Domain registrar Joker.com says its nameservers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany. Any of those domains that use Joker's DNS servers are likely to be affected.
"Joker.com currently experiences massive distributed denial of service attacks against nameservers," the registrar says in an advisory on its home page. "This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers. We are very sorry for this issue, but we are working hard for a permanent solution."
Bots are registering user accounts on thousands of phpBB forums across the Internet, raising concerns that the bot's authors are laying the groundwork for mass exploitation down the road. The activity of a bot named FuntKlakow was discussed in a Digg thread Sunday, with many forum owners confirming that FuntKlakow had created accounts and even posted simplistic messages ("O How nice" and "Wow that is cool").
FuntKlakow's post signatures have included links to proxy surfing and "traffic generator" services, raising the prospect that its goal may be spam rather than exploits. But as noted on a German site that issued an early warning about the bot's behavior, "the next time the phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) from attacking thousands of sites/forums." Google searches suggested the bot may have created accounts on as many as 33,000 forums.
A web server belonging to a state-operated Chinese bank is hosting phishing sites targeting U.S. banks and financial institutions. Phishing e-mails sent on Saturday (March 11) targeting customers of Chase Bank and eBay were directed to sites hosted on ip addresses assigned to The China Construction Bank (CCB) Shanghai Branch. The phishing pages are located in hidden directories with the server's main page displaying a configuration error. This is the first instance we have seen of one bank's infrastructure being used to attack another institution.
The attack on Chase offers recipients the chance to earn $20 by filling out a user survey which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password, so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN number, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form processing service (free.allforms.mailjol.net) operated by an Indian company but hosted in the U.S. at NetAccess.
Hackers are actively seeking out unpatched versions of the Mambo content management system, which recently repaired a serious security hole. The latest exploit attempts target a different vulnerability than the Mare.D worm, which grabbed headlines last month but apparently did limited damage to Mambo sites. Sites running on Mambo should upgrade to the latest version as soon as possible.
On Feb. 24 James Bercegay of GulfTech Security Research announced vulnerabilities in Mambo that could allow a server compromise by a remote attacker, including several methods of an SQL injection attack. Bercegay also found a way for attackers to use Mambo's file inclusion features to breach system security. Last July Bercegay discovered a weakness in XML-RPC libraries used by numerous PHP-based blogging and content management apps.
Security holes in PHP-based content management and forum apps are an increasingly active front in Internet security, as hackers target unpatched weaknesses. The latest example is Monday's hack of chip maker AMD's customer support forums, in which an older version of Invision Power Board was compromised and used to distribute malware using the Windows Metafile (WMF) exploit.
While Windows flaws like the WMF vulnerability are useful to hackers assembling armies of compromised desktop computers, security holes in PHP applications provide access to more powerful servers hooked directly to high-speed network connections.
Internet criminals have targeted unpatched vulnerabilities in open source CMS apps including phpBB, PostNuke, Mambo, Drupal and others, hoping to build botnets for use in phishing scams and distributed denial of service (DDoS) attacks. Compromised web forums hosted more than 600 phishing spoof sites identified by the Netcraft Toolbar Community in 2005 (as noted in our Year in Phishing roundup).
The DDoS capabilities of server-based zombies was demonstrated in a December attack by a large botnet of Linux machines, in which attackers flooded their target with more than 6 gigabytes of data per second. Hosting providers with multiple IP addresses being used in the botnet included Level 3, Savvis, AT&T WorldNet, 1&1 Internet, Interland and The Planet. The network used in the December attack was assembled by exploiting known security holes, including a vulnerability in the Limbo CMS that had been patched at least six weeks earlier.
ChoicePoint will pay $10 million in civil penalties and another $5 million to set up a fund to compensate consumers whose financial records were exposed in a massive data breach last year, the Federal Trade Commission (FTC) announced today. The fine is believed to be the largest ever for a security incident, and signals Washington's growing impatience with corporate security breaches.
"The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves," said Deborah Platt Majoras, Chairman of the FTC. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America."
ChoicePoint provides data to credit providers, government agencies and landlords. Earlier today it reported $1.1 billion in revenue for 2005. In late 2004 criminals using falsified credentials were able to sign up for sensitive ChoicePoint services and access account information for 163,000 consumers, the FTC said.