Information Security Newsletter
Bulletins posted 2/13/2009
Apple Issues Massive Security Update for Mac OS X
Apple Inc. today issued multiple updates for Mac OS X and Java that patched 55 bugs, including one for its Safari Web browser
that had prompted a security researcher to blast the company for a halfhearted approach to security. It was the most updates Apple has
released in nearly a year.
The year's first bug updates from Apple patched 48 security vulnerabilities in the company's operating system and its components,
four in Apple's implementation of Sun Microsystems Inc.'s Java, two nonsecurity flaws it admitted it had introduced with faulty
code in Mac OS X 10.5.6, and one fix it said was a "proactive security measure."
If you are using Mac OS X, or Safari, we highly recommend updating as soon as possible.
Security Update 2009-001 and the Java updates can be downloaded manually from the Apple site or installed using Mac OS X's
built-in patch service. Safari 3.2.2 for Windows can be downloaded from the Apple site.
Bulletins posted 2/12/2009
Fraudulent AOL Emails in New Phishing Campaign
We have been warned of a new phishing campaign using the brand name of AOL (America Online), a popular Internet service provider,
to capture the personal details of consumers.
Consumers have recently reported receiving e-mail messages from an ISP that pretends to represent the "AOL Safety and Security
Group." The messages ask recipients for their billing details and warn that non-compliance will lead to the suspension of their
accounts.
The phishing e-mail generally contains exciting or upsetting statements to lure victims to respond instantly. It typically asks
the consumer to provide information such as their AOL screen name, other user ID and password, social security and payment card
numbers, etc.
AOL has declared once again that it would never request end-users to reveal their passwords. Many organizations are good
about repeatedly telling consumers that they won't do this.
Ignore any pop-ups when you're online, and delete any emails that ask for
financial or other personal information. If you are concerned about an email or pop-up message, it is always safest to directly
call or manually put in a Web address to contact an organization you do business with.
Massive Comment Spam Attack on Digg dot Com
According to PandaSecurity, the social news site Digg.com is the latest Web 2.0 service to be targeted by cybercriminals. The
ongoing attack is far more widespread than originally stated, with 500,000+ bogus Digg comments leading to 15 currently active
malware domains, where the end user is enticed to install a fake video codec in order to view the video. Once executed, the codec
informs the user that they’re infected with malware, and in order to get rid of it, rogue security software has to be
purchased.
The cybercriminals use both purposely registered bogus accounts and compromised accounts of legitimate users to first post
enticing Digg stories and then to heavily comment on those stories with other bogus accounts. All of these link to the malware
servers. This gives them many more ways to catch the unaware and infect them.
Of course, none of you would ever fall for this old strategy of downloading a new codec from an unknown site, or believing
that you are now infected and installing a bogus antivirus! But some of your friends might, so let them know!
Dangerous Exploit on Google's Android Phone Software
A researcher at a hacker conference this weekend noted a new vulnerability in Google Android that allows hackers to remotely take
control of the phone’s web browser and related processes. If a phone becomes compromised, hackers can gain access to saved
credentials stored in the browser and browser history and could snoop on your web transactions, even if encrypted.
The researcher, Charlie Miller, recommends that Android owners “avoid using the browser until a patch is released” and
otherwise visit trusted sites over the T-Mobile network only.
Bulletins posted 2/11/2009
Virulent Strain of Virut Virus Appears in the Wild
Microsoft warned Wednesday that a particularly nasty variant of the Virut virus has been unleashed, and home users and businesses
should ensure their anti-virus products are updated to deal with the new threat. The malware infects portable executable files,
such as .exe and .scr, and is therefore able to spread from machine to machine, according to Microsoft. Each time it propagates,
Virut uses polymorphism -- or mutated code -- to evade detection. Once on a machine, the virus opens a backdoor, connecting with
an internet relay chat (IRC) server, which allows a remote attacker to download additional malware onto the computer, Jimmy Kuo,
principal architect for the Malware Protection Center, told SCMagazineUS.com on Wednesday.
Typically, with past variants of Virut, users did not know when they were infected. "However, the additional complexity of this
particular variant will likely cause instability in affected systems," Kuo said.
The virus was responsible for shutting down the court system in Houston this week. About 475 of the city's 16,000 computers were
affected by the virus, which first appeared last Wednesday and was identified Sunday, Frank Michel, a mayor's spokesman, told
SCMagazineUS.com. The virus also affected computers in Springfield City, Mo., forcing the city to shut down its website earlier
this week, according to reports.
Updated anti-virus may not always be enough to rectify the virus. According to Microsoft, Virut can destroy certain files beyond
repair, meaning companies and users may be required to install a clean version of the operating system to return a machine to a
safe state.
Most major antivirus vendors now have new updates to detect and protect against this virus, so make sure your
antivirus is up to date. The virus is most likely to come via an attachment in email, so as always - don't click on any
attachments you don't know for sure are legitimate.
Bulletins posted 2/10/2009
Waledac Worm Sends No Love to Valentine's Day Spam Victims
Another large deployment of spam has been reported that is using the Valentine's Day theme.
Cybercriminals behind the Waledac botnet are trying to capture more victims by using Valentine's Day-themed exploits,
researchers from McAfee Avert Labs warned Monday. Users are being spammed with emails containing a link that, when followed, brings up a
Valentine's Day-themed page with malicious executables.
For example, one such page has a picture of two puppies holding a heart that says “Happy Valentine's Day.” The website reminds
users that Valentine's Day is nearing and they should get their significant others a present. The site offers a “Valentine's
Devkit” download to get started, but it actually is malware.
You see these warnings from us all the time, so most of you already know - don't click on the links and just delete
these types of email if you get them.
Microsoft's Feb Patch Tuesday Fixes Critical IE7 and Exchange Flaws
Microsoft issued four bulletins Tuesday, addressing critical flaws in Internet Explorer 7 and Exchange and holes in SQL Server
and its Office Visio diagramming software.
The most serious holes in IE 7 and Exchange could be exploited remotely to gain access to critical files or conduct a
denial-of-service attack.
We recommend applying these patches as soon as possible. If possible it is usually best to simply enable Auto
Update if you are running a Microsoft operating system, to ensure you get these patches applied immediately.
IRS Phishing Scam
US-CERT warned Friday of Internal Revenue Service (IRS) emails claiming to offer users stimulus-package payments.
The messages attempt to lure users to a website and then get them to enter personal information.
People who receive the fraudulent e-mail messages are encouraged to send the e-mail message and the Web site URL to the IRS at
phishing@irs.gov.
The IRS said it does not request taxpayer information through email and those who receive one should not click on any
links, but rather delete it immediately.
Bulletins posted 2/6/2009
Parking Tickets Lead to Malware
ISC Sans.org has reported on a novel way of distributing malware – parking tickets. The scam involved the distribution of
fake parking tickets placed on car windscreens, which claimed the vehicle's owner had violated parking regulations and directed
victims to a website for more details on what they had done wrong.
This is such a unique and sneaky attack, that even though it hasn't been spotted around here yet, we wanted to tell you about
it.
On that website were pictures of some cars and a link to download a "Picture search toolbar" to locate the victim's car. It was
this link that downloaded the malware, which would ask to install a browser helper object (BHO). This would then attempt to trick
the user into installing a fake anti-virus scanner. The scam seems to have operated only in Grand Forks, North Dakota, but is
simple enough that it is expected to be copied around the world.
This is a great example of the creativity and devious imagination of those who are attempting to defraud all of us.
You all should know by now not to fall for any type of scam that asks you to access a web site and download anything.
Be Alert to Fake Email Claiming to be from Wells Fargo
We have been notified of a new phishing scam that purports to be a message from Wells Fargo. These emails request information
about customer accounts and services, including passwords.
On the Wells Fargo web site they have posted a security alert that says, "Wells Fargo customers are being sent FAKE emails right
now." It goes on to say, "These emails are known as 'phishing' which are fake email schemes that attempt to collect secure
information from you and from your computer. On rare occasions, legitimate inquiries may be made from a Wells Fargo representative
who requests your User ID and Company ID. You should only provide this information when you are sure you are speaking with
someone from Wells Fargo."
Never respond or provide information in response to any email or phone call unless you are absolutely sure it is from
your banker. The best way to be sure is to hang up and call a known good number. In their notice, Wells Fargo says, "If you
responded to an email like this, you MUST IMMEDIATELY call your Relationship Manager at 1-800-AT-WELLS (1-800-289-3557) to protect
your account and information."
Bulletins posted 2/4/2009
Mozilla Has Released Updates to Firefox, Thunderbird, and SeaMonkey to Address Multiple Vulnerabilities.
Multiple vulnerabilities have been identified in Mozilla Firefox, SeaMonkey and Thunderbird, which could be exploited by attackers
to bypass security restrictions, disclose sensitive information, cause a denial of service or compromise a vulnerable system.
If you use any of these products, the City of Seattle's Office of Information Security recommends updating to
Firefox 3.0.6, Thunderbird 2.0.0.21, and SeaMonkey 1.1.15 as soon as possible.
Seattle Man Falls Victim to Facebook Hackers
Friends of Seattle, Washington resident Bryan Rutberg were alarmed to hear Bryan was in trouble overseas recently, and one sent
money to help out.
Now they've learned they got caught up in the latest scheme targeting social networking sites like Facebook. This could be the scam
of the future.
Instead of trying to sucker people with mass e-mails, crooks are now using a more targeted and personalized approach with the help
of social networking sites like Facebook.
Last week, Bryan Rutberg's Facebook page fell into the wrong hands and a strange message appeared.
"It changed to 'BRYAN IS IN URGENT NEED OF HELP!', all caps, exclamation point," Rutberg said. "I guess that is the way the
scammer set the table for reaching out to my friends." Rutberg couldn't access his own account because a hacker changed the
password and was posing as Bryan. That hacker was chatting by instant message with the friends listed on Bryan's Facebook page,
telling them a harrowing story. "The story was I'm stuck here in London," Rutberg said. "I was on vacation at a resort. We were
held up at gunpoint and now I have no way to get back home. Please send money."
Beny Rubinstein was one of the first friends to get that instant message. "I asked him a couple of questions that were personal
and he answered them properly so he made me believe I was talking to him," Rubinstein said. "Initially he asked for $600 so that's
the amount I put in." When a friend left a message the next day saying Bryan was still in trouble, Rubinstein sent hundreds
more. Using Western Union, he wired a total of $1,200 to London.
Facebook users (and other social network users), be aware that this is becoming a big problem. You need to double check by
phone or maybe even IN PERSON (I know it's a shocking concept - but it CAN be done!) before believing everything you read
online.
Bulletins posted 2/3/2009
More Information On Growing Fraudulent Credit Consolidation and Mortgage Refinance Phone Calls
This problem is getting worse. At the City government offices we have had many new reports of City employees as well as many
others in our community receiving these fraudulent phone calls. They are now using 'Mortgage Refinance' as their excuse for
calling.
In the current financial crisis these tactics are a disturbing and disgusting attempt to exploit the most vulnerable and suffering
people in our community and we are seriously committed to finding a way to stop it.
If you get one of these calls do not engage with them. Also, please tell others in your community, your family and friends
about this scam so they don't become victims.
Large Rise in Fraudulent 'Invoice' and 'Customer Receipt' Spams
Our City of Seattle eMail Spam filter, Postini, is catching many more instances of fraudulent 'Invoice' and 'Customer Receipt' emails.
We are seeing invoices from iTunes, PayPal, Amazon and many others. While our filter seems to be catching them, we want to warn
city users against releasing them for delivery. It may be tempting because they look like a possibly legitimate invoice for something you don't
remember buying.
If opened, these messages contain an image file that tries to lure you to their Canadian pharmacy site.
If you are a City of Seattle user, do not release these from Postini, and if you get one in your City email box, forward it as an attachment to 'SPAM'
(without the quotes). Be aware of this type of scam, since you may get something like this at home. Also make sure your friends
and family are aware as well.
Bulletins posted 2/2/2009
Trojan Designed to Steal Skype Credentials
SpySkype.C is a Trojan designed to steal Skype (Voice over IP phone
service) credentials. To do so, it displays a false message when run
informing users that a new Skype plug-in has been installed called
"Skype-Defender", which requires starting a Skype session. It then ends
all the Skype processes to prevent users entering their data on the
original page, and displays a spoof window requesting the Skype user
name and password.
When users enter their details, the Trojan sends them to its creator
through an HTTP connection. Finally, it sends users a message indicating
that their credentials are invalid.
If you use Skype, watch for this message and ignore it if it comes up. Also watch for Skype to issue a fix and apply it
as soon as possible.
Phishing Scam with Bogus ‘Card Services’ Calls
Consumers have contacted the Missouri attorney general’s office saying a caller claims to be from a company called Card
Services, asking them to enter their credit card number to see if they qualify for a better rate.
This is simply an attempt by thieves to steal credit card numbers. In the phone call, consumers are led to believe they are being
contacted by their credit card company and they are asked to dial a number, usually 9, if they are interested in trying to get a
lower interest rate.
The attorney general says in phishing scams like this, with thieves fishing for personal information, the crooks can steal credit
card numbers, use them in a matter of minutes through online purchases and run up big charges that appear later on the consumer’s
credit card statement.
While this is being reported out of Missouri right now, we know that these scams tend to spread and be used everywhere -
so be aware of this and don't get fooled if you get a similar call. Also report it to the Washington Attorney General if you do
get this or any other suspicious phone calls.
----------------------------------------
Last Updated: February 15, 2009
Website Contact: David Matthews