CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Spam’ Category

Pron.com And 55 Additional Adult Websites Compromised, 26000 Emails And Passwords Posted Online

Sunday, June 12th, 2011

The notorious LulzSec hacking outfit has leaked over 26,000 email addresses and plain text passwords stolen from the database of the adult website Pron.com. After dumping the data online, the group encouraged people to try the login credentials on Facebook and tell the victims’ family members how they signed up for the adult site.

The reason? Just for fun. “Watch the hilarity. Tell us about it on twitter!” the hackers wrote in their announcement. Fortunately, word of the potential abuse quickly reached Facebook’s security team which forced password resets for all accounts corresponding to those email addresses.

This impressed LulzSec members, but also gave them new ideas for future attacks. “Props to Facebook security for locking all emails located on our list so fast. That’s the kind of security that earns a tip of our hat,” the hackers wrote.

“Hmm… so Facebook automatically locks every email on our list… exploitable. >:] Until next time, Facebook. Bwahahaha,” they later tweeted.

LulzSec pointed out that there were a number of .gov and .mil email addresses registered on the compromised site, as well as some 55 accounts belonging to admins of other adult portals.

Partial screenshot of the txt file with the 26,000 emails and passwords, released on the LulzSec website:

The group didn’t stop with this leak. It also published the personal information (dox) of executive officers and other employees from vulnerability research company Endgame Systems and anti-DDoS solutions provider Prolexic Technologies.

The dox didn’t only include information about these individuals themselves, but also their spouses, children and other family members, and their respective social media accounts.

Endgame Systems is a company set up by former ISS and CIA executives with the purpose of selling offensive security solutions and zero-day vulnerability information. The HBGary Federal email leak from earlier this year revealed that the company and its management make significant efforts to keep a low profile.

Meanwhile, Prolexic Technologies has made a selling point of the DDoS attacks orchestrated by Anonymous. In 2010 the company helped firms that the hacktivist group considered WikiLeaks enemies to protect themselves.

Credit: Softpedia.com News

Facebook Mobile API XSS Vulnerability Used To Launch Spam Worm

Wednesday, March 30th, 2011

A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec. The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation.

In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged-in Facebook users visiting it to post rogue messages on their walls. By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.

The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, but also note that more copycats followed the initial wave.

Some browsers have anti-XSS filters built in by default, but they are not very effective. The only one that can block a significant number of attacks is included in the NoScript Firefox extension.

XSS worms used to be quite frequent in 2009, however, social media websites have since gotten better at preventing such attacks. Nevertheless, some continue to pop up from time to time. Actually, the last one launched on Facebook occurred earlier this month and was used to spread weight loss spam.

In October last year, French security researchers demonstrated two information stealing worms that worked by exploiting cross-site request forgery and cross-site scripting vulnerabilities on Facebook.

According to Symantec’s Candid Wueest, Facebook has since addressed the vulnerability. “Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attacks,” he says.

Last year Twitter was hit by a massive and more resilient XSS worm that locked hundreds of thousands of users out of their accounts.

Credit: Softpedia.com News

Play.com Customers Database Breach Blamed On Silverpop, Users Already Receive Malware Spam

Tuesday, March 22nd, 2011

Online retailer Play.com has named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses. Play.com is one of the UK’s largest online retailers of DVDs, CDs, books and consumer electronics gadgets.

The breach led to spam being sent on Sunday to email addresses registered only with the online retailer, a development that led to howls of protest from users. These emails offered supposed software updates from Adobe but actually linked to sites serving up malware.

The offer of the latest version of Adobe Reader X out of the blue and via email is unlikely to have taken in many, since the ruse was neither timely, subtle nor salacious.

Play.com, which issued an apology to users via email on Tuesday morning, has since come forward with an official statement from chief exec John Perkins (below) that seeks to downplay the significance of the admitted breach. In particular the online retailer stresses that the snafu only affected email details, and not credit card details or other sensitive information.

On Sunday 20 March some customers reported receiving a spam email to email addresses they only use for Play.com.

We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps. We believe this issue may be related to some irregular activity that was identified in December 2010 at our email [marketing] service provider Silverpop.

Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email [marketing] service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again.

We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) are kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained.

On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue.

Credit: The Register

Japanese Earthquake And Tsunami Searches Infect Users With Malware

Friday, March 11th, 2011

Security researchers advise users to exercise caution when searching for information about the massive earthquake and tsunami waves that hit Japan, because they might end up on scareware pages.

The Internet is abuzz with updates on the devastating effects of the 8.9-magnitude earthquake that hit today 130 kilometers off the coast of Japan and triggered 10-meter-high tsunami waves. There are at least 500 confirmed deaths and over 110,000 people missing so far as a result of the catastrophe and their number keeps growing by the hour.

Unfortunately, cyber criminals are trying to exploit disasters like this for profit by poisoning search results with links leading to fake antivirus programs. Known as black hat search engine optimization (BHSEO), these attacks can be observed after every major event that manages to attract considerable interest from the public. We’ve seen BHSEO campaigns following the Haiti earthquake last year, the 2009 California wildfires, the recent floods in Australia, Brazil and the Philippines and even the New Zealand Christchurch earthquake last month.

Fake antivirus programs, also known as scareware or rogueware, attempt to trick users into purchasing useless licenses by falsely claiming their computers are infected. Scareware distribution has been one of the most profitable cyber criminal businesses during the past several years and the generated income is commonly used to finance other types of illegal activities.

“Blackhat SEO leading to rogue antivirus is still very much a common Web attack. We recommend that our readers get the latest news from trusted media outlets to prevent being victimized by this blackhat SEO,” Trend Micro security researchers write.

The vast majority of BHSEO attacks have traditionally occurred on Google, but since the company has significantly improved its detection, attackers are increasingly targeting other search engines as well.

Credit: Softpedia.com News

Chinese Scammers Act As Registrars, Blackmail Domain Name Owners

Tuesday, January 11th, 2011

Domain name scammers are once again targeting domain name owners in an attempt to generate some easy income through unsophisticated blackmail.

Typically, the scam starts with an email to domain owners warning them about a foreign company that is trying to purchase websites using their domain and trademark names. However, being the responsible and caring “Domain Name Registration Service” they claim to be, the senders are first contacting the owner of the existing domains and, possibly, trademarks, and will give them the amazing opportunity to get these website names first and therefore protect their brand.

Here is one example of such a scam email:

from Fnew Law
reply-to fnew-law@chinesenic.net
subject Concerning ” domainname ” Brand Name dispute

(If you are not the person who is in charge of this, please forward to the right person/ department, as this is urgent, thank you.)
Dear CEO,
We are the department of registration service in China. we have something which needs to confirm with you. We formally received an application on Jan.10th 2011. One company called “TSMI Research & Development Corp” is applying to register ” domainname ” as Brand name and domain names as below:

domainname.asia
domainname.cn
domainname.cn
domainname.com.hk
domainname.com.tw
domainname.hk
domainname.in
domainname.tw

After our initial checking, we found the Brand name and domain names being applied are as same as your company! So we need confirmation with your company. If the aforementioned company is your business partner or your subsidiary, please DO NOT reply us, we will approve the application automatically. If you don’t have any relationship with this company, please contact us within 7 workdays. If over the deadline, we will approve the application submitted by “TSMI Research & Development Corp” unconditionally.

Best Regards

David Ho

Senior Consultant

Domain WHOIS about chinesenic.net shows the following:

Registrant Contact:
Shanghai Fengwang Wangluo youxian gongsi
He Ping Wei asiadomain@live.cn
+86.2137529318 fax: +86.2137529316
No.258.North Yunhe Road Fengxian
shanghai Shanghai 201400
cn

DNS:
ns1.4everdns.com
ns2.4everdns.com

Created: 2011-01-04
Expires: 2012-01-04

A reputable “department of registration service” with a live.cn free webmail contact and a domain registered a few days ago. Replying to such emails might not only make scammers send you bills and payment demands, but also encourage them to target you in the future, possibly with more sophisticated scams and blackmail attempts.
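
The WHOIS check described above can be mechanised. The following Python is an added example, not code from the original post: it scores the quoted email’s headers, body and WHOIS record for the tell-tales the article points out (a reply-to domain registered days before the message, a free-webmail registrant contact, urgency wording and the “silence means approval” clause). The sample data is constructed from the quoted text and the free-webmail list is an illustrative subset.

```python
import re
from datetime import date

# Constructed sample modelled on the scam e-mail and WHOIS excerpt quoted above.
# The header values and WHOIS lines are typed in for this demo, not live data.
SCAM_HEADERS = {
    "from": "Fnew Law",
    "reply-to": "fnew-law@chinesenic.net",
    "subject": 'Concerning " domainname " Brand Name dispute',
    "date": "2011-01-11",  # date the message was received
}
SCAM_BODY = (
    "If the aforementioned company is your business partner or your subsidiary, "
    "please DO NOT reply us, we will approve the application automatically. "
    "If you don't have any relationship with this company, please contact us within 7 workdays."
)
SCAM_WHOIS = """Registrant Contact:
Shanghai Fengwang Wangluo youxian gongsi
He Ping Wei asiadomain@live.cn
Created: 2011-01-04
Expires: 2012-01-04
"""

# Illustrative subset of free webmail domains; a real filter would use a fuller list.
FREE_WEBMAIL = {"live.cn", "live.com", "hotmail.com", "gmail.com", "yahoo.com", "163.com", "qq.com"}
URGENCY = re.compile(r"\b(urgent|dispute|deadline|within \d+ (work)?days)\b", re.I)
# "Silence means consent" wording: not replying is said to approve the application.
DEFAULT_APPROVE = re.compile(r"will approve .{0,60}?(automatically|unconditionally)", re.I | re.S)


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower().strip(">")


def parse_whois(text):
    """Extract the creation date and contact e-mails from a WHOIS dump."""
    created = None
    m = re.search(r"^Created:\s*(\d{4}-\d{2}-\d{2})", text, re.M)
    if m:
        created = date.fromisoformat(m.group(1))
    emails = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)
    return {"created": created, "emails": emails}


def score_registrar_email(headers, body, whois_text, max_age_days=30):
    """Return human-readable indicators; an empty list means nothing suspicious was found."""
    findings = []
    reply_domain = domain_of(headers["reply-to"])
    info = parse_whois(whois_text)
    msg_date = date.fromisoformat(headers["date"])
    if info["created"] is not None:
        age = (msg_date - info["created"]).days
        if age <= max_age_days:
            findings.append(f"reply-to domain {reply_domain} was registered only {age} days before the message")
    for addr in info["emails"]:
        if domain_of(addr) in FREE_WEBMAIL:
            findings.append(f"registrant contact uses a free webmail address: {addr}")
    if URGENCY.search(headers["subject"]) or URGENCY.search(body):
        findings.append("message uses urgency or dispute wording")
    if DEFAULT_APPROVE.search(body):
        findings.append("message says the application is approved unless you reply")
    return findings


if __name__ == "__main__":
    for line in score_registrar_email(SCAM_HEADERS, SCAM_BODY, SCAM_WHOIS):
        print("-", line)
```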

As you can see from an older list at Firetrust, the scammers own plenty of domains, which suggests this business brings in a steady income:

Compromised Twitter Accounts Spread Links to Malware Downloads

Tuesday, December 7th, 2010

It appears that a new worm is spreading by hijacking Twitter accounts and using them to advertise links to a drive-by download website. The attack starts with goo.gl shortened URLs being sent by users whose computers have already been infected by the new threat.

The links get changed as soon as Google suspends them for abuse. One goo.gl URL pointed to a page hosted on a compromised website belonging to a French furniture manufacturing business.

This page takes visitors through several redirects and eventually lands them on a drive-by download site that tries to exploit vulnerabilities in outdated versions of Java and Adobe Reader.

According to various reports, in addition to the compromised .fr website, an .it one has also been observed, which ironically belongs to a firm offering computer repair services. An interesting aspect about these websites is that both of them are entirely designed in Flash. We’re not sure at this point if this is just a coincidence or a pattern.

There is still no detailed analysis of the malware installed in case of successful exploitation. However, it’s pretty clear that it can hijack the Twitter accounts of people using the infected computers.

The rogue messages are sent through Twitter’s mobile site instead of the main Web interface, but this is probably done by attackers for convenience reasons. The behavior of hijacking accounts like this is reminiscent of the Koobface social networking worm, which also targeted Twitter in the past. However, at this point this is only speculation.

According to TechCrunch, Twitter is aware of the attack and is actively resetting the passwords of the compromised accounts.

Users are advised to be suspicious of goo.gl links that are posted with no other message attached, although this behavior might change.

Credit: Softpedia.com News

Zero-Day Internet Explorer Vulnerability Exploited In Targeted Email Attacks

Thursday, November 4th, 2010

Symantec warns that a 0-day vulnerability, affecting stable versions of Internet Explorer, is being exploited in a sophisticated attack, which targets key people in various organizations.

The attack begins with fake emails posing as hotel reservation notifications. “About the hotel room, please take the attached list for booking [link],” part of the rogue messages read.

The link directs recipients to a page hosted on a compromised, but legitimate website, which checks their operating system and browser version.

Only users running Windows XP and Internet Explorer 6 or 7 get redirected to the exploits. Others are sent to a blank page.

Successful exploitation results in a trojan being installed on the computer. The malware registers itself as a service called “NetWare Workstation” and opens a backdoor.

It reports back to the attackers and downloads encrypted files with commands from a compromised server in Poland.

“Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations,” Symantec researchers revealed.

“The files on this server had been accessed by people in lots of organizations in multiple industries across the globe,” they added.

Microsoft has confirmed the existence of the vulnerability and has published a security advisory with mitigation instructions.

“Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.

“This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms,” Jerry Bryant, manager of response communications at Microsoft, explained.

Internet Explorer 9 Beta is not vulnerable and the company has since released a Fix It tool to help users apply the workaround until a permanent patch becomes available.

Credit: Softpedia.com News

Scammers Posing As Law Firms, Scare Users Into Paying Settlement Fees By Sending Copyright Infringement Notification

Thursday, October 21st, 2010

Scammers are posing as law firms and are sending fake copyright infringement notification emails to Internet users in an attempt to scare them into paying settlement fees.

According to TorrentFreak, which reported this new type of scam, the fake emails bear a subject of “Investigation Against You” and purport to be sent by a legit German law firm called Rechtsanwalt Florian Giese.

The from field is spoofed and the sender email address can vary. Some of the addresses observed so far are: giese@ra-giese.info, zahlung@ra-giese.info, giese@lawyer-giese.info and zahlung@rechtsanwalt-giese.info.

The messages claim that the law firm is acting on behalf of Videorama GmbH, a German film production and distribution company dating back to 1993.

“The subject of our assignment is that your Internet connection was used on a so-called peer-to-peer network and committed copyright infringement on works held by our clients,” the scammers claim in the fake emails.

They go on to list the IP address allegedly used by the recipient when committing the offense and the number of files involved.

The emails also cite German laws and mention a real case in which a German court imposed a significant penalty on a man for illegally downloading music.

“As you may have already noticed from the media, today copyright infringement cases in court usually lead to a large fine and court costs,” the scammers write, in an attempt to scare users.

Eventually, people are told that everything can be settled out of court if they agree to send 100 euros via Ukash or Paysafecard.

Unfortunately, such scam emails have a high chance of success, because the sending of copyright infringement pre-settlement letters is common in many countries.

“Rechtsanwalt Florian Giese is not responsible for the fraudulent e-mails with the subject ‘investigation against you’. These are spam emails from fraudsters,” a spokesperson for the law firm told TorrentFreak.

Credit: Softpedia.com News

Top-Ranked Facebook Applications Transmit Personal IDs, Personal Information To Ad Firms

Monday, October 18th, 2010

Facebook’s privacy rules aren’t as watertight as the company would have its users believe, after the Wall Street Journal uncovered that some of the social network’s most popular apps have siphoned off personal information to ad firms and internet tracking outfits.

According to the report, many Facebook apps have transmitted identifiable details about individual users to around 25 companies, in effect breaking the terms laid down by the Mark Zuckerberg-run website.

The privacy breach, which gives advertising and internet tracking firms access to people’s names, affects a huge number of Facebook app users. Worse still, the newspaper found that users whose profiles have rigorous privacy settings have also had their details exposed. It said that the 10 most popular Facebook apps, including Farmville and Texas HoldEm Poker, were transmitting users’ IDs to external firms.

Game Network Inc’s Farmville was found to also be transmitting personal details about a user’s Facebook “friends” to advertisers and internet tracking companies.

Facebook, which claims to have around 500 million users of its service, told the WSJ that the social network would bring in new tech to close the breach.

One company, RapLeaf Inc, was found to have linked Facebook ID details taken from apps to its own database of internet users, which it sells on to companies. RapLeaf insisted that the transmission of data hadn’t been intentional. “We didn’t do it on purpose,” the company’s biz development veep Joel Jewitt told the newspaper.

The company put out a separate statement at http://developers.facebook.com/blog/post/418 to its third-party developers that was part finger-wagging, and partly an assertion that the press had exaggerated the implications of sharing a UID.

Credit: The Register

Microsoft DNS Hijacked, IP Addresses Are Used To Push Pharma Spam

Wednesday, October 13th, 2010

For the past three weeks, internet addresses belonging to Microsoft have been used to route traffic to more than 1,000 fraudulent websites maintained by a notorious group of Russian criminals, publicly accessible internet data indicates.

The 1,025 unique websites, which include seizemed.com, yourrulers.com, and crashcoursecomputing.com, push Viagra, Human Growth Hormone, and other pharmaceuticals through the Canadian Health&Care Mall. They use one of two IP addresses belonging to Microsoft to host their official domain name system servers, search results from Microsoft’s own servers show. The authoritative name servers have been hosted on the Microsoft addresses since at least September 22, according to Ronald F. Guilmette, a researcher who first uncovered the hijacking.

By examining results from an internet lookup tool, it was determined that 131.107.202.197 and 131.107.202.198, both registered to Microsoft, are housing dozens of DNS servers that help convert the pharmacy domain names into the numerical IP addresses that host the sites.
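
How a network owner can run the same check against their own address space, as an added example that is not part of the original article: given passive-DNS style NS and A records, it maps name-server IPs to the zones they serve and reports addresses inside the watched netblocks that are authoritative for zones the owner does not hold. The records, the /24 and the owned-domain list are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records as (name, rrtype, value) tuples. The three
# pharmacy domains and the two 131.107.202.x addresses are the ones named in the
# article; the name-server host names, the other IPs and the .test zones are made up.
RECORDS = [
    ("seizemed.com", "NS", "ns1.seizemed.com."),
    ("seizemed.com", "NS", "ns2.seizemed.com."),
    ("ns1.seizemed.com", "A", "131.107.202.197"),
    ("ns2.seizemed.com", "A", "131.107.202.198"),
    ("yourrulers.com", "NS", "ns1.yourrulers.com."),
    ("ns1.yourrulers.com", "A", "131.107.202.197"),
    ("crashcoursecomputing.com", "NS", "ns1.crashcoursecomputing.com."),
    ("ns1.crashcoursecomputing.com", "A", "131.107.202.198"),
    # The network owner's own zone, legitimately served from its own space.
    ("example-corp.test", "NS", "ns.example-corp.test."),
    ("ns.example-corp.test", "A", "131.107.202.5"),
    # An unrelated zone hosted elsewhere; must not be reported.
    ("example-shop.test", "NS", "ns1.hosting-provider.test."),
    ("ns1.hosting-provider.test", "A", "203.0.113.10"),
]

# Assumption for the demo: the owner watches the /24 around the two article IPs
# and knows which zones it legitimately serves from that space.
WATCHED_NETS = [ipaddress.ip_network("131.107.202.0/24")]
OWNED_DOMAINS = {"example-corp.test"}


def norm(name):
    """Lower-case a DNS name and drop the trailing dot so NS targets match A owners."""
    return name.lower().rstrip(".")


def ns_domains_by_ip(records):
    """Map each name-server IP to the set of zones that list that server as authoritative."""
    addrs = defaultdict(set)
    for name, rrtype, value in records:
        if rrtype == "A":
            addrs[norm(name)].add(value)
    by_ip = defaultdict(set)
    for name, rrtype, value in records:
        if rrtype == "NS":
            for ip in addrs.get(norm(value), ()):
                by_ip[ip].add(norm(name))
    return by_ip


def rogue_name_servers(records, watched_nets, owned_domains):
    """IPs inside watched_nets acting as authoritative NS for zones the owner does not hold."""
    report = {}
    for ip, zones in ns_domains_by_ip(records).items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in watched_nets):
            continue
        foreign = sorted(z for z in zones if z not in owned_domains)
        if foreign:
            report[ip] = foreign
    return report


if __name__ == "__main__":
    for ip, zones in sorted(rogue_name_servers(RECORDS, WATCHED_NETS, OWNED_DOMAINS).items()):
        print(f"{ip} is authoritative for {len(zones)} foreign zone(s): {', '.join(zones)}")
```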

The most likely explanation, the researchers say, is that a machine on Microsoft’s campus has been programmed to do so, probably after it became infected with malware.

“The important part seems to be some sort of compromise appears to be in play,” said Randal Vaughn, a professor of information systems at Baylor University. “It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned the box.”

Vaughn also held out the possibility that servers connected to the Microsoft IPs might be part of a honey pot that’s deliberately hosting the name servers so that researchers can secretly monitor the gang’s operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft.

A Microsoft spokeswoman said she was investigating the findings and expected to provide a statement once the investigation was completed.

California-based Guilmette, who said he has uncovered evidence that other large organizations have been similarly hijacked in the past, said he’s convinced the results mean that Microsoft has faced some sort of system compromise.

“I’m a paranoid kind of person,” he said. “There’s no other immediately apparent, reasonably plausible explanation for the facts that I’m looking at.”

Another researcher who goes by the pseudonym Jart Armin said that there may be no Microsoft server compromise at all. Rather, he said, criminals may have figured out a way to cache the zone files on the Microsoft IP addresses and make them appear to be the authoritative results. He didn’t fully explain how this could be done, however, and Guilmette and Vaughn discounted the likelihood of this hypothesis.

Canadian Health&Care Mall is believed to be run by affiliates of a group known alternately as Bulker.biz, Eva Pharmacy, and Yambo Financials, according to Spamtrackers.eu, a site that monitors online scams. The operation, which researchers say also engages in child pornography, identity theft, and rampant spamming, specializes in maintaining websites and name servers that run on infected hosts without the owners’ knowledge, the website says. Members are known to infect Linux and Unix machines with custom-written binaries that act as proxy web hosts.

The benefits of running the website and DNS servers on infected machines are manifold. Not only does doing so drastically reduce the cost of the illegal operation, but the use of IP addresses from organizations with good reputations may make it easier for the scams to fly under the radar of spam filters and search-engine blacklists, Armin said.

Over the past few weeks, Guilmette said, the IP addresses of several other large organizations have also been observed to be hosting name servers for the same criminal outfit. The University of Houston, the government of India, and City University of New York are just three of the names on the list. They have since corrected the problems, so the DNS servers are no longer hitching a free ride on their systems, the researcher said.

In the past year, Microsoft has adopted a more active role in hunting down the very types of criminals Guilmette believes have hijacked Microsoft’s network to help operate the illegal pharmacy. Company researchers were instrumental in founding the Conficker Working Group, which actively infiltrates the massive botnet that was built by the Conficker worm in an attempt to disrupt it or shut it down.

The company recently succeeded in shutting down the Waledac botnet through a combination of technical and legal maneuvers.

The irony that Microsoft IP addresses are playing a crucial role in enabling such scams wasn’t lost on Baylor University’s Vaughn.

“I almost guarantee that there’s somebody up there at Microsoft, probably more than one, that are trying their darnedest to get rid of the Canadian pharmacy group,” he said. “It would be nice if they had that IP information available.”

Credit: The Register