CA Security Advisor Research Blog

The Anatomy and Deception of a Malicious URL

Mark Wade — Wed, 26 Mar 2008 22:00:00 GMT

In this article I promise deception, technological trickery, impart a bit of knowledge, insight, and all through what I hope to be an interesting read for you. I was browsing through a long list of malicious URL's and I came across an interesting URL that caught my eye, hxxp://www.yahoo550.com/...../logo.jpg?queryid=77092. Your first question might be; What is a...

PayPal Closes a Phishing Vulnerability

Stefan Berteau — Sun, 17 Feb 2008 15:44:00 GMT

Take a close look at this image. You can click to enlarge it. It looks like the PayPal login page, but some things are off. For one, the title is "Login - PayPal Phishing Proof of Concept". That is because this isn't the PayPal login page at all, but a Phishing proof of concept. It was hosted on PayPal's servers and secured with PayPal's security...

The Face of Credit Card Fraud – And What You Can Do

Benjamin Googins — Mon, 11 Feb 2008 23:50:00 GMT

The Human Story - Devil in the Details Last week I went over to a friend's house. For purposes of this writing, I will call her Daffodil. As we sat around the kitchen table, Daffodil mentioned she found a strange charge on her Visa statement -- billed to a company she never heard of and on a day she didn't use her card. She is diligent about looking over her...

USB drives infected? A quick analysis

Rossano Ferraris — Mon, 04 Feb 2008 18:48:00 GMT

by Rossano Ferraris Interestingly the new year 2008 opened its doors with a surprising news in the malware field. Hardware infected? Yes, again malware guys have showed their extraordinary fantasy to spread panic and disasters over the computer world. According to recent reports by SANS Internet Storm Center there is a new trend to transmit malwares through hardware...

Internet searches under attack: next in series

Rossano Ferraris — Tue, 15 Jan 2008 16:40:00 GMT

by Rossano Ferraris Another interesting case I would like to bring to your attention is the effect of the so-called “fake-codec” trojans. Here is what I figured out after searching the phrase “daily dawn” on the Google search engine. The screenshot reflects a blogspot webpage from the search results: There is a video displayed on the page. Out of curiosity,...

Internet searches under attack

Rossano Ferraris — Wed, 09 Jan 2008 22:30:00 GMT

by Rossano Ferraris Users are being infected with malware from a variety of sources. Unfortunately, malware authors are continually refining their technique. As I will show in this write-up, clicking on the results from innocent searches, like looking for a flight, music or news story, can infect your machine with harmful malware. The process of getting infected...

The advent of Rogue Media Players

Akhil Menon — Wed, 09 Jan 2008 13:31:00 GMT

by Akhil Menon It has been quite common in recent times that a wide variety of malware has been distributed over the Internet using the “free codec” tagline. To the user, this fake codec promises on installation sophisticated video and graphics on their computer at absolutely no cost, but in reality subjects their machine to a wide variety of malicious spyware activity. The Zlob Trojan is...

Update: Records search disabled on managemyhome.com

Stefan Berteau — Fri, 04 Jan 2008 23:36:00 GMT

This is an update to my blog post from yesterday evening. As of this afternoon, Sears has removed the "Sears Purchase History" box along with the "Find your products" button from the home profile page on managemyhome.com. Logging into the site and then attempting to access the search results page via a bookmarked URL produces the following result: As far as we...

Managemyhome.com: Another privacy issue for Sears

Stefan Berteau — Fri, 04 Jan 2008 00:33:00 GMT

"Hey Dad, did you guys by any chance buy a new sewing machine from Sears on September 30th?" "We did. How did you know that?" "I just found it listed on a Sears web site. It looks like they have another privacy problem." We were informed about managemyhome.com by Heather, who left the following comment on Benjamin...

2nd Response to Rob Harles, VP of Sears' SHC Community

Benjamin Googins — Wed, 02 Jan 2008 23:29:00 GMT

On December 29, Rob Harles, the SVP for Sears' SHC, submitted a comment to my post titled: "Sears Update: Response to Rob Harles, VP SHC Community", here is his comment in its entirety. I follow his comment with my response and disappointment. By way of reference, here are my three previous posts on this topic: 1, 2, and 3. "Author:...

Sears Update: Response to Rob Harles, VP SHC Community

Benjamin Googins — Sat, 22 Dec 2007 05:01:00 GMT

Earlier today comments were submitted by Rob Harles, VP SHC Community, to my original blog posting titled: Sears.com: Join the Community - Get Spyware using the comment feature at the bottom of the page. Unfortunately, it doesn't look like our CMS can handle a comment that large, so I am posting it in its entirety here along with my response. Rob's comments on Sear's blog...

Sears Update: Privacy Policy, Scorecard, and Genetic Heritage

Benjamin Googins — Fri, 21 Dec 2007 19:11:00 GMT

In my blog post yesterday I reported that there was a significant change in how the privacy policy for My SHC Community reads - replacing straightforward language with vague legal language (see section: The Privacy Policy). What I have come to learn is that if you navigate to http://www.myshccommunity.com/Privacy.aspx you could actually get one of two policies. One of these...

Sears.com: Join the Community – Get Spyware

Benjamin Googins — Thu, 20 Dec 2007 15:30:00 GMT

Update to this blog here. While Christmas shopping online this season, be careful what you are signing up for. Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage - including banking...

Facebook’s Beacon is Improved, But Remains a Threat

Benjamin Googins — Tue, 11 Dec 2007 21:59:00 GMT

Last week, Facebook made positive changes to their Privacy Policy. This update states that Facebook discards user data coming from users who are logged out or who are not Facebook users. The addendum to Facebook's Privacy Policy is as follows and can be found here: "Facebook Beacon is a means of sharing actions you have taken on third...

NTLM Authentication: Old Password Usable After Password Changed

Eugene Bodenshtein — Tue, 11 Dec 2007 21:43:00 GMT

Did you know, that when you change your NT password, the old one is still active and can be used for authentication into Active Directory or even to map a network drive for the next hour? NTLM (NT LAN Manager) is a Microsoft authentication protocol used to authenticate clients in various Microsoft network protocol implementations, including Active Directory, Exchange Server services...