Give a hoot, read a book. Alternatively…

…you could deface two library websites and play some music in the background. I guess.

hacked library

Both sites (hardinglibrary(dot)org and mendhamtownshiplibrary(dot)org) are sitting on a server with a huge number of library websites on it – however, only these two domains appear to have been defaced. The admins have of course been notified, and hopefully all of your book related needs will be back online shortly…

Christopher Boyd

Patch Tuesday: XP SP2 support ends, Help and Support Center bug fixed

Microsoft issued four security bulletins yesterday fixing vulnerabilities in:

— Microsoft Windows Help and Support Center (MS10-042)
— Microsoft Windows Canonical Display Driver (cdd.dll) (MS10-043)
— Microsoft Office Access ActiveX Controls (MS10-044)
— Microsoft Office Outlook (MS10-045)

The vulnerability in Help and Support Center (MS10-042) was in the news last month when a researcher released proof-of-concept code, which malicious operators then exploited. The vulnerability allowed execution of code from a malicious Web page or a malicious link in an e-mail.

Microsoft summary here.

The monthly updates also mark the end of Microsoft’s support for Windows XP Service Pack 2. Users should upgrade to XP SP3 or Win 7.

Tom Kelchner

Chinese .gov domain hacked, serving up phish

Just because a site is a .gov doesn’t mean it’s safe from harm. A Chinese .gov portal that appears to be for tourism in the Haidian District of Beijing currently looks like this:

phish

The homepage has been bumped out of the way in favour of the following fake login:

phish

The location of the phish in question is ns(dot)bjhd(dot)gov(dot)cn/update/, and it’s been reported to the admins.

Christopher Boyd

The phish whisperer

New vector for malicious links – WoW whisper message leads to keylogger

Our friend Douglas received a whisper (chat message) from someone using the handle “BlizzaICOL” while he was playing WoW, telling him that the beta is available for the new Cataclysm expansion for the WoW map. The expansion will make everything appear as though it’s on fire, being burned by a dragon. The “whisperer” also passed along a URL which led to Cataclysmtest.net (don’t go there), which APPEARED to be the WoW login screen.

WoW_Phish

To see where this went, we entered a fictitious username and password and the site accepted it, meaning that it’s probably snatching login information. It’s a known phishing site (Firefox alert box below.)

Wow_2

Another authentic-looking page (also tagged as a malicious site by Firefox) with a “download” button awaited at worldofwarcrayt.com (which, as you can notice, is one letter off from “worldofwarcraft.com”).

WoW_Phish_4

Nice reproduction of the real thing:

WoW_authentic

Clicking on the “Download for PC” (don’t try this at home) we downloaded this – which turned out to be a Trojan that installs a key logger intended to steal passwords.

WoW_Phish_6

The Cataclysmtest.net domain was registered earlier in the month and whoever registered it either has a really obscene name or is faking it. The “.cm” country domain – Cameroon – is well known for malicious code, because it’s only one mistyped URL from the “.com” top-level domain. Operators there have set up a wild-card DNS record which will respond to any URL with a .cm domain. (More info here: http://en.wikipedia.org/wiki/Wildcard_DNS_record)

WoW_whois_2

It appears the worldofwarcrayt.com domain was registered (in April) by the same person, who used “ukukukuk” in place of “usususus.”
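The two tricks above (a one-letter-off registration like worldofwarcrayt.com and the .cm-for-.com confusion that the wildcard DNS exploits) can both be caught mechanically when you hold a watchlist of the brand domains you care about. The following is an added example and not code from the original post or from Sunbelt: it classifies a candidate domain as the brand itself, a TLD swap, or a label within one edit of the brand. The watchlist entry is the brand domain the post names; “wor1dofwarcraft.com” is a constructed variant, and the single-label TLD handling is a simplification (a real tool would split on the Public Suffix List).

```python
"""Lookalike-domain check for one-letter-off and .cm/.com confusion.

Added example, not code from the original post. The watchlist holds the
brand domain the post names; candidates are the domains the post mentions
plus constructed variants. Assumes simple 'label.tld' domains."""


# Brand domain the phishing pages imitated (from the post).
WATCHLIST = {"worldofwarcraft.com"}


def split_domain(domain: str):
    """Return (registrable label, tld) for a 'label.tld' domain.
    Strips a leading 'www.'; multi-label suffixes such as .co.uk are
    not handled in this simplified version."""
    domain = domain.strip().lower().rstrip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    label, _, tld = domain.rpartition(".")
    return label, tld


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(candidate: str, watchlist=WATCHLIST, max_edits: int = 1):
    """Return (verdict, brand) for the first watchlist entry the candidate
    resembles, or (None, None) if it resembles none.

    Verdicts: 'exact' (the brand itself), 'tld-swap' (same label, other
    TLD, e.g. .cm for .com), 'lookalike-label' (label within max_edits)."""
    c_label, c_tld = split_domain(candidate)
    for brand in sorted(watchlist):
        b_label, b_tld = split_domain(brand)
        if (c_label, c_tld) == (b_label, b_tld):
            return "exact", brand
        if c_label == b_label:
            return "tld-swap", brand
        if osa_distance(c_label, b_label) <= max_edits:
            return "lookalike-label", brand
    return None, None


if __name__ == "__main__":
    # Domains from the post plus constructed variants.
    for name in ["worldofwarcrayt.com", "worldofwarcraft.cm",
                 "www.worldofwarcraft.com", "wor1dofwarcraft.com",
                 "cataclysmtest.net"]:
        print(f"{name:28} -> {classify(name)}")
```

Note that Cataclysmtest.net comes back as no match: a lure domain that borrows the brand’s theme rather than its spelling needs other signals (registration age, content, reputation) and is exactly the case a pure lookalike check misses.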

WoW_whois_1

Thanks Douglas and Wendy.

Tom Kelchner

GFI Software acquires Sunbelt Software

Today, it was announced that Sunbelt Software has been acquired by GFI Software. The new combined entity will provide a wide range of security and infrastructure software solutions, both on-premise and in the cloud.

First, let me say that we’re thrilled to be part of the GFI team. Throughout our discussions and interactions with GFI, we have been continually impressed with their dedication to quality, customer service and superior performance throughout the company. Both companies are similar in their attitudes and practices with regard to customer service, product quality, strategic vision, organizational styles and culture.

On the technology side, the acquisition allows us to expand into several areas, which we believe are essential for us to grow as a company and continue to provide leading-edge technologies to our customers. These areas include vulnerability assessment, patch management, data leakage prevention, hosted/cloud-based technologies, and solutions for MSPs.

We have already identified a number of synergies between the products, and are working with the GFI team on these areas. These include putting our VIPRE technology into various GFI products (such as GFI MAX and GFI MailSecurity); and integrating GFI’s DLP technology and vulnerability/patch management into VIPRE Enterprise. More details will be forthcoming as we execute on the product roadmap.

In addition to the technology side, GFI provides additional resources in terms of capital, management expertise, systems and new markets that will continue to propel our products and our teams to the highest level of achievement possible.

For the time being, both companies are hard at work, integrating the various sales, marketing, finance, and technology teams. Our goal is to make the combination of the companies as seamless as possible to our customers and partners.

Our management team, including the product teams — Mark Patton (VP R&D), Eric Sites (CTO) and Bill Emerick (SVP Products and Services) — will continue with the new organization. I will be staying on as well, continuing to run the VIPRE business and other security offerings. Stu Sjouwerman, our co-founder, is retiring but will continue to be involved with our various publications (WServerNews, Win7News, and SecurityNews).

It’s an exciting day for us here at Sunbelt, and I believe sincerely that this acquisition was in the best interests of all parties — not only our shareholders and employees, but most importantly, our customers and partners.

Alex Eckelberry

DynDNS hosts malware sites

Over the past month or so we’ve seen quite a lot of malware coming from sub-domains of DynDNS.com, which is a dynamic DNS provider. A typical link might look like this:

http://upogoteluqike.scrapper-site.net/1111111ggg/get.php?name=Anal_Porn_Movie_162.mpeg

(scrapper-site.net is a DynDNS site.)

The sub-domains change by the hour, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:

80.91.176.172

The files coming down are typically detected as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert — although detection among major antivirus providers is spotty and varies wildly by file.

WhoIS data for DynDNS.com:

DynDNS.com
Hostmaster, DynDNS <hostmaster@dyndns.com>
1230 Elm St., 5th Floor
Manchester, NH 03101

The list of their domains that we’ve seen being used by the bad guys closely matches the list of available domains you see on their web site in the dropdown box for “Free Domain Name.” The ones we’ve seen in particular over the last couple of weeks are:

boldlygoingnowhere.org
dnsalias.com
dnsalias.net
dnsalias.org
dnsdojo.com
doesntexist.com
dynalias.net
doesntexist.org
dvrdns.org
dynalias.com
dynalias.org
dyndns.biz
dyndns.tv
dyndns.ws
endofinternet.net
endofinternet.org
game-host.org
getmyip.com
gotdns.com
gotdns.org
hobby-site.com
hobby-site.org
homedns.org
homeftp.org
homelinux.com
homelinux.net
homelinux.org
homeunix.net
homeunix.org
is-a-chef.com
is-a-geek.net
is-a-geek.org
isa-geek.org
kicks-ass.net
kicks-ass.org
scrapper-site.net
scrapping.cc
selfip.biz
selfip.com
selfip.info
selfip.net
selfip.org
servebbs.com
servebbs.org
serveftp.net
serveftp.org
servegame.org
thruhere.net
webhop.biz
webhop.info
webhop.net
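The pattern described above is easy to turn into a log check: a request whose host is a subdomain of one of the free zones, whose path ends in get.php with a media-file “name” parameter, and whose destination is the IP the subdomains resolved to. The following is an added example, not Sunbelt’s own tooling: it runs those three indicators over a constructed proxy log. The zone set is a subset of the list above, the log layout (timestamp, client, destination IP, method, URL) is assumed, and the log lines are made up for the demonstration, though the first and third mirror the URL shape quoted in the post.

```python
"""Flag proxy-log requests that fit the dynamic-DNS malware pattern:
throwaway subdomain of a DynDNS free zone, a media-file lure in the
'get.php?name=' query, and resolution to the IP reported in the post.

Added example, not Sunbelt's own tooling. Zone set is a subset of the
DynDNS free domains listed in the post; log lines are constructed and
use the assumed 'ts client dst_ip method url' layout."""
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Subset of the DynDNS free-domain zones listed in the post.
DYNDNS_ZONES = {
    "scrapper-site.net", "dnsalias.com", "homelinux.org", "selfip.com",
    "webhop.net", "kicks-ass.net", "is-a-geek.org", "gotdns.com",
}
# Address the post says the rotating subdomains usually resolved to.
KNOWN_BAD_IP = ipaddress.ip_address("80.91.176.172")
LURE_EXTENSIONS = (".mpeg", ".mpg", ".avi", ".wmv")

# Constructed proxy log (not real traffic).
SAMPLE_LOG = [
    "2010-07-14T10:01:02Z 10.0.0.5 80.91.176.172 GET "
    "http://upogoteluqike.scrapper-site.net/1111111ggg/get.php?name=Movie_162.mpeg",
    "2010-07-14T10:01:09Z 10.0.0.7 93.184.216.34 GET http://www.example.com/index.html",
    "2010-07-14T10:02:15Z 10.0.0.5 80.91.176.172 GET "
    "http://qzvxlorpe.homelinux.org/1111111ggg/get.php?name=Movie_163.mpeg",
    "2010-07-14T10:03:40Z 10.0.0.9 198.51.100.20 GET http://dnsalias.com/",
]


def matching_zone(host: str):
    """Return the dynamic-DNS zone that `host` is a subdomain of, or None.
    The zone apex itself (e.g. dnsalias.com) is the provider's own site
    and is deliberately not flagged."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in DYNDNS_ZONES:
            return suffix
    return None


def parse_log_line(line: str) -> dict:
    """Split one constructed 'ts client dst_ip method url' line."""
    ts, client, dst_ip, method, url = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "dst_ip": dst_ip,
            "method": method, "url": url}


def reasons_for(rec: dict) -> list:
    """Independent indicators for one request; several together are a
    much stronger signal than any one alone."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    reasons = []
    zone = matching_zone(host)
    if zone:
        reasons.append(f"dyndns-zone:{zone}")
    if ipaddress.ip_address(rec["dst_ip"]) == KNOWN_BAD_IP:
        reasons.append("known-bad-ip")
    name = parse_qs(parts.query).get("name", [""])[0].lower()
    if parts.path.endswith("/get.php") and name.endswith(LURE_EXTENSIONS):
        reasons.append("media-lure-download")
    return reasons


def analyse(lines) -> list:
    """Return (client, host, reasons) for every request with at least
    one indicator."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        reasons = reasons_for(rec)
        if reasons:
            findings.append((rec["client"], urlsplit(rec["url"]).hostname, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in analyse(SAMPLE_LOG):
        print(client, host, ", ".join(reasons))
```

The zone check alone will also catch legitimate home servers on these domains, which is why the example reports each indicator separately: a hit on the zone plus the lure path plus the known address is worth an alert, a bare zone hit is worth at most a note.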

It should be noted that DynDNS.com’s services and those of No-IP.com have been used to distribute a variety of malware over the past year, but these “anal porn” malware files are the most recent and noteworthy examples.

Free file hosting sites (e.g., Rapidshare.com, FileAve.com), social media sites (Facebook, Twitter), and blog sites have been and still are being exploited by the bad guys in similar fashion.

Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services.

Alex Eckelberry
(With many thanks to Eric Howes)

Update: Great response from the DynDNS abuse team, the situation is now under control.

Oracle “Patch Tuesday”: 59 fixes coming

Oracle has announced that it will push a Critical Patch Update tomorrow fixing 59 security vulnerabilities in hundreds of Oracle products. The pre-release announcement said 21 out of 59 vulnerabilities are in the Solaris product suite.

Vulnerabilities addressed by the update are in the following products:
• Oracle Database 11g Release 2, version 11.2.0.1
• Oracle Database 11g Release 1, version 11.1.0.7
• Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
• Oracle Database 10g, version 10.1.0.5
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
• Oracle TimesTen In-Memory Database, versions 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
• Oracle Secure Backup version 10.3.0.1
• Oracle Application Server, 10gR2, version 10.1.2.3.0
• Oracle Identity Management 10g, version 10.1.4.0.1
• Oracle WebLogic Server 11gR1 releases (10.3.1, 10.3.2 and 10.3.3)
• Oracle WebLogic Server 10gR3 release (10.3.0)
• Oracle WebLogic Server 10.0 through MP2
• Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
• Oracle WebLogic Server 8.1 through SP6
• Oracle WebLogic Server 7.0 through SP7
• Oracle JRockit R28.0.0 and earlier (JDK/JRE 5 and 6)
• Oracle JRockit R27.6.6 and earlier (JDK/JRE 1.4.2, 5 and 6)
• Oracle Business Process Management, versions 5.7.3, 6.0.5, 10.3.1, 10.3.2
• Oracle Enterprise Manager Grid Control 10g Release 5, version 10.2.0.5
• Oracle Enterprise Manager Grid Control 10g Release 1, version 10.1.0.6
• Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
• Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
• Oracle Transportation Manager, Versions: 5.5.05.07, 5.5.06.00, 6.0.03
• PeopleSoft Enterprise Campus Solutions, version 9.0
• PeopleSoft Enterprise CRM, versions 9.0 and 9.1
• PeopleSoft Enterprise FSCM, versions 8.9, 9.0 and 9.1
• PeopleSoft Enterprise HCM, versions 8.9, 9.0 and 9.1
• PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
• Oracle Sun Product Suite

Oracle July Critical Patch Update Pre-Release Announcement here.

Tom Kelchner

Free iPhone as bait

Twitter is filled with these “Free!!” deals (just search for the word “free” and see what slithers out.)

We clicked on the shortened URL in the tweet (you should NOT do this at home) and landed here:

Free iPhone

So, why not try it? It has a privacy policy and addresses to opt out of the massive phone, SMS and email advertising that you’re signing up for (check the fine print.)

What information do you need to decide whether to try this or not?

1. READ the privacy policies, disclaimers and any other information on the page. Usually they’re on the bottom of the page in VERY small letters or grayed out. Cut and paste the text into a word processing program so you can see them. This one shoveled paragraph after paragraph at you clearly stating they were going to use your contact information for lots and lots of advertising and they were going to give it to all their friends and let them have a crack at you too.

2. Use a search engine to check out any addresses listed. Google street view is a help too. If the corporate headquarters is a billboard in London, you might be a bit leery about doing business with them.

We checked out the fine print, including two addresses in this one and got a bit suspicious:

Prize-Wave.com
Privacy Policy

http://track.prize-wave.com/Privacy.aspx?p=0f7b859ce29146c0b40c5b915b0c8eb8

SPECIAL OFFER SERVICE SUBSCRIPTION & EXPRESS CONSENT TO RECEIVE MESSAGES.

“To unsubscribe: You may cancel your SOS subscription and revoke your consent to receive calls at any time by either (a) utilizing the opt-out procedure included in any message you receive; (b) by sending an e-mail that includes your telephone number to optout@specialofferservice.com; (c) by calling 800-269-0281; or (d) by sending a written request to Worldwide Commerce Associates, 7251 West Lake Boulevard, Suite 300, Las Vegas, NV 89128.”

Address_1

There doesn’t seem to be a West Lake Boulevard in Las Vegas, although there is a West Lake Mead Boulevard.

Delete/Deactivate Policy

“Users at any time may unsubscribe to our electronic mailings by following the instructions that we include at the end of every mailing. To correct, update or request that we delete information you provided, please contact us via email, or by writing

Prize-Wave.com
ATTN: CUSTOMER CARE
101-1001 W Broadway
Suite 765
Vancouver, BC V6H-4E4”

A web search for that address shows other businesses there have a V6H 4B1 (not V6H 4E4) postal code.

And Google Maps lookup has it as:
1001 W Broadway
Vancouver, BC V6H 4B1, Canada
Hmmm, a business that makes two mistakes in two addresses. I wonder if it’s real.

Tom Kelchner

So, I won the World Cup lottery online, did I?

Is it me or has the quality of trolls sunk to even more amateur levels?

SAfrican lotto_spam

And, clicking on the attachment (kids, don’t try this at home) we get:

SAfrican lotto

Wow. Word 97! I guess this is a low budget operation.

From: Lotto Manager. South African 2010 World cup lottery online Lottery Headquarters: 210-211 Universal Building
Parkhaust, Balfour Unit 1440
Johannesburg, South Africa
Batch: (18/006/1094/LIPDA/SL.)
REF: (GFA/MMS/HWEAS/SA)

CONGRATULATIONS FOR YOUR WINNING:We happily announce to you the draw of South African 2010 World cup Bid lottery Award International programs held in Zurich, Switzerland. Your e-mail address attached to ticket number: (7017-4162-1018)

. . . blah, blah, blah

Also provide the following information and after fill this information of yours we will officially send you our verification that you are the winning,
NAME:………………
ADDRESS:………………….
NATIONALITY:……………
SEX:………………
AGE:…………….
PHONE/MOBILE:………..
FAX:……………………………
OCCUPATION:……………
COMPANY:………………… 

blah… blah… blah…

Signed: President Nelson Mandela (chairman)
Malefic OLIPHANT (President)
Chief Operations Officer Albert MOKOENA
Chief Executive Officer Danny JORDAAN.
N.B/email the Zonal co-coordinator for urgent verification of your clam, the name is Mr. Jim Parson

Nelson Mandela hasn’t been president of South Africa for 11 years.

Tom Kelchner

 

Patch Tuesday coming next week

Microsoft has issued advance notification for the July patch on Tuesday. Four bulletins are expected.

Security bulletins will be issued for Microsoft Windows (two critical bulletins fixing vulnerabilities that could allow remote execution of code) and two for Microsoft Office (one critical and one important – both fix vulnerabilities that could allow remote code execution.)

The patches will include a fix for the vulnerability in Windows Help and Support Center (XP and Server 2003 only) that can allow execution of code from malicious Web pages or malicious links in e-mail (CVE-2010-1885). There were reports of the vulnerability being exploited after Google researcher Tavis Ormandy made public proof of concept code earlier this month.

This month also marks the end date for support for Windows XP SP2 and Windows 2000.

Tom Kelchner

Pushback to Australian Net censorship increasing?

Internet users in Australia are beginning to push back against Internet censorship, with Web sites advocating political action as well as sites giving instructions on the use of the Tor proxy network to avoid analysis by the censors.

The country is considered to have the strictest censorship of any developed nation for video games and Internet sites hosted in the country. 

Don’t Filter Me

http://www.dontfilterme.com/ (Domain registered July 2)

Electronic Frontiers

http://openinternet.com.au/take_action/ (Registered February 2010)

No Clean Feed

http://nocleanfeed.com/ (Registered February 2008)

And, of course, as with all censorship schemes, stories detailing what exactly is being censored can get pretty strange:

Small breasts banned

January 28, 2010

http://www.inquisitr.com/59633/australian-government-censor-confirms-small-breast-ban-sort-of/

Thanks Alex

Tom Kelchner

Google Image Searches for “Raoul Moat” have been poisoned

If you’ve been keeping an eye on the news you’ll probably be aware of a chap called Raoul Moat. If not, all you need to know is that he’s popping up in articles with titles such as “Timeline of a gun rampage” – and there are more armed police walking around than you can shake a very large stick at.

They still haven’t found him, mind, but let’s move on to the security angle in all of this.

It seems our favourite friends the Blackhat SEO Poison Brigade are out in force, utterly trashing the Image Search results and filling them up with dubious links.

These are the very top entries from a basic search on “Raoul Moat” in Google Images:

Image search

At time of writing, ALL of the image searches from the top line of Google Image Search will redirect you to serveradobe(dot)co(dot)cc. As you’ve probably guessed from the name, you’ll get a fake Flash “install this” prompt from the website in question, followed by an attempted download of a file called V11_adobe_flash.exe:

Fake Install

Here’s the VirusTotal result for this one – currently a bit low, with 11/41 detecting it. We’re still examining the file, but a fake antivirus or similar shenanigans look likely.

We detect this as VirTool.Win32.Obfuscator.hg!b (v).

Christopher Boyd

419 Scammers use YouSendIt

Hat tip to Kevin Church for pointing this one out to me.

Every now and again 419 scammers will use YouSendIt to send out their “please help me / send me money / travel to another country and be horribly beaten” missives to the masses.

Here’s an example of one currently in circulation:

Fake message via yousendit

Here’s the YouSendIt version, stored for all time. Or at least until July 21st, 2010.

Ckyousendit4120

Christopher Boyd

Work from home! Make $75 per hour! (or not)

We recently investigated a “Work from home” recruitment spam email. A trail of web links revealed an interesting labyrinth of sites peddling expensive “training” courses that suggest they can teach you to make huge amounts of money with very little effort.

And, while not being overtly illegal, they feature:
— disclaimers that say, in effect, everything on the page is fiction
— phony site-security certification seals
— blocked Whois information

For the inexperienced Web user who might be looking for a high-paying job, we’re going to walk through these sites and list eight clues that should make anyone suspicious.

The spam email

Yahoo! Mail
How would you like to make $75 hour working from home?
From: “Immediate Placement” ImmediatePlacement@hith757upfront.com
To: mailto: Undisclosed-Recipient@yahoo.com

 
Wah spam graphic

(A business advertised by spam email – this is your clue #1 that this should be avoided.)

The site

Clicking the link in the spam email (don’t try this at home) leads to:

http://www.workathomepositionplacement.com/index/

WorkAtHomeePositionPlacement_link to

On the Work At Home Position Placement site “Elizabeth Jackson, America’s top work-at-home consultant” tells you in just 7,000 breathless words how you can make $75 per hour posting merchandise on eBay. The implied premise is that major companies are doing away with their bricks-and-mortar stores, selling on eBay instead, and need lots of people like you to work from home.

“All you have to do is spend a little time online cruising around eBay’s website, and you’ll soon see what I mean. Huge and successful companies like Apple, Coleman, Adidas and Compaq routinely list their products on eBay auctions…”

The cost of the training program: $197.

(A sales pitch that is too good to be true – this is clue #2 – with a lot of bold face type and colorful heads – clue #3)

Whois info is blocked

The Whois information for the domain is blocked (clue #4) and the site has been registered only since April (clue #5). Legitimate businesses identify themselves and usually they’ve been in business (and had a domain registered) for more than a few days or weeks. Malicious or fraudulent sites are taken down quickly.

Domain name: workathomepositionplacement.com

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()

   Fax: 
   PMB 368, 14150 NE 20th St – F1
   C/O workathomepositionplacement.com
   Bellevue, WA 98007
   US

Creation date: 07 Apr 2010 19:02:47
Expiration date: 07 Apr 2012 19:02:00
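Clues #4 and #5 are the two that lend themselves to automation, since both are visible in the raw WHOIS text. The following is an added example and not code from the original post: it parses WHOIS records, flags a privacy-proxied registrant and computes the domain’s age at a reference date. The first two records are reconstructed from the fields quoted in this post (a “Domain name:” line is added to the second, and the en-dash in the street address is written as a hyphen); the third record, the 180-day “young domain” threshold and the 2010-07-14 reference date are assumptions made for the demonstration.

```python
"""Automate clue #4 (privacy-proxied registrant) and clue #5 (very
recently registered domain) from raw WHOIS text.

Added example, not code from the original post. WAH_RECORD and
ATA_RECORD are reconstructed from the fields the post quotes;
CLEAN_RECORD, the 180-day threshold and AS_OF are assumptions."""
import re
from datetime import datetime

# Phrases that indicate a WHOIS privacy/proxy service rather than a
# named registrant. Extend for other providers as you meet them.
PRIVACY_MARKERS = (
    "whois privacy protection service",
    "whois agent",
    "whoisprivacyprotect.com",
)

WAH_RECORD = """Domain name: workathomepositionplacement.com

Registrant Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent ()
   PMB 368, 14150 NE 20th St - F1
   C/O workathomepositionplacement.com
   Bellevue, WA 98007
   US

Creation date: 07 Apr 2010 19:02:47
Expiration date: 07 Apr 2012 19:02:00
"""

ATA_RECORD = """Domain name: auctiontrainingarea.com

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent   (vkytynhr@whoisprivacyprotect.com)
   PMB 368, 14150 NE 20th St - F1
   C/O auctiontrainingarea.com
   Bellevue, WA 98007
   US

Creation date: 05 Dec 2008 23:37:17
Expiration date: 05 Dec 2010 23:37:00
"""

# Constructed control record: named registrant, long-established domain.
CLEAN_RECORD = """Domain name: example-library.org

Registrant Contact:
   Example Public Library
   Jane Doe (hostmaster@example-library.org)
   1 Main Street
   Springfield, XX 00000
   US

Creation date: 12 Mar 2001 08:15:00
Expiration date: 12 Mar 2012 08:15:00
"""

AS_OF = datetime(2010, 7, 14)  # assumed date of the check


def parse_whois(text: str) -> dict:
    """Pull the domain name and creation timestamp out of raw WHOIS text."""
    dom = re.search(r"^Domain name:\s*(\S+)", text, re.M | re.I)
    created = re.search(r"^Creation date:\s*(.+?)\s*$", text, re.M | re.I)
    return {
        "domain": dom.group(1).lower() if dom else None,
        "created": (datetime.strptime(created.group(1), "%d %b %Y %H:%M:%S")
                    if created else None),
    }


def assess(text: str, as_of: datetime = AS_OF, young_days: int = 180) -> dict:
    """Score one record for clues #4 and #5."""
    rec = parse_whois(text)
    low = text.lower()
    age = (as_of - rec["created"]).days if rec["created"] else None
    return {
        "domain": rec["domain"],
        "privacy_proxy": any(m in low for m in PRIVACY_MARKERS),
        "age_days": age,
        "young": age is not None and age < young_days,
    }


if __name__ == "__main__":
    for record in (WAH_RECORD, ATA_RECORD, CLEAN_RECORD):
        print(assess(record))
```

Neither flag is proof of anything on its own (plenty of honest registrants use privacy services, and every domain is young once), which is why the example returns both facts rather than a verdict and leaves the scoring to whatever consumes it.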

The site’s privacy policy lists what appears to be an attorney’s office in Henderson, Nevada.

Disclaimer

Disclaimers are a great view of the truth of the claims that these Web hucksters are making. They think they can skirt truth-in-advertising laws by drastically qualifying in their disclaimer everything they emphasize on their Web pages.

There is a disclaimer at the bottom of the Work At Home Position Placement Web page. It’s grayed out and clearly designed to be ignored (clue #6):

WorkAtHome_disclaimer


You can cut and paste the text into a word processing application to make it readable. It’s interesting. Here are the highlights:

— “INCOME CLAIM WARNING: Testimonials are not typical of most results.”
— “All Testimonials are 100% Real and Accurate and the attestants have been remunerated for allowing Work At Home Position Placement’s use of the same.” (That means the “attestants” were paid for their testimonial.)
— “Photographs or images are a depiction of individuals and payment methods.” (That means the pictures with the testimonials are not of the people who SOLD their testimonials.)
— “Some individuals purchasing the program may make little or NO MONEY AT ALL.” (emphasis mine.)
— AND, Elizabeth Jackson isn’t even REAL: “For purposes of privacy, the creator of Work At Home Position Placement is using the name Elizabeth Jackson.” (We’re disappointed. She sounded so sincere.)
— “Work At Home Position Placement is not affiliated with, endorsed by or in any way associated with Apple, Coleman, Adidas, Compaq, The New York Times, Esquire, America Online, CNN, USA Today, Forbes, Yahoo. Work At Home Position Placement does not have the express permission of Apple, Coleman, Adidas, Compaq, The New York Times, Esquire, America Online, CNN, USA Today, Forbes, or Yahoo logo.” And that leads one to wonder why those logos are on the Work At Home Position Placement page. (Clue #7)

Security certifications?

The page uses the following graphics, which don’t seem to mean anything, but do leave the impression that there some kind of certification body approving their security/privacy policies/business (Clue #8):

Wahr_order_webguard

Link to “training” site number two

A web search for the “Web Guard” graphics above (with the unique file name wahr_order_webguard.jpg) leads to a second “training” site:

https://internetcareerbuilder.com/jobs/order2_files/wahr_order_webguard.jpg

InternetCareerBuilder_has seals

Oddly, this site has the “Web Guard” graphics (above) on what appears to be an unused page and it carries other meaningless seals that state “Security Verified” and “Privacy Verified.”

Security Verified seals

They don’t link to any organization (the way legitimate certification seals do) and don’t offer any other information.

https://internetcareerbuilder.com/jobs/images/seals.gif

On InternetCareerBuilder.Com a visitor also is presented with:

“Special Report from Michelle Miller, the #1 work at home consultant in America”

Michelle’s pitch is just as wordy and enthusiastic as the fictitious “Elizabeth Jackson, America’s top work-at-home consultant” at workathomepositionplacement.com. And the cost of Michelle’s program: a familiar $197.

In the privacy policy, the site lists a Las Vegas, Nevada, address:

Internet Career Builder
11136 Ferragamo CT
Las Vegas, NV 89141
Effective Date:  August 25, 2009.

At least they didn’t deflate your enthusiasm by revealing that Michelle Miller is a fiction like Elizabeth Jackson just when you start to really like her.

Link to training site number three

Wahr_order_webguard

Doing an image search for “seals.gif” – the “Security Verified” and “Privacy Verified” seals above – oddly turns up the same graphic of the WebGuard seals on yet another “work from home” site:

http://www.auctiontrainingarea.com (caution)

AuctionTrainingArea

Here the shill is “Joseph Delafont” and he wants you to know (in a succinct 5,800 words):

AuctionTrainingArea _pitch

And the cost of the training is – you guessed it – $197.

The “earnings disclaimer” is in all caps and the central sentence:

“. . .WE DO NOT GUARANTEE OR IMPLY THAT YOU WILL WIN ANY INCENTIVES OR PRIZES THAT MAY BE OFFERED, GET RICH, THAT YOU WILL DO AS WELL, OR MAKE ANY MONEY AT ALL.”

The site’s Whois info is blocked

Administrative Contact:
   Whois Privacy Protection Service, Inc.
   Whois Agent   (vkytynhr@whoisprivacyprotect.com)
   +1.4252740657
   Fax: +1.4259744730
   PMB 368, 14150 NE 20th St – F1
   C/O auctiontrainingarea.com
   Bellevue, WA 98007
   US

Creation date: 05 Dec 2008 23:37:17
Expiration date: 05 Dec 2010 23:37:00

The address listed on the bottom of the page:
Olympiad Inc – C/O Nisbetts Chamber, Charlestown, St Kitts

The disclaimer, however, claims:

“This Agreement shall be governed by and construed in accordance with the laws of  Cyprus, without regard to its conflict of laws rules.”

Bogus security certifications can be very insecure

Wahr_order_webguard

Interestingly enough, the “Web Guard” graphics on the sites we discussed are good imitations of the seals of a questionable “Trust Guard” certification provided by:

http://www.1automationwiz.com/trust-guard.html (only go there with caution.)

Trust guard_real

Apparently nobody on the web has heard of it, and on Tuesday the site was infected with an iFrame Trojan: Trojan-Clicker.HTML.IFrame.fh (v)

1automationwiz


Conclusion:

We’ve listed eight clues that let you know that this flavor of work-from-home training scheme is probably not something you want to spend almost $200 on. Two of the sites, Work at Home Position Placement and InternetCareerBuilder, share most design elements and probably a Nevada connection. Obviously they’re part of the same business. The third, AuctionTrainingArea, which has the same graphic file on its site, is the same idea, possibly with a different owner.

And what about the bogus security certifications? Whoever designed the Work at Home Position Placement site obviously lifted the design of the certification graphics from 1automationwiz.com and that site either intentionally contains an iFrame exploit designed to download malware on your machine or has such bad security it got infected itself. That is not a “security” provider with any credibility.

Tom Kelchner

iTunes fraud: 400 accounts hit, developer banned

The AppleInsider site (not part of Apple) is reporting that Apple says about 400 iTunes accounts were involved Sunday when a Vietnamese developer’s applications were pushed to the top levels in the Apple App Store by fraudulent credit card purchases.

Developer Thuat Nguyen was banned from the store and his applications removed.

Observers believe that the victims’ credit card information was stolen, possibly by phishing, then used to make the fraudulent purchases. Apple has said its systems were not hacked.

Apple said App Store users should check their iTunes and credit card accounts for evidence of fraudulent transactions. The company also said it was ramping up security procedures.

Story here: “Only 400 iTunes accounts compromised in fraud, Apple says”

On Sunday, AppleInsider reported: “Apple’s iTunes Store users are increasingly being targeted in a number of fraud cases, some of which appear to be orchestrated by iOS app developers seeking to boost their sales rankings, and others which appear to be a widespread hack of user accounts.”

“The books in question are a low-quality series of mostly Japanese manga titles all published by ‘developer’ Thuat Nguyen, whose publishing company is listed by Apple as “mycompany” with a website of “Home.com.” It’s impossibly unlikely that 80% of the American App Store’s book sales were legitimately dominated by sales of shoddy anime book apps that are not localized, appear to violate intellectual property rights, and were all dumped into the App Store at once over a period of a couple days.”

Story here: “iTunes App Store hit by developer and account fraud”

Tom Kelchner

YouTube XSS attack becomes Panic in the Sky on Twitter

You’ve probably already heard about what happened with YouTube yesterday – an XSS vulnerability allowed people to perform all manner of, er, interesting things on video pages (mostly involving Justin Bieber, but quickly spreading to random videos). It started with the ability to block fresh comments, but quickly moved into the realms of scrolling text (the red “Come to Korea”):

Bieber Korea

…then delved into everything from Goatse redirects (if you don’t know, don’t ask – and don’t go Googling it in work, either) and text overlays to particularly nasty shock sites such as this one:

Bieber Jar

You REALLY do not want to go searching for the above. Trust me on this.

Google patched it up relatively quickly – however, I was more interested by other aspects of the attack.

Incorrect information filled sites such as Twitter and quickly took on a life of its own. This was on the front page of Twitter with over 100 retweets shortly after the cut-and-paste code action took place:

a virus?

Advising people to steer clear until the problem is fixed? That’s good. Lots of people running around telling lots more people that there’s a “virus”? That’s not so good.

The “virus” talk went viral, and you can see a huge slice of people amplifying the “virus” talk here. Even hours after it’s been fixed, people continue to talk about “getting infected” by a nonexistent virus and there’s a lot of unscheduled scans now taking place:

scans

This next chap took a swing at the “common folk”, which inevitably resulted in him having to apologise for something else afterwards:

misinfo1

misinfo 2

Here’s a popup on one of the videos, courtesy of 0ph3lia:

please delete...

“Malware has been detected. Please go to my computer, C Drive, Windows and delete the folder named System32 to correct this error”.

Of course, by the time the story had appeared on various news sites something like the above (a piece of self inflicted computer destruction) had become an honest-to-goodness exploit:

not exactly...

That is indeed “scary stuff”, but for entirely different reasons. Despite the attack having been fixed, there’s going to be a lot of screenshots like this doing the rounds for some time.

Anyway, I just thought the Chinese Whispers style misinformation clouding the actual attack was pretty interesting.

Something else to think about: if this exploit had been discovered by a professional moneymaking outfit, there could have been all sorts of subtle attacks taking place for a long time – not good, given the apparent simplicity of the attack.

In the time it took to launch all the popups, messages involving Bieber dying horribly and porno redirects I did see some small evidence of “the usual suspects” getting in on the act.

A collection of YouTube videos was obscured by a large, black overlay – if you held down your mouse button and highlighted inside it, you’d reveal some text:

bieber text

You’ll never guess what kind of scam artist jumped on the bandwagon:

bieber survey

Yes, one of those wonderful “fill in the survey to watch a film” portals that never actually seem to give you the promised reward – although in this case the reward is a Twilight movie so we’ll let them off with it this time.

Christopher Boyd

The Secret FarmVille Cow of Fail

Oh dear.

And when a writeup starts with that as an opener, you know you’ve got problems.

This is a Facebook page, with a rather happy cow on it:

secret cow

The cow is happy because it knows people like to click on things. In fact, they just can’t help themselves. 31,769 have clicked the “Like” button for this, and that doesn’t appear to be automated – after jumping through hoops, my test account hasn’t given this the “Thumbs up” so it seems like they’re just hitting “Like” because they like being scammed.

secret cow fun

If you want to “Adopt the secret cow”, you’ll have to move fast – you only have 1 hour and 18 minutes before the offer expires! Or at least, you would if it wasn’t a static image that is absolutely without any sort of timer. There’s also a mention of a FarmVille Game Bar underneath, but that doesn’t put in an appearance. Click the box, and…

yet more cow fun

Yes, you’re going to have to spam them with this in order to get your Secret Cow. Click the “Skip” button, and you’ll see a popup like this one:

do it! do it now!

Oh no! You’ll never get the ultra rare secret cow! A spamming we will go, then. Can you guess the reward for shunting the below spam to all and sundry?

Spam

Of course you can. It’s one of these things:

offers galore

Spamtacular.

In the time it took me to put this writeup together, the number of “Likes” has risen from 31,769 to 32,215 – an increase of 446 people in around 20 minutes. I wonder how many have realised the horrible secret of the secret cow:

It doesn’t exist. Sorry, kids.

Christopher Boyd

Nasty Twitter Spam on the loose

These links have been popping up over the last day or so, and seem to be related to the Twitter PDF spam run from a week or so ago. In all cases, the spam comes from accounts whose names have no space between first and last name, with two random letters at the end.

Spam

The one sent to me just now redirected me to a fake antivirus page:

fake av

spam popups

I’ve seen other links taking me to pages that tried to do something with Java, and another one that involved lots of women jumping around who apparently forgot to put some clothes on when they got up. I’ve no doubt there are all kinds of horrible things lurking on some of the pages linked to from this spam run, so please do try to avoid anything that looks like this:

more spam

Something particularly interesting where this spam run is concerned is the retweeting going on. There’s a couple in the above shot, but look at this:

retweet fail

Not sure why some of them show up as “zero retweet”, but there’s a lot of spam posts with 1 or 2 sitting underneath. The spammers are evolving! Run for the hills!

Well, it’s either that or regular users are happily retweeting the spam. Not sure I want to think about that possibility too much…

Christopher Boyd

Winner’s Circle Facebook phish

Here’s a Facebook phish that claims you’ve won $200,000,000 from “Zynga Special Gifts”, while displaying elements from the legit Texas Holdem Poker App page. It also pastes a popup box over the top:

Zynga Gifts

As I’m logged into Facebook, you can see a little picture of my head as Texas Holdem asks for permission to access my information. All of this is going to seem very convincing to a Facebook user unfamiliar with dubious popups and other nonsense. Let’s see where we go from here after clicking the popup:

Zynga popup

“Welcome to Winner’s Circle”, it says – along with a request for your email, password and “code” to prove you’re a legitimate winner. I’ve no idea what the Code is all about, but entering your data into the box and hitting the “Claim Gifts” button sends your login to the phisher.

Where this gets really interesting is the state of play this morning.

Visit the phish now, and Facebook redirects you to the following page:

Zynga phish warning

“Warning, the website that directed you here was not a Facebook page. If you entered your Facebook login information on the previous site, you will need to reset your password”.

While this is pretty clever, there is one small problem. The warning appears underneath the phish popup, which is still alive and kicking:

popup with warning

Performing a password reset depends upon the victim paying enough attention to notice the warning message once they’ve been phished – otherwise there won’t be any account reclaiming action taking place.

Still, it’s better than no warning at all. This one starts with a redirection link – bit(dot)ly/braovG, which now takes you to a Bit.ly warning page, and winner-gift(dot)110mb(dot)com/welcome(dot)htm, which is currently flagged as a phish by both Firefox and IE.

Christopher Boyd