    Archive for January 14th, 2010




    I, like many others, am a big fan of Twitter, although I am fairly ruthless about pruning those I follow. Most of the people I follow are either other security professionals or close friends, and they normally Tweet content that I am genuinely interested in. The first hint of someone going over to the dark side is Tweets like:

    In McDonalds—should I get a cheeseburger or a big mac?
    4 minutes ago from iPhone by InaneTwit

    So confused—must decide soon—1 person in front of me in Q!
    3 minutes ago from iPhone by InaneTwit

    I got the cheeseburger!
    2 minutes ago from iPhone by InaneTwit

    And I will ruthlessly remove them. There is one exception to this, however: one of my younger siblings, who, for some reason, I let get away with this kind of thing. So I was not too surprised to see the following Tweet earlier today:

    This site is AWESOME!!!—http://TwitterBuilding.com
    about 2 hours ago from API

    Following the link, I came to the following page:

    Suddenly, my spider senses are tingling—call me paranoid, but that does not look particularly official. A quick search of the Web shows thousands of identical Tweets from thousands of people who have gladly handed over their passwords to this website (most likely the same password they use for everything, including the Holy Grail, their email account—something I wrote about way back in February 2009).

    What is the message here? Simple—“Think before you click!”

    Would you give your Twitter password to a random person on the street? Of course not, so why would you give it to a random site on the Web? If nothing else, it will save you time when, like my younger sibling, you have to change your password on every site you use.

    Less than a month after the so-called “Iranian Cyber Army” reportedly “hacked” the popular micro-blogging site, Twitter, they are back with another attack, this time against another Internet giant, Baidu. Baidu is China’s most popular search engine, as 62 percent of the total number of Web searches in the country are done with it compared with Google’s 29 percent share, according to research firm Analysys International.

    Some days ago, users who tried to access Baidu were instead redirected to the following page:


    According to Trend Micro advanced threats researcher Paul Ferguson, this attack was not a defacement. It was actually another Domain Name System (DNS) hijacking attack that the group staged to obtain the login credentials to the target site’s registrar account, quite similar to the DNS hacking they did to Twitter.

    However, advanced threats researcher Ivan Macalintal found that some details differentiated this attack from the Twitter DNS attack, which, he adds, may also be tied to a much larger string of other cybercriminal attacks.

    Although cybercriminal activities are mostly tied to gaining profit from their malicious exploits, it seems that we are seeing more and more attacks that are not driven by monetary gain. Specifically, we have observed that politically motivated online attacks, which have been in the threat landscape scene since 2007, are slowly increasing worldwide.

    We have not even reached half of January but Trend Micro has already noticed a spike in the number of politically motivated cybercriminal attacks on the websites of high-profile political figures and organizations from different parts of the world, as evidenced by the following blog posts:

    As of now, it has been reported that some Chinese hackers have hacked several of Iran’s websites right after the Baidu attack happened, apparently in retaliation to the Baidu DNS compromise. Some comments circulating on Web discussions mentioned that Iranians are blaming the Chinese for interfering with their war with Israel, hence the attack on the Chinese site.

    Whatever the reason may be, this kind of cybercriminal attack should not be ignored. Although such attacks may seem inconsequential right now because they carry no direct payload for users, they can potentially pave the way for a more serious threat to emerge—the kind that we mostly just see in movies—cyberwarfare.

    Credits:
    http://www.thedarkvisitor.com/2010/01/prc-hackers-attack-iranian-websites
    http://it.people.com.cn for the screenshots

    Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files (see Figure 1).

    The second campaign was more elaborate, as the involved malware (detected as TSPY_BANKER.MTX) had two components—one steals banking-related information while the other steals email account information (see Figure 2).


    Both campaigns may, however, be related, as the information they steal from users ends up in drop zones that are hosted on the same Web server:

    • {BLOCKED}unicaobr.com/phps/procopspro.php
    • {BLOCKED}unicaobr.com/working/lisinho.php

    Looking up webcomunicaobr.com revealed the following details:

    IP: 69.162.102.130 Hosted in the USA
    ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. Primary ASN
    ns1.brasilrevenda.com
    ns2.brasilrevenda.com

    Digging a little bit deeper still, three interesting pages cropped up that revealed the number of systems each contracted spammer has infected so far (see Figure 3), a list of PHP servers where stolen information is sent (see Figure 4), and a list of files that contained encrypted information downloaded by infected hosts (see Figure 5).
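    The linkage the post relies on (two campaigns posting stolen data to drop zones on the same Web server) is easy to make systematic. The following is an added example, not Trend Micro's own tooling: it groups campaigns by the IP their drop-zone hosts resolve to and by the nameserver pair serving them. All hostnames, IPs, ASNs and campaign names in it are constructed stand-ins, and the lookup table replaces live DNS/whois so it runs offline.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed lookup table standing in for live DNS/whois answers.
# None of these hosts, IPs or ASNs are real indicators.
HOST_INFO = {
    "dropzone-a.example": {"ip": "203.0.113.10", "asn": "AS64500",
                           "ns": ("ns1.hoster-a.example", "ns2.hoster-a.example")},
    "dropzone-b.example": {"ip": "203.0.113.10", "asn": "AS64500",
                           "ns": ("ns1.hoster-a.example", "ns2.hoster-a.example")},
    "dropzone-c.example": {"ip": "198.51.100.7", "asn": "AS64496",
                           "ns": ("ns1.hoster-c.example", "ns2.hoster-c.example")},
}

# Constructed (campaign, drop-zone URL) records: two campaigns share a server,
# a third is unrelated and must NOT end up in their cluster.
DROP_ZONES = [
    ("CAMPAIGN-1", "http://dropzone-a.example/phps/collect.php"),
    ("CAMPAIGN-2", "http://dropzone-b.example:8080/working/collect.php"),
    ("CAMPAIGN-3", "http://dropzone-c.example/gate.php"),
]


def host_of(url: str) -> str:
    """Return the lowercase hostname of a drop-zone URL (port stripped)."""
    return (urlsplit(url).hostname or "").lower()


def correlate(drop_zones, host_info):
    """Cluster campaigns by shared hosting.

    Returns (by_ip, by_ns): campaigns whose drop zones resolve to the same
    IP (same Web server, the post's linkage) and campaigns whose hosts are
    served by the same nameserver pair (a weaker hint of a shared operator).
    Only clusters linking two or more campaigns are reported.
    """
    by_ip = defaultdict(set)
    by_ns = defaultdict(set)
    for campaign, url in drop_zones:
        info = host_info.get(host_of(url))
        if info is None:  # host did not resolve: nothing to pivot on
            continue
        by_ip[info["ip"]].add(campaign)
        by_ns[info["ns"]].add(campaign)
    return (
        {ip: sorted(c) for ip, c in by_ip.items() if len(c) > 1},
        {ns: sorted(c) for ns, c in by_ns.items() if len(c) > 1},
    )
```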


    More spam campaigns from the said Web server may be seen in the days to come but Trend Micro product users need not worry as they are protected by the Smart Protection Network™, which blocks spammed messages and user access to malicious sites and domains and prevents the download of malicious files detected by Trend Micro as TSPY_BANKER.OCN and TSPY_BANKER.MTX.

    Trend Micro was alerted to the discovery of a recent threat that takes advantage of malicious search results generated from the Microsoft Office site.

    This threat targets users looking for tips and help-related information on using Microsoft Office products on Microsoft’s official website, particularly those looking to delete meeting notices without notifying the other invitees.

    Using the search string “delete meeting without notifying invitees” apparently led users to malicious results, which in turn led to the download of two malicious files—webvirusscanner77.com.htm-1 (detected by Trend Micro as HTML_FAKEALE.JD) and Setup102_2045-10.exe-1 or Setup111060_2045-10.exe-1 (detected as TROJ_FAKEXPA.IA).

    Both files have been found to be FAKEAV variants. Once executed, they displayed fake scanning results and prompted users to buy bogus antivirus software.


    According to Trend Micro threat researcher Norman Ingal, typing the search query into the site returns results not only from the site itself but from the entire Web. This attack puts users particularly at risk, as the URLs generated by the said search query begin with http://office.microsoft.com, which may trick them into thinking they are still in safe waters when they actually are not. Fortunately, however, Microsoft has addressed the said issue.

    Smart Protection Network™ protects Trend Micro product users by blocking user access to identified malicious sites and by preventing the download of all related malware.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice