Wednesday, April 30, 2008

Phishing Google AdWords


Customers of Google AdWords, and even some people who aren't, have been the targets of a phishing scam that has continued throughout April with fervor. This used to be a tactic reserved for your banking site, but lately the authors of these phishing scams have begun to find other, indirect routes to drain your savings.
The scam emails arrived in inboxes with subject lines such as:
“Please re-submit your payment information.”
“Account Reactivation”
“Please Update Your Billing Information”
“Your Account with Google AdWords”
“Your AdWords Google Account is stoped.”
“Your ads in this account are not running”
The emails themselves are all very similar and don't have the misspellings that the subject lines do. They claim that your Google ads will cease to run unless your billing information is updated soon. A link in the emails appears to direct you to http://adwords.google.com/select/login; however, if you hover your mouse pointer over the link, you'll notice that it actually sends you to one of various domains hosted on a fast-flux network in China that look more like this: http://www.adwords.google.com.serga01.cn/select/Login. The attackers add “adwords.google.com.” as a subdomain so that the real destination appears to be Google. The part of a hostname that tells you who owns it is what sits right before the top-level domain, here serga01.cn, and everything to the left of that is controlled by whoever registered serga01.cn, not by Google.
AppRiver continues to block all of these attacks.
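The hover-over check described above can be automated. The following is an added example written for this post (not AppRiver's code or anything from the original), using the two hostnames quoted in the text. It also shows the classic mistake a mail filter or link checker can make: testing whether "google.com" appears anywhere in the hostname, which the phish passes, instead of testing that the hostname ends with ".google.com". The "last two labels are the registered domain" rule is an assumption that breaks for zones such as co.uk; production code should consult the Public Suffix List.

```python
"""Spotting the "adwords.google.com.<attacker>.cn" trick.

Added example for this post, not code from the original or from AppRiver.
The hostnames are the ones quoted in the post; treating the last two labels
as the registered domain is a simplification (it fails for co.uk-style
zones, where the Public Suffix List is the real answer).
"""
from urllib.parse import urlsplit


def hostname(url_or_host):
    """Lower-cased host of a URL. Bare hostnames are accepted too."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = urlsplit(url_or_host).hostname   # lower-cases, drops userinfo and port
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return host.rstrip(".")


def belongs_to(host, owner_domain):
    """True only if host IS owner_domain or a subdomain of it.

    The common bug is `owner_domain in host`, a substring test that the phish
    in the post passes; this suffix test does not."""
    host = host.lower()
    owner_domain = owner_domain.lower()
    return host == owner_domain or host.endswith("." + owner_domain)


def registrable_domain(url_or_host):
    """Approximate registered domain: the last two labels (see caveat above)."""
    labels = hostname(url_or_host).split(".")
    return ".".join(labels[-2:])


def link_is_spoofed(display_text, href):
    """True when the URL shown to the reader names one site but the href lands on another."""
    return registrable_domain(display_text) != registrable_domain(href)


if __name__ == "__main__":
    shown = "http://adwords.google.com/select/login"
    actual = "http://www.adwords.google.com.serga01.cn/select/Login"
    print(hostname(actual))                              # www.adwords.google.com.serga01.cn
    print("google.com" in hostname(actual))              # True: the naive substring check is fooled
    print(belongs_to(hostname(actual), "google.com"))    # False: the suffix check catches it
    print(link_is_spoofed(shown, actual))                # True
```

Run against the two URLs from the post, `belongs_to` refuses the .cn host and `link_is_spoofed` flags the mismatch between the text shown and the real target, while the substring test says everything is fine.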

Tuesday, April 29, 2008

Time to Renew Those Fake Certificates


To add insult to injury, a group that has been dubbed the Rock Phish gang, infamous for creating easy-to-use phishing “kits” for sale on the black market, has begun to bundle a Trojan horse named Zeus that will double the odds of success for the criminals. Their kits already let them compromise vulnerable websites and plant fake login pages on them at the click of a button. Now, however, the kit also sends out emails claiming to carry a digital certificate for your banking site. A real digital certificate is a means of establishing the identity of the parties when handling sensitive business online; it is a small block of data your browser handles for you, never a program you are asked to run. Installing this “certificate” instead installs the Zeus Trojan, which is also designed to steal account information. After installation, the fake email directs you to the phishing website, where the attackers can gain even more information from the victims.

Thursday, April 24, 2008

Add "419er" to Your Friends List?


419 scammers have found a new way to reach their targets recently. They've moved to using the ever popular social networking sites to spread their tragic tales of wealth and misfortune. Using sites such as LinkedIn and MySpace, these fraudsters set up fake profiles and spam your inbox with mail from "barristers" alerting you that you are due a 40% cut of $30 million because some wealthy guy died and there's no one else to give the money to. Wow, what are the odds?! Then, of course, they'll inform you that they just need a simple processing fee of two grand to transfer the funds to you, and your account information along with it.
This is actually a pretty good idea on their part, as setting up a profile on these sites doesn't require any check that you are who you say you are, and having a profile may make some of these people appear more genuine. Also, they can send messages through the site all day long without worrying about any of them being caught by a spam filter. That ups the odds that some poor person is going to fall for the scheme. Though I'm not sure how successful they're going to be on MySpace or Facebook, unless there are a lot of 14-year-olds with access to their parents' bank accounts. I'm not saying only 14-year-olds have MySpace accounts, I'm just sayin'. You just took me out of your top 8, didn't you?

Tuesday, April 22, 2008

Th3 p@S$w0rd !$...


So today I'm going to talk about some basics, namely making a password. Many people have very poor password selection and usage habits. Not only do they pick things like their favorite color or their favorite food as their password, but many people use a single password for every one of their accounts. That's bad news! Once someone gets hold of that one, they have control over all of your critical information, and your money. Many password crackers use a technique known as a dictionary attack, which simply works through libraries (dictionaries) of words one at a time, and in different combinations, guessing at your password until it finds the right one. This technique is preferred to others because it is often effective and doesn't take nearly as long as what's known as a brute-force attack, which goes through every possible letter, number, and punctuation combination until it finds the right one. That isn't very efficient: even at trillions of guesses per second, exhausting every 14-character combination from the full keyboard would take millions of years. Shorter ones are obviously much faster to brute-force. Anyway, here are a couple of things to think about when you're choosing a password.

Making a Strong Password

The first step in making a secure password is to think length. Each character you add multiplies the number of combinations an attacker must try by the size of the character set, so security rises exponentially with length. I would never select a password of fewer than 7 characters.

Next, I would want it to appear as nothing more than a random string of characters to anyone who might see it, with a good mix of upper-case and lower-case letters, numbers, and punctuation from all over the keyboard, avoiding sequential or repeated characters.

One popular method is to substitute look-alike characters for letters in your password, such as @ for ‘a’, $ for ‘s’, 1 for ‘l’, zeroes for ‘o’, or the like. There is a risk in relying on this technique alone to obfuscate your password: many password-guessing programs are well aware of these simple substitutions and try them themselves. So if you're still using a common word as the basis for your password, such as “cH0c0!@t3” for the word “chocolate”, you may not be any more secure.

A good trick is a nice long acronym, or partial words from a phrase, to throw off any sort of dictionary-based attack. Take a long sentence you'll remember, such as “I hate making up new passwords”, and turn it into “!h8MunP@$s”.
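To see the difference between the two examples above, here is an added illustration written for this post (not code from the original). It runs a small dictionary attack with the usual case and look-alike mangling against unsalted hashes of both passwords, and works out how long an exhaustive brute-force search takes as the length grows. The word list, the substitution table and the guess rate of one trillion per second are all constructed for the illustration; real crackers use lists of millions of words and far richer mangling rules, so this shows the mechanism rather than the true odds.

```python
"""Why "cH0c0!@t3" falls to a dictionary attack and "!h8MunP@$s" does not.

Added example for this post, not code from the original. The word list,
the leet table and the guess rate are constructed and deliberately small.
"""
import hashlib
import itertools

WORDLIST = ["chocolate", "password", "sunshine", "football", "blue", "pizza"]

# Look-alike swaps a cracker's "leet" rule set tries for each letter.
LEET = {
    "a": ["@", "4"], "e": ["3"], "i": ["1", "!"], "l": ["1", "!"],
    "o": ["0"], "s": ["$", "5"], "t": ["7"],
}


def sha256_hex(text):
    """Unsalted hash, as a careless site might store it."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangled(word):
    """Yield every case/leet variant of word: the candidates a cracker tries."""
    pools = []
    for ch in word.lower():
        pool = {ch, ch.upper()} | set(LEET.get(ch, []))
        pools.append(sorted(pool))
    for combo in itertools.product(*pools):
        yield "".join(combo)


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Return (base_word, guesses_made); base_word is None if the list is exhausted."""
    guesses = 0
    for word in wordlist:
        for candidate in mangled(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return word, guesses
    return None, guesses


def brute_force_years(length, charset_size=95, guesses_per_second=1e12):
    """Worst-case time to exhaust every password of this length.

    95 is the printable ASCII keyboard; 1e12 guesses/s is a generous assumed
    rate. Each extra character multiplies the work by charset_size, which is
    the "exponential" point made in the text."""
    seconds = charset_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("cH0c0!@t3", "!h8MunP@$s"):
        base, n = dictionary_attack(sha256_hex(pw))
        result = f"cracked from '{base}'" if base else "not found"
        print(f"{pw!r}: {result} after {n} guesses")
    for length in (7, 10, 14):
        print(f"{length} chars: {brute_force_years(length):.3g} years to exhaust")
```

On this tiny list "cH0c0!@t3" is recovered from "chocolate" in a few thousand guesses, which a real cracker does in well under a second, while the phrase-derived password survives the whole list. The brute-force figures show the other half of the argument: 7 characters fall in about a minute at the assumed rate, 10 take a couple of years, and 14 take longer than anyone will wait.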

Password Management

Another strong habit is never to use the same password twice. You surely wouldn't want to use the same password for your bank account that you use for your MySpace or Facebook account; you may as well just send me your money. Feel free to email me for how to make out the check.

Once you realize you're using 13 different programs a day that require log-ins and passwords, you'll see that remembering which password goes with what gets pretty tedious. That's where a password manager comes into play.

Password managers remember all of your log-ins and passwords for you, and they keep them encrypted, either on your machine or on a USB device the manager runs from. Many also claim to be keylogger-proof by offering an on-screen sign-in so you don't have to touch the physical keyboard at key moments. Keep in mind that the manager's master password becomes the one password that unlocks everything else, so it needs to be the strongest one you own.

Even though it's nearly impossible to make anything 100% secure, by using multi-layered security practices, beginning with your password, you will make it much harder for anyone to get hold of your private data and information.

Friday, April 18, 2008

Vladuz Arrested!


Infamous eBay hacker Vladuz was arrested yesterday morning in Romania. After Romanian police were finally able to trace an IP address to him, they raided his apartment at 6 a.m. In an attempt to destroy evidence he threw three laptops out of his sixth-floor window as the raid began.
Vladuz has been on quite a spree over several years, often posing as an eBay admin in the company's forums and gaining access to eBay servers that contained just enough information to keep him dangerous. He made big news when he publicly posted names, account information, and credit card numbers for hundreds of eBay users in the public eBay forums. eBay maintains that he had far less access than he claimed, saying that the customer information he did obtain came through elaborate phishing campaigns and not from eBay's internal servers. Here is a posting I wrote about him back in October of last year, just after he had briefly broken into one of eBay's externally visible servers and temporarily suspended the accounts of many eBay users ---> here it is, and here is the official arrest press release ---> here that is.

Wednesday, April 16, 2008

You've Been Served


No, not in a gritty abandoned-warehouse dance competition, but with a subpoena! Not the newest in concept, but clever in technique, a new phishing scheme is hitting corporate inboxes this week.
These emails target corporate executives with identity theft in mind. Each email is addressed to the recipient by name and includes the name of their business and their telephone number. It purports to be a subpoena ordering the recipient to appear in court over allegations filed against them in a California court, and it includes a link to view the subpoena. Once clicked, the link sends the browser to a page claiming that an add-on must be downloaded in order to view the document. Those who agreed were shown a PDF resembling a lawsuit filed in a California district court. They were also given the gift of malware designed to log all of the victim's banking activity. Once the victim accessed their personal or corporate bank accounts, the cyber-crooks could quickly withdraw as much money as possible. The tell here is the same as ever: no legitimate document needs a "viewer" downloaded from the very site that is showing it to you.
The code used in this attack is nothing more than a cut-and-paste job of several exploits that can be found around the interweb. Clearly these attackers, who were traced back to Romania, were no master programmers; more like business majors, since they were smart about how the money was handled after it was stolen. Instead of being pulled out and sent to a single location, the money was routed through many different accounts to keep anyone from easily reversing all of the transactions, and each attack was designed to happen quickly, within a day's time.
"That's the real long term danger here, because in each attack they get between 200 and a thousand victims, and all of [the victims] have some level of access to corporate data," says Matt Richard, director of rapid response for iDefense. "How the crooks are going to use it and what they're going to do with it is the big danger."

Monday, April 14, 2008

Portable Malware


Remember back in the day when you used to have to trick a friend into loading your crudely written Blue Screen of Death (or BSoD) virus by writing Zork on the 5.25" label? That was good stuff. Too bad malware has moved from a bunch of pranks served up by the l33t h4x0rs as a lesson to the noobs out there to a thieving crime ring. That kinda ruined it for everybody.
In past years, malware authors' infection vectors relied mainly on the internet and email to get their payload onto a victim's machine. Recently, after several reports of big companies somehow shipping malware pre-loaded on their digital devices, it has become a concern that malware writers have found a new-ish way to deliver their viruses.
Portable media, especially USB sticks, have become a very popular way to spread malware. Whether by a pre-packaged infection or by an already-infected machine that seeks out any portable media plugged into it, the AutoRun feature Windows applies to many of these devices creates an issue we'll surely be seeing more about: the system reads an autorun.inf file from the root of the drive and launches whatever program it names, no clicks required. Turning AutoRun off for removable drives, through Group Policy or the NoDriveTypeAutoRun registry value, closes that door.
According to EFYtimes, USB-distributed malware accounted for 10.3% of all malware detected in the month of March. That's a pretty big number, relatively speaking. Given that most people don't think of their USB drives as a dangerous place, this percentage certainly has the potential to grow.

Wednesday, April 9, 2008

Unleash the Kraken


As some of you may have already heard, there is a new heavyweight botnet on the scene, and it's being dubbed "Kraken". Researchers at Damballa, a start-up anti-botnet company out of Georgia Tech, have been doing most of the productive research on Kraken. They state that they have evidence of Kraken being around 400,000 PCs strong. That's a lot of spam! They also state that Kraken still goes undetected by 80% of the industry, "evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis".
Unlike the Storm Worm, which basically pioneered peer-to-peer communication for botnets, Kraken uses the old command-and-control (C&C) technique, but with a twist. This botnet uses dynamic DNS to communicate and receive commands, so that the entire botnet isn't lost if the original command computer is taken offline. The bots are instructed to contact a particular domain name instead of a static IP.
The biggest twist in this set-up is that if one of Kraken's domain names is shut down and a bot can't reach it, the bot is programmed to generate a new one on the fly, using a routine built into its code. Damballa claims to have reverse-engineered that routine, so now they know which dynamic DNS names will be used in the future to control the botnet. They can reserve those names ahead of time, and when the botnet gets around to using them, the bots will report to servers Damballa controls. At that point they have created "sinkholes": the bots check in with Damballa's computers for analysis, but the sinkholes never issue commands back.
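The mechanics of that cat-and-mouse game are easier to see with a toy version. Below is an added example written for this post, not Kraken's actual algorithm (which the post does not describe) and not Damballa's code. Both sides run the same deterministic routine: the bot derives the day's candidate hostnames and contacts the first one that resolves, and a defender who has recovered the routine pre-computes the names for the coming days and registers them as a sinkhole. The seed, the reserved example.* zones standing in for dynamic-DNS providers, and the dictionary standing in for DNS are all constructed.

```python
"""A toy domain-generation scheme and how a defender sinkholes it.

Added example for this post; not Kraken's real algorithm and not Damballa's
code. Seed, zone names and the fake "DNS" are constructed for illustration.
"""
import hashlib
from datetime import date, timedelta

SEED = b"constructed-botnet-seed"                       # a real bot bakes this into its binary
ZONES = ["example.com", "example.net", "example.org"]  # stand-ins for dynamic DNS zones
NAMES_PER_DAY = 4


def rendezvous_names(day_iso):
    """Bot and defender both run this: the day's candidate C&C hostnames, in order."""
    names = []
    for i in range(NAMES_PER_DAY):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:12]}.{ZONES[i % len(ZONES)]}")
    return names


def bot_find_controller(day_iso, dns):
    """Bot side: walk the day's list and talk to the first name that resolves.

    `dns` maps hostname -> whoever registered it; a missing key is NXDOMAIN."""
    for name in rendezvous_names(day_iso):
        if name in dns:
            return name, dns[name]
    return None, None


def build_sinkhole(start_iso, days):
    """Defender side: once the routine is known, pre-register every name the bots
    will look for over the coming days and point them all at a sinkhole."""
    start = date.fromisoformat(start_iso)
    plan = {}
    for n in range(days):
        day_iso = (start + timedelta(days=n)).isoformat()
        for name in rendezvous_names(day_iso):
            plan[name] = "sinkhole"
    return plan


if __name__ == "__main__":
    today = "2008-04-09"
    names = rendezvous_names(today)
    dns = {names[0]: "attacker-c2"}              # attacker registered today's first name
    print(bot_find_controller(today, dns))        # bot reaches the attacker

    dns.pop(names[0])                             # that one name is taken down...
    print(bot_find_controller(today, dns))        # ...and the bot finds nothing today

    dns.update(build_sinkhole("2008-04-10", 7))   # defender pre-registers the next week
    print(bot_find_controller("2008-04-12", dns)) # from now on the bot reports to the sinkhole
```

Taking down a single name only buys a day; what makes the sinkhole work is that the generation routine is deterministic, so whoever holds the algorithm and registers names first wins. In the real case that is exactly why Damballa's reverse-engineering mattered more than any one takedown.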

Thursday, April 3, 2008

S.P.A.M. Experiment


I just read about an interesting experiment being run by my friends over at McAfee. They call it the S.P.A.M. Experiment: they've signed up volunteers from all over the world, sent them new laptops, and encouraged them to do everything they've told people not to do in the past, welcoming spam and the evil websites attached to it. They're out to show exactly how ruthless and evil these cybercriminals are.
The participants are blogging daily about their experiences, and although it's only a day old, they're already, go figure, receiving what they set out for. This experiment could prove pretty interesting, with malware infections in many of their futures. I'll give them 3 days before the first infection. Check it out ---> S.P.A.M. Experiment

Tuesday, April 1, 2008

Backscatter

Understanding Internet Clutter and Congestion Part 2
Welcome back to part 2 of my several-part series on things that confuse, annoy and wipe out system resources. Today I want to explain a silent killer of resources that is still very much a current issue, known as "backscatter".

In an attempt to make sure their spam reaches as many inboxes as possible, spammers are currently using very large botnets to send out massive amounts of unsolicited email. That's nothing new in itself, but this time there's a twist. The spam, even though it was originally sent out by the spammers' botnets, is actually being delivered by more-or-less innocent domains via deflection, or what's known as "backscatter".

Once upon a time it was pretty safe, and dare I say a courtesy, to return a message to a sender who had made a typo in the recipient's email address, or just plain got it wrong, saying "Sorry, I couldn't find that user." These messages are called NDRs, for Non-Delivery Reports.

However, times have changed and mail servers have to be leaner and meaner. Imagine, if you will, how these NDRs behave in the face of a typical spammer's dictionary attack. Here a dictionary attack means brute-forcing through a sequence of plausible strings (in this case, email addresses) that have a chance of matching. Spammers (and viruses) will often use this technique to spam a domain by simply trying to deliver mail over and over to every conceivable username at that domain. The problem this creates with respect to NDRs from the receiving mail server is twofold:

Resource/bandwidth utilization: simply put, it takes a lot of resources to handle these completely illegitimate messages. Aside from the fact that they are spam, they are addressed to users who don't even exist. The mail server is forced to accept, queue, process, and send a reply in response to every single one.

More importantly, spammers and viruses are rarely so polite as to include a legitimate sender's email address. Instead, they forge return addresses at legitimate domains so that the original email appears to come from there. So when a mail server configured to return NDRs for invalid users receives spam, it does the spammer a favor by delivering that same piece of spam, wrapped in a bounce, to the forged return address. That is the definition of "backscatter", and it is a big problem. It has another benefit for the spammer: the bounce arrives from your server's IP, not the botnet's, which masks the original sender and prolongs the life of the botnet.

Solution: mail server administrators everywhere can prevent this fairly easily by configuring the server to reject mail for unknown users right off the bat, at the SMTP "RCPT TO" command with a 550 response, rather than accepting, queuing and generating NDRs. Any modern mail server can be configured this way; Postfix does it by default once local_recipient_maps lists your users (smtpd_reject_unlisted_recipient), and Exchange calls the same idea recipient filtering. One caveat: if a gateway or relay in front of your server accepts everything and forwards it, the gateway needs the list of valid recipients too, or it simply becomes the backscatter source instead. It's a win-win situation for everyone else.
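To make the two behaviours concrete, here is an added simulation written for this post (not code from the original or from any real MTA). It models only the RCPT TO decision of a mail server and runs the same spammer's address-guessing session, with a forged MAIL FROM, against a server that accepts everything and bounces later and against one that rejects unknown users during the transaction. The user directory, the forged sender and the guessed names are constructed; the reply codes follow normal SMTP convention.

```python
"""Backscatter, simulated: one address-guessing spam run, two RCPT TO policies.

Added example for this post; not code from the original or from any real MTA.
The mailbox list, forged sender and guessed usernames are constructed.
"""

DOMAIN = "example.com"
VALID_USERS = {"alice", "bob"}        # constructed list of mailboxes that really exist


class MailServer:
    """Just the RCPT TO decision of an MTA, plus a record of what it sends afterwards."""

    def __init__(self, reject_unknown_at_rcpt):
        self.reject_unknown_at_rcpt = reject_unknown_at_rcpt
        self.accepted = []    # (mail_from, rcpt) queued for delivery to real mailboxes
        self.bounces = []     # (from, to) NDRs this server generates on its own behalf

    def rcpt_to(self, mail_from, rcpt):
        local, _, domain = rcpt.partition("@")
        if domain == DOMAIN and local in VALID_USERS:
            self.accepted.append((mail_from, rcpt))
            return "250 2.1.5 Ok"
        if self.reject_unknown_at_rcpt:
            # The sending side hears "no" inside the SMTP transaction. Nothing is
            # queued, so there is nothing to bounce and nobody to bounce it to.
            return f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown"
        # Legacy behaviour: say yes now, discover the bad address later, and mail an
        # NDR to whatever MAIL FROM claimed, which for spam is a forged, innocent address.
        if mail_from:  # the null sender <> is the one address you never bounce to
            self.bounces.append((f"MAILER-DAEMON@{DOMAIN}", mail_from))
        return "250 2.1.5 Ok"


def dictionary_spam_run(server, forged_sender, guessed_locals):
    """Spammer side: one RCPT TO per guessed username, all with the same forged sender."""
    return [server.rcpt_to(forged_sender, f"{g}@{DOMAIN}") for g in guessed_locals]


if __name__ == "__main__":
    guesses = ["alice", "aaron", "abby", "adam", "bob", "brian"]
    victim = "someone@innocent-domain.example"      # constructed forged MAIL FROM
    for policy in (False, True):
        srv = MailServer(reject_unknown_at_rcpt=policy)
        replies = dictionary_spam_run(srv, victim, guesses)
        print(f"reject at RCPT TO={policy}: replies={[r[:3] for r in replies]}, "
              f"NDRs sent to {victim}: {len(srv.bounces)}")
```

With the legacy policy every guess gets a 250 and the innocent forged address receives one bounce per bad guess, each carrying the spam; with rejection at RCPT TO the spammer gets a 550 per bad guess, nothing is queued, and the forged address never hears from you at all.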

Here is another great article on backscatter:

http://www.spamresource.com/2007/02/backscatter-what-is-it-how-do-i-stop-it.html

As well as a great list of resources in order to configure your mail server:

http://www.spamlinks.net/prevent-secure-backscatter.htm#reject