Category Archives: Security Alert

Spotting Fake Web Addresses

To most people, at a quick glance, the address shown above will look genuine; even if you look at it in detail you may conclude it is Primark's US site. Wrong!

It's a fake site. What we have here is a well constructed fake web address. Most people associate the www with the start of a web address and the .com with the end of it, with the company name in the middle.

What we have here really is a site with two subdomains set up. The first part, www, is just a subdomain; primark is also a subdomain; and com-stores.us is the actual domain name. Criminals and others setting up fake sites are using this method more and more often in order to trick people into thinking the web address is genuine.
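The same breakdown can be done mechanically. The script below is an added example, not part of the original post: it splits a hostname into its public suffix, the registrable domain and the subdomain labels in front of it, then applies the two checks the post describes (the brand name sitting only in a subdomain, and a label such as com-stores that mimics the ".com" people expect). The PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List and only contains the suffixes the example needs; the hostnames other than www.primark.com-stores.us are constructed.

```python
# Added example: split a hostname into registrable domain and subdomains,
# and flag the two tricks used by lookalike addresses such as
# www.primark.com-stores.us (brand only in a subdomain; "com-" in a label).
from typing import List, NamedTuple

# Constructed stand-in for the Public Suffix List; real code should load the
# full list, since suffixes like "co.uk" span more than one label.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "uk", "co.uk", "org.uk"}


class HostParts(NamedTuple):
    subdomains: List[str]   # labels in front of the registrable domain
    registrable: str        # what the site owner actually registered
    suffix: str             # the public suffix (TLD or multi-label suffix)


def split_host(host: str) -> HostParts:
    """Split a hostname using longest-suffix matching against PUBLIC_SUFFIXES."""
    labels = host.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a dotted hostname: {host!r}")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        candidate = ".".join(labels[-n:])
        if candidate in PUBLIC_SUFFIXES:
            registrable = ".".join(labels[-(n + 1):])
            return HostParts(labels[:-(n + 1)], registrable, candidate)
    raise ValueError(f"no known public suffix in {host!r}")


def brand_mismatch(host: str, brand: str) -> bool:
    """True when the brand name appears in the hostname but the registrable
    domain is not the brand's own (e.g. the brand only appears as a subdomain)."""
    parts = split_host(host)
    owner_label = parts.registrable.split(".")[0]
    brand = brand.lower()
    return brand in host.lower() and owner_label != brand


def hyphenated_tld_labels(host: str) -> List[str]:
    """Labels outside the real suffix that embed a TLD as a hyphen-separated
    token, such as "com-stores", which imitates the ".com" readers expect."""
    parts = split_host(host)
    labels = parts.subdomains + [parts.registrable.split(".")[0]]
    return [lab for lab in labels
            if any(tok in PUBLIC_SUFFIXES for tok in lab.split("-"))]


def assess(host: str, brand: str) -> List[str]:
    """Human-readable reasons a hostname looks like a lookalike of `brand`."""
    reasons = []
    if brand_mismatch(host, brand):
        reasons.append(f"'{brand}' appears only outside the registrable domain "
                       f"({split_host(host).registrable})")
    for lab in hyphenated_tld_labels(host):
        reasons.append(f"label '{lab}' embeds a top-level domain name")
    return reasons


if __name__ == "__main__":
    # Constructed comparison: the post's fake address next to a plain hostname.
    for host, brand in (("www.primark.com-stores.us", "primark"),
                        ("shop.example.com", "example")):
        parts = split_host(host)
        print(f"{host}: registrable={parts.registrable} "
              f"subdomains={parts.subdomains} -> {assess(host, brand) or 'looks ordinary'}")
```

The output for the post's address names com-stores.us as the registered domain, with www and primark as mere subdomains, and gives both reasons for treating it as a lookalike.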

When you visit the site it may be laid out to give the impression that you are on the genuine site for that company. In reality the site may infect your computer with a virus or spyware, or it may ask you to log in in order to capture your login or bank details.

Note :- The above example web address is known to be fake, please do not visit that site.



IIS Zero Day Vulnerability Will Never Be Patched

Affected Platforms

Microsoft Internet Information Services 6.0

Description

A vulnerability found in Microsoft's Internet Information Services (IIS) web server has been publicly detailed along with proof of concept exploit code. It is understood to have been under attack since July 2016. The flaw affects IIS version 6.0, which reached end of life in July 2015, meaning it will likely never be patched; that leaves every server yet to upgrade exposed to a potential complete system compromise.

The vulnerability is a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in IIS 6. WebDAV is an extension to the HTTP protocol designed to simplify file sharing and content authoring.

An attack launched against a vulnerable server can cause a denial of service, but it could also result in full remote code execution. With many IIS deployments running on a full Windows server installation that often hosts other internal services, a breach of this nature is capable of giving a threat actor a serious foothold in the network.

Remediation

  • Either upgrade IIS or disable WebDAV as soon as possible (see below for how to disable WebDAV in IIS 6).
  • Conduct scans of your own address space, either internally or with the help of a third party, to discover any previously forgotten deployments that may still be vulnerable.
  • Where vulnerable deployments have been reachable from the internet, access logs and other log data sources should be analysed for unusual activity that may indicate a previous compromise.
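The last two remediation points can be partly automated. The script below is an added example and not part of the original alert or any Microsoft tooling: it reads IIS W3C extended log lines, flags requests that use WebDAV-only methods, carry unusually long request targets or end in a server error on a WebDAV method, and separately checks a set of HTTP response headers for a server that identifies itself as IIS 6.0 with WebDAV advertised. The log lines, the client addresses and the header set are constructed samples; the header layout is modelled on what an IIS WebDAV OPTIONS reply looks like and is an assumption, not output captured from a real server. The LONG_URI threshold is a tunable assumption.

```python
# Added example: triage IIS 6 W3C access logs for WebDAV activity and check
# response headers for an IIS 6.0 server with WebDAV enabled.
from typing import Dict, Iterable, List

# Methods that only exist because WebDAV is enabled; browsers never send them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
LONG_URI = 200  # characters; assumption, tune to the longest legitimate path

# Constructed sample in the W3C extended format IIS writes; the #Fields header
# names the columns, and IIS replaces spaces inside fields with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-03-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-03-28 10:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2017-03-28 10:00:02 10.0.0.5 OPTIONS / - 80 - 198.51.100.7 - 200 0 0
2017-03-28 10:00:03 10.0.0.5 PROPFIND /{long} - 80 - 198.51.100.7 - 500 0 0
2017-03-28 10:00:04 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
""".format(long="A" * 300)

# Constructed header set, modelled on an IIS 6 OPTIONS reply with WebDAV on.
SAMPLE_OPTIONS_HEADERS = {
    "Server": "Microsoft-IIS/6.0",
    "DAV": "1, 2",
    "MS-Author-Via": "DAV",
    "Allow": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
             "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
}


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if line.startswith("#"):
            continue                    # other directives carry no records
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed line; skip
        records.append(dict(zip(fields, values)))
    return records


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the records worth a human look, each with its reasons."""
    findings: List[Dict[str, object]] = []
    for r in records:
        method, uri, status = r["cs-method"], r["cs-uri-stem"], r["sc-status"]
        reasons = []
        if method in WEBDAV_METHODS:
            reasons.append(f"WebDAV method {method}")
        if len(uri) > LONG_URI:
            reasons.append(f"request target {len(uri)} chars long")
        if method in WEBDAV_METHODS and status.startswith("5"):
            reasons.append(f"server error {status} on WebDAV request")
        if reasons:
            findings.append({"time": f"{r['date']} {r['time']}",
                             "client": r["c-ip"], "method": method,
                             "reasons": reasons})
    return findings


def webdav_exposed(headers: Dict[str, str]) -> bool:
    """True if the response headers identify IIS 6.0 and advertise WebDAV."""
    h = {k.lower(): v for k, v in headers.items()}
    is_iis6 = "microsoft-iis/6.0" in h.get("server", "").lower()
    dav_on = "dav" in h or "PROPFIND" in h.get("allow", "").upper()
    return is_iis6 and dav_on


if __name__ == "__main__":
    for f in triage(parse_w3c(SAMPLE_LOG.splitlines())):
        print(f"{f['time']} {f['client']} {f['method']}: " + "; ".join(f["reasons"]))
    print("IIS 6 with WebDAV advertised:", webdav_exposed(SAMPLE_OPTIONS_HEADERS))
```

Run against real logs, the OPTIONS request alone is not flagged (it is ordinary HTTP), while the PROPFIND with a 300-character target and a 500 response collects three reasons; a list of client addresses that sent WebDAV methods to an internet-facing IIS 6 host is a sensible starting point for the log review the alert recommends.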




How To Disable WebDAV In Microsoft IIS6

  • Click the Windows “Start” button, select “Administrative Tools,” and then click “Internet Information Services (IIS) Manager.”
  • Select the “Web Service Extensions” folder on the left side of the IIS Manager window.
  • Select the “Extended” tab near the bottom of the window.
  • Select the “WebDAV” item below the “Web Service Extension” heading on the right side of the window.
  • Click the adjacent “Prohibit” button.

Cisco Wireless Security Updates

Cisco has issued the following security alert for a range of Wireless products :-

Affected Platforms

Aironet 1830 Series and 1850 Series Access Points
Wireless LAN Controller 802.11 WME
Wireless LAN Controller IPv6
Wireless LAN Controller Management GUI

Description

Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

Remediation

Cisco encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates :-

Aironet 1830 Series and 1850 Series Access Points Mobility Express Default Credential Vulnerability cisco-sa-20170405-ame (Full details here)

Wireless LAN Controller 802.11 WME Denial-of-Service Vulnerability cisco-sa-20170405-wlc (Full details here)

Wireless LAN Controller IPv6 UDP Denial-of-Service Vulnerability cisco-sa-20170405-wlc2 (Full details here)

Wireless LAN Controller Management GUI Denial-of-Service Vulnerability cisco-sa-20170405-wlc3 (Full details here)




The Scammers Who Warn You Of Scammers

We had to share this one with you. Alongside the daily intake of spam we spotted this one. All the rest wanted our money, but this guy is warning us that there are scammers about! He does still want $240 though; have a read.

Attn:

I am Mardiani Nasution, I am an Indonasia Citizen living in the USA ,62 years Old. I reside in New Jersey. My residential address is 35 romney road Bound brook NJ ,USA 08805 United States, I am one of those that took part in the Compensation in Nigeria many years ago and they refused to pay me, I had paid over $28,000 while in the United States of America, trying to get my payment all to no avail.

So I decided to travel down to Nigeria with all my compensation documents, and I was directed to meet Mr Phillip Uba, who is the heads member of COMPENSATION AWARD COMMITTEE with the UNITED NATIONS, and I contacted him and he explained everything to me. He said whoever has been contacting us through emails are fake and I saw your name (in the Central Computer among the list of unpaid beneficiaries, contractors,Internet Dating Scam, lottery winners, inheritance next of kin, that was originated from West Africa, United Kingdom, Asia and US .Please i will want to advice you to stop all further communication with any parties ,bank or group of people claiming to be in charges of your fund,

He took me to the paying bank for my Compensation payment of $5,400,000.00 and he showed me the full list of EMAIL ADDRESS of those that are yet to receive their payments were I saw your EMAIL ADDRESS as one of the beneficiaries. This is why I decided to email you to stop dealing with wrong people, they are not with your fund, they are only making money out of you. I will advise you to contact Mr Phillip Uba

UNITED NATIONS COMPENSATION
Name: Mr Phillip Uba
Email: solutiongiver091@outlook.com
TEL:+234 9075009131
You really have to stop dealing with those people that are contacting you telling you that your fund is with them, it is not in anyway with them, they are only taking advantage of you and they will dry you up until you have nothing. The only money I paid after I met Mr Phillip Uba was just $240 for the paper work which you have to pay once you contact him and he’ll work it out for you, take note of that. Once again stop contacting those people, I will advise you to contact Mr Phillip so that he can help you to transfer your Fund into your account, instead of dealing with those liars that will be turning you around asking for different kind of money to complete your transaction.

Thank You

Maradiani

This e-mail had the subject “GOOD NEWS BENEFICIARY” and it was from site_reg@aol.com.

Whatsapp Hackers Can Now Steal Your Internet Banking Details

WhatsApp users should be aware of a new scam that attempts to steal your bank account login details. Hackers are targeting unsuspecting users with a mobile virus that is distributed via a legitimate-looking Word document sent inside the application.

These documents are capable of seizing sensitive information from the user's phone, such as online banking credentials, PIN codes and other personal data. The documents that circulate via the messages are typically in Excel format, although Word and PDF files have been reported as well.

At the moment it is not known what else this virus does on a phone or tablet, or whether WhatsApp is taking any action to prevent the scam.

The best way to protect your phone or tablet is to avoid clicking on dubious links, no matter how or from whom you receive them, and to limit app use to applications downloaded from official app stores.



Thousands Have Money Stolen In Tesco Bank Hack

Around 20,000 of Tesco Bank's online customers' accounts have had money stolen in a hacking attack over the weekend. The exact amount stolen has not been disclosed; however, customers on online forums and on social media are reporting that several thousand pounds have gone missing after checking their current accounts.

Tesco Bank has said that it has sent a text message to all those with accounts which have seen “suspicious activity”. Even if you haven't received a text message, given the scale of the hack it may be worth checking your account for any unusual transactions. According to reports in the media a lot of people have received the text message, and the amounts missing from accounts appear to vary: some have lost a few hundred pounds while others have lost a few thousand.

If you see something suspicious about a transaction on your account or are unsure please call Tesco Bank on 0345 835 3353.

It appears that Tesco Bank credit card and savings accounts have not been hacked; the issue appears to affect only current accounts.

Facts :-

Tesco Bank has 7.8 million customer accounts.

At least 20,000 Tesco Bank customers have had money stolen over the weekend following the attack.

Around 40,000 reported ‘suspicious activity’ as the fraudsters accessed confidential account information.

The Financial Conduct Authority says banks must refund unauthorised payments immediately, unless they have evidence that the customer was at fault or the payment was more than 13 months ago. The banks are also required to refund any charges or interest added to your bank account as a result of the fraudulent payments.  So if you have been affected by this then you will get your money back, according to Tesco that should happen in the next day or so.

The Treasury Committee chairman and Tory MP Andrew Tyrie has said that he will be writing to Tesco’s chief executive to find out what went wrong and what steps are being taken to reduce the likelihood of a similar hack happening again. He said: “This is just the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption.”

Back in 2014 there was an issue when 2,239 user accounts with email addresses, passwords and Clubcard voucher balances were posted online (details here). That security breach did not appear to have come from Tesco's end. Tesco said the data must have been compiled from user details obtained in breaches at other websites, presumably belonging to users who had reused email addresses and passwords across multiple accounts.

It is not yet known exactly how the accounts were hacked this weekend.




In a statement on its website Tesco Bank said :-

Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.

We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts. That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.

We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter and direct communication.

We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.

Benny Higgins, Chief Executive
