A Closer Look at Spyware Apps Distributed by Google

Phone apps and SDKs

Software development kits (SDKs) help developers quickly build their apps with advertising in mind, so that they can receive advertising payments from their apps. Until recently, Google didn’t allow any changes to an SDK once it was checked into the Play Store. Enter Chinese SDK creator Igexin.

Sneaky Igexin SDK

Igexin is responsible for more than 500 Android apps in the Google Play Store being compromised. Previously they were not able to alter their SDK once it went to market, due to Google’s strict guidelines around SDK implementation. Their workaround was to get approval from the app’s developer to make some small updates to the SDK package and re-submit it to the Google Play Store. These small changes were obfuscated and encrypted to hide the call-tracking functionality that was being inserted.

What is the threat?

Igexin could do whatever they liked with the call data they received from users of apps built with their SDK. This call data could be sold to other companies for telemetry purposes, or even to a government for global call tracking. The affected apps include weather apps, teen-oriented games, photo editors, radio apps and even some fitness apps. With over 100 million downloads of just one of these apps, Igexin put a lot of people’s privacy and data at risk.

One of the most downloaded apps was called “Lucky Cash - Earn Free Money”, which would show the user a fake Google prompt asking to allow full access to the phone’s call functionality. Millions of users could have unknowingly granted this access. The plugin registers a “PhoneStateListener” (an Android telephony callback) and can capture the time of the call, the state of the call and the calling number. The data is then sent, encrypted, to Igexin’s API for purposes which remain unknown.
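As an added example (not from the original post or from any vendor), the following Python script shows the kind of permission review described here done against an app’s AndroidManifest.xml in its text XML form. It flags requested permissions outside what the app’s purpose plausibly needs, singles out the call-related ones, and lists any declared receiver for the phone-state broadcast. The sample manifest, the package `com.example.weather` and the receiver class name are constructed placeholders. A PhoneStateListener registered at runtime leaves no trace in the manifest, but the `READ_PHONE_STATE` permission it depends on to see call details does, which is why the permission list is the check worth doing.

```python
import xml.etree.ElementTree as ET

# Android attributes in a manifest live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app observe or act on phone calls.
CALL_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.CALL_PHONE",
}
# Broadcast delivered when call state changes; receiving it needs READ_PHONE_STATE.
PHONE_STATE_ACTION = "android.intent.action.PHONE_STATE"


def audit_manifest(manifest_xml, expected_permissions):
    """Compare a manifest's requested permissions with what the app's purpose needs."""
    root = ET.fromstring(manifest_xml)
    requested = {
        e.get(ANDROID_NS + "name")
        for e in root.iter("uses-permission")
        if e.get(ANDROID_NS + "name")
    }
    # Receivers that declare interest in phone-state changes in the manifest.
    phone_state_receivers = [
        rcv.get(ANDROID_NS + "name")
        for rcv in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == PHONE_STATE_ACTION for a in rcv.iter("action"))
    ]
    return {
        "unexpected": sorted(requested - expected_permissions),
        "call_related": sorted(requested & CALL_PERMISSIONS),
        "phone_state_receivers": phone_state_receivers,
    }


# Constructed manifest for a fictitious weather app; the package name and the
# bundled SDK's receiver class are invented placeholders, not a real SDK's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
        <receiver android:name="com.example.adsdk.CallStateReceiver">
            <intent-filter>
                <action android:name="android.intent.action.PHONE_STATE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# What a weather app plausibly needs; anything beyond this deserves a question.
WEATHER_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, WEATHER_EXPECTED)
    for key, value in report.items():
        print(key, value)
```

The expected-permission set is per app category, so the same script can be pointed at a calculator with an `INTERNET`-only baseline: any location, contacts or call permission then shows up under `unexpected` and is the question to ask before installing.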

What can I do?

From a user’s perspective, whenever you download an app from the app store you should be prompted with any and all permissions that the application needs from your phone in order to operate. This is where common sense needs to come in. First, do you even need or want the app? Do the permissions requested seem reasonable for the app? For example, does this calculator app really need access to your contact list or pictures? Once you have downloaded an app, you shouldn’t be prompted by the Play Store via pop-up for additional permissions. Lastly, be sure to review your apps on occasion and uninstall any that you are no longer using.

Even following the suggestions above is no guarantee. Igexin has put trusted downloads in a new light and serves as a reminder that you can no longer trust an app based primarily on the number of downloads it has.

Google scam – Part 2

Those of us who deal in IT security have the luxury of being able to ignore the typical scam unless it impacts our network, a family member or a close friend. These scams are generally not all that technically interesting and, frankly, it’s easy to feel like such scams are somehow beneath us.

Many of us have been using computers since before the rise of the internet, and being computer and internet literate we are more than capable of spotting a scam with ease. Unfortunately, there are also many who aren’t.

To a large segment of the population, the internet is just as mystifying as a good magic show. They can see the set pieces and the effects, but can’t quite grasp what goes on in the background. They’re not idiots for being conned; they are victims, because they didn’t have the knowledge to see through the scam.

Recently my friend, a fellow entrepreneur who I’ll refer to as Jocelyn, found herself facing a high-pressure telemarketing scam based on Google listings.

Having just opened her business last summer, every day she faces a long list of calls to make, bills to pay and appointments to keep, and the last thing she has time for is learning all the details of how Google listings and SEO work.
Here’s a breakdown of how the scam unfolded:
September
  • Business Registry Center (BRC) contacts Jocelyn and she explains she’s not interested.
  • Being telemarketers, they’re very persistent and escalate their tactics, claiming Jocelyn’s business will suffer and close if she doesn’t accept their offer to ensure her business is registered and promoted on Google Local Business listings. BRC keeps calling to pressure her with more stats and ‘facts’ to validate their claims.
October
  • Jocelyn checks out the BRC website at businessregistrycenter.com and is taken in by initial appearances that seem legitimate. The text is well written and they seem to know what they are talking about.
  • Jocelyn decides to accept the offer to receive the BRC information package and take more time to review their offering.
  • Business Registry Center issues the information package with an invoice.
  • The BRC package arrives. It includes a cardstock folder with Shutterstock images on it, a one-page letter explaining how important a Google Local Business Listing is, and the invoice.
  • Jocelyn immediately calls Business Registry Center to ask about the invoice, explaining that there must be some misunderstanding as she only requested the information package and did not agree to the services. The agent advises Jocelyn that when she agreed to have the package sent to her, it was her verbal agreement to the service package, and that they had the conversation recorded.
November to January
  • For two months Business Registry Center calls non-stop, almost every day and escalating at the end to eight or ten times a day, often while Jocelyn was with a client. The calls became progressively more aggressive, threatening to send her to a debt collector and destroy her credit rating. Believing the lies, Jocelyn sends in her credit card number with the invoice.
January
  • Jocelyn consults friends and immediately calls her credit card company to cancel the transaction.
February
  • Following up with due diligence, the credit card company contacts BRC about the cancellation of the transaction. BRC does not respond to the credit card company’s inquiry. Jocelyn is completely reimbursed by her credit card company.
  • Jocelyn details the scam to me and I then investigate; you can see details of my findings in my earlier blog post here.
  • Wanting to protect others, I work with Jocelyn to contact the Montreal Police Department, because BRC’s physical location is in Montreal, Quebec. Montreal police advise that this must be followed up with the Ottawa Police Department.
  • The Ottawa Police Department informs us that because the money was reimbursed there is no fraud and no charges can be laid.
  • Concerned that others might fall victim, we contact local news teams and work with the media and social media to make others aware of this scam.

These people are preying on those who lack specialized knowledge, nothing else. They are thieves, and should be dealt with as such.  They may as well have skimmed her debit card or grabbed the cash from her register.

We can’t stop the scammers from ripping people off.  Like cockroaches, they will scurry off and set up elsewhere as soon as they can.  That doesn’t mean that we shouldn’t stop them at every opportunity.

I welcome your thoughts and comments on how we can resolve these annoying scam artists. 


Google Places for Business Scam

Business Registry Center, with a post office box in Montreal, is calling businesses and non-profits offering to list them with Google Local Business Listings, now known as Google Places Business.  For the listing that is free with Google, they are charging $499.  A rip-off perhaps, but maybe not too bad?  It gets worse.

CBC News Story
CBC News Video

www.businessregistrycenter.com
Telephone: +1-888-416-7472

Address:
6228 Saint Jacques, 
Suite 417, 
Montreal, QC H4B 1T6

From the user agreement found on their site:
Although never mentioned in any of the phone calls, the user agreement states that you are signing up for two years of service at the spectacular rate of over $5,500.00. The user agreement is apparently binding, even if you’ve never been to their site to read it.

You authorize them to charge any card that “they are aware or become aware of”.
In case you don’t follow their terms or even threaten to do so:

So what do you get for your $5,500.00? Well, pretty much what you get for free with Google.

The earliest activity I can find dates back to September of 2012.  Here is one of the dozens of complaints on 800notes.com.  It seems they finally moved from disks to the cloud. http://800notes.com/Phone.aspx/1-888-774-9902

And finally, what I can only assume is a sister site at www.onlineregistrycenter.com.  Different theme, but the content is identical.  
This “office” is located at a UPS store in MN.  

Telephone: +1-888-311-0262
Fax: +1-866-929-0748
Address:
1043 Grand Avenue, 
Suite 145, 
Saint Paul, MN 55105.

90 Minutes to Privacy

In light of this being National Data Privacy Day for the U.S. and Canada, here are eight tips to create safe online personal security habits. Previously we covered best practices for working with passwords, ensuring your software is up to date, and making sure you’re working with a decent anti-virus solution. Now get ready to start the timer and do what you’ve been meaning to do for years.
Reconnoiter – 15 Minutes
The first step in securing your privacy is to find out just what is out there for the world to see. If you’ve never Googled yourself, now is the time. Google searches to check on:
1. your name
2. your name + your city
3. your name + your employer
4. your phone number
5. your address
6. your email addresses
7. screen names
8. gamer tags
Google search anything that you’ve ever used to identify yourself. Don’t forget to do an image search while you’re at it.
You might be surprised to find that your dating
profile, gaming history, forum posts, site memberships, comments, pics from the
office party, etc. are easily uncovered.
Now find out what Google knows about you here
Turn off your Google search history here.  
Get your credit report.  You should know what’s on there, and it’s
easy and free to request it.  Look for
anything suspicious or incorrect and contact the agency immediately if anything
is amiss.

You don’t need to pay for the upgraded service, there is no charge to receive your credit report.

Canada – Equifax [PDF]
              – Transunion

USA – Equifax/Transunion/Experian

Call your doctor and get a copy of your medical
history.  Most people have details about
every oil change they’ve ever paid for but have no clue about their own health
records.
Depending on where you live, you’ve got the
right to access different information that is on file about you.  Insurance companies, payroll companies,
social services, etc. should all supply you with what they know about you.
Shrink your footprint – 20 minutes
Haven’t used a Groupon in 6 months but still
getting spammed daily?  Sign up for 5
different streaming radio services but only use Songza? Find your true love but
still have profiles on dating sites? Now is the time to delete any accounts
that you no longer use.  It’s a pain, but
it only takes a minute.  If your myspace
page is still sparkling and blaring music out there, just put it out of its
misery.  As an added bonus, your inbox
will thank you.
Can’t remember all the crap you’ve signed up
for?
Look through your spam folder.
Check your purse or wallet for points cards,
rewards cards, coupons, etc.
Location services – Maybe you love Google’s
location aware search results, but there is no need for most apps to know where
you are.  Similarly, nobody needs the GPS
coordinates of the party you were at last night.  If the app doesn’t need to know where you are
to work, then turn it off.
Delete – 10 minutes
Take ten minutes to go through the files and
folders on your computer.  Delete
anything and everything you can.  Be
merciless.
Tighten your social media belt – 10 minutes
Adjust your privacy settings.  Facebook is the big transgressor here, but be
sure to check your LinkedIn, Twitter, Foursquare, Pinterest, etc. as well.  Even if you don’t care, your contacts might.
Your privacy settings on sites like Facebook and LinkedIn don’t only affect you. Take the time to make sure that you’re not sharing any data about your friends with people that you don’t know. Why let strangers creep all of your contacts on LinkedIn, or share your friends’ data with third-party developers on Facebook?
Go on a friend diet – 10 minutes
Prune your lists of friends:  Facebook, LinkedIn, Google+, Skype, MSN, ICQ,
AIM, IRC, etc.  If you haven’t talked to
them in the last year, you probably never will. 
If you need to look them up, you can always do so. 
Go on an app diet – 10 minutes
Look through the apps on your phone.  If you haven’t used it in a month, uninstall
it.  No matter how many times you tell
yourself otherwise, you are never going to use Google Sky.  Bored with Fruit Ninja? Downloaded Layar just
to show off your phone?  Get rid of
them.  You can always install them again
later, even the ones you’ve paid for. 
The same goes for any facebook apps you may be annoying
your friends with.  Ditch them.  Nobody cares about your farm or what you just
played in Words With Friends.
Create an alias – 10 minutes
Not just a username, make a whole person.  First name, last name, email address,
birthday, pet.  When you need to sign up
for something non-critical, use your alias. 
If they don’t need your real name, don’t give it to them.  With the birthday/email/pet, you should even
be able to recover your password if you forget it.  Now is your chance to have the supercool name
that you always wanted.  Hello, Mr. Mike
McCool.
Lockdown – 5 minutes
Make sure you use lockscreens on your phone,
tablet, computer, etc. Set them to lock after 2 minutes.  No exceptions. 
Install Prey or similar tool on your devices
just in case. preyproject.org
Sign out of everything you log into, whether
it’s a site, a program or a computer.
Tell us how you did with the 90 Minutes to Privacy plan. Did it take more or less than 90 minutes?


The Intern’s Security Practices Part 1: Passwords

Being the newest addition to the Defence
Intelligence team and having recently been introduced to the world of security,
I’ve been learning some best practices and adjusting my Internet usage habits.
Over the past few weeks I’ve learned that some of my habits, especially when it
comes to passwords, could use some improvement.
We decided to survey a class of first year
public relations students at Algonquin College, in Ottawa, to see how my
practices compared to theirs. The majority of the class is female with an
average age of 21.
We found that 90 per cent of the students
use the same password for multiple accounts. Personally I use different types
of passwords for different types of accounts. I use the same passwords for
social media accounts, another password for my e-mail, and a separate one for
my online banking. I find it difficult to use a different password for
everything because I use a lot of social media sites.
“It’s interesting that this generation has
been called digital natives yet their security practices are very poor. By
using the same password on multiple accounts they are trading their personal
information and security for convenience,” says Keith Murphy the CEO of Defence
Intelligence.

Fifteen per cent of the students said they
change their passwords frequently. For the next survey we will need to define
how often ‘frequently’ is. I only change my passwords if the site prompts me to
or I need to reset my password because I forgot it. I was surprised that 77 per
cent of the students use passwords that have more than eight characters. I tend
to use the minimal allowable amount of characters when I create passwords. I
think that the school’s password standard is seven characters, which could be
why some students are using longer passwords.
With only 45 per cent recording their passwords in a safe place, I’m not surprised that their passwords are changed often. I have trouble finding a place to store passwords. When I discussed this with Murphy, he said that the best practices were to use encrypted storage or to write them down. He also recommended avoiding saving passwords in the browser and on your computer. The following article from Lifehacker is very helpful in outlining some common mistakes and best practices. You can also see our tips here.
The following chart shows the type of
characters the students are using to create their passwords:
I’m not surprised that the majority of the students use upper- and lowercase letters; those are fairly common. What surprises me is that there is a significant drop when it comes to the use of numbers, special characters and punctuation. I didn’t start using special characters and numbers until Google, Apple and other sites started showing you the strength of your password.
In the next blog post we will discuss the
survey results concerning the use of links and security software. 

By Sarah Raphael


Cyber Security Made Easy – Part 2


There is encouraging news on the horizon for those in the professional security field. A recently published survey by NCSA and APWG confirms a shift in attitude towards online security. Not only are people taking it seriously, but they also view it as their personal responsibility and welcome the opportunity to learn more. Below are a few key statistics from the survey.

  • 96
    percent of Americans feel a personal responsibility to be safer and more secure
    online.
  • 93
    percent believe their online actions can protect not only friends and family
    but also help to make the Web safer for everyone around the world.
  • 60
    percent believe that much of the online safety and security falls under their
    own personal control, and consistent with those feelings, 90 percent said they
    want to learn more about keeping safer on the Internet

Making it easier to educate those 90 percent, here’s our overview on how to safely search the Internet.

What could possibly go wrong when searching online with a popular search engine? As with everything, if you do it absent-mindedly and click on the first item that comes up, you might end up with more than just the answer to your search: you might end up with an infected computer.

You should be able to answer yes to each of the questions below; if not, don’t click on the link.

  1. Is the text that shows up in the preview for the page grammatically correct?
  2. Is the domain a name that you recognize?
  3. Does the domain of the link end with a country code that has a history of NOT being associated with malware? For the complete list of country abbreviations, see Wikipedia.
  4. Do the domain name and the text describing the page seem logical?
Warning: don’t click on a link just because it piques your interest by seeming such a random response to your search.


Top tips from Google include:

  1. Simple one or two word searches give you the broadest results.
  2. Use common terms for example instead of my head hurts use headache.
  3. Use quotation marks around your search for an exact search. For example, searching for “Samuel Clemens” will not include results for Samuel Langhorne Clemens or Mark Twain.

The best and easiest advice to give is to limit your searching to trusted sites, not search engines. If you always get your news from three places, go to those places first when looking for news. If you usually rely on Wikipedia for your facts, go to Wikipedia and search there. Find some safe zones that you know and trust and stick to them. It’s when you stray and explore that you can get lost.

In our next blog in this series we’ll look at using WiFi.

Private Discussion

User privacy is of major concern to just about everyone, because just about everyone needs some level of privacy. Google, with its massive user following and array of product offerings, has a huge responsibility to keep their users’ data confidential and safe. The Google Buzz bungle is an example of how Google’s handling of private user information doesn’t always live up to expectations.

Privacy/Data/Information commissioners from 10 countries sent a joint letter to Google CEO Eric Schmidt on April 20, expressing their concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

The letter made various statements like Google Buzz “betrayed a disappointing disregard for fundamental privacy norms and laws” and that “launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.” Also included were suggested principles to be used by Google to ensure user privacy, such as “collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service” and “ensuring that all personal data is adequately protected.”

While the letter seems well intentioned, its message is a bit late to the stage. U.S. Congressman John Barrow penned his own joint letter to the Federal Trade Commission at the end of March over the same Buzz/privacy issues. Congressman Barrow’s letter cites the Electronic Privacy Information Center’s (EPIC) previously filed complaint “alleging that Google Buzz violates federal privacy law.” By way of public response, Google issued a letter to the Federal Trade Commission regarding their policies on information privacy. In this ten-page letter, Google shared their efforts to “develop products that reflect strong privacy standards and practices.” They also stated their support for “strong industry commitments to ensure transparency, user control, and security in Internet services for consumers” as well as “strengthened protections from government intrusion.”

To demonstrate a small history of various government “intrusion”, Google created the government requests page (http://www.google.com/governmentrequests/). The page maps out content removal requests and user data requests made by government agencies for the second half of 2009.  The leaders in user data requests are Brazil (3663), the U.S. (3580), the U.K. (1166) and India (1061).

 

Also displayed through this map is every country that signed the privacy letter to Google. Government agencies from France, Germany, Israel, Italy, Ireland, the Netherlands, New Zealand, Spain, Canada and the United Kingdom all scolded Google for inadvertently disclosing personal user information, but prodded them for the same information months earlier.

Though data protection departments may not be the ones who made the requests, government is often looked at as a collective entity, causing some to consider these actions as hypocrisy. In the FAQ for the government requests page, Google says “the statistics primarily cover requests in criminal matters.”  Does this justify cooperation from Google? When is it okay to abandon privacy for the sake of law enforcement? I don’t know. It is a difficult balance for Google and world governments in protecting both privacy and national laws.

The Electronic Communications Privacy Act (ECPA) is a key part of finding this balance. Find out more:
www.digitaldueprocess.org

If you want to see what Google has on you, start with:
www.google.com/dashboard

Matt Sully
Director
Threat Research & Analysis


Buzz Words

Google Buzz is definitely the buzz word of the week and, in this industry, has been quickly put under the microscope. As a result, a cross-site scripting vulnerability was already discovered and fixed in the mobile version of the Buzz utility. I’m sure close examination will continue to reveal additional security or operational flaws in Buzz, but security-minded folks were not the only active critics of the social networking tool from Google.

Initial users were upset by Buzz’s default “all inclusive” settings. These automatic features included adding yourself as a follower of those you most contact through email or chat (allowing them to automatically follow you as well), displaying all users involved in the follow-fest on your Google Profile, and instant sharing of activity on your other Google sites like Picasa and Reader. By making a lot of information easily visible to potentially a lot of people, all of these features raised a lot of concern over privacy issues. In addition, new Buzzers were disappointed with the difficulty of finding the settings options for these features, most while trying desperately to disable them.

While some may not be all that concerned, instant exposure of this information to user contacts without giving expressed permission has been more than disappointing. Some social circles are meant to be separated. Facebook users have been forced to explore this friends and family cross communication fiasco due to multi-generational interest in the social networking world. For many users this is uncomfortable at best.

Complete testing before release may have prevented the scramble for alterations that Google is now in the middle of, but the feasible protection of online privacy is the real issue here. In our efforts to connect with the world, can we expect to keep secrets or achieve selective and exclusive information sharing? When we type something into our network-connected devices, can we blame anyone but ourselves when that information spreads beyond the originally intended parties?

Anonymity while on the internet is becoming progressively harder to maintain. With photo tagging and friends who gossip across Facebook, even people who never participate in social networking sites have an online profile, in a sense. While reluctant or non users are losing control over just how much the online world can find out about them, self surveillance is now commonplace. We’ve become comfortable with sharing information about ourselves and living and working online, making us vulnerable to attack over the internet and in the physical world. If the Buzzing is getting a little too close you could be in danger of getting stung.

For those interested in de-Buzzing, the links below can guide you through the process:

http://news.cnet.com/8301-17939_109-10451703-2.html
http://securitylabs.websense.com/content/Blogs/3553.aspx

For those sticking with it:

http://gmailblog.blogspot.com/2010/02/new-buzz-start-up-experience-based-on.html
http://gmailblog.blogspot.com/2010/02/5-buzz-tips.html

Matt Sully
Director
Threat Research & Analysis


RUmblar

Gumblar, the massive iframe injection attack that made and sustained front-page security news in early 2009, appears to still be going strong. Only slightly altered in its approach, the ongoing attack is still injecting malicious domains into sites on a fairly large scale, each site having the intention of spreading malware to the end user.

Gumblar domains were previously injected into iframes of otherwise benign sites using stolen FTP credentials. The new domains are likely still injected using stolen credentials but are now using obfuscated scripts to generate a formulaic Russian domain. The obfuscated scripts are appended to javascript files and html files within script tags and create rather lengthy domain names.

The second level domains for these are plentiful. Amazingly, the following list is incomplete and will likely remain so with the constant generation of new redirection domains:

18-plus.ru bluejackmusic.ru mozg-testing.ru thegiftsale.ru
airseasite.ru blueseaguide.ru mozgilla.ru thelaceweb.ru
allnewface.ru brownbagbar.ru musicboxpro.ru thelifetag.ru
allpropro.ru brynetka.ru mygreatsale.ru themobisite.ru
ampsguide.ru carswebnet.ru newhavenparks.ru thetruehelp.ru
authentictype.ru cobalttrueblue.ru newlifeworld.ru toplinemarine.ru
avattop.ru cometruestar.ru pastanotherlife.ru truelifefamily.ru
b-i-o-v.ru counterbest.ru recentmexico.ru urlnext.ru
battop.ru cyberprotech.ru red-wolf.ru videosaleonline.ru
beeeo.ru easylifedirect.ru saletradeonline.ru viewhomesale.ru
before-this-life.ru easytabletennis.ru seasilvercoop.ru votrelib.ru
beofree.ru ezpoh.ru shoozi.ru warbest.ru
bestage.ru funwebmail.ru simplehomelink.ru webdesktopnet.ru
bestbio.ru gametopsite.ru simpleworldhouse.ru weblessnet.ru
bestbondsite.ru genuinecolors.ru sitesages.ru webnetenglish.ru
bestseasilver.ru genuinehollywood.ru sugaryhome.ru webpowerguide.ru
bi-test.ru genuinehollywood.ru superhighest.ru webworldshop.ru
biltop.ru greatsalecenter.ru superore.ru whosaleonline.ru
bio-age.ru guidebat.ru superseatoddy.ru wintersaleonline.ru
bio-free.ru halfsite.ru superseawind.ru worldhighspeed.ru
bio-oib.ru homesaleplus.ru supertruelife.ru worldsouth.ru
bio-tube.ru homesitedesigns.ru supertruelife.ru worldwebworld.ru
bio-z.ru huntalong.ru susance.ru xboxliveweb.ru
bionaft.ru huzzahwebdesign.ru teenwebdesign.ru yourasite.ru
biovoz.ru inother.ru theanotherlife.ru yourauthentic.ru
biozavr.ru lagworld.ru theantimatrix.ru yourhotelsite.ru
biozov.ru maxserviceworld.ru theatticsale.ru yourtagheuer.ru
bitest.ru mindgameworks.ru theaworld.ru yourtruegame.ru
bluejackin.ru mingleas.ru thechocolateweb.ru yourtruemate.ru

Though the groupings here are obviously all .ru domains, other researchers indicate countless other domains being used in the same way. Many use dynamic DNS second-level domains, while others have a similar structure to the domains above, only with .cn TLDs, as did the original gumblar.cn. Others appear to have no theme and use .cz, .dk, .de, .nl and several other country-code TLDs. The IPs behind these domains are just as widespread and varied. This list is also likely incomplete:

188.138.24.133 77.68.44.169 89.110.147.181 91.121.86.130
188.40.118.68 78.31.107.49 89.149.202.142 91.121.88.218
188.72.199.24 78.41.156.236 89.149.244.211 91.121.96.181
188.72.211.253 80.69.74.73 91.121.1.99 92.48.124.212
195.242.98.212 82.165.194.22 91.121.108.53 92.48.78.252
212.117.165.149 82.165.47.29 91.121.112.227 94.228.219.11
213.186.57.19 82.192.88.35 91.121.121.6 94.23.11.38
213.251.164.84 82.98.231.25 91.121.142.111 94.23.14.110
213.251.184.114 84.16.227.72 91.121.166.221 94.23.199.154
217.160.110.21 84.201.9.32 91.121.167.41 94.23.206.229
217.23.5.27 85.14.202.210 91.121.211.226 94.23.211.214
62.212.74.148 85.184.10.80 91.121.24.139 94.23.4.164
62.250.9.105 85.25.152.241 91.121.4.99 94.23.89.95
62.4.85.229 85.25.73.243 91.121.49.129 95.168.170.89
62.75.184.40 87.106.247.193 91.121.7.26 95.211.10.130
62.75.218.192 87.118.90.76 91.121.74.84 95.211.4.193
77.37.19.43 89.105.199.130 91.121.79.191

The full unobfuscated domains look something like this, containing popular domain name snippets in an effort to appear legitimate:

foxsports-com.google.cn.spiegel-de.avattop.ru
yomiuri-co-jp.google.cz.playstation-com.yourtagheuer.ru
theplanet-com.1133.cc.nikkansports-com.bestnewhaven.ru

The full URLs will include file requests similar to:
:8080/ts/in.cgi?pepsi[variable numbers]
:8080/cache/readme.pdf
:8080/cache/flash.swf
:8080/filez/java.html
:8080/filez/Show.class
:8080/filez/win.jpg

The files are designed to exploit vulnerabilities in Acrobat, Flash, and Office, and redirect to the final domain for download of the actual malware, which consistently appears to be Bredolab.

The Bredolab downloader has been tied to Gumblar from the beginning and is still being served by the malicious domains, ultimately serving up rogue AV and information-theft end-goal malware. The information-theft malware is there to grab FTP credentials and perpetuate the whole cycle. Bredolab has also been found in mass spam campaigns since late last year, attached to emails purporting to represent DHL, UPS, Facebook, Western Union, ISPs, fake e-card senders and “potential girlfriends.”

You may have come across one like:

Subject: Facebook Password Reset Confirmation.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

If many benign sites are hosting the final malware download due to the highjacking mechanism, blocking the redirection attempts would be the best course of action. It is necessary for the owners of the highjacked sites to clean up the injected redirection domains or malicious files, and for the end user to keep their software updated in an effort to negate exploits.

The Pepsi Challenge
Many of the files requested on the redirect domains have something similar to
“:8080/ts/in.cgi?pepsi18”:

18-plus.ru:8080/ts/in.cgi?pepsi18
inother.ru:8080/ts/in.cgi?pepsi18
test-health.ru:8080/ts/in.cgi?pepsi18

I just find this amusing, because one of the Gumblar sites reported here hosted “/rimages/coke.php”. It’s nice that we have a choice of malicious beverage and, while I prefer Coke, it seems Pepsi is the choice of the new “Rumblar” generation of domains.
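The obfuscated hostnames and the `:8080` request paths above are regular enough to check for in proxy or DNS logs. The following is an added example, not the author's tooling: it splits each hostname into labels, flags brand-like labels (the "foxsports-com", "google", "spiegel-de" style fragments) that sit as subdomains under an unrelated registered domain, and matches the `/ts/in.cgi?pepsi...`, `/cache/` and `/filez/` request shapes listed on the page. The brand-label list and the sample request URLs are assumptions constructed from the patterns above, not real captured traffic.

```python
"""
Heuristic checks for the obfuscated "Rumblar" redirect domains and the
:8080 exploit-kit request paths listed above. Added example, not the
author's tooling; the sample URLs are constructed from the patterns on the
page and the label list is an assumption about what counts as brand-like.
"""
import re
from urllib.parse import urlsplit

# Brand-imitating labels as they appear inside the obfuscated hostnames
# (dots replaced by dashes, e.g. "foxsports-com"). Assumed list; extend as needed.
BRAND_LABELS = {
    "foxsports-com", "google", "spiegel-de", "yomiuri-co-jp",
    "playstation-com", "theplanet-com", "nikkansports-com",
}

# Request paths seen on the redirect domains (from the page).
KNOWN_PATHS = [
    re.compile(r"^/ts/in\.cgi$"),
    re.compile(r"^/cache/(readme\.pdf|flash\.swf)$"),
    re.compile(r"^/filez/(java\.html|Show\.class|win\.jpg)$"),
]
PEPSI_TAG = re.compile(r"^pepsi\d+$")


def normalize(url):
    """Log lines often carry host:port/path with no scheme; add one so urlsplit works."""
    return url if "://" in url else "http://" + url


def host_findings(host):
    """Reasons a hostname looks like an obfuscated redirect domain."""
    labels = host.lower().split(".")
    reasons = []
    if len(labels) < 3:
        return reasons
    registered = ".".join(labels[-2:])          # e.g. avattop.ru
    embedded = [l for l in labels[:-2] if l in BRAND_LABELS]
    if embedded:
        # A real brand lives in its own registered domain; here the brand
        # names are only subdomain labels under an unrelated .ru domain.
        reasons.append(f"brand-like labels {embedded} under {registered}")
    if len(labels) >= 5:
        reasons.append(f"unusually deep hostname ({len(labels)} labels)")
    return reasons


def url_findings(url):
    """Combine host, port, path and query heuristics for one request URL."""
    parts = urlsplit(normalize(url))
    reasons = host_findings(parts.hostname or "")
    if parts.port == 8080:
        reasons.append("non-standard port 8080")
    if any(p.match(parts.path) for p in KNOWN_PATHS):
        reasons.append(f"known redirect/exploit path {parts.path}")
    if PEPSI_TAG.match(parts.query):
        reasons.append(f"campaign tag {parts.query}")
    return reasons


def scan_requests(urls):
    """Return {url: reasons} for every URL that trips at least one heuristic."""
    flagged = {}
    for url in urls:
        reasons = url_findings(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample: two requests matching the page's patterns, one benign.
SAMPLE_REQUESTS = [
    "foxsports-com.google.cn.spiegel-de.avattop.ru:8080/ts/in.cgi?pepsi18",
    "test-health.ru:8080/cache/flash.swf",
    "https://www.google.com/search?q=weather",
]

if __name__ == "__main__":
    for url, reasons in scan_requests(SAMPLE_REQUESTS).items():
        print(url)
        for r in reasons:
            print("   -", r)
```

The host check deliberately looks only at the labels to the left of the registered domain, because a legitimate `www.google.com` keeps its brand in the registrable part, while the redirect domains push brand fragments into subdomains under a throwaway `.ru` name. Treat a single hit as a lead to review, and the combination of a deep brand-stuffed hostname with port 8080 and one of the known paths as a strong indicator worth blocking at the proxy.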

Matt Sully
Director
Threat Research & Analysis


Rumor has it.

Facebook users are being targeted again, but in a more roundabout manner. Rumors are spreading, as rumors do, that an “unnamed app” is integrated into user accounts which is responsible for slowing down facebook and is being used to spy on user activity. (These rumors have not been proven true.)

Users are then advised in the form of ALERTS to delete this unnamed app. The interesting part is that user suspicion of these messages is what gives them their malicious power. A Facebook user would then Google the alert or the keywords “unnamed app” and be directed through several sites to ones serving rogue AV. Thanks to SEO techniques, many of the top sites listed are the key redirection sites in this process.

One such site, at the number three spot in our google search:
“http://kittingservice.com/canst.php?avi=facebook-unnamed-app”

The domain kittingservice.com is found at 62.93.239.41.

Using javascript redirection, we are taken to:
“http://onlinetechnicals.ru/sm/r.php”
at 212.95.58.37

It looks like the referrer might be necessary for the redirection: “Referer: http://www.google.ca/search?hl=en&source=hp&q=facebook+unnamed+app&meta=&aq=f&oq=” Otherwise a page comes up with the multiple facebook and SEO terms planted throughout, including some of the original instigating Facebook alert phrases:

“Has your facebook been slow today? Check your application settings, go into ” added to profile”. If you see one in there called “unnamed app” delete it.”

“There is a ” Unnamed App ” spybot on facebook and it may be slowing down Facebook applications or it may be work as a Spyware.”

The onlinetechnicals.ru page then uses another javascript to direct us to uscaau.com:

uscaau.com 212.95.58.37

Looking up uscaau.com/back.php comes back with the location of: “http://battlestartedsecurity.com/hitin.php?land=20&affid=94801”

battlestartedsecurity.com
109.232.225.22

and “hitin.php?land=20&affid=94801”
is said to be at the location:
“index.php?affid=94801”

This is where we finally download the beginnings of the Rogue AV. A pop up window tells us that “Your computer contaigns various signs of viruses and malware programs presence….” Our browser window has also seemingly disappeared, but if you move the warning slightly you can see it resized to hide behind the pop up.

Agreeing to the scan displays the fake scan of our system, going back to battlestartedsecurity.com for the necessary visual items.

A few more agreements to clean up our system advise us to download “install.exe”, currently only detected by 7 of 41 AV groups.
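The chain just walked through (search result, SEO doorway page, .ru redirector, affiliate landing script) is the kind of thing a proxy log can be mined for after the fact. The following is an added example, not the author's code: it reconstructs per-client request chains starting at a search results page, linking hops by `Referer` or by a 3xx `Location`, and flags chains that land on an affiliate-tagged page (`affid=`) or the `hitin.php` script. The log format is a constructed whitespace-separated layout assumed for this example, not any real proxy's format, and the records are constructed from the hops named above rather than captured.

```python
"""
Reconstruct search-to-rogue-AV redirection chains from proxy logs.
Added example; the log format and records are constructed for illustration.
Fields per line: timestamp client url referer status location ("-" if absent).
"""
from urllib.parse import urlsplit, parse_qs

# Constructed log records (not real traffic), following the hops on the page.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 http://www.google.ca/search?hl=en&q=facebook+unnamed+app - 200 -
10:00:03 10.0.0.5 http://kittingservice.com/canst.php?avi=facebook-unnamed-app http://www.google.ca/search?hl=en&q=facebook+unnamed+app 200 -
10:00:04 10.0.0.5 http://onlinetechnicals.ru/sm/r.php http://kittingservice.com/canst.php?avi=facebook-unnamed-app 200 -
10:00:05 10.0.0.5 http://uscaau.com/back.php http://onlinetechnicals.ru/sm/r.php 302 http://battlestartedsecurity.com/hitin.php?land=20&affid=94801
10:00:05 10.0.0.5 http://battlestartedsecurity.com/hitin.php?land=20&affid=94801 http://onlinetechnicals.ru/sm/r.php 302 http://battlestartedsecurity.com/index.php?affid=94801
10:00:06 10.0.0.5 http://battlestartedsecurity.com/index.php?affid=94801 http://onlinetechnicals.ru/sm/r.php 200 -
10:00:20 10.0.0.7 http://www.google.ca/search?q=weather - 200 -
10:00:22 10.0.0.7 http://example.org/forecast http://www.google.ca/search?q=weather 200 -
"""


def parse_log(text):
    """Parse the constructed log layout into a list of dicts (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, status, location = line.split()
        records.append({
            "ts": ts, "client": client, "url": url,
            "referer": None if referer == "-" else referer,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return records


def is_search_result_page(url):
    p = urlsplit(url)
    return "google." in (p.hostname or "") and p.path == "/search"


def build_chains(records):
    """Link each client's later requests to a chain that starts at a search page.

    A request joins the chain if it is the target of the previous hop's
    Location header (server redirect) or carries the previous hop's URL as
    its Referer (javascript/link redirect, as the page describes).
    """
    by_client = {}
    for rec in records:
        by_client.setdefault(rec["client"], []).append(rec)
    chains = []
    for client, recs in by_client.items():
        for i, start in enumerate(recs):
            if not is_search_result_page(start["url"]):
                continue
            chain = [start]
            for rec in recs[i + 1:]:
                last = chain[-1]
                followed_redirect = last["location"] is not None and rec["url"] == last["location"]
                followed_link = rec["referer"] == last["url"]
                if followed_redirect or followed_link:
                    chain.append(rec)
            chains.append((client, chain))
    return chains


def is_affiliate_landing(url):
    """Landing pages in this campaign carry an affid= tag or use hitin.php."""
    p = urlsplit(url)
    return "affid" in parse_qs(p.query) or p.path.endswith("hitin.php")


def describe_chain(chain):
    """Human-readable reasons the chain is worth an analyst's attention."""
    hosts = [urlsplit(r["url"]).hostname or "" for r in chain]
    reasons = [f"{len(chain)} hops from a search result"]
    if any(h.endswith(".ru") for h in hosts):
        reasons.append("passes through a .ru redirector")
    qs = parse_qs(urlsplit(chain[-1]["url"]).query)
    if "affid" in qs:
        reasons.append(f"affiliate id {qs['affid'][0]} on landing page")
    return reasons


def find_rogue_av_chains(log_text):
    """Return (client, [urls], reasons) for chains ending on an affiliate landing page."""
    hits = []
    for client, chain in build_chains(parse_log(log_text)):
        if is_affiliate_landing(chain[-1]["url"]):
            hits.append((client, [r["url"] for r in chain], describe_chain(chain)))
    return hits


if __name__ == "__main__":
    for client, urls, reasons in find_rogue_av_chains(SAMPLE_LOG):
        print(client, "->", " -> ".join(urls))
        print("   ", "; ".join(reasons))
```

Two details matter in practice. Browsers keep the original `Referer` across server-side redirects, so the `hitin.php` and `index.php` hops still cite `onlinetechnicals.ru`; matching on `Location` as well as `Referer` is what keeps the chain intact. And because the author observed that the redirect only fires when the Google search referrer is present, a sandbox replay of `kittingservice.com` without that header would look benign; the log-based view above catches the behaviour real users actually experienced.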

Other researchers have indicated different redirection paths being taken and different end result fake security tools.

As for the unnamed app, it is said to just be the “boxes” tab on your Facebook profile.
“The Boxes tab contains application profile boxes. A user or Page will have a Boxes tab added to their new profile by default if they currently have application boxes that do not support integration with the main profile/Page left column or if they have more profile boxes than can fit into the main profile/Page left column (more than 5).” (http://wiki.developers.facebook.com/index.php/Tabbed_Profile)

Removing it seems to be both nondestructive and reversible. According to
(http://answers.yahoo.com/question/index?qid=20100126190431AAJkPoW)
“to put back your boxes tab:

1. go back to the page where you removed the Unnamed App from.
2. select “edit settings” for an app under the “added profile boxes” section
3. click remove, then click add when it appears.”

Matt Sully
Director
Threat Research & Analysis
