A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports. Both lists have been taken offline, so are no longer directly accessible.
Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. The phishing scam was originally thought to target just Hotmail users. It was brought to light when 10,000 Hotmail addresses were posted online at Pastebin, a website commonly used by developers to share code.
A spokesperson for Microsoft said phishing was an “industry-wide problem”. “Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.”
Google has confirmed to BBC News that its e-mail system - Gmail - has been targeted as part of an “industry-wide phishing scheme”. The search giant said that it had taken immediate action to safeguard the affected accounts.
Yahoo also confirmed that an unspecified number of Yahoo webmail accounts were on the leaked list. It couldn’t confirm how many of the profiles were genuine:
We are aware that a limited number of Yahoo! IDs have been made public.
Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security. We urge consumers to take measures to secure their accounts whenever possible, including changing their passwords. We also encourage our customers to review resources that provide guidelines on email safety.
Rik Ferguson, a security researcher at Trend Micro, said that the security firm had begun detecting spam sent through these compromised Hotmail accounts.
As many as two in five people use the same password for every site they use. That means access to a webmail account gives hackers a head start on any online banking or PayPal accounts linked to the same address. Underground bazaars and carder forums are full of sales of these more sensitive login credentials; email addresses have been sold alongside purloined credit card numbers and online bank accounts for months if not years on such black market forums.
Credit: BBC News, The Register
Hackers have figured out how to create computer-generated Facebook profiles and are using them to trick unsuspecting users into installing malware, a security researcher warned Thursday.
The fraudulent profiles display the same picture of a blond-haired, blue-eyed woman, but with slightly different names and birthdates, said Roger Thompson, chief of research at security firm AVG Technologies. Each invites visitors to click on what purports to be a video link that ultimately tries to trick viewers into installing rogue anti-virus software.
AVG’s LinkScanner product, which monitors webpages in real time to make sure they’re not malicious, has encountered “hundreds” of separate pages. But because AVG only sees a page when one of its subscribers tries to click on one, Thompson suspects the total number of fake profiles is in the thousands.
“There are enough of them that it’s probably an indication of an automated attack. I just can’t see someone creating the same profile time after time after time,” Thompson said.
That means the attackers have figured out how to crack the captcha Facebook uses to ensure profiles are created by humans, rather than computer scripts that automate the process so it can be carried out thousands of times.
If Thompson is correct, it’s by no means the first time hackers have figured out how to bypass the measure on a high-profile website. Captchas for Google Mail and Microsoft’s Windows Live email services have been successfully cracked before. In some cases, scripts that use optical character recognition are suspected to be at work. In other cases, sweat shops that rely on people to solve the captcha puzzles are likely at play.
In any case, the availability of an unlimited number of fraudulent accounts is extremely valuable to scammers. Web-based email accounts typically get the green light from anti-spam products, and end users have an inherent, if misplaced, trust in social networking profiles.
Thompson’s report came the same day that the FBI issued this advisory warning people to be wary of fraud on social networking sites.
Facebook engineers are doing a good job killing the fake profiles, Thompson said. But at time of writing, many were still available, as pages like this one attest.
Credit: The Register
An alleged copy of the UK postcode list has turned up on WikiLeaks, which claims to currently be hosting a database containing 1,841,177 Blighty postcodes “together with latitude and longitude, grid references, country, district, ward, NHS codes and regions, Ordnance Survey reference, and date of introduction”.
The list is a 241MB plain text file that runs to more than 100,000 pages and was last updated on 8 July. WikiLeaks has zipped the database up to 20MB and made it available for download via the site as well as providing a fast BitTorrent version of the file that can be grabbed over at The Pirate Bay.
According to the Guardian the Royal Mail made about £1.6m from licensing the Postcode Address File (PAF) database in 2007. This leak online isn’t that significant, however, given that it doesn’t contain the names and/or addresses of houses in each postcode that the PAF holds.
On the other hand, online availability of the PAF could prove a big blow to the Royal Mail, which has repeatedly ignored requests from freedom of information campaigners to publish the postcode database free of charge.
Campaigners have long argued that the PAF should be freely available to help businesses create services around the taxpayer-funded data, and while this leak might get a few wannabe-web entrepreneurs mildly excited, the real juicy postcode stuff remains locked behind closed doors - for now.
Royal Mail statement should be available soon.
Credit: The Register
Websense Security Labs has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country.
When Google is used to search for terms related to Labor Day sales, malicious URLs appear among the results, sometimes as high as the first result. Clicking an affected search result runs JavaScript that redirects the user to a Web site claiming their machine is infected with viruses, which then offers free (rogue/fake) AV software. AOL and ASK.com search results are affected in a similar way.
Screenshot of Web site hosting rogue AV:
Credit: Websense Security Labs
Miscreants have recently begun peppering Facebook with a variety of new phishing scams with sex, sex, sex and more sex featuring prominently.
One example involves a fake customer dispute application page, since pulled, that appeared to have a valid Facebook URL.
The content was actually hosted by Ripway hosting, a service that’s often used and abused by script kiddies, according to Chris Boyd of IM security firm FaceTime.
Boyd said that no Facebook application was involved in the scam, just a valid Facebook app URL and the Ripway hosted scam page.
“It seems someone set up an application developer account with Facebook, placed a fake ‘customer dispute page’ onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it,” Boyd added.
Another Facebook phishing threat discovered over the weekend involves messages and a rogue Facebook application. The ‘sex sex sex and more sex!!!’ app is sending out notifications that attempt to direct prospective marks to a credential harvesting site.
Ne’er-do-wells have taken steps to disguise the location users are directed towards, explains Rik Ferguson, a security researcher at Trend Micro.
“The hyperlinks in the notification both lead to a malicious website hosted on the fucabook.com domain,” Ferguson explains. “The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials.”
Harvesting credentials is not entirely new and often not an end in itself. Compromised accounts can be used to send spam or distribute perhaps more pernicious scams. The fact that many people use the same credentials on multiple websites opens up the means for hackers to break into webmail accounts. From there, they can find out what online banking or ecommerce accounts a prospective mark holds, before attempting to break into those accounts.
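Two of the items above describe the same mechanic from the defender’s side: a page that loads a script and then bounces the visitor somewhere else (the JavaScript redirect behind the poisoned Labor Day search results, and the fucabook.com page that meta-refreshes to the real Facebook login). The following is an added example, not code from The Register, Trend Micro or Websense, showing how a triage script can pull both kinds of redirect out of fetched HTML and escalate when the hosting domain is a typo-squat of the brand it forwards to. The sample pages, the brand list and the `.invalid` host are constructed for the example; the real pages are not reproduced here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (assumption: modelled on the descriptions in the
# text, not the real fucabook.com or poisoned-search pages).
SAMPLE_PHISH_HTML = """<html><head>
<script>document.cookie = "seen=1";</script>
<meta http-equiv="refresh" content="0;url=http://www.facebook.com/login.php">
</head><body>Loading...</body></html>"""

SAMPLE_SEO_HTML = """<html><head><script>
if (document.referrer.indexOf("google.") != -1) {
  window.location = "http://scanner-example.invalid/alert.php";
}
</script></head><body>Labor Day sales</body></html>"""

# Brands worth a lookalike check (assumption: a short list for the example).
BRANDS = ("facebook.com", "twitter.com", "hotmail.com", "gmail.com")


class RedirectFinder(HTMLParser):
    """Collect meta-refresh targets and simple JavaScript location assignments."""
    META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
    JS_LOCATION = re.compile(
        r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

    def __init__(self):
        super().__init__()
        self.targets = []          # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = self.META_URL.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so grep them for redirects.
        if self._in_script:
            for m in self.JS_LOCATION.finditer(data):
                self.targets.append(("js-location", m.group(1)))


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squats like fucabook.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Assumption: the last two labels approximate the registrable domain
    # (no public-suffix list here, so co.uk-style hosts are not handled).
    return ".".join(host.lower().split(".")[-2:])


def lookalike(host, brands=BRANDS, max_dist=2):
    """Return the brand a host imitates, or None if it is the brand or unrelated."""
    reg = registrable(host)
    for brand in brands:
        if reg == brand:
            return None
        if edit_distance(reg, brand) <= max_dist:
            return brand
    return None


def analyse(html, page_host):
    """List off-site redirects in a page; flag the lookalike-host-to-brand pattern."""
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    page_host = page_host.lower()
    imitated = lookalike(page_host)
    findings = []
    for kind, url in parser.targets:
        target = (urlparse(url).hostname or "").lower()
        if not target or target == page_host:
            continue   # same-site redirects are not interesting here
        note = f"{kind} -> {target}"
        if imitated and registrable(target) == imitated:
            note += f" (page host {page_host} imitates {imitated}: likely credential phish)"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for host, html in (("fucabook.com", SAMPLE_PHISH_HTML), ("blog.example", SAMPLE_SEO_HTML)):
        for finding in analyse(html, host):
            print(host, finding)
```

The regexes catch only the plain `location = "..."` and `meta refresh` forms; obfuscated scripts (string concatenation, `eval`, `setTimeout`) need a JavaScript engine rather than a grep, which is why the Websense and Trend Micro researchers observed the redirects in a browser rather than by reading source.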
Credit: The Register
Twitter was knocked offline on Thursday after the site became the victim of a distributed denial of service attack. Users of the micro-blogging service are used to seeing the fail whale, a graphic that appears when service is over capacity, but this time around the site was left completely unreachable from around 1500 on Thursday (UK time) for around 90 minutes.
A terse message on Twitter’s status blog initially said the site was down before adding “We are defending against a denial-of-service attack, and will update status again shortly”.
Graham Cluley, a security consultant at Sophos, initially said the hallmarks of the outage were not those of a planned downtime.
“Something has clearly gone wrong,” he said. “It could be human error or some other cause. We have nothing to indicate that the outage is caused by a security problem at this point.”
The outage has at least one positive effect. “All those Twitter addicts will be doing something more useful instead,” Cluley quipped.
As Twitter struggled to return to normal Thursday evening, a trickle of details suggested that the outage that left 30 million users unable to use the micro-blogging service for several hours may have been, at least in part, the result of a spam campaign that targeted a single user who vocally supports the Republic of Georgia.
According to Bill Woodcock, research director at the non-profit Packet Clearing House, the torrent of traffic that brought the site to its knees wasn’t the result of a traditional DDoS, or distributed denial of service attack, but rather people who clicked on a link in spam messages that referenced a well-known blogger called Cyxymu.
As spam goes, the emails looked benign enough. One of them carried the subject “Visit my blog” and contained the words “thanks for looking at my blog” in the body. They contained respective links to Cyxymu’s accounts on Twitter, Facebook, LiveJournal and YouTube, all of which also reported receiving abnormal amounts of traffic on Thursday.
“This was not like a botnet-style DDoS,” Woodcock told The Register. “This was a joejob where people were just clicking on links in email and the people clicking on the links were not malefactors. They were just the sort of idiots that click on links in email without knowing what they are.”
Joejobs are spam messages that are designed not to push Viagra but to induce someone to click on a link in the hopes of harming the site being linked to.
Twitter has so far said little on its blog and status page except that it spent much of the day fighting against a denial of service attack and that as late as 4:45 pm California time, latency problems were still causing some users to receive error pages. Company representatives didn’t respond to emails seeking comment.
The theory was backed by this article from CNET News, which quoted Facebook’s chief security officer saying the attacks targeting multiple websites all contained traffic linking to accounts held by Cyxymu.
“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Facebook’s Max Kelly told reporter Elinor Mills. “We’re actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can.”
Kelly made no reference to spam messages, so it remained unclear if the emails were the only cause of the mass requests to Cyxymu’s profiles or if there were other causes as well.
Cyxymu has long been viewed as an antagonist by some Russian supporters, who take issue with the blogger’s coverage of recent military conflicts in Georgia.
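Woodcock’s distinction between a botnet flood and a “joe job” flash crowd is one an operator can actually test for in the access logs, because the two leave different fingerprints: thousands of distinct clients each fetching the target once, with browser User-Agents and webmail referrers, versus a few sources repeating the same request with no browser identity. The following is an added example, not code from Twitter, Packet Clearing House or The Register, that profiles requests for one path in combined-format logs and applies that heuristic. The log lines, the webmail host list, the thresholds and the `/cyxymu` path are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Assumptions for the heuristic: referrers from webmail front ends mean
# "clicked a link in an email"; real browsers send a Mozilla-style User-Agent.
WEBMAIL_HOSTS = ("mail.google.com", "mail.yahoo.com", "mail.live.com", "webmail.aol.com")
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")

# Constructed sample (not real Twitter logs): ten different clients each
# fetching the targeted profile once, arriving from webmail.
JOEJOB_SAMPLE = [
    f'203.0.113.{i} - - [06/Aug/2009:15:0{i % 10}:00 +0100] "GET /cyxymu HTTP/1.1" 200 5120 '
    f'"https://{WEBMAIL_HOSTS[i % 2]}/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"'
    for i in range(1, 11)
]

# Constructed botnet-style flood: three sources hammering the same path with
# no referrer and no browser User-Agent.
BOTNET_SAMPLE = [
    f'198.51.100.{i} - - [06/Aug/2009:15:00:{n:02d} +0100] "GET /cyxymu HTTP/1.0" 503 0 "-" "-"'
    for i in range(1, 4) for n in range(15)
]


def parse(lines):
    """Yield one dict per log line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def profile(lines, path):
    """Summarise who is requesting `path` and where they say they came from."""
    per_ip = Counter()
    referrers = Counter()
    browser_ua = 0
    for rec in parse(lines):
        if rec["path"] != path:
            continue
        per_ip[rec["ip"]] += 1
        ref = rec["ref"] if rec["ref"] != "-" else ""
        ref_host = urlparse(ref).hostname or ""
        if ref_host in WEBMAIL_HOSTS:
            referrers["webmail"] += 1
        elif ref_host:
            referrers["other"] += 1
        else:
            referrers["none"] += 1
        if rec["ua"].startswith(BROWSER_UA_PREFIXES):
            browser_ua += 1
    total = sum(per_ip.values())
    return {
        "total": total,
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "webmail_ref_share": referrers["webmail"] / total if total else 0.0,
        "browser_ua_share": browser_ua / total if total else 0.0,
    }


def classify(p):
    """Flash crowd from a joe job vs. a bot-driven flood, on the signals above."""
    if p["total"] == 0:
        return "no traffic"
    avg_per_ip = p["total"] / p["distinct_ips"]
    # Thresholds are assumptions for the example, not measured values.
    if avg_per_ip <= 2 and p["browser_ua_share"] >= 0.8 and p["webmail_ref_share"] >= 0.5:
        return "flash crowd (joe job pattern)"
    if avg_per_ip >= 10 or p["browser_ua_share"] < 0.5:
        return "botnet-style flood"
    return "inconclusive"


if __name__ == "__main__":
    for name, sample in (("joe job", JOEJOB_SAMPLE), ("botnet", BOTNET_SAMPLE)):
        print(name, classify(profile(sample, "/cyxymu")))
```

Referrer and User-Agent are client-supplied, so a botnet that bothers to forge both would score as a flash crowd; treat the result as a triage hint that tells you which mitigation to try first (rate-limiting one profile page versus upstream filtering), not as proof of intent. That is the same gap the article leaves open when it notes that Kelly made no reference to the spam messages.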
Credit: The Register
The Koobface worm, which previously infected users of Facebook and MySpace, is spreading among users of micro-blogging website Twitter.
The scale of the attack is unclear but serious enough for Twitter to issue a warning on Friday morning, via the service’s status page:
Some users’ PCs have been infected with a variant of the Koobface malware. This malware sends bogus tweets when the user logs into Twitter.
We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC.
Koobface-related activity has been detected on Twitter before, but the latest assault has provoked a more concerted response from the micro-blogging service, including plans to temporarily suspend compromised accounts.
Accounts accessed from compromised PCs inject rogue updates into a Twitter stream, supposedly containing a link to a video but actually pointing towards one of around 20 sites loaded with exploit code that poses as a video codec. Windows users who follow these links and install the “codec” wind up getting infected with Koobface, restarting the whole infection cycle.
Some messages that point to exploit sites promise “michaeljackson’ testament on youtube” while others refer to “My home video :)”, Sophos reports, adding that users should avoid following malvertised links.
Panda Security reports that attempts to install rogue anti-virus (scareware) packages onto compromised machines are made, strongly suggesting that the attack is financially motivated.
Credit: The Register
Researchers from NetQin Tech. are reporting on a newly discovered mobile malware variant (Transmitter.C) distributed through a modified version of a legitimate mobile application. Upon execution, the malware attempts to spread automatically by sending hundreds of SMS messages linking to a web site where a copy of it (sexySpace.sisx) can be found.
NetQin’s CEO, Dr. Lin Yu, provided more insight into the nature of the malware and its financial implications for the infected user, as well as thoughts on the future of mobile malware.
A foreign variant of the earlier erotic short message virus (Transmitter.A), this virus camouflages itself as a normal third-party mobile phone application, “Advanced device locks”, to inveigle users into installing it. After installation, the virus starts automatically and accesses the network for about 3 minutes. It then sends short messages at intervals of 10 - 15 seconds. The communication record shows a large number of sent short messages, all to unfamiliar numbers, but it is completely impossible to find any record of them in the Sent Box.
After sending about 500 such short messages, the virus traverses the contact cards folder to send out further short messages. Furthermore, the virus can automatically identify the phone’s language and send different short message contents, including “Classic Gongfu stories, City passion, Wife change, School girl, Violent incest… Please immediately access?” and “A very interesting girl. Try it now!”, with a URL attached to each short message.
The virus runs up the user’s tariff by sending out short messages at such high frequency. In addition, it is very likely that the virus forcibly subscribes the user to some services, further consuming the user’s tariff.
Furthermore, the virus is transmissible. Using obscene short messages, it inveigles users into clicking the links in the message contents. Upon clicking such a link, a user downloads the virus to his/her mobile phone and becomes the next spreader. The virus can also be transmitted in the form of legitimate third-party software placed on websites and forums that offer mobile phone software for download.
Compared with previously discovered Symbian malware, Transmitter.C is even more transmissible and harmful: it not only has a corresponding server end for coordination, but can also adapt dynamically to the phone’s current language and thus send short messages to address lists and unfamiliar numbers in different languages. Furthermore, by using obscene short messages with links, it can inveigle users into clicking them for installation. If the virus reaches a mobile phone, it will bring tremendous economic loss and a reputation crisis to the user.
The virus can camouflage itself as legitimate software for transmission. Camouflage mode: the executable body of the virus attaches itself to normal software to inveigle users into installing it. This malicious software is designed to make commercial profit. Transmitter.C promotes some malicious links. Very likely, it forcibly subscribes the user to some services, thus consuming the user’s tariff; these malicious links may induce a user to download the virus to his/her mobile phone, so that this user becomes the next spreader.
Credit: ZDnet.com Security Blogs
Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family.
ESET estimates the size of Waledac’s botnet as tens of thousands of infected computers. More than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.
The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine’s day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.
Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!
Credit: ESET ThreatBlog
Credit: Websense
Miscreants have created a Michael Jackson mass-mailing worm. The malware follows a growing list of other hacking attacks in the wake of the superstar’s death last week and claims to offer secret songs and photos of Jackson in an attached zip file. In reality, the emails (which claim to come from sarah@michaeljackson.com) offer malicious code.
Prospective marks duped into opening the infected attachment on Windows machines get infected while further spreading the worm. The malware is also capable of spreading via USB memory sticks. The mass mailing worm - identified by Symantec as Ackantta-F - spreads in messages that typically bear the subject line “Remembering Michael Jackson.”
Ackantta is far from the only item of malware trying to ride on the coat-tails of Michael Jackson’s death. For example, an executable file posted on counterfeit photo-sharing sites was detected by F-Secure last week. The malware tried to establish a backdoor on compromised Windows PCs.
Separately, a domain loaded with exploit code - supposedly touting Jackson death conspiracy theories - is actually just an outlet for an exploit tool, Sunbelt Software warns. The domain, complete with Matrix-like animation, is running “Unique Pack” exploit package version 2. The malicious domain is being promoted via an enthusiastic spamming campaign.
Credit: The Register