::Trend Micro Threat Resource Center::


21 April 2016

1 in 6 emails contains a virus: study


After Locky come KeRanger, PowerWare and Petya. According to a current analysis by Retarus security experts, 17% of all incoming email messages are now blocked because of a suspected virus, a roughly fivefold rise compared with the previous month that is explained primarily by the surge in ransomware. The analysts are also seeing a significantly higher incidence of the crypto-trojan Locky and of new variants of it.

On average, in March, one in six emails sent to business mailboxes contained a virus. Put differently, as many infected messages now arrive per hour as arrived per month, on average, in 2015.

The Retarus analysis attributes this to the huge rise in crypto-trojans. Whilst in February only around 3% of all incoming emails were infected, the share of messages filtered in March because of viruses had already risen to 17%. The reason: during this period, numerous additional versions of the malware appeared after the first Locky wave.

Because crypto-trojans change their structure quickly and frequently, taking on a wide variety of forms in a very short time, a given ransomware sample is not detected immediately by every virus scanner. Protection can nevertheless be improved with professional cloud services: specialized email security services run several scanners in parallel and continuously extend their filter rules, so they can offer the most current level of protection. Additional mechanisms, such as a four-level virus scan, further increase the likelihood of identifying and blocking extortion trojans in time.

Heightened vigilance is essential
To ensure the best possible protection from Locky and similar ransomware, email users must stay highly vigilant. Retarus recommends deactivating the automatic execution of embedded macro code in Office programs, and enabling macros only when they are absolutely essential and only in documents that come from known sources.

In principle, users should only open email attachments when the sender or the process described in the email is trustworthy. So that affected data can be restored quickly and, wherever possible, without loss, important data should be backed up regularly. Note that Locky also encrypts external storage media if they are permanently connected to the computer, so a backup drive that stays attached is not a safe backup.

Warning signs include an extremely slow system response, elevated hard drive activity without an obvious reason, or files with the extension .locky appearing on the disk. To close existing security gaps, keep virus scanners on their latest versions and apply patches regularly.
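As an added illustration (not part of the Retarus write-up, and not their filter), here is a small Python attachment gate that applies the kind of rule the advice above implies: block script-type attachments outright, open archives one level deep so a .js hidden in a .zip is still seen, and flag Office documents that carry VBA macros, whether as a legacy OLE file or as an OOXML container with a vbaProject.bin part. The blocked-extension list is a local policy assumption, and the sample files are constructed skeletons with no payload.

```python
import io
import zipfile

# Magic bytes of the legacy binary Office container (OLE2 compound file)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions a business mailbox should never accept (assumption: local policy, not Retarus's list)
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat"}


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def has_ole_macros(data):
    """Binary .doc/.xls whose storage tree carries a VBA project."""
    return data.startswith(OLE_MAGIC) and b"_VBA_PROJECT" in data


def has_ooxml_macros(data):
    """OOXML container (.docm/.xlsm, or a .docx renamed to hide it) with a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename, data, depth=0):
    """Return the reasons to block this attachment; an empty list means it passes.
    Archives are opened one level deep so a script hidden in a .zip is still seen."""
    reasons = []
    ext = _ext(filename)
    if ext in BLOCKED_EXT:
        reasons.append(f"{filename}: blocked extension {ext}")
    if has_ole_macros(data):
        reasons.append(f"{filename}: legacy Office file with VBA macros")
    if has_ooxml_macros(data):
        reasons.append(f"{filename}: Office document containing vbaProject.bin")
    if ext == ".zip" and depth < 1:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons += inspect_attachment(f"{filename}/{member}", zf.read(member), depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: unreadable archive")
    return reasons


def _zip(entries):
    """Build a zip in memory from {name: content}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): structure only, no payload
SAMPLES = {
    "report.docx": _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "invoice.docm": _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": b"\x00" * 16}),
    "scan.doc": OLE_MAGIC + b"\x00" * 64 + b"_VBA_PROJECT" + b"\x00" * 16,
    "invoice.zip": _zip({"invoice.js": "var a = 1;"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = inspect_attachment(name, data)
        print(f"{name:14} {'BLOCK' if verdict else 'pass '} {'; '.join(verdict)}")
```

A gate like this is deliberately crude: it does not replace the multi-engine scanning described above, it only removes the attachment types that carried the Locky-era lures regardless of whether any scanner recognises the specific sample yet.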

21 March 2015

Facebook login exploit 'a phisher's dream'

Data breaches happen in so many ways that it is difficult for security teams to predict where the next attack will land. The latest is an exploit against Facebook Login as used by numerous websites. Once accounts are hijacked this way, they can be held for ransom or used by a phisher as a foothold into much larger and more profitable data sets.


It's carried out with a ready-to-use tool called Reconnect, which has been released publicly and is therefore available to anyone. Essentially, Reconnect lets an attacker take over a victim's account on a website that accepts Facebook Login by abusing the login and account-linking flow (a cross-site request forgery against Facebook Login), not by stealing the victim's Facebook password.

"I tested this out and it looks legitimate. This is a phishers dream really, I am sure we will see a lot of Facebook accounts compromised by this. Hopefully, Facebook is working on a fix," said Ken Westin, senior security analyst at Tripwire.

Security researchers believe that most, if not all, websites that enable Facebook Login are vulnerable to the exploit. The blackhat release site says Reconnect can be used to hijack accounts on websites such as Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.

"This is indeed a very big issue as many popular websites use Facebook's delegated identification, so a widespread exploit could wreak a lot of havoc," said Branden Spikes, CEO of Spikes Security.

"Giving Facebook a little benefit of the doubt here, this looks like an instance of an unfortunate practice where black hats or corrupt penetration testing firms discover big vulnerabilities like this, and rather than submitting them through the standard bug bounty channels (or on the terms of their professional contract with the victim) they choose to ransom them instead," he added.

Phishing: it's not just for email anymore. Until Facebook ships a fix, it may behoove companies to disable Facebook Login on their sites.
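The article doesn't spell out how Reconnect works, so what follows is an added Python sketch, not the tool and not Facebook's or any site's code. It assumes the attack class is a forged login/link callback pushed through the victim's browser, and shows the two relying-party checks that a site using delegated login should have regardless: the callback must carry a `state` nonce minted in the same browser session, and an identity-provider account must never be linked to an already-logged-in local account without an explicit in-session confirmation. `RelyingParty`, `idp.example` and the identity strings are invented for the simulation.

```python
import hmac
import secrets


class RelyingParty:
    """Toy relying party (RP) that accepts a delegated login from an identity provider (IdP).
    hardened=False reproduces the weak pattern; hardened=True adds the two checks.
    Assumption: idp_identity is what the RP learns after redeeming the callback with the IdP."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.links = {}  # IdP identity -> local account name (constructed in-memory store)

    def start_login(self, session):
        """Mint a per-session nonce and carry it to the IdP as `state`."""
        session["oauth_state"] = secrets.token_urlsafe(32)
        return f"https://idp.example/authorize?client_id=app&state={session['oauth_state']}"

    def finish_login(self, session, params, idp_identity):
        """Callback handler. `params` are the query parameters the browser brought back."""
        if self.hardened:
            expected = session.pop("oauth_state", None)
            if not expected or not hmac.compare_digest(expected, params.get("state", "")):
                return "rejected: callback not bound to this browser session"
        if "user" in session:
            # Account-linking path: this browser is already logged in to the RP.
            if self.hardened and not session.get("link_confirmed"):
                return "rejected: linking requires explicit in-session confirmation"
            self.links[idp_identity] = session["user"]
            return f"linked {idp_identity} to {session['user']}"
        account = self.links.get(idp_identity)
        if account is None:
            return "no account linked"
        session["user"] = account
        return f"logged in as {account}"


def reconnect_style_attack(rp):
    """Victim 'alice' is logged in to the RP. The attacker forces her browser through a
    callback that carries the ATTACKER's IdP identity, then logs in with that identity."""
    victim = {"user": "alice"}
    rp.finish_login(victim, {"code": "forged", "state": "attacker-chosen"}, "idp:attacker")
    attacker = {}
    rp.start_login(attacker)
    return rp.finish_login(attacker, {"state": attacker["oauth_state"]}, "idp:attacker")


def legitimate_link_then_login(rp):
    """Alice links her own IdP identity after confirming, then logs in with it later."""
    s = {"user": "alice", "link_confirmed": True}
    rp.start_login(s)
    rp.finish_login(s, {"state": s["oauth_state"]}, "idp:alice")
    s2 = {}
    rp.start_login(s2)
    return rp.finish_login(s2, {"state": s2["oauth_state"]}, "idp:alice")


if __name__ == "__main__":
    print("weak RP  :", reconnect_style_attack(RelyingParty(hardened=False)))
    print("hardened :", reconnect_style_attack(RelyingParty(hardened=True)))
    print("legit    :", legitimate_link_then_login(RelyingParty(hardened=True)))
```

Against the weak relying party the attacker ends up logged in as alice; against the hardened one the forged callback is rejected and the attacker's identity is linked to nothing. The state check alone is not enough when the site itself will start a linking flow for any visitor who is already logged in, which is why the confirmation step is there too.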

04 February 2015

Hacked Hotel Phones Fueled Bank Phishing Scams

A recent phishing campaign targeting customers of several major U.S. banks was powered by text messages directing recipients to call hacked phone lines at Holiday Inn locations in the South. Such attacks are not new, but this one is a timely reminder that phishers are increasingly using lures blasted out via SMS as more banks turn to text messaging to communicate with customers about account activity.

The above-mentioned phishing attacks were actually a mix of scams known as “SMiShing” — phishing lures sent via SMS text message — and voice phishing or “vishing,” where consumers are directed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date.

Over the past two weeks, fraudsters have been blasting out SMS messages to hundreds of thousands of mobile users in the Houston, Texas area. The messages alerted recipients about supposed problems with their bank account, urging them to call a supplied number and follow the automated voice prompts to validate or verify their credit card account information.

On Saturday, Jan. 30, I called one of the numbers that was sent out in the smishing/vishing scam — 281-866-0500 – which is the main phone line for a Holiday Inn Express in Houston. At the time, calls to the number went straight to an automated voice prompt targeting Bank of America customers:

“Thank you for calling Bank of America. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press one now.” After pressing one, the caller is prompted to enter the last four digits of their Social Security number, and then the full card number and expiration date.

My recording of the call was garbled, but here’s a copy of a very similar voice prompt targeting Key Bank customers earlier in January that also was run off the fax line tied to a different Holiday Inn a few miles away in Houston [number: 832-237-8999], according to Numbercop, a telephony threat intelligence firm.

Holiday Inn’s corporate office did not return calls seeking comment, but the company apparently got the message because the phone lines were answering normally on Monday. A front desk clerk who answered the line on Tuesday said the hotel received over 100 complaints from people who got text messages prompting them to call the hotel’s main number during the time it was hacked.

According to Jan Volzke, Numbercop’s chief executive, these scams typically start on a Saturday afternoon and run through the weekend when targeted banks are typically closed.

“Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” he said. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”

Volzke said the recipients of the phony texts in Houston were geo-targeted by area code.

“The texts were sent in bursts with varying bank affiliations, including Bank of America, Fifth Third Bank, and Susquehanna Bank,” he said. “The campaign last week was an identical case to one a week or so earlier that referenced Key Bank, Bank of America and Wells Fargo.”

Numbercop says the text message lures were sent using email-to-SMS gateways, but the company has also seen similar campaigns sent from regular in-network numbers (prepaid mobile phones, for example), which can be harder to catch. In addition, Volzke said, phishers often target AT&T and Verizon users in furthering these schemes.


Many banks now offer their customers the ability to receive text message alerts about activity on their credit card accounts — such as recent transactions — so it’s not surprising that crooks are exploiting this medium. While vishing and SMiShing attacks are not new (see this story from 2010), they are on the rise: According to Cloudmark, the incidence of SMS bank account phishing in the U.S. more than tripled in September 2014. Cloudmark’s recently released Annual Threat Report found more than one in four unsolicited SMS messages reported in 2014 attempted to steal the victim’s personal or financial information.

Volzke says it’s unfortunate that more financial institutions aren’t communicating with their customers via mobile banking apps.

“Banking apps are among the most frequently downloaded and used apps,” Volzke said. “If the user has an app from the bank installed, then if the bank really has something to say they should use the in-app messaging method, not text messages which can be spoofed and are not secure. And yet we see almost no bank making use of this.”

Regardless of whether you communicate with your bank via text message, avoid calling phone numbers or clicking links that appear to have been sent via text message from your bank. Also, be extremely wary of any incoming calls from someone calling from your bank. If you think there may be an issue with your account, your best bet is to simply call the number on the back of your credit or debit card.

26 September 2014

Cyber attack on Japan Airlines impacts up to 750,000


A phishing attack may have resulted in the theft of personal information belonging to customers of Japan Airlines's frequent flier club.

The leak was due to 'unauthorised access' to JAL's database from an external server, an airline official told the local news agency Kyodo on Wednesday.

The data compromised includes names, addresses, genders and places of work of anywhere between 110,000 and 750,000 members of the program, according to the Japan Times.

Following an investigation, which found malware on 23 computers, the airline determined that no credit card or financial information was affected by the breach. The airline detected intrusions on Friday and Monday; however, it believes the attacks went undetected for more than a month and entered the airline's network via a phishing email.

This incident follows a similar attack on the airline in February, in which hackers penetrated a different program Japan Airlines offers, which allows customers to trade in mileage points for gift coupons.

25 September 2014

Mozilla fixes "phishing friendly" cryptographic bug in Firefox and Thunderbird

Here's a quick note about an important issue!

Mozilla just patched a bug in its cryptographic library, NSS.

NSS stands for Network Security Services, used by Mozilla products such as Firefox (web browsing), Thunderbird (email) and SeaMonkey (both).

All these products have now been patched, including the Firefox Extended Support Release (ESR) versions.

→ As far as I am aware, Google's Chrome and Chromium browsers, as well as Opera, also use NSS.

The bug is rated "critical" because it deals with the validation of digital signatures in TLS connections.

TLS (Transport Layer Security), often also known by its old name of SSL (Secure Sockets Layer), is the cryptographic protocol that puts the S in HTTPS.

When you use HTTPS, it's not just confidentiality you are after, but also integrity (to stop a crook fiddling with the message in transit) and authenticity (to stop a crook claiming to be your bank).

Without certificate validation, you could easily end up conducting a totally secure and unsniffable interaction...

...with a complete imposter.

Unfortunately, this recently-patched NSS vulnerability affects digital signature verification in all the abovementioned products.

Phishing HTTPS logins
Remember that crooks who have hacked into your Wi-Fi access point – at your local coffee shop, for instance – could sneakily redirect any of your HTTPS logins to phishing sites instead.

Usually, however, the crooks can't present a digital certificate to vouch for the fake site they have drawn you into.

Sometimes, the crooks avoid the need for digital certificates altogether by dropping back to a plain old HTTP site that doesn't use encryption at all.

You should be able to spot this sort of ruse due to the absence of any security indicators in the address bar of your browser.



Or the crooks could present a TLS certificate that claims to be from your bank, but which isn't vouched for by any recognised certificate authority.

You should be able to spot this sort of ruse due to an "untrusted connection" warning from your browser.


But if there's a cryptographic vulnerability that can be exploited to make a bogus digital certificate seem valid, then the crooks may be able to redirect you to an imposter site without raising any alarms.

And that could lead to the digital theft of your personal information, including usernames and passwords.
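When a validation bug like this one lets a forged certificate pass, the one client-side check that does not depend on the CA signature being verified correctly is pinning: compare the SHA-256 of the server's SubjectPublicKeyInfo against a value you recorded out of band. Here is an added Python example of that check, not from the article and not Mozilla or NSS code. The strict DER walker, the tiny encoder and the certificate skeleton (`fake_cert`, `SPKI_A`, `SPKI_B`) are constructed for the example; `fetch_leaf_cert` needs network access and simply layers the pin on top of normal validation.

```python
import base64
import hashlib
import socket
import ssl


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, end). Only minimal length encodings are accepted."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        if buf[pos] == 0:
            raise ValueError("length has a leading zero byte")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def der_children(body):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, value, pos = der_read(body, pos)
        out.append((tag, value, body[start:pos]))
    return out


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, end = der_read(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("certificate is not a single SEQUENCE")
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    idx = 1 if fields[0][0] == 0xA0 else 0   # optional explicit [0] version comes first
    spki_tag, _, spki_raw = fields[idx + 5]  # serial, sigAlg, issuer, validity, subject, spki
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def spki_pin(cert_der):
    """Base64 SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, pins):
    return spki_pin(cert_der) in pins


def fetch_leaf_cert(host, port=443):
    """Network helper (not exercised offline): normal CA validation, then the pin on top."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


def der(tag, body):
    """Minimal DER encoder, used only to build the constructed certificate skeleton below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(spki):
    """Constructed, unsigned certificate skeleton with the real field order (not a usable cert)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00" * 201))


_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
SPKI_A = der(0x30, der(0x30, _RSA_OID) + der(0x03, b"\x00" + b"\x01" * 16))
SPKI_B = der(0x30, der(0x30, _RSA_OID) + der(0x03, b"\x00" + b"\x02" * 16))
EXPECTED_PINS = {spki_pin(fake_cert(SPKI_A))}   # what you would record for your own site

if __name__ == "__main__":
    print("same key   :", pin_matches(fake_cert(SPKI_A), EXPECTED_PINS))
    print("other key  :", pin_matches(fake_cert(SPKI_B), EXPECTED_PINS))
```

Pinning is a complement, not a replacement: keep CA validation on, reject on either failure, and keep a backup pin for key rotation so the check doesn't lock you out of your own site.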

Get the latest update

If you have a software product (e.g. Firefox) that uses NSS, make sure you've got the latest update; for Mozilla software, that means (at 2014-09-24T23:45Z):

  • Firefox 32.0.3
  • Firefox ESR 24.8.1
  • Firefox ESR 31.1.1
  • Thunderbird 31.1.2
  • Thunderbird 24.8.1
  • SeaMonkey 2.29.1

For what it's worth, I'm using Firefox 32 on OS X, and the update was so small I didn't get time to read its size during the download.

Applying the update was quick: less than a second to download the patch, and a few more seconds to restart the browser process.



So my recommendation is, "Just do it."

05 September 2014

“YouTube Account Manager has sent you a Message…”


We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:

YouTube account manager has sent you a message
We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
Please follow the following instructions to recover your account:
1. Please contact your account manager here: [url]
2. You have to complete a quick survey to make sure you are human.
3. Wait for our email explaining the next steps.

* If you decide to ignore this message and not follow the above steps your account will be suspended.
You can see examples of this on posts made by puzzled YouTubers over on Instagram [1], [2], Yahoo [1] and a few more people complaining about it in Google Groups.

This is what you would see after hitting the supplied link in the message:
Account Management.
“Complete a survey to verify your account”

This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now.
The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads.

If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download.

However, that doesn’t mean we should rush to jump through their survey sign-up hoops either.
Steer clear of this one, and keep on making those videos.

30 December 2011

Care2.com servers breached

Seems like friends around me are getting targeted for some reason. I received an email from a friend, which obviously looks like a phishing email. Here's the sample:


If this is making its way around, it's got to be on Google. And so it is.

"Yesterday we discovered that Care2.com servers were attacked, resulting in a security breach. The hackers were able to access login information for a limited number of Care2 member accounts. Our team has worked to secure Care2.com against this type of attack from recurring.

To protect Care2 members we are resetting access to all Care2 accounts. The next time you login to Care2, you will be automatically emailed a new password, which will enable you to access your Care2 account as usual.

To secure your privacy, we highly recommend you immediately change your password for any accounts that share the password you previously used on Care2.

We sincerely apologize for this inconvenience. Given our large membership size, we have become a significant target for spammers and hackers over the past few years, and this was the first hacking attempt that successfully breached our protective walls. We take the security of our members very seriously and are taking this extreme step of changing all passwords to reduce the chances of any possible negative consequences."

More details here.

15 December 2011

Hoax: Apple is giving away macbooks

Received this on my IM from a friend. Sometimes I really question the AI of the bots.

Double checked on the sources:
http://techjost.com/2011/11/05/spam-alert-apple-is-giving-away-5000-macbooks-today-in-honor-of-him-steve-jobs/

Sometimes I just wanna strike up a proper conversation, so can't they be any cleverer?

30 June 2011

Thousands of Tumblr accounts compromised

Tumblr users have been targeted with an aggressive phishing campaign in the last week or so and are still being lured into entering their login credentials for access to adult content.

And it seems that the scheme is working very well - GFI researchers have accessed one of the dropzones for the stolen credentials and have discovered a massive amount of data.

What makes this phishing scheme stand out from others is the fact that the scammers are using the compromised Tumblr accounts to set up more and more phishing pages:


Various domains were also used to perpetuate the scam, including tumblriq(dot)com, tumblrlogin(dot)com and tumblrsecurity(dot)com, all registered in the last few weeks to bogus registrants.

"The problem has become so pervasive that regular Tumblr users are setting up dedicated anti phishing sites to advise users of the problem," say the researchers.

Also, Tumblr has created an automated reply for people reporting the scheme, in which it advises affected users to reset the password for their account, to remove the fake login template by choosing a new theme and to "unfollow" all the blogs their account is following thanks to the scammers.

"What does somebody want with that many Tumblr logins?" ask the researchers. "We can only guess. The stolen accounts could be used as some form of advert affiliate money making scam, or maybe we could see lots of pages with survey popups pasted over them. There is the very real possibility that the Tumblr accounts are simply a way to test if those users are logging into other services with the same credentials - at that point, everything from email accounts to internet banking sites could be fair game."

25 June 2011

Facebook scam baits users with LulzSec suspect photo

Attention, all Facebook users: here's another Facebook scam bait. Refrain from clicking on the fake links; they don't lead anywhere worthwhile.

As the hunt for individuals behind LulzSec is underway, and reports about these worldwide efforts spilled over into the mainstream news, cyber crooks have jumped on the opportunity to misuse the curiosity of the public and have set up a Facebook scam targeting them:


The scam was revealed by Sophos' Graham Cluley when he received a request from a British journalist to share the photo of the recently arrested Essex hacker that is thought to have links with the hacking group.

Cluley said to the journalist that he didn't have the photo in question, but the journalist insisted: "But you do have a photo of the hacker! I've seen it on Facebook! But we want an unblurred version!"

This statement led him to investigate the matter, and he unearthed the scheme pictured above. Sure enough, the link used in the scam's story pointed to Cluley's blog post, but that post didn't include a picture of the suspect.

Following the link to the page in question and to the tab labelled "The Picture", he found out that the scam required the victims to "like" and "share" the page before supposedly being redirected to the unblurred picture. Once they did it, they got redirected to a third-party webpage where they were urged to download a program that installs a series of toolbars on the victims' browser.

He doesn't mention whether the unblurred photo is ever shown at the end, but he managed to trace the image to a Wired article from 2008.

23 June 2011

Certification authority reports security breach

Following recent high-profile breaches such as the RSA incident, another certification authority has fallen prey to attackers looking for certificates to lend credibility to phishing login pages.


The authority in question is StartSSL, operated by StartCom, and according to the short message posted on their site, the breach occurred on the 15th of June.

"Subscribers and holders of valid certificates are not affected in any form. Visitors to web sites and other parties relying on valid certificates are not affected," it says.

The authority immediately suspended the issuing of new certificates and has still not resumed the service.

The Register reports that Eddy Nigg, StartCom's CTO and COO, has confirmed that the attackers were looking to issue certificates for a list of websites that's very similar to those targeted with the Comodo breach (Gmail, Google, Skype, Yahoo and others), but that they failed to do so.

Nigg also pointed out that the attackers did not manage to compromise the authority's private key, because it is stored on a computer that isn't connected to the Internet.

28 February 2011

Phishers exploit New Zealand earthquake

Natural disasters are practically always exploited by scammers, and the earthquake that hit New Zealand and left thousands of its citizens homeless is not an exception.

Unfortunately for well-meaning donors, this time the scammers produced a rather well executed phishing page that spoofs the legitimate New Zealand Red Cross website.

And while the legitimate site provides a short form for donors to fill out and its payment processing page asks only for the card brand, number, expiry date and security code, the phishing page asks for much more:


As a rule of thumb, you should be instantly suspicious of any website that asks you to share your credit card PIN code.

It is also good to remember that following links from unsolicited e-mails is never a good idea. If you are determined to do some good, visit the organization's website by typing in the URL in the address bar of the browser and then proceed to donate the money.

05 October 2010

CYBER BANKING FRAUD: Global Partnerships Lead to Major Arrests

Just when you thought you could get away with cybercrime because of online anonymity? Think again.

Law enforcement partners in the United States, the United Kingdom, Ukraine, and the Netherlands announced the execution of numerous arrests and search warrants in multiple countries in one of the largest cyber criminal cases ever investigated.

Using a Trojan horse virus known as Zeus, hackers in Eastern Europe infected computers around the world. The virus was carried in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the malicious software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.

The hackers used this information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of “money mules.” Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe, or turn it into cash and smuggle it out of the country. For their work, they were paid a commission.

On 30 September 2010, the FBI's New York office arrested 10 suspects in the case and is seeking 17 others. Those arrested are charged with using hundreds of false-name bank accounts to receive more than $3 million from victimized accounts.

In all, the global theft ring attempted to steal some $220 million, and was actively involved in using Zeus to infect more computers.

More details here:
http://www.fbi.gov/page2/oct10/cyber_100110.html

30 September 2010

World of Warcraft phishing scams

Blizzard's MMORPG World of Warcraft is one of the most popular games out there, and its players are among the most targeted by online scammers.

It is common knowledge that login credentials for WoW accounts are very much sought after by phishers, so TrendLabs warns about a couple of scams currently going around.

The in-game chat/whisper system is often used to lure players to phishing sites. The phishers usually pose as Blizzard employees or unknown players and "whisper" to the victim that they have been selected to receive a free gift, or that their account has been flagged as hazardous:

In both cases, the victims are urged to follow the offered link that will take them to a phishing page where they are supposed to register with their account credentials in order to receive the gift/prevent the suspension of their account.

Recently, WoW's in-game mail system has also been employed to deliver similar malicious messages to players:

To add to the credibility of the message, the text and the offered phishing URL make many references to WoW and other Blizzard games. Just as a side note - the phishing website domain is registered and hosted in China. The website in itself resembles very closely the official Battle.net site, making it easy for some people to fall for the scam.

Blizzard is aware of these phishing attempts and has intensified its efforts to inform players about them on Battle.net's security page. It has also made it possible to report scammers from within the game (see, for example, the "Report Spam" button in the in-game mail system).

13 September 2010

How to Protect Yourself From the "Here You Have" Virus

A harmful new computer worm infected the computers of large companies and federal agencies through an e-mail attack on Thursday, disrupting major organisations such as Disney, NASA and Comcast.

The worm disguises itself as a benign e-mail message with the subject line "here you have" and replicates itself by tricking you into clicking a link in the message body. It can then disable anti-virus products on your computer and send copies of the original, dangerous message to every contact in your e-mail address book.

Once the worm infects a computer, it can also spread across the local network, home or office, by surreptitiously copying itself to shared drives on other machines.

The threat is rapidly spreading through the enormous quantity of e-mail messages it has generated, said Internet security companies Norton and McAfee Labs, which have detected that many e-mail servers have ground to a halt due to the sheer volume of wire-clogging spam. The Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) even weighed in on the worm, with advice for users.

“US-CERT is in the process of collecting and analyzing samples of the malware and has developed and disseminated mitigation strategies,” spokeswoman Amy Kudwa said. “Basic cyber security practices and hygiene are essential to maintaining the security of networks and individual computers.”

US-CERT recommends that you take more caution with your e-mail than usual, advising not to click on links in unsolicited e-mails, to install anti-virus software and frequently update it, and to turn off an option on your computer that automatically downloads attachments.

Security experts from Norton advise additional, more extreme steps you can take, such as disabling network sharing and disconnecting infected computers from the local network. If you've already gotten a "here you have" e-mail, the company suggested blocking outbound traffic to the domains or IP addresses contained in the e-mail to prevent users from connecting to distribution sites to download.

But the easiest way to protect yourself from this and other viruses is the simplest: Make sure you're running an anti-virus program and make sure it's up to date. PCMag.com security analyst Neil J. Rubenking agreed, stressing the importance of your own actions in keeping you safe.

"People! DO NOT click links in e-mail messages from unknown people. DO NOT even click links in e-mail messages from your friend, since the real source of the message might be a virus. DO keep your computer protected with an antivirus or a security suite," he wrote in an entry on the Security Watch blog.

"That way if you click the wrong link in a fit of weakness, you'll still be protected from whatever new threat replaces 'here you have,'" he pointed out.

12 September 2010

PayPal fails to follow its own anti-phishing advice

PayPal credentials are one of the most sought after by phishers, so it stands to reason that the company would try to educate its users on Internet safety. And it does - by offering a can-you-spot-phishing? quiz.

But what happens when PayPal itself doesn't follow the advice it's preaching?

According to The Register, PayPal UK violated its own anti-phishing advice when it sent its users an email containing a direct link to the updated user agreement, because one of the tips on avoiding phishing scams in the quiz says that users should "always log into PayPal by opening a new browser and typing in the following: https://www.paypal.com."

PayPal confirmed that the email is legitimate, but pointed out that it also tells users they can type paypal.co.uk into the browser if they aren't completely sure the offered link is safe to click on.

"PayPal does not advise people not to click on links in emails, rather to exercise caution. Users are advised to check the URL of any link to make sure it does not direct them to something unexpected, as you know they can do this by hovering their mouse over the link," it says in their comment.

This might seem like a non-issue, but many users have a hard time absorbing all the online safety advice handed out by security practitioners, companies and institutions. Giving good advice and then failing to follow it makes it that much harder for them to know what is safe and what is not.
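Both the "here you have" advice (block the domains and addresses contained in the message) and PayPal's "hover over the link" advice come down to the same mechanical step: pull every link out of a message and compare what it shows with where it really goes. Here is an added Python example of that, not code from US-CERT, Norton or PayPal. It parses a constructed MIME message, collects anchors from the HTML part and bare URLs from the text part, reports anchors whose visible text names a different host than the real target, and lists the hosts you would hand to a block list after removing an allow list you maintain. The message, hosts and allow list are all invented for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML part."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_message):
    """Return (href, shown_text) pairs from the HTML and text parts of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            links += collector.anchors
        elif ctype == "text/plain":
            links += [(u, u) for u in re.findall(r"https?://[^\s<>\"']+", part.get_content())]
    return links


def _host(s):
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def deceptive_links(links):
    """Anchors whose visible text looks like a URL/host but points somewhere else."""
    looks_like_url = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)
    bad = []
    for href, text in links:
        shown = _host(text) if looks_like_url.match(text) else ""
        target = _host(href)
        if shown and target and shown != target and not target.endswith("." + shown):
            bad.append((text, href))
    return bad


def hosts_to_block(links, allowed):
    """Hosts the message points at, minus your allow list (and its subdomains)."""
    def is_allowed(h):
        return any(h == a or h.endswith("." + a) for a in allowed)
    return sorted({_host(h) for h, _ in links if _host(h) and not is_allowed(_host(h))})


# Constructed sample message: one honest link, one deceptive one, one download lure
SAMPLE_EML = """From: "PayPal" <service@paypal.co.uk>
To: user@example.net
Subject: here you have
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, this is the document I told you about: http://downloads.example/here_you_have.scr

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the <a href="http://paypal.co.uk.update-check.example/login">https://www.paypal.co.uk/</a></p>
<p>Or type <a href="https://www.paypal.co.uk/">https://www.paypal.co.uk/</a> yourself.</p>
<p><a href="http://downloads.example/here_you_have.scr">here you have</a></p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    links = extract_links(SAMPLE_EML)
    print("deceptive:", deceptive_links(links))
    print("block    :", hosts_to_block(links, allowed={"paypal.co.uk"}))
```

The mismatch test is what a user does by hovering, done for every link at once; the host list is the input the "here you have" guidance asks for, with the legitimate paypal.co.uk hosts dropped by the allow list rather than by guesswork.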

19 August 2010

Facebook Hacker: A dangerous tool

Phishing is known to be the weapon of choice for cybercriminals after login credentials. However, a new attack tool, Facebook Hacker, has drawn the attention of ill-intentioned people in need of usernames and passwords that are not theirs. This do-it-yourself kit helps the wrongdoer steal login credentials from whoever is targeted, without the victim even having to type in the sought-after data.

The kit is intuitive and thus extremely easy to configure, just like any do-it-yourself hack tool designed with the “skiddie” in mind. Only two fields need filling in: a disposable e-mail address and its password, which together define the mailbox to which the stolen information is delivered.

After clicking the “build” button, a server.exe file is created and deposited in the Facebook Hacker folder along with the initial files. This server.exe file is what gets sent to the intended victims.

Once run, the malicious tool snatches the victim’s Facebook® account credentials, along with all the usernames and passwords that we carelessly ask the browser to remember for us. Facebook Hacker also targets the Internet browser and instant messaging clients to pick up the entire list of “remembered” identification data.

To collect passwords, the malicious binary includes components able to squeeze data out of the most popular browsers on the market, as well as almost all instant messaging clients available. To add insult to injury, the application also enumerates all dialup/VPN entries on the computer and displays their logon details: User Name, Password, and Domain.

To avoid detection, Facebook Hacker also looks for all processes related to a security suite and kills them. It ships with a hard-coded list of processes associated with AV solutions that are to be checked and stopped if found.

Last but not least, the malware looks for network monitoring applications and terminates them. This is a precaution that prevents curious users from seeing their passwords leave the system.

TCP dump of the information sent by the application. Since the SMTP server uses TLS encryption, sniffed traffic will not reveal much of what’s going on.

As can be seen, the author took a lot of time to think of the various elements that could interfere with the smooth operation of this tool and eliminated them one by one.

The stolen credentials of our test accounts were mailed to the specified address. BitDefender identifies this threat as Trojan.Generic.3576478. To stay safe, please ensure that you are running a frequently updated antivirus utility. Also, remember not to run files you may receive as attachments or via IM, or at least to scan them beforehand.
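The caption above notes that TLS hides the mailed-out credentials from a packet sniffer; what it does not hide is the connection itself. As an added example (not from the BitDefender analysis), this Python check lists workstations that open SMTP, SMTPS or submission connections straight to external hosts instead of through the internal relay; the relay address, the internal range and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed connection-log lines (timestamp, src, dst, dport, bytes_out) for a
# small office network; they are made up for this example, not captured traffic.
CONN_LOG = """\
2010-08-19T10:01:02 10.0.0.21 10.0.0.5 587 1840
2010-08-19T10:01:09 10.0.0.21 10.0.0.5 587 2210
2010-08-19T10:03:44 10.0.0.37 203.0.113.10 465 5120
2010-08-19T10:03:45 10.0.0.37 203.0.113.10 465 4990
2010-08-19T10:05:00 10.0.0.5 198.51.100.7 25 3300
2010-08-19T10:06:12 10.0.0.37 93.184.216.34 443 900
"""

# Assumptions for the example: one sanctioned internal mail relay, and every
# other internal host is a workstation that should never speak SMTP externally.
MAIL_RELAYS = {"10.0.0.5"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMTP_PORTS = {25, 465, 587}

def parse_line(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def direct_external_smtp(log_text):
    """Map workstation -> (connection count, bytes sent) for direct SMTP-family
    connections to hosts outside the network, ignoring the sanctioned relay.
    TLS hides the message body, but not this metadata."""
    counts, volume = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["port"] not in SMTP_PORTS or rec["src"] in MAIL_RELAYS:
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL:
            continue  # mail handed to the internal relay is expected behaviour
        counts[rec["src"]] += 1
        volume[rec["src"]] += rec["bytes"]
    return {src: (counts[src], volume[src]) for src in counts}
```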

08 August 2010

Phishers target mobile phone users

Mobile phone users in the UK and Norway have been targeted by malicious emails purporting to come from their mobile service providers, claiming that the users have to confirm their billing information, Symantec reports.

The emails contain a link to a legitimate but compromised web page that masquerades as the page for the billing and payment services of the provider:

If the victim fails to notice the unusual URL of the page, he/she will be handing over to the phishers a great amount of personal and financial information that can be used to steal their identity and their money.

After the victims have entered and confirmed the information, the page redirects them to the legitimate site of the provider, thus making the illusion complete.

27 July 2010

WoW players targeted with phishing emails

World of Warcraft players are once again targeted by a phishing scheme, says F-Secure.

Emails purporting to come from Blizzard Entertainment - the creators of WoW - have hit inboxes around the world, claiming that Blizzard is investigating recent thefts of accounts and requiring users to change/restore their passwords. Of course, the email contains a link that takes the user to a web page that does not belong to Blizzard:

Apart from the suspicious link, the noticeable grammatical and language errors are a good indication that this email is not coming from Blizzard.

F-Secure experts investigated further and discovered that the sender used an SMTP relay attack to spoof the "From" address so that the email looks like it is coming from Blizzard, when it in fact comes from an individual Hotmail account.

WoW players are advised to be careful when receiving such emails, and to remember that a genuine account-change verification process involves more than just supplying your password - you must also provide a valid ID.
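The PayPal post above recommends hovering over a link to compare the shown URL with where it really goes, and this post shows a "From" header that does not match the real sender. As an added example, not from F-Secure or PayPal, this Python helper automates both checks on a raw message: it flags a From domain that differs from the Return-Path domain, and links whose visible URL names a different host than the href. The sample message is constructed; real messages need a fuller header analysis than this one heuristic.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): From claims blizzard.com, links elsewhere.
SAMPLE_EMAIL = b"""From: Blizzard Entertainment <noreply@blizzard.com>
Return-Path: <someone@hotmail.example>
Content-Type: text/html; charset=utf-8

<p>Please restore your password at
<a href="http://account-restore.example.net/login">https://www.blizzard.com/account</a></p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(value):
    # Host part of a mail address or URL, lower-cased ('' if none).
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("> ").lower()
    return (urlparse(value).hostname or "").lower()

def check_message(raw):
    # Flag From/Return-Path domain mismatch and links whose shown URL hides a different href.
    msg = message_from_bytes(raw, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg["From"].addresses[0].addr_spec)
    ret_dom = domain_of(str(msg.get("Return-Path", "")))
    if ret_dom and ret_dom != from_dom:
        warnings.append(f"From domain {from_dom} differs from Return-Path {ret_dom}")
    parser = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        shown = domain_of(text) if "://" in text else ""
        if shown and shown != domain_of(href):
            warnings.append(f"link text shows {shown} but href goes to {domain_of(href)}")
    return warnings
```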

27 June 2010

FIFA World Cup Soccer - Malware based attacks continue

Symantec and MessageLabs continue to warn of malicious email, scams and websites using the 2010 Soccer World Cup theme. Some of these continuing attacks are arriving in my own email, so please be careful:

FIFA World Cup Soccer - Malware based attacks continue
http://www.symantec.com/connect/blogs/fifa-world-cup-scams-continue-circulate

QUOTE: As reported in the June MessageLabs Intelligence Report, MessageLabs Intelligence is seeing a great variety of different threats relating to the upcoming FIFA World Cup. We’ve seen 419-style scams, including emails offering tickets to games; fake accommodation providers; offers of contracts to supply clothing and boots; offers of free mobile phones; scams looking for companies to provide additional electricity/power for the World Cup; and more. All designed to ultimately obtain the recipient’s personal details, and/or money by means of deception and fraud.

MessageLabs Intelligence has also seen fake World Cup tickets for sale on well known auction websites, or advertisements offering tickets, that in reality are unlikely to give the buyer access to any games. Moreover, we’ve seen a huge volume of spam that contains World Cup related content, but is actually not about the World Cup.