::Trend Micro Threat Resource Center::

28 February 2011

Phishers exploit New Zealand earthquake

Natural disasters are practically always exploited by scammers, and the earthquake that hit New Zealand and left thousands of its citizens homeless is not an exception.

Unfortunately for the more gullible benefactors out there, this time the scammers produced a rather well-executed phishing page that spoofs the legitimate New Zealand Red Cross website.

While the legitimate site provides a short form for donors to fill out in order to make the donation, and its payment processing page asks only for the card brand, number, expiry date and security code, the phishing page asks for much more.


As a rule of thumb, you should be instantly suspicious of any website that asks you to share your credit card PIN code.

It is also good to remember that following links from unsolicited e-mails is never a good idea. If you are determined to do some good, visit the organization's website by typing the URL into the browser's address bar yourself and then proceed to donate.

24 February 2011

Facebook Stalker Tracker Tool Turns Users into Spammers

Privacy has been one of the major concerns of Facebook users today, especially as the social network continues to grow into a massive directory of personal information. Users are becoming very concerned about who can access the information they post, fearful that it may be viewed and used in a malicious way. Given this, stalkers, people who aim to invade other people's privacy, are increasingly becoming Facebook users' worst nightmare.

Facebook scams play on people's fear of being stalked. Unsurprisingly, we have recently seen newly created domains that offer to help users track down who views their profiles most often, as well as how many times their profile was viewed. The domains contain strings like "profile view" and "creepers" in their URLs, suggesting their alleged purpose.

The pages list the instructions the user must follow to use the "stalker tool." The instructions include copying a certain script and pasting it into the browser's address bar.


The technique is very similar to a scheme we saw last year, which used the lure "10 lies girls ALWAYS tell guys! Funny!" In this case, the lure is different but the effect is much the same. Once the user pastes the script into the address bar and executes it, the script runs with access to the user's logged-in Facebook account and uses it to spam messages that promote the stalker tool.

These messages are randomly generated and may be posted either as a private message or as a wall post.

We tested whether the so-called stalker tool works in all browsers and found that it does, as long as JavaScript is enabled. The script is now detected by Trend Micro as HTML_FBSPAM.ASM, and access to the related domains is now blocked.
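The scam above works because anything pasted into the address bar with a `javascript:` scheme runs in the page's origin, with the victim's Facebook session. The mitigation browser vendors later adopted is to strip that scheme from pasted text so it is treated as a search or plain navigation instead. The following is an added example (not Trend Micro's code and not any browser's actual implementation) of the check such a mitigation needs: browsers trim leading and trailing control characters and spaces, drop tabs and newlines anywhere in a URL, and match the scheme case-insensitively, so a naive `startswith("javascript:")` test misses trivial variants. The sample pastes at the bottom are constructed for the demonstration.

```python
"""Classify pasted address-bar text the way a URL parser would, and neutralise
javascript: URLs. Added example; the normalisation rules follow the WHATWG URL
parser (leading/trailing C0 controls and space trimmed, tab and newline removed
anywhere, scheme compared case-insensitively)."""

import re
from typing import Dict, Optional

# Tab, line feed and carriage return are removed from anywhere in the input.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
# C0 control characters (U+0000..U+001F) and space are trimmed from both ends.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
# A URL scheme: ASCII letter followed by letters, digits, "+", "-" or ".".
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def _clean(text: str) -> str:
    """Apply the browser's pre-parse cleanup to pasted text."""
    return _TAB_NEWLINE.sub("", text).strip(_C0_AND_SPACE)


def normalize_scheme(text: str) -> Optional[str]:
    """Return the lowercase scheme a browser would parse from the paste, or None."""
    match = _SCHEME.match(_clean(text))
    return match.group(1).lower() if match else None


def is_javascript_url(text: str) -> bool:
    """True if the paste would execute as a javascript: URL after normalisation."""
    return normalize_scheme(text) == "javascript"


def neutralize_paste(text: str) -> str:
    """Mimic the address-bar mitigation: drop the javascript: scheme so the text
    that reaches the address bar can no longer execute. Other input is unchanged."""
    if not is_javascript_url(text):
        return text
    cleaned = _clean(text)
    return cleaned[cleaned.index(":") + 1:]


# Constructed samples: obfuscations a real scam page might tell a victim to paste,
# alongside benign input that must not be flagged.
SAMPLE_PASTES = [
    "javascript:alert(1)",            # plain
    "  JaVaScRiPt:void(0)",           # mixed case, leading spaces
    "java\tscript:alert(1)",          # tab inside the scheme
    "\x01\njavascript:x",             # leading control char and newline
    "https://www.facebook.com/",      # ordinary navigation
    "javascriptfoo:bar",              # different scheme that merely starts with the word
    "who viewed my profile",          # plain search text
]


def classify_samples() -> Dict[str, bool]:
    """Map each sample paste to whether it would be flagged as a javascript: URL."""
    return {paste: is_javascript_url(paste) for paste in SAMPLE_PASTES}


if __name__ == "__main__":
    for paste, flagged in classify_samples().items():
        print(f"{flagged!s:5}  {paste!r:32} -> {neutralize_paste(paste)!r}")
```

The check is deliberately applied after the same cleanup the URL parser performs; checking the raw string first would let `java<TAB>script:` through while the browser still executes it.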

17 February 2011

Christmas Spam in February?

Holidays like Christmas and Valentine’s Day inevitably come with threats related to the holidays themselves. These attacks have become more persistent throughout the years, perfectly timed to dupe the greatest number of users with the most appropriate social engineering techniques for their holiday of choice.

Just today, we saw a certain spam run that seems a little bit too late or, seen in another way, a little too early for the season it’s supposed to ride on.

Christmas greeting cards are being spammed out in messages styled after those from popular websites known for free e-card services.


The messages arrive with a file attachment in .ZIP format, which the recipients must open to view the e-card. Of course, the claim that the .ZIP file contains an e-card is about as accurate as the claim that it is the Christmas season in February. The .ZIP file contains malicious files that Trend Micro now detects as WORM_PROLAC.SME, WORM_PROLAC.AB, and WORM_PROLAC.AA. When executed, WORM_PROLAC.SME drops a file detected as TROJ_CUTWAIL.IZ. It also has rootkit capabilities that allow it to hide its processes and files from users. Similar to WORM_PROLAC.SME, WORM_PROLAC.AB has rootkit capabilities and drops several files detected by Trend Micro as TROJ_HILOTI.SMAE, TROJ_FAKEAV.SM3, and TROJ_HILOTI.SME1.
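A mail gateway does not need a signature for WORM_PROLAC to be suspicious of an "e-card" that arrives as a .ZIP: it can open the archive and look at what the members are called and what they start with. The following is an added example, not Trend Micro's code and not derived from the PROLAC samples, showing the three checks a practitioner would want: executable extensions, double extensions that disguise an executable as an image or document, and a Windows PE header (`MZ`) behind an innocent-looking name. The archive it inspects is constructed in memory with dummy bytes so the check runs offline; the member names are invented for the demonstration.

```python
"""Inspect a .ZIP e-mail attachment for executable content. Added example; the
sample archive is constructed here and contains no real malware."""

import io
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
# Extensions users expect to be harmless, commonly used as the "inner" part of a disguise.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


@dataclass
class Finding:
    member: str
    reason: str


def inspect_zip_attachment(data: bytes, max_members: int = 1000) -> List[Finding]:
    """Return one Finding per suspicious member of the archive (empty list = clean)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP archive")]

    findings: List[Finding] = []
    with archive:
        for info in archive.infolist()[:max_members]:
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""

            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable extension {ext}"))
                if inner in DECOY_EXTENSIONS:
                    findings.append(Finding(info.filename,
                                            f"double extension {inner}{ext} disguises an executable"))

            # Encrypted members cannot be content-checked; that is itself worth flagging.
            if info.flag_bits & 0x1:
                findings.append(Finding(info.filename, "encrypted member, content not inspectable"))
                continue

            # Content check catches executables renamed to look like images or documents.
            with archive.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, "Windows PE header (MZ) behind a non-executable name"))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway verdict: any finding means the attachment is held back."""
    return bool(inspect_zip_attachment(data))


def build_sample_attachment() -> bytes:
    """Construct a test archive resembling the spam run: dummy 'MZ' payloads, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Christmas_Card.jpg.exe", PE_MAGIC + b"\x90" * 64)  # disguised executable
        zf.writestr("card.scr", PE_MAGIC + b"\x00" * 32)                # screensaver executable
        zf.writestr("card.jpg", PE_MAGIC + b"\x00" * 16)                # PE bytes under an image name
        zf.writestr("greeting.txt", b"Merry Christmas!")                # genuinely harmless member
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_attachment()):
        print(f"{f.member}: {f.reason}")
```

The content check is the one that matters most: an attacker controls the filename, but a PE file cannot shed its `MZ` header and still run.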

Such threats, it seems, will keep appearing as long as holidays are observed, since these events affect users' computing behavior in one way or another. Whether they are deployed at the right time or not, users should remain vigilant and keep themselves protected.

08 February 2011

Hackers compromised Nasdaq's network

Hackers continue to breach systems of vital importance to the US, and the latest one to be compromised is the one belonging to the company that operates the Nasdaq Stock Market.

According to the WSJ, hackers repeatedly managed to access the network during the past year. And even though people familiar with the investigation into the matter - mounted by the Secret Service and the FBI - say that the actual trading platform was not compromised, it is worrying that the investigation has so far failed to explain what the attackers were looking for.

Investigators can think of a number of possible motives behind the hacks - the two most prominent are financial gain (through theft of information) and compromise of national security (through disruption of a critical national economic asset).

So far, it seems that the hackers haven't tampered with the network in any way and simply took a look around. It is likely that the attackers were scouting the network and are currently considering the best way to use the gathered information, but the most worrying thing is that the investigators are not, and can never be, sure that all security holes have been plugged.

Since unequivocal attribution of such attacks to a group of hackers or a specific country is notoriously difficult, the investigators have yet to define exactly who targeted Nasdaq's networks. There is some evidence that points to computers in Russia, but they could be operated from anywhere in the world, so that's not saying much.

USB autorun attacks against Linux

Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS - including the addition of features that can allow Autorun attacks.

This ShmooCon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things.

Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not.

The talk concludes with steps that Linux vendors and end-users can take to protect systems from this threat to head off a wave of Linux Autorun malware.

04 February 2011

Pwn2Own Contest Pays Hackers To Exploit Firefox, Internet Explorer, And Google Chrome

Pwn2Own is a contest that pits hackers against the major web browsers. Their goal is to successfully exploit the browsers and find the bugs that make these hacks possible. The hackers aren't just doing this to be nice, either; there's a prize pool worth $125,000. Cash, laptops, and desktops will all be available to win.

The contest features all the major browsers (Firefox, Internet Explorer, Safari, and Chrome), and will run on both Windows 7 PCs and Mac OS X machines. The contest is hosted by TippingPoint, a research organization that works to provide protection against system vulnerabilities.

There are a couple of new additions to the contest, both of which will pay prize money. First, there will be a mobile hacking event. This will pit researchers against the likes of Apple's iOS, Google Android, Microsoft's Windows Phone 7, and RIM's BlackBerry OS.

The news that is really drawing attention to the event is Google Chrome joining in on the action. Not only are they participating, but they're ponying up their own dough to award the hackers: $20,000 will go to the hacker who is first to find an exploit in Google Chrome.

Google has been very confident in their belief that Chrome cannot be hacked. This is due to their use of a 'sandbox' anti-exploit defense. This type of defense isolates the browser's rendering processes from the rest of the system, so that a hacker who finds a bug in the browser still needs a second, separate bug to escape the sandbox and truly perform a successful breach.

Google will provide its full $20,000 prize only on the first day, because on the first day only the browsers themselves are available to the contestants. On the second and third days, contestants are allowed to use bugs in the underlying operating systems to perform their hacks. For those last two days Google will still provide a $10,000 award, which will be matched by TippingPoint, so no matter which day a hacker successfully exploits Chrome, they'll still receive $20,000.

This is the contest's fifth running, and the award money has never been higher. The contest itself is about helping the browser developers better implement security strategies that keep malicious hackers from succeeding with their exploits.