Wednesday, May 2, 2012

Zeus Variant Targets Cloud-Based Payroll Service

With critical business services migrating to the cloud, service providers have become a prime target for cybercriminals. In the latest example of financial malware targeting enterprises, we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals and to bypass the industrial-strength security controls maintained by larger businesses.

[Image: Ceridian image-based authentication example]

The researchers have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payroll services web page (https://clients.powerpay.ca/powerpay/Logon*) when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user ID, password, company number and the icon selected by the user for the image-based authentication system.
The financial losses associated with this type of attack can be significant. In August of last year, cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports, an employee at MECA was victimized by a phishing e-mail and infected with malware that stole access credentials to the organization's payroll system. With valid credentials, the cyberthieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA's bank account, which they sent on to the fraudsters.

We expect to see increased cybercriminal activity using this type of fraud scheme for the following reasons:

1) Targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual consumers.

2) By stealing the login credentials belonging to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules before raising any red flags. Using these valid credentials, fraudsters can also access personal, corporate and financial data without the need to hack into systems, while leaving very little evidence that malicious access is occurring.

3) By targeting a cloud service provider, the criminals are bypassing the tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor's IT systems and thus little ability to protect their backend financial assets.

4) Cloud services can be accessed from unmanaged devices, which are typically less secure and more vulnerable to infection by financial malware (e.g. Zeus).

Malware Attack Steals Cloud Applications Credentials

Unfortunately, traditional antivirus security mechanisms are largely unable to protect corporate users from becoming infected with Zeus. That's because attacks like this one are surgical in nature and use targeted reconnaissance combined with signature-detection evasion techniques to get a foothold inside corporate computers.

A better alternative for protecting sensitive cloud payroll, treasury and other financial applications is to prevent malware from getting onto the endpoint in the first place. This requires a layered approach to security that looks for specific Crime Logic footprints, not signatures, to prevent malware on an infected machine from stealing login credentials.

For example, prevent malware from installing on a machine, and secure communication between the computer and the cloud service provider's website to stop common attack methods like HTML injection, keylogging and screen capturing from grabbing data. Protect other web-based applications like VPNs, CRM and collaboration systems that malware can exploit to steal user credentials and breach an enterprise's security perimeter completely undetected.

Shocking Statistics From The Latest Internet Threat Report

Anti-malware company Symantec released its threat report for 2011 on Monday. The statistics are as follows:

A. Religious and ideological sites carry triple the average number of threats per infected site that pornographic Web sites do.

B. Top 10 categories of most infected Web sites:
1. Blogs
2. Web communications
3. Religious websites
4. Personally hosted sites
5. Business sites
6. Shopping education
7. Automotive-themed sites
8. Health and medicine sites
9. Porn sites

C. Three quarters (3/4) of spam messages were pharma-themed; one quarter (1/4) were sex and dating-themed.

D. Spam volumes dropped by around 20 billion messages year over year, to an average of 75% of all e-mail last year, compared with 88.5% in 2010.

E. The U.S. was the top source of every category of malicious activity.

F. India leads in the creation of malware and the use of spam zombies. (I am proud of it.) ;-)

G. Around 13% of bot activity originated in the U.S., as did around 34% of Web-based attacks. Close to half of all phishing Web sites were based in the U.S.

H. China saw a steep drop in malicious activity, by about 10%.

I. Reports of vulnerabilities in industrial control and SCADA systems rose from 15 in 2010 to 129 in 2011.

Skype IP address Vulnerability may not be so new

Skype is warning users following the launch of a site devoted to harvesting user IP addresses. The Skype IP-Finder site allowed third parties to see a user's last known IP address by simply typing in a user name.
A script has been uploaded to GitHub that offers these options. According to the page, it can be used to look up the IP addresses of online Skype accounts and return both the remote and the local IP of that account on a website.

The script is available. You need only enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user's remote IP and port, as well as the local IP and port.

Adrian Asher, director of product security at Skype, said: "We are investigating reports of a new tool that captures a Skype user's last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them." The proof of concept is fairly simple. All an attacker needs to do is download a special Skype variant and alter a few registry keys to enable debug-log file creation. When adding a Skype contact, before sending the actual request, the victim's information card can be viewed. At this point, the log file records the user's IP address.

The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online. Services like Whois will then give further details on the city, country, internet provider and/or the internal IP address of the target.

This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin.

There is currently no way of protecting yourself against the lookup of your IP address, other than not logging in to Skype when the software is not needed. The only other option is the use of a virtual private network or proxy to hide the IP address from users who look it up.

Is $10,000 per day from Google Ads less for the Flashback malware Creator?

In a recent analysis of the business model behind the Flashback Trojan, Symantec security researchers reported that the main objective of the malware is revenue generation through an ad-clicking component. Security researchers at Symantec estimate that the cyber-criminals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day.

Dr. Web, the Russian security firm that discovered the massive Flashback botnet last month, has provided new data on the number of Macs still infected with the software. The results show that while close to 460,000 machines remain infected, the botnet is shrinking at a rate of close to a hundred thousand machines a week as Mac users get around to downloading Apple's tool for disinfecting their machines or installing antivirus.

When an infected user conducts a Google search, Google returns its normal search results. Flashback waits for the user to click on an ad, and once this happens the user is silently directed to another, irrelevant ad that generates revenue for the attackers. As a result, Google doesn't know someone has clicked on its client's ad, and the client never knows its ad wasn't delivered. Ultimately, Google's advertising clients are paying for Flashback's attackers to host ads on Google.

Story posted on Symantec's blog:

The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari, where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click. (Google never receives the intended ad click.)

The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to a malicious server.

Hackers tricked Mac users into downloading the virus by disguising it as an update to Adobe Flash video viewing software.

New zero day exploit in Oracle Database

Oracle has recommended workarounds for a zero-day Oracle Database flaw that was not fixed in the company's April critical patch update. Oracle issued a security alert for the vulnerability, dubbed Oracle TNS Poison, which was disclosed by researcher Joxean Koret after he mistakenly thought it had been fixed by Oracle. It allows an attacker to hijack the information exchanged between clients and databases.

Koret originally reported the vulnerability to Oracle in 2008 (four years ago!) and said he was surprised to see it had been fixed in Oracle's most recent Critical Patch Update without any acknowledgment of his work.

"This vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database," the company warned.

"This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as 'TNS Listener Poison Attack' affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have the recommended solution applied," Oracle wrote.

A TNS Listener feature known as remote registration dates back to at least 1999 and version 8i of the Oracle Database. By sending a simple query to the service, an attacker can hijack connections that legitimate users have already established with the database, without needing a password or other authentication. From then on, data traveling between legitimate users and the server passes through the connection set up by the attacker.

Oracle has since released a critical update for its 10g and 11g database products fixing this vulnerability.
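Because the flaw lives in the listener's remote registration feature, the practical defence while patching is to restrict who may register with the listener. As an added example (not code from this page or from Oracle), the script below audits a listener.ora for the two parameters Oracle documents for that purpose, VALID_NODE_CHECKING_REGISTRATION_<listener> and SECURE_REGISTER_<listener>; the listener.ora text it checks is constructed.

```python
"""Audit a listener.ora for the parameters that restrict TNS instance registration.

Added example (not from this page or Oracle). Parameters checked, as Oracle
documents them: VALID_NODE_CHECKING_REGISTRATION_<listener>, SECURE_REGISTER_<listener>.
"""
import re

# Constructed sample: LISTENER accepts registration from anywhere over TCP,
# LISTENER_SECURE only accepts it from allowed nodes and over IPC.
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example)(PORT = 1521))))

LISTENER_SECURE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example)(PORT = 1522))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522))))
VALID_NODE_CHECKING_REGISTRATION_LISTENER_SECURE = ON
SECURE_REGISTER_LISTENER_SECURE = (IPC)
"""

# A listener definition is a name followed by '=' and a DESCRIPTION block.
LISTENER_DEF = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*\(DESCRIPTION", re.M)


def find_param(text, key):
    """Return the value of a top-level 'KEY = value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+?)\s*$", text, re.M | re.I)
    return m.group(1) if m else None


def cost_blocks_plain_tcp(value):
    """True if the SECURE_REGISTER protocol list leaves out plain TCP."""
    protos = [p.strip().upper() for p in value.strip("() ").split(",") if p.strip()]
    return bool(protos) and "TCP" not in protos


def audit(text):
    """Map each listener name to True when remote registration is restricted."""
    result = {}
    for name in LISTENER_DEF.findall(text):
        vncr = find_param(text, f"VALID_NODE_CHECKING_REGISTRATION_{name}")
        cost = find_param(text, f"SECURE_REGISTER_{name}")
        vncr_ok = vncr is not None and vncr.upper() in ("ON", "1", "LOCAL", "SUBNET", "2")
        cost_ok = cost is not None and cost_blocks_plain_tcp(cost)
        result[name] = vncr_ok or cost_ok
    return result
```

Run `audit(open("listener.ora").read())` against a real file; any listener mapped to False still accepts registration from any network node.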