Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration and it’s possible this was intended to help hide the campaign, since it appears to be targeted towards users of a Trusteer product called Rapport. Within minutes of the campaign starting, we were seeing millions of messages.
This spam impersonated a security update from Trusteer. Attached to the message was a file named “RaportUpdate”, which contained a trojan. We’ve identified this specific trojan as Fareit. The file is designed to impersonate an update to the legitimate Rapport product, which, as described by Trusteer, “Protects end users against Man-in-the-Browser malware and phishing attacks. By preventing attacks, such as Man-in-the-Browser and Man-in-the-Middle, Trusteer Rapport secures credentials and personal information and stops online fraud and account takeover.”
It’s important to note that while this end-point solution is designed to protect against browser-based threats, this specific attack is email-based. If the user downloads and executes the attachment from their mail client, the malware never passes through the browser, so it could bypass the protections of a legitimate Rapport client entirely. If an end user can be tricked into running malicious software through an avenue the attacker can reasonably predict, it becomes much easier to bypass network security devices and software.
Network Solutions is a domain name registrar that manages over 6.6 million domains. As of July 16, 2013, the Network Solutions website is under a Distributed Denial of Service (DDoS) attack. Recently, Network Solutions has been a target for attackers; in a previous outage, domain name servers were redirected away from their proper IP addresses. This was reported to be a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack. It is possible that the DDoS attacks are related.
According to isitdownrightnow.com, the Network Solutions site has been having issues for at least the last 24 hours.
[Chart: Network Solutions response time in ms (GMT -8:00)]
Within many organisations offering online services to the public, there must be a great temptation to expire redundant user accounts that occupy desirable user IDs but which are never used by their users. Presumably the user IDs have been registered by someone, used on a couple of occasions, and then forgotten about. Expiring and recycling these user IDs and offering them to new users allows the organisation to better manage the quantity of unique User IDs, and also allows new users to potentially own the user ID that they desire.
On 20th June, Yahoo! announced that they will be expiring user IDs that have been unused for over 12 months in order to offer them to new users.
“you want a Yahoo! ID that’s short, sweet and memorable, like email@example.com instead of firstname.lastname@example.org”, said Jay Rossiter, SVP of Platforms at Yahoo!.
Yahoo! is not the only webmail provider that expires inactive users and recycles their email addresses. Recently, researchers at Rutgers University identified that Hotmail also reissues email addresses that have been dormant for some time. Yahoo! should be applauded for publicly raising the issue, describing their criteria for expiring accounts, and calling for users to access their accounts if they wish to prevent this from happening.
UPDATE: This blog post is related to the redirection of domain name servers that occurred back in June 2013. This post is NOT related to the ongoing activity occurring July 16, 2013. Cisco TRAC is currently analyzing the ongoing issues with Network Solutions’ hosted domain names and has more information available here.
Multiple organizations with domain names registered under Network Solutions suffered problems with their domain names today, as their DNS nameservers were replaced with nameservers at ztomy.com. The nameservers at ztomy.com were configured to reply to DNS requests for the affected domains with IP addresses in the range 126.96.36.199/24. Cisco observed a large number of requests directed at these Confluence Networks IP addresses. Based on passive DNS data for those IPs, nearly 5000 domains may have been affected.
[Chart: traffic hits to 188.8.131.52/24]
On June 6, 2013, malwaretracker.com released an analysis of Microsoft Office-based malware that was exploiting a previously unknown vulnerability that was patched by MS12-060. The samples provided were alleged to be targeting Tibetan and Chinese pro-democracy activists. On June 7, 2013, Rapid7 released an analysis of malware dubbed ‘KeyBoy,’ also exploiting unknown vulnerabilities in Microsoft Office, similarly patched by MS12-060, but allegedly targeting interests in Vietnam and India. The indicators of compromise (IoCs) listed by Rapid7 match some of those listed previously by malwaretracker.com.