The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It’s also been observed the trojan will connect to additional servers to install more malware.

The ultimate goal as usual is to make the victims part of a botnet.

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users.

The malware is being blasted out by spammers in e-mails claiming to come from “The Facebook Team.” Inside the e-mails is a message that the recipient’s Facebook password has been changed. In order to get the new one, recipients are told to open the accompanying attachment containing the malware.

Researchers at Websense told eWEEK Oct. 27 that they have observed more than 350,000 of the messages. On the company’s blog, researchers explained that the malware connects to two servers to download additional malicious files. Among them is Pushdo, also known as Cutwail.

This spam campaign seems to be generating some fairly high levels of traffic meaning whoever is behind it is pretty serious and committed to this vector for disseminating malware.

Social engineering isn’t a new method for propagating malware as always the weakest link is never the technological barriers but is always the stupidity/greed/gullibility of humans.

You can ALWAYS hack the wetware.

“One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails,” according to M86 Security.

MX Logic noted that Bredolab bypasses firewalls by injecting its own code into the legitimate process svchost.exe and explorer.exe. It also contains anti-sandbox code to thwart researchers, and creates the following files: %AppData%\wiaservg.log, %Windir%\temp\wpv861256600826.exe and %Programs%\Startup\isqsys32.exe. Bredolab also creates the processes isqsys32.exe and svchost.exe.

Sophos is detecting the malware as Troj/BredoZp-M or Mal/Bredo-A.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software,” Graham Cluley, senior technology consultant at Sophos, advised in a blog post.

It looks like a pretty advanced piece of malware code which evades firewall measures and even tries to thwart analysis by AV companies.

Anti sandbox code and process injection, these bad guys are getting smart.

That does not bode well for the average citizen.

Source: eWeek

The biggest news last week was most certainly his death, as usual the bad guys were extremely quick to capitalize on this and were sending out spam within hours of the announcement.

It was suspected malware would follow shortly after, and it did according to F-secure.

Within hours of the death of pop star Michael Jackson, spam trading on his demise hit inboxes, a security firm said today as it warned that more was in the offing.

Just eight hours after news broke about Jackson, U.K.-based Sophos started tracking the first wave of Jackson spam, which used a subject head of “Confidential — Michael Jackson.” The spam wasn’t pitching a product or leading users to a phishing or malware Web site, but instead was trying to dupe users into replying to the message in order to collect e-mail addresses and verify them as legitimate.

“The body of the spam message does not contain any call-to-action link such as a URL, e-mail or phone number,” said Sophos in its company’s blog today. “But the spammer can harvest receivers’ e-mail addresses via a free live e-mail address if the spam message is replied to.”

The original versions were just plain old spam to harvest addresses, but later malware laden versions followed which dropped IRC bots and backdoors detected as “Trojan.Win32.Buzus.bjyo”.

It’s sad to see such things happening, but social engineering attacks to spread malware are always expected when some big news like this breaks.

Nothing is sacred to the dark side of the Internet.

The timing of that campaign was not coincidental: It followed Jackson’s acquittal on all charges in child sexual abuse. “The news of his suicide attempt was believable,” said Cluley, who noted that scammers and hackers often trade on tragedies to get people to click links. In that case, users were hit with a hacker toolkit that tried several exploits against Internet Explorer.

“I wouldn’t be surprised to see hackers claiming that they have top-secret footage from the hospital, perhaps [allegedly] taken by the ambulance people, that then asks you to install a video codec,” said Cluley, talking about a common malware ploy. Users who click on the supposed codec update link are, in fact, then infected with attack code, often a bot that hijacks their computer.

So do warn people, if someone e-mails them pictures or videos claiming to be secret or exclusive footage surrounding the death of Michael Jackson – it’s most likely an infection vector.

Common sense prevails, but is sadly not common.

RIP Michael.

Source: Network World

There was a recent Phishing issue on Twitter and before that Twitter Jacking and a CSRF bug that allowed auto-following.

Due to the large update of Twitter, the amount of datable available on the site and it’s easily searchable nature it has become a great platform for data-mining and information gathering (the first and sometimes most important parts of any pen test/vuln ass or security test).

Twitter is fun. It’s also a powerful research tool. People increasingly use Twitter to share advice, opinions, news, moods, concerns, facts, rumors, and everything else imaginable. Much of that data is public and available for mining.

Here’s how to use Twitter to gather useful information about topics, companies, and individuals. I’ll cover native Twitter features, as well as third-party tools with catchy names, such as 5and2fish, Twitter Venn, TwitterFriends, PeopleBrowsr , Twitturly, Twitter Spectrum, and others.

Most of the techniques mentioned here don’t require you to be a registered Twitter user. If you use Twitter, consider what data tidbits you release there, and whether you need to be more careful.

People don’t tend to be so careful or post in such a considered manner when using Twitter as the tidbits posted are so short and off-the-cuff.

This leads to an interesting source of information for people like us doing research about an individual or organization. You can really get a good gauge on the publics feelings for a certain topic too by searching Twitter for relevant keywords.

For example if you search Twitter for ‘Darknet‘ you can see some people mentioning our posts and one guy pretty consistently re-syndicating our content onto the micro-blogging platform.

As you gather information on Twitter, be mindful of others attempting to manipulate you into arriving at their conclusions by feeding you misinformation. Cross-check data and understand its sources. For more on this, see Is Twitter A Market Manipulator’s Dream on the TwiTip blog. If the topic of reputational attacks interests you, also look at the SpinHunters blog.

If using Twitter to share information and stay in touch with your friends, be mindful of how others might misuse what you reveal about yourself, others, or your company. In the words of Wired magazine’s Steven Levy, “No matter how innocuous your individual tweets, the aggregate ends up being the foundation of a scary-deep self-portrait. It’s like a psychographic version of strip poker–I’m disrobing, 140 characters at a time.”

It’s an article well worth reading if you are a Twitter user or not, if you are an infosec professional it gives you another source to search when you are doing information gathering or data-mining tasks.

The Internet is always evolving along with the way people use it, as it becomes a more social platform – more information is bound to be ‘exposed‘ online – for us to find..

Source: SANS ISC

Older versions of Asterisk do have quite a number of serious flaws and it looks like scammers and phishing crews have been exploiting these to make thousands of outbound calls. The traditional way they did this was to setup the exchange themselves so they can receive calls that follow-up to their phishing e-mails.

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn’t say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

So if you are running any kind of Asterisk exchange or derivative (even a hardware based VoIP device based on Asterisk) please make sure you’ve updated to the latest version (this includes firmware for hardware devices).

If not you might find yourself with a very large phone bill that’s hard to explain.

“Early versions of the Asterisk software are known to have a vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.”

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

With the digital nature of Asterisk it’s very easy to dial out then play back a mp3 or wav file that was pre-recorded by the phisher.

They don’t need to take a lot of effort to do this, I imagine they just write a script that auto-generates the phone numbers to dial – then away it goes. Whatever the victim needs to do will be contained within the voice message.

I can’t believe people still fall for these things, but well they do.

Source: Network World

In less than half a day Google Adwords adverts and custom malware was popping up conning users into a sense of security by using Obama’s name.

Malware purveyors have wasted no time capitalizing on Barack Obama’s landslide victory in the US presidential race. Within 12 hours of his acceptance speech Tuesday night, net users were being treated to scams involving Google AdWords and prodigious volumes of spam.

The spam comes masked as dispatches from legitimate news sources, including the BBC and CNN, and invite readers to click a link to view a video of Obama accepting his country’s vote. Those who take the bait are sent to a spoof page of the news site that claims they need to update their Adobe Flash Player before viewing the speech.

It seems to be a generic trojan/rootkit aiming for banking details, it’s just a new vector for installation.

I guess a lot of people will fall for it though with the election fever hitting all around the World, not just in USA. Everyone is going Obama crazy!

In fact, Adobe_flash9.exe installs the notorious Trojan-PSW:W32/Papras.CL, according to anti-virus provider F-Secure. Earlier Wednesday, just 14 of the 36 major anti-virus programs detected the trojan, according to this analysis from VirusTotal. Once installed, the malware, which cloaks itself in a rootkit, logs passwords for bank sites and other sensitive information and sends them to a server located in Ukraine.

The fraudulent news sites are being hosted on a fast-flux network of infected machines, according to this analysis by the CyberCrime & Doing Time blog. Cloudmark, a company that provides spam filtering service, has already seen more than 10 million of the spam messages, according to the Zero Day blog.

Anyway just let the non-tech savvy amongst the people you know that this is going on and that they are likely to get e-mails or messages about Obama pretending to be from legitimate sources.

Under no circumstance should they follow the link and especially don’t install any flash or other software updates from such sites.

Source: The Register

But we had discussed this in part before, some people will give out their passwords if you just ask, some if you offer chocolate and this time in the guise of a ’survey’ for a gift voucher.

Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the public at large take a hard line on firms who fail to keep tight hold of customer data.

In exchange for the voucher, a number of those quizzed during a street survey in Covent Garden earlier this week went on to explain how they remember their password and which online websites (from a range of email, shopping, banking and social networking sites) they most frequently use. A sizeable chunk of those surveyed (45 per cent) said they used either their birthday, their mother’s maiden name or a pet’s name as a password.

Perhaps it’s just as well that stolen identities are worth a lot less than £5, fetching as little as 50p on the underground black market, according to Symantec.

It seems like rather than giving out the actual password they answered questions put together in such a way that a profiler could easily work out what their password was and which sites they used it on.

Pretty sneaky methinks, it’s a good way to test how paranoid people are about their data security…it’s ironic really seeing how much they complain but at the end of it they are their own worst danger.

ine in ten (89 per cent) of 1,000 Brits quizzed during a wider survey, commissioned by Symantec and price comparison site moneysupermarket.com, expressed the opinion that “reckless and repeated” data breaches ought to be punished by criminal prosecutions. Sanctions should include the ability to incarcerate directors of negligent firms in jail. Eight out of ten of those quizzed agreed there should be a “one strike and you’re out” rule for data loss.

Almost four in five of those polled reckon their personal data is not secure in the hands of companies that hold it, a finding that probably stems from the steady drip of data breach stories that have followed from the massive HMRC child benefit lost disc bungle last year. Three in four consumers are concerned about the amount of information organisation hold on them, regardless of whether or not this information is held online or offline. Online payments were perceived as the single greatest risk for losing data.

The general public are pretty harsh too when it comes to dishing out punishment, but then again that is human nature and that is why there’s jury service.

It’s not surprising either that people have very little faith in data stored by the government and their greatest fear is carrying out online transactions.

I think we all know well enough to keep ourselves safe…but sadly as always it seems the rest of the world don’t.

Source: The Register

The latest target appears to be Google Calendar.

As always be on your guard as these scams are coming from all directions.

A few months ago, spam came to Google Calendar. Now phishing has arrived.

Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.

He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as “customer care,” and it asked him to verify his account by supplying his username and password.

It seems to the same old style as normal e-mail phishing but utilising the Google Calendar interface. It comes bundled with the usual spelling and grammatical errors that plague phishing e-mails.

I wonder how many people are falling for this one? If generic phishing ploys are anything to go by…it will be quite a lot.

On May 28, a Google Talk Guide addressed the issue in a Google Groups thread, urging users to click the “Report Phishing” link if they receive suspicious e-mails and not to click on links within the e-mails or open attachments.

Late on Monday, a Google representative e-mailed this statement: “Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Calendar, or any Google product, to send spam is a violation of our product policies. We are actively identifying Calendar accounts that send spam and disabling them.”

Perhaps drop a note to any non-tech friends using Google Calendar just to warn them that this is happening.

You might save someone a lot of trouble.

Source: Cnet (Thanks to Navin)

Even though Caller ID Spoofing was Made Illegal in the USA – people will still continue to do it, remember the FCC said it’s still easy to spoof caller ID. This scam as always includes some Social Engineering, it’s not that easy after all to get people to give up their important info over the phone.

Scams involving email and fake banking websites may get all the attention, but a recent rash of fraudulent phone calls shows criminals haven’t given up on more traditional tools for tricking people into surrendering credit card numbers and other sensitive information.

The calls begin with a recording that makes a tempting offer – usually for a lower credit-card interest rate or an extended car warranty – and then invite the caller to speak to a live agent. The agents then ask for information including the credit card number and expiration, name, address, and in some cases social security number and other data. Recipients who have fallen for the ploy report finding charges as high as $900 on their credit card.

So be careful, don’t be tempted by lower credit card rates or any kind of nonsense offers that you receive from strangers. Honestly I don’t believe any readers of Darknet would fall for this kind of thing..but as always educate those you aren’t so savvy and you are doing your part.

The surge of calls come as security researchers report an up-tick in so-called vishing attacks, which use VoIP, or voice over IP, to trick people into turning over banking credentials and other sensitive data. Last fall, more than 12,000 people in Texas were targeted in a scam that attempted to capture their account details for eTrade and two local banks, according to a recent report from iSIGHT Partners.

Vishers typically set up demo accounts with one of the many VoIP providers, carry out their attack and then move to another provider. The attacks observed in the report were different from the recent scam, however. They typically rely on emails that encourage recipients to call an automated number and manually enter their account information.

It’s worrying, people are getting spammed, scammed and phished from every direction now. All these frauds and spammers are making technology more complex and polluting the Internet with stuff like CAPTCHAs.

I guess it’s here to stay though, so we have to accept with it and deal with it as best we can.

Source: The Register

In the earlier days Myspace was a big target, now they are moving on to other sites such as Facebook. Social networking sites are an ideal place for spammers as they can exploit the trust between ‘friends’ in the system to deliver more compelling messages.

I personally haven’t seen any spam on Facebook yet, but I’m outside of the US, rather selective about my friends, networks and the information I publish there.

Social networking sites have become the new front in the war against spam, according to security watchers.

In the six months leading up to March 2008, social networking sites saw a four-fold growth in the amount of spam on their network. At several major social networking sites, 30 per cent of new accounts created are automated fraudulent ‘zombie’ accounts, designed to be used for spam and other malicious attacks, according to anti-spam firm Cloudmark.

JF Sullivan, VP of marketing at Cloudmark, said the type of spam advertised through social networks is the same type as that advertised by email spam and punted by much the same people. “There’s an implicit trust in social networking. People don’t think they’re going to be attacked with spam,” Sullivan told El Reg. “People don’t trust email anymore. Spammers are following peoples’ online habits.”

It’s scary though that 30% of new accounts are created for spam purposes, that’s a huge number! I imagine it’s a fairly simple process to search for accounts with a generated list of names and just ass them all as friends…then spam them with invites to few phishing sites.

Sometimes flaws in the sites can be used to generate messages that appear to be from people’s other friends.

Social networking spam can be messages between users or posts to walls or other similar applications. Social network spammers most often hijack accounts using fake log-in pages. Phishing-like tactics, password guessing and the use of Trojans to capture keystrokes are also in play.

Junk messages, rigged to appear as though they came from their friends, are more likely to be acted on by recipients on social networking sites compared to the same messages received by email. Social network spammers try to recruit friends by posting profile pictures that depict them as attractive young women. By recruiting people into their groups or networks it’s easier for spammers to subsequently send them spam.

All the major social networks have a problem with spam, according to Sullivan, with volumes of spam ranging from 15 to 30 per cent.

So watch your wall, it might be getting spammed soon. It’s true too that the demographic of most social networking sites is quite low on a technological level so it’s very likely that it would be easy to socially engineer them into clicking something.

Certainly something to watch out for, especially on how they are going to counter it. It’s gets boring to say it…but educating the users is the solution – not more technological strangleholds.

Source: The Register

Even more so if you are a pretty girl, and in this case you offer someone chocolate. Hey who doesn’t love chocolate? I have to say I don’t love it enough to give out my passwords..

A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.

That’s 1 in 5, amazing! It just shows a bit of simple social engineering targeted against a certain company or just using a certain location will yield valuable info.

Similar tests have been conducted before, I would have though awareness might be slightly higher now – but it seems like it’s just the same.

As depressing as the survey may be for the security pros whose job it is to keep corporate networks safe, the results are a substantial improvement over last year. That was when 64% of people were willing to give away their passwords. But there were other disturbing signs this year: 61% of workers surveyed shared their birthdates and a similar number – 60% of men and 62% of women – shared their names and telephone numbers.

This doesn’t sound particularly damaging, but cyber criminals could use this information to craft so-called phishing emails that install malicious computer code when opened or try to convince people to cough up more damaging information like a bank account number.

It’s good to see a substantial improvement since last year, but still I’d prefer if the figures were below 5%. Sharing personal info is also a bad idea as it gives people with malicious intent a lot more ammunition to break into the corporate cookie jar.

Most peoples’ passwords are likely to be based on personal information unless they are generated by the company…if complex passwords are generated by the company it’s generally even easier..as they will be written on a post-it not in the drawer or under the keyboard.

Source: WSJ