
NEWS - January 23, 2013

Jan 23, 2013 4:10AM PST
Twitter Bug Changes Application Security Levels on Twitter

A security researcher uncovered a bug in Twitter's code which may have resulted in some third-party applications getting access to private direct messages without the user's explicit approval.

Many Web applications allow users to sign in using their Twitter and Facebook accounts instead of creating yet another account. It is convenient for users, and application developers can access user data stored on the social networking site. Cesar Cerrudo, a security researcher with IOActive, stumbled across a flaw in which these applications could wind up with higher levels of access than they should have.

In a post on the IOActive Labs Research blog, Cerrudo described how he was testing a Web application (still under development) which allowed users to sign in with Twitter or Facebook. At the "Sign in" page, Cerrudo saw that the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The page also explicitly stated the application would not have access to his Direct Messages or his password.

Continued : http://securitywatch.pcmag.com/none/307241-twitter-bug-changes-application-security-levels-on-twitter

Also:
Twitter Bug Allowed Apps to Access Direct Messages Without Permission
Twitter bug gives 3rd-party apps access to users' Direct Messages
Twitter Bug Exposed Direct Messages to Third Party Apps Without User Approval
Twitter Fixes Bug That Allowed Third-Party Apps to Access DMs Without Permission

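The bug above was on Twitter's side, but the caveat for anyone building a "Sign in with ..." integration is the same: never assume the token you get back carries exactly the permissions the consent screen showed. The following is an added example, not code from the page, from IOActive or from Twitter; it uses the generic OAuth 2.0 token-response format (space-separated `scope` field, RFC 6749 section 5.1) rather than Twitter's 2013 access-level scheme, and the scope names and token responses are constructed for illustration.

```python
"""Least-privilege check on an OAuth 2.0 token response.

Added example, not the original page's or Twitter's code. Scope names
("read", "write", "dm") and the sample responses are constructed.
"""

# Scopes the application asked for and that the consent screen promised.
REQUESTED = frozenset({"read", "write"})

# Scopes this application never wants, even if the provider hands them out.
FORBIDDEN = frozenset({"dm"})


def granted_scopes(token_response: dict, requested: frozenset) -> set:
    """Return the scopes actually granted.

    RFC 6749 s5.1: the server MAY omit 'scope' when it is identical to the
    request, so a missing field means 'exactly what was requested'.
    """
    raw = token_response.get("scope")
    if raw is None:
        return set(requested)
    return set(raw.split())


def vet_token(token_response: dict,
              requested: frozenset = REQUESTED,
              forbidden: frozenset = FORBIDDEN) -> dict:
    """Decide whether a freshly issued token may be stored and used.

    A token with more scopes than requested is refused outright: the user
    consented to the smaller set, and the excess grant is exactly the
    failure mode the Twitter bug produced. The caller should discard the
    token and tell the user to revoke the app's access.
    """
    granted = granted_scopes(token_response, requested)
    excess = granted - requested
    dangerous = granted & forbidden
    return {
        "granted": sorted(granted),
        "excess": sorted(excess),
        "dangerous": sorted(dangerous),
        "accept": not excess and not dangerous,
    }


# Constructed sample responses (the access_token values are placeholders).
SAMPLE_EXPECTED = {"access_token": "tok-1", "token_type": "bearer",
                   "scope": "read write"}
SAMPLE_OMITTED = {"access_token": "tok-2", "token_type": "bearer"}
SAMPLE_EXCESS = {"access_token": "tok-3", "token_type": "bearer",
                 "scope": "read write dm"}

if __name__ == "__main__":
    for name, resp in (("expected", SAMPLE_EXPECTED),
                       ("omitted", SAMPLE_OMITTED),
                       ("excess", SAMPLE_EXCESS)):
        print(name, vet_token(resp))
```

The check is deliberately strict in one direction only: a token with fewer scopes than requested is accepted (the app just has less to do), while any scope beyond the request, or any scope on the application's own deny-list, rejects the token before it is ever persisted.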

Just-patched Java, IE bugs used to snare human rights sites
Jan 23, 2013 4:14AM PST

"Reporters without Borders is latest site used in "watering hole" campaign."

The website belonging to non-governmental organization Reporters Without Borders is the latest to be hit by attacks that use the recently patched Java and Internet Explorer vulnerabilities to surreptitiously hijack computers of visitors, security researchers said.

The compromise comes a week after similar attacks successfully commandeered sites belonging to major Hong Kong political parties, Jindrich Kubec, a security researcher with antivirus provider Avast, wrote in a blog post published Tuesday. It's most likely another example of a "watering hole" attack, in which attackers target the sites their victims are likely to visit, in much the way predators position themselves near a river or lake bed to lie in wait for thirsty prey.

"Such an organization is an ideal target for [a] watering-hole campaign, as it seems right now the miscreants concentrate only on human rights/political sites—many Tibetan, some Uygur, and some political parties in Hong Kong and Taiwan which are the latest hits in this operation," Kubec wrote. "In our opinion the finger could be safely pointed to China (again)."

Continued : http://arstechnica.com/security/2013/01/just-patched-java-ie-bugs-used-to-snare-human-rights-sites/

Related:
Reporters Without Borders website abused in malware campaign
Reporters Without Borders Site Hacked, Abused in Watering Hole Attacks

More Malware Moving on Skype
Jan 23, 2013 4:57AM PST

With Skype expanding its reach with services designed for small businesses, and other messaging platforms such as Microsoft Windows Messenger shutting down, Skype is becoming an attractive target for malware writers.

Reports surfaced last week of the Shylock financial malware spreading on Skype and yesterday, researchers reported the discovery of more malware propagating on Skype.

Researchers found two worms, Bublik and Phorpiex, spreading mostly in Japan. Bublik is a backdoor with rootkit functionality. It opens a communication channel with a command and control server and downloads additional plug-ins. In this case, Trend Micro discovered the Kepsy worm, which helps Bublik spread over Skype and also clears Skype message history.

Bublik can enable remote access for an attacker, download and upload files to a C&C server, download additional plug-ins and monitor browser activity. It also gathers and reports application data, system and network information, hardware specs and running processes.

Continued : https://threatpost.com/en_us/blogs/more-malware-moving-skype-012213

Also: Skype Malware Campaign Grows - Businesses and Consumers Targeted

From TrendLabs: Shylock Not the Lone Threat Targeting Skype

How Java dumps useless add-ons and toolbars on PC users
Jan 23, 2013 4:58AM PST

"Java is the newly crowned 'king of foistware.'"

Remember the Ask search engine? Oracle sure does—and by extension, so do Java users. Oracle has taken the practice of bundling useless add-ons and toolbars with legitimate software to new heights while collecting a commission each time it tricks a user into installing an Ask toolbar.

That's what Windows expert and legendary skeptic Ed Bott of ZDNet reports after examining Java's installation and update practices. Bott has done extensive reporting on "foistware," previously crowning Adobe and Skype as the worst offenders. But over the past year, Adobe and Skype have reformed themselves a little bit, while Oracle's Java now deserves the crown for "king of foistware," he wrote today.

"The evidence against Oracle is overwhelming," Bott wrote, continuing:

Continued : http://arstechnica.com/information-technology/2013/01/how-java-dumps-useless-add-ons-and-toolbars-on-pc-users/

Related : Oracle, please stop sneakily foisting third-party toolbars on us with your Java updates

From Ben Edelman within IAC Toolbars and Traffic Arbitrage in 2013:

The Special Problems of IAC Ask Toolbar Installed by Oracle's Java Updates

Three Men Charged in Connection with 'Gozi' Trojan
Jan 23, 2013 4:59AM PST

Federal prosecutors today announced criminal charges against three men alleged to be responsible for creating and distributing the Gozi Trojan, an extremely sophisticated strain of malicious software that was sold to cyber crooks and was tailor-made to attack specific financial institutions targeted by each buyer.

According to charging documents filed in the U.S. District Court for the Southern District of New York, authorities believe Gozi was the creation of Nikita Kuzmin, a 25-year-old Russian national. Authorities say Kuzmin was aided by 27-year-old Latvian resident Deniss "Miami" Calovskis, and Mihai Ionut Paunescu, a 28-year-old Romanian national who allegedly used the screen name "Virus". The charges include bank-fraud conspiracy, conspiracy to commit computer intrusion, and wire-fraud conspiracy.

A press conference announcement sent to reporters today by the office of New York U.S. Attorney Preet Bharara states that Gozi infected more than one million computers — at least 40,000 of which were in the United States — and caused millions of dollars in losses. Kuzmin was arrested in California in Nov. 2010; Calovskis was arrested in Latvia in Nov. 2012; Paunescu was arrested last month in Romania. Bharara's office called Gozi "one of the most financially destructive computer viruses in history."

Continued : http://krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/

Also: Three Charged with Creating, Distributing Gozi Banking Malware

2012 Annual Security Roundup: Post-PC Threats
Jan 23, 2013 6:53AM PST

From the Trendlabs Security Intelligence blog:

The "post-PC era" is a phrase which has been a veritable buzzword for some time. However, 2012 saw cybercrime expanding to mobile platforms, highlighting how threats have entered the post-PC era, too.

Mobile Threats: 350,000 and Growing

By the end of 2012, the number of Android malware grew to 350,000. This was a monumental growth from the 1,000 mobile malware we saw at the end of 2011. Much of this growth was driven by adware and premium service abusers, which accounted for a sizable majority of the seen growth.

The popularity of Android in the mobile space means that it is now facing threats similar to what has faced Windows in the desktop space. This threat grew and became more sophisticated throughout the entire year, and we expect that this will continue into 2013.

Data breaches and Malware: Business as Usual

The year saw a continuation and evolution of many familiar threats. Data breaches and APTs continued to hit organizations large and small. Increasingly, the question is no longer if a system will suffer a data breach, but when. Throughout the year, we discovered and looked into various information theft campaigns, as well as the tools used.

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/2012-annual-security-roundup/

Related: Android malware could reach the 1 million mark by year's end

'Confidential Message' Infects Employees w/ Password Stealer
Jan 23, 2013 6:53AM PST

Malware writers target companies and public and private institutions by tricking employees into downloading a password stealer disguised as a confidential corporate document addressed to employees only.

The document in the form of a ZIP file is attached to an e-mail addressed to company employees under the confidentiality mark. The sender's address is spoofed to make it look as if the mail is sent by DocuSign Electronic Signature Service, on behalf of the administrative department of the employer company.

Under the pretext of viewing or printing a confidential document, recipients in fact download a password stealer that snatches passwords of their e-mail client (TheBat, Thunderbird, Outlook, or IncrediMail) and website passwords - saved under popular browsers such as Chrome, Firefox, Opera or Internet Explorer - to send them to a remote attacker.

Continued : http://www.hotforsecurity.com/blog/confidential-message-infects-employees-with-password-stealer-5089.html

Mega acknowledges security concerns, promises changes
Jan 23, 2013 6:54AM PST

Representatives of newly launched file-storage and sharing service Mega addressed some of the concerns raised by security researchers in recent days about the site's architecture and the implementation of its cryptographic features.

In a blog post published Tuesday, Mega officials acknowledged that some of the security risks pointed out by researchers are valid, but said that users had already been informed about some of them through the FAQ (Frequently Asked Questions) section of the website. In the case of other issues, they promised some improvements.

For example, it has been pointed out that the encryption keys generated by users during the sign-up process, and which are later used to encrypt their files, are encrypted using the account password and are only stored on Mega's servers. Since there is no password recovery feature, users will lose the ability to decrypt their files if they forget their passwords, some people said.

Continued: http://www.computerworld.com/s/article/9236059/Mega_acknowledges_security_concerns_promises_changes

Related:
Mega facts
Mega's first crypto faux pas

Google Tells Cops to Get Warrants for User E-mail, Cloud Data
Jan 23, 2013 7:46AM PST

Google demands probable-cause, court-issued warrants to divulge the contents of Gmail and other cloud-stored documents to authorities in the United States — a startling revelation Wednesday that runs counter to federal law that does not always demand warrants.

The development surfaced as Google publicly announced that more than two-thirds of the user data Google forwards to government agencies across the United States is handed over without a probable-cause warrant.

A Google spokesman told Wired that the media giant demands that government agencies — from the locals to the feds — get a probable-cause warrant for content on its e-mail, Google Drive cloud storage and other platforms — despite the Electronic Communications Privacy Act allowing the government to access such customer data without a warrant if it's stored on Google's servers for more than 180 days.

Continued : http://www.wired.com/threatlevel/2013/01/google-says-get-a-warrant/

Related: Google: User-data requests have increased by 70 percent since 2009