September 06, 2011

July 30, 2011
Barely one month old, all eyes, including those from cybercriminals, are on Google’s latest foray into the social network community, Google+, as predicted by experts from security software company Kaspersky Lab.

Kaspersky Lab expert Maria Namestnikova said in their June 2011 Kaspersky Lab Spam Report that there could be a surge of spam in the coming days that are linked to Google+ as indicated by spammers trying to exploit growing interest in the new social networking service.

Targeting Google+ is an obvious move considering that two social networks, Facebook and Habbo, have seen increases in phishing attacks for the month of June.

“We expect an increase in unsolicited emails exploiting the new Google social network. They will most likely contain both phishing links and malicious code,” says Maria Namestnikova, senior spam analyst at Kaspersky Lab.

Namestnikova said that in June, phishers again tuned in on Google, which posted a 2.5 percent share in all phishing emails. Google’s Orkut social networking service accounts for about 0.08 percent of all phishing traffic for this month. While this is a small figure, it already shows the potential of Google+ as a target for phishers.

Google+ integrates several existing Google services, as well as new ones. Since its creation last June 28 on a limited basis, the service has already reached 20 million users, according to comScore. [1]

Meanwhile, Kaspersky Lab reports that the rank among the targets of phishing emails for June remains unchanged. Among the top targets are PayPal (44.73%), eBay (9.54%), Habbo (8.54%), and Facebook (6.67%).

The most common type of phishing spam being sent is related to computer fraud, which accounts for 29% of all phishing traffic. Namestnikova warns that this means that the intention is to extort money from would-be victims. Some of these phishing emails also contained malicious codes.

Apart from computer fraud, phishing emails related to health-related services and products are the second leading cause of phishing traffic. This is followed by personal finances (12.1%), other goods and services (9.6%), and fake designer goods (5.3%).

Russia and the USA remained as countries where malicious software such as fake antivirus was detected most frequently in mail traffic. Russia was at the top with the amount of blocked emails with malicious attachments (14.16%), though this decreased slightly from the previous month. USA, which ranked second, reported 10.56% in mail traffic with fake antivirus. It also reported a very slight decrease of just 0.3 percentage points from the previous month.

Meanwhile, the top five malicious programs distributed via mail traffic in June 2011 were Trojan-Spy.HTML.Fraud.gen (7.6%), Email-Worm.Win32.Mydoom.m (6.21%), Trojan.HTML.Fraud.fc (3.62%), Email-Worm.Win32.Bagle.gt (2.99%), Packed.Multi.MultiPacked.gen (2.66%).

“As we have already mentioned in previous reports, Mydoom.m andNetSky.q are malicious programs whose only functions are to harvest email addresses and to send copies of themselves to these addresses. Bagle.gt is yet another mail worm, but with more sophisticated functionality: it not only collects email addresses and sends a copy of itself to all email addresses harvested from the victim’s machine but downloads malicious programs itself from Internet resources,” Namestnikova says.

Among the highlights of the Kaspersky Lab June 2011 Spam Report are news related to anti-spam campaigns and legislation. For instance, in June, the Japanese parliament passed an important law that makes the creation, distribution, purchase and storage of malicious programs as well as the distribution of pornographic spam a criminal offence. In Russia, notorious spammer Leonid Kuvayev attended a hearing on June 7 in which he was accused of sexual crimes against minors.

On June 23, pharmaceutical spammer Pavel Vrubelevsky, was arrested on 23 June at Sheremetyevo airport. Vrubelevsky is known as the one who ordered a distributed denial-of-service (DDOS) attack on the Russian e-payment system Assist in July 2010.

[1] From CNet. “Google+ hits 20 million mark in three weeks,” http://news.cnet.com/8301-1023_3-20081650-93/google-hits-20-million-mark-in-three-weeks/?part=rss&subj=news&tag=2547-1_3-0-20

July 22, 2011

Tumblr, one of the fastest rising microblogging service with millions of users worldwide, has been recently hit by what seems to be one of the most publicized phishing attacks the social network has seen so far.

The attack, which happened in a span of several days, followed the same phishing patterns by luring Tumblr users to input their login information into a link in order to access “something special,” which is actually a pornographic content.

Hijacked Tumblr accounts will then propagate the phishing attack and thus keep the cycle going. This attack has so far been the most serious for the microblogging service.

An expert from leading secure content and threat management solutions developer Kaspersky Lab said there’s “nothing new” in the Tumblr attack.

Kaspersky Lab expert Stefan Tanase said “phishing is a game of numbers so even though many users are aware of this threat, there still are some of them who fall victim to this old social engineering trick.”

“Therefore, even with just a low efficiency rate in terms of percentage, thousands of accounts can still be easily compromised by cybercriminals if the phishing page is seen by enough people, ” he said.

According to Kaspersky Lab, a typical phishing attack involves the cybercriminals distributing fake emails, purportedly originating from major online banking or social networking organizations.

These emails usually request users to provide their confidential data and contain links to fake websites that mimic genuine ones.

Users falling victim to such schemes discover that the cybercriminals have used their social networking accounts to distribute spam and has taken money from their online financial accounts. The cybercriminals may even try to extort money from users in return for control of their hijacked accounts.

Tanase states that anyone using social networking services, even microblogging services, will have to be just as vigilant in keeping their accounts safe as much as they are with their other online accounts. Tanase says that cybercriminals will make various attempts to trick people into giving up their personal information.

Various phishing attempts have been made on other microblogging sites, such as Twitter. In a report, Kaspersky Lab expert Dong Yan said China’s own very popular microblogging site Sina Weibo with currently about 140 million users, fell victim to a recent phishing scam where the Trojan.JS.Iframe.fz was found.

Tanase suggests some tips for users of microblogging sites to avoid becoming victims of phishing attacks; be sure to log in directly on the website by manually typing the address in the browser. Avoid clicking suspicious links that purport to direct to alleged legitimate sites.

He also recommends to always browse through a secure connection, in particular HTTPS and not HTTP. If possible, check on the SSL (secure sockets layer) certificate of the host one is logging in to (to help user find out if its host’s file has been modified or in the case of a DNS cache poisoning attack or if the router is compromised).

Tanase said phishing emails look very much like genuine ones so he advises users to check the email headers (the link in the email link) to confirm the source, as email addresses can be easily spoofed.

The Kaspersky expert says microblogging sites also use shortened URLs, which makes it even more difficult to know if a link is legitimate. Having an internet security application installed should be able to detect the veracity of these URLs.

Also, Tanase advises users to be wary of sessions in legitimate websites that suddenly log out then ask for log-in access again. These could have been started by attackers who use web application vulnerabilities or social engineering to redirect users through fake log-in gateways.

Tanase also encourages users to employ modern browsers and ensure that all installed software are updated. In addition, users must apply fully featured Internet security software to stay protected against malicious software.

“Not specific to the Tumblr phishing attack itself, but a good advice anyway: always remember that your bank will never ask for your credit card details, and generally be suspicious about online forms requesting too much sensitive information,” says Tanase.

Just recently, Kaspersky Lab has been granted a patent on a new, innovative phishing technology in Russia. Its technology determines if a domain name of a site corresponds with its IP address. This essentially blocks cybercriminals’ attempts to redirect unwary users to fake websites.

The patented phishing technology was developed by Kaspersky Lab experts Aleksey Malyshev and Timur Biyachuev.

July 14, 2011

Increasing competition among cybercriminals for a chunk of earnings from data theft is also pushing the boundaries of malicious software development. So far, the destructive TDSS botnet has continued to be a primary weapon used by cybercriminals. Kaspersky Lab, a leading developer of secure content and threat management solutions, raised the alarm as it discovers TDL-4, the latest variant of the TDSS botnet, which is found to be destructive and powerful enough to remain hidden among other botnets.

Kaspersy Lab said the latest TDSS botnet variant could compete in stealing data from infected computers and was developed to be unnoticed even by commercial antivirus applications. TLD-4 has so far been widely used in a variety of attacks on both individuals and businesses. According to an analysis made by Kaspersky Lab experts, at least 4.5 million computer worldwide were found to be infected in the first three months of 2011.

About US$250,000 is estimated to have been spent by cybercriminals on the creation of a botnet made up of American users. Kaspersky Lab experts Sergey Golovanov says the new botnet was undetectable for months. He added that the TDL-4 has been found to have new capabilities not seen in previous variants. These included the ability to have its own encryption method in communicating with other infected computers, the use of peer-to-peer networks in sending commands, and even create a proxy server functionality that could allow cybercriminals to have undetectable, unlimited Internet access through infected computers. Golovanov adds that in particular, TDL-4 can now delete around 20 of the most popular competing products on an infected machine, among them such widespread programs as Gbot, ZeuS, Optima and others. Golovanov also found out that TDSS itself installs on a PC around 30 utilities, including fake anti-virus programs and systems for both increasing advertising traffic and distributing spam. One of the most significant new additions to TDL-4 is the possibility to infect 64-bit operating systems. To control the botnet – besides the command servers – for the first time, the Kad public file exchange network is being used.
“Such is the tenacity of the TDL-4 that it can even destroy other competing applications. This means that cybercriminals are fighting among themselves to secure their positions in the lucrative and illegal underground industry, “ Golovanov says. Igor Sumenkov, another Kaspersky Lab expert who investigated the spread of TDL-4, says that the intensity of the competition is growing that cybercriminals are heavily investing in both technology and manpower in their nefarious business.

Sumenkov says another new function of TDL-4 is the possibility to open a proxy-server. Cybercriminals offer anonymous access services via infected computers, charging for such a service around US$100 per month.

He says TDL-4 is distributed mainly with the use of so-called partner programs and affiliates.

“The authors of the malware are not expanding the network of infected computers themselves; instead they pay third parties to do it. Depending on the particular terms and conditions, partners are paid from US$20 to US$200 for the installation of a thousand malicious programs,” according to Sumenkov. The Kaspersky Lab experts warn that the release of the TDL-4 is just an indication of the risks cybercriminals are willing to take just to earn from the misery of victims. “We don’t doubt that the development of TDSS will continue,” said Golovanov and Sumenkov. “Malware and botnets connecting infected computers will cause much unpleasantness – both for end-users and IT-security specialists. Active reworkings of TDL-4 code, rootkits for 64-bit systems, the launch of a new operating system, use of exploits from the Stuxnet arsenal, use of p2p technologies, proprietary “anti-virus” and much, much more make the TDSS malicious program one of the most technologically developed and most difficult to analyze,” they conclude.

July 5, 2011

The recent attack on the official website of Philippine Vice President Jejomar Binay could just be the start of more attacks on government websites.

Costin Raiu, Kaspersky Lab Global Research and Analysis Team Director, says the government must put in place their own defense strategies against attacks on government websites. They must also conduct security audits of their servers as soon as possible to identify potential vulnerabilities.

“First of all, it’s important to have an anti-DDoS (distributed denial-of-service) plan – be it from increasing the internet bandwidth to purchasing a specific anti-DDoS service plan,” Raiu says.

DDoS is done by overwhelming a target website with visits from different sources until the site crashes from handling too many visits.

Raiu adds that in case vulnerabilities are found, the websites’ servers must go offline temporarily to reduce damage.

“Past logs should be analyzed for previous probes which could have uncovered bugs than can now be exploited,” he says.

“Given the past incidents of this kind, it is expected that the attack will consist of a DDoS flood designed to bring down the server and make it unreachable. It’s possible the confidential information will be sought after, so the defense strategies would be multiple,” Raiu warns.

According to the Kaspersky expert, even with the best ways to protect websites, there could still be attacks that might get through. As such, Raiu says governments must have contingency plans in place to ensure continued operations of the websites.

“Of course, a highly sophisticated targeted attack will always succeed–this is why there should be mitigation steps as well as disaster recovery procedures–like backups, server replacement/relocation and redundancy,” Raui said.

Website hacking is one of the oldest forms of cybercrime. The defacement of a website is intended to insult the owners and sometimes as a hobby. Later, these attacks became a form of game for hacker groups.

When websites of government offices are defaced, the attackers are doing more than just a hobby; they may be sending out a message of disrespect and one goal is to show people that they are not protected by their government. The attacks could be in a form of website defacement though other techniques include DDoS.

Aside from the defacement of the official website of the Vice President, other government websites have also fallen victim to hackers. These include the Department of Labor and Employment (DOLE), Philippine Nuclear Research Institute (PNRI), and the Food and Drug Administration (FDA). Last year, the websites of the Technical Education and Skills Development Authority (TESDA), the Department of Interior and Local Government (DILG), and the Philippine Information Agency (PIA) were also hacked.

Similar attacks on Malaysia’s government websites were done by a group of hackers.