P2P: “work from home” mule recruitment and Citibank scam

hi guys, as you know, i follow p2p very closely, and see many marketing
and opt-out scams.

the latest one is these two texts. i think it’s pretty neat that the bad
guys seed p2p like this!

this…:

top 10 home based jobs – genuine opportunities
i. surveys2 (more…)


Real life uses for vulnerabilities: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

as can be seen in the quoted message below –

so, here we go. real-life uses for vulnerabilities.

below is an example of just one “drop-zone” server in the united states, which has “600 financial companies and banks”.

several gigs of data.

how do these things work?
(more…)


Firefox 2.0 with phishing detection arrived

Firefox version 2.0 is officially out now.

Mozilla Foundation has introduced a new Phishing Protection page at the same time:

Firefox 2 contains a built-in Phishing Protection feature that warns you of suspected Web forgeries, and offers to take you directly to a search page so you can find the real Web site you were looking for. You can test the Phishing Protection feature by browsing to this test site.

The Known Vulnerabilities in Mozilla Products page will likely be updated shortly too.

It appears that most of the localized builds are available.

Update 26th Oct: There were no security fixes included this time.


Money Mule Recruitment Over IM

how many times have you received an email offering “work from home” or 75k a year? these are money mule recruitment emails.

a money mule is much like a drug mule: the mule acts as a middle-man who moves the money. if, say, an eastern european mobster wants the money he stole by phishing from a bank account in the us, he has to transfer that money somehow.

the money mule receives the money, keeps a small percentage and sends the rest via western union, which is hard to trace, laundering it.

today was the first time we observed a money mule recruitment happening on instant messaging.

be careful about what you believe, no matter if it arrives via email, the phone or im.

gadi evron,
ge@beyondsecurity.com.


ISOI II – a DA Workshop (announcement and CFP)

the second internet security operations and intelligence (isoi) da workshop will take place on the 25th and 26th of january, 2007. it will be hosted by the microsoft corporation in redmond, wa. an after-party dinner will be hosted by trendmicro.

this workshop’s main topic is botmaster operational tactics: the use of vulnerabilities and 0day exploits in the wild by spyware, phishing and botnet operations for their businesses.
secondary subjects include ddos, phishing and general botnet subjects.
(more…)


Wikipedia Abused in a Nigerian Scam [updated]

apparently, this guy spammed himself and referred to a wikipedia article he created to give himself credibility.

cute! :)

phishing by wikipedia? the admins will probably notice this soon and remove it, but if this becomes as common-place as comment spam has, i am not sure they can handle the over-head. this is about money, and the bad guys make a lot.

it’s also possible this is a joe job on someone real.

update:
the entry in wikipedia appears to be about a real person related to organized crime. i wonder why he of all people was chosen to be used in this scam?

hello dear friend!!!
from:
vladimir ivanov (vladimir ivanov)
to:
alexdu4@bellsouth.net
date:
today 18:11:52
(more…)


setSlice() exploitation in the wild – MASSIVE

exploit code is available:
http://www.milw0rm.com/exploits/2440

sans diary:
http://isc.sans.org/diary.php?storyid=1742

and this is so massively exploited it makes the vml exploit look cute. the payload includes a rootkit, some other malware, and Haxdoor (a phishing trojan horse).

thanks to roger thompson at explabs.com for first reporting it.
(more…)


Identities Lost in Phishing

i just opened this discussion on the phishing mailing list. you are all invited to join in.

as i often comment, it is funny to me (not really but hold on) when people scream about this or that organization losing a laptop with 20k identities. what’s 20k?

obviously that is important, and speaks volumes of corporate security and of privacy issues. still, it is insignificant in a laughable fashion when compared to what’s being stolen daily online.

every day, millions of online identities and website credentials are lost. millions. every day. (more…)


Passwords people use on MySpace from a phishing site

this is from /. today. the author happened upon a phishing site with an open directory index. he proceeded to find the phisher’s database, where he analyzed passwords that were there for myspace.

although somewhat problematic statistically, his results are very interesting:

http://cyber-knowledge.net/blog/2006/09/16/analyzing-20000-myspace-passwords/

gadi evron,
ge@beyondsecurity.com.
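As an added example, not the analysis from the linked post and not code from this blog, here is the kind of composition breakdown one would run over a recovered credential dump. The password list is constructed for illustration, not real MySpace data; and keep the post’s caveat in mind: a phisher’s database only contains the people who fell for the lure, so the sample is self-selected.

```python
"""Composition statistics for a leaked password list.

Added example, not the analysis from the linked post. SAMPLE_PASSWORDS is a
constructed list for illustration, not real MySpace data.
"""
from collections import Counter

SAMPLE_PASSWORDS = [  # constructed sample, duplicates included on purpose
    "password1", "fluffy", "jessica1", "Soccer12", "abc123", "password1",
    "iloveyou", "monkey", "qwerty", "Mustang!7", "123456", "fluffy",
]


def charset_class(password: str) -> str:
    """Bucket a password by the character classes it uses."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    other = any(not c.isalnum() for c in password)
    if other:
        return "with-symbol"
    if (lower or upper) and digit:
        return "letters+digits"
    if digit:
        return "digits-only"
    if lower and upper:
        return "mixed-case-letters"
    return "letters-only"


def summarize(passwords: list) -> dict:
    """Return the numbers an analyst would want from a credential dump."""
    n = len(passwords)
    if n == 0:
        raise ValueError("empty password list")
    counts = Counter(passwords)
    return {
        "total": n,
        "unique": len(counts),
        "mean_length": sum(len(p) for p in passwords) / n,
        "length_histogram": dict(sorted(Counter(len(p) for p in passwords).items())),
        "charset_classes": dict(Counter(charset_class(p) for p in passwords)),
        # Trailing digit is the classic policy-driven pattern: word + "1".
        # p[-1:] keeps this safe for empty strings, which do occur in dumps.
        "ends_with_digit": sum(p[-1:].isdigit() for p in passwords) / n,
        "top": counts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PASSWORDS).items():
        print(f"{key:17} {value}")
```

The "unique" versus "total" ratio and the "top" list are the first things to look at: repeated entries in a phishing database often mean the same victim submitted the form several times, which skews any per-user statistic if not deduplicated first.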


Spammy redirects

While tracking webspammers, I’ve seen more and more use of redirects from whatever web service the spammers can utilize. That includes Blogspot, free phpBB forum sites, Plone, and even hacked websites.

Basically, whatever they can use, they will.

We’re getting used to free services being used for redirects, but when they start turning our own websites against us, it’s time to wake up. (more…)


Public Phishing Mailing List Now Active

the public phishing discussion mailing list is now active:
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing

gadi evron,
ge@beyondsecurity.com.


Exploiting Google for Phishing

from eric farraro’s software.dev blog:

yesterday i mentioned that i had discovered an exploit in a little known service from a major web company. it turns out that that exploit is in a little known service called ‘google public service search’. this service is meant for universities or other non-profit organizations to add a ‘google’ search to their website. it differs from the other free google site search in that it allows you to customize the header and footer of the search results page. it’s interesting to note that the code for your header and footer is actually hosted by google, on their server.

meaning, you can embed your own code there. ’nuff said. this went full disclosure on the guy’s blog, but google has already seen it and taken care of it, as the site now returns a 403 when you attempt to reach it.

still, google has yet to fix their open redirectors, which have been publicly used for phishing users for a very long time now. that is not a very easy problem to solve, but we haven’t seen any commitment from google to solve it, either. (more…)
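The open-redirector problem mentioned here and in the "Spammy redirects" post above comes down to one weak pattern: a web service sends the browser wherever a URL parameter says, so a spam link can show a trusted domain and still land on the phish. The following is an added example, not code from this blog, from Google or from any of the services named; the host name, parameter names and URLs are assumptions for illustration. It puts the vulnerable pattern next to a hardened one and adds a small triage helper for spotting redirector links while tracking spam.

```python
"""Open redirect: the pattern spammers abuse, next to a hardened version.

Added example, not code from the original post, Google or any of the named
services. OUR_HOST and the parameter names are assumptions for illustration.
"""
from urllib.parse import parse_qs, urljoin, urlparse

OUR_HOST = "forum.example.org"  # assumed: the site that hosts the redirector


def vulnerable_redirect_target(next_url: str) -> str:
    """The weak pattern: the 'next' parameter is trusted as-is, so a spam
    message can link to https://forum.example.org/login?next=http://phish...
    and the victim sees a trusted domain before landing on the phish."""
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Hardened pattern: only same-site, absolute-path targets are allowed.

    Anything else (full URLs, scheme-less //host URLs, backslash or
    whitespace tricks, javascript: URLs) falls back to the default page.
    """
    if not next_url or not next_url.isprintable():
        return default
    # Backslashes and whitespace are normalised differently by browsers and
    # URL parsers; reject them rather than guess how they will be read.
    if any(ch in next_url for ch in "\\ \t"):
        return default
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:      # http://..., javascript:..., //host
        return default
    if not next_url.startswith("/") or next_url.startswith("//"):
        return default
    # Belt and braces: resolve against our own origin and confirm the host.
    resolved = urlparse(urljoin(f"https://{OUR_HOST}/", next_url))
    if resolved.netloc != OUR_HOST:
        return default
    return next_url


def embedded_redirect_targets(url: str) -> list:
    """Triage helper for tracking web-spam links: list absolute http(s) URLs
    smuggled inside the query string of a suspected redirector."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append(value)
    return found


if __name__ == "__main__":
    for candidate in ["/profile?id=7", "http://phish.example/login",
                      "//phish.example/login", "/\\phish.example",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)!r}")
    print(embedded_redirect_targets(
        "http://someblog.blogspot.com/redir?u=http://phish.example/login&x=1"))
```

The design choice worth noting is that the hardened version allow-lists a shape (an absolute path on our own host) rather than block-listing bad prefixes; block-lists are exactly what the `//host`, `\` and `javascript:` variants slip past. Where a service genuinely needs to send users off-site, the usual fix is a signed or indexed link table rather than a free-form URL parameter.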


ATM hack

dd had a nice post today by halvar on an atm fraud:
http://home.hamptonroads.com/stories/story.cfm?story=110889&ran=223062

according to nathan landon, who provided more details:

they showed it on the news here in virginia. they have security camera footage of the guy who they believe is the perpetrator trying to pull out $250 and getting $1000. he did this twice apparently. he doesn’t look like the “engineer” type. they reported that he was able to turn on the glitch through a series of entered numbers. doubtful he knew what he was doing otherwise he could have turned it off between attempts. (more…)


Phishers can include address of victim too

This case needs more investigation.

Viruslist.com reports about the case where

…the phisher included not only the email of the intended victim, but also the postal address.

Sample case and image via Kaspersky Viruslist blog.

The IP address listed in the sample message is 81.190.253.29. I don’t know whether it is a working hyperlink in the message, but the owner information is the following:

netname: MULTIMEDIA-POLSKA-9
descr: Multimedia Polska Sp. z o.o.
descr: Cable TV Provider
descr: Gdynia
country: PL (Poland)

The HTML e-mail message lists the current address of Mr/Mrs Igor XXXX in Moscow. The post office number is included too.
How reliable would this method be? Is the phisher’s purpose to present an IP address tied to an unsuccessful access attempt from another country (to be more convincing), or something else?
Even in small Finland;-) we have seen two attacks collecting e-mail addresses with scripts. Phishers can build databases of this information and combine it with the workstation IP addresses they gather, but again, how reliable is this?

The ongoing Barclays case is very wide and phishers are trying several methods now.


APWG: More new phishing Web sites than ever

The number of unique phishing sites detected by the Anti-Phishing Working Group (APWG) in July is more than 14,000. Yes, the number is the highest in APWG’s history.

The exact number is 14,191, compared with ‘only’ 10,147 sites in June and fewer than 12,000 in May.

The number of phishing reports received by the group in July is 23,670; July’s numbers are the newest available.

This is a count of unique phishing email reports received by the APWG from the public and its research partners.

says the report, which lists about 28,500 reports for June.

Phishing Activity Trends Report from July ’06 is located at
www.antiphishing.org/reports/apwg_report_july_2006.pdf
[PDF of nine pages].

How can the number of sites rise while the number of reports falls? The answer is that the number of servers (or compromised home computers) used per attack keeps increasing.

We can also read that the number of brands and legitimate entities hijacked by phishing attacks was 154 in July ’06, again the highest in APWG’s history.

The average time a phishing site stays online before it is taken down is 4.8 days (that’s too long!). The longest a site stayed online within the period was 31 days (hard to believe, but true).

Very interesting reading!


The World of Botnets – a Virus Bulletin Article

in the latest edition of the virus bulletin magazine (september 2006), a featured article on botnets called “the world of botnets” by dr. alan solomon and myself was published.

all copyright to this article belongs to virus bulletin. virus bulletin is an ad-free professional magazine mostly read in the anti-virus world.

we are allowed to share the article with you on our blogs or company websites, providing the above reference to the vb journal is added with a copyright notice.

you can find the article here.

we would love to hear comments and input! :)

gadi evron,
ge@beyondsecurity.com.
