[SecurityRatty] tag: anti-spyware

Technology Tales from Thailand: KBank Fraud Management

Wed, 20 Aug 2008 03:16:51 +0000

In The Magical ATM Card and SMS Message in Thailand we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in Keyloggers: Why Banks Need Two-Factor Authentication I described how KBank uses SMS-based one-time-passwords (OTP) to authenticate transactions.

In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card. I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction. The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature. (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).

As the story goes, I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit dard. Why?

My US-based VISA debit card was cloned sometime on or before August 8th. I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant. The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.

This would not have happened with KBank SMS-based transaction notification services.

The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water”). If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai. I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.

In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc). You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.

I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US. I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.

A Diverse Portfolio of Fake Security Software - Part Two

Mon, 18 Aug 2008 21:51:48 +0000

With scammers continuing to introduce new typosquatted domains promoting well known brands of rogue security software that is most often found at the far end of a malware campaign, exposing yet another diverse portfolio of last week's introduced domains is what follows.

Naturally, in between taking advantage of the usual hosting services, most of the domains remain parked at the same IPs, this centralization makes it easier to locate them all, then having to go through several misconfigured malicious doorways that will anyway expose the portfolio.

antivirus2008t-pro .com - (91.203.92.64; 78.157.142.7)
antivirus2008pro-download1 .com
antivirus2008pro-download2 .com
scanner.antivir64 .com
antivirus2008t-pro .com
antivirus-2008y-pro .com

systemscanner2009 .com - (89.18.189.44; 208.88.53.114)
xpdownloadserver .com
global-advers .com
xpantivirus .com
updatesantivirus .com
windows-scannernv .com

ratemyblog1 .com - 208.88.53.114
windows-scanner2009 .com
systemscanner2009 .com
antivirus-database .com
antivirus2009professional .com
antivirus-2009pro .com
antivirus2009-scanner .com
global-advers .com
drivemedirect .com
windows-scannernv .com

webscweb-scannerfree .com - (58.65.238.106; 208.88.53.180)
freebmwx3 .com
mytube4 .com
beginner2009 .com
webscweb-scannerfree .com
antivirus2009-software .com
antivirus-database .com
purchase-anti .com

onlinescannerxp .com
virus-onlinescanner .com
spywareonlinescanner .com
xponlinescanner .com
virus-securityscanner .com
virus-securityscanner .com
webscannerfreever .com
blazervips .com
global-advers .com
xpantivirus .com
drivemedirect .com
windows-scannernv .com

mytube4 .com - 58.65.238.106
beginner2009 .com
webscweb-scannerfree .com
securityscannerfree .com
xpcleaner-online .com
streamhotvideo .com
xpcleanerpro .com
onlinescannerxp .com
online-xpcleaner .com
antispyguard-scanner .com
virus-onlinescanner .com
microsoft.browsersecuritycenter .com
fastupdateserver .com
blazervips .com
xpantivirus .com
drivemedirect .com
fastwebway .com
xpantivirussecurity .com
wordpress.firm .in
megacodec .biz
mcprivate .biz

internet-defense2009 .com - 84.16.252.73
myfreespace3 .com
greatvideo3 .com
internet-defense2009 .com
windows-defense .com
3gigabytes .com
teledisons .com
updatesantivirus .com
update-direct .com
xp-protectsoft .com

top-pc-scanner .com - (91.203.92.50; 92.62.101.43)
nortonsoft .com - (91.186.11.5)
powerantivirus-2009 .com - (91.208.0.233)
powerantivirus2009 .com - (91.208.0.233)
pwrantivirus .com - (91.208.0.231)
xp-guard .com - (92.62.101.35)
xpertantivirus .com - (91.208.0.230)
internetscanner2009 .com - (89.149.229.168)

Where's the business model here? Where it's always been, upon installation of the rogue security software, the malware campaigner earns up to 40% revenue from the rogue security software's vendor.

Related posts:
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd

Malicious Adobe Flash Ads Hit High-Profile Websites

Mon, 18 Aug 2008 19:17:04 +0000

According to a post on the Bluetack Internet Security Solutions site, Newsweek.com is suspected of running rogue banner advertisements that try to trick visitors into installing fraudulent anti-malware programs. Newsweek.com is one of several high-profile websites accused of exposing its readers to dangerous ads. The malicious ads have been appearing on Newsweek’s website via feeds that [...]

Anti-Georgia spammers building new botnet

Thu, 14 Aug 2008 20:00:00 +0000

Hackers targeting Georgia in the midst of its conflict with Russia have started sending out a new batch of malicious spam messages, apparently with the aim of building a new botnet network of remote-controlled computers.

Data Mining to Detect Pump-and-Dump Scams

Thu, 14 Aug 2008 02:10:34 +0000

I don't know any of the details, but this seems like a good use of data mining:

Mr Tancredi said Verisign's fraud detection kit would help "decrease the time between the attack being launched and the brokerage being able to respond".
Before now, he said, brokerages relied on counter measures such as restrictive stock trading or analysis packages that only spotted a problem when money had gone.

Verisign's software is a module that brokers can add to their in-house trading system that alerts anti-fraud teams to look more closely at trades that exhibit certain behaviour patterns.

"What this self-learning behavioural engine does is look at the different attributes of the event, not necessarily about the computer or where you are logging on from but about the actual transaction, the trade, the amount of the trade," said Mr Tancredi.

"For example have you liquidated all of your assets in stock that you own in order to buy one penny stock?" he said. "Another example is when a customer who normally trades tech stock on Nasdaq all of a sudden trades a penny stock that has to do with health care and is placing a trade four times more than normal."

This is a good use of data mining because, as I said previously:

Data mining works best when there's a well-defined profile you're searching for, a reasonable number of attacks per year, and a low cost of false alarms.

Another news article here.

CNN Custom Alerts Spam

Sun, 10 Aug 2008 13:28:40 +0000

In general, my anti-spam filters and tools are pretty effective. So when I start to see something like this....

....it's obvious that a huge spam wave is underway. These are, of course, related to the fake CNN Spam from a few days ago. Here, the emails take the form of "custom alerts":

Click to Enlarge

I've seen two types of this mail - one links to a genuine CNN article from the headline text (with the smaller link underneath leading to an infection site), the other simply links to the infection site from both clickable links. As before, deleting these Emails is the best course of action. Interestingly, the format of these mails might not be working to the spammers advantage. Lots of people I've talked to who had one of these mails sent through simply deleted them without a second thought, thinking it was merely something on the real CNN they thought they'd signed up to and didn't actually want.

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

Proactive Education: Remedying the 'Strain' of Compliance

Thu, 07 Aug 2008 20:00:00 +0000

A recent survey confirmed that internal threats continue to grow and to represent a challenge to organizations' security postures. It revealed that, in scans of 100,000 PCs and servers in many industries: 12% of infected computers had a missing or disabled anti-virus program, 10.7% had unauthorized personal storage such as USB sticks or external hard drives, 9.1% had unauthorized peer-to-peer (P2P) applications installed, 8.5% had a missing 3rd party desktop agent, 2.6% had unprotected shared folders, 2.2% had unauthorized remote control software, and 2% had missing Microsoft service packs. These results continue to resonate with the conclusions of the CSI FBI survey that reported in 2007 that internal threats have now outpaced viruses in terms of risk to organizations...

Mac users are advised not to use Safari by Consumer Reports

Wed, 06 Aug 2008 18:26:29 +0000

According to this year’s State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. Consumer Reports [...]

More ways to protect yourself from phishing

Tue, 05 Aug 2008 20:00:00 +0000

In my recent Editors' Notes post on Consumer Reports' recommendation that Mac users dump Safari because the Apple browser lacks the anti-phishing tools of Firefox and Opera, I focused on behavioral changes one can make that minimize the risks of phishing attempts. I didn't, however, discuss a relatively simple configuration change you can make to your Mac that will give you a real anti-phishing tool--in Safari or any other browser you might want to use.