It was uncovered recently that it was being used as a Botnet Control Channel, shortly before that it was subjected to a DoS attack.

This isn’t the first time DMs have been used in a Phishing attack too.

Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.

There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending tweets out with links to a phishing site. The attack site requests the user’s log-in information; once the attackers have that, they can take over the account of the victim and use it to send out more messages.

According to messages from Twitter users, the tweets with the link to the phishing site have to do with the sender supposedly making a certain amount of money. Such periodic phishing attacks on users of the popular microblogging service have become a fact of life.

I’m not exactly sure why anyone would want to steal a bunch of Twitter accounts? Perhaps to monetize them somehow with spam/affiliate schemes.

But the current threat on Twitter is a phishing scam executed via DM with a link to various things including ways to make money, a video of you or some other juicy gossip.

The cornerstones of social engineering in phishing attacks.

In May, researchers at Sophos reported that a number of Twitter users were lured to a phishing site via a tweet with the message: “check this guy out [tinyurl address leading to the attack site].” As was the case in that instance, URL shortening services are increasingly being abused by attackers to mask the Websites they are sending their victims to.

Besides drawing attackers as it has grown, Twitter has also gotten the interest of security researchers, as shown by the “Month of the Twitter Bugs.”

Twitter warned users about the attack, stating in a message: “A bit o’ phishing going on—if you get a weird direct message, don’t click on it and certainly don’t give your log-in creds!”

If you are using Twitter you should follow @spam and keep up to date with what is happening on the network.

Source: eWeek

It seems like with China pumping out the most malware this might be a very useful project, they have designed it quite intelligently too meaning it’s useful for many applications.

A Chinese company that has created a massive database of malware found on Chinese Web sites opened up the information to other security organizations on Thursday. Beijing-based KnownSec gathered the viruses and other information with a crawler that scans nearly 2 million Chinese Web sites each day, Zhao Wei, CEO of the security company, said in an interview in Beijing. He planned to give a presentation on the subject at the Forum of Incident Response and Security Teams (FIRST) security conference in Kyoto, Japan this week.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao said in the interview. China produces the majority of the world’s malware, he said. A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found being distributed by the sites.

Apparently according to McAfee with the current rate of malware growth in China, it could be doubling every year.

And phishing is starting to wake up in China, so get ready for more spam and scam e-mails with terrible English.

KnownSec each day finds more than 100 Trojan downloader files that have never been seen before, Zhao said. Each of those can direct a victim’s PC to download up to ten viruses. The database also has a list of Web sites that are currently compromised. Only about half of the newly infected sites KnownSec finds each day are also listed by Google as dangerous, said Zhao.

Google labels search results it has found to be potentially dangerous during scans of its index. When asked for comment, a Google spokeswoman said organizations need to work together to identify online threats and stamp them out. Security companies and national computer emergency response teams can request access to the KnownSec database, Zhao said. Security companies could use the information to shield users of their antivirus programs against new malware threats, he said.

The majority of the malware is password stealing trojans, which I’d imagine are targeted at users within China themselves and users of China based banks.

The phishing attacks are targeting these same users, either way be careful. It looks like China is jumping into the malware/phishing/spam arena with both feet so expect a rise in threats.

Source: Network World

Well it looks like the spammers have got their acts back together as spam levels are back up to 91% of their previous volume.

Having McColo shut down was nice, but honestly did anyone think it was going to have a serious long term effect on spam? I didn’t…the spammers are going to find another ISP they can use, even if it’s in another country.

Junk e-mail now back to 91% of its usual levels, says Symantec.

The days of blissfully empty in-boxes are long gone – get ready for another onslaught of spam. Symantec’s monthly State of Spam report, out today, shows that levels of spam are approaching the dizzy heights they reached last year, before the sudden shutdown of rogue hosting company McColo.

It estimates that spam now comprises about 85 per cent of all email traffic, thanks to old bot-nets being brought back online and new ones created.

So if you’re a sys-admin and you’ve been enjoying the break from super high volumes of spam – be prepared for it to start pouring back in again.

It seems like South America is seeing a rise in spam activites too, perhaps due to the spread of Internet connectivity and broadband rollout.

You often see the numbers of compromised machines in a country or region is extremely high when they first get connected (remember when Korea came online?).

The EMEA (Europe, the Middle East and Africa) region continues to be the leading source of all zombie IP addresses, hosting 45 per cent of active zombie computers in March 2009 – although Brazil has seen a surge in compromised computers. It now has 14 per cent of all the world’s zombie machines.

Despite these figures, the US continues to be the main source of spam messages (accounting for a full quarter of all spam sent) – the UK has the dubious honour of rounding out the top ten, with a 2 per cent share.

Symantec has also noticed a change in spam subject matter, from get-rich-quick schemes to the sad business of avoiding having your home repossessed.

One ray of spring sunshine – video spam has not taken off as some experts feared. The most common size of spam email (75 per cent of all sent) is a featherweight 2 to 5 KB.

Seems like even the nature of spam is changing to accommodate the recession, these spammers really capitalise on whatever is going on in the World.

I guess that’s why it works and why they still keep spamming, basic social engineering and greed work very well together.

Thankfully no video spam though, imagine if you’re on mobile data…and you start receiving 1-3mb spams!

Source: Techradar (Thanks Navin)

Srizbi worm was pretty smart though and was picking up again by the end of November. Later in the year the botnets were somewhat neutralised leading to a huge drop in spam.

But now, they are back – re-engineered – and ready to spam without going down again.

The demise late last year of four of the world’s biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half – almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets – massive networks of infected Windows machines that spammers use to blast out billions of junk messages – sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm, that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: Weak encryption protocols, which proved to be an Achilles Heel that led to its downfall, have been completely revamped

That’s one problem with attacking these botnets and the malware behind them, the people doing it aren’t kids having fun. They are business syndicates making serious money, so whatever you do – they are going to learn from it and adapt their software and methods to circumnavigate it.

That’s what seems to be happening now with Waledac, a new re-engineered version of Storm with stronger encryption protocols. They learnt from their mistakes and released a new, updated and more powerful version.

What amazes me is that in the Xarvester malware, it actually makes use of the Windows crash reports – sending them to the developers to make the bot more stable!

“Several researchers are actively studying the communications, but I don’t know if and when it will be broken and hijackable,” said Jose Nazario, a security researcher at Arbor Networks. “The guys behind the botnet seems intent on staying up and so evading researchers seems like the most appropriate thing to do.”

Waledac has amassed some 10,000 zombie computers so far, a tiny fraction of the bigger botnets. But Stewart expects it to be a major player in the coming months. Meanwhile, a spam botnet called Xarvester is making similar inroads. It is the world’s third-biggest spammer, accounting for over 13 percent of the world’s spam, according to Marshall. What’s more, its uncanny resemblance to Srizbi has sparked suspicions it is a reincarnation of that notorious botnet. Similarities include an HTTP-based command and control center that uses non-standard ports, encrypted template files used to send spam and configuration files with the common formats and data.

It also has a sophisticated feedback system that helps bot developers squash bugs so the software is harder to detect on a victim’s machine.

“Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system,” according to this analysis from Marshall. “This is presumably to help the botnet controllers debug their bot software.”

It seems like Xarvester has some uncanny resembelances to Srizbi too, so maybe it’s a new updated release from the same group which fixes the flaws that made Srizbi fail in the long term.

The infection rates for these bots are quite low currently, but due to the new measures the developers have taken they are likely to gain many more infections and be much harder to remove/detect and stop.

Source: The Register

They set up a fake CNN site which prompts you to upgrade your flash player to view the video, of course it’s not Flash but a Trojan targeting your sensitive financial information.

I don’t think anyone reading this site would fall for this, but it’s good to be aware of it so you can let others know.

A new e-mail that is circulating looks like it comes from CNN and links to a fake CNN Web page offering “graphic” video related to the Israel-Hamas conflict but instead hosts a Trojan that steals sensitive data, RSA said on Thursday.

When someone clicks on the video link on the fake CNN site an error message pops up urging the visitor to download the latest version of Adobe Flash Player. Clicking on the download link installs an “SSL stealer” Trojan that captures financial and other sensitive information, RSA said in a blog.

The Trojan looks for encrypted communications between the computer and known financial institutions and when it sees data being sent it diverts it to a malicious third-party, said Sam Curry, vice president of product management and strategy at RSA.

It’s an interesting piece of malware, it seems to go after SSL communications and carries out some kind of man in the middle attack by redirecting the valuable SSL traffic to a malicious 3rd party website.

Not as simple as the usual crap which just infects the computer as a spam zombie or infests it with pop-up adverts for casinos and viagra.

The social-engineering attack is different in that the e-mail pretends to come from a media company and then tries to steal financial data, he said. “Normally when you get phished they send you an e-mail pretending to be from a bank or other financial institution,” he said.

RSA discovered the attack early on Wednesday and has worked with others to get the fake site shut down. At a peak on Thursday as many as 80,000 of the phishing e-mails were being sent out, according to Curry.

It seems to be reasonably wide spread, but not huge. It does pose some kind of a threat and I think organizations should perhaps send out some kind of memo about this as I’m sure there’s a lot of legitimate CNN Articles being forwarded around so this one might slip through and land someone in trouble.

As always – be vigilant!

Source: Cnet (Thanks Navin)

hey! check out this funny blog about you…
http://jannawalitax.blogspot.com/

It’s a link to a fake blogspot URL that redirects to a phishing URL for Twitter, it looks the same as the real login page but the actual URL is:

http://twitterblogs.access-logins.com/login (WARNING THIS IS A PHISHING SITE)

If you visit the page you’ll see a Phishing warning from Firefox.

Later on I also received the following DMs on Twitter.

hey look at this funny blog http://rosalierebyb.blogspot.com/

fixed it.. hehe here is that blog i wanted to show you
http://twitterblogs.access-logins.com/login

You’ll notice in the last one that they have moved to using the direct Phishing URL rather than the blogspot as Google closed down the blogspot account used for Phishing.

It seems quite widespread meaning a lot of people have fallen for this and there are a lot of compromised Twitter accounts out there.

There’s some good info on the whole thing here:

Twitter Phishing.

If you have received any of the above or similar direct messages from anyone on Twitter do let them know and inform them they should change their password ASAP.

SANS/ISC have also mentioned it here:

Twitter/Facebook Phishing Attempt

And the folks over at Twitter have blogged about it too:

http://blog.twitter.com/2009/01/gone-phishing.html

Older versions of Asterisk do have quite a number of serious flaws and it looks like scammers and phishing crews have been exploiting these to make thousands of outbound calls. The traditional way they did this was to setup the exchange themselves so they can receive calls that follow-up to their phishing e-mails.

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn’t say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

So if you are running any kind of Asterisk exchange or derivative (even a hardware based VoIP device based on Asterisk) please make sure you’ve updated to the latest version (this includes firmware for hardware devices).

If not you might find yourself with a very large phone bill that’s hard to explain.

“Early versions of the Asterisk software are known to have a vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.”

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

With the digital nature of Asterisk it’s very easy to dial out then play back a mp3 or wav file that was pre-recorded by the phisher.

They don’t need to take a lot of effort to do this, I imagine they just write a script that auto-generates the phone numbers to dial – then away it goes. Whatever the victim needs to do will be contained within the voice message.

I can’t believe people still fall for these things, but well they do.

Source: Network World

Twitter has exploded recently as a new ‘micro-blogging’ platform and it works really well, especially when combined with more traditional blogging and the host of tools that have been build around Twitter to enable you to find tweets about specific topics or events easily.

Now Twitter has created a new supply of valuable “names”: Twitter IDs. They take the form of twitter.com/stiennon for instance. Have you signed up for your free Twitter ID? Do you own your surname? Company name? Brand identity?

Is there evidence of Twitter squatting (squitting?) Let’s check. Yup, every single-letter TwitID is taken. Some are legitimate (Check out “S” for instance, that is a cool personal email assistant service) but X, Y, and Z are place holders. How about common words? Garage, wow, war, warcraft, Crisco, Coke, Pepsi, Nike, and Chevrolet are all taken. My guess is that Twitter squatters have grabbed all of these in the hopes that they will be worth selling in the not too distant future. Of course the legitimate holders of brands can sue for them and Twitter can just turn them over if asked. But, because the investment and risk for the squatter is zero, you are going to see the rapid evaporation of available Twitter IDs.

I wonder if this will be the next lucrative business, people registered thousands of Twitter usernames and speculating with them.

Imagine if your name or company name is taken, it’s gonna be cheaper than litigation to get it back to just pay the guy a few hundred or a few thousand dollars. If you haven’t gotten a Twitter ID yet I suggest you bag your name now before someone else does.

How to protect your own brand? Immediately go to Twitter.com and determine if your name is available. Get it while you can. While you are at it, reserve all of the names associated with your brand. You may decide that any domain you have invested in should have its Twitter ID. It is the domain name squatters who will jump on this new land grab first after all. Reserving multiple Twitter IDs is easy. Twitter attempts to limit reservations by requiring a unique email address for each sign-up. That is circumvented by using the Google “plus sign” email trick. Simply append something (your new Twitter ID for instance) to your Google email address like stiennon+itharvest@gmail.com. Gmail treats that as stiennon@gmail.com but Twitter thinks it is unique. I expect Twitter to fix this flaw shortly. They may even require email confirmation.

So go and get registering, especially if you have anything to do with the online presence of a real business – go and register the business name and derivatives now. You could save yourself some money when later the CTO or CEO thinks blogging and Twittering may really boost your brand equity.

Who knows? Better safe than sorry right.

Source: Network World

They are using Open Recursive DNS servers to poison DNS queries and return false information, thus luring consumers to even more realistic phishing domains.

Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.

The study, set to be published in February, takes a close look at “open recursive” DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

The scary thing about this is, you could end up at Paypal.com or HSBC.com and the site could look exactly the same, but you could actually be connected to some Russian phishers web site…and you wouldn’t even know.

Unless of course you check the SSL certificate whilst using the https version, but come on – how many average Joes would do that?

The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a “second secret authority” for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

“This is a crime with few witnesses,” said David Dagon, a researcher at Georgia Tech who co-authored the paper. “These hosts are like carnival barkers. No matter what you ask them, they’ll happily direct you to the red light store, or to a Web server that does nothing more than spray your eyeballs with ads.”

Oh well, another scam to look out for and another threat to monitor. Something else for us to educate the masses about, and some more ammo for us to scare people with.

It’s not all bad – is it?

Source: PC World

IGNORANCE.

Someone consumers see a Phishing attempt from ‘Brand X‘ as a negative against that brand…even though it has absolutely nothing to do with the brand and there’s nothing they can do to control it.

Email phishing attacks tarnish the reputations of targeted firms, according to a new UK survey. Two in five UK adults (42 per cent) quizzed feel that their trust in a brand would be “greatly reduced” if they received a phishing email purporting to represent it.

Despite this, the majority of respondents to YouGov’s online survey reckon the responsibility for protection against phishing attacks lies with ISPs and individuals themselves, rather than the brands targeted by fraudulent emails.

One in four (26 per cent) of 1,960 adults surveyed reckon the main responsibility for protecting against phishing attacks lies with themselves, with a similar percentage (23 per cent) responding that their ISP ought to bear the brunt of filtering spam emails. A further (17 per cent) think the sender’s ISP and email service provider holds the greatest responsibility in combating scam emails.

Pretty sad news for any big brands, and how did people work out it’s the ISP’s responsibility? If you are careful with your e-mail address and responsible about using it (or at least maintain segregated and throw-away accounts) you shouldn’t have any problems anyway.

Plus believing Phishing e-mails? Sometimes I lose faith in the human race.

The YouGov phishing survey was sponsored by anti-spam firm Cloudmark, which reports that .uk domains are the single most common target of phishing attack across Europe.

Security experts at ISPs said it was unfair for consumers to hold the targets of attacks responsible for the crud hitting their inboxes.

“Whilst awareness to the problem is essential, it is unrealistic to expect businesses to be able to secure themselves fully against such sophisticated criminal activities. The increasingly dynamic and transient nature of the latest threats requires a combination of desktop protection at the client level, and accurate message filtering from ISPs,” said Nigel Stevens, product director at THUS.

Oh well I guess we just have to keep educating, talking, discussing and teaching. There’s nothing much else we can do to combat misconceptions and public opinion.

Source: The Register