
www.tiscali.co.uk was hacked

According to information freely available, the website www.tiscali.co.uk has been hacked.

Primary Method: SQL Injection

Hazard to Humanity: Low

Date: March 15, 2009

Although hundreds of thousands of people log in to this website, the actual risk is low unless they’re using the same username and password for this site that they use for all their online activity (banking, bill paying, eBay, etc.). We gave this one a Low rating because it isn’t a site with financial information, but it is a very popular website.

Remediation and Preventative Measures: Properly sanitizing all data prior to inserting it into the database


www.telegraph.co.uk hacked

According to reports, the website for The Telegraph was hacked.

Primary Method: SQL Injection

Hazard to Humanity: Very Low

Date: March 6, 2009

Actually the site was search.property.telegraph.co.uk, and only the usernames and passwords of people who log in to the site were exposed. As is often the case, people use the same username and password for a variety of logins, so an incident like this could grow bigger than just having someone post comments using a “hacked” username and password.

Remediation and Preventative Measures: Same as for all SQLi attacks – properly sanitizing all data submitted to a SQL database.
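Both incidents above come down to the same fix. The remedy the posts describe, making sure submitted data is never interpreted as SQL, is most reliably done with parameterized queries rather than hand-rolled sanitizing. The following is an added example, not code from the original posts or from either hacked site; it uses Python’s sqlite3 module with a constructed in-memory users table and constructed inputs to show a concatenated query beside its parameterized form.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with sample rows; nothing here comes from the hacked sites.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("o'brien", "hash-of-obrien-pw")])
    return conn


def lookup_concatenated(conn, username):
    # The vulnerable pattern: the submitted value is pasted into the SQL text,
    # so any quote character inside it changes the structure of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # The fix: a placeholder binds the value as data; the database never parses it as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and report what each one returns."""
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, username)
    except sqlite3.OperationalError as exc:
        concatenated = "SQL error: %s" % exc
    return {"concatenated": concatenated,
            "parameterized": lookup_parameterized(conn, username)}


if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the concatenated query outright...
    print(compare("o'brien"))
    # ...and a constructed tautology input makes it return every account,
    # while the parameterized query correctly matches nothing.
    print(compare("x' OR '1'='1"))
```

The apostrophe case is worth noting for anyone tempted to “sanitize” by stripping characters: the parameterized lookup finds o'brien without any special handling, while the concatenated one fails on an ordinary name and returns every row on a crafted one.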


Bomb Threat SPAM

Cybercriminals are using cleverly crafted SPAM messages to get you to click on a link that supposedly takes you to a Reuters video of bomb blasts in your area.

I say cleverly crafted because the email will change based on where your IP address is. For instance, I received one with the subject line “Are you and your friends okay?”.

When I clicked on the link (yes, as part of my research), I saw a webpage showing the Reuters logo and the headline “Powerful explosion burst in Chicago this morning”. There’s a graphic to view the video, with text below that reads, “At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Chicago. Authorities suggested that explosion was caused by ‘dirty’ bomb. Police said the bomb was detonated from close by using electric cables.”

Scanning through our logs of SPAM for our clients using The Box, we’ve been able to see how the message refers to a different major nearby city depending on where the client receives their email.

The video will install some malware via a download. We’ve identified the trojan as a strain of Waled or Waledac depending on your AV.

Other subject lines we’ve seen are: “Take Care!”, “At least 18 killed in your city” (which is interesting as all the emails we’ve seen state that 12 have been killed), “I hope you are not in the city now”, “Bomb blast near you” and a host of others.

We’ve reported before on how cleverly cybercriminals use hype and fear as social engineering to get people to click on their links. Once clicked, systems become infected.

Cyber threats such as these will continue as long as they succeed at hooking at least a few million people. Hackers are making good money through their craft and will not stop. Using extreme fear and directing visitors to infectious websites will always be a tactic they pull out every once in a while. This will die down, and then in another few months they’ll use some other alarmist strategy and infect some more computers.

That’s what they do.


Fake iTunes cards – next cybercriminal profit center

What if you were offered a $200 iTunes card for less than $5?

How about for $2.60?

Would you buy it?

Apparently cybercriminals based in China have cracked the algorithm used by Apple to generate legitimate iTunes cards. This, along with their stolen credit card data, has become yet another revenue stream for the cybercriminals.

What’s really amazing is that you can’t even buy a $200 gift card from Apple. Their denominations are $15, $25 and $50.

This story originally broke here: http://outdustry.com/2009/03/10/the-chinese-itunes-gift-voucher-trick/ and a little investigation on our part revealed some interesting sites.

We’ve seen some “middle men” insert themselves in this tangled web of deceit. They actually buy the numbers from the original cybercriminals and then resell them to people they know, thus creating a wholesale/distributor type of business. Talk about an affiliate program that pays big dollars!

Some people are offering cards on various auction-type websites. (I’m not mentioning any names, but one of them rhymes with prepay.)

Please know that buying and using these cards is illegal. We’re posting this so you know NOT to buy them and think they’re legit – they’re not.

What will they think of next?

I don’t know, but I’m sure we’ll see it soon.


Social Networks & Social Engineering – Twitter Round 2

Continuing on from Round 1, I decided to take a step further and show you exactly how susceptible you are to a socially engineered infection through Twitter. Actually it’s more an attack through TinyURL.com, but since Twitter automatically converts URLs in your Tweets (ugh!), it is an attack via Twitter.

For this example, let’s say that a hacker wants to construct a website that references some research on Harvard’s website, on a topic that is of high interest at the moment.

First the hacker (cybercriminal) would use Google Trends (www.google.com/trends) to see what’s hot. As of today (03/02/2009) the list is as follows:

  • granville waiters
  • nyc doe
  • wavy tv 10
  • new york city department of education
  • dr. seuss birthday
  • opm.gov
  • wvec
  • nyc public school closings
  • nyc board of education
  • newport news public schools

These are the top 10.

Nothing in there is really eye-catching or covers a broad range of people. I’ll use dr. seuss birthday.

Our cybercriminal would construct some basic information about how Harvard University has created a research paper detailing the events behind Dr. Seuss stories. Our cybercriminal needs something that already carries some legitimacy and validation. For this scenario I’m using Harvard University for two reasons: they already carry a huge credibility factor, and they have a cross-site scripting (XSS) vulnerability that lets me use their URL for redirection.

The cybercriminal would take the XSS URL and instead of redirecting the reader to another page inside of Harvard’s website, use it to redirect the unsuspecting reader to their malicious website.

Here is the original URL: http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=

By appending any URL we want to the end of the above string, it will look like we’re sending you to harvard.edu; however, this vulnerability will actually take you somewhere else.

For instance, if I wanted to send you to my website I would use:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=http://www.wewatchyourwebsite.com

Go ahead and click on that and you’ll see what I mean.

Now, that’s not too bad. If I showed you that link in an email or on my Twitter account, you might not see the end of the URL and just click on it to see what Harvard has to say about Dr. Seuss.

But remember that Twitter uses TinyURL.com, which converts any long URL into a “tiny” URL. Plugging that long URL into TinyURL.com’s website gives me:

http://www.tinyurl.com/av46js

With TinyURL.com’s preview function I could see the exact URL of the above TinyURL. Maybe you’d see the redirection at the end and maybe not.

Now, our crafty cybercriminal knows that TinyURL.com has this preview function, so he (we’ll assume a male hacker) converts the URL of his malicious website to one you can’t recognize. This is called URL obfuscation (I love using that word).

This would take my URL of http://www.wewatchyourwebsite.com and convert it to: %68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

If you saw this by itself, hopefully you’d be suspicious and resist the urge to click on it. However, when it is tacked onto the back end of an already long URL, you might just throw caution to the wind and click away.

Our Harvard URL would become:

http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d

Which when converted to a TinyURL.com would result in: http://tinyurl.com/bnq5ej

Go ahead and click on that to see what I mean. As of today, that XSS on Harvard’s site has not been fixed, so it will load their frame, but inside will be our home page. Keep in mind that even with TinyURL.com’s preview function, you would only see the obfuscated URL with all the percent signs. This might give you a false sense of security, and you might decide to trust your “gut” and go for it. That’s what the cybercriminal is hoping for.

Obviously our website isn’t going to infect your computer; however, if the redirection URL were to take you to the cybercriminal’s infectious webpage, you’d be infected and not even know it.

To recap, the purpose of this information is to show you the steps a cybercriminal would follow to use social engineering to spread their malware: use Google Trends to find a hot topic, borrow the credibility of some other site (Harvard in this example), use obfuscation to hide their work from people who know what to look for, and use Twitter or some other social networking site to reach as many people as they can.

As stated earlier, this isn’t so much a vulnerability of Twitter as it is with TinyURL.com, but since Twitter uses TinyURL.com, it does reflect back on them.
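What the post walks through is, in web-security terms, an open redirect: the theurl parameter sends the reader to whatever URL it carries, and percent-encoding only hides that target from a human reading the link, not from software. The following Python is an added example, not code from the original post and not from Twitter, TinyURL.com or Harvard. It takes the two URLs quoted above and uses urllib.parse from the standard library to do two things a defender wants: decode such a link and flag when a redirect-style parameter (theurl, plus a few common parameter names assumed here) points at a different host, and show how a redirect endpoint should validate its target so it only ever stays on its own site.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# The two URLs quoted in the post above: plain, and with the target percent-encoded.
PAGE_URL_PLAIN = ("http://hms.harvard.edu/lshell/WhitePagesdefault.asp"
                  "?task=staffandfaculty&theurl=http://www.wewatchyourwebsite.com")
PAGE_URL_OBFUSCATED = ("http://hms.harvard.edu/lshell/WhitePagesdefault.asp"
                       "?task=staffandfaculty&theurl=%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65"
                       "%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d")

# "theurl" is the parameter named on the page; the other names are assumed,
# commonly seen redirect-parameter names and are not from the page.
REDIRECT_PARAMS = ("theurl", "url", "redirect", "next", "return")


def decode_layers(value, max_rounds=5):
    """Percent-decode until the string stops changing, so double encoding is undone too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_offsite_redirect(url):
    """Return (parameter, decoded target) when a redirect-style parameter points at a
    host other than the link's own; None when every such parameter stays on-site."""
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for raw in values:               # parse_qs has already decoded one layer
            target = decode_layers(raw)
            t = urlsplit(target)
            if t.netloc and t.netloc.lower() != parts.netloc.lower():
                return name, target
    return None


def safe_redirect_target(requested, site_host, default="/"):
    """Server-side fix for an endpoint like the one above: accept only a relative path
    or an absolute URL on site_host; anything else falls back to default."""
    target = decode_layers(requested)
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default                   # browsers treat backslashes as slashes
    t = urlsplit(target)
    if not t.scheme and not t.netloc and target.startswith("/") and not target.startswith("//"):
        return target                    # plain relative path on this site
    if t.scheme in ("http", "https") and t.netloc.lower() == site_host.lower():
        return target                    # absolute URL, but still our own host
    return default


if __name__ == "__main__":
    for link in (PAGE_URL_PLAIN, PAGE_URL_OBFUSCATED):
        print(find_offsite_redirect(link))
    print(safe_redirect_target("%2f%2fwww.wewatchyourwebsite.com", "hms.harvard.edu"))
```

Run against the expanded form of a shortened link (TinyURL.com’s preview gives you exactly that string), find_offsite_redirect reports the same destination for the readable and the percent-encoded version, which is the check a human eye skips. On the server side, safe_redirect_target is the allowlist the vulnerable page lacks: it rejects off-site hosts, protocol-relative targets such as //example.org, encoded variants of either, and non-HTTP schemes, and falls back to the site’s front page instead.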

Any comments, questions or remarks? Please post them (unless it’s SPAM).