This month, Fox Sports and NASA discovered that their Web sites were compromised. Web 2.0 widget-maker RockYou suffered a major security breach where it was discovered that RockYou failed to apply the simplest security best-practice: encrypting the password of their users. Twitter suffered a DNS hijacking, Amazon EC2 was used by the Zeus bot network, there were more Adobe PDF and browser vulnerabilities... read on for more.
A massive SQL injection attack compromised over 125,000 web pages. The pages contain a malicious iframe that attempts several exploits in order to install the Buzus trojan.
Two NASA-run Web sites were hacked due to SQL injection and XSS vulnerabilities.
A severe cache poisoning vulnerability was found in BIND 9 for users that have DNSSEC validation turned on. Security fixes have been released; there are no known active exploits.
Cisco released an advisory stating that buffer overflow vulnerabilities that could be used for remote code execution were found in Cisco's WebEx WRF player. They released a new version of WebEx that fixes the vulnerabilities.
Web 2 dot uh-oh
Users were briefly unable to access Twitter after it became the victim of a DNS hijacking attack.
Browsing for dirt
A new Adobe zero-day vulnerability (CVE-2009-4324) has been discovered and exploited with malicious intent. The zero-day hole, which affects Reader and Acrobat versions 9.2 and earlier, could crash the system and allow an attacker to take control of the computer. The malicious PDF files are distributed via an email attachment: when the attacker has lured the customer into opening the attachment, a malicious executable file is dropped and run on a fully patched system. The patch will be available on January 12, 2010 according to Adobe.
Adobe also released an security update for Adobe Flash Player version 10.0.32.18 and earlier. Seven vulnerabilities have been patched.
Microsoft Internet Explorer was given a cumulative security update (MS09-072) for various flaws, involving memory corruption and ActiveX. All of these could be used by malicious hackers to booby-trap Web sites that infect visitors - merely by accidentally loading the malicious Web site in the browser.
Mozilla shipped Firefox 3.5.6 to patch seven vulnerabilities, three of them critical. Mozilla is distributing the patches via the browser's built-in automatic update mechanism.
MicrosoftMicrosoft issued six bulletins with patches for a total of 12 vulnerabilities on Patch Tuesday, December 8th.. Three of them were rated “critical”. The most serious issues (MS09-072) affects all supported versions of Internet Explorer, including the newest IE 8 on Windows 7. Microsoft Internet Authentication Service update (MS09-071) patches fixed two potential flaws that could allow remote code execution if incorrect messages are received when Internet Authentication Service server is handling PEAP authentication attempts. The third critical bulletin (MS09-074) patched a security flaw in the Microsoft Office Project software which could allow remote code execution if a a specially crafted project file is opened.
Microsoft Office 2003 users who had protected their documents using the Rights Management Service (RMS) feature were locked out from their own documents from December 11th. The problem was down to an expired security certificate. There is a hotfix available now.
Hello ThreatSeeker. You've got Mail!This month, malicious hackers built their social-engineering campaign around 2 themes: (1) The H1N1 scare and (2) Facebook password reset confirmation. In the first tactic, spammers sent emails masquerading as the CDC (Center for Disease Control), calling recipients to "follow this link" for a "vaccination profile". The link leads to a fake CDC Web site where visitors may be infected. The email subject line changes: variations include "Governmental registration program on the H1N1 vaccination" and "Your personal vaccination profile".
The second tactic was an email purporting to be from Facebook (but it's really not - surprise, surprise) with a malware attachment. The email claims that the recipient's Facebook password has been reset for security reasons and that the recipient should open the attachment to find the new password. Riiight. Nobody opens attachments to get their new password (just don't). Victims would find themselves infected with the Bredolab Trojan Downloader.
Can people tell the difference between a real and fake Web site? A recent study discovered that about 45% of the time, people end up submitting their information to a phishing site.
In other news, proof that there is no honor among thieves: Phishers get their results of their labor stolen by other malicious hackers. See a video of thieves stealing from thieves (something dubbed the "Auto Whaler") in action.
After last being seen in 2007, MP3 spam campaigning was back again in December, leading to fake Canadian Pharmacy sites. Though the campaign lasted only for one day, over 500 million messages were seen - which comprised over 1.2% of the global spam volume for that period of time. A report suggests Cimbot botnet was in charge of this campaign, the same bot network that previously used image spam to advertise fake Pharmacy sites.
Security TrendsAccording to a note by the Internet Crime Complaint Center (IC3), the FBI is aware of losses in excess of $150 million due to fake/rogue antivirus software. Rogue AV is considered much more profitable than spam, because most people who do visit a spam site don't open their wallets, but rogue AV victims are more likely to pay to make the aggressive annoyance go away. Thus the "sale" conversion rate is much higher.
Malicious hackers are stepping up their game in growing their business, upping the ante by now becoming their own ISP. This makes it harder for security researchers to ask for take-downs from ISPs (since it's unlikely that the bad guys will simply comply). The black hats now have their own IP spaces and are setting up their own data centers.