NEWS - May 27, 2011

ChronoPay Fueling Mac Scareware Scams

Some of the recent scams that used bogus security alerts in a bid to frighten Mac users into purchasing worthless security software appear to have been the brainchild of ChronoPay, Russia's largest online payment processor and something of a pioneer in the rogue anti-virus business.

Since the beginning of May, security firms have been warning Apple users to be aware of new scareware threats like MacDefender and Mac Security. The attacks began on May 2, spreading through poisoned Google Image Search results. Initially, these attacks required users to provide their passwords to install the rogue programs, but recent variants do not, according to Mac security vendor Intego.

A few days after the first attacks surfaced, experienced Mac users on an Apple support forums began reporting that new strains of the Mac malware were directing users to pay for the software via a domain called Others spotted fake Mac security software coming from When I first took a look at the registration records for those domains, I was unsurprised to find the distinct fingerprint of ChronoPay, a Russian payment processor that I have written about time and again as the source of bogus security software.

Continued :
Discussion is locked
Reply to: NEWS - May 27, 2011
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - May 27, 2011
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Vendor's List Of Backdoor Accounts Leaked Online

An internal document listing the backdoor accounts for switches manufactured by networking equipment vendor Allied Telesis was circulating online Friday, a day after an internal support page providing instructions on accessing hard coded back door accounts in the company's products was found to be publicly accessible.

The Excel spreadsheet, "Password_List" was apparently downloaded from Allied's support Web site and posted to a public, file sharing Web site on Thursday. It contains instructions for accessing around 20 models of network switching equipment manufactured by Allied Telesis, including default administrative user name and password information and special key combinations and passwords that can be used to enable back door features in the switches.

The spreadsheet was one of four documents accessible from an Allied Telesis support page containing instructions on enabling back doors. The page was marked for internal use only, but ended up visible to the public Internet. While some of the switches listed in the document have hard coded back door account passwords, many have dynamic passwords that are based on the MAC address of the hardware and require a separate password generator application to create. The password generator application was also available from the support page and has also been leaked online.

Continued :

Also: Allied Telesis divulges secret backdoor

- Collapse -
Microsoft downplays IE 'cookiejacking' bug

Microsoft today downplayed the threat posed by an unpatched vulnerability in all versions of Internet Explorer (IE) that an Italian researchers has shown can be exploited to hijack people's online identities.

The bug, which has been only discussed and not disclosed in detail, was part of an attack technique described by Rosario Valotta, who dubbed the tactic "cookiejacking," a play on "clickjacking," an exploit method first revealed in 2008.

Valotta combined an unpatched bug, or "zero-day," in IE with a twist on the well-known clickjacking tactic to demonstrate how attackers can steal any cookie for any site from users duped into dragging and dropping an object on a malicious Web page.

He had demonstrated the attack at a pair of security conferences in Amsterdam and Zurich earlier this month, then published more information on his blog Monday.

By hijacking site cookies from IE7, IE8 and even IE9, attackers would be able to access victims' Web email, Facebook and Twitter accounts; or impersonate them on critical sites that encrypt traffic, like online banks and retail outlets.

Continued :

Internet Explorer: cookie theft made easy
Unpatched IE bug exposes sensitive Facebook creds

- Collapse -
"F-Secure HTK4S" is Fake

From F-Secure:

We've seen this one before, but there's been a new run today.

Some clown is trying to pose as us. If you see an e-mail like the one below, please ignore it:

Subject: Security Maintenance.F-Secure HTK4S
To: undisclosed-recipients:;

Dear Email Subscriber,

Your e-mail account needs to be improved with our new
F-Secure HTK4S anti-virus/anti-spam 2011-version.
Fill in the columns below or your account will be
temporarily excluded from our services.

E-mail Address:
Phone Number:

Please note that your password is encrypted
with 1024-bit RSA keys for increased security.


Copyright 2011. All Rights Reserved.

We've seen this same desperate attempt in multiple languages (done with machine translation), for example:

Continued :

- Collapse -
"Install this to get the password"

From the Sunbelt Blog:

Ourpcgame(dot)net would like it if you downloaded some of their games. [Screenshot]

In the above example we're looking at Portal 2, though a wide selection is on offer. Under each game, there's a "Click here for free download" link. Do that, and you'll end up with two tantalisingly named folders: "CD Keys" and "Game Direct Links". [Screenshot]

Ooh. Except it isn't so much "Ooh" as "wait, both of these stupid folders are password protected". That's right, you're dealing with what we in the business like to call "bait". The Readme says this:

"To know password do follow steps:

1. go to ourpcgame(dot)net
2. Look on the left side. click on Babylon banner
3. download the Babylon Toolbar which is 100% free and safe, install it. you will get a message after completing the installation.
4. fifth word of that message is the password to open the game links folder."

Yes. Of course it is.

These files are a little out of date, because the site now sports an eMule download instead. They were pulling this one back in July of 2010 (scroll down). Didn't work then, either. You install the program regardless, hoping for some red hot password action:

Continued :

- Collapse -
MacDefender: The sky is not falling ..

The ESET Threat Blog"

In the last few days, I have been asked by a journalist (or four) what MacDefender means for the future of Apple security, and if I thought there was excess hype around it.

I'll address the second question first. I think its safe to say the current malware would not be newsworthy if it affected Windows. Compared to many Windows malware packages, it is relatively easy to identify the attack, it is not hard to avoid installation if you recognize the social engineering, and if the malware is installed, it's easy to remove.

But why is there so much hype? MacDefender is not only not novel, it's just an instance of a problem that's been around for years. And Microsoft researchers have concluded there's a high probability the MacDefender malware originates from existing scareware for Windows, yet in the Windows community this scareware draws no attention at all.

The hype is primarily because this is the first socially engineered malware attack to successfully target Mac OS X, and a number of people are jumping on the "we told you so" bandwagon. As there is one family of Mac OS X malware and there are multitudes of threats for Windows, it's hardly something to crow about, especially as this particular threat exists on Windows. I don't say this to trivialize the problem; MacDefender is fake software designed to process fraudulent transactions and/or potentially steal card data, and people have certainly been impacted.

Secondly, we've seen some vendors (I won't name names, but reading the news makes it pretty obvious) hyping the threat MacDefender poses to users. We saw this effect with Conficker, as well. A number of vendors declared an imminent apocalypse when Conficker was set to update itself. As my colleague Randy Abrams said at the time, update your operating systems with appropriate patches and run antivirus and you shouldn't have a problem. Predictably, when Conficker updated not much happened except that infected systems remained infected.

Continued :

- Collapse -
89% say they would tell Mac-using friends to install A/V
89% say they would tell Mac-using friends to install anti-virus, poll reveals

Just over a week ago we ran a poll on the Sophos Facebook page asking folks if they would now recommend that friends and family install anti-virus software.

89% of the 968 people who answered the poll said yes, they would recommend friends install anti-virus software on their friends' Macs. Just 104 respondents answered no. [Screenshot]

Now, of course, people who have joined Sophos's page on Facebook are likely to have a higher-than-average interest in computer security, and we can't claim it's a scientific poll - but it's worth realising that we asked this question before the latest revelations about how the latest Mac fake anti-virus malware has evolved to not require users to enter their passwords.

From what I'm seeing in comments online, and the increasing number of home users downloading Sophos's free anti-virus for Mac, there's a real sea change taking place, and the recent attacks have woken up Mac fans to the advantages of running anti-virus software.

More and more Mac users are realising that they do need to take the security of their computers seriously, and anti-virus is part of that.

Continued :
- Collapse -
Microsoft Safety Scanner detects exploits du jour

From the Microsoft Malware Protection Center:

We recently updated the Microsoft Safety Scanner - a just-in-time, free cleanup tool. The new version adds support for 64-bit Windows systems and also allows for the download of the tool to run in non-networked systems such as those behind an air-gap network, those within an ISPs walled garden, and those where the infection has impaired internet connectivity. You can download the Microsoft Safety Scanner (MSS) at

Early results have been very positive with this tool and we are actively reviewing telemetry from our customers who use it in order to better understand aspects of threat impact from specific malware families. In addition, we urge our customers to install security updates provided by Microsoft for our operating systems and applications, as well as from other third-party applications and any security updates that may be provided by Internet service providers. Early telemetry gathered from the release of the Microsoft Safety Scanner echoes this continuous messaging.

During the first seven days of the MSS release, there were close to 420,000 downloads, or 60,000 downloads per day, of the product. It cleaned 20,097 infected computers in total, for users that suspected their computers were infected and downloaded MSS to scan their machines. Kudos to these users for having security awareness.

Continued :

- Collapse -
Five Infamous Database Breaches So Far In 2011

"An alarming trend of security companies getting hacked serves as a wake-up call that no one is immune"

In today's era of the massive data breach, 2011 seems to have only continued the trend of database exposures slamming organizations large and small. According to the Privacy Rights Clearinghouse, the first half of 2011 has seen 234 breaches that affected more than hundreds of millions of individuals.

Here's a look at some of the most impactful database exposures so far this year, all of which lessons for IT security pros:

1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.

Following an announcement by security firm HBGary Federal that it was planning on exposing information about the renegade Anonymous hacking community, the firm was assaulted by Anonymous members. Anonymous hacked into HBGary's CMS database through a vulnerable front-end Web application, stealing credentials that they were able to then leverage to break into the company's executives' e-mail, Twitter, and LinkedIn accounts. They were also able to access, and then dump publicly, the email spools of HBGary proper via the HBGary Federal hack.

Lessons Learned: This attack proves once again that SQL injection remains a hacker's prime tool to jimmy into database systems; Anonymous used this method to make its first foray into HBGary Federal's systems. But the attack probably wouldn't have been able to go deeper if the credentials stored within the affected database had been hashed with something stronger than MD5. More disconcerting, though, was the fact that the passwords used by the executives were simple and the credentials were reused across many accounts.

2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens.

After an employee retrieved a spear phishing e-mail from the Junk folder and opened an infected attachment contained within, the hackers responsible for this breach were able to dig deep enough into the RSA network to find a database containing sensitive information pertaining to RSA's SecurID authentication products......

Continued :

CNET Forums