Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it because of the Facebook attack going on right now. Many people are victims of clickjacking attacks, and it is a hard attack to detect: much of the time it happens in the background without the user ever knowing. So what is clickjacking? Wikipedia has a good enough description: http://en.wikipedia.org/wiki/Clickjacking

Simply put by wired.com

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So a click on something that isn’t what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash player up to date is the first step on the user’s side. On the site owner’s side, the real fix is to tell browsers not to render the page inside another site’s frame (the X-Frame-Options header, or the frame-ancestors directive of Content-Security-Policy), because the attack depends on loading the victim page in an invisible iframe. Instead of repeating the rest of the information that’s already on the internet, here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player
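To make the overlay trick concrete, here is an added example (not code from the original post or from wired.com): the attacker page built the way the movie-and-play-button story describes, next to a check of the response headers that stop it. A site that sends X-Frame-Options or a CSP frame-ancestors directive cannot be loaded in the invisible iframe the attack depends on. The victim URL, header names and values are constructed for the example.

```python
"""Added example, not from the original post: the overlay trick described above,
as a constructed attacker page, next to a check of the response headers that
stop it. Header names, values and the victim URL are constructed for the
example.
"""


def build_clickjack_page(victim_url, target_x, target_y, width=800, height=600):
    """Return attacker HTML: a visible decoy "Play" button placed at the
    coordinates of the victim page's real button, with the victim page loaded
    in a transparent iframe stacked above it. The user sees the decoy, but the
    click lands on the victim's button."""
    return (
        "<!doctype html><html><body>\n"
        f'<button style="position:absolute;left:{target_x}px;top:{target_y}px">'
        "Play</button>\n"
        f'<iframe src="{victim_url}" style="position:absolute;left:0;top:0;'
        f'width:{width}px;height:{height}px;opacity:0;z-index:2;border:0">'
        "</iframe>\n"
        "</body></html>"
    )


def _csp_directive(csp, name):
    """Source list of the named CSP directive (lowercased), or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def third_party_framing_allowed(headers):
    """True if an arbitrary third-party origin may frame the response.

    `headers` maps header names (any case) to values. A CSP frame-ancestors
    directive takes precedence over X-Frame-Options when both are present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _csp_directive(csp, "frame-ancestors")
        if sources is not None:
            if not sources or "'none'" in sources:
                return False
            # "*" or a bare scheme matches any host; anything else restricts
            # framing to 'self' and the listed origins.
            return any(s in ("*", "http:", "https:") for s in sources)
    xfo = h.get("x-frame-options")
    if xfo is not None:
        # DENY and SAMEORIGIN exclude third parties. Other values, including
        # the obsolete ALLOW-FROM, are ignored by current browsers, which
        # leaves the page frameable.
        return xfo.strip().upper() not in ("DENY", "SAMEORIGIN")
    return True  # no framing policy at all


def frameable_responses(responses):
    """Labels of the responses that a third party could clickjack."""
    return [label for label, hdrs in responses.items()
            if third_party_framing_allowed(hdrs)]


# Constructed sample responses, keyed by a label.
SAMPLE_RESPONSES = {
    "no-policy": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self": {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self'"},
    "csp-wildcard-overrides-xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors *",
    },
}

if __name__ == "__main__":
    print(build_clickjack_page("https://victim.example/settings", 412, 288))
    print("frameable:", frameable_responses(SAMPLE_RESPONSES))
```

Running it prints the attacker page and the labels `no-policy`, `xfo-allow-from` and `csp-wildcard-overrides-xfo` as frameable; note the last one, where a permissive frame-ancestors directive silently overrides a strict X-Frame-Options header.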


Hopefully this information will help people who haven’t heard about clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you’re secure.


Anti-anti virus malware

The FBI has arrested six Eastern European hackers for infecting millions of computers across the world with a sophisticated form of malware. The group, operating as the company Rove Digital, was actually hired and paid by advertising companies to increase traffic to specific sites. They did this with a class of malware called DNSChanger, which rewrote the infected computer’s DNS settings to point at rogue DNS servers run by the group, so that lookups for legitimate sites resolved to bogus sites instead. Among the sites affected were iTunes, Netflix and even NASA and the IRS. A user who clicked a legitimate link to a site like iTunes would land on a site that pretended to sell Apple software or music. It was much like a phishing attack, except they did not steal your identity; the customer simply paid them directly. Sometimes the customer would receive black-market goods or pirated software, and often they would get nothing at all. The malware also kept infected machines from reaching antivirus and operating-system update servers, which is what earns it the “anti-antivirus” label. The scheme was discovered and brought down by an FBI investigation known as Operation Ghost Click, but not before making 14 million dollars over four years. The rest of the story is here…

http://www.fbi.gov/news/stories/2011/november/malware
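Since the whole scheme rested on swapping the victim’s resolvers, the obvious host-side check is to look at which DNS servers a machine is actually using. The following is an added example, not code from the original post or from the FBI: it parses resolver settings and flags any that fall inside the rogue ranges the FBI published in its DNSChanger notice at the time (verify those against the original source before relying on them). The resolv.conf text is constructed; on Windows you would feed the DNS server addresses from `ipconfig /all` to `rogue_resolvers()` instead.

```python
"""Added example, not from the original post or the FBI story: a host-side
check for the symptom DNSChanger left behind, namely resolvers pointing into
ranges the gang controlled. The ranges are the ones the FBI published at the
time (verify before use); the resolv.conf text below is constructed.
"""
import ipaddress

ROGUE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]


def parse_resolvers(resolv_conf):
    """Nameserver addresses from resolv.conf-style text, comments stripped."""
    resolvers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            resolvers.append(fields[1])
    return resolvers


def rogue_resolvers(resolvers):
    """The subset of `resolvers` that falls inside a known-rogue range.
    Malformed entries are skipped rather than allowed to abort the check;
    IPv6 addresses never match the IPv4 ranges and fall through."""
    hits = []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if any(ip in net for net in ROGUE_RANGES):
            hits.append(addr)
    return hits


# Constructed sample, not taken from a real machine.
SAMPLE_RESOLV_CONF = """# /etc/resolv.conf
nameserver 85.255.112.35   # inside a rogue range
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    found = rogue_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF))
    print("rogue resolvers:", found or "none")
```

The check is deliberately on the configured resolvers rather than on a DNS lookup result: a rogue resolver can answer correctly for most names and only lie for the ones it is paid to redirect, so a spot-check lookup can pass while the machine is still compromised.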

On-line Job Application Scam

As if job-seekers didn’t have it hard enough, the Better Business Bureau of Abilene, TX posted warnings about on-line job application scams that trick applicants into providing personal information.

http://abilene.bbb.org/article/score-a-job–not-a-scam-28725

The scammers were smart to target people who are willing to provide whatever information it takes to get hired by an employer.  Your resume usually contains your contact information and your employment history.  With the job market tightening up and many employers referring applicants to websites, it is no wonder that social engineers recognized this as a way to steal identities on a large scale.  With the publicity of websites like LinkedIn.com and Monster.com, it was inevitable that scammers would create copy-cat websites or fake Craigslist postings.  Some scammers were even able to convince applicants to provide direct-deposit information or send money to the fake companies!

As we all prepare to look for co-op and permanent jobs, it is best to watch out for the red flags of a scam, as suggested by the Better Business Bureau.

  1. Grammatical and/or spelling errors on application websites or in e-mails.
  2. E-mails from job posting websites claiming there’s a problem with the job hunter’s account.
  3. An employer that asks for extensive personal information such as Social Security or bank account numbers.
  4. An employer that offers the opportunity to become rich without leaving home.
  5. An employer that asks for money up front.
  6. Salary and benefits that seem too good to be true.
  7. A job that requires the employee to wire money through Western Union or MoneyGram.

Overall, be sure to know the company you are applying to.  Do some research and make some telephone calls to be sure that the company and website are legitimate.  And remember that if it sounds too good to be true, it probably is!

Real World Pen Testing

Want to get into pen testing? Knowing the following attack vectors is a good place to start. View the source for more detailed information on each category.

  • Information Gathering

    • Goal: Employee Information
  • Social Engineering

    • Goal: Gain Employee Credentials by directly asking for them
    • Goal: Enticing Users to a Website
  • Phishing

    • Goal: Internal Access via Employees

Behavioral monitoring malware

Behavioral monitoring malware is a new class of malware that mines social networking sites for behavioral patterns: what kinds of websites you like, who you associate with, the kinds of things you buy. This kind of information is a goldmine for marketers. It lets them build profiles of individuals that go well beyond sex, age and location: now they can know that you’re friends with X, Y and Z, or that you’re a Chihuahua enthusiast who loves NASCAR. This kind of information can be more insidious than more conventional malware.

With this information they could then target ads just for you or, beyond marketing, craft unique attacks. We’ve talked about phishing attempts before in class and how a phishing message is usually broad, to catch as many people as possible. Thanks to behavioral-pattern malware they can now easily tailor a specific attack just for you, even if you’re a nobody. The usual malware targets things like credit cards or accounts and passwords. While these can cause trouble and be an inconvenience, you can at least cancel a credit card or change your password. But once they know who you are, you’re in trouble. You can’t just change everything about yourself; you’re not going to get rid of your friends and family and stop liking the things you do.

One of the interesting technical aspects of this malware is that it can recognize who is well connected in the social graph. If I post prolifically on Twitter or Facebook and have lots of followers or friends, I stand out as a greater target than someone who has very few, because through my connections the malware can move on to new targets. Another interesting thing is that it spreads unconventionally compared to the usual malware. Most malware attempts to infect as many devices as fast as possible, while behavioral-pattern malware would take its time in order to go unnoticed and collect as much information as it can.
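The target-selection idea in that paragraph is easy to see on a small graph. The following is an added example, not code from the original post or from the article it links: given a constructed list of who is connected to whom, it ranks accounts by how many others can be reached within a couple of hops of them. A heavily connected account scores high, but so does a low-degree account that bridges two groups, which is exactly the kind of stepping stone the paragraph describes. Names and edges are made up for the example.

```python
"""Added example, not from the original post or the linked article: rank
accounts in a constructed social graph by how many others are reachable within
a few hops of them. Names and edges are made up for the example.
"""
from collections import deque

# Constructed undirected "friends/followers" edges.
SAMPLE_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
    ("bob", "carol"),
    ("dave", "frank"),            # dave bridges alice's circle to frank's
    ("frank", "grace"), ("grace", "heidi"),
]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reach_within(graph, start, hops):
    """Number of accounts reachable from `start` in at most `hops` steps
    (the start itself excluded), by breadth-first search."""
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist == hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    return len(seen) - 1


def rank_targets(edges, hops=2):
    """Accounts sorted by reach (descending), ties broken by name."""
    graph = build_graph(edges)
    scored = [(name, reach_within(graph, name, hops)) for name in graph]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    for name, reach in rank_targets(SAMPLE_EDGES):
        print(f"{name:6s} degree={len(graph[name])} reach2={reach}")
```

On this graph alice has the most direct connections (four), but with two hops dave comes out on top: his single link to frank opens up the other group, so an attacker spreading slowly through connections would pick him first despite his modest profile.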

http://www.pcworld.com/article/207659/malware_aimed_at_social_networks_may_steal_your_reality.html