STE WILLIAMS

New stealthy botnet Trojan holds Facebook users hostage

A new strain of cybercrime Trojan is targeting Facebook users by taking over their machines and shaking them down for cash.

Carberp, like its predecessors ZeuS and SpyEye, infects machines by tricking punters into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites.

A new configuration of the Carberp Trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer, can be considered something of an escalation.

The Carberp variant replaces any Facebook page the user navigates to with a fake page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page asks the mark for their first name, last name, email, date of birth, password and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account.

Trusteer warns the cash voucher attack is in some ways worse than credit card fraud, because with e-cash it is the account-holder, not the financial institution, who assumes the liability for fraudulent transactions.

Trusteer said it does not have any concrete data on how many people might have been hit by this particular attack. But it warns social networking users, particular those with e-cash accounts, to be wary of this particular scam and potential follow-up frauds along the same lines, which might easily trap the unwary.

Amit Klein, CTO at Trusteer, commented: “The fraud technique is quite effective. Keep in mind that the user gets an authentic-looking message in the context of a genuine, deliberate log-in to Facebook. We do know that this is exactly where users are most susceptible to divulging personal information and following additional instructions, as their trust in the content is maximal.”

The use of anti-debugging and rootkit techniques make Carberp Trojan difficult to detect, warns security consultancy Context Information Security. Context said: “Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.”

Context adds that Carberp, which creates a backdoor on infected machines, can be controlled from a central administrator control panel, allowing botnet herders to more easily mine stolen data.

Trusteer said it had reported the attack to Facebook, and shared malware samples before going live with its blog post, a day after Facebook boasted it had been free of the Koobface worm for more than nine months.

“I don’t think that this incident contradicts their “virus free” statement, since Carberp only infects the victim PCs without any modification of the victim’s profile in Facebook or any other alteration of the Facebook site,” Trusteer’s CTO told El Reg. “And to the best of our knowledge, Carberp does not propagate through Facebook.”

Trusteer published a blog post on Wednesday featuring screenshots and more details of the Carberp e-cash scam in action. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/18/carberp_steals_e_cash_facebook/

Five Koobface botnet suspects named by New York Times

Five suspected masterminds behind the infamous Koobface botnet have been unmasked in a move abetted by Facebook to put the heat on cyber-crimelords.

Koobface, one of the most sophisticated strains of malware developed to date, has been harassing users of Facebook (and to a lesser extent Twitter) for years. Typically the virus writes status updates on victims’ Facebook profiles to lure their friends into installing a video codec that is actually a copy of the malware. Once installed on fresh hosts, the virus posts more status updates, thus continuing the infection cycle.

Five suspected members of the Koobface gang were named by The New York Times on Tuesday – a week after security researcher Dancho Danchev publicly outed the team’s alleged lynchpin. The NYT reports that Facebook has plans to share more information about the group. It’s hoped public disclosure will send a message to the digital underground as well as making it harder for the named individuals and their organisations to operate.

All five suspects are Russian nationals resident in the St Petersburg area.

Facebook security boss Joe Sullivan wrote on the social networking site: “This NY Times article highlights how hard it is for police to take action against cross-border cyber criminals. Facebook fought back hard against this gang and was able to get them to stop attacking Facebook users. According to the story, they are still out there targeting other websites.”

Facebook carried out a takedown against the command-and-control system behind Koobface last March, which halted the spread of the worm across its site. However the malware’s gang continues to be active in abusing other websites, according to a statement published by the social network this week:

After more than 3 years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over 9 months. Today, Koobface is still impacting other web properties and continues to threaten security for Internet users across the globe. While we have been able to keep Koobface off Facebook, we won’t declare victory against the virus until its authors are brought to justice. We feel it is in the interest of everyone online to work with law enforcement and the larger security community to identify the gang and see the full force of law brought to bear against those who have made millions in ill-gotten gains. To this end, we will be sharing our intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever.

The Facebook statement ends by linking to the NYT article to “find out more about Koobface” but does not itself name the five prime suspects of the case.

The crooks behind Koobface make their money from a combination of promoting scareware and raking in income from click fraud. Estimates of the gang’s earnings by various security researchers consistently run into the millions of dollars every year.

Danchev has been tracking the group’s activities for much of that time, becoming something of a nemesis to the gang controlling the botnet in the process. According to the researcher, one of his quarry recently made the mistake of using his personal email account to register a domain used by the Koobface worm’s command-and-control infrastructure.

Following clues down the rabbit hole

According to Danchev, this particular web address was registered using a Gmail account that was also used to advertise the sale of Egyptian Sphynx kittens in September 2007 under another name, along with a phone number. This number was then traced to an advert for a BMW.

The researcher alleges that the owner of that email account belongs to the Koobface gang, who refer to themselves as ‘Ali Baba and the 4’. He lists this bloke’s supposed postal address along with his email, Twitter, Flickr, ICQ and the Webmoney account details in a blog post. For good measure, Danchev also published a photograph of the accused man, a picture scraped from one of the suspect’s adverts.

“I’m still investigating the other members of the Koobface gang,” Danchev told El Reg. “[The alleged member] is the only one who made a simple mistake, allowing me to identify him personally.”


Similar investigative techniques were used by security blogger and former Washington Post reporter Brian Krebs, who outed the picture and personal details of the prime suspect in the Rustock botnet case last year.

Elsewhere Sophos released its own research into the Koobface gang, identifying the same alleged perpetrators as the NYT – Sophos has since updated its blog to remove the surnames of the accused, although their full names were given initially. SophosLabs malware expert Dirk Kollberg and independent researcher Jan Droemer compiled the dossier between October 2009 and February 2010, but the authorities requested that it be kept confidential at the time.

“The research involved scouring the internet, searching company records and taking advantage of schoolboy social networking errors made by the suspected criminals, their friends and family. We know the gang’s names, their phone numbers, where their office is, what they look like, what cars they drive, even their mobile phone numbers,” said Graham Cluley, senior technology consultant at Sophos. “Now we have to wait and see what, if any, action the authorities will take against the Koobface gang.”

The Register notes that none of the five men has been charged in connection to the Koobface case, and should be considered innocent until proven guilty. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/18/koobface_prime_suspect_outed/

NSA constructs hardened Android, unleashes it on world

The US Defense Department’s National Security Agency (NSA) has released a security-hardened version of Google’s mobile OS, Android.

The spook-enhanced build of the operating system was released last week and incorporates SELinux, the mandatory access control system also created by the National Security Agency. The inaugural release of the SE Android project focuses on limiting the scope for malicious or flawed apps to cause mischief, as explained in the project documentation:

Security Enhanced (SE) Android is a project to identify and address critical gaps in the security of Android. Initially, the SE Android project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the SE Android project is not limited to SELinux.

Links to SE Android source code and instructions on putting it together can be found on the project’s web page. The focus of the project is on damage limitation rather than prevention. The target audience of the project is clearly mobile developers, security experts or perhaps device manufacturers, and not regular Android smartphone users looking for a little extra privacy and security.

App support is low and if you don’t know what you are doing you might even end up with a bricked smartphone. The goals of SE Android were first publicly outlined during a presentation [PDF] at last year’s Linux Security Summit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/17/security_hardened_android/

Taxman two months late on cyber-crimefighters deadline

HMRC has missed a key deadline to create teams of cyber crime investigators and launch initiatives to counter the increased threat of web attacks on the authority’s systems and customers.

In its structural reform plan progress report (PDF) for December, HMRC says work on the project should have been completed by November 2011, but recruitment activity is still ongoing and the scheme will now not be completed until February.

However, some key posts have been filled and the supporting infrastructure is in place, according to the report.

The government has repeatedly said that it plans to address the lack of IT security experts in Whitehall and late last year published its cyber security strategy outlining how it plans to tackle the issue. It was revealed earlier this month that the government’s intelligence service GCHQ was offering retention payments to prevent technology experts leaving for big private firms.

Outlining HMRC’s progress on other IT projects, the report discloses that “work is ongoing” on the creation of a data link between the registrars and HMRC to facilitate customer claims and counter fraud. The work is due to be completed in June 2012.

HMRC is also working on the roll-out of an online registration wizard and tax dashboard for businesses by the end of April 2012, as well as launching the IT infrastructure for Real Time Information (RTI) during the same period. A campaign to align employer and HMRC data in order to support a smooth pilot and implement RTI data will happen by the end of April 2013, according to the document.

Other central government departments have also published their structural reform plans progress reports for December. The Department of Health reveals (PDF) that it has not yet completed its action to publish a plan and timetable to deliver greater patient control of records, which was scheduled to be completed by December.

“This action is dependent on the outcome of the NHS Future Forum’s further advice on information, published in January 2012, to inform the information strategy, which is to be published by April 2012. It is also linked with the broader cross government transparency agenda,” says the report.

The long awaited information strategy has been delayed a number of times since plans for an “information revolution” were first outlined in October 2010.

Separately, the Home Office reveals in its progress report (PDF) that it has not yet implemented the new immigration and asylum biometric system, which the government has said will strengthen its ability to control the entry of foreign nationals into the UK and identify those who pose a risk to Britain. The report discloses that this will now be done in February. IBM has a deal with the department to deliver the system.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/17/hmrc_misses_deadline/

GAME: Our website wasn’t hacked!

Leaked account login details are bogus, says chain

Video games purveyor GAME says it has not been hacked after reports yesterday claimed that the retail biz had suffered a security breach.

A list that purported to be 200 email addresses and unprotected clear text passwords from GAME was posted on Pastebin, sparking widely reported hacking fears on Monday.

However, after checking the leaked data, GAME said the information was bogus and issued a statement saying that it had no evidence of any breach to its database security:

At GAME we guard our customers’ details very carefully.

We have thoroughly investigated the hacking claims made today by the website Pastebin, and can confirm that they are entirely false. The published email addresses are not registered users of GAME.co.uk, and there has been no breach of our database security.

We would like to assure all our customers that their details are well protected, and advise anyone who has any questions to contact our customer services team via the website, our Facebook page or Twitter account.

We’ve no reason to doubt GAME’s statement, which raises questions about the motives of the prankster who concocted the wad of login details and dumped them on Pastebin in the first place, and about whether or not the data belongs to another site entirely. ®
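The check GAME describes, establishing whether a dumped list of logins actually belongs to your site, is the kind of triage any operator facing a Pastebin claim has to do, and the Zappos story below shows the same question from the other side (credential reuse across sites). The following is an added example, not code from GAME, Zappos or The Register. Both the dump and the user store are constructed, and the storage scheme (PBKDF2-HMAC-SHA256 with a per-user salt) is an assumption about how a site might keep passwords; the point is to separate "these addresses are not our users" from "our users' real passwords are in this paste".

```python
"""Triage a claimed credential dump against your own user store.

Added example (not GAME's, Zappos' or The Register's code). The dump and the
user table below are constructed; PBKDF2-HMAC-SHA256 with a per-user salt is
an assumed storage scheme, not anything the article describes.
"""
import hashlib
import hmac
import re

# Constructed dump in the loose formats such pastes use: "email:password" or "email;password".
CONSTRUCTED_DUMP = """\
alice@example.com:Password1
Bob@Example.com;hunter2
carol@example.net:letmein
junk line without separator
dave@example.com:wrongguess
"""


def _pbkdf2(password, salt):
    """Assumed storage scheme: PBKDF2-HMAC-SHA256, 100k iterations, per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> (salt, hash of the user's real password).
USER_STORE = {
    "alice@example.com": (b"salt-a", _pbkdf2("Password1", b"salt-a")),    # password really leaked
    "bob@example.com":   (b"salt-b", _pbkdf2("hunter2", b"salt-b")),      # leaked; dump differs only in case
    "dave@example.com":  (b"salt-d", _pbkdf2("Sup3rSecret", b"salt-d")),  # user exists, password wrong
}

# One line: an e-mail address, a ':' or ';' separator, then the claimed password.
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(.+?)\s*$")


def parse_dump(text):
    """Yield (normalised e-mail, claimed password) pairs; lines that don't parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def triage_dump(dump_text, user_store):
    """Classify each usable dump line as not_ours, password_wrong or password_valid."""
    verdicts = {"not_ours": [], "password_wrong": [], "password_valid": []}
    for email, password in parse_dump(dump_text):
        record = user_store.get(email)
        if record is None:
            verdicts["not_ours"].append(email)
            continue
        salt, stored = record
        # Constant-time comparison so the triage itself does not leak by timing.
        if hmac.compare_digest(_pbkdf2(password, salt), stored):
            verdicts["password_valid"].append(email)
        else:
            verdicts["password_wrong"].append(email)
    return verdicts


def is_probably_our_breach(verdicts, threshold=0.5):
    """Heuristic: the dump is 'ours' if most lines naming real users carry their real passwords.

    A paste full of addresses that are not registered (GAME's case) scores False;
    a paste of valid credentials for existing users scores True."""
    ours = len(verdicts["password_valid"]) + len(verdicts["password_wrong"])
    return ours > 0 and len(verdicts["password_valid"]) / ours >= threshold


if __name__ == "__main__":
    result = triage_dump(CONSTRUCTED_DUMP, USER_STORE)
    for verdict, emails in result.items():
        print(f"{verdict:15} {emails}")
    print("probably our breach:", is_probably_our_breach(result))
```

Valid matches are the ones to act on (forced reset, notification); addresses that exist but carry a wrong password still deserve a look, since they may be reused credentials from another site, which is exactly the follow-on risk the Zappos story below warns about.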

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/17/game_hack_denied/

Olympics volunteers urged not to blab online

Volunteers at this year’s Olympics should not “get involved in detailed discussion about the games online”, according to guidelines issued by organisers, a report says.

A spokesman for the London Organising Committee (LOCOG) told Out-Law.com that the volunteers, known as ‘Games Makers’, would be advised to go through official channels before commenting in the media, though they would not be forced to do so.

The spokesman rejected claims that the organisation had banned volunteers from making unapproved comments. He said LOCOG had issued the volunteers with “guidelines” about their interaction with the media and their use of social media during the Games with the intention of helping those inexperienced in media-handling from being “tricked”.

The guidelines include a “what to do and what not to do” section, according to a report by the BBC. Volunteers are told “not to disclose their location; not to post a picture or video of LOCOG backstage areas closed to the public; not to disclose breaking news about an athlete; not to tell their social network about a visiting VIP, eg an athlete, celebrity or dignitary; not to get involved in detailed discussion about the Games online,” the report said. The volunteers are allowed to ‘retweet’ official London 2012 messages, it said.

“We are encouraging the volunteers to speak to the media. We are not trying to control them or gag them. The majority of the media requests that the Games Makers get are for straightforward profile pieces which is fine, but there is going to be some media that will want to trick them in some way and we want to look after them as members of our workforce. The guidelines are about us helping them with their interaction with the media,” the spokesman said.

“As part of the workforce – and this would happen in other organisations – the line manager would have a word to say ‘you have done this’ and ‘be careful about how you are doing this’. We are not going to come down heavy-handed and throw them out,” he said.

The spokesman refused Out-Law.com’s request for a copy of the guidelines, stating that the material was only sent out to the volunteers. However, he said that some of the coverage about the guidelines issued had been “inaccurate”.

The LOCOG spokesman said the guidelines had been issued because there were “security elements” associated to the release of some Games-related information.

Up to 70,000 ‘Games Makers’ are expected to help in the operation of the London Olympic and Paralympic Games when they begin later this summer. New regulations setting out restrictions on the use of Olympic advertising and street trading around events came into force last month. There are also strict rules in place on the use of Olympic branding and other intellectual property.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/17/olympics_guidelines/

Japanese boffins fear virus nicked spacecraft blueprints

Japanese space engineers have admitted one of their computers has been infected by a Trojan that may have leaked sensitive data, including system login information, to hackers.

The breach also exposed blueprints stored in the attacked terminal, according to a statement by the Japanese Aerospace Exploration Agency (JAXA). Information potentially divulged by the malware includes data related to the H-II cargo transfer vehicle that is used to ferry equipment to the International Space Station.

The infected computer was removed from the agency’s network as soon as a red flag was raised over its erratic behaviour last August. Subsequent analysis revealed evidence of a virus infection. The machine was “cleaned up” before it was returned to use.

The same computer began playing up again earlier this month. A subsequent – and more thorough – investigation revealed the presence of a different species of malware. Logs revealed that data was extracted from the compromised machine between early July 2011 and 11 August 2011, or around a month before malware infection was first detected.

Data exposed by the breach may have included emails, technical specifications and operational information as well as login credentials. The space agency has reset potentially exposed passwords while it continues to investigate the scope of the breach.

The attack on JAXA follows a run of similar cyber-assaults against the Japanese government and industrial giants. Last September Mitsubishi Heavy Industries acknowledged that it had become the victim of the most high-profile of these cyber-attacks. The Japanese parliament confirmed it had been hit by another assault in October. Both attacks were blamed on Chinese hackers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/17/japan_space_agency_malware_scare/

Zappos coughs to HUGE data breach

Online shoe and apparel outlet Zappos.com has apologised over a massive data breach that exposed the personal details of millions.

Up to 24 million customers of the Amazon subsidiary may have been affected by the breach, which exposed names, email addresses, addresses, phone numbers, and password hashes. Zappos stressed that credit card data was not exposed. Hackers may have been able to lift the last four digits of credit card numbers but nothing beyond this, according to the e-tailer.

Accounts or passwords maintained with parent firm Amazon.com are not affected by the problem.

At the time of writing on Monday morning, Zappos is blocking international traffic to its blog, so customers outside the US are unable to see chief exec Tony Hsieh’s explanation on how the breach happened, which was posted late on Sunday night.

Hsieh said hackers “gained access to parts of our internal network and systems” through one of the firm’s servers in Kentucky, The New York Times reports. Zappos has reset passwords and is in the process of notifying customers about the breach. In the aftermath of the data spillage, Zappos has suspended its telephone support operation, asking customers to contact it only via email.

Surfers who made the mistake of using the same login credentials at Zappos and other sites are advised to change their passwords pronto, Hsieh said. The breach can be expected to result in an increase in regular spam and is likely to spawn phishing attacks, so even security-conscious users ought to be wary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/16/zappo_breach/

Namesco spits out phishy warning after credit card info leak

Namesco customers are angry over the domain name and hosting firm’s handling of a security breach that exposed their credit card details.

A number of punters’ card details were leaked after hackers broke into Namesco’s systems. The web biz notified these customers as well as advising a larger number of its clients to reset their passwords as a precaution.

Namesco warned that users’ account administration email, account names, dates of birth, contact numbers and postal addresses may also have been exposed by the breach, adding: “we have no reason to believe your site administration or email passwords have been affected”.

The officially sanctioned warning email contained a link where users could reset their Namesco passwords – rather than advising users to log into the site directly. Even worse, the password reset URL users see when they place their mouse over the link is different to that provided in the text of the email, and not on the names.co.uk domain (it points towards http://t.dadacommunication.com/xxxx before redirecting to https://admin.names.co.uk/reminder1.php).

This is just the sort of thing you’d expect to see in a phishing email, and it caused two recipients of the email we’ve corresponded with to initially dismiss the communication as an attempted scam before they contacted the firm directly.

Their initial doubts over the email are completely understandable, especially given it begins with the line: “This email is a genuine security communication from Namesco and contains important information about your credit card details; please do not treat this as SPAM” – just the sort of line a phishing email would peddle.

Namesco’s email has many of the characteristics of phishing emails the industry has been training users to ignore for years. In fact it’s so cack-handed that we expect it to be fodder for courses on how not to do security notifications for years to come.
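The traits the article lists (a link whose visible text shows one URL while its href points at a different host off the sender's domain, a reset link served over plain HTTP, and copy that vouches for its own genuineness) are all mechanically checkable, which is how mail filters and anti-phishing training classify such messages. The following is an added example, not code from Namesco, the email provider or The Register. The sample message is constructed to match the article's description and borrows only the two host names it mentions; the path "xxxx" is kept as the placeholder the article uses, and the sender domain is an assumption.

```python
"""Flag phishing-like traits in an HTML notification e-mail.

Added example (not Namesco's or The Register's code). SAMPLE_EMAIL is
constructed from the article's description; SENDER_DOMAIN is assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SENDER_DOMAIN = "names.co.uk"  # assumed: the domain the notification claims to come from

# Constructed sample body modelled on the article's description of the Namesco mail.
SAMPLE_EMAIL = """
<p>This email is a genuine security communication from Namesco and contains
important information about your credit card details; please do not treat
this as SPAM.</p>
<p>Please reset your password:
<a href="http://t.dadacommunication.com/xxxx">https://admin.names.co.uk/reminder1.php</a></p>
"""

# Self-vouching phrases that legitimate mail rarely needs and phishing mail leans on.
SUSPICIOUS_PHRASES = ("do not treat this as spam", "genuine security communication")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'same organisation' reduction: last two labels, or three for co.uk-style suffixes.

    Assumption: adequate for the hosts in this example; a real filter should use the
    public suffix list rather than this shortcut."""
    labels = host.lower().split(".")
    two_level = len(labels) >= 3 and labels[-2] in ("co", "ac", "gov", "org") and len(labels[-1]) == 2
    return ".".join(labels[-(3 if two_level else 2):])


def find_phishing_traits(html, sender_domain):
    """Return (trait, detail) findings for one HTML e-mail body, in document order."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        href_host = urlparse(href).netloc
        # Trait 1: the visible text is itself a URL but the href goes somewhere else.
        if text.startswith(("http://", "https://")):
            if registrable_domain(urlparse(text).netloc) != registrable_domain(href_host):
                findings.append(("link_text_mismatch", f"{text} -> {href}"))
        # Trait 2: the link leaves the sender's own domain (tracking redirectors included).
        if href_host and registrable_domain(href_host) != registrable_domain(sender_domain):
            findings.append(("off_domain_link", href))
        # Trait 3: a credential-related link over plain HTTP.
        if urlparse(href).scheme == "http":
            findings.append(("insecure_scheme", href))
    # Collapse whitespace so a phrase split across lines still matches.
    lowered = " ".join(html.lower().split())
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in lowered:
            findings.append(("self_vouching_text", phrase))
    return findings


if __name__ == "__main__":
    for trait, detail in find_phishing_traits(SAMPLE_EMAIL, SENDER_DOMAIN):
        print(f"{trait:20} {detail}")
```

A notification that avoided all four findings would tell users to log in to the site directly, or at least link only to the sender's own HTTPS host with link text that matches the href; each extra hop through a third-party redirector is another reason for a careful recipient to hit delete.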

We’ve personally heard from six Namesco customers who were notified about the breach. All are unimpressed by the firm’s handling of the incident and one is threatening to cancel his subscription.

Affected customers are less than pleased at being put through the inconvenience of cancelling their cards. It is some comfort that no fraud actually took place in either case. It also seems Namesco acted promptly, if somewhat ill-advisedly, after detecting a possible breach.

Namesco is one of the UK’s largest public ISPs and domain name registration services, managing in excess of 1.5 million domains worldwide.

In a series of updates to the firm’s Twitter account, Namesco confirmed the breach and apologised to its clients. “Security breach detected, small number of customers affected contacted direct to take precautions, other customers are safe,” it said, adding “unauthorized 3rd party activity was detected dealt with immediately, security is paramount, those affected were contacted”.

Namesco’s marketing manager was not immediately available to take our calls when The Register rang to find out more about its handling of the incident. We’ll update this story as and when we hear more.

Update

Namesco has been in touch with The Reg to say: “Asking customers to cancel a payment card and change password was not a decision that was taken lightly, but we felt it critical to give customers the facts. We’re obviously very sorry if our email was mistaken as phishing, but we’d expect customers to doubt the contents of any email when the information directly relates to their personal data.

“We have already implemented new security enhancements that strengthen our network infrastructure against criminal activity of this nature and remain dedicated to providing a high level of service that puts our customers first.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/13/namesco_phish_like_security_warning/

EPIC asks FTC to probe Google’s search biz tweak

The Electronic Privacy Information Center (EPIC), as expected, has now written to the US Federal Trade Commission requesting that the watchdog investigates Google’s search business.

The move follows Mountain View’s decision to merge personal data collected via its social network Google+ with the company’s search engine, which so far has received a cool response from industry observers.

Indeed, the carefully constructed Chocolate Factory is starting to resemble a sweaty indoor confectionery market peddling cheap sweets to the masses.

“Google’s business practices raise concerns related to both competition and the implementation of the Commission’s consent order,” EPIC said, in reference to a recent privacy settlement Google reached with the FTC.

In the missive (PDF), the privacy group claimed that: “Google’s changes implicate concerns over whether the company prioritises its own content when returning search results.”

EPIC added: “Incorporating results from Google+ into ordinary search results allows Google to promote its own social network by leveraging its dominance in the search engine market.”

It asked the FTC to widen its ongoing investigation into Google’s biz practices to include the company’s recent tweak to its search estate.

By default, Google is opting everyone who uses its search engine into receiving “personal” results.

It’s a move that might grab the attention of the FTC as well as the antitrust arm of the European Commission, which is conducting a separate formal investigation into allegations that Google has abused its dominant position in online search by illegally favouring, or gaming, its own services.

Users who don’t want to see “personal results” pop up in Google search can switch it off here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/13/epic_letter_to_ftc_on_google_social_search/