Recently, we obtained a current Gameover ZeuS configuration file and we noticed that in addition to CareerBuilder — Gameover now also targets Monster.
Here's the legit hiring.monster.com URL:
A computer infected with Gameover ZeuS will inject a new "Sign In" button, but the page looks otherwise identical:
And then the following "security questions" are requested via an injected form:
Here's the full list:
• In what City / Town does your nearest sibling live? • In what City / Town was your first job? • In what city did you meet your spouse/significant other? • In what city or town did your mother and father meet? • What are the last 5 digits / letters of your driver\'s license number? • What is the first name of the boy or girl that you first dated? • What is the first name of your first supervisor? • What is the name of the first school you attended? • What is the name of the school that you attended aged 14-16? • What is the name of the street that you grew up on? • What is the name of your favorite childhood friend? • What is the street number of the first house you remember living in? • What is your oldest sibling\'s birthday month and year? (e.g., January 1900) • What is your youngest sibling\'s birthday? • What month and day is your anniversary? (ie. January 2) • What was the city where you were married? • What was the first musical concert that you attended? • What was your favorite activity in school?
A cookie called "qasent" is spawned by the process.
HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget … it's a target for banking trojans.
It wouldn't be a bad idea for sites such as Monster to introduce two factor authentication, beyond mere security questions.
It's not exactly the perfect timing for tax refunds in Finland, but that did not deter impatient phishers. Earlier today, we received a tip regarding an e-mail that has been going around pretending to be a Vero refund.
When the link on the page is visited, the user will end up in a page that looks like this:
It contains all the fields that the user of course needs to fill up, not to get a refund, but to give their credit card numbers and personal information away.
Folks, please delete that e-mail. It's not from Vero.
We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings.
Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro.
Analysis is ongoing.
Here's the SHA1: 657b1dd40a4addc1a6da0fb50ee6e325fff84dc4
Analysis by — Mikko Suominen
Updated to add:
Gameover ZeuS can now steal both Bitcoin wallets and the passwords used to encrypt them.
Theft is accomplished by hooking two functions in processes named bitcoin-qt.exe (the normal GUI client) and bitcoind.exe (the client used for Bitcoin mining). The hooked functions are:
• The Windows API NtCreateFile • A function in the Bitcoin process that is called when the user encrypts his Bitcoin wallet
The first hook enables Gameover ZeuS to steal the content of the Bitcoin wallet as the Bitcoin client accesses it. The second hook enables Gameover ZeuS to steal the password the victim uses to encrypt his wallet.
When the web became commonplace, the decision-makers ignored it, considering it irrelevant. As a result, freedom flourished online. People weren't just consuming content; they were creating it.
But, eventually, politicians and leaders realised how important the internet is. And they realised how useful the internet can be for other purposes � especially for surveillance of citizens. The two chief inventions of our generation � the internet and the mobile phone � changed the world. However, they both turned out to be perfect tools for the surveillance state. And in such a state, everybody is assumed guilty.
US intelligence agencies have a full legal right to monitor foreigners � and most of us are foreigners to the Americans. So when we use US-based services, we are under surveillance � and most of the services we use are US-based.
Advancements in computing power and data storage have made wholesale surveillance possible. But they've also made leaking possible, which will keep organisations worrying about getting caught over any wrongdoing. The future of the web is hanging in the balance between parties that want to keep us under surveillance and parties that want to reveal the nature of such surveillance. Both parties have the data revolution on their side.
While governments are watching over us, they know we're watching over them.
Mikko Hypponen
This column was originally published in Wired's Web at 25 Special. Be sure to read the other columns from Tim Berners-Lee, Jimmy Wales, Vint Cerf and others
Somebody with access to Justin Bieber's Twitter account was "hacked" on March 8th. And for a brief period of time, the attacker was able to publish as Bieber. It's hardly worth mentioning except for the fact that the Tweets included a bit.ly link — and offers a few interesting statistics.
How many Beliebers clicked on the bit.ly links?
70,381 in total.
And where did the clicks come from?
The USA was the source of nearly 24,000 clicks. (Finland apparently has 348 true Beliebers.)
70 thousand clicks from more than 50 millions followers — that's not a very big percentage overall. But still, not a bad result for the spammer considering the account was only compromised for 15 minutes.
You can examine the stats for yourself at: bitly.com/1ezBYiQ+ (for now).
