Tag archive for ‘Attack’

New Phishing and Malware Campaigns Use Ebola Virus Epidemic as Bait

by Alex - on Aug 18th 2014

Security researchers have identified multiple malicious campaigns leveraging mostly fake news or reports about the Ebola virus in order to deliver malware or steer users to phishing websites. A phishing operation caught by researchers from Symantec impersonates a communication from CNN containing breaking news about the virus, luring the potential victim...

This Phony ‘Anonymous’ Site Was Set Up to Trap Ferguson Hacktivists

by Alex - on Aug 13th 2014

As military police forces gather around Ferguson, trying to quell an angry, frustrated, and betrayed population, some people are taking their fight online. ‘OpFerguson’, spearheaded by members of the hacktivist collective Anonymous, launched a couple of days ago. One site popped up that gave those wishing to voice their...

1,600+ Accounts for eBay’s StubHub Hacked in $1 Million (€743,000) Fraud

by Alex - on Jul 24th 2014

Six individuals have been indicted in connection with a fraudulent scheme that involved hacking into more than 1,600 StubHub accounts and purchasing electronic tickets to high-profile events using the victims’ credit cards. The fraud has been estimated at $1 million / €743,000, and the profit from selling the stolen tickets was then laundered...

17-Year-Old Behind Norway DDoS Attacks This Week

by Alex - on Jul 11th 2014

On Thursday, Norwegian police arrested and charged a 17-year-old in connection with the recent massive distributed denial-of-service (DDoS) attacks directed at major financial institutions and other businesses in the country.

The teen, from the city of Bergen, on Norway’s west coast, claimed to be part of the hacktivist group Anonymous Norway, who, in a Twitter message, dismissed any connection to him or the DDoS incidents.

On the day of the attack, the teenager sent a letter to the media, claiming to be part of Anonymous and saying that “the motivation behind the current attacks and the next attacks in the future is to get the community to wake up. The number of major IT security attacks is increasing and there is nothing being done to prevent such events.”

Evidence that Anonymous Norway was not involved in the incidents is the fact that the boy joined the group’s Facebook page on the day of the attack. Furthermore, the hacker outfit provided a Pastebin link in a new tweet, pointing to the identity of the perpetrator; they did not create the post, they just scooped it up.

Initially, the youngster was charged with gross vandalism, which carries a maximum prison sentence of six years in Norway. However, since he has no record and is still a minor, the sentence is expected to be greatly reduced.

According to News in English, Frode Karlsen of the Bergen police told Norwegian Broadcasting that the authorities are taking the matter seriously because this sort of attack can have a significant impact on society, such as individuals being unable to reach emergency services when they need help.

After his arrest, the teen cooperated in the investigation and clarified the nature of his actions. His defense lawyer stated that “he’s sorry for having caused all this and has laid his cards on the table.”

The DDoS attack, which occurred on Tuesday, was considered among the largest ever seen in Norway and leveraged the vulnerable “pingback” WordPress feature. Its increased significance is due to the fact that it targeted layers three (network) and four (transport) of the OSI model, as well as layer seven (application), at the same time.

Mitigating an application-layer DDoS attack is not easy, because the requests are directed at the application interface and mimic legitimate behavior, which makes filtering out the bad traffic more difficult.

The attack aimed at disrupting the online services of major financial institutions in Norway (Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank), as well as other businesses, such as Scandinavian Airlines (SAS) and Norwegian Air.

The website of the largest telecommunications company in Norway, Telenor, was also affected.

Banker Trojan Bypasses SSL Mechanism

by Alex - on Jun 17th 2014

Security researchers appear to have bumped into a new remote access Trojan that manages to view encrypted traffic in plain text by routing the connection through the attackers’ domains.

Naming it Dyre or Dyreza, security researchers point out that the Trojan relies on browser hooking to intercept traffic and direct it to a command and control server owned by the attackers.

Because of this technique, the victim is unaware that information is being siphoned off to the cybercriminals, and the session continues to appear to run over HTTPS.

Security researcher Ronnie Tokazowski from PhishMe says that as soon as the threat reaches the victim’s computer, it initiates communication with several IP addresses. Once the conversation is established, it makes a request for the path “/publickey/”, whose purpose is at the moment shrouded in mystery; it then uses a GET request to deliver details about the operating system and receive what may be a command from the server.

When capturing the traffic for a simple search on Bing, Tokazowski found two POST requests instead of one, and the query was visible to the attacker. Simply put, the session could be hijacked; with the session cookie in their hands, bad actors could log in as the user.

With traffic under their control, cybercriminals can intercept user input to secure addresses, such as those for online banking, and view all the details in plain text. Stealing user credentials for financial websites is the obvious purpose of the malware.

“By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attackers page,” says Tokazowski.

According to Tokazowski, Dyre/Dyreza looks for queries to Bank of America, Citigroup, and the Royal Bank of Scotland. However, researchers at CSIS Security Group in Denmark discovered that Ulsterbank and Natwest are also among the targets.

Several of the command and control servers have been traced to Riga, Latvia, and accessing parts of the server showed that it had integrated a custom “money mule” panel.

CSIS notes that the malware is being delivered to victims through spam campaigns, but it can also reach its target via phishing pages that ask the user to update Adobe Flash Player in order to reveal the promised content.

At the moment, multiple antivirus products are able to protect machines from being infected with the Dyre/Dyreza Trojan, despite the authors’ efforts to avoid detection and prevent analysis.

Feedly and Evernote Servers Under DDoS Attack

by Alex - on Jun 12th 2014

In a post on the company’s blog, Feedly announced that its servers had suffered a distributed denial-of-service (DDoS) attack.

An update published a short while later said that the infrastructure had been modified so that the online service could be restored.

Using Twitter as a communication channel, Evernote, the popular note-taking service that integrates with Feedly, informed its followers of a similar problem; later on, the company managed to restore its services, which are up and running at the moment.

Evernote did not publish other details about the attack, but Feedly stated that the purpose of the service disruption was extortion.

“Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop,” the company says.

Security experts advise against giving in to ransom demands, in order to discourage criminals from such practices; this is exactly the course Feedly took, as its technicians worked to restore the service and cooperated with law enforcement to determine the group behind the attack.

“We refused to give in and are working with our network providers to mitigate the attack as best as we can,” says the initial blog post.

Users need not fear that personal details have been compromised, because the purpose of a distributed denial-of-service attack is to bring down servers by bombarding them with useless traffic that, at some point, the server can no longer process.

However, such activity can disguise a different type of attack, as was the case with the GameOver ZeuS botnet, which cybercriminals used to distract victims from noticing a cyberheist.

[UPDATE, June 12]: Feedly has published a new post on the company blog notifying users that the attack has been neutralized and that services are functional on all supported platforms. Bringing all users (40 million) back online may take a few hours, though.

If you are still not able to access feedly.com, your computer may be caching an old DNS entry. Flushing the DNS cache solves the problem.

Flash! We’ve only got 336 hours to save the world from a powerful computer attack!

by Alex - on Jun 5th 2014

Do we really have just two weeks before we’re hit by a powerful computer attack?

According to Britain’s National Crime Agency (NCA), internet users have a fortnight before the world’s nastiest cybercriminals will be ready to strike back after suffering a major setback this week.

On Monday, it was announced that the good guys in security had disrupted and disabled a global botnet and a ransomware scheme that the bad guys had been using to steal billions from businesses and consumers worldwide.

The international operation knocked out the servers used by hackers to control the GameOver Zeus financial botnet and the Cryptolocker ransomware scheme. Meanwhile, Russian hacker Evgeniy Bogachev has been accused of being the main ringleader behind the cybercrime operation, and a warrant has been issued for his arrest.

Following the news, the NCA advised that there is a “unique two-week opportunity” for the UK public to make their machines safe and secure from a powerful computer attack, but failed to explain exactly why.

What will happen in two weeks? Is the clock ticking down from 336 hours to a moment when all our computers will do something crazy?

I spoke to the NCA to find out more and a spokesman explained: “The operation has taken out one of the key botnets used by criminals and disrupted their time. The two-week guide is based on the likely time frame before they find their way around it”.

So basically, we have two weeks during which the criminals are scurrying around getting their houses back in order, and during which we can make our computers safe without any potential interference.

More than 15,000 machines in the UK are believed to have been infected by GameOver Zeus, so it is of course important that their owners get rid of any infection and protect themselves from future attacks. But I can’t help feeling that the NCA has caused a bit of a panic with its ‘two-week’ warning.

Yes, it is useful that we are regularly reminded to update anti-virus software, keep operating systems up to date, and use a secure firewall, but following on from eBay’s password change and the recent Heartbleed bug, essentially telling the UK public that it is two weeks away from a cyber attack seems a strange approach.

It’s not just me who thinks this: security expert Graham Cluley says he’d rather the NCA were a bit clearer with its advice.

“What’s odd about the NCA’s ‘two week’ advice is that they don’t appear to have explained WHY people only have two weeks to take action”, says Cluley. “Notably, there is no reference to the two week deadline in any of the US’s pronouncements about GameOver Zeus, so there is a question mark over why the next 14 days are so essential for UK victims, but not apparently the rest of the world”.

“My guess is that the malware looks for new control servers every few weeks, and that although the authorities have disrupted some of the criminal infrastructure there will be an opportunity for the bad guys to send infected PCs new commands in the near future. I’d really like it if the message was a little clearer, if only to quash those of us who are fatigued by multiple cybersecurity warnings in the past”.

Good security should be practised at all times, but the danger with sensational headlines is that we may become indifferent to future warnings.

How to stop Cryptolocker before the two weeks are up

by Alex - on Jun 5th 2014

Law enforcement from around the world came together last week in an impressive sinkholing operation designed to disrupt two of the most troublesome pieces of malware on the planet: Gameover Zeus and Cryptolocker. These two spent much of last winter tearing through computers around the world, encrypting all the files on the hard drive and demanding payment to restore them. The NCA has estimated that around 15,000 computers may currently be infected in the UK. Worldwide, the number runs into the millions.

Over the weekend, police managed to sinkhole the entire Gameover Zeus botnet infrastructure and seized control of Cryptolocker’s command-and-control servers. Great news for white hats everywhere. But then the UK’s National Cyber Crime Unit put out a perplexing piece of advice: users now have two weeks to protect themselves from these two cyber nasties. So what does that mean? Why two weeks? And what can you do to protect yourself?

Well, the answer is basically the same as it’s always been. There’s no special tool or patch that’ll keep you protected from Cryptolocker. It’s just pure, common-sense cyber security.

1. Keep Windows up to date

If you aren’t running Windows, stop right here. In fact, leave this article. Go read something else on ITProPortal, go wash the car or play with your kids. The two vicious botnets only affect Windows users, so this isn’t something you should worry about. There are still plenty of malware threats out there, though – so make sure to keep everything up to date anyway.

2. Watch your post box for warnings

Internet users in the UK who are thought to be infected will be receiving correspondence from their internet service provider (ISP) soon, warning them that they are at risk. This is pretty unprecedented, and

If you get one of these notices, you must act immediately.

“People should not only protect their computers, but also ensure that they back up their data regularly,” said security expert David Emm of Kaspersky. “This is particularly important in the case of ransomware. If you have a backup, even if you just manually drag-and-drop your files onto a USB drive, then you can avoid the need to pay the ransom if you do get infected with Cryptolocker.”

3. Perform proper security maintenance

GetSafeOnline.org has published a list of downloads it recommends to keep yourself protected.

Unfortunately, the massive demand for the service is causing the website to crash, and it’s been offline for about 24 hours now. Not very helpful, we know – but hopefully it’ll be up and running soon enough.

4. Use a password manager

Phishing gets a lot easier once the attacker has access to your personal data. Using long, complex passwords, and a different password for each site you access, will maximise your security on this front. If you’re not feeling up to that, why not get a password manager?

5. Don’t open suspicious links

How many times do we have to tell you? Don’t open them! If you don’t know where an email came from, don’t open it. If you weren’t expecting an email from a colleague, don’t open it. If the message in the text is generic and could have come from anyone, don’t open it.

Don’t rely on hovering over the link to see the URL, either – hackers are becoming more and more sophisticated at spoofing legitimate URLs in order to infect you with malware. This is the single most common attack vector, so protect yourself from fake emails and you’ll be laughing.

Final advice

The FBI and NCA’s two-week window is a bit of a vague guesstimate. They probably thought it would catch headlines (and it certainly has done that), but the message is always the same – make sure your antivirus software, your firewall, and everything else designed to protect you is up to date.