Fraud Fighter ‘Bobbear’ to Hang Up His Cape

April 17, 2010
10 Comments

The owner and curator of bobbear.co.uk, a site that specializes in exposing Internet scams and phantom online companies, announced Saturday that he will be shuttering the site at the end of April.

Bobbear and its companion site bobbear.com, are creations of Bob Harrison, a 66-year-old U.K. resident who for the last four years has tirelessly chronicled and exposed a myriad of fraud and scam Web sites. The sites, which are well-indexed by Google and other search engines and receive about 2,000 hits per day, often are among the first results returned in a search for the names of fly-by-night corporations advertised in spam and aimed at swindling the unsuspecting or duping the unwitting.

Indeed, bobbear.co.uk has been extremely valuable resource to krebsonsecurity.com, which has used it to track the constant stream of new fraudulent corporations used to recruit so-called money mules, people lured into helping organized criminals launder money stolen through online banking theft.

In an interview with krebsonsecurity, Harrison said he’s been considering this move for some time now, and finally decided to quit the site for health and quality-of-life reasons.

“The wife says I spend about 15 hours a day on it, although it may not be quite that much,” joked the pseudonymous Harrison, speaking via phone from his home near Kent, about 50 miles outside of London. “Things are quite hard and health isn’t that good, so the time has come.”

An example of a money mule recruitment site exposed by bobbear.co.uk

Continue reading

iPack Exploit Kit Bites Windows Users

April 16, 2010
14 Comments

Not long ago, there were only a handful of serious so-called “exploit packs,” crimeware packages that make it easy for hackers to booby-trap Web sites with code that installs malicious software.

These days, however, it seems like we’re hearing about a new custom exploit kit every week. Part of the reason for this may be that more enterprising hackers are seeing the moneymaking potential of these offerings, which range from a few hundred dollars per kit to upwards of $10,000 per installation — depending on the features and plugins requested.

Take, for example, the iPack crimeware kit, an exploit pack that starts at around $500.

Continue reading

Advertisement

Java Patch Targets Latest Attacks

April 15, 2010
14 Comments

Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

Continue reading

Unpatched Java Exploit Spotted In-the-Wild

April 14, 2010
33 Comments

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site.  Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.

As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:

spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com

According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).

It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.

Continue reading

Immunet: A Second Opinion Worth a Second Look

April 14, 2010
33 Comments

Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC.

But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.

Users can run Immunet alone, and many do: The program scans files using two types of threat profiles: specific definitions or fingerprints of known threats, and generic signatures that are more akin to looking for a specific malware modus operandi.

But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virus products that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware.

I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and have haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in-the-cloud,” – that is, not on the user’s system. Immunet currently has about 133,000 active users, and that number changes constantly: Each time you reboot a system with it installed, chances are you will see a different – usually higher – number of users in the community.

I spoke recently with Immunet’s vice president of engineering, Alfred Huger, a former VP at Symantec Corp., and Adam O’Donnell, director of cloud engineering for the startup. That conversation — excerpts of which are included below — provides interesting insights into how the anti-virus industry operates, how consumers interact with these products, and how Immunet hopes to differentiate itself in already crowded field.

Continue reading

Adobe, Microsoft Push Security Upgrades

April 13, 2010
20 Comments

Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.

Continue reading

TrendMicro Toolbar + Long URL = Fail

April 12, 2010
24 Comments

Many anti-virus products — particularly the “Internet security suite” variety — now ship with various Web browser toolbars, plug-ins and add-ons designed to help protect the customer’s personal information and to detect malicious Web sites. Unfortunately, if designed poorly, these browser extras can actually lower the security posture of the user’s system by introducing safety and stability issues.

The last time I caught up with security researcher Alex Holden, he was showing me a nifty way to crash IE6 and prevent the user from easily reopening the badly outdated and insecure browser version ever again. Just the other day, Holden asked me to verify a crash he’d found that affects users who have Trend Micro Internet Security installed, which installs a security toolbar in both Internet Explorer and Mozilla-based browsers on Microsoft Windows.

The video here was made on a virgin install of Windows XP SP3, with the latest Firefox build and a brand new copy of Trend Micro Internet Security. Paste a really long URL into the address bar with the Trend toolbar enabled, and Firefox crashes every time. Do the same with the toolbar disabled, and the browser lets the Web site at whatever domain name you put in front of the garbage characters handle the bogus request as it should. This isn’t limited to Firefox: The same long URL crashes IE8 with the Trend toolbar enabled, although for some strange reason it fails to crash IE6. I didn’t attempt to test it against IE7.

Continue reading

Hundreds of WordPress Blogs Hit by ‘Networkads.net’ Hack

April 9, 2010
33 Comments

A large number of bloggers using WordPress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software.

According to multiple postings on the WordPress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address — “networkads.net/grep” — directly into the target site’s database, so that any attempts to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the WordPress interface.

It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.

Network Solutions spokeswoman Susan Wade said the company is investigating the attacks, and that the company believes the problem may be related to a rogue WordPress plugin. Wade added that the attacks weren’t limited to just Network Solutions customers (although the company hasn’t supplied the author with any evidence to support that claim yet).

Continue reading

ISP Privacy Proposal Draws Fire

April 7, 2010
34 Comments

A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software.

The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses – later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers.

The idea has support from several ISPs that claim the current policy forces ISPs to effectively publish their customer lists.

“I operate in a very competitive business, and there are instances where I can show that my competitors have gone out and harvested customers’ contact information and used that to try to take those customers away,” said Aaron Wendel, chief technical officer at Kansas City based Wholesale Internet Inc., and the author of the proposal. “I have yet to find another private industry that is not government-related that requires you to make your customer lists publicly available on the Internet.”

Critics of the plan say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.

Continue reading

Computer Crooks Steal $100,000 from Ill. Town

April 6, 2010
32 Comments

A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town’s online bank account, making off with nearly $100,000.

“As little as we are, $100,000 represents a good chunk of money, and it hurts,” said Judy Rivera, the town’s administrator. “We were already on a very lean budget, because the tax money just isn’t coming in.”

Summit is just the latest in a string of towns, cities, counties and municipalities across America that have seen their coffers cleaned out by organized thieves who specialize in looting online bank accounts. Recently, crooks stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; $415,000 from a Kentucky county (this is far from a comprehensive list).

Continue reading