Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.
Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has caused major disruptions for almost a month.
“Huge numbers of users of the Freenode network ended up getting banned themselves because they would click the link and then they would join the network and flood the network,” one of the hackers, who goes by the moniker Weev, said. “We get this huge rollover effect.”
He added: “We got the people who run Freenode to actually k-line each other,” a reference to the process of banning a user from an IRC server for spamming or other inappropriate actions.
The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers, Weev said.
IRC networks such as EFnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.
“While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site,” a note on Freenode’s website read. Representatives of the network didn’t respond to an email seeking comment.
Security researchers have long known that it’s possible to abuse features designed to make browsers work seamlessly with other internet applications. Web security expert Robert “RSnake” Hansen calls the technique “interprotocol exploitation.”
“It’s the first time I’ve actually seen it used in the wild,” he said. “We’ve been theorizing this attack was possible for some time. Browsers absolutely should not be able to connect to ports unrelated to HTTP.”
Hansen said other internet technologies, such as the SIP protocol for voice over IP, are also ripe for abuse.
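The attack described above works because the browser opens a plain TCP connection to port 6667 and sends an HTTP request whose body is read by the IRC server as commands. A common server-side mitigation is to look at the very first line a new connection sends and refuse it if it is an HTTP request line rather than an IRC registration command. The following is an added example, not code from the article or from Freenode; the sample first lines are constructed, and the classification of IRC openers is taken from the RFC 2812 registration sequence.

```python
import re

# Added example (not from the article): triage the first line received on an
# IRC listener. A browser forced to submit a form to an IRC port sends an HTTP
# request line first; a genuine IRC client sends NICK/USER/PASS/CAP.

HTTP_REQUEST_LINE = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/\d\.\d$"
)

# Commands a real IRC client may legitimately send first (RFC 2812 registration).
IRC_OPENERS = ("NICK", "USER", "PASS", "CAP", "SERVER")


def classify_first_line(first_line: str) -> str:
    """Return 'reject-http', 'accept-irc' or 'unknown' for a connection's first line."""
    line = first_line.rstrip("\r\n")
    if HTTP_REQUEST_LINE.match(line):
        # Nothing speaking IRC ever starts with an HTTP request line, so this
        # connection was almost certainly forced by a web page.
        return "reject-http"
    verb = line.split(" ", 1)[0].upper()
    if verb in IRC_OPENERS:
        return "accept-irc"
    return "unknown"


# Constructed sample first lines, as a listener on port 6667 might see them.
SAMPLE_CONNECTIONS = [
    "NICK alice\r\n",
    "POST / HTTP/1.1\r\n",
    "USER bob 0 * :Bob\r\n",
    "GET /index.html HTTP/1.0\r\n",
    "CAP LS 302\r\n",
    "\x00\x01binary\r\n",
]


def triage(connections):
    """Split connections into (accepted, rejected, unknown) lists by first line."""
    accepted, rejected, unknown = [], [], []
    for line in connections:
        verdict = classify_first_line(line)
        if verdict == "accept-irc":
            accepted.append(line)
        elif verdict == "reject-http":
            rejected.append(line)
        else:
            unknown.append(line)
    return accepted, rejected, unknown


if __name__ == "__main__":
    acc, rej, unk = triage(SAMPLE_CONNECTIONS)
    print(f"accepted={len(acc)} rejected-as-http={len(rej)} unknown={len(unk)}")
    for line in rej:
        print("dropped forced-browser connection:", line.strip())
```

Only the first line is inspected, so a real listener can apply this before any IRC state is created and close the socket immediately. Unknown openers are left for the normal IRC parser to handle rather than dropped, since some legitimate clients or proxies send non-standard preambles. On the browser side, Firefox's network.security.ports.banned preference lets an administrator add further ports that the browser refuses to connect to.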
Credit: The Register
Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targeting Microsoft’s web properties.
Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.
In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.
The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting “comments” on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.
Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft’s Live Spaces environment.
Whatever the distribution method, it’s clear these cybercriminals will continue to evolve new ways of advertising their bogus sites. An alert by eSoft containing screenshots of the fake pharma-punting blogs that have begun affecting Live Spaces can be found here.
Credit: The Register, Threat Center Live Blog
For years, the malware writers and criminals who run botnets have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.
IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.
And that’s the way it’s supposed to work everywhere. Applicants who can’t show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don’t have the resources to investigate every application as fully as they’d like.
The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they’ve taken a layer of potential problems out of the equation.
“It’s gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,” said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. “It takes one more level out of it: You own your own IP space and you’re your own ISP at that point.
“If there’s a problem, who are you going to talk to? It’s a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16. They’re not the Internet police,” Lanstein said.
The most famous example of this is the Russian Business Network case, in which a group of criminals was able to get a large amount of IP space by using an LIR to get an allocation from RIPE, the European RIR. The LIR gave RIPE documentation that supposedly showed a need for the allocation, and that’s as far as it went.
“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn’t until May 2008 that RIPE was able to close down the LIR and get the IP space back.
In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space. The RIR staff often will request a listing of each machine the organization has and may go as far as to request purchase receipts for the machines, as well, said John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), which is responsible for the U.S., Canada and parts of the Caribbean.
Criminals’ subversion of this process has become a major problem in some regions, particularly parts of Europe and the Caribbean, where dozens of jurisdictions and multiple languages make it confusing and difficult to track down exactly who is doing what online, security experts say.
“There are a lot of instances where they don’t go past the letter of justification,” Lanstein said. “There are plenty of IP allocations I can pull up and look at the domains and see that they’re total BS. U.S. data centers are much better, but in Europe there are so many languages and countries, it’s impossible for them to check everyone. And the bad guys know this.”
This set-up has become a useful tactic for the criminals running botnets and large spam and carding operations. Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There’s no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses.
“The policies for handing out IP space and verifying the people behind an application are global, they apply to all of the RIRs. But within that framework, there’s room for RIRs to set their own local policies too,” said Curran. “The bad news is, those policies are very local. How does someone verify an organization when in some regions they may only have written records and it’s a town of 2,000 people? It’s very difficult in Africa, parts of Europe, parts of the Caribbean. It’s very much the case that parts of our process are very hard to implement in other regions. Other regions have different ways of recording how a company is formed and they recognize very informal structures. The record-keeping is decentralized and it might take a while to determine who is behind a company.”
And once the IP space has been allocated, getting it back can be a long and arduous process. Criminals often will use a certain IP block for as long as it’s useful and profitable for them. But if security researchers and ISPs notice suspicious activity in a certain block, they will sometimes stop accepting traffic from it and block any traffic from their own networks to that block. This can be an effective tactic, but once the criminals abandon the IP space, it can take a long time for a legitimate business to be able to get traffic flowing there again.
“This is part of the problem that’s causing the IPv4 shortage,” Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. “They stop paying the bills, the space gets null-routed and then it’s a mess. There’s clear fraud going on, but who can do something about it?”
Credit: ThreatPost.com
Cybercrooks have begun punting World Cup ticket and HD TV viewing scams as a successor to earlier lottery-based cons.
The revision of earlier fraud follows the final draw for the 2010 World Cup last Friday. Now, in addition to the opportunity to “claim cash prizes” in a draw by South African Football Association they have never entered, prospective marks are also getting offers to “watch live games online”.
Victims of this particular scam pay to download an HD video player, which will supposedly come into its own next year, but actually receive only a rogue security (AKA scareware) product, net security firm McAfee warns. In addition, fake club offers, which promise desperate fans a chance to win match day tickets but are solely geared towards collecting subscriptions, have also begun springing up.
A blog post by McAfee illustrates these varied threats.
Football fans looking to buy tickets are advised to book through fifa.com or to obtain packages via local football associations or reputable travel agents. Unsolicited online offers are almost inevitably fake, and offers through auction sites are also fraught with risk.
Credit: The Register
A Swiss iPhone developer has released a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.
The application, called SpyPhone, uses the public iPhone API that Apple made available for application developers, and does not need any exploits or hardware attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone’s developer, Nicolas Seriot, exploited.
Seriot posted the source code for SpyPhone online and gave a talk about SpyPhone’s capabilities at a security conference this week. All of SpyPhone’s operations are conducted in the background, without the knowledge of the iPhone’s user, and the application can be set to email reports on each infected phone back to the attacker.
Once on the iPhone, the application begins looking at the stored data that’s available in various other programs, such as the email address book and the keyboard cache, which keeps a record of every keystroke the user enters in a non-password field, Seriot said. This data normally is used for the iPhone’s autocomplete feature, but can be a gold mine of information for an attacker searching for intelligence on the iPhone’s owner.
By default, the iPhone will tag any photos taken with the device with the date and location of the picture. The user can turn this feature off, but if it’s enabled, SpyPhone can access that data, as well as the log of which WiFi hotspots the device has connected to. All of this gives the attacker a better picture of the iPhone’s owner, his location and his interests, which is valuable data.
Apple has taken pains to keep strict control over what applications can run on the iPhone, but malicious apps have been found in the company’s AppStore in the past. And while Apple has to approve all of the programs in the AppStore, users who have jailbroken iPhones can run any app they choose on their devices. That leaves plenty of opportunity for seemingly innocuous apps that contain malicious components.
Credit: Threatpost.com
The Koobface botnet has pushed out a new component that automates the following routines:
Registering a Facebook account
Confirming an email address in Gmail to activate the registered Facebook account
Joining random Facebook groups
Adding Facebook friends
Posting messages to Facebook friends’ walls
Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.
Koobface accomplishes these malicious activities by automating Internet Explorer to create and register the account. It terminates the process, however, if the affected user is running Internet Explorer 6. It also checks whether it has already reached the maximum number of friend requests Facebook allows, so it stays under the radar and does not raise any alarm with Facebook administrators.
The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.
Facebook users are advised to be careful and security conscious. For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages: http://www.facebook.com/safety and http://www.facebook.com/security.
Credit: Trend Micro Malware Blog
A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye.
After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.
Almost immediately, the spam stopped, according to the M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.
The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark.
The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.
With Ozdok’s head chopped off, more than 264,000 IP addresses were found reporting to sinkholes under FireEye’s control, an indication of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with ISPs to identify the owners of the orphaned bots so they can clean up the mess.
FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn’t have a chance to counteract. “As it turns out, no matter how many fallback mechanisms are in place, if they aren’t all implemented properly, the botnet is vulnerable,” they wrote.
Credit: The Register
Facebook and MySpace have closed gaping security holes in their sites that gave attackers full access to accounts that had automatic-login features enabled.
The vulnerabilities were significant. Because the unauthorized access would be mapped to the victim’s IP address and website cookie, the intrusions would be virtually untraceable. Attackers were then free to upload photos and messages designated as private with no indication at all to the victim.
Facebook and MySpace closed the backdoors shortly after being notified, a marked improvement from the past, when the sites sometimes allowed serious security holes to persist for months. Still, it probably shouldn’t have taken an outsider to discover the bug. This is the latest episode to demonstrate that the only sure way to ensure that data is private is to keep it off social networking sites altogether.
The backdoors were the result of a misconfigured crossdomain.xml, the file websites use to let Adobe Flash content share data across domains. Some of the domains that were granted access exposed authentication tokens for accounts that had the auto-login feature turned on.
Facebook developers had blocked access from the main domain but failed to notice that the sensitive data was still accessible through Facebook subdomains. MySpace similarly locked its front door but left a window open at farm.sproutbuilder.com, which had full access to the data.
The holes could be exploited by luring victims to sites hosting a Flash application designed to grab the authentication information, the developer said.
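The two mistakes described above, a subdomain wildcard that is broader than the main-domain rule suggests and an allow rule for a third-party host, are both visible in the policy file itself. The following is an added example, not code from the article or from Facebook or MySpace: a small linter that parses a crossdomain.xml policy and reports the overbroad rules, with a permissive policy shown beside a restrictive one. All domain names in it are constructed.

```python
import xml.etree.ElementTree as ET

# Added example (not from the article): lint a Flash crossdomain.xml policy for
# the kinds of rules that exposed auto-login tokens in the incident described.

# Constructed permissive policy: wildcard, subdomain wildcard over HTTP, and a
# third-party host all granted access to authenticated responses.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-access-from domain="widgets.partner-host.example"/>
</cross-domain-policy>
"""

# Constructed restrictive policy: one named first-party host, HTTPS only, and
# no other policy file on the host allowed to widen access.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
"""


def is_first_party(domain: str, first_party_suffixes) -> bool:
    """True if the rule's domain (wildcard stripped) is one of our own suffixes."""
    host = domain[2:] if domain.startswith("*.") else domain
    return any(host == s or host.endswith("." + s) for s in first_party_suffixes)


def lint_crossdomain(policy_xml: str, first_party_suffixes) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    site_control = root.find("site-control")
    if site_control is None or site_control.get("permitted-cross-domain-policies") != "master-only":
        findings.append('no <site-control permitted-cross-domain-policies="master-only"/>: '
                        "another policy file on this host could widen access")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*": any site on the web can read authenticated responses')
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": every subdomain gets access, including any '
                            "that serves user-controlled content")
        if domain != "*" and not is_first_party(domain, first_party_suffixes):
            findings.append(f'domain="{domain}": third-party host granted access to this site')
        if rule.get("secure", "true").lower() != "true":
            findings.append(f'domain="{domain}" secure="false": plain-HTTP pages on that host '
                            "can reach HTTPS content")
    return findings


if __name__ == "__main__":
    ours = ("example.com",)
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}: {len(lint_crossdomain(policy, ours))} finding(s)")
        for f in lint_crossdomain(policy, ours):
            print("  -", f)
```

The first-party suffix list is the only site-specific input: a host such as farm.sproutbuilder.com in the MySpace case would be flagged as third-party simply because it is not under the site's own suffix, and a subdomain wildcard is flagged even when the suffix matches, because the article's Facebook case shows that a policy which looks scoped to the main domain still leaks through subdomains.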
Credit: The Register
Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. The phishing scam was originally thought to target just Hotmail users. It was brought to light when 10,000 Hotmail addresses were posted online at Pastebin, a website commonly used by developers to share code.
A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports. Both lists have been taken offline, so are no longer directly accessible.
A spokesperson for Microsoft said phishing was an “industry-wide problem”. “Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.”
Google has confirmed to BBC News that its e-mail system - Gmail - has been targeted as part of an “industry-wide phishing scheme”. The search giant said that it had taken immediate action to safeguard the affected accounts.
Yahoo also confirmed that an unspecified number of Yahoo webmail accounts were on the leaked list. It couldn’t confirm how many of the profiles were genuine:
We are aware that a limited number of Yahoo! IDs have been made public.
Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security. We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords. We also encourage our customers to review resources that provide guidelines on email safety.
Rik Ferguson, a security researcher at Trend Micro, said that the security firm had begun detecting spam sent through these compromised Hotmail accounts.
As many as two in five people use the same password for every site they use. That means access to a webmail account gives hackers a head start in accessing online banking or PayPal accounts linked to the same address. Underground bazaars and carder forums are full of sales of these more sensitive login credentials. Email addresses have been sold alongside purloined credit card numbers and online bank accounts for months if not years on such black market forums.
Credit: BBC News, The Register
Hackers have figured out how to create computer-generated Facebook profiles and are using them to trick unsuspecting users into installing malware, a security researcher warned Thursday.
The fraudulent profiles display the same picture of a blond-haired, blue-eyed woman, but with slightly different names and birthdates, said Roger Thompson, chief of research at security firm AVG Technologies. Each invites visitors to click on what purports to be a video link that ultimately tries to trick viewers into installing rogue anti-virus software.
AVG’s LinkScanner product, which monitors webpages in real time to make sure they’re not malicious, has encountered “hundreds” of separate pages. But because AVG only sees a page when one of its subscribers tries to click on one, Thompson suspects the total number of fake profiles is in the thousands.
“There are enough of them that it’s probably an indication of an automated attack. I just can’t see someone creating the same profile time after time after time,” Thompson said.
That means the attackers have figured out how to crack the captcha Facebook uses to ensure profiles are created by humans rather than by computer scripts, which automate the process so it can be carried out thousands of times.
If Thompson is correct, it’s by no means the first time hackers have figured out how to bypass the measure on a high-profile website. Captchas for Google Mail and Microsoft’s Windows Live email services have been successfully cracked before. In some cases, scripts that use optical recognition technology are suspected to be at work. In other cases, sweat shops that rely on people to solve the captcha puzzles are likely at play.
In any case, the availability of an unlimited number of fraudulent accounts is extremely valuable to scammers. Web-based email accounts typically get the green light from anti-spam products, and end users have an inherent, if misplaced, trust in social networking profiles.
Thompson’s report came the same day that the FBI issued this advisory warning people to be wary of fraud on social networking sites.
Facebook engineers are doing a good job killing the fake profiles, Thompson said. But at time of writing, many were still available, as pages like this one attest.
Credit: The Register