Perunding keselamatan China dipercayai hasilkan spyware serang Google

BEIJING 22 Feb. - Penganalisis kerajaan Amerika Syarikat (AS) percaya seorang lelaki China yang mempunyai rangkaian dengan kerajaan telah menulis bahagian utama program perisikan atau spyware yang digunakan dalam serangan siber ke atas Google pada tahun lepas, lapor akhbar The Financial Times hari ini.

Lelaki tersebut, seorang perunding keselamatan ketika berusia 30-an, menyiarkan bahagian program itu pada sebuah forum penggodam di mana dia menjelaskan ia sebagai sesuatu yang sedang 'diusahakan' olehnya, menurut akhbar tersebut, memetik seorang penyelidik yang tidak dikenal pasti dan bekerja untuk kerajaan AS.

Pereka spyware tersebut bekerja sebagai seorang penulis bebas dan tidak melancarkan serangan itu, namun pegawai China mendakwa, mereka mempunyai 'laluan masuk khas' ke dalam programnya, menurut laporan itu lagi.

"Sekiranya dia mahu menjalankan kajian di bawah kemampuannya, dia perlu mematuhi peraturan," lapor akhbar itu yang memetik kata penyelidik kerajaan AS itu.

"Mungkin tiada anggota berpakaian seragam yang memerhatikannya dari belakang, namun tiada jalan lain untuk sesiapa yang memiliki tahap kemahiran sepertinya melarikan diri daripada perkara itu,'' kata laporan itu.

Bagaimanapun, laporan itu tidak menyatakan bagaimana penganalisis itu mengetahui mengenai hubungan antara lelaki terbabit dengan pihak kerajaan.

Dakwaan terhadap spyware itu merupakan episod terbaru dalam kemelut yang melanda Google dan AS terhadap China berhubung tembok kawalan Internet dan kelompok penggodam.

Pada Januari lalu, syarikat enjin carian gergasi Internet itu, Google, mengancam untuk berundur daripada China dan menutup portal bahasa Cinanya, Google.cn selepas tidak berpuas hati dengan lembaga tapisan dan serangan siber dari China.

Washington menyatakan sokongan mereka berhubung kritikan itu dan menggesa Beijing supaya menyiasat aduan serangan dengan mendalam dan secara telus.

Sebelum ini, Beijing menyatakan bahawa negaranya menentang gejala menggodam.

Laporan The Financial Times turut memetik sumber yang menyokong laporan akhbar The New York Times bahawa penganalisis telah mengesan serangan siber itu di dua buah institusi pendidikan China iaitu di Universiti Jiaotong Shanghai dan Sekolah Vokasional Lanxiang. - Reuters

Sumber Capaian : http://www.utusan.com.my/utusan/info.asp?y=2010&dt=0223&pub=Utusan_Malaysia&sec=Luar_Negara&pg=lu_11.htm

Kredit : www.utusan.com.my

Adobe security updates confuse users

18 February 2010

Adobe has issued a security bulletin warning users of its PDF and Acrobat applications against two widely publicised vulnerabilities but, in the haste to get the relevant patches out of the door earlier this week, one of the two URLs in the update was incorrect.

According to Adobe, its Reader 9.3 for Windows, Apple Mac and Unix, along with Acrobat 9.0, Reader 8.2 and Acrobat 8.2 for Windows plus Apple Mac, are vulnerable to the first potentially serious security flaw.

The second flaw could – under the right circumstances – give hackers the opportunity to inject malicious code using flaws in Adobe Reader and Acrobat for Windows, Apple Mac and Unix.

Graham Cluley, senior technology consultant with Sophos, has spotted the fact that the Apple Mac URL actually links to a page full of Windows files.

"A not entirely helpful link for Mac users", he said in his blog posting, adding that: "Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1."

Infosecurity also notes that Adobe was – as of lunchtime today – still offering Adobe Reader 9.3.0 on its official download site, despite the fact that the two security vulnerabilities have been detected in this edition.

The best option seems to be to install Adobe Reader 9.3.0 and then the security update to patch the software up to version 9.3.1.

Url Ref : http://www.infosecurity-magazine.com/view/7441/adobe-security-updates-confuse-users/

Credit to : www.infosecurity-magazine.com

Operation Aurora malware investigated

Posted on 10.02.2010

Operation Aurora has become a name that is instantly recognized by everyone involved in cyber security. Speculation still abounds regarding the people and/or nation behind it, but what is certain is that the primary intent behind it is the theft of intellectual property.

According to a HBGary report, all these attacks on different companies have in common the means of execution: a flaw in the Internet Explorer browser was exploited to insert malware which drops a backdoor program in the targeted systems and networks.

There is a high probability of this malware having been developed in Chinese, and the control system seems designed for Chinese users, which suggests that the operation is Chinese. But, there is no hard evidence to suggest that the Chinese government is behind it.

Indeed, taking into consideration the thriving global underground economy that sprung up around malware and data theft, and the considerable money-hungry hacking subculture existing in China, it is likely that the ultimate goal was money. In Google's case, it's possible that the compromise of Gmail accounts belonging to Chinese dissidents served to throw the investigators off the scent of the real culprits.

According to the report, "forensic tool-marks in the CRC algorithm can be traced to Chinese origin. That, combined with domain registration information, leads to at least one potential actor, Peng Yongii." Peng Yongii is the owner of a small company from whose 3322.org service many of the attacks originated. "While Peng Yong is clearly tolerant of cyber crime operating through his domain services, this does not indicate he has any direct involvement with Aurora," says in the report.

So how can you detect Operation Aurora in your enterprise? First, you have to be aware of how the attack is executed:

• The JavaScript exploits a vulnerability in Internet Explorer 6
• The shellcode embedded in the JavaScript downloads the dropper
• A secondary payload server delivers a dropper
• The backdoor program is decompressed from the dropper and an embedded DLL is inserted into the Windows system32 directory and loads it as a service. The DLL is then modified to avoid detection, and the dropper deletes itself from the system.

Secondly, you should know that even though at first glance it is difficult to detect it, this attack does leave some traces in the system.

There are some exploit remnants that can be searched for in the heap space of Internet Explorer post exploitation attempt. There are some patterns and paths through which you can detect the final payload command and control communications, some additional registry keys created by the payload, and other potential dropped files that can be detected. You can look up all of these in the report.

The malware allows commands to be executed and files to be stolen. With the public release of the MS10-002 vulnerability by Microsoft and the exploit code being added to Metasploit to form the module “ie_aurora.rb”, a lot of other attackers were able to mount the same attack. HBGary is at the moment identifying these group though their Digital DNA database and tracking their movements.

They also presented the highly useful digital DNA sequence for the Aurora malware:


This sequence can be detected by using a Digital DNA capable platform such as McAfee ePO. Also, many anti-virus products have signatures for detecting the exploit and allow for removal of the malware. Known "command and control" domains (also in the report) can be blocked by firewalls. Additionally, HBGary has made available on their website a signed binary that scans and removes the malware from the network.



Url ref : http://www.net-security.org/malware_news.php?id=1223
Credit to : Net-security.org

Critical infrastructure is a primary cybercriminal target

Posted on 11 February 2010.

Critical infrastructure such as energy, pharmaceutical and government assets are more than twice as likely to be targeted by cybercriminals than other organizations, according to a ScanSafe report.


The report is based on an analysis of more than a trillion Web requests processed in 2009 by the ScanSafe Threat Center on behalf of the company's corporate customers in more than 100 countries. It represents the world's largest security analysis of real-time traffic.

This research reflects a disturbing trend – organizations that harness the most valuable intellectual data are encountering Web malware with much greater frequency than other verticals. Most at risk are:

1. Energy & Oil with a 356% greater rate of direct encounters with data theft Trojans
2. Pharmaceutical & Chemical with a 322% greater rate
3. Government with a 252% greater rate
4. Banking & Finance with a 204% greater rate.

"There is a misconception that cybercriminals are only intent on stealing data intended for credit card fraud and identity theft. In reality, cybercriminals are casting a much wider net," said Mary Landesman, senior security researcher at ScanSafe. "Consumer credit card details are child's play compared to the value of infrastructure and intellectual data from these sensitive verticals. The message is clear – cyberwar is already here. The Web is the battlefield and the enterprise is on the frontlines."

In addition, the report reveals that Web-delivered malware more than doubled through the course of the year. At the start of 2009, the average enterprise experienced 8 Web malware encounters each day. By the end of 2009, the rate of exposure had more than doubled to 19 encounters per day. Twenty-three percent of those encounters were with zero day malware undetectable by signature-based methodologies and nineteen percent were direct encounters with data theft Trojans.

Other key findings include:

Malware is the new Internet business of choice
The business structure behind cybercrime today is not unlike the business structure behind any other global economy. Attackers play many roles in this commercial world including 'The Sole Proprietor', 'The Middleman', 'The Developer', and 'The Buyer'.

Gumblar botnet dominated the malware scene in 2009
14% of the total Web malware blocks for the year were from Gumblar. This peaked to 35% of all blocks in November 2009. Asprox was the second largest at 2% of all Web malware blocks and Zeus was the third largest with 1%.

Malicious PDF files are up, malicious Flash files are down
Malicious PDF files comprised 56% of Web-encountered exploits in 1Q09, growing to 80% by 4Q09. Flash exploits encountered via the Web dropped from 40% in 1Q09 to 18% in 4Q09. This trend is likely indicative of attackers' preference for PDF exploit, likely due to the increasing availability of vulnerabilities and the continued widespread use and acceptance of PDF files in the workplace.


"To confront the challenges of the coming years, we must reposition our thinking to match the new reality. We must forgo our perceived familiarities and see the issues that are already at hand – the criminal business of data harvesting," comments Landesman. "Our defenses must extend beyond the confines of brick and mortar and into the cloud to ensure end-to-end protection of our most sensitive assets and people, regardless of operating system, device or geo-locale."

___
Url Ref : http://www.net-security.org/secworld.php?id=8860
Credit to : net-security.org

Lebih Banyak Pakar Keselamatan Maklumat Diperlukan, Kata CyberSecurity Malaysia

09 Februari, 2010 21:08 PM

KUALA LUMPUR, 9 Feb (Bernama) -- Meskipun jenayah siber perbankan Internet masih di paras yang boleh ditangani, negara masih perlu melahirkan lebih ramai pakar keselamatan maklumat, demikian menurut CyberSecurity Malaysia.

"Saya tidak mahu mendakwa bahawa kita kekurangan pakar atau pakar kita sudah mencukupi untuk menyelesaikan masalah tetapi kita perlu bekerjasama bagi melahirkan lebih ramai pakar," kata Ketua Pegawai Eksekutifnya Lt Kol (Bersara) Husin Jazri.

Beliau berkata dengan bilangan pengguna Internet yang semakin meningkat dan aliran sekarang yang menuju ke arah penggunaan lebih canggih seperti perbankan mudah alih, negara perlu bersedia dalam segenap segi, terutamanya dengan pakar keselamatan maklumat.

Ketika ini, Malaysia mempunyai kira-kira 16 juta pengguna Internet, katanya kepada pemberita selepas menyampaikan ucapan pembukaan di Seminar RSA CyberSecurity 2010, di sini, pada Selasa.

Mengenai perbankan dalam talian, Husin berkata pihak yang paling terjejas akibat daripada jenayah siber adalah pengguna dan bukannya institusi kewangan.

"Saya tidak bimbangkan bank-bank. Mereka mempunyai banyak wang untuk menjamin keselamatan sistem mereka. Mereka boleh mendapatkan perunding terbaik dunia untuk memeriksa sistem keselamatan mereka," katanya.

"Manusia yang menerima kesan, bukan bahagian teknologi. Pengguna menjadi mangsa. Apabila pengguna berkomunikasi dengan bank, mereka terdedah kepada ancaman kejuruteraan sosial, skim penipuan dan ancaman-ancaman lain."

Menurut Husin, pengguna dalam talian perlu sedar bahawa bank-bank tidak pernah membuat penyenggaraan dalam talian bagi pelanggan mereka berkaitan dengan perbankan Internet.

"Kami perlu memberi pendidikan kepada pengguna tentang hakikat ini yang mana boleh membantu membendung masalah apabila mereka menyedari akan aspek ini," katanya.

Daripada sejumlah 3,564 kes yang dilaporkan tahun lepas, 1,022 merupakan kes penipuan dan pemalsuan yang menyumbang satu pertiga daripada kes, kata Husin.

"Kita harus berkongsi pengetahuan dan mengenal pasti strategi yang perlu untuk menangani ancaman seperti peningkatan risiko menceroboh sistem keselamatan, pencurian identiti, emel penipuan dan keganasan siber," katanya.

-- BERNAMA

Sumber Capaian : Bernama.com

More information security experts needed, says CyberSecurity Malaysia

2010-02-09 18:16

KUALA LUMPUR, Feb 9 (Bernama) -- Although Internet banking cybercrimes are still at a manageable level, the country still needs to produce more information security experts, according to CyberSecurity Malaysia.

"I do not want to claim we have a lack of experts or our experts are enough to solve problems but we need to collaborate to produce more experts," said its chief executive officer Lt Col (Rtd) Husin Jazri.

He said with the number of Internet users rising and the trend moving into an advanced level such as mobile banking, the country needed to be prepared in all areas, particularly with information security experts.

Currently, Malaysia has about 16 million Internet users, he told reporters after delivering the opening speech at the CyberSecurity RSA Seminar 2010 here today.

On online banking, Husin said it was the users rather than financial institutions that were most affected by the cybercrimes.

"I'm not worried about the banks. They have a lot of money to secure their systems. They can have the world's best consultant to look into their security systems," he said.

"It's the human part that gets affected, not the technological part. The users become the victims. When the users communicate to the banks, they are exposed to the social engineering, scams and other threats."

According to Husin, online users should be aware that banks never do online maintenance as far as Internet banking is concerned for their customers.

"We need to educate users on this fact which can contribute towards curbing the problem when they aware of this aspect," he said.

From the total of 3,564 cases reported last year, 1,022 were fraud and forgery cases, which accounted for one-third of the cases, Husin said.

"We should share know-how and identify the necessary strategy to address threats such as increasing risk of security breaches, identity theft, phishing and cyberterrorism," he said.

MySinchew 2010.02.09

Sumber Capaian : mysinchew.com

Elak masuk jerat laman web sosial

2010/02/10

KUALA LUMPUR: Golongan muda khususnya pelajar sekolah disaran berwaspada menggunakan laman web sosial seperti Facebook, MySpace dan Friendster bagi mengelak ancaman jerat siber.

Ketua Jabatan Capaian Luar Cyber Security Malaysia, Azman Izham Khairuddin, berkata ini berikutan pihaknya mendapati banyak kes jenayah siber yang menjadikan golongan muda sebagai mangsa.

Beliau berkata, masyarakat Malaysia masih belum menyedari laman web adalah penyumbang utama kepada jenayah.

Katanya, ini berikutan ledakan dunia siber memberi banyak pendedahan kepada sebarang maklumat buat masyarakat serta mampu menerawang ke segenap sudut dan dicapai oleh siapa saja.

"Jenayah siber di Malaysia tidak kurang hebat seperti apa yang berlaku di negara luar, cuma kita kurang pendedahan dan orang ramai bebas mendedahkan identiti di laman web masing-masing.

"Di Malaysia, banyak kes membabitkan golongan muda seperti kanak-kanak dan pelajar sekolah terpedaya dan akhirnya terperangkap," katanya selepas sesi pertama seminar kesedaran CyberSAFE For Youth, di sini, semalam.

Seminar sehari anjuran Cyber Security Malaysia ini diadakan untuk memupuk kesedaran ancaman siber kepada golongan muda agar tidak terpedaya dan taksub dengan dunia di laman web.

Mengulas lanjut, Azman Izham berkata, sekiranya tidak berhati-hati mereka boleh menerima 'virus' berbahaya dan terdedah kepada pelbagai risiko termasuk buli alam siber, , mangsa penipuan, kehilangan data atau kecurian identiti.

Sementara itu, peserta seminar, Hazeeqah Amirah Yaziz, 16, berkata dirinya kini akan mula berhati-hati dan tidak lagi mendedahkan maklumat peribadi di laman web khususnya laman sosial.

"Selepas ini saya akan mula menapis kenalan di Facebook dan tidak meletakkan gambar berunsur peribadi dalamnya. Saya juga tidak akan mudah percaya dengan rakan kenalan di laman sosial kerana kini baru saya sedar ia boleh mendatangkan bahaya serta mengancam keselamatan," katanya.

Sumber Capaian : Harian Metro

SKMM siasat 352 kes seleweng maklumat dalam internet

KUALA LUMPUR: Sebanyak 352 kes penyelewengan maklumat dalam internet telah disiasat Suruhanjaya Komunikasi dan Multimedia Malaysia (SKMM) sepanjang tahun lalu dan daripada jumlah itu 13 kes dibawa ke mahkamah, kata Menteri Penerangan Komunikasi dan Kebudayaan, Datuk Seri Dr Rais Yatim.

Beliau berkata, semua kes yang telah dibawa ke mahkamah disiasat mengikut Seksyen 211 dan 233 Akta Komunikasi dan Multimedia 1998 yang membawa hukuman denda maksimum RM50,000 atau penjara setahun atau kedua-duanya sekali jika sabit kesalahan.

"Justeru, pengamal media terutamanya media baru (dalam talian) diingatkan lebih bertanggungjawab dalam memastikan penulisan mereka selaras dengan peruntukan undang-undang yang digunapakai.

"Golongan ini juga perlu melaporkan maklumat yang benar dan bukannya penyelewengan yang akan mengakibatkan masyarakat berpecah-belah," katanya dalam ucapan pada pelancaran akhbar dalam talian Makkal Osai di sini hari ini.

Teks ucapan beliau dibacakan Timbalan Ketua Setiausaha Kementerian, Datuk Dr Mohd Ali Mohd Noor.

Rais berkata, sepanjang tahun lalu juga sebanyak 38 kes telah didenda atau dikompaun dengan jumlah kutipan RM460,000, manakala 88 kes telah ditutup oleh pendakwa raya atas sebab-sebab tertentu, sama ada tidak cukup bukti ataupun atas budi bicara jabatan itu.

Mengenai akhbar Makkal Osai, Rais berkata pelancaran versi dalam talian itu secara tidak langsung memperlihatkan pencapaian akhbar yang selari dengan arus teknologi masa kini dan sewajarnya dicontohi oleh akhbar berbahasa Tamil lain.

Namun, beliau difahamkan pengurusan akhbar berbahasa Tamil di negara ini mengalami kekangan di mana kurangnya sokongan pengiklan dengan hanya 0.4 peratus daripada jumlah keseluruhan pengiklan di negara ini.

"Oleh yang demikian, saya berharap kepada pengiklan supaya memberikan sokongan kepada akhbar Tamil di negara ini yang pengedarannya mencecah 100,000 manakala jumlah pembacanya hampir 400,000 orang setiap hari," katanya.

Akhbar Makkal Osai mula diterbitkan secara mingguan sejak 1992 dan seterusnya diterbitkan setiap hari mulai 2005 dengan purata jualan 52,000 nashkah sehari dan bermula hari ini versi dalam talian boleh dilayari menerusi www.makkalosai.com.my. - Bernama

Sumber capaian : Berita Harian

February 2010 Bulletin Release Advance Notification

Today we released February bulletin information through our Advance Notification Service (ANS). This month, we will be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office. More information about the upcoming security updates can be found on the Advance Notification Service (ANS) webpage.

As we started to do in December, we want to give customers a peek at what our deployment guidance will be next Tuesday. This month, we will be giving four of the bulletins a deployment priority rating of 1. In the ANS, those are bulletins 1, 2, 3, and 6. We recommend that customers test and deploy all security updates as soon as possible but you should prioritize these first.

To further help customers prioritize, I have pulled the Windows information from the ANS into a summary table so depending on the version you are running, you can see how many bulletins you need to prepare for:

Version	Critical	Important	Moderate	Low	Total
Windows 2000	5	3	1	0	9
Windows XP	5	2	1	0	8
Windows Server 2003	4	3	2	0	9
Windows Vista	3	3	0	0	6
Windows Server 2008	3	4	0	1	8
Windows 7	3	2	0	0	5
Windows Server 2008 R2	3	1	0	1	5

The Office related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file). The vulnerabilities only affect older versions of Office so customers on Office 2007 or Office 2008 for Mac will have not actions this month.

We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products.

I also want to give a summary of the three open Security Advisories so customers know what to expect on Tuesday:

· Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of windows older than Vista in their default configuration, and there is a “Fix It” available so customers in non-default configurations can protect themselves.

· Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.

· Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.

We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.

Last month I started including important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products end as, once they do, we will no longer provide security updates:

• Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
• Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
• Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000.

Finally, please plan to join Adrian Stone and myself next week for our regular live webcast where we will go in to detail on each bulletin to give you even more information and guidance:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope to see you there!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

url ref : http://blogs.technet.com/msrc/archive/2010/02/04/february-2010-bulletin-release-advance-notification.aspx

Greater Manchester Police hit by Conficker

04 February 2010

The continuing problem of staff popping infected USB sticks `from home' into their office PCs has reportedly hit Greater Manchester Police with a full-blown Conficker worm infection.

Reports on Northwestern TV news and the local press in Manchester say that the computer systems of Greater Manchester Police were effectively cut off from most of the police national computer for around three days. It's unclear whether the cut-off was caused by the Conficker worm or the PNC operators shutting off access to protect their own resources, but the police say the infection was caused a member of staff plugging an infected USB drive into an office computer system.

The problems started on Friday evening and spread over the weekend, downing internet connections and email access, and causing officers to switch to contingency plans which involved their phoning colleagues in other forces for urgent PNC information.

According to the Manchester Evening News, the police's IT staff worked through the weekend and managed to eradicate the Conficker worm by Monday afternoon.

This isn't the first time that Mancunian computer systems have been hit by Conficker as almost a year ago, Manchester council's computer systems were downed by the worm, costing the local government agency an estimated £1.5m to fix the problem.

In that incident the council was forced to write off a number of parking tickets. It is not known whether police in Manchester will also have to write off similar penalty notices due to the outage.

According to Jason Holloway, Northern European sales manager with SanDisk, the reports that the infection was caused by a USB stick underlines the fact that conventional USB flash drives are a key method for spreading these infections stealthily.

The infections can, he said, occur without the USB stick owner being aware of the infection, as was the case with the Ealing and Manchester council worm problems of last year.

"Virus scanning has to extend beyond the PC to all types of removable storage", he said.

"Better still, employees should only be able to use authorised flash drives that include on-board antivirus scanning. This ensures that users cant turn off, disable or work around the protection, and would stop these infections from spreading", he added.

Url article : http://www.infosecurity-magazine.com/view/7005/greater-manchester-police-hit-by-conficker/

____________________

wee..this attack still happen..

Hackers don't just want your banking passwords; now they take everything

By Robert McMillan Moscow | Sunday, 31 January, 2010

http://computerworld.co.nz/news.nsf/scrt/538E31806B2A2662CC2576BB007009FD

According to researchers at Kaspersky Lab, cybercriminals are trying to sell hacked Twitter user names and passwords on-line for hundreds of dollars.

Since 2005, the bad guys have been developing new data-stealing malware that is now a growing problem on the internet. Some of these programs look for banking passwords, others hunt for on-line gaming credentials. But the fastest-growing data stealers are generic spying programs that try to steal as much information as possible from their victims, said Kaspersky Researcher Dmitry Bestuzhev, speaking at a press event Friday.

In 2009, Kaspersky identified about 70,000 of these programs — twice as many as the year before, and close to three times the number of banking password stealing programs.

They're popular because criminals are starting to realise that they can do better than simply swiping credit card numbers. Bestuzhev has seen Gmail accounts for sale on Russian hacker forums, (asking price 2,500 roubles, or US$82) RapidShare accounts going for $5 per month, as well as Skype, instant messaging and Facebook credentials being offered.

Asking prices can vary greatly, depending on the name of the account and the number of followers, but attackers are looking for an initial, trusted, stepping stone from which to send malicious Twitter messages and, ideally, infect more machines.

Bestuzhev said that one Twitter account, with just over 320 followers, was offered at $1,000 in an underground hacker forum. The user's name was a simple three letter combination that Bestuzhev thought might make it more valuable to criminals. Compare that to an MSN account, which Bestuzhev has seen priced at €1 ($1.40).

"The price for Twitter accounts is really high," he said.

When the value of stolen credit cards and other types of credentials are added up, hackers can easily take in $1,000 worth of data from just one hacked computer, Bestuzhev said.

About 63 percent of all password stealing Trojan programs come from China, he said. The number-two source is Russia, which accounts for 12 percent.