Twitter phishing attack disguised as BT

BT’s customer services’ Twitter account has been used to spread a phishing attack.

Twitter users have been claiming that BT Care has been hacked, but BT said this is not the case.

"The BT Care Twitter account has not been hacked. There is a suspected phishing attack which has affected a small number of our followers," said a BT spokeswoman.

http://www.computerweekly.com/Articles/2009/10/30/238357/twitter-phishing-attack-disguised-as-bt.htm

eBay.co.uk blocked for smelling phishy

Online tat bazaar ebay.co.uk was blocked for much of yesterday because OpenDNS wrongly labelled auction pages on the site as phishing pages.

Individual items, with addresses starting cgi.ebay.co.uk, were unavailable to anyone using the system, or using an ISP which uses the system.

Instead surfers saw this error message:
"Phishing Site Blocked Phishing is a fraudulent attempt to get you to provide personal information under false pretenses."

Several threads in forums reported the issue and explained how to manually restore access. The problem has now been fixed, according to a poster in OpenDNS’s own support forum.

http://www.theregister.co.uk/2009/10/30/ebay_opendns_block/
http://forums.opendns.com/comments.php?DiscussionID=5317&page=2

Tech Know: How to hack a handset

The recipe is simple.

Take as many mobile phone developers, hackers and builders as you can find; put them in The Great Hall at Imperial College; add a liberal helping of heavyweight companies talking about new tools, developer aids and techniques to program mobile phones during the day; then challenge them to come up with "something new".

Leave this to simmer as hackers work through the night and have everyone present their new programs to the rest of the conference the next day.

That sums up the Over the Air hackathon. Now in its second year of bringing together the UK’s mobile developer community, it continues to have a huge impact on those who get involved with the overnight competition.

One of the groups involved in the hacking challenge was from mobile developer Future Platforms. Last year it walked away with the Best Overall Prototype for a multi-limbed robot called Octobastard. This year it wanted to produce something beautiful as well as clever. The result was Project Bluebell.

Continue reading about the handset hackathon at http://news.bbc.co.uk/2/hi/technology/8332665.stm

Sanford Wallace Loses Again; Owes Facebook $711 Million

Sanford "Spamford" Wallace, of course, was the original "spam king" back in the 1990s. Despite his claim to have reformed at one point, he apparently has been spamming various social networks and advertising spyware. Back in 2004, the FTC investigated him and fined him $4 million. Last year, MySpace won a $234 million judgment against him. Wallace responded by disappearing. At one point, even his lawyer couldn’t find him. Earlier this year, when Facebook sued him for spamming their users as well, it seemed unlikely that he would bother to respond. Surprising pretty much everyone, he showed up in court, though he claimed he was totally bankrupt. Either way, Facebook has just been awarded a $711 million judgment against him.

http://techdirt.com/articles/20091029/1840516725.shtml

Also in http://www.pcworld.com/article/181060/will_facebooks_711_million_antispam_win_matter.html

I removed MS09-058 security update in Vista

Wish me luck.  I removed the MS09-058 security update (released by Microsoft earlier this month).  I keep getting BSOD 0x1000008e each time I click the "Send/Receive" button in Outlook.  I’ve done memtest, diagnostic tests, re-inserted the memory sticks and a clean boot (also used the Dell diagnostics tool), but nothing is helping or showing that any of my devices, software or drivers is at fault.  I went through removing AV and firewall software but no joy.  I’ll see if MS09-058 is the culprit.  If it is… then I’ve got a friend who will try it too because he’s seeing the same issue – BSOD 0x1000008e.

Anyway, the event log is not much help.  Just seeing 1 info and 1 error that I figured are not related. The info in the many Minidump files isn’t helping either, other than saying it is a kernel error. Keeping my fingers crossed! If no more BSOD after removing MS09-058… I’m a happy camper!


So I now have MS09-058 being offered again by MU because I removed it.

I’ll install that back if I get another BSOD.

Update:  BSOD again even though MS09-058 has been removed :( Back to square 1!

Update 2, Oct 31:  SBS Diva Susan Bradley is helping me to find the culprit.  Armed only with dump files… keyscrambler.sys seems to be the culprit, but another dmp file I have shows ntoskrnl.exe will not load.  First thing to do is remove KeyScrambler v2.60 to see if the BSODs will stop.  Note though that I installed that new version of KeyScrambler on Oct. 6 or 7.  The crashes started Oct. 19 and continue to the present.  Many thanks Mom Susan for helping all the time!

Update 3, Nov. 1:  I reported the issue to KeyScrambler.  I had another BSOD even after uninstalling KeyScrambler, but the BSOD bug check shows ntoskrnl.exe.  Whether it’s related to KeyScrambler (because the KS driver hooks into the kernel)…. I’m tired of this.  I think I’ve spent a lot of days on it already.  The system is OK until I use Outlook to send email.  It’s crazy.  I’d better go back to my ‘image’ backup from prior to Oct. 13.  Yeah, I’d better do that today.  It’s Halloween anyway (not so busy… at least not my inbox full of malware spam to review and add to the collection!) And BTW, the new BSOD even after I removed KeyScrambler v2.60 is this, and it occurred today, Nov. 1, at 4:15PM (GMT+8):

Another thing for me to analyze? :( 

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\Mini110109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6002.18082.x86fre.vistasp2_gdr.090803-2339
Machine Name:
Kernel base = 0x81e4c000 PsLoadedModuleList = 0x81f63c70
Debug session time: Sun Nov  1 16:12:06.310 2009 (GMT+8)
System Uptime: 0 days 2:34:32.596
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
…………………………………
Loading User Symbols
Loading unloaded module list
…….
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {20, 2, 0, 8a491e2f}

Probably caused by : tcpip.sys ( tcpip!TcpPushRequestReceive+86 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000020, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8a491e2f, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from 81f83868
Unable to read MiSystemVaType memory at 81f63420
00000020

CURRENT_IRQL:  2

FAULTING_IP:
tcpip!TcpPushRequestReceive+86
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  81f41a7c -- (.trap 0xffffffff81f41a7c)
ErrCode = 00000000
eax=00000001 ebx=b6d6dc44 ecx=b6d6dd2c edx=00000000 esi=00000000 edi=b6d6db58
eip=8a491e2f esp=81f41af0 ebp=81f41b0c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
tcpip!TcpPushRequestReceive+0x86:
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h] ds:0023:00000020=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8a491e2f to 81e99fb9

STACK_TEXT: 
81f41a7c 8a491e2f badb0d00 00000000 00000000 nt!KiTrap0E+0x2e1
81f41b0c 8a47c19c b6d6db58 85663bc0 00000100 tcpip!TcpPushRequestReceive+0x86
81f41b30 8a47bdb1 00632330 81f41b94 81f41c50 tcpip!TcpProcessExpiredTcbTimers+0x165
81f41b68 81ef62eb 85663bc0 00000000 0048ba31 tcpip!TcpPeriodicTimeoutHandler+0x18b
81f41c88 81ef5eab 81f41cd0 868c0802 81f41cd8 nt!KiTimerListExpire+0x367
81f41ce8 81ef6615 00000000 00000000 000911d9 nt!KiTimerExpiration+0x22a
81f41d50 81ef487d 00000000 0000000e 00000000 nt!KiRetireDpcList+0xba
81f41d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x49

STACK_COMMAND:  kb

FOLLOWUP_IP:
tcpip!TcpPushRequestReceive+86
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  tcpip!TcpPushRequestReceive+86

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tcpip

IMAGE_NAME:  tcpip.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a856b4a

FAILURE_BUCKET_ID:  0xD1_tcpip!TcpPushRequestReceive+86

BUCKET_ID:  0xD1_tcpip!TcpPushRequestReceive+86

Followup: MachineOwner
---------

I’m tired. I have a backup from before Oct. 13 that doesn’t have all this… I need to go back!  ROFL
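A small triage helper, added here as an example and not part of the post above, that reads the bugcheck line, the trap-frame registers, the faulting instruction and the stack from an excerpt of the WinDbg output (values copied from the dump above) and checks whether Arg1 of the 0xD1 bugcheck is consistent with a NULL structure pointer read at offset 0x20 (esi=0, operand [esi+20h]) inside the tcpip timer DPC:

```python
import re

# Excerpt constructed from the WinDbg output quoted in the post (values copied from it)
DUMP = """\
BugCheck D1, {20, 2, 0, 8a491e2f}
eax=00000001 ebx=b6d6dc44 ecx=b6d6dd2c edx=00000000 esi=00000000 edi=b6d6db58
tcpip!TcpPushRequestReceive+0x86:
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h] ds:0023:00000020=????????
STACK_TEXT:
81f41a7c 8a491e2f badb0d00 00000000 00000000 nt!KiTrap0E+0x2e1
81f41b0c 8a47c19c b6d6db58 85663bc0 00000100 tcpip!TcpPushRequestReceive+0x86
81f41b30 8a47bdb1 00632330 81f41b94 81f41c50 tcpip!TcpProcessExpiredTcbTimers+0x165
81f41b68 81ef62eb 85663bc0 00000000 0048ba31 tcpip!TcpPeriodicTimeoutHandler+0x18b
81f41c88 81ef5eab 81f41cd0 868c0802 81f41cd8 nt!KiTimerListExpire+0x367
"""

BUGCHECK_NAMES = {0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
# A stack line: five 32-bit hex words followed by a module!symbol+offset
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)\s*$", re.M)

def triage(text):
    """Cross-check the bugcheck arguments against the trap frame and faulting instruction."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    code = int(m.group(1), 16)
    arg1, irql, rw, ip = (int(a, 16) for a in m.group(2).split(","))
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    # Memory operand of the faulting instruction, e.g. "dword ptr [esi+20h]"
    op = re.search(r"ptr \[(e[a-z]{2})([+-])([0-9a-f]+)h\]", text)
    base, sign, disp = op.group(1), op.group(2), int(op.group(3), 16)
    effective = regs[base] + disp if sign == "+" else regs[base] - disp
    # Innermost frame that is not the kernel's trap handler or timer code
    frames = FRAME_RE.findall(text)
    suspect = next((f for f in frames if not f.startswith("nt!")), None)
    return {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "irql": irql,
        "irql_name": IRQL_NAMES.get(irql, "?"),
        "access": "write" if rw == 1 else "read",
        "faulting_ip": ip,
        "effective_address": effective,
        "matches_arg1": effective == arg1,
        # base register is 0 and the displacement is a small field offset: NULL struct pointer
        "null_deref": regs[base] == 0 and 0 < disp < 0x1000 and effective == arg1,
        "suspect_frame": suspect,
        "suspect_module": suspect.split("!")[0] if suspect else None,
    }
```

With the quoted dump, the effective address 0x0 + 0x20 equals Arg1 (0x20) at IRQL 2, so the report is a NULL-pointer field read in tcpip!TcpPushRequestReceive rather than a paged-out address.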

Kaspersky tool detects malware in Twitter links

Kaspersky unveiled a new tool on Thursday called "Krab Krawler" that analyzes the millions of tweets posted on Twitter every day and blocks any malware associated with them.

The tool looks at every public post as it appears on Twitter, extracts any URLs in them and analyzes the Web page they lead to, expanding any URLS that have been shortened, Costin Raiu, a senior malware analyst at Kaspersky, said in an interview.

The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users’ accounts.

About 26 percent of the total posts contain URLs, and many of those lead to spam sites that are marketing products or services and aren’t considered malware, according to Raiu. Tens of thousands of different accounts are posting spam links, most likely from accounts created by bots, he said. The most frequent URLs posted lead to online dating sites, he added.

http://news.cnet.com/8301-27080_3-10386144-245.html via CoU

Taiwan: Spear Phishers Target Gmail Users

Trend Micro threat analysts found several phishing sites registered in China that target specific people or companies. The emails customize the phishing URLs using the names of their intended recipients, a technique called "spear phishing."

Spear phishing has been used by cybercriminals before in attacks that involved specific targets. In the previous post, "So Is It Twitter or Facebook?," for instance, cybercriminals exploited Twitter’s direct message function to inform users that their pictures were seen on another website, the link to which is embedded in the same message. The link led to a bogus Facebook page from which user credentials are then stolen.

In this attack, the cybercriminals went as far as spoofing the From field to imply that the sender is from the same company the target is employed in. The URL embedded in the email is also customizable, depending on who its intended recipient is. Clicking the link points the user to a bogus Gmail Taiwan login page where the target’s user name has already been entered.

http://blog.trendmicro.com/taiwan-spear-phishers-target-gmail-users/
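As an added example (not from the Trend Micro post), this Python check flags the three traits described above on a constructed message: a From address in the recipient's own domain that fails SPF and disagrees with the Return-Path, a Gmail look-alike link host, and the recipient's own name embedded in the link for a pre-filled login page. All headers, names and domains in the sample are invented, and the Google host allow-list is a simplification for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample message (hypothetical names and domains) modelled on the attack above
SAMPLE = """\
From: IT Helpdesk <helpdesk@example-corp.com.tw>
To: alice.chen@example-corp.com.tw
Return-Path: <bounce@mailer-example.invalid>
Authentication-Results: mx.example-corp.com.tw; spf=fail smtp.mailfrom=mailer-example.invalid
Subject: Verify your mailbox
Content-Type: text/plain

Please sign in again: http://gmail-tw-login.example.invalid/login?user=alice.chen
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def addr_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def is_google_host(host):
    # Simplified allow-list for genuine Gmail login hosts (assumption for this example)
    return host in ("google.com", "gmail.com") or host.endswith(".google.com")

def spear_phish_indicators(raw):
    """Return the indicators of the customised spear-phishing pattern found in a raw message."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From", ""))
    to_local, _, to_dom = parseaddr(msg.get("To", ""))[1].lower().partition("@")
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = []
    # Spoofed From: claims the recipient's own company, yet the sending path fails SPF
    if from_dom == to_dom and re.search(r"spf=(fail|softfail|none)", auth):
        found.append("from_domain_matches_recipient_but_spf_failed")
    if from_dom and addr_domain(msg.get("Return-Path", "")) not in ("", from_dom):
        found.append("return_path_domain_mismatch")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if "gmail" in host and not is_google_host(host):
            found.append("gmail_lookalike_host:" + host)
        # Customised link: the recipient's own name carried in the URL to pre-fill the login page
        values = [v.lower() for vs in parse_qs(parsed.query).values() for v in vs]
        if to_local and any(to_local in v for v in values):
            found.append("recipient_name_embedded_in_url")
    return found
```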

Amazon downplays report highlighting vulnerabilities in its cloud service

Hypothetical example described in report much harder to pull off in reality, company says

Amazon said today that it has taken steps to mitigate a security issue in its cloud computing infrastructure that was identified recently by researchers from MIT and the University of California at San Diego.

The report described how attackers could search for, locate and attack specific targets in Amazon’s Elastic Compute Cloud (EC2) because of certain underlying vulnerabilities in the infrastructure.[…]

In response, Amazon spokeswoman Kay Kinton said today that the report describes cloud cartography methods that could increase an attacker’s probability of launching a rogue virtual machine (VM) on the same physical server as another specific target VM.

http://www.networkworld.com/news/2009/102909-amazon-downplays-report-highlighting-vulnerabilities.html

Google rushes out Social Search tool

Service finds relevant public content from friends and contacts

Google has released a beta version of a search tool aimed at users of social networking sites.

The company said at the Web 2.0 Summit last week that the ability to search Twitter feeds will be added in a few months, but has surprised many by getting it out so soon. Microsoft’s Bing engine started social networking searches last week.

"Today we are rolling out a new experiment on Google Labs called Google Social Search that helps you find more relevant public content from your broader social circle," said Google in a blog post.

http://www.v3.co.uk/v3/news/2252002/google-rushes-social-search

Google accused of ‘malicious revenge’ in China

The official newspaper of China’s ruling communist party has accused Google of seeking "malicious revenge" after a malware warning appeared next to one of its Web sites in Google’s search results.

The Google notice, which said the books section of the People’s Daily site could contain malware, appeared last week and prevented some visits to the Web page because its link redirected to a Google warning, according to a local media report also posted by the People’s Daily. A site representative was cited in the report as blaming "malicious revenge from Google" and saying the paper would take actions against such "vile behavior" by the company. The paper would not rule out legal action, the representative was cited as saying.

http://www.thestandard.com/news/2009/10/28/google-accused-malicious-revenge-china