Hacking & Security
Security is an essential part of a web application and should be taken into consideration from the first stage of the development process. A website couldn’t ever be secure enough unless you would undertake necessary security initiatives to protect the web server from all breaches, because hackers can easily penetrate a web mechanism by exploiting […]
The mobile encryption app NQ Vault has been in the news for bad reasons. Mobile encryption apps are commonly used to prevent access to sensitive data on the phone (such as images, videos, documents and so on). These encryption apps usually offer a vault with your desired password. You can push any secret files to […]
Oh, how procrastination gets all of us! April 15th is the U.S. tax deadline and it looks like most of us will be coming down to the wire on declaring our taxes and holding our collective breath in expectation of that sweet, sweet refund. Sadly, our malware writing friends are aware of this and their discipline has proven far superior. Knowing that many are on the lookout for emails from the Internal Revenue Service concerning pending refunds, criminals have crafted some of their own:
The attachment is actually a Trojan-Downloader.MsWord.Agent malware, built by the same group behind the recent LogMeIn malicious campaign described here.
The infection scheme is very similar to the aforementioned, however, the threat actor has moved on from abusing Pastebin entries and has instead hacked a Web server in China to host the instructions script file. This file as well as the download URL are also encoded in Base64 and the resulting payload is actually ransomware.
URLs embedded in the malicious macros leading to a Base64 encoded instructions script file and the payload URL below
Instructions files with the URL to the ransomware payload
The malicious ransomware payload is detected by Kaspersky Anti-Virus as Trojan-Ransom.Win32.Foreign.mfbg
Due to the reliance on the IRS branding, this particular malicious campaign is mostly focused on US citizens and permanent residents of the USA.
Prosecutors say they have evidence indicating the former head of computer security for a state lottery association tampered with lottery computers prior to him buying a ticket that won a $14.3 million jackpot, according to a media report.
Eddie Raymond Tipton, 51, may have inserted a thumbdrive into a highly locked-down computer that's supposed to generate the random numbers used to determine lottery winners, The Des Moines Register reported, citing court documents filed by prosecutors. At the time, Tipton was the information security director of the Multi-State Lottery Association, and he was later videotaped purchasing a Hot Lotto ticket that went on to fetch the winning $14.3 million payout.
In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren't connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal.
As people become more aware of the threat of targeted "phishing" attacks via e-mail and social media, malware-armed attackers are turning to new ways to target specific victims where they least expect it—by exploiting the legitimate websites they frequent and assume to be secure. Last week, Swiss security firm High-Tech Bridge disclosed that the Web store of a corporate customer had been used to deliver a targeted attack against a specific site visitor. The attackers were also able to retrieve the store's customer database, which they may have used to search for desirable targets.
The attack exploited a current and patched version of osCommerce Online Merchant (version 2.3.4, released last June), a common Web store content management system used by a number of high-profile companies—including Canonical's Ubuntu Shop. The attacker inserted malicious PHP script that provided a backdoor into the site and could be configured to check users' IP addresses and login credentials for specific targets as they visit the site. Once a desired target is detected, the script attempts to download malware to the victim from another site. The attacker can then remotely delete the backdoor and altered PHP files and replace them with the original by connecting to the script with a "?del" parameter added to its URL.
The backdoor script is labeled as "osCommerce 2.x.x universal pwner by Piht0z," and it's just that: a generic PHP-based backdoor for osCommerce sites. According to Ilia Kolochenko, High-Tech Bridge's CEO, there have been similar cases of targeted attacks on users of e-commerce sites before, but "it's the first time we see a universal backdoor for a large e-commerce platform," he said in a blog post about the discovery. "This means that hackers started using this vector on a regular basis to achieve their goals."