Browser extension hijacks Facebook profiles
From the Microsoft Malware Protection Center Blog:
We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox.
When installed, it attempts to update itself using the following URLs:
Mozilla Firefox browser:
Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.
To begin with, this Trojan monitors a user to see if they are currently logged in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file contains a list of commands telling the browser extension what to do.
Depending on the file, this malware can do any of the following in the Facebook profile of an infected system:
Continued : http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx
DDoS Services Advertise Openly, Take PayPal
The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today's so-called "booter" or "stresser" services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on PayPal to receive payments.
Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.
Today we'll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn't designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can be and are used to sideline medium-sized sites, although their most common targets are online gaming servers.
Continued : http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/
Font apps on Google Play deliver spyware
Everybody should know by now that downloading apps from Google Play is not as safe as we all would like. Admittedly, the probability of downloading malware is much smaller than on third-party online Android markets, but it still exists.
Webroot researchers have recently unearthed two apps that install additional fonts on an Android device, but also offer a way in for spyware.
The apps in question, Free Galaxy Classic Fonts and Galaxy Fonts, have since been removed from Google Play, but are still offered on their developer's official website.
Once the user downloads and runs one of the apps, and requests it to download and implement a new font, the app downloads the ikno.apk file - a spying app that forwards SMS, call logs, and location information to a web portal where the person doing the spying can review the information.
Also: Android Font Apps Hosted on Google Play Install Spyware
Report: U.S. cyberwar strategy stokes fear of blowback
Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.
The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks.
That's because U.S. intelligence and military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.
The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired.
Continued : http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510
Related: U.S. government becomes 'biggest buyer' of malware
USAID Workers Also Targeted by DoL Watering Hole Attackers
One of the nine sites serving malware tied to the recent watering hole attack on the U.S. Department of Labor was located in Cambodia and has ties to the United States Agency for International Development (USAID).
Speculation has it that the DoL attack was targeting downstream employees at the Department of Energy who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, a federal organization that funnels assistance to impoverished or oppressed nations.
Bloomberg Apologises Over 'Inexcusable' Access To Client..
"After a complaint from Goldman Sachs, Bloomberg says it is sorry it let workers access data on clients to guide news coverage"
Bloomberg News has admitted some of its journalists could access client information from terminals used for market updates, after claims employees used the data to guide their coverage and chase leads.
Goldman Sachs had complained about the practice last month, leading Bloomberg to change its policy.
According to a person familiar with the matter, the investment banking firm became concerned when a Bloomberg reporter contacted them to investigate what she believed was the departure of a Goldman employee. Her interest had apparently been sparked because the worker had not accessed a Bloomberg terminal for a number of weeks, AP reported.
For Bloomberg's journalists to access this information would be a breach of customer privacy, Goldman complained.
Also: Bloomberg Journalists Accused of Spying on Customers [Bloomberg]
Police unable to decrypt iPhones, ask Apple to do it
Court documents from a drug trial in Kentucky have revealed that neither the U.S. federal Bureau of Alcohol, Tobacco, Firearms and Explosives nor any other U.S. local, state, or federal law enforcement agency is able to break the hardware encryption on an iPhone 4S device or higher, so they have resorted to asking Apple to do it for them.
In fact, the move is so popular with law enforcement agencies that Apple has been forced to create a "waiting list" to handle all requests.
In this particular case the agents had to wait at least seven weeks for their request to be handled, and the whole process seems to have taken at least four months.
It is also largely unknown how Apple does it - it is only confirmed that once Apple analysts bypass the passcode, they download the (probably decrypted) contents of the phone to an external memory device and ship it to the law enforcement agency that requested it.
Continued : http://www.net-security.org/secworld.php?id=14899
Lookout targets privacy-invading mobile ad networks
Mobile security vendor Lookout plans to start flagging as adware mobile apps that use aggressive ad networks if they don't obtain explicit consent from users before engaging in behavior that potentially invades privacy.
Ad networks, advertisers and app developers have until June 24 to start conforming to the company's set of privacy and security best practices for mobile app advertising if they want to avoid being blacklisted.
"In 45 days, Lookout will classify as adware, ad networks that do not request explicit and unambiguous user consent for the following actions: display advertising outside of the normal in-app experience; harvesting unusual personally identifiable information; perform unexpected actions as a response to ad clicks," Jeremy Linden, security product manager at Lookout, said Friday in a blog post.
According to a study released by Bitdefender in March, the number of adware apps for Android devices increased by 61 percent during a five-month period ending in January. In the U.S. in particular, the number of adware apps increased by 35 percent during the same period.
Adblock Plus hits back at German newspapers urging readers to disable the free-to-use ad blocker
Adblock Plus, a free-to-use service that blocks unwanted adverts across the Web, has responded to a number of news outlets in Germany that are encouraging their readers to disable the free-to-use adblocker on their respective sites.
Spiegel Online, Sueddeutsche.de, Faz.net, Zeit, Golem.de and RP Online launched a joint campaign asking users to abandon the tool, or at the very least set up an exception rule for their particular site.
The top of the Spiegel Online front page says (translated): "Spiegel Online is for you free of charge. We're entirely funded by advertising. Adblocker means for us that we do not get paid for our work. We therefore ask you to refrain from Adblocker or allow an exception rule for Spiegel Online."
A link then redirects users to a separate webpage explaining, in detail, how they can set up an exception rule for any of the supported browsers.
Till Faida, co-founder of Adblock Plus, defended the service and said it was "part of the solution, not the problem."
Continued : http://thenextweb.com/insider/2013/05/13/adblock-plus-hits-back-at-german-newspapers-urging-readers-to-disable-their-ad-blocker/
A Phone Call, a Phish, and a Remote Access Trojan
From the Symantec Security Response Blog:
In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim will receive a phone call from the attacker who impersonates an employee or business associate of the organization. The caller spoke in French and asked the victim to process an invoice that they were to receive in an email.
Here is an example of an email that was received during one of the attacks. The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT). [Screenshot]
There is evidence to suggest that these attacks began as early as February 2013; however, it was only more recently, in April, that phone calls were being placed prior to sending the victim the phishing email. The attacks are currently localized to French organizations but have also included subsidiaries that operate outside of France. [Screenshot]
Continued : http://www.symantec.com/connect/blogs/phone-call-phish-and-remote-access-trojan