We continue to spot new cybercrime ecosystem propositions for spam-ready, cybercrime-friendly SMTP (Simple Mail Transfer Protocol) servers targeting QA (Quality Assurance) aware cybercriminals looking to gain access to dedicated mail servers with clean IP reputation, ensuring that their campaigns will reach the recipient’s Inbox. Relying on ‘in-house’ built infrastructure or direct outsourcing to bulletproof hosting providers, these services continue empowering prospective customers with managed services compatible with popular spam software, potentially exposing millions of users to fraudulent or malicious email campaigns.
Let’s discuss yet another managed service offering spam-ready SMTP servers, and connect it to malicious campaigns that have directly interacted with the same infrastructure it’s currently hosted on, indicating that it’s already “in business”.
Sample screenshot of the inventory of harvested emails offered by the service:
Sample pricing scheme offered by the spam-ready managed SMTP service in Rubles, based on the number of emails to be delivered:
Sample screenshot of the pricing scheme for high-volume spam customers on a monthly/yearly basis in Rubles:
The Web site of the service currently responds to 92.53.125.90, with the same IP known to have been participating in multiple malicious campaigns serving client-side exploits.
Not surprisingly, we can easily correlate malicious/spam activity that’s been taking place through related domains that are known to have been responding to the same IP (92.53.125.90) over the past couple of months.
Known to have responded to the same IP are also the following malicious/fraudulent domains:
1novishop.ru
2353333.ru
3-16.ru
a-kara.ru
aist-letit.ru
akpp-samara.ru
alekseikondratenko.ru
antonagafonov.com
apuzzle.ru
azmarketing.az
barguzin.su
bibcamvids.tmweb.ru
bigbakery.ru
black-panther.ru
blog-net.ru
bloody-knight.ru
bloodyfight.net
bpost.kz
budetsuper.ru
bumblebee.timeweb.ru
We’re also aware of the following malicious MD5s that are known to have directly communicated with the same IP (92.53.125.90) over the last couple of months:
MD5: 7803671e9968000944fd784710c1eefd
MD5: 3619a6ca52c100abce2c0bd8f8b47c4d
MD5: 2dcfa7175ca4585fe2fe5cd2e3df2e4c
MD5: d9d78697efae9f4ab91146926a4c6270
MD5: 86d5218dd28e13d3422d40a774996677
MD5: 437b9b83e1c9c5acabce191622090d57
MD5: 8c935280e432afe193b67de986389e84
MD5: 0ac8272b54dc0c42d62a2e570dde8ee7
MD5: d99399f600b2143167ac3891fa7c2c94
MD5: 1f6a6618d1a5d119f7ebb45f05e76066
MD5: 087cba21e1fdc739e0ff57528be02bcc
MD5: 774c7763a6a0f11628ee7360edb8780e
MD5: 21856c83167d364394beb83474379fea
MD5: af168e2d558167d85ee25afcb1fce46a
In particular, the samples have phoned back to the following URLs that are known to have responded to the same IP that the managed SMTP spam service is currently hosted on:
zazaru.com (92.53.125.90)
ckynyagan.ru (92.53.125.90)
pravonapravo.com.ua (92.53.125.90)
ust-jugan.ru (92.53.125.90)
rp.fast-worlds.com (92.53.125.90)
xn----7sbhbmbrhbip1ajtrecv1fxf.xn--p1ai (92.53.125.90)
srub68.ru (92.53.125.90)
bloodyfight.net (92.53.125.90)
All of these samples establish a UDP communication channel to the following C&C server: 208.115.109.53:8010
How is the actual spamming and acquisition of the spam-ready infrastructure taking place? Through compromised Web sites. Consider going through this assessment of the actual malware used in these campaigns, courtesy of the fine folks at Abuse.ch.
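The value of the indicators above lies in checking them against your own telemetry. The following is an added example, not code from the original post or from the service being described: it loads the IP, a subset of the listed domains, some of the MD5s and the UDP C&C endpoint exactly as given in the post, and runs them over three kinds of log lines (DNS queries, flow records and an endpoint hash inventory). The log lines, host names and key=value log format are constructed for the example and are not taken from any real environment.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post above (not a complete copy of its lists).
HOSTING_IP = "92.53.125.90"
CNC_IP, CNC_PORT, CNC_PROTO = "208.115.109.53", 8010, "udp"
DOMAINS = {
    "1novishop.ru", "2353333.ru", "3-16.ru", "bloodyfight.net", "bloody-knight.ru",
    "zazaru.com", "ckynyagan.ru", "pravonapravo.com.ua", "ust-jugan.ru",
    "rp.fast-worlds.com", "srub68.ru",
}
MD5S = {
    "7803671e9968000944fd784710c1eefd", "3619a6ca52c100abce2c0bd8f8b47c4d",
    "2dcfa7175ca4585fe2fe5cd2e3df2e4c", "af168e2d558167d85ee25afcb1fce46a",
}

# Constructed sample logs (hypothetical hosts and timestamps, key=value format).
SAMPLE_DNS = [
    "ts=2013-10-08T09:12:01Z client=10.0.0.12 query=bloodyfight.net type=A answer=92.53.125.90",
    "ts=2013-10-08T09:12:05Z client=10.0.0.12 query=rp.fast-worlds.com type=A answer=92.53.125.90",
    "ts=2013-10-08T09:13:10Z client=10.0.0.40 query=www.example.com type=A answer=93.184.216.34",
    "ts=2013-10-08T09:14:00Z client=10.0.0.21 query=cdn.some-site.net type=A answer=92.53.125.90",
]
SAMPLE_FLOWS = [
    "ts=2013-10-08T09:12:09Z proto=udp src=10.0.0.12:51234 dst=208.115.109.53:8010 bytes=92",
    "ts=2013-10-08T09:12:30Z proto=tcp src=10.0.0.12:51300 dst=92.53.125.90:80 bytes=1420",
    "ts=2013-10-08T09:13:11Z proto=udp src=10.0.0.40:53011 dst=8.8.8.8:53 bytes=64",
    "ts=2013-10-08T09:15:02Z proto=tcp src=10.0.0.40:49152 dst=208.115.109.53:443 bytes=300",
]
SAMPLE_HASHES = [
    "host=ws-12 file=C:\\Users\\a\\Downloads\\setup.exe md5=7803671E9968000944FD784710C1EEFD",
    "host=ws-40 file=report.pdf md5=d41d8cd98f00b204e9800998ecf8427e",
]

@dataclass(frozen=True)
class Hit:
    source: str     # which log the hit came from
    indicator: str  # the indicator that matched
    host: str       # internal host to triage
    line: str       # original log line, kept for the analyst

_KV = re.compile(r"(\w+)=(\S+)")

def parse_kv(line):
    """Turn a 'key=value key=value' log line into a dict."""
    return dict(_KV.findall(line))

def matches_domain(name):
    """True if name is a listed domain or a subdomain of one (not a substring)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)

def scan_dns_log(lines):
    """Flag queries for listed domains, or any name that resolves to the hosting IP."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        q = f.get("query", "")
        if matches_domain(q):
            hits.append(Hit("dns", q.lower().rstrip("."), f.get("client", "?"), line))
        elif f.get("answer") == HOSTING_IP:
            hits.append(Hit("dns", HOSTING_IP, f.get("client", "?"), line))
    return hits

def scan_flow_log(lines):
    """Flag traffic to the hosting IP and to the C&C; an exact UDP/8010 match is
    reported with the full endpoint, any other contact with the C&C IP alone."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        dst_ip, _, dst_port = f.get("dst", "").rpartition(":")
        src_ip = f.get("src", "").rpartition(":")[0]
        if dst_ip == HOSTING_IP:
            hits.append(Hit("flow", HOSTING_IP, src_ip, line))
        elif dst_ip == CNC_IP:
            exact = dst_port == str(CNC_PORT) and f.get("proto", "").lower() == CNC_PROTO
            ind = f"{CNC_IP}:{CNC_PORT}/{CNC_PROTO}" if exact else CNC_IP
            hits.append(Hit("flow", ind, src_ip, line))
    return hits

def scan_hash_log(lines):
    """Flag files whose MD5 (case-insensitive) is in the indicator set."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        h = f.get("md5", "").lower()
        if h in MD5S:
            hits.append(Hit("hash", h, f.get("host", "?"), line))
    return hits

def hosts_of_concern(hits):
    """Group indicators by internal host so the analyst sees what to triage first."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.indicator)
    return by_host

def run_all():
    return hosts_of_concern(scan_dns_log(SAMPLE_DNS)
                            + scan_flow_log(SAMPLE_FLOWS)
                            + scan_hash_log(SAMPLE_HASHES))

if __name__ == "__main__":
    for host, inds in sorted(run_all().items()):
        print(host, "->", ", ".join(sorted(inds)))
```

The DNS check matches subdomains but not substrings (so `notbloodyfight.net` is not a hit), and the flow check distinguishes the exact UDP/8010 C&C contact the post describes from other traffic to that IP, which is still worth a look but carries less confidence. A real deployment would load the full indicator lists from a file rather than embedding them.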
Information Security, Ethical Hacking, website Security, Database Security, IT Audit and Compliance, Security news, Programming, Linux and Security.
Tuesday, 8 October 2013
Skorpion smartphone charger lights up if your phone contains malware
Plugging your smartphone in to charge up could soon offer an alert that you’ve contracted malware – with a new charger that lights up when it detects malicious software.
Within two minutes, the Skorpion charger displays a red light if it detects malware on any Android device. The device, produced by Kaprica Security in collaboration with Belkin, will go on sale this year for $65. It could provide a “last line of defense” for companies against employees “bringing their own” infected devices into the workplace.
Gadget sites such as Gizmodo pointed out its similarity to the “Mactans” malicious charger unveiled at the Black Hat security conference in Las Vegas this year, which could infect iPhones with malware in under a minute.
Security apps such as ESET’s Mobile Security protect against malware, but Kaprica’s device may find a place in enterprises where many employees “bring their own devices”, and often refuse to have them audited by IT. An expert from security body ISACA estimated that around 30-40% of smart devices in any business “fly under the radar”.
Providing employees with chargers which warn IT administrators of threats could solve this problem. Kaprica aims to start selling the device to enterprises at around $65, according to the MIT Technology Review.
“IT admins can see at a glance what network threats have been detected on any scanned mobile devices,” Kaprica says, boasting that the system offers “easily adjustable notifications so that administrators can be made aware of compromises as quickly as possible.”
Speaking to MIT, Kaprica cofounder and CEO Doug Britton said that the Skorpion charger analyzes your phone’s operating system files directly, without “asking” the phone’s OS, which may allow it to root out deeply buried threats.
The scan begins as soon as the phone is plugged in, with a “deep scan” complete within six minutes. Administrators are notified via a dashboard if there are problems.
“In as little as 2 minutes you’ll know if your mobile device has been infected with malware,” Kaprica says. “In as little as 6 minutes, a deep scan reveals malicious changes to your OS.”
Speaking to the MIT Technology Review, Xuxian Jiang of North Carolina State University said that the device might have limitations, as it does not scan the phone while a user actually makes calls or uses apps – actions which can deliver malware – and that there is no “silver bullet” for all mobile malware.
Who goes there? Voice-recognizing biometrics are set to take off, claims Nuance exec
Writing for tech blog GigaOM, Beranek says, “The human voice is unique, much like a fingerprint. It’s also impossible to forget, unlike a PIN or password, and with us all the time, unlike a key fob security token.”
Beranek admits that voice identification is mainly deployed as part of automated voice response systems and contact centres – but claims that the increasing use of voice identification within those systems will pave the way for wider use of the technology.
Beranek says that voice biometrics will find increasing use in app security – due to customer familiarity with “voice assistants” such as Apple’s Siri.
Siri has been widely used in hacks against Apple devices, according to recent reports, some on We Live Security. But Siri does not use voice biometrics for security – and Beranek predicts this will be a growth area.
“When businesses extend voice biometrics to their mobile apps, they also take advantage of consumer familiarity with virtual personal assistants and other speech-controlled services that people have come to expect on their mobile devices,” Beranek says.
“ These services have helped to make consumers comfortable with the concept of asking their phone – rather than a person at the other end – for information. Combine the convenience and comfort with the proven security, and we quickly see why voice biometrics as an entry point to a mobile app could become an ideal solution.”
Beranek predicts an increasing use of the technology in web environments, and even to secure credit card transactions via phone.
Apple’s use of a fingerprint scanner on its new iPhone 5S has ignited a new debate over biometric security – not to mention some of the most laborious “hacks” ever invented.
Voice biometrics is just one system under discussion. Some researchers believe that systems which continuously monitor behaviors could be even more secure than those which rely on one simple “check”. One day, your smartphone might “recognise” you by the way you walk, the way your fingers tap on a touchscreen – or even simply where you go during the day.
But the idea of a password as a “key” that unlocks a device might soon seem antiquated – researchers around the world are investigating “implicit identification”, where the computer recognises you through your behavior, not by challenging you for a password. Business magazine Quartz describes such systems as “always on” security in an article here.
SilentSense, announced in the wake of iPhone 5, can identify a user within 10 taps of the touchscreen with 99% accuracy, according to Cheng Bo of the Illinois Institute of Technology. The system works with a smartphone’s gyroscope and accelerometer to identify users, and even takes account of their gait as they walk, according to New Scientist.
“While using mobile devices, most people may follow certain individual habits unconsciously. Running as a background service, SilentSense exploits the user’s app usage and interacting behavior with each app, and uses the motion sensors to measure the device’s reaction,” says Bo.
Waking Shark: Banks to face biggest cyber war game ever in UK
The simulation, Operation Waking Shark 2, has been scheduled for mid-November, according to sources quoted by the Daily Telegraph.
The test has been designed by an outside consultant and will be monitored by the Bank of England, the British Government’s Treasury and the Financial Conduct Authority.
The attack will simulate a “very severe” cyber attack on the stock markets, banks and payment providers – and will involve several thousand people.
In September, Scott Borg, chief of the U.S. Cyber Consequences Unit, said that he believed manipulation of the financial markets would be the next major target for cybercriminals, according to Computer World.
More than half of securities exchanges around the world faced cyber attacks last year, according to a paper released by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE).
“The number of high profile and critical ‘hits’ is also increasing,” says the IOSCO report.
“The report warns that underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.”
A survey of 46 exchanges around the world found that 53% had faced cyber attacks – mostly disruptive in nature, rather than financially motivated, and mostly consisting of malware or DDoS attacks. Nearly all – 89% – of those surveyed agreed that cybercrime should be considered a systemic risk.
The report says, “This suggests a shift in motive for cybercrime in securities markets, away from financial gain and towards more destabilizing aims. It also distinguishes cybercrime in securities markets from traditional crimes against the financial sector e.g. fraud, theft.”
“While cybercrime in securities markets has not had systemic impacts so far, it is rapidly evolving in terms of actors, motives, complexity and frequency.”
The British Waking Shark tests follow a similar exercise conducted in 2011 – and mirror exercises conducted on Wall Street, such as Quantum Dawn 2, a simulated cyber attack with a Hollywood-esque title that bombarded the defenses of American banks on June 28 in an exercise designed to test how Wall Street would endure a sustained cyber attack.
Organised by the trade organization Securities Industry and Financial Markets Association (SIFMA), the exercise was built to “test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a street-wide cyber attack.”
Beware Android Malware! Threats Reach One Million Mark
October certainly is the month for scares; Trend Micro's Security Intelligence Lab revealed that this past September mobile threats reached the one million mark. This fulfills the security software company's prediction in their second quarter roundup that the number of malicious and high-risk Android apps would hit one million by year-end. To put things in perspective, it took a decade for PC malware to reach this number of threats.
The company's blog post revealed data from Trend Micro's Mobile App Reputation scanner that showed that the number of Android malware, including high-risk apps for the device, has been increasing steadily throughout the year. Seventy-five percent of these potentially dangerous apps perform malicious routines while the other twenty-five percent show suspicious routines including adware.
Top Threats
Trend Micro highlighted some of the top mobile malware threats to look out for, such as FAKEINST and OPFAKE. Both typically disguise themselves as legitimate apps to lure users into various scams. Malicious apps based on FAKEINST are also premium service abusers, sending unauthorized text messages to victims to register for costly services.
This malware family might sound familiar to you because it was involved in the fake Bad Piggies app incident where a rogue version of the Bad Piggies game was released on the Google Play store. OPFAKE malware leads users to open an .HTML file and asks them to download possibly malicious files.
Some of the leading high-risk apps include ARPUSH and LEADBLT, both of which are well-known adware and infostealers. High-risk apps collect device-related information like OS information and GPS location. Other threats to mobile devices include FAKEBANK and FAKETOKEN that can hack into users' banking accounts.
Few Use Protection
With all this in mind, it's surprising that only about 30 percent of all Android smart phones and tablets in the U.S. have security apps installed. Trend Micro advises Android mobile users to start taking security seriously as malware continues to rise across this particular userbase. It's a good idea to install Trend Micro Mobile Security or our Editors' Choice Bitdefender Mobile Security to start defending yourself against possible threats.
The company offers some additional advice to Android users to protect their devices. This includes treating any mobile device like a PC regarding security. You should download antivirus and security software and keep it up to date. Always be careful of what apps you're downloading. Look at what information the app asks to access, and read developer details and customer comments before downloading it. Be smart about what you decide to download onto any of your devices to limit the risk of malware and other threats.
No Simple Bug Bounty: Microsoft Rewards "Novel Exploitation Techniques"
Say you're a software publisher with a global presence. A security hole in one of your products that lets bad guys steal private information or remotely control a victim PC could have far-reaching consequences. If someone discovered such a hole, you'd much prefer they tell you about it than sell the information on the cybercrime black market, right? "Bug bounty" programs aim to encourage this kind of sharing by rewarding those discovering security holes with cash, fame, or both, and they're more common than you may realize.
Bounties Abound
Yahoo's bug bounty program made news earlier this week. A group of Swiss researchers investigating the program started by hunting down three serious cross-site scripting bugs on Yahoo websites, security holes that could allow an attacker to take over a victim's Yahoo email account. (Finding those bugs took them about a day—scary!) After verifying the report, Yahoo offered $12.50 for each bug, redeemable for swag at the company store.
That reward seemed chintzy to many. The backlash from this report was significant enough that Yahoo announced a change, something they were already working on. The new bug bounty program will reward researchers who report a verified bug with cash, not swag, in an amount from $150 to $15,000, with the exact amount determined by a clear, predefined formula. The new program should be in place by the end of this month, but it's retroactive to July 1.
Think you've found a security hole that might be worth something? The bugcrowd website lists all current bug bounty programs, separating them into those that offer a reward, fame plus swag, just fame, or no reward. Click on the link for a given product or service to visit its reporting page.
Facebook, for example, offers a minimum bounty of $500, with no preset maximum. As of August, Facebook had paid out over a million dollars in such bounties.
Payouts from Google for verified bugs follow a well-defined table of values. These range from $100 for a common Web flaw on a low priority Google site to $20,000 for a remote code execution vulnerability in a highly sensitive service. In a nod to "leet-speak," some types come with a $1337 reward.
Microsoft Is Different
[Note: I originally stated "Microsoft has paid researchers $100,000, sometimes more." In fact, Microsoft has not paid such a bounty yet, not since the Bluehat Prize. -njr]
Microsoft offers researchers $100,000, or even more, for work that enhances security, but it turns out the Microsoft program isn't precisely a bug bounty. Katie Moussouris, senior security strategist lead for Microsoft Trustworthy Computing, explained the difference.
"Microsoft's $100,000 Mitigation Bypass Bounty requires participants to submit truly novel exploitation techniques against our latest Windows platform," said Moussouris, "so that we can improve our platform-wide defenses. New exploitation techniques are more difficult to find than individual vulnerabilities and learning about them will help us protect customers against entire classes of attacks to improve security by leaps, rather than addressing one vulnerability at a time." She concluded, "We encourage researchers to read the guidelines of our bounty programs at www.microsoft.com/bountyprograms and send in their submissions to secure@microsoft.com."
A researcher who not only reports a new exploitation technique but also supplies ideas for defense may qualify for an additional $50,000 BlueHat Bonus. And remember, in 2012 Microsoft paid out over a quarter of a million to the winners of its BlueHat Prize contest.
It takes a lot of experience and a dollop of genius to qualify for Microsoft's reward. Security is often a cat-and-mouse game, as criminals devise new attacks and defenders respond with new counters to those attacks. Coming up with new exploitation techniques (and defenses against them) before the bad guys do puts the defense in the lead. As a Windows user, I salute the recipients. Thanks, guys!
Internet of Things, new opportunities for hackers and cybercriminals
The Internet of Things, a business growing at a compound annual rate of 7.9%, is a privileged target for hackers and cyber criminals.
The Internet of Things refers to all objects in daily life equipped with identifiers that allow their automatic inventory. Tagging of the Internet of Things could be achieved with various technologies such as RFID, NFC, digital watermarking, QR codes and much more. The diffusion of the Internet of Things paradigm is sustained by phenomena like the improvement of connectivity infrastructure and by the massive introduction of technology into the environment that surrounds us, from our houses to the ambitious project of smart cities.
IDC has given an economic estimation for the evolution of the market that is moving around the Internet of Things, technologies and services spending that generated global revenues of $4.8 trillion in 2012 and that will reach $8.9 trillion by 2020, growing at a compound annual rate (CAGR) of 7.9%.
IDC expects the installed base of the Internet of Things will be nearly 212 billion “things” globally by the end of 2020, around 14% of them will be “connected (autonomous) things” mainly driven by intelligent systems that will be deployed and will collect data across both consumer and enterprise applications.
This growth represents a serious challenge from the cyber security perspective; many researchers are evaluating the possibility of attacking these objects or exploiting them to compromise the surrounding environment.
At the security conference DerbyCon 3.0 2013, researcher Daniel Buentello made an interesting presentation titled “Weaponizing your coffee pot” showing the consequences of an attack against high-tech objects, like a common coffee pot, connected to the Internet of Things.
The computational capability of connected devices is comparable to that of a minicomputer, but with a substantial difference: in the majority of cases these components aren’t protected by defense mechanisms.
If one of these intelligent objects is infected by malware it could be recruited into a botnet architecture, no matter whether hackers control a coffee pot or a smart TV.
Buentello highlighted that once malware has infected our domestic environment it could propagate itself through the Internet of Things, for example reaching the thermostat of our oven or our home server.
The researcher described in his presentation the coffee pot product, dubbed FrigidMore, which is connected to the internet and runs “java” scripts to control the coffee taste and to push notifications to the user’s smartphone when the coffee is ready.
Buentello analyzed the Nest thermostat that uses a WiFi interface for various operations such as the software updates.
“The Nest Learning Thermostat automatically updates its software over Wi-Fi whenever an update is released.” Cyber criminals could compromise the update process, push out malware to all connected devices and recruit them as part of a botnet.
Buentello gave a shorter 15-minute version of “weaponizing your coffee pot” also at ToorCon Seattle 2013.
The Internet of Things is considered a privileged target of cyber criminals, who will concentrate their efforts on attacking such powerful objects. Home automation devices are easy for hackers to attack, and search engines like Shodan are a mine of information for discovering potential targets and gathering info on their structure.
“Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody’s home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse,” CEDIA IT Task Force member Bjorn Jensen said.
Concepts like smart homes and smart cities are fascinating but could hide dangerous pitfalls. Although the Internet of Things is already a reality and the number of “intelligent” devices is rapidly increasing, the majority of them are totally unprotected and security for “home automation” is still at an early stage of evolution.
Welcome progress, but remember that everything has its price: anything connected to the Internet is hackable.