Thursday, May 29, 2008

Adobe Flash Exploit in the Wild


Mass SQL injection, which has become the new trend in online infection, has now led to the delivery of a brand new zero-day exploit involving Adobe Flash Player. IPs associated with recent waves of these SQL injection attacks have been linked to the sites serving up the Flash exploits, thereby tying the two together, Dancho Danchev writes.
The exploit affects Adobe Flash Player version 9.0.124.0 and earlier, which is all of them. It redirects browsers to a site hosted in China where malware is downloaded and installed. Adobe is aware of the problem but has yet to send out a patch or a report; I'm sure it'll be here soon. In the meantime, it would appear that most of the major AV companies have rules in place to block these infected sites. Even so, it may be a good idea to turn off Flash in your browsers until a patch is released, as any legitimate site could quite possibly be infected at some point; you know, better safe than sorry. It's easy enough to configure IE to disable Flash; in Firefox, you will need an add-on such as "FlashBlock" or "NoScript". The latter will also allow you to disable other scripts fed to you through your browser, such as JavaScript and Java, as well as Flash.

Friday, May 23, 2008

Spear Phishing Campaigns Pose as the Gov't (again)

Just last month we saw a spear phishing campaign come through that was disguised as a subpoena to appear in a California court over what was alluded to as poor business practices. Now, as of a day or two ago, these phishermen have a new campaign posing as the US Tax Court, targeting individuals and even "other" governmental organizations. These fake "Notice of Deficiency" emails are being personalized for their targets. They are addressed specifically to an individual whose name appears again in the body of the petition as the respondent. The email, as usual, contains a link to a supposed U.S. Tax Court or sometimes an IRS website where you can view details of your case. If you're using any browser other than Internet Explorer, you will be given a notice that the site can only be viewed with IE, along with a real link to Microsoft so you can download it, come back, and try again.

Once you reach the site with Explorer, the site attempts to install "security certificates", because you wanna be safe, right?! These certs actually turn out to be the malware, and much like the subpoena run, they turn out to be keylogging software which will efficiently begin stealing your critical information, or, hopefully in their eyes, your business' banking info.
Like last time, AppRiver caught these early, so you can continue breathing easy.

Thursday, May 22, 2008

More Arrests in Romania


There has always been a problem dealing with international cybercrime, and it usually stems from the inability to work with other countries for one reason or another. Whether the countries in which the crime originates don't have laws against cybercrime, have poor relations with the US, or the government is even harboring the criminals in some way, it has always been a difficult task bringing the criminals to some sort of justice. You can definitely compound that problem if several countries are involved!
Luckily that has begun to change, at least a little. If you recall, recently the hacker that was a thorn in eBay's side, Vladuz, was arrested in his apartment in Romania, and with more help from Romanian authorities, a large cybercrime ring was taken down recently.
Before cybercrime became a giant organized underground mafioso business, it was done in basements, often by individuals and not groups. All that has changed, as you'll realize reading this description of how the illegal business worked out for the recently arrested.

According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet chat messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point-of-sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wired to the supplier who had provided the access-device information.
The process has definitely become more elaborate, and a lot more frightening, but at least the authorities involved here are beginning to put a dent in it. I wish them luck.

Wednesday, May 21, 2008

MySpam Goes to Court (sorta)


The online social networking community MySpace was apparently fed up with all of the spam that was winding up on user pages and in inboxes. Representatives from MySpace found out who was sending the majority of it and took them to court. The guilty parties, Sanford Wallace and Walter Rines, ended up losing and were given the largest fine in CAN-SPAM history when they didn't even bother showing up for court.
The two were accused of setting up fraudulent accounts, and/or stealing existing ones, to spam out over 700,000 messages selling ringtones and porn, not at the same time of course. It is estimated that the two made around $500,000. I hope they had a chance to enjoy it, because the US District Court for the Central District of California ordered the two to pay $300 per click plus damages, amounting to around $234 million! Oops, that could be a problem for them, unless of course Sanford "Spamford" Wallace has been saving his pennies from his other sketchy activities to cover the bill.
In the early '90s Wallace had a brush or two with the law for junk faxing, where he cut his teeth. He later started a company based in Philadelphia known as "Cyber Promotions", a heavy hitter on the spam scene. He then graduated on to such exciting court appearances as Cyber Promotions v. AOL, Cyber Promotions v. CompuServe, and Cyber Promotions v. Earthlink, to name a few. I'm sure mom's so proud.
I'm guessing he's likely cashing in his chips, and leaving the country to start over, if he hasn't already. Hopefully authorities have already planned for that, and have their collective eyes on both of them.

Tuesday, May 20, 2008

Storm Loves You


The Storm Worm has made its monthly appearance, you'll be happy to know. Starting yesterday, the worm, which is now in its second year, began serving up simple emails with links to infected sites. The emails all had a theme of love, with subject lines such as:
Magic Power of Love,
When Love Comes Knocking,
Love You,
With Love,
My Heart Beats Just for You,
Poem of Love,
as well as several more. Seems like it may be using some leftovers from February. The bodies of the emails were similar in that they contained a one-liner about something deep and heartfelt, and a link to an IP where the malware is kept.
There is a difference in this campaign. The Storm team decided to use sites infected with iframe injections to deliver the payload this time. iframe infection has gotten pretty popular this year, and this is the first time Storm has used it to my knowledge. This type of infection was first made popular by the underground mass exploit tool MPack, and involves attacking websites that use MySQL on the back end and PHP on the front. The exploit is automated, and takes along with it a list of website admin account credentials, which are quite possibly obtained on the black market, and/or other MySQL exploits, in order to get in through the website's database. It then injects the iframe into the website. The iframe itself is invisible, and instead acts as a sort of placeholder for code that forces the victim to unknowingly download the malware when they visit the infected site. These sites, since they are meant for other, non-malicious purposes, allow the infection to take place without suspicion.
Coincidentally the malware being used this time is an executable by the name of "iloveyou.exe", so sweet.
You'll be happy to know that AppRiver loves you too, so we've decided to go ahead and block this new band of Storm(s).
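Since the injected iframe described above is sized or styled to be invisible, a site owner can sweep their own pages for that signature. The following is an added example, not code from the original post or from AppRiver; the sample page, its addresses (RFC 5737 documentation ranges) and the size/CSS heuristics are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page (not a real infected site): one ordinary iframe
# and two of the kind an injection leaves behind. Addresses come from the
# RFC 5737 documentation ranges and are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our shop</h1>
<iframe src="https://example.com/embedded-map" width="600" height="400"></iframe>
<p>Latest news...</p>
<iframe src="http://192.0.2.10/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://203.0.113.5/x.html" style="display: none"></iframe></div>
</body></html>"""


def _is_tiny(value):
    """True for a dimension of 0 or 1 (pixels), the usual size of a hidden iframe."""
    return value.strip().lower().rstrip("px").strip() in ("0", "1")


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every <iframe> that is sized to be invisible
    or hidden through inline CSS (heuristic chosen for this example)."""

    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # HTMLParser already lowercases tag and attribute names.
        a = {name: (value or "") for name, value in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden_by_css = "display:none" in style or "visibility:hidden" in style
        hidden_by_size = _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", ""))
        if hidden_by_css or hidden_by_size:
            self.suspicious.append(a.get("src", "(no src)"))


def find_hidden_iframes(html):
    """Return the src of each iframe in the document that a visitor would never see."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.suspicious


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE):
        print("hidden iframe pointing at", src)
```

Run it over the HTML your web server actually returns (a saved copy of each page), since the injected markup lives in the database-backed content rather than in the template files; any hit is worth comparing against what the page is supposed to contain.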

Friday, May 16, 2008

Debian Vulnerability Update

Users have begun to post helpful scripts in order to test your Debian system for weak keys. Here's one.
Also make sure to check out HD Moore's work to plug the holes here.

Thursday, May 15, 2008

Major Linux Vulnerability Now Available


It would appear that if you're running a server on either the Debian or Ubuntu distributions of Linux, you'll need to hurry up and renew all of its crypto keys and certificates. On Tuesday the team behind Debian announced the vulnerability and released a patch; however, your keys and certificates will need to be regenerated, as the old ones can be easily brute forced in what would only take an hour or two, tops.
"All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied," the advisory states.
The problem in the unpatched version greatly reduced the number of possible keys generated by the OpenSSL code, and even though the problem was with the OpenSSL code, that same code is used to generate keys for other programs such as OpenSSH and OpenVPN, and for SSL certificates.
Re-signing these keys may be a little time consuming, as you'll have to go through the entire process again and, quite possibly, pay for them all again.
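Because the weakened generator could only produce a small, enumerable set of keys, the practical check (the one the scripts mentioned in the May 16 update perform) is to fingerprint every key you accept and compare it against a blacklist of known-weak fingerprints. The following is an added example, not one of those scripts and not Debian's or AppRiver's code: the authorized_keys contents, the key blobs and the blacklist are all constructed here, and it assumes a blacklist keyed on the full hex MD5 fingerprint of the decoded key blob (a simplification of the real blacklist format).

```python
import base64
import hashlib

# Constructed sample data (not real keys): the base64 blobs are arbitrary
# bytes standing in for the key material of an OpenSSH public key line.
WEAK_BLOB = base64.b64encode(b"constructed blob standing in for a weak key").decode()
GOOD_BLOB = base64.b64encode(b"constructed blob standing in for a healthy key").decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys file for the example
ssh-rsa {GOOD_BLOB} alice@workstation
ssh-rsa {WEAK_BLOB} deploy@debian-etch
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def split_key_line(line):
    """Split an authorized_keys/.pub line into (type, base64 blob, comment),
    skipping any leading options such as from="..." or command="...".
    The whitespace tokenizer is deliberately simple; it copes with quoted
    options because it only looks for the key-type token."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("not an OpenSSH public key line: %r" % line)


def fingerprint(pubkey_line):
    """Hex MD5 fingerprint of the decoded key blob, the fingerprint form
    OpenSSH displayed at the time (assumption: the blacklist uses the full digest)."""
    _, blob, _ = split_key_line(pubkey_line)
    return hashlib.md5(base64.b64decode(blob)).hexdigest()


# A blacklist is a set of fingerprints of keys known to come from the
# crippled generator. Here it is constructed from the sample "weak" line.
WEAK_FINGERPRINTS = {fingerprint("ssh-rsa " + WEAK_BLOB)}


def find_weak_keys(authorized_keys_text, blacklist):
    """Return (line number, fingerprint, comment) for every key in the file
    whose fingerprint is on the blacklist. Blank and comment lines are skipped."""
    hits = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, _, comment = split_key_line(line)
        fp = fingerprint(line)
        if fp in blacklist:
            hits.append((lineno, fp, comment))
    return hits


if __name__ == "__main__":
    for lineno, fp, comment in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print("line %d: key %s (%s) is blacklisted, replace it" % (lineno, comment, fp))
```

The same loop applies to host keys and to every user's authorized_keys on a server; a match means the key must be replaced and the old one removed, since patching OpenSSL alone does nothing for keys that already exist.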

Tuesday, May 13, 2008

Gmail's Open Relay


The Information Security Research Team (INSERT) has discovered a little security flaw in Gmail which allows for the open relaying of spam through Google's own SMTP system. Essentially, it allows spam senders to bypass major blacklists and whitelists and Gmail's 500-address limit, and gives them the ability to forge all fields within the email, simply by tricking Gmail's SMTP servers into acting as an open relay.
It would seem that major free email providers, such as Hotmail and Yahoo, give special treatment to email that routes through Gmail's mail servers. This allows every piece of mail that is simply pushed through Gmail, no matter where the forged (or genuine) headers say it comes from, to pass unhindered and be delivered directly to inboxes.
The exact method that is used has obviously not been disclosed, but a man-in-the-middle type attack has been mentioned. INSERT has contacted Google about this flaw, and I'm assuming they will likely close this one up pretty quick, so spammers should enjoy this one while it lasts.

Friday, May 9, 2008

More Fake Digital Certificates


Always pioneers in their field, malware authors have begun to use the lure of security to infect victims. The first attack in this manner came through a couple of weeks ago claiming to be from Comerica Bank. It arrived as an email claiming that you needed to renew your digital certificate with them before it expired. The link in the email would instead download and install the Zeus Trojan.
This week they began sending out emails claiming to be from Merrill Lynch, announcing that their online business center is implementing changes that will make your transactions exponentially more secure. The email includes a link to what's supposed to be the new Merrill Lynch business portal. Once you navigate to the bad site, which is well crafted, you'll see a good amount of information on the new "changes", your system requirements, and a colorful array of browser and PDA icons at the bottom. You will also see three links, two that supposedly direct you towards information, and a third for you to download your new extra super safe "E-Certificate". I found, however, that it wasn't really necessary to click on any of the links, as the trojan download begins automatically just by visiting the site. It is slightly delayed; I'm assuming that's to allow you to read a little bit of the page without startling you with an in-your-face download.
This is a new wave of attacks from the old Rock Phish gang. These guys became infamous when they first hit the scene last year by distributing easy to use phishing "kits". These kits would, with a couple of clicks of the mouse, and some very minor configuring, quickly infect tons of exploitable websites with their well copied fake bank login screens. Back then they would simply spam out emails directing you to their sites, now with Rock Phish v.2, the kits feature the Zeus Trojan that's designed to steal critical information as well as direct victims to the infected site where you can volunteer your banking information.
Don't fear, though, AppRiver actively searches for and blocks links to phishing sites, as well as these phishing emails. Just remember never to begin a banking session with a response to an email. Always close everything, and go directly to your bank's site and look for a secure connection indication. These fake "digital certificates" certainly attempt to feign security, but your bank will never ask you to install software in order to use your account.

Wednesday, May 7, 2008

P2P Malware Still on the Rise


McAfee has been reporting over the past couple of days about how more and more PCs are being infected due to the overwhelming amount of malware posing as actual media on peer-to-peer networks. This certainly isn't anything new; P2P networks such as Limewire or Kazaa have been an easy spot to distribute malware for a very long time now. It's a simple concept really, just let them come to you, an ambush tactic.
The distributors of this malware simply make their trojans appear to be what you're looking for by titling the virus with whatever search term you happen to be looking for. This particular trojan that McAfee is reporting on fails to run as the media it pretends to be, and instead prompts you to open or save the file PlayMP3.exe. From there it starts to pose as a sort of media organizer/player, but in fact has no functionality in that sense. It was instead meant to install adware onto the victim's PC. Once your browser is restarted you'll notice a new banner at the top thanking you for installing their product.
P2P networks are, in general, not a very safe place, not to mention full of illegal media. It's also very possible for someone with some creative search techniques to get some pretty critical information through these places, as a lot of people out there have their clients misconfigured and end up sharing more than they mean to, or even know about. This is an easy one: I'd recommend just staying away from these sites for safety reasons as well as the legality issues.

Tuesday, May 6, 2008

Cuidado, Achtung: Faux Stimulus!

Well, I'm sure most of us saw this coming the moment we heard they were on their way. The economic stimulus checks issued by the IRS began going out this month, and with them, here come the fake ones. Emails began arriving this morning claiming to be from the IRS and providing a link to claim your stimulus check. Everyone knows that these checks will be sent to you without having to answer an email, right? Ok, good, I'll continue. Here's what the emails look like; they've gotten pretty good at making them look official.

Once you click on the link, they'll take you to a site that also looks kind of official, except for the redirect you'll notice in your browser's address bar as you arrive. Here you'll see the online form with a couple of radio buttons where you input your filing status, and your pre-determined stimulus refund amount, which is always $1500. Hmmm, I thought these were going to be in $600 increments, oh well.

Ok, finally, when you move on from this page, the scammers stop playing around and get down to business. They just need a little info in order to transfer the money to your account. No, not the routing number or account number; they want your credit card info, the name of your bank, and even your ATM PIN.

These sites do look good overall, enough to possibly fool some people, but with a little common internet savvy, you'll be able to avoid these kinds of scams. Also, once again, I must add that AppRiver is currently blocking all of these attacks.