Fake jobs: jobbworld .com, yourjobb .com, canada-newjob .com, netherlandjobb .com...
FYI...
Fake jobs: jobbworld .com and yourjobb .com
- http://blog.dynamoo.com/2011/10/fake...urjobbcom.html
23 October 2011 - "Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.
jobbworld .com
yourjobb .com
This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address..."
Fake jobs: canada-newjob .com, netherlandjobb .com and newjobrecruit .com
- http://blog.dynamoo.com/2011/10/fake...newjobcom.html
20 October 2011 - "Another bunch of domains being used to peddle fake jobs:
canada-newjob .com
netherlandjobb .com
newjobrecruit .com
These domains form part of this long running scam. You may find that the emails appear to come from your own email address..."
:mad::mad:
Mass SQL Injection attack hits 1 million sites
FYI...
- http://www.darkreading.com/taxonomy/...e/id/231901236
Oct 19, 2011 - "A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said*... According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon's infiltration. "This is very similar to LizaMoon," says Wayne Huang, CEO of Armorize, who, with his team, first reported an injected script dropped on ASP.NET websites that loads an iFrame to initiate browser-based drive-by download exploits on visitor browsers to the site. Initial reports by Armorize showed that 180,000 Web pages had been hit* by the offending script, but Huang told Dark Reading that a Google search resulted in returns for more than 1 million Web pages containing the injected code..."
* http://blog.armorize.com/2011/10/htt...infection.html
"... The script causes the visiting browser to load an iframe first from www3 .strongdefenseiz .in and then from www 2.safetosecurity .rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser... if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc). This wave of mass-injection incidents is targeting ASP/ASP.NET websites..."
> https://www.virustotal.com/file-scan...7aa-1319203779
File name: file-2979089_
Submission date: 2011-10-21 13:29:39 (UTC)
Result: 30/42 (71.4%)
___
Dissecting the Ongoing Mass SQL Injection Attack
- http://ddanchev.blogspot.com/2011/10...injection.html
Oct 20, 2011
- https://encrypted.google.com/ ...
Oct. 25, 2011 - "... about 1,610,000 results..."
:mad::fear::mad:
Targeted malware attack shows how Fast Fingerprinting works
FYI...
- http://nakedsecurity.sophos.com/2011...rinting-works/
October 24, 2011 - "... technology is helping anti-virus researchers detect malicious Microsoft Office files, by examining if they fail to conform to the OLE2 file format specification... two differences between the new malware sample and previous ones are:
- The case of the Workbook stream had been changed to workbook...
- Previous incarnations had contained the unicode string "HP LaserJet" at offset 0x638 and the new version has had the first four characters "HP L" overwritten with nulls.
At the time of analysis, detection of this malware by other vendors wasn't very good... according to VirusTotal, detection has improved*. If your computer wasn't updated with Microsoft's MS09-067** security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC."
* https://www.virustotal.com/file-scan...241-1319198077
File name: e6d3bf9d5ba93ec6444612f819029e52942100f7.bin
Submission date: 2011-10-21 11:54:37 (UTC)
Result: 17/43 (39.5%)
Microsoft Office Excel ...
** http://www.microsoft.com/technet/sec.../MS09-067.mspx
:fear::mad:
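The two fingerprints quoted above, checked in code. This is an added example, not Sophos's tool: `build_sample` constructs a minimal OLE2-shaped blob, and `fingerprint` flags a lower-cased "workbook" stream name and a nulled "HP L" at offset 0x638. Assumed simplification: only the first directory sector is parsed, not the FAT chain.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CANONICAL_STREAMS = {"workbook": "Workbook"}  # lower-cased -> the case Excel writes
LASERJET_OFFSET = 0x638
LASERJET = "HP LaserJet".encode("utf-16-le")  # 22 bytes; "HP L" is the first 8

def directory_entries(data):
    """Yield (name, type) from the first directory sector only (FAT chain not followed)."""
    if data[:8] != OLE2_MAGIC:
        return
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir_sect = struct.unpack_from("<I", data, 0x30)[0]
    base = (first_dir_sect + 1) * sector_size  # sector 0 follows the 512-byte header
    for off in range(base, min(base + sector_size, len(data)), 128):
        name_len = struct.unpack_from("<H", data, off + 64)[0]  # bytes incl. terminator
        if name_len < 2:
            continue  # unused entry
        yield data[off:off + name_len - 2].decode("utf-16-le", "replace"), data[off + 66]

def fingerprint(data):
    """Return the anomalies found; an empty list means neither fingerprint hit."""
    findings = []
    for name, _etype in directory_entries(data):
        canon = CANONICAL_STREAMS.get(name.lower())
        if canon and name != canon:
            findings.append(f"stream name case changed: {name!r} (expected {canon!r})")
    blob = data[LASERJET_OFFSET:LASERJET_OFFSET + len(LASERJET)]
    if blob[:8] == b"\x00" * 8 and blob[8:] == LASERJET[8:]:
        findings.append("'HP L' at offset 0x638 overwritten with nulls")
    return findings

def build_sample(stream_name, mangle_laserjet):
    """Constructed minimal OLE2-shaped blob: header, one directory sector, data sectors."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<H", hdr, 0x1E, 9)  # 2**9 = 512-byte sectors
    struct.pack_into("<I", hdr, 0x30, 0)  # directory chain starts at sector 0
    def entry(name, etype):
        e = bytearray(128)
        enc = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(enc)] = enc
        struct.pack_into("<H", e, 64, len(enc))
        e[66] = etype  # 5 = root storage, 2 = stream
        return bytes(e)
    directory = (entry("Root Entry", 5) + entry(stream_name, 2)).ljust(512, b"\x00")
    blob = bytearray((bytes(hdr) + directory).ljust(2048, b"\x00"))
    blob[LASERJET_OFFSET:LASERJET_OFFSET + len(LASERJET)] = (
        b"\x00" * 8 + LASERJET[8:]) if mangle_laserjet else LASERJET
    return bytes(blob)
```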
URL shorteners actively circumvent spam filters
FYI...
Bulk Registrars, URL Shorteners, Dynamic DNS Providers
- http://www.malwaredomains.com/wordpress/?p=2147
October 27th, 2011 - "We’ve been maintaining lists of Bulk Registrars, Dynamic DNS Providers, and URL Shorteners...
http://www.malwaredomains.com/wordpress/?p=1991
We just added a new list of “unverified” URL Shorteners here: http://mirror1.malwaredomains.com/fi...unverified.txt
We’ll be going through the URLs and adding them to the main list once they have been verified. If anyone wishes to help in this effort, please let us know."
- http://www.digitaltrends.com/web/spa...to-hide-links/
October 25, 2011 - "According to new information from researchers at Symantec, a group of spammers has created a group of 87 spam-friendly, public URL shortening services and is actively using them to circumvent spam filters on popular sites. Using URL shortening scripts that are free and open source, the spammers are churning spam through the service..."
:sad::fear:
“ce.ms” free domains... host malicious code
FYI...
* http://research.zscaler.com/2011/10/...g-used-to.html
October 27, 2011 - "...it appears that attackers are leveraging free “.ce.ms” domains. Likewise, we have identified a number of .ce.ms domains exploiting various known client side vulnerabilities. Here are a few of the URLs being used:
hxxp ://27glshegbslijels .ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp ://hhhjjjjj111111 .ce.ms/main.php?page=423b262d0a1a9f70
hxxp ://00000000000000 .ce.ms/main.php?page=423b262d0a1a9f70
hxxp ://24sjegohmjosee .ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp ://44444444444444444 .ce.ms/main.php?page=423b262d0a1a9f70
The aforementioned domains suggest that random domain names are being registered to host these attacks. Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such a way as to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of the HTML file becomes huge and the total code spans 29K lines... Attackers keep registering different random domains to spread their attacks, often targeting free registration services. Due to the obfuscation used by the attackers, security solutions relying on regular expressions designed to match known patterns can often be evaded due to the code being spread over numerous lines..."
- http://sunbeltblog.blogspot.com/2011...-now-cems.html
October 30, 2011 - "... Late last week, our friends at Zscaler* discovered that cybercriminals have now moved to hosting their wares on "ce.ms" domains (.ms being the top-level domain for Montserrat, an island in the West Indies). A simple Google search led me to several forums and personal blog posts as early as June of this year complaining about getting fake AVs from such sites, with the Zscaler discovery looking much more complex..."
:mad::fear:
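The evasion quoted above, where a numeric array is spread one element per line so a single-line signature misses it, and the defender-side fix of normalising whitespace before matching. Added example in Python, not Zscaler's code; the snippet and the signature are constructed for illustration.

```python
import re

# Constructed sample (not from the Zscaler post): one array element per line, then eval.
CONSTRUCTED_SNIPPET = (
    "<script>\nvar a = [\n104,\n116,\n116,\n112,\n58,\n47,\n47\n];\n"
    "eval(String.fromCharCode.apply(null, a));\n</script>"
)

# A signature written against the compact, single-line form of the loader.
SINGLE_LINE_SIG = re.compile(r"\[(?:\d+,){4,}\d+\];\s*eval\(String\.fromCharCode")

def normalize_js(text):
    """Collapse whitespace inside numeric array literals, then join the remaining lines."""
    text = re.sub(r"\[\s*((?:\d+\s*,\s*)*\d+)\s*\]",
                  lambda m: "[" + re.sub(r"\s+", "", m.group(1)) + "]", text)
    return re.sub(r"\s*\n\s*", "", text)

def matches(text, normalize):
    """True if the signature fires on the text, optionally after normalisation."""
    return bool(SINGLE_LINE_SIG.search(normalize_js(text) if normalize else text))
```

Without normalisation the line-split array slips past the signature; after it, the same signature fires.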
The Market for stolen credit cards data...
FYI...
- http://ddanchev.blogspot.com/2011/10...dit-cards.html
October 31, 2011 - "What's the average price for a stolen credit card? How are prices shaped within the cybercrime ecosystem? Can we talk about price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards, known as dumps or full dumps, nowadays?... the market for stolen credit cards data... 20 currently active and responding gateways for processing of fraudulently obtained financial data.
Key summary points:
• Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale in a DIY market fashion
• The majority of the carding sites are hosted in the Ukraine and the Netherlands...
• Four domains are using Yahoo accounts and one using Live.com account for domain registration...
• Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals to hide their real IPs by using the malware infected hosts as stepping stones.
The dynamics of the cybercrime ecosystem share the same similarities with those of a legitimate marketplace. From sellers and buyers, to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing. With massive dumps of credit card details in the hands of cybercriminals, obtained through ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details..."
(More detail at the ddanchev URL above.)
More here:
- https://krebsonsecurity.com/2011/10/...nto-hot-stuff/
October 31st, 2011
___
- http://www.businessinsider.com/bewar...-score-2011-11
Nov. 1, 2011
:mad::mad:
New cyber attack targets chemical firms: Symantec
FYI...
- http://www.reuters.com/article/2011/...79U4K920111031
Oct 31, 2011 - "At least 48 chemical and defense companies were victims of a coordinated cyber attack that has been traced to a man in China, according to a new report from security firm Symantec... Computers belonging to these companies were infected with malicious software known as "PoisonIvy", which was used to steal information such as design documents, formulas and details on manufacturing processes... The cyber campaign ran from late July through mid-September..."
"Nitro" attacks
- http://www.symantec.com/content/en/u...ro_attacks.pdf
> http://www.h-online.com/security/new...ew=zoom;zoom=1
:mad::mad:
Duqu: status - 0-Day Exploit
FYI...
- http://www.symantec.com/connect/w32-...ro-day-exploit
Nov. 1, 2011 - "... an installer has recently been recovered due to the great work done by the team at CrySyS. The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries...
Key updates...
• An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
• Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
• Six possible organizations in eight countries have confirmed infections
• A new C&C server (77.241.93.160) hosted in Belgium was discovered and has been shut down..."
(More detail at the symantec URL above.)
Graphic:
- http://www.symantec.com/connect/site.../duqu_flow.png
:mad: