NEWS - June 15, 2011

Hit by MacDefender, Apple Web Security (name your Mac FakeAV here)...


All started with iPhone...Happy

Some days ago I had to replace the battery on my wife's iPhone, and after that I noticed that the Wifi was not working properly, so I decided to check on Google for pictures of the iPhone antenna so that I could open it again and verify whether I had left anything loose (which later I found to be the case...).

A regular search for "iphone wifi antenna" (BE CAREFUL) and I got several hits...and as Google is proactive, it also showed some examples of pictures related to my search.

Well, I decided to see one of the pictures and clicked on it. It then started to load and suddenly was redirected to another page, which looked like my Finder screen: [Screenshot]

As you can see, this looks a lot like a common Finder screen. It also looks a LOT like the common FakeAV (FakeAlert) tactics for Windows, where they use JavaScript to simulate a fake scan on "My Computer", showing all drives and folders being scanned.

That is exactly what happens on the next screenshot: [Screenshot]

Continued :
Adobe Fixes 36 Critical Bugs in Quarterly Security Update

As part of its regularly scheduled quarterly security updates, Adobe patches its Reader, Acrobat, Shockwave and Flash products.

Adobe released five security bulletins as part of its quarterly security update. Three are rated "critical" and two "important."

Adobe fixed 11 vulnerabilities in Adobe Reader as part of its quarterly update released June 14. The company also resolved 24 vulnerabilities in its Shockwave Player and another serious flaw in Flash Player. The Flash Player bug could cause a crash and allow an attacker to take complete control of a system, Adobe said in its announcement.

"These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system," Adobe said.

Adobe patched Adobe Reader X and Acrobat X for Windows and Mac (APSB11-16), corresponding fixes in 8.x and 9.x versions, Shockwave Player for Windows and Mac (APSB11-17), and Flash Player (APSB11-18) for Windows, Mac OS X, Linux and Solaris. An updated version of the Flash Player for Android is expected later in the week, Adobe said. Important vulnerabilities in ColdFusion (APSB11-14), LiveCycle Data Services, LiveCycle ES and Blaze DS (APSB11-15) were also closed for Windows, Mac OS X and Unix versions.

"Some of these fixes have been a long wait for administrators," said Jason Miller, manager of research and development at VMware.

Several of the zero-day vulnerabilities that were resolved in Adobe Reader X in this update were addressed for 8.x and 9.x versions in March and April. Adobe had chosen to not update Reader X at the time because the sandbox technology in the latest version trapped the exploits and prevented them from executing. The vulnerabilities were exploited in the wild against older versions while Reader X remained unpatched, Miller said.

Continued :

Further Details:
Adobe Product Security Updates Available

becomes the latest site to get hacked

It seems you're not really up there with the big boys like Sony and Codemasters these days unless you've been hacked. The latest victim is the unfortunately named which publishes business and consumer credit reports. Specifically, the attack is on not, which is a totally different company.

We're not sure how many customers it has, but a sign posted on the site this morning says that it was subject to an unauthorized attack but an "initial review indicates that no personally identifiable information has been compromised." Unfortunately they say the hack means that visitors accessing the site via a search on Google may have been redirected to a malicious website "that attempts to install a malicious .exe file."

Here's their statement:

'Dear valued Creditsafe Limited customer, On Tuesday the 14th of June, we detected unauthorized access was gained to our website. As soon as the intrusion was detected, we immediately took offline in order to prevent any further intrusion. We have instigated a thorough investigation in order to ascertain the extent and scope of the breach and our enquiries are ongoing at this time. Our initial review indicates that no personally identifiable information has been compromised. Similarly we do not believe the attack has compromised our email system or internal records. But the nature of the intrusion has meant that visitors ... '

Continued :

Also: Creditsafe suspends website in wake of drive-by download attack

Updates for Office 2004, 2008 and 2011 for Mac

Users of Microsoft's Office for Mac should activate the update feature as Microsoft has released updates for Office 2004 for Mac, Office 2008 for Mac and Office 2011 for Mac. All three releases fix a hole in Microsoft Excel which potentially allows remote code execution with the use of specially crafted spreadsheets. Code executed would run with the privileges of the logged-in user. Exploits for the Mac have not been seen to date. The issues have already been fixed in the Windows version of Excel.

The issues also affect Open XML File Format Converter for Mac. The updates range in size from 13 MB for the Office 2004 version to 333 MB for the Office 2008 version. Users can download the updates from the relevant advisory pages or by selecting Help->Check for Updates. According to Microsoft, the Office 2011 update also has improved stability and has other non-security related bug fixes.

Close to US$500k stolen in first major Bitcoin theft

In the first Bitcoin theft of its size, a user has lost 25,000 BTC - or nearly $487,749 at today's market rates - to an unknown thief.

While the Bitcoin community has always been quick to point out that it's harder to forge a Bitcoin than to forge a dollar, it's quite easy to take someone else's Bitcoins: all you have to do is gain access to their computer's hard drive. Once you're in, stealing Bitcoins is easier than taking a wallet in the real world, and there's no recourse for getting them back.

That said, it is possible to verify the movement of funds to ensure complainants are telling the truth due to Bitcoin's public nature - services such as BlockExplorer allow users to see every transaction that has ever occurred through the network. The receiving account in this case, for instance, can be seen here.

As a decentralized network with no authority and no identities attached to the addresses used to send and receive Bitcoins, once Bitcoins are stolen they're as good as gone.

While at the time of this writing the BTC is trading at $19.51, I wouldn't be surprised to see their value drop over the course of the day as this news spreads.

Also: Cyber Theft Incident Outlines the Downside of Bitcoin

Medical research group slammed over laptop loss

"8.6 million patient records went waltzing out the door"

An NHS laptop containing medical records for more than 8.63 million people has been missing for three weeks, a health authority admitted, before coming under fire from police for failing to report the loss in a timely manner.

A staggering 20 laptops at London Health Programmes disappeared from a storeroom three weeks ago, and while eight have been recovered a further 12 are still missing. One of those still unaccounted for is known to hold confidential data on 8.6 million patients, including postcodes, genders, ages, ethnic origins, and details of illnesses and procedures including cancer, HIV, and abortions. Only the names of the afflicted or otherwise are missing from the database.

While the losses were noticed by the group three weeks ago, The Sun claims that it took until last week for the police to be notified. The delay has left those investigating the loss "dismayed," and could well harm efforts to recover the missing laptops and their payload of private data.

According to the newspaper's coverage, the laptops are worth around £10,000 each. It's not clear how this valuation is reached - as even the most expensive Apple-branded system retails for a fraction of that figure - but the value of the hardware and software lost is likely to pale into insignificance when compared to the medical data.

The loss is currently under investigation by the Information Commissioner's Office, but both it and the NHS North Central London health authority were unable to comment on this story.

, a haven for phishing pages

From Zscaler Research:

Phishers, scammers and other attackers love free hosting services. They constantly need to set up plenty of malicious sites as their old ones are taken down or blacklisted. Fake AV authors loved, a free DNS service that allows them to redirect users to sites such as They then used a similar service from, etc. was used to redirect users to malware. Free hosting service Ripway is still full of phishing sites.

The ultimate dream of a phisher is to be able to set up thousands of phishing sites freely, anonymously, and quickly. Luckily for them, offers a service which empowers them to do just that. It is a "Free anonymous web hosting" site, which allows anyone to create any page with a simple POST request. [Screenshot]

To be clear, like many other free services, PasteHtml was not designed to host malicious content. They have many legitimate pages, but they are also used to host many phishing pages. Try searches on the site for terms such as " facebook login" or " paypal". Most of the pages are malicious.

Continued :

Dial-a-Hacker: LulzSec Opens Request Line for Next Target

Have you ever felt so angry at a company that you wished its website was hacked to shreds, but you didn't have the technical expertise required? Here comes LulzSec to the rescue. The marauding hackers, with their huge and growing list of conquests -- including PBS, the FBI and the U.S. Senate, pornography and gaming sites, and most of all, Sony -- opened a hack request line during their latest merry jaunt, Titanic Takeover Tuesday.

Titanic Takeover Tuesday saw the disruption of the websites for The Escapist and the IT security company Finfisher, as well as the login servers for EVE Online, Minecraft and League of Legends. Afterward, the group posted a telephone number on its Twitter feed with this message:

"Now accepting calls from true lulz fans - let's all laugh together at butthurt gamers. 614-LULZSEC, accepting as many as we can, let's roll."

A few hours later the group claimed to have received 5,000 missed calls and 2,500 voicemails. The 614 area code represents the metropolitan area of Columbus, Ohio, but only an irresponsible gambler would wager that that'll help authorities locate members of LulzSec in the slightest.

It's unclear whether the phone number will be used for future hacks or if its purpose has been spent. Either way, posting a number where anonymous users can recommend future victims of the group's illegal activity is a brazen move. LulzSec is begging to get busted, but also, in a perverse way, "giving back" to a community that enjoys seeing the flaws of big companies exposed. The ironic twist is that these big companies are made big by the average public whose private information is being revealed in the hacks.

Also: LulzSec fields calls via hacking request line

Incognito exploit kit

Exploit kits are becoming an increasingly popular means of spreading attacks. Umesh recently blogged about seeing a spike in the usage of the Blackhole exploit kit. This exploit kit targets multiple known vulnerabilities present in a victim's browser, increasing the probability of a successful compromise. Various exploit kits differ in the way they are packaged, designed and implemented. The most distinguishing factor among different exploit kits is how exploits are obfuscated, in order to bypass various security controls.

Recently, I have noticed a significant increase in the usage of the Incognito exploit kit. Similar to the Blackhole exploit kit, Incognito also targets vulnerabilities in Java and Adobe products. Another item that stands out to differentiate among these exploit kits is the URL patterns used. Most of the time, the URL pattern remains the same within a given exploit kit. A quick look at malwaredomainlist shows the usage of common patterns used in URLs associated with Incognito.

Common URL patterns for Incognito:

Continued :
