Security experts at Webroot Software report seeing a new wave of keyloggers (programs that secretly record every character you type), system monitors, and viruses leading up to prime tax filing season. Webroot’s Threat Research Team says that more than 1200 new key-logging programs and 336 versions of system monitoring spyware have been found and defined in the past month alone. Several states warn that con artists have already begun using the highly publicized rebate checks as a ploy to get you to divulge personal financial information.
The increase might be explained by the fact that fewer taxpayers are using old-fashioned paper forms for preparing and submitting their taxes. According to Webroot’s figures, a record 22 million taxpayers filed their taxes from a home computer last year, up 11 percent from the previous year. Scammers know this and figure that your identity is especially vulnerable to theft when you’re filling out your tax documents with a software program or filing them over the Internet.
The federal government expects to issue economic stimulus rebate checks sometime in May or June. IRS refund checks typically arrive within three weeks of the date when you e-file your return. Some fraudulent e-mail messages contain links to fake government Web sites that request your Social Security number and bank account numbers, supposedly so that the IRS can process a rebate check. If you resist disclosing the information, the site informs you that you won’t be able to receive your rebate.
Another tax scam involves e-mail messages that target accountants, businesses, and individuals, notifying them of supposed changes in tax laws. These phishing messages direct the recipient to download “updated” tax documents that reflect the new tax laws. The IRS reports having received numerous complaints from people who have downloaded bogus documents to their computer, only to discover that the documents contained malicious code designed to transfer control over the PC to a third party. A growing number of tax-themed e-mail messages contain links to Web sites (not files for download) that attempt to install malware on the visitor’s PC.
WXYZ, the ABC television affiliate in Detroit, reported that a Michigan woman, Maria Mendoza, lost US$4000 when a crook stole her identity and then visited a local H & R Block office to file a tax return, posing as Mendoza. After submitting the return, the scammer asked to receive her $4000 tax refund on the spot, using a Block service called a Rapid Refund debit card.
Earlier today SophosLabs reported a new scam designed to fool users into viewing a web site where they would be hit with a malicious script that installs a Trojan. Several different spam messages alert users to the supposed shooting of the e-Gold founder, for example:
E-gold founder, Douglas Jackson, 51, of Sheridan, Mont., was 4 times shot
and killed Friday night on the Seventh Street ramp at East Seventh Avenue by off-duty County Deputy Daniel Montana Jr.,
police said. A spokesman for the Jackson’s family told Fox 31 that the autopsy
details show the shots came from 3 to 7 feet away and were fired at a level angle, not from someone lying on the ground. The investigation is ongoing, said DA spokeswoman Pam Russell.
More details at ********.com
A variety of domains have been used in the scam. Browsing to any of the domains redirects to a malicious page on another server. This page contains malicious JavaScript which attempts to install a Trojan on the victim’s computer. This malicious script is pro-actively detected as Mal/ObfJS-B. The Trojan is detected by runtime HIPS protection as HIPS/FileMod-005. Specific detection for the Trojan and the files it installs has been added as Troj/Agent-GUJ in Sophos Antivirus.
This is yet another example of the attackers using a blend of spam and malicious web sites to infect victims. Such cases provide perfect illustrations of the need for quality security solutions, encompassing anti-spam, web content inspection, URL filtering and runtime protection technologies.
A massive IFRAME injection attack, which started last week, is slowly turning into a large-scale web application vulnerabilities audit of high-profile sites. Last week Symantec rated the attack as medium risk, and StopBadware and US-CERT issued warnings about the incident. After another week of monitoring the campaign, the latest malware it drops and the sites it targets, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMEs; whether those IFRAMEs actually load depends entirely on each site’s web application security practices.
The main IPs within the IFRAMEs, acting as redirection points to the newly introduced rogue software and malware, remain the same and are still active. High-profile websites have been successfully injected with IFRAMEs forwarding to the rogue security software and Zlob malware variants. Some of the websites attacked:
USAToday.com, ABCNews.com, News.com, Sears.com, Circuitcity.com, Target.com, Packard Bell.com, Walmart.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu
The number and importance of the affected sites has increased. Google appears to be filtering the search results even though the malicious parties may already have injected the IFRAMEs, in an attempt to undermine the campaign; meanwhile new malware and fake codecs are being introduced under new domain names, along with a couple of newly introduced domains inside the IFRAMEs themselves.
Google is actively filtering the results and removing the cached pages on a number of domains. The attack, which started two weeks ago, is continuing: the main IPs behind the IFRAMEs are still active, new pieces of malware and rogue software are being introduced with hosting still courtesy of the RBN, and we’re definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning combined with IFRAME injections.
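The injected frames described above are typically off-site and invisible to the visitor. The following is an added example (not code from the original post or from any of the vendors it cites) of a defensive audit that flags such frames in a page’s HTML; the sample page, the hostnames in it and the hidden-frame heuristics are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_hidden(attrs):
    """Heuristic: frame is hidden via CSS or has a 0/1 pixel box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = (attrs.get("width", ""), attrs.get("height", ""))
    return all(d.strip() in ("0", "1") for d in dims)


class IframeAuditor(HTMLParser):
    """Records every <iframe> and why it looks injected, if it does."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # attrs without a value -> ""
        src = a.get("src", "")
        # A relative src has no hostname, so it belongs to the page's own host.
        host = urlparse(src).hostname or self.page_host
        reasons = []
        if host != self.page_host:
            reasons.append(f"off-site src {host}")
        if _is_hidden(a):
            reasons.append("hidden or zero-size")
        self.findings.append({"src": src, "reasons": reasons})


def audit_page(html, page_host):
    """Return only the frames that trip at least one heuristic."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return [f for f in parser.findings if f["reasons"]]


# Constructed sample: one legitimate same-site frame, one injected frame in the
# hidden, off-site style the campaign above uses (host is a placeholder).
SAMPLE_HTML = """<html><body>
<h1>Store front</h1>
<iframe src="/widgets/search.html" width="300" height="60"></iframe>
<iframe src="http://redirector.example/in.cgi?3" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```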
The Georgia Department of Human Resources is taking extensive measures to alert current and former employees of a breach of confidential records that may expose personal employee information. Stolen records include names, social security numbers, birth dates, home contact and federal tax information.
An external hard drive that stored a database containing identifying information such as names, social security numbers, birth dates, home contact and federal tax information was removed by an unauthorized person. The agency warns that the breach took place on or around March 19th. Since discovering the breach, DHR has been working diligently to inform employees of the breach while also conducting an internal investigation led by the Office of Investigative Services.
The agency has also proactively alerted the three credit bureaus about the situation. In addition, DHR has instituted a new directive which requires password protection on jump and flash drives and portable computer media that contains personnel information.
Additionally, the agency is directing employees to secure these items when away from their desks and offices. Although DHR has no evidence that the information is being used fraudulently, the agency is taking every immediate measure to limit the possibility of potential fraud and identity theft.
Georgia law indicates that all residents are to receive two credit reports free of charge each year. The agency urges employees to retrieve a copy of their credit report and request that a fraud alert be placed on their records. Employees can find out how to contact the credit bureaus by visiting the original Georgia Department of Human Resources article describing this incident.
Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets across the Northeast and in Florida enabled the massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday. The finding was revealed in a letter from Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Gov. Deval Patrick’s Office of Consumer Affairs and Business Regulation.
The Scarborough, Maine-based grocer confirmed a report in The Boston Globe that it told Massachusetts regulators this week about the link between the breach and the illicit programs, known as “malware”. The company doesn’t know how malicious software got onto nearly all its 271 stores’ servers, Hannaford spokeswoman Carol Eleazer said.
At least 1,800 cases of fraud have been linked to the data breach, with unauthorized charges showing up as far afield as Mexico, Italy and Bulgaria. The breach has prompted concern in the industry because it appeared to be the first large-scale theft of credit and debit card numbers while the information was in transit. The usual mode of attack targets data sitting in databases, as in the record-setting theft of information from Massachusetts-based TJX Cos. involving at least 45 million cards.
The company has said that the breach, which occurred between Dec. 7 and March 10, allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.
The malware turned up in all Hannaford stores in New England and New York, and in most of the company’s affiliated Sweetbay stores in Florida, Eleazer said.
The involvement of the software had not been previously disclosed “because of the confidential nature of the investigation,” Eleazer said. The breach remains under investigation by the U.S. Secret Service.
Even while the Hannaford hack was still going on last month, the company was found to be in compliance with security standards required by the Payment Card Industry, a coalition founded by credit card companies.
Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software “driver” used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\System directory of your computer.
ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programs inserted and controlled by the NSA. As yet, no-one knows what these programs are, or what they do.
Recently, a Microsoft programmer’s mistake revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors).
The result of having the secret key inside your Windows operating system is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.
The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.
Sony has warned that PS3 gamers may have had cash stolen from their online game accounts. They may also have had their passwords changed by hackers and personal information taken.
Sony admitted on Thursday that it had found hackers might have gained access to its PlayStation Store, a part of the PlayStation Network, which offers downloadable games for sale. Although it said information theft and financial theft from users’ online wallets was possible, it claimed that credit card theft was “very unlikely”, as user accounts did not display entire credit card numbers.
It said that if a gamer’s password still worked, they hadn’t been affected, implying that if the password didn’t work there was a case for mild panic and the frantic checking of one’s wallet. The company said it has now restored system security and is contacting affected customers.
As Sony shipped 280,000 PS3s last month, this is set to be an embarrassing admission and certainly won’t instill confidence among gamers.
Recommendation: If you are a customer of such a service, log in to the account as soon as possible and check that the password hasn’t been changed. Even if it hasn’t, it would be a good idea to change it yourself, just in case.
Researchers from MarkMonitor, a brand-protection firm, compiled a list of 750 Google search terms that are used to track down websites likely to have easily exploitable vulnerabilities - mostly PHP-based sites. Three-quarters of phishing sites are built on hacked servers that have been tracked down using pre-programmed Google search terms, according to the research. Among other activities, MarkMonitor tracks phishing attacks that target brand names.
MarkMonitor found that 75 percent of the phishing sites it had discovered had been originally tracked down using one of the list of 750 Google search terms. The finding was based on a sample of one-quarter of the phishing sites logged by the firm.
The search terms return a list of sites likely to have particular vulnerabilities; the attackers then exploit the vulnerability, gain access to the site, and use it to host malicious code, counterfeit web pages (phishing) and spam redirection “doorways” as part of the scam. Search terms are actively traded on internet forums and are routinely scanned by IRC-based “bots”, which also scan Yahoo and AOL Search results, according to MarkMonitor.
Google has already made moves to block automated use of such searches, but they can still be used manually. The websites exploited tend to be small, local PHP-based sites, which are less likely to have the latest patches installed, and are invaded via one of more than 1,800 known PHP bugs.
Auction sites are the biggest targets, accounting for 44 percent of the phishing emails in the fourth quarter, up from 36 percent in the first quarter of 2007. In the fourth quarter of 2007, 412 organisations were targeted by phishing attacks, up 37 percent from the same period in 2006, according to the firm’s brand-jacking index, published last month.
Recently SophosLabs identified a malicious script on the website of a European ticket re-sale company that is currently gearing up to sell tickets for the forthcoming Euro 2008 championships. The site in question (http://en.euro2008.uefa.com/index.html) has a high search engine ranking and a presence among sponsored links, indicating that the hackers may have a huge pool of potential victims.
The site has been compromised in an attempt to create a classic drive-by download attack. Attempting to purchase tickets through the site will expose the user to a malicious script embedded in the pages (detected by Sophos as Mal/ObfJS-R). The script is intended to load further malicious content from a remote site. However, initial analysis suggests the script is somewhat buggy; perhaps it broke during obfuscation.
Users may not become infected when browsing the site, in some browsers at least. The site is likely to attract high numbers of visitors as the championships get closer, but contact via email and telephone has thus far been fruitless. Using search engines to find a suitable ticket vendor shows the site has quite a high ranking, including a presence amongst the sponsored links.
It is not the first time we have seen a sporting event involved in an attack - shortly before the 2007 Super Bowl the web site of the Miami Dolphins was compromised in order to infect victims logging on in the days leading up to the event. The Super Bowl attack was almost certainly targeted, timed just before the event. In contrast the Euro 2008 ticket site has most probably not been specifically targeted, but caught up in a larger, widespread attack.
The huge number of legitimate sites being compromised presents a risk to all of us, even those that are careful.
Sophos urged all computer users to ensure that their security settings are up to date and able to defend against such threats.
Credit: SophosLabs UK
Police questioned a Broward County student on Tuesday after they said he hacked into the school district’s computer system.
Authorities said a student at Taravella High School in Coral Springs hacked into the Broward County school district’s computer system, gaining access to over 38,000 employees’ detailed, private records information including names, addresses, phone numbers and Social Security numbers, which could put those district employees at risk for identity theft and other crimes.
According to a police affidavit, 18-year-old Michael Wasa admitted that he hacked into the district’s computers from a computer classroom at Atlantic Technical Center, where he was also taking classes.
On his computer, police found the entire Taravella High School database and a folder about making bombs. Police are conducting forensic analysis of Wasa’s personal computer while the district employees wait for the results.
Investigators also found hacker programs, student information and software that could falsify credit card information in a school computer Wasa allegedly used last month.
The school district did notify teachers about a week and a half ago. A representative from the district said there is no new information. Pat Santeramo, Broward County Teachers’ Union President, said his inbox was flooded with e-mails from worried teachers. The school district suspended the student for 10 days.
It’s not yet clear how Wasa intended to use the information. He might just be a teenager who gets a kick out of breaking computer codes and hacking into systems as if playing a video game. But the consequences could be deleterious for the people whose personnel files were breached, and the matter should not be taken lightly.
Coconut Creek police said they’re still not sure if Wasa was showing off his computer skills or if he had intended to use the information. No charges have been filed and the incident is still under investigation. The district has warned employees to keep close track of their bank accounts in the meantime.