To quote Senior Threat Researcher Christopher Boyd: “While cybercriminals are not picky about their choice of victims, their choice of tactics is anything but haphazard.”

You can read more about the January VIPRE Report, Cybercriminals Cast a Wide Net in January, Targeting a Broad Range of Victims, here.

Jovi Umawing

This popular:

Click to Enlarge

20,000+ views so far.

The program promises all sorts of Xbox freebies – 1 month of Xbox Live, 12 months if you’re feeling particularly greedy and 1600 to 4000 free Microsoft points. Of course, everything goes without a hitch in the Youtube video: we see the program boot up, the user selects his target – 1600 MS points – and hits the “Generate Code” button. After a short while, we see a “Hooray, it worked” type message and the person in the video is presented with a code.

Click to Enlarge

They then cut and paste it into the Microsoft “Redeem points code” website and are given 1600 free Microsoft points because this program is a miracle of coding.

Click to Enlarge

However.

I’m rather suspicious where programs such as these are concerned, and maybe – just maybe – somebody decided to make a fake Xbox code generator, bought a 1600 Microsoft points code legitimately and redeemed it for their “It works, honest” Youtube video on the basis that they knew they’d nab a whole bunch of people jumping through monetised hoops to claw their money back.

I know, I know. It’s a long shot, but stay with me on this one.

Once the user downloads the file, this is what greets them in the zip:

The program requires the latest version of .Net to be installed, so once the user downloads that and fires up the generator this is what they’ll see:

The program has become “severely overused”, so now you need a password to “stop the leechers”. And how do we do that?

Click to Enlarge

Well, there’s a surprise – a survey (note that the Youtube video promises “no surveys” in the title). We’ll ignore the fact that the top entry asks “Are you dumb? Find out now” and go take a look at the code while pretending we nabbed the password and continued to the next step.

Click to Enlarge

“Error, retrying. The packaged file seems to be corrupted or cannot load. Redownload the database? (This will fix the error)” There’s a link. I wonder what it does?

Click to Enlarge

Oh. Right. Another survey. Does the creator of this program expect you to fill in a survey / sign up to a ringtone service not once but twice? Absolutely.

Is it worth downloading this program, filling in some of those offers and trying it out?

Absolutely not.

Christopher Boyd

click to enlarge

Email details are as follows:

Subject: Please verify your tax information ASAP.
Message body:
Good afternoon,

With a view to agree that exact data is being kept up on our systems, as well as to be able to give you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or TIN, that is specified on your account does not correspond to the data on file with the Social Security Administration.

In order to verify the information of your account, please enter the secure section.

Regards,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Clicking the link leads readers to download a Blackhole exploit.

Our friends at Sophos found a variant of this phishing email.

This is not the first time that online criminals have taken advantage of the U.S. tax season. In light of phishers banking on brands as a part of their social engineering ploy, legitimate companies such as Intuit Inc. does not normally send out emails of this nature. In fact, Intuit Inc. have made it a point to make clear to their clients what they will do and what they will not do in the context of sending out emails. Intuit clients are wise to take note of this point under the “What we’ll do” section: If we need you to update your account information, we will request that you do so by logging into your account.

It is important that you, dear Reader, are familiar with how your service providers conduct their services and how they respond to online threats that target them. Equally, these providers must be responsible in informing you of the latest threats affecting you and their brand and provide ways on how you can protect yourselves from such threats.

Jovi Umawing (Thanks, Robert)

We’ve compiled this list to share with you, so that you too can benefit from all the wisdom and sage advice you can find on these blogs. From best practices to how-to articles, to coverage on the security news that matters most, these 15 blogs are the go-to source for security information.

1. Network Security Blog – Martin McKeay has been blogging his views on security, privacy and anything else that catches his attention since August, 2003. His blog includes topics such as security in the cloud, firewall, hacking, malware, social networking, privacy, risk, testing and several other interesting security related posts.

2. TaoSecurity – Chief Security Officer for Mandiant, Richard Bejtlich, shares his knowledge and covers digital security and the practices of network security monitoring, intrusion detection, and incident response in his blog.

3. KrebsonSecurity – Brian Krebs came onto the security scene in 2001 after being hacked himself. Taking a very intense and personal interest in security, he’s become one of the most well-known names in information security, covering topics including the latest threats, security updates, data breaches, and cyber justice.

4. Andrew Hay – Andrew Hay is a Senior Security Analyst at 451 Research, and serves on the GIAC Advisory Board. A CISSP with four SANS certifications and a veritable alphabet of other security certifications to his name, his blog covers log management, compliance, firewalls, and more.

5. Amrit Williams Blog – This CTO of Quantivo by way of BigFix and IBM covers security topics including cloud computing, cybercrime, virtualization, and more. Williams’s writing is as entertaining as it is informative.

6. W. Mark Brooks –   A Principal Advisor for Security and Compliance at EMC, Brooks’ blog focuses on compliance and ethics, information security strategies, intellectual property, process and more.

7. The AShimmy Blog – Alan Shimmy is the founder and managing partner of The CISO Group, and frequently speaks at government conferences. His podcasts include some of the industry’s best and brightest, and his blog covers a broader range of security topics than practically any other blog on this list. Reading Shimmy is like having a conversation with a wise friend who has written hundreds of posts full of knowledge.

8. IT Security Expert – Dave Whitelegg’s blog focuses on spam, botnets, identity theft and more, targeting the home user and the SMB market. His posts are easy to read and are the sort you can send to your friends when they want to read something targeted to a less technical audience.

9. Jon’s Network – Jon’s Network says it targets IT directors and network administrators, but its appeal is much broader with that. It’s a great place to pick up quick tips on a wide variety of security topics, and to get pointers to other great reads you might otherwise miss.

10. The New School of Information Security – Inspired by the security book that carries the same name, this blog keeps true to the spirit of the book and includes regular posts from several contributing authors. Together they focus on cloud security, data breaches, risk management, and other related topics.

11. Schneier on Security – Bruce Schneier is probably the most widely recognized name on this list, and for good reason. Blogging since 2004, Schneier has made a name for himself in the information security field, and he’s not afraid to share his opinions, no matter how controversial they may seem. You’ll come for the op eds, but you’ll subscribe for the entertaining and enlightening content.

12. Troy Hunt’s Blog – Hunt is a software architect, and his coverage of security issues related to software, databases, and coding shows it. His passion for security is probably one of the reasons he was awarded MVP status by Microsoft, and his writing is as entertaining as it is informative.

13. Kevin Townsend – Townsend’s byline is “Security centric issues, news and rants – and other things” and that sums up his blog better than most bylines we’ve seen. The rants are fun, the issues are informative, and the news summaries are another great way to catch things you might otherwise have missed.

14. Lenny Zeltser on Information Security – A SANS Institute instructor and senior faculty member, and Director at NCR Corporation, Zeltser’s blog focuses on malware and its involvement in breaches worldwide. One of his best recurring posts is his weekly summary of the best security reads of the week.

15. Dan Kaminsky’s Blog – You probably know Kaminsky from his work with securing DNS. His blog frequently gets far deeper into the technical weeds than most, but his ability to explain things clearly is a gift he shares generously, and his coverage of vulnerabilities in all aspects of networking helps you really understand the issues and implications.

So there you have it – 15 of the best security blogs on the web. Pay them all a visit, add them to your RSS feeds, and watch as your security IQ goes up by several points a week. And once you’re at it, you can also look for the latest news on online threats, social engineering ploys, and noteworthy scams on our GFI Labs.

But before you click away to do some heavy security reading, leave a comment and share your favorite security blogs so that we can add them to the list!

click to enlarge

The message goes: PLEASE READ CAREFULLY

This message is for every Girl Who Goes to college or office alone. If u find any child carrying on road showing his/her address n asking u to take him/her to that address,take that child to police station n plz don’t take it to that address . IT IS A NEW WAY GANGS TO STEAL, RAPE, and KIDNAP GIRLS . plz circulate to all .don’t feel shy to copy This as ur status .

OUR ONE MESSAGE MAY SAVE A GIRL

This Facebook wall post has been live in public since Q4 of last year, so before it picks up steam and encourage more sharing within the platform, please do realize, dear Reader, that this is a hoax—all fake, from the image to the story behind this message.

Variations of this hoax have been circulating the Internet for years. Would you believe that the lure tactic—about children being used to lead women to their prey—might have stemed from an urban legend set in World War II decades ago?

Helping people on Facebook by sharing things that you deem important is a good cause; however, spreading hoaxes such as this one can only lead people to needless worrying and panic. That said, I implore you not to share this further, within Facebook and outside it. Before you click “Share”, research.

Also, please do not be alarmed (much less believe) if you see something like this on the Internet:

click to enlarge

Jovi Umawing (Hat tip: Facecrooks.com)

“The resurrection highlights the difficulty of permanently severing botnets from the Internet.” writes Dan Goodin of Ars Technica. “Because Kelihos used peer-to-peer technology, it was disrupted—or “sinkholed,” in takedown parlance—by seeding the network with machines that caused their peers to take orders from benign channels under the control of white hats. The takedown process never actually removed the underlying malware from infected machines, making it possible for the attackers to one day regain control of them.”

You can read more about it here. Take note of the Update section at the end of the article.

Related article:

• The Microsoft-Kelihos Tango Continues

Update (02/07/2012): After reports of Kelihos being “alive and well again” went at large, Microsoft wrote a blog to clarify the matter. They have now observed that a new malware variant of the Kelihos bot is being distributed to create a new botnet. Continuous observations on Kelihos-infected machines and analysis of samples of this new bot have determined that the original Kelihos botnet is not being reused by their herders.

Jovi Umawing

Click to Enlarge

It’s a typical “Get free Steam games by giving us your login” site, distracting users by asking them to select the games they think they’re going to receive for free. It also goes one step further by claiming that 490, 682, 111 people “Already get gift”. If visitors to the website have Steam Guard enabled, they advise those users to “just turn off Steam Guard” which is up there with the author of some Malware advising somebody to turn off their security tools before running fakefile.exe.

Never turn off Steam Guard. If someone manages to grab your Steam login credentials, they’ll still need to access your email to input the one time use code into the Steam application to steal your account. Steam Guard is such a big deal where protecting accounts is concerned that in a recent Christmas competition one of the reward objectives was enabling Steam Guard protection.

Anyway, this is supposed to be the funny part. You know how sometimes a scam website will try to convince you that what they’re offering up is the real deal? Well, this is what passes for the truth, the whole truth and nothing but the truth in fake free games land:

Amazing. I smell a meme in the making…

Christopher Boyd

The average IT admin needs to be concerned about a wide range of security threats, such as the prospect of a security breach and denial of service (DOS) attacks. In this post we shall look at five steps admins need to take to protect their Exchange Server deployments from security attacks.

1. Be persistent about security updates

Ensuring that important patches and security updates are applied in a timely fashion is a must when it comes to protecting an Exchange Server from security breaches.  On the downside, if done manually, the installation of a security update can be a time-consuming affair for larger deployments due to the need to take systems offline. David Kelleher touches on this in his post where he suggests the best practices for running server patch management.

On the other hand, the judicious use of virtualization can minimize downtime by allowing administrators to easily test new updates before an actual rollout.  And assuming that mailbox databases are stored on a SAN, the option exists to perform a rollback should catastrophic problems surface at a later stage. Of course, other benefits such as higher scalability and rapid disaster recovery apply.  Indeed, virtualization vendor VMware has put together some nice pages on using Exchange Server with virtualization.

2. Maintain separation using firewall

The creation of server roles in Exchange Server has served to greatly alleviate the challenges of protecting a general purpose email server against external attacks.  Regardless, it would be foolhardy not to place an Edge Transport Server behind properly configured firewalls, preferably within a DMZ.

The concept is simple: to reduce the attack profile by allowing only essential services to be exposed to the Internet.  This is the same philosophy that Microsoft applied to its upcoming Windows Server 8 operating system where the software vendor removed the GUI from the basic base Server Core installation so as to reduce security risks to an absolute minimum.

And while we’re on the topic of narrowing the attack profile of an Exchange Server, it makes sense to tweak things on the network front such as the disabling of HTTP (allowing only HTTPS), as well as ensuring that default digital certificates are not used on Internet-facing server roles.

3. Protecting against DoS attacks

The hard truth is that there is really no easy way to defend against DOS attacks without huge investments to acquire the requisite expertise and to bolster one’s underlying infrastructure capabilities. For most companies faced with a determined and competent attacker, the only viable solution would be to seek the assistance of a DDoS mitigation vendor.

Fortunately, there are a number of tricks that an administrator can employ to foil the occasional troublemakers.  On an Exchange 2010 Transport Server, for example, the Set-TransportServer cmdlet can be used to modify the default control message processing rates, SMTP connection rates and SMTP session time-out values. Moreover, the Set-ReceiveConnector cmdlet can be used to configure inactivity timeouts, maximum number of connections and allowable SMTP protocol connection errors.

Finally, the Set-POPSettings and Set-IMAPSettings cmdlets can be used to configure parameters related to POP and IMAP.  The last two are particularly useful for organizations that don’t implement VPN security but allow users to download their emails from external networks. Ram Mohan’s post on how to defend against DDoS attacks touches on generic techniques further.

4. Have external parties conduct penetration tests

The simplest way to know what hackers are thinking would be to hire someone who can reason in the same way and then task them with finding ways to break into your system.  It is an acceptable practice these days to hire penetration testing engineers, also known as ‘white hats’, to find weak spots in a company’s IT setup.

5. Protecting against zero-day vulnerabilities

By definition, zero-day vulnerabilities are not detectable with current antimalware defenses. It is therefore unfortunate that an increasing number of attacks have been shown to utilize novel exploits.  One possible way of defending against zero-day vulnerabilities would be to install antimalware defenses known as whitelisting software. While nothing is absolute, the use of whitelisting software should offer a level of additional protection against the execution of ‘helper’ software such as RAT (Remote Administration Tool) commonly installed to facilitate hackers’ entry into a compromised server.

Following these five steps may not guarantee ultimate protection, but it will definitely mean you are making the best out of the technologies and methods available to protect your Exchange Server.

Click to Enlarge

The Tumblr user is promised “2 free Southwest tickets” via a fake “Tumblr Staff Blog”, and everyone affected has this written underneath the image file:

“Just printed out my tickets to California!! WoooHoo!!! heres the link!!!”

The link in question will take you to various offers depending on which region the end-user is located in, but this would be the ideal match:

Click to Enlarge

 As before, the end-user is required to fill in “two reward offers from each of the silver and gold page options and nine reward offers from the platinum reward page and refer three friends to do the same”.

Good luck with that.

Tumblr users should avoid any and all instances where an “Adult Verification” popup asks for login credentials, and removing popups from their own compromised Tumblrs can be done by following these simple steps.

Christopher Boyd

]]> http://www.gfi.com/blog/tumblr-staff-blog-fakeouts-continue/feed/ 0 http://www.gfi.com/blog/2012-the-end-of-the-world-as-we-know-it/?utm_source=rss&utm_medium=rss&utm_campaign=2012-the-end-of-the-world-as-we-know-it http://www.gfi.com/blog/2012-the-end-of-the-world-as-we-know-it/#comments Fri, 27 Jan 2012 15:00:15 +0000 David Attard http://www.gfi.com/blog/?p=8031 December 12, 2012 – the day that’s fated to be the ‘end of the world’. Humbug? Whatever your opinion on the Mayan prophecies, there are more important causes for concern this year that should get you brooding – particularly in the world of cybercrime.

So let’s take a look at a few predictions which are more likely to hit the mark:

1. Social Networks

Social networks are malware creators’ field of opportunity. Why? Think about it, social media users share information (sometimes too personal) with their ‘friends’ and click on their friend’s posts and links without the slightest suspicion that that link might be malicious. They don’t see the link; they see who posted it and associate it with him/her – a friend they trust. This is just what hackers want – victims delivered on a silver platter. There are various methods of stealing social networking logins, gain access and then use these trusted profiles to send spam email and share other malicious content. We’ve already seen this happen in 2011 with the Ramnit virus which was used to steal 45,000 passwords, and it will surely be used more often. Social network details will be sold in the online blackmarket, and will become a much sought after resource leading to more and more attacks.

On the same lines, celebrity Twitter accounts will also become lucrative targets. With millions of followers, a compromised account could result in millions of victims in a few hours. Lady Gaga was the notorious target in 2011. Who will it be in 2012?

2. Social Engineering

Highly targeted social engineering will remain hackers’ top method of attack. Malware creators will design new and highly targeted techniques which will win them their victims’ trust and guide them into giving the information they’re after. We can expect variants of existing techniques to flourish as well.

3. Mobile Malware

What about your mobile device? With so many smart phones around (especially in the business sphere – where people are using these phones to check their work mail even when outside the office), this is a brilliant opportunity for malicious individuals to get information from their victims. And to add insult to injury, few mobile users are aware of the threats. They tend to install any app without reviewing permissions or the small print (or lack of it), making it so easy for rogue apps to make it onto their device. There’s definitely going to be more news of adware, spyware and other malware targeting mobile devices this year!

4. Topical News

And once we’re at it, the end of the world predictions (and with it, the Mayan calendar), the London Olympics, the elections in the US, and any other major events will definitely be used to spread more malicious attacks.

How can you prevent these threats from turning 2012 into a year that will mark the end of the world for your business?

The first and most important step is to educate your employees. You can invest in the best security software and control most of what goes on in your infrastructure, but what about what happens outside work? Who is going to stop an employee from giving out confidential information to malicious sites whilst working from home? Your employees need to understand the danger and they need to know how to distinguish phishing and malicious mail from genuine email, malicious URLs and downloads from the real thing and so on.

One way to educate employees is for the IT department and Human Resources to work together to create an acceptable usage policy which employees can refer to. Not only will this document clearly state what is acceptable or not, but it will help employees to understand what threats exist and how their actions can cause problems for the company and for themselves.

The next step: do not believe that every employee is going to follow policy to the letter or do everything right. You need to complement education with an investment in the right security tools. Even the most cautious of employees can be misled by websites that appear to be genuine. Protect your corporate network by investing in good web monitoring, web filtering and web security solutions; suggest to your employees to invest in a good anti-virus solution for their phones; and if those phones are sanctioned by the company, make sure you have the tools in place to implement security and protect the network. Also invest in a comprehensive email security solution.

Are you seeing any other forms of cybercrime making the headlines this year? Leave us a comment and let us know!