2072 replies to this topic

[AplusWebMaster]

FYI...

Facebook apps used for phishing
- http://blog.trendmic...d-for-phishing/
Aug. 19, 2009 - "It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before*. Earlier this week, however, Trend Micro... found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s -legitimate- Facebook profile... While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites..."
* http://blog.trendmicro.com/?s=Koobface

(Screenshots available at the URL at the top listed above.)

[AplusWebMaster]

FYI...

Employers block social networking, web surfing at work
- http://www.darkreadi...cleID=219401053
Aug. 21, 2009 - "... According to new data collected by ScanSafe, which filters more than a billion Web queries each month, some 76 percent of companies are now blocking social networking sites - a 20 percent increase over the past six months. More companies now block social networking sites than block Webmail (58 percent), online shopping (52 percent), or sports sites (51 percent), ScanSafe says*. "Social networking sites can expose businesses to malware, and if not used for business purposes, can be a drain on productivity and bandwidth," says Spencer Parker, director of product management at ScanSafe... Companies are also increasing their restrictions on other types of sites, including travel, restaurants, and job hunting sites, according to the data..."
* http://www.scansafe...._networking_use

.

[AplusWebMaster]

FYI...

Cybercrime Hub in Estonia
- http://blog.trendmic...hub-in-estonia/
Aug. 26, 2009 - "... this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu (Estonia), employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. Some of the larger daughter companies survived up to 5 years, but got dismantled after they lost internet connectivity in a data center in San Francisco, when webhosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation. This caused a major blow to the criminal operation. However, it quickly recovered and moreover immediately started to spread its assets over many different webhosting companies. Today we count about 20 different webhosting providers where the criminal Estonian outfit has its presence. Besides this, the company owns two networks in the United States. We gathered detailed data on the cyber crime ring from Tartu and found that they control every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for fake antivirus software that is being pushed by the company is controlled from Tartu. An astonishing number of 1,800,000 Internet users were exposed to a bogus “you are infected” messages in July 2009 when they tried to access high traffic pornography sites."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Malware in the mail...
- http://www.theregist.../postal_trojan/
27 August 2009

- http://preview.tinyurl.com/kkwztk
August 27, 2009 [Infoworld] - "... The (FBI) is trying to figure out who sent five Hewlett-Packard laptop computers to West Virginia Governor Joe Mahchin a few weeks ago, with state officials worried that they may contain malicious software... According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted..."

Malicious CD ROMs mailed to banks
- http://isc.sans.org/...ml?storyid=7024
Last Updated: 2009-08-26 22:16:01 UTC - "The National Credit Union Administration (NCUA) published an interesting advisory here:
http://www.ncua.gov/.../MR09-0825a.htm
Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate form the NCUA and advertises the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware..."

Edited by AplusWebMaster, 28 August 2009 - 05:01 AM.

[AplusWebMaster]

FYI...

Rogue AV goes Green
- http://securitylabs....Blogs/3469.aspx
09.02.2009 - "Given the world's ever-increasing environmental concerns, it’s easy to see why malware authors are monetizing via an eco-friendly strategy. Just as the scare tactics of rogue AVs have already taken their toll, yet another ingenious twist appears - this time resorting to a friendlier, “greener” tone. Green-conscious people, beware! The latest scheme states that, for every fake AV you buy, a donation will be made to an environmental care program. It’s very simple and direct – buy the software and save the planet. Unlike other rogue AV campaigns that offer “free trial versions,” this ploy actually requires the user to buy the malware with a credit card, all the while assuring the user that a donation will be made to a green cause. This social engineering scheme appears to be picking up steam—as stories of fake AV grief from victims posted on the Web continue to pour in." (including search engine poisoning w/links to the rogue software)

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Malicious blogs on Blogspot...
- http://www.symantec....s-koobface-gang
September 1, 2009 - "... We have been monitoring Koobface for a while now, and here we have some findings based on analyzing data collected over three weeks. These findings shed some light onto the modus operandi of the gang behind Koobface and the effectiveness of its techniques. The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones... The use of SEO techniques by Koobface has only recently come under analysis. For example, a recent post* by Finjan’s Daniel Chechik has described how Koobface automatically creates malicious blogs on Blogspot, Google’s blogging platform, to attract and infect victims. During our monitoring we detected 11,337 such malicious blogs..."
* http://www.finjan.co...px?EntryId=2317

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

Swine flu SPAM leads to malware
- http://blog.trendmic...ead-to-malware/
Sep. 5, 2009 - "No one is absolutely safe from Influenza H1N1, not even world leaders. This is the scenario painted by cybercriminals in their latest spam run. The spammed message informs recipients that the President of Peru, Alan Gabriel Ludwig García Pérez, and other attendees of the delegation of UNASUR (Union of South American Nations) summit have confirmed cases of Swine flu. Furthermore, it states that the presidents of Brazil and Bolivia were also both infected but are now recovering... Written in Spanish, the spam attempts to stir recipients’ curiosity by saying that the incident is being kept from the public. It also urges them to click on the malicious link, which purports to contain the audio news pertaining to this incident. Instead of news, however, all victims get is an executable file ( Alan.Gripe.Porcina.mp3 .exe ) detected by Trend Micro as TSPY_BANCOS.AEM. BANCOS variants are known for its info-stealing capabilities..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

WordPress worm circulating...
> http://forums.whatth...=...st&p=594069

[AplusWebMaster]

FYI...

Koobface attacks on Facebook and MySpace...
- http://www.associate...ook.html?cat=15
September 07, 2009 - "Rumors of a Fan Check virus have circulated in the Facebook community. The Kaspersky Lab* two variants of Koobface viruses which (for now) are only attacking Facebook and MySpace users... As a Facebook user, it's important to remember not to open suspicious links, even if they are from "friends".... had problems in the past with hackers using my friends' accounts to spam or to send viruses. One of the current links is to a YouTube video and a message asking the users to update to the latest version of Flash Player. By clicking, the user will have effectively downloaded a worm..."
* http://www.kaspersky...ws?id=207575670

- http://www.eset.com/...-about-facebook
September 8, 2009 - "... Quite a few people are talking about Fan Check at the moment, but mostly in the context of the "Facebook Fan Check Virus" hoax: briefly, the bad guys are using SEO poisoning to ensure that if you look for search terms like "Facebook Fan Check Virus" in a search engine, some of the top-ranking hits you get will be to sites that will try to trick you into downloading a rogue anti-malware application..."

Edited by AplusWebMaster, 08 September 2009 - 08:05 AM.

[AplusWebMaster]

FYI...

Bogus work-at-home schemes...
- http://voices.washin...447000_fro.html
September 9, 2009 - "Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag. In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes..."

Edited by AplusWebMaster, 10 September 2009 - 06:13 AM.

[AplusWebMaster]

FYI...

FakeAV for 9/11
- http://blog.trendmic...r-september-11/
Sep. 10, 2009 - "As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint. Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware... several malicious Web sites that can all be found in the poisoned Google search results... The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results and rely on reputable news agencies instead."
(Screenshot available at the URL above.)

- http://www.sophos.co...ers-exploit-911
September 11, 2009

Edited by AplusWebMaster, 12 September 2009 - 06:11 AM.

[AplusWebMaster]

FYI...

Google Groups trojan
- http://www.symantec....e-groups-trojan
September 11, 2009 - "... A back door Trojan that we are calling Trojan.Grups* has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected. It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility. The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
Escape[REMOVED]@gmail.com
h0[REMOVED]t
The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time."
* http://www.symantec...._...-99&tabid=2

Edited by AplusWebMaster, 11 September 2009 - 08:27 PM.

[AplusWebMaster]

FYI...

NY Times pushes Fake AV malvertisement
- http://countermeasur...malvertisement/
Sep. 14, 2009 - "...the New York Times issued a warning over Twitter and also on the front page of the web site. The newspaper advised visitors that they had had reports from “some NYTimes .com readers” relating to a malicious pop-up window while browsing the site... In the warning, the influential newspaper stated their belief that the pop-ups were the result of an “unauthorised advertisement”... it looks as though the problem may have been ongoing for upwards of 24 hours. The pop-up window itself... was the all-too-familiar sight of rogue antivirus software informing the NYTimes reader that their computer is infected with random, spurious, non-existent malware and promising “Full System Cleanup” for a fee of course... The malicious software being punted in this case, is the same as we were seeing in much of the black-hat SEO around the 9/11 attacks, as reported previously on the TrendLabs malware blog*. In this particular example, the malicious site and sofware is being hosted by a German provider, Hetzner AG, which has a colourful track record when it comes to spewing dodgy content, having hosted literally hundreds of malicious URLS. Here’s a really simple tip to remember. If you *ever* see a pop-up windows that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache... UPDATE: Troy Davis was fortunate enough to be able to examine the attack in real-time and provides an excellent code level analysis here**".

* http://blog.trendmic...r-september-11/

** http://troy.yort.com...-on-nytimes-com

[AplusWebMaster]

FYI...

Fake A/V hacks for another celebrity death...
- http://www.sophos.co...reware-hackers/
September 15, 2009 - "Patrick Swayze, the star of movies such as "Dirty Dancing" and "Ghost", has died after fighting cancer of the pancreas for two years. Although the entertainment world mourns his loss, heartless hackers are taking advantage of the hot news story by creating malicious webpages that lead to fake anti-virus (also known as scareware) alerts... This is the same tactic used by cybercriminals after the death of Natasha Richardson and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last week. Clearly the cybercriminals are no slackers when it comes to jumping on a trending internet topic, and are more professional than ever before in spreading their fake anti-virus scams..."

[AplusWebMaster]

FYI...

Rogue Anti-Virus SEO Poisoning...
- http://securitylabs....Blogs/3479.aspx
09.16.2008 - "SEO poisoning is fast becoming a trend in spreading rogue anti-virus software. This type of attack coupled with relevant news items that might be of interest to users from all walks of life is a lethal combination. Search terms related to the recent MTV Video Music Awards brouhaha and President Obama’s off-the-record comments about Kanye West, as well as updates on murdered Yale graduate student Annie Le, are the latest targets... Upon visiting these search results, visitors would be presented with the standard fake / rogue AV Web site. To make matters worse, (real) anti-virus have very poor detection rates..."

- http://www.virustota...9896-1253125434
File setup_build6_195.exe received on 2009.09.16 18:23:54 (UTC)
Result: 1/41 (2.44%)

- http://www.virustota...610e-1253125440
File Soft_71.exe received on 2009.09.16 18:24:00 (UTC)
Result: 3/41 (7.32%)

(Screenshots of the fake AV Web site, as led to by the search engine, available at the Websense URL above.)

- http://isc.sans.org/...ml?storyid=7144
Last Updated: 2009-09-17 07:36:18 UTC

Edited by AplusWebMaster, 17 September 2009 - 06:21 AM.