Information Security Newsletter

Bulletins posted 1/30/2009

Google's Chrome Gets Webmail and Security Updates
Google has patched the latest versions of Chrome to make the browser work better with Microsoft's Hotmail and Yahoo Mail. Mark Larson, Google Chrome program manager, said in a blog posting that both webmail services were now working with Chrome.

He described the Hotmail fix as a "workaround" while the Hotmail team at Microsoft works on a "proper fix". This is the second attempt at resolving compatibility issues between Chrome and Hotmail. Google released the first fix for this problem in December, when the company said it was preparing to take Chrome out of beta in January.

The latest beta and stable versions of Chrome also include two security updates. One is a workaround for the Adobe Reader cross-site scripting vulnerability that could allow a PDF document to run scripts on arbitrary sites. The other update deals with a bug in the V8 JavaScript engine that could disclose sensitive information from one website to a third party.

If you are using Google's Chrome Internet browser, we recommend updating to the newest version as soon as possible.

Online Hotel Booking Fraud
A well-organized online fraud is scamming over 71,000 travelers each month as they book rooms online at some of America's best known hotel chains, including Hyatt, Clarion, TraveLodge, Comfort Inn, Red Roof, EconoLodge, Super 8, Ramada, Days Inn, and Wyndham, according to an exclusive report by FraudTip.com.

Findings released for the first time this morning show that the Internet scam combines advanced online advertising, bogus hotel locators, third-party reservation systems, and Internet browser crimeware to redirect hotel guest traffic to fake versions of well-known hotel chain websites.

The scam casts a big net and is evolving daily, reports FraudTip.com. Affected properties include hotels and suites, budget motels, airport hotels, luxury hotels, resorts, and casinos. Hardest hit are Super 8 Motels, Days Inn, and Ramada, which are owned by Wyndham Worldwide in Parsippany, New Jersey, the world's largest hotel chain. A total of over 50,000 travelers seeking out these hotels are redirected to the bogus sites each month.

Be careful if you are booking hotels online. It might be smarter and more secure to simply call their 1-800 number to ensure you are talking to the actual hotel booking services.

Google Video Search Results Poisoned to Serve Malware
Cybercriminals are constantly looking for new ways to acquire traffic by enjoying the clean reputation of each and every Web 2.0 property, from LinkedIn, Bebo, Picasa and ImageShack, to Twitter.

During the last couple of days, a single group involved in countless blackhat campaigns across the Web started massively targeting Google Video with a campaign that has already managed to hijack approximately 400,000 search queries in order to trick users into visiting a bogus, malware-serving adult web site.

Upon clicking, a Google Video user is taken to a single redirection point (porncowboys .net/continue.php), then to a well-known adult site abused by cybercriminals, where the user is told that “Your Flash Version is too old. Your browser cannot play this file. Click ‘OK’ to download and install update for Flash Video Player” and the malware is served if he or she is tricked into it.

This is yet another twist on this old and obviously effective means of attack. If you are searching for videos on Google, or any other forum, and get redirected, you know better by now than to install a new Flash version, don't you!

Bulletins posted 1/29/2009

Trojan Attack Masquerades As Airline E-Ticket Notice
Security researchers have spotted a new attack designed to fool users into thinking that airline tickets have been purchased with their credit cards.

The attack, which was first spotted as an email from Northwest Airlines, and subsequently as a message from United Airlines, is a realistic-looking "receipt" that contains an attachment bearing the name Your_ETicket.zip or eTicket.zip, according to researchers at security vendor Sophos.

The idea is to fool the unwitting user into clicking on the attachment to get more information on who purchased it, according to Graham Cluley, a researcher at Sophos. "The file doesn't contain a genuine electronic ticket, of course, and your credit card has not been charged," he says. "The hackers are hoping that you will be so affronted at being charged for an airline flight that you haven't booked that you will open the attachment without thinking."

Users who click on the e-ticket file trigger the download of Troj/Agent-IPS, a data-stealing Trojan horse.

The airline ticket disguise isn't new, Cluley notes. A similar scam was detected early last month, and a broader scam took place in the middle of last year. Cluley warns users who receive the messages to keep their cool.

"Although it's understandable that you might panic into thinking that your credit card has been debited without your permission for a flight you don't want or need, you should be cynical enough to smell this for what it is -- a dirty, rotten scam designed to infect your personal computer," Cluley says.

Bulletins posted 1/28/2009

Valentine's Day Worm
As we predicted a couple of weeks ago, PandaLabs, Panda Security's malware analysis and detection laboratory, announced on January 27 that it has detected a new variant of the Waledac Storm worm, the Waledac.C worm, which is using Valentine's Day as bait to spread itself to as many computers as possible.

As is usually the case in this type of attack, Waledac.C spreads by email, trying to pass itself off as a greeting card sent for Valentine’s Day to the targeted user. The email message includes a link to download the card. However, if the user clicks the link and accepts the subsequent file download, they will actually be letting the Waledac.C worm into their computer.

These malicious files have Valentine’s Day-related romantic names such as youandme.exe, onlyyou.exe, you.exe, and meandyou.exe. Once it has infected the computer, the worm uses the affected user’s email to send out spam. To do this, it collects all the email addresses stored on the user’s computer, and sends them an email message like the one above in order to trick other users into downloading the malware strain.

Don't be fooled by these eCard scams. If someone really loves you, they'll send you a REAL card and some flowers! (Chocolate never hurts, either!)

Malware Targeting Users of Pirated Software for Mac
Users of pirated software have a new headache to worry about. For the second time in less than two weeks, malware targeting Mac computers has surfaced on the Web. According to an advisory from Intego, OSX.Trojan.iServices.B is a variant of the iServices Trojan the company found recently targeting pirated copies of iWork 2009.

This time, the malware has its sights set on versions of Adobe Photoshop CS4 downloaded via BitTorrent trackers and other sites containing links to pirated software. “The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program,” Intego’s advisory reads. As of January 25, nearly 5,000 are believed to have downloaded the Trojan, according to the advisory. After downloading this version of Photoshop, users will run the crack application to be able to use it, the advisory continues. The crack application extracts an executable from its data and installs a backdoor in /var/tmp/, which is not deleted when the computer is restarted.

Now, this should be obvious to all of you astute and security-conscious readers - but just in case... DOWNLOADING PIRATED SOFTWARE IS ILLEGAL AND DANGEROUS!! DON'T DO IT!

Hackers Exploit Obama Site to Spread Malware
A social networking site operated by the 2008 Barack Obama presidential campaign is serving up malware to unwary visitors a full week after the tactic was reported, a security researcher said on January 26.

MyBarackObama.com, still active after the recent inauguration of the U.S. President, is being used by hackers trying to dupe users into downloading a Trojan horse, said the vice president of security research at Websense Inc. The criminals have set up bogus accounts and used them to create blogs. When a user reaches one of the fake blogs, a YouTube-like video window is displayed; clicking on that video frame takes the user to a malicious Web site packed with pornography. If the user clicks to view the porn, a message pops up claiming a video codec must be downloaded and installed.

The executable file is no codec, but rather a Trojan horse that hijacks the PC. The cybercrooks do not just try to grab people browsing through MyBarackObama.com, he added; rather, they are actively polluting search engines with the URLs of their bogus blog accounts in an attempt to take advantage of MyBarackObama.com’s reputation and popularity.

There is a lot of excitement about our new President, but don't let that lead you into temptation or bad practices.

Text Message Scams Target Yakima Valley Credit Union Customers
Tens of thousands of people nationwide have received suspicious text messages asking for individuals' banking information. The most recent incident involves the Yakima Valley Credit Union.

The messages state that the recipient’s bank account has been closed due to unusual activity, and ask the individual to call a phone number with bank information. The Yakima Valley Credit Union has been busy fielding calls from concerned customers. The Chief Executive Officer (CEO) and president fielded calls from across the state. The credit union has reported the scam to several agencies, including the Federal Bureau of Investigation, the local police, and the National Credit Union Administration, and posted an alert on its Web site to remind customers that the credit union will never contact customers for sensitive information.

The CEO said most people have not fallen for the scam, but for the few people who have, the credit union has managed to intervene and prevent any money from being stolen from them.

As noted in the past, these types of attacks are becoming more prevalent and this one is close to home. Be aware and be careful.

Special Bulletin posted 1/27/2009

Hackers Steal Details of 4.5 Million in Attack on Monster.com Jobs Site
The personal details of millions of job seekers have been stolen in a very large data theft case.

Monster Worldwide Inc. is advising its users to change their passwords after data, including e-mail addresses, names and phone numbers, was stolen from its database.

The break-in comes just as the swelling ranks of the unemployed are turning to sites such as Monster.com to look for work. The company disclosed on its Web site that it recently learned that its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity and, in some cases, users' states of residence.

The information does not include resumes or Social Security numbers, which Monster.com said it does not collect. Monster.com posted the warning about the breach on the morning of January 23 and does not plan to send e-mails to users about the issue, said a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on January 23. USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach.

----------------------------------------
Last Updated: January 30, 2009
Website Contact: David Matthews

