Security Response
Showing posts for May of 2010
Samir_Patil | 27 May 2010 17:35:10 GMT

The 2010 FIFA World Cup kicks off on June 11th in South Africa. As 32 countries warm up for this esteemed international soccer event, cyber criminals are getting busier, too.

So far, Symantec has observed scam, phishing, and malicious attachment spam related to the 2010 FIFA World Cup. Of these, 419-scam messages stand out as major contributors. Below are two examples of typical 419-spam related to the FIFA World Cup:

In many of the phishing samples spammers are targeting the Visa brand, which is one of the six global FIFA partners. Visa announced a “Go Fans” promotion offer in which card holders get the chance to win a trip to South Africa to experience the 2010 World Cup matches. Aware of the fan frenzy involved with watching live World Cup...

Eoin Ward | 26 May 2010 18:31:14 GMT

In previous blogs, Symantec has highlighted threats that steal user data. We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck.

This particular database server we uncovered seems very much to be the heart of the operation—part of a distributed password checker aimed at Chinese gaming websites. The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games....

Mathew Maniyara | 25 May 2010 19:50:15 GMT

In May 2010, a phishing site was observed to be spoofing a credit union that provides financial services to members of the U.S. Defense Department and their family members. The defense forces covered by the credit union include the Army, Marine Corps, Navy, and Air Force. The services are provided to their customers even after they retire from the armed forces or join some other organization. Further, those who have joined the credit union can have the membership services extend to their family members. The brand has now grown to serve millions of customers across the U.S.

The phishing site states that the customer’s login has been locked because of several failed login attempts. The page further states that the customer needs to fill in a form with certain sensitive information to unlock the login. The sensitive information includes social security number, credit card details, date of birth, mother’s maiden name, and details of the account’s joint owner....

Mathew Maniyara | 24 May 2010 22:55:12 GMT

In May 2010, a phishing website was observed to be spoofing a leading, legitimate brand that provides online file transfer services. These services help people to send, receive, or host files of large sizes. Email messages typically have a limitation in the size of file that can be attached, and so online file transfer is often utilized as an alternative for sending large files. For an online file transfer, customers need to enter the recipient’s email address, select the required file, and click “send.” Upon sending, the recipients receive a notification containing a URL, from which the file can be downloaded. The legitimate brand offers the service free of cost for files within a certain size limit and requires a paid account for larger files.

In the past, there have been several phishing attacks on brands that provide file hosting. However, this is the first instance of phishing a brand that provides file transfers in addition to file hosting.

Marco Ceccon | 21 May 2010 19:30:24 GMT

IT Governance, Risk, and Compliance: A method of analysis based on the Symantec Response Assessment Module (RAM)

Part I of this blog series introduced the concepts of IT governance, risk, and compliance (GRC). To quote:

“In recent times, companies, organizations, and consulting firms from various sectors have started to address the great issues that lie at the base of IT. These issues are governance, risk management, and compliance. Every organization should be able to transform these problems into opportunities to continually improve IT. In practice, everyone realizes that these three issues are related.”

Here I will continue to expand on GRC issues by touching on phases 1.2.1: Design and 1.2.2: Build.

1.2.1 Phase 1: Design

In the Design phase, datacenter security analysis begins and a...

Mathew Maniyara | 19 May 2010 09:23:24 GMT

Symantec has recently observed phishing attacks on a leading brand that provides investment and brokerage services. The brand is primarily a brokerage but also offers various other services to customers, such as investment research, mutual funds, bond trading, mortgages, and so on. Customers can register on the brand’s legitimate website by providing certain confidential information, including a social security number and brokerage account number.

The phishing websites in this case were observed to be spoofing the legitimate brand’s main login page. After login credentials were entered into the phishing site, the fraudulent page stated that the customer’s records were missing or found to be incorrect. The phishing site further stated that the customer was required to resubmit his or her information (social security number, brokerage account number, etc.) to correct any errors. Prior to the collection of this information, the fraudulent page asked the...

Mathew Maniyara | 17 May 2010 22:39:07 GMT

For the past month or so, Symantec has been observing phishing websites that spoof a leading brand that provides prepaid debit card services to U.S. citizens. Legitimate prepaid debit cards help people to make purchases, pay bills, shop online, etc. without the need for a bank account. These services are beneficial to those who do not have the income to maintain a minimum balance in a bank account. The fraudulent websites were created to target a large population of low- to mid-income citizens in the USA who prefer prepaid debit cards.

The phishing website that attacked the legitimate brand states that the user’s “account has been limited.” The user is prompted to update his or her confidential information, such as login credentials and debit card details, in order to re-activate the account. After the credentials are entered, the phishing site provides a message that...

Peter Coogan | 14 May 2010 18:04:36 GMT

A recent blog from our colleagues at Sunbelt highlighted a new Trojan botnet creator tool called "TwitterNet Builder." Symantec has detection in place for this threat as Trojan.Twebot. As the name suggests, the builder is closely linked to Twitter, using a Twitter account to issue command-and-control instructions to the Trojans created by the builder. When building Trojan.Twebot, the user is able to supply a public Twitter account for Trojan.Twebot to follow. Because Trojan.Twebot does not try to obfuscate commands on Twitter, it will not be difficult for Twitter security staff to find and close accounts abusing their service in this way. It’s worth noting that issuing commands via Twitter accounts is nothing new and Symantec...

khaley | 14 May 2010 12:41:18 GMT

Last week I wrote about The Ghosts of Facebook: Facebook accounts whose owners didn’t appear to be real people (in this case someone named Chong Loris). I got quite a bit of reaction to the blog. Some people registered with real concerns. Others wondered what the fuss was all about. In other words, was I truly shocked that some people are not who they say they are on Facebook?

I must admit I felt a little bit like Claude Rains in Casablanca. At one point in the classic Humphrey Bogart movie he shuts down Rick’s Café, saying he is “Shocked, shocked to find that gambling is going on at this establishment.” At that moment he is interrupted by an employee and given his winnings from the roulette table.

So no, I’m not shocked about phony Facebook accounts. And there are a few scenarios where it’s not a big deal. Certainly a violation of Facebook policy, but not...

Nicolas Falliere | 14 May 2010 09:31:24 GMT

As discussed in a previous blog entry, Sality-infected computers become part of a peer-to-peer (P2P) botnet. This botnet is used by peers to exchange lists of URLs pointing to malicious software, which Sality will decrypt, download and install.

Though the peer-to-peer protocol used by Sality is custom, we can reverse-engineer the malware binary to determine the P2P packet format, as well as protocol rules and features. Traffic analysis can be used to facilitate or guide a white box approach. Eventually, writing a working P2P client and/or server can be used to validate the analysis.

I decided to create a rogue P2P client that would join the Sality botnet and crawl it, in order to estimate its size.

Let’s do a quick reminder of what the P2P protocol offers:

  • A peer can ask another peer for its list of URLs.
  • A peer can send its list of URLs to...