Category Archives: Phishing

‘Operation Hangover’ hackers exploit latest Windows zero-day

The unpatched vulnerability in Windows that Microsoft acknowledged on Tuesday has been used by a known Indian hacker group responsible for earlier “Operation Hangover” attacks, security company Symantec said yesterday.

The gang behind Operation Hangover is believed to be based in India, and the bulk of the first round of cyber-espionage attacks, which were discovered in May, were aimed at its neighbor and long-time adversary Pakistan.

“After analyzing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover,” Symantec said in a blog, referring to the newest campaign that relies on the Microsoft zero-day vulnerability to hijack and infect Windows PCs.

Microsoft issued a security alert Tuesday, saying that a vulnerability in the TIFF image-format parsing component of Windows was being exploited in attacks aimed at targets in the Middle East and South Asia, a region that includes India and Pakistan.

The attacks Symantec captured used malicious Word documents attached to emails with subject headings such as “Illegal Authorization for Funds Transfer” and “Problem with Credit September 26th 2013.”

It was the first time that the Hangover group has used a zero-day vulnerability in its attacks, Symantec said.

Researcher Haifei Li of security company McAfee was the first to find and report the unpatched bug to Microsoft. The Redmond, Wash., company’s security team was notified of the vulnerability Oct. 31.

According to Li, the exploit uses multiple XML objects to “spray the heap memory,” a technique more than a decade old that fills large regions of the heap with attacker-controlled data so that a corrupted pointer is likely to land on the attack code.

“It is worth [noting] that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we [haven’t] seen before,” Li wrote earlier this week.

Microsoft’s own researchers confirmed the ActiveX-based heap-spray tactic in a detailed description published on its Security Research & Defense blog Tuesday.

Retrieved from ComputerWorld
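The TIFF and heap-spray details above suggest a simple triage check for incoming Office attachments. The following Python script is an added example by the editor, not code from ComputerWorld, Symantec, McAfee or Microsoft, and it does not reproduce the exploit: it opens an OOXML document (a .docx is a zip) and flags any part that begins with a TIFF header, whatever its file extension, together with an unusually large number of activeX parts. The threshold, the part names and the sample document are constructed assumptions.

```python
import io
import zipfile

# A TIFF file opens with a byte-order mark ("II" or "MM") followed by the number 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def scan_office_zip(data, activex_threshold=8):
    """Triage an OOXML document (docx/xlsx/pptx) held in memory.

    Heuristics (the editor's choice, not a vendor signature):
      * any zip part whose first bytes are a TIFF header, regardless of extension;
      * an unusually large number of ActiveX control parts (activeX*.xml).
    Returns a dict so the caller can log the reasons behind a verdict.
    """
    result = {"tiff_parts": [], "activex_parts": 0, "reasons": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if "/activex/" in lower and lower.endswith(".xml"):
                result["activex_parts"] += 1
                continue
            if zf.getinfo(name).file_size < 4:
                continue
            with zf.open(name) as part:
                head = part.read(4)
            if head in TIFF_MAGICS:
                result["tiff_parts"].append(name)
    if result["tiff_parts"]:
        result["reasons"].append("embedded TIFF: " + ", ".join(result["tiff_parts"]))
    if result["activex_parts"] >= activex_threshold:
        result["reasons"].append(
            f"{result['activex_parts']} ActiveX parts (possible heap spray)")
    result["suspicious"] = bool(result["reasons"])
    return result


def build_sample_docx(with_tiff, activex_count):
    """Constructed sample: a minimal docx-shaped zip, not a real exploit document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_tiff:
            # A TIFF header behind a .jpeg name: an extension check alone would miss it.
            zf.writestr("word/media/image1.jpeg", b"II*\x00" + b"\x00" * 28)
        for i in range(1, activex_count + 1):
            zf.writestr(f"word/activeX/activeX{i}.xml", "<ax:ocx/>")
            zf.writestr(f"word/activeX/activeX{i}.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample_docx(False, 1)),
                        ("suspicious", build_sample_docx(True, 20))):
        verdict = scan_office_zip(blob)
        print(label, verdict["suspicious"], verdict["reasons"])
```

Legacy binary .doc files are OLE compound files rather than zips, so they need an OLE parser instead; and a hit here is a triage signal for sandboxing, not proof that the document carries the exploit.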

New malware variant suggests cybercriminals targeting SAP users

A new variant of a Trojan program that targets online banking accounts also contains code to search if infected computers have SAP client applications installed, suggesting that attackers might target SAP systems in the future.

The malware was discovered a few weeks ago by Russian antivirus company Doctor Web, which shared it with researchers from ERPScan, a developer of security monitoring products for SAP systems.

“We’ve analyzed the malware and all it does right now is to check which systems have SAP applications installed,” said Alexander Polyakov, chief technology officer at ERPScan. “However, this might be the beginning for future attacks.”

When malware does this type of reconnaissance to see if particular software is installed, the attackers either plan to sell access to those infected computers to other cybercriminals interested in exploiting that software or they intend to exploit it themselves at a later time, the researcher said.

Polyakov presented the risks of such attacks and others against SAP systems at the RSA Europe security conference in Amsterdam on Thursday.

To his knowledge, this is the first piece of malware targeting SAP client software that wasn’t created as a proof-of-concept by researchers, but by real cybercriminals.

SAP client applications running on workstations have configuration files that can be easily read and contain the IP addresses of the SAP servers they connect to. Attackers can also hook into the application processes and sniff SAP user passwords, or read them from configuration files and GUI automation scripts, Polyakov said.
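What such reconnaissance yields is easy to see from the configuration file Polyakov mentions. The following Python is an added example by the editor, not ERPScan’s or Doctor Web’s analysis code: it parses a constructed saplogon.ini (the SAP GUI for Windows logon configuration; the section and ItemN layout is assumed from the documented format, and every SID, host, address and route string is invented) the way a recon implant would, then turns the same data into an allowlist of expected SAP dispatcher endpoints that a defender can compare the workstation’s actual connections against.

```python
import configparser

# Constructed sample in the saplogon.ini layout used by SAP GUI for Windows.
# Section names and the ItemN keys follow the documented format; every value
# (SIDs, hosts, addresses, route strings) is invented for this example.
SAMPLE_SAPLOGON_INI = """\
[Configuration]
SessionManager=0

[Description]
Item1=PRD - Production ERP
Item2=DEV - Development sandbox

[Server]
Item1=10.20.30.40
Item2=sapdev01.corp.example

[Database]
Item1=00
Item2=01

[System]
Item1=PRD
Item2=DEV

[Router]
Item1=/H/192.0.2.10/H/
Item2=
"""


def harvest_targets(ini_text):
    """What a recon implant learns from a readable saplogon.ini: one entry per
    logon item with SID, host, dispatcher port and saprouter route string.
    [Database] holds the instance number NN; the SAP dispatcher listens on 32NN."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    targets = []
    for key, sid in cp["System"].items():          # keys arrive lower-cased: 'item1', ...
        instance = int(cp["Database"].get(key, "00"))
        targets.append({
            "sid": sid,
            "description": cp["Description"].get(key, ""),
            "host": cp["Server"].get(key, ""),
            "port": 3200 + instance,
            "router": cp["Router"].get(key, "") if cp.has_section("Router") else "",
        })
    return targets


def expected_endpoints(targets):
    """Defender's view of the same data: the (host, port) pairs this workstation
    should legitimately reach, including the saprouter hop when a route is set."""
    allow = set()
    for t in targets:
        if t["host"]:
            allow.add((t["host"], t["port"]))
        if t["router"].startswith("/H/"):
            hop = t["router"].split("/H/")[1].rstrip("/")   # first hop of the route string
            allow.add((hop, 3299))                            # saprouter default port
    return allow


def anomalous_connections(observed, allow):
    """Observed connections (host, port) to SAP ports that the config does not explain."""
    return [c for c in observed if c not in allow and 3200 <= c[1] <= 3299]


if __name__ == "__main__":
    targets = harvest_targets(SAMPLE_SAPLOGON_INI)
    for t in targets:
        print(f"{t['sid']:4} {t['host'] or '(via router)':24} :{t['port']} "
              f"route={t['router'] or '-'}")
    allow = expected_endpoints(targets)
    observed = [("10.20.30.40", 3200), ("203.0.113.77", 3201),
                ("sapdev01.corp.example", 3201)]
    print("unexpected:", anomalous_connections(observed, allow))
```

The harvest side shows why a world-readable logon file is a finding in its own right; the allowlist side is the cheap control that falls out of it, since SAP GUI traffic from a workstation to a dispatcher port that no logon entry names deserves a look.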

There’s a lot that attackers can do with access to SAP servers. Depending on what permissions the stolen credentials have, they can steal customer information and trade secrets or they can steal money from the company by setting up and approving rogue payments or changing the bank account of existing customers to redirect future payments to their account, he added.

There are efforts in some enterprise environments to limit permissions for SAP users based on their duties, but those are big and complex projects. In practice most companies allow their SAP users to do almost everything or more than what they’re supposed to, Polyakov said.

Even if some stolen user credentials don’t give attackers the access they want, there are default administrative credentials that many companies never change or forget to change on some instances of their development systems that have snapshots of the company data, the researcher said.

With access to SAP client software, attackers could steal sensitive data like financial information, corporate secrets, customer lists or human resources information and sell it to competitors. They could also launch denial-of-service attacks against a company’s SAP servers to disrupt its business operations and cause financial damage, Polyakov said.

SAP customers are usually very large enterprises. There are almost 250,000 companies using SAP products in the world, including over 80 percent of those on the Forbes 500 list, according to Polyakov.

If timed correctly, some attacks could even influence the company’s stock and would allow the attackers to profit on the stock market, according to Polyakov.

Dr. Web detects the new malware variant as part of the Trojan.Ibank family, but this is likely a generic alias, he said. “My colleagues said that this is a new modification of a known banking Trojan, but it’s not one of the very popular ones like ZeuS or SpyEye.”

However, malware is not the only threat to SAP customers. ERPScan discovered a critical unauthenticated remote code execution vulnerability in SAProuter, an application that acts as a proxy between internal SAP systems and the Internet.

A patch for this vulnerability was released six months ago, but ERPScan found that out of 5,000 SAProuters accessible from the Internet, only 15 percent currently have the patch, Polyakov said. If you get access to a company’s SAProuter, you’re inside the network and you can do the same things you can when you have access to a SAP workstation, he said.

Retrieved from ComputerWorld


33Mail now helps you beat spammers by responding anonymously via email aliases


It’s been almost two years since we last caught up with 33Mail, the online service that helps you beat email spam by giving you disposable email addresses.

Just to recap, 33Mail provides ‘alias’ email addresses for users to include in online forms or anywhere they feel giving out a real address may attract unsolicited emails further down the line. 33Mail redirects all mail sent to an alias to your real address, but until now one of its ‘flaws’ was that if you chose to reply to such an email, there was no way to keep your true address concealed. This has now been remedied.

33Mail: Hide from spammers

33Mail recently rolled out a much-needed update to its interface (33Mail “puts practicality way ahead of beauty” we noted in our previous coverage), but it’s the anonymous email replies feature that’s perhaps the most notable development.

In a nutshell, it means users can now communicate back-and-forth with anyone – it could be related to an advert they placed for a new room-mate, an old bike they’re trying to sell through the classifieds or, indeed, any company they believe could place them on a marketing list.

Once you’ve signed up for a 33Mail account, you can drag a bookmarklet to your browser and it will automatically create an alias for you specific to the website you’re on. The format defaults to:


But the beauty of 33Mail is you can decide on any alias you want, and the first time someone responds to it by email, the address is created. So, say you’re looking for someone to fill your spare room, you can just pluck something like ‘’ out of thin air and place it in your ad – you don’t have to physically create anything.

For the time-being, anonymous replies are still technically in beta and it’s free for all users, though it seems likely that this will eventually only be available to premium users.

Free users get a 10MB monthly bandwidth limit, which equates to around 500 emails a month. Premium users, however, pay $12 a year and get a 50MB monthly bandwidth limit and the option to buy customized domain names.

For now, anyone can enable the anonymous reply setting via ‘Account Info’, where they can also set any name for the recipient to see when they respond – this could be their real name, a made-up name or whatever they want.


The more sites you sign-up to using a 33Mail alias, the more will be displayed in your dashboard, and you can block any address at any point simply by hitting the ‘block’ button.


When you receive an email to an alias, 33Mail relays it through to your real address, and when you reply it looks as though it’s being sent from your real address too, but 33Mail works its magic to hide it from the recipient.
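The relay described above can be modelled as two address rewrites. The following Python is an added example by the editor, a generic alias-relay sketch and not 33Mail’s implementation; the relay domain, the user record, the HMAC key and the messages are all constructed. Inbound mail to any alias under a user’s subdomain is forwarded to the real address with a Reply-To that encodes the alias and the outside party; a reply sent to that token address is rewritten so the outside party sees only the alias, and a blocked alias is dropped on arrival.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr

RELAY_DOMAIN = "relay.example"          # assumed relay domain for this sketch
SECRET = b"constructed-demo-key"        # a real deployment would use a random per-site key

users = {"alice": "alice.real@mailbox.example"}   # alias subdomain -> owner's real address
aliases = {}        # (user, alias) -> "active" | "blocked"; entries appear on first use
reply_tokens = {}   # token -> (user, alias, outside party)


def make_message(sender, recipient, subject, body):
    """Helper for building the constructed sample messages."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def _split(header_value):
    local, _, domain = parseaddr(str(header_value))[1].lower().partition("@")
    return local, domain


def _token(user, alias, outsider):
    """Unguessable reply address bound to this alias/outsider pair."""
    tag = f"{user}|{alias}|{outsider}".encode()
    tok = hmac.new(SECRET, tag, hashlib.sha256).hexdigest()[:20]
    reply_tokens[tok] = (user, alias, outsider)
    return tok


def relay_inbound(msg):
    """Outside party -> <alias>@<user>.RELAY_DOMAIN. Returns the message to
    deliver to the owner's real mailbox, or None if it is dropped."""
    alias, domain = _split(msg["To"])
    suffix = "." + RELAY_DOMAIN
    if not domain.endswith(suffix):
        return None
    user = domain[: -len(suffix)]
    if user not in users:
        return None
    state = aliases.setdefault((user, alias), "active")   # alias exists once mail arrives
    if state == "blocked":
        return None
    outsider = parseaddr(str(msg["From"]))[1].lower()
    out = make_message(f"{alias}@{user}{suffix}", users[user],
                       msg["Subject"], msg.get_content())
    out["X-Original-From"] = outsider                       # owner still sees who wrote
    out["Reply-To"] = f"{_token(user, alias, outsider)}@reply{suffix}"
    return out


def relay_reply(msg):
    """Owner's real mailbox -> <token>@reply.RELAY_DOMAIN. Rewrites the reply so
    the outside party sees only the alias, never the real address."""
    token, domain = _split(msg["To"])
    if domain != f"reply.{RELAY_DOMAIN}" or token not in reply_tokens:
        return None
    user, alias, outsider = reply_tokens[token]
    if parseaddr(str(msg["From"]))[1].lower() != users[user].lower():
        return None          # only the alias owner may send through the token
    return make_message(f"{alias}@{user}.{RELAY_DOMAIN}", outsider,
                        msg["Subject"], msg.get_content())


def block_alias(user, alias):
    aliases[(user, alias)] = "blocked"
```

The owner check in relay_reply compares only the From header, which is trivially spoofable; a real relay would tie the token to the authenticated submitting account (or require the reply to arrive over the owner’s authenticated session) rather than trust the header.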

It’s a great idea for sure, one that’s similar in concept to SquadMail, which is a little bit like Dropbox for email, in that it lets you create and share temporary (or permanent) email folders, each with their own unique SquadMail-branded email handle.

33Mail says it now forwards almost 250,000 emails per month to its users, though of course this gives no indication as to the popularity of the service on the whole. That said, we’re told that it’s adding around 1,000 new users each month.

The new 33Mail is available to use on the Web now.

Retrieved from The Next Web

Google Says It’s Seeing A Significant Jump In Phishing Attempts In Iran Ahead Of Elections


Google says it’s seeing a massive increase in email-based phishing campaigns that originate within Iran and target Iranian users. These attacks, Google says, started about three weeks ago, and the company believes they are politically motivated: Iran’s next election is scheduled for Friday.

Google says the campaign targets the accounts of “tens of thousands” of Iranian users and the group behind it appears to be the same that also targeted Iranian users in September 2011. Back in 2011, the company told all of its users in Iran to ensure that their accounts weren’t compromised after hackers compromised the Dutch SSL certificate authority DigiNotar.

As Google notes, though, this time the attack is far simpler and just sends users to a fake Google sign-in page in order to steal usernames and passwords. What exactly the attackers planned to do with this information remains unclear.

Retrieved from Tech Crunch

Newest Phish Caught!

Newest Phishing Alert

Mail Administrator []
Sent: Sunday, May 19, 2013 10:23 AM
Subject: Your Mailbox Has Exceeded The Set Quota/Limit Read To Reset

Dear User,

Your mailbox is currently running 99.7% of its Quota limit of 100%. You might not be able to send or receive email until you have updated your mailbox account. To update your mailbox account
Failure to validate your account may result to loss of important information in your mailbox or cause limited access to it We are sincerely sorry for any inconvenience this might cause you; we tend to serve you better.

Click Here to upgrade your account

Failure to validate your account may result to loss of important information in your mailbox or cause limited access to it We are sincerely sorry for any inconvenience this might cause you; we tend to serve you better.

Newest Phish Caught!

Newest Phishing Alert- check out the below scam to stay secure!

—–Original Message—–

From: Gray Banks []
Sent: Wednesday, May 08, 2013 11:27 PM
Subject: Request Quote Needed

Dear sales,

We needed price quote for Grundfos SQ Solar Pump , Please Quote me the Price and Delivery Lead time to your Location for Customer Pick up. We needed these order as soon as possible to complete the project.

Grundfos SQFlex 11 SQF-2 Pump

Grundfos SQFlex 6 SQF-2 Pump

Grunfos  SQFlex 6 SQF-3 Pump

Let me Know which one is ready for  Shipment , So we can purchase from you


Thank  you
Gray Banks
Sale rep

Phishing Websites Reach All-time High

The number of phishing websites detected reached an all-time high earlier this year, a sign that making fake websites spoofing real ones is still a lucrative trade for cybercriminals.

In its latest report, the Anti-Phishing Working Group (APWG) said 56,859 phishing sites were detected in February, beating the previous record high in August 2009 by nearly 1 percent. APWG is a nonprofit consortium composed of banks, security vendors and others with a stake in tracking cybercrime trends.

Phishing sites are websites that look nearly identical to the legitimate ones and often mimic known brands. Leveraging the trust users put in the legitimate companies, cybercriminals succeed in tricking victims into divulging logins, passwords and other sensitive information.

The APWG noted in its report that the increase in the number of phishing websites was in part due to new technology that it began using earlier this year to detect fraudulent sites.

More than 38 percent of the fake websites were related to financial services, according to the APWG’s report. The second most spoofed market vertical was payment services, followed by retail and other service sites. The sites spoofed 392 brands, also a new record.

“All manner of commerce is transacted online today and in that are opportunities for new and provocative scams, leveraging some part of the customer-enterprise relationship that is unique to the domain,” said Peter Cassidy, secretary general of the APWG. “People are tougher to fool with phishing, but they still can be in the hands of a creative scam artisan.”

The U.S. hosted the most fake sites. About half of the phishing sites for the first quarter of 2012 used some form of a brand in their URL, which often tricks people.
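The “brand in the URL” figure above is one heuristic that can be automated. The following Python is an added example by the editor, not APWG’s detection code; the brand table, the tiny public-suffix stand-in and the sample URLs are constructed. It treats a brand name as suspicious when it appears in a hostname, in the userinfo before “@”, or in the path or query of a URL whose registrable domain the brand does not own.

```python
from urllib.parse import urlsplit

# Constructed brand table: brand keyword -> registrable domains the brand actually owns.
BRANDS = {
    "paypal": {"paypal.com"},
    "google": {"google.com", "google.co.uk"},
    "examplebank": {"examplebank.com"},
}
# Tiny stand-in for the public suffix list; a real deployment would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Last two labels, or three when the suffix itself is two labels (google.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Return a list of (brand, reason) hits; an empty list means no brand-in-URL signal."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Places a phisher can plant a brand name without owning the domain:
    # the userinfo before '@' (http://paypal.com@evil.example/), the path and the query.
    decoy = " ".join([parts.username or "", parts.path, parts.query]).lower()
    hits = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue                  # served from a domain the brand owns
        if brand in host:
            hits.append((brand, "brand inside a hostname the brand does not own"))
        elif brand in decoy:
            hits.append((brand, "brand only in userinfo, path or query"))
    return hits


# Constructed sample URLs covering the legitimate and the decoy cases.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://paypal.com.secure-login.example/",
    "http://paypal.com@203.0.113.5/login",
    "http://203.0.113.5/google/accounts/ServiceLogin.php",
    "https://accounts.google.co.uk/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", classify(url) or "clean")
```

The userinfo case matters because browsers show the part after “@” as the host while the eye reads the part before it; using urlsplit’s hostname rather than a regex over the raw string is what makes the check land on the real destination.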

On the bright side, though, phishing sites are being taken down faster than ever due to better security technologies. But “the problem is a lot of campaign schemes are built around deployment of lots of landing websites for a single campaign to complicate the work of putting down the attacks,” Cassidy said.

Retrieved from PC World

Megaupload Pushes for Dismissal of Indictment

Lawyers for Megaupload filed another motion on Wednesday asking a federal court to dismiss its criminal case, continuing its argument that the company can’t be served a summons since it was headquartered outside the U.S.

Megaupload wants the U.S. District Court in the Eastern District of Virginia to hear oral arguments on its request for dismissal of the charges, which the Department of Justice (DOJ) opposes. A court date for oral arguments is set for July 27.

DOJ attorneys argued in a response released Tuesday it was “unprecedented and unjust” that Megaupload could not be served since it “purposefully avoided establishing an office in the United States.” The file-sharing site is accused of encouraging users to upload material under copyright, earning upwards of US$175 million in advertising and subscription fees, the DOJ alleges.

Founder Kim Dotcom and six others were indicted in January on criminal copyright violations and fraud along with two companies, Megaupload and Vestor Limited.

Individuals located outside the U.S. can be served a criminal summons, but Megaupload’s lawyers contend a corporation cannot be. It is not clear what impact a dismissal of the charges against Megaupload as a corporate entity would have on the rest of the case.

The closely watched court battle took a surprising turn earlier this week when a New Zealand judge recused himself from further extradition hearings involving Kim Dotcom and his colleagues.

North Shore District Court Judge David Harvey was reported to have made a comment referring to the U.S. as an “enemy” during copyright and trade talks last week at the NetHui Internet conference held in Auckland. The extradition hearing, planned for August, has been rescheduled for March 2013.

Dotcom, known for his prolific activity on Twitter, wrote on the social networking service earlier this month that he would voluntarily go to the U.S. for trial if the DOJ released funds frozen when he was arrested. Dotcom has said he has been unable to pay his legal fees.

Retrieved from PCWorld