Kudos to the Chinese authorities for shutting down an online hacker training operation known as the Black Hawk Safety Net.
The Black Hawk operation, which provides Trojan software and lessons in cyberattack techniques, comprises 12,000 paid subscribers and another 120,000 free members.
Three people who ran the Black Hawk website have been arrested, and the site has been blocked. During the raid the police also seized nine servers, five computers and a car.
For further details, you can read it at Yahoo! News.
We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535).
It looks like this:
Nice flowers.
Unfortunately, when the file is opened it exploits a vulnerability in Adobe Reader, then drops and runs a file called 1.exe.
This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.
We've seen the domain flower-show.org before, already in 2009. Then another PDF called home to posere.flower-show.org.
Today, both of those host names resolve to 202.150.213.12, which is not in China. It's in Singapore.
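A first-pass static triage of a mailed PDF like this one, as an added example that is not part of the original post and not a tool from the lab that wrote it: it hashes the file, counts the PDF name tokens that usually accompany exploit and dropper behaviour (/OpenAction, /JavaScript, /Launch and friends), undoes the #xx hex escapes attackers use to hide those names, pulls out any referenced .exe filename and matches the call-home domain from the post. The sample PDF bytes are constructed to exercise each rule; they are not the flower PDF the post describes, and the flower-show.org entry stands in for whatever IOC list you actually maintain.

```python
import hashlib
import re

# Constructed sample: a minimal PDF skeleton carrying an /OpenAction that
# triggers JavaScript, a /Launch action for a file called 1.exe and a URI to
# the call-home host named in the post. Hand-written test input only; it is
# not the flower PDF (md5 116d92f0...) from the post.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
5 0 obj << /S /Launch /F (1.exe) >> endobj
6 0 obj << /Type /Action /S /URI /URI (http://cecon.flower-show.org/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens whose presence is worth a closer look in a PDF that arrived by mail.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/URI"]

# Hostname from the post; in practice this comes from your own IOC feed (assumption).
KNOWN_C2 = [b"flower-show.org"]


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF name tokens (/J#61vaScript -> /JavaScript),
    a common trick for dodging naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Static first-pass triage: hash, count suspicious names, pull out any
    referenced executables and known C2 hosts, and give a coarse verdict."""
    norm = normalize_names(data)
    indicators = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead so /JS does not also count a token like /JSxyz.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", norm))
        if n:
            indicators[name.decode()] = n
    executables = sorted({m.decode() for m in
                          re.findall(rb"\(([^()]*?\.exe)\)", norm, re.IGNORECASE)})
    c2 = [d.decode() for d in KNOWN_C2 if d in norm]

    auto = "/OpenAction" in indicators or "/AA" in indicators
    script = "/JavaScript" in indicators or "/JS" in indicators
    suspicious = "/Launch" in indicators or (auto and script) or executables or c2
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "indicators": indicators,
        "executables": executables,
        "known_c2": c2,
        "verdict": "suspicious" if suspicious else "no indicators",
    }


if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

This only looks at the raw bytes, so names inside compressed object streams (/FlateDecode) are invisible to it; treat a "no indicators" verdict on a file with many compressed streams as "not yet inspected", and inflate the streams before drawing conclusions.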
The World of Warcraft online game has over 10 million players around the world.
World of Warcraft also has hundreds of phishing websites targeting it, trying to steal end-user login credentials.
Like these:
The domain names for most of these phishing sites are easy to spot (wor1dcfwarcraft.com? give me a break), but others are a bit trickier (worldrofwarcraft.com - yes, there's an extra "R").
So, why are these accounts being stolen? For fun? No, they are stolen for the virtual gold and weapons. A stolen account gets emptied quickly and the goods are put up for sale online for real money.
But who would buy virtual goods for a game with real cash? Well, judging by the number of sellers, quite a few.
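The two phishing names quoted above are exactly the cases a lookalike-domain check has to catch: a digit standing in for a letter (wor1dcfwarcraft) and an inserted letter (worldrofwarcraft). As an added example, not code from the original post, the script below folds common digit-for-letter homoglyphs, takes the registrable label of each hostname and compares it against the brand by edit distance, and also catches the brand embedded in a longer label. The candidate list is constructed: it contains the two names from the post plus made-up variants and benign names, and worldofwarcraft.com is assumed to be the only legitimate domain for the purpose of the check.

```python
# Constructed candidates: the two names from the post, a few made-up
# variants to exercise each rule, and benign names that must not be flagged.
CANDIDATES = [
    "wor1dcfwarcraft.com",        # from the post: digit-for-letter plus a typo
    "worldrofwarcraft.com",       # from the post: inserted letter
    "worldofwarcraft.com",        # the real thing
    "www.worldofwarcraft.com",    # subdomain of the real thing
    "world0fwarcraft.net",        # constructed: zero for o, wrong TLD
    "worldofwarcraft-login.com",  # constructed: brand as prefix of a longer label
    "example.com",                # constructed: unrelated
]

BRAND = "worldofwarcraft"
LEGIT = {"worldofwarcraft.com"}   # assumption: the only domain we trust here
MAX_DISTANCE = 2                  # labels this close to the brand get flagged

# Multi-character entries first so "rn" is folded before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
              "4": "a", "5": "s", "7": "t"}


def fold(label: str) -> str:
    """Map common ASCII homoglyphs back to the letters they imitate."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label of the hostname. Naive on multi-part public suffixes
    such as co.uk; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(host: str):
    """Return a reason string if host looks like a lookalike of BRAND, else None."""
    host = host.lower().strip(".")
    if host in LEGIT or any(host.endswith("." + d) for d in LEGIT):
        return None
    label = registrable_label(host)
    folded = fold(label)
    if folded == BRAND:
        return f"homoglyph fold of '{label}' equals brand"
    dist = levenshtein(folded, BRAND)
    if dist <= MAX_DISTANCE:
        return f"edit distance {dist} from brand after folding to '{folded}'"
    if BRAND in folded:
        return "brand embedded in longer label"
    return None


def scan(hosts):
    """Map each flagged hostname to the reason it was flagged."""
    return {h: r for h in hosts if (r := classify(h)) is not None}


if __name__ == "__main__":
    for host, reason in scan(CANDIDATES).items():
        print(f"{host}: {reason}")
```

The distance threshold is deliberately small because the brand label is long; for short brands a threshold of 2 would flag unrelated words, so scale it with label length or use a per-brand setting. Reordered tokens (warcraftworld.example) escape all three rules and need a token-based check on top.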
Just a quick note to readers to be aware of e-mails purportedly from Gmail administrators. One of our Fellows recently received a message from "The Google Mail Team" asking users to verify their account details to combat "anonymous registration of accounts":
The reply-to address is listed as 'verifyscecssze@gmail.com', which obviously isn't an official Gmail admin account. Meanwhile, the domain name gmeadmailcenter.com is registered to a Catholic church in Michigan.
Just your typical phishing type message really. Gmail users who receive this e-mail can report it to the (real) Gmail team using the 'Report phishing' option in their account, or just delete it.
Do you really want all of your "friends" to know what applications you've been running?
You don't?
Then you'll want to take a look at the new control provided by Facebook.
Here's the old Applications and Websites settings page.
Here are the new settings.
The new privacy option allows you to "Control who can see your activity in the Friends' Recent Activity, Friends' Applications and Friends' Games sections of these pages."
The control options should be familiar enough at this point. Sharing can be set to Only Friends, Friends of Friends and Everyone.
Of course, utilizing Friends Lists can limit access in a more refined manner.
Updated to add: Here's another interesting iPhone/iPod touch related story at the Register.
Dan Goodin: The Elcomsoft iPhone Password Breaker, which was released for free into beta, recovers passwords for iPhones and iPod Touches by trying thousands of phrases per second.
Online criminals need people to move their money so they themselves don't get caught. We call these Money Mules.
Most money-mule recruitment is done in the name of a fictitious company, but sometimes the scammers simply lift a well-known brand.
Here's an example of a recent money-mule ad, a PDF attachment that has been spammed around in the name of Texaco, the oil company:
The e-mail originated from an IP address in Lagos, Nigeria. I guess Texaco must be doing some drilling over there.
The PDF contains no exploits and looks like this:
The text reads, in part:
Texaco/Chevron Downstream Europe 1 Westferry Circus Canary Wharf London E14 4HA
Dear Job Candidate,
The TEXACO Online Employment System wish to inform you that your posted information online has been carefully and confidentially reviewed by our Recruitment Team Professionals and we have considered under our current vacant opportunities within the Firm to employ you for work in our company.
TEXACO Online Employment System is affiliated to various job recruitment websites and your information was submitted to us by our online agent that submit job candidate resumes for consideration of employment depending on the vacancies we have in any branch of TEXACO Company Worldwide.
As regards to this, you have been automatically granted this employment to work in TEXACO Oil & Gas Field with a monthly salary of Eight Thousand Five Hundred Pounds (£8,500).
Kindly acknowledge the content of this message by reconfirming your interest in working for us and indicating your area of job interest, ensuring that you have quoted your vacancy title below or send your CV with a covering letter.
For further details relating to your employment, kindly send an email to Texaco/Chevron Downstream Europe H/R Recruitment Service Department texaco@post.com / http://texaco.us.ms / http://texaco.com/portal_default.asp/.
Regards, Paul Matins HR Recruitment Manager
Do note the suspicious contact information: texaco@post.com is a free webmail address, and texaco.us.ms is a third-level name under us.ms rather than a domain Texaco registered. The .ms top-level domain belongs to Montserrat, a small British overseas territory in the Caribbean.
The website at texaco.us.ms looks like this:
Don't apply… although the salary looks good and you get to name your own area of job interest, I'm sure your job would include picking up cash and wiring it to far-away places with Webmoney, Western Union and Fethard Finance.