Hacking Google Trends?

Search engine optimization (SEO) poisoning is nothing new, but here’s a nasty new twist. Early this morning someone apparently found a way to game Google Trends, sending an ugly racist string to the number one position on the “Hot Searches” list.

A post on the 4chan.org boards seemed to hint that someone, somewhere discovered something: “omg it works guyz every time”

4chan apparently took down a number of posts that contained the string.

By about 9 a.m. (EDT) Google was showing 269 hits for the string, many of which seemed to be sites that scrape Google Trends Hot Searches.

Searching the Google hits for the string didn’t really turn up much about its origin, but it did show some interesting SEO techniques in which web site owners scraped Google’s Hot Searches to attract visitors to their sites. This has the potential of amplifying any nastiness that anybody can get into the trends.

This site apparently scraped Hot Searches then told visitors they could see the “full un-edited version” by clicking on a link which took them to an anchor on the same page – thus getting (at least) two clicks for the price of one.

http://www.poodlesnatcher.com/comic-book-stores-4841/

This appears to be just nasty old fashioned hacking for (racist) kicks, however, the same mechanism could be used to pass along a link to sites with malicious drive-by downloads.

Bottom line: think twice before you click on Google’s Hot Searches.

Tom Kelchner

Mac OS X update with a twist

Adobe Flash Player in update is out of date

Apple has released its latest security update, 2010-004, which brings the Mac OS X Snow Leopard operating system up to version 10.6.4.

The company is telling users, however, that the version of Adobe Flash Player that ships with it must be updated. The OS X version install will not DOWNGRADE users’ Flash Player installations, so, if they had the latest Flash Player version (10.1.53.64) installed before the Apple update, they’re good to go.
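Checking that you really are at or above 10.1.53.64 is easy to get wrong if you compare version strings as text. The following is an added example, not code from Apple or Adobe: it reads CFBundleVersion from a Flash Player plug-in Info.plist and compares it numerically against the version in Apple’s notice. The plist embedded here is constructed for the demo; the path of the real file (/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist) and the use of CFBundleVersion as the version field are assumptions.

```python
import plistlib

# Version named in Apple's notice as the one that should be installed.
REQUIRED = "10.1.53.64"

# CONSTRUCTED Info.plist standing in for the real one, which (assumption) lives at
# /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist on the Mac.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.macromedia.Flash Player.plugin</string>
  <key>CFBundleVersion</key>
  <string>10.0.45.2</string>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '10.1.53.64' into (10, 1, 53, 64) so it compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_current(installed, required=REQUIRED):
    """True when the installed version is at least the required one.

    Comparing the raw strings is the classic mistake: '9.0.260.0' >= '10.1.53.64'
    is True as text because '9' sorts after '1'. Tuples of ints fix that; shorter
    tuples are zero-padded so '10.1' equals '10.1.0.0'.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def flash_version_from_plist(data):
    """Read CFBundleVersion out of an Info.plist (bytes)."""
    return plistlib.loads(data)["CFBundleVersion"]


def check_plist(data):
    """Return (installed_version, ok) for a plist blob."""
    version = flash_version_from_plist(data)
    return version, is_current(version)


if __name__ == "__main__":
    version, ok = check_plist(SAMPLE_PLIST)
    print(f"Flash Player {version}: {'current' if ok else 'update needed'}")
```

On a real machine, replace SAMPLE_PLIST with the bytes of the plug-in’s Info.plist; the comparison logic is the part worth keeping.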

See Apple notice here: “Apple Security Update 2010-004 / Mac OS X v10.6.4 Shipping with Outdated Version of Adobe Flash Player”

Tom Kelchner

AT&T iPad database hacker arrested for drugs

CNet is reporting that Goatse Security group member Andrew Auernheimer, 24, (also known by the handles “Weev” and “Escher”) was arrested by Fayetteville, Ark., police after officers serving an FBI search warrant at his home allegedly found cocaine, ecstasy and LSD. He faces four felony counts and one misdemeanor count of possession of a controlled substance.

Last week the Goatse group publicized their hack of AT&T servers and said they had obtained email addresses and SIM ICC-ID numbers of 114,000 purchasers of the new 3G Apple iPad. The accounts included those of prominent federal government, military, media and corporate officials.

Auernheimer is being held in Washington County Detention Center in Fayetteville, Ark., without bail awaiting a June 18 preliminary hearing. Authorities have not made public the reason for the search warrant.

Story here: “Hacker in AT&T-iPad security case arrested on drug charges”

See Sunbelt Blog June 11 post “FBI looks into AT&T hack that revealed iPad 3G owner info”

Tom Kelchner

“Attention: Lottery Winner,”

Now this wouldn’t be some kind of rip off spam would it?

You’ve won the sum of NINE HUNDRED AND FIFTY THOUSAND POUND
(£950,000.00) from the UK GOLF INTERNET emails Lottery Edition 2010

TO RECEIVE AND CLAIM YOUR PAYMENT OF PRIZE

The English seems a bit shaky.

You are therefore advised to send the following information to our claims agent(Mr.Piland woods) to facilitate the remittance of your winning prize to you at once from the UK GOLF INTERNET EMAILS LOTTERY.

They want the kind of information that scammers usually want:

1. Full name…………
2. Country…………..
3. Contact Address……..
4. Telephone Number…….
5. Marital Status………
6. Occupation………….
7. Company…………..
8. Age………………..

They don’t really have a company Internet presence. Their “site” is a LinkedIn account.

You can also view our lottery site :
http://uk.linkedin.com/in/internetgolflottery

They are “fully special” and they “glob round the world” – yeah, that sounds REAL legitimate.

The writer doesn’t seem to know that in English you capitalize last names.

Mr.Piland woods. (VERIFICATION DEPARTMENT MANAGER)

And “Mr.Piland woods” does business from a hotmail email address.

Email: golf_internet222@hotmail.com

LOTTERY VERIFICATION DEPARTMENT MANAGER

Google Maps and Street View reveal that their company headquarters is a billboard advertising the “Sex and the City” movie.

GOLF INTERNET EMAIL LOTTERY 2010
21 Craven Park, Harlesden
London NW20, United Kingdom.
Batch number: 12/25/0340
Ref number: MSN-L/200-26845

Winning number: GQ-667890-D

My guess is that it’s a troll for some kind of Nigerian 419 operation (in spite of the fact that they are “a blessed company”).

Thanks Bharath

Tom Kelchner

.gov website plays host to UK banking phish collection

The Gobernación Departamento Central (or “Central Department”) is a curious thing. A Department is (according to Wikipedia) an

“administrative political subdivision of a country established by the cognizant (usually legislative) government authority holding sovereign power for the territory.

Departments are roughly equivalent to a state, province or county”.

Now that’s out of the way, we can take a look at something rather nasty on the Central Department .gov portal which can be found at central(dot)gov(dot)py.

Here’s what the site looks like to the regular visitor:

However, digging around the site reveals something a little disturbing:

phishes galore

No fewer than fourteen different banking / financial services phishes, including Barclays, Abbey, Northern Rock, Halifax and Lloyds TSB. Clearly, someone is desperate to get their hands on as many UK banking credentials as possible. These phishes are all online at the moment, although some appear to be flagged in browsers such as Firefox. We’ve contacted the hosts and hopefully all of the above will be offline shortly.

Christopher Boyd

Runescape account extender goes phishing

While Runescape is free to play, you can upgrade your account with a variety of billing options in order to gain access to features that free users cannot obtain. As a result, paid up accounts are popular targets of phishers and scammers who like to go trading accounts on forums, and sell all of your pointy wizard hats just to annoy you.

If you run the below program, you’re going to lose your pointy wizard hats.

Presenting the “Runescape Screwover”:

While a very crude looking program, it does have a “Click here to add 30 member days” checkbox on it and that combined with endless fake Youtube comments will mean lots of people throwing their login details away.

fake youtube comments

“I’m selling membership to people now because of this” is a particularly nice touch.

Only one small problem – the program is a phisher. There are two standout clues:

1) The program has a bunch of email addresses inside it that the data is mailed to once you enter your login details.

who is your info going to?

2) The executable actually says “phisher” in the description text.

Gee, I wonder if this is a phisher

Of course, that won’t prevent some people from running the program and sending their login to Mr Pointy Hat Stealer. One to avoid? Most definitely.

We detect this as Trojan.Win32.Runeover.A.
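Both clues above, the drop addresses baked into the binary and the “phisher” in the description text, fall out of a strings pass before anything is run. The following is an added example, not Sunbelt’s detection logic and not code from the phisher: it pulls e-mail addresses out of a byte blob whether they are stored as ASCII or as UTF-16LE (the encoding PE version resources and many .NET/Delphi string tables use) and reads the FileDescription value out of the version resource. The SAMPLE_EXE bytes are constructed for the demo and stand in for the real file.

```python
import re


def wide(text):
    """Encode text as UTF-16LE, the way PE version resources store strings."""
    return text.encode("utf-16-le")


# CONSTRUCTED stand-in for the executable: junk bytes around an ASCII SMTP host and
# drop address, a UTF-16LE drop address, and a version-resource FileDescription.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"smtp.example.com\x00drop.box.1@example.com\x00"
    + b"\x8b\xec\x83\xc4"
    + wide("drop.box.2@example.net") + b"\x00\x00"
    + wide("FileDescription") + b"\x00\x00\x00\x00"
    + wide("Runescape Phisher") + b"\x00\x00"
    + b"\xff" * 16
)

EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Six or more printable chars each followed by a NUL: a UTF-16LE string run.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
SUSPECT_WORDS = ("phish", "stealer", "keylog", "logger")


def wide_strings(data):
    """Printable UTF-16LE runs, decoded."""
    return [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]


def find_emails(data):
    """E-mail addresses embedded as ASCII or as UTF-16LE."""
    found = {m.group().decode() for m in EMAIL.finditer(data)}
    for s in wide_strings(data):
        found.update(m.group().decode() for m in EMAIL.finditer(s.encode()))
    return sorted(found)


def file_description(data):
    """Value of the FileDescription entry from a VS_VERSIONINFO block.

    Each String in the resource is the UTF-16LE key, padding, then the UTF-16LE
    value, so the wide string that follows 'FileDescription' is the description.
    """
    runs = wide_strings(data)
    for i, s in enumerate(runs):
        if s == "FileDescription" and i + 1 < len(runs):
            return runs[i + 1]
    return None


def triage(data):
    """Cheap pre-sandbox verdict: drop addresses or a self-incriminating description."""
    emails = find_emails(data)
    desc = file_description(data) or ""
    flagged = bool(emails) or any(w in desc.lower() for w in SUSPECT_WORDS)
    return {"emails": emails, "description": desc, "flagged": flagged}


if __name__ == "__main__":
    print(triage(SAMPLE_EXE))
```

Plain `strings` misses the UTF-16LE addresses unless you ask for wide encodings, which is why the scan does both.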

Christopher Boyd

Russian ISPs will be required to purge “extremist” web content

ReadWriteWeb is citing a story in Russia’s state paper Rossiiskaya Gazeta that said the Russian prosecutor’s office is moving to require Internet service providers to block web sites that carry “extremist” content.

“Freedom of speech advocates in Russia call the extremism laws too vague and sweeping, arguing that they are open for abuse by government officials,” they wrote.

“Surprisingly, surveys show that many Russians actually favor government control of the media. A 2005 study found that 82% of Russians were in favor of censorship on television, though generally that referred to the removal of “ethically questionable” material (such as sex or violence) rather than the suppression of free political thought. It should be noted that Article 29 of the Russian Constitution guarantees freedom of the press.”

Story here: “Internet Censorship Coming to Russia”

It just amazes me that the governments of major countries in this world spend so much time and effort trying to suppress Internet discourse about sex and political dissent. Yet they largely ignore entire “bullet-proof” ISPs that provide services for financial criminal activity, the banking fraud industry, vast numbers of pharma sites and sites selling goods that infringe on patents.

Do they believe that sites with sexual content are low-hanging-fruit? Clearly the suppression of opposition voices helps keep them in power.

The only half effective attack on crime on the Internet seems to be civil litigation against those distributing massive amounts of copyrighted materials and (in the U.S.) regulatory bodies — chiefly the Federal Trade Commission — going after rip-off artists. And those only started in earnest in the last year.

Also in the U.S., the FBI has made one token campaign against money mules — the linchpin of ACH transfer fraud that rakes in over $100 million per year, apparently for residents of Ukraine. That was probably to get the attention of the idiots who fall for the “work from home” scams and get recruited to wire money out of the country.

China, which seems to shoot itself in the foot every time it tries to do anything (remember Green Dam), at least got something half right when it started requiring real identification of the owners of domains. The half they got wrong was forbidding non-registered business entities from obtaining domains at all.

And, (as long as I’m on a screed) why is the U.S. the second biggest haven for the world’s spammers? At least Brazil – the number one – can claim it’s a developing nation.

Beam me up Scotty! FAST!

Tom Kelchner

2013 solar flares could cause major blackouts

Not with a bang but a crackle

Scientists at the U.S. National Aeronautics and Space Administration (NASA) have said that the peaks of two cycles in the Sun will coincide in 2013 to produce massive magnetic storms that could shut down power grids and disrupt the operation of GPS navigation, portable digital devices and even microcomputers. And the storms could begin very abruptly.

Dr Richard Fisher, director of the Heliophysics division at NASA, said in an interview with the Telegraph of the UK that the Sun’s 22-year magnetic energy cycle and 11-year sunspot cycle will coincide in 2013 and hit the Earth with high levels of magnetic radiation.

It is possible, though unlikely, that large areas could be without power for several months, Fisher said.

“We know it is coming but we don’t know how bad it is going to be,” he said.

Story here: “NASA warns solar flares from ‘huge space storm’ will cause devastation”

Tom Kelchner

Vista Trojan appears

Our good friends at Webroot found this: A Trojan that only runs on Windows Vista or Win7.

Andrew Brandt blogged that when Webroot researchers analyzed a sample of Trojan-Downloader-Tacticlol they found it ran on Windows Vista, but wouldn’t run on a Windows XP machine at any patch level. He said it’s one of those utility Trojans that runs after a machine is rebooted and can download a variety of malware.

The Trojan turned up as an infected .zip attachment, disguised to look like a Microsoft Word document, in a spam email with a subject line: “Statement of fees 2009/2010.”

Brandt’s very nicely done analysis is here: “Spammed Trojan Won’t Run Under Windows XP”
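Brandt’s post is the analysis of why this sample behaves as it does; the following is an added example, not Webroot’s code or their finding. It shows one header-level reason a file simply will not start on XP: the PE optional header carries a MajorSubsystemVersion/MinorSubsystemVersion pair, and the Windows loader refuses an image whose subsystem version is higher than the OS it is running on (XP is 5.1, Vista 6.0, Windows 7 6.1). Whether Tacticlol uses this or just calls Vista-only APIs is not stated in the source, so treat it as an assumption. The PE bytes here are constructed headers only.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC, PE32PLUS_MAGIC = 0x010B, 0x020B
OPT_HEADER_SIZE = 224          # PE32 optional header, with data directories
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100

# Windows versions as the loader sees them (major, minor).
WINDOWS = {"XP": (5, 1), "Vista": (6, 0), "7": (6, 1)}


def build_pe_header(subsys_major, subsys_minor):
    """CONSTRUCTED headers-only PE image for the demo (no sections, not runnable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<HH", opt, 40, subsys_major, subsys_minor)   # OS version
    struct.pack_into("<HH", opt, 48, subsys_major, subsys_minor)   # subsystem version
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0,
                       OPT_HEADER_SIZE,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def subsystem_version(pe):
    """(MajorSubsystemVersion, MinorSubsystemVersion) from the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # The two subsystem version words sit at offset 48 in both PE32 and PE32+.
    return struct.unpack_from("<HH", pe, opt + 48)


def loader_accepts(pe, windows):
    """Windows refuses to run an image whose subsystem version exceeds its own."""
    return subsystem_version(pe) <= WINDOWS[windows]


if __name__ == "__main__":
    for label, pe in (("6.0 image", build_pe_header(6, 0)),
                      ("5.1 image", build_pe_header(5, 1))):
        verdict = {w: loader_accepts(pe, w) for w in WINDOWS}
        print(label, verdict)
```

Point `subsystem_version` at a real sample and a 6.0 result tells you, before any sandbox run, that an XP box will report “not a valid Win32 application” rather than show you the payload.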

Tom Kelchner

PDF exploit spam run on Twitter

There appears to be a bit of a mad dash to infect people by the boatload on Twitter, with a variety of different messages being sent to random targets:

exploit links galore

The above account endlessly says “Wow, a marvelous product”. Click the link, and you might be redirected to some sort of paid movie service:

pay to watch

If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await.

PDF exploit

We detect the above as Exploit.PDF-JS.Gen(v). Some of the other phrases used for this spamrun include:

Wow, An incredible Product
Wow, A shocking Discovery
Watch This
I Just Cant Beleive This
Wow, A stunning Product
Wow, A Revolutionary Product
Wow, A fascinating Site

This isn’t the first malicious spamrun on Twitter, and it certainly won’t be the last. With that in mind, it might be best to avoid random links sent to you from strangers. You never quite know what’s at the other end…

Christopher Boyd

Hat tip to Ed Bott, who sent over one of the links last night.

Oz AG DOESN’T want ISPs to retain browsing histories

ZDNet Australia is carrying a story today saying that country’s Attorney-General Robert McClelland said he was NOT considering a controversial data retention policy that would require ISPs to track Australians’ web browsing history.

A spokesman for McClelland’s office said, “This is not about web browser history. It’s purely about being able to identify and verify identities online.” He said the initiative was intended to give law enforcement authorities the ability to track criminals.

Friday the AG’s Department said it had been examining the European Directive on Data Retention and considering similar regulations for Australia. “The directive requires telcos to record and retain data such as the source, destination and timing of all emails and telephone calls — even including Internet telephony,” ZDNet said.

Story here: “Govt denies it wants web history records”

For earlier story on Sunbelt Blog see: “Oz AG wants ISPs to retain browsing histories”

Tom Kelchner

Bill would give U.S. DHS control of Net security

Homeland Security could become regulatory agency

A bill submitted in the U.S. Senate would give the U.S. Department of Homeland Security responsibility for security of the Internet and give the president emergency authority over private networks, according to TheHill.com.

The bill was introduced by members of the Senate Homeland Security and Governmental Affairs Committee. Senators Susan Collins (R-Maine), Joe Lieberman (I-Conn.) and Thomas Carper (D-Del.) made a floor statement introducing the legislation.

Lieberman said “Our economic security, our national security, our public safety are all at risk as a result from new kinds of enemies with new kinds of names like cyber warriors cyber spies, cyber terrorists and cyber criminals. And that risk may be as serious to Homeland security as anything we face today.”

TheHill.com wrote: “Privacy advocates are likely to raise concerns about the emergency provisions; the decision to house operational security at DHS will also likely meet with opposition. Critics point to (Gen. Keith) Alexander’s role as proof the intelligence community already has too much influence over cybersecurity.”

Alexander is the head of the National Security Agency and commander of the new U.S. Cyber Command.

Story here: “Cybersecurity legislation that would put DHS in charge of civilian cybersecurity to get hearing”

Tom Kelchner

World Cup Visa Phishers come off the bench

Without wanting to turn into this guy, it’s fair to say that World Cup scams are underway. A friend of mine contacted me in relation to an Email that dropped into his mailbox – good job he did.

VISA Brazil are running a number of promotions that involve picking up “travel points” every time you use their cards with the ultimate aim of winning a trip to the World Cup. Of course, this has “phish target” written all over it – enough that the official site pops a warning message that I can share with you thanks to the wonders of Google Translate:

“Visa will never ask the full number of your card and bank details or send direct links in mail and promotional campaigns.”

Good advice. Anyway, this is the site his email was directing him to:

fake phishing site

The site is located at visaevocenacopa2010(dot)110mb(dot)com, and as you can see it asks for various bits and pieces of personal information along with the all important card details. Seeing a fake “You have been registered” message appear onscreen isn’t going to be much consolation when the phisher is going into extra time with your card details, so please take care.

Christopher Boyd

Malicious PDFs cause trouble at the Ministry

It seems someone compromised the ministryofrum(dot)com recently, replacing an understanding and appreciation of rum with malicious PDF files instead.

the ministry

The site is fixed now, but compare the clean site results here with the results served up while the page wasn’t looking too healthy.

The PDFs were coming from korvet(dot)in, and you can see some of the VirusTotal results here (6/40) and here (24/41). Those are Alureon and Sasfis variants, typically linked to scareware installs, banking trojans and keyloggers – not really what you want ending up on your computer. It seems that the files loaded up are a little bit random, so detection rates could go up or down depending on what happens to be served at the time (and I’m certainly not talking about rum).
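The korvet(dot)in PDFs here and the Exploit.PDF-JS.Gen(v) files in the Twitter spam run above have the same shape: a document that runs JavaScript as soon as it opens. The following is an added example, not Sunbelt’s signature and not the exploit files themselves: a first-pass scanner that looks for the names that make a PDF act on open (/OpenAction, /AA) and carry script (/JS, /JavaScript), undoes the #xx hex escaping that exploit kits use to hide those names, and inflates FlateDecode streams to look for the usual shellcode and heap-spray fragments. The sample PDF is constructed and its script is harmless.

```python
import re
import zlib

SUSPICIOUS_NAMES = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia"}
# Fragments that show up in exploit scripts (shellcode strings, heap sprays, API calls).
JS_INDICATORS = (b"unescape(", b"%u", b"eval(", b"app.", b"util.printf(")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME = re.compile(rb"/[A-Za-z]+")


def build_sample_pdf():
    """CONSTRUCTED PDF: hex-escaped names and a Flate-compressed script (harmless)."""
    script = b"var s = unescape('%u9090%u9090'); app.alert(s);"
    body = zlib.compress(script)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /S /Java#53cript /J#53 4 0 R >> endobj",
        b"4 0 obj << /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def normalize_names(text):
    """PDF lets /J#53 stand for /JS; undo the escapes so obfuscated names match."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text)


def inflated_streams(data):
    """Decompressed bodies of every stream that inflates; others are skipped."""
    out = []
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return out


def scan_pdf(data):
    # Work on the dictionaries only; stream bodies are binary and checked separately.
    outside = STREAM.sub(b"stream\nendstream", data)
    obfuscated = NAME_ESCAPE.search(outside) is not None
    names = {n.decode() for n in NAME.findall(normalize_names(outside))} & SUSPICIOUS_NAMES
    blobs = [outside] + inflated_streams(data)
    indicators = sorted({i.decode() for i in JS_INDICATORS for b in blobs if i in b})
    auto_run = bool(names & {"/OpenAction", "/AA"})
    has_js = bool(names & {"/JS", "/JavaScript"})
    return {
        "names": names,
        "obfuscated_names": obfuscated,
        "js_indicators": indicators,
        "suspicious": (auto_run and has_js) or obfuscated or bool(indicators),
    }


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

This is a triage filter, not a parser: it will miss scripts split across object streams or encoded with filters other than Flate, which is exactly the kind of variation that moves the VirusTotal counts between 6/40 and 24/41.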

Thanks to Todd Towles for the heads up!

Christopher Boyd

Oz AG wants ISPs to retain browsing histories

The Australian Attorney-General’s Department is working on a controversial data retention requirement that would have Internet service providers in the country hold on to users’ browsing histories for years for law enforcement investigations.

ZDNet.com.au is reporting that the AG’s department has been in discussions with industry representatives who are generally not in favor of it.

The AG’s department said in a statement: “The Attorney-General’s Department has been looking at the European Directive on Data Retention, to consider whether such a regime is appropriate within Australia’s law enforcement and security context. It has consulted broadly with the telecommunications industry.”

ZDNet wrote: “Currently, companies that provide customers with a connection to the internet don’t retain or log subscribers’ private web browsing history unless they are given an interception warrant by law enforcement, usually approved by a judge. It is only then that companies can legally begin tapping a customer’s internet connection.”

Colin Jacobs, chair of the Electronic Frontier Australia said, “At some point data retention laws can be reasonable, but highly-personal information such as browsing history is a step too far. You can’t treat everybody like a criminal. That would be like tapping people’s phones before they are suspected of doing any crime.”

Story here: “Govt wants ISPs to record browsing history”

Tom Kelchner

Finland considers legalizing unauthorized Wi-Fi use

The Finnish Ministry of Justice, citing the fact that there doesn’t seem to be much harm done by the unauthorized use of unsecured Wi-Fi networks, is investigating the possibility of decriminalizing it.

The ministry pointed to the difficulty in monitoring networks and the ease with which someone can use an unprotected network undetected. They also pointed out that users could find it difficult to know when an open network is public or private since there are many networks available in public places in the country.

Google translation of Finnish article on yle.fi here: “Extracts from the wireless network becoming legitimate”

This probably isn’t a bad idea. The BAD idea is carelessly USING public Wi-Fi networks where malicious operators could easily be sniffing traffic. They are places where road warriors should be using VPN connections to communicate with company networks, and nobody should be logging on to their bank web account or doing credit card transactions.

Tom Kelchner

FBI looks into AT&T hack that revealed iPad 3G owner info

The FBI has said that it will investigate the hack of AT&T servers that compromised account details of 114,000 iPad 3G users.

Intruders extracted the data by entering batches of iPad ICC-IDs by way of specially formatted HTTP requests. AT&T fixed the exposure Tuesday, according to news accounts.
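What makes a lookup keyed on the ICC-ID so easy to harvest is that ICC-IDs are issued sequentially and end in a Luhn check digit, so an attacker can generate every syntactically valid ID in a range rather than guess. The following is an added example, not AT&T’s script and not Goatse Security’s code: a constructed subscriber table behind a lookup that takes only the ICC-ID (the flaw as described above), the batch walk that harvests it, and a hardened lookup that binds the record to the authenticated device. The issuer prefix, field widths and addresses are made up for the demo.

```python
# Fictitious issuer prefix (89 = telecom industry, the rest made up) for the demo.
ISSUER_PREFIX = "89999000"


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass the Luhn test.

    ICC-IDs (like card numbers) end in a Luhn digit, so an attacker does not need
    to guess it: every sequential account number yields exactly one valid ICC-ID.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == int(number[-1])


def iccid_range(prefix, start, count):
    """Sequential ICC-IDs with valid check digits (widths are assumptions)."""
    for n in range(start, start + count):
        payload = f"{prefix}{n:010d}"
        yield payload + str(luhn_check_digit(payload))


# CONSTRUCTED subscriber table, as a carrier back end might hold it.
SUBSCRIBERS = {iccid: f"user{i}@example.com"
               for i, iccid in enumerate(iccid_range(ISSUER_PREFIX, 111_111_100, 5))}


def lookup_vulnerable(iccid):
    """The flaw: anyone who supplies a syntactically valid ICC-ID gets the e-mail."""
    return SUBSCRIBERS.get(iccid)


class Session:
    """Authenticated device session; iccid is what the carrier has on record."""
    def __init__(self, iccid):
        self.iccid = iccid


def lookup_hardened(iccid, session):
    """Bind the record to the caller: a session may only read its own ICC-ID."""
    if session is None or session.iccid != iccid:
        raise PermissionError("ICC-ID does not belong to the authenticated session")
    return SUBSCRIBERS.get(iccid)


def harvest(prefix, start, count):
    """What the batch requests did: walk the ID space and keep the hits."""
    hits = []
    for iccid in iccid_range(prefix, start, count):
        email = lookup_vulnerable(iccid)
        if email:
            hits.append((iccid, email))
    return hits


if __name__ == "__main__":
    for iccid, email in harvest(ISSUER_PREFIX, 111_111_098, 10):
        print(iccid, email)
```

The hardened version closes the hole because the identifier in the request must match the identity the server already knows; per-client rate limiting on top of that would have made the “batches” of requests stand out in the logs even before the fix.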

FBI spokesman Jason Pack said, “The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat.”

The hackers obtained the addresses of prominent federal government, military, media and corporate officials.

Story here: “FBI investigating AT&T security breach that revealed iPad owner emails “

According to the story yesterday on the Gawker blog:

“The subscriber data was obtained by a group calling itself Goatse Security. Though the group is steeped in off-the-wall, 4chan-style internet culture—its name is a reference to a famous gross-out Web picture—it has previously highlighted real security vulnerabilities in the Firefox and Safari Web browsers, and attracted media attention for finding what it said were flaws in Amazon’s community ratings system.

“Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet.”

Hmmm, let’s see: a group hacks a server with email details of early adopters of the hottest new product on the planet, chortles about the military and White House accounts it found and exposes them. And maybe they were expecting the FBI NOT to jump on this?

Wow! That’s world class stupid! They can’t even claim they were looking for information about UFOs.

Tom Kelchner

Survey Assassin assassinates itself

Not so long ago, script kiddies would happily give away their leet haxing tools to all and sundry – the only cost was using up some bandwidth to grab them, though of course sometimes their programs came with something a little extra and the cost would rise dramatically for the unfortunate “victim”.

These days it’s a growing trend to see people attempting to make money from their downloads in a very specific way that infuriates both researcher and script kiddie alike. Here’s a typical Youtube video advertising some sort of hack related shenanigan.

download my stuff please

Notice it has two different download links, because they want to make as much money as possible. If you visit the links, you’ll see lots of pages that look like this:

it's survey time

“Regular download” means you’ll have to fill in a survey to access the download link:

oh dear

Every time you fill one in, the uploader makes some money. More often than not, files uploaded to pay-to-access sites are worthless, or don’t perform as advertised. This is bad for security researchers, who don’t particularly want to generate income for the uploader to get their hands on the file. It’s also bad for random web users who have no real way of knowing what they’re going to end up with before signing their life away to adverts, spam and marketing databases.

With that in mind, I was rather amused to see someone advertising a program designed to get around pay-to-download services such as Sharecash:

download bypass program

Download the program, run it and you’ll be working your way around all of those surveys in no time. It’s a hacking / cracking tool buffet and everyone is invited!

It sounds good. However, clicking the link on the video takes you to the homepage (which has been around since 2009):

downloading tool website

What do you think happens when you hit the Download button?

oh the irony, or something

You couldn’t make it up.

Christopher Boyd