October 2008 Archives

Blog Trouble Part 2

Okay, I've spent more than enough time trying (and failing) to resurrect Vitalsecurity.org. Here's the current state of play:

It seems that, despite my best efforts over the last week or so, Vitalsecurity.org has died a horrible death. I'm still not up on all the details, but (as a general recap of previous problems) - every now and again when I'd publish a new post, a few older ones would vanish. I could never work it out, but on one occasion (in 2007, I think) I posted a new article, and it overwrote every single entry on the site and duplicated itself hundreds of times.

That was not a good day.

However, this past week has been far worse, both in terms of severity and also what it means for the site in general. When I first set the site up, every page was a standalone piece of HTML that had to be edited manually. Yeah, that's pretty stupid. So I went with the first blogging tool I could find - Blogger.com - but quickly realised that for whatever reason it wouldn't work properly if it sat in the root directory of the site. Instead, the actual blog and its contents were stuffed inside a folder inside another folder. I'm not sure if this is common practice for Blogger blogs, but it doesn't seem to be. At any rate, that combined with a number of privacy services I offer for those that need them (along with an unrelated database or two running in the background) meant that the site was never especially stable, and (sure enough) last week the entire thing disintegrated.

Thousands of image files went screwy, folders vanished, blog entries overwrote themselves, stuff ended up in entirely the wrong places. In addition to that, this broke some of the privacy services and totally killed one of the databases too.

I do have a backup of the site, but I'm not hugely concerned about that - the privacy services and databases (I know I keep referring to these, but I'm not going to go into details) are far more important. The long and the short of it is, if I put the site back, the whole thing is likely to fall to pieces again - and I really can't be bothered with the hassle of wasting what may well end up being a week or more of time sorting it all out every time it happens.

I'm informed that the best solution would be to host the site elsewhere, but because of the hosting deal I have, I don't think I'm able to kill off the hosting while being allowed to keep the domain - if one gets flushed, both get flushed. Then I think I have to scramble to repurchase the domain before someone else grabs it (actually, I'm not 100% sure on that - I think it might go into a grace period where I get first crack at it).

Even so, once all THAT is done and dusted, I still have to find a different blogging system, learn about it, learn how to install it, install the thing then try and upload an entire website based around a rather odd installation of Blogger.com, making it "fit" the new blogging system I eventually select. I imagine this would involve reorganising piles of folders, contents, html, images and who-knows-what-else and reordering it all for the new file structure required by Wordpress, MT or insert-blogging-tool-of-choice-here.

That is going to take an age, and I'm not sure there are enough hours in the day, night, month or year for that sort of thing anymore. In summary, Vital is probably going to be offline for quite some time, if not permanently. I have considered various options - from starting over to inviting guest bloggers, but whatever option I choose, it's still going to involve a lot of time and effort on my part overseeing everything and making sure everything is as it should be, both in terms of content and stability. By the same token, being free of having to produce anything up to 60+ blog posts across two sites per month opens up more time for research, which is fine by me.

In conclusion, then, all of my security writing will be on SPG for the foreseeable future. If I can get Vital up and running eventually, I will do - but it's not going to be for a while...

Blog Trouble Part 1

For some reason, a number of older posts here have switched themselves to "Draft" mode, and I'm having some problems flipping them back to "Live". It's being looked at though...

A Temporary Redirect...

If you were expecting to see Vitalsecurity.org when you typed in the domain, don't worry - there's some routine maintenance going on, so for the moment you'll be forwarded here. This has given me some breathing space to restart the aborted redesign from earlier in the year - the recent "Chrome" webcomic sucked up 26GB in one day, a good part of which was down to some needlessly image heavy templates on my part.

With that in mind, I'm looking into some fresh designs so it might look a little bit different next week...

If you see this message appear on your phone:

phone1.jpg

phone2.jpg
You may want to ignore it. The reason? It convinces the victim they have a parcel "awaiting delivery", then encourages them to ring an Austrian number. Once connected, an automated system asks the victim to enter their phone number, then reads it back with one or more digits deliberately wrong. At that point the victim wastes time (and call charges) going round in circles with a system designed to beat them every time.

As you can imagine, that's going to make someone a fair amount of money.

Currently being sent to random people via a long list of disposable mobile phones (that always go to voicemail or an engaged tone if you ring them), this text message says:

!!Urgent!! Large Parcel Awaiting Delivery Please Call Now on +43820899510 For Delivery Tomorrow Regards International Parcel Deliveries

There's not too much information online about this yet, but what we do know is:

1) Victim is sent the text message from a disposable mobile phone.
2) The victim is presented with an Austrian phone number to call regarding the "delivery".
3) The victim then phones the number and bad things apparently happen to their bill.

Let's take a look at some quotes from people who called the number. The parts to note are the ones confirming that the system deliberately gets the victim's number wrong, and that this can cost you some serious money:

"Coincidentally I was expecting a delivery. I called it but hung up after a couple of minutes. An automated answering service will prompt for you to enter your phone number, after that it will repeat it back to you but get the number wrong (usually one of the numbers wrong, i.e. '5' instead of '7'). I just hope I hadn't given anything away to this very dubious SMS."

"Got exactly the same text message 4th Oct 19.45 to ring this Austrian number. Tried ringing it and it takes you through an automated recording giving you delivery numbers and taking your mobile number to arrange delivery in the next two days. Asks for preferred delivery times."

"I stupidly called the number and followed a series of voice prompts to arrange delivery. Cost me almost £15.00 ($26) on my mobile. I just pray nothing else happens to me or my family because of this. I am normally very aware re scams but my main focus has been on emails, didn't realise you could get scammed via text messages too. Should have known better cos wasn't really expecting any parcels, but as I have a lot of family all over the world thought maybe it was a surprise gift..talk about being had big time!!!"

"I've been had. I called it several times. It asks you to put your mobile number in and then repeats the number incorrectly. I was waiting for a delivery."


A clever tactic, I'm sure you'll agree. Remember, if you're expecting a delivery - never trust random messages sent to your phone, especially if they don't share the name of the company that's delivering your parcel.

Of course, most delivery companies don't use "!!" at the start of their text messages either (though I am told that this is a method used to scroll messages on the front of clam-shell phones, but that's another gimmick altogether...)
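As an added example (not part of the original post), here is the sort of triage you can run over a text like the one above before anyone dials: pull out every phone number in the message, work out which country it belongs to, and combine that with the pressure cues the message relies on. The recipient's home country code, the small country-code table, the "known senders" set and the second, benign message are all constructed assumptions for the demo; the scam text itself is the one quoted above.

```python
"""Smishing triage: foreign callback number plus pressure cues.

Added example for this page, not code from the original post. The home
country code, the country-code table, the known-sender set and the benign
sample text are assumptions made for the demo.
"""
import re

# Constructed stand-in for a full E.164 country-code table (assumption).
COUNTRY_CODES = {"1": "US/CA", "43": "AT", "44": "GB", "353": "IE"}
HOME_CC = "44"  # assumption: the recipient is on a UK mobile
# Constructed address book; 07700 900xxx is the UK range reserved for fiction.
KNOWN_SENDERS = {"+447700900111"}

# International (+43 ..., 0043 ...) and national (07700 900 ...) forms.
NUMBER_RE = re.compile(r"(?:\+|00)\d[\d ]{6,}\d|\b0\d[\d ]{7,}\d")
URGENCY_RE = re.compile(r"!!|\burgent\b|\bcall now\b|\bimmediately\b", re.I)

# The SMS quoted above, with a constructed sender, plus a constructed benign text.
SCAM_SENDER = "+447700900555"
SCAM_TEXT = ("!!Urgent!! Large Parcel Awaiting Delivery Please Call Now on "
             "+43820899510 For Delivery Tomorrow Regards International Parcel Deliveries")
BENIGN_SENDER = "+447700900111"
BENIGN_TEXT = "Running late, call me on 07700 900222 when you land"


def normalize(raw, home_cc=HOME_CC):
    """Return the number in +<cc><subscriber> form."""
    digits = raw.replace(" ", "")
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return "+" + home_cc + digits[1:]  # national format: drop the trunk 0


def country_code(number):
    """Longest-prefix match of the country code, or None if unknown."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in COUNTRY_CODES:
            return digits[:length]
    return None


def triage_sms(text, sender, home_cc=HOME_CC, known=KNOWN_SENDERS):
    """Score one message; a foreign callback plus any other cue is enough to park it."""
    numbers = [normalize(n, home_cc) for n in NUMBER_RE.findall(text)]
    foreign = [n for n in numbers if country_code(n) != home_cc]
    reasons = []
    if foreign:
        reasons.append("callback number outside +%s: %s" % (home_cc, ", ".join(foreign)))
    if URGENCY_RE.search(text):
        reasons.append("urgency pressure in the wording")
    if sender not in known:
        reasons.append("sender %s is not in your contacts" % sender)
    return {"numbers": numbers, "foreign": foreign, "reasons": reasons,
            "suspicious": bool(foreign) and len(reasons) >= 2}


if __name__ == "__main__":
    for sender, text in ((SCAM_SENDER, SCAM_TEXT), (BENIGN_SENDER, BENIGN_TEXT)):
        verdict = triage_sms(text, sender)
        print("suspicious" if verdict["suspicious"] else "ok", "-", "; ".join(verdict["reasons"]))
```

The verdict hinges on the callback number, not the sender: the post notes the sending numbers are disposable handsets that change constantly, while the number the victim is told to ring is the part the scammer cannot easily vary.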

After yesterday's influx of Twitter spam, I couldn't help but notice that the freshly suspended accounts all looked like this:

twitcanx113.gif

This is a huge improvement. Why? Well, previously when a rogue Twitter page was suspended it looked like this:

twitcanx111.gif

The problem with that was that although the Twitter messages containing rogue weblinks were gone, any URLs placed in the profile description bar on the right were still clickable.

This was, as you might imagine, not a good thing.

Replacing the entire content of a suspended profile is a welcome step in the right direction for Twitter. One small problem - though the profile content may now be entirely inaccessible, the suspended profiles are still viewable in Profile Search. Because of this, if you happen to come across an already suspended profile that harboured infection links in the Profile description....

twitcanx0.jpg

....you can still reach the infection pages via the search option. Hopefully Twitter will find a way to scrub the infection link profiles from the search feature, too.

All in all, a good move to combat the increasing amounts of rogue profiles clogging up Twitter - and kudos to them on waving the Banhammer at so many spam profiles overnight. Quite the bloodbath, from the looks of things...

All I've seen on Twitter this morning are comments regarding the absolute bombardment by Spammers promoting anything and everything they can think of (including porno sites). I had one follow me earlier too, which is unusual because I don't tend to get many spam followers (feel free to add me on Twitter, by the way).

The sites promoted are everything from ringtones and dating portals to porno, social networking sites and car insurance adverts.

Looks like someone bought Little Jimmy his first Spamming set as an early Christmas present...

While investigating an unrelated case of Phishing yesterday, we came across the biggest haul of stolen EBay logins we've ever seen.

How big?

Well, here's a screenshot of the "Word Count" from the document the details are stored in:

logins.gif

Each line is taken up by a single EBay Username, Password and EMail account.

Unfortunately, there are 5,534 of them, spread across 121 pages at roughly 46 usernames per page. Here's a random screenshot of page 113:

page11.gif

Quite a lot of the accounts don't exist or are no longer registered users, but there's enough live accounts in there for this to be something of a worry (there also don't appear to be any duplicates, which is unusual for a collection this big). At first glance, it's hard to say exactly where the data has come from or how new / old some of it is (it's apparently been passed around various file download sites over the past week or two), though a massive "roll-up" of stolen accounts from various Phishers seems most likely.

Most of the live accounts we saw look like this:

ebay1.jpg

These would be newly registered users, or users with low feedback scores because they don't tend to use EBay that much. These are prime targets for Phishers, because they're more likely to be fooled by fake logins.

Another worry is that many new / inexperienced users on EBay use the same login details for Paypal, so there's the possibility of being able to access two sets of accounts from the same data. I should mention, it's not just new EBayers that can be caught out by these kinds of scams - there were quite a few high scoring EBayers in the stolen logins too.

A source tells me that hackers attempting to use these logins claim some have been "locked out" (presumably logging in on an account from an unfamiliar IP address is triggering EBay Security checks) though my source also tells me there are people bragging about there being "A lot of goodies" still in the list.

We've notified EBay, and had the data removed from the web where possible (a hat tip to Google for assisting in the removal of some cached data from their search engine). Hopefully EBay will act quickly on the information they've been provided and assist those unfortunate enough to have been Phished.

We're noticing quite a lot of these Google AdWords phishing pages in mailboxes at the moment, all on .cn and .kr domains. Here are a few more (currently confirmed as live) for your blocklists:

adwords.google.com.qsoil.cn/select/Login
adwords.google.com.apoim.cn/select/Login
adwords.google.com.kfion.cn/select/Login
adwords.google.com.tverdo.cn/select/Login
adwords.google.com.agrod.cn/select/Login

ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com
kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm

Unsurprisingly, the .cn domains are all registered to "Mr Gfdthy", the same individual that owns the mehdo.cn domain. At least one of the Korean domains appears to be a legitimate website that's been hacked and had the phish page uploaded by the hacker, and so might not be part of the "main" campaign that's currently ongoing.

Google AdWords Phish

Time to clear out the mailbox - wait, what's this?

adw1.jpg

That's interesting, considering I don't have an AdWords account.

adw2.jpg

Of course, if I did have an account I might be tempted by their fake website:

aw3.jpg

As fake websites go, it's quite pretty (but that's more down to Google than the scammers).

Steer clear of this website:

adwords.google.com.mehdo.cn/select/Login/

The Whois details are unsurprisingly useless:

aw4.jpg

The Administrative EMail is apparently used for another 320 domains, which is probably not a good sign...
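Before lists like the one in the post above (and the mehdo.cn URL here) go into a blocklist, it is worth pulling out the domain that was actually registered: "adwords.google.com.qsoil.cn" is a host under qsoil.cn, not under google.com, and the Korean URLs hide the brand in the path rather than the hostname. The following is an added example written for this page, not the blog's own code. Its suffix table is a small hand-made stand-in for the Public Suffix List, and the "trusted brand hosts" are an assumption; both are only as complete as the sample URLs from the two posts need.

```python
"""Registrable-domain extraction and brand-in-subdomain / brand-in-path checks.

Added example for this page, not the blog's own code. MULTI_LABEL_SUFFIXES is
a constructed stand-in for the Public Suffix List and TRUSTED_BRAND_HOSTS is an
assumption about which hostnames a user would recognise.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption).
MULTI_LABEL_SUFFIXES = {"co.kr", "or.kr", "co.uk", "com.cn"}
# Hostnames a user would trust (assumption); only subdomains of their own
# registrable domain count as legitimate.
TRUSTED_BRAND_HOSTS = {"adwords.google.com", "portal.google.com", "google.com"}

# The URLs from the two posts above, scheme-less as given in the blocklist.
SAMPLE_URLS = [
    "adwords.google.com.qsoil.cn/select/Login",
    "adwords.google.com.apoim.cn/select/Login",
    "adwords.google.com.kfion.cn/select/Login",
    "adwords.google.com.tverdo.cn/select/Login",
    "adwords.google.com.agrod.cn/select/Login",
    "ottoggi.co.kr/bbs/data/schedule/1194604617/redirect.google.com",
    "kilsangsa.or.kr/zero/data/buddha/1223246866/https/portal.google.com/www.adwords.google.com/select/Login.htm",
    "adwords.google.com.mehdo.cn/select/Login/",
]


def registrable_domain(host):
    """Last two labels, or three when the last two are a known multi-label suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Work out where the URL really points and whether a brand name is being borrowed."""
    if "://" not in url:
        url = "http://" + url  # blocklist lines carry no scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    trusted_regs = {registrable_domain(b) for b in TRUSTED_BRAND_HOSTS}
    # Host begins with a trusted hostname but is registered somewhere else.
    brand_in_subdomain = reg not in trusted_regs and any(
        host.startswith(b + ".") for b in TRUSTED_BRAND_HOSTS)
    # Brand hostname appears in the path of a site that is not the brand's.
    brand_in_path = reg not in trusted_regs and any(
        b in parts.path.lower() for b in TRUSTED_BRAND_HOSTS)
    return {"host": host, "registrable_domain": reg,
            "brand_in_subdomain": brand_in_subdomain,
            "brand_in_path": brand_in_path,
            "suspicious": brand_in_subdomain or brand_in_path}


def suspicious_registrable_domains(urls):
    """The registrable domains that actually need blocking, deduplicated."""
    return sorted({c["registrable_domain"] for c in map(classify, urls) if c["suspicious"]})


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        c = classify(url)
        print(c["registrable_domain"], "subdomain" if c["brand_in_subdomain"] else "path", url)
```

Blocking the registrable domain rather than the full hostname catches the next "adwords.google.com.something.cn" the same registrant spins up under a domain already on the list, while a compromised host such as the .kr sites is blocked as a whole and can be re-enabled once its owner has cleaned up.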

Smash And Grab

Ever wondered how people put together huge wordlists made up of things like Usernames from forums as part of their cracking arsenal? Here's a program that does just that. Simply select the kind of forum you want to leech from (vBulletin, IPB or phpBB), enter the details of the target forum and fire up this thing:

l11.gif


The program pulls the requested number of usernames from the forum, and the hacker can then fold those usernames into an ever larger dictionary for their cracking tools.

Anyone remember when this sort of thing used to take a while?

No, me neither...
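From the forum administrator's side, the tell is one client walking the member list far faster than a person reads it. The following is an added example, not the tool in the screenshot or anything from the original post: it parses Apache combined-format access log lines, counts requests to member-listing pages per client in a sliding 60-second window, and flags anyone over a threshold. The log lines are constructed for the demo, and the URL patterns used for the vBulletin, IPB and phpBB member pages are assumptions.

```python
"""Flag clients harvesting a forum's member list from the web server log.

Added example for this page, not the leeching tool shown above. SAMPLE_LOG is
constructed, and MEMBER_PATH_RE is an assumption about the member-listing
URLs of the three forum packages the post names.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: member-listing/profile endpoints for vBulletin, IPB and phpBB.
MEMBER_PATH_RE = re.compile(
    r"memberlist\.php|member\.php\?u=|showuser=|app=members|mode=viewprofile", re.I
)
WINDOW_S = 60
THRESHOLD = 10


def _line(ip, second, path, ua):
    return (f'{ip} - - [12/Oct/2008:10:00:{second:02d} +0100] '
            f'"GET {path} HTTP/1.1" 200 8123 "-" "{ua}"')


# Constructed sample: one client paging through memberlist.php once a second,
# one ordinary visitor reading a thread and opening the member list once.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, f"/forum/memberlist.php?page={s + 1}", "Mozilla/4.0")
     for s in range(30)]
    + [_line("198.51.100.4", 5, "/forum/viewtopic.php?t=42", "Mozilla/5.0"),
       _line("198.51.100.4", 40, "/forum/memberlist.php", "Mozilla/5.0")]
)


def parse_line(line):
    """Return (ip, timestamp, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]


def find_enumerators(log_text, window_s=WINDOW_S, threshold=THRESHOLD):
    """Map client IP -> peak number of member-page requests inside one window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and MEMBER_PATH_RE.search(rec[2]):
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):       # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} member-list requests inside {WINDOW_S}s")
```

The threshold is deliberately low because a real reader opens the member list a handful of times per session at most; the tool in the screenshot has to fetch every page of it to be useful, and that shows up as a burst regardless of the User-Agent string it claims.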

Clearly, there's been too much Batman on here lately.

I suppose we could always even things up a little with a screenshot of this DDoS tool:

jokerdos.jpg

Those crazy kids...

Habbo Hotel Fakeout

Here's a fake "Habbo Hotel" Login frontend, designed to be combined with an infection file of choice then sent to an unsuspecting user:

hablog.png

If you're a Habbo Hotel user and see this appear in your mailbox (or a "friend" offers you it on a forum), just say no. It's highly likely it'll come with an unpleasant surprise...

Here, our unfriendly neighbourhood Phisher is attempting to play on the fear of a security breach:

Attention all Apex ACH System Customers!

We inform you that on October 7, 2008 a partial loss of data took place in our database. Due to this problem urgent request to take the procedure of account verification. Verification form is located here:

[URL Removed].org

However, failure to confirm your records may result in account suspension.
This is an automated message. Please do not reply.


Best to ignore this kind of EMail, methinks...

This is PINsentry.

This is a PINsentry Phish currently doing the rounds:

Introducing PINsentry for Online Banking

To help protect your account from Online fraud, we are changing the
security for Barclays Online Banking and you will need to upgrade to
PINsentry.

PINsentry upgrade - information by email
We will send you information on PINsentry and details of any cards being
issued or upgraded by email.
Please insert your details in the attachment below.

Barclays Bank PLC is authorised and regulated by the Financial Services Authority


This is the form that comes with the EMail:


pinsentry1.jpg

Note that it asks you for absolutely everything, including your telephone banking passcode. Barclays Bank do NOT send these kinds of EMails to their customers, so be on your guard...

Shockmemes have become a big deal in hacking circles recently, and whether it's catching out priests with Meatspin or leaving a nice surprise on phished Myspace pages, everybody wants a piece of the action. Well, the use of shockmemes in hacking and cracking circles takes another plunge into the world of bleeding eyeballs and crying children the world over with this latest infection. Currently doing the rounds on the "Let's ruin your day" circuit, this bundle of joy (once run by the unsuspecting Windows end-user) will make your previously beautiful and clutter-free desktop....

lemon1.jpg

....look like this:

lemon00.gif

Oh my, is that 40+ copies of Lemonparty on your desktop? I think it is.

In addition to your new favourite desktop image, you'll find that the author of this file wants you to see more of Lemonparty.

A whole lot more, as it turns out. Within minutes, your desktop will look like this:

lemonallz.jpg

Whoops.

Your entire PC has been taken over by endless respawning images of three old guys having the best time of their lives in a hotel room. If you reboot the PC, they'll come straight back. If you go into Task Manager and kill the process that keeps creating duplicate images, your desktop will be clean for about ten seconds... then they'll come straight back. Your PC will slow to a crawl, making it even harder to go looking for the hidden files that keep the party going.

Even trying to get screenshots of the files involved was nearly impossible due to the images' insistence on hogging every square inch of your monitor's real estate. As a matter of fact, when I asked my colleague to grab a shot of the file responsible for bringing the desktop hijacks back to life each time, what should pop up but...

lemonlol.jpg

This is one party you just can't stop.

We detect this as LemonLover. And this is quite possibly the funniest thing I have ever written about.

Additional Research: Chris Mannon, Senior Threat Researcher

There's a lot of security companies on Twitter these days. BitDefender, TrendMicro, Kaspersky, FaceTime, F-Secure and more besides - plus all the researchers and independent security people who have their own Twitter accounts. That's a whole lot of people yammering on about security, and pretty much all tastes are accounted for.

However, as with all new(ish) sites - if you don't snap up your own username (and with it the twitter.com/yourname URL), someone is going to grab it before you get there. Earlier today, I was looking for some security companies on Twitter and saw this:

nod32.jpg

Very peculiar. If you visit the profile, it's already been suspended.

nod2.jpg

The account only sent out the one message before the plug was pulled. There are two possibilities here:

1) The scammer registered the "nod32antivirus" username on Twitter to try and get money from ESET in return for the nod32antivirus username on Twitter, which is about as poorly thought out a plan as it sounds.

2) The message refers to the sale of the website listed in the single Twitter message, though the way it's worded (and the fact that this person randomly decided to register nod32antivirus as their username) would tend to make this rather unlikely. Either way, Twitter thought there was something sufficiently strange here to suspend the account.

I EMailed the site owner anyway, and have so far had no reply. If I actually get a response, I'll update the entry...

Hackjob

whoops.jpg

I'm pretty sure this technology services website isn't supposed to say "Yes, Demian is gay and cannot wag the tail" underneath the nice animated graphic. Time to contact the site owner, methinks...

I see all sorts of weird and wonderful things on EBay. Today I'm going to take a look at various hacking sales, and also a bunch of Myspace related "offers". As you probably already guessed, most of this is borderline dubious enough for it to be plastered with notices to EBay about how they "Comply with the Terms & Conditions". With that out of the way, let's dive right in...

bay1.gif

There seem to be quite a lot of these on sale at the moment - Myspace accounts with high friend counts and low profile IDs. As the blurb says for this one:

"This is a myspace account with a low digit id number and lots of friends everything will be email to you ,i cant give you the url cause of safety reason".


Yes, for "safety reasons". Nothing to do with selling accounts being against the T&C of Myspace, honest. Here's another one:

bay2.gif

In all cases, these sales seem to be by new EBay users with zero feedback. Would you trust them? I certainly wouldn't. Here's an interesting one for the "Buy it now" price of $25:

bay3.gif

That's an inventive way of making money, isn't it? Of course, it's easily abused too. Do people really hand over their logins for things to random people on EBay? Really? Wow.

Another method of making money via EBay in relation to Myspace is offering to increase the play count for musicians, through a combination of manual plays and automated software. Here's one:

bay4.gif

From the text:

"As a free extra we will also up your page views to make it reflect your plays. this way you dont have over a million plays and only 20 views. that would look bad. so we will up both at the same time and help you climb the myspace charts. 

We are here to get you to the top of the myspace charts. We give you 100% natural plays and they look real too. We don't just play one song over and over, we play them and with our software, it's untraceable so you can't get caught."


Nice.

However, there's so many to choose from...

bay5.gif

This time round, the blurb is as follows:

"many sellers claim to have made the software/script/program.
many of sellers claim to have rights to these items.
many of sellers claim the HITS are unique.
but what most sellers don't tell you is amidst the lies,is...
WHAT THEY'RE SELLING WILL GET YOUR ACCOUNT DELETED!!

it also comes with PROXY capabilities to avoid deletion.and make HITS UNIQUE."


I love how twitchy and on edge most of these listings seem, like they think they're going to get busted at any second. Now, it's time to switch attention and see what's up for grabs in the realm of hacking and cracking:

bay6.gif

Well, that's....blatant. Nice that you buy one, get one free though. His description of the hacking tools on offer is hilarious:

"guys!! i've been buying hacking software in diffrent places,online etc...

and check this out me and my family went to Germany for vication last week ,and i went to internet CAFE to check my ebay,...in then  theres one dude come up  to me and asked if i wanna buy hacking software,, and i said ok let me see it, and he show me some programs and its verry cool uneek progz..i mean its the best software ive ever SEEN..AND I HEARD GERMAN MAKES CRAZY PROGZ! THATS WHY I TRUST HIM.

THERES A 69  PROGZ THAT I HAVINT TRYED YET..COZ I DONT EVEN KNOW HOW TO USE IT"


...um.

bay7.gif

This guy takes the "This is for educational purposes only" approach, and claims everything on offer is distributed under the "Freedom of Information Act". Then you scroll down and see him talking about learning to "spy on people with secret keyloggers" and you wonder about people's freedom to not be hijacked by stupid tools like these.

Finally, here's one seller that gives a shoutout to some pals:

bay8.gif

Surprisingly, EBay isn't awash with content such as the above. Probably just as well...

You're a leet scriptkiddy and you just hijacked a Myspace profile. Do you:

A) Experience remorse and hand the login back to its rightful owner
B) Feel like too much of a wimp to simply give it back, but pretend you "found some logins" and get into your victims good books
C) Insert a piece of custom-made HTML that overlays the entire profile with a fullscreen blast of Meatspin.com?

spincode.jpg

...yeah, we know what option they're going to pick.

Sure enough, visit a hacked profile containing the code (and you're not going to know it's hacked until you've actually hit the page) and...

spinning.jpg

It's interesting how much shock memes are used in hack attacks nowadays - on the bright side, I managed to create what may well be the world's first Safe For Work screenshot of Meatspin. Admittedly most of it is blanked out, but hey - it only took me six spins to do it...
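For anyone running a site that accepts user-supplied profile HTML, the overlay trick above is detectable before the page is ever served to a visitor. This is an added example, not code from the post or from Myspace: it assumes the overlay is built from a fixed or absolutely positioned element stretched across the viewport plus an embed or iframe pulling its content from an outside host. The allowed media hosts and both sample snippets are constructed for the demo.

```python
"""Spot full-screen overlay injections in user-supplied profile HTML.

Added example for this page, not code from the original post or from Myspace.
Assumes the overlay is a fixed/absolutely positioned element covering the
viewport plus an embed/iframe/object that loads content from an outside host.
ALLOWED_MEDIA_HOSTS and the two snippets are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the site is happy to let profiles pull media from.
ALLOWED_MEDIA_HOSTS = {"myspace.com"}

POSITIONED_RE = re.compile(r"position\s*:\s*(fixed|absolute)")
FULL_SIZE_RE = re.compile(r"(width|height)\s*:\s*100(%|vw|vh)")
ZINDEX_RE = re.compile(r"z-index\s*:\s*(\d+)")
LOADER_TAGS = ("embed", "iframe", "object", "img", "script")

# Constructed snippets: an injected overlay, and an ordinary profile fragment.
MALICIOUS_SNIPPET = (
    '<div style="position:fixed; top:0; left:0; width:100%; height:100%; z-index:9999">'
    '<embed src="http://attacker.example/spin.swf" width="100%" height="100%"></div>'
)
BENIGN_SNIPPET = (
    '<p>About me</p><img src="http://www.myspace.com/images/me.jpg">'
    '<div style="position:relative; width:300px">My top friends</div>'
)


def _host_allowed(host):
    # Relative URLs (empty host) stay on the site itself.
    return host == "" or any(host == h or host.endswith("." + h) for h in ALLOWED_MEDIA_HOSTS)


class OverlayFinder(HTMLParser):
    """Collects (tag, reason) findings while walking the profile markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").lower()
        if POSITIONED_RE.search(style):
            z = ZINDEX_RE.search(style)
            if FULL_SIZE_RE.search(style) or (z and int(z.group(1)) >= 1000):
                self.findings.append((tag, "fullscreen overlay: " + style))
        if tag in LOADER_TAGS:
            src = a.get("src") or a.get("data") or ""
            host = (urlsplit(src).hostname or "").lower()
            if not _host_allowed(host):
                self.findings.append((tag, "external source " + host))


def scan_profile_html(html):
    """Return a list of (tag, reason) pairs; an empty list means nothing was flagged."""
    parser = OverlayFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, snippet in (("malicious", MALICIOUS_SNIPPET), ("benign", BENIGN_SNIPPET)):
        print(name, scan_profile_html(snippet))
```

Either finding on its own is worth a human look; the two together (a viewport-sized positioned box whose content comes from somewhere the site does not control) is exactly the shape of the hijack in the screenshot, and refusing to save the profile until it is cleaned up costs the legitimate owner nothing.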

In this post, we look at yet another way for overenthusiastic hackers to infect their own PC:

ppv.jpg

"This is a free software so if you bought this, go get your money back". Nice of them, though seeing as it's related to this thing you might want to worry more about your AV Scanner than somebody selling you it (which is really just adding insult to injury).

Hot on the heels of this writeup comes another example of a particular technique favoured by 419 Scammers at the moment. It follows a familiar pattern - someone has their EMail account hijacked, and then all of their contacts will find this in their Inbox shortly afterwards:

Hello,
I am sorry I didn't inform you about my traveling to Africa for a program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of Education,the program is taking place in three major countries in Africa which are Ghana,Togoland and Nigeria,I am presently in Lagos Nigeria.
 
I misplaced my wallet on my way to the hotel where i lodged my wallet which contains my money,and other valuable things were kept.I will like you to assist me with a soft loan urgently with the sum of $3,400 US Dollars to sort-out my hotel bills and get myself back home.
 
I will appreciate whatever you can afford, i 'll pay you back as soon as i return.
Kindly look for any western union and use this informations below to send me whatever you can afford.

Name : <Redacted>
Address : <Redacted>
Zip code: <Redacted>
State :Lagos
Country :Nigeria
Test Question :To who?
Answer :
Amount send $:?

Once you have it sent, please send me the money transfer control number,with details used in sending it. I await to read from you.


The EMail content is practically identical to the last one with only a few minor alterations. The recipient was naturally suspicious (especially over the fact that their skills with the English language had suddenly taken a turn for the worse) and asked if it was really their contact sending them this mail. The reply was as follows:

Thanks for geting back to me i really appreciate your mail this massage is from me.what i need you to do for me is that just lend me some money when i get back i will pay you back and explain everythings to you ok

Perhaps given the concern over their contact losing all grasp of their native tongue, sending back a missive lacking in spelling, punctuation and basic sentence structure wasn't the smartest of moves.

Happily, our intrepid investigator was able to confirm with the victim that yes, they had been hacked, and as far as I'm aware nobody lost any money to these scammers. Thanks to Jeanette at Mother Hen Productions for sending this over!

I know this isn't a particularly new gimmick, but this is the first time I've ever had an RR (return receipt) spam message sent my way, so here it is in all its spammy glory:

rrspam.jpg

Funnily enough, I got quite a few of these mails after that one. Here's another:

rrs2.jpg

Using a mail client such as Thunderbird, which lets you decline to send return receipts, can help prevent you from ringing the spammer's bell, so to speak.

This is a particularly disturbing scam that's been passed my way, courtesy of reader MTGarden.

The scammers in question hacked a colleagues EMail account, then sent out a request for money to the people on the hacked accounts contact list, claiming they were overseas and without cash. The EMail looked like this:

Hi,
I am sorry I didn't inform you about my traveling to Europe for a
program called Empowering Youth to Fight Racism,HIV/AIDS,and Lack of
Education,the program is taking place in three major countries in Europe
which are Czech Republic,Scotland and England,I am presently in
England,London.

I misplaced my wallet on my way to the hotel where my money,and other
valuable things were kept.I will like you to assist me with a soft loan
urgently with the sum of £2000 British Pounds to sort-out my hotel bills
and get myself back home.
I will appreciate whatever you can afford, I'II pay you back as soon as
i return.Kindly look for any western union and use this informations
below to send me whatever you can afford.

Name : <redacted>
Address :<redacted>
Zip code: <redacted>
State : <redacted>
Country :<redacted>
Test Question :To who?
Answer :<name removed>
Amount send £:2000

Once you have it sent, please send me the money transfer control
number,with details used in sending it.
I await to read from you.


....yikes. All you'd need is one or two non-tech savvy people (relatives would obviously work best here) on the contact list and you'd quickly have a large problem on your hands. If you have anyone like that on your contact list - and most of us do - it might be worth letting them know about this scam. As a sidenote, I should add that the person in question regained control of their EMail account and no money was sent to the scammers.

Be on your guard...

About this Archive

This page is an archive of entries from October 2008 listed from newest to oldest.
