SANS ISC: InfoSec Handlers Diary Blog

Soon to come: IRS Spam

Published: 2007-10-30
Last Updated: 2007-10-30 20:46:50 UTC
by Johannes Ullrich (Version: 1)

Our friends at iDefense/VeriSign shared a template with us for a new IRS phishing e-mail which they expect to be mailed out soon (possibly today). The template indicates the message will be sent as a multipart MIME-encoded e-mail with a plain-text part and an HTML part.

The '%' keywords in the template will be replaced with customized content. Expect URLs like the following to be used:

Note that the directory name starts with a '.' in order to hide it from a casual directory listing on compromised Unix systems. Another common directory name is '.bbb'. File names to expect are b.php and update.exe.
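As an added example (not part of the original diary), here is a small hunt script for the artifacts described above on a compromised Unix web host: dot-prefixed directories such as '.bbb' that hold dropped files like b.php or update.exe, plus a check that any file claiming to be a PDF really starts with the "%PDF-" identifier the lure itself talks about. The function names, the suspect-file lists and the directory layout used for testing are this example's own assumptions, not something from the diary or iDefense.

```python
"""
Added example (not part of the ISC diary): hunt a web root for hidden
dot-directories holding dropped scripts/executables, and flag files with a
.pdf extension that do not carry the PDF magic bytes. Function names and the
suspect-file lists are assumptions made for this example.
"""
import os
from pathlib import Path

# File names / extensions worth flagging inside a hidden directory under a web root.
SUSPECT_NAMES = {"b.php", "update.exe"}
SUSPECT_SUFFIXES = {".php", ".exe", ".phtml", ".pl", ".cgi"}

# The first five bytes of a well-formed PDF, as the phishing lure itself states.
PDF_MAGIC = b"%PDF-"


def has_pdf_magic(data: bytes) -> bool:
    """True if the byte string starts with the PDF file identifier."""
    return data[:5] == PDF_MAGIC


def is_hidden(name: str) -> bool:
    """Dot-prefixed names are omitted from a plain 'ls' on Unix."""
    return name.startswith(".") and name not in (".", "..")


def hunt_hidden_dirs(root):
    """Walk 'root' and return a sorted list of (hidden_dir, [suspect files]).

    Only hidden directories that actually contain a suspicious file are
    reported, so ordinary dot-directories (.git, .cache, ...) are skipped
    unless something script-like or executable was dropped into them.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Any path component starting with '.' makes this directory hidden.
        rel = Path(dirpath).relative_to(root)
        if not any(is_hidden(p) for p in rel.parts):
            continue
        suspects = sorted(
            f for f in filenames
            if f.lower() in SUSPECT_NAMES or Path(f).suffix.lower() in SUSPECT_SUFFIXES
        )
        if suspects:
            findings.append((str(rel), suspects))
    return sorted(findings)


def classify_pdf_claims(root):
    """Return a sorted list of *.pdf files whose first five bytes are not '%PDF-'.

    A dropped executable renamed to 'form.pdf' is caught here even though the
    extension looks harmless.
    """
    bad = []
    for path in Path(root).rglob("*.pdf"):
        with open(path, "rb") as fh:
            head = fh.read(5)
        if not has_pdf_magic(head):
            bad.append(str(path.relative_to(root)))
    return sorted(bad)


if __name__ == "__main__":
    import sys
    # Default web root is an assumption; pass the real document root as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for d, files in hunt_hidden_dirs(target):
        print(f"hidden dir {d!r} contains: {', '.join(files)}")
    for f in classify_pdf_claims(target):
        print(f"file {f!r} has a .pdf extension but no %PDF- header")
```

Run it against each web document root on a suspect host; a hit on a hidden directory containing b.php or update.exe is worth a closer look, and the magic-byte check costs nothing at a mail gateway either, since the "PDF form" offered by this lure is expected to be an executable.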


Here is the top part of the template:

From=IRS e-file <>
Reply-To=IRS e-file <>
Subject=Known e-file Issues and Solutions (2007 tax year), for %comp%!

Binary Attachments


It has come to the attention of the IRS Modernized e-File office that
some transmitters/software developers/return originators are creating
binary files incorrectly. In some instances, the IRS was unable to
display the PDF document because of improper formatting.
Effective immediately, please ensure that binary attachments are created
according to the PDF standards in this correspondence.
The internal identifier (first five bytes of the file) must be the
standard PDF identifier, "%PDF-".
Please download the correct PDF form for your business needs here:





Cyber Security Awareness Tip #30 - Blogging and Social Networking

Published: 2007-10-30
Last Updated: 2007-10-30 15:26:05 UTC
by Deborah Hale (Version: 1)

First of all - thanks to our fearless leader, Johannes, for getting this diary started.  I am becoming an absent-minded old grandma I guess and forgot that I started my Tour of Duty last night.  Anyway, I am here today and ready for all of the fun.


Now for my 2 cents on the subject of Blogging and Social Networking.

I will not even try to kid you, I don't like the rooms that the kids are hanging out in.  I work very hard to discourage them from hanging out in some of these places. Unfortunately it is not easy. Many of these rooms contain numerous dangers, not the least of which is sexual predators.  We all know what a danger these can be for kids. And if that is not enough to worry you, let's see if this does.

A few weeks ago we had some computers at our stores that had been infected. Now all of our stores had AV software installed and running.  During my monthly audit I discovered that we had some PCs on which the AV had been disabled, and they were laden with bad things, not the least of which was a worm.  As I began the job of cleaning these up and getting the AV going again I discovered that the common thread was that all of the infected machines had accessed one popular social networking site (not one page... the site).

Upon further investigation I discovered that the machines also contained a keylogger. Customer data as well as company data may have been at risk. Luckily we caught it before damage was done; however, it could have been a big problem. I explained to management the dangers of the sites that the folks were visiting and we put a dollar value on the amount of time it took me to clean up the problem by formatting and reloading all of the computers. We also took a look at the potential loss of revenue if a breach had occurred and we had compromised valuable customer data. What about the possibility of a lawsuit? What about the loss of goodwill, faith in our service and our company?

We have now put in web filtering and we no longer allow access to certain sites and types of sites, for instance music or video downloads.  What the employee does at home in their own time, I can't control. What happens in one of our facilities, I can.

The important thing is to talk to your employees, explain to them why you do what you do.  When they realize the cost they are more likely to cooperate.  When they realize that a breach can result in a significant loss of revenue which equates to less money for raises and bonuses and they see that it does affect their bottom line they don't complain, or at least complain silently.

Educating your users about the dangers on the Internet can go a long way in impacting your bottom line.


Cyber Security Awareness Tip #30 - Blogging and Social Networking

Published: 2007-10-30
Last Updated: 2007-10-30 13:28:17 UTC
by Johannes Ullrich (Version: 1)

Yesterday we talked about the "insider threat". Blogging and social networking can be seen as a variation of this issue. But unlike the clandestine (and intentional) activities performed by a malicious insider, the threatening actions that come from blogging and social networking are usually unintentional and frequently well intended.

So how do you (or your organization) deal with this threat? Do you review your employees' blogs for proprietary information? This may be an area where user education will actually work. However, it is also an area where the lines between a person's professional and personal life blur. What about the reputation of a company? Would it be affected by a well-known employee of the company voicing radical political views in his personal blog?

The threat from social networking is similar. By mixing personal and professional contacts in your social network, you allow for "data leaks". Another issue is that with social networking, terminated employees retain access to customer and collaborator contact information, since those contacts live in the employee's personal account rather than in a company-controlled system.

As always: contact us with your tips on how to mitigate this threat.

Johannes B. Ullrich, Ph.D. SANS Institute.
Interested in web application security? We still have seats in my next class: SEC519 Web Application Security, Virginia Beach, November 14-15th.
