Security Bytes: Spam that glitters isn't gold

By SearchSecurity.com Staff 24 Jul 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

In a posting to the ISC Handler's Diary Sunday, ISC Director Marcus Sachs detailed the contents of an email that has started making the rounds in recent days.

The text of the message includes information about an alleged transaction involving e-Gold Ltd., an electronic payment site. The author attempts to convince the recipient that she lost currency from a transaction, but includes a screenshot detailing the problem called screen.zip. When opened, that file drops a series of executables and .dll files on a victim's machine, one of which includes a spyware-spreading Trojan that attempts to steal e-Gold account information.

Sachs said the issue and analysis were submitted to the ISC by a reader. "Readers… are the backbone of the SANS Internet Storm Center and we really appreciate those who send in their own analysis for us to turn around in alerts to others," Sachs said.

SiteDepth subject to .php vulnerability
The French Security Incident Responst Team (FrSIRT) is one of several organizations warning of a flaw in SiteDepth, a content management system used primarily by adult Web site operators, that could enable attackers to execute arbitrary commands.

Late last week FrSIRT warned of the issue, which was first reported by David "Aesthetico" Vieira-Kurz of German security firm Major Security.

"This flaw is due to an input validation error in the 'constants.php' script that fails to validate the 'SD_DIR' parameter, which could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the Web server," said FrSIRT.

The issue affects SiteDepth version 3.0.1 and prior. A patch has not yet been issued by the vendor.

McAfee warns of adware on MySpace
Social networking site MySpace may be popular among young and old alike, but not all the media clips being shared there are for harmless fun.

In its Avert Labs Blog, antivirus vendor McAfee Inc. warned that not only have a pair of MySpace viruses circulated this year, but it's also become a hotbed for adware.

More specifically, McAfee's Allysa Myers noted the recent Washington Post report that an advertisement posted on MySpace used the Windows Meta File (WMF) exploit that Microsoft patched earlier this year to install adware. Plus, another organization has reportedly created fake MySpace profiles to increase adware installations.

That means harmless MySpace surfing during the workday may not be so harmless after all. "There's really nothing to prevent profiles being created for questionable purposes," Myers wrote.

Tags: Web Application Security,  Email and Messaging Threats (spam, phishing, instant messaging),  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Application Security Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Email and Messaging Threats (spam, phishing, instant messaging) The world's top 5 riskiest domains How to secure a .pdf file Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Email and Messaging Threats (spam, phishing, instant messaging) Research Security Awareness Training and Internal Threats Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anonymous Web surfing  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) cache cramming  (SearchSecurity.com) cookie poisoning  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary