Security Response
Satnam Narang | 26 Mar 2014 08:37:40 GMT

In late January this year, eager fans purchased tickets for Coachella, an annual two-weekend, three-day music festival, but were later targeted by scammers in a phishing campaign that persisted until the end of February.

Front Gate Tickets, the company responsible for the festival’s ticketing, sent an email to ticket buyers at the end of February warning them about the phishing campaign, stating:

“The phishing involved a fraudulent website designed to look like the login page for Coachella ticket buyers to access their Front Gate accounts, built in an attempt to capture username and password information.”

The email went on to explain that the phishing links were circulated on message boards and email campaigns, and that the perpetrators had harvested the email addresses of ticket buyers who posted them publicly on message...

Symantec Security Response | 25 Mar 2014 12:25:44 GMT

Microsoft posted a security advisory today for a newly discovered, unpatched vulnerability affecting Microsoft Word. An attacker could exploit the Microsoft Word Remote Memory Corruption Vulnerability (CVE-2014-1761) to gain remote access to the targeted computer. The advisory indicates that the vulnerability has been exploited in limited, targeted attacks.

Users should not only be cautious about opening unknown RTF documents, but should also avoid previewing such files in Outlook, since previewing alone can trigger the vulnerability. Be aware that in several versions of Outlook the default viewer for RTF attachments is Microsoft Word.

While patches have not yet been made available, users can apply several workarounds to minimize the risk of exploitation. Microsoft...

Daniel Regalado | 24 Mar 2014 12:57:46 GMT


There is a growing chorus of voices calling for businesses and home users to upgrade existing Windows XP installations to newer versions of Windows, if not for the features, then at least for the improved security and support. ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP. With the looming end-of-life for Windows XP slated for April 8, 2014, the banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet. This risk is not hypothetical — it is already happening. Cybercriminals are targeting ATMs with increasingly sophisticated techniques. 

In late 2013, we...

Symantec Security Response | 20 Mar 2014 12:59:29 GMT

Last year, security reporter Brian Krebs discovered that a group of attackers managed to compromise multiple companies, steal sensitive customer data and sell the details through an online identity theft store known as SSNDOB. The attackers broke into the networks of a number of major consumer and business data aggregators as well as a software development firm. Krebs revealed that the attackers then put the stolen data for sale on SSNDOB, allowing their customers to buy personal details belonging to US and UK citizens.

Symantec looked into the attacks conducted by the group behind SSNDOB, whom we call the Cyclosa gang. During our investigations, we managed to identify one of the owners of the service, who claims in online forums to be Armand Arturovich Ayakimyan, a 24-year-old man from Abkhazia. As we looked further into this case, we learned how he started as a...

Kaoru Hayashi | 19 Mar 2014 12:58:54 GMT


Last November, we found an Internet of Things (IoT) worm named Linux.Darlloz. The worm targets computers running the Intel x86 architecture, but it also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found in routers and set-top boxes. In mid-January, we found a new variant of the worm. According to our analysis, the author continuously updates the code and adds new features, with a particular focus on making money with the worm.

By scanning the entire Internet IP address space in February, we found that there were more than 31,000 devices infected with Linux.Darlloz.

Coin mining
In addition, we have discovered the current...

Symantec Security Response | 18 Mar 2014 22:56:52 GMT

Security researchers have released a paper documenting a large and complex operation, code-named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers have been compromised to steal Secure Shell (SSH) credentials, redirect Web visitors to malicious content, and send spam. Well-known organizations such as cPanel and the Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages per day. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used...

Nick Johnston | 13 Mar 2014 18:14:34 GMT

We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.

The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.

Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:


Figure. Google Docs phishing login page

The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in...

Symantec Security Response | 12 Mar 2014 11:16:35 GMT

On Tuesday, Microsoft released its security updates for Patch Tuesday, which included the much-needed update for a zero-day vulnerability affecting Internet Explorer 9 and 10. The exploit for the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) was originally used in targeted attacks, but it has since been adopted by ordinary cybercriminals. As a result, the exploit now affects Internet users in general.

In this month’s Patch Tuesday, Microsoft also covered another Internet Explorer zero-day vulnerability that is being exploited in the wild. This flaw is known as the...
PraveenSingh | 11 Mar 2014 18:52:34 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing five bulletins covering a total of 23 vulnerabilities. Nineteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the March releases can be found here:

The following is a breakdown of the issues being addressed this...

Joji Hamada | 11 Mar 2014 15:22:59 GMT

A new spam campaign carrying an information-stealing malware attachment has been circulating since March 7, 2014. While spam emails are typically sent to many people, in this campaign the spammer has limited the targets to administrators of Japanese online shopping sites.

The attacker may have targeted these recipients for various reasons. Most online stores publish contact details on their Web pages, which makes them easy targets since their email addresses can be harvested by crawling those sites. The attacker could also have targeted the recipients to obtain the companies’ account details in order to steal data held by the stores. The attacker may also have wanted to compromise the shopping sites in order to carry out further attacks against the stores’ visitors.

The malware, detected as Infostealer.Ayufos, is a basic...