

Basic Email and Web Security

IT Security Training
October 12, 2010

Harvard Townsend
Chief Information Security Officer
“The Internet is a bad neighborhood.”

- Why people are so easily tricked
- Characteristics of scam emails – things to look for and tools to help
- Can I open this attachment?
- Can I click on this link?
- Helpful security features built into web browsers
- Tools you can add to your web browsers
- The value and limitations of anti-virus software (Trend Micro is still your friend)
- Misc. cautions/tips/tricks
[Screenshots: the real K-State Federal Credit Union web site, beside the fake K-State Federal Credit Union web site used in a spear phishing scam]

Spear phishing scam received by K-Staters in January 2010
“Phishing” scams try to trick you into providing private information, like a password or bank account info. “Spear phishing” targets a specific population – in this case, K-State email users.
The malicious link in the email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which will steal your eID and password if you enter them and click “Sign in”.
Note the URL highlighted in red – “”, which is obviously not
[Screenshots: fake SSO web page beside the real SSO web page]

[Screenshots: fake SSO web page – site not secure (http, not https) and hosted in the ; real SSO web page – note “https”]

[Screenshots: fake SSO web page; real SSO web page – use the eID badge to ]

Result of clicking on the eID verification badge on a legitimate K-State web site that uses the eID and password for authentication

Most effective spear phishing scam
- At least 62 replied with their password, 53 of which were used to send spam from K-State’s Webmail
- Arrived at a time when newly admitted freshmen were getting familiar with their K-State email – 37 of the 62 victims were newly-admitted freshmen
- Note the characteristics that make it appear legitimate:
  - “From:” header realistic: "Help Desk" <>
  - Subject uses familiar terms:
  - Message body also references realistic terms: “IT Help Desk”, “Webmail”, “KSU.EDU”, “K-State”
  - Asks for “K-State eID” and password
  - Plausible story (accounts compromised by spammers!!)
Another effective spear phishing scam
[Screenshot of the scam email – this one also tricked 62 K-Staters into giving away their eID]

Another effective spear phishing scam
[Screenshot of the scam email – actually did come from a K-State email, one that was because the user gave away her eID password in]
How to identify a scam
- General principles:
  - Neither IT support staff nor any legitimate business will EVER ask for your password in an email!!!
  - Use common sense and logic – if it’s too good to be true, it probably is.
  - Think before you click – many have fallen victim due to a hasty reply
  - Be paranoid
  - Don’t be timid about asking for help from your IT support person or the IT Help Desk
How to identify a scam
- Characteristics of scam email
  - Poor grammar and spelling
  - The “Reply-to:” or “From:” address is unfamiliar, or is not a or address
  - Uses unfamiliar or inappropriate terms (like “send your account information to the MAIL CONTROL UNIT”)
  - It asks for private information like a password or account number
  - The message contains a link where the displayed address differs from the actual web address
  - It is unexpected (you weren’t expecting Joe to send you an attachment)
  - Does not provide explicit contact information (name, address, phone #) for you to verify the communication. A good example is the spear phishing scam that tries to steal your eID password and is signed “Webmail administrator”
How to identify a scam
- Beware of scams following major news events or natural disasters (e.g., after Hurricane Katrina, asking for donations and mimicking a Red Cross web site)
- Seasonal scams like special Christmas offers, or IRS scams in the spring during tax season
- They take advantage of epidemics or health scares, like the H1N1 scam last year
- Often pose as a legitimate entity – PayPal, banks, FBI, IRS, Wal*Mart, Microsoft, etc.
- If unsure, call the company to see if they sent it (we did this with a recent email from the Manhattan Mercury)
- Hackers are very good at imitating legitimate email – they will use official logos, some links in the email will work properly, but one link is malicious
- Many make sensational claims; remember to apply the common sense filter – if it sounds too good to be true, it probably is
From the “too good to be true” class of scams
- Three K-State students fell for this one in August. Fortunately none lost money, although two might have if alert bank tellers hadn’t caught the counterfeit checks

Useful sources of information
- Google – search for a unique phrase in the suspected scam to see what others are reporting about it
- Web sites of organizations targeted by scams often have information, like the IRS,,id=179820,00.html?portlet=1
- Snopes to debunk/confirm hoaxes, rumors, and other “urban legends” –
- Teach yourself with Sonicwall’s “Phishing and Spam IQ Quiz” –
- K-State’s IT security web site, updated regularly
- Current threats and spear phishing scams posted on K-State’s IT threats blog

Evaluating attachments
- Don’t open email attachments you were not expecting
  - From someone you do not know
  - From someone you know, but weren’t expecting them to send you a file (infected computers can send malicious emails from the owner of the computer to everyone in their email address book)
  - This is especially true if the content of the email message is brief, vague, and/or unusual

Evaluating attachments
Should I trust this email?
[Screenshot of the email, annotated: “I don’t know the sender”; “Very brief, vague”; “attachment w/ unknown content”; “PDF files can carry malicious code; do not trust PDF files unless validated with sender”]
Evaluating attachments
- Ignore or delete it if it’s not expected or important; not worth the risk of opening it and infecting your
- Beware of executable files embedded in .zip attachments – this is a common way for hackers to send .exe files that would normally be deleted by email
- If there’s any reason to believe it might be legitimate, validate the attachment before opening it
  - Contact the sender and ask if it is legit
  - Ask your IT support person or the IT Help Desk
  - Test it with antivirus software to see if it is a known malicious

Evaluating attachments
- Saving it to your desktop without opening it or executing it is usually safe
  - If Trend Micro OfficeScan recognizes it as malicious, it will prevent you from saving it to the desktop (a function of the “real time scan”)
  - If not detected, it is either OK or a new variant of malware
- Manually update Trend Micro OfficeScan (point to the OfficeScan icon in the system tray, right click, select “Update Now”), then scan the file (point to the file, right click, select “Scan with OfficeScan client”)
- If OfficeScan still says “No security risk was found”, submit the file to to be evaluated by 43 anti-virus products, including Trend Micro; here’s an example:
Example of malicious email attachments
- Four different emails with the following subjects received by many K-Staters in July 2009 and again in November:
  - Shipping update for your order 254-78546325-
  - You have received A Hallmark E-Card!
  - Jessica would like to be your friend on hi5!
  - Your friend invited you to twitter!
- Three (somewhat) different attachments:
  - Shipping
  - Invitation
- 130+ computers infected in July, 100+ in November; all had to be reformatted and reinstalled from scratch – all because users opened malicious attachments




Why was it so effective?
- Used familiar services
  - Hallmark eCard greeting
  - Twitter
- Sensual enticement (“Jessica would like to be your friend on hi5!”)
- Somewhat believable replicas of legitimate emails
- Sent it to lots of people (bound to hit someone who just ordered something from or is having a birthday)
- Effectively masked the name of the .exe file in the .zip attachment by padding the name with lots of spaces
- New variant that spread quickly, so initial infections were missed by antivirus protection
- It had been a long time since an attack came by email attachment, so people were caught off-guard
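As an added example (not from the original slides), the following Python script shows how a defender could inspect a .zip attachment for the padded-name trick described above, where the real .exe extension is pushed out of view by a long run of spaces. The archive contents, the extension list and the padding threshold are constructed for this demo.

```python
import io
import re
import zipfile

# Constructed for this example: extensions Windows runs on double-click, and how long a run
# of spaces must be before we treat it as deliberate padding rather than an odd file name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PADDING_THRESHOLD = 8


def classify_entry(name):
    """Classify one archive entry name; returns a dict of findings."""
    filename = name.rsplit("/", 1)[-1]            # drop any directory part
    real_ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    # What the user sees in a narrow archive listing: everything before the padding,
    # e.g. 'Invitation.pdf' when the entry is 'Invitation.pdf<80 spaces>.exe'.
    apparent = re.split(r"\s{%d,}" % PADDING_THRESHOLD, filename, maxsplit=1)[0]
    apparent_ext = ("." + apparent.rsplit(".", 1)[-1].lower()) if "." in apparent else ""
    padded = apparent != filename
    return {
        "name": filename,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        "padded_name": padded,
        "masked_extension": padded and apparent_ext != real_ext,  # decoy .pdf hides a real .exe
    }


def is_suspicious(finding):
    return finding["executable"] or finding["padded_name"] or finding["masked_extension"]


def scan_zip(data):
    """Return findings for every file entry of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_entry(info.filename) for info in zf.infolist() if not info.is_dir()]


def build_sample_zip():
    """Constructed archive mimicking the 2009 attachments: a padded .exe beside a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf" + " " * 80 + ".exe", b"MZ constructed placeholder, not a program")
        zf.writestr("Shipping_label.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        verdict = "SUSPICIOUS" if is_suspicious(finding) else "ok"
        print(verdict, repr(finding["name"]), finding)
```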

What can we do?
- Remember – Hallmark,, Twitter, etc. do not send information or instructions in attachments
- Don’t open an attachment unless you are expecting it and have verified it with the sender
- Analyze attachments before opening them
- Think before you click
- Be paranoid!

Web Browsing Threats
- Malicious links/sites – to click or not to click, that is the question.
- Malicious advertisements
- Drive-by Download (don’t even have to
- Search engines tricked into presenting a malicious/bogus result near the top of your search results (aka Blackhat Search Engine Optimization (SEO) Poisoning)
Can I click on this?
- Watch for a displayed URL (web address) that does not match the actual
- Beware of a link that executes a program (like ldr.exe)
- Avoid numeric IP addresses in the URL
- Watch for legitimate domain names embedded in an illegitimate one

Can I click on this?
- Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below)
  From: Capital One bank <>
  URL in msg body:
- IE8 highlights the actual domain name to help you identify the true source. Here’s a web address from an IRS scam email that’s actually hosted in Pakistan:

Can I click on this?
- Beware of domains from unexpected foreign
- MANY scams originate in China (country code = .cn)
- Country code definitions available at:

Can I click on this?
- Watch for malicious URLs cloaked by URL shortening services like:

Can I click on this?
- TinyURL has a nice “preview” feature that allows you to see the real URL before going to the site. See to enable it in your browser (it sets a cookie)
- has a Firefox add-on to preview shortened
  - It also warns you if the site appears to be
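As an added example, not part of the original presentation, here is a small Python checker that applies the “Can I click on this?” heuristics from these slides to a single link: numeric IP hosts, a trusted name embedded in someone else’s domain, unexpected country-code domains, URL shorteners, links to program files, plain http, and displayed text that differs from the real destination. The domain lists, the 192.0.2.10 address and the example.nl / example.kg hosts are constructed placeholders, and the registrable-domain logic is a naive last-two-labels approximation rather than a public-suffix lookup.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed lists for this example; a real deployment would use the organisation's
# own domain inventory and a public-suffix list instead.
TRUSTED_DOMAINS = {"k-state.edu", "ksu.edu"}                     # domains the organisation owns
BRAND_WORDS = {"k-state", "ksu", "capitalone", "paypal", "irs"}  # names scammers like to imitate
EXPECTED_TLDS = {"com", "edu", "org", "gov", "net", "us"}        # anything else gets a closer look
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "is.gd"}
EXECUTABLE_PATH = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)


def registered_domain(host):
    """Naive registrable domain = last two labels: 'eid.k-state.edu.example.nl' -> 'example.nl'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_warnings(href, displayed=None):
    """Apply the slide heuristics to one link. Returns the reasons it looks risky (empty = none)."""
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    warnings = []
    if is_ip_address(host):
        warnings.append("numeric IP address instead of a domain name")
    elif reg in SHORTENERS:
        warnings.append("shortened URL hides the real destination; preview it first")
    elif reg not in TRUSTED_DOMAINS:
        tld = reg.rsplit(".", 1)[-1]
        if tld not in EXPECTED_TLDS:
            warnings.append("unexpected country-code domain: ." + tld)
        if any(brand in host for brand in BRAND_WORDS):
            warnings.append("trusted name embedded in a domain owned by someone else: " + reg)
    if parsed.scheme != "https":
        warnings.append("plain http: not a page to type a password into")
    if EXECUTABLE_PATH.search(parsed.path):
        warnings.append("link points at a program file: " + parsed.path.rsplit("/", 1)[-1])
    if displayed and "." in displayed:
        # Compare the address the user sees with the one the browser would actually open.
        shown = urlparse(displayed if "://" in displayed else "http://" + displayed).hostname or ""
        if shown and registered_domain(shown) != reg:
            warnings.append("displayed address %s differs from actual destination %s" % (shown, host))
    return warnings


if __name__ == "__main__":
    # Constructed sample links; example.* hosts and 192.0.2.10 are documentation placeholders.
    samples = [
        ("https://signin.k-state.edu/login", None),
        ("http://eid.k-state.edu.example.nl/login", None),
        ("http://192.0.2.10/ldr.exe", None),
        ("https://www.capitalone.example.kg/", "www.capitalone.com"),
        ("http://tinyurl.com/abc123", None),
    ]
    for href, shown in samples:
        print(href, "->", link_warnings(href, shown) or ["nothing obvious"])
```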
Malicious Advertisements
- Major ad networks (aka “ad aggregators”) affiliated with Google, Yahoo, Fox and others, covering more than 50% of online ads, have been infiltrated with “poisoned ads” containing malicious code (Source: Avast!)
- Happened to the New York Times website last fall
NY Times incident
- Ad placed via a phone call from a person posing as Vonage, an international phone company and regular advertiser on the NY Times web site
- Since Vonage is well known, they allowed ads to be served by a remote third-party host (i.e., not the NY Times web server)
- Legitimate Vonage ads displayed all week
- During the weekend, the legitimate ad switched to a malicious one that served up fake antivirus scareware, which tried to get people to buy bogus security software with a credit card
Malicious Advertisements
- Isn’t just NY Times… (!!)
- These legitimate sites are not in cahoots with the criminals, they’re just not careful enough in screening ads from third-party ad networks
Drive-by Downloads
- The scary thing is you don’t even have to click on anything – just visiting a site with malicious code can initiate a download that installs malware on your computer without you knowing it.
- Symantec claims every one of the top 100 websites in the world has served up malicious code at some
- JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe PDF reader, Java, or Flash… or all three; this is why a tool like NoScript or something that blocks ads is effective
Drive-by Downloads
- Commonly used to promote fake antivirus software (aka “scareware” or “extortionware”) – they make you believe your computer is infected with lots of malware, enticing the nervous user to “Click Here” to buy fake security software for $30-$100, plus they steal your credit card
- Can be used to infect your computer with any malware – keyloggers, Trojans, Torpig, …
- Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 43 popular AV products at before
- Prevention is by keeping Adobe Reader, Flash, and Java updated with the latest security patches
Search Engine
- Search engines, like Google, are tricked into presenting a malicious link in the top 10 results for popular searches
- Known as “Blackhat Search Engine Optimization (SEO) Poisoning”
- 13% of Google searches for popular or trendy topics yield malicious links
- Currently used mostly for fake antivirus scams
- Exploit current events, popular topics
  - January 2010 an all-time high, with hackers capitalizing on the Haitian earthquake, the release of the movie Avatar, and the announcement of the iPad
Blackhat SEO
[Screenshot: search for “Oscars 2010 winners”, with the malicious pages that infect with FakeAV scareware marked among the results]
Source: Sophos security blog, March 8, 2010
Blackhat SEO
- Examples of exploited topics in 2010:
  - Tiger Woods car wreck, affairs
  - Death of Patrick Swayze
  - Affair of Sandra Bullock’s husband with Michelle “Bombshell”
  - Rumored death of Bill Cosby (pretty common to make up a sensational hoax)
  - Chilean earthquake
  - Moscow subway explosions
  - Plane crashing into IRS building in Austin, TX
  - Sea World killer whale attack
  - Sentencing of TJX hacker
  - Oscars
  - Kids’ Choice Awards
  - Olympics (esp. death of Georgian luge athlete)
  - March Madness basketball tournament
  - April Fools’ Day (a natural…)
Blackhat SEO
- How do I prevent it?
  - Be paranoid – think before you click!
  - Pay attention to the link – only visit reputable sites; think before you click
  - Pay attention to warnings from anti-phishing filters, Trend Micro WRS, and other tools you might use to detect malicious links (see later slides)
  - If you click on a search result and security warnings like this pop up, do NOT click on anything – contact your IT support person
Blackhat SEO
- How do I prevent it?
  - Run antivirus software and keep it up-to-date (required to use Trend Micro on campus)
  - Keep ALL software patched, including the web browsers and plug-ins, Adobe products, Flash, and Java
    - VERY challenging for IT staff, let alone your average user
    - A recent study found that the average home user would have to patch 75 times per year (once every 5 days!) using 22 different patching mechanisms
What’s a feller to do?
If you’re not scared by now, then I’m worried about you and I pity your IT support person
Browser features – IE8
- Domain highlighting
- SmartScreen filtering – blocks access to malicious sites and file downloads
Browser features – IE8
- Pop-up blocker – if it causes a problem with an application, add a specific exception; don’t turn off the pop-up
- If you don’t see a malicious pop-up message, you won’t be duped by it.
Browser features – IE8
- InPrivate Browsing – good if using a public computer in a lab or Internet café, since it leaves no trace of your browsing activity. The cache (“temporary Internet files”, which are local copies of content from web sites you visited recently), cookies, and browser history (web addresses of sites you visited recently) are not stored.
Browser features – Firefox
- Anti-phishing and anti-malware protection – detects and blocks access to known malicious sites and
Browser features – Firefox
- Pop-up blocker
  - Similar to IE; add exceptions at
- Private browsing – cache, cookies, and history not saved, just like “InPrivate Browsing” in IE
- Instant Website ID – provides detailed identity information, if available, about the site:
Browser add-ons
Web of Trust from
- Available for Firefox, IE, Google Chrome
- Rates web sites on
  - Trustworthiness
  - Vendor reliability
  - Privacy
  - Child safety
- Warns you if about to visit a poorly rated site
- Tags ratings in Google search results, which is really helpful for detecting Blackhat SEO Poisoning
- Also tags links in web-based email like K-State’s Zimbra Webmail and Gmail
- Provides user comments about the site and its rating
Browser add-ons
NoScript from
- Extension for Firefox (not available for IE)
- Prevents execution of JavaScript, Java, and Flash – the most common culprits for web-based
- Can selectively allow trusted sites
- Often able to view content of interest without enabling all scripts – you don’t need to see the ads or that cute Flash animation!
- Takes some getting used to, and it takes a while to build up the exceptions for trusted sites so it’s not always getting in the way of your productive use of the web
Browser add-ons
Adblock Plus from
- Again, only for Firefox (IE is not nearly as extensible as Firefox!)
- I haven’t used this tool, but others have recommended it for blocking
- Some have argued against blocking ads since they provide the revenue that allows so much free content on the web
Help from Trend Micro
- Web Reputation Services (WRS)
  - Blocks access to known disreputable
  - Enabled in both Windows and Mac
  - K-State IT security team regularly reports new malicious links to Trend to add to the block list
- Also provides traditional “antivirus” malware protection

Trend Micro WRS is your friend

Recognizing Fake Antivirus Alerts
Actual pop-up alert from Trend Micro OfficeScan:

Recognizing Fake Antivirus Alerts
Example of a fake AV “scareware” alert that tries to trick you into buying worthless software to fix non-existent infections:
Misc. Tips/Tricks
- Use a Mac
- Firefox vs. Internet Explorer (IE)?
  - Both have vulnerabilities
  - Both have helpful security features
  - ActiveX in IE has historically been a security concern but is less of a target these days
  - If you use IE6 or IE7, upgrade to IE8 because of significant security improvements plus application compatibility
- Stay away from questionable sites
  - Pornography
  - Gambling
  - Some gaming sites
- Peer-to-peer file sharing applications are dangerous since they too have been infiltrated with malware; the movie you download may also have malware attached to it that will infect your computer when you try to run the movie.
Misc. Tips/Tricks
“… because that’s where the money is.” – Willie Sutton, famous 19th century bank robber, on why he robs banks
- Beware of where you do your online banking – cybercriminals are actively hunting you online and targeting your computer because “that’s where the money is”
- 66 instances of Torpig malware at K-State thus far in 2010, 34 in 2009 – steals usernames/passwords and banking info
- The American Bankers Association recommends using a dedicated computer for online banking, since malware typically gets on a computer via web surfing or email
- A low-end $500 PC or netbook is good for this, or re-purpose the old computer when you upgrade
- Make sure your banking computer is protected with a strong
- At the very least, don’t do online banking on the same home computer your children (and their friends) use!
- Create a separate regular user account for your children on your home computer(s)!!
Misc. Tips/Tricks
- Don’t let your browser store/remember important passwords like:
  - eID
  - Financial accounts
- 38% of bank account or username/password information stolen by Torpig malware came from the browser’s password store on the compromised computer
- Password-protect the browser password

Misc. Tips/Tricks
- Don’t keep yourself logged into important accounts
- Similar to letting the browser store username/password; the effect is the same – anyone with access to the computer has access to those accounts
- Never do either on a public computer
- There’s no way to be 100% secure surfing the web these days
- Use a multi-faceted approach to reduce your risk (browser security features, browser add-ons, Trend Micro security software, educate
- These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today’s hostile online climate
- Think before you click!
What’s on your mind?

