December 2006 - Posts

Looks like there are reports out there of yet another Word vulnerability that had its Proof of Concept (POC) code released last night.

From what I have read, this does require user interaction to exploit and will run under the rights of the user.

Looks like Santa skipped one of my presents, a stress-free Christmas.

Here are some links to information that I have been able to gather so far:

FrSIRT
http://www.frsirt.com/english/advisories/2006/4997

SecurityFocus:
http://www.securityfocus.com/bid/21589/info

Symantec (Bloodhound Detection)
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121412-1329-99

Insecure.org
http://seclists.org/isn/2006/Dec/0052.html

Infoworld
http://www.infoworld.com/article/06/12/13/HNthirdword_1.html

Techworld
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=7577

This may explain some of the things we saw here today. Makes a good case for sending samples of things like this to your AV vendor, instead of just deleting them. Thanks for the info, Roger.

Bloodhound.Exploit.106 False Positive

On the heels of resolving the Bloodhound.Exploit.104 virus alert last night, I was greeted with a Bloodhound.Exploit.106 alert this morning. When our file server was indexed by SharePoint, the antivirus on the file server quarantined a Word document. I believe this detection is a false positive.

Bloodhound.Exploit.106 is a heuristic detection for an Unspecified Vulnerability in Microsoft Word (as described in Microsoft Security Advisory 929433).

The URL I have used in the past to submit files no longer seems to be available. So I enabled the quarantine option to submit the file to Symantec. It was the first time I've used that method of submission. They say the reply time to reporting this false positive is two days. I hope it doesn't take that long.


Roger's Information Security Blog: Bloodhound.Exploit.106 False Positive.

Description:
A vulnerability has been reported in HP Integrated Lights Out (iLO), which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error when using SSH key based authentication and can be exploited to gain unauthorized access.

The vulnerability is reported in iLO firmware version 1.70 through 1.87 and iLO 2 firmware version 1.00 through 1.11 running on Proliant servers.

Solution:
iLO:
Update to firmware version 1.88 or later.

HP Integrated Lights Out Unspecified Security Bypass - Advisories - Secunia.

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:
http://www.microsoft.com/technet/security/Bulletin/ms06-Dec.mspx

Critical Bulletins:
Cumulative Security Update for Internet Explorer (925454)

http://www.microsoft.com/technet/security/Bulletin/ms06-072.mspx

Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)

http://www.microsoft.com/technet/security/Bulletin/ms06-073.mspx

Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)

http://www.microsoft.com/technet/security/Bulletin/ms06-078.mspx

Important Bulletins:
Vulnerability in SNMP Could Allow Remote Code Execution (926247)

http://www.microsoft.com/technet/security/Bulletin/ms06-074.mspx

Vulnerability in Windows Could Allow Elevation of Privilege (926255)

http://www.microsoft.com/technet/security/Bulletin/ms06-075.mspx

Cumulative Security Update for Outlook Express (923694)

http://www.microsoft.com/technet/security/Bulletin/ms06-076.mspx

Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)

http://www.microsoft.com/technet/security/Bulletin/ms06-077.mspx

Re-Released Bulletins:

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)

http://www.microsoft.com/technet/security/Bulletin/ms06-059.mspx

MS Word, another 0-day for the month.
posted by: Roberto Tayag, 12/12/2006

Another 0-day exploit is currently being investigated by Microsoft; last week we reported on a previous MS Word 0-day. Yesterday, a couple of reports emerged about a new 0-day, and according to the MSRC blog this new claim is being investigated by them. We are still acquiring a sample for the appropriate solution and for our analysis; we will update you as soon as we get one.

According to the MSRC blog, in their initial investigation, the 0-day affects the following versions:

  • Word 2000
  • Word 2002
  • Word 2003
  • Word Viewer 2003

However, Word 2007 is not affected.

Update (Roberto Tayag, Tue, 12 Dec 2006 01:55:22 PM)

Yes, we have acquired a sample and Trend Micro will be detecting this file as TROJ_MDROPPER.EB. The pattern for this malware has already been submitted and is now under the scrutiny of our QA team. Updates will come as soon as the pattern file has been released.

Trend Micro Malware Blog.

Bloodhound.Exploit.105
Risk Level 1: Very Low

Discovered: December 11, 2006
Updated: December 11, 2006 04:16:57 PM GMT


Bloodhound.Exploit.105 is a heuristic detection for the Windows Media Player ASX PlayList File Heap Overflow Vulnerability (as described in Security Focus BID 21247).

Bloodhound.Exploit.105 - Symantec.com.

Two Unpatched Apple QuickTime Vulnerabilities Still Imperil Users Posted by SGMasood @ 11:14 GMT

You all know the story by now – A week ago MySpace was attacked by the Quickspace worm that abused an alleged "feature" of Apple QuickTime movie files to inject and execute malicious javascript in user profile pages. The malicious code attempted to phish accounts and to offer spyware to an unspecified number of users with obvious hopes of financial gain by the perpetrators. The primary cause that made the attack possible is not a MySpace flaw, but rather an Apple QuickTime feature that is clearly a security vulnerability. QuickTime fails to enforce the same origin policy and to warn the user before loading and executing javascript from external resources – two things that all similar applications are expected to do. For example, Flash allows embedded scripts, but it warns the user when a flash application tries to access an external resource.

We have yet to see Apple acknowledge this as a security issue. On the contrary, it has claimed that this is a legitimate feature. A temporary, trivially evadible, fix was provided by Apple to MySpace that was, controversially, distributed only to MySpace users and only to those MySpace users who use IE. All other users of Apple QuickTime, including MySpace users who use a browser other than IE, are still vulnerable. And, since this fix was given only to MySpace users, other websites are still vulnerable to an attack by a worm similar to Quickspace.

[Image: QuickTimeUpgradeMySpace]

We did some investigation and found that —

1. Apart from the HREF track flaw exploited by the worm, Apple QuickTime is still vulnerable to another similar flaw that has been publicly known for quite some time. This flaw can be exploited in the same way to achieve the exact same results as the first flaw. The second flaw is obscure and it still remains unfixed. We haven't yet seen anyone bringing attention to it or talk about fixing it. Any patch that fixes the first flaw but not the second one is inadequate.

2. MySpace is still vulnerable to both the flaws and nothing prevents another web application worm from exploiting them.

3. We tested a few other social networking sites and all the sites we tested were also vulnerable to web application worms utilizing the two flaws as an attack vector. With no fix available, currently the only feasible workaround for these social networking sites, and also other websites on the Net, is to completely block users from uploading Apple QuickTime content. Though scrubbing javascript from the content before accepting it is a solution, it is complex enough to make it impractical in this case.

Recommendation: Websites should block Apple QuickTime content completely until a patch is available from Apple for both vulnerabilities.

Bottom line: These are security vulnerabilities, not "features".

F-Secure : News from the Lab - December of 2006.

I don’t know how long this has been around; I found Trend Micro’s Malware Blog this morning. Looks like another good resource.

You can find it here: http://servicecenter.antivirus.com/malwareblog/diary/

New Microsoft Word Zero-Day Reported

Microsoft have announced they are investigating yet another zero-day vulnerability, apparently unrelated to the December 5 Microsoft Security Advisory 929433. According to their investigations, Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is not affected by the vulnerability. They also report that the vulnerability is being exploited on a very limited and targeted basis. Symantec Security Response is monitoring the situation and will respond appropriately once further information is available. As always, standard best practices apply in this situation and caution should be exercised when dealing with unsolicited attachments from both unknown sources, as well as from trusted sources.

Posted by Security Response Alert on December 10, 2006 08:47 PM

Symantec Security Response Weblog: New Microsoft Word Zero-Day Reported.


Exploit-MSWord.b: Is that another Word for 0-day vulnerability?


Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability, and until we get a CVE number, we refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word Document sample for MessageLabs. Just when you would have thought this could be the same 0-day which was most recent, Microsoft confirmed upon our request that we are seeing double trouble — this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for payload associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4714 for Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4715 as Exploit-MSWord.b.

Computer Security Research - McAfee Avert Labs Blog.

Yet another Word vulnerability Posted by Patrik @ 02:34 GMT

Last week we posted on a new vulnerability in Word. Today, the Microsoft Security Response Center reported on yet another Word vulnerability.

[Image: New MSWord]

The new vulnerability affects Word 2000, 2002, 2003, and Word Viewer 2003 but not Word 2007. The vulnerability allows a malicious person to automatically execute code on the target machine when a DOC file is opened, so it's very similar to most of the other Word vulnerabilities we've seen during 2006. As it is actively being exploited, although the distribution so far is very limited, and there is no patch available, we can only continue to use the same workaround as previously recommended – not to open or save any DOC files from untrusted sources or files that you have unexpectedly received from sources you trust.

F-Secure : News from the Lab - December of 2006.

Another new Word 0-day, information & dat released by McAfee (NEW)

Published: 2006-12-10,
Last Updated: 2006-12-10 22:03:23 UTC by Patrick Nolan (Version: 1)

We received notification from an ISC participant that McAfee has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006."

Other vendors are expected to follow suit

Exploit-MSWord.b
McAfee "Microsoft Word 0-Day Vulnerability II"

"Vendor Status - Unacknowledged
Vulnerable systems - Windows XP SP0 - SP2, Windows 2003 SP0 - SP1, Microsoft Word XP, Microsoft Word 2003"

McAfee has identified PWS-Agent.g as "a password stealing trojan that was most recently installed by Exploit MSWord.b via a 0-day Microsoft Word vulnerability."

Thanks for the heads up!

eEye Research has a site that's quite useful for tracking 0-days, Zero-Day Tracker

There's a report over at the Microsoft Security Response Center Blog!, see the New Report of A Word Zero Day.
According to the post, "the vulnerability is being exploited on a very, very limited and targeted basis". That is a description that adds further granulization to MS's explanation of "What “very limited, targeted attacks” Means". And as long as there's no patch forthcoming for this vuln (or the December 5th one), it's starting to sound like using the exploit is going to be "Rewarding, very, very, very rewarding" (see the Citi commercials/video).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

What “very limited, targeted attacks” Means
Hi, this is Christopher Budd.

We’ve gotten some questions from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to take a moment and help give some clarity.

When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly.  Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers (sometimes only one or two even) and are carried out in a very deliberate fashion against a specific organization or organizations.

Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software on to the systems of the specific organizations that have been targeted. For example, in investigating the issue that we just issued Microsoft Security Advisory 929433 on, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers. As part of our Software Security Incident Response Process (SSIRP),  we have provided information about this malicious software to our AV partners through partner programs such as those in the Microsoft Security Response Alliance (MSRA) so that they can build signatures to detect the malicious software. The Windows Live OneCare Safety Scanner also contains signatures for this malicious software.

One of our goals when we issue a security advisory is to give you information to help you understand the risks posed by an issue. One thing we know that customers want to know about is what the scope of an attack is. Through our work with partners, with customers, and internal investigations, we’re sometimes able to tell if an attack is a broad, random attack, or if it’s a very limited, targeted attack. When we’re able to do this, we include it in our security advisory as another piece of information to help you understand what’s going on, so you can make better informed risk assessments.

I hope this helps to clarify the statement.  Of course, if an attack is broad, or if an attack is limited, we still treat every issue as a priority and teams continue to actively investigate this issue.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Friday, December 08, 2006 12:41 AM by MSRCTEAM

Welcome to the Microsoft Security Response Center Blog! : What very limited, targeted attacks Means

Public Proof of Concept Code for ASX File Format Issue

Hey everyone this is Alexandra-

I wanted to let you know that we’re aware of proof-of-concept code published publicly affecting Windows Media ASX file format. We are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability.

The ASX file format is an XML-based media file format which is processed by Windows Media Player.  An attacker could construct a malformed ASX file and use it to cause Media Player to overrun a heap-allocated buffer, potentially leading to remote code execution. 

We are also investigating other attack vectors to reach the same vulnerable code.

As part of our investigation, we are working with our MSRA partners to monitor and secure the ecosystem.

Thanks,

Alexandra

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Thursday, December 07, 2006 10:42 PM by MSRCTEAM

Welcome to the Microsoft Security Response Center Blog! : Public Proof of Concept Code for ASX File Format Issue.

Word hole will remain open Posted by Patrik @ 02:39 GMT

Microsoft just announced the patches that they will release on Tuesday the 12th. And as we feared, the Word vulnerability disclosed earlier this week will not be fixed. Looks like we'll have to not open or save Word files from untrusted sources, or unexpectedly received from trusted sources, for another month. No one sends DOC files in e-mails anyway, right?

The dropped files we have seen used together with the Word vulnerability are detected as Trojan-Downloader.Win32.Cryptic.ec, Trojan-Downloader.Win32.Cryptic.f and Trojan-Downloader.Win32.Tiny.y.

[Image: MSADVPatch Dec06]

The patches that Microsoft will release are five security patches for Windows where the highest severity rating is Critical. A patch for Visual Studio with a severity rating of Critical will also be released. In addition, 14 non-security related patches will be released.

F-Secure : News from the Lab - December of 2006.

Windows Media Player - ASX Playlist Buffer Overflow

Published: 2006-12-07,
Last Updated: 2006-12-07 22:29:51 UTC by Tom Liston (Version: 1)

ISS has published an advisory on a buffer overflow found in Windows Media Player 9 and 10 related to handling .ASX playlist files.  This follows a similar advisory by FrSIRT.  It appears that these advisories are coming in response to indications that there are in-the-wild exploits of the vulnerability.  The issue has been public since back on November 22nd.

Read the ISS Advisory, the FrSIRT Advisory, and the original Bugtraq posting.

(Thanks to everyone who sent this in...)

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Intel LAN Driver Buffer Overflow Local Privilege Escalation (NEW)

Published: 2006-12-07,
Last Updated: 2006-12-07 20:11:47 UTC by Tom Liston (Version: 1)

According to Intel, there is a buffer overflow in the drivers for one of their most popular NICs that can be used to escalate privilege locally.  The flaw affects drivers for Intel PRO 10/100 adapters on Windows (>Win2K), Linux, and UnixWare platforms.  A complete listing of affected driver versions can be found here.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Malformed MIMEs can bypass AV (NEW)

Published: 2006-12-07,
Last Updated: 2006-12-07 15:18:57 UTC by Tom Liston (Version: 1)

Over on Quantenblog, they're reporting that malformed MIME attachments can, in some cases, be used to bypass email AV filtering.  It works like this:  because email standards were written back in the day when messages were only text (as God intended), they only guaranteed that 7 of the 8 bits in a byte would make it through.  Now that emails contain everything from spreadsheets and executables to pretty-formatted dancing gerbils, we need a way to send the full 8 bits, while still meeting the original standards.  To do this, we need a means of encoding 8 bit content into 7 bit email messages.  One encoding scheme uses an "alphabet" containing 64 characters, and essentially takes 3 bytes of data and turns them into 4 bytes of encoded information.  This is what Multipurpose Internet Mail Encoding (MIME) and specifically MIME64 is all about.  The standard for MIME encoding (RFC 2045) says that when you're decoding, if you come across a character that isn't part of your "alphabet," you're supposed to ignore it and move on.  The problem arises when an AV engine doesn't follow this standard, and an email program does.  The AV engine doesn't scan the attachment properly, but the email program presents the fully decoded attachment for the end-user's clicking pleasure.

More info: http://www.quantenblog.net/security/virus-scanner-bypass

(Thanks Robert!)

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
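The decoder mismatch the ISC diary above describes, as an added Python example (not code from the diary or from Quantenblog): a strict decoder models the scanner, an RFC 2045 decoder models the mail client, and a well-formedness check shows what a gateway can do instead of letting the two disagree. The signature marker and the sample attachment are constructed for the example.

```python
import base64
import binascii
import re

# Hypothetical marker standing in for a real AV signature; constructed for
# this example only.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"

# The base64 alphabet plus the '=' pad; anything else is outside RFC 2045's
# alphabet. Line breaks are handled separately because MIME folds bodies
# into 76-character lines, which even a strict decoder has to accept.
_NON_ALPHABET = re.compile(rb"[^A-Za-z0-9+/=]")
_LINE_BREAKS = re.compile(rb"\r?\n")


def decode_strict(body: bytes):
    """Model of the scanner behaviour the diary describes: line breaks are
    tolerated, but any other non-alphabet byte is a decode error, so the
    engine ends up with nothing to scan (returns None)."""
    try:
        return base64.b64decode(_LINE_BREAKS.sub(b"", body), validate=True)
    except binascii.Error:
        return None


def decode_rfc2045(body: bytes) -> bytes:
    """Decoder that does what RFC 2045 section 6.8 requires, and what mail
    clients do: drop every byte outside the alphabet, then decode."""
    return base64.b64decode(_NON_ALPHABET.sub(b"", body), validate=True)


def scan(body: bytes, decoder) -> bool:
    """Return True if the attachment, decoded with `decoder`, contains
    SIGNATURE. A scanner whose decoder gives up returns False here even
    though the mail client will still hand the user the full file."""
    decoded = decoder(body)
    return decoded is not None and SIGNATURE in decoded


def is_well_formed(body: bytes) -> bool:
    """Gateway-side check: a transfer-encoded body that contains anything
    besides the alphabet, padding and line breaks is malformed and can be
    rejected outright, so scanner and client never disagree on its contents."""
    return _NON_ALPHABET.search(_LINE_BREAKS.sub(b"", body)) is None


def insert_every(encoded: bytes, filler: bytes, every: int) -> bytes:
    """Insert `filler` after every `every` bytes of `encoded`. Used both to
    fold a body into MIME lines and to construct a malformed sample."""
    chunks = [encoded[i:i + every] for i in range(0, len(encoded), every)]
    return filler.join(chunks)


def demo():
    """Constructed attachment: a clean encoding, a normally folded one, and
    one with stray bytes mixed in between the base64 characters."""
    attachment = (b"Quarterly report, constructed sample attachment for the "
                  b"decoder test.\n" + SIGNATURE + b"\n")
    clean = base64.b64encode(attachment)          # long enough to fold
    folded = insert_every(clean, b"\r\n", 76)     # ordinary MIME folding
    malformed = insert_every(clean, b"~", 7)      # '~' is not in the alphabet
    return {
        "strict_detects_clean": scan(clean, decode_strict),
        "strict_detects_folded": scan(folded, decode_strict),
        "strict_detects_malformed": scan(malformed, decode_strict),
        "rfc2045_detects_malformed": scan(malformed, decode_rfc2045),
        "client_sees_same_file": decode_rfc2045(malformed) == attachment,
        "gateway_rejects_malformed": not is_well_formed(malformed),
        "gateway_accepts_folded": is_well_formed(folded),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```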

Windows Media Player ASX File Handling Vulnerability

added December 7, 2006

US-CERT is aware of a heap buffer overflow vulnerability in Windows Media Player. The flaw occurs when the Windows Media Playback/Authoring library (WMVCORE.DLL) processes malformed ASX Playlist files. By persuading a user to access a specially crafted HTML document (e.g., a web page or an HTML email message), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user or cause a denial of service.

Until a security fix from Microsoft becomes available, US-CERT recommends the following actions to help mitigate the security risks:

US-CERT will continue to investigate this vulnerability and provide additional information as it becomes available.

US-CERT Current Activity.

********************************************************************

Title: Microsoft Security Bulletin Advanced Notification

Issued: December 07, 2006

********************************************************************

Summary

=======

On 12 December 2006 Microsoft is planning to release:

Security Updates

. Five Microsoft Security Bulletins affecting Microsoft Windows.

The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.

. One Microsoft Security Bulletin affecting Microsoft Visual Studio. The highest Maximum Severity rating for this is Critical.

These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.

Microsoft Windows Malicious Software Removal Tool

. Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

. Microsoft will release 4 NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).

. Microsoft will release 10 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:

. TechNet Webcast: Information about Microsoft's Security Bulletins

. Wednesday, December 13, 2006 11:00 AM Pacific Time (US & Canada)

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032317233&EventCategory=4&culture=en-US&CountryCode=US

At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 12 December 2006.

The message can be located at:

http://www.myitforum.com/forums/fb.asp?m=147497

Allaple.A Internet/LAN worm - Highly polymorphic with Password attacks

While this new worm may not be widespread, it features some advanced designs. In particular, the polymorphic encryption feature could make this one difficult for AV vendors to detect.

Allaple.A Internet/LAN worm - Highly polymorphic with Password attacks http://secunia.com/virus_information/34550/allaple.a/

http://www.f-secure.com/v-descs/allaple_a.shtml

QUOTE: Allaple is a powerful polymorphic LAN and Internet worm. It uses a number of exploits to spread and performs a dictionary attack on network share passwords. The worm copies itself multiple times to a hard drive and also affects HTML files. In addition the worm performs a DoS (Denial of Service) attack on a few websites.

The worm's file is polymorphically encrypted. This means that every copy of the worm is different from the others. The only constant part is the size of the worm's executable file - 57856 bytes. After the worm's file is run, it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then control is passed directly to the extracted worm's code.

After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to bruteforce network share passwords by performing a dictionary attack on them. The following TCP ports are used during the DoS attack: 22, 80, 97, 443.

Microsoft Word Zero-Day Under Investigation

On December 5, 2006, Microsoft announced they were investigating reports of the exploitation of a zero-day vulnerability in Microsoft Word (described in Microsoft Security Advisory 929433). There is very little information available regarding the technical details of this new vulnerability. Symantec Security Response is monitoring the situation and will respond appropriately once further information is known.

At this time, Security Response has seen various malware binaries which may be related to the limited reports noted by Microsoft. These files are detected as "Downloader" by LiveUpdate virus definitions, version 12/6/2006 rev. 16. At least one known downloaded file is detected as Backdoor.HackDefender, using Rapid Release virus definitions, version 12/6/2006 rev. 25.

The standard best practices apply in this situation and as such, caution should be exercised when dealing with unsolicited attachments from unknown, and even known, sources.

UPDATE
The aforementioned "Downloader" detections have been renamed to Downloader.Realog and Downloader.Sniper starting from Rapid Release virus definitions, version 12/6/2006 rev. 53.

Posted by Security Response Alert on December 6, 2006 11:10 AM

Symantec Security Response Weblog: Microsoft Word Zero-Day Under Investigation.

Adobe Acrobat Update (NEW)

Published: 2006-12-06,
Last Updated: 2006-12-06 18:53:00 UTC by Mark Hofman (Version: 1)

Adobe has classified the recent vulnerability as a critical issue and is recommending that Acrobat Reader be upgraded to version 8 or, as a minimum, that the affected DLL be replaced.

To quote them directly they are saying "Adobe categorizes this as a critical issue and recommends affected users uninstall any affected software."

Their advisory can be found here

You may need to take steps to test and patch/upgrade your end user systems.

Thanks Matt for the pointer.

Mark
ISC Handler on Duty
Shearwater

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: December 5, 2006

********************************************************************

Security Advisories Updated or Released Today

==============================================

* Microsoft Security Advisory (929433)

- Title: Vulnerability in Microsoft Word Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/929433.mspx

- Revision Note: Advisory published.

********************************************************************


Want spies with that?


We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy.A sends all the data it’s captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

  • The software is licensed for only one phone ID (IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI it’s expected to be shut down.
  • It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.


Computer Security Research - McAfee Avert Labs Blog.

It’s about time someone spoke up about this!!
An open letter to domain registrars Posted by Mikko @ 12:26 GMT

[Image: Registrars]

F-Secure : News from the Lab - December of 2006.

Word Zero-Day, So Sayeth Microsoft (NEW)

Published: 2006-12-05,
Last Updated: 2006-12-05 23:05:27 UTC by Ed Skoudis (Version: 1)

Microsoft released an announcement of a zero-day vulnerability in Microsoft Word. Read about it here.

Of particular interest, they say:

"Microsoft is investigating new public reports of limited 'zero-day' attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.  In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker."

Microsoft's advice?  They say, "Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file."

Ok... sure.  Thanks.

--Ed Skoudis
Intelguardians.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Phishers Don't Like Monday (NEW)

Published: 2006-12-04,
Last Updated: 2006-12-04 15:55:24 UTC by Deborah Hale (Version: 1)

"Symantec is declaring 2006 as the year that fraud grew up."

That is an interesting opening to the article that discusses the changes that Symantec has witnessed over the last year in regards to phishing and the evolution of the tactics and methods used to attempt to defraud the cyber community.  According to their observations they indicate an increase in VOIP and SMS targets. 

Symantec's observation is that the bad guys like 3 day weekends as well and take a break from their life of crime.  They also indicate that Mondays are usually the quietest days for new phishing emails and Tuesday they ramp back up.  Humm.  Interesting, guess I will have to pay closer attention to the spam in my filter.

Vnu Article

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
