::Trend Micro Threat Resource Center::

26 March 2010

Rogue toolbars phish for Facebook credentials

There are a number of Toolbars out there in the wild with a nasty sting in the tail for anybody using them to login to Facebook. We’ve seen two of these so far; it’s possible there are more.

Promoted as toolbars that allow you to cheat at popular Zynga games such as Mafia Wars, they appear to be normal at first glance with a collection of links to various websites and other features common to this type of program.

Upon closer inspection, the toolbar is revealed to be a tool used to steal login credentials. If the user clicks on the "Facebook" button in the top left corner, he is taken to a Facebook look-alike phishing page:

The domain on which the phishing page is hosted is constantly changing because, in time, every domain gets reported, detected and blocked by the browsers. The different domains used had names like apps-facebook-inthemafia(dot)tk, mafiamafiamafiamafia(dot)t35(dot)com, apps-inthemafias-facebook(dot)tk, etc.

The problem is that the toolbars - when they are not pointing towards the phishing page - point to the real Facebook URL, and the switch can happen anytime. It is best to distrust "cheating" toolbars altogether, and access Facebook and other networks and services by typing in the URL yourself or following your own bookmark.

Full report here.

24 March 2010

Symbian-targeting SMS worms in-the-wild

A string of SMS worms targeting Symbian Series 60 3rd Edition devices has been spotted in-the-wild in China.


Called MerogoSMS, this family of worms propagates in the most typical of ways: the recipient receives a text message containing a link that, if followed, leads the user to a malicious website where he is asked to download and install an application.

The application "infects" the phone, which then starts sending out the malicious messages itself, and thus the worm spreads. F-Secure researchers say that these worms also send messages to expensive premium-rate numbers.

It is interesting to note that while unsigned software can't be installed on Symbian Series 60 3rd Edition phones, the SISX installation packages of this particular worm HAVE passed through the Symbian Signed process, probably because the author(s) submitted packages that wouldn't raise any red flags.

The Symbian Foundation has reacted by revoking the publisher ID used for the packages.

22 March 2010

20 critical Apple vulnerabilities to be revealed

Just because you're an Apple Mac user doesn't mean you're safe from the clutches of software exploits.

Charlie Miller, the security researcher renowned for hacking Apple products during many a hacking competition, will be making public (at the CanSecWest security conference later this month) his latest research through which - he claims - he was able to find some 30 critical flaws in commonly used software.

Having hacked the MacBook Air and the Safari browser in the past, he might seem bent on making Apple look bad, but his research encompassed testing of software from different vendors: Adobe Reader, Apple Preview, Microsoft PowerPoint and Oracle's OpenOffice.

Using a simple Python script to fuzz test the applications, he discovered more than 1,000 ways to crash them. Of that number, 30 bugs allowed him to hijack the programs. And of those 30, 20 were found in Apple's Preview.

He says that he was surprised to find so many bugs, since the only thing required for this kind of testing is some knowledge and a lot of patience - the script was running on the programs for 3 weeks. “It’s shocking that Apple didn’t do this first,” said Miller in an interview with Forbes.

The results are even more surprising when one considers that Adobe Reader was also tested. One of Adobe's most widely used products, Reader is considered to be one of the most flawed applications out there, and its vulnerabilities are regularly exploited by cyber criminals.

Miller is still considering what to do with his discovery. He still hasn't revealed the details of the bugs to Apple or to the other vendors, and is thinking about not doing it at all, but keeping them secret and checking occasionally if they have been fixed.

This way, we could all definitely know which vendors are serious about security - and which are not.

19 March 2010

IE8, iPhone will fall first day of hacking contest, predicts organizer

Microsoft's Internet Explorer 8, not Apple's Safari, will be the first browser to fall in next week's Pwn2Own hacking challenge, the contest organizer said today.

Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own, also predicted that Apple's iPhone will be the only smartphone hacked during the contest, which starts March 24.

Researchers will compete for $100,000 in cash prizes next week at CanSecWest, the Vancouver, British Columbia, security conference that has been the home of Pwn2Own. The dual-track contest -- one for browsers, the other for mobile operating systems -- will pit hackers against the latest versions of Chrome, Firefox, Internet Explorer (IE) and Safari running on Windows 7 or Mac OS X. The smartphone track will set hackers against Apple's iPhone 3GS, a Blackberry Bold 9700, a Nokia phone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google's Android.

So, who do you think are the contenders for surviving this hacking challenge?

Read full report here and updates of the event here.

16 March 2010

Collection of security checks for Linux

Linux seems to be catching up with a tool equivalent to Microsoft's MBSA**.

Buck Security is a collection of security checks for Linux. It was designed for Debian and Ubuntu servers, but can be useful for any Linux system.

The aim of Buck Security is to allow you to get a quick overview of the security status of your system. As a Linux system administrator - but also as a normal Linux user - you often wonder if your system is secure. In this situation it is useful to get an overview of the security status of the system immediately. Buck Security was designed exactly for this. It runs important tests and returns the results to you after a couple of minutes.

So far the following tests are implemented:
  • Searching for world-writable files
  • Searching for world-writable directories
  • Searching for programs where the setuid bit is set
  • Searching for programs where the setgid bit is set
  • Checking your umask
  • Checking if the sticky bit is set for /tmp
  • Searching for superusers
  • Searching for installed attack tool packages

Download a copy here and try it out.
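The checks in that list can be reproduced with a few lines of shell. The script below is an added example, not Buck Security's own code: each function takes the tree or file to inspect as an argument (an interface assumed here, so it can be tried on a test directory rather than the whole system), and the set of packages it treats as "attack tools" is likewise an assumption.

```shell
#!/bin/sh
# Added example (not Buck Security's own code): POSIX sh versions of the
# checks listed above. Each function takes the tree or file to inspect as an
# argument, so it can be pointed at a test directory instead of "/".
# World-writable regular files: any local user may alter their contents.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# World-writable directories: any local user may drop files into them.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}

# Setuid / setgid executables run with the owner's / group's privileges, so
# each one is a privilege-escalation path if it has a bug.
find_setuid() { find "$1" -xdev -type f -perm -4000 2>/dev/null | sort; }
find_setgid() { find "$1" -xdev -type f -perm -2000 2>/dev/null | sort; }

# Sticky bit on a shared directory such as /tmp: prints "ok" if set, else
# "missing" (without it users can delete or rename each other's files).
check_sticky() {
    if [ -n "$(find "$1" -prune -type d -perm -1000 2>/dev/null)" ]; then
        echo ok
    else
        echo missing
    fi
}

# umask of the current shell: "weak" if new files would be writable by others.
check_umask() {
    u=$(umask)                                  # e.g. 0022
    if [ $(( 0$u & 2 )) -eq 0 ]; then echo weak; else echo ok; fi
}

# Superusers: every account with uid 0 in the given passwd file, not just root.
list_superusers() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Installed attack-tool packages (Debian/Ubuntu dpkg only); which packages
# count as attack tools is an assumption here.
list_attack_tools() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    for p in nmap john hydra aircrack-ng; do
        dpkg-query -W -f='${Status}\n' "$p" 2>/dev/null |
            grep -q 'install ok installed' && echo "$p"
    done
    return 0
}

# Full report for one root directory (default: the whole system).
run_audit() {
    root=${1:-/}
    echo "== world-writable files";       find_world_writable_files "$root"
    echo "== world-writable directories"; find_world_writable_dirs "$root"
    echo "== setuid programs";            find_setuid "$root"
    echo "== setgid programs";            find_setgid "$root"
    echo "== sticky bit on /tmp: $(check_sticky /tmp)"
    echo "== umask: $(check_umask)"
    echo "== uid 0 accounts";             list_superusers /etc/passwd
    echo "== attack-tool packages";       list_attack_tools
}
if [ "${1:-}" = "--run" ]; then run_audit "${2:-/}"; fi
```

Run it as `sh buck-lite.sh --run /` to audit the whole system; a world-writable directory without the sticky bit, or a second uid 0 account, is worth an immediate look.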

===============================================================

** Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

If you're an MS Windows user, you can download a free copy of this tool and run a check on your system.

12 March 2010

Researchers build 8,000-strong smartphone botnet

Looking to raise awareness about the security implications of third-party apps in smartphones, a pair of security researchers used the lure of an innocuous weather application to commandeer about 8,000 iPhones and Android devices in a mobile botnet.

The research project, first discussed by Dark Reading’s Kelly Jackson Higgins, was unveiled at this year’s RSA conference to show how harmless-looking smartphone apps can harvest sensitive user information, including GPS coordinates and phone numbers.

The app was created and submitted to app clearinghouses that offer apps for Android devices and jailbroken iPhones.

It should be made clear that only jailbroken iPhones were caught in the proof-of-concept botnet. The researchers said they avoided Apple’s iPhone app store because of Apple’s strict security process, which includes code signing.

From the Dark Reading article:

Within an hour of the app being set up on the SlideME and ModMyI app sites, the researchers had 126 downloads, and 702 after eight hours. “After 24 hours, we had 1,862,” Tijerina says. And as of yesterday, the count was 7,800 iPhones and Androids running the app. “This was really surprising because if this was malicious code, that’s a lot of bots we would control,” he adds.

To prove the dangers of the mobile botnet, the report said the pair also wrote a malicious version of the weather app that runs bot code and can grab contact information, cookies, and physical addresses, and can send spam runs.

The researchers say they have no plans to release the malicious application.

Details of how the actual malicious application works here.

11 March 2010

Most costly security scam of 2010 - Scareware

Scareware will be most costly security scam of 2010 as McAfee reports 400% increase in reported incidents.

Wondering what scareware is? Here's what it is and what it looks like.

Fake antivirus programs that encourage web users to part with their hard-earned cash and download hoax security software are likely to be the most costly scam of 2010, says McAfee.

According to the security firm, cybercriminals make upwards of $300m from conning web users worldwide into downloading scareware.

The security firm also said it had seen a 660 percent rise in scareware over the past two years, and a 400 percent increase in reported incidents in the last 12 months.

"Even the savviest of computer users fall victim to online threats because cybercriminals have become so sophisticated," said Jeff Green, senior vice president of McAfee Labs.

The scareware scam starts with a pop-up that claims the web user's PC is infected with malware and then prompts the user to purchase the fake 'security software' which is actually malware in disguise. Cybercriminals also obtain the user's computer and bank details.

"It's an incredibly lucrative business for cybercriminals," added Francois Paget from McAfee Labs.

With this in mind, McAfee has launched the Consumer Threat Alerts program, which is designed to warn web users about the latest and most dangerous online threats.

McAfee said subscribers can expect to receive periodic email alerts about how to recognise the latest online dangers and tips on how to stay safe.

"We're giving consumers the 'street smarts' they need to live their online lives safely," said Green.

"With education and the right technology, we can all play a part in the fight against cybercrime."

10 March 2010

Mariposa Botnet Malware Found On Vodafone HTC Magic

Following Energizer's acknowledgment last week that it had been distributing infected software in conjunction with its DUO USB charger comes a report that malware has been found on a Vodafone HTC Magic running Google's Android OS.

"Today one of our colleagues received a brand new Vodafone HTC Magic with Google's Android OS," researcher Pedro Bustamante wrote on the Panda Research Blog on Monday.

"The interesting thing is that when she plugged the phone to her PC via USB, her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious," he wrote. "A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into."

The malware began "phoning home" for instructions, Bustamante wrote. It's likely the user's credentials would have been stolen, he speculated.

The malware turned out to be related to the Mariposa botnet, but there was other malware on the device too--Conficker and a Lineage password-stealing Trojan, he said.

The botnet is said to have stolen account information and other sensitive data from an estimated 12.7 million compromised IP addresses belonging to individuals, companies, and other organizations across 190 countries.

The botnet spread through P2P networks, USB drives, and MSN links, according to Panda.

A Vodafone spokesperson did not return an e-mail from CNET seeking comment, but The Register published a statement from Vodafone that said it is investigating the matter.

"Following extensive quality assurance testing on HTC Magic handsets in several of our operating companies, early indications are that this was an isolated local incident," the statement said.

Last week, three people were arrested in Spain on charges of operating a massive botnet composed of 12.7 million PCs that stole credit card and bank log-in data and infected computers in half of the Fortune 1,000 companies and more than 40 banks. The botnet was dubbed "Mariposa," which means butterfly in Spanish.

09 March 2010

USB battery charger installs Trojan

The software that shows how far the battery is charged through the Energizer DUO USB charger comes bundled with a Trojan, says US-CERT.

The installer file for the software drops one file too many - the file Arucer.dll is placed into the Windows system32 directory, and allows unauthorized remote access to the system via the TCP port 7777. Through it, it can download further (malicious) files, send stolen files from the infected computer and execute programs.

The Trojan springs to life every time Windows starts and is active even when the charger is removed. Uninstalling the USB charger software disables the malicious file: it is still on the computer, but the mechanism that executes it is no longer present.

The Arucer.dll file must be removed manually from the Windows system32 directory, possibly after restarting the computer once the software has been uninstalled. Blocking the aforementioned port is only a partial, temporary solution; removal of the software and of the malicious file is recommended.

Energizer (the company) has pulled the device from the market and is currently investigating how the software was compromised.

08 March 2010

Apple bans Wi-Fi hotspot sniffers from App Store

Earlier, Apple made news by removing bikinis and other risqué content from the App Store as part of a new “no-skin” policy.

Apple has banned another category of apps from the iPhone app store without notice – this time Wi-Fi hotspot detection applications.

Three Jacks Software, developer of one such application, reported that its product had been pulled from the store in a blog post this week. The blog post said that all other apps using similar technology also appear to have gone.

The ban appears to only apply to products which use the iPhone's built-in 802.11 radio to find hotspots, Softpedia reported, and not apps which use databases, or GPS and network triangulation capabilities.

Another app, the augmented reality software Sekai Camera, was also recently banned for "problematic Wi-Fi access," suggesting that Apple is cracking down on apps it feels use Wi-Fi improperly.

The latest round of exclusions comes weeks after Apple began a purge of all apps containing risqué content – including women in bikinis and silhouettes of body shapes – from the app store.

GigaOM commentator Colin Gibbs said the sudden banning of an entire category of apps on a whim is "a sure way to incense the developers, who are the foundation of the app store."

This move is particularly risky now that the developers have an ever-growing number of alternative platforms to develop content for, he added.

07 March 2010

Taiwan earthquake damages undersea Internet cables

A major earthquake and several aftershocks in Taiwan, which injured dozens of people and caused several fires on Thursday, also sent Chunghwa Telecom workers scrambling to fix undersea fiber-optic telecommunications cables to prevent service disruptions around Asia.

Taiwan's biggest telecommunications company said the initial 6.4-magnitude earthquake, which struck near the southern Taiwan city of Pingtung, damaged four undersea cables in six different places, knocking out service for parts of the day Thursday and early Friday. Global communications and Internet service on all networks has already been restored, mainly by rerouting service on undamaged cables.

Full report here.

05 March 2010

Tool Automates Targeted Attacks On Social Network Users

SAN FRANCISCO -- RSA Conference 2010 -- A researcher here today released a free tool that impersonates a Twitter user's account in order to execute automated targeted attacks on the person's followers.

Pedro Varangot, a security researcher with Core Security Labs, says the group wrote the tool as a way to demonstrate and test how social networks can be used for spear phishing. The initial version executes attacks on Twitter, but Varangot says it can be extended to work against Facebook and other social networks. The tool is based on Core's Exomind, an experimental Python-based framework written to test attacks on social networks, search engines and instant messaging.

He says he and his team at Core believe attackers eventually will build this type of tool as a way to leverage social networks for targeted attacks.

Varangot says the attack begins with the manual setup of a Twitter profile of a real person. "We're not doing fake identities -- that wouldn't do us any good [for spear phishing]," he notes. The profile then gets fed into the tool, which basically builds a cloned look and feel of the real user's Twitter page, including his last tweets.

"We can create a whole fake network," Varangot says. "We emulate someone and tell him to follow other people, and then tell the others we control to follow him."

The attack can easily lure a particular follower on the counterfeit Twitter account because it's purportedly from someone that person knows. That leaves the door open for tweeting malicious links, for example, aimed at a follower or group of followers.

Managing these impersonated Twitter accounts is much easier with the automated tool, Varangot says. "It's really hard to manage these by hand, but easy to do automatically," he says.

Like stolen email account details, pilfered social networking account credentials also are sold on the underground market, he says.

"Spear phishing on email is dangerous, but it's even more dangerous on social networks," he says. "We believe these attacks are a real threat now."

See full report here.

04 March 2010

Pressing F1 in Internet Explorer flaw

Microsoft has confirmed that an unpatched Internet Explorer vulnerability makes it potentially dangerous to press F1 if you are running earlier versions of Windows.

A security bug in the VBScript technology bundled with Internet Explorer means that it might be possible to create a web site that displays a specially crafted dialog box that pushes malware providing a victim is tricked into pressing the F1 (help menu) key while viewing a booby-trapped site using Internet Explorer. The novel exploit technique works on older versions of Windows (Win 2000, XP and Server 2003). Vista, Windows 7 and Windows Server 2008 are immune.

Proof of concept code is reportedly in circulation but Microsoft said: “We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

Redmond went on to criticise security researchers for not coming to them with the problem first in an advisory, published on Monday.

“Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

The advisory expands on an earlier holding statement in providing a list of potentially vulnerable systems, a preliminary risk assessment and suggested workarounds. Redmond security gnomes are still investigating the flaw but a decision to develop a patch looks like a big odds-on favourite if past form holds true.

Microsoft gave no indication of when a patch might become available but the next scheduled Patch Tuesday is only six days away, cutting it very fine to develop, much less test, a fix. An April or even May update for IE seems more likely.

02 March 2010

Hitler and Cloud Computing Security

Hitler learns a painful lesson about Cloud Computing security.