Archive for the ‘Phishing’ Category
FBI Warns of New Social Networking Scam
Wednesday, July 7th, 2010
The FBI is warning that compromised e-mail and social networking accounts are being used in a social engineering scam to swindle consumers. Posing as the account’s owner, the attacker uses the hijacked account to send a notice to the victim’s contacts. The notice claims the victim urgently needs money after being robbed of their credit cards, passport, cash, and cell phone, leaving them stranded in London or some other location. Some messages claim the victim has only a few days to pay a hotel bill and promise to reimburse the sender on their return home. The sense of urgency to help a friend may cause the recipient to skip validating the claim, increasing the likelihood of falling for the scam. If you receive such a notice, verify it through a channel other than the account that sent it (a phone call, for example), since that account is exactly what the attacker controls, before sending any money.
Microsoft SharePoint bug exposes credentials, sensitive data
Friday, April 30th, 2010
A cross-site scripting vulnerability has been confirmed in SharePoint Server 2007 and is likely also present in earlier versions of the content management software, a security advisory warned. It allows an attacker to inject malicious JavaScript into the application by appending script to the URL of the targeted system.
“The vulnerability exists due to failure in the ‘/_layouts/help.aspx’ script to properly sanitize user-supplied input in ‘cid0’ variable,” the advisory states. “Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.”
Microsoft was notified of the bug on April 12, but only made the report public on Thursday.
A Microsoft spokeswoman said Thursday that researchers are in the process of drafting a security advisory that includes mitigation and workaround details. With 17 days’ notice, it is unclear why Redmond’s security team did not already have that information ready to go.
XSS bugs are by far the most common class of vulnerability plaguing the web. Web masters and software makers often downplay them as insignificant because, in their view, the severity of most is minimal. What they tend to overlook is that script injected into a trusted site runs in that site’s origin: it can read the session cookie (as the advisory above notes), rewrite the page, and silently redirect users to sites that hand out malware.
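To make the class of bug concrete, here is an added example (not SharePoint’s code or Microsoft’s fix): a hypothetical help-page handler in Python that reflects the cid0 parameter the way the advisory describes, the same handler with output encoding applied, and a request check that can be run over proxy or IIS logs. The host name, the benign topic id and the payload are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs. The host is hypothetical; the path and the
# parameter name follow the advisory quoted above.
BENIGN_URL = "http://sharepoint.example/_layouts/help.aspx?cid0=MS.WSS.manifest"
ATTACK_URL = ("http://sharepoint.example/_layouts/help.aspx"
              "?cid0=<script>alert(document.cookie)</script>")
ENCODED_ATTACK_URL = ("http://sharepoint.example/_layouts/help.aspx"
                      "?cid0=%3Cscript%3Ealert(document.cookie)%3C/script%3E")

# Minimal stand-in for a help page that echoes the requested topic id.
PAGE_TEMPLATE = "<html><body><h1>Help topic: {cid}</h1></body></html>"


def _cid0(url: str) -> str:
    """Return the percent-decoded cid0 query value, or '' if it is absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("cid0", [""])[0]


def render_help_vulnerable(url: str) -> str:
    """Model of the bug: the parameter is copied into the markup unencoded,
    so any tags it contains become part of the page and script in it runs
    with the site's origin (and therefore its cookies)."""
    return PAGE_TEMPLATE.format(cid=_cid0(url))


def render_help_fixed(url: str) -> str:
    """Fix: HTML-encode untrusted input where it enters the markup.
    html.escape turns < > & " ' into entities, so the browser shows the
    payload as text instead of executing it."""
    return PAGE_TEMPLATE.format(cid=html.escape(_cid0(url), quote=True))


# A help-topic identifier has no legitimate use for markup characters,
# a javascript: URL or an inline event handler.
_SUSPECT = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def is_suspicious_request(url: str) -> bool:
    """Log or proxy check: flag help.aspx requests whose cid0 carries
    markup or script-like content. The value is percent-decoded first,
    because attackers routinely encode the payload."""
    parts = urlsplit(url)
    return ("/_layouts/help.aspx" in parts.path.lower()
            and _SUSPECT.search(_cid0(url)) is not None)


if __name__ == "__main__":
    print(render_help_vulnerable(ATTACK_URL))   # script tag lands in the page
    print(render_help_fixed(ATTACK_URL))        # same input, rendered inert
    for u in (BENIGN_URL, ATTACK_URL, ENCODED_ATTACK_URL):
        print(is_suspicious_request(u), u)
```

The encoding step belongs at the output, not at input validation: a topic id that is rejected on the way in is easy to bypass with a different encoding, whereas html.escape at the point of rendering neutralises whatever arrives.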
Facebook Password Stealing Scam
Tuesday, March 23rd, 2010
Facebook warns over password reset scam
Facebook has taken the unusual step of warning users about a bogus password reset scam designed to trick victims into downloading a password-stealing Trojan.
Prospective marks are falsely told in widely distributed spam e-mails that their password has been changed because of a supposed security incident. Targets are invited to open an e-mail attachment for more information. That attachment, unsurprisingly, contains keystroke-logging malware. Once a PC is infected, every password the user types on it is captured and sent to the attacker.
Facebook points out that it would never send users a new password in an email attachment.
Facebook use in corporate settings should be limited, given the potential for policy violations and malware exposure. Koobface, for example, is a worm that spreads through Facebook and other social networking sites.
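As an added example (not Facebook’s code or anything from the original post), here is the gateway rule that follows from Facebook’s statement: a Python check that quarantines a message when the display name invokes the brand but the address domain is not one the brand sends from, or when an executable travels in the message, including inside a zip. The messages, addresses and the zipped file are constructed; the list of Facebook sending domains is an assumption and in practice should come from the brand’s published SPF records.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains the brand mails from (assumed for this example; derive the real
# list from the brand's SPF records in a production gateway).
LEGIT_FACEBOOK_DOMAINS = ("facebook.com", "facebookmail.com")

# Extensions that should never arrive as a "new password" attachment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_scam_message() -> bytes:
    """Constructed message modelled on the scam: the display name says
    Facebook, the address does not, and the 'new password' is a zip wrapping
    an .exe (placeholder bytes here, not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4cf91.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["From"] = "Facebook Support <support@fb-security-update.example>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Because of a security incident your password has been "
                    "changed. Your new password is in the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4cf91.zip")
    return bytes(msg)


def build_legit_message() -> bytes:
    """Constructed control case: a plain notification from a brand domain
    with no attachment."""
    msg = EmailMessage()
    msg["From"] = "Facebook <notification@facebookmail.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "You have a new friend request"
    msg.set_content("Log in at facebook.com to respond.")
    return bytes(msg)


def attachment_names(msg) -> list:
    """Attachment file names, descending one level into zip archives,
    because that is where the scam hides the executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name)
        if name.lower().endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names.extend(f"{name}/{inner}" for inner in zf.namelist())
    return names


def brand_sender_mismatch(msg, brand="facebook", legit=LEGIT_FACEBOOK_DOMAINS) -> bool:
    """True when the display name invokes the brand but the address domain
    is not one the brand sends from."""
    display, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    claims_brand = brand in display.lower()
    from_brand = any(domain == d or domain.endswith("." + d) for d in legit)
    return claims_brand and not from_brand


def scan_message(raw: bytes) -> list:
    """Gateway rule: return the reasons a message should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if brand_sender_mismatch(msg):
        reasons.append(f"sender domain does not belong to the brand named in From: {msg['From']}")
    for name in attachment_names(msg):
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name}")
    return reasons


if __name__ == "__main__":
    print(scan_message(build_scam_message()))   # two reasons
    print(scan_message(build_legit_message()))  # []
```

The two checks are independent on purpose: a message that fails only the sender check still deserves a look (the executable may be fetched by a link instead of attached), and an executable from a correctly-spelled brand domain is still not something a consumer brand sends.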
Ongoing Botnet Penetration: 2500 companies and counting
Friday, February 19th, 2010
Large-scale botnet penetrations continue to make the news. This highlights the fact that what the mainstream security industry is offering is not working. Botnet infestations can be detected and cut off with passive network monitoring combined with a dynamic blacklist of known-malicious hosts, components included in Cyber RiskTools.
Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.
The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.
Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.
Is your Google Email at Risk?
Thursday, January 21st, 2010
The code that was used to hack Gmail accounts in China is now publicly available on the Internet. Computer users throughout the world are being warned not to use Internet Explorer 6 until a patch is available.
The hack exploits Internet Explorer 6, the browser that shipped with the Windows XP operating system, and gives the attacker full control of the machine. Many users still run IE 6.
On Thursday, the code that was used to hack Gmail accounts in China, and that led Google to threaten to close shop there, was posted to a malware-analysis Web site. By Friday, a demonstration of just how easily the exploit can be used to gain complete control of a computer had been published as well.
The software that hosts the demonstration is intended to let security professionals test for threats through penetration testing, which is a beneficial way to discover security holes; once published, however, the same working exploit is available to anyone.
Microsoft has yet to patch the hole in IE 6, a flaw so serious that it has prompted the German government to advise citizens to avoid IE. Microsoft has posted a security advisory detailing the problem and urging users to upgrade to newer browsers.
Rogue phishing app smuggled onto Android Marketplace
Friday, January 15th, 2010
A phisher hoping to harvest bank login details managed to smuggle his app onto the Android app store.
Malicious apps posted by Droid09 were quickly identified, prompting a warning to legitimate users and a ban for the malware author. The incident raises the question of whether a tighter vetting process is needed for the Android Marketplace.
The banking app posed as a real banking application, but also intercepted users’ credentials and forwarded them on for phishing purposes.
Apple has drawn much criticism for being too heavy-handed in its application approval process. Past attacks against BlackBerry devices, by contrast, involved the rubber-stamping of applications designed to capture credentials and take over handsets.
Android fans who downloaded any of Droid09’s apps are advised to purge them from their phones before consulting their mobile phone firm for further advice.
The incident happened in December, but became public after news outlets picked up on First Tech Credit Union’s fraud alert on Monday.
Domain name extension opens fresh opportunities for cyber-crime
Friday, January 8th, 2010
The introduction of Internet addresses in non-Roman scripts could offer fresh opportunities to cyber-criminals, experts have warned.
The Internet Corporation for Assigned Names and Numbers (ICANN) will for the first time accept Internet domain names in non-Roman scripts.
The new internationalized domain names will open up the Internet as never before to users whose native language does not use the Roman alphabet. But Roman-reading users face a possible deluge of phishing and e-mail scams.
To a Roman-reading eye, an e-mail containing a link to a look-alike domain written in Cyrillic letters might appear genuine, while to a Russian-reading eye the Cyrillic “paypal”, for example, reads as “raural”. Such a link could lead to a clone site built by thieves, who would use it to harvest personal and financial details or to steal cash outright.
At present, most e-mail phishing does not use anything that resembles the real site name. Look-alike domains in other scripts could raise the sophistication of phishing attacks considerably; a mail client or browser that displays the punycode (xn--) form for labels that mix scripts takes away most of the deception.
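An added example, not from the original post, showing the problem and the check in Python: the Cyrillic look-alike of “paypal” that the post describes, its punycode form as it actually appears in DNS, and a homograph check that flags mixed-script labels and labels whose Latin skeleton matches a protected brand, while leaving an ordinary all-Cyrillic name alone. The confusable map and the protected-brand list are small hand-picked assumptions; a production check would use Unicode’s confusables.txt.

```python
import unicodedata

# Constructed labels. The second spells the post's example with Cyrillic
# letters: р (U+0440) а (U+0430) у (U+0443) р а, then a Latin l.
LATIN_PAYPAL = "paypal"
CYRILLIC_PAYPAL = "\u0440\u0430\u0443\u0440\u0430l"
RUSSIAN_WORD = "\u043f\u043e\u0447\u0442\u0430"   # почта, an ordinary all-Cyrillic label

# Hand-picked Cyrillic letters that render like Latin ones. This is a small
# subset of Unicode's confusables.txt, chosen for the example.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Brand labels worth protecting (assumed list for the example).
PROTECTED = {"paypal", "google", "facebook"}


def to_punycode(label: str) -> str:
    """ASCII form that actually goes on the wire and shows up in DNS logs."""
    return label.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Map confusable letters to their Latin look-alikes."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label)


def homograph_verdict(label: str) -> str:
    """'ok', 'mixed-script', or 'lookalike:<brand>' for a single DNS label."""
    label = label.lower()
    sk = skeleton(label)
    if sk != label and sk in PROTECTED:
        return f"lookalike:{sk}"
    if len(scripts_in(label)) > 1:
        return "mixed-script"
    return "ok"


def safe_display(label: str) -> str:
    """What a cautious mail client or browser should show: the Unicode label
    only when it passes, otherwise the unmistakable xn-- form."""
    return label if homograph_verdict(label) == "ok" else to_punycode(label)


if __name__ == "__main__":
    for lab in (LATIN_PAYPAL, CYRILLIC_PAYPAL, RUSSIAN_WORD):
        print(repr(lab), to_punycode(lab), homograph_verdict(lab), safe_display(lab))
```

The skeleton test catches the case the post worries about even when every letter is Cyrillic, and the mixed-script test catches substitutions of a single letter in an otherwise Latin name; neither fires on a genuine single-script name such as почта, which is what makes the rule usable for internationalized users.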
H1N1 Email Phishing Scam
Friday, December 4th, 2009
The CDC has put out a warning for an H1N1-based e-mail phishing scam.
CDC has received reports of fraudulent emails (phishing) referencing a CDC sponsored State Vaccination Program for H1N1. The messages request that users create a personal H1N1 (swine flu) Vaccination Profile on the CDC.gov web site.
An example of the phishing email is below:
Users that click on the embedded link in the email are at risk of having malicious code installed on their system or having their personal information compromised.
RiskAnalytics reminds users to take the following steps to reduce the risk of being a victim of a phishing attack:
- Do not open or respond to unsolicited email messages.
- Do not click links embedded in emails from unknown senders.
- Use caution when entering personal information online.
- Update anti-virus, anti-spyware, firewall, and anti-spam software regularly.
FBI Warns of New Spear Phishing Scam Targeting Law Firms and PR Firms
Wednesday, December 2nd, 2009
The FBI has issued a new alert warning U.S. law firms and public relations firms that hackers are targeting them with spear phishing e-mails. The intrusion vector is a targeted, socially engineered e-mail designed to get past network defenses: the attackers attach malicious files to the message or include a link to the domain hosting the malicious file, and entice users to open the attachment or click the link.
The subject lines are crafted to engage the recipient with content relevant to their specific business interests, which makes generic defenses difficult. In addition to appearing to come from a trusted source, the attachment name and message body are tailored to the same interests. Infection occurs once someone opens the attachment or clicks the link, which launches a self-executing malicious file. Once executed, the payload attempts to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’, e.g. http://d.ueopen.com/srhost.exe.
Any traffic associated with ‘ueopen.com’ should be treated as an indication of an existing network compromise and handled accordingly. The malicious file does not necessarily appear as an ‘.exe’ in every incident; on occasion the self-executing file has carried other extensions, e.g. ‘.zip’ or ‘.jpeg’. Detection should therefore key on the domain rather than on the file name or extension.
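As an added example, not part of the FBI alert, here is a Python scan over constructed proxy log lines using the two indicators above. It matches the domain on label boundaries (so d.ueopen.com and UEOPEN.COM hit but blueopen.com does not), treats a bare srhost.exe download from some other host as a lower-confidence hit, and lists the clients that should be treated as compromised. The log format, IP addresses and the non-IOC hosts are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the alert above.
IOC_DOMAIN = "ueopen.com"
IOC_FILENAME = "srhost.exe"

# Constructed proxy log lines (timestamp, client IP, method, URL, status).
# Everything except the two indicators is made up for the example; the
# blueopen.com line shows why plain substring matching is wrong.
PROXY_LOG = """\
2009-12-01T10:02:11Z 10.1.4.22 GET http://d.ueopen.com/srhost.exe 200
2009-12-01T10:02:15Z 10.1.4.22 GET http://www.example.com/index.html 200
2009-12-01T10:03:40Z 10.1.7.9 GET http://blueopen.com/news 200
2009-12-01T10:05:02Z 10.1.4.22 GET http://UEOPEN.COM/ 302
2009-12-01T10:05:30Z 10.1.9.3 GET http://cdn.example.net/dl/srhost.exe 200
2009-12-01T10:06:01Z 10.1.7.9 GET http://example.org/?next=ueopen.com 200
"""


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def host_matches(hostname: str, domain: str) -> bool:
    """Exact or subdomain match on label boundaries: d.ueopen.com and
    UEOPEN.COM match, blueopen.com does not."""
    hostname = hostname.lower()
    return hostname == domain or hostname.endswith("." + domain)


def classify_url(url: str):
    """Return a reason string if the URL matches an indicator, else None.
    Only the host part is tested against the domain, so a mention of the
    domain in a query string of some other site does not fire."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_matches(host, IOC_DOMAIN):
        return f"traffic to {IOC_DOMAIN} (high confidence)"
    if parts.path.rsplit("/", 1)[-1].lower() == IOC_FILENAME:
        return f"download of {IOC_FILENAME} from another host (lower confidence)"
    return None


def scan_proxy_log(text: str) -> list:
    """Walk the log and collect every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        reason = classify_url(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits


def compromised_hosts(text: str) -> set:
    """Clients that talked to the IOC domain: per the alert, treat them as
    already compromised, whatever the file they fetched was called."""
    return {h.client for h in scan_proxy_log(text) if h.reason.startswith("traffic to")}


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit.client, hit.url, hit.reason)
    print(sorted(compromised_hosts(PROXY_LOG)))
```

The file-name rule is kept separate and marked lower confidence precisely because the alert says the payload does not always arrive as an .exe; the domain rule is the one to page on.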

