Phishers Offer Rita Ora’s Video

Contributor: Avdhoot Patil

Celebrity scandals are always popular and phishers are keen on incorporating them into their phishing sites. Recently, we observed a phishing site featuring British singer and actress Rita Ora. The phishing site was hosted on a free Web hosting site.

rita_ora_phishing.png

 

The phishing site prompted for Facebook login credentials that called the video a “social plugin”. The phishing page contained an image of a fake YouTube video of Rita in the background. The title of the video in question described it as an adult video of Rita Ora. A recent event involving an accidental exposure of Rita instigated phishers into devising this bait. The phishing site gave the impression that users could view the video shown in the background when login credentials are entered. In reality, after login credentials are entered, users are redirected to a legitimate site containing adult images of Rita Ora. The purpose of redirecting users to a site containing images of the video is to convince them that the login was valid and so avoid suspicion. If users fall victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
  • Exercise caution when clicking on enticing links sent through email or posted on social networks

App developer calls critic “f*cken little know it all”; site goes down

Hackers compromised accounts belonging to maintainers of the open-source ZPanel after a team member supporting the Web hosting control panel called a critic a "fucken little know it all." The ZPanel site went completely down after the incident and remained down at time of writing.

ZPanel support member Nigel Caldwell made the comment in the site's official forums and it was directed at a user named joepie91. Shortly beforehand, the Netherlands-based software developer—whose real name is Sven Slootweg—claimed that websites using ZPanel in combination with certain modules were vulnerable to exploits that allowed attackers to remotely execute malicious code. Slootweg directed his statement at Caldwell, aka PS2Guy, after the support member left a comment saying ZPanel "is more secure than panels that you pay good money for." Caldwell also said users have "got more chance of someone hacking your Operating System than the control panel that sits on it."

In his response, Slootweg claimed there was an "arbitrary code execution and root escalation vulnerability in the current version of ZPanel." To support this, Slootweg provided an example line of code he said could be inserted into a main ZPanel template to trigger the vulnerability. Last month, Slootweg disclosed a ZPanel vulnerability here. Two weeks ago, he stepped up his criticism after claiming the vulnerability had gone unfixed. "I find it shameful that I even have to post here to point this out, to prevent someone from putting themselves at risk," Slootweg wrote in Wednesday's post on the ZPanel forum. "This should be the responsibility of the ZPanel team."

Read 12 remaining paragraphs | Comments

Critical Linux vulnerability imperils users, even after “silent” fix

For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.

The severity of the bug, which resides in the Linux kernel's "perf," or performance counters subsystem, didn't become clear until Tuesday, when attack code exploiting the vulnerability became publicly available (note: some content on this site is not considered appropriate in many work environments). The new script can be used to take control of servers operated by many shared Web hosting providers, where dozens or hundreds of people have unprivileged accounts on the same machine. Hackers who already have limited control over a Linux machine—for instance, by exploiting a vulnerability in a desktop browser or a Web application—can also use the bug to escalate their privileges to root. The flaw affects versions of the Linux kernel from 2.6.37 to 3.8.8 that have been compiled with the CONFIG_PERF_EVENTS kernel configuration option.

"Because there's a public exploit already available, an attacker would simply need to download and run this exploit on a target machine," Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. "The exploit may not work out-of-the-box on every affected machine, in which case it would require some fairly straightforward tweaks (for someone with exploit development experience) to work properly."

Read 4 remaining paragraphs | Comments

Increase in Pump and Dump Stock Spam

In the last few weeks we have observed a drastic increase in “penny stock” spam emails. In 2011 Symantec published a blog entitled Global Debt Crises News Drives Pump-and-Dump Stock Scams, which also dealt with this type of spam.

Penny stocks, also known as cent stocks, are shares in small companies that trade at low prices, often as low as a few cents per share. Penny stocks are a very popular topic used by spammers. The spam emails advertise the cheap shares and state that the company is on the verge of becoming very successful and that the value of the shares will rise significantly. The emails make out that the company is more valuable than it actually is and implies that they have just created some major product or are on the verge of a breakthrough and that the share value is tipped to rise dramatically. The aim is to increase sales of the stock, which in turn raises the value, then the fraudster can sell their penny stocks for significantly more than they paid for them. This stock fraud method is known as “pump and dump.”

We are seeing various spam methods being used in stock spam such as broken words, obfuscation with irrelevant line spaces, and insertion of randomized characters in the header or body of the emails etc.

Figure1.png

Figure 1. Penny stock spam emails

Symantec is observing an increase in spam volume related to stock spam, which can be seen in the below graph.

Figure2.jpg

Figure 2. Volume trend of stock spam email

Below are the most frequently observed subject lines in these attacks:

  • Subject: Stock Picking Contest, Sign Up Today
  • Subject: "Before The Close" From Standout Stocks!
  • Subject: A Royal Treat To Start The Week
  • Subject: Expect More from this Bull
  • Subject: Explosive Pick Coming
  • Subject: It Is Our Hot New Trade Alert!
  • Subject: Its trading levels could be Set to Explode!
  • Subject: Let`s Do It Again! Tonight We Have Another Breaking Bull!
  • Subject: This Company Shows Gains
  • Subject: This Company shows Strength
  • Subject: What a Fantastic Week! Our Members had the Opportunity to Make Some Serious Gains!

Symantec advises users to be cautious when handling unsolicited or unexpected emails and to update antispam signatures regularly. Symantec is closely monitoring these “pump and dump” spam attacks and will continue monitoring this trend to keep our readers updated.