Crimeware kits for sale

May 16th, 2009 1 Comment »

Independent research reports from several different internet security firms are warning about the increased level of technology, sophistication, and organization that criminals are employing in their endeavors to steal, defraud, extort, and otherwise scam individuals and corporate entities for their money. Today’s hacker wannabe doesn’t even have to be particularly skilled technologically. He just has to be willing and able to cough up the money for a good crimeware kit, which can cost upwards of $3000.00 depending on the capabilities desired.

According to Symantec, 3 phishing kits were responsible for over 40 percent of the phishing attacks they observed during a recent 6 month interval. These kits come complete with sample phishing web sites and email messages, and their availability on the black market can be linked to the 53 percent increase in the number of phishing attacks observed during that same period.

Other crimeware kits such as MPack combine multiple attack types, exploiting both web server and client vulnerabilities. Additionally, kits are available that allow criminals to customize Trojans in order to target specific sectors or agencies. Finjan is reporting that these crimeware Trojan kits create new binary files with each use, making signature-based detection extremely difficult. These kits are also capable of generating Command and Control modules for remote control of distributed Trojans, in effect creating botnets.

These kits show all the traits of professionally developed software suites, utilizing the latest web 2.0 programming technologies. This has resulted in skyrocketing infections within the most popular web 2.0 sites, including social networks and P2P file-sharing sites. In fact, according to Websense, 60 percent of the most popular sites on the internet either hosted crimeware, or linked to malicious websites which hosted crimeware during the first 6 months of 2008. Various MySpace hacks for example allowed criminals to view private profiles and capture logon details, enabling the hackers to use the hacked accounts to send spam or host malware.

One of the newest kits available to hackers was discovered by Panda Security in June. It converts traditional Trojans into worms. This means that once a machine is infected with the Trojan, other computers sharing the same network could be infected without the users opening an infected email attachment or visiting a malicious site. Such hybrids spread much more quickly than the original Trojans from which they’re created.

Crimeware kits are distributed to potential buyers, who use private chat facilities to negotiate and consummate the transactions. Sites which host torrent trackers also index many hacking toolkits. Of course, the illegal gangs and cybercriminals have their own distribution and management channels. These organizations seem very much like a cross between modern high-tech business enterprises and mafia-style organized crime. The top managerial tier does not engage directly in hacking activities, but directs middle management layers which control the distribution of crimeware and crimeware kits to lower tiers. These lower tiers are the actual hackers collecting the stolen data, identities, credit card numbers, etc. They also control the botnets which are used to launch attacks, send spam, and expand their networks.

The growing sophistication of crimeware (and the ease with which it can now be developed and deployed), the increased use of blended attacks involving multiple attack vectors, and the continual refinement of the criminal organizations behind cybercrime are all symptoms of the trend away from malware created for glory or anarchistic destruction and toward crimeware geared for stealth and profit.

Sophisticated kits generate custom trojans for stealing data and conscripting into C & C networks (botnets). — Finjan Web Security Trends Report Q2 2008.


Author: Christopher


Blended Attacks on the Rise, Spam Email Still Primary Attack Vector

January 8th, 2009 No Comments »

Spammers continue to refine their methods in an effort to stay ahead of security measures.  At the same time, the profit motivations behind spam are expanding.  Previously, the main reason for sending out spam was to sell something.  Spam is now increasingly part of a “blended” attack, which is a sophisticated coordination of a variety of techniques designed to breach the security of targeted systems, steal data, and take control of the compromised systems by adding them to botnets.

In many cases, the actual malicious code is delivered when a user visits a compromised website which is capable of infecting the user’s computer.  Because of this, security vendors are stepping up their marketing efforts to sell web security devices and software.  The fact is that the majority of these infections occur when a user follows a link received in a spam message.  Security Labs reports that 65 percent of spam contains malicious URLs leading either to compromised web sites or to sites that are created by spammers and fraudsters.

Trend Micro recently reported on targeted attacks on CEOs that began with spam emails.  These emails appeared to contain links to court documents related to subpoena actions.  The links actually led to fake websites, where users were prompted to install browser plug-ins in order to view the files.  The “plug-in” was actually a Trojan which secretly connected to other malicious sites and installed yet more malicious software.

Another recent example was the wave of attacks from the Storm botnet, which consisted of spam emails claiming that the U.S. had invaded Iran.  This message appeared to link to websites where video footage would show some 20,000 U.S. soldiers launching world war three.  The site showed what appeared to be an embedded video player, but clicking on the player button resulted in the execution of malicious code that installed a Trojan on the user’s computer.


Author: Christopher


DNS Exploit at Black Hat

August 8th, 2008 No Comments »

As Dan Kaminsky recently demonstrated at the Black Hat conference in Las Vegas, the DNS security flaw presents a serious vulnerability.  In case there was previously any doubt, he showed just how dangerous to internal networks and the internet at large it is to run un-patched DNS servers.  Even with the patch, the exploit is still possible, just extremely difficult.

The vulnerabilities are not limited to the web, but affect every type of internet service and traffic, including IM, telnet, email, and usenet.  Every protocol relies on DNS servers so that servers and client computers can locate and communicate with one another.  Even HTTPS (web sites using SSL – Secure Sockets Layer) would be affected because the Certificate Authorities who authenticate the certificates rely on DNS.  Note that all major CAs have patched their DNS servers, but of course many sites use self-signed certificates.

Some services have already fallen prey to this exploit, with AT&T being the first publicized victim.  Actually, the victims were the people whose requests were directed to a bogus Google search site because of an un-patched AT&T DNS server.  Fortunately, the bogus site only hosted code to auto-click the adsense advertisements, creating extra revenue for the perpetrators.  It could have been worse, if for example the site had been created to infect visitors with drive-by infections or inducements to download crimeware.

The picture is not completely bleak.  Thanks in part to Kaminsky’s presentation, more organizations are taking the threat seriously and patching their servers.  Also, any SSH-based connections which had been made at least once prior to the exploit would warn users if new connection attempts were made to bogus sites, because of the way SSH keeps digital fingerprints of remote hosts.  So Secure Shell, sftp, scp, and SSH-based VPNs would at least warn users about the change in fingerprints, or deny the connection altogether, depending on the local configuration.
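The host-key check described above is what lets SSH warn a user even when DNS has sent the connection to the wrong machine. The following is an added example, not code from the original post or from OpenSSH: it reads a known_hosts file in the OpenSSH format (both plain and hashed `|1|salt|hmac` entries), looks up the host being connected to, and reports whether the presented key is the remembered one, a changed one, or unknown. The known_hosts contents, host names and key blobs are constructed sample data, and the "ok/CHANGED/unknown" verdicts are this example's own; only the file format and the SHA256 fingerprint format follow OpenSSH.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample key blobs (random bytes standing in for real public keys);
# they are NOT keys belonging to any real host.
_GOOD_KEY = base64.b64encode(b"constructed-ed25519-key-for-bank.example").decode()
_BOGUS_KEY = base64.b64encode(b"constructed-key-presented-by-an-impostor").decode()
_SALT = b"0123456789abcdefghij"  # 20-byte salt, as used by hashed known_hosts lines


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Return the OpenSSH '|1|salt|hmac-sha1' form of a hostname (HashKnownHosts yes)."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form 'ssh-keygen -l' prints (base64 without '=' padding)."""
    raw = base64.b64decode(key_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Yield (host pattern, key type, base64 key) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def _matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against a plain 'a,b,c' pattern or a hashed '|1|...' entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _digest_b64 = pattern.split("|")
        recomputed = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, pattern)
    return hostname in pattern.split(",")


def check_host_key(known_hosts: str, hostname: str, keytype: str, presented_key_b64: str) -> str:
    """'ok' if the presented key is the remembered one, 'CHANGED' if a different
    key of the same type is remembered (the warning the post describes), 'unknown'
    if the host has never been seen."""
    for pattern, ktype, key in parse_known_hosts(known_hosts):
        if ktype != keytype or not _matches(pattern, hostname):
            continue
        if hmac.compare_digest(key, presented_key_b64):
            return "ok"
        return "CHANGED"
    return "unknown"


# Constructed ~/.ssh/known_hosts: one plain entry and one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "bank.example,192.0.2.10 ssh-ed25519 " + _GOOD_KEY,
    hash_hostname("vpn.example", _SALT) + " ssh-ed25519 " + _GOOD_KEY,
])


if __name__ == "__main__":
    for host, key in [("bank.example", _GOOD_KEY), ("bank.example", _BOGUS_KEY),
                      ("vpn.example", _GOOD_KEY), ("new.example", _GOOD_KEY)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

A resolver that has been poisoned can hand the client the wrong address for `bank.example`, but it cannot make the impostor's key match the fingerprint stored on first contact, which is why the "CHANGED" case surfaces as a warning or a refused connection.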

For anyone wishing to know whether or not the DNS server he or she is using has been patched, Dan has published an online DNS checker on his blog at http://www.doxpara.com/.


Author: Christopher


Spam is Back in Full Force

May 1st, 2008 No Comments »

Symantec’s Monthly State of Spam report for March showed an increase in bounced messages, as spammers forge legitimate email addresses and use them in the “From” header of their own spam messages.

Reminiscent of backscatter, spammers are taking advantage of mail transfer agents configured to send back a list of failed recipient addresses, an explanation of the cause of failure, and a copy of the original email. This opens a window for spam attacks, because anti-spam filters do not block most “failed email” replies. Since spammers forge the sender’s address, these bounces are received by people who have nothing to do with the spam.

Corporate networks will feel the greatest burden of the increased attacks: the extra bandwidth consumed and the additional unwanted spam in users’ inboxes will result in lost productivity. Network operators are encouraged to configure their mail transfer agents not to send back a copy of the original failed message, and to require signatures for outgoing emails.
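One concrete form of "signatures for outgoing email" that stops this kind of backscatter is to sign the bounce address itself, in the style of Bounce Address Tag Validation (BATV): outgoing mail is sent with a tagged envelope sender, and any incoming bounce whose recipient is untagged, mis-signed or expired cannot be a bounce of mail we sent and is rejected. The following is an added example, not code from the original post or from any mail server: the tag layout (`prvs=` + key id + 3-digit day + 6 hex digits of an HMAC) follows the BATV draft, while the signing key, the 7-day validity window and the verdict strings are this example's own assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed signing key; a real MTA keeps this secret and rotates it via KEY_ID.
SECRET_KEY = b"constructed-demo-key-rotate-me"
KEY_ID = "0"          # one digit selecting the signing key
VALIDITY_DAYS = 7     # bounces for mail older than this are rejected
_TAG_RE = re.compile(r"[0-9]{4}[0-9a-f]{6}")  # key id, day, signature


def _day_number(d: date) -> int:
    """Day count folded to three digits, as the prvs tag carries it."""
    return d.toordinal() % 1000


def _sig(key_id: str, day: str, address: str, key: bytes) -> str:
    """First 6 hex digits of HMAC-SHA1 over key id, day and the untagged address."""
    return hmac.new(key, (key_id + day + address).encode(), hashlib.sha1).hexdigest()[:6]


def tag_sender(address: str, today: date, key: bytes = SECRET_KEY) -> str:
    """Turn alice@example.org into prvs=0DDDxxxxxx=alice@example.org for the envelope sender.
    Any bounce of this mail comes back addressed to the tagged form."""
    local, domain = address.rsplit("@", 1)
    day = "%03d" % _day_number(today)
    return "prvs=%s%s%s=%s@%s" % (KEY_ID, day, _sig(KEY_ID, day, address, key), local, domain)


def validate_bounce_recipient(recipient: str, today: date, key: bytes = SECRET_KEY) -> str:
    """Classify the recipient of an incoming null-sender (bounce) message.
    Returns 'accept' for a valid, fresh tag, otherwise a reason to reject."""
    local, domain = recipient.rsplit("@", 1)
    if not local.startswith("prvs="):
        return "reject: untagged bounce address (backscatter)"
    try:
        _, tag, orig_local = local.split("=", 2)
    except ValueError:
        return "reject: malformed tag"
    if not _TAG_RE.fullmatch(tag):
        return "reject: malformed tag"
    key_id, day, sig = tag[0], tag[1:4], tag[4:]
    original = "%s@%s" % (orig_local, domain)
    if not hmac.compare_digest(sig, _sig(key_id, day, original, key)):
        return "reject: bad signature"
    age = (_day_number(today) - int(day)) % 1000
    if age > VALIDITY_DAYS:
        return "reject: tag expired"
    return "accept"


if __name__ == "__main__":
    sent_on = date(2008, 5, 1)
    tagged = tag_sender("alice@example.org", sent_on)
    print(tagged)
    print(validate_bounce_recipient(tagged, sent_on))                   # accept
    print(validate_bounce_recipient("alice@example.org", sent_on))      # untagged: forged
    print(validate_bounce_recipient(tagged, date(2008, 5, 20)))         # expired
```

The check runs only for messages with an empty envelope sender (bounces), so ordinary mail to `alice@example.org` is unaffected; the same MTA should also be configured not to include a copy of the original message in the bounces it generates, as the post recommends.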


Author: Christopher


IIS vulnerability spreads like a forest fire

April 24th, 2008 No Comments »

Almost 300,000 web sites hosted with Internet Information Services are infected with new malware, according to PandaLabs. The attack injects SQL code into all pages hosted on the same IIS server, allowing hackers to redirect visitors to a malicious site. The malicious page scans the visitor’s machine to find ways to compromise it. Exploits matching what the scan found are then downloaded and used to infect the redirected visitor.

If your site is hosted with Internet Information Services, it is highly recommended that you check whether your site is compromised. To do so, search your page source for the following injected reference: “<script src=http://www.nihaorr1.com/1.js>”. If this reference is found, remove it immediately and notify your IIS admin right away.
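The check above can be automated, and it generalizes: rather than grepping for one string, list every external host a page loads scripts from, flag the indicator named in the post, and also flag any host not on an allow-list, since a later wave of the same attack would use a different domain. The following is an added example, not code from the original post or from PandaLabs; the `www.nihaorr1.com` indicator comes from the post, while the allow-list hosts, the sample HTML and the file extensions scanned are constructed assumptions.

```python
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlparse

# Indicator named in the post.
KNOWN_BAD_HOSTS = {"www.nihaorr1.com", "nihaorr1.com"}

# Constructed allow-list: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.com", "ajax.googleapis.com"}

# <script ... src=VALUE ...>; the value may be double-quoted, single-quoted or,
# as in the injected tag, left bare. The lookbehind avoids matching data-src=.
_SCRIPT_SRC = re.compile(
    r'''<script\b[^>]*?(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''',
    re.IGNORECASE,
)


def external_script_hosts(html: str) -> List[str]:
    """Hosts of all script tags whose src points off-site (relative srcs are skipped)."""
    hosts = []
    for m in _SCRIPT_SRC.finditer(html):
        src = next(g for g in m.groups() if g is not None).strip()
        netloc = urlparse(src).netloc.lower()
        if netloc:
            hosts.append(netloc)
    return hosts


def scan_page(html: str) -> Dict[str, List[str]]:
    """Split external script hosts into the known indicator and anything unexpected."""
    findings = {"known_bad": [], "unexpected": []}
    for host in external_script_hosts(html):
        if host in KNOWN_BAD_HOSTS:
            findings["known_bad"].append(host)
        elif host not in ALLOWED_SCRIPT_HOSTS:
            findings["unexpected"].append(host)
    return findings


def scan_tree(root: str, suffixes=(".htm", ".html", ".asp", ".aspx")) -> Dict[str, Dict[str, List[str]]]:
    """Walk a web root and return findings only for files that have something to report."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings = scan_page(path.read_text(errors="replace"))
            if findings["known_bad"] or findings["unexpected"]:
                results[str(path)] = findings
    return results


# Constructed sample pages: one clean, one carrying the injected tag.
CLEAN_PAGE = ('<html><head><script src="/js/app.js"></script>'
              '<script src="https://ajax.googleapis.com/x.js"></script></head></html>')
INFECTED_PAGE = ('<html><title>Shop</title><script src=http://www.nihaorr1.com/1.js></script>'
                 '<script src="http://cdn.unknown.example/a.js"></script></html>')

if __name__ == "__main__":
    print("clean:", scan_page(CLEAN_PAGE))
    print("infected:", scan_page(INFECTED_PAGE))
```

Note that the injected reference lives in database content that the pages render, so removing it from the files alone is not enough: the rows it was written into need cleaning as well, and the IIS admin should be told so the injection point itself can be fixed.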


Author: Christopher


Top 3 data loss breaches March 2008

April 13th, 2008 No Comments »

Lifeblood – Memphis, TN
Over 320,000 blood donor records missing and assumed stolen.

Tenet Healthcare Corporation – Dallas, TX
An ex-employee was confirmed to have stolen 37,000 records with patient names and personal information.

Long Island University – Brookville, NY
30,000 tax records are considered compromised because of defective mailers with missing adhesive on one side.

Source: Privacy Rights Clearinghouse


Author: Christopher
