Popular websites, blogs and ad networks are fast becoming the preferred means of cybercriminals, identity thieves, and hackers to steal consumer information and distribute malicious content.
The most common attacks today are made possible by Web site / server hacks, against which publishers, with the exception of their off-site links, are probably best protected, and by user-contributed content, advertising and cross-site widgets.
However, virtually none of these Web sites or advertising companies has an effective means to uncover and identify the “drive-by” downloads, malicious software, and other fraudulent content that infect their properties through the plethora of user-contributed pages and the stream of advertising that is added to their sites on a daily basis.
In May, digital advertising technology company, the Rubicon Project, revealed some insight into emerging industry trends and market shifts that occurred in the first quarter of 2010 in its Online Advertising Market Report series.
The report showed that with the continued growth in online advertising, there is also an increasing trend in online threats through “malvertising,” a growing method used to distribute malware via advertising tags served through an unsuspecting publisher’s Web site, blog comments, forums and other forms of user generated content, allowing cybercriminals to create content that is used to carry out a wide range of malicious attacks.
Google, in response to the increasing level of threats, set up Anti-Malvertising.com, a Web site they call an “Investigative Research Engine.” The site, set up in June 2009, checks a variety of independent, third party sites that track possible attempts to distribute malware through advertising and serves as a resource for educating Internet users, ad network operators and publishers about the problems. Google also employs a “Head of Anti-Malvertising,” Eric Davis, who has been in the role since 2008.
“For publishers, advertising is about making money, but malicious ads change the equation. Publishers need better solutions to protect their customers from malvertising and the potential for malicious content on their Web sites,” noted Rob Lipschutz, co-founder and CEO of SiteScout, a company acquired by the Rubicon Project in May 2010 that helps protect publishers against malicious ads and other dangerous Web content. “The advertising ecosystem faces a stiff challenge and the problem is widespread and found in both direct advertising as well as more distributed ad networks. New ad formats also make the problem increasingly complex.”
Many of the digital ad serving platforms being used today were developed over a decade ago and not designed to cope with today’s massive volume of transactions from buyers and sellers around the world, creating a constant stream of new vulnerabilities in the system.
Advertisers and agencies often utilize “third party ad tags”, allowing them to control and monitor their ads while removing the ability for publishers to control what ads are served. With larger publishers, ad networks and exchanges having thousands of different ad tags running at any given time, monitoring all campaigns and creative being served is a challenge. These disparate systems have had no universal quality control because nothing is tied together, driving the need for automation and technology innovation to eradicate the vulnerabilities of this process.
The need is clear for a solution aimed at publishers and advertising companies, the producers of content, rather than end-users, that provides visibility and advanced protection against the new kinds of attacks to prevent direct loss of revenue or risk to brand (which leads to loss of revenue). In January, the Rubicon Project launched Rubicon Security, its first foray into protection against malware attacks on publisher customers’ sites. Combined with the acquisition of SiteScout, the Rubicon Project has established a comprehensive solution to help combat malvertising within its platform.
Dasient, another company that protects businesses from web-based malware attacks, provides a Web Anti-Malware (WAM) service that can automatically identify and quarantine malware on websites, helping businesses avoid losses of traffic, reputation, and revenue.
The issue of malware will only increase as a key risk to publishers’ advertising businesses – and to the consumers driving those businesses – in the months ahead.
HTC on Tuesday confirmed a gaping vulnerability in its Android phones that could be exploited by a third-party to steal personal information from users.
The company said it was not aware of any customers yet impacted by the flaw, but that it was “diligently” working on a fix.
“Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it,” the statement said.
The flaw, affecting several HTC Android smartphone models, was discovered by researcher Trevor Eckhart, who alerted the company about it on Sept. 24 and received no response for five days before going public with the issue on Friday, according to the blog AndroidPolice, which first reported the news.
The bug stems from a recently added program, HTCLoggers.apk, which logs large amounts of information from the phones, according to Eckhart. The program enables any third-party app that requests permission to connect to the web to easily access data that has been logged. This information includes user accounts, email addresses, GPS locations, SMS data, phone numbers and system logs.
HTC Android phones, including the EVO 3D, EVO 4G and Thunderbolt, among others, are affected, Eckhart said.
In its statement, HTC advised customers to “use caution when downloading, using, installing and updating applications from untrusted sources.”
Cybercriminals and other villains intent on stealing all manner of personal and government data are bombarding federal government agencies.
Over the past 5 years, the number of incidents reported by federal agencies to US-CERT (United States Computer Emergency Readiness Team) has increased from 5,503 incidents in fiscal year 2006 to 41,776 incidents in fiscal year 2010 — including a more than tripling of the volume of malicious software since 2009 — an increase of over 650%, according to a Government Accountability Office security report out this week.
US-CERT aggregates and disseminates cybersecurity information to improve warning and response to incidents, increase coordination of response information, reduce vulnerabilities, and enhance prevention and protection, the GAO added.
“Reported attacks and unintentional incidents involving federal systems and critical infrastructure systems demonstrate that a serious attack could be devastating. Agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices,” the GAO stated.
The good news is perhaps that according to US-CERT, the growth in the gross number of incidents is attributable, at least in part, to agencies improving detection of security incidents on their respective networks, and then possibly implementing appropriate responsive and preventative countermeasures, the GAO stated.
Agencies reported the following types of incidents are occurring frequently:
Facebook is adding a Websense Web link blacklist service to its arsenal of defenses designed to protect users from clicking on links that lead to sites hosting malware.
The social-networking site will be using Websense ThreatSeeker Cloud service, which warns people when they click on a link on Facebook that could be malicious, the companies announced today. Facebook will start rolling out the service today.
The partnership follows one that Facebook announced in May with the free Web of Trust safe surfing service. Facebook also has its own blacklist. The larger the pool of blacklists the better the chances users will be protected from malware, basically.
When users click on a link, the online blacklist databases are checked to see if the link is flagged. If the link is deemed unsafe, users will see a warning and be given the option of ignoring the alert, returning to the previous page, or getting more information.
Computerworld – Security firms today warned Mac users of a new Trojan horse that masquerades as a PDF
The malware, which was spotted by U.K.-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.
“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ‘.pdf.exe’ extension and an accompanying PDF icon,” said F-Secure today.
That practice relies on what is called the “double extension” trick: adding the characters “.pdf” to the filename to disguise an executable file.
The Mac malware uses a two-step process, composed of a Trojan “dropper” utility that downloads a second element, a Trojan “backdoor” that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.
Because it doesn’t exploit a vulnerability in Mac OS X — or any other software — the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.
Once run, the dropper downloads the second-stage backdoor and opens a Chinese-language PDF. F-Secure said that the PDF was another sleight-of-hand trick: “[The dropper component] drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring,” the company said in a description of the attack.
Both Sophos and F-Secure noted that the malware doesn’t work reliably, and currently can’t connect to the command-and-control (C&C) server because the latter isn’t fully functional.
Mac malware is typically crude in comparison with what targets Windows PCs.
Because the C&C server is not yet operational and since it found samples of the Trojans on VirusTotal — a free service that runs malware against a host of antivirus engines — F-Secure speculated that the malware is still in the
Although Apple’s Mac OS X includes a bare-bones antivirus detector, it has not been updated to detect the just-noticed Trojan dropper or backdoor. Checks of several Computerworld Macs running Lion, for instance, found that Apple last updated its detector on Aug. 9.
Mac users had their biggest malware scare earlier this year, when a series of fake security programs, dubbed “scareware,” were aimed at them.
Several antivirus companies, including Sophos, F-Secure and Intego, offer security software for the Mac.
Adobe Systems Inc. has issued a critical Flash Player security update, repairing six vulnerabilities and at least one flaw being actively targeted by cybercriminals in an email attack.
The flaw, an Adobe Flash Player cross-site scripting (XSS) vulnerability, could be used against a user once they are tricked into visiting a malicious website, Adobe said. The critical update affects all versions of Adobe Flash Player running on Windows, Macintosh, Linux and Solaris, as well as the mobile version for Google Android devices.
“These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in its security advisory, issued Wednesday.
Adobe recommends users upgrade to Adobe Flash Player 10.3.183.10 or Adobe Flash Player for Android 10.3.186.7. The update fixes a variety of errors that could cause the browser to crash, allow information disclosure and enable attackers to execute code.
At least one of the flaws, a memory corruption vulnerability, was discovered by security researchers at Fortinet Inc. Danish vulnerability clearinghouse Secunia gave the Adobe Flash Player security update a “highly critical” rating. “Certain unspecified input is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site,” Secunia said in its advisory.
The latest social engineering trick to get victims to open malicious email attachments accuses them of being spammers and threatens to sue them if they don’t stop.
It’s all in an attempt to get targets to open up the zip attachment by telling them it contains evidence of their spamming. Actually it’s an .exe file that infects the machine but displays like a document, according to the Websense Security Labs Blog.
The attachment installs a downloader Trojan that copies itself to the system path so it executes when the system boots up. It connects to remote servers to download specific exploit files. The blog says the current attacks could contain other variants of the Trojan as attachments.
The new attack cropped up Monday in Websense’s ThreatSeeker network, which gathers data about malicious email campaigns. The emails are dressed up to look like they come from real businesses that are upset because the recipient has been spamming them. “The emails even formally claims that legal action will be taken because of the spam you have sent,” says the blog.
The blog includes an image containing the text of one such email: “Hello. Your email is sending spam messages! If you don’t stop sending spam, we will be impelled to sue you! We’ve attached a scanned copy of the document assembled by our security service to this letter. Please carefully read through the document and stop sending spam messages. This is the final warning!”
Subject lines include “You are sending ad messages”, “We are going to sue you”, “This is the final warning”, “We’ve sent you a copy of a complaint” and “A message from our security service”.
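Both the Mac Trojan's “double extension” disguise and the zipped .exe that “displays like a document” can be caught at the mail gateway by comparing each attachment's name with its leading bytes. The following is an added example, not code from Sophos, F-Secure or Websense; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions a mail client or file manager presents as a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
# Extensions that run code when opened on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Leading bytes of native executables.
EXECUTABLE_MAGIC = (
    b"MZ",                  # Windows PE
    b"\xcf\xfa\xed\xfe",    # Mach-O 64-bit
    b"\xce\xfa\xed\xfe",    # Mach-O 32-bit
    b"\xca\xfe\xba\xbe",    # Mach-O universal (also Java class files)
)


def split_exts(name):
    """Return up to the last two lowercase extensions, e.g. ('.pdf', '.exe')."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    # strip() defeats padding such as "doc.pdf        .exe"
    return tuple("." + p.strip() for p in parts[1:])[-2:]


def classify(name, head):
    """Return the reasons an attachment entry is suspicious (empty if none)."""
    reasons = []
    exts = split_exts(name)
    if len(exts) == 2 and exts[0] in DOCUMENT_EXTS and exts[1] in EXECUTABLE_EXTS:
        reasons.append("double extension")
    if head.startswith(EXECUTABLE_MAGIC):
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            reasons.append("executable content under non-executable name")
    return reasons


def scan_zip(data):
    """Map each suspicious entry in a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = classify(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment; payloads are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("complaint.pdf.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("scan.pdf", b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("report.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(name, "->", ", ".join(reasons))
```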
A mammoth army of infected computers is being assembled, but it’s unclear yet what purpose they will be put to.
Wave after wave of malicious email attachments has been sent out since August, and with average success rates for such mailings, millions of machines could be compromised, says Internet security firm Commtouch.
Once infected, the computers can be loaded with additional malware that can perform a range of activities, including spamming, participating in DDoS attacks, stealing bank credentials and compromising email and social-network accounts, according to an upcoming Commtouch blog post.
But what this botnet will do remains a mystery. “The purpose of this vast computing force is still not clear,” the blog says.
Since a record peak of 25 billion malicious email attachments sent on a single day in mid-August, email-attached malware has peaked five more times, each spike smaller than the one before, says Commtouch. The company predicted this pattern in August just after the highest peak.
Each peak represents a surge in a particular scam used to dupe victims into opening the attack attachments. The first wave consisted mainly of phony notices from UPS or FedEx that a package has been misrouted. The second, called the Map of Love, is a PDF that purports to be a map of interesting destinations worldwide. The third is a false notice of an altered charge for a hotel room, the blog post says.
User forums indicate that the malware campaigns worked, with many users opening the attachments. While it doesn’t have estimates of the number of machines compromised, Commtouch says that such campaigns have linear success, so the more attachments sent, the more opened.
If the purpose of the assembled botnet is to send spam, it hasn’t had an impact on overall spam traffic, which has actually been trending a bit downward, Commtouch says.
Reported on Yahoo News on September 7th 2011:
Cybercrime claimed 431 million adult victims last year and cost $114 billion, according to a report published Wednesday.
The Norton Cybercrime Report 2011 said over 74 million people in the United States were cybercrime victims last year, suffering $32 billion in direct financial losses.
Cybercrime cost China around $25 billion, Brazil $15 billion and India $4 billion in the past 12 months, said the report from computer security firm Symantec, maker of the Norton anti-virus software.
According to the report, more than two-thirds of online adults — 69 percent — have been victims of cybercrime at some point in their lives, resulting in more than one million cybercrime victims a day.
Cybercrime rates were even higher in China and South Africa. Eighty-five percent of Chinese respondents to the Norton survey and 84 percent of South Africans said they have been victims of cybercrime.
The report found a growing threat from cybercrime on mobile phones.
Ten percent of adults online have experienced cybercrime on their mobile phones and the number of reported new mobile operating system vulnerabilities increased from 115 in 2009 to 163 in 2010.
“There is a serious disconnect in how people view the threat of cybercrime,” said Adam Palmer, Norton lead cybersecurity advisor. “Cybercrime is much more prevalent than people realize.
“Over the past 12 months, three times as many adults surveyed have suffered from online crime versus offline crime, yet less than a third of respondents think they are more likely to become a victim of cybercrime than physical world crime in the next year,” Palmer said.
For the survey, interviews were conducted with nearly 20,000 people in 24 countries, Symantec said.
The Morto A worm is having continued success despite its reliance on a list of lame passwords to take over victim machines.
In order for the worm to be effective, the administrative password for a machine under attack has to be one of 37 of the worst passwords ever (see below) that it carries in a weak brute-force library.
Yet the worm, which takes over control of remote computers by guessing the password for Microsoft Remote Desktop, continues to spread, according to security watchdogs.
Once attackers gain control of machines they can be used for denial of service attacks, according to a Microsoft alert about the worm.
In addition to targeting only the lowest hanging fruit, Morto A is notable for being a rare Internet worm, says Mikko Hypponen, chief research officer for F-Secure, in a blog post.
He says it is groundbreaking in that it attacks via remote desktop protocol, something he hasn’t seen before. Once a machine is infected, it scans port 3389 (RDP) on its subnet, seeking other machines with Remote Desktop Connection enabled. It tries its list of passwords, Microsoft says, and when it is successful, shuts down processes associated with security products.
An easy way to discover that machines on a network are infected is to monitor for bursts of port 3389 activity, Microsoft says.
These are the passwords Morto A uses: *1234, 0, 111, 123, 369, 1111, 12345, 111111, 123123, 123321, 123456, 168168, 520520, 654321, 666666, 888888, 1234567, 12345678, 123456789, 1234567890, !@#$%^, %u%, %u%12, 1234qwer, 1q2w3e, 1qaz2wsx, aaa, abc123, abcd1234, admin, admin123, letmein, pass, password, server, test and user.
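Microsoft's advice to monitor for bursts of port 3389 activity can be applied to flow logs by counting how many distinct hosts each source contacts on the RDP port within a sliding window. This is an added example, not Microsoft's or F-Secure's tooling; the log format, the 60-second window, the threshold of 10 hosts and the addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389


def parse_flows(text):
    """Yield (time, src, dst) for 'timestamp src dst dport' records on the RDP port."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip blank or malformed lines
        if int(fields[3]) == RDP_PORT:
            yield datetime.fromisoformat(fields[0]), fields[1], fields[2]


def rdp_bursts(text, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak distinct RDP destinations inside any window} for
    every source whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        counts = defaultdict(int)  # dst -> connections currently inside the window
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[start][0] > window:  # expire events that aged out
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_flows():
    """Constructed flow log: one scanning host, one admin workstation, web noise."""
    t0 = datetime(2011, 9, 1, 10, 0, 0)
    lines = []
    for i in range(1, 31):  # 10.0.5.23 probes 30 neighbours, one per second
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.5.23 10.0.5.{100 + i} 3389")
    for m in range(0, 50, 10):  # admin reconnects to the same two servers
        ts = (t0 + timedelta(minutes=m)).isoformat()
        lines.append(f"{ts} 10.0.5.40 10.0.5.10 3389")
        lines.append(f"{ts} 10.0.5.40 10.0.5.11 3389")
    lines.append(f"{t0.isoformat()} 10.0.5.40 192.0.2.10 443")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in rdp_bursts(build_sample_flows()).items():
        print(f"{src}: {peak} distinct RDP targets within 60s")
```

Counting distinct destinations rather than raw connections keeps an administrator who repeatedly reconnects to the same few servers below the threshold.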