
Thread: Old Alerts

  1. #41
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Malicious Code: USDoJ (SPAM) Trojan Horse

    FYI...

    - http://www.websense.com/securitylabs...hp?AlertID=822
    November 19, 2007 - "Websense® Security Labs™ has discovered a new -email- attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ)... The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f. None of the major anti-virus vendors detected the malicious code..."
    (Screenshot available at the URL above.)

    --------------------------------------------
    More...
    - http://blog.washingtonpost.com/secur...eted_emai.html
    November 19, 2007; 10:30 PM ET - "Another series of sophisticated e-mail attacks were launched over the past 24 hours, addressing recipients by name and warning of complaints filed against them and/or their company with the Justice Department -and- the Better Business Bureau. E-mail security firm MessageLabs said it spotted the spike in targeted e-mail attacks designed to look as though they were sent from the Better Business Bureau. The messages address recipients by name and list corresponding employer information both in the body of the e-mail and the subject line. The missives reference an attached "complaint," which is actually a screensaver file that harbors password-stealing software..."

    Last edited by AplusWebMaster; 2007-11-20 at 17:09.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #42
    Adviser Team AplusWebMaster's Avatar

    Hackers jack Monster.com - infect job hunters

    FYI...

    - http://preview.tinyurl.com/39mtqc
    November 20, 2007 (Computerworld) - "Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFRAME attack and was being used to infect visitors with a multi-exploit attack kit. According to Internet records, the Russian Business Network (RBN) hacker network may be involved. Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms which begin with the letter "B", for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental. Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack toolkit similar to the better-known Mpack, said Roger Thompson*, chief technology officer at Exploit Prevention Labs Inc... The injection of the malicious IFRAME code into the Monster.com site probably happened Monday, he added... "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500"... Monster.com last made security news in August, when the company admitted hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware. Monster.com was not available for comment Monday night."
    * http://explabs.blogspot.com/2007/11/big-hack-today.html


  3. #43
    Adviser Team AplusWebMaster's Avatar

    Malicious Code: Humanitarian support for flood victims email

    FYI...

    Malicious Code: Tabasco state/Banamex email lure banker trojan
    - http://www.websense.com/securitylabs...hp?AlertID=824
    November 20, 2007 - "Websense® Security Labs™ has discovered -emails- that claim to solicit humanitarian support for flood victims in the state of Tabasco, Mexico. If users click an embedded link, they are prompted to download a banker Trojan horse, disguised as an HTML file. The file is displayed with the blue Internet Explorer icon. When a user opens the file, the Trojan horse modifies the hosts file to replace the legitimate Banamex with the IP address of a host controlled by the attacker. If users attempt to go to the Banamex site, they receive no visual indicators that they are not at a legitimate site. The phishing toolbars that were tested did not detect this fake site as a fraud. Neither the downloaded banker Trojan horse nor the subsequent executable that it drops (win32.exe) are detected as malicious by the 32 anti-virus products tested..."

    (Screenshots available at the URL above.)

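The hosts-file redirection described in post #43, checked from the defender's side. This is an added example, not part of the original post or the Websense alert; `bank.example` is a placeholder for the bank's real domain, and the sample hosts content is constructed.

```python
import ipaddress

# Assumption: domains that should never be pinned in a local hosts file.
# "bank.example" is a placeholder, not a name taken from the alert.
WATCHED_DOMAINS = {"bank.example"}

# Constructed sample, not captured from an infected machine.
# On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.bank.example bank.example   # documentation-range IP
0.0.0.0         ads.example.net
198.51.100.7    intranet.example.org
"""


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for every mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or incomplete line
        yield lineno, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host, watched):
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line, host, ip, kind) for each watched name pinned locally."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an IP literal, skip
        for host in hosts:
            if not is_watched(host, watched):
                continue
            # Loopback/unspecified blocks the site; anything else sends
            # the browser to another server while the URL bar looks normal.
            local = addr.is_loopback or addr.is_unspecified
            kind = "blocked-locally" if local else "redirected"
            findings.append((lineno, host, ip, kind))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Any "redirected" finding for a banking domain is worth treating as an incident, since a legitimate hosts file has no reason to pin such a name.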

  4. #44
    Adviser Team AplusWebMaster's Avatar

    Attention (online) Shoppers...

    FYI...

    - http://preview.tinyurl.com/39qspa
    November 26, 2007 (Computerworld) - "...Safe-shopping tips. Here are a dozen to get you started:
    * Shop with online merchants you know and trust.
    * Order from secure Web sites, which can be identified by a locked padlock or unbroken key icon in your Web browser (unsecured sites may show an unlocked padlock or a broken key).
    * Keep printouts of everything, including copies of your order; Web pages describing what you ordered; Web pages that tell the seller’s name, address and telephone number; and any e-mail confirmations you get. And make sure you add the date if it doesn’t automatically appear on the printouts.
    * Use credit cards for online purchases, which will limit your loss to $50 if your credit is used without authorization. But it has to be a real credit card, not a debit or check card. You may want to use just one credit card for all online payments, to make it easier to detect wrongful charges.
    * Don’t give out your Social Security number.
    * Don’t give out unnecessary information.
    * Don’t send your credit card number by e-mail.
    * Don’t give out your passwords for e-commerce Web sites to anyone.
    * Don’t give out your bank information; no one needs it for an online order.
    * Double-check every Web site address.
    * Don’t click on links within e-mails. Type in the Web site’s address yourself -- very carefully.
    * Remember, if the deal seems too good to be true, it probably is.

    You can also direct users to online sources of additional information, including the Better Business Bureau Web site ( www.bbbonline.org/OnlineShopTips ), the Privacy Rights Clearinghouse ( www.privacyrights.org/fs/fs23-shopping.htm ) and the Federal Trade Commission Web site ( www.ftc.gov/onlineshopping )..."


  5. #45
    Adviser Team AplusWebMaster's Avatar

    Spammers shift to spreading malware

    FYI...

    The 2008 Internet Security Trends Report from IronPort Systems estimates that 98 per cent of all email traffic is now spam.
    - http://www.ironport.com/securitytrends/
    Dec 04, 2007 - "Spam volume increased 100 percent, to more than 120 billion spam messages daily worldwide. That's about 20 spam messages per day for every man, woman and child on the planet.
    TRENDS OVERVIEW
    The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy and sophisticated attacks. Specific observations include:
    > Spam has become more dangerous.
    ...In 2007, more than 83 percent of spam contained a URL to a rogue Web server that was frequently serving malware. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
    > The "Self Defending Bot Network" was introduced...
    > Viruses no longer make headlines..."
    (Full report and links available at the URL above.)

    ------------------------------------------------

    F-Secure - Malware Grew by 100% during 2007
    As much malware produced in 2007 as in the previous 20 years altogether
    - http://www.f-secure.com/f-secure/pre...204_1_eng.html
    Dec 4, 2007 - "In its 2007 data security summary, F-Secure reports of a steep increase in the amount of new malware detected during 2007. In fact the amount of cumulative malware detections doubled during the year, reaching the amount of half a million. This indicates that network criminals are producing new malware variants in bulk... The full 2007 Data Security Wrap-Up is available at http://www.f-secure.com/2007/2/ ... F-Secure predicts the increase in malware volume will continue in 2008. The criminals are successfully creating a network-based underground ecosystem, trading both malware development tools, skills, capabilities and resources ever more effectively. At the same time the reach of the law enforcement agencies remain limited in the global network domain..."


  6. #46
    Adviser Team AplusWebMaster's Avatar

    Holiday e-card SPAM

    FYI...

    - http://www.informationweek.com/share...leID=204700531
    Dec. 4, 2007 - "...Message Labs said following Thanksgiving that it was seeing holiday-themed spam coming across its infrastructure at a rate of about 300,000 an hour. Symantec security researcher Jitender Sarda documented* one such attack on Tuesday that uses e-cards. "These e-cards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the e-cards, which have underlying tricks to try and infect the computer," said Sarda in a blog post. "With the Xmas bells starting to ring, here is the first incidence where Xmas e-cards have started doing the rounds." While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe. In fact, the link provided attempts to download a file named "sos385.tmp" which is itself a downloader that connects to the Internet and attempts to download other malicious files."
    * http://preview.tinyurl.com/2u5z7n
    (Symantec Security Response Weblog)
    ---------------------------------------

    More Christmas Card Action
    - http://www.f-secure.com/weblog/archives/00001330.html
    December 5, 2007 - "We've just seen another fake Christmas card malware run... The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site)... The site prompts the user to download malicious macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37). We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website."

    (Screenshots available at the F-secure URL above.)

    Last edited by AplusWebMaster; 2007-12-05 at 17:55.

  7. #47
    Adviser Team AplusWebMaster's Avatar

    Malicious Code: Dept of Treasury Trojan Horse

    FYI...

    - http://www.websense.com/securitylabs...hp?AlertID=830
    December 13, 2007 - "Websense® Security Labs™ has discovered a new -email- attack that uses a spoofed email claiming to be from the United States Department of Treasury. This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered. The message claims that a complaint to the Department of Treasury has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan downloader with some backdoor capabilities. It is a ".pif" file with an MD5 of 9e19d23f27ebf9cfe1b9103066a3019e. It appears, however, that different versions of the Trojan are sent, based on the targeted recipient or company..."

    (Screenshot available at the URL above.)

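A mail-gateway style check for the attachment lures in posts #41 and #47 (a ".scr" and a ".pif" "complaint"). This is an added example, not code from the thread or from Websense; the sample message, its addresses and its inert payload are constructed, and the MD5 set holds only the two values quoted in those alerts.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the alerts; Windows runs both as programs.
RISKY_EXTENSIONS = {".scr", ".pif"}
# MD5 values quoted in posts #41 and #47.
KNOWN_MD5 = {
    "aeb784bc17c4c7e6edc5f1faaa9ed24f",
    "9e19d23f27ebf9cfe1b9103066a3019e",
}


def screen_message(raw_bytes):
    """Return one finding per attachment that should be quarantined."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.md5(payload).hexdigest()
        # Only the final extension matters ("complaint.doc.scr" runs as
        # .scr); Windows also ignores trailing dots and spaces.
        ext = PurePosixPath(name.lower().rstrip(". ")).suffix
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append("executable extension " + ext)
        # The alerts say different builds go to different recipients,
        # so a hash match is a bonus signal, not the primary control.
        if digest in KNOWN_MD5:
            reasons.append("known MD5")
        if reasons:
            findings.append({"filename": name, "md5": digest,
                             "reasons": reasons})
    return findings


def build_sample():
    """Constructed message shaped like the lure; the payload is inert."""
    msg = EmailMessage()
    msg["From"] = "complaints@agency.example"
    msg["To"] = "owner@company.example"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A copy of the original complaint is attached.")
    msg.add_attachment(b"inert placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="complaint.doc.scr")
    msg.add_attachment(b"quarterly figures", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample()):
        print(finding)
```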

  8. #48
    Adviser Team AplusWebMaster's Avatar

    HP Info Center Software laptop vuln - update available

    FYI...

    - http://www.us-cert.gov/current/#hp_h...enter_software
    updated December 14, 2007 - "US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems. These reports also refer to publicly available exploit code for this vulnerability. HP has published an HP Quick Launch Buttons Critical Security Update* to address this issue. US-CERT encourages users to apply this update to mitigate this risk.
    * ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

    - http://preview.tinyurl.com/2jhrxc
    (HP Customer Care)
    Release Date: 2007-12-12
    Version: 1.00 A
    Description:
    This package provides a critical security update for HP Quick Launch Buttons on the supported notebook models and operating systems. This patch removes a security vulnerability by disabling HP Info Center...
    » sp38166.exe 1/1 (1.61M)


  9. #49
    Adviser Team AplusWebMaster's Avatar

    Rootkit infections up at Prevx test site

    FYI...

    - http://www.itbusiness.ca/it/client/e...s.asp?id=46368
    12/14/2007 - "...Since 1 December 2007, 114,891 new users have run Prevx CSI with rootkit-detection features enabled. Of those PCs, 1,678 had what Prevx describes as 'significant rootkit infections'. That equates to 1.46% or approximately one in 70 systems, which is almost 15 times higher than the one in 1,000 rootkit-infected PCs previously estimated by industry experts. In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14%, had one or more PCs harboring rootkit infections.
    These stats don't take into account the fact that users who scan their PCs are more likely to have concerns about infections..."

    > http://info.prevx.com/downloadcsi.asp
    "822,006 people have already checked their PC with Prevx CSI free, 182,018 were infected..."


  10. #50
    Adviser Team AplusWebMaster's Avatar

    $3 Billion lost to phishing

    FYI...

    - http://www.gartner.com/it/page.jsp?id=565125
    December 17, 2007 - "Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before. According to a survey of more than 4,500 online U.S. adults in August 2007 (which was representative of the online U.S. adult population) the attacks were more successful in 2007 than they were in the previous two years. Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005...
    The average dollar loss per incident declined to $886 from $1,244 lost on average in 2006 (with a median loss of $200 in 2007), but because there were more victims, $3.2 billion was lost to phishing in 2007, according to surveyed consumers. There was a bit of relative good news, however; the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64 percent of their losses in 2007, up from the 54 percent that 1.5 million adults recovered in 2006.
    PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
    Thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)...
    Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
    Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers..."

