Nearly 2,500 Companies Hacked in Ongoing Cyberattack

Written by Sue Walsh on March 1, 2010

A widespread cyber attack that started 18 months ago has affected nearly 2,500 businesses and government agencies. Led by a Zeus variant, it infiltrates corporate and government networks and steals passwords, logon credentials, banking information and other confidential data.

The Zeus botnet has over 74,000 infected PCs under its control and is using them to carry out the attack. Ten federal agencies are among the victims, and there is no telling just how much sensitive data the hackers have stolen. Security firm NetWitness did manage to intercept 75GB of stolen data, but there is likely much more out there.

“The botnet is still active and still actively being managed by the organized criminal activity behind it,” NetWitness CTO Tim Belcher told The Register. “Over the last month, we’ve seen it retask its (victim) members half a dozen times looking for different types of information.”

In a surprising twist, the firm discovered that the affected PCs were also infected with Waledac. This could mean there are two cybergangs working together, or merely that a solitary gang is using more than one strain of malware to avoid detection.

Among the organizations attacked are Merck, Paramount Pictures, and Cardinal Health. All in all, organizations in 196 countries around the world have been attacked. Rumors are swirling that even the Pentagon was hit, but it is declining to confirm any such breach.

Email Marketing Services Targeted by Hackers

Written by Paul Cunningham on February 11, 2010

There have recently been two publicized, high-profile attacks on email marketing services. The two services are Aweber and iContact, each confirming the attacks within about a month of each other.

These companies, and many others like them, provide email marketing services to websites and other online businesses. Email marketing, when done properly, is a legitimate practice and is not spam, although some people do not make the distinction between the two.

A legitimate email marketing service will require a subscriber to deliberately opt in to a list, usually by sending them a confirmation email before they are added to a marketer’s email list. This stops spammers from simply harvesting email addresses, importing them into one of these services, and starting to spam them.

This opt-in requirement, plus other measures, ensures a high deliverability rate for the customers of the email marketing service, because antispam systems on the receiving end can have a high level of confidence that the marketing messages are opt-in and not spam.
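As an added illustration of the confirm-before-subscribe gate described above (not code from the post or from either service), here is a minimal double opt-in flow in Python: the confirmation token is an HMAC over the list id, the address and the issue time, and nothing reaches the subscriber list until the token mailed to that address is presented, so a harvested address can be imported but never confirmed. The secret, list ids and addresses are constructed for the demo.

```python
import base64, hashlib, hmac

# Constructed demo secret; a real service loads this from protected configuration.
SECRET = b"demo-secret-not-for-production"
TOKEN_TTL = 24 * 3600  # confirmation links stop working after one day

def make_token(list_id: str, address: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Token bound to one list, one (lower-cased) address and an issue time, sealed with an HMAC."""
    payload = f"{list_id}|{address.lower()}|{issued_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()

def parse_token(token: str, now: int, secret: bytes = SECRET):
    """Return (list_id, address) for a genuine, unexpired token, else None."""
    try:
        payload, mac = base64.urlsafe_b64decode(token.encode()).decode().rsplit("|", 1)
        list_id, address, issued_at = payload.split("|")
        issued_at = int(issued_at)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare defeats forged tokens
        return None
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return None
    return list_id, address

class MailingList:
    """Addresses are only added to `subscribers` after the token emailed to them comes back."""
    def __init__(self, list_id: str):
        self.list_id = list_id
        self.pending = {}        # address -> outstanding token
        self.subscribers = set()
    def request_subscription(self, address: str, now: int) -> str:
        """Step 1: record the request and produce the token that goes into the confirmation email."""
        token = make_token(self.list_id, address, now)
        self.pending[address.lower()] = token
        return token
    def confirm(self, token: str, now: int) -> bool:
        """Step 2: only the mailbox owner sees this token; replays and cross-list tokens fail."""
        parsed = parse_token(token, now)
        if parsed is None or parsed[0] != self.list_id:
            return False
        address = parsed[1]
        if self.pending.pop(address, None) != token:
            return False
        self.subscribers.add(address)
        return True
```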

Among the more paranoid web users there is a tendency to use a unique email address for each mailing list they sign up to. So if they were to sign up to ABC Corp’s mailing list, they would use paul_abc@somewhere.com, and for XYZ Pty Ltd they would use paul_xyz@somewhere.com.

This might seem like a lot of hassle, generating a unique email address for every list you subscribe to, but when the attacks on these companies occurred it was these people who noticed the problem first. Suddenly their secret, unique addresses began receiving pharmaceutical spam. The average person who uses one single email address probably would not have noticed this additional spam.

Initial reports were sketchy, but eventually Aweber, and later iContact, determined that a data breach had occurred in their systems. In both cases the outcome was the same: subscriber email addresses were compromised, but customer account and billing information was not.

New Malware Attack Pretends to Be a Microsoft Update

Written by Sue Walsh on July 1, 2009

A new malware attack is lurking behind emails made to look like Outlook updates sent by Microsoft. The messages look authentic and include a link that appears to point to update.microsoft.com but actually points to a malicious domain. If clicked, the link starts a download that contains the Zbot Trojan. Zbot steals usernames, passwords and banking information and installs a rootkit that could give a hacker access to any network the infected computer is attached to.

Zbot even contains a list of specific sites to monitor, including Facebook, MySpace, Bank of America, Amazon, HSBC, PayPal, Blogger, and just about every bank you can think of. This Trojan means business. Once a user on an infected machine accesses one of the sites on the list, a built-in keylogger is activated and records their information. The stolen information is then uploaded to a remote server.

Hundreds of UK Government Sites Hacked

Written by Sue Walsh on June 16, 2009

A large-scale attack on UK government websites has been discovered. Hundreds of sites for schools, government offices, universities and more have been compromised to include links and other references to porn sites or shady pharmacies. The hacks were likely carried out via SQL injection or cross-site scripting attacks, and the sites were obviously chosen because users would not think twice about trusting them. Visitors who click through are either redirected to sites selling drugs such as Viagra or to sites displaying hardcore porn. Some of the compromised sites attempt to download malware.

The most disturbing part of the attacks is that many of the sites belong to elementary schools and are visited by students. The hackers behind the attack apparently have no problem directing children to porn sites. Even the search results for these sites have been changed to refer to porn and shady pharmacies.

It’s not known who’s behind the attack, and the UK government has not yet commented. One thing is sure, however: they need to take a serious look at the security and software on their sites. It’s poorly designed software and careless security (such as not disabling unused FTP logins) that lead to these types of attacks. Experts warn that people who are infected by compromised sites may begin to file lawsuits against them for negligence.

However, I’m not sure that’s the way to go; after all, it is up to each of us to properly secure our computers and use up-to-date anti-virus software!

Data Breach Found on Website of Minnesota Senator

Written by Sue Walsh on March 12, 2009

Donors to Minnesota Senator Norm Coleman’s campaign reacted angrily to the news that his campaign website hosted a completely unprotected database that contained their names, addresses, credit card numbers, and 3-digit security codes. The breach was revealed by the site Wikileaks.org and the Minnesota Independent. Wikileaks sent an email out to the donors, warning them their information had been compromised. It appears Coleman, who is fighting with Democrat Al Franken for the state’s hotly contested Senate seat, was made aware of the breach in January but never made a statement nor contacted his donors. TheHill.com says it made contact with the campaign, which finally acknowledged the breach and is encouraging donors to cancel their credit cards.

Campaign spokesman Cullen Sheehan wrote in an email to supporters that there was no “evidence that our database was downloaded by any unauthorized party,” but he doesn’t dispute the possibility that security has been breached. Several IT professionals interviewed by the Minnesota Independent in late January revealed they had downloaded the database, which was not password protected. This fact seems to contradict Sheehan’s report of the findings by federal authorities looking into the case, who “did not find evidence that our database was downloaded by any unauthorized party.”

Um, Mr. Sheehan? Unless you gave Wikileaks.org, or those IT professionals, permission to download it and post parts of it on its website, it sounds to me like it was downloaded by several unauthorized parties. Ignorance at its best. The good news is there have been no reports of fraudulent credit card activity linked to the breach.

Malware Attack Hits Defense Department

Written by Sue Walsh on November 28, 2008

The U.S. Department of Defense was hit with a severe malware attack this week. The attack, which originated in Russia, was targeted at the networks of the department’s Central Command, which oversees the U.S.’s involvement in Iraq and Afghanistan. DOD sources say at least one highly classified network was compromised. According to the Los Angeles Times, the malware has been around for a while:

          The invasive software, known as agent.btz, has circulated among non-governmental U.S. computers for months. But only recently has it affected the Pentagon’s networks. It is not clear whether the version responsible for the cyber-intrusion of classified networks is the same as the one affecting other computer systems.

The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the flash drives.

Spammers Once Again Attacking Microsoft’s CAPTCHA

Written by Sue Walsh on October 3, 2008

Spammers are again attacking Microsoft’s CAPTCHA system and so far have a 10-15% success rate. They’re using automated bots to defeat the system, which was revised and revamped after it was attacked successfully earlier this year. Experts have found that the process involves three stages. First, instructions are sent from a host machine to a bot in its botnet. The infected machine then begins attempting to crack the CAPTCHA system, and finally the bot uses the successfully created Live Hotmail accounts to send large amounts of spam.

Services like Live Hotmail and GMail have become favored targets for spammers and phishers because of the DomainKeys and DomainKeys Identified Mail email authentication they use, which lets a sender’s reputation determine email delivery. The more reputable the sender, the less likely mail from them will end up in a spam filter or on a blacklist. The messages and senders are authenticated with a digital signature made with the sender’s private key. The server receiving the message verifies the signature with the public key obtained through the DNS of the sender’s domain (hence the name DomainKeys) to determine whether it matches the email message. Once the message and sender are determined to be authentic, the sender’s reputation is used to decide the delivery status. Senders with bad reputations or messages with missing or fake signatures stand a very strong chance of being rejected, while those from reputable senders with good signatures are usually delivered. While most ISPs haven’t adopted this technology yet, many web-based email providers and services have, including Yahoo, GMail, eBay, and PayPal.
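An added example, not part of the original post, of the receiving side described above: the body-hash (bh=) step of DKIM verification in plain Python, run over a constructed signed message. It stops before the RSA check of the b= tag, which needs the public key fetched from <selector>._domainkey.<domain> in DNS and a crypto library; the signature value in the sample is therefore a labelled placeholder.

```python
import base64, hashlib, re

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF endings, trailing blank lines dropped, one CRLF kept."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (re.sub(r"(\r\n)+$", "", text) + "\r\n").encode()

def body_hash(body: str) -> str:
    """The bh= value a signer publishes: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()

def parse_dkim_signature(value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; d=...; bh=...; b=...' into tag -> value, folding whitespace removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def split_message(raw: str):
    """Return (headers as lower-cased name -> value with continuation lines unfolded, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    hdrs = {}
    for line in re.sub(r"\n[ \t]+", " ", head).split("\n"):
        name, _, val = line.partition(":")
        hdrs[name.strip().lower()] = val.strip()
    return hdrs, body

def check_body_hash(raw: str):
    """Receiver-side bh= check. Returns (ok, reason); verifying b= with the DNS-published key comes next."""
    hdrs, body = split_message(raw)
    if "dkim-signature" not in hdrs:
        return False, "no DKIM-Signature header: treat as unsigned mail"
    tags = parse_dkim_signature(hdrs["dkim-signature"])
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256" or not {"d", "s", "bh", "b"} <= set(tags):
        return False, "malformed or unsupported DKIM-Signature"
    if body_hash(body) != tags["bh"]:
        return False, "body hash mismatch: body altered in transit or signature copied from another message"
    return True, f"body hash OK; public key lives at {tags['s']}._domainkey.{tags['d']}"

# Constructed sample message: bh= is filled in exactly as a signer would compute it;
# b= is a placeholder because no private key is used in this offline example.
BODY = "Hello,\nYour order has shipped.\n\n\n"
SIGNED = (
    "From: shop@example.com\nTo: paul@somewhere.com\nSubject: Your order\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2008;\n"
    f"  h=from:to:subject; bh={body_hash(BODY)};\n"
    "  b=PLACEHOLDER_SIGNATURE_VALUE\n\n" + BODY
)
```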

Man Charged in Plot to Sell Botnet to Spammer

Written by Sue Walsh on August 22, 2008

Federal authorities in New Orleans have indicted a Brazilian man on charges that he was planning to sell a botnet he created to a Dutch spammer. Prosecutors say 35-year-old Leni de Abreu Neto created a botnet of over 100,000 compromised computers and was in negotiations to sell it to Nordin Nasari of The Netherlands, a spammer who wrote the virus Neto used to take control of the computers in his botnet. Nasari agreed to purchase the entire operation for $36,800. While Nasari is being prosecuted by Dutch authorities, Neto faces charges here in the U.S., with up to 5 years in prison and a fine of up to half a million dollars.

The Ultimate Trojan?

Written by Sue Walsh on July 29, 2008

A security vendor in the UK has discovered a new Trojan. Called Limbo 2, it is designed to steal information from financial institutions and banks. Jacques Erasmus, director of malware research at Prevx, says it may be the most sophisticated Trojan ever. The Trojan’s power lies in its stealth characteristics. It is able to bypass anti-virus software thanks to its own cryptor that obfuscates it.

Spammers Shut Down Islands’ Only ISP

Written by Sue Walsh on June 25, 2008

The Marshall Islands’ National Telecommunications Authority was hit by a spam attack that managed to shut down email service for the islands. The NTA is the sole ISP for the region, and it reports that the constant flood of spam acted like a DDoS attack. It’s been over 24 hours and email service has still not been restored.

          “The government-owned National Telecommunications Authority (NTA) was hit with a sudden four-fold increase in incoming email, which it described as an attack by “zombie computers”, said an NTA spokesman. While NTA customers could send and receive emails to each other through the local system, virtually no non-NTA emails had been received since Monday, impacting local businesses, banks and government offices.”

This attack was a vivid illustration of why a country having a sole ISP is a very bad idea. It makes it very easy to wreak havoc on a country’s Internet infrastructure, and with so many vital services and businesses relying heavily on that infrastructure, a spam or hacker attack could be catastrophic. Not only is a sole ISP a security nightmare, but it also makes the country quite likely to be affected by corruption and censorship, as we’ve seen recently in Burma and China.

The NTA has no estimate on when their service will be fully restored.