
Social Attack on Gamers Leads to a Drive-By Diab-load

2012-08-17


A Rube Goldberg-esque confidence scheme to infect computers with malware, targeting players of the popular online game Diablo III, has resulted in the alleged theft of a number of high-ranking players’ rare armor and other loot, as well as complaints to the game’s operator, Blizzard.

We found out about the scam in Blizzard’s own forums — the battle.net message board where players of several of Blizzard’s games hang out, share information, talk trash, and trade. What grabbed my attention was the detail with which people described the execution of the scam itself, which involved both technology and a gentle social grooming technique, in which the alleged scam artist befriends his target in the course of the attack.

Here’s how several alleged victims described the con: They teamed up with a random, friendly, affable, and capable player, who helped them fight through some tough battles. Afterward, the stranger and victim exchanged Skype contact information and proceeded to text chat over that service. In the course of the chat, the two discussed armor and weapon loadouts and sent one another links to in-game screenshots of their characters, posted to various free image hosting services. Only, one of those links was not like the others: the target eventually received a link from the stranger to a page that appears, at first glance, to be just another hosted image, but which was in fact a purpose-built replica of an ImageShack page hosting a malicious Java JAR application instead of a photo.

That was just the beginning of what turned out to be a surprisingly complex, but also (by the time I got to it) devastatingly broken, infection process.


ChapCrack’s Lesson: Computing Power Overwhelms Weak Crypto

2012-08-03


Some of the biggest news to come out of DEFCON 20 was coverage of Moxie Marlinspike’s latest evisceration of MS-CHAPv2 with his new tool, ChapCrack. The best-known papers on MS-CHAPv2’s weaknesses date back to 1999; it was, at the time, Microsoft’s “updated” version of its original challenge/response authentication protocol, and it remains widely used today, most visibly in PPTP VPNs and in PEAP-based wireless authentication.

What makes the story interesting, to me, comes down to two things: Moxie’s announcement that, for $200, his CloudCracker service will return the key that decrypts a captured MS-CHAPv2 session; and ChapCrack itself, a Python tool that automates the extraction of the plaintext and ciphertext an MS-CHAPv2 exchange hands to any eavesdropper, packages them for CloudCracker, and, once the recovered key material comes back, decrypts the captured traffic.

The availability of cloud computing resources not only makes this possible, it makes it practically a bargain. The weakness is structural rather than a matter of password strength: the 24-byte response is three DES encryptions of the same 8-byte value under keys carved from the 16-byte password hash, so recovering the hash costs the attacker one exhaustive DES key search (2^56 operations) however long the password is. Now that the recipe is public, MS-CHAPv2’s usefulness will degrade rapidly. As sufficient computing power trickles down into smaller devices, there might even be an App for that, someday.
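To make the structural weakness concrete, here is an added example in Go (not ChapCrack and not code from the post) that walks through the NT-Response computation from RFC 2759 and the two cheap attacker-side steps. The username, both challenges and the password hash are taken from the RFC 2759 test vectors; the hash is hard-coded because MD4 is not in Go’s standard library. The code recovers the last two bytes of the password hash with a 65536-try search and shows the check that lets a single pass over the DES keyspace recover the other fourteen bytes; it does not run that 2^56 search itself.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Sample exchange: username, both challenges and the NT password hash are the
// RFC 2759 test vectors (password "clientPass"). The hash is hard-coded because
// MD4 is not in the standard library; everything else is visible on the wire.
var (
	userName         = "User"
	authChallenge, _ = hex.DecodeString("5b5d7c7d7b3f2f3e3c2c602132262628")
	peerChallenge, _ = hex.DecodeString("21402324255e262a28295f2b3a337c7e")
	ntHash, _        = hex.DecodeString("44ebba8d5312b8d611474411f56989ae")
)

// expandDESKey spreads 7 key bytes over the 8-byte form the DES API wants; the
// inserted parity bits are ignored by DES, so the key is still only 56 bits.
func expandDESKey(k []byte) []byte {
	out := make([]byte, 8)
	out[0] = k[0]
	for i := 1; i < 7; i++ {
		out[i] = k[i-1]<<uint(8-i) | k[i]>>uint(i)
	}
	out[7] = k[6] << 1
	return out
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash is the 8-byte block every DES operation encrypts. All of its
// inputs travel in the clear, so an eavesdropper computes it too.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// splitNTHash is the step that breaks the scheme: the 16-byte hash becomes two
// full 7-byte DES keys plus a third key with only two non-zero bytes.
func splitNTHash(h []byte) (k1, k2, k3 []byte) {
	return h[0:7], h[7:14], append([]byte{h[14], h[15]}, 0, 0, 0, 0, 0)
}

// ntResponse is what the client sends: three DES encryptions of the same block.
func ntResponse(h, chash []byte) []byte {
	k1, k2, k3 := splitNTHash(h)
	r := append(desEncrypt(k1, chash), desEncrypt(k2, chash)...)
	return append(r, desEncrypt(k3, chash)...)
}

// recoverThirdKey brute-forces the last two hash bytes from the third
// ciphertext block: at most 65536 DES operations, milliseconds of work.
func recoverThirdKey(chash, response []byte) ([]byte, bool) {
	for cand := 0; cand < 1<<16; cand++ {
		k3 := []byte{byte(cand >> 8), byte(cand), 0, 0, 0, 0, 0}
		if bytes.Equal(desEncrypt(k3, chash), response[16:24]) {
			return k3[:2], true
		}
	}
	return nil, false
}

// keySlot is the test a single 2^56 search applies to each candidate key: both
// remaining ciphertexts encrypt the same block, so one pass over the keyspace
// checks each candidate against both and recovers k1 and k2 together.
func keySlot(cand7, chash, response []byte) int {
	ct := desEncrypt(cand7, chash)
	switch {
	case bytes.Equal(ct, response[0:8]):
		return 1
	case bytes.Equal(ct, response[8:16]):
		return 2
	}
	return 0
}

func main() {
	chash := challengeHash(peerChallenge, authChallenge, userName)
	resp := ntResponse(ntHash, chash)
	tail, ok := recoverThirdKey(chash, resp)
	k1, k2, _ := splitNTHash(ntHash)
	fmt.Printf("challenge hash %x\nresponse %x\nhash[14:16] via 2^16 search: %x (%v)\n", chash, resp, tail, ok)
	fmt.Println("true k1 -> slot", keySlot(k1, chash, resp), "true k2 -> slot", keySlot(k2, chash, resp))
}
```

The two bytes fall out instantly; what remains is a single DES key search over 2^56 candidates, each checked against two targets, which is exactly the job CloudCracker sells for $200.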


Self-Inflicted DNS, SSL Hijack Targets Less-Than-Ethical iPhone Users

2012-07-25


Joe Levy, Solera Networks’ CTO, stumbled upon a social engineering scam targeted at users of iOS or OS X at about the same time last week as a Russian blog and several news sites did. As a result, Apple is struggling to get the security of its in-app purchases working again.

In this instance, victims are asked to download and install bogus SSL certificates, including a fake Verisign CA certificate — bypassing several warnings in the process — and to modify their own DNS settings to point to servers under the control of an unknown third party. There is no technological bypass at work here: This is an entirely self-inflicted malady that comes about as a result of users making changes affecting the security of their own devices without understanding the consequences of those changes.

The person who operates the Web site at the center of the scheme, in-appstore.com, makes a convincing case for victims to modify their own DNS settings and install two bogus SSL certificates: ZonD80, also known as Alexey Borodin, promises that anyone who does so will be able to bypass Apple’s in-app purchasing through iTunes and obtain normally for-pay content at no cost. The site also offers handy, step-by-step instructions to, among other things, install a CA certificate purporting to be VeriSign’s. Because Borodin holds that CA’s private key, he can mint SSL certificates for any Web site he chooses, and a device that trusts the CA will accept them without a warning.

But this is a bigger issue than merely stealing in-app purchases (though, as of July 16th, it appears that it is still possible to do so). The longer-term, more significant threat here is not the abuse of Apple’s store, but the potential for users to easily (and in a hard-to-detect way) leak or lose control of sensitive personal information: with the attacker’s servers answering the device’s DNS queries and the attacker’s CA in its trust store, any TLS connection the device makes can be silently terminated and read by those servers.


Persistent Worm Fires Hotel Reservation Spam Volleys at UK Emails

2012-07-20


A self-perpetuating campaign to spam malware via email attachments has been rotating through the customary social engineering messages — mainly variations of the shipping confirmation scam — but switched gears to a new campaign using a fake hotel reservation confirmation email last week. The new scam presents the victim with a message purportedly from Priceline subsidiary booking.com, informing the recipient that “We have received a reservation for your hotel” — yes, you. Didn’t you know you owned or operated a hotel? Well, you do now, apparently, and when the guests arrive, Mr. Fawlty, don’t mention the war.

Like the earlier Trojan samples retrieved from this campaign — executables, wrapped in Zip files — that have trickled into my Darknet mailboxes over the past month, the hotel reservation malware hooks itself into wuauclt.exe, the Windows Update client application, a legitimate component of the operating system. Also like the earlier samples, this one receives its instructions from the same command-and-control server, loadmetoday.com, hosted (as I write this) in Russia by McHost.

The server hosting this CnC domain, at IP address 178.208.91.28, hosts one other domain, verisignme.com. Normally, I’m not inclined to assume the worst from a correlation such as this — I’ll wait until I’ve seen the domain engage in malicious activities — but the suspicious name gives me pause about the registrant’s motives.

Well, that and the fact that both domains are supposedly registered to Jimmy Carter, and I just don’t have a lot of confidence that the 39th President of the United States is behind shenanigans of this magnitude: The Trojan downloaded other bot clients that, in turn, connected to their own CnC servers and retrieved still more payloads, including SMTP spamming tools.


Ransomware Debuts New Java Exploit, Sends Victims Running for MoneyPak Cards

2012-07-10


A ransomware campaign running in the US, possibly an update to the Citadel scam publicized by the FBI last week, is infecting computers with a Trojan that does what ransomware does best: It makes a convincing case that the victim must pay the criminals in order to release the locked-down PC from the grip of the malware.

Luckily for victims, the malware itself is incredibly easy to defeat — at least for now (I’ll get to that near the end of the post). But the scam is much more elaborate than the screens-filled-with-text that earlier generation ransomware Trojans typically presented to the victim. And it appears that the exploit kit being used to deliver the malware is, in fact, exploiting a vulnerability in Java patched only last month.

The infection spreads by means of the Blackhole exploit kit, which pushes the ransomware Trojan down to the computer’s browser cache, then executes it. Once the Trojan executes, it immediately kills all running processes — including Explorer — and replaces the desktop with a stern-looking warning. The warning says it originates from the FBI, but this one came from a server located in the local ransomware criminals’ field office in St. Petersburg, Russia.

The warning message claims it originates from an intrusion prevention system based in a data center called GTS Central Europe. GTS is, in fact, a real ISP, but they don’t send warnings like this to people. The program uses an IP address lookup to populate a field that presents the victim with his or her own IP address, as well as the geolocation of that address. Ultimately it’s merely a gimmick, and not a particularly clever one at that.


Travel Tips to Protect Your Gear and Data

2012-07-06


It’s summer, which means a lot of us are on the road both for work and pleasure. I also have to take a lot more short business trips than I used to, and as a security geek, I seem to be perpetually carting around a pile of gadgets and devices, both for fun and to work. Someone recently asked me for some tips about what to do to keep devices and data safe while on the road, and I summarized a few tips, which I have expanded here.

Before You Go

Install any available security fixes, updates, and/or patches. Download and install all available critical OS updates before you leave home (preferably, before you back up the hard drive). But don’t stop there: If you use a third party browser, such as Firefox or Opera, be sure to grab the latest versions of those. Don’t forget to update things like Java, Flash, and the Acrobat Reader: applications often abused by exploit kits and used to deliver malware to unsuspecting computer users. Finally, check for security updates to other software, such as an office suite, an IM client, or chat programs like Skype. If your office lets you use a VPN to create secure connections, it’s a good idea to install the appropriate VPN software — and test it — before you leave.

While I was on the road on my last international trip, the Internet Crime Complaint Center published a somewhat vague warning about using hotel internet connections abroad. The gist of the story is that some international travelers were being presented with bogus “software update” popups while using the hotel’s wireless broadband, and finding themselves infected with malware as a result. There have been reports for several years of business travelers returning from abroad and finding that malware had been installed surreptitiously on their laptop while it was left unattended. Configuring a boot password in the BIOS, and disabling booting from removable media (such as an optical disc or USB drive), may prevent some of those tricks from succeeding. Neither setting protects the data if the drive is pulled and read on another machine; only full-disk encryption does that.


Your HP ScanJet Document Ain’t What It Seems

2012-06-06


Spam circulating over the weekend claiming to originate from a corporate scanner is – you guessed it – malicious. Just another brick in the social engineering wall. It’s not really much of a brick, either. The attachment is an HTML file, and it supposedly came from “Marin” using a Hewlett-Packard HP Officejet 7371P, with a return address of robot@craigslist.org and a really long, really fake “Device” code.

Mail systems seem to be getting quicker to react to these kinds of spam messages. One example of the message to the right, forwarded to me by Joe Levy, our CTO, vanished into thin air before I’d managed to retrieve the message’s malicious payload. The system seemed to recognize some pattern in the message (a few minutes after it arrived) and, apparently, excised the message from all inboxes on the server. Fortunately, it’s the kind of unwanted message that also has a tendency to appear in our spam collection points, where it isn’t subject to summary execution.

Under examination, the message’s payload appears to be a chunk of HTML code, obfuscated using JavaScript. It was a funky obfuscation method: the page is one giant array of numbers, delimited with dashes, so it looks like nothing at all if you view the page in a browser with scripting turned off. If one were to open the file in a browser with scripting enabled, on the other hand, the script runs, decoding the rest of the instructions on the fly. I took a third approach.
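The post does not say how the numbers map back to characters. The added Go example below (my code, not the author’s decoding script) takes the offline route: it parses the dash-delimited array without executing any JavaScript, tries the three mappings such droppers commonly use (raw character codes, a constant additive offset, single-byte XOR), discards candidates containing non-printable bytes, and keeps the one exposing the most HTML/JavaScript markers. The sample payload and the offset used to encode it are constructed for the demonstration; the real attachment’s content is not reproduced.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-in for the decoded attachment; the real payload is not
// reproduced here.
const samplePayload = `<html><body><script>document.write("constructed sample")</script></body></html>`

// encode produces the dash-delimited form: one number per byte, here with a
// constant offset added so the decoder has to discover the mapping.
func encode(s string, offset int) string {
	parts := make([]string, len(s))
	for i := 0; i < len(s); i++ {
		parts[i] = strconv.Itoa(int(s[i]) + offset)
	}
	return strings.Join(parts, "-")
}

// parseNumbers reads the array body (just the numbers, pasted out of the
// script) without evaluating any of the surrounding JavaScript.
func parseNumbers(blob string) ([]int, error) {
	fields := strings.Split(strings.TrimSpace(blob), "-")
	nums := make([]int, 0, len(fields))
	for _, f := range fields {
		n, err := strconv.Atoi(strings.TrimSpace(f))
		if err != nil {
			return nil, fmt.Errorf("not a number: %q", f)
		}
		nums = append(nums, n)
	}
	return nums, nil
}

// Strings whose presence suggests a candidate decoding is real HTML/JS.
var markers = []string{"<html", "<body", "<script", "<iframe", "document.", "eval(", "unescape("}

type candidate struct {
	Transform string // which mapping produced Text
	Text      string
	Score     int // number of distinct markers found
}

func printable(b byte) bool {
	return b == '\t' || b == '\n' || b == '\r' || (b >= 0x20 && b <= 0x7e)
}

// decode tries each mapping, rejects any that yields non-printable bytes, and
// keeps the candidate exposing the most markers (first one wins on ties).
func decode(nums []int) (candidate, bool) {
	var best candidate
	try := func(name string, f func(int) int) {
		buf := make([]byte, len(nums))
		for i, n := range nums {
			c := f(n)
			if c < 0 || c > 255 || !printable(byte(c)) {
				return
			}
			buf[i] = byte(c)
		}
		text := string(buf)
		score := 0
		for _, m := range markers {
			if strings.Contains(strings.ToLower(text), m) {
				score++
			}
		}
		if score > best.Score {
			best = candidate{name, text, score}
		}
	}
	try("raw char codes", func(n int) int { return n })
	for k := 1; k < 256; k++ {
		try(fmt.Sprintf("subtract %d", k), func(n int) int { return n - k })
		try(fmt.Sprintf("xor %d", k), func(n int) int { return n ^ k })
	}
	return best, best.Score > 0
}

func main() {
	blob := encode(samplePayload, 7) // what the attachment's array would hold
	nums, err := parseNumbers(blob)
	if err != nil {
		panic(err)
	}
	if c, ok := decode(nums); ok {
		fmt.Printf("mapping: %s (%d markers)\n%s\n", c.Transform, c.Score, c.Text)
	} else {
		fmt.Println("no printable decoding found; try a two-key or positional scheme")
	}
}
```

If none of the three mappings produces readable output, the dropper is using something positional or multi-key, and the next step is to read the decoding function in the script rather than guess further.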
