Information security digest, 20.03 – 04.04


Due to the intensity of recent incidents, we have decided to release our security digests more often. From now on, the digest will come out every two weeks. Since March 20th there have been several significant incidents, which we analyze in this post.


RTF as a threat

The last week of March gave Microsoft customers a reason to get nervous. A zero-day vulnerability was discovered, and working exploits for it allow attackers to run arbitrary code by means of a maliciously crafted RTF file, on both Windows and Mac OS X. The vulnerability affects MS Word 2003, 2007, 2013 and 2013 RT, as well as Office for Mac, Office Web Apps 2010 and 2013, and Word Viewer.

Microsoft reported “limited, targeted attacks” exploiting a newly discovered flaw in the Microsoft Word RTF file format parser. The flaw could be triggered even when an emailed document was merely previewed rather than opened.

As a stopgap, Microsoft released a Fix-It utility that disables the processing of RTF files. A patch for this critical vulnerability is expected within days. Incidentally, it will be the last official patch for MS Word 2003, whose support is being terminated together with Windows XP’s.

DDoS at Pingback

At the end of March, a seemingly strange DDoS attack was reported that used sites running the very popular WordPress CMS as intermediaries.

Those sites were perfectly clean, with no malicious software on them. The attackers exploited the content management system’s pingback feature, abusing a number of sites that have it enabled. A pingback is essentially an XML-RPC request that makes it easy for blogs to cross-reference each other’s posts: the notified blog fetches the linking page to confirm the link, and it is that fetch the attackers turned against their victim.

In this case 162,000 legitimate sites were sending “random requests at a very large scale” to the victim’s server, each carrying a randomized query value, so the requests bypassed the cache and forced a full page load every time.

Securing oneself against such attacks is very difficult because all requests appear to come from perfectly legitimate sources.
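Legitimate-looking or not, the traffic still has a shape a site operator can look for. As an added example (not part of the original digest), the script below scans Apache combined access-log lines for the reflection pattern: WordPress identifies its pingback verification fetch in the User-Agent (the string shape assumed here is the one WordPress core sends), so a burst of such fetches from many different blogs, each with a random numeric query string, stands out from a single genuine pingback check. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines (sample data, not real traffic).
# The first four mimic reflected pingback traffic: different blogs, same
# victim, a random numeric query string on every request. The fifth is a
# genuine pingback verification fetch, the sixth an ordinary browser.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2014:10:00:01 +0000] "GET /?4137049=643182 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [28/Mar/2014:10:00:01 +0000] "GET /?8811230=112904 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [28/Mar/2014:10:00:02 +0000] "GET /?1299001=557812 HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [28/Mar/2014:10:00:02 +0000] "GET /about/?7700113=9012 HTTP/1.0" 200 4096 "-" "WordPress/3.8.1; http://blog-d.example; verifying pingback from 198.51.100.7"
192.0.2.5 - - [28/Mar/2014:10:00:03 +0000] "GET /2014/03/post/ HTTP/1.1" 200 8192 "-" "WordPress/3.8.1; http://friend.example; verifying pingback from 192.0.2.9"
198.51.100.44 - - [28/Mar/2014:10:00:03 +0000] "GET /?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"
"""

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress core sends when it fetches a page to verify a pingback
# (assumed shape: "WordPress/<version>; <blog url>; verifying pingback from <ip>").
PINGBACK_UA_RE = re.compile(
    r'^WordPress/\S+; (?P<blog>https?://[^;]+); verifying pingback from'
)
# Cache-busting query string of the kind used in the attack: ?<digits>=<digits>
RANDOM_QUERY_RE = re.compile(r'\?\d+=\d+$')


def find_pingback_reflection(log_text, min_blogs=3):
    """Return (flagged_lines, per_blog_counts) for reflected pingback traffic.

    A line is suspicious when it carries the pingback verification User-Agent
    *and* a random numeric query string. One blog checking one link is normal,
    so results are reported only once `min_blogs` distinct blogs are involved.
    """
    flagged = []
    per_blog = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ua = PINGBACK_UA_RE.match(m.group('ua'))
        if ua and RANDOM_QUERY_RE.search(m.group('path')):
            flagged.append(line)
            per_blog[ua.group('blog')] += 1
    if len(per_blog) < min_blogs:
        return [], Counter()
    return flagged, per_blog
```

The per-blog counts double as a list of the WordPress sites being abused, which is what you would pass to their owners when asking them to disable pingbacks.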

See the details of the attack here.

DDoS attackers have recently been applying techniques that were previously considered exotic. The most unpleasant part is that criminals are abusing legitimate and seemingly harmless things such as NTP servers or the pingback feature, which is a basic WordPress function. And while reconfiguring servers helps to ward off NTP amplification attacks, the only way to keep the WordPress pingback feature from being exploited is to disable it.


Career Trojan

A new variant of the Gameover computer Trojan (a descendant of ZeuS whose source code appeared on the Web in 2011) targeted job seekers and recruiters by attempting to steal log-in credentials for and accounts. Both sites are designed for job searching.

The Trojan performs web injections by modifying the login page so that a new ‘sign in’ button appears on the pages for and . After victims authenticate through the rogue web form, the malware injects a second page that asks them to select and answer three security questions out of 18. The answers to these questions expose additional personal information and potentially enable attackers to bypass the identity verification process.

Recruiters with accounts on employment websites should be wary of irregularities on log-in pages, especially if those accounts are tied to bank accounts and spending budgets. We also suggest checking your computer for malware.



More victims of POS malware

Personal data of more than 550,000 customers of Spec’s stores may have been stolen by malware that cybercriminals illegally placed on the payment terminals of 34 of the 150 stores owned by Spec’s.

Apparently, the cause was something similar to BlackPOS, the malicious program that helped criminals breach Target Corporation and Neiman Marcus last year.

Yet another large retail network has fallen victim to POS malware. There are logical reasons to assume that criminals will switch to smaller targets in the near future.

The point is that the Spec’s breach appears to have gone on for a long time before it was made public. The company issued a statement saying the breach is believed to have started on Oct. 31, 2012, and continued as late as March 20th 2014, i.e. for six months, which implies that the payment terminals’ protective measures were of little use, if there were any at all.

According to Spec’s representatives, it took professional forensic investigators considerable time to find and understand the problem and then make recommendations for Spec’s to fully address and fix it. The company replaced cash registers and disabled and removed the malware that had been illegally placed on its computer systems. We hope the replacements are more reliable.

It should be noted that now that the largest retail networks have finally realized the scale of the disaster and put adequate protection in place, attackers are likely to switch to smaller networks and individual shops. You had better start thinking about protection against POS malware right now.