StopBadware.org RSS
Regaining Control of Our Computers
 

Phishers Embed Forms as Hooks

Posted by Laureli Mallek Fri, 30 May 2008 18:58:00 GMT

Alex Eckelberry at Sunbelt noted a nifty phishing development: embedded forms. Phishers are spoofing forms from reputable sources (think PayPal, large banks, etc.). Considering the advances in phishing, such as correlating name, position, and email addresses for high-level corporate interests, these emails may look very convincing in the future.

There is some irony in the content of this phishing message, which warns users that their accounts may have been hijacked by a third party – aside from the tense, the sentence is honest. Eckelberry writes: “This makes things easier: No phishing site to have to maintain. No browser-based phishing filters to worry about.” And a bit more of a pain for users.

Remember to be skeptical in cases when “service providers” diverge from normal protocols. Checking with the service provider (though not by clicking on links contained in the email) can help you avoid phishing pitfalls.


Comcast Falls Prey To Tricksters

Posted by Maxim Weinstein Fri, 30 May 2008 14:27:00 GMT

Yesterday evening, I was wondering why an e-mail of mine to a friend using Comcast’s e-mail bounced. Then I saw a message on a listserv I use asking if anyone else had experienced difficulty sending e-mail to Comcast addresses. Thirty seconds and one Google search later, I discovered why. Slashdot explains:

Fallen Andy notes that Comcast, one of the largest US ISPs, lost control of its domain name to what appeared to be juvenile social engineers of the old school — i.e. not in it for the money. The intruders got into Comcast’s registrar account at Network Solutions and repointed the domain’s DNS records. A blog entry at SANS points out how trivially easy this can be. Reader ElvenKnight points out an insightful interview up at Wired with the two young guys who perpetrated the hack.

While I’m sure Comcast and its customers are none too happy about this incident, it’s probably a positive for them in the sense that the hackers were tricksters, not serious criminals. Using the same technique, a criminal organization could have delivered malware or collected usernames and passwords (or potentially bank/credit card account information). Hopefully, Comcast, the domain registrars, and other companies will learn from this example and will tighten up their security processes and controls to reduce the risk of more dangerous abuses in the future.


A Flash in the Pan

Posted by Maxim Weinstein Wed, 28 May 2008 12:40:00 GMT

It appears that someone took advantage of an unpatched hole in Adobe Flash player, along with a SQL injection attack, to initiate a drive-by download to visitors of some 20,000 websites. The target? “It turns out that the whole attack just steals World of Warcraft passwords...”

Even if you’re not a World of Warcraft player, you may still want to protect yourself from the download. Since the Flash vulnerability is not yet patched, this will require some combination of heeding warnings about dangerous sites and keeping your security software up to date. Or, if you want full protection with a corresponding loss of functionality, you can always uninstall Flash Player or use a browser plug-in that blocks Flash objects.


ING's E-Banking Tool

Posted by Maxim Weinstein Tue, 27 May 2008 16:52:00 GMT

Brian Krebs at the Washington Post recently wrote about a new software tool developed by Trusteer and provided by ING to help its customers bank online more securely, even when using PCs that may be compromised by spyware.

At an incremental level, this approach may prove valuable. After all, if the tool is any good, it should prevent the theft of some financial account information, while also providing a sense of security for those ING customers who use it.

As a solution to the larger problem, though, this approach falls short for a number of reasons:

  1. Installing the application is one more step that a user has to take (and know to take) just to conduct what should be a simple yet secure web transaction.
  2. New software applications, however well designed, introduce the potential for new vulnerabilities and compatibility issues.
  3. Additional software means another layer of troubleshooting for the vendor, the user, PC consultants, etc.
  4. PC security is a broader issue than just protecting the transmission of usernames and passwords. An application such as the one from ING might mask the larger problem that a user’s PC is unpatched and infested with a variety of badware applications.

Again, I don’t mean to criticize the ING/Trusteer application itself, as it might be a useful tool. Rather, it’s important to note that the long-term solution lies in software producers and website owners protecting users more transparently and holistically. This includes approaches such as:

  1. Providing users with real-time, user-understandable notice of risky websites (see, for example, Google’s and Yahoo/McAfee’s search results warnings and Firefox’s anti-phishing warnings).
  2. Designing software, websites, and hosting services with security in mind.
  3. Making automatic software updates easy and unobtrusive (without abusing the user’s trust by using this capability to push unwanted software or features).
  4. Educating users about online privacy and security.
  5. Using the collective knowledge of Internet users to gather intelligence about, and react to, rapidly-changing threats.
  6. Providing full disclosure to users about the privacy and security implications of applications and websites before the user commits to using them (see, for example, our Badware Guidelines).

There’s still a lot of work to be done in helping users maintain their privacy and security online. I hope that the software from Trusteer and ING will be successful in thwarting some identity theft attacks, but more than that, I hope that in a few years, this software won’t be needed.


Bad Guys Get Caught

Posted by Maxim Weinstein Fri, 23 May 2008 14:42:00 GMT

Allysa Myers at McAfee blogged about this FBI press release announcing criminal charges against 38 alleged baddies from the U.S. and overseas.

According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet “chat” messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point of sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wire transferred to the supplier who had provided the access device information.

It’s great to see that the Romanian and U.S. authorities were able to successfully work together to bring down what sounds like a pretty serious criminal enterprise.


Badware Alert: Uniscope Toolbars (MySpace Guardian, Amber Alert Toolbar, BizRate Bar)

Posted by Brandon Palmen Thu, 22 May 2008 19:03:00 GMT

StopBadware.org released a badware alert about the Uniscope Toolbars today. These toolbars are produced and distributed by RPM Performance Media, and include variants such as “MySpace Guardian”, “Amber Alert Toolbar”, and “BizRate Bar”:

We find that the Uniscope Toolbars are badware because they fail to inform users that the software will function as adware by inserting sponsored websites into search engine webpages when users search for particular keywords, and because the software fails to identify itself as the source of these advertisements.

We attempted to contact RPM Performance Media through the contact options provided on their website, but we received only an automated response acknowledging our communications.

We currently recommend that users do not install MySpace Guardian, Amber Alert Toolbar, BizRate bar, or other Uniscope Toolbars, unless users are comfortable with the behaviors we identify in our alert, or until the applications are updated to be consistent with the recommendations made in our alert.


Google's new resource for owners of compromised sites

Posted by Erica George Wed, 21 May 2008 18:52:00 GMT

Google has rolled out a new resource for owners of compromised websites that it flags as potentially dangerous in its search results.

Google Diagnostics shows information about malware and malware-distributing behaviors that Google has observed on the site within the past 90 days.

We’re already hearing from website owners and the volunteers in our discussion group that the new diagnostics pages are helpful in discovering problems with a site. We’d like to applaud Google for taking this step in greater transparency. This new resource should help website owners in cleaning and securing their sites faster, which will help protect even more internet users.

You can see an example diagnostics page here.


Safari Security Questioned; SBW Encourages Action

Posted by Laureli Mallek Mon, 19 May 2008 17:09:00 GMT

You may recall that StopBadware.org recently played a role in successfully encouraging Apple to improve its disclosure in pushing the Safari web browser to users through its Apple Software Update application. Now, Nitesh Dhanjani, a security researcher, writes about his recent interaction with Apple. Dhanjani alerted Apple to several potential issues that he discovered in the company’s web browser, Safari, most notably the potential for a “Safari Carpet Bomb.”

He writes that Safari “cannot be configured to obtain the user’s permission before it downloads a resource,” and provides this example:

“Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

#!/usr/bin/perl
print "Content-type: blah/blah\n\n"

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.”

CNET commented that files downloaded by Safari to the desktop on Windows, or the Downloads folder on Mac OS, create the potential for multiple files of unknown nature to mingle with legitimate downloads.

The Apple security team replied to Dhanjani’s emails courteously, but made it clear that this is not a security priority for the company:

We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.


Badware Alert: Spyware Striker Pro

Posted by Brandon Palmen Wed, 14 May 2008 05:00:00 GMT

StopBadware.org released a badware alert about Spyware Striker Pro today:

We find that Spyware Striker Pro is badware because it does not disclose the fact that it installs additional “Performance Center” software which is registered to run automatically at startup, and fails to remove this software when Spyware Striker Pro is uninstalled.

The company responsible for Spyware Striker Pro, Ascentive, responded to our communications about the application by assuring us that they intend to release a future version of Spyware Striker Pro that will disclose the bundled installation of Performance Center in the software’s End User License Agreement and will remove the software when Spyware Striker Pro is uninstalled. Although these changes will be welcome, the application will not fully comply with our recommendations unless it also discloses the software bundling in a clear and conspicuous manner outside of the EULA.

Until such an update is released, we recommend that users do not install Spyware Striker Pro unless users are comfortable with the behaviors that we identify in our alert.


Drive-By-Download Follows on Heels of Fake Media Download

Posted by Laureli Mallek Tue, 13 May 2008 20:13:00 GMT

Over the last several weeks, users downloaded more than they were bargaining for from several P2P networks. TechNewsWorld reported on McAfee’s Avert Labs that more than 500,000 computers have been infected. Users download a faux-mp3 file from a legitimate music group, which initiates a request that users download a codec offering free mp3s. By clicking on the EULA and authorizing the download, users are actually downloading a host of executables.

Craig Schmugar, a researcher for McAfee Avert Labs, wrote on that blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” During further investigation, Schmugar found that hundreds of infected files were circulating on the internet. Many of those sites pointed to freemp3player.com or “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake mp3 files were actually ASF files instructing media players to navigate to specific urls rife with downloads to further corrupt users’ computers.

More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by-download directed users to a compromised site which downloaded TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in specific, change DNS and browser settings which further open the computer to future infections.

Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries with it inherent risk. Badware production has developed into an expanding economy that relies on a sense of inherent security associated with internet use.

Click safely!
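The fake MP3s described in this post were ASF containers carrying URLs for the media player to open. As an added example (not code from StopBadware, McAfee or Trend Micro), the following check ignores the file name, identifies the container from its leading bytes, and lists any URLs an ASF body carries; the sample byte strings and the names `sniff_container` and `inspect_download` are constructed for illustration, and it assumes the URLs are stored as UTF-16LE text, as ASF does for its strings.

```python
import re

# First 16 bytes of every ASF container (the ASF Header Object GUID, on-disk byte order).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# ASF stores text as UTF-16LE, so an embedded URL appears with a NUL after each character.
URL_UTF16LE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def sniff_container(data: bytes) -> str:
    """Classify by leading bytes only; the file name is never trusted."""
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    if data[:3] == b"ID3":  # ID3v2 tag in front of the MPEG audio frames
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync (11 set bits); heuristic
    return "unknown"


def inspect_download(name: str, data: bytes) -> dict:
    """Report whether a file named *.mp3 really is one, and list URLs an ASF body carries."""
    kind = sniff_container(data)
    urls = []
    if kind == "asf":
        urls = [m.group().decode("utf-16-le") for m in URL_UTF16LE.finditer(data)]
    return {
        "name": name,
        "container": kind,
        "mismatch": name.lower().endswith(".mp3") and kind != "mp3",
        "embedded_urls": urls,
    }


# Constructed samples (not real files): an ASF header followed by one UTF-16LE URL,
# and the start of an ordinary ID3v2-tagged MP3.
FAKE_MP3 = (ASF_HEADER_GUID + b"\x00" * 8
            + "http://codec.example.invalid/get".encode("utf-16-le") + b"\x00\x00")
REAL_MP3 = b"ID3\x03\x00" + b"\x00" * 20

if __name__ == "__main__":
    for fname, blob in (("song.mp3", FAKE_MP3), ("track.mp3", REAL_MP3)):
        print(inspect_download(fname, blob))
```

A mismatch on a file named *.mp3 is the signal to quarantine it before any media player opens it.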



 



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license