The domains were used in an IRS phishing fraud attack, as it is tax season in the US.
So if you see subdomains like IRS.GOV.yourdomainname.whatever/fraud (or similar) popping up anywhere on your hosting platform or site,
you have been hacked and you are being used to defraud US citizens and small businesses.
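As an added defender-side check (not code from the original post), the script below scans a constructed zone-file excerpt for hostnames that put a brand name such as irs.gov in front of your own registered domain, which is exactly the pattern described above; the domains, zone records and watchlist are all assumptions.

```python
"""Flag brand look-alike subdomains (irs.gov.<yourdomain>) planted inside your own DNS zones.
Added example; the zone excerpt, domains and watchlist below are constructed, not real data."""

# Labels that have no business appearing left of your registered domain.
# Constructed watchlist: tax-season phishing brands plus the usual lure words.
WATCHLIST = {"irs.gov", "irs", "paypal", "login", "secure", "update"}

OWN_DOMAINS = ["example.be", "example.eu"]          # assumption: zones you operate

# Constructed zone-file excerpt: legitimate hosts plus two injected phishing hosts.
ZONE = """\
$ORIGIN example.be.
@          IN  SOA   ns1.example.be. hostmaster.example.be. (2010032501 3600 900 604800 86400)
www        IN  A     192.0.2.10
mail       IN  MX 10 mail.example.be.
irs.gov    IN  A     198.51.100.7
secure.login.example.be. IN  CNAME  www
"""

def zone_hostnames(zone_text, origin):
    """Return FQDNs of the owner names in a zone excerpt (relative names get the origin)."""
    names = []
    for line in zone_text.splitlines():
        if not line or line[0] in " \t;$@":      # continuation, comment, directive, apex
            continue
        owner = line.split()[0].lower()
        names.append(owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}")
    return names

def subdomain_part(host, own_domains):
    """Labels left of our registered domain, or None when the host is not in our zones."""
    for dom in sorted(own_domains, key=len, reverse=True):
        if host.endswith("." + dom):
            return host[: -len(dom) - 1]
    return None

def watchlist_hits(subdomain):
    """Watchlist tokens found as single labels or as adjacent label pairs ('irs' + 'gov')."""
    labels = subdomain.split(".")
    pairs = {a + "." + b for a, b in zip(labels, labels[1:])}
    return sorted((set(labels) | pairs) & WATCHLIST)

def scan(hosts, own_domains=OWN_DOMAINS):
    """Map each suspicious host to the watchlist tokens it impersonates."""
    findings = {}
    for h in hosts:
        sub = subdomain_part(h, own_domains)
        if sub:
            hits = watchlist_hits(sub)
            if hits:
                findings[h] = hits
    return findings

if __name__ == "__main__":
    for host, hits in scan(zone_hostnames(ZONE, "example.be")).items():
        print(f"ALERT {host}: impersonates {', '.join(hits)}")
```

Run it against the owner names of your real zones (or the Host headers in your web-server logs) to catch a subdomain a hacker has added without touching the main site.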
Just a reminder that .be is a national Belgian domain name under national Belgian law, and in that case you can be held accountable if you do nothing or act much too late.... You would be the first, but who knows....
My other question is of course how banks and others treat the information afterwards. Do they get the logs of the phishing websites used, to see which clients were defrauded and how? Does anybody do any follow-up? Or is it just reactive, waiting for someone to contact the offices to tell them they have been ripped off?
Tomorrow the .ru domain closes for international crime gangs without a base in Russia itself, and as real identification will now be necessary it will become more risky for them.
The .cn domain is already more closed to them.
We said that the .be and .eu domains will be the next one because
* they are cheap
* they are trustworthy at first sight
* there is no real, hard identity check
* they have been used before with success in these networks
So by monitoring the Arbor Networks list it was clear that
* there is a spurt of .ru domains, as it is the last day
* other domains such as .kr, .pl and .co.uk are also being used by fast-flux networks
* and .be is back in the list
Luckily we have (had) a quick way to take them down immediately at the root, but it is clear that in this new context controls and limits will have to be set up to make sure that one doesn't keep running after the facts all the time, instead of blocking fraudulent international purchases from the beginning of the process.
It is the only way to avoid having to invest considerable resources in the long run to clean up the mess, with a long-lasting reputation loss for the .be domain extension as a whole.
Because if this registration is not fraudulent, then I will have to go back to school. Another question is how the registrar company itself didn't see it: the country was Italy but the address was in the US, the e-mail address was stupid, and so on.
- If you have no alternative (such as using encryption software) and urgently need to discuss confidential matters over a mobile phone:
- cover your mouth so you can't be lip-read
- choose a location where you can't be overheard
- talk quietly and be brief
- use code words
- split information across different channels (e.g. refer to e-mails or send texts etc. so that the information is incomplete and meaningless on its own)
http://censored31.skynetblogs.be/ is made by what calls itself the "Center for Research and Islamic intelligence" but by all appearances is an international English-language blog reporting directly in favour of holy war. It is linked with a number of other international jihad blogs and forums like this one
The problem with the blog is that instead of having only good articles and analyses, which you can appreciate even if you don't agree, they are mixed with videos and other material about martyrdom, terrorism and jihad in which there is no doubt about the essence of the message. Which is a pity, but it makes the blog even more dangerous by mixing research and jihad. It is even a mix of werkgroep zonhoven paranoia, anti-polio hysteria and other master conspiracy theories that are invading the 'real truth' web. But this doesn't mean that the jihad part of its message is acceptable.
And with quotes like these, what would you think about the message of the blog?
O Allah, make them and their weaponry a booty for the Mujahideen
O Allah, you are our support and you are our only Victor; by your order we attack; by your order we retreat and by your order we fight
O Allah, the sky is yours; the earth is yours; the sea is yours, so whatever forces they have in the sky, drop them. Destroy all their forces in earth and sink all their forces in sea
O Allah, deal with them for verily they can never disable you
O Allah, retaliate upon them, afflict them like you did to Pharaoh and his nation
O Allah afflict their country with floods, make them in need of money and food and persons
O Allah defeat them, destroy them O the All-Strong, the All-Mighty
"Honor, Power and Glory belong to Allah, His Messenger and the believers, but the hypocrites know not"
Don't we have Belgian soldiers over there, and their families over here? Is Skynetblogs not part of Belgacom, a semi-public enterprise? And is this not HATE?
So why is this kind of stuff accepted over here, even if it is contrary to the conditions of use?
Apple has released a bunch of security updates.
VMware has also released a new bunch.
Tomorrow a bulletin for a whole series of critical holes in Internet Explorer 6 and 7 (including non-published ones) will be released. Go to http://updates.microsoft.com
This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on March 30, 2010. The bulletin is being released to address attacks against customers of Internet Explorer 6 and Internet Explorer 7. Users of Internet Explorer 8 and Windows 7 are not vulnerable to these attacks. The vulnerability used in these attacks, along with workarounds, is described in Microsoft Security Advisory 981374. The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.
It is clear that the online reputation of your business stands or falls with your online security, especially if you are in the security, risk and reputation business
so if you have a site saying this
I have been quite sick the last few days, but that didn't seem to impress the hackers (as if it should :) )
On one side there were more than 100 sites hacked because they were all hosted on one Linux server. You know, if you pay pennies you won't get gold service, and if you sleep with dogs you get fleas. So if your business reputation online is worth anything, take dedicated hosting. If anything goes wrong you will have only yourself or your technical support to blame, not one of the hundred other administrators on the same machine.
And maybe this is the first thing not to do when you want to write a veiligheidsboek (a website about a book about security).
But as long as the hosting sector itself isn't setting up independent verification and standardisation, maybe the clients should ask for more security (even if it costs more, because nothing is free and security takes time and investment, even with open-source software or free patches).
Then why are there such long listings on zone-h.org of Turkish hackers penetrating .gov.cn systems all the time?
No firewall to stop them.
No cyberwar capability to defend or clean it.
Maybe China is not the real hackers' paradise.
Infosecurity is a small fair where every year the people of the security industry see each other and have a good chat. Nothing that special: no big inventions, some interesting products and concepts, but nothing to be overwhelmed about. Although I met some interesting people and had some interesting discussions.
The one thing I didn't want to miss was the first presentation of the Belgian CERT before a more or less professional public. But afterwards one thought that maybe the CERT had better given one presentation behind closed doors for the professionals working at the big firms that were present, and another one for the public without any knowledge of what security is all about.
The problem with the presentation, and with the very official, timid way in which the CERT presented itself (bound by several other limitations and with lots of people watching over their shoulders), is that for professional security researchers and people responsible for CSIRTs in security and other companies it was a real cold shower. Some said so afterwards. However, I still think they should send their Belgian e-crime data to the CERT, because otherwise it will never get the funding it needs.
Which is a shame, because now, after so many years of lobbying for it, we have a CERT and we should help and support it and give it all the money and resources it needs to do its job as it should, because the return on investment of a good, focused, professional CERT is immediate and a hundredfold.
The other cold shower is that from now on it will take some 2 years before the next stage is set. Nowadays it only works between 08:00 and 18:00, 5 working days a week. The project manager Lionel says that after that the phone calls arrive at home and everybody is helped (social engineering information leakage), but this is not ideal and I know it. It is work you aren't paid for, and everything depends on your health, your partner and family and so on, and all of them will always have to accept those intrusions for something they see as 'work'. Even if you are passionate about security and even if you see this not as work but as a mission, your personnel could become exhausted or very sarcastic, because why should you take the phone while having dinner with your family to respond to a case in which a server is hacked at a company that doesn't give a damn about security, and because the government doesn't want to invest the necessary resources to have a real CERT that is effectively running like it should be, around the clock? Explain that to your wife and kids. You can do this once, twice, but not all the time. I know.
So I hope that by the end of the year we will have more real-time information from the CERT. Something like Arbor Networks: the real attacks now happening on our networks (SQL, port 445, ...), where they come from and which vulnerability they use. That kind of information would be practical because it would give us something to work with and to watch out for.
By the way, their Twitter feed is dead and their Delicious
You can find hundreds of security Twitter accounts on my account and you can follow interesting Delicious links in the dashboard. There are about 40,000 links (not all e-sec) in Diigo as well.
Of course these are only the spams that have arrived in the distributed network of honeypots that this project has set up; it doesn't mean that these are the only ones or the most important ones in Belgium.
It only shows the top 5 spam servers that have sent spam to these honeypots and are still active in the last few days. The number of spams received from each server counts from the date the server was first registered (first date). It is curious to see that these servers have been doing this since 2009 and nearly one year later are still sending spam.
Maybe no one is controlling these servers, so they should be handled as very risky contacts. Sorry to say.
| IP address | Code | Event | Spams received | First seen | Last seen |
|---|---|---|---|---|---|
| 188.8.131.52 | SD | Bad Event | 1,742 | 2009-12-09 | 2010-03-24 |
| 184.108.40.206 | SD | Bad Event | 1,959 | 2009-04-08 | 2010-03-25 |
| 220.127.116.11 | SD | Bad Event | 3,154 | 2009-08-24 | 2010-03-24 |
| 18.104.22.168 | SD | Bad Event | 6,994 | 2009-03-30 | 2010-03-24 |
| 22.214.171.124 | SDC | Bad Event | 5,798 | 2009-11-23 | 2010-03-24 |
The list is not complete, for several reasons:
one is that I don't accept .ru and .cn domains anyway, except if they are whitelisted;
secondly, it is a copy of a list I use myself, and it may be that some domains are already blocked elsewhere where I use it, and others I did not check because I have other things to do as well.
According to the web the attacks started at the end of last week, but they seem to be continuing.
So if you have a Facebook, Twitter, Netlog or any other social site account, be careful with links, have an updated antivirus and download stuff to separate folders that you close down for a while.
Do not click on codecs to view a film.
Do not click on fake security software and don't let your computer be scanned by those crooks.
If you need something free, go to microsoft.com and look for Security Essentials, or go to download.com and look for other free antivirus software (do not search for it on the web through Google, because many domains will pop up that look like the right thing but aren't).
It is also better to close down your browser, put it in the highest security setting and add some special security add-ons.
And maybe ask your friend whether he or she really sent you that stuff before opening it; if it is a virus the answer will be negative or none.
The commercial happening for security people (and as it is a small world in Belgium it is in fact a meeting with friends you didn't see for a while) has started.
It is of course infosecurity.be
Something funny, though:
when you want to make your access card online, there is a warning that it uses a bad SSL key that has been compromised for a very long time.
They are not alone; some other big firms and applications still have the same stupid breakable SSL certificate, but they aren't security festivals.
According to the Malware Domain List it was the following
For the moment there is a big attack against Facebook users under way, trying to steal their logins and install malware. It is known as Koobface, but other malware detectors sometimes use other names.
When we look at PhishTank, where the URLs used to steal those logins are listed, some hosters are clearly preferred
As we have written before, there is an exploit for IIS 6 and the only way to fix it is to upgrade to IIS 7 (and Windows 2008).
Or maybe someone in Microsoft should take notice and send out a clear fix for this attack, so that people have time to keep their online presence safe while awaiting the migration to IIS 7. The main problem with the migration is that it is a double migration and in most cases even a triple migration: you have to migrate the server (IIS), the OS (to Windows 2008) and sometimes even the hardware, if it isn't enough to run websites and the new OS.
Windows 2008 is much safer than Windows 2003, so you will have to upgrade soon, but can someone in Microsoft produce a fix for this that is more than a workaround? It doesn't mean that IIS 7 on Windows 2008 can't be hacked or defaced, but it won't be so simple if you use the tools and advice you get. There are IIS 7 hacks happening.
Last year more than 2/3 of the hacks were on Linux/Unix servers. This could change if this problem isn't fixed. Joomla also took centre stage of the hackers' attention when they found an easy hole in its system. Now the exploits against Joomla just keep coming out.