
RSA Firstwatch shines a spotlight in the darker corners of the Internet to better understand Internet Fraud and Criminal trends online.  When possible, RSA Firstwatch members will use this space to share information about some of our findings.


All I can say is "that was fast."  Less than 24 hours after it was announced that the new Firefox OS-enabled smartphone would be produced for Japan by manufacturer KDDI, we detected botnets launching ICMP-based distributed denial of service attacks against the KDDI networks.



From JapanDailyPress here:

February 25, 2013
Mozilla and KDDI Corporation (KDDI) announced plans of launching Firefox OS smartphones in the Japanese market soon. This news comes after their big announcement at the Mobile World Congress in Barcelona that they will be launching the highly-anticipated Firefox OS in mid-2013.

Firefox OS is the new mobile platform being developed by Mozilla which will challenge Google’s Android and Apple’s iOS in the mobile market. It utilizes open web technologies like HTML5 and has no proprietary restrictions, in keeping with Mozilla’s goal for open development of the online world. The launch of this new OS will make application development even more competitive and faster, as well as bring even more innovation to the industry, with an eye out for fair competition.

So much for fair competition.  Someone is clearly unhappy with the announcement now that thousands of bots are downloading malware that participates in this attack on KDDI.


Here is how we detected it:

We have a huge malware sandbox that is constantly ingesting new samples of malcode, viruses, and malware, and we simply watch the behavior of the network these sandboxes are connected to using NetWitness Security Analytics.  And while DDoS attacks tend to stand out when looking at a timeline, this particular DDoS uses simple ICMP packets directed at random IPs on KDDI's network.




Almost 4000 ICMP packets were shot at KDDI's netblock in under two minutes from just two infected sample hosts.  If this malware is pervasive in the wild, and it seems it is, this sample attack could represent only the tiniest sliver of the attack against KDDI.  And while most ICMP-based attacks can be repelled with rate-limiting tactics, an unprepared organization could still suffer outages and downtime if the attack is not detected or dealt with in a timely manner.
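One way to turn the pattern described above into detection logic, as an added example that is not RSA's code: it groups ICMP packets per source host, slides a two-minute window over them, and alerts only when a host both exceeds a packet count and sprays many distinct addresses in the victim netblock. The victim netblock (TEST-NET-1 as a placeholder), the thresholds and the sensor records are all constructed assumptions.

```python
"""Flag sandbox hosts spraying ICMP at a victim netblock (added example, not RSA code)."""
import ipaddress
from collections import defaultdict

# Assumptions: 192.0.2.0/24 (TEST-NET-1) stands in for the victim netblock;
# the window matches the post's "under two minutes"; the thresholds are guesses
# set well above what any legitimate host should ping.
VICTIM_NET = ipaddress.ip_network("192.0.2.0/24")
WINDOW_SECONDS = 120
PACKET_THRESHOLD = 1000
DISTINCT_DST_THRESHOLD = 50


def build_sample_packets():
    """Constructed sensor records (epoch seconds, src, dst, proto)."""
    pkts = []
    t0 = 1361750400.0  # arbitrary start time, 2013-02-25 UTC
    # Two infected sandbox hosts each fire 2000 ICMP packets in ~110 s
    # at pseudo-random hosts spread across the whole victim /24.
    for i in range(2000):
        dst = f"192.0.2.{(i * 37) % 254 + 1}"
        for src in ("10.0.0.11", "10.0.0.12"):
            pkts.append((t0 + i * 0.055, src, dst, "icmp"))
    # A benign host: a few pings to one server plus some TCP traffic.
    for i in range(5):
        pkts.append((t0 + i * 10, "10.0.0.20", "192.0.2.7", "icmp"))
    pkts.append((t0 + 3, "10.0.0.20", "192.0.2.7", "tcp"))
    return pkts


def detect_icmp_floods(packets, window=WINDOW_SECONDS,
                       pkt_thresh=PACKET_THRESHOLD, dst_thresh=DISTINCT_DST_THRESHOLD):
    """Return {src: (peak packets in any window, distinct victim IPs)} for sources
    over both thresholds; spraying many targets separates this from over-pinging."""
    by_src = defaultdict(list)
    for ts, src, dst, proto in packets:
        if proto == "icmp" and ipaddress.ip_address(dst) in VICTIM_NET:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({dst for _, dst in events})
        if peak >= pkt_thresh and distinct >= dst_thresh:
            alerts[src] = (peak, distinct)
    return alerts
```

Run against the constructed records it flags only the two infected hosts; the benign host pinging a single server never trips the distinct-destination threshold.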


This also shows how cut-throat the internet can be for emergent technology, and why marketing decisions need to be made in conjunction with the CISO of the organization to ensure that the enterprise is prepared: not only for the new business visitors to the corporate website, but also to defend itself from miscreants seeking to create mischief or claim a new cyber-scalp.



A Chinese website offers its users a unique service: to instantly generate a false United States citizen identity, complete with banking credentials, work history, education background, and even a blood type, based on scraped personal information from other websites, geo-IP location, and stolen credit card numbers.  The site does say that it shouldn't be used for criminal purposes, despite the fact that we detected known criminals using it to farm identities. The page screenshot has been translated from Chinese:



And with a click of a button, you can even generate a new identity for yourself from your own hometown, based on your local IP address.  In addition, there is a driver's license number generator that the website's author assures will work for at least a dozen states.


Don't worry about the seemingly personal information: the social security number is fake and only guaranteed to match the issuing state, and the telephone number is an unused one from the region.  The bank is randomly chosen from the local region, and the routing numbers for those banks are not exactly a secret either.  The credit card numbers are supposedly valid, which is why they are blanked out, but it is more likely that only the first four digits match the issuing bank, again something that is not a secret.  The usernames, email addresses and websites are all generated from random transforms of a real person's first and last name, information real people publish to sketchy websites such as dating, recipe sharing, message board, and gaming sites.


Here is one of those real people whose user information appeared in one of my samples. The backend bot of this identity generator cribbed it from her online dating profile, creating matches for age, name, location and zip code.



The online personals ad leaks personal information such as a username, job title, location, zip code and age.  It provides just enough of a web-based personal biography that anyone researching one of these generated false identities might believe a real person is behind it.


So what could you do with a fake generated identity?  While the ID generator site says it should be used to protect online identity by providing a layer of anonymity, the opportunities for fraud abound.  Could someone get a payday loan with just this amount of information?  Apply for housing?  Purchase a cellphone?  Get a plane ticket?


The bottom line is that criminals are combining real people's information with falsified additional details to perpetrate fraud both online and in the real world.  So think again before you post your own personal information online.

NOTE: This blog is being posted on behalf of Alex Cox, Principal Research Analyst on the RSA FirstWatch team.  To read more of the FirstWatch team's blogs you can visit their RSA Speaking of Security blog page:



As reported today, yet another zero-day exploit in Acrobat Reader is being used in the wild in targeted attacks.  Details can be found here:


As is the case in most of these situations, RSA FirstWatch begins analysis of such threats as soon as they are discovered, and this threat is no different.


One of the things that the team did regarding PDF exploits was to profile the most common methods and techniques for PDF-based exploitation and document them.  These techniques were then developed into a FlexParser for the RSA Live (aka NetWitness Live) library.

The good news is that the Adobe Zero-Day uses a common “Open” action when exploiting the target workstation and this is detected forensically on the wire using our parser.  While this particular action is not always malicious, it’s unusual enough that it’s worthwhile to look for it in your network traffic on a regular basis.
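The following is an added example of the kind of check behind a "pdf with open action" tag, not the RSA Live FlexParser itself. It assumes the post's "Open" action is PDF's /OpenAction catalog entry (with /AA, additional actions, treated the same way), and it decodes the #xx name escaping that a plain string match on a reconstructed payload would miss. The sample PDFs are constructed.

```python
"""Tag reconstructed payloads that are PDFs carrying an open action.

Added example, not the RSA Live FlexParser. Assumes the "Open" action in the
post is PDF's /OpenAction catalog entry (with /AA, additional actions, treated
the same) and decodes #xx name escapes, which a naive string match misses.
"""
import re

PDF_MAGIC = b"%PDF-"
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OPEN_ACTION_KEYS = (b"/OpenAction", b"/AA")
# Action types worth a closer look when triggered on open (assumed list).
ACTION_TYPES = (b"/JavaScript", b"/Launch", b"/URI", b"/SubmitForm")


def normalise_names(data: bytes) -> bytes:
    """Decode PDF name escapes so that /Open#41ction reads as /OpenAction."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_open_action_meta(payload: bytes) -> list:
    """Return meta tags for a payload: [] if it is not a PDF or has no open action."""
    if not payload.lstrip().startswith(PDF_MAGIC):
        return []
    data = normalise_names(payload)
    if not any(key in data for key in OPEN_ACTION_KEYS):
        return []
    tags = ["pdf with open action"]
    for action in ACTION_TYPES:
        if action in data:
            tags.append("pdf action " + action.decode().lstrip("/").lower())
    return tags


# Constructed minimal PDFs (not real samples); the third hides the key with a #41 escape.
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
SAMPLE_OPEN_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
                  b"/OpenAction << /S /JavaScript /JS (1) >> >> endobj\n%%EOF")
SAMPLE_ESCAPED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Open#41ction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /URI /URI (http://example.invalid/) >> endobj\n%%EOF")
NOT_A_PDF = b"<html><body>not a pdf</body></html>"
```

The tag alone is a pivot, not a verdict: as the post notes, open actions also appear in legitimate documents, so the action type tag is what tells you which sessions to reconstruct first.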


To detect this attack (and others like it, zero-day or otherwise), use the following pivot in Security Analytics, or NetWitness Investigator:


  1. = “pdf with open action”



...which will be displayed as follows in the RSA Security Analytics “Investigation” view or in NetWitness Investigator:



If we then reconstruct the session we get additional details:



For RSA Live (aka NetWitness Live) customers that want to make sure they have this parser loaded, please look for the following in your RSA Live subscription:



In the name of responsible disclosure, we can’t release additional details on the exploit at this time, but this detection offers a generic way for our customers to inspect suspicious PDFs in lieu of a patch from Adobe and/or additional public indicators.


Happy Hunting!


- Alex Cox, Principal Research Analyst, RSA FirstWatch


Recently Bit9 announced that its internal systems had been compromised and, as a result, malware had been signed using Bit9’s own digital code-signing certificates:


Does this affect RSA NetWitness Spectrum?

Bit9 has given RSA assurance that we are not one of the customers affected by the security incident. They have also stated that the specific product RSA uses from Bit9 (GSR or Global Software Registry) was not affected by this compromise, directly or indirectly.  More specifically, RSA NetWitness Spectrum’s only interaction with Bit9 is to post MD5 hashes of the files we are analyzing and to parse the result to determine the file’s threat level.


In summary, no remediation is required on the part of RSA NetWitness Spectrum customers given the recent Bit9 security incident.



In FirstWatch, we see some common get-rich-quick schemes.  We see people frantically trying to answer online surveys to earn points or dollars.  We see referral dollars for downloading spyware-infected toolbars.  We see Bitcoin mining that rarely strikes digital paydirt.  But the following site, run by a probable criminal, actually made me laugh out loud at the audaciousness of his scheme and the concept of his gambling site.  It is a Russian site where you can gamble on Rock Paper Scissors.  The idea is you register, bankroll your gambling chips, and supposedly bet against "real members online," and the winner of the Rock Paper Scissors battle takes the pot.



The page has been translated from Russian.  You can see the popup where this gambling site is encouraging advertisers and referral hits and it promises 2,500 dollars a month in quick cash.  Of course the cash promise is too good to be true, and the system is most likely run by a statistics bot that will always favor the "house."


So what will Russian mobsters do next to fleece people of their money?  If online Rock Paper Scissors doesn't cut it, they might want to check out this scene from Vegas Vacation and think up a new way to attract the Internet's Clark W. Griswolds.

