Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-07-02 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Simple Javascript Extortion Scheme Advertised via Bing

Published: 2014-07-02
Last Updated: 2014-07-02 20:49:25 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Thanks to our reader Dan for spotting this one.

As of today, a search for "Katie Matusik" on Bing will include the following result. The rank has been slowly rising during the day, and as of right now, it is the first link after the link to "Videos" 

Once a user clicks on the link, the user is redirected to http://system-check-yueedfms.in/js which loads a page claiming that the user's browser is locked, and the user is asked to pay a fine via "Moneypak", a Western-Union like payment system. Overall, the page is done pretty bad and I find it actually a bit difficult to figure out how much money they are asking to ($300??).

extortion web page
(click on image for full size)

The user is no not able to close the browser or change to a different site. However, just rebooting the system will clear things up again, or you have to be persistent enough in clicking "Leave this Page" as there are a large number of iframes that each insert a message if closed.

The link was reported to Bing this morning but the result has been rising in Bing's search since then. Respective hosting providers for the likely compromised WordPress blog have been notified. 

Quick update: For "katie matysik" (replace 'u' with 'y', the correct spelling of the ), Bing now returns the malicious site as #1 link. Both spellings are valid last names, so either may be the original target of the SEO operation.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

7 comment(s)

Cisco Unified Communications Domain Manager Update

Published: 2014-07-02
Last Updated: 2014-07-02 17:06:05 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Yet another round of patches, this time for Cisco's Unified Communications Domain Manager [1].

The vulnerability that is probably going to be exploited first is the backdoor Cisco left behind for support access. In order to provide Cisco support with access to customer equipment, the company felt it was a great idea to equip all instances with the same SSH key. 

Having the same key on all systems is mistake number one, but wouldn't be fatal if the secret key would have been tugged away in Cisco's special safedeposit box. Instead, they left the secret key on customer systems as well. So in other words: If you own one of the systems, you got the key to access all of them.

Filtering SSH access to the device at your border is a good first step to protect yourself if you can't patch right away.

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: backdoor cisco ssh
0 comment(s)
July Ouch! Security Awareness Newsletter Released. E-mail Do's and Don'ts http://www.securingthehuman.org/resources/newsletters/ouch/2014#july2014
ISC StormCast for Wednesday, July 2nd 2014 http://isc.sans.edu/podcastdetail.html?id=4047
Diary Archives