NEWS - June 09, 2011

Citibank victimized by hackers, insists cardholders are safe

Reuters is reporting that Citibank's systems were hacked, resulting in a loss of Personally Identifiable Information (PII).

Citibank says that data for 1% of their cardholders was accessed through this breach, but customers' Social Security Numbers (SSNs), birth dates, card expiration dates and CVV codes are safe.

Information that may have been disclosed to the hackers includes customers' names, account numbers, contact details and email addresses.

According to Citibank's website they are the world's largest provider of credit cards, issuing more than 150,000,000 cards globally. Based on these numbers, information for 1,500,000 or more individuals may have been compromised.

In April Paul Gaulant, former head of the bank's credit card unit, told Reuters, "Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."

Continued :

Also: Customer data stolen from Citibank
Pirate Bay, MegaUpload & Others Blocked By Government Order

In what appears to be a memo sent to ISPs by the regulator of Internet industries in Malaysia, all service providers have been ordered to completely block various file-sharing sites including The Pirate Bay, MegaVideo and other hosting services. The move follows an April statement by the country's Prime Minister in which he promised his administration would never censor the Internet.

The regulation of the communications and multimedia industry in Malaysia is handled by SKMM - the Malaysian Communications and Multimedia Commission. Under a 1998 Act of the same name, the Commission is empowered to carry out a range of functions, several of which are law-related.

According to SKMM's website, the Commission has the power to "implement and enforce the provisions of the communications and multimedia law", "regulate all matters relating to communications and multimedia activities not provided for in the communications and multimedia law" and to recommend reforms to existing law.

Continued :

French cert authority reveals its private key by mistake

Certigna, a major French certification authority whose certificates are trusted in all of today's most popular browsers - IE, Firefox, Safari, Opera, and many others - has somehow managed to make its private key accessible via browser for anyone who might be looking.

"A visit to the site's revocation list page - which is fully publicly accessible via a standard web browser - allows anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates," points out Gareth Halfacree. [Screenshot]

This private key in the wrong hands can result in malicious pages seemingly possessing valid certificates signed by a trusted certification authority, reassuring potential victims that it's safe to give out their private or financial information or to download offered files.

According to Halfacree, Certigna has been alerted to the fact and has removed the files in question from the website, but has not offered any comment. Since it's possible that the private key has been downloaded by malicious individuals, the only thing for Certigna to do is to revoke it and create another, then reissue all the certificates and sign them with the new key.

Continued :

Sony: Full restoration of Qriocity services starts Thursday

"According to a press release issued by Sony, all Qriocity services will finally be restored on Thursday."

Electronics giant Sony has announced that on Thursday the company will fully restore all Qriocity services following a lengthy period of downtime which occurred as a result of a massive security breach back in April.

The restoration will see full functionality returning to Qriocity's Video On Demand and Music Unlimited services across all compatible devices.

In a statement released in Tokyo on Thursday, Sony said it will "fully restore all Qriocity services today June 9, 2011, in all serviced territories, excluding Japan." It continued: "As a result, all PlayStation Network and Qriocity services which were shut down on April 20 will be available. In addition to full PlayStation Network services as well as "Music Unlimited powered by Qriocity" for PlayStation 3 (PS3), PSP (PlayStation Portable), VAIO and other PCs which have already resumed, full restoration of Qriocity services will include:

Continued :

FakeRean Comes of Age, Turns Hard-core

Avid readers of this blog can attest that we've been writing about FakeRean for, oh, quite a number of months now. In case you missed out on those posts or you no longer remember them, I have for you here a short list of what we've written about this rogue AV family so far:

What's in a (rogue) name? VirusTotal 2010
Malicious warez site offers Firefox 4.0 beta download scam
Rogue downloads look real: read the fine print
Obama, birth certificates, and Rogue AV

FakeRean was initially discovered by Microsoft a couple of years ago. Like all rogue AV families, it displays fake scanning results to users in an effort to dupe them into coughing up cash in order to register the software and supposedly clean their systems. This family also alters the infected system's registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack the file association for executable (.EXE) files, which allows it to reappear every time an application is run.

Our intrepid rogue AV hunter, Patrick Jordan, spotted new ways in which FakeRean is currently being distributed online, and by the looks of things, the bad guys behind it have not only cast a wider net but also gone, erm, hard-core. Case in point: [Screenshot]

The above page is found on, a prominent repository of open-source software, as a profile page. Of course, it wouldn't matter whether you're 18 or not, you still get a free but malicious software to download and run on your systems once you click any of the buttons there. This software is a PDF exploit that, once installed, drops and also installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen (v).

Continued :

Sony Portugal latest to fall to hackers

The same Lebanese hacker who targeted Sony Europe on Friday has now dumped a database from Sony Portugal.

The hacker claims to be a grey hat, not a black hat, according to his post to

"I am not a black hat to dump all the database I am Grey hat"

Instead of dumping the entire database like many previous Sony attackers, idahc only dumped the email addresses from one table in Sony's database.

He claims to have discovered three different flaws on, including SQL injection, XSS (cross-site scripting) and iFrame injection.

By my count, this is the 16th attack against Sony since the chaos came raining down on them in mid-April.

There were two other breaches on Monday by LulzSec, but I simply couldn't bring myself to write about more Sony hacks.

Continued :

Also: Sony Music Portugal Website Hacked, Email List Leaked

Plankton Android Trojan found in 10 apps on Android Market

Ten more applications have been pulled from Google's official Android Market following a notification that they contained a new kind of Android malware.

The malware was discovered by Xuxian Jiang, an assistant professor at NC State University, and his team. As we have already witnessed before, the malicious code is "grafted" onto legitimate applications, and once the app is installed, it works as a background service whose goal is to gather information and transmit it to a remote server.

The server takes the information in consideration and returns a URL from which the malware downloads a .jar file that, once loaded, exploits Dalvik class loading capability to stay hidden by evading static analysis.

According to them, Plankton - as they named the malware - and the payloads it downloads do not provide root exploits. "Instead, they only support a number of basic bot-related commands that can be remotely invoked," they say.

Continued :

W3C to manage development of the Privacy Dashboard

W3C has announced on its blog that it has taken on the open source development of the Privacy Dashboard. This grew out of the PrimeLife research project that was funded by the European Commission "to counter the trend to life-long personal data trails without compromising on functionality." To this end, the project funded the development of the Privacy Dashboard, a Firefox add-on that monitors the personal information that is collected by web sites and enables the user to control this - block or allow - for each web site that is visited.

The add-on displays an icon in the Firefox toolbar that acts as an indicator, changing between three states according to what the system knows about the site currently displayed: whether it is benign regarding privacy, whether it collects some information but does not have a machine-readable privacy policy, or whether it enables tracking by third-party web sites. The first time a user visits a web site that is not known to be benign, the Dashboard alerts the user to set their preferences; there are three choices: "Accept always", "Protect me" and "Tell me more". Selecting the latter option brings up a dialogue box that lists the information that is available, including the number of session cookies, lasting cookies, external third-party sites and invisible images.

Continued :

United Parcel Service malware attack spreads fake anti-virus

Email inboxes around the world are being spammed today with a malicious attack designed to infect Windows computers with a fake anti-virus attack.

The emails claim to be notification from United Parcel Service (UPS) that a package is winging its way to your address. The cybercriminals behind the scheme hope that recipients will be intrigued enough to open the attached file, which can infect their computer with malware.

A typical message looks as follows: [Screenshot]

Subject: United Parcel Service notification #[number]

Message body:

United Parcel Service
tracking number #[number]

Good morning
Parcel notification

The parcel was sent your home adress.
And it will arrive within 3 buisness days.

More information and the parcel tracking number are attached in document below.

Thank you

United Parcel Service of America (c)
153 James Street, Suite100, Long Beach CA, 90000

Attached file:

Would the spelling mistakes and grammatical errors be enough to ring an alarm bell in your head? Or would the promise of an unexpected parcel being delivered be enough to trick you into opening the attachment?

Continued :
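As an added illustration (not part of the original post or of Sophos's own tooling), here is a small scoring heuristic for the lure indicators the post describes: the notification-style subject, a brand mismatch with the sender domain, a risky attachment, the tracking number "attached in document below", and the two misspellings. Both sample messages are constructed; the sender addresses and attachment name are assumptions, since the post does not show them.

```python
import re

# Added example, not from the original post or from Sophos: a scoring heuristic
# for the UPS-themed lure described above.  Sample messages are constructed; the
# sender addresses and the attachment name are assumptions.

LURE_SUBJECT = re.compile(r"^United Parcel Service notification #\d+", re.I)
RISKY_ATTACHMENT = re.compile(r"\.(zip|exe|scr|com|pif|bat|cmd|js)$", re.I)
ATTACHMENT_BAIT = re.compile(r"tracking number.*attached", re.I | re.S)
LURE_MISSPELLINGS = ("adress", "buisness")   # the two errors in the quoted lure
BRAND = "united parcel service"
BRAND_DOMAIN = "ups.com"                     # assumed legitimate sender domain
SUSPICIOUS_THRESHOLD = 4


def score_message(msg):
    """Score one message dict (keys: from, subject, body, attachments).
    Returns (score, reasons); a higher score means more lure indicators."""
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    risky = [a for a in msg["attachments"] if RISKY_ATTACHMENT.search(a)]
    checks = [
        (2, bool(LURE_SUBJECT.search(msg["subject"])), "subject matches the lure pattern"),
        (2, BRAND in text and sender_domain != BRAND_DOMAIN,
         f"claims {BRAND} but sent from {sender_domain}"),
        (3, bool(risky), f"risky attachment type: {risky}"),
        (1, bool(ATTACHMENT_BAIT.search(msg["body"])), "tracking details pushed into attachment"),
    ] + [(1, w in text, f"misspelling seen in the lure: {w!r}") for w in LURE_MISSPELLINGS]
    hits = [(pts, why) for pts, cond, why in checks if cond]
    return sum(p for p, _ in hits), [why for _, why in hits]


def is_suspicious(msg):
    return score_message(msg)[0] >= SUSPICIOUS_THRESHOLD


# Constructed sample: the body quoted in the post, with an assumed sender and attachment.
LURE_SAMPLE = {
    "from": "notification@example-courier.invalid",
    "subject": "United Parcel Service notification #4913827",
    "body": ("United Parcel Service\ntracking number #4913827\n\nGood morning\n"
             "Parcel notification\n\nThe parcel was sent your home adress.\n"
             "And it will arrive within 3 buisness days.\n\nMore information and "
             "the parcel tracking number are attached in document below."),
    "attachments": ["UPS_document.zip"],
}

# Constructed benign message for comparison.
BENIGN_SAMPLE = {
    "from": "noreply@ups.com",
    "subject": "Your UPS shipment is on its way",
    "body": "Track your package on the UPS website with the tracking number 1Z999.",
    "attachments": [],
}

if __name__ == "__main__":
    for name, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(sample), "suspicious" if is_suspicious(sample) else "ok")
```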

Pay-Per-Install a Major Source of Badness

New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs.

Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware-a spambot, fake antivirus software, or password-stealing Trojan-to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.

The PPI services also attract entrepreneurial malware distributors, or "affiliates," hackers who are tasked with figuring out how to install the malware on victims' machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install.

Continued :

Movable Type 0-Day Vulnerability Used to Hack into PBS, Patch Available

Six Apart, the company developing Movable Type, has released updates for the popular blogging platform in order to patch a zero-day vulnerability used by hackers to break into the website two weeks ago.

At the end of May, LulzSec, a hacker group that recently captured headlines with attacks against Sony and other companies, hacked into the website of the Public Broadcasting Service (PBS) and posted fake news articles.

The hackers did this because they didn't like a WikiLeaks documentary that aired on PBS Frontline a day earlier.

In a post on its official blog, Six Apart admits working with PBS following the incident to determine how hackers managed to compromise its website, which runs on Movable Type.

The company has released mandatory security updates today across all branches - 4.0, 5.0 and 5.1 - in order to address the security issues exploited by LulzSec.

Users are strongly recommended to upgrade to Movable Type 5.11, 5.051, and 4.361, depending on what branch they use, the company stressed.

Changes include the addition of a blacklist and whitelist for uploaded files. These were implemented as two configuration directives called DeniedAssetFileExtensions and AssetFileExtensions.

Continued :
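The post names the two new directives but not how they behave, so the following is an added illustration, not Movable Type's own code: an upload-extension policy with a deny-list and an allow-list modelled on DeniedAssetFileExtensions and AssetFileExtensions, showing why checking only a deny-list against the final, case-sensitive extension is the weaker of the two. The lists and the matching rules are assumptions.

```python
import os

# Added example, not Movable Type's own code: an upload-extension policy modelled
# on the two directives named in the post.  The lists below and the rules for
# applying them are assumptions for illustration.

DENIED_EXTENSIONS = {"php", "pl", "cgi", "exe", "js"}      # assumed deny-list
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}  # assumed allow-list


def extensions_of(filename):
    """Return every extension segment of a file name, lower-cased.

    'Photo.JPG' -> ['jpg']; 'x.php.jpg' -> ['php', 'jpg'].  All segments are
    returned, not only the last, because some web-server configurations also
    interpret earlier segments, so a policy should be able to see them.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    return [part.lower() for part in base.split(".")[1:] if part]


def allowed_by_denylist(filename, denied=DENIED_EXTENSIONS):
    """Deny-list only (the weaker check): a file is rejected only if one of
    its extension segments is explicitly listed.  Anything else passes,
    including extensions nobody intended to serve."""
    return not any(ext in denied for ext in extensions_of(filename))


def allowed_by_policy(filename, allowed=ALLOWED_EXTENSIONS,
                      denied=DENIED_EXTENSIONS):
    """Allow-list plus deny-list: the final extension must be on the
    allow-list and no segment may be on the deny-list.  A name with no
    extension at all is rejected."""
    exts = extensions_of(filename)
    if not exts:
        return False
    return exts[-1] in allowed and not any(ext in denied for ext in exts)


if __name__ == "__main__":
    for name in ("Photo.JPG", "notes.txt", "shell.PHP", "x.php.jpg", "noext"):
        print(f"{name:12} denylist={allowed_by_denylist(name)!s:5} "
              f"policy={allowed_by_policy(name)}")
```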
Warning: Urgent Microsoft Update May Be Firefox Malware

A phony anti-virus scam is presenting itself as a near-perfect Microsoft update popup with one notable exception - it appears only on machines using Firefox browsers.

According to the Sophos Naked Security blog machines infected in drive-by downloads from compromised sites receive the scareware that appears as urgent update notifications.

The clue that the updates are phony is that they appear only when the affected computer uses Firefox. Legitimate updates come via Internet Explorer, Sophos says.

Victims click to receive the urgent updates and their computers are infected with malware that seizes up the machines. A persistent popup says the infection can be cleaned up by buying anti-virus software - a phony product sold by the criminals behind the phony Microsoft update notification.

Sophos recommends accepting updates only from vendors from whom users have requested updates.

From Sophos: Fake anti-virus cloaks itself to appear to be Microsoft Update

Feds seize Swiss bank account of scareware mogul

Federal authorities have seized all the cash in a Swiss bank account held by a scareware mogul and scam artist who is charged with selling phony Symantec security software.

The U.S. Attorney's office in New York filed for the forfeiture of $14.8 million stashed in the account by Shaileshkumar "Sam" Jain, who has fled the U.S. after being charged in the counterfeit antivirus scheme.

Jain was charged three years ago, but has been on the run since failing to show for court appearances, and is believed to have moved to Ukraine. He is charged with trafficking in counterfeit goods, wire fraud and mail fraud.

The charges stem from a scheme that employed spam to lure victims to a website where they used credit cards to buy what was purported to be genuine Symantec antivirus software. In return, they were sent counterfeit software from a facility in Ohio, according to U.S. Immigration and Customs Enforcement.

He is also charged with selling scareware products such as WinFixer, Antivirus 2008 and VirusRemover 2008, all of which are represented as antivirus software but which actually install spyware and malware and otherwise slow down victims' computers. Jain ran Innovative Marketing, which prosecutors say sold a million copies of fake antivirus products.

Continued :

May MSRT by the numbers

Microsoft Malware Protection Center:

In May, we added Win32/Ramnit to the Microsoft Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged. As of May 20th, MSRT disinfected 52,549 computers from the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses out of the top 10 detected threat families.

Top 25 detections by MSRT, May 10 - May 20 [Chart]

You may have noticed that Ramnit, like several of the other viruses mentioned in the above chart, is classified as an "evolved" virus - as described in Scott's previous Ramnit post, one that combines earlier and later generations of malicious infection techniques.

Allow me to go 'back to the book' for the definition of a parasitic virus. A parasitic virus, or file infector, is a type of 'old school' malware that attaches to, modifies or resides in a host file on the file system. Given its invasive spreading technique, one may wonder why malware authors are still in love with this old method, particularly when file infectors tend to leave the computer in an unstable state, slow and crashing often, while some even render the infected computer useless.

With today's malware authors aiming to make a profit from their victims, one would expect them to be motivated to create stealthy threats with the least overhead on the machine, so as to keep the window of time open long enough to harvest data (or run other payloads).

Continued :

Eurocops carry out massive piracy bust

An international task force of police officers from Germany, Spain, France and the Netherlands has carried out one of the biggest piracy busts in the history of the Internet.

Several addresses were raided throughout Europe and a number of admins from movie indexing site were hauled off after being arrested.

The site has been closed and contains a message in German which roughly translates as, "The site you have selected has been closed on suspicion of commercial and criminal copyright infringement. Several of the site's operators have been arrested. Internet users who illegally pirated or distributed copies of films may be subject to criminal prosecution."

Although Kino didn't actually host any illegal files on its own servers, it provided thousands of links to other sites, many of them beyond the reach of European laws, which offered dodgy streams of Hollywood blockbusters. It was one of the 100 most visited web sites in several European countries.

The size of the international task force is not yet known, but TorrentFreak reports that 250 officers from Germany alone took part in the raids on 20 premises. 13 people have been arrested and a 14th is being hunted down as we write.

The MPAA recently named Kino as one of the world's biggest enablers of copyright theft and estimated that it offered links to 300,000 TV shows and 66,000 movies.

Continued :
