
Friday, June 24, 2011

Advanced Zeus Trojan Hits Polish ING Customers

A version of the Zeus malware that intercepts one-time passcodes sent by SMS (Short Message Service) is targeting customers of the financial institution ING in Poland.

IDG News Service — The security vendor F-Secure blogged on Monday about the issue, which was analyzed on the website of security consultant Piotr Konieczny.
F-Secure wrote that it appears to be the same style of attack found by the Spanish security company S21sec last September, which marked a disconcerting evolution in Zeus, one of the most advanced banking Trojans designed to steal passwords.
Zeus has changed its tactics, since some banks are now using one-time passcodes sent by SMS to authorize transactions performed on a desktop machine. First, attackers infect a person's desktop or laptop. Then, when that person logs into a financial institution such as ING, it injects HTML fields into the legitimate Web page.
Those fields ask for a person's mobile phone number and the model of their phone. When that information is entered, the attacker sends an SMS leading to a website that will install a mobile application that intercepts SMSes and forwards messages to another number controlled by the attackers. The Zeus mobile component will work on some Symbian and Blackberry devices.
Once that setup is complete, the attacker can simply do a transfer whenever it is convenient, such as when an account has just received a deposit. An attacker can log onto the account, receive the SMS code and begin transferring money.
ING officials contacted in the Netherlands on Monday afternoon did not have an immediate comment.
The SMS ability of Zeus has prompted vendors such as Cloudmark to warn that SMS spam -- or SMS messages designed to enable other malware -- is a growing threat. Cloudmark sells a system to operators that analyzes SMS messages and can filter ones that have spam or other offensive content.
Copyright 2010 IDG News Service, International Data Group Inc. All rights reserved.

Thursday, June 23, 2011

Online banking hit by thieves

A new Trojan dubbed "OddJob" is stealing people's money by taking over their online banking sessions after they think they've logged off.
The Trojan, which targets Windows-based computers, is being used by criminals in Eastern Europe to steal money from accounts in the United States, Poland, and Denmark, Amit Klein, chief technology officer of Trusteer, writes in a blog post today.
Klein said in an e-mail that he could not identify the banks being targeted or provide an estimate on the number of victims.
"It is early days for this malware," he said. "It appears to be a work in progress, so we expect the code to become more sophisticated over time."
The Trojan intercepts communications that customers have with banking sites via Internet Explorer or Firefox, stealing or interjecting information and terminating user browser sessions when done, Trusteer said.
When a bank customer is on the bank site, the Trojan takes advantage of the session ID token to impersonate the customer, riding the coattails of the existing authenticated session. It then bypasses the logout request of the customer so that the session is not actually terminated when the customer thinks he or she is logging out.
To avoid triggering security software, the malware's configuration is not saved to disk, but a fresh copy is fetched from the command and control server each time a new browser session is opened.
Web surfers can protect themselves by installing software security updates, refraining from clicking on URLs in e-mail messages, and using software that secures Web access, like Trusteer's Rapport product, the company said.

Beware enticing Bieber links, free offers on Facebook
A clickjacking attack on Facebook lures victims in with purported video and then surreptitiously "likes" the post, spreading it further.

Old scams hiding under new headlines were circulating on Facebook this week, including promises of video involving obsessed Justin Bieber fans.

"I can't believe a GIRL did this because of Justin Bieber," says the post that has been appearing on Facebook walls and status updates.

Clicking the link leads to a fake YouTube-looking page that says "Please Watch this video only if you are 16 years or older," according to an M86 blog post. Hidden behind the video window is an iframe linked to Facebook so that clicking anywhere in the window will submit a "like" click to the page and spread the post on the victim's Facebook page. This is a standard clickjacking attack that is taking advantage of a current hot topic--the teen singer.

The scam doesn't stop there. A fake Facebook dialog box also pops up that asks the victim to verify his or her age by completing a survey with links to sites relating to auto insurance, according to M86.

Facebook was able to stop this scam fairly quickly, but not before it had garnered more than 20,000 likes. Other variants of the scam were spreading, M86 said.

Separately, scammers had rehashed some scams involving offers of free iPads, free Southwest Airlines tickets, and a Miley Cyrus-related video link via posts on the site and e-mail messages. It's unclear exactly how those scams worked and if they involved clickjacking.

Clickjacking prompts a victim to click something while a different action is taken behind the scenes. It takes advantage of a vulnerability in a Web browser and is not specific to Facebook.
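The control that the overlaid "like" page above was missing is a declaration to the browser of who may put it inside a frame. As an added example, not code from the article, Facebook or M86, here are the response headers a sensitive page should send and a simplified matcher for the CSP `frame-ancestors` directive, so the decision can be unit-tested without a browser. The policy grammar is a subset of the real directive and the hostnames are constructed placeholders.

```javascript
// Added example (not from the article): anti-framing headers and a simplified
// CSP frame-ancestors matcher. Hostnames are constructed placeholders.

// Response headers for a page that must never be framed cross-origin.
// X-Frame-Options is the older header; frame-ancestors is its CSP successor
// and wins in browsers that understand both.
function frameProtectionHeaders(allowedAncestors = []) {
  const sources = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  return {
    'X-Frame-Options': allowedAncestors.length ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': `frame-ancestors ${sources}`,
  };
}

// Split a source expression such as "https://*.partner.example:8443" into parts.
function parseSource(source, defaultScheme) {
  let scheme = defaultScheme;
  let rest = source;
  const i = source.indexOf('://');
  if (i !== -1) {
    scheme = source.slice(0, i);
    rest = source.slice(i + 3);
  }
  const [host, port] = rest.split(':');
  return { scheme, host, port: port || null };
}

// Does one source expression match the origin of the would-be embedder?
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  const ancestor = new URL(ancestorOrigin);
  const ancestorScheme = ancestor.protocol.replace(/:$/, '');
  const src = parseSource(source, ancestorScheme);
  if (src.scheme !== ancestorScheme) return false;
  if (src.host.startsWith('*.')) {
    // A wildcard covers subdomains only, never the bare parent domain.
    const suffix = src.host.slice(1);
    if (!ancestor.hostname.endsWith(suffix) || ancestor.hostname.length <= suffix.length) {
      return false;
    }
  } else if (src.host !== ancestor.hostname) {
    return false;
  }
  const defaultPort = { https: '443', http: '80' }[ancestorScheme] || '';
  const ancestorPort = ancestor.port || defaultPort;
  return src.port === null || src.port === ancestorPort;
}

// Decide whether a page served with `policy` may be framed by `ancestorOrigin`.
// With no frame-ancestors directive the browser imposes no restriction, which
// is exactly the state a clickjacking victim page is in.
function frameAncestorsAllows(policy, ancestorOrigin, selfOrigin) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (!directive) return true;
  const sources = directive.split(/\s+/).slice(1);
  return sources.some((s) => sourceMatches(s, ancestorOrigin, selfOrigin));
}

// Example: a page that performs an action on click only ever allows its own origin.
const likePageHeaders = frameProtectionHeaders(["'self'"]);
```

`frameProtectionHeaders()` returns the two headers to pass to whatever writes the response (for a Node `http` server, the object handed to `res.writeHead`). The matcher is deliberately stricter than the real directive in one respect: it does not treat an `http:` source as matching an `https:` embedder, so a policy has to name the scheme it means.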

If you see a potential or obvious scam on Facebook report it to the person whose account is spreading it, M86 said. The NoScript Firefox plug-in protects against clickjacking attacks such as this, it added.

Because clickjacking exploits a browser weakness, Facebook can't technically prevent it completely, a Facebook spokesman said. "We continue to build additional protections to mitigate its impact," he said in an e-mail. "We're also involved in discussions with others in the industry on how to fix the underlying issue on the browser side."

Facebook users should be suspicious of anything that looks or feels strange, even if it has been posted by a friend. Facebook offers tips for how to recognize and avoid clickjacking on the "Threats" tab of the Facebook Security Page here.

The company also has developed automated systems to detect and flag Facebook accounts that are likely to be compromised based on suspicious activity like lots of messages sent in a short period of time or messages with links that are known to be bad. Once Facebook detects a phony post it is deleted across the site. The company blocks malicious links from being shared and works with third parties to get phishing and malware sites added to browser blacklists or taken down. And Facebook displays warnings when people click on a link that has been identified as malicious from an e-mail notification.

Here are some basic safety tips for using Facebook or any site on the Web:

• Use an up-to-date browser that features an antiphishing blacklist.

• Choose unique log-ins and passwords for each of the Web sites you use.

• Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.

• Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional log-in.

WordPress hit by 'extremely large' DDoS attack

Blog host WordPress.com was the target of a distributed denial-of-service (DDoS) attack earlier today described by the company as the largest in its history.

As a result, a number of blogs--including those that are a part of WordPress' VIP service--suffered connectivity issues. That includes the Financial Post, the National Post, TechCrunch, along with the service's nearly 18 million hosted blogs.

According to a post by Automattic employee Sara Rosso on the company's VIP Lobby (which had been down at the time of the attacks, though was archived by Graham Cluley over at Naked Security), the size of the attack reached "multiple Gigabits per second and tens of millions of packets per second." Rosso had also said putting a stop to the attack was "proving rather difficult."

Rosso had also said the company would be handling its VIP sites ahead of general users.

Denial-of-service attacks are designed to overwhelm Web sites with requests, effectively shutting them down. The ones that are distributed present a much larger challenge to combat, since they can come from a wider variety of networks and hosts.
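To put numbers on why distributed floods are harder to combat, here is an added example, not code from WordPress, Automattic or the article: a per-source token-bucket limiter of the kind a front end uses to shed excess requests. It is not a cure for a multi-gigabit flood, which has to be absorbed upstream, but it shows the asymmetry directly: one source sending everything is throttled hard, while many sources each sending a little all slip through. Rates, addresses and the injectable clock are constructed.

```javascript
// Added example (not from the article): per-source token-bucket rate limiting
// and a comparison of single-source versus distributed floods. Constructed values.

class TokenBucketLimiter {
  constructor({ ratePerSec, burst, now = () => Date.now() }) {
    this.ratePerSec = ratePerSec; // steady-state requests per second per source
    this.burst = burst; // bucket capacity: how much a source may send at once
    this.now = now;
    this.buckets = new Map(); // source -> { tokens, last }
  }

  // Admit the request if the source's bucket holds a token, refilling first.
  allow(source) {
    const t = this.now();
    let b = this.buckets.get(source);
    if (!b) {
      b = { tokens: this.burst, last: t };
      this.buckets.set(source, b);
    }
    const elapsedSec = (t - b.last) / 1000;
    b.tokens = Math.min(this.burst, b.tokens + elapsedSec * this.ratePerSec);
    b.last = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return true;
    }
    return false;
  }

  // Drop buckets idle longer than maxIdleMs so the limiter's own state does
  // not grow without bound under a flood from never-repeating sources.
  sweep(maxIdleMs) {
    const t = this.now();
    let removed = 0;
    for (const [source, b] of this.buckets) {
      if (t - b.last > maxIdleMs) {
        this.buckets.delete(source);
        removed += 1;
      }
    }
    return removed;
  }
}

// Feed a list of { source } requests through the limiter and tally the outcome.
function runFlood(limiter, requests) {
  const result = { allowed: 0, dropped: 0 };
  for (const { source } of requests) {
    if (limiter.allow(source)) result.allowed += 1;
    else result.dropped += 1;
  }
  return result;
}

// Compare a single-source flood with the same volume spread across many sources.
function demonstrate() {
  let clock = 0;
  const make = () => new TokenBucketLimiter({ ratePerSec: 10, burst: 20, now: () => clock });
  const fromOne = () => Array.from({ length: 100 }, () => ({ source: '203.0.113.7' }));

  // One client sends 100 requests in the same instant: only the burst gets through.
  const single = runFlood(make(), fromOne());

  // 100 clients each send one request: every one is under its own limit.
  const distributed = runFlood(
    make(),
    Array.from({ length: 100 }, (_, i) => ({ source: `198.51.100.${i}` })),
  );

  // The single client tries again one second later and gets only the refill.
  const limiter = make();
  runFlood(limiter, fromOne());
  clock = 1000;
  const afterRefill = runFlood(limiter, fromOne());

  return { single, distributed, afterRefill };
}
```

The distributed case is the one that matters: the limiter admits all 100 requests because, per source, each is well within policy. Keying on source address therefore buys nothing against a botnet that spreads load across thousands of hosts, which is why the WordPress-scale attacks described above are handled with upstream capacity and traffic scrubbing rather than per-client throttles.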

Update at 10:35 a.m. PT: In an e-mail to CNET, WordPress founder Matt Mullenweg said the attack had affected three of the company's data centers, and was the largest it has seen in the company's six-year history. Mullenweg also said that the attack "may have been politically motivated against one of our non-English blogs," but that that detail had not been confirmed. Full e-mail below:

There's an ongoing DDoS attack that was large enough to impact all three of our data centers in Chicago, San Antonio, and Dallas--it's currently been neutralized but it's possible it could flare up again later, which we're taking proactive steps to implement.

This is the largest and most sustained attack we've seen in our six-year history. We suspect it may have been politically motivated against one of our non-English blogs but we're still investigating and have no definitive evidence yet.

The company has also posted a notice on its product uptime status blog:

Anonymous Denies Hacking Sony, Stealing Credit Cards

The hacking group Anonymous has denied responsibility for the attack on Sony's networks, claiming that it has "never...engaged in credit card theft."

Computerworld — In a long statement posted to the Daily KOS site, the group said others were trying to frame it for the hack of Sony's PlayStation and Online Entertainment networks.
"Whoever broke into Sony's servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history," said Anonymous. "No one who is actually associated with our movement would do something that would prompt a massive law enforcement response."
Although Sony declined to testify yesterday before a House subcommittee investigating data breaches, in its written response Tuesday to questions the company said Anonymous was at least partially responsible for the hacks because it had conducted denial-of-service (DoS) attacks against Sony in the weeks prior to the credit card hack.
"Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," said Sony. "In any case, those who participated in the denial of service attacks should understand that -- whether they knew it or not -- they were aiding in a well planned, well executed, large-scale that left not only Sony a victim, but also Sony's many customers around the world."
Sony also said the credit card hackers had left a file named "Anonymous" on one of its servers. The file contained the words "We are legion," a trademark phrase of the group.
"Anonymous has never been known to have engaged in credit card theft," the group countered Wednesday.
Tuesday's accusations that Anonymous may have been involved were a reversal for Sony.
In a Tokyo press conference Monday, Kaz Hirai, CEO of Sony's games subsidiary, said the company had not found any link between Anonymous and the newest attacks.
Anonymous had denied responsibility for the Sony network breaches before. On April 22, it issued a statement titled, "For Once We Didn't Do It" that argued "Sony is taking advantage of Anonymous' previous ill-will toward the company to distract users from the fact that the [PlayStation Network] outage is actually an internal problem with the company's servers."
The group had taken credit for the DoS attacks against Sony two weeks before the April breach. Those attacks were launched as a protest of Sony's legal pursuit of George Hotz, who had hacked the PlayStation 3 to run Linux OS.
Hotz, who settled with Sony, has also said he had nothing to do with the network attacks.
"I'm not crazy, and would prefer to not have the FBI knocking on my door," Hotz said in an April 28 blog post. "Hacking into someone else's server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony."
But Hotz also said Sony had essentially reaped the whirlwind.
"The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts," said Hotz. "Alienating the hacker community is not a good idea."
It would obviously be in Anonymous' interest to deny responsibility for the credit card theft. Sony contacted the Federal Bureau of Investigation (FBI) three days after it discovered the intrusion, and five days later met with the agency to provide details of the attack.
The FBI, along with law enforcement authorities in other countries, has been pursuing Anonymous since last year, when the group targeted a large number of Web sites -- including those for Amazon, PayPal, MasterCard and Visa -- for withdrawing services from Wikileaks, the document leaking organization that began publishing U.S. diplomatic cables in November 2010.
In December 2010 and January 2011, the FBI seized hardware from several U.S. Internet service providers, then executed dozens of search warrants in its search for Anonymous.
Sony took its PlayStation Network offline on April 20. As of today, that network, as well as the Online Entertainment network, was not operational.
The company told Congress on Tuesday that it had not identified the people who broke into its servers and lifted the personal information -- and possibly credit card numbers, as well -- of millions of customers.

Internet hit by wave of Fake PC 'defrag' tools

A spate of scareware apps that trick users into buying useless hard disk repair tools appears to be part of a concerted campaign to push fake 'defrag' software, a security company has said.
The Internet abounds with Windows utilities, usually free, some not very good. Users have an unquenchable appetite for them.
According to a GFI-Sunbelt Security blog, a new type of bogus disk software has suddenly become very common on the back of this, with a clutch of convincing examples appearing in recent weeks.
Users encountering the new examples HDDRepair, HDDRescue and HDDPlus should ignore them. They are bogus applications that claim to defragment a user's hard disk, even though such a tool is barely needed given that Windows does a lot of this work behind the scenes anyway.
The apps will, however, claim that a user's hard disk is riddled with problems, as will the slightly older examples UltraDefragger, ScanDisk, Defrag Express and WinHDD. Sorting out the non-existent issue can cost anything from $20 and up.
Such apps have been around for some time in fact but have simply been less documented compared to the fake antivirus programs that have caused chaos on the Internet in the last two years.
The phenomenon of fake software is now deeply entrenched on the Internet and criminals have even taken to aping the way security companies are creating all-purpose security programs. Fake apps adopting this verisimilitude tactic include PCoptomizer, PCprotection Center and Privacy Corrector.
A quick trawl of Google reveals that all of the above scareware examples are easy to encounter. So how does a user tell the real and useful from the fake and expensive?
Depending on the type of app, it is sometimes easier to consult lists of real apps than to work out which ones aren't genuine.
As the author points out, the overworked Virus Total is one site that allows files and URLs to be checked against known rogue lists, while certification company ICSA Labs publishes a separate, more high-level list of known vendors. These are not perfect warning systems however. Rogue URLs change constantly and might not be spotted by Virus Total, for instance.

Security researchers split on whether 'ComodoHacker' is the real deal

Computerworld - A solo Iranian hacker on Saturday claimed responsibility for stealing multiple SSL certificates belonging to some of the Web's biggest sites, including Google, Microsoft, Skype and Yahoo.
Early reaction from security experts was mixed, with some believing the hacker's claim, while others were dubious.
Last week, conjecture had focused on a state-sponsored attack, perhaps funded or conducted by the Iranian government, that hacked a certificate reseller affiliated with U.S.-based Comodo.
On March 23, Comodo acknowledged the attack, saying that eight days earlier, hackers had obtained nine bogus certificates for the log-on sites of Microsoft's Hotmail, Google's Gmail, the Internet phone and chat service Skype and Yahoo Mail. A certificate for Mozilla's Firefox add-on site was also acquired.
SSL certificates validate the legitimacy of a Web site to the browser, assuring users that they're connecting to the real site, and that the traffic between their browsers and the site is encrypted.
Comodo CEO Melih Abdulhayoglu said last week that circumstantial evidence pointed to a state-backed attack, and claimed the Iranian government was probably behind it. "We believe these are politically motivated, state driven/funded attacks," said Abdulhayoglu.
He based his opinion on the fact that only Iran's government -- which could jigger the country's DNS (domain name system) to funnel traffic through fake sites secured by the stolen certificates -- would benefit.
In Abdulhayoglu's analysis, authorities could have used the certificates to dupe anti-government activists into believing they were at a legitimate Yahoo Mail, for example. In reality, however, the phony sites would have collected users' usernames and passwords, and thus given the government access to their e-mail or Skype accounts.
On Sunday, a single hacker took responsibility for the Comodo attack, backing up his claim with decompiled code.
"I'm not a group of hacker [sic], I'm single hacker with experience of 1,000 hackers," wrote the attacker in a post on Pastebin.com late Saturday. He called himself "ComodoHacker" and said he's 21 years old.
ComodoHacker alleged that he had gained full access to InstantSSL.it, the Italian arm of Comodo's InstantSSL certificate selling service, then decompiled a DLL file he found on its server to uncover the reseller account's username and password.
With the username and password in hand, said ComodoHacker, he was able to generate the nine certificates, "all in about 10-15 minutes." His message was signed "Janam Fadaye Rahbar," which reportedly means "I will sacrifice my soul for my leader."
The InstantSSL.it Web site is currently offline.
Robert Graham, the CEO of Errata Security, believes ComodoHacker is telling a straight story.
"As a pentester who does attacks similar to what the ComodoHacker did, I find it credible," Graham said Sunday on the Errata blog. "I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he's patriotic but not political."
But Mikko Hypponen, the chief research officer of Helsinki-based F-Secure, sounded skeptical.
"Do we really believe that a lone hacker gets into a [certificate authority], can generate any cert he wants...and goes after login.live.com instead of paypal.com?" asked Hypponen on Twitter.
Graham had an answer for Hypponen's question.
"[Comodo Hacker] started with one goal, that of factoring RSA keys, and ended up reaching a related goal, forging certificates," said Graham. "He didn't think of PayPal because he wasn't trying to do anything at all with the forged certificates."
ComodoHacker also lit into the West -- Western media in particular -- for quickly concluding that the Iranian government was involved when it had downplayed possible U.S. and Israeli connections to Stuxnet, the worm that most experts believe was aimed at Iran's nuclear program.
He also threatened to unleash his skills against those he said were enemies of Iran.
"Anyone inside Iran with problems, from fake Green Movement to all MKO members and two-faced terrorists, should [be] afraid of me personally," said ComodoHacker. "I won't let anyone inside Iran, harm people of Iran, harm my country's Nuclear Scientists, harm my Leader (which nobody can), harm my President."
MKO, or the "People's Mujahedin of Iran," is an Islamic group that advocates the overthrow of the current government of Iran.
"As I live, you don't have privacy in internet, you don't have security in digital world, just wait and see," ComodoHacker said.
Comodo was not available Sunday for comment on ComodoHacker's claims.

Panda Security has reaffirmed its policy of not hiring hackers following incorrect reports that it had hired an infamous Chinese virus writer.

Li Jun, author of the Fujacks worm, "found a job with Panda following his recent release from prison", according to local reports. Not so, according to Panda Security chief exec Juan Santana, who explained that the confusion had arisen because Li had gotten a job with a local software distributor.
"[Li] does not work for Panda Security, and has never worked for Panda Security, either as an employee or as a consultant," Santana explained in a blog post. "We believe the confusion arises from a marketing initiative by a distributor of Panda China where Mr Li was involved. We have a policy whereby we do not and will not hire black-hat hackers and certainly not previously convicted hackers."
Panda was quick to reject attempts by local suspects in the Mariposa botnet case to get themselves hired by the Spanish security software firm, a development that had made the (incorrect) reports that it had hired the author of the Fujacks worm all the more surprising. Anti-virus firms are regularly accused, mostly in jest, of writing virus code themselves or hiring hackers to do it for them.
The truth is that the bad guys are producing more than enough malware variants to keep everyone busy. In addition, the skills that might be needed to write a virus are very different from the knowledge needed to reverse-engineer malware samples and produce an antidote.
Convicted virus authors ought to be allowed a chance at rehabilitation but finding work at an anti-virus firm is certainly not in the supplier's best interests especially since such a firm would generate tons of negative publicity, as a post by net security firm Sophos explains.
Most security software firms – even those outside anti-virus – are similarly not keen on the idea of hiring convicted cybercriminals, while being more open to the idea of hiring more ethical white-hat hackers. Even hiring ethical hackers and hobbyists sometimes turns out badly, however.
Chris Soghoian earned notoriety by developing software that allowed users to print fake boarding passes for Northwest Airlines back in 2006, before later creating a map of where tubes of sexual lubricant Astroglide were shipped online – using data supplied by its manufacturer, Biofilm. Soghoian completed the latter exercise to illustrate a privacy concern. Although the exercise failed to result in any prosecution, it did result in a job offer from US consumer watchdog the Federal Trade Commission last year, which Soghoian accepted.
But there were culture clashes from the first day, with Soghoian refusing to submit to a fingerprint scan or complete a background check request. He also strayed from the corporate line by secretly taping Sprint executives talking about handing over customer GPS data at an industry-only conference.