Category: Computer Security

Posted on
by

I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:

Subject: Fraud Prevention Measures

Dear customer!

Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.

This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.

No HTML tricks. No links to fraudulent websites. Just a phone number.

I can only assume this is a response to high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.

And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.

Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?

Further reading: Anti-Phishing Working Group.

Posted on
by

Remember how LiveJournal, TypePad, and related sites were down the other day? The official line was that “Six Apart has been the victim of a sophisticated distributed denial of service attack.”

It turns out that the DDOS wasn’t aimed at 6A, LJ, or any other part of their network. It was aimed at Blue Security, an anti-spam company, who decided to re-route their web traffic to their blog—a blog hosted on TypePad. So instead of their own site going down, it took out Six Apart’s entire network of millions of bloggers.

Classy move, guys.

I do admire Six Apart’s restraint in not pointing fingers themselves. If it had been my site (though in a way, I suppose it was, since I’ve got an LJ blog, even if I don’t update it very often), I would have been royally pissed off.

Sure, Blue Security didn’t launch the attack—but they did choose where to redirect it. Maybe they thought Six Apart would be able to handle it. Maybe they thought the attackers were targeting them by IP and not domain name. Maybe they were panicked and didn’t think. Maybe they thought things through, but 6A got bitten by the now-all-too-familiar law of unintended consequences. They could easily have pointed their domain name at empty IP space, or to localhost. Redirecting it to a third party was less like deflecting a punch and more like the “Do it to Julia!” moment in 1984, or the classic joke, “I don’t have to outrun the bear, I only have to outrun you.”

(via Spamroll)

Update: Additional articles at Computer Business Review and at Netcraft, and a Slashdot story.

Update 2: According to Blue Security, the DDoS was not targeting their website by name, and the DDoS didn’t attack their blog until after they had already redirected the website. So it looks like it was less a case of them redirecting the attack and more a case of the attackers chasing them.

*Sigh* Must remember to collect all facts before engaging in righteous anger.

Update 3 (May 9): Apparently “all the facts” as reported by Blue Security don’t add up… (via Happy Software Prole)

Posted on
by

Last week I received a message offering a 30% discount on Norton Internet Security 2006. It claimed to be from Symantec, but the email address was at digitalriver.com, and all the links—including the ones that claimed to be at symantec.com—went to bluehornet.com.

Now 5 minutes of research turns up the facts that Symantec does work with Digital River and Digital River owns Blue Hornet. And it did go to the address I used to register Norton Antivirus last year. So it’s probably a legit offer.

But let’s think about this for a minute.

Assuming it’s legit, Symantec—a company that deals in internet security—is deliberately sending out offers via third-party domains, email and web servers. Depending on how security-conscious you are, they are either making their messages look suspicious or training users to ignore warning signs.

Or have you never seen spam offering enormous discounts on Norton products? Which generally turn out to be pirated. And I seem to recall—though I can’t find an article to back it up—that the bootleg copies are often infected themselves, or crippled in some way.

Given how many shady operators are out there, taking advantage of the big guys’ name recognition, you’d think the big guys would at least make some effort to make their own offerings look less, well, shady.

Posted on
by

The BBC has posted an interesting article on the US Military’s plans for Internet operations. But that’s not what I want to write about here. What I want to write about is this accompanying photo of Secretary of Defense Donald Rumsfeld:

AFP photo of Donald Rumsfeld holding his hands out.

The article mentions that messages put out for psychological operations in foreign markets are making their way back to American audiences. I’m not sure this photo qualifies as PsyOps, but I think it does qualify for a caption contest.*

Please post your suggestions in the comments.

(via Slashdot)

*OK, you won’t win anything, but with luck the other entries will make you laugh.

Posted on
by

Remember when the web was young, and email was just gaining popularity in the mainstream, and there was a slew of virus hoaxes like the Good Times Virus, or It Takes Guts to Say Jesus, or Elf Bowling?

Remember painstakingly explaining to people that no, your computer couldn’t get a virus just by reading an email, you had to click on an attachment? That images were safe to open? Remember when the worst people had to worry about from web pages was unwanted cookies? Getting a virus just from looking at a web page? Preposterous! And a virus that ran up your credit card? Ridiculous!

It’s sad to think that all those “ridiculous” things are now possible—in fact, they’re commonplace. Look back at that link up there. It’s Snopes’ page on computer virus warnings. Way back when, they were all bogus. These days, most of them are real.

So what’s next? Well, they keep talking about Internet-aware appliances, so a future virus probably could “recalibrate your refrigerator’s coolness setting so all your ice cream goes melty.”

Posted on
by

Worms of the future: someone on MySpace *ptui!* came up with an actual JavaScript worm using cross-site scripting exploits and XMLHTTPRequest. In 24 hours, the worm had forced 1 million users to add him to their friends lists.

Personally, MySpace bugs the heck out of me because it seems to have a culture that encourages embedding images from other sites. 18% of hits to hyperborea.org from other websites are from myspace. Admittedly that’s inflated by the fact that attempts to embed images from my Flash site redirect to the actual articles, so it’s probably more like 10%, but it’s still insane. Earlier this week I started blocking hits from MySpace to images posted on this blog, and I plan to do the same with the Flash images over the weekend. You like my photos? Great, link to my actual site! You like the scan I have of some movie logo? Great, copy it and upload it to your own site!

(via Slashdot)

Posted on
by

If you’ve been paying attention to computer security, you already know that spam, viruses, and organized crime have been in bed together for at least a year. The recently-discovered theft of 40 million credit card numbers [edit: originally linked to Yahoo News] illustrates this point clearly:

CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, [MasterCard spokeswoman] Gamsin said. She said she did not know how the script got into the system. The FBI was investigating. (emphasis added)

Given the current porous state of many networks and operating systems, and the general public’s attitude that catching a computer virus is as inevitable as catching a cold, I’d guess it got into the system the same way most spyware does. An email attachment squeaked by the filters. Someone installed a tool that claimed it would make their web access faster. Someone got a well-designed phish, followed the link, and got infected by a backdoor because their browser was behind on security patches. Someone brought a laptop home, plugged it into their insecure home network, and brought back a virus.

Sadly, I expect we’ll be seeing a lot more of this.

Update June 20: Netcraft is reporting that it was indeed lax computer security that did them in:

MasterCard International said it “worked with CardSystems to remediate the security vulnerabilities in the processor’s systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.” Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems’ security. (emphasis added)

Netcraft seems to think it was likely their website, which runs on Windows 2000 and IIS 5, and they go on to promote their own security consulting services. So it’s not entirely an unbiased look at the incident.