Saturday 28 September 2013

DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008

With low-waged employees of unethical ‘data entry’ companies having already set the foundations for an efficient and systematic abuse of all the major Web properties, it shouldn’t be surprising that new market segments quickly emerged to capitalize on the business opportunities offered by the (commercialized) demise of CAPTCHA as an additional human/bot differentiation technique. One of these market segments is supplying automatic (email) account registration services to potential cybercriminals while on their way to either abuse them as WHOIS contact point for their malicious/fraudulent domains, or to directly embed automatically registered accounting data into their Web-based account spamming tools. This takes advantage of the clean IP reputation/white listed nature of these legitimate free email providers.
In this post, I’ll discuss a commercially available (since 2008) DIY (do it yourself) automatic email account registration tool capable of not just modifying the forwarding feature on some of the email providers it’s targeting, but randomizes the accounting data as well. The tool relies on built-in support for a CAPTCHA-solving API-enabled service, and can also activate POP3 and SMTP on some of these accounts thus making it easier for cybercriminals to start abusing them.

Sample screenshots of the tool in action:
DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_01 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_02 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_03 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_04 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_05 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_06 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_07 DIY_Commercial_Email_Automatic_Account_Registration_Tool_Application_Software_Buy_Purchase_Sell_CAPTCHA_08 The multi-threaded tool “naturally” supports direct syndication of “fresh” Socks4/Socks5 malware-infected hosts, as well as randomization of the user agent, in an attempt by its users to anonymize their malicious account registration activities. The tool also has a built-in support for two of the market leading commercial CAPTCHA-solving services, ensuring that the CAPTCHA challenge will by successfully bypassed thanks to the introduced API on behalf of these services.
What would a cybercriminal do with all of these automatically registered bogus accounts? Plenty of (fraudulent) options.
  • Web-based spam relying on the DomainKeys verified/trusted network infrastructure of the providers – over the years spammers have realized the potential of a DomainKeys trusted (internal) network, and therefore, quickly adapted to its adoption, largely thanks to the demise of CAPTCHA, allowing them to efficiently register hundreds of thousands of rogue accounts to be later on used in spam campaign.
  • Automatic activation and abuse of related account services – certain free email service providers, also automatically enable FTP and Web hosting services, allowing the cybercriminals behind the campaign to multi-task by abusing each and every activated service, of course, in an automated fashion, just like the initial account registration process
  • Sell access to the bogus accounting data to fellow (novice) cybercriminals – novice cybercriminals look for ways to obtain automatically registered accounts to be later on used as a foundation for their fraudulent campaigns, are the prime market segment targeted by customers of such tools, who take advantage of the fact that novice cybercriminals are still building their capabilities, and remain unaware of the existence of such type of tools, meaning the’d be even willing to pay a premium to get hold of such type of rogue accounts
We’ll continue monitoring the development of this DIY tool, and post updates as soon as new “innovate” features get introduced.

Top Ten Tips For Keeping Kids Safer Online

kids_title_EN
There are also specific dangers that children face. These include obviously undesirable content like pornography, violence and drugs, but also sites focused on self-harm or even suicide.  Sadly, inappropriate material can be just a few clicks away:  objectionable content can be displayed alongside search items as innocuous as ‘Peppa Pig’, ‘Dora the Explorer’, ‘Fireman Sam’ or other items that we’re happy for our children to view.
Children can also be exposed to banner ads on pages they visit. You may wonder what fraudsters hope to gain by delivering context-sensitive advertisements to children.  But a lot of children use their parents’ credit cards and this makes them a prime target. It’s less a problem of fraudsters peddling bogus products and services than it is about children looking to pay for online goods like computer games, books, films and in-app purchases inside games on laptops, tablets and smartphones.
Parents are more worldly-wise, but they’re often less tech-savvy. Children have no trouble driving the technology, but are often blithely unaware of the potential dangers.
Hide nothing, share everything
There’s another aspect to online safety too. Our children are growing up in a culture of ‘share everything’.  Social networks allow them to treat the web like the notice-board in the family kitchen – and they do. They post information about where they are, who they’re with, what they’re doing – with pictures to illustrate this narrative of their lives. But while the notice-board in the kitchen is accessible only to family and friends, what’s posted on a social network could be shared with the whole world. Personal information could be used by an online predator to profile a child or teenager, get their trust and then try to arrange to meet them in the real world.  Shared pictures can be used by their peers to bully or coerce them.  Adults are more likely to see the inherent problem in the ‘share everything’ culture, but children don’t – until something goes wrong.

Technology generation gap
Unfortunately, we face a technology generation gap. Parents are more worldly-wise, but they’re often less tech-savvy.  They don’t always understand what’s possible with today’s technology. Children have no trouble driving the technology, but are often blithely unaware of the potential dangers.
Children need to know that there’s good and bad online – just as, when a child is old enough we introduce road safety and the importance of staying close to us.
Monitor and mentor
That’s why it’s so important for parents to involve themselves in their children’s online activities from a very young age, so they can ‘mentor’ their children and help to shape and inform their online experiences.  Of course, the online safety message needs to be tailored to the age of a child. We can’t expect a young child to understand the intricacies of online threats.  But they need to know that there’s good and bad online – just as, when a child is old enough to walk around town with us, we introduce road safety and the importance of staying close to us.  It’s also important explain the online safety equivalent of road crossings too – using Internet security software to block harmful code, the need to protect things that belong to us with a password, the danger of disclosing personal information, and so on.  These messages need to be reinforced and developed as a child gets older.  But if they’re ‘on board’ with security from an early age, they’re less likely to see security measures as an encumbrance.
Here’s our list of top tips for keeping your children safe online.
  1. Talk to them about the potential dangers.
  2. Involve yourself in your childrens’ online activities from an early age so this is the established norm, and so you can ‘mentor’ them.
  3. Encourage them to talk to you about their online experience and, in particular, anything that makes them feel uncomfortable or threatened.
  4. Today’s ‘share everything’ culture is pervasive. Children are less likely to instinctively recognise the inherent dangers in oversharing, so it’s important to spell out the potential problems.
  5. Set clear ground-rules about what they can and can’t do online and explain why you have put them in place. You should review these as your child gets older.
  6. Use parental control software to establish the framework for what’s acceptable – how much time (and when) they can spend online, what content should be blocked, what types of activity should be blocked (chat rooms, forums, etc).  Parental control filters can be configured for different computer profiles, allowing you to customise the filters for different children.
  7. Encourage your children to be vigilant about their privacy and settings on social media sites so that posts are only visible to selected friends and family.
  8. Wordly-wise vs tech savvy: you may be more aware of the potential pitfalls of the internet, but the chances are your children are more technologically clued up. Encourage an exchange of information so that you can both learn from each other.
  9. Protect the computer using Internet security software.
  10. Don’t forget their smartphone – these are sophisticated computers, not just phones.  Most smartphones come with parental controls and security software providers may offer apps to filter out inappropriate content, senders of nuisance SMS messages, etc.

Students Find Ways To Hack School-Issued iPads Within A Week

Los Angeles Unified School District started issuing iPads to its students this school year, as part of a $30 million deal with Apple. But less than a week after getting their iPads, hundreds of students had found a way to bypass software blocks meant to limit what websites the students can use.

Thousands of hacked WordPress sites used in global scale attacks

Thousands of WordPress based websites have been hacked to compose a global scale botnet that is performing powerful DDOS attacks.

I start the post with recommendations, if you are a blogger using WordPress don’t waste time and update it and all installed plugins to the latest versions!
Have you done it? OK, now I can explain you what it is happening.
Thousands of WordPress blogs have been hacked to compose a global scale botnet that is performing powerful DDOS attacks.
We read in the past of a massive cyber attack coordinated with a huge botnet against millions of websites based on the popular CMS WordPress, around 100000 servers were successful compromised fueling the malicious architecture used for the attack.
The news was reported by CloudFlare and HostGator that on April alerted the WordPress community on the ongoing massive attack launched against WordPress blogs all over the Internet, the alert was related to a massive brute-force dictionary-based attack conducted to expose the password for the ‘admin’ account of every WordPress site.
In August, 2013 researchers at Arbor Networks have discovered a botnet dubbed Fort Disco  that was used to compromise more than 6000 websites based on popular CMSs such as WordPress, Joomla and Datalife Engine.
My colleagues at TheHackerNews received a DDOS attack logs report from ‘Steven Veldkamp‘ that highlights that the victim’s website was under heavy DDoS attack recently, originated from numerous compromised WordPress based websites. It is highly probably that the ongoing attack is linked to the events occurred in April that allowed attackers to take control of a high number of vulnerable WordPress Hosts.
The attacks are very concerning due to the botnet extension and the high performance of bots. The offensive is conducted on a global scale and appears highly distributed in nature and well organized, for these reasons it is very difficult to block malicious traffic.
WordPress Massive DDoS attack
The attack logs from timing 23/Sep/2013:13:03:13 +0200 to 23/Sep/2013:13:02:47 +0200 revealed that just in 26 second attacker was able to perform a powerful DDOS attack from 569 unique compromised WordPress.
The list of sources used by attackers includes blogs of Mercury Science and Policy at MIT,  Stevens Institute of Technology and The Pennsylvania State University.
According to statistics proposed by WP WhiteSecurity, from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
 WordPress vulnerability statistics
Following other shocking statistics based on the analysis of  42,106 WordPress websites found in Alexa’s top 1 million websites.
  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid. For example version 6.6.6.
  • 18 websites had an invalid non existing versions of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
It is important to remark that the availability of automated vulnerability assessment tools and DIY attack tools on the black market is causing a meaningful increase in the number of cyber attacks.
Owners of Website based on WordPress CMS must improve at least basic security settings and implement best practices such as the use of robust passwords and the accurate management of  ”admin” accounts.
Within the WordPress community are also already available interesting plugins that could help site managers to improve the security of their WordPress instance.
If you believe that the security of a WordPress based site has a limited impact on the Internet community you are wrong, the crocks could use the hacked platforms for various illegal activities …. we must stop them!