Wednesday, 27 June 2007

RSA says "no technological solution to phishing"

"Uriel Maimon, senior researcher in the office of the chief technology officer at RSA, said that technology solutions could never provide a cure for phishing and online fraud because technical fixes could always be subverted. Such measures also depend on the end user to operate and, as such, are vulnerable to error or incompetence."
Maimon also rejects "education" as "possibly the least effective method of stopping phishing." His preferred approach: law enforcement, and lots of it.

Friday, 22 June 2007

Pump and Dumpers try PDFs

Source: Sophos
Sophos reports that it has now seen pump and dump spam carrying its pitch in a PDF attachment rather than an image. Pump and dump spammers were early adopters of text-as-images, so expect other spammers, such as the job scam crowd, to pick this up too. Extracting plain text from a PDF is not hard, but the format leaves plenty of room for obfuscation that a naive extractor will miss, so a filter has to decode the content streams properly rather than grep the raw file.
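As an added example (not code from Sophos or from the original post), the extractor below shows the difference between grepping the raw file for `(text) Tj` and walking the decoded content streams. It runs on a constructed sample PDF that the block builds itself; the stock name and the pitch are made up, and the extractor handles only direct `/Length` values and the FlateDecode filter.

```python
"""Minimal PDF text extraction for spam filtering, run on a constructed sample.

Added example, not code from Sophos or the original post: a quick regex for
"(text) Tj" over the raw file versus a real walk of the content streams, which
also catches strings split across TJ kerning arrays and Flate-compressed streams.
Only direct /Length values and FlateDecode are handled (no indirect lengths,
object streams, hex strings, marked content or other filters).
"""
import re
import zlib

NUMBER_RE = re.compile(rb"[+-]?(?:\d+\.?\d*|\.\d+)$")
TOKEN_RE = re.compile(rb"[^\s\[\]()<>]+")
WORD_GAP = -200  # TJ offset (1/1000 text space) wide enough to count as a word break
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def _read_string(data, i):
    """Literal string at data[i] == b'(' -> (bytes, index after the closing ')')."""
    depth, i, out = 1, i + 1, bytearray()
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":  # octal escape such as \101 ('A'), or \n \r \t \b \f, or literal \( \) \\
            m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            nxt = data[i + 1:i + 2]
            out += bytes([int(m.group(), 8) & 0xFF]) if m else ESCAPES.get(nxt, nxt)
            i += 1 + len(m.group()) if m else 2
            continue
        depth += (c == b"(") - (c == b")")  # balanced parentheses may nest unescaped
        if depth:
            out += c
        i += 1
    return bytes(out), i

def _read_array(data, i):
    """TJ array at data[i] == b'[' -> joined text; a big negative kerning gap becomes a space."""
    i, out = i + 1, bytearray()
    while i < len(data) and data[i:i + 1] != b"]":
        if data[i:i + 1] == b"(":
            s, i = _read_string(data, i)
            out += s
            continue
        m = TOKEN_RE.match(data, i)
        tok, i = (m.group(), m.end()) if m else (b"", i + 1)  # no token: whitespace or stray char
        if NUMBER_RE.match(tok) and float(tok.decode()) < WORD_GAP:
            out += b" "  # the renderer moves right: a visual gap with no space glyph
    return bytes(out), i + 1

def extract_text(content):
    """Walk one decoded content stream and return its text in drawing order."""
    pieces, operands, i = [], [], 0
    while i < len(content):
        c = content[i:i + 1]
        if c in (b"(", b"["):
            s, i = (_read_string if c == b"(" else _read_array)(content, i)
            operands.append(s)
            continue
        m = TOKEN_RE.match(content, i)
        tok, i = (m.group(), m.end()) if m else (b"", i + 1)
        if not tok:
            continue  # whitespace or stray delimiter
        if tok.startswith(b"/") or NUMBER_RE.match(tok):  # name (/F1) or number: an operand
            operands.append(None if tok.startswith(b"/") else float(tok.decode()))
            continue
        if tok in (b"Td", b"TD", b"T*", b"'", b'"'):
            pieces.append(b"\n")  # operators that begin a new text line
        if tok in (b"Tj", b"TJ", b"'", b'"') and operands and isinstance(operands[-1], bytes):
            pieces.append(operands[-1])  # text-showing operators
        operands = []  # every operator consumes its operands
    return b"".join(pieces).strip()

def iter_streams(pdf):
    """Yield decoded stream data from raw file bytes (flat dicts, direct /Length only)."""
    for m in re.finditer(rb"<<([^<>]*)>>\s*stream\r?\n", pdf):
        length = re.search(rb"/Length\s+(\d+)", m.group(1))
        if length:
            data = pdf[m.end():m.end() + int(length.group(1))]
            yield zlib.decompress(data) if b"/FlateDecode" in m.group(1) else data

def naive_extract(pdf):
    """What a quick filter rule might grep for: '(text) Tj' over the raw, still-compressed bytes."""
    return b" ".join(re.findall(rb"\(([^()]*)\)\s*Tj", pdf))

def pdf_text(pdf):
    """Decode every stream and walk its operators; one text chunk per stream."""
    return [extract_text(s) for s in iter_streams(pdf)]

def build_sample_pdf():
    """Constructed sample, not a real spam PDF and not a viewable file: the same pitch as a
    plain Tj, as a split TJ array, and inside a compressed stream drawn bottom line first."""
    streams = [
        (b"BT /F1 18 Tf 72 700 Td (ACME Corp set to soar) Tj ET", False),
        (b"BT /F1 18 Tf 72 670 Td [(AC) 15 (ME) -300 (Co) 10 (rp) -300 (set) -300 (to) "
         b"-300 (so) 20 (ar)] TJ ET", False),
        (b"BT /F1 18 Tf 72 600 Td (BUY NOW) Tj 0 30 Td (Symbol: ACME) Tj ET", True),
    ]
    pdf = b"%PDF-1.4\n"
    for num, (data, compress) in enumerate(streams, 4):
        data = zlib.compress(data) if compress else data
        filt = b" /Filter /FlateDecode" if compress else b""
        pdf += (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), filt)
                + data + b"\nendstream\nendobj\n")
    return pdf + b"%%EOF\n"
```

`naive_extract(build_sample_pdf())` returns only the first stream's text: the second stream has no `(...) Tj` at all, and the third is compressed. `pdf_text(build_sample_pdf())` recovers all three, but the third comes back as "BUY NOW" followed by "Symbol: ACME", because the stream draws the lower line first. Even decoded text arrives in drawing order, and a spammer can scramble that order too, so a filter has to position text by its coordinates before matching on it.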

Thursday, 21 June 2007

McAfee Avert Labs reviews their 2007 predictions

Source: McAfee Avert Labs Blog
Having made the customary list of ten predictions for the coming year six months ago, the Avert Labs researchers have done a reality check on how they are faring so far in 2007. The safe bets have proved safe: "Password-stealing web sites are on the rise", "Identity theft and data loss will continue to be a public issue", "Vulnerabilities will continue to cause concern." Less obvious, but predicted correctly: "Parasitic malware will make a comeback." Seemed a safe bet, but has not really eventuated: "Spam, particularly image spam, is on the increase", "The use of bots will increase." Completely wrong: "Mobile phone attacks will become more prevalent."

Wednesday, 20 June 2007

10,000 websites compromised with malware links

Source: The Register and
On the order of 10,000 websites have had invisible IFRAMEs injected into their pages, pointing visitors' browsers at a site hosting an exploit package called "MPack". How the mass compromise was carried out is not currently known. None of the exploits used by this particular MPack installation is a zero-day: patches exist for all of them, so keeping browsers and plugins current is the visitor-side defence. "MPack" is a general browser-exploit kit written in PHP, a counterpart to the Perl-based "Web Attacker".
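As an added example (not from The Register's report or any MPack write-up), the scanner below looks for the injection pattern described: an IFRAME the visitor cannot see, pointing at a host other than the page's own. The sample HTML and every hostname and path in it are constructed for the example.

```python
"""Flag hidden IFRAMEs of the kind used to bolt an exploit-kit loader onto a page.

Added example, not from The Register article or any MPack write-up: a scanner for
the injection pattern described above (an invisible IFRAME pointing at a third-party
host).  It fetches nothing; it runs over constructed sample HTML, and every hostname
and path in that sample is made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _pixels(value):
    """'0', '1px', ' 2 ' -> int; '100%', 'auto', '' -> None."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


def hidden_reasons(attrs):
    """List the ways this iframe is hidden from the visitor (empty if it is visible)."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    for axis in ("width", "height"):
        px = _pixels(attrs.get(axis, ""))
        css = re.search(rf"(?:^|;){axis}:(\d+)(?:px)?(?:;|$)", style)
        if px is None and css:
            px = int(css.group(1))  # size set in inline CSS rather than as an attribute
        if px is not None and px <= 2:
            reasons.append(f"{axis}={px}px")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    if re.search(r"(?:left|top):-\d{3,}", style):
        reasons.append("positioned off-screen")
    return reasons


def scan(html, page_host):
    """One finding per hidden iframe: its src, why it is hidden, and whether it is cross-site."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            host = urlparse(attrs.get("src", "")).hostname
            findings.append({"src": attrs.get("src", ""), "reasons": reasons,
                             "third_party": bool(host) and host != page_host.lower()})
    return findings


# Constructed sample page: one legitimate same-site embed and three injected frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="120"></iframe>
<p>Normal page content.</p>
<iframe src="http://evil.example/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://evil.example/in.php" style="position:absolute; left:-9999px; top:0"></iframe>
<iframe src="http://cdn.example/ad.html" style="width:1px; height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

`scan(SAMPLE_HTML, "www.example.com")` flags the three injected frames and leaves the visible same-site widget alone. Run over pages fetched from a site you administer, a hidden cross-site frame you did not put there is a strong indicator that the site has been modified. The check is static and attribute-based: a frame hidden through an external stylesheet or by script after load will not be caught, so it complements rather than replaces a rendered-page comparison.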

111 suspected "419" scammers arrested in Amsterdam

Source: AFP (via Yahoo!)
Police in Amsterdam arrested 111 West Africans on Saturday, 16 June, for being in the Netherlands illegally. Those arrested are now under further investigation as suspected Internet fraudsters. Eight of them were carrying false papers and have been prosecuted; the rest were detained and then released unless other charges were pending against them. Dutch police believe over 2,000 Internet fraudsters are active in the country.

Wednesday, 13 June 2007

10 reasons why the Black Hats have us outgunned

More like a basic introduction to the marketplace of cybercrime services than a list of ten reasons.

Saturday, 9 June 2007

Most phishing sites are kit-based

Source: Frequency X Blog
Gunter Ollmann of IBM's X-Force points out that raw counts of phishing sites are now skewed by the widespread use of "phishing kits", which make it trivial to stand up many phishing sites on a single host. Of the 3,544 new phishing sites X-Force identified in the week before the report, 3,256 (92%) were kit-based, and those kit-based sites mapped to just 100 registered domains, whereas the 288 non-kit sites used 276 domains. Counting domains or hosts rather than URLs therefore gives a far truer picture of how many distinct phishing operations are running.

Friday, 8 June 2007

Anti-spam services under attack

Source: Usenet (
Spamhaus, SURBL, and URIBL are presently the target of a DDoS attack, allegedly the work of the same group responsible for the DDoS attacks against Blue Security last year. The attack is being generated by a botnet running malware known as "Storm", which was widely distributed as an attachment to spam in January this year.

Wednesday, 6 June 2007

Web Exploits Getting Stealthy

Finjan's latest "Web Security Trends Report" notes an increase in stealth techniques used by sites hosting browser exploits. To frustrate analysis, a site serves the malicious code only once per visiting IP address: a researcher who fetches the page a second time, or from the same address as the crawler that first flagged it, sees a clean page.
On a related note, an interesting post to Slashdot describes a stealth technique that malware distributors use to avoid detection when they use ads as a distribution vector.