Monday, December 03, 2007

Censoring Web 2.0 - The Access Denied Map

Remember the World's Internet Censorship Map? This is a niche version of it that is "mapping the online censorship and anti-censorship efforts related to the Web 2.0". Compared to, for instance, Irrepressible, whose idea is to take advantage of the long tail of anti-censorship by allowing everyone to embed a badge that spreads censored content, the Global Voices Advocacy "seeks to build a global anti-censorship network of bloggers and online activists dedicated to protecting freedom of expression and free access to information online" and aims to act as a vehicle for communicating the censored information to the rest of the world, a far more pragmatic approach than having the censored bloggers figure out how to post the facts online themselves: they simply forward them to the GVA.

Just as it is important to take advantage of the wisdom of crowds, whose collective intelligence can in fact act as an early warning system, it is also important to educate those who cannot freely express their opinion on the process of expressing it.

Thursday, November 29, 2007

Malware Serving Online Casinos

Don't play poker on an infected table, part two. The following three online casinos are currently serving embedded malware in the form of IFRAMEs and the usual JavaScript obfuscation.

The first one is poker.gagnantscasino.com (213.186.33.4). Its current obfuscation loads statistics-gdf.cn/ad/index.php (116.0.103.133), where another layer of obfuscation, once deobfuscated, attempts to load p423ck.exe (Zlob) from statistics-gdf.cn/ad/load.php. Playing around with the host for too long results in zero malicious activity, or at least that is what they want you to think. Here's another internal URL: statistics-gdf.cn/ad/index.php?com

Detection rate: 7/32 (21.88%)
File size: 43008 bytes
MD5: 08f445712adcef5ef091378c51bbbaaa
SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb

Last week's obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 which is now down.

The second casino is fabispalmscasino.com (82.165.121.138), whose current obfuscation attempts to connect to the now-down stat1count.net/strong, a host residing on a netblock I covered before when showcasing a scammy ecosystem. The third one is sypercasino.com, which was resolving to 203.117.111.102 early this week and taking advantage of WebAttacker at sypercasino.com/biling/index.php. It now resolves to 58.65.236.10 and promotes banner.casino.com/cgi-bin/SetupCasino.exe

Detection rate: 9/32 (28.13%)
File size: 194077 bytes
MD5: 26da6f81349ff388d08280ababab9150
SHA1: f20e8fee439264915710f9478ec1e74583563851

It's interesting to monitor how the people behind these sites manually change the obfuscations to further expand their connections with other scammers, or the services and attack approaches they use, and even more interesting to see it happen on the fly, as at meds247.org for instance.
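The delivery pattern described in this post, a hidden IFRAME pointing at a second host plus a JavaScript layer built from unescape()/document.write() and long runs of %XX escapes, can be triaged offline with a small heuristic scanner. The following is an added example written for this page, not tooling from the original post; the page body is constructed, and the blocklist simply reuses the hosts named above.

```python
"""Heuristic scanner for a page carrying a hidden IFRAME plus obfuscated
JavaScript, the pattern described for the casino sites above.
Added example, not code from the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts named in the write-up, used here as a constructed blocklist.
BLOCKLIST = {"statistics-gdf.cn", "traffmaster.biz", "stat1count.net"}

# Obfuscation indicators and the weight each adds to the script score.
OBF_PATTERNS = [
    (re.compile(r"\beval\s*\("), 2),
    (re.compile(r"\bunescape\s*\("), 2),
    (re.compile(r"String\.fromCharCode"), 2),
    (re.compile(r"document\.write\s*\("), 1),
    (re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"), 3),    # long run of %XX escapes
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 3),  # long run of \xNN escapes
]

# Matches the string literal passed to unescape('...') or unescape("...").
UNESCAPE_CALL = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)


class _Collector(HTMLParser):
    """Collects <iframe> attributes and the raw text of each <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _is_hidden(attrs):
    """True when the frame is sized away (0/1 px) or styled invisible."""
    def tiny(value):
        try:
            return float(str(value).rstrip("px%")) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def obfuscation_score(script):
    """Sum the weights of every obfuscation indicator present in the script."""
    return sum(w for pat, w in OBF_PATTERNS if pat.search(script))


def peel_unescape(script):
    """Decode the %XX literals handed to unescape(), one layer deep."""
    return [unquote(lit) for _, lit in UNESCAPE_CALL.findall(script)]


def scan_html(page):
    """Return hidden-frame URLs, blocklisted hosts, decoded script fragments
    and a total obfuscation score for one page."""
    col = _Collector()
    col.feed(page)
    hidden = [a.get("src", "") for a in col.iframes if _is_hidden(a)]
    hosts = {urlparse(u).hostname for u in hidden} - {None}
    decoded = [frag for s in col.scripts for frag in peel_unescape(s)]
    score = sum(obfuscation_score(s) for s in col.scripts)
    return {
        "hidden_iframes": hidden,
        "blocklisted_hosts": sorted(hosts & BLOCKLIST),
        "decoded_fragments": decoded,
        "obfuscation_score": score,
        "suspicious": bool(hidden) or score >= 4,
    }


# Constructed sample pages for this example; the injected frame points at the
# host named in the post, the script decodes to the start of an <iframe> tag.
SAMPLE_PAGE = """<html><body><h1>Welcome to the casino</h1>
<iframe src="http://statistics-gdf.cn/ad/index.php" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22'));</script>
</body></html>"""
BENIGN_PAGE = """<html><body><iframe src="https://www.example.org/widget"
width="300" height="200"></iframe></body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE))
```

The score threshold and the one-layer unescape() peel are deliberately simple: in practice the decoded fragment is fed back into the scanner until no new script or frame appears, which is exactly the "another obfuscation loads" chain the post walks through by hand.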

Don't play poker on an infected table.

Wednesday, November 28, 2007

66.1 Host Locked

Having found a static pattern for identifying Rock Phish domains a couple of months ago, in the form of the bogus "209 Host Locked" message, it seems the Rock Phishers have picked up on the finding and recently changed the default domain message to "66.1 Host Locked". Here are the very latest Rock Phish domains using it:

business-eb.bbt.com.4rrt.es
ntu3ot1.com
nikogonet.com
ne5oe.com
nod-for-pc.com
sparkasse.de.4rrt.es
marip.com.es
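Two of the tells above lend themselves to automated triage: the static "209 Host Locked" / "66.1 Host Locked" default page, and the way a bank's domain (bbt.com, sparkasse.de) is buried as subdomain labels under a throwaway registered domain such as 4rrt.es. The code below is an added example for this page, not the author's tooling; the hostnames are the ones listed above, the page bodies are constructed, and the two-label registrable-domain rule is a stated simplification of a public-suffix lookup.

```python
"""Triage helpers for the two Rock Phish tells discussed above: the bogus
"209 Host Locked" / "66.1 Host Locked" default page, and brand domains buried
as subdomain labels of a throwaway registered domain. Added example, not the
post's own tooling."""
import re

# Both marker strings reported in the post, matched as a whole line.
HOST_LOCKED = re.compile(r"^\s*(?:209|66\.1)\s+Host\s+Locked\s*$",
                         re.IGNORECASE | re.MULTILINE)

# Brand domains that appear as decoy labels in the listed hostnames.
BRAND_DOMAINS = {"bbt.com", "sparkasse.de"}


def registrable_domain(host):
    """Last two labels of the host. A naive stand-in for a public-suffix
    lookup; adequate for the .com/.es names on the page (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def embedded_brand(host, brands=BRAND_DOMAINS):
    """Return the brand domain that occurs as a label sequence inside `host`
    while not being its registrable domain, otherwise None."""
    h = "." + host.lower().strip(".") + "."
    reg = registrable_domain(host)
    for brand in sorted(brands):
        if brand != reg and ("." + brand + ".") in h:
            return brand
    return None


def classify(host, body):
    """List the Rock Phish indicators found for one host and its root page."""
    reasons = []
    m = HOST_LOCKED.search(body)
    if m:
        reasons.append("default page marker: " + m.group(0).strip())
    brand = embedded_brand(host)
    if brand:
        reasons.append("brand domain embedded as subdomain: " + brand)
    return reasons


def triage(responses):
    """Map each host to its indicator list, dropping hosts with none."""
    out = {}
    for host, body in responses.items():
        reasons = classify(host, body)
        if reasons:
            out[host] = reasons
    return out


# Constructed root-page bodies for this example. The first three hostnames are
# from the post's list; www.bbt.com stands in for the legitimate brand site.
SAMPLE_RESPONSES = {
    "business-eb.bbt.com.4rrt.es": "66.1 Host Locked\n",
    "sparkasse.de.4rrt.es": "<html><body>Welcome</body></html>",
    "ntu3ot1.com": "209 Host Locked",
    "www.bbt.com": "<html><body>hello</body></html>",
}

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_RESPONSES).items():
        print(host, "->", "; ".join(reasons))
```

Note that sparkasse.de.4rrt.es is still flagged even though its constructed body carries no marker: the two checks are independent, which is the point of keeping a structural indicator next to a content indicator the phishers can, and did, change.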

Moreover, recently released survey results from Cloudmark, whose study into the Economics of Phishing is also worth going through, indicate that current and prospective customers of a brand lose trust in it if they are exposed to phishing emails pretending to be from that brand:

The survey revealed that:

- 42% of respondents surveyed feel that the trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand
- 41% of those surveyed felt that their trust in a bank would be greatly reduced if they received a phishing email claiming to be from that company, compared to 40% who felt the same for an ISP, 36% for an online shopping site and 33% for a social networking site
- 26% of those surveyed feel that they are the party most responsible for protecting themselves from phishing attacks, with 23% believing their Internet Service Provider (ISP) or email service provider is the most responsible and 17% thinking that the sender’s ISP and email service provider holds the greatest responsibility

The last point is perhaps the most insightful one, given that it has to do with self-awareness and responsibility: forwarding the responsibility to the provider of the email service and, best of all, seeking more responsibility in fighting outgoing phishing and spam compared to incoming.

Which CAPTCHA Do You Want to Decode Today?

Once you anticipate your success, you logically start putting more effort into achieving a decent level of efficiency in the process of breaking CAPTCHAs, and in between, of course, commercializing your know-how. CAPTCHA breaking, or decoding on demand, has been a reality for a while, with malicious parties empowered by proprietary tools, publicly available DIY CAPTCHA breakers, or services like this one doing it on demand.

The following service offers CAPTCHA decoding on a per web service basis, enticing future customers by providing the percentage of accuracy, the price, and the difficulty of breaking it. CAPTCHA decoding is listed for the following services: 9you, tiancity, cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, chinaren, monter, and baidu. The hardest to break CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ and Google. Moreover, Ticketmaster's is the most expensive one, followed by eBay's CAPTCHA decoding process.

What happens when malicious parties cannot directly decode the CAPTCHA? They figure out ways to adapt to the situation, namely by enjoying the benefits of the human factor in the process while sacrificing some of the efficiency, but continuing to achieve their objective.

Tuesday, November 27, 2007

A TrustedSource for Threats Intell Data

Following the series of posts on early warning security event systems, Secure Computing has just announced a major upgrade of its threat intell service:

"Secure Computing's TrustedSource acts like a satellite advanced-warning system for the Internet that detects suspicious behavior patterns at their origins, and then instructs security devices to take corrective precautions or action," said Dr. Phyllis Schneck, vice president of research integration for Secure Computing. "TrustedSource pinpoints reputation by looking at behavior and specific factors such as traffic volumes, patterns and trends, and enabling it to rapidly identify deviations from the norm on a minute-by-minute basis."

I've already mentioned the radical perspective of integrating all the publicly known IPs with bad reputation and, in effect, ignoring their online activities in order to prevent common problems such as click fraud. Think from the end user's perspective: what's the worst thing that could happen to both the average and the experienced end user? Try witnessing the situation in which an end user known to be infected with malware starts receiving messages like these, and will continue to receive them until a certain action is taken, presumably disinfecting themselves. Of course, it's more complex than it sounds, but start from the basics in terms of the incentives for end users to disinfect themselves, the masses of which aren't that socially oriented unless, of course, it's global warming and the possibility of a white Christmas you're talking about. Issuing an "Internet Driver's License" wouldn't work on an international scale, and even if it worked on a local scale somewhere in the world, it wouldn't really matter, since you'd have the rest of the world driving unsafely, and you'd be the only country that has fastened its seat belt. Here's an example of such a mode of thinking.
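The quoted description, reputation derived from traffic volumes and trends with deviations from the norm spotted minute by minute, is easy to illustrate with a per-source baseline check. The block below is an added example for this page; it is not TrustedSource's algorithm (which the announcement does not describe) and the connection log it scores is constructed. A host that normally opens two connections a minute suddenly opens forty, most of them to port 25, and gets a "throttle" verdict, the kind of corrective action the quote says is pushed to security devices.

```python
"""Toy behavioural reputation check in the spirit of the minute-by-minute
deviation detection described above: per-source connection counts are
compared with that source's own history and outliers are flagged for
throttling. Added example; not TrustedSource's algorithm, and the log data
is constructed."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed (minute, source_ip, dst_port) records: two steady hosts,
    one of which bursts SMTP connections in minute 10."""
    log = []
    for minute in range(11):
        log += [(minute, "10.0.0.5", 80)] * 2
        log += [(minute, "10.0.0.7", 443)] * 3
    log += [(10, "10.0.0.5", 25)] * 38   # 40 connections in minute 10 instead of 2
    return log


def minute_counts(log):
    """Per-source list of connection counts indexed by minute."""
    last = max(m for m, _, _ in log)
    counts = defaultdict(lambda: [0] * (last + 1))
    for minute, ip, _ in log:
        counts[ip][minute] += 1
    return dict(counts)


def deviations(counts, k=3.0, min_history=5):
    """Flag (ip, minute, count, baseline_mean) where count exceeds
    mean + k * stddev of that source's earlier minutes. The stddev is floored
    at 1.0 so a perfectly steady history still tolerates small jitter."""
    flagged = []
    for ip, series in counts.items():
        for minute in range(min_history, len(series)):
            history = series[:minute]
            base, spread = mean(history), max(pstdev(history), 1.0)
            if series[minute] > base + k * spread:
                flagged.append((ip, minute, series[minute], base))
    return flagged


def port_profile(log, ip, minute):
    """Destination-port breakdown for one source in one minute, for triage."""
    return Counter(p for m, src, p in log if src == ip and m == minute)


def verdicts(log):
    """Translate deviations into the corrective action a device would receive."""
    flagged = deviations(minute_counts(log))
    return {ip: "throttle" for ip, _, _, _ in flagged}


if __name__ == "__main__":
    sample = build_sample_log()
    for ip, minute, count, base in deviations(minute_counts(sample)):
        print(ip, "minute", minute, "count", count, "baseline", base,
              dict(port_profile(sample, ip, minute)))
    print(verdicts(sample))
```

Comparing each source with its own history, rather than with a global threshold, is what lets a quiet host's sudden SMTP burst stand out while a busier but steady host stays unflagged; the port breakdown is there so an analyst can see at a glance that the volume is outbound mail, not web traffic.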

Are You Botnet-ing With Me?

An informative and recently released study by ENISA on the problem of botnets, with a particular emphasis on how client-side vulnerabilities have surpassed email attachments and downloading of infected files as infection vectors. Not because these aren't working, but because the botnet masters' attitude towards achieving malicious economies of scale has changed. While we can question whether they really put that much effort into strategizing this, let's say they stopped pushing malware and started coming up with ways for the end users to pull it themselves:

"The most common infection methods are browser exploits (65%), email attachments (13%), operating system exploits (11%), and downloaded Internet files (9%). Currently, the most dangerous infection method is surfing to an infected webpage. Indications of a bot on your computer include e.g.: Slow Internet connection, strange browser behavior (home page change, new windows, unknown plug-ins), disabled anti-virus software; unknown autostart programs etc."

Here's the entire publication - "Botnets - The Silent Threat" by David Barroso.