Reliable Answers - News and Commentary

Virus Information News


blog.commtouch.com

April 27, 2010

Scammers aren't above using the most trusted brands to con you out of money. This scam allows spammers to whistle while they work - all the way to the bank. This time, they are offering "free" Disneyland tickets.

The email explains that the free tickets you signed up for a few months ago were shipped to the wrong address. It directs you to a URL requesting your name, address, and many other personal details. Once you submit these you are informed that your information is being processed (it sure is...). Of course, you don't get the tickets, and they do get a vacation, thanks to your trust in the Disney brand.

blogcastfm.com

by Srinivas Rao

April 26, 2010

I want to warn you guys about a massive exploit that has hit a large number of Godaddy Hosted WordPress Blogs this weekend.

This hack appears to redirect visitors upon arrival from Google and attempts to install malware on their computers. When I was visiting the site directly, whether logged in or as an Admin, even if I could see the malicious script in my view-source window I did not have any issues and it did not redirect me. This means your site could be hacked and infected and you may be unaware.

f-secure.com

April 21, 2010

Many of our readers are familiar with Poison Ivy, a Remote Access Trojan that is often used in various attacks - especially in targeted espionage attacks. More information on such RAT applications can be found from this blog post.

Now, we just learned about a new research paper by Andrzej Dereszowski of Signal11. Andrzej was investigating a targeted attack case and discovered that Poison Ivy was used to steal data from the target. This got him thinking about the fact that lots of researchers do fuzzing and try to find vulnerabilities from Internet Explorer or Adobe PDF Reader - why not try to find vulnerabilities from Poison Ivy? And then he did exactly this, uncovering a remote code execution vulnerability from Poison Ivy, making it possible for the victim to attack back at his attacker.

f-secure.com

by Sean

April 19, 2010

Many Rogue SEO attack sites will only work if the referrer is from a Google query.

If the URL is visited from another source, the potential victim will be directed away from the scareware. So where is it that the bad guys are currently forwarding non-Google visitors? CNN.com. This video demonstrates with a recent Google trend:

WHIR Web Hosting Industry News

April 14, 2010

Hackers gained access to a server used by the Apache Software Foundation (www.apache.org) to keep track of software bugs in an attack that exploited a cross-site scripting bug.

According to an incident report from Apache.org, hackers using a compromised Slicehost server opened a new issue, containing a URL that redirected back to the Apache instance of JIRA, at a special URL containing a cross-site scripting attack crafted to steal the session cookie from the user logged in to JIRA. Several administrators clicked on the link, compromising their sessions. Meanwhile, the attackers started a brute force attack against the JIRA login.jsp, running through hundreds of thousands of password combinations. A day later, one of these attempts was successful, giving the hacker administrator privileges on a JIRA account. They used this account to disable notifications for a project, and to change the path used to upload attachments. They created several new issues and uploaded attachments to them -- including JSP files that gave them backdoor access to the system, and a JSP file that was used to browse and copy the file system, creating copies of many users' home directories and various files. On the morning of April 9, the attackers had installed a JAR file that would collect and save all passwords upon login. The attacker then sent password reset mails from JIRA to members of the Apache Infrastructure team, who, thinking that JIRA had encountered an innocent bug, logged in using the temporary password sent in the mail, then changed the passwords on their accounts back to their usual passwords. One of the recovered passwords was the same as that of a local user account on brutus.apache.org, which the attacker used to gain full root access to the machine that hosted the Apache installs of JIRA, Confluence, and Bugzilla. With root access to brutus.apache.org, the attackers found several users that had cached subversion authentication credentials, and used them to log into the main shell server, minotaur.apache.org.

news.cnet.com

April 12, 2010

Following attacks on Google late last year that led to its decision to change its policy on China, the company accelerated plans to move to Web-based computers. Read this blog post by Tom Krazit on Relevant Results.

Google learned some hard security lessons after it was attacked late last year by hackers, CEO Eric Schmidt said Monday. "Google is now particularly paranoid about that," Schmidt said during a question-and-answer session following Google's Atmosphere 2010 conference before about 400 CIOs. After the company learned that some of its intellectual property was stolen during an attack that originated from inside China, it began locking down its systems to a greater degree and accelerated plans to move to Web-based systems like Chrome OS netbooks. The attacks took advantage of a flaw in Internet Explorer 6 that was quickly patched, although the damage had been done. More than 30 U.S. companies were believed to be targeted by the attacks, but Google was one of the few that publicly identified itself as a victim because "we decided we had to tell people as a warning," Schmidt said. He declined to get into the specifics of how the attackers penetrated Google's security but said the attackers broke into a single system with the outdated browser and were then able to take "a series of steps" to wreak wider havoc. Google tightened its external defenses and moved quickly to update all the software within its walls following the deconstruction of the attack.

WHIR Web Hosting Industry News

April 12, 2010

As users prepare for version three of the popular open-source blogging platform WordPress, many of those using WordPress had their site or blog hacked, redirecting visitors to a page that attempts to install malicious software.

According to a Friday report from security expert Brian Krebs, after surveying multiple postings on WordPress forums and blogs, the attack appears not to modify or create files, but instead to inject the web address "networkads.net/grep" directly into the target site's database, redirecting visitors to networkads.net. Also, due to this attack method, site owners were locked out of the WordPress interface for their blogs. If the forum posts were any indication, nearly every WordPress user affected reported Network Solutions as their current hosting provider, although the company claims not only Network Solutions customers were affected. Shashi Bellamkonda, Network Solutions' head of social media, noted in a Sunday blog entry that the WordPress issue has been fixed. Though he doesn't identify the root cause of the issue, he writes that it has been addressed, and most sites have been fixed. "In solving the problem, we have had to change database passwords for WordPress. Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes." It remains unclear whether the point of compromise is a WordPress vulnerability, a malicious WordPress plugin, or if it has to do with a common service provider. As a precaution, Network Solutions is urging customers using WordPress to log into their account and change their administrative passwords, and delete all administrative access accounts they do not recognize.

f-secure.com

April 12, 2010

There's a new extortion trojan in circulation. This one attempts to steal victims' money by bullying them to pay a "pre-trial settlement" to cover a "Copyright holder fine".

The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents from the system. If he won't pay $400 (via a credit card transaction), he might face jail time and huge fines. And the warnings will not go away. They will reappear every time the user reboots his system. All of this is completely fake. There is no "ICPP Foundation", and the messages will appear even if the system contains no illegal material whatsoever. Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.

torrentfreak.com

April 11, 2010

A new type of malware is riding the wave of file-sharing pre-settlement letters by infecting BitTorrent users' machines and then demanding payments in order to make imaginary lawsuits go away. ICPP Foundation try to give the impression they are RIAA and M

ICPP Foundation claims to be an international company operating out of Switzerland. They say they are “committed to promoting the cultural and economic benefits of copyright” while assisting their partners to fight “copyright theft around the world”. In fact what they really do is operate a scam to extort money from BitTorrent users. Right at this moment we are unsure of the exact route of infection, but somehow malware (probably in either fake file or attached virus form) is displaying a “copyright violation alert” on the victim’s screen, locking it, and redirecting users to the ICPP site where they are told they have been caught infringing copyright.

f-secure.com

April 9, 2010

...five rogue scanning UIs hosted from a single URL, [one] only needed to refresh our browser. All of our screenshots were taken from a computer running Linux.

The first one called itself AntivirusPlus and wanted its victim to Erase infected. Next, we refreshed, and there was another version of AntivirusPlus (red & white emblem) asking the victim to Protect now. Refreshing again, and it became XPert Antivirus (again with red & white emblem). But then back to AntivirusPlus on the next refresh, this time with a friendly 7 on the left side and an option to Turn on.

      
