Category Archives: Security Response News

Spammers Continue to Exploit Mother’s Day

Mother’s Day is celebrated in many countries on May 12 and it’s a day for children, regardless of age, to express their love to their mother by giving her a gift. Spam messages related to Mother’s Day have begun flowing into the Symantec Probe Network. Clicking the URL contained in the spam message automatically redirects the recipient to a website containing a bogus Mother’s Day offer upon completion of a fake survey.


Figure 1: Survey spam targeting Mother’s Day

Once the survey is completed, a page is then displayed asking the user to enter their personal information in order to receive the bogus offer.


Figure 2: Fake survey

 


Figure 3: Bogus Web page asking for personal information

We recently blogged about the persistence of spam with .pw URLs and not surprisingly a lot of the Mother’s Day spam messages contain .pw top-level domain (TLD) URLs. The following are some examples of the From header using .pw URLs that we have identified to date:

  • From: Mother’s Day Gifts <Check@[REMOVED].pw>
  • From: “Early Bird Mother’s Day Flowers” <postmaster@[REMOVED].pw>
  • From: “Early Bird Mother’s Day Bouquets” <noreply@[REMOVED].pw>
  • From: “Mother’s Day Bouquets” <MothersDayBouquets@[REMOVED].pw>
  • From: “Mom” <Mom@[REMOVED].pw>

 


Figure 4: Another dodgy website related to Mother’s Day

Symantec is observing an increase in spam volume related to Mother’s Day, which can be seen in the following graph.


Figure 5: Volume of Mother’s Day spam

The following are some of the Subject lines observed for these spam attacks:

  • Subject: Don’t Forget Mother’s Day – $19.99 Chocolate, Dipped Strawberries
  • Subject: Stunning Personalized Gifts for Mother’s Day
  • Subject: Top Personalized Mother’s Day Gifts
  • Subject: Make Mother’s Day Special With A Personalized Gift
  • Subject: Mother’s Day Car Deal (Half Off Every Make And Model)
  • Subject: Regarding Mothers Day
  • Subject: Celebrate Mom with a $19.99 bouquet.
  • Subject: Mother’s Day Replica’s Women’s Accessories
  • Subject: Mother’s Day Secret Formula.

Symantec advises our readers to use caution when receiving unsolicited or unexpected emails. We are closely monitoring Mother’s Day spam attacks to ensure that readers are kept up to date with information on the latest threats.

Have a safe and happy Mother’s Day!

New Internet Explorer 8 Zero-Day Used in Watering Hole Attack

Microsoft has issued Security Advisory 2847140 in response to reports regarding public exploitation of a vulnerability affecting Internet Explorer 8. Other versions such as Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Exp…

Google Glass and Tomorrow’s Security Concerns

If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that are reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50-word essay using the hashtag #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.

Along with the admiration of a device that appears to do everything comes controversy. The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, under which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on eBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.

Recently, James Freeman, a security researcher from the United States, blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the press and Google scrambling after he posted a picture showing that he had rooted the device. Freeman wasn’t part of the Glass Explorer beta test; he simply had the privilege of purchasing the device as an attendee of Google I/O in 2012. His main motivation in purchasing Google Glass was device customization. In order to customize the device, he had to “jailbreak” or “root” it.

The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:

“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.

The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB “On-The-Go” cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could “try on” your Glass, and install malicious software in the process.”

Although the vulnerability in Google Glass allows anyone with malicious intent to install malware to their heart’s desire, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security-wise, no device is completely secure once someone has physical access to it. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.

Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.

In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. Examples include privacy risks, such as being recorded inconspicuously wherever you are, and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface; the list of security concerns might be endless.

.pw URLs in Spam Keep Showing Up

Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
 


Figure 1. .pw TLD spam message increase
 

Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. 

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. The top 25 subject lines from .pw URL spam from May 1, 2013 were:

  • Subject: For all the moms in your life on Mother’s Day.
  • Subject: Tax Relief Notification
  • Subject: Remove IRS Tax Penalties
  • Subject: Save on the most beautiful bouquets for Mom
  • Subject: Reusable K Cup for Keurig or single-brew coffee maker
  • Subject: Garden Today says, “By far the easiest hose to use”
  • Subject: HOME: Amazingly Strong water hose you can fit anywhere.
  • Subject: The LAST water hose you’ll ever need
  • Subject: No Hassle Pricing on Ford Vehicles
  • Subject: Own a NEW Ford for the Summer
  • Subject: May 1st Ford Clearance Event
  • Subject: Lasik- Safe, Easy, and Affordable
  • Subject: Safe, Easy, and Affordable Lasik
  • Subject: We work with the Biggest and Best Brands in Fashion
  • Subject: Whos the hottest? Post . Vote . Win
  • Subject: Are You and Your Business seen at a global scale?
  • Subject: Power your entire House, Pool and more with Solar Energy
  • Subject: Most EFFECTIVE way to treat Hypertension
  • Subject: Solar power slashes your electric bill in half
  • Subject: Global Business Registry for Networking Professionals
  • Subject: Finally, an EFFECTIVE fat shredding solution
  • Subject: Register with other professionals
  • Subject: Easiest Way To Lower Blood Pressure
  • Subject: Secret To Lowering Blood Pressure Naturally
  • Subject: Refinance Today, Save Tomorrow

In addition to creating anti-spam filters as needed, Symantec has been in contact with Directi and working with the registrar to report and take down the .pw domains associated with spam. Symantec believes that collaborating with the registrar is a more progressive and holistic approach to solving this problem.

The Hexadecimal URL Obfuscation Resurgence

For the past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, he…

????????????


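These days we see a data breach almost every week. Each time, huge numbers of user accounts, and probably other important data as well, are put at risk, yet most people are no longer even surprised by such reports. Data breaches are becoming that commonplace.

One of the most common attacks used in data breaches is SQL injection. SQL injection has also held the top spot for many years in the OWASP Top 10 ranking of web application flaws. Several ways to prevent SQL injection should be well known, but unfortunately SQL injection keeps occurring even on high-traffic sites. In addition, by targeting web server misconfigurations or vulnerabilities in remote administration tools, attackers can gain access to systems and read potentially important files.

The most reliable way to store passwords has been hotly debated for a long time, and no conclusion has been reached even now. Most agree that storing passwords in plain text in a database is undesirable, yet in practice it is still done everywhere. The excuse offered is something like, “Nobody has read access to the database, so there’s no problem, is there?” As history has shown again and again, that statement cannot hold true forever.

Ordinary users usually do not know how their passwords are stored by a service. One neat trick is to use the password reset function. Some services send an email containing the user’s password in plain text, and that alone makes it clear that the password is stored in plain text. If in doubt, you can also ask the service company, but in most cases they will simply assure you that “passwords are protected with the latest encryption technology” and tell you nothing more.

Even so, the keyword is not wrong, because most systems use a one-way cryptographic function. So-called hash functions such as MD5 and SHA1 are used to store passwords. Note that these are not password protection functions; they are normally functions for creating message digests. Applying them to passwords and storing only the hash values appears to make the plain-text password problem go away. However, attackers can build “rainbow tables” that precompute pairs of passwords and their corresponding hash values. With today’s cloud services, generating rainbow tables does not take long, and the resulting pairs are easy to store. Using this approach, all common passwords can be broken instantly with a simple lookup.

To keep passwords from being easily broken even with rainbow tables, a salt can be used. A salt is a long random string that is combined with the password before hashing. Used on a per-user basis, it makes the string far more complex. Even if two users use the same password (for example, 123456), they end up as different hashes in the table. Moreover, because the attacker needs a rainbow table for each possible salt, analyzing many users’ passwords at once becomes much harder. Even so, it is still possible to brute-force the password of one specific user (for example, an administrator).

This is where iteration, or key stretching, comes in. Repeating the hash function over and over slows down the whole process. For a normal logon, a slight delay is not much of a problem, but for a brute-force attack, the time needed to crack a password may reach thousands of years. Examples that are easy to integrate are bcrypt and PBKDF2. Of course, simply using two-factor authentication also raises the barrier. Symantec’s VIP service is one example.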
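The three storage schemes discussed above (bare digest, per-user salt, key stretching), side by side, as an added example that is not code from the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, record layout, function names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a few common passwords to precompute digests for.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Assumption: work factor picked for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """Weak scheme from the text: a bare message digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precomputed digest -> password map (simplified stand-in for a rainbow table)."""
    return {unsalted_md5(p): p for p in candidates}


def recover_from_table(stored, table):
    """Return {user: password} for every stored hash found in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Salt and iteration count are stored next to the hash; neither is secret.
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict) -> bool:
    """True when a record was stretched with fewer iterations than current policy."""
    return record["iterations"] < PBKDF2_ITERATIONS


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    weak = {"alice": unsalted_md5("123456"), "bob": unsalted_md5("123456")}
    print("unsalted MD5, recovered by lookup:", recover_from_table(weak, table))
    strong = {u: hash_password("123456") for u in ("alice", "bob")}
    print("same password, different hashes:",
          strong["alice"]["hash"] != strong["bob"]["hash"])
    print("salted PBKDF2, recovered by lookup:",
          recover_from_table({u: r["hash"] for u, r in strong.items()}, table))
    print("correct password verifies:", verify_password("123456", strong["alice"]))
```

At login, a record for which `needs_rehash` returns true can be replaced with a fresh `hash_password` result once the supplied password has verified.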

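Whatever function is used to store passwords, it remains ideal to use a different password for each service. If you use the same password for every service and just one of them is breached (probably because of poor password storage), the attacker will know all your other passwords too. After every successful data breach, attackers try the email and password combinations against other services as well, if only in the hope of getting lucky.

It goes without saying that using a strong password in the first place is essential. “123456” is, of course, far from a strong password and should never be used. If you cannot remember all your passwords once you change them, you can use a password manager. That way you can store your passwords on your smartphone and check them at any time. Of course, you need to make sure that nobody can access the password manager if the smartphone is lost, but that is a separate problem to consider.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.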

Social Media and Hacktivism: Two Ideas Made for Each Other?

In today’s connected world, many of us are members of at least one, if not more, social networking services. The influence and reach of social media enterprises, such as Facebook (more than 600M active users per month) and Twitter (more than 140M active users), is staggering and as communications tools they offer a global reach delivering almost instantaneous communications to huge multinational audiences. Social media is attractive for hacktivists because it is a forum for people on the Internet and where big discussions take place. Hijack a forum like this and you have an effective soapbox to get your message across. Hardly a day passes without news of another high profile breach by hacktivists and social media influencers are in the crosshairs. Are social media and hacktivism two ideas that are made for each other? Let’s explore some thoughts and ideas and you can make up your own mind.

Two sides of social media

The ability of social media to spread news quickly is powerful, and obviously, has great potential for positive use but, like many things in life, it also has potential to be abused. In the case of the recent tragic events in Boston, the tweets started almost immediately and helped keep people informed and also warned people away from the area. Many of the tweets came from “citizen journalists” who were actually on the ground as the events unfolded and were able to describe first-hand what they witnessed. Even in the aftermath of that event, social media played a major part in helping to track down the suspects behind the tragic event. Law enforcement issued a general plea for information and the public gladly did what they could by publishing information, pictures, and videos of the event on the public forums provided by social media sites. Law enforcement was able to use the available information to put the pieces together.

The downside of this highly visible means of public participation when looking for suspects in a highly charged situation such as this is that individuals may be wrongly accused. This is exactly what happened on certain social media sites where, notably, the Reddit service drew the most criticism. On the site, users took on the role not only of citizen journalist but of citizen investigator too. Users began to look at the details and photos posted on the site and pieced together their own (and, as it turned out, incorrect) conclusions on the matter. False information and allegations began to circulate and took on a life of their own.

Power of social media

The business of news is all about influencing people and social media provides a large audience to be influenced. Influence is such a fundamental concept in social media that there are even services which attempt to measure how much influence a user has in the social media space. Services such as Klout are designed to address how much influence a user has by using algorithms to measure a person’s “clout,” reflected by a number between 1 and 100, with a higher score indicating a higher level of influence.

The news industry has long recognized the power of social media, not only for influencing people but also for gathering information. Today, just about all news outlets have a social media presence to receive and broadcast news to interested audiences. Twitter is the default choice to quickly get information out there. The 140 character limit on tweets forces users to be succinct and focus on main points when communicating. Since many Twitter users use the service on their mobile device and people generally have their mobile device near them all day, information can quickly reach people and be shared again (retweeted) propagating throughout the service’s user population (“going viral”).

Indeed, services like Twitter reach mass audiences and in turn hold a strong level of influence. Then when trusted media brands enter the social media space, their power of influence and reach is further magnified. We have seen how big news stories often drive follow-up events. Major disasters or terrorist acts have an immediate impact on stock markets. For example, the stock market crashed immediately following the September 11 attacks in 2001—and that happened before the advent of modern day social media services. Recently it was reckoned that the next market crash will be tweeted and given the role social media now plays in society there is no reason to doubt that. What is to stop criminals from perpetrating “pump and dump” stock market fraud by spreading market-moving rumors in social media which cause wild movements in stock prices? This is particularly true as professional trading systems are now even designed to “read” news headlines and react to news autonomously.

Hacktivism and social media

Hacktivism is a modern-day evolution of traditional activism brought about by a confluence of technology, politics, and people power. While traditional activism still has its place, activist activity is increasingly being conducted online. There are likely a myriad of reasons why this is the case but one thing is for sure, activists have caught on to the powers of social media and the Internet as tools to further their cause. Many of them actively use Twitter to communicate and coordinate worldwide activities.

Ultimately, hacktivists aim to draw attention to their causes which, naturally, makes big influencers their biggest targets. With so much power and influence under the control of trusted brands’ social media accounts, it is not too difficult to see that hacktivists would try to compromise these accounts and leverage some of the influence for themselves. We have all heard of various celebrity, politician, and corporate social media accounts being hacked, bogus messages being sent, and much of it relatively harmless. But what if a highly influential account is hacked and a plausible but fake message about some disaster or terrorist attack is broadcast to a nation? The possibility for causing panic and disruption is clear. Unfortunately, this type of activity is set to become an increasingly common phenomenon.

While much of the hacktivists’ attention is focused on the perceived injustices of governments and big business, along with global issues, they also zone in on local issues.

How are attackers getting in?

In recent months, there has been an increase of hacktivism activity. This activity is largely focused on hacking into legitimate social media service accounts and defacing them or posting false messages. In general, these social media accounts are protected only by password based authentication. The only thing that stands between an attacker and your loyal base of social media followers is a short series of characters. While in some cases, passwords may be guessed due to a bad choice of passwords, there are other ways in which an attacker could get at the password and gain access. It has been proven that people are often the weakest link in many security systems, so it makes sense to exploit this weakness through social engineering. In recent attacks of this type, attackers gained access by sending phishing emails that, at their core, just asked the user for the login details, but disguised the request to make it look legitimate. For example, phishing emails may present users with a link and ask them to log in using the link to verify their account, but in reality their password is being stolen. Attacks of this type have been tried and tested, and found to be effective.

Another way in is to exploit weaknesses in the lost password feature. The feature is convenient not only for users but also for mischief makers. There is a plethora of implementations for handling lost user passwords. Some will just ask the user to specify an email address and will send a new password to it. Others will ask a security question, but oftentimes the security questions themselves are insecure, and ask where the user was born or where they went to school. This type of information can be obtained relatively easily on the Internet. Couple this with password reuse and users who do not change their passwords frequently and it is easy to see that there is an opportunity for attack here.

No silver bullet

The Internet and the social media services enabled by it are truly revolutionary, but many of them are built in such a way that enables anonymous and irresponsible messaging. For example, when a person signs up for a social media account, they are asked for personal details during the sign-up process, but how many people actually provide real names and contact details when signing up for these accounts? There may be legitimate reasons for providing false information, particularly in the light of all the data breaches into large and well known websites in recent times, but the ability to access these services without being traceable makes them ripe for abuse. It’s interesting to consider whether people would be as inclined to carry out malicious activities on the Web if they knew they could be easily traced and held accountable for their actions.

Given the potential influence behind the brands who own social media accounts, the question for legitimate account owners and social media service providers is: shouldn’t the protection of these accounts be of the highest priority? We are all waking up to the risks posed but unfortunately, there is no single silver bullet that can stop all misuse. Responsibility for account protection is a shared one. The social media industry could do more to help protect against misuse and unauthorized access, but at the same time, account owners could do more too.

Social media service provider’s role

Social media sites could ensure that if account login attempts fail repeatedly, further attempts are either delayed by temporary suspensions to slow down brute force attempts or have the account locked and notification sent to the owner. Some services even track the list of IP addresses used to access the service and will notify the owner if a new IP is used to access the service, which could indicate a possible breach of the account.

Social media service providers can help by implementing improved security around authentication and authorization, and more secure storage and handling of personal information. Many websites are increasingly turning to two factor authentication (2FA) to increase account login security. This is a welcome and necessary measure, but they could potentially do more. How about requiring two factor authorization before messages can be sent? This could help prevent unauthorized messages from being sent, even if the main account password was compromised.

Service providers could also introduce tiered accounts with different access levels; this would be particularly useful for business users on social media. Not everybody in a business needs to be able to send messages, so the ability to manage user access controls would be beneficial. HootSuite is an example of a service that offers granular user access controls for managing social media accounts and may be a helpful add-on service for business users. Subscriber and follower management is another feature area that could be explored. Google had an interesting idea with the concept of circles, which allows for selective sharing of information, and goes some way towards addressing this. When you boil it down, the problem is this: accounts in most social networking sites are designed around a person, who is unlikely to need or want different access control levels for their own account, and not a brand or a company. This situation makes the current mapping of requirements between a commercial or brand entity and a personal social media user account a somewhat uncomfortable fit.

User’s role

Users can help matters by being better educated against social engineering attacks, equipping themselves with good quality protection software, and practicing better security hygiene such as better choice and handling of passwords. For example, according to a recent report by Ofcom (UK communications industry regulator), over half of the adults in the UK use the same password across multiple websites. This statistic is very likely mirrored in other parts of the world and is not encouraging at all from a security standpoint. Users of social media would be well advised to beef up on their security awareness training because technology only represents a small part of the solution to this problem.

As some commentators say, it’s a bit of a wild west in the social media space right now. Freedom of speech and civil liberties are hugely important, but so is the responsibility that comes with them. Back to my original question: Are social media and hacktivism made for each other? Of course that is not true; both can exist quite happily without the other. Social media was not created to be a platform for hacktivism and it would be beneficial if hacktivism was not carried out through it. However, social media does amplify the power of hacktivism and because of that, it represents a highly effective and attractive avenue for hacktivists to carry out their activities.

?????????????????


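Contributor: Avhdoot Patil

In the world of phishing, soccer continues to be hugely popular. Various soccer-themed phishing attacks were observed in 2012 as well, but phishers already have their eyes firmly on the 2014 FIFA World Cup and are targeting famous players and soccer clubs. Scams aimed at fans of Lionel Messi and scams exploiting FC Barcelona are examples of this kind of phishing. Phishers know that by exploiting famous players with large followings, the number of targets is enormous and, as a result, the chances of harvesting personal information are greater. The trend continued in April 2013, with similar phishing techniques in wide use. The phishing sites in this case were hosted on a free web hosting site in France.

The phishing sites ask users to enter their Facebook login credentials. The pages are designed to feature Lionel Messi, FC Barcelona, or Cristiano Ronaldo prominently. The phishing pages carry their images, giving the impression of being one of the legitimate Facebook pages. Some fake sites were even titled “first social networking site in the world”. Users are asked to enter their Facebook login credentials in order to access the Facebook page. After the login credentials are entered, users are redirected to the legitimate community page of Lionel Messi, FC Barcelona, or Cristiano Ronaldo to make them believe the login was valid. Users who fall for this ploy and enter their login credentials have their personal information stolen and used for identity theft.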
 

Figure 1. Fake Facebook page featuring an image of Lionel Messi
 

Figure 2. Fake Facebook page featuring an image of FC Barcelona
 

Figure 3. Fake Facebook page featuring an image of Cristiano Ronaldo
 

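When using the Internet, we recommend taking every possible measure to protect against phishing attacks:

  • Do not click on suspicious links in email messages.
  • Do not provide personal information when replying to an email.
  • Do not enter personal information in a pop-up page or pop-up screen.
  • When entering personal or account information, check for the padlock icon, “https”, or a green address bar to confirm that the website is encrypted with SSL.
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams.
  • Do not carelessly click on links sent by email or posted on social networks, however enticing they are.
  • Report fake websites and emails (for Facebook, send phishing reports to phish@fb.com).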

 


URL ? .pw ??????????????


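Symantec has observed an increase in spam messages whose URLs contain .pw as the top-level domain (TLD). It was originally the country code top-level domain for Palau, but it is now available to anyone through Directi as a domain standing for “Professional Web”.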
 

Figure 1. Sharp rise in spam messages with the .pw TLD
 

Looking first at the past 90 days, .pw ranked 16th in the TLD distribution list.
 

Figure 2. TLD distribution list for the past 90 days
 

However, looking at the most recent 7 days, URLs containing .pw jumped to 4th place.
 

Figure 3. TLD distribution list for the past 7 days
 

Examining messages found in the Global Intelligence Network showed that the vast majority of spam messages containing .pw URLs are hit-and-run spam (also known as snowshoe spam).

The top 10 subject lines from .pw URL spam over the past 2 days were:

  • Subject: How to sell your Timeshare
  • Subject: Reusable K Cup for Keurig or single-brew coffee maker
  • Subject: Reusable single-brew coffee cup you can fill with your coffee blend.
  • Subject: Are your home possessions covered in case of a catastrophe?
  • Subject: Elmo’s Learning Adventure Gift Package
  • Subject: Make Learning Fun – With Elmo & the Sesame Street Gang!
  • Subject: Are your appliances and home systems covered?
  • Subject: Refinance Today, Save Tomorrow
  • Subject: Nothing is more EFFECTIVE for High Blood Pressure
  • Subject: Mortgage Rates

Figure 4. Example of a spam message containing .pw
 

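Symantec will continue to monitor this trend and to create filters to target these attacks. We also recommend that businesses and individual users follow the basic security measures (best practices) published in the Symantec Intelligence Report.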

 


?????????????????????? 18 ????? Twitter ????????

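On Tuesday, April 30, starting at 9:00 a.m. (Pacific Standard Time) (1:00 a.m. on Wednesday, May 1, Japan time), Symantec Security Response experts Kevin Haley and Paul Wood will hold a Twitter chat (hashtag #ISTR). The topic is the key trends highlighted in the latest Internet Security Threat Report, Volume 18 (in English). Please join us.

This Internet Security Threat Report covers the main threat trends Symantec observed in 2012. It shows that cyberespionage attempting to access personal information and important intellectual property has increased markedly, and how the methods behind these information theft crimes are changing. The category in which targeted attacks grew the most in 2012 was businesses with fewer than 250 employees, which accounted for 31 percent of all targeted attacks. That is three times the 2011 figure.

Add the #ISTR Twitter chat to your calendar now and join the discussion on the latest methods and attack vectors that cybercriminals use to go after corporate intellectual property.

Topic: Internet Security Threat Report, Volume 18 – What the Data Tells Us

Date: Tuesday, April 30, 2013 (May 1, Japan time)

Time: From 9:00 a.m. (Pacific Standard Time) (1:00 a.m. Japan time)

Duration: 1 hour

Where: Twitter.com. Follow the hashtag #ISTR.

Experts taking part in the chat:

  • Kevin Haley, Director, Symantec Security Response (@kphaley)
  • Paul Wood, Manager, Cyber Security Intelligence (@paulowoody)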

 
