NEWS - April 03, 2012

by Carol~ Forum moderator / April 3, 2012 12:11 AM PDT
Computer expert who stole eight million people's personal details for an 'intellectual challenge' jailed for two and half years

A computer hacker illegally acquired enough credit and debit card details to carry out a potential £800,000 worth of fraud.

Edward Pearson, 23, of Lendale, York, used a trojan virus to download thousands of credit card details along with the postcodes, passwords, names and dates of birth of more than eight million people in the UK.

One of his programs scanned through 200,000 accounts registered to online payment service PayPal - identifying names, passwords and current balances.

Pearson, an 'incredibly talented' boarding school student who carried out the crime for an 'intellectual challenge', has been jailed for two years and two months.

He also managed to shut down part of the mobile phone giant Nokia's internal network for two weeks after hacking in and copying the details of over 8,000 members of staff, Southwark Crown Court heard.

Continued: http://www.dailymail.co.uk/news/article-2124114/Computer-hacker-Edward-Pearson-Lendale-York-stole-million-people-s-personal-details-jailed-half-years.html

Also:
York computer hacker, Edward Pearson, jailed for identity fraud
Hacker jailed for stealing millions of banking and PayPal identities
23-Year-Old Cybercriminal Gets 2.5 Years Jail Sentence
Facebook Facelift: Ice IX Malware Injects Fake Page to Commit Credit Card Fraud
by Carol~ Forum moderator / April 3, 2012 12:45 AM PDT
In reply to: NEWS - April 03, 2012

From the Trusteer Research Blog:

Our researchers have discovered a new configuration of the Ice IX malware that attacks Facebook users after they have logged in to their account and steals credit card and other personal information. We even discovered a "marketing" video used by the creators of the malware to demonstrate how the web injection works.

The global reach and scale of the Facebook service has made it a favorite target of fraudsters. We recently wrote about criminals stealing e-cash vouchers from Facebook users and selling bulk Facebook login credentials.

This latest attack uses a web injection to present a fake web page in the victim's browser. The form requests that the user provide their cardholder name, credit/debit card number, expiry date, CID and billing address. The attackers claim the information is needed to verify the victim's identity and provide additional security for their Facebook account. [Screenshot]

For anyone who believes the cybercrime economy lacks the sophistication of the legitimate economy, the following marketing video provides conclusive evidence that it does not. We discovered this video circulating in underground forums. It demonstrates in step by step fashion a webinject cycle performed to attack Facebook users.

The video begins at the Facebook logon page with the criminal logging in to a Facebook account. [Screenshot]

Continued: http://www.trusteer.com/blog/facebook-facelift-ice-ix-malware-injects-fake-page-commit-credit-card-fraud
Mozilla Adds Older Java Versions to Firefox Blocklist
by Carol~ Forum moderator / April 3, 2012 12:45 AM PDT
In reply to: NEWS - April 03, 2012

Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks.

The specific vulnerability in Java that Mozilla is trying to protect users against was patched by Oracle in February, but Java is one of the many browser components and extensions that users sometimes will fail to update for long periods of time. If users don't have the automatic updates enabled for Java, it could be a long time before they remember to update the software and that's a dangerous habit given how much attackers love to exploit Java.

"This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms," Mozilla's Kev Needham said.

Mozilla's decision to add a legitimate piece of software, albeit a highly vulnerable and oft-exploited one, to its blocklist is an unusual and bold step. Java is a ubiquitous application that's used on millions of Web pages and other apps across the Internet and while most people in the security community are aware of the dangers that it can pose, many typical users are not. As a result, Mozilla officials took the remarkable step of blacklisting all but the most recent version of Java.

"Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied," Needham said.

Continued: http://threatpost.com/en_us/blogs/mozilla-adds-older-java-versions-firefox-blocklist-040312

A Mysterious Java Exploit
by Carol~ Forum moderator / April 3, 2012 2:07 AM PDT
In reply to: NEWS - April 03, 2012

From the F-Secure Antivirus Weblog:

Last week Kahu Security blogged about Escalating Java Attacks. Kahu's post dissects two Java exploits. [Screenshot]

The first exploit targets CVE-2012-0507, the latest Java vulnerability that's been seen being exploited in the wild. This vulnerability was patched (for Windows) by Oracle in February 2012. I found the second exploit to be more interesting. It clearly appeared to be related to some Java CORBA vulnerability, possibly CVE-2012-0506, a Java vulnerability not yet known to be exploited in the wild. Last Friday I decided to take a closer look at this mysterious exploit.

First, I decompiled and analyzed the applet. However, I did not recognize anything in particular, as there have not been any exploits or Proof-Of-Concepts made publicly available for CVE-2012-0506. So I decided to test the exploit with different versions of Java Runtime Environment to narrow down the list of potential vulnerabilities. I started by trying the latest version (JRE6 update 31) and, as expected, the exploit did not work because it was already patched. Then I tested with an older Java version (JRE6u25) just to make sure that the exploit would work in my test environment, and it did. I was a bit surprised when I tested JRE6 update 30 and the exploit did not work. This was a clear indication that the sample was not exploiting CVE-2012-0506 (as I was expecting) because JRE6u30 still had this vulnerability.

I continued testing different JREs and determined that JRE6 update 29 is the version that patches this mysterious vulnerability. The Update Release Notes link to an Oracle Java SE Critical Patch Update Advisory - October 2011 that lists all the vulnerabilities patched in the update. Based on my initial analysis it was clear that the sample exploits some deserialization problem and the only vulnerability in the Risk Matrix related to deserialization is CVE-2011-3521. The ZDI advisory reveals two interesting facts. Firstly, the vulnerability was discovered by fellow Finn Sami Koivu who recently joined Oracle. Secondly, the problem is in IIOP deserialization which is exactly the piece of CORBA code that the exploit calls. This confirms that the mysterious vulnerability is... CVE-2011-3521.

Continued: http://www.f-secure.com/weblog/archives/00002343.html
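The two Java posts above turn on the same operation: comparing plugin update levels against a threshold. Mozilla's blocklist disables Java 6 Update 30 and below and Java 7 Update 2 and below, and F-Secure located the fix for the mystery sample by testing successive JRE 6 updates until the exploit stopped working (6u29). The following Python is an added example written for this page, not code from Mozilla, F-Secure or the posts; the version-string formats it accepts and the test oracle `sample_runs_on` are constructed assumptions that model the observations described above.

```python
import re
from typing import Callable, Optional, Tuple

# Matches "1.6.0_30", "1.7.0_02" and the short "6u31" / "7u2" form used
# in release notes and in the F-Secure post.
_VERSION_RE = re.compile(r"^(?:1\.)?(\d+)(?:\.0)?(?:[_u](\d+))?$")

def parse_java_version(text: str) -> Tuple[int, int]:
    """Return (major, update) for a Java version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

# Thresholds quoted in the Mozilla post: the highest blocked update per
# major release (6u30 and below, 7u2 and below). Other majors are not
# covered by the quote, so they are treated as not blocked here.
BLOCKLIST_MAX_UPDATE = {6: 30, 7: 2}

def is_blocklisted(text: str) -> bool:
    """True if the April 2012 Firefox blocklist would disable this plugin."""
    major, update = parse_java_version(text)
    limit = BLOCKLIST_MAX_UPDATE.get(major)
    return limit is not None and update <= limit

def first_patched_update(exploit_works: Callable[[int], bool],
                         low: int, high: int) -> Optional[int]:
    """Bisect update levels low..high for the lowest one where the
    exploit fails, i.e. the update that shipped the fix.

    Assumes a monotonic oracle: once an update is patched, every later
    update is too. Returns None if the exploit works on all of them.
    """
    if exploit_works(high):
        return None
    while low < high:
        mid = (low + high) // 2
        if exploit_works(mid):
            low = mid + 1      # still vulnerable: fix is later
        else:
            high = mid         # patched: fix is here or earlier
    return low

# Constructed oracle (hypothetical, not a real test harness) modelling the
# F-Secure observations: the sample ran on JRE 6u25 but not on 6u30 or
# 6u31, and the fix turned out to be in 6u29.
def sample_runs_on(update: int) -> bool:
    return update < 29
```

With the constructed oracle, `first_patched_update(sample_runs_on, 25, 31)` needs three probes to land on 29, rather than the one-update-at-a-time walk described in the post.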

Facebook logins easily slurped from iOS, Android kit
by Carol~ Forum moderator / April 3, 2012 3:58 AM PDT
In reply to: NEWS - April 03, 2012
Exclusive: Facebook's iOS and Android clients don't encrypt users' logon credentials, leaving them languishing in a folder accessible to other apps or USB connections.

A rogue application, or two minutes with a USB connection, is all that's needed to lift the temporary credentials from either device - a problem compounded by Facebook's idea of "temporary" as lasting beyond the year 4000. In the case of iOS, one can even lift the data from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications for fun and profit.

That's according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted "several thousand" IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook.

Turns out Facebook was already aware of the problem and working on a fix - though it won't say how long that's going to take or what customers should do in the meantime.

Continued: http://www.theregister.co.uk/2012/04/03/facebook_security_weak_logon/
A gift from ZeuS for passengers of US Airways
by Carol~ Forum moderator / April 3, 2012 3:58 AM PDT
In reply to: NEWS - April 03, 2012

From the Kaspersky Labs Weblog:

Spam

On 20 March, we detected a spam campaign targeting passengers of US Airways. For almost the entire week, cybercriminals were sending users the following email allegedly from US Airways: [Screenshot]

There is a brief description of the check-in procedure and a confirmation code is provided for online reservation.

The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link "Online reservation details".

Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.

After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.

BlackHole Exploit Kit: redirections and infection

A typical BlackHole infection routine is used to infect users' computers.
The first port of call after clicking the link in the email is a page with the following html code:

Continued: http://www.securelist.com/en/blog/208193439/A_gift_from_ZeuS_for_passengers_of_US_Airways
Oz launches DNSChanger testing site
by Carol~ Forum moderator / April 3, 2012 6:42 AM PDT
In reply to: NEWS - April 03, 2012

Australia's government has created a website which detects the presence, or otherwise, of DNSChanger, a nasty piece of malware which the site says "... changes a user's Domain Name System (DNS) settings, enabling criminals to direct unsuspecting internet users to fraudulent websites and otherwise interfere with their web browsing."

"It has been associated with 'click fraud', the installation of additional malware and other malicious activities," the site adds.

The hiply-named www.dns-ok.gov.au does what it says on the can: load up the site and you'll be told whether or not the malware lurks within your system and if, ergo, your DNS is okay. If you are infected, the site urges you to do something about it before the FBI switches off its kludge fix that stops the malware from doing its worst.

http://www.theregister.co.uk/2012/04/03/dns_ok_gov_au/

FBI: Check to See if Your Computer is Using Rogue DNS

Email mix-up blamed in Check Point domain expiry snafu
by Carol~ Forum moderator / April 3, 2012 6:43 AM PDT
In reply to: NEWS - April 03, 2012

Check Point has downplayed the significance of a domain renewal mix-up that resulted in its home page being replaced by a holding page for a brief period on Monday.

The problem arose because Network Solutions sent the security firm's domain renewal notice to the wrong email address, a statement by the firewall and VPN firm explained.

'Earlier today there was an issue accessing www.checkpoint.com - the site was being re-directed to another page (a Network Solutions page). The problem was that the Checkpoint.com domain registration expired. This happened due to Network Solutions, our domain host, sending our renewal notification to an incorrect email address at Check Point.

There was no security issue whatsoever.

The domain record was wrong and redirected for approximately 23 minutes. During that time DNS servers around the world were updated with the wrong record. We corrected the issue at 15:30 IL time (13:30 UK) on Monday April 2nd.

The update is currently being propagated to all DNS servers in the world. This process takes time, depending on the setting of the DNS servers. Some servers are already updated, while others will be in their next refresh in the next few hours.'

Check Point's domain was due to be renewed on Friday, 30 March. The late renewal may have affected the delivery of email to the security giant as well as the ability of surfers to reach its home page, independent security experts point out.

Continued: http://www.theregister.co.uk/2012/04/03/check_point_domain_renewal_snafu/
Maliciousness in Top-ranked Alexa Domains
by Carol~ Forum moderator / April 3, 2012 6:43 AM PDT
In reply to: NEWS - April 03, 2012

From BarracudaLabs Internet Security Blog:

For the infographic associated with this post, see http://www.barracudalabs.com/goodsitesbad.

At Barracuda Labs, we use a variety of research technologies to identify and study maliciousness on the web. One of these tools is an automated system that forces a web browser inside a Windows virtual machine to visit a URL to see what happens to the browser, its plugins, and the operating system. The resulting network-level actions of the virtual machine help us determine, without prior knowledge of specific exploits served to the browser or its extensions, whether a URL serves malicious content.

A few months ago we began using the above-described system to examine the Alexa 25,000 most popular domains. As these sites are popular and long-lived, many people assume that it is safe to visit them. However, automated examination of the Alexa top 25,000 each day for the month of February 2012, which found 58 sites serving drive-by download exploits, shows that this assumption does not always hold.

Continued: http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/
