Tuesday 24 July 2007

Empireonline.com compromised


The popular movie site Empireonline.com was compromised this morning (around 9am UK time) with a rogue IFRAME injected into its pages. The site now appears to be fixed.

The IFRAME connects to a page called g.htm on g.ignfile.cn which appears to be a malware server hosted on 61.151.239.13 in China. For obvious reasons, I'm not including a clickable link but see the screenshot of the source below:



g.htm loads a couple of IFRAMES and has a web counter.



014.htm has some nasty obfuscated JavaScript:



The other IFRAME loads imags1.htm, which leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked and that the site owners are unaware of the problem.



Both appear to be using variants of the MS07-017 vulnerability (the GDI/animated cursor bulletin) from April 2007, although the nature of the payload is uncertain.

In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.
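The injection described above is the kind of thing a simple source scan catches. The following is an added example (not code from the original post, and not the real Empireonline.com source): it parses captured HTML and flags every IFRAME that points off-site, is hidden or zero-sized, or whose host is on a known-bad list. The two hostnames in KNOWN_BAD_HOSTS are the ones named in the post; SAMPLE_HTML is constructed to resemble the injection and the third-party embed host is invented.

```python
"""Scan captured page source for injected IFRAMEs.

Added example, not code from the original post: flags every <iframe>
that points off-site, is hidden or zero-sized, or whose host is on a
known-bad list.  KNOWN_BAD_HOSTS holds the two hosts the post names;
SAMPLE_HTML is constructed and is not the real Empireonline.com source.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"g.ignfile.cn", "sexbb888.com"}  # hosts named in the post

# Constructed sample: one same-site frame, one legitimate third-party
# embed (invented host), and two frames shaped like the injected ones.
SAMPLE_HTML = """<html><body>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://widgets.example.net/trailer" width="300" height="200"></iframe>
<iframe src="http://g.ignfile.cn/g.htm" width="0" height="0"></iframe>
<iframe src="http://sexbb888.com/imags1.htm" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # valueless attributes come through as None; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _same_site(host, page_host):
    """True for the page's own registrable domain and its subdomains."""
    return host == page_host or host.endswith("." + page_host)


def _is_hidden(attrs):
    """Zero/one-pixel dimensions or CSS hiding: classic drive-by tells."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reason, ...]), ...] for frames worth a second look.

    page_host is the site's registrable domain, e.g. "empireonline.com".
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own host.
        host = urlparse(src).hostname or page_host
        reasons = []
        if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            reasons.append("known-bad host")
        if not _same_site(host, page_host):
            reasons.append("off-site")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "empireonline.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Off-site alone is only a weak signal (ad networks and video embeds are off-site too), which is why the legitimate third-party frame in the sample is reported with a single reason while the injected frames stack three. In practice you would run this over a cached copy of the page after each deploy and alert on the "hidden" and "known-bad host" reasons, treating "off-site" as informational.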

Friday 20 July 2007

Wheredidyoubuythat.com spam II

Another phish sent to the compromised Wheredidyoubuythat.com mailing list, again targeted at the UK. Again, there is no evidence that Wheredidyoubuythat.com is actually sending out these phishing emails, but they're being sent to an address ONLY ever used to buy from their web site.

Subject: Account Update
From: "Halifax Plc."
Date: Fri, July 20, 2007 6:58 am
To: *****************

Security Center Advisory!

Dear Customer

Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.

Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .

However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Security Center Advisory
Halifax PLC.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to our account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

Thank you for using Halifax!

Thursday 19 July 2007

Wheredidyoubuythat.com spam

Online gift shop Wheredidyoubuythat.com had its email database compromised a little while ago. I'm currently getting a spate of fraudulent emails sent to an address used only for Wheredidyoubuythat.com and nothing else. Although I don't believe that they are responsible for the fraudulent spam, equally they never responded to my report that they had had a security breach. Approach that particular merchant with care.

The fraudsters are currently sending UK-targeted spam to the addresses, which indicates that they know full well where the harvested email addresses come from.

To: ***********
From: LloydsTSB Online Banking
Subject: Account Update

Dear Customer

Lloydstsb Bank has been receiving complaints from our customers for unauthorised use of the Lloydstsb Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.


Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .


However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

Thanks for your co-operation.

Fraud Prevention Unit
Legal Advisor
Lloydstsb Online Banking
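The LloydsTSB phish above and the Halifax phish from the following day (the "Wheredidyoubuythat.com spam II" post) are the same template with the bank name swapped. The following is an added example, not code from the original post: it masks brand words, builds word-level shingles and measures Jaccard similarity, so template reuse across brands becomes a number you can cluster on. LLOYDS and HALIFAX are the page's own samples trimmed to the body text; LEGIT is a constructed non-phish control; BRAND_WORDS and the 0.7 threshold are assumptions.

```python
"""Fingerprint a phishing template across brand swaps.

Added example, not code from the original post.  LLOYDS and HALIFAX are
the two phish bodies quoted on this page; LEGIT is a constructed control
message; BRAND_WORDS and the 0.7 threshold are assumptions.
"""
import re

# Tokens that change between brand variants of the same kit (assumed list).
BRAND_WORDS = {"halifax", "lloydstsb", "lloyds", "tsb", "plc", "bank"}

LLOYDS = """Dear Customer
Lloydstsb Bank has been receiving complaints from our customers for unauthorised use of the Lloydstsb Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.
Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .
However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
Thanks for your co-operation.
Fraud Prevention Unit
Legal Advisor
Lloydstsb Online Banking"""

HALIFAX = """Security Center Advisory!
Dear Customer
Halifax PLC. has been receiving complaints from our customers for unauthorised use of the Halifax Online accounts. As a result we are making an extra security check on all of our Customers account in order to protect their information from theft and fraud.
Due to this, you are requested to follow the provided steps and confirm your Online Banking details for the safety of your Accounts. Please Click Here To Start .
However, Failure to do so may result in temporary account suspension. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
Thanks for your co-operation.
Fraud Prevention Unit
Security Center Advisory
Halifax PLC."""

# Constructed control: a plausible genuine notification, not from the page.
LEGIT = """Dear Customer
Your June statement is now available. Log in and choose Statements to view it.
Regards, Customer Services"""


def normalise(text):
    """Lowercase, keep only alphabetic words, mask brand names as <brand>."""
    words = re.findall(r"[a-z]+", text.lower())
    return ["<brand>" if w in BRAND_WORDS else w for w in words]


def shingles(words, k=4):
    """Set of overlapping k-word windows; k=4 tolerates small edits."""
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def template_similarity(a, b, k=4):
    """Jaccard similarity of the two messages' normalised shingle sets (0..1)."""
    sa, sb = shingles(normalise(a), k), shingles(normalise(b), k)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def same_template(a, b, threshold=0.7):
    return template_similarity(a, b) >= threshold


def cluster(messages, threshold=0.7):
    """Greedy grouping: each (name, text) joins the first cluster it matches."""
    clusters = []
    for name, text in messages:
        for group in clusters:
            if same_template(group[0][1], text, threshold):
                group.append((name, text))
                break
        else:
            clusters.append([(name, text)])
    return [[name for name, _ in group] for group in clusters]


if __name__ == "__main__":
    print(f"lloyds vs halifax: {template_similarity(LLOYDS, HALIFAX):.2f}")
    print(f"lloyds vs legit:   {template_similarity(LLOYDS, LEGIT):.2f}")
    print(cluster([("lloyds", LLOYDS), ("halifax", HALIFAX), ("legit", LEGIT)]))
```

The brand mask is what makes the two samples score as one template rather than two: without it every shingle touching "Lloydstsb" or "Halifax" counts as a difference. The same normalisation is a cheap way to tie a new phish back to a kit you have already seen, even when the sender, link and brand have all changed.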

Monday 16 July 2007

"Sup-Cables International Limited" scam

"Sup-Cables International Limited" is another money mule scam - the basic operation here is usually laundering stolen money or cashing fake cheques. There is no such company, and any company of a similar name will be unrelated to this fraud.

Note the reverse psychology used with lines such as "if anybody gets away with our money they will definitely get hold of such individual and will face the full wrath of the law".



Dear Sir/Madam,

Sup-Cables International Limited is a Latvian textile company.We
produce and distribute clothing materials such as batiks,assorted
fabrics and traditional costume worldwide.We have reached big sales
volume of textile materials in the U.S and now are trying to penetrate
the Europe market. Quite soon we will open representative offices or
authorized sales centers in Europe and therefore we are currently
looking for people who will assist us in establishing a new
distribution network there. The fact is that despite the Europe market
is new for us we already have regular clients also speaks for itself.

WHAT YOU NEED TO DO FOR US?
The international money transfer tax for legal entities (companies) in
Latvia is 25%,whereas for the individual it is only 7%.There is no
sense for us to work this way, while tax for international money
transfer made by a private individual is 7% That's why we need you! We
need agents to receive payment for our textiles ( in American express,
cashier and official checks) and to resend the money to us via Money
Gram or Western Union Money Transfer. This way we will save money
because of tax decreasing.

JOB DESCRIPTION?
1. Receive payment from Clients
2. Cash Payments at your Bank
3. Deduct 10%, which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage/pay to any of the
offices you will be contacted to send payment to/ or any of our
clients overseas (Payment is to be forwarded by Money Gram or Western
Union Money Transfer).

NOTE: All charges of the WESTERN UNION MONEY TRANSFER will be deducted
from the money, so you are rest assured that you wouldn't spend a dime
out of your personal money.

HOW MUCH WILL YOU EARN?
10% from each operation! For instance: you receive 4000 USD via checks
on our behalf. You will cash the money and keep 200 USD(5% from the
money you receive ) for yourself! At the beginning your commission
will equal 5%, though later it will increase up to 10%!

ADVANTAGES
You do not have to go out as you will work as an independent
contractor right from your home office. Your job is absolutely legal.
You can earn up to 3000-4000 USD monthly depending on time you will
spend for this job. You do not need any capital to start. You can do
the Work easily without leaving or affecting your present Job. The
employees who make efforts and work hard have a strong possibility to
become managers.
Anyway, our employees never leave us. But the problem we have is
trust, we have made arrangement with the FBI in Washington, that if
anybody gets away with our money they will definitely get hold of such
individual and
will face the full wrath of the law.

MAIN REQUIREMENTS
18 years or older,legally capable,Responsible ready to work 3-4 hours
per week.With PC knowledge e-mail and internet experience
(minimal).Please know that everything is absolutely legal.If you are
interested in our offer, please respond with the following details in
order for us to reach you:

# FULL NAME:..............
# CONTACT ADDRESS:..........
# PHONE NUMBERS:(Valid and Working)..........
# AGE:.............
# SEX:..............
# OCCUPATION:........
# MARRIAGE STATUS:.......
#YOUR BANK NAME:(only your bank name and nothing else)........

Thanks for your anticipated action. And we hope to hear back from you.

PETER HARRISON
(Director)

Wednesday 11 July 2007

MS07-039 clarification


Yesterday was Patch Tuesday, and amongst the usual load of vulnerabilities was MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122). In this case Microsoft are a little vague about exactly which servers are impacted, referring only to "Active Directory Servers".

Well, what are Active Directory Servers? If you're running an AD environment then every server is a member server of Active Directory. Does this mean that all servers need patching, or is it restricted to Domain Controller (DC) and Global Catalog (GC) servers only? Patching DCs and GCs isn't too big a deal; patching every server for MS07-039 would be a nightmare.

One clue is in Knowledge Base article 926122, which explains that this really is limited to servers performing the DC/GC role:

A hotfix was created to work around a problem in which the domain controller has to be restarted to let users renew their certificates. However, this hotfix let any user renew a certificate. This security update includes a hotfix to modify this behavior. After you install this security update, authentication is required for certificate renewal.

After you install this security update, only domain administrators and network administrators can renew certificates. Also, an administrator cannot delegate the right to renew certificates.

For such a critical vulnerability, Microsoft's wording is particularly vague. It does seem that the update doesn't apply to member servers, just to Domain Controllers (including Global Catalog servers, FSMO role holders etc). When scoping the deployment, work from the bulletin's affected-software table rather than the summary text. These are critical servers, so patch them soon, before the bad guys get to them.

Tuesday 10 July 2007

Another employment scam


Received a few of these from the faked name "Colin Scowcroft" (you can be assured that no real person of that name is involved). It's clearly fraudulent, although the scammer is vague about the exact nature of the job. Typically this will be money laundering, processing fake or bogus cheques, or handling goods obtained through fraudulent online auctions.

Dear employee,

Our International Corporation is looking for new employees on various vacancies. We suggest you financial Independence right now. Only our corporation can offer you to gather a good income in a short period of time. You do not need to invest any sum of money and we do not ask you to provide us with your bank account requisites! We are engaged in completely legal activity and working in our corporation you can achieve career growth at a permanent job. We are looking for representatives from any point of the world. Average earnings of our employee is 3450-4500$ per month, but you can earn much more. Here is the top 10 of our representatives' salaries:

Top 10 employees
Per month:
1. 45750 $
2. 42185 $
3. 38590 $
4. 25808 euro
5. 32000 $
6. 15700 GBP
7. 27200 $
8. 24300 $
9. 22750 $
10. 18730 $

It is easy to be in ours Top 10! Everything is simple enough and it depends only of you. We are waiting the creative approach and purposefulness from our employees. You can work full time or part time. You determine the schedule of you work at our corporation. We pay you for result. The best regional representative becomes the head of regional office of our company and receives a full social packet and bonus at a rate of 50 % from his annual salary. Many of our employees have made excellent career, received full financial independence and have embodied all their dreams in a reality less than in 2-3 years of working in our company.

The preference is given to employees with knowledge of foreign languages. If you are interested in our offer please send us the following information:
1) Full name
2) Address of residing
3) Phone numbers
4) Languages
5) Part time job/Full time

Please send this information to our email: sockadverttadvert2k7[at]yahoo.com
Please specify in the subject line: Application for the local rep position. Number 100711

If you are not interested in our offer or you received this email by mistake please reply with Unsubscribe in subject line and specify all your emails addresses to unsubscribe44919 (at) gmail.com.
We apologize In advance.

Yours faithfully,
Colin Scowcroft

Any legitimate job offer would already have most of your contact details, and it wouldn't be sent from a Yahoo! email account. There's no company name or address, no description of the work, no contact telephone number or anything else. Of course, some scammers do go the extra mile with a fake website and phone number, but not in this case.

Monday 9 July 2007

Google to acquire Postini for $625m

Big business, this spam thing. Google has just announced a $625m plan to buy Postini (more here). The deal is an outright cash purchase to be completed by the end of Q3 2007.

Postini is best known for its corporate spam filtering service, but it is also active in instant messaging security, compliance and mail archiving. These neatly complement Google's application range (especially products like Gmail/Google Mail). It will also bring Google some large blue-chip corporate customers that have so far been outside its reach.