Looks like spammers continue to abuse the #MH370 issue for their malicious purposes. Currently we are observing a malicious tweet going viral among Twitter users.
The tweet contained the question “MH370 In Maladewa ?” followed by the malicious link and a random number with * in front. Clicking the link leads to a page that asks us to authorize HootSuite to use our account. Of course, it then lures us into keying in our username or email and password. I checked the link on VirusTotal, and so far only ParetoLogic has flagged it as a Malware Site.
Since the first day MH370 was reported missing, we have seen a few attacks which abused #MH370:
Fake Malaysia Airlines links spread malware
Beware of new Facebook Malware Claims, ‘Malaysia Plane MH370 Has Been Spotted”
Beware: Missing Malaysian Flight Malware Is a Thing
Please be more careful online.
MH370, a Boeing 777 belonging to MAS and bound from KL to Beijing, went missing on 8 March with 239 people on board. An extensive search is ongoing, but there has been no positive result so far. Yesterday there was a rumour that Maldives islanders claimed to have spotted a ‘low-flying jet’. Based on the latest PC, Malaysia’s Chief of Defence Forces has contacted his counterpart in the Maldives, and the sightings in the Maldives were confirmed untrue.
I first saw the warning regarding this Twitter phishing campaign from @JanneFI. I ran a quick search on Twitter with the keyword “haha this tweet about you is nasty” and got thousands of tweets containing phishing links. When I first tested a shortened URL using urlQuery, it returned a fake Twitter login page with the message “Your session has timed out, please re-login“.
I did another quick search a few minutes ago and tried to access more of the shortened URLs. These URLs have since been flagged by Google Chrome as phishing websites and are no longer accessible. However, there is still ZERO detection when the URLs are tested on VirusTotal.
Some of the shortened URLs:
Be aware! Do not click on any suspicious link, even if it comes from someone you follow. Make sure you have a strong password for your Twitter account, and do not install any unknown apps linked to your Twitter account.
Yeah, Twitter spam is a never-ending story…
A Facebook scam is going viral, targeting Malaysian users specifically with an attractive tagline – CARA MENGETAHUI PASSWORD TEMAN (Ways to Know Your Friend’s Password). The scammer is exploiting Facebook users’ curiosity about their friends’ passwords.
Through the post, the scammer “teaches” Facebook users to obtain their friends’ passwords by running a set of code from Pastebin in the browser console. I ran through the code and found that it manipulates Facebook LIKE and FOLLOWING.
I then executed the code via a Facebook account, and here are my observations:
(1) An image from http://i43%5Bdot%5Dtinypic%5Bdot%5Dcom/2r41oph%5Bdot%5Djpg became my Facebook background.
(2) I am now following THREE Facebook users and THREE Facebook lists.
One thing these 3 Facebook users have in common is a huge number of followers. According to their profiles, they are all teenagers from secondary school, so it is questionable how they attracted such a big group of followers. (Note: one of them has 67,000 followers.)
It is noteworthy that I got the message “The content is no longer available” when I executed the code. I checked with my friend who also ran the code, and she told me that all the friends in her friend list had been mentioned by her in comments under the scam post (without her knowing it).
Wondering what the motivation behind this scam is?
I believe these guys are earning money via Facebook pages. An impressive number of followers on your Facebook page may lead to impressive financial gain.
Indicators – C&C Callback
So far I can’t see the motivation behind this attack. What the attackers are trying to convey is:
(1) The victim’s security is LOW!
~In general, our security awareness is LOW! Security is not a big concern for people here.~ *Sad*
(2) Don’t accuse the hackers of hacking the government and stealing money.
~I can’t find any related news on this.~
(3) They want to tell people where the money had gone.
~You still haven’t told me where the money has gone.~
What do they actually want???
Some of the websites which have been victims are as follows:
When I checked further, most of the sites are powered by a CMS such as Joomla or WordPress.
It seems CMSs are still hackers’ favourite, especially WordPress!
According to the message from Gbs Aremiey and J3bat Durh4ka on the defaced page, they will most probably launch the attack again on October 20, 2013:
So guys, be prepared!
If we think early detection is the solution, then we are TOO wrong!
Even if you manage to recover from the web defacement within 5 minutes, you are still too late, because I only need a few seconds to take a screenshot and a few more seconds to share it (via Facebook, Twitter and whatever else) with the world.
If I fail to catch the screenshot, Google cached pages or Zone-H are always ready to help!
Note: #OpsFitnah (Fitnah is a Malay word, it means slander)
Yes, in the latest Security Advisory (2887505), published on September 17, 2013, Microsoft said it is investigating a new vulnerability which affects all supported versions of Internet Explorer. It is a remote code execution vulnerability, tracked as CVE-2013-3893.
So far we are not seeing any PoC or exploit code available. However, Qualys reported that “The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much.” “The attack is very much targeted and geographically limited to Japan”, Wolfgang Kandek of Qualys added.
Still, it is time to apply the Fix It solution “CVE-2013-3893 MSHTML Shim Workaround” to prevent exploitation of this remote code execution bug.
As usual, there are a few rules from Emerging Threats for detection purposes.
2017477 – ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass (web_client.rules)
2017478 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
2017479 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
2017480 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
These rules are available for download here.
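A quick way to confirm the four CVE-2013-3893 signatures above are actually present and enabled in a deployed web_client.rules file, as an added example and not code from the post or from Emerging Threats. The sample rule text is constructed for this example: only the SIDs and msg strings come from the list above, and the content matches are placeholders, not the real ET signatures.

```python
import re

# Constructed excerpt of a Snort/Suricata rules file. SIDs and msg strings are
# taken from the post; the match bodies are placeholders, not the real ET rules.
SAMPLE_RULES = r'''
# ET web_client.rules (constructed excerpt for this example)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; content:"PLACEHOLDER"; classtype:attempted-user; sid:2017477; rev:1;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; content:"PLACEHOLDER"; classtype:attempted-user; sid:2017478; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; content:"PLACEHOLDER"; classtype:attempted-user; sid:2017479; rev:2;)
'''

# The four ET SIDs listed in the post for CVE-2013-3893.
EXPECTED_SIDS = {2017477, 2017478, 2017479, 2017480}

# A rule line is optionally commented out ("#") and starts with an action keyword;
# everything inside the outermost parentheses is the option list.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+.*?\((?P<opts>.*)\)\s*$')


def parse_rules(text):
    """Return {sid: {"enabled": bool, "msg": str, "rev": int}} for every rule line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and plain comments are not rules
        opts = m.group("opts")
        sid = re.search(r'\bsid:\s*(\d+)\s*;', opts)
        if not sid:
            continue  # a rule without a sid cannot be tracked
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        rev = re.search(r'\brev:\s*(\d+)\s*;', opts)
        rules[int(sid.group(1))] = {
            "enabled": m.group("disabled") is None,  # leading "#" means disabled
            "msg": msg.group(1) if msg else "",
            "rev": int(rev.group(1)) if rev else 0,
        }
    return rules


def coverage_report(rules, expected=EXPECTED_SIDS):
    """Classify each expected SID as enabled, disabled (commented out) or missing."""
    report = {"enabled": [], "disabled": [], "missing": []}
    for sid in sorted(expected):
        if sid not in rules:
            report["missing"].append(sid)
        elif rules[sid]["enabled"]:
            report["enabled"].append(sid)
        else:
            report["disabled"].append(sid)
    return report


if __name__ == "__main__":
    for state, sids in coverage_report(parse_rules(SAMPLE_RULES)).items():
        print(f"{state:8s}: {sids}")
```

Point parse_rules at the real web_client.rules on the sensor; any SID reported as disabled or missing means the ruleset update or the local disable list needs attention.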
September 17, 2013 somehow reminded me of another IE zero-day shared by Eric Romang back on September 16, 2012.
Is an IE 0day part of IT life?
September 30, 2013: Metasploit released an exploit module for CVE-2013-3893 (IE SetMouseCapture Use-After-Free).
Great report by Citizen Lab on FinSpy. Have a look into your logs based on the info below: