Phishing Trojan Grabs Browser Screen Shots

A new phishing trojan captures screen shots of browser activity when an infected machine visits a banking site, adding an imaging capability to its repertoire. The trojan, which targets Barclays Bank, has apparently found a way to defeat one of the banking industry's more secure login systems.

Phishing trojans are typically auto-downloaded from a bogus web page, and secretly log keystrokes as the victim visits an online banking site. Barclays uses a two-step login that includes a secret word as well as the usual username and passord. After the initial login screen, a second page presents a pair of drop-down boxes in which bank customers must select letters from their secret word. Because the secret word is never typed into the keyboard, trojans are unable to capture all the info needed to access the Barclays account.

The "Purchase confirmation" trojan, documented at Codefish Spamwatch, has evolved its multi-faceted attack to address this obstacle.

Continue reading

E-commerce Firm 2Checkout Reports DDoS Extortion Attack

E-commerce firm 2Checkout, which processes credit card payments for online merchants, says it has been hit with a distributed denial of service ((DDoS) attack after it rebuffed an extortion attempt. The 2Checkout site experienced rolling outages from the attack, which began on April 9 and was still ongoing as of April 16, according to a statement on the company's web site.

"2Checkout continues to fight an extortion based ('Pay us or else we will continue to attack') DDOS attack," the company said earlier this week. "We apologize for any service interruptions. Rest assured that our full staff in addition to some consultants are working relentlessly in conjunction with our providers to combat and minimize any effects of the attack."

Continue reading

Microsoft goes Opensource

Will Monday, 5 April 2004, be celebrated as the day Microsoft began turning into an open source company?

At first sight, the Windows Installer XML (WiX) toolset released then is just the latest piece of software distributed under Microsoft's Shared Source Initiative. This is the company's increasingly complex attempt to steal some of open source's thunder by offering classes of users degrees of access to the underlying code - mostly to look at, but in certain circumstances to touch, too.

Microsoft's nervousness about letting others see its source can be judged by the plethora of different licensing schemes now available. It is also reflected in the low- key description of the "WiX Shared Source Licensing Program". It is only when you follow the link to the SourceForge page where the project is hosted that you discover that WiX is being released under a licence that is fully approved by the Open Source Initiative. In other words, WiX is Microsoft's first open source code.

Continue reading

Windows Update struggling to remain available

Microsoft's Windows Update web site has been experiencing slow response times in the wake of yesterday's release of critical security updates. A browser request through Internet Explorer eventually raises the site after an extended wait, and in some cases it is possible to successfully download and install updates over a broadband connection. Dynamically updating performance charts for Windows Update are available here.

The service is struggling for availability at a crucial moment of need for Windows users. Microsoft yesterday released four security updates, including three critical patches that Microsoft urged customers to install immediately. They include a patch for an SSL vulnerability that leaves Windows 2000 and NT4 SSL sites open to remote compromise. The current sluggish performance of Windows Update is a particular challenge for Windows users on dial-up Internet connections, as the Windows XP download is 3 megabytes.

"After the release of yesterday's security updates, the number of requests to Windows Update was double the usual volume," said a Microsoft spokesperson. "The slowdowns didn't last very long. We've added some system resources to support Windows Update, and are not seeing much trouble anymore."

This morning the DNS for windowsupdate.microsoft.com was being managed by Savvis Communications though its Digital Island content distribution network (CDN). CDNs help manage Internet traffic (including DDoS attacks) by using large, geographically distributed networks of servers to move files closer to the end user. Microsoft used a CDN service from Akamai to keep its web site online last August, when the Blaster worm programmed machines to launch a DDoS on the Windows Update site. Microsoft's strategy drew considerable attention, as the front page of the www.microsoft.com site was served by Linux machines on Akamai's network. Today Savvis was using Windows Server 2003 to manage the Windows Update traffic. This evening the site is being served from a netblock assigned to Hotmail, Microsoft's e-mail service.

Microsoft SSL Vulnerability gives attackers opportunity to gain control of leading banking sites

Microsoft has issued a fix for a security vulnerability that has exposed tens of thousands of sites offering encrypted transactions to potential compromise. The bug in Microsoft's Secure Sockets Layer (SSL) library allows remote attackers to gain control of unpatched Windows 2000 and Windows NT4 servers offering encrypted services over the internet.

The vulnerability was revealed Tuesday by Internet Security Systems, which warned that "hackers will aggressively target this vulnerability given the high-value nature of Web sites protected by SSL," which secures web sites for online banking, stock trading and retailing. Microsoft issued a critical security update Wednesday to address the vulnerability, which allows a buffer overflow in Private Communications Transport (PCT) packets. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said in its advisory, adding that "only systems that have SSL enabled" are vulnerable. SSL is only commonly used protocol for encrypted transactions of financially important or confidential information on the Web.

More than 132,000 web-facing SSL servers are running either Windows 2000 or Windows NT4, according to our March Secure Server Survey, representing nearly 45 percent of all SSL servers. The PCT and SSL 2.0 protocols targeted by the exploit are enabled by default in Win2K and NT4.

Continue reading

Strong Hostname Growth for Domain Registrars

March was a banner month for domain registrars, as Dotster, Go Daddy and eNom were the fastest-growing providers in our Hosting Provider Switching Analysis, adding more than a half million hostnames between them.

Go Daddy and eNom may be benefiting from speculative purchases amid growing awareness of improvements in the domain resale market. The planned sale of whitehouse.com (a porn site often confused with whitehouse.gov) gained widespread media notice in the U.S. last month, with many stories noting the sale of men.com for $1.3 million in December. In the first quarter of 2004, at least 24 domains changed hands for $25,000 or more at auction, according to domain industry observers.

Top Hosting Providers By Growth, Feb 04 to Mar 04
Hosting Company Feb 04 Mar 04 Growth %
Growth
Primary
Region
Dotster 336,369 597,290 260,921 77.6% America
GoDaddy Inc 1,918,182 2,056,278 138,096 7.2% America
eNom 5645,544 782,411 136,867 21.2% America
1&1 Internet AG 3,731,277 3,833,086 101,809 2.7% Europe
Global Media Online 78,610 134,265 55,655 70.8% Asia
MCI 708,444 763,557 55,113 7.8% America
The Planet 191,466 229,877 38,411 20.1% America
EV1Servers 711,035 743,089 32,054 4.5% America
AboveNet/MFN 212,439 244,107 31,668 14.9% America
Deutsche Telekom.com 354,780 385,772 30,992 8.7% Europe

Continue reading