CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for October, 2009

Trojan Plunders $480k From Cumberland County Redevelopment Authority Online Bank Account

Friday, October 16th, 2009

A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account.

News reports say $479,247 vanished from a bank account belonging to the Cumberland County Redevelopment Authority after it was hit by Clampi. The trojan gets installed by tricking users into clicking on a file attached to email and then lies in wait for the victim to log in to online financial websites. The authority has so far been able to recover $109,467 of the stolen loot.

The theft is part of a rash of online heists that have stolen millions of dollars from businesses and non-profit organizations. While circumstances are different in each case, they all point to a single point of failure: Each theft relied on the successful compromise of a Windows-based system.

It was this undeniable fact that led Brian Krebs - author of the Security Fix blog, which over the past month has published a series of articles detailing high-stakes bank thefts - to recommend that Windows machines no longer be used by those who choose to do their banking online.

“I do not offer this recommendation lightly,” he wrote. “But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection.”

Indeed, the Clampi variant that hit the Cumberland redevelopment authority reportedly was able to succeed even though employees used an automated clearing house token that generated a different eight-digit access code every minute or so. Redevelopment authority officials didn’t return calls seeking comment.

Credit: The Register

Record Number Of Vulnerabilities Fixed In Microsoft’s Patch Tuesday

Wednesday, October 14th, 2009

Microsoft on Tuesday patched a record number of security holes in its Windows operating systems and other software, a haul that included at least one security flaw that was already under attack in the wild.

One of the updates fixed a vulnerability in Windows Media Runtime that allows an attacker to remotely execute malware by tricking a user into playing a booby-trapped audio or video file. A few hours after its release, a Microsoft spokesman said company researchers have “seen limited attacks trying to use the reported vulnerability.” The bug is rated critical on every version of Windows.

A separate update fixed a bug that left users of Internet Explorer, Google Chrome and Apple Safari for Windows vulnerable to forged secure sockets layer (SSL) certificates. The flaw in Microsoft’s CryptoAPI was disclosed 10 weeks ago, but took on more urgency after a hacker published a counterfeit certificate for PayPal that made it trivial for someone mounting a man-in-the-middle attack to impersonate the online payment processor.

The patch batch also included a fix for the SMB2 file-sharing technology that was added to Vista and later versions of Windows. Four weeks ago, white-hat hackers developed a reliable way to target the critical vulnerability, but there are still no reports of it being exploited in the wild.

As always, Microsoft provides a visual chart summarizing the releases.

Credit: The Register

Polish Government Cyberattack Blamed On Russia

Wednesday, October 14th, 2009

A largely unsuccessful attack on Polish government systems last month reportedly originated in Russia.

Details are scarce but it seemed that the attack coincided with the 70th anniversary of the outbreak of World War Two. Polish newspaper Rzeczpospolita reported that the assault targeted Polish government systems and took place at the same time Russian Prime Minister Vladimir Putin visited Poland.

Pawel Bialek, deputy head of Poland’s Internal Security Agency (ABW), said it was able to thwart the attack, without going into details, Infowar Monitor reports.

Nazi Germany and the Soviet Union infamously invaded and carved up Poland in September 1939 under the secret terms of the Molotov–Ribbentrop non-aggression pact. Polish hackers attacking Russia might make sense in the context of the anniversary of the infamous invasion; it’s harder to understand why Russian hackers might have it in for Poland, but then again perhaps they don’t need much provocation before cracking open the attack tools.

Disputes between Russia and its neighbours have regularly spilled out onto the internet over recent years. For example, cyberattacks accompanied the armed conflict between Russia and Georgia over the fate of Russian-speaking regions of Georgia last year. Security researchers subsequently blamed the attacks on civilians and Russian cyber-crime gangs.

The internet infrastructure of Estonia was ripped apart in April 2007, following a dispute over the relocation of Soviet-era war memorials and graves.

Credit: The Register

Maradona’s Website Hacked By Peruvians After Argentina Victory

Tuesday, October 13th, 2009

Peruvian hackers have reacted to the country’s dramatic defeat by Argentina on Saturday by defacing the site of Argentinian manager Diego Maradona and dubbing him a cry-baby.

A picture of a tearful Maradona was pasted on the website, alongside the message “Te Hicimos Llorar” (We made you cry). Maradona is pictured in tears and wearing a Boca Juniors top, whereas on the night he was wearing a suit. But such was the torrential downpour during the latter stages of the game, it would be difficult to tell if someone was crying or not.

The defacement goes on to add: “For the biggest cry baby of all time - you won over us at football, but we won on the internet”, above a picture of the Peruvian national team. The defacement, captured by net security firm Sophos, is claimed in the name of Elite-Peruvian.

Peru equalized against Argentina in the last minute of normal time, only for Argentina to score an injury-time 2-1 winner in Saturday’s game in Buenos Aires.

World Cup qualification games between El Salvador and Honduras in 1969 infamously acted as a lightning rod for wider tensions between the two neighbours over issues such as immigration, and led to a four-day war (known as La guerra del fútbol). Forty years on we get a website defacement, which counts as progress of sorts, we suppose.

Maradona famously knocked England out of the 1986 FIFA World Cup with the infamous “Hand of God” goal. This was followed by an outstanding solo dribble and goal that showcased his extraordinary talent as an attacking midfielder.

“The message for Maradona [from the hack] is clear,” said Graham Cluley, a security consultant at Sophos. “Don’t leave your web security to the Hand of God - secure your systems and follow best practices instead to keep hackers locked out.”

Credit: The Register

Critical Adobe Reader Vulnerability Under Attack, Allows Complete Control Of User’s Computer

Thursday, October 8th, 2009

Attackers once again are targeting an unpatched vulnerability in Adobe Reader that allows them to take complete control of a user’s computer, the software maker warned.

Adobe said it planned to patch the critical security bug in Reader and Acrobat 9.1.3 for Windows, Mac and Unix on Tuesday, the date of the company’s previously scheduled patch release for the PDF reader. According to Security Focus, attackers can exploit the vulnerability by tricking a user into opening a booby-trapped PDF file.

“Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application,” the security site warned. “Failed attempts will likely result in denial-of-service conditions.”

The bug is presently being exploited in “limited targeted attacks,” Security Focus added, without elaborating. Adobe said only that the attacks target Reader and Acrobat running on Windows operating systems.

Those using Windows Vista with the feature known as data execution prevention (DEP) enabled are safe from the exploit. Users on other platforms can insulate themselves from the current attack by disabling JavaScript from running inside the application, but Adobe warned it’s possible to design an exploit that works around that measure.

The company said it’s working with anti-virus providers so their software can detect the PDF files that target the bug.

This is at least the third time this year that criminals have targeted an unpatched vulnerability in Adobe Reader or Flash, which arguably are installed on a larger base of machines than any Microsoft software. The company has taken flak not just for releasing buggy programs, but for taking too long to fix security flaws once they’re discovered. The company in May promised to reinvigorate its security program for Reader.

To disable JavaScript from running inside the application, choose Preferences from Reader’s Edit menu, highlight JavaScript and then uncheck the box that says “Enable Acrobat JavaScript.” Another good idea would be to uninstall Reader completely and use a much safer, less bloated alternative like Foxit Reader.

Credit: The Register

US And Egyptian Authorities Arrest 100 Phishers In Biggest Cybercrime Case Ever

Thursday, October 8th, 2009

US and Egyptian authorities have charged 100 people with conducting a phishing operation that siphoned at least $1.5m from thousands of accounts belonging to Bank of America and Wells Fargo customers.

Fifty-three defendants from California, Nevada and North Carolina were named in a federal indictment unsealed Wednesday. Prosecutors said it was the largest number of defendants ever charged in a cybercrime case. Authorities in Egypt charged an additional 47 people.

Operation Phish Phry, as the case was dubbed, marks the first joint cyber investigation between law enforcement agencies in those two countries. The case was filed in federal court in Los Angeles.

According to the indictment, the Egypt-based defendants phished individuals’ personal information and then used it to access victims’ bank accounts. The phishers then worked with their counterparts in the US so money could be transferred into fraudulent accounts created specifically to receive the stolen funds.

The ringleaders were named as Kenneth Joseph Lucas, Nichole Michelle Merzi and Jonathan Preston Clark, all of California. They directed dozens of “runners” to set up the accounts that would receive the stolen loot. A portion of the funds was wired to the individuals in Egypt who originated the scam. Other defendants were located in Nevada and North Carolina.

Each defendant named in the 51-count indictment is charged with conspiracy to commit wire fraud and bank fraud. If convicted, each faces a maximum penalty of 20 years in federal prison. A handful of defendants were charged with additional felonies, including bank fraud, aggravated identity theft, conspiracy to commit computer fraud and domestic and international money laundering.

The operation is an object lesson in the scale and coordination found in today’s professional phishing operations. The charges are the result of an investigation that began in 2007, when FBI agents identified criminal enterprises targeting US financial institutions.

“The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed,” Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, said in a statement.

Credit: The Register

List of 20000 More Email Accounts From Gmail, Hotmail, Yahoo, AOL And Others Posted Online

Tuesday, October 6th, 2009

A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports. Both lists have been taken offline, so are no longer directly accessible.

Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. The phishing scam was originally thought to target just Hotmail users. It was brought to light when 10,000 Hotmail addresses were posted online at Pastebin, a website commonly used by developers to share code.

A spokesperson for Microsoft said phishing was an “industry-wide problem”. “Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.”

Google has confirmed to BBC News that its e-mail system - Gmail - has been targeted as part of an “industry-wide phishing scheme”. The search giant said that it had taken immediate action to safeguard the affected accounts.

Yahoo also confirmed that an unspecified number of Yahoo webmail accounts were on the leaked list. It couldn’t confirm how many of the profiles were genuine:

We are aware that a limited number of Yahoo! IDs have been made public.

Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security. We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords. We also encourage our customers to review resources that provide guidelines on email safety.

Rik Ferguson, a security researcher at Trend Micro, said that the security firm had begun detecting spam sent through these compromised Hotmail accounts.

As many as two in five people use the same password for every site they use. That means access to a webmail account gives hackers a head start in accessing online banking or PayPal accounts linked to the same address. Underground bazaars and carder forums are full of sales of these more sensitive login credentials. Email addresses have been sold alongside purloined credit card numbers and online bank accounts for months if not years on such black market forums.

Credit: BBC News, The Register

List Of 10033 Phished Hotmail Account Passwords Posted Online, Still Available In Google’s Cache

Monday, October 5th, 2009

Neowin.net has reported on a possible Windows Live Hotmail “hack” or phishing scheme in which password details of thousands of Hotmail accounts have been posted online.

An anonymous user posted details of the accounts on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed but according to Neowin, the accounts are genuine and most appear to be based in Europe. The list details over 10,033 accounts starting from A through to B, suggesting this is only a part of a bigger list. Currently it appears only accounts used to access Microsoft’s Windows Live Hotmail have been posted; this includes @hotmail.com, @msn.com and @live.com accounts. Some accounts are from @hotmail.fr and @live.it, and a few from @yahoo.es.

Neowin has reported this immediately to Microsoft’s Security Response Center and to Microsoft’s PR teams in the UK and US and we are currently awaiting feedback on the situation. As this is a breaking story, updates by Neowin can be found here.

If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately.

According to Neowin, Microsoft has fully confirmed their initial reports. According to a Microsoft spokesperson, “over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.”

Unfortunately, according to our check, the list can still be found in Google’s cache; here is the screenshot:

Google has already been contacted by CyberInsecure in order to remove the cached page from search results.

UPDATE: Google removed cached page after about 3 hours.
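As an added illustration that is not part of the original post or Neowin's report, the Python script below shows the kind of triage a responder would run over a leaked list like the one described above: it parses constructed sample lines in the address:password shape, deduplicates and lowercases addresses, counts how many fall under the Windows Live Hotmail domains the report names, checks the alphabetical range to flag a likely partial list, and builds a passwords-stripped notification list per provider. The sample dump, the domain set and all function names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample in the address:password shape of the posted lists; not the real dump.
SAMPLE_DUMP = """\
Alice.a@hotmail.com:Summer2009
adam.b@live.it:pa55word
anna.c@hotmail.fr:qwerty
this line is not a credential
bob.d@msn.com:letmein
bruno.e@yahoo.es:123456
alice.a@hotmail.com:Summer2009
"""
LINE_RE = re.compile(r"^([^\s:@]+@[^\s:@]+)[:;](.+)$")
# Domains served by Windows Live Hotmail, as listed in the report above (assumed set).
HOTMAIL_FAMILY = {"hotmail.com", "msn.com", "live.com", "hotmail.fr", "live.it"}

def parse_dump(text):
    """Return (address, password) pairs; malformed lines and repeated addresses are dropped."""
    seen, entries = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group(1).lower()
        if addr not in seen:
            seen.add(addr)
            entries.append((addr, m.group(2)))
    return entries

def first_letters(entries):
    """Sorted leading letters; a narrow range (e.g. only a-b) hints that the list is partial."""
    return sorted({addr[0] for addr, _ in entries if addr[0].isalpha()})

def notification_list(entries):
    """Addresses grouped by domain with passwords stripped, for the provider notifications."""
    by_domain = {}
    for addr, _ in entries:
        by_domain.setdefault(addr.split("@", 1)[1], []).append(addr)
    return by_domain

def triage(text):
    entries = parse_dump(text)
    counts = Counter(addr.split("@", 1)[1] for addr, _ in entries)
    letters = first_letters(entries)
    return {
        "total": len(entries),
        "hotmail_family": sum(n for d, n in counts.items() if d in HOTMAIL_FAMILY),
        "other": sum(n for d, n in counts.items() if d not in HOTMAIL_FAMILY),
        "letter_range": (letters[0], letters[-1]) if letters else None,
        "partial_list_suspected": len(letters) < 13,  # fewer than half the alphabet covered
        "notify": notification_list(entries),
    }
```

Only the notification list leaves the triage machine; the passwords themselves are never written out.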

Automated Malware Attacks Hit Facebook, CAPTCHA Possibly Cracked

Friday, October 2nd, 2009

Hackers have figured out how to create computer-generated Facebook profiles and are using them to trick unsuspecting users into installing malware, a security researcher warned Thursday.

The fraudulent profiles display the same picture of a blond-haired, blue-eyed woman, but with slightly different names and birthdates, said Roger Thompson, chief of research at security firm AVG Technologies. Each invites visitors to click on what purports to be a video link that ultimately tries to trick viewers into installing rogue anti-virus software.

AVG’s LinkScanner product, which monitors webpages in real time to make sure they’re not malicious, has encountered “hundreds” of separate pages. But because AVG only sees a page when one of its subscribers tries to click on one, Thompson suspects the total number of fake profiles is in the thousands.

“There are enough of them that it’s probably an indication of an automated attack. I just can’t see someone creating the same profile time after time after time,” Thompson said.

That means the attackers have figured out how to crack the captcha Facebook uses to ensure profiles are created by humans, rather than computer scripts that automate the process so it can be carried out thousands of times.

If Thompson is correct, it’s by no means the first time hackers have figured out how to bypass the measure on a high-profile website. Captchas for Google Mail and Microsoft’s Windows Live email services have been successfully cracked before. In some cases, scripts that use optical recognition technology are suspected to be at work. In other cases, sweatshops that rely on people to solve the captcha puzzles are likely at play.

In any case, the availability of an unlimited number of fraudulent accounts is extremely valuable to scammers. Web-based email accounts typically get the green light from anti-spam products, and end users have an inherent, if misplaced, trust in social networking profiles.

Thompson’s report came the same day that the FBI issued this advisory warning people to be wary of fraud on social networking sites.

Facebook engineers are doing a good job killing the fake profiles, Thompson said. But at the time of writing, many were still available, as pages like this one attest.

Credit: The Register