[SecurityRatty] tag: recruitment

BusinessWeek Online Content Hit By SQL Injection, A Total Of 721 Scripts Attempted To Infect Visitors

Mon, 15 Sep 2008 18:25:40 +0000

Malicious hackers have broken into several sections of BusinessWeek.com and as a result the content has been infected by Mal/Badsrc-C via SQL injection. The infected pages are related to to jobs and recruitment. Currently hundreds of pages on BusinessWeek.com are being rigged with malicious JavaScript pointing to third-party servers. Visitors to the site execute the script, [...]

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

Mon, 28 Jul 2008 23:29:54 +0000

It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking improving the monetization of what used to be commodity goods and services.

Today, a botnet will not only be sending out phishing emails, automatically SQL inject vulnerable sites across the web, but also, provide fast-flux infrastructure to money mule recruitment services, all of this for the sake of optimizing the efficiency provided by the botnet in general. This optimization makes it possible for a single botnet to be partitioned and access it it sold and resold so many times, that it would be hard to keep track of all the malicious activities it participates in. Cybercrime in between on multiple fronts using a single botnet is only starting to take place as concept.

That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

Murky until now? I can barely see in the room due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.

The Storm Worm-ers themselves aren't sending out pharma spam, the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income based on a revenue-sharing affiliate program, a pharmacy affiliate program has been around for several years :

"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"

What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers whose job today is more of a campaign-rotation related in order to ensure new bots are added, what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.

Related posts:
Storm Worm Hosting Pharmaceutical Scams
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Money Mule Recruiters use ASProx's Fast Fluxing Services

Fri, 18 Jul 2008 02:23:49 +0000

Just consider this scheme for a second. A well known money mule recruitment site Cash Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also providing hosting services for several hundred domains used on the last wave of SQL injection attacks. Ironically, the money mule recruitment site is sharing IPs with many of them. Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; catdbw.mobi; cdrpoex.com etc. ) anyway?

"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a secure, fast, and inexpensive means of sending money from the UK to offline recipients worldwide. Recipients do not require a bank account or Internet connection to receive funds. We have teamed with select local disbursement partners to provide a convenient, secure, and cost-effective means of sending money to family, friends and business partners abroad. The basic requirements to send money/transfer money are:

1) Senders must have Internet access and a bank account or credit/debit card to transfer money. However, recipients do not require either a bank account or Internet connection.

2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution partner instantly, or, in most countries, money can be delivered to the recipient in a matter of hours.

3) Our local agents will call your recipient (during local business hours) to provide additional details, including: forms of identification required, hours of operation, and other locations. The sender will also receive an email confirmation with transaction details and tracking information."

The fast-flux infrastructure they're currently using is also providing services to domains that are currently used, or have been used in previous SQL injection attacks. Some info on the current DNS servers used in the fast-flux :

ns10.cashtransfers.tk
ns11.cashtransfers.tk
ns1.cashtransfers.tk
ns12.cashtransfers.tk
ns2.cashtransfers.tk
ns13.cashtransfers.tk
ns3.cashtransfers.tk
ns14.cashtransfers.tk
ns4.cashtransfers.tk
ns15.cashtransfers.tk
ns5.cashtransfers.tk
ns16.cashtransfers.tk
ns6.cashtransfers.tk
ns17.cashtransfers.tk
ns7.cashtransfers.tk
ns8.cashtransfers.tk

With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, scammers, spammers, phishers and malware authors are only starting to experiment with the potential abuses of such an underground ecosystem build on the foundations of compromises hosts.

Related posts:
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Fast Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Spam
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Fake Porn Sites Serving Malware - Part Two

Mon, 07 Jul 2008 23:24:00 +0000

What we've go here is the same malware gang using the very same malicious ISP among the ones you rarely see in any report, continuing to crunch out domain redirectors using the same templates for fake porn sites. And since some of the fake sites are actual redirectors, periodically revisting them leads to more fake codecs and even more actionable intelligence into the nature of their practices, and which are the ISPs proving them with hosting services for several consecutive years.

The main redirector in this campaign popular-adult.com is also responding to :

basic-adult .com
business-adult .com
center-adult .com
comp-adult .com
compadult .com
controladult .com
cruiseporn .com
drive-adult .com
ebony-adult-video .com

ebony-pornmovie .com

ebony-video-xxx .com
engine-adult .com
fat-adult-video .com
fat-pornmovie .com
fat-video-xxx .com
global-adult .com
inc-adult .com
name-adult .com
nameadult .com
other-adult .com
partadult .com
pleasureadult .com
porn-abc .com
porn-contact .com
porn-global .net
porn-go .net
porn-group .net
porn-party .net
porn-play .net
porn-plus .net
porn-power .net
porn-room .net
pornabout .com
porndrive .net
pornhelp .net
pornname .net
pornstar-adult-video .com
pornstar-pornmovie .com
pornstar-video-xxx .com
room-adult .com
scan-adult .com
seek-adult .com
u-adult .com

The secondary redirectors going out of popular-adult.com :

pornname .net/ted/382634557/1/
porn-abc .com/ike/1666520193/1/
pornhelp .net/dense/876421348/1/
porn-play .net/cristina/1970565499/1/
porn-global .net/percival/330780624/1/
porn-contact .com/cisse/854714304/1/
porn-play .net/honora/888715608/1/
pornname .net/deidre/1964468519/1/
pornhelp .net/pip/1977382266/1/
porndrive .net/shelton/767217618/1/
pornhelp .net/mat/354381578/1/
pornabout .com/tobe/1436617289/1/
porn-go .net/samson/7633197/1/
porn-contact .com/teresa/409084583/1/
porn-party .net/basil/1305549820/1/
porn-contact .com/ed/1067772053/1/
porn-contact .com/frish/1287341391/1/
pornname .net/mariah/53967973/1/
pornname .net/jacobus/291129748/1/
porn-plus .net/beverly/2122167311/1/
porn-party .net/lulu/917088357/1/
pornabout .com/boetius/1991451664/1/
cruiseporn .com/padde/1296397392/1/
porn-power .net/arch/334137732/1/
cruiseporn .com/meta/377489795/1/
porn-room .net/lynette/1518855371/1/
porn-play .net/link/1975737157/1/
hporn-global .net/vin/1241430020/1/
porndrive .net/dunk/1245242641/1/
porn-go .net/louisa/1685718172/1/
pornhelp .net/dunk/1859215260/1/
porn-contact .com/celia/1805798677/1/
porn-play .net/anabelle/987641695/1/
porn-room .net/rille/815076192/1/
pornabout.com/hodge/1040019816/1/
porn-abc .com/claes/1130748100/1/
pornabout .com/frederick/1987458246/1/
porn-go .net/fredde/1153431432/1/
porn-party .net/felicity/705720374/1/
porndrive .net/ginne/1183690031/1/
porn-group .net/kimberle/706468800/1/
porn-room .net/helen/565953612/1/
porn-party .net/arche/1387111363/1/
porn-contact .com/kingston/232354071/1/
pornhelp .net/mima/1024064014/1/
porn-power .net/gretchen/152347961/1/
porn-contact .com/ophelia/840853119/1/
porn-play .net/eleanor/88926029/1/
porn-power .net/bella/1712681771/1/
porn-global .net/melchizedek/1823498218/1/
pornabout .com/gabbe/1478560492/1/
porn-party .net/obedience/1540587230/1/
porndrive .net/rod/1177331120/1/
porn-play .net/gee/1314369182/1/
pornname .net/phineas/975226015/1/
porn-global .net/reynold/131075998/1/
porndrive .net/bat/1542809624/1/
porn-global .net/hans/400396810/1/
porn-contact .com/mock/1738069316/1/
porn-plus .net/tryphosia/354085313/1/
porn-room .net/bazaleel/1417267786/1/
porn-contact .com/joyce/353938308/1/
porn-power .net/laine/780004499/1/
pornhelp .net/mille/988856007/1/
cruiseporn .com/dare/258399427/1/
porn-global .net/nat/2039108680/1/
pornname .net/eudora/2132399934/1/
porn-go .net/ana/277211595/1/
pornhelp .net/auge/1990287956/1/
porn-contact .com/danial/1195423348/1/
porn-abc .com/teresa/1787982397/1/
porn-go .net/lawrence/1575543567/1/
porn-go .net/sherre/1066718744/1/
porn-contact .com/jack/657185819/1/
porn-abc .com/manda/216390544/1/
porn-party .net/chuck/1533427157/1/
porndrive .net/lucille/215841052/1/
cruiseporn .com/rodney/1024994863/1/
pornname .net/sheldon/669324635/1/
porn-global .net/janet/1677642355/1/
porn-global .net/basil/635902337/1/
porn-party .net/adela/980553444/1/
cruiseporn .com/charles/2038221862/1/
pornabout .com/sid/644600064/1/
porn-abc .com/eloise/1882289515/1/
porndrive .net/bryant/724023427/1/
porn-party .net/bonne/305120344/1/
porn-play .net/susan/826151266/1/
porn-room .net/sheila/439221958/1/
porn-go .net/valere/1498454342/1/
porn-contact .com/asenath/1036530205/1/
porn-plus .net/marcus/51947065/1/
porn-party .net/bridgit/518065759/1/
porn-plus.net/shawn/1427002427/1/
cruiseporn.com/alicia/1252994155/1/
porn-abc.com/arminda/975985679/1/
porn-party.net/lionel/929052416/1/
porn-contact .com/ande/1755833202/1/
porn-power .net/cyrus/732691977/1/
aboutadultsex .com/heloise/1008109638/1/
adultzoneworld .com/barne/506956701/1/
superporncity .com/roberta/1239682918/1/
pornhelp .net/eurydice/1944564451/1/
theadultpost .com/volodia/543769984/1/
porn-play .net/bird/760635633/1/
coolbestporn .com/bradford/578099145/1/
porn-plus .net/delilah/465854735/1/
porn-power .net/pheney/698426424/1/
porn-party .net/cristina/940229631/1/
porn-party .net/justin/1913395886/1/
porn-contact .com/lotte/1794233444/1/
porn-party .net/nowell/850070721/1/
worldbestadult .com/parthenia/1858633626/1/
funpornsite .com/patience/188018581/1/
adultsexpro .com/isse/1981168802/1/
adultsexpro .com/isabelle/683364151/1/
porndrive .net/erne/906935790/1/
porn-power .net/delpha/178727494/1/
porn-plus .net/chesley/1261676752/1/
porn-plus .net/selina/11889629/1/
porntimeguide .com/arnold/1555784224/1/
aboutadultsex .com/doug/1975246767/1/
porn-global .net/clum/1615653087/1/
funxxxporn .com/kym/739810260/1/
porn-plus .net/roxane/2022633909/1/
worldbestadult .com/vicke/955775101/1/
porn-play .net/jane/1396714471/1/
pornname .net/nicole/1695768032/1/
adultvideodot .com/bela/96070992/1/
porn-room .net/carre/1310194786/1/
adultsexpro .com/azubah/141802741/1/
theadulteye .com/pheney/1077328499/1/
porn-party .net/chick/1522449297/1/
aboutadultsex .com/elbert/1300176621/1/
findadultsex .com/lorre/2057361400/1/
teenporntop .com/aristotle/901956477/1/
coolbestporn .com/bartel/94175118/1/
porn-plus .net/deanne/70540201/1/
coolbestporn .com/appe/1679745028/1/
findadultsex .com/asaph/1439353641/1/
pornxxxfilm .com/tone/904077420/1/
funxxxporn .com/india/476477713/1/
adultvideodot .com/ed/879863981/1/
bestpriceporn .com/babbe/1457040435/1/
superliveporn .com/russell/56570486/1/

More fake porn video sites using similar site templates, and using the same redirection infrastructure :

porntubev20 .com
clearpornurlssite .com
mypornmovies .net
getyourfreemovie .com
tubescollection .com
free-best-porn .com/videos/
pornmovieshare .com
clipslab .com
mybestvideosite .com
avwav .com

The fake codecs download locations in this campaign :

aviutility .com
18x-adult2008 .com
2008x-adult-2008 .com
best-codec .com
hq-codec .net
mpegsystem .com
bestsoft-ware08 .com

The registrant and hosting provider :

Cernel Inc, Legal Department (support@cernel.net)
23404 W. Lyons Ave #223, Santa Clarita, Ca,91321
US, Tel. +1.6613470577

Historically, the same gang has been using the same hosting provider for many other fake codecs, which remain parked on the same netblock in a standby mode :

Fire-ticket .com - 64.28.184.162
Fire-codec .com - 64.28.184.163
Light-ticket .com - 64.28.184.163
Braketicket .com - 64.28.184.164
Mooncodec .net - 64.28.184.164
Light-codec .com - 64.28.184.165
Turbo-ticket .com - 64.28.184.165
Space-codec .com - 64.28.184.166
Ultra-ticket .com - 64.28.184.166
Brakecodec .com - 64.28.184.167
Demo-ticket .com - 64.28.184.167
Demoticket .net - 64.28.184.168
Hq-ticket .com - 64.28.184.168
Turbo-codec .com - 64.28.184.168
Hqticket .com - 64.28.184.169
End-ticket .com - 64.28.184.169
Nitro-codec .com - 64.28.184.169
Hqticket .net - 64.28.184.170
Clean-ticket .com - 64.28.184.170
Red-codec .com - 64.28.184.170
Black-codec .com - 64.28.184.171
Viva-ticket .com - 64.28.184.171
Niceticket .net - 64.28.184.171
Endticket .com - 64.28.184.172
Ultra-codec .com - 64.28.184.172
Wot-ticket .com - 64.28.184.172
Mega-codec .net - 64.28.184.173
Storm-ticket .com - 64.28.184.173
Megaz-ticket .com - 64.28.184.174
Vipcodec .net - 64.28.184.174
Democodec .net - 64.28.184.175
Giga-ticket .com - 64.28.184.175
Demo-codec .net - 64.28.184.176
Uin-ticket .com - 64.28.184.176
Hopeticket .com - 64.28.184.177
Hq-codec .net - 64.28.184.177
Best-codec .com - 64.28.184.178
Hope-ticket .com - 64.28.184.178
Endcodec .net - 64.28.184.179
Zero-ticket .com - 64.28.184.179
End-codec .net - 64.28.184.180
Pop-ticket .com - 64.28.184.180
Cleancodec .net - 64.28.184.181
Yupticket .com - 64.28.184.181

The deeper you go the more interesting it gets, malware command and controls located on the same network, fake banks, money mule recruitment sites, pharmaceutical scams and spam hosting - they or their customers if they are to forward the responsibility are definitely multitasking.

Related posts:
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

Security Briefing: June 23rd

Mon, 23 Jun 2008 06:39:10 +0000

Not bad. I actually managed to get a good night sleep.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Google and Wildcard Domains | GNUCITIZEN
Trojan plays anti-China games for hacking | The Economic Times
Villains Getting Smarter: Are We, Too? | Korea Times
Agency Sees Theft Risk for ID Card in Medicare | NY Times
Universities urged to tighten computer security | The Arizona Daily Star
Organised e-crime targets students for recruitment | ZDNet UK
Time to dismount the hamster security wheel of pain | The Regsiter
New security awareness posters aid the battle | Cambridge Network

Tags: News, Daily Links, Security Blog, Information Security, Security News

Slow removal of child sexual abuse image websites

Wed, 11 Jun 2008 10:02:32 +0000

On Friday last week The Guardian ran a story on an upcoming research paper by Tyler Moore and myself which will be presented at the WEIS conference later this month. We had determined that child sexual abuse image websites were removed from the Internet far slower than any other category of content we looked at, excepting illegal pharmacies hosted on fast-flux networks; and we’re unsure if anyone is seriously trying to remove them at all!

It is perhaps timely that this week three large ISPs in the USA have announced that they have decided to block access to child sexual abuse image newsgroups on Usenet and remove sites hosting this material from their servers. This was initially inaccurately reported so as to imply the installation of blocking systems for other people’s websites; which is unlikely to be especially effective, and may even provide an “oracle” by which the people who seek illegal material can locate new websites to visit.

Our new paper, “The Impact of Incentives on Notice and Take-Down”, examines a number of different types of wicked Internet content and discusses how effective people are at getting the material removed by serving notices upon the website owners who host it. We have a number of interesting results, but perhaps the most striking is that although phishing websites impersonating banks are generally removed in a couple of hours, the mean lifetime for a website hosting child abuse images is almost a month and even the median (the time by which half of the sites are removed) is 12 days.

We believe that the reason that the child abuse image websites are removed so slowly is that the Internet Watch Foundation (IWF), who collate a list of illegal sites, is only prepared to talk directly with the hosting ISPs within the UK. If the site is hosted abroad (which is now 99.8% of all sites) the IWF informs the UK police, who pass the message on to law enforcement in the relevant country, and that clearly leads to considerable delays. Furthermore, the same parochial attitude appears to be taken by similar organisations in other countries.

The IWF are a member of INHOPE, an association of child sexual abuse image reporting hotline organisations operating in 29 countries, and the IWF will also pass reports to the appropriate INHOPE members. However, in the US, which hosts around half of all the illegal sites, IWF tell us that NCMEC the hotline operator there will only pass on notices to their members — and that means that American ISPs do not get a timely notice.

We think it is the close involvement with the police, who have to operate within a particular jurisdiction, which leads the IWF to believe that they would be “treading on other people’s toes” if they contacted ISPs outside the UK. I assume that this is why I was firmly told in an email this week that they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”. Indeed, this echoed in a letter to The Guardian today by John Carr who says “The IWF cannot issue a notice to a Polish or Irish internet service provider”.

We don’t think there is some magical international permission given to the people who try to take down any of the other types of content we studied — from phishing, to fake escrow sites, to illegal pharmacies. It only seems to be INHOPE members, dealing with child sexual abuse images, who are not prepared to make an attempt!

Besides this issue, we have a number of other interesting results in the paper (so do read it!) For example we looked at “mule recruitment websites” — with job adverts for payment processors who will be conned into handling the proceeds of phishing scams in the belief that they’re handling payments for legitimate companies. These sites are only taken down by volunteer (amateur) efforts — since they don’t attack any particular bank, but the whole industry, no particular bank is prepared to put in any effort to remove them. Unsurprisingly, their average lifetime is 13 days (mean 8 days) — far longer than the phishing websites — which is not good news for gullible consumers.

DPC urges Jobs.ie customers to be wary

Mon, 31 Mar 2008 09:43:58 +0000

The Data Protection Commissioner's (DPC) office has urged those affected by last week's security breach at recruitment website Jobs.ie to be on their guard.

Irish jobs site compromised and personal information accessed

Mon, 31 Mar 2008 06:13:21 +0000

Technorati Tag: Security Breach

Date Reported:
3/27/08

Organization:
Jobs.ie

Contractor/Consultant/Branch:
None

Victims:
Job seekers and applicants

Number Affected:
Unknown

Types of Data:
Information contained on CVs (or resumes) often times including names, addresses, email addresses, phone numbers, job histories and other personal information.

Breach Description:
"A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database."

Reference URL:
Jobs.ie Important Notice
SiliconRepublic
The Irish Times
ElectricNews.net Ltd.

Report Credit:
Jobs.ie

Response:
From the online sources cited above:

A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database.
[Evan] Hacked?

It is understood that the hackers used an illegally obtained log-in and password given to employers who are registered with Jobs.ie to access the job applications area of the site. They then downloaded personal information from CVs submitted, along with job applications.
[Evan] How do you suppose that the "hackers" came into the possession of a log-in and password? Did they get it from a stolen laptop or other piece of equipment? Did they get it from someone's Post-It note? Did they socially engineer a legitimate user? Let's suppose that the "hackers" obtained the log-in through social engineering, or a social engineering type of attack. When most people think of a "hack" they think of some sophisticated and sleuthy high-tech intrusion. Although these "hacks" do exist, this is not how most criminals access confidential information without authorization. Many intrusions take place through relatively easy exploits such as convincing someone to give you their password (i.e. social engineering, phishing, etc.).

Several CVs were downloaded before Jobs.ie was alerted. While the company has not yet given exact figures on the number of its members who had private data stolen, it says an investigation is now under way
[Evan] Social engineering attacks are typically very difficult to prevent AND detect. Monitoring "legitimate" username and password access to data and looking for patterns of possible abuse is a sophisticated science and the amount of collected information can be enormous. It is usually easy to detect common network and host-based technical attacks because the patterns of traffic and commands differ from what would be considered "normal". Social engineering attacks can and often do go unnoticed.

Most of the stolen information relates to archive CVs rather than those of people now looking for jobs.

All site members whose CV was downloaded illegally were contacted immediately by Jobs.ie and alerted to the hacking
[Evan] Kudos to Jobs.ie for doing the right thing. Immediate notification is excellent.

The email stated: "Unfortunately your CV was one of the records taken. I understand and apologise for the concern this will cause you and I want to assure you that we are taking steps to prevent this happening again."

The email, signed by Huw Taylor, general manager of Jobs.ie, goes on to warn those whose personal data has been compromised to "exercise extra caution while conducting online activity".

It warns users of the possibility of being contacted by someone claiming to be a reputable company and asking for personal details or banking information.

Brian Honan of online security consultancy BH Consulting says on his firm’s official blog that there are no mandatory breach disclosure laws in Ireland and that Jobs.ie should be "commended for coming clean about the incident" and doing so within 24 hours of the breach.
[Evan] I agree with Brian.

Contrary to media reports, the DPC told ENN that, as of Monday morning, it had yet to be formally contacted in relation to the matter. The DPC said that the nature of the potential data lost was a cause for concern.

An IT professional who’s CV was one of those downloaded from Jobs.ie told siliconrepublic.com: "The worst that could happen is identity theft. It depends how much information you have on your CV too, some people are really foolish and put on PPS numbers and all sorts. Stealing CVs can be really handy for guessing or resetting peoples passwords."
[Evan] I wonder if this is a misquote. "The worst that could happen is identity theft."

Because most people would include an email address and mobile phone number on their CV, he said that as well as phishing or identity theft, there was also a risk of spamming.

Anthony Gibbons, another affected Jobs.ie member, said to siliconrepublic.com: "This is far more significant than the loss of encrypted personal data from the blood services."

"The fact that this information was illegally gathered increases the possibility of it being illegally used. This would include seeking personal loans and credit cards, identity theft, seeking false ID such as a driving licence or birth certificate, and identity cloning."

"Most people are reasonably aware about the dangers associated with unsolicited e-mails but they might be more inclined to be more responsive to someone who rang them claiming to be from their bank,"

Victims of the security breach who contacted The Irish Times said they had "grave concerns" in relation to their exposure to identity theft.

A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have. Please call +353 (0)1 680 8699 or email info@jobs.ie

Commentary:
It is unlikely that a criminal could use the information obtained in this attack for identity theft, directly. The information could be used to glean further information from the victims, which in turn could lead to identity theft. The criminals gained information that wasn't meant for general public consumption. If I were a victim, I would be much more vigilant and on alert.

Past Breaches:
"Jobs.ie, one of the State's largest recruitment sites, said it had never before had such a breach."

New Air Force Recruitment Campaign Touts Fledgling 'Cyber Command'

Wed, 27 Feb 2008 21:00:00 +0000

A 30-second TV spot aims to excite would-be recruits by showing Air Force cyber warriors handily defeating a hacker targeting the Pentagon.