
Monday, February 08, 2010

Black Hawk Safety Net down

China Daily has reported that Chinese law enforcement officials raided a hacker training and resource operation in Hubei province with 12,000 members, shut it down and arrested three principals in November.

The paper said: “The three, who ran Black Hawk Safety Net, are suspected of offering others online attacking programs and software, a crime recently added to the Criminal Law. A total of 1.7 million yuan ($249,000) in assets were also frozen.

“Hubei province named Black Hawk Safety Net as the largest hacker training site in China, which openly recruited members and disseminated hacker techniques through lessons, Trojan software and online forum communications.


“Since it was established in 2005, the site had recruited more than 12,000 VIP members and collected more than 7 million yuan ($1.03 million) in membership fees. More than 170,000 people registered for free membership.”

The story also said: “According to a report released by the National Computer Network Emergency Response Coordination Center of China, the hacker industry in China caused losses of 7.6 billion yuan ($1.1 billion) in 2009.”

The New York Times reported that the shutdown actually occurred in November and quoted a noted China watcher as saying that the action was just “window dressing” since Chinese authorities have not shut down the well-known servers that were used to attack Google and other western companies recently.

Observers in the west have been trying to fathom the meaning of events in China ever since Marco Polo wandered there in the 13th century and lived to write a book about it. China is big, in some ways very disorganized and has a history of being strange to the rest of the world. It will be interesting to see if there are more take downs coming.

China Daily story here.

New York Times story here.

Tom Kelchner

Sunbelt supports Safer Internet Day: Think B4 U post!

Sunbelt Software is supporting tomorrow’s Safer Internet Day, an awareness-raising initiative co-funded by the European Commission. Organizations in more than 60 countries are behind the campaign, this year focusing on the theme "Think B4 U post!"

[Image: Safer Internet Day logo]

New technologies have turned all of us, and mostly young people, into publishers of information, pictures, and videos. While bringing about new opportunities for personal expression and creativity, the same technologies can also conjure up embarrassing or even traumatic situations. For example, photos, once posted online, remain online and can be seen by anybody, even years after they have been posted. Therefore, children and teenagers need guidance to manage their online identity in a responsible way, to be in control of their own online identity.

“We are proud to be supporting Safer Internet Day. Whilst it is generally assumed that the latest generation will be the most technologically savvy, we see that children are taking increasing liberties with their online identity and opening themselves up to a wealth of very real dangers,” explained Sunbelt Software CEO Alex Eckelberry. “By following this simple five point checklist they can enjoy the many social and academic benefits of the Internet safely.”

Sunbelt Software offers the following five-point checklist to both children and parents to enable a safer online experience:

1. Do not open any emails that come from senders you don’t know. Many of those emails have luring titles like “You have won a lottery” or “Happy birthday, I have a present for you” and so on. Never open any attachments that come with such emails; in such cases it is likely that you will install a virus or a worm on your PC.

2. Try to avoid suspicious websites, and if you accidentally enter one that seems strange, leave it immediately.

3. If pop-up windows alert you or ask you to agree to anything, immediately close them and never click on any button inside them.

4. Install antivirus software such as Sunbelt Software’s award winning VIPRE on your PC. This will protect your computer against viruses and other malware threats. Antivirus software needs to be regularly updated, and can provide added security such as content or website filtering.

5. Install a firewall, which will watch the network connections going in and out of your computer and block the ones you have not allowed. (A firewall controls traffic, not files; the antivirus in point 4 is what inspects files.)

About Insafe

Insafe is the European Safer Internet awareness-raising network co-funded by the European Commission. It’s made up of national contact centers across the European Union and in Iceland and Norway, with partner organizations in Argentina, Australia and the US. Insafe aims at empowering users to benefit from the positive aspects of internet whilst avoiding the potential risks.

Further information is available at www.saferinternet.org or contact info-insafe@eun.org

Tom Kelchner


Friday, February 05, 2010

You’d think a company pursuing an IPO in this economy would clean up its act

You’d think that a company trying to raise several hundred million with an initial public offering of stock would tell their affiliates to be on their best behavior for a while.

For example, maybe they’d discourage them from hacking government web sites to attract search engine hits on the word “bestiality,” then redirecting the browsers to the company’s site.

The sites:

[Screenshot: AFF search]

The code:

[Screenshots: AFF code3, AFF code2, AFF code]

Remember Adult Friend Finder? Penthouse Media Group (which also owns Penthouse magazine) purchased the online adult… ah… dating service in 2007 for $500 million. Well, now they’re called FriendFinder Networks, Inc. In December 2008 they filed with the U.S. Securities and Exchange Commission for permission to make an initial public offering of $460 million of stock.

That timing wasn’t too good given the near collapse of the global economy back then, so last month they amended their IPO filing in hopes of raising $220 million. Lead underwriters are Renaissance Capital and Ledgemont Capital Markets LLC. Co-managers are Merriman Curhan Ford and Lighthouse Financial.

See story “FriendFinder Still Sees IPO, But Less Capital Raised (FFN)”

In 2007 AdultFriendFinder.com settled an enforcement action by the Federal Trade Commission, which charged that their explicit online pop-up ads violated federal law. The settlement barred them from “displaying sexually explicit online ads to consumers who are not seeking out sexually explicit content.” (Story here.)

Thanks Eric Howes.

Tom Kelchner

Major U.S. crackdown on work-at-home fraud coming?

The U.S. Federal Trade Commission today announced that next Tuesday they will hold a news conference to make public details of “a law enforcement sweep cracking down on job and work-at-home fraud fueled by the economic downturn.”

The media advisory said that the news conference would feature the director of the FTC’s bureau of Consumer Protection David C. Vladeck, an assistant attorney general and the Ohio Attorney General. The advisory listed as “also attending” representatives of the U.S. Postal Inspection Service, Monster.com and Microsoft.

People who sign on as work-at-home employees from Internet ads (also called “money mules”) often are used as conduits for stolen funds that are transferred from the bank accounts of victim individuals or companies who have been scammed by phishing or spear-phishing. The money mules set up bank accounts into which stolen funds are transferred. They are instructed to keep a portion of the funds and wire the remainder to the scammers, who are generally outside the U.S.

In November, the FBI reported that it had been notified of about $100 million in attempted losses from such scams.

Prominent computer security blogger Brian Krebs ( http://www.krebsonsecurity.com/ ), formerly of the Washington Post, has reported extensively about losses from similar scams from small and medium size businesses in the last few months.

A blog piece he did in January “Top 10 Ways to Get Fired as a Money Mule” is not only a good description of the work-at-home scam, but is very funny as well.

FTC media advisory here.

Tom Kelchner

It looks like a phish but isn't

This is really bad for so many reasons.  It certainly doesn’t help their security.


[Screenshot: Fidelity message]


And yes, it’s completely legitimate.

Alex Eckelberry

Vote for VIPRE Enterprise

If you like VIPRE Enterprise, you can vote for it here for the Network Computing Awards 2010.

Alex Eckelberry

Trojan code sneaks into two Mozilla add-ons

Mozilla yesterday posted a notice on its AMO blog (that’s an acronym for their add-on site addons.mozilla.org) that two add-ons have been found infected with Trojan code: Sothink Web Video Downloader v. 4.0 and all versions of Master Filer.

Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen (a password-stealing Trojan) and Master Filer contained Win32.Bifrose (a backdoor). According to the blog, Master Filer was downloaded 600 times before it was removed from the site Jan. 25 and Sothink was downloaded more than 4,000 times before it was removed Feb. 2.

Mozilla said “AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.”
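Both Trojans named above are Win32 binaries, so one cheap check that does not depend on any signature database is to look inside the add-on package (an .xpi is a ZIP archive) for members that begin with a PE or ELF header, whatever their file extension. The following is an added example, not Mozilla’s AMO validation code; the sample add-on archives are constructed in memory and the “payload” is only a fake MZ header, not a real executable.

```python
"""Scan a Firefox add-on (.xpi, a ZIP archive) for embedded native executables.

Added example, not Mozilla's AMO validation code. Assumes any archive member
whose first bytes are a PE ('MZ') or ELF header is worth blocking, regardless
of the extension it was given.
"""
import io
import zipfile

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def find_native_binaries(xpi_bytes):
    """Return the archive member names that look like native executables."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # magic-based, so renaming .exe to .dat does not help
            if head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC):
                suspicious.append(info.filename)
    return suspicious


def build_sample_xpi(with_payload):
    """Construct a minimal add-on archive in memory (sample data, not a real add-on)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/main.js", "// harmless script")
        if with_payload:
            # A fake PE stub disguised as a data file: only the 'MZ' header matters here.
            zf.writestr("chrome/content/icons.dat", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_native_binaries(build_sample_xpi(True)))   # ['chrome/content/icons.dat']
    print(find_native_binaries(build_sample_xpi(False)))  # []
```

This catches an add-on that ships a Windows or Linux executable outright; it does nothing against a script-only add-on that downloads its payload at run time, which is why a check like this belongs in front of the antivirus scanners rather than in place of them.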

Blog post here.

Tom Kelchner

VIPRE for Valentines

Ok, it’s not my personal favorite color, but this is a new special being run for the Valentines Day weekend by our web team.  


Alex

Tech support hell

Funny and too close to the truth:

When you finally do get through to an agent, you'll hear something like: "Welcome to DSL technical support, my name is Larry, how can I help you today?" You give Larry your account number and begin to explain your situation, knowing all the while that this is a formality. As soon as you stop talking he'll begin the same dance you've danced every time you call tech support. You conclude your exhaustive rundown of your case history. There's a beat, and then Larry responds, "I understand, sir. Can you tell me. Is your computer plugged in?"
Link (Warning: off-color language).

Everything we aim not to be in our support.

Alex Eckelberry
(Thanks Jamie)

Haiti relief scams: more than 170 reported to feds

USA Today is reporting that federal law enforcement agencies have taken more than 170 complaints about Haiti earthquake relief scams. They expect more on social networking sites such as Facebook and Twitter. The scams include spam email, fraudulent web sites and in-person scams.

The story advises those wishing to check on the legitimacy of a relief organization to check the web site of the American Institute of Philanthropy ( http://charitywatch.org/ ), which rates charities.

The Institute says that charitable organizations should spend 75 percent of the cash they raise on their charitable work and no more than 25 percent on fund-raising expenses. Its web page lists several dozen legitimate charities providing relief for the victims of the Haiti earthquake here.

Story here.

Tom Kelchner

Phishing scam steals carbon credits

Wired magazine has run a story on a phishing scam in Europe, New Zealand and Japan that resulted in the loss of 250,000 carbon credit permits worth $4 million from six companies.

The phishing emails spoofed the German Emissions Trading Authority and said that the victim companies needed to re-register their accounts with the authority. When victims entered their information on a fraudulent web page from the link in the phishing emails the scammers accessed their accounts, transferred emissions credits to accounts they controlled then sold them. The amount the scammers made hasn’t been disclosed.

Wired cited information from the BBC and the German newspaper Der Spiegel.

Story here.

User education. User education. User education. User education.

Tom Kelchner

Thursday, February 04, 2010

Human factors: compulsive Internet life can replace the real thing

Psychologists doing research at Leeds University in the UK found that people who spend an excessive amount of time on the Internet show signs of depression, although they did not determine whether the online behavior caused the depression or whether depressed people simply spent more time online.

Catriona Morrison, the lead author, wrote in the journal Psychopathology: "This study reinforces the public speculation that over-engaging in websites that serve to replace normal social function might be linked to psychological disorders like depression and addiction."

The research is the first such study of people in the west. The researchers analyzed the Internet use and depression levels of 1,319 people in Britain between the ages of 16 and 51. They concluded that 1.2 percent were "Internet addicted" and “spent proportionately more time browsing sexually gratifying websites, online gaming sites and online communities. They also had a higher incidence of moderate to severe depression than normal users.”

"What is clear is that for a small subset of people, excessive use of the Internet could be a warning signal for depressive tendencies," Morrison said.

Story here.

The “Internet addiction” headlines mostly have been from Asia recently, where marketeers have been trying to convince the public that 10 percent of them are Internet addicted and in need of rehab camps (complete with military-style discipline, beating deaths and electro-shock therapy) that cost thousands.

See our blog piece “China bans use of electroshock therapy” from August.

In the U.S., what is believed to be the first Internet addiction treatment center, called “reStart Internet Addiction Recovery Program,” opened last summer near Fall City, Wash.

See our blog piece “First Internet addiction treatment center opens in Washington state”

Tom Kelchner

VIPRE is a finalist in UK’s Network Computing Awards

VIPRE is among nine finalists in the Security Product of the Year category of the 2010 Network Computing Awards competition. Voting on the Network Computing web site will continue until Feb. 22.


[Image: Network Computing Awards finalist]


“The Network Computing Awards were launched to recognise the companies, the products and the services that have most impressed the readers of the UK’s longest established computer networking publication.”

“Categories have been refined to recognise the hardware, software and managed services that can assist an organisation in operating securely, efficiently and responsibly in today’s world.”

Awards will be presented on 4th March at Guoman Tower Hotel, London.


More information here. 

Tom Kelchner


 

Wednesday, February 03, 2010

Phony Firefox update comes with Hotbar adware

Our good friends at Broomfield, Colo., security firm eSoft have found an interesting scam to trick Internet users into installing the Hotbar adware: a fake Firefox download site.

The eSoft researchers are theorizing that an affiliate of Pinball Publisher Network (PPN) is responsible. Pinball bought the Zango assets after that pestilent operation failed last spring.

However, Sunbelt Software Spyware Research Manager Eric Howes did some more digging and found that PPN offers the download file on a site it owns, so that affiliates can send victims there for downloads.

The PPN home page notes that PPN is itself distributing the custom Firefox installer that PPN put together and digitally signed from this web site:

http://freesoftwaredl.com/

The PPN setup wizard says that the distribution of Firefox is “sponsored” by Hotbar. We’re wondering what that means. In reality, they’re taking a distribution of Firefox and infecting it with adware.

[Screenshot: PPN Firefox setup wizard]


We blogged about the Pinball Publisher Facebook fan site last week.

eSoft blog piece here.

The real site to download a legitimate copy of the Firefox browser is here:
http://www.mozilla.com/en-US/firefox/personal.html?from=getfirefox

A genuine Firefox installer is digitally signed by Mozilla. If the publisher shown in an installer’s signature is anyone else, as with the PPN build, don’t run it.

Tom Kelchner

Update 02/04:


PPN made and signed the installer that both PPN directly and their affiliates indirectly are distributing. That's why PPN is responsible for what's going on at the affiliate site that eSoft found -- the affiliates are only promoting a download created and hosted by PPN itself. PPN itself is running a web page that promotes the same bundleware install that the affiliate site is offering.

Thanks Eric

It’s lame ransomware, but it could fool somebody

Our researcher Adam Thomas found this little gem today. It’s distributed with other malware, cracks and drive-by downloads. It purports to be a security warning from your Windows operating system.

[Screenshot: fake Windows security warning]

Notice the “Visa, MasterCard, etc” – it doesn’t even bother to list all the cards it accepts.

[Screenshot: payment form]


The really cool thing about it is that it accepts FAKE credit card numbers as readily as real ones: there is no validation of the number at all.


[Screenshot: fake card number accepted]
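For comparison, here is the check a real payment form runs before it even sends a number to a processor: the Luhn checksum. This is an added example, not code from the ransomware or from Sunbelt; the digits-only check stands in for what the ransomware appears to do (we assume it merely checks that something card-shaped was typed), and the card numbers are constructed test values, not real accounts.

```python
"""Luhn check for card numbers, next to the no-check the ransomware above appears to use.

Added example, not code from the malware or from Sunbelt. The sample numbers
are constructed test values, not real accounts.
"""


def _clean(number):
    """Strip the separators people type; anything else makes the input malformed."""
    return number.replace(" ", "").replace("-", "")


def digits_only_check(number):
    """Assumed ransomware-style 'validation': any 13-19 digit string passes."""
    cleaned = _clean(number)
    return cleaned.isdigit() and 13 <= len(cleaned) <= 19


def luhn_valid(number):
    """True if the number passes the Luhn mod-10 checksum used by card issuers."""
    cleaned = _clean(number)
    if not cleaned.isdigit() or not 12 <= len(cleaned) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    for n in ("4111 1111 1111 1111", "4111 1111 1111 1112", "1234 5678 9012 3456"):
        print(n, "digits-only:", digits_only_check(n), "luhn:", luhn_valid(n))
```

Luhn is a checksum, not proof of a live account; it weeds out typos and made-up numbers, which is exactly the gap on display in the screenshot above. A real merchant still gets the yes-or-no from the payment processor.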

Thanks to Sunbelt Software researcher Francesco Benedini for help with the analysis.


Tom Kelchner

Tuesday, February 02, 2010

Pushdo/Cutwail/Pandex botnet attacking major sites

No one is sure why the Pushdo botnet is running a distributed denial-of-service-like attack against over 300 major web sites including the CIA, Mozilla labs, SANS and Twitter, according to the Shadowserver Foundation. Pushdo is also called Cutwail and Pandex.

The botnet has been spewing initial SSL connection requests, causing servers to return an SSL negotiation error. The attacks don’t appear to be of sufficient intensity to knock any of the target sites offline and could possibly be a mechanism to mask the botnet’s other traffic.

SecureWorks said Pushdo is sending the SSL packets to port 443. The botnet also uses that port for command-and-control traffic.

Last June, MessageLabs estimated that the Pushdo botnet, believed to be the world’s largest, was comprised of 1.5 to 2 million bots that pumped out 74 billion spam messages per day (51 million per minute.) They said 14 percent of the bots were in Brazil, 14 percent in South Korea and 10 percent in the U.S.

Story here.

Friday, January 29, 2010

The ghost of Zango toolbar has a Facebook fan page

[Image: Pinball Publisher Network Facebook fan page]

Here’s something they don’t teach in marketing 101: If you’re pushing software that no one wants -- like, say, annoying adware -- and your downloads are going nowhere, what do you do?

Answer: you push somebody else's popular software and bundle your junkware with it.

Remember Zango? It was that irritating adware company that spent years and a million weasel words trying to make its operation seem legitimate. It was fined $3 million in 2006 by the U.S. Federal Trade Commission, and in 2007 it unsuccessfully sued anti-virus vendor Kaspersky in Federal Court for classifying Zango’s software as malware. After several years of sagging revenue amidst a larger collapse of the adware industry, the company finally folded and sold its assets at fire sale prices last April. (Sunbelt Blog story here.)

The buyer, Pinball Publisher Network, is still distributing Zango and sadly enough it still offers users nothing of any value, which is why PPN offers Open Office, 7-Zip and Firefox bundled with it. PPN and its affiliates are simply trying to piggyback on those programs and in the process, leech from their value and good name.

Here’s what its fans get:

“Hotbar's toolbar for IE, Outlook/Outlook Express and Word provides FREE access to premium content including weather, paid for by advertising. Based on keywords generated by your browsing, Hotbar shows ads in a separate browser window or a temporary Slider, and toolbar search suggestions. ShopperReports provides comparison shopping offers in a Sidebar. Both run continuously and update automatically. Uninstall easily via Add/Remove Programs.”

AND how do you suppose Pinball Network affiliates are persuading people to install adware-laden software that can be had free and clean of Pinball's software elsewhere on the Net? Here's a cynical bit of advice from a user on a forum where affiliates discuss their experiences with PPI (pay per install) programs such as Pinball Publisher Network:

"If your users use IE tell them they need Firefox to see the website and bingo $$$. Pinball is so easy to make money with. All you need is sites that users are looking to download things. A lot of sites are losing money using silly fill me in to unblock me content, I mean if your users are looking to download they will download!"

VIPRE detects this adware application as "Pinball Corporation. (v)". Since the installer basically loads all the old Zango files, users who happen across it will probably see VIPRE detecting “Zango” and “Hotbar” as well.

Thanks Adam Thomas and Eric Howes and big hat tip goes to Wendy Ivanoff for getting spammed with this crap and bringing it to our attention

Tom Kelchner

Facebook privacy settings: 35 percent actually checked them

At a privacy roundtable sponsored by the U.S. Federal Trade Commission in San Francisco, Facebook Director of Public Policy Tim Sparapani said that 35 percent of the 350 million Facebook users (that's 122 million!) actually checked their privacy settings when Facebook suggested it in December.

The BayNewser, a San Francisco media news site, said Sparapani told their reporter that “the industry average for users' actively engaging with their settings is actually between 5-10 percent.”

Story here.

Tom Kelchner

Thursday, January 28, 2010

Happy Data Privacy Day

[Image: Data Privacy Day logo]


From Richard Purcell, executive director of The Privacy Projects (www.theprivacyprojects.org), organizing sponsor of Data Privacy Day:

“Most consumers see the benefit of living online, but too few are aware of just how much information is being collected, who is collecting it, and how it is being used. We hope to reach adults and young people and advance privacy awareness with the educational materials and resources available at the Data Privacy Day webpage.”

The Privacy Projects is a Nordland, Washington-based, non-profit research institute that funds academic research into “evidence-based” privacy aimed at enhancing policies, practices and tools necessary to meet the power of the new technologies. An independent voice, TPP seeks to offer insight to companies, governments and consumer advocates as new information-driven businesses are considered, developed and deployed.


News Release here.


Tom Kelchner

Wednesday, January 27, 2010

Hacker puts porn clip on Moscow video billboard

Someone hacked into a 3Stars outdoor advertising screen on the Garden Ring road in Moscow about midnight last Thursday and ran a two-minute hardcore video clip.

The showing caused a massive traffic jam but city officials said the good news was that there were no traffic accidents.

3Stars commercial director Viktor Laptev said "There was a hacker attack as a result of which a commercial was replaced with an obscene video in the control computer. It is unclear whether it was an act of hooliganism or competitors' intrigues."

The Moscow city advertising committee will investigate.

Story here (and no, there’s no video).

Tom Kelchner

Botnet C&C switching to http; away from IRC

Researchers with Internet security group Team Cymru, headquartered in Burr Ridge, Ill., have reported that in the last six months they found a doubling of the number of botnets controlled through http – indicating easy-to-use point-and-click kits that function in a browser. The number of botnets controlled through Internet relay chat channels – a traditional command-and-control mechanism – has remained steady.

In the report just released, the group said “the kits are becoming more accessible and the easier user interface for http botnets means that they are generally favored over more traditional control mechanisms.”

Well-known Internet security blogger Brian Krebs calls it the rise of “Web Fraud 2.0.”

The hosting locations for botnet IRC channels are overwhelmingly in the U.S. and western Europe. The http servers that are used for botnet C & C are in the U.S., China, Russia and Brazil, Team Cymru said.

Team Cymru Research specializes in monitoring malicious Internet activity.
Their white paper "Developing Botnets - An Analysis of Recent Activity," by Steve Santorelli can be found here.

Tom Kelchner