Information Security Newsletter

Special Bulletin Posted 01/09/2009

Malicious Code Circulating via Israel/Hamas Conflict Spam Messages
There are many reports in the media recently of hackers defacing websites and other types of cyber warfare due to the ongoing conflict between Israel and Hamas. Spammers never miss a chance to exploit the latest news to try to trick people into opening their poisonous emails, and this latest war is no exception.

US-CERT has sent out a bulletin to let us know that they are aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza. These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body. If users click on this link, they are redirected to a bogus CNN website that appears to contain a video.

Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is not a legitimate Adobe Flash Player update; it is malicious code. If users download this executable file, malicious code may be installed on their systems.

This is just another twist on an old trick. Using the latest news to entice you and then trying to get you to load a "video player" has been used over and over again. Be aware of these types of scams and make sure your friends and family are aware as well.

Newsletter Posted 01/07/2009

Our latest newsletter is posted below. In case you missed our last ones they are still available in our archives.

All of our latest newsletter content is now available via RSS feed. In case you don't know how to subscribe to RSS feeds and missed the tip where I gave instructions on how to do so - I've archived that tip here.

This Week's Trends
Welcome to our first newsletter in 2009! The attackers didn't take a vacation unfortunately, so there is plenty of news to share.

Of course we saw plenty of holiday-themed scams as usual, and this year is starting out with problems at Twitter, one of the exciting new Web communication services that has become popular. As always, when you become popular you also become a target.

The other scam du jour that is growing by leaps and bounds is the fake antivirus/antispyware scam. There are several examples of those in the news these days and we have included some examples below.

2009 will be a challenging year for all of us, but also a year of hope and rebuilding. Be careful and have courage. We can only get through this by working together.

Several Security Researchers Report Holiday eCard Scams
US-CERT is aware of reports from several security researchers that the Waledac worm is currently propagating via phony holiday e-card messages, a tactic common in seasonal malware campaigns of the past. The worm's download sites are being hosted across a fast-flux network utilizing multiple nameservers and domain names.

New malware is spreading via Christmas and holiday greetings, security researchers said today, a tactic reminiscent of those used last season by the notorious Storm Trojan horse.

Researchers at the Bach Khoa Internetwork Security Center in Hanoi, Vietnam, reported today that a new piece of malware, dubbed "XmasStorm" by the center, is spreading through holiday-themed spam.

Touting subject lines such as "Merry Xmas!" and "Merry Christmas card for you!" the spam includes links to sites that purportedly host electronic greeting cards waiting for the recipients. In fact, the sites are serving up malware that hijacks the visiting PC, then installs a bot that waits for commands from the hacker controllers.

These types of scams are no news to experienced and sophisticated web surfers, but we can expect to see many more of them as the year goes on. Expect the next round to hit with love themes around Valentine's Day. Be aware of these scams and don't be a victim.

Scammers Use Microsoft and IRS Web Sites to Install Viruses on Computers
Recently, criminals have been installing phony security applications that claim a user has viruses and then take the user to their Web site, demanding money to get rid of them. One report states that these companies are able to make $5 million a year by charging $40 or $50 to get rid of nonexistent viruses.

Microsoft has been fighting back. A recent update of their Malicious Software Removal Tool was able to remove “Antivirus 2009” from almost 400,000 PCs. Antivirus 2009 installs itself on a computer when the user visits a Web site. The bogus security application then begins to annoy users with pop-ups and warnings.

There is a new technique for luring unsuspecting users into installing viruses on their systems. Criminals will use a combination of Search Engine Optimization techniques and common redirects to disseminate their fake anti-virus scams.

Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama, who first reported the activity on his blog.

Many websites use redirector links to take visitors away from the site, although the web site operators try to stop them from being misused by scammers. If criminals can use a redirector on a major website like Microsoft's or IRS's, however, they can make their malicious links pop up very high in Google search results, said Warner. "Microsoft is a super-powerful site as far as search engine weight is concerned," he said.

The bad guys have tricked search engines into returning their malicious links to tens of thousands of search terms, Warner said. They've done this by using special software to add these redirector links to "tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet," Warner said in his blog posting.
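The redirector abuse Warner describes works because the endpoint forwards to any host. The following is an added example (not code from Microsoft, the IRS or any site named above) of the fix a site operator would apply: resolve the redirect target and allow only same-site paths or an explicit allowlist, then use the same check to find past hits that would have been refused. The host names, allowlist and log lines are constructed for the example.

```python
"""Hardening a site redirector against the abuse described above.

Added illustration (not code from any site named in the article): a redirector
endpoint takes a URL parameter and sends the browser there. If it forwards to
any host, the trusted domain becomes a relay for attacker links and lends them
its search-engine weight. The fix is to resolve the target and allow only
same-site paths or an explicit allowlist of external hosts.
"""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Hypothetical site settings, constructed for this example.
SITE_HOST = "www.example.gov"
ALLOWED_EXTERNAL_HOSTS = {"partner.example.org"}


def resolve_redirect(target, site_host=SITE_HOST, allowed=ALLOWED_EXTERNAL_HOSTS):
    """Return the absolute URL to redirect to, or None if the target is refused."""
    if not isinstance(target, str) or not target:
        return None
    # Browsers treat "\" like "/" in URLs, so "/\evil.test" would parse here as a
    # local path but land the user on evil.test; normalise before parsing.
    target = target.replace("\\", "/")
    # Two or more leading slashes are scheme-relative to a browser (//evil.test,
    # ///evil.test), whatever urlsplit makes of them; make the host explicit.
    if target.startswith("//"):
        target = "https://" + target.lstrip("/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, file: and friends
    if parts.scheme and not parts.netloc:
        return None  # "http:/evil.test" is read by browsers as a host, not a path
    if parts.netloc:
        host = (parts.hostname or "").lower()  # drops userinfo ("site@evil") and port
        if host != site_host and host not in allowed:
            return None  # exact match only, so "www.example.gov.evil.test" is refused
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    if not parts.path.startswith("/"):
        return None  # insist on a site-absolute path; bare "foo" is refused
    return urlunsplit(("https", site_host, parts.path, parts.query, ""))


# Detection side: which past redirector hits would the hardened check have refused?
# Constructed access-log lines (combined-log style; url parameter left unencoded
# for readability).
LOG_LINES = [
    '203.0.113.5 - - [05/Jan/2009:10:01:02 -0800] "GET /redirect?url=/news/story?id=7 HTTP/1.1" 302 -',
    '203.0.113.9 - - [05/Jan/2009:10:01:09 -0800] "GET /redirect?url=http://evil.test/av2009.exe HTTP/1.1" 302 -',
    '198.51.100.2 - - [05/Jan/2009:10:02:11 -0800] "GET /redirect?url=//evil.test/scan HTTP/1.1" 302 -',
    '198.51.100.7 - - [05/Jan/2009:10:03:40 -0800] "GET /index.html HTTP/1.1" 200 -',
]
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')


def flag_abused_redirects(log_lines, path="/redirect", param="url"):
    """Return (line number, target) for redirector hits whose target is refused."""
    flagged = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        request = urlsplit(match.group(1))
        if request.path != path:
            continue
        for target in parse_qs(request.query).get(param, []):
            if resolve_redirect(target) is None:
                flagged.append((number, target))
    return flagged


if __name__ == "__main__":
    for number, target in flag_abused_redirects(LOG_LINES):
        print(f"line {number}: refused redirect target {target!r}")
```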

One example of this fake anti-virus software (also called "scareware") installs a keylogger on the victim's computer, presumably to steal login names and passwords, and also launches fake warning popups on every web page that the victim visits telling him he needs to buy anti-virus software, called System Security. The price for the fake product? A believable-sounding $51.45.

The FTC estimates that 1 million consumers were taken in by other fake anti-virus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. On 10 December a federal court ordered two companies, Innovative Marketing and ByteHosting Internet Services, to stop promoting these products.

It is always a good practice to type in any web address instead of following links to avoid these types of scams. Also, be very suspicious of any antivirus pop ups or advertising that comes over your web browser or an email message. There are many good, legitimate and inexpensive or even free antivirus solutions out there, so avoid anything you're not sure about.

New Critical XSS Flaw Plagues Facebook
A new cross-site scripting vulnerability affecting the Facebook social networking Web site has been disclosed on the XSSed project’s website.

The flaw allows for injection of potentially malicious code. The XSSed report credits security researcher DaiMon with the discovery of this latest threat.

According to Alexa, Facebook currently has a global page rank of 5 and, as one of the XSSed Project’s co-founders points out, this significantly increases the flaw’s attack potential. “Malicious users can inject code to phish credentials and other sensitive personal information from millions of Facebook members,” he explains.

Facebook will no doubt address this as quickly as possible. But in the meantime be very careful if you are a member of this social network.

Digital Picture Frame Viruses Back for Christmas
Purchasers of some models of Samsung digital picture frames received warnings earlier this week, following the discovery that a six-month-old computer virus had hitched a ride on the devices.

The file-infecting virus, known as W32.Salty.AE, compromised version 1.08 of the Samsung Frame Manager software for Windows XP that comes preinstalled on some of Samsung's frames, according to an alert published earlier this month by the company. Some purchasers of the Samsung SPF-85H 8-Inch Digital Photo Frame from Amazon.com received a warning from the online retailer about the virus.

"The alert involves the SPF-85H 8-Inch Digital Photo Frames w/1GB Internal Memory, designed to work with Windows-based PCs via a USB connector," the warning states. "They were sold between October and December 2008 for about $150. ... If you are using Vista or a different version of Frame Manager, this issue does not affect you."

Security experts first flagged digital picture frames as a danger a year ago, when several models of the devices were found to be carrying Trojan horses. Last holiday season, a number of consumers reported that photo frames -- small flat-panel displays for displaying digital images -- received over the holidays attempted to install malicious code on their computer systems. In January, consumer technology store Best Buy pulled its Insignia-branded 10.4-inch digital picture frame from store shelves, acknowledging that it found some devices infected with an older computer virus.

Samsung recommends using antivirus software to quarantine W32.Salty, and then installing version 1.082 of its Frame Manager software.

Trend Micro's Free Antivirus Scanner Hit by Bug
Windows users are under threat from a bug in Trend Micro’s free online virus scanning service, warn security researchers.

Attackers able to dupe users into visiting a malicious Web page could exploit a vulnerability in the custom ActiveX control that Trend Micro distributes to users of its free HouseCall service, said Danish bug tracker Secunia in an alert. HouseCall bills itself as a free scanning tool that checks “whether your computer has been infected by viruses, spyware, or other malware.”

Trend Micro has fixed the flaw in the ActiveX control and patched the public HouseCall servers, but it noted that the latter has not been extensively tested, and essentially waived responsibility if it turns out not to be sufficient. “This hot fix was developed as a workaround or solution to a customer-reported problem. As such, this hot fix has received limited testing and has not been certified as an official product update,” Trend Micro said in its own advisory. “Consequently, this hot fix is provided ‘as is.’ Trend Micro makes no warranty or promise about the operation or performance of this hot fix nor does it warrant that this hot fix is error free.”

Users running Microsoft Corp.’s Internet Explorer — the only browser that requires the ActiveX control — should run Version 6.6 of the service, rather than the older HouseCall 6.5, said Secunia. Companies running HouseCall Server in-house should request the HouseCall 6.6 Hot Fix Build 1285 update through their normal support channels, Trend Micro advised.

Twitter Detected Phishing Scam
The social networking Web site Twitter announced over the weekend that it has detected a phishing scam on its Web site. A message on the Web site warns users to be suspicious about links that redirect them to Web sites looking similar to those on Twitter.com and request them to enter their login credentials.

The co-founder of Twitter posted a message on the company blog in which he admitted that there is a phishing swindle “directed at Twitter users” consisting of emails that are automatically sent to users’ inboxes and look very similar to personal notification messages. The emails contain text such as “hey! check out this funny blog about you?” and “Hey, i found a website with your pic on it? LOL check it out here.” He added that users should always log on to Twitter through the homepage only, as it is the most secure way to do it. However, many of them use third party services or other Web pages to do this, so they will not be so mistrustful when they have to enter their user name and password on the Web site provided by the fake email message.

Twitter announced that it would reset passwords of users that have been scammed, but it also recommends that all users should do the same in order to be sure that their information is not stolen and used to defraud others, too. Also, as noted above - always log into Twitter through their homepage.

Hackers Hijack Obama's, Britney's Twitter Accounts
In a scam first thought to be related to the phishing scam noted above, but later found to be a separate incident - hackers hijacked the Twitter accounts of more than 30 celebrities and organizations, including President-elect Barack Obama, Britney Spears and Fox News, early on Monday, the company confirmed.

"This morning we discovered 33 Twitter accounts had been 'hacked,' including prominent Twitter-ers like Rick Sanchez and Barack Obama," Twitter co-founder Biz Stone said in a post to the company blog. "We immediately locked down the accounts and investigated the issue. Rick, Barack and others are now back in control of their accounts."

Earlier in the day, the hacked accounts had been used to send malicious messages, many of them offensive. CNN correspondent Rick Sanchez's account, for example, tweeted a message claiming that "i am high on crack right now might not be coming to work today," while Fox News' Twitter update reported "Breaking: Bill O Riley [sic] is gay," referring to the network's conservative talk show host.

According to Twitter, the accounts were hijacked using the company's own internal support tools. "These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can't remember or get stuck," Stone admitted. "We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure."

Security Risk in Pirated Copies of Windows 7
Security professionals are warning that installing pirated leaked copies of Microsoft’s Windows 7 operating system is highly risky. (Duh!)

Pirate versions of an early build of Microsoft’s latest operating system are available on file-sharing networks. Windows 7 is under final developer testing ahead of an expected commercial release later this month. But security firm Fortify Software says there is no way of knowing whether or not hackers have tampered with the 2.44Gbyte file.

Anyone downloading and installing the operating system could find their PC generating malware, denial of service attacks, and spam, said Fortify. It is highly unlikely that any IT security application will protect users from internally coded malware in the operating system, said the director of product marketing at Fortify. “Fall-out from using an unofficial version of the new operating system could be quite severe,” he said.

OK, this should be obvious - but dealing in any kind of pirated software, from operating systems to audio or video files is and always has been extremely dangerous. A large majority of these types of files are infected with malware. And that's not to mention the fact that it is ILLEGAL! (and people ARE being prosecuted)

New Scams Using Current News Items
Webroot has detected a new string of rogue antivirus applications that use URLs related to Continental Flight 1404 and other current news to manipulate consumers into purchasing phony Internet security protection. The URLs link to a download site which triggers a series of fake infection and firewall pop-up messages, bearing the generic name "Spyware Guard 2008."

"Cybercriminals are capitalizing on the Continental Flight 1404 incident and other news catching the nation's attention, including NFL game results and regional holiday events, and they're programming fraudulent Web site links to appear near the top of search engine results," said Paul Lipman, senior vice president and general manager of Webroot's Desktop Business.

"As a result, consumers can easily click on a link that leads to deceptive messaging from a seemingly trusted source, and subsequently share personal information to purchase fake software. We encourage anyone searching for news online to be skeptical of unfamiliar URLs, and to protect themselves by having a legitimate antispyware, antivirus and firewall software in place."

This is yet another tactic being used by the "scareware" criminals. As noted above you should never believe antivirus messages delivered from your browser or an email. Use well known antivirus software and keep it up to date.

Bogus LinkedIn Profiles Punt Malware (Free HINT: Beyonce is NOT your friend!)
Bogus profiles on social networking website LinkedIn are punting malware to the credulous and starstruck.

Fraudulent accounts in the name of celebrities such as Beyoncé Knowles, Victoria Beckham, Salma Hayek and others are littered with links that take surfers to sites harbouring malware, Trend Micro reports. The attack - which is still under investigation - represents a web 2.0 update of the old hacker trick of baiting infectious email attachments with celebrity lures.

As if to reinforce the point, one of the fraudulent profiles is registered in the name of Paris Hilton and tempts the foolhardy with supposed links to her infamous sex tapes.

Another bogus profile created in the name of Beyoncé Knowles claims to offer nude pics of the shapely singer. A quick search of LinkedIn reveals that the offending profile has since been purged. We can expect the other fraudulent registrations to also disappear in short order.

Security researchers have identified that at least some of the maliciously constructed profiles punted malicious scripts, specifically the Decdec-A Javascript code, linked to Trojan attacks.

If you are a member of LinkedIn (or other social networking sites) - be skeptical if you get an invite from a celebrity to be friends (Did I say 'Duh!' already?).

Zune Freeze Result of Leap Year: Microsoft
It was the Z2k problem after all, a glitch related to the inability of the device clock to handle the extra day in a leap year that froze thousands of Zune media players Wednesday morning.

"A bug in the internal clock driver related to the way the device handles a leap year affected Zune users," said the company in a statement. "That being the case, the issue should be resolved over the next 24 hours as the time change moves to January 1, 2009."

Early Wednesday users worldwide woke to find their 30GB Zune devices freezing. Without an immediate response from Microsoft, users flooded support groups and blogs to speculate on what could have gone wrong. Many suggested that Zune devices may have been facing the equivalent of the feared Y2k bug, a glitch that was supposed to fell computers in year 2000 as many older programs used the last two digits to represent the year instead of the whole four digits.

Zune users suspected something similar might have occurred with the player, as its internal clock may have been incapable of handling the extra day in the year. Now Microsoft says they were right. The company said the "widespread" issue affected the 2006 30GB model of the device.

The problem should fix itself, says Microsoft. The internal clock on the Zune 30GB devices should automatically reset January 1st at noon GMT.

"By tomorrow [Jan 1st] you should allow the battery to fully run out of power before the unit can restart successfully then simply ensure that your device is recharged, then turn it back on," said Microsoft in a statement.

Microsoft recommended users with frozen Zunes just let the battery drain out instead of opening up the device.

Zune Pass subscribers may need to sync their device with their PCs to refresh the rights to the subscription content on their device.
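The freeze above is a boundary-condition bug: a day counter that is converted to a year by subtracting whole years can make no progress on the 366th day of a leap year, and the device hangs until the counter moves on to January 1. The block below is an added illustration of that failure mode and its fix; it is not the Zune's actual clock-driver code (which the article does not show), and the 1980 epoch and day numbering are assumptions made for the example.

```python
"""Why a day counter can hang on December 31 of a leap year.

Added illustration, not the actual Zune clock-driver code: a count of days
since an epoch is turned into (year, day-of-year) by subtracting whole years in
a loop. If the loop only exits when 365 or fewer days remain, day 366 of a leap
year satisfies neither the "exit" nor the "subtract a year" condition, so the
loop spins forever and the device appears frozen.
"""
import datetime

EPOCH_YEAR = 1980  # assumed epoch: day 1 is January 1 of this year


def is_leap(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_to_year_buggy(days, max_iter=10000):
    """Faulty conversion. Returns (year, day_of_year), or None when the loop would
    never finish (an iteration guard stands in for the hang so the example runs)."""
    year = EPOCH_YEAR
    for _ in range(max_iter):
        if days <= 365:
            return year, days
        if is_leap(year):
            if days > 366:      # exactly 366 fires neither branch: no progress
                days -= 366
                year += 1
        else:
            days -= 365
            year += 1
    return None  # stuck on day 366 of a leap year


def days_to_year_fixed(days):
    """Correct conversion: the exit test uses the length of the current year."""
    year = EPOCH_YEAR
    while True:
        length = 366 if is_leap(year) else 365
        if days <= length:
            return year, days
        days -= length
        year += 1


def day_number(year, month, day):
    """Day counter for a calendar date (day 1 = January 1 of EPOCH_YEAR)."""
    return (datetime.date(year, month, day) - datetime.date(EPOCH_YEAR, 1, 1)).days + 1


if __name__ == "__main__":
    for date in ((2008, 12, 30), (2008, 12, 31), (2009, 1, 1)):
        n = day_number(*date)
        print(date, "day", n, "buggy:", days_to_year_buggy(n), "fixed:", days_to_year_fixed(n))
```

Run stand-alone, the buggy conversion returns a result for December 30, 2008 and for January 1, 2009 but none for December 31, 2008, matching the one-day outage the article describes.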

Google Calendar Phishing Scam Resurfaces
A phishing campaign that makes use of the Google Calendar features was recently distributed to the users of the service. The same techniques were employed by another Google Calendar-based phishing scam that made the rounds during May and June 2008.

According to a report by Graham Cluley, senior technology consultant for anti-virus vendor Sophos, the scam consists of event invitations that attempt to socially engineer accounts and passwords out of unsuspecting users. The invitations originate from e-mail addresses of the form customerservice####@gmail.com (# represents a digit), which have been registered by the scammers specifically for this purpose.

The event is called “DEAR ACCOUNT USER,” and the invitations are addressed to the users' names that have been provided for the e-mail accounts. Many times, this happens to be a person's real name and, as a result, it increases the credibility of the invitation. This outcome is facilitated by Google, as the invitations are not fake and are really sent through the Google Calendar service.

Choosing to view more details will take a user to the calendar event page that claims to be an alert from Gmail Customer Care, which informs them that their account has been selected for deletion. “We are having congestions due to the anonymous registration of Gmail accounts, so we are shutting down some Gmail accounts and your account was among those to be deleted.” The message also claims that, in order to avoid having the account closed, a user needs to confirm that they are still using it by submitting their username, password, date of birth, and country.

There are several obvious reasons why individuals should be on the alert when it comes to this e-mail. For one thing, despite the scammers' efforts to increase the credibility of the Google Calendar event invitation, the name displayed for the sender's e-mail address is misspelled - “Customer Varification.” The second thing that should set off alarm bells is the inconsistencies and poor grammar of the event description. For example, the message claims that this alert has been sent to all Gmail users, but then goes on to suggest that one has received it because their account was amongst the ones selected for removal. From this it would follow that Google intends to delete all Gmail accounts, something that is extremely unlikely.

In addition, users with some online experience should know that Google, or any other major service provider, would never send out e-mails or warnings like these. However, the fact that such campaigns are still in circulation suggests that many don't. Finally, another more subtle piece of evidence is the sender's e-mail address itself. Why would Google have a Customer Service e-mail address that has four digits at the end?

“As with any phishing email you receive on Gmail, you should report it as an attempt to phish information from you, which will help warn the security team at Google and help others,” Graham Cluley advises.

----------------------------------------
Last Updated: January 07, 2009
Website Contact: David Matthews

Copyright © 1995-2008 City of Seattle