October 2009 Archives

colon_bt.jpg

Lots of companies now use Twitter as a form of customer support / PR, but in the wake of the latest Twitter Phish run involving, er, colon cleansing...the account for BTCare (British Telecom) seems to have fallen victim to the same scam.

What particularly alarms me here is that no sooner has the BT account been notified and cleaned up than it's back to what they normally do, which involves - wait for it - resolving customer support issues by sending (and asking for) information related to customer accounts via Direct Message!
btaccountask.jpg

Wait, your account was apparently compromised not so long ago and now you're back to asking for account details via Direct Messages on Twitter?

No, no, no. Although the above message is probably legit, I really don't think firing information related to telephone accounts should be done via a third party system such as Twitter, especially when you've just been phished - not exactly a Ben Stiller circle of trust going on here, is it?

Frankly, they're lucky the account hijacker was only interested in sending out colon cleansing messages - I'd hate to think what kind of information could have been sitting in their Direct Message tray...

Phishing For Dummies

phishingforskiddies.jpg

...the best part is, there's a three page thread on one forum promoting this EXE stuffed to bursting point with people saying "thank you" for the download.

Har-de-har.
Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:

hackedfbaccts1.jpg

The site the image links to is called...well, see for yourself.

Wait...what?, originally uploaded by Paperghost.

Yes, the site is actually called "Hackedsluts.com" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

As porn site marketing campaigns go this one is certainly, uh, different.

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

Account hacked!, originally uploaded by Paperghost.

Just to force the message home, hovering over any image will pop up some text on top of the picture:

hackedfbaccts5.jpg

Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:


Extreme, originally uploaded by Paperghost

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is made up of stock pornographic content. But simply claiming they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them for financial gain blows my mind, is an amazingly dubious piece of non-ethical marketing and is surely a fast track to a day in court.

You would hope...
(Huge thanks to Baz of Malwarecrawler.com, who provided the Vkontakte.ru screenshots, translations and helped me to make the connection between a number of rogue blogs I'd been looking at recently and a particularly nasty Vkontakte scam that I had no idea existed until yesterday).

Now that we've got that bit out of the way, your first question may well be "What is Vkontakte"?

Well, it's billed as the Russian Facebook and seems to be pretty popular (45 million users as of October 09). With that number of users, it seems that the usual "build it, and they will come" rule applies to scammers, phishers and malware authors, as we shall see.

What's Happening?

You know how on Facebook you get those wonderful Koobface worms that post links to fake videos, and if you run the file you end up with infections galore and a bunch of messages posted to the walls of your friends?

This is a similar scenario, with messages (which may or may not be automated) posted to Vkontakte pages which lead to malicious downloads - many of which will do horrible things to your computer if given the chance including account theft, Trojans and desktop lockouts.

Here is a sample message posted to a typical Vkontakte page:

Vkontakte Fake Exploit Message, originally uploaded by Paperghost.

It says that there is a "mega hole" in Vkontakte which allows you to see private profiles. Click the link, and you're redirected to one of a chain of Blogspot blogs which look like this:


Vkontakte Scam Blog, originally uploaded by Paperghost.


Here is the translation, courtesy of my new pal Baz:

Page title: Mega hole in Vkontakte!

How to get full access to a private Vkontakte profile and how to defend your profile


This hack will be fixed at any moment, so use it before it is too late!

Everything is very simple.

1. Download the program <link> <mirror>

2. Run it

3. Enter the id of the profile you want to get access to.

Finding the id is very simple, just go to the person's (profile) page and at the top there will be something that looks like: http://vkontakte.ru/id******

4. Afterwards, you will have full access to the profile of the person whose id you have entered.

If you have any doubts, just check the program with antivirus and convince yourself that everything is in order.

If the first program didn't work, here is the second: <link>


Depending on the payload, you may end up with Trojans, Rootkits, worms and / or other assorted junk deposited on your PC with a strong emphasis on SMS scamming. We'll take a look at some of those momentarily, but I should mention a particular spamming technique that Baz spotted which seems to be getting past whatever spam filters Vkontakte has in place.

On Facebook you've probably seen the graffiti wall application, which allows you to draw an endless series of humorous body parts on the wall of your choice. Vkontakte has a similar (if not identical) application, and it looks like the scammers are pasting their "massive hole" messages onto that, which neatly sidesteps spam filters.

Vkontakte Graffiti Spam, originally uploaded by Paperghost.

"ahahahaha!!! s*it!! I got access to your profile via vkon-fire.msk.ru"

Pretty smart.

What do the files do?



Vkontakte Scam Infection Files, originally uploaded by Paperghost.

Here's a bunch of scan results, feel free to browse through and be glad none of them were dropped onto your computer. In general, the files claim to attempt contacting the Vkontakte servers, then "fail" with a nice fake error message; meanwhile (...you know the drill...) a wide variety of junk is inserted onto the PC behind the scenes and your login vanishes into the wide blue yonder.

The messages posted to the Vkontakte site may or may not be automated; none of the files tested display any sign of worm related shenanigans. A big part of this scam is a phishy Hosts file hijack:


Vkontakte Scam Hosts file hijack, originally uploaded by Paperghost.

Something to note where the Hosts file hijack is concerned - they'll swipe your login details and potentially direct you to the following fake login, complete with SMS activation code:

Vkontakte SMS Message, originally uploaded by Paperghost.

Yes, they'll take your login and your money too. However, I want to wrap up with this particularly eye watering file:

Vkontakte SMS Lockout File, originally uploaded by Paperghost.

"Activate"? Whatever does it activate, I hear you cry? Well...


...ouch. It claims you're running an unlicensed version of Windows, and won't give you your desktop back until you cough up a random amount of cash via SMS.

All in all, a nasty collection of exploits and scammery - if you know anyone who uses Vkontakte, feel free to give them a heads up and avoid any random messages promising access to secret profiles / images / leprechauns.
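
A defender-side check for the Hosts file hijack described above, as an added example that is not from the original post: it parses a hosts file and flags every entry that pins a watched login domain (here `vkontakte.ru`) to an address. The sample file contents and IP addresses are constructed, and the function names are this example's own.

```python
import ipaddress
import sys

# Login domains worth watching; vkontakte.ru is the one from this post.
WATCHED_DOMAINS = {"vkontakte.ru"}

# Constructed sample hosts file (addresses are documentation ranges).
SAMPLE_HOSTS = """\
# sample hosts file, constructed for this example
127.0.0.1      localhost
203.0.113.45   vkontakte.ru www.vkontakte.ru   # login pages now resolve elsewhere
0.0.0.0        ads.example.net
127.0.0.1      login.VKontakte.ru.
198.51.100.7   notvkontakte.ru
"""


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # address with no names
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a valid mapping line
        for name in fields[1:]:
            # Hostnames are case-insensitive and may carry a trailing dot.
            yield lineno, ip, name.lower().rstrip(".")


def in_domain(host, domain):
    """True for the domain itself or any subdomain, but not look-alikes."""
    return host == domain or host.endswith("." + domain)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line, host, ip, kind) for each entry overriding a watched domain.

    kind is "redirect" when the name points at a routable address (the
    phishing case) and "sinkhole" when it points at loopback or 0.0.0.0
    (usually a blocking tool, but still worth knowing about).
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not any(in_domain(host, d) for d in watched):
            continue
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((lineno, host, str(ip), kind))
    return findings


if __name__ == "__main__":
    # Typical Windows location: %SystemRoot%\System32\drivers\etc\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            contents = fh.read()
    else:
        contents = SAMPLE_HOSTS
    for lineno, host, ip, kind in audit_hosts(contents):
        print(f"line {lineno}: {host} -> {ip} [{kind}]")
```

A clean hosts file has no reason to mention a social network login domain at all, so any "redirect" finding is worth investigating.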
If you still don't have a Google Wave invite, you may want to be aware of the following while trying everything you can to obtain one.

We're seeing quite a few programs being circulated in relation to Google Wave at the moment - some originate from script kiddy forums, others hail from parts unknown.

In both cases, these programs all claim to automatically generate a Google Wave invite.

Here's an example of one such program lurching out of a leet hax site that's already flagging up on Virustotal with a low detection rate; very nice it looks too, lifting the content from this page here.

gwave1.jpg

Of more concern, however, is something that's been popping up on numerous forums over the last week or two in the form of what is likely XRumer assisted spamming. In each case, this person pops up on a site and claims to have been a longtime user, before offering up a program that will (of course) double up as a means of making some quick money while giving you all the Google Wave invites you could possibly want:

gwave2.gif

Humorously - or not, as the case may be - the spammer hasn't quite got the hang of this yet because if you look at the supposedly reassuring "Virus scan" results they managed to leave in scan results that claim the file is infected!

Whoops. Anyway, the download location looks even more suspicious when you're taken to a site that contains text files of the forum spam listed above, spam related keywords and an XRumer instruction manual.

gwave3.gif

Fire up the program, and you're presented with this:

gwave4.gif

Note that it asks for an email address and password, which is highly dubious - worst case scenario, end users could unthinkingly send a current email / password combination into the wide blue yonder with no idea who is at the other end. Should you hit the "Generate Invite" button, the program promptly crashes...a favourite ploy of programs that claim to give you the Earth and everything in it, but suffer a last minute technical hitch while they get up to mischief in the background.

Should you take a quick look at the real VirusTotal scan results, it's clear there are some strange things afoot with 12 out of 41 security vendors detecting this program as a threat.

gwave5.gif

While I haven't had nearly as much time examining this file as I'd like, all of the above is more than enough to have me strongly advise against downloading / running this program - or indeed, any of the tools currently in circulation claiming to get you quick access to Google Wave.

Patience is most definitely a virtue, and it might just be a PC saver too...
thejihadhotline.jpg

Don't panic, mad bombers aren't giving you courtesy calls.

It seems this number:

08456021111

...is some sort of BT operated SMS service, however there seem to have been some issues with it in the past and it seems likely the same thing is happening now. According to some random people on the internet, calling 0800 587 5252 and then choosing options 1 and 5 seems to block this "service". Of course, you could leave it alone and be the recipient of humour mines such as the following...

"With finger on the cancel call button it was pressed as soon as I heard Irish prosti.."


Oh dear.
Not so long ago, I wrote about a site called megasecuredownload.com, which faked a bunch of AV scans so you'd download their file, run it and have yourself a very bad day.

There's another site currently being promoted on video sharing sites such as Youtube, aimed squarely at owners of Playstation 3 consoles.

As ever, it's a case of "something for nothing". They're pimping Playstation network $20 generator programs that look like this:

psnfakezgenz1.jpg

The site this time around is safetransferonline.com, and looks identical to the site covered here (complete with fake "this program is safe" AV results):

Megasecuredownload.com, originally uploaded by Paperghost.

You definitely won't end up with anything as awesome as a free money generating program, so feel free to stick this one on your ever growing blocklist...
Worth noting that people are still reporting Direct Messages of a "do not click" variety coming through on Twitter, all of which lead to Very Bad Things (TM) depending on what nefarious campaign happens to be doing the rounds at any given time.

Should anybody send you a DM that mentions humorous things taking place in videos - like this one, for example:

dmroguetwitterlinkz1.jpg

...you should avoid it like the plague. Otherwise, you're in for some phishing fun which is surely a contradiction in terms.

Targeted Spam Ahoy

ftspamz1.jpg

We're currently seeing a lot of reasonably clever targeted spam, which claims to be from the admins of your mailing service, customer / technical support etc with a rather convincing "we've updated your settings, click here to apply" blurb below it. Quite a few people at FaceTime had one (or more!) drop into their mailbox last night and today, and it's definitely doing the rounds. None of the links I've seen so far appear to be live, but if you hover over the live link in the mail you'll see domains like

nerrasssu.eu
oikkkkuy.eu
nerrasssp.co.uk
nerrassso.eu

As every domain I've seen so far appears to be offline I've no idea if these are attempted phish attacks or involve malware, but you might want to let people in your office know that these things are floating around. You'd be surprised how many smart people will happily trust a mail like this and click, click, click away...

/ Update - these domains are related to the Zeus Trojan, and should be treated with caution. Thanks to Kurt Wismer for the heads up.
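
The "hover over the link" check from this post, automated as an added example (not part of the original post): it pulls every link out of an HTML mail body and reports targets that are on the blocklist above, point outside your own mail domain, or show one address while linking to another. The sample mail, the `example.com` organisation domain and the function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The four domains listed in this post.
BLOCKLIST = {"nerrasssu.eu", "oikkkkuy.eu", "nerrasssp.co.uk", "nerrassso.eu"}

# Constructed sample mail body; example.com stands in for your own organisation.
SAMPLE_MAIL = """
<p>Dear user, we've updated your settings, click here to apply:</p>
<a href="http://nerrasssu.eu/settings">http://mail.example.com/settings</a>
<a href="https://mail.example.com/help">Help</a>
<a href="http://oikkkkuy.eu/apply"><b>click here</b> to apply</a>
<a href="mailto:support@example.com">Contact support</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or "" when there is none."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return ""
    return (host or "").lower().rstrip(".")


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def review_links(html, org_domain, blocklist=BLOCKLIST):
    """Return (target host, reasons) for each link that deserves a second look."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    report = []
    for href, text in collector.links:
        target = host_of(href)
        if not target:
            continue                      # mailto:, relative or empty links
        reasons = []
        if any(in_domain(target, bad) for bad in blocklist):
            reasons.append("blocklisted")
        if not in_domain(target, org_domain):
            reasons.append("off-domain")
        # Visible text that is itself an address should match the real target.
        if len(text.split()) == 1 and "." in text:
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != target:
                reasons.append("text-mismatch")
        if reasons:
            report.append((target, reasons))
    return report


if __name__ == "__main__":
    for host, reasons in review_links(SAMPLE_MAIL, "example.com"):
        print(f"{host}: {', '.join(reasons)}")
```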


mw2dontgetbanned.jpg

All XBox owners have a list of most recently played games set against their profile. As you might have guessed, every game has a unique ID assigned to it so Halo 3 doesn't accidentally show up as The Amazing Adventures of My Little Pony.

Well, like most other things related to the console it can be hexed, modded and generally given a bit of a fiddling. I've seen a few furtive mentions of this in the backroom areas of certain leet forums, so this might not even be doing the rounds yet. But hey, a little advance warning never hurt anyone.

Let's take a look at the scam, it's a pretty clever one.

1) Phisher tampers with their data and makes it look like Modern Warfare 2 - which isn't out until November - shows up in their recent games list. Note the big number "2" in the below image, complete with handy red box just so you know exactly which icon I'm on about.

fakemodernz010.jpg

2) Phisher then trawls around various forums and websites touting access to the "Modern Warfare 2 Beta" - and of COURSE it exists and they have played it, because it wouldn't be in their recent games list if they hadn't. Right?

3) Phisher then asks you for your login details in order to "gain access". All that's actually going to happen is you lose your account to a scumbag.

I've already seen quite a few accounts (including the one above) hit with various degrees of banhammer for altering their recent games list, so hopefully that'll kill a few phishes off before they're even launched. In the meantime, know this: there is currently NO beta planned for this game, and in all probability there won't be one.

Don't be suckered in!



If you're curious about the content of the talks at SecTor 2009, all you need to do is go here and wade through the various files on offer. I particularly enjoyed "The GhostNet Story" - Nart Villeneuve, "Towards a more secure online banking... " - Nick Owen, "Cloudification" - Christofer Hoff and "A day in the life of a hacker..." - Adam Laurie (Major Malfunction). Those last two aren't available yet though, which sucks.

You should definitely check it all out, there's some great content in there.

SecTor 2009 Wrapup

Last week, I spoke at SecTor 2009, on a subject near and dear to my heart: people messing around with videogame consoles in various horrible ways. Before I go any further, I want to say this - in terms of looking after people who turn up to speak, SecTor wins first prize. It might not sound like much, but it is extremely nice to have some dude waiting for you in a pre-paid car to take you to the hotel from the airport at 1AM when your plane has been delayed for seven or eight hours (cockpit windows fell out, or were about to. Long story).

So, large and appreciative hat tip to the organisers. They looked after me and stuffed me with food and I can't ask for anything more than that. You can also see a collection of photographs here. Some of them are even in focus.

As far as my talk goes - hoo boy. Talking about exploiting videogamers always seems to be a touchy subject, as gamers seem to lock themselves into a protective bubble, dismissing everything with "Nothing to worry about, it's only phishing".

Once it's put into a box like that - sorry man, lights out. Whatever gaming network you're talking about is "safe". No "hacking" is taking place. The "only" way someone can get your login - argh, the assumption that the ONLY thing bad people are looking to do on gaming networks is steal your login! - is by convincing you to put your information into a phishing page or handing it over. While the phishing side of things is accurate - nobody is going to get anything unless you GIVE them it, save for when they try to social engineer support staff - there are many, many steps along the way that involve all manner of hexing, hacking and getting around security systems on the console which lead to that phish being more convincing than it should be.

When it gets to that stage, the people who provide you with that gaming network need to sit up and take notice, because it is most certainly NOT just "about phishing". While gamers obsess over being "safe" in their account-not-phished world, the entirety of their gaming network is drowning in a sea of DDoS attacks, network spam and other junk clogging up their intertubes.

Also: this has been on Slashdot and a bunch of other places, and without having seen the talk (and going off the condensed coverage the talk has had) people are either misreading what went down, or going on about things I never mentioned at all (one guy is talking about "compromised XBox consoles being part of a DDoS Botnet" - what?)

It wasn't just about phishing. I showed some pretty pictures of the tools people use to tamper with files. There were paid-for DDoS Botnets, designed to kick people out of games. How about people messing with files so they could get things for free that the rest of us pay for. There was an examination of people getting around swear filters in a manner that allowed them to impersonate videogame developers. And so on.

Everything in my talk boiled down to one of three areas:

1. People who manage to run open source operating systems and old videogame consoles on an XBox360.

2. People who hex edit files in order to gain some advantage, in order to get things for free that everyone else pays for, to gain the upper hand in a game or to make some money when they come to sell their account on the black markets. Or, you know, EBay.

3. People who wheel out all kinds of malicious activities - DDoS, chat spam, phishing and social engineering - in order to give you a bad hair day. Again, winning the game might be the priority - but there are many other reasons. In the same way that it isn't just about stealing logins, it isn't just about winning games either. Many scams flying around the XBox Live network are nothing more than plain old harassment, bugging you for no good reason, flooding your inbox for the purposes of hilarity.....etc.

The main areas I explored were 2 and 3 - and wrapped up in both of those are two basic ideas: hack yourself, and hack others.

Let's be clear here, because people get way too wrapped up on the word "hack" where consoles are concerned. Spoon fed the idea that consoles are "secure", many people will dismiss any and all activity as "mere phishing". Yes, the ultimate goal for most malicious individuals in console land is to grab your account. Yes, the final roll of the dice when your number comes up (usually) relies on you handing over information to your attacker.

But in the process of obtaining that data, the attacker may well have blended software modding, file hexing and system exploitation to achieve that final headshot. They start with hacking something, and end with phishing. There IS hacking taking place, and it's really irrelevant if the hacking portion comes at the start or the end of the process - all that matters is they gain control of an account. They are hacking the software, the games, getting around the numerous security protocols designed to stop tampering and also using these same techniques to obtain items for free that regular users have to pay for.

I don't know about you, but it certainly sounds to me like someone is hacking something.

I expand on this a little here, but feel free to keep rolling.

Key areas of console exploitation that I covered in my talk (loosely in the realm of points 1 & 2 above) were:

1) Artificially inflating your Gamerscore, either for kudos from your peers or financial gain by selling on high scoring accounts on various black market sites. If you can bump your own score easily, you don't have to get your feet dirty with that horrible phishing business.

2) Phishing accounts, particularly those with credit cards attached or - of course - those with high gamerscores. Phishes can (of course) be everything from the basic fake webpage, to lame messages sent across the XBox Live messaging system, or those wonderful fake points generator programs. Phishing has become a lot more sophisticated, and nowadays most phishes throw in some file tampering to make the phish more realistic. Speaking of which...

3) Hex editing data created on your console in order to cheat at games, unlock various things you'd otherwise have to pay for (which in many cases ties back to Gamerscore hacking) or perform malicious acts that often form one of the rungs in the phishing ladder. This is a perfect example. As I've said elsewhere, temporarily changing your gamertag in order to assume the identity of a game developer listed on gamerscore rank sites and phish another user is, I think, a pretty smart example of maliciously altering programming in ways it was never meant to be altered, as well as getting around a supposedly rock solid authentication system and throwing in a neat social engineering twist into the bargain.

4) People just want to have fun. And by "fun", I mean "fill up your gaming network with so much junk and rubbish that the whole thing eventually crumples in a heap and starts to cry". I covered Friend Request Spammers, DDoS attacks and a couple of other things such as lag switches that you buy from online stores and glue onto your controller but time was against me. I wanted to also explore things like chain letters (that require you to waste time by inserting a specific game disk to view them!) and other weird / not-so-wonderful items of strangeness, but I guess those will keep for another time.

Why are we at risk?

1) Modern console design is geared towards interactivity, and something working with everything else whether you want it to or not. You can get online with your console via ICS and a hole in the back of your PC, you can wirelessly use Windows Media Center with your XBox, and you can - crucially - take your removable XBox Hard Drive (geared towards digital downloads and eventually buying bigger drives) and use a Microsoft supplied USB wire and plug it into a PC, view all the files on it then start hexing many of them if you're that way inclined.

I'm not quite sure how someone at MS didn't think people would immediately plug these HDDs into computers and start looking around, but putting features onto gaming consoles that make them resemble mini PCs also makes them rather exploitable. The same features, the same functionality, the same funny shaped holes in the back of them and it all starts to go a bit pear shaped.

2) Dedicated pretexting groups on forums who will happily spend all day phoning Microsoft support reps in attempts to social engineer them into giving them your data. It seems after a number of incidents MS has tightened up in this area; however, people still complain that this has happened to them and these SE groups still exist. Some currently hijack accounts and give tutorials on how to keep them once stolen, which is, uh, a nice touch. I guess.

3) The huge obsession with promoting your gamerscore - an arbitrary numerical value assigned to achievements you earn in a game - as an amazingly cool thing. Witness this guy having a huge hissy fit about me daring to complain about it.

The flipside is that these scores single people out as targets for phishing, social engineering and general abuse. Limited privacy features mean you can only hide your most recently played games and achievements - pointless - but you CAN'T hide your gamerscore.

A common technique for social engineers is to simply go to one of the many sites that provide this data, such as the official XBox forums, and make a running total of anybody with a score between 20,000 and 30,000 (or more) on the basis that those accounts will have unlocked more things in the game, or have a higher ranking, or have more shiny blinky things for you to play with.

Remember the "impersonate a game developer" scam I mentioned earlier? Many of the people trying that scam out would potentially have just gone to a site listing game developer Gamertags under "Celebrities" - like here - then written down their names for future use.

You can bet a lot of people on that list don't know about the scams that are out there, despite them being game developers. Are we painting a big target on people that really should be a little more anonymous? I would argue we might be - phished game developer accounts would no doubt be able to fool a ton of starstruck game fans.

And we really should have the option to hide the Gamerscore, "celebrity" or not, should we choose to do so.

Conclusion


It's not all bad - Microsoft do ban lots of accounts for cheating and tampering, but I'm not kidding when I say the problem is long since out of control - jump onto Youtube or any other site, and there are more cheating / hacking / modding videos there than you could ever hope to wade through in one lifetime. For all intents and purposes, we're all stuck with this until a real solution is found.

As for me, I'm going back to playing on my Atari 7800, where the only danger is that the ancient wiring might blow out and burn down my house.
This is a step above the usual phish attempt we see here, with a number of bits and pieces that build up a pretty convincing fake website. As you probably guessed from the title, the phish involves the upcoming juggernaut that is Call of Duty: Modern Warfare 2, and the endless desire some people have to take part in a beta.

The URL to avoid is

freemw2beta36.tk

and the page itself is hosted at

freemwbeta36.t35.com

Want to take a look? Sure you do.


Modern Warfare 2 Beta Phish, originally uploaded by Paperghost.

What does this phish do that sets it way above other phish attempts? Well, for starters it looks quite professional. Top left, they use the kind of info splash you normally see on an official XBox page. On the right, there's a media section with screenshots you can actually click into. Might not sound like much, but most phishes like this one don't have anything clickable in them whatsoever. Bottom left, they've embedded a real Youtube video that you can watch to your heart's content. Right at the bottom of the page, they've included a copyright notice - something else phishers tend to lose in translation.

All in all, pretty convincing.

The only real flaw with this phish is that there is currently NO public beta planned, and it's highly unlikely there will ever be one. Don't get suckered into handing over your Windows Live ID, as no good will come of it.
There seems to be a fair bit of spam floating around trying to direct end-users to

midnight-online.tv

which is a website stuffed full of Halloween style imagery.

Midnight TV - Fakery Ahoy, originally uploaded by Paperghost.

The promise of "free online House MD episodes" is no doubt an alluring one to fans of the show used to hunting down episodes online:

fakehouse00.jpg

Unfortunately for them, there are no episodes - only computer related doom and awfulness in the form of...well, take a look at the installer URL and see if you can guess what it gives you (hint: it isn't the promised codec):

fakehouse22.jpg

"pcvirusscan2"? This isn't going to be one of those fake antivirus programs, is it?...

Total Security - Rogue AV, originally uploaded by Paperghost.

Oh.

Here's a post on a security forum from one victim:

"It downloaded "Total Security" instead of the episode and said I had all sorts of viruses and needed to purchase it."

...avoid.

About this Archive

This page is an archive of entries from October 2009 listed from newest to oldest.
