CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Phishing’ Category

0-day Vulnerability In Internet Explorer 6, 7 And 8 Exploited In Recent Chinese Attack

Thursday, January 14th, 2010

Microsoft published an advisory today about a critical vulnerability in Internet Explorer 6, 7 and 8 (only IE 5.01 SP4 is unaffected). All three versions are vulnerable, but the risk to anyone running Internet Explorer 8 is lower because IE 8 enables DEP (Data Execution Prevention) by default.

According to McAfee, the hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.

The previously unknown IE flaw was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. In a sophisticated spear-phishing campaign, the perpetrators sent emails and instant messages containing links to pages exploiting the bug to employees of at least three of the targeted companies.

Contrary to earlier speculation, there was no evidence that vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, Adobe concurred, saying its researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”

Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies, and he stressed that other zero-days or exploits could have been used against other victims.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”

Shortly after the report, Microsoft confirmed that the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser, and suggested users protect themselves by enabling the security features that have been added in later versions.

McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted the company’s intellectual property. It added that 20 other companies had suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have publicly confirmed that they were victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical were also penetrated, according to The Washington Post, which cited unnamed “congressional and industry sources.”

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”

Kurtz has dubbed the attack “Aurora,” after a file path on the attackers’ machine that showed up in some of the malware code McAfee researchers analyzed; they believe it is the name the attackers gave the operation. Nothing in the binaries indicated either way whether the code’s authors spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference: under certain conditions the pointer can be accessed after the object it refers to has been deleted, and a specially crafted page can turn that access into execution of attacker-supplied shellcode inside the browser process. The malware made exploited machines download further malicious scripts that installed a backdoor. The machines then connected to command-and-control channels hosted on servers in the US and Taiwan.

A security feature known as data execution prevention (DEP), which stops the processor from executing code out of memory pages marked as data, blocks the particular exploits McAfee has observed. But Kurtz warned that the vulnerability itself exists in every version of IE except IE 5.01 Service Pack 4, and that it would be possible for attackers to work around the protection.

In its advisory, Microsoft recommended that users enable DEP, which is on by default in IE 8 but must be turned on manually in earlier versions. It also advised users of Vista and later versions of Windows to run IE in Protected Mode. The advisory did not say when an update patching the vulnerability would be released.
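To make concrete what the DEP advice above actually buys, here is a small added example, written for this page and not code from McAfee, Microsoft or the attackers. It copies a harmless stand-in for shellcode into a freshly mapped page and tries to call it twice: once with the page left read/write only, which is how a DEP-protected process sees attacker data, and once after flipping the page to read/execute, the pre-DEP world. It assumes a POSIX system with an NX-capable processor (x86 or AArch64) and uses mmap/mprotect as the rough equivalent of the Windows page protections DEP relies on; the function and payload names are this example's own.

```c
/* dep_demo.c: what Data Execution Prevention (NX) enforces, in miniature.
 * Added example, not from the original article or from Microsoft's advisory.
 * Assumes Linux or another POSIX system with an NX-capable CPU.
 *
 * The exploit chain described above puts attacker-controlled bytes into
 * memory (data) and then makes the CPU jump to them. DEP marks data pages
 * non-executable, so that jump faults instead of running the payload.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* MAP_ANONYMOUS on glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Harmless stand-in for shellcode: a function body that just returns 42. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                        0xC3 };                         /* ret         */
#elif defined(__aarch64__)
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                        0xC0, 0x03, 0x5F, 0xD6 };       /* ret         */
#else
#error "add the return-42 stub for this architecture"
#endif

static sigjmp_buf fault_return;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_return, 1);   /* unwind out of the faulting call */
}

/* Copies the payload into a freshly mapped page and calls it.
 *   dep_enabled != 0 : page stays read/write only, as in a DEP-protected process
 *   dep_enabled == 0 : page is flipped to read/execute first (the pre-DEP world)
 * Returns 42 if the payload ran, -1 if the CPU trapped the execution attempt
 * (SIGSEGV), -2 if the mapping could not be set up. */
int run_from_data_page(int dep_enabled)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -2;
    memcpy(buf, payload, sizeof payload);

    if (!dep_enabled) {
        /* W^X: writable first, then executable, never both at once. */
        if (mprotect(buf, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
            munmap(buf, (size_t)page);
            return -2;
        }
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof payload);
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int result;
    if (sigsetjmp(fault_return, 1) == 0) {
        int (*entry)(void);
        memcpy(&entry, &buf, sizeof entry);   /* the "jump to shellcode" */
        result = entry();
    } else {
        result = -1;  /* arrived via on_fault: the data page was not executable */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(buf, (size_t)page);
    return result;
}

int main(void)
{
    printf("DEP on  (RW page): %d\n", run_from_data_page(1));  /* -1: trapped */
    printf("DEP off (RX page): %d\n", run_from_data_page(0));  /* 42: payload ran */
    return 0;
}
```

Compile with `cc dep_demo.c -o dep_demo` and run it: the first call is trapped and reports -1, the second returns 42. This is why the advisory rates IE 8 as lower risk: the observed exploits land their payload in a data region and jump to it. It is also why Kurtz’s caveat stands. DEP does nothing against an exploit that never executes injected bytes and instead chains together code the process already has mapped executable (return-oriented techniques), which is the usual way the protection is worked around.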

Credit: The Register, SANS ISC


Rogue Phishing App Spread Through Android Market

Monday, January 11th, 2010

A phisher hoping to harvest bank login details managed to smuggle his app onto Google’s Android Market. The Market, launched in October 2008, offers more than 20,000 mobile applications for download.

Malicious apps posted under the developer name Droid09 were quickly identified, prompting a warning to legitimate users and a ban for their author. The incident raises questions about whether the Android Market needs a tighter vetting process.

The rogue application posed as a legitimate banking app but was actually designed to trick victims into handing their bank login details to fraudsters, according to an alert from credit union First Tech. The credit union, which said it was not itself targeted by the attack, does not even offer an Android app yet.

Android users who downloaded any of Droid09’s apps are advised to remove them from their phones and then consult their mobile carrier for further advice.

The incident happened in December but became public only after news outlets picked up First Tech Credit Union’s fraud alert on Monday.

Credit: The Register


CA Top Ten Safety Reminders For Holiday Seasons

Wednesday, December 2nd, 2009

CA’s research blog recently published a list of threats to remind everyone about online safety this holiday season. Here are the top ten according to their list:

No. 1 - Avoid ‘Click-happy’ Accidents

Don’t be a ‘click-happy’ person: be cautious before clicking on and following links.

No. 2 - Evil Greeting Cards

Watch your incoming email! In the past we’ve seen Waledac malicious greeting cards with subjects such as “e-Cards” and “You’ve received a Greeting Card…”; recent ones have more personalised subjects like “Hello Darling”.

No. 3 - Phishing Tricks

Be aware of phishers! Phishing email commonly targets PayPal, eBay and Amazon users, although fake bank notification emails and credit card fraud are also among the top schemes of these financially motivated attackers.

No. 4 - Surfing Disaster

Surf the internet safely and make sure your online security protection (firewall, HIPS and anti-malware) is turned on. Cyber criminals use blackhat search engine optimisation to direct traffic to malicious websites.

Another surfing disaster is visiting a legitimate website that has been infected to serve a drive-by download.

No. 5 - Holiday Scammers

If it sounds too good to be true, then think again.

These scams may arrive with a very convincing pitch, offering you a job, big discounts or a lottery win. In most cases they provide instructions on how to claim the offer, which often require an initial sum of money or personal information such as credit card details.

No. 6 - Charity Fraud

Are you in the mood for helping and giving this season?

Donate, but make sure you know and understand the cause of the charity you select. Avoid hasty decisions made by just following a good-looking email or visiting an unfamiliar website. Spend time on research and don’t hesitate to ask!

No. 7 - Deceptive Shopping Deals

In a gloomy economy, many of us try to get the most for our money by finding the best deal. The internet has been a great source of information, including discount coupons, gift cards and freebies. Scammers will often mislead users and ask for money, for instance as a joining or membership fee, by selling items, or by collecting credit card information.

Online shoppers should also beware of dubious “price-comparison” websites.

No. 8 - Dangerous Downloads & Installs

Spammed malware uses social engineering techniques such as the “delivery problem” lure. The email pretends to come from a legitimate company such as UPS, DHL or FedEx, and its convincing look and content often leads the recipient to manually download and install a malicious program.

Another source of dangerous downloads and installs is searching for pirated software.

No. 9 - Identity Theft

Holiday hackers, password stealers and banking trojans may take advantage of the festive season.

Social networking sites are another notable target this season. These communities are where people get in touch with friends and family by sending greetings and updates and sharing photos and videos. Threats such as Koobface may take advantage of the “happy mood” by deploying customised themes to increase their chances of infection.

No. 10 – Enable Security Protections

Be cautious about your online activity, enable online protection, update your security software, and save energy by turning off your computer when not in use (this also stops insider and outsider threats from sneaking into your files).

Credit: CA Community Blogs, Methusela Cebrian Ferrer


iPhone Worm Infects Devices And Redirects Dutch Online Bank Users To A Phishing Site

Monday, November 23rd, 2009

The second worm to infect jailbroken iPhones reportedly targets customers of Dutch online bank ING Direct. Users visiting the site from infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users of the attack via its website, as well as briefing front-line call centre staff on the threat.

Mikko Hypponen, chief research officer at F-Secure, said the threat had in any case been neutralised. “It [the worm] was targeting ING. The websites it needed for this to work have now been taken down.”

Anti-virus analysts, still in the process of analysing the malware, caution that the attack is a bit more complex than simple phishing and seems to involve an attempt to intercept the SMS messages associated with online banking transactions. We’re yet to hear back from ING Direct on this point but we’ll update this story as and when we hear more.

What is clear is that the “Duh” or Ikee-B worm, like the earlier Rickrolling worm, spreads through an SSH backdoor on jailbroken handsets.

Part of the process of jailbreaking an iPhone to allow unofficial software to be installed can involve installing SSH (secure shell) remote access. Users who go through this step but fail to change the iPhone’s default root password, ‘alpine’, leave a backdoor wide open to attack: anyone who can reach the handset over the network can log in as root with a password that is public knowledge.

Although Duh exploits the same SSH backdoor as the original Ikee worm, the newer malware is far more dangerous than its predecessor: Duh turns compromised devices into a botnet under the control of unidentified hackers. The Rickrolling Ikee worm, by contrast, only changed users’ wallpaper to an image of cheesy pop warbler Rick Astley.

Duh also scans a wider set of IP ranges than Ikee, which only ever affected Optus users in Australia; it includes ranges allocated to carriers in several countries, including the Netherlands, Portugal, Australia, Austria and Hungary. All the infections reported thus far have been in the Netherlands. The attack only came to light after a Dutch ISP noticed unusual traffic and began to investigate.

As previously reported, compromised phones are left under the control of a botnet server in Lithuania. Duh changes the root password of compromised iPhones, allowing the crooks to log in to compromised units and carry out further malicious actions.

SophosLabs researcher Paul Ducklin used a password-cracking tool to discover that the malware changes the iPhone root password from ‘alpine’ to ‘ohshit’.

In addition to the two iPhone worms, an earlier hacking/extortion attack targeting iPhone users in the Netherlands also exploited the default-password SSH backdoor on jailbroken iPhones.

Security experts strongly advise users of jailbroken phones to change their root password from ‘alpine’ immediately to avoid further attacks along the same lines. The ‘mobile’ user account ships with the same default password and should be changed at the same time, and users who do not actually need remote access should simply remove or disable the SSH server.

Credit: The Register


Phishing Experiment Bypasses All Anti-spam Filters

Thursday, October 29th, 2009

A recently conducted ethical phishing experiment, which impersonated LinkedIn by mailing invitations purporting to come from Bill Gates, achieved a 100% success rate in bypassing the anti-spam filters it was tested against.

The experiment emphasises how small-scale spear-phishing campaigns are capable of bypassing anti-spam filters, and once again shows that users continue to interact with phishing emails.

The scenario was a LinkedIn invitation, posing as an invitation from Bill Gates to join his network. LinkedIn was selected because it was available and is a social network recognised by most executives, and because LinkedIn email should already be recognised by most existing email systems, which may have helped delivery into the mailbox.

“The phishing site was based on the LinkedIn sign-in page. The form action was changed so that the user would be redirected to a subsequent page on our site. No usernames or passwords were collected during this assessment. All targeted users were contacted before the phishing email was sent, and were expecting a LinkedIn invitation from Bill Gates.”

A similar study was conducted by ethical phishing vendor PhishMe.com in March this year; based on 32 phishing scenarios tested against 69,000 employees, it found that people are less cautious about clicking on active links in emails than about handing over sensitive data when asked for it. Not surprisingly, PhishMe cites this behaviour as a possible opening for blended threats, similar to known cases where phishing and scareware sites also served client-side exploits.

With the price of a thousand active Gmail, Yahoo Mail and Hotmail accounts falling thanks to the economies of scale achieved by vendors of CAPTCHA-solving services, and with numerous tools at the spammer’s disposal to take advantage of those accounts, in the long term all spammers will start abusing the DomainKeys trust already established among the most popular free email providers: mail sent from a genuine Gmail or Yahoo account carries the provider’s own signature and reputation, so filters that trust those signatures wave it through.

Credit: ZDNet.com Security Blogs


US And Egyptian Authorities Arrest 100 Phishers In Biggest Cybercrime Case Ever

Thursday, October 8th, 2009

US and Egyptian authorities have charged 100 people with running a phishing operation that siphoned at least $1.5m from thousands of accounts belonging to Bank of America and Wells Fargo customers.

Fifty-three defendants from California, Nevada and North Carolina were named in a federal indictment unsealed Wednesday. Prosecutors said it was the largest number of defendants ever charged in a cybercrime case. Authorities in Egypt charged an additional 47 people.

Operation Phish Phry, as the case was dubbed, marks the first joint cyber investigation between law enforcement agencies in those two countries. The case was filed in federal court in Los Angeles.

According to the indictment, the Egypt-based defendants phished individuals’ personal information and then used it to access victims’ bank accounts. The phishers then worked with their counterparts in the US so money could be transferred into fraudulent accounts created specifically to receive the stolen funds.

The alleged ringleaders were named as Kenneth Joseph Lucas, Nichole Michelle Merzi and Jonathan Preston Clark, all of California. They directed dozens of “runners” to set up the accounts that would receive the stolen loot. A portion of the funds was wired to the individuals in Egypt who originated the scam. Other defendants were located in Nevada and North Carolina.

Each defendant named in the 51-count indictment is charged with conspiracy to commit wire fraud and bank fraud. If convicted, each faces a maximum penalty of 20 years in federal prison. A handful of defendants were charged with additional felonies, including bank fraud, aggravated identity theft, conspiracy to commit computer fraud and domestic and international money laundering.

The operation is an object lesson in the scale and coordination found in today’s professional phishing operations. The charges are the result of an investigation that began in 2007, when FBI agents identified criminal enterprises targeting US financial institutions.

“The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed,” Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, said in a statement.

Credit: The Register


List of 20000 More Email Accounts From Gmail, Hotmail, Yahoo, AOL And Others Posted Online

Tuesday, October 6th, 2009

A second list containing webmail addresses and passwords for Hotmail, Yahoo, AOL and Gmail accounts has also surfaced online. Some of the addresses on this list were old or fake, but at least some were genuine, the BBC reports. Both lists have since been taken offline and are no longer directly accessible.

Hackers used fake websites to harvest the login credentials for the webmail accounts. The phishing scam was originally thought to target just Hotmail users: it came to light when around 10,000 Hotmail addresses and passwords were posted at Pastebin, a website commonly used by developers to share code. The second list brought the total of purloined usernames and passwords posted online to roughly 30,000, and the leaked details reportedly also included Gmail, Comcast and Earthlink accounts.

A spokesperson for Microsoft said phishing was an “industry-wide problem”. “Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.”

Google confirmed to BBC News that its Gmail service had been targeted as part of an “industry-wide phishing scheme”, and said it had taken immediate action to safeguard the affected accounts.

Yahoo also confirmed that an unspecified number of Yahoo webmail accounts were on the leaked list, though it could not confirm how many of them were genuine:

We are aware that a limited number of Yahoo! IDs have been made public.

Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security. We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords. We also encourage our customers to review resources that provide guidelines on email safety.

Rik Ferguson, a security researcher at Trend Micro, said that the security firm had begun detecting spam sent through these compromised Hotmail accounts.

As many as two in five people use the same password for every site they use. That means access to a webmail account gives hackers a head start in accessing online banking or PayPal accounts linked to the same address, and since those services send their password-reset emails to that same mailbox, the attacker does not even need the password to be reused. Underground bazaars and carder forums are full of sales of these more sensitive login credentials. Email addresses have been sold alongside purloined credit card numbers and online bank accounts for months if not years on such black-market forums.

Credit: BBC News, The Register


List Of 10033 Phished Hotmail Account Passwords Posted Online, Still Available In Google’s Cache

Monday, October 5th, 2009

Neowin.net has reported a possible Windows Live Hotmail “hack” or phishing scheme in which the passwords of thousands of Hotmail accounts have been posted online.

An anonymous user posted the account details on October 1 at pastebin.com, a site commonly used by developers to share code snippets. The details have since been removed, but according to Neowin the accounts are genuine and most appear to belong to users in Europe. The list contains 10,033 accounts with names starting with A through B, suggesting it is only part of a bigger list. Currently it appears that only accounts used to access Microsoft’s Windows Live Hotmail have been posted, including @hotmail.com, @msn.com and @live.com addresses; some are @hotmail.fr and @live.it, and a few are @yahoo.es. Neowin reported this immediately to Microsoft’s Security Response Center and to Microsoft’s PR teams in the UK and US and is awaiting feedback on the situation; it is posting updates as the story develops.

If you are a Windows Live Hotmail user Neowin recommends that you change your password and security question immediately.

According to Neowin, Microsoft has fully confirmed their initial reports. According to a Microsoft spokesperson, “over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.”

Unfortunately, according to our check, the list could still be found in Google’s cache at the time of writing.

Google has been contacted by CyberInsecure in order to have the cached page removed from search results.

UPDATE: Google removed the cached page after about three hours.


Cache-poisoning Attack Sends Top Brazilian Bank Users To Scam Sites

Wednesday, April 22nd, 2009

One of Brazil’s biggest banks has suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware, according to an unconfirmed report.

The redirection of Bradesco customers was the result of what’s known as a cache-poisoning attack on the DNS servers of Brazilian internet service provider NET Virtua.

DNS cache poisoning attacks exploit weaknesses in the internet’s domain name system. ISPs that haven’t patched their resolvers against the vulnerabilities are susceptible to attacks that replace the legitimate IP address of a given website with one chosen by the attacker. End users who rely on the ISP’s lookup service are then taken to malicious websites even though they typed the correct domain name into their browser.

“That’s pretty serious when you’re talking about a banking organization,” said Paul Ferguson, a security researcher with anti-virus provider Trend Micro. “If people are trying to log in to their account and they get rejected, they’ll try again and again with the same user name and password.”

DNS cache poisoning has been around since the mid-1990s, when researchers discovered that DNS resolvers could be flooded with forged responses carrying spoofed IP addresses for sensitive websites. A resolver stores the incorrect information for hours or days at a time, so the attack has the potential to send large numbers of end users to fraudulent websites that install malware or masquerade as a bank or other trusted destination and steal sensitive account information.

In 1998, Eugene E. Kashpureff admitted to federal US authorities that on two occasions the previous year he used cache poisoning to divert traffic intended for InterNIC to AlterNIC, a competing domain name registration site that he owned.

Makers of DNS software were largely able to prevent those attacks by adding pseudo-random 16-bit transaction IDs to lookup requests, which any response must echo back before the resolver will accept it. Then, last year, IOActive researcher Dan Kaminsky revealed a new way to poison DNS caches: by making a resolver look up a stream of random, non-existent subdomains, an attacker gets unlimited guesses at the transaction ID without waiting for a cached record to expire, and each forged answer can carry bogus records for the target domain itself. The disclosure touched off a mad scramble by the world’s ISPs to patch their resolvers (chiefly by also randomising the UDP source port) before the flaw was exploited.
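The transaction-ID check and the source-port fix described above can be shown with a toy model. The following added example is written for this page and does not model any real resolver or the BIND code base; it simulates a resolver that accepts the first reply matching its outstanding query, and a blind attacker who has seen the resolver’s previous transaction ID and fires forged replies at the next one. The `resolver_t` structure, `poisoned_count` and the xorshift PRNG are this example’s own inventions. It counts how often forged replies are accepted under three policies: counter TXID, random TXID, and random TXID plus random UDP source port.

```c
/* txid_demo.c: why a guessable DNS transaction ID made cache poisoning easy,
 * and what randomising it (and the UDP source port) buys.
 * Added example, not from the original article; the resolver and attacker
 * here are a toy model, not any real DNS implementation.
 *
 * Model: the resolver sends one query and accepts the first reply whose
 * transaction ID and destination port match the outstanding query. The
 * attacker cannot see the query in flight, but has seen the resolver's
 * previous transaction ID (e.g. by having it query a server the attacker
 * runs) and sends `forged` replies before the real answer arrives.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Small deterministic PRNG (xorshift64*) so every run gives the same counts. */
static uint64_t rng_state;
static uint32_t rng(void)
{
    rng_state ^= rng_state >> 12;
    rng_state ^= rng_state << 25;
    rng_state ^= rng_state >> 27;
    return (uint32_t)((rng_state * 0x2545F4914F6CDD1DULL) >> 32);
}

typedef struct {
    bool     random_txid;  /* false: 1990s-style incrementing counter        */
    bool     random_port;  /* true: random UDP source port (post-Kaminsky fix) */
    uint16_t next_txid;    /* the counter, when TXIDs are not randomised       */
    uint16_t txid, port;   /* the query currently in flight                    */
} resolver_t;

static void send_query(resolver_t *r)
{
    r->txid = r->random_txid ? (uint16_t)rng() : r->next_txid++;
    r->port = r->random_port ? (uint16_t)(1024 + rng() % 64512) : 53;
}

/* The attacker's blind guesses. Against a counter the next TXID is last+1, so
 * the first forged packet lands; otherwise each guess has a 1/65536 chance,
 * times 1/64512 when the port is random too. */
static bool forged_reply_accepted(const resolver_t *r, uint16_t last_seen_txid, int forged)
{
    for (int i = 0; i < forged; i++) {
        uint16_t guess_txid = r->random_txid ? (uint16_t)rng()
                                             : (uint16_t)(last_seen_txid + 1 + i);
        uint16_t guess_port = r->random_port ? (uint16_t)(1024 + rng() % 64512) : 53;
        if (guess_txid == r->txid && guess_port == r->port)
            return true;
    }
    return false;
}

/* Runs `trials` independent poisoning attempts and returns how many succeeded. */
int poisoned_count(bool random_txid, bool random_port, int forged, int trials)
{
    resolver_t r = { random_txid, random_port, 1000, 0, 0 };
    rng_state = 0x9E3779B97F4A7C15ULL;   /* fixed seed: reproducible results */
    int wins = 0;
    for (int t = 0; t < trials; t++) {
        uint16_t last_seen = (uint16_t)(r.next_txid - 1);  /* previous query's TXID */
        send_query(&r);
        if (forged_reply_accepted(&r, last_seen, forged))
            wins++;
    }
    return wins;
}

int main(void)
{
    printf("counter TXID, port 53,        1 forged reply/query:   %4d / 1000\n",
           poisoned_count(false, false, 1, 1000));
    printf("random TXID,  port 53,      100 forged replies/query: %4d / 1000\n",
           poisoned_count(true, false, 100, 1000));
    printf("random TXID + random port,  100 forged replies/query: %4d / 1000\n",
           poisoned_count(true, true, 100, 1000));
    return 0;
}
```

With a counter, every attempt succeeds with a single forged packet. A random 16-bit TXID drops that to roughly one success per 65,536 forged replies, which is a real obstacle only while the attacker gets one shot per cached record; Kaminsky’s trick of querying unlimited random subdomains removes that limit, which is why the emergency fix had to multiply the search space by the roughly 64,000 possible source ports rather than rely on the TXID alone.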

The article from Globo.com cited a Bradesco representative who said that about 1 percent of the bank’s customers were affected by the attack. It went on to suggest that customers who were paying attention would have noticed that Bradesco’s SSL certificate generated an error when they were redirected to the fraudulent login page. That warning is the one thing DNS poisoning cannot forge on its own: controlling where the name resolves does not give the attacker a certificate valid for the bank’s domain, so the browser’s certificate error was the genuine signal that something was wrong.

Interestingly, it also said that a domain used for Google AdSense was redirected to a site that used malicious JavaScript to install malware on redirected machines. The attacks have since been resolved, the article stated.

It’s still not clear exactly how the caches were tainted. Representatives for the ISP and the bank hadn’t responded to requests for comment at time of publication.

Credit: The Register


UEFA Lottery Scam Targets UK Football Fans

Saturday, April 18th, 2009

Fans of Chelsea, Arsenal and Manchester United are being targeted by a new email scam that attempts to trick recipients into sending premium-rate text messages in the hope of winning non-existent Champions League final tickets.

The ruse promises entry into a draw for a chance at a seat at the Stadio Olimpico on 27 May but promises only to empty fans’ pockets, net security firm BitDefender warns. The Champions League scam and a similarly themed UEFA Cup scam are aimed at mobile subscribers and began circulating earlier this week, before Liverpool and Manchester City were knocked out of the competitions.

“Under the false appearance of a lottery that offers tickets to the final matches, the text-based spam invites recipients to send text messages with the name of their favorite team to a specific number,” BitDefender analyst Razvan Livintz explains. “Most likely, cybercriminals collect a fee for each SMS, but they do not give any ticket to Sükrü Saracoglu Stadium or Stadio Olimpico in return.”

Credit: The Register
