MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 25 September 2008

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world's best malware researchers. This can be pretty daunting! This will be my 11th Virus Bulletin Conference since the very first one I attended and presented at, back in 1996.

However, I've now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I'm needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you reading this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don't bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I'll post a review as soon as I can.


Wednesday, 24 September 2008

American Airlines Survey

I'd like to start this post with an apology as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won't be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here's a new one I've not seen before. The following e-mail arrived in my 'Phish' inbox late last night [screenshot below]:



That's nice: if I answer five questions in a simple survey I will get $50... I smell a phish, so what do we see when I click on the link?



So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the AAdvantage number and password, and then click on go. This is where I'm taken to next:



As you can see, I'm now asked for my Bonus Code and the rest of the page is the alleged survey. So, I'll fill this in, again using bogus data. Interestingly the Bonus Code is the same in all the copies I've received, to multiple e-mail honeypot addresses too. So, now all the data has been entered, let me click on the continue button and see where we go next.



Aha... Just as I suspected, this is a phish, as it not only asks for personal details, it also wants credit card data, including the CVV and an ATM PIN number too. So, let me enter in some more bogus data and click on the continue button again.

The final page shown informs me that my data has been entered correctly [yeah right!] and that I should see my bonus of $50 on my credit card within 72 hours. More like my credit card will be misused or sold on to others to misuse within 72 hours!

For those of you who like the detail behind the web-page, here is a screenshot of the first page, showing that the actual page is being rendered from two other sites. You may also notice that this phishing site is hosted on Yahoo servers.



Here is a screenshot showing part of the whois record for the phishy domain being used as a front for this scam.



So, it seems that I was right to be suspicious; in fact, a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I've seen one targeting an airline. In fact, I'd go as far as saying that this may be a 'Spear Phishing' attempt, as it seems to have been sent to a small number of people and in far smaller numbers than the more traditional bank phish I see day in and day out.

So, if you are an American Airlines customer be on your guard as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details....

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!
