According to the Daily Mail, an undercover investigation in India has uncovered that some call center workers have been selling confidential information on nearly 500,000 Britons.
Undercover reporters from The Sunday Times met with two individuals, who claimed to be IT workers and offered to provide them with 45 different types of data gathered from the victims.
Information offered up included names, addresses, phone numbers and credit card details (including CCV/CVV codes and expiration dates).
The reporters allege they could purchase the records for as little as 2 pence apiece ($0.03 USD). One of the IT workers (or, more accurately, thieves) bragged:
"These [pieces of data] are ones that have been sold to somebody already. This is Barclays, this is Halifax, this is Lloyds TSB. We’ve been dealing so long we can tell the bank by just the card number."
Early today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren’t for its ties to Stuxnet.
Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn’t jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.
The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.
Symantec reports that after it retrieves the additional malicious files it is focused on gathering information rather than industrial sabotage.
SophosLabs confirms that the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.
Signature of driver file (SHA1 hash of the file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9)
Signing certificate chain, root first:
- Issued to: Class 3 Public Primary Certification Authority; issued by: Class 3 Public Primary Certification Authority (self-signed root); expires: 3/08/2028 12:59:59 AM; SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
- Issued to: VeriSign Class 3 Code Signing 2009-2 CA; issued by: Class 3 Public Primary Certification Authority; expires: 21/05/2019 12:59:59 AM; SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
- Issued to: C-Media Electronics Incorporation; issued by: VeriSign Class 3 Code Signing 2009-2 CA; expires: 3/08/2012 12:59:59 AM; SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
This may not be a coincidence: Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other Taiwanese embedded chip manufacturers based in the same area.
The mystery remains, however. Were these certificates stolen from the companies, or simply issued through compromised certificate-authority infrastructure so that they appear to belong to these organizations?
As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.
Toshiba announced this weekend that a web server run by its US sales subsidiary had been hacked, and the email addresses, telephone numbers and passwords of hundreds of customers had been compromised.
The Japanese electronics firm said that the server was run by Toshiba America Information Systems Inc., and held personal data relating to 7,520 customers. Fortunately, according to the firm, the personal information exposed did not include any credit card data.
Nevertheless, you don’t want your email address and password falling into the hands of malicious hackers.
Not only could cybercriminals “try out” your passwords to see if they unlock any of your other online accounts (too many people use the same password on multiple websites), but they could also target you with attacks pretending to come from Toshiba.
After all, you have a business relationship with Toshiba – so you would be less suspicious of opening an email or clicking on a link which appeared to have been sent by them. Especially if some clever social engineering made the email appear particularly enticing.
A Toshiba spokesperson told the Wall Street Journal that the Toshiba subsidiary’s IT staff first noticed a problem with the web server on July 11th, and confirmed on July 13th that it had been hacked.
"We will continue the investigation and intend to thoroughly protect customers' information and manage (related computer) systems to prevent a recurrence."
All customers potentially affected by the hack are said to have been informed of the problem by the firm.
If you run a website it’s essential to ensure it is as secure as possible from hacker attacks.
July 14th is a big day in the French calendar as it celebrates the anniversary of the storming of the Bastille in 1789.
Concerts and parades are held to celebrate La Fête Nationale, marking what is considered the birth of the modern French nation.
July 14th is just a couple of days away, of course. But that doesn’t mean that there isn’t still time to decide what you’re going to do if you want to celebrate Bastille Day.
And it doesn’t mean that there’s not an opportunity for malware authors to take advantage.
Here’s one of a wave of spam messages being sent out to French email addresses, and intercepted by the experts in SophosLabs:
Subject: Bastille Day
Attached file: BastilleDay.rar
Bastille Day activities. See the attachment.
The attachment is, of course, malicious.
Inside the RAR archive attached to the emails is a file called
which has a text Notepad icon. That will probably be enough to fool many people into believing that it is a harmless text file.
Opening the SCR file (which Sophos detects as Troj/Mdrop-DPB) drops another file called WindowsUpdate.exe onto your computer and displays the following message in Notepad.
This is clearly designed to continue the illusion that you have only opened a harmless TXT file.
Bastille Day Festival Just Several days Away
Don't forget to mark your calendar for the biggest French festival of the year -- the 9th Annual Bastille Day festival on July 10, 2011, from noon to 8:00 p.m.
The festival features live music all day long, with an evening headliner act of "Le Jazz" with the Patrick Lamb Band as well as performances by the Portland Ballet and Portland Opera.
The popular beer and wine garden will feature Lillet apéritifs, Kronenbourg beer, and Georges Duboeuf wine; look for a whole block of food booths as well.
Visitors will enjoy shopping the crafts and vendor booths and handcrafted items, including original art. Children will enjoy the kids activity area, where they can do crafts, spin the wheel for prizes, learn how to play pétanque, or how to hula hoop.
Sophos detects the WindowsUpdate.exe malware dropped on victims’ computers as Troj/Agent-SNH.
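As an added illustration (not part of the original post, and not Sophos’s detection code), the following Python script shows how a mail gateway or an analyst could screen an attached archive for exactly the trick described above: an executable extension such as .scr hiding behind a document-looking name, or a member whose content carries the Windows executable header whatever its name says. Python’s standard library has no RAR reader, so the constructed sample is a ZIP archive; the member names and the two-byte “MZ” stand-in content are made up for the demonstration and do not reproduce the malware.

```python
import io
import zipfile

# Extensions Windows will execute directly; a .scr "screensaver" is an ordinary PE executable.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE/DOS executable


def assess_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member should be treated as suspicious (empty if none)."""
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # name.txt.scr style: a document-looking name in front of the real, executable extension
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguises an executable as a document")
    # Check content, not just the name: a renamed executable still starts with MZ
    if head.startswith(PE_MAGIC):
        reasons.append("content is a Windows PE executable (MZ header)")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for this check
            reasons = assess_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign text file and one executable disguised as a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("programme.txt", "Bastille Day activities")
        # Constructed stand-in for the dropper: just the DOS header magic, not a real program
        zf.writestr("BastilleDay.txt.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(f"{member}: " + "; ".join(reasons))
```

The content check matters more than the name check: an attacker chooses the file name, but cannot remove the PE header without breaking the executable, so a gateway that inspects the first bytes of every archive member catches the renamed file as well as the double-extension one.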
What’s strange about this entire attack is that it is clearly targeting French people, yet the social engineering is conducted entirely in English. You have to think that the malicious hackers behind the campaign would have been more successful if they had used French throughout.
Whether you’re a Francophile or not, don’t let malware rain on your parade. Always be suspicious of unsolicited email attachments that are emailed to you out of the blue, and ensure that you have defences in place to protect against the threats of malware and spam.
The website of British football superstar David Beckham has been hacked, with an image of a hapless dog attempting to eat a bowl of food painted on a street sign.
A message on the picture reads
"ScooterDAshooter = FAIL"
To be fair, Beckham probably has other things to distract him than his website’s security right now. Yesterday, his celebrity wife Victoria Beckham gave birth to a daughter, who they have decided to name – in the style of a science fiction android – Harper Seven.
That does mean, of course, that more people than usual might be visiting Beckham’s website in the hope of reading more information about their happy event.
Fortunately it appears that this particular hack is more about defacement than being malicious – if those who broke in had chosen to, they could probably have inserted malicious code into David Beckham’s website to install malware onto visiting computers.
And, in all seriousness, I doubt that David Beckham is a dab hand with an HTML editor and cascading style sheets, and he probably hires other people to maintain his website and be responsible for its security.
This isn’t the first time, of course, that a footballer’s website has been hacked. For instance, Diego Maradona was dubbed a “cry-baby” after his website was hacked by a Peruvian football fan in 2009.
And earlier this year, a hacker defaced Ronaldinho’s website with pictures that compared him to Star Wars hate figure Jar Jar Binks and Osama bin Laden.
If you run a website make sure you are doing everything to keep it as secure as possible. If you haven’t already done so, read this informative paper by SophosLabs, “Securing websites”, which covers some of the issues.
If you went to the website of Sony Music Ireland (sonymusic.ie) earlier today you would have discovered some astonishing celebrity stories:
- Scientists have proved that the X Factor TV show is for the stupid.
- Two members of the Irish pop band “The Script” were found dead in their backstage dressing room.
- Rebecca Black (the teenage singer who became an internet meme after her phenomenally bad “Friday” video became a YouTube hit) has married R Kelly in Disneyland.
- Perhaps most astonishingly of all, the story claims that Miss Black has joined Sony’s security team.
If it’s true that Rebecca Black is going to be helping Sony with their computer security, then she’s going to be kept busy.
But, of course, all of the stories are fake.
Hackers appear to have broken into Sony Music Ireland’s site and planted the bogus celebrity stories. It’s just the latest in a long line of attacks upon Sony websites, and further embarrasses the company as it tries to protect its online reputation.
Sony Music Ireland is presently redirecting visitors to its website to its Facebook page instead. Presumably they will bring the site back online once they are confident they have got its security under proper control.
If you run a website it’s essential that you ensure it is being kept as secure as possible. If you haven’t already done so, read this informative paper by SophosLabs, “Securing websites”, which covers some of the issues.
A Los Angeles man has been sentenced to a total of 13 years in jail after being found guilty of leading an international phishing operation, and growing marijuana on an industrial scale in his house.
27-year-old Kenneth Joseph Lucas II was sentenced after judges found the Los Angeles man guilty of leading the US branch of an international phishing operation that stole banking login details through spam email and bogus websites.
In addition, Lucas found himself on the wrong side of the law for growing more than 100 marijuana plants in his home, in a set-up which included an irrigation system, fans, indoor lighting and ventilation. He was clearly proud of his industrial scale marijuana operation as he posted videos on YouTube showing off his set-up.
What a plonker.
Lucas was the lead defendant in part of a multinational investigation known as “Operation Phish Phry”. The operation, which spanned the United States and Egypt, led to charges against 100 individuals in total – the largest number of defendants ever charged in a cybercrime case, according to an FBI press release.
As a result of Operation Phish Phry, 47 people have been convicted in federal court in Los Angeles.
Here’s how Operation Phish Phry worked.
Egyptian scammers would spam out emails that claimed to be from online banks. Victims would receive the emails, click on the links, and be directed to fake websites that pretended to be the online banks and enter their passwords, account numbers and other personal identifiable information.
The victims’ real bank accounts would be broken into, using the stolen information, and scammers in Egypt would transfer funds from the compromised accounts into other accounts.
Meanwhile, the US part of the phishing ring, run by Lucas and two others, recruited runners to set up and use bank accounts which received the stolen funds.
The ring leaders would alert the runners through various methods (SMS, internet chat, and phone calls) to withdraw the cash and send it to them via Western Union. A portion of the money stolen was then transferred via wire services to the Egyptian gang members.
The total amount of money stolen in this way was estimated to be more than $1 million.
So, don’t doubt that the threat is real – and significant amounts of money have been stolen through phishing. Banks and consumers alike need to take security seriously and make it harder for criminals to break into accounts and steal our hard-earned cash.
Sophos has published some best practice guidelines to help you avoid being phished.
By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say that Sony appears not to have learned anything from the previous 12 attacks.
SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.
Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”
If you are a database administrator (especially a Sony one) and want to keep your sensitive data from ending up in the headlines, I recommend you actually test your web applications for SQL injection vulnerabilities.
The same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony’s websites.
While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.
The data stolen includes:
- A link to a vulnerable sonypictures.com webpage.
- 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
- 21,000 IDs associated with a DB table labeled “BEAUTY_USERS” including email addresses and plain text passwords.
- ~20,000 Sony Music coupons (out of 3.5 million in the DB).
- Just under 18,000 emails and plain text passwords from a Seinfeld “Del Boca” sweepstakes.
- Over 65,000 Sony Music codes.
- Several other tables including those from Sony BMG in The Netherlands and Belgium.
The attackers, LulzSec, stated in their file titled “PRETENTIOUS PRESS STATEMENT.txt”:
“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
This sounds like a broken record… Passwords and sensitive user details stored in plain text… Attackers using “a very simple SQL injection” to compromise a major media conglomerate.
Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.
The takeaway for the average internet user is clear. Don’t trust that your password is being securely stored, and be sure to use a unique password for every website to limit your exposure if hacks like these occur.
I took a brief look at some of the information disclosed and many passwords used were things like “faithful”, “hockey”, “123456”, “freddie”, “123qaz” and “michael”.
Companies collecting information from their customers have a duty to protect that information as well.
In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.
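Both the Idahc dump described earlier (a SQL injection flaw and plain-text passwords) and LulzSec’s “very simple SQL injection” come down to the same two defects. The following Python example is added here to show both fixes side by side; it is not Sophos’s or Sony’s code. It builds a constructed in-memory SQLite database with two made-up accounts and compares a login routine that pastes user input into the SQL text and compares plain-text passwords against one that binds parameters and stores only salted PBKDF2-HMAC-SHA256 hashes, so that a dumped table does not hand out working passwords.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware allows


def hash_password(password: str) -> str:
    """Salted, iterated hash for storage; the stored string carries its own parameters."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the same two accounts stored the wrong way and the right way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    for email, pw in [("alice@example.com", "hockey"), ("bob@example.com", "faithful")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, pw))
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # BAD: user input becomes part of the SQL text, so a quote character rewrites the
    # query's logic, and the password is compared in the clear inside the database.
    query = (f"SELECT 1 FROM users_plain WHERE email = '{email}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # GOOD: a bound parameter is always data and can never change the query's structure,
    # and only a salted hash is stored, so a leaked table does not reveal passwords.
    row = conn.execute(
        "SELECT password_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        hash_password(password)  # do the same work for unknown accounts to avoid a timing tell
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the classic quote-breaking input, used here as a test probe
    print("vulnerable, real password:", login_vulnerable(db, "alice@example.com", "hockey"))
    print("vulnerable, tautology:    ", login_vulnerable(db, tautology, tautology))
    print("hardened, real password:  ", login_hardened(db, "alice@example.com", "hockey"))
    print("hardened, tautology:      ", login_hardened(db, tautology, tautology))
```

The two changes are independent and both are needed: parameter binding stops the injection that exposed the tables, while hashing limits the damage when a table is exposed anyway, which on this page is exactly what happened. Note that the hashed column is also what a penetration tester should expect to find when they do get a dump out of a test environment.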
Interested in some practical help with data security? Download our Data Security Toolkit.
Interested in encrypting your own personal files? Try out Sophos Free Encryption.
Are you one of the many people who is using a dangerously easy-to-guess password?
Maybe now’s the time to fix that before it’s too late.
Twitter, LinkedIn, World of Warcraft and Yahoo are amongst the popular websites which are advising users to change their passwords in light of the recent security breach at the Gawker Media family of sites.
The issue is that many people (33% in our research) use the same password on every single website. That means that if your password gets stolen in one place (like Gawker’s Gizmodo or Lifehacker websites), it can be used to unlock access to other sites too.
Unfortunately, an analysis of the passwords stolen in the Gawker incident shows that many people are choosing very poor passwords that are easy for intruders to guess.
Disturbing, isn’t it? Too many of us are choosing risible passwords – and trust me, the hackers know about the most commonly chosen passwords and are quick to try them out when trying to break into your accounts. Malware like the infamous Conficker worm has even had lists of commonly-used passwords built in – and has used them to try to spread further.
So, clearly people need to get out of the habit of using the same password everywhere, and they also need to ensure that their passwords are not easy to guess or crack.
But another thought springs to my mind. Why don’t more websites test the password that you’ve chosen to ensure that it’s strong enough?
It would be fairly simple, for instance, when a new user creates an account for the website to run the password they submit against a database of commonly used passwords and a dictionary. If the password you offer is a dictionary word, or is too easy to crack then it should be rejected by the website.
If websites simply tell users to change their passwords after the Gawker incident what’s to stop folks changing their “123456” password to the just as bad “password” password?
We need to not just drum the importance of password safety into users’ heads, but also police submitted passwords better to ensure weak ones *can’t* easily be chosen.
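Here is what the registration-time check suggested above could look like, as an added Python example that is not part of the original post and not code from any of the sites named in it. The common-password list and the dictionary are constructed stand-ins, seeded with the weak choices quoted on this page; a real deployment would load the published leak lists and a full word list from disk. The check goes slightly beyond the post by also stripping the usual disguises (capitalisation, leet-speak substitutions, digits or punctuation tacked onto the ends) before the dictionary lookup, since “Hockey2011!” is no harder to crack than “hockey”.

```python
import string

# Constructed denylist: the weak choices quoted on this page plus a few obvious ones.
COMMON_PASSWORDS = {"123456", "password", "faithful", "hockey", "freddie",
                    "123qaz", "michael", "qwerty", "letmein"}
# Constructed stand-in for a real dictionary file (one word per line in practice).
DICTIONARY = {"password", "hockey", "faithful", "michael", "freddie",
              "summer", "dragon", "monkey", "welcome"}
# Common leet-speak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 12
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def normalise(password: str) -> str:
    """Strip the decorations people add to a dictionary word to get past naive checks."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(password: str) -> list[str]:
    """Return every reason the password should be rejected; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    core = normalise(password)
    if core in DICTIONARY:
        problems.append(f"dictionary word '{core}' with trivial decoration")
    classes = sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)
    if classes < 2:
        problems.append("uses only one kind of character")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the weak ones from this page and one long passphrase
    for candidate in ["123456", "Hockey2011!", "P@ssw0rd", "correct-horse-battery-staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Returning the list of reasons rather than a bare yes/no lets the sign-up form tell the user exactly why “Hockey2011!” was refused, which is what steers them away from simply trying “Hockey2012!” next.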