Modern Phishing: The Art of Warfare


XBox Live currently has a warning issued in relation to “phishing attacks” in the Modern Warfare 2 game. However, information is frustratingly thin on the ground leading to much confusion as to what the attack is, how it takes place, what to avoid and so on.

Things I have seen in the past:

* Social engineering attempts in a game session. The attacker picks a game full of distractions – Left 4 Dead, for example – then gets talking to their random team mates. You’d be surprised how easily people let their guard down in relation to password reset questions while filling hordes of the undead with shotgun pellets.

* A hack that enabled users to temporarily change their gamertag while in a gaming session. This meant attackers would look at publicly available lists of Gamertags used by game developers, then jump into those titles and pretend to be said game dev. At that point, the “give me your login and I’ll give you a sparkly machine gun” messages started to flow thick and fast. Of course, not everyone using this glitch tried to phish people (warning: swear words, as you probably expected).

This time around, it looks like a particular game mod gives users lots of crazy abilities, but (from a quick scan of Youtube and elsewhere) also allows them to post chat messages onscreen, and they look like the kind of messages that are posted in certain games by developers every now and then:


Posting links to URLs ingame? Oh my. I could be wrong, but if anything screams out “Danger Will Robinson” this would probably be it. Hopefully Infinity Ward and / or Microsoft can patch this one up asap.

For now, keep in mind that you should NEVER give out your login credentials ingame.

You won’t get a sparkly machine gun for your efforts…

Christopher Boyd

Obama, birth certificates and Rogue AV


You probably saw that whole “Obama birth certificate” thing yesterday.

You’re also aware this means hunting around for pictures of his birth certificate is going to result in Rogue AV files popping up.

The first page of Google Image Search:


That one in the middle was (until a little while ago) using a java exploit to install the Security Shield rogue.


You may want to avoid both tdssdt45(dot)cz(dot)cc and lopasana32(dot)cz(dot)cc. VirusTotal currently gives us 10/42, and we detect it as FraudTool.Win32.MSRemovalTool.ek!a (v).

Elsewhere, we have more rogue action – our old friend bestrxfinder(dot)com served up another search engine site, topdaofinder(dot)com, which directed the end-user to freemobilescannerprotection(dot)com after clicking on a search result. You wanted a birth certificate, you ended up with XP Anti-Spyware 2011.


Whoops. We catch that one as FraudTool.Win32.FakeRean.d(v). Big news stories will always result in a wave of Rogue AV in both regular search and image links, so be careful where you click (as much as you possibly can, at any rate).

Thanks to Matthew, Adam and Patrick.

Christopher Boyd

A Mass(ive) Effect

Nothing says “whoops” like having anything up to 77 million of your userbase seeing their personal information (and possibly credit card data) stashed in a bag and hurled out the window, which is a shame because that’s exactly what’s happened to SONY.

The Playstation Network has been offline for days, and only now has the reason come out: someone accessed things they shouldn’t have done, and that person has been rummaging around behind the scenes.

While this is indeed a “very bad thing”, some points to consider:

* Is it even remotely possible that the person responsible was able to grab all the data on 77 million people and save it all somewhere in the short time they had available to do so? I would hope this is up there at the top of the “unlikely” scale, and the actual affected number is much lower.

That’s still bad for those affected, though.

* I’m seeing a lot of panic in relation to credit card details. If you feel your card data isn’t safe anymore, by all means jump into the (likely very large) queue in your bank and cancel it.

* Many people register on game networks and change bits and pieces of information, card details, security questions and everything else. As the PSN is currently offline, there’s no way for anybody who is unsure what data is stored to check what they have in there. As a result, you may want to go change your password reset questions on unrelated accounts along with passwords shared across different accounts too.

You don’t use the same password on different accounts anyway though, right?

Elsewhere, we have phishing attempts on XBox Live and the news that previously banned consoles may be having certain functionality restored.

Is this the videogame apocalypse? Who knows, but this probably wouldn’t have happened if you’d all stuck with your Dreamcasts. Have some information on console hacking and scams either way and stay safe.

Christopher Boyd

Malware goes to Hollywood


Celebrities and Hollywood gossip sites. Can’t say I frequent them very much, but if I did, I’d probably see something similar to karibyron-hot(dot)cz(dot)cc.


Beyond the images of people walking away from explosions in slow motion and photographs of actors I’ve never heard of, there are videos lurking further down the page. What do you think happens if the end-user tries to watch them?

This:


It seems there’s an error connecting to the server, and you need to go watch the video on “ExclusioTube”, which is surely one of the better YouTube style names I’ve seen.

Presenting Exclusiotube(dot)usa(dot)cc:


If you want to see the “hot Kari Byron video”, you have to update your Flash Player.

Imagine the dismay of the end-user when they realise Kari has turned into a rogue security program.

She probably won’t sign any autographs, either…

Christopher Boyd (Thanks to Patrick Jordan for finding this one)

Kate Middleton has a blog, and some Fake AV


Ah, Kate. When she isn’t waving at babies, mingling with the commoners or appearing on Tumblrs she likes to set down some thoughts on her blog located at katemiddleton997(dot)typepad(dot)com:


She also wants you to check out her movie clip. Unfortunately, this movie clip can’t be viewed unless you update your version of Flash. Alarm bells ringing yet?


I’m not entirely convinced legit installs of Adobe Flash Player come from pornmovie(dot)cz(dot)cc, but in the mad dash to see some rich people larking about with money you’ll actually end up with AntiVirus AntiSpyware 2011 on your computer:


Reports that every tenth install comes with a Wills & Kate towel set are unconfirmed, but you definitely don’t want to commemorate the wedding with a Fake AV program.

Christopher Boyd (Thanks Patrick)

A collection of Royal Wedding fakeouts


Oh dear, that whole Royal Wedding thing is attracting internet weirdness.

I’ll list a few of the newest examples here, and update this post with any further ones we come across.

Straight off the bat, we walk into “dubious Youtube video central” with some of these:


Good old Wills and Kate, contributing to the sale of iPads everywhere. At least they would be, if all of the linked sites were actually online. Even better, one video actually presents us with this guy:


You couldn’t make it up.

Elsewhere we have video footage of the wedding, which is pretty impressive considering it hasn’t actually taken place yet.


All you get for your troubles and your clickthroughs is someone asking you to buy something.


Thanks for that, free video from the future guy!

As we’ve already seen, Fake AV is going to be a feature of this one and we’ll probably see some malware related fun and games further down the line. If you’re at all interested in royalty, weddings and people having lots and lots of money then please be careful when hunting for commemorative plates and bunting or whatever.

Christopher Boyd

Fake AV? We are not amused


The Royal Wedding is going to spring into action on the 29th April, and Fake AV scans are starting to show up in relation to the “Big Day”. As a result, you might want to think twice before looking for jellybeans bearing the visage of Kate Middleton or strange turnips that look a bit like the future King of England when held at the right angle.

The culprit here is our search engine “friend” from this entry regarding Easter card searches.

Rummaging around for Royal Wedding sites will start off well enough, with a collection of normal looking search engine results:


Clicking those links could be hazardous to your health, as redirects to fake AV sites such as documentscannerprotectionfree(dot)com will swing into action.


In this instance, XP Antispyware will be the prize awarded to anybody not running in the opposite direction.


There are also search results leading to Fake AV when hunting for wedding dresses, and you bet that pretty much every search term under the Sun between now and the wedding day will be a target for SEO poisoning.

Weddings, eh?

Christopher Boyd (Thanks to Patrick Jordan for finding this one).

Vanessa Hudgens scandal sites are scandalous


Vanessa Hudgens: not very good in Sucker Punch, but wonderful for spreading rogue AV and other nonsense on a number of cut and paste blogs.

Many of these blogs appear to be hosted on Typepad, usually taking the form of “celebrity name + random numbers(dot)typepad(dot)com”. Typically, the end user will stumble upon these sites by searching for things like “Vanessa Hudgens scandal site”, then wander into a collection of redirects, porn adverts and rogue AV installers.

For example, vanessahudgens507(dot)typepad(dot)com.


Hitting the links provided will bounce the user through a chain of websites until they arrive at a rogue AV scan located at hardscanerjupm(dot)cz(dot)cc.


Depending on geographical location, the user may instead end up on a “My eyes, the goggles do nothing” style porno site which I’m sure will look very fetching in their browser history.

Elsewhere, we have various downloads up for grabs that you’re probably better off not grabbing. For example, becjjruhvx(dot)typepad(dot)com/blog.

Downloading a crack from some random website? Yeah, that’s going to end well.

Or not.

VirusTotal currently pegs that one at 10/41, and we catch it as virtool.win32.obfuscator.da!e (v). If you’re wondering, it’s a Trojan that typically installs DNS Changer and other junk depending on how badly the attacker wants to mess up your PC.

Here’s another one, found at latrinal(dot)typepad(dot)com:


You really don’t want any of this on your computer. Treat blogs with celebrity name / random number mashups in the URL with suspicion, and steer clear of keygen / cracks while you’re at it.

You knew that already though, right?

Christopher Boyd (thanks to Adam Thomas and Patrick Jordan for finding the above)
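The post above leaves the reader with two practical habits: the hostnames are written in “(dot)” notation so they are not clickable, and the suspicious blogs follow a “celebrity name + random numbers” pattern on typepad.com. As an added example that is not part of Christopher Boyd’s post, here is a small Python helper that turns such indicators back into plain hostnames for matching and applies that naming pattern as a triage heuristic. The regular expression, the function names and the “pattern-match” / “manual-review” verdicts are my own assumptions; the indicator list is copied from the post.

```python
import re

# Indicator notation used throughout the post: "example(dot)com" is written with
# "(dot)" so the address is not clickable. refang() restores a real hostname for
# matching; defang() does the reverse so results can be reported safely.
DEFANGED_DOT = re.compile(r"\(dot\)", re.IGNORECASE)


def refang(indicator: str) -> str:
    """'vanessahudgens507(dot)typepad(dot)com/blog' -> 'vanessahudgens507.typepad.com'."""
    host = DEFANGED_DOT.sub(".", indicator.strip()).lower()
    return host.split("/", 1)[0]  # drop any path such as /blog; we only match hostnames


def defang(hostname: str) -> str:
    """Opposite of refang(), for writing hostnames into a report or ticket."""
    return hostname.replace(".", "(dot)")


# Heuristic taken from the post (assumed regex): an alphabetic "name" immediately
# followed by a run of digits, as a subdomain of typepad.com.
CELEB_NUMBER_RE = re.compile(r"^(?P<name>[a-z]+)(?P<digits>\d{2,})\.typepad\.com$")


def looks_like_celeb_number_blog(hostname: str) -> bool:
    """True when the hostname fits the 'celebrity name + random numbers' shape."""
    return CELEB_NUMBER_RE.match(hostname) is not None


def triage(indicators):
    """Map each refanged hostname to a verdict (labels are my own choice)."""
    verdicts = {}
    for raw in indicators:
        host = refang(raw)
        verdicts[host] = "pattern-match" if looks_like_celeb_number_blog(host) else "manual-review"
    return verdicts


# Hostnames quoted in the post, in the post's own defanged form.
POST_INDICATORS = [
    "vanessahudgens507(dot)typepad(dot)com",
    "katemiddleton997(dot)typepad(dot)com",
    "becjjruhvx(dot)typepad(dot)com/blog",
    "latrinal(dot)typepad(dot)com",
    "hardscanerjupm(dot)cz(dot)cc",
]

if __name__ == "__main__":
    for host, verdict in triage(POST_INDICATORS).items():
        print(f"{defang(host):45s} {verdict}")
```

Running it shows the limit of the heuristic as well as its use: vanessahudgens507 and katemiddleton997 are flagged, but becjjruhvx and latrinal (both also from the post) have no trailing digits and fall through to manual review, as does the cz.cc rogue AV host. The pattern is a first filter for a queue, not a verdict on its own.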

Easter Cards: More Rogue AV


Looks like we have more shenanigans involving rogue AV products and Easter.

Patrick Jordan found this one lurking a few days ago, after searching for Easter Cards at bestrxfinder(dot)com and hitting one of the links served up:


The rogue AV URL in this instance is antiviscannermuslim(dot)com. Note that the rx website was listed in January in relation to PDF exploits. Elsewhere there are malicious emails doing the rounds – the Easter scams are in full swing so be careful.

Christopher Boyd
