CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 20th, 2008

Nigerian Spammers – Now In Google Calendar

BitDefender(R), a provider of antivirus software and data security solutions, announced today that BitDefender antispam analysts have detected that Nigerian scam spammers are using Google Calendar to target their victims.

Nigerian scammers are sending meeting invites in Google Calendar, which are actually nothing but scam “hooks”. Each invite is sent to an individual Google Calendar user and carries a different link per recipient, making spam/abuse URL filtering harder. The scam works by informing the victim that they have inherited or are otherwise due a large amount of money from an unlikely source. The spammer then asks the victim to make a payment in order to “set up the delivery” of the said large sum. Google support has been notified to block the accounts used in the scam.

BitDefender CTO, Bogdan Dumitru, says this is a new and untried social engineering approach. The fact that these things are being spammed in huge numbers is a bit odd. Usually there is a testing phase, to evaluate the response rate. After some testing, some techniques are found ineffective and never get used again. This one’s different.

The new spam wave was detected two days ago by BitDefender antispam analysts and has already been added to the spam signature database. BitDefender users are guarded from this type of aggravation.


  • March 19th, 2008

    Spam And Malware In Google Ads

    Starting last year and continuing to this day, there have been a few exposed cases where spammers used Google page-ad links in HTML-formatted emails in order to redirect users who clicked the URL to bad sites, usually containing both spam and infected software, for example:

    http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://www.infectedsite.com

    Many considered this a scenario where Google page ads are used to conceal the actual URL and avoid detection by traditional anti-spam techniques. Indeed, the linked URL can be changed to point to any site of the sender's choice, since no validation appears to be done on Google’s end.

    A malicious user could also point the Google page-ad redirect at executable files (.exe, .pif, .scr, etc.), and some malware authors have started doing this: such a link will redirect to and download the malware without any problems or warnings. Although Google is very strict about the kinds of file attachments one can upload/download via its Gmail service, anyone can craft a URL that looks like it belongs to Google (=safe?) and point it at any executable file. Here is a simple and safe demonstration:

    http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/10.2.0.023/Shockwave_Installer_Slim.exe

    Clicking this link will download Shockwave Player from Adobe Download Center.

    Google is probably aware of this redirect abuse by now, and it is hard to understand why they don’t prevent these redirects from working for known bad file types or for spam and infected/hacked malware sites.
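    As an added illustration (not code from CyberInsecure.com or from Google), the Python routine below shows how a mail filter could triage the redirect pattern described above: it unwraps the adurl parameter of a www.google.com redirect link, reports the real destination host, and flags destinations that end in an executable extension. The parameter names are the ones in the URLs quoted above; the host-to-parameter map and the list of risky extensions are assumptions chosen for the example, and it goes slightly beyond the post by also peeling URL-encoded destinations.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Redirector endpoints keyed by host, mapped to the query parameter that carries
# the real destination. Only the google.com case from the post is listed; the
# mapping itself is an assumption for this example.
REDIRECTOR_PARAMS = {
    "www.google.com": ("adurl",),
}

# File extensions the post names as dangerous download targets (.exe, .pif, .scr)
# plus a few more; the extra ones are an assumption.
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".msi")


def unwrap_redirect(url):
    """Return the destination embedded in a known redirector URL, or None."""
    parsed = urlparse(url)
    params = REDIRECTOR_PARAMS.get(parsed.netloc.lower())
    if not params:
        return None
    query = parse_qs(parsed.query, keep_blank_values=True)
    for name in params:
        values = query.get(name)
        if values and values[0]:
            target = values[0]
            # Destinations are sometimes URL-encoded more than once; peel at most two layers.
            for _ in range(2):
                decoded = unquote(target)
                if decoded == target:
                    break
                target = decoded
            return target
    return None


def same_site(host, base):
    """True for base itself or any subdomain of it (so 'evilgoogle.com' does not match)."""
    return host == base or host.endswith("." + base)


def triage(url):
    """Classify one link: does it redirect, to which host, and to an executable?"""
    target = unwrap_redirect(url)
    if target is None:
        return {"redirect": False, "target_host": None,
                "executable": False, "verdict": "direct"}
    tparsed = urlparse(target)
    host = (tparsed.hostname or "").lower()
    executable = tparsed.path.lower().endswith(RISKY_EXTENSIONS)
    external = bool(host) and not same_site(host, "google.com")
    if executable:
        verdict = "block: redirect to executable"
    elif external:
        verdict = "review: external redirect"
    else:
        verdict = "allow"
    return {"redirect": True, "target_host": host,
            "executable": executable, "verdict": verdict}


if __name__ == "__main__":
    # The two links quoted in the post, joined onto one line each.
    for link in (
        "http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456&adurl=http://www.infectedsite.com",
        "http://www.google.com/pagead/iclk?sa=l&ai=MfeNYS&num=123456"
        "&adurl=http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/10.2.0.023/Shockwave_Installer_Slim.exe",
    ):
        print(triage(link))
```

    The first quoted link is reported as an external redirect for review, the second (the Shockwave installer) is blocked because the destination path ends in .exe. Matching on the unwrapped destination rather than on the visible google.com host is the point: a filter that trusts the outer hostname is exactly what this abuse relies on.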


  • March 18th, 2008

    Microsoft Released Service Pack 1 for Vista

    Microsoft has released a service update for all versions of its Windows Vista operating system. It is supposed to improve the stability, security and performance of the software.
    The update, or service pack, includes some fixes released before now and adds many new ones as well.

    Microsoft has warned that the update could clash with some security software and other programs customers may have installed on their machines. Those using Vista can download the update directly from Microsoft or wait for it to be installed automatically on their machines in mid-April. Advice about drivers and prerequisites is provided on the Vista blog and in support articles.

    Third-party software companies have had mixed reactions to SP1. While it opens up access to the built-in search functionality for third-party desktop search apps, it has already caused problems for some third-party security software vendors whose utilities have been disrupted by the update.

    On the security front, the service pack enables single sign-on for authenticated wired networks, which should streamline the end user experience in enterprise environments, in addition to many other updates.

    While most users are likely to find Vista SP1 benign (if not beneficial), some organizations, such as large corporate IT departments, may wish to wait a while before deploying this software update. To do so, administrators should download the Windows Service Pack Blocker Tool, which will prevent the service pack from being installed. This tool creates a registry key entry that can be later removed by the administrator, and can be run remotely across a network.

    Vista SP1 is being released initially in only five languages – English, French, Spanish, German, and Japanese. Another 31 will follow in mid-April when the software starts being pumped out to those that have their PCs automatically updated.

    Microsoft recommends that Vista users go to Windows Update to get the service pack rather than use its download service. The version available via Windows Update is only 65 MB in size (compared to 434 MB via download) and can diagnose driver problems before installation.

    Troubleshooting notes for those who would like to install SP1:

    1. Windows Vista Service Pack 1 is not available for installation from Windows Update and is not offered by Automatic Updates

    2. Uninstall any previous SP releases


  • March 17th, 2008

    ValueClick to Pay $2.9 Million in Spam Case

    According to a government agency, online advertiser ValueClick Inc. will pay $2.9 million to settle charges that it made deceptive claims in e-mails and online advertisements.

    Westlake Village, Calif.-based ValueClick had said last month it would pay the fine to settle the matter, without admitting that it violated any laws. The company said in February that it took a $2.9 million charge against fourth-quarter earnings to account for the settlement.

    The FTC also charged that ValueClick did not adequately protect its customers’ sensitive financial information, even though it claimed to protect such data using encryption. The company agreed to create a comprehensive online security program and get third-party assessments of it for 20 years as part of the settlement.

    ValueClick’s Hi-Speed Media subsidiary violated the anti-spam act, the FTC alleged, by sending spam e-mail that offered consumers “free gifts” to lure consumers to ValueClick’s Web sites. Consumers then learned that they had to purchase satellite television subscriptions, obtain car loans or buy other expensive products or services in order to obtain the gifts, the FTC alleged.

    ValueClick said last month that “the settlement is based solely on the past practices” of the Hi-Speed Media division, and added that it has reached agreement with the FTC on standards for its lead-generation business.

    The fine is the largest ever imposed for a violation of the federal CAN-SPAM Act, the Federal Trade Commission said. The act, approved by Congress in 2003, bars deceptive practices in e-mail advertising.

    Shares of ValueClick fell 90 cents (5%), to $16.57 in midday trading. The company has traded between $16.24 and $36.70 in the past year.


  • March 16th, 2008

    $3 For Breaking The CAPTCHA

    A Google representative claims that breaking the Gmail account CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is extremely hard, and that hiring people to register email accounts for spam purposes is much cheaper. In recent months it has been mentioned numerous times that the CAPTCHAs of the Windows Live and Gmail email services have been bypassed. Access to Google services also grants spammers email addresses that are not blacklisted, which is another advantage.

    Spam analysis for February 2008 by MessageLabs shows that only 4.6% of all spam traffic is sent using webmail services, and the idea that CAPTCHAs were being bypassed during automated mass registrations of spam accounts was a hypothesis among IT specialists.
    Brad Taylor, a Google senior engineer, claims that underpaid workers in third-world countries, not infected PCs, are being drafted to register large numbers of email accounts used solely for spam. According to Taylor, some software might be used to automate parts of this process, yet CAPTCHA technology remains very efficient against mass account registrations by infected zombie computers.
    According to Websense, some documents in Russian prove that workers are paid a minimum of $3/day for such assignments.

    A brief check (by me) shows there is no need for investigations and secret documents. One Russian-language website, kolotibablo dot com in particular, offers easy money, and here is what it says on its main page:

    “Your new job will be recognizing texts from pictures. It will require English letters knowledge and a normal level ability to type those letters using an English keyboard layout. With each properly recognized image you will earn 1 cent and you are only limited by your skills, which means you can process up to 10 pictures in 1 minute. Hence, if you choose to get 0.5 cent per image, you might earn 3 dollars per hour.”

    This is just one example; there are many others in the Russian segment of the internet and probably even more in other countries where the internet is common and people are trying to think of easy ways to make money.


  • March 15th, 2008

    Japan to disconnect p2p users

    Four major Japanese ISP organizations have agreed that they will work with copyright holders to track down copyright infringing file-sharers and disconnect them from the internet. The reason for such an act would probably be a huge increase in complaints from the music, movie and software industries.

    According to the report in Yomiuri Shimbun, the agreement would see copyright holders tracking down file-sharers on the Internet using “special detection software” and then notifying ISPs of alleged infringers. ISPs would first send out warnings by email to those traced and then interrupt the Internet connection if file sharing continues. For persistent breaches, the ISP would ultimately terminate the accounts of its subscribers.

    These four major ISP organizations – which include Telecom Service Association and the Telecommunications Carriers Association – are made up of around 1,000 other ISPs, a large portion of the Japanese market. In collaboration with the copyright holders, the ISPs will set up a panel in April to decide exactly how the system should operate.

    In 2006, a Japanese ISP decided to plan measures to stop their subscribers using file-sharing software, by tracking their activities and disconnecting them from the Internet. The plan didn’t come to fruition as the government stepped in and said that such monitoring might have privacy implications. Under huge pressure from the movie, music and software industries, the four major ISP organizations in Japan are at it again, and have agreed to take drastic action against online pirates. There is a discussion surrounding the suggestion that persistent file-sharers could be banned from the internet. So far there have been proposals in countries like France, the UK and Australia.

    In December last year we reported that the number of internet users file-sharing in Japan had increased by 180% in a single year.


  • March 14th, 2008

    Yesterday’s Mass Hack Attack

    The number of websites hit by yesterday’s attack (over 10,000) has doubled, according to Avertlabs.

    Another recent mass attack is using a JavaScript file rather than an IFRAME. That attack seems to have started about two weeks ago, and nearly 200,000 web pages have been found to be affected or compromised, most of them running phpBB forum software. The vast majority of the websites attacked yesterday were Active Server Pages (.ASP) sites. The ASP attack methods and payload are different from the phpBB ones: various exploits are used in the ASP attacks, whereas the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004.

    A brief video demonstrating how the phpBB attack looks from the end user’s perspective can be found at http://www.vimeo.com/moogaloop.swf?clip_id=781981&server=www.vimeo.com&fullscreen=1&show_title=1&show_byline=0&show_portrait=0&color=


  • March 13th, 2008

    Harvard System Compromised By A Hacker

    Harvard University has notified thousands of its graduate students and applicants that their personal information may have been exposed by a data breach. A computer hacker gained entry to the server in February, according to Harvard, and about 10,000 of last year’s applicants may have had their personal information compromised, with 6,600 having their Social Security numbers exposed. Social Security numbers can be misused in bank credit or credit card applications.

    The school says it will provide the applicants with free identity theft recovery services and help them with credit monitoring and fraud alerts.


  • March 12th, 2008

    iPhone 2.0 Unlocked Before The Release

    A renegade group of developers called “iPhone Dev Team” claimed they cracked Apple’s not-yet available iPhone 2.0 software.

    The iPhone Dev Team claims to have cracked the software, which means yet more pressure on Apple Inc. in the cat-and-mouse game between the software developers and owners of a million unlocked iPhones on one side and the company and its network partners on the other. They also say they have decrypted and jailbroken the new iPhone software, and have published a series of screenshots of third-party applications running on the device. The jailbreak currently works only with hacked activation, meaning it won’t work with AT&T iPhones yet.

    Apple executives have characterized the buoyant global market in unlocked iPhones as a positive thing, suggesting strong pent-up demand for the product, which is as yet available in just four markets: U.S., U.K., Germany and France.


  • March 6th, 2008

    CNET Sites Under IFRAME Attack

    An IFRAME campaign is targeting several more CNET Networks web properties besides ZDNet Asia, namely TV.com, News.com and MySimon.com. At the time of posting, no other CNET sites are involved in the campaign, including ZDNet’s international sites such as ZDNet India, ZDNet U.K. and ZDNet Australia; only the above-mentioned ones are affected. Three more sites in CNET Networks’ portfolio are getting injected with IFRAMEs through the same weakness: their search engines locally cache and store a page for any keyword searched, so a search term carrying a loadable IFRAME ends up in an indexable page. Over 51,900 pages at zdnetasia.com continue to be indexed by search engines. ZDNet Asia has taken care of the IFRAME issue, so such injection is no longer possible there. However, the same IPs used in this IFRAME campaign, plus two newly introduced domains, have been injected and are loading at TV.com, News.com and MySimon.com, again pushing the fake “XP AntiVirus”, “Spyshredderscanner” and another fake codec called “MediaTubeCodec.exe”, hosted and distributed under two new domains.

    Sites that are currently targeted:
    ZDNet Asia – currently has around 52,000 injected pages.
    TV.com – 51,000 locally hosted IFRAME injected pages.
    News.com – 167 locally hosted pages, injection is ongoing.
    MySimon.com – currently around 10 pages, the campaign is ongoing.

    Domains and IPs that are behind the IFRAMEs:
    do-t-h-e.com (69.50.167.166)
    rx-pharmacy.cn (82.103.140.65)
    m5b.info (124.217.253.6)
    89.149.243.201
    89.149.243.202
    72.232.39.252
    195.225.178.21

    Malware hosts:
    hotpornotube08.com (206.51.229.67)
    hot-pornotube-2008.com (206.51.229.67)
    hot-pornotube08.com (206.51.229.67)
    adult-tubecodec2008.com (195.93.218.43)
    adulttubecodec2008.com (195.93.218.43)
    hot-tubecodec20.com (195.93.218.43)
    media-tubecodec2008.com (195.93.218.43)
    porn-tubecodec20.com (195.93.218.43)
    scanner.spyshredderscanner.com (77.91.229.106)
    xpantivirus2008.com (69.50.173.10)
    xpantivirus.com (72.36.198.2)
    bestsexworld.info (72.232.224.154)
    requestedlinks.com (216.255.185.82)

    Only two pieces of malware are currently served: XP AntiVirus 2008 and a fake codec.
    What is important to note is that this is only the current state of the campaign. With such a huge number of IFRAME-ed pages, targeted attacks on a per-keyword basis are possible, and since the redirectors serve content based on where the visitor is coming from, things might change pretty fast. The domains listed above are the ones reached after the IFRAME redirects for all the campaigns currently detected.

    Malware files:
    MediaTubeCodec.com – 11% of scanners (4/36) found malware at 2008/03/06 16:38:39 (EET). File size: 85520 bytes, MD5: 25708e1168e0e5dae87851ec24c6e9f7, SHA1: 33b502b13cab7a34bb959d363ae4b7afd23919a6. Detected as:
    AVG – I-Worm/Nuwar.P
    Fortinet – Suspicious
    Prevx – TROJAN.DOWNLOADER.GEN
    Quick Heal – Suspicious – DNAScan

    MediaTubeCodec.com tries to connect to websoftcodecdriver.com, websoftcodecdriver2.com and 77.91.227.179, meanwhile listening on local port 1034. The downloader tries to drop Adware.Agent.BN (“Adware.Agent.BN is an adware program that displays pop-up advertisements, adds a run key to run at startup, and also modifies the Windows system configuration in order to download more malware onto the infected computer.”) and RogueAntiSpyware.AntiVirusPro (“RogueAntiSpyware.AntiVirusPro is a rogue anti-spyware product which comes bundled with a malicious downloader. It is downloaded and installed without the user’s consent.”).

    Spyshredderscanner.exe – 42% of scanners (15/36) found malware at 2008/03/06 17:02:23 (EET). File size: 33224 bytes, MD5: bc232dbd6b75cc020af1fcf7cee5f018, SHA1: fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f; detected as Win32.FraudTool.SpyShredder and Downloader.MisleadApp.
    It opens local port 1034 and tries to connect to 69.50.168.51, in ATRIVO, RBN’s well-known netblock.
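    To show how a defender would actually use the indicator lists in this post, here is an added Python example (not code from CyberInsecure.com). It loads the IFRAME redirector domains and IPs, the malware hosts and the downloader’s connect-back hosts quoted above, matches them against proxy log lines, and groups hits per client so that a machine seen fetching from a malware host and then talking to the downloader’s servers is singled out. The indicator values are the ones in the post; the proxy log format and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the post, grouped by their role in the chain.
IOCS = {
    "iframe_redirector": {
        "hosts": {"do-t-h-e.com", "rx-pharmacy.cn", "m5b.info"},
        "ips": {"69.50.167.166", "82.103.140.65", "124.217.253.6", "89.149.243.201",
                "89.149.243.202", "72.232.39.252", "195.225.178.21"},
    },
    "malware_host": {
        "hosts": {"hotpornotube08.com", "hot-pornotube-2008.com", "hot-pornotube08.com",
                  "adult-tubecodec2008.com", "adulttubecodec2008.com", "hot-tubecodec20.com",
                  "media-tubecodec2008.com", "porn-tubecodec20.com",
                  "scanner.spyshredderscanner.com", "xpantivirus2008.com", "xpantivirus.com",
                  "bestsexworld.info", "requestedlinks.com"},
        "ips": {"206.51.229.67", "195.93.218.43", "77.91.229.106", "69.50.173.10",
                "72.36.198.2", "72.232.224.154", "216.255.185.82"},
    },
    "c2": {
        "hosts": {"websoftcodecdriver.com", "websoftcodecdriver2.com"},
        "ips": {"77.91.227.179", "69.50.168.51"},
    },
}

# Constructed proxy log format (an assumption): timestamp client method url dest_ip
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dest>\S+)$")

# Constructed sample: one client walks the whole chain, another browses normally.
SAMPLE_LOG = """\
2008-03-06T16:38:10 10.1.2.3 GET http://www.zdnetasia.com/search/?q=test 203.0.113.10
2008-03-06T16:38:12 10.1.2.3 GET http://do-t-h-e.com/ 69.50.167.166
2008-03-06T16:38:15 10.1.2.3 GET http://media-tubecodec2008.com/MediaTubeCodec.exe 195.93.218.43
2008-03-06T16:39:02 10.1.2.3 GET http://websoftcodecdriver.com/ 77.91.227.179
2008-03-06T16:40:00 10.1.2.9 GET http://www.example.com/ 203.0.113.20
"""


def stage_for_host(host):
    """Match a hostname (or any subdomain of a listed one) to a campaign stage."""
    host = host.lower()
    for stage, ind in IOCS.items():
        if any(host == d or host.endswith("." + d) for d in ind["hosts"]):
            return stage
    return None


def stage_for_ip(ip):
    """Match a destination IP to a campaign stage."""
    for stage, ind in IOCS.items():
        if ip in ind["ips"]:
            return stage
    return None


def scan_log(text):
    """Return one hit per log line that touches a listed host or IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        host = urlparse(m["url"]).hostname or ""
        # Host match first (catches a new IP behind a known name), then IP match
        # (catches a known IP behind a freshly registered name).
        stage = stage_for_host(host) or stage_for_ip(m["dest"])
        if stage:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "dest": m["dest"], "stage": stage})
    return hits


def stages_by_client(hits):
    """Map each client address to the set of campaign stages it touched."""
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["stage"])
    return seen


def likely_infected(hits):
    """Clients that fetched from a malware host and then reached the downloader's servers."""
    return sorted(c for c, stages in stages_by_client(hits).items()
                  if {"malware_host", "c2"} <= stages)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["stage"], h["host"])
    print("likely infected:", likely_infected(found))
```

    A single hit on a redirector domain only tells you a page with an injected IFRAME was viewed; the chain view is what separates an exposed browser from a host that actually ran the fake codec, and it is the latter that needs isolating first.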
