Culture Jamming

[Multiple Facebook scams]

FYI...

Multiple Facebook scams...
- http://www.theregister.co.uk/2011/05/12/facebook_spam_prevention_scam/
12 May 2011 - "... junk messages on Facebook is been used to bait a new scam doing the rounds on the social network. Prospective marks in receipt of the fraudulent messages are invited to "verify" their account in order to "prevent spam". Recipients who respond to the message by clicking on a link end up sharing it on their wall as well as spreading highly obfuscated JavaScript... A full write-up of the scam, including images of the offending messaging, can be found in a blog post by Sophos here*..."
* http://nakedsecurity.sophos.com/2011/05/12/preventing-spam-scam-on-facebook-does-exactly-the-opposite
May 12, 2011

- http://www.f-secure.com/weblog/archives/00002157.html
May 12, 2011

- http://isc.sans.edu/diary.html?storyid=10870
Last Updated: 2011-05-12 08:38:17 UTC
- http://blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/

   

[Win7/Vista e-mail malware - unicode tricks]

FYI...

Win7/Vista e-mail malware - unicode tricks...
- http://www.theinquirer.net/inquirer/news/2070768/windows-malware-camouflaged-unicode-filename-trickery
May 13 2011 - "... Windows PC users have been warned about malware Trojans that camouflage malicious executable files using a fancy unicode trick*. Unicode is a computing industry standard that provides a unique number for every character you use, no matter what system you are using. With malicious trickery, criminals have worked out how to fiddle with unicode so that some characters in a Windows filename can be reversed. Security firm Norman* found malicious email attachments that appeared on the surface to have filenames with standard alphabetical characters, with unicode-capable viewers seeing nothing out of the ordinary. However, if you look at the file from a command prompt, it shows that the last bit of the filename has actually been reversed, and that this seemingly innocuous emailed file is actually an executable.
Norman tested other filenames, and found that the same unicode trick allowed files to hide the fact that they were executable in the email client Lotus Notes. The firm said that any filename could hide extensions like PDF and EXE using the trick.
The firm said that the issue only affects Windows Vista and Windows 7 users, as Windows XP users have to install support for right-to-left languages in order to be vulnerable..."
* http://norman.com/security_center/security_center_archive/2011/rtlo_unicode_hole

 

[Disaster brings Scams, Fake AV, and Phishing attacks]

FYI...

Disaster brings Scams, Fake AV, and Phishing attacks...
- http://www.us-cert.gov/current/#mississippi_flooding_disaster_email_scams
May 16, 2011 - "Users should be aware of potential email scams, fake antivirus, and phishing attacks regarding the Mississippi flooding disaster. Email scams may contain links or attachments that may direct users to phishing or malicious websites. Fake antivirus attacks may come in the form of pop-ups that flash security warnings and ask the user for credit card information. Phishing emails and websites requesting donations for bogus charitable organizations commonly appear after these types of natural disasters..."

  

[Geek.com hacked with an exploit kit]

FYI...

Geek.com hacked with an exploit kit
- http://research.zscaler.com/2011/05/geekcom-hacked-with-exploit-kit.html
May 15, 2011 - "... The attack vector remains the same, namely injecting a malicious HTML Iframe or script tag into the legitimate pages... the malicious Iframe is injected at the bottom of the page... -redirects- victims to a malicious website hosting an exploit kit. Once you visit, heavily obfuscated JavaScript is returned which will target various known vulnerabilities..."
(Screenshots and more detail available at the URL above.)

- http://www.theregister.co.uk/2011/05/17/geek_dot_com_infected/

 

[Criminals trading in Twitter]

FYI...

Criminals trading in Twitter ...
- http://www.f-secure.com/weblog/archives/00002159.html
May 18, 2011 - "Surely nobody would sell stolen credit cards on Twitter? Except they do... he seems to sell credit card info, most likely collected with keyloggers from infected home computers. The prices of stolen credit cards range from $2 to $20, depending on the country where they were stolen from... if you'd rather not use stolen credit cards yourself, you can have him buy you iPhones, iPads and laptops with stolen credit cards and ship them to you. In practice, the thief will log into an online store, then purchase an iPad as a gift purchase, giving your address as the delivery address and paying for the good with a stolen credit card. An iPad bought like this goes for $150... But keyloggers collect more than credit cards. They also record passwords when you log into online services. So this vendor is also selling access to other people's online bank accounts. An account with a balance of $28,000 sells for $1,000... to prove he really has the goods, the vendor posts "demo" information. Which basically is personal information of handful of victims, including names, home addresses, credit card numbers and passwords...
The accounts shown above* have been reported to relevant authorities."
* (Screenshots and more detail at the f-secure URL above.)

 

[Fraudsters suck $1.4 Billion from Airlines]

FYI...

Fraudsters suck $1.4 Billion from Airlines
- http://www.securityweek.com/fraudsters-suck-14-billion-airlines
May 18, 2011 - "According to recent survey findings coming from CyberSource*, a Visa company, airlines lost an estimated $1.4 billion due to online payment fraud in 2010. But with so many security checks that come along with air travel, how is this possible? A typical fraud scenario in the airline industry plays out like this:
1. A fraudster illegally obtains credit card data;
2. The fraudster obtains the name, address, and other appropriate information for a genuine customer interested in buying "discount" tickets;
3. The fraudster buys the ticket in the innocent person's name, using the stolen credit card number;
4. The fraudster delivers ticket to the customer and receives payment typically in cash..."
* http://www.cybersource.com/news_and_events/view.php?page_id=1900
May 18, 2011

... Meanwhile, the TSA "security" groping and fondling continues...

 

[SpyEye attack on Verizon]

FYI...

SpyEye attack on Verizon...
- http://www.trusteer.com/blog/spyeye-attack-verizon-exposes-pci-shortcomings
May 18, 2011 - "We recently discovered a configuration of the SpyEye Trojan targeting Verizon’s online billing page and attempting to steal payment card information. The attack took place between May 7th and 13th. SpyEye uses a technique called “HTML injection” to modify the pages presented in the victim’s browser, in this particular case the injected HTML is used to capture the following credit card related data. The attack is transparent to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is fraudulent... it continues a financial malware trend we have been tracking in recent weeks: a shift away from stealing usernames and passwords to stealing payment and credit card data... this practice allows criminals to commit card non present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot be traced back to a specific computer. Whether it’s on consumer machines, call center computers, or point of sale systems, attackers are targeting endpoints to steal readily available payment card data. This trend is exposing a major shortcoming in the Payment Card Industry Data Security Standard (PCI-DSS), which only requires endpoints to be running anti-virus software. As we have seen, anti-virus software is unable to effectively defend against zero day attacks..."
(More detail available at the trusteer URL above.)

 

[Fake Apple store order notifications]

FYI...

Fake Apple store order notifications...
- http://community.websense.com/blogs/securitylabs/archive/2011/05/19/an-apple-a-day-promotes-wikipharmacy.aspx
19 May 2011 - "Fake Apple Store Order Notifications have been making rounds for months now. The volume of this particular spam campaign is not as astonishing as other past campaigns. It is actually the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly -stop- the next day. Typically, the email contains a link that -redirects- users to a very familiar pharmacy spam site. These links either belong to compromised sites or newly registered domains... Today, we noticed the same fake Apple Store email redirecting users to a different, relatively new pharmacy spam web template. The new template channels a wikipedia feel to it and is cleverly titled "WikiPharmacy". Looking deeper into the IP where this domain is hosted, we learned that it caters to over 24,000 other domains. These domains were all used in pharmacy spam campaigns at one point."
(Screenshots available at the websense URL above.)

- http://sunbeltblog.blogspot.com/2011/05/dear-apple-store-customer.html
May 20, 2011

 

[PHP file injections - osCommerce malware: Cannot redeclare corelibrarieshandler]

FYI...

PHP file injections - osCommerce malware: Cannot redeclare corelibrarieshandler
- http://blog.sucuri.net/2011/05/oscommerce-malware-cannot-redeclare-corelibrarieshandler.html
May 19, 2011 - "...for the last few days we started to see many of those osCommerce sites that were hacked, generating errors when trying to access them:
    Fatal error: Cannot redeclare corelibrarieshandler() ..
And according to Google, there is probably about 10k pages with this type of error. So what is going on? It seems that the attackers tried to inject more -malware- into sites, but made a mistake... at the top of every PHP file... Which instead of doing what they planned, caused all the sites to fail with this error “Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in…”. Very annoying for both sides involved. To clean it up, you have to remove that piece of code from the top of every PHP file and properly secure osCommerce..."

 

[64-bit banker rootkit spies on online customers]

FYI...

64-bit banker rootkit spies on online customers
- http://www.h-online.com/security/news/item/64-bit-rootkit-spies-on-online-banking-customers-1247881.html
23 May 2011 - "... Kaspersky has discovered* another rootkit with 64-bit Windows support: a variant of the Banker rootkit is targeting the access credentials of online banking customers in Brazil. The malware is injected into systems via a hole in an obsolete version of Java and first disables the Windows User Account Control (UAC) feature so that it can go about its business without being interrupted. It then installs bogus root certificates and modifies the HOSTS file in such a way that victims trying to access the banking web site are redirected to a phishing site operated by the criminals. The injected certificate prevents the browser from issuing an alert when establishing an encrypted connection to the phishing site, and the victim is left unaware. Kaspersky says that the malware also deletes a security plug-in used by various Brazilian banks. Unusually, the malware installs a custom system driver to uninstall the security plug-in and modify the HOSTS file. On 64-bit Windows systems, this requires some effort because Microsoft's Kernel Patch Protection (PatchGuard) prevents unsigned drivers from being installed. As 64-bit Windows installations still have a relatively small market share, rootkits with 64-bit support are currently still quite rare; a 64-bit version of the Alureon/TDL rootkit was discovered last November..."
* http://www.securelist.com/en/blog/11266/Rootkit_Banker_now_also_to_64_bit

 

[Pharmacy SPAM sucks]

FYI...

Pharmacy SPAM sucks...
- http://www.theregister.co.uk/2011/05/23/spam_economics/
23 May 2011 - "Computer scientists are advocating the targeting of card-processing middlemen as a way of clamping down on spam... the vast majority (95 per cent) of the credit card payments to unlicensed pharmaceutical sites are handled by just three payment processing firms – based in Azerbaijan, Denmark and Nevis, in the West Indies, respectively. By putting the squeeze on these firms it might be possible to choke the flow of money to spammers, making spam less profitable and, hopefully, less prevalent.
Pharmacy spam levels fluctuate but the class of junk mail has long been the biggest single category of spam. The findings came after three months of analysing spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. The study* discovered that payment-processing for replica and software products advertised through spam was also monetised using merchant services from just a handful of banks. Spam makes up 74.8 per cent of all email messages, compared to 90 per cent last year, according to the latest statistics from Symantec, published last week. The net security efforts credits botnet takedown efforts, most notably against the infamous Rustock botnet, for the decrease..."
* http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf
(16-page pdf/2.3MB)

  

[Qakbot malware infections spike]

FYI...

Qakbot malware infections spike
... infected 1,500 Massachusetts state PCs... exposing 250,000 residents' personal details.
- http://www.informationweek.com/news/security/attacks/229625414?printer_friendly=this-page
May 23, 2011 - "The Qakbot worm, which targets consumers' financial website credentials, appears to be growing more sophisticated and virulent... in the past month there's been a spike in the overall number of infections**... daily levels reaching 20,000 or more infected machines... according to an analysis of the worm released last week by Symantec*. Qakbot targets online bank account holders and can record keystrokes; digital certificates; and website, email, and FTP passwords. The worm puts the FTP credentials to work immediately, looking for new websites into which to inject code, to then infect the PCs of whoever visits the site. But the worm can also spread via network shares and removable drives. Otherwise, the worm waits for the PC user to log on to a targeted website - including sites operated by Bank of America, Citibank, JPMorgan Chase, SunTrust, Wachovia, and Wells Fargo. At that point, the worm "immediately sends the attackers session authentication tokens allowing the attackers to piggyback on the active session," according to the report from Symantec... State officials identified the virus as Qakbot and said that because of the malware, the personal information of up to 250,000 state residents had been potentially exposed. That data included names, addresses, and Social Security numbers... "Qakbot-infected systems were observed uploading more than 200 megabytes of data each day to command and control server during a period that covered the Qakbot infection on the Department of Labor network"..."
* http://www.symantec.com/connect/blogs/w32qakbot-under-surface

** http://www.symantec.com/connect/sites/default/files/images/qak-pings-051911_0.PNG

> http://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99&tabid=2

 

[Web-based attacks use JavaScript tricks]

FYI...

Web-based attacks use JavaScript tricks...
- http://krebsonsecurity.com/2011/05/blocking-javascript-in-the-browser/
May 25, 2011 - "... Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time... Noscript*... lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session... Firefox.. offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit."
* https://addons.mozilla.org/en-US/firefox/addon/noscript/
Downloads: 85,892,086...

   

[Fake VirusTotal site serves malware]

FYI...

Fake VirusTotal site serves malware
- http://www.net-security.org/malware_news.php?id=1730
24.05.2011 - "VirusTotal - the popular free file checking website - has been spoofed by malware bakerys, warns Kaspersky Lab*. A simple -visit- to the site triggers the download of a worm via a java applet embedded in the code... It's aim is to recruit the computer it infected into a botnet that would ultimately be used to perform DDoS attacks, and to communicate to the C&C information about the system (hostname, type and version of the OS, etc.)... malware bakerys have lately begun combining the use of malicious JavaScript code and social engineering techniques, since it allows them to infect computers regardless of the browser or operating system used."
* http://www.securelist.com/en/blog/208188086/Fake_virustotal_website_propagated_java_worm
"... the website looks the same way as the original**. However, hidden in the source the parameters needed to infect the system through a java applet through which discharge completely silent malware..."
** http://www.securelist.com/en/images/pictures/klblog/208188087.png
(Screenshot at the URL above.)

(Hat tip to cnm @ spywareinfoforum.com)

   

[Fake Epsilon phish - Breach Warning]

FYI...

Fake Epsilon phish - Breach Warning...
- http://isc.sans.edu/diary.html?storyid=10930
Last Updated: 2011-05-26 14:53:19 UTC - "... website that attempts to scare people into purchasing a credit report. The website... reminds the visitor of the relatively recent Epsilon data breach. The goal is to persuade the person into proceeding to another site that is being promoted. This looks like a technique to make money through affiliate marketing..."
(Screenshot and more detail at the URL above.)