[SecurityRatty] tag: names

Nonviolent Activists Are Now Terrorists

Thu, 09 Oct 2008 09:07:17 +0000

Heard about this:

The Maryland State Police classified 53 nonviolent activists as terrorists and entered their names and personal information into state and federal databases that track terrorism suspects, the state police chief acknowledged yesterday.

Why did they do that?

Both Hutchins and Sheridan said the activists' names were entered into the state police database as terrorists partly because the software offered limited options for classifying entries.

I know that once we had this "either you're with us or with the terrorists" mentality, but don't you think that -- just maybe -- the software should allow for a little bit more nuance?

Fake Windows XP Activation Trojan Wants Your CVV2 Code

Mon, 06 Oct 2008 15:01:01 +0000

In a self-contradicting social engineering attempt, a malware author is offering to sale a (updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the fact that it claims "We will ask for your billing details, but your credit card will NOT be charged", is requesting and remotely uploading all the credit card details required for a successfully credit card theft.

Perhaps among the main reasons why such simplistic social engineering attempts never scaled in a "malicious economies of scale" approach, is because sophisticated crimeware kits capable of obtaining the very same data automatically, started leaking for everyone to start taking advantage of - including yesterday's cybercriminals using such DIY fake message builders.

Moreover, according to recently reseased survey results, end users cannot distinguish between fake popups and real ones, and on their way to continue doing what they were doing, click OK on that pesky warning message telling them that they're about to get infected with malware. Taking into consideration the fact that the popup windows the researchers used look like cheap creative compared to the average fake security software's layout high quality GUIs, it is perhaps worth restating your research questions with something in the lines of - What motivates end users to install an antivirus application going under the name of Super Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them that they're infected with 47 spyware cookies, or the fact that they ended up at the fake site while browsing their trusted web services?

The increase of rogue security software domains is happening due to the high payout affiliation based model, the standardized creative allowing the participants to come up with their own fake names if they want to, and due to the fact that the fake security threats scareware approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness of their legitimate security software.

Disk Containing Data on 17 Million T-Mobile Customers Missing, The Data Is For Sale

Mon, 06 Oct 2008 07:44:19 +0000

In 2006, 17 million German customer records were stolen from T-Mobile, a mobile network operator headquartered in Bonn, Germany. T-Mobile has admitted the incident where stolen customer records included names, addresses, phone numbers, dates of birth and email addresses. Silent about the data loss for more than two years, the company published its version of events [...]

AntiVirus XP ads on Google?

Fri, 03 Oct 2008 11:12:03 +0000

So, If I had clicked on this ad, and dnloaded this awful program and my puter was infected,,,,
Would Google be responsible?

clipped from www.2-spyware.com

Time for vengeance: AntiVirus XP distributors sued

Malware vendors hide well, however they do make mistakes. Distributors of Antivirus XP were bold enough and dumb enough to buy advertisements on Google Adwords! You get it right: someone looking for anti-virus software on Google search engine was offered Antivirus XP by official adds from Google. The scam was noticed pretty soon. Security experts all over the web guess that this mistake was the one that revealed names of AntivirusXP vendors. Victims of Antivirus XP can start celebrating as the distributors won’t get away easily.

"Scareware" Vendors Sued

Thu, 02 Oct 2008 03:03:09 +0000

This is good:

Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.
The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.

I would have thought that existing scam laws would be enough, but Washington state actually has a specific law about this sort of thing:

The lawsuits were filed under Washington's Computer Spyware Act, which among other things punishes individuals who prey on user concerns regarding spyware or other threats. Specifically, the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy, and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater.

MI6 Camera -- Including Secrets -- Sold on eBay

Wed, 01 Oct 2008 09:59:17 +0000

I wish I'd known:

A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK's MI6 organization.
Allegedly sold by one of the clandestine organization's agents, the camera contained named al-Qaeda cells, names, images of suspected terrorists and weapons, fingerprint information, and log-in details for the Secret Service's computer network, containing a "Top Secret" marking.

He turned the camera in to the police.

Microsoft and the Washington Attorney General Against Scareware Pushers

Mon, 29 Sep 2008 20:46:47 +0000

Washington state’s top law enforcement official has filed suit against a man accused of bombarding end users with misleading messages designed to trick them into buying software to fix PC problems that don’t exist. The complaint, filed in Washington state court by Attorney General Rob McKenna’s office, names James Reed McCreary IV of The Woodlands, Texas, [...]

Gambling Domains Seized by Kentucky

Sun, 28 Sep 2008 03:32:49 +0000

From reports, it appears that Kentucky Governor Steve Beshear has attempted to seize 141 gambling-related domain names under a state law that allows for seizure of items used for illegal gambling. It appears that the seizure order (click here for a copy of the initial order) was signed by a circuit judge, but later reports indicate that the judge is holding further hearings and seeking further arguments. A hearing will be held Oct. 7, according to TheDomains. See page 4 of the seizure order for a complete list of the 141 domains. Here are some of them:

123bingo.com
777dragon.com
indiancasino.com
jackpotcity.com
powerbet.com
crazypoker.com
vegaslucky.com

That sort of thing. According to DomainNameNews, several of the domains are for popular sites, including PokerStars.com, FullTiltPoker.com, BodogLife.com, GoldenPalace.com, Bet21.com, DoylesRoom.com and IndianCasino.com. It also reports that at least one registrar (Enom) has transferred domains pursuant to the order, including one whose registrant died of a heart attack this summer. The seizure order says that the domains are to be transferred by any registrar to a plaintiff's account at that registrar (the plaintiff being the Commonwealth of Kentucky), but that the domain names' configuration will be otherwise unchanged. This means that any gambling sites run on those domains or, for that matter, anything else on those domains, such as PPC ads, would remain functional. All things considered, this seems like simple-minded grandstanding without any good law behind it. The Constitution vests Congress with power to regulate interstate commerce, which the domain name market clearly is. In fact, these businesses are truly international. And it's a safe bet that none of the gambling companies or registrars operates in Kentucky, perhaps not even any of the domain name holders. That the state argues that residents of Kentucky engage in illegal gambling doesn't give the state jurisdiction. The Internet Commerce Association, a domainer lobby, has weighed in on the matter in opposition to the state's move.

250k of Harvested Hotmail Emails Go For?

Thu, 25 Sep 2008 08:13:08 +0000

$50 in this particular case, however, keeping in mind that the email harvester is anything but ethical, this very same database will be sold and re-sold more times than the original buyer would like to know about. Moreover, what someone is offering for sale, may in fact be already available as a value-added addition to a managed spamming service.

With metrics and quality assurance applied in a growing number of spam and phishing campaigns, filling in the niche of email harvesting by distinguishing between different types of obfuscated emails by releasing an easily embeddable module, was an anticipated move. What's to come? Spam and malware campaigns across social networks "as usual" will propagate faster thanks to the ongoing harvesting of usernames within social networks, that would later on get imported in Web 2.0 "marketing" tools targeting the high-trafficked sites and automatically spamming them.

From a spammer's perspective, geolocating these 250k emails could increase their selling prices since the buyers would be able to launch localized attacks with messages in the native languages of the receipts. Is the demand for quality email databases fueling the developments of this market segment, or are the spammers self-serving themselves and cashing-in by reselling what they've already abused a log time ago? That seems to be the case, since there's no way a buyer could verify the freshness of the harvested emails database and whether or not it has already been abused.

For the time being, we've got several developed and many other developing market segments within spamming and phishing as different markets with different players. On one hand are the legitimately looking spamming providers offering "direct marketing services" working with lone spammers who find a reliable business partner in the face of the spamming vendor whose customers drive both side's business models. On the other hand, you've got the spammers excelling in outsourcing the automatic account registration process, coming up with ways to build a spamming infrastructure -- already available as a module to integrate in managed spamming services -- using legitimate services as a provider of the infrastructure.

Despite that the arms race seems to be going on at several different fronts, spammers VS the industry and spammers VS spammers fighting for market share, the entire underground ecosystem is clearly allocating a lot of resources for research and development in order to ensure that they are always a step ahead of the industry.

Related posts:
Harvesting Youtube Usernames for Spamming
Thousands of IM Screen Names in the Wild
Automatic Email Harvesting 2.0
Dissecting a Managed Spamming Service
Managed Spamming Appliances - the Future of Spam
Inside an Email Harvester's Configuration File
Segmenting and Localizing Spam Campaigns
Shots from the Malicious Wild West - Sample Four

Two Copycat Web Malware Exploitation Kits in the Wild

Wed, 24 Sep 2008 10:28:37 +0000

We're slowly entering into "can you find the ten similarities" stage in respect to web malware exploitation kits, and their coders continuous supply of copycat malware kits under different names, taking advantage of different exploits combination. Copycat web malware exploitation kits are faddish, however, from a strategic perspective, releasing exploits kits like this one covered by Trustedsource, consisting entirely of PDF exploits, can greatly increase the exploitability level of Adobe vulnerabilities in general.

A similar web malware exploitation kit, once again using only Adobe related exploits is Zopa. Have you seen this layout before? That's the very same layout MPack and IcePack were using, were in the sense of cybercriminals preferring to use much mode modular alternatives these days. Ironically, Zopa is more expensive than MPack and IcePack, with the coder trying to cash-in on its biased exclusiveness and introduction stage buzz generated around it.

The second web malware exploitation kit is relying on a mix of exploits targeting patched vulnerabilities affecting IE, Firefox and Opera, with its authors asking for $50 for monthly updates, updates of what yet remains unknown. Both of these kits once again demonstrate the current mentality of the kit's coders having to do with -- thankfully -- zero innovation, fast cash and no long-term value.

However, modularity, convergence with traffic management kits, vertical integration with cybercrime services and bullet proof hosting providers, advanced metrics, evasive practices, improved OPSEC (operational security), and dedicated cybercrime campaign optimizing staff, are all in the works.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action