Revisiting the Eleonore Exploit Kit

May 24, 2010

Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software. That post generated tremendous public interest because it offered a peek at the statistics page that normally only the criminals operating these kits get to see. I’m revisiting this topic again because I managed to have a look at another live Eleonore exploit pack panel, and the data seem to reinforce a previous observation: Today’s attackers care less about the browser you use and more about whether your third-party browser add-ons and plugins are out-of-date and exploitable.

Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly every one in ten visitors.

As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because of they were running an outdated version of Java.

Continue reading

ReclaimPrivacy.org: Facebook Privacy 101

May 20, 2010

If you’ve been watching the slow motion train wreck that is Facebook.com‘s recent effort to revamp its privacy promises, you may be wondering where to start making sense of the dizzying array of privacy options offered by the world’s largest online social network. Fortunately, developers are starting to release free new tools so that you don’t need to read a statement longer than the U.S. Constitution or earn a masters degree in Facebook privacy in order to get started.

Reclaimprivacy.org hosts an easy-to-use, open source tool that can help Facebook users very quickly determine what types of information they are sharing with the rest of the world. To use it, visit reclaimprivacy.org and drag the “bookmarklet” over into your bookmarks area. Then log in to facebook.com, and browse to your privacy settings page. Then, click the bookmark and it will run a series of Javascript commands that produce a report showing your various privacy settings, and suggest ways to strengthen weaker settings.

Continue reading

Advertisement

Apple Ships Java Security Update

May 20, 2010

Apple has pushed out an update that fixes at least 30 security vulnerabilities in its version of Java for Mac OS X systems.

The patch appears to fix a flaw in Java that Oracle shipped more than a month ago that attackers were using to install malicious software on Microsoft Windows systems.

Updates are available for Mac OS X v10.5.8 and Mac OS X v10.6.3 or later, via Apple Downloads or Software Update. The new release brings Java on the Mac to the current version, Java 6 Update 20.

Fraud Bazaar Carders.cc Hacked

May 18, 2010

Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims.

The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carder.cc forum users.

A third file — which includes what appear to be Internet addresses assigned to the various Carders.cc users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file — which is accompanied by an ASCII art picture of a cat — includes an oblique reference to the party apparently responsible for the Carders.cc site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group.

Continue reading

Following the Money, Part II

May 18, 2010

A leading Russian politician has accused a prominent Moscow businessman of running an international spam and online pharmacy operation while serving as an anti-spam adviser to the Russian government. Russian investigators now say they plan to create a special task force to look into the allegations.

In an open letter to investigators at the Ministry of Internal Affairs (MVD) of the Russian Federation, Ilya V. Ponomarev, a deputy of the Russian State Duma’s Hi-Tech Development Subcommittee, in March called for a criminal inquiry into the activities of one Pavel Vrublevsky, an individual I interviewed last year in an investigative report on rogue security software (a translated PDF version of Ponomarev’s letter is here).

Vrublevsky is founder and general director of ChronoPay, an online payment processor widely accepted in Russia to handle a number of domestic transactions, including payment for Russian airline and lottery tickets. ChronoPay also specializes in handling “high risk” online merchants, such as pharmacy, adult and Internet gaming sites. Last year, The Washington Post published a story I wrote that showed Chronopay was processing payments for a large number of sites pushing rogue anti-virus products, or “scareware.”

According to Ponomarev, Vrublevsky also is known online as “Redeye,” and is the creator of Crutop.nu, a large adult Webmaster forum that the U.S. Federal Trade Commission last year said was a place “where criminals share techniques and strategies with one another,” and a Russian language Web site “that features a variety of discussion forums that focus on making money from spam.”

In his letter to A.V. Anichin, the deputy minister and chief of the Russian MVD Investigations Committee, Ponomarev said the primary analysis of Vrublevsky’s activities shows the extent of the problem which escapes attention of law-enforcement bodies.

“They include trade in pornography on the Internet that contains scenes of cruel violence, real rape, zoophilia, etc. (etu-cash.com, cash.pornocruto.es), unlawful banking business focused on laundering of money generated by a range of criminal activities in order to escape taxes using fethard.biz and acceptance of payments for illegal sale of music files mp3 which violates author’s rights of performers and illegal trade in drug-containing and controlled prescribed drastic preparations via on-line chemistry networks (rx-promotion.com, spampromo.com), and illegal mass spam distribution all over the world, as well as sale of malicious software under the guise of anti-virus software.”

Ponomarev notes that Vrublevsky is a key member of the anti-spam working group of the Ministry of Telecom and Mass Communication. Ponomarev also said that the MVD had instituted a criminal investigation into Vrublevsky in 2007, only to abandon the case when the chief investigator quit and reportedly went to work for Vrublevsky.

“We have here a merger between a criminal element and the government power which is unacceptable and inadmissible in any civilized society,” Ponomarev wrote.

Continue reading

Teach a Man to Phish…

May 17, 2010

Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over  18 months suggests that criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag just a few victims per scam.

Phishers often set up their fraudulent sites using ready-made “phish kits” — collections of HTML, text and images that mimic the content found at major banks and e-commerce sites. Typically, phishers stitch the kits into the fabric of hacked, legitimate sites, which they then outfit with a “backdoor” that allows them to get back into the site at any time.

About a year and a half ago, investigators at Charleston, S.C. based PhishLabs found that one particular backdoor that showed up time and again in phishing attacks referenced an image at a domain name that was about to expire. When that domain finally came up for grabs, PhishLabs registered it, hoping that they could use it to keep tabs on new phishing sites being set up with the same kit.

The trick worked: PhishLabs collected data on visits to the site for roughly 15 months, and tracked some 1,767 Web sites that were hacked and seeded with the phishing kit that tried to pull content from the domain that PhishLabs had scooped up.

PhishLabs  determined that most of the phishing sites were likely set up by a single person — a man in Lagos, Nigeria that PhishLabs estimates was responsible for about 1,100 of the phishing sites the company tracked over the 15 month experiment.

Continue reading

Stolen Laptop Exposes Personal Data on 207,000 Army Reservists

May 13, 2010

A laptop stolen from a government contractor last month contained names, addresses and Social Security numbers of more than 207,000 U.S. Army reservists, Krebsonsecurity.com has learned.

The U.S. Army Reserve Command began alerting affected reservists on May 7 via e-mail. Col. Jonathan Dahms, chief public affairs for the Army Reserve, said the personal data was contained on a CD-Rom in a laptop that was stolen from the Morrow, Ga. offices of Serco Inc., a government contractor based in Reston, Va.

The laptop was one of three stolen from the Serco offices, but it was the only one that contained sensitive personal information, Dahms said.

Serco held the data on reservists as part of its contract with the U.S. Army’s Family and Morale, Welfare and Recreation division. As a result, Dahms said, some of the data on the missing laptop may belong to dependents and spouses of U.S. Army reservists.

Continue reading

Phished Brands Seize on Teachable Moments

May 12, 2010

Not long ago, most companies whose brands were being abused in phishing scams focused their efforts mainly on shuttering the counterfeit sites as quickly as possible. These days, an increasing number of phished brands are not only disabling the sites, but also seizing on the opportunity to teach would-be victims how to spot future scams.

Instead of simply dismantling a phishing site and leaving the potential phishing victims with a “Site not found” error, some frequent targets of phishing sites are setting up redirects to phishing education pages.

For the past 20 months, Jason Hong, assistant professor of computer science at Carnegie Mellon University‘s Human Computer Interaction Institute, has been measuring referrals from phishing sites to an education page set up by the Anti-Phishing Working Group (APWG), an industry consortium. Hong said the site now receives close to 25,000 referrals per month from phishing sites that brand owners have modified.

The redirect process works like this: The brand owner or company whose customers are targeted by the phishing site verifies it as a scam site, and then the site’s ISP, hosting provider or domain registrar will redirect the phishing site to the APWG education page.

Continue reading

Microsoft, Adobe Push Critical Security Updates

May 12, 2010

Microsoft Corp. and Adobe Systems each released security updates on Tuesday. Microsoft issued two “critical” patches that address one security flaw apiece, while Adobe’s patches fix a whole mess of serious vulnerabilities in its software.

One of the critical updates pushed by Microsoft fixes a flaw in Outlook Express, Windows Mail and Windows Live Mail. On older versions of Windows (Windows XP for example) Outlook Express is installed by default, while Windows Mail and Windows Live Mail generally require users to affirmatively download and install the program.

The other MS patch addresses a vulnerability in Microsoft Office, but the problem may turn out to be more complex down the road for some users. The trouble is that the vulnerable component, Microsoft Visual Basic for Applications is used not only by Microsoft Office products, but it’s also a component that is potentially installed by many third-party software apps built to work with Windows.

Continue reading

FBI Promises Action Against Money Mules

May 11, 2010

The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.

Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetrate crimes.

“We want to make sure that public understands this is illegal activity and one of the best ways we can think of to give that message is to have some prosecutions,” Carney said at a Federal Deposit Insurance Corporation (FDIC) symposium in Arlington, Va. today on combating commercial payments fraud. “We realize it’s not going to make the problem go away, but it should help raise awareness and send a signal.”

Continue reading