American Express 'forgotten user ID' spam mail leads to BlackHole Exploit Kit

NSS Labs has spotted a phishing campaign targeting American Express customers. The phishing emails ask users if they have recently reset their password, or verified their user ID for their American Express Card account online.

“Did you recently verify your User ID or reset the password that you use to manage your American Express Card account online?” reads the malicious notification.

Unlike a typical phishing mail, which leads to a credential-harvesting form, the link in this mail leads to a website hosting a variant of the Blackhole exploit kit.

The Blackhole exploit kit exploits known vulnerabilities in Java, Adobe Reader and other client software. After successfully exploiting one of them, the site installs a Trojan downloader on the victim's system.

Once the Trojan downloader has been installed, anything from fake security products to keystroke loggers to eavesdropping software can follow.
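One check a mail gateway or an analyst can run against a lure like this one: extract every anchor in the HTML body and flag links whose visible text names the brand's domain but whose href points somewhere else. This is an added example, not NSS Labs' analysis or code from the campaign; the sample message below is constructed and the attacker host in it is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the lure text; the href host is a placeholder.
SAMPLE_MAIL = """
<p>Did you recently verify your User ID or reset the password that you use to
manage your American Express Card account online?</p>
<p>If not, please <a href="http://example-attacker.invalid/amex/index.php">
log in at americanexpress.com</a> to review your account.</p>
<p>Questions? Visit <a href="https://www.americanexpress.com/">americanexpress.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for brand matching in a demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html_body, brand_domain="americanexpress.com"):
    """Return hrefs whose link text mentions the brand but whose host is another domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if brand_domain in text.lower() and registrable_domain(host) != brand_domain:
            suspicious.append(href)
    return suspicious


if __name__ == "__main__":
    for link in find_mismatched_links(SAMPLE_MAIL):
        print("suspicious link:", link)
```

The second link in the sample, whose text and host both resolve to americanexpress.com, is left alone; only the link whose text says americanexpress.com while its host is the placeholder attacker domain is reported.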

Find & Call : malicious iPhone App Found in Apple's iTunes Store


Kaspersky's recent report on a malicious iPhone app has spread across the Internet like wildfire. Security experts began debating after Kaspersky Lab's Denis Maslennikov said that a Trojan horse (malicious software that pretends to be something innocuous) had gotten past Apple's famously tough App Store vetting process, which had never before let in real malware.

"The application is called 'Find and Call' and can be found in both the iOS Apple App Store and Android’s Google Play," Maslennikov wrote in a blog posting.

Find and Call, made by a Russian firm, claims to be an app that lets you make phone calls by simply typing in or clicking a contact's email address or social-network handle — admittedly a useful idea.

"In order to call somebody from your mobile phone, you can use an email address, a domain name, a profile address in a social network, etc., instead of a phone number just as easily," states the Find and Call official website.

But Maslennikov said Find and Call also copies a user's entire address book to its own servers, and sends out spam text messages to everyone in the address book imploring them to also install the app.

Screenshots of complaints by angry Russian users in the iOS App Store and Google Play, and Maslennikov's own screenshots of code within the app, support his assertion.

Nowhere in Find and Call's terms of use does it say that the app will copy your address book or send out text messages to your friends, Maslennikov said.

An email from Find and Call support staff to the Russian site AppleInsider.ru stated that the sending of "inviting SMS messages" was a "bug in process of fixing."

Sophos Labs' Vanja Svajcer had doubts about whether this behavior really was malicious, or just annoying.

"I'm not sure I 100 percent agree with Kaspersky that it is malware," Svajcer wrote on Sophos' Naked Security blog. "It would probably be more accurate to say that the 'Find and Call' app is 'spammy.'"

Both Google and Apple have since removed the app from their stores.

According to a Softpedia report, Find and Call's creators have contacted AppleInsider.ru and told them that the app is still in "beta testing". The fact that SMSs are sent out to all of a user's contacts is allegedly just a bug.

Boxer SMS Trojan poses as Firefox for Android

Mozilla recently launched Firefox 14 for devices running Android. Cyber-criminals have turned the event to their advantage and started masquerading an SMS Trojan as the new browser.

Security researchers at GFI Labs spotted an Android application posing as the Firefox browser, hosted on several Russian websites. The application files (.APK) offered for download vary not only in file name but also in file size.

GFI VIPRE Mobile Security detects the malicious apps as Trojan.AndroidOS.Boxer.d.

The typical Boxer malware appears to be a legitimate app that users can download. Once installed, it loads a Rules page on the phone and asks users to accept it. The app then sends a premium SMS message to any of these numbers: 2855, 3855, 7151, or 8151. The Rules page discloses (in small text) that users will be billed for sending a premium SMS message. Boxer then directs users to the actual website where the legitimate app can be downloaded after claiming that it has successfully activated.

However, this particular variant doesn’t give any details regarding its true purpose. This variant sends the premium SMS message, “5975+3480758+x+a”, to the aforementioned numbers. Lastly, it loads google.com instead of directing users to the actual download site.

Researchers believe that this may be a tactic to make users think that the application is defective. They might download and install the fake software again, allowing Boxer to perform its malicious tasks more than once.
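The behaviour described above (a supposed browser that requests the SEND_SMS permission and carries hard-coded premium short codes) is exactly what a quick static triage can catch before the app is ever run. The following is an added example, not GFI's detection logic: it reads permissions from a decoded AndroidManifest.xml and scans a string table dumped from the dex code. Both inputs are constructed here, the package name is a placeholder, and only the four short codes and the message body come from the write-up above.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Premium short codes named in the GFI write-up; any other 4-5 digit string is also reported.
KNOWN_BOXER_SHORTCODES = {"2855", "3855", "7151", "8151"}

# Constructed manifest in the form a decoding tool (e.g. apktool) emits; package is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fakefirefox">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Firefox"/>
</manifest>"""

# Constructed string table as one would dump from the decompiled dex.
SAMPLE_STRINGS = [
    "android.telephony.SmsManager", "sendTextMessage",
    "5975+3480758+x+a", "2855", "3855", "7151", "8151",
    "http://www.google.com",
]

SMS_API_MARKERS = {"android.telephony.SmsManager", "sendTextMessage"}


def manifest_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage_sms_trojan(manifest_xml, strings):
    """Combine permission, API usage and short-code evidence into a triage verdict."""
    perms = manifest_permissions(manifest_xml)
    shortcodes = {s for s in strings if re.fullmatch(r"\d{4,5}", s)}
    findings = {
        "requests_send_sms": "android.permission.SEND_SMS" in perms,
        "uses_sms_api": any(s in SMS_API_MARKERS for s in strings),
        "shortcodes": sorted(shortcodes),
        "known_boxer_shortcodes": sorted(shortcodes & KNOWN_BOXER_SHORTCODES),
    }
    # A browser has no business sending SMS; all three together is a strong signal.
    findings["verdict"] = (
        "likely premium-SMS trojan"
        if findings["requests_send_sms"] and findings["uses_sms_api"] and shortcodes
        else "needs manual review"
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_sms_trojan(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The rule deliberately keys on the combination rather than on SEND_SMS alone, since a legitimate messaging app would request that permission too; what makes it damning here is that the app claims to be a web browser.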

TriCk - The leader of the hacker group "TeaMp0isoN" pleads guilty

The leader of the hacker group "TeaMp0isoN" has pleaded guilty to stealing the address book details and other private data from former British Prime Minister Tony Blair in June of last year.

Junaid Hussain, also known as "TriCk", has now admitted to hacking into a Gmail account belonging to an adviser to Blair by the name of Katy Kay.

Hussain, 18, from Birmingham, said that he used the ID "Trick" to access the aide's account and steal confidential data, including addresses, phone numbers and email addresses belonging to Blair, his wife and his sister-in-law Lyndsye Booth, as well as Members of Parliament (MPs) and Members of the House of Lords.

Ben Cooper, Hussain's lawyer, told the court that the offences had just been a prank.

After admitting to conspiracy and computer charges at London's Southwark Crown Court, Judge Peter Testar granted Hussain bail until sentencing later this month, advising him to be "under no illusions" that he may go to prison.

Hussain has also confessed to taking part in and leading members of the hacker group to attack the UK national Anti-Terrorist Hotline with hundreds of hoax phone calls.

Citadel Trojan is going off the Open Market

According to RSA's FraudAction Research Labs, a spokesperson for the creators of the Citadel Trojan declared on an underground forum, shortly after the release of the Trojan's latest version (v1.3.4.5), that the software would no longer be publicly available and that only existing customers would be able to receive upgrades.

Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMC’s RSA security division told eWEEK July 2.

"While this could be a marketing stunt designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales," RSA blog post reads.

“By selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually—as with Zeus, SpyEye, and Carberp—more cyber-crime arrests linked with using Citadel.”

Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Center (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.

RSA calls Citadel the most advanced crimeware tool money can buy. The kit sells for $2,500, and attackers can also purchase plug-ins for an average of $1,000 each.

"Malware developers working on criminal-popular projects like Citadel rightfully fear law enforcement. Their actions of developing, supporting and selling advanced crimeware makes them an accessory to the crimes which can easily get them indicted alongside their botmaster customers. The more popular the banking Trojan becomes, the more banks and merchants push to have its developers and bot masters behind bars."

"Looking to the surrounding cybercrime arena, history proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety."

XSS vulnerability found in Microsoft.com

A security researcher known as Gambit has discovered cross-site scripting (XSS) vulnerabilities in Microsoft's official websites.

He found the vulnerabilities last month and reported them to Microsoft.

"Well last month I was looking around on MSN.com and Microsoft.com I found two XSS vulnerabilities, one in each domain. I reported the vulnerabilities to the Microsoft security team and secured a spot on their acknowledgments page," Gambit said in his blog.


Microsoft listed his name in the 'Security Researcher Acknowledgments for Microsoft Online Services' page.

A page on 'asia.perf.glbdns.microsoft.com' was vulnerable to reflected XSS: the researcher managed to execute script in the page through its domain parameter.


POC: "asia.perf.glbdns.microsoft.com/files/top.php?domain=<script>alert(/Gambit/)</script>"
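The proof of concept above is the classic reflected XSS shape: a query parameter echoed into the page without encoding. As an added illustration, not Microsoft's code (the real top.php is not public), here is that bug class in Python beside two fixes: output encoding alone, and input validation plus output encoding. The domain parameter is parsed from the PoC URL exactly as given.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

POC_URL = "http://asia.perf.glbdns.microsoft.com/files/top.php?domain=<script>alert(/Gambit/)</script>"

# RFC 1123-style hostname: a 'domain' parameter should never need anything else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def domain_param(url):
    """Pull the 'domain' query parameter the way the server-side script sees it."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get("domain", [""])[0]


def render_vulnerable(domain):
    """Reflects the parameter into the page verbatim: this is the XSS."""
    return f"<html><body><h1>Performance data for {domain}</h1></body></html>"


def render_escaped(domain):
    """Output encoding only: the browser now sees text, not markup."""
    return f"<html><body><h1>Performance data for {html.escape(domain, quote=True)}</h1></body></html>"


def render_hardened(domain):
    """Reject anything that is not a hostname, and still encode on output."""
    if not HOSTNAME_RE.match(domain):
        return "<html><body><h1>Invalid domain</h1></body></html>"
    return render_escaped(domain)


def contains_live_script(page):
    """Crude oracle: does the raw HTML still carry an unescaped <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    payload = domain_param(POC_URL)
    print("vulnerable:", contains_live_script(render_vulnerable(payload)))
    print("escaped:   ", contains_live_script(render_escaped(payload)))
    print("hardened:  ", render_hardened(payload))
```

Validation is the more valuable of the two fixes for a parameter with a known shape, but encoding on output is what actually closes the XSS; keep both, because the next developer will reuse the parameter somewhere the validator is not called.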

#OpLiberation : Oak Creek Ranch School hacked by Anonymous


An Anonymous-affiliated hacker that goes by the name of Antidote (AnonAntidote) has taken credit for defacing the website of the Oak Creek Ranch School (ocrs.com), Arizona.

The breach is part of Operation Liberation, a campaign that aims to protest abuses that take place against teenagers in certain educational institutions.


“You make your money off the naive, the lazy and the misguided parents leading them to believe that you are helping their sons and daughters to be healed, educated and treated,” Antidote said.

“Putting in place point systems to buy necessities as well as privileges and providing punishment and abuse to those who wander stray of them. In reality this doesn’t treat or help them but instead lowers self-esteem. Simply expelling students that you can’t control while keeping the hard earned money given by the parents.”


The hacker also leaked the school's mailing list, over 300 records, which may indicate that he gained access to the organization's databases.

Operation Liberation was launched in August 2011 and has claimed many victims since.

“For years, teenagers have had to suffer from countless years of torture and brainwashing in so called ‘troubled teen camps.’ These include camps like Cross Creek in Utah, and Paradise Cove in Samoa,” hacktivists said at the time.

“We will not stand for the abuse against these children, we will make sure all of the schools, and the sponsors who started these schools, the WWASP, will suffer consequences for their actions against the civil rights of the youth.”

0-day XML core services vulnerability(CVE-2012-1889) included in Blackhole exploit kit

A few weeks ago we published news of a vulnerability in Microsoft XML Core Services (CVE-2012-1889). It is a true zero-day: it is being exploited in the wild, and no patch is yet available from Microsoft.

Sophos researchers discovered that the exploit for this vulnerability has been added to the Blackhole exploit kit.


A new function has been added to the Blackhole exploit code that targets CVE-2012-1889. The function uses well-known heap-spray techniques to place the shellcode in memory, then triggers the vulnerability so that execution passes to that shellcode.

The shellcode is straightforward: it attempts to download the payload (a DLL) from a remote server and writes it to the temp folder.
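Because the spray is the noisy part of exploits like this one, it is also the part that is easiest to flag in a web proxy or sandbox. The following added example, not Sophos' signature or code from Blackhole, scores a JavaScript sample on the usual heap-spray tells: unescape("%uXXXX...") blobs that decode to runs of identical bytes (the NOP sled), a string-doubling loop to a large target length, and a loop filling a big array with copies of the block. The JavaScript sample is constructed for the demo.

```python
import re

# Constructed JavaScript in the style of a heap spray; not code from Blackhole.
SAMPLE_JS = r"""
var shellcode = unescape("%u9090%u9090%u6a33%u5958%u31d2" + "%u5252%u6a58");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x40000) nops += nops;
var block = nops.substring(0, 0x40000 - shellcode.length) + shellcode;
var spray = new Array();
for (var i = 0; i < 200; i++) spray[i] = block + i;
"""

UNESCAPE_RE = re.compile(r'unescape\(\s*((?:"(?:%u[0-9a-fA-F]{4})+"\s*\+?\s*)+)\)')
DOUBLING_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1'
)
ARRAY_FILL_RE = re.compile(r'for\s*\(\s*var\s+(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;')


def decode_unescape(literal_group):
    """Turn the %uXXXX units of a JS unescape() argument into little-endian bytes."""
    out = bytearray()
    for unit in re.findall(r'%u([0-9a-fA-F]{4})', literal_group):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def longest_repeat(data):
    """Length of the longest run of one repeated byte value (a NOP-sled tell)."""
    if not data:
        return 0
    best = run = 1
    for i in range(1, len(data)):
        run = run + 1 if data[i] == data[i - 1] else 1
        best = max(best, run)
    return best


def heapspray_indicators(js):
    """Collect the individual tells and combine them into a score and verdict."""
    blobs = [decode_unescape(m.group(1)) for m in UNESCAPE_RE.finditer(js)]
    ind = {
        "unescape_blobs": len(blobs),
        "max_nop_run": max((longest_repeat(b) for b in blobs), default=0),
    }
    m = DOUBLING_RE.search(js)
    ind["doubling_target"] = int(m.group(2), 0) if m else 0  # base 0 honours the 0x prefix
    m = ARRAY_FILL_RE.search(js)
    ind["array_fill_count"] = int(m.group(2)) if m else 0
    score = 0
    score += 1 if ind["unescape_blobs"] else 0
    score += 1 if ind["max_nop_run"] >= 4 else 0
    score += 1 if ind["doubling_target"] >= 0x10000 else 0
    score += 1 if ind["array_fill_count"] >= 50 else 0
    ind["score"] = score
    ind["verdict"] = "heap spray likely" if score >= 3 else "inconclusive"
    return ind


if __name__ == "__main__":
    for key, value in heapspray_indicators(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

Real kits obfuscate the variable names and split the literals, so treat these regexes as a first pass over de-obfuscated script, not as a signature; the decoded-bytes check (the run of identical bytes) survives renaming where the syntactic ones do not.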

Mac and Windows Malware Campaign Targets Uyghur Activists


Researchers at Kaspersky Lab have intercepted a Mac-based Trojan attack targeting Uyghur human rights activists.

According to Costin Raiu, Director of Kaspersky's Global Research and Analysis Team, the campaign uses malicious emails carrying a ZIP file that contains a JPEG photo and a Mac OS X application.

When the recipient opens the ZIP file and runs the application, the malware installs itself on the Mac OS X system and then attempts to connect to a command-and-control (C&C) server, allowing the attacker to run commands on the infected computer and access its files.

“The application is actually a new, mostly undetected version of the MaControl backdoor (Universal Binary), which supports both i386 and PowerPC Macs. We detect it as 'Backdoor.OSX.MaControl.b'," Raiu noted a in a blog post.

"The backdoor is quite flexible – its Command and Control servers are stored in a configuration block which has been appended at the end of the file, 0x214 bytes in size. The configuration block is obfuscated with a simple 'subtract 8' operation," he added.

Researchers appear to have traced the C&C server to an IP address in China.
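Raiu's description of the configuration block (0x214 bytes appended to the end of the binary, obfuscated by a "subtract 8" operation) is enough to write a config extractor. The following added example is not Kaspersky's tool and is not run against a real MaControl sample: it builds a constructed stand-in for the binary, appends an obfuscated block, and recovers the C&C entries. Two assumptions are labelled in the code: that the author subtracted 8 from each byte (so decoding adds 8 modulo 256; the extractor also tries the other direction and keeps whichever yields more printable text), and that the block holds NUL-separated host:port strings, a layout chosen for the demo.

```python
CONFIG_SIZE = 0x214  # 532 bytes, the size Kaspersky reported for the appended block


def shift_bytes(data, delta):
    """Add delta to every byte modulo 256; delta=-8 is the 'subtract 8' obfuscation."""
    return bytes((b + delta) & 0xFF for b in data)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or NUL padding."""
    return sum(32 <= b < 127 or b == 0 for b in data) / max(len(data), 1)


def build_sample(c2_hosts):
    """Constructed stand-in for the infected Mach-O: a placeholder body plus the config.

    Assumption: the block is NUL-separated strings, NUL-padded to CONFIG_SIZE, and the
    author obfuscated it by subtracting 8 from each byte.
    """
    body = b"\xca\xfe\xba\xbe" + bytes(range(256)) * 4  # placeholder, not a real Mach-O
    plain = b"\x00".join(h.encode("ascii") for h in c2_hosts)
    plain = plain.ljust(CONFIG_SIZE, b"\x00")[:CONFIG_SIZE]
    return body + shift_bytes(plain, -8)


def extract_c2(sample, delta=None):
    """Recover the C&C strings from the trailing CONFIG_SIZE bytes.

    delta is the correction to apply per byte; when None, both +8 and -8 are tried and
    the one producing more printable text wins, which is how an analyst would settle the
    direction on a real sample.
    """
    if len(sample) < CONFIG_SIZE:
        raise ValueError("file shorter than the configuration block")
    tail = sample[-CONFIG_SIZE:]
    if delta is None:
        delta = max((8, -8), key=lambda d: printable_ratio(shift_bytes(tail, d)))
    block = shift_bytes(tail, delta)
    return [s.decode("ascii", "replace") for s in block.split(b"\x00") if s]


if __name__ == "__main__":
    # Constructed C&C entries; the hosts are placeholders, not the campaign's real servers.
    sample = build_sample(["c2.example.invalid:8080", "backup.example.invalid:443"])
    print(extract_c2(sample))
```

On a real sample the interesting part is the last step: once the block decodes to readable text, its hosts go straight into network block lists and the decoder can be pointed at every other file that shares the same appended-block layout.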

Alongside Kaspersky Lab's discovery, AlienVault Labs reports finding another backdoor from the same campaign that targets Windows users.

Also transmitted through email, that attack involves a ZIP file along with a WinRAR archive. The archive extracts a binary that copies itself, but not before dropping a DLL on the system. Once injected, the DLL appears to launch Gh0st RAT, a well-known remote access tool. Gh0st RAT was served from Amnesty International's website just last month and has been used in other targeted attack campaigns in recent years.

Stolen Laptop Puts 30,000 Texas Cancer Center Patients at Risk of identity theft

A laptop stolen from an employee at a Houston, Texas, cancer hospital has put as many as 30,000 patients at risk of identity theft.


The University of Texas MD Anderson Cancer Center issued a security advisory explaining that on April 30, an unencrypted laptop was stolen from an MD Anderson faculty member's home.

The faculty member notified the local police department. MD Anderson was alerted to the theft on May 1, and immediately began a thorough investigation to determine what information was contained on the laptop.

"We have confirmed that the laptop may have contained some of our patients' personal information, including patients' names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers," MD Anderson said.

MD Anderson is the second major cancer center in the U.S. to fall victim to a recent security breach; last week, Memorial Sloan-Kettering Cancer Center in New York began notifying patients that their medical records and Social Security numbers may have been compromised. In the past year, several hospitals and colleges, including Yale and Columbia University, have been hit by data breaches that put large populations of people at risk.

According to the Houston Business Journal, Social Security numbers for about one-third of the hospital's patients (about 10,000) were stored on the stolen MD Anderson laptop. The cancer treatment hospital said it has "no reason to believe" that the computer, which is still missing, "was stolen for the information that it contained." MD Anderson said police have launched a criminal investigation and are working to locate the laptop.

Trendmicro & Sykes Hacked by @OfficialComrade

The website of the antivirus vendor Trend Micro has reportedly been hacked by @OfficialComrade (.c0mrade), who dumped a large volume of emails.

The attack also affected Sykes, through which Trend Micro appears to run its support services. It was announced on .c0mrade's Twitter account and in a Pastebin post with the following message.

"Trendmicro & Sykes is a Global Business and Antivirus suite, we've targeted them due to their constant lash of pseudo-security," the hacker said in the Pastebin post.

 "Owning Trendmicro & Sykes wasn't a priority of ours. However, if it was, they would have dug their burial site sometime ago."

"Sliding towards more recent events, today is June 30th, 2012 and absurdly, I'm monotonous. Why? Because nowadays, it seems as if everybody is widely concerned with notoriety. New 'groups' are emerging, more 'pigments' are being infiltrated by demented teenagers so they could feel better about themselves, etc. My demands are written on the palm of my hands; stop. You're a nuisance. Sliding back to the whole Trendmicro & Sykes testament, we don't want to be complete pricks, so for the companies' sake, we'll take baby steps on this one. We'll release every inch of their Email Database; Inbox, Drafts, Sent Items, Deleted Items, Attachments, and all content in all folders. You'll need a .dbx file viewer to see the content."

http://pastebin.com/EVSAXjz1