
NEWS - October 14, 2010

Your Federal Tax Payment Has Not Been Rejected

It's been more than a week since we started seeing spam email, supposedly sent by the EFTPS (Electronic Federal Tax Payment System, a division of the US Department of the Treasury), informing recipients in dire, bolded text that Your Federal Tax Payment ID: 01037513 has been rejected. I had hoped it would be a faded memory by now, but apparently it just won't die.

Spam, ladies and gentlemen. It's a lie, cooked up in a criminal's troubled mind, with the goal of convincing significant numbers of people to click a link in the message. It's a pretty contrived message, which also informs the recipient, in characteristic Spamglish, to "In other way forward information to your accountant adviser." Apparently, whoever began the campaign needs a refresher in the history of recent Internet scams - this particular scam has been going on again, off again for four years.

Judging by the number of other people asking about this online, the campaign must have been massive. And like a squirrel harassing birds on a feeder, it's not likely to go away anytime soon.

In this case, the link looks like it's supposed to go directly to the EFTPS Web site, but the author of the spam simply hyperlinked the URL to point elsewhere. In the case of some of the samples we've seen, the messages link to a page on the domain; that page contains a single line of HTML to redirect victims to yet another site, which has since been shut down.
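The two tells described in this post (visible link text showing the EFTPS URL while the href points at a different host, and a landing page consisting of a single-line HTML redirect) can be checked for mechanically. The following is an added example, not code from the original post; the email body, landing page and hostnames it scans are constructed placeholders, not the real spam domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample resembling the message described: the visible link text
# is a legitimate-looking EFTPS URL, but the href points at another host.
# (Hostnames below are placeholders, not the actual spam domains.)
SAMPLE_EMAIL = """
<html><body>
<b>Your Federal Tax Payment ID: 01037513 has been rejected.</b>
<p>Please review the details at
<a href="http://example-redirector.invalid/eftps.html">https://www.eftps.gov/eftps/</a>.
In other way forward information to your accountant adviser.</p>
<p>Contact: <a href="https://www.eftps.gov/">https://www.eftps.gov/</a></p>
</body></html>
"""

# Constructed landing page: a single line of HTML that bounces the visitor on.
SAMPLE_LANDING = '<meta http-equiv="refresh" content="0;url=http://third-site.invalid/x.php">'

# Anchor text that itself looks like a URL (with or without a scheme).
URL_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def _host(url):
    """Lower-cased hostname of a URL; add a scheme if the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return hrefs whose anchor text looks like a URL on a different host.
    A match is the classic 'displayed URL != real destination' phishing tell."""
    p = LinkCollector()
    p.feed(html)
    return [href for href, text in p.links
            if URL_TEXT.match(text) and _host(text) != _host(href)]

def meta_refresh_target(html):
    """Return the destination of a <meta http-equiv=refresh> redirect, or None.
    Only the common attribute order (http-equiv before content) is handled."""
    m = re.search(r'http-equiv\s*=\s*"refresh"[^>]*content\s*=\s*"[^;"]*;\s*url=([^"]+)"',
                  html, re.I)
    return m.group(1).strip() if m else None

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_EMAIL))
    print(meta_refresh_target(SAMPLE_LANDING))
```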

- Collapse -
Antivirus Action "Standart" rogue

From Sunbelt Blog:

This wouldn't be a rogue security product from somewhere in the east, would it?

The Antivirus Action sales site:

We currently detect it as "Trojan.Win32.Generic.pak!cobra"

That spelling would be a less-than-optimal translation into English of стандарт - the word for "standard" in many of the Slavic languages. In Bulgaria there is a newspaper by that name.

- Collapse -
Best Practices For Oracle and Database Patching

Oracle's massive pile of patches this week complicated the already onerous process of updating the database, other apps

As Oracle prepares to dump a passel of 81 security fixes on its user base--including seven critical patch updates (CPUs) for its database product--many database administrators are preparing to patch their Oracle database platforms accordingly. But if recent numbers from the Independent Oracle Users Group annual security survey are an accurate barometer, there are still plenty of others who will sit on the CPUs due out next week for a year or longer. Security experts believe organizations first need to improve these numbers by instituting patching best practices for databases.

"I find it funny that there are patches everywhere else that are applied on a regular basis to machines like desktops and so on, but it is still not a general practice for the databases," says Michelle Malcher, director of education for IOUG and a DBA and team lead at a Chicago-based financial firm.

According to a recent survey of its members, only 37 percent of organizations patch their systems within the same three month cycle that CPUs are released. Approximately 28 percent either take a year or more to patch, have never applied a CPU, or don't know how long it takes them to patch their databases.

- Collapse -
Pill Gang Used Microsoft's Network in Attack (Krebs site)
Pill Gang Used Microsoft's Network in Attack on

An organized cyber crime gang known for aggressively pushing male enhancement drugs and other knockoff pharmaceuticals used Internet addresses belonging to Microsoft as part of a massive denial-of-service attack against late last month.

The attack on my Web site happened on Sept. 23, roughly 24 hours after I published a story about a criminal online service that brazenly sold stolen credit card numbers for less than $2 each (see: I'll Take Two MasterCards and a Visa, Please). That story got picked up by BoingBoing, Gizmodo, NPR and a variety of other sites, public attention that no doubt played a part in the near-immediate suspension of that criminal Web site.

At first, it wasn't clear what was behind the attack, which at one point caused a flood of traffic averaging 2.3 gigabits of junk data per second (see graph above). Not long after the attack ended, I heard from Raymond Dijkxhoorn and Jeff Chan, co-founders of SURBL, which maintains a list of Web sites that have appeared in spam. Chan sent me a message saying he had tracked the attack back to several Internet addresses, including at least one that appeared to be located on Microsoft's network:

According to SURBL, the culprits were botnets under the thumb of "the usual Russian pill gangs": Dozens of domains that resolve(d) to online pharmacy sites - including,,, and - were using a compromised machine at that Microsoft address as a domain name server.

The attackers then told machines they controlled to access a number of non-existent pages at sites that were pointing to the Internet address my hosting provider has assigned to ( This forced several hundred or thousand machines to direct their traffic at my site, all in an attempt to prevent legitimate visitors from visiting it.
- Collapse -
Microsoft confirms Russian pill-pusher attack on its network

Microsoft has confirmed that two devices on its corporate network were compromised to help a notorious gang of Russian criminals push Viagra, Human Growth Hormone, and other knockoff pharmaceuticals.

The admission came in response to an article The Register published on Tuesday. It reported that two internet addresses belonging to Microsoft were helping to route traffic to more than 1,000 websites that belong to a fraudulent online pharmacy known as the Canadian Health&Care Mall. Microsoft on Wednesday said an investigation of that report confirmed the hijacking was the result of an attack on machines connected to its network.

"We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error," the five-sentence statement said. "Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are internet accessible are configured with proper security controls."

According to network security researcher Ronald F. Guilmette, the Microsoft IP addresses had been used to host the websites' authoritative name servers since at least September 22. El Reg ran the data he supplied by experts in DNS and botnet take-downs, and most said it likely indicated that one or more machines on Microsoft's network had been infected with malware.

Also see:;msg5007302

- Collapse -
Microsoft's Bing to slurp Facebook users' data and likes

Microsoft and Facebook are partnering on Bing, folding in information from 500 million Facebookers into Microsoft's search engine - but claiming they'll respect your privacy.

The companies rolled out a feature Wednesday that will search through your Facebook contacts' Likes and fire recommendations into Bing trawled from your peeps' Facebook posts to supplement Bing searches.

Also, Bing will slurp your friends' profiles to help Bing users when they're searching for specific individuals - contacts, long-lost school friends - or just Binging around on a wet Friday afternoon waiting for the clock to run down. Returns in both cases are pulled into the Bing results page using a Facebook module for Bing.

The features are live now, with deeper integration planned. Microsoft and Facebook want to bring in your friends across different pages in the "near term". The ability to supplement Bing with returns from Facebook users considered domain experts is "further out".

Microsoft called this the initial step in harnessing the "tremendous potential" of social networks and the Facebook platform, "taking today's search experience to the next level."

- Collapse -
ZeuS Busts Bring Botnet Beatdown?

Authorities in the United States, United Kingdom and Ukraine launched a series of law enforcement sweeps beginning late last month against some of the world's most notorious gangs running botnets powered by ZeuS, a powerful password-stealing Trojan horse program. ZeuS botnet activity worldwide took a major hit almost immediately thereafter, but it appears to be already on the rebound, according to one prominent ZeuS-watching site. [Screenshot: Zeus Tracker]

Statistics collected by the Web site Zeus Tracker indicate that while ZeuS botnet activity was already on the wane in the weeks leading up to the end of last month, that activity positively tanked following the recent busts, dipping to its lowest level since the Troyak takedowns earlier this year. For instance, prior to the arrests that began on Sept 29, Zeus Tracker was tracking more than 90 active Zeus control domains. By Oct. 3, that number had fallen to just 20.

- Collapse -
Is Facebook's one-time password system safe?

Facebook announced a new feature yesterday, which claims to give you another way to keep your social networking account secure.

A one-time password is said by Facebook to:

".. make it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Facebook explains that by sending an SMS text message of "otp" (one-time password, y'see?) to 32665 on your mobile phone, you'll be sent a temporary password to your account that will expire after 20 minutes. Of course, you'll need to have registered a mobile phone number with your account.

That means that even if malware manages to grab your password as you type it in, it will only be valid for a short period of time.

The service isn't yet rolled out to everybody (and it's unclear to me whether it will work outside of the United States), but I have some concerns.

1. How often have you mislaid your mobile phone? If you're anything like me, quite often I'll wager. If someone else is able to gain access to your phone (and you haven't locked it with a password to prevent SMS texts being sent) then that's an open door for mischief-makers to access your Facebook account. Of course, they would still need to know your email address - but if you leave your cellphone unattended in the workplace or at a social gathering then that shouldn't be too difficult for an unwanted intruder to determine.

Continued @ Graham Cluley's Blog

Prior (Related) Post : Facebook introduces one-time passwords

- Collapse -
USA, your poorly protected PCs are polluting the world with

Latest estimates reported in the press suggest that more than 2.2 million PCs based in the USA were hijacked by cybercriminals in the first half of 2010, and used as part of a botnet.

And what's one of the principal reasons why cybercriminals compromise innocent users' PCs? To send spam without their knowledge.

It's still a surprise to many people who don't work in the field of computer security, but the vast majority of the spam you receive in your inbox is not sent from the spammers' own computers but relayed through infected PCs belonging to regular members of the public.

The top twelve spam relaying countries for July - September 2010

1. USA 18.6%
2. India 7.6%
3. Brazil 5.7%
4. France 5.4%
5. UK 5.0%
6. Germany 3.4%
7= Russia 3.0%
7= S Korea 3.0%
9. Vietnam 2.9%
10. Italy 2.8%
11. Romania 2.3%
12. Spain 1.8%
Other 38.5%

Top spam-relaying continents, July - September 2010

1. Europe 33.1%
2. Asia 30.0%
3. N America 22.3%
4. S America 11.5%
5. Africa 2.3%
Other 0.8%

You should never even be tempted to open a spam message out of curiosity, as it can only take a second to effectively hand over control of your computer to the spammers. If your computer does become part of a botnet, you're also inviting further malware infections, which may compromise your personal or banking details.
- Collapse -
For Marketing, Twitter Crushes Facebook

Facebook makes up 78 percent of traffic among all social network sites and micro-blogging site Twitter accounts for 5 percent, but on average "tweets" with embedded links get 19 clicks while Facebook's shared links only get three clicks, according to a study by SocialTwist.

The marketing firm, which offers viral social media marketing campaigns, analyzed more than a million shared links through its Tell-a-Friend widget that lets people share information on Websites. SocialTwist measured success by a clickthrough rate, a term for the number of clicks on a link that takes a user to a specific destination.

The survey yielded other surprises, such as that MySpace still has 15 percent of social media market share.

If you're using Twitter or Facebook to reach out to customers, here's what each service has going for and against it.

Twitter Pros:

165 million registered users
New Twitter Layout is Better
It's for the Social-Media Savvy
Third-Party Applications

Twitter Cons:

It's a Cocktail Party
Security Issues

Facebook Pros:

600 million users

Facebook Cons:

General Audience of All Backgrounds
The Clicks Aren't There.
More Like a Dorm Than a Cocktail Party

Which to Use?

None of the above.

- Collapse -
Mining events for profit

The rescue of the 33 miners from the Chilean mine was an epic, record-setting event followed on TV, print, and internet by one of the largest audiences ever.

Not all of those watching were benevolent.

As interest peaked during the October 13 rescue, some of the search terms were hijacked. These were used to redirect internet surfers - particularly those without an effective antivirus program - to bogus sites and infect their computers with malware.

Some of the more than 35 infected terms included: Miners Rescue, Chilean Mine Rescue, and Rescate De Los Mineros

The cybercriminals' interest in the miners was statistical, not emotional. With millions of people looking for information on their fate, cybercriminals had a higher statistical chance that some of them would click on an infected link. "If the search term is visible on Google Trends, it will be infected," wrote Jindrich Kubec, avast! Virus Lab director of virus research, in a midnight message to me.

Wherever people are gathering, there is a higher chance of encountering criminals on the hunt. The same principle is at work for malware and for pickpockets as they work over crowds of shoppers. The only difference is that one has a high-tech approach and the other has a direct, hands-on methodology as they reach for your wallet.

- Collapse -
Short time website blocking

For a short time this morning (between 7:00 am and 8:45 am MEST), some domains slipped through into our WebGuard filtering system which caused some users to not be able to visit some regular web sites. In such a case, either update Avira AntiVir manually or just wait for the automatic update to take place, the issue is already fixed.

The problem occurred due to a special combination of new techniques used within spam which has only recently been seen. We are taking precautions so this can't happen again.

Our sincere apologies for those who were affected!

- Collapse -
Facebook leaked users' real names with advertisers, suit says

"Tell-tale referrer headers violated privacy policy"

Two California men have filed a federal lawsuit accusing Facebook of sharing their real names and other sensitive information with advertisers in violation of the social network's own privacy policy.

The personally identifiable information was relayed in referrer headers that were sent over three months to advertisers when users clicked on banner ads, according to an amended complaint filed this week in US District Court in San Jose, California. The header, which is included in URLs that lead to an advertising webpage, shows the Facebook address the user was browsing when he encountered the ad. The information is designed to help advertisers serve content that's geared to his age, location and interests.

Following a site overhaul in February, Facebook began embedding data in the headers that included ever more user information, including in many cases the user's Facebook username, according to the complaint.

- Collapse -
A quarter of WiFi networks unsecured, finds survey

Years after WiFi security was supposed to have gone 'critical', a quarter of access points in the UK remain open and unsecured, a new 'wardriving' survey has discovered.

Worse, large numbers of people will happily log on to an open 'rogue' access point in city centres, no questions asked, opening themselves to the risk of serious data theft.

This first disturbing aspect of the ethical hacking survey on behalf of financial firm CPP was its size, taking in nearly 40,000 access points in London, Edinburgh, Birmingham, Cardiff, Manchester and Bristol. The claim that WiFi security is a problem is no mere statistical spin.

In London, 4,746 out of 14,908 surveyed were open, in Birmingham it was 910 out of 3,753, and in Manchester, 870 out of 2,894. Assuming the access points weren't left open for a reason, such as public use, encryption still has some way to go in the UK.

- Collapse -
Canon copiers to tell tales

Canon has announced version 5 of its uniFLOW central document management system, which can reportedly prevent the copying, faxing or printing of a document that contains certain keywords. Canon say that, if required, the system can even notify a system administrator and provide a copy of the suspicious document.

This feature is intended to help prevent proprietary data from leaking or being duplicated without permission. The blocking mechanism is based on an "Optical Character Recognition" (OCR) technology from the Belgian company, Iris, which analyses documents on UniFlow servers. How exactly this is to function on a photocopier remains an open question.

- Collapse -
RIM Patches Another PDF-Related Flaw in BlackBerry (BES)
...BlackBerry Enterprise Server

"A vulnerability could have allowed hackers to access BES infrastructure and cause DoS attacks"

Research In Motion yesterday released an "interim security update" for BlackBerry Enterprise Server (BES) 5.0 Service Pack 2 (SP2) for Microsoft Exchange and IBM Lotus Domino due to a vulnerability that could have potentially allowed a hacker or other malicious person access to organisations' BES infrastructure. That flaw could have also been used to execute Denial of Service (DoS) attacks, according to the BlackBerry-maker. And it affects not just the full version of BES, but the free BES Express, as well.

And the BES security flaw is currently ranked 7.6, or "high severity," on a Common Vulnerability Scoring System (CVSS) scale of 0 to 10, with 10 representing the most critical flaws.

"The vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on."

See Vulnerabilities & Fixes :
BlackBerry Enterprise Server PDF Distiller Unspecified
BlackBerry Professional Software PDF Distiller Unspecified Vulnerability
