Microsoft security researcher Terry Zink pulled the pin on a virtual grenade when he aired his belief that he’d discovered a botnet manned by Android zombies.
After examining some spam, Zink found suggestions that the junk mail was being generated from Android smartphones with access to Yahoo mail accounts.
Google quickly discounted Zink’s findings, saying its analysis suggested that spammers were using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they were using.
Cybersecurity firm Sophos agreed with Zink, however.
“While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo!’s API or web interfaces,” wrote Sophos Security Advisor Chet Wisniewski in the company’s Naked Security blog.
Last week, another voice joined Google in discounting the botnet theory: There is no direct evidence of the botnet’s existence, contended Lookout Mobile Security. Moreover, Yahoo’s Android app may be muddling the situation.
“There are some legitimate vulnerabilities in that application that have the potential to put the privacy and security of users at risk,” Lookout Senior Security Product Manager Derek Halliday told TechNewsWorld. Those vulnerabilities could allow an eavesdropper to snatch a session cookie during a mail session and use it to send spam from another device.
The address-spoofing theory is still drawing skepticism, though.
“I think their research into Yahoo’s insecure practices [is] interesting, if not unsurprising,” Sophos’ Wisniewski told TechNewsWorld.
The accounts sending the spam are being automatically generated, he explained. “They are not legitimate user accounts. This means they couldn’t be man-in-the-middled this way.”
What’s more, the methods described by Lookout are too labor-intensive for large volume spammers, noted Wisniewski.
“Do you really believe Russian hackers are sitting in cybercafes waiting for a Yahoo user to stumble by so they can send a few lousy spam messages?” he asked.
Apple Plugs Hole
Apple acted quickly to address a glitch in its in-app purchasing technology that allowed users to buy items from its iTunes store for free, with the help of a Russian hacker.
Apple added a unique identifier to receipts for in-app purchases, according to developers cited in news reports last week. The move will allow Apple to identify users and devices sharing their receipts with the Russian hacker. App developers, though, will have to update their apps to take the new identifier information into account.
As it attempted to fix the in-app snafu, Apple decided to bounce from its App Store a program designed to inform users of iOS devices what the apps on those gadgets were up to. “Clueful,” made by Bitdefender, had been selling in the App Store for months before Apple changed its mind and pulled the app for reasons the company is studying.
Apple’s move came the same week that Bitdefender released a study of more than 65,000 iPhone apps that found only 57 percent of the apps encrypt the information they gather from a user’s iOS device, which potentially places the data at risk.
Among the most egregious practitioners of dubious data collection are free apps. Five percent of the apps on smartphones, which represent 80 million downloads, were embedded with “aggressive” ad networks that performed “non-kosher” acts on a smartphone, such as changing bookmark settings and delivering ads outside the context of the app they were embedded in, Lookout Mobile Security recently found.
Tougher guidelines on data manipulation by apps could help address the problem, according to Alex Kutsishin, president and founder of FiddleFly. “The companies distributing the app need to have strict guidelines for what app developers can and cannot do versus guidelines that allow them to do whatever they want as long as users agree to it,” he told TechNewsWorld.
Botnet Down, Malware Found
Bot fighters notched a major victory last week, as security researchers discovered yet another malware program aimed at Middle Eastern states.
Two command-and-control servers feeding instructions to spam-spewing computer zombies in the Grum botnet were taken down by Dutch authorities early in the week. The action will cripple the malnet in the short term, but because its servers in Panama and Russia are still alive, the long-term prognosis is still uncertain.
Nevertheless, the takedown should reduce the junk stream on the Net, said Atif Mushtaq, a researcher at FireEye Labs.
“I am sure the absence of the spam sent by the world’s third largest spam botnet will have a significant impact on the global volume,” he wrote in a company blog.
Meanwhile, on July 17, Kaspersky Lab and Seculert released the results of an eight month investigation into a cyberespionage campaign called “Mahdi,” that’s been primarily aimed at some 800 targets in Iran, Israel and other select countries around the world.
Targets of the Trojan at the core of the campaign were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.
“While the malware and infrastructure is very basic compared to other similar projects, the Mahdi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, a senior malware researcher at Kaspersky.
“Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection,” he added.
Breach Diary
July 15. Anonymous posts to the Internet more than 1,000 email credentials, most in encrypted form, from five multinational oil companies — Shell, Exxon, BP, Gazprom and Rosneft.
July 16. The Consumerist notifies its members that it is resetting all passwords for the site due to unspecified security problems.
July 17. Elections Ontario reveals that two USB drives containing personal data of more than 2 million votes in the province have been missing since April.
July 18. Hacker group calling itself “TeamGhostShell” posts to the Internet detailed data on tens of thousands of job seekers from recruiting website ITWallStreet. Information included first and last names, mailing addresses, email addresses, usernames, hashed passwords and phone numbers, as well as salary and bonus expectations.
July 18. The Norfolk Constabulary officially closes its investigation of the data breach of the Climate Research Center at the University of East Anglia that led to “ClimateGate” controversy in 2009.
July 19. U.S. Justice Department announces the arrest of Dmitry Olegovich Zubakha, 25, who, with an unnamed accomplice, launched in 2008 a series of denial-of-service attacks on Amazon, Priceline.com and eBay, causing a disruption of service at those websites.
July 20. Dropbox announced that it hasn’t found any intrusions into its internal systems. Earlier in the week, some consumers complained that they received spam from what could only be an email address associated with Dropbox. The company has hired an independent investigator to further probe the situation.
Security Calendar
July 21-26. Black Hat Conference/USA. Las Vegas, Nev. Registration: US$2,195. Onsite: $2,595.
July 24. How To Become A Speaker at RSA 2013. 1 p.m. ET. Webcast, free, registration required.
July 26-29. Def Con 20. Las Vegas, Nev. Registration: $200.
July 26-Aug. 22. Data Breach Security Tour. A series of workshops sponsored by Utah to provide assistance to the nearly 800,000 citizens of the state affected by a healthcare data breaches.
Aug. 20-23. Gartner Catalyst Conference. San Diego, Calif. Standard price: $2,295.
Oct. 9-11. Crypto Commons. Hilton London Metropole, UK. Early bird price (by Aug. 10): Pounds 800, plus VAT. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
Oct. 25-31. Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.