Ragebooter: 'Legit' DDoS Service, or Fed Backdoor?
On Monday, I profiled asylumbooter.com, one of several increasingly public DDoS-for-hire services posing as Web site "stress testing" services. Today, we'll look at ragebooter.net, yet another attack service except for one secret feature which sets it apart from the competition: According to the site's proprietor, ragebooter.net includes a hidden backdoor that lets the FBI monitor customer activity.
This bizarre story began about a week ago, when I first started trying to learn who was responsible for running RageBooter. In late March, someone hacked and leaked the users table for ragebooter.net. The database showed that the very first user registered on the site picked the username "Justin," and signed up with the email address "firstname.lastname@example.org."
That email address is tied to a now-defunct Facebook account for 22-year-old Justin Poland from Memphis, Tenn. Poland's personal Facebook account used the alias "PRIMALRAGE," and was connected to a Facebook page for an entity called Rage Productions. Shortly after an interview with KrebsOnSecurity, Poland's personal Facebook page was deleted, and his name was removed from the Rage Productions page.
Mac Spyware Found at Oslo Freedom Forum
From the F-Secure Antivirus Research Weblog:
The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.
Our Mac analyst (Brod) is currently investigating the sample.
It's signed with an Apple Developer ID. [Screenshot]
The launch point: [Screenshot]
It dumps screenshots into a folder called MacApp: [Screenshot]
zPanel hacked after support team member insults forum user
The official web site for the web hosting interface zPanel is currently unavailable. The cause seems to be a hacker attack provoked by a member of the support team who swore at a user on the official forum.
On Wednesday, a forum member going by the name joepie91_ posted details of a vulnerability in zPanel that has been known about for some time, saying that the developer team has been refusing to fix it. He explained that specially prepared templates can be used to execute commands on the server with root privileges and called zPanel "the most insecure hosting panel with any significant userbase" that he had ever seen.
Forum participant PS2Guy, a member of the support team, was clearly not willing to let that accusation stand. In the very first sentence of his response, he called joepie91_ a "fucken little know it all", adding that all security problems in zPanel have been fixed and challenging the accuser to try to hack into any server with the current version 10.0.2 of zPanel.
Also: App developer calls critic "f*cken little know it all"; site goes down
Critical Linux vulnerability imperils users, even after "silent" fix
May 15, 2013 4:44 pm UTC
"A month after critical bug was quietly fixed, "root" vulnerability persists."
For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.
The severity of the bug, which resides in the Linux kernel's "perf," or performance counters subsystem, didn't become clear until Tuesday, when attack code exploiting the vulnerability became publicly available (note: some content on this site is not considered appropriate in many work environments). The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option.
Continued: http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/
Related, noting the recent (16-05-13 10:12) update: Exploit for local Linux kernel bug in circulation - Update
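A quick way for an administrator to triage hosts against the affected range quoted above (kernels 2.6.37 through 3.8.8 built with CONFIG_PERF_EVENTS). This is an added example, not code from the Ars Technica article or from any kernel project; the function names and the sample config text are constructed for illustration.

```python
import re

# Affected range as stated in the article: 2.6.37 through 3.8.8 inclusive,
# and only when the kernel was built with CONFIG_PERF_EVENTS.
AFFECTED_MIN = (2, 6, 37)
AFFECTED_MAX = (3, 8, 8)


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '3.8.0-19-generic' into (major, minor, patch).
    Distribution suffixes are dropped; a missing patch level counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(release):
    """True if the upstream version number falls inside the range from the article."""
    return AFFECTED_MIN <= parse_kernel_version(release) <= AFFECTED_MAX


def perf_events_enabled(config_text):
    """True if a kernel config (e.g. /boot/config-$(uname -r) or zcat /proc/config.gz)
    sets CONFIG_PERF_EVENTS=y. Anchored so CONFIG_HAVE_PERF_EVENTS does not match."""
    return re.search(r"^CONFIG_PERF_EVENTS=y\s*$", config_text, re.M) is not None


def assess(release, config_text):
    """Return 'affected', 'version-only' (in-range version but perf events compiled out),
    or 'not-affected'. Vendor backports can move a kernel into or out of the range."""
    if not version_in_affected_range(release):
        return "not-affected"
    return "affected" if perf_events_enabled(config_text) else "version-only"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    sample_config = "CONFIG_HAVE_PERF_EVENTS=y\nCONFIG_PERF_EVENTS=y\n"
    for rel in ("3.8.0-19-generic", "3.8.9", "2.6.32-358.el6.x86_64"):
        print(rel, "->", assess(rel, sample_config))
```

Treat the version check as a first cut only: distribution kernels carry backported code and backported fixes, so the version string alone can produce both false positives and false negatives, and the vendor's advisory for the installed package is the authoritative answer.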
SysAdmin Hoax Goes International; Spanish Passwords Go Straight to Scammer Database
The SysAdmin scam that makes people believe they need to restore their account because of hacking attempts went international. The Spanish are now sending their passwords straight to the cyber-criminals' database. [Screenshot]
The e-mail targeting the Spanish in their language claims the user's email account needs to be urgently restored.
"Several incorrect login attempts on your email account," the phishing e-mail reads. "Open the attachment to the message and start the session of the details of your correct email account. NOTE: FAILURE CAN RESULT IN SUSPENSION of permanent account."
The messages aren't from any system administrator, of course. The e-mail is a phishing attempt designed to trick Spanish-speaking users into giving away their login details.
Mobile crimeware and the global criminal marketplace
The sprawling mobile devices marketplace has spawned an industrialized mobile financial fraud plexus that today drives increasingly sophisticated criminal technical innovation to exploit the mobile devices explosion. It is funded by increasing revenues derived from potent new developments in mobile malware, according to the APWG.
Mobile devices increasingly present an attractive, practical and economical alternative to traditional desktops. In the coming years, global mobile payments are predicted to exceed $1.3 trillion, moreover, presenting a mother lode of opportunity for cybercrime gangs who appreciate the vulnerabilities of these peripatetic communications and computing platforms, the APWG's analysis reports.
Continued: http://www.net-security.org/malware_news.php?id=2494
Japanese One-Click Fraud on Google Play Leads to Data Stealing App
From the Symantec Security Response Blog:
Since the beginning of the year, a Japanese one-click fraud campaign has continued to wreak havoc on Google Play. The scammers have published approximately 700 apps in total since the end of January. The apps are published on a daily basis and the scammers have invested around US$4,000 in order to pay the US$25 developer fee to publish apps on Google Play. [Screenshot]
Dealing with the fraudulent apps has really become a game of cat and mouse. Once the apps are removed from Google Play, the scammers simply publish more under new developer accounts. These are again removed shortly afterwards, but the scammers simply continue to publish more. Most of the apps are removed on the date of publication, but some, especially those published over weekends, tend to have a longer life and in some cases have download numbers in the triple digits.
The scam attempts to lure users interested in adult videos to a site that attempts to trick them into registering for a paid service. Even if only one user falls for the scam and pays, that's JPY99,800 (around US$1,000 at the current exchange rate) in the pocket for the scammers, which also means they can make more money by creating even more developer accounts to publish more fraudulent apps.
Continued: http://www.symantec.com/connect/blogs/japanese-one-click-fraud-google-play-leads-data-stealing-app