
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Today's story is on another (sort of) phishing campaign - the twist on this one is that the targets are ... us, again, sort of. This one caught my eye because I've never had a LogMeIn account - no reflection on the product, I've just always had licenses on other comparable products.

The email discusses a real situation, where a breach at one site can result in those credentials being used on a different site, because of the wide practice of folks using the same password for everything.

The note then continues with two "click here" links, which point to two different websites, neither of which is logmein.com.

The blog entry the email points to, blog.logmeininc.com, is different from the blog on LogMeIn's home page, which is at blog.logmein.com. And accounts.logme.in is a domain that truly looks like it was set up to steal credentials.

The use of lookalike sites like this, where the DNS name is close but no cigar and the content is scraped from the real site, is a very widespread and successful approach - if a person is tricked into clicking the first link, they almost always continue on by giving up their password or installing the malware that's hosted on the site. This password change form looks precisely like that.
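As an added example (not part of the diary), a small Python check that pulls the anchors out of an email body and flags every link whose registrable domain is not the expected sender's, which is exactly the test the two "click here" links above fail. The sample HTML is constructed for this example; only the hostnames come from the diary, and the two-label domain rule is a deliberate simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an email body. The hostnames mirror the ones the
# diary discusses; the paths and link text are made up for the example.
SAMPLE_EMAIL_HTML = """
<p>We recommend you reset your password.
<a href="https://accounts.logme.in/reset">Click here</a> to change it,
or <a href="https://blog.logmeininc.com/post">click here</a> to read more.
See our <a href="https://www.logmein.com/legal/privacy">Privacy Policy</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (link_text, href) pairs from the <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(hostname):
    """Last two DNS labels. Assumption/simplification: a real deployment
    would consult the Public Suffix List (e.g. co.uk has three labels)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def audit_links(html, expected_domain):
    """Return (link_text, hostname) for every link that does not land on
    expected_domain. Links without a hostname (mailto:, relative) are
    flagged too, since they cannot be verified."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != expected_domain.lower():
            suspicious.append((text, host))
    return suspicious
```

Run against the sample, the two "click here" anchors are reported and the Privacy Policy link passes.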

The truly ironic links in this note are the one to the Privacy Policy and the "here's a LogMeIn blog that explains why you should never click on links in random emails" - both of these point to logmein.com links that look for real.

The final verdict? This note is absolutely legitimate, they really are asking folks to reset their passwords. Unfortunately, the way the note is constructed it should be setting off alarm bells for anyone in the security business.

This really is too bad, because the message is a good one - as Worf (STNG reference) is fond of saying, "it's always a good day to change your password".

===============
Rob VandenBrink
Compugen


Some of our readers reported spam messages related to the recent SWIFT case. With all the buzz around this story, it seems legitimate to expect more and more attackers to use this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check".

The HTML link points to a malicious PE file called SWIFT COPY.exe (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromised WordPress instance and seems to contain a keylogger. Data are sent to onyeoma5050s.ddns.net. The host resolved to 95.140.125.110 but it is not valid anymore (takedown already completed?).

Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55), which still makes it dangerous.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

this diary while waiting for my flight back home. Last week, SANSFIRE was held in Washington where I met some ISC handlers. I did not pay too much attention to the security news but I faced an interesting story. Recently, a data leak affected LinkedIn and a friend of mine had a chance to have access to the data (among others, decrypted passwords). He contacted me and suggested to change my password as soon as possible (as a proof, he sent my password). It was indeed a valid one but not my current one. More precisely, it was the very first password that I used when I created my LinkedIn account (a long time ago). Interesting.

Passwords are a sensitive topic: don't play with fire and follow this golden rule: change them often and don't re-use them. The leak

Usually, when I receive an invitation to create an account on a website, I accept it and create a unique email account that will NEVER be used somewhere else. I'm using something like: website-url(at)unused(dot)rootshell(dot)be or login_webshop.com. This helps me to track:
  • Spammers: I can learn

Another interesting feature of some password managers (well, the one I'm using includes it): they keep a

Based on this information, I'm able to estimate when the data leak really occurred and if it is really coming from the supposed victim or from another source.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key