Friday, 29 May 2009

Romanian Immigrant Gets Eight-and-a-Half-Year Prison Sentence

A Minneapolis federal judge has sentenced Sergiu Daniel Popa, 23, from Shelby Township, Michigan, to eight and a half years in prison for running a phishing scheme that lasted almost seven years and caused $700,000 in losses.

Popa emigrated to the U.S. from Romania and started his illegal online activities in June 2000, at the early age of 14. Over the next seven years, up to February 2007, he grew into a dealer of stolen personal and financial information who was fairly respected on the black market.

From his homes in New York and Michigan, the Romanian teenager orchestrated multiple phishing schemes, which targeted the customers of financial institutions such as Citibank, PayPal and SunTrust. By sending e-mails in the name of those organizations, Popa tricked his victims into inputting their banking and personal details into fake websites that he operated.

The phisher moved to Spain in 2007, from where he was extradited back to the United States in June 2008. He subsequently pleaded guilty in October to one count of aggravated identity theft and possession of unauthorized access devices. According to the plea agreement, his scams affected over 7,000 people, who suffered combined losses of around $700,000.

In addition to running the scams, Popa is also said to have sold a phishing kit, complete with documentation, to other spammers. A single file discovered in his Yahoo! account contained financial and personal information on 5,800 victims, and the FBI reportedly found devices and materials for forging credit and identity cards at his house.

"Because there were so many victims who were hurt badly, the court believes the sentence is appropriate in order to protect the public," explained Judge John Tunheim for the local media. "There needs to be a deterrent to others who are trying similar crimes over the Internet," he added.

"What's eyebrow-raising to me is just how young Popa was when he started his identity fraud escapade. […] In the old days (back in the late 1980s and 1990s), it wasn't unusual for virus writers to be in their teens but this is a much more serious offence than the attention-seeking kind of malware writing we saw in yesteryear," commented Graham Cluley, senior technology consultant at antivirus vendor Sophos. "I guess Popa will have plenty of time now to reflect upon the mistake he made following a life of crime, rather than finding some other avenue for his interest in computer technology," he concluded.

Source : softpedia

SMS Ransomware for Sale on the Russian Black Market

The ransomware model is really taking off and is becoming available even to the inexperienced cybercriminal who lacks the coding skills to make his own malware. Security consultant and researcher Dancho Danchev reports that an SMS-based ransomware variant can be acquired for prices starting at $10.

Ransomware refers to malicious software that blocks access to certain functionality, files or the entire operating system and capitalizes on the user's desire to regain full control of his computer. This is achieved through social engineering, which attempts to make the victim believe that the application is actually his salvation rather than his enemy.

Security researchers speculate that ransomware is the next step in the evolution of scareware (rogueware), malicious software that deceives users by scaring them into acquiring useless licenses, usually by claiming that their computers are infected. Since the beginning of the year, we have reported on three new threats holding infected computers for ransom: FakeAlert-CO, also known as System Security 2009, the Brazilian Byte Clark and FileFix Pro 2009.

This latest piece of malware drops a file in the system32 folder and creates start-up registry entries for itself. Called SMSLock by experts, the malicious application runs at system boot and prevents the desktop from being displayed. Furthermore, it locks all windows and the Task Manager and blocks attempts to remove it.

The user is presented with an alert box claiming that Microsoft has launched an anti-piracy initiative and that an SMS costing $1 must be sent to a special phone number in order to receive an unlock code. A customized variant, with the client's own SMS information, is available for sale at only $10.

An additional $5 buys a custom version that is not yet detected by the major antivirus engines. For more knowledgeable cybercrooks who want to make more advanced changes to the application, its source code is offered for $50.

"With the emerging localization on demand services offering translations for phishing, spam and malware campaigns into popular international languages, it wouldn't take long before the SMS ransomware starts targeting English-speaking users next to the hardcoded Russian speaking ones for the time being," warns Dancho Danchev.

Source : softpedia

The Telegraph Website Leaks Subscriber Information

Romanian grey-hat hacker Unu has hit the Daily Telegraph website for a second time in under three months and says that the impact of the new vulnerability he found is much more serious than last time. According to the hacker, the weakness allows an SQL injection attack and the extraction of the plain-text passwords, as well as the personal information, of millions of subscribers.

Details about this security breach have been published on the newly reformed HackersBlog vulnerability-reporting website. Unu, a HackersBlog member back when the outfit did more than just report such incidents, has made a habit of testing high-profile websites for similar bugs.

The Daily Telegraph has been the subject of his endeavors before: at the beginning of March, we reported that a vulnerability in a section of the newspaper's website exposed over 700,000 e-mail addresses and account passwords. Paul Cheesbrough, chief information officer at Telegraph Media Group, noted at the time that this was a partner site.

The new proof-of-concept attack described by Unu leverages an SQLi vulnerability in stats.telegraph.co.uk to inject a shell on the web server. Once this is achieved, it's game over in terms of security, as the attacker has full access to all databases. To prove his point, the hacker has made several screenshots available.

Some of the information in the images, such as the poorly sanitized URL parameter or parts of the compromised account details, is blurred out to prevent malicious replication of the attack and to protect the privacy of The Telegraph's subscribers. The sensitive user data that can be extracted includes, but is not limited to, full name, e-mail address, full postal address, zip code, country and password in plain text.

Leaving aside the fact that such personal information is worth a small fortune to identity thieves, the compromise of passwords alone can have far-reaching implications. Studies show that over 60% of users reuse their passwords across multiple accounts, and many of them even use a single one for all accounts.

At the time of writing, the vulnerable page was offline. The Telegraph staff are probably in the process of investigating the breach and taking the appropriate actions. However, while they're at it, here's some advice from us, HackersBlog and the vast majority of security professionals out there: please stop storing passwords in plain text! Store salted hashes instead.
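What that last sentence asks for, as an added example that is not the Telegraph's or HackersBlog's code: each stored password is replaced by a salted, iterated hash, so a dumped subscriber table still verifies logins but yields no passwords. The record layout and the sample table are constructed for this example.

```python
"""Salted password storage, as the article's closing advice recommends.

Added example, not code from the Telegraph site or from HackersBlog. It uses
PBKDF2-HMAC-SHA256 from the standard library; the record layout
"pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is this example's own.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per user


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record to store in place of the password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample subscriber table: two users who happen to share a
# password, stored the way the article says the Telegraph stored them.
PLAINTEXT_TABLE: Dict[str, str] = {
    "alice@example.com": "correct horse",
    "bob@example.com": "correct horse",
}


def migrate(table: Dict[str, str]) -> Dict[str, str]:
    """Replace every plaintext password with a salted hash record."""
    return {user: hash_password(pw) for user, pw in table.items()}


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(user, record)
    # Different salts hide that Alice and Bob share a password, and a dump of
    # this table no longer yields a single usable password.
    assert hashed["alice@example.com"] != hashed["bob@example.com"]
    assert verify_password("correct horse", hashed["alice@example.com"])
    assert not verify_password("Correct horse", hashed["bob@example.com"])
```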

Source : softpedia

Thursday, 28 May 2009

Twitter's API Used to Create Worm via Cross-Web2.0 Scripting

Respected security researcher Aviv Raff warns of a new type of web vulnerability, which he dubs "Cross-Web2.0 Scripting." According to him, a perfectly secure website can become insecure if a third-party web service using its API is vulnerable.

Much of the website interconnection and real-time information exchange that is so specific to the Web 2.0 model is achieved through application programming interfaces, or APIs for short. A web services API is a set of protocols, libraries and routines that third-party applications can tap into in order to send or extract information.

Most of the big Web 2.0 players, such as Google and Facebook, offer open APIs to developers. In this particular case, however, Aviv Raff uses Twitter's API to demonstrate the concept, possibly because the micro-blogging platform has constantly been in the spotlight since the beginning of the year due to numerous security incidents.

"Mikeyy wrote a twitter worm. It's old news, I know, and by now Twitter seem to fix all the known vulnerabilities on their website. But, let's say that there are no more XSS/CSRF/etc. vulnerabilities on Twitter.com. Does it mean that there will be no more twitter worms? Unfortunately, the answer to that question is no," the researcher says.

Mr. Raff claims that this is because of the Twitter API, though not so much the API itself as the third-party websites that use it. He goes on to give the example of twitpic.com, a service for sharing pictures on Twitter, which taps into the Twitter API in order to import a user's profile.

However, "While twitter.com (finally) sanitize and encode HTML tags in the twitter profile information (name, URL, bio, etc.), twitpic.com failed to do so and by that allowed injecting scripts to the twitpic user profile page. This is a very simple persistent XSS, which can be easily abused to hijack twitpic.com user accounts," the expert explains.

The API is also used to post messages back to Twitter on behalf of a user whenever they post or comment on a picture from twitpic.com. Mr. Raff set up a fake profile on Twitpic and leveraged the XSS flaw to create a working Twitter worm. Any user logged into Twitpic who visited the rogue profile would have automatically posted Raff's message, with a link to the profile, on their own Twitter feed.

"Twitter are not alone in this mess. This 'Cross-Web2.0 Scripting' type of vulnerabilities can affect all other social networks," the security researcher notes. "If you are the owner of a service which provides an API, fixing your own website or application vulnerabilities might not be enough…," he concludes.

Source : softpedia

McAfee Reveals the Riskiest Search Keywords

Given the increasing trend of cybercrooks using black-hat SEO techniques to push their malicious pages higher up search result pages, security researchers from global antivirus vendor McAfee decided to determine the most dangerous popular search keywords of 2008. According to their recently released report (PDF), combinations and variations of "screensavers," "lyrics" and "free" have the highest risk rating.

In order to perform the study, McAfee chose 1,600 search keywords popular amongst Internet users from the U.S. as well as other countries. Search results from five major engines, Google, Yahoo!, Live, AOL and Ask, were analyzed using the company's SiteAdvisor product, which identifies malicious websites.

The keywords were grouped by category and by popularity in certain countries. Furthermore, search intelligence company Hitwise was contracted to generate popular variations of each keyword, which provided much better insight into the risk factor of each keyword category. McAfee researchers ranked keywords both by the number of malicious links found on the riskiest result page and by the overall percentage of malicious links across all results.

"The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word 'free' (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky," the experts conclude. On the other side of the barricade are medical terms and those related to the economy, with a 4.0% and 3.5% maximum risk on a single page of results.

When it comes to keyword variations, the "screensavers" category was the winner, with a maximum risk rating of 59.1% and an average of 34.4%, followed by "free games," with under half the danger level of the first: 24.7% maximum and 6.8% average.

The study also revealed some surprises. For example, "the phrase 'www google com' was searched approximately five million times on Google itself." Meanwhile, variations of "Viagra," a highly popular spam keyword, surprisingly scored very low in terms of risk.

Another strange, but nevertheless important, finding was that, "Keywords popular in non-U.S. countries were significantly riskier than those popular in the United States. 14 countries had keyword lists that exposed users to a higher maximum risk than average, including the Czech Republic (14.2%) and Brazil (12.1%)." The researchers concluded that, "This could be early evidence of a troubling new trend of scammers targeting non-U.S. victims."

Source : softpedia

LifeLock Banned from Placing Fraud Alerts

A California judge has banned LifeLock, a company offering identity theft protection services, from placing fraud alerts on its customers' credit profiles. The ruling comes after Experian, one of the three credit reporting bureaus in the U.S., sued LifeLock, claiming that this practice violated the Fair Credit Reporting Act (FCRA) and cost it money.

A fraud alert serves to let banks, retailers and other credit grantors know that they should perform more thorough checks before extending credit or issuing a credit card in someone's name. A fraud alert usually requires the potential creditor to at least call the individual whose credit profile is tagged.

Under the FCRA, the option of placing a fraud alert on their credit file is offered at no cost to consumers. All someone has to do is contact one of the three credit reporting bureaus, Experian, TransUnion and Equifax. However, an alert of this sort expires after 90 days and has to be renewed, which is somewhat of an inconvenience for people who don't have time to do it themselves.

Arizona-based identity protection company LifeLock offers to place and renew fraud alerts on behalf of its customers for a fee of $10 per month, along with other services. However, Experian claims that, in the process of doing this, LifeLock has indirectly caused the credit reporting bureau to spend millions of dollars to process the alerts.

Judge Andrew Guilford of the Central District of California agreed and temporarily banned LifeLock from engaging in the practice until the full trial. "Congress expressly excused Experian and other credit reporting agencies from placing fraud alerts requested by companies like LifeLock. The court finds that this is a proper interpretation of the plain meaning of the statute," the ruling reads.

Judge Guilford considered that, even though the FCRA allows third parties to file fraud alerts on behalf of an individual, this means family members, legal guardians or attorneys, not companies. Other companies similar to LifeLock, as well as privacy specialists, generally disapproved of this decision.

"I can hire someone to do my taxes. There's a similar concept here. ...The idea that they are somehow protecting consumers with this ruling by making them do the work doesn't make sense," Todd Davis, LifeLock's CEO, told MSNBC. However, he is confident that this will not affect the company's customers, because the decision applies only to fraud alerts filed with Experian.

The Fair Credit Reporting Act requires credit reporting bureaus to share all records with each other, meaning that if LifeLock continues to file fraud alerts with TransUnion or Equifax, they will eventually also end up in Experian's records. Granted, in this case, the costs incurred by Experian will be significantly reduced.

Source : softpedia

Wednesday, 27 May 2009

Multiple Visa Websites XSSed - The vulnerabilities could facilitate phishing attacks

Self-confessed ethical hacking outfit Team Elite has recently reported cross-site scripting (XSS) weaknesses in not one, but four different Visa websites. All of the vulnerabilities allowed attackers to trigger arbitrary JavaScript alerts.

The XSS vulnerabilities were reported by a grey-hat hacker calling himself Methodman, who previously discovered similar bugs in numerous high-profile websites. These latest flaws affected usa.visa.com, visacemea.com, visa.com.ua and visamiddleeast.com, and were found in the country selection form, which appears to be shared by all of them.

A potential attacker could have exploited these bugs through URL manipulation in order to force rogue JavaScript prompts with arbitrary content. Such a malformed link could then have been propagated through e-mail and used to launch a phishing campaign.

Being the company that operates the world's largest retail electronic payment network, Visa is also one of the biggest players in developing security standards for the credit card payment industry. Back in October 2008, it issued a Data Security Alert regarding SQL injection vulnerabilities, in which it made several recommendations for mitigating this form of attack.

Validating all user input in web-based applications and adopting secure coding practices that include regular independent code reviews are just two of the recommendations made. Even though these referred to SQL injection attacks, they also apply to protecting against cross-site scripting.

XSS is likewise caused by a failure to properly sanitize user input in web forms and is a sub-category of web code injection vulnerabilities. This incident demonstrates the prevalence of such bugs, as even the companies most aware of them and of the possible mitigations are affected.

However, Visa is not the only example of a security-aware company overlooking such flaws. Since the beginning of the year, websites belonging to some of the largest antivirus vendors have been revealed to be riddled with similar weaknesses.

"Visa Staff has been alerted about this and we hope they fix them quickly," Methodman wrote in his article on Team Elite's website. Visa can be congratulated, as it not only fixed all the reported problems in a timely manner, but also went a step further. Anyone trying Methodman's proof-of-concept exploit code now receives a warning that reads, "The URL embedded in the link was not valid. If you suspect that this might be an attempt to get personal information from you, please see the Visa security section on protecting yourself from Phishing attempts by clicking here."
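Both the Twitpic case in the Cross-Web2.0 Scripting story (profile fields imported through an API and printed raw) and the Visa case here (a form parameter echoed into the page) come down to the same missing step: encoding untrusted data at the point of output. The following is an added example, not code from Twitter, Twitpic, Visa or the researchers mentioned; the API profile payload and its field names are constructed for it.

```python
"""Encode untrusted data at its point of output, whatever its origin.

Added example, not code from Twitter, Twitpic, Visa, Aviv Raff or Team Elite.
The profile below is constructed to look like an API response; its field
names are an assumption of this example.
"""
import html
from urllib.parse import urlsplit

# Constructed: an API may hand back exactly what the profile owner typed.
# Twitter encodes these fields when *it* renders them; a consumer that
# prints them raw reintroduces the bug on its own pages.
API_PROFILE = {
    "screen_name": "demo_user",
    "name": '<script>alert("persistent XSS")</script>',
    "url": "javascript:alert(1)",
    "description": 'Photos & more" onmouseover="alert(2)',
}

SAFE_SCHEMES = {"http", "https"}


def text(value: str) -> str:
    """Encoding for HTML text content and quoted attribute values."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> str:
    """Allow only absolute http(s) links in href; anything else is dropped."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return ""
    return text(value)


def render_profile_vulnerable(profile: dict) -> str:
    """The Twitpic-style mistake: API data trusted because 'Twitter sanitizes'."""
    return (f'<h1>{profile["name"]}</h1>'
            f'<a href="{profile["url"]}">{profile["screen_name"]}</a>'
            f'<p title="{profile["description"]}">{profile["description"]}</p>')


def render_profile_safe(profile: dict) -> str:
    """Same page, with each field encoded for the context it lands in."""
    return (f'<h1>{text(profile["name"])}</h1>'
            f'<a href="{safe_url(profile["url"])}">{text(profile["screen_name"])}</a>'
            f'<p title="{text(profile["description"])}">{text(profile["description"])}</p>')


def render_country_page_safe(country_param: str) -> str:
    """Reflected case: a country-selection parameter echoed into the response."""
    return f"<p>Results for {text(country_param)}</p>"


if __name__ == "__main__":
    print(render_profile_vulnerable(API_PROFILE))  # script and javascript: survive
    print(render_profile_safe(API_PROFILE))        # all markup neutralised
    print(render_country_page_safe('"><script>x</script>'))
```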

Source : softpedia