Source: Internet Security Alliance Daily Brief
Bank of America site appears fixed after 6th day. October 6, Associated Press – Bank of America customers had problems accessing their accounts for 6 days. After the site appeared back to normal October 5, the bank blamed the troubles on a system upgrade. The head of online and mobile banking at Bank of America said the slowness and time-outs customers experienced were the result of a “multi-year project” to upgrade its online banking platform. He said testing of certain features and high traffic at the end of the month also contributed to the delays. When the problems first surfaced September 30, he said the bank cast a “wide net” and worked with law enforcement officials to quickly rule out the possibility of third-party interference. In the meantime, the bank said publicly September 30 and afterward that it does not break out causes for Web site problems. The delays meant some customers who normally bank online had to go to branches or ATMs to access their accounts. The head of online and mobile banking said the company was about 60 percent through the upgrade, and did not rule out the possibility of site problems in the future. Bank of America customers also had difficulty accessing their accounts in January and March, and the firm again blamed routine system upgrades.
Police: man steals $100K using skimmer on local ATMs. October 5, KMGH 7 Denver – Boulder County, Colorado, sheriff’s deputies October 5 released a picture of a man they said has stolen more than $100,000. Deputies said the man put a skimming device on an ATM to get bank account information. He took more than $11,000 from one person’s account, deputies said. As deputies investigated, they said they found other incidents throughout the Denver metropolitan area involving the same man. Skimmers like the one used in this case are placed over the card slot of an ATM and read the magnetic strip as the user unknowingly passes the card through. These devices are often used in conjunction with a miniature camera, inconspicuously attached to the ATM, to capture the user’s PIN at the same time, deputies said.
Stanford Hospital patient data breach is detailed. October 5, New York Times – The New York Times reported October 5 that the hospital and its contractors confirmed the private medical data of nearly 20,000 emergency room patients at California’s Stanford Hospital was exposed to public view for nearly a year because a billing contractor’s marketing agent sent the electronic spreadsheet to a job prospect as part of a skills test. The applicant then sought help by unwittingly posting the confidential data on a tutoring Web site. In an e-mail sent to a victim of the breach, the contractor, the president of Multi-Specialty Collection Services in Los Angeles, explained that his marketing vendor had received the data directly from Stanford Hospital, converted it to a new spreadsheet, and then forwarded it to a woman he was considering for a short-term job. The position was with Corcino & Associates, and the applicant apparently was challenged to convert the spreadsheet — which included names, admission dates, diagnosis codes and billing charges — into a bar graph and charts. Not knowing she had been given real patient data, the applicant posted it as an attachment to a request for help on studentoffortune.com, which allows students to solicit paid assistance with their work. First posted September 9, 2010, the spreadsheet remained on the site until a patient discovered it August 22 and notified Stanford.
Zeus trojan hides in chamber of commerce emails. October 6, Softpedia – Business owners might easily fall for the latest e-mails, which appear to come from the U.S. Chamber of Commerce and announce an intention to help the recipient. What users do not know is that the note’s attachment actually contains the bank-account-stealing trojan Zeus. According to AppRiver, the logo in the message’s header and the content of its footer are taken from the legitimate Web site of the U.S. Chamber of Commerce. As with most malware campaigns, the message is written in a large blue font and reveals only vague information meant to arouse the recipient’s curiosity. The attachment contains a malicious component that opens a backdoor, giving miscreants access to the device. It then attempts to download other malicious software. Finally, it tries to connect to two domains, jokeins(dot)com and agrofond(dot)com, from which it requests a file named start.exe that contains Zeus. The trojan then takes over, creating a miuf.exe process that installs a keylogger and periodically pings various domains in an effort to receive further instructions. The malware also sends out UDP packets to announce its presence to its other components.
Facebook scammers exploit Steve Jobs’ death. October 6, The Register – Facebook scammers are exploiting news of the death of Apple’s founder as a theme for survey scams. The users targeted by the scam are told an unnamed firm is giving away 50 iPads in memory of the deceased. Applicants are invited to complete an online survey to “qualify” for the prize. The offer is entirely bogus. Even so, more than 15,000 people have already clicked through to the bogus survey site, net security firm Sophos reported.
Attack on Apache server exposes firewalls, routers and more. October 6, The Register – Maintainers of the open-source Apache Web server warned that the HTTP daemon is vulnerable to exploits that expose internal servers to remote attackers who embed special commands in Web site addresses. The weakness in 1.3 and all 2.x versions of the Apache HTTP Server can be exploited only under certain conditions. For one, the server must be running in reverse proxy mode, a setting often used to perform load balancing or to separate static content from dynamic content. And even then, internal systems are susceptible to unauthorized access only when certain types of reverse proxy rewrite rules are used. Nonetheless, the vulnerable reverse proxy configurations are common enough that Apache maintainers issued an advisory October 5 recommending users examine their systems to make sure they are not at risk. “When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests,” the advisory stated. “The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL.” The vulnerability was reported by Context Information Security. Researchers said the weakness can be exploited to gain unauthorized access to highly sensitive resources inside an organization’s DMZ, or “demilitarized zone,” that should be available only to validated users.
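The rewrite-based proxy pattern the advisory warns about, shown in its open-ended form beside a guarded form, as an added example for this item (editorial illustration, not configuration quoted from Apache or from the advisory; backend.internal and the /app/ prefix are placeholders):

```apache
# Added example, not text from the advisory. backend.internal is a placeholder.
RewriteEngine On

# Weak: the entire request-URI is captured and appended to the backend URL.
# Nothing checks that the captured input is an absolute path, so a request
# whose URI does not begin with "/" can expand to a target other than
# backend.internal. Left commented out for comparison only.
#RewriteRule ^(.*)$ http://backend.internal$1 [P]

# Guard: refuse any request whose URI is empty or does not begin with "/".
# It must precede every proxying rule so the rewrite chain stops here.
RewriteCond %{REQUEST_URI} !^$
RewriteCond %{REQUEST_URI} !^/
RewriteRule ^ - [F]

# Narrowed rule: anchor on a literal path prefix, so only requests under
# /app/ are proxied and the capture can never supply a scheme or host.
RewriteRule ^/app/(.*)$ http://backend.internal/app/$1 [P]
```

The same two fixes apply to ProxyPassMatch: keep the guard ahead of the proxy rule, and match on a literal path prefix rather than on the whole request-URI.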
Android malware under blog control says Trend Micro. October 6, The Register – Trend Micro has found Chinese Android malware that operates partly under the command and control of a blog. The ANDROIDOS_ANSERVERBOT(dot)A malware is disguised as an e-book reader offered on a third-party Chinese app store. It uses two command and control (C&C) servers, one of them served out of a blog with encrypted posts. Posts to the blog identify the URL of the primary C&C server. This presumably gives the malware’s makers a way to move their C&C server around to avoid detection. The blog also hosts new copies of ANDROIDOS_ANSERVERBOT(dot)A, which are downloaded when the software connects. The security company also notes that upon installation, the supposed e-book reader asks for an unreasonable number of permissions — should the user allow installation after reading the permission requests, the malware can access network settings and the Internet, control a device’s vibration alert, disable key locks, make calls, read low-level logfiles, read and write contact details, restart apps, wake the device, and use SMS. Targeted at Chinese users, the app also disables security software from Qihoo360 and Tencent, among others.
Drive-by download attack on Facebook used malicious ads. October 5, IDG News Service – Antivirus vendor Trend Micro has detected a drive-by download attack on Facebook that used malicious advertisements to infect users with malware. “We encountered an infection chain, wherein the user is led from a page within Facebook to a couple of ad sites, and then finally to a page that hosts exploits,” the company’s security researchers warned October 4. “When we traced the connection between the ad sites and Facebook, we found the ad providers were affiliated with a certain Facebook application. We checked on the said app, and found that it is indeed, ad-supported.” Such “malvertising” attacks are usually the result of lax background screening practices by ad networks or sales teams. Attackers impersonate legitimate advertisers to get ads approved and later swap them with malicious code. Facebook has also dealt with this form of abuse in the past, but in those cases the ads were used to display fake security alerts that led to scareware. Malvertisements that bundle drive-by download exploits for vulnerabilities in popular browser plug-ins, or even the browser itself, are much more dangerous since they do not require any user interaction. In this case, users were directed to a page that loaded Java and ActiveX exploits; while the targeted ActiveX vulnerability was patched in 2006, the Java ones were more recent, dating from 2010.
Malware using white lists, forgery, kernel attacks to stay alive. October 5, threatpost – Rootkit programs are increasingly mimicking antivirus programs, adopting self-protection features and application whitelists to maintain control over the systems they infect, according to a presentation at the annual Virus Bulletin Conference. A research scientist at McAfee told an audience of antivirus researchers that self-protection features have become common in many leading families of rootkits, such as the TDSS and TDL4 rootkits. Application white lists that allow only applications approved by the rootkit authors to run are used to disable hostile programs, while built-in monitoring features that shut down anti-malware programs and prevent critical malware components from being disabled have also been observed in newer-generation rootkits. The research scientist said McAfee researchers are increasingly finding evidence of attempts to kill antivirus and anti-rootkit drivers using attacks at the kernel level of an infected system. While malware attempts to shut down antivirus programs within the user-mode environment have been well documented, kernel-mode attacks to snuff out AV programs are a newer development, and much harder to thwart, he said.
FCC tells retailers to stop selling mobile phone jammers. October 5, IDG News Service – The Federal Communications Commission (FCC) has issued warnings to 20 online retailers selling illegal mobile phone jammers, GPS jammers, Wi-Fi jammers, and other signal jamming devices, the agency said October 5. The sale and use of devices that jam the signals of authorized radio communications are illegal in the United States, the FCC said in its enforcement action. The agency will “vigorously” prosecute violations going forward, it said in a press release. “Jamming devices pose significant risks to public safety and can have unintended and sometimes dangerous consequences for consumers and first responders,” the chief of the FCC’s enforcement bureau said in a statement. Jammers, sometimes used in classrooms, theaters and churches, are prohibited because they can prevent individuals from contacting police and fire departments or family members during an emergency, the FCC said. The 20 retailers were marketing more than 200 jamming devices, the FCC said. Among the jammers being sold were GPS blockers for vehicles, high-tech signal blockers with remote control capabilities, and jammers disguised as paintings and cigarette packs, the agency said. The FCC ordered each online retailer to immediately stop marketing signal-jamming devices in the United States. If a retailer gets a second citation from the FCC, it could face fines ranging from $16,000 to $112,500, with a separate penalty possible for each device sold or each day a device is marketed, the agency said. Additional violations could result in the seizure of equipment and prison time, the FCC said.