This is probably not connected at all, but we've noticed a steep increase in the number of targeted attacks against organizations supporting the Uyghurs.
These support groups operate around the world. The attack techniques against them are the same as we've seen in similar attacks before: highly targeted e-mails with innocent-looking, booby-trapped document attachments.
Here are some examples of such malicious documents that we've seen. Most of them look pretty innocent.
When opened, all the above documents use known vulnerabilities in Adobe Reader or Microsoft Word to invisibly take over the computer. After this, a backdoor gives an outsider full access to the computer and the local area network.
The two screenshots above are not from documents but instead fake screen savers… which contain backdoors.
Again, this wave of attacks against Uyghur supporters probably isn't connected to the real-world riots in any way. We think.
Mr. h1t3m's other website is still up at h1t3m.org.
According to Australian media, "Federal police officers in co-operation with Victoria Police executed a search warrant on premises in Brighton, Melbourne, connected to the administrator of an underground hacking forum, r00t-y0u.org, which had about 5000 members."
1. r00t-y0u.org was taken over by the police
2. …but it was still up and running
And now, someone calling himself KillaWho infiltrated r00t-y0u.org, replacing the front page again.
Mr. KillaWho also posted details about the system itself and files found on it. He posted full details in this posting on pastebin.com. "I decided I would move on to getting control of r00t-y0u.org. See what the authorities know about server maintenance.. and how secure they can make stuff."
Right now the server seems to have been taken down for good.
There are already several media reports that claim that Australian Police itself got hacked.
Now, if the police take over a web server run by hackers, and that server later gets hacked, I wouldn't be too worried!
We've seen no evidence showing that any internal police systems would have been infiltrated.
We received a report that the popular IntegrIT website was suspected to be compromised and redirecting visitors to a pornography website. The redirect occurred when the user had searched for "integrit" (without quotes) in a search engine and then clicked through to the site.
We inspected the www.integrit.ru contents and found no suspicious code in the pages themselves, so we suspect that the redirect was placed in the web server's configuration files (.htaccess, etc.), keyed on the referring site, rather than in the site content.
This was the page we were redirected to when the HTTP Header containing the "referer" parameter (above) was detected:
This is what you would get without the "referer":
We tested a few search engines, and only referrals from two of them (Yahoo! and Google) triggered the redirect to the pornography website; referrals from the other search engines (Bing, Altavista, Ask, and Lycos) were not affected.
Users who type the web address "www.integrit.ru" directly into their browsers won't see this redirection.
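As an added example (not code from the original post), here is a small probe for this kind of Referer-conditional redirect: it requests a page once with no Referer header and once with each of several search-engine Referer headers, does not follow redirects, and reports which referrers alone send the browser to a different host. The Referer strings and the default target URL are assumptions chosen for illustration, and the analysis is kept separate from the fetching so it can be run over responses captured elsewhere.

```python
# Added example, not from the original post. Detects a redirect that only
# fires when a search-engine Referer is present (server-side cloaking, e.g.
# an .htaccess RewriteCond on %{HTTP_REFERER}). The referer values and the
# default target below are assumptions for illustration.
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Referers a cloaked redirect typically keys on (assumed values).
SEARCH_REFERERS = {
    "google": "http://www.google.com/search?q=integrit",
    "yahoo": "http://search.yahoo.com/search?p=integrit",
    "bing": "http://www.bing.com/search?q=integrit",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None, timeout=10):
    """Return (status, Location or None) for one request, not following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects not followed, a 3xx surfaces here as an HTTPError.
        return err.code, err.headers.get("Location")


def is_offsite_redirect(url, status, location):
    """True if the response is a redirect to a host other than the one requested."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    here = (urlsplit(url).hostname or "").lower()
    there = (urlsplit(location).hostname or "").lower()
    # A relative Location ("/index.html") or the same host is not cloaking.
    return there != "" and there != here


def analyse(url, baseline, probes):
    """Compare the no-Referer response against the per-referer responses.

    baseline: (status, location) from a request with no Referer header.
    probes:   {name: (status, location)} from requests with each Referer set.
    Returns {name: location} for referers that redirect off-site to somewhere
    the baseline request did not go.
    """
    hits = {}
    for name, (status, location) in probes.items():
        if is_offsite_redirect(url, status, location) and location != baseline[1]:
            hits[name] = location
    return hits


def probe_site(url):
    """Live check: one request without Referer, then one per search engine."""
    baseline = fetch(url)
    probes = {name: fetch(url, ref) for name, ref in SEARCH_REFERERS.items()}
    return analyse(url, baseline, probes)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.integrit.ru/"
    for engine, dest in probe_site(target).items():
        print(f"Referer {engine}: redirected off-site to {dest}")
```

Run it against a suspect URL; an empty result means the site behaves the same with and without a search-engine Referer. Since the redirect lives in the server configuration rather than the HTML, fetching the page source alone, as with a plain download, would show nothing.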
The website owner was informed and our users are protected.
Web Security team post by — Chu Kian
Updated to add: Currently the .ru domain is not resolving, though the redirect is still occurring.
As if being deluged with DDoS attacks isn't bad enough, this week Twitter found itself the target of another sort of threat. The Register recently reported that the wildly popular social networking service is also being used to direct part of a botnet's activities.
According to the report, a security analyst accidentally stumbled across a Twitter account being used by botherders as a cheap and effective way of directing infected computers to websites where they can get further instructions.
This appears to be the first time Twitter has been used as part of a botnet's command and control structure. At time of writing, the malicious account has already been taken offline.
For more details, you can also check the original post from Arbor SERT.
Last night we saw a massive attack on a Georgian blogger who goes by the name "Cyxymu".
The attack included at least these components:
• DDoS attack against Cyxymu's Twitter account (http://twitter.com/cyxymu)
• DDoS attack against Cyxymu's Youtube account (http://www.youtube.com/cyxymu)
• DDoS attack against Cyxymu's Facebook account (http://www.facebook.com/cyxymu)
• DDoS attack against Cyxymu's Livejournal account (http://www.livejournal.com/cyxymu and http://cyxymu1.livejournal.com)
• DDoS attack against Cyxymu's Fotki account (http://public.fotki.com/cyxymu/)
• An e-mail "Joe Job" campaign against Cyxymu
The effects of some of these attacks are still visible. For example, Livejournal and Facebook are still not accepting connections to Cyxymu's pages.
Here's an example of what the Joe Job e-mails looked like. They were not sent by Cyxymu although they look like it.
Launching DDoS attacks against services like Facebook is the equivalent of bombing a TV station because you don't like one of the newscasters. The amount of collateral damage is huge. Millions of users of Twitter, Livejournal, and Facebook have been experiencing problems because of this attack.
Whoever is behind this attack, they had significant bandwidth available. Our best guess is that these attacks were done by nationalistic Russian hackers who wanted to silence a visible online opponent. While doing that, they've only managed to attract more attention to Cyxymu and his message.
Then again, Cyxymu himself simply comments in his Tweets that the attack was done by the Russian KGB.
We're unlikely to ever know the truth.
Updated to add: Added info that Cyxymu's Fotki account was under attack as well.
Updated to add: See the comments section for commentary from a person who worked at a radio station that was bombed…
This scam is as old as the hills, but scammers are still using it to make money off unsuspecting people. So we thought a warning is in order.
Today, one of our senior researchers received a call from an unknown international number, and when he answered, the call was immediately dropped. Being used to receiving calls from reporters around the world, he might have done the obvious thing and called the number back.
What he did instead was run a Google search on the number. He discovered that a lot of other people had received calls from the same number and wondered what the calls were about, and, more importantly, that people who had called back were complaining about mysterious charges on their phone bills.
The scam is very simple. Set up a premium-rate number, use it to call a group of randomly selected phone numbers, and either let the phone ring only once or cut the call immediately after the receiver answers.
Then simply wait for curious people to call back, play a "busy tone" audio file to make the caller think the call did not connect, and rake in the profits.
Usually these numbers charge somewhere between 1 and 5 € per call: a big enough sum to make money if you can fool thousands of people into calling, and small enough to make complaints impractical.
The best way to avoid this scam is to be wary of unknown numbers and not to call them back immediately. If the number looks like something you have not seen before and the country code is one you haven't even heard of, run a Google or WhoCallsMe search on the number before calling back.
Malware Domains List (MDL) is a popular website among security professionals and others interested in IT security. Now a rogue antivirus promoter seems to have latched onto its popularity by setting up a website on a URL very close to MDL's domain.
Visitors expecting to see this:
May instead end up seeing the following:
Note the difference in the URL between the legitimate website and the fake.
Despite a few grammatical errors, the warning does a decent job of looking like a legitimate notice from Firefox. Compare it to the (legit) one below:
Note the "Get security software" button on the malicious website's "warning" message. If clicked, the user is directed to a website promoting a rogue antivirus solution.
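As an added example (not code from the original post or from MDL), here is the kind of lookalike-domain check that would catch a site registered on a URL "very close to" a legitimate one: it generates the common typo variants of a legitimate domain (dropped, doubled, transposed and adjacent-key-substituted characters, plus TLD swaps) and classifies an observed hostname against them, falling back to an edit-distance threshold. The legitimate domain used below is a placeholder, not MDL's real domain.

```python
# Added example, not from the original post. Generates typo-squatting
# variants of a legitimate domain and classifies an observed hostname as
# legit, typo, lookalike or unrelated. The legitimate domain is a placeholder.

# Adjacent keys on a QWERTY layout, used for fat-finger substitutions.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def split_domain(domain):
    """Return (label, tld) for a registrable domain such as 'example.com'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typo_variants(domain, extra_tlds=("com", "net", "org", "info", "biz")):
    """All one-edit typo variants of the label, plus TLD swaps of the label."""
    label, tld = split_domain(domain)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])              # dropped character
        labels.add(label[:i] + label[i] + label[i:])       # doubled character
        for nb in KEYBOARD_NEIGHBOURS.get(label[i], ""):   # adjacent-key typo
            labels.add(label[:i] + nb + label[i + 1:])
    for i in range(len(label) - 1):                        # transposition
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in extra_tlds if t != tld}
    return variants


def edit_distance(a, b):
    """Levenshtein distance, used as a catch-all for multi-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, legit_domains, max_distance=2):
    """Return (verdict, matched_legit_domain_or_None)."""
    host = hostname.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for legit in legit_domains:
        legit = legit.lower()
        if host == legit or host.endswith("." + legit):
            return "legit", legit
    for legit in legit_domains:
        if host in typo_variants(legit):
            return "typo", legit
    host_label = split_domain(host)[0]
    for legit in legit_domains:
        if edit_distance(host_label, split_domain(legit)[0]) <= max_distance:
            return "lookalike", legit
    return "unrelated", None


if __name__ == "__main__":
    legit = ["malwaredomains.example"]  # placeholder, not MDL's real domain
    for h in ("www.malwaredomains.example", "malwaredomians.example",
              "malwaredomains.org", "malwaredomainsx.example", "example.org"):
        print(h, "->", classify(h, legit))
```

Feed it the hostnames from a proxy log or from the destination of a "Get security software" button and anything scored typo or lookalike against a list of sites your users trust deserves a look. The variant list is also what you would check against a registrar's zone data to see whether someone has already registered the near-misses of your own domain.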