Category: Cyber Security

Top Countries Hosting Phishing Websites – 2010

The United States stands as the major hosting hub for phishing sites, according to a report from OpenDNS. According to the report, more than 60,000 separate attempts came from websites hosted in the U.S.

The following are top countries hosting phishing websites in 2010:

  1. United States — 53.8%
  2. Germany — 6.3%
  3. Canada — 5.2%
  4. United Kingdom — 4.8%
  5. France — 3.5%
  6. Russia — 2.9%
  7. China — 2.8%
  8. South Korea — 2.8%
  9. Italy — 2.5%
  10. The Netherlands — 2.4%

Percentages indicate the proportion of phishing sites verified in 2010 hosted in a given country.

Vulnerabilities Found in Google Chrome

Secunia has recently released a security advisory on Google Chrome asking users to update to the latest version (8.0.552.237) of the browser. According to the advisory, multiple vulnerabilities have been found in the browser that can be exploited by malicious people to manipulate certain data and potentially compromise a user’s system.

The vulnerabilities are as follows:
1) An unspecified error exists within the extensions notification handling.

2) A second unspecified error exists when handling pointers within node iteration.

3) A third unspecified error exists when printing multi-page PDF files.

4) An error when handling CSS and canvas can be exploited to reference a stale pointer.

5) An error when handling CSS and cursors can be exploited to reference a stale pointer.

6) A use-after-free error when handling PDF pages can be exploited to reference freed memory.

7) An error due to an out-of-memory condition when processing PDF files can be exploited to cause stack corruption.

8) An error when handling mismatched video frame sizes can be exploited to reference invalid memory.

9) An error when handling SVG “” elements can be exploited to reference a stale pointer.

10) An error when handling rogue extensions can be exploited to reference an uninitialised pointer.

11) An error within the Vorbis decoder can be exploited to cause a buffer overflow.

12) An error within PDF shading can be exploited to cause a buffer overflow.

13) An error when handling anchors may result in an incorrect type cast.

14) An error when handling videos may result in an incorrect type cast.

15) An error after removal of a DOM node may result in a stale rendering node.

16) An error when handling speech can be exploited to reference a stale pointer.

Procedure to check the version:
1. Click the Tools menu.
2. Select About Google Chrome.
3. If the version is not 8.0.552.237, click the Update button and restart the browser.

How Safe is Adobe Reader X for Windows?

Vulnerabilities in commonly used and popular software applications are exploited by attackers to infect PCs. Adobe Reader has been one of the most commonly exploited applications.

Adobe Reader 9 was known for its vulnerabilities in 2010, which kept surfacing despite the number of security patches released by Adobe. To counter this, Adobe Reader X was released with security enhancements such as sandboxing protection for Windows XP/Vista/7 and Protected Mode view. However, how safe Adobe Reader X is, especially on Windows, is still questionable.

Security in 2010 for Adobe Reader
Adobe applications were already the most targeted client software during the last quarter of 2009. A report from McAfee predicted that Adobe Reader and Flash would be the primary targets for attacks in 2010. According to the National Vulnerability Database, around 60 vulnerabilities have been reported for Adobe Reader and Acrobat for Mac since January 2010, nearly all of them rated “high” severity. In some cases, the vulnerabilities were disclosed only after they had already been exploited.

The number of security patches addressing critical security vulnerabilities has increased for version 9 of Adobe Reader. Amid these, Adobe released Adobe Acrobat X (version 10.0) on November 15, 2010.

Why was Adobe Reader targeted?
While there are many other PDF readers on the market, Adobe Reader is the one most often mentioned in connection with security vulnerabilities. Possible reasons include:

  • Adobe Reader supports JavaScript and Flash within PDFs. This gives attackers the opportunity to embed malicious code in PDFs using these languages, code that executes when you open the file.
  • Adobe Reader supports embedded content, for which it uses a parser to interpret the content and display it properly. However, each bit of parsing code is a potential point of failure and is frequently exploited by attackers: malformed content is placed in PDFs to crash the parser and carry out a memory corruption attack on the PC.
  • Adobe Reader’s popularity on Windows is another reason it is targeted so often. Windows is the major OS, with a 91% market share in client PCs, and Adobe Reader is installed on most of them, so attackers find it easy to compromise these PCs through Adobe vulnerabilities. Adobe also ships an Acrobat PDF reader for Mac OS, which is not reported to be targeted much by attackers.

Enhanced security features in X version
Adobe Reader X has many security advancements compared to its earlier versions. The major ones are the following:

  • The biggest security change in Reader X is the addition of sandboxing, or Adobe Reader Protected Mode, available only on Windows. Sandboxing limits what an attacker can do even after successfully exploiting Reader. The risks it covers range from deploying malware on the PC to changing the PC’s file system or registry.
  • An intensive code hardening program was implemented to reduce vulnerabilities and security flaws in Reader. This security development process combined testing, code review, and programming standards.
  • An improved JavaScript blacklist framework, which allows you to disable only specific JavaScript functions instead of disabling JavaScript completely.
  • An altered way of presenting security alerts and preference settings. For alerts in particular, a yellow alert bar with descriptive text drops down in place of the Yes/No dialog boxes that users instinctively click without reading. The user has to click Options in the bar and choose one of the listed actions.

Adobe Reader X still not safe
The enhanced security features discussed above do not make Adobe Reader invulnerable. Sandbox mode only acts as a protection layer: it prevents the attacker from writing files or installing malware on the victim’s computer even when a vulnerability is exploited. The other security features explained above depend on the user’s preferences. Still, version 10 of Adobe Reader is the best of its line in terms of security compared to its previous versions. If you are still using an older version of Reader, update it.

Malware creators are getting innovative and looking for new ways to infect PCs with malware. “Eternal vigilance is the price of freedom.” Similarly, the more watchful and aware you are of security vulnerabilities and the ways to defend against them, the safer and more secure you will be.


Being Secure from Drive-by Malware

Despite high levels of investment in security tools such as firewalls and anti-malware, and in precautions such as safe browsing, many Internet users still fail to keep their PCs from getting infected. This can be attributed to low awareness of the growing variety of malware, which keeps evolving new tactics, and to negligence in regularly updating the application software on the PC. Drive-by malware is one such type of malware; it infects a PC through vulnerabilities in the outdated applications installed on it.

What is Drive-by malware?
Drive-by malware mostly uses vulnerabilities in the web browser, browser plug-ins, or security holes in applications such as Adobe Reader to infect a PC. Drive-by malware is malicious code that downloads when you visit an infected website, open an attachment to a spam e-mail, or click on a deceptive pop-up window. Often this code downloads and executes on the PC without the knowledge or permission of the user.

Infected websites major source of malware
Even while avoiding illegitimate and suspicious URLs, one can still be exposed to online malware attacks. A recent report from Symantec says that 90% of all websites used to spread malware or launch attacks against users are legitimate sites that have been infected. Most webmasters or owners of these infected websites are not aware of the infection. This generally happens because old, vulnerable web server software is easily exploited, through a malicious ad distributed via an advertising network or by other means. According to Websense Security Lab, the number of websites hosting malicious software grew 225% in the last six months of 2009 alone, and most websites with malicious code are legitimate sites that have been hacked.

Since the owner of the website is not aware of the infection, users unknowingly open the legitimate-but-infected site and get their PC infected with drive-by or similar malware.

Avoid reading PDF documents in browsers
Adobe Reader is the most popular PDF reader software today. However, it is also one of the most exploited. According to researchers at the Georgia Institute of Technology and California-based SRI International, Adobe Reader attracted almost three times as many drive-by malware attempts as the other programs studied. Thus, it is important to keep Adobe Reader updated regularly. Even with regular updates you may still be at risk from its latest vulnerabilities, so it is recommended to avoid opening PDF documents inside the web browser.

Other Applications that can be vulnerable
Researchers found that, apart from Adobe Reader, the applications most frequently targeted by drive-by download exploitation are Sun Java and Adobe Flash. Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. PCs using Microsoft’s Internet Explorer 6 are very likely to get infected by drive-by attacks. Microsoft has recently reported attackers hijacking PCs with drive-by attacks that exploit security flaws in IE 6 and IE 7. IE 8, however, is said to be immune to these attacks.

Keep your Software updated
Keeping your system updated is the most important factor in protecting yourself against drive-by malware, as it mostly exploits unpatched security holes in software applications. Users of Windows PCs should check for patches and update their operating system regularly. Updating all other applications such as the PDF reader, web browsers and plugins is just as important for maintaining the immunity of the PC.

The malware on the Internet today has become hyperactive in infecting PCs. In this situation even a small mistake, such as neglecting updates, can take a big toll. Regular updating and abandoning old, vulnerable software is the best way to protect your PC against drive-by malware.


Importance of Updating Adobe Flash Player

Flash has enabled the addition of animation, interactivity and video to web pages. According to a report, Flash as a format is used on around 95% of PCs worldwide. Adobe Flash Player is the most popular Flash player, with Adobe claiming that around 99.3% of US web users have it installed in their web browsers. However, its popularity has attracted attackers, who exploit PCs running an outdated Flash Player over the Internet. Accessing the Internet with an outdated Flash Player has other problems too.

Issues with Outdated Adobe Flash Player
According to the report Flash Security Hole Advisory from security services provider Trusteer, 80% of users are running an outdated Flash Player plugin. Accessing the Internet with an outdated Flash Player can leave you vulnerable online. Outdated Flash Player ActiveX controls and plugins can cause browsers to crash or become unstable when accessing web pages with rich content applications. They also allow an attacker to run malicious code on your computer. Flash Player has become a common target for cyber-criminals, who exploit the vulnerabilities in outdated versions to silently infect web surfers with malware when they visit compromised websites.

To avoid exploitation of their PCs, Internet users have to update their Flash Player regularly.

Differences between Adobe Flash – Activex and Plugin
Internet Explorer is the default web browser on PCs with Windows. However, many users also use other browsers such as Mozilla Firefox and Google Chrome. Adobe Flash Player comes in two different versions for different web browsers: Adobe Flash Player ActiveX and Adobe Flash Player Plugin. The ActiveX version is used by Internet Explorer, whereas the plugin is used by other popular web browsers such as Firefox and Chrome. It is important to make sure that both versions of Flash Player are updated to keep your PC secure from exploitation through Flash Player.

Checking if your Adobe Flash Player is Latest
Web browsers have a mechanism to alert users whenever a new update for Flash Player is available. You can also use the following link to check whether your Flash Player is the latest version or outdated.

http://kb2.adobe.com/cps/155/tn_15507.html

Email Spoofing – Commonly faced problem online

The trend in Internet exploitation has moved away from viruses and trojans. Attackers are no longer interested in merely deploying these small infectious agents on other people’s PCs unless there is an economic benefit in doing so. Gaining access to computers using malware, spambots and similar technologies has become widely prevalent today.

Getting access to the computer of a well-off person is like getting access to his wallet. Since there is no complete solution for Internet vandalism yet, awareness of the methods of exploitation is what helps in the present situation. In our earlier article we discussed website spoofing. This article is about e-mail spoofing, one of the common methods used by cyber criminals.

Understanding eMail Spoofing
A spoofed email is simply an email sent while impersonating a legitimate source. Generally, the sender changes the FROM address and other parts of the e-mail header, such as Return-Path and Reply-To, to make it appear that the message originated somewhere else. This is usually done by adjusting the settings of an email client such as Mozilla Thunderbird, Outlook Express or Eudora. There are also a few websites that offer to send emails where the sender can enter any email address in the FROM or Reply-To fields.

Common Deceptive Tactics Used in eMail Spoofing
Email spoofing relies on the standard email protocol, SMTP. Email programs allow the sender to modify email headers and thus forge the originating identity of the message. The most common deceptive tactic is for the spoofer to send emails to thousands, even millions, of email accounts in the name of a well-known company. The typical phishing email contains a clever story designed to lure people into some action, such as clicking a link or button in the email or calling a phone number.

The link in the email may redirect you to a spoofed website, which in turn is used to capture your data.

Possible Spammers intention behind a spoofed eMail
Though sending spoofed emails is very simple compared to many other deceptive online tactics, it has a much higher profit potential for the spoofer. Email spoofing is generally used to obtain a person’s login details for financial accounts. Once they have access to the account, they can make withdrawals from it or authorize payments for online purchases.

Identifying Spoofed eMails
Common methods of identifying a spoofed email are as follows:

  • Emails from banks or finance-related sources that do not address you by the name you registered with them can be suspected of being spoofed. eBay, PayPal and banks never send out generic emails saying “Dear valued customer” or “Dear member”.
  • You can quickly tell whether the link in an email is a spoof by hovering your mouse over it and comparing it with the link shown in the status bar.
  • View the full message header to see where the email actually came from.
  • Read your email carefully and look for spelling or grammatical mistakes.
  • Treat any website asking for your PIN (personal identification number) as a spoof.
  • Some spoof sites include pop-up message boxes. It is better not to engage with such emails.
  • Most spoof emails create a false sense of urgency, for example a message saying that your account will be locked or deleted if you don’t act quickly.
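The checks listed above can be scripted. The following is an added example written for this page, not code from the original post: it parses a raw message with Python's standard email library, compares the domains of From, Reply-To and Return-Path, reads the first-hop host out of the bottom-most Received header (the "full message header" view), and scans the body for generic greetings and urgency phrases. Both messages are constructed samples using reserved example domains; the phrase lists are assumptions and the whole thing is a heuristic, not a verdict.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): the visible From claims the bank,
# but Reply-To, Return-Path and the originating server all point elsewhere.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from inbox-mx.example.org (inbox-mx.example.org [192.0.2.5])
\tby inbox.example.org with ESMTP; Mon, 10 Jan 2011 09:12:31 +0000
Received: from phisher.example.net (phisher.example.net [203.0.113.9])
\tby inbox-mx.example.org with ESMTP; Mon, 10 Jan 2011 09:12:30 +0000
From: "Bank Security" <security@bank-domain.example>
Reply-To: verify@phisher.example.net
To: customer@example.org
Subject: Your account will be locked
Content-Type: text/plain; charset="utf-8"

Dear valued customer,

Your account will be locked within 24 hours unless you verify your details
immediately at http://www.bank-domain.example@phisher.example.net/login
"""

# Constructed sample of a legitimate statement notice for comparison.
CLEAN_RAW = """\
Return-Path: <statements@bank-domain.example>
Received: from mail.bank-domain.example (mail.bank-domain.example [198.51.100.7])
\tby inbox-mx.example.org with ESMTP; Mon, 10 Jan 2011 09:00:00 +0000
From: "Example Bank" <statements@bank-domain.example>
To: customer@example.org
Subject: Your January statement is available
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

Your January statement is now available in online banking.
"""

# Assumed phrase lists; tune them to the mail you actually see.
GENERIC_GREETINGS = ("dear valued customer", "dear member", "dear customer", "dear user")
URGENCY_PHRASES = ("will be locked", "will be deleted", "within 24 hours", "act now")


def _domain(header_value):
    """Lower-case domain of the address in a header value ('' if none)."""
    _, address = parseaddr(str(header_value) if header_value else "")
    return address.rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the bottom-most Received header: each relay prepends its
    own Received line, so the last one is the first hop the mail took."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = re.search(r"from\s+([\w.-]+)", str(received[-1]))
    return match.group(1).lower() if match else ""


def spoof_indicators(raw):
    """Return a list of human-readable reasons the message looks spoofed."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    findings = []

    # 1. Reply-To / Return-Path pointing at a different domain than From.
    for header in ("Reply-To", "Return-Path"):
        domain = _domain(msg[header])
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain!r} differs from From domain {from_domain!r}")

    # 2. First hop in the Received chain not under the claimed sender domain.
    origin = originating_host(msg)
    if origin and origin != from_domain and not origin.endswith("." + from_domain):
        findings.append(f"first Received hop {origin!r} is not under From domain {from_domain!r}")

    # 3. Body content: generic greeting and pressure to act.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the customer's registered name")
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency language pressuring the reader to act")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        print(label, spoof_indicators(raw))
```

The Received-chain check is the one a user cannot do from the preview pane, which is why the list above tells you to open the full header: only the bottom-most Received line names the server that first handed the message in.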


Secure Online Transactions Through SSL/TLS

Internet transactions today are highly vulnerable to exploitation by cyber criminals, and online transactions must be handled very carefully to avoid data theft. The Secure Sockets Layer (SSL) encrypts sensitive data during online transactions using strong encryption methods and validation processes. Encryption makes it very difficult for unauthorized people to view the information while it is in transit, which makes your online transaction far more secure.

Almost all websites handling transactions use SSL/TLS to secure them with their clients. All popular browsers have a mechanism to identify the certificate and validate it. When you visit a secure site the browser displays a “lock” icon in its status bar. The address of a secured site begins with https:// rather than http://, where the ‘s’ indicates that the site is using a secure server. In the absence of either of these indicators, it is best to avoid doing online transactions on the site.

Data encryption and SSL/TLS Process
An authenticated website for online transactions gets its SSL/TLS certificate from a Certificate Authority (CA) such as VeriSign. The certificate is installed on the web server hosting the authenticated site.

  • When a user tries to access this authenticated site through a web browser, the browser sends a page request to the web server.
  • The server responds with its SSL certificate.
  • The browser first verifies the certificate, then encrypts the session key seed with the public key from the certificate and sends it to the server.
  • The server sends an indication that all future transmissions are encrypted.
  • Communication between the server and the browser then continues in encrypted form until the connection closes.

Importance of SSL certified sites
The Internet today can be called a wild west. This has become a major obstacle to the growth of e-commerce and online transactions. Making secure online transactions in these conditions requires, above all, privacy and identity assurance. An SSL/TLS certificate gives the user both. The encrypted form of the data protects it from cyber criminals who try to steal information during transactions. Identity assurance is the other major feature of an SSL/TLS certificate: such a certificate is hard for ordinary or illegitimate websites to obtain. However, it is also important that the website is certified by an established CA.

The credibility of SSL/TLS certificate
As mentioned earlier, SSL/TLS certificates are not easy to obtain. They are issued by Certificate Authorities. A Certificate Authority (CA) is usually a well-established entity. Newcomers face significant barriers to entering the SSL/TLS certificate market and to being included in the web browser’s list of trusted “root” SSL/TLS certificates. Thus, while an established CA provides credibility for an SSL/TLS certificate, it is a secure and reliable browser that gives credibility to the CA.

How to validate a website for SSL certificate?
As SSL/TLS certificates are not easy to obtain, cyber criminals use various web programming tricks to fake one of their own. However, we can validate the SSL certificate claimed by a website in a few simple steps:

  1. Open the URL in the browser and make sure that it starts with “https://” rather than “http://”.
  2. When the website has loaded, look for the lock icon. The lock icon is in the upper-right corner in Safari and in the lower-right corner in Firefox and IE; in Google Chrome it is at the right end of the address bar. However, a lock icon alone doesn’t mean that the site is SSL certified.
  3. To validate the SSL certificate, click on the lock icon, which opens a pop-up window with the page info. Click the View Certificate option for further details. This shows the organization the certificate was issued to and the CA that issued it. Check the certificate’s expiry date under Validity -> Not After.
     Image: Invalid SSL Certificate
  4. Always use a high-security browser when doing online transactions. These browsers emerged after the Extended Validation (EV) standard was established by the CA/Browser Forum and can reliably distinguish a valid SSL certificate from an invalid one. IE 7+ and Mozilla Firefox 3+ are examples of high-security web browsers.
     Image: Warning message in Firefox

Many web browsers block the page from loading and show a warning message when they find a website with a suspicious or invalid SSL certificate.
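The manual checks in steps 3 and 4 (who the certificate was issued to, who issued it, whether it has expired, and whether it actually covers the site's name) can be performed programmatically. The following added example is not from the original post: it uses Python's standard ssl module, whose getpeercert() returns certificates as dictionaries, and validates two constructed certificate dictionaries (VALID_CERT and EXPIRED_CERT, made up here with reserved example domains) against a fixed clock SAMPLE_NOW. The fetch_peer_cert() helper shows how the same dictionary would be obtained from a live server with full verification enabled; it is a network call and is not exercised offline.

```python
import calendar
import socket
import ssl
import time

# Fixed "now" for the offline checks: 1 June 2011 00:00:00 UTC (constructed).
SAMPLE_NOW = calendar.timegm((2011, 6, 1, 0, 0, 0))

# Constructed certificate in the dict layout ssl.SSLSocket.getpeercert() uses.
VALID_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc"),),
                (("commonName", "www.bank-domain.example"),)),
    "issuer": ((("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA G2"),)),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "www.bank-domain.example"), ("DNS", "bank-domain.example")),
}

# Constructed certificate that has lapsed and was issued to a different name.
EXPIRED_CERT = {
    "subject": ((("commonName", "*.phisher.example"),),),
    "issuer": ((("commonName", "Example Root CA G2"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
    "subjectAltName": (("DNS", "*.phisher.example"),),
}


def _rdn_value(name, attribute):
    """First value of `attribute` in a subject/issuer tuple, or ''."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return ""


def _dns_match(pattern, hostname):
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def describe(cert):
    """The 'organization' and 'issuing CA' fields a user reads in View Certificate."""
    return {
        "organization": _rdn_value(cert.get("subject", ()), "organizationName"),
        "issued_by": _rdn_value(cert.get("issuer", ()), "commonName"),
        "not_after": cert.get("notAfter", ""),
    }


def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means validity and name check out.
    (Chain trust is verified by the TLS library, not repeated here.)"""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"certificate expired on {cert['notAfter']}")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # fall back to the subject CN, as older browsers did
        names = [_rdn_value(cert.get("subject", ()), "commonName")]
    if not any(_dns_match(name, hostname) for name in names if name):
        problems.append(f"name mismatch: {hostname} is not covered by {names}")
    return problems


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Connect with Python's default context (chain + hostname verification on)
    and return the decoded peer certificate. Network call; not run offline."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe(VALID_CERT), check_certificate(VALID_CERT, "www.bank-domain.example", SAMPLE_NOW))
    print(describe(EXPIRED_CERT), check_certificate(EXPIRED_CERT, "www.bank-domain.example", SAMPLE_NOW))
```

Note that ssl.create_default_context() refuses the connection before getpeercert() is ever reached if the chain does not lead to a trusted root or the name does not match, which is the programmatic equivalent of the browser warning page described above; check_certificate() is for inspecting a certificate you already hold, for example one exported from that warning dialog.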


Beware of Spoofed Websites Online

Website spoofing is one of the deceptive snares used by cyber criminals for phishing. The Internet is still a highly vulnerable place for transactions, and cyber-criminals keep finding new ways to exploit users online. The only way to survive them is through awareness and credible preventive measures.

What are Spoofed Websites?
A spoofed website is usually a replica of a legitimate website. Almost every feature of the site copies the legitimate one, including logos, fonts, colors and structure. In some cases even the URL of the spoofed site is very close to the URL of the legitimate site, so that it is easier to trick visitors.

Techniques used in spoofing:

  • URL Redirection: Web programming makes it possible to redirect one URL to another. Many big companies such as Google and Microsoft use redirection for legitimate business purposes. However, it has also become a phishing tool for cyber criminals. They use a legitimate-looking URL (www.domain.com, for example), but when a visitor tries to open it, it redirects him to a spoofed site (www.phisher.com). A user can identify redirecting URLs by monitoring the location bar of the browser.
  • URL Cloaking: A legitimate-looking URL is used to mask the URL of a spoofed site by means of the ‘@’ symbol. The @ symbol was originally intended as a way to include a username and password in a URL. When a user opens the legitimate-looking URL www.bank-domain.com@phisher.com, for example, it actually takes him to the phishing site www.phisher.com rather than to www.bank-domain.com.
  • URL Masking: An illegitimate phishing site is concealed behind the text of a legitimate site’s URL; web programming has enough attributes to mask a URL easily. A user gets an email from a phisher containing a link whose text is a legitimate site (www.domain.com, for example), but the link is a mask for a spoofed site (www.phisher.com). The deception happens in the status bar of the browser: when you hover the mouse over a link, the status bar should show where the link leads, but the deceptive link is so well hidden that the user cannot see the real destination even there. This is generally done using JavaScript.
  • Typo Scamming: Typos are inevitable when typing on a keyboard. Cyber criminals take advantage of this and register web addresses that resemble the name of a popular, legitimate site. These URLs differ only slightly, by adding, dropping or rearranging letters. For example, the web address of the legitimate site www.bankm.com might be varied as
    • www.banmk.com
    • www.bakm.com
    • www.bankm-online.com
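The four techniques above each leave a trace that can be checked mechanically. The following is an added example, not code from the original post: given the link text a user sees and the real href behind it (what a mail client or the browser status bar has), it flags '@' cloaking, masked links whose visible domain differs from the actual host, redirect parameters that carry another site's URL, and typosquats of a constructed list of domains the reader trusts (KNOWN_DOMAINS, an assumption). The domain names are the page's own examples with phisher.com as the placeholder attacker host.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of domains the user actually banks with (assumption).
KNOWN_DOMAINS = {"bankm.com", "bank-domain.com"}

# Does the visible link text itself look like a URL or host name?
_URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")


def _host(url):
    """Lower-case host of a URL, without any user:pass@ prefix ('' if none)."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.example.com' style text
    return (urlsplit(url).hostname or "").lower()


def _registrable(host):
    """Last two labels, e.g. 'www.bankm.com' -> 'bankm.com' (simplification:
    ignores multi-label public suffixes such as .co.uk)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance; two small words here, so the plain O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(host, known=KNOWN_DOMAINS):
    """Known domains that `host` imitates: the second-level name is within two
    edits of a known name (banmk, bakm) or contains it as a hyphenated word
    (bankm-online). An exact match is not a typosquat."""
    registrable = _registrable(host)
    name = registrable.split(".")[0]
    hits = []
    for candidate in known:
        if registrable == candidate:
            continue
        known_name = candidate.split(".")[0]
        if levenshtein(name, known_name) <= 2 or known_name in name.split("-"):
            hits.append(candidate)
    return sorted(hits)


def analyze_link(visible_text, href, known=KNOWN_DOMAINS):
    """Return 'kind: detail' findings for one link; an empty list means nothing odd."""
    findings = []
    parts = urlsplit(href)
    actual = (parts.hostname or "").lower()

    # Cloaking: everything before '@' is user-info, not the host the browser visits.
    if parts.username is not None:
        findings.append(f"cloaked: '{parts.username}@' is user-info; real host is {actual}")

    # Masking: the text shows one domain, the href goes to another.
    shown = _host(visible_text) if _URL_LIKE.fullmatch(visible_text.strip()) else ""
    if shown and _registrable(shown) != _registrable(actual):
        findings.append(f"masked: text shows {shown} but link goes to {actual}")

    # Redirection: a query parameter whose value is a URL on a different site.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            target = _host(value) if "://" in value else ""
            if target and _registrable(target) != _registrable(actual):
                findings.append(f"redirect: parameter {key!r} forwards to {target}")

    # Typo scamming: the real host imitates a domain the user trusts.
    for candidate in typosquat_candidates(actual, known):
        findings.append(f"typosquat: {actual} resembles {candidate}")
    return findings


if __name__ == "__main__":
    print(analyze_link("www.bank-domain.com", "http://www.bank-domain.com@phisher.com/login"))
    print(analyze_link("www.bankm.com", "http://www.banmk.com/"))
    print(analyze_link("www.bank-domain.com", "http://www.bank-domain.com/go?url=http://phisher.com/"))
    print(analyze_link("Click here", "https://www.bankm.com/login"))
```

The masking check is only as good as the text it is given: if the status bar has been overridden with JavaScript, as the bullet above describes, the reliable source for `href` is the message source or the page's DOM rather than what the bar displays.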

Why beware of spoofed sites?
Spoofed websites are the actual sources of phishing. The phisher’s main job is to convince the visitor that the spoofed site is legitimate. From then on it is the visitor who submits his information to the phisher, unknowingly. It can be his bank username and password, or any other information of economic value.

Cyber criminals also use spoofed websites to deploy malware onto the visitor’s PC, making it part of their botnet.

Precautions to take to avoid being a victim of spoofed sites

  • Avoid using sites that do not have an SSL/TLS certificate when banking, buying, selling, transferring money or using credit/debit cards online.
  • Make it a habit to check the SSL/TLS certificate’s validity every time you visit a site before making a financial transaction, by clicking on the lock icon.
  • Never click a hyperlink to reach a website for a financial transaction unless you are CERTAIN that it is a legitimate link.
  • Type the URL yourself, use credible search engine results, or copy and paste it from your own records.
  • Do not use the same username and password for all your online logins.
