All posts by David Harley

About David Harley

David Harley has worked in security since 1986, notably as security analyst for a major medical research charity, then as manager of the NHS Threat Assessment Centre. Since 2006 he has worked as an independent consultant. He also holds the position of Senior Research Fellow at ESET. His books include Viruses Revealed and the AVIEN Anti-Malware Defense Guide for the Enterprise. He is a frequent speaker at major security conferences, and a prolific writer of blogs and other articles. If he had any free time, he would probably spend most of it playing the guitar.

Counter eCrime Operations Summit next week

[I’ve blogged on this elsewhere, but I’m pretty sure that this will be of interest to some of the readers of this blog, so here are the details as supplied by the Anti-Phishing Working Group.]

‘Containing the Global Cybercrime Threat’ is the focus of the Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27

The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.

CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.

Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.

Key presentations will include:

» Toward a Universal eCrime Taxonomy for Industry and Law Enforcement; by Iain Swaine, Ensequrity.
» Budapest Convention on Cybercrime: Transborder Law Enforcement Access to Data; by Alexander Seger, Director of the Data Protection and Cybercrime Division of the Council of Europe.
» Adventures in Cybercrime Event Data Sharing; by Pat Cain, AWPG Resident Research Fellow.
Additional presentations about industrial policy at CeCOS VI will investigate policies that complicate the work of exploited brand holders and responders including the domain name system (DNS) registration process that is abused by phishers as part of their phishing campaigns.

ABOUT the Counter eCrime Operations Summit

CeCOS VI, the second APWG conference held in Europe, is an open conference for members of the electronic-crime fighting community, hosted by the APWG and its Conference Partner AVG, Program Partners: The Council of Europe and Organization for Security and Cooperation in Europe, and sponsored by AVG, Google, Microsoft, MarkMonitor, ESET, Telefonica and ICANN. The CeCOS programs are widely considered the most vital events to investigators and managers of electronic crime from across the private and public sectors.



APWG: Foy Shiver, +1 404-434-7282.


The malware problem looks better after the first cup of coffee

Since most of my income comes from a company on the West Coast, I’m used to people assuming that I should be working according to their time zone (PST) rather than my own (GMT). But apparently we’re all wrong.
According to Trustwave’s Global Security Report:

“The number of executables and viruses sent in the early morning hours increased, eventually hitting a maximum between 8 a.m. and 9 a.m. Eastern Standard Time before tapering off throughout the rest of the day. The spike is likely an attempt to catch people as they check emails at the beginning of the day.”

Did I miss something? Has everyone but me moved to the East Coast? I’m not even sure it matters when you receive a malicious executable, unless you don’t get around to opening it until after your security software has been updated to detect it. However, the report also tells us that:

“The time from compromise to detection in most environments is about six months…”

So if evading AV software is really the point, this seems to suggest that all those people who’ve moved to the East Coast are coping even less effectively with their email than I am.

Hold on, though. Maybe this tells something about the blackhat’s time zone, rather than the victim’s? The report doesn’t seem to tell us anything about the geographical origin of the emails that Trustwave has tracked, but it does tells us that apart from the 32.5% of attacks in general that are of unknown origin, the largest percentage (29.6%) come from the Russian Federation. Russia actually covers no less than nine time zones (until a couple of years ago, it was eleven), but perhaps we can assume for the sake of argument that a high percentage of those attackers are in time zones between CET and Moscow Standard (now UTC+4), which applies to most of European Russia. (That assumption allows us to include Romania and the Ukraine.) Perhaps, after a hard morning administering botnets, Eastern European gangsters are best able to find time to fire off a few malicious emails between the afternoon samovar break and early evening cocktails. Convinced? No, me neither.

Actually, there are some interesting statistics in the report. If they’re reliable, some assumptions that we make about geographical distribution, for example, might bear re-examination. But I’d really have to suggest that journalists in search of something new to say about malware examine some of the report’s interpretations with a little more salt and scepticism. I suppose I should be grateful that no-one has noticed yet that according to the report, twice as many attacks originate in the Netherlands as do in China. Just think of the sub-editorial puns that could inspire…

Small Blue-Green World/AVIEN
ESET Senior Research Fellow

PC Support Sites: Scams and Credibility

Just as 419-ers seem to have been permanently renamed in some quarters as “the Lads from Lagos”, I wonder if we should refer to those irritating individuals who persist in ringing us to offer us help (for a not particularly small fee) with non-existent malware as the “Krooks from Kolkata” (or more recently, the Ne’erdowells from New Delhi). It would be a pity to slur an entire nation with the misdeeds of a few individuals, but the network of such scammers does seem to be expanding across the Indian continent.

Be that as it may, I’ve recently been doing a little work (in association with Martijn Grooten of Virus Bulletin) on some of the ways that PC support sites that may be associated with cold-call scams are bolstering their own credibility by questionable means. Of course, legitimate businesses are also fond of Facebook likes, testimonials and so on, but we’ve found that some of these sites are not playing altogether nicely.

I’ve posted a fairly lengthy joint blog on the topic here: Facebook Likes and cold-call scams

ESET Senior Research Fellow

Help Desk Scams and Microsoft

Apparently when the coldcalling species of scamming maggot claims to be Microsoft or partnered with Microsoft, there really is sometimes a relationship of sorts lurking behind the scenes there, though that doesn’t mean that Microsoft are at all a party to the scam, of course.

I’ve been gnawing at that particular bone for quite a while now – see, for instance, and and – and the name Comantra has turned up time and time again in the context of site registrations, though I haven’t had the resources to confirm links with the company in terms of individual scam calls.

But somehow I’d never realized the company really was a Microsoft Gold Partner. Apparently Microsoft took some time to make the connection too. But they have, and Comantra is no longer a Gold Partner. According to PC Pro, a Microsoft spokesman said:

“We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member’s business practices.Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status.”

Somehow, though, I doubt if this means the end of coldcall scams. There were lots of sites and lots of names registered for sites that were associated with individual scammers, and there seems to be no real pressure from law-enforcement in the regions where the calls are actually originating. And Comantra is claiming that it’s all to do with negative marketing from their competitors. Gosh, never heard that one before…

On the other hand, since I moved house a few weeks ago, I haven’t had a single support scam call, though there’ve been a few “we can help you sue your mortgage lender” calls with a reassuringly Indian accent. Still, I miss being told I’m leaking viruses all over Surrey. How long do you suppose it will take them to catch up with me?

David Harley CITP FBCS CISSP. And stuff.
Small Blue-Green World