Posts Tagged: google


26
Jun 13

How Much is Your Gmail Worth?

If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground.

My Gmail was priced at $28.90.

My Gmail was priced at $28.90.

The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper’s account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that’s computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.

In a blog post earlier this month titled The Value of a Hacked Email Account, I noted that many people do not realize how much they have invested in their email account until that account is in the hands of cyber crooks. That post quoted prices from one seller in the cybercrime underground who buys compromised accounts, such as hacked iTunes accounts for $8, or credentials to Groupon.com for $5, for example.

Chris Kanich, assistant professor at UIC’s computer science department and principal organizer of the project, said Cloudsweeper’s pricing model is built on prices collected from multiple sellers across multiple underground forums and services. I ran one of my Gmail accounts through Cloudsweeper, and it determined my account would be worth approximately $28.90 to bad guys. While this is not a Gmail account I use every day, I was surprised at how many third party services I had signed up for using it over the years. According to Cloudsweeper, bad guys with access to my account could also hijack my accounts at Amazon, Apple, Groupon, Hulu, NeweggPaypal, Skype, UPlay and Yahoo, to name a few.

Cloudsweeper uses the Open Authentication (OAuth2) protocol to connect to your Gmail account and search through messages. OAuth is an open standard for online authorization, and using it with Cloudsweeper does not require you to type in your password as long as you are already logged into the Gmail account that you’d like scanned. Cloudsweeper doesn’t keep your credentials, and it forgets about your visit and inbox after you log out of the service, or within 60 minutes of inactivity.

PLAIN TEXT OFFENDERS

Prior to performing a scan, the service asks users if they wish to participate in a study, which Kanich said gathers and securely stores non-personally identifiable information about Cloudsweeper users who opt-in. That data includes how many types of accounts each user has tied to their Gmail. The study also draws on data from the second core feature of Cloudsweeper: The ability to discover and then redact or encrypt passwords that various services may send to users in plain text.

Continue reading →


25
Jun 13

Web Badness Knows No Bounds

If your strategy for remaining safe and secure online is mainly to avoid visiting dodgy Web sites, it’s time to consider a new approach. Data released today by Google serves as a welcome reminder that drive-by malware attacks are far more likely to come from hacked, legitimate Web sites than from sites set up by attackers to intentionally host and distribute malicious software.

Today, Google released a truckload of data from its Safe Browsing program, which flags and warns users about more than 10,000 suspicious and malicious Web sites each day. The information clearly shows that gone are the days when folks could avoid giving their computers a nasty little rash simply by staying out of the Internet’s red-light districts (networks with large aggregations of porn and piracy sites, for example).

Hacked, malicious Web sites far exceed malware sites constructed by attackers. Source: Google

Hacked, malicious Web sites far exceed malware sites constructed by attackers. Source: Google

At the same time, some places on the Internet clearly are far more dangerous than others, Google’s data sets show. Have a look at the following graphic, which lists the most hostile Internet providers in the United States (the U.S. is currently responsible for just 2 percent of the world’s malicious sites, Google says).

Concentrations of hacked and malicious sites at U.S. Internet providers.Source: Google

Concentrations of hacked and malicious sites at U.S. Internet providers.Source: Google

The most malicious U.S. network listed by Google — a data center run by a company in New York called Pilosoft — is no stranger to lists charting the top sources of badness online. Pilosoft figured prominently in Operation Ghost Click, a U.S. Justice Department takedown targeting the DNS Changer botnet, which had a significant portion of its operations based at Pilosoft. Google says it has scanned 13 percent of Pilosoft’s network, and found that more than half of the sites it scanned were malicious.

Other top badness concentrations have a history of courting malware purveyors. Ask Google’s report to display the most densely malicious ISPs regardless of country and you’ll notice some interesting names float to the top of the list. Among them, Santrex Internet Services, is a well-known offshore bulletproof hosting provider based in the Seychelles.

Some networks are completely overrun with malicious sites, and some actively seek out this condition.

Some networks are completely overrun with malicious sites, and some actively seek out this condition.

Of course, more mainstream networks and ISPs also are constantly battling malicious sites within their borders.  It’s worth noting that 22 percent of the sites hosted at one section of the network run by major ISP Comcast (AS20214)  are malicious, according to Google, although the company says it has scanned only 4 percent of this portion Comcast’s network so far. Google’s data is broken down by “autonomous system” (AS) numbers — which are basically a numerical way of keeping track of networks — and a large ISP may control numerous ASes.

Several other Comcast ASes are listed in the first few pages of Google’s index of U.S.-based badness. To be fair, Comcast is the nation’s largest cable Internet provider, so it’s perhaps unsurprising that it hosts so many compromised sites. However, Comcast’s largest competitor in the United States — Verizon — doesn’t appear until page 19 of Google’s results (with 5 percent of scanned sites malicious and 5 percent of the network scanned).

Continue reading →


14
Jun 13

Iranian Elections Bring Lull in Bank Attacks

For nearly nine months, hacker groups thought to be based in Iran have been launching large-scale cyberattacks designed to knock U.S. bank Websites offline. But those assaults have subsided over the past few weeks as Iranian hacker groups have begun turning their attention toward domestic targets, launching sophisticated phishing attacks against fellow citizens leading up to today’s presidential election there.

Phishing email targeting Iranians. Source: Google.

Phishing email targeting Iranians. Source: Google.

Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.

But roughly three weeks ago, experts began noticing that the attacks had mysteriously stopped.

“We haven’t seen anything for about three weeks now,” said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry coalition that disseminates data about cyber threats to member financial institutions. “It’s not clear why [the attacks stopped], but there are a lot of things going on in Iran right now, particularly the presidential elections.”

Meanwhile, data collected by Google suggests that the attackers are focusing their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates running for Iran’s presidential seat. In a blog post published this week, Google said that it is tracking a “significant jump” in the overall volume of phishing activity in and around Iran.

Continue reading →


11
Jun 13

Adobe, Microsoft Patch Flash, Windows

Patch Tuesday is again upon us: Adobe today issued updates for Flash Player and AIR, fixing the same critical vulnerability in both products. Microsoft‘s patch bundle of five updates addresses 23 vulnerabilities in Windows, Internet Explorer, and Office, including one bug that is already being actively exploited.

crackedwinA majority of the vulnerabilities fixed in Microsoft’s June patch batch — 19 of them — are addressed in a cumulative update for Internet Explorer (MS13-047). The other fix that Microsoft called specific attention to is MS13-051, which tackles a flaw in Office that “could allow remote code execution if a user opens a specially crafted Office document..or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader.”

This Office flaw, which is present in the latest versions of Office 2003 and Microsoft Office for Mac 2011, is already being exploited in targeted attacks, Microsoft said. According to the company’s advisory, this vulnerability was reported by Google. These attacks fit the profile of previous zer0-day incidents, which use targeted email lures and previously unknown vulnerabilities to break into high-value targets.

“When Google encounters flaws that exploit users’ computers, even when the flaws are in other companies’ software, we take strong action to mitigate those attacks,” a Google spokesperson said in response to a request for comment. “Based on the exploit and the way it has been utilized by attackers, we strongly believe the attacks to be associated with a nation-state organization.”

Adobe’s Flash and AIR updates also fix a critical bug that was reported by Google’s security team, although Adobe says it is not aware of any exploits or attacks in the wild against the vulnerability address in its update. The latest Flash version is 11.7.700.224 for Windows and 11.7.700.225 for Mac OS X.  This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome is not yet updated to v. 11.7.700.225, you may just need to restart the browser.

Continue reading →


27
Feb 13

Flash Player Update Fixes Zero-Day Flaws

Adobe has released an emergency update for its Flash Player software that fixes three critical vulnerabilities, two of which the company warns are actively being exploited to compromise systems.

brokenflash-aIn an advisory, Adobe said two of the bugs quashed in this update (CVE-2013-0643 and CVE-2013-0648) are being used by attackers to target Firefox users. The company noted that the attacks are designed to trick users into clicking a link which redirects to a Web site serving malicious Flash content.

Readers can be forgiven for feeling patch fatigue with Flash: This is the third security update that Adobe has shipped for Flash in the last month. On Feb. 12, Adobe released a patch to plug at least 17 security holes in Flash. On Feb. 7, Adobe rushed out an update to fix two other flaws that attackers were already exploiting to break into vulnerable computers.

Continue reading →


12
Feb 13

Fat Patch Tuesday

Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.

winiconFive of the 12 patches Microsoft released today earned its most dire “critical” label, meaning these updates fix vulnerabilities that attackers or malware could exploit to seize complete control over a PC with no help from users.

Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer; other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical patch fixes a flaw that is present only on Windows XP systems.

Updates are available via Windows Update or from Automatic Update. A note about applying these Windows patches: Today’s batch includes an update for .NET, which in my experience should be applied separately. In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works. Consider applying the rest of the patches first, rebooting, and then installing the .NET update, if your system requires it.

And for the second time in a week, Adobe has released an update for its Flash Player software. This one addresses at least 17  distinct vulnerabilities; unlike last week’s emergency Flash Update, this one thankfully doesn’t address flaws that are already actively being exploited, according to Adobe. Check the graphic below for the most recent version that includes the updates relevant to your operating system. This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Continue reading →


11
Feb 13

Yahoo! Pushing Java Version Released in 2008

At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

sitebuilderYahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo!  bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

Continue reading →


7
Feb 13

Microsoft, Symantec Hijack ‘Bamital’ Botnet

Microsoft and Symantec said Wednesday that they have teamed up to seize control over the “Bamital” botnet, a multi-million dollar crime machine that used malicious software to hijack search results. The two companies are now using that control to alert hundreds of thousands of users whose PCs remain infected with the malware.

bamitalThe tech firms said their research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google.

Users of machines infected with Bamital are likely to see a Web page like the one pictured at right the next time they search for something online. That’s because Microsoft convinced a judge at the U.S. District Court for the Eastern District of Virginia to give it control over the infrastructure that Bamital used to coordinate the search hijacking activities of host PCs.

On Wednesday, technicians working on behalf of both Microsoft and Symantec raided data centers at Leaseweb USA in Manassas, Va., and ISPrime in Weekawken, New Jersey, accompanied by U.S. federal marshals. The two companies are now using the botnet’s control channels to communicate with infected PCs and to notify affected users.

According to Microsoft’s lawsuit, Bamital is most often installed via drive-by downloads, which use exploit kits stitched into hacked and malicious Web sites. Microsoft said the bad guys behind the botnet exclusively used the Phoenix Exploit Kit, a malware tool that uses vulnerabilities in Web browsers to silently install malware.

Bamital alters the organic search results on the host machine, redirecting victims away from sites as indexed by the major search providers toward pages that provide advertising and referral commissions to affiliate marketers. Redmond included several examples in its petition to the court, such as when a victim with Bamital searches for Microsoft Halo, and upon clicking the top link in the results is taken to a completely different set of search engine results.

Microsoft employees (left) at  ISPrime, a hosting facility in New Jersey.

Microsoft employees (left) at ISPrime, a hosting facility in New Jersey.

Microsoft said Bamital also orders infected systems to participate in “click fraud,” or to generate automated Internet traffic by instructing those computers — without the owner’s knowledge or intervention — to connect to any Web site chosen by the botmasters. Meanwhile, the owner of the infected computer – even if they were sitting at the computer – would not see the hidden browser.

It’s not hard to see why threats like Bamital are so prevalent: An estimated $12.7 billion was spent on Internet advertising in 2012, and click fraud is taking a huge bite out of the expected returns. Microsoft’s own research indicates that 22 percent of all ad-clicks are fraudulent.

Continue reading →


15
Jan 13

Spam Volumes: Past & Present, Global & Local

Last week, National Public Radio aired a story on my Pharma Wars series, which chronicles an epic battle between men who ran two competing cybercrime empires that used spam to pimp online pharmacy sites. As I was working with the NPR reporter on the story, I was struck by how much spam has decreased over the past couple of years.

Below is a graphic that’s based on spam data collected by Symantec‘s MessageLabs. It shows that global spam volumes fell and spiked fairly regularly, from highs of 6 trillion messages sent per month to just below 1 trillion. I produced this graph based on Symantec’s raw spam data.

gsv07-12

Some of the points on the graph where spam volumes fall precipitously roughly coincide with major disruptive events, such as the disconnection of rogue ISPs McColo Corp. and 3FN, as well as targeted takedowns against major spam botnets, including Bredolab, Rustock and Grum. Obviously, this graph shows a correlation to those events, not a direct causation; there may well have been other events other than those mentioned that caused decreases in junk email volumes worldwide. Nevertheless, it is clear that the closure of the SpamIt affiliate program in the fall of 2010 marked the beginning of a steep and steady decline of spam volumes that persists to this day.

Of course, spam volumes are relative, depending on where you live and which providers you rely on for email and connections to the larger Internet. As I was putting together these charts, I also asked for spam data from Cloudmark, a San Francisco-based email security firm. Their data (shown in the graphs below) paint a very interesting picture of the difference in percentage of email that is spam coming from users of the top three email services: The spam percentages were Yahoo! (22%), Microsoft (11%) and  Google (6%).

WebMailSpamCloudmark

Continue reading →


3
Jan 13

Turkish Registrar Enabled Phishers to Spoof Google

Google and Microsoft today began warning users about active phishing attacks against Google’s online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a Turkish domain registrar.

In a blog post published today, Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain.

“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority,” wrote Adam Langley, a Google software engineer. “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”

Langley said that Google responded by Chrome on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. “TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors.”

Separately, Microsoft has issued an advisory with a bit more detail, saying it is aware of active attacks using one of the fraudulent digital certificates issued by TURKTRUST Inc.

“This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows,” the software giant warned. Continue reading →