CyberInsecure.com

Archive for the ‘Scams’ Category

German authorities have recalled more than 100,000 credit cards over fears that crooks may have obtained details of the cards via an unnamed Spanish payment processing firm.

Holidaymakers who used their Visa or Mastercard credit card in Spain may be at risk of fraud following the reported security breach, which prompted the largest plastic card recall in German history. The Volks and Raiffeisenbank banking group alone recalled 60,000 potentially compromised credit cards as a precautionary measure, AFP reports.

Holders of cards issued by DKB-Bank, Barclays and Karstadt-Quelle are among those at risk, El Pais adds.

In a statement, the German Central Credit Card Commission (ZKA) described the measures as precautionary, adding that affected cardholders would be notified by their banks and not left out of pocket in the event of any fraud. Cardholders are nonetheless advised to check their statements for suspicious transactions.

ZKA’s statement (translated below) goes on to explain that the exchange of cards is almost complete.

The German banking industry has responded rapidly to the warning of Visa and MasterCard regarding a possible theft at a Spanish company to credit card data from German customers. The potentially compromised cards will be exchanged free of charge reported by German banks and savings banks. This exchange is almost complete. It is primarily a precautionary measure and a routine operation.

Both Visa and Mastercard maintain their systems have not been compromised, pointing to problems elsewhere in the payment chain. UK customers will be contacted directly if their details have been exposed.

Spanish reports in El Pais (here) and El Mundo (here) suggest that the breach affects a payment processor in Spain that handled card payments for cards issued outside of the country but this remains unclear.

Visa Europe told the BBC that it is “aware of a possible card data security issue in Spain. No details are yet confirmed, but we do not believe that the issue is specific to Visa.”

Credit: The Register

Rogue anti-virus slingers are getting even sneakier. Instead of offering to clean up non-existent malware threats as per the traditional approach, one rogue scanner offers to clean up images of porn it claims to have found on a prospective mark’s PC.

In reality, these images get downloaded by the purported clean-up package itself. Victims were exposed to the pitch on behalf of a especially malodorous scareware package called Win Spy Protect simply by visiting a hacked website.

Roger Thompson, chief of research at security firm AVG, ran across the threat months ago but held back on publishing details until Thursday. Heightened concerns about how malware infection could result in presence of image of child abuse on the PCs of non-paedophiles prompted Thompson into publishing a video of the threat (below).

The hacked website linked to the attack was a children’s site and the content strictly adult porn. However, the tactic could result in child abuse images getting dropped onto the machines of surfers whose only mistake was to stray onto hacked websites, as Thompson explains.

Fortunately, LinkScanner detects the rogue-spyware aspects of this and blocks it just fine, but without LinkScanner, these images would now be in the browser cache, and it would sure look like the owner was guilty. Worse still, the images could just as easily be kiddy porn, and just being your cache would be regarded as possession, and therefore highly illegal by most law enforcement agencies.

In related scareware news, hackers have set up 260,000 fake blog pages on compromised sites in preparation for a scareware distribution campaign that relies on manipulating search engine rankings so that booby-trapped sites appear prominently in the search indexes for topical terms.

Between the latest attack (detected this week) and an even larger assault along the same lines detected in September, there are now well over 800,000 fake blog pages. Few of these pages are detected by Google as malicious, net security firm eSoft warns.

A blog post by eSoft explains the mechanism of the scam. “The key to this scheme is JavaScript uploaded to the compromised server and used in the fake blog pages. The file, css.js, contains obfuscated JavaScript which redirect users to Rogue AV [anti-virus] if the site is accessed through certain search engines,” it said.

“Using this technique allows the attackers to quickly and easily change distribution points and payloads. The current payloads have low detection rates among AV [anti-virus] scanners.”

Credit: The Register

Trojan attacks are likely in the wake of the Windows 7 product activation system cracks developed last week, less than a month after the release of Microsoft’s latest operating system.

The RemoveWAT (and the similar ChewWGA) utility allow a prospective Windows 7 user to bypass the Windows Genuine Advantage registration procedure. Both hacks circumvent product activation without the need to have OEM keys, unlike earlier hacks on pre-release code.

Security firm Sunbelt Software warns that Trojans posing as Win 7 cracks are very likely to follow.

“RemoveWAT and Chew-WGA… join the grimy world of cracks and key-gens – oft-Trojanised applications that defeat activation passwords or other security on legitimate software,” writes Sunbelt researcher Tom Kelchner.

“Trojanized versions of RemoveWAT and Chew-WGA soon will be available on websites and file-sharing networks near you. Look for them (or maybe we should say ‘look out for them’),” he added.

The release of the Win 7 cracking tools last week came as little surprise to security watchers.

Richard Kirk, European director at application vulnerability firm Fortify, noted that similar types of cracks arrived shortly after the release of Windows Vista in January 2007, and were solved when Microsoft issued an update. “Similar utilities for Windows XP also started appearing in the summer of 2005, shortly after the Windows Genuine Advantage system was made mandatory in July of that year,” he added.

Credit: The Register

Researchers from CA have intercepted a new ransomware variant encrypting popular file extensions (.zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc) and demanding a $100 for the decryption software.

According to the message which replaces the desktop’s background upon execution, the files are encrypted with 256-bit AES encryption, and that “there’s a 0% chance that you will be able to manually decrypt the files without the encryption key“. However, this particular cybercriminal appears to be bluffing since the ransomware encrypts the data using the XOR cipher.

Naturally, by doing so he allowed CA’s researchers to release a free decryptor for Win32/Gpcode.J. Despite that compared to previous campaigns, this one looks rather primitive, ransomware is clearly a trend, one that has already started converging with popular delivery channels such as scareware, and utilizing efficient payment processes such as the ubiquitous SMS micro-payment.

Throughout the entire 2009, cybercriminals have indicated their long-term interest in the development of alternative extortion tactics in order to efficiently earn as much micro-payment revenue as possible. The most recent case of such an alternative extortion tactic, was the introduction of SMS ransomware variant that was displaying persistent inline ads within the browsers of infected victims, often showing disturbing adult content, while requiring a premium-rate SMS for removal.

With the ever-decreasing price for do-it-yourself SMS ransomware building tools within the underground marketplace (average price is between $15 and $30), new market entrants will inevitably prompt the vendors of these releases to “innovate” and introduce new features in an attempt to compete with one another.

Interestingly, despite GPCode’s and LoroBot’s practice of encrypting popular file extensions, the majority of SMS-based ransomware releases currently offered for sale, emphasize on the practice of locking down an infected party’s computer using “Unlicensed copy of Windows” themes, instead of encrypting files.

Credit: ZDNet.com Security Blogs

Malware-infected computers are increasingly being used to perpetrate click fraud, according to a study released Thursday that found their contribution was the highest since researchers began compiling statistics on the crime.

In the third quarter of this year, 42.6 percent of fraudulent clicks were generated by computers that were part of botnets, compared with 36.9 percent the previous quarter and about 27.6 percent in the same period of 2008. The increase comes as criminals trying to profit from click fraud take advantage of new advances in malware that make the practice harder to detect.

“As the botnets get more sophisticated, they’re able to perpetrate more click fraud,” said Paul Pellman, CEO of Click Forensics, the advertising auditing firm that prepared the report. “They’re finding new ways of being distributed, and that’s reflected in the data.”

The jump in botnet use over the past year comes as the overall amount of click fraud dropped, from 16 percent of all paid ads in Q3 of 2008 to 14.1 percent last quarter. That means manual forms of click fraud, in which large numbers of individuals engage in the practice, has decreased by an even larger margin. Many of those people get paid to knowingly gin the advertising results, while others are tricked into it.

The data was compiled by monitoring pay-per-click campaigns on more than 300 ad networks and on advertisers’ web sites.

Click fraud attempts to siphon away the commissions advertisers pay web site operators each time an ad on one of their pages is clicked on by a legitimate visitor. Fraudsters often set up websites with little or no content and then pocket big profits when ads from Google and other providers are viewed through the process.

Automated click fraud has existed for years, but over the past few months, researchers have identified several botnets that prominently offer such capabilities. Both the web-based infection known as Gumblar and the so-called Bahama Botnet contain malware that causes infected PCs to return altered Google results. When users click on them, they are taken to a series of intermediate links before arriving at their final destination.

“It’s in everyone’s best interest in the online community to find and stamp out click fraud,” Pellman said. “The fraudsters are trying to stay a step ahead of those efforts.”

Credit: The Register

A researcher has unearthed fresh evidence of cyber criminals’ growing attraction to Apple’s OS X platform with the discovery of a now-disbanded group that offered 43 cents for every infected Mac.

Mac-codec.com was just one of hundreds well-organized affiliate networks that pay a small bounty each time their malware is installed on an unsuspecting end user’s computer. What makes this one stand apart is its dedication to the Mac platform.

The site advertised various promotional materials Mac-based “video players” and offered “webmasters” the fee in exchange for each installation on Macs that visited their exploit sites. The 43-cent fee is slightly lower than the 50 cents to 55 cents the codec-partnerka pay for infections of Windows-based machines.

The outfit was holding out the offer in January and February of this year, but has since closed its doors, said Samosseiko, who is manager of Sophoslabs in Canada, a research arm of anti-virus firm Sophos. He presented his findings as part of a larger discussion about codec-partnerka presented at this week’s Virus Bulletin conference in Geneva. The groups’ malware typically masquerades as legitimate video codecs or anti-virus software.

“I suspect that it wasn’t as profitable to target the Mac platform at that point,” he explained. Mac-codec.com “probably closed because it wasn’t commercially viable for them to conduct business.” “I suspect there are others targeting other Mac users,” he said.

Infiltrating the highly secretive networks is by no means an easy task. Most of them are based in Russia or elsewhere in Eastern Europe, and interlopers must first gain the trust of other members. Although Mac-codec.com is no longer active, Samosseiko doesn’t believe that’s the end of the bounty program for infected OS X systems.

Credit: The Register

Eastern European hackers are offering to crack into any Facebook,  Myspace and ICQ account for a fee of $100, payable online through Western Union, though circumstantial evidence suggests that the scheme might just as easily be geared towards ripping-off potential clients while delivering nothing.

The Facebook hacking service, offered by Ukrainian hackers via a domain registered in Moscow, offers to provide clients with the login and password credentials of any account. Potential clients are offered a money-back promise in cases where a targeted profile (which might belong to celebrities, politicians, or well-known companies as well as ordinary users) proves unhackable.

Hackers claim they’ve been offering the service for four years, during which time they’ve enjoyed a 99 per cent success rate. However, the domain via which the service is offered is only a few days old, raising doubts about the authenticity of the service.

“The system’s real purpose may be hacking Facebook accounts as they say, or profiting from those that want to try the service,” said Luis Corrons, Technical Director of PandaLabs. “In any case, the Web page is very well designed. It is easy to contract the service and become, either the victim of an online fraud, or a cyber-criminal and accomplice in identity theft.”

Corrons, who explored the service without handing over a fee to the cybercrooks behind it, concludes that it’s very probably a scam. “This is all about taking the money from users. And at the end, as the user wanted to hack an account, he won’t call the police,” he concludes.

Compromised social networking profiles in general might be used to distribute spam or malware or as stepping stones towards attacks on a mark’s webmail or online banking accounts.

Credit: The Register
Credit: PandaLabs

The New York Times was co-opted into pushing fake anti-virus malvertisements after hackers broke into its banner ad feed over the weekend. Surfers visiting the site were confronted by malicious pop-up window that falsely warned that their systems were infected. The ruse was designed to scare people into buying a clean-up utility of little or no value.

The NYT issued a warning on the front page of the website and via its Twitter feed on Sunday. The paper explained that the pop-ups were the result of an “unauthorized advertisement”:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.

Trend reports that the scareware involved in the attack was served up by German ISP Hetzner AG. Similar attacks have hit media outlets including The Daily Mail and ITV of recent months. Sophos reckons that the prime responsibility in defending against the attack relies on ad-serving networks rather than media outlets.

Credit: The Register

Websense Security Labs has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country.

When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way.

Screenshot of Web site hosting rogue AV:

Credit: Websense Security Labs

Out to steal online gold and other assets worth real money, scammers are stepping up attacks on World of Warcraft players, according to security researchers.

A researcher from anti-virus firm Webroot has explained how official forums offered by WoW creator Blizzard are being used to spread links that lead to malware, which steals passwords and other game credentials. The scam employs the common technique of telling visitors that their Adobe Flash player needs to be updated and then offering a malicious trojan instead of the real installation file.

Elsewhere, phishers are churning out emails that purport to be official communications from Blizzard, according to researchers from security provider Sophos. The emails claim the game maker is launching a new service and invites them to click on a link for a free sneak peak. The resulting website, in turn, phishes user credentials.

The attack outbreaks come a few weeks after Blizzard issued an update for Warcraft III that fixed a gaping hole, which could lead to the complete hijacking of machines running the real-time strategy game. According to Webroot researcher Andrew Brandt, it was exploited simply by getting vulnerable victims to join a custom game hosted with booby-trapped maps.

Attackers targeted the vulnerability in a game called DotA, or Defense of the Ancients, by creating fake maps that used the same file configurations as legitimate custom maps.

“What makes this exploit particularly nasty is the fact that your PC gets infected the moment you join a game where the infected DotA map is in use,” Brandt wrote. “Once downloaded, the game automatically unpacks the infected map and executes the malicious code.”

In April, Blizzard took the drastic step of advising players steer clear of all custom games until a patch could be released. With the hole plugged, attackers are falling back on other ways of preying on players.

Credit: The Register