[SecurityRatty] tag: victims

Best Western Hotel Online Booking Breached, 8 Million Victims In Personal Data Theft

Mon, 25 Aug 2008 09:57:47 +0000

Criminal gang has stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds. Thursday night, an unknown hacker, possibly indian, successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it [...]

A Diverse Portfolio of Fake Security Software - Part Four

Mon, 25 Aug 2008 01:58:02 +0000

Thanks to the affiliate based business model that's driving the increase of fake security software and rogue codecs serving domains, the very same templates, but with different domain names, continue appearing in blackhat SEO, spam, and malicious doorways redirection campaigns.

Moreover, with the "time-to-market" of a fake security software decreasing due to the efficiency approach introduced in the form of tips for abuse-free hosting services provided by the "known suspects", and the freely available templates, we're slowly starting to see the upcoming peak of this approach.

In a true proactive spirit, the domains parked at 216.195.56.88 are all upcoming fake security software, to be introduced anytime soon.

fast-pc-scanner-online .com - (92.62.101.41; 91.203.92.48; 91.203.92.106; 58.65.238.171)
top-pc-scanner .com
buy-secure-protection .com
security-scan-pc .com
pc-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
topvirusscan .com
virusbestscan .com
best-security-protection .com
infectionscanner .com
virusbestscanner .com
full-protection-now .com

Pwrantivirus .com - 91.208.0.246
vav-x-scanner .com
vav-scanner .com
scanner.vavscan .com
malware-scan .com
Scanner-Pwrantivirus .com
Xpertantivirus .com
Scanner-xpertantivirus .com

spyware-quickscan-2008 .com - (216.195.56.88)
virus-quickscan-2008 .com
spyware-quickscan-2009 .com
virus-quickscan-2009 .com
winmalwarecontrol .com
antispyware-quick-scan .com
virus-quick-scan .com
antivirus-quick-scan .com
winprivacytool .com

topantispyware2008 .com - (216.195.56.86)
cleanermaster .com - (216.195.56.85)
antivirus777 .com - (67.228.120.3)
pcsecuritynotice .com - (67.228.120.3)

Whereas the average Internet users are falling victims into this type of fraud, what I'm more concerned about is the large traffic the malicious domains receive in general due to all the different traffic acquisition tactics the people behind them apply. This anticipated traffic can then be greatly used as valuable metrics for the many other malicious ways in which it can be monetized.

Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Spam Victims Wont Go to Rehab, No No No

Wed, 20 Aug 2008 06:10:51 +0000

I was reading the Symantec State of Spam report for August and I thought this was funny and tragic– email spam targeting alcoholics and other users, and advertising rehab services. Users click the link allegedly for a rehab program, enter their personal information — and instead of getting help, they get scammed.

The report says:

July 2008 saw the emergence of rehab spam. Subject lines have included

- Get help today with Drug Rehab Info
- Overcome Alcoholism today
Spammers are constantly trying new tactics to try and coerce recipients into opening a
spam message so that they can obtain personal information from end users. In this particu-
lar example, they are trying to target individuals who are not in good health, in the hopes
that they will act on this spam message and give away their personal details.

Read the full August State of Spam report here.

Reputation Attacks: A Little Known Internet Threat

Mon, 18 Aug 2008 08:02:44 +0000

Reputation attacks target both individuals and companies, and their goal is to ruin the victims reputation. While attack techniques are varied, the consequences are often the same: a damaged reputati...

Digital Cash in Iraq

Mon, 11 Aug 2008 08:53:52 +0000

Smart cards have still never quite taken off across the US, and at this point its fair to wonder if they will or if they will be eclipsed by phones or some such, but smart cards sure are big outside the US. One of the most interesting applications is of course digital cash and transaction processing. Net1 UEPS (ticker: UEPS) out of South Africa appears to be the leader here having built a $1.2B business out of this model. there are lots of regions in the world where people are underbanked or unbanked altogether and where its dangerous to have too much cash. I blogged about this earlier on Beer, Shotguns and Digital Cash.

Now Net1 UEPS is in Iraq as well:

The first UEPS transaction was performed on Sunday, August 3, 2008, in Baghdad, Iraq, during the official launch of the UEPS smart card technology with the two state banks namely, Rafidain Bank and Rasheed Bank.

The official launch, attended by invitees from Rafidain Bank, Rasheed Bank, the Iraqi Government, War Victim Ministry and Martyrdom Ministry, demonstrated smart card registration, biometric enrolment and issuing of UEPS cards, offline loading of wage payments and government grants to the UEPS cards and dispensing of cash.

The pilot project involving 100,000 beneficiaries is now ready for implementation across selected bank branches and will enable the distribution and payment of government grants to war victims and martyrdom beneficiaries, as well as salary and wage distribution and payment to employees of the two state banks.

Brenda Stewart, Net1 Senior Vice President Sales and Marketing, said, "From the entire team at Net1, we congratulate the Iraqi consortium on this historic achievement and look forward to the successful implementation of the various projects already identified for implementation, as well as the projects currently in business development. Net1 is proud that the development of its core technology, from which it creates end-user products that satisfy the requirements of its customers, can change the way business is conducted leading to the improvement of people's lives. We share the belief of our Iraqi partners that our technology can play a fundamental role in the upliftment of the economy. The success of any technology should be measured, not only by the profits it generates for its inventors, suppliers and users, but also by the difference that it makes to the lives of people," Stewart concluded.

I think there are lessons to be learned here wrt data and message level security. Net1 UEPS is a good example a of system carrying valuable assets across hostile terrain, web security architecture can learn a lot from this model.

P.S. If you are a Joel Greenblatt geek - UEPS is a magic formula stock (meaning they make cash and are priced cheaply) last time I checked.

Beijing Olympics Lottery Phishers Verify Their Victims

Tue, 05 Aug 2008 18:49:26 +0000

Websense has recently discovered another rogue Beijing Olympics website, this time for fake ticket lottery. The Web site uses the hostname that is a clear typo-squat to the official Olympic Games Web site at beijing2008.cn. Benefiting from the hype around the purchasing of tickets for the Games, the social engineering tactic behind this scam is to [...]

Card Wars: The Phantom Menace

Tue, 05 Aug 2008 11:06:16 +0000

Just like George Lucas can’t help but return to his old projects, I have been returning to mine. After three years of stagnation, I am pleased to announce the re-launch of phantomwithdrawals.com, freshly re-vamped, updated and turned into a Wiki editable by the general public.

In fact, it’s not just great artists like Mr. Lucas and I starting up old projects, our honourable colleagues wearing the black hats have got the same idea. We have new victims reporting in, rumours abound of an auth system compromise at Citi, the Ombudsman is backlogged with months of disputed withdrawal cases, and some like Alain Job are even going to court.

One original contributor to the phantom case histories has just been hit by a second phantom withdrawal five years on and is chalking up another case in the files. While her new phantom is a bread-and-butter skim incident (a magstripe clone used in the far east), amongst this mass, true phantoms — the real mystery cases — are on the rise too. Two new victims with whom I have been corresponding very kindly offered to fund the hosting for the revamped site.

Let’s consider one of these mysteries. The McGaughey case has been reported in the media in Northern Ireland: dozens of withdrawals taking place over four weeks, totaling almost five thousand pounds, all within a ten mile radius of the McGaughey’s home. Summarised that way it looks like a classic first party fraud (couple short on cash withdraw money, then deny it later). But no-one in the family is short on cash, the McGaugheys look after their card details carefully, and have solid alibis at the time of many of the withdrawals, and the interlocking pattern of real and disputed withdrawals is such that any third party would have a hard time taking and returning the card (whether covertly or in collusion with the McGaugheys). No-one appears to have either the means or the motive.

Unusually the bank has been very cooperative, providing logs from their authorisation system (BASE24), including all of the cryptograms, input data and transaction parameters covering the affected transactions. Everything turns on the Application Transaction Counter (ATC), an on-card counter which increments with every transaction initiated. If an EMV chip can be fully cloned (secret keys and all), then it will have to submit an ATC value when transacting, and if used in parallel with the real card, it won’t be long before the same number pops up twice in the auth system, or large gaps in the sequence appear. The McGaughey’s ATC sequence appears to interlock perfectly: clearly the original card was used?

Of course logs can be misinterpreted (Badger) or even faked, auth systems may not work as expected, and customers may lie and cheat following all sorts of agendas; just around the corner the missing piece of the jigsaw may lie, which reveals the truth behind the case. And there is the totally separate matter of who should suffer the loss in the interim, whilst the truth remains unclear. Liability for disputed withdrawals is the most hotly contested issue of all.

phantomwithdrawals.com can’t do much more for the McGaugheys, but it can bear witness. Documenting the incidence of phantoms and the experiences of customers disputing them adds much needed transparency to the process, and helps researchers and experts seek out the really interesting cases.

Maybe we can lift the lid and discover the truth behind the “phantom menace” — everyone is united in that goal at least — but let’s also hope that Episode 2: Attack of the Clones has not yet started shooting!

Mike.

CyberAngels has a great piece on CyberBullying

Fri, 01 Aug 2008 11:39:42 +0000

If you’re a parent, take the time to read this great article, for your kids sake.
Then talk to them about it.
You remember how tough it was to be a kid when there was no Internet right?
Imagine being bulled with zeros and ones.

clipped from www.cyberangels.org

Cyberbullying

The feeling of anonymity on the web makes it a perfect playground for students to engage in cruel behavior. A study from the National Crime Prevention Council (NCPC) says that 43 percent of teens reported being victims of cyberbullying in the past year.

Strong Attractors

Thu, 31 Jul 2008 09:30:24 +0000

Dan Geer and Dan Conway examine the metrics of where attackers are, and where they seek out victims.

Safari At Risk of a Cookie Monster attack

Thu, 31 Jul 2008 07:57:54 +0000

There are reports of a new Apple Safari flaw, exploiting cookies in the browser. However, the vulnerability exploit hasn’t been seen in the wild and there’s as yet no response from Apple about the flaw. Here’s the potential damages -

An attacker who successfully exploits the vulnerability could perform a session fixation attack. This allows the attacker to pre-set the victim’s session ID and to use the fixed session ID for malicious activities.

An attack of this sort, known as “cross-site cooking,” might include tricking a user to log in through a malicious form, exploiting a cross-site scripting vulnerability or meta tag injection flaw, breaking into host in the target server’s domain, and network traffic alteration.

To learn more, read the full article.