A malvertising attack targeted TweetMeme.com users today after a rogue advertiser made its way onto the website. The malicious advertisements directed users to third-party websites displaying fake malware alerts, with the purpose of convincing users to install scareware.
Malvertising (malicious advertising) is a type of attack in which cyber crooks manage to insert, into a legitimate website, rogue ads that lead users to malicious content. The practice is commonly employed by scareware pushers to distribute their fake antivirus products.
According to StopMalvertising, a website dedicated to researching and stopping such attacks, TweetMeme users were targeted via malicious advertisements served by a rogue advertiser at y5-media.com. An investigation of the incident revealed that the threat distributed through these malvertisements was a fake antivirus called Security Threat Analysis.
The researchers explain that requests to y5-media.com bounce through two other websites before landing on the scareware domains. In order to fly under the radar, the cyber crooks tried to make the attack as subtle as possible.
“Both domains perform various checks to see whether you’re a bot, a search engine, a proxy … as in those cases the redirect to the scareware will not happen,” the researchers explain. Also, if a user visits the malicious websites once, a cookie is added in his browser to prevent him from being targeted again.
The landing websites at www3.luckfind42td.in and www2.guardhere5.in display the typical fake malware scans associated with scareware scams. When these scans are “done”, the users are taken to another domain called www1.wareforyou10.in, which serves a file called packupdate107_302.exe for download. This is a program in the FakeAV family of malware, which currently has a very low AV detection rate.
Malvertisements can be very dangerous because, unlike black-hat search engine optimization campaigns that poison search results with malicious links, they are a lot harder to detect, and they abuse the trust that users put in legitimate websites. Popular websites that were previously affected by similar attacks include the New York Times, Gizmodo and Digital Spy.
Credit: Softpedia.com News
Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.
The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.
Predictably enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or to false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Bieber to play North Korea on an upcoming tour.
In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.
“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”
The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely to be used in new anti-virus (scareware) scams.
Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.
“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”
Credit: The Register
A two-year-long investigation into an international credit-card fraud ring has culminated in the arrest of 178 individuals and the dismantling of numerous credit-card cloning laboratories. Authorities estimate that, while it was operational, the cybercriminal network, with branches in several European countries, the U.S. and Australia, stole almost $25 million.
According to the Spanish National Police (Policía Nacional), the investigation began almost two years ago in the city of Valencia, where a group of individuals was suspected of counterfeiting credit cards. The evidence-gathering efforts of the authorities eventually revealed that one of the suspects was the leader of a larger, but very well structured, cross-border criminal organization.
“The organization had multiple subgroups that would function autonomously in the various countries where they carried out their illegal activities. Every subgroup had a leader who, for safety reasons, was the only one to keep in contact with the head of the organization. This is why they were able to carry on with their business despite the arrest of some local members. The leaders would divide the territories between themselves and have no second thoughts about using coercive methods to eliminate the competition. To ensure this ‘territoriality’ part of the profits was delivered to the high-ups of the organization,” the Spanish National Police explains.
In true Mafia style, in order to prevent local leaders from speaking if arrested, the organization took care of all legal fees and provided for their families while they remained in jail. Furthermore, the organization did not hold back from threats and extortion to achieve its goals. To avoid discovery, the leaders’ cut was always delivered to them personally by trusted associates.
In Spain, the police executed 48 search warrants and detained 76 individuals. Six card-cloning laboratories and an R&D one were raided, the authorities finding 30 ATM skimmers, 5,000 cloned cards, 120,000 stolen credit card numbers and various electronic equipment used in counterfeiting.
Additionally, 16 people were arrested in Romania in connection with this investigation, 30 in France, seven in Italy, 16 in Germany (where a skimming device-manufacturing lab was also dismantled), 12 in Ireland, four in Hungary, three in Finland and two in Greece and Sweden, respectively. U.S. authorities also arrested eight suspects and the Australian police two.
Credit: Softpedia.com News
Microsoft on Thursday unveiled a program to alert banks and online services when accounts they oversee are compromised.
The Internet Fraud Alert will serve as a centralized repository for stolen account credentials and personal information, Microsoft said in a press release announcing the system. It creates a single place to match researchers who discover large caches of pilfered passwords and payment card numbers with the organizations responsible for the compromised accounts. The service is supported by almost a dozen online businesses and fraud-prevention groups.
The vast amount of stolen credentials stashed on servers and sites such as Pastebin.com often makes it hard for people who discover the information to bring it to the attention of the service providers, retailers and other groups whose customers are affected by the breaches. What’s more, many organizations don’t provide a prominent email address or weblink where compromises can be reported. The Anti-Phishing Working Group alone received more than 410,000 unique phishing reports last year.
Microsoft is billing Internet Fraud Alert as a secure location where researchers can systematically report information about compromised accounts. The service then alerts the proper banks, service providers or authorities.
Microsoft developed the technology underpinning the service and donated it to the National Cyber-Forensics and Training Alliance, a group that trains law enforcement agents, academics and public- and private-sector groups to combat online crime. The new project is supported by eBay, PayPal, the American Bankers Association, Citizens Bank, and the Federal Trade Commission, among others.
It goes into effect immediately. More information, including how to participate, is available at http://ifraudalert.org/
Credit: The Register
A clickjacking worm that forced hundreds of thousands of unsuspecting Facebook users to unknowingly post spam messages on their profiles, rapidly spread through the social networking website over the weekend. The worm used catchy news headlines to lure its victims into the trap.
Clickjacking is a Web attack technique that involves hijacking users’ mouse clicks on a page (hence its name) and using them to trigger unauthorized actions. The attack is technically known as user interface (UI) redressing because it hides a clickable object, such as a button, by making it transparent and superimposing it over an innocuous-looking one.
Though not new, the technique was only brought to public attention last year, when reputed Web security researchers Jeremiah Grossman and Robert Hansen disclosed some critical attacks based on it. One of them allowed ill-intentioned hackers to turn on a computer’s Web camera and microphone by exploiting a bug in the Flash Player Settings Manager.
The latest Facebook worm seems to be a proof of concept, because it does nothing destructive and its only purpose is to propagate. The offending messages posted on its victims’ profiles are based on real and catchy news topics from the past several months. “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE”, “This man takes a picture of himself EVERYDAY for 8 YEARS!!”, “The Prom Dress That Got This Girl Suspended From School”, or “This Girl Has An Interesting Way Of Eating A Banana, Check It Out!” are some of the examples.
Clicking on the messages takes users to external pages hosted at blogspot.com, which only display a text that reads “Click here to continue.” However, clicking anywhere on the page abuses the user’s active Facebook session to publish a spam message back to their profile.
“The trick, which uses a clickjacking exploit, means that visiting users are tricked into ‘liking’ a page without necessarily realising they are recommending it to all of their Facebook friends. […] If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your ‘Likes and interests’ section,” advises Graham Cluley, senior technology consultant at Sophos, whose antivirus products detect this threat as Troj/Iframe-ET.
To protect themselves, Mozilla Firefox users can install and use NoScript, a browser extension, which includes protection against clickjacking attacks, amongst others.
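The like-button trick above works only because the target page can be loaded inside a third-party frame. The following is an added example (not code from the original article or from Sophos) of the check a site owner would run over a response's headers to tell whether it still allows that; the header sets at the bottom are constructed samples.

```python
"""Check whether a page's response headers stop third-party framing, the
precondition for the UI-redressing trick the Facebook worm used.
Added example, not code from the original article; the header sets
below are constructed samples."""
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None
    when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def frameable_by_third_party(headers: Dict[str, str]) -> bool:
    """True when an arbitrary origin could load this response in a frame.

    - CSP frame-ancestors, if present, overrides X-Frame-Options.
    - 'none', 'self' or an explicit host list restrict framing; '*' or a
      bare scheme such as https: admits any origin.
    - X-Frame-Options DENY / SAMEORIGIN block framing; ALLOW-FROM is not
      honoured by modern browsers, so it is treated as no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            return any(a == "*" or a.endswith(":") for a in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


# Constructed sample header sets (not captured from any real site).
NO_PROTECTION = {"Content-Type": "text/html"}
XFO_DENY = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
CSP_SELF = {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://partner.example"}
CSP_WILDCARD = {"Content-Security-Policy": "frame-ancestors *",
                "X-Frame-Options": "DENY"}  # CSP wins, so still frameable

if __name__ == "__main__":
    for name, hdrs in [("no headers", NO_PROTECTION), ("XFO DENY", XFO_DENY),
                       ("CSP self", CSP_SELF), ("CSP *", CSP_WILDCARD)]:
        print(f"{name:10s} frameable by third party: {frameable_by_third_party(hdrs)}")
```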
Credit: Softpedia.com News
Miscreants have created a Trojan that poses as a Google Chrome extension. Spammed messages attempt to dupe prospective marks into trying an add-on that “helps you better organize your documents received in your email”.
Interested parties are pointed towards a counterfeit Google Chrome Extensions page, which offers a malware executable. More observant punters will notice that the download is offered in an .exe file and not a .crx Google Chrome extension. Such markers are easily missed, however.
The Trojan horse malware on offer (identified by Romanian security firm BitDefender as Agent-20577) blocks access to Google and Yahoo webpages. Attempts to reach these sites on infected machines are hijacked and redirected to counterfeit sites. Such trickery is commonly a prelude to phishing attacks, or a way for the hackers behind the trick to earn affiliate income from scareware slingers or other undesirables.
The appearance of the attack shows that cybercrooks have begun targeting Google Chrome users, something that only tends to happen when a product or service becomes widely used among end users; it is therefore a compliment (of sorts) to the success of Google’s browser technology.
Credit: The Register
A Trojan circulating in Japan seeks to extort money from shame-faced fans of hentai-themed games. Those who download illegal copies of “over 18” hentai-themed games from file sharing networks are liable to wind up with a nasty surprise, Trend Micro warns.
Some bogus files posing as games from Abel software attempt to trick victims into handing over personal information as part of a supposed game registration process.
Meanwhile, in the background, the malware is collecting information on the victim’s computer including domain, OS version, file use history and IE favourites.
Screenshots from a prospective mark’s PC are also obtained. This data is then published on a publicly-viewable website before victims receive an email pointing them towards the incriminating content from Romancing Inc, which also maintains the domain hosting the incriminating data.
The email offers to resolve the “copyright infringement” and remove incriminating (and potentially embarrassing) information in exchange for a fee.
Trend Micro notes that the Trojan forming the centrepiece of the attack drops MP3 files on a victim’s machine that are elsewhere offered for sale online at an extortionate price of hundreds of thousands of dollars.
Security researcher Rik Ferguson writes: “Could it be that once a victim has shown themselves to be extortion-friendly they will get hit with yet another ‘copyright infringement’ notice from Romancing Inc? Japanese copyright law was strengthened this year largely in an attempt to address the problem of illegal downloading.
“This is certainly another illustration of why, in the long run, you may well be better off paying up front for your downloads and steering clear of file-sharing networks.”
Previous scams along the same lines have claimed to be FBI notices of copyright infringement. The hentai-themed ruse goes further by publicly shaming prospective marks before hitting them with extortionate demands.
Credit: The Register, TrendMicro
A Facebook game with more than 9 million users has been caught serving ads that try to trick viewers into installing malware.
Hundreds of users of Farm Town have reported seeing the ads, which falsely claim the user’s PC is infected and can only be fixed by buying and running the anti-virus software being advertised. Farm Town developer SlashKey warned users to ignore the ads but failed to suspend third-party adverts, much to the anger of security experts.
“It may not be Farm Town’s fault that a third-party advertising network is serving up malicious ads, but doing anything less is surely showing a careless disregard for the safety of its players,” wrote Graham Cluley, a senior technology consultant at Sophos. “Until the makers of Farm Town resolve the problem of malicious adverts, my advice to its fans would be to stop playing the game and ensure that their computer is properly defended with up-to-date security software.”
Rogue AV software like that advertised to Farm Town players has proved to be a bane to computer users. Such titles generate billions of dollars per year in revenue for fraudsters, while stealing credit card data and often planting backdoors on end users’ machines.
Over the years, The New York Times, MySpace, and scores of other sites have been caught serving ads that try to trick viewers into believing their machines are infected, often by displaying mock hard drive scans with a list of malicious files detected. The ads are usually the work of fly-by-night advertisers who trick advertising networks into distributing the sham banner ads.
Credit: The Register
A sneaky new Trojan attempts to extort money from BitTorrent users under the guise of a fictitious copyright infringement lawsuit. Malicious pop-up messages generated by the malware, which is being spread via fake files offered up for download through BitTorrent, seek to bully victims into paying a “pre-trial settlement” of $400 in order to avoid possible prosecution over supposed copyright piracy violations.
Both the “Antipiracy Foundation scanner” that supposedly identified pirated content on the PCs of targeted individuals and the ICPP Foundation “law firm” are fakes.
Infected users receive warnings every time they reboot their system, warns net security firm F-Secure. The scammers have sought to lend credibility to the ruse by setting up an official-looking but bogus website at icpp-online.com, which was taken offline on Monday afternoon.
The domain was registered to “Shoen Overns”, using an email address previously used to register domains associated with the Zeus information-stealing Trojan and Koobface scams.
Credit: The Register, F-Secure
Security researchers from antivirus vendor Trend Micro warn that a new FAKEAV version operates a ransomware-like component as a Layered Service Provider (LSP) routine. The malicious .DLL blocks access to websites such as Facebook, YouTube, MySpace, The Pirate Bay and others.
A Layered Service Provider is a Winsock feature that has long been abused by malware because it allows a DLL to sit in the network stack and alter Internet traffic. The scareware analyzed by Trend installs a .DLL file in the LSP chain with the purpose of intercepting calls to facebook.com, youtube.com or myspace.com from Internet Explorer, Firefox and other applications (through svchost).
Trying to access any of these domains from an infected computer will result in a page with red background reading: “Restricted Site! This web site is restricted based on your security preferences. Your system is infected. Please activate your antivirus software.”
“It will only allow the users access if the registry key, HKEY_CURRENT_USER\Software\IS2010, exists in their systems. However, the said key will only exist if the FAKEAV application Internet Security 2010 (aka TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC), is present on the affected system,” the Trend Micro researchers explain.
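Because an LSP hijack of the kind described above has to register its DLL in the Winsock catalog, a responder can spot it from the provider list. The following is an added triage helper (not Trend Micro's code): it parses the text that `netsh winsock show catalog` prints, flags provider DLLs outside the Windows system directory, and checks for the HKEY_CURRENT_USER\Software\IS2010 marker key quoted above. The catalog text in the block is a constructed sample in netsh's layout, and the "system32 only" rule is a heuristic.

```python
"""Triage helper for the FAKEAV LSP hijack: parse `netsh winsock show
catalog` output, flag provider DLLs outside the system directory, and
check for the IS2010 registry key. Added example, not Trend Micro's
code; SAMPLE_CATALOG is a constructed sample, not a real capture."""
import re
from typing import Dict, List

# Constructed sample: a legitimate-looking base provider followed by the
# kind of out-of-place filter DLL an LSP hijack inserts into the chain.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Internet Security Filter
Provider Path:                      C:\\Users\\victim\\AppData\\Local\\Temp\\isfilter.dll
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s+(.*?)\s*$")
# Heuristic: a provider DLL outside %SystemRoot%\system32 deserves a look.
TRUSTED_DIR = re.compile(r"^(%SystemRoot%|C:\\Windows)\\system32\\", re.I)


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one {field: value} dict per provider entry."""
    entries = []
    for chunk in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def suspicious_providers(text: str) -> List[Dict[str, str]]:
    """Entries whose provider DLL is not under %SystemRoot%\\system32."""
    return [e for e in parse_catalog(text)
            if not TRUSTED_DIR.match(e["Provider Path"])]


def is2010_key_present() -> bool:
    """Look for HKCU\\Software\\IS2010; False where winreg is unavailable."""
    try:
        import winreg
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\IS2010"))
        return True
    except (ImportError, OSError):
        return False


if __name__ == "__main__":
    import subprocess, sys
    text = SAMPLE_CATALOG if sys.platform != "win32" else subprocess.run(
        ["netsh", "winsock", "show", "catalog"], capture_output=True, text=True).stdout
    for e in suspicious_providers(text):
        print("suspicious provider:", e["Description"], "->", e["Provider Path"])
    print("IS2010 registry key present:", is2010_key_present())
```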
FAKEAV is a generic name used by the antivirus company to detect scareware or rogueware applications. These programs masquerade as antivirus products and attempt to scare users into paying unnecessary license fees by displaying alerts about fake malware infections.
The distribution of scareware used to be a very profitable model for generating illegal income. However, with a constantly shrinking market due to successful public education against these scams, scammers found themselves forced to come up with ways to get an edge over their competition.
This fighting amongst competing cybercriminal gangs has led to the appearance of more aggressive approaches, like disabling critical system functionality until the user agrees to pay up. Programs that display such behavior are referred to as ransomware, and blocking access to popular websites certainly falls into this category.
Credit: Softpedia.com News