Gateline.net Was Key Rogue Pharma Processor
It was mid November 2011. I was shivering on the upper deck of an aging cruise ship docked at the harbor in downtown Rotterdam. Inside, a big-band was jamming at a reception for attendees of the GovCert cybersecurity conference, where I had delivered a presentation earlier that day on a long-running turf war between two of the largest sponsors of spam.
The evening was bracingly frigid and blustery, and I was waiting there to be introduced to investigators from the Russian Federal Security Service (FSB). Several FSB agents who attended the conference told our Dutch hosts that they wanted to meet me, but in a private setting. Stepping out into the night air, a woman from the conference approached, formally presented the three men behind her, and then hurried back inside to the warmth of the reception.
A middle-aged stocky fellow introduced as the senior FSB officer spoke in Russian, while a younger gentleman translated into English. They asked whether I knew anything about a company in Moscow called "Onelia". I said no, asked them to spell it for me, and inquired as to why they were interested in this firm. The top FSB official said they believed the company was heavily involved in processing payments for a variety of organized cyber criminal enterprises.
Continued : http://krebsonsecurity.com/2012/04/gateline-net-was-key-rogue-pharma-processor/
Active Zeus C&Cs Remain Following Microsoft Takedown
It appears that Microsoft's recent Zeus takedown attempt left some bots behind. Days after the company announced it had sinkholed the troublesome botnet, researchers say that there are still some C&C domains active.
FireEye Malware Intelligence Lab's Atif Mushtaq is reporting that, despite a largely successful takedown, part of the botnet has recovered from the takeover attempt. FireEye claims that this part of the botnet works with a Zeus variant that is well known for rapidly changing its command and control (C&C) infrastructure.
FireEye reports that the operation resulted in Microsoft gaining control of 147 of 156 C&C domains. Of the nine remaining domains, six are either dead or abandoned and present no threat. However, three of those C&C domains evaded the sinkhole and are actively sending and receiving commands.
Mushtaq is not certain how the Microsoft Digital Crime Unit missed some of the C&C domains.
"Their main concern should be the three active domains," Mushtaq wrote. "Without these domains completely destroyed, this botnet cannot be officially declared as dead."
Continued : http://threatpost.com/en_us/blogs/active-zeus-ccs-remain-following-microsoft-takedown-040412
Microsoft takedown of Zeus botnets missed a few C&Cs
Botnets Takedowns: A Game of Whack-A-Mole?
Police Themed Ransomware Continues
From the F-Secure Antivirus Research Weblog:
Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer. We wrote about a Finnish language variant last month. Attacks are still quite active according to our statistics. [Screenshot]
Even when somebody is savvy enough to recognize the message is a fake, the malware's accusations of offensive materials having been discovered on the user's hard drive creates a chilling effect, which has likely prevented some folks from seeking outside help.
Here's a screenshot we took earlier today using a recent variant: [Screenshot]
To unlock their computer, the user is asked to purchase a Paysafecard from a local convenience store chain (in Finland, it's R-Kioski) in the amount of 100 euros. The technique is effective, as even non-technical people who might not be able to use online payment services such as Webmoney or eGold will be able to walk to the nearest store to part with their money.
In this particular case, the e-mail address email@example.com shown in the screenshot does not belong to the attackers. The domain cybercrime.gov is valid and belongs to the US Department of Justice.
Continued : http://www.f-secure.com/weblog/archives/00002344.html
From TrendLabs Malware Blog: Trojan on the Loose: An In-Depth Analysis of Police Trojan
New Android Malware Variant Can Remotely Root Phone
A new version of Android malware has been tweaked so it doesn't require user interaction for an attacker to own the device, according to research published by Lookout Mobile Security yesterday.
An updated variant of the Legacy Native (LeNa) malware utilizes the GingerBreak exploit to gain root permission on Android phones. LeNa, according to Lookout principal engineer Tim Wyatt, hides its exploit in a functional JPEG file. The exploit communicates with a command and control server to install and launch packages unbeknownst to the phone's user.
Last fall, LeNa - looking like an authentic application - relied on a user to unwittingly utilize the SU utility to gain access and install a native binary file to the phone. LeNa was similar to DroidKungFu, a strain of malware that became popular in alternative Chinese markets last summer and collected various information about whatever phone it infected. While LeNa gained popularity in Chinese markets as well, it also surfaced in the Android Market (Google Play) a few times.
The malware has found a home on alternative mobile application marketplaces which are blocked by default on Android devices. While it doesn't appear to have made the jump to Google's new Play marketplace yet, the new version of LeNa has been seen making the rounds disguised as a version of the popular game Angry Birds Space.
Continued : http://threatpost.com/en_us/blogs/new-android-malware-variant-can-remotely-root-phone-040412
@ The Lookout Mobile Security Blog: Security Alert: New Variants of Legacy Native (LeNa) Identified
Cybercriminals target Google, LinkedIn & Mass Effect 3 users
During March 2012, GFI Labs documented several spam attacks and malware-laden email campaigns infiltrating users' systems under the guise of communications purporting to be from well-known companies and promotions for popular products and services.
Google, LinkedIn, Skype and the video game Mass Effect 3 were among the brands exploited by cybercriminals in order to attract more victims.
"Taking advantage of the notoriety of companies, celebrities and major events is a tactic cybercriminals continue to use because it works," said Christopher Boyd, senior threat researcher at GFI Software.
"They know that Internet users are bombarded with countless emails every day, and these scammers prey on our curiosity and our reflex-like tendency to click on links and open emails that look like they're coming from a company we know and trust," he added.
Continued : http://www.net-security.org/malware_news.php?id=2055
Windows Hacker Tool Creates Word Docs that Can Infect Macs
From The Mac Security Blog:
We recently published information about poisoned Word documents that can infect Macs with a backdoor. These documents look like Word files, but, when double-clicked, after displaying text, they infect Macs with a backdoor.
Intego's Malware Research Team has found samples of a Windows tool called MalHost-Setup.exe which can be used to create this type of infected Word file. (It can also be used to create Excel and PowerPoint files, but Intego has not seen any samples of these files being used to deliver this type of malware yet.) The sample found included an infected Word file with a Mac-specific payload.
As we pointed out in our blog post, "the code in these Word documents is not encrypted, so any malware writer who gets copies of them may be able to alter the code and distribute their own versions of these documents." This tool suggests that this type of infected Microsoft Office file will become more common.
Continued : http://www.intego.com/mac-security-blog/windows-hacker-tool-creates-word-documents-that-can-infect-macs/
Mobile 'Wallets' Attract Greater Interest From Thieves
From McAfee Labs Blog Central:
As mobile phones allow us to carry our money in an electronic "wallet," they will also become a greater target for crooks. Picking a pocket is a risky endeavor for thieves, but it will be much less so if all they need to do is bump into their victims or brush by them with a mobile phone. Thieves are now more likely to go after both mobile payment software and phones enabled with near-field communications (NFC). However, things are not so bad; security researchers' proof-of-concept (PoC) attacks against Google Wallet and Square's credit card readers have prompted improvements in security.
Security researchers have already tested Square's credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they're completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards. As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.
Bogus Apple gift card offer leads to phishing
An email purportedly sent by Apple, offering long-term customers the chance to buy a gift card worth 100 Australian dollars for the price of 9, has been targeting Australian Apple devotees, warns Hoax-Slayer.
"Dear Apple Customer, Apple is rewarding its long-term customers," states the email, then continues:
Your loyalty for our products made you eligible for buying an Apple Discount Card. With this only 9 AU$ Discount Card you will have 100 AU$ credit at any Australian Apple Store or on
To acquire your Apple Discount Card please click here
(You will receive your Apple Discount Card via e-mail in the following 24 hours after your payment has been made.)
The offered links take the victims to a website mimicking Apple's, which first asks them to input their Apple ID, then to fill out a form with information such as name, address, date of birth, driving license number, credit card number, expiration date, authorization number and more.
Continued : http://www.net-security.org/secworld.php?id=12697
How to Use Twitter Safely
We've all heard of Twitter accounts getting hacked. It's happened to Ashton Kutcher, Justin Bieber, Steve Wozniak, and numerous media outlets. Even we "normal" folks can be compromised, unwittingly. Recently my coworker accidentally clicked a URL-shortened link that resulted in her account spewing Direct Messages with a phishing link.
We were reminded again last week when Twitter took its popular application TweetDeck offline for a day after an Australian user discovered a bug that exposed a number of Twitter accounts.
As incredibly useful as Twitter is, we can't ignore the fact that we share the Twitterverse with spambots, cyber criminals, crazy exes, etc. So how do you stay safe on Twitter? It's a mixture of choosing the right Twitter client and remaining vigilant.
Continued : http://securitywatch.pcmag.com/security/296223-how-to-use-twitter-safely