PhishBait

Don’t Be PhishBait


PDF Exploits Sneaking Around

Many people still think of PDFs as being “risk-free.”  When the first Word and Excel viruses started appearing,  a lot of people turned to PDFs as a safe alternative.  But Adobe has packed a lot of functionality into PDFs over the years - turning it from a simple document publishing system to a full-blown application.

SC Magazine recently reported that the Federal Reserve Bank is being targeted in a new phishing campaign that is out to infect users’ machines with a PDF exploit.  The attacks attempt to take advantage of users who haven’t updated to the latest version of Adobe Reader, released on 4 November 2009.

Keeping updated on ALL your application software is vital.  Virus checkers and firewalls alone are never enough.

Crimeware 2.0

OpenWeb Developer’s Journal is reporting on Crimeware-as-a-Service (pun intended):

We have also found the emergence of server-side polymorphism or “Crimeware-as-a-Service (CaaS)” as described by the industry, in which the polymorphic engine does not reside within the virus code, but rather remotely on a server. There are two forms of server-side polymorphism that we know of today: the type that distributes mutated variations of malware into the wild in volume, and the type that incorporates PCs as part of a botnet in which specific bot variants can be mutated remotely via a command over HTTP.

The article is fairly dense, so let’s try to translate a bit.  In the past, viruses carried their code with them - injecting it when the opportunity presented itself.  Much like a real virus.

Now, however, it’s more like a mosquito - seeking vulnerabilities, evaluating the environment, finding the best victims, then passing on the computer equivalent of yellow fever or malaria.  Only in this case, the mosquito can taste the victim, then call home for whatever will infect this particular victim.

Anti-virus software does a poor job handling this kind of attack.  The best approach is host-based intrusion-prevention technologies, sort of like mosquito-netting for your server.  But no truly holistic solution exists for the home market.  The best defense is securing your network as well as your computer.

Google Apps Vulnerable (Though Still Not Evil)

Information Week is reporting that Google apps such as Gmail are vulnerable to a frame injection attack that could be used to phish login credentials from Google users.

Adrian ‘pagvac’ Pastor, a security researcher with GNUCitizen.org, on Friday posted proof-of-concept code that can inject a third-party page — a fake login page in Pastor’s example — while the user’s browser address bar still displays the Google domain. This could dupe the user into entering login details. “The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTML filters or even break into the target server,” Pastor explained on the GNUCitizen site.

In a related blog post on Friday, security researcher Aviv Raff explained that Google is vulnerable to “a cross-domain Web-application sharing security design flaw.”

The vulnerability reportedly affects other applications beyond Gmail. According to Raff, applications in Google’s subdomains — maps.google.com, images.google.com, news.google.com, mail.google.com, and google.com — are affected. This means, for example, that Google Maps can be used to hijack Google, Google Mail, or Google Apps accounts.

Raff says he notified Google about the problem shortly after he identified it in April and that Google said the issue was being investigated.

The usual caveats here - first check our Cross-Site Scripting (XSS) Checklist, and then make sure you are up-to-date on your plug-ins.  In addition, remember to sign out of your Google account before generalized surfing.

Bank Failures, Mergers and Takeovers: A “Phish-erman’s Special”

If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.

Phishers (pronounced “fishers”) may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information. For example, you may see messages like:

“We recently purchased ABC Bank. Due to concerns for the safety and integrity of our new online banking customers, we have issued this warning message… Please follow the link below to renew your account information.”

“We recently acquired the mortgage on your home and are in the process of validating account information. Please click here to update and verify your information.”

“During our acquisition of XYZ Savings & Loan, we experienced a data breach. We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below to confirm your identity.”

The messages direct you to a website that looks like the actual site of your new financial institution or lender. But it isn’t. It’s a bogus site whose purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit other crimes in your name.

The FTC suggests these tips to help you avoid getting hooked by a phishing scam:

  • Don’t reply to an email or pop-up message that asks for personal or financial information, and don’t click on links in the message – even if it appears to be from your bank. Don’t cut and paste a link from the message into your Web browser, either. Phishers can make links look like they go one place, but actually redirect you to another.
  • Some scammers call with a recorded message, or send an email that appears to be from an institution, and ask you to call a phone number to update your account. Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers are. To reach an institution you do business with, call the number on your financial statements.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them regularly.
  • Don’t email personal or financial information. Email is not a secure way to send sensitive information.
  • Review your financial account statements as soon as you receive them to check for unauthorized charges.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
  • Forward phishing emails to spam@uce.gov – and to the institution or company impersonated in the phishing email. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
  • If you’ve been scammed, visit the Federal Trade Commission’s Identity Theft website at ftc.gov/idtheft for important information on next steps to take.
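The first tip above rests on one concrete fact: the text of a link and the place it actually goes are two different things, and phishers rely on the reader only seeing the first. The script below is an added example, not part of the FTC text or the PhishBait post; it scans an HTML e-mail body for anchors whose visible text names one host while the href points at an unrelated one. The sample message and every hostname in it (abcbank.example, secure-update.test) are constructed for the demonstration.

```javascript
// Added example (not from the PhishBait post or the FTC text): flag links in an
// HTML e-mail whose visible text names one host while the href actually points
// at another. The message below is constructed for this demonstration.

// Crude anchor extraction: good enough for typical e-mail bodies; a production
// scanner would use a real HTML parser instead of a regex.
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Visible text of an anchor, with nested tags and extra whitespace removed.
function stripTags(html) {
  return html.replace(/<[^>]+>/g, '').replace(/\s+/g, ' ').trim();
}

// Host named by a URL or a bare domain such as "www.abcbank.example/help",
// lower-cased, or null when the text does not look like a URL or host at all.
function hostOf(text) {
  const t = text.trim();
  // Bare domains carry no scheme; add one so the URL parser accepts them.
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : 'http://' + t;
  try {
    const host = new URL(candidate).hostname.toLowerCase();
    // Require at least one dot so plain words like "Unsubscribe" are not hosts.
    return /^[a-z0-9.-]+\.[a-z]{2,}$/.test(host) ? host : null;
  } catch (e) {
    return null;
  }
}

// Treat a host and its subdomains as the same site, so that link text
// "abcbank.example" pointing at "www.abcbank.example" is not a false alarm.
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// Scan an HTML body and return one finding per anchor whose visible text looks
// like a URL or domain but whose href resolves to an unrelated host.
function findMismatchedLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = stripTags(m[2]);
    const shownHost = hostOf(text);
    const realHost = hostOf(href);
    if (shownHost && realHost && !sameSite(shownHost, realHost)) {
      findings.push({ text, href, shownHost, realHost });
    }
  }
  return findings;
}

// Constructed sample in the style of the lures quoted above: the first link's
// text advertises the bank's own site while its href goes somewhere else.
const SAMPLE_EMAIL = `
<p>We recently purchased ABC Bank. Please follow the link below to renew your
account information.</p>
<p><a href="http://abcbank.example.secure-update.test/renew">https://www.abcbank.example/renew</a></p>
<p>Questions? Visit <a href="https://www.abcbank.example/help">www.abcbank.example/help</a>.</p>
<p><a href="https://www.abcbank.example/unsubscribe">Unsubscribe</a></p>
`;

for (const f of findMismatchedLinks(SAMPLE_EMAIL)) {
  console.log(`suspicious link: shows ${f.shownHost} but goes to ${f.realHost} (${f.href})`);
}
```

Only anchors whose visible text itself looks like an address are judged, because that is the case where the reader is being shown a destination; a link labelled “click here” carries no claim to compare against, and the FTC’s advice for those is simply not to click.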

For more tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information, visit www.OnGuardOnline.gov.

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Fraud For Sale - Behind The Scenes of Online Fraud

Elinor Mills takes a peek behind the scenes of online fraud in this 25 September 2008 article on CNET.

Online fraudsters are coming up with more types of dangerous attacks and more sophisticated methods, says Uri Rivner, head of new technologies for RSA Consumer Solutions, which is owned by EMC.

Online fraud tools have price tags just like any other software. For example, the Mpack Infection Kit costs $700, a Dream BotBuilder costs $500, and at just $350, the Limbo Trojan is practically a steal, according to Rivner.

Besides the obvious steps you need to take to protect yourself from these script kiddies, Rivner reminds people to:

  • Avoid putting sensitive information on social networks and beware of phishing attempts on those and game sites.
  • Beware of “vishing” (voice-over-IP phishing) attacks in which an e-mail provides a phone number to call and then prompts the caller to provide personal information.

Clickjacking - A New Threat Reported by ZDNet

In this 25 September 2008 article, ZDNet describes a new cross-browser threat:

it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

And it’s been found on all operating systems.

In fact, Adobe and Microsoft have been working with the folks who discovered the threat - who thought it serious enough to delay a technical presentation on it.

While the ZDNet article offers no practical defense, a follow-up suggests a possible protection option: Firefox + NoScript vs Clickjacking.  If you use Firefox, you need to use NoScript (and turn on Plugins|Forbid <IFRAME>).  None of the desktop security programs appear to have this exploit covered at this time.
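NoScript’s “forbid IFRAME” option works on the victim’s side: if the attacker’s page cannot load the target site in a frame, there is nothing hidden to click. The site being targeted has a counterpart it can do itself. The example below is added here and is not from the ZDNet article, NoScript, or the PhishBait post; it evaluates the two server-sent headers that browsers adopted after this article was written, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and reports whether a page served with a given header set may be framed by a given origin. A page that neither header protects can be framed by any site, which is the precondition for the trick described above. The header sets and the hostnames bank.example, partner.example and evil.test are constructed for the demonstration.

```javascript
// Added example (not from the ZDNet article or NoScript): decide, from the
// response headers a site sends, whether a page from that site may be placed in
// a frame by a document from a given origin. All header sets below are
// constructed for the demonstration.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find(k => k.toLowerCase() === want);
  return key === undefined ? null : headers[key];
}

// Source expressions of the frame-ancestors directive, or null if it is absent.
// An empty list means the same as 'none'.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Does one CSP source expression allow framerOrigin to frame pageOrigin?
function sourceAllows(src, pageOrigin, framerOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return pageOrigin === framerOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  // Scheme-only source such as "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;
  // Host source: optional scheme, optional "*." wildcard label, optional port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== framer.protocol) return false;
  const hostOk = wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
    if (framerPort !== port) return false;
  }
  return true;
}

// True if a page at pageUrl, served with these headers, may be framed by a
// document from framerUrl. Per the CSP specification, frame-ancestors takes
// precedence over X-Frame-Options when both are present. Values of
// X-Frame-Options other than DENY and SAMEORIGIN are treated as no protection,
// which is how browsers handle them.
function frameable(headers, pageUrl, framerUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const framerOrigin = new URL(framerUrl).origin;
  const ancestors = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (ancestors !== null) {
    return ancestors.some(src => sourceAllows(src, pageOrigin, framerOrigin));
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo === null) return true;
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  return true;
}

// Constructed header sets: no protection, a flat denial, and a policy that lets
// the site itself and any partner.example subdomain frame the page.
const UNPROTECTED = { 'Content-Type': 'text/html' };
const DENY_ALL = { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' };
const PARTNER_ONLY = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
};

console.log(frameable(UNPROTECTED, 'https://bank.example/', 'https://evil.test/')); // true
console.log(frameable(DENY_ALL, 'https://bank.example/', 'https://evil.test/'));    // false
console.log(frameable(PARTNER_ONLY, 'https://bank.example/', 'https://app.partner.example/')); // true
```

Run the check against the headers a login or transaction page actually returns; the first case, where neither header is present, is the one that matters, since it is what the frame-based attack above depends on.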

Gustav Leaves Phishers and Scammers in its Wake

Nothing like a disaster to bring out the best in people.  And the worst.  Luckily, Gustav did not do as much damage as many feared.

Leave the damage to the phishers, scammers, and frauds:

The Louisiana Attorney General’s Office Warns of Email Scam During Hurricane Gustav

The SANS Institute releases a list of potential scam sites recently registered; of course there are plenty of potential scam sites already parked and ready to go.

Make sure your contributions go to the people who need them!  Visit the Aidmatrix Network.

Monetizing Turns Browser Typos into Russian Roulette

Back in the good old days, if you mistyped a web address, your browser would give you a nice “Server Not Found” message. But there is money to be made in typos, and ISPs like Earthlink can’t resist trying to sell that “not found” real estate.

PC World, in EarthLink Redirect Service Poses Security Risk, Expert Says, reports that:

A vulnerability in servers used by EarthLink to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site. . . Because of a bug in the software used to redirect users to these advertising and search pages, Kaminsky was able to get the pages to run his own JavaScript code. With the browser treating this code as if it were from a legitimate domain, Kaminsky was able to steal users’ cookies, create fake Web sites that appeared to be hosted on legitimate domains, and even log into certain Web sites without authorization.

If you catch your ISP doing this - complain!  But make sure that it’s the ISP’s doing.  Almost every typo under seven letters has been registered by someone.  Check out: asdasd.com.

That ZIP file could really hurt!

Slashdot reports that “Archive Formats Kill Antivirus Products.” Specially “fuzzed” archive files - including zip, tar, gz, and rar files - can disable and crash products from at least 40 vendors. Yes, that includes antivirus software.

Keep your security software updated, and don’t download any archive files from an untrusted source!

Pay up, or you’ll never see your text messages again!

From: vnunet.com

Ransomware attacks target Symbian mobiles

Researchers have discovered malware which holds mobile phone data to ransom. The malware removes all sent and received text messages, and threatens to permanently cripple the handset unless users pay a fee.

Phishbait editors observe:

Phone-related attacks - both Symbian and Windows Handheld - can be spread via SMS / text messaging. So take care when responding to a message you don’t recognize.

Your mobile NEEDS anti-virus software as much as your regular PC does!