Behold: the drop-dead simple exploit that nukes Google’s Password Alert

Less than 24 hours after Google unveiled a Chrome extension that warns when user account passwords get phished, a security researcher has devised a drop-dead simple exploit that bypasses it.

This benign proof-of-concept exploit looks almost identical to a Google login page, and is typical of a malicious phishing page that attempts to trick people into entering their user name and password. If Google's freely available Password Alert extension was better designed, it would provide a warning as soon as someone tried to log into the page with their Google password. Instead, the warning is completely suppressed. (Note: although Ars fully trusts the researcher, readers are strongly advised not to enter passwords for Google accounts they use for anything other than testing purposes.) A video of the bypass exploit is here

Bypassing Google's Password Alert "Protection"

"It beggars belief," Paul Moore, an information security consultant at UK-based Urity Group who wrote the exploit, told Ars. "The suggestion that it offers any real level of protection is laughable." He went on to say Google would do better devoting its resources to supporting the use of password managers, since most of them provide much more effective protections against phishing attacks.

Read 3 remaining paragraphs | Comments

Spam-blasting malware infects thousands of Linux and FreeBSD servers

Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam, researchers said Wednesday. The malware likely infected many more machines during the five years it's known to have existed.

Most of the machines infected by the so-called Mumblehard malware are believed to run websites, according to the 23-page report issued by researchers from antivirus provider Eset. During the seven months that they monitored one of its command and control channels, 8,867 unique IP addresses connected to it, with 3,000 of them joining in the past three weeks. The discovery is reminiscent of Windigo, a separate spam botnet made up of 10,000 Linux servers that Eset discovered 14 months ago.

The Mumblehard malware is the brainchild of experienced and highly skilled programmers. It includes a backdoor and a spam daemon, which is a behind-the-scenes process that sends large batches of junk mail. These two main components are written in Perl and they're obfuscated inside a custom "packer" that's written in assembly, a low-level programming language that closely corresponds to the native machine code of the computer hardware it runs on. Some of the Perl script contains a separate executable with the same assembly-based packer that's arranged in the fashion of a Russian nesting doll. The result is a very stealthy infection that causes production servers to send spam and may serve other nefarious purposes.

Read 7 remaining paragraphs | Comments

Nepal Earthquake Disaster Email Scams

Original release date: April 30, 2015

US-CERT would like to warn users of potential email scams regarding the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for fraudulent charitable organizations commonly appear after these types of natural disasters.

US-CERT encourages users to take the following measures to protect themselves:

  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Review the Federal Trade Commission's Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact    information can be found on the Better Business Bureau National Charity Report Index.
  • Refer to the Security Tip (ST04-014) on Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

This product is provided subject to this Notification and this Privacy & Use policy.