2009
has seen some incredibly diverse and creative attacks - shall we take one last
look the scams, hijacks and infections that particularly caught our eye?
January : If someone told you people will pay good money to have a third party
create a Botnet designed to DDoS gamers out of Xbox console sessions, you might
have wondered what exactly they were talking about. However, this technique
(which has remained off radar for quite some time) finally went mainstream with
every second script kiddy trying to work out how to do it via endless Youtube
tutorials and “What am I doing wrong” posts on hacking forums.
Attacks on games and gamers have been a constant thread in research this year,
as scammers realise there’s a fair amount of money invested in gaming profiles
- and those profiles can be bought and sold, just like any other stolen
account. Attacks on consoles provide a bit of a headache for office network
admins, who may well be jumping on the “put a net connected console in the
office rec room and leave it to its own devices” bandwagon. Not a good idea…
February : Taking the idea of valued gaming accounts one step further, Erik
Larkin of PC World explored the attacks on Steam
account holders via phishing techniques . Steam accounts can have hundreds
(or in some cases thousands) of dollars invested in them, and regular seasonal
sales tend to send profits through the roof. Indeed, there’s a heavy collection
of “ten free games in exchange for your login” phish pages in circulation at
the moment. Don’t be fooled!
April : You can never be too careful with downloads, as this
story readily illustrated . An instant messaging password stealer (that
could disguise itself as Yahoo Messenger, Live Messenger or Skype) turned up on
Download.com, a trusted source of legit downloads. Rogue elements will sadly
always slip through somewhere, but full credit to CNET for removing the offending
program quickly.
June : A program surfaced claiming to be a mail bombing
extravaganza that would smite all of your enemies. The catch? You had to
give them your own email address to use it.
We’ve seen many, many programs that attempt to punk out people in the hacking /
cracking communities and while the majority of those files tend to stay on hacking
forums some do occasionally creep outside into the daylight.
July : Oh dear. Targeting twelve year old kids? There’s lame - then there’s this . Popular
social networking / gaming site Neopets came under attack from individuals who
decided to offer kids “magical paintbrushes” for their Neopet in return for
running an executable file. Of course, those files would be Trojans, password
stealers and various other nasties in disguise. Taking advantage of a young
child’s desire to obtain rare ingame items - then break their computer - is one
of the lowest attempts at being “a hacker” we can think of.
There was also a look
at Xbox Gamerscore hacking - a technique used by people who want to
artificially inflate statistics related to a gaming account then sell it on.
Did we mention the Megan Fox fake sex tape yet? No? Well, here
it is (an article about it, anyway). Celebrities will always be used as low
hanging fruit as a means for people to infect themselves or fill in surveys and
Megan is no exception where that is concerned.
August : Here we arrived at what seems to have been a phishing page linked to
from a legit
Facebook application URL . There was also this infection, designed to overwrite
all the images on your PC with the word “Hacked”. The Facebook attack was fairly inventive,
though we haven’t seen a repeat performance so that’s good news.
September : Twilight fever. This was
always going to be sucked into various scams and sure enough, just before New
Moon came out in cinemas sites such as Youtube had videos on them promoting ” online
versions” of the film . Sure enough, all you got for your trouble was Zango
installers and empty pages.
Can’t have an end of year summary without a mention of Zango!
October : This particular file hit the streets a little while after Google Wave
invites were no longer the hot topic of debate which probably helped to lessen
the impact. A fake
Google Wave invite generator most certainly did not generate passwords of
any kind, but did seem to be a likely candidate for harvesting email passwords.
Clever.
We also talked about Gamers
Under Fire at SecTor 2009, a security conference held in Canada. You can
take in all the conference presentations here - they’re well worth
checking out.
November : Ah, Facebook applications. Sometimes you get rogue ones - other
times, you get scams like this where no applications exist. Someone had the
idea of putting together a fake program that claimed to exploit a genuine
application by revealing who-said-what
about you . Of course, this was all nonsense and the program infected your
PC with a horrible file of the attacker’s choosing. A simple but effective
attack technique.
December : We’d been writing about
various fake “work from home with Google” scams all year long, and it was nice
to see some of them finally being tickled
with the legal stick . Long may it continue.
We wound up the year with ZBot ,
in the form of a fake “Your VISA account has been compromised, download this
file to see what’s been going on” alert.
A wide-ranging set of attacks then, and a good indication (as if any were
needed) that social networks, popular culture, videogames and the lives of
celebrities will be targets for Botnets, exploits, scams, get rich quick
schemes and every fake program you can think of well into 2010. It will be
interesting to see how many 2.0 sites maintain a robust privacy policy (if such
a thing is even possible) in the face of potential earnings from ad revenue,
and how easy (or difficult) those policies will make it for those who want to
use that data for nefarious purposes.
Continue here: A Year In Security
