10/28/2008 10:32:00 PM

Obama Leads in US Presidential Election Poll - the eCrime Way

by Iftach Ian Amit

And the leader, according to our highly non-scientific research done with Google on one specific attack vector, is: Barack Obama. Obama-related sites have been infected in such a way that they attack their visitors in 364 separate instances, while McCain is right behind with 230 instances.

As always, and as we have reported in the past, those behind eCrime are watching the news as diligently as the rest of us and are “affected” by current affairs in terms of the ways they tune their attack vector to achieve maximum exposure to their target market. The financial situation, jobs, housing, and now the US elections are causing a shift in the context of the sites targeted to carry malicious code and perform web attacks in order to gain as many “eyeballs” as possible.

Now, given that this example is just the tip of the iceberg and only gives a general idea of one specific attack vector, the conclusion is pretty obvious in terms of the global magnitude of having relevant sites infected with Malweb. Do the math: Google’s own tools give pretty insightful data on search trends (and thus on the chances that a site showing up in the first 100 results for such search terms will be visited), both for sociological and technological studies and for eCrime market-reach optimization.

(Image showing Google’s trends search volume for the phrases “john mccain” and “barack obama”)

That is why security research is more than just playing cat-and-mouse with a new attack technology or a new vulnerability. Security research is also understanding the attackers’ motives and MO, in order to be prepared for the next wave and the next technological advancements.

Malweb | Hackers

10/12/2008 3:31:00 PM

Taking the Red Pill Down the Rabbit Hole

by Iftach Ian Amit

I’ve been contemplating a title for this post for a long time; eventually I decided to merge two of my favorites (and leave the third alone: looking for the cuckoo’s egg). Basically, after a couple of weeks of almost nonstop work on a major research project (hence the relatively quiet blog), and some major news outbreak following this research (1, 2, 3, 4, 5, 6, 7, 8, 9, and more…), it’s time for a quick recap and a preview.

Recap: so, we saw that Neosploit was back. Even after the group’s demise in July, we clearly saw that its activity had not subsided and that a build dated August was very much active and doing its rounds on the net (see older post). We didn’t just sit there watching where the server would go next (which it did, in fact: from Argentina to sunny Florida), but also had the chance to do some digging around it and take a peek into one of the largest cybercrime operations uncovered in the wild, considering the fact that it is being run from a single server.

You are probably familiar with the numbers; over 200,000 credentials to servers around the world (mainly focused on western Europe and the US), tons of back-end applications that the criminals used to manage their operations, and even a brief encounter with a person logged on to the server… (for that, you’ll have to wait for our monthly threat report!).

As part of this activity, CERT has been working days and nights to help us contact all the affected parties. These guys are amazing! Sorting through the data and figuring out how to communicate securely with the 86 different countries affected is a major operation (in addition to handling law enforcement communications in the US), so huge kudos to them (you know who I’m referring to, NI…).

Nevertheless, we are talking about hundreds of thousands of compromised credentials; we never imagined these could all be contacted by law enforcement or the local CERTs and CSIRTs, so we have set up a page on our site where all you have to do is enter some basic contact info and the domain you are responsible for, and we’ll check whether it has been compromised or not. Spam free, no commitments; just because we are nice ;-)

The preview: well, the heaps of data that we managed to pull from the criminal server are going to make for quite an interesting read in our next monthly threat report, so stay tuned and watch our brand new AIRC homepage for updates! As I mentioned: backend applications, and even a look through the peephole to see the attackers on the other side.

That’s it for this time, I'm off to get ready for my talk at BlueHat later this week (more info is also available here).


Hackers

9/18/2008 8:07:00 PM

Snooping into Palin emails? Watch out for the criminals snooping on you!

by Iftach Ian Amit


Following the recent news on how an anonymous group managed to take over Sarah Palin’s Yahoo! email account, we have noticed some interesting happenings. As Wikileaks, the original posting location of the images taken from Palin’s Yahoo! inbox, was unavailable for some time, copies of the Wikileaks post started to appear on other sites.

Our assumption is that as users found the original site unavailable, they started digging deeper in their searches to find other copies of the original images. It seems that e-Criminals are just as in tune with the latest news and browsing habits, and have managed to publish (or alter an already published) zip archive of the original Wikileaks post with one small alteration: a malicious script appended to the HTML content. Users eager to take a look at the leaked images finally found themselves looking at an archived copy of the original Wikileaks page, without having any clue about the malicious script running on their PC at the same time.

The script used is the usual obfuscated JavaScript designed to evade detection, which exploits a couple of vulnerabilities in QuickTime and Microsoft’s WMV components. Once an exploit succeeds, a Trojan posing as an anti-virus application is installed on the local machine. The specific Trojan used in this incident is similar to the ones in other related attacks covered in our latest security research findings, which also traced sites connected to recent news.

Attackers are in a position to choose which malicious software runs on victims’ machines, since Malweb lets them run arbitrary code on them.

In conclusion: although it may be hard to stop in your tracks when the original site hosting breaking news is down, it seems wise to really look into the alternate copies of the evidence being posted at other locations. Some may be legitimate carbon copies of the content; others may carry a slight addition to the news in order to serve less legitimate purposes.
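As an added example (not code from the original post or from the research it describes), here is a Python check along the lines the post recommends for a mirrored copy of a page: it flags scripts appended after the closing `</html>` tag, inline scripts that look like obfuscated loaders, and external scripts from hosts you did not expect, and it can diff a mirror against the original page to list the scripts the mirror added. The sample pages, the hostname and the list of suspicious tokens are constructed assumptions; no real exploit code is reproduced.

```python
"""Heuristic check for script injected into a mirrored HTML page.

Added example, not from the original post. It looks for the pattern the
post describes: a copy of a legitimate page with a script appended to it.
The sample pages and hostnames below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>",
                       re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# Tokens typical of obfuscated drive-by loaders; the token list is an assumption.
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# A run of 16+ percent- or hex-escapes is rarely hand-written page content.
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){16,}")


def _scripts(html):
    """Yield (byte offset, src attribute or None, inline body) per <script>."""
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src_m = SRC_RE.search(attrs)
        yield m.start(), (src_m.group(1) if src_m else None), body


def scan_html(html, trusted_hosts=()):
    """Return findings as dicts with 'reason' and 'offset' (empty if clean)."""
    findings = []
    end_m = HTML_END_RE.search(html)
    end_off = end_m.start() if end_m else len(html)
    for off, src, body in _scripts(html):
        if off > end_off:
            # Content after </html> is the classic "appended to the copy" spot.
            findings.append({"reason": "script appended after </html>", "offset": off})
        if src is not None:
            host = urlparse(src).hostname
            if host and host not in trusted_hosts:
                findings.append({"reason": f"external script from {host}", "offset": off})
            continue
        hits = sum(body.count(tok) for tok in SUSPICIOUS_TOKENS)
        if hits >= 2 or ESCAPE_RUN_RE.search(body):
            findings.append({"reason": "inline script looks obfuscated", "offset": off})
    return findings


def extra_scripts(original, mirror):
    """Scripts present in the mirrored copy but absent from the original page."""
    def key(src, body):
        return (src, re.sub(r"\s+", "", body))
    known = {key(s, b) for _, s, b in _scripts(original)}
    return [(off, s, b) for off, s, b in _scripts(mirror) if key(s, b) not in known]


# Constructed sample: a clean page and a "mirror" of it with a loader appended.
ORIGINAL = """<html><head><title>leak</title>
<script src="http://mirror.example.org/gallery.js"></script></head>
<body><img src="inbox1.jpg"></body></html>
"""
MIRROR = ORIGINAL + (
    '<script>var s=unescape("%75%6e%65%73%63%61%70%65%28%22%25%37%35%25%36%65");'
    'eval(s);</script>\n'
)

if __name__ == "__main__":
    for f in scan_html(MIRROR, trusted_hosts=("mirror.example.org",)):
        print(f"offset {f['offset']}: {f['reason']}")
    for off, src, body in extra_scripts(ORIGINAL, MIRROR):
        print(f"script added at offset {off}: {body[:40]!r}")
```

The heuristics are deliberately simple and will miss a loader that is inserted before `</html>` and written without the usual decoding calls; when the original page is still reachable (or cached), `extra_scripts` is the stronger check, since it asks the only question that matters here: what does the copy contain that the original did not?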

Update: Further information on the technique itself used to obtain access to Palin's account is covered here.


Malweb | Hackers | Web-based Trojans | Press Coverage

9/14/2008 4:00:00 PM

Chrome, IE8, FF3 - is there anything new?

by Iftach Ian Amit

As websites are getting to be treated more like applications, users, both end-users and especially business ones, are moving from traditional old-school desktop applications (remember when “client-server” architecture was the thing?) to Software as a Service (SaaS), in-the-cloud, and just plain web applications. Security has been shifting from securing the local operating system to securing the web channel.

This has been backed by the clear shift from email being the number one carrier of all things bad to the web being the most prominent and efficient channel for cyber attacks. This shift, in usability as well as in security, has brought a lot of improvement in what we use to browse the internet today: our browsers. With the recent release of Firefox version 3, Google’s release of Chrome, and the upcoming Internet Explorer 8, browser makers are showing great improvements in both usability and security.

Nevertheless, the picture isn’t that pretty on the security front after all. Both Mozilla and Google are facing some major vulnerabilities that were disclosed shortly after the browsers were released. IE8 is lurking on the sidelines, trying to make sure its release will hopefully go uneventfully (on the security side, of course). History and reality are proving that as long as the web keeps providing such usability, we will have to come up with more than just new versions of browsers: more elaborate ways to secure the web itself. Issues such as authorization, authentication, permissions, cross-site relationships and mashup data sharing (and these are just scraping the surface) will have to be approached from a higher level, taking into account infrastructures, open protocols and APIs to be used across applications. Merely securing the endpoint (now almost literally the “window” onto the application) is not enough, as corporations will have to deal with the actual data and the applications handling it.

Don’t get me wrong – I highly appreciate the advancements that Chrome, FF3 and IE8 are making (and proud to be using all of them almost equally throughout the day), but let’s just remember not to keep living in a “whack-a-mole” security state of mind, and make sure we look at the whole picture.


Malweb | Hackers | Vulnerabilities

8/13/2008 3:43:00 PM

A follow-up on the Russian-Georgian cyberwar

by Oren Medini

Further research on the recent cyberwarfare between Russia and Georgia reinforces the assumption in our last blog post regarding the identity of the party behind the attacks against Georgia. The research speculates that the series of cyber-attacks was carried out by the Russian government in parallel with conventional military operations. The article can be found at:
http://www.stratfor.com/analysis/georgia_russia_cyberwarfare_angle


Note: membership is required in order to view the above article.


Hackers