open recursion or to limit recursion, look at recommended configurations specific to your name server software.

As an example, Internet Systems Consortium, Inc. (ISC), the folks who develop and maintain the BIND DNS software run on many recursive resolvers discourage open recursion without an accompanying implementation of abuse mitigation or countermeasures. Consult the default configuration for BIND 9.4.1 and beyond: these versions only allow recursion for local hosts and networks. ISC recommends that you “create ACLs that match hosts that should be allowed access to cache and recursion on the servers.” You may want to consult Team Cymru’s Secure BIND Template as well.

Similar configuration resources exist for Windows Server 2003 and 2008/2012 and for Unbound as well. Other sources you may find useful are Sysadmins of the North and Cisco Systems’ DNS Best-Practices page.

Let me leave you with this final point: So-called legitimized services raise the DDoS threat level. However, on the positive side, they also help lend credence to the notion that information security is as much about corporate health or wellness as it is self-defense.

Posted at 10:33 AM | | Comments (0)

« Previous
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories