Tuesday, September 28, 2010

Fake LinkedIn Emails Deliver Online Bank Theft Trojan Horse

KrebsOnSecurity reports that a "major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan," a well-known Trojan horse used in online bank thefts.

Krebs continues: "The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com. ... On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS."

This spam campaign is another illustration of how cybercriminals use social engineering to get users to take action (in this case clicking a link in an email) that bypasses normal defenses. As a general rule, it's a good idea to refuse to click on email links unless the sender is known to you. And even when you know the sender, you still must develop a new kind of "common sense" that recognizes the dangers associated with the Internet.

Monday, September 20, 2010

Security update available for Critical 0-Day Vulnerability in Adobe Flash Player

Adobe has released a security update to the Flash vulnerability we reported last week (Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability).

Adobe recommends all users of Adobe Flash Player 10.1.82.76 and earlier versions upgrade to the newest version 10.1.85.3 by downloading it from the Adobe Flash Player Download Center or by installing it via the auto-update mechanism within the product when prompted.

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
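The advisory above only makes sense if the installed version is compared correctly: "10.1.82.76 and earlier" is a numeric comparison on each dotted component, and treating the string as text gets it wrong (as text, "10.1.9.0" sorts after "10.1.85.3"). The following is an added example, not code from the original blog or from Adobe; the version numbers come from the advisories on this page (Flash 10.1.82.76 and earlier affected, fixed in 10.1.85.3; Reader/Acrobat 9.3.4 and earlier affected, for which the page gives no fix version), and the sample version strings, including the comma-separated form the About Flash Player page shows, are constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges quoted from the page's advisories. "last_vulnerable" is the
# highest version the advisory names as affected; "fixed" is the version it
# tells users to install (None where the page states no fix version).
ADVISORIES = {
    "CVE-2010-2884": {"product": "Adobe Flash Player",
                      "last_vulnerable": "10.1.82.76", "fixed": "10.1.85.3"},
    "CVE-2010-2883": {"product": "Adobe Reader/Acrobat",
                      "last_vulnerable": "9.3.4", "fixed": None},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.82.76', 'WIN 10,1,82,76' or '9.3.4' into a tuple of ints.

    The About Flash Player page prints versions with commas, so both '.' and ','
    are accepted as separators. Raises ValueError if no version is present.
    """
    match = re.search(r"\d+(?:[.,]\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in re.split(r"[.,]", match.group(0)))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Missing trailing components count as zero, so '10.1' == '10.1.0.0'.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def check_version(cve: str, installed: str) -> str:
    """Classify an installed version against one of the advisories above."""
    adv = ADVISORIES[cve]
    fixed: Optional[str] = adv["fixed"]
    if compare_versions(installed, adv["last_vulnerable"]) <= 0:
        return "vulnerable"
    if fixed is None:
        # The page names no fix version, so all we can say is that this build
        # is newer than the affected range it describes.
        return "outside affected range"
    if compare_versions(installed, fixed) >= 0:
        return "patched"
    # Newer than the last version named as affected, but older than the build
    # Adobe says to install: report it rather than silently calling it safe.
    return "unverified"


def lexical_comparison_is_wrong(a: str, b: str) -> bool:
    """True when comparing the two strings as text disagrees with numeric order."""
    lexical = (a > b) - (a < b)
    return lexical != compare_versions(a, b)


if __name__ == "__main__":
    # Constructed sample strings, in the forms a user might copy from the
    # About page or the right-click menu.
    samples = [("CVE-2010-2884", "WIN 10,1,82,76"), ("CVE-2010-2884", "10.1.85.3"),
               ("CVE-2010-2884", "10.1.83.0"), ("CVE-2010-2883", "9.3.4"),
               ("CVE-2010-2883", "9.4")]
    for cve, installed in samples:
        print(f"{cve} {ADVISORIES[cve]['product']} {installed}: "
              f"{check_version(cve, installed)}")
    print("text comparison wrong for 10.1.9.0 vs 10.1.85.3:",
          lexical_comparison_is_wrong("10.1.9.0", "10.1.85.3"))
```

Run the check once per browser, as the post advises, since each browser can carry its own Flash plugin build; the `unverified` result exists so that a build between the last affected version and the recommended one is surfaced rather than assumed safe.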

Friday, September 17, 2010

Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

Concerned with the growing threat from an estimated $105 billion illegal business, 300 top law enforcement officials from 56 countries met in Hong Kong for the first ever national police anti-cybercrime conference.

Ronald K. Noble, secretary general of Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

More on this story is available from Yahoo News.

Monday, September 13, 2010

Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability

Adobe has announced a critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability (CVE-2010-2884) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.

As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

Wednesday, September 8, 2010

Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability

Adobe has announced that a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX. The vulnerability is also present in Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

The vulnerability (CVE-2010-2883) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

Users are advised to take extra precautions in opening Adobe PDF files. As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

Saturday, September 4, 2010

What's More Powerful than a Strong Password?

Keyloggers are computer programs that capture every keystroke a user types. This includes user-ids and passwords to sensitive information, like a user's online bank account. When used by cybercriminals, these captured keystrokes are secretly transmitted back to the cybercriminal for their own dishonest use.

It was a keylogger that enabled cybercriminals to steal $400,000 from Village View Escrow last March. (See our blog post: e-Banking Bandits Target Title and Escrow Companies.) Most, if not all, of the online bank theft stories we've covered involve a keylogger used to steal online bank credentials.
 
There are several ways users can get their computers infected by a malicious keylogger. They are often surreptitiously installed as part of a virus or malware attack. Inadequately protected web sites can infect visitors with a keylogger. (See our blog post from April: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August: Network Solutions Once Again Serves Up Malware.) There are even physical keyloggers that can be installed on a user's workstation.

There are three specific things you need to do to keep a malicious keylogger off your workstation.
  1. Diligently keep your workstation updated with security fixes. This includes your operating system (Windows or Apple), your application programs (like Adobe Reader), and your browser add-ons (like Flash).
  2. Keep your anti-virus and anti-malware software up to date. Consider a modern intrusion prevention system able to counter the attacks that get by your anti-malware defenses.
  3. Be very suspicious of emails, particularly those containing attachments. If the email is not from someone you know and is not something you expect, then treat it the same way you would treat a suspicious package you discover ticking in an airport bathroom.

Today's New York Times has an up-to-date overview of some new thinking about password security: A Strong Password Isn’t the Strongest Security.

Apple's Ping Service for iTunes Hijacked by Scammers and Spammers

The good news is that iTunes 10 fixes a number of security vulnerabilities. The bad news is that Apple failed to pay enough attention to the security of its new Ping service, designed as a social network of iPhone users. Anti-malware developer Sophos is reporting that the service has been hit with a barrage of scams and spam messages in the days since the launch.

Friday, September 3, 2010

Cyberthieves Steal Nearly $1,000,000 from University of Virginia

KrebsOnSecurity reports that cyberthieves stole nearly $1,000,000 from a satellite campus of The University of Virginia. Krebs writes that sources familiar with the case had told him that thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

In an update published by the student newspaper, a University spokesperson said the money was stolen on August 25 but has since been recovered.