Security Blog Log: Word doc scam evades spam filters

Also this week: A researcher gets a harsh reward after flagging a University of Southern California Web site flaw, and more blogs are keeping an eye on the latest security breaches.


If another Microsoft Word zero-day exploit isn't enough to keep Windows administrators on guard, here's something else to worry about when it comes to the popular word processing program:

Since users are getting better at avoiding URLs in the body of emails, it appears the digital underground is now trying to dupe spam filters by sending their ads as Microsoft Word attachments, according to an analysis in McAfee Inc.'s AVERT Labs blog.

By moving the advertising content and the URL link into an attached document rather than the body of an email message, spammers are able to evade some of the antispam vendors' content-filtering techniques, McAfee said, because most vendors don't scan content inside attachments.

"Microsoft Word is a convenient format because it supports clickable links and most recipients will have Word installed or would be able to open the document with another compatible word processor," McAfee said.

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].


The lab found the first samples of this around Aug. 22, and is still seeing them today, according to the blog posting. "As expected, the spammer is varying the attachment file name, email body text and subject in nearly every batch of the messages sent," McAfee said.

Here are some examples:

Subject: Billing Update, Bill #90023
Forward original invoice with attached invoice transmittal sheet to the contracting officer.
DATED MATERIAL,INVOICE ATTACHED

Subject: Your receipt for Invoice #25826
Credit memo attached to deleted payment receipt cannot be applied to different invoice.
Software order has a Related invoice attached with prepayment information.

Subject: Confirm amount of charges for Claim #59703
"Invoice" hence shall mean the invoice attached to this Agreement.
You MUST show and review the UCAR Invoice Number.

Subject: Filed under your account via Statement #67345
This is to acknowledge receipt of your letter (with attached invoice) of August 2006.
Potential fraud alert, please review invoice to prevent further action on your account.

McAfee said attachments for these samples have filenames similar to: Bill90023.doc, Invoice25826.doc, Claim59703.doc and Statement67345.doc, but the content remains the same.

"We may see this technique adopted by other spammers, and it may also spread to other popular formats such as .pdf," McAfee warned. "While there are plenty of other characteristics of this spam that can be used to block it, it is yet another incremental step by spammers to attempt to make detection harder."

What's an antispam vendor to do? The most obvious thing is to add attachment scanning to their products. But McAfee said there's a potential downside to that: It would require additional processing power on customers' email servers.
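The check McAfee describes (look past the message body into the attachment, and treat identical attachment content under varying filenames and subjects as one batch) can be sketched in a few lines. This is an added example, not code from the column or from McAfee; the messages, the stand-in `.doc` bytes and the `example.invalid` URL are all constructed here.

```python
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage

URL_RE = re.compile(rb"https?://[\w.\-/%?=&#]+", re.IGNORECASE)
# Subject shape seen in the sampled batches: "<Bill|Invoice|Claim|Statement> #<digits>"
SUBJECT_RE = re.compile(r"\b(Bill|Invoice|Claim|Statement)\s*#\s*(\d+)", re.IGNORECASE)

def urls_in_bytes(data: bytes) -> set:
    """URLs in raw content, checked both as 8-bit text and as UTF-16LE,
    since Word 97-2003 .doc files store HYPERLINK fields as UTF-16."""
    found = {m.group(0).decode("ascii", "ignore") for m in URL_RE.finditer(data)}
    wide = data.decode("utf-16-le", "ignore").encode("utf-8", "ignore")
    found |= {m.group(0).decode("ascii", "ignore") for m in URL_RE.finditer(wide)}
    return found

def inspect(raw: bytes) -> dict:
    """Verdict for one raw RFC 822 message: body URLs, .doc attachment URLs, content hash."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg.get("Subject", ""))
    body_urls, docs = set(), []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".doc"):
            data = part.get_payload(decode=True)
            docs.append({"filename": name,
                         # same hash across batches = same ad content behind varying filenames
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "urls": sorted(urls_in_bytes(data))})
        elif part.get_content_type() == "text/plain":
            body_urls |= urls_in_bytes(part.get_payload(decode=True))
    m = SUBJECT_RE.search(subject)
    number = m.group(2) if m else None
    # Flag: link-free body, a .doc carrying a link, and the subject's number echoed in the filename
    suspicious = (bool(docs) and not body_urls and any(d["urls"] for d in docs)
                  and number is not None and any(number in d["filename"] for d in docs))
    return {"subject": subject, "body_urls": sorted(body_urls),
            "attachments": docs, "suspicious": suspicious}

def build_sample(subject: str, body: str, filename: str, doc: bytes) -> bytes:
    """Constructed test message (not a captured sample)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "billing@example.invalid", "user@example.invalid"
    msg.set_content(body)
    msg.add_attachment(doc, maintype="application", subtype="msword", filename=filename)
    return msg.as_bytes()

# Constructed stand-in for a .doc: OLE2 magic followed by a UTF-16LE HYPERLINK field.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + 'HYPERLINK "http://example.invalid/offer"'.encode("utf-16-le")

if __name__ == "__main__":
    for subj, body, name in [("Billing Update, Bill #90023", "DATED MATERIAL, INVOICE ATTACHED", "Bill90023.doc"),
                             ("Your receipt for Invoice #25826", "Credit memo attached.", "Invoice25826.doc")]:
        print(inspect(build_sample(subj, body, name, FAKE_DOC)))
```

Both constructed messages get the same attachment hash despite different subjects and filenames, which is the handle a filter can use once it scans attachments at all.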

Did a flaw finder's plea deal send the wrong message?
One would think the University of Southern California should thank Eric McCarty for alerting them to an SQL injection vulnerability attackers could have used in a future security breach. Instead he got in trouble with the law, and one security blogger is concerned about the potential ramifications.

McCarty, a 24-year-old security analyst based in San Diego, found the flaw on the university Web site in June of last year. Days later, he reported the issue to SecurityFocus, which reported that attackers could have exploited it to access the university's database of 275,000 student and applicant records.

The FBI claimed in court documents that he accessed seven of those records, and that his motives weren't purely about saving USC and its students from public embarrassment and identity fraud. According to SecurityFocus, the FBI pointed to one email McCarty sent a friend in which he lamented about not being admitted to the university.

In the end, McCarty pleaded guilty to charges he intentionally exploited a flaw in the online student application. If a judge signs off on the plea agreement in December, McCarty will have to serve three years of probation with a condition of six months of home detention, and pay the university nearly $37,000 in damages.

Security expert Martin McKeay thinks McCarty deserved some punishment, but nothing like this.

"I don't believe he should be let go without some sort of warning for poking around in the USC database, but three years of probation, six months of house arrest and $37K in restitution is a pretty stiff punishment," McKeay wrote in his Network Security blog. "The punishment that is being meted out is far in excess of the crimes Eric McCarty is guilty of."

Beyond the fairness of the punishment itself, McKeay worries the prosecution will discourage researchers from reporting other serious security holes in the future.

"By stifling the ability of legitimate security professionals to test Internet-facing Web applications, this case weakens the security of the Web as a whole," he said. "If anyone who looks for vulnerabilities is declared an outlaw and subject to this type of persecution, only outlaws will be looking at the vulnerabilities. And they're not going to tell the university before they start exploiting the holes."

Blogs keep tally of data breaches
Looking for a detailed tally of security breaches? The most comprehensive is probably the Privacy Rights Clearinghouse (PRC) list of data breaches. But there are also some blogs out there that stay atop the latest incidents.

One is the numbrX blog, which links to news reports of the latest breaches. The most recent item is about the Transportation Security Administration (TSA) warning former employees that their personal information was mailed to the wrong addresses. Accenture, a contractor that handles TSA personnel, sent 1,195 documents to the wrong former employees during a recent mailing, according to a letter signed by Richard Whitford, TSA assistant administrator for human capital.

The blog also links to a story about how the personal data of 38,000 current and retired Chicago city workers was stored in a laptop that was stolen in April 2005.
