Wednesday 16 December 2009

Attacks spread malware with help from AppleInsider

Malware purveyors are exploiting web vulnerabilities in appleinsider.com, lawyer.com, news.com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens.

The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites. That's something application security expert Mike Geide doesn't see often. As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected.

"What's interesting ... is the fact that it's embedding iframes to redirect people," Geide, who is a senior security researcher at Zscaler, told The Register. "Typically, cross-site scripting is just that - it embeds script tags so it will embed javascript to run."

The malicious links are blasted out on web forums and typically look something like:

hxxp://lawyers.com/find_a_lawyer/content_search/results.php?sCHRISTINA%AGUILERA%20ANOREXIC%20PICS%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E

The last chunk of text is hexadecimal-encoded HTML that redirects users to ask5 .eu (a space has been added for your protection). A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it's not the most convincing attack we've ever seen, there's nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that's now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks.
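The injection the article decodes, seen from the defender's side, as an added example that is neither the article's nor Zscaler's code: it percent-decodes the query parameters of constructed request-log lines, flags any that decode to markup (including a double-encoded variant), and shows the escaping that would have stopped the reflection. The log lines and the placeholder hosts attacker.invalid and example.invalid are constructed.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed request-log entries (path + query only). The second carries the same
# kind of payload the article decodes: a </title> close followed by an iframe.
# The redirect host is a placeholder, not the one named in the article.
SAMPLE_REQUESTS = [
    "/find_a_lawyer/content_search/results.php?s=anorexic%20pics",
    "/find_a_lawyer/content_search/results.php?s=PICS%3C%2F%74%69%74%6C%65%3E"
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%74%74%61%63%6B%65%72%2E%69%6E%76%61%6C%69%64%3E",
    "/search?q=%253Ciframe%2520src%3D%2F%2Fexample.invalid%253E",  # double-encoded
]

# Tags that have no business inside a reflected search term.
TAG_RE = re.compile(r"<\s*/?\s*(iframe|script|title|object|embed)\b", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoding is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_injected_tags(request_line):
    """Return {param: [tag, ...]} for every query parameter that decodes to markup."""
    query = urlsplit(request_line).query
    hits = {}
    for name, raw in parse_qsl(query, keep_blank_values=True):
        tags = [m.group(1).lower() for m in TAG_RE.finditer(decode_fully(raw))]
        if tags:
            hits[name] = tags
    return hits


def render_results_unsafe(term):
    """The reflection the abused sites did: the search term lands in the page raw."""
    return f"<title>Search: {term}</title><body>Results for {term}</body>"


def render_results_safe(term):
    """The fix: HTML-escape the term so < and > can no longer open or close tags."""
    safe = html.escape(term, quote=True)
    return f"<title>Search: {safe}</title><body>Results for {safe}</body>"


def scan(requests):
    """Return the request lines whose parameters carry injected tags."""
    return [r for r in requests if find_injected_tags(r)]


if __name__ == "__main__":
    for req in scan(SAMPLE_REQUESTS):
        print("suspicious:", req, find_injected_tags(req))
```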

More about the attack is available from the Zscaler blog here.

One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now.

By MG Siegler
TechCrunch.com
December 14, 2009

It's no secret that most people use the same password over and over
again for most of the services they sign up for. While it's obviously
convenient, this becomes a major problem if one of those services is
compromised. And that looks to be the case with RockYou, the social
network app maker.

Over the weekend, the security firm Imperva issued a warning to RockYou
that there was a serious SQL Injection flaw in their database. Such a
flaw could grant hackers access to the service's entire list of user
names and passwords in the database, they warned. Imperva said that
after it notified RockYou about the flaw, it was apparently fixed over
the weekend. But that's not before at least one hacker gained access to
what they claim is all of the 32 million accounts. 32,603,388 to be
exact. The best part? The database included a full list of unprotected
plain text passwords. And email addresses. Wow.

The hacker has posted a sample of what they found. They have blanked out
the passwords for now, but warn, "Don't lie to your customers, or i
will publish everything." As far as we can tell, RockYou hasn't issued a
warning about this to its users yet. We've reached out to the company,
but have yet to hear back.

Not another Stolen Laptop

BBC News
12 December 2009

An investigation is under way after a laptop containing secret data was
stolen from the Ministry of Defence.

It was taken from the ministry's headquarters in Whitehall, central
London in late November, along with a key used to decode encrypted
files.

A spokesman said an investigation by MoD police was ongoing.

Shadow defence secretary Liam Fox said the theft was "extremely
worrying". The incident is the latest in a string of thefts involving
MoD laptops.

Figures from the department earlier this year showed that 28 had been
lost or stolen between 1 January and 11 May.

And last July, the MoD admitted that 658 of its laptops had been stolen
in the past four years.

Bank's antifraud tactics stun security expert: How much do they know?

By Ellen Messmer
Network World
12/14/2009

Checking out of a Hilton hotel in London, security expert Roger Thompson
was told his Visa card had been declined due to suspicions it was
stolen, a situation that only got more disconcerting when he learned the
bank that issued the card had more personal information on him and his
family members than he ever imagined.

In a tale he relates in his blog, Thompson, chief research officer at
AVG, said he was compelled to answer questions on the phone from a
Wachovia Bank representative in its fraud-prevention division to prove
he was really Roger Thompson and not a credit-card thief checking out of
the London hotel.

It turns out Thompson's Visa card was flagged and suspended because he
hadn't told the bank he was travelling overseas, a requirement he didn't
know the bank had. But the "scary bit" about it all, he says, is that
the bank fraud-prevention representative didn't just ask him to give the
correct answers to questions such as his mother's maiden name, which he
had provided to the bank for fraud detection purposes, but also a host
of other questions about his daughter-in-law that he had no idea it
knew.

"I was in shock," Thompson says about what he found out that Wachovia
Bank had stored "at their fingertips" related to his daughter-in-law --
information Thompson thinks the bank may have found out through
Facebook.
