Information Security Newsletter

Bulletins posted 6/26/2009

Hacked High-Profile Twitter Accounts Still Spreading Malicious Links
Phishing scams involving hijacked accounts continue to sweep through the popular microblogging site Twitter. In January, hackers commandeered the accounts of several high-profile members, including Britney Spears and Barack Obama, and distributed malicious links and spam messages. On Tuesday, scammers used the profile of Guy Kawasaki, a former Apple Fellow with over 100,000 followers, to post a link to a site that claimed to offer a (non-existent) sex tape featuring 'Gossip Girl' star Leighton Meester.

According to PC World, University of Alabama at Birmingham computer forensic scientist Gary Warner believes that over 1,600 people have already followed the link to a fake porn site that links to a Trojan horse program. This software affect both Macs and PCs, and, if downloaded, essentially turns your computer into a zombie that can be controlled from afar, enabling perps to extract valuable personal information. The scheme also leeched off the compromised accounts of a political blogger, a rising musician, and a gay news site, some of which still have the malicious link available on their Twitter pages.

With numerous scams currently afflicting Twitter and Facebook, it's incredibly important to refrain from immediately clicking on links, even if they seem to be from a trusted source. You should also take steps to stengthen and protect your passwords, and to be aware of the current prevalent and popular scams being employed.

From Switched, by Warren Riddle

New Scare Tactic E-mail Threatens Legal Action For Fake Accusations
We have reports of a new email virus campaign designed to scare email users with bogus legal action for activities including illegal music downloads.

The virus campaign calls attention to users' supposed recent activity at sites commonly used to share and download copyrighted movies, music and software. The email content threatens recipients with legal action and includes a link to a "log report" that is actually a virus executable.

This is a new twist on the scare tactics we're seeing more of lately. Be aware and inform your vulnerable friends and family.

From Enterprise Security Today

Social Networking Sites Victimizing Families of Deployed U.S. Military Personnel
The Kansas City Division of the FBI is issuing information regarding a new scam involving the victimization of families of deployed U.S Military personnel through social networking sites.

Significant personal data is available through these sites which users join by city, workplace, school and region to connect and interact with other people.

The scam involves individuals using these social networking sites to contact relatives of deployed U.S. military personnel, most specifically grandparents. The impostor advises the grandparents that he is returning home on leave from Iraq and asks the grandparents to keep his presence secret so he can surprise his parents. A short time later, the grandparents are again contacted and the impostor advises them that he and a friend are stranded with a broken down car. He then asks the grandparents to wire a significant amount of money to cover the cost of the repairs.

As always, caution is advised regarding the posting and protection of personal information on public websites. It is recommended that family members of U.S. Military visit social networking sites in which they have accounts to ensure that no exploitable information is available.

Additionally, it is recommended that all relatives should verify the identity of anyone who contacts them by asking specific questions known only to that person if you must wire funds or develop a code word or phrase to verify identity.

From FBI, Kansas City

Jackson's death to spark massive spam runs
Of course there's nothing like a tragedy to inspire the scum that take advantage of every opportunity to defraud. Just hours after the death of pop star Michael Jackson, security vendors are tracking attempts to cash in on the event by spammers and malware writers.

In a blog posting by security firm Sophos, the firm reported the first wave of spam messages "employing the sad news in the subject line and body part to harvest victims’ email addresses".

The message sender claims to have information about Jackson's death that they want to share with the recipient. Although the body of the spam message does not contain any URLs or other call-to-action links, if replied to it will allow the spammer to harvest the user's email address, said Sophos.

Rik Ferguson, senior security adviser at vendor Trend Micro, warned that any event of this magnitude would be expected to generate significant amounts of spam and malware.

"We fully expect to see black hat SEO [search engine optimisation] activity and significant spam runs using the news as bait, because people are hungry for details."

Black hat SEO manipulation attacks were launched soon after the death of actor Heath Ledger, and have already been seen in the past 24 hours since the death of actress Farrah Fawcett was announced.

They involve hackers disguising malicious links as URLs to legitimate sites containing news about a high-profile event in order to push the results higher up the search listings.

"Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities."

From V3.co.uk, by Phil Muncaster

Fake News Advertisements Pushing Work at Home and Pharmaceuticals
I just read a well written and somewhat humorous article about a disturbing advertising trend that uses fake news stories to sell products.

These "news items" are posted on genuine web news sites such as Salon, Slate and Huffington Post. Some of them offer work at home jobs, one of which had the headline: “How I Make $1700 a Week Posting Links on Google.”

The article says there is a "whole fake-media empire pushing the story of the massive profits to be made by gaming Google from home: The Boston Weekly News, USA Financial Post, America Finance News, New York Finance News, Ohio Business News, the New York Tribune News, the Bakersfield Gazette, the San Jose Times, and the prestigious New York City Hearld. No, not 'Herald'; Hearld."

It goes on to report that people who have fallen for the advertised products are quite often finding unexpected charges on their credit cards.

This seems just short of criminal to me, and is certainly exploitive of the more gullible among us. Warn your vulnerable friends and family that they may not get what they expect from these advertisements that pretend to be news items.

See the full article at Wired, Threat Level, by Kevin Poulsen

Critical Adobe Shockwave flaw affects millions
Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system.

Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available at: http://get.adobe.com/shockwave/.

We recommend updating to the latest version after uninstalling older versions as soon as possible.

From ZDNet, by Ryan Naraine

Bulletins posted 6/23/2009

Mozilla released security update for Thunderbird
As part of Mozilla Corporation’s ongoing stability and security update process, Thunderbird 2.0.0.22 is now available for Windows, Mac, and Linux as a free download from www.getthunderbird.com.

If you already have Thunderbird 2.0.0.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

Due to the security fixes, we strongly recommend that all Thunderbird users upgrade to this latest release.

Please note: If you’re still using Thunderbird 1.5.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Thunderbird 2 by downloading Thunderbird 2.0.0.22 from www.getthunderbird.com.

From Donna Buenaventura at Donna's Security Flash Blog

Twitter users offered security plug-in (SecureTwitter)
As Twitter becomes increasingly abused by hackers, Finjan Software has released a free browser add-on with a new feature that scans links and warns if they point to a page containing malware.

The SecureTwitter component is wrapped into SecureBrowsing, a plug-in for either the Firefox or Internet Explorer browsers, said Yuval Ben-Itzhak, Finjan's CTO.

SecureTwitter is designed to warn people about links that people post on the micro-blogging service. Because of Twitter's 140-character limit, most of the URLs posted have been shortened using services such as Bit.ly or TinyURL.

Those services completely obscure the true destination of the link, which is dangerous since users have no idea that they could be directed straight to a site that will look for software vulnerabilities in order to infect the PC with malware.

Even if a URL isn't shortened, it's nearly impossible to tell if a site may host malware since many legitimate sites have been hacked, too.

This is a very good product that we recommend highly to anyone using Twitter. You can find more information and the download at securebrowsing.finjan.com.

From TechWorld, By Jeremy Kirk, IDG News Service

Bulletins posted 6/22/2009

Mass Mailing Phishing Attempt on BlackBerry Devices
We've received a bulletin this afternoon warning about multiple reports of a mass-mailing phishing attempt being sent to BlackBerry devices.

The scam comes as an email to your BlackBerry. At least one of them comes from Carol.Barnfather@northumberland.gov.uk. The subject line is "You have exceeded the storage limit for you mailbox".

The message itself says:
"Your mailbox has exceeded the storage limit set by your administrator. You may not be able to send or receive new mail until your mailbox size is increased by your system administrator. You are required to contact your system administrator through e-mail with your Username:{ } and Password:{ } to increase your storage limit."

The message then goes on to provide you with a handy link to your "system administrator's" email so you can send your username and password to them!

If you get such a message on your City owned BlackBerry, you should report it to the service desk. If you own a personal BlackBerry, be aware of these types of scams and never respond to a suspicious email or follow links.

Latest upgrade to iPhone includes 46 security fixes
Apple on Wednesday released the long-anticipated upgrade to its iPhone operating system.

Along with a host of new features, version 3.0 comes fitted with patches for 46 security vulnerabilities. The upgrade fixes everything from heap buffer overflows, multiple memory corruption issues in the handling of PDF files to cross-site scripting flaws, according to Apple.

For example, one patch updates the iPhone mail application to enable more user discretion in the loading of remote images within HTML messages. The app was upgraded so that an application cannot cause an alert to appear that could be enlisted to initiate a phone call without the user's knowledge.

Another patch fixes what could have led to the disclosure of credentials or application data when users of Microsoft's Exchange server accepted an untrusted certificate.

iPhone users should ensure that this update is installed as soon as possible.

From SC Magazine, by Greg Masters

Mac trojan targets game sites to infect users
Virus researchers have spotted a new variant of a Mac trojan that attempts to change a victim computer's DNS settings.

Analysts at Mac security firm Intego said Friday in a blog post that the latest variant of the RSPlug trojan can be found on websites claiming to offer legitimate game downloads. Until now, the trojan was only appearing on pornographic sites or sites hawking pirated software.

The newest attack scenario works similarly to previous versions of the malware, Peter James, an Intego spokesman, said in the post. In this case, users who follow the link to a rogue game are brought to another download link, which actually is a trojan.

If infected by the malware, computers may have their DNS settings altered, meaning hackers can direct users to anyplace they want.

"We recommend that Mac users download software only from trusted sites," James said. "The spread of this trojan horse is such that more and more sites will be providing it instead of real software, and it may become increasingly easy to get fooled.

From SC Magazine, by Dan Kaplan

Microsoft To Launch Public Beta of Free Antivirus Product on Tuesday
Microsoft turned a page in consumer antivirus protection today with the official announcement of free anti-malware software that users can download on their Windows machines. The new Microsoft Security Essentials software -- which had been known by the code name "Morro" -- will be available in a public beta version next Tues., June 23.

Unlike Microsoft's Live subscription-based OneCare consumer offering, Microsoft Security Essentials focuses solely on anti-malware security, detecting and removing viruses, spyware, rootkits, and Trojans, and doesn't bundle in the firewalls or computer maintenance tasks and backup common in many security suites today. And there's no charge or registration required.

"This is real-time protection for consumers," says Alan Packer, general manager of Microsoft's anti-malware team. "We were surprised at the number of people out there not running anti-malware software -- a lot of Windows consumers are not protected."

This will probably be a recommended product in the future, but unless you like to experiment with your computer it's probably best to wait till it is out of Beta.

From Dark Reading, by Kelly Jackson Higgins

That e-mail attachment is not a Twitter invite
Symantec is warning about a mass-mailing worm that comes in an attachment pretending to be a Twitter invite.

"The observed messages appear as if they have been sent from a Twitter account; however, unlike a legitimate Twitter message, there is no invitation URL present in the body," a Symantec blog post says. "Instead, the user will see an attachment that appears as a .zip file that purportedly contains an invitation card."

The name of the attachment is "Invitation Card.zip" and Symantec identified it as W32.Ackantta.B@mm, a worm targeting Windows computers that was discovered in an e-card virus attack in February, according to Symantec. The worm gathers e-mail addresses from compromised PCs and spreads by copying itself to removable drives and shared folders.

As with any other suspicious email attachment, you should never open a link you aren't sure about. Remember Twitter invitations have a URL in the email, not an attachment. But then again, the bad guys may take advantage of that as well and just include a fake URL next time - so remain suspicious of any Twitter invite and type in twitter.com to go to the site yourself if you think it's legitimate.

From CNET News, by Elinor Mills

Bulletins posted 6/16/2009

Credit Union Users Target of Text Scam
We see these types of scams more and more, and even though this one isn't in our back yard, it certainly could be - so we're taking this opportunity to warn you about this one as an example.

The UVA (University of Virginia) Credit Union is warning customers about a text message scam targeting their accounts.

Credit union officials say the bogus text message claims that your debit card has been blocked and that you need to call a phone number to verify your information. Don't do it.

We have seen scams like this via email and can expect that this tactic will be used around here. So if you get a suspicious text message, just delete it. If you think you've been a victim of this type of scam, call your bank immediately.

From NBC29.com

Apple Fixes Java Security Hole
After being goaded by the online security community last month to respond faster to software vulnerabilities, Apple on Monday finally fixed a longstanding flaw in the Java code that the company ships with its Mac OS X operating system.

The flaw could allow a Java applet to execute malicious code on affected Macs, potentially leading to information theft or a compromised system.

In a patch summary posted Monday, Apple states, "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X v10.5." The company also released an update for Mac OS v10.4.

In May, Intego, which makes security software for Macs, warned Mac users to disable Java in their Web browsers until Apple got around to fixing the Java vulnerability.

If you are running either Mac OS 10.4 or 10.5, you should install this update as soon as possible.

From Information Week, by Thomas Claburn

Bulletins posted 6/15/2009

Chrome update completes busy browser patch week
Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser.

The most severe of the two flaws involved a "high risk" memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second flaw involves a less severe information disclosure risk, involving the Drag and Drop functionality built into WebKit.

The update completes a busy week on the browser security front with a significant cumulative update for Internet Explorer on Tuesday and a Firefox update on Thursday. In addition, Apple released a beta version of its Safari 4 browser earlier this week.

If you use Google Chrome, we recommend updating it as soon as possible. It is set to update itself by default, but you should check to ensure the update has been completed.

From The Register, by John Leyden

Symantec Warns of Wireless Keyboard Security Threat
Security firm Symantec has uncovered a new form of attack aimed at users of wireless keyboards.

The warning follows the release of Keykeriki, an open-source "sniffer" project that allows users to remotely decode wireless transmissions.

Symantec said that this effectively creates a new type of key-logger that could be used by cybercriminals to steal sensitive data such as user names, passwords and bank details.

Symantec warned that, although the creator's intentions appear honorable, making the software code and hardware schematics open to everyone means that criminals could use the software to eavesdrop on wireless keyboard inputs.

The criminals would not have to install anything on the host system, but would simply have to be in range of the keyboard's wireless signal.

Symantec said that future wireless keyboards should introduce encrypted communication between the device and the receiver, and warned those working on office or public computers to resort to wired keyboards for the time being.

From Enterprise Security Today, by Ian Williams

More Scamming and Spamming on Twitter
Twitter is seeing a surge in activity from the scamming and spamming classes.

A spate of phishing attacks have been followed by myriad other efforts to soak Twitter’s enthusiastic and rapidly growing user base. In the last week, attackers have tapped into popular topics and latched onto popular people to get in front of big Twitter audiences. Their goal: to persuade people to click and visit their Web sites and then hand over personal information, be sold a bill of goods or become infected with a malicious program.

The first strategy capitalizes on Twitter users’ penchant for searching for random commentary on news subjects. Last week and this week, attackers have been using hundreds of dummy accounts to tweet messages about popular subjects, including the death of actor David Carradine, “Britain’s Got Talent” singer Susan Boyle, the U.S. rock band Phish as well as airplane crashes and child rape.

Links in the messages pointed to malicious video sites pretending to show porn. Visitors who clicked to download a program supposedly needed to watch videos actually installed a fake security application called Privacy Center, which tried to hit them up for money for a full version of the bogus product.

Pop culture buzz and shocking breaking news aren’t the only lures, though. Beware any topic that hits Twitter’s list of “Trending Topics.” The hashtag #smx, used to call out news about a search-marketing conference, reached the list last week and was summarily added to blasts of spam tweets. In a blog post, an irritated conference host, Danny Sullivan, said: “We knew this would happen, but it’s annoying and becoming a growing problem. Question is, will Twitter do anything about it, beginning with removing its ‘Trends’ feature?”

And on Saturday, Mr. Sullivan became a spammer vehicle when his @sengineland account was used for fake retweets. “Today, it got even more personal,” he said in the post. “Someone is using multiple accounts to retweet things we’ve said — except we’ve never said what they’re putting out.” The purpose? To lend credibility to a message pitching a way to make money on Twitter.

The approach is a twist on earlier efforts by Twitter spammers and scammers to hijack the names of well-known people, including Al Gore and Vint Cerf, who can draw gobs of followers. Stars don’t appreciate it; Tony La Russa, St. Louis Cardinals manager, has filed a lawsuit against Twitter after being impersonated. Twitter says the suit is frivolous and it won’t settle. But it plans to experiment this summer with a “Verified Account” seal that will let users know they’re looking at official accounts for public officials, celebs, famous athletes and others who may be impersonated.

Other than that, Twitter isn’t saying much about what it plans to do about dross on its site. (It didn’t respond to a request for comment.) But calls for action are growing. The security firm Sophos is advocating for extensive checking of Web links distributed via Twitter as well as search results and trends information. In addition to vetting Web links, Mr. Sullivan argues Twitter should impose restrictions on whose content shows up in searches and trends, keeping out brand-new accounts and those with bad reputations.

This is not any real new news, but instead a nice summary of all the ways the scammers are attacking Twitter. Be careful if you use this communications medium.

From The New York Times - by Riva Richmond