Credit card data breaches: Is there a better solution?

Another month and another big retailer hit with credit card theft. This time it is Home Depot. Last time it was Target. Before that it was Sally Beauty, P.F. Chang's, and the list goes on. This week's news comes after credit cards showed up for sale on rescator dot cc. There is much speculation about how the breach occurred, and questions about the type of firewall, IDS and malware detection in place. Central to the conversation is point-of-sale malware that steals card data directly from the cash register system. One family, Backoff, was publicly described in July and has already infected over 1,000 businesses. It scrapes card data out of process memory and logs keystrokes.

PCI DSS requires cardholder data to be encrypted in storage and in transit. That does not help here: unless the card reader encrypts the data before it ever reaches the register, the track data sits in plaintext in the point-of-sale process while it is read from the reader and formatted for authorization, and that is exactly where memory scrapers and keyloggers take it.

How do we actually stop this trend? Is the answer more network-based and host-based threat prevention, to keep the malware off the register in the first place? Should POS systems be trusted software running on trusted hardware on private networks? What about chip-and-PIN cards? The chip authenticates each transaction with a cryptogram that a copied magnetic stripe cannot produce, and the PIN limits the use of a stolen card, so cloned cards become far less useful at chip-capable terminals. However, that does not solve the problem of card-not-present environments such as e-commerce and telephone orders, where the card number itself is the credential. Some suggest that Bitcoin and other blockchain-based approaches provide a safer option for online transactions because a signed transaction authorizes only that one payment and cannot be replayed, whereas a stolen card number can simply be reused until the card is cancelled. What are the other...
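To make the memory-scraper point concrete, here is an added example, written for this page and not taken from the original post or from any of the malware it names. It performs the pattern matching a scraper performs, which is also how a defender checks whether a POS process exposes plaintext card data: scan a buffer for Track 1 and Track 2 formats and bare digit runs, confirm candidates with the Luhn check, and report masked PANs. The memory buffer is constructed and contains only published test card numbers.

```python
import re

# Constructed slice of POS process memory, as a memory scraper would see it.
# Only published test card numbers are used; nothing here is a real PAN.
SAMPLE_MEMORY = (
    b"\x00\x00order=1187;total=42.17\x00"
    b";4111111111111111=251210112345?\x00\x00"        # Track 2, Visa test PAN
    b"%B5555555555554444^DOE/JANE^2512101?\x00"       # Track 1, Mastercard test PAN
    b"session=9f3b;typed=1234567812345678\x00"        # 16 digits that fail Luhn
    b"TLS record: \x17\x03\x03\x00\x20\x8a\x91\x3c"   # ciphertext, nothing to find
)

# Track 2: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM service-code ... '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Bare 13-19 digit runs, e.g. a PAN keyed in by hand and caught by a keylogger
BARE_PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-confirmed card data found in buf, most specific format first."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"kind": "track2", "pan": pan, "masked": mask_pan(pan),
                         "expiry": m.group(2).decode(), "offset": m.start()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"kind": "track1", "pan": pan, "masked": mask_pan(pan),
                         "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                         "offset": m.start()})
    # Bare digit runs last, skipping PANs already reported from track data.
    seen = {h["pan"] for h in hits}
    for m in BARE_PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan not in seen and luhn_valid(pan):
            hits.append({"kind": "bare_pan", "pan": pan, "masked": mask_pan(pan),
                         "offset": m.start()})
            seen.add(pan)
    return hits


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(h["kind"], h["masked"], "at offset", h["offset"])
```

Run against a dump of the POS process, this finds the same plaintext the malware reads; the TLS ciphertext in the buffer yields nothing, which is the gap between encrypting data at rest and in transit and protecting it while in use.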

Introducing Threatglass – New Industry Portal Offering Exploration, Visualization and Analysis of Exploited Websites

Today, Barracuda released a new online tool for sharing, browsing and analyzing web-based malware: Threatglass, available at threatglass.com. Our Barracuda Labs team fostered the idea, designed the large-scale backend system and finally implemented a GUI to show it to the world. We are very excited to be able to offer this resource, free of charge, to both casual users and the security research community as a whole. Welcome to threatglass.com!

The backend system of Threatglass has been running internally inside Barracuda for a few years. It has been used to automatically scan suspicious websites from Barracuda's customer network and the Alexa top 25,000 websites in order to better protect Barracuda's customers. The system was designed in a large-scale, automated manner that uses thousands of virtual machines to visit URLs in web browsers and observe what happens to the browsers, their plugins and the operating systems. Without prior knowledge of the specific exploits served to the browser or its extensions, the resulting network-level actions are recorded and analyzed to reveal whether the visited URLs serve malicious content. With millions of URLs being scanned every week, the system has accumulated nearly 10,000 live web-based malware infections to date. Meanwhile, new data sources are feeding in daily, including our recent social feeds from Facebook and Twitter. Two of our previous posts specifically demonstrated the power of the Threatglass backend system: summaries of maliciousness on top-ranked Alexa domains in February 2012 and July 2012.

The frontend of Threatglass is a modern web portal that provides a unique visualization of the malware-infected websites identified by the backend system, with a Pinterest-like graphical feel. Threatglass allows users to casually browse website infections dating back to September 2011, and to view charts and trend graphs of historical malware activity. Threatglass provides detailed information about what happened when each infected website was visited on a given date, such as screenshots of the browser, whether a binary was downloaded or any emails were sent, and the number of...
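As an added illustration, written for this page and not Threatglass code (it does not describe how Barracuda's backend actually decides), here is the shape of a behavioral verdict over a recorded browser visit: instead of matching a known exploit, it flags what the visit did, namely a PE binary arriving from a third-party host, the browser spawning an unexpected child process, and outbound SMTP. Both traces, every hostname and the process allowlist are constructed.

```python
from urllib.parse import urlsplit

# A native executable came down the wire: known MIME types or the PE "MZ" header.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
PE_MAGIC = b"MZ"

# Browsers under observation and children they legitimately spawn (assumed allowlist).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
BENIGN_CHILDREN = {"plugin-container.exe", "acrord32.exe"}

# Constructed trace of an infected visit: the page is clean, but an ad iframe
# pulls an executable that the browser launches, and the box then talks SMTP.
MALICIOUS_VISIT = {
    "url": "http://news.example.com/story/42",
    "events": [
        {"type": "http", "url": "http://news.example.com/story/42",
         "content_type": "text/html", "body_head": b"<!DOCTYPE html>"},
        {"type": "http", "url": "http://static.example.com/app.js",
         "content_type": "application/javascript", "body_head": b"(function(){"},
        {"type": "http", "url": "http://x9.example-ads.net/gate.php?id=7",
         "content_type": "text/html", "body_head": b"<html><iframe"},
        {"type": "http", "url": "http://dl.example-bad.org/update.exe",
         "content_type": "application/octet-stream", "body_head": b"MZ\x90\x00\x03\x00"},
        {"type": "process", "image": "C:\\Users\\sandbox\\AppData\\Local\\Temp\\update.exe",
         "parent": "iexplore.exe"},
        {"type": "tcp", "dst": "203.0.113.9", "dst_port": 25},
    ],
}

# Constructed trace of a clean visit to the same site, including a third-party tracking pixel.
BENIGN_VISIT = {
    "url": "http://news.example.com/story/43",
    "events": [
        {"type": "http", "url": "http://news.example.com/story/43",
         "content_type": "text/html", "body_head": b"<!DOCTYPE html>"},
        {"type": "http", "url": "http://static.example.com/app.js",
         "content_type": "application/javascript", "body_head": b"(function(){"},
        {"type": "http", "url": "http://cdn.example-ads.net/pixel.gif",
         "content_type": "image/gif", "body_head": b"GIF89a"},
    ],
}


def registered_domain(host: str) -> str:
    """Crude site key: the last two DNS labels (sufficient for the constructed data)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_visit(trace: dict) -> dict:
    """Classify a visit from what it did, not from what exploit it served."""
    origin = registered_domain(urlsplit(trace["url"]).hostname)
    third_party, flags = set(), set()
    for ev in trace["events"]:
        if ev["type"] == "http":
            host = urlsplit(ev["url"]).hostname
            if registered_domain(host) != origin:
                third_party.add(host)
            body = ev.get("body_head", b"")
            if ev.get("content_type") in EXECUTABLE_TYPES or body.startswith(PE_MAGIC):
                flags.add("binary_download")
        elif ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if ev.get("parent", "").lower() in BROWSERS and image not in BENIGN_CHILDREN:
                flags.add("child_process")
        elif ev["type"] == "tcp" and ev.get("dst_port") == 25:
            flags.add("smtp")  # a browser visit has no business sending mail
    return {"url": trace["url"], "third_party_hosts": sorted(third_party),
            "flags": sorted(flags), "malicious": bool(flags)}


if __name__ == "__main__":
    for trace in (MALICIOUS_VISIT, BENIGN_VISIT):
        print(analyze_visit(trace))
```

The benign trace also touches a third-party host, so third-party content alone is recorded but not flagged; only the observed actions decide the verdict.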

The Twitter Underground Economy: A Blooming Business

A study on Dealers, Abusers and fake Twitter Accounts, by Jason Ding, Research Scientist

Many people dream of becoming popular or famous, and Twitter provides an outlet to make this possible. Most Twitter users try the standard way to get popular and gain followers: constantly tweet funny quotes or comments, discuss breaking events, or disclose information that many people want (like Guy Adams did). However, some Twitter users look for unusual ways to make themselves appear more desirable and become popular faster. One of these ways is buying Twitter followers, which, right or wrong, is a significantly growing trend.

At Barracuda Labs, we consistently find and study fake profiles on social media platforms (see our study on Facebook Fake Profiles at http://barracudalabs.com/fbinfographic/) in order to better protect our 150,000 customers from being phished or harmed. For the past 75 days, we have been investigating the business of trading Twitter followers on eBay and on other websites found through Google. As it turns out, this underground economy on Twitter is blooming! The results show that this Twitter business is growing very fast and forming a series of underground markets. For a quick snapshot, please refer to our most recent infographic, The Underground Economy of Buying Twitter Followers, at http://barracudalabs.com/underground/.

The Study
As part of this study, beginning in May 2012, our team set up three Twitter accounts and purchased between 20,000 and 70,000 Twitter followers for each of them from eBay and from another website found through Google. After collecting these followers' profiles via the Twitter API, as well as additional information from eBay sellers and Google search results, we found many interesting highlights of this business, summarized below in three categories.

Dealers (those users who create fake accounts and sell followers):
• There are 20 eBay sellers and 58 websites (within the top 100 results of searching "buy twitter followers" in Google) where people can buy (fake) followers
• Only a Twitter username is needed to purchase; no authentication is required, so followers can be bought for any account, not just your own
• The average price of 1,000 followers is $18
• A...

Hot Security Topics “HST” Ranking System measures popular topics in the security industry

By Barracuda Labs

The problem: As we walked around the RSA conference this week, the usual greetings were "How are you? What's hot at the show?" or "What trends do you see?" This has been the case for years. Everyone surveys each other looking for some sort of trend identification. The problem is that the answers vary based on where an individual spent time, what parties they visited and who had the most memorable booth models. We lack a quantitative view of what is hot at the RSA conference and what is hot in the information security industry. We set out to solve this problem: to create a data-driven, quantitative view of what is hot at the RSA conference and, by extension, what is hot in the information security industry.

The infosec industry has few quantitative measures of industry trends and priorities. It relies largely on human opinion and analysis. This creates the same problems that existed in NCAA football before the computer-guided BCS ranking system, when rankings were decided solely by human opinion polls. Before the BCS, the top two teams met in the final game of the season only 8 times in 56 seasons. Since the BCS, the top two teams have played in 12 consecutive championship games (source: Wikipedia). Improved analysis created a better-aligned system. We aim to achieve the same in the security industry: by better measuring the priority of topics we can ensure that our attention is aligned with the need.

How It Works: As we introduce the system we focus on the largest gathering of information security professionals and companies, the 21st annual RSA conference, with 15,000 attendees and 341 exhibiting companies. These companies represent over 90% of the $27 billion information security industry (source: IDC).

Popular Topics: Each year RSA publishes a program guide that contains the list of exhibiting companies and a company-provided description of each. This is the most concise explanation of a company's focus. We used these descriptions in a content analysis system to identify recurring n-grams. These n-grams identify...
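The n-gram step above, as an added example written for this page rather than Barracuda's own content analysis system: it counts, for every two- and three-word phrase, how many exhibitor descriptions mention it, so a topic ranks by breadth across companies rather than by how often one vendor repeats it. The five exhibitor descriptions and company names are constructed, not taken from the real program guide.

```python
import re
from collections import Counter

# Constructed exhibitor descriptions in the style of an RSA program guide.
# Company names and text are hypothetical, not the 2012 guide.
DESCRIPTIONS = {
    "Acme Shield": "Acme Shield delivers next generation firewall and advanced threat protection for the enterprise.",
    "Bolt Identity": "Bolt Identity provides cloud security and identity management with strong authentication.",
    "Cipher Labs": "Cipher Labs offers data loss prevention, encryption and advanced threat protection.",
    "Deltaguard": "Deltaguard is a leader in mobile security, cloud security and next generation firewall appliances.",
    "Echo Networks": "Echo Networks builds secure networking and advanced threat protection appliances.",
}

# Function words and marketing verbs that would otherwise dominate the ranking.
STOPWORDS = {"a", "an", "and", "the", "for", "of", "in", "is", "with",
             "provides", "offers", "delivers", "builds", "leader"}


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def ngrams(tokens: list, n: int) -> list:
    """All contiguous n-grams; any window containing a stopword is dropped."""
    out = []
    for i in range(len(tokens) - n + 1):
        window = tokens[i:i + n]
        if not any(t in STOPWORDS for t in window):
            out.append(" ".join(window))
    return out


def rank_topics(descriptions: dict, n_range=(2, 3), min_companies=2) -> list:
    """Rank n-grams by how many companies mention them (document frequency).

    Each company counts once per n-gram, so a verbose vendor cannot inflate a
    topic by repeating it, and n-grams seen by fewer than min_companies are
    dropped as company-specific noise (names, slogans).
    """
    df = Counter()
    for text in descriptions.values():
        toks = tokenize(text)
        seen = set()
        for n in range(n_range[0], n_range[1] + 1):
            seen.update(ngrams(toks, n))
        df.update(seen)
    ranked = [(g, c) for g, c in df.items() if c >= min_companies]
    ranked.sort(key=lambda gc: (-gc[1], gc[0]))
    return ranked


if __name__ == "__main__":
    for gram, count in rank_topics(DESCRIPTIONS):
        print(f"{count:2d}  {gram}")
```

Because both "advanced threat" and "advanced threat protection" survive, a real ranking would also collapse an n-gram into the longer phrase that always contains it; that step is left out here to keep the counting visible.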

Attackers Use Fake Friends to Blend into Facebook

FOR IMMEDIATE RELEASE

Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles
View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/.

Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs' most recent study, Facebook: Fake Profiles vs. Real Users. The study analyzes a random sample of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 Kaspersky Threatpost Security Analyst Summit in Cancun, Mexico.

Facebook, which filed for its IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of "spreading spam through misleading and deceptive tactics". The Barracuda Labs study provides yet another example of this "arms race" as an increasing number of attackers move to social networks to peddle their wares.

Highlighted findings from the Barracuda Labs study include:
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users
•    Fake accounts have six times more friends than real users, 726 versus 130
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users

“Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users. Also, researchers have shown how friending malicious accounts can lead to account...

Do we really want better spam detection on social networks?

by Daniel Peck, Research Scientist

The question sounds crazy, especially from someone who has spent a fair amount of the last year working on making spam and other malicious message detection on social networks better. But we do a disservice to tools geared for protection when we don't think long term about their consequences. Does better spam detection on, say, Twitter reduce the total amount of spam that users see, or does it just change the signal-to-noise ratio?

Websites whose only content is related to spam didn't get many hits. This led spammers to move to search engine optimization techniques, which have had a good run and are still fairly effective, but more often than not spam sites are now full of legitimate content harvested from other sites. I suspect, and have seen several examples, that the same trend is taking place in social media. We build systems that force spammers to put more "real" content into the stream, so that they don't immediately out themselves. These fake accounts contain plenty of retweets of popular stories, and shared links on Facebook with a bit of "hey, what a great deal on shoes" or "click here to see my naked" thrown in here and there.

Times are changing here too: sharing too many popular things also indicates that an account is a spammer, or at the very least a much less valuable node in the network. So the next step is wholesale copying of real people's profiles, complete with pictures of their cat: a bizarro you, with everything from your Facebook account duplicated on another network such as Tumblr or Google+, with an occasional spam or malicious link thrown in. The kind of place where friends will eagerly add you, because everyone needs to be connected to every one of their friends through every medium possible, of course, and not think twice about clicking on the malicious link that bizarro you just shared. Besides being quite a blow to the privacy...

The more connected the more vulnerable

by Daniel Peck, Research Scientist

The Facebook data team released some interesting data a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems that more than 90% of people on the network are separated by only four degrees, meaning that a short chain of mutual friends links almost any person A to any person B. Interesting in and of itself, this shows how social networking is used to connect to people with whom you have very little in common, perhaps enjoying similar music, enjoying the same food, or liking the same apps/games on Facebook. Something like mini ad-hoc Farmville fan clubs. And that is neat; the more connected we are to one another, the more we may understand each other.

That said, this amount of connectedness has a price in the realm of trust, especially with regard to anomaly detection and behavioral classification. The network doesn't distinguish the levels of trust/friendship that we have in the real world. This is likely a necessary level of abstraction, and we don't keep a leaderboard of how much we trust each friend, but you have an internal model that allows you to weigh "truths" differently based on whether they came from a long-time friend or from someone you met because you attended a one-day class together. Software can't know these levels, at least not without an unreasonable amount of training from the user, so for the purposes of behavioral classification it has to use more derived variables, like connectedness, on the social graph. As the graph collapses to a few degrees, these variables become less valuable and may introduce false levels of trust within your real circle of friends. We've seen spammers working through fake accounts exploit this more and more. Usually the steps go something like this: an account is created with a profile listing that they went to "Generic State U". A few...

Seven Annoying Attacks That Facebook Misses

This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results showing that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and statistics. We applaud the efforts; however, more is needed. When you are trying to grow a social network as well as increase advertising revenue, security becomes not only a lower priority but sometimes a conflict of interest. Facebook claims that only 0.5% of users experience spam on any given day. That is still 4 million people out of the 400 million users who log in on any given day, and we suspect that measurement only counts the spam Facebook catches, which is clearly not 100% of the spam. While working on Profile Protector and other web security intelligence, we regularly come across spam and attacks that repeatedly use similar, detectable approaches. We compiled this list of seven annoying attacks that Facebook misses.

1) Fake Product Pages: Knock-off luxury goods have always been a popular scam. You might think you are buying your mother a nice new purse for a great price. If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best. Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints. Once they finally are shut down, there are already 8 duplicate pages running the same scam. Clearly brands such as Christian Louboutin, Louis Vuitton, Air Jordan and Beats By Dre are not running hundreds of knock-off photo albums on Facebook as their advertising platform.

2) Manipulated Account Recommendations: On social networks, those with less good motives have figured out how to game the recommendation system and use it to...
