NEWS - April 23, 2010

VeriSign warns of major social networking threat

"Firm uncovers black market trading in millions of compromised accounts"

VeriSign's iDefense managed security services arm has released new research warning of "exponential" growth in demand for black market data stolen from social networking sites, as criminals internationalise their campaigns.

As an indication of the growth in activity on these sites, iDefense has uncovered evidence of one particular black market forum user, known as 'kirllos', who claimed to be selling 1.5 million compromised accounts in bulk quantities.

Prices for the accounts depend on how many contacts or friends the user has on the site, and range from $25 (
Comments
NHS computers hit by voracious, data-stealing worm

The UK's National Health Service has been hit by a voracious, data-stealing worm that's easily detected by off-the-shelf security software, according to researchers who directly observed the mass compromise.

Researchers from anti-virus provider Symantec have been monitoring the Qakbot worm since last May and have documented its behavior here and here. On Thursday, after infiltrating two of the six servers used to collect pilfered data from infected machines, they provided an update that didn't exactly instill confidence in the healthcare system.

"The logs show that there is a significant Qakbot infection on the National Health Service (NHS) network in the UK," the Symantec update states. "This threat has managed to infect over 1,100 separate computers that are spread across multiple subnets within the NHS. We have attempted to contact the affected parties and have no evidence to show that any customer or patient data has been stolen."

Continued here: http://www.theregister.co.uk/2010/04/23/nhs_worm_infection/

A Fake Fast Food Survey

From the Security Response Blog:

In the past couple of months, Symantec observed phishing attacks against a major fast food brand. The attacks were carried out through spam mails requesting customers' answers for a bogus satisfaction survey. The fast food brand is one of the most popular worldwide, so fraudsters sent the spam globally. The spam email states that the brand is planning major changes to their chain of restaurants to improve their quality of service. The mail further states that to implement these changes, customer opinion is required by means of a survey (which is of course fake). Fraudsters try to trick customers by claiming a reward for those who participate in this survey. The spam email contains a link that leads to the phishing website containing the fake survey: [...]

In the above example, the phishing website claims to provide an $80 reward for the customer taking part in a quick, 8 question survey. Upon completing the survey, the Web page is redirected to a fake user authentication page that asks for sensitive information such as credit card number and pin number so as to supposedly credit the bogus reward to the customer's fast food account. The page claims to credit the reward within 3 business days after user authentication and will reflect on the customer's account history. [...]

Continued here: http://www.symantec.com/connect/blogs/fake-fast-food-survey

Twitter Spam Campaign Selling Viagra

From M86 Security Labs:

Hello Tweeple (Twitter people)! As Twitter has grown in popularity, it has become a target for cybercriminals, some of which we've blogged and written about in our most recent Security Labs report for the end of 2009. This is something that Twitter users should be wary of when using the service. Yesterday, we started receiving spam messages as part of a spam campaign impersonating a Twitter notification email from "Twitter Support". The spam message arrives as a notification about an unread message from Twitter. [...]

If you are a Twitter user and you received one of these emails, you should always check to see where the link points to before clicking on it. The link should point to the Twitter.com domain for an email to be fairly legitimate. However, we recommend that users who receive these types of emails should go to Twitter.com manually instead of clicking on the link in the e-mail. [...]

The link from this particular email actually points to a Canadian Pharmacy website, which, unsurprisingly is quite similar to a social engineering tactic used from an Apple Invoice spam we blogged about previously. [...]

Continued here: http://www.m86security.com/labs/i/Twitter-Spam-Campaign-Selling-Viagra,trace.1308~.asp

Also: Email from support@twitter.com? It's a Viagra spammer
Don't Be Fooled by Twitter Spam in Your Inbox

A newfangled pyramid scheme?

From Kaspersky Lab Blog:

Yesterday we received a very enticing email offering users the chance to earn loads of money for just one hour of work per day. Put another way, it was an offer to join a financial pyramid. [...]

The funny thing is that the spammer has obviously not tried to limit the amount of information offered to the user - the message was 7 MB. Normally, spammers try to make their emails as small as possible (usually no more than 5 KB) because it means they can send more of them.

So why are these attachments such "heavyweights"? As you may have noticed from the screenshot above, one file is an mp3 and the other has a .doc extension.

The text document contains 18(!) pages that explain in detail the principles behind the financial pyramid. The document stresses that though this "super program" may resemble network marketing, it is actually something completely different. However, one part has been lifted directly out of a well-known book on network marketing. It states: "THE THING IS, THERE IS A SECRET FORMULA BUILT INTO THE PROGRAM WHICH ENSURES 100% SUCCESS FOR ALL PARTICIPANTS IN THE BUSINESS WHICH IS DOWN TO FACTORS THAT ARE SO SUBTLE THAT THE HUMAN BRAIN IS INCAPABLE OF COMPREHENDING THEM. WHAT IS THIS FORMULA? IT'S A SECRET OF THE LEGENDARY CREATOR OF RMI, MIYAMOTO ICHIKAWA."

Continued here: http://www.securelist.com/en/blog/218/A_newfangled_pyramid_scheme

Hiding from Anti-Malware Search Bots

Malicious hackers spend quite a bit of time gaming the Internet search engines in a bid to have their malware-laden sites turn up on the first page of search results for hot, trending news topics. Increasingly, though, computer criminals also are taking steps to block search engine bots from indexing legitimate Web pages that have been hacked and booby-trapped with hostile code.

Search giants Yahoo! and Google each have automated programs that crawl millions of Web sites each week in search of those hosting malicious code. When the search providers find these sites, they typically append a warning to the hacked Web site's listing in search results, alerting the would-be visitor that the site could be dangerous. These warnings not only result in fewer people visiting infected sites, but they have a tendency to alert a listed site's owners to a malware problem that needs attention.

This is all well and good for you and me, but not so wonderful for the bad guys. Unless, of course, said bad guys have planned ahead, by inserting code in their hacked sites that hands out malicious code to everyone except the automated anti-malware bots deployed by the top search providers.

Which is precisely what security expert David Dede found earlier this month while analyzing some Web-based malware.

Continued here: http://krebsonsecurity.com/2010/04/hiding-from-anti-malware-search-bots/#more-2366

McAfee retracts bug damage estimate

"McAfee has changed its official response on how many enterprise customers were affected by a bug that caused havoc on computers globally."

A McAfee update released on Wednesday caused computers using Microsoft's Windows XP Service Pack 3 to incorrectly identify a legitimate operating system component as containing a virus. Affected computers experienced networking problems or repeated rebooting. McAfee has since removed the buggy update code from the company's servers.

McAfee's executive vice president, Worldwide Technical Support & Customer Service, Barry McPherson said on an official McAfee blog yesterday that the problem wasn't widespread. "We believe that this incident has impacted less than one half of 1 per cent of our enterprise accounts globally and a fraction of that within the consumer base," he said.

But today the mention of "less than one half of 1 per cent" appears to have been modified. "We believe that this incident has impacted a small percentage of our enterprise accounts globally and a fraction of our consumer base home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection," the blog now states.

The reason for the removal was "to restate number of customers impacted", according to the blog.

Continued here: http://www.zdnet.com.au/mcafee-retracts-bug-damage-estimate-339302649.htm
~~~~~~~~~

Barry McPherson's most recent posting at the McAfee Security Insights Blog not referenced in above article:

"An Update on False Positive Remediation"

Phishing "Education Test" is blocked...for phishing

From the Sunbelt Blog:

There's a site you may have seen being pinged around on Twitter today, called ismycreditcardstolen(dot)com. This is what it looks like: [...]

Yes, alarm bells were ringing for me too. "If you fear your credit card info has been stolen, enter it here and you can find out for free". (Emphasis mine). "Avoiding fraud has never been easier!"

Oh boy.

Anyway, there's a nice looking yellow padlock and a big green tick which always means something like this is safe, right? [...]

As it turns out, you just failed a test - or so the above text claims. It seems this site has been set up to warn people about the dangers of phishing, giving some hints and tips in relation to phish attacks and also providing a link to the Anti-Phishing Work Group's Website. The site also mentions it doesn't send your card details anywhere, and this appears to be the case.

Not sure I'd want to ever be in a situation where I had to take the word of a random third party in relation to something like that, but there we go.

There's an About page, which lists the people who created it, along with the following message: [...]

Continued here: http://sunbeltblog.blogspot.com/2010/04/phishing-education-test-is-blockedfor.html

Oversharing and a powerful search engine = FAIL

From the Websense Security Labs Blog:

Update 1: Blippy has posted a response here.

Update 2: Google's search results have been cleaned up and the information is no longer available.

Users of the Blippy service, a website that lets people share their credit card purchases online, are scrambling to change their settings or even closing their accounts after VentureBeat published a story about how Google searches can disclose users' credit card details. [...]

As can be seen in the screenshot above Blippy shows every purchase made with linked credit cards, bank accounts, Amazon, iTunes account and more. In today's world of social media and an eagerness to share your with friends (and sometimes the world), Blippy fits right in. And Blippy claim to take privacy seriously as can be seen from the following statement from their website. [...]

However, things don't always work as planned. Google has indexed the private information and it's now publicly visible in search results as can be seen below. [...]

Continued here: http://securitylabs.websense.com/content/Blogs/3596.aspx#
