SPAM frauds, fakes, and other MALWARE deliveries...
Posted 14 January 2012 - 10:08 PM
IP's to block 2012.01.14...
Last Updated: 2012-01-14 21:40:30 UTC - "Antony Elmar owns quite a few domain names... lives in a lovely city called "Kansas, US"... with a phone number that is a tad odd for "Kansas, US" and has a dial prefix that looks more like Italy... Registrant Phone:+3.976639877...
His new domains currently point to 126.96.36.199, in Moldova... The IP used seems to change about once per week, until past Thursday, Antony's virtual HQ was at the neighboring IP, 188.8.131.52.
His latest new domains include:
... and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages..."
Posted 16 January 2012 - 04:00 PM
Zbot spreads thru fake email ...
January 13, 2012 - "... malicious SPAM campaign that is actively sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>” and the attachment uses the filename format Billing-Summary-ConEdison-<random numbers>-<Date>.zip... The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise. It uses no fake icons of Adobe Reader or Microsft Word, no double file extensions, or excessive use of space in the file name to hide the .EXE extension... bill notifications do -not- usually arrive with an executable file - so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email..."
Posted 17 January 2012 - 11:33 AM
Zappos breach - 24M affected...
January 16, 2012 - "... Zappos.com is advising over 24 million customers to change their passwords following a data breach... Zappos employees received an email from CEO Tony Hsieh on Sunday*, alerting them about a security breach that involved the online shop's customer database... Even though he assured everyone that no credit card details had been compromised, Hsieh revealed that the attacker had accessed customer records including names; email, billing and shipping addresses; phone numbers, and the last four digits of their credit card numbers. The hacker also gained access to password hashes for the accounts registered on the website, prompting the company to reset everyone's access codes. Zappos is currently in the process of emailing its 24 million customers in order to notify them about the security breach and advise them to change their passwords..."
Last Updated: 2012-01-16 16:56:49 UTC
Jan 17, 2012 - "... hackers had not been able to access servers that held customers critical credit card and other payment data... Zappos... was recommending that customers change their passwords including on any other website where they use the same or similar password..."
Jan 17, 2012 - "... Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident..."
(Yet -another- hAcK...) T-Mobile USA hacked
17 January 2012
Edited by AplusWebMaster, 17 January 2012 - 09:12 PM.
Posted 17 January 2012 - 04:04 PM
Zeus variant - Gameover...
January 17, 2012 - "A recent FBI warning* on the Zeus variant called Gameover reveals that high detection accuracy of fraudulent transactions is not enough to prevent cybercrime. This new attack is specifically designed to circumvent post transaction fraud prevention measures... Some Post-Transaction Attacks are not targeted at the bank but rather at the user. One example uses SpyEye to execute man in the browser (MitB) attacks that hide confirmation emails in web email services or fraudulent transactions on the online banking site... these attacks can bring the entire fraud assessment process to a grinding halt..."
(More detail at the trusteer URL above.)
"... The SPAM campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication. After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found)..."
Posted 18 January 2012 - 06:35 AM
Jan 17, 2012 - "... on January 18, 2012, dozens of popular websites covering a diverse range of subjects will be blacking out their home pages in protest of the U.S. Stop Online Piracy Act (SOPA). Some of these websites are well-known... While we cannot be certain exactly what sort of scams may appear, keep in mind that the websites listed above will resume normal activity around their announced times. It is unlikely they will resume much earlier, and some may even be slightly delayed in returning to normal activity. If you see any pronouncements about sites returning to operation early or an option to bypass the blackout by visiting a new web site, ignore them and wait for the site to return at its preannounced time: The “new” site being promoted may have far more malicious actions in mind than pictures of kittens, discussions about ents, bacon and narwhals or jokes about arrows to the knee..."
Edited by AplusWebMaster, 18 January 2012 - 06:59 AM.
Posted 19 January 2012 - 06:09 AM
Malicious SPAM scam "Re: Scan from a Xerox..."
18 Jan 2012 - "... malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned – this time, with a new face! Instead of making you attach a .zip file, as it did in the past, it now prompts you to click a download link - DON'T... This redirects the link to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit (which contains a highly obfuscated script ) site is also loaded... Successful exploitation executes a shellcode that triggers the download and execution of malware... there is an administration option for this kit to use underground audio and video scanners for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live... detected more than 3,000 messages in this campaign..."
Posted 20 January 2012 - 08:38 AM
SPAM phish leads to malware...
"... The City of Seattle does not have its own Department of Motor Vehicles nor does the Seattle Police Department send email notifications of a traffic violations..."
Search for "QuickTime" Leads to Phishing Site...
19 Jan 2012 - "... if you were to search for the term "QuickTime" today, the 31st resulting entry would lead to a typosquatted URL, which pulls content from a phishing URL... Clicking this Google search entry sends you to a fake QuickTime download site... The "Download Now" button doesn't take you to the download page for QuickTime software. It directs you to a phishing site instead. This alleged music download site phishes your credit card information on the membership fee payment page. Be aware of the risks of using your credit card on random websites to avoid such phishing attacks."
Edited by AplusWebMaster, 20 January 2012 - 08:10 PM.
Posted 22 January 2012 - 04:02 AM
Tax SPAM season...
Jan 21, 2012 - "... beginning of tax season in the US, and just right in time for it are the -cybercriminals- who are already taking advantage and using tax-related messages as a social engineering lure. We’ve recently spotted samples of spammed messages posing as a notice from Fidelity Investments, a well-known American financial institution. The email*, which is in a newsletter-format, contains the subject “Your statement is ready for your review“... The attachment, however, is a .ZIP file containing an executable file, which was found to be malicious. Trend Micro detects it as TSPY_ZBOT.TYR. Users should watch out for such spam campaigns, specially with the tax season already ongoing. We saw attacks similar this one during the tax season last year, so it’s almost a given we’ll see more of it again this time around..."
Posted 24 January 2012 - 07:45 AM
Top 50 Bad Hosts... Q4 2011
24 January 2012 - "There is one common denominator in cybercrime – it is hosted, served, or trafficked by some host or network operator somewhere. It could be assumed that such a succinct, yet true, statement should yield, in return, an equally concise solution. In fact, it provides only a place to start... The aim is to encourage service providers to "clean up" and to be proactive in stopping the cybercriminal activities found on their servers... Some things have changed since our early reports. There is now more cooperation between the security industry, law enforcement and service providers and some pleasing results against some of the worst activities found on the net. Sadly, some things have -not- changed. Cybercriminals are still too easily making financial gain from the lax procedures by service providers, security vulnerabilities of organizations large or small and Internet users’ lack of awareness. 2011 showcased some data breaches of truly epic proportions with the year ending in the same vein in which it began..."
(Full report links @ the hostexploit URL above.)
Posted 25 January 2012 - 05:36 AM
Typosquatting back in use... 7,000+ sites
22 Jan 2012 - "... Typosquatting of social web sites that lead visitors to spam survey sites with a high Alexa ranking. With our on-going research, we discovered that cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to social web, but also include popular and frequently-visited registered typosquatting domains in all areas ranging from Google to Victoria's Secret, or Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site... discovered over 7,000 typosquatting sites within this single network... These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site... After visitors complete the spam survey, they are then taken to spam advertisement distributed sites where spam advertisements are displayed... An example of such advertisment is a free movie downloader... Currently, these spam advertisements are not -spreading- maliciously..."
23 Jan 2012 - "... unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised... The fake AdSense show_ads.js links to a typo-squatted URL where the whois record shows that it's clearly -not- a site owned by Google Inc... Notice the details*..."
Posted 26 January 2012 - 05:37 AM
Top 10 web security threats...
2012.01.25 - "The compromised website is still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner, says security firm AVG*. Another 10.6 percent are tricked into downloading exploit code - many times, without their knowledge - by clicking on links on pages to sites hosting malware. The Chelmsford, Mass. company announced its findings as part of a broader study of threats detected by its software... AVG warns that the security issues plaguing desktops are migrating to mobile devices..."
Posted 26 January 2012 - 10:34 AM
MS12-004 exploit in-the-wild
Last revised: 02/01/2012
CVSS v2 Base Score: 9.3 (HIGH)
MS12-004 - Critical || Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Updated: Wednesday, January 11, 2012
Updated: Jan 27 2012
"... Reports indicate this issue is actively being exploited in the wild."
30 January 2012
Jan 31, 2012
Edited by AplusWebMaster, 01 February 2012 - 04:58 AM.
Posted 29 January 2012 - 03:30 PM
Cybercriminals moving from TLD .ru to .su
Jan 29, 2012 - "... The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD.ru had by setting up new terms and conditions for domain name registration of .ru domains... .su is (... was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (... operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su ... If you don’t see any legit .su domains being hit/used in your company just simply -block- it."
Thanks for the link go to:
Jan 29, 2012
Edited by AplusWebMaster, 29 January 2012 - 03:34 PM.
Posted 30 January 2012 - 11:56 PM
* Update 2012/02/06: After obtaining access to logs and PHP files from compromised Web servers, further analysis indicates that most of the compromised Web sites were running older versions of WordPress, but they were not all running 3.2.1. The attackers’ exact point of entry is uncertain. At first, we suspected vulnerable WordPress plugins, because a subset of analyzed sites were running vulnerable versions of the same WordPress plugins. Now that we have access to data from several compromised Web servers, the logs show us that, in some cases, the point of entry was compromised FTP credentials. In several instances, once attackers had access, they scanned WordPress directories and injected specific files (e.g., index.php and wp-blog-header.php) with malicious PHP code.
WordPress exploit in-the-wild for v3.2.1 sites ...
30 Jan 2012 - "... site was compromised because it was running an old version of Wordpress (3.2.1) that is vulnerable to publicly available exploits... more interesting is the redirection chain and resulting exploit site... From our analysis the number of infections is growing steadily (100+)... The Java exploit being served is CVE-2011-3544* (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits... regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt -any- other exploit... Websense... has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:
> Running WordPress 3.2.1
> Force a drive by download via iframe to the same malicious set of domains hosting a PHP Web page in the form of:
[subdomain] .osa .pl/showthread.php?t=.*
> Attempt exploitation using CVE-2011-3544
If exploitation is successful, ( the Tdss rootkit will be installed ) on the user's machine.
If you're running WordPress 3.2.1, we recommend that:
You upgrade to the latest stable version of WordPress**.
Check the source code of all your Web pages to see if you've been infected (see the code above). If you have been infected, be sure to upgrade WordPress while simultaneously removing the injected code so that your Web pages aren't simply being reinfected after being cleaned.
January 3, 2012 - "The latest stable release of WordPress (Version 3.3.1) is available..."
Massive Compromise of WordPress-based sites...
Jan 30, 2012 - "... hundreds of websites, based on WordPress 3.2.1... The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit... logs show that users from at least -400- compromised sites were -redirected- to Phoenix exploit pages..."
Last revised: 01/27/2012
"... vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier..."
CVSS v2 Base Score: 10.0 (HIGH)
Latest Java versions available here:
JRE 6u30: http://www.oracle.co...ad-1377142.html
JRE 7u2: http://www.oracle.co...ad-1377135.html
File name: file-3486436_jar
Detection ratio: 12/41
Analysis date: 2012-01-31
File name: 39301c3e4ae8ed0e4faf0c3c18cf54a0
Detection ratio: 10/43
Analysis date: 2012-01-30
File name: oleda0.027112496150291654.exe
Detection ratio: 9/43
Analysis date: 2012-01-28
Edited by AplusWebMaster, 07 February 2012 - 08:05 AM.
Posted 01 February 2012 - 04:08 AM
Malware redirects bank phone calls to Attackers
Feb 01, 2012 - "... some new Ice IX configurations that are targeting online banking customers in the UK and US. Ice IX is a modified variant of the ZeuS financial malware platform. In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog*) that approve the transactions. In one attack captured by Trusteer researchers, at login the malware steals the victim’s user id and password, memorable information/secret question answer, date of birth and account balance. Next, the victim is asked to update their phone numbers of record (home, mobile and work) and select the name of their service provider from a drop-down list. In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky... To enable the attacker to modify the victim’s phone service settings, the victim is then asked by the malware to submit their telephone account number. This is very private data typically only known to the phone subscriber and the phone company. It is used by the phone company to verify the identity of the subscriber and authorize sensitive account modifications such as call forwarding. The fraudsters justify this request by stating this information is required as a part of verification process caused by "a malfunction of the bank’s anti-fraud system with its landline phone service provider"... As we discussed in a recent blog**, fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user..."
Feb 01, 2012
Edited by AplusWebMaster, 03 February 2012 - 11:08 AM.
Posted 05 February 2012 - 04:19 PM
Facebook malware scam ...
Feb 3, 2012 - "... worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia... If you visit the link mentioned in the status update, you are taken to a -fake- CNN news webpage which claims to contain video footage of conflict... clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash... Of course, it's not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website. The malware - which Sophos is adding detection for as Troj/Rootkit-KK - drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J..."
"... Part of this site was listed for suspicious activity 436 time(s) over the past 90 days... Of the 102194 pages we tested on the site over the past 90 days, 172 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-07, and the last time suspicious content was found on this site was on 2012-02-07... Malicious software includes 76 trojan(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine. Malicious software is hosted on 147 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 74 network(s) including AS32934 (FACEBOOK), AS209 (QWEST), AS2914 (NTT).... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 31 site(s)... It infected 6 domain(s)..."
"... over the past 90 days, 151 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-02-07, and the last time suspicious content was found was on 2012-02-07... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 29 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s)... that infected 6 other site(s)..."
Edited by AplusWebMaster, 07 February 2012 - 04:28 PM.
Posted 07 February 2012 - 04:04 PM
Mobile malware from German svr... 1,351 sites
Feb 7, 2012 - "... recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform). The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals. We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:
Android Market apps
Opera Mini/ Phone Optimizer apps
Pornographic apps (sites were unavailable during time of checking)
App storage sites
Others (sites that were inaccessible during time of checking)...
... the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites. The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A... the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets... Among all the categories mentioned, most of sites promoted Opera Mini updates and Photo Optimizer Apps compared with others.. the attackers are not necessarily targeting only one platform... we also saw that cybercriminals use different social engineering lures. Also, despite the emergence and prevalence of platforms such as Android and iOS, the Symbian platform still seems to be targeted as well..."
Posted 08 February 2012 - 08:43 AM
Malware -redirects- to enormousw1illa .com
2012-02-08 - "Site is listed as suspicious... the last time suspicious content was found on this site was on 2012-02-08. Malicious software includes 8 trojan(s). This site was hosted on 2 network(s) including AS48691* (SPECIALIST), AS17937 (NDMC)... Over the past 90 days, enormousw1illa .com appeared to function as an intermediary for the infection of 177 site(s)... this site has hosted malicious software over the past 90 days. It infected 1090 domain(s)..."
Feb 2, 2012 - "... seeing a large number of sites compromised with a conditional redirection to the domain http ://enormousw1illa .com/ (184.108.40.206). On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get -redirected- to that malicious domain (http ://enormousw1illa com/nl-in .php?nnn=556)... this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past**, so we think it is all done by the same group..."
Edited by AplusWebMaster, 08 February 2012 - 08:44 AM.
Posted 08 February 2012 - 10:05 AM
Free Microsoft Points? Game Over ...
Feb 8, 2012 - "There’s an Xbox code generator floating around on Youtube and other sites right now, and a pretty popular one at that. How popular?... 20,000+ views so far. The program promises all sorts of Xbox freebies – 1 month of Xbox Live, 12 months if you’re feeling particularly greedy and 1600 to 4000 free Microsoft points*. Of course, everything goes without a hitch in the Youtube video: we see the program boot up, the user selects his target – 1600 MS points – and hits the “Generate Code” button. After a short while, we see a “Hooray, it worked” type message and the person in the video is presented with a code.... [and]... Another survey. Does the creator of this program expect you to fill in a survey / sign up to a ringtone service not once but twice? Absolutely. Is it worth downloading this program, filling in some of those offers and trying it out? Absolutely - not."
"... currency of the Xbox Live Marketplace, Games for Windows - Live Marketplace, Windows Live Gallery, and Zune online stores..."
Posted 08 February 2012 - 01:22 PM
Cybercrime "factory outlets" – fraudsters selling bulk Facebook, Twitter and Web Site Admin credentials
Feb 08, 2012 - "... discovered two cybercrime rings that are advertising what we refer to as a “Factory Outlet” of login credentials for different web sites including Facebook, Twitter and a leading website administration software called cPanel. Financial malware, like Zeus, SpyEye and others, once it infects a machine, is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other web sites and web applications. To monetize the login credentials that pile up, fraudsters have started setting up “Factory Outlets” to sell them off... cybercriminals are offering to sell login credentials to social network sites such as Facebook and Twitter belonging to users all over the world. These can be purchased in bulk, from specific countries (e.g. USA, UK, and Germany) and even coupled with additional personal information such as email addresses... the fraudsters claim that they have 80GB of stolen data from victims. In another so called “Credential Factory Outlet Sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain web sites. Specifically, the advertiser is offering cPanel credentials..."
(More detail at the trusteer URL above.)
Know your enemies Online (graphic)
How web threats spread (graphic)
Source: Sophos Security Threat Report
Edited by AplusWebMaster, 08 February 2012 - 04:22 PM.
Posted 09 February 2012 - 09:12 AM
Top 10 threats for January 2012
Feb 08, 2012 - "... Report for January 2012, a collection of the 10 most prevalent threat detections encountered during the month. Last month saw malware attacks targeting a wide range of potential victims, including gamers looking for a Pro Evolution Soccer 2012 game crack, small business owners concerned about the reputation of their business, and government organizations receiving spoofed messages from the United States Computer Emergency Readiness Team (US-CERT)... malware writers installing rootkits on the systems of gamers who were looking for a pirated release of Pro Evolution Soccer 2012... scammers also latched onto the buzz surrounding the upcoming fourth installment of the Halo® video game series... by offering bogus beta invites in return for filling out surveys and recommending links on Facebook and Google+. These attacks leverage the popularity of these titles among the gaming community and are meant to take advantage of the mistakes some users might make when acting out of excitement about a favorite game franchise... phishing emails posing as notices from the Better Business Bureau, claiming that a customer had filed a complaint against the recipient. The messages contained links to malware created using the Blackhole exploit kit. Government body US-CERT served as another disguise for cybercriminals attempting to bait unwitting victims into opening a file that contained a variant of the Zeus/Zbot Trojan. Meanwhile, Tumblr users were baited with “free Southwest Airlines tickets” in exchange for taking surveys and submitting personal information by a phony “Tumblr Staff Blog.” Malware writers and internet scammers also sought to attack a wider cross-section of the population when opportunities presented themselves to creatively piggyback on hot news topics and highly trafficked websites. This past month, the shutdown of popular file hosting website Megaupload led to a domain typo scam targeting both the regular users of the website as well as visitors who were interested in seeing the FBI notice posted on the site. Once the victims reached the misspelled URL, they were -redirected- to various sites promising fake prizes and asking for personal information..."
(See "Top 10 Threat Detections for January" list at the gfi URL above.)
Posted 13 February 2012 - 08:30 AM
Bad news brings SCAMS ...
Feb 13, 2012 - "... cybercriminals are naturally out there taking advantage of this unfortunate incident... A fake video was seen spreading via the social networking site Facebook was found... which have the subject “I Cried watching this video. RIP Whitney Houston“, come in the form of a wall post with a link to the supposed video. Once users click on the video, it leads them to a Facebook page that contains a link to the video. However, clicking the said link only leads to several other redirections until users are lead to the usual survey scam site... we also found -101- more survey scam domains registered on the same IP where the domains are hosted.... also found tweets with malicious links that also took advantage of the tag RIP Whitney Houston, which was trending worldwide on Twitter... tweets contain a link to a particular blog dedicated to Whitney Houston. Users viewing this page are then -redirected- to another web site, even without them having to click on anything. The succeeding page is a site that supposedly features several Whitney Houston wallpapers, which users can download. Once users decide to download a wallpaper, a pop up window appear that asks users to donwload some “Whitney Houston ringtones”. Whatever users choose... they will be -redirected- to the a survey site that asks for mobile numbers... Using newsworthy events... is a common bait of cybercriminals to lure users into their schemes... always be cautious before clicking any -news- items in their Facebook or Twitter feeds..."
(Screenshots available at the trendmicro URL above.)
Posted 13 February 2012 - 05:07 PM
Greyware fog ...
Feb 13, 2012 - "... it was more than a little bit surprising when we observed downloads from Download.com behaving like spyware... Download.com had begun delivering freeware downloads in a wrapper that enticed users to click during the install in order to receive special offers and deals... When a user clicked on this option, the application took several steps that lowered the security of the user’s system, such as making changes to the security settings in the browser, changing proxy settings and also installed a service that leaked user information over HTTP POSTs. As it turns out, Download.com was under new management and had then intentionally developed this wrapper with those functions as a method to collect shopping data from their users. This led to a miniature scandal as antivirus vendors began rightly classifying the code as spyware, and Download.com then quickly reversed course. However, this is an example of a very broad problem... there are tons of applications and code out there that are not overtly malicious, yet do very spyware-like things without the user’s knowledge. Changes to security settings, browser settings, listening on backdoor ports, changing personal firewall settings. This is dangerous because it is -unlikely- that this type of behavior is going to be flagged as malicious, and yet it is materially reducing the security posture of the client machine. These things don’t compromise the host directly, but it certainly softens up the target for more malicious code or attackers... we will need to the ability to quickly determine which sorts of downloads and applets are safe for users to download in just the same way we are safely enabling applications today, applications such as webmail, SharePoint and other collaborative apps. Anything that affects the security posture of the client or the network needs to be seen by IT, and IT needs the policies in place that clearly define what sorts of behavior are allowed and which are not. The lesson here is that until we gain a credible level of control here in the grey end of the spectrum, we are simply trusting the Internet to provide reasonably safe code that doesn’t endanger users..."
Posted 20 February 2012 - 08:49 AM
Fake AICPA e-mail - Blackholes and Rootkits ...
Feb 20, 2012 - "Be wary of emails claiming to be from AICPA – as per their alert here*, these are not real and any mention of “unlawful tax return fraud” is just a bait to convince the end-user to open up a malicious attachment (in this case, a .doc file** although there are rogue PDF files in circulation too). As with many of the malicious spam campaigns doing the rounds at the moment, this one will use the Blackhole exploit kit to serve up zbot from multiple compromised domains. Worse, a Sakura kit (typical example here***) will download Sirefef / ZeroAccess , which as we’ve seen elsewhere**** is not a good thing to have on your system. One of the more unpleasant spam campaigns we’ve seen recently."
Feb 17, 2012
Posted 21 February 2012 - 05:46 AM
ASERT Security Intelligence: Threat Briefings
- http://atlas.arbor.net/briefs/ - 2012.02.21
"Summary: A variety of security patches are released for Cisco NX-OS, Adobe Flash Player, and Java. Such third party software is often the vector used by attackers to compromise systems and install malware. Database systems are also compromised and recent data leaks point to the importance of protecting databases with basic security measures and encryption... The threat of a DNS attack on March 31st* may not be as deadly as it seems, and the trend of users bringing their own devices to work can pose grave risks to security."
Posted 22 February 2012 - 10:50 AM
TL;DR: ICS ASLR = FUBAR ...
22 Feb 2012 - "Jon Oberheid has found the ASLR (Address Space Layout Randomisation) in Google's Android 4, Ice Cream Sandwich (ICS), somewhat wanting. In a detailed posting on the Duo Security blog*, one commenter eloquently concluded that "TL;DR: ICS ASLR = FUBAR". Specifically, he found that the lack of randomisation in executable and linker memory regions meant that it would be "largely ineffective for mitigating real-world attacks"... The Android Security Team responded to Oberheid's posting noting that they will, in 4.0.3, randomise the heap and future Android releases will randomise the linker and executable mappings."
Posted 23 February 2012 - 08:42 AM
McAfee Q4 Threats Report...
Feb 21, 2012 - "... The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The -cumulative- number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with -Android- firmly fixed as the largest target for writers of mobile malware. Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.
Web Threats: In the third quarter McAfee Labs recorded an average of 6,500 -new- bad sites per day; this figure shot up to -9,300- sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were -malicious-. This brings the total of active malicious URLs to more than 700,000..."
Posted 25 February 2012 - 01:43 PM
Mac Trojan spreading in-the-wild...
Exploits Java vulns and packs fake certificate
24 Feb 2012 - "... a new variant of a Mac-specific password-snatching Trojan horse is spreading in the wild. Flashback-G initially attempts to install itself via one of two Java vulnerabilities. Failing that, the malicious applet displays a self-signed certificate (claiming to be from Apple) in the hope users just install the malware. Once snugly in place, the malware attempts to capture the login credentials users enter on bank websites, PayPal, and many others. OS X Lion did not come with Java preinstalled, but Snow Leopard does, so users of Mac's latest OS are more at risk of attack. Mac security specialist Intego warns that the variant is infecting Mac users and spreading in the wild. Symptoms of infection can include the crashing of browsers and web applications, such as Safari and Skype. Intego, which has added detection for the malware, has a write-up* of the attack with a screenshot of the self-signed certificate used by the malware in action..."
"... essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available... Macs are (also) getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple... If you see this, don’t trust it, and cancel the process..."
24 Feb 2012 - "... If an up-to-date version of Java is in use, to become infected the user has to approve a certificate clearly marked as not trusted..."
Edited by AplusWebMaster, 25 February 2012 - 03:01 PM.
Posted 28 February 2012 - 04:42 PM
“Chat-in-the-Middle” phishing attack fraud...
Posted 29 February 2012 - 10:01 AM
Cybercriminals target phones - Android 'most exposed'
Feb 28, 2012 AFP - "Cybercriminals are sneaking a fast-increasing amount of malware into smartphones to steal data or even money, with those running on Google's Android most exposed to security threats, analysts said... Anyone can create or install an application on an Android phone... as opposed to the Apple controlled Appstore which imposes a layer of screening... Trend Micro surveyed independent analysts about security features on the four main mobile operating systems - Apple's iOS, RIM's BlackBerry, Microsoft's Windows and Google's Android - and found that Blackberry was ranked most secure and Android the least. BlackBerry benefitted from the fact that it was originally designed more as a platform than a device, while iOS, ranked second most secure, was tightly controlled by Apple... Technology company Juniper Networks compiled a "record number of mobile malware attacks" in 2011, particularly on Android phones. In 2010, just 11,138 mobile malware samples were recorded, but they soared 155 percent to 28,472 in 2011, the company said. Just under half - 46.7 percent - occurred on Android phones, said Juniper, whose study did -not- look into Apple breaches... Some criminals are hiding "malicious code in legitimate applications" that consumers are downloading unwittingly. Once they have gained access to data on the phone, they are stealing information that could be used in identity theft or in illegal transactions. A further incentive for cybercriminals to breach smartphone security is that unlike computers, each phone "has a direct link to money" through the SIM card... Criminals are able, for instance, to implant so-called trojan horses that prompt phones to send SMSes to premium numbers..."
Posted 01 March 2012 - 09:13 AM
Olympic phishing messages...
01 Mar 2012 - "... Websense... detected and tracked a significant number of these kinds of Olympic phishing messages whose goal is to entice users to submit their personal information... the well-known "National Lottery"-type scam, where the targeted users are tricked into believing they are winners of some sort of local lottery... Once the user opens the Microsoft Word document, the sender informs the user that he or she is the lucky "winner" of £200,00.00 GBP, and then requests that the user provide personal information, such as full name, address, nationality, occupation, and mobile number to help process the claim... Although this email attachment is not malicious, it is clear that the sender has some other questionable activity in mind by asking for and collecting personal information. This could range from email spam using the victim's email address and mobile phone number to other rogue promotional messages that could potentially have web links leading to malicious websites. Threats like these Olympics scams are also known as advanced-fee fraud in which victims are asked to contact a claims agent. They may then be asked to pay "processing fees" to receive their money, which never happens... This is also a good way to collect, with social engineering techniques, mobile phone numbers and to start other kinds of fraudulent activities like asking for details about mobile banking accounts..."
Posted 01 March 2012 - 12:17 PM
Employees disabling security controls
29 Feb 2012 - "Corporate mobile devices and the bring-your-own-device (BYOD) phenomenon are rapidly circumventing enterprise security and policies, say the results of a new global study sponsored by Websense... 77 percent of more than 4,000 respondents in 12 countries agree that the use of mobile devices in the workplace is important to achieving business objectives, but only 39 percent have the necessary security controls to address the risk their use entails. According to a previous Ponemon Institute survey, IT respondents said 63 percent of breaches occurred as a result of mobile devices, and only 28 percent said employee desktop computers were the cause. This latest research shows that organizations often don't know how and what data is leaving their networks through non-secure mobile devices, and that traditional static security solutions are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders... More than 4,600 IT and IT security practitioners in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Italy, Mexico, Singapore, United Kingdom, and the United States were surveyed. With an average of 10 years' experience in the field, fifty-four percent are supervisors (or above) and 42 percent are from organizations with more than 5,000 employees. This survey defines mobile devices as laptops, USB drives, smartphones, and tablets."
Posted 03 March 2012 - 08:08 AM
US SEC SPAM leads to exploit and stealer
March 2, 2012 - "... received an email** in his GMail inbox that purports to originate from the U.S. Securities and Exchange Commission (SEC)... Clicking the link leads users to ftp(dot)psimpresores(dot)com(dot)ar/QH1r1tTd/index(dot)html, which then -redirects- them to trucktumble(dot)com/search(dot)php?page=d44175c6da768b70... This page contains a Blackhole exploit kit that targets the following vulnerabilities:
CVE-2010-0188, an old Adobe Reader and Acrobat vulnerability (patch already available)
CVE-2010-1885, an old Microsoft Windows Help and Support vulnerability (patch already available)
Based on the deobfuscated script, this exploit can also target other vulnerabilities on Java, Adobe Flash, and Windows Media Player. Once vulnerabilities of these software were successfully exploited, users are then led to the website, trucktumble(dot)com/content/ap2(dot)php?f=e0c3a, where the file about.exe can be downloaded... about.exe was found to be a variant of ZBOT, that infamous information stealer, and we detect it as Win32.Malware!Drop. Only 12 AV vendors* detect the variant as of this writing..."
File name: about.vxe
Detection ratio: 12/43
Analysis date: 2012-03-02 05:19:43 UTC
Posted 04 March 2012 - 10:49 AM
Verizon Investigative Response Caseload Review
Feb 29, 2012 - "Verizon -2011- Investigative Response (IR) Caseload Review* is a preview of their pending larger Data Breach Investigations Report (DBIR).
Analysis: This report indicates that outside attacks towards servers comprise the largest source of data breach incidents. Financial gain continues to be a motive, however increasing amounts of hacktivism accelerates data breach trends. System penetration and malware are the highest threats, with default and weak passwords and backdoor tools being the highest vectors. 90% of organizations were alerted by an outside organization, pointing to the fact that internal monitoring systems, if used, were not as useful. Encryption can help reduce the pain of a data breach incident, but much sensitive data is not properly encrypted."
(Info below from linked PDF report at URL above - pg. 5)
Top 10 threat action varieties by number of breaches
Hacking - Exploitation of default or guessable credentials - 29%
Malware - Backdoor (allows remote access / control) - 26%
Hacking - Use of stolen login credentials - 24%
Hacking - Exploitation of backdoor or command and control channel - 23%
Malware - Keylogger / Form-grabber / Spyware (capture data from user activity) - 18%
Malware - Send data to external site / entity - 17%
Malware - System / network utilities (PsTools, Netcat) - 14%
Hacking - SQL Injection - 13%
Malware - Capture data resident on system (e.g., cache, disk) - 9%
Malware - Download / install additional malware or updates - 9% ...
"... Among servers involved in breaches in our 2011 cases, point-of-sale servers, web/application servers, and database servers led the pack. Desktops, laptops, and point-of-sale terminals comprised the bulk of compromised end-user devices.
With respect to the data stolen from these assets, criminals got away with a mixed bag. Payment cards, personal information, and authentication credentials were most often compromised, but other types of sensitive organizational data, trade secrets, and copyrighted information were taken..."
Posted 05 March 2012 - 06:49 PM
Flashback Mac -malware- using Twitter as C&C center
Mar 5, 2012 - "... Flashback... uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags aren’t as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego’s malware research team cracked the 128-bit RC4 encryption used for Flashback’s code and discovered the keys to this system. The hashtags are made up of twelve characters. There are four characters for the day, four characters for the month, and four characters for the year... In addition, in order to ensure that people checking logs don’t spot the malware, it uses a number of different user agents... It’s worth noting that the people behind the Flashback malware most likely to not send commands every day, and certainly delete their tweets, as Intego has found no past tweets in its searches. However, the malware clearly sends these HTTP requests, looking for such tweets..."
Posted 08 March 2012 - 02:52 PM
Mar 8, 2012 - "Ransomware attacks are growing in popularity these days. French users were a recent target of an attack that impersonated the Gendarmerie nationale. A few months ago, Japanese users were also hit by ransomware in a one-click billing fraud scheme targeted for Android smartphones... the more recent ransomware variants appear to be targeting other European countries. They are disguised as notifications from country-specific law enforcement agencies such as eCops of Belgium and Bundespolizei of Germany... a majority of the top eight countries infected with ransomware are from Europe:
... While ransomware are also being distributed through affiliate networks like FAKEAVs, these attacks operate using payments outside of traditional credit card payments, specifically via Ukash and Paysafecard vouchers. Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business... based on feedback taken from the past 30 days."
March 9, 2012 - "... reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police..."
Police Themed Ransomware continues
April 4, 2012 - "Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer... easiest way to manually disable it is as follows:
1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but lets not get started on that…).
5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.
6 – Reboot the computer.
After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.
The steps may vary slightly depending on the variant... Microsoft provides information in their description*.
Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions."
Edited by AplusWebMaster, 07 April 2012 - 05:54 AM.
Posted 12 March 2012 - 10:35 AM
Bogus prescription drug trade...
Mar 12, 2012 - "Half of all “rogue” online pharmacies - sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars... but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript*, a verification and monitoring service for online pharmacies... Anti-spam and registrar watchdog Knujon (“nojunk” spelled backwards) also released a report (PDF**) on rogue Internet pharmacies today, calling attention to Internet.bs, AB Systems and a host of other registrars with large volumes of pharma sites..."
Posted 13 March 2012 - 12:57 PM
Mobile phones - weak link in Online Bank Fraud scheme
March 13, 2012 - "... two online banking fraud schemes designed to defeat one time password (OTP) authorization systems used by many banks... in these -new- scams the criminals are stealing the actual mobile device SIM (subscriber identity module) card...
> In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they login to their online banking application. The bank is using a OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device...
> The second attack combines online and physical fraud to achieve the same goal. We discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc. Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen. The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets. The SIM card reported as lost or stolen is -deactivated- by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster authorize the fraudulent transactions he/she executes...
Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them. The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves."
15 March 2012
Edited by AplusWebMaster, 15 March 2012 - 08:55 AM.
Posted 14 March 2012 - 02:04 PM
Unsolicited support calls - iYogi ...
March 14, 2012 - "The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast's customer support. A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support... Unfortunately, Avast is not the only security and antivirus firm that has outsourced its support to this company. iYogi also is the support service for AVG, probably Avast’s closest competitor."
Mar 12, 2012 - "... we -never- phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either..."
Unsolicited support calls
... About 7,230,000 results...
Avast Antivirus drops iYogi support
March 15, 2012
March 15, 2012 - "... we have removed the iYogi support service from our website and shortly it will be removed from our products... users can receive support via the other support options provided on our website. We will also work to ensure that any users that feel they have been misled into purchasing a premium support receive a full refund..."
Edited by AplusWebMaster, 15 March 2012 - 06:22 PM.
Posted 15 March 2012 - 03:49 PM
Brute force attacks - WordPress sites...
Mar 15, 2012 - "... Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and -never- changes it... There is a technique known as brute-force attack... access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..)... the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware... in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:
220.127.116.11 – 32 attempts
18.104.22.168 – 47 attempts
22.214.171.124 – 211 attempts
126.96.36.199 – 39 attempts
188.8.131.52 – 105 attempts
184.108.40.206 – 40 attempts
And many more IP addresses. We will adding all of them to our IP blacklist* and Global Malware view**..."
WordPress Page is Loading... an Exploit
March 15, 2012 - "... Spam appears to be the driver of these campaigns. Various websites have already been identified to be redirecting to Blackhole exploit kit... Currently, these sites redirect to the following domains that host Blackhole exploit kit:
• themeparkoupons.net ..."
Edited by AplusWebMaster, 16 March 2012 - 08:42 AM.
Posted 16 March 2012 - 09:42 AM
iPhone malware - CrossTalk ...
Tue, 13 Mar 2012 18:54:02 +0000
Those tasked with the defense of smartphones could benefit from this detailed document.
Attempts to Spread Mobile Malware in Tweets ...
Tue, 13 Mar 2012 18:54:02 +0000
Yet more attempts to spread mobile malware are being seen, this time Twitter is the spreading platform of choice.
Android Malware Stealing Online Banking Credentials
Friday, March 16, 2012 01:36
... Android malware continues with multi-factor financial credential theft and remote update capabilities.
Analysis: As mobile devices proliferate, cybercrime goes where the money is. While the style of this attack is not new, extra capabilities are being seen and it is likely just a matter of time before very sophisticated malware targeted towards mobile devices becomes a larger problem. Additionally, malware awareness and safe browsing on handhelds may not be as common as on dekstop or notebook systems in enterprises with security policies. If mobile devices are not yet part of the organizational security policy, such threats may quicken this change.
Edited by AplusWebMaster, 17 March 2012 - 08:16 PM.
Posted 17 March 2012 - 07:38 PM
Fake Linkedin e-mails lead To Cridex
March 16, 2012 - "... there are fake Linkedin invitation reminders in circulation sending users to a BlackHole exploit which attempts to drop Cridex* onto the PC. Cridex is a rather nasty piece of work that does everything from target banks and social networking accounts to a little bit of CAPTCHA cracking... This particular run shares the IP address 41(dot)64(dot)21(dot)71 with various BBB and Intuit spam runs from recent weeks. If in doubt, go directly to Linkedin and check your invites from there."
March 1, 2012
Edited by AplusWebMaster, 19 March 2012 - 06:01 AM.
Posted 20 March 2012 - 01:00 AM
Millions of harvested US gov't and military email addresses ...
March 19, 2012 22:10
"While the sale of email addresses is nothing new, the sale of millions of US government and military e-mail addresses could bring increased attacks.
Analysis: As e-mail is a typical delivery vector for Advanced Persistent Threat and other targeted attacks, it is possible that e-mail attacks on the US government and military may increase as a result. Already, "spear phishing" techniques involving trickery and sometimes 0-day exploits are finding many victims, and this trend is likely to increase."
"... U.S. government and U.S military users whose emails have been exposed are advised to be extra vigilant for potential targeted malware attacks enticing them into downloading and executing a malicious attachment, or attempting to trick them into clicking on a client-side exploits serving link found in the emails."
Posted 22 March 2012 - 08:45 AM
2012 Data Breach Investigations Report - Verizon
March 22, 2012 - "... The report combines data from 855 incidents that involved more than 174 million compromised records, an explosion of data loss compared to last year’s 4 million records stolen. The increase is due largely to the massive breaches perpetrated by activists... Most breaches Verizon tracked were opportunistic intrusions rather than targeted ones, occurring simply because the victim had an easily exploitable weakness rather than because they were specifically chosen by the attacker. And, as with previous years, most breaches — 96 percent — were not difficult to accomplish, suggesting they would have been avoidable if companies had implemented basic security measures. Verizon noticed a difference between how large and small organizations are breached. Smaller organizations tend to be breached through active hacking, involving vulnerabilities in websites and other systems and brute force attacks. Larger companies are more often breached through social engineering and phishing attacks — sending e-mail to employees to trick them into clicking on malicious attachments and links so that the intruders can install malware that steals employee credentials. Verizon surmises that this is because larger organizations tend to have better perimeter protections, forcing intruders to use human vulnerabilities to breach these networks instead."
March 22, 2012
Edited by AplusWebMaster, 23 March 2012 - 07:30 AM.
Posted 23 March 2012 - 04:35 AM
SPAM - IRS themed e-mails w/malicious attachment
March 22, 2012 - "Cybercriminals are currently spamvertising with IRS themed emails, enticing end -and- corporate users into downloading and viewing a malicious .htm attachment.
More details: Spamvertised subject: Your tax return appeal is declined...
Malicious attachment: IRS_H11832502.htm *
Malicious iFrame URL found in the attachment...
Upon downloading and viewing the malicious attachment, an iFrame tag attempts to load, ultimately serving client-side exploits such as the Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188), and Trusted method chaining remote code execution (CVE-2010-0840)... the malicious iFrame is hosted within a fast-flux botnet, and is therefore currently responding to multiple IPs, in an attempt by cybercriminals to make it harder for security researchers to take it down. End users are advised to ensure that they’re not running outdated versions of their third-party software and browser plugins, as well as to avoid interacting with the malicious emails..."
File name: IRS_U774510.htm0
Detection ratio: 13/43
Analysis date: 2012-03-23 09:17:40 UTC
Posted 25 March 2012 - 02:10 PM
1x1 pixel drive-by-malware...
Last Updated: 2012-03-25 17:04:16 UTC - "Exploit authors sometimes like to be cute... A Java archive called "fun.jar" containing an "evilcode.class" file that runs as an applet of 1x1 pixels size ... well, this can't be anything good. And it indeed isn't. This code snippet was lurking on quite a few web sites over the past days. Sending fun.jar to Virustotal shows* that only 10 of 43 anti-virus tools actually recognize the exploit code, whereas 27/43 recognize the d.exe malware file** that the exploit currently downloads and runs. Evilcode.class exploits the Java Rhino Engine vulnerability (CVE-2011-3544), published back in October 2011 and affecting -all- Java Runtime Engines up to JRE 1.6_27. The exploit still seems to work well enough for the bad guys that they don't see any need to re-tool to newer exploits. In slight modification of Oracle's own words: '
* Latest: https://www.virustot...a2a38/analysis/
File name: kr.jar
Detection ratio: 11/43
Analysis date: 2012-03-26 12:09:54 UTC
** Latest: https://www.virustot...a0cf6/analysis/
File name: 60685cf9afc3e4f95097aa219ecb6da0
Detection ratio: 28/40
Analysis date: 2012-03-27 16:01:57 UTC
- http://web.nvd.nist....d=CVE-2011-3544 - 10.0 (HIGH)
Critical Java hole being exploited on a large scale ...
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Java security vulnerability patched in February is now being used widely by criminals to install malware.
Analysis: Patch! Watch for outdated Java on the network as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attackers bidding, typically downloading something evil.
Edited by AplusWebMaster, 30 March 2012 - 04:46 AM.
Posted 28 March 2012 - 12:51 PM
MacOS X targeted w/MS Office exploit in the wild...
March 27, 2012 - "... The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times that we have seen a malicious Office file used to deliver malware on Mac OS X... An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
> When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file... The C&C server this time is:
- 2012 .slyip .net: 220.127.116.11
18.104.22.168 – 22.214.171.124
Black Oak Computers Inc – New York – 75 Broad Street...
> The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386..). We have also found a version that has paths to debugging symbols... The C&C domain resolves to:
- freetibet2012 .xicp .net: 126.96.36.199
188.8.131.52 – 184.108.40.206
China Unicom Beijing province network...
All the samples we have found have 0/0 rate antivirus detection, it includes the malicious doc files..."
March 29, 2012 - "... These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don’t update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format..."
Edited by AplusWebMaster, 02 April 2012 - 05:43 AM.
Posted 02 April 2012 - 08:33 PM
Blackhole exploits ...
April 2, 2012 - "... an exploit for CVE-2011-0559*, which is one of the two Flash exploits being used by Blackhole currently. Compared to other exploits, this one has been used by Blackhole for quite some time and yet the coverage using different security products is very low**.
With very -low- antivirus coverage, -no- Metasploit module, and PoCs being extremely difficult to find, this increases the chances of exploitation. Blackhole targets to exploit Adobe Flash 10.0 and earlier versions, 10.1, and 10.0.x (where x is later than 40). The vulnerability has been patched since March 2011. Detection has been added to F-Secure Anti-Virus as Exploit:W32/CVE-2011-0559.A..."
* http://web.nvd.nist....d=CVE-2011-0559 - 9.3 (HIGH)
Last revised: 01/27/2012
March 29, 2012 - "... over the past 12-18 months we have seen Blackhole become the most prevalent and notorious of the exploit kits used to infect people with malware..."
Edited by AplusWebMaster, 02 April 2012 - 08:34 PM.
Posted 03 April 2012 - 06:01 AM
Android bot attacks rooted smartphones
3 April 2012 - "Antivirus company NQ Mobile has discovered a variant of the DroidKungFu Android malware called DKFBootKit* that targets users who have rooted their smartphones. The malware piggybacks on apps that would otherwise ask for root privileges anyway – and, once the user has agreed, sets up camp deep in the smartphone's boot sequence and replaces commands such as ifconfig and mount to help ensure it is started early in the boot sequence..."
"... DKFBootKit makes use of the granted root privilege for other malicious purposes, namely comprising the system integrity... the malware itself contains a bot payload that phones home to several remote C&C servers and waits for further commands...
1) Only download applications from trusted sources...
2) Never accept application requests from unknown sources...
3) Be alert for unusual behavior on the part of mobile phones and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device..."
(More detail at the URLs above.)
Apr 04, 2012
... About 29,400,000 results
Edited by AplusWebMaster, 09 April 2012 - 07:46 AM.
Posted 03 April 2012 - 09:31 PM
Credit Card fraud/malware attacks Facebook users
April 03, 2012 - "... new configuration of the Ice IX malware that attacks Facebook users after they have logged in to their account and steals credit card and other personal information... discovered a “marketing” video used by the creators of the malware to demonstrate how the web injection works. The global reach and scale of the Facebook service has made it a favorite target of fraudsters... This latest attack uses a web injection to present a fake web page in the victim’s browser. The form requests the user provide their cardholder name, credit/debit card number, expiry date, CID and billing address. The attackers claim the information is needed to verify the victim’s identity and provide additional security for their Facebook account... This pop up* presents virtually the same message used in the Ice IX configuration our researchers discovered and analyzed. The only difference is the version in the video requests a social security number and date of birth, in addition to the information mentioned earlier... We contacted Facebook to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about their site’s security measures. Here’s a summary of their response:
i) Facebook actively detects known malware on users' devices to provide Facebook users with a self-remediation procedure including the Scan-And-Repair malware scan. To self-enroll in this check point please visit – on.fb.me/AVCheckpoint
ii) Please advise your readers to report to Facebook any spam they find on the Facebook site, and remember Facebook will never ask for your credit card, social security, or any other sensitive information other than your username and password while logging in."
"... Part of this site was listed for suspicious activity 336 time(s) over the past 90 days... Of the 113053 pages we tested on the site over the past 90 days, 186 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-03, and the last time suspicious content was found on this site was on 2012-04-03. Malicious software includes 63 trojan(s), 62 exploit(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine... Malicious software is hosted on 138 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 56 site(s)... It infected 8 domain(s)..."
Edited by AplusWebMaster, 04 April 2012 - 04:31 AM.
3 user(s) are reading this topic
0 members, 3 guests, 0 anonymous users