CyberInsecure.com

Archive for the ‘Cybercrime’ Category

A bogus application that lures Facebook users by falsely offering to show who has been viewing their profile has been exposed as a scam.

Rik Ferguson, a senior security consultant at Trend Micro, warns he has already identified 25 different copies of the same rogue app but using different monikers such as peeppeep-pro, profile-check-online and stalk-my-profile.

All of the rogue apps are spread by updates seeking to lure the friends of previous victims to give the stalkerware a try. Some even offer a photo montage of a victim’s contacts in a bid to add more authenticity. However, none of the apps actually do anything except profit their creators via ad affiliate revenues and deceptive tactics.

“The app itself is designed to look convincing enough, but none of the many ‘Continue’ buttons it offers will activate some under-the-counter profile checking functionality - they will just push you into another Facebook app earning the scammer advertising revenue in the process,” Ferguson explains. “There is no officially sanctioned Facebook functionality that will allow you to view who has been checking your profile.”

Facebook recently removed the ability for applications to send notifications directly. The unknown creators of stalk-my-profile have built in functionality designed to get around that limitation while still attracting the attention of would-be marks.

Security staff at Facebook acted promptly on Sunday to remove the rogue apps. That’s all well and good, but Ferguson argues that only the introduction of an app-vetting scheme - something he first suggested over a year ago - stands any chance of bringing under control the growing problem of misuse of the social network by rogue application developers.

A similar scam again involving a supposed answer to the question “Who is checking your profile?” was squashed by Facebook in late February, Websense reported at the time. The reappearance of much the same scam just two weeks later underlines Ferguson’s contention that simply playing whack-a-mole with rogue apps is a waste of resources that unnecessarily endangers Facebook users.

Another run of rogue apps, detected by Ferguson at the end of February, attempted to fool victims into clicking the spam notifications it sent out, earning dodgy developers affiliate-based ad revenues in the process. The app adopted the name “Like” and borrowed the icon from the official Facebook “Likes” function, but was in reality nothing more than cheap crud whose only function was to direct users towards a website offering an application called Zwinky.

Credit: The Register

Ubisoft has confirmed its rights management servers were hit by a fierce DDoS attack over the weekend that left some customers unable to play its games for much of Sunday.

The attack is an apparent protest at controversial new DRM controls by the video game publisher which mean customers have to be online in order to play its latest PC games such as Assassin’s Creed II and Silent Hunter 5.

The introduction of so-called Online Services Platform technology last month means it’s impossible to play a game without an internet connection or save progress while playing a game if an internet connection is lost. The controls, designed to combat piracy, have sparked much negative comment in the gamer community and apparently inspired action by hacktivists over the weekend that curtailed gameplay for some.

“Apologies to anyone who couldn’t play ACII or SH5 yesterday,” Ubisoft said in a post. to its official Twitter account on Monday. “Servers were attacked which limited service from 2:30pm to 9pm Paris time.”

“95 per cent of players were not affected, but a small group of players attempting to open a game session did receive denial of service errors,” it added in a later update.

Meanwhile Ubisoft’s much criticised controls have been broken by software hackers. A hacker group called Skid-Row managed to bypass DRM restrictions on Silent Hunter 5 less than 24 hours after the game was published.

Credit: The Register

The perpetrators of a ticket fraud operation that made use of a botnet to subvert protection mechanisms enforced by ticket vendors were indicted earlier this week. The dedicated network of computers spread across the U.S. ran software that impersonated legit buyers and solved CAPTCHA tests.

It’s a well known fact that in order to ensure a fair distribution of tickets to the public, online ticket vendors enforced restrictions such as limiting the number of seats a single individual could obtain. In addition, to make sure that only real humans are able to acquire tickets, the order forms are usually accompanied by CAPTCHA challenges.

The indictment filed in Newark, New Jersey, names Kenneth Lowson, Kristofer Kirsch, Joel Stevenson and Faisal Nahdi as defendants. They operated through several companies and are collectively referred to as the “Wiseguys,” after Wiseguys Tickets, Inc., the first and primary firm they controlled.

The operation, which lasted from late 2002 until January 2009, involved fraudulently purchasing thousands of tickets for various events across the United States, and selling them to ticket brokers at higher prices. Investigators estimate that the Wiseguys racked up profits of almost $29 million by re-selling 1.5 million tickets.

In order to pull off the scheme, the gang employed programmers in the United States and Bulgaria, who coded and constantly adapted the software used to acquire the tickets. The program was so good that it solved CAPTCHAs far quicker than humans and was able to snatch up the best seats at high-profile events as soon as tickets went on sale.

But according to prosecutors, the defendants did not only stop at damaging online ticket vendors’ ability to ensure a fair distribution of tickets. Instead, they went as far as setting up a competing company to distribute tickets on behalf of artists or venues and giving assurances that it was capable of doing what the other vendors were failing to do.

“This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies,” notes Francois Paget, threat researcher at McAfee.

Credit: Softpedia.com News

World of Warcraft users won’t be happy to hear that hackers have managed to pull a man-in-the-middle attack on several servers hosted in Europe. This happened even with the extra security barriers added by the use of an external authenticator. The attack is suspected to have came from China or/and Malaysia.

The attack basically happened like this: while a regular user accessed a WoW-themed infected site on the web, they installed a trojan, named Malware.NSPack, thinking that they were installing a game add-on. That trojan would then go to install suspicious files on the user’s computer (emcor.dll copied to ../users/username/appdata/Temp) and log all key strokes, sending back data related to WoW authentication credentials.

The data acquired was then employed by attackers to circumvent WoW’s login system and empty the user’s account of all of their in-game (“fake”) money. Subsequently, those sums can be transferred to other accounts, which then can be put up for sale and turn real profit for the hackers.

The keylogger trojans that infected the users were hosted on Chinese-based websites, were graphically cloned after the WoWMatrix website and advertised using Google AdWords service. The spoofed data was relayed using a server hosted in Malaysia. Websites reported by users as being attack sources are cursea.com, deadlybossmodss.com, gamesacca.com and wowmatrixf.com. The sites were taken down, along with the Google AdWords banner.

WoW tech admins were quick to reply and investigate, offering this answer within 24 hours of the first report, “After looking into this, it has been escalated, but it is a Man in the Middle attack. This is still perpetrated by key loggers, and no method is always 100% secure,“ trying to excuse the authenticator’s failure in supplying full protection.

The attacks themselves don’t differ very much from other man-in-the-middle hacks on banking sites, the only difference being that this latest target wasn’t harboring real money like banks do, but fake in-game gold.

Credit: Softpedia.com News

International cooperation between law enforcement agencies in Spain and the U.S., as well as several security companies, led to the arrest of three Spanish citizens who controlled one of the largest botnets in history. Dubbed Mariposa, the army of zombie computers connected from more than 12 million unique IP addresses.

The Mariposa (Butterfly in English) botnet was identified in May 2009 by researchers from a Canadian information security company named Defence Intelligence. The malware behind the botnet is an information stealing computer trojan, which has seen more than 200 variants to date.

In order to investigate and track the threat more efficiently, security experts from various organizations, including Defence Intelligence, Georgia Tech Information Security Center and Spanish antivirus vendor Panda Security have established the Mariposa Working Group (MWG). The group closely cooperated with the FBI and their Spanish counterpart, La Guardia Civil (the Civil Guard).

The experts managed to hijack the botnet in December, but the cyber-criminals, who called themselves the Días de Pesadilla Team (the Nightmare Days Team), regained control and retaliated with crippling Distributed Denial of Service (DDoS) attacks. A second, more successful takeover allowed researchers to count the number of IP addresses trying to access the Command and Control (C&C) servers and get an idea of the threat’s true scope.

“We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history,” notes Luis Corrons, technical director of PandaLabs, Panda Security’s malware intelligence laboratory. It was also discovered that the gang leased parts of the botnet to other cyber-crooks or sold DDoS services.

In addition, on the infected computers, the trojan displayed rogue ads while surfing the Web and altered Google search results. It also stole personal and financial information, such as online banking credentials and other usernames and passwords.

The authorities were able to identify F. C. R., a 31-year-old bot herder known online as “Netkairo,” after he slipped and accidentally revealed his home IP address. He was arrested by the Spanish Civil Guard in his home town of Balmaseda last month.

Data collected from Netkairo’s computer led to the capturing of two other accomplices, identified only as J. P. R., 30, a.k.a. “jonyloleante”, and J. B. R., 25, a.k.a. “ostiator.” A fourth co-conspirator is believed to be located in Venezuela.

Stolen information belonging to 800,000 users was also found, as well as data belonging to companies, government institutions and educational organizations in 190 countries. “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were,” commented Defence Intelligence’s CEO Christopher Davis.

Credit: Softpedia.com News

The name of the popular file analysis service VirusTotal is being abused by cyber-crooks to infect users with scareware. A recent forum spam campaign tries to trick people into visiting a malicious website hosted at virus-total.in.

VirusTotal.com has been well known as free virus and malware online scan service which allows submitters to test a particular file against a multitude of malware scanners. So, it’s not highly surprising that malware authors would try to use that name to further their gain.

Security researchers from Sophos reported a spam run promoting the rogue virus-total domain, as a private message on a forum. The message employs scare tactics in order to frighten users into visiting the scareware-pushing website.

The message looks like this:

Subject: Warning!

DO NOT REPLY TO THIS EMAIL!
***************************

Dear [Redacted forum user name],

You have received a new private message at [Redacted] Forum from [Redacted], entitled “Warning!”.

To read the original version, respond to, or delete this message, you must log in here:
http://[Redacted]

This is the message that was sent:
***************
Dear, [Redacted forum user names]

There are viruses’ activities from your computer! Highly recommend you to scan your computer for malicious and potentially unwanted software. If you do not follow this, I will have to make a complaint to your Internet Service Provider with attached log file (your IP address, etc.). If you want to find a report about your computer’s security and solve every problem with it, please click here: http://www.virus-total.[TLD removed]/detected/[Redacted] This is an online service that you can use for free spyware removal. Use it to scan your computer to help protect, clean, and keep your computer running at its best. Use the free scan to check for and remove viruses, spyware, and other potentially malicious software and to find vulnerabilities or shortcomings in your Internet security.

Thank you. Yours truly, [Redacted].
***************

This attack clearly targets VirusTotal.com, a popular free service which allows users to scan suspicious files with over 40 antivirus engines and other tools. Julio Canto, VirusTotal’s project manager, issued an alert about the rogue virus-total.in website via Twitter.

The site displays bogus security warnings and fake antivirus scans to unsuspecting visitors, tricking them into installing a scareware program called SecurityTool. Rogue security programs such as these are commonly used by cyber-criminals to charge money for useless licenses and steal credit card details.

The above popup would follow by the loading of a fake scanning page inside the browser:

One of the interesting parts of this fake page is that the “Windows Security Alert” pop-up is actually a time-delayed object inside the page. Even though the box looks like a window box from Windows XP, it is not moveable at all.

When the fake scanning completes, another pop-up will be generated asking the user to download a file called security_tool_setup.exe. Needless to say, this file is malicious and is yet another one of the Fake Antiviruses.  This executable has already been proactively detected by Sophos as Mal/FakeVirPk-A.

“An unfortunate side effect of a scam like this is that the real VirusTotal could start to receive emails from irate victims of the fake site claiming they’ve ‘infected my PC’ – fingers crossed it doesn’t get to that stage. Remember: the REAL domain for VirusTotal is Virustotal.com. Don’t fall for this scam!” Sunbelt’s Chris Boyd advises.

Another unusual aspect of this attack is the threat of filing a complaint with a user’s ISP about the virus activity alleged in the spam message. This statement comes at a time when ISPs have announced initiatives to identify compromised computers on their networks and take proactive measures to clean them.

Credit: Softpedia.com News, SophosLabs Blog

Computer scientists at Rutgers University this week are demonstrating ways that rootkits can attack new generations of smart mobile phones. The researchers, who are presenting their findings at a mobile computing workshop in Maryland, are showing how a rootkit could cause a smartphone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless — all without the user’s knowledge.

“Smartphones are essentially becoming regular computers,” says Vinod Ganapathy, assistant professor of computer science in Rutgers’ School of Arts and Sciences. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by [malware].”

Ganapathy and computer science professor Liviu Iftode worked with three students to study the use of rootkits in smartphone operating systems. They note that while many PCs carry virtual machine monitors to help detect rootkits, most smartphones cannot support a VM monitor.

Rootkit attacks on smartphones — or upcoming tablet computers — could be more devastating because smartphone owners tend to carry their phones with them all of the time, the researchers say. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user’s whereabouts by querying the phone’s GPS receiver. Smartphones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.

“What we’re doing today is raising a warning flag,” Iftode says. “We’re showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defenses.”

In one test, the researchers showed how a rootkit could turn on a phone’s microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone, telling it to place a call and turn on the microphone, such as when the phone’s owner is in a meeting and the attacker wants to eavesdrop.

In another test, they demonstrated a rootkit that responds to a text query for the phone’s location as furnished by its GPS receiver. This would enable an attacker to track the owner’s whereabouts.

In a third test, the researchers showed a rootkit turning on power-hungry capabilities — such as the Bluetooth radio and GPS receiver — to quickly drain the battery.

The researchers are careful to note they did not assess the vulnerability of specific types of smartphones. They did their work on a phone used primarily by software developers versus commercial phone users. Working within a legitimate software development environment, they deliberately inserted rootkit malware into the phone to study its potential effects.

The research was supported by the National Science Foundation and the U.S. Army.

Credit: DarkReading.com

Researchers from Atlanta-based security vendor SecureWorks have discovered a new information-stealing trojan facilitating ACH and wire fraud. The trojan has all the capabilities of malware commonly used to steal money from SMBs and non-profits.

An unprecedented wave of Automated Clearing House (ACH) and wire fraud started in 2009, resulting in small and medium-sized companies, public institutions and non-profit organizations losing millions of dollars to cyber-criminals. The problem prompted the FBI and the American Bankers Association to recommend that online banking operations be performed from dedicated computers only.

These attacks start by infecting computers on an organization’s network with the purpose of stealing online banking credentials. The Clampi and Zeus (Zbot) families of trojans have so far dominated this aspect of cyber-crime and positioned themselves as the leading information-stealing computer trojans.

However, it seems other groups are willing to challenge that supremacy, especially since antivirus products are getting better at generically detecting modified Clampi and Zeus variants, which significantly reduces their success rate. The trojan discovered by SecureWorks back in January, which was dubbed Bugat, appears to be one of these new competitors.

“In mid-January, the installer for Bugat had moderate coverage (20/40), according to VirusTotal. The most commonly identified name (Bredolab) corresponds to a family of trojan downloaders. However, its runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41),” Jason Milletary, SecureWorks’ technical director for malware analysis, explains on the company’s research blog.

Bugat is capable of capturing information entered in Web forms, altering the content of targeted websites or stealing browser cookies, as well as FTP and POP3 credentials. Additionally, the malware can function as a SOCKS proxy server, upload files from the infected computer to a remote server or download and execute programs.

The trojan communicates with a command and control (C&C) server from where it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.

“The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals,” Mr. Milletary concludes. Indeed, just last week, Symantec warned of a new Zeus-like crimeware toolkit called SpyEye.

Credit: Softpedia.com News

Security researchers warn that a significant number of WordPress websites have been compromised recently as part of what looks to be a money-generating affiliate scheme. The header.php template files are being injected with obfuscated JavaScript code.

“Late last week, I noticed something of a surge in reports of a particular threat: hoards of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be Wordpress. One user report suggests that the malicious script is being added to the header.php template script used by Wordpress,” Fraser Howard, principal virus researcher at Sophos, writes on the company’s blog.

The obfuscated script is inserted right after the tag and its purpose is to load additional content via an IFrame and to pass visitors through a series of silent redirects. One of these 302 redirects pass the affiliate account of the attacker to a remote script, probably for remuneration purposes.

According to Mr. Howard’s analysis, a cookie for a domain name rich-traffic.com is set in the visitors’ browsers, this site being a Russian affiliate network allowing users to sell or to buy IFrame traffic. “We sell only high quality iframe traffic for your various needs!” is written on the main page. Apparently, this offer refers to huge amounts of unique visitors spread across a wide variety of countries.

The issue of header.php files being modified without authorization has also been discussed in the support forums over at wordpress.org, with users suggesting that compromised FTP accounts might be the cause. This is consistent with the Sophos researcher’s conclusion, who writes that, “In this particular attack however, an out of date Wordpress installation does not appear to be the root cause – many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).”

It is worth noting that TechCrunch, one of the most popular technology blogs on the Internet, has recently faced several attacks, which resulted in its home page being altered. At least in one particular attack, the header.php file was modified to include a rogue message.

Credit: Softpedia.com News

Twitter has lifted the lid on its recent advice to many users to reset their passwords for the micro-blogging site.

Originally, it was thought that the guidance had come in response to a common or garden phishing attack. In a post on Tuesday, Twitter explained that the attack was actually far more devious and elaborate.

Hackers established Torrent user sites and forums with hidden backdoors. They waited for these forums to grow in popularity before they harvested login details.

These login credentials were then used in attempts to break into accounts on third party sites such as Twitter. The attack relied on the frequent mistake of using the same password and user ID combination for multiple sites.

In other words, victims are using the same password/userID combo on warez forums and Twitter, a mistake that left them open to attack because unidentified hackers had backdoor access to these forums.

Twitter detected the attack after it became suspicious of a “sudden surge in followers” to two previously obscure accounts last week. Followers of these accounts were advised to change their passwords over concerns that hackers involved in the attack had compromised their accounts to, err, gain more followers on Twitter.

It’s unclear how many profiles were pwned by the attacks or what other sites might have been involved. All might have been prevented via the use of rudimentary password security precautions.

“The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites,” writes Del Harvey director of Trust and Safety at Twitter. “We strongly suggest that you use different passwords for each service you sign up for,” he adds.

Credit: The Register