Archive for the ‘AVG News’ Category

April 6th, 2012

Weekly Threat Update: Week 14

1. eBay.co.uk listing redirecting bidders to exploit kit


AVG analysts have discovered an ebay.co.uk auction listing that is redirecting bidders to a Blackhole exploit kit.

April 5th, 2012

Mobile Threat Update: Week 14

Is “Private number” really private? Apparently not…

This week, the AVG Mobilation™ research team found a new PUP (Potentially Unwanted Program) named ‘441 Israel’ targeting Israeli users.

After our security research team reported this to Google, Google suspended the developer and removed the application.

The finding and analysis were done with the help of an independent security researcher named Avri Schneider.


Details:

The application was available for download from Google Play (called ‘Android Market’ until recently) and allows the reverse lookup of Israeli phone numbers.

Under the hood, the application uses the web service mentioned above to perform its queries.

The application requires the user to grant it access to the user’s contact list, as well as access to the internet, upon installation of the application.


Once installed, the application harvests all contacts of the user, and sends them over FTP to a server hosted in Houston, Texas, USA by ‘GoDaddy’.

The data sent by the application, in addition to the user’s contact list, includes the IMEI number of the Android device, and it is stored in the server’s database so that the contact list of a particular device can be listed.

The same server acts as an HTTP server, accepting queries from the application to perform reverse lookup requests.

For example, here we can see the information it tries to extract from the device:

Besides the fact that the application does not inform its user that it is sending the user’s entire contact list to the server, there is the issue of the security practices employed on the server to protect this private data.

The FTP credentials the application uses to authenticate before uploading a user’s private contact list are hard-coded in the application’s binary and are easily extracted.

The same FTP credentials have read and write access to the entire server side source tree, allowing the download of the entire database stored on the server.
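The hard-coded FTP login described above is the kind of defect a pre-release static check can catch. The following is an added example, not AVG’s or the application author’s code: it scans a constructed `strings`-style dump of an app binary (all hosts, user names and passwords in it are placeholders) for embedded `ftp://user:pass@host` URLs and reports them alongside the indicators that make an unannounced contact upload plausible, with the password redacted so the report never re-publishes the secret.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a strings dump of an app binary might contain.
# Host, user and password are placeholders, not values from the analysed app.
SAMPLE_STRINGS = """\
android.permission.READ_CONTACTS
android.permission.INTERNET
ftp://appuser:S3cretPass@ftp.example-placeholder.test/uploads/
http://ftp.example-placeholder.test/lookup.php?number=
org/apache/commons/net/ftp/FTPClient
getDeviceId
"""

FTP_CRED_RE = re.compile(r"ftp://([^:/@\s]+):([^@\s]+)@([^/\s]+)")
# Heuristic indicators (plain substring matches) that together suggest
# contact harvesting plus an FTP upload and IMEI collection.
INDICATORS = {
    "reads_contacts": "android.permission.READ_CONTACTS",
    "uses_internet": "android.permission.INTERNET",
    "ftp_client": "org/apache/commons/net/ftp/FTPClient",
    "reads_imei": "getDeviceId",
}

@dataclass
class Finding:
    host: str
    user: str
    password_redacted: str
    indicators: list

def redact(secret: str) -> str:
    """Keep only the length so a report never re-publishes the secret."""
    return "*" * len(secret)

def scan_strings(dump: str) -> list:
    """Return one Finding per embedded ftp://user:pass@host URL in the dump."""
    hits = [name for name, needle in INDICATORS.items() if needle in dump]
    findings = []
    for m in FTP_CRED_RE.finditer(dump):
        user, password, host = m.group(1), m.group(2), m.group(3)
        findings.append(Finding(host, user, redact(password), hits))
    return findings

if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"hard-coded FTP login {f.user}@{f.host} (password {f.password_redacted})")
        print("  related indicators:", ", ".join(f.indicators))
```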

The server includes an administration interface that allows the administrator (the author of the application) to search, add, edit and remove entries in the database.

The source tree on the server included database dumps, in the form of .sql files, of the various database tables, including the users table (holding the login credentials for the administrator user).

The records could include personal information, for example, banks and ATM related information, entrance and car alarm codes, passwords, police and governmental records and more.

The information can be used for targeted social-engineering attacks and for other malicious purposes.

April 4th, 2012

Adobe Reader CVE-2011-2462 Exploit analysis

The exploit

Used environment: Windows XP SP3 with Adobe Acrobat 9.4.6

This U3D memory corruption vulnerability (CVE-2011-2462) could cause an application crash and potentially allow an attacker to take control of the affected system. After the malicious PDF file is opened, a new process, pretty.exe, is created (this file varies from sample to sample). We can see this in Process Explorer:
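The tell-tale behaviour above, a PDF reader spawning an unexpected executable, is simple to turn into a detection rule. This is an added example, not part of AVG’s analysis: it runs over constructed process-creation events in a plain “parent=… child=…” text form (the paths, the allow-list of expected children and the log format are assumptions for this example, not real Sysmon or Process Explorer output) and alerts when Acrobat or Reader starts anything other than its own components, noting when the child was dropped in a Temp directory.

```python
import re
from dataclasses import dataclass

READER_PARENTS = ("acrord32.exe", "acrobat.exe")
# Children a PDF reader legitimately launches (constructed allow-list for
# this example, not Adobe's own list); anything else is flagged.
EXPECTED_CHILDREN = ("adobearm.exe", "acrord32.exe", "acrobat.exe")
EVENT_RE = re.compile(r"^(\S+ \S+) parent=(.+?) child=(.+)$")

@dataclass
class Alert:
    timestamp: str
    parent: str
    child: str
    from_temp: bool

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_reader_spawns(log: str) -> list:
    """Flag process-creation events where a PDF reader starts an unexpected child."""
    alerts = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a process-creation event we understand
        ts, parent, child = m.groups()
        if basename(parent) not in READER_PARENTS:
            continue
        if basename(child) in EXPECTED_CHILDREN:
            continue
        from_temp = "\\temp\\" in child.lower()
        alerts.append(Alert(ts, basename(parent), child, from_temp))
    return alerts

# Constructed sample events: one benign Reader update launch, one drop of
# pretty.exe into the user's Temp directory, one unrelated Explorer event.
SAMPLE_EVENTS = """\
2012-04-04 10:01:02 parent=C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe child=C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AdobeARM.exe
2012-04-04 10:01:05 parent=C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe child=C:\\Documents and Settings\\user\\Local Settings\\Temp\\pretty.exe
2012-04-04 10:02:00 parent=C:\\WINDOWS\\explorer.exe child=C:\\WINDOWS\\system32\\notepad.exe
"""

if __name__ == "__main__":
    for a in detect_reader_spawns(SAMPLE_EVENTS):
        where = " (dropped in Temp)" if a.from_temp else ""
        print(f"{a.timestamp}: {a.parent} spawned {a.child}{where}")
```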

March 30th, 2012

AVG Codeword: Vulnerability Patching

We’ve looked at the importance of “Patch Updates” recently and focused on Microsoft’s Patch Tuesday, when Microsoft provides users with often very essential updates to its Windows operating systems. When serious flaws or security loopholes open up, they need to be patched with remedial software code, and the update process for most users is quite automated and comparatively simple.

But it is important to note here that patching goes beyond Microsoft and beyond operating systems.
For companies who employ a formal IT manager role, the process of engineering patch detection into regular systems management is crucial. Patch detection should also be linked, from a process perspective, to patch distribution. It sounds obvious, but there is little worth in identifying security vulnerabilities if they are not subsequently mitigated.

For businesses looking to deploy what might be classified as an “end-to-end solution” that will comprehensively look after vulnerability and patch management, there are certain provisos and caveats to be aware of.
For small to medium sized businesses without a full time IT manager, there are lessons in security best practice here that are still universally relevant.

March 30th, 2012

AVG Web Threat weekly update: US.gov site serving rogues, Flash updates and exploits

AVG analysts spotted a script-injection hack on the web site of the District of Columbia, USA. The malicious change to the web page takes visitors to a variety of malicious downloads.

The USA capital Washington is in the District of Columbia. The intruders put script on the page that lists the D.C. “Directory of Agencies and Services.”

AVG has notified US-CERT of the intrusion.

March 29th, 2012

Mobile Threat Update: Be careful not to get a bite…

This week, the AVG Mobilation™ research team found new malware named ‘Crazy vampire’ in China.

The application is a maliciously modified version of a calendar application in which the developer added malicious code and changed the name, icon, signature, and UI.

The aim of the malware is to target Chinese users and get them to upgrade to the Premium service of the infected application.

March 22nd, 2012

AVG Web Threat Update: Week 12

1. Email messages impersonating LinkedIn correspondence used as lure to Blackhole sites

March 22nd, 2012

FBI warns of new Zeus-based malware phishing scam

What’s the story?

The FBI last week issued a warning about a new phishing scam known as “Gameover”. Should the malware gain access to your PC, it can steal usernames and passwords and even circumvent user authentication on banking web pages.

The FBI said it has seen an increase in the use of Gameover, which is an email phishing scheme using the names of prominent government financial institutions — the National Automated Clearing House Association (NACHA), the Federal Reserve Bank or the Federal Deposit Insurance Corporation (FDIC).

The FBI says Gameover is a more recent variant of the Zeus malware, which was created several years ago and was designed to specifically harvest banking information.

Who is affected?

Given that the scam is perpetrated via email, anyone could fall foul of this scheme.

Here’s how the FBI describes the scam: “Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there’s a problem with your bank account or a recent ACH transaction. (ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the U.S.) The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.”

How do I stay safe?

Make sure you do not fall prey to a phishing scam like this with AVG’s top three tips to staying safe.

  • Too Good To Be True

In these days of New Year sales it is tempting to open up an offer that seems too good to be true. More often than not, these “incredible offers” aren’t legit and you should exercise caution when investigating.

  • Trust Your Instinct

If you receive an email claiming you’ve paid nearly $300 for a flight that you’re unaware of, chances are that you haven’t. These tricks play on your insecurities; be confident in your actions online.

  • Get Protected

Getting a basic level of internet security can help protect you from phishing attacks and fraudsters by warning you when you are going to an unsafe site. AVG’s Linkscanner™ technology does this before you land on the page so that you are aware of the threat prior to exposure.


March 22nd, 2012

Murder retrial ordered after court records destroyed by virus

A convicted murderer has had his appeal for a retrial granted after the record of his trial, stored by the court stenographer, was apparently destroyed by a malware infection.

The convicted party, Randy Chaviano, 26, appealed against his 2009 conviction in a Florida court for shooting Charles Acosta during an alleged drug deal. When the Appeal Court discovered that almost no records of the trial still existed, the judge had no choice but to annul the conviction and order a retrial.

The court stenographer, present in 2009, was responsible for recording the minutes of the trial but had accidentally deleted the manually taken primary records; to compound the issue, the electronic backup stored on a PC was also destroyed by malware.

“The overturning of a murder conviction always means terrible pain for the victim’s family and frustration for prosecutors and police officers,” Ed Griffith of the Miami-Dade Attorney’s Office was reported as saying.

“Overturning a murder conviction because of a court reporter’s problem creates a brand new level of pain and frustration,” he said.

Although data can often be recovered from damaged or infected hard drives, authorities and specialised services have been unable to extract the necessary information.

March 22nd, 2012

Tablet thieves are more likely to use the data held on devices

With countless smartphones, tablets and other gadgets having appeared under Christmas trees, now is a good time for their new owners to think about what happens if they were to lose their new gadgets and how to protect the data they store on their devices.

AVG’s latest research* called Lost in Transit gives some helpful pointers as to what happens to gadgets and devices once they have been lost or stolen.

Our research, carried out by Research Now, questioned 5,000 people in 11 countries and looks at how people lose their gadgets. It reveals that smartphone theft is more frequently opportunistic, with thieves taking the phones while owners aren’t paying attention.

But when a thief does get their hands on your smartphone they are most likely to simply sell it on.

The story for tablets however is different. Unlike smartphones, tablets are still relatively new and have a novelty factor that phones don’t.

As a result, if someone gets their hands on your tablet the chances of them having a good look through it, accessing your data and using it is 28%, compared with just 9% for smartphones and 13% for laptops.

Once thieves do start accessing the data on your device, the consequences can be unpleasant.

Our research shows that in four in 10 (41%) cases where the data on a device was used against the owner, personal information was accessed.

In over one in three (36%) instances, bank details were stolen, while 37% had their passwords stolen.

Most worryingly, if they are able to, a lot of thieves will even post from your social media profiles. Where the thieves accessed and used the data, 39% of victims fell victim to social media status-jacking.
