Threats from Message Threads: A Cautionary Tale of IT Security

Introduction

Despite nearly continuous warnings to users and administrators, viruses and other malware infect corporate server and client computer systems daily. And while savvy business decision-makers face and fight such threats constantly, the threats themselves continue to evolve, becoming more difficult to identify and combat successfully. A “real-life” example discovered recently at Focus offers both warnings and suggestions for better defense against such threats.

Examination

Consider the following e-mail message thread, which made its way through Focus recently. (Focus previously did business as Tippit.) Please do NOT click on ANY of the links in the e-mail thread, for reasons that will become abundantly clear.

 

[Message thread begins.]

-----Original Message-----

From: Andrew Mosson

Sent: Tuesday, May 04, 2010 10:01 AM

To: Chris Nordman

Cc: Scott Albro

Subject: Fw: Adobe Security Update

Chris,

Just received this important information about a security vulnerability that requires our immediate attention.

Kindly follow the instructions in the email as forwarded as soon as possible.

Regards,

Andrew Mosson

CTO

--- On Fri, 04/30/2010, Scott Albro wrote: ---

From: Scott Albro

To: Andrew Mosson

Subject: Fw: Adobe Security Update

Date: Friday, April 30, 2010, 3:13 PM

Andrew,

Our systems are at risk. Forward the information below to the people we talked about.

All systems will independently be checked, so make sure the instructions are followed as specified to avoid any problems.

A step by step [sic] instruction manual, sent by Adobe Risk Management, is included below.

Scott

--- On Fri, 4/30/10, James Kitchin wrote: ---

From: James Kitchin

To: Scott Albro

Subject: Adobe Security Update

Date: Friday, April 30, 2010, 11:24 AM

Broadcast message:

Adobe has issued a directive which states that all systems running their software should be patched for the latest security glitch.

The CVE-2010-0193 Denial of Service Vulnerability has recently been discovered on several systems running the previously released version of the software, which has been further documented on security sites such as http://www.securityfocus.com/bid/39524.

It is strongly advised that all systems running the Adobe software is updated with the latest security patch to avoid further situations hampering the security and integrity of the system. Failure to follow the directive would mean that any loss which occurs due to the negligence will be a liability of the company and not Adobe. The link to update the system with the latest patch and instructions are provided below:

Download the instructions here: http://64.218.40.74/adobe/update.pdf

To start the update process and download the installation file, click here: http://64.218.40.74/adobe/adbp932b.exe

(READ FIRST THE INSTRUCTIONS BEFORE UPDATING THE SYSTEM)

James Kitchin

Adobe Risk Management

345 Park Avenue

San Jose, CA 95110-2704

Tel: 408-537-6000

 

---

Disclaimer:

This e-mail message and information contained in or attached to this message is privileged, confidential, and protected from disclosure and is intended only for the person or entity to which it is addressed. Any review, re-transmission, dissemination, printing or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.

[Message thread ends.]

 

Nothing remarkable about the above thread – until and unless you realize that neither Andrew Mosson nor Scott Albro of Focus/Tippit ever sent any of these messages, and that “James Kitchin” of Adobe does not appear to exist. (The phone number listed for “Adobe Risk Management” is actually the fax number at Adobe Systems’ headquarters, which are in fact at 345 Park Avenue in San Jose, CA.)

The core of the message thread is an attempt to get the recipients of the e-mails to click on the links to the supposed instructions and the alleged software patch. Either or both links, however, are likely to initiate the download of a virus or other malware. (The IP address in the link to the alleged “installation file” belongs to a company called “Maass Flange Corp.” in Houston, TX, “a fully integrated, forging and machining manufacturer of domestic and import stainless and alloy flanges,” according to that legitimate company’s Web site.)

The bottom line: someone apparently used sophisticated tools to figure out our corporation's organizational structure. That someone then figured out how to identify and “clone” legitimate Focus/Tippit user names and e-mail addresses, then to craft the above attempts at “social engineering.” The miscreant in question also appears to have used “bot” software to hijack a legitimate server, or at least its IP address, to deliver malware to unsuspecting victims of his or her social engineering attempts. And if they could do it to our company, they can do it to yours too.

Recommendations

Trust, but verify. Make sure every e-mail you receive passes at least a cursory “sniff test” before you open it. Are you sure it’s from the person or company you think it’s from? Does it seem like other e-mails from that person or company?

Pay attention. When reading e-mails or other documents that contain hyperlinks, check the addresses of those links. In the real-life example above, if the alleged instructions or patch actually came from Adobe Systems, their Web addresses would be more likely to begin with http://www.adobe.com than with the numerical IP addresses shown. Similarly, recent e-mails that actually came from Focus employees would end in “focus.com,” not the older “tippit.com” domain name.

Defend yourself and your colleagues. Implement policies, processes and tools that ask users if they’re sure they want to download that executable “.exe” file. Ensure that anti-malware solutions include the ability to quarantine suspicious or proven infected files before they can wreak havoc. Inform everyone immediately when new threats or attempted intrusions are discovered.
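The two recommendations above (check the link addresses, and flag executable downloads) can be turned into a simple automated “sniff test.” The following Python script is an added example written for this article, not a tool from Focus or Adobe. It scans an e-mail body for links and reports the warning signs discussed here: a link host that is a bare IP address rather than a vendor domain, a link that downloads an executable, a vendor name used in the URL path while the host is not that vendor’s domain, and a sender whose domain is not the company’s current one. The sample message is constructed from the thread quoted above; the From: address in it is invented, while the three links are the ones that appeared in the real message.

```python
"""Link and sender sanity checks for an e-mail body (added example, not the page's own tool)."""
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"()]+")
# File types that should never arrive as a "click here to update" link.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs")

# Constructed sample modelled on the thread in the article. The From: address is
# invented (user@tippit.com); the links are those quoted in the article. Do not visit them.
SAMPLE_MESSAGE = """\
From: Andrew Mosson <user@tippit.com>
Subject: Fw: Adobe Security Update

Adobe has issued a directive ... documented at http://www.securityfocus.com/bid/39524.
Download the instructions here: http://64.218.40.74/adobe/update.pdf
To start the update process, click here: http://64.218.40.74/adobe/adbp932b.exe
"""


def extract_urls(text):
    """Return every http(s) URL in the text, with trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;:!?") for m in URL_RE.finditer(text)]


def host_is_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_under(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def check_url(url, vendor_domains):
    """Return a list of reasons this single link looks suspicious (empty if none)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host_is_ip(host):
        findings.append("host is a bare IP address, not a vendor domain")
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("link downloads an executable")
    # A brand name in the path ("/adobe/") on a host that is not the brand's domain
    # is the classic look-alike trick; a link with no brand name is left alone.
    tail = (parsed.path + "?" + parsed.query).lower()
    for name, domain in vendor_domains.items():
        if name in tail and not host_under(host, domain):
            findings.append(f"path mentions {name} but host {host} is not under {domain}")
    return findings


def sender_domain(message):
    """Extract the domain of the first From: header line, or None if absent."""
    m = re.search(r"^From:\s*(.+)$", message, re.MULTILINE)
    if not m:
        return None
    _, addr = parseaddr(m.group(1))
    return addr.rpartition("@")[2].lower() or None


def analyze_message(message, expected_sender_domain, vendor_domains):
    """Return (subject, reason) findings for the sender and every link in the message."""
    findings = []
    sdom = sender_domain(message)
    if sdom and not host_under(sdom, expected_sender_domain):
        findings.append(("sender", f"sender domain {sdom} is not {expected_sender_domain}"))
    for url in extract_urls(message):
        for reason in check_url(url, vendor_domains):
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for subject, reason in analyze_message(SAMPLE_MESSAGE, "focus.com", {"adobe": "adobe.com"}):
        print(f"{subject}: {reason}")
```

Run against the constructed sample, the script reports nothing for the SecurityFocus reference link but flags both numerical-address links (the .exe link three times over) and the out-of-date sender domain; wiring the same checks into a mail gateway or a user-facing warning is where the “are you sure you want to download this .exe?” policy above would live.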

Be eternally vigilant. To paraphrase advice given by Focus Expert Anton Chuvakin during a recent Focus Webinar, if you assume your company is not threatened by hackers or malware, your company’s probably already been breached. Your organization need not possess or store sensitive information to be of interest to hackers and other “bad guys.” All you need is to have computers they can enslave without your knowledge and use to propagate malware to others.

If your company’s computers are targeted and successfully breached by hackers, a sufficiently disruptive operational outage could cripple or kill your business. Strive to balance agility and responsiveness with security constantly and consistently across your organization. As Intel Corp. co-founder and long-time leader Andy Grove famously said, “Only the paranoid survive.”
