
Monthly Archives: October 2009

Putting a spin on the bogus emails that were circulating last week, and combining it with the recent news of additional bank failures, malware authors are generating new emails claiming to be from the FDIC. The “alert” claims that the user’s bank has failed and suggests checking the deposit insurance coverage using a specially crafted web link. Of course, the link does not go where it pretends to.

The FDIC posted their own “alert” on the subject.

In an article found here, Google Voice voicemail was said to be searchable because of a major “security flaw”. By entering site:https://www.google.com/voice/fm/* into Google search, voicemails from random Google Voice accounts were said to show up as ordinary search results. “Clicking on each revealed not only the audio file and the transcript of the call, but it also listed the caller’s name and phone number…” For those unfamiliar with Google Voice, you can read about it here. Google has always been a target of privacy advocates, so it makes sense that this would not make them happy.

Supposedly, the story is that the messages were posted as “public”, but that the crawler wasn’t supposed to reach them. On the Google Voice Blog, Google points out that of millions of voicemails, only 31 made it to the public search engine. That’s a good point, but I’m not sure the posters of the 31 messages would agree. This is the kind of thing that concerns many about Google and their services.

Google has since decided that even if the poster makes the link to messages public, they will not be indexed/searchable.

It is important to realize that when using services on the internet, one has to weigh the risk of disclosure against the benefits of the service(s). Google (and others) offers many services that are “free”. In the case of Google, many of them are listed as “beta”.

For a couple of days, emails have been circulating claiming to be from an administrator (or department) of various domains. In the last two days, they have changed. The message claims that a security upgrade was applied to the mailbox and that a download will “apply” the settings. The link looks very official, as it has the domain name (your domain, e.g., gmail.com) in the visible portion of the link. However, in the actual code of the link, the target is somewhere else.

The link downloads a file called settings-file.exe or settings_file2.exe. These are virus infectors that have been linked to a variant of zbot. Among other things, the instructions given to the infection can (and will) change on the fly, as further updates can be downloaded without the user’s knowledge. Additionally, the infection records keystrokes to collect usernames and passwords for web sites. The stolen data is then uploaded to a remote location, where it is sure to be used.


For more information, refer to http://blog.trendmicro.com/tailor-made-zbot-spam-campaign-targets-various-companies/

Get them all. There will be some from Microsoft and Adobe/Acrobat at the least. These are all important ones. Microsoft is addressing 34 vulnerabilities in Windows, Internet Explorer, Office, Silverlight, Forefront, development tools, and SQL Server.

These are huge bulletin releases, as they patch several vulnerabilities that allow Remote Code Execution, Spoofing, Denial of Service and Elevation of Privilege.

The Adobe/Acrobat patch is for a zero-day that was discussed a week ago by us.

For the Adobe patch, you should see a notification in your system tray that there is an update. The Microsoft ones will appear as Windows updates. If you leave your speakers turned up at night and your PC turned on, you might want to turn the speakers down; lest you hear the Windows Start up wave in the middle of the night (like I did a couple nights ago).

There has been an explosion of phishing emails of late. One that comes to mind is a slight modification of the IRS one that was seen in mailboxes last month. This new one claims to be from the United Kingdom HM Revenue and Customs (HMRC).

Many were said to be from “HM and Customs” with an email address of no-reply@hmrc.gov.uk. The message instructs the user to review his/her tax statement at a website. A link is provided that has been said to download an exe file. The link also contains an email tag that may be for reporting back to the malware authors who received and clicked on the email. If you clicked, expect more phishing emails and spam.
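The two link tricks described in these posts (the gmail.com-style "official looking" link whose real target is elsewhere, and the HMRC link carrying an email tag and fetching an exe) can be caught with a small mail filter check. The following is an added example, not code from the original posts; the sample message body and the 198.51.100.7 / example.net addresses are constructed.

```python
# Added example, not from the original post: flag the "official looking" link
# trick (visible text shows your domain, href goes elsewhere) plus the other
# tells mentioned above: a direct .exe download and an email tag in the URL.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # crude last-two-labels domain; fine for gmail.com-style hosts
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html):
    """Return [(href, reason), ...] for links that deserve a second look."""
    p = _Links()
    p.feed(html)
    findings = []
    for href, text in p.links:
        u = urlparse(href)
        # visible text names a domain that is not where the href really goes
        m = re.search(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", text.lower())
        if m and u.netloc and registered_domain(m.group(0)) != registered_domain(u.netloc):
            findings.append((href, f"text says {m.group(0)}, href goes to {u.netloc}"))
        if u.path.lower().endswith(".exe"):
            findings.append((href, "direct .exe download"))
        if any("@" in v for vals in parse_qs(u.query).values() for v in vals):
            findings.append((href, "email address embedded in link"))
    return findings

# Constructed sample body (not a real campaign message)
SAMPLE = ('<p>Apply the upgrade: <a href="http://198.51.100.7/settings-file.exe">'
          'http://gmail.com/settings</a> or '
          '<a href="http://example.net/tax?e=user@example.org">review</a></p>')
```

Running suspicious_links(SAMPLE) returns three findings: the domain mismatch, the .exe download and the embedded email address; a link whose text and target agree returns none.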

According to PhishTank, numerous others are being reported as well. They are popping up in numerous domains. Many of the ones that we looked at were running PHP. Perhaps some vulnerability is being exploited to generate these sites.

In the last two days, we’ve seen over 700 of them (attempts) in one location. There is no sign of this letting up for a few days. And the messages had different sizes, so it appears they are making changes.

The odd thing is that US users are being targeted as well. I had to Google HMRC.

Version 3.12 was released. It has both bug fixes and feature changes. As an iPhone user, I find one particular one to be very useful. Recently, a fleet of iPhones I manage have been freezing up or dropping from the network. Fixing the condition required a reboot of the iPhone. This is said to be fixed in this release. Another cool feature is that iPhones can now MMS. If someone had bet me early on that iPhones could not MMS, I would have lost.

Anyway, this update has some important updates. Get it when you have some time. It takes a bit; especially on a corporate network.

According to the ISC, they have received reports of AT&T subscribers getting a text/SMS message claiming there is a problem with their account, and instructing them to call a number ending in 7649 to resolve their account issues. The purpose is to get the victim to provide credit card information to a voice prompt system.

It is worth noting that the request for credit card information is framed as verifying a transaction. ISC further reports that they have received information that subscribers on other carriers (like Sprint/Nextel and T-Mobile) have also reported similar attacks.

These kinds of attacks are way overdue. The sheer number of subscribers makes these kinds of attacks very lucrative. The danger is the speed with which charges can be applied. This specific number is being taken down, but be sure that others will be popping up elsewhere.


Adobe’s Product Security Incident Response Team announced a critical vulnerability in Adobe Reader and Acrobat products v9.1.3 on Windows, Macintosh and UNIX operating systems. That vulnerability is being exploited in limited targeted attacks on Windows systems. This can change at any minute.

Adobe plans to release its fix in their regularly scheduled patching cycle, which is October 13th, 2009. Adobe is also working with Anti-Virus vendors. Hopefully new definitions will be released before the patch release (5 days away).

This most recent event marks a disturbing trend in Adobe vulnerabilities and exploits. It would appear that PDFs are the attack surface of choice.

Contrary to emails that you may be receiving (I saw one today), cell phone numbers are NOT being released to telemarketers, AND you do not need to register your cell phone number with the Do Not Call list. The age-old scam is circulating again…soon to come to a mailbox near you. The FCC has always prohibited the use of autodialers to call cell phones WITHOUT THE OWNER’S CONSENT. Those words are very important.

The FCC recently released another statement in this regard. You can find the new release here: http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-293502A1.pdf. It is titled “NO TRUTH TO RUMOR THAT CELL PHONE NUMBERS WILL BE MADE AVAILABLE TO TELEMARKETERS”

In 2005, the Federal Trade Commission also posted on the subject here: http://www.ftc.gov/opa/2005/04/dnc.shtm. In 2007, they posted another notice, worded a little differently, here: http://www.ftc.gov/opa/2007/02/dnccellphones.shtm.

As a reminder, scam/rumor/misleading emails almost always encourage the reader to “forward this to all your friends” and quote a source like Microsoft, IBM, a news source, or Snopes. They will also often reference a link. I can’t remember any credible notification asking the reader to forward the email to all their friends.

Don’t add to the noise on the internet. Don’t forward these.

It has been reported that thousands of Windows Hotmail (Live) credentials have been compromised. It seems these were the result of a phishing attack. CHANGE YOUR PASSWORDS NOW. Windows Live credentials are used for several MS functions, including Hotmail. The exposed credentials have been posted on the internet for use by others. If your account has been compromised, Microsoft has made provisions for you to regain control of your account at https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1.

Comments on the breach can be found at: http://isc.sans.org/diary.html?storyid=7276.