Seattle.gov DoIT: We make technology work for the City. Bill Schrier, CTO

Information Security Newsletter

Newsletter Posted 08/06/2008

CNN Top Ten Scam
We have seen a large influx of a new spam email this week using three different CNN subject lines. We saw 'CNN Top 10 XP Antivirus' and 'CNN.com Daily Top 10' the other day, and today we have 'CNN Alerts: My Custom Alert'.

We've also had reports of increasing use of the upcoming Olympics by scammers to try to entice people to click on links, or open files in emails.

With the CNN attack, users were directed to a website with a blank video that used an enticing news item as its title. If you clicked on the video it would prompt you to download a program to run the video. This was, of course, a malware program that in most cases just trashed computers, but in some, took them over as part of a botnet.

We can expect to see many more of these types of attacks, as they pique curiosity and seem to work very well. The Olympics, or any other internationally known event, is a perfect ruse.

Expect these types of scams and avoid them by simply deleting any emails that promise a news story.

Storm Trojan Using FBI vs. Facebook
A new spam that is yet another push of the Storm trojan is showing up with titles like "FBI may strike Facebook" or "FBI watching us". The purveyors of the Storm malware are relentless and have not missed a trick to keep trying to get their malicious software out there. In July alone we saw an Independence Day attack and more recently a campaign playing on people's fears about the worldwide financial situation.

The Storm malware is one of the largest bot creators ever built. It is responsible for recruiting many hundreds of thousands of unknowing users' computers into remotely controlled "botnets". These are used to spread more spam, extort web sites and critical infrastructure, and mount denial of service attacks.

Be aware of these types of attacks and just delete!

Airline E-Ticket Scam
Public reports indicate that a new email attack is circulating that uses email messages that appear to be from legitimate airlines and contain information about a bogus e-ticket. These email messages instruct the user to open the attachment to obtain the e-ticket. If a user opens this attachment, a file may be executed to infect the user's system with malicious code. Reports, including a posting by Sophos, indicate that these messages have the following characteristics (please note that these attributes may change at any time):

  • The subject line "E-Ticket#XXXXXXXXXX"
  • An attachment named "eTicket#XXXX.zip"
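The two attributes above are enough to write a simple mail-gateway check. The following is an added example, not code from the City or from Sophos: it parses a raw message with Python's standard `email` module, matches the reported subject and attachment names, and goes one step further than the bulletin by opening any ZIP attachment and flagging executable members regardless of the lure used, since the attributes are expected to change. The sender addresses, the extension list and both sample messages are constructed for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure attributes reported for this campaign (the newsletter notes they may change at any time).
SUBJECT_RE = re.compile(r"^E-Ticket#\d+$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^eTicket#\d+\.zip$", re.IGNORECASE)
# Extensions that should never arrive inside a "ticket" archive; hypothetical list for this example.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def executables_in_zip(blob: bytes) -> list:
    """Return names of executable-looking members of a ZIP blob (empty if it is not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def score_message(raw: bytes) -> dict:
    """Classify one raw RFC 822 message as 'clean', 'suspicious' or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    findings = []
    if SUBJECT_RE.match(subject):
        findings.append("subject matches e-ticket lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            findings.append(f"attachment name matches e-ticket lure: {name}")
        if name.lower().endswith(".zip"):
            execs = executables_in_zip(part.get_payload(decode=True) or b"")
            if execs:
                findings.append(f"zip attachment carries executable: {execs}")
    carries_exec = any("carries executable" in f for f in findings)
    if carries_exec or len(findings) >= 2:
        verdict = "quarantine"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "findings": findings, "verdict": verdict}


def _build_sample(subject: str, filename: str, maintype: str, subtype: str, payload: bytes) -> bytes:
    """Constructed test message; the addresses use the reserved .example domain."""
    msg = EmailMessage()
    msg["From"] = "reservations@airline.example"
    msg["To"] = "employee@city.example"
    msg["Subject"] = subject
    msg.set_content("Your e-ticket is attached. Open it to print your boarding pass.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def _zip_with(member: str, content: bytes) -> bytes:
    """Build an in-memory ZIP holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples: one mimicking the reported lure (the .exe body is a placeholder string,
# not executable code) and one ordinary receipt carrying a PDF.
LURE_SAMPLE = _build_sample("E-Ticket#0123456789", "eTicket#4821.zip", "application", "zip",
                            _zip_with("eTicket#4821.exe", b"placeholder bytes, not an executable"))
CLEAN_SAMPLE = _build_sample("Your receipt", "receipt.pdf", "application", "pdf", b"%PDF-1.4 placeholder")

if __name__ == "__main__":
    for sample in (LURE_SAMPLE, CLEAN_SAMPLE):
        print(score_message(sample))
```

The name patterns alone only give a "suspicious" verdict, because spammers rotate them; an archive that contains an executable is quarantined on its own, which is the check that keeps working after the subject line changes.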

Yahoo Sold to Microsoft - More Fake Headline Spam
Security vendor Marshal is warning that a growing large-scale botnet, called Rustock, is forwarding spam containing exploitive headlines in an attempt to infect users and grow its network.

Numerous small businesses and private web sites, so far predominantly in the U.S. and China, have been targeted in the campaign, claimed Marshal. The security vendor warned that a variety of headlines are being used to lure victims into clicking on a malicious link. They include: “Yahoo sold to Microsoft, record price;” “Bush Down to 8 Friends on Myspace;” “Al Qaeda Reports Declining Revenues in Fiscal ‘08.”

The spammers appear to be experimenting to see which types of headlines solicit the most hits from recipients. Marshal’s records revealed that Rustock is estimated to comprise over 150,000 infected PCs and distributes close to 30 billion spam messages daily, which in terms of volume makes it one of the biggest malicious spam campaigns ever seen.

Music Files Used to Spread Malware
A new kind of malicious software could pose a danger to Microsoft Windows users who download music files on peer-to-peer networks. The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files. If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec. Users on a digital audio enthusiast site differed over the danger level of the malware.

Twitter Exploits
In the last couple of weeks we have seen reports of Twitter vulnerabilities and now exploits are being seen in the wild. A Twitter profile has started sending links with lures to a pornographic video of Brazilian pop star Kelly Key. This profile has been especially created to infect users. If a user clicks on the video link they see a window that shows the progress of an automatic download of a so-called new version of Adobe Flash, supposedly required to view the video. You end up with a file falsely labeled 'Adobe Flash' on your computer (this is a very popular new technique with scammers). This file is in reality a Trojan downloader that proceeds to download malware disguised as MP3 files.

Twitter also contains a known auto-follow vulnerability that, though only partially patched, can still be exploited on Internet Explorer. It basically allows an attacker to infect your account so that you automatically "follow" the attacker's Twitter feed. This means that they can put anything they want on their Twitter page and you will automatically be directed to it and consume it, even if it is malware.

If you are a user of Twitter, watch for these types of scams and be sure to patch with the latest versions as soon as they are available.

Facebook and MySpace Being Used to Spread Malware
Facebook and MySpace are being exploited to spread a worm that poses as a Flash Player update. The worm sends a variety of comments and messages to the friends of anyone infected. The comments use the names of celebrities such as Paris Hilton and topics such as hacking and secret cameras to convince potential victims to click a link.

If you click the link you are redirected to a Web site which announces you need to download an update to your Flash player. (NOTE: Does anyone else notice a pervading theme to this week's newsletter?)

These types of attacks are particularly difficult to counter because they exploit the trust you have in your social network. A message or comment left by one of your "friends" is much more likely to succeed, and in fact these have proven to be extremely lucrative for the bad guys.

If you are a member of a social networking site, remember the lessons of email. Don't click on any links that you can't be sure are legitimate. If you're not sure - use that old fashioned telephone thing to call your friend and see if they actually sent you the link.

A Photo That Can Steal Your Facebook Account
And while we're talking about Facebook...

At the Black Hat computer security conference in Las Vegas next week researchers will demonstrate software they have developed that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

They call this type of file a Graphics Interchange Format Java Archive (GIFAR). At Black Hat, the researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack. The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos, or even Amazon.com. Because GIFARs are opened by Java, they can be opened in many types of browsers. However, the victim would have to be logged into the Web site that is hosting the image for the attack to work.
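The reason a GIFAR slips past an image upload check is structural: a GIF is parsed from the front of the file, while a JAR (a ZIP archive) is located from the end of the file, so one blob can satisfy both readers. The following is an added example, not the researchers' code or anything the page provides: a server-side upload inspector that walks the GIF block structure to find the trailer byte, reports any data that follows it, and then asks Python's `zipfile` (which, like a JAR loader, finds the archive from the tail) whether the whole blob is also an archive. The test fixtures are constructed: a valid 1x1 GIF, and the same GIF with a placeholder ZIP appended whose members are plain text, not bytecode.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record, located by reading from the tail


def gif_structural_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer byte (0x3B).

    Raises ValueError for anything that is not a well-formed GIF.
    """
    if data[:6] not in GIF_MAGICS:
        raise ValueError("missing GIF signature")
    try:
        pos = 6
        _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
        pos += 7
        if packed & 0x80:                      # global colour table present
            pos += 3 * (2 ** ((packed & 0x07) + 1))
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:                  # trailer: logical end of the image
                return pos
            if block == 0x2C:                  # image descriptor
                local_packed = data[pos + 8]
                pos += 9
                if local_packed & 0x80:        # local colour table present
                    pos += 3 * (2 ** ((local_packed & 0x07) + 1))
                pos += 1                       # LZW minimum code size
            elif block == 0x21:                # extension block
                pos += 1                       # extension label
            else:
                raise ValueError(f"unexpected block type 0x{block:02x} at offset {pos - 1}")
            while True:                        # data sub-blocks: <len><bytes>..., terminated by 0
                n = data[pos]
                pos += 1
                if n == 0:
                    break
                pos += n
    except (IndexError, struct.error):
        raise ValueError("truncated GIF") from None


def inspect_image_upload(data: bytes) -> dict:
    """Report whether a GIF carries data past its trailer and whether that data is a ZIP/JAR."""
    end = gif_structural_end(data)
    trailing = data[end:]
    report = {"gif_ok": True, "trailing_bytes": len(trailing), "is_zip": False, "jar_entries": []}
    if EOCD_SIG in trailing and zipfile.is_zipfile(io.BytesIO(data)):
        # zipfile finds the archive from its tail, as a JAR loader would, so the GIF prefix is ignored
        report["is_zip"] = True
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["jar_entries"] = [n for n in zf.namelist()
                                     if n == "META-INF/MANIFEST.MF" or n.endswith(".class")]
    return report


def is_polyglot(data: bytes) -> bool:
    """Upload policy: a GIF is accepted only if nothing at all follows its trailer."""
    return inspect_image_upload(data)["trailing_bytes"] > 0


# Constructed fixtures: a valid 1x1 GIF, and the same GIF with a placeholder ZIP appended.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # header + logical screen descriptor
              + b"\x00\x00\x00\xff\xff\xff"                        # 2-entry global colour table
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)      # image descriptor
              + b"\x02\x02\x44\x01\x00"                            # LZW min code size + one data sub-block
              + b"\x3b")                                           # trailer


def _append_zip(prefix: bytes, members: dict) -> bytes:
    """Append an in-memory ZIP to an existing blob (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return prefix + buf.getvalue()


# The archive members are plain-text stand-ins, not Java bytecode.
SAMPLE_POLYGLOT = _append_zip(SAMPLE_GIF, {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                                           "Placeholder.class": b"placeholder, not bytecode"})

if __name__ == "__main__":
    print(inspect_image_upload(SAMPLE_GIF))
    print(inspect_image_upload(SAMPLE_POLYGLOT))
```

The policy function rejects any trailing data rather than only recognised archives, because the hybrid-file trick is not specific to ZIP. Sites that must accept user images commonly go one step further and re-encode every upload through an image library, so that only pixel data, and nothing appended to the original file, is ever served back.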

Possible Back Door Built Into Skype
According to reports, there may be a back door built into Skype, which allows connections to be bugged. Skype has declined to expressly deny the allegations.

At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations. This has been confirmed by a number of the parties present at the meeting.

Skype declined to give a detailed response to specific enquiries as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. There has long been speculation that Skype may contain a back door.

Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Apple Wins! (Or NOT)
Apple has achieved the dubious honor of now having the most reported vulnerabilities of any vendor. Microsoft, the reigning champion for many years, has actually fallen to 3rd place behind the open source content management system Joomla.

The final results were very close according to the IBM X-Force 2008 mid-year report. Apple accounted for 3.2 percent of vulnerability disclosures, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent.

Another Apple Update
Apple has released Security Update 2008-005 to address multiple vulnerabilities that affect a number of applications. These vulnerabilities may allow an attacker to conduct DNS cache poisoning attacks, execute arbitrary code, cause a denial-of-service condition, or access the affected system with elevated privileges. Please note that this update addresses recent issues with weaknesses in common DNS implementations; see Vulnerability Note VU#800113 for additional information.

International Phone Scam
A resident agent in charge of the Knoxville office of the U.S. Secret Service said some 8 to 10 areas of the country were targeted recently by an international organized crime group. The organized crime group, the official said, routed recorded messages to U.S. phone numbers through an Iowa telephone company where the group had leased a block of telephone numbers.

For instance, thousands of residents in one county received telephone calls on Wednesday night and Thursday morning that claimed to be from a local bank and which warned the recipients that their bank cards had been canceled. The recorded messages directed persons to call a Des Moines, Iowa, telephone number, supposedly to get their bank cards reinstated. When that number was called, residents heard another recorded message that directed them to key in their bank account and PIN numbers.

The Secret Service agent also noted that the bank’s own records were not compromised by the scam. He said the criminals did not obtain telephone numbers of local residents from the bank. Instead, he said, the criminals apparently used computer software to sequentially generate calls to many telephone numbers in the same area code on Wednesday and Thursday. That, he said, is why many people who had no banking relationship with the local bank received the automated telephone calls.

One of the other areas affected by a similar scam was in central Missouri, according to an article posted on the Web site of KRCG in Jefferson City, Missouri. The July 18 article said Central Bank there had been targeted in similar fashion to the case cited above.

Be aware of these types of scams and be sure to warn your vulnerable friends and relations.

----------------------------------------
Last Updated: August 6, 2008
Website Contact: David Matthews