Facebook Facelift: Ice IX Malware Injects Fake Page to Commit Credit Card Fraud
From the Trusteer Research Blog:
Our researchers have discovered a new configuration of the Ice IX malware that attacks Facebook users after they have logged in to their account and steals credit card and other personal information. We even discovered a "marketing" video used by the creators of the malware to demonstrate how the web injection works.
The global reach and scale of the Facebook service has made it a favorite target of fraudsters. We recently wrote about criminals stealing e-cash vouchers from Facebook users and selling bulk Facebook login credentials.
This latest attack uses a web injection to present a fake web page in the victim's browser. The form requests that the user provide their cardholder name, credit/debit card number, expiry date, CID and billing address. The attackers claim the information is needed to verify the victim's identity and provide additional security for their Facebook account. [Screenshot]
For anyone who believes the cybercrime economy lacks the sophistication of the legitimate economy, the following marketing video provides conclusive evidence that it does not. We discovered this video circulating in underground forums. It demonstrates in step by step fashion a webinject cycle performed to attack Facebook users.
The video begins at the Facebook logon page with the criminal logging-in to a Facebook account. [Screenshot]
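To make the "webinject" mechanism concrete, here is an added example (not code from the Trusteer post or from the malware) that parses a config file in the ZeuS-family webinject layout, which Ice IX inherits as a ZeuS derivative, and applies it to a page the way the in-browser hook does: find `data_before`, insert `data_inject` after it, and, when `data_after` is set, drop everything up to that marker. The config, the target page and the card form are constructed stand-ins, and the flag meanings (G = GET, P = POST) are assumed from the ZeuS format rather than taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ZeuS-family webinject config format. This is an
# illustrative file, not the Ice IX configuration Trusteer analysed; the
# injected "verification" form is a stand-in for the real one.
SAMPLE_CONFIG = """\
set_url https://www.facebook.com/* GP
data_before
<div id="pagelet_welcome_box">
data_end
data_inject
<form id="verify" method="POST" action="https://www.facebook.com/ajax/verify">
Card number: <input name="cc"> CID: <input name="cid"> <input type="submit">
</form>
data_end
data_after
data_end
"""

# Constructed stand-in for the page the browser actually received from Facebook.
SAMPLE_PAGE = ('<html><body><div id="pagelet_welcome_box">Welcome back, Alice</div>'
               '<div id="feed">...</div></body></html>')


@dataclass
class Inject:
    url_mask: str   # URL pattern with '*' wildcards
    flags: str      # assumed ZeuS semantics: G = apply on GET, P = apply on POST
    before: str     # text to find; the injection goes right after it
    inject: str     # HTML to insert
    after: str      # if set, everything between before and this text is replaced


def _block(lines, i):
    """Collect raw lines from index i up to the next data_end; return (text, next index)."""
    body = []
    while i < len(lines) and lines[i].strip() != "data_end":
        body.append(lines[i])
        i += 1
    return "\n".join(body), i + 1


def parse_webinjects(text):
    injects, lines, i = [], text.splitlines(), 0
    current, parts = None, {}
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("set_url"):
            if current:
                injects.append(Inject(*current, **parts))
            fields = line.split()
            current = (fields[1], fields[2] if len(fields) > 2 else "")
            parts = {"before": "", "inject": "", "after": ""}
            i += 1
        elif line in ("data_before", "data_inject", "data_after"):
            parts[line[len("data_"):]], i = _block(lines, i + 1)
        else:
            i += 1
    if current:
        injects.append(Inject(*current, **parts))
    return injects


def _mask_to_regex(mask):
    # '*' is the only wildcard; everything else is matched literally.
    return re.compile(".*".join(re.escape(p) for p in mask.split("*")), re.S)


def url_matches(inj, url):
    return _mask_to_regex(inj.url_mask).fullmatch(url) is not None


def apply_inject(html, inj):
    """Rewrite html the way the in-browser hook would, or return it unchanged."""
    start = 0
    if inj.before:
        m = _mask_to_regex(inj.before).search(html)
        if not m:
            return html            # anchor not present: this rule is skipped
        start = m.end()
    end = start
    if inj.after:
        m = _mask_to_regex(inj.after).search(html, start)
        if not m:
            return html
        end = m.start()
    return html[:start] + inj.inject + html[end:]


def inject_page(html, url, injects):
    """Apply every rule whose URL mask matches the page URL, in file order."""
    for inj in injects:
        if url_matches(inj, url):
            html = apply_inject(html, inj)
    return html


def demo():
    injects = parse_webinjects(SAMPLE_CONFIG)
    return inject_page(SAMPLE_PAGE, "https://www.facebook.com/home.php", injects)
```

The point for defenders: the injected form is served from a TLS session with Facebook and carries no trace in server logs until the victim submits it, so the fake fields can only be spotted client-side (a DOM that differs from what the server sent) or by the anomalous POST they generate.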
Mozilla Adds Older Java Versions to Firefox Blocklist
Mozilla has made a change in Firefox that will block all of the older versions of Java that contain a critical vulnerability that's being actively exploited. The decision to add these vulnerable versions of Java to the browser's blocklist is designed to protect users who may not be aware of the flaw and attacks.
The specific vulnerability in Java that Mozilla is trying to protect users against was patched by Oracle in February, but Java is one of the many browser components and extensions that users sometimes will fail to update for long periods of time. If users don't have the automatic updates enabled for Java, it could be a long time before they remember to update the software and that's a dangerous habit given how much attackers love to exploit Java.
"This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms," Mozilla's Kev Needham said.
Mozilla's decision to add a legitimate piece of software, albeit a highly vulnerable and oft-exploited one, to its blocklist is an unusual and bold step. Java is a ubiquitous application that's used on millions of Web pages and other apps across the Internet and while most people in the security community are aware of the dangers that it can pose, many typical users are not. As a result, Mozilla officials took the remarkable step of blacklisting all but the most recent version of Java.
"Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied," Needham said.
Continued : http://threatpost.com/en_us/blogs/mozilla-adds-older-java-versions-firefox-blocklist-040312
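As an added example (not Mozilla's blocklist code), the check below turns the two ranges quoted in Needham's statement, Java 6 Update 30 and below and Java 7 Update 2 and below, into a version comparison that an administrator can run over whatever plugin version strings they have collected. It accepts the `1.6.0_30` form printed by `java -version` and a `Java(TM) Platform SE 6 U30` form, which is assumed here to be how the Windows plugin describes itself; a GA release with no `_NN` suffix (`1.7.0`) is treated as update 0, and major versions the statement does not mention are reported as unknown rather than guessed.

```python
import re

# Ranges from the Mozilla statement quoted above: Java 6 Update 30 and below,
# Java 7 Update 2 and below (Windows plugin). Major versions not listed here are
# not covered by that statement, so the check reports None ("unknown") for them.
BLOCKED_THROUGH_UPDATE = {6: 30, 7: 2}

# "1.6.0_30" as printed by `java -version`; "Java(TM) Platform SE 6 U30" is the
# plugin description form assumed here for navigator.plugins on Windows.
_VERSION_FORMS = (
    re.compile(r"\b1\.(\d+)\.0(?:_(\d+))?\b"),
    re.compile(r"Java\(TM\) Platform SE (\d+)(?: U(\d+))?"),
)


def parse_java_version(s):
    """Return (major, update) or None; a GA release without _NN counts as update 0."""
    for form in _VERSION_FORMS:
        m = form.search(s)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    return None


def is_blocked(s):
    """True/False per the quoted ranges; None if the string is not a Java version
    or its major version is outside the statement."""
    parsed = parse_java_version(s)
    if parsed is None:
        return None
    major, update = parsed
    limit = BLOCKED_THROUGH_UPDATE.get(major)
    if limit is None:
        return None
    return update <= limit


def audit_plugins(descriptions):
    """Split plugin description strings into (blocked, allowed, unknown) lists."""
    blocked, allowed, unknown = [], [], []
    for d in descriptions:
        verdict = is_blocked(d)
        (unknown if verdict is None else blocked if verdict else allowed).append(d)
    return blocked, allowed, unknown


if __name__ == "__main__":
    # Constructed inventory, e.g. collected from navigator.plugins on several hosts.
    print(audit_plugins(["Java(TM) Platform SE 6 U30", "1.7.0_03", "1.7.0",
                         "Shockwave Flash 11.1"]))
```

Note the fail-safe choice: an unparseable string yields None, not False, so a caller that wants the blocklist's behaviour ("disable unless the user explicitly opts in") should treat None as "do not trust" rather than "allowed".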
A Mysterious Java Exploit
From the F-Secure Antivirus Weblog:
Last week Kahu Security blogged about Escalating Java Attacks. Kahu's post dissects two Java exploits. [Screenshot]
The first exploit targets CVE-2012-0507, the latest Java vulnerability that's been seen being exploited in the wild. This vulnerability was patched (for Windows) by Oracle in February 2012. I found the second exploit to be more interesting. It clearly appeared to be related to some Java CORBA vulnerability, possibly CVE-2012-0506, a Java vulnerability not yet known to be exploited in the wild. Last Friday I decided to take a closer look at this mysterious exploit.
First, I decompiled and analyzed the applet. However, I did not recognize anything in particular as there have not been any exploits or Proof-Of-Concepts made publicly available for CVE-2012-0506. So I decided to test the exploit with different versions of Java Runtime Environment to narrow down the list of potential vulnerabilities. I started by trying the latest version (JRE6 update 31) and, as expected, the exploit did not work because it was already patched. Then I tested with an older Java version (JRE6u25) just to make sure that the exploit would work in my test environment, and it did. I was a bit surprised when I tested JRE update 30 and the exploit did not work. This was a clear indication that the sample was not exploiting CVE-2012-0506 (as I was expecting) because JRE6u30 still had this vulnerability.
I continued testing different JREs and determined that JRE6 update 29 is the version that patches this mysterious vulnerability. The Update Release Notes link to an Oracle Java SE Critical Patch Update Advisory - October 2011 that lists all the vulnerabilities patched in the update. Based on my initial analysis it was clear that the sample exploits some deserialization problem and the only vulnerability in the Risk Matrix related to deserialization is CVE-2011-3521. The ZDI advisory reveals two interesting facts. Firstly, the vulnerability was discovered by fellow Finn Sami Koivu who recently joined Oracle. Secondly, the problem is in IIOP deserialization which is exactly the piece of CORBA code that the exploit calls. This confirms that the mysterious vulnerability is... CVE-2011-3521.
Continued : http://www.f-secure.com/weblog/archives/00002343.html
Facebook logins easily slurped from iOS, Android kit
Exclusive Facebook's iOS and Android clients don't encrypt users' logon credentials, leaving them languishing in a folder accessible to other apps or USB connections.
A rogue application, or two minutes with a USB connection, are all that's needed to lift the temporary credentials from either device - a problem compounded by Facebook's idea of "temporary" as lasting beyond the year 4000. In the case of iOS, one can even lift the data from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications for fun and profit.
That's according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted "several thousand" IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook.
Turns out Facebook was already aware of the problem and working on a fix - though it won't say how long that's going to take or what customers should do in the meantime.
Continued : http://www.theregister.co.uk/2012/04/03/facebook_security_weak_logon/
A gift from ZeuS for passengers of US Airways
From the Kaspersky Labs Weblog:
On 20 March, we detected a spam campaign targeting passengers of US Airways. Almost the entire week cybercriminals were sending users the following email allegedly from US Airways: [Screenshot]
There is a brief description of the check-in procedure and a confirmation code is provided for online reservation.
The criminals are obviously banking on any recipients flying on the flight mentioned in the email clicking on the link "Online reservation details".
Different emails contained different links — for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.
After clicking the link a series of redirects eventually leads to a domain hosting BlackHole Exploit Kit.
BlackHole Exploit Kit: redirections and infection
A typical BlackHole infection routine is used to infect users' computers.
The first port of call after clicking the link in the email is a page with the following html code:
Continued : http://www.securelist.com/en/blog/208193439/A_gift_from_ZeuS_for_passengers_of_US_Airways
Oz launches DNSChanger testing site
Australia's government has created a website which detects the presence, or otherwise, of DNSChanger, a nasty piece of malware which the site says "... changes a user's Domain Name System (DNS) settings, enabling criminals to direct unsuspecting internet users to fraudulent websites and otherwise interfere with their web browsing."
"It has been associated with 'click fraud', the installation of additional malware and other malicious activities," the site adds.
The hiply-named www.dns-ok.gov.au does what it says on the can: load up the site and you'll be told whether or not the malware lurks within your system and if, ergo, your DNS is okay. If you are infected, the site urges you to do something about it before the FBI switches off its kludge fix that stops the malware from doing its worst.
FBI: Check to See if Your Computer is Using Rogue DNS
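For anyone who would rather check a fleet of hosts than visit a web page one machine at a time, here is an added example (not the dns-ok.gov.au site's code) that reads resolver settings in `resolv.conf` form and tests each nameserver against the rogue DNS ranges the FBI published for the DNSChanger infrastructure. The two `resolv.conf` texts are constructed.

```python
import ipaddress

# Rogue resolver ranges published by the FBI for the DNSChanger (Operation
# Ghost Click) servers; these are the ranges the public check sites test for.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed resolv.conf contents for a clean host and an infected host.
CLEAN_RESOLV_CONF = "search example.net\nnameserver 192.168.1.1\nnameserver 8.8.8.8\n"
INFECTED_RESOLV_CONF = "nameserver 85.255.112.36   # set by malware\nnameserver 8.8.8.8\n"


def nameservers_from_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, comments stripped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def is_rogue(address):
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False          # not an IP literal (e.g. garbage in the file)
    return any(ip in net for net in ROGUE_RANGES)


def rogue_resolvers(addresses):
    return [a for a in addresses if is_rogue(a)]


def check_host(resolv_conf_text):
    """Return ("INFECTED" | "OK", list of rogue resolvers) for the given text."""
    rogue = rogue_resolvers(nameservers_from_resolv_conf(resolv_conf_text))
    return ("INFECTED" if rogue else "OK"), rogue


if __name__ == "__main__":
    try:
        text = open("/etc/resolv.conf").read()
    except OSError:
        text = INFECTED_RESOLV_CONF   # fall back to the constructed sample
    print(check_host(text))
```

One caveat a local check cannot cover: if the DNS settings were changed on a home router rather than on the host, `resolv.conf` points at the router's private address and this script reports OK. The dns-ok.gov.au approach, observing which resolver a query actually arrives from, catches that case; to cover it offline, run the same range test against the router's configured upstream DNS servers as well.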
Email mix-up blamed in Check Point domain expiry snafu
Check Point has downplayed the significance of a domain renewal mix-up that resulted in its home page being replaced by a holding page for a brief period on Monday.
The problem arose because Network Solutions sent the security firm's domain renewal notice to the wrong email address, a statement by the firewall and VPN firm explained.
'Earlier today there was an issue accessing www.checkpoint.com - the site was being re-directed to another page (a Network Solutions page). The problem was that the Checkpoint.com domain registration expired. This happened due to Network Solutions, our domain host, sending our renewal notification to an incorrect email address at Check Point.
There was no security issue whatsoever.
The domain record was wrong and redirected for approximately 23 minutes. During that time DNS servers around the world were updated with the wrong record. We corrected the issue at 15:30 IL time (13:30 UK) on Monday April 2nd.
The update is currently being propagated to all DNS servers in the world. This process takes time, depending on the setting of the DNS servers. Some servers are already updated, while others will be in their next refresh in the next few hours.'
Check Point's domain was due to be renewed on Friday, 30 March. The late renewal may have affected the delivery of email to the security giant as well as the ability of surfers to reach its home page, independent security experts point out.
Continued : http://www.theregister.co.uk/2012/04/03/check_point_domain_renewal_snafu/
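The lesson from this incident is not to depend on the registrar's renewal e-mail reaching the right mailbox. As an added example (not Check Point's or Network Solutions' tooling), the script below parses the expiry date out of WHOIS output in the two common formats for a .com record and raises an alert when renewal is due within a configurable window. The WHOIS excerpts and reference dates are constructed for EXAMPLE.COM.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpts in the two date formats a .com lookup may return:
# the Verisign "Registry Expiry Date" form and the older "Expiration Date:
# dd-mon-yyyy" form some registrars still print.
SAMPLE_WHOIS_ISO = """\
Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR, LLC
Updated Date: 2011-04-01T12:00:00Z
Registry Expiry Date: 2012-03-30T04:00:00Z
"""
SAMPLE_WHOIS_LEGACY = """\
Domain Name: EXAMPLE.COM
Expiration Date: 30-mar-2012
"""

_EXPIRY_FORMS = (
    (re.compile(r"Registry Expiry Date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"),
     "%Y-%m-%dT%H:%M:%SZ"),
    (re.compile(r"Expir(?:y|ation) Date:\s*(\d{2}-[A-Za-z]{3}-\d{4})"), "%d-%b-%Y"),
)


def expiry_date(whois_text):
    """Return the expiry as an aware UTC datetime, or None if no known form is present."""
    for pattern, fmt in _EXPIRY_FORMS:
        m = pattern.search(whois_text)
        if m:
            return datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone.utc)
    return None


def days_until_expiry(whois_text, now):
    exp = expiry_date(whois_text)
    return None if exp is None else (exp - now).days


def expiry_alert(domain, whois_text, now, warn_days=30):
    """One-line verdict suitable for a monitoring check."""
    days = days_until_expiry(whois_text, now)
    if days is None:
        return f"{domain}: expiry date not found in WHOIS output; check manually"
    if days < 0:
        return f"{domain}: EXPIRED {-days} day(s) ago"
    if days <= warn_days:
        return f"{domain}: expires in {days} day(s), renew now"
    return f"{domain}: ok, {days} day(s) left"


# Fixed reference times so the example is reproducible offline.
TEN_DAYS_BEFORE = datetime(2012, 3, 20, tzinfo=timezone.utc)
THREE_DAYS_AFTER = datetime(2012, 4, 2, tzinfo=timezone.utc)


def demo():
    return {
        "days_iso": days_until_expiry(SAMPLE_WHOIS_ISO, TEN_DAYS_BEFORE),
        "days_legacy": days_until_expiry(SAMPLE_WHOIS_LEGACY, TEN_DAYS_BEFORE),
        "warning": expiry_alert("example.com", SAMPLE_WHOIS_ISO, TEN_DAYS_BEFORE),
        "expired": expiry_alert("example.com", SAMPLE_WHOIS_ISO, THREE_DAYS_AFTER),
        "unparsed": expiry_alert("example.com", "Domain Name: EXAMPLE.COM\n", TEN_DAYS_BEFORE),
    }


if __name__ == "__main__":
    for line in demo().values():
        print(line)
```

Feed it the output of `whois <domain>` from a scheduled job and route the alert to a monitored channel rather than to whatever address is on file with the registrar; an unparseable record is reported as its own condition so a registrar changing its output format does not silently turn into "ok".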
Maliciousness in Top-ranked Alexa Domains
From BarracudaLabs Internet Security Blog:
For the infographic associated with this post, see http://www.barracudalabs.com/goodsitesbad.
At Barracuda Labs, we use a variety of research technologies to identify and study maliciousness on the web. One of these tools is an automated system that forces a web browser inside a Windows virtual machine to visit a URL to see what happens to the browser, its plugins, and the operating system. The resulting network-level actions of the virtual machine help us determine, without prior knowledge of specific exploits served to the browser or its extensions, whether a URL serves malicious content.
A few months ago we began using the above-described system to examine the Alexa 25,000 most popular domains. As these sites are popular and long-lived, many people assume that it is safe to visit them. However, automated examination of the Alexa top 25,000 each day for the month of February 2012, which found 58 sites serving drive-by download exploits, shows that this assumption does not always hold.
Continued : http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/