<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
	
	<channel>
		<title>Softpedia News - Incidents</title>
		<link>http://news.softpedia.com</link>
		<description>Softpedia News - Incidents</description>
		<generator>Softpedia News</generator>
		<language>en-us</language>
		<copyright>2001 - 2009 Softpedia. All rights reserved.</copyright>
		<pubDate>Sun, 29 Nov 2009 14:46:19 GMT</pubDate>
		<lastBuildDate>Sun, 29 Nov 2009 14:46:19 GMT</lastBuildDate>
		<category>News</category>
		<docs>http://blogs.law.harvard.edu/tech/rss</docs>
		<ttl>10</ttl>
		<atom:link href="http://news.softpedia.com/newsRSS/Incidents-72.xml" rel="self" type="application/rss+xml" />
		<image>
			<url>http://www.softpedia.com/base_img/softpedia_logo.gif</url>
			<title>Softpedia News - Incidents</title>
			<link>http://news.softpedia.com/</link>
		</image>
<item>
<title>Web Host Hack Results in Mass Defacement</title>
<link>http://news.softpedia.com/news/Web-Host-Hack-Results-in-Mass-Defacement-128325.shtml</link>
<description><![CDATA[Customers of a UK-based web host called Daily Internet Services had their websites defaced by hackers, who replaced their index pages with an image featuring Tux, the Linux penguin mascot. The company has restored the affected pages from back-ups and is currently investigating the attack. Daily Internet Services issued a warning regarding this incident, which was marked with "high severity," Thursday at 09:52 am. "We have received reports this morning of a small number of customer websites having their index or start page replaced with an image and in some cases text as well," the company announced. Subsequent investigations revealed that this was a mass-defacement attack, where all pages with "index" in their name, such as index.html, index.htm or index.php, were replaced. A restoration process from back-ups was initiated at 10:45 am and completed by 09:00 pm on Thursday evening. A website defacement involves replacing the original content with text or images produced by the attacker in order to make a statement, send a message, or take credit for the hack. In this case, the affected pages were replaced with an image depicting Tux in three different positions, with his hands over his eyes, ears and mouth respectively. The image is inspired by the famous "three wise monkeys" pictogr...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Web-Host-Hack-Results-in-Mass-Defacement-2.jpg" align="left" style="margin-right: 10px;" />Customers of a UK-based web host called Daily Internet Services had their websites defaced by hackers, who replaced their index pages with an image featuring Tux, the Linux penguin mascot. The company has restored the affected pages from back-ups and is currently investigating the attack.<br /><br />Daily Internet Services issued a warning regarding this incident, which was marked with "high severity," Thursday at 09:52 am. "We have received reports this morning of a small number of customer websites having their index or start page replaced with an image and in some cases text as well," the company announced.<br /><br />Subsequent investigations revealed that this was a mass-defacement attack, where all pages with "index" in their name, such as index.html, index.htm or index.php, were replaced. A restoration process from back-ups was initiated at 10:45 am and completed by 09:00 pm on Thursday evening.<br /><br />A website defacement involves replacing the original content with text or images produced by the attacker in order to make a statement, send a message, or take credit for the hack. In this case, the affected pages were replaced with an image depicting Tux in three different positions, with his hands over his eyes, ears and mouth respectively.<br /><br />The image is inspired by the famous "three wise monkeys" pictogr... (<a href="http://news.softpedia.com/news/Web-Host-Hack-Results-in-Mass-Defacement-128325.shtml">read more</a>)]]></content:encoded>
<pubDate>Sat, 28 Nov 2009 11:36:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Web-Host-Hack-Results-in-Mass-Defacement-128325.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Web-Host-Hack-Results-in-Mass-Defacement-128325.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Symantec Online Store Hacked</title>
<link>http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml</link>
<description><![CDATA[A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database, including customer and admin login credentials, product serial numbers, and possibly credit card information. The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script on the pcd.symantec.com website allows a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website. During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information. The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. Accessing most of the website's sections requires authentication, and in order to exploit the blind SQLi vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 a...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Symantec-Online-Store-Hacked-2.jpg" align="left" style="margin-right: 10px;" />A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database, including customer and admin login credentials, product serial numbers, and possibly credit card information.<br /><br />The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script on the pcd.symantec.com website allows a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.<br /><br />During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.<br /><br />The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. Accessing most of the website's sections requires authentication, and in order to exploit the blind SQLi vulnerability, the hacker had to use a few specialized tools. The Web server appears to be running Windows Server 2000 a... (<a href="http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 23 Nov 2009 11:51:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>IQ Quiz Mobile Scam Hits Twitter</title>
<link>http://news.softpedia.com/news/IQ-Quiz-Mobile-Scam-Hits-Twitter-126998.shtml</link>
<description><![CDATA[Security researchers warn of a shady IQ test being promoted on Twitter via the Direct Messages feature. This is actually a scam that tries to trick people into subscribing to a useless mobile service for $9.99 per month. According to threat analysts from Trend Micro, this latest spam campaign is being run from compromised Twitter accounts. "The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts," the researchers note. These private messages try to persuade users to take an IQ test by visiting the included link. Once on the dubious page, the user can indeed take such a test; however, there's a catch. At the end, they are asked for their mobile phone number, allegedly in order to receive the results. "Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attack," JM Hipolito, technical communications specialist at Trend, writes. Things are actually pretty clear if you read the fine print on the website, which states that "This is an auto renewing subscription service that will continue until canceled [&hellip;]" and that it is "Available for $9.909 per month charged on your wireless...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/IQ-Quiz-Mobile-Scam-Hits-Twitter-2.jpg" align="left" style="margin-right: 10px;" />Security researchers warn of a shady IQ test being promoted on Twitter via the Direct Messages feature. This is actually a scam that tries to trick people into subscribing to a useless mobile service for $9.99 per month.<br /><br />According to threat analysts from Trend Micro, this latest spam campaign is being run from compromised Twitter accounts. "The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts," the researchers note.<br /><br />These private messages try to persuade users to take an IQ test by visiting the included link. Once on the dubious page, the user can indeed take such a test; however, there's a catch. At the end, they are asked for their mobile phone number, allegedly in order to receive the results.<br /><br />"Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attack," JM Hipolito, technical communications specialist at Trend, writes. Things are actually pretty clear if you read the fine print on the website, which states that "This is an auto renewing subscription service that will continue until canceled [&hellip;]" and that it is "Available for $9.909 per month charged on your wireless... (<a href="http://news.softpedia.com/news/IQ-Quiz-Mobile-Scam-Hits-Twitter-126998.shtml">read more</a>)]]></content:encoded>
<pubDate>Fri, 13 Nov 2009 15:12:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/IQ-Quiz-Mobile-Scam-Hits-Twitter-126998.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/IQ-Quiz-Mobile-Scam-Hits-Twitter-126998.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Attack Hits Swedish Signals Intelligence Agency&#039;s Website</title>
<link>http://news.softpedia.com/news/Attack-Hits-Swedish-Signals-Intelligence-Agency-s-Website-126289.shtml</link>
<description><![CDATA[The website of the Swedish National Defence Radio Establishment (Forsvarets Radioanstalt) has been the target of a prolonged denial of service attack this week. There is some speculation that the attack was meant as a protest against the agency's new role of intercepting and monitoring Internet traffic passing through Sweden. Forsvarets Radioanstalt (FRA) is an intelligence agency of the Swedish government, subordinated to the country's Ministry of Defence. It was officially established in 1942 and its primary role was radio signal interception and monitoring. In June 2008, the Swedish Parliament passed anti-terrorism legislation allowing FRA to conduct warrantless wiretapping of telephone and Internet communications that cross Swedish borders. This includes all international Internet traffic that passes through Sweden, such as Russia's. The law went into effect at the beginning of January but the actual monitoring started last month. The DoS attack on FRA's website began on Monday evening and, according to a report from the Pingdom uptime monitoring service, extended well into Tuesday and Wednesday. This type of attack involves overloading a server with bogus requests until it is unable to process legitimate ones. The total downtime was almost 29 hours, but according to an...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Attack-Hits-Swedish-Signals-Intelligence-Agency-s-Website-2.jpg" align="left" style="margin-right: 10px;" />The website of the Swedish National Defence Radio Establishment (Forsvarets Radioanstalt) has been the target of a prolonged denial of service attack this week. There is some speculation that the attack was meant as a protest against the agency's new role of intercepting and monitoring Internet traffic passing through Sweden.<br /><br />Forsvarets Radioanstalt (FRA) is an intelligence agency of the Swedish government, subordinated to the country's Ministry of Defence. It was officially established in 1942 and its primary role was radio signal interception and monitoring.<br /><br />In June 2008, the Swedish Parliament passed anti-terrorism legislation allowing FRA to conduct warrantless wiretapping of telephone and Internet communications that cross Swedish borders. This includes all international Internet traffic that passes through Sweden, such as Russia's. The law went into effect at the beginning of January but the actual monitoring started last month.<br /><br />The DoS attack on FRA's website began on Monday evening and, according to a report from the Pingdom uptime monitoring service, extended well into Tuesday and Wednesday. This type of attack involves overloading a server with bogus requests until it is unable to process legitimate ones.<br /><br />The total downtime was almost 29 hours, but according to an... (<a href="http://news.softpedia.com/news/Attack-Hits-Swedish-Signals-Intelligence-Agency-s-Website-126289.shtml">read more</a>)]]></content:encoded>
<pubDate>Fri, 6 Nov 2009 09:41:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Attack-Hits-Swedish-Signals-Intelligence-Agency-s-Website-126289.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Attack-Hits-Swedish-Signals-Intelligence-Agency-s-Website-126289.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Cyberspies Infiltrate the Swiss Foreign Ministry</title>
<link>http://news.softpedia.com/news/Cyberspies-Infiltrate-the-Swiss-Foreign-Ministry-125880.shtml</link>
<description><![CDATA[The Swiss Federal Department of Foreign Affairs (FDFA) has been the target of cyber-espionage. According to an official press release, government IT specialists have located a piece of malware on the network that was specifically designed to steal information and remain undetected. The Federal Department of Foreign Affairs is Switzerland's governmental body in charge of maintaining the country's foreign relations. As a depository state of the Geneva Conventions and home to many international organizations, Switzerland plays an important and active role on the international politics scene. "On 22 October 2009 IT specialists from the FDFA in conjunction with Microsoft discovered that the FDFA had been the target of a professional virus attack. The hackers, whose identities are as yet unknown, made use of special software during the attack to gain access to the Department&rsquo;s IT infrastructure and acquire information," an official announcement reads. It is also noted that the spying software was specifically designed to generate as little network activity and traffic as possible in order to hide its presence. Investigations are still underway to determine if the IT systems have been damaged in any way. Following the discovery, as a precautionary measure, the FDFA computer network has been disconnected from the Internet. Specialized per...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/news2/" align="left" style="margin-right: 10px;" />The Swiss Federal Department of Foreign Affairs (FDFA) has been the target of cyber-espionage. According to an official press release, government IT specialists have located a piece of malware on the network that was specifically designed to steal information and remain undetected.<br /><br />The Federal Department of Foreign Affairs is Switzerland's governmental body in charge of maintaining the country's foreign relations. As a depository state of the Geneva Conventions and home to many international organizations, Switzerland plays an important and active role on the international politics scene.<br /><br />"On 22 October 2009 IT specialists from the FDFA in conjunction with Microsoft discovered that the FDFA had been the target of a professional virus attack. The hackers, whose identities are as yet unknown, made use of special software during the attack to gain access to the Department&rsquo;s IT infrastructure and acquire information," an official announcement reads.<br /><br />It is also noted that the spying software was specifically designed to generate as little network activity and traffic as possible in order to hide its presence. Investigations are still underway to determine if the IT systems have been damaged in any way.<br /><br />Following the discovery, as a precautionary measure, the FDFA computer network has been disconnected from the Internet. Specialized per... (<a href="http://news.softpedia.com/news/Cyberspies-Infiltrate-the-Swiss-Foreign-Ministry-125880.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 2 Nov 2009 14:45:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Cyberspies-Infiltrate-the-Swiss-Foreign-Ministry-125880.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Cyberspies-Infiltrate-the-Swiss-Foreign-Ministry-125880.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>P2P Leak Exposes Ethics Committee Investigations</title>
<link>http://news.softpedia.com/news/P2P-Leak-Exposes-Ethics-Committee-Investigations-125847.shtml</link>
<description><![CDATA[A confidential report from the Committee on Standards of Official Conduct of the United States House of Representatives was leaked on peer-to-peer file sharing networks. The document contained details about the investigations of thirty House members and some of their aides. The Committee on Standards of Official Conduct, also known as the Ethics Committee, conducts investigations into possible violations of the ethical code. The work of this committee is often shrouded in a veil of secrecy, as the nature of these investigations and their status are kept confidential. A 22-page document called "Committee on Standards Weekly Summary Report" came into the possession of the Washington Post last week. According to the publication, the report reveals the status of investigations into the conduct of 19 lawmakers. It is also mentioned that the actions of 14 other House members are under review by the Office of Congressional Ethics. The names of New York Representative Charles Rangel and California Representatives Maxine Waters and Laura Richardson are disclosed in the document. At first, the incident sparked speculation that the Committee's computer systems might have been compromised. However, an official statement released to the media last Thursday points to an accidental leak caused b...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/P2P-Leak-Exposes-Ethics-Committee-Investigations-2.jpg" align="left" style="margin-right: 10px;" />A confidential report from the Committee on Standards of Official Conduct of the United States House of Representatives was leaked on peer-to-peer file sharing networks. The document contained details about the investigations of thirty House members and some of their aides.<br /><br />The Committee on Standards of Official Conduct, also known as the Ethics Committee, conducts investigations into possible violations of the ethical code. The work of this committee is often shrouded in a veil of secrecy, as the nature of these investigations and their status are kept confidential.<br /><br />A 22-page document called "Committee on Standards Weekly Summary Report" came into the possession of the Washington Post last week. According to the publication, the report reveals the status of investigations into the conduct of 19 lawmakers.<br /><br />It is also mentioned that the actions of 14 other House members are under review by the Office of Congressional Ethics. The names of New York Representative Charles Rangel and California Representatives Maxine Waters and Laura Richardson are disclosed in the document.<br /><br />At first, the incident sparked speculation that the Committee's computer systems might have been compromised. However, an official statement released to the media last Thursday points to an accidental leak caused b... (<a href="http://news.softpedia.com/news/P2P-Leak-Exposes-Ethics-Committee-Investigations-125847.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 2 Nov 2009 11:28:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/P2P-Leak-Exposes-Ethics-Committee-Investigations-125847.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/P2P-Leak-Exposes-Ethics-Committee-Investigations-125847.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>DDoS Attacks Cripple Swedish Police Website</title>
<link>http://news.softpedia.com/news/DDoS-Attacks-Cripple-Swedish-Police-Website-125772.shtml</link>
<description><![CDATA[Two distributed denial of service (DDoS) attacks have rendered the website of the Swedish police and many others inaccessible for several hours. The results of the preliminary investigation suggest that the platform of a media IT development company was specifically targeted. The first attack started on Thursday morning and seriously affected the network of a hosting provider called Basefarm. The intended target was a web development company called Adeprimo, owning and serving the biggest group of daily newspapers in Sweden. "Under normal conditions a relatively high-traffic website receives about 800 requests per second. During the attack against Adeprimo we registered up to 400,000 requests per second. As a consequence part of Basefarm's network infrastructure went down and the required traffic for a number of our customers didn't get through," Sara Murby Forste, Basefarm's managing director, explained. The company managed to limit collateral damage rather quickly, but around forty sites depending on Adeprimo's platform remained offline until noon. These included the websites of many local newspapers published by the Stampen Group, Eskilstuna Group, Nya Lidkopings Tidning, and the Mittmedia Group. Basefarm's technical manager Stefan Mansby noted that the malicious traffic originated fro...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/DDoS-Attacks-Cripple-Swedish-Police-Website-2.jpg" align="left" style="margin-right: 10px;" />Two distributed denial of service (DDoS) attacks have rendered the website of the Swedish police and many others inaccessible for several hours. The results of the preliminary investigation suggest that the platform of a media IT development company was specifically targeted.<br /><br />The first attack started on Thursday morning and seriously affected the network of a hosting provider called Basefarm. The intended target was a web development company called Adeprimo, owning and serving the biggest group of daily newspapers in Sweden.<br /><br />"Under normal conditions a relatively high-traffic website receives about 800 requests per second. During the attack against Adeprimo we registered up to 400,000 requests per second. As a consequence part of Basefarm's network infrastructure went down and the required traffic for a number of our customers didn't get through," Sara Murby Forste, Basefarm's managing director, explained.<br /><br />The company managed to limit collateral damage rather quickly, but around forty sites depending on Adeprimo's platform remained offline until noon. These included the websites of many local newspapers published by the Stampen Group, Eskilstuna Group, Nya Lidkopings Tidning, and the Mittmedia Group.<br /><br />Basefarm's technical manager Stefan Mansby noted that the malicious traffic originated fro... (<a href="http://news.softpedia.com/news/DDoS-Attacks-Cripple-Swedish-Police-Website-125772.shtml">read more</a>)]]></content:encoded>
<pubDate>Sat, 31 Oct 2009 11:08:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/DDoS-Attacks-Cripple-Swedish-Police-Website-125772.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/DDoS-Attacks-Cripple-Swedish-Police-Website-125772.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>OpenDNS Blocks Ebay.co.uk as Phishing Site</title>
<link>http://news.softpedia.com/news/OpenDNS-Blocks-Ebay-co-uk-as-Phishing-Site-125731.shtml</link>
<description><![CDATA[Internet users resolving DNS requests through OpenDNS were not able to access pages on the Ebay UK website yesterday. The problem was caused by a bogus entry in the phishing filter used by the service. The reports started flowing in last night, when many users trying to access any page starting with http://cgi.ebay.co.uk received a "Phishing Site Blocked" error. "Phishing is a fraudulent attempt to get you to provide personal information under false pretenses. We prevented you from loading this page as part of our safer, faster, and smarter DNS service. [&hellip;] Powered by OpenDNS," the message read. The problem lasted for about one hour, during which time some users expressed their frustration at not being able to bid on the products they wanted. Some people figured out on their own how to add exceptions to the site blocking feature or disable the phishing filter entirely. But even though the step-by-step solution, which required a registered account, was posted in the support forums, there were users who pointed out that they had never heard of OpenDNS before this incident and did not sign up willingly for its service. Daniel Gifford, the community manager of OpenDNS, eventually announced that they "removed what appeared to be a questionable sub-domain of ebay.co.uk from [th...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/OpenDNS-Blocks-Ebay-co-uk-as-Phishing-Site-2.jpg" align="left" style="margin-right: 10px;" />Internet users resolving DNS requests through OpenDNS were not able to access pages on the Ebay UK website yesterday. The problem was caused by a bogus entry in the phishing filter used by the service.<br /><br />The reports started flowing in last night, when many users trying to access any page starting with http://cgi.ebay.co.uk received a "Phishing Site Blocked" error. "Phishing is a fraudulent attempt to get you to provide personal information under false pretenses. We prevented you from loading this page as part of our safer, faster, and smarter DNS service. [&hellip;] Powered by OpenDNS," the message read.<br /><br />The problem lasted for about one hour, during which time some users expressed their frustration at not being able to bid on the products they wanted. Some people figured out on their own how to add exceptions to the site blocking feature or disable the phishing filter entirely.<br /><br />But even though the step-by-step solution, which required a registered account, was posted in the support forums, there were users who pointed out that they had never heard of OpenDNS before this incident and did not sign up willingly for its service.<br /><br />Daniel Gifford, the community manager of OpenDNS, eventually announced that they "removed what appeared to be a questionable sub-domain of ebay.co.uk from [th... (<a href="http://news.softpedia.com/news/OpenDNS-Blocks-Ebay-co-uk-as-Phishing-Site-125731.shtml">read more</a>)]]></content:encoded>
<pubDate>Fri, 30 Oct 2009 15:24:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/OpenDNS-Blocks-Ebay-co-uk-as-Phishing-Site-125731.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/OpenDNS-Blocks-Ebay-co-uk-as-Phishing-Site-125731.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Malvertizement Infects Gizmodo Visitors with Scareware</title>
<link>http://news.softpedia.com/news/Malvertizement-Infects-Gizmodo-Visitors-With-Scareware-125471.shtml</link>
<description><![CDATA[A malicious ad that silently infected visitors with scareware has made its way onto Gizmodo. The incident was the result of a successful social engineering attack directed at the ad sales team of Gawker Media, the site's owner. Gizmodo is a popular technology blog owned by Gawker Media, an online media company covering news on multiple topics through a series of dedicated websites. The company's revenue is mainly obtained from selling online advertising on its network. "Guys, I'm really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam," Gizmodo editor Brian Lam announced yesterday. "It's taken care of now, and only a few people should have been affected, but this isn't something we take lightly as writers, editors and tech geeks," he added. According to The Business Insider, which published the e-mail correspondence between Gawker and the attackers, the scam was indeed well orchestrated and complex in nature. After reading the back-and-forth emails, one thing is clear &ndash; the scammer, whoever he or she was, was well versed in online advertising sales. "They have intimate knowledge of online ad sales, including terms like eCPM, roadblocking, RON, IAB...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Malvertizement-Infects-Gizmodo-Visitors-With-Scareware-2.jpg" align="left" style="margin-right: 10px;" />A malicious ad that silently infected visitors with scareware has made its way onto Gizmodo. The incident was the result of a successful social engineering attack directed at the ad sales team of Gawker Media, the site's owner.<br /><br />Gizmodo is a popular technology blog owned by Gawker Media, an online media company covering news on multiple topics through a series of dedicated websites. The company's revenue is mainly obtained from selling online advertising on its network.<br /><br />"Guys, I'm really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam," Gizmodo editor Brian Lam announced yesterday. "It's taken care of now, and only a few people should have been affected, but this isn't something we take lightly as writers, editors and tech geeks," he added.<br /><br />According to The Business Insider, which published the e-mail correspondence between Gawker and the attackers, the scam was indeed well orchestrated and complex in nature. After reading the back-and-forth emails, one thing is clear &ndash; the scammer, whoever he or she was, was well versed in online advertising sales.<br /><br />"They have intimate knowledge of online ad sales, including terms like eCPM, roadblocking, RON, IAB... (<a href="http://news.softpedia.com/news/Malvertizement-Infects-Gizmodo-Visitors-With-Scareware-125471.shtml">read more</a>)]]></content:encoded>
<pubDate>Wed, 28 Oct 2009 10:50:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Malvertizement-Infects-Gizmodo-Visitors-With-Scareware-125471.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Malvertizement-Infects-Gizmodo-Visitors-With-Scareware-125471.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Australian Atheists Under Attack</title>
<link>http://news.softpedia.com/news/Australian-Atheists-Under-Attack-124968.shtml</link>
<description><![CDATA[The websites of the Atheist Foundation of Australia (AFA) and the Global Atheist Convention were the target of a Distributed Denial of Service (DDoS) attack two days ago. As a result, the websites were knocked offline for extended periods of time and their owners had to change the hosting provider.  Denial of service has long been one of the weapons of choice for hacktivists, whether they support or protest against an event. Notable examples include the Iranian DDoS mob who attacked governmental websites during the last election scandal, or the Anonymous attacks against the Church of Scientology.  These attacks are carried out by sending an unusually large number of fake data packets to a server until it uses up all its resources trying to process them and becomes unresponsive. Doing this from a large number of IPs is called a "distributed" denial of service attack and is a lot harder to repel without affecting the target.  This is what happened during the recent attack against the Atheist Foundation of Australia and the Global Atheist Convention websites, forcing their respective hosting providers to cut them off the Internet, in order to protect other customers. The sites became unresponsive at about 5:20 p.m. local time on October 20 and were not restored until well into the next day.  "Thi...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Australian-Atheists-Under-Attack-2.jpg" align="left" style="margin-right: 10px;" />The websites of the Atheist Foundation of Australia (AFA) and the Global Atheist Convention were the target of a Distributed Denial of Service (DDoS) attack two days ago. As a result, the websites were knocked offline for extended periods of time and their owners had to change the hosting provider.<br /> <br /> Denial of service has long been one of the weapons of choice for hacktivists, whether they support or protest against an event. Notable examples include the Iranian DDoS mob who attacked governmental websites during the last election scandal, or the Anonymous attacks against the Church of Scientology.<br /> <br /> These attacks are carried out by sending an unusually large number of fake data packets to a server until it uses up all its resources trying to process them and becomes unresponsive. Doing this from a large number of IPs is called a "distributed" denial of service attack and is a lot harder to repel without affecting the target.<br /> <br /> This is what happened during the recent attack against the Atheist Foundation of Australia and the Global Atheist Convention websites, forcing their respective hosting providers to cut them off the Internet, in order to protect other customers. The sites became unresponsive at about 5:20 p.m. local time on October 20 and were not restored until well into the next day.<br /> <br /> "Thi... (<a href="http://news.softpedia.com/news/Australian-Atheists-Under-Attack-124968.shtml">read more</a>)]]></content:encoded>
<pubDate>Thu, 22 Oct 2009 09:02:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Australian-Atheists-Under-Attack-124968.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Australian-Atheists-Under-Attack-124968.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Kanye West Car Crash Rumor Exploited to Push Malware</title>
<link>http://news.softpedia.com/news/Kanye-West-Car-Crash-Rumor-Exploited-to-Push-Malware-124913.shtml</link>
<description><![CDATA[A fake report that Kanye West died in a bizarre car crash in Los Angeles made its way onto the net yesterday evening, sending hordes of users googling and twittering about it. Cybercrooks reacted promptly by hijacking search results on the subject and pushing scareware.  The bogus report was apparently the work of 4chan's /b/ board, the birthplace of lolcats, as well as other popular Internet memes and hoaxes. The hacktivist group Anonymous is also believed to have originated there. The members of this board are notoriously known for being Internet trolls and have picked on celebrities before.  The rumor spread fast on social networking websites and soon enough, Kanye West's fake death became a trending topic on Twitter and the top search keyword on Google. And, as usual, cybercrooks jumped at the occasion to leverage the growing public interest and distribute some more rogueware.  For this purpose, the fraudsters used what has become one of their favorite tools in recent times &ndash; search result poisoning. Security experts warn that these criminal gangs have mastered black hat search engine optimization (BHSEO) techniques to the point where they can get a malicious link to appear in Google top ten search results for specific keyphrases within hours.  "Clicking on the link will take y...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Kanye-West-Car-Crash-Rumor-Exploited-to-Push-Malware-2.jpg" align="left" style="margin-right: 10px;" />A fake report that Kanye West died in a bizarre car crash in Los Angeles made its way onto the net yesterday evening, sending hordes of users googling and twittering about it. Cybercrooks reacted promptly by hijacking search results on the subject and pushing scareware.<br /><br />The bogus report was apparently the work of 4chan's /b/ board, the birthplace of lolcats, as well as other popular Internet memes and hoaxes. The hacktivist group Anonymous is also believed to have originated there. The members of this board are notoriously known for being Internet trolls and have picked on celebrities before.<br /><br />The rumor spread fast on social networking websites and soon enough, Kanye West's fake death became a trending topic on Twitter and the top search keyword on Google. And, as usual, cybercrooks jumped at the occasion to leverage the growing public interest and distribute some more rogueware.<br /><br />For this purpose, the fraudsters used what has become one of their favorite tools in recent times &ndash; search result poisoning. Security experts warn that these criminal gangs have mastered black hat search engine optimization (BHSEO) techniques to the point where they can get a malicious link to appear in Google top ten search results for specific keyphrases within hours.<br /><br />"Clicking on the link will take y... (<a href="http://news.softpedia.com/news/Kanye-West-Car-Crash-Rumor-Exploited-to-Push-Malware-124913.shtml">read more</a>)]]></content:encoded>
<pubDate>Wed, 21 Oct 2009 13:48:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Kanye-West-Car-Crash-Rumor-Exploited-to-Push-Malware-124913.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Kanye-West-Car-Crash-Rumor-Exploited-to-Push-Malware-124913.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Payroll Processor Hacked Twice in a Single Month</title>
<link>http://news.softpedia.com/news/Payroll-Processor-Hacked-Twice-in-a-Single-Month-124702.shtml</link>
<description><![CDATA[The online system of a large U.S. payroll processing company was attacked by hackers for the second time in a few weeks. Stolen credentials were used to create fake employees for companies in an attempt to siphon funds out of their accounts.  Onlineemployer.com, an online system belonging to PayChoice, one of the largest payroll processors in the U.S., was taken offline due to a security breach last Thursday. The attack occurred on October 14 and was the second of its kind in less than a month.  At the end of September, we reported that PayChoice was hit by cybercriminals who managed to steal customer names, email addresses, login IDs and partial passwords. The company announced that computer forensic experts were called in to investigate the incident.  Subsequently, some of the 125,000 organizations and business partners that use the company's online system to process payrolls have reportedly received phishing emails. The messages advertised a link allegedly pointing to a PayChoice-sanctioned browser toolbar.  The Web page actually contained an exploit cocktail that attempted to infect computers with an information stealing trojan. In order to make the scheme more credible, the attackers incorporated the stolen account information into the phishing emails.  It seems that last ...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Payroll-Processor-Hacked-Twice-in-a-Single-Month-2.jpg" align="left" style="margin-right: 10px;" />The online system of a large U.S. payroll processing company was attacked by hackers for the second time in a few weeks. Stolen credentials were used to create fake employees for companies in an attempt to siphon funds out of their accounts.<br /><br />Onlineemployer.com, an online system belonging to PayChoice, one of the largest payroll processors in the U.S., was taken offline due to a security breach last Thursday. The attack occurred on October 14 and was the second of its kind in less than a month.<br /><br />At the end of September, we reported that PayChoice was hit by cybercriminals who managed to steal customer names, email addresses, login IDs and partial passwords. The company announced that computer forensic experts were called in to investigate the incident.<br /><br />Subsequently, some of the 125,000 organizations and business partners that use the company's online system to process payrolls have reportedly received phishing emails. The messages advertised a link allegedly pointing to a PayChoice-sanctioned browser toolbar.<br /><br />The Web page actually contained an exploit cocktail that attempted to infect computers with an information stealing trojan. In order to make the scheme more credible, the attackers incorporated the stolen account information into the phishing emails.<br /><br />It seems that last ... (<a href="http://news.softpedia.com/news/Payroll-Processor-Hacked-Twice-in-a-Single-Month-124702.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 19 Oct 2009 14:07:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Payroll-Processor-Hacked-Twice-in-a-Single-Month-124702.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Payroll-Processor-Hacked-Twice-in-a-Single-Month-124702.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Cyberattack Targets Polish Government Systems</title>
<link>http://news.softpedia.com/news/Cyberattack-Targets-Polish-Government-Systems-124438.shtml</link>
<description><![CDATA[Local Polish media reports that the country's government network was the target of an organized cyberattack back in September. The authorities are reluctant to disclose details about the incident, but apparently the attack originated in Russia.  According to the Polish Rzeczpospolita (The Republic) newspaper, the cyberattack occurred around September 17, the anniversary of the Invasion of Poland, which marked the start of World War II. At the same time, the Russian Prime Minister Vladimir Putin was visiting the Polish Westerplatte peninsula, where the first WWII battle occurred.  Colonel Pawel Bialek, the deputy chief of Poland's internal security agency Agencja Bezpieczenstwa Wewnetrznego (ABW), told Rzeczpospolita that the attacks targeted the servers of several unnamed government agencies. He also pointed out that the assaults were blocked thanks to the agency's cyberpatrol, which detected the suspicious traffic.  ABW has a specialized division that monitors and protects the networks and websites of over fifty government institutions. And even though it refused to release any additional details about the incident, saying it&rsquo;s a matter of national security, it stressed that such attacks are rarely successful.  In addition, the Polish government's Computer Emergency Response Team (CERT...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Cyberattack-Targets-Polish-Government-Systems-2.jpg" align="left" style="margin-right: 10px;" />Local Polish media reports that the country's government network was the target of an organized cyberattack back in September. The authorities are reluctant to disclose details about the incident, but apparently the attack originated in Russia.<br /><br />According to the Polish Rzeczpospolita (The Republic) newspaper, the cyberattack occurred around September 17, the anniversary of the Invasion of Poland, which marked the start of World War II. At the same time, the Russian Prime Minister Vladimir Putin was visiting the Polish Westerplatte peninsula, where the first WWII battle occurred.<br /><br />Colonel Pawel Bialek, the deputy chief of Poland's internal security agency Agencja Bezpieczenstwa Wewnetrznego (ABW), told Rzeczpospolita that the attacks targeted the servers of several unnamed government agencies. He also pointed out that the assaults were blocked thanks to the agency's cyberpatrol, which detected the suspicious traffic.<br /><br />ABW has a specialized division that monitors and protects the networks and websites of over fifty government institutions. And even though it refused to release any additional details about the incident, saying it&rsquo;s a matter of national security, it stressed that such attacks are rarely successful.<br /><br />In addition, the Polish government's Computer Emergency Response Team (CERT... (<a href="http://news.softpedia.com/news/Cyberattack-Targets-Polish-Government-Systems-124438.shtml">read more</a>)]]></content:encoded>
<pubDate>Thu, 15 Oct 2009 14:03:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Cyberattack-Targets-Polish-Government-Systems-124438.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Cyberattack-Targets-Polish-Government-Systems-124438.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Secure .SE Zone Goes Down Due to Missing Dot</title>
<link>http://news.softpedia.com/news/Secure-SE-Zone-Goes-Down-Due-to-Missing-Dot-124268.shtml</link>
<description><![CDATA[The Internet in Sweden broke down on Monday for at least one hour because of an error introduced during a routine maintenance update of the .se zone. Internet service providers had to manually flush the cache of their DNS servers in order to restore proper functionality.  Around 21:45 on Monday, Internet users from across the world stopped being able to access domain names ending in .se, the country code top-level domain for Sweden. The .se registry counts almost 905,000 domain names and is operated by the Internet Infrastructure Foundation (.SE), which was the first TLD maintainer in the world to offer DNSSEC services.  Pingdom, a Sweden-based company that provides website performance and monitoring, reports on its blog that the error actually consisted of a dot character not being added by the update script. "We have spoken to a number of industry insiders and what happened is that when updating the data, the script did not add a terminating '.' to the DNS records in the .se zone. That trailing dot is necessary in the settings for DNS to understand that '.se' is the top-level domain. It is a seemingly small detail, but without it, the whole DNS lookup chain broke down," the company explains.  The problem was theoretically resolved in about an hour, as the Internet Infrastructure Foundation rolled out...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Secure-SE-Zone-Goes-Down-Due-to-Missing-Dot-2.jpg" align="left" style="margin-right: 10px;" />The Internet in Sweden broke down on Monday for at least one hour because of an error introduced during a routine maintenance update of the .se zone. Internet service providers had to manually flush the cache of their DNS servers in order to restore proper functionality.<br /><br />Around 21:45 on Monday, Internet users from across the world stopped being able to access domain names ending in .se, the country code top-level domain for Sweden. The .se registry counts almost 905,000 domain names and is operated by the Internet Infrastructure Foundation (.SE), which was the first TLD maintainer in the world to offer DNSSEC services.<br /><br />Pingdom, a Sweden-based company that provides website performance and monitoring, reports on its blog that the error actually consisted of a dot character not being added by the update script. "We have spoken to a number of industry insiders and what happened is that when updating the data, the script did not add a terminating '.' to the DNS records in the .se zone. That trailing dot is necessary in the settings for DNS to understand that '.se' is the top-level domain. It is a seemingly small detail, but without it, the whole DNS lookup chain broke down," the company explains.<br /><br />The problem was theoretically resolved in about an hour, as the Internet Infrastructure Foundation rolled out... (<a href="http://news.softpedia.com/news/Secure-SE-Zone-Goes-Down-Due-to-Missing-Dot-124268.shtml">read more</a>)]]></content:encoded>
<pubDate>Wed, 14 Oct 2009 10:15:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Secure-SE-Zone-Goes-Down-Due-to-Missing-Dot-124268.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Secure-SE-Zone-Goes-Down-Due-to-Missing-Dot-124268.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>More Lists with Stolen Email Account Credentials Uncovered</title>
<link>http://news.softpedia.com/news/More-Lists-With-Stolen-Email-Account-Credentials-Uncovered-123649.shtml</link>
<description><![CDATA[The BBC claims to have located a list containing 20,000 webmail login credentials on the same website where similar information about 10,000 Hotmail accounts was recently leaked. In addition, Google announced that it found a separate document containing email logins obtained through an industry-wide phishing attack.  Two days ago, the Neowin technology blog reported that a list of 10,000 Windows Live Hotmail logins and passwords was posted on text-sharing website Pastebin. Microsoft confirmed the incident and proceeded to secure the compromised accounts.  The BBC reporters scoured the Pastebin website for similar lists of stolen credentials and found another document containing usernames and passwords for 20,000 webmail accounts. This time, the accounts were not only from Hotmail, but also Gmail, Yahoo! Mail and AOL. A few ISP e-mails belonging to Comcast and Earthlink customers were on the list as well.  A Google spokesperson told the BBC that fewer than 500 Gmail accounts were compromised and that their passwords had since been reset. Both Microsoft and Google said that the lists were likely the result of phishing attacks. This theory is also supported by an Acunetix security researcher who analyzed the leaked Hotmail passwords.  The Google representative also noted that the comp...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/More-Lists-With-Stolen-Email-Account-Credentials-Uncovered-2.jpg" align="left" style="margin-right: 10px;" />The BBC claims to have located a list containing 20,000 webmail login credentials on the same website where similar information about 10,000 Hotmail accounts was recently leaked. In addition, Google announced that it found a separate document containing email logins obtained through an industry-wide phishing attack.<br /><br />Two days ago, the Neowin technology blog reported that a list of 10,000 Windows Live Hotmail logins and passwords was posted on text-sharing website Pastebin. Microsoft confirmed the incident and proceeded to secure the compromised accounts.<br /><br />The BBC reporters scoured the Pastebin website for similar lists of stolen credentials and found another document containing usernames and passwords for 20,000 webmail accounts. This time, the accounts were not only from Hotmail, but also Gmail, Yahoo! Mail and AOL. A few ISP e-mails belonging to Comcast and Earthlink customers were on the list as well.<br /><br />A Google spokesperson told the BBC that fewer than 500 Gmail accounts were compromised and that their passwords had since been reset. Both Microsoft and Google said that the lists were likely the result of phishing attacks. This theory is also supported by an Acunetix security researcher who analyzed the leaked Hotmail passwords.<br /><br />The Google representative also noted that the comp... (<a href="http://news.softpedia.com/news/More-Lists-With-Stolen-Email-Account-Credentials-Uncovered-123649.shtml">read more</a>)]]></content:encoded>
<pubDate>Wed, 7 Oct 2009 13:39:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/More-Lists-With-Stolen-Email-Account-Credentials-Uncovered-123649.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/More-Lists-With-Stolen-Email-Account-Credentials-Uncovered-123649.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Amazon-Hosted Code Repository Service Repeatedly Attacked</title>
<link>http://news.softpedia.com/news/Amazon-Hosted-Code-Repository-Service-Repeatedly-Attacked-123518.shtml</link>
<description><![CDATA[The Bitbucket development project hosting service went down for long periods during the weekend and on Monday morning because of several powerful Distributed Denial of Service (DDoS) attacks directed at its EC2-powered infrastructure. Part of the reason why the downtimes were so serious was Amazon's tech support, who failed to rapidly acknowledge that a network problem was ongoing.  Bitbucket was designed for developers looking to host and maintain their projects. It uses the Mercurial collaborative version control system and runs on Amazon's Elastic Compute Cloud (EC2) infrastructure. Amazon's EBS persistent storage solution is also used to store databases, logfiles, and repositories.  According to Jesper Nohr, the owner of the company behind Bitbucket, the site began experiencing problems during Friday evening, when everything slowed down almost to a halt. Requests from the website on EC2 to the data stored on EBS were going through at a very slow rate. "We were getting less throughput than you can pull off of a 1.44MB floppy," Nohr writes in a blog post describing the incident.  After upgrading to the "Gold" support plan to get the issue resolved faster, an Amazon representative told the Bitbucket team that it was a normal EBS performance variation. After several hours of going back an...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Amazon-Hosted-Code-Repository-Service-Repeatedly-Attacked-2.jpg" align="left" style="margin-right: 10px;" />The Bitbucket development project hosting service went down for long periods during the weekend and on Monday morning because of several powerful Distributed Denial of Service (DDoS) attacks directed at its EC2-powered infrastructure. Part of the reason why the downtimes were so serious was Amazon's tech support, who failed to rapidly acknowledge that a network problem was ongoing.<br /><br />Bitbucket was designed for developers looking to host and maintain their projects. It uses the Mercurial collaborative version control system and runs on Amazon's Elastic Compute Cloud (EC2) infrastructure. Amazon's EBS persistent storage solution is also used to store databases, logfiles, and repositories.<br /><br />According to Jesper Nohr, the owner of the company behind Bitbucket, the site began experiencing problems during Friday evening, when everything slowed down almost to a halt. Requests from the website on EC2 to the data stored on EBS were going through at a very slow rate. "We were getting less throughput than you can pull off of a 1.44MB floppy," Nohr writes in a blog post describing the incident.<br /><br />After upgrading to the "Gold" support plan to get the issue resolved faster, an Amazon representative told the Bitbucket team that it was a normal EBS performance variation. After several hours of going back an... (<a href="http://news.softpedia.com/news/Amazon-Hosted-Code-Repository-Service-Repeatedly-Attacked-123518.shtml">read more</a>)]]></content:encoded>
<pubDate>Tue, 6 Oct 2009 13:00:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Amazon-Hosted-Code-Repository-Service-Repeatedly-Attacked-123518.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Amazon-Hosted-Code-Repository-Service-Repeatedly-Attacked-123518.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Major Payroll Processing Provider Breached</title>
<link>http://news.softpedia.com/news/Major-Payroll-Processing-Provider-Breached-123256.shtml</link>
<description><![CDATA[The breach of an online payroll processing system belonging to a large provider called PayChoice has surfaced after its customers have started receiving targeted malware distribution attacks via email. The attackers are looking to infect the company's clients with an information-stealing trojan after they only succeeded in retrieving incomplete passwords from the database.  The Washington Post reports that PayChoice, a payroll processing provider based in Moorestown, New Jersey, has suffered a security breach on its online system called &ldquo;Online Employer.&rdquo; The total number of organizations using PayChoice's services, either directly or through its partners, is around 125,000.  After discovering the breach on September 23, the company immediately shut down the onlineemployer.com website. The extent of the breach is yet to be determined, as contracted computer forensics experts are still analyzing the affected servers. Law enforcement agencies have also been notified and have launched an investigation into the incident.  What's certain at the moment is that the attackers walked off with at least customer names, email addresses, login IDs and incomplete passwords. These pieces of information were later used to launch highly targeted attacks against the company's clients.  The rogue em...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Major-Payroll-Processing-Provider-Breached-2.jpg" align="left" style="margin-right: 10px;" />The breach of an online payroll processing system belonging to a large provider called PayChoice has surfaced after its customers have started receiving targeted malware distribution attacks via email. The attackers are looking to infect the company's clients with an information-stealing trojan after they only succeeded in retrieving incomplete passwords from the database. <br /><br />The Washington Post reports that PayChoice, a payroll processing provider based in Moorestown, New Jersey, has suffered a security breach on its online system called &ldquo;Online Employer.&rdquo; The total number of organizations using PayChoice's services, either directly or through its partners, is around 125,000.<br /><br />After discovering the breach on September 23, the company immediately shut down the onlineemployer.com website. The extent of the breach is yet to be determined, as contracted computer forensics experts are still analyzing the affected servers. Law enforcement agencies have also been notified and have launched an investigation into the incident.<br /><br />What's certain at the moment is that the attackers walked off with at least customer names, email addresses, login IDs and incomplete passwords. These pieces of information were later used to launch highly targeted attacks against the company's clients.<br /><br />The rogue em... (<a href="http://news.softpedia.com/news/Major-Payroll-Processing-Provider-Breached-123256.shtml">read more</a>)]]></content:encoded>
<pubDate>Fri, 2 Oct 2009 12:42:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Major-Payroll-Processing-Provider-Breached-123256.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Major-Payroll-Processing-Provider-Breached-123256.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>UK Foreign Currency Exchange Service Leaks Sensitive Data</title>
<link>http://news.softpedia.com/news/UK-Foreign-Currency-Exchange-Service-Leaks-Sensitive-Data-122932.shtml</link>
<description><![CDATA[Multiple vulnerabilities discovered in the website of a UK-based company called OnlineFX, which conducts foreign exchange services, can be exploited to extract highly sensitive data from the underlying database. Credit card details and customer information are possibly compromised.  According to its own website, OnlineFX is a financial company based in central London and offers foreign currency exchange at low rates, bank money transfers to over 70 countries, as well as IT, marketing and corporate services. The onlinefx.co.uk flaws were disclosed by Romanian grey hat hacker Unu, who specializes in finding SQL injection vulnerabilities in high-profile websites.  The hacker notes that a poorly secured parameter allows executing SQL queries in the database. However, because the database server is MSSQL, the results of the queries are not displayed in the browser window. This type of attack is known as a &ldquo;blind SQL injection&rdquo; and requires special tools to exploit.  Unu used a specialized penetration testing application called Pangolin, developed by a Chinese security firm, to see inside the database. According to the screenshots he published, the web server is running on Windows Server 2000 with a Microsoft SQL Server 2000 backend. Using the permissions obtained by exploitation of ...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/UK-Foreign-Currency-Exchange-Service-Leaks-Sensitive-Data-2.jpg" align="left" style="margin-right: 10px;" />Multiple vulnerabilities discovered in the website of a UK-based company called OnlineFX, which conducts foreign exchange services, can be exploited to extract highly sensitive data from the underlying database. Credit card details and customer information are possibly compromised.<br /><br />According to its own website, OnlineFX is a financial company based in central London and offers foreign currency exchange at low rates, bank money transfers to over 70 countries, as well as IT, marketing and corporate services. The onlinefx.co.uk flaws were disclosed by Romanian grey hat hacker Unu, who specializes in finding SQL injection vulnerabilities in high-profile websites.<br /><br />The hacker notes that a poorly secured parameter allows executing SQL queries in the database. However, because the database server is MSSQL, the results of the queries are not displayed in the browser window. This type of attack is known as a &ldquo;blind SQL injection&rdquo; and requires special tools to exploit.<br /><br />Unu used a specialized penetration testing application called Pangolin, developed by a Chinese security firm, to see inside the database. According to the screenshots he published, the web server is running on Windows Server 2000 with a Microsoft SQL Server 2000 backend. Using the permissions obtained by exploitation of ... (<a href="http://news.softpedia.com/news/UK-Foreign-Currency-Exchange-Service-Leaks-Sensitive-Data-122932.shtml">read more</a>)]]></content:encoded>
<pubDate>Tue, 29 Sep 2009 12:04:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/UK-Foreign-Currency-Exchange-Service-Leaks-Sensitive-Data-122932.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/UK-Foreign-Currency-Exchange-Service-Leaks-Sensitive-Data-122932.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>XSS Worm Hits Reddit</title>
<link>http://news.softpedia.com/news/XSS-Worm-Hits-Reddit-122902.shtml</link>
<description><![CDATA[Reddit was hit yesterday by an out of control XSS worm, which someone launched as a proof of concept. The website administrators moved swiftly to stop the attack and inform the public, thus earning the appreciation of the security community. Reddit is a social news and social bookmarking website that allows users to post, vote and comment on links to arbitrary content from the Internet. The platform is developed in Python and since June 2008, its code is freely available as an open source project. The XSS worm was released on Reddit on Sunday night and continued to spread during early Monday morning. The attack was blocked by 10:34 am on Monday and the administration announced that "We had a bug in reddit that allowed someone to start a comment bomb." The worm exploited two different bugs discovered independently by two users going by the online handle of Empirical and Tolkad. The first allowed creating a malformed link, that when visited allowed the execution of JavaScript code forcing a logged in user to post replies to all comments on a page. "The first bug wasn't really a bug, but a feature of markdown that we hadn't removed. This feature allowed one to specify a variable for replacement later on," Jeremy Edberg, senior product developer at Reddit, explained. The second issue was a programming logic weaknes...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/XSS-Worm-Hits-Reddit-2.jpg" align="left" style="margin-right: 10px;" />Reddit was hit yesterday by an out of control XSS worm, which someone launched as a proof of concept. The website administrators moved swiftly to stop the attack and inform the public, thus earning the appreciation of the security community.<br /><br />Reddit is a social news and social bookmarking website that allows users to post, vote and comment on links to arbitrary content from the Internet. The platform is developed in Python and since June 2008, its code is freely available as an open source project.<br /><br />The XSS worm was released on Reddit on Sunday night and continued to spread during early Monday morning. The attack was blocked by 10:34 am on Monday and the administration announced that "We had a bug in reddit that allowed someone to start a comment bomb."<br /><br />The worm exploited two different bugs discovered independently by two users going by the online handle of Empirical and Tolkad. The first allowed creating a malformed link, that when visited allowed the execution of JavaScript code forcing a logged in user to post replies to all comments on a page. "The first bug wasn't really a bug, but a feature of markdown that we hadn't removed. This feature allowed one to specify a variable for replacement later on," Jeremy Edberg, senior product developer at Reddit, explained.<br /><br />The second issue was a programming logic weaknes... (<a href="http://news.softpedia.com/news/XSS-Worm-Hits-Reddit-122902.shtml">read more</a>)]]></content:encoded>
<pubDate>Tue, 29 Sep 2009 09:44:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/XSS-Worm-Hits-Reddit-122902.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/XSS-Worm-Hits-Reddit-122902.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Flash-Based Social Networking Worm Rampages on LiveJournal</title>
<link>http://news.softpedia.com/news/Flash-Based-Social-Networking-Worm-Rampages-on-LiveJournal-122569.shtml</link>
<description><![CDATA[Users of the LiveJournal blogging platform were the target of a malicious attack on Tuesday, when a social networking worm that spread by simply viewing an infected post was released on the website. The malware stole email addresses and made private blog entries accessible to everyone.  The LiveJournal staff has posted a detailed announcement describing the attack, which is said to have only lasted for less than two hours. As a result, the ability to embed video files into blog entries has been suspended, but has since been restored for a few trusted services such as YouTube. The social networking worm propagated through an embedded flash video that used the allowScriptAccess parameter to trigger a cross-site scripting condition. According to Adobe, "When AllowScriptAccess is 'always,' the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page."  Upon viewing an already infected posting, the exploit proceeded to compromising the account of the visitor by adding the malicious code to their latest entry, resetting its icon and metadata, as well as setting its security to public so that it could be viewed by everyone. Additionally, the email address registered with the account was recorded and possibly u...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Flash-Based-Social-Networking-Worm-Rampages-on-LiveJournal-2.jpg" align="left" style="margin-right: 10px;" />Users of the LiveJournal blogging platform were the target of a malicious attack on Tuesday, when a social networking worm that spread by simply viewing an infected post was released on the website. The malware stole email addresses and made private blog entries accessible to everyone.<br /> <br /> The LiveJournal staff has posted a detailed announcement describing the attack, which is said to have only lasted for less than two hours. As a result, the ability to embed video files into blog entries has been suspended, but has since been restored for a few trusted services such as YouTube.<br /> <br />The social networking worm propagated through an embedded flash video that used the allowScriptAccess parameter to trigger a cross-site scripting condition. According to Adobe, "When AllowScriptAccess is 'always,' the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page."<br /> <br /> Upon viewing an already infected posting, the exploit proceeded to compromising the account of the visitor by adding the malicious code to their latest entry, resetting its icon and metadata, as well as setting its security to public so that it could be viewed by everyone. Additionally, the email address registered with the account was recorded and possibly u... (<a href="http://news.softpedia.com/news/Flash-Based-Social-Networking-Worm-Rampages-on-LiveJournal-122569.shtml">read more</a>)]]></content:encoded>
<pubDate>Thu, 24 Sep 2009 13:42:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Flash-Based-Social-Networking-Worm-Rampages-on-LiveJournal-122569.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Flash-Based-Social-Networking-Worm-Rampages-on-LiveJournal-122569.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Over $500,000 Stolen from Construction Firm's Bank Account</title>
<link>http://news.softpedia.com/news/Over-500-000-Stolen-from-Construction-Firm-039-s-Bank-Account-122525.shtml</link>
<description><![CDATA[New cases of fraudulent banking transfers that affect companies and organizations across the U.S. continue to be uncovered. A new incident involves a Maine-based company called Patco Construction, whose account was emptied of over $500,000 by Eastern European cybercrooks.  The Washington Post reports that Patco's online banking credentials were stolen and then used to initiate batches of fraudulent transfers from its account to over thirty individuals with whom the company never had any previous business. Separate series of transfers were performed on a daily basis from May 7 until May 14 and totaled to around $588,000.  The company successfully recovered $243,000, but is missing the rest and the bank refuses to cover the loss. Under the law, business customers are treated differently from private persons when it comes to fraud. While regular consumers have 60 days to report fraudulent activity to their bank and will generally get reimbursed, businesses only have 24 hours to do it and without any guarantee that they will see their money back.  Financial institutions are, however, required by regulations to protect all of their customers' assets, business or otherwise, by enforcing "commercially reasonable security procedures." Patco feels that Ocean Bank failed to meet this obli...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Over-500-000-Stolen-from-Construction-Firm-039-s-Bank-Account-2.jpg" align="left" style="margin-right: 10px;" />New cases of fraudulent banking transfers that affect companies and organizations across the U.S. continue to be uncovered. A new incident involves a Maine-based company called Patco Construction, whose account was emptied of over $500,000 by Eastern European cybercrooks.<br /> <br /> The Washington Post reports that Patco's online banking credentials were stolen and then used to initiate batches of fraudulent transfers from its account to over thirty individuals with whom the company never had any previous business. Separate series of transfers were performed on a daily basis from May 7 until May 14 and totaled to around $588,000.<br /> <br /> The company successfully recovered $243,000, but is missing the rest and the bank refuses to cover the loss. Under the law, business customers are treated differently from private persons when it comes to fraud. While regular consumers have 60 days to report fraudulent activity to their bank and will generally get reimbursed, businesses only have 24 hours to do it and without any guarantee that they will see their money back.<br /> <br /> Financial institutions are, however, required by regulations to protect all of their customers' assets, business or otherwise, by enforcing "commercially reasonable security procedures." Patco feels that Ocean Bank failed to meet this obli... (<a href="http://news.softpedia.com/news/Over-500-000-Stolen-from-Construction-Firm-039-s-Bank-Account-122525.shtml">read more</a>)]]></content:encoded>
<pubDate>Thu, 24 Sep 2009 09:45:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Over-500-000-Stolen-from-Construction-Firm-039-s-Bank-Account-122525.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Over-500-000-Stolen-from-Construction-Firm-039-s-Bank-Account-122525.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Hardware Manufacturer Serves Malware-Infected Drivers</title>
<link>http://news.softpedia.com/news/Hardware-Manufacturer-Serves-Malware-Infected-Drivers-122327.shtml</link>
<description><![CDATA[A security researcher reported that the driver files available for download on the website of a gaming hardware manufacturer called Razer were infected with malware. Upon being notified of the issue, the company took its entire support website offline and started an investigation. The problem was discovered by Trend Micro's Solutions Architect, Rik Ferguson, who warns on his blog that, "The support website at gaming hardware manufacturer Razer has been compromised to distribute malware." Razer is a company based in Carlsbad, California, which describes itself as "a worldwide leader in terms of professional gaming peripherals."   Its products range from mice and keyboards to surfaces and accessories designed for professional gamers. In order for the operating systems to support the enhanced functionality of these devices, the company provides drivers and special pieces of software through its website. However, according to the Trend Micro security researcher, "A large amount of the device drivers offered for download at the Razer support site were infected with a Trojan."  The trojan acts as a dropper/installer for another piece of malware detected by Trend as WORM.ASPXOR.AB, which is dropped in the system directory. At the time of the discovery, this piece of malware had been detected b...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Hardware-Manufacturer-Serves-Malware-Infected-Drivers-2.jpg" align="left" style="margin-right: 10px;" />A security researcher reported that the driver files available for download on the website of a gaming hardware manufacturer called Razer were infected with malware. Upon being notified of the issue, the company took its entire support website offline and started an investigation.<br /> <br />The problem was discovered by Trend Micro's Solutions Architect, Rik Ferguson, who warns on his blog that, "The support website at gaming hardware manufacturer Razer has been compromised to distribute malware." Razer is a company based in Carlsbad, California, which describes itself as "a worldwide leader in terms of professional gaming peripherals." <br /> <br /> Its products range from mice and keyboards to surfaces and accessories designed for professional gamers. In order for the operating systems to support the enhanced functionality of these devices, the company provides drivers and special pieces of software through its website. However, according to the Trend Micro security researcher, "A large amount of the device drivers offered for download at the Razer support site were infected with a Trojan."<br /> <br /> The trojan acts as a dropper/installer for another piece of malware detected by Trend as WORM.ASPXOR.AB, which is dropped in the system directory. At the time of the discovery, this piece of malware had been detected b... (<a href="http://news.softpedia.com/news/Hardware-Manufacturer-Serves-Malware-Infected-Drivers-122327.shtml">read more</a>)]]></content:encoded>
<pubDate>Tue, 22 Sep 2009 12:11:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Hardware-Manufacturer-Serves-Malware-Infected-Drivers-122327.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Hardware-Manufacturer-Serves-Malware-Infected-Drivers-122327.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Denial of Service Attack Hits Justin.tv</title>
<link>http://news.softpedia.com/news/Denial-of-Service-Attack-Hits-Justin-tv-122242.shtml</link>
<description><![CDATA[Multiple users reported connection problems on Justin.tv during the weekend. The live video streaming website's administration announced that the intermittent downtime was caused by a sustained distributed denial of service (DDoS) attack against its servers. The problems started sometime on Saturday morning and, at 1:52 PM, Justin.tv's Caleb Elston released a statement on the website's official blog. "We apologize for the intermittent downtime we have been experiencing today. Our network has been flooded with malicious requests which prevents legitimate requests from getting through. This is a classic DDOS attack," he explained. Such attacks are performed by sending a very large number of bogus packets to a server during a short period of time. The server attempts to process these requests until it eventually runs out of resources and becomes unresponsive. Any legitimate request that is received after that critical point will be dropped or timed out. With enough resources, it is possible to keep a server under a denial of service condition for hours or days at a time. The "distributed" part in DDoS refers to the fact that the attack does not originate from a single IP, which would be trivial to block, but from thousands of addresses. In Justin.tv's case, the pro...]]></description>
<content:encoded><![CDATA[<p style="margin-bottom: 0in;"><img src="http://news.softpedia.com/images/newsrsz/Denial-of-Service-Attack-Hits-Justin-tv-2.jpg" align="left" style="margin-right: 10px;" />Multiple users reported connection problems on Justin.tv during the weekend. The live video streaming website's administration announced that the intermittent downtime was caused by a sustained distributed denial of service (DDoS) attack against its servers.<br /><br />The problems started sometime on Saturday morning and, at 1:52 PM, Justin.tv's Caleb Elston released a statement on the website's official blog. "We apologize for the intermittent downtime we have been experiencing today. Our network has been flooded with malicious requests which prevents legitimate requests from getting through. This is a classic DDOS attack," he explained.<br /><br />Such attacks are performed by sending a very large number of bogus packets to a server during a short period of time. The server attempts to process these requests until it eventually runs out of resources and becomes unresponsive. Any legitimate request that is received after that critical point will be dropped or timed out.<br /><br />With enough resources, it is possible to keep a server under a denial of service condition for hours or days at a time. The "distributed" part in DDoS refers to the fact that the attack does not originate from a single IP, which would be trivial to block, but from thousands of addresses.<br /><br />In Justin.tv's case, the pro... (<a href="http://news.softpedia.com/news/Denial-of-Service-Attack-Hits-Justin-tv-122242.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 21 Sep 2009 13:38:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Denial-of-Service-Attack-Hits-Justin-tv-122242.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Denial-of-Service-Attack-Hits-Justin-tv-122242.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>The Clampi Banking Trojan Targets U.S. Schools</title>
<link>http://news.softpedia.com/news/The-Clampi-Banking-Trojan-Targets-U-S-Schools-121681.shtml</link>
<description><![CDATA[U.S. public and private schools alike should be on alert as the cybercriminal gang behind the Clampi Trojan has been targeting such institutions recently and walked away with impressive amounts of money. Security researchers say it is one of the most sophisticated and successful online banking fraud operations. The complex Clampi trojan is known under several different names, including Ligats, Ilomo or Rscan. Its purpose is to steal online banking credentials from compromised systems; however, the attacks involving it are much more sophisticated and widespread, using fake companies and recruitment websites to hire money mules. The recent versions of the trojan can propagate across internal Windows networks by using a tool called PsExec and stolen domain administrator credentials. PsExec is a legit utility developed by Microsoft, which is generally used by admins to execute processes on remote computers. The presence of this tool on computers that are not authorized to have it installed should raise red flags and generally points to a Clampi infection. The Washington Post reports that in addition to the incident at the Western Beaver School District, from where cybercrooks stole a total of $704,610 in 74 fraudulent electronic transfers, several other schools have reported similar attacks. Western B...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/The-Clampi-Banking-Trojan-Targets-U-S-Schools-2.jpg" align="left" style="margin-right: 10px;" />U.S. public and private schools alike should be on alert as the cybercriminal gang behind the Clampi Trojan has been targeting such institutions recently and walked away with impressive amounts of money. Security researchers say it is one of the most sophisticated and successful online banking fraud operations.<br /><br />The complex Clampi trojan is known under several different names, including Ligats, Ilomo or Rscan. Its purpose is to steal online banking credentials from compromised systems; however, the attacks involving it are much more sophisticated and widespread, using fake companies and recruitment websites to hire money mules.<br /><br />The recent versions of the trojan can propagate across internal Windows networks by using a tool called PsExec and stolen domain administrator credentials. PsExec is a legit utility developed by Microsoft, which is generally used by admins to execute processes on remote computers. The presence of this tool on computers that are not authorized to have it installed should raise red flags and generally points to a Clampi infection.<br /><br />The Washington Post reports that in addition to the incident at the Western Beaver School District, from where cybercrooks stole a total of $704,610 in 74 fraudulent electronic transfers, several other schools have reported similar attacks. Western B... (<a href="http://news.softpedia.com/news/The-Clampi-Banking-Trojan-Targets-U-S-Schools-121681.shtml">read more</a>)]]></content:encoded>
<pubDate>Tue, 15 Sep 2009 09:46:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/The-Clampi-Banking-Trojan-Targets-U-S-Schools-121681.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/The-Clampi-Banking-Trojan-Targets-U-S-Schools-121681.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>New York Times Website Hit by Malvertizement</title>
<link>http://news.softpedia.com/news/New-York-Times-Website-Hit-by-Malvertizement-121552.shtml</link>
<description><![CDATA[The media and advertising team of the New York Times website is currently trying to track down and remove a malicious advertisement promoting scareware. Users are advised to ignore any alerts that warn them of being infected with malware and offering an antivirus solution. Users started reporting anomalies when visiting the New York Times website since at least Sunday morning. People were apparently seeing a fake virus scan and then they were being redirected to a page offering a rogue antivirus product. Some have reported that the malvertizement completely locked their browser preventing them from the window. "Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser," a note posted on the New York Times website reads. According to Rick Ferguson, solutions architect at Trend Micro, the rogueware promoted by the malicious ad was the same one recently pushed through black hat search engine optimization (BHSEO) campaigns, such as the 9/11 one. "In this particular example, the malicious site and...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/New-York-Times-Website-Hit-by-Malvertizement-2.jpg" align="left" style="margin-right: 10px;" />The media and advertising team of the New York Times website is currently trying to track down and remove a malicious advertisement promoting scareware. Users are advised to ignore any alerts that warn them of being infected with malware and offering an antivirus solution.<br /><br />Users started reporting anomalies when visiting the New York Times website since at least Sunday morning. People were apparently seeing a fake virus scan and then they were being redirected to a page offering a rogue antivirus product. Some have reported that the malvertizement completely locked their browser preventing them from the window.<br /><br />"Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser," a note posted on the New York Times website reads.<br /><br />According to Rick Ferguson, solutions architect at Trend Micro, the rogueware promoted by the malicious ad was the same one recently pushed through black hat search engine optimization (BHSEO) campaigns, such as the 9/11 one. "In this particular example, the malicious site and... (<a href="http://news.softpedia.com/news/New-York-Times-Website-Hit-by-Malvertizement-121552.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 14 Sep 2009 08:49:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/New-York-Times-Website-Hit-by-Malvertizement-121552.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/New-York-Times-Website-Hit-by-Malvertizement-121552.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>RBS WorldPay Websites Riddled with Security Holes</title>
<link>http://news.softpedia.com/news/RBS-WorldPay-Websites-Riddled-With-Security-Holes-121513.shtml</link>
<description><![CDATA[RBS WorldPay is currently banging heads with a grey hat hacker over the seriousness of SQL injection vulnerabilities that he discovered on its websites. Meanwhile, another web developer exposed a cross-site scripting weakness in a site belonging to the company in order to prove that its efforts to mitigate XSS are not only inefficient, but also misguided. A prominent grey hat hacker calling himself Unu, who has made a habit of revealing SQL injection vulnerabilities in high profile websites since the beginning of this year, is contesting RBS WorldPay's assertion that a recent flaw he reported could not have been used to access sensitive information. On September 10, the Romanian hacker published an article on his blog accompanied by partially blotted screen shots, documenting a proof-of-concept SQL injection attack against a website belonging to RBS WorldPay. The hacker noted that he had full access to the database through the vulnerable website, but also remotely because a MySQL user was not password-protected and was not restricted to any specific host, which is a major security oversight. The company maintained that the database in question contained dummy data and was only used for a test site. Upset with this response, Unu dug further and revealed a new SQLi in a different website belongi...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/RBS-WorldPay-Websites-Riddled-With-Security-Holes-2.jpg" align="left" style="margin-right: 10px;" />RBS WorldPay is currently banging heads with a grey hat hacker over the seriousness of SQL injection vulnerabilities that he discovered on its websites. Meanwhile, another web developer exposed a cross-site scripting weakness in a site belonging to the company in order to prove that its efforts to mitigate XSS are not only inefficient, but also misguided.<br /><br />A prominent grey hat hacker calling himself Unu, who has made a habit of revealing SQL injection vulnerabilities in high profile websites since the beginning of this year, is contesting RBS WorldPay's assertion that a recent flaw he reported could not have been used to access sensitive information.<br /><br />On September 10, the Romanian hacker published an article on his blog accompanied by partially blotted screen shots, documenting a proof-of-concept SQL injection attack against a website belonging to RBS WorldPay. The hacker noted that he had full access to the database through the vulnerable website, but also remotely because a MySQL user was not password-protected and was not restricted to any specific host, which is a major security oversight.<br /><br />The company maintained that the database in question contained dummy data and was only used for a test site. Upset with this response, Unu dug further and revealed a new SQLi in a different website belongi... (<a href="http://news.softpedia.com/news/RBS-WorldPay-Websites-Riddled-With-Security-Holes-121513.shtml">read more</a>)]]></content:encoded>
<pubDate>Sat, 12 Sep 2009 08:26:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/RBS-WorldPay-Websites-Riddled-With-Security-Holes-121513.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/RBS-WorldPay-Websites-Riddled-With-Security-Holes-121513.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Commuters' Website Puts Military Personnel in Danger</title>
<link>http://news.softpedia.com/news/Commuters-Website-Puts-Military-Personnel-in-Danger-121426.shtml</link>
<description><![CDATA[RideMatch.info, a website used by several California-based companies and transportation boards to match commuters on similar routes, has been exposed by a security expert as being vulnerable to massive SQL injections that will result in the disclosure of user personal data, CyberInsecure reports. Among the companies that use this service there were some US military bases that could have all their personnel's commuting info exposed on the web. Actively engaged in several conflicts around the Globe, the US Military found itself in a sensitive situation if an abundance of accurate and detailed information regarding home addresses, pick-up times, pick-up locations, working hours, working addresses, financial information, employee ID and more could find their way on the web. It is not known whether the activity of these military bases was changed thanks to this possible leak, but for sure someone in the HQ is perspiring about the personnel's safety for the upcoming days. The website is currently under the supervision of five Southern California Transportation Boards (Los Angeles, San Bernardino, Riverside County, Orange County and Ventura County), which use it as a &ldquo;match-making&rdquo; service to maximize transportation vehicle usage in daily commutes. The person that cracked th...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Commuters-Website-Puts-Military-Personnel-in-Danger-2.jpg" align="left" style="margin-right: 10px;" />RideMatch.info, a website used by several California-based companies and transportation boards to match commuters on similar routes, has been exposed by a security expert as being vulnerable to massive SQL injections that will result in the disclosure of user personal data, CyberInsecure reports. Among the companies that use this service there were some US military bases that could have all their personnel's commuting info exposed on the web. <br /><br />Actively engaged in several conflicts around the Globe, the US Military found itself in a sensitive situation if an abundance of accurate and detailed information regarding home addresses, pick-up times, pick-up locations, working hours, working addresses, financial information, employee ID and more could find their way on the web.<br /><br />It is not known whether the activity of these military bases was changed thanks to this possible leak, but for sure someone in the HQ is perspiring about the personnel's safety for the upcoming days.<br /><br />The website is currently under the supervision of five Southern California Transportation Boards (Los Angeles, San Bernardino, Riverside County, Orange County and Ventura County), which use it as a &ldquo;match-making&rdquo; service to maximize transportation vehicle usage in daily commutes.<br /><br />The person that cracked th... (<a href="http://news.softpedia.com/news/Commuters-Website-Puts-Military-Personnel-in-Danger-121426.shtml">read more</a>)]]></content:encoded>
<pubDate>Fri, 11 Sep 2009 07:26:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Commuters-Website-Puts-Military-Personnel-in-Danger-121426.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Commuters-Website-Puts-Military-Personnel-in-Danger-121426.shtml#review_zone</comments>
<dc:creator>Softpedia News (Catalin Cimpanu)</dc:creator>
</item>
<item>
<title>Web Worm Targets Older WordPress Versions</title>
<link>http://news.softpedia.com/news/Web-Worm-Targets-Older-WordPress-Versions-121120.shtml</link>
<description><![CDATA[A Web worm that spreads by exploiting a vulnerability in older versions of WordPress has put the blogosphere in alert mode. Once it compromises a vulnerable installation, the worm begins to taint older blog entries with malicious links and, in some cases, it can even destroy data.  Reports of hacked, WordPress-powered blogs have been flowing in since late last week, and there seem to be some tell-tale signs of a possible compromise. According to Lorelee's blog about blogging, this worm modifies the structure of WordPress pretty permalinks to something like example.com/category/post-title/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/. "The keywords are 'eval' and 'base64_decode,'" she points out.  The vulnerability exploited by this worm allows it to create a secondary, hidden Administrator account. Therefore, seeing something like "Administrator (2)" in the user list is a good indication that something has gone terribly wrong. Other names that don't belong there can also point to a compromise.  "This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users' page, attempts to ...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/Web-Worm-Targets-Older-WordPress-Versions-2.jpg" align="left" style="margin-right: 10px;" />A Web worm that spreads by exploiting a vulnerability in older versions of WordPress has put the blogosphere in alert mode. Once it compromises a vulnerable installation, the worm begins to taint older blog entries with malicious links and, in some cases, it can even destroy data.<br /> <br /> Reports of hacked, WordPress-powered blogs have been flowing in since late last week, and there seem to be some tell-tale signs of a possible compromise. According to Lorelee's blog about blogging, this worm modifies the structure of WordPress pretty permalinks to something like example.com/category/post-title/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/. "The keywords are 'eval' and 'base64_decode,'" she points out.<br /> <br /> The vulnerability exploited by this worm allows it to create a secondary, hidden Administrator account. Therefore, seeing something like "Administrator (2)" in the user list is a good indication that something has gone terribly wrong. Other names that don't belong there can also point to a compromise.<br /> <br /> "This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users' page, attempts to ... (<a href="http://news.softpedia.com/news/Web-Worm-Targets-Older-WordPress-Versions-121120.shtml">read more</a>)]]></content:encoded>
<pubDate>Tue, 8 Sep 2009 08:56:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/Web-Worm-Targets-Older-WordPress-Versions-121120.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/Web-Worm-Targets-Older-WordPress-Versions-121120.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>Hacked: ING Belgium, Dexia and HSBC France Websites</title>
<link>http://news.softpedia.com/news/ING-Belgium-Dexia-and-HSBC-France-Websites-Hacked-120991.shtml</link>
<description><![CDATA[Websites belonging to several large European banks, such as ING, Dexia and HSBC, have been hacked through SQL injection. These proof-of-concept attacks reveal poor security practices on the part of institutions that people entrust with their life savings. The security issues have been discovered by Romanian self-confessed grey hat hacker "Unu," who has received a fair amount of media attention this year due to the high-profile nature of his targets. Some of his recent discoveries include SQL injection vulnerabilities in websites belonging to the UK Parliament, Yahoo!, The Telegraph or Orange France. The first reported vulnerability was discovered on the ING Belgium Giftshop website. A PHP script accepts unsanitized parameters, allowing unauthorized SQL queries to be executed in the database by manipulating the URL. The absolute path of the website's root directory is E:&#x5c;ING&#x5c;GOTO18&#x5c;ROOT&#x5c;HTML&#x5c;giftshop&#x5c;, suggesting the host computer is running a version of Microsoft Windows. According to the hacker, the passwords for all accounts on the website, including the administrative ones, are stored in plain text. Meanwhile, the personal information of registered users, such as full name and e-mail address, can be accessed. Unu also notes that it might be possible to upload a PHP...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/ING-Belgium-Dexia-and-HSBC-France-Websites-Hacked-2.jpg" align="left" style="margin-right: 10px;" />Websites belonging to several large European banks, such as ING, Dexia and HSBC, have been hacked through SQL injection. These proof-of-concept attacks reveal poor security practices on the part of institutions that people entrust with their life savings.<br /><br />The security issues have been discovered by Romanian self-confessed grey hat hacker "Unu," who has received a fair amount of media attention this year due to the high-profile nature of his targets. Some of his recent discoveries include SQL injection vulnerabilities in websites belonging to the UK Parliament, Yahoo!, The Telegraph or Orange France. <br /><br />The first reported vulnerability was discovered on the ING Belgium Giftshop website. A PHP script accepts unsanitized parameters, allowing unauthorized SQL queries to be executed in the database by manipulating the URL. The absolute path of the website's root directory is E:&#x5c;ING&#x5c;GOTO18&#x5c;ROOT&#x5c;HTML&#x5c;giftshop&#x5c;, suggesting the host computer is running a version of Microsoft Windows.<br /><br />According to the hacker, the passwords for all accounts on the website, including the administrative ones, are stored in plain text. Meanwhile, the personal information of registered users, such as full name and e-mail address, can be accessed. Unu also notes that it might be possible to upload a PHP... (<a href="http://news.softpedia.com/news/ING-Belgium-Dexia-and-HSBC-France-Websites-Hacked-120991.shtml">read more</a>)]]></content:encoded>
<pubDate>Sat, 5 Sep 2009 10:05:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/ING-Belgium-Dexia-and-HSBC-France-Websites-Hacked-120991.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/ING-Belgium-Dexia-and-HSBC-France-Websites-Hacked-120991.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
<item>
<title>UK Parliament Website Hacked</title>
<link>http://news.softpedia.com/news/UK-Parliament-Website-Hacked-120511.shtml</link>
<description><![CDATA[A hacker broke into the database of the UK Parliament website by exploiting an SQL injection vulnerability. The incident reveals very poor and questionable password security practices on the part of the website administration. The security hole on parliament.uk was discovered by a Romanian greyhat hacker going by the online handle of "Unu," who has made a habit of testing high profile websites for similar bugs. Unu's "hit list" so far includes the websites of large antivirus vendors Kaspersky, BitDefender, F-Secure, Symantec, renowned newspapers, such as The International Herald Tribune and The Telegraph or big ISPs, like British Telecom, Tiscali and Orange France or, more recently, Yahoo! Local. According to Unu, the vulnerability is located in a PHP script used on the lifepeeragesact.parliament.uk section, which fails to properly sanitize parameters being passed through. This allows a potential attacker to easily execute SQL queries directly in the database by manipulating the URL. The screen shots published by Unu reveal that the Web server is running on Debian 4.0 (Etch) Linux with a MySQL 5.0.32 database backend. The website's database is called parliament_live; fortunately, it cannot be accessed directly from a remote host. What is more disconcerting though is what a peek into the database table h...]]></description>
<content:encoded><![CDATA[<img src="http://news.softpedia.com/images/newsrsz/UK-Parliament-Website-Hacked-2.jpg" align="left" style="margin-right: 10px;" />A hacker broke into the database of the UK Parliament website by exploiting an SQL injection vulnerability. The incident reveals very poor and questionable password security practices on the part of the website administration.<br /><br />The security hole on parliament.uk was discovered by a Romanian greyhat hacker going by the online handle of "Unu," who has made a habit of testing high profile websites for similar bugs. Unu's "hit list" so far includes the websites of large antivirus vendors Kaspersky, BitDefender, F-Secure, Symantec, renowned newspapers, such as The International Herald Tribune and The Telegraph or big ISPs, like British Telecom, Tiscali and Orange France or, more recently, Yahoo! Local.<br /><br />According to Unu, the vulnerability is located in a PHP script used on the lifepeeragesact.parliament.uk section, which fails to properly sanitize parameters being passed through. This allows a potential attacker to easily execute SQL queries directly in the database by manipulating the URL.<br /><br />The screen shots published by Unu reveal that the Web server is running on Debian 4.0 (Etch) Linux with a MySQL 5.0.32 database backend. The website's database is called parliament_live; fortunately, it cannot be accessed directly from a remote host.<br /><br />What is more disconcerting though is what a peek into the database table h... (<a href="http://news.softpedia.com/news/UK-Parliament-Website-Hacked-120511.shtml">read more</a>)]]></content:encoded>
<pubDate>Mon, 31 Aug 2009 11:02:00 GMT</pubDate>
<source url="http://news.softpedia.com/newsRSS/Incidents-72.xml">Softpedia News - Incidents</source>
<guid isPermaLink="true">http://news.softpedia.com/news/UK-Parliament-Website-Hacked-120511.shtml</guid>
<category>Incidents</category>
<comments>http://news.softpedia.com/news/UK-Parliament-Website-Hacked-120511.shtml#review_zone</comments>
<dc:creator>Softpedia News (Lucian Constantin)</dc:creator>
</item>
</channel>
</rss>