Fake PayPal Emails Distributing Malware

Every day there is a new threat: seemingly innocent emails are sent out that look very close to official correspondence from a company, purporting to come from PayPal, ADP and the BBB, to name a few.

Cybercriminals are mimicking the online payment processor PayPal in a malicious spam campaign that attempts to dupe customers into downloading malware from links in seemingly authentic emails, according to a Webroot report written by Dancho Danchev.

The piece of malware in use here is a backdoor that, once downloaded, can be used by an attacker to take complete control of the infected host machine. Danchev writes that some 90 percent of antivirus scanners are detecting the download as ‘backdoor.win32.androm.fm.’

The email that Danchev analyzed can be seen below.

This isn’t the first time PayPal users have been targeted in malicious campaigns. In fact, customers of the payment processor have been a popular target among phishers for years now. For its part, PayPal has done what it can. They implemented a bug bounty program earlier this year and at least try to educate customers about the dangers of social engineering. However, the reality is that it is almost impossible to prevent criminals from imitating their service, so this problem is not likely to go away any time soon.

Top 10 PHP Security Vulnerabilities

Security is not a list of things you do. Security is a way of thinking, a way of looking at things, a way of dealing with the world that says “I don’t know how they’ll do it, but I know they’re going to try to screw me” and then, rather than dissolving into an existential funk, being proactive to prevent the problem.

But, you can’t buck statistics. Nobody is going to read an article entitled “Coding for Security.” Everyone wants an article with a number in it: “The 8 Most Common PHP Security Attacks and How to Avoid Them”, “23 Things Not to Say to a Super Model”, and “15 Reasons to Avoid Radiation Poisoning.” So, here goes, the “Top 10 PHP Security Vulnerabilities.”

SQL Injection

Number one on the hit list is the SQL injection attack. In this case, someone enters an SQL fragment (the classic example is a drop database statement, although there are many possibilities that don’t include deletions which could be just as destructive) as a value in your URL or web form. Never mind now how he knows what your table names are; that’s another problem entirely. You are dealing with an insidious and resourceful foe.

So, what can you do to avoid this? First and foremost you need to be suspicious of any input you accept from a user. Believe everyone is nice? Just look at your spouse’s family… they’re weird and freaky, some dangerously so.

The way to prevent this sort of thing is to use PDO Prepared Statements. I don’t want to go through a full discussion of PDO now. Suffice to say prepared statements separate the data from the instructions. In doing so, it prevents data from being treated as anything other than data. For more info, you might want to check out this PHPMaster article.
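The following is an added example, not code from the original article, showing the same lookup written as string concatenation and as a PDO prepared statement. It assumes a `users` table with a `username` column and uses an in-memory SQLite database (the pdo_sqlite extension) so it runs without a database server; the sample rows and the attacker-style input are constructed.

```php
<?php
// Added example (not from the original article): the same user lookup written
// two ways. Table and column names (users, username, email) are assumptions.
declare(strict_types=1);

// Throwaway in-memory SQLite database with constructed sample rows, so the
// example runs offline without a MySQL server.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES
            ('alice', 'alice@example.com'),
            ('bob',   'bob@example.com')");

// VULNERABLE: the request value is spliced into the SQL text, so the data
// becomes part of the instructions the database executes.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the SQL and the value separately. The value
// can only ever be compared against the column; it is never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input of the kind the article describes: a quote that closes the
// string literal, followed by a condition that is always true.
$input = "' OR '1'='1";

// The unsafe query matches every row; the prepared one matches none, because
// no user is literally named "' OR '1'='1".
echo 'unsafe: ', count(findUserUnsafe($pdo, $input)), " row(s)\n";
echo 'safe:   ', count(findUserSafe($pdo, $input)), " row(s)\n";
```

The only difference between the two functions is that the value travels as a bound parameter rather than as part of the SQL string; that single change is what prevents the data from being treated as anything other than data.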

XSS (Cross Site Scripting)

Curse the black hearts who thrive on this type of deception. Parents, talk to your children today lest they become evil XSS’ers!

The essence of any XSS attack is the injection of code (usually JavaScript code but it can be any client-side code) into the output of your PHP script. This attack is possible when you display input that was sent to you, such as you would do with a forum posting for example. The attacker may post JavaScript code in his message that does unspeakable things to your site. Please don’t make me go into detail; my heart weeps at what these brigands are capable of.
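As an added example, not code from the original article, here is a forum-style snippet that echoes a posted message first without and then with output encoding. The function and variable names are assumptions; the attacker-style post is constructed.

```php
<?php
// Added example (not from the original article): rendering stored user input
// into HTML. Function names and the sample post are assumptions.
declare(strict_types=1);

// Constructed forum post of the kind the article describes: markup smuggled
// into what should be plain text.
$message = '<script>alert("xss")</script> Nice site!';

// VULNERABLE: the stored input is written straight into the page, so the
// browser parses the <script> tag and runs it for every reader of the thread.
function renderUnsafe(string $message): string
{
    return "<div class=\"post\">$message</div>";
}

// SAFE: encode for the context you are writing into. In an HTML text node the
// characters & < > " ' become entities, so the browser displays the text but
// never treats it as markup. ENT_QUOTES covers both quote styles and the
// explicit UTF-8 argument avoids charset-based surprises.
function renderSafe(string $message): string
{
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"post\">$encoded</div>";
}

// Attribute values need the same encoding AND must be quoted; an unquoted
// attribute ends at the first space, which lets input add new attributes.
function renderAttrSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type=\"text\" name=\"title\" value=\"$encoded\">";
}

echo renderUnsafe($message), "\n";
echo renderSafe($message), "\n";
echo renderAttrSafe('" onfocus="alert(1)'), "\n";
```

Encoding happens at output time, for the specific context (text node, attribute, JavaScript, URL) the value is placed in; encoding once on input and hoping it fits every context later is what usually goes wrong.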

For more information and how to protect yourself, I suggest reading these fine articles on PHPMaster:

Source Code Revelation

This one has to do with people being able to see the names and content of files they shouldn’t in the event of a breakdown in Apache’s configuration. Yeah, I dig it, this is unlikely to happen, but it could and it’s fairly easy to protect yourself, so why not?

We all know that PHP is server side – you can’t just do a view source to see a script’s code. But if something happens to Apache and all of a sudden your scripts are served as plain text, people see source code they were never meant to see. Some of that code might list accessible configuration files or have sensitive information like database credentials.

The solution centers around how you set up the directory structure for your application. That is, it isn’t so much a problem that bad people can see some code, it’s what code they can see if sensitive files are kept in a public directory. Keep important files out of the publicly-accessible directory to avoid the consequences of this blunder.

For more information on this, including a sample of what your directory structure might look like, see point 5 in this article. For additional discussion on this topic, see this forum discussion.

Remote File Inclusion

Hang on while I try to explain this: remote file inclusion is when remote files get included in your application. Pretty deep, eh? But why is this a problem? Because the remote file is untrusted. It could have been maliciously modified to contain code you don’t want running in your application.

Suppose you have a situation where your site at www.myplace.com includes the library www.goodpeople.com/script.php. One night, www.goodpeople.com is compromised and the contents of the file are replaced with evil code that will trash your application. Then someone visits your site, you pull in the updated code, and Bam! So how do you stop it?

Fortunately, fixing this is relatively simple. All you have to do is go to your php.ini and check the settings on these flags.

  • allow_url_fopen – indicates whether external files can be included. The default is to set this to ‘on’ but you want to turn this off.
  • allow_url_include – indicates whether the include(), require(), include_once(), and require_once() functions can reference remote files. The default sets this off, and setting allow_url_fopen off forces this off too.

Session Hijacking

Session hijacking is when a ne’er-do-well steals and uses someone else’s session ID, which is something like a key to a safe deposit box. When a session is set up between a client and a web server, PHP will store the session ID in a cookie on the client side, probably called PHPSESSID. Sending the ID with the page request gives you access to the session info persisted on the server (which populates the superglobal $_SESSION array).

If someone steals a session key, is that bad? And the answer is: if you aren’t doing anything important in that session then the answer is no. But if you are using that session to authenticate a user, then it would allow some vile person to sign on and get into things. This is particularly bad if the user is important and has a lot of authority.

So how do people steal these session IDs and what can decent, God-fearing folk like us do about it?

Session IDs are commonly stolen via an XSS attack, so preventing those is a good thing that yields double benefits. It’s also important to change the session ID as often as is practical. This reduces your theft window. From within PHP you can run the session_regenerate_id() function to change the session ID and notify the client.

For those using PHP 5.2 and above (you are, aren’t you?), there is a php.ini setting that will prevent JavaScript from being given access to the session ID (session.cookie_httponly). Or, you can use the function session_set_cookie_params().

Session IDs can also be vulnerable server-side if you’re using shared hosting services which store session information in globally accessible directories, like /tmp. You can block the problem simply by storing your session ID in a spot that only your scripts can access, either on disk or in a database.
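The following is an added example, not code from the original article, that puts the three defences from this section into one session bootstrap: a private save path instead of the shared /tmp, an HttpOnly session cookie, and regular regeneration of the ID. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() (older releases take positional arguments), and the directory path, rotation interval and login function are assumptions.

```php
<?php
// Added example (not from the original article): session set-up applying the
// article's three defences. Paths, the 15-minute interval and loginUser() are
// assumptions, not part of any framework.
declare(strict_types=1);

// 1. Keep session files out of the shared /tmp. This directory sits outside
//    the web root and is readable only by the application's own user.
$sessionDir = __DIR__ . '/../private/sessions';   // assumed location
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
ini_set('session.save_path', $sessionDir);

// 2. Cookie and ID handling. HttpOnly keeps document.cookie from reading
//    PHPSESSID (the same effect as session.cookie_httponly in php.ini), Secure
//    restricts the cookie to HTTPS, SameSite=Lax blunts cross-site requests.
//    Strict mode refuses IDs the server never issued, and use_only_cookies
//    stops the ID being accepted from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, gone when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 3. Change the ID whenever privilege changes (login) and periodically, so a
//    stolen ID stops working shortly after it is taken. Passing true deletes
//    the old session file so the stolen ID no longer maps to anything.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

function rotateIfStale(int $maxAgeSeconds = 900): void
{
    $last = $_SESSION['rotated_at'] ?? 0;
    if (time() - $last > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

rotateIfStale();
```

All of the ini_set() and session_set_cookie_params() calls must run before session_start(); once the session has started, changes to the cookie parameters no longer apply to the cookie already sent.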

Cross Site Request Forgery

Cross Site Request Forgery (CSRF), also known as the Brett Maverick, or Shawn Spencer, Gambit, involves tricking a rather unwitting user into issuing a request that is, shall we say, not in his best interest. But rather than me going on and on about CSRF attacks, refer to an outstanding example of just what kind of content we have here on PHPMaster: Preventing Cross-Site Request Forgeries by Martin Psinas.

Directory Traversal

This attack, like so many of the others, looks for a site where the security is not all that it should be, and when it finds one, it causes files to be accessed that the owner did not plan to make publicly accessible. It’s also known as the ../ (dot, dot, slash) attack, the climbing attack, and the backtracking attack.

There are a few ways to protect against this attack. The first is to wish really, really hard that it won’t happen to you. Sometimes wishing on fairies and unicorns will help. Sometimes it doesn’t. The second is to define what pages can be returned for a given request using whitelisting. Another option is to convert file paths to absolute paths and make sure they’re referencing files in allowed directories.
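As an added example, not code from the original article, the loader below serves both the Remote File Inclusion section and this one: it refuses anything shaped like a URL, checks the requested page against a whitelist, and then converts the path to an absolute one and confirms it still sits inside the allowed directory. The directory layout, page names and sample requests are assumptions.

```php
<?php
// Added example (not from the original article): a page loader covering both
// remote file inclusion and directory traversal. PAGE_DIR, the page names and
// the sample requests are assumptions.
declare(strict_types=1);

// Pages live in a directory that holds nothing else.
define('PAGE_DIR', __DIR__ . '/pages');

// Whitelist: the only names a request may select. Anything else is refused
// before the filesystem is even consulted.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolvePage(string $requested): ?string
{
    // Reject URLs outright. Even with allow_url_include=Off, a page name has
    // no business looking like one.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // Second line of defence: canonicalise both paths and confirm the target
    // is inside PAGE_DIR, so ../ sequences or stray symlinks cannot escape it.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Confirms the php.ini flag the RFI section discusses is actually off.
function remoteIncludeDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed requests of the kinds the two sections describe.
$requests = [
    'home',                                   // allowed
    '../../etc/passwd',                       // traversal
    'http://www.goodpeople.com/script.php',   // remote inclusion
    'about/../../config',                     // traversal hidden behind a valid prefix
];
foreach ($requests as $r) {
    $resolved = resolvePage($r);
    printf("%-40s => %s\n", $r, $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
}
printf("allow_url_include is %s\n", remoteIncludeDisabled() ? 'off' : 'ON (fix php.ini)');
```

In real use the selected path is passed to include, for example `include resolvePage($_GET['page'] ?? 'home');` after a null check. The whitelist alone already rejects every bad request above; the realpath comparison is there for the day someone extends the whitelist with a value that is not a plain name.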


Those are the top 10 issues that, if you aren’t careful to avoid, can allow your PHP application to be breached. Yep, 10. Count them… 1, 2, 3… What? You only counted 8? Okay, maybe 7. Well then that shows you just how easily you can be fooled, and I’m not even one of the bad guys!


By: David Shirey

Dealing with Phishing Messages

According to the article in Dark Reading, Study: Phishing Messages Elude Filters, Frequently Hit Untrained Users, many people are still being tripped up by phishing emails.

The article summarizes the findings of a survey that was conducted at the Black Hat USA security conference held in July 2012. Of the 250 conference attendees that were polled, 69% said that phishing messages get past spam filters and into users’ inboxes on a weekly basis. Over 25% indicated that top executives and other highly privileged employees have been successful targets of phishing attacks.

Many phishing messages aren’t difficult to spot, but if you don’t know what you are looking for you can easily get hooked.

Filtering Software Can Help, But…

Stated simply, phishing messages are fraudulent attempts to obtain your personal information through email or social media messaging. Armed with your credit card numbers, bank account data or social media account information, the bad guys can steal money from you and snare your online contacts in their phishing nets.

Your anti-malware software or special capabilities in your browser can inform you when you navigate to potentially malicious websites or block malware from being downloaded. Recent versions of Mozilla Firefox, Google Chrome and Internet Explorer all have some anti-malware capabilities. Likewise many email clients, like Mozilla Thunderbird and Microsoft Outlook, can detect and filter spam and other “junk” email that come from senders who you don’t know, did not originally contact, or that look like phishing attacks.

Nevertheless, bad stuff still gets through these automated filters, and on occasion email that is harmless is flagged as dangerous. Filtering software cannot protect you in all cases. In practice, it is difficult to differentiate benign and malicious emails, so it pays to be able to recognize phishing attempts when you see them.

Recognizing and Responding to Phishing Messages

Here’s my list of what to look for in phishing messages and what you should do, or not do, when you get them. Some of these suggestions are based on information presented in the article The State of Phishing Attacks by Jason Hong, associate professor of computer science at Carnegie Mellon and How to Recognize Phishing Email Messages, Links or Phone Calls at Microsoft’s Security and Safety Center Website.

  1. Don’t automatically click on links in emails or other messages. Most phishing messages try to get people to go to malicious websites that will collect their personal information. Now that email and other kinds of messages are delivered in HTML, it is possible to obscure the actual URLs contained in the messages, since any link can contain a URL that is different from the one indicated by the link text. For example, consider these links, all of which seem to point to Google’s search website: (1) http://www.google.com (2) http://www.google.com and (3) click here to go to Google. Only the first will direct you to Google while the other two will direct you to Yahoo!. By hovering your mouse cursor over these links you can see their actual URLs in the status bar of your browser (usually found at the bottom of the browser or email client window). You can check the URLs in links the same way in most email clients that support HTML. With this technique you can verify whether you are being directed to a website that you trust or even recognize. If you don’t recognize the website URL, the URL is shortened using a service like bit.ly, or you did not initiate the contact with the organization or person sending you the link, be reluctant to click on it.
  2. Beware sending personal information in email forms. If you are sent an email that presents a form asking you to supply any kind of personal information, even if it contains legitimate-looking company graphics and logos, you can pretty well bet that it is a phishing message. Most companies ask you to visit their websites directly to log in to your accounts and transact business. If you receive an email like this it is a good idea to contact the company that seems to have sent you the message to let them know about it. And don’t use the contact information in the email; go to the official company website to contact them.
  3. Be suspicious of emails or other messages making threats or asking for money.  Don’t fall for email scams sent by people or organizations threatening you with legal action unless you send money to them or who are trying to persuade you to contribute to strange charity causes you have never heard of. If you are truly concerned that the organization threatening you might be real or the charity looks legitimate and you’d like to contribute, contact these parties to verify their legitimacy and deal with them directly. Don’t let messages that convey a sense of urgency coerce you into being careless.
  4. Look out for messages with spelling errors and bad grammar. Reputable companies don’t want to look like fools when they contact you so messages that are poorly written are more than likely bogus.
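The hover check in point 1 can be automated for an HTML message body. The following is an added example, not code from the original article, that parses the anchors in a message and flags links whose visible text names one host while the href points at another, plus links that go through a URL shortener. The function name, the list of shortener hosts and the sample message are assumptions; the message mirrors the article’s three-link illustration.

```php
<?php
// Added example (not from the original article): flag anchors in an HTML
// e-mail whose visible text and real destination disagree. The function name,
// shortener list and sample message are assumptions.
declare(strict_types=1);

function findDeceptiveLinks(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // mail HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();

    $shorteners = ['bit.ly', 'tinyurl.com', 'goo.gl', 't.co'];   // assumed list
    $findings = [];

    foreach ($doc->getElementsByTagName('a') as $a) {
        $href     = trim($a->getAttribute('href'));
        $text     = trim($a->textContent);
        $hrefHost = strtolower((string) parse_url($href, PHP_URL_HOST));

        // Does the visible text itself look like a URL or hostname?
        $textHost = '';
        if (preg_match('#^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})#i', $text, $m)) {
            $textHost = strtolower($m[1]);
        }

        $reasons = [];
        if ($textHost !== '' && $textHost !== $hrefHost) {
            $reasons[] = "text shows $textHost but link goes to $hrefHost";
        }
        if (in_array($hrefHost, $shorteners, true)) {
            $reasons[] = 'shortened URL hides the destination';
        }
        if ($reasons !== []) {
            $findings[] = ['text' => $text, 'href' => $href, 'why' => $reasons];
        }
    }
    return $findings;
}

// Constructed message echoing the article's example: the first link is honest,
// the second shows google.com but goes to yahoo.com, the third hides the host
// behind "click here", and the fourth is a shortener.
$mail = <<<HTML
<p>Visit <a href="http://www.google.com">http://www.google.com</a>,
<a href="http://www.yahoo.com">http://www.google.com</a> or
<a href="http://www.yahoo.com">click here to go to Google</a>.</p>
<p>Or use <a href="http://bit.ly/example">this short link</a>.</p>
HTML;

foreach (findDeceptiveLinks($mail) as $f) {
    printf("%-28s -> %-28s %s\n", $f['text'], $f['href'], implode('; ', $f['why']));
}
```

The second and fourth links are reported; the third, whose text is just “click here”, contains no host to compare and so is exactly the case where hovering over the link (or reading the href here) remains the only way to see where it goes.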

Phishing Messages in 2012

Phishing attacks are evolving to become even more sophisticated and deceptive. In their blog Blackhole Exploit Kit Transforms Phishing, Trend Micro product manager Sandra Cheng and senior director Jon Oliver point out that phishing messages they are collecting in 2012 look exactly like legitimate emails from real companies. Here is an example of the kind of message they are seeing:


The authenticity of this message is nearly impossible to ascertain by just looking at it, since it does not have any of the obvious phish content I mentioned before. Many of these phishing messages contain links that lead unsuspecting users to websites where malware is installed that enable cybercriminals to take control of the victims’ computers. In most cases the only difference between this new type of phishing email and the legitimate variety are the links they contain.

One way to handle messages like this is to avoid clicking on any of the links in them and instead go directly to the websites of the companies the emails appear to have come from. Once there you can verify whether you have any of the pending issues that are claimed in the fake emails.

More Information on Phishing

If you want to get additional information about phishing, I suggest visiting the PhishTank, a clearing house for information and data about phishing on the Internet. Their website features a lookup service where you can search their database for a URL you suspect might be a phishing site. If you don’t find it you can submit the URL to the PhishTank for evaluation. As you find phishing URLs you can help others avoid them by contributing to the PhishTank database. The PhishTank also has a nice FAQ page that can answer many of your questions regarding phishing.

Don’t become the phishing catch of the day. Protect yourself against phishing attacks by staying informed and vigilant.


Article by Vic Hargrave

Introducing Towerwall’s BYOD Policy Services

Towerwall is proud to offer our new Bring Your Own Device (BYOD) Policy Services.

In recent years, the workplace has become more mobile than ever, and the mobile worker revolution has, in large part, created the need for clear Bring Your Own Device (BYOD) policies. The big idea is that through the use of cloud computing-based collaboration platforms, enterprise-class companies can save a great deal of money in IT, security and overall operational costs.

While this would seem like a no-brainer, more companies are learning that the opposite is true. Both executives and employees need to know the realities of BYOD programs, and how they truly impact operations.

To learn more about our BYOD Policy Services, and all of our Mobile and Wireless Services, visit our Mobile and Wireless Page

Introducing Towerwall’s VOIP Assessment Services

Towerwall is proud to offer our new VOIP Assessment Services.

Do you know if your VoIP phones and servers are segmented from the rest of your network? Even if they are, segmentation alone may not protect your voice assets. Towerwall, Inc. has developed an approach that is extremely effective in testing the security of VoIP (Voice over IP) systems. This program includes controlled tests in which Towerwall, Inc. will attempt to assess several vulnerabilities in VoIP systems and networks. Our methodology includes performing validation and testing to ensure that only “valid” vulnerabilities are reported. The following list outlines some of our “goals” when attempting to perform a VoIP penetration test:

  • Hi-jacking phone calls
  • Recording and replaying voice calls
  • Voicemail tampering
  • Phone registration hi-jacking
  • Caller ID spoofing
  • Sound insertion
  • Access to phone administrative capabilities
  • Attacking systems within the voice VLANS to gain access to the internal network
  • Attacking VoIP client phones
  • A VoIP Penetration Test is focused on vulnerabilities on VoIP systems and networks, including: how these systems are segmented from the rest of the network
  • Towerwall, Inc. uses a detailed testing methodology when conducting VoIP Penetration Tests
  • Towerwall, Inc. focuses our attacks on vulnerabilities specific to VoIP systems and networks

Towerwall, Inc. has developed an approach that is extremely effective in testing the security of VoIP systems and networks. Our Team Members will attempt to gain access to VoIP systems and networks by exploiting vulnerabilities; as well as using information gathered from the information gathering and vulnerability analysis phase. Towerwall, Inc. also tests the network segmentation in place to determine if attacks such as VLAN hopping can be used.


To learn more about our VOIP Assessment Services, visit our Assessment Page

Introducing Towerwall’s Threat Spotlight

We are proud to announce our Threat Spotlight, sign up for our Twitter feed and get the latest threats and how to protect against them.


Threat Spotlights as of October 15, 2012:

AutoInf

AutoInf is a component used by many malware families, notably Conficker, Sality and AutoRun. AutoInf is used to automatically run associated malware from removable media such as USB drives.
More information about this threat

Autorun

Autorun is a family of worms and viruses for the Windows platform. The family gets its name from its use of the USB autorun functionality to automatically execute when an infected USB device is connected to a PC. The members of the Autorun family also use other methods of spread including file infection and traversing network shares.
More information about this threat

Conficker

Conficker is a worm for the Windows platform. It first appeared in late 2008 and is now the most commonly seen malware worldwide. Conficker’s success is due to the multiple methods it uses to spread, exploiting an operating system vulnerability (now patched), weak passwords and removable storage devices.
More information about this threat

Fake antivirus

Fake antivirus software is a scam commonly used by malicious software creators in order to sell fake security software to unwitting victims. The scam will typically involve a webpage or pop-up that informs the user they have viruses or other malware on their computer, even though they do not. It then offers to clean the infection. When the user opts to clean up they are required to pay to obtain a version of the fake software that will perform the cleanup. After the victim pays, the software may or may not cease the fake warnings.
More information about this threat

Iframe

Iframe malware usually consists of a small addition to a legitimate webpage. The addition is usually invisible to the normal user of the page in that it does not affect the visual appearance or layout of the modified webpage. Malicious iframes usually cause the web browser to load additional, malicious content. As such they are used as the first step in the delivery chain for many different types of malware.
More information about this threat

Sality

Sality is a family of file infecting viruses for the Windows platform. It first appeared in 2003 and has been in development ever since. In addition to infecting other files the members of the Sality family can also spread by copying themselves to removable storage devices and accessible network shares.
More information about this threat

Zero Access Rootkit (ZAccess)

Zero Access is a family of rootkits and backdoors. It uses rootkit techniques to hide from security software while allowing remote attackers to control infected computers. Zero Access is commonly used to redirect a user’s web traffic.
More information about this threat

Zeus

Zeus (also known as Zbot) is a widespread Trojan whose primary purpose is to steal information, usually financial data such as credentials for online banking. Zeus is also the name of the toolkit used to create these information stealing Trojans. The kit can be purchased on underground forums, enabling less technically able criminals to take advantage of the capabilities of Zeus.
More information about this threat

BYOD means Bring Your Own Dilemma

It’s becoming more and more common for workers to store work-related documents on their smartphones, tablet computers and other devices they bring to and from work each day. While this can be convenient–employees can access important documents at home or on the road–it also creates greater security risks for businesses.

Employees’ Devices May Not Be Secure

Many employees’ devices have operating systems that are vulnerable to hacking attacks or viruses. This is especially true if the employee’s device isn’t running the latest version of the operating system. Phone and tablet users often don’t install the latest upgrades or even think about security risks because they’re using phones, not computers.

Both employees and business owners are generally aware of the risk to computers from viruses, malware and the like; however, they may not realize that their smartphones and tablets are vulnerable to the same attacks. Thus, they may not scan phones or tablets for viruses regularly or stay on top of upgrading the firmware on these devices.

In addition to operating system vulnerabilities, phones and tablets are susceptible to getting viruses from downloaded applications. Employees may be careful about downloading only legitimate applications; however, if a hacker attacks the application itself, users may end up downloading a compromised version of the application or an “upgrade” to a compromised version. If an employee’s device has business files on it, a hacker could steal the files. Worse, he or she could break into the business’ computer system and wreak havoc after retrieving log-in information from stored files.

Lost and Stolen Devices

Lost and stolen devices accounted for 50 percent of all security breaches in 2011, according to a Ponemon Institute study. If an employee loses his or her phone or tablet–or worse yet, if someone steals the device–that can lead to all kinds of security problems. For example, suppose an employee stored unencrypted files on his or her phone. If the employee loses the phone, whoever finds it might be able to access all the company’s files with just a few taps of the screen. This can happen very easily if an employee’s phone falls out of his or her pocket while sitting in a waiting room or riding in a taxicab.

Difficult to Keep Track of

BYOD security is also more difficult to keep track of. If a business manager has ten computers in his or her office, he or she can easily track computer use; IT specialists can pinpoint infected computers easily. However, there are an infinite number of tablets and smartphones that might become infected during an attack. For example, if an office has 50 employees and some employees have more than one device, it can become difficult and time consuming to determine which devices are infected. In addition, employees may share their devices with each other, making it even more difficult to keep track of who’s been doing what with the device.

No Standardization

The problem is compounded by the fact that there are no standardized security procedures that allow business owners to manage mobile device security. Each company must create its own security policies, and there’s no objective measurement of which devices are most secure. Thus, business owners may not know which devices they should ban employees from using at work.

Legal Impediments

While employers have the right to demand that company-owned devices follow certain security procedures, they may not have the same right when it comes to employee-owned devices. Since the devices aren’t theirs, they’re limited in what they can require.

For example, suppose an office handles a lot of confidential documents. The employer can require that all documents on his or her computer system be encrypted. However, the employer may not have the right to demand that all employees encrypt documents on their personal devices because those devices do not belong to the employer. Some states allow the employer to make rules about devices used on his or her system while others don’t; in many states, the best an employer can do is make rules limiting the type of devices that are allowed to be used on his or her systems.


In order to resolve security problems with BYOD, managers should consult with IT specialists prior to allowing any mobile devices to be used. Managers need to understand which devices are most secure to use so that they can create a reasonable BYOD policy. They may also want to invest in software that helps keep track of mobile devices that are being used in conjunction with company networks so that they can more easily track devices for security purposes. Some employers require employees to download applications that encrypt files or require passwords to access the device. These measures can help cut back on security breaches from lost or stolen devices.

By Michelle Drolet, founder and CEO, Towerwall
Special to Mass High Tech

This article was recently published in Mass High Tech

New Internet Explorer zero day being exploited in the wild

After the Java zero-day exploit we reported some weeks ago, it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one.

Yesterday, Eric Romang reported the findings of a new exploit code on the same server that the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP.

The exploit code found on the server works as follows:

– The file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf.

– Moh2010.swf is a flash file encrypted using DoSWF. We’ve seen the usage of DoSWF in the exploit code of other targeted attacks such as:

Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)

The Flash file is in charge of doing the heap spray. Then it loads Protect.html

Due to the usage of DoSWF, the malicious code is encrypted. The easiest way to obtain the decrypted content is to execute the file within Internet Explorer and attach to the process once the content is decrypted. In the raw content obtained that way, the following ByteArray is declared:

If we take the raw content of the hexadecimal string and apply an XOR “E2” operation to it, we obtain the following bytes, which contain the URL of the malicious payload.

– Protect.html checks if the system is running Internet Explorer version 7 or 8 under Windows XP. If the victim satisfies those conditions, the vulnerability is triggered and the malicious payload is executed.

The payload dropped is Poison Ivy as in the previous Java 0day.


The C&C server configured is ie.aq1.co.uk that is currently resolving to

We’ve also seen that the domain used in the previous attacks hello.icon.pk is also pointing to the new IP address.

Once executed, the payload creates the file C:\WINDOWS\system32\mspmsnsv.dll, and the service WmdmPmSN is configured and started.

Here you have more details on the vulnerability being exploited.

It seems the Metasploit guys are already working on a Metasploit module, so let’s see how fast Microsoft handles the issue.

More info coming soon!


Metasploit has released a working exploit

You can download the following Yara rule to match both exploit versions.

Microsoft Windows Update emails try to steal your Gmail, Yahoo, AOL passwords…

Beware any emails which claim to come from privacy@microsoft.com – it could be that you’re being targeted in an attack designed to steal your AOL, Gmail, Yahoo or Windows Live password.

At first glance, if you don’t look too carefully, the emails entitled “Microsoft Windows Update” may appear harmless enough. But the grammatical errors and occasional odd language should raise alarm bells that the emails may not really be from Microsoft.

Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to confirm your records.


Thank you,

Microsoft Windows Team.

If you do make the mistake of clicking on the link you are taken to a third party website (not the real Microsoft.com), where you are warned that your computer is at high risk and told to choose between logging in via Gmail, Windows Live, Yahoo or AOL.

For the benefit of this article, I chose to pretend that I wanted to log in via AOL. Surprise surprise, the web page asked me to enter my AOL username and password.

Of course, whatever I enter at this point is going to be passed straight into the hands of a cybercriminal. Once your details are in their claws, they’ll waste no time breaking into your online account, stealing information and potentially committing identity theft.

Oh, and I hope you don’t use the same password on multiple websites. Things could definitely get very ugly.

Naturally, victims of the phishing attack are oblivious to what is going on – especially as the thoughtful scammers are caring enough to redirect your browser to a genuine Microsoft webpage related to updating your Windows security.

Take care folks. Be suspicious of unsolicited emails, and always think carefully before entering your webmail passwords. If you are reckless you might be handing the keys to your online life over to a complete stranger.