Security Response: Showing posts tagged with Security Response

Symantec has observed a sudden rise in phishing on Indian brands recently. The number of phishing URLs  on Indian brands in the first two weeks of August was nearly 2% of all phishing attacks. In the past, the usual average was typically 0.5%. This means that the rise has grown four fold in just two weeks.

The geo-location of each phishing site was examined and it was observed that none were in India. But, it is likely that at least some of the phishers involved are in India since the confidential data stolen can be used for specific Indian needs. For instance, there are several websites dedicated to the purchasing of Indian goods and articles, which accept net banking payments only from a given list of Indian bank accounts. Hence, the attackers may be employing every means of masking their location by creating their website elsewhere and not on Indian servers.

There were five brands targeted that were all in the banking sector for the given time period. Among...

Did I just say that? Usually security researchers hate obfuscation. But I say, let them obfuscate more!

Obfuscation is a loosely defined term, but it basically refers to a method of concealing your exploit code to avoid detection. Attackers employ various techniques and methodologies to achieve obfuscation. Some techniques are very clever and take even the most seasoned security researcher by surprise. In most cases, attackers try to obfuscate their exploit by stretching the limits of the language or protocol they are using. Some take advantage of the detection engine limitations as well.

Today many detection engines parse files and network streams to detect vulnerabilities and odd behavior by using pattern-matching algorithms. However, in many cases the detection logic used has some limitations and assumptions built in. Some limitations stem from the architecture of the detection engine, and some stem from the risk of a false positive. In this cat and mouse game,...

In the past, we have seen spammers use election content in their spam campaigns. So, it comes as no surprise to see spam messages with a catchy subject relating to an upcoming political event. We have observed spammers sending out messages instructing recipients on how to “make money fast” with a subject line referring to the upcoming Lower House election in Japan, which will be held on Aug 30, 2009.

A message guides users to a website where it is said that they can obtain free information on how to make money fast with summer horse racing. However, after a recipient enters their email address for registration they will not receive profitable information but instead a message that has a link for a definitive registration to provide personal information. It is unknown whether the recipients will receive free information after providing their personal data.

Although there is no correlation between an election and summer horse racing, spammers lure people to...

Symantec Security Response has found a new threat that spreads through Renren.com, which is a very popular Social Networking Site in China ala Facebook. The threat comes in a form of a Flash video, which pretends to be a famous Pink Floyd promotional video clip "Wish you were here."

Viewing the Flash video results in concealed JavaScript being executed while the video is playing.

The video is hosted on a legitimate site. The threat exploits an authentication cookie of a currently logged-in user in order to send out the same link (for the Flash file) to users on the Friends list.

We detect this malicious XSS threat as...

Spammers continue to take advantage of the Internet tools and applications Google provides for free. In the past we have encountered spammers abusing Google Group Pages, Google Maps, Google Search, and Google Docs to host spam content. Recently spammers have started using Google Translate. Google Translate is an excellent tool that enables users to translate any text, Web page, or document, and convert the native text to the specified language requested.

With recent medication spam offer attacks, spammers have discovered a way to exploit the use of Google Translate. Here is one example:

1. Hijacked URL directory space from a legit domain. In this example they used www.ipanel.tv with the directory path www.ipanel.tv/images/news/news.htm to use as a redirect to host the intended spam domain...

We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware.

The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name, of course. So, a search phrase such as “obsessed movie online free full video” would yield results similar to the following:

The first search result we received was from digg.com. The digg.com page that was listed is flooded with the keywords related to movie:

...

It seems someone has it in for Delphi. Or at least older Delphi environments and programs compiled using them. As has been reported, there is a threat on the loose that targets Delphi development environments, specifically versions 4 through 7.

To provide some brief background, Delphi is a software development environment for Microsoft Windows applications. Using Pascal as its underlying language, Delphi came into being when Windows 3.1 was first released along with the introduction of the graphical user interface (GUI).

According to Wikipedia, Delphi 7 was released in August 2002 and became the standard version used by Delphi developers. Delphi 7 was the last free version released, which probably explains why it is still actively used today. Delphi is mainly used for the development of desktop and enterprise database applications, but it is a general-purpose software development tool suitable for most software projects including Web applications. It is a popular...