Phishers Promote Indonesian Rock Star

In the month of January 2011 Symantec reported adult scams that targeted Indonesian Facebook users. These scams claimed to have an application in which users could view adult videos of Indonesian celebrities, taken from hidden cameras.

It seems that phishers are now using specific celebrities as bait for their phishing sites. This is unlike the previous Indonesian adult scams whose phishing pages gave the impression that the adult video would be of a random celebrity. In October 2011 phishers continued their adult scams on Facebook, but this time they chose the Indonesian rock star Ahmad Dhani in particular. Dhani is the frontman of the rock bands “Dewa 19” and “Ahmad Band”. The phishing site contained a photograph of Ahmad Dhani and Indonesian singer Dewi Persik. The Indonesian caption of the photograph translated: “To view videos of Ahmad Dhani recorded from CCTV cameras, please login below”. After users entered their Facebook login credentials, the phishing page redirected to a pornographic website. Of course, if users gave away their login credentials to the phishing site, phishers would have successully stolen their information for identity theft. The phishing site was hosted on a free Web hosting site.



Celebrities have been a common target in phishing attacks. In the past, we have seen Aishwarya Rai and Katrina Kaif used as phishing bait. Phishers are choosing celebrities with a large fan following because they perceive a larger audience will mean more duped users.

Internet users are advised to follow best practices to avoid phishing attacks:

• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up page or screen.
• When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
• Frequently update your security software, such as Norton Internet Security 2011, to protect you from online phishing.

Read More...

W32.Duqu: The Precursor to the Next Stuxnet

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.

One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.

Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.

Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.

You can find additional details in our paper here. The research lab that originally found the sample has allowed us to share their initial report as an appendix. We expect to make further updates over the coming days.

Key points:

• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

Note: At press time we have recovered additional variants from an additional organization in Europe with a compilation time of October 17, 2011. These variants have not yet been analyzed. More information will follow.

Update [October 18, 2011] - Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec revoked the customer certificate in question on October 14, 2011. Our investigation into the key’s usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware. At no time were Symantec’s roots and intermediate CAs at risk, nor were there any issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates. Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan. Read More...

Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

Summary: Symantec warns of a new high-end Trojan that’s “nearly identical to Stuxnet” but notes that the malware has a completely different goal.

[ UPDATE: McAfee says DuQu's main objective is espionage and targeted attacks against sites such as Certificate Authorities (CAs). ]

Researchers at Symantec have sounded an alarm for a new piece of malware with “striking similarities” to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran.

The new malware, identified as Duqu, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

[ Inside Stuxnet: Researcher drops new clues about origin of worm ]

“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” according to Symantec’s security response team.

Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections.

The company found that parts of Duqu are “nearly identical to Stuxnet” but noted that the malware has a completely different goal.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created after the last recovered Stuxnet file. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

The company said Stuxnet and Duqu shared the same modular structure, injection mechanisms, and a driver that is digitally signed with a compromised key.

[  Stuxnet: A possible attack scenario ]

Unlike Stuxnet, Symanted said the new malware does not contain any code related to industrial control systems.  It was built to be a  remote access Trojan (RAT) that does not self-replicate.

“The threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants,” the company warned.

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.

One of the variant’s driver files was signed with a valid digital certificate expiring August 2, 2012. The digital certificate belongs to C-Media Electronics Incorporation, company with headquarter in Taipai, Taiwan. The certificate was revoked on October 14, 2011.

Symanted noted that Duqu uses HTTP and HTTPS to communicate to a command and control server which is currently operational.

Some more details on Duqu:

Through the command and control server the attackers were able to download additional executables, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.

The threat uses a custom command and control protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received.

Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.

Symantec’s researchers believe that the creators of Duqu had access to the source code of Stuxnet. 

A technical paper describing the similarities between Stuxnet and Duqu can be found here [PDF].

Read More...

DDoS and SQL injection are hot topics on hacking forums

Forums are the cornerstone of hacking, providing a venue for hackers to sell and exchange information

Distributed denial of service and SQL injection are the main types of attack discussed on hacking forums, according to new research from security vendor Imperva.

Underground discussion forums are an important piece in the cybercriminal ecosystem. They offer a place for hackers to sell and exchange information, software tools, exploits, services and other illegal goods.

[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. ]

"Forums are the cornerstone of hacking -- they are used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction," Imperva stressed.

The company's researchers have recently analyzed discussions going back several years from HackForums.net, one of the largest hacker forums with over 220,000 registered members. Their effort was aimed at determining the most common attack targets, what business trends can be observed, and what directions hackers are leaning toward.

As far as attack popularity goes, the analysts determined that DDoS was mentioned in 22 percent of discussions. SQL injection, a technique commonly used to compromise websites, is the second most frequently discussed attack method, being at the center of 19 percent of conversations.

Unsurprisingly, with a 16 percent discussion occurrence rate, spam is the third most favorite attack type according to Imperva's content analysis. That's probably because it is one of the primary methods of generating illegal income.

Zero-day exploits make up 10 percent of attack discussions on the forum, however, Microsoft's latest Security Intelligence Report (SIR) claims that this type of exploit is used in less than 1 percent of real-world compromises.

Forums are also an important learning tool for new hackers -- Imperva determined that up to a quarter of discussions fall into the beginner hacking category. Another 25 percent of conversations involved hacking tools and programs, while a fifth mentioned Web and forum hacking.

One trend observed by Imperva's researchers was that mobile hacking is increasingly popular. This is also reflected in real-world attack statistics and reports from other vendors. iPhone hacking in particular accounted for half of conversations on this topic.

Overall, discussions about hacking have increased more than 150 percent over the last four years. "We think the growth in hacker forum activity helps explain that, along with automated hacking, there are simply more hackers causing more breaches," Imperva concluded. Read More...

Free coffee from Starbucks and Tim Hortons? No, it's a Facebook scam

As of late things have been somewhat quiet on the Facebook scam front, but today we have seen a resurgence in free voucher scams targeting both Americans and Canadians.

A little more than a day ago a scam appeared purporting to be a free gift card for the famous Canadian coffee and doughnut shop Tim Hortons.

It asks you to like the page and to share it with your Facebook friends thanking Tim Hortons (or Timmies as it's known to some Canadians) for the free coffee.

It would appear scamming Canadians was not enough for the folks behind this scam and within a day they had branched out to include Starbucks fans.

The Starbucks fraud proclaims to be a give away to celebrate the 40th anniversary of the Seattle coffee giant.

It's a tried and true formula for con-artists to get your to share their scam with your friends, and then lead you to a website asking you to divulge personal information.

These scams begin with asking you for your email address with some standard legal verbiage about being 18 years old and a resident of -insert country here-. They then proceed to lead you to another form asking you to disclose sensitive personal information.

Unfortunately thousands of Facebook users have been spreading the message, helping these criminals propagate their fraud. Innocent people thinking they might share a great deal with their friends are being used to social engineer those same friends.

Steer clear of these frauds and warn your friends that not even a cup of coffee comes at no cost. While both Starbucks and Tim Hortons may be trustworthy brands and offer occasional specials, be sure to only participate in contests from their own websites or stores. Read More...