CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 22nd, 2012

UK Is Sixth In The World As Cyber Crime Target, Cyber Security Is Not Marketed Enough

UK ministers have recently suggested that there should be better awareness of the importance of cyber security.

Although it is conventionally the older generations who are wary of sharing their details in the new digital world, being more cautious is perhaps not such a bad thing.

Jim Murphy, the Shadow Secretary of State for Defence, recently said that cyber security could be the “arms race of the 21st century” – and he isn’t wrong.

In fact, he went on to say that the UK is particularly vulnerable to cyber attacks, ranking sixth in the world as a cyber crime hotspot, suffering losses of £27 billion a year.

Taking this startling statistic on board, action is clearly needed. Without getting too political, the government is currently making a number of cuts across the country in order to save money and reduce national debt. Imagine what a difference it could make if this loss could be prevented.

The government has been urged to start a campaign along the same lines as the drink-driving campaigns launched in the past few years, with the aim of raising awareness of the devastating implications of drinking and driving.

Those promotions were created with the intention of shocking the audience into taking notice and that’s what is needed here.

It is not something that a government can do alone after all. It is important that the defence systems in the UK – or any country hoping to protect themselves – aren’t vulnerable to others. But this also goes for business and personal users of the internet.

Information on security, and on how to remain safer online, is easily accessible, but many don’t know what to look for, where to find it, or why they should. For many, the only warning is the terms and conditions, which very few people actually read.

For the everyday user, losing a few pounds to a hacker may not be the end of the world, no matter how frustrating. It of course means having to change your details, but in most cases banks will reimburse the amount. On a larger scale, however, the amounts build up, and if a bank itself is hacked, this affects everyone.

Mr Murphy recommended that a ‘kitemarking’ system be put in place for businesses, to offer an incentive to take more action.

He said: “Kitemarks for those with high standards of cyber security must become a reality across the private sector. The defence industry is one of the most at risk sectors and so the Ministry of Defence could work with business to set a series of benchmarks for firms’ cyber security performance which would be taken into account when making procurement decisions.”

Essential information will find its way to the largest, well-backed organisations, but the general public needs awareness and guidance.

As previously mentioned, it is usually the older generations who are wary of the online world, but perhaps the rest of us are too keen to disclose all of our personal details: particularly when you consider that simply answering a few basic questions could give someone access to your online banking password.

Whether this campaign happens or not, there is certainly a need for a service of this nature if we are to continue to become more digital in the upcoming years. Looking back only a few short years, it would have appeared very odd to do all your banking or shopping on the web – a concept that is now normal. Times are changing, and training in some sense may be required for everyone to be kept up to speed.

Either way, at least the government is acknowledging this and is trying to think of ways that improvements could be made.

In fact, Mr Murphy spoke just one day after the Ministry of Defence budget was announced for next year, with a focus on cyber security and listening to younger generations to know what is “really happening out there.”

More on CyberInsecure:
May 17th, 2012

Hijacked High-Ranked Sites Serve Malicious, Illegal Content, Blacklisted By Google

Researchers have found that Google Safe Browsing has blacklisted a number of legitimate sites after they’ve been hijacked and set up to serve malicious or illegal content. Many of them are ranked high, according to Alexa.

Zscaler experts scanned the Alexa top 1 million websites and found that 621 of them are blacklisted by Google, even though some of them are legitimate websites visited by numerous users every day.

Rank     Domain                Threat                Comment
6,239    subtitleseeker.com    Malicious JavaScript  Hijacked
18,784   financereports.co     Scam                  Work from home scam
35,610   tryteens.com          PDF malware           Porn
41,560   iranact.co            Malicious JavaScript  Hijacked
47,016   creativebookmark.com  Fake AV               Hijacked
52,409   ffupdate.org          Adware download       -
52,431   vegweb.com            Malicious JavaScript  Hijacked
53,902   delgets.com           Malicious JavaScript  Hijacked
78,202   totalpad.com          Fake AV               Hijacked
81,403   kvfan.net             Malicious JavaScript  Hijacked
82,344   hgk.biz               Malicious JavaScript  Hijacked
83,858   youngthroats.com      Malicious IFRAME      Porn
125,305  metro-ads.co.in       Malicious JavaScript  Hijacked
133,455  salescript.info       Malicious JavaScript  Hijacked

For instance, subtitleseeker.com, a website that offers subtitles for movies and TV shows, is ranked 6,239. By nature, the site is not malicious in any way, but that doesn’t prevent Google from cataloging it as being so once it detects abnormal activity on it.

According to Zscaler, Subtitle Seeker has been compromised and altered to host a malicious JavaScript.

Other examples include sites that promote “work from home” scams, adult content, and fake antivirus software, but the majority of them have been simply altered to push malicious PDF files, adware, and other types of malware.

Some of them were blacklisted because they were found to contain iframes and JavaScripts that weren’t exactly added to serve a noble purpose.

Government sites are always tempting to cybercriminals. The same researchers recently found a French government website and one from China, both containing pieces of JavaScript added by the attackers.

Statistically speaking, most of the blacklisted domains are hosted in the United States, followed by Germany, France, the Netherlands and China.

Experts advise administrators to regularly verify their websites’ integrity, otherwise all their hard work could go down the drain in an instant once Google identifies the site as malicious.
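One way to do the integrity check the researchers recommend, as an added example that is not code from the article or from Zscaler: keep a known-good copy of each monitored page and diff the script and iframe references in the live copy against it, flagging anything new that points off-site. The HTML below is constructed; the monitored site host `example.com` and the hostile hosts are placeholders.

```python
"""Flag injected <script>/<iframe> references by diffing a page against a baseline.

Added example, not from the article. The baseline/hijacked HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RefCollector(HTMLParser):
    """Collect external script/iframe sources and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()        # {(tag, src)}
        self.inline_scripts = []     # bodies of <script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.external.add((tag, a["src"]))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf).strip())


def collect(html):
    p = RefCollector()
    p.feed(html)
    p.close()
    return p


def is_offsite(src, site_host):
    """True when src points at a host other than the site or its subdomains."""
    host = urlparse(src).netloc.lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def audit_page(baseline_html, current_html, site_host):
    """Return (severity, description) findings for references absent from the baseline."""
    base, cur = collect(baseline_html), collect(current_html)
    findings = []
    for tag, src in sorted(cur.external - base.external):
        sev = "HIGH" if is_offsite(src, site_host) else "MEDIUM"
        findings.append((sev, f"new <{tag}> src={src}"))
    known_inline = set(base.inline_scripts)
    for body in cur.inline_scripts:
        if body not in known_inline:          # any new inline script is suspect
            findings.append(("HIGH", f"new inline script: {body[:40]}"))
    return findings


# Constructed known-good page and a constructed hijacked copy with an added
# off-site script and a zero-size iframe, the pattern the article describes.
BASELINE = """<html><head><script src="/js/app.js"></script></head>
<body><h1>Subtitles</h1><script>var page=1;</script></body></html>"""

HIJACKED = """<html><head><script src="/js/app.js"></script>
<script src="http://malicious.example/x.js"></script></head>
<body><h1>Subtitles</h1><script>var page=1;</script>
<iframe src="http://evil.example/i.html" width="0" height="0"></iframe></body></html>"""

if __name__ == "__main__":
    for sev, what in audit_page(BASELINE, HIJACKED, "example.com"):
        print(sev, what)
```

In production the baseline would be refreshed on every legitimate deploy, so that only unexpected changes raise an alert.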

Credit: Softpedia.com News, research.zscaler.com

More on CyberInsecure:
April 5th, 2012

Apple Plugs Java Hole After Flashback Trojan Creates 550,000 Strong Mac Botnet

Apple released a security update for OS X Java on Tuesday, plugging a security vulnerability exploited by the latest Flashback Trojan. The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507) which was patched on Windows machines more than six weeks ago.

Apple’s new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection.

Doctor Web, a Russian anti-virus vendor, conducted research to determine how widely the Flashback Trojan had spread on Mac OS X. The BackDoor.Flashback botnet now encompasses more than 550 000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.

Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java applet containing an exploit. Doctor Web’s virus analysts discovered a large number of websites containing the code. The recently discovered ones include:


According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.

Attackers began to exploit the CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread the malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507). Apple closed that vulnerability only on April 3, 2012.

The exploit saves an executable file onto the hard drive of the infected Mac. The file is used to download a malicious payload from a remote server and to launch it. Doctor Web found two versions of the Trojan horse: attackers started using a modified version of BackDoor.Flashback.39 around April 1. Like the older versions, the launched malware first searches the hard drive for the following components:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If none of these files is found, the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to the intruders’ statistics server and then queries the control server addresses in turn.

It should be noted that the malware uses a very peculiar routine for generating such addresses. It can also switch between several servers for better load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and then, if the check succeeds, downloads and runs the payload on the infected machine. It can fetch and run any executable specified in a directive received from a server.

Each bot includes a unique ID of the infected machine in the query string it sends to a control server. Doctor Web’s analysts used a sinkhole to redirect the botnet traffic to their own servers and were thus able to count infected hosts.

Over 550 000 infected machines running Mac OS X were part of the botnet on April 4. These comprise only the segment of the botnet set up by means of this particular BackDoor.Flashback modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8%, or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is fourth.
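The sinkhole counting described above, as an added example that is not Doctor Web’s code: each check-in carries a per-machine ID, so the host count is the number of distinct IDs, not the number of requests or source IPs. The log lines are constructed; the query parameter name `uid`, the combined log format and the IP-to-country table (built on RFC 5737 documentation prefixes) are assumptions, since the article names none of them.

```python
"""Count infected hosts from sinkhole web-server logs by unique bot ID.

Added example, not Doctor Web's code. Assumptions: the bot ID is sent in a
query parameter named ``uid`` and the sinkhole logs in combined log format.
Sample log lines and the IP-to-country table are constructed.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

BOT_ID_PARAM = "uid"   # assumed name of the per-machine ID parameter

# Constructed log: one host beaconing repeatedly and moving between two IPs,
# two hosts behind one NAT address, and a crawler request with no bot ID.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Apr/2012:10:01:02 +0000] "GET /search?q=1&uid=A1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Apr/2012:10:06:02 +0000] "GET /search?q=2&uid=A1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.77 - - [04/Apr/2012:11:00:00 +0000] "GET /search?q=3&uid=A1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.5 - - [04/Apr/2012:10:02:15 +0000] "GET /search?uid=B2 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.5 - - [04/Apr/2012:10:02:40 +0000] "GET /search?uid=C3 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2012:10:03:00 +0000] "GET /search?uid=D4 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2012:10:03:30 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "crawler/1.0"
"""

# Constructed IP-to-country table; a real sinkhole would use a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("192.0.2.0/24"): "GB",
}


def country_for(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def bot_id_from_target(target):
    ids = parse_qs(urlparse(target).query).get(BOT_ID_PARAM)
    return ids[0] if ids else None


def count_infected_hosts(log_text):
    """Return (unique_hosts, per_country Counter, beacons_seen, lines_ignored)."""
    first_seen_country = {}
    beacons = ignored = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        bot_id = bot_id_from_target(rec["target"]) if rec else None
        if bot_id is None:          # unparsable line or no bot ID: scanner/crawler noise
            ignored += 1
            continue
        beacons += 1
        # Attribute each host to the country of the IP it first reported from,
        # so a host that changes address is still counted exactly once.
        first_seen_country.setdefault(bot_id, country_for(rec["ip"]))
    return (len(first_seen_country), Counter(first_seen_country.values()),
            beacons, ignored)


if __name__ == "__main__":
    hosts, per_cc, beacons, ignored = count_infected_hosts(SAMPLE_LOG)
    print(f"{beacons} beacons from {hosts} unique hosts ({ignored} lines ignored)")
    for cc, n in per_cc.most_common():
        print(f"  {cc}: {n} ({100 * n / hosts:.1f}%)")
```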

In related news, Mozilla introduced changes in Firefox on Monday that will block older versions of Java that harbour critical vulnerabilities, specifically the increasingly infamous CVE-2012-0507 security flaw. “Blocklisting” forbids outdated plugins from running, unless specific approval is given. Mozilla has only introduced the technology into Windows versions of its open-source browser software, leaving Mac users without the added safety net.

Java is not needed to surf the net, with the exception of applications on some e-banking websites. Security firms – including F-Secure, Sophos and others – have begun advising users to disable the technology in their browsers as a largely unnecessary security risk.

Credit: The Register
Credit: news.drweb.com

More on CyberInsecure:
April 4th, 2012

Free Malware Scanning Service SiteInspector Launched By Comodo

Security solutions provider Comodo released a free service called SiteInspector, designed to scan websites for pieces of malware and compare them against a range of blacklisting services, such as the ones offered by Google Safe Browsing, PhishTank or Malwaredomainlist.

Drive-by-download malware attacks launched from websites that fall victim to mass infections are highly common these days. SiteInspector allows users to choose 3 pages on a domain that they want monitored. If the service identifies any trace of malicious elements, the customer is immediately notified via email.

In these situations, one of the main problems is that the owner doesn’t even know that his site is altered to serve pieces of malware. Another issue is that once the site is infected, blacklisting services, such as the ones run by Google, will restrict the traffic, a measure that can have devastating consequences for the business workflow.

This is why security firms come up with such tools and services. SiteInspector can take that burden off the shoulders of the administrator and automate the malware scanning and blacklist monitoring process.

“SiteInspector dramatically reduces the time between problem identification to problem resolution for business websites,” Melih Abdulhayoglu, Comodo CEO and chief architect, revealed. “No longer will businesses have to wait for angry customers to complain that their website contains malicious content. To take advantage of this essential service, webmasters just need to take a few minutes to sign up and configure the service. SiteInspector will do the rest.”

The service includes features such as automatically recurring daily scans on three webpages, daily verifications against blacklists, email notification in case of an infection, threat mitigation advice in the situation where a malicious element is found, and an easy-to-use interface for users.

Website owners and administrators can sign up for the service right away at siteinspector.comodo.com.

Credit: Softpedia.com News

More on CyberInsecure:
March 22nd, 2012

US Army CECOM Website Breached, 30 Record Sets With User IDs, Clear-text Passwords, Private Data Posted On Pastebin

Black Jester, the hacker who yesterday demonstrated that he managed to gain unauthorized access to a NASA site, leaked sensitive contract information from a site connected to the US Army Communications and Electronics Command (CECOM).

Thirty record sets that include names, user IDs, physical addresses, email addresses, telephone numbers, and clear-text passwords were published in a Pastebin document.

“Old crappy server, but has good info inside it. The list is not complete due the lazy condition and msaccess db, enjoy!” the hacker wrote next to the data dump.

The Pastebin post doesn’t contain the name of the site from where the data was leaked, but the hacker provided us with the IP address associated with it. That IP address led us to a Software Engineering Services site on which only “eligible users” may register.

We couldn’t reach the hacker for further comment, but he told us on a different occasion that the names of such sites would not be disclosed to the public to prevent “script kiddiez” from breaching them.

We have sent an email to the webmaster of the site in question and notified him on the incident, but so far we haven’t received any response.

Black Jester is known in the hacker community as the one who wanted to help the United Nations patch up a couple of its public websites. Instead of doing what most security researchers do in this situation and sending an email, he went down to their offices in person.

His other hacks, which he claims are unrelated to the UN incident, targeted NASA and a Qwest datacenter, whose servers he held hostage with the purpose of forcing the company to patch up the vulnerabilities.

Credit: Softpedia.com News

More on CyberInsecure:
March 8th, 2012

Scareware Makes Files And Folders Invisible, Demands Ransom For Repair Utility

Bitdefender experts came across a piece of scareware that makes victims believe that something may have happened to all the files and folders stored on their computers. The user is then requested to pay $80 (60 EUR) for a tool that allegedly addresses the problem.

Scareware and ransomware are not uncommon; many security solution providers have released advisories on how to handle threats that pose as law enforcement agencies demanding the payment of fines and accusing the user of copyright infringement. This Trojan, however, relies on the fact that many computer owners panic if they see that all their personal files and folders have suddenly disappeared.

Identified as Trojan.HiddenFilesFraud.A, the rogue disk repair utility starts by informing the user of certain issues that affect the computer. Since many people are already accustomed to fake AVs, this malicious application has an ace up its sleeve that makes everything look more realistic.

It changes the attributes of all files and folders, setting them as Hidden, so that the user may think that everything has been deleted from the hard drive. Certain key shortcuts are also disabled to induce more panic. Even worse, the worm that downloads HiddenFilesFraud.A, Win32.Brontok.AP@mm, ensures that the files’ attributes can’t be modified from Windows Explorer back to their original state.

After displaying the numerous “errors” that affect the system, the scareware advertises a repair utility that costs $80 (60 EUR). Of course, just as in the situations presented on other occasions, the so-called utility does absolutely nothing.

Brontok.AP@mm, the element responsible for installing Trojan.HiddenFilesFraud.A, quickly copies itself on removable media drives to ensure that it spreads without difficulty from one computer to another.

Scareware most often relies on the fact that users fail to keep their security software constantly up-to-date. That’s why internauts are always recommended to ensure that a decent, updated antivirus solution is always keeping an eye out for malicious elements.

Credit: Softpedia.com News

More on CyberInsecure:
December 26th, 2011

US Security Firm Stratfor Hit By ‘Anonymous’, Clients Credit Cards And Passwords Stolen

The hacking group “Anonymous” on Christmas Sunday claimed it had stolen thousands of credit card numbers and personal information of clients of the U.S.-based security think-tank Stratfor, and pilfered funds that it gave away as Christmas donations to charity.

Anonymous said it stole information from organizations and individuals that were clients of Stratfor, including Apple Inc., the U.S. Air Force and the Miami Police Department. They said they obtained more than 4,000 credit card numbers, passwords and home addresses. Some clients of Stratfor have confirmed unauthorized transactions linked to their credit cards.

Stratfor is a company providing services to help clients manage risk. The company charges subscribers for the reports and analysis it issues. The company’s main website was down on Sunday with the message: “site is currently undergoing maintenance.” Most of the victims were individual subscribers rather than companies and government agencies. Anonymous in a Twitter message taunted Stratfor, saying: “Not so private and secret anymore?” The group promised that Stratfor was only the beginning of attacks to come.

Anonymous claims that it was able to steal as much as 200 gigabytes of information from Stratfor because Stratfor did not bother to encrypt it. This revelation, if true, is a serious indictment of a company in the security services business. The hackers published a list of what they claimed was Stratfor’s client list and tweeted a link to encrypted files with stolen names, phone numbers, email addresses, credit card and account details. The hackers claimed that the information they have published so far is only a small part of what they stole from Stratfor.

PC Magazine reports that besides using the stolen funds for donations to charity, the attackers said they were also hoping to use the incident to draw attention to the case of Pfc. Bradley Manning of the U.S. Army, who is on trial over alleged involvement in the leak of hundreds of thousands of confidential military documents. A statement that claimed to be from the hackers said: “We hereby ask that Bradley Manning be given a delicious meal this Lulzxmas, and no, not the ‘holiday special’ in the prison chow hall. We want him out on the streets at a fancy restaurant of his choosing, and we want this to happen in less than five hours.”

values greatly. This hack is most definitely not the work of Anonymous.”
Huffington Post said that credit card owners whose cards have been hacked may contact the credit card company to dispute the charges. A member of Anonymous said on Twitter that 90,000 credit cards from law enforcement, the intelligence community and journalists had been hacked and used to “steal a million dollars” for charity donations. The statement mentioned “corporate/exec accounts of people like Fox” News. But Huffington Post reports it was not possible to verify the claims.

Credit: DigitalJournal.com

More on CyberInsecure:
December 6th, 2011

Ultimate Bet Players Accounts Compromised, 3.5 Million Records Freely Available Online For Weeks Still In Google Cache

In a breach of security at Ultimate Bet, information from every player’s account had been publicly posted on the internet, revealing personal information of approximately 3.5 million poker players holding accounts at the nearly-dead poker site.

A popular poker forum website posted a link to the account information via an anonymous posting, but removed the link roughly eight minutes later. In that short span of time, enough people identified the link and apparently passed the information around privately.

The data leaked from the accounts included each player’s name and screen name; birth date; email, mailing and IP addresses; phone number; deposit methods typically used; VIP, affiliate and blacklist statuses; account balance; and players’ UB account numbers, but not bank account numbers as far as we know.

The data listed was organized by specific countries, with about 2 million accounts from the U.S., 319,000 Canadian accounts, 137,000 United Kingdom accounts, and approximately 1 million accounts from all other countries combined. The data contained more than a dozen other columns which were not clearly identifiable. The unidentifiable columns were not labeled and contained inconsistent information. For example, one column that listed IP addresses also contained physical addresses and another column listing screen names for some users contained account numbers for different users.

The data is still partially available in Google cache. (Screenshots: the files organized by country, and one of the files showing details in XLS format in Google cache.)

Financial information of each player, excluding account balances and deposit methods, was not listed. And no personal credit card numbers were shown either. It is not known who leaked the account information or the reason why.

Ultimate Bet and Absolute Poker, who together make up the Cereus Network and were the third largest internet poker network prior to Black Friday, have been virtually defunct since the U.S. Department of Justice seized their domains and much of their assets and indicted the company’s principals in mid-April. Since that time, most of the poker room’s players haven’t been able to cash out, while some overseas non-U.S. players have been able to withdraw small amounts sporadically. In mid-June, it was reported that both poker sites combined had only approximately ten percent of the funds owed to players, said to be $54 million. Toward the end of October, the Kahnawake Gaming Commission, which issued the operator’s license to the Cereus Network, announced that the company owners were planning to liquidate assets to reimburse players with money in their account balances at the sites. However, the company’s full assets are not known.

The data leaked on the internet was exclusive to Ultimate Bet players and did not include Absolute Poker players. Ultimate Bet players with valid accounts on the site should be aware that their personal account information may have gotten into the wrong hands and be wary of suspicious phone calls or emails. Account holders would also do well to ensure that the passwords for their email addresses and their login details for other accounts are sufficiently secure to ward off identity theft or fraudulent activity.

Various players at the Cereus Network have reported being unable to join real money sit-n-go tables over the last two days. It is possible to log onto the network, but attempting to join a sit-n-go table results in nothing happening. There are a couple of players listed as sitting at sit-n-go tables waiting for more players, but these are believed to be props. At the time of this writing, there was only one real money table in action, a $.01/.02 no-limit hold’em table with an average pot of $.44. At the lone table, 57% of players were seeing the flop and 120 hands were being played per hour. However, play money tables are quite populated and going strong.

Credit: PokerNewsReport.com

More on CyberInsecure:
December 6th, 2011

Restaurant Depot, Jetro Cash & Carry Processing System Compromised, Credit Cards Sold On Russian Blackmarket

If you used a credit card between the dates of Sept. 21 and Nov. 18th at national restaurant wholesalers Restaurant Depot or Jetro Cash & Carry, then you should probably know that Russian cyberthugs wearing leather blazers and gold chains and stinking of Armani Aqua di Gio are currently selling your information on the black market.

The following is an excerpt of the letter currently being sent to all customers deemed to be at risk:

“We recently determined that computer hackers stole credit and debit card information from the card processing system we use…”

“You are receiving this letter because we believe your credit or debit card information was stolen. This letter explains actions we have taken in response to the theft and describes some actions you can take to protect yourself against fraud.”

“How the thieves stole the card information — The investigators determined that the thieves inserted malicious software or ‘malware’ into the credit and debit card processing systems we use in our stores. The malware collected card information as it was processed, stored it temporarily, and then sent it to a computer server in Russia.”

If you’re wondering if you’ve ever shopped at a Restaurant Depot but aren’t quite sure, run through this simple checklist:

1. Do I regularly purchase kitchen items like bacon and mayonnaise in bulk?
If you answered NO, please skip to step 5.
If you answered YES, continue to:

2. Do I belong to Restaurant Depot?
If you answered NO, please skip to step 5.
If you answered YES, continue to:

3. Have I noticed any strange charges on my accounts lately, say, for one dozen lynx fur jackets with fox trim?
If you answered NO, please skip to step 5.
If you answered YES, continue to:

4. You MAY be at risk for credit card fraud. Please contact your credit card company immediately.

5. You are NOT at risk for credit card fraud. Continue gorging yourself on bacon and mayonnaise in sensible quantities, free from worry.

Credit: Gawker.com

More on CyberInsecure:
December 6th, 2011

InternationalCheckout.com Database Hacked, Customers Credit Cards Abused

International Checkout customers began receiving emails alerting them that the organization has recently fallen victim to a cyberattack which resulted in the theft of a large quantity of personal information, including credit card details.

“International Checkout was recently the victim of a system intruder who was able to access encrypted credit card information,” reads the email provided by SpywareSucks.

“You are receiving this email from International Checkout because your credit card information was in the database which was compromised.”

It seems that the breach was discovered sometime in mid-September and an investigation immediately commenced. Besides notifying the authorities of the issue, the company removed the credit card information from the databases to make sure no one still had access to it.

Even though the information was encrypted, the attacker managed to obtain the encryption key that was stored in a separate location.

“As a precaution, International Checkout is providing notification to people whose information may have been in the database that was accessed so that if it turns out the information was compromised in any way, they can take the appropriate measures to protect themselves,” the notification adds.

The company is advising customers to closely monitor their bank account statements for any suspicious transactions. Bank account numbers were not exposed, but credit card numbers were, and in some situations the financial institutions involved may even recommend changing the account number.

An important thing customers should know is that they will not be directly contacted by International Checkout unless they call the company first. It warns individuals that some might profit from the situation by calling them while pretending to represent the firm and requesting sensitive information.

“We will not call you to ask for bank account information or personal identification numbers (PINs) or for your full credit card or social security number.”

Unfortunately, a lot of companies are on International Checkout’s partner list, so the number of potential victims is high, and people are already starting to complain about fraudulent transactions made with their credit cards. Some of the websites listed on http://www.internationalcheckoutsolutions.com/merchant-partners.php include TahoeMountainSports.com, MoreschiShoes.com, LaurenKlein.com, SofiaBean.com, EnvyCig.com, WTeaShop.com, PromoStadium.com, PTTechSolutions.com, ViveDecor.com, HUFWorldwide.com, SavingLots.com, MGallerie.com, Audioque.com, LuckyTeria.com, FrankliWild.com, Vivarati.com, BuyRailings.com, RackMountSales.com.

Credit: Softpedia.com News
