A cross-site scripting worm spread through Twitter profiles for several hours on April 12. People started reporting that their profile had posted tweets without their knowledge. The messages looked like this:
Later on the messages morphed several times:
Many people followed the links to the promoted website, believing the messages to be genuine tweets from their friends. A cross-site script on the site then caused new users to start tweeting the same messages.
It is unclear if the spammed site was actually associated with the worm.
According to an explanation on DCortesi blog:
What’s happening here is that it looks like somebody realized they could save url encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the mis-leading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com.
It looked like Twitter had fixed the issue, but another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. Here’s one of the current variants:
Besides the “original” worm, supposedly written by a teenager, there are now copycats. The copycat Twitter XSS worms exploit the same vulnerability and most of the code is unchanged, but the new version has been run through an obfuscator to make analysis a bit harder.
It looks like the folks at Twitter are still fixing the vulnerabilities, so there are likely to be quite a few modified Twitter worms for a day or two. Twitter’s status blog said that they are currently addressing a new manifestation of the worm attack.
No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack, according to Twitter.
All these attacks are JavaScript-based, so if you are worried you can turn JavaScript off or use the NoScript Firefox add-on. That only protects the visitor, of course; the actual fix is on Twitter’s side, in how the profile field is escaped when it is re-displayed.
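The rendering flaw described in the DCortesi explanation above (a percent-encoded value saved to the profile URL field and written back into the page without escaping), shown as an added Python example beside its hardened form. This is illustrative code written for this digest, not Twitter’s code or the worm’s; the payload is constructed for the demo and the output markup, the scheme allowlist and the "show no link for an invalid value" policy are assumptions, not taken from the original report.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed payload (not the worm's actual code): a profile "URL" stored
# percent-encoded so that, once decoded for display, it closes the href
# attribute and injects a script element.
PAYLOAD = "http://example.com/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"

# Assumed policy: only plain http(s) links are ever rendered as a link.
_ALLOWED_SCHEMES = {"http", "https"}
# Whitespace, quotes, angle brackets, backslash and control characters have
# no business in a stored URL and are the usual attribute/tag breakout tools.
_BREAKOUT_CHARS = re.compile(r'[\s"\'<>\\\x00-\x1f]')


def render_profile_url_vulnerable(stored_value: str) -> str:
    """The flawed pattern: percent-decode what the user saved, then drop it
    into the markup without HTML escaping."""
    url = unquote(stored_value)
    return f'<a href="{url}">{url}</a>'


def is_safe_http_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host and no breakout characters."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in _ALLOWED_SCHEMES or not parts.netloc:
        return False
    return _BREAKOUT_CHARS.search(url) is None


def render_profile_url_hardened(stored_value: str) -> str:
    """Validate first, then escape for the attribute and text contexts.
    Escaping alone already neutralises PAYLOAD; validation additionally stops
    javascript: and similar schemes, which escaping does not address."""
    url = unquote(stored_value)
    if not is_safe_http_url(url):
        return ""  # assumed policy: render no link for an invalid value
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'


def escape_only(stored_value: str) -> str:
    """Escaping without validation, to show that step on its own."""
    safe = html.escape(unquote(stored_value), quote=True)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    print("vulnerable:", render_profile_url_vulnerable(PAYLOAD))
    print("escaped:   ", escape_only(PAYLOAD))
    print("hardened:  ", repr(render_profile_url_hardened(PAYLOAD)))
```

Run it and the vulnerable renderer emits a live `<script>` element while the escaped form emits `&lt;script&gt;` as inert text. The hardened version is the one to copy: escape in the context you are writing into (here an attribute and element text) and reject anything that is not a plain http(s) URL, since escaping does nothing against a `javascript:` link that the browser is happy to follow.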
F-Secure detects the script file as Worm:JS/Twettir.A.
Credit and screenshots: Mikko, F-Secure Weblog
Credit: DCortesi.com Blog
Credit: SANS Internet Storm Center
The Foreign and Commonwealth Office (FCO) has warned Brits and others to ignore a phishing scam currently circulating around the internet.
Scam emails attempt to trick users into submitting personal data, in exchange for a chance to benefit from a fictitious “Recession Relief Programme Fund”. The bogus emails purport to come from Foreign Secretary David Miliband and feature subject lines such as “Global economic crisis relief aid”, as explained in an FCO warning here, issued on Monday.
The stimulus package announced by government leaders at the G20 conference last month makes the attempted FCO-themed fraud timely, without making it any more plausible. Most internet savvy users would smell a rat a mile off, but it only takes a tiny fraction to respond to make the ruse worthwhile for cybercrooks. Trend Micro notes the ploy is similar to “Obama Stimulus Check” scam emails spammed out in January.
Phishing scams began as an attempt to trick the gullible into handing over login credentials for online banking or PayPal accounts under the guise of security checks.
Over the years the brands targeted by such attacks have expanded to include a much wider range of e-commerce outlets and, more occasionally, as with the latest example, messages posing as coming from government departments. Government-themed phishing scams used to offer tax refunds, but now we’re seeing examples of supposed grant offers, another sign that fraudsters are adapting to the recession.
Phishing scams in general are more frequently targeted towards consumers, but businesses are not immune to getting taken to the cleaners either.
Credit: The Register
Match.com, an online dating service with reportedly more than 15 million members from 37 countries, is being impersonated by miscreants to infect users with malware. Websense Security Labs has observed a new spam campaign aimed at Match.com users that spreads a password-stealing trojan called Papras.
On April 7, 2009, Websense received thousands of malicious emails in its email honeypot system. The emails claim that someone wants to show the user her pictures and videos, and lure the user into visiting a website set up by the attacker. When the user starts the video on the website, they are asked to install a streaming video player (a malicious file called ADOBE_PlayerInstallation.exe) which is actually a trojan with relatively low AV detection, according to VirusTotal (only the engines that flagged it are listed):
Antivirus / Version / Last update / Result
BitDefender 7.2 2009.04.08 Trojan.PWS.Papras.V
eSafe 7.0.17.0 2009.04.07 Suspicious File
F-Secure 8.0.14470.0 2009.04.08 Trojan-PSW:W32/Papras.DS
GData 19 2009.04.08 Trojan.PWS.Papras.V
McAfee+Artemis 5577 2009.04.07 Generic!Artemis
Prevx1 V2 2009.04.08 High Risk System Back Door
Sophos 4.40.0 2009.04.08 Mal/EncPk-HJ
Symantec 1.4.4.12 2009.04.08 Infostealer
VBA32 3.12.10.2 2009.04.08 suspected of Malware-Cryptor.Win32.General.3
Easter is around the corner and, as expected, attackers have already started to poison search engine results to redirect users to websites that deliver misleading applications. Various Easter-related search keywords have been poisoned so that links to rogue websites are returned in the search listings. Some examples of poisoned keywords are:
Easter verse
Popular Easter Bible verse scriptures
Easter greeting card verses
Easter Bible verses
Easter verses poems
Bible Easter verse
Easter-Bible
Easter Bible quotes
Here is a Google search results example (do not visit those sites):
Attackers are using various tricks, such as referrer checking, in order to evade security researchers: the bogus site inspects the HTTP Referer header and serves different content depending on where the visitor came from. If the bogus domains returned in the search listing are visited directly, the visitor sees a page stuffed with Easter-related keywords and links, there only to bolster the page’s search ranking. However, if the bogus links are clicked on from the search engine results, users are redirected to malicious websites delivering misleading applications. In addition, the attackers are sending “no-store, no-cache” in their HTTP Cache-Control headers so that these malicious pages are not stored or cached, which keeps copies out of browser and proxy caches where they might otherwise be examined. Below are a couple of snapshots of the poisoned search results:
The bogus domains host a redirector script that sends users to a website displaying a fake antivirus “scan” screen, which then delivers the rogue application.
Many of these bogus domains in question are currently redirecting to wikipedia.org, which most likely means that the attackers will change the redirection to point to malicious domains sometime in the future.
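A model of the referrer-checking cloaking described above, together with the two-request probe an analyst uses to expose it, as an added Python example (written for this digest, not code recovered from the bogus domains). The search-engine list, the redirect target scanner.example, the keyword page text and the in-process `offline_fetch` stand-in for an HTTP client are all constructed assumptions; only the behaviour (keyword page for direct visits, redirect for search-engine arrivals, `no-store, no-cache` on both) comes from the text.

```python
from urllib.parse import urlsplit

# Referrer hosts the cloaking logic treats as "arrived via a search engine"
# (assumed list; the real script may match differently).
SEARCH_ENGINE_DOMAINS = ("google.com", "bing.com", "yahoo.com", "live.com")

# Constructed values for the demo, not from the original page.
SCAREWARE_URL = "http://scanner.example/scan.php"
KEYWORD_PAGE = ("<html><body>Easter Bible verses, Easter greeting card verses, "
                "Easter verses poems ...</body></html>")
NO_CACHE = "no-store, no-cache"


def came_from_search_engine(referer):
    """True if the Referer header names a search-engine host."""
    if not referer:
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)


def cloaking_handler(request_headers):
    """Model of the attacker's server-side logic described in the text.

    Direct visits (researchers, crawlers, anyone typing the URL in) get the
    keyword-stuffed page that props up the search ranking; visitors arriving
    from a search results page get a redirect to the scareware site.  Both
    responses carry Cache-Control: no-store, no-cache so neither is retained
    by browsers or proxies.  Returns (status, headers, body)."""
    headers = {"Cache-Control": NO_CACHE}
    if came_from_search_engine(request_headers.get("Referer")):
        headers["Location"] = SCAREWARE_URL
        return 302, headers, ""
    return 200, headers, KEYWORD_PAGE


def probe_for_cloaking(fetch, url):
    """Analyst-side check: request the URL twice, once as a direct visit and
    once claiming to come from a Google search, and compare the responses.
    `fetch(url, headers)` must return (status, headers, body)."""
    direct_status, direct_headers, direct_body = fetch(url, {})
    search_status, search_headers, search_body = fetch(
        url, {"Referer": "http://www.google.com/search?q=easter+bible+verses"})
    return {
        "cloaked": (direct_status, direct_headers.get("Location"), direct_body)
                   != (search_status, search_headers.get("Location"), search_body),
        "redirect_target": search_headers.get("Location"),
        "no_cache": "no-store" in search_headers.get("Cache-Control", ""),
    }


def offline_fetch(url, headers):
    """Stand-in for a real HTTP client so the probe runs without a network;
    a real client would send the same headers to the bogus domain."""
    return cloaking_handler(headers)


if __name__ == "__main__":
    print(probe_for_cloaking(offline_fetch, "http://bogus.example/easter-verses"))
```

The lesson for anyone triaging poisoned results: a single fetch of the bogus domain tells you nothing, because the page you get depends on the Referer you send. Always request it twice (with and without a search-engine referrer) and diff the responses, and do it in an isolated environment, since the second request is the one that lands on the scareware site.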
Credit: Security Response Blogs, Symantec
The growing trade in rogue security software is being driven by the gaming of search engines to direct surfers to sites peddling scareware.
Scareware affiliate networks are using black-hat search engine optimisation techniques to drive traffic volumes. To promote their wares, these well-organised cybercrooks are compromising legitimate websites and injecting links to SEO-targeted pages which include repetitive references to popular search terms.
The tactic means that compromised websites appear at the top of search results. This black-hat SEO technique sent almost half a million Google searches to compromised sites, according to stats found on a cybercrime server by net security firm Finjan. A total of 1.8m unique users were diverted to sites peddling rogue anti-virus software during 16 consecutive days.
Scareware applications typically try to frighten users into believing their PCs are riddled with malware, even if their computer is clean, as a ploy designed to trick people into purchasing ineffective clean-up tools.
Between 7 and 12 per cent of surfers visiting sites punting scareware packages installed the trial version of the fake software, with 1.79 per cent paying $50 for software of little or no utility.
Members of the scareware affiliate network made 9.6 cents per redirection, raking in a total of $172,800, or $10,800 per day, over the 16 days of the scam, Finjan estimates.
According to a study by the Anti-Phishing Working Group, published last week, the number of rogue anti-malware programs in circulation rose from 2,850 in July to 9,287 in December 2008, more than tripling in the space of only six months.
Campaigns driving traffic to sites punting scareware packages have been themed around the tragic death of actress Natasha Richardson and the recent confusion around the Norton forum ‘Pifts’ purge, which followed in the wake of an accidental distribution of an unsigned program update by Symantec.
Credit: The Register
Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker’s choice simply by clicking on a link. It could be used to spawn a self-replicating worm.
The XSS, or cross-site scripting, error was discovered by Secure Science Corp researchers Lance James and Eric Wastl, who have fashioned this link to demonstrate their finding. Clicking on it while logged in to Twitter causes users to immediately broadcast an innocuous message to all of their followers, as this dummy account shows.
Of course, it would be just as easy to craft links that do considerably more damage. Tweets are limited to just 140 characters, making it almost mandatory to use shortened URLs that obscure their final destination. While it’s possible to preview the link before visiting, many Twitter users have grown so accustomed to them they click on them directly.
As the user base of Twitter has skyrocketed, so too have attempts to exploit the site. Hackers have waged cat-and-mouse attacks on the site using so-called clickjacking exploits that, like the XSS vulnerability exposed by James and Wastl, forced logged-in users to tweet simply by clicking on an innocent-looking button. Twitter has been quick to patch the vulnerabilities, but the hackers have been known to launch new attacks that work around the countermeasures.
More than 15 hours after this story was first published, the gaping hole remained.
Credit: The Register
The Federal Trade Commission is warning against a boom in new online scams that promise government grants to aid cash-strapped consumers. Cybercriminals, as expected, are jumping on the economic-recession bandwagon. Trust these fraudsters to take advantage of and cash in on the global recession.
These include spammed email messages containing links to websites that purport to provide information on how to qualify for the economic stimulus package. Instead, these sites download spyware onto the affected user’s system.
Sample spammed message:
A number of malicious websites could also be posing as pages of government agencies, some complete with logos of various news networks, or even a photo of a smiling President Barack Obama urging users to claim their “free grant money.”
These sites promise free information on how to obtain the stimulus money in exchange for the user’s personal information, including name, employment status, salary range, and bank account details. This information is supposedly needed to gauge whether the prospective victim qualifies for a grant, but in reality scammers and phishers sell these stolen details in underground markets or use them to break into bank and other online accounts.
The FTC is advising individuals who have divulged their personal and banking information to such sites to check their bills for unauthorized charges. Trend Micro continues to monitor the Web for recession-related threats as cybercriminals are expected to ride on the popularity of this global concern.
Credit: Ailene Dela Rosa, Technical Communications, Trend Micro
Twitter users were hit by a new series of attacks on Friday. The subscribers received malicious messages from compromised accounts inviting them to visit a pornographic website. The messages, which posed as tweets, tried to tempt users into visiting a site called chatwebcamfree.com.
Twitter confirmed around 750 accounts were hit during the attack. Passwords of affected profiles have been reset so as to restore control of the profiles to their rightful owners. Victims of the attack included technology journalist Dennis Howlett.
It’s unclear how the compromised accounts were hacked in the first place.
Sophos notes that the same website was recently promoted in spam messages sent through Facebook. The mechanism of that attack isn’t clear either, but using phishing tactics to obtain login credentials prior to sending spam messages has been used in previous junk message attacks involving Facebook and is the favoured explanation this time around.
The latest Twitter attack comes hot on the heels of an SMS spoofing attack and shortly after an even more high-profile attack back in January.
Credit: The Register
A new strain of the Koobface worm is spreading across numerous social networking sites. The malware posts invitations to the friends of infected users inviting them to view a video. The linked website tries to trick prospective marks into believing they need an updated version of Adobe Flash Player plugin to view the clip. The software offered is, of course, loaded with Windows-specific Trojan code. This malware establishes a back-door on compromised Windows machines.
The first link takes the victim to a site supposedly hosting a video posted by the same person who sent the message. Not only does the malicious landing page display that person’s name, it has also pulled the photo from his Facebook profile. This social engineering trick is meant to make the victim believe that it really is the friend who sent the message.
Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ by Trend Micro. It is hosted on as many as 300 unique IP addresses, and the number will probably grow. All IP addresses seen hosting the malicious file are now detected as HTML_KOOBFACE.BA by Trend Micro.
Analysis reveals that WORM_KOOBFACE.AZ propagates through facebook.com, hi5.com, friendster.com, myyearbook.com, myspace.com, bebo.com, tagged.com, netlog.com, fubar.com and livejournal.com. It first searches the infected machine for cookies created by those sites. The worm then connects to each site using the session credentials stored in the gathered cookies. It searches for the infected user’s friends, who are then sent messages containing a link from which a copy of the worm is downloaded. It also sends and receives information from the infected machine by connecting to several servers, which allows the attackers to execute commands on the affected machine.
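The propagation behaviour just described leaves a recognisable footprint in outbound web logs: one client posting to several of the listed social networks in quick succession, shortly after fetching a setup.exe from a bare IP address. The following Python is an added detection example written for this digest (not Trend Micro’s signature or any Koobface code) that runs that logic over a few constructed proxy log lines. The log format, the request paths, the client addresses, the 203.0.113.45 download host and the thresholds (three networks within ten minutes) are all assumptions; the list of target domains and the setup.exe-on-IP-address pattern come from the text.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Social networks the analysis lists as propagation targets for WORM_KOOBFACE.AZ.
KOOBFACE_SITES = {
    "facebook.com", "hi5.com", "friendster.com", "myyearbook.com", "myspace.com",
    "bebo.com", "tagged.com", "netlog.com", "fubar.com", "livejournal.com",
}

# Constructed proxy log lines: "timestamp client method url".  Paths are
# illustrative, not the sites' real message endpoints; 203.0.113.45 is a
# documentation address standing in for one of the ~300 hosting IPs.
SAMPLE_LOG = """\
2009-03-05T10:00:01 10.0.0.7 GET http://www.facebook.com/home.php
2009-03-05T10:00:09 10.0.0.7 GET http://203.0.113.45/setup.exe
2009-03-05T10:01:12 10.0.0.7 POST http://www.facebook.com/message/send
2009-03-05T10:01:40 10.0.0.7 POST http://www.myspace.com/mail/send
2009-03-05T10:02:05 10.0.0.7 POST http://www.bebo.com/mail/SendMail
2009-03-05T10:02:30 10.0.0.7 POST http://hi5.com/friend/message/send
2009-03-05T10:03:00 10.0.0.9 GET http://www.facebook.com/home.php
2009-03-05T10:03:30 10.0.0.9 POST http://www.facebook.com/message/send
2009-03-05T11:30:00 10.0.0.9 POST http://www.myspace.com/mail/send
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def registered_domain(host):
    """Collapse www.facebook.com -> facebook.com (good enough for this list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse(log_text):
    """Yield (timestamp, client, method, split_url) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not match the assumed format
        ts, client, method, url = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, urlsplit(url)))
    return events


def detect_koobface_activity(log_text, min_sites=3, window=timedelta(minutes=10)):
    """Return (client, reason) alerts for the two indicators described above."""
    alerts = []
    posts = defaultdict(list)  # client -> [(timestamp, registered domain)]
    for ts, client, method, u in parse(log_text):
        host = u.hostname or ""
        # Indicator 1: the dropper, setup.exe served straight from an IP address.
        if method == "GET" and is_bare_ip(host) and u.path.lower().endswith("/setup.exe"):
            alerts.append((client, f"setup.exe downloaded from bare IP {host}"))
        # Indicator 2: message posts fanning out across the target networks.
        domain = registered_domain(host)
        if method == "POST" and domain in KOOBFACE_SITES:
            posts[client].append((ts, domain))
    for client, items in posts.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window over the posts
            sites = {d for t, d in items[i:] if t - t0 <= window}
            if len(sites) >= min_sites:
                alerts.append((client, f"POSTs to {len(sites)} social networks within {window}"))
                break
    return alerts


if __name__ == "__main__":
    for client, reason in detect_koobface_activity(SAMPLE_LOG):
        print(client, "-", reason)
```

On the sample log only 10.0.0.7 is flagged, on both counts; 10.0.0.9 posts to two networks an hour and a half apart, which is what a human does, and stays quiet. Tune `min_sites` and `window` to your own traffic before relying on the second rule, and treat the bare-IP executable download as the higher-confidence signal.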
The attack follows the appearance last week of two rogue applications, “Error Check System” and “Facebook closing down”, which used misleading messages in order to hoodwink users into activating software packages. Neither app spread malware as such, but Error Check System has been linked to indirect attempts to attract surfers to sites punting rogue anti-malware (AKA scareware) packages.
Credit: Rik Ferguson, Trend Labs
Credit: The Register
Scoundrels have created another rogue Facebook application, the second to hit the social networking site in less than a week. In the second attack, Facebook users receive notices that they have supposedly been reported for violating the social networking site’s terms of service by someone in their friends list. A link in the notification leads to an application called “f a c e b o o k - - closing down!!!” which, once installed, spams all of the affected user’s friends with the same message.
Last weekend a similar application called Error Check System, which posed as notification of errors in a Facebook user’s profile, used almost identical tricks to spread itself across Facebook.
Searches for the phrase “Error Check System” via Google and the like returned numerous results linking to sites punting rogue antivirus (aka scareware) packages. Security watchers cite this as support for the theory that black-hat search engine optimisation may have been the real motive behind the attack.
The rationale behind the latest (eerily similar) scam is unclear, with an attempt to harvest personal information or to build up a database for subsequent spamming among the possibilities. The attack kicked off on Thursday, but has already spawned a Facebook group for victims.
Security watchers urge Facebook to become more active in vetting applications. “These two events in just a single week mean that it’s about time that Facebook reviews its application hosting policy,” said Rik Ferguson, senior security advisor at Trend Micro. “Prevention of rogue applications with extremely dubious intent to propagate freely within the site is needed.”
Credit: The Register