STE WILLIAMS

Fake Angry Birds app makers fined £50k for shock cash suck

A firm that disguised Android malware as Angry Birds games has been fined £50,000 ($78,300) by UK premium-rate service regulator PhonepayPlus.

A1 Agregator posted mobile apps posing as smash-hit games, including Cut the Rope, on Android marketplaces and other outlets. Rather than offer free entertainment, the software silently sent out a text in order to receive a string of premium-rate messages, costing victims £5 per SMS. Users would have to uninstall the counterfeit apps from their phone to prevent further messages and charges.

The malicious code also covered up evidence of the message swapping which might have alerted punters to the whopping charges on their upcoming bills.

A total of 34 people, perhaps only a small percentage of those affected, complained to PhonepayPlus by the end of last year. In a ruling this month, the watchdog found A1 Agregator guilty of multiple breaches of its code of conduct and levied a fine of £50,000, estimated as the upper limit of the illicit profits made through the scam. A1 Agregator, which wasn’t even registered with PhonepayPlus at the time of its offence, must refund defrauded victims in full within three months, whether they’ve complained or not.

It is understood the firm trousered £27,850 ($43,600) from the scam.

A1 Agregator – which was “formerly reprimanded” over its behaviour – must also submit any other premium-rate services it develops to PhonepayPlus for approval over the next 12 months.

Premium-rate SMS scams account for 36.4 per cent of malware on smartphones, the second largest type after spyware, according to analysts Juniper Research.

And Carl Leonard, senior security research manager of EMEA at Websense, added: “Mobile apps are a powerful malware delivery technique as most users are willing to allow apps to do anything to get the desired functionality. Cyber criminals are beginning to use these malicious apps not only to make a quick buck but to also steal valuable data.”

“For example, a malicious app could access the data on your phone, or access all of your contacts. This is particularly bad news for businesses that allow bring your own device (BYOD) schemes but don’t have the right security to protect their mobile data,” he added.

Android virus evolution

Mobile malware scams first emerged in Russia and China several years ago. Fraudsters are beginning to turn to the West for victims, Kaspersky Lab warns.

“The mobile threat landscape is dominated by malware designed to run on Android – 65 per cent of all threats are aimed at this platform,” said David Emm, senior security researcher at Kaspersky. “The platform is popular, it’s easy to write apps for it and it’s easy to distribute them via Google Play – so it’s little wonder that cybercriminals are making use of Google Play, where malware masquerades as a legitimate app.”

“SMS Trojans, of the sort mentioned in the [PhonepayPlus] report, are currently the biggest category of mobile malware. And it’s important to understand that it’s not just a problem in Russia or China. Cybercriminals seek to make money from them across the globe, including here in the UK,” he concluded.

In the past, mobile malware often offered a free application as bait. During installation, the Trojan would display some kind of decoy error message. This prompted victims to search for answers on web forums and elsewhere – which was the last thing scammers wanted, because it could lead marks to the realisation that they’d been suckered.

More recently cybercrooks have begun offering a bait that actually works. A blog post by F-Secure, published with a helpful video, describes an unrelated case of a Trojan installing a working copy of Rovio’s Angry Birds Space as it compromises the phone. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/24/angry_birds_sms_scam_firm_fined/

BigPond GameArena hacked, 35,000 passwords reset

Telstra has taken the unusual – in Australia – step of proactively announcing that a service has been compromised.

The carrier has announced that it’s reset the passwords of 35,000 users of its GameArena and Games Shop services, stating that “the sites, operated by a third party company, were victims of a hacking attack.”

The carrier states that “no financial or credit card details were kept on the sites”.

“Information that might have been obtained was limited to BigPond Games usernames, the email address used to join the site and the encrypted GameArena and Games Shop passwords of up to 35,000 customers,” the statement said.

Users’ BigPond Broadband passwords were not affected. Telstra will be contacting affected customers with their new passwords.

Last year, a third-party customer-service provider used by BigPond was taken offline after an exposure that resulted in around 60,000 password resets, while in January, customer data was posted to a cloud-based spreadsheet. In both cases, the data breach was the result of process failures rather than external attacks.

Perhaps because of the criticism it suffered in those two incidents, the carrier has taken the commendable decision both to disclose and to act quickly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/23/game_arena_hacked/

CompSci eggheads to map Android malware genome

Mobile security researchers are teaming up to share samples and data on malware targeting the Android platform.

The Android Malware Genome Project, spearheaded by Xuxian Jiang, a computer science researcher at North Carolina State University, aims to boost collaboration in defending against the growing menace of mobile malware targeting smartphones from the likes of HTC and Samsung which are based on Google’s mobile operating system platform.

The NC State team led by Xuxian was the first to identify dozens of Android malware programs, including DroidKungFu and GingerMaster.

The project is designed to facilitate the sharing of Android malware code between security researchers, along the same lines as the long-standing malware sample sharing projects already set up by Windows anti-virus software developers. The project has already collected more than 1,200 pieces of Android malware.

Xuxian explains that rapid access by security researchers to Android malware is needed because “our defence capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples”.

The project not only wants to enable the sharing of mobile malware samples but also to facilitate work to create a taxonomy of Android malware, with the aim of helping to create improved security defences, which the NC State team argue are currently falling well short of delivering effective protection.

In this project, we focus on the Android platform and aim to systematise or characterise existing Android malware. Particularly, with more than one year’s effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterise them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads.

The characterisation and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software packages, our experiments in November 2011 show that the best case detects 79.6 per cent of them while the worst case detects only 20.2 per cent in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Xuxian explained that the project was particularly targeted at academic researchers and was designed to supplement vendor-led efforts at mobile malware exchange and analysis.

“I am aware of some malware-exchanging programmes between these vendors, either for Windows-based malware or Android-based malware,” he told El Reg. “However, it seems hard for independent researchers or academic researchers to be involved.

“Great innovations can also come from research labs in academia. This is one main reason why we are promoting and sharing Android malware samples for research purposes. Also, notice that Android malware is still at the early stage and rapidly evolving. With this timing, the sharing becomes extremely important.”

The project was announced at IEEE Symposium on Security and Privacy in San Francisco on Tuesday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/23/android_malware_genome_project/

Armenia jails Bredolab botmaster for 4 years

A cybercrook who established a 30-million-computer-strong botnet has been jailed for four years in Armenia.

Georgy Avanesov, 27, a Russian citizen of Armenian descent, had apparently been making a cool $125,000 a month renting out access to zombie drones in the infamous Bredolab botnet.

Other crooks used access to these compromised Windows PCs to either distribute spam, launch DDoS attacks or to mount scareware (fake anti-virus) scams. DDoS targets reportedly included Russian anti-virus firm Kaspersky Lab.

Bredolab, which disgorged more than 3 billion malicious emails a day at its peak, spread by planting malicious scripts on legitimate websites. These scripts used browser exploits and the like to drop the zombie software onto the Windows PCs.

Components of the Bredolab malware were designed to steal usernames and passwords to FTP accounts, creating a means to plant malicious code onto more legitimate sites in the process, further multiplying the spread of infection.

Prospective marks were tricked into visiting compromised sites using spam emails with dodgy HTML attachments that posed as messages from the likes of Facebook, Skype and Amazon. Screenshots of infected email, along with commentary on the botnet and Avanesov’s prosecution, can be found in a blog post by Sophos here.

“It’s easy to see how such a large network of infected PCs was created, as people clicked on seemingly legitimate attachments and websites, oblivious to the infection that would go on to take control of their PC, and in some cases steal passwords and usernames,” commented Graham Cluley, a senior technology consultant at Sophos. “To prevent botnets such as this forming, it is critical that website administrators don’t let FTP software remember passwords, and that users are more cautious in the attachments they download.”

Avanesov’s downfall followed swiftly on the heels of the botnet takedown operation in October 2010.

Dutch police seized control of command and control servers associated with the Bredolab botnet, using this access to display warning messages to users with compromised PCs. Days afterwards, Avanesov was arrested at Yerevan’s Zvartnots Airport in Armenia, shortly after he stepped off a late night flight from Moscow.

The 27-year-old is the first person in Armenia to be jailed for violation of Armenia’s computer crime laws. Local (English language) reports on Avanesov’s sentencing on Tuesday can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/23/bredolab_botmaster_jailed/

Jailed Facebook hack Brit targeted Justin Bieber’s girlfriend

A British man jailed for a year after hacking into a private Facebook account targeted Justin Bieber’s actress-turned-singer girlfriend, it has emerged.

Gareth Crosskey, 21, of Lancing in West Sussex, was sentenced to 12 months behind bars by London’s Southwark Crown Court last week.

Crosskey had pleaded guilty to two computer crime offences relating to hacking into the private Facebook account of a then unnamed US victim. The breach was reported to the FBI who turned over the investigation to Scotland Yard’s Police Central e-Crime Unit after tracing the hack to the UK.

The target was Selena Gomez, the teenaged girlfriend of gerbil-faced pop icon Justin Bieber, the PA confirmed. Crosskey threatened to publish personal Facebook messages sent between the lovestruck pair after gaining control of the actress’s profile.

The takeover of the account was carried out after Crosskey successfully posed as her step-father, tricking Facebook into granting him illicit access to Gomez’s account in the process. Brian Teefey, Gomez’s step-father and manager, was the administrator of her account.

Crosskey set up an email account “extremely similar to that of Selena Gomez’s administrators account details” in order to pull off the hack, according to prosecutor Corrine Bramwell, before requesting a password reset.

Bramwell said Crosskey (known online as Pkinjor or prokill) posted a video on YouTube proving he had illicit access to the account before boasting about the break-in on an underground forum, hackersforum.net, where he sought advice on what to do with the compromised account.

After taking control of Gomez’s account, Crosskey claimed to have downloaded copies of private emails. He subsequently touted these messages to celebrity magazines OK and Hollywood Life before approaching Teefey and threatening to release the juicy details.

“Her personal email shows what her fans might want to see. I’ve made a copy of every email between Justin Bieber and Selena Gomez and Selena Gomez and Demi Lovato. I think the paparazzi will have a field day,” Crosskey told Teefey.

Justin Bieber sucks

In addition, a message saying “Justin Bieber Sucks” was posted on Gomez’s Facebook fan page. Prosecutors allege that Crosskey was responsible for posting the message, which generated floods of hate mail from angry Bieber fans.

At the time of the hack in January 2011, the relationship between Gomez and Bieber was not publicly known.

Lawyers for Crosskey claimed he carried out the hack in order to expose Facebook’s security shortcomings, rather than as a prelude to extortion. Crosskey, who was working at burger chain McDonalds at the time of the escapade before starting a college course designing computer games, launched the attack after his own Facebook account was hacked.

Gareth Morgan, defending, said: “He did this after his own account was manipulated and hacked and, in order to demonstrate to the Facebook authorities the ease with which he was able to access Facebook accounts, he accessed through Mr Teefey’s email Selena Gomez’s account.”

Gomez was selected only because she was a celebrity, more or less at random, according to Morgan, who added that his client did not benefit financially from his wrongdoing.

These arguments failed to cut much ice when it came to sentencing. Judge John Price said: “You are clever with a computer and you hacked into the private part of somebody’s Facebook account – that somebody was a singer, a celebrity called Selena Gomez.”

“She had a Facebook account on which she has 6 million friends,” he added.

“They have permission to get into part of the account and you hacked into a private part by getting the private email password. You did that by posing as Brian Teefey, her step-father and manager and you did that, you said, to show Mark Zuckerberg that his security was inadequate.”

“People deserve privacy and should not have their private correspondence by email made public. People are entitled to privacy, even those who seek publicity,” the judge concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/23/jailed_facebook_brit_targeted_bieber_girlfriend/

Indian SMBs facing advanced attack threats

India’s growing urban population is under concerted cyber attack as criminals increasingly focus advanced targeted techniques on small- and medium-sized businesses (SMBs) and look to exploit piecemeal security and low levels of awareness, according to the latest report from Symantec.

The security giant’s Internet Security Threat Report 17 paints the picture of a nation whose lack of information security know-how is being ruthlessly exploited.

It found that 25 per cent of bot infections are being reported in smaller cities such as Bhubaneshwar, Surat, Cochin and Jaipur, thanks in part to the large percentage of SMBs they host.

“Augmented by broadband penetration, smaller and emerging cities of India are exploring opportunities offered by the virtual world, in turn creating a new lucrative pool of targets for cyber criminals to exploit,” said Shantanu Ghosh, MD of India product operations, in a canned statement.

“Lack of awareness and low adoption of security measures makes these cities susceptible to cyber threats and warrants greater vigilance in protecting information assets.”

Advanced, targeted attacks are rising across the board – from 77 per day in 2010 to 82 per day by the end of 2011 – but especially against smaller organisations, with over half of such attacks hitting Indian SMBs last year.

These kinds of attack usually employ social engineering techniques to trick a user into following a malicious link or opening a malicious email attachment, thus triggering a malware download.

Typically, this bespoke malware will then jump around inside the corporate network, escalating privileges if necessary until it finds the data it is after.

Symantec said that SMBs are increasingly targeted by such attacks – traditionally the preserve of government and large private sector organisations – because they provide an easier, less well-defended route into the supply chain of a larger company.

In a similar way, non-execs in roles such as HR, sales or admin are usually targeted because they may be less alert to the dangers and are more used to getting unsolicited queries.

Interestingly, while the total number of attacks jumped by 81 per cent, with more than 5.5 billion blocked in the region last year, the number of new vulnerabilities discovered dropped by 20 per cent.

According to Symantec, this is a clear sign that the cyber crims are doing well enough exploiting existing vulnerabilities, with social networks an increasingly successful channel of infection.

As is the case all over the world, mobile threats were also highlighted as a risk to businesses and consumers, with mobile vulnerabilities rising 93 per cent in India last year, the report said.

Aside from the risks posed by financially motivated hackers, Indian organisations have also been battered over the years by Pakistani hacktivists.

The government in particular has had various sites defaced on numerous occasions, and was most recently DDoS-ed by online collective Anonymous. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/23/symantec_india_smb_threats/

Anonymous hacktivists dump 1.7GB load slurped from DoJ site

Anonymous-affiliated hackers allegedly dropped a 1.7GB torrent of data onto file-sharing networks on Monday after hacking into the US Bureau of Justice Statistics.

The leaked files purportedly include “internal emails” as well as other files supposedly culled from other compromised databases at the BJS, the US government agency that collates statistics on crimes in the US.

The release was part of a newly initiated Anonymous operation, dubbed Monday Mail Mayhem, and accompanied by a YouTube statement explaining that the release was geared towards “ending corruption”.

But the Department of Justice downplayed the significance of the security breach, saying it had not affected its main systems.

“The department is looking into the unauthorized access of a website server operated by the Bureau of Justice Statistics that contained data from their public website,” the DoJ said in a canned statement, Security Week reports. “The Bureau of Justice Statistics website has remained operational throughout this time. The department’s main website, justice.gov, was not affected.”

The hackers claimed in their video statement: “We are releasing data to spread information, to allow the people to be heard and to know the corruption in their government.”

Unusually part of the video is delivered by an initially unmasked man who dons a Guy Fawkes’ mask in the closing seconds of the clip.

A Twitter profile associated with the hack (@planethacks) told us that the BJS was targeted in order “to discredit the American government, and to point out the lack of security” on its sites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/22/anon_crime_stats_site_hack/

Social media off to war with propaganda posts

Social media posts which lure readers with the promise of illegal, amoral or forbidden products and services may become a cold war cyber weapon, according to Kaspersky Labs CEO Eugene Kaspersky.

Speaking to The Register in Sydney yesterday Kaspersky said the usual suspects – Duqu, Stuxnet, whatever happened in Estonia and the regular data deletions apparently plaguing Iran – are all jolly good examples of cyberwar in action, but require a concerted effort.

Easier-to-execute attacks, he believes, will be fought through dodgy posts to social networks.

Kaspersky’s theory is that states will create handles on social networks that initially post information about illegal (dodgy downloads or drugs), amoral (smut) or forbidden products (drugs again) in order to attract an audience. Once followers or friends have been won, the feeds will turn to dispensing propaganda. Messages of this sort won’t be explicit, Kaspersky said, but will instead represent an attempt at mass manipulation.

“A post could say ‘New Zealanders just killed several Australians,’” he said, reflecting the Antipodean location of his meeting with The Register yesterday. The cumulative effect of such posts, he feels, could demoralise or agitate a population in ways that advance international political and/or military agendas.

“You poison them, and little by little you will have a huge conflict between countries,” he says.

All of which sounds very plausible, except for the fact that New Zealand doesn’t need disinformation to demoralise Australia: that’s what the All Blacks are for. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/22/social_media_propaganda_war/

Ex-Yahoo! bigwig! admits! insider! trading!

The US stock market regulator has charged an ex-Yahoo! exec and a pal with insider trading after the pair discussed a search engine partnership between Yahoo! and Microsoft.

The Securities and Exchange Commission (SEC) said Robert Kwok, who was Yahoo!’s senior director of business management, breached his duty to the company when he told Reema Shah, a mutual fund manager at a subsidiary of Ameriprise Financial, that the deal was on.

Shah had asked Kwok about the deal as rumours did the rounds in July 2009 that Microsoft and Yahoo! would team up; Kwok told her that the info was being kept under wraps at Yahoo! and only a few people knew.

Shah then told the mutual funds she managed to buy over 700,000 shares in Yahoo!, which were later sold for profits of around $389,000.

Kwok let on about the deal because, a year earlier, Shah had done the same for him: she tipped him off about an impending acquisition announcement between two companies that she knew about and he traded on his personal account on the tip. He only made off with a measly $4,754 however.

“Kwok and Shah played a game of you scratch my back and I’ll scratch yours,” Scott Friestad, associate director in the SEC’s Division of Enforcement, said in a canned statement.

“When corporate executives and mutual fund professionals misuse their access to confidential information, they undermine the integrity of our markets and violate the trust placed in them by investors.”

Both Kwok and Shah, who live in California, have agreed to settle the SEC’s charges of insider trading. A court will later decide how much of their ill-gotten gains they’ll have to pay back and what other fines they’ll face.

Under the settlements, Shah will be permanently banned from the securities industry, and Kwok will be permanently blocked from serving as an officer or director of a public company.

However, the pair are also in the dock for charges of conspiracy to commit securities fraud, which they pleaded guilty to and are awaiting sentencing.

Aside from the two specific cases in the insider trading charges, they had been exchanging tip-offs since they met in January 2008.

Kwok regularly gave Shah information on Yahoo!, such as whether its quarterly performance would meet analyst expectations and Shah would give him information she learned through her job so he could make personal investments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/22/sec_charges_former_yahoo_exec/

Titsup WHMCS calls the Feds after credit-card megaleak

WHMCS, which provides billing and customer support tech to many web hosts, was comprehensively hacked on Monday and remains offline.

Hackers tricked WHMCS’s own hosting firm into handing over admin credentials to its servers. The group that carried out the hack, UGNazi, subsequently extracted the billing company’s database before deleting files, essentially trashing the server and leaving services unavailable in the process. The compromised server hosted WHMCS’s main website and supported customers’ installations of its technology.

UGNazi also gained access to WHMCS’s Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm’s customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack.

Card information was salted and hashed, but reports allege that the decryption key was stored in clear text in the root directory of WHMCS’s compromised server and also leaked. The billing firm warned that “credit card information although encrypted in the database may be at risk”. Password records, by contrast, ought to be safe, but WHMCS still recommends a password refresh as a precaution.
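The failure described above is one of key placement rather than of the cipher: a database full of encrypted card records is only as safe as the key, and a key sitting on the same host leaks along with the dump. The following is an added example, not WHMCS code and not a description of the cipher WHMCS actually used (the article does not name it). It uses a toy authenticated stream cipher built from the Python standard library, a constructed test card number, and an assumed config path, and contrasts a key stored next to the application with envelope encryption where the wrapping key lives in an off-host key service modelled as a dictionary.

```python
import hashlib
import hmac
import secrets

# Constructed test card number; not real account data.
CONSTRUCTED_PAN = b"4111111111111111"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (toy cipher, stands in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def colocated_deployment():
    """Weak design: the raw data key is written to a config file on the web host."""
    key = secrets.token_bytes(32)
    rows = [encrypt_record(key, CONSTRUCTED_PAN)]
    host_files = {"/srv/www/config.php": key.hex()}  # assumed path, constructed
    return host_files, rows


def new_kms():
    """Off-host key service: the key-encryption key never touches the web host's disk."""
    return {"kek-1": secrets.token_bytes(32)}


def envelope_deployment(kms):
    """Stronger design: a per-deployment data key, stored only wrapped under the KMS key."""
    dek = secrets.token_bytes(32)
    rows = [encrypt_record(dek, CONSTRUCTED_PAN)]
    wrapped_dek = encrypt_record(kms["kek-1"], dek)
    host_files = {"/srv/www/config.php": wrapped_dek.hex()}  # assumed path, constructed
    return host_files, rows


def application_decrypt(kms, host_files, row: bytes) -> bytes:
    """Legitimate path: unwrap the data key through the KMS, then decrypt the row."""
    wrapped_dek = bytes.fromhex(host_files["/srv/www/config.php"])
    dek = decrypt_record(kms["kek-1"], wrapped_dek)
    return decrypt_record(dek, row)


def recover_from_dump(host_files, rows) -> list:
    """Breach model: the attacker has every file on the host plus the database dump,
    but nothing from the KMS. Returns the plaintexts that material alone yields."""
    recovered = []
    for content in host_files.values():
        try:
            candidate = bytes.fromhex(content)
        except ValueError:
            continue
        if len(candidate) != 32:  # a wrapped key blob is not a usable raw key
            continue
        for row in rows:
            try:
                recovered.append(decrypt_record(candidate, row))
            except ValueError:
                pass
    return recovered


if __name__ == "__main__":
    files, db = colocated_deployment()
    print("colocated key, recovered:", recover_from_dump(files, db))
    kms = new_kms()
    files, db = envelope_deployment(kms)
    print("envelope key, recovered:", recover_from_dump(files, db))
    print("app still decrypts:", application_decrypt(kms, files, db[0]))
```

The check to take away is the breach model in `recover_from_dump`: when assessing an at-rest encryption design, ask what an attacker holding a full copy of the host can decrypt without any further secret. In the colocated layout the answer is everything; with the data key wrapped by a key the host never stores, a server compromise alone yields ciphertext and a useless wrapped blob, and the incident response question becomes whether the attacker also reached the key service.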

Hacktivists justified the attack by making unsubstantiated accusations that WHMCS offered services to shady characters, via an update to WHMCS’s compromised Twitter feed:

Many websites use WHMCS for scams. You ignored our warnings. We spoke louder. We are watching; and will continue to be watching. #UGNazi

WHMCS was able to restore service on Monday night within hours of the attack – although the website has fallen offline again, apparently due to a distributed denial of service attack. WHMCS has yet to regain control of its Twitter feed.

The billing firm published a blog post explaining how the attack took place and apologised to its customers for the inconvenience caused by an interruption in their services. A spokesman wrote:

Following an initial investigation I can report that what occurred today was the result of a social engineering attack.

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

We are immediately reviewing all of our hosting arrangements, and will be migrating to a new setup at the earliest opportunity.

WHMCS added that it had reported the breach on its systems to the FBI. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/22/whmcs_breach/