Same hacker may have targeted Ars, reporter Krebs, and Wired’s Honan

Security reporter Brian Krebs has uncovered some details about one of the people tied to the denial of service attack on his site and the fraudulent 911 call that brought armed police to Krebs' doorstep. It turns out the hacker may have delivered grief to another technology reporter not too long ago: Mat Honan. And, yes, that hacker appears to have used accounts tied to Friday's DOS attack on Ars.

Krebs connected with the operator of TwBooter (booter.tw) who told the reporter that the accounts used to launch said attacks were taken over by a hacker who goes by Phobia. (The TwBooter operator wouldn't explain how he knew, however.) Other leads Krebs uncovered pointed to a group of gamers and hackers called "Team Hype," upset by his reporting on the identity theft clearinghouse site ssndb.ru—because they, apparently, had been using information from the site to take over the Xbox Live gamertags of Microsoft employees before selling them to other players. One of the members of that group was known as Phobia.

According to Krebs' source, Phobia had been bragging to others that he was responsible for both the DOS attack on Krebs' site and the call that brought armed police to his house. But Phobia, who had until recently used the Twitter account @PhobiaTheGod, had his personal details exposed as well. He had been "doxed" on the site Skidpaste.org. So Krebs decided to use that information to give Phobia a call.


Details on the denial of service attack that targeted Ars Technica

Last week, Security Editor Dan Goodin posted a story about the "swatting" of security reporter Brian Krebs and the denial of service attack on Krebs' site. Soon after, Ars was targeted by at least one of the individuals behind the Krebs attack. On Friday, at about noon Eastern Daylight Time, a denial of service attack struck our site, making connectivity to Ars problematic for a little less than two hours.

The attack continued to run throughout Friday. At 9pm EDT, when our hosting provider brought down one of the filters that had been put in place to thwart it, it quickly became apparent that the attack was still underway, and the filter was restored. The most aggressive filters were finally removed on Saturday.

At least in part, the offensive used the same attack tool and user credentials that were involved in the denial-of-service (DoS) attack on Krebs On Security, as Krebs himself revealed in a blog post. The attackers used multiple accounts on TwBooter, a "booter" site that provides denial of service attacks as a paid service (ostensibly for security testing purposes), to launch an automated denial of service attack on Ars. And at least one of those logins was also used to attack Krebs' site.


Bug in EA’s Origin game platform allows attackers to hijack player PCs

One scenario for using EA's Origin service as an attack platform to execute malicious code on end-user computers.

More than 40 million people could be affected by a vulnerability researchers uncovered in EA's Origin online game platform allowing attackers to remotely execute malicious code on players' computers.

The attack, demonstrated on Friday at the Black Hat security conference in Amsterdam, takes just seconds to execute. In some cases, it requires no interaction by victims, researchers from Malta-based ReVuln (@revuln) told Ars. It works by manipulating the uniform resource identifiers EA's site uses to automatically start games on an end user's machine. By exploiting flaws in the Origin application available for both Macs and PCs, the technique turns EA's popular game store into an attack platform that can covertly install malware on customers' computers.

"The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism," ReVuln researchers Donato Ferrante and Luigi Auriemma wrote in a paper accompanying last week's demonstration. "In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim's system, which has Origin installed."
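The vulnerability class described above is a custom URI scheme handler that forwards link-controlled parameters to a local program without validating them. The following is an added illustration written for this page, not EA's code and not the real Origin URI format: it assumes a hypothetical `game://launch?id=<game-id>` scheme and a hypothetical launcher binary, and contrasts a handler that passes every query parameter through with one that only accepts an allowlisted game id and a fixed argument vector.

```python
"""Hypothetical custom-scheme launcher handler (illustration, not EA's code).

Assumed URI shape: game://launch?id=<numeric game id>
Assumed launcher path and game ids are placeholders for this example.
"""
from typing import List
from urllib.parse import parse_qsl, urlparse

LAUNCHER = "/opt/hypothetical-launcher/launch"   # placeholder binary
KNOWN_GAMES = {"12345", "67890"}                 # placeholder allowlist


def build_argv_unchecked(uri: str) -> List[str]:
    """Vulnerable pattern: every query parameter becomes a launcher flag.

    Whatever a web page (or a crafted link) puts in the URI reaches the
    local program's command line unfiltered, so the link author controls
    which options the launcher runs with."""
    parsed = urlparse(uri)
    argv = [LAUNCHER]
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        argv.append(f"--{key}={value}" if value else f"--{key}")
    return argv


def build_argv_checked(uri: str) -> List[str]:
    """Hardened pattern: fixed scheme and action, allowlisted id, nothing else.

    The handler never builds a shell string and never forwards parameters it
    did not expect; the only link-controlled value is the game id, and that
    must match a known entry."""
    parsed = urlparse(uri)
    if parsed.scheme != "game" or parsed.netloc != "launch":
        raise ValueError("unexpected scheme or action")
    params = dict(parse_qsl(parsed.query, keep_blank_values=True))
    extra = sorted(set(params) - {"id"})
    if extra or "id" not in params:
        raise ValueError(f"unexpected or missing parameters: {extra}")
    game_id = params["id"]
    if not game_id.isdigit() or game_id not in KNOWN_GAMES:
        raise ValueError("unknown game id")
    # Argument list is fixed: no option injection, no shell metacharacters.
    return [LAUNCHER, "--id", game_id]


def accepts(uri: str) -> bool:
    """True if the hardened handler would launch anything for this URI."""
    try:
        build_argv_checked(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    link = "game://launch?id=12345&debug=on"   # constructed sample link
    print("unchecked argv:", build_argv_unchecked(link))
    print("checked accepts:", accepts(link))
```

The unchecked variant is the shape of the problem: the handler's trust boundary is the URI, and anything after the `?` lands on a local command line. The checked variant enforces that boundary by rejecting, rather than stripping, anything outside the expected parameter set, so a link that carries extra options fails closed.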


Android.Uracto Used to Trick Mothers, Anime Fans, Gamers, and More

Earlier today, we blogged about Android.Uracto, a malicious app that sends spam SMS messages in an attempt to infect others or scam users into paying a fee for a non-existent service. Further investigation of the attack has led us to discover more apps prepared by the same group of scammers. So far we have been able to find a total of 10 apps hosted on a few dedicated domains believed to be maintained by the group. The servers hosting the domains appear to be located in Singapore and in Georgia in the United States. They are still live at the time of this writing.
Figure 1. Market pages for the 10 apps
Though the apps differ in appearance, they can basically be broken down into three main variants. The first steals data stored in the device's Contacts. The second also steals contact details and additionally sends SMS messages, containing a link to download the malicious app, to all the contacts. The third steals contact details and attempts to scam the victim into paying for fake services.
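The three variants above map onto capabilities an Android app has to declare in its manifest: reading contacts, reaching the network to exfiltrate them, and sending SMS. As an added triage example (not Symantec's detection logic, and the page does not state which permissions the apps request), the script below parses an AndroidManifest.xml, collects the declared permissions, and flags the combinations that correspond to the contact-theft and SMS-spreading variants. The sample manifests are constructed for this example.

```python
"""Permission-combination triage for Android manifests (added example).

Heuristic only: legitimate apps can request the same permissions, so a match
is a reason to look closer, not a verdict. The permission names are real
Android permissions; the mapping to Android.Uracto variants is an assumption
made for this illustration.
"""
import xml.etree.ElementTree as ET
from typing import Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

READ_CONTACTS = "android.permission.READ_CONTACTS"
INTERNET = "android.permission.INTERNET"
SEND_SMS = "android.permission.SEND_SMS"


def permissions_of(manifest_xml: str) -> Set[str]:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    }


def classify(perms: Set[str]) -> str:
    """Map a permission set onto the variant behaviours described in the post."""
    if READ_CONTACTS in perms and INTERNET in perms:
        if SEND_SMS in perms:
            # Variant 2: steal contacts and SMS every contact a download link.
            return "contacts-theft+sms-spreading"
        # Variants 1 and 3: steal contacts (the fee scam needs no extra permission).
        return "contacts-theft"
    return "no-match"


# Constructed sample: a "free comic reader" that asks for far more than it needs.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.comicreader">
  <uses-permission android:name="{INTERNET}"/>
  <uses-permission android:name="{READ_CONTACTS}"/>
  <uses-permission android:name="{SEND_SMS}"/>
  <application android:label="Free Comics"/>
</manifest>
"""

# Constructed sample: a reader that only talks to the network.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.newsreader">
  <uses-permission android:name="{INTERNET}"/>
  <application android:label="News"/>
</manifest>
"""


def triage(manifest_xml: str) -> str:
    """Convenience wrapper: manifest text in, variant label out."""
    return classify(permissions_of(manifest_xml))


if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS_MANIFEST))
    print("benign:", triage(BENIGN_MANIFEST))
```

Run against a batch of unpacked APKs, this kind of check is a cheap first filter: an app whose stated purpose (comics, gossip, an emulator) has no reason to read contacts and send SMS stands out immediately, which is exactly the mismatch the apps in this family rely on users not noticing.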

The apps include ones for mothers raising kids, video game emulators, apps allowing users to read comics for free, apps to read celebrity gossip, a fortune teller app, an adult video viewer, and an app that claims to allow the device's camera to see through clothes.
Figure 2. Icons of the 10 apps
It's unknown at this point how the Android devices' owners are lured to the sites. The sites are reachable by ordinary web browsing, but spam could also be used, as this is a common way to lure people into downloading Android threats in Japan.

It appears that some of the apps may have been around a while. Some of the directory lists of the servers hosting the apps indicate that the apps were hosted on the server as early as July 2012.
Figure 3. Directory lists of the servers hosting the apps
One other interesting point to note is that Android.Uracto shares common code with Android.Enesoluty, which is still very much active in the wild, and with Android.Maistealer as well. We believe Android.Maistealer was created as the prototype for Android.Enesoluty. You can read the following blogs to find out more about this:

Could these malicious apps be maintained by the same group of scammers or was the same developer hired to create malware for two different groups? We’ll continue to investigate this and hope to give you an update at a later date.