Archive | Spam RSS for this section

Added Security for Twitter Users to Come Soon!

Two-Factor Authentication

From spam to ham, Twitter deals with a lot of security issues on a daily basis. What about viruses/malware? I’m sure, yes. But, more importantly: account security. What do Twitter users need? Security assurance!

Therefore, Twitter is developing and perfecting a two-factor authentication method that will allow Twitter to not only ask for a password, but also a different credential to be sure of who is accessing your account.

From recent issues with Twitter accounts being hacked, it is best to have this in place, before it happens to other high profile organizations. Some of the recent organizations hacked were high profile including the Associated Press‘s account, CBS 60 Minutes account, and the BBC’s account.

Expect a shift in all online high profile websites switching to two-factor authentication. Apparently, it is the go-to emergency security solution.

Advertisements

Recent Hacks: NBC.com, Twitter, and Zendesk – Warnings: Tumblr, Pinterest

After dealing with multiple attacks on several sites, including Apple, Facebook, and Twitter – this being Java exploits. Now, it’s time to deal with more hacks, including NBC.com (which has been serving up malware for a day now) and Twitter. As in recent reports now, Tumblr and Pinterest have been forewarned.

The latest high profile organization that was recently hacked is the National Broadcast Company (NBC), more specifically on their website. The idea from the hackers is to use the website to infect visitors, using exploits and other JavaScript injections.

NBC.com’s hacked pages were modified to include additional HTML component called IFRAME, which is inline frame. This allows at least a 1px x 1px frame to be included independently in the webpage, which may contain malicious code. In HTML code, frames can be made to host web content. But, in the hands of the evildoers, aka cybercriminals, it is used as an effort to launch malware campaigns.

Malicious JavaScript was added to the mix, and also used the exploit kit called RedKit. It delivers one of two exploit files to try to take control of your browser.

I recognized something was wrong with NBC.com, which may have already been hacked a few weeks ago, and I posted the information on my Twitter account that a downloaded file was sent to my browser asking me to save or open it. This was on a sister site/blog, RedTape. I asked people to replicate it. The Twitter status can be found here.

What type of malware was delivered? Citadel or ZeroAccess, which are both crimeware families and botnets. They are usually part of several exploit kits.

This drive-by download situation is no good, as the pages were taken offline. Therefore, that dropped the traffic of those specific areas of the site. It is sure that this situation is a matter of cybercrime aimed at a financial side of things, not defacement or pranks.

Was it a big deal that it was NBC? No. In fact, it is sure the hackers were aimed at using a high-profile site, and apparently NBC.com was the easiest or quickest to access. Hackers rely on time and many other factors to make their approach(es).

Zendesk hacks and other various warnings

Zendesk is all about customer support…therefore no one really knows, except for those in the business of customer support. Big names use this service, which include Tumblr, Twitter, and Pinterest, among others. Hackers broke into the Zendesk systems, accessing email addresses of those big name customers, namely Twitter, Tumblr, and Pinterest.

How “pinteresting” that another hack has been born, which is related to a social network. Zendesk detailed the hack:

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

The companies involved made a point to tell its customers that they haven’t been hacked, but private information was stolen. Luckily, no password thievery was involved.

Obviously, an incident like this, just like the NBC.com incident, needs to be taken very seriously. Something must be done to stop the continuous hacks.

Twitter hacks additionally are nothing new. Many times, hackers used a backdoor, such as the tools the support team uses, to infiltrate the information of Twitter users. It’s not a huge gain, more possibly a waste of time.

Symantec Teams With Microsoft to Destroy Bamital Botnet

The Bamital Botnet, known for grossing about $1 million a year using fraudulent means has been destroyed by the investigative teams of Microsoft and Symantec. With help from the feds, the two teams collaborated in the investigation of a number of data centers for the botnet servers. This operation is the sixth operation in the past three years to take down botnets, titled Operation b58. This operation began around a year ago, when Symantec approached Microsoft with intent to collaborate and take down this botnet.

The most notorious means of the botnet are very typical, inflicting a fraudulent payload via search redirects. The victims were lured in to a scam (social engineering), in which malware was then installed to infect the machine. Once done, the victim will do their normal activities including searching, which the malware will redirect to scam sites, selling fake (or legitimate but modified) software or services, attempting to steal credit card data.

For the last two years of its continual attack on internet users, the botnet totaled 8 million computers, approximately, and stole/racked in around $1 million USD. Right now, it’s estimated that anywhere from 300,000 to 1 million computers are still infected with the botnet.

During the takedown operation, Microsoft’s crew constructed a lawsuit against the botnet operators to pull the plug on the zombie network. Yesterday, February 6, after the request was granted by the court, Microsoft was escorted by the US Marshals Service to go to every facility in Virginia and New Jersey to seize servers.

According to Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit, the operators of the Virginia data center were persuaded to take down the server at the parent facility in the Netherlands.

Many of the cybercriminals involved include about 18 of them, scattered all around the world from the US, to the UK, to Australia, and even Romania.

Cleaning Up

Microsoft and Symantec seek to help users who’re infected. The search redirect and querying system by the rogue servers will be broken, therefore the search function on victim computers will be broken, too. There will be removal tools to help this, as well as the ability to repair the broken functions.

It is sure this will make it a lot harder for the cybercriminals behind Bamital to restart their servers, as Microsoft and possibly others like the feds and Symantec, have the servers in their custody.

 

Take down of the Virut Botnet in Progress

Virut is being targeted now in an effort of allied security forces. Virut is a very dangerous botnet, which when infecting your computer can cause irreversible damage to your files, can steal a lot of personal information, and cause you to lose almost all of your data.

(Our security arm, SecuraGeek Forums, published an article helpful to users about Virut a few years ago, here.)

This takedown effort involved researchers of Poland’s Computer Emergency Response Team (CERT), Russian CERT-GIB, and the Spamhaus Project that aimed at disrupting the operations of the Virut botnet, which involved 300,000 some infected machines.

In December, the Spamhaus Project helped to work against all the domains owned in the Virut botnet, and attempted to have them shutdown. Most of the domains, if not all, were registered under the .pl cc TLD. However, the gang behind the botnet moved all of the malicious domain names toward a new registrar called home.pl.

The botnet’s operations were limited a bit during this time, when NASK (Research and Academic Network) in Poland, began to move on the infrastructure of this botnet. The NASK operates the Poland CERT and is the national registry of the .pl domain. Therefore, its presence in this situation is very important.

“In past few days, Spamhaus has been in close contact with the sponsoring registrar (home.pl), the Polish Computer Emergency Response Team (CERT.pl) to get the domain names suspended,” Morrison blogged Jan. 19. “In cooperation with the Polish CERT and the registrar home.pl, we managed to get all the Virut domain names within the .pl ccTLD sinkholed.”

“In addition, Spamhaus reached out to the Austrian CERT and the Russian-based Company Group-IB CERT-GIB to shut down the remaining Virut domains within the .at and .ru ccTLDs,” he added. “In cooperation with Spamhaus, and due to the evidence and intelligence provided by Spamhaus, CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours.”

Symantec researchers have noted that the maintainers of Virut are also involved with the Waledac botnet. The evidence is due in part to the malware writers behind both botnets using affiliate programs to spread the threats. It’s been noted also that Virut has helped to spread malware such as TDL, Zeus, and others. Also, Symantec warned that Virut had been used to redeploy Waledac. Problem is, the Waledac botnet was seized by Microsoft in 2010. So, redeploying that botnet is opening up the fields for lots of trouble.

As this takedown has occurred, three dozen domain names have been seized in total, with no sign (to researchers) of them starting back up on a different network. Since domains are so critical in the infrastructure, it’s going to be difficult for the malware writers to orchestrate a new plan.

For the past five or so years, domains like ircgalaxy.pl, zief.pl, etc. were used by the botnet…now are seized! It’s not exactly clear how NASK will affect the future operations of Virut, but right now, things are looking good and steady!

Want a Rolex? Let me have your ID first! (Case study)

ID Fraud

Of course, holidays for the US and even other parts of the world light up big time (no pun intended), this time of year. Rolex spam rolls out by attackers, and they want your identity.

They’ll say they give you a Rolex watch, one the of most expensive timepieces sold on the watch market. This is for their own little Black Friday sale. What do they want, though? Your credit card, and other personal information!

Screenshot of email:

    From: Designer Watches by LR (could be random, too)     To: {random}     Subject: Start Black Friday today     Message body:     BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD!      The best quality watch replicas on PLANET EARTH!     The lowest priced high-end watches on the PLANET!      www(dot)LRblackfridaytoday(dot)com      BLACK FRIDAY HAS STARTED!     Black Friday every day until November 23!     All items reduced by 25-50% as of TODAY.      Over 25,000 exact watch-copies have been reduced until Friday November 23rd.     There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible.     This will ensure INSTOCK availability and fast delivery.      NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY!     Currently every watch model is INSTOCK and ready to ship within 1 hour.      THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS:      These are hand crafted high-end watch-copies.     These are made using identical parts and materials.     These are tested inside and out to be identical.     There is no difference between our watch-copies and the originals!      www(dot)LRblackfridaytoday(dot)com

From: Designer Watches by LR (could be random, too)
To: {random}
Subject: Start Black Friday today
Message body:
BLACK FRIDAY EVERY DAY UNTIL NOVEMBER 23RD!

The best quality watch replicas on PLANET EARTH!
The lowest priced high-end watches on the PLANET!

www(dot)LRblackfridaytoday(dot)com

BLACK FRIDAY HAS STARTED!
Black Friday every day until November 23!
All items reduced by 25-50% as of TODAY.

Over 25,000 exact watch-copies have been reduced until Friday November 23rd.
There plenty of time to get the watch of your dreams but we recommend doing it as soon as possible.
This will ensure INSTOCK availability and fast delivery.

NOTE: BLACK FRIDAY PRICES ARE AVAILABLE ON INSTOCK ITEMS ONLY!
Currently every watch model is INSTOCK and ready to ship within 1 hour.

THESE ARE NOT CHEAP CHINA STOCK KNOCK-OFFS:

These are hand crafted high-end watch-copies.
These are made using identical parts and materials.
These are tested inside and out to be identical.
There is no difference between our watch-copies and the originals!

www(dot)LRblackfridaytoday(dot)com

 

Their main website is blacklisted. It’s also hosted on a network blacklisted by Google SafeBrowsing  and SURBL.

Battle.net Account Verification Email Spam Continues, More Users Compromised

More spam is lighting up for Battle.net account users, Diablo, and World of Warcraft members. The latest spam update is below, where once again, the spammers are using a fake email account (diablo@email.com) as the sender, and stating that you are trying to sell your Battle.net account and need to verify it so it will not be suspended.

However, the link it gives looks real, however, it is fake.

Greetings!   It has come to our attention that you are trying to sell your personal World of Warcraft account(s). As you may not be aware of, this conflicts with the EULA and Terms of Agreement. If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment's employees. If you wish to not get your account suspended you should immediately verify your account ownership.   You can confirm that you are the original owner of the account to this secure website with:   hxxps://www.battle.net/account/support/password-verify.html  If you ignore this mail your account can and will be closed permanently. Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.   Regards,   Account Administration Team World of Warcraft , Blizzard Entertainment 2012

Here are the technical details:

Return-path (email address the email actually came from): ab[at]vlrpc.com

IP address: 112.65.228.185 belonging to an unknown/private user (WHOIS states the IP master’s name: yanling ruanof) China Unicom, a telecommunications company governed by The People’s Republic of China. They seem to either ignore abuse reports, or do not know much about their users’ activities. We know a private user sent this spam, because the message header clearly states the application used to send the email: Microsoft Outlook Express 6.00.2900.5512.

Known blacklisting: Spamhaus.org (listed as “Illegal 3rd party exploits, including proxies, worms and trojan exploits”), abuseat.org, barracudacentral.org, uceprotect.net

Now, it’s believed that the recent spam outbreak (like the one above, for example) is a result of the latest Blizzard lawsuit. However, spam like this has happened before (also look in the comments for a user who posted about Diablo 3 spam).

The only thing to best protect against spam is having an anti-spam program. Please visit the vendor below for more information.

Caretaker Antispam download link

More celebrity sex tapes (Hulk Hogan), more security problems

Now, spam makers have more juice with a sex tape leak on Hulk Hogan. The alleged porn tape appeared earlier this year, place in at least one studio, and now it is a key spam topic in email/IM/SEO spamming.

If that isn’t bad enough, Heather Clem, one alleged to be involved in the footage, and is “completely devastated” by it.

There are many other stories popping up about the tape and it’s becoming a big buzz. What’s sad is, with the rise of social networking, contributes to the rise of celebrity problems, which was predicted I’m sure. Celebrities don’t belong with normal people, because either the celebrity goes crazy, or the fan goes crazy.

As usual, if you receive any emails containing information about the Hogan sex tape, kindly ignore it, and do not download the attached EXE file or video that apparently has the footage. Doing so can cause malware to take control of your computer.

To prevent spam from causing problems on your computer, it’s best to secure your computer Surfright Anti-Spam.

%d bloggers like this: