Archive for November, 2007

Spam Tactics

As seen in The Register, spammers have been using the rarely used “I’m feeling lucky, punk” button and the idea of googlewhacking (popularised by Dave Gorman) for this Google attack vector.

The trick worked because a spammer had managed to make a search query that was specific to their website, using an advanced Google search combining the “inurl” and “intext” operators. Next comes the clever part: spammers simulate a user click on Google’s seldom-used “I’m Feeling Lucky” button, so that surfers are taken directly to the first result that comes up for the entered search query. As the spammer has designed the query to yield only one result - that of the spamvertised site - surfers are taken directly to a junk-mail-promoted site after selecting what looks like a search result entry.
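As an added illustration, not part of the original post: a small mail-filter check that flags links built the way the article describes, i.e. a Google search URL whose query uses narrowing operators (inurl, intext) and that also carries the “I’m Feeling Lucky” button parameter. The parameter name btnI and the sample message are assumptions of this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Parameter Google's search form submits for "I'm Feeling Lucky".
# Its name is an assumption of this example, not something the article states.
LUCKY_PARAMS = {"btnI"}
# Advanced operators a spammer combines so that exactly one result matches.
OPERATOR_RE = re.compile(r"\b(inurl|intext|intitle|allinurl|allintext|site):", re.I)
# google.com, google.co.uk, google.de, google.com.au ... but not google.com.evil.com
GOOGLE_HOST_RE = re.compile(r"(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url: str) -> dict:
    """Verdict for one URL: is it a Google search, is it a lucky redirect,
    which narrowing operators does the query use, and is the combination suspicious."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not GOOGLE_HOST_RE.search(host) or not p.path.startswith("/search"):
        return {"google_search": False, "lucky": False, "operators": [], "suspicious": False}
    qs = parse_qs(p.query)                      # decodes %3A, '+' etc. for us
    query = " ".join(qs.get("q", []))
    lucky = any(k in qs for k in LUCKY_PARAMS)
    ops = sorted({m.lower() for m in OPERATOR_RE.findall(query)})
    # The article's pattern: lucky redirect plus operators that pin down one result.
    return {"google_search": True, "lucky": lucky, "operators": ops,
            "suspicious": lucky and bool(ops)}


def scan_message(body: str) -> list:
    """Return every URL in a message body that matches the redirect pattern."""
    return [u for u in URL_RE.findall(body) if classify_link(u)["suspicious"]]


# Constructed sample message for this example (not taken from the article).
SAMPLE = """Hi,
Great prices here: http://www.google.com/search?q=inurl%3Apills+intext%3A%22cheap+meds%22&btnI=1
Unrelated search: http://www.google.com/search?q=weather+london
Plain link: http://example.com/
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE):
        print("suspicious lucky-redirect link:", hit)
```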

Always be careful of the opposite sex, especially online, as there’s a virtual stripper floating about, delivered as a trojan, which seemingly slips past Yahoo’s CAPTCHAs.

Spammers have come up with a sleazy - but undoubtedly ingenious - way to defeat anti-spam security checks. The Captcha Trojan disguises itself as a stripper game that offers voyeurs the chance to see images of a model getting undressed. In order to get “Melissa” to lose an item of clothing, the user must identify the letters or numbers found within a scrambled text image that forms the basis of a captcha (Completely Automated Public Turing test to tell Computers and Humans Apart). Providing users identify the letters correctly, Melissa shows a bit more skin.

vishing and phishing together (more VoIP)

I like this combo attack of vishing and phishing…

Cloudmark reports that would-be fraudsters are taking advantage of VoIP systems to develop more convincing attacks. One recent email scam, for example, poses as a notification from a recipient’s bank requesting that they ring customer services to deal with a problem.
“If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set up on a compromised host,” explained Neil Cook, UK technology chief at Cloudmark. “The system captures the user ID and PIN code to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul of such threats.”

Going back to bits and bobs relating to VoIP: VoIP spam isn’t new at all. It dates back to 2004. Take Network World, for example:

“While acknowledging that VoIP spam isn’t yet creating the headaches that traditional e-mail spam has, Qovia plans to develop a tool that blocks unwanted voice mail messages so when spammers begin blasting IP networks with multiple copies of a voice recording, administrators will be able to defend their users’ voice mailboxes, says Richard Tworek, CEO of Qovia. In late June the company filed a patent application for a method of detecting and blocking VoIP spam, and plans to release a tool to implement that technology by year-end.”

This begs the question: isn’t the tool working properly? Or is it really a closed shop? Or have VoIP spam attacks evolved?
More recently, I love the irony that one of the co-authors of SIP was V-hacked!

“According to a report in the Guardian, hackers are increasingly targeting VoIP services, such as Skype, with SPam over Internet Telephony (spit) attacks. Ironically, hackers have attacked the VoIP system at Columbia University, where Henning Schulzrinne is professor of computer science. Professor Schulzrinne was the co-author of the protocol that VoIP runs on - session initiation protocol (SIP). SIP is used by most VoIP services, with the notable exception of Skype. The attack left unsolicited marketing messages on multiple phone extensions at the university. Professor Schulzrinne supports the view that VoIP is becoming a major target for spammers, especially with filters becoming more effective at blocking email spam.”

Check out Sipera’s vulnerability links for more articles about VoIP.

Password cracking… Hollywood style!

I was watching a good movie last night called ‘Along Came a Spider’ starring Morgan Freeman (Alex Cross). There were two things I didn’t like about the movie, though. Firstly, it didn’t stay true to the novel at all. In fact, the novel actually appears to be more interesting. Secondly, and the point of this post, there is a scene where Alex Cross is looking for clues at the house of an agent with whom he had been working closely. Naturally, he is greeted with a login prompt and only has to guess the password. Of course, he works it out in about one minute (it being a 104-minute movie). He works out that the password relates to the agent’s dad and some poker game, and the password is ‘Aces&Eights’. Yes, the characters are seen on screen as he types it, not obscured with asterisks. LAME!

Similarly, in ‘Batman & Robin’ there is a scene where Alicia Silverstone (Batgirl) finds out her identity when she hacks into a computer. Surprisingly, it takes her just three attempts to do this, but the password relates to her dying uncle, if I remember correctly. That scene is particularly memorable because when she hacks in, she gets a repeated ‘Access granted’ response. No computer ever does that!

Lessons learned? Never believe a Hollywood movie! Never choose a password that anyone is going to be able to guess. Seriously! So keep it random but memorable. On reflection, having a password that only someone you trust would be able to guess doesn’t sound that bad… well, in an ideal Hollywood movie it doesn’t!

Can you think of any other movies with dodgy password cracking practices or general computer weirdness? Please comment if you do!

Please note, this post was not an excuse to mention the lovely Alicia Silverstone nor was it an attempt to make this site popular by mentioning any Alicia Silverstone sites.

;)

Yet another leak…

The irony of this data leak story is very much in the accompanying photo.

VOIP spam?

VOIP has been around the IP block for a few years. It’s still a confusing entity as to exactly which technologies are involved in it. Voice over IP is the routing of voice conversations over the Internet through any IP-based network. Under that definition it could include Instant Messaging (a.k.a. VOIM) such as MSN, Yahoo, Gtalk…
These use their own proprietary protocols, as does Skype. VOIP has its own standard protocols, primarily for Quality of Service, e.g. SIP. There are a number of commercial and open-source VOIP solutions. Some bridge into the PSTN.

Anyway, enough of the introduction. An issue that is rearing its ugly head is VOIP spam, as explained by ZDNet and Connect.
