::Trend Micro Threat Resource Center::

28 November 2012

Fake Facebook alert leads to Blackhole, malware

Due to the huge popularity of Facebook and its one billion active users, bogus emails impersonating the social network are constantly hitting users' inboxes.

The latest of these is a notification alert about "activity you may have missed on Facebook":



Clicking on any of the offered buttons or the "unsubscribe" link ultimately lands users on a page hosting the Blackhole exploit kit serving an exploit for Adobe Reader and Acrobat.

Victims who run a vulnerable version of either program and have no AV solution are automatically saddled with an information-stealing Trojan.

The Trojan variant in question is now detected by 28 of the 43 AV products used by VirusTotal, but at the beginning of the spam campaign even those who had AV software installed were not safe, as the malware was detected by only three of them, Webroot warns.

Users are advised never to follow links offered in unsolicited emails, no matter how legitimate they look. Check your Facebook account for "activity you have missed" if you must, but do it by logging in through the legitimate login page.

26 November 2012

Bogus Apple invoice leads to Blackhole, banking malware

If you receive an invoice seemingly coming from Apple that apparently shows that your credit card has been billed for $699,99 (or a similar preposterously huge amount of money) because you bought a postcard, don't click on any of the embedded links no matter how curious or alarmed you are.

The bogus invoice looks good enough to fool many:



"The link 'View/Download' ends in download.jpg.exe, while the 'Cancel' and 'Not your order' URLs end in check.php," shares Graham Cluley. "The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links."

A click on the former link will automatically download the malware, while a click on either of the latter takes the victim to a bogus IRS page warning them that they are using an unsupported browser.

But this is simply a smokescreen designed to puzzle the user while the Blackhole exploit kit works furiously in the background, trying to exploit a host of Oracle Java, Adobe Flash Player and Adobe Reader vulnerabilities.

If it succeeds, the victim's computer is infected with a variant of the Zeus / Zbot banking Trojan. If not, they are offered a download of the latest version of their browser. The offered file is named update.exe and is also a Zeus Trojan variant.

24 November 2012

Digitally signed ransomware lurking in the wild

Trend Micro researchers have spotted two ransomware variants bearing the same (probably stolen) digital signature in order to fool users into running the files.

Other than that, the malware acts like any other ransomware: it blocks the victims' computer and shows messages that seem to come either from the FBI or the UK’s Police Central e-crime Unit:



"Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability," say the researchers.

And if the bogus law enforcement messages are anything to go by, it seems that those same malware peddlers have managed to hack the DNS records of Go Daddy hosted websites so that they can redirect victims to malicious sites hosting the Cool exploit kit.

Sophos' researchers speculate that the DNS records hijacking was due to stolen or weak passwords.

"Go Daddy customers who wish to check they have not been affected by these attacks should check their DNS configuration according to the Go Daddy support page," they advise.

16 November 2012

Facebook Black Is Scamming You

As more and more people join social networks like Facebook and Twitter, it only gets easier for scam artists to pick off a few non-discerning users. The latest scam that's making its way across Facebook offers to change your user interface to a cool, new color if you're sick of the boring old Facebook blue.

Users are now seeing images advertising the new "Facebook Black" in their news feeds. The image asks users to click a link shared above, which will then lead them to an official-looking app permissions screen. Of course, there's no such thing as "Facebook Black" and clicking on the link will only open you up to a possible security breach.

Sophos' Naked Security blog reports that the ruse is the work of survey scammers, who prey on unsuspecting users who will complete surveys in order to receive the promised product. These surveys earn affiliate cash for the scammers.



"Are you sick fo that boring old blue theme? Well now you have the power to change your facebook color to anything your heart desires," reads the page. Sophos claims that some versions of the dubious link attempt to fool users by displaying a limited time offer and prompting them to generate a code to access the new feature.

Although they may look legit to the untrained eye, some of the scam landing pages can be easily identified because they have failed to wipe the text from previous clickjacking scams, such as the Remove Facebook Timeline scams popular earlier this year.



As always, the advice here is to investigate any "new feature" or "offer" that seems too good to be true or out of the ordinary. And if you happen to get caught up in a scam, make sure you remove any corresponding likes and app permissions from your Facebook account.

17 October 2012

Malware targeting Skype missed a trick



Last week reports came out stating that the Dorkbot worm is now targeting Skype users. The worm fools users into downloading the malware, whose payload locks down machines. Once infected, users' contact lists are pinged with the message "LOL is this your new profile pic?" and a .zip file.

When the .zip file is clicked it opens a backdoor and installs the worm. The machine is then enlisted into a botnet and users are asked to make a $200 payment within 24 to 48 hours in order to receive their files back.

This ransomware aspect of the worm is a new element compared to the previous strains that affected Facebook and Twitter.

Dominique Karg, Chief Hacking Officer at AlienVault, comments on why he thinks Dorkbot will not be as effective as it could have been:

“There are three things about this worm that surprise me:

Firstly, the phrase "LOL is this your new profile pic?" makes it look like this is targeted at a younger segment of the population. Therefore really narrowing down on the victims.

If the target is the younger generation then $200 seems like a lot of money for that "target" audience. Why not make it $50? I think a lot more people who have contacts who would send them a .zip file with a "LOL is this your new profile pic?" message would pay $50 or $100 rather than $200. And I'm thinking about the US here. $200 in some other countries is a small fortune...

Why the 24/48 hour timeframe? Are the authors trying to urge people into paying before the malware gets deleted? The harm is done anyway at this point, deleting the malware won't get the files back, as far as I know, so why the urge?

This malware doesn't exploit any system vulnerability; it exploits trust so with the right message they could have got a lot more people to be fooled into executing the program (worm). We always warn people to disregard attachments from unknown people. However, in this case this file is being sent from your trusted ‘buddies’.

It surprises me that the people who have written this malware have not made the message change depending on the target. If the target's name is 2 words, then they could have put something more serious, like "please don't share this but I wanted you to have it", while to a 1 word destination (much more likely to be a nickname or a "buddy") they could have sent the above message.

Finally, in Skype you can also see the local time for your contacts, which should give you a rough idea of where they are located at "wealth" wise, therefore enabling them to adjust the ransom accordingly. The writers of this malware are definitely missing a trick."

10 October 2012

New TDL4 rootkit successfully hiding from AV

A new variant of TDL4 has been identified, and within two months of its detection it is already ranked as the second most prevalent malware strain.



The characteristics are similar to the iteration of the TDL4 rootkit, detected by Damballa a month ago. Damballa picked it up through its network behavioural analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication.

Since Damballa could only determine the existence of the new malware by looking for domain fluxing, it was concluded that no binary samples of the new malware had been identified and categorised by commercial antivirus products operating at the host or network levels.

HitmanPro, however, has detected Sst.c (also known as Maxss), a modification of the TDL4 strain, and it is spreading fast.

This new variant is capable of infecting the Volume Boot Record (VBR) (also known as Partition Table), and commercial antivirus products are unable to detect it, let alone remove the malware.

Joseph Souren, Vice President and GM, Wave Systems EMEA, has provided the following commentary:

“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot Record.

Without embedded hardware security to detect anomalies of behaviour in the boot process, it starts to cause havoc damaging the network. It also reduces the window of detection for the enterprise to contain the threat.

The best defence is based on the Trusted Platform Module (TPM) chip. The TPM stores the signatures of critical start-up components of the machine, and the ones that are most important are used early in the boot process before the antivirus initiates.

By utilising TPMs, the enterprise can collect data from the computers and correlate computer information that is not visible for traditional malware scanning software. The IT manager is alerted when unwanted changes are detected.

It’s undoubtedly not the last we will hear of these types of Advanced Persistent Threats (APT) and activating and managing embedded hardware security is the only way to detect these attacks early enough to prevent damage to the network.”
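The commentary above argues that boot-time measurements held in a TPM reveal a modified Volume Boot Record before any antivirus runs. The following simulation is an added example, not code from the article or from Wave Systems: it models the TPM extend operation (PCR = SHA-256(old PCR || measurement)) over a constructed boot chain, records a baseline event log, and shows that a swapped VBR both changes the final PCR and can be pinpointed by stage. The component images, stage names and baseline are constructed for illustration.

```python
"""Measured-boot simulation: detect a modified VBR via TPM-style PCR extends."""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the register becomes H(old_pcr || measurement).

    Because each value chains on the previous one, a change in any early
    stage alters the final PCR even when every later stage is unchanged."""
    return sha256(pcr + measurement)


def measure_boot(components):
    """Measure each (stage, image) in boot order, the way firmware measures a
    component before handing control to it. Returns (final_pcr, event_log)."""
    pcr = b"\x00" * 32            # PCRs start at zero after a platform reset
    log = []
    for stage, image in components:
        digest = sha256(image)
        pcr = extend(pcr, digest)
        log.append((stage, digest.hex()))
    return pcr, log


def first_divergence(baseline_log, current_log):
    """Return the first stage whose measurement differs from the baseline,
    or None when the chains match exactly."""
    for i, (stage, digest) in enumerate(current_log):
        if i >= len(baseline_log):
            return stage                          # unexpected extra stage
        if (stage, digest) != baseline_log[i]:
            return stage                          # tampered or replaced stage
    if len(current_log) < len(baseline_log):
        return baseline_log[len(current_log)][0]  # expected stage was skipped
    return None


# Constructed boot chain standing in for a real firmware -> MBR -> VBR ->
# bootloader -> kernel sequence. The bytes are placeholders, not real images.
CLEAN_CHAIN = [
    ("firmware",   b"constructed firmware image v1"),
    ("mbr",        b"constructed master boot record"),
    ("vbr",        b"constructed volume boot record"),
    ("bootloader", b"constructed boot manager"),
    ("kernel",     b"constructed kernel image"),
]


def infected_chain():
    """Same chain with only the VBR replaced, as a VBR bootkit would do."""
    return [(stage, b"constructed hooked VBR" if stage == "vbr" else image)
            for stage, image in CLEAN_CHAIN]


def attest(baseline_pcr, baseline_log, chain):
    """Compare a fresh boot against the recorded baseline.

    A PCR mismatch alone says "something changed"; the event log says where."""
    pcr, log = measure_boot(chain)
    return {"pcr_match": pcr == baseline_pcr,
            "diverged_at": first_divergence(baseline_log, log)}


if __name__ == "__main__":
    base_pcr, base_log = measure_boot(CLEAN_CHAIN)   # recorded on a known-good boot
    print("clean boot:   ", attest(base_pcr, base_log, CLEAN_CHAIN))
    print("infected boot:", attest(base_pcr, base_log, infected_chain()))
```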

29 September 2012

Malware Infested Twitter Messages Contain Fake Facebook Links

Twitter users need to be on the lookout for a new round of malware-carrying spam messages that are coming from compromised accounts, possibly even from Twitter profiles they trust.

If you receive a direct message suggesting that someone has posted or tagged you in a Facebook video, beware. Clicking on the link could infect your computer with malware. According to the Sophos Naked Security blog, the direct messages are not originating from spam accounts, but instead compromised accounts of friends - which makes it even more likely that a careless user could fall victim.

Although the messages vary, the common thread between all of them is that they contain a "facebook.com/________" link and mention that a video of you has been posted on Facebook. "Your in this facebook.com/________ video, LOL" reads one spam message, while another says "you even see him taping u, that's awful."

When an unsuspecting user clicks on the link, they are shown a YouTube video player and prompted with a message that says, "and update for YouTube player is needed." It says that it will install Flash Player 10.1 onto your computer, but instead installs "Troj/Mdrop-EML, a backdoor Trojan that can also copy itself to accessible drives and network shares," according to Sophos.

Of course, clicking on any link in a direct message that takes you offsite is risky, and the fact that these messages are coming from trusted sources makes it especially tricky. However, the fact that the messages contain various misspellings and grammatical errors should suggest to the discerning user that they might not be legit.

18 September 2012

HOWTO Brute Force Android Encryption on Santoku Linux

This HOWTO will guide you through the process of cracking the PIN used to encrypt an Android device (Ice Cream Sandwich and Jelly Bean) using brute force on Santoku Linux Community edition.



14 September 2012

iPhone 5 release brings out email scammers

Apple's long awaited release of iPhone 5 has provided cyber crooks with a perfect opportunity to scam users.

Even before yesterday's official presentation of the new device, a mass mailing campaign offering a protective case for it has been spotted by Kaspersky Lab researchers:



Now - even if this offer was legitimate, it is highly unlikely that the case would fit, as the iPhone 5 is thinner and longer than its predecessor. The fact that the senders sent out the email before the release of the device indicates that this is likely a scam.

It's hard to tell just what type of scam it is, but at best you can get saddled with a case that doesn't fit, and at worst your credit card information can be stolen and used by the scammers.

In any case, beware of offers like these and restrict your online shopping to legitimate e-commerce sites.

17 July 2012

USB drives left in car park as corporate espionage attack vector

A number of infected USB flash drives were recently left in the car park of Dutch chemical firm DSM in a failed corporate espionage attempt. According to a report (in Dutch) from Dutch newspaper Dagblad De Limburger, these drives were planted by an unknown party in the hope that one or more of the company's employees would insert them into their office systems.

However, instead of plugging it into one of the company's systems, an employee who found one of the USB sticks turned it over to DSM's IT department. Upon examination, they discovered that the drives contained malware that was set to automatically run upon being inserted into a computer. The malware is said to have been a key logger designed to capture usernames and passwords, and access the company network to send them to an external site.

Upon finding this, the company blocked all access to the IP addresses which the malware attempted to contact. Because, they say, it was a clumsy attempt to steal data and no damage was done, DSM decided not to contact the police.

Would you report to the police?

15 July 2012

Disable Windows Sidebar and Gadgets NOW on Vista and Windows 7. Microsoft warns of security risk

Users of Windows Vista and Windows 7 have been advised to completely disable their Windows Sidebar and Gadgets, in response to what appears to be a serious security risk.

The Windows Sidebar is a vertical bar that can appear at the side of your desktop, containing mini-programs (known as gadgets) that can provide a number of functions such as a clock, the latest news headlines, weather report and so forth.

Windows 7 Sidebar gadgets

A security advisory issued by Microsoft's security team advises that vulnerabilities exist that could allow malicious code to be executed via the Windows Sidebar when running insecure Gadgets.

The warning comes ahead of a talk scheduled for Black Hat later this month by Mickey Shkatov and Toby Kohlenberg. Shkatov and Kohlenberg's talk, entitled "We have you by the gadgets", threatens to expose various attack vectors against gadgets, how malicious gadgets can be created, and the flaws they have found in published gadgets.

Gadgets talk at Black Hat

"We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets."

If the researchers have managed to find ways to exploit existing gadgets, that's particularly worrying.

Clearly Microsoft is worried about the security researchers' findings, and has issued a "Fix It Tool" which will protect Windows 7 and Vista users by entirely disabling the Windows Sidebar and Gadgets functionality.

Yes, that's right. Microsoft hasn't issued a security patch to fix the vulnerability. They're suggesting you completely nuke your Windows Sidebar and Gadgets.

Which is bad news if you found those sidebar gadgets useful. You better find a new way to tell what time it is, or catch the latest from your favourite RSS feeds.

Sorry if it causes you any pain, but I would recommend you follow Microsoft's advice if you run Windows 7 or Vista and apply their "Fix It tool" as soon as possible. It may be a sledgehammer to crack a nut - but it's a nut that needs smashing, and fast.

Interestingly, Microsoft has dropped Gadgets from the upcoming Windows 8. In retrospect, that was probably a very good idea.

14 May 2012

FixMeStick: USB device for removing malware

FixMeStick has launched the first ever, consumer-ready USB device for removing viruses from infected PCs.



The principles of the FixMeStick are not new to security IT professionals: multiple anti-virus engines increase the number of detectable viruses, and clean external scanning devices prevent viruses from hiding or from interfering with their removal. But, for the first time, FixMeStick has built these principles into a ready-to-go USB device.

"This is about enabling everyone to rid their machines of malware," says co-founder Marty Algire. "And it will help people continue to enjoy their computers and the Internet."

The FixMeStick costs $49.99 for an unlimited number of uses on three PCs per year. Renewals can be purchased for $24.99 annually.

The FixMeStick is powered by three of the biggest names in anti-virus software: Kaspersky Lab, Sophos, and GFI.

"This collaboration will allow organizations and their users to significantly minimize the impact of a malware infection," stresses Michael Rogers, Vice President, Global Alliances & OEM at Sophos.

13 May 2012

IE 9.0.6 Now Available, Fixes Security Flaws

I remember just a few years ago when Internet Explorer was the laughing stock of the browser community. It lacked the functionality that other browsers had while lacking even basic security functions. It's what led to the impression that IE was a virus haven, but Microsoft has made great strides in making IE a more attractive and secure browser. The new update today only reaffirms that.

Microsoft today announced the release of Internet Explorer 9.0.6. It fixes "five privately reported vulnerabilities in Internet Explorer." The worst vulnerability would allow "remote code execution" if a user visited an infected Web site. This would allow somebody to gain control of the PC in question with the same user rights as the local user.

These are the kind of vulnerabilities that can lead to the creation of a botnet. People visit a Web site and get their computer hijacked by a foreign party. Their computer then becomes part of the botnet collective which usually goes unnoticed by the user if the creator of the botnet is good at their job.

Microsoft says that this update is rated critical for IE6, IE7, IE8 and IE9 on Windows clients. It's rated moderate for the same versions of IE on Windows servers. You can check out the full security bulletin for all the information including which operating systems are affected.

If you have automatic updating turned on, the update should have already been applied. If you're like me and have automatic updates turned off, you can apply it the usual way through Windows Update. While I don't use Internet Explorer and many Windows users reading this now probably don't either, it's still suggested that you install the update. There's always that small chance of a friend using your computer and browsing with Internet Explorer. It's better to be safe than sorry.

12 May 2012

Trojan posing as Flash Player for Android

Russian Android users are constantly targeted with Trojans posing as legitimate apps. Last month it was fake Instagram and Angry Birds Space apps, this time the lure is a bogus Flash Player for Android:



"When users opt to download and install the said fake app, the site connects to another URL to download a malicious .APK file," Trend Micro researchers warn.

The file in question is a premium service Trojan that saddles users with unwanted charges.

Both the website offering the fake app and the one from which the Trojan is downloaded are hosted on the same IP address - a Russian domain.

"Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme," conclude the researchers.

11 May 2012

55,000 Twitter Accounts Hacked, Passwords Exposed


Hackers appear to have successfully exposed the passwords of as many as 55,000 Twitter accounts yesterday, sparking the website to conduct an investigation into just how the security breach occurred.


The hack was first reported on the blog Airdemon.net where it was said that "anonymous hackers" - note that it's not the proper Anonymous, as in the hacktivist collective, but it's not clear whether that punctuation difference was intentional or not - gained access to the accounts, some of which are said to belong to celebrities. The account information was so enormous that it took five pages on Pastebin to share all of the information.

According to CNET, Twitter is looking into the breach and have notified the affected accounts with notices to reset their password.

Yesterday evening, Twitter, via the @twittercomms account, said that many of the accounts affected were duplicates or spam-ish:

"The list of alleged accounts & passwords consists of more than 20,000 duplicates. Also suspended spam accounts & incorrect login credentials"

After crunching the numbers and identifying the duplicate accounts shared on Pastebin, Anders Nilsson at Säkerhetsbloggen determined that the total number of actual accounts is 34,062 and, of those, only 25,068 appear to be legit. He also postulates that a majority of the accounts appear to be associated with email accounts from Brazil, which would make sense since when I looked at the list of account info on Pastebin my browser offered to translate the webpage into Portuguese. More interesting, Nilsson also points out that the list of yesterday's hacked accounts appears to consist of accounts that were hacked last summer.

So maybe Twitter's right to downplay this security breach and it's not really as threatening or legitimate as it first appeared to be. Do you think Twitter's responded appropriately, or should it be taking the matter a little more seriously? Think this situation is more hoax than actual hack?

Update [14 May 2012]: Even though the sentiment is pretty much summarized above, here is the official Twitter statement a spokesperson provided to WPN:

We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected. For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center.

It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other).

09 April 2012

SMS-controlled Android malware records calls

Researchers at NQ Mobile Security have discovered a new piece of Android malware that receives instructions, i.e. is controlled, via SMS.

Dubbed TigerBot, the Trojan hides by not showing any icon on the home screen and takes the names and icons of popular and common Google and Adobe apps like "Flash" or "System" in order to blend in with the legitimate apps installed on the phone.

"In order to receive remote commands, it registers a receiver with a high priority to listen to the intent with action 'android.provider.Telephony.SMS_RECEIVED'," point out the researchers. "As a result, it can receive and intercept incoming SMS messages before others with lower priorities."

The capabilities of the malware include: recording phone calls, changing network settings, uploading the current GPS location, capturing and uploading images, sending text messages to a particular number (but, it seems, not a premium service one), rebooting the phone and killing other running processes. Still, not all the actions are always effective.
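The SMS_RECEIVED interception described above leaves a recognisable footprint in an app's manifest: a receiver whose intent filter names that action with an unusually high priority, paired with the RECEIVE_SMS permission. The following static check is an added example (not code from NQ Mobile or the article) that scans a decoded AndroidManifest.xml for that pattern; the sample manifest, package name, receiver names and priority threshold are constructed for illustration.

```python
"""Flag manifest receivers positioned to see incoming SMS before other apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
# Ordered broadcasts are delivered from highest to lowest priority. The
# threshold is a constructed tuning value; anything above it is treated as an
# attempt to run ahead of the stock messaging app.
SUSPICIOUS_PRIORITY = 999

# Constructed sample: one benign boot receiver and one TigerBot-style receiver
# in an app that masquerades as "Flash".
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flash">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Flash">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_sms_interceptors(manifest_xml, threshold=SUSPICIOUS_PRIORITY):
    """Return (receiver_name, priority) for every receiver that listens for
    SMS_RECEIVED with a priority above `threshold`."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _attr(flt, "priority")
            try:
                priority = int(raw) if raw is not None else 0
            except ValueError:
                priority = 0          # non-numeric value: treat as default priority
            if priority > threshold:
                findings.append((_attr(receiver, "name"), priority))
    return findings


def declared_permissions(manifest_xml):
    """Set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.findall("uses-permission")}


def assess(manifest_xml):
    """Combine the receiver check with the permission it needs to be effective."""
    perms = declared_permissions(manifest_xml)
    hits = find_sms_interceptors(manifest_xml)
    return {
        "sms_interceptors": hits,
        "has_receive_sms": RECEIVE_SMS in perms,
        "suspicious": bool(hits) and RECEIVE_SMS in perms,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
```

A high-priority SMS receiver is also used legitimately by some messaging apps, so treat a hit as a lead for manual review rather than a verdict on its own.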

So far, the Trojan hasn't been detected being offered on Google Play (formerly the Android Market), but only on third-party online marketplaces.

The researchers urge users to always be careful when downloading new apps.

"Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading," they say.

08 April 2012

Polymorphic Facebook scam targets users

An insidious scam that can result in multiple malware downloads is currently targeting Facebook users, warns Bitdefender.

It starts rather predictably, as users inadvertently share links to a supposedly leaked pornographic video. If their friends follow the link, they are faced with a request to download a Divx plugin in order to watch the video:


"The page recommending users to install the missing plugin features several other elements to encourage users to keep clicking," points out Bitdefender.

"The video’s name hints that the sex tape belongs to a celebrity; the warning that the user’s antivirus must be disabled works on reverse psychology: though prospective viewers know this action is risky, they do it precisely because they have been warned about it; and the reference to age verification further hints at the salaciousness of the video."

When run, the downloaded "Extension YouTube" immediately changes all newly opened tabs to a page advertising an adult chat service, then leads the user to another page that supposedly hosts the video the users wanted to check out in the first place.

But, now the users are asked to download another piece of software - the "7pic Video Premium Player".

Unfortunately for them, it's another bogus extension that allows the scammers to hijack the users' accounts by accessing the needed cookie information and to propagate the scam further.

“This is an interesting and quite complex type of scam," says Andrei Serbanoiu, Bitdefender Online Threats Analyst Programmer.

"In data security lingo, this would qualify as a polymorphic attack, which basically means that the malicious content served can be changed by the attacker thanks to the browser extension installed. If one user lands on the adult chat page, another may reach the malware downloader or even a whole different web page set up for phishing."

07 April 2012

Instagram users targeted with spam

It's almost a given that any social service, network or app that attracts a large number of users will eventually be facing the spam and scam problem.

It happened to Facebook, Twitter, YouTube, Pinterest and many others, and Instagram - the popular photo sharing application and the network of users that grew up around it - is no exception.

Symantec researcher Satnam Narang shared the example of a spam campaign that he encountered when a user commented on a photo of his, saying that the Best Buy was giving away $100 gift cards for free to Instagram users.

The offered shortened link takes the users to a page where they are asked to input their cell phone number in order to win the card, and only if they scroll all the way down will they be able to notice the fine print saying that prior to qualifying for their prize they will be presented with optional third party offers, and that they need not complete the offers in order to qualify.

The third party "offers" look like this, and it is not really clear what exactly they are offering:


Notice that the offers can be skipped without inputting the information, but the links to do so are difficult to notice as they are small text links put in the upper right corner and designed to blend in with the background.

The collected information is likely to be used for future spamming, but it's likely that users have also unknowingly agreed to subscribe to a pricy service.

"If you have given your cell phone number up during one of these scams, be sure to check your next phone bill to see if there are any unwanted charges on it for some kind of subscription service," says Narang.

He also advises users to report this type of offer by clicking on the wheel icon in the top-right corner of their Instagram profile and reporting the user that posted them.

As we haven't seen an overwhelming amount of spam hitting Instagram users, I guess that some of the changes the service has introduced do work.

05 April 2012

Apple patches critical Java flaw

This update comes almost two months after the release of the corresponding Java version by Oracle, and only a couple of days after evidence surfaced that malware authors have been using an included Java flaw (CVE-2012-0507) to attack Mac computers.

Our recommendation: apply the update as quickly as possible.

In addition, Mac users and IT admins for Macs should review whether Java is actually needed for their usage. If not, Java can be disabled through the Java Preferences program: just uncheck both the 64-bit and 32-bit versions.


Alternatively you can use Google Chrome which has a dialog each time you use a site that uses Java plugins. With the right discipline this can be a very effective measure to avoid attacks.

Yesterday Mozilla included Java in its "blocklisting" approach for Firefox. "Blocklisting" forbids running outdated plug-ins, unless specific approval is given. Unfortunately, this is exclusive for Windows at the moment and is not available on the Mac yet.

01 April 2012

Searching for Easter eggs leads to malware

Blackhat SEO is a popular tactic for malware peddlers to distribute their wares to unsuspecting victims, and the weeks before major holidays are always a perfect time for poisoning search results for search terms tied to them.

Easter is a couple of days away, and since gifting chocolate Easter eggs and thematically decorating homes is a big part of the celebration, it's no wonder that the results for typically innocuous search terms like "chocolate", "easter eggs" or "decorating tips easter secrets" include malicious ones.

According to Sophos, when those last two search terms are combined, the very first result leads users to be infected with a fake AV variant by the name of "Windows Care Taker":

The malware feigns to have discovered a massive infection, and in order to clean the computer asks the victim to purchase the full version:


"The reason why SEO attacks are successful, is that all of us tend to trust search engine results," says Sophos' Fraser Howard.

To prevent this tendency from leading to bad outcomes, he advises installing a reputable security product; using plug-ins that hide or modify the referrer that tells the page that one has landed on it via a search engine; and looking critically at the URL of the page before clicking on it, as most of the time the domain looks completely unrelated to the topic.

30 March 2012

Scammers advertise Pinterest bots on Facebook

Internet scammers have launched a paid advertising campaign on Facebook targeting Pinterest fans, bringing a higher level of investment and sophistication to online social fraud, according to Bitdefender.

The ad, created by a web site promoting Pinterest bots, promises to show interested parties how to “make money with Pinterest”. This is an element of novelty as scammers actually seem to be taking money out of their pockets to make sure that their scams hit it big.

The paid advertising campaign can increase the efficiency of scams as the Facebook ad targeting mechanism allows you to “define your ideal audience by what they are interested in, using terms people have shared in their Facebook profiles (timelines). These may be drawn from their listed interests, activities, education and job titles, pages they like or groups to which they belong,” according to Facebook’s help centre.

The embedded link in the ad takes users to a web page that features a survey they are supposed to take in exchange for a Visa gift card and an e-mail address submission form for possible subscribers. While the “free gift card” method is reminiscent of a recent spam wave that hit the Pinterest platform, the bot-based money making mechanism advertised in the ad is very similar to the #followback scams on Twitter.

“Pinterest is one of the hottest social platforms of the moment, which would explain scammers’ malicious interest in its huge user base. The interesting thing about this scam is that it pays a twisted tribute to Facebook by targeting its users with ads,” said Catalin Cosoi, Chief Security Researcher at Bitdefender. “We should all be on the lookout for new, customized scam mechanisms.”

The Pinterest team indicated that the spam and money-making mechanisms violate the platform’s acceptable use policy in two areas: unsolicited advertising materials and use of the service for third parties’ benefit without Pinterest’s agreement. Pinterest recently updated its policies to eliminate a few unclear matters regarding ownership of pinned content and more general copyright issues.

“As a growing service, Pinterest is not immune to challenges faced by sites across the web including spam and phishing. However, it is a tremendous priority for us to quickly address them. Our engineers are actively working to manage issues as they arise and are revisiting the nature of public feeds on the site to make it harder for fake or harmful content to get into them”, stated Erica Billups from The OutCast Agency, on behalf of Pinterest.

28 March 2012

How much does a 0-day vulnerability cost?

The market for exploits for zero-day vulnerabilities has exploded in the last year, says Adriel Desautels, the founder of Netragard, a penetration testing and vulnerability assessment outfit that, among other things, acquires and develops exploits.


The number of buyers and the money they are willing to pay for working exploits has dramatically increased, and so has the number of exploits offered for sale each month, he says. Also, the purchase deals are made much more quickly than in the past.

Obviously, the whole economy around this "product" has matured.

As a legitimate company, Netragard must be very careful when selling its exploits. According to Desautels, the firm rejects the majority of those who want to buy them.

“Realistically, we’re selling cyberweaponry,” he points out, but does not share how the vetting process is performed or the price that specific exploits can reach.

It is very well known what some software vendors offer for them through their own bug bounty programs, as well as the prizes offered for working exploits to participants in hacking contests such as Pwn2Own and Pwnium.

These sums are considerably smaller than the ones that can be earned by enterprising vulnerability researchers and hackers if they choose to sell exploits to other organizations, even after the intermediary's fee is taken into account.

The Bangkok-based security researcher who goes by the handle “the Grugq” is one of these mediators. His contacts in various governments and his knowledge of the matter at hand make him eminently suitable for brokering such deals.

He is also careful when choosing to whom to sell the offered exploits, and that's mostly US and European governments and agencies. Ethical considerations aside, they simply pay much more than a Middle Eastern or Asian government can offer.

The Chinese government doesn't need his services, he says, because its huge number of hackers usually sell their exploits exclusively and directly to them. He also says that he has no contacts in the Russian government, and that "selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money.”

So how much does a working exploit go for? Well, the price depends on a number of things.

An exploit for a vulnerability in a widely used piece of software costs more than one for a less popular product, and the same goes for exploits that take advantage of vulnerabilities in the latest software versions. Exploits for software that is more difficult to crack are also pricier.

Taking all this into consideration, it's easy to see that an exploit for Windows will be more expensive than one for breaking into a Mac OS X machine, and that the tougher security features of iOS will raise the price of its exploits above that of Android's.

According to Andy Greenberg, the current rough price list looks like this:


"Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor," he says.

"Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit."

Even though some consider them unethical, these sales and acquisitions are sure to continue for the time being.

Demand creates supply and, according to the Grugq, banning the sale of exploits would have the same effect that the war on drugs has had on eliminating drugs - none.

24 March 2012

Call center employees are selling user information

Indian call center employees sell confidential data belonging to users for as little as $0.03, reports the Daily Mail.

According to the news outlet, reporters from The Sunday Times have gone undercover in India and have tried to discover if the information that call center employees have access to is in danger of being shared with marketers and crooks.

Unfortunately, the answer is yes, as two IT "consultants" were ready to meet and to offer for sale over 45 different sets of information on nearly 500,000 Britons.

Among the information contained in the data sets were names, addresses and phone numbers, credit and debit card information complete with the expiry dates and the three-digit security verification codes, information about loans and mortgages, mobile phone contracts, television subscriptions, medical records and more.

Most of the information comes from a number of major banks and financial organizations, and it's usually less than 72 hours old, allowing its buyers to easily take advantage of it.

"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number," boasted the "consultants" to the reporters, showing the records on a laptop.

The financial data is definitely a boon for cyber crooks, but the rest is a goldmine for marketers. Having that much insight into the personal lives of the users allows them or their clients to make their efforts at targeting users more successful.

According to DM, some 330,000 people are employed in call centers in India, and it's logical to assume that these particular "consultants" are not the only ones selling. Although some British companies have already closed down the call centers they had in India and transferred them to other countries, the problem is likely to remain.

As long as the theft can be executed without getting caught, there are always those who will try to get away with it, even in "rich" countries.

It seems to me that the answer to this problem is to make it as difficult as possible for employees to exfiltrate the data in the first place. Data leakage prevention solutions come to mind, as well as making it impossible for them to use removable data storage devices.

It is also important to put data security policies in place, and to punish those who break them. Of course, none of these are foolproof solutions by themselves, but used together they can seriously lessen the risk of data being stolen.

21 March 2012

Apple, Facebook and others named in privacy lawsuit

Thirteen individuals have filed a lawsuit against a number of app makers including Path, Facebook, Instagram, Yelp and Rovio, accusing them of uploading the information stored in their mobile phones' address book to their servers and using the appropriated data for their own ends, Venture Beat reports.

The suit, filed in U.S. District Court in Austin, Texas, is the result of last month's discovery by app developer Arun Thampi that the Path app copies the entire contents of the users' address books and sends them to the company servers without asking the users for permission or notifying them of it in any way. Path has subsequently admitted to doing it.

Further investigation into the matter revealed that other app developers have seemingly been doing the same thing, and Twitter has also confirmed the practice, explaining that the data is collected and stored only if the user takes advantage of the “Find Friends” feature because it scans the address book to search for individuals who also have a Twitter account.

Even though the developers of the apps have been found violating Apple's privacy policies by distributing these apps through its App Store, the company has also been named as a defendant in the suit because it approved the apps, allowing them to be sold from its Store.

"Literally billions of contacts from the address books of tens of millions of unsuspecting wireless mobile device owners have now been accessed and stolen," claim the plaintiffs. "The surreptitious data uploads—occurring over both cellular networks and open, public wireless access nodes in homes, coffee shops, restaurants, bars, stores and businesses all across the nation—have, quite literally, turned the address book owners’ wireless mobile devices into mobile radio beacons broadcasting and publicly exposing the unsuspecting device owner’s address book data to the world."

As a result of the companies' wrongful actions and/or inaction, the plaintiffs say that they suffered damages and incurred many expenses, for which they want to be reimbursed. They accuse the companies of having invaded their privacy, having been negligent, breaching their devices, earning money by using and selling things that don't belong to them, and more.

The plaintiffs asked for the suit to be allowed to gain class-action status, and their attorneys say that the list of defendants could also be expanded.

20 January 2012

Hacker group Anonymous fights back, in support of #MegaUpload

Is this really happening? After hearing about the MegaUpload shut down, the hacker or ‘hacktivist’ group Anonymous is already taking a stance on the situation, and fighting back. They have already taken down Justice.gov and UniversalMusic.com and shot off a tweet saying:


As of this writing, both sites are down, see screen shots below. One can only assume that they will be or are already targeting other sites to take down in regards to this MegaUpload piracy issue. More to come I am sure.

UPDATE 1: Anon is going hard. They just took down riaa.org!
UPDATE 2: MPAA.org is down as well!

18 January 2012

Symantec admits its networks were hacked and source code stolen

After having first claimed that the source code leaked by Indian hacking group Dharmaraja was not stolen through a breach of its networks, but possibly by compromising the networks of a third-party entity, Symantec backpedalled and announced that the code seems to have been exfiltrated during a 2006 breach of its systems.


Symantec spokesman Cris Paden has confirmed that unknown hackers have managed to get their hands on the source code to the following Symantec solutions: Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.

And while he claims that the only customers who should be somewhat worried are those using pcAnywhere, ITIC analyst Laura DiDio says that that might not be the whole truth. "Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today," she shared with Reuters.

In the meantime, a hacker who goes by the handle "Yama Tough" and is part of the aforementioned group announced the release of the source code for Norton Antivirus, but then backtracked, saying that the group had decided to delay it until it has had the chance to take advantage of the vulnerabilities in the code.

He then announced the release of pcAnywhere code for the blackhat community to exploit, but the group has yet to deliver on the promise.

"Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information," commented Paden.

17 January 2012

Identities of likely Koobface gang members revealed

It was a well-known fact in security circles that some researchers were involved for quite some time in an investigation aiming at revealing the identities of the individuals behind the Koobface worm and the botnet it created.


In the past week, details about a likely member of the "Ali Baba & 4" group (as they dubbed themselves) were made public by researcher Dancho Danchev on his blog and, as the story began to unfold, security firm Sophos and the NYT revealed the names of the five individuals thought to be part of the Koobface gang.

Their names are Anton Korotchenko (a.k.a. “KrotReal”); Stanislav Avdeyko, (“leDed”); Svyatoslav E. Polichuck (“PsViat” or “PsycoMan”); Roman P. Koturbach (“PoMuc”); and Alexander Koltysehv (“Floppy”), and they all apparently live in St. Petersburg, Russia.

The NYT reveals that Facebook, law enforcement officials and security investigators involved in the investigation have known their identities for years, but the fact that they are still free to live their rather comfortable lives and travel around the world points to an unfortunate reality: it is extremely hard to prove conclusively that these individuals are guilty.

Facebook started its own investigation into the gang shortly after the Koobface worm first began to spread on the social network in 2008, and it took them only weeks to link the attacks to the suspects.

In 2009, independent researcher Jan Drömer mounted his own investigation. Starting with crucial information gleaned from one of the Koobface C&C servers and searching for links to it on the Internet - IP addresses, domain registration information, underground and legitimate forum posts, social network accounts and more - he made a beeline to the aforementioned group of individuals.

According to him, there is a variety of reasons behind the success of the Koobface gang: they misused powerful online services to spread the worm, didn't overdo the size of the botnet, didn't aim at making the worm perfect but invested just enough to earn more than enough money, and operated in countries whose law enforcement agencies don't have a good record when it comes to cooperating with their US and European counterparts.

Currently, none of the five individuals have been charged with any crime, and no law enforcement agency has confirmed that they are under investigation or even commented on the situation.

All who are interested in a fascinating blow-by-blow report of how Jan Drömer and SophosLabs' Dirk Kollberg followed the crumbs to the suspected Koobface gang members - go here.

04 January 2012

Analysis of Stratfor Site Breach Reveals Weak Passwords, Poor Enforcement


Update from Hacked and discredited: Anonymous takes down Stratfor

Stratfor’s clients include the U.S. Army and Air Force and the Miami Police Department, and a report released by Identity Finder, an identity theft and data loss prevention company in New York, stated that personal information about Stratfor’s subscribers with first names starting with A to M was already released. Information about those with first names beginning with N to Z is believed to be released in the coming week, along with 2.7 million email copies.

Information from the hack released so far includes:

  • 50,277 unique credit card numbers (9,651 not expired)
  • 86,594 e-mail addresses (47,680 unique)
  • 27,537 phone numbers (25,680 unique)
  • 44,188 encrypted passwords (50% can be cracked with ease)

While users need to select stronger passwords to access online services, enterprises also need to enforce strong security policies for their Web sites and applications.

As Stratfor continues rebuilding its Website after the cyber-attack in which email addresses of its subscribers and other personal details were leaked, the company is coming under fire for its weak passwords and security policies.

Using a group of lists containing common passwords, names of people in Congress, words from the King James Bible, various computer jargon and programming phrases, previously dumped lists from Gawker and other sites and other lists, Hashcat was able to crack 25,690 passwords. A more extensive list that used words and phrases from various languages as well as common 3- and 4-character passwords, among others, yielded 21,933 additionally cracked hashes. It took Hashcat less than an hour to crack over 47,000 password hashes, according to the analysis.

The list of cracked passwords showed a high proportion of passwords that used birthdates, names of family members, or something with a personal reference (such as 'ford1996'). Unlike "throwaway" passwords such as '123456' and 'qwerty', these personal passwords are more likely to be re-used on other sites because they are easier for the user to remember.
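The two enforcement points the analysis calls for, a registration-time check that rejects the password patterns Hashcat recovered (throwaway passwords, a word followed by a year, a personal reference the site already knows) and per-user salted, iterated hashing so that a leaked table cannot be cracked at the rate seen here, as an added example. This is not Identity Finder's, Stratfor's or Hashcat's code; the common-password list, the 12-character minimum, the word-plus-year pattern and the PBKDF2 parameters are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of "throwaway" passwords. A real deployment would load a
# large breached-password list, like the Gawker dump the analysis mentions.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "letmein", "abc123", "iloveyou"}

# Assumed pattern for "dictionary word followed by a year", e.g. 'ford1996'.
WORD_YEAR = re.compile(r"^[a-z]+(19|20)\d{2}$")

# Assumed minimum length; the real policy value is a site decision.
MIN_LENGTH = 12

# Assumed PBKDF2 work factor; tune so one verification costs a few hundred ms.
PBKDF2_ITERATIONS = 600_000


def weakness_reasons(password, personal_tokens=()):
    """Return the policy rules a candidate password fails (empty list = accepted).

    personal_tokens: strings the site already knows about the user (user name,
    surname, birth year) that must not appear inside the password.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if WORD_YEAR.match(lowered):
        reasons.append("dictionary word followed by a year")
    for token in personal_tokens:
        # Ignore very short tokens to avoid rejecting on one or two letters.
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains personal reference '{token}'")
    return reasons


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Hash with a fresh 16-byte random salt and PBKDF2-HMAC-SHA256.

    The salt means two users with the same password get different records, so
    cracking one hash reveals nothing about the others; the iteration count
    makes each guess far more expensive than an unsalted fast hash.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the patterns named in the analysis.
    for candidate in ("ford1996", "123456", "Smith2011!xyz", "correct-horse-battery-9"):
        print(candidate, "->", weakness_reasons(candidate, personal_tokens=("Smith",)) or "ok")
    record = hash_password("correct-horse-battery-9")
    print(record)
    print("verify good:", verify_password("correct-horse-battery-9", record))
    print("verify bad: ", verify_password("correct-horse-battery-8", record))
```

Rejecting a candidate at registration is what stops 'ford1996'-style passwords from ever reaching the table; the salted, iterated hash is what turns "47,000 hashes in under an hour" into a per-user, per-guess cost even when the table does leak. The `iterations` argument exists so that tests and migrations can use a lower work factor than production.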

Detailed analysis here.