MA-295.022012: MyCERT 3rd Quarter 2011 Summary Report
25 November 2011
Introduction The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q3 2011, security advisories and other activities carried out by MyCERT professionals. The statistics
provided in this report reflect only the total number of incidents handled by MyCERT and not
elements such as monetary value or repercussions of the incidents. Computer security incidents
handled by MyCERT are those that occur or originate within the Malaysian domain or IP space.
MyCERT works closely with other local and global entities to resolve computer
security incidents.
Incidents Trends Q3 2011
Incidents were reported to MyCERT by various parties within the constituency as well as from foreign, which include home users from local as well from foreign, private sectors, government sectors, security teams from abroad, foreign CERTs, Special Interest Groups including MyCERT's proactive monitoring on specific incidents such as Intrusions.
From July to September 2011, MyCERT, via its Cyber999 service, handled a total of 4526 incidents representing 17.83 percent increase compared to the previous quarter. In Q3 2011, incidents such as Intrusion, Malicious Code, Intrusion Attempt and Spam had increased compared to the previous quarter.
Figure 1 illustrates incidents received in Q3 2011 classified according to the type of incidents handled by MyCERT.
Figure 2 illustrates the incidents received in Q3 2011 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter.
Figure 3: Shows the percentage of incidents handled according to categories in Q3 2011.
In Q3 2011, a total of 978 incidents were received on Intrusion representing 21.60 percent out of total incidents received this quarter. Most of these Intrusion incidents are web defacements, also known as web vandalism followed by account compromise. Web defacements are referred to unauthorised modifications to a website with inappropriate messages or images with various motives by the defacer. This was made possible due to vulnerable web applications or unpatched servers involving mostly web servers running on IIS and Apache with a few others involving other platforms.
In this quarter, we received a total of 769 .MY domains defaced with the majority involving .COM.MY and .COM domains belonging to the private sector. The defaced domains were hosted on single servers that host single domain as well as on virtual hosting servers that host multiple domains, belonging to local web hosting company. The web defacements were managed to be brought down under control and MyCERT had advised the System Administrators on steps for rectifying and recovering from the defacement.
As was in the previous quarter, MyCERT observed that the majority of web defacements were done using the SQL injection attack technique.
More information about SQL Injection technique and fixes is available at:
http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html
Figure 4 shows the breakdown of domains defaced in Q3 2011.
Account compromise refers to unauthorised access or ownership to another account via stolen password or the act of sharing passwords for various malicious motives. The account compromise reported to us mainly involved free based email accounts and social networking accounts. The compromised accounts will then be used in malicious activities on the net such as in Nigerian scams, impersonation and cyber harassment. Based on our observation, account compromise incidents are mainly due to poor password management practice such as using weak passwords and sharing passwords. As such we advise users to practice good password management to prevent their account from compromised.
Users may refer to the below URL on good password management practise:
http://www.auscert.org.au/render.html?it=2260http://www.us-cert.gov/cas/tips/ST04-002.html
Fraud incidents had decreased to about 12.41 percent in this quarter compared to previous quarter. Majority of fraud incidents handled were phishing attacks involved foreign and local brands with the rest of fraud incidents are Nigerian scams, lottery scams, illegal investment, job scam and fraud purchases. A total of 1355 incidents were received on fraud activities in this quarter, from organizations and home users. A total of 241 phishing websites involving domestic and foreign brands were reported to us in this quarter with majority of them belong to local brands. In this quarter we observed an increase in local Islamic Bankings becoming target of phishing activities compared to previous quarters. MyCERT handled both the source of the phishing emails as well as the removal of the phishing sites by communicating with the respective Internet Service Provider (ISPs).
Based on our analysis, majority of the phishing sites were hosted on compromised machines besides phishers host them on purchased or rented domains. The machines may had been compromised and used to host phishing websites and other malicious programs on it.
As was in previous quarter, incidents on job scams and fraud purchase continue to increase with fraudsters using the same modus operandi. Majority of the job scams poses as a recruitment agency of well known Oil & Gas company to lure potential job seekers and the fraud purchases involved purchasing of items at website in which victims never received the items after they transfered money to the buyer for the item.
MyCERT had released an alert on the Job Scam available at:
http://www.mycert.org.my/en/services/advisories/mycert/2011/main/detail/815/index.html
In this quarter we also received a total of 111 incidents on impersonation or spoofing involving emailand social network accounts. Normally the spoofing or impersonations uses compromised accounts belonging to victims and in some other incidents perpetrators will use victims personal detail such as photos, full name, address, telephone number to impersonate as the victim for malicious motives.
We continue to receive incidents on cyberharassment in this quarter with a total of 80 incidents representing a 37.5 percent decrease compared to128 incidents in previous quarter. Harassment reports mainly involved cyberstalking, cyberbullying and threatening. Many of cyberharassment victims are people known to the perpetrator such as their friends, relatives, colleagues. Threatenings via emails, blogs and social networking sites are prevalent in this quarter in which victims are threatened to pay money by person they just got know on the net otherwise their pictures will be exposed or uploaded on porn websites. MyCERT advise users to be very careful with whom they befriends with and never provide their personal details or photos to a third party on the net as the details can be used for malicious activities.
In Q3 2011, MyCERT had handled 233 incidents on malicious codes, which represents 23.28 percent increase compared to previous quarter. Some of the malicious code incidents we handled are active botnet controller, hosting of malware or malware configuration files on compromised machines and malware infections to computers.
Advisories and Alerts
In Q3 2011, MyCERT had issued a total of 6 advisories and alerts for its constituency. Most of the advisories in Q3 involved popular end user applications such as Adobe PDF Reader, Safari web browser, Multiple Microsoft Vulnerabilities. Attacker often compromise end users computers by exploiting vulnerabilities in the users' application. Generally, the attacker tricks the user in opening a specially crafted file (i.e. a PDF document) or web page. Readers can visit the following URL on advisories and alerts released by MyCERT
Other Activities
In this quarter, MyCERT had conducted several trainings and presentations related to
Incident Handling, Malware Analysis and, Internet Security Awareness. Some of the trainings
that we had recently conducted were Incident Handling for Critical National Infrastructure
and also for participants of Malaysian Cyber Drill. We had also conducted presentations at
Hack In Taiwan Conference in Taiwan, at DEFCON Conference in the USA and at OWASP Day. DEFCON is the world's longest running and largest underground hacking conference. OWASP stands for Open Web Application Security Project, a non-profit worldwide charitable
organization focused on improving the security of application software.
Conclusion Basically, in Q3 2011, the number of computer security incidents reported to us had increased compared to the previous quarter. In addition, most categories of incidents reported to us had also increased. The increase is also a reflection that more Internet users are aware of the importance of reporting security incidents to relevant parties besides other factors contributing to the increase of security incidents, not only in Malaysia but worldwide. However, no severe incidents were reported to us this quarter and we did not observe any crisis or outbreak in our constituencies. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats. Internet user and organizations may contact MyCERT for assistance at the below contact:
Malaysia Computer Emergency Response Team (MyCERT)
E-mail: mycert@mycert.org.my
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report to 15888
http://www.mycert.org.my/
Please refer to MyCERT's website for latest updates of this Quarterly Summary.
|
