News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
September 02, 2014, 20:34:34
Pages: [1] 2 3 ... 10
 1 
 on: Today at 10:25:54 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Credit Card breach at Home Depot ...
- http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
Sep 2, 2014 - "Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity. Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating. “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said... There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market:
A massive new batch of cards labeled “American Sanctions” and “European Sanctions” went on sale Tuesday, Sept. 2, 2014
> http://krebsonsecurity.com/wp-content/uploads/2014/09/americansanctions.png
... this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.” It is not clear at this time how many stores may be impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico. This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.
Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period."

- http://www.bloomberg.com/news/print/2014-09-02/home-depot-shares-drop-after-retailer-investigates-data-breach.html
Sep 2, 2014


 2 
 on: Today at 07:10:52 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Firefox 32.0 released

From an admin. account, start Firefox, then >Help >About >Check for Updates ...
-or-
Download: https://www.mozilla.com/firefox/all.html

Security Advisories for 32.0:
- https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox32
Fixed in Firefox 32
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-71 Profile directory file access through file: protocol
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

Release notes
- https://www.mozilla.org/en-US/firefox/32.0/releasenotes/
Sep 2, 2014

... complete list of changes in this release... 3198 bugs found.


 3 
 on: Today at 04:40:30 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Opera 24 released
- http://www.opera.com/docs/changelogs/unified/2400/
2014-09-02 - "... updates to the latest Chromium/Blink release, version 37...
Improvements since Opera 23:
- Stability enhancements.
- Enhanced support for Chromium extensions.
- Fixes and enhancements for how Opera handles HiDPI on Windows."


 4 
 on: Today at 03:03:53 
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Something evil on 95.163.121.188 (Sweet Orange EK)
- http://blog.dynamoo.com/2014/09/something-evil-on-95163121188-sweet.html
2 Sep 2014 - "95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip*). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before**...
(Long list of domains at the URL above.)
... The domains appear to be legitimate ones that have been hijacked in some way.
95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had -half- of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you -block- either the /19 or /18..."
* http://www.malware-traffic-analysis.net/2014/08/29/index.html

** http://blog.dynamoo.com/search/label/DINETHOSTING

> https://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack
"... automated iframe obfuscating services for use in web injections. The iframes are -injected- into high-traffic-volume websites and force the users of the websites to visit end points that serve exploits carrying malware..."
___

Fake 'Bonus' SPAM/SCAM ...
- http://myonlinesecurity.co.uk/automated-draw/
2 Sep 2014 - "email received that tells you that you have won £1000 in an automated draw and haven’t claimed it yet:

Attempting to contact <REDACTED>
    This is automated draw #23851
    Our system shows you have been awarded with £1000!
    According to our records, voucher wasn’t collected yet
    Please be informed that your voucher is still valid. You may claim your wininngs and use them without making any deposit.
    Confirm your email here to claim your £1000 voucher.
    Have fun !
    Lindsey Lane
    CRM Manager..
    * This offer is available to new players only.
    You have received this email because you have requested more information from BonusNews...


Clicking the button that says claim your reward (or any other of the buttons) gives you a file to run on your computer that installs some casino software that is detected by several anti-malware programs as unwanted*..."
* https://www.virustotal.com/en/file/a615d125ab7423f6c89e5074ed42e568a898f3beab6c3c3c174f417c54529f89/analysis/
___

Hackers behind biggest-ever Password Theft begin Attacks
- http://it.slashdot.org/story/14/09/01/2213202/hackers-behind-biggest-ever-password-theft-begin-attacks
1 Sep 2014 - "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports* the hackers have begun using the list to try and access accounts. 'Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through -fake- browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts'. They report that most login attempts are failing, but some are succeeding. -Now- is a good time to check that none of your important accounts share passwords."
* http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/

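The Namecheap report quoted above describes the signal a defender actually sees during a credential-list replay: an unusual load on the login endpoint made up of many different usernames tried from the same source in a short time, most of them failing, with a few succeeding. As an added example (not Namecheap's code; the log lines are constructed for it and the format `time ip username OK|FAIL` is an assumption), here is a Python check that flags that pattern and lists the accounts that did log in from a flagged source, which are the ones to force a password reset on:

```python
"""Flag credential-stuffing bursts in simple authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Namecheap data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2014-09-01T02:00:01Z 198.51.100.7 alice FAIL
2014-09-01T02:00:01Z 198.51.100.7 bob FAIL
2014-09-01T02:00:02Z 198.51.100.7 carol FAIL
2014-09-01T02:00:02Z 198.51.100.7 dave OK
2014-09-01T02:00:03Z 198.51.100.7 erin FAIL
2014-09-01T02:00:03Z 198.51.100.7 frank FAIL
2014-09-01T02:00:04Z 198.51.100.7 grace FAIL
2014-09-01T02:00:04Z 198.51.100.7 heidi FAIL
2014-09-01T02:00:05Z 203.0.113.9 alice FAIL
2014-09-01T02:00:09Z 203.0.113.9 alice OK
2014-09-01T02:01:00Z 192.0.2.44 ivan OK
"""


def parse_line(line):
    """Split one assumed-format log line into (datetime, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_stuffing_sources(log_text, window=timedelta(seconds=60),
                          min_users=5, max_ok_ratio=0.2):
    """Return {ip: summary} for sources that try many distinct usernames with
    mostly failures inside one time window.

    A legitimate user mistyping a password keeps hitting one username; a
    credential list replayed through fake browser software hits many, and
    the success ratio is tiny because most leaked passwords are stale.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            events[ip].append((ts, user, outcome))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            ok_users = [u for _, u, o in span if o == "OK"]
            if len(users) >= min_users and len(ok_users) / len(span) <= max_ok_ratio:
                cand = {"distinct_users": len(users), "attempts": len(span),
                        "successes": len(ok_users),
                        "compromised": sorted(set(ok_users))}
                # Keep the widest qualifying window for this source.
                if best is None or cand["attempts"] > best["attempts"]:
                    best = cand
        if best is not None:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds (`min_users`, `max_ok_ratio`, `window`) are knobs to tune against your own baseline; the point of the check is the ratio of distinct usernames to successes per source, which a password-guessing user never produces. Successful logins from a flagged source are the accounts whose passwords were in the leaked list.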

 5 
 on: September 01, 2014, 02:02:24  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Tesco Phish ...
- http://myonlinesecurity.co.uk/tesco-payback-rewards-phishing/
1 Sep 2014 - "... email arrives saying 'Tesco Payback Rewards'... email arrives apparently from Tesco saying 'Tesco Payback Rewards' that offers you £150 for filling in a Tesco customer satisfaction survey... it is a -scam- and is a phishing -fraud- designed to steal your bank and credit card details. The email says something like this:
    Tesco Customer Satisfaction program selected you to take part in our quick survey.
    To earn your 150 £ reward, please click here and complete the form.


Screenshots:
- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards1.png

- http://myonlinesecurity.co.uk/wp-content/uploads/2014/09/tesco_payback-_rewards2.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them... careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
___

Fake Statement SPAM - PDF malware
- http://myonlinesecurity.co.uk/statement-01092014-fake-pdf-malware/
1 Sep 2014 - "'Statement as at 01/09/2014' pretending to come from Cathy Rossi < C.Rossi@ tcreidelectrical .co.uk > is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... emails are not being sent from tcreidelectrical .co.uk or T C REID (ELECTRICAL) LTD, As far as we can determine they have not been hacked or their website or email system compromised... Email reads:

   Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

1 September 2014 : D0110109.PDF.zip ( 274kb): Extracts to D0110109.PDF.exe
Current Virus total detections: 2/55* . This Statement as at 01/09/2014 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7/analysis/1409570924/
___

O/S Market Share - August 2014 ...
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
Browser Market Share
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
9/1/2014
___

China gives MS 20 days to provide explanation in anti-trust probe
- http://www.reuters.com/article/2014/09/01/us-china-antitrust-microsoft-idUSKBN0GW1FD20140901
Sep 1, 2014 - "A Chinese anti-trust regulator said on Monday it has given Microsoft 20 days to reply to queries on the compatibility of its Windows operating system and Office software suite amid a probe into the world's largest software company. The State Administration for Industry and Commerce (SAIC) questioned Microsoft Vice President David Chen and gave the company a deadline to make an explanation... Microsoft is one of at least 30 foreign companies that have come under scrutiny by China's anti-monopoly regulators as the government seeks to enforce its six-year old antitrust law. Critics say the law is being used to unfairly target overseas businesses, a charge the regulators deny. According to a state media report on Monday, Microsoft's use of verification codes also spurred complaints from Chinese companies. Their use "may have violated China's anti-monopoly law", the official Xinhua news agency said on Monday. Verification codes are typically used by software companies as an anti-piracy mechanism. They are provided with legitimate copies of software and can be entered to entitle customers to updates and support from the manufacturer. Microsoft has long suffered from piracy of its software within China. Former Chief Executive Steve Ballmer told employees in Beijing that the company made less revenue in China than it did in the Netherlands... SAIC also repeated that it suspected the company has not fully disclosed issues relating to the compatibility of the software and the operating system... Last month, a delegation from chipmaker Qualcomm, led by company President Derek Aberle, met officials at the National Development and Reform Commission (NDRC) as part of that regulator's investigation of the San Diego-based firm. NDRC said earlier this year that the U.S. chipmaker is suspected of overcharging and abusing its market position in wireless communication standards. 
Microsoft's Nadella is expected to make his first visit to China as chief executive later this month."

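The two attachment items above, and the 'my new photo' item further down the page, all rely on the same trick: an executable inside a .zip named so that it passes for a document (D0110109.PDF.exe, photo.exe) once Windows hides known extensions. The advice in the posts is to look at the unzipped name yourself; the same check can be done on the archive before anything is extracted. Added example in Python, not code from myonlinesecurity.co.uk: it opens an archive, classifies each member by its final extension, and singles out the double-extension case. The sample archive is built inside the block with inert placeholder contents, not the real attachments.

```python
"""Flag archive members whose name hides an executable behind a document-looking extension."""
import io
import zipfile

# Extensions Windows will execute directly when the file is opened.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl"}
# Extensions a user expects to see on a harmless attachment.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                 "txt", "rtf"}


def classify_name(name):
    """Return (verdict, reason) for one member file name.

    verdict is 'ok', 'executable' or 'spoofed'; 'spoofed' means a document
    extension sits directly before an executable one, e.g. D0110109.PDF.exe,
    which shows as D0110109.PDF when known extensions are hidden.
    """
    base = name.rsplit("/", 1)[-1]          # ignore any directory inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2:
        return "ok", "no extension"
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "ok", f"final extension .{final} is not executable"
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "spoofed", f"looks like .{parts[-2]} but is .{final}"
    return "executable", f"executable .{final} inside archive"


def scan_zip_bytes(data):
    """Map every member name of an in-memory zip to its classification."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_name(info.filename) for info in zf.infolist()}


def build_sample_zip():
    """Constructed sample archive mimicking the spam runs; contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("D0110109.PDF.exe", "placeholder, not a real executable")
        zf.writestr("photo.exe", "placeholder, not a real executable")
        zf.writestr("statement.pdf", "%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, (verdict, reason) in scan_zip_bytes(build_sample_zip()).items():
        print(f"{verdict:10s} {member}: {reason}")
```

A mail gateway or a user's own triage script can apply the same classification to every archive attachment; anything that comes back `spoofed` or `executable` from an unsolicited statement or photo email is exactly what the posts warn about.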

 6 
 on: August 31, 2014, 02:48:55  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

MDB updates - 8/26, 8/30
- http://www.malwaredomains.com/?p=3647
August 30th, 2014
8/26 – 383 domains
8/30 – 239 domains (including backoff domains)


 7 
 on: August 29, 2014, 02:41:22  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake 'new photo' SPAM - malware
- http://myonlinesecurity.co.uk/new-photo-malware/
29 Aug 2014 - "'my new photo' pretending to come from Yulia <random name@ madmimi .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... These all have the same subject of 'my new photo' and come from somebody called 'yulia' and today all pretend to come from same domain madmimi .com... Email reads:

    my new photo  ..
    if you like my photo to send me u photo


29 August 2014: photo.zip ( 23kb): Extracts to photo.exe
Current Virus total detections: 2/55* ... more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions enabled“, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."
* https://www.virustotal.com/en/file/e4c328815cc2840b53514e7bdcc43c83b29c0ae4676c755b4ee9587aa8c37db9/analysis/1409297373/
___

Netflix PHISH ...
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-netflix-site-wants-to-leave-you-high-and-dry/
Aug 29, 2014 - "... This type of -scam- is called phishing and typically starts with an urgent-looking message in your inbox. Upon following the directions (typically clicking on a link), you’re taken to a page that looks like an exact -replica- of the genuine company. Eric Lawrence, creator of the famous Fiddler web debugger, spotted a phishing attack targeting Netflix customers... This new one is more sophisticated (better graphics, etc) although it does -not- have the tech support scam element but instead goes after your identity and wallet.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/phish1.png?w=564
The -bogus- domain netflix-ssl .net (IP address: 176.74.28.254) was registered a few days ago through the “Crazy Domains FZ-LLC” registrar... The information requested on the phishing page includes name, address and credit card details. It’s sent back to the bad guys’ server with multiple POST requests... Note the clever use of a long URL that resembles the genuine one and that may be particularly effective on mobile devices:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/iphone5.png
We are reporting this site to the registrar and hosting company so that it can be taken down as soon as possible. Phishing scams are always getting more elaborate and unfortunately very hard to block because they keep popping up on new domains, registrars etc. truly making this a cat and mouse game between crooks and the security community. While many web browsers (Internet Explorer, Google Chrome, Mozilla Firefox) do have anti-phishing technology that blocks access to fraudulent sites, there often is a bit of a lag between the time a new site comes up and when it gets blacklisted. The best defence against these scams is awareness and suspicion from any email purporting to be from a company you deal with. There are some telltale signs to recognize phishing attacks such as poor grammar, spelling mistakes or obviously unrelated URLs as well as a general ‘urgency’ in the tone of the message."

176.74.28.254: https://www.virustotal.com/en/ip-address/176.74.28.254/information/

netflix-ssl .net / 92.222.121.100: https://www.virustotal.com/en/ip-address/92.222.121.100/information/
8.31.2014 9:02AM EDT
___

Internet Disconnection SCAM calls
- http://www.hoax-slayer.com/telstra-tech-support-scam-calls.shtml
Aug 29, 2014 - "Callers claiming to be from the technical department of Internet Service Providers (ISPs) such as Telstra warn that your Internet service is about to be disconnected because hackers have accessed your computer or it has been infected with viruses... The calls are -not- from your ISP... The best way to deal with these scammers is to simply hang up on their bogus calls... if you are unsure, terminate the call and contact the service provider directly. DO NOT use a phone number supplied by the scammers... find a phone number for the provider via a legitimate source such as a phone directory or bill. In some cases, if you are doubtful of their claims, the scammers may provide a 'technical support' phone number supposedly belonging to your ISP. But, when you call the number, you will simply be reconnected to the same scammer... service providers such as Telstra may contact you from time to time to review your service options or discuss a problem with your account, they will -never- demand an immediate -fee- over the phone to rid your computer of hackers or viruses. Nor will they ask you to download software that gives them access to your computer. Any caller that makes such a request should -not- be trusted..."
___

Fake Refund email targets UK taxpayers
- https://blog.malwarebytes.org/fraud-scam/2014/08/fraudulent-refund-mail-targets-uk-taxpayers/
Aug 29, 2014 - "Taxpayers in the UK should be wary of emails claiming they’re owed a tax refund to the tune of 100.60 GBP... The mail reads:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax1.jpg
Clicking the Ow.ly link in the email sends potential victims to a .zip download hosted on what appears to be a -compromised- German bicycle shop website. Inside is a .html file containing a -fake- refund form. As a sidenote, it’s a little unusual to see scammers making use of Ow.ly shortening links for a HMRC phishing scam. The -fake- refund form asks for name, DOB, address, postcode, account number, full card details …all the usual bits and pieces of information required to -swipe- the payment information.
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/faketax2.jpg
... the refund amount pre-filled on the form is 100.65 GBP. I’m not sure where the extra five pence comes from, though given that this is all a massive work of fiction anyway I don’t think it matters besides helping to tip off recipients that this isn’t a real refund. Feel free to report these missives to HMRC directly*, and remember: HMRC will -never- ask for payment information or notify taxpayers of refunds by email."
* http://www.hmrc.gov.uk/security/reporting.htm
___

New BlackPOS Malware emerges in-the-Wild - targets Retail Accounts
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/
Aug 29, 2014 - "... a brand new BlackPOS (point-of-sale) malware detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was -leaked- enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is it disguises itself as an installed service of known AV vendor software to avoid being detected and consequently, deleted in the infected PoS systems... The malware can be run with options: -[start|stop|install|uninstall]. The –install option installs the malware with service name =<AV_Company> Framework Management Instrumentation, and the –uninstall option deletes the said service. The RAM scraping routine begins as a thread when the installed service starts. It may only start its main routine if it has successfully been registered as a service. Apart from masquerading itself as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses CreateToolhelp32Snapshot API call to list and iterate all running processes. BlackPOS variants typically use the EnumProcesses API call to list and iterate over the processes. It drops and opens a component t.bat after it has read and matched the track data. This track data is where the information necessary to carry out card transactions is located; on the card this is stored either on the magnetic stripe or embedded chip. The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retail store, Target last December 2013... we recommend enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities existing in systems and applications as this may be used to infiltrate the network. In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks. 
IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine if their network has been compromised already by this new BlackPOS malware..."
(More detail at the trendmicro URL above.)
> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf
___

Microsoft boots 1,500 apps from its Windows Store
- http://www.theinquirer.net/inquirer/news/2362576/microsoft-boots-1-500-apps-from-its-windows-store
Aug 29, 2014 - "... Microsoft GM of Windows Apps and Store Todd Brix said in a blog post*, "As Windows Store expands to reach more customers in more markets with a growing list of great titles, we are continuously looking for ways to improve both customer experience and developer opportunity. We strive to give our worldwide customer base easy access to amazing app experiences while keeping developer friction to a minimum. From time to time this process slips out of sync and we need to recalibrate". Brix admitted that Microsoft found that some customers weren't satisfied with the Windows Store and some of the apps they found there, but he described the problem as involving merely misleading app descriptions... After relating how Microsoft tackled identifying apps having "confusing or misleading titles", Brix said, "Most of the developers behind apps that are found to violate our policies have good intentions and agree to make the necessary changes when notified. Others have been less receptive, causing us to remove more than 1,500 apps as part of this review so far....", not forgetting to reassure customers that "as always we will gladly refund the cost of an app that is downloaded as a result of an erroneous title or description".
* http://blogs.windows.com/buildingapps/2014/08/27/how-were-addressing-misleading-apps-in-windows-store/

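The BlackPOS write-up above says the scraper reads process memory, matches track data, and writes it out to a file named McTrayErrorLogging.dll. One check an incident responder can run on such a file, or on any unexpected file that a PoS host starts producing, is to scan it for Track 1 / Track 2 formatted data and confirm that the card numbers pass the Luhn check, so that arbitrary digit runs are not reported. Added example in Python, not Trend Micro's code: the regular expressions follow the ISO/IEC 7813 track layouts, the sample blob uses the well-known test PAN 4111 1111 1111 1111 rather than real card data, and the scanner masks PANs in its own output so the report is not a fresh copy of cardholder data.

```python
"""Scan a file's bytes for magnetic-stripe track data of the kind a RAM scraper writes out."""
import re

# Track 2: PAN (13-19 digits) '=' expiry YYMM, 3-digit service code, discretionary data, optional '?'.
TRACK2_RE = re.compile(rb"(?<![0-9])(\d{13,19})=(\d{4})(\d{3})[0-9]*\??")
# Track 1 format B: '%B' PAN '^' name '^' expiry YYMM, service code, discretionary data, optional '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\??")


def luhn_ok(digits):
    """Standard Luhn mod-10 check; rejects most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN and last four, star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob):
    """Return a list of {'track', 'pan', 'offset'} findings with masked PANs."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(blob):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append({"track": track, "pan": mask(pan), "offset": m.start()})
    return findings


def scan_file(path):
    """Convenience wrapper for a file on disk, e.g. a suspect McTrayErrorLogging.dll."""
    with open(path, "rb") as fh:
        return find_track_data(fh.read())


# Constructed sample: the test PAN in both track formats, plus a digit run with a
# '=' that looks like Track 2 but fails Luhn and must not be reported.
SAMPLE_BLOB = (b"noise 1234567890123=1234567 noise "
               b"%B4111111111111111^DOE/JANE^25121011234567?"
               b" log line ; 4111111111111111=25121011234567890? end")


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_BLOB):
        print(f)
```

Run `scan_file()` over files that the PoS application is not expected to write, or over files whose modification time clusters around suspicious service installs; a hit means card data is being staged on the host, which is the point at which the write-up's "check when a system component has been modified" advice turns into an incident.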

 8 
 on: August 28, 2014, 16:12:33  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

The ‘Unknown’ Exploit Kit ...
- https://blog.malwarebytes.org/exploits-2/2014/08/shining-some-light-on-the-unknown-exploit-kit/
Aug 28, 2014 - "... Unless you have tracked the drive-by / exploit kit scene from day one or been able to map it out down to the tiniest details, this is not something easy... A couple of weeks ago, we observed a new traffic pattern (new to us) that first caught our attention for a couple of reasons:
- The payload’s size did not match that of any URL from the capture
- The URL patterns were new
... This exploit kit targets two different pieces of software: Microsoft Silverlight and Adobe Flash. However, unlike some other exploit kits it will only push one exploit per load giving preference to Silverlight first and then Flash.
Attack paths:
Silverlight only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_only.png
Flash only:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Flash_only.png
Silverlight and Flash:
> https://blog.malwarebytes.org/wp-content/uploads/2014/08/Silverlight_and_Flash.png
All three successful paths lead to either a:
- Silverlight exploit
- Flash exploit
... Conclusions:
The payload appears to be a -browser- hijack whose goal is to illegally gain advertising revenue from infected computers. What is perhaps more puzzling is the fact that this exploit kit has been around for so long and yet has been so quiet, not to mention the fact that reproducing an infection even with the proper referers is rather difficult (IP blacklisting, geolocation, etc). Another big question remains: Why would the author(s) bother with such advanced fingerprinting and evasion techniques, something we don’t normally see in typical malware... this bit of research has brought up more questions than when we started. That is not unusual though, and at least some dots have been connected."
(More detail at the malwarebytes URL at the top.)


 9 
 on: August 28, 2014, 15:36:45  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.6.0 released
- http://php.net/
28 Aug 2014 - "... immediate availability of PHP 5.6.0. This new version comes with new features, some backward incompatible changes and many improvements..."

Migrating from PHP 5.5.x to PHP 5.6.x
- http://php.net/migration56

Change Log
- http://php.net/ChangeLog-5.php#5.6.0

Download
- http://php.net/downloads.php

- http://windows.php.net/download/


 10 
 on: August 28, 2014, 08:27:18  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Apache HttpComponents client updated
- https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
18 Aug 2014 - "Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used.
Background: During an SSL connection (https) the client verifies the hostname in the URL against the hostname as encoded in the servers certificate (CN, subjectAlt fields). This is to ensure that the client connects to the 'real' server, as opposed to something in middle (man in the middle) that may compromise end to end confidentiality and integrity..."

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577 - 5.8
Last revised: 08/21/2014

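The advisory quoted above describes the check that went wrong in HttpComponents: the client compares the hostname from the URL against the names in the server certificate's subjectAltName and CN fields. The following is an added example of that check written strictly, in Python rather than the Java HttpClient code the advisory concerns; it is not Apache's code and does not reproduce the particular crafted-certificate condition. It assumes certificates shaped like the dicts Python's `ssl.SSLSocket.getpeercert()` returns, prefers DNS SANs and falls back to the CN only when no DNS SAN exists, and compares label by label so that a name that merely contains the target hostname cannot match.

```python
"""Strict TLS hostname verification against SAN dNSName entries, with CN as fallback only."""
import ipaddress


def _match_label_pattern(pattern, hostname):
    """Case-insensitive, label-by-label comparison; a wildcard is allowed only
    as the entire left-most label and must leave at least two labels on the right."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def _subject_cn(cert):
    """Pull commonName out of the getpeercert()-style nested subject tuple."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def verify_hostname(cert, hostname):
    """Return True only if `hostname` is covered by the certificate.

    Order of precedence: IP literal -> 'IP Address' SANs; otherwise DNS SANs
    if any exist (CN is then ignored, as browsers do); otherwise the CN.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_match_label_pattern(n, hostname) for n in dns_names)
    cn = _subject_cn(cert)
    return cn is not None and _match_label_pattern(cn, hostname)


# Constructed certificates (plain dicts, not real X.509 objects) for the checks below.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
LEGACY_CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}
# A CN that merely contains the target name: substring or loose regex matching
# would accept it, label matching does not.
CRAFTED_CN_CERT = {"subject": ((("commonName", "attacker.example.net www.example.com"),),)}


if __name__ == "__main__":
    for name in ("www.example.com", "v1.api.example.com", "a.b.api.example.com", "example.com"):
        print(name, verify_hostname(GOOD_CERT, name))
    print("crafted CN", verify_hostname(CRAFTED_CN_CERT, "www.example.com"))
```

The two properties worth carrying into any client library are visible in the code: the presence of DNS SANs switches the CN off entirely, and a wildcard only ever stands in for one label. Either shortcut (falling back to CN when SANs are present, or matching by substring) is what lets a certificate issued for one name be accepted for another.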

Powered by SMF 1.1.19 | SMF © 2013, Simple Machines