Culture Jamming

[Mac Trojan spreading in-the-wild]

FYI...

Mac Trojan spreading in-the-wild...
Exploits Java vulns and packs fake certificate
- http://www.theregister.co.uk/2012/02/24/flashback_mac_trojan/
24 Feb 2012 - "... a new variant of a Mac-specific password-snatching Trojan horse is spreading in the wild. Flashback-G initially attempts to install itself via one of two Java vulnerabilities. Failing that, the malicious applet displays a self-signed certificate (claiming to be from Apple) in the hope users just install the malware. Once snugly in place, the malware attempts to capture the login credentials users enter on bank websites, PayPal, and many others. OS X Lion did not come with Java preinstalled, but Snow Leopard does, so users of Mac's latest OS are more at risk of attack. Mac security specialist Intego warns that the variant is infecting Mac users and spreading in the wild. Symptoms of infection can include the crashing of browsers and web applications, such as Safari and Skype. Intego, which has added detection for the malware, has a write-up* of the attack with a screenshot of the self-signed certificate used by the malware in action..."
* http://blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/
"... essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available... Macs are (also) getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple... If you see this, don’t trust it, and cancel the process..."

- http://h-online.com/-1442810
24 Feb 2012 - "... If an up-to-date version of Java is in use, to become infected the user has to approve a certificate clearly marked as not trusted..."

 

[“Chat-in-the-Middle” phishing attack fraud]

FYI...

“Chat-in-the-Middle” phishing attack fraud...
- http://www.trusteer.com/blog/speaking-devil-%E2%80%93-malware-adds-live-chat-commit-fraud
Feb 28, 2012 - "Working with a leading financial institution we recently discovered a disturbing new attack against online banking users. It uses a technique we have not seen exhibited before by financial malware.. Technically, it writes to you... the attack uses the familiar online customer service tool most of us are familiar with – live chat... The attack is being carried out using the Shylock malware platform... This particular Shylock configuration uses a classic MitB (Man in the Browser) structure with plenty of fake HTML page injections and uses complex external Javascript resources. It specifically targets business/commercial online banking customers. When the victim logs in to the online banking application, the session -stalls- for few minutes and the user is told that security checks are being performed... This exchange is apparently used to gather more information from the victim. The session may even be used to perform real time fraud by enticing the victim to sign/verify fraudulent transactions that Shylock is initiating in the background... In 2009, RSA* discovered a phishing attack that incorporated live chat... In that attack, the victim was lured to a phishing site where they were presented with a fraudulent chat window. In 2012, apparently, fraudsters have decided to make house calls by extending this capability from phishing web sites and embedding it in malware platforms..."
* http://blogs.rsa.com/rsafarl/chat-in-the-middle-phishing-attack-attempts-to-steal-consumers-data-via-bogus-live-chat-support/

 

[Cybercriminals target phones - Android 'most exposed']

FYI...

Cybercriminals target phones - Android 'most exposed'
- http://news.yahoo.com/cybercriminals-target-phones-android-most-exposed-003516512.html
Feb 28, 2012 AFP - "Cybercriminals are sneaking a fast-increasing amount of malware into smartphones to steal data or even money, with those running on Google's Android most exposed to security threats, analysts said... Anyone can create or install an application on an Android phone... as opposed to the Apple controlled Appstore which imposes a layer of screening... Trend Micro surveyed independent analysts about security features on the four main mobile operating systems - Apple's iOS, RIM's BlackBerry, Microsoft's Windows and Google's Android - and found that Blackberry was ranked most secure and Android the least. BlackBerry benefitted from the fact that it was originally designed more as a platform than a device, while iOS, ranked second most secure, was tightly controlled by Apple... Technology company Juniper Networks compiled a "record number of mobile malware attacks" in 2011, particularly on Android phones. In 2010, just 11,138 mobile malware samples were recorded, but they soared 155 percent to 28,472 in 2011, the company said. Just under half - 46.7 percent - occurred on Android phones, said Juniper, whose study did -not- look into Apple breaches... Some criminals are hiding "malicious code in legitimate applications" that consumers are downloading unwittingly. Once they have gained access to data on the phone, they are stealing information that could be used in identity theft or in illegal transactions. A further incentive for cybercriminals to breach smartphone security is that unlike computers, each phone "has a direct link to money" through the SIM card... Criminals are able, for instance, to implant so-called trojan horses that prompt phones to send SMSes to premium numbers..."

  

[Olympic phishing messages]

FYI...

Olympic phishing messages...
- http://community.websense.com/blogs/securitylabs/archive/2012/03/01/who-already-won-the-olympic-games-2012.aspx
01 Mar 2012 - "... Websense... detected and tracked a significant number of these kinds of Olympic phishing messages whose goal is to entice users to submit their personal information... the well-known "National Lottery"-type scam, where the targeted users are tricked into believing they are winners of some sort of local lottery... Once the user opens the Microsoft Word document, the sender informs the user that he or she is the lucky "winner" of £200,00.00 GBP, and then requests that the user provide personal information, such as full name, address, nationality, occupation, and mobile number to help process the claim... Although this email attachment is not malicious, it is clear that the sender has some other questionable activity in mind by asking for and collecting personal information. This could range from email spam using the victim's email address and mobile phone number to other rogue promotional messages that could potentially have web links leading to malicious websites. Threats like these Olympics scams are also known as advanced-fee fraud in which victims are asked to contact a claims agent. They may then be asked to pay "processing fees" to receive their money, which never happens... This is also a good way to collect, with social engineering techniques, mobile phone numbers and to start other kinds of fraudulent activities like asking for details about mobile banking accounts..."

 

[Employees disabling security controls]

FYI...

Employees disabling security controls
- https://www.net-security.org/secworld.php?id=12508
29 Feb 2012 - "Corporate mobile devices and the bring-your-own-device (BYOD) phenomenon are rapidly circumventing enterprise security and policies, say the results of a new global study sponsored by Websense... 77 percent of more than 4,000 respondents in 12 countries agree that the use of mobile devices in the workplace is important to achieving business objectives, but only 39 percent have the necessary security controls to address the risk their use entails. According to a previous Ponemon Institute survey, IT respondents said 63 percent of breaches occurred as a result of mobile devices, and only 28 percent said employee desktop computers were the cause. This latest research shows that organizations often don't know how and what data is leaving their networks through non-secure mobile devices, and that traditional static security solutions are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders... More than 4,600 IT and IT security practitioners in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Italy, Mexico, Singapore, United Kingdom, and the United States were surveyed. With an average of 10 years' experience in the field, fifty-four percent are supervisors (or above) and 42 percent are from organizations with more than 5,000 employees. This survey defines mobile devices as laptops, USB drives, smartphones, and tablets."

  

[US SEC SPAM leads to exploit and stealer]

FYI...

US SEC SPAM leads to exploit and stealer
- http://www.gfi.com/blog/us-securities-and-exchange-commission-spam-leads-to-exploit-and-stealer/
March 2, 2012 - "... received an email** in his GMail inbox that purports to originate from the U.S. Securities and Exchange Commission (SEC)... Clicking the link leads users to ftp(dot)psimpresores(dot)com(dot)ar/QH1r1tTd/index(dot)html, which then -redirects- them to trucktumble(dot)com/search(dot)php?page=d44175c6da768b70... This page contains a Blackhole exploit kit that targets the following vulnerabilities:
    CVE-2010-0188, an old Adobe Reader and Acrobat vulnerability (patch already available)
    CVE-2010-1885, an old Microsoft Windows Help and Support vulnerability (patch already available)
Based on the deobfuscated script, this exploit can also target other vulnerabilities on Java, Adobe Flash, and Windows Media Player. Once vulnerabilities of these software were successfully exploited, users are then led to the website, trucktumble(dot)com/content/ap2(dot)php?f=e0c3a, where the file about.exe can be downloaded... about.exe was found to be a variant of ZBOT, that infamous information stealer, and we detect it as Win32.Malware!Drop. Only 12 AV vendors* detect the variant as of this writing..."
* https://www.virustotal.com/file/bc434de7885e517b5dd2764fa0533b5a5b1fc6d890f09267db03728ef8d27c4a/analysis/
File name: about.vxe
Detection ratio: 12/43
Analysis date: 2012-03-02 05:19:43 UTC

** http://www.gfi.com/blog/wp-content/uploads/2012/03/email01.png

 

[Verizon Investigative Response Caseload Review]

FYI...

Verizon Investigative Response Caseload Review
- http://atlas.arbor.net/briefs/index#1790571886
Feb 29, 2012 - "Verizon -2011- Investigative Response (IR) Caseload Review* is a preview of their pending larger Data Breach Investigations Report (DBIR).
Analysis: This report indicates that outside attacks towards servers comprise the largest source of data breach incidents. Financial gain continues to be a motive, however increasing amounts of hacktivism accelerates data breach trends. System penetration and malware are the highest threats, with default and weak passwords and backdoor tools being the highest vectors. 90% of organizations were alerted by an outside organization, pointing to the fact that internal monitoring systems, if used, were not as useful. Encryption can help reduce the pain of a data breach incident, but much sensitive data is not properly encrypted."
* http://securityblog.verizonbusiness.com/2012/02/29/quick-look-at-2011/
(Info below from linked PDF report at URL above - pg. 5)
Top 10 threat action varieties by number of breaches
Hacking - Exploitation of default or guessable credentials - 29%
Malware - Backdoor (allows remote access / control) - 26%
Hacking - Use of stolen login credentials - 24%
Hacking - Exploitation of backdoor or command and control channel - 23%
Malware - Keylogger / Form-grabber / Spyware (capture data from user activity) - 18%
Malware - Send data to external site / entity - 17%
Malware - System / network utilities (PsTools, Netcat) - 14%
Hacking - SQL Injection - 13%
Malware - Capture data resident on system (e.g., cache, disk) - 9%
Malware - Download / install additional malware or updates - 9% ...
(... pg.6)
"... Among servers involved in breaches in our 2011 cases, point-of-sale servers, web/application servers, and database servers led the pack. Desktops, laptops, and point-of-sale terminals comprised the bulk of compromised end-user devices.
With respect to the data stolen from these assets, criminals got away with a mixed bag. Payment cards, personal information, and authentication credentials were most often compromised, but other types of sensitive organizational data, trade secrets, and copyrighted information were taken..."

 

[Flashback Mac -malware- using Twitter as C&C center]

FYI...

Flashback Mac -malware- using Twitter as C&C center
- http://blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/
Mar 5, 2012 - "... Flashback... uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags aren’t as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego’s malware research team cracked the 128-bit RC4 encryption used for Flashback’s code and discovered the keys to this system. The hashtags are made up of twelve characters. There are four characters for the day, four characters for the month, and four characters for the year... In addition, in order to ensure that people checking logs don’t spot the malware, it uses a number of different user agents... It’s worth noting that the people behind the Flashback malware most likely to not send commands every day, and certainly delete their tweets, as Intego has found no past tweets in its searches. However, the malware clearly sends these HTTP requests, looking for such tweets..."

 

[Ransomware attacks]

FYI...

Ransomware attacks...
- http://blog.trendmicro.com/ransomware-attacks-continue-to-spread-across-europe/
Mar 8, 2012 - "Ransomware attacks are growing in popularity these days. French users were a recent target of an attack that impersonated the Gendarmerie nationale. A few months ago, Japanese users were also hit by ransomware in a one-click billing fraud scheme targeted for Android smartphones... the more recent ransomware variants appear to be targeting other European countries. They are disguised as notifications from country-specific law enforcement agencies such as eCops of Belgium and Bundespolizei of Germany... a majority of the top eight countries infected with ransomware are from Europe:
- http://blog.trendmicro.com/wp-content/uploads/2012/03/ransomware_countries.jpg
... While ransomware are also being distributed through affiliate networks like FAKEAVs, these attacks operate using payments outside of traditional credit card payments, specifically via Ukash and Paysafecard vouchers. Ukash and Paysafecard are widely used online payment methods that do not require personal details. Such level of anonymity has naturally earned the attention of cybercriminals and, as we can see, is now being abused for the ransomware business... based on feedback taken from the past 30 days."

- https://www.f-secure.com/weblog/archives/00002325.html
March 9, 2012 - "... reports of Finns being targeted by ransomware which is localized in Finnish language and claims to be from Finnish police..."

Police Themed Ransomware continues
- https://www.f-secure.com/weblog/archives/00002344.html
April 4, 2012 - "Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer... easiest way to manually disable it is as follows:
1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but lets not get started on that…).
> https://www.f-secure.com/weblog/archives/ransomware_startup.png
5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.
6 – Reboot the computer.
After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.
The steps may vary slightly depending on the variant... Microsoft provides information in their description*.
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Reveton.A#recovery_link
Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions."
** http://www.f-secure.com/v-descs/trojan_w32_reveton.shtml

 

[Bogus prescription drug trade]

FYI...

Bogus prescription drug trade...
- https://krebsonsecurity.com/2012/03/half-of-all-rogue-pharmacies-at-two-registrars/
Mar 12, 2012 - "Half of all “rogue” online pharmacies - sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars... but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript*, a verification and monitoring service for online pharmacies... Anti-spam and registrar watchdog Knujon (“nojunk” spelled backwards) also released a report (PDF**) on rogue Internet pharmacies today, calling attention to Internet.bs, AB Systems and a host of other registrars with large volumes of pharma sites..."
* http://legitscriptblog.com/2012/03/report-documents-internet-bs-support-of-drug-related-cybercrime-bogus-prescription-drug-trade/

** http://krebsonsecurity.com/wp-content/uploads/2012/03/rogue_registrars_2012_DRAFT.pdf

> https://krebsonsecurity.com/wp-content/uploads/2012/03/LSregistrars.png

 

[Mobile phones - weak link in Online Bank Fraud scheme]

FYI...

Mobile phones - weak link in Online Bank Fraud scheme
- https://www.trusteer.com/blog/sim-ple-mobile-handsets-are-weak-link-latest-online-banking-fraud-scheme
March 13, 2012 - "... two online banking fraud schemes designed to defeat one time password (OTP) authorization systems used by many banks... in these -new- scams the criminals are stealing the actual mobile device SIM (subscriber identity module) card...
> In the first attack, the Gozi Trojan is used to steal IMEI (international mobile equipment identity) numbers from account holders when they login to their online banking application. The bank is using a OTP system to authorize large transactions. Once they have acquired the IMEI number, the criminals contact the victim’s wireless service provider, report the mobile device as lost or stolen, and request a new SIM card. With this new SIM card, all OTPs intended for the victim’s phone are sent to the fraudster-controlled device...
> The second attack combines online and physical fraud to achieve the same goal. We discovered this scheme in an underground forum. First, the fraudster uses a Man in the Browser (MitB) or phishing attack to obtain the victim’s bank account details, including credentials, name, phone number, etc. Next, the criminal goes to the local police department to report the victim’s mobile phone as lost or stolen. The criminal impersonates the victim using their stolen personal information (e.g., name, address, phone number, etc.). This allows the fraudster to acquire a police report that lists the mobile device as lost or stolen. The criminal then calls the victim to notify them that their mobile phone service will be interrupted for the next 12 hours. In the meantime, the criminal presents the police report at one of the wireless service provider’s retail outlets. The SIM card reported as lost or stolen is -deactivated- by the mobile network operator, and the criminal gets a new SIM card that receives all incoming calls and OTPs sent to the victim’s phone number. This allows the fraudster authorize the fraudulent transactions he/she executes...
Since accounts protected by OTP systems typically have higher transfer limits and are less scrutinized, they are more lucrative. This explains why criminals are willing to go to great lengths to gain access to them. The one common thread in both schemes is that they are made possible by compromising the web browser with a MitB attack to steal the victim’s credentials. By combining stolen personally identifiable information with clever social engineering techniques, criminals using these attacks don’t need to trick users into verifying fraudulent transactions. They are able to bypass out of band authentication mechanisms like SMS-delivered OTPs by authorizing these transactions themselves."

- https://en.wikipedia.org/wiki/Man_in_the_Browser

 

[Unsolicited support calls - iYogi]

FYI...

Unsolicited support calls - iYogi ...
- https://krebsonsecurity.com/2012/03/aghast-at-avasts-iyogi-support/
March 14, 2012 - "The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast's customer support. A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support... Unfortunately, Avast is not the only security and antivirus firm that has outsourced its support to this company. iYogi also is the support service for AVG, probably Avast’s closest competitor."

- https://blog.avast.com/2012/03/12/you-call-us-we-wont-unsolicited-call-you/
Mar 12, 2012 - "... we -never- phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either..."

- https://encrypted.google.com/
Unsolicited support calls
... About 7,230,000 results...
___

Avast Antivirus drops iYogi support
- https://krebsonsecurity.com/2012/03/avast-antivirus-drops-iyogi-support/
March 15, 2012

- https://blog.avast.com/2012/03/15/iyogi-support-service-removed/
March 15, 2012 - "... we have removed the iYogi support service from our website and shortly it will be removed from our products... users can receive support via the other support options provided on our website. We will also work to ensure that any users that feel they have been misled into purchasing a premium support receive a full refund..."

 

[Brute force attacks - WordPress sites]

FYI...

Brute force attacks - WordPress sites...
- http://blog.sucuri.net/2012/03/brute-force-attacks-against-wordpress-sites.html
Mar 15, 2012 - "... Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and -never- changes it... There is a technique known as brute-force attack... access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..)... the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware... in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:
    146.0.74.234 – 32 attempts
    212.67.25.66 – 47 attempts
    176.31.253.139 – 211 attempts
    91.226.165.164 – 39 attempts
    95.79.221.169 – 105 attempts
    91.217.178.235 – 40 attempts
And many more IP addresses. We will adding all of them to our IP blacklist* and Global Malware view**..."
* http://sucuri.net/sucuri-blacklist

** http://sucuri.net/global
___

WordPress Page is Loading... an Exploit
- https://www.f-secure.com/weblog/archives/00002328.html
March 15, 2012 - "... Spam appears to be the driver of these campaigns. Various websites have already been identified to be redirecting to Blackhole exploit kit... Currently, these sites redirect to the following domains that host Blackhole exploit kit:
  •  georgekinsman.net
  •  icemed.net
  •  mynourigen.net
  •  synergyledlighting.net
  •  themeparkoupons.net ..."

 

[iPhone malware - CrossTalk]

FYI...

iPhone malware - CrossTalk ...
- http://atlas.arbor.net/briefs/index#1608668149
Tue, 13 Mar 2012 18:54:02 +0000
Those tasked with the defense of smartphones could benefit from this detailed document.
Source: http://secniche.blogspot.com/2012/03/crosstalk-iphone-malware-paradigm.html

Attempts to Spread Mobile Malware in Tweets ...
- http://atlas.arbor.net/briefs/index#-815968668
Tue, 13 Mar 2012 18:54:02 +0000
Yet more attempts to spread mobile malware are being seen, this time Twitter is the spreading platform of choice.
Source: http://www.symantec.com/connect/blogs/attempts-spread-mobile-malware-tweets

Android Malware Stealing Online Banking Credentials
- http://atlas.arbor.net/briefs/index#-1589555277
Friday, March 16, 2012 01:36
... Android malware continues with multi-factor financial credential theft and remote update capabilities.
Analysis: As mobile devices proliferate, cybercrime goes where the money is. While the style of this attack is not new, extra capabilities are being seen and it is likely just a matter of time before very sophisticated malware targeted towards mobile devices becomes a larger problem. Additionally, malware awareness and safe browsing on handhelds may not be as common as on dekstop or notebook systems in enterprises with security policies. If mobile devices are not yet part of the organizational security policy, such threats may quicken this change.
Source: https://threatpost.com/en_us/blogs/android-malware-stealing-online-banking-credentials-031512

 

[Fake Linkedin e-mails lead To Cridex]

FYI...

Fake Linkedin e-mails lead To Cridex
- http://www.gfi.com/blog/fake-linkedin-mails-lead-to-cridex/
March 16, 2012 - "... there are fake Linkedin invitation reminders in circulation sending users to a BlackHole exploit which attempts to drop Cridex* onto the PC. Cridex is a rather nasty piece of work that does everything from target banks and social networking accounts to a little bit of CAPTCHA cracking... This particular run shares the IP address 41(dot)64(dot)21(dot)71 with various BBB and Intuit spam runs from recent weeks. If in doubt, go directly to Linkedin and check your invites from there."
* http://community.websense.com/blogs/securitylabs/archive/2012/01/30/trojan-caught-on-camera-shows-captcha-is-still-a-security-issue.aspx

> http://www.gfi.com/blog/wp-content/uploads/2012/03/LinkedIn_exploit.png

- http://labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/
March 1, 2012