A Year In Security

2009 has seen some incredibly diverse and creative attacks. Shall we take one last look at the scams, hijacks and infections that particularly caught our eye?

January: If someone had told you that people would pay good money to have a third party build a botnet designed to DDoS gamers out of their Xbox console sessions, you might have wondered what exactly they were talking about. However, this technique (which had stayed off the radar for quite some time) finally went mainstream, with every second script kiddie trying to work out how to do it via endless YouTube tutorials and "What am I doing wrong?" posts on hacking forums.

Attacks on games and gamers have been a constant thread in research this year, as scammers realise there's a fair amount of money invested in gaming profiles, and those profiles can be bought and sold just like any other stolen account. Attacks on consoles are also a headache for office network admins, who may well be jumping on the "put a net-connected console in the office rec room and leave it to its own devices" bandwagon. Not a good idea...

February: Taking the idea of valued gaming accounts one step further, Erik Larkin of PC World explored phishing attacks on Steam account holders. Steam accounts can have hundreds (or in some cases thousands) of dollars invested in them, and the regular seasonal sales tend to send the phishers' profits through the roof. Indeed, there's a heavy collection of "ten free games in exchange for your login" phish pages in circulation at the moment. Don't be fooled!

April: You can never be too careful with downloads, as this story readily illustrated. An instant messaging password stealer (which could disguise itself as Yahoo Messenger, Live Messenger or Skype) turned up on Download.com, a trusted source of legitimate downloads. Rogue files will sadly always slip through somewhere, but full credit to CNET for removing the offending program quickly.

June: A program surfaced claiming to be a mail bombing extravaganza that would smite all of your enemies. The catch? You had to hand over your own email credentials to use it.

We've seen many, many programs that attempt to punk out people in the hacking / cracking communities, and while the majority of those files tend to stay on hacking forums, some do occasionally creep outside into the daylight.

July: Oh dear. Targeting twelve year old kids? There's lame, and then there's this. Popular social networking / gaming site Neopets came under attack from individuals who offered kids "magical paintbrushes" for their Neopet in return for running an executable file. Of course, those files were Trojans, password stealers and various other nasties in disguise. Taking advantage of a young child's desire for rare in-game items in order to compromise their computer is one of the lowest attempts at being "a hacker" we can think of.

There was also a look at Xbox Gamerscore hacking, a technique used by people who want to artificially inflate the statistics attached to a gaming account and then sell it on.

Did we mention the Megan Fox fake sex tape yet? No? Well, here it is (an article about it, anyway). Celebrities will always be the low hanging fruit used to get people to infect themselves or fill in surveys, and Megan is no exception.

August: Here we arrived at what seems to have been a phishing page linked to from a legitimate Facebook application URL. The attack was fairly inventive, though we haven't seen a repeat performance, so that's good news. There was also this infection, designed to overwrite all the images on your PC with the word "Hacked".

September: Twilight fever. This was always going to be sucked into various scams, and sure enough, just before New Moon came out in cinemas, sites such as YouTube were hosting videos promoting "online versions" of the film. All you got for your trouble was Zango installers and empty pages.

Can't have an end of year summary without a mention of Zango!

October: This particular file hit the streets a little while after Google Wave invites had stopped being the hot topic of debate, which probably helped to lessen its impact. A fake Google Wave invite generator most certainly did not generate invites of any kind, but it did look like a likely candidate for harvesting email passwords. Clever.

We also presented Gamers Under Fire at SecTor 2009, a security conference held in Canada. You can take in all the conference presentations here; they're well worth checking out.

November: Ah, Facebook applications. Sometimes you get rogue ones; other times you get scams like this, where no application exists at all. Someone had the idea of putting together a fake program that claimed to exploit a genuine application by revealing who said what about you. Of course, this was all nonsense, and the program infected your PC with a horrible file of the attacker's choosing. A simple but effective attack technique.

December: We'd been writing about various fake "work from home with Google" scams all year long, and it was nice to see some of them finally being tickled with the legal stick. Long may it continue.

We wound up the year with ZBot, delivered via a fake "Your VISA account has been compromised, download this file to see what's been going on" alert.

A wide-ranging set of attacks, then, and a good indication (as if any were needed) that social networks, popular culture, videogames and the lives of celebrities will be targets for botnets, exploits, scams, get rich quick schemes and every fake program you can think of well into 2010. It will be interesting to see how many Web 2.0 sites maintain a robust privacy policy (if such a thing is even possible) in the face of potential ad revenue, and how easy (or difficult) those policies make it for those who want to use that data for nefarious purposes.


Thanks for all your hard work down the years, Chris - sorry to see you leave Facetime but thank you for the informative entries and keeping us up to date with the latest scams and attacks!

I guess this is the end for the spywareguide blog?

Wishing you a happy new year, I'm sure whoever snaps you up will be very glad they did so!

Hey! Thanks for your kind words, appreciated.

It's a little strange to be waving goodbye to the SPG blog after so long, but I hope you enjoyed it and got some useful information from the blog entries. At this point in time, I don't know what plans there are for the blog - sorry about that.

I'm not sure what I'll be doing next, but you can keep up with me over at Vitalsecurity.org for the time being.

Thanks again, and thanks to everyone for reading these past few years - it's been a lot of fun.

Chris Boyd, aka Paperghost.

Wait, you're leaving?

That makes no sense at all :\

That makes you and Brian Krebs so far, probably with more to come.

Well, that just sucks. Sorry to see you go, your contributions here have been immense. Best wishes for the future, I have a feeling we'll be seeing a lot more of you before long.


About this Entry

This page contains a single entry by Christopher Boyd published on December 31, 2009 6:43 PM.
