I first saw the warning about this Twitter phishing campaign from @JanneFI. A quick search on Twitter for the phrase “haha this tweet about you is nasty” returned thousands of tweets containing phishing links. When I first tested one of the shortened URLs with urlQuery, it served a fake Twitter login page with the message “Your session has timed out, please re-login”.
I did another quick search a few minutes ago and tried to access more of the shortened URLs. These URLs have now been flagged by Google Chrome as phishing websites and are no longer accessible. However, there is still ZERO detection when the URLs are tested on VirusTotal.
Some of the shortened URLs:
Be aware! Do not click on any suspicious link, even if it comes from someone you follow. Make sure you have a strong password for your Twitter account, and do not install any unknown apps linked to your Twitter account.
Yeah, Twitter spam is a never-ending story…
A Facebook scam is going viral, and it targets Malaysian users specifically with an attractive tag line – CARA MENGETAHUI PASSWORD TEMAN (Ways to know your Friend’s Password). The scammer is exploiting Facebook users’ curiosity about their friends’ passwords.
Through the post, the scammer “teaches” Facebook users to obtain their friends’ passwords by running a set of code from Pastebin in the browser console. I have gone through the code and found that it manipulates Facebook LIKE and FOLLOWING.
I then executed the code with a Facebook account, and here are my observations:
(1) An image from http://i43%5Bdot%5Dtinypic%5Bdot%5Dcom/2r41oph%5Bdot%5Djpg turned into my Facebook’s background
(2) I am now following THREE Facebook users and THREE Facebook lists.
One thing these 3 Facebook users have in common is a huge number of followers. According to their profiles, they are all teenagers from secondary school. Indeed, it is questionable how they could attract such a big group of followers. (Note: one of them has 67,000 followers.)
It is noteworthy that I got the message “The content is no longer available” when I executed the code. I checked with my friend who also ran the code, and she told me that everyone on her friend list had been mentioned by her in the comments under the scam post (without her knowing).
Wondering what the motivation behind this scam is?
I believe these guys are earning money via Facebook pages. An impressive number of followers on your Facebook page may lead to impressive financial gain.
Indicators – C&C Callback
So far I can’t see the motivation behind this attack. What the attackers are trying to convey is:
(1) The victim’s security is LOW!
~In general, our security awareness is LOW! Security is not a big concern for people here.~ *Sad*
(2) Don’t accuse the hackers of hacking the government and stealing money.
~I can’t find any related news on this.~
(3) They want to tell people where the money has gone.
~You still haven’t told me where the money has gone.~
What do they actually want???
Some of the websites which have been victims are as follows:
When I checked further, most of the sites are powered by a CMS such as Joomla or WordPress.
Seems like CMS is still the hackers’ favourite, especially WordPress!
According to the message from Gbs Aremiey and J3bat Durh4ka on the defaced page, they will most probably launch the attack again on October 20, 2013:
So guys, be prepared!
If we think early detection is the solution, then we are very wrong!
Even if you manage to recover from the web defacement within 5 minutes, you are still too late, because I only need a few seconds to take a screenshot, and a few more seconds to share it (via Facebook, Twitter and whatever else) with the world.
If I fail to catch the screenshot, Google’s cached pages or Zone-H are always there to help!
Note: #OpsFitnah (Fitnah is a Malay word, it means slander)
Yes, in the latest Security Advisory (2887505) published on September 17, 2013, Microsoft said it is investigating a new vulnerability which affects all supported versions of Internet Explorer. It is a remote code execution vulnerability tracked as CVE-2013-3893.
So far we are not seeing any PoC or exploit code publicly available. However, Qualys reported that “The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much.” “The attack is very much targeted and geographically limited to Japan”, Wolfgang Kandek of Qualys added.
Still, it is time to apply the Fix It solution “CVE-2013-3893 MSHTML Shim Workaround” to prevent exploitation of this remote code execution bug.
As usual, there are a few rules from Emerging Threats for detection purposes.
2017477 – ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass (web_client.rules)
2017478 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
2017479 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
2017480 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
These rules are available for download here.
September 17, 2013 somehow reminded me of another IE zero-day shared by Eric Romang back on September 16, 2012.
Is an IE 0day just part of IT life?
September 30, 2013: Metasploit released an exploit module for CVE-2013-3893 (IE SetMouseCapture Use-After-Free).
Great report by Citizen Lab on FinSpy. Have a look at your logs based on the info below:
Here is a simple Python script which outputs only the American Standard Code for Information Interchange (ASCII) text from a hex dump (a hexadecimal view of computer data). In addition, it includes a URL decode function. Personally, I find this script very useful for analysis, e.g. identifying the SQL injection parameter in payloads captured by Snort.
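The script itself is not reproduced here, so the following is an added example of the same pipeline (hex dump to printable ASCII, then URL decode), written for this post and not the author’s own code. It assumes Snort-style dump lines (`0x0010: 47 45 ...  GET ...`) but also accepts xxd and Wireshark offsets, and the sample dump is a constructed HTTP request carrying a URL-encoded SQL injection probe.

```python
import re
from urllib.parse import unquote

# Offset column at the start of a dump line: Snort "0x0010:", xxd "00000010:", Wireshark "0010  ".
_OFFSET_RE = re.compile(r"^\s*(?:0x[0-9A-Fa-f]+|[0-9A-Fa-f]{4,8}):?\s+")
# One hex-column token: "47" (Snort/Wireshark) or "4745" (xxd groups two bytes per token).
_HEX_TOKEN_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def hexdump_to_bytes(dump: str) -> bytes:
    """Recover the raw bytes from a hex dump, ignoring the offset column and the ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        line = _OFFSET_RE.sub("", line, count=1)
        # The ASCII gutter is separated from the hex column by two or more spaces; keep the hex side.
        hex_part = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0]
        for token in hex_part.split():
            if not _HEX_TOKEN_RE.match(token):
                break  # first non-hex token means we ran into a single-spaced gutter
            out += bytes.fromhex(token)
    return bytes(out)

def printable_ascii(data: bytes) -> str:
    """Keep printable ASCII (0x20-0x7E) plus tab and newline; drop every other byte."""
    return "".join(chr(b) for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A))

def url_decode(text: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads such as %2527 are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def decode_dump(dump: str) -> str:
    """Hex dump -> printable ASCII -> URL-decoded string, the pipeline described in the post."""
    return url_decode(printable_ascii(hexdump_to_bytes(dump)))

# Constructed Snort-style dump (not a real capture) of a GET request with an encoded SQLi probe.
SAMPLE_DUMP = """\
0x0000: 47 45 54 20 2F 69 6E 64 65 78 2E 70 68 70 3F 69  GET /index.php?i
0x0010: 64 3D 31 25 32 37 25 32 30 4F 52 25 32 30 31 25  d=1%27%20OR%201%
0x0020: 33 44 31 2D 2D 20 48 54 54 50 2F 31 2E 31 0D 0A  3D1-- HTTP/1.1..
"""

if __name__ == "__main__":
    print(decode_dump(SAMPLE_DUMP))
```

Feed it the `-X`/`-d` packet dump from a Snort alert and the decoded request shows the injected parameter value in clear text.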