Criminals have co-opted a column I wrote last week about ZeuS Trojan attacks targeted at government and military systems: Scam artists are now spamming out messages that include the first few paragraphs of that story in a bid to trick recipients into downloading the very same Trojan, disguised as a Microsoft security update.
Hat tip to security firm Sophos for spotting this vaguely elliptical attack. It is sometimes said tongue-in-cheek that plagiarism is the sincerest form of flattery, but I wish these crooks would find some other way of expressing their admiration.
The thing is, these sorts of copycat scams also serve as a sort of token reputation attack, a sly dig that is often aimed at security researchers. For example, Jeffrey Carr, the author of the recent book Inside Cyber Warfare and a frequent publisher of information on the sources of large scale cyber assaults, told me that a similar spam campaign a few days ago that mimicked the targeted .mil and .gov Zeus attacks was made to look like it came from his e-mail address. Carr said the campaign that abused his name probably was in response to his recent blog post about the .mil and .gov attacks.
There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.
Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.
Adobe Systems Inc. today released an updated version of its Flash Player software to fix two critical security holes in the ubiquitous Web browser plugin. Adobe also issued a security update for its Air software, a central component of several widely-used Web applications, such as Tweetdeck.
The Flash update brings the newest, patched version of Flash to v. 10.0.45.2, and applies to all supported platforms, including Windows, Mac and Linux installations. Visit this link to find out what version of Flash you have. The latest update is available from this link.
If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit. Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond.
The problem seems to be affecting only some XP systems. This thread on a Microsoft.com answers forum seems to include a fix that works. However, the fix requires users to have their XP install CD handy (in a practice that should be outlawed, many computer makers get away with shipping systems without an install/reinstall disc).
According to the support forum threads I’ve seen on this, affected users noticed the problem on the reboot following the installation of Tuesday’s patch batch. The folks who complained of the bootup problem said the BSOD error page is accompanied by the message “PAGE_FAULT_IN_NONPAGED_AREA”.
If you’re experiencing the above-described problems after installing Tuesday’s bundle of updates, follow these steps, which a number of affected users have said seem to fix the problem:
Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.
Five of the 13 update bundles Redmond issued today earned a rating of “critical,” meaning Microsoft considers these flaws so serious that attackers could exploit them to seize control over vulnerable systems just by getting users to visit a hacked or malicious Web site.
A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.
Experi-Metal sells metal stampings, trim moldings and specialty items.
The lawsuit, filed by Experi-Metal Inc. (EMI), in Sterling Heights, Mich., charges that Dallas-based Comerica Bank effectively groomed its customers to become phishing victims by routinely sending them e-mail messages that asked recipients to click a link to update the bank’s security technology. The company also alleges that Comerica’s security protections for customers are not commercially reasonable, because the phishing scam routed around the bank’s 2-factor authentication system.
According to a complaint EMI filed in December with a Michigan circuit court, for many years Comerica used “digital certificates” for authenticating online banking customers. Digital certificates are the browser-based counterparts to ATM cards, and many banks require customers to include the bank’s cryptographically signed digital certificate in their browser before the bank’s online system will allow users access.
Once a year from 2000 to 2008, Comerica sent emails to EMI and other customers directing them to click on a link in the email, and then log in at the resulting Web site in order to renew the digital certificate that Comerica required.
Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.
According to one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.
Hackers broke into computer systems at a Massachusetts chapter of the United Way last month and attempted to make off with more than $150,000 from one of the nation’s largest charities.
Patricia Latimore, chief financial officer at the United Way of Massachusetts Bay and Merrimac Valley, said unknown attackers tried to initiate a number of bogus financial transfers out of the organization’s bank account, but that the United Way was able to work with its bank to block or reverse the unauthorized transfers.
“We were able to pretty much capture things as they were happening,” Latimore said. “Fortunately, we saw it on the day that it occurred.”
The intruders attempted to send more than $110,000 in unauthorized payroll transfers to at least a dozen individuals across the United States who had no prior business with the United Way chapter. At least one large wire transfer was attempted, for nearly $40,000, to a 32-year-old man in New York.
This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.
If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):
Easily the most-viewed post at krebsonsecurity.com so far has been the entry on a cleverly disguised ATM skimmer found attached to a Citibank ATM in California in late December. Last week, I had a chance to chat with Rick Doten, chief scientist at Lockheed Martin‘s Center for Cyber Security Innovation. Doten has built an impressive slide deck on ATM fraud attacks, and pictured below are some of the more interesting images he uses in his presentations.
According to Doten, the U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day. Card skimming, where the fraudster affixes a bogus card reader on top of the real reader, accounts for more than 80 percent of ATM fraud, Doten said.
An ATM skimmer that fits over the card insert slot
An ATM skimmer panel that fits directly on top of the real ATM
Image at left shows a PIN capture device overlay. The image on the right shows the actual card skimmer attached (right edge)
A closeup of the ATM card skimmer removed from the face of the ATM
Some ATMs are in building lobbies that require visitors to swipe their ATM card at the door. This device was found attached to the reader at a lobby entry. This ATM door skimmer was originally flush with the device. The skimmer and the real reader have been pulled away from the face to better show the two devices.
ATM PIN capture overlay device pulled back to reveal the legitimate PIN entry pad.
A brochure rack was outfitted with a spy camera to record PINs in conjunction with a skimmer.
By the end of 2004, 70 percent of all new ATMs shipped worldwide were Windows-based, according to Lockheed’s Rick Doten
A Diebold spokesperson estimates that 90 percent of Diebold’s global shipments are now Windows-based ATMs — Rick Doten
Have you seen:
Would You Have Spotted This ATM Fraud? … The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.