SPAM frauds, fakes, and other MALWARE deliveries - archive

Spamvertised.. campaign serving scareware

FYI...

Spamvertised.. campaign serving scareware
- http://ddanchev.blogspot.com/2011/04/spamvertised-reqest-rejected-campaign.html
April 12, 2011 - "A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.
Sample subject: Reqest rejected (SP?)
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
Detection rate:
- http://www.virustotal.com/file-scan...84caa5e5a5407a689926050a061d67b932-1302746736
File name: EX-38463.pdf.exe
Submission date: 2011-04-14 02:05:36 (UTC)
Current status: finished
Result: 35/41 (85.4%)
... Upon execution downloads hdjfskh .net/ pusk .exe - 208.43.90.48...
Detection rate:
- http://www.virustotal.com/file-scan...9dbd30e3d1e07d788b45aac0d6cf61e83c-1302681312
File name: VRB.EXE.Muestra EliStartPage v23.03
Submission date: 2011-04-13 07:55:12 (UTC)
Current status: finished
Result: 19/42 (45.2%)

Phones back..."

(More detail at the ddanchev.blogspot URL above.)

:mad:
 
Fraud - intuit TurboTax e-mails ...

FYI...

Fraud - intuit TurboTax e-mails...
- http://security.intuit.com/alert.php?a=29
04/15/2011 - "... fraudulent email (copy shown at the URL above)...
What we won't do
- We will -never- send you an email with a "software update" or "software download" attachment.
- We will -never- send you an email asking you for login or password information to be sent to us.
- We will -never- ask you for your banking information or credit card information in an email. We will -never- ask you for confidential information about your employees in an email.
What we'll do
- We will provide you with instructions on how to stay current with your Intuit product, and we will provide you with information on how to securely download an update from your computer.
- If we need you to update your account information, we will request that you do so by logging into your account..."

:sad::mad:
 
Another Facebook scam...

FYI...

Facebook scam "My Top 10 stalkers"...
- http://community.websense.com/blogs...kers-targets-users-in-specific-countries.aspx
19 Apr 2011 - "A new spam campaign, similar to campaigns we have seen in the past, is spreading on Facebook... It works by creating an album - “My Top 10 stalkers” - with the description "Check who views your profile @," followed by a bit.ly URL-shortened link. It then automatically uploads a photo to the app and tries to mark all the user's friends in the photo... The bit.ly link redirects the user to a page that uses JavaScript to determine the geographical location of the computer based on its IP address. Depending on the location, the page then redirects users located in specific targeted countries to the Facebook App in an attempt to further spread the infected link. The campaign is targeted at Facebook users in the United States, Canada, United Kingdom (including a specific target for Great Britain), Saudi Arabia, Norway, Germany, Spain, Slovenia, Ireland, and United Arab Emirates... Regardless of whether the JavaScript redirects the browser to the Facebook app because of its origin, all users are ultimately redirected to a scam page that tries to lure them into completing several fake surveys. Hackers use this method to try to collect personal information such as the user's home address, e-mail address, or phone number... If the user tries to navigate away from the page or close the browser, a message appears asking them to stay and complete a "SPAM-free market research survey to gain access to this special content." Special it may sound, but it is definitely not spam-free! As always, if a page forces you to Like, Share, or install an application in order to view it, DON'T..."
(Screenshots available at the URL above.)

:mad:
 
TDL rootkit bypasses security on x64 Vista/Win7

FYI...

TDL rootkit bypasses security on x64 Vista/Win7
- http://www.informationweek.com/news/security/vulnerabilities/229402086?printer_friendly=this-page
April 22, 2011 - "The malware state of the art continues to improve. In particular, the latest version of the TDL rootkit family - aka Olmarik, TDSS, Alureon - contains sophisticated mechanisms for bypassing security features built into 64-bit versions of Microsoft Windows Vista and Windows 7, and can download additional, standalone malware applications. The fourth version of the TDL malware first appeared* in August 2010 and contained sophisticated new techniques for defeating security measures... TDL4 can "load its kernel-mode driver on systems with an enforced kernel-mode code signing policy," meaning the 64-bit versions of Vista and Windows 7. At that point, the malware can hook directly into the Windows operating system... Since the fourth version of TDL first appeared, it's undergone numerous, incremental revisions. For example, in March 2011, a new version of TDL4 appeared that - after infecting a PC - installs the standalone Glupteba.D malware**, which can then download and execute other pieces of malware... no matter the security defense, such as driver signing, a way to defeat it can be found..."
* http://www.informationweek.com/news/security/vulnerabilities/228300365?printer_friendly=this-page

** http://resources.infosecinstitute.com/tdss4-part-1/
April 19, 2011

:mad::mad:
 
SPAM - malicious e-mail msgs...

FYI...

Virus Outbreak In Progress...
- http://www.ironport.com/toc/
April 25, 2011

- http://tools.cisco.com/security/cen...currentPage=1&sortOrder=d&pageNo=1&sortType=d

Fake Microsoft Live Messenger Download Link E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23009
Fake Purchase Receipt E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23008
Malicious Program Download E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23007
Fake Malware Threat Notification E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23006
Fake UPS Shipment Error E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=19743
Malicious Video Link E-mail Messages - April 25, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=21895

Fake CNO Guidance Attachment E-mail Messages - April 21, 2011
- http://tools.cisco.com/security/center/viewAlert.x?alertId=22996
Malicious Photo Attachment E-mail Messages - April 22, 2011 ...
- http://tools.cisco.com/security/center/viewAlert.x?alertId=23003

:fear::mad:
 
Spamvertised "Successfull Order..." leads to scareware

FYI...

Spamvertised "Successfull Order..." leads to scareware
- http://ddanchev.blogspot.com/2011/04/spamvertised-successfull-order-977132.html
April 28, 2011 - "A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.
Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that your order has been received and is currently being processed.
Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address. You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc”...
Sample attachments: Order_details.zip ...
Detection rates...
* http://www.virustotal.com/file-scan...644ff8e549a0a83632faa19cd43e02b904-1303915483
File name: Order details.exe
Submission date: 2011-04-27 14:44:43 (UTC)
Result: 24/40 (60.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...644ff8e549a0a83632faa19cd43e02b904-1303987793
File name: 1
Submission date: 2011-04-28 10:49:53 (UTC)
Result: 34/42 (81.0%)

>>> Upon execution phones back to: kkojjors.net/f/g.php - 95.64.9.15...
variantov.com/pusk.exe - 94.63.149.26...
** http://www.virustotal.com/file-scan...1064e760bdaa90a36595b9780be54a5a05-1303916125
File name: pusk.exe
Submission date: 2011-04-27 14:55:25 (UTC)
Result: 4/41 (9.8%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...1064e760bdaa90a36595b9780be54a5a05-1303939887
File name: hew.exe.VIR
Submission date: 2011-04-27 21:31:27 (UTC)
Result: 11/41 (26.8%)

:mad::mad:
 
Malicious SPAM on the rise...

FYI...

Malicious SPAM on the rise...
- http://labs.m86security.com/2011/04/malicious-spam-on-the-increase-again/
April 29, 2011 - "... our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising*, although still not as high as the peaks we saw mid last year... After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc. – an online jewellery brand. There is a chance that people might fall into this trap especially as it claims money on your credit card was involved. But take a closer look at the subject line: Successfull Order 3677718, that wrong spelling should easily alert you that this email is a scam... Another malicious spam campaign originating from the Donbot botnet that came in later this week. It uses a common, uncreative theme with subject lines like, “my hot pic : )“, “my naked pic is attached“, etc. The Donbot botnet’s spam output is on the rise and this is the first time we have seen it spreading malicious attachments... In addition, this week we have been seeing more of the Asprox botnet’s “Spam from your Facebook account” campaign, that preys on people's fears about the security of their Facebook accounts. This campaign first came out last year, illustrating that the bot herders behind Asprox often cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate among others... The attachment is a Trojan that aims to seed the Asprox bot executable in the infected host, which is then used for spamming purposes..."
* http://labs.m86security.com/wp-content/uploads/2011/04/maliciousSpam.png

:mad::mad:
 
Facebook Scam... leads to Adware

FYI...

Facebook Scam... leads to Adware
- http://labs.m86security.com/2011/05...news-iphone-5-first-exposure-leads-to-adware/
May 1, 2011 - "... we observed a new type of scam, this one leveraging Facebook’s new social plugin for websites that allow for comments. This is being exploited by scammers to get their rogue websites visible on users’ news feeds... There are various flavors of the scam making the rounds. However, the newest one to make the rounds focuses on a familiar Apple product: the iPhone. With rumors circulating about the iPhone 5, loyal Apple followers are drawn to the various news articles that cover these stories... The report claims to be from Wired News and has one of those headlines that is used to lure a user into clicking on the link... Once a user clicks on the link, they are -redirected- to a random .info site. There have been over 10 of these in circulation for this particular scam. Before the user can click on anything, they are asked to answer a CAPTCHA-like verification form... Unlike most Facebook scams of late, at the end of this rainbow, there is no survey scam. Instead, the users are prompted to download an executable file. The executable file is videogameboxinstaller.exe and it is dubious in nature, as it downloads other pieces of software... PageRage notes in its terms above that it will display ads to the end user. Sounds like Adware? Four antivirus vendors agree*, flagging this as Adware.Yontoo... "
* http://www.virustotal.com/file-scan...dab63c7fbf92ba92e6c1e49a877c462b4a-1304294930
File name: pagerage.exe
Submission date: 2011-05-02 00:08:50 (UTC)
Result: 4/41 (9.8%)

:mad:
 
Goal.com serving malware

FYI...

Goal.com serving malware
- http://blog.armorize.com/2011/05/goalcom-serving-malware.html
5.02.2011 - "Goal.com receives 232,116 unique visitors per day according to compete.com, 215,989 according to checksitetraffic.com, and ranks 379 globally on alexa.com. Recently between April 27th to 28th, it was detected by HackAlert to be actively serving malware (drive-by downloads). From what we've observed, we believe the attacker has a way into goal.com's system and was only testing during this time. This is our technical report.
Summary
A. From what we've collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com's content.
B. During this time we've observed different malicious scripts injected into goal.com, leading us to believe that this isn't a one-time mass SQL injection attempt. We've also not found the injected content to appear in other websites.
C. The malicious domains include:
1. pxcz .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
2. opofy7puti .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
3. justatest .cz .cc, which is neither being flagged by any antivirus blacklist nor by Google SafeBrowsing.
> This further suggests that this is an attack targeted at goal.com
D. Duration was between April 27th to 28th. The attacker seemed to be testing their injections and was picked up by our scanners.
E. Browser exploits used during this "test-drive" included: CVE-2010-1423 (Java), CVE-2010-1885 (MS help center HCP), CVE-2009-0927 (PDF), and CVE-2006-0003 (MS MDAC).
F. The g01pack exploit pack was being used. It includes a fake admin page which is used as a honeynet for security researchers--to allow the attacker to observe who is studying their malicious domains.
G. The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection.
H. Malware served was packed with UPX and modifies setupapi.dll and sfcfiles.dat. When we first submitted it to VirusTotal, 4 out of 41 antivirus vendors were able to flag it.
I. The malware connects to the following domains:
1. testurl .ipq .co:80 (in UK), which again, is neither flagged by any antivirus blacklist nor by Google SafeBrowsing
2. 74.125.47.99 :80 (US), which reverses back to coldgold .co .uk, and which again, isn't blacklisted by any, including Google SafeBrowsing.
Details:
3. banderlog .org, not flagged by antivirus / Google SafeBrowsing, but has some records on clean-mx.de..."

(More detail and screenshots available at the blog.armorize URL above.)

:fear::mad::fear:
 
SPAM - Osama dead pics

FYI...

Osama alive scam - Twitter
- http://www.theregister.co.uk/2011/05/24/osama_alive_twitter_scam/
24 May 2011
___

Osama RTF Exploit
- http://www.f-secure.com/weblog/archives/00002154.html
May 5, 2011
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3333
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3334
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3335
CVSS v2 Base Score: 9.3 (HIGH)
- http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx
• V2.1 (April 12, 2011): Announced that the security update for Microsoft Office 2004 for Mac (KB2505924) offered in MS11-021, MS11-022, and MS11-023 also addresses the vulnerabilities described in this security bulletin.
- http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx
> CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
- http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx
> CVE-2011-0655
- http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx
> CVE-2011-0107, CVE-2011-0977
___

SPAM - Osama dead pics
- http://www.symantec.com/connect/blo...attacks-flourish-following-news-osama-s-death
3 May 2011 - "The first spam using the news of Osama Bin Laden’s death was seen in the wild within three hours of the event—Symantec reported this spam activity along with other spam samples in a blog entitled “Osama Dead” is No Longer a Hoax. As anticipated, we started observing a rise in malicious and phishing attacks... The links in this spam email dump Downloader onto the victim’s machine, which in turn downloads the actual malware. Further analysis of these attacks shows that most of the malicious attacks have originated from Brazil, Europe, and the U.S... Spammers are making an effort to not only push the messages into users’ inboxes, but also getting them to open and install the executable payload... The phishing site shows an auto-running Bin Laden related video in an iframe and asks the user to click on a link to download a “complete” video. Clicking on that link forces the download of an .exe file..."

- http://community.websense.com/blogs...quot-real-quot-osama-bin-laden-dead-pics.aspx
04 May 2011 03:26 PM - "Messages inviting users to see the "real photos" of Osama Bin Laden's remains made the rounds in the email realm today, in addition to the Facebook scams and malware recently spread via Twitter abusing the same topic... Clicking on the provided link prompts the user to download a file called FOTOS.Terroris.zip, which is fairly detected by AV engines*."
* http://www.virustotal.com/file-scan...40043f72c12ec0da4697dd162f86b16b1a-1304596429
File name: Fotos.exe.vir
Submission date: 2011-05-05 11:53:49 (UTC)
Result: 30/42 (71.4%)

- http://www.us-cert.gov/current/#osama_bin_laden_s_death
May 2, 2011
___

Osama malware scams spread to Facebook
- http://www.theregister.co.uk/2011/05/03/osama_malware_scams/
3 May 2011

:fear::fear:
 
Goal.com serving malware - updated

FYI...

Goal.com serving malware - updated...
- http://blog.armorize.com/2011/05/goalcom-serving-malware.html
Updates - "... The chain of infection is:
1. goal .com, includes iframe to pxcz .cz .cc
2. pxcz.cz.cc iframes to justatest .cz .cc
3. justatest .cz .cc runs the exploit pack g01pack, serves exploits based on visitor's browser type
4. exploit compromises browser, downloads malware from justatest .cz .cc
5. malware links to testurl .ipq .co (UK), 74.125.47.99 :80 (US, coldgold .co .uk), and banderlog .org...
> A unique feature of this exploit pack is the inclusion of a fake admin / stats page. This page supports common id / password combinations like admin / admin to trick security researchers into believing that they've obtained access to the exploit pack's admin page... Once logged in, the researcher is presented with a fake infection stats page. In reality, this allows the attacker to gain insights into who has identified the malicious domain, and is conducting investigation...
The exploit codes were well mutated. We don't mean well "obfuscated," because in addition to obfuscation, the primitive form of the exploit itself has been mutated well so as to avoid detection..."
___

Goal.com spreading malware again: "Security Shield" fake anti-virus
- http://blog.armorize.com/2011/05/goalcom-spreading-malware-again.html
5.17.2011

:fear::fear:
 
New bank trojan - "Sunspot" ...

FYI...

New bank trojan - "Sunspot"...
- http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform
11 May 2011 - "... identified a little known Windows malware platform that has been in circulation for some time, but was never previously recognized for its financial fraud capabilities. We named it Sunspot. It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus–like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real... In addition to Sunspot, Trusteer alone also has discovered several malware platforms over the past 18 months including Silon, OddJob and several others. Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts. Once installed, it targets Internet Explorer and Firefox browsers. This is a very modern malware platform with sophisticated fraud capabilities... According to a Virus Total analysis, only nine of 42 anti-virus programs tested, or 21%, currently detect Sunspot. It can carry out man-in-the-browser attacks including web injections, page grabbing, key-logging and screen shooting (which captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard)... We traced the Sunspot Command and Control Server (C&C) hostname to a domain registered in Russia. Once installed, Sunspot is started either by "rundll32.exe" via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or via HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox). Inside the browser it hooks several Wininet/NSPR4/user32 functions for web injections, page grabbing and key-logging... The take away for financial institutions from Sunspot remains the same. 
A layered security approach that combines server-side and client-side zero day attack protection is the most effective way to protect users against crime ware, since anti-virus programs are lagging way behind in their ability to detect these programs."

:mad:
 
Multiple Facebook scams...

FYI...

Multiple Facebook scams...
- http://www.theregister.co.uk/2011/05/12/facebook_spam_prevention_scam/
12 May 2011 - "... junk messages on Facebook is being used to bait a new scam doing the rounds on the social network. Prospective marks in receipt of the fraudulent messages are invited to "verify" their account in order to "prevent spam". Recipients who respond to the message by clicking on a link end up sharing it on their wall as well as spreading highly obfuscated JavaScript... A full write-up of the scam, including images of the offending messaging, can be found in a blog post by Sophos here*..."
* http://nakedsecurity.sophos.com/201...am-scam-on-facebook-does-exactly-the-opposite
May 12, 2011

- http://www.f-secure.com/weblog/archives/00002157.html
May 12, 2011

- http://isc.sans.edu/diary.html?storyid=10870
Last Updated: 2011-05-12 08:38:17 UTC
- http://blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/

:fear::fear:
 
Win7/Vista e-mail malware - unicode tricks ...

FYI...

Win7/Vista e-mail malware - unicode tricks...
- http://www.theinquirer.net/inquirer...malware-camouflaged-unicode-filename-trickery
May 13 2011 - "... Windows PC users have been warned about malware Trojans that camouflage malicious executable files using a fancy unicode trick*. Unicode is a computing industry standard that provides a unique number for every character you use, no matter what system you are using. With malicious trickery, criminals have worked out how to fiddle with unicode so that some characters in a Windows filename can be reversed. Security firm Norman* found malicious email attachments that appeared on the surface to have filenames with standard alphabetical characters, with unicode-capable viewers seeing nothing out of the ordinary. However, if you look at the file from a command prompt, it shows that the last bit of the filename has actually been reversed, and that this seemingly innocuous emailed file is actually an executable.
Norman tested other filenames, and found that the same unicode trick allowed files to hide the fact that they were executable in the email client Lotus Notes. The firm said that any filename could hide extensions like PDF and EXE using the trick.
The firm said that the issue only affects Windows Vista and Windows 7 users, as Windows XP users have to install support for right-to-left languages in order to be vulnerable..."
* http://norman.com/security_center/security_center_archive/2011/rtlo_unicode_hole

:mad:
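An added example (not from the Inquirer or Norman write-ups) of the defensive check a mail gateway or attachment scanner can apply: it looks for Unicode bidi controls in attachment names, compares the extension the OS will act on against the extension a bidi-aware viewer shows, and flags the mismatch. The sample filenames are constructed; the displayed-name model only handles the override/pop pair, which is enough to expose the spoofed extension.

```python
import unicodedata

# Unicode bidi control characters that can reorder how text is displayed.
# U+202E (RLO) is the one the Norman write-up describes; the others are
# included because they permit the same kind of shown/actual mismatch.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200e", "\u200f",                                 # LRM RLM
}

# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}


def find_bidi_controls(name):
    """Return [(index, unicode name)] for every bidi control in the filename."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name)
            if ch in BIDI_CONTROLS]


def actual_extension(name):
    """Extension the OS uses: text after the last dot once the controls are
    removed (they are invisible and do not change what the shell matches)."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[1].lower() if "." in cleaned else ""


def displayed_name(name):
    """Model what a bidi-aware viewer renders: text after U+202E is shown
    reversed until a U+202C pops the override. Simplified model, enough to
    expose the apparent extension."""
    idx = name.find("\u202e")
    if idx == -1:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, tail = name[:idx], name[idx + 1:]
    end = tail.find("\u202c")
    if end == -1:
        return head + tail[::-1]
    return head + tail[:end][::-1] + displayed_name(tail[end + 1:])


def assess_attachment(name):
    """Classify one attachment filename. Verdicts: clean, executable,
    suspicious (controls present), spoofed-executable (controls present and
    the shown extension differs from the real, executable one)."""
    controls = find_bidi_controls(name)
    real = actual_extension(name)
    shown = displayed_name(name)
    apparent = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    if controls and real in EXECUTABLE_EXTS and apparent != real:
        verdict = "spoofed-executable"
    elif controls:
        verdict = "suspicious"
    elif real in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "clean"
    return {"name": name, "controls": controls, "actual_ext": real,
            "displayed": shown, "apparent_ext": apparent, "verdict": verdict}


# Constructed sample attachment names (not taken from any real campaign).
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "setup.exe",
    "Invoice_\u202efdp.exe",            # renders as "Invoice_exe.pdf"
    "photo_\u202egpj.scr",              # renders as "photo_rcs.jpg"
    "notes\u200e.docx",                 # a stray mark, not an override
]


def scan_attachments(names):
    """Return the names that should be blocked or quarantined."""
    return [a["name"] for a in map(assess_attachment, names)
            if a["verdict"] in ("spoofed-executable", "executable")]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        a = assess_attachment(n)
        print(f"{a['verdict']:20} real=.{a['actual_ext']:5} shown={a['displayed']!r}")
```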
 
Geek.com hacked with an exploit kit

FYI...

Geek.com hacked with an exploit kit
- http://research.zscaler.com/2011/05/geekcom-hacked-with-exploit-kit.html
May 15, 2011 - "... The attack vector remains the same, namely injecting a malicious HTML Iframe or script tag into the legitimate pages... the malicious Iframe is injected at the bottom of the page... -redirects- victims to a malicious website hosting an exploit kit. Once you visit, heavily obfuscated JavaScript is returned which will target various known vulnerabilities..."
(Screenshots and more detail available at the URL above.)

- http://www.theregister.co.uk/2011/05/17/geek_dot_com_infected/

:fear::mad:
 
Criminals trading in Twitter ...

FYI...

Criminals trading in Twitter ...
- http://www.f-secure.com/weblog/archives/00002159.html
May 18, 2011 - "Surely nobody would sell stolen credit cards on Twitter? Except they do... he seems to sell credit card info, most likely collected with keyloggers from infected home computers. The prices of stolen credit cards range from $2 to $20, depending on the country where they were stolen from... if you'd rather not use stolen credit cards yourself, you can have him buy you iPhones, iPads and laptops with stolen credit cards and ship them to you. In practice, the thief will log into an online store, then purchase an iPad as a gift purchase, giving your address as the delivery address and paying for the goods with a stolen credit card. An iPad bought like this goes for $150... But keyloggers collect more than credit cards. They also record passwords when you log into online services. So this vendor is also selling access to other people's online bank accounts. An account with a balance of $28,000 sells for $1,000... to prove he really has the goods, the vendor posts "demo" information. Which basically is personal information of a handful of victims, including names, home addresses, credit card numbers and passwords...
The accounts shown above* have been reported to relevant authorities."
* (Screenshots and more detail at the f-secure URL above.)

:sad::mad:
 
Fraudsters suck $1.4B from Airlines

FYI...

Fraudsters suck $1.4 Billion from Airlines
- http://www.securityweek.com/fraudsters-suck-14-billion-airlines
May 18, 2011 - "According to recent survey findings coming from CyberSource*, a Visa company, airlines lost an estimated $1.4 billion due to online payment fraud in 2010. But with so many security checks that come along with air travel, how is this possible? A typical fraud scenario in the airline industry plays out like this:
1. A fraudster illegally obtains credit card data;
2. The fraudster obtains the name, address, and other appropriate information for a genuine customer interested in buying "discount" tickets;
3. The fraudster buys the ticket in the innocent person's name, using the stolen credit card number;
4. The fraudster delivers ticket to the customer and receives payment typically in cash..."
* http://www.cybersource.com/news_and_events/view.php?page_id=1900
May 18, 2011

... Meanwhile, the TSA "security" groping and fondling continues...

:sad:
 
SpyEye attack on Verizon ...

FYI...

SpyEye attack on Verizon...
- http://www.trusteer.com/blog/spyeye-attack-verizon-exposes-pci-shortcomings
May 18, 2011 - "We recently discovered a configuration of the SpyEye Trojan targeting Verizon’s online billing page and attempting to steal payment card information. The attack took place between May 7th and 13th. SpyEye uses a technique called “HTML injection” to modify the pages presented in the victim’s browser, in this particular case the injected HTML is used to capture the following credit card related data. The attack is transparent to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is fraudulent... it continues a financial malware trend we have been tracking in recent weeks: a shift away from stealing usernames and passwords to stealing payment and credit card data... this practice allows criminals to commit card non present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot be traced back to a specific computer. Whether it’s on consumer machines, call center computers, or point of sale systems, attackers are targeting endpoints to steal readily available payment card data. This trend is exposing a major shortcoming in the Payment Card Industry Data Security Standard (PCI-DSS), which only requires endpoints to be running anti-virus software. As we have seen, anti-virus software is unable to effectively defend against zero day attacks..."
(More detail available at the trusteer URL above.)

:fear::mad:
 
Fake Apple store order notifications...

FYI...

Fake Apple store order notifications...
- http://community.websense.com/blogs.../19/an-apple-a-day-promotes-wikipharmacy.aspx
19 May 2011 - "Fake Apple Store Order Notifications have been making rounds for months now. The volume of this particular spam campaign is not as astonishing as other past campaigns. It is actually the exact opposite of those massive outbreaks that distribute hundreds of thousands of spam emails for a few hours and suddenly -stop- the next day. Typically, the email contains a link that -redirects- users to a very familiar pharmacy spam site. These links either belong to compromised sites or newly registered domains... Today, we noticed the same fake Apple Store email redirecting users to a different, relatively new pharmacy spam web template. The new template channels a wikipedia feel to it and is cleverly titled "WikiPharmacy". Looking deeper into the IP where this domain is hosted, we learned that it caters to over 24,000 other domains. These domains were all used in pharmacy spam campaigns at one point."
(Screenshots available at the websense URL above.)

- http://sunbeltblog.blogspot.com/2011/05/dear-apple-store-customer.html
May 20, 2011

:mad:
 
PHP file injections ...

FYI...

PHP file injections - osCommerce malware: Cannot redeclare corelibrarieshandler
- http://blog.sucuri.net/2011/05/oscommerce-malware-cannot-redeclare-corelibrarieshandler.html
May 19, 2011 - "...for the last few days we started to see many of those osCommerce sites that were hacked, generating errors when trying to access them:
... Fatal error: Cannot redeclare corelibrarieshandler() ..
And according to Google, there is probably about 10k pages with this type of error. So what is going on? It seems that the attackers tried to inject more -malware- into sites, but made a mistake... at the top of every PHP file... Which instead of doing what they planned, caused all the sites to fail with this error “Fatal error: Cannot redeclare corelibrarieshandler() (previously declared in…”. Very annoying for both sides involved. To clean it up, you have to remove that piece of code from the top of every PHP file and properly secure osCommerce..."

:sad::mad:
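An added example (not from the Sucuri post) of how an administrator can locate the injected prologue across an osCommerce tree: PHP raises "Cannot redeclare" when one function is declared in two files that get included in the same request, so the scanner reports every function declared in more than one file and specifically flags files whose head declares corelibrarieshandler, the name quoted in the post. The sample tree and the placeholder prologue are constructed; the real injected code is not reproduced.

```python
import os
import re
from collections import defaultdict

# Matches a PHP function declaration and captures its name. Methods inside
# classes match too, so names legitimately shared across classes
# (constructors and other magic methods) are skipped in declared_functions.
FUNC_RE = re.compile(r"\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\(", re.IGNORECASE)

# Function name quoted in the Sucuri post; any declaration of it is injected.
KNOWN_INJECTED = {"corelibrarieshandler"}


def declared_functions(src):
    """Set of lower-cased function names declared in one PHP source."""
    return {m.group(1).lower() for m in FUNC_RE.finditer(src)
            if not m.group(1).startswith("__")}


def scan_sources(sources, head_chars=2048):
    """sources: {path: source text}. Returns (injected, duplicates):
    injected   - files whose first head_chars declare a known injected name
    duplicates - {function: [paths]} for each name declared in >1 file, the
                 condition behind PHP's 'Cannot redeclare' fatal error."""
    by_name = defaultdict(list)
    injected = []
    for path, src in sources.items():
        for n in declared_functions(src):
            by_name[n].append(path)
        if declared_functions(src[:head_chars]) & KNOWN_INJECTED:
            injected.append(path)
    duplicates = {n: sorted(p) for n, p in by_name.items() if len(p) > 1}
    return sorted(injected), duplicates


def scan_tree(root):
    """Read every .php/.inc file under root and scan it."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".php", ".inc")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return scan_sources(sources)


# Constructed stand-in for the injected prologue: a bare declaration with a
# placeholder body (no guard, so a second include redeclares it).
INJECTED_PROLOGUE = ("<?php function corelibrarieshandler() "
                     "{ /* constructed placeholder */ } ?>\n")

# Constructed mini osCommerce tree: two files got the prologue, one did not.
SAMPLE_SOURCES = {
    "index.php": INJECTED_PROLOGUE +
        "<?php require('includes/application_top.php'); ?>\n",
    "includes/application_top.php": INJECTED_PROLOGUE +
        "<?php function tep_db_connect() { return true; } ?>\n",
    "includes/functions/html_output.php":
        "<?php function tep_href_link($page) { return $page; } ?>\n",
}


if __name__ == "__main__":
    import sys
    injected, duplicates = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
                            else scan_sources(SAMPLE_SOURCES))
    print("files with injected prologue:", injected)
    for name, paths in duplicates.items():
        print(f"'{name}' declared in {len(paths)} files -> {paths}")
```

Run it with the document root as the first argument to scan a real install; with no argument it scans the constructed sample tree.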
 