Spyware, viruses, & security forum: NEWS - April 17, 2012

Microsoft's most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.

Since Microsoft announced Operation B71, I've heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a major of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).

At the time, nobody I'd heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft's actions as "irresponsible," and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.

Continued : http://krebsonsecurity.com/2012/04/microsoft-responds-to-critics-over-botnet-bruhaha/

Related: Controversy Erupts Over Microsoft's Recent Takedown Of A Zeus Botnet

"Is your site doing weird redirects? We just sent a 'your site might be hacked' message to 20K sites," read a tweet posted by Matt Cutts, the head of the webspam team at Google, yesterday.

So, you may be wondering what Google has to do with website security and what they mean when they say weird redirects.

Search Engine Land informs that in many cases website owners and administrators are not aware that their assets have been compromised, mainly because the sites identified by Google as being overtaken only redirect visitors who access them from the search engine.

Since owners and admins rarely go to their sites from search engines, they're unaware of the malicious operations that take place.

Regarding the systems used by Google to scan and block potentially infected websites, the company's support page reveals the following:

This identification is based in part on guidelines set by StopBadware.org. Google uses its own criteria, procedures, and tools to identify sites that host or distribute badware. In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.....

Continued : http://news.softpedia.com/news/Google-Sends-Notifications-to-20-000-Hacked-Site-Owners-264803.shtml

From the GFI Labs Blog:

There's been a couple of rather nasty spam runs taking place on Twitter over the last few days. Heres an example of a rogue URL being spread at the weekend: [Screenshot: Fake AV Spam]

The link in question - fuuut(dot)tk, was being sent by both compromised accounts and spambots. Anybody visiting the link would find themselves redirected to detectoptimizersupervision(dot)info where a piece of Fake AV was just dying to introduce itself:

[Screenshot] - [Screenshot]

The file above had a detection rate on VirusTotal of 3/42, and we caught it as Trojan.Win32.Fakeav.tri (v). A member of the FakeVimes family, the sites involved in this one would be replaced every three to six hours.

Today things continue to take a turn for the worse with all new spam links spreading on Twitter, which we have of course reported. Example:

Continued : http://www.gfi.com/blog/spam-leads-to-exploits-and-fake-av-on-twitter/

From the avast! Blog:

Germany leads EU in unpronounceable consumer protection

Germany has become the first country to enact a new EU law to protect online consumers against new types of fraud. One visible change will be a "Zahlungspflichtig bestellen" button on internet sites which translates into "order with an obligation to pay" button. [Screenshot: Button]

The law is designed to combat internet "subscription traps", sites that lure consumers with a free offer but actually sign them up for a service where the real costs are hidden and conditions can be misleading if not fraudulent. By late 2012, customers at German ecommerce sites will have to click a button labeled "zahlungspflichtig bestellen" to complete their online purchases instead of the current "anmeldung" (registration) button.

The "Button Law" adopted by the German Bundestag is a result from EU Directive 2011/83/EU on consumer rights. And, it might be used as a model for the other EU countries to copy as the 2013 deadline on the consumer rights Directive approaches. Since Germany is the largest economy in the European Union, this new law might just have a knock-on impact on consumer rights that goes outside of the country's borders.

According to Jana Pattynova, a partner at the Prague office of Pierstone, an international law firm, pointed out that along with the new button, potential customers will get information on three basic points:

Continued : https://blog.avast.com/2012/04/17/here-comes-the-zahlungspflichtig-bestellen-button/

Recent enforcement actions against Facebook and Google show the Federal Trade Commission (FTC) is on track to safeguard consumer privacy in the era of social networking, an agency official said Tuesday.

While FTC commissioner Julie Brill acknowledged the networking sites are changing how people get information and interact, she said it's important to remember that participation "can't be forced."

It's a "basic principle of the playroom," Brill said at a Broadband Breakfast Club event.

Brill pointed to a "trifecta" of enforcement actions the FTC has taken against Facebook, Google and Twitter as evidence the agency is moving aggressively to protect privacy. In the cases of Facebook and Google, the actions resulted in consent decrees that she said will be in place for two decades to ensure the companies only share and delete information with users' consent.

The FTC penalized Facebook for changing its terms of service to make public user information that had previously been private. Google's problems arose from the launch of the Buzz social network, a service that was scrapped after it created confusion for users about what information was shared and how one opted out.

Continued : http://thehill.com/blogs/hillicon-valley/technology/221911-ftc-official-sharing-on-social-sites-cant-be-forced

Related: FTC flexes muscles, warns that sharing can't be 'forced' on social websites

The story that I desire to report on seems it could be the plot of a movie. Khosrow Zarefarid, an Iranian software manager, found security vulnerabilities in Iran's banking system and tried to inform the management of the affected banks by preparing a detailed report.

As usual the bank's managers ignored the alert, so the Iranian expert decided to demonstrate the risk related to the discovered vulnerability, moving from theory to action.

He hacked 3 million bank accounts belonging to at least 22 different banks to support his study. Zarefarid's intellectual honesty is admirable, as he limited his actions to hacking systems, stealing anything from the accounts. He simply exploited the vulnerability by retrieving account details of around 3 million individuals, including card numbers and related PINs.

Zarefarid works at Eniak, which operates the Interbank Information Transfer Network System (Shetab), an electronic banking clearance and automated payments system used in Iran. Eniak is a leader in providing payment systems in Iran for point of sale, a crucial sector in the banking world and also manufacturing.

What is really seriuos is that on occasion of his first alert, the expert provided details on the security flaw and also on 1000 bank accounts, but he was ignored, and for this reason Zarefarid decided to make public the vulnerability.

Continued : http://www.infosecisland.com/blogview/21033-Iranian-Bank-Accounts-Hacked-A-Cyber-Warfare-Hypothesis.html

Also:
Iranian Takes Credit For POS Hack That Spills Three Million Bank Accounts
3 million bank accounts hacked in Iran