Friday, 15 November 2013

White Hats for Hire Find Software Bugs


Companies that lack the resources to run their own bug bounty programs may want to consider a bug bounty as a service program

If you pay peanuts, you get monkeys. It's an old expression, and it's one that Yahoo! appears to be heeding. Instead of rewarding security researchers who reported bugs in its applications with T-shirts and other corporate swag, the company announced that from Oct. 31 it is offering bounties of between $150 and $15,000 to people who bring new, unique or high-risk bugs to its attention.
In support of its bug bounty program, Yahoo! promises to review any application bugs submitted within a few hours, 365 days a year, 24 hours a day. The issues will be validated by a security team and the submitter contacted within 14 days.
Yahoo! is not a pioneer in this field: Many large companies including Facebook, Google, AT&T, and Microsoft offer similar programs. Bug bounty programs like these require a big commitment. They need both financial and human resources to review and validate bugs within a few hours, and there's no telling how many bug reports will come in on a given day.

Benefits of Bug Bounty Programs

Yet they are a highly effective, and cost-effective, way of bringing bugs to light. A penetration test or security audit will normally cost a substantial fixed sum, offer the expertise of a limited number of security experts, and ultimately catch a limited number of bugs during the period in which the test or audit is carried out.

A bug bounty program, on the other hand, works on a more efficient "pay per bug" basis. A huge number of potential experts can contribute, and since it's open ended there's no limit to the bugs that may be found. And as software is updated, bounty hunters can spot and eliminate new bugs.
That also means there's no limit to the amount of money that may be paid out in bounties -- although if a company like Yahoo! decides they no longer wish to spend money on bounties, they can simply close the program.
But what if your company doesn't have the resources -- either the staff or the expertise -- to run a big bounty program like Yahoo!'s?

Bug Bounty on a Budget

It turns out that this needn't be a problem, thanks to a number of startups around the world that are beginning to offer bug bounty programs as a service. These companies include Denmark-based CrowdCurity, Australia's Bugwolf and two U.S. companies, Synack and Bugcrowd.
The concept is exciting venture capitalists. Synack recently secured $1.5 million in seed funding from investors including Kleiner Perkins, while Bugcrowd raised $1.6 million from ICON Venture Partners, Paladin Capital Group and Square Peg Capital.
Each company works in a slightly different way, but as an example Bugwolf will recruit or crowdsource security experts from around the world, vet them and organize them into teams of about 10 people. Then, for a fixed fee of typically between $5,000 and $20,000, they will unleash these white hat hacker teams on your Web or mobile application, validate the bugs that they find, and distribute bounties to team members according to how many bugs they find and how significant they are.
"Our programs typically run for two or three days, and at the end we go back to the customer with a detailed report on the bugs that have been found, along with screenshots or screencasts," says Ash Conway, Bugwolf's CEO. "Normally the customer is quite taken aback about the volume and quality of bugs that we find."
Conway does not believe that bug bounty programs are a complete alternative to more traditional security testing measures. "We see ourselves as complementary to the penetration testing process," he says. "We can accelerate the testing cycle from weeks to days, but I don't think we'll ever remove the need for traditional penetration testing."

White Hats, Black Hearts?

An obvious question: How do you know the white hat hackers employed by a company like Bugwolf really are white hats? What if they find bugs and keep quiet about them, preferring to sell them to someone else, or to come back another day to exploit them?
In Bugwolf's case that's not an issue, as the type of applications being tested are Web or mobile apps that already can be accessed by anyone. But what about the testing of more sensitive back-end applications?
Jay Kaplan, CEO of Synack, says that knowing the participants is key. "Our testers are highly trusted, and they go through our vetting process. We know who they are, and we keep the community small. We use security researchers and engineers from China, Bangalore, in fact from all over the world -- but if our customers are not comfortable with that, then we can offer people exclusively from the U.S."
Synack has also developed a testing "platform," so all bounty hunters connect to the system through a Synack VPN, which lets the company identify its own testers. "We will differentiate them from real attackers, and we can monitor them and take rudimentary measures to make sure nothing malicious is going on."
But Kaplan adds that ultimately it comes down to a matter of trust and reputation - just as it does when a company employs consultants or penetration testers to carry out a security assessment.
Synack's approach differs from Bugwolf's in that its engagements are much longer. "We run pilot scopes for about 90 days, but we hope our customers keep their programs running in perpetuity, as they are constantly adding new code to their platforms," Kaplan says. That makes Synack more similar to the type of ongoing bug bounty programs that Yahoo! or Facebook run, but it also means the programs are effectively open ended in terms of bounty budgets.
Kaplan doesn't believe that this is a problem, especially for larger companies. "If we uncover very critical vulnerabilities, then customers are happy to pay for them," he says.

Bug Bounty as a Service: Buying Advice

If you are considering using a bug bounty program as a service, here are some good questions to ask potential vendors:
  • Duration: How long will the bug hunting program last?
  • Vetting: What vetting procedures are carried out to ensure that bounty hunters are security experts and have good reputations?
  • Quantity: How many eyeballs will scrutinize your apps?
  • Monitoring: Do bounty hunters participate through a controlled testing platform? Does the platform allow for monitoring or measures such as throttling to prevent service disruption if required?
  • Budget: Will the program be a fixed budget or an open-ended one?
  • Reporting: What sort of bug reports and other documentation is provided, either on an ongoing basis or at the conclusion of the test?

Lee: Asean must work together to combat cyber threats

ASEAN nations must cooperate to strengthen their defences against hackers, who threatened several member states in the past two weeks, said Prime Minister Lee Hsien Loong.
“We must not condone such malicious and harmful behaviour,” he said, at the opening of the 13th Asean Telecommunications and Information Technology Ministers Meeting (Telmin) yesterday. The annual meeting promotes regional cooperation in infocomm efforts to strengthen regional economies and social development.
Hackers compromised websites in Thailand, Philippines and Singapore over the past two weeks. Malaysia and Indonesia were also targets.
“We must strengthen our defences and cooperate to deal with these common threats,” he said.
Singapore has arrested some of the people suspected in connection with the hacking incidents in Singapore. Condemning these acts as a crime, Lee said: “It is not a prank when someone hacks websites and intrudes into computer systems ... At a minimum it inconveniences the public, but potentially it has much graver consequences; it can damage infrastructure and endanger lives.”
That is what happens when, for example, the electricity grid or a hospital management system stops working. He also urged citizens to speak up against such acts, and to express their disapproval of those responsible, or of others who have supported the perpetrators.
In his opening address, Lee also touched on the need for Asean countries to “accelerate” the harmonisation of airwaves in the 700MHz band, currently used for TV broadcasting, so they can be recycled for mobile broadband purposes.
By agreeing on a common spectrum, regional mobile roaming can take place with minimal signal interference along coast lines.
So far, four out of eight Asean member nations – Brunei, Indonesia, Malaysia and Singapore – have committed to the plan to use the 700MHz spectrum, expected to be freed up when the switch from analogue to digital TV broadcasting takes place over the next few years. — The Straits Times / Asia News Network

Know Your Enemy: Tracking A Rapidly Evolving APT Actor

Between Oct. 24–25 FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin@338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance, and economic policy. These two attacks utilized different malware families and demonstrate an ability to quickly adapt techniques, tactics, and procedures (TTPs).
Investor Guide and Contact List Lure
On Friday Oct. 25, 2013, FireEye detected an attempted targeted campaign against the following:
  • The Central Bank of a Western European government
  • An International organization involved in trade, economic, and financial policy
  • A U.S.-based think tank
  • A high-ranking government official for a country in the Far East
This spear-phish email, shown in Figure 1, contained a malicious Word document attachment that exploited the CVE-2012-0158 vulnerability.
Figure 1: Spear-phish email used in a recent admin@338 attack
The malicious Word document had the following properties:
  • File: Investor Relations Contacts.doc
  • MD5: 875767086897e90fb47a021b45e161b2
Upon opening the file, a malicious executable with the MD5 hash value of c5d8b7c8e2f50b171840e071f8a079b6 is written to C:\Windows\wmiserver.exe and executed. This executable is a variant of the Bozok RAT, configured to connect to its command-and-control (CnC) server at microsoft.mrbasic.com and www.microsoft.mrbasic.com with the Bozok connection password “wwwst@Admin”. We observed the domain microsoft.mrbasic.com resolving to 58.64.153.157 on Oct. 26, 2013.
Bozok RAT Capabilities and Behavior
Bozok, like many other popular RATs, is freely available [2]. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.
Unlike SS-RAT, Bozok is still actively maintained, with two new updates released in October that fixed some bugs and added language support for Spanish, Arabic, Bulgarian, Polish, and French. These and other improvements have made Bozok intuitive and easy to use. As shown in Figure 2, it features an easy-to-navigate graphical user interface that enables operators to point and click their way through the entrenchment, lateral movement, and exfiltration process.
Figure 2: The Bozok interface

Once an endpoint is infected with Bozok, the attacker can do the following:
  • Upload and download files to and from the target’s machine
  • Launch and kill processes
  • Modify the registry
  • Grab stored passwords
Attackers can also use the Bozok graphical user interface to run arbitrary shell commands on the target machines, as shown in Figure 3.
Figure 3: Running shell commands with Bozok.
A DLL plugin — which can be downloaded and loaded through the Bozok GUI control panel onto the infected endpoint — extends the RAT’s functionality with the following commands:
  • StartVNC
  • StopVNC
  • StartWebcam
  • StopWebcam
  • SendCamList
  • IsWebcam
  • DeleteKeylog
  • GetKeylog
  • StopKeylog
  • QueryScreen
Bozok stores its configuration parameters in the resource section of the executable file. The parameters are contained in a PE manifest called “CFG”. The configuration for the Bozok variant from the current attack (wmiserver.exe c5d8b7c8e2f50b171840e071f8a079b6) is shown in Figure 4.
Figure 4: Bozok PE manifest
The following parameters are stored in this manifest:
  • ID = aubok
  • Mutex = 801JsYqFulHpg
  • Filename = wmiserver.exe
  • Startup Entry Name = wmiupdate
  • Plugin filename = ext.dat
  • Connection password = wwwst@Admin
  • Connection port = 80
  • Connection servers = www.microsoft.mrbasic.com, microsoft.mrbasic.com

These parameters are configured at the build time of the RAT. The mutex is randomly generated at the build time of the RAT and is used to ensure that only one copy of the malware is running on a targeted machine.
Upon initial infection, Bozok emits the outgoing initial network beacon traffic shown in Figure 5.
Figure 5: Bozok beacon traffic
The beacon begins with the length of the packet, stored as a little-endian value in the first four bytes (offsets 0 to 4). The data that follows is a wide string with pipe separators, laid out as follows:
LengthofData | Hostname | Username | ID | LocaleInfo | OS Version | RAT Version | 0 | 2 | ConnectionPassword | IdleTime | ActiveWindowName
The beacon also carries the hardcoded connection password “wwwst@Admin”, which is used to authenticate when the implant connects to its GUI control panel.
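The beacon layout described above, parsed in Python as an added example for detection work (not FireEye's code). It assumes the 4-byte length prefix counts only the bytes after it, that the wide string is UTF-16LE, and that fields are separated by a bare "|"; the sample beacon values are constructed.

```python
"""Parser and matcher for the Bozok RAT initial beacon described above.

Added example, not FireEye's code. Labelled assumptions: the little-endian
length prefix counts only the bytes that follow it, the "wide string" body is
UTF-16LE, and fields are separated by a bare '|' with no surrounding spaces.
"""
import struct

# Field order exactly as listed in the write-up.
BOZOK_FIELDS = [
    "length_of_data", "hostname", "username", "id", "locale_info",
    "os_version", "rat_version", "const_0", "const_2",
    "connection_password", "idle_time", "active_window_name",
]

# Connection passwords the write-up ties to admin@338 Bozok samples.
ADMIN338_PASSWORDS = {"wwwst@Admin", "gwxpass"}


def build_beacon(values):
    """Assemble a beacon from field values (used here to construct test data)."""
    body = "|".join(values).encode("utf-16-le")
    return struct.pack("<I", len(body)) + body


def parse_bozok_beacon(data):
    """Return the beacon fields as a dict, or raise ValueError if malformed."""
    if len(data) < 4:
        raise ValueError("too short for a length prefix")
    (length,) = struct.unpack_from("<I", data, 0)
    body = data[4:4 + length]
    # A truncated capture or a non-Bozok packet fails the length check.
    if len(body) != length or length % 2:
        raise ValueError("length prefix does not match payload")
    try:
        text = body.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError("body is not UTF-16LE") from exc
    parts = [p.strip() for p in text.split("|")]
    if len(parts) != len(BOZOK_FIELDS):
        raise ValueError(f"expected {len(BOZOK_FIELDS)} fields, got {len(parts)}")
    fields = dict(zip(BOZOK_FIELDS, parts))
    # The two constant fields are fixed at "0" and "2" in the observed layout.
    if (fields["const_0"], fields["const_2"]) != ("0", "2"):
        raise ValueError("constant marker fields do not match the Bozok layout")
    return fields


def matches_admin338(fields):
    """True when the beacon carries a password tied to admin@338 samples."""
    return fields["connection_password"] in ADMIN338_PASSWORDS


def utf16le_hex(s):
    """Hex of a string as it appears on the wire, usable as a byte-match signature."""
    return s.encode("utf-16-le").hex()


# Constructed sample beacon mirroring the configuration in the write-up
# (ID and password from the page; host, user, OS and RAT version are made up).
SAMPLE_VALUES = ["0", "WIN-FINANCE01", "jdoe", "aubok", "en-US", "6.1", "1.4",
                 "0", "2", "wwwst@Admin", "0", "Investor Relations Contacts.doc - Word"]
SAMPLE_BEACON = build_beacon(SAMPLE_VALUES)

if __name__ == "__main__":
    parsed = parse_bozok_beacon(SAMPLE_BEACON)
    print(parsed)
    print("admin@338 password match:", matches_admin338(parsed))
    print("wire signature for wwwst@Admin:", utf16le_hex("wwwst@Admin"))
```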
Attribution
We have attributed this attack to the admin@338 actor that we described in our report Poison Ivy: Assessing Damage and Extracting Intelligence [3]. The admin@338 actor has also used the same “wwwst@Admin” string as a password in previously observed Poison Ivy samples used in targeted attacks. For example, the file SnowdenBook.doc (MD5: d40f50d37d51f6cd92e98c4da4e066ff) dropped a Poison Ivy sample that used “wwwst@Admin” as a password.
Additionally, the CnC IP of 58.64.153.157, used by the Bozok variant (MD5: c5d8b7c8e2f50b171840e071f8a079b6) dropped by the Investor Relations Contacts.doc lure has also hosted a number of other CnC domains linked to the admin@338 actor. On Oct. 27, 2013 we observed the following known admin@338 domains resolving to 58.64.153.157:
We previously detected the same admin@338 actor using the Bozok RAT on Jan. 6, 2013. In this attack, the admin@338 actor emailed the malicious spreadsheet EcoMissionList.xls (MD5: f10e89c194742a9ad98efbf1650084f3) to the same international organization involved in trade, economic, and financial policy targeted by the more recent Investor Relations Contacts.doc lure (MD5: 875767086897e90fb47a021b45e161b2). The malicious EcoMissionList.xls spreadsheet dropped a Bozok variant with an MD5 of a45d3564d1fa27161b33712f035a5962. This Bozok implant connected to CnC servers at www.microsoftupdate.dynssl.com with the password of “gwxpass”. A previous admin@338 Poison Ivy sample (MD5: d22e974b348be44dde5566267250ff0e) was configured with the similar password “gwx@338”.
Investor Relations Contacts-AsiaPacific Lure
During our investigation of the most recent Bozok sample within Investor Relations Contacts.doc, we discovered a related attack that occurred on Oct. 24, 2013 — one day before the wave of Bozok-fueled spear phishes. This attack also utilized spear phishing as a delivery mechanism by sending the following malicious document to the same U.S.-based think tank targeted by admin@338 with the Bozok RAT on Oct. 25:
  • File: Investor Relations Contacts-AsiaPacific.doc
  • MD5: c6de1ca261662aca6b8a782075a8671f
The malicious document dropped an implant with the MD5 f7fb380f2b0c22c12f605ce9b4b162f2 to C:\Documents and Settings\admin\Application Data\svchost.exe. We detect this implant as Backdoor.APT.FakeWinHTTPHelper. This sample connected to CnC servers at www.dpmc.dynssl.com and www.dataupdate.dynssl.com.
The domain www.dpmc.dynssl.com resolved to Oct. 24, 2013, and www.dataupdate.dynssl.com resolved to 58.64.153.157 on Oct. 21, 2013.
Though the Oct. 24 attack did not use the Bozok RAT, it is likely that the admin@338 actor was also responsible for this attempted intrusion for the following reasons:
  • We have previously observed the admin@338 actor use Backdoor.APT.FakeWinHTTPHelper in targeted attacks.
  • The same 58.64.153.157 IP address was used in both attacks.
  • The same U.S.-based think tank was targeted in both attacks.
Conclusions
These consecutive incidents, Backdoor.APT.FakeWinHTTPHelper on Oct. 24 and Bozok RAT on Oct. 25, demonstrate that the admin@338 actor has the ability to rapidly alter TTPs. Further, the admin@338 actor can integrate publicly available RATs such as Poison Ivy and Bozok as well as custom RATs such as Backdoor.APT.FakeWinHTTPHelper into their arsenal. Organizations must be prepared to defend themselves from this wide array of attacks.
Footnotes:
[1] For more on admin@338, see our previous blog entry on Poison Ivy at http://www.fireeye.com/blog/technical/targeted-attack/2013/08/pivy-assessing-damage-and-extracting-intel.html
[2] http://ss-rat.blogspot.com/
[3] This report is available at http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

Six Degrees of Separation: Why Your Data is More Valuable than You Think

When discussing data security, I often hear statements shrugging off potential threats:
  • “We aren’t a bank — there’s nothing to steal.”
  • “Everything we have is public record.”
  • “Our projects are so big nobody would benefit from stealing the contracts. Only one company is big enough to take it.”
These statements show a clear lack of recognition of the end-goals and the techniques, tactics and procedures (TTPs) used by the modern threat actor.
Let's take a moment to consider what the value of any piece of data might be to the organized and technically advanced teams of people who orchestrate global cyber attack campaigns. The least obvious data snippets could help these groups infiltrate your network.
And the goal of the threat actor could be any number of things — financial or otherwise. Cybercrime is not exclusively a “for-profit” business; hacktivism, for example, remains a serious problem in many parts of the world.
Play the six degrees of separation game with your own LinkedIn account, Facebook account, or address book. Six connections from your Facebook profile to, say, the CEO of a global company isn’t difficult to imagine. And it’s safe to say that, in your address book, you are six or fewer hops away from your office’s network administrator. The possibilities are endless. Those natural connections could all be stepping stones in the cyber attacker’s path to the ultimate target.

Sweat the details

The smallest details can help a cybercriminal fabricate a more believable email or more effective social engineering tactic to help in an attack. Having a signature with the right phone numbers at the bottom of an email could make the difference between a phishing email being opened or reported as malicious.
Examples include:
  • An address book from a system that includes the organizational structure of a team, giving threat actors a whole group of people to target
  • Internal company URLs from your address book that provide a network map or information on the types of systems being used
All of these pieces of information can be used by cyber attackers to build a virtual dossier of targets: a profile of how they interact, interconnect, communicate, and behave.

Your data can be used in ways you never expect

The art of reconnaissance is alive and well and it is regularly being exploited to the maximum by threat actors large and small. Those serious about stealing information or wreaking havoc do not always smash their way into networks and systems with brute force. Instead, they are stealthy, ingenious — and more than happy to play the waiting game to get to the information they seek.
The immediate business risk posed by losing information must play a large part in the security equation. Assuming that you’re safe because the content of your PCs or database offers no obvious financial gain overlooks the real reasons that many organizations or networks are infiltrated and exploited.
Cyber attackers understand precisely how valuable your data is. You should, too.

FBI: Cyber-attacks surpassing terrorism as major domestic threat

FBI Director James Comey testifies before the Senate Homeland Security Committee hearing on "Threats to the Homeland", on Capitol Hill in Washington November 14, 2013. (Reuters / Yuri Gripas)
Cyber-attacks are increasingly becoming the primary threat against the United States, according to the head of the FBI.
During his first testimony as the new FBI director, James Comey told Congress on Thursday that while the threat of traditional terrorist strikes inside the United States is now lower than it was before 2001, the potential threat from cyber-attacks continues to rise.
“That’s where the bad guys will go,” Comey said, as quoted by the Guardian. “There are no safe neighborhoods. All of us are neighbors [online].”
Comey’s comments were echoed by Rand Beers, the acting secretary for the Department of Homeland Security, and Matt Olsen, the director of the National Counterterrorism Center, both of whom also testified before the Senate Homeland Security and Government Affairs Committee.
The three officials agreed that while the potential for an attack on the scale of 9/11 is more likely to occur overseas, Congress should be wary of rolling back surveillance programs like the one employed by the National Security Agency. Over the next decade, cyber-attacks are likely to become the primary domestic threat, they said.
The officials added that any changes to the US surveillance program should be on the “margins,” and not directly affect the agencies’ “core capabilities.”
In fact, Beers and Comey both pushed Congress to expand the government’s power to gain access to data held by privately owned companies, with Beers suggesting that new legislation grant corporations liability protection for sharing sensitive information with federal agencies.
According to the Guardian, at least one senator, Tom Coburn (R-Okla.), expressed concern over the suggestion, saying that companies should have the chance to willingly cooperate with the government before being told to hand over data.
In 2008, the US passed legislation protecting telecommunications companies and internet providers helping the government conduct warrantless surveillance from privacy lawsuits.
USA Today reported that the officials noted how difficult it is to detect self-radicalized terrorists, and that Americans are urged to report something suspicious when they see it.
"The challenge of the home-grown violent extremist is that [the person] really doesn't hit all the trip wires,'' Olsen said.

How to Recognize and Avoid Phishing Emails and Links

SecurityWatch: "We talk about phishing a lot on SecurityWatch. While we regularly warn readers to not fall for phishing scams, it got us thinking: how many people know how to recognize a phishing scam?
Phishing is a serious problem. Statistics from RSA claim there were 445,000 phishing sites in 2012, double what was found in 2011. It is safe to assume that 2013 will show another increase, said Corey Nachreiner, a director of security strategy at WatchGuard. Kaspersky Lab found that scammers pretended to be from major companies such as Apple, Yahoo, Google, Amazon, eBay, Twitter, Instagram, and Skype to trick users into clicking on a malicious link as part of a wide-spread spam campaign in the third quarter.
"Phishing has really blown up," Nachreiner said.
The problem is that it is getting harder and harder to recognize a phishing attack. Ten years ago, most phishing scams were fairly easy to recognize. In most cases, the emails and sites looked fake, or there was something that was just "off." That is no longer the case, as cyber-criminals are paying attention to what the real versions of the emails and sites look like, and making sure their creations closely mimic the original, Nachreiner said. The criminals frequently use the same images and logo as the company they are impersonating and adopt similar language. They also frequently use similar layouts and templates, so that at first glance, these emails and sites look real.
Here are some tips on how to avoid going to such sites in the first place.
Who Is It Sent To?
Check who the email has been sent to. Are lots of other users included in the cc: or to: fields that you don't recognize? Most retailers use applications such as Mailchimp, so you will rarely see who else is on the mailing list. If you do see other addresses, it's worth being a little careful and skeptical.
Perhaps the email has been sent to several people all within the same organization or with the same domain. This should be a red flag, especially if you see addresses for webmaster or administrator. This is an indication that the sender is just trying a whole range of addresses in hopes of getting someone to click on the link. If you see a work-related email (say someone claiming to be a job applicant or a potential client), and the sender also sent it to your company's webmaster address, odds are it's not an email you need to see. Forward it to your IT department.
Never Click on Links
Users should never click on links in their emails, especially if it is an email they didn't request. Don't click on a link from DHL or other shipping delivery services. Don't click on a link claiming to be from Amazon or LinkedIn. "Just manually type the URL to the site you need to go to, and look for the information directly on the site," Nachreiner recommended.
If the email is telling you about a shipment delivered, or even more commonly, an error with a shipment (that you don't know about), go to the shipper's Website directly and enter the tracking information there. If it is a special shopping deal, see if you can find mention of the sale on the site, usually under "New Offers" or something similar.
Hover Over Links
What if you have to click on that link? Maybe that email is offering a sales promotion only for people who are on the mailing list and can't be found on the Website. Or it's your favorite buddy on Twitter with something you really need to see. One quick way to check whether it is safe to click is to hover over the link with your mouse. Don't click, just wait to see what the full URL is. A box should appear under the mouse, or at the bottom of your browser or mail application. Criminals can easily type paypal.com on the body of the email, but actually point you to a fakedomain.net address. Hovering over the link lets you look at where the link is actually taking you.
For example, you may think this link is going to http://pcmag.com, but it's actually going to take you to our sister site, Computer Shopper.
If the domain is showing up as an IP address or some other name, that is a big give away, Nachreiner said. "Companies like to use words, not numbers, in their domain names," Nachreiner said.
Read the Domain Carefully
Read the domain name carefully, because many criminals like to use misspelled names, such as paypl.com, ctibank.com, and even factbook.com. At first glance, they look correct, but are just there to trap the unwary.
Another trick scammers use is to create a really long URL, with the name of the company being spoofed somewhere in the link. So something like blah.ru/lots/of/words/andthen/paypal.com may trick users into thinking it is a PayPal-affiliated site. Another variation is to create a subdomain such as ebay.com.blah.com.
Verify Links
Perhaps you've hovered over the links, read the URL, and it still looks legit. Or maybe the URL from Twitter is using a URL shortening service such as bit.ly, t.co, etc, so hovering doesn't help. You can cut-and-paste that link into getlinkinfo.com, a site that follows the link for you and tells you all the redirects. With getlinkinfo.com, you can confirm that yes, this email really is showing you special offers for Amazon customers and is not an attempt to steal your Amazon credentials.
If getlinkinfo.com returns a long list of URLs, "that should up your suspicion meter," Nachreiner said, since that is a sign you are bouncing around multiple sites before you see the actual Website. They may be marketing-related or potentially be trying to serve up malware.
Sucuri offers SiteCheck (http://sitecheck.sucuri.net/scanner/), a free Website malware scanner that checks to make sure the site you are going to is not infected. If you aren't sure about a specific link, you can copy-and-paste the link into the box on the site and click on the "Scan Website" button. It will scan the site and let you know if there's any malware lurking.
If it is a bit.ly link, you can also use the "preview" function. If you type in the shortened bit.ly URL in your browser window and add a "+" at the end, you can see who created the link, what site it is pointing to, and other statistics about the link. It's a nifty way to check these short links.
Think Smart
"In a lot of cases, you are going to know where you are going just by hovering over the link," Nachreiner said. "For other cases, these services can be helpful."
The best way to make sure you don't get phished is to not visit a phishing site at all. If you enter your login credentials or your sensitive information into a site and hit enter, the damage is already done. At that point, you have to change your passwords and contact your banks. The best time to stop a phishing attack is before you even get to the site."
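The domain tricks the article walks through (an IP address instead of a name, a brand used as a subdomain such as ebay.com.blah.com, a brand name buried in the path, and misspellings like paypl.com) can be turned into a small link-inspection heuristic. The following is an added example, not from SecurityWatch or WatchGuard; the brand list is constructed, and it assumes the registrable domain is the last two DNS labels (a real tool would use the Public Suffix List so that hosts under co.uk and similar suffixes are handled correctly).

```python
"""Heuristic link inspection for the URL tricks described in the article.

Added example. It flags: an IP address as the host, a brand domain used as a
subdomain of an unrelated domain, a brand name in the path rather than the
host, and near-misspellings of a brand domain. Assumption: the registrable
domain is the last two labels (no Public Suffix List).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brand domains to compare against.
BRANDS = ("paypal.com", "citibank.com", "facebook.com", "ebay.com", "amazon.com")


def registrable_domain(host):
    """Last two DNS labels of a host name (see assumption above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(url, brands=BRANDS):
    """Return the list of reasons a link looks deceptive; an empty list means none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP address")
        reg = host
    except ValueError:
        reg = registrable_domain(host)
    if reg in brands:
        return reasons  # the link really is on the brand's own domain
    rest = (parts.path + "?" + parts.query).lower()
    for brand in brands:
        name = brand.split(".")[0]
        if ("." + host).find("." + brand + ".") != -1:
            # e.g. ebay.com.blah.com: the brand is only a label under someone else's domain
            reasons.append(f"{brand} appears as a subdomain of {reg}")
        elif name in rest:
            # e.g. blah.ru/lots/of/words/andthen/paypal.com
            reasons.append(f"'{name}' appears in the path but the host is {reg}")
        elif edit_distance(reg, brand) <= 2:
            # e.g. paypl.com, ctibank.com, factbook.com
            reasons.append(f"{reg} is a near-misspelling of {brand}")
    return reasons


if __name__ == "__main__":
    for link in ("http://www.paypal.com/signin", "http://paypl.com/login",
                 "http://ebay.com.blah.com/", "http://blah.ru/lots/of/words/andthen/paypal.com",
                 "http://192.168.0.10/paypal/login"):
        print(link, "->", inspect_link(link) or "nothing flagged")
```

The checks are heuristics in the spirit of "up your suspicion meter": a flagged link deserves a closer look, and an unflagged one is not proven safe.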

Cracked.com Had Malware; Clean Up Your Computer Now!

If you've visited popular humor website Cracked.com over the last few days, it's possible you may have been hit by a drive-by-download attack, according to researchers at Barracuda Labs. Scan your computer right away!
A researcher discovered on Nov. 10 that Cracked.com was hosting a drive-by download which delivered malware to site visitors with vulnerable systems, Barracuda Networks researchers Daniel Peck and Paul Royal wrote on the Barracuda Labs blog. It appears the attackers may have had access to the site as early as Nov. 4.
A drive-by-download occurs when malicious code on the Web page targets vulnerabilities in the software running on a user's computer. Unlike other Web-based attacks which require a user to click on a link or open a file, a drive-by can download malware or execute commands without any user action. The user is infected just by visiting the page.
A site administrator on Cracked.com posted to the user forums indicating the problem has been resolved as of Tuesday evening. "Yeah we stopped getting complaints about it and Google took us off the malware warning list or whatever was triggering it. Is anybody else getting it again?"
Barracuda's Peck confirmed to SecurityWatch that the site was not currently compromised, but said that after looking into past issues with Cracked.com, these kinds of attacks "appear to be a recurring problem for them."
Details of the Attack
In this case, malicious JavaScript code on Cracked.com would request a malicious page from a different site owned by the attackers called crackedcdm.com. At this point, the attack page uses "a blend of malicious PDF, Java, and HTML/JavaScript files" to try to compromise the browser. Once the browser is compromised, the malware downloads and installs itself. At the time of publication, 24 out of 47 major antivirus vendors detect the malware, according to VirusTotal.
The only indication the user has that something may be wrong is noticing that the Java plugin has launched and a message appears that the system is low on memory.
Barracuda Labs warns that "thousands of visitors" may have been exposed to the attack. Statistics collected by Alexa rank Cracked.com as the 289th most popular site in the United States, and 654th in the world.
Peck said that initial findings indicate the attackers were using techniques and exploits similar to what is found in the Nuclear Exploit Pack. Many of the antivirus vendors also appear to be detecting the malware as part of the Androm botnet, he noted.
Trusted Site
If you visited Cracked.com in the past 10 days, update your antivirus signatures and scan your machines right away. It appears several of the major antivirus suites, including Kaspersky Lab, F-Secure, Trend Micro, Symantec, McAfee, and BitDefender, updated their signatures today to detect this malware, according to VirusTotal.
Also make sure you are staying on top of the updates for popularly targeted software, such as Adobe Reader, Java, and your Web browser, since these drive-by downloads depend on your having unpatched software. Many Web browsers, such as Google Chrome, also display big red warning screens about malware being detected on the site. If you are receiving a malware warning from your security software or browser, take it seriously and don't access the site. That funny article will keep.
It appears from looking at the Cracked.com forum postings that many people saw the warning and clicked the "Proceed" button anyway to get to the site. Don't do that!
The fact that Cracked.com doesn't proactively alert site visitors about these incidents, or provide remediation steps to clean up the systems "tends to indicate that Cracked.com should be avoided if you're concerned with malware," Barracuda Labs concluded in its post.
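The two articles above share one defensive habit: find out where a link or a page resource really points before trusting it. The following Python script is an added example, not code from either article or from Barracuda Labs or WatchGuard. It parses a constructed HTML fragment (a phishing-style e-mail plus a page that pulls a script and an iframe from an unapproved host), flags anchors whose visible text names a different host than the href, points shortened links at the bit.ly "+" preview URL mentioned earlier, and reports scripts or iframes loaded from hosts outside a trusted set. All hostnames in the sample (`example-bank.com`, `cdn-lookalike.example`) are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not taken from the article: an HTML e-mail / page with
# a lookalike link, a shortened link, a legitimate link, and two resources
# pulled from a host the site owner never approved.
SAMPLE_HTML = """
<p>Your account needs attention:
<a href="http://login.example-bank.co/verify">https://www.example-bank.com/login</a></p>
<p>Deal of the day: <a href="http://bit.ly/abc123">bit.ly/abc123</a></p>
<p>Read more: <a href="https://www.example-bank.com/help">Help center</a></p>
<script src="https://cdn.example-bank.com/app.js"></script>
<script src="http://cdn-lookalike.example/loader.js"></script>
<iframe src="http://cdn-lookalike.example/landing.html"></iframe>
"""

# Hosts whose links are worth previewing rather than trusting at face value.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


class LinkAuditor(HTMLParser):
    """Collect every anchor (href plus visible text) and script/iframe source."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # (href, visible text)
        self.resources = []    # (tag, src)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._text = []
        elif tag in ("script", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare text like 'bit.ly/abc' (no scheme) is handled too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted):
    """True when host equals a trusted domain or is a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def audit(html, trusted):
    """Return (severity, message) findings: lookalike links, shortened links,
    and scripts/iframes loaded from hosts outside the trusted set."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if target in SHORTENERS:
            findings.append(("info", f"{href} is shortened; preview it at {href}+"))
        elif shown and shown != target:
            findings.append(("high", f"link text shows {shown} but goes to {target}"))
    for tag, src in parser.resources:
        host = host_of(src)
        if not is_trusted(host, trusted):
            findings.append(("high", f"<{tag}> loads from untrusted host {host}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_HTML, {"example-bank.com"}):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit reports the lookalike bank link, the shortened link with its "+" preview address, and both resources served from `cdn-lookalike.example`; the link to `www.example-bank.com/help` and the script from `cdn.example-bank.com` pass because the trusted set covers the domain and its subdomains. A site owner can run the same check over their own rendered pages on a schedule: a script or iframe source that suddenly appears from a host not on the list is exactly the signal that an injected redirect to an exploit page would give.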

Safer cyber-shopping! 12 tips for a happier Holiday Season

In Holiday Season 2013 we expect to see yet another year-on-year increase in the percentage of holiday shopping that happens online.
Naturally, that means more scammers will be looking to do some shopping of their own, at your expense. This might involve using your credit card and bank account to fund their gift-buying, or perhaps capturing and selling your personal information so they have some extra holiday cash.
Here are some tips that Cameron Camp and other ESET researchers have put together to help savvy cyber-shoppers avoid getting scammed while hunting for the best holiday deals online.
Clean up before you shop
Like the tune-up your car might be getting before a long drive to deliver holiday gifts to relatives, your laptop may need a little attention before going online for some power shopping. Give it some love, and improved protection, by updating and patching your browser and helper apps like plug-ins – and it might be worth checking to see that there aren't any bad ones in there, a trick cybercriminals have been employing this year, as per this We Live Security report. Patching your operating system and anti-malware suite too, before you shop, will help you avoid malware infections and scams, and keep you running smoothly throughout the season.
If you don’t recognize a shopping site, be careful
Buy from websites that have established a reputation for doing what they say, providing accurate descriptions of merchandise and delivering it in good shape and on time (user reviews can be good for this). If it’s this season’s must-have, you can bet cybercriminals will know that too – and this year, they have become increasingly adept at targeting scams on the dates people expect a new product – as reported by We Live Security here. When you’re getting down to the wire with shipping deadlines, the last thing you need is a less-than-stellar online retailer delivering gifts late, or mixing up orders among your friends and relatives, which could be worse than no gifts at all.
Logging into lots of sites? Don’t use your “real” password
Earlier this year, four out of five internet users admitted to being "locked" out of websites due to lost or forgotten passwords – and shopping binges can tempt you to reuse the same one, as you log in to site after site. Don't. If you are reusing a password, make sure it's a "throwaway", i.e. one unrelated to the important passwords you use for email, or for your bank. For good measure, why not use a throwaway email address as well, to cut down on promo emails after the holidays end.
If that price sounds insane, be wary

If it looks too good to be true, it probably is. It might be very tempting, but avoid following links that offer goods, services, or gift cards at impossibly cheap prices. They are just too risky. Even links that arrive as SMS messages – often offering 24-hour discounts – can be scams, as We Live Security reports here. Not all discount vendors are scammers, but ask yourself if the promised savings are worth the gamble (or use Google to search for the offer and/or vendor to see what others are saying).
Make sure it’s secure – and ideally, shop from a PC, not a phone
When you are in the ordering process on a website, check to make sure it is using SSL, the standard in secure transactions – often shown by browsers as a little lock symbol. If that isn’t there, check the URL. You should be able to see https or shttp in front of the web address instead of http. It’s far easier to do these checks on a PC, rather than smartphone or tablet browsers, so it’s worth sitting down, even if it is an impulse buy. Using SSL encrypts the exchange of information, such as your credit card, so eavesdroppers cannot read it. When in doubt, a quick search in Google for the word “scam” or “fraud” along with the site name should tell you if that site has a history of problems.
Be wary of deals that “expire tomorrow”
Watch out for URGENT deals that arrive in unsolicited email or purport to be from friends on social networking sites. This sort of scam appears everywhere – even on Pinterest, as We Live Security reported here. Exercise extra caution if the message uses broken English (or whatever your native language might be) or if it doesn’t seem quite right for some reason. If you think the deal is real, open a browser and type the name of the website directly into the address bar. This will keep you from getting swept away by scam links to fake websites built by cyber crooks that harvest your information and spirit it off to the underworld (the black market in stolen identity data).
Don’t shop at leaky hotspots
If you need to do any shopping over WiFi, at home or at a hotspot, make sure it is secure (look for the lock symbol in the WiFi connection dialog) – and in general, avoid shopping via public hotspots if at all possible. You're far safer using your 3G or 4G phone as a hotspot, as our detailed guide to safe browsing tells you here – and a little extra on your data bill is small change next to someone going wild on your credit card. The last thing you want is someone snatching your personal details out of thin air as you transmit them from your laptop (or smartphone or tablet).
Buying the latest gadget? Make sure it’s child-safe
Many gadgets already have built-in controls which can help you protect children from adult content – as detailed in our guide to family web use here. Be sure they're in place before children run off with their new gifts. Apple's iOS for iPhone, iPod touch and iPad contains a range of settings to restrict access based on age – including the ability to block in-app purchases, which can protect against "bill shock" if children buy extras within games. Amazon's Kindle Fire devices have a particularly impressive range of child protection options. Windows 8 PCs also have upgraded security controls for parents – visit the Family Safety area. It can monitor internet use and deliver reports each week on where your children have been surfing. Be sure to know which of your children's gadgets CAN go online – most games consoles can. Consoles such as Xbox and Nintendo DS have parental controls, which block children from inappropriate content. Use them – many parents don't.
Use a credit card
If you get scammed and try to get your money back you may have better luck with credit card transactions versus debit cards – credit cards often offer guarantees against fraud, whereas debit cards don't. Many vendors, whether at the mall or online, prefer debit cards because the transaction is cheaper for them. That's not your problem when holiday shopping. Credit cards can put an extra layer of protection in between you and the bad guys.
Too much information? Be afraid
Some malware is able to add questions to forms you use online, so if a shopping website is asking for Too Much Information relative to your purchase, like wanting your Social Security Number to complete a simple order for flowers, abandon the transaction and run an anti-malware scan right away.
Don’t expect money for answering questions
There are legitimate website satisfaction surveys, but when a window pops up promising you large amounts of cash or a $1,000 gift card just for answering a question like “Coke or Pepsi?” close it and move on (and do NOT enter your cellphone number, unless you are prepared to pay for premium services you never ordered). Scammers like to circulate these amazing offers via social media, too. ESET’s Social Media Scanner offers a quick, free way to check out links – or read our guide to spotting scams here.
Stay awake after the holidays
When the New Year lull sets in, there's a tendency to avoid looking at the credit card statements arriving by mail (or email). Maybe you were hoping that you didn't spend as much as you THINK you may have. But if you got scammed, that statement may be the first sign, so at least skim the statement to see if there are any transactions you don't recognize. For example, if you have never been to Russia and don't know anyone who lives on the outskirts of Moscow, it's a safe bet that any wire transfers or shipments of computer gear to the region are fraudulent, and the sooner you act, the more likely you are to recover your money.
Follow these simple tips and you should sleep a little better during the holiday shopping season. Remember, things will show up on your computer, as they do in life, that seem too good to be true. The holiday shopping season on the internet is no different. Caution may sound boring, but it can pay off. After all, if you feel you don’t have enough time to get your shopping done, you certainly don’t have time to start shopping all over if you do get scammed.

Dropbox rolls out secure business service

Cloud storage firm Dropbox has made a play for the business market, rolling out a new work-orientated service that it claims will offer administrators full control over stored data.
The new Dropbox for Business service was announced in a company blog post and is designed to make it easier for end users and IT managers to manage work and personal files. It claims to do this by letting users connect their work and personal Dropbox accounts.
"On one hand, people wanted to access their personal stuff at work; meanwhile, IT admins wanted to keep company data separate and free of personal files. Both needs were real, but people had to choose between two Dropboxes," read the post.
"We thought about this from scratch and designed a solution we're excited to share: connecting your personal Dropbox to your Dropbox for Business account. This will give you a personal Dropbox and a work Dropbox on all of your devices, so you'll never have to choose between them. It'll be like having your house keys and your work keycard on the same keychain."
In a follow-up post Dropbox's head of Product, Business and Mobile, Ilya Fushman, explained that the linked accounts will let users have full control of their personal files, while simultaneously letting administrators manage work data.
"With your new Dropbox for Business account, you can know exactly what's happening to corporate data, take action if something goes wrong and easily continue your business when employees move on. Most importantly, you can do all of this without putting your corporate data at risk," read the post.
"Each Dropbox will be properly labelled for personal or work, and come with its own password, contacts, settings and files."
The business service will also offer administrators increased visibility of what data is being shared, remote wipe powers and the ability to control access rights to files stored on the account.
The release follows widespread criticism of Dropbox security protocols. The service has suffered several data breaches over the past few years. F-Secure web reputation service expert Christine Bejerasco listed the popularity and insecure nature of services such as Dropbox as a key reason for the ongoing renaissance in malware development and distribution.