(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Joe wrote this weekend that:

A customer called me yesterday to make me aware of their computer that was compromised by one of those scam websites that pops up an 800 number and tells them to call. Against her knowing better, she STILL called in.... ugh.

The site I wanted to make you aware of was amvets.COM. She wanted to make a donation, but the real website is amvets.ORG.

It is always sad to see how people with good intentions, willing to donate to a deserving cause, are being taken advantage of. So I took a bit of time to investigate this particular case.

First of all: I do NOT recommend you go to the .com version of the site above. I didn't see anything outright malicious, other than popups advertising the fake tech support service, but you never know what they are going to send next.

The content returned from the page varies a lot. Currently, I am getting index pages linking to various veterans-related pages. Typically these pages are auto-created using the keywords people used to get to the page, or keywords entered in the search field on the page. So it is no surprise that this page knows it is mistaken for a veterans' charity.

When it does display the fake virus warning page, it does so very convincingly:

- the look and feel is adapted to match the user's OS and browser
- even on mobile devices, like my iPad, the page emulates the browser used

After a couple of visits to the site, it no longer displayed the virus warning to me, even after I changed systems and IPs. So I am not sure if they ran out of ad impressions or if they throttle the warning to only show up every so often.

According to Farsight Security's DNS database, 10,000 different hostnames resolve to this one IP address. Most of them look like obvious typosquatting domains:

For example:
www.googele.be, besbuy.ca, wwwhockey.ca.

For some of them, I still get ads for do-nothing-ware like MacKeeper (looking at the page from a Mac).
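The diary spots the squatted names by eye; a defender watching passive DNS (or certificate transparency, or their own resolver logs) wants the same cues applied automatically. The script below is an added example, not the diary's or Farsight's tooling, and it assumes a small list of protected brands (amvets.org is from the diary, the rest are assumptions) plus a constructed sample of observed hostnames. It flags three patterns the diary describes: a swapped TLD (amvets.com vs amvets.org), a "www" glued onto the name (wwwhockey.ca), and a one-keystroke typo (googele.be, besbuy.ca), using optimal-string-alignment edit distance so adjacent-character transpositions count as one typo.

```python
"""Lookalike-domain detection over observed hostnames (added example).

Compares each observed hostname against a list of protected brand domains
and reports why it looks like a typosquat. Naive on purpose: TLDs are taken
as the last label only, so multi-part suffixes such as co.uk would need a
public suffix list in real use.
"""

# Brands we protect. amvets.org is from the diary; the rest are assumptions.
PROTECTED = {"amvets.org", "google.be", "bestbuy.ca", "hockey.ca"}

# Constructed sample of hostnames seen resolving to one IP (passive DNS style).
OBSERVED = [
    "amvets.com",       # TLD swap of amvets.org (the diary's case)
    "www.googele.be",   # one-character typo of google.be
    "besbuy.ca",        # missing letter from bestbuy.ca
    "wwwhockey.ca",     # "www" glued onto hockey.ca
    "example.org",      # unrelated, should not be flagged
    "amvets.org",       # the real charity, should not be flagged
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (a fat-finger model of typos)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def split_host(host: str):
    """Return (second-level label, TLD); assumes a single-label TLD."""
    labels = host.split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(host: str, protected=PROTECTED):
    """Return (brand, reason) if host looks like a squat of a protected
    brand, or None if it is the brand itself or unrelated."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in protected:
        return None
    sld, tld = split_host(host)
    for brand in sorted(protected):          # sorted for deterministic output
        bsld, btld = split_host(brand)
        if sld == bsld and tld != btld:
            return brand, "tld-swap"
        if sld.startswith("www") and sld[3:] == bsld:
            return brand, "glued-www"
        # Require a reasonably long brand label so short names do not
        # collide with everything one edit away.
        if len(bsld) >= 5 and osa_distance(sld, bsld) == 1:
            return brand, "typo"
    return None


def scan(hosts):
    """Map each flagged hostname to (brand, reason)."""
    hits = {}
    for host in hosts:
        verdict = classify(host)
        if verdict is not None:
            hits[host] = verdict
    return hits


if __name__ == "__main__":
    for host, (brand, reason) in scan(OBSERVED).items():
        print(f"{host:18} -> looks like {brand} ({reason})")
```

In practice the brand list is your own domains and the hostnames come from passive DNS for the IPs you already consider suspicious, or from your resolver logs; hits are candidates for a takedown request or a block on the egress proxy, not an automatic verdict, since "besbuy.ca" could also be a legitimate unrelated business.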

Johannes B. Ullrich, Ph.D.

The National Cybersecurity Center of Excellence (NCCoE) invites comments on a draft practice guide designed to help financial services companies monitor and manage IT hardware and software assets more securely and efficiently. Financial ...

A diagram of the Regin platform. (credit: Kaspersky Lab)

German Chancellor Angela Merkel may not be the only high-ranking leader from that country to be spied on by the National Security Agency. According to a report published over the weekend, German authorities are investigating whether the head of the German Federal Chancellery unit had his laptop infected with Regin, a highly sophisticated suite of malware programs that has been linked to the NSA and its British counterpart, the Government Communications Headquarters.

As Ars reported almost 12 months ago, Regin is among the most advanced pieces of malware ever discovered, with dozens of modules that can be used to customize attacks on targets in the telecommunications, hospitality, energy, airline, and research industries. Its technical DNA bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that the US and Israel reportedly unleashed to disrupt Iran's nuclear program.

According to research published last year by security firm Kaspersky Lab, Regin was used to infect more than 100 targets and has been active since 2008. Kaspersky Lab researchers went on to say that the targets included Belgacom, the partly state-owned Belgian telecom, and Jean-Jacques Quisquater, a prominent Belgian cryptographer. Documents leaked by former NSA subcontractor Edward Snowden have further linked Regin to the NSA, specifically to an NSA attack tool dubbed QWERTY. According to German magazine Der Spiegel, QWERTY is a keylogging plugin that's part of a much larger framework described in Snowden-leaked documents as WARRIORPRIDE. The takeaway is that Regin and WARRIORPRIDE are the same thing.


ISC BIND CVE-2015-5477 Remote Denial of Service Vulnerability
Mozilla Firefox CVE-2015-4495 Same Origin Policy Security Bypass Vulnerability
IBM WebSphere Application Server CVE-2015-1885 Remote Privilege Escalation Vulnerability
Microsoft Internet Explorer CVE-2015-2444 Remote Memory Corruption Vulnerability
Linux Kernel '/scsi/sg.c' Integer Overflow Vulnerability
PHP CVE-2015-4598 Multiple Security Bypass Vulnerabilities
PHP CVE-2015-5589 Remote Denial Of Service Vulnerability
MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow
MacOS X 10.11 hardlink bomb cause resource exhaustion (Avast PoC)
Oracle Java SE CVE-2015-2625 Remote Security Vulnerability
Multiple Zend Products CVE-2015-5161 XML External Entity Injection Vulnerability
Secunia Research: Google Picasa Phase One Tags Processing Integer Overflow Vulnerability
Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities
FreeBSD Security Advisory FreeBSD-SA-15:25.ntp

Posted by InfoSec News on Oct 26


By Cyrus Farivar
Ars Technica
Oct 25, 2015

We now live in a world where a New York City sixth grader is making money
selling strong passwords. Earlier this month, Mira Modi, 11, began a small
business at dicewarepasswords.com, where she generates six-word Diceware
passphrases by hand.

Diceware is a well-known decades-old system...

Posted by InfoSec News on Oct 26


OCTOBER 23, 2015

Your next tinfoil hat won’t be made of tinfoil. A small company
called Conductive Composites out of Utah has developed a flexible material
— thin and tough enough for wallpaper or woven fabric — that can keep
electronic emissions in and electromagnetic pulses out.

There are a few ways to...

Posted by InfoSec News on Oct 26


By Lucian Constantin
IDG News Service
Oct 23, 2015

A Russian cyberespionage group that frequently targets government
institutions from NATO member countries tried to infiltrate the
international investigation into the crash of Malaysia Airlines Flight 17.

MH17 was a passenger flight from Amsterdam to Kuala Lumpur that crashed in...

Posted by InfoSec News on Oct 26


By Frank Gardner
25 Oct 2015

It’s slick, it’s fast-paced and it’s sexy. But that’s the cinema. SPECTRE,
the latest James Bond thriller starring Daniel Craig opens in cinemas on
Monday to critical acclaim. Pure fantasy? Or are there any similarities
with the work of a real-life...

Posted by InfoSec News on Oct 26


By Geoff Ziezulewicz
Naperville Sun
October 24, 2015

Hackers were able to break into Naperville's computer network in an
unprecedented 2012 cyberattack because of a vulnerability in the city's
Web software that had not been patched, even though an alert and update
had been released roughly a month earlier, according...
AlienVault OSSIM 4.3 CSRF
AlienVault OSSIM 4.3 CSRF vulnerability report