HACKING AUSTRALIA

The Daily Beast: Hacking Ring Steals Up To $1B From Banks.

2015-02-16T17:24:00.001+11:00

An international hacking ring that's been active since at least the end of 2013 has stolen up to $1 billion from banks around the world, according to a cybersecurity firm report released Monday.

The group has breached more than 100 banks in 30 countries through methods including programming ATMs to release money at certain times and transferring money to fake accounts, according to Russian security company Kaspersky Lab. The hackers become familiar with banks' systems through phishing, taking screen shots as well as filming employees using work computers, the report said.

The theft targets banks instead of customers, which means the hackers are focused on stealing money rather than information, according to Kaspersky principal security researcher Vicente Diaz.

Financial institutions in the U.S., Russia, Germany, China and Ukraine have been targeted, but the hackers may be casting a bigger net to include banks in Africa and Europe.

Source: http://google.com/newsstand/s/CBIw68zrvyA

A deep look into the Brazilian underground cyber-market

2014-11-23T10:46:00.000+11:00

Trend Micro has published a new study on black cyber-markets focusing on product and services offered on the Brazilian underground.

Trend Micro has published a new interesting report on the underground cyber-markets, this is a third study focused on the Brazilian cyber-underground offer, the previous ones analyzed Russian and Chinese marketplaces.

The new study, exactly like previous analysis, describes a thriving marketplace where cyber criminals proposes their services and products to criminal crews that instead of creating their own attack tools from scratch could benefit of the competitive offer. The study reports the principal solution and services proposed to the crooks in a model of sale known as crime-as-a-service that is able to attract new actors in the cyber arena.

A first data that immediately catches the attacention of the experts is decrease of prices recently offered, this is a further element of attractive for criminals that look to the cyber crime with increasing interest.

“The barriers to launching cybercrime have decreased. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil. These have become popular means to sell products and services to cybercriminals in the said countries. Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.” states the ‘The Brazilian Underground Market’ report.

Another element of distinction between the Brazilian underground and the Russian and Chinese ones, is the availability of training services, for this reason the Brazilian underground ecosystem is also considered as the market for cybercriminal Wannabes.

“What distinguishes the Brazilian underground from others is the fact that it also offers training services for cybercriminal wannabes,” according to the whitepaper. “Cybercriminals in Brazil particularly offer FUD (fully undetectable) crypter programming and fraud training by selling how-to videos and providing support services via Skype. Anyone who is Internet savvy and has basic computing knowledge and skill can avail of training services to become cybercriminals. How-to videos and forums where they can exchange information with peers abound underground. Several trainers offer services as well. They even offer support when training ends.”

The Brasilian cyber criminals seem to be more ruthless in the use of media platforms like Facebook, YouTube, Twitter, Skype, and WhatsApp, differently from Russian and Chinese players that “hide in the Deep Web and use tools that ordinary users do not such as Internet Relay Chat (IRC) channels”

For several years, Brazil has been known for the offer of banking Trojans, many malware were designed by Brazilian which targeted internal banking users and that implemented several techniques to steal victims’

credentials. Brazil ranks second worldwide in terms of online banking fraud and malware infection, on a global scale it accounts for almost 9% of the total number of online-banking malicious code that compromised

Banking Trojan source codes are sold for around US$386 each, the offer allows buyers to modify their codes according their needs, they can obfuscate strings, customize the composition of payloads and add crypters and other solution to evade the detection. Another product very popular are Bolware kits and toolkits used to create bolware that are offered for around US$155, the applications offered by cybercriminals are user-friendly and implements an easy to use control panel for monitoring and managing infections and malicious activities.

The Brazilian underground also offers a bank fraud courses for aspiring cyber-criminals, the courses are very articulated and propose detailed information for beginners to the criminal activities. The courses starts presenting the fraud workflow and tools necessary to arrange a cyber fraud. Some coursed are arranged in modules that propose interesting information on the illegal practices to cybercriminal wannabes that can acquire also interactive guides and practical exercises (e.g., simulating attacks). A 10-module corse for example is offered for US$468, the operators also offer updates and a Skype contact service.

According to the author of the study on the Brazilian underground market, Trend Micro Senior Threat Researcher Fernando Merces, several factors have contributed to the growth of cyber-criminal activity in the country like limited resources assigned to law enforcement and the existence of a flexible underground market.

“For example, Brazil has a lack of concrete laws and limited law enforcement agency resources that address cybercrime in the country,” he noted. “Additionally, the technological and consumer landscape in Brazil, which has a 50% Internet penetration rate, and a 69% credit card penetration rate, has made the country all too appealing for cybercriminals. However, another factor may have also contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable as this is the most unique item in the market, which may not be found in other underground markets.” explained Merces in a blog post.

The report details prices and products for many other products and services, including Credit card credentials and number generators, SMS-spamming services and phishing pages for popular banks.

Let me close the post with a meaningful statement from the author of the study that explain how is simple today to become a dangerous cyber criminals with limited resources.

“In Brazil, it’s possible to start a new career in cybercrime armed with only US$500,” Merces blogged. “Would-be cybercriminals are supported and helped by tools, forums, and experts from the dark side of the Internet. These bad guys do not fear the authorities and their groups get bigger in a short span of time.”

Let me suggest you to read the full report published by Trend Micro, it is full of interesting data.

Pierluigi Paganini

(Security Affairs – Brazilian underground, cybercrime)

The post A deep look into the Brazilian underground cyber-market appeared first on Security Affairs.

View article...

New technique makes phishing sites easier to create, more difficult to spot.

2014-11-06T21:28:00.001+11:00

Posted on 05 November 2014.

Researchers have spotted a new technique used by phishers which could trick even more users into believing they are entering their information in a legitimate web form.

Instead of replicating as faithfully as possible a legitimate website - for example an e-commerce site - the attackers need only to set up a phishing page with a proxy program which will act as a relay to the legitimate site, and create a few fake pages for when users need to enter their personal and financial information.

"So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user," Trend Micro Senior Threat Researcher Noriaki Hayashi explains.

"It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response."

In the spotted attack, users are directed to the malicious site by clicking on a search result they got by entering a product's name. The attackers used a number of blackhat SEO techniques to make the URL appear in the results. But spam emails and messages can also be used to lure potential victims to the malicious site.

The actual attack begins when the user clicks on the “Add to Basket” button on the legitimate site - the attacker has re-written the function so that the user is redirected to a spoofed e-cart page that leads to more fake pages simulating the checkout process.

The first page asks the victims to enter their personal information (name, address, phone number) as well as their email address and password. The second one requests the entry of credit card information (including the card's security code). The third one asks for additional information that is sometimes required to authorize a transaction.

Once the victims have submitted all this information, they will receive a fake confirmation email for the purchase to the email address submitted - and the illusion is complete.

"So far, we have only identified this attack targeting one specific online store in Japan. However, if this attack becomes more prominent, it could become a very worrying development: this makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites," Hayashi noted.

This approach makes phishing websites much easier to set up, and very difficult for the owners of the legitimate websites to detect.

Undoubtedly, we'll be seeing more similar attacks in the future.

How To Protect Yourself From Phishing Scams

2014-10-12T20:55:00.001+11:00

By: Nadia_Kovacs Posted: 30-Sep-2014 | 10:16AM

October is National Cyber Security Awareness month. Phishing is one of the oldest tricks in the Internet book that tries to trick you out of divulging your personal information. This is part 4 in a series of blog posts we will be publishing on various topics aimed at educating you on how to stay protected on today’s Internet landscape.

Phishing is essentially an online con game and phishers are nothing more than tech-savvy con artists and identity thieves. They use SPAM, malicious web sites, email messages and instant messages to trick people into divulging sensitive information, such as bank and credit card accounts, usernames and passwords.

How Do You Know It’s A Scam?

There are different forms of phishing tactics. Criminals may try to trick you into giving away your personal information via emails, Social Media messages, IMs, text messages, and even Internet chat rooms. Sometimes criminals may try to fool you into installing a malicious program, known as spyware, which can track and record the information you enter into your computer. Below are some of the commonly used tactics and warning signs you should be on the lookout for:

Phishers, pretending to be legitimate companies, may use email to request personal information and direct recipients to respond through malicious websites. Phishers have been known to use real company logos, and will also use a spoofed email address, which is an email address that is similar to the actual company’s address. However, the address may be misspelled slightly or come from a spoofed domain.
Emails may come in the form of a help desk support ticket, a message from your bank, or from someone soliciting money via a 419 scam.
Phishers tend to use a call to action. You may get a notice that an account is being shut down and you need to log into it to avoid that from happening. They may also request personal information in order to verify your identity.
Phishing websites can look remarkably like legitimate sites because they tend to use the copyrighted images the original sites.
Fraudulent messages are often not personalized and will often have misspellings of words and company names.

How Do You Know If You Have Spyware?

Spyware can be downloaded from web sites, email messages, instant messages, and from direct file-sharing connections. Additionally, a user may unknowingly receive spyware by installing a software program, and the spyware piggybacks onto that installation as additional suggested software. Users may also be unaware that some browser add-ons contain spyware.

Spyware frequently attempts to remain unnoticed, either by actively hiding or by simply not making its presence on a system known to the user. However, sometimes there can be signs that you may be infected:

Your computer starts to run slower than usual.
You start to receive an unusual amount of pop up ads.
There are new toolbars on your browser that you did not install.
Your browser’s home page has changed to a page that you are unfamiliar with.
Your web searches become redirected to other spam sites.

How Do I Avoid Spyware?

Be selective about what you download to your computer.
Watch out for anti-spyware scams.
Beware of clickable ads.
Use Norton Security to provide anti-spyware protection and proactively protect from other security risks.
Do not accept or open suspicious error dialogs from within the browser.
Spyware may come as part of a "free deal" offer - do not accept free deals.
Keep software and security patches up to date.

How Do I Protect My Privacy?

If you happen to run across any of these red flags, here are some tips to keep yourself safe and protect your privacy:

Never give out any personal information via email, social media platforms, text messages or instant messages.
If the call to action is to click on a link and sign into the site with your username and password, never click on the link. Instead, go to your web browser and type in the website’s URL. Be sure to look for the verified https:/ at the beginning of the URL in the task bar.
Never download a program or file from a suspicious email. These may contain programs such as spyware and keyloggers.

How Can You Help?

Please contact the Symantec Security Response team if:

This is part 4 of a series of blogs for National Cyber Security Awareness Month (link is external).

For more information on various topics, check out:
5 Ways You Didn't Know You Could Get a Virus, Malware, or Your Social Account Hacked
How To Choose a Secure Password
How To Avoid Identity Theft Online
How To Protect Yourself From Cyberstalkers

Avoid using Instagram on public Wi-Fi...

2014-07-30T16:50:00.000+10:00

A configuration problem in Facebook's popular Instagram application for Apple devices could allow a hacker to hijack a person's account if they're both on the same public Wi-Fi network.

Stevie Graham, who describes himself as a "hacker at large" based in London, wrote on Twitter that Facebook won't pay him a reward for reporting the flaw, which he said he found years ago.

Graham wrote he hopes to draw more attention to the issue by writing a tool that could quickly compromise many Instagram accounts. He cheekily calls the tool "Instasheep," a play onFiresheep, a Firefox extension that can compromise online accounts in certain circumstances.

"I think this attack is extremely severe because it allows full session hijack and is easily automated," according to Graham's technical writeup. "I could go to the Apple Store tomorrow and reap thousands of accounts in one day, and then use them to post spam."

Graham's finding is a long-known configuration problem that has prompted many Web companies to fully encrypt all connections made with their servers. The transition to full encryption, signified by "https" in a browser URL bar and by the padlock symbol, can be technically challenging.

Instagram's API (application programming interface) makes unencrypted requests to some parts of its network, Graham wrote. That poses an opportunity for a hacker who is on the same Wi-Fi network that doesn't use encryption or uses the outdated WEP encryption, which can be easily cracked.

Some of those Instagram API calls transmit an unencrypted session cookie, or a data file that lets Instagram know a user is still logged in. By collecting the network traffic, known as a man-in-the-middle attack, the session cookie can be stolen and used by an attacker to gain control of the victim's account.

Facebook officials didn't have an immediate comment, but Instagram's co-founder, Mike Krieger, wrote on Ycombinator's Hacker News feed that Instagram has been "steadily increasing" use of full encryption.

Its "Instagram Direct" service, which allows photos to be shared with only small groups of people, is fully encrypted, he wrote. For more latency-sensitive endpoints, such as Instagram's main feed, the service is trying to make sure the transition to https doesn't affect performance, he wrote.

"This is a project we're hoping to complete soon, and we'll share our experiences in our [engineering] blog so other companies can learn from it as well," Krieger wrote.

Google offered full encryption as an option for Gmail in 2008, but two years later made it the default. Facebook switched it on by default in January 2011

Jeremy Kirk (IDG News Service) on 29 July, 2014 15:47

Source: http://www.computerworld.com.au/article/551120/using_instagram_public_wi-fi_poses_risk_an_account_hijack_researcher_says

¿Qué tienen en común un phishing y una imagen?

2014-07-14T15:44:00.002+10:00

Recientemente hemos recibido en el Laboratorio de Investigación de ESET Latinoamérica un phishing del banco BBVA, al cual se accedía desde un correo en Perú. Aunque ya hemos visto casos parecidos en Argentina, España y también en Chile, este nos llamó la atención y procederemos a describirlo en detalle, porque estaba compuesto pura y exclusivamente por imágenes. Esto significa que no contenía archivos de programación HTML ni PHP; no tenía trabajo de programación web alguno, sino que sólo eran imágenes.

Antes que nada, debemos aclarar que no hay una vulnerabilidad en el sitio oficial, solo es una réplica exacta creada con imágenes y pequeños programas que se encargan de robar la información. Aquí cabe destacar que estas entidades financieras y demás servicios de Internet intentan acabar con estos sitios de estafas para proteger a los usuarios, por lo que estas campañas exceden a las empresas.

Por eso, queremos mostrarles el funcionamiento de este tipo de estafas, para que desde sus hogares puedan detectarlas sin la necesidad de conocimiento técnico.
La trampa que hoy analizamos estaba destinada a robar información de usuarios y empresas. A continuación mostramos una captura del correo que recibía la víctima:

Buscando en el cuerpo del mensaje llegamos a ese recuadro gris donde se encuentra el cursor, donde se encuentra el botón para acceder al enlace malicioso (por algún motivo no aparece el botón pero sí permite acceder al enlace).

Una vez que se accede a ese sitio fraudulento, la víctima se encontrará con el siguiente portal:

Al hacer clic en la solapa “Persona” y luego en el botón de color verde (botón llamativo a la derecha), el portal invita a la víctima a ingresar con su número de tarjeta y su clave personal. En la siguiente captura se aprecia el modo de ingreso:

Debemos destacar que se podía acceder ingresando cualquier número de tarjeta y cualquier contraseña, mientras que una entidad oficial verifica el número de tarjeta y comprueba la contraseña; también cabe remarcar que después de algunos intentos fallidos de ingreso, el usuario es bloqueado. Un detalle que se puede apreciar en la primer pestaña: la letra “V” de la entidad está compuesta por barra y contra barra (\/), formando una V.

Una vez dentro de la supuesta cuenta, el sitio comenzará a solicitar información personal sensible, aparte de la información bancaria, tal como se observa en la siguiente captura:

Como puede verse en el ejemplo, solicita número de documento o identificación, teléfono móvil, ciudad, dirección y también fecha de caducidad. Pero algo interesante para prestar atención, es el código ATM de 4 dígitos que solicita, es decir que también pide la contraseña para acceder desde un terminal (cajero automático).

Una vez completados los datos solicitados (en este caso con datos al azar), se procede a hacer clic en el botón “Continuar”, para procesar el formulario.

Como si todo esto no bastara, el sitio no posee SSL, por lo que no vemos “HTTPS” en la barra de direcciones. Esto significa que al capturar la comunicación entre el equipo de la víctima y el sitio en cuestión, se puede ver cómo toda la información viaja sin cifrar:

Como habrán visto, es necesario tener todos estos detalles en cuenta, los cuales bastarán para prevenir este tipo de fraudes sin tener conocimientos técnicos.

Desde el Laboratorio de Investigación de ESET Latinoamérica les recomendamos ser precavidos con este tipo de correos electrónicos, estos enlaces suelen ser engañosos y prácticas como pasar por encima de un menú sin que cambie el cursor, sin poder acceder a estos, puede ser un gran indicio de que se está simplemente frente a una imitación de la imagen de un sitio bancario y no tiene nada que ver con el sitio oficial.

A la hora de hacer consultas u operaciones de home banking recomendamos acceder al sitio oficial a través de sitios seguros con HTTPS. Afortunadamente, en el transcurso del análisis, el sitio fue dado de baja en el servidor donde estaba alojado, por lo cual ya no afectará a más víctimas. Pero no queríamos pasarlo por alto, para que vean lo simple que es detectar una estafa a tiempo.

Créditos imagen: ©palindrome6996/Flickr

Autor Ignacio Pérez, ESET

Boleto Malware: dos nuevas variantes descubiertas

2014-07-14T15:38:00.000+10:00

Hace pocos días se dio a conocer la existencia de Bolware o Boleto Malware, un fraude sofisticado en Brasil que involucra un ataque MITB (Man In The Browser), atacando transacciones en línea y modificándolas del lado del cliente. Ahora se han descubierto dos nuevas familias que apuntan al sistema de pago oficial Boleto Bancario de Brasil.

La compañía RSA, responsable del descubrimiento inicial, dijo que la sumatoria de las transacciones ilícitas con esta técnica habían logrado robar 3,75 mil millones de dólares, pero luego el sitio Linha Defensiva argumentó que era un cálculo inexacto y algo exagerado. De cualquier manera, la importancia del caso reside en que los Boletos representan alrededor del 30% de todas las transacciones de pago en línea en Brasil.

El malware en cuestion le permite al atacante interceptar las transacciones utilizando este sistema alterando información financiera que se ingresa en los sitios afectados. Una de las nuevas variantes es capaz de modificar el Document Object Model (DOM) en diferentes versiones de Internet Explorer, lo que le permite cambiar los datos internos de los sitios afectados.

La otra descarga e instala extensiones maliciosas en Firefox y Chrome, luego de lo cual escanea sitios en busca de números de Boletos Bancarios, para alterarlos y sustituirlos por otros números predefinidos, y desviar fondos desde cuentas de clientes hacia cuentas “mula”. Investigadores de Trusteer, una compañía de IBM, encontraron que aproximadamente una de cada 900 computadoras en Brasil está infectada con alguna forma de Bolware, lo cual no nos sorprende si tenemos en cuenta que Brasil es el líder en la propagación de troyanos bancarios.

En términos de seguridad, el único consejo válido aquí es la prevención: si el malware no es identificado en el dispositivo, todos los métodos de prevención posteriores como autenticación pueden ser salteados por el atacante. Por lo tanto, no está de más recordar la importancia contar con una solución de seguridad.

Créditos imagen: ©Pedro J. Concha/Flickr

El post Boleto Malware: dos nuevas variantes descubiertas aparece primero en We Live Security en Español.

Autor Sabrina Pagnotta, ESET

Tip Of The Day! - Don't enter your username and password on any computer you don't control.

2014-06-06T11:16:00.000+10:00

Using public computers will always carry the risk of exposing your personal data. "Public" computers — as in college library computers.

A Kentucky college student has been charged with identity theft and unlawful access to a computer for allegedly breaking into other students' email accounts at the University of the Cumberlands, and using the access and information to blackmail them.

He did this by allegedly placing spyware on computers at the college library to harvest the information he needed to access the email accounts. Then he threatened to divulge the contents of certain messages unless the students complied with his demands.

For more information: http://blogs.techrepublic.com.com/10things/?p=322

Tip Of The Day! - Change the combination on opened laptop locks.

2014-06-04T16:12:00.001+10:00

When people have cables with combination locks for securing their laptops at their workstation, they always remember to turn the tumblers when they secure the laptop. But what happens when they unsecure the laptop?

Many people won't turn the tumblers on the opened lock because it is much easier to lock the laptop later if the combination is already set. About half a dozen laptops in our office disappeared one day.

The laptops were stolen by someone who came by when the laptops were not there and noted the combination. They came back later when the laptops were there and used the combination they had noted earlier.

Source: http://www.sans.org/tip_of_the_day.php#72

Tip Of The Day! - Prevent USB Drives from Spreading Viruses

2014-06-03T15:54:00.000+10:00

When you stick a thumb drive infected with a worm like Conficker/Downadup into a clean system, the normally handy AutoPlay feature launches the worm and spreads the infection.

You can prevent this by flipping the master switch.

Here's how:

Click on the "Start" button and pick "Run."
Enter the text GPEDIT.MSC and press Enter. After a moment, the Group Policy editor window will open.
In the left panel, double-click on "Computer Configuration."
Double-click on "Administrative Templates."
Double-click on "System."
In the right panel near the bottom of the list, double-click on "Turn off autoplay."/
The default setting is the "Not configured." Put a bullet in "Enabled."
Make sure "Turn off Autoplay on:" is set to "All drives."
Click on "Apply," and then "OK".
Close the Group Policy editor window.

Source: http://www.sans.org/tip_of_the_day.php#1257

Ransomware: Why This New Malware is So Dangerous and How to Protect Yourself

2013-10-26T13:57:00.001+11:00

Published on October 25th, 2013 | Written by: Chris Hoffman

Ransomware is a type of malware that tries to extort money from you. One of the nastiest examples, CryptoLocker, takes your files hostage and holds them for ransom, forcing you to pay hundreds of dollars to regain access.Most malware is no longer created by bored teenagers looking to cause some chaos. Much of the current malware is now produced by organized crime for profit and is becoming increasingly sophisticated.

How Ransomware Works

Not all ransomware is identical. The key thing that makes a piece of malware “ransomware” is that it attempts to extort a direct payment from you.Some ransomware may be disguised. It may function as “scareware,” displaying a pop-up that says something like “Your computer is infected, purchase this product to fix the infection” or “Your computer has been used to download illegal files, pay a fine to continue using your computer.”In other situations, ransomware may be more up-front. It may hook deep into your system, displaying a message saying that it will only go away when you pay money to the ransomware’s creators. This type of malware could be bypassed via malware removal tools or just by reinstalling Windows.Unfortunately, Ransomware is becoming more and more sophisticated. One of the latest examples, CryptoLocker, starts encrypting your personal files as soon as it gains access to your system, preventing access to the files without knowing the encryption key. CryptoLocker then displays a message informing you that your files have been locked with encryption and that you have just a few days to pay up. If you pay them $300, they’ll hand you the encryption key and you can recover your files. CryptoLocker helpfully walks you through choosing a payment method and, after paying, the criminals seem to actually give you a key that you can use to restore your files.You can never be sure that the criminals will keep their end of the deal, of course. It’s not a good idea to pay up when you’re extorted by criminals. On the other hand, businesses that lose their only copy of business-critical data may be tempted to take the risk — and it’s hard to blame them.

Protecting Your Files From Ransomware

This type of malware is another good example of why backups are essential. You should regularly back up files to an external hard drive or a remote file storage server. If all your copies of your files are on your computer, malware that infects your computer could encrypt them all and restrict access — or even delete them entirely.RELATED ARTICLEWhat Files Should You Backup On Your Windows PC?Everybody always tells you to make sure that you are backing up your PC, but what does that really mean? And what files do you actually need to backup? Today we'll walk you through the basics of backing up your PC, what you should back up, and why. [Read Article]When backing up files, be sure to back up your personal filesto a location where they can’t be written to or erased. For example, place them on a removable hard drive or upload them to a remote backup service like CrashPlan that would allow you to revert to previous versions of files. Don’t just store your backups on an internal hard drive or network share you have write access to. The ransomware could encrypt the files on your connected backup drive or on your network share if you have full write access.Frequent backups are also important. You wouldn’t want to lose a week’s worth of work because you only back up your files every week. This is part of the reason why automated back-up solutions are so convenient.If your files do become locked by ransomware and you don’t have the appropriate backups, you can try recovering them with ShadowExplorer. This tool accesses “Shadow Copies,” which Windows uses for System Restore — they will often contain some personal files.

How to Avoid Ransomware

RELATED ARTICLE10 Important Computer Security Practices You Should FollowAntivirus programs aren’t perfect — especially Microsoft Security Essentials. If you’re relying on your antivirus alone to protect you, you’re... [Read Article]Aside from using a proper backup strategy, you can avoid ransomware in the same way you avoid other forms of malware. CryptoLocker has been verified to arrive through email attachments, via the Java plug-in, and installed on computers that are part of the Zeus botnet.Use a good antivirus product that will attempt to stop ransomware in its tracks. Antivirus programs are never perfect and you could be infected even if you run one, but it’s an important layer of defense.Avoid running suspicious files. Ransomware can arrive in .exe files attached to emails, from illicit websites containing pirated software, or anywhere else that malware comes from. Be alert and exercise caution over the files you download and run.Keep your software updated. Using an old version of your web browser, operating system, or a browser plugin can allow malware in through open security holes. If you have Java installed, you should probably uninstall it.For more tips, read our list of important security practices you should be following.Ransomware — CryptoLocker in particular — is brutally efficient and smart. It just wants to get down to business and take your money. Holding your files hostage is an effective way to prevent removal by antivirus programs after it’s taken root, but CryptoLocker is much less scary if you have good backups.This sort of malware demonstrates the importance of backups as well as proper security practices. Unfortunately, CryptoLocker is probably a sign of things to come — it’s the kind of malware we’ll likely be seeing more of in the future.

SB13-280: Vulnerability Summary for the Week of September 30, 2013

2013-10-08T17:30:00.000+11:00

There are 20 fresh security patches in Google Chrome, including fixes for a number of high-severity vulnerabilities. Google regularly pushes out new versions of its browser every few weeks, and sometimes will only have a handful of security fixes. Chrome users should update their browsers as soon as possible to protect against attacks using these vulnerabilities.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

· High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

· Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

· Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Here is the list:

High Vulnerabilities

Primary Vendor -- Product	Description	Published	CVSS Score	Source & Patch Info
google -- chrome	Use-after-free vulnerability in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to inline-block rendering for bidirectional Unicode text in an element isolated from its siblings.	2013-10-02	7.5	CVE-2013-2909
google -- chrome	Use-after-free vulnerability in modules/webaudio/AudioScheduledSourceNode.cpp in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.	2013-10-02	7.5	CVE-2013-2910
google -- chrome	Use-after-free vulnerability in the PepperInProcessRouter::SendToHost function in content/renderer/pepper/pepper_in_process_router.cc in the Pepper Plug-in API (PPAPI) in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a resource-destruction message.	2013-10-02	7.5	CVE-2013-2912
google -- chrome	Use-after-free vulnerability in the RenderBlock::collapseAnonymousBlockChild function in core/rendering/RenderBlock.cpp in the DOM implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect handling of parent-child relationships for anonymous blocks.	2013-10-02	7.5	CVE-2013-2918
google -- chrome	Google V8, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.	2013-10-02	7.5	CVE-2013-2919
google -- chrome	Multiple unspecified vulnerabilities in Google Chrome before 30.0.1599.66 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.	2013-10-02	7.5	CVE-2013-2923
google -- chrome	Use-after-free vulnerability in International Components for Unicode (ICU), as used in Google Chrome before 30.0.1599.66 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.	2013-10-02	7.5	CVE-2013-2924

Medium Vulnerabilities

google -- chrome	Multiple race conditions in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to threading in core/html/HTMLMediaElement.cpp, core/platform/audio/AudioDSPKernelProcessor.cpp, core/platform/audio/HRTFElevation.cpp, and modules/webaudio/ConvolverNode.cpp.	2013-10-02	6.8	CVE-2013-2906
google -- chrome	The Window.prototype object implementation in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.	2013-10-02	5.0	CVE-2013-2907
google -- chrome	Google Chrome before 30.0.1599.66 uses incorrect function calls to determine the values of NavigationEntry objects, which allows remote attackers to spoof the address bar via vectors involving a response with a 204 (aka No Content) status code.	2013-10-02	5.0	CVE-2013-2908
google -- chrome	Use-after-free vulnerability in the XSLStyleSheet::compileStyleSheet function in core/xml/XSLStyleSheetLibxslt.cpp in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of post-failure recompilation in unspecified libxslt versions.	2013-10-02	6.8	CVE-2013-2911
google -- chrome	Use-after-free vulnerability in the XMLDocumentParser::append function in core/xml/parser/XMLDocumentParser.cpp in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving an XML document.	2013-10-02	6.8	CVE-2013-2913
google -- chrome	Use-after-free vulnerability in the color-chooser dialog in Google Chrome before 30.0.1599.66 on Windows allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to color_chooser_dialog.cc and color_chooser_win.cc in browser/ui/views/.	2013-10-02	6.8	CVE-2013-2914
google -- chrome	Google Chrome before 30.0.1599.66 preserves pending NavigationEntry objects in certain invalid circumstances, which allows remote attackers to spoof the address bar via a URL with a malformed scheme, as demonstrated by a nonexistent:12121 URL.	2013-10-02	4.3	CVE-2013-2915
google -- chrome	Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to spoof the address bar via vectors involving a response with a 204 (aka No Content) status code, in conjunction with a delay in notifying the user of an attempted spoof.	2013-10-02	4.3	CVE-2013-2916
google -- chrome	The ReverbConvolverStage::ReverbConvolverStage function in core/platform/audio/ReverbConvolverStage.cpp in the Web Audio implementation in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the impulseResponse array.	2013-10-02	5.0	CVE-2013-2917
google -- chrome	The DoResolveRelativeHost function in url/url_canon_relative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/substring.	2013-10-02	5.0	CVE-2013-2920
google -- chrome	Double free vulnerability in the ResourceFetcher::didLoadResource function in core/fetch/ResourceFetcher.cpp in the resource loader in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering certain callback processing during the reporting of a resource entry.	2013-10-02	6.8	CVE-2013-2921
google -- chrome	Use-after-free vulnerability in core/html/HTMLTemplateElement.cpp in Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that operates on a TEMPLATE element.	2013-10-02	6.8	CVE-2013-2922

¿Podemos fiarnos de TrueCrypt?

2013-07-27T16:16:00.001+10:00

Nadie discute que hoy día el estándar de facto para cifrar discos duros / datos en un HD es TrueCrypt.

Funciona bien, es un software muy estable, y está disponible para múltiples plataformas.

Pero ¿Nos podemos fiar de TrueCrypt? ¿Es realmente un software libre de toda sospecha? ¿Podría ser un 'honeypot' de la CIA?

Hace tiempo encontré un post en el que se apuntaban ciertas partes oscuras con respecto a TrueCrypt y sobre quién está tras el proyecto. Todo lo que se expone es muy 'conspiranoico' pero es cierto que proyecta sombras sobre el proyecto. No obstante, después de Stuxnet, Flame y amigos, la capacidad de asombro y de negación ha quedado muy mermada.

El artículo original plantea las siguientes cuestiones (mis comentarios personales sin negrita):

El dominio truecrypt.org se registró con una dirección falsa, en concreto 'NAVAS Station, Antarctica'. Esto, per se, a mi no me parece nada sospechoso, mucha gente lo hace.

Nadie sabe quienes son los desarrolladores de TrueCrypt (su identidad, se desconoce). Esto SI me parece algo a tener muy en cuenta, me parece genial que en ciertos foros donde se liberan herramientas más 'ofensivas', estas herramientas sean firmadas por pseudos o nicks, pero todo lo que tenga que ver con criptografía debe ser totalmente transparente.

Los creadores de TrueCrypt trabajan gratis. Aseveración un poco discutible en mi opinión. Mucha gente trabaja 'gratis' en proyectos opensource, escribe blogs, etc etc.

Compilar TrueCrypt es complicado. Lo que apuntan en el post original es que, la mejor forma de incentivar la descarga de binarios pre-compilados por el equipo de TrueCrypt es hacer complicada la compilación del software. Tiene lógica
La licencia de TrueCrypt no es realmente OpenSource. Bueno, tampoco indica nada en especial, es cierto que TrueCrypt ha sido rechazado de muchas distribuciones Linux (en el post citan a Fedora), pero eso no lo tiene porque hacer necesariamente sospechoso
El código de TrueCrypt nunca ha sido auditado. El autor del post se queja de que nadie ha publicado un estudio sobre el código de TrueCrypt, en parte tiene razón, pero resulta muy aventurado decir que nadie lo ha hecho. Lo que si está claro es que si alguien realiza esa auditoría y encuentra algo, es su pasaporte a la fama. Cuesta creer que nadie haya puesto sus ojos en el tema.

Existe censura en los foros de TrueCrypt. Parece que en los foros de TrueCrypt no se puede hablar de otras soluciones de cifrado ni de herramientas para atacar a TrueCrypt.

No seré yo quien desacredite un producto como TrueCrypt que tantas alabanzas ha cosechado, pero del post original, tengo que decir que hay varios puntos que sí me preocupan bastante.

Lo de la identidad desconocida es bastante grave, ¿usarías un algoritmo de cifrado del que desconozcas su autoría? probablemente no, como decía más arriba, criptografía = transparencia como axioma

Respecto a introducir un backdoor en el software, es técnicamente posible, y voy mas allá: de estar ahí, puede ser REALMENTE complicado encontrarlo. Y si no, que se lo digan a Theo

Que cada cual saque sus propias conclusiones.

Source:
http://t.co/0CR23MDubN

OFFTOPIC: DC SHOES: KEN BLOCK'S GYMKHANA FIVE: ULTIMATE URBAN PLAYGROUND; SAN FRAN...

2012-07-11T10:37:00.001+10:00

Did you know that tagcloud.swf allows CrossSite Scripting?

2012-03-22T07:30:00.000+11:00

I would like to warn you about security vulnerabilities in plugin WP-Cumulus for WordPress. These are Full path disclosure and Cross-Site Scripting vulnerabilities. Which is a web-application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern web browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

Full path disclosure:

http://site/wp-content/plugins/wp-cumulus/wp-cumulus.php

XSS:

http://site/wp-content/plugins/wp-cumulus/tagcloud.
swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:
alert(document.cookie)'+style='font-size:
+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Code will execute after click. It's strictly social XSS. There are a lot of vulnerable tagcloud.swf file in Internet (according to Google):

http://www.google.com.au/search?q=filetype:swf+inurl:tagcloud.swf

So to all flash developers, I recommend you to attend to security of their flash files. And for the owners of sites, with vulnerables flashes like tagcloud.swf, fix them or turn over to your development team to fix it.

Kind Regards,

Alfredo Cedeno

IT Security Analyst & Advisor
http://ajcborges.blogspot.com

Phishing gang steals victim's life savings of $1.6M

2012-03-21T07:30:00.000+11:00

By Tom Espiner, ZDNet UK, 15 March, 2012 16:09

The 12 men and two women were detained on Thursday morning in raids in London and the West Midlands. More arrests may follow in the coming days, according to Metropolitan Police Central eCrime Unit (PCeU) head Charlie McMurdie.

"These were dawn raids," McMurdie told ZDNet UK. "Enquiries are still ongoing regarding potential further arrests."

The phishing gang sent out unsolicited emails with links to a fake banking website. It used a series of bank accounts assigned to individual 'money mules' to launder £1m siphoned from the life-savings account of one woman who had divulged her details. The cash was transferred via the internet, the Metropolitan Police said in a statement.

"The stolen money was spent over a three-day period, after suspects embarked on a spending spree during the Christmas sales," the Met said. "The victim, a UK citizen currently living abroad after relocating to care for an ill relative, saw her savings disappear overnight after her bank account details were illegally obtained and unauthorised access to the account was gained."

The suspected 'money mule' launderers received between £9,000 and £75,000 each from the account. All of the 14 suspects were in custody at the time of writing, according to the Met.

Around 150 police officers were involved in the operation. They included members of the PCeU, 50 special constables, and police from three regional e-crime hubs in the East Midlands, York and Humber, and the North West.

"We wanted to make the best use of resources in relation to where the suspects were located," McMurdie said.

The police said the "sophisticated" phishing operation highlighted the need for people to take care when doing banking online, warning the public not to click on links in unsolicited emails.

"This is an example of how cybercrime creates real victims through the indiscriminate actions of the criminals involved," Detective Inspector Stewart Garrick said in the PCeU's statement.

Article Source.
Dawn raids net 14 suspects in £1m phishing thef
Security Threats | ZDNet UK http://goo.gl/MYzKu

Identify a Phishing Message in Five Steps

2012-02-15T07:30:00.000+11:00

From IT Business Edge

Spear phishing, a type of email spoof, targets individuals or departments within organizations and attempts to elicits a desired action that could install malware, compromise login names and passwords and steal data. Use Paul Mah's simple checklist to spot potential phishing messages.

From the network breach at RSA to theft of intellectual property in Operation Aurora, it is no secret that some of the most visible hacking involves the use of spear phishing. A targeted form of phishing that is custom-made for a specific organization, a spear phishing email message seeks to elicit a desired action that could result in a Trojan being loaded, or the unintended leaking of confidential or privileged data.

As Paul Mah has written in the past, defending against spear phishing is a challenging task that mandates some amount of user training. To assist organizations on this front, Paul has come up with a simple checklist to help identify a potential phishing message.

To have access to Paul's checklist visit the following URL:

http://goo.gl/lmpZR

This February 14 be a Valentine not a Victim

2012-02-14T07:30:00.000+11:00

As Valentine’s Day approaches, Better Business Bureau of Southern Arizona warns that Cupid’s arrow may be aimed directly at consumers’ wallets. Those who find themselves awash in love’s emotion should remember that con artists thrive on the fact that emotion can trump logic.

There are three categories of scams that we all should be aware of at this romantic season as well as throughout the year.

Online Dating

Their photo may be attractive and their story may sound compelling but that person you met through an online dating site may turn out to be the very opposite of your soul mate. Photos, profiles and stories can be easily faked on dating sites. One common tactic is to claim to be a successful overseas businessperson with no family.

After what seems like sincere conversation in which many questions are asked of you, the scammer can skillfully employ psychology to say precisely what you want to hear.

Once the ice is broken and a comfort level has been reached on your part, the heart of the matter is arrived at: they need financial assistance. They may want you to cash a check for them or otherwise help them out of a financial difficulty. It could be travel expenses, medical expenses or some other type of debt. At any rate it is your money less than your heart that they are after. MoneyGram, one of the major global money transfer companies, has estimated that romance scams defraud victims of over $10,000 for each occurrence. For those so victimized, whatever the amount, a website called romancescams.org can be helpful.

Online Florists

When love is in bloom many rely on the traditional symbol of thoughtfulness, the bouquet, to convey their feelings for that special person. But be aware that online florists are not always reliable. If the flowers that are actually received by your loved one are inferior arrangements from those ordered, or even not delivered at all, it can be a wilting experience.

Scammers may send you emails saying that the flowers you ordered cannot be delivered unless you log in to their site and re-enter your credit card information. These emails are sent out in large numbers hoping to eventually find the inboxes of someone who has really sent flowers to their sweetheart. They are playing on consumers emotions by planting the fear that the bouquet may not reach the intended and that person will feel forgotten on Valentine’s Day. If you think the message may be legitimate, go to the florist’s website or give them a phone call, using the original site from which you ordered rather than the link on the email.

The best way to assure that flowers reach your beloved just as you ordered them is to rely on a local florist. A website devoted to uncovering florist scammers can be found at floristdetective.com.

E-card Scams

Phishing attempts abound around the e-card industry. A frequently used technique is to email a message saying you have a card waiting to be viewed. You are then directed to a fake website that resembles a popular site like Hallmark or American Greetings.

Once you are there a prompt tells you to download the latest version of Flash Player in order to view the e-card. Click that link and a virus is quickly downloaded and attacks your computer. Instead of having your loved one steal your heart, a scammer has stolen your identity.

Consumers should always exercise care in opening emails, links or attachments from those you do not know. Especially suspicious are unsolicited messages with subject lines saying “Someone just sent you an e-card” or “Send your loved one a Valentines Card today.”

Avoid becoming victimized by scammers who rely on the old adage that “love is blind.” Keep a clear head and open eyes this Valentine’s Day. Contact BBB by calling (520)888-5353 with questions or concerns if you think someone is going less for your heart and more for your wallet.

Source Article: http://goo.gl/zaSED by bbbconsumeralert

Hackers Ask 'Will You Be My Valentine?'

2012-02-13T07:30:00.000+11:00

by Tony Bradley (PC World (US online))

With Valentine's Day around the corner, cyber criminals are ramping up spam, phishing, and other attacks targeting the lover's holiday.

There are only five days to Valentine's Day. Those of you who are shocked by that revelation are prime targets for Valentine's Day related spam and phishing attacks as hackers hope to catch you with your guard down for this day of romance.

Messages targeting Valentine's Day are expected to quadruple globally in the coming days -- in part because cyber criminals are adept at targeting holidays and current events as bait for attacks. An offer for a dozen roses for $5 might get some traction any time of the year, but with the clock quickly counting down to Valentine's Day it has much higher odds of duping frantic lovers in search of a last minute gift.

A blog post from McAfee warns, "Many consumers look for a little romance on Valentine's Day, whether it is a thoughtful gift, a romantic getaway, or a heartfelt e-card, but if you're looking for these things online, beware."

McAfee points out a number of types of Valentine's Day themed threats you should be aware of:

Phishing Scams

Attackers will send out spam promoting bargains for flowers, romantic dinners, jewelry, or other Valentine's Day gift related themes. Clicking on the offer might take you to a malicious site that could compromise a vulnerable PC, or it could take you to a site that looks legitimate, and asks for your credit card, and other personal information to "complete the order".

Malicious eCards

Any holiday that traditionally involves giving and receiving cards is a prime target for cyber criminals. Everyone loves to receive a personalized greeting card -- especially if it seems to be from someone that may be romantically interested.

Seriously, though, what are the odds that someone you don't know decided to send you an ecard for Valentine's Day out of the blue? Right.

Mr. (or Mrs.) Wrong

Another scam to watch out for are fake profiles on online dating sites. Cyber criminals create online dating profiles designed to be as attractive as possible to lure unsuspecting love seekers. The idea is to make connections, and establish trust as a means to further criminal activity.

McAfee outlines some additional threats to watch out for in its blog post. To steer clear of Valentine's Day cyber threats, follow the basic principles of online common sense. Don't open emails or file attachments, or click on links from people or sources you are not familiar with -- and even if you do know the sender, think twice about whether that person would really send you a Valentine's Day email.

Another basic rule is that if it sounds too good to be true, it probably is. Don't fall for unbelievable last minute Valentine's Day gift ideas no matter how desperate you are for a gift.

Protect your wallet, your identity, and your heart by avoiding Valentine's Day cyber scams.

Source Article: http://goo.gl/NEVuU

Free Email Providers Launch DMARC.org To Prevent Phishing Scams

2012-02-10T07:30:00.000+11:00

Leading free email providers like Google, Microsoft and Yahoo are teaming up in an effort to prevent “phishing” scams. As WWJ’s Rob Sanford reports, the unprecedented effort was announced this week.

The companies have created a working group – DMARC.org – to promote a standard set of email technologies that they say will lead to more secure email.

According to its website, DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance,” standardizes how email receivers perform email authentication. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC.

With the rise of the social internet and e-commerce, spammers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards and more. Email is easy to manipulate and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.

CNET executive editor Molly Wood said phishing is threatening the legitimacy of email.

“I think it’s hard sometimes for these companies to work together. They don’t always think it’s in their best interest to come together, but I think it’s gotten to the point now where phishing scams are so prevalent, that all of these companies are worried that their customers are going to stop trusting their legitimate email,” said Wood.

The arrangement will not stop all spam or phishing but will stop what they call a “significant chunk” of malicious messages sent.

DMARC helps email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse. Find more information at DMARC.org.

Source: http://cbsloc.al/zhdnzo

I will NEVER ask for your password

2012-02-09T07:30:00.000+11:00

by Dick Craddock

There are a lot of bad things on the Internet, and few are worse than phishing scams. But there is a certain class of phishing scam that has earned a special level of disdain and disgust, at least from me. I’m talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.

Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any service, you can be sure, without a shadow of a doubt, that the email is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing scam using the “Mark As” menu.)

Phishing scams

Spammers want to send spam. That’s what they do. As I said in my last post, we’ve made it hard for them to send spam with new accounts due to the effectiveness of our account reputation work. So, spammers have turned to hijacking customer accounts in order to send more spam.

Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, Voila! Your account (and reputation) is hacked.

Spammers do this on all networks and all services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not discriminate, and no service is immune.

How my picture got out there

Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.

About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.

That decision has really come back to haunt me.

A gift to spammers

Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”

This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:

The bottom of that same email looks like this:

Yep. That’s me, all right. But that email is definitely not from me.

Even smart people fall for it

Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.

Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:

Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.

The telltale signs of a phishing message

As I’ve said, any email that asks for your password is a phishing scam and shouldn’t be trusted. You don’t need to look any further to know the message is a fake. Nonetheless, it’s interesting to see how “creative” the scammers can get. Here are some tactics scammers use to get people to provide their account info:

They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:

They provide a bogus reason for needing your password. The messages usually contain an introduction that offers a false explanation about why they need your password. Some of my favorites include:

“We are currently upgrading our data base and e-mail account center.”
“We are deleting all unused accounts to create more space for new accounts.”
“We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better.”
“We are having too many congested email due to the anonymous registration of Hotmail Msn-Live Accounts in our database system.”

Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.

They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:

Some variation of “Account Alert!!!”, or “Account upgrade alert,” or “Email account alert.”
Some variation of “Account renewal process,” or “Verify your account details.”
Some variation of “Email Warning!!!”, or “Verify your email now to avoid being closed!!!!!”

(Scammers really like to use exclamation points!!!! A lot!!!)

They send the email from a bad “From” address. The “From” address in the email is often a dead giveaway. At a glance, it might look like you’ve gotten mail from the Hotmail Team. But if you look at the actual email address, it’s almost always something fishy (phishy?). Typically, scammers just use the name of a Hotmail customer account.

Get educated, educate others

In a perfect world, no one would ever give out their password, and the phishing scams would be ineffective, and would just stop. You’ve already taken a step to helping us get there by reading this post, and now you can help pay it forward by educating others.

Any email that asks for your password is a phishing scam. If anyone ever asks you, “Hey, is this email legit?” just say, “If it asks you for your password, then it is absolutely, definitely, without question a scam! Report it as junk!”

As a final note, some of you might be wondering, Why can’t Hotmail detect these scams? We can detect these scams and do detect many of them. But it’s just a numbers game, and spammers are capable of producing a huge volume of phishing scams, with enough variation in the text and images to fool our filters a small percentage of the time. In addition, it’s important for us to keep the false positives low – meaning that we don’t want to mistakenly identify a legitimate email sent from a good user as spam.

So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.

Sir Spamalot and Lady Phishing

2012-02-08T07:30:00.000+11:00

By Jon-Louis Heimerl

I am a millionaire. Actually, I’m a multi-millionaire. Or rather I could be if I helped the honorable Mr. Nagumba get his money out of Nigeria, or helped Barbara get her money out of Brazil, or picked up my unclaimed lottery winnings, or helped another half dozen people in the last month.

I have won $1500 several times a day for the last few months. I have won a new car. I have important packages waiting to pick up from FedEx and UPS. I am being audited by the IRS and they sent me an attachment that included an executable notice with instructions. I won a 15 day cruise if I qualified – they only needed a credit card number to confirm my identity and that I am over 18. I can get my teeth whitened or Lasik eye surgery for 80% off. I have qualified for a special deal on a new BMW 335 with experimental pricing, and can get in a brand new one for under $15,000. Two of my credit cards have been compromised so I needed to log onto the included website to verify and change my account information. As a matter of fact, another credit card that I don’t even have was also compromised, and I needed to log on there too. One of my bank accounts appears to have some out-of-date information associated with it. I can get really cheap Viagra (sic) cheap online, Heather thinks I’m hot, and there seems to be way too many people interested in my manhood.

My personal spam folder is pretty thin. I try to trim spam aggressively. Just in the last 24 hours I have received 42 emails. Three from family, 21 advertisements from retailers (it’s beyond me why I need a daily reminder from a retailer telling me that they are still open and selling the same stuff they’ve been selling for the last five years), and 18 spam. Now, I have no idea how much spam my ISP trims before it even gets to me, but I assume it is a lot. A quick search shows unofficial estimates that spam is somewhere between 60 and 97% of all email sent. By the best accounts I can find, that means around 40 billion spam emails every day (give or take a few billion). The numbers are down slightly from 2010 partially because three botnets (Rustock, Lethic, and Xarvester) have been somewhat throttled. The closure of spam specialist Spamit helped as well. But, as we all know, spam has not gone away.

Unfortunately, spam means money. Spam brings with it a variety of issues, but it also delivers chunks of money and other opportunities to those who generate it. Pay-per-click sites still exist, and if you send 100 million spam messages and get 1% of recipients to click through – ka-ching! Say you send 50 million spam messages that contain a link for a free virus scan, and you can get .5% of those recipients to follow through with a fake purchase for ONLY $29.99 – that’s $7.5million – ka-ching! Credit card information is not worth what it used to be, but if you can send 100 million fake “change your password” notices to BigBlueBank customers, and 1% of them go through your fake link and update their password – ka-ching! And even if they can’t get something from you, maybe they can compromise some low percentage of recipients with a Trojan or sniffer. The numbers add up quickly because of volume.

But spam and phishing emails are not always obvious, are they? Well, some of them are. If the email subject line includes things like “Cialis” or “Replica Handbags” I think the chances it is spam is probably something around 100%. But do we always know? I included an example of a recent phishing email I received (names have been changed). It looks pretty good at a glance, but there is a lot wrong with it if you pay attention.

Let’s look through it in detail.

Let’s work on the premise that the logo and all the colors are correct, and that at a glance, this looks authentic – it appears to be an email from BigBlueBank, where you have an account registered with online access. What is wrong with the email?

1. BigBlueBank Online may be the correct name, but the chances that return email address is correct is low (read “low”, think “nonexistent”). Notice that it is @onlinesvc.com. If this was really from BigBlueBank chances are pretty good that it would be @BigBlueBank.com. If the return address just shows as BigBlueBank Online, hold your cursor over the name. The actual associated email address should show in a mouse-over or in the lower left corner of your browser.

2. “To: undisclosed-recipients” - If this was genuine, it would actually be to your specific email address, and NOT show as a bulk email with hidden addressees. Check what you bank emails you now – they are all to your real email address.

3. “UPDATE YOUR INFORMATION!” – This pushes an immediate sense of urgency. Not necessarily a blazing orange flag, but it should raise your skepticism when you get an email so obviously trying to raise your personal sense of alarm.

4. “This message is a critical one…” This is obviously a person to whom English is not their primary language. Normal English phrasing would be “This is a critical message…”. If BigBlueBank is based in South Carolina this should get your attention. If they are based in Germany, it probably still should, but not quite as much.

5. “It has come to our attentions,” “This require” - The extra “s” on attention and the missing “s” are perfect examples of disagreement in tense, and errors. These are strong indicators that the writer is not a natural English speaker, and that whoever sent the email did not spend enough time proof reading and editing the content. If BigBlueBank is a top 10 bank in the Americas, what are the chances that they would not have a proof reader check everything that went out (Hint: the answer is 0%).

6. “Your Account information” and “The Account update…” – What is with the random capitalization of “Account”? Errors like this should be blazing a hole in your brain by now.

7. “Is also a new BigBlueBank” – This is just an awkward sentence. Read the whole sentence from the email. Perhaps “the account update also includes” or something similar, but again, it is an error in grammatical construction that should tell you this is not a professional email.

8. “Services security statement…” – Again with the random capitalization of “Services”? Brain. Hole. Burning.

9. “Goes according” – Perhaps if it read “is in accordance” this would not raise alarms, but the misuse of the “ing” is a common error for a non-natural English speaker.

10. “On our terms of service” – “in” our terms of service would be appropriate for an English speaker, and even more appropriate in a professionally prepared communication.

11. 5:55 AM 20/01/2012 – This is actually the first thing I saw in the email that made me say “fake”. The date is shown as day/month/year, which is predominantly European or other international convention. Standard in the United States would be 01/20/2012. I know the other way sorts better, but it is aberrant construction in the U.S. If you are not from the U.S., this probably does not bother you as much as it did me.

12. “May result on a suspension of your account” – “on” is again wrong. A natural English speaker would say “in”. This also implies a threat designed to increase your sense of urgency and decrease your vigilance.

13. BigBlueBank Upgrade Home – Look at that. How convenient it was of them to include a link back to Bigbluebank for you. Just hold your mouse over the hyperlink (don’t bother; it won’t work on the example, since the hyperlink has been removed). By now you realize the chances that the link actually has anything to do with bigbluebank is exactly 0%. In the example of this email, it actually linked to something like the following – the fact that bigbluebank is not the domain should be an obvious clue: http//generalupdates.gh.ost.de/bigbluebank/account_update/index.php.

14. 1-888-XXX-XXXX – Very nice to have an included phone number. It really does help make the whole thing look better. Especially if you dial the number and someone in a call center answers it “Big Blue Bank – Customer Service, how can I help you?” First of all, check the provided number against the customer service number on your bank statements or against the number provided on Bigbluebank’s real website. It may be close but it will not match. Your second clue is that someone actually answered the phone and you did not have to go through a Voice Response system – when was the last time that happened?

15. “Will be helping” – there is that “ing” again. “This will help us” would not raise alarm, but the improper English should have your spinal column on fire by now. You should almost expect it say to “will to be helping us” like some alien speaking through an electronic translator.

If in doubt, bring up the genuine bigbluebank.com website by typing it into your browser yourself (completely ignoring their link, if you please), and check for information there. Locate their contact information to email, or call them to ask if they sent the information. Chances are that bigbluebank has its own security group that is interested in abuse and phishing emails. They may want you to forward a copy of the email to them for their own review if you feel like going that far.

Perhaps this was not the best example because this email was chock full o’ clues. But these are exactly the types of indicators you will see in many phishing emails. The fact that you even got this email should immediately raise your level of awareness, so everything else should follow.

Social Engineering Yourself A BotNet

2012-02-07T07:30:00.000+11:00

Not too long ago the announcement about an Internet Sponsorship Law, SOPA, basically caused the Internet to blow up with people voting, supporting, and showing how much they disliked this proposed bill. The way the “Internet Community” came together is a lesson in mass influence itself, but we are going to focus on a different aspect of this drama.

The hacktivist group Anonymous reared its head in this debate to show it’s disdain for any law that would censor or prohibit the use of the Internet, and they do so using a form of social engineering.

One of the less influence based forms of social engineering involves drawing people to a website that is either loaded with malicious software/code or has downloads that are dangerous or infected. Apparently, Anonymous used this form of social engineering to create, in essence, one of the world’s largest botnets full of unsuspecting participants.

How?
Anonymous used its legions of faithful supporters to spread shortened links that drew interested parties to certain links. Since a user can’t possibly know what to expect when they load a URL, Anonymous capitalized on this to create it’s botnet.

As users went to the list of URL’s, their browsers were hijacked and then some code was executed. Once executed it causes the users browser to make a massive amount of requests to the targets websites (in this case DOJ and FBI). When you get hundreds or thousands or even more people hitting these malicious URL’s so much traffic is sent that it DDoS’ the sites in question.

What are the implications of this type of attack? This form of social engineering is pretty malicious. Even simple curiosity can make the site visitor an unwilling participant in an act that could be considered terrorism. This, of course, is a very serious matter as traffic from home or work users becomes inundated with this malicious traffic.

In the age of shortened URL’s, this kind of a story just makes it ever more clear that the user needs to take responsibility before clicking a link. These types of attacks are how people’s computers get hacked and how accounts are compromised. Now, it’s how massive botnets are created.

Posted in Social Engineering

Be on the Lookout for Phishing Emails

2012-02-06T07:30:00.000+11:00

Posted on: February 2, 2012 in Industry Issues by Chris Williams

If you keep up with tech news, you might have seen the story recently about a new technology standard developed by Microsoft, Yahoo, Google, and Facebook to cut down on spam emails and phishing attempts. It’s an exciting new technology that will help protect users by increasing checks and reporting on sent emails.

However, even with stricter standards for spam filtering, the occasional phishing email might still find its way to your inbox. Phishing emails are standard emails from people trying to convince you to give them information like passwords, usernames, credit card numbers, social security numbers, or other secure data. Every email user needs to know how to spot phishing emails so they can be deleted.

Here are five easy things to look for that you can use to spot phishing emails before you respond with sensitive information.

Emails from companies or people asking for information they should already have, such as accounts and passwords – a company will never ask you for your password.

Emails asking for personal identity information – your date of birth, bank account information, social security number, or other personal information. There’s no reason to ever give personal information via email.

Emails with weird formatting, spelling mistakes, or bad grammar – most phishing attempts come from overseas, so they often contain mistakes a native English speaker wouldn’t make. Others are hurriedly prepared, so they may contain mistakes as well.

Links or attachments you didn’t request – never click on a link in an email, or open an attachment, if you didn’t request for a link or attachment to be sent to you.

Unknown senders or strange domain names – if the domain name of the sender looks strange, or the sender is unknown to you, learn more about the sender or company before you take action. If it looks strange, delete or report the email.

Here’s an example of a phishing email:

For more information on spotting a phishing email, check Microsoft’s support page. If you’re a Google user and receive phishing emails, you can learn how to report them to Google here.

Remember the first step is staying vigilant. Don’t provide personal or sensitive information through email if you can avoid it, especially to people you don’t know.

...don't forget to leave a comment... thanks.

9 Reasons to Enforce Web Security within the Organization

2012-02-03T07:30:00.000+11:00

Considering the wide range of malicious content threatening your users, implementing strong web security within the organization is a crucial part of any defense-in-depth strategy. Web security doesn’t have to mean blocking your users’ access to the Internet, but it does mean protecting them from the types of threats they will encounter every day. Here’s a rundown of the top nine threats that are there to help you understand the importance of strong web security. Some of these are threats to your users; others are threats to their productivity. All are things web security can help you protect against.

1.Compromised sites hosting malware
Every day you can read about sites that have been compromised by attackers. Hacked sites hosting malware are a common way to spread the damage to hundreds or thousands of others very quickly. Strong web security can protect your users by blocking access to compromised sites, and by scanning any downloads for malware.

2.Cross-site scripting attacks
Cross-site scripting can steal credentials, direct users to sites specifically hosting malware, and worse. Web security can detect when an XSS is attempted and protect users from the effects.

3.Typo-squatters
It’s common for people to register domains that are either misspelled, or simple one-offs from other sites to try to get traffic from users’ typos. Sometimes these sites simply have aggressive sales content; other times they are set up to look like the real site to fool users. Either way, web security can prevent this all too common mistake from doing damage.

4.Phishing sites
Phishing emails almost always include links to sites, where the real damage can be done. Web security can block access to these phishing sites.

5.Adult content
The last thing you need is an HR issue to deal with because someone clicked the wrong link in some search results. Web security can enforce the acceptable use policy, preventing both the intentional and accidental violations from occurring.

6.Controversial content
Adult content is not the only risk; political and religious sites may not be appropriate for users to access while at work and web security can ensure that Internet access is business appropriate.

7.Time sinks
If you have ever surfed the web, you have probably experienced the time loss that comes from a planned 30 second check-in that becomes a 30 minute catch up with what else is going on. “Just one more click…” can cost your company hours of lost productivity. Web security doesn’t have to block all personal Internet access; it can permit that within reasonable time limits.

8.Bandwidth hogs
One Internet audio stream may seem like it uses an insignificant amount of bandwidth, but with everyone streaming music, your pipe can quickly become clogged. Web security can monitor and identify the major bandwidth users, or block access to streaming media completely to save that bandwidth for important things, like customer orders.

9.Copyright violations
If a user downloads a pirated movie from your network, you could face liability. Web security can block access to these download sites, and block torrents and peer-to-peer sharing so you don’t worry about C&D letters or lawsuits.

With strong web security protection technology in place, you protect your users, your infrastructure, your data and, ultimately, your company. Look at web security as a critical component of your information security strategy.

This post was provided by Casper Manes on behalf of GFI Software Ltd.