Websense Security Labs’ ThreatSeeker network has detected a Black Hat SEO attack on a domain belonging to the United Nations Environment Programme (UNEP). The site has been injected with a number of links to medical-spam URLs, most of which are compromised sites themselves. Unless you view the source of the Web page, it is almost impossible to tell that the page has been modified.

The sub-domain in question is the Sustainable Energy Finance Initiative (SEFI) site, sefi.unep.org. SEFI is a division of UNEP and provides support and tools to financiers on the use of clean energy technologies.

As with most Black Hat SEO attacks on compromised sites, the page looks perfectly normal to a visitor, and nothing in the rendered content indicates that the site has been compromised.

Further analysis of the source, however, reveals that the entire Black Hat SEO block has been appended to the end of the HTML. The block is hidden from visitors: its container is styled as not displayed, and its height and width are set to zero, so the injected content never renders on screen but is still read by search-engine crawlers.

Scrolling through a chunk of the appended code, you can see the use of drug names such as ‘viagra’ and ‘levitra’. These keywords, and the links around them, are there to improve the search-engine ranking of the spammers’ sites by trading on the reputation of the compromised domain.
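To check a page for this kind of injection, the following scanner walks the HTML and reports any element hidden by inline style (display:none, visibility:hidden, a zero-size box, or off-screen positioning) whose text contains spam keywords, and notes whether the block sits after the closing </html> tag as it did here. This is an added example, not Websense’s detection code; SAMPLE_PAGE is constructed to mimic the injection described above, and the keyword list and CSS patterns are assumptions to tune for your own environment.

```python
"""Find hidden, keyword-stuffed blocks in an HTML page.

Added example, not Websense's detection code.  SAMPLE_PAGE is constructed to
mimic the injection described above: the spam block is appended after the
closing </html> tag, styled so it never renders, and stuffed with pharma
keywords and links.  Keyword list and CSS patterns are assumptions to tune.
"""
import re
from html.parser import HTMLParser

SPAM_KEYWORDS = {"viagra", "levitra", "cialis", "pharmacy"}

# Inline styles that hide an element from visitors while leaving it in the DOM
# for crawlers: display:none, visibility:hidden, zero box, or pushed off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class HiddenBlockScanner(HTMLParser):
    """Collects text and links inside hidden elements; reports keyword hits."""

    def __init__(self):
        super().__init__()
        self.stack = []             # (tag, hidden) for each open element
        self.hidden_depth = 0       # > 0 while inside a hidden element
        self.seen_html_end = False  # True once </html> has been parsed
        self.current = None         # hidden block currently being collected
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = ("hidden" in attrs) or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if hidden and self.hidden_depth == 0:
            self.current = {"tag": tag, "after_html_end": self.seen_html_end,
                            "text": [], "links": []}
        if hidden:
            self.hidden_depth += 1
        if self.hidden_depth and tag == "a" and attrs.get("href"):
            self.current["links"].append(attrs["href"])
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "html":
            self.seen_html_end = True
        if not any(open_tag == tag for open_tag, _ in self.stack):
            return  # stray close tag with no matching open tag: ignore
        # Pop to the matching open tag; tolerates unclosed inner elements.
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
                if self.hidden_depth == 0:
                    self._finish_block()
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth and data.strip():
            self.current["text"].append(data.strip())

    def _finish_block(self):
        text = " ".join(self.current["text"]).lower()
        hits = sorted(k for k in SPAM_KEYWORDS if k in text)
        if hits:
            self.findings.append({"tag": self.current["tag"],
                                  "after_html_end": self.current["after_html_end"],
                                  "keywords": hits, "links": self.current["links"]})
        self.current = None

    def close(self):
        super().close()
        if self.current is not None:  # hidden block never closed
            self._finish_block()


def scan_html(html):
    """Return a list of hidden blocks that contain spam keywords."""
    scanner = HiddenBlockScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: real content, one harmless hidden element, then the injected
# spam block appended after </html> in the style the post describes.
SAMPLE_PAGE = """<html><head><title>SEFI</title></head>
<body><h1>Sustainable Energy Finance Initiative</h1>
<p>Support and tools for financiers of clean energy technologies.</p>
<div style="display:none">Site updated 2011</div>
</body></html>
<div style="display:none;width:0px;height:0px">
  <a href="http://spam.example/buy-viagra">cheap viagra online</a>
  <a href="http://spam.example/levitra">levitra no prescription</a>
</div>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

The harmless hidden element (a "site updated" note) is not reported because it carries no spam keywords; the appended block is, together with its outbound links, which is what you would hand to whoever has to clean up the page and request removal from the search index.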

Most mainstream search engines, Google included, know of these tricks and do their best to detect and discount them, but detection does not always work. The success rate is higher for the well-known search engines than for less mainstream ones.

At the time of posting this blog, the Black Hat SEO threat has been removed and the sefi.unep.org Web site is safe for browsing.

Facebook scams are spreading. Almost every day we see new scams and spam popping up on Facebook, using social engineering on the ubiquitous social network to trick users into clicking on malicious links. The latest messages spreading rapidly across Facebook trick users into clicking on links that claim to show an amazing video of a big baby being born, reports Sophos Labs.

The messages spread with the help of a clickjacking scam (sometimes known as likejacking): without realising it, users are pressing an invisible “Like” button that passes the message on to their online friends.

A typical message looks as follows:

Baby Born Amazing Effect

Baby Born Amazing Effect – WebCamera

[LINK]

Big Baby Born !

“The links we have seen so far all point to pages hosted on blogspot.com, and appear to contain a video player that you are urged to click on. The pages are headlined: ‘Baby Born Video – Amazing Effects’,” explains Graham Cluley, senior technology consultant at Sophos.


At the bottom of the scam page there is a message. It reads:

If Play Button don’t work please click on the Like button and Confirm, then you can watch the Video.

It’s at this point that the clickjacking scam plays its part. If you try to play the video then you will be secretly and unwittingly saying that you “Like” the link, and sharing it with your friends. In this way the link spreads virally.

It’s a shame that Facebook’s own security measures don’t warn about this clickjacking attack.

If you were running anti-clickjacking protection, such as the ClearClick feature of the NoScript add-on for Firefox, you would see a warning about the attempted clickjacking:


Unfortunately, thousands of Facebook users appear to have fallen for the scam – and are helping the links spread rapidly across the social network.
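The attack works because the Like button is an iframe that any page may embed and position, transparently, over content of its own; Facebook cannot simply forbid framing of a widget that exists to be framed, which is why the defence falls to the browser (NoScript above) or to Facebook’s own heuristics. Pages you control that are not meant to be embedded, such as a login or settings page, can refuse framing outright. The function below, an added example and not Sophos or Facebook code, classifies what a response’s headers actually enforce, including the precedence rule that CSP frame-ancestors overrides X-Frame-Options and the fact that ALLOW-FROM and the report-only CSP header protect nothing. The URLs and headers in SAMPLE_RESPONSES are constructed.

```python
"""Report whether an HTTP response allows other origins to frame the page.

Added example; not Sophos or Facebook code.  Sample responses are constructed
for a hypothetical site whose pages should never be embedded elsewhere.
"""


def _parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def frame_policy(headers):
    """Classify framing protection as denied, same-origin, restricted or unprotected.

    headers: response headers as a dict (names compared case-insensitively).
    CSP frame-ancestors takes precedence: browsers that implement it ignore
    X-Frame-Options when both are present.  Content-Security-Policy-Report-Only
    is not enforced and therefore counts for nothing here.
    """
    h = {name.lower(): value for name, value in headers.items()}

    csp = _parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = [s.lower() for s in csp["frame-ancestors"]]
        if not sources or sources == ["'none'"]:
            return "denied"
        # '*' or a bare scheme such as https: admits every origin on that scheme.
        if any(s == "*" or s in ("http:", "https:") for s in sources):
            return "unprotected"
        if sources == ["'self'"]:
            return "same-origin"
        return "restricted"  # explicit allow-list of embedding origins

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "denied"
    if xfo == "sameorigin":
        return "same-origin"
    # ALLOW-FROM was never supported by Chrome or Safari; they treat it as an
    # invalid header and allow framing, so it is not a protection.  A missing
    # or unrecognised value likewise leaves the page frameable.
    return "unprotected"


# Constructed responses for pages on a hypothetical site.
SAMPLE_RESPONSES = {
    "https://example.test/login": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "https://example.test/settings": {"X-Frame-Options": "SAMEORIGIN"},
    "https://example.test/embed": {
        "Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "https://example.test/legacy": {
        "X-Frame-Options": "ALLOW-FROM https://partner.test"},
    "https://example.test/report-only": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "https://example.test/old": {},
}


def audit(responses):
    """Map each URL to its framing policy; 'unprotected' pages are clickjacking candidates."""
    return {url: frame_policy(headers) for url, headers in responses.items()}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{verdict:12} {url}")
```

Note the /embed case: the DENY header looks reassuring, but a browser that honours CSP will ignore it in favour of the permissive frame-ancestors directive, so the page is frameable by anyone.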

Sophos suggests the following steps to clean up your Facebook page.

Find the offending message on your Facebook page, and select “Remove post and unlike”.


Unfortunately that does not completely remove the unwanted link. You also need to go into your profile, choose Activities and Interests, and remove any pages that you do not want to “Like”.


Users need to be careful before ‘liking’ any page on Facebook, as this is a trap that is a little complex for a non-technical user to get out of. Facebook recently added new features to combat clickjacking techniques, but evidently they are not deterring spammers and scammers. The underlying problem is structural: the Like button is designed to be embedded in third-party pages inside an iframe, so a scam page can render that iframe transparently on top of its fake play button, and the framing protections a normal site would use (refusing to be framed at all) are not available to a widget that exists to be framed.

Cloud security provider Panda Security today announced the launch of its Panda Cloud Office Protection (PCOP) solution in India. Designed to protect all endpoint devices, static or mobile, anywhere and at any time, PCOP applies profile-based policies to users in real time.

Targeted at mobile workers and decentralised or franchised businesses, Panda Cloud Office Protection is offered to customers on a SaaS architecture designed for fast deployment and implementation. PCOP includes firewall protection, either personal or centrally managed, as well as protection for files, email, HTTP/FTP and instant messaging.

“Keeping up with the growing threat of malware can be an expensive and resource-intensive task,” says Raj Rathi, Managing Director, Cyberstar Infocom. “With Panda Cloud Office Protection’s web-based subscription, customers no longer need to invest in expensive security infrastructure or in-house security expertise,” he added.

At the heart of Panda Cloud Office Protection is its web-based Collective Intelligence database, which analyses files entering and leaving a network to detect and block malware before it can penetrate a customer’s infrastructure. Because the analysis is done in the cloud, Panda says there is no impact on system performance.

“By installing PCOP, customers can save up to 50% on total cost of ownership versus traditional software solutions,” said TS. Wong, Director Sales, APAC, Panda Security. “PCOP’s ingenious web-based management console makes it easy for administrators to implement and monitor security across all PCs, laptops and servers from anywhere in real time, and even systems in remote offices are covered,” he added.

Exploitation of vulnerabilities in computer systems can have negative effects such as loss of availability, productivity or data, other compromise, and even identity theft and financial loss. However, unlike classic computer crime, where data is remotely stolen or manipulated, attacks on industrial control systems (ICS) can, in rare circumstances, have devastating physical-world consequences such as loss of life and environmental damage.

A number of vulnerabilities have been discovered by NSS researchers and validated on the Siemens Simatic S7-1200 PLC. Other Siemens device models have yet to be tested. There is the possibility that PLCs from other vendors are similarly affected. Currently, these vulnerabilities could enable an attacker to control an affected S7-1200 PLC.

In the course of NSS Labs’ research, significant vulnerabilities in industrial control systems have been identified, responsibly disclosed and validated by the affected parties. Because of the serious impact these issues could have on industrial systems worldwide, further details will be withheld until effective remediation has been released by the affected vendor(s) and validated by NSS researchers.

The vulnerabilities discovered, if exploited by an attacker, would enable the attacker to gain full control of the system and perform actions such as:

  • Start and stop the CPU
  • Arbitrarily control devices connected to the PLC
  • Arbitrarily reprogram the PLC and read and write memory contents
  • Cause arbitrary (false) data to be returned to logging and management stations
  • Hijack control of the PLC from an administrator
  • Bypass security controls

“The most effective remediation will be based upon accepted best practices and specific knowledge of the operating environment. Given the implications of the problem, a true air-gap separation between ICS and internet-connected corporate networks should be enforced wherever possible. In many cases, the operator may not be fully aware of the connectivity an attacker may be able to gain. An exposure assessment is recommended in such cases,” the report suggests.
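The exposure assessment the report recommends starts with a simple question: which hosts outside the control network can actually reach the PLCs, and over which protocols? The script below is an added example, not NSS Labs or Siemens code; it runs that question over a flow log. The subnets, the flow-log format and the flows themselves are constructed. TCP/102 (ISO-TSAP) is the port Siemens S7 PLCs use for engineering and HMI communication; the other ports listed are common ICS protocols. A real assessment would feed it firewall or NetFlow exports and would also check the paths the operator does not know about, which is the case the report warns of.

```python
"""First-pass ICS exposure assessment over a flow log.

Added example; not NSS Labs or Siemens code.  Subnets, the flow-log format and
the flows are constructed.  TCP/102 (ISO-TSAP) is used by Siemens S7 PLCs; the
other ports are common ICS protocols.
"""
import ipaddress
from collections import defaultdict

ICS_NETS = [ipaddress.ip_network("10.50.0.0/16")]          # assumed plant network
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/16"),   # inside the plant network
                   ipaddress.ip_network("10.51.9.0/24")]    # assumed engineering jump hosts
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICS_PORTS = {102: "ISO-TSAP (S7)", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
# plant HMI to PLC (expected), jump host to PLC (allowed), then the problems
2011-05-25T09:12:01Z 10.50.1.10 49152 10.50.1.20 102 tcp
2011-05-25T09:12:05Z 10.51.9.4 50001 10.50.1.20 102 tcp
2011-05-25T09:13:44Z 10.20.7.55 51234 10.50.1.20 102 tcp
2011-05-25T09:14:02Z 10.20.7.55 51235 10.50.1.21 502 tcp
2011-05-25T09:15:30Z 203.0.113.8 40000 10.50.1.20 102 tcp
2011-05-25T09:16:00Z 10.20.7.56 51300 10.50.2.2 443 tcp
"""


def in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_flows(text):
    """Yield one dict per flow record, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        yield {"ts": ts, "src": ipaddress.ip_address(src),
               "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def assess_exposure(flow_text):
    """Return flows into the ICS segment from sources that should not reach it.

    Severity: critical if the source is outside RFC 1918 space (the segment is
    reachable from the Internet), high if a corporate host reaches a control
    protocol port, medium for any other corporate-to-ICS traffic.
    """
    findings = []
    for f in parse_flows(flow_text):
        if not in_any(f["dst"], ICS_NETS) or in_any(f["src"], ALLOWED_SOURCES):
            continue
        if not in_any(f["src"], RFC1918):
            severity = "critical"
        elif f["dport"] in ICS_PORTS:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"ts": f["ts"], "src": str(f["src"]), "dst": str(f["dst"]),
                         "port": f["dport"], "service": ICS_PORTS.get(f["dport"], "other"),
                         "severity": severity})
    return findings


def sources_by_severity(findings):
    """Group offending source addresses by the worst severity seen for each."""
    rank = {"medium": 0, "high": 1, "critical": 2}
    worst = {}
    for f in findings:
        if rank[f["severity"]] >= rank.get(worst.get(f["src"]), -1):
            worst[f["src"]] = f["severity"]
    grouped = defaultdict(list)
    for src, sev in worst.items():
        grouped[sev].append(src)
    return dict(grouped)


if __name__ == "__main__":
    results = assess_exposure(SAMPLE_FLOWS)
    for r in results:
        print(r)
    print(sources_by_severity(results))
```

Every source that shows up in the output is a path that contradicts the air-gap the report asks for; the critical one (a non-private address reaching port 102) is the case where the PLC is effectively on the Internet.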

The Mariposa botnet made headlines when three of its alleged operators were arrested in Spain prior to its supposed shutdown. This was followed by a sudden and drastic decrease in Mariposa-related incidents, which was very understandable because the botnet was reported to have already been taken down.

Lately, however, Trend Micro has observed a strange increase in activity related to WORM_PALEVO—the Trend Micro detection name for malware related to the Mariposa botnet. The increase started late in the fourth quarter of 2010.

“It seems that despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name—Mariposa,” explained Jessa De La Torre, Trend Micro’s Threat Response Engineer.

“We checked out the variants that were causing the activity and found that although the current in-the-wild samples differed slightly from previous versions, their functions remained the same,” she said.

WORM_PALEVO is a modularised bot used mainly to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be bought separately should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C servers over UDP; many perimeter firewalls apply little or no egress filtering to outbound UDP, so the traffic often passes unnoticed.

An Arroyo Grande woman was arrested Tuesday by special agents with the FBI on charges of stealing money from a federally insured financial institution.

Brenda Bautista Hurtado, 25, was taken into custody without incident after being named in a three-count indictment returned by a federal grand jury last Friday.

The indictment accused Hurtado of stealing money while employed last year at the U.S. Bank branch in Arroyo Grande. The indictment alleges that Hurtado stole nearly $100,000 from two customers’ accounts, as well as another $10,000 in cash from the bank’s vault.

The investigation in this case revealed that Hurtado secretly accessed U.S. Bank’s computer system and changed the contact information for the accounts of two elderly customers at the bank. After changing their contact information, Hurtado then allegedly closed these accounts and took out cashier’s checks for the balance of each account.

When one of the customers came to the bank and learned that his account had been closed, Hurtado went into the bank’s vault and took $10,000 in cash. Hurtado then went to Mexico for several weeks before returning to the United States. She was arrested this morning in Guadalupe, California, where she has been staying for the past few months.

The indictment alleges that Hurtado stole $50,907 on February 24, 2010 and another $48,163 on February 26, 2010. The indictment further alleges that Hurtado stole $10,000 in cash from the bank vault on June 7, 2010.

An indictment contains allegations that a defendant has committed a crime. Every defendant is presumed to be innocent until and unless proven guilty in court.

Each count of theft by a bank employee carries a statutory maximum penalty of 30 years in federal prison and a fine of up to $1 million.

A picture says a thousand words, and this time we have a video. Here is a quick video from Internet security firm F-Secure explaining how a poisoned Google Image Search result redirects the user to a malware download on Mac OS X.

The Mac OS X malware scene is advancing fast and taking many cues from the Windows malware scene, says security firm Sophos.

Just like in the Windows versions, the latest variants seen today (OSX/FakeAvDl-A) no longer require administrative credentials. “They now install into areas of the system that only require standard user privilege. In other words, the attacks no longer ask for an admin password. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases,” Chester Wisniewski, Senior Security Advisor at Sophos Canada explained.

Apple has stated:

In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants.

Some key considerations for Mac users to be aware of are:

  1. The name and user interface displayed by this malware will change, so don’t rely on the name.
  2. The nature of the enticing message, however, will remain a variant of the “viruses (or Trojans, or spyware, etc) have been detected on your computer” message, followed by a request to install the cleanup software, which of course is only available for a fee.

Mac users can defend themselves from variants of this attack by:

  1. Going to Safari->Preferences->General and deselecting the “Open “Safe” files after downloading” option. With that option enabled, Safari automatically opens downloaded archives and disk images, which is how the fake antivirus installer gets launched without any further click from the user.
  2. Installing reputable antivirus software from a trusted source

Finally, users of any system should be aware there is currently no legitimate antivirus or security software that alerts you through a browser that malware of any type has been detected and that security software must be installed to remove it. A modern browser may block a suspect site, but it won’t behave in this manner. This is a sure-fire attempt to scare a user into installing a malicious program. In general, if you see a suspicious warning that asks you to install software, simply close the browser, or Force Quit if you need to. NEVER click “OK,” “Cancel” or any other button or links in the window alerting you to fake infections, as that is often what starts the actual download or installation of the malware.

When Apple introduced XProtect with OS X 10.6 Snow Leopard, they added rudimentary detection of malware. In the nearly two years since its introduction, they have only updated it a few times.

Are they going to develop their own anti-virus software? The fast pace with which new variants arrive requires a very different style of software development and updating than Apple is accustomed to.

The total percentage of network devices that have passed last-day-of-support (LDoS) has dropped dramatically, from 31% in 2009 to 9% in 2010. However, the total amount of technology late in the obsolescence phase remains high, with the percentage of devices in late-stage end-of-life sitting at a substantial 47%. This could be evidence that more organisations are choosing to sweat assets up to, but not beyond, the highest-risk lifecycle stage.

That is according to data in the Network Barometer Report 2011 published by Dimension Data, an IT services and solutions provider. The Report covers aggregate data compiled from 270 Technology Lifecycle Management (TLM) Assessments conducted worldwide in 2010 by Dimension Data for organisations of all sizes across all industry sectors. It reviews the networks’ readiness to support the business by evaluating configuration variance from best practices, potential security vulnerabilities, and the end-of-life status of the network devices.

Raoul Tecala, Dimension Data’s global Business Development Director, Network Integration, says, “While some organisations appear to be wising up to the financial benefits of intelligently sweating network assets, if the cost savings aren’t weighed against the risks, they could also be exposing themselves to serious business continuity issues.”

“Sweating assets is a term applied to extending or maximising the useful life of an existing technology asset, and thereby avoiding the need to replace or update it until absolutely necessary. This allows organisations to maximise their return on investment while minimising their capital expenditure,” explains Tecala. While there is no definitive way of telling whether the drop in the percentage of devices beyond LDoS means that organisations are deliberately choosing to push certain assets past a given lifecycle stage, the results certainly suggest that clients are more aware of their network assets and are refreshing those devices where the risk is greatest. Tecala says the assertion that older devices are at higher risk of security breaches is acknowledged by standards and compliance bodies.

Neil Campbell, Dimension Data’s global General Manager, Security says, “If organisations detect a critical asset past end-of-software maintenance, they’re not likely to have access to the latest vendor-supplied security patches. And failing to apply patches would be a direct violation of many compliance standards, including the Payment Card Industry Data Security Standard (PCI DSS). Then the door’s not only open to security breaches, but the ensuing nightmare of litigation, punitive damages and reputational loss.”

“The critical question is whether organisations know about their aging assets. Previous research not related to the Network Barometer Report that was conducted by Dimension Data found that clients were unaware of as much as 25% of their networking devices,” adds Tecala and points out that full visibility of the technology estate is a fundamental prerequisite to intelligent asset management and targeted sweating.

“Organisations need to know where it is, what it does, and what the implications are when it breaks and becomes unsupportable. In order to achieve this, visibility into the lifecycle status of their assets so that their age and viability can be properly assessed is critical, or they’ll continue to run with issues that could have a devastating effect on overall business productivity and efficiency.”

“Not only do IT departments leave themselves exposed to crisis management spend in the event of a failure on the network but, from a strategic perspective, they may well find that older devices don’t support new applications and solution investments.”

Other findings in the Report include:

  • Over 73% of corporate network devices analysed by Dimension Data during 2010 were carrying at least one known security vulnerability. This is almost double the 38% recorded in 2009;
  • a single high-risk vulnerability – PSIRT 109444 – which was identified by Cisco in September 2009, was found in a staggering 66% of all devices;
  • TLM Assessment results showed that if PSIRT 109444 was taken out of the equation, organisations had patched fairly well: the next four vulnerabilities were found in less than 20% of all devices.
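The report’s two findings meet on the same device: an advisory that cannot be patched because the vendor has stopped shipping software fixes. The script below is an added example, not Dimension Data’s TLM assessment tooling; it classifies an inventory by lifecycle stage from vendor milestone dates and lists the devices that carry open advisories but are past end-of-software-maintenance. Milestone names follow common vendor usage: end of sale (EoS), end of software maintenance (EoSWM), last day of support (LDoS). The models, dates and inventory are constructed; PSIRT-109444 is the Cisco advisory the report names, and the other advisory identifier is a placeholder.

```python
"""Lifecycle-stage classification of a network inventory.

Added example; not Dimension Data's TLM tooling.  Models, milestone dates and
the inventory are constructed.  PSIRT-109444 is the advisory named in the
report; "ADVISORY-PLACEHOLDER" stands in for any other open advisory.
"""
from collections import Counter
from datetime import date

# Vendor-published milestones per model (assumed values).
MILESTONES = {
    "router-model-a":   {"eos": date(2005, 6, 1),  "eoswm": date(2006, 6, 1),  "ldos": date(2010, 12, 31)},
    "switch-model-x":   {"eos": date(2009, 6, 1),  "eoswm": date(2010, 6, 1),  "ldos": date(2014, 6, 1)},
    "firewall-model-c": {"eos": date(2010, 11, 1), "eoswm": date(2011, 11, 1), "ldos": date(2015, 11, 1)},
    "router-model-b":   {"eos": date(2013, 1, 1),  "eoswm": date(2014, 1, 1),  "ldos": date(2018, 1, 1)},
}

INVENTORY = [  # constructed
    {"hostname": "core-sw-1",    "model": "switch-model-x",   "vulns": ["PSIRT-109444"]},
    {"hostname": "core-sw-2",    "model": "switch-model-x",   "vulns": []},
    {"hostname": "edge-rtr-1",   "model": "router-model-a",   "vulns": ["PSIRT-109444", "ADVISORY-PLACEHOLDER"]},
    {"hostname": "branch-rtr-1", "model": "router-model-b",   "vulns": ["PSIRT-109444"]},
    {"hostname": "fw-1",         "model": "firewall-model-c", "vulns": []},
]


def lifecycle_stage(model, as_of):
    """supported -> early-eol (still patched) -> late-eol (no more patches) -> past-ldos."""
    m = MILESTONES.get(model)
    if m is None:
        return "unknown"  # no milestone data: the device is effectively unmanaged
    if as_of > m["ldos"]:
        return "past-ldos"
    if as_of > m["eoswm"]:
        return "late-eol"
    if as_of > m["eos"]:
        return "early-eol"
    return "supported"


def stage_percentages(inventory, as_of):
    """Share of the estate in each lifecycle stage, rounded to whole percent."""
    counts = Counter(lifecycle_stage(d["model"], as_of) for d in inventory)
    return {stage: round(100 * n / len(inventory)) for stage, n in counts.items()}


def unpatchable_and_vulnerable(inventory, as_of):
    """Devices with open advisories whose vendor no longer ships software fixes."""
    return [d["hostname"] for d in inventory
            if d["vulns"] and lifecycle_stage(d["model"], as_of) in ("late-eol", "past-ldos")]


def advisory_prevalence(inventory):
    """Percentage of devices affected by each advisory (cf. the 66% PSIRT 109444 figure)."""
    hits = Counter(v for d in inventory for v in set(d["vulns"]))
    return {adv: round(100 * n / len(inventory)) for adv, n in hits.items()}


if __name__ == "__main__":
    today = date(2011, 5, 1)  # assessment date for the constructed data
    print(stage_percentages(INVENTORY, today))
    print(unpatchable_and_vulnerable(INVENTORY, today))
    print(advisory_prevalence(INVENTORY))
```

The "unknown" stage is worth keeping in the output: a device whose model has no milestone data is the 25% of the estate the report says clients did not know they had, and it cannot be assessed until it is identified.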