Jan 26 15

Defending Against Spear Phishing, RAT Deployment and Email Tracking

by Pierluigi Paganini

Gary Miliefsky explains how Spear Phishing works, as well as Email Tracking, which allows the sender to collect very useful data on the recipient.


In my 2015: Year of the RAT Threat Report, I described how I felt Sony Pictures Entertainment (SPE) was attacked by the Guardians of Peace, aka #GOP.  In this supplement, I would like to cover how Spear Phishing works as well as Email Tracking, including commercial tools that are freely available for trials or limited email sending, which allow the sender to collect very useful data on the recipient, including the kind of data hackers typically use to exploit a common vulnerability and exposure (CVE; I serve on the CVE Board, and its sister search engine site, funded by the US Department of Homeland Security, lets you, for free, track and find any vulnerabilities in your network equipment, computer, operating system and software that might be used to exploit you).

Finding and Exploiting Vulnerabilities

It works like this – first you need to find email servers with vulnerabilities (CVEs) and then exploit them to eavesdrop upon and track others’ emails.  This will then allow you to build up a contact list and learn what kind of messages a person sends, receives and opens, thus allowing you to spoof a trusted party and attach a remote access Trojan (RAT).  I’m not telling you this to recommend you commit crime – in fact, I’m 100% against you doing so.  However, without understanding why and how you might become a victim of a Spear Phishing attack with an embedded RAT attachment, or even exploitation of vulnerabilities in your email client or web browser, how can you expect to defend yourself?  Just watch and you’ll see loads of attacks against EMAIL SERVERS in the USA.  Why?  Because the first step in reconnaissance (RECON) for a spear phishing attack is to break into a mail server, or find a recipient you can victimize, so that you can later spoof an email to their important friend, boss or business associate who is your ultimate target.

What is the difference between Spear Phishing and Email Tracking? 

Typically, Spear Phishing attacks are very targeted, going after one individual.  Usually, email tracking is used by marketers to make sure you opened an email they sent you and to collect additional information about you.  Lately, due to the proliferation of free email tracking offerings, anyone from a debt collector to your local dentist or attorney or even a jealous spouse might use email tracking services to ‘check up on you’, which now includes GEOLOCATION technology.

Email tracking generally will use a hidden cookie and a web bug (also known as a web beacon) to track the email.  Spear Phishing will usually attach a RAT to the email hoping you will trust the spoofed sender and open the attachment, then causing a much more painful and deeper infection that may go unnoticed until it’s too late, as in the case of Sony Pictures Entertainment.

Email tracking will tell the person tracking the email when an email was received, opened, and forwarded.  It can tell when attachments or hyperlinks were opened and clicked.  It can determine how long someone was reading the email.  It can also collect information about the geolocation of where it was opened.  In addition, it can reveal your computer’s operating system and the email client or web browser you are using to read the email.

Email tracking is used by individuals, email marketers, spammers, hackers, cyber criminals and phishers to verify that emails are actually read by recipients, that email addresses are valid, and that the content of emails has made it past spam filters.  When used maliciously, it can be used to collect confidential information about businesses and individuals and to create more effective phishing schemes.  Most likely, email tracking was employed with a spear phishing attack on Sony Pictures to learn what kind of environment they had inside their network and then to attack them with a Remote Access Trojan (RAT) through email.

There are dozens of email tracking companies and software packages to choose from, with leading companies including icontact, constant contact, didtheyreadit, getresponse, activecampaign, interspire, getnotify, mxhero, litmus, yesware and so many more.  Now anyone can afford email tracking because most sites offer either a limited free account or a free trial.  On the limited free accounts you can only send so many tracking emails each day, but they are completely free.  Others offer a trial period, such as a 7-day free trial.

Is Email Tracking Creepware?

Email tracking can be considered #CREEPWARE because if you don’t inform the recipient of your privacy policy, they may not know they are being eavesdropped upon.  On the other hand, for business purposes the argument is that you don’t have to send a follow-up email and annoy someone to see if they opened or read your email.  The business argument is that you will learn how to better communicate with your customers.

What other ways are we being tracked?

Email tracking is only a part of the tracking process.  Most folks have smartphones with apps that track them in even creepier ways every day.  Companies that want to track you will use your email and your apps on smartphones and tablets, while search engines and social media sites like Facebook and others will continue to expand their invasive eavesdropping on our behavior.  The fact that email tracking is free and easy for anyone to try out and use means it will probably continue to grow as another tracking arrow in the marketing or creepware quiver.

Beyond normal marketers, spammers, hackers, cyber criminals and phishers, some folks, including spouses, might use this method to make sure their spouse is where they say they are, and some companies, including HP, have used it to make sure Board members weren’t leaking information to the press or Wall Street analysts.  Even investigators, attorneys, skip tracers for debtor or fugitive tracking, and collection companies are using this tool to track people down.

Most people don’t realize how our emails are being tracked.  They simply open their emails, read them, ignore them or delete them and move on to the next email.  Most people don’t have antispam technology enabled, and many of these emails get past spam and antivirus filters.  I think it’s creepy for folks to use email tracking, even if it passes legal muster, without informing the recipient at the bottom of each of these emails and offering them an opt-out option.  Privacy is good for business, and job seekers should also show they respect the privacy of the recipient, especially someone who might consider hiring them.  It is alarming if a predator, stalker, spouse or ex-spouse uses email to track you for their own creepy reasons.

While Spear Phishing is Illegal, is Email Tracking Legal?

It is legal to track email.  There are rules about spam and there are rules about bugging and eavesdropping on conversations but not about email.  It’s always best to disclose that you’re using tracking tools to make sure the email gets to the right recipient and so that you won’t have to bother them to see if they received and opened it.

However, here’s where it gets really creepy.  Imagine a stalker was trying to find out where you lived.  If you opened their email, they could start to collect geolocation information on you as well as the ‘fingerprint’ of your computer and/or email client.  This is the first part of a smarter attack known as spear phishing – they might use this to then find the right malware to attack your operating system, email or web client and install a RAT – a remote access Trojan, which is even creepier software that watches you through your webcam and listens to you through your microphone.

If you want to legally and legitimately use email tracking for marketing or other purposes, I recommend folks put together a very positive and honest privacy policy or privacy statement in the bottom of these tracking emails so the recipients don’t become victims.

How can you tell it’s a Spear Phishing or Email Tracking Attack?

If it’s an email that doesn’t look like it contains a picture, the tracking cookie is usually an invisible picture – so turning off ‘display images automatically’ is the first hint.  If you simply use TEXT-only mode to read your emails instead of HTML, you’ll know right away.  If there’s an attachment you were not expecting, or if it seems ‘fishy’, it’s probably a Spear Phishing attack.  If you find a tiny white graphic that’s one pixel in size, it’s usually an Email Tracking attack.  However, Spear Phishing attacks may also use this technology, but they haven’t in the past because it tips off the victim.

Defending Against Both Spear Phishing and Email Tracking Attacks

What is the simplest thing you can do to defend against this kind of attack?  Change your email client settings to only display TEXT instead of HTML emails.  When the email arrives, it might not look as pretty, but you can still read it.  If the entire email is a picture, you know it’s spam or email tracking.  You won’t enjoy missing the pretty colors, HTML hyperlinks, graphics and attachments, but simple TEXT-ONLY email is the answer.  You simply cannot be victimized if you only read the text portion of the email message.  That means an email client or special plug-in that renders the email as text only.  Good news for major email clients such as Microsoft® Outlook: all you have to do is change your security settings and you can make sure all hyperlinks are turned into text, all emails are read as text only and attachments are rejected.
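The two defensive points above (spotting the one-pixel tracking image, and reading only the text part while rejecting attachments) can be automated. The following is an added example for this article, not the author’s code; the sample message, its hostnames and the heuristics for what counts as a beacon are constructed for illustration.

```python
"""Triage an email the way the article recommends: read the text part only,
flag attachments, and point out images that behave like tracking beacons.
Added example (not the author's code); the sample message and all hostnames
below are constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """'1' or '1px' -> 1; missing or non-numeric -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def classify_img(attrs):
    """Return the reasons an <img> looks like a web beacon ([] means benign)."""
    url = urlparse(attrs.get("src", ""))
    if url.scheme not in ("http", "https"):
        return []  # cid:/data: images cannot phone home when rendered
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    m = re.search(r"(?<![a-z-])width:(\d+)", style)   # inline CSS wins
    w = int(m.group(1)) if m else w
    m = re.search(r"(?<![a-z-])height:(\d+)", style)
    h = int(m.group(1)) if m else h
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("1-pixel dimensions")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    # A long opaque token in the query string ties the fetch to one recipient.
    tokens = [v for vals in parse_qs(url.query).values() for v in vals
              if re.fullmatch(r"[A-Za-z0-9_-]{16,}", v)]
    if tokens:
        reasons.append("opaque per-recipient token in query string")
    if re.search(r"/(open|track|pixel|beacon)\b", url.path, re.I):
        reasons.append("tracking-style URL path")
    return reasons


def find_beacons(html):
    """(src, reasons) for every suspicious <img> in an HTML body."""
    parser = _ImgCollector()
    parser.feed(html)
    found = []
    for img in parser.imgs:
        reasons = classify_img(img)
        if reasons:
            found.append((img.get("src", ""), reasons))
    return found


def triage_message(raw):
    """Text-only view of a raw message plus what a text-only client drops."""
    msg = message_from_string(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    return {
        "text": text.get_content().strip() if text is not None else "",
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "beacons": find_beacons(html.get_content()) if html is not None else [],
    }


# Constructed sample: a spoofed "invoice" mail carrying a beacon, a normal logo,
# an inline (cid:) image, a hidden spacer and an executable attachment.
SAMPLE_HTML = """<html><body><p>Alice, please review the attached invoice.</p>
<img src="https://t.example-tracker.invalid/open?u=Ab12Cd34Ef56Gh78Ij90&amp;c=42" width="1" height="1" alt="">
<img src="https://www.example.com/logo.png" width="200" height="60" alt="logo">
<img src="cid:photo1" width="1" height="1">
<img src="https://cdn.example.com/spacer.gif" style="display: none">
</body></html>"""


def build_sample():
    m = EmailMessage()
    m["From"] = "boss@example.com"
    m["To"] = "alice@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Alice, please review the attached invoice.")
    m.add_alternative(SAMPLE_HTML, subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_string()


if __name__ == "__main__":
    report = triage_message(build_sample())
    print("TEXT:", report["text"])
    print("ATTACHMENTS (not opened):", report["attachments"])
    for src, why in report["beacons"]:
        print("BEACON:", src, "->", ", ".join(why))
```

Running it on the constructed message yields the plain text, the attachment name to be handled out of band, and two flagged images: the 1x1 `/open` beacon with its per-recipient token, and the CSS-hidden spacer.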

This may start out making your day difficult, where you would then ask folks to send you attachments in a different fashion, but then you know it’s really from them.  For example, unless and until DropBox, Filesanywhere, Box or similar services get hacked (which does happen from time to time…so be aware and stay vigilant), you can tell all your friends, coworkers and business associates you only accept attachments in a DropBox type service.  I wouldn’t recommend using Apple iCloud, Amazon Cloud, Microsoft Cloud Drive or Google Cloud Drive as they are targeted by hackers daily.  Look for a less known service that offers encryption and stronger guarantees. Then, when someone is going to send you a file, tell them – don’t use email, send it to this link (you provide them a way into your DropBox) and then before opening any of these attachments, you download them and then run them through your favorite antivirus scanner.  If you are serious about security, run it through one of these:

  • which has over 40 different antivirus scanners that it runs on your file upload to determine if it’s malware.
  • which has currently 42 different antivirus scanners and like virustotal will accept file uploads that are over 100mb if need be to be scanned for detection of malware.
  • which has been around for a while only accepts 25mb file size uploads and quickly runs them through about 22 antivirus scanners to check for malware.

It’s time we treat privacy respectfully.  It’s good for people and for businesses to respect others’ right to privacy.  If you want to track an email, tell the recipients you are using email tracking technology.  Sure, it can be a 4-point font at the bottom of the email, but at least you’re being honest about it.  And for folks worried about their privacy, only receive emails in a TEXT viewing mode and you’ll be safe.  Consider this one more lesson we’ve learned from the Sony Pictures Entertainment breach.

Getting More Proactive and One Step Ahead of the Next Threat

As I said recently on BNN in Canada, in the segment entitled Go Phish: The Rise of Hacking – Part Three, the biggest threats we face this year are:

  • Spear phishing (targeted email) attacks
  • Remote Access Trojans (RATs) which are used to control a computer in another location
  • Mobile Devices loaded with eavesdropping malware in the form of trusted and free apps

It’s time consumers, small office/home office (SOHO) users and small to medium sized businesses (SMBs), as well as large enterprises, get more proactive and assume they already have vulnerabilities and malware.  Start with:

  • Training employees better
  • Hardening systems
  • Detecting and removing RATs
  • Deploying full disk encryption and real-time backups
  • Defending against phishing attacks
  • Managing the BYOD (Bring Your Own Device) dilemma

If you’re an SMB or Enterprise, you should take the following steps right away before you become the next victim:

  • Educate employees against social engineering and phishing attacks.
  • Make sure you encrypt computers, hard drives, databases and all the data.
  • Make sure you enforce better password management policies.
  • Run and test frequent backups and disaster recovery plans.
  • Create and manage corporate security policies around the standards such as ISO 27001 or COBIT.

About The Author


Gary Miliefsky is the CEO of SnoopWall and inventor of the company’s new Counterveillance technology.  He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine and as cover story author and regular contributor to Hakin9 Magazine.  He also founded NetClarity, Inc., an internal intrusion defense company, based on a patented technology he invented.  He is a CISSP® and a member of the Advisory Board of the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University.  He also advised the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace.  Miliefsky is a Founding Member of the US Department of Homeland Security, serves on the advisory board of MITRE on the CVE Program and is a founding Board member of the National Information Security Group.

Jan 26 15

Topface data breach – 20 Million records exposed

by Pierluigi Paganini

Topface, the Russian-based dating site, has been hacked; user names and e-mail addresses of 20 million visitors are being offered for sale online.

Nearly 20 million user names and e-mail addresses of visitors to the Russian-based dating website Topface have been offered for sale online; the news was first reported by Bloomberg.  According to Daniel Ingevaldson, chief technology officer of fraud-detection software maker Easy Solutions Inc., the Topface website has been hacked and attackers have stolen usernames and passwords of its users in order to sell them online.
Fifty percent of the Topface credentials belong to Russian users, while 40 percent belong to European visitors.
“These aren’t credit cards, but this is a tier-one breach,” said Ingevaldson. “These credentials are like the iron ore of the cybercrime industry.”
The company did not respond to a request for comment, nor has it provided details on the incident.  Ingevaldson later clarified that it is no longer certain that users’ passwords were also stolen, as he originally reported to Bloomberg.
Data breaches are always dangerous for unaware users who share the same credentials across various web services.  Users’ credentials are precious commodities in the underground market, and criminal organizations acquire and use them for different kinds of online fraud, including bank account takeover.  Cyber criminals use a wide range of automated tools to search for other sites where victims reused the same credentials they used to access the dating site.

Ingevaldson discovered the data breach by noticing a posting by the person allegedly responsible for the data theft, who used the alias ‘Mastermind,’ on an online forum used by criminals to sell illegal products.  The collection of stolen data includes email addresses belonging to nearly 345,000 different domain names.

“Seven million of the people that logged in to the St. Petersburg-based dating site used, 2.5 million used, and 2.3 million used” reported Bloomberg.

Unfortunately, cases like this are not isolated; investigators are expecting a domino effect in the coming weeks that may result in the compromise of several accounts used by the victims online.

Stay Tuned …


January 26 – UPDATE

Topface published the statement below:

Concerning the information that 20 mln user names and emails of Topface users were hacked we would like to state the following:

1. At the moment we do not have any proven information that any data was stolen from Topface. We have a sophisticated security system and will investigate whether we were hacked or not.

2. Almost all our users use Facebook and other social networks authorisation to access Topface and we have no access to their passwords or any secure data. We also never keep any payment information or other secure information about our users. All the data that we have is e-mail address which cannot be used alone to access any secure data. That is why we are pretty sure that our users will not have any problems even if any data was stolen from our service.

Pierluigi Paganini

(Security Affairs – Topface, data breach)

Jan 26 15

Alleged Lizard Squad members hacked Malaysia Airlines. Are They linked to the IS?

by Pierluigi Paganini

The Malaysia Airlines website was hacked by hackers who claimed to be from the Lizard Squad, but who referenced the IS and the Cyber Caliphate.

The Malaysia Airlines website was hacked by alleged members of the popular collective “Lizard Squad”; curiously, the hackers also referenced Islamic State jihadists.

Malaysia Airlines released an official statement confirming that its domain name had been compromised and that visitors were being hijacked.  The company has reported the incident to Malaysian authorities.

“At this stage, Malaysia Airlines’ web servers are intact,” reported Malaysia Airlines.  “Malaysia Airlines assures customers and clients that its website was not hacked and this temporary glitch does not affect their bookings and that user data remains secured,” it said.

The Lizard Squad reached a peak of popularity at Christmas, when a series of DDoS attacks paralyzed the networks of Sony PSN and Xbox Live.

In the following weeks, the group put its DDoS service Lizard Stresser on the market, then some of its alleged members were arrested by the police, and finally the database of their DDoS tool was hacked and published online.

The question is … why did Lizard Squad hack Malaysia Airlines?

Lizard Squad announced via Twitter the imminent disclosure of the database used by the official website of the company.

“Going to dump some loot found on servers soon.”


Visitors to the website were redirected to another page displaying the message:

“404 – Plane Not Found” – “Hacked by LIZARD SQUAD — OFFICIAL CYBER CALIPHATE”.


Experts speculate that the message refers to the loss of flight MH370, which disappeared with 239 people aboard.

What is the link with the Cyber Caliphate and ISIS?  Some media outlets report that the defacement page displayed in some countries included the message “ISIS will prevail”.

Is it possible that Lizard Squad is supporting the same people who beheaded the Japanese security contractor Haruna Yukawa?

Malaysia is one of the nations in which ISIS is gathering a troubling level of support; last week local authorities revealed they had detained 120 people suspected of links with IS or of planning to travel to Syria.

Pierluigi Paganini

(Security Affairs – Malaysia , Lizard Squad)

Jan 26 15

Davos – experts warned about major cyberattacks

by Pierluigi Paganini

Davos World Economic Forum Annual Meeting 2015 – The elite of experts confirms the rising technological risks, notably cyber attacks.

The World Economic Forum in Davos brings together some 2,500 of the top players in the spheres of politics, finance and business.  The elite of experts meeting in Davos for the World Economic Forum Annual Meeting 2015 warned the world about catastrophic cyberattacks.

Eugene Kaspersky, CEO of Kaspersky Lab, has no doubts about our exposure to cyber attacks: our attack surface will increase even more.  This means that a growing number of cyber threats will menace a society that is increasingly dependent on IT.  New paradigms, such as the Internet of Things, will increase the likelihood of being hacked.

“What you call the Internet of Things, I call the Internet of Threats,” he told the assembled global political and business movers-and-shakers, explaining that a new family of devices, including smart TVs, will be the primary vector for a new generation of threats.  “The worst of the worst scenarios is an attack on a big infrastructure, a power plant.  If there’s no power, the rest of the world doesn’t work,” Kaspersky cautioned.

The Estonian President Toomas Hendrik Ilves explained that criminal syndicates could create serious problems without having outstanding capabilities.  Criminals can strike anywhere at any moment; they can steal our data and compromise our systems.

“You can wreak havoc in all kinds of ways,” said Ilves. “Basically nothing is safe.”

Cybercriminals, state-sponsored hackers and cyber terrorists are threatening our society.  These actors do not operate in a disconnected manner; their forces overlap, giving rise to a threat that is difficult to mitigate.

“Governments pay criminals … I call it the ‘little Green Men-isation of cyber space’ — you don’t know who’s doing it,” Ilves said, referring to the Russian “Little Green Men” secret service agents accused of engineering the annexation of Crimea last year.

Jean-Paul Laborde, head of the UN’s counterterrorism unit, confirmed that organized crime and extremist groups such as Islamic State cannot be approached as disjoint phenomena: they are closely related and are threatening global stability.

“They even attack now … in a low key way … police infrastructure, in order to block police action against them outside their territories,” said Laborde.

The fight against these threat actors requires a joint effort by governments, law enforcement and intelligence agencies, which must share an international legal framework to bring these criminals to justice.

A shared legal framework could help law enforcement operate on a global scale by overriding the differences between local laws across nations.

The experts also warned about the risks of introducing “backdoors” into communications systems to track criminal activities and prevent attacks.  The presence of backdoors, as recently requested by British Prime Minister David Cameron, represents a serious threat to the security of everyone.  These backdoors could be exploited by foreign governments to spy on adversaries and by cyber criminals for illicit activities.

Let’s close by taking a look at “The Global Risks Report 2015”; in particular, I have extracted a couple of interesting graphs for you.  The following picture shows the map of the most likely and most impactful global risks.

Cyber attacks are considered events with high impact and high likelihood as confirmed in the report:

“2015 differs markedly from the past, with rising technological risks, notably cyber attacks, and new economic realities, which remind us that geopolitical tensions present themselves in a very different world from before.”

[Figure: Global Risks Landscape 2015, World Economic Forum, Davos]


The second graph illustrates the close relationship between cyber attacks and other technological risks, and their links to other adverse events.

[Figure: Global Risks Interconnections Map 2015, World Economic Forum, Davos]

Pierluigi Paganini

(Security Affairs – Davos, World Economic Forum)

Jan 25 15

Adobe issued the update to fix CVE-2015-0311 zero day

by Pierluigi Paganini

Adobe released a security update that also fixes the zero-day vulnerability CVE-2015-0311, discovered by Kafeine in the latest release of the Angler exploit kit.

The French security expert Kafeine recently discovered an unpatched vulnerability (0day) in Flash Player that is being exploited by the Angler Exploit Kit.

The new variant of the Angler exploit kit exploits three different vulnerabilities in Flash Player, including the zero-day flaw (tracked as CVE-2015-0311) affecting the latest version of Flash in several versions of Internet Explorer running on Windows 7 and Windows 8.

Adobe recognized this flaw as a critical vulnerability and it immediately started the investigation on the new Angler exploit kit to develop a security update to secure its customers.

The new Angler exploit kit also includes code to exploit two known vulnerabilities, but the security industry was alarmed by the presence of a zero-day in Flash that was being used in the wild to install the Bedep malware.



“A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” warned Adobe in an Adobe Security Bulletin.

Security experts noticed that attackers that are exploiting the vulnerability in the wild via drive-by-download attacks are targeting systems running Internet Explorer and Firefox on Windows 8.1 and below.

On January 24, Adobe issued a security update that fixes the vulnerability.  As explained by the company, users who have enabled auto-update for the Flash Player desktop runtime will receive the update, which also fixes CVE-2015-0311.

Adobe also announced that the manual download for the update will be available during the week of January 26.  Adobe is working with distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.

“This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.” states the security advisory.

If you have doubts about the Adobe Flash Player version installed on your machine, verify it by browsing the About Flash Player page.

Pierluigi Paganini

(Security Affairs – Adobe Flash Player, zero day CVE-2015-0311)

Jan 25 15

Law enforcement using Range-R devices to see through walls

by Pierluigi Paganini

At least 50 US law enforcement agencies have quietly deployed Range-R radars that let them effectively see inside homes through the walls.

Edward Snowden has confirmed our suspicions about the massive surveillance programs of the US government, but the news we are going to discuss here is very disturbing.

At least 50 U.S. law enforcement agencies are using a technology that allows agents to see through the walls of buildings to spy on the people inside, once again raising privacy questions.

According to a report from USA Today, several dozen law enforcement agencies, including the Federal Bureau of Investigation (FBI) and the U.S. Marshals, have secretly been using the new radars in recent years.  The uncomfortable truth was revealed last month during a court hearing in Denver.

The equipment used by law enforcement is the Range-R, a device that uses radio waves to detect the slightest movements, including breathing, from as much as 50 feet away.

“RANGE-R is a highly sensitive handheld radar system designed to detect and measure the distance to moving and near-stationary personnel through walls constructed of common building materials.” reports the official website of the company that commercializes it.

The news was confirmed by a police officer during the court hearing; the officials described the Range-R as a “hand-held Doppler radar device. It picks up breathing, human breathing and movement within a house.”


“Agents’ use of the radars was largely unknown until December, when a federal appeals court in Denver said officers had used one before they entered a house to arrest a man wanted for violating his parole. The judges expressed alarm that agents had used the new technology without a search warrant, warning that ‘the government’s warrantless use of such a powerful tool to search inside homes poses grave Fourth Amendment questions.’” states the post published by USA Today.

The US Marshals Service began using the Range-R radars in 2012, and official documents confirm that it has so far spent at least $180,000 to buy this equipment.

“The Range-R’s maker, L-3 Communications, estimates it has sold about 200 devices to 50 law enforcement agencies at a cost of about $6,000 each.” reports USA Today.

The Range-R is easy to use: agents just have to hold the device against the outside of a building to scan for movement inside it.  The Range-R can detect radio waves bouncing off a moving object and classify it as either a “mover” (more active) or a “breather” (less active).


The official website of L-3 CyTerra reports the following description for the Range-R:

  • The device covers a conical view of 160 degrees and works in a range of around 50 feet.
  • The sensitivity of the Range-R is sufficient to detect people breathing, making it difficult for individuals to hide from Range-R.
  • It will “penetrate most common building wall, ceiling or floor types including poured concrete, concrete block, brick, wood, stucco, glass, adobe, dirt, etc. However, it will not penetrate metal.”
  • If a wall is saturated with water, this also may reduce the device’s effect.

I’m not surprised that law enforcement needs to use advanced technology in order to fight crime and terrorism.  This kind of technology is crucial to operations run by the authorities, such as anti-terrorism and many others.

I understand the fear of many citizens of being unfairly spied on, which is why it is right to require authorization by a court through a search warrant, but we also have to understand that in certain situations time is a crucial factor … nobody will use a Range-R to look into your home.

Pierluigi Paganini

(Security Affairs – Range-R, law enforcement)

Jan 25 15

Click-fraud malware drives millions of views to YouTube videos

by Pierluigi Paganini

Scammers are earning advertising revenue by spreading click-fraud malware Tubrosa, which sends compromised computers to their YouTube videos.

A new click-fraud malware campaign is aimed at earning money by using the victim’s machine to view YouTube videos and profiting from the ads embedded in them.
The malicious campaign, discovered by experts at Symantec, has targeted users around the world for months by serving a malware dubbed Tubrosa.  The click-fraud Trojan Tubrosa is composed of two modules: one that is delivered via spear-phishing emails and a second one that is downloaded and run by the first component.
“A few weeks ago, we noticed a two-component click-fraud malware (detected as Trojan.Tubrosa) taking advantage of the YouTube Partner Program. The attackers compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views. This allows the scammers to take advantage of the YouTube Partner Program validation process and monetize their fraudulent activity.” states a blog post published by Symantec.
The Tubrosa click-fraud malware receives a list of nearly a thousand YouTube links from the C&C server and opens them in the background on the infected machine.  The malicious code uses some tricks to avoid arousing suspicion: it turns down the volume of the speakers while it opens the videos in the background, and if Adobe Flash Player is not installed on the infected machine, the malware downloads and installs it so that the videos can be viewed.
Click-fraud malware campaign tubrosa

A possible indicator of infection is a significant performance degradation of the victim’s machine.
“The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google security checks, the malware dynamically changes the referrer (REFS.txt) and the useragent (UA.txt) using two PHP scripts. This allows the malware to pretend to be a new connection to Google servers, appearing like a different user is connecting to the same videos,” reports Symantec.
According to Symantec, the scammers started distributing the malware in August 2014, and the campaign is still ongoing. The Tubrosa click-fraud malware has mainly infected systems in South Korea, India, Mexico and the US.
Tubrosa Click-fraud malware
Symantec researchers estimate that the scammers have so far earned several thousand dollars via this click-fraud campaign alone; it is impossible to know for sure, but they do not exclude that the same actors are running other similar campaigns at the same time.

To prevent computers from being compromised by click-fraud malware such as Trojan.Tubrosa, Symantec recommends the following best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Use comprehensive security software
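The referrer and user-agent rotation Symantec describes is, seen from the video host’s side, itself a detectable signal: one client address that presents a new browser and a new referring page on every view is not a crowd of viewers. The Python detection below is an added example written for this article, not code from Symantec or from the Tubrosa analysis; it parses combined-format web server log lines (the sample lines are constructed, using RFC 5737 test addresses) and flags sources whose diversity of user agents and referrers is implausible for a single host. The thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Combined log format (Apache/nginx): the two quoted fields at the end are the
# referrer and the user agent, exactly the fields Tubrosa rewrites per request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def find_fake_viewers(lines, max_agents=3, max_referrers=3, min_videos=5):
    """Group requests by client IP and flag sources that watched many videos
    while presenting an implausible number of user agents and referrers.
    Returns {ip: [reason, ...]}. Thresholds are assumptions for illustration."""
    per_ip = defaultdict(lambda: {"ua": set(), "ref": set(), "videos": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["ua"].add(rec["ua"])
        s["ref"].add(rec["referrer"])
        if "/watch?v=" in rec["path"]:
            s["videos"].add(rec["path"])
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        if len(s["ua"]) > max_agents:
            reasons.append("%d distinct user agents from one IP" % len(s["ua"]))
        if len(s["ref"]) > max_referrers:
            reasons.append("%d distinct referrers from one IP" % len(s["ref"]))
        if reasons and len(s["videos"]) >= min_videos:
            flagged[ip] = reasons
    return flagged


# Constructed sample: 203.0.113.5 behaves like a Tubrosa bot (new user agent and
# referrer on every view); 198.51.100.7 behaves like a person with one browser.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jan/2015:10:00:01 +0000] "GET /watch?v=vid001 HTTP/1.1" 200 5120 "http://blog-a.test/" "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0"',
    '203.0.113.5 - - [25/Jan/2015:10:00:09 +0000] "GET /watch?v=vid002 HTTP/1.1" 200 5120 "http://blog-b.test/post" "Mozilla/5.0 (Macintosh) Safari/8.0"',
    '203.0.113.5 - - [25/Jan/2015:10:00:17 +0000] "GET /watch?v=vid003 HTTP/1.1" 200 5120 "http://forum-c.test/thread/1" "Mozilla/5.0 (X11; Linux) Firefox/35.0"',
    '203.0.113.5 - - [25/Jan/2015:10:00:25 +0000] "GET /watch?v=vid004 HTTP/1.1" 200 5120 "http://news-d.test/" "Mozilla/5.0 (iPhone) Mobile Safari/8.0"',
    '203.0.113.5 - - [25/Jan/2015:10:00:33 +0000] "GET /watch?v=vid005 HTTP/1.1" 200 5120 "http://site-e.test/page" "Opera/9.80 (Windows NT 6.1) Version/12.16"',
    '203.0.113.5 - - [25/Jan/2015:10:00:41 +0000] "GET /watch?v=vid006 HTTP/1.1" 200 5120 "http://site-f.test/" "Mozilla/5.0 (Android 4.4) Chrome/38.0 Mobile"',
    '198.51.100.7 - - [25/Jan/2015:10:01:02 +0000] "GET /watch?v=vid001 HTTP/1.1" 200 5120 "http://search.test/?q=vid" "Mozilla/5.0 (Windows NT 6.3) Chrome/39.0"',
    '198.51.100.7 - - [25/Jan/2015:10:04:40 +0000] "GET /watch?v=vid010 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.3) Chrome/39.0"',
    '198.51.100.7 - - [25/Jan/2015:10:09:15 +0000] "GET /watch?v=vid011 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.3) Chrome/39.0"',
]

if __name__ == "__main__":
    for ip, reasons in find_fake_viewers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample, only 203.0.113.5 is flagged; a real deployment would add a time window and also correlate with the fact that every flagged view comes from consumer addresses rather than data centers, which is what a botnet of infected home machines looks like.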

Pierluigi Paganini

(Security Affairs – Click-fraud malware, YouTube)

Jan 24 15

SplashData published the list of Worst passwords of 2014

by Pierluigi Paganini
Worst Passwords 2014

SplashData has published its annual report on the use of passwords, which includes the list of the worst passwords of 2014.

Here we analyze the annual study published by SplashData, titled “123456” Maintains the Top Spot on SplashData’s Annual “Worst Passwords” List, on the use of passwords. Which are the most common passwords used by users? Despite numerous recommendations, do users choose strong passwords?

SplashData analyzed more than 3.3 million passwords leaked and publicly released in 2014, from which the researchers derived the top 25 most common passwords.

“The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.” states the report.

The top 25 most common passwords represent 2.2% (about 72,600 passwords) of the overall leaked passwords analyzed by the study.

Comparing the data with the results of previous SplashData reports, only 2.2 percent of passwords now come from that list, which represents a significant decline in the use of the weakest passwords.

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” said Mark Burnett, author of “Perfect Passwords”. “The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

People are becoming more aware of the need for strong passwords to protect their digital identity, but it is important to highlight that single-factor authentication is not enough to protect us.

“As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.” said Morgan Slain, CEO of SplashData.

The number of data breaches is still increasing, as is their overall cost, as confirmed by the study published by the Ponemon Institute.

Let’s go deeper into the report, starting from the results of the previous year:

Worst Password Infographic-2013-rev011814

and let’s compare it with the data that emerged from this year’s study:

Worst Passwords 2014

That’s incredible! The situation hasn’t changed for the top two passwords, which remain the same as in 2013: ‘123456’ and ‘password’ are still the most used.

The new entries in the “Worst Passwords” list are the words ‘baseball’, ‘dragon’ and ‘football’; extending the analysis to the top 100 passwords, the newcomers include ‘michael’, ‘mustang’, ‘superman’ and ‘batman’.

Analyzing the list of worst passwords published in the study, it is easy to recognize the propensity of users to adopt their favorite sport, birthday, birth year or baby names as passwords.

Here’s the complete list.

1) 123456
2) password
3) 12345
4) 12345678
5) qwerty
6) 1234567890
7) 1234
8) baseball
9) dragon
10) football
11) 1234567
12) monkey
13) letmein
14) abc123
15) 111111
16) mustang
17) access
18) shadow
19) master
20) michael
21) superman
22) 696969
23) 123123
24) batman
25) trustno1

The list above shows a persistent inclination towards numeric patterns, but passwords composed of keyboard sequences are also very dangerous, such as “qwertyuiop,” the top row of letters on a standard keyboard, or similarly “1qaz2wsx,” which comprises the first two ‘columns’ of numbers and letters on a keyboard.

“Don’t use your birthday or especially just your birth year — 1989, 1990, 1991, and 1992 are all in the top 100. While baby name books are popular for naming children, don’t use them as sources for picking passwords. Common names such as “michael,” “jennifer,” “thomas,” “jordan,” “hunter,” “michelle,” “charlie,” “andrew,” and “daniel” are all in the top 50.” continues the study.

If you see one of your passwords in the above list … don’t waste time, change it immediately.
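A blocklist check that encodes the patterns the study warns about: the top-25 list reproduced above, keyboard row and column walks such as qwertyuiop and 1qaz2wsx, repeated blocks like 111111 and 123123, bare birth years, and the common first names the study cites. This Python function is an added example written for this article, not SplashData’s or Burnett’s code; the keyboard layout strings and the minimum walk length are assumptions, and a password that passes is merely not on this list, not necessarily strong.

```python
import re

# Top 25 from SplashData's 2014 list, exactly as reproduced in the article.
WORST_2014 = {
    "123456", "password", "12345", "12345678", "qwerty", "1234567890", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
}

# First names the study says are in its top 50.
COMMON_NAMES = {"michael", "jennifer", "thomas", "jordan", "hunter",
                "michelle", "charlie", "andrew", "daniel"}

# Assumed US keyboard layout: the rows, and the "columns" behind 1qaz2wsx.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik9ol0p"


def is_keyboard_walk(pw, min_len=4):
    """True if the whole password is a contiguous walk along a keyboard row or
    column, forwards or backwards (qwerty, 12345, 1qaz2wsx, poiuyt ...)."""
    p = pw.lower()
    if len(p) < min_len:
        return False
    sequences = KEYBOARD_ROWS + [KEYBOARD_COLUMNS]
    return any(p in seq or p in seq[::-1] for seq in sequences)


def is_repeated_block(pw):
    """True when the password is a unit of up to four characters repeated,
    e.g. 111111, 123123, 696969, abab."""
    return re.fullmatch(r"(.{1,4}?)\1+", pw) is not None


def weak_password_reasons(pw):
    """Return the list of reasons a password matches the study's weak patterns;
    an empty list means none of these checks fired."""
    p = pw.lower()
    reasons = []
    if p in WORST_2014:
        reasons.append("in SplashData 2014 top-25 list")
    if is_keyboard_walk(p):
        reasons.append("keyboard row/column walk")
    if is_repeated_block(p):
        reasons.append("repeated character block")
    if re.fullmatch(r"(19|20)\d{2}", p):
        reasons.append("looks like a birth year")
    if p.rstrip("0123456789") in COMMON_NAMES:
        reasons.append("common first name, possibly with digits appended")
    return reasons


def is_acceptable(pw):
    """Convenience wrapper for a sign-up form: reject anything with a reason."""
    return not weak_password_reasons(pw)


if __name__ == "__main__":
    for candidate in ["123456", "1qaz2wsx", "1990", "jennifer1", "Tr0ub4dor&3"]:
        print(candidate, "->", weak_password_reasons(candidate) or "no match")
```

Note that the name check strips trailing digits first, so “jennifer1” and “michael2014” are caught along with the bare names; an upper-case or leetspeak variant is not, which is one reason a list like this belongs alongside a length rule and a check against actual breach dumps rather than replacing them.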

Pierluigi Paganini

(Security Affairs – Worst passwords, SplashData)

Jan 24 15

Rumors say Lizard Squad is going to release PlayStation 4 Jailbreak

by Pierluigi Paganini
PlayStation 4 Jailbreak

Rumors on the Internet suggest that a PlayStation 4 jailbreak allegedly developed by Lizard Squad will soon be available.

It is difficult to say right now how true the news is, but according to rumors circulating on the Internet, the popular hacking collective Lizard Squad, responsible for the attacks against Sony PSN, Xbox Live and the Tor network, is working on a PlayStation 4 jailbreak that could be released within the year.

The availability of a new PlayStation 4 jailbreak would allow gamers to play pirated games and go online without PS Plus; if confirmed, it would indicate that the group includes high-profile experts with deep knowledge of the gaming environment.

Another possibility is that Lizard Squad’s hacking-for-hire business is profitable enough to let the team outsource the development of a PlayStation 4 jailbreak to other hackers. Let’s remember that Lizard Squad was offering its DDoS attack service, Lizard Stresser, a powerful tool that uses thousands of hacked home Internet routers to run attacks by drawing on the Internet bandwidth of these devices worldwide.

PlayStation 4 Jailbreak Lizard Squad

“PS4 Jailbreak In Development And Will Be Available This 2015 Says Lizard Squad; Sony PlayStation 4 Hack Allegedly Allows Users To Play Pirated Games And Go Online Without PS Plus” states Kdramastars, speculating that Lizard Squad has allegedly developed the PlayStation 4 jailbreak and is now going to release it publicly.

According to Kdramastars, during the Lizard Squad DDoS attacks over the Christmas holidays, Cyberland reported that the hacking crew was able to exploit a security vulnerability in the latest version of the firmware running on the PlayStation 4 console (ver. 2.03). The alleged vulnerability could be exploited by hackers to run arbitrary code.

“It was then revealed by a member of the Lizard Squad on 4Chan that the chip they used to find the security flaw in the PS4 would be available for everyone to try in 2015. The member also said that they have included their jailbreak hack method in the chip that allegedly allows the user to play pirated games and to go online without the need for PS Plus. A side effect of this hack allegedly allows the user to update their games via PSN and be able to play cracked DLC content for a specific game.” reports Kdramastars.

According to Cyberland, the Lizard Squad team designed its PlayStation 4 jailbreak starting from the code of the previous PS4 jailbreak attributed to “Reckz0r”. In November 2013, security expert Graham Cluley reported that Reckz0r had published a tutorial on how to jailbreak the new PlayStation 4 and play pirated games; Reckz0r’s method targeted the console’s FreeBSD-based operating system, known as Orbis.

Let’s wait for a comment from Lizard Squad; personally I have many doubts about these events … but Lizard Squad has already surprised us with its capabilities.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – PlayStation 4 Jailbreak, hacking)

Jan 24 15

5800 Gas Station Tank Gauges vulnerable to cyber attacks

by Pierluigi Paganini
gas station gauges fuel

Rapid7 revealed that more than 5,000 automated tank gauges (ATGs) used to prevent fuel leaks at gas stations in the US are vulnerable to remote cyber attacks.

Recent research conducted by HD Moore of Rapid7 revealed a disconcerting truth: the automated tank gauges (ATGs) used to prevent fuel leaks at more than 5,000 gas stations in the US are exposed to remote attacks that could completely shut down the stations using them.

Fortunately, according to Rapid7, attackers have not yet exploited these vulnerabilities in the wild.

The gauges are manufactured by Veeder-Root, which, once informed of the risks, confirmed that it is working to introduce additional security features.

“We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no unauthorized access of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.” said Andrew Hider, president of Veeder-Root.

Automated tank gauges (ATGs) monitor the level of fuel in a gas station’s storage tanks and trigger alarms when the tanks are overfilled.

“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board,” explained Moore in a post published on Rapid7’s Security Street blog. “In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001.”

According to Moore, there are 5,800 ATGs worldwide connected to the Internet without password protection, and 5,300 of those are located in the US.

An attacker could easily reach the ATGs remotely; Moore also explained that a bad actor with access to the serial port interface could tamper with the information reported by the gauges, trigger false alarms and shut the stations down.

The greatest number of vulnerable Automated tank gauges is in New York, Texas and Florida.

ATG gauges hacking

The experts at Rapid7 discovered the exposed gauges by scanning the Internet for services listening on TCP port 10001.

“An unknown number of ATGs are exposed through modem access,” Moore wrote. “The majority of the ATGs appear to be manufactured by Veeder-Root, one of the largest vendors in this space, and were identified on IP ranges associated with consumer broadband services.”

Moore also provided a series of recommendations to protect the automated tank gauges:

“Operators should consider using a VPN gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” Moore said. “Less-secure alternatives include applying source IP address filters or setting a password on each serial port.”

Automated tank gauges, traffic lights and road signs are just a few examples of potentially exploitable Internet-connected devices, and a cyber attack on them could have serious consequences.
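To check your own gauges the way Moore’s scan found them (an unauthenticated query on TCP port 10001), and to verify that a fix such as a VPN, a source IP filter or a serial-port password actually took effect, the following Python audit script is an added example written for this article, not Rapid7’s scanner or Veeder-Root’s software. It assumes the gauge speaks the Veeder-Root TLS-350 serial command set, in which the Ctrl-A framed I20100 command requests the in-tank inventory report; the report layout it parses is an assumption to adjust for other models, and the sample report is constructed. Run it only against gauges you operate.

```python
import re
import socket

ATG_PORT = 10001  # the most common serial-to-TCP mapping, per Rapid7

# Assumption: the gauge speaks the Veeder-Root TLS-350 serial command set, in
# which a Ctrl-A (0x01) framed "I20100" asks for the in-tank inventory report.
# No security code is supplied on purpose: the test is whether one is needed.
INVENTORY_QUERY = b"\x01I20100\n"


def probe_atg(host, port=ATG_PORT, timeout=5.0):
    """Send the unauthenticated inventory query and return the gauge's answer as
    text. TLS-350 reports end with ETX (0x03); a timeout after partial data is
    still treated as an answer."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(INVENTORY_QUERY)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\x03" in data:
                    break
        except socket.timeout:
            pass
    return b"".join(chunks).decode("ascii", errors="replace")


# One inventory row: tank number, product name, three integer volumes, then
# height, water and temperature. Assumed layout; adjust for other gauge models.
TANK_ROW = re.compile(
    r"^\s*(\d+)\s+(.+?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_inventory(report):
    """Extract the per-tank rows from an inventory report; header, date and
    framing lines do not match the row pattern and are skipped."""
    tanks = []
    for line in report.splitlines():
        m = TANK_ROW.match(line)
        if m:
            tanks.append({
                "tank": int(m.group(1)),
                "product": m.group(2).strip(),
                "volume": int(m.group(3)),
                "ullage": int(m.group(5)),
                "water": float(m.group(7)),
            })
    return tanks


def exposure_finding(host, report):
    """Classify a probe result as (exposed, summary). A parsable inventory means
    anyone who can reach the port can read, and per Moore tamper with, the gauge."""
    tanks = parse_inventory(report)
    if tanks:
        names = ", ".join(t["product"] for t in tanks)
        return True, "%s: unauthenticated ATG, %d tank(s) readable (%s)" % (host, len(tanks), names)
    if report.strip():
        return False, "%s: answered but no inventory rows parsed; check security code or model" % host
    return False, "%s: no response on port %d" % (host, ATG_PORT)


# Constructed sample of what an open gauge returns; values are made up.
SAMPLE_REPORT = (
    "\x01I20100\n"
    "JAN 24, 2015  9:12 AM\n\n"
    "FUEL STORAGE\n"
    "IN-TANK INVENTORY\n\n"
    "TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\n"
    "  1  REGULAR               6022      5972     5978    38.59     0.00    68.86\n"
    "  2  PREMIUM               4256      4225     7744    28.73     0.00    68.09\n"
    "  3  DIESEL                3310      3290     4690    24.10     0.35    66.52\n"
    "\x03"
)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        try:
            print(exposure_finding(target, probe_atg(target))[1])
        except OSError as exc:
            print("%s: connection failed (%s)" % (target, exc))
```

A gauge that returns inventory rows to this probe from outside the monitoring network is exposed in exactly the way the Rapid7 scan measured; after applying the recommendations above, the same probe from the public side should be refused at the network layer or the report should no longer come back without a security code.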

Pierluigi Paganini

(Security Affairs – Automated tank gauges, hacking)