2072 replies to this topic

[AplusWebMaster]

FYI...

Ransomware - Fake G-Men attack Hijacks computers ...
- https://www.trusteer...omputers-ransom
May 01, 2012 - "... new use of the Citadel malware platform (a descendent of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and highjacks victims’ computers. This ransomware, named Reveton, freezes the compromised machine’s operating system and demands a $100 payment to unlock it. Reveton was observed a few weeks ago being used as a standalone attack, but has now been coupled with the Citadel platform... Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution. The attack begins with the victim being lured to a drive-by download website. Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server. Once installed on the victim’s computer, the ransomware locks-up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen* claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content.
* https://www.trusteer.....Gmen blog.png
In order to unlock their computer, the victim is instructed to pay a $100 fine to the US Department of Justice using prepaid money card services. The payment service options presented to the victim are based on the geographic location of their IP address. For example, users with US IP addresses must pay using MoneyPak or Paysafecard... Independent of the Reveton ransomware secondary payload, Citadel continues to operate on the compromised machine on its own. Therefore it can be used by fraudsters to commit online banking and credit card fraud by enabling the platform’s man-in-the-browser, key-logging and other malicious techniques. It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack. Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information... cyber-crime and cyber-security protection begins with the endpoint now more than ever."

[AplusWebMaster]

FYI...

Multi-Layer malware attack uses same exploit as Flashback
- http://atlas.arbor.n...ndex#1402527155
Severity: Elevated Severity
Published: Monday, April 30, 2012 16:24
Yet another malware is using the recent Java flaw to exploit both OSX and Windows systems.
Analysis: The malware determines which OS is being attacked and then delivers the proper payload... case in point that there are many copycat attacks that take place when a serious flaw emerges and organizations must anticipate multiple threats rather than the threats that get the most media attention.
Source: http://nakedsecurity...on-malware-mac/
> Python-based malware attack targets Macs - Windows PCs also under fire
April 27, 2012 - "... there may still be some users whose computers are not patched against the Java vulnerability - and are at risk of attack. The malicious Java code downloads further code onto the victim's computer - depending on what operating system they are using... The downloaded programs will then install further malicious code... This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user's knowledge... The backdoor Python script allows remote hackers to steal information... We have a free Mac anti-virus for home users*, if you think it's time to take your computer's security more seriously..."
* http://www.sophos.com/freemacav
> https://www.avira.co...ee-mac-security

OSX.Flashback.K – motivation behind the malware - $$$
- http://www.symantec....-behind-malware
Apr 30, 2012

Edited by AplusWebMaster, 01 May 2012 - 03:31 PM.

[AplusWebMaster]

FYI...

Bogus invoices set virus trap
- http://h-online.com/-1567059
3 May 2012 - "Criminals are currently sending out a large number of bogus order confirmations that are designed to make recipients open the attached malware. The attackers appear to be using stolen online store customer data to address email recipients by their real names. The criminals pretend that the email recipient has placed an order worth several hundred euros at an online store. To make things difficult for spam filters, they vary the store names... Users who receive an order confirmation or invoice that they can't associate with a purchase should -not- open these file attachments under any circumstances. Unfortunately, virus scanners don't offer reliable protection in this case... it isn't just invoices in ZIP or EXE format that should make users suspicious: attackers have also been circulating bogus Deutsche Telekom and Vodafone invoices as PDF attachments that try to infect computers via an old security hole in Adobe Reader. This attack scenario is also possible using Office documents."
* https://www.virustot...0e294/analysis/
File name: Rechnungsdaten.zip
Detection ratio: 9/42
Analysis date: 2012-05-03 10:55:17 UTC

Edited by AplusWebMaster, 03 May 2012 - 07:46 AM.

[AplusWebMaster]

FYI...

Mapping cybercrime by country
- http://hostexploit.c...by-country.html
3 May 2012 - "All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem. How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian Group-IB1 and CSIS2 in Denmark. The Global Security Map* displays global hot spots for cybercriminal activities based on geographic location... The Global Security Map* is the outcome of extensive research on Autonomous Systems (ASNs) – servers, ISPs, and networks routed publically via their respective IP (Internet Protocol) addresses. It has been the long-held vision of HostExploit, heading a group of respected independent community researchers, to be able to provide a tool to aid hosts, registrars, Internet Service Providers (ISPs), researchers, law enforcement, academics and other parties, interested in tracking Internet security-related issues worldwide. HostExploit established a method of rating levels of malicious activity on all ASes worldwide (currently 40,909), known as the HE Index, which is used to compile data for its widely respected quarterly reports. The statistics used for the ‘Top 50 Bad Hosts & Networks’ reports and tables are applied now to countries as a whole (based on registration information and routing locations) to create a ranking order by level of malicious activity (1,000 = highest). At the time of the report, Lithuania ranks at #1 with the highest levels of malicious activities in the world while Finland at #219 has the cleanest servers and networks. With this information in place, the next step is to consider realistic mitigation methods or plans that can help reduce levels of malicious activity..."
(More info at the hostexploit URL above.)

* http://globalsecuritymap.com/

> English report (PDF) here: http://hostexploit.c...april-2012.html

[AplusWebMaster]

FYI...

Fake Facebook emails...
- http://msmvps.com/bl...04/1809472.aspx?
May 4 2012 - "The pictured emails (below) are not real Facebook emails – look at the URLs that are exposed when you hover your mouse cursor over the “sign in” and “reactivate” links..."

> http://msmvps.com/cf...00_2B858634.png

> http://msmvps.com/cf...00_0F64A17C.png
___

-13- million US Facebook users not using, or oblivious to, privacy controls
- http://nakedsecurity...ivacy-controls/
May 4, 2012

- https://www.consumer...ok-privacy.html

Edited by AplusWebMaster, 04 May 2012 - 11:25 AM.

[AplusWebMaster]

FYI...

SPAM - BBB assistance e-mails w/malware...
- http://nakedsecurity...-strikes-again/
May 4, 2012 - "Once again, cybercriminals have spammed out emails claiming to come from the Better Business Bureau (BBB), with the intention of infecting Windows computers with malware... widespread malware attack that is being spammed out as an attachment to an email claiming to come from the BBB. The emails vary in their wording, but -all- claim that a consumer has complained about the company receiving the email. The details of the complaint, naturally, are contained inside the attached "BBB Report.zip" file (which, of course, contains malware)..."

[AplusWebMaster]

FYI...

Recent badware stats
- http://blog.stopbadw...-badware-stats/
April 27, 2012 - "... Enterprise users experienced an average of 339 Web malware encounters per month in 4Q11 (205% year over year).
• Avg. 20,141 unique Web malware hosts per month in 2011 (vs. 14,217 in 2010)...
• Approx. 30,000 new malicious URLs each day in 2H11; 80% of those are legitimate. 85% of malware comes from the web.
• Malicious sites up 240 percent in 2011...
• 40% of malnet entry points are via search engines/portals...
• 23% of malicious domain registrations could be blocked with basic validation of contact info
• Rogue AV campaign infected 200,000 Web pages, 30,000 unique hosts... geographically dispersed visitors.
• On average, -two- popular websites (among the Alexa top 25,000) serve drive-by downloads each -day-. An estimated 1.6 million vulnerable users were exposed to drive-by downloads in one month across 58 popular (Alexa top 25,000) sites."
(Links to sources available at the stopbadware URL above.)

Edited by AplusWebMaster, 06 May 2012 - 11:53 AM.

[AplusWebMaster]

FYI...

Malware attacks on hotel net surfers...
- http://www.ic3.gov/m...012/120508.aspx
May 8, 2012 - "Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms. Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available. The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s Web site if updates are necessary while abroad..."

> https://krebsonsecur...ccess-bad-idea/
May 11, 2012 - "... avoid updating software while using hotel or other public Internet connections... There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups..."

Edited by AplusWebMaster, 11 May 2012 - 06:22 AM.

[AplusWebMaster]

FYI...

Bogus emails: Amazon.com - Your Cancellation
- https://isc.sans.edu...l?storyid=13177
Last Updated: 2012-05-09 17:49:29 UTC - "There are bogus order cancellation emails going around claiming to be from Amazon... copy I received linked to the URL... which contains this is in the body:
<script type="text/javascript">window.location="http ://leibypharmacylevitra .com";</script> ... It is probably safe to assume that the content of that site is -not- user friendly..."
(More detail at the ISC URL above.)

[AplusWebMaster]

FYI...

Gh0st RAT served on compromised Amnesty International UK website...
- http://community.web...ompromised.aspx
11 May 2012 - "Between May 8 and 9, 2012... Websense... detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site. In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback... screen shot of the detected code injection:
> http://community.web...55.sshot001.png
... we can see the similarities between this injection and the INSS injection* we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for the CVE-2012-0507... we recognize that this is a variant of the well-known Remote Administration Tool Gh0st RAT**, which is used mainly in targeted attacks to gain complete control of infected systems... The Remote Administration Center commands to the compromised system originate from this address: shell .xhhow4 .com. At the time of this writing, the address is still active."

* http://community.web...ction-flow.aspx

** http://en.wikipedia.org/wiki/Ghost_Rat

[AplusWebMaster]

FYI...

Fake Flash Player for Android = Malware
- http://blog.trendmic...er-for-android/
May 10, 2012 - "... social engineering tactic using Adobe‘s name...
> http://blog.trendmic...ndroid011_1.jpg
... This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version... When users opt to download and install the said fake app, the site connects to another URL to download malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats*. Upon further investigation, we have seen a bunch of URLs that are hosted on the same IP as this particular website. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme..."
* http://blog.trendmic...ts-infographic/

> http://about-threats...ed-smartphones/

Edited by AplusWebMaster, 11 May 2012 - 06:54 AM.

[AplusWebMaster]

FYI...

Spamvertised ‘Pizzeria Order Details’ ...
- http://blog.webroot....ts-and-malware/
May 11, 2012 - "... Cybercriminals are currently spamvertising hundreds of thousands of emails, impersonating FLORENTINO`s Pizzeria, and enticing users into clicking on a client-side exploits and malware serving link in order to cancel a $169.90 order that they never really made. Once the user clicks on the link, they will be -redirected- to a compromised site serving client-side exploits and ultimately dropping multiple malicious binaries on their hosts upon a successful infection.
Malicious URL: hxxp ://oldsoccer .it/page1 .htm?RANDOM_STRINGS
... The Russian domains are -fast-fluxed- by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign – "Spamvertised ‘Your tax return appeal is declined’ emails* serving client-side exploits and malware..."
(More detail at the webroot URL above.)

* http://blog.webroot....ts-and-malware/

Global Fast Flux
> http://atlas.arbor.n...ummary/fastflux
___

spamalysis - VALERIO Pizza Order Confirmation
- https://spamalysis.w...r-confirmation/
"... malicious page contained javascript that redirected victims to a Phoenix Exploit kit..."

Edited by AplusWebMaster, 13 May 2012 - 08:01 AM.

[AplusWebMaster]

FYI...

IC3 2011 Internet Crime Report released
- http://www.ic3.gov/m...012/120511.aspx
May 10, 2012 - "The Internet Crime Complaint Center (IC3) today released the 2011 Internet Crime Report* — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million ...
In 2011, IC3 received and processed, on average, more than 26,000 complaints per month. The most common complaints received in 2011 included FBI-related scams — schemes in which a criminal poses as the FBI to defraud victims — identity theft, and advance-fee fraud. The report also lists states with the top complaints, and provides loss and complaint statistics organized by state..."
* http://www.ic3.gov/m...1_IC3Report.pdf

[AplusWebMaster]

FYI...

Gh0st RAT served on compromised Amnesty International Hong Kong website...
- http://community.web...ompromised.aspx
May 14, 2012 - "... Update: Websense... detected that the Amnesty International Hong Kong sister website was also compromised to serve Gh0st RAT over the weekend, and the malicious codes are still live and active. Below are some of the pages infected redirecting to the exploits. Websense Security Labs will continue to monitor and update any new changes to this attack..."
> http://community.web..._2D00_550x0.png

[AplusWebMaster]

FYI...

Zeus P2P variant exploits... steal Debit Card Data
- https://www.trusteer...debit-card-data
May 15, 2012 - "... recently discovered a series of attacks being carried out by a P2P variant of the Zeus platform against some of the internet’s leading online services and websites. The attacks are targeting users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures. The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account. The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code, and PIN...
> https://www.trusteer.....re inject.png
Malware web inject presented to Facebook users ^
... In the attacks against Google Mail, Hotmail and Yahoo users, Zeus offers an allegedly new way of authenticating to the 3D Secure service offered by the Verified by Visa and MasterCard SecureCode programs. To complete an online transaction many merchants require cardholders to authenticate using their personal 3D Secure password... The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively... The victim is prompted to enter their debit card number, expiration date, security code, and PIN... leveraging the Verified by Visa and MasterCard SecureCode brands to make the scam more credible.
> https://www.trusteer.....re inject.png
Malware web inject presented to Gmail users ^
> https://www.trusteer.....re inject.png
Malware web inject presented to Yahoo users ^
... The attack against Hotmail users is similar to the Google Mail and Yahoo scam... The offer states that the service will prevent purchases from being made on the internet with the card unless the Hotmail account information and additional password are provided. The webinject requests the same information (debit card number, expiration date, security code, and PIN) as in the previous two scams.
> https://www.trusteer.....re inject.png
Malware web inject presented to Microsoft Hotmail users ^
... These webinjects* are well crafted both from a visual and content perspective, making it difficult to identify them as a fraud... the fraudsters are using the fear of the very cybercrime they are committing to prey on their victims."
* http://www.trusteer....erground-market

Edited by AplusWebMaster, 16 May 2012 - 09:41 AM.