Month: February 2011

It always pays to be on your guard, as a phish attempt may crop up in the most unlikely of places.

Sure enough, we have an example of a scammer going phishing on Play(dot)com, the second biggest online retailer in the UK market. Play allows individuals to buy / sell their wares, much like the Amazon marketplace. Here’s an example of what I’d see while shopping for Batman DVDs (because really, what else am I going to be wasting my money on?):

Sellers are awarded ratings depending on how awesome they are at selling things – or not. Thanks to MrTom for sending this one over, because what seemed like a bargain videogame purchase resulted in the following email from a seller:

Yes, it’s the old “Problem with payment” trick so beloved of scammers on sites such as eBay (with random “verified by..” graphics to sweeten the deal) . What makes this attempt particularly silly is the following ramble regarding security:

“fill in the following secure form by clicking reply you should then be able to fill in the form. This is just for verfication and a security check  please note we do not see any of your personal details as its encrypted through our server and part of data protection”

There is, of course, no “secure form” – all the victim is doing is sending a regular email to a @live.co.uk account. It’s worth bearing in mind that a copy of said email could well be stored on the servers it passes through, which isn’t really the best thing in the World when you just sent your card details to the Wallet Inspector.

The scammers here are rather lazy, too – hyperlinking their images from other sources and causing a little brand damage in the process. You should NEVER send a seller your card details in this manner, especially if they’re claiming there are problems and asking for card details via email. Play(dot)com is setup so that you’d never have to do this – any other reputable merchant would be doing the same thing.

Unfortunately these kind of scams cause a chilling effect for new sellers and makes it more difficult to get started selling Batman DVDs – and while you’ll get your money back from the initial transaction made through the Play(dot)com system, you may find it’s a little more tricky to get results after firing the “Take my money, and take it now” emergency flare in the general direction of an Email scammer.

Christopher Boyd

I’m almost certain this compromise of a .gov.uk domain (specifically, a page added to chickerell-tc(dot)gov(dot)uk) is supposed to be humorous, but you never know:

If the intention is to freak the site owners out with an introduction to those guys that pull the strings, using Tupac related references on a local council .Gov site in the Dorset area of the UK may not have the desired effect.

I’m informed the site owners have been notified, and we’ve dropped them a line as well – the compromise is still live at time of writing, but there doesn’t appear to be any Malware involved.

We’re through the looking glass with this one…

Christopher Boyd

Not so long ago, we heard news of a “Playstation 3 rootkit” which turned out to be rumours based on misinterpretation of comments made in IRC.

Today, we wake up to the alleged relevation that your “credit card info is not secure” on the Playstation 3 network. This all stems from a five page research document entitled “Call of Privacy: Modern Spyware by Playstation network”.

Click to Enlarge

As a result of the above document mentioning unencrypted credit card data, reports quickly spread that your payment information was being sent unencrypted across the network, which seemed strange (what happened to SSL?) – and sure enough, it seems initial reports were inaccurate. The (theoretical) danger to your payment details is an issue when using custom firmware – otherwise, you should be fine. Even then, the attacker would apparently have to use custom firmware, certificates, proxies and third party DNS.

The research document above did mention that custom firmware was the reason payment information was being sent unsecured, but that seems to have got lost in the background noise – even though the sole reference to credit cards takes up one single page out of the five. The rest of the document mainly talks about banhammers, the fact that SONY may know what kind of television you have connected to the PS3 and provides links to the (completely unrelated) rootkit story from 2005.

Ars Technica has an updated article which sheds some light on the confusion. For now, if you’re running non custom firmware on your PS3 you shouldn’t panic too much about this one.

Christopher Boyd

As you can see, the budding phish hunter needs to be careful – while using genuine login credentials and having all your information stolen to verify a phish is a new one on me, many phish directories can host malware, drivebys, extremely dubious pornography and more besides.

Here’s a file being hosted on Dropbox(dot)com that popped up on the Phishtank list today and (instead of being a phish, as you might expect) is a live infection called “Cheque487002.com”

A file ending in .com is highly unlikely to be your friend. In this case, we have an 18/42 detection rate for a data theft Trojan we detect as BehavesLike.Win32.Malware.rwx (mx-v).

As a sidenote, I’ve noticed a lot of scammers taking advantage of Dropbox(dot)com lately – everything from fake IRS tax returns and Paypal to Runescape logins and, er, Barbara Streisand albums.

Suddenly that malware looks a lot more appealing…

Christopher Boyd

Java is out of date on more than 40 percent of machines

Wolfgang Kandeck, CEO of Qualys, said during a presentation at the RSA Security Conference in San Francisco that 80 percent of browsers his company’s BrowserCheck service checked were missing one or more patches, ComputerWorld has reported.

BrowserCheck checks for vulnerabilities in browsers (on Windows, Linux and Mac) and 18 browser plug-ins. Plugins include Flash and Reader (Adobe), Java (Oracle) and Silverlight (Microsoft) and Windows Media Player (Microsoft).

Excluding plug-ins from the figures showed that 25 percent of the machines scanned by BrowserCheck last month had an unpatched browser.

The fact that there are a lot of unpatched machines out there isn’t a surprise, but the fact that there are so many is shocking. Apparently Kandeck said as much in his presentation.

The average home user needs to be made aware of the importance of updates and it would probably help if it were a bit easier.

Tom Kelchner

The “BBC Lottery” scam mails are in circulation once again, with the following missive appearing in mailboxes:

—–Original Message—– From: BBC ONE NATIONAL LOTTERY
Sent: Wednesday, February 16, 2011 12:05 PM
Subject: “Final Notification”

Contact (Mrs. Winifred Peterson) with your Payment processing form for
payment of £1,263,584.00 POUNDS which your email won in THE BBC ONE
NATIONAL LOTTERY.
PAYMENT PROCESSING FORM:
(1) FULL NAME:
(2) FULL ADDRESS:
(3) NATIONALITY:
(4) AGE:
(5) OCCUPATION:
(6) TELEPHONE NUMBER:
(7) SEX:
(8) COUNTRY OF RESIDENCE:

Sincerely,
Mrs. Myleene Klass
Lottery Presenter General.
BBC One Lotto.

Apart from the fact that Myleene Klass is NOT going to send you a random email claiming you won lots and lots of money, “Mrs. Winifred Peterson” is a dead giveaway – appearing in many BBC Lottery scams time and time again. Of course, not actually playing the Lottery but winning anyway might also set some alarm bells ringing. Thanks to MrTom for sending this one over.

Christopher Boyd

Sometimes, a piece of software is released with a couple of bugs.

More often than not, videogames hit the shelves with a ton of the things – and since console games can be patched / updated just like their PC counterparts, the old days of “get it right first time” are fading fast.

Every now and again, a title comes along that is so stuffed with glitches and bugs you may wonder how it managed to escape the testing labs. Despite being a wonderful game, Fallout New Vegas is one such title.

Here’s a list longer than your arm of bugs, gitches and fixes. Here’s a Top Ten collection of Youtube videos highlighting said problems. I myself have experienced very strange things, and no doubt quite a few of you out there have similar tales.

What this means is we have a great target for scammers to take advantage of: frustrated gamers hungry for a game fixing patch (or twelve).

We’ve seen a few emails in circulation on various security lists, forums and elsewhere mentioning a harmful update for Fallout New Vegas. Here’s an example:

Click to Enlarge

The Torrent includes four files – an MSInfo file containing details of the “update”, the update itself which weighs in at 216MB and two smaller executables.

Click to Enlarge

While there’s no way to know who infected the file, it certainly sounds tempting to anyone having problems with the game.

This is what it claims to fix:
     
Pip-Boy Interface Repair Menu  Caravan  Weapons and Weapon Mods  Hardcore Mode  Perks   Skills  Crafting Recipes  Crafting Menu  Mojave Express  Chems/Addiction  doctors vendors preorder dlc items reputation system radio stations companion fixes companion quests

Fixes following quests: Ain’t that a kick in the head, by a campfire on the trail, they went that a way, my kind of town, boulder city showdown, ring a ding ding, king’s gambit, for the republic part 2, render unto caesar, et tumor, brute? The house always wins, wild card, beyond the beef, Gi blues, How little we know, oh my papa, Still in the dark, you’ll know when it happens, arizona killer,  eureka, veni, vidi, vici, all or nothing, no gods no masters, birds of a feather, i put a spell on you, come fly with me,    that lucky old sun, don’t make a beggar of me, the white wash, ghost town gunfight, restoring hope, bleed me dry, aba daba honeymoon, tend to your business, wang dang atomic tango, flag of our foul ups, debt collector, talent pool, left my heart, someone to watch over me, hard luck blues

In a nutshell, it pretty much fixes the whole game. Humorously, the above hasn’t been put together to fool end-users into downloading a “magic patch” – it’s actually a genuine update(!)

The two small files are the New Vegas launcher and the New Vegas executable – both of which appear to be the real thing and non infectious.

The 200+ MB update file, however…

Whoops.

It appears we have Alureon in our midst, and Alureon isn’t a particularly nice thing to have on your PC – username / passwords and credit cards are fair game, click fraud is a possibility and that’s before we get to the rootkit aspect.

You can witness someone having a bit of a nightmare post infection on a Swedish help forum – not a situation you really want to be in.

The file dropped by the update is doing well in terms of VirusTotal scores, with a 35/42 detection rate, and we detect this as Trojan.Win32.Generic!BT. You can see some information on staying safe with torrents on the InfoCarnivore website, although as this game update appears to be a designed for users running cracked versions of Steam games you’re sailing close to the wind in terms of “What did you expect”?

Ladies and Gentlemen, Alureon has left the building. Hopefully it won’t be back for a while…

Christopher Boyd (Thanks to Adam Thomas for additional research).

The GFI Malware Minute video is available for your viewing pleasure on the GFI-Labs YouTube channel (and below).

Malware Minutes are short videos (1-2 minutes) that provide a weekly roundup of top stories from the GFI-Labs Blog, the GFI- Rogue Blog and anything else we think might be of interest.

This week: distressed traveler scam, Nigerian phishing scam, fake free VPN and .edu forum spam.

Tom Kelchner

“Facebook” revolutions? Or just revolutions?

The demonstrations that are roiling countries in North Africa and the Middle East are being extensively broadcast: on various social media channels.

In Manama, Bahrain, apparently peaceful demonstrations in Pearl Square have followed fatal police shootings of two demonstrators yesterday.

If you do just a bit of searching, the amount of data and photography contributed by the crowdsourcing is vast. You can follow the action pretty much as it happens on the Twitter channel #PearlRoundabout where a number of people are photographing the demonstrations and posting their observations and links to the photos on yfrog.com and plixi.com, among other places.

Here are some photos from Pearl Square that were posted about 10 a.m. (EST) this morning (click on photos to enlarge):

 
http://yfrog.com/h0nhwrfj

http://plixi.com/p/77586539

http://yfrog.com/h4y1bvrj

And Twitter traffic on #PearlRoundabout gives a up-to-the-minute narrative of onlooker’s observations.

 

(The New York Times was carrying estimates of “more than 10,000”  )

 
The open question is: to what extent are the crowds being organizing through social media channels? Are these “Facebook revolutions” or just your old garden variety revolutions?

Tom Kelchner

Social media: more power than we thought

There are news stories today of demonstrations building in at least five Middle Eastern or North African countries in the wake of “Facebook” revolutions that brought down the leaders of Tunisia and Egypt. New stories on the web are being updated rapidly in many cases.

In general, the demonstrators are protesting their poverty and want to topple governments that fix elections, rule autocratically and make themselves, family members and friends rich through corrupt rule. Hot spots include:

Algeria

Monday the government of Algeria announced that it would end the state of emergency that has been in effect there since 1992. Demonstrators have filled the country’s capital of Algiers and clashed with police. Clashes have also been reported in Annaba in the east of the country, according to the Times of India.

Armenia

Armenian authorities are monitoring Internet traffic looking for such terms as “revolution” and “rally” as the Armenian National Congress (HAK) organizes a rally February 18th, to protest the rigged presidential elections two years ago, according to The Armenian Observer Blog.

The blog said dozens of HAK supporters have been posting the word “revolution” in their Facebook statuses in protest.

The AllFacebook site (not part of Facebook) said the number of Armenians on Facebook doubled in the past six months. Only about four percent of the country uses it, however.


Bahrain

Security forces in Bahrain have used tear gas and rubber bullets against protesters in several villages today. The protesting groups (largely Shiite”) have declared a “Day of Rage” to protest lack of democratic reform by Sunni rulers, according to Voice of America’s web site.

King Hamad bin Isa al-Khalifa recently gave every Bahraini family $2,600 and larger food subsidies. Yesterday his government also said it would reduce state control over the media industry and expand freedom of the press, VOA said.

Iran

Iranian leaders have sent security personnel into the streets to use riot sticks and tear gas on scattered groups of protestors. They also placed under house arrest two opposition figures, Mir Hossein Mousavi and Mahdi Karroubi, according to the Jerusalem Post.

Yemen

About 2,000 people are demonstrating against Yemeni President Ali Abdullah Saleh in the country’s capital of Sanaa. It’s the fourth day of protests there, according to Deutsche Press-Agentur.

Tom Kelchner

There seems to be a rather nasty spamrun taking place on many .edu sites hosting forums at the moment. Filtering out lurid trackback spam and genuine .Edu articles about pornography in various search engines reveals pages and pages of forum spam, dubious keywords and sites that currently look like this:

Click to Enlarge

As you can imagine, the shot above is one of the tamer spamruns.

Elsewhere, you have the kind of pages that induce headaches for bloggers hovering their fingers over the “blank this out” key:

Click to Enlarge

Notice that 45 people have hit the “Like” button – I’m hoping those are spam accounts and not regular forum users.

Most of this seems to have kicked in since around the 4^th or 5^th of February, and there doesn’t seem to be much in the way of spam control or preventative measures going on right now so please be careful if looking around your University forums, official or otherwise. While not everything in the below screenshot is related to this spamrun, it should give you an idea of the kinds of things in circulation:

Click to Enlarge

The sites currently being targeted desperately need to take control of the situation – if things continue as they are, I can’t imagine many users being persuaded to stick around…

Christopher Boyd

A VPN can be a wonderful thing, if you have one. If not, there are a wide range of free / paid services out there – the problem is knowing which ones are legit and which ones, er, aren’t so legit. Another issue is that free / paid VPN services can vanish quite quickly – on any given list, you tend to find entries scored out or mentioned services flatlining without warning.

With that in mind, let’s take a look at a free service.

Click to Enlarge

The free trial plans sound good, fast server speed is always a bonus and MIA serverlogs / ISP logs ensure you’ll be flying under the radar with a total lack of personal information straying into parts unkno-

Click to Enlarge

…surveys? Offers? Downloads? Entering emails, zipcodes and more besides to access a “secret page”?

Click to Enlarge

Oh dear.

Signing up to Macbook competitions, gucci boot giveaways and sparkly Twilight graphics seems a little at odds with what’s on offer here, much like this example from a little while ago.

Is there anywhere a CPAlead popup doesn’t appear these days?

Christopher Boyd

 Many news sources have mentioned in passing the use of social media channels in organizing the nearly three weeks of demonstrations throughout Egypt that led to the resignation of the country’s president Hosni Mubarak earlier today.

One can be sure that the use of Facebook and Twitter and other SM in organizing the efforts will be studied for a while. The Twitter channel #Jan25 was at least one point of contact that protesters used. Today it is carrying massive traffic as the celebrations sweep the nation of 80 million. We noticed nearly 5,000 tweets in about half an hour.

Earlier we blogged about the five-day Internet blackout that the government attempted:

 “Experiment over: Egypt is back on line”

“Egypt’s government turns off the Internet – An experiment in non-communication.”

It isn’t clear why Mubarak’s administration told providers they could go back on line. A five-day Internet blackout must have been quite damaging to commerce in the country even though the Egyptian stock exchange was allowed to remain on line.

Does this mean a countrywide “kill switch” is not an option — even in the face of a major revolution — because the Internet is now too vital to normal life?

What did the Egyptian protesters learn about organizing via social media from their  peers in Tunisia who organized a similar uprising with similar results?

What did the Egyptian protesters learn that future protesters will use?

Tom Kelchner

Vote VIPRE

VIPRE Antivirus has been selected as a finalist for Best Windows Antivirus in the 2011 About.com Reader’s Choice awards.

Voting opened today (February 11) and will run through March 8. The winner will be announced March 15.

Tom Kelchner

Industry vet has nearly 30 years experience in channel sales

GFI Software today announced the appointment of Patricia “Pat” Hume as senior vice president of worldwide sales. Reporting directly to GFI CEO Walter Scott, she will expand GFI’s worldwide channel sales program.

Scott said: “Pat Hume is a respected industry veteran with chronicled success building and growing profitable sales programs at some of the largest technology companies in the world. We look forward to having her extensive experience and leadership guiding and expanding our global network of partners and customers.”

Prior to GFI, Hume held two positions at SAP and started as global senior vice president of channel sales for small/medium enterprises. After two years in that position, she was promoted to senior vice president of all indirect sales. Before SAP, Hume was with Avaya where she oversaw global channel sales for small/medium enterprises and was quickly promoted to Group Vice President of the SME Division.

Hume began her career at IBM where she held management positions in research and development, marketing, sales and channel sales. After 17 years at the company she was named vice president of business partner sales and marketing for IBM’s Lotus Division.

Hume said: “GFI is poised for success and it presents to me the opportunity I was seeking. The prospect of working closely with Walter Scott and the GFI team made this an easy decision.”

Tom Kelchner

Scam clue #1: FBI personnel can probably write proper English

Alert reader Brian in GFI Business Customer Support forwarded this gem:

From: Sean Dean. [mailto:Sean.Dean@Fbi.gov.us]
Sent: Thursday, February 10, 2011 5:00 AM
To: xxxxxxxx
Subject: Payment Codes: R5109176K

Federal Bureau of Investigation
FBI Seattle Division
1110 Third Avenue
Seattle, Washington 98101-2904

Payment Codes: R5109176K
Reg No: 132731593
Date: February 09, 2011

The Federal Bureau of Investigation (FBI) has discovered through our intelligence Monitoring Network, that you have an on going transaction with a Financial Institution in Nigeria, as the owner of 7.500,000 United State Dollar.

Therefore, the FBI Seattle Division in conjunction with the Economic and Financial Crimes Commission (EFCC), Has screened through our various Monitoring Networks and has been confirmed and notified that the transaction you have with the Financial Institution is Legal and you have the Lawful Right to claim your due fund. We advise you to go ahead with the transaction as we are monitoring all their services and networks. Be advised that any letter or claims notification received from anybody or company should be forwarded to us with immediate effect.

Meanwhile, you are advised to follow the procedure of the Financial Institution. They have their own legal procedure which we have examined and confirmed legal. Follow their instructions while you keep us updated for more details. You are advised to contact the necessary office for more details of transfer as we are monitoring every move now.

Please, be advised and be aware that your funds had been insured and the necessary charges would be taken care of by you, as confirmed by the Monitoring network. For your own good you are advised to confirm any transaction or lottery promo you have either involved yourself with in the past to enable us trace this scammers. Only the Financial Institution has been confirmed Legal any other are still under investigation, and so many others are scam, most especially from Nigeria and Africa.

Please contact the Head of Operations Dr. Tolu Williams, Central Bank of Nigeria.

Dr. Tolu Williams (Head of Operations)
International Remmitance Department
Telephone: +234 808 089 0964
Fax: +234 1 473 5623
Email: central_desks@live.com

Provide him with the information below for verification:

Your name:…………………….
…………………
Residential Address:……………………………
Telephone number:……………………………..

If you need to contact me at any stage please do not hesitate to call (206)350-6981.

Sincerely,

Steven M. Dean (Assistant Special Agent-in-Charge)

One hopes the hilariously bad spelling, punctuation, grammar and capitalization in this thing warn any recipient that it just might not be genuine.

Tom Kelchner

Adobe has issued patches to fix a number of vulnerabilities in:

— Adobe Reader X (10.0) for Windows and Macintosh;
— Adobe Reader 9.4.1 (and earlier) for Windows, Macintosh and UNIX
— Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh.

The vulnerabilities could crash the applications and enable an intruder to take control of the system. Adobe Reader X are protected from some vulnerabilities by Protected Mode mitigations.

Updates available:

— Adobe Reader X (Windows and Macintosh) update to version 10.0.1),
— Adobe Reader 9.4.1 (UNIX) update to Adobe Reader 9.4.2 (available February 28)
— Adobe Reader 8.2.6

Tom Kelchner

Microsoft has issued 12 security bulletins making fixes in Windows, Office and Internet explorer.

MS11-003 — Cumulative Security Update for Internet Explorer
Critical (Remote Code Execution)
Microsoft Windows, Internet Explorer

MS11-004 — Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution
Important (Remote Code Execution)
Microsoft Windows

MS11-005 — Vulnerability in Active Directory Could Allow Denial of Service
Important (Denial of Service)
Microsoft Windows

MS11-006 — Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution
Critical (Remote Code Execution)
Microsoft Windows

MS11-007 — Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution
Critical (Remote Code Execution)
Microsoft Windows

MS11-008 — Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution
Important (Remote Code Execution)
Microsoft Office

MS11-009 — Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure
Important (Information Disclosure)
Microsoft Windows

MS11-010 — Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-011 — Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-012 — Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-013 — Vulnerabilities in Kerberos Could Allow Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

MS11-014 — Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege
Important (Elevation of Privilege)
Microsoft Windows

Tom Kelchner

It appears we have “a bit of thing”.

FIFA Ultimate Team is a free to download football strategy game that involves using in-game money to purchase the best players then conquer the known universe (or at least a couple of other football teams). From the looks of it, scammers are jumping on the popularity bandwagon to swipe some EA accounts (and potentially console specific gamertags that may be tied to said EA accounts).

Examples:

Click to Enlarge

Above, we have a standard phishing page (and a popular template to use, from a quick scout around the web). It isn’t long before the scammers get creative…

Click to Enlarge

More like “Please allow up to 48 hours so I can change all your login details and steal your stuff”.

Click to Enlarge

“Send me your logins. Thanks”.

Click to Enlarge

Ah, Ye Olde Coin Generator. That couldn’t possibly fail to work!

Most of the fake logins out there seem to involve claims of “star player duplication” and free money, so you may want to avoid those (and anything else that’s too good to be true).

EA are to be commended for putting up a really good information page on this wave of phishing, along with clear examples of what to look out for – hopefully that should go some way to keeping a few more accounts locked down.

Christopher Boyd

This wandered into a spamtrap last night, and you should consider firing it into the heart of the Sun:

“Am sorry for not informing you about my propose trip to UK and presently I’m writing this with tears in my eyes,my family and I came down here to Cardiff,United Kingdom for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off us but luckily for us we still have our passports with us.

We’ve been to the embassy and the Police here but they’re not helping issues at all and our flight leaves in less than 3hrs from now but we’re having problems settling the hotel bills and the hotel manager won’t let us leave until we settle the bills.

Am freaked out at the moment,

Judy.”

Thanks, random person I’ve never met before!

Cardiff: where muggings prompt unsolicited emails and hotel managers chain you to your room until bills are settled. Or not (it’s actually a nice place, they film Doctor Who there and everything).

Christopher Boyd