October 31, 2014

Phishing and cyber-attacks likely to rise during the World Cup

(LiveHacking.Com) – As is often the case with large, well-known events, cyber-criminals and spammers will be using the World Cup as a chance to steal more personal information and disrupt services in “cyber protests.”

According to TrendLabs, phishing campaigns have intensified and are even targeting Brazilian nationals in an attempt to steal from them during the fervor of the World Cup. Typical campaigns try to solicit information such as credit card numbers or personally identifiable information (including name, date of birth and even national identity numbers) from unsuspecting victims. This data is later sold on the black market.

The example given by TrendLabs was for a $2.2 million lottery. As with legitimate lotteries, you need to pay to enter. Since the lottery is a scam, the credit card details entered are harvested for sale. TrendLabs has identified more than 80,000 people whose credentials have been stolen. Of those, 83% had email addresses from providers with domain names in the .br top-level domain.

But it isn’t only phishing that will be increasing during the World Cup. According to reports by Reuters, the hacker group Anonymous is preparing cyber-attacks on the corporate sponsors of the World Cup.

“We have already conducted late-night tests to see which of the sites are more vulnerable,” said the hacker who operates under the alias of Che Commodore. “We have a plan of attack.”

The threats by Anonymous and the increased amount of phishing are just another problem for the Brazilian government. The event has been marred by delays in the building of the stadiums and widespread discontent among Brazilians over the excessive cost of hosting the event in the country.

Recently Anonymous attacked Brazil’s Foreign Ministry computer networks and leaked dozens of confidential emails. In what is a massive security breach, Anonymous posted 333 Foreign Ministry documents, including briefing documents for talks between Brazilian officials and U.S. Vice President Joe Biden, and a list of sports ministers who plan to attend the World Cup.

The World Cup 2014 kicks off on 12 June with a game between hosts Brazil and Croatia. The event continues until Sunday 13 July when the final will be held in Rio de Janeiro.

Anonymous planning lots of activity for November 5th

(LiveHacking.Com) – Since the mascot of the Anonymous hacking group is a stylised mask of Guy Fawkes, a member of a group of provincial English Catholics who planned the failed Gunpowder Plot of 1605; since today is November the 5th, the night on which the British traditionally celebrate the failed plot by lighting bonfires and setting off fireworks; and since it has said as much, the Anonymous hacking group is planning multiple hacking activities today.

And it looks like it has already started. ZDNet is reporting on claims circulating among hackers, some connected with Anonymous and some not, of dumped user and employee account information from PayPal and Symantec. There are also reports of defacements of Saturday Night Live’s website and Australian government websites.

According to the various Twitter accounts related to Anonymous, today could see more hacks and database/document dumps. News of the hacking spree is being published on Twitter, Facebook, YouTube, and Pastebin.

The November the 5th protests are focusing on the emerging TrapWire and INDECT technologies, both of which are designed to collate data and predict or find criminal behavior. Very much like the supercomputer depicted in the ‘Person of Interest’ TV show, INDECT, a research project being carried out by several European universities, aims to automatically detect criminal threats through processing of CCTV camera data streams, while TrapWire is meant to be a ‘counter-terrorism’ technology designed to find patterns indicative of terrorist attacks. It was mentioned by WikiLeaks as software that facilitates intelligence-gathering on citizens, using surveillance technology, incident reports, and data correlation from law enforcement agencies.

Anonymous is calling on people in the UK to march on the Houses of Parliament (albeit peacefully and unarmed). It says that this is the centrepiece of a worldwide operation of global strength and solidarity, a warning to all governments worldwide that if they keep trying to censor, cut, imprison, or silence the free world or the free internet, they will not be governments for much longer.

As part of the activities, Anonymous has claimed to have breached the Organization for Security and Co-operation in Europe (OSCE), the world’s largest security-oriented intergovernmental organization, with a mandate that includes issues such as arms control and the promotion of human rights, freedom of the press and fair elections.

Due to timezones, Anonymous Australia seems to be the most active at this time.

In brief: GoDaddy outage was not due to hacking

(LiveHacking.Com) – As reported yesterday, GoDaddy suffered an interruption to its services on Monday starting shortly after 10 a.m. PDT. The company, which is one of the world’s biggest domain registrars and web hosts, managed to restore full services by 4 p.m. PDT. It was thought that the downtime was due to a denial of service attack after a user on Twitter, who claimed to be an official member of the hacking group Anonymous, took sole responsibility for the alleged attack, stating, “was only me not the Anonymous [collective]”.

However, GoDaddy has now completed its investigation and is reporting that the incident was not related to a “hack”.

“The service outage was not caused by external influences. It was not a ‘hack’ and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again,” said Scott Wagner, CEO of GoDaddy, in a statement.

What happens when a big web hosting service has troubles – Did Anonymous hack GoDaddy?

(LiveHacking.Com) – GoDaddy suffered an outage yesterday that left millions of users frustrated. The cause of the outage, which lasted about four hours, has yet to be confirmed by GoDaddy, but a hacker known as @AnonymousOwn3r has claimed sole responsibility for the alleged attack, stating, “was only me not the Anonymous [collective]”. According to his Twitter profile, AnonymousOwn3r is an official member of Anonymous.

GoDaddy, which is one of the world’s largest web hosting providers and domain registrars, first mentioned a problem on Twitter just after 1:30 p.m. ET; the tweet said “Status Alert: Hey, all. We’re aware of the trouble people are having with our site. We’re working on it.”

GoDaddy’s main website also went down for a short time with the message:

We are experiencing problems. We understand this is impacting some customers and we take this situation very seriously. Everyone at GoDaddy.com is working to restore all sites affected by this outage as soon as possible.

After some 7 hours, the GoDaddy Twitter account was updated: “Most customer hosted sites back online. We’re working out the last few kinks for our site & control centers. No customer data compromised.”

The key to that statement was that no customer data was compromised. From this we can ascertain that the attack was a denial of service attack and not a security breach. According to ZDNet, the problem was that GoDaddy’s DNS servers were not resolving, which took many websites offline. Even if a site wasn’t hosted by GoDaddy but GoDaddy was its domain registrar, the site itself became unavailable.

Of course, the people hit the hardest by this attack are the website owners themselves. GoDaddy has a large engineering staff dedicated to keeping its servers up and running. But as Darnell Clayton, a normal web user, mentioned in a tweet to AnonymousOwn3r, not only was his site down, “but so are millions of struggling small biz owners.” I don’t think that those who lost potential income, bread taken from the mouths of their children, will find any pleasure in AnonymousOwn3r’s skill set.

Anonymous Moves Against Multiple UK Government Websites with DDoS Attack

(LiveHacking.Com) – The hacker group Anonymous has attacked three UK government websites, including the Prime Minister’s site, in a protest about the extradition of British citizens to the USA and about a proposed new law to increase the surveillance powers of the British state. The so-called hacktivists disrupted traffic through a series of distributed denial of service (DDoS) attacks, designed to take the websites offline by flooding them with more traffic than they can handle. The sites attacked were homeoffice.gov.uk (Home Office), number10.gov.uk (Prime Minister’s Office) and justice.gov.uk (Ministry of Justice). By Sunday morning all the sites appeared to be functioning normally again.

It appears that the attacks were in response to a proposed new law that would allow the British government to conduct some trials in secret and allow authorities to track the phone calls, emails, text messages and online activity of everyone in the country.

The group took credit for the attack in a series of tweets (here, here and here) which specifically mention the UK’s proposed “draconian surveillance proposals” and “derogation of civil rights.”

The attack could be considered quite courageous, especially in light of recent efforts by global law enforcement agencies to crack down on the group’s cyber protests. Sophos noted on its blog that “other hacktivists who have launched DDoS attacks against websites belonging to British authorities have been arrested in recent history, and are currently facing trial.”

In a separate attack, the group targeted the website of the US House of Representatives but failed to prevent access.

DDoS Attack Tool Comes to Android

(LiveHacking.Com) – McAfee has reported that the common Low Orbit Ion Cannon (LOIC) denial of service (DoS) tool has been ported to Android. ‘Ported’ might be too strong a word, as this mobile device version is in fact a wrapper around the JavaScript version. Nonetheless, this is an interesting advancement in the ubiquity of hacking tools.

Hacktivism (hacking as political or social protest) is becoming increasingly popular, with groups like Anonymous using hacking tools to launch distributed denial of service attacks on organizations all over the world. LOIC, one such tool used by the hackers, was originally developed to stress-test websites; however, it has now been effectively used by hackers to take websites offline by sending a flood of TCP/UDP packets which overwhelms the server and makes it inaccessible.

Originally written in C#, LOIC inspired the creation of an independent JavaScript version. This version allowed a DoS attack to be launched from a web browser. In conjunction with PasteHTML, which allows anyone to post HTML onto the web anonymously (no pun intended), and the free AppsGeyser service, which converts web pages into an app, an Android app has been created which encapsulates the JavaScript version of LOIC. Specifically, the version spotted by McAfee targets the Argentinian government, but theoretically an Android app can be created to attack any website. When the app is launched, a WebView component is used to run the JavaScript, which sends 1,000 HTTP requests with the message “We are LEGION!” as one of the parameters.

“Creating Android applications that perform DoS attacks is now easy: It requires only the URL of an active web LOIC–and zero programming skills–thanks to automated online tools,” wrote Carlos Castillo for McAfee.

Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – Following my blog post about Anonymous releasing the source code for pcAnywhere, Symantec has contacted us here at LiveHacking.com with further details of the events leading up to the uploading of the source code. Symantec is underlining the following things:

  1. Symantec did NOT offer a bribe to Anonymous. Anonymous tried to extort Symantec for money to withhold posting of additional source code. (As a point of clarification – I didn’t say that Symantec offered a bribe and have never implied it; the original blog post said that the hacker YamaTough asked for $50,000 not to release the source code.)
  2. The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement.
  3. Once Symantec saw that it was a clear cut case of extortion, they contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.

“The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved,” said Cris Paden of Symantec in his email to us.

Anonymous Releases Source Code for pcAnywhere [Updated]

Update: Symantec has contacted us here at LiveHacking.com with the following correction: the e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement. For more details see Symantec Working with Unnamed Law Enforcement Agency.

(LiveHacking.Com) – The hacking group Anonymous has tweeted that it has released the source code of Symantec’s pcAnywhere on The Pirate Bay. The release of the software seems to have come after a set of emails between a law enforcement agency (masquerading as Symantec) and the hacker YamaTough. The hacker tried to extort money from Symantec when he asked for $50,000 not to release the source code. According to the email exchange, the negotiations ended when the hacker gave the law enforcement agency (masquerading as Symantec) a 10 minute ultimatum: “we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus.” To which the law enforcement agency (masquerading as Symantec) replied “We can’t make a decision in ten minutes.  We need more time.”

It seems that this then prompted the release of the source code. We spoke with a security expert who has downloaded the archive of the source code, and his initial impression is that the release is genuine. According to our expert (who wishes to remain unnamed due to fears of possible reprisals by Symantec), the archive contains the following directories:

AccessServer
CE_Remote
CM
Development
InfoDev
Java_Remote
LU_Patches
Mac_ThinHost
RAPS
SCA
Shared
Tivoli
Unix_Host
pcA-NG
pcAnywhereExpress
pca32
pca_LiveState_2.0
pca_ONiCommand_3.0
r12.0-M1

The Development directory contains documentation, including a document called “Programming Style Guide” which is marked as “Symantec Confidential” and pertains to “pcAnywhere / Decomposer / Packager”. The “pca32” project seems to contain source code with valid Microsoft Visual Studio project files.

According to ComputerWorld, there is no official word yet from Symantec, as “it happened so recently that we’re still in the process of analyzing and won’t be able to confirm until the morning.”

US-Cert Warns of On-going Denial-of-Service Attacks by Anonymous

(LiveHacking.Com) – The United States Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS), has issued a warning about on-going distributed denial-of-service attacks against different government institutions in both the USA and the EU. According to the reports, these attacks are being attributed to the hacker group Anonymous.

Recent attacks by the group include:

  • Several Polish government websites, including those of the Prime Minister, the President and Parliament. A Polish branch of Anonymous has already claimed responsibility for the attacks.
  • The European Parliament website, which came under cyber attack on Thursday.
  • The Irish Department of Justice website and the sites of several large financial institutions.
  • Other targets in the last week have included Universal Music, the U.S. Department of Justice and the Recording Industry Association of America.

The attacks are motivated either by the recent shutdown of the Megaupload site or by the signing of the international Anti-Counterfeiting Trade Agreement (ACTA).

US-CERT encourages users and administrators to do the following to reduce the risk associated with this and other malware campaigns:

Global Intelligence Company Hit by Anonymous. Or Was it?

(LiveHacking.Com) – The hacking group known as Anonymous says it has stolen emails, passwords and credit card information from the Texas-based security think-tank Strategic Forecasting, Inc. (Stratfor). According to the BBC, an alleged member of Anonymous posted an online message claiming that the group had used Stratfor clients’ credit card details to make “over a million dollars” in donations to different charities.

Stratfor’s website was defaced with the message “merry lulzxmas! are you ready for a week of mayhem? H0h0h0h0h0.” In response, Stratfor took down its website and suspended email processing. The company, which provides independent analysis of international affairs and security threats, sent an e-mail to subscribers on Sunday:

“On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.”

However, in a bizarre twist, another posting appeared from Anonymous saying “hackers claiming to be Anonymous have distorted this truth in order to further their hidden agenda”.

“The leaked client list represents subscribers to a daily publication which is the primary service of Stratfor. Stratfor analysts are widely considered to be extremely unbiased. Anonymous does not attack media sources,” said Anonymous via an emergency Christmas Anonymous press release.