Security Watch

Ad and Subtract

Google Inc.'s ad service DoubleClick inadvertently served malware along with one of its banner advertisements, Wired.com's blog Threat Level reported Dec. 10.

The ads, for gift cards from the retailer Target Corp., came from a fake agency called AdShuffle.

Visitors had only to view a page carrying the bogus ad to have their computers infected, in what is known as a "drive-by" attack: the ad exploited vulnerabilities in the browser to download and run code on users' computers without any click or other action on their part.

The same attack code also targeted a vulnerability in software for reading PDF files.

The ads were hosted on sites including RunnersWorld.com and OrganicGardening.com.

The threat was discovered by the security company Armorize Technologies Inc., which notified DoubleClick.

Armorize said the attack created a back door in infected computers but that it was unclear how the back door would be used.

In a statement to Threat Level, Google acknowledged it had detected the malware through its DoubleClick Ad Exchange filter and said the malicious ad had failed to get through its system.

Stop Gawking

On Dec. 12 Gawker Media's servers were hacked and shut down, and user passwords and e-mail addresses for hundreds of thousands of users were stolen, the media company said.

Hackers from the group "Gnosis" claimed that they stole information on as many as 1.3 million users.

Gawker Media, which operates the popular consumer sites Gawker, Gizmodo and Jezebel, recommended that users immediately change their passwords. Gawker further suggested that, if visitors use the same passwords at other websites, such as for online banking access, those passwords should be changed as well.

Gnosis also published the names and passwords of some users they found particularly lame, for example, those who used "password" as their password, The New York Times website reported Dec. 12.
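Gawker's advice to change reused passwords is the user-side fix; the site-side fix is to refuse passwords that already appear in a breach dump. The following is an added example, not code from the article or from Gawker: it screens passwords against a breach corpus by comparing SHA-1 hashes, exposing only a five-character hash prefix to the lookup (the k-anonymity range-query shape), and audits a leaked dump for the "password"-as-password cases Gnosis singled out. The corpus, the sample dump and all names in it are constructed for illustration.

```python
"""Screening passwords against a breach corpus, as a site should after a dump
like Gawker's. Added example, not from the article: the corpus and the
sample dump below are constructed and stand in for a real breach list."""
import hashlib

# Constructed stand-in for a breach corpus (a real one holds millions of entries).
_BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "gawker", "monkey"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first 5 hex characters of its SHA-1, the shape of a
# k-anonymity range query: a caller reveals only the prefix, never the password
# or its full hash, and gets back every suffix sharing that prefix.
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _BREACHED_PLAINTEXTS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_query(prefix: str) -> set[str]:
    """What a lookup service sees: a 5-character prefix. Returns matching suffixes."""
    return set(BREACH_INDEX.get(prefix.upper(), set()))


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 is in the corpus; only the prefix leaves this function."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def audit_dump(records):
    """records: (email, plaintext) pairs such as a leaked dump exposes.
    Returns emails whose password is breached, or is just the local part of the address."""
    flagged = []
    for email, pw in records:
        local_part = email.split("@", 1)[0].lower()
        if is_breached(pw) or pw.lower() == local_part:
            flagged.append(email)
    return flagged


# Constructed sample dump (no real accounts).
SAMPLE_DUMP = [
    ("alice@example.com", "password"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "carol"),
    ("dave@example.com", "qWeRtY"),
]

if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP))  # → ['alice@example.com', 'carol@example.com']
```

Note that the hash comparison is exact: "qWeRtY" is not flagged even though "qwerty" is in the corpus, so a breach check complements, rather than replaces, length and composition rules.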

Making Tracks

Automated teller machine skimming technology keeps getting more sophisticated.

Fraudsters increasingly rely on cell-phone transmitters to retrieve stolen card details from compromised ATMs and point of sale terminals, reducing the risk associated with recovering that data in person.

Their new tool is called a "GSM-based ATM skimmer."

A Dec. 13 post by security expert Brian Krebs on his KrebsOnSecurity blog details his communication with a vendor of one of these devices.

According to the vendor, after about six hours at one ATM, the typical skimming device can steal enough card data to net about $25,000 in fraudulent charges once that data has been used to make cloned cards.

Earlier skimming devices had to have their data downloaded through a wire, which raised the risk of the data being intercepted by police or by rival fraudsters who might get to the device ahead of the person who planted it.

The GSM skimmer manual explains (in poor English) how its technology addresses this issue by transmitting the stolen data before the device is recovered by the fraudsters who planted it:

"And with GSM the equipment we have the following:

"Even if there comes police and takes off the equipment, tracks are already on your computer. That means they are already yours, and also mean this potential 20k can be cash out asap. In that case you lose only the equipment, but the earned tracks already sent. Otherwise without dumps transfer — you lose equipment, and tracks, and money."

The manual also says GSM is superior to older skimming technology because the people criminals might employ to help install the equipment cannot steal "tracks" of hapless ATM victims, as they could in the old days. This is because the numbers are instantly transmitted to the hacker's computer.

Now that's what we call progress.
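The "tracks" the manual refers to are the magnetic-stripe data a skimmer reads off each card. As an added example, not code from the article, Krebs or the vendor, here is a parser for the ISO 7813 Track 2 layout that validates the account number with the Luhn check, masks it for logging, and reads the service code, whose first digit says whether the card carries an EMV chip (a magstripe clone of a chip card should be refused by an EMV-aware terminal). The sample track strings are constructed with a well-known test account number, not real cards.

```python
"""Parsing ISO 7813 Track 2 data, the "tracks" a skimmer harvests. Added
example, not from the article: sample strings are constructed test data."""
import re

# Track 2: ';' start sentinel, PAN (up to 19 digits), '=' separator, expiry YYMM,
# 3-digit service code, discretionary data, '?' end sentinel (LRC byte omitted here).
_TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation over the full PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_chip_card(service_code: str) -> bool:
    """Service-code first digit 2 or 6 marks a card that carries an integrated
    circuit (EMV chip); 1 and 5 are magstripe-only international/national cards."""
    return service_code[0] in "26"


def parse_track2(raw: str) -> dict:
    m = _TRACK2.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    pan, exp, svc = m.group("pan"), m.group("exp"), m.group("svc")
    return {
        "pan_masked": mask_pan(pan),
        "luhn_valid": luhn_ok(pan),
        "expiry": f"{exp[2:]}/{exp[:2]}",   # YYMM -> MM/YY
        "service_code": svc,
        "chip_card": is_chip_card(svc),
        "discretionary": m.group("disc"),
    }


# Constructed samples using the 4111... test PAN; only the service code differs.
SAMPLE_MAGSTRIPE_ONLY = ";4111111111111111=2512101123456?"
SAMPLE_CHIP_CARD = ";4111111111111111=2512201123456?"

if __name__ == "__main__":
    print(parse_track2(SAMPLE_MAGSTRIPE_ONLY))
    print(parse_track2(SAMPLE_CHIP_CARD))
```

The chip flag is the practical point for a bank reviewing skimmer losses: a cloned magstripe of a card whose service code begins with 2 or 6 should only succeed at terminals that allow magstripe fallback, so those transactions are where fallback policy is worth tightening.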

'Tis the Season

Online holiday shoppers have been warned frequently about phishing and other online hacking scams that could wreak havoc on their ability to make purchases using credit cards or other online forms of payment.

But the latest shopping scam could involve merchants selling through Amazon.com Inc.

According to a Dec. 10 story on eWeek.com, the Amazon Receipt Generator is an executable file that scammers can easily use to create forged receipts that appear to come from sellers on the Amazon site.

Scammers can then send the dummy receipts to merchants and demand refunds, according to threat researchers who urged all online merchants to be doubly vigilant as their busy season got underway.

By Jove

The Zeus banking Trojan, which has wreaked havoc on online banking customers, is now targeting accounts for cards issued by some retailers, including Macy's Inc. and Nordstrom Inc., according to the security publication SCMagazineUS.com, which reported the attacks Dec. 9.

The attacks combine the malware with social engineering to trick users into disclosing their personal information.

Zeus, running on an infected customer's PC, injects a pop-up into the retailers' pages as they are rendered in the customer's browser; the retailers' own servers need not be compromised. The pop-up, claiming to offer added security, prompts the customer to enter credit card numbers, expiration dates, dates of birth and Social Security numbers.

Security researchers expressed concern, the report said, because the retailer attack shows Zeus migrating from banks to other kinds of companies, and because the pop-up appears only after the user has been authenticated by the company website, so the request looks like a legitimate step in the session and is harder to detect.
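Because the pop-up shows up inside an authenticated session, the retailer's server is one of the few places it can be noticed. The following is an added example, not code from the article or from either retailer: it assumes the inject appends its extra fields (SSN, date of birth) to the retailer's own post-login form, so the submission reaches the server carrying fields the form never had, and it flags such submissions from server-side logs. Injects that post the stolen data straight to the attacker's server leave no such trace, so this is a partial control. The endpoint schema, field names and log lines are constructed.

```python
"""Server-side detection of a Zeus-style web inject: authenticated form posts
that carry fields the form does not define. Added example, not from the
article; schema, log format and log lines are constructed assumptions."""
import re
from typing import Iterable

# Fields each authenticated endpoint legitimately accepts (assumed schema).
FORM_SCHEMA = {
    "/account/profile": {"name", "email", "phone"},
    "/checkout/payment": {"card_number", "exp_month", "exp_year", "cvv", "zip"},
}

# Field names an inject typically adds; the report names DOB and SSN.
SENSITIVE = {"ssn", "social_security", "dob", "date_of_birth", "mothers_maiden_name"}

# Assumed log format: one line per form POST, listing submitted field names.
_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) auth=(?P<auth>[01]) POST (?P<path>\S+) fields=(?P<fields>\S*)$"
)


def find_injected_submissions(lines: Iterable[str]) -> list[dict]:
    """Return one finding per authenticated POST carrying fields outside the
    endpoint's schema, marking findings that include known-sensitive names."""
    findings = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue                            # not a form submission in this format
        if m.group("auth") != "1":
            continue                            # the reported injects fire after login
        path = m.group("path")
        known = FORM_SCHEMA.get(path)
        if known is None:
            continue                            # endpoint without a declared schema
        submitted = {f for f in m.group("fields").split(",") if f}
        extra = submitted - known
        if extra:
            findings.append({
                "user": m.group("user"),
                "path": path,
                "extra_fields": sorted(extra),
                "sensitive": bool(extra & SENSITIVE),
            })
    return findings


# Constructed log lines (no real users or sessions).
SAMPLE_LOG = [
    "2010-12-09T10:02:11Z user=alice auth=1 POST /account/profile fields=name,email,phone",
    "2010-12-09T10:05:43Z user=bob auth=1 POST /checkout/payment fields=card_number,exp_month,exp_year,cvv,zip,dob,ssn",
    "2010-12-09T10:06:02Z user=carol auth=0 POST /checkout/payment fields=card_number,ssn",
    "2010-12-09T10:07:19Z user=dave auth=1 POST /account/profile fields=name,email,phone,newsletter",
]

if __name__ == "__main__":
    for finding in find_injected_submissions(SAMPLE_LOG):
        print(finding)
```

The "dave" line shows why the sensitive flag matters for triage: an unexpected field can also be benign schema drift (a new form field shipped without updating the schema), whereas an authenticated payment post suddenly carrying "dob" and "ssn" is the pattern the report describes.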

Dumpster Diving

Banks are employing a high-tech response to an age-old crime.

On Dec. 10 police nabbed 24-year-old Angelique Guillory in Buffalo, N.Y., after she allegedly held up a Bank of America Corp. branch and got $2,500. The teller had planted a GPS tracking device in the bag of money, which allowed police to apprehend the alleged robber the same day. She was found hiding in a dumpster, according to WGRZ.com. Guillory has been charged with first-degree robbery.

MORE FROM AMERICAN BANKER