March 7, 2011

This Month in the Threat Webscape - February 2011


Month of February


Major Hits

Two major compromises affected the UK in February. Web sites for BBC - 6 Music and BBC Radio - 1xtra were compromised and were serving a malicious iFrame to the Phoenix exploit kit. In addition, AutoTrader, eBay, the London Stock Exchange, Myvue, and many other high-profile locations were hosting ads from an ad provider called Unanimis. This Malvertising campaign occurred over a weekend, and thus did not affect as many people as it might have during work days. The advertisement had an iFrame to another exploit kit that used attachs similar to the Black Hole exploit kit

Night Dragon attacks were also active.  Night Dragon targets U.S. oil, gas, and petrochemical companies. It steals proprietary and confidential information from executives, by using a combination of social engineering, Remote Administration Tools (RATs), and SQL injection attacks to gain access to external and internal hosts inside companies. It is believed that the attackers are based in China, which may be why the class of attacks is called Night Dragon. 

A leaderless and anarchical Internet group, Anonymous, declared war against HBGary Federal when their head of security services said he had uncovered and planned to release the identities of Anonymous’ leaders using social networking sites. Anonymous broke into HBGary Federal’s systems and released their internal confidential information. Whoops. 

Several thousands of small businesses and personal sites felt victim to an error of the U.S. Department of Homeland Security and Department of Justice. These Departments announced the seizure of several domains that were involved in the distribution of child pornography. In addition to closing those domains, they managed to shut down a popular shared domain that belongs to a free DNS provider - which resulted in disconnecting of other 84,000 web sites - subdomains of mooo.com. After the incident, several thousand site owners were able to witness a banner with a message stating that advertisement and distribution of child pornography is illegal.  

Researchers discovered a way of accessing passwords stored on iPhone and iPad. The method involves physical access to the device and takes no more than 6 minutes - enough time to carry out this procedure on stolen or unattended devices. 

Gambling addiction did not benefit the Hacker who has admitted stealing $12m worth of gaming chips. The hacker has transfered 400 billion gaming chips into his fake Facebook account after gaining unauthorized access into servers of a game developer Zynga, by posing as one of the site administrators.  Ashley Mitchell was trying to sell his illegal gain for about £180,000.

A major incident happened with Australian cosmetics retailer Lush - hackers managed to access and steal the company's entire customers database along with customers' credit card details. The company had not been aware of the vulnerablility, caused by not keeping the Web site updated, and could not identify for how long this security breach had been happening.  

Two major online dating sites, PlentyOfFish.com and eHarmony, got hacked, and the personal and password information of their users were believed to be exposed. Ethical and legal questions were raised regarding the companys' compensation toward such third-party security alerts.

A high-profile victim of malware attacks this month was Nasdaq. According to Nasdaq, there was no evidence that customer information had been exposed by breach. Investigations continue to assess whether the earlier anomalies in the stock market last summer were caused by stock exchange subversion activities.


Web 2 dot uh oh

A couple of Facebook security holes were discovered in February. First was an authentication flaw that allows a malicious Web site to disguise itself as other legitimate sites. This happens only when a malicious Web site is visited while the user is logged into Facebook. Second is yet another saga of clickjacking attacks, this time targetting Italian, Japanese, and Cyrillic audiences. Promises of interesting and perhaps controversial videos led Facebook users into clicking the "Like" button.

It's always interesting to see who viewed your Facebook profile. This statement is proven true as this scam is used over and over again to seduce users into adding shady applications that promise to do this, but instead lead to survey scams. You don't even have to be a developer to carry out these survey scams, because these are usually built using a pre-defined toolkit for only $25 or even less.

Something you know and something you have are the secret ingredients to Google's 2-factor authentication process, which hopes that any attempt to break into Google accounts would be next to impossible. This should serve well those users with weak passwords, because a required one-time password will be sent via text message or voice call whenever a user enters his or her password. This feature will be available to all of Google's free online services. 

Data war between Facebook and Google is the headline towards the end of February. Updates of Google's Nexus S Android phone will no longer appear as if Facebook contacts are integrated with its Android Contacts app. Until Facebook introduces an API similar to Gmail, this standoff has yet to be concluded. 


Browser and friends

Adobe delivered a group of patches in the early part of February. Although not the top threat source, PDF exploit is still a favorite of cyber criminals. In the security update for Adobe Reader and Acrobat, 29 vulnerabilities have been fixed, 23 of which could cause the application to crash and potentially allow an attacker to take control of the affected system. Meanwhile, 13 vulnerabilities have been patched for Adobe Flash Player and 21 vulnerabilities have been patched for Adobe Shockwave Player.

As the most targeted application by exploit, Java has a security update this month. Oracle patched 21 Java security holes; 19 of these vulnerabilities may be remotely exploitable.

Google has updated Chrome to 9.0.597.107 with 19 vulnerabilities fixed.

Also drawing attention is that Pwn2Own 2011 will be held in March in Vancouver. The conference will reward the hacker who successfully hacks IE, Safari, Firefox, or Chrome on a 64-bit system running the latest version of either OS X or Windows 7. Chrome was the only one that survivedast year; who will be the survivor this year?



On Patch Tuesday In February, Microsoft released twelve secruity bulletins. Three of them have a maximum severity rating of Critical. The first one MS11-003 resolves four vulnerabilities in Internet Explorer that could allow remote code execution when a user visits the specially crafted Web page. The second one MS11-006 is a patch for a newly released vulnerability (CVE-2010-3970) last month in Windows Shell Graphics Processing.  The last critical update MS11-007 resolved a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The other nine bulletins are rated “important”. The whole patch can be applied to the Microsoft Windows operating system, the Internet Explorer browser, the Microsoft Office productivity suite, Visual Studio, and IIS. However, the recently disclosed cross-site scripting vulnerability in MHTML was still not fixed in February. 

In addition to the twelve security updates, Microsoft also released an important but non-security advisory (967940) related to Windows Autorun. The update provided a live package to restrict AutoPlay functionality to only CD and DVD media, in order to help protect customers from attacks involving the execution of arbitrary code by Autorun when a USB flash drive is inserted, with network shares, and with other non-CD media containing a file system with an Autorun.inf file.

In the middle of February a new vulnerability was discovered exploiting an SMB component of Windows. MS SRD quickly posted a blog on this vulnerablity stating that remote exploited code execution is unavailable.

At the end of February, Microsoft published a security advisory (24918888) to remind customers to be aware of an update to the Microsoft Malware Protection Engine. This is a privately reported vulnerability that could allow elevation of privileges if the Microsoft Malware Protection Engine scans a system just after an attacker who has valid login credentials and is using a specially crafted registry key. However, the vulnerability could not be exploited by anonymous users.


Hello ThreatSeeker. You've got mail!

A recap of the past month kicks off with a noticeable increase in spam, as well as spammers going green, having recycled templates or made modifications to slightly older campaigns, in order to present these with a more current theme or touch, offering a convincing effect to all who read them.

This was followed with the repeat offender the Magic blue pill with its mystical attributes, just in time for the Valentines Day rush. This again was aligned almost perfectly with the season to stock up for couples planning romantic getaways. Spammers prove time and time again that they are very much in touch with hot trends and what is current. 

Last, but by no means least, we have the use of social engineering techniques to lure the unsuspecting user into clicking on a provided link within an email. The email message titled "The refreshed site of our company", was not seen in high volumes but was quite an interesting find all the same, because there were common characteristics with malicious style compromises crossing over into the spam domain. This then begs the question: could there be a direct correlation between the two? 






Security Trends

Tippingpoint released 22 not patched vulnerabilities from different vendors. Tippingpoint is the operator of the "Zero Day Initiative" bug bounty program. They announced that they would release details 180 days after they become aware of a bug, even if the vendor has not yet released a patch. 

Spam image pages have been swapped for scam alerts on imageshack.us. Imageshack said they were able to find over 300 scam images uploaded to their services and were able to replace them with an alert image within an hour of their being reported. 

Suspicious companies were started to pay writers money to embed spyware into mobile applications. Mobile users typically have less control of their devices than PC users; therefore more care should be taken when you install applications onto mobile devices. 

Visa has relaxed its regulatory rules so that European high street merchants who capture at least three-quarters of their take through EMV-enabled chip-and-PIN terminals will no longer have to pass Payment Card Industry Data Security Standard (PCI DSS) audits every year.


This month's roundup contributors:
Artem Gololobov
Ping Yan
Grace Timcang
Ulysses Wang
Xue Yang
Amon Sanniez
Lei Li


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.

Read more articles by Forcepoint

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.