Monday, October 28, 2013

A Prominent American Express Phish

Every once in a while we see a spam campaign where we dig into the complexity expecting to find malware, and find instead that the criminal has simply built an extremely fool-proof phishing system for their daily phish. Such was the case with an American Express phishing campaign that we saw today over at Malcovery Security.

The spam messages started flowing shortly before 9 AM, and by 10:30 we had received 548 copies of a spam email that looked like this:

The subject line was always "Fraud Alert: Irregular Card Activity"

The From address was always "American Express (fraud@aexp.com)"

But the highlighted link that claims it will take you to https://www.americanexpress.com/ actually goes to one of 419 URLs on one of 57 compromised webservers. The list of servers is:

On each server there was a selection of randomly chosen dictionary-word directory names, each followed by "/index.html", such as:

/lipid/index.html
/juno/index.html
/tarnished/index.html
/linker/index.html
/musicologist/index.html
/village/index.html
/mered/index.html
/satan/index.html
/laconic/index.html
/parsons/index.html
/strayed/index.html
Each of those index.html pages was actually a redirector that posted a message in a box that said "Connecting to server..." while it tried to load one of three JavaScript files from three different locations. Between all of the boxes, we saw a total of ten of these JavaScript files:

Each of THOSE files in turn did a "document.location" redirection to one of the three actual phishing sites:
steelhorsecomputers[.]net/americanexpress/
birddogpaperandhome[.]com/americanexpress/
cyfairfamilyfest[.]com/americanexpress/
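As an added defender-side illustration (not code from the original post or from Malcovery), this Python snippet reproduces the two checks the chain above invites: flagging an e-mail link whose visible text names americanexpress.com while its href points somewhere else, and walking the index.html -> .js -> document.location hops using offline content. The hosts and page bodies are constructed stand-ins, not the campaign's real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign above; every host is a hypothetical placeholder.
EMAIL_HTML = '<p>Please verify at <a href="http://compromised.example/lipid/index.html">https://www.americanexpress.com/</a></p>'
FETCHED = {  # offline stand-ins for fetched content: dictionary-word redirector -> JS hop -> phish
    "http://compromised.example/lipid/index.html": '<div>Connecting to server...</div><script src="http://js-host.example/boers/ghostwrote.js"></script>',
    "http://js-host.example/boers/ghostwrote.js": 'document.location = "http://phish-host.example/americanexpress/";',
}
LOCATION_RE = re.compile(r"(?:document|window)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']")

class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags and external <script src> URLs."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts, self._href, self._text = [], [], None, ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], ""
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def mismatched_links(html):
    """Links whose visible text names a host other than the one the href actually goes to."""
    p = LinkParser()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if "://" in text and urlparse(text).hostname != urlparse(href).hostname]

def follow_chain(start, fetched, limit=10):
    """Walk redirector -> script -> document.location hops using only the offline content."""
    chain, url = [start], start
    while url in fetched and len(chain) < limit:
        m = LOCATION_RE.search(fetched[url])   # JS hop: document.location = "..."
        p = LinkParser()
        p.feed(fetched[url])                   # HTML hop: <script src="...">
        url = m.group(1) if m else (p.scripts[0] if p.scripts else None)
        if url is None:
            break
        chain.append(url)
    return chain
```

Against real mail, the same two functions run over the message body and over content captured in a sandbox; the chain's final host is what gets blocklisted and reported.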

Here's the Phish Walk Through once we finally arrive at one of the three destination phishing sites:


First they ask for the Userid and password


Then the Social Security number, your birthdate, your mother's maiden name, her birthdate, and a PIN.


Now the card number . . .


And the expiration date . . .


And finally your 5,000 Reward points are awarded, and you are forwarded to the actual AmEx page.

So, to gather the userid and password of a few hundred American Express card holders, the phisher today was willing and able to break into SEVENTY web servers ... 57 used in the spam ... 10 more used for the JavaScript redirection scripts ... and 3 used for the actual phishing hosts.

Quite an elaborate scheme. We'll be talking about MORE elaborate phishing schemes and webserver compromises in our Malcovery Webinar on Halloween Day, October 31, 2013 @ 1:00 Eastern / noon Central -- "How Threat Intelligence Reveals The Scariest Cyber Attacks" -- (click the link to Register)

Sunday, October 20, 2013

MGMT - OPTIMIZER


Still image of Andrew Benson visual for the Optimizer

MGMT has released their third album, a self-titled LP, along with two psychedelic visual projects launched together with it. One is called "Optimizer", an immersive audio and visual experience that accompanies the new album for its full 44-minute run time. It was directed and edited by Alejandro Miguel Justino Crawford, who mixed visuals produced by Andrew Benson, Chris Timms, Geoffrey Lillemon and Emilio Gomariz. The Optimizer comes with the album when you buy it on iTunes.
The second visual and interactive project is their own website, whoismgmt.com, whose background features the already classic distortion and melting aesthetic of Chris Shier, who built an interactive painting website that works in multiuser mode: everyone who is on the website paints together on the same canvas in real time. For this occasion Chris has put several easter eggs on the keyboard keys to change the colours and look of the different strokes, and another one to create "G"ifs of cropped areas of the painting process. Try it! See more;


Multiuser painting website by Chris Shier

"Optimizer" directed and edited by Alejandro Miguel Justino Crawford
(Below are some still images from the individual works from the different artists to create the Optimizer, courtesy MGMT)

Andrew Benson
http://pixlpa.com/

Thursday, October 17, 2013

_playGnd by Nick Briz



Nick Briz launched a few weeks ago an excellent and fun platform to learn and play with WebGL, called _playGnd, a perfect introduction to WebGL and its possibilities, working through animated three-dimensional objects on the web. I find this project very interesting, especially for those who are not into programming and might think that WebGL is too complex.
The _playGnd has three simple sections, which Nick has explained very well through a video tutorial series that gets you started generating three-dimensional environments easily, using pre-programmed functions and by copying, pasting and modifying code from different libraries. These are the 3 sections, explained in the post: the [1] graphix[toCode] interface, the [2] realtime editor, && the [3] sketches archive. See more;

[1] graphix[toCode] interface
http://threejsplaygnd.brangerbriz.net/gui/

"Software is the medium that is not a medium. [...] Code is never viewed as it is. Instead code must be compiled, interpreted, parsed, and otherwise driven into hiding by still larger globs of code. Hence the principle of obfuscation." - Alexander Galloway, The Interface Effect (2012)

"In this first section you generate code for basic three.js geometry using a GUI (graphical user interface). Traditionally GUI’s ‘obfuscate’ code. In the interest of making things more accessible they hide the code, and as a consequence compromise digital literacy. In the _playGnd the GUI is still concerned with accessibility, but in a way that augments the code rather than obfuscating it." - Nick Briz


"An iPhone is not technology, it's packaging and conventions. [...] Your software choices are like any addiction or religion, they want your loyalty and they want your money and they want you to think like them. [...] it's culture politics masquerading as technology." - Ted Nelson, The Myth of Technology/Computers for Cynics(2012)

"Traditionally we don’t tend to think of our tools as being ‘political’, but software isn’t neutral. It reflects and imposes the politix of the folks who create it (some, like Galloway, argue it is itself ideology). The _playGnd is no less political and no less bias than any other digital tool, but it stems from a different ethic (an experimental new-media art ethic). For this reason you’ll notice that the editor is a little bit different from the conventional. First, it’s built into the browser + shares the same space as your sketch, which allows for immediate feedback >> you can experiment, tinker, play in ‘realtime.’ Second, the editor includes a ‘snippets’ menu to encourage copying + pasting + modifying + collaging code." - Nick Briz


"After you finish working on a sketch in the editor you can ‘archive_it’, which adds your sketch to the xanalogically inspired archive. You can view all the other sketches saved from the _playGnd in the archives as well as remix (fork + edit your own variation of) any sketch in the archive." - Nick Briz

Credits: _playGnd has been built on the shoulders of these open source projects: three.js (most importantly), HTML Editor (heavily modified version), CodeMirror, and dat.GUI. It also makes use of AsciiEffect.js (by zz85), CSS3DRenderer.js (by mr doob), Detector.js (by alteredq + mr doob), ShaderToon.js (by alteredq + mr doob), proxy.php (by Abdul Qabiz), and tween.js (by sole). Some great help from Branger_Briz. Inspired by the ideas/worx of Katie Salen, Mary Flanagan, Alexander Galloway, Martin Heidegger, Marshall McLuhan, and most importantly Ted Nelson && mr doob.

More info about all the credits and inspiration that Nick took to build this platform is on the bottom of this page.

The following still images are some tests made by different artists for the launch of _playGnd; click on the images to see them. To check out the whole (already big) archive, go here.


firstStudy without plane by Emilie Gervais


Moody Vibes by Claudia Maté


Rock/through/2planez by Jenifer Chan


Tuesday, October 15, 2013

Gamut Warning by Jordan Tate



Denny Gallery presented a few weeks ago the first solo gallery exhibition in New York City of Jordan Tate, titled Gamut Warning and running until October 20, 2013.

"Jordan Tate’s work represents a shift away from the understanding of photography as mechanical reproduction and an acknowledgement of the image-maker as the mediator of sight. Tate explores process and practice in contemporary visual culture. His work is based in ongoing research/meta-photographic critique concerning the visual and conceptual processes of image comprehension." - Denny Gallery. See more;

"The exhibition will include a selection of recent work by Jordan Tate, notably featuring New Work #150 (Gamut Warning), 2012. Gamut Warning consists of three distinct iterations: 24 color photographs, a large-run newsprint artist’s book, and a PDF e-book. He uses the different forms of image delivery to examine how images are created, produced and viewed. His work often focuses on the technologies and physical practice of making photographs. In Gamut Warning, for example, we see lights, color reference cards, human hands setting things up and arranging subjects, color gradients, slide holders and a machine vision camera. The works in the exhibition question the institutional authority behind our understanding of images and suggest that authorship, medium and context, rather than the reality of an image’s referent, have the greatest influence on what we understand from an image." - Denny Gallery