Archive for October, 2007

Hunting Cybercrooks

Wednesday, October 31st, 2007
The cybersleuths who helped smoke out some of the biggest crooks online can be as reclusive as their prey. Tucked inside an inconspicuous office in a business park on the banks of the Monongahela River, two dozen employees of the National Cyber-Forensics & Training Alliance quietly peck away at PCs in small cubicles. Here, the nation's cyberequivalent of CSI relies on a computer lab that simulates Internet attacks and diagnostic tools that extract clues from tainted PCs and suspicious Web sites. Yet few people are aware of the non-profit group.

"I chuckle whenever people complain nothing is being done to stop cybercrime," says investigator Sarah Patrick, who -- like a dozen other college students -- monitors Web sites and chat rooms from a desktop computer in a small, unadorned cubicle. "What have I been doing the past nine months?"

That was abundantly clear in August, when a Justice Department sting led to 160 arrests, including dozens of spammers and online fraudsters. Key evidence came from NCFTA, whose discoveries could fetch more arrests. "We're at the start -- not the end -- of a major crackdown on digital crime," FBI Special Agent Tom Grasso says. As consumer losses to online fraud mount, the FBI has identified cybercrime as one of its top priorities, behind terrorism and counterintelligence.

Lab work

The rugged mountains of western Pennsylvania seem more suited for deer hunting than for hunting the Internet's most-wanted criminals. But Pittsburgh is considered a digital epicenter by federal officials. It is also home to Carnegie Mellon University's CERT Coordination Center and near the FBI's Internet Crime Complaint Center (IC3) and finger-printing facility, both in West Virginia.

NCFTA was established in 2002 as an extension of the Pittsburgh High Tech Crimes Task Force, a team of federal, state and local law enforcement officials. The federal government, private industry and academia underwrite NCFTA's annual bud ..

n404 Exploit URLs

Wednesday, October 31st, 2007
(10/15/2007) NCFTA was alerted to the existence of a web-based kit known as n404, sometimes referred to as n404-X. Similar to MPACK and WebAttacker, this exploit allows hackers to create malicious and automated websites. The kit is named after HTTP error code 404, and contains nine different malicious URLs which are signified by the X in n404-X. “The X represents the numbers 1 through 9, meaning the HTML pages evolve and change every 5 to 10 minutes, thus producing more malicious pages. Currently there are 130 plus sites.” When the links containing the exploit are clicked, they resolve to an HTTP error page. In actuality, each URL points to a webpage containing obfuscated exploit code attempting to utilize a specific vulnerability. This allows hackers to control the type of malicious files downloaded and also to install more malicious files. http://www.ncfta.net/alerts.asp?id=92
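The alert's core point is that a page which reads as an HTTP 404 can still carry script content. The triage check below is an added example, not code from NCFTA or from the alert; the marker list, function names and sample pages are assumptions constructed for illustration, not signatures of the n404 kit.

```python
import re
from html.parser import HTMLParser

# Heuristic markers (assumed for illustration; not signatures from the alert).
OBFUSCATION = {
    "eval/unescape call": re.compile(r"\b(?:eval|unescape)\s*\(", re.I),
    "String.fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "long percent-encoded run": re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),
}
ERROR_TEXT = re.compile(r"\b404\b|not found|cannot be found", re.I)
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class _Splitter(HTMLParser):
    """Separate visible text from script bodies and record active-content tags."""
    def __init__(self):
        super().__init__()
        self.visible, self.scripts, self.active = [], [], set()
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.add(tag)
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.scripts if self._in_script else self.visible).append(data)

def assess_error_page(html):
    """Return review leads for a page whose visible text reads as an HTTP 404."""
    parser = _Splitter()
    parser.feed(html)
    parser.close()
    if not ERROR_TEXT.search(" ".join(parser.visible)):
        return []  # page does not present itself as an error page
    leads = [f"active content: <{tag}>" for tag in sorted(parser.active)]
    script = "\n".join(parser.scripts)
    leads += [name for name, rx in OBFUSCATION.items() if rx.search(script)]
    return leads

# Constructed samples: a plain 404 body, and one carrying an encoded but harmless script.
GENUINE_404 = ("<html><head><title>404 Not Found</title></head><body>"
               "<h1>Not Found</h1><p>The requested URL was not found.</p></body></html>")
SUSPECT_404 = ("<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
               '<script>document.write(unescape("%70%6c%61%63%65%68%6f%6c%64%65%72"));'
               "</script></body></html>")
```

An empty list means the page either is not styled as an error page or is an error page with no active content; any returned lead is a reason for an analyst to inspect the body, not a verdict.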

Phishing Attempts Detected on Equifax Customers

Wednesday, October 31st, 2007
Here is yet another reminder that emails that appear to come from legitimate sources...most likely are not legitimate at all. Do not let the bad guys trick you.

"Phishing Attempts Detected on Equifax Customers

Dear Equifax Customers,

We’re sorry to inform you about a recent “phishing” attack on Equifax. "Phishing" or "spoofing" is an e-mail threat where fraudulent e-mails appear to be from a well-known company and ask you to provide, update or confirm certain confidential information – such as User ID or password.

This week, we detected e-mail phishing activity by fraudsters attempting to solicit sensitive personal information, including user IDs and passwords, from Equifax customers and consumers. For your protection, please know that Equifax never sends out requests for personal information via e-mail or phone. If you received an e-mail that appears to be from Equifax and requests personal information, please do not respond and delete the e-mail immediately.

If you did respond to an e-mail that appears to have been from Equifax, and you provided personal information, such as your user ID and password, please let us know by following the “Contact Us” links from www.equifax.com so we can assist you further. As a general rule, to help safeguard your identity – we recommend that you never click anywhere within a suspected “phishing” or “spoofing” e-mail, and never hit “reply”.

At Equifax, your privacy is extremely important to us and we wanted you to know about this unfortunate situation. Your continued trust and confidence in Equifax is greatly appreciated.

Sincerely,
Your Equifax Personal Solutions team."

Remote Code Execution

Tuesday, October 30th, 2007
Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. Microsoft is aware of proof of concept code that has been posted publicly and is continuing to investigate public reports. We are also aware of attacks that try to use the reported vulnerability. This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.