Plug-ins should check for updates

Posted by Maxim Weinstein Fri, 06 Jun 2008 16:58:27 GMT

Jon Kibler, a security guru, posted an e-mail to the DShield mailing list. He did such a good job making an important point that I requested his permission to repost part of his e-mail. He graciously agreed.

The Adobe Flash Player issue brings up what I consider a critical question.

Few (IMHO, very few) web browser plug-ins let you know when there are updates available. After playing around with Safari and Firefox, the only out-of-date plugins that I experimented with that told me they were out of date were the Acrobat Reader and QuickTime plugins. Even more scary—and I believe a fundamental problem with web plugin design—they did not provide an offer to update to a newer version until AFTER they had executed (potentially malicious) content.

Note that third-party products exist to help scan a computer for outdated software. StopBadware.org does not endorse particular products, but our friends over at Consumer Reports WebWatch do, and they mentioned such a product on their blog just the other day.


Scammers Aiming Straight for the Money

Posted by Laureli Mallek Wed, 04 Jun 2008 15:50:48 GMT

Targeted spear-phishing campaigns are using money as the lure. Brian Krebs blogged this week about a two-part spear-phishing attack targeting small and medium-sized businesses. The attack is built to circumvent the two-factor authentication banks use to protect online account access.

The scam begins with an email containing specific information about the user, their business, and the bank. This email requests that users click to view or download an attached object, which installs a keylogger, according to iDefense, and a browser helper object enabling attackers to modify webpages in real time. When a user with an infected computer attempts to log into their bank account, Krebs writes that a “message is inserted into the body of the bank’s actual Web page.” The interstitial message appears to originate from the bank since it is displayed within the body of the bank’s website, and requests that the user wait 15-30 minutes before logging on. The attackers use this time, after they have intercepted the user’s authentication information, to empty the associated bank accounts.

Quoting Matt Richard, of iDefense, “If a bad guy has malicious code on a customer’s machine, no matter what you do, he’s going to have some way to get in to the customer’s account. The best you’ll be able to do is try to stop the money transfers.”

As something of a coup de grâce, Krebs writes “Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate with the ‘VeriSign Trust Network’ name.” Once a rogue root CA is in the victim’s trust store, the attacker can mint certificates for any domain, the bank’s included, that the browser will accept without a warning, so later interception of the “secure” banking session shows no certificate error; the same trust also covers anything else signed under that root. Sunbelt has also written about fake banking certificates on its blog.

In a similar attack noted by McAfee’s Avert Labs last month, a number of spear-phishing e-mails have been playing on a ubiquitous fear: the Tax Court. So many of these e-mails spoofing petition requests have been received that the US Tax Court website carries a clear warning that “[t]he Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Kevin McGhee writes, “The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.”


Phishers Embed Forms as Hooks

Posted by Laureli Mallek Fri, 30 May 2008 19:06:16 GMT

Alex Eckelberry at Sunbelt noted a nifty phishing development: embedded forms. Instead of linking to a fake login page, the e-mail itself carries a form spoofing a reputable source (think PayPal or a large bank) whose submit button posts whatever the victim types straight to the phisher. Given other advances in phishing, such as correlating the names, positions, and e-mail addresses of senior corporate targets, these messages may become very convincing.

There is some irony in the content of this phishing message, which warns users that their accounts may have been hijacked by a third party; aside from the tense, the sentence is honest. Eckelberry writes: “This makes things easier: No phishing site to have to maintain. No browser-based phishing filters to worry about.” Browser phishing filters work by checking the URL of the page being visited against a blocklist; with no phishing page to visit, there is nothing for them to check. And it is a bit more of a pain for users.

Remember to be skeptical whenever a “service provider” diverges from its normal protocol. Checking with the provider directly, by typing its address into the browser yourself or calling a number you already have rather than clicking links or filling in forms contained in the e-mail, can help you avoid phishing pitfalls.
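A mail gateway can catch the embedded-form trick on its own terms: a message that carries a `<form>` posting to a host the sender does not control, or that collects a password inline, is suspicious regardless of any URL blocklist. The following is an added example, not code from the original post or from Sunbelt; the sender addresses, the HTML bodies and the address 203.0.113.10 (a documentation range) are constructed, and the sender-domain match is a deliberate simplification that does not consult a public-suffix list.

```javascript
// Added example, not code from the original post or from Sunbelt.
// Gateway-side check for "embedded form" phishing: an HTML message that
// carries its own <form> posting credentials to a host the sender does not
// control. Sender addresses and bodies below are constructed samples.

// Pull every <form> out of a raw HTML body. Phishing mail is rarely valid
// HTML, so a tolerant regex beats a strict parser here and keeps this
// dependency-free.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const action = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    forms.push({
      action: action ? (action[1] ?? action[2] ?? action[3]) : null,
      hasPasswordField: /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(body),
      sensitiveNames: [...body.matchAll(/\bname\s*=\s*["']?([^"'\s>]+)/gi)]
        .map(x => x[1])
        .filter(n => /pass|pin|ssn|card|cvv|acct|account/i.test(n)),
    });
  }
  return forms;
}

// Hostname of an absolute URL, or null when the action is missing, relative
// or unparseable (a form inside an e-mail has no base URL to resolve against).
function hostOf(url) {
  if (!url) return null;
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Suffix match: does host live under the sender's domain? Simplification:
// no public-suffix list, so the part after '@' is taken as the organisation.
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns {verdict, reasons}; verdict is 'clean', 'flag' or 'block'.
function assessEmail({ from, html }) {
  const senderDomain = from.slice(from.lastIndexOf('@') + 1).toLowerCase();
  const reasons = [];
  let score = 0;
  for (const f of extractForms(html)) {
    const host = hostOf(f.action);
    if (host === null) {
      reasons.push(`form with missing or relative action "${f.action}"`);
      score += 1;
    } else if (!underDomain(host, senderDomain)) {
      reasons.push(`form posts to ${host}, not to ${senderDomain}`);
      score += 1;
    }
    if (f.hasPasswordField || f.sensitiveNames.length > 0) {
      reasons.push(`form collects secrets (password field: ${f.hasPasswordField}; ` +
                   `fields: ${f.sensitiveNames.join(',') || '-'})`);
      score += 1;
    }
  }
  const verdict = score >= 2 ? 'block' : score === 1 ? 'flag' : 'clean';
  return { verdict, reasons };
}

// Constructed samples, not real messages. 203.0.113.10 is a documentation address.
const PHISH = {
  from: 'alerts@bank.example',
  html: `<p>Your account may have been accessed by a third party. Verify below.</p>
<form method="post" action="http://203.0.113.10/cgi-bin/verify.php">
  Username <input type="text" name="user">
  Password <input type=password name="pass">
  <input type="submit" value="Verify now">
</form>`,
};
const NEWSLETTER = {
  from: 'news@bank.example',
  html: `<p>Search our help centre:</p>
<form method="get" action="https://help.bank.example/search">
  <input type="text" name="q"><input type="submit" value="Go">
</form>`,
};

for (const msg of [PHISH, NEWSLETTER]) {
  const r = assessEmail(msg);
  console.log(`${msg.from}: ${r.verdict}`, r.reasons);
}
```

A form that posts to the sender’s own domain but still asks for a password scores one point and is flagged rather than blocked: even a genuine provider should not be collecting credentials inside e-mail, which is exactly the habit the advice above asks readers to distrust.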


Comcast Falls Prey To Tricksters

Posted by Maxim Weinstein Fri, 30 May 2008 14:39:29 GMT

Yesterday evening, I was wondering why an e-mail of mine to a friend using Comcast’s e-mail bounced. Then I saw a message on a listserv I use asking if anyone else had experienced difficulty sending e-mail to Comcast addresses. Thirty seconds and one Google search later, I discovered why. Slashdot explains:

Fallen Andy notes that Comcast, one of the largest US ISPs, lost control of its domain name to what appeared to be juvenile social engineers of the old school — i.e. not in it for the money. The intruders got into Comcast’s registrar account at Network Solutions and repointed the domain’s DNS records. A blog entry at SANS points out how trivially easy this can be. Reader ElvenKnight points out an insightful interview up at Wired with the two young guys who perpetrated the hack.

While I’m sure Comcast and its customers are none too happy about this incident, it’s probably a positive for them in the sense that the hackers were tricksters, not serious criminals. Using the same technique, a criminal organization could have delivered malware or collected usernames and passwords (or potentially bank/credit card account information). Hopefully, Comcast, the domain registrars, and other companies will learn from this example and will tighten up their security processes and controls to reduce the risk of more dangerous abuses in the future.


A Flash in the Pan

Posted by Maxim Weinstein Wed, 28 May 2008 12:45:29 GMT

It appears that someone used a SQL injection attack to plant malicious code in the pages of some 20,000 websites, which then served a drive-by download exploiting an unpatched hole in Adobe Flash Player to visitors. The target? “It turns out that the whole attack just steals World of Warcraft passwords...”

Even if you’re not a World of Warcraft player, you may still want to protect yourself from the download. Since the Flash vulnerability is not yet patched, this will require some combination of heeding warnings about dangerous sites and keeping your security software up to date. Or, if you want full protection with a corresponding loss of functionality, you can always uninstall Flash Player or use a browser plug-in that blocks Flash objects.
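Both this post and “Plug-ins should check for updates” above come down to the same control: know which build of the plug-in is installed, and decide before any Flash object is loaded, not after it has run. Below is an added example, not code from either post or from Adobe, of a version gate in JavaScript. The two input formats are the real ones Flash Player exposes (`navigator.plugins['Shockwave Flash'].description` reads like “Shockwave Flash 9.0 r124”; `GetVariable("$version")` on the player object returns “WIN 9,0,124,0”), but the minimum build, the sample strings and the `showUpdateWarning` call in the comment are assumptions for the example, not a statement about which build fixes which bug.

```javascript
// Added example, not code from the original posts or from Adobe.
// Version gate for Flash Player: parse the strings the player exposes and
// refuse to instantiate any Flash object until the installed build is at or
// above a required floor, i.e. check BEFORE content runs, not after.
//
// Real formats: navigator.plugins['Shockwave Flash'].description reads
// "Shockwave Flash 9.0 r124"; GetVariable("$version") on the player object
// returns "WIN 9,0,124,0" (MAC/LNX on other platforms). The floor used below
// is an assumption for the example, not a claim about which build fixes what.

// Returns {platform, version: [major, minor, build, patch]} or null.
function parseFlashVersion(s) {
  if (typeof s !== 'string') return null;
  const text = s.trim();
  // "$version" form, e.g. "WIN 9,0,124,0"
  let m = /^([A-Z]+)\s+(\d+),(\d+),(\d+),(\d+)$/.exec(text);
  if (m) return { platform: m[1], version: m.slice(2, 6).map(Number) };
  // plug-in description form, e.g. "Shockwave Flash 9.0 r124" (no 4th component)
  m = /^Shockwave Flash\s+(\d+)\.(\d+)\s+r(\d+)/i.exec(text);
  if (m) return { platform: null, version: [Number(m[1]), Number(m[2]), Number(m[3]), 0] };
  return null;
}

// Component-wise numeric comparison (-1, 0, 1). Plain string comparison would
// rank "9.0.28" above "9.0.124", which is exactly the mistake to avoid.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Fail closed: a player that cannot be identified is treated as outdated.
function flashIsCurrent(reported, minimum) {
  const parsed = parseFlashVersion(reported);
  if (!parsed) return { ok: false, reason: `unrecognised version string "${reported}"` };
  const ok = compareVersions(parsed.version, minimum) >= 0;
  return {
    ok,
    reason: ok
      ? `installed ${parsed.version.join('.')} meets floor ${minimum.join('.')}`
      : `installed ${parsed.version.join('.')} is below floor ${minimum.join('.')}`,
  };
}

// Page-side use (browser only; shown as a comment because this file runs under
// Node). showUpdateWarning is a hypothetical function of the hosting page.
//   const p = navigator.plugins && navigator.plugins['Shockwave Flash'];
//   if (!flashIsCurrent(p && p.description, MINIMUM).ok) { showUpdateWarning(); }
//   else { /* only now write the <object>/<embed> tag into the page */ }

const MINIMUM = [9, 0, 124, 0]; // assumed floor for this example

// Constructed inputs exercising both formats, an old build, and junk.
const SAMPLES = ['WIN 9,0,124,0', 'Shockwave Flash 9.0 r115', 'MAC 9,0,28,0',
                 'Shockwave Flash 10.0 r12', 'LNX 9,0,124,1', 'not a player'];
for (const s of SAMPLES) {
  const r = flashIsCurrent(s, MINIMUM);
  console.log(`${s.padEnd(26)} -> ${r.ok ? 'OK      ' : 'OUTDATED'} ${r.reason}`);
}
```

Two details carry the security weight: the comparison is numeric per component, so “r28” is correctly ranked below “r124”, and an unparseable or missing version fails closed, which is what a site or a self-check should do when a plug-in will not identify itself.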
