According to CBC News, an unprecedented cyberattack on the Canadian government, apparently from China, has given foreign hackers access to highly classified federal information and forced at least two key departments off the internet.
The attack, first detected in early January, left Canadian counter-espionage agents scrambling to determine how much sensitive government information may have been stolen and by whom. Highly placed sources tell CBC News the cyberattacks were traced back to computer servers in China. They caution, however, that there is no way of knowing whether the hackers are Chinese, or some other nationality routing their cybercrimes through China to cover their tracks.
The government initially issued a terse statement, passing it all off as merely an “attempt to access” federal networks. It has refused to release any further information. Sources have confirmed, however, that the attackers successfully penetrated the computer systems at the federal government’s two main economic nerve centres, the Finance Department and Treasury Board.
The hackers apparently managed to take control of computers in the offices of senior government executives as part of a scheme to steal the key passwords that unlock entire government data systems. It is unclear whether the attackers were able to compromise other departmental computer networks, including those that contain Canadians’ sensitive personal information such as tax and health records.
Once the attack was detected in early January, government cybersecurity officials immediately shut down all internet access in both departments in an attempt to stop stolen information from being sent back to the hackers over the net. The move left thousands of public servants without internet access, although officials in both affected departments report service has slowly been returning to normal since the attack.
The hackers, posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks. At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network.
The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.
Auditor-General Sheila Fraser, for one, first raised the alarm in 2002 when she warned: “There are weaknesses in the system. There are access controls that need to be fixed; there are a whole series of minimum security issues that are not being dealt with. There are vulnerabilities. Government needs to fix them.” Three years later, Fraser checked again and found not much had changed.
Credit: CBC.ca News
Security researchers from Sunbelt warn that phishers are trying to steal Live IDs from Xbox users, through a fake program which promises a free Gamertag change.
Gamertags are the unique names used by players on Microsoft’s Xbox LIVE platform, and they can only be modified through a special service in exchange for 800 Microsoft Points.
Microsoft also forces users to change their Gamertag if it is deemed offensive by other users, in which case the operation is free of charge.
According to Christopher Boyd, a senior threat researcher at Sunbelt (now part of GFI Software), many users still believe that it is possible to trick the system into allowing a free Gamertag change, if all their friends report it.
Of course, Microsoft has checks in place to detect such fraud attempts, but the myth’s persistence offers a good opportunity for phishers to prey on less knowledgeable players.
Boyd reports that there’s a program called “Gamertag Changer” going around that does nothing more than steal Windows Live credentials from Xbox gamers.
The application claims that it will file numerous complaints regarding the user’s Gamertag in order to trigger an automatic change from the system.
“Microsoft has an automatic system that makes you change your gamertag somewhere between 100-200 complaints.
“This program will send out around 500 at most to be sure you can change your gamertag,” part of the description reads.
Users who fall for the trick and input their credentials will see a message asking them to leave the application open for at least two minutes and then try to re-login on Xbox LIVE.
Meanwhile in the background, the program sends the captured Gamertag, Live ID and password to an email address controlled by the phisher.
“Considering all the things you can use a Windows LIVE ID for, it isn’t really something you want to be handing over to Little Jimmy Hackpants. VirusTotal scores are extremely low at this point – just 2/43,” the Sunbelt researcher advises.
Credit: Softpedia.com News
Security researchers from Sunbelt warn of a new wave of spam emails, which masquerades as official communications from Google in an attempt to steal login credentials from Gmail users.
The fake emails are well formulated and display visual elements associated with the Web search giant, such as the Google Accounts logo or the copyright notice.
The messages purport to originate from the Google Team and read as follows:
“Hello,
Your Google account information is incomplete, We recommend that you update your Google account for security reasons.
Download and open the attachment in this mail and follow the direction to update your Google account.”
The attached file is an HTML document called Gmail_access.html. Opening it in any browser will display a fake page almost identical to the one used to sign into Gmail.
In fact, the images and other elements present on the rogue page are actually loaded from Google’s real website. “If you check the attachment source code you can see that it sucks genuine Gmail page elements,” Tom Kelchner writes on the Sunbelt blog.
The fake sign-in form sends the entered data to a ServiceLoginAuth.php script hosted on an external domain, which stores it for the attackers. “The information entered on the bogus page is snatched by a site registered to someone in Sremska Kamenica, Serbia,” Kelchner explains.
However, this seems to be a legit website that has been compromised, as it runs an outdated and probably vulnerable version of the e107 content management system. This campaign appears to have started sometime at the beginning of this month as there are reports about it on the official Gmail help forum dating back to September 1.
Fortunately, there is a simple way for users to check whether they are on the real Gmail login page: the genuine sign-in page is served over SSL (https) by default, whereas a form opened from a local HTML attachment has no such secure connection to Google at all.
Credit: Softpedia.com News
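The give-away in the Gmail_access.html lure described in the Softpedia item above is the form action: the page borrows Google's real images but posts the credentials to a script on a foreign host. The following triage helper is an added example, not code from Softpedia or Sunbelt; it parses an HTML attachment and flags any form with a password field whose action does not post over https to a google.com host. The sample attachment is constructed, the ServiceLoginAuth.php name comes from the story, and phish-host.invalid is a placeholder standing in for the compromised domain.

```python
"""Added example: flag login forms in an HTML attachment that post off-origin.

Not code from the Softpedia story or Sunbelt's post.  Assumptions: the real
Gmail form posts to a google.com host over https; phish-host.invalid is a
placeholder for the compromised site; the sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the genuine Gmail sign-in form is expected to post to (assumption).
EXPECTED_DOMAIN = "google.com"


class FormCollector(HTMLParser):
    """Record every <form> action and whether the form has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values may be None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host_matches(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_login_forms(html, expected_domain=EXPECTED_DOMAIN):
    """Return (action, reason) pairs for password forms that post off-origin.

    An attachment opened from disk has no web origin, so an empty or relative
    action (no host at all) is treated as just as suspect as a foreign host.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = form["action"].strip()
        url = urlparse(action)
        host = (url.hostname or "").lower()
        if not _host_matches(host, expected_domain):
            where = host or "the local file"
            findings.append((action, f"posts to {where} instead of {expected_domain}"))
        elif url.scheme.lower() != "https":
            findings.append((action, "posts to the right domain but not over https"))
    return findings


# Constructed lure in the style described above: real Google image, fake form.
SAMPLE_ATTACHMENT = """<html><body>
<img src="https://www.google.com/accounts/google_transparent.gif">
<form method="post" action="http://phish-host.invalid/ServiceLoginAuth.php">
  Username: <input type="text" name="Email">
  Password: <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>"""

# Constructed benign counterpart: the same form posting to Google over https.
BENIGN_PAGE = SAMPLE_ATTACHMENT.replace(
    "http://phish-host.invalid/ServiceLoginAuth.php",
    "https://www.google.com/accounts/ServiceLoginAuth")

if __name__ == "__main__":
    for action, reason in suspicious_login_forms(SAMPLE_ATTACHMENT):
        print(f"SUSPICIOUS form action {action!r}: {reason}")
    print("benign page findings:", suspicious_login_forms(BENIGN_PAGE))
```

The check is deliberately narrow: it says nothing about page content or branding, only about where typed credentials would go, which is the one property a lure that clones the real page cannot fake without giving up the stolen data.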
Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.
According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.
The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.
Contrary to previous speculation, there was no evidence that vulnerabilities in Adobe’s Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, Adobe concurred, saying researchers “have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident.”
Kurtz said his findings were based on malware samples taken from “three to five” of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.
“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer,” Kurtz wrote. “Our investigation has shown that Internet explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.”
Shortly after the report, Microsoft confirmed the new IE vulnerability was “one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks.” A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.
McAfee’s report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the “highly sophisticated and targeted attack” on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.
Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed “congressional and industry sources.”
The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.
“This wasn’t something that got blasted to 300,000 people in a corporation,” Kurtz said in an interview with The Register. “It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera.”
Kurtz has dubbed the attack “Aurora,” a reference to the filepath on the attacker’s machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.
The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.
A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn’t say when an update would be released that patches the vulnerability.
Credit: The Register, SANS ISC
A phisher hoping to harvest bank login details managed to smuggle his app onto the Android app store. The Android Market, launched in October 2008, offers more than 20,000 mobile applications for download.
Malicious apps posted by Droid09 were quickly identified, prompting a warning to legitimate users and a ban for the VXer. The incident raises questions about whether a tighter vetting process is needed for the Android Marketplace.
The rogue Android application posed as a legitimate banking applet, but was actually designed to trick marks into handing over bank login details to fraudsters, an alert by credit union First Tech warns. The credit union, which said it wasn’t targeted by the attack, doesn’t even have an app for Android as yet.
Android fans who downloaded any of Droid09’s apps are advised to purge them from their phones before consulting their mobile phone firm for further advice.
The incident happened in December, but became public after news outlets picked up on First Tech Credit Union’s fraud alert on Monday.
Credit: The Register
CA research blog recently published a list of threats to remind everyone about online safety this holiday season. Here are the top ten according to their list:
No. 1 – Avoid ‘Click-happy’ Accidents
Don’t be a ‘click-happy’ person; be cautious before clicking on and following links.
No. 2 – Evil Greeting Cards
Watch your incoming emails! In the past we’ve seen Waledac malicious greeting cards such as “e-Cards”, “You’ve received a Greeting Card…” and recent ones are getting more personalized subjects like “Hello Darling”.
No. 3 – Phishing Tricks
Beware of phishers! Phishing emails commonly target PayPal, eBay and Amazon users, although fake bank notifications and credit card fraud are also among the top schemes of these financially motivated attackers.
No. 4 – Surfing Disaster
Surf the internet safely and make sure your online security protection is turned on (firewall, HIPS and anti-malware). Cyber threats use black-hat search engine optimization to direct traffic to malicious websites.
Another surfing disaster is visiting a legitimate website that has been infected to serve a drive-by download.
No. 5 – Holiday Scammers
If it sounds too good to be true, then think again.
These scams may arrive with a very convincing pitch, whether offering you a job, big discounts or a lottery win. In most cases they provide instructions on how to claim the offer, which often require an initial sum of money or personal information such as credit card details.
No. 6 – Charity Fraud
Are you in the mood for helping and giving this season?
Donate, but make sure you know and understand the cause of your selected charity organization. Avoid hasty decisions made by simply following a good-looking email or visiting an unfamiliar website. Spend time researching, and don’t hesitate to ask!
No. 7 – Deceptive Shopping Deals
In a gloomy economy, many of us try to get the most from our money by finding the best deal. The Internet has been a great source of information, including discount coupons, gift cards and freebies. Scammers often mislead users and demand money, such as a joining or membership fee, or try to sell items or obtain credit card information.
Online shoppers should also be wary of dubious “price-comparison” websites.
No. 8 – Dangerous Downloads & Installs
Spammed malware uses social engineering techniques such as the “Delivery Problem” email, which pretends to come from legitimate companies such as UPS, DHL and FedEx. Its convincing look and content often lead the user to manually download and install a malicious program.
Another source of dangerous downloads and installs is searching for pirated software.
No. 9 – Identity Theft
Holiday hackers, password stealers and banking trojans may take advantage of the festive season.
Social networking sites are another notable target this season. These communities are where people get in touch with friends and family by sending greetings and updates and sharing photos and videos. Threats such as Koobface may take advantage of the “happy mood” by deploying customized themes to increase their chances of infection.
No. 10 – Enable Security Protections
Be cautious about your online activity, enable online protection, update your security software and save energy by turning off your computer when not in use (this also keeps insider and outsider threats from sneaking into your files).
Credit: CA Community Blogs, Methusela Cebrian Ferrer
The second worm to infect jailbroken iPhone users reportedly targets customers of Dutch online bank ING Direct. Surfers visiting the site with infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users of the attack via its website, as well as briefing front-line call centre staff on the threat.
Mikko Hypponen, chief research officer at F-Secure, said the threat had in any case been neutralised. “It [the worm] was targeting ING. The websites it needed for this to work have now been taken down.”
Anti-virus analysts, still in the process of analysing the malware, caution that the attack is a bit more complex than simple phishing and seems to involve an attempt to snatch SMS messages associated with online banking transactions. We’re yet to hear back from ING Direct on this point but we’ll update this story as and when we hear more.
What is clear is that the “Duh” or Ikee-B worm, like the earlier Rickrolling worm, exploits an SSH backdoor on jailbroken handsets in order to spread.
Part of the process of jailbreaking iPhones to allow unofficial software to be installed can involve installing SSH (secure shell) remote access. Users who go through this step but fail to change the iPhone’s default root password from ‘alpine’ leave a backdoor wide open to attack.
Although Duh exploits the same SSH backdoor as the original Ikee worm, the latest malware is far more dangerous than its predecessor. Duh turns compromised devices into a botnet under the control of unidentified hackers. The Rickrolling Ikee worm, by contrast, only changes users’ wallpaper to an image of cheesy pop warbler Rick Astley.
Duh also searches across a wider range of IP ranges than Ikee, which only ever affected Optus users in Australia. It includes IP ranges allocated to carriers in several countries, including The Netherlands, Portugal, Australia, Austria, and Hungary. All the infections reported thus far have happened in The Netherlands. The attack only came to light after a Dutch ISP noticed unusual traffic and began to investigate.
As previously reported, compromised phones are left under the control of a botnet server in Lithuania. Duh changes the root password of compromised iPhones, allowing crooks to log into compromised units and carry out further malicious actions.
SophosLabs researcher Paul Ducklin used a password cracking tool to discover that the malware changes iPhone root passwords from ‘alpine’ to ‘ohshit’.
In addition to the two iPhone worms, an earlier hacking/extortion attack (targeting iPhone users in the Netherlands) also exploited the default password SSH backdoor on jailbroken iPhones.
Security experts strongly advise users of jailbroken phones to change their passwords from ‘alpine’ immediately to avoid further attacks along the same lines.
Credit: The Register
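The Duh infections described above only came to light because an ISP noticed unusual traffic: a worm looking for jailbroken handsets with the default SSH password has to open port 22 connections to a great many addresses in a short time. The script below is an added example, not from The Register piece or from any of the researchers quoted, of the kind of check a network operator could run over flow records to surface such sweeping hosts. The flow records and their four-field layout are constructed for the example; the 60-second window and 20-target threshold are assumed starting points a real deployment would tune.

```python
"""Added example: find hosts sweeping port 22 across many addresses.

Not code from The Register story.  Flow records are constructed here with the
assumed layout '<epoch seconds> <src ip> <dst ip> <dst port>'; window and
threshold values are assumptions to be tuned per network.
"""
from collections import Counter, defaultdict


def parse_flows(text):
    """Parse constructed flow lines into (ts, src, dst, port); skip bad lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def ssh_sweepers(flows, window_s=60, min_targets=20):
    """Return {src: peak distinct port-22 targets} for sources over threshold.

    For each source, a sliding window of window_s seconds is moved over its
    port-22 connections (sorted by time) and the number of distinct targets in
    the window is tracked; the source is flagged if that peak reaches
    min_targets.  Ordinary admin use touches a handful of hosts; a scanning
    worm touches dozens within seconds.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 22:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct dst -> count of flows in window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict flows older than the window from the left edge.
            while events[left][0] < ts - window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def constructed_flows():
    """Build a constructed flow log with one sweeping host and two benign ones.

    Target addresses use the reserved documentation ranges.
    """
    base = 1259000000
    lines = []
    # Worm-like host: 30 distinct targets on port 22 within 30 seconds.
    for i in range(30):
        lines.append(f"{base + i} 10.0.5.17 203.0.113.{i} 22")
    # Ordinary host: three SSH sessions plus a burst of web browsing.
    for i in range(3):
        lines.append(f"{base + 5 + i * 10} 10.0.5.40 203.0.113.{200 + i} 22")
    for i in range(50):
        lines.append(f"{base + i} 10.0.5.40 198.51.100.{i} 80")
    # Slow host: 25 SSH targets, but only one every 30 seconds.
    for i in range(25):
        lines.append(f"{base + i * 30} 10.0.5.99 192.0.2.{i} 22")
    lines.append("garbage line that should be skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in ssh_sweepers(parse_flows(constructed_flows())).items():
        print(f"{src}: {peak} distinct SSH targets inside one window")
```

The slow host shows why the window matters: it eventually contacts more addresses than the threshold, but never enough at once to stand out, so a simple per-day count would either miss the fast sweeper or flag every admin jump host.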
A recently conducted ethical phishing experiment impersonating LinkedIn, by mailing invitations purportedly from Bill Gates, achieved a 100% success rate in bypassing the anti-spam filters it was tested against.
The experiment emphasizes how small-scale spear phishing campaigns are capable of bypassing anti-spam filters, and once again proves that users continue to interact with phishing emails.
The scenario was an invitation from LinkedIn, posing as an invitation from Bill Gates to join his network. LinkedIn was selected due to availability, and the fact that it is a social network recognized by most executives. The selection of LinkedIn was also based on the fact that LinkedIn email should already be recognized by most existing email systems, and this may have helped delivery into the mailbox.
The phishing site was based on the LinkedIn sign-in page. The form action was changed so that the user would be redirected to a subsequent page on our site. No usernames or passwords were collected during this assessment. All targeted users were contacted before the phishing email was sent, and were expecting a LinkedIn invitation from Bill Gates.
A similar study was conducted by ethical phishing vendor PhishMe.com in March this year, pointing out that, based on the 32 phishing scenarios tested against 69,000 employees, people are less cautious when clicking on active links in emails than when they are asked for sensitive data. This behavior is, not surprisingly, cited by PhishCamp as a possible opportunity for introducing blended threats, similar to known cases where phishing and scareware sites were also serving client-side exploits.
With the average price for a thousand active Gmail, Yahoo Mail and Hotmail accounts decreasing due to the economies of scale achieved by the vendors of CAPTCHA-solving services, and the numerous tools available at the spammer’s disposal to take advantage of these accounts, in the long-term all spammers will start abusing the already established DomainKeys trust among the most popular free email service providers.
Credit: ZDNet.com Security Blogs
US and Egyptian authorities have charged 100 people with conducting a phishing operation that siphoned at least $1.5m from thousands of accounts belonging to Bank of America and Wells Fargo customers.
Fifty-three defendants from California, Nevada and North Carolina were named in a federal indictment unsealed Wednesday. Prosecutors said it was the largest number of defendants ever charged in a cybercrime case. Authorities in Egypt charged an additional 47 people.
Operation Phish Phry, as the case was dubbed, marks the first joint cyber investigation between law enforcement agencies in those two countries. The case was filed in federal court in Los Angeles.
According to the indictment, the Egypt-based defendants phished individuals’ personal information and then used it to access victims’ bank accounts. The phishers then worked with their counterparts in the US so money could be transferred into fraudulent accounts created specifically to receive the stolen funds.
The ringleaders were named as Kenneth Joseph Lucas, Nichole Michelle Merzi and Jonathan Preston Clark, all of California. They directed dozens of “runners” to set up the accounts that would receive the stolen loot. A portion of the funds was wired to the individuals in Egypt who originated the scam. Other defendants were located in Nevada and North Carolina.
Each defendant named in the 51-count indictment is charged with conspiracy to commit wire fraud and bank fraud. If convicted, each faces a maximum penalty of 20 years in federal prison. A handful of defendants were charged with additional felonies, including bank fraud, aggravated identity theft, conspiracy to commit computer fraud and domestic and international money laundering.
The operation is an object lesson in the scale and coordination found in today’s professional phishing operations. The charges are the result of an investigation that began in 2007, when FBI agents identified criminal enterprises targeting US financial institutions.
“The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed,” Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, said in a statement.
Credit: The Register
A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports. Both lists have been taken offline, so are no longer directly accessible.
Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. The phishing scam was originally thought to target just Hotmail users. It was brought to light when 10,000 Hotmail addresses were posted online at Pastebin, a website commonly used by developers to share code.
A spokesperson for Microsoft said phishing was an “industry-wide problem”. “Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.”
Google has confirmed to BBC News that its e-mail system – Gmail – has been targeted as part of an “industry-wide phishing scheme”. The search giant said that it had taken immediate action to safeguard the affected accounts.
Yahoo also confirmed that an unspecified number of Yahoo webmail accounts were on the leaked list. It couldn’t confirm how many of the profiles were genuine:
We are aware that a limited number of Yahoo! IDs have been made public.
Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security. We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords. We also encourage our customers to review resources that provide guidelines on email safety.
Rik Ferguson, a security researcher at Trend Micro, said that the security firm had begun detecting spam sent through these compromised Hotmail accounts.
As many as two in five people use the same password for every site they use. That means access to a webmail account gives hackers a head start in accessing online banking or PayPal accounts linked to the same address. Underground bazaars and carder forums are full of sales of these more sensitive login credentials. Email addresses have sold alongside purloined credit card numbers and online bank accounts for months if not years on such black market forums.
Credit: BBC News, The Register