This is the summary of computer virus/unauthorized computer access incident report for December 2011, compiled by Information-technology Promotion Agency, Japan (IPA).

In 2011, serious information security incidents occurred one after another, including the leakage of information from a heavy industries company in September and a cyber attack on the House of Representatives and the House of Councilors in October, both of which are still fresh in our minds.
Among other instances are:

• Increases in viruses that target Smartphone (in particular Android device), accelerated by the popularity of Smartphone;
• Emergence of virus-containing e-mails spoofed as disaster information (From March to April);
• Large scale information leakage from a network service run by a game company (April);
• A spate of website defacement.

Nowadays, for anyone who uses information technology, incidents on the Internet are not someone else's problems and security measures are indispensable.

In the reminder for this month, we look back "Targeted Attack^*2" and "Unauthorized use of Internet services" that stood out in 2011, providing description and countermeasures.

*2 Targeted Attack: a cyber attack that targets a specific organization/individual and it is intended to fraudulently obtain important information and intellectual property, etc.

(1)Targeted Attack

[I]Characteristics of recent cyber attacks and shift in attackers' motivation

As far as recent cyber attacks on enterprises/organizations are concerned, we can see that attackers' motivation has changed and that techniques employed for such attacks have increasingly been sophisticated (see Figure 1-1).

Motivation of those who carry out cyber attacks have shifted from "getting into mischief" or "showing off their ability" to "obtaining money" or "interfering with organizational activities" in recent years. In the case of pecuniary motive, attackers, from the beginning, mark down valuable information (i.e., classified information, personally identifiable information, etc) that are preserved within the organization, and then attempt to steal and cash them in the end. So, if the leakage of such information occurs, it is likely that the leaked information is abused in some form, causing considerable damage to organizational activities.

Figure 1-1:Characteristics of Recent Cyber Attacks

Among cyber attacks that were carried out in 2011, what stood out in terms of numbers was "Targeted Attack" – an attack that zero in on a specific organization/individual. According to a questionnaire survey^*3 conducted by the Ministry of Economy, Trade and Industry (METI), among the enterprises surveyed, those that have ever received "Targeted Attack" accounted for 33 percent in 2011, a significant increase from 5.4 percent in 2007.

For Targeted Attack, various techniques can be employed, but major one is to send a virus-containing e-mail designed for a specific organization/individual (i.e., "Targeted Attack Mail"). Unlike a virus-containing e-mail that is distributed at random, Targeted Attack Mail uses an authentic-looking sender or message body as well as a virus that is less likely to be detected by antivirus software.

*3 "Presenting information security measures that are based on the recent trend and bring them home to computer users" (METI)
http://www.meti.go.jp/press/2011/05/20110527004/20110527004.html (in Japanese)

[II]Instances of damages caused by Targeted Attack Mail

By opening a file attached to a "Targeted Attack Mail" or clicking a URL in its massage body, the user's PC is infected with the virus. As a result, files that are stored in that PC might be sent to an external party, leading to information leakage, or the PC might be taken over by an external party, allowing him to gain access to a server within the organization.

Instances of techniques to infect PCs with a virus are as follows:

• Vulnerabilities in word-processing software, Adobe Reader, Flash Player, JRE, web browser, etc. that are applications to open data files or browse websites are exploited and a PC opening a file attachment is infected with the virus.
• Extension of a file attachment is spoofed by means of RLO (Right-to-Left Override)^*4 so that the PC whose user takes the file as a document file and clicks it is infected with the virus.

*4 RLO (Right-to-Left Override): a function to reverse a file name's character sequence from "left-to-right" to "right-to-left" by using a special control character.

[III]Instances of damages caused by Targeted Attack Mail

(a) Countermeasures that can be taken by individual users

●In "Targeted Attack Mail", vulnerabilities in software installed on a PC are exploited (e.g., using a crafted PDF file) to infect that PC with a virus. Let's use antivirus software. In addition, check the version of your operating systems and applications by using e.g., "MyJVN Version Checker" provided by IPA and then keep them up-to-date so that existing vulnerabilities are eliminated.

<Reference>

• "MyJVN Version Checker" (a tool to check software installed on a PC)
  http://jvndb.jvn.jp/apis/myjvn/#VCCHECK (in Japanese)

●Countermeasures by humans (e.g., "See through Targeted Attack Mail and do not open it", "If you have received a suspicious e-mail, communicate it throughout the organization") are also important.

There is a possibility that all the members of an organization receive "Targeted Attack Mail", so all PC users need to understand its threats and exercise cautions. It is also advisable to establish rules on how to respond to suspicious e-mails received as an organization (including procedures for calling all the members' attention to such incident).

<Reference>

• "'Points to notice strangeness' and 'measures that should be taken after noticing strangeness' concerning 'Targeted Attack Mail' that have been drawn out from actual cases"
  http://www.ipa.go.jp/security/vuln/report/newthreat201006.html (in Japanese)
• "'Targeted Attack Mail' – a suspicious e-mail sent to a specific organization to steal information"
  http://www.ipa.go.jp/security/virus/fushin110.html (in Japanese)

(b) For management layer, system administration division, system administrators

The results of "IT Security Vaccination"^*5 and a survey on effective implementation methods by JPCERT/Coordination Center (CC), both of which serves as a means for PC users to see through a trapping e-mail, are available to the public, so refer also to them.

*5 "IT Security Vaccination": An act of carrying out Targeted Attack on a specific organization for the purpose of raising its personnel's security awareness. In general, after the distribution of a Targeted Attack Mail, its secret is shown to the personnel in the end so that their uneasiness is dispelled and the survey results are fed back to them for the purpose of educating them.

<Reference>

• "The 2009 IT Security Vaccination Research Report" JPCERT (CC)
  http://www.jpcert.or.jp/research/#inoculation (in Japanese)

(c) Contact point for Targeted Attack Mail

Alarmed by the frequent occurrence of Targeted Attack, IPA has set up a special help line as part of efforts to promptly collect, analyze and share the attack information and to provide preventive measures and coping strategy.
Should you receive an e-mail that you think is Targeted Attack Mail, please contact the following:
●Special help line for targeted cyber attack
TEL: 03-5978-7509 FAX: 03-5978-7518

(2)Unauthorized Use of Internet Services

[I]Current state of unauthorized use

Instances of unauthorized use in 2011 are as follows:

• The website of a major Internet service provider was hacked by a spoofed third party and points redeemable for commodities were stolen (occurred in May, with more than one-hundred cases, causing 100,000 yen worth of damage in total);
• Customers' credit card information being leaked from a system management company for an online Kamaboko store (occurred in May, with about two-hundred cases, causing about two million yen worth of damage);
• Internet banking systems of major banks and regional banks in Japan were used in an unauthorized manner (causing about 300 million yen worth of damage in total);
• A science journal publisher's website was accessed in an unauthorized manner and personally identifiable information and card information were leaked and used fraudulently (occurred in August, with more than a dozen credit cards used fraudulently);
• A large-scale unauthorized use of a major Internet shopping service (occurred in November, with about 4,000 cases).

In this way, a number of unauthorized use cases occurred in 2011. If we include other unauthorized access cases about which whether information leakage has occurred or not is unclear, the total number increases further. What stood out is the amount of information leaked and the number of clients suffered at a time (i.e., they are so large).

[II]Reason Why Such Unauthorized Use was Possible

One reason for Internet services to be used fraudulently is that their users' IDs and passwords are stolen by means of (a), (b) and (c) listed below.

(a)Virus infection via an e-mail attachment or USB thumb drive

Sends an e-mail to which a virus that steals ID/password is attached, aiming at getting the recipient(s) to open the attachment and their PCs to be infected with the virus. External storage media such as USB thumb drive are also used as an avenue of virus infection.

(b)Virus infection through a Website-browsing

One of the mainstream techniques for virus infection through a Website-browsing is "Drive-by Download". This is an attack that causes a virus or other malicious programs to be downloaded into the victims' PCs upon their visit to certain Websites, and it mainly exploits vulnerabilities in operating system or applications running on that PC. If a PC is infected with a virus that steals IDs and passwords in this manner, the user's ID and password are stolen without him/her knowing.
To guide PC users to a website that carries out "Drive-by Download" attack, attackers use e-mail, social networking service such as mixi and Facebook, or micro-blog service such as Twitter, with tempting messages/comments and a trapping link, aiming at getting the recipients to click the link.

(c)Phishing

Phishing is an act of sending an e-mail which is spoofed as the one from an Internet shopping services or a bank, getting the e-mail recipient to access a fake website and enter his/her important information (such as ID/password), and defrauding money and goods by using such information. Nowadays, social engineering^*6 are used in such tempting e-mail messages. Furthermore, a new attack method comprising existing Phishing technique and virus infection technique has emerged, so we need to look out for it.

<Reference>

• "Watch out for new type of phishing scam that uses a virus!" (IPA)
  http://www.ipa.go.jp/security/english/virus/press/201109/E_PR201109.html

*6 Social engineering is a technique to obtain confidential information (such as password) from the victim by taking advantage of psychological off-guard or by exploiting loophole in the society.

[III]Reason Why the Damage by Unauthorized Use Spreads

Users of an Internet service are typically required to register and manage their ID/password. But some people register and use the same ID/password for multiple services as they think they cannot remember many different IDs/passwords. Should such cross-service ID/password be leaked from one of those Internet services, unauthorized access could be carried out against the rest of the services, incurring further damages (See Figure 1-2).

Figure 1-2:Risk of Using the Same ID/Password

[IV]Countermeasures

(a)Properly manage ID/password

Using the same ID/password for multiple services might allow for the spread of damages by "spoofing". To avoid suffering from "spoofing", implement basic ID/password-handling measures with the following three points in mind:

●Strengthen your password … Use the combination of all kinds of usable characters (e.g., alphabetical character (upper- and lower-case), numeric character, symbols) and be sure to set a password with eight or more characters. Do not use a simple word that can be found in a dictionary or the name of a person.

●Keep your password safe … You may write down your password on a paper, but do it separately from ID and keep them apart.

●Use your password in an appropriate manner … Do not log into any Internet services from a PC that is not under your control (e.g., a PC that can be used by unspecified number of people in such places as Net café.)

<Reference>

• "My password is a treasure unknown to anybody other than myself" (IPA)
  http://www.ipa.go.jp/security/english/virus/press/201105/E_PR201105.html

(b)Keep your operating system and programs up-to-date and use antivirus software

Even though you implement the above-mentioned countermeasures against "spoofing", it is essential to install antivirus software, which is a fundamental security measure. A virus that steals ID/password entered by users to log into an online service (i.e., keylogger) has been confirmed. To avoid being infected with this kind of virus and letting information be stolen, install antivirus software and use it with its pattern files updated.

(c)Use login alert feature

Some online services provide login alert feature (i.e., sending an e-mail to a user who has just logged into the service to notify their successful login). Should you receive an unknown login alert e-mail, by locking your account immediately, you can minimize the damage caused.

(3)Outlook of the Year 2012

The tendency of "for enterprises, their information is targeted by attackers, and for individual, their money" is expected to be strengthened. It's not an exaggeration to say that all the services involving money would be put at risk.

[I]Target of attacks might become borderless

In 2011, specific industries and government-affiliated agencies were the main target for Targeted Attack. This trend is expected to continue but in 2012, Targeted Attack might become a major threat to enterprises in all kinds of industries.
As an example, in an attempt to obtain an enterprise's confidential information, a malicious entity may first identity a friend of an official from the official's SNS page, carries out an attack on the friend's PC, for which the PC is infected with a virus, and then obtains the enterprise's confidential information in the end. This kind of scenario was also possible in the past, but the increased use of SNS in recent years has made it easier for a third party to figure out the others' friendships, so any enterprises or individuals might be targeted by attackers to use them as so called "stepping stone".

<Reference>

• Design and Operational Guide to Cope with "Advanced Persistent Threats"
  http://www.ipa.go.jp/security/vuln/newattack.html

[II]Free services that have not been targeted until now might also be targeted

In the feature, even the services that do not involve money might become the target of such attacks, focusing on those using the same password for multiple services.
In the case of fee-based services, using the same ID/password for multiple services increases the chance of suffering monetary damage. Regardless of being fee-based or free, you should avoid using an easy password and using the same password for multiple services.

II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

III. Reporting Status of Unauthorized Computer Access (includes Consultations) –Please refer to the Attachment 2 for further details–

IV. Unauthorized Computer Access Consulted

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in December

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:

Contact