Malware

SPOTLIGHT ON SECURITY

Spammers Quick to Exploit eBay Breach

If you’re a spammer, big news like the recent breach of eBay’s computers is like striking oil in your back yard.

Perpetrators of unwanted email live for headline-grabbing events that they can use to separate gullible Web wanderers from their money, so the eBay breach is a perfect vehicle for the scammers, Cloudmark reported last week.

“We see this around security events like the eBay breach and natural disasters,” Cloudmark Threat Researcher Andrew Conway told TechNewsWorld.

“In some cases, they’ll take you to a malicious site that will try to convince you to install a Trojan on your system,” he said, “but this one is not that bad.”

The scam discovered by Cloudmark tries to scare recipients of the spam message into believing that their eBay credentials may be used to give them a criminal record.

“My name was used falsely in an arrest, and I didnt even Know it until I checked my public record,” one typical spam message reads.

White Pages Arrest Record

Gulls who follow the link in the spam are taken to an arrest record website called “Instantcheckmate.com.” When a target lands on the site, it tries to puff up its importance by reminding visitors through a popup screen that the site contains confidential information and has established a secure connection to the visitor’s computer.

Actually, the connection isn’t secure HTTPS, but plain, old insecure HTTP.

“So why would someone go to these lengths to try to make it look like the connection is secure rather than paying the (US)$70 or so it costs to buy a certificate and set up a genuinely secure connection?” Cloudmark asked in a company blog. “Could it be someone doesn’t want to have their real identity on file at the certificate authority?”

First-time visitors are given a free arrest record search, but that too is bogus.

“It will pretty much turn up anyone listed in the white pages in the United States, and tell you it has information on the person in its files,” Conway explained. “After you pay to see the data, you’ll see it’s not an arrest record at all. They just have a name and address on file from the white pages.”

Moreover, when a visitor agrees to pay for a search, that agreement contains fine print setting up a recurring monthly charge for the site.

“That’s a trick we see across various sorts of scams,” Conway said. “You’ll sign up for something without realizing it’s a monthly fee rather than a one-time fee.”

Find My Ransomware

Apple device owners in Australia received an unwelcome surprise in the early morning hours last week. Their iPhones sounded an alarm and displayed a message saying they were locked and wouldn’t be unlocked unless a ransom was paid to “Oleg Pliss.”

Apparently, the users’ iCloud accounts were being accessed, and the Find My iPhone feature was being used by the intruder to lock the phones remotely.

As it turned out, getting around the ransom demand was relatively easy for most users. If the iPhone had a pass code activated, the ransom screen could be bypassed, allowing users to log into their account and fix the problem. iPhones without pass codes could be reset by doing a return-to-factory-settings-reset via iTunes on a computer.

The account violators did not breach iCloud’s security, according to Apple, so that suggested the attack may have involved compromised user credentials.

“Many users tend to use the same credentials across multiple sites,” Grace Zeng, a security researcher at SilverSky, told TechNewsWorld.

“As iCloud/Apple IDs have to be registered to email addresses, chances are good that some passwords are the same as their email accounts,” she noted.

“It could be the case that one’s email address and password was leaked as a result of phishing or the recent retailer data breaches,” Zeng speculated, “and attackers were able to use this same credential to log on to iCloud.”

The Find My iPhone incident is just a prologue to things to come, said SilverSky CTO Andrew Jaquith.

“The bigger lesson here is that as consumers rely more and more on cloud services to manage their devices, automate their homes and consolidate their entertainment, thieves will increasingly target these services,” he told TechNewsWorld.

Breach Diary

  • May 27. U.S. Federal Trade Commission submits report to Congress calling for legislation to protect consumers from unbridled collection and sharing of their data by data brokers.
  • May 27. Jordan Lee Jones, the college student who discovered one major vulnerability in eBay two weeks ago, publicizes a second flaw that he says could be used to hijack users’ accounts.
  • May 27. Spotify disables its Android app and notifies users to upgrade to new app after discovering a data breach in a single user’s device.
  • May 27. Security software maker Avast takes support forum offline after it discovers data breach placing at risk some 400,000 user names, email addresses and encrypted passwords.
  • May 27. California Assembly approves and sends to Senate bill requiring retailers to notify customers of data breaches. Measure also makes mandatory provision of credit monitoring services to customers affected by a data breach.
  • May 27. Los Angeles County board of supervisors votes to require encryption of data on all county departments’ workstation hard drives. A similar requirement is already in place for laptops. Earlier this year, a theft of computers at a county health contractor’s office put at risk personal information on 342,000 patients.
  • May 27. Illinois state court rules parties in case involving the compromise of four million patient records on four laptops stolen from the Advocate Medical Group, of Downers Grove, Ill., cannot claim damages based solely on potential losses.
  • May 27. Chinese government releases report claiming U.S. has flagrantly breached international law through unscrupulous surveillance on Chinese government offices. Earlier this month, the U.S. indicted five members of the Chinese military for hacking U.S. companies to steal trade secrets.
  • May 28. Apple states that iCloud, its online storage service, was not compromised in series of attacks on Australian iPhone users through the company’s Find My iPhone service.
  • May 28. Institutional Shareholder Services, a proxy advisory firm, recommends Target shareholders replace seven of 10 members on retailer’s board of directors for not doing enough to ensure the chain’s information systems were fortified against security threats. In data breach during last year’s holiday season, payment card and personal information of 110 million customers was stolen by hackers.
  • May 28. ProMedica Bay Park Hospital in Ohio begins notifying 594 patients that their computer records were accessed without proper authorization by a former employee.
  • May 28. America First Credit Union in Utah begins notifying some 20,000 debit card users that their cards were involved in skimming scam.
  • May 28. SEC Consult reports Nice Recording eXpress, a communication interception program popular with law enforcement agencies, is riddled with weaknesses that can expose users to attacks that could compromise investigations and the security of their networks.
  • May 28. Microsoft launches myBulletins, a service that allows users to search for security bulletins for the company’s products that they use.
  • May 29. iSight Partners releases report detailing three-year cyber espionage campaign by Iran aimed at high-value targets in the United States and Israel.
  • May 29. Corey Kallenberg, a security researcher with Mitre, demonstrates how BIOS replacement UEFI can be hacked to facilitate cybersabotage of around half the computers that use the technology.
  • May 29. The Constitution Project releases paper making case for a “speical advocate” to represent citizens’ interest at FISA proceedings.
  • May 30. Bloomberg reports data security was breached at Monsanto’s Precision Planting unit placing at risk information on some 1,300 farmers.
  • May 30. ThreatPost reports that San Diego State University has begun informing an undisclosed number of current and former students in its Pre-College Institute that some of their personal information was placed at risk by a configuration error that allowed the database containing those records to be accessed by unauthorized parties.
  • May 30. Google releases form to comply with European court ruling allowing citizens to request certain information about them be omitted from search engine results.

Upcoming Security Events

  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 5. Portland SecureWorld. DoubleTree by Hilton, 1000 NE Multnomah, Porland, Ore. One Day Pass: $165; SecureWorld Plus, $545; exhibits and open sessions, $25.
  • June 6-7. B-Sides Asheville. Mojo Coworking, Asheville, NC. Fee: NA.
  • June 6-7. B-Sides Cape Town. Dimension Data, 2 Fir St., Cape Town, South Africa. Fee: NA.
  • June 10. Get Your Ducks in a Row. 1 p.m. ET. Webinar on Phase 2 HIPAA audits sponsored by IDexperts. Free with registration.
  • June 14. B-SidesCT. Quinnipiac University-York Hill Campus, Rocky Top Student Center, 305 Sherman Ave, Hamden, Conn. Fee: NA.
  • June 18. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: Government, free; through June 17, $495; June 18, $595.
  • June 20-21. Suits and Spooks New York City. Dream Downtown hotel, 355 West 16th St., New York City. Registration: Before May 6, $299; after May 6, $549.
  • June 21. B-Sides Charlotte. Sheraton Charlotte Airport Hotel, 3315 Scot Futrell Dr., Charlotte, NC. Free.
  • June 21-30. SANS Fire. Hilton Baltimore, 401 W. Pratt St., Baltimore. Courses: by April 30, $1,249-$4,695; by May 14, $1,249-$4,845; after May 14, $1,249-$5,095.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 27-28. B-Sides Manchester (UK). Reynold Building, Manchester University (M1 7JA). Free.
  • July 12. B-Sides Detroit. COBO Center, 1 Washington Blvd., Detroit. Free.
  • July 19. B-Sides Cleveland. B side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Free.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif. Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels