This Week's Trends
We're off to a great start so far this year. After a brief respite we're seeing an exponential rise in levels of spam and scams.
Reports and monitoring this last week have shown the return or growth of several criminal trends. Some of the items below will probably
look familiar but they bear repeating as they are a continuing threat.
We're still seeing lots of the fake news items, and today there were new spam emails purporting to be from the U.S. Treasury. We've also
had reports of some very offensive material being caught in our spam filters.
Also, we have a report this week of a very sneaky new attack that can fool you while you're working on a secure site (like your banking
web page). Make sure you read about that one and watch for it.
Pay attention, be vigilant, spread the word.
More on the Infected Digital Photo Frames
We reported on this last time around, but some new information on the digital photo frames has come out this week.
Digital photo frames infected with computer viruses
are the latest problem imported from China. "Essentially, it's a supply chain
problem," said the director of the Internet Storm Center at the SANS
Institute. The culprit is believed to be poor quality-assurance testing
procedures in which one of every 1,000 or so devices is plucked off an
assembly line and tested on a computer that is infected with a virus, he
said.
Before Christmas, Samsung and Amazon issued alerts warning customers
that some Photo Frame Driver CDs for Samsung's SPF line of digital photo
frames contained a virus in the frame manager software. Customer PCs running
Windows XP are at risk of being infected by the virus, W32.Sality.AE, which
drops a keylogger or backdoor onto the system. Element and Mercury brand
frames sold at Circuit City and Wal-Mart, respectively, also were reported
to be infected, according to the San Francisco Chronicle.
"Anything that has
flash storage or bootable storage is exposed to this kind of threat," said
the director of security research for McAfee Avert Labs.
"It doesn't mean
you shouldn't buy them. You should just realize before you plug it in that
you might want to disable the Windows auto-boot functionality and run an
antivirus scan on it, just to be safe."
Banks Warn of Fraudulent Robocalls
These incidents happened in Maine, but it's always good to be aware of these types of scams because they are quite likely to show
up on a telephone near you.
Across the [central Maine] region January 12, fraudulent automated phone calls asked recipients for credit card numbers and other account
information, claiming to be from two local banks.
The calls went out to customers and non-customers alike; one was received at the main switchboard of one of the banks, the bank
president and chief executive said.
Bank officials warn that they do not call customers to ask for credit card numbers, account numbers, and other information of
that type. “We are just reinforcing that the bank would never call a customer and request that kind of information,” said an executive
vice president for one of the banks.
Credit Union Target of ‘Phishing’ Scam
This is another example of a scam that is being reported elsewhere (Central New York this time), but that can and will happen here
someday.
Central New Yorkers have been targeted by a text-message “phishing” scam that asks for the personal identification numbers
associated with their bank cards.
The fraudulent text messages purport to be from Empower Federal Credit Union, but they are not, said an individual speaking for the
credit union. The messages say that the recipient’s ATM card has been deactivated and ask the recipient to call a toll-free number to
reactivate the card. If people call the number, they are prompted to enter their card number, expiration date and PIN.
Phishing scams, which are criminal attempts to gain private information, are common in e-mail, but relatively new on cell phones.
Customers and non-customers alike have been targeted by the recent scam.
With the wide proliferation and use of texting services, we can certainly expect to see more of these types of scams. Again,
remember that banks and credit unions will not use this type of communication to contact you for personal information. If you get an
email, phone call or text message purporting to be from your bank, you should contact your bank on a known good phone number and let
them know. Their anti-fraud divisions will want to hear about it.
eCard Scam Growing - Probably Related to Storm Trojan
This is another story we reported last time. The new twist this week is that researchers believe this may be the next generation of a
Storm Trojan type of attack. The Storm Trojan was an extremely prominent and successful recruiter of botnets last year and this looks
like the latest attempt by the criminals to infect unsuspecting folks and capture their computers for their botnets.
US Cert sent out a notice this week saying that the ongoing and growing malicious e-card campaign is spreading a new Trojan that's being
called "Waledac". This Trojan shares a number of significant characteristics with the Storm Trojan.
Now new evidence has helped confirm that this new botnet is, indeed, Storm reincarnated. Storm all but disappeared from the grid last
year, basically going dormant in mid-September after its last major spam campaign in July — a “World War III” scam. In October,
researchers started to write off Storm, at least in the short term. But now they say the big botnet has reinvented itself with new
binary bot code, and that it is no longer using noisy peer-to-peer communications among its bots. It has instead moved to HTTP
communications, which helps camouflage its activity among other Web traffic.
The manager of security research for Arbor Networks says he was initially skeptical of speculation that Waledac and Storm were one and
the same. But the latest findings on the malcode and its activity (the botnet is using many of the same IP addresses that were used in
Storm) changed his mind. “[The Waledac bots] are talking to the same servers we saw in Storm,” he says. So far Storm’s M.O. is the same:
to send traditional spam, typically in the form of e-greetings, such as the Christmas Eve spam run of e-cards that had the earmark of
Storm. But the biggest difference is it is no longer as easily detectable now that it has converted to HTTP communications. “P2P was
part of the reason for Storm’s demise. It was easy to filter it,” the manager says. “With HTTP, it is a little harder [to filter]
because you have got to know what you are looking for.”
New Phishing Scam Pops Up Messages During Sessions on Secure Websites
An advisory from security vendor Trusteer demonstrates a new method of phishing which uses pop-up windows that appear when a user is
logged into a secure web site. Trusteer has informed the major vendors of web browsers of the technique, which they call "Session
Phishing."
An in-session phishing attack occurs while the victim is logged onto an online banking application
and therefore is much more likely to succeed.
A typical attack scenario would occur as follows. A
user logs onto their online banking application to perform some tasks. Leaving this browser window
open, the user then navigates to other websites. A short time later a popup appears, allegedly from
the banking website, which asks the user to retype their username and password because the
session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc.
Since the user had recently logged onto the banking website, he/she will likely not suspect this
popup is fraudulent and thus provide the requested details.
To protect themselves from in-session phishing attacks, Trusteer recommends that users:
- Deploy web browser security tools
- Always log out of banking and other sensitive online applications and accounts before navigating
to other websites
- Be extremely suspicious of pop ups that appear in a web session if you have not clicked a
hyperlink
Downadup Worm Infects More Than 3.5 Million
The Downadup worm, a malicious program that spreads using a recently patched Windows flaw, has compromised more than 3.5
million computers, security firm F-Secure stated this week.
The Downadup worm has successfully spread because it uses a major flaw that Microsoft patched in October to remotely compromise
computers running unpatched versions of the Windows operating system. However, the malicious program’s greatest strength appears to be
a feature that allows worm-controlled computers to download malicious code from a random drop point. The program generates addresses for
250 different domains each day. The botnet controller need only register one of the domains and set up a download server to update the
bot program with different functionality, said the chief research officer at F-Secure.
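The daily domain generation described above is also a detection opportunity: an infected host resolves many generated names each day, but the controller registers only one, so the rest come back as NXDOMAIN. The following is an added example (not code from the original article or from F-Secure) that flags such clients in a constructed resolver log; the log format, the thresholds and the entropy heuristic are assumptions.

```python
"""Flag resolver clients whose failed lookups resemble daily domain-generation traffic."""
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<date>T<time> <client> <name> <rcode>".
# Host 10.1.1.20 is a normal user with one typo; host 10.1.1.77 behaves like a bot
# walking through generated names that nobody registered (all NXDOMAIN).
SAMPLE_LOG = "\n".join(
    ["2009-01-16T08:00:01 10.1.1.20 www.example.com NOERROR",
     "2009-01-16T08:00:02 10.1.1.20 mail.exmaple.com NXDOMAIN",   # benign typo
     "2009-01-16T08:00:03 10.1.1.20 update.example.com NOERROR"]
    + [f"2009-01-16T09:{i:02d}:00 10.1.1.77 {n}.info NXDOMAIN"
       for i, n in enumerate(["qwhzkfjbm", "xtrpvlqay", "bmcozghe", "yfqpwzkl",
                              "hnvdxrtuj", "ksajmwqzo", "lpgtvnxcb", "zrqkdhyfa",
                              "mwvjtxloc", "cgxnphqar", "dsbzylmwe", "trkjoqfvn"])]
    + ["2009-01-16T09:13:00 10.1.1.77 example.org NOERROR"]
)


def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the label left of the TLD.

    A crude 'looks random' filter: typos of real words score lower than
    generated labels, which spread over many distinct characters."""
    label = name.rstrip(".").split(".")[-2] if "." in name else name
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dga_clients(log_text: str, min_failures: int = 10,
                     min_entropy: float = 2.8, min_ratio: float = 0.5) -> dict:
    """Return {(client, date): count} for clients whose distinct, random-looking
    NXDOMAIN names in one day exceed min_failures and make up at least min_ratio
    of that client's queries. Thresholds are assumptions to tune per network."""
    failures = defaultdict(set)   # (client, date) -> random-looking NXDOMAIN names
    totals = defaultdict(int)     # (client, date) -> all queries seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode = line.split()
        key = (client, ts[:10])
        totals[key] += 1
        if rcode == "NXDOMAIN" and label_entropy(name) >= min_entropy:
            failures[key].add(name.lower())
    return {k: len(v) for k, v in failures.items()
            if len(v) >= min_failures and len(v) / totals[k] >= min_ratio}


if __name__ == "__main__":
    print(flag_dga_clients(SAMPLE_LOG))
```

Registered sinkhole or vendor-published domain lists catch the one name the controller did register; this heuristic catches the noise of the other 249 attempts.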
The worm uses a vulnerability in Windows’ processing of remote procedure call (RPC) requests by the Windows Server service. When it
issued an emergency patch for the flaw in October, Microsoft warned that the vulnerability could be used to automatically spread
malicious code to systems running Windows XP and earlier versions of the company’s operating system. Symantec, the owner of
SecurityFocus, has also recorded large numbers of infections by Downadup. The company recorded more than 600,000 systems infected with
the program in a 72-hour span. Almost all of the systems were running Windows XP.
If you are running Windows XP or earlier Windows operating systems, you must be sure that you are patched and up to date. If you
have missed any of the updates from Microsoft you should go to their website and apply them, then make sure your antivirus is up to date
and run a full scan on your computer.
Paris Hilton's Website Infects Users with Data-stealing Trojan
Paris Hilton apparently has not fallen out of favor with cybercriminals. Months after the celebrity and hotel heiress' Sidekick phone
and Facebook profile were hacked, attackers now have turned to her official website to spread malware and steal data.
Users who visited ParisHilton.com during the weekend and on Monday were met with a pop-up box that informed them they needed to "update"
their systems, according to web security firm ScanSafe, which first reported the infection on Monday. The dialogue box gave users the
option to choose “cancel” or “OK,” but any click downloaded the malware.
“Regardless of what you click, the execution will occur -- the download has already happened,” Mary Landesman, senior security
researcher at ScanSafe, told SCMagazineUS.com late Monday. “The user is trapped. The user is a complete victim. All they did is visit a
website.”
The infection, which was first detected by ScanSafe starting Friday, was cleared late Monday night, the company said on Tuesday.
If infected, end-users risk having their banking credentials exposed, Landesman said. For enterprises, the malware can redirect and
intercept all their HTTP and internal network traffic.
Apple Safari Feed Reader Flaw Could Expose Private Information
An open-source programmer has discovered a potentially major vulnerability in Apple Safari, affecting both the Mac and Windows versions
of the web browser, he said this week.
Brian Mastenbrook said on his website that the bug, if exploited, can allow malicious websites to read files sitting on a user's hard
drive, without the victim needing to take any action.
"This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords or cookies that could
be used to gain access to the user's accounts on some websites," he said, adding that Apple is aware of the bug.
Users of Mac OS X 10.5, code-named Leopard, are affected if they use the default feed reader application preference, regardless of whether
they use a different browser or use RSS feeds at all, Mastenbrook said. Users of Safari for Windows are also impacted, unless they do not
use it for browsing.
Mastenbrook said he does not think the vulnerability is publicly known, but users should nonetheless take action to protect against an
exploit.
To protect themselves in advance of a fix from Apple, users should select another feed reader besides the Safari default, he
said.
Vulnerability in Nokia Phones
The Chaos Computer Club, at its annual conference in late December, reported a vulnerability in many recent Nokia mobile phones that
allows blocking the receipt of any further SMS and MMS messages, by sending a specially-crafted SMS. According to the speaker, the
problem occurs in Nokia S60 2.6, 2.8, 3.0 and 3.1, while S60 3rd Edition, Feature Pack 2 is not affected. According to tests carried
out by F-Secure, however, the Sony Ericsson UIQ is also prone to this attack.
Nokia's current recommendation for guarding against crafted messages is that users of Nokia phones, based on the S60/Symbian OS, should
only open SMS and MMS messages if they are from a trusted sender.
Microsoft Patches ‘Super Nasty’ Windows Bugs
Microsoft Corp. patched three vulnerabilities in the company’s Server Message Block (SMB) file-sharing protocol, including two that
could make “Swiss cheese” out of enterprise networks, according to one researcher. “This is super nasty,” said the chief technology
officer at Shavlik Technologies LLC, who also called the January 13 update “super critical” as he sounded the alarm. “Expect to see a
worm on this one in the very near future, [because] this is Blaster and Sasser all over again.”
Those two worms, 2003’s Blaster and 2004’s Sasser, wreaked havoc worldwide as they spread to millions of Windows machines. Of the three
bugs outlined in the MS09-001 security bulletin, two were rated “critical,” the most serious ranking in Microsoft’s four-step scoring
system, while the third was pegged “moderate.” The pair identified as critical are extremely dangerous because attackers can exploit
them simply by sending malformed data to unpatched machines, according to the chief technology officer. “These flaws enable an attacker
to send evil packets to a Microsoft computer and take any action they desire on that computer [with] no credentials required,” he said.
“The only prerequisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS ports, TCP 139
or TCP 445.
By default, most computers have these ports turned on.” Much the same situation led to Blaster and Sasser, the chief technology officer
noted. “More people have blocked those ports, and more personal firewalls block them by default, but they are typically left open in a
corporate network.”
If you are comfortable with changing the rules on your computer or network firewall, you could block inbound traffic on those ports to be safe.
However, at the very least, ensure you have installed this latest patch from Microsoft if you use their operating systems.
Microsoft Updates Free Tool to Remove Persistent Worm
Microsoft has updated its free security tool to remove a persistent worm that is targeting a now-patched but severe vulnerability that affects
several server products.
The latest update to the Malicious Software Removal Tool (MSRT) can now remove infections of Conficker (also known as Downadup), a worm that infects a server and
then tries to download other malicious software, according to a company blog. Conficker targets a flaw in Windows Server Service.
Microsoft thought the flaw was so severe that it issued an out-of-cycle patch on October 23 for Windows 2000, XP, Vista, Server 2003 and
Server 2008. The latest statistics show that this worm has compromised over 3.5 million computers.
Microsoft has observed a new variation of the worm, called Win32/Conficker.B, which has been infecting servers. Systems become infected when
a hacker constructs a malicious Remote Procedure Call (RPC) to an unpatched server, which then allows arbitrary code to run on a machine.
Conficker.B uses other methods to spread, including trying to copy itself to other shared network machines by guessing passwords. It can
also spread via removable media.
When you have automatic updates enabled in your Microsoft operating system, it will download this tool automagically and run it for
you. If you don't have that set, we recommend going to the Microsoft site and downloading and running this tool.