Nearly 160,000 computers have been infected by MPack, according to PandaLabs - Publi-News
An exploit detected by NanoScan (http://www.pandasoftware.fr/infectedornot/), Panda Software's online scanner, put PandaLabs on the trail of MPack. This program is used to download malware onto remote computers by exploiting several vulnerabilities. MPack has already been used on several occasions. PandaLabs obtained access to several versions, one of which was used to infect 160,000 computers.
These figures come from the statistics module included in the application. It lets the cyber-criminals see how many computers have been infected and view data on the attacked computers, grouped by operating system or by browser. They also have statistics on how effective the infections were by geographic region.

MPack is sold on online forums for around $700. Its creators offer a year of free support with each version. "MPack offers the same kinds of services as legitimate programs, for example updates. MPack updates are new versions of the application containing new exploits to take advantage of the latest vulnerabilities discovered. A new update is available roughly every month and costs between $50 and $150," explains Luis Corrons, technical director of PandaLabs.

For $300, customers can obtain DreamDownloader as an add-on. This second tool is used to create "Downloader"-type Trojans (which download other malware). DreamDownloader works as follows: the attacker gives DreamDownloader the address where the malware (a Trojan, a worm, a malware update, etc.) is hosted, and the utility automatically generates an executable that downloads it.

"These two tools are complementary. The first infects computers with the malware of one's choice. The second creates the malware, designed to download other malicious code," adds Luis Corrons.
MPack attacks
MPack infects computers discreetly. The cyber-criminals use various techniques to get users to run the malicious code. In the case of Web servers, the attackers typically add to the pages an iframe tag (invisible to the user) that loads the page on which MPack is installed.
They sometimes use the same compromised site to host MPack or other malware. The cyber-criminals host the malware on third-party servers so that their tracks cannot be traced.
Another infection technique is to insert frequently searched keywords into Web pages. That way, once the pages are indexed by search engines, users searching for those keywords can land on the page containing MPack and become infected.
Another technique is to buy domains with names close to those of well-known websites, for example "gookle", in reference to the well-known Google Internet browser. Users who mistype a single character when entering the browser's name can thus become infected.
Finally, spam is another means used by the attackers. The spam messages contain a link and use social-engineering techniques to entice users to click on it.
Once it reaches the computer, the exploit runs and collects data about the infected computer: browser, operating system, etc. This information is then sent to a server where it is stored.
PandaLabs has published a full study of MPack (in English), available at http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf.
Panda Software makes its free online scanners, the NanoScan beta and TotalScan, available at http://www.pandasoftware.fr/infectedornot/ to users who wish to check whether their computer has been infected by these threats or by other malicious code.
Since 1990, PandaLabs' mission has been to analyse new threats as quickly as possible to ensure complete security for our customers. Several teams, each specialised in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, rootkits, etc.), work 24 hours a day, 7 days a week to provide the greatest possible protection. To do so, they rely on TruPrevent™ Technologies, a genuinely global early-warning system based on strategically distributed sensors that neutralise new threats and send them to PandaLabs for analysis as early as possible. According to AvTest.org, PandaLabs is the virus laboratory that delivers complete updates in the shortest time. More information at www.pandasoftware.com/pandalabs and on the PandaLabs blog:
http://blogs.pandasoftware.com/blogs/pandalabs/.
Wednesday 30 May 2007
Tuesday 29 May 2007
Software to foil fraudsters
Among all the security risks on the internet is password theft.
Key Scrambler is a Firefox extension that kicks in when you are on a page that requires authentication (to a bank account, for example).
Each character typed is encrypted between the keyboard and the browser. In English, "scramble" means "brouiller".
There is a free version and a pro version ($25).
Monday 28 May 2007
Phishers Use Call Forwarding to Mask Fraud
A phishing attack uncovered by SecureWorks tries to entice victims into forwarding their telephone calls in order to thwart out-of-band authentication by banks.
Researchers at SecureWorks have uncovered a new type of phishing attack that tries to trick victims into forwarding their telephone calls to the attacker to thwart attempts by a bank to detect fraud.
The attack, found by the Atlanta-based security vendor this week, begins with an e-mail sent from the phisher telling the potential victim their bank needs to verify their phone number immediately, and their account will be suspended if they do not confirm the number. The victim is told to confirm their number by dialing *72 and then another number, effectively forwarding their calls to the phisher's telephone.
After going through this process, the victim is asked in the e-mail to update their personal information, such as bank account and Social Security numbers. If the victim's bank calls to question an unusual transaction while the calls are being forwarded, the phisher need only confirm the illegal transaction is legitimate, SecureWorks researcher Don Jackson wrote on the company's Web site.
In an interview with eWeek, Jackson said these types of attacks are currently not widespread, but may become so in the future as more banks use out-of-band authentication - such as telephone calls - to check the validity of suspicious transactions.
He cautioned against trusting e-mails that request the recipient give up personal information.
"If they are asking you to do something, you should call your financial institution," Jackson said.
Wednesday 23 May 2007
Michigan Man Charged for Using Free WiFi
May 22, 2007 5:45 PM PDT
Michigan man dodges prison in theft of Wi-Fi
Posted by Steven Musil
A Michigan man who used a coffee shop's unsecured Wi-Fi to check his e-mail from his car could have faced up to five years in prison, according to local TV station WOOD. But it seems few in the village of Sparta, Mich., were aware that using an unsecured Wi-Fi connection without the owner's permission--a practice known as piggybacking--was a felony.
Each day around lunch time, Sam Peterson would drive to the Union Street Cafe, park his car and--without actually entering the coffee shop--check his e-mail and surf the Net. His ritual raised the suspicions of Police Chief Andrew Milanowski, who approached him and asked what he was doing. Peterson, probably not realizing that his actions constituted a crime, freely admitted what he was doing.
"I knew that the Union Street had Wi-Fi. I just went down and checked my e-mail and didn't see a problem with that," Peterson told a WOOD reporter.
Milanowski didn't immediately cite or arrest Peterson, mostly because he wasn't certain a crime had been committed. "I had a feeling a law was being broken," the chief said. Milanowski did some research and found Michigan's "Fraudulent access to computers, computer systems, and computer networks" law, a felony punishable by five years in prison and a $10,000 fine.
Milanowski, who eventually swore out a warrant for Peterson, doesn't believe Milanowski knew he was breaking the law. "In my opinion, probably not. Most people probably don't."
Indeed, neither did Donna May, the owner of the Union Street Cafe. "I didn't know it was really illegal, either," she told the TV station. "If he would have come in (to the coffee shop), it would have been fine."
But apparently prosecutors were more than aware of the 1979 law, which was revised in 2000 to include protections for Wi-Fi networks.
"This is the first time that we've actually charged it," Kent County Assistant Prosecutor Lynn Hopkins said, adding that "we'd been hoping to dodge this bullet for a while."
However, Peterson won't be going to prison for piggybacking. Because he has no prior record, Peterson will have to pay a $400 fine, do 40 hours of community service and enroll in the county's diversion program.
Tuesday 22 May 2007
Telegraph website targeted in mystery attack by hackers
The Daily Telegraph website has been the victim of a mysterious and destructive attack by hackers that has blocked access to the site over the last 24 hours.
The paper confirmed that its site had been the victim of a 'distributed denial of service attack' (DDoS), and that many readers had not been able to log on since yesterday morning.
A third party team of experts was still working to return systems to normal, following what the paper described as "an act of vandalism".
"With these things it's always difficult to know what might be behind it," a Telegraph spokeswoman said.
The paper had not received any threats demanding that particular stories be removed, the spokeswoman said, but a "revenge attack" was one of the possible explanations cited by security experts.
"The nature of these attacks is that they come from multiple sources," the paper's digital editor, Edward Roussel, told mediaguardian.co.uk.
"We have had them in the past but they have never succeeded in toppling the website. This particular one was stronger than anything we have experienced," Mr Roussel said.
A "denial of service" attack occurs when hundreds of thousands of computers are directed to log onto a particular site simultaneously, causing it to crash under the weight of requests.
The computers' owners are usually unaware they are participating in the attack, their machines having been co-opted by an e-mail or internet-based worm sent via a network known as a 'botnet'.
"Newspaper sites are often the target of politically motivated attacks," William Beer, a director of security practice at Symantec, said.
"In Italy a law was passed recently in relation to peer to peer software, and we saw a lot of internet-based threats directed at newspapers that were favourable to the new regulation," he said.
Paul Vlissidis, an expert at NCC, another security firm, said that there were ways of guarding against DDoS attacks, for instance by installing a router which sits 'in front of' a website and monitors incoming traffic.
If the router senses a pattern in attempted visits, for instance that the volume is unusually large for a certain time, the requests can be directed elsewhere - "down a kind of cyber black hole," Mr Vlissidis said.
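The volume check Mr Vlissidis describes, flagging seconds in which request volume is far above the site's normal rate, can be prototyped on the web server's own access log before any traffic is diverted. The following script is an added example, not code from NCC or the Telegraph: it parses Common Log Format lines, counts requests and distinct source addresses per second, and reports every second whose count exceeds a multiple of the baseline measured over the first few seconds. The log excerpt, the addresses in it, the baseline window and the factor are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access log (Common Log Format), not from any real server. The
# first three seconds carry normal traffic from a few readers; the last two
# seconds show a sudden flood from many distinct addresses.
SAMPLE_LOG = (
    '203.0.113.5 - - [22/May/2007:09:00:00 +0100] "GET / HTTP/1.1" 200 5120\n'
    '203.0.113.9 - - [22/May/2007:09:00:00 +0100] "GET /news HTTP/1.1" 200 8801\n'
    '203.0.113.7 - - [22/May/2007:09:00:01 +0100] "GET / HTTP/1.1" 200 5120\n'
    '203.0.113.5 - - [22/May/2007:09:00:02 +0100] "GET /sport HTTP/1.1" 200 7730\n'
    '203.0.113.9 - - [22/May/2007:09:00:02 +0100] "GET / HTTP/1.1" 200 5120\n'
    + "".join(f'198.51.100.{i} - - [22/May/2007:09:00:03 +0100] "GET / HTTP/1.1" 200 5120\n'
              for i in range(1, 41))
    + "".join(f'198.51.100.{i} - - [22/May/2007:09:00:04 +0100] "GET / HTTP/1.1" 200 5120\n'
              for i in range(1, 61))
)

# source address, two ignored fields, then the bracketed timestamp
LOG_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")


def parse_log(text):
    """Yield (source_ip, timestamp) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts


def requests_per_second(text):
    """Return (Counter of requests per second, dict of distinct sources per second)."""
    counts = Counter()
    sources = defaultdict(set)
    for ip, ts in parse_log(text):
        counts[ts] += 1
        sources[ts].add(ip)
    return counts, sources


def flood_seconds(text, baseline_seconds=3, factor=5):
    """Flag every second whose request count exceeds `factor` times the mean
    rate of the first `baseline_seconds` seconds in the log.

    Returns a list of (hh:mm:ss, requests, distinct_sources) for flagged seconds;
    a high distinct-source count alongside the spike is what distinguishes a
    distributed attack from a single misbehaving client."""
    counts, sources = requests_per_second(text)
    secs = sorted(counts)
    base = secs[:baseline_seconds]
    if not base:
        return []
    threshold = factor * sum(counts[s] for s in base) / len(base)
    return [(s.strftime("%H:%M:%S"), counts[s], len(sources[s]))
            for s in secs[baseline_seconds:] if counts[s] > threshold]


if __name__ == "__main__":
    for when, n, srcs in flood_seconds(SAMPLE_LOG):
        print(f"{when}: {n} requests from {srcs} distinct sources, above baseline")
```

In production the baseline would come from a longer history rather than the first seconds of a file, and the action on a flagged window (rate-limiting, null-routing, or handing the traffic to a scrubbing provider) would be taken by the device in front of the site; the script only makes the detection decision visible.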
The attack comes less than a week after Estonia accused Russia of being behind a similar attempt to bring down various of its central websites and paralyse its infrastructure.
Estonian officials said that they had traced the internet protocol (IP) addresses responsible for the attacks to Russian authorities, prompting allegations that Russia had declared 'cyber-war' against its Baltic neighbour.
Last year a Department of Trade and Industry report found that more than 50 per cent of businesses had suffered "a premeditated and malicious" security incident in the past twelve months.
For large businesses, the average cost of the worst such incident was as much as 130,000, the report said.
Tide of denial
In February hackers, possibly based in South Korea, attempted to bring down at least three of the 13 computers which help manage global internet traffic, including one operated by the US Department of Defence (DoD). A DoD official was quoted at the time as saying: "We have to be able to respond (to this type of threat)."
Last year three Russian citizens were sentenced to eight years each for extorting money from several British gambling websites. The trio were accused of receiving $4 million from sites they threatened with DDoS attacks, and when one site refused to pay a demand for $10,000, it was targeted and brought down, reportedly costing it $200,000 a day.
In 2004 several bookmakers, including Paddy Power and Blue Square, were subject to DDoS attacks at the time of the Cheltenham horse races. Extortionists contacted Blue Square, ordering that it pay 7,000 in order that the attack be stopped.
The security firm Symantec last year estimated that the number of DDoS attacks has risen by 51 per cent since 2005, and detected an average of 1,402 attacks a day.
Symantec Updates Cause Chaos in China
A signature update to Symantec Corp.'s antivirus software crippled thousands of Chinese PCs Friday when the security software mistook two critical Windows .dll files for malware.
According to numerous blog entries from Chinese computer users, a virus-signature database seeded yesterday mistook two system files of a Chinese edition of Windows XP Service Pack 2 as a Trojan horse that Symantec dubbed "Backdoor.Haxdoor." The antivirus software -- Norton AntiVirus, for example, or the antivirus component of the Norton 360 or Norton Internet Security suites -- then quarantined the netapi32.dll and lsasrv.dll files.
"With these files removed, Windows XP will no longer start up, and even the system Safe Mode no longer functions," said one user writing to the Alt.comp.anti-virus newsgroup this morning.
Late Friday, China time, the Chinese Internet Security Response Team (CISRT) posted an alert on its English-language blog. "It's a terrible day for lots of Chinese users (especially Enterprise Users) who use Norton products today," CISRT said. Other reports claimed that more than 7,000 users had already contacted Rising Antivirus International Pty, asking for help on how they could recover their PCs. On the Chinese security company's home page, its threat gauge was rated at red late Friday, the highest ranking this year.
In an e-mailed statement, Symantec acknowledged the signature update bug and said it re-released a new update late Thursday, U.S. time.
The Cupertino, Calif.-based security vendor also said that only Simplified Chinese versions of Windows XP SP2 that have been patched with a Microsoft Corp. fix from November 2006 were affected.
If the PC hasn't been rebooted, users can grab the revised signature update to fix the problem, said Symantec. But if Windows was restarted after the flawed update, the user will have a much harder row to hoe. Because the bad signature update removed the two .dll files, Windows won't boot -- it ends in a so-called blue screen of death, said CISRT -- and so there's no way to retrieve the new signature or to restore from a backup.
"Customers impacted by this issue following reboot of an affected system can return their system(s) to the previous state through use of the Windows recovery console," Symantec said. XP's recovery console is a command-line-driven tool that gives limited access to the PC and its hard drive. Users writing on online forums recommended that users copy the two .dll files from their Windows restore CD to the hard drive.
A likely snafu in that scenario, however, is that many Chinese users don't have a restore CD because they're running pirated copies of Windows.
"Norton this time has made a very serious mistake," the Chinese-language Sogou news site said [translation by Babelfish -- eds.].
"All the main news channel in China has reported this since 6 in the morning ECT +8, but symantec keeps silence," someone identified as "Ink" said on the Wilders Security Forum.
Other antivirus companies have gone through similar fiascos. In March, users blamed Microsoft's Windows Live OneCare for deleting Outlook e-mail files, although the company denied that the security service was at fault. More than two years ago, Trend Micro Inc. distributed a flawed virus-definition file that slowed thousands of PCs to a crawl. Three months later, the antivirus vendor said that the incident had run up $8.2 million in direct costs to the company.
MS Word exploit generator circulating?
Managed security services firm MessageLabs is reporting a surge in targeted malware attacks against a known Microsoft Word code-execution vulnerability, suggesting that an exploit generator kit may be circulating online.
In its monthly threat intelligence report, MessageLabs said Microsoft Word was the most common exploit vector in April 2007, with a noticeable spike in attacks using Word documents that contain the SmartTag bug patched with Microsoft's MS07-027 bulletin.
From the report:
"These attacks increased dramatically since March 2007 from four attacks going to four single recipients to 66 attacks going to 273 recipients in April."
“On first sight, it appears that more than one hacker ring is using this Microsoft Word exploit, and so an exploit generator kit might exist, although this has not yet been found,” said Alex Shipp, senior anti-virus technologist at MessageLabs.
The report said a Taiwanese crime ring called “Task Briefing” continued its use of Microsoft Office exploits during April, launching spear-phishing attacks with PowerPoint documents embedded in e-mails.
"The ring made six attacks this month, sending 61 emails accounting for 10 percent of all targeted e-mails in April, the longest of which lasted 45 hours. In March, the same gang sent 151 emails accounting for more than 20 percent of targeted attacks."
MessageLabs said it also intercepted one additional attack using the same PowerPoint exploit (patched with MS07-028) but originating from an IP address in China. This second attack was targeting 14 Japanese e-mail addresses, suggesting that there may be a second criminal ring in operation.
During April 2007, MessageLabs said it intercepted 595 e-mails in 249 separate targeted attacks aimed at 192 different organizations. Of these, 180 were one-on-one targeted attacks aimed at a specific organization.
MessageLabs did not identify any of the targets but it is well-known that some of these MS Office zero-days are being aimed at U.S. government agencies. A spate of PowerPoint attacks last year was also linked to corporate espionage.
Overall, the April numbers show a slight drop in targeted attacks compared to the previous month. In March, MessageLabs stopped 716 e-mails in 249 targeted attacks against 263 different domains. These domains belonged to 216 different organizations.
The company said 84% of the attacks used Microsoft Office exploits (PowerPoint and Word).
"The majority of attacks still comprise one e-mail to one individual, but the number of attacks has risen since last year when it was just 1 or 2 per day. Utilizing several exploits in a single malicious file, a typical attack will download a further component from a website under the control of the attackers that will give them remote access to the compromised computer, including access to confidential and potentially sensitive intellectual property."
Managed security services firm MessageLabs is reporting a surge in targeted malware attacks against a known Microsoft Word code-execution vulnerability, suggesting that an exploit generator kit may be circulating online.
In its monthly threat intelligence report, MessageLabs said Microsoft Word was the most common exploit vector in April 2007 with a noticeable spike in attacks using Word documents that contain the SmartTag bug patched with Microsoft’s MS07-027 bulletin.
From the report:
"These attacks increased dramatically since March 2007 from four attacks going to four single recipients to 66 attacks going to 273 recipients in April."
“On first sight, it appears that more than one hacker ring is using this Microsoft Word exploit, and so an exploit generator kit might exist, although this has not yet been found,” said Alex Shipp, senior anti-virus technologist at MessageLabs.
The report said a Taiwanese crime ring called “Task Briefing” continued its use of Microsoft Office exploits during April, launching spear-phishing attacks with PowerPoint documents embedded in e-mails.
"The ring made six attacks this month, sending 61 emails accounting for 10 percent of all targeted e-mails in April, the longest of which lasted 45 hours. In March, the same gang sent 151 emails accounting for more than 20 percent of targeted attacks."
MessageLabs said it also intercepted one additional attack using the same PowerPoint exploit (patched with MS07-028) but originating from an IP address in China. This second attack was targeting 14 Japanese e-mail addresses, suggesting that there may be a second criminal ring in operation.
During April 2007, MessageLabs said it intercepted 595 e-mails in 249 separate targeted attacks aimed at 192 different organizations. Of these, 180 were one-on-one targeted attacks aimed at a specific organization.
MessageLabs did not identify any of the targets but it is well-known that some of these MS Office zero-days are being aimed at U.S. government agencies. A spate of PowerPoint attacks last year was also linked to corporate espionage.
Overall, the April numbers show a slight drop in targeted attacks compared to the previous month. In March, MessageLabs stopped 716 e-mails in 249 targeted attacks against 263 different domains. These domains belonged to 216 different organizations.
The company said 84% of the attacks used Microsoft Office exploits (PowerPoint and Word).
"The majority of attacks still comprise one e-mail to one individual, but the number of attacks has risen since last year when it was just 1 or 2 per day. Utilizing several exploits in a single malicious file, a typical attack will download a further component from a website under the control of the attackers that will give them remote access to the compromised computer, including access to confidential and potentially sensitive intellectual property."
Software pirate to pay $205,000 fine for illegal eBay sales
May 22, 2007 (Computerworld) -- A software pirate who sold illegal copies of Symantec Corp. software on the online auction site eBay Inc. has agreed to pay a $205,000 fine.
In an announcement today, the Software & Information Industry Association (SIIA) trade group, which filed suit in the case on behalf of Symantec -- a SIIA member -- said the defendant has also agreed to assist authorities in identifying the parties who actually made and distributed the illegal software that was sold.
Keith Kupferschmid, senior vice president of intellectual property for the Washington-based SIIA, said the name and location of the defendant is being kept secret under the terms of the settlement.
"We give a certain level of confidentiality in order for us to get additional information," Kupferschmid said. The lawsuit, Symantec et al. v. Chan (a pseudonym) et al., was one of several civil cases brought by the SIIA. Several cases are still pending, as are several criminal cases being brought by the FBI, he said.
The case was originally filed in U.S. District Court in the Central District of California as part of the SIIA's Auction Litigation Program, which was started to monitor online auction sites for illegal software sales and file related lawsuits on behalf of member vendors.
Some 90% of the software sold on auction sites such as eBay is counterfeit, according to studies, Kupferschmid said.
The $205,000 settlement is in excess of the amount the unnamed software pirate made through the sales of the software.
In the lawsuit, the SIIA charged the defendant with infringing on Symantec's copyrights and trademarks in such titles as Norton PartitionMagic, Norton AntiVirus, pcAnywhere and Norton SystemWorks, as well as illegally reselling OEM, unbundled and counterfeit software.
The SIIA says it represents more than 800 members, including software and information companies.
Monday 14 May 2007
FSA fines BNP Paribas £350,000 for anti-fraud failures
http://finextra.com/fullstory.asp?id=16914
French investment bank BNP Paribas has been fined £350,000 by the UK's Financial Services Authority for systems and control failures at its London-based private banking unit that allowed a senior manager to steal £1.4 million from client accounts.
The employee, who worked at BNP Paribas Private Bank, managed to transfer the cash haul out of client accounts in 13 separate fraudulent transactions between February 2002 and March 2005 using forged signatures and instructions and by falsifying change of address documents.
During its investigation, the FSA found that a flaw in the bank's IT system allowed the senior employee to by-pass normal middle office processes, which meant that basic authorisation and signatory checks were not carried out on internal cash transfers between different customer accounts.
Furthermore, BNPP Private Bank did not have an effective review process for transactions over £10,000 from clients' accounts. The regulator also found that the bank's procedures were not clear about the role of senior management in checking significant transfers prior to payment.
Margaret Cole, FSA director of enforcement, comments: "BNPP Private Bank's failures exposed clients' accounts to the risk of fraud. This is unacceptable particularly with the overall increase in awareness around fraud and client money risks. Senior management must make sure their firms have robust systems and controls to reduce the risk of them being used to commit financial crime."
The bank also failed to improve its procedures for monitoring large transactions or carry out remedial action on a timely basis, says the FSA, despite being aware that some procedures required improvement as a result of an examination of its anti-money laundering systems and controls in August 2002.
The FSA says this is the first time a private bank has been fined for weaknesses in anti-fraud systems but warns that it is "raising its game" against firms with lax controls.
"This is a warning to other firms that we are raising our game in this area and expect them to follow suit. We will not hesitate to take action against any firm found wanting," says Cole.
Thursday 10 May 2007
France gets a national spam trap
http://www.01net.com/article/348505.html
Grouped together in the Signal Spam association, public authorities and professional organisations from the Internet world are launching a free anti-spam platform.
Karine Solovieff, 01net, 10/05/2007 at 19:11
With Signal-spam.fr, French Internet users have had, since this Thursday 10 May, a new tool for fighting unsolicited e-mail: the infamous "spams", or junk mail, that flood electronic mailboxes. As its name suggests, the site makes it easy to report the receipt of these harmful e-mails to public and private bodies, directly from one's e-mail software.
Behind Signal-spam.fr is an association of the same name, which brings together the members of the anti-spam working group set up in 2004 by the Direction du développement des médias (DDM), which reports to the Prime Minister. It includes an impressive list of players involved, closely or otherwise, with the Web in France, among them the Association des fournisseurs d'accès à Internet (AFA), the Fédération des entreprises de ventes à distance (Fevad) and the Syndicat national de la communication directe, and, on the public-authority side, the Cnil and the Direction centrale de la police judiciaire. "This is the first time anywhere in the world that so many players have been brought together on an anti-spam project," says Francis Bouvier, project manager at the Signal Spam association.
The process is free; a simple registration on the site is enough. The way Signal-spam.fr works has been simplified as far as possible. On receiving a junk e-mail, a user has two options. The first: copy and paste the complete message into a form available online. The second: install one of the extensions for the Microsoft Outlook or Mozilla Thunderbird e-mail clients. A single click on a button then forwards the spam automatically to the association. Browser extensions are planned so that the function is also available for webmail.
A similar experiment had already been attempted by the Cnil in 2002. The Commission had opened an e-mail address to which Internet users were invited to forward the junk mail they received, with the aim of drawing up a kind of map of spam. The experiment was cut short: the Cnil was overwhelmed by its own success.
One million e-mails can be processed per day
"Signal-spam.fr has been sized to handle one million e-mails a day," Francis Bouvier reassures. "And unlike the Cnil's experiment, the e-mails will be analysed."
To that end, several tools have been developed. The first will automatically examine the technical information contained in the e-mail's headers to trace its origin. Where appropriate, a French access provider will be alerted that one of its subscribers' accounts is being used to send junk mail. A fingerprinting system for messages and URLs will also make it possible to detect, behind hundreds of e-mails, the origin of a spam campaign.
Finally, a team will also look at the content of the e-mails to flush out the scams and frauds that abound in these messages. "If there is a danger, we will pass the information on to the relevant service, whether that is the DGCCRF or the judicial police," says Francis Bouvier. The practical arrangements for this hand-over are, however, still being worked out. The user will be kept informed of the follow-up given to his report.
Funding of the Signal Spam association is split equally between the DDM and the professional players. In 2006, its operating budget was 200,000 euros.
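The two automated steps the article describes, tracing a reported message's origin from its headers and fingerprinting the message and its URLs so that hundreds of reports collapse into one campaign, as an added example. This is not Signal Spam's code and says nothing about how their platform actually works; the reports, hosts and addresses below are constructed (RFC 5737 documentation ranges and .example domains), and the trusted relay name mx.reporter.example is an assumption. The one caveat a practitioner would want is built in: only Received headers written by relays you control can be trusted, so the origin is the IP recorded by the last trusted hop, and anything below it may have been forged by the sender.

```python
"""Added example (not Signal Spam's code): origin tracing and campaign
fingerprinting for reported spam, on constructed sample messages."""
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from urllib.parse import urlparse

# Relays we operate (assumption). Received: lines they wrote are trusted;
# everything older in the chain was written by someone else.
TRUSTED_RELAYS = {"mx.reporter.example"}

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+\S+.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed reports: two copies of one campaign (same relay, per-recipient
# tracking ids) and one unrelated message carrying a forged bottom hop.
SAMPLE_REPORTS = [
    """Received: from relay.isp-a.example (relay.isp-a.example [203.0.113.45])
\tby mx.reporter.example (Postfix) with ESMTP id 1A2B3C
\tfor <alice@reporter.example>; Thu, 10 May 2007 09:12:01 +0200
Received: from [10.0.0.8] (unknown [10.0.0.8])
\tby relay.isp-a.example with SMTP; Thu, 10 May 2007 09:11:40 +0200
From: "Pharmacy" <promo@pharma-deal.example>
To: alice@reporter.example
Subject: Cheap meds id 48213
Content-Type: text/plain

Dear customer, your order 48213 is ready.
Visit http://pharma-deal.example/track?u=48213 now!
""",
    """Received: from relay.isp-a.example (relay.isp-a.example [203.0.113.45])
\tby mx.reporter.example (Postfix) with ESMTP id 4D5E6F
\tfor <bob@reporter.example>; Thu, 10 May 2007 09:13:27 +0200
Received: from [10.0.0.8] (unknown [10.0.0.8])
\tby relay.isp-a.example with SMTP; Thu, 10 May 2007 09:13:02 +0200
From: "Pharmacy" <promo@pharma-deal.example>
To: bob@reporter.example
Subject: Cheap meds id 77120
Content-Type: text/plain

Dear customer, your order 77120 is ready.
Visit http://pharma-deal.example/track?u=77120 now!
""",
    """Received: from mail.bank.example (mail.bank.example [198.51.100.7])
\tby mx.reporter.example (Postfix) with ESMTP id 9F8E7D
\tfor <carol@reporter.example>; Thu, 10 May 2007 10:02:55 +0200
Received: from secure.bank.example (secure.bank.example [192.0.2.10])
\tby mail.bank.example with ESMTP; Thu, 10 May 2007 10:02:50 +0200
From: "Bank" <alert@bank.example>
To: carol@reporter.example
Subject: Account notice 5501
Content-Type: text/plain

Your account has been suspended. Confirm your details at
http://secure-bank-login.example/verify?id=5501 within 24 hours.
""",
]


def received_hops(msg):
    """(client_ip, receiving_host) per Received: line, newest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        unfolded = " ".join(str(raw).split())
        m = RECEIVED_RE.search(unfolded)
        if m:
            hops.append((m.group("ip"), m.group("by").lower()))
    return hops


def origin_ip(msg):
    """IP of the first hop we cannot vouch for: the client address recorded
    by the last trusted relay. Older hops may be forged, so they are ignored."""
    candidate = None
    for ip, by_host in received_hops(msg):
        if by_host not in TRUSTED_RELAYS:
            break
        candidate = ip
    return candidate


def campaign_fingerprint(msg):
    """Hash of the URL hosts plus the body with per-recipient numbers masked,
    so variants of one mailing share a fingerprint. Returns (digest, hosts)."""
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(body)})
    text = URL_RE.sub(" ", body).lower()
    text = re.sub(r"\d+", "#", text)            # tracking ids, order numbers
    text = " ".join(text.split())               # whitespace/line-wrap noise
    digest = hashlib.sha256("\n".join(hosts + [text]).encode()).hexdigest()
    return digest[:16], hosts


def group_reports(raw_messages):
    """Cluster raw reports by campaign fingerprint; each entry records the
    origin to alert and the URL hosts seen."""
    campaigns = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        fp, hosts = campaign_fingerprint(msg)
        campaigns[fp].append({"origin_ip": origin_ip(msg), "hosts": hosts,
                              "to": msg.get("To")})
    return dict(campaigns)


if __name__ == "__main__":
    for fp, reports in group_reports(SAMPLE_REPORTS).items():
        origins = sorted({r["origin_ip"] for r in reports})
        print(f"campaign {fp}: {len(reports)} report(s), origin {origins}, "
              f"hosts {reports[0]['hosts']}")
```

Run as a script it prints one line per campaign; the two pharmacy reports fall into a single cluster with origin 203.0.113.45 (the ISP relay to notify), while the bank-themed message is attributed to 198.51.100.7 and its forged 192.0.2.10 hop is never trusted.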
Wednesday 9 May 2007
Firms hit rivals with web attacks
http://news.bbc.co.uk/2/hi/technology/6623673.stm
By Mark Ward
Technology Correspondent, BBC News website
[Image: croupier dealing cards (BBC). Caption: Gambling sites were targeted in denial of service attacks]
Legitimate businesses are turning to cyber criminals to help them cripple rival websites, say security experts.
The rise in industrial sabotage comes as some suggest cyber criminals are turning away from using web-based attack tools in extortion rackets.
Experts suspect this is because of the risks involved in mounting such an attack on a web shop or retailer.
Instead the tools, usually hijacked home computers, are being used to pump out junk e-mail.
Cash call
Often these hijacked PCs, known as bots, are used for "Distributed Denial of Service" (DDoS) attacks that attempt to knock a site or server offline by bombarding it with huge amounts of data.
Online gambling sites were among the first to be threatened with DDoS attacks if they did not hand over significant sums of cash.
In a recent entry on the Symantec Security Response blog, Yazan Gable said the company had seen a "pretty sharp decline" in the number of attacks that try to extort cash.
Mr Gable said this was because extortion attacks were no longer profitable because knocking a website offline via DDoS was "loud and risky".
Many of those controlling the networks of bot computers have now started using them to send out spam which was just as lucrative and a lot less risky, said Mr Gable.
But Paul Sop, chief technology officer at Prolexic which helps victims cope with DDoS attacks, said they were proving as popular as ever.
[Image: network cables (BBC). Caption: DDoS attacks try to flood servers with too much data]
"We've seen more DDoS attacks in the last few months than we have ever seen," he said.
The decline could just be part of the arms race between criminals and security firms.
"When the gangs feel the pincers coming in they change their strategy," he said.
There was no reason to think the decline was because such attacks were no longer profitable. Not least, he said, because only in 20% of cases do attacks stop once a victim has made a payment.
"Once they have you hooked they'll keep going," he said, "it can get up to some pretty serious numbers."
Mr Sop said the number of extortion-based attacks had declined a little but this had been more than made up for by companies using them to batter rivals.
"We are seeing a lot of anti-competitive behaviour," he said.
Mr Sop added that many more Asian targets were being hit by DDoS attacks - a region in which Symantec did not historically have a big presence.
In Asia, he said, DDoS attacks were proving very popular with unscrupulous firms keen to get ahead of their rivals.
"The really frightening thing is you can buy access to a botnet for a small amount of money and you can have your competitor down for a long time," he said.
In one case that Prolexic helped with, a firm was battered for four months by a rival using a botnet owned by a criminal gang.
"It's a great use of funds to destroy your competitor," he said.
Phishing Social Networking Sites
http://ha.ckers.org/blog/20070508/phishing-social-networking-sites/
Okay, I had a lot of fun with this post. No new news here, but I was able to talk to someone who was willing to sit down and write out some thoughts from a phisher’s perspective. The phisher goes by the name “lithium” and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large. These are his words, unmodified:
How would you describe yourself? Age? Did you go to school? Interests?
Determined is the best word to describe myself. I’m 18 years young. Yes, I went to school. I left after high school. My interests are MMA (mixed martial arts), fitness and, last but not least, the Internet!
How did you get your start in phishing? How did you get interested in it?
The typical scam mail that my parents kept receiving in their inbox. They were very poorly done! Yet in general they worked. So, I knew automatically I could come up with more efficient methods and have a far greater outcome.
How long have you been phishing?
I’ve been phishing since I turned 14. So that’s nearly 5 years.
Do you have any idea how many people’s identities you’ve stolen so far?
Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through.
Did you need to forge any particular relationships with other people/groups to get started?
No. When I started I went solo. A lot of groups came to me asking if I wanted in; I declined.
What types of sites make the best phishing sites?
Social networking sites. Any site that involves teenagers ranging from 14 years old upwards.
What are the steps you take to set up a phishing site?
I try to find a domain name that would best suit the current target. Try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host. (Offshore are the most reliable.) Although, I do tend to use compromised hosting accounts.
Secondly, I view the page source. Then I alter the source code to post the form’s information to my phishing site.
Thirdly, I create a PHP file which will POST the current form’s information to a text file on my server. I use the same PHP file with every site; just minor alterations are needed since it’s merely a few lines of PHP code.
How many people do you typically phish per site you post?
That all depends on the size of the website (the amount of users). Usually, I phish 30k a day.
How do you monetize the identities and how much does that net you?
Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following, paypal/egold/rapidshare/ebay accounts, even the email account itself, I sell those to scammers. All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest; the more time I invest the greater the outcome.
Are there any costs associated with phishing?
Yes there are costs. A dedicated server, VPN, Network encryption software and time.
What sort of hardware/software do you need to do this? Anything special (phishing kits, etc…)? What kind of internet connection do you use?
For MOST social networking sites, I use a program called MyChanger. You can find it on this website - www.myownchanger.com - This makes phishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it’s great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn’t anything fancy, a standard 1mb ADSL line.
How do you keep yourself safe from being caught?
I use VPNs, dedicated servers, proxies and my network traffic is encrypted. All payments are made through egold.
Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?
Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.
Do you foresee any changes to the phishing industry that are worthy of note?
No.
Anything else you’d like to share/last words?
Lazy web developers are the reason I’m still around phishing.
Pretty telling on the current state of affairs, I’d say. The first interesting point I took from this was that IE7 and FF2 were actually a somewhat okay deterrent. From the looks of it, it hasn’t made much of a dent, only changed the tactics that phishers use. I suppose we could have guessed that since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making a dent. I actually predicted that it would before IE7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.
The second is that the password is used in more than one place 50% of the time - we already knew that but it’s interesting to hear it from a phisher’s perspective on how that’s actually useful to help monetize the attack. A huge thanks to lithium who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?
Okay, I had a lot of fun with this post. No new news here, but I was able to talk to someone who was willing to sit down and write out some thoughts from a phisher’s perspective. The phisher goes by the name “lithium” and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large, These are his words - unmodified:
How would you describe yourself? Age? Did you go to school? Interests?
Determined is the best word to describe myself. I’m 18 years young. Yes, I went to school. I left after high school. My interests are mma (mixed martial arts); fitness and last but not least..The internet!
How did you get your start in phishing? How did you get interested in it?
The typical scam mail that my parents kept recieving in their inbox. They were very poorly done! Yet in general they worked. So, I knew automatically I could come up with more efficient methods and have a far greater outcome.
How long have you been phishing?
I’ve been pishing since I turned 14. So thats, Nearly 5 years.
Do you have any idea how many people’s identities you’ve stolen so far?
Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through.
Did you need to forge any particular relationships with other people/groups to get started?
No, When I started I went solo. Alot of groups came to me asking if I wanted in, I declined.
What types of sites make the best phishing sites?
Social networking sites, Any site that involves teenagers ranging from 14 years old upwards.
What are the steps you take to set up a phishing site?
I try to find a domain name that would best suit the current target. Try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host. (Offshore are the most reliable.) Although, I do tend to use compromised hosting accounts.
Secondly, I view the page source. Then I alter the source code to post the form’s information to my phishing site.
Thirdly, I create a PHP file which will POST the current form’s information to a text file on my server. I use the same PHP file with every site; just minor alterations are needed since it’s merely a few lines of PHP code.
How many people do you typically phish per site you post?
That all depends on the size of the website (the amount of users). Usually, I phish 30k a day.
How do you monetize the identities and how much does that net you?
Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following - paypal/egold/rapidshare/ebay accounts, even the email account itself - I sell those to scammers. All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest; the more time I invest, the greater the outcome.
Are there any costs associated with phishing?
Yes there are costs. A dedicated server, VPN, Network encryption software and time.
What sort of hardware/software do you need to do this? Anything special (phishing kits, etc…)? What kind of internet connection do you use?
For MOST social networking sites, I use a program called MyChanger. You can find it on this website - www.myownchanger.com - This makes phishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it’s great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn’t anything fancy, a standard 1mb ADSL line.
How do you keep yourself safe from being caught?
I use VPNs, dedicated servers, proxies and my network traffic is encrypted. All payments are made through egold.
Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?
Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.
Do you foresee any changes to the phishing industry that are worthy of note?
No.
Anything else you’d like to share/last words?
Lazy web developers are the reason I’m still around phishing.
Pretty telling on the current state of affairs, I’d say. The first interesting point I took from this was that IE7 and FF2 were actually a somewhat okay deterrent. From the looks of it, it hasn’t made much of a dent - only changed the tactics that phishers use. I suppose we could have guessed that since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making a dent. I actually predicted that it would before IE7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.
The second is that the password is used in more than one place 50% of the time - we already knew that but it’s interesting to hear it from a phisher’s perspective on how that’s actually useful to help monetize the attack. A huge thanks to lithium who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?
Gulf Bank warns customers against SMS 'Phishing'
http://www.kuwaittimes.net/read_news.php?newsid=MTczOTUxMjI0Ng==
Published Date: May 09, 2007
KUWAIT: Gulf Bank is warning all customers to be aware of SMS 'phishing', a fraudulent use of SMS mobile phone text messaging which may be designed to obtain confidential bank details illegally.
Gulf Bank has been alerted to a recent case in which customers of another bank received SMS text messages telling them they had won prizes and inviting them to contact their nearest branch.
Gulf Bank urges all customers to exercise extreme caution when receiving SMS text or email messages. These messages may be an attempt to obtain customers' personal account details. Should you receive a suspicious message, please contact Gulf Bank immediately on 805805.
It is Gulf Bank's policy not to request account numbers, PIN codes or other confidential customer information via SMS.
'Phishing' is a crime that affects the banking industry around the world. Gulf Bank places the highest priority on protecting confidential account details and has issued this alert in the interests of customer security.
Friday, May 4, 2007
Electronic payment - In search of an ecosystem
http://www.nouveleconomiste.fr/1386/1386-paiement-electronique.html
The gesture seems as simple as it is rewarding: take out your mobile phone to pay for small purchases, far more easily than with a few coins or your bank card. This is no longer a forecast, and barely even anticipation: in a few months this convenience will be within reach of French consumers, as it already is in the Land of the Rising Sun. In Japan, since 2005 it is no longer digital products but physical goods and services that sell best via mobile. Between branded goods and DVDs, the total market amounts to 1.5 billion euros a year. “You hold your phone up to a terminal, enter your code, and the payment is made in complete security,” explains François Loos, Minister Delegate for Industry. This utterly simple operation brings into play players whose interests do not always converge: telecom operators and banks, when it comes to finding a formula for sharing the new revenues from this telephone windfall.
“The arrival of contactless”
As in any war, there is a triggering event, “the arrival of contactless,” stresses Jacques Sénéca, president of Eurosmart and of Gemalto for Europe. Thanks to an NFC (Near Field Communication) chip, the mobile phone turns into a bank card communicating by radio with a payment terminal a few centimetres away. This scenario is being tested in Strasbourg with hundreds of users and merchants: Crédit Mutuel's debit application is placed on the SIM card of the operators NRJ Mobile and SFR.
In its wake, Crédit Mutuel, BNP, the three French mobile operators and the two international leaders in payment services, MasterCard and Visa, sat down around a table to define the security standards for the banking application on the SIM card. That does not settle the essential point, the future business model. How will the operator be paid? Rent for making space available on the SIM card? A percentage of the payment? A fee per download, per SMS, via the additional traffic generated? “The cost for the consumer will be exactly the same as for a bank card,” reveals Bernard Sadun of Crédit Mutuel, who sees only a change of medium. “In Japan there is a system of commission for the operator linked to credit consumption, but the process remains opaque. Above all, the operator gains a customer-retention tool,” says Patrice Nordey, head of development of the Asia department of L'Atelier.fr BNP-Paribas, who points out that agreement is easier in Japan: “operators do not use the SIM card as a smart card that can store data. It only hosts the payment application of a single bank.” Each bank supplies its own SIM card, incompatible with the others, which looks more like an electronic purse. Agreements between two players are easier. The French desire for universal payment is new: users can pay for their purchases via their mobile whatever their bank, provided the merchant has a terminal. That implies a new financial split. “A percentage on transactions is not ruled out, especially if the solution reduces risk for the banks,” they explain at Bouygues Telecom, as Jean-Pierre Blettner notes in 01 Réseaux. A position that Crédit Mutuel, by contrast, rejects: “the payment does not use the telephone function.”
The forced entente cordiale
Faced with so much greed, the banks could manage their own security component in the mobile. The American company SanDisk thus offers the Trusted Flash memory card, embedding a banking application in the mobile, “a pilot of which will be trialled in 2007 in Asia,” recalls Pascal Caillon, in charge of content at SanDisk. Financial institutions nevertheless have a handicap: they struggle to provide after-sales service for computer hardware, as the Cyber-Comm experiment, a system for securing Internet payments, demonstrated. The introduction of Eurocheque and the EC direct card failed in France, as did the Monéo electronic purse. Finally, even if the banking application is downloaded into an independent component, “it is still the SIM card that arbitrates access to the NFC chip for communicating with the outside,” notes Pascal Caillon. The operators are therefore in a position of strength. Could they do without the banks by creating their own payment institution? They would rely on the new Single Euro Payments Area (SEPA), which harmonises euro financial transfers between member countries (credit transfers, direct debits, bank cards) so that a cross-border payment is processed with the same speed and security as a domestic one. The banks' expertise in payment instruments and risk management dissuades them. The operators do not wish to enter alone into the confidentiality and security logic of a domain “which will be the next playground of mobile pirates in 2007,” according to Bob Egan in a TowerGroup Research report.
What is at stake with post-payment
Prepayment, an electronic purse drawn on a current account that is debited in advance, has developed a little in France in niches such as parking meters. As for post-payment, a line of credit that can be exceeded, François Loos mentions a “possible generalisation to the whole country by 2009”... provided that “the players agree on an ecosystem in which everyone gets their share,” as SFR puts it. However, ABI Research's experts advise operators not to focus on payments: the mobile will serve other applications on which they will be able to collect a fee. “Customers expect several products on their mobile, like several payment cards in their wallet. They also want transport and show ticketing, access or loyalty cards,” they stress at Orange. Each card issuer must be able to place its application on the SIM card. This tempers discussions that promise to be lively.
SecureWorks Uncovers $2 Million Russian Hacker Scheme
http://www.secureworks.com/research/newsletter/2007/04/
In January 2007 the SecureWorks Security Research Group discovered a new trojan that searches for and captures credentials used by several Internet banking and e-commerce websites. The trojan, named Gozi, is able to forward captured credentials to an online database where they were being sold to the highest bidder. While researching Gozi, the SecureWorks Security Research Group uncovered a cache of stolen information holding over 10,000 account records containing everything from online banking user credentials to patient healthcare information and even employee login information for confidential government and law enforcement applications. Further investigation revealed that this data was being offered for sale by Russian hackers for an amount totaling over $2 million. The records retrieved included account numbers and passwords from customers of many top global banks and financial services companies, top US retailers and leading online retailers. SecureWorks is working with the affected organizations and federal law enforcement officials as well as other security groups such as FIRST and CERT to address the Gozi threat.
Gozi is a state-of-the-art, modularized trojan spread through Internet Explorer browser exploits, and it went undetected for weeks by many anti-virus vendors. Many home PCs were infected by Gozi while users were visiting popular community forums for hobbies, online games, etc. Gozi then retrieved the users' credentials when they later logged into their banking, retail, or employers' applications. These credentials were forwarded to an online storefront where they were offered for sale.
The trojan was designed to capture any data entered into websites relying on SSL (Secure Sockets Layer) to protect confidential information. Most Internet banking, online retail, and corporate intranets utilize SSL to encrypt communications from their customers. We also discovered that components of Gozi were purposely designed to circumvent the multi-factor authentication protections of specific large financial institutions. These protections met and exceeded those mandated by the FFIEC. SecureWorks briefed these financial institutions on Gozi's activities so they can be on the lookout for any fraudulent activity.
How to Protect Against Gozi
PCs on corporate networks can be infected if not well-protected. Security administrators should:
1. Enable heuristic detection as part of your anti-virus systems. This will increase the rate of false positives, so it should be done cautiously and with consideration as to how it can impact your operations.
2. Make sure your IPS is configured to detect and block Gozi and similar threats.
3. Ensure that your anti-virus vendor has a signature for the Gozi trojan, then make sure all your computing systems are patched and current with the latest anti-virus protections.
4. If you use a managed security services partner to protect your systems, make sure that they have implemented countermeasures specific to Gozi and its variants. Clients relying on SecureWorks' iSensor Network Intrusion Prevention Service were protected from day one.
A full analysis of the Gozi threat is available at http://www.secureworks.com/research/threats/gozi/.
Russia calls for an end of Whois in Dot RU
http://blog.domaintools.com/2007/05/russia-calls-for-an-end-of-whois-in-dot-ru/
My Russian may be a little bit broken, so forgive the translation; I have attempted to read the Russian newspaper where they reported this story first. But apparently Russia is trying to remove whois on their .RU domain names. Here is the translated story.
Information on the ownership of Russian sites may become totally secret in the coming months. The most popular international zone, .com, long ago won over owners wishing to keep their Internet sites incognito. Under the Personal Data law, which entered into force on January 30, 2007, the written consent of every person is required for the inclusion of their personal data in public databases. Some organizations have been given until January 2008 or January 2010 to bring their public databases into line with the law. According to the Russian Research Institute for Public Networks (RosNIIROS, the focal point for the .ru domain), in late 2006 there were more than 700,000 sites in Runet belonging to nearly 329,000 owners.
Currently the online WhoIs of RosNIIROS (www.ripn.net) shows the contact name and contact telephone number of a site's owner. For example, you can find out that the famous site compromat.ru is owned by Sergei Gorshkov. But that may not always be the case. According to the head of public relations at Ru-Center (the largest domain registrar in Runet), Andrei Vorobiev, RosNIIROS together with the domain registrars is now discussing how to give site owners a choice of whether or not to allow public access to their personal data.
According to him, the RosNIIROS WhoIs database only has to be brought into line with the law by January 1, 2010. But Russian registrars want to give site owners the opportunity to hide themselves within a few months, explains Vorobiev. He said that registrars will keep only the site owner's e-mail address in the public domain, because no personal information about the person can be obtained from it.
Russia is not the first country to safeguard the personal data of owners. The American organization ICANN, which maintains the registry for the .com domain, currently requires owners to disclose a name and phone number for WhoIs. However, according to Vorobiev, some companies are paid to register sites anonymously: the site is registered in their name, and the real owner then operates it.
ICANN's representative in the CIS, Veni Markovski, told “Vedomosti” that the principles of the WhoIs database are to be considered on July 30 by the GNSO, the ICANN body supporting domain names, whose meetings are attended by representatives of various countries. According to him, Russia should work more actively in the GNSO.
However, anyone wishing to remain anonymous can already decline to give their real name or phone number, said the well-known Paul Gross. According to him, neither RosNIIROS nor ICANN checks the accuracy of this data.
Russian nationals conspired to steal IDs, indictment says
http://www.pe.com/ap_news/California/CA_BRF_NorCal_Identity_Theft_285833C.shtml
The Associated Press
SACRAMENTO
Four Russian citizens, three of whom were in the U.S. on temporary work visas, conspired to steal personal information and used it to buy computers, jewelry, clothing and other merchandise, federal prosecutors said Tuesday.
The U.S. attorney's office in Sacramento unsealed the indictment after three of the men were arrested in Baltimore last month. The fourth, Aleksey Chugaev, 24, is believed to be a fugitive in southern Russia, prosecutors said.
Roman Karelov, 18, and Oleg V. Umarov, 20, were ordered held without bail during an appearance Monday in federal court in Sacramento. Radik E. Nizamov, 21, is being transported to Sacramento from Baltimore, where all three were living temporarily at the time of their April 13 arrest, prosecutors said.
The indictment alleges that Chugaev ran the operation from Russia, using the others to steal identities and credit information. He then used the information to withdraw cash in Russia and buy merchandise in the U.S. that was then shipped overseas, according to the indictment.
Umarov's attorney, Donald Dorfman, said his client is innocent. Umarov and his girlfriend, who was named in an earlier complaint but not the indictment, were swept up because they were living in the same Baltimore home as the other Russian nationals, he said.
Attorney Bruce Locke, who represents Karelov, declined comment. Nizamov will be assigned an attorney after he arrives in California.
Karelov, Umarov and Nizamov were in the country on work visas that had expired by the time of their arrest, prosecutors said.
All four men are charged with conspiracy to commit mail and wire fraud, credit card fraud and interstate transportation of stolen goods. Chugaev, Karelov and Nizamov also are charged with wire fraud, while Chugaev is charged with mail fraud and identity theft.
Published: Tuesday, May 1, 2007 17:07 PDT
Wednesday, 2 May 2007
An insurance contract for worry-free surfing - 01net
01net - 27 Apr 2007
The April group is going to offer a new guarantee to insure Internet users against online fraud, the hazards of e-commerce and damage to their computer.
Philippe Crouzillacq, 01net, 27/04/2007 at 14:04
What if the future of insurance lay on the Web? In a country where 46% of households now have Internet access and where online commerce welcomed more than 3 million new customers in 2006, the market looks promising. April Solutions, a group specializing in the design, management and distribution of consumer property and casualty insurance solutions, seems to have grasped the full value of the situation.
Through agreements with ISPs, e-commerce sites and computer retailers, the group will market a « Pack Internet » insurance. The product is appealing. Unfortunately, since the April group declined to provide us with the general terms of sale and the details of this contract, we can only outline its broad strokes here.
Insuring against phishing and premium-rate connections
For 4.90 euros per month (58.80 euros per year), the Internet user will be able, in theory at least, to benefit from a hardware guarantee on computer equipment (PC, peripherals) less than five years old. This provision is, however, limited to losses covered by the comprehensive home insurance (theft, fire, etc.) the policyholder already holds, and it supplements that policy's compensation (up to a maximum of 2,000 euros per year and per claim).
April's « Pack Internet » also includes legal protection in the event of Internet disputes. This covers online purchases (« good delivery » guarantee) and fraud, such as identity theft (phishing) and dialer scams (premium-rate connections made without the user's knowledge). On top of this comes legal protection allowing the policyholder to obtain assistance by telephone in a dispute with an online merchant and to have legal costs reimbursed (up to 20,000 euros per claim).
Finally, the policyholder can count on a technical support hotline for any question relating to Internet use, with no further detail from April... In the event of a virus attack, the insurance will cover all costs related to repairing the computer (technician call-out, parts and labour).
In practice, while the solution seems attractive, the consumer should still not sign up blindly. A careful reading of this type of contract is essential because, as the Anglo-Saxons say, « the devil is in the details ».
Cybercrime on the rise in Switzerland
http://www.boursorama.com/international/detail_actu_intern.phtml?&news=4144968
Economic espionage, identity theft and data theft are on the rise on the Internet in Switzerland. Methods are increasingly sophisticated, and cybercriminals do not hesitate to recruit naive people as accomplices. Human beings are the weakest link, notes the Reporting and Analysis Centre for Information Assurance (Melani) in its report for the second half of 2006, published Monday.
"Last year, a judgment for data theft and destruction was handed down for the first time in Switzerland," the Federal Office of Police (fedpol) noted Monday. In this case, an IT specialist at the timing company Datasport had used malware to spy on his Swiss competitors. The cybercriminal is said to have obtained 27,000 sensitive files this way. He also deleted requests for quotes from his competitors' computer systems, so that those companies never received them.
The report singles out "social engineering" attacks, which exploit people's helpfulness, good faith or lack of security awareness to access confidential data or lead the victim to perform specific actions. Cybercriminals send, for example, a virus to take control of a large number of computers. They thereby create a "zombie network" of machines which, unbeknownst to their owners, carry out illegal operations, send spam or attack other computers.
Creating fictitious Swiss banks or fake Internet portals is also in vogue. Last August, Migros Bank had to suspend Internet payments following a "phishing" attack, which consists of deceiving users into disclosing their banking or personal details.
More pernicious is the case of the pseudo financial institution Porex, which recruited "financial agents". The recruit simply had to receive sums of money into their account and transfer them to a third account, taking a commission of up to 10% of the amount transferred along the way. "Yet anyone who accepted the offer was guilty of complicity in money laundering," fedpol noted, because the money came from accounts looted through phishing.
"The cybercrime market has entered a consolidation phase," the federal experts observed. The most lucrative segments are thus systematically exploited and professionalism tends to prevail, while international ramifications spread. And with operating systems becoming technically ever more secure, "human beings are the weak link that hackers are interested in," fedpol warned. AP