
Security Bytes: Spam that glitters isn't gold

By SearchSecurity.com Staff
24 Jul 2006 | SearchSecurity.com

Security Wire Daily News

Spam that glitters isn't gold
According to the SANS Internet Storm Center, an emerging email scam could result in end-users' computers becoming infected by a string of malicious files.

In a posting to the ISC Handler's Diary Sunday, ISC Director Marcus Sachs detailed the contents of an email that has started making the rounds in recent days.

The text of the message includes information about an alleged transaction involving e-Gold Ltd., an electronic payment site. The author attempts to convince the recipient that she lost currency from a transaction and includes what is described as a screenshot detailing the problem, in a file called screen.zip. When opened, that file drops a series of executables and .dll files on a victim's machine, one of which includes a spyware-spreading Trojan that attempts to steal e-Gold account information.

Sachs said the issue and analysis were submitted to the ISC by a reader. "Readers… are the backbone of the SANS Internet Storm Center and we really appreciate those who send in their own analysis for us to turn around in alerts to others," Sachs said.

SiteDepth subject to .php vulnerability
The French Security Incident Response Team (FrSIRT) is one of several organizations warning of a flaw in SiteDepth, a content management system used primarily by adult Web site operators, that could enable attackers to execute arbitrary commands.

Late last week FrSIRT warned of the issue, which was first reported by David "Aesthetico" Vieira-Kurz of German security firm Major Security.

"This flaw is due to an input validation error in the 'constants.php' script that fails to validate the 'SD_DIR' parameter, which could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the Web server," said FrSIRT.

The issue affects SiteDepth version 3.0.1 and prior. A patch has not yet been issued by the vendor.
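
A defender-side check for the SiteDepth issue described above, added here as an example (not code from FrSIRT, Major Security or the SiteDepth vendor): it scans web server access logs for requests that hand an SD_DIR value to constants.php. The log lines are constructed, and the combined-log format and the premise that legitimate clients never supply SD_DIR are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2006:10:01:02 +0000] "GET /sitedepth/constants.php?SD_DIR=http%3A%2F%2Fhost.example%2Fx HTTP/1.1" 200 512
198.51.100.4 - - [24/Jul/2006:10:02:11 +0000] "GET /sitedepth/index.php?page=1 HTTP/1.1" 200 4096
203.0.113.9 - - [24/Jul/2006:10:03:40 +0000] "GET /constants.php?SD_DIR=..%2F..%2Ftmp%2F HTTP/1.1" 404 210
192.0.2.15 - - [24/Jul/2006:10:04:05 +0000] "POST /sitedepth/constants.php HTTP/1.1" 200 128
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SCHEME = re.compile(r'^[a-z][a-z0-9+.-]*:', re.I)  # http:, ftp:, other wrappers

def classify(value):
    """Return the reason an SD_DIR value is flagged."""
    v = unquote(value).strip()  # undo a second layer of percent-encoding
    if SCHEME.match(v) or v.startswith('//'):
        return 'url-or-wrapper'
    if '..' in v.replace('\\', '/').split('/'):
        return 'path-traversal'
    # Assumption: the application sets SD_DIR itself, so any
    # client-supplied value is worth a look.
    return 'client-supplied-path'

def scan(log_text):
    """Return (client_ip, method, status, reason) for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, _when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith('/constants.php'):
            continue
        params = parse_qsl(url.query, keep_blank_values=True)
        reasons = [classify(v) for k, v in params if k == 'SD_DIR']
        if not reasons and method != 'GET':
            # Access logs do not record request bodies, so a parameter
            # sent in a POST body cannot be ruled out from this line.
            reasons = ['body-not-logged']
        findings.extend((ip, method, int(status), r) for r in reasons)
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is the case to triage first; until the vendor ships a patch, blocking direct requests to constants.php at the web server removes the exposure this check looks for.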

McAfee warns of adware on MySpace
Social networking site MySpace may be popular among young and old alike, but not all the media clips being shared there are for harmless fun.

In its Avert Labs Blog, antivirus vendor McAfee Inc. warned that not only have a pair of MySpace viruses circulated this year, but the site has also become a hotbed for adware.

More specifically, McAfee's Allysa Myers noted the recent Washington Post report that an advertisement posted on MySpace used the Windows Meta File (WMF) exploit that Microsoft patched earlier this year to install adware. Plus, another organization has reportedly created fake MySpace profiles to increase adware installations.

That means harmless MySpace surfing during the workday may not be so harmless after all. "There's really nothing to prevent profiles being created for questionable purposes," Myers wrote.
