NEWS - September 18, 2012

Dump Internet Explorer until Microsoft issues patch, security experts warn

If you use Internet Explorer 6, 7, 8 or 9 as your default browser on a Windows PC, security experts are advising you to use a different Web browser until Microsoft patches a critical vulnerability in IE. Microsoft on Monday confirmed that hackers were actively exploiting an IE vulnerability that could allow an attacker to take over your PC. The exploit does not affect users running IE10 on the Windows 8 Release Preview.

So far, Microsoft says it has received reports of "a small number of targeted attacks" using this exploit. The software maker is working on a security patch for the problem, but the company has not yet said whether it will issue a security update as soon as possible or as part of its monthly "patch Tuesday" update cycle. The next "patch Tuesday" would be October 9.

The exploit was made public on security firm Rapid7's Metasploit Project and first discovered in the wild by security researcher Eric Romang. Metasploit is advising users to dump IE until Microsoft issues a security update. The new IE security flaw was developed by the same group that created the recent Java zero day flaw, according to Metasploit.

Continued :

Microsoft Recommends Workarounds to Mitigate Latest IE Zero-Day; Patch Still to Come
Microsoft and Germany's BSI warn against using IE
Critical zero-day bug in Internet Explorer under active attack
Microsoft confirms hackers exploiting critical IE bug, promises patch

See: Microsoft Releases Security Advisory 2757760
Virgin Mobile Shrugs as Coder Warns Accounts Easily Hijacked

Virgin Mobile U.S. promises its customers that it uses "standard industry practices" to protect its customers' personal data - but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber's account, see who they call and text, register a different phone on the account and even purchase a new iPhone.

That's according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.

Virgin Mobile U.S. account security uses a customer's phone number as the account name, which is very guessable, and then requires a 6-digit PIN as the password — which only provides a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script to guess his own password in a day.

Once an unauthorized user is in, they can read a customer's communication logs, register a different phone to lock the customer out and read their text messages, change their address and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account — without notification to the previous address.

Continued :

Also: Virgin Mobile USA user accounts vulnerable to brute-force attack

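The brute-force arithmetic in the post above, worked through in code. This is an added example and not code from the original post or from Virgin Mobile's site: the account store, the sample phone number and PIN, and the lockout parameters (5 failures, 15-minute lockout that doubles each time) are constructed assumptions for the demonstration. It models the unlimited-guess login the post describes, runs the same sequential guesser against it and against a version with a per-account lockout, and computes how long the attack takes once throttling is in place.

```python
"""Guessing a 6-digit PIN login with and without attempt throttling.

Added example, not code from the original post or from Virgin Mobile.
Account data, PINs and lockout parameters are constructed for the demo.
"""
import time

PIN_LENGTH = 6
KEY_SPACE = 10 ** PIN_LENGTH          # 1,000,000 possible PINs


class UnthrottledLogin:
    """Models the behaviour the post describes: unlimited guesses."""

    def __init__(self, accounts):
        # accounts: {phone_number: pin}. Constructed sample data, kept in the
        # clear only to keep the demo short; a real service stores a hash.
        self._accounts = dict(accounts)
        self.attempts = 0

    def login(self, phone, pin):
        self.attempts += 1
        return self._accounts.get(phone) == pin


class ThrottledLogin(UnthrottledLogin):
    """Same check plus a per-account lockout (assumed parameters): after
    MAX_FAILURES wrong guesses the account refuses attempts for
    LOCKOUT_SECONDS, and the lockout doubles on every later lockout."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, accounts, clock=time.monotonic):
        super().__init__(accounts)
        self._clock = clock            # injectable so tests can fast-forward
        self._failures = {}            # phone -> consecutive failures
        self._locked_until = {}        # phone -> monotonic deadline
        self._lockouts = {}            # phone -> lockouts so far

    def login(self, phone, pin):
        now = self._clock()
        if now < self._locked_until.get(phone, 0.0):
            raise PermissionError("account temporarily locked")
        if super().login(phone, pin):
            self._failures.pop(phone, None)
            self._lockouts.pop(phone, None)
            return True
        fails = self._failures.get(phone, 0) + 1
        self._failures[phone] = fails
        if fails >= self.MAX_FAILURES:
            n = self._lockouts.get(phone, 0)
            self._locked_until[phone] = now + self.LOCKOUT_SECONDS * (2 ** n)
            self._lockouts[phone] = n + 1
            self._failures[phone] = 0
        return False


def brute_force(service, phone):
    """Try every PIN in order, as the post's script did against the
    unthrottled site; return the PIN, or None once the service locks us out."""
    for n in range(KEY_SPACE):
        pin = f"{n:0{PIN_LENGTH}d}"
        try:
            if service.login(phone, pin):
                return pin
        except PermissionError:
            return None
    return None


def expected_days_to_guess(attempts_per_window, window_seconds):
    """Average time to hit a uniformly random PIN when the attacker gets
    attempts_per_window guesses per window_seconds (lockout not doubling)."""
    expected_guesses = KEY_SPACE / 2
    windows = expected_guesses / attempts_per_window
    return windows * window_seconds / 86400


if __name__ == "__main__":
    accounts = {"5555550123": "318204"}   # constructed sample account
    open_site = UnthrottledLogin(accounts)
    print("unthrottled:", brute_force(open_site, "5555550123"),
          "after", open_site.attempts, "attempts")
    locked_site = ThrottledLogin(accounts)
    print("throttled:", brute_force(locked_site, "5555550123"),
          "after", locked_site.attempts, "attempts")
    print(f"expected time at 5 tries per 15 min: "
          f"{expected_days_to_guess(5, 900):.0f} days")
```

Against the unthrottled model the sequential guesser finds the constructed PIN on attempt 318,205; against the throttled model it is stopped after five attempts, and at five guesses per fifteen minutes the average search would take roughly 1,040 days. A per-account lockout on its own lets an attacker who knows the phone number lock the legitimate customer out at will, so in practice it is paired with per-source rate limiting and a notification to the account holder, and a phone number that anyone can look up is still a poor choice of username.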
2 men admit to $10M hacking spree on Subway sandwich shops

"The Romanians admitted their role in ring that compromised some 146,000 cards."

Two Romanian men have admitted to participating in an international conspiracy that hacked into credit-card payment terminals at more than 150 Subway restaurant franchises and stole data for more than 146,000 accounts. The heist, which spanned the years 2009 to 2011, racked up more than $10 million in losses, federal prosecutors said.

Iulian Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit credit card fraud, documents filed on Monday in US District Court in New Hampshire showed. Dolan admitted he helped alleged ring leader Adrian-Tiberiu Oprea scan the Internet for point-of-sale systems. "These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary," Monday's plea agreement, which was signed by the defendant, stated. "Next, once he cracked the password and gained administrative access, Dolan remotely installed software programs called 'keystroke loggers' (or 'sniffers') onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants' POS systems, including customers' payment card data."

Continued :

Two men plead guilty to hacking hundreds of Subway POS computers
Romanians plead guilty to credit card hack on US Subway shops

Grum Botnet Attempts Another Comeback, Fails Again

The Grum botnet, which Dutch authorities and security researchers knocked offline earlier this summer, made a second, unsuccessful attempt at a comeback over the weekend when the bot herders stood up two new command-and-control servers in Turkey. The revival was short-lived however, and both C&Cs now are offline.

Grum at one time was one of the larger spam botnets on the Web, accounting for a huge percentage of worldwide spam during its heyday. As most large, noisy botnets do, Grum attracted the attention of security researchers and law enforcement. In June, authorities in the Netherlands, in a joint operation with security researchers from FireEye, located and disabled four Grum C&C servers being hosted in that country. There were two other C&Cs in use by the botnet at the time, one in Russia and the other in Panama.

Those servers were taken offline a few days after the initial Grum takedown, and all seemed right with the world. However, within a week, the bot herders were able to bring up a new set of C&C servers in Ukraine. Those were quickly taken down, as well, after researchers discussed the issue with the ISP that was providing hosting services. Strike two.

Now, the bot herders have swung and missed a third time, in this instance barely getting the servers up and running before they were yanked offline.

Continued :

Would you open a sexy email sitting in your business inbox?

Imagine you are at work. You are rattling through your email. And in your inbox, sitting quietly, is a message with the word "sexy" in the title...

Do you open it? (probably not, as you wouldn't likely be a reader of Naked Security)

But what about others in your organisation? Do you think they might be tempted?

More than 6100 government workers in Taiwan's New Taipei faced this exact scenario. According to, they each received an email message with the following subject line:

"Justin Lee's sex videos, download it, quick"

For those, like me, who aren't aware, Justin Lee is hailed by many as one of Taiwan's richest playboys.

He has recently been in the press for leaked videos and photos of him engaged in "private" activities with models and celebrities.

A quick search on Google for the phrase "Justin Lee Taiwan" finds a myriad of images: [Screenshot]

Continued :

Bogus "Refund Pending" emails targeting PayPal customers

Fake PayPal notifications about a bogus refund are hitting inboxes around the world, trying to trick users into following the offered link and supposedly logging into their accounts in order to receive it: [Screenshot]

Unfortunately for those who fall for the ruse, the link will take them to a page that looks like PayPal's login page, but is actually a fake one mimicking PayPal's, and all the information submitted into it gets forwarded directly to the phishers behind this scheme, who can then use it to hijack the victim's PayPal account and probably even gain access to other online accounts.

"PayPal is a favorite target of phishers, probably because PayPal does conduct so much of its business via email," points out Hoax-Slayer.

Continued :

Also: Phishing Scam: PayPal Apologizes for Mistake Caused by System Errors
