STE WILLIAMS

Call of Duty hacker behind bars after college burglary

A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up game Call of Duty has been jailed for 18 months.

Lewys Martin, 20, of Deal in Kent, used the malware to harvest bank login credentials, credit card details and internet passwords from the compromised Windows PCs of his victims. Martin then apparently laundered the credentials via underground cybercrime forums, earning $5 or less for every credential, directing proceeds of his criminal activity towards an offshore account in Costa Rica, funds which remain beyond the reach of UK police.

Martin’s activities might have gone undiscovered if not for his arrest during what police described as a drunken attempt to break into a local college and steal computer equipment. Police who raided his home discovered printouts of stolen credit card numbers and papers relating to a fraudulent bank loan, obtained under a false name.

The student was convicted last November but sentencing was deferred to allow him to complete a university computer course. However, bail was revoked after Martin was caught with several other individuals trying to break into Walmer Science College in Deal.

He caused hundreds of pounds' worth of criminal damage during the bungled burglary, according to local reports.

Martin was prosecuted and subsequently convicted for three burglary and fraud charges, leading up to a sentence hearing this week when he was jailed for 18 months.

A court clerk at Canterbury Crown Court confirmed the terms of the sentencing this week, which followed earlier guilty pleas on the specimen charges. Further fraud charges were taken into consideration in sentencing Martin to a substantial spell behind bars.

Gamers are a popular target for malware distributors. Much of this malign activity is directed at gamers in the Far East but Western shoot-em-up and role-playing fans are also at risk and ought to be wary of malware posing as gaming cracks and other common tricks, as explained in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/18/call_of_duty_vxer_jailed/

Facebook and IM apps abused to spread social-climbing worm

Security watchers are warning users about a new worm that spreads via Facebook’s instant messaging feature and also inserts itself under the guise of misleading messages on other social networking websites and IM services.

The malware typically arrives in the form of a private Facebook IM that points towards a malware-loaded website, using shortened links to disguise the true destination. Supposed images on these websites are actually malware-tainted .zip archives, harbouring a strain of malware dubbed Steckct-EVL by Trend Micro.

If opened, the archive goes to work disabling security software on the infected PC before downloading a second strain of malware onto the compromised Windows machine. This secondary infection is designed to monitor victims' activity on social networking websites. Dubbed Eboom-AC by Trend Micro, it snoops on message posting, the deletion of posted messages and the sending of private messages via websites including Facebook, MySpace, Twitter, WordPress and Meebo.

The worm spreads in part by posting messages containing a link to a copy of itself on the websites it targets, which include Twitter and MySpace, as well as Facebook. The dodgy messages are also capable of spreading from infected machines onto Yahoo! and other mainstream IM networks.

Facebook worms have been seen before, most notoriously the Koobface worm. The latest threat is nothing like as sophisticated or widespread, but still merits attention.

Trend Micro is working with Facebook to filter out malicious links from users’ feeds. The anti-virus firm warns that although infection rates remain low, Steckct-EVL remains a threat because both its damage and distribution potential are high.

A write-up of the attack can be found in a blog post here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/21/facebook_im_spreads_worm/

Anonymous takes out Indian CERT as attacks continue

Hacktivist group Anonymous continued its attacks on the Indian government and creative industries at the weekend by taking out the web sites of the national CERT and the country’s President in retaliation for widespread blocks on video and file sharing sites.

The group’s @opindia_revenge Twitter account documented the latest attacks, which also appeared to take offline the web site of film company and broadcaster Reliance Big Entertainment, and government portal india.gov.in.

All are now back online, having apparently been struck by a DDoS attack on Saturday or Sunday.

In a more unusual attack, the group also defaced the web site of an apparently innocent company – ABC Krishi Equipments – which makes agricultural machinery, in an apparent warning to the government.

“Government wouldn’t want this to happen on their website ryt? They shud know we are still watching,” the group tweeted.

The attacks were first heralded over a week ago in a YouTube message from the hacktivist group which called out the Department of Telecommunications for effectively ordering Internet Service Providers to block file-sharing sites in India.

In reality it was Chennai-based anti-piracy service provider Copyright Labs which won the injunction from the Supreme Court to stop sites which were allowing the illegal sharing of the Tamil movies 3 and Dhammu.

When implemented by the ISPs, however, the John Doe order also blocked several legitimate sites including Vimeo and Daily Motion.

The #OpIndia campaign is just the latest in a long line of high profile attacks on governments and big business which the group has accused of corruption, censorship or human rights abuses.

However, Anonymous was forced to deny responsibility for a separate attack on an Indian military web site labelled part of ‘Operation Kashmir’.

“We are not involved in attacking the web site of the Indian National Army,” it told Times of India. “We believe a country’s defence organisations should be left alone.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/21/india_anonymous_cert_ddos/

Call of Duty hacker jailed after meatspace burglary

A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up game Call of Duty has been jailed for 18 months.

Lewys Martin, 20, of Deal in Kent, used the malware to harvest bank login credentials, credit card details and internet passwords from the compromised Windows PCs of his victims. Martin then apparently laundered the credentials via underground cybercrime forums, earning $5 or less for every credential, directing proceeds of his criminal activity towards an offshore account in Costa Rica, funds which remain beyond the reach of UK police.

Martin’s activities might have gone undiscovered if not for his arrest during what police described as a drunken attempt to break into a local college and steal computer equipment. Police who raided Martin’s home discovered printouts of stolen credit card numbers and papers relating to a fraudulent bank loan, obtained under a false name.

The student was convicted last November but his sentence was deferred in order to allow Martin to complete a university computer course. However, bail was revoked after Martin was caught with several other individuals trying to break into Walmer Science College in Deal as part of a bungled attempt to steal computer equipment. He caused hundreds of pounds' worth of criminal damage during the attempt to steal computer kit, walkie-talkies and other gear, according to local reports.

Martin was prosecuted and subsequently convicted for three burglary and fraud charges, leading up to a sentence hearing this week when he was jailed for 18 months.

A court clerk at Canterbury Crown Court confirmed the terms of the sentencing this week, which followed earlier guilty pleas on the specimen charges. Further fraud charges were taken into consideration in sentencing Martin to a substantial spell behind bars.

Gamers are a popular target for malware distributors. Much of this malign activity is directed at gamers in the Far East but Western shoot-em-up and role-playing fans are also at risk and ought to be wary of malware posing as gaming cracks and other common tricks, as explained in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/18/call_of_duty_vxer_jailed/

Apache OpenOffice security fixes emerge

Details have emerged about the security fixes that came bundled with Apache OpenOffice 3.4.0, the latest version of the open-source productivity suite.

Apache OpenOffice 3.4.0, released last week, included fixes for three security vulnerabilities, all rated as “important”. The trio included an integer overflow error in the handling of embedded images and a memory overwrite bug connected with importing WordPerfect files. Both of these flaws might be used as a means to inject hostile code onto vulnerable systems, providing attackers are able to trick prospective marks into opening booby-trapped files. The third vulnerability involves what would appear to be a less serious program crash bug in the handling of malformed PowerPoint files.

Both OpenOffice.org 3.3 and the beta versions of 3.4 are affected by all three flaws, which get patched with Apache OpenOffice 3.4.0, the first release of the software under new management after Oracle handed over the project last year.

In related news, the Apache Software Foundation announced that downloads of the software had crossed the one million milestone since its release. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/18/apache_openoffice_security_fixes/

UK prosecutions for hacking appear to be dropping

The number of prosecutions under the UK’s computer hacking laws may have declined over recent years, according to the latest available government figures.

The number of prosecutions under the Computer Misuse Act came in a written Parliamentary answer by Crispin Blunt, prisons minister at the Ministry of Justice, in response to a question from Labour MP Madeleine Moon. The written answer – available via Hansard here – gives a breakdown by year and seriousness of offence for computer hacking offences dating between 2006 and 2010, the latest year for which figures are available.

There were 25 cases in which computer hacking featured as the main charge brought in 2006, a figure that has dropped more or less steadily to 10 prosecutions in 2010. There were 18 prosecutions in 2007 and 18 in 2008, then a slight spike to 19 in 2009 before the abrupt drop-off in 2010. Prosecutions declined both under Section One, the least serious category – which covers simple unauthorised access to a computer – and under the more serious charges in the Computer Misuse Act. Section Two offences cover unauthorised access with intent to commit some further crime, while Section Three offences cover unauthorised modification, including the creation of computer viruses and (more recently) the instigation of denial of service attacks.

A total of 18 serious offences were prosecuted in 2006 before a swift drop-off to between six and eight such prosecutions a year from 2008 to 2010, inclusive.

With such a small sample of less than 100 prosecutions it would be rash to read too much into the figures, especially since the stats only cover prosecutions where computer hacking offences were the principal offence under consideration by the courts. So if a suspect was convicted of banking fraud or phishing as well as computer misuse, and received a harsher sentence for the fraud, then the computer hacking prosecution would go unrecorded.

In addition the figures supplied provide no breakdown on the number of UK computer hacking prosecutions that actually resulted in a conviction. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/18/uk_hacking_prosecutions_decline/

Anonymous turns its DDoS cannons on India

Hacktivist collective Anonymous has turned its attention to India, taking down the web sites of the Supreme Court, the country’s two major political parties and several government sites in retaliation for a court injunction which led to the blocking of several video sharing and bit torrent sites.

The web sites of the Department of Telecoms, the IT ministry, the BJP and INC parties and the Supreme Court, among others, were all hit in time-honoured Anonymous tradition by DDoS attacks presumably made possible thanks to the group’s preferred weapon: the low orbit ion cannon.

The group first signalled its intent to launch #OpIndia in a YouTube message posted over a week ago, which said the following:

We have come to the conclusion that the Indian government has failed. It is time that we all rise and stand against the corrupt government. The Department of Telecommunications has ordered Internet Service Providers to block file-sharing sites in India. We cannot let this happen.

While some sites, such as those of the two parties and the Supreme Court, appear to be up and running again now, the Department of Telecoms and the Ministry of IT sites were still down at the time of writing.

Also down for ‘maintenance’ was the site of Copyright Labs, the Chennai-based anti-piracy firm which obtained the original John Doe injunction (via ArsTechnica) against sites such as Vimeo, DailyMotion and The Pirate Bay to prevent illegal sharing of local films Dammu and 3.

Interestingly, judging by Anon’s increasingly exasperated messages from its @opindia_revenge account, some Indian users were worried that the DDoS attack would cause permanent damage to said sites.

One such Tweet read: “We are not doing any permanent damage to the websites. We just want file sharing sites to be unblocked.”

Despite some predicting that the hacktivist group was on its knees after high profile arrests of alleged members last year, it has made something of a comeback of late, launching well publicised attacks on the Kremlin, Virgin Media and even the ICO. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/18/anonymous_ddos_india_sites/

Atlassian warns of critical security flaw

Atlassian has warned of a critical security flaw in its Confluence product.

All versions of Confluence up to and including 4.1.9 are at risk, the company says, thanks to what it calls an “XML parsing vulnerability” that could lead to “denial of service attacks against the Confluence server” or allow intruders to “read all local files readable to the system user under which Confluence runs.”

The fix for the problem is simple: upgrade to Confluence 4.2, a step the company says is necessary because the problem cannot be fixed with a mere patch.

If an upgrade is not feasible, Atlassian has posted a mitigation procedure, but warns the actions it recommends “will only limit the impact of the vulnerability … not mitigate it completely.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/18/atlassian_critical_confluence/

Governments may hit social networks with cyber attacks

Social networking operators like Facebook and Twitter need to consider themselves much more vulnerable to attacks – not because they are more vulnerable or more attractive to criminals than previously, but because states are now actors in security threats.

According to Phillip Hallam-Baker, vice-president and principal scientist of Comodo Group, “The introduction of state actors means you now need to be serious about security if you’re doing social networking: the Facebooks, the Twitters, need to consider themselves targets of attack, because what they do is of interest to states.

“Because of events like the Arab Spring, decisions about the Internet are now being made at the very highest levels of government,” he said – reflected not only in state-driven attacks on security, but also in the emergence of various international “cyber” treaties, which only exist because the highest levels of government consider the issue worth top-level attention.

Hallam-Baker told AusCERT delegates that it’s clear state interest in the Internet is growing – and that includes the incidence of state-based attacks of various kinds.

Since June 2010’s Stuxnet, he said, attacks that appear to emanate from states have been occurring with increasing frequency.

It’s not that “the sky is falling”, he said – after all, the problem of professional criminals crafting attacks on the Internet is at least 15 years old. “It’s that we have a new threat actor on the horizon, and we need to be aware of them. We don’t need to panic, but we do need to consider state actors as a risk.”

The two code-signing certificates used in Stuxnet, for example, suggest that the keys behind those certificates were compromised, allowing the signing of device drivers.

Closer to home for Hallam-Baker, when one of Comodo’s resellers was breached, an attacker was able to request the issue of nine certificates, only one of which the company knew to have been retrieved.

However, such incidents – and the more notorious DigiNotar disaster of 2011 – have shaken the certificate industry out of the complacency it had developed, partly (he said) “because it has worked so well”.

“If the system had been breaking all the time over fifteen years, attacks like DigiNotar would never have succeeded.”

Comodo is proposing a “trust broker” that can act as a curator of trust information (not only certificate information) to help provide more dependable information than a browser could collect for itself.

“Even though attacks are rare” when the attacker is a state, “they are very consequential.” And while this means that the Internet’s trust infrastructure needs revision to cope, any new proposal “must meet all the requirements of the old”, as well as adding the ability to defend the trust infrastructure from state actors, he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/gov_hackers_to_hit_social_networks/

Seeing ads on Wikipedia? Then you’re infected

Surfers who see ads when they visit Wikipedia are likely infected with malware, the online encyclopedia warns.

Wikipedia relies on donations to fund its work, resisting the temptation to put ads on its pages. So internet users who see commercial ads when they visit the encyclopedia are being served content via cybercrime affiliates, a blog post by Wikipedia explains.

We never run ads on Wikipedia. Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year.

If you’re seeing advertisements for a for-profit industry (see screenshot for an example) or anything but our fundraiser, then your web browser has likely been infected with malware.

Wikipedia doesn’t warn over any specific malware but rather about the symptoms of click fraud, one of the more common ways that virus writers turn an illicit profit. The approach was used as the business model behind the infamous Flashback Trojan, which notoriously created a huge botnet on Mac machines until Apple belatedly patched the Java vulnerability that the malware had exploited. Cupertino released a clean-up tool earlier this week.

An updated analysis by Symantec, published on Wednesday, reveals that over a three-week period in April, the botnet displayed over 10 million ads on compromised computers. “Approximately 400,000 of those ads were clicked on, which would have netted the attackers $14,000 if they were able to collect it,” an anonymous Symantec researcher explains. “Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid.

“It is estimated the actual ad-clicking component of Flashback was only installed on about 10,000 of the more than 600,000 infected machines. In other words, utilising less than 2 per cent of the entire botnet the attackers were able to generate $14,000 in three weeks, meaning that if the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year,” Symantec adds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/wikipedia_click_fraud_malware_warning/