Blog

Our good friends at Hanoi, Viet Nam, -based security firm Bkis have written about an interesting malcode lure: Trojans masquerading as updates for popular applications such as Adobe, Java or Windows. The fake updates are distributed with icons of the application they’re impersonating. Analyst Nguyen Cong Cuong wrote: “In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands.” ...

The Inquirer security news site were reporting that the 25-year-old arrested by French police for hacking a Twitter data base and accessing U.S. President Barak Obama’s account guessed the admin’s password. The unemployed man, who went by the handle “Hacker Croll.” is not a genius, the news site concluded. “Apparently it was a doddle to do. He simply guessed people’s passwords by working them out from information on their blogs or online pages they had created about themselves,” it said. ...

Well, this is unfortunate. In the UK, they have something called “The Big Issue”, which is a magazine designed to help the homeless get back into society via a legitimate income. It sells around 300,000 copies a week and is listed as the third-favourite newspaper of young British people aged 15 to 24, according to Wikipedia. At this moment in time, The Big Issue website is playing host to a French Paypal Phish – they have a zipped copy of the Phish uploaded to the server, and a live Phish directory too: ...

Malware authors use numerous unconventional techniques in their attempts to create malicious code that is not detected by antivirus software. As malicious code analysts, though, it is our job to analyze their creations, and as such we have to be constantly vigilant for the latest tricks that the malware authors employ. While looking at some PDFs yesterday, something suspicious caught my eye. The PDF file format supports compression and encoding of embedded data, and also allows multiple cascading filters to be specified so that multi-level compression and encoding of that data is possible. The PDF stream filters usually look something like this: ...

Despite the global economic slowdown, India witnessed a high number of new jobs in the country during the first quarter of 2010. With the job market looking positive, job sites seem to have benefited with more users accessing their websites. Below is a screenshot of a phishing website that takes advantage of the brand of a popular Indian job site: The increased number of candidates seeking jobs in India has led to the launch of phishing attacks on Indian job sites. The phishing page in the above example is asking for potential employers’ login credentials. The phishing website was created on servers located in the Netherlands. The credentials consist of a username and password as well as the employer’s email ID and password. After stealing these credentials, fraudsters send targeted spam messages to the employers. The spam message states that the employer is required to pay an amount to upgrade or continue his access of particular recruitment solutions. The link provided to make the payment leads to a phishing page that asks for confidential information such as credit card numbers, pin number, etc. Attackers also masquerade as the employer to send spam containing fake job opportunities to job seeking candidates—an action that means the attackers are always seeking financial gain. ...

Lots of little newsworthy updates recently . . . they’ve been well-covered elsewhere, but we wanted to make sure our readers saw them as well. Russia: Safe Haven no more? One of the constant complaints that we hear is “the criminal is probably in Russia”, as an excuse for why a case is not worth investigating. Back on November 11, 2009, we posted a story The $9 Million World-wide Bank Robbery, where VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova were charged with leading the robbery, which actually occurred in 2008. This week the Financial Times has revealed that Viktor Pleshchuk was arrested by the FSB. Their story leads with: ...

A friend of mine forwarded a suspicious email message recently. I’ve replaced the domain, order number, etc. below: I validated for my friend that the email was bogus. The domain was not held by Domain Registry of America (DROA), and never had been. The domain was not expiring in the next 90 days. Later he received a follow-up email: The scam attempts to get domain holders to transfer service and pay accordingly. It seems this scam has been around for at least eight years, though it has morphed over time. Apparently the DROA has chosen to test the 2003 judgment by the Federal Trade Commission (http://www.ftc.gov/opa/2003/12/domainreg.shtm). One thing of interest here is the two-staged approach: The first message requires no action by the recipient, but the second message tells the user to obtain and hand over the keys to the castle.

There are a couple of programs in circulation at the moment designed to steal Steam account login credentials. People can have a lot of money invested in Steam purchases (if you purchase PC games online Steam is probably the best digital delivery service around), and it isn’t really the greatest thing in the world to have one stolen. Steam is a popular thing to have in webcafes, and the company behind it actually support this in a very big way. These particular infection files would cause the most trouble on the networks of netcafes with minimal security in place, allowing chancers to install files with a USB stick, let the stealer grab account logins then come back later to collect the passwords. ...

One our researchers was reading the comments about Dancing With The Stars, and Kate Gosselin’s performance (He’s a huge fan … don’t ask), when he noticed a link to a URL shortening service. Given that it was advertising a video of Kate Gosselin topless, he astutely realised that was a bit suspicious, and checked it out inside a nice, safe virtual pc. Indeed, the shortening service immediately transferred to a website showing a picture of Kate at the beach… ...

Facebook is, by its nature, a social experience. But as the undisputed king of social networking expands ways for its users to interact, it’s raising more questions about how much of their information is made available to people they don’t know. In some cases, users may not even realize it’s happening. One example is the hundreds of thousands of developers approved by Facebook to create games, quizzes and other applications. Some of those developers are able to access basic information about users after a Facebook friend has started using their application. ...