Spam Poses as a Twitter Email Notification

Beware, Twitter enthusiasts! Spam posing as Twitter email notifications are currently proliferating in the wild. The spam are of two types—the first type attempts to steal personal information or login credentials while the second attempts to infect systems with malware.

Almost a week ago, Twitter began warning its users about fake Twitter Support emails.

A legitimate Twitter notification email looks like this:

It usually begins with “Hi, *name of user*” and contains the words, “You have a direct message:,” followed by the message itself.

On the other hand, a couple of variants of the email have surfaced, with small differences in the text ("unreaded messages", "information messages"). The Spam mails typically look something like this:


By comparison, the fake emails look very simple and lack details that Twitter would usually use. The emails are very generic because they are intended to fool any and every recipient.

The emails contain an embedded URL that supposedly takes you to your messages, but actually links directly to malware, which is then downloaded onto your computer.

The links have already made inaccessible, but TrendMicro warns users to be vigilant when checking their emails.

New Malware Scheme Targets IPad Owners

iPad owners and all-around Apple fans can take comfort in one fact today: the iPad isn't technically affected by a new problem. However, iPad owners who also own PCs running Windows have been targeted by a fresh scheme meant to create a backdoor and steal important info.

A statement provided by BitDefender warned that people are receiving emails telling them to update their iPad's software. A link then takes them to an authentic-looking site where they can download what's supposed to be an iTunes tweak, and the situation gets hairy.

BitDefender explained that things go downhill as "Backdoor.Bifrose.AADY . . . injects itself in to the explorer.exe process and opens up a backdoor that allows unauthorized access to and control over the affected system."

The explanation continued, "Moreover, Backdoor.Bifrose.AADY attempts to read the keys and serial numbers of the various software installed on the affected computer, while also logging the passwords to the victim's ICQ, Messenger, POP3 mail accounts, and protected storage."

Losing all of that information (along with control of one's computer) is perhaps not the nicest way to celebrate a new gadget purchase. iPad owners should try hard to keep their collective guard up.

Facebook shows its true face

The F8 conference has ended, and Facebook has started making changes and setting the stage for the announced spread through the entire Internet. They might not put it like that, but nobody can doubt their intent.

To allow for that goal to be met, Facebook has started changing privacy options in users' profiles. Personal information like current city, hometown, education and work, likes and interests will now become "connections", and as such, they will be made public. Users are not asked for permission, because the changes are "opt-out".

Of course, Facebook says that users will be notified of the changes - and they have been. The only problem in this is that a great part of the users will not understand the implications of the changes, scroll through them without paying attention, or even skip the whole explanation altogether because it's just to complicated and too long and keep using the service as they have been doing so far, not knowing that information that they thought was private and accessible only to their "friends", is now accessible to anyone.

Facebook doesn't care about it - if it did, it wouldn't carry on like this. They have washed their hands of any responsibility by releasing the announcements, and it will be free to offer its users' data to an ever increasing number of companies - and get paid for it. As Molly Woods says: "I hold few illusions that Facebook's business strategy has ever been about anything other than building up a huge user base and then selling ads to those users." Deep down inside, we all knew it. There is no such thing as a free service. Either way, we have to pay - if not with money, then with information.

And maybe some people genuinely wouldn't mind doing it, were it not for the way this changes are carried out: "opt-out" instead of "opt-in". And, it seems likely that all future changes that could stand between Facebook and more revenue will be carried out in this way.

The Electronic Frontier Foundation has a solution for everyone that wants this information to remain private: delete it from your account. Or, set up a new account and tell Facebook you're under 18 - under its policy for minors, you information is protected and visible only to friends and family and verified networks.

I might add - there is always the option of deleting your account and not making another one. And I wonder: how many people have had the same thought?

iPad users with PCs threatened by backdoor malware

A malicious spam email campaign has been targeting iPad users who own PCs, says Bitdefender. The message is the following:

The message claims that updates have been released for software installed on their iPad devices, and that they need to update their iTunes software so that they will be able to update their iPad software. An embedded URL is offered and, if clicked on, directs the users to a perfect copy of the legitimate page from where iTunes software updates are usually downloaded.

If they choose to download the offered "update", their PCs will be infected with malicious code that "injects itself in to the explorer.exe processand opens up a backdoor that allows unauthorized access to and control over the affected system."

Not content with that, the malware also tries to get keys and serial numbers of the various software installed on the PC, and records the users' passwords for ICQ, Messenger, POP3 mail accounts, and protected storage.

According to Bitdefender, Mac users are not affected - the target are only PC users.

Russian hacker offers 1.5m Facebook credentials for sale

What will Facebook do if the Russian hacker Kirllos' claim that he has in his possession login credentials for 1.5 million Facebook accounts proves to be true?

The hacker was spotted offering the credentials for sale on an underground forum. This image of the post in question was posted on Twitter by Mikko Hyponnen, CRO at F-Secure:

Kirllos asks from $25 to $45 per 1,000 accounts (that's $0.025/$0.045 per account), and according to VeriSign's Director of Cyber Intelligence Rick Howard, he has already been able to sell almost half of the total number.

If the credentials are legitimate and the accounts exist, that means that 1 in every 300 accounts is compromised, and can be used by the buyers to prey on other users by spamming and scamming them - not to mention, to direct them towards sites serving malware. And people are more likely to fall for such tricks, since they have a tendency to trust other users that are encompassed in their (online) social circle.

Infoworld reports that Facebook has yet to comment on the whole situation, but I can bet everything I have on the fact that they are investigating the claim thoroughly.

Gray Powell, the lost iPhone and malware

The story of the day is Gray Powell and the lost iPhone. I searched for him on Google and I was really surprised to see that 4 out of 10 results from Google’s first page were links to malware.

If you click on any of those links, here is what you get:

Then you receive the classic "Your computer is infected" window that proved to be so lucrative for malware writers. The window looks like a real Windows application and many people get confused and run the malware.

I’ve downloaded and scanned the malware on virustotal.com. Here is the report. Basically, only 10 from all 41 antiviruses from VirusTotal detected the malware. That’s only 24.4%, a pretty low detection rate for a malware that appears on the first page of Google results for a hot topic. I think many people already got infected by this.

The malware writers are pretty inventive, I think they’ve made an automated tool that automatically reads Google’s Hot Trends page or Twitter’s trending topics and generate pages containing malware with those terms/searches in the title and some description around it. Gray Powell is #13 on Google’s Hot Trends page right now.

It’s a very dangerous technique and I think Google should do something about it, otherwise a lot of people will get infected. Lately, Search Engine Optimization is being widely used for distributing malware. Pay attention before you click any of Google’s results. Don’t just read the page title and description, but also check the URL!

New Hack Pinpoints Cell Phone User's Location, Personal And Business Relationships

Just when you thought that by staying offline, your privacy on desktops / laptops wouldn't be invaded? What you wouldn't expect, is that even the mobile devices you carry around are not spared.

Researchers demonstrated a technique that exploits the cell phone infrastructure to compromise cell user's privacy.

Turns out you don't even need a GPS to track a mobile phone user's whereabouts and glean her movements and interactions: Researchers have discovered a way to use information from the GSM mobile infrastructure to track down someone and even listen in on her voicemail messages and calls.

More details here.

Malwarebytes and Sunbelt Software partnership

I'm sure most of you out there would have used MalwareBytes to clear off infections on your machine some time or another. For those who haven't, MalwareBytes is a great anti malware software. It does its, for free.

Sunbelt has announced a collaboration with MalwareBytes this morning, the details are in the press release.

Basically the partnership is starting with a new portal for consumers to clean their systems (http://vipre.malwarebytes.org).

In addition to this initial first offering, they are also working together on a broad range of initiatives for sharing information on emerging threats, methods to mitigate risk, and other joint efforts.

Let's see how this new partnership fares.

Trojan disguised as Google Chrome extension

The announcement that Google Chrome is now the third most widely used browser wasn't lost on cybercriminals. They follow the crowd, and that explains the recent appearance of a bogus Google Chrome extension that purportedly enables access to documents from emails.

Malware City reports that the offer of downloading the extension comes to the users via email. If the user follows the link, he is taken to a look-alike of the Google Chrome Extensions page, where the "extension" is provided for download.

But, one obvious indication that the file is not what it supposed to be is the extension of the file - instead of .crx, the file in question sports an .exe extension:

It turns out that it's a Trojan that messes with the Windows HOSTS file in such a way that every time the user wants to access Google and Yahoo webpages, he is redirected to malware-laden clones of the search sites.

Infected XP machines remain unpatched

To avoid the systems crashes from February, which were triggered by the security updates to the Windows kernel and tied to the fact that the machines were infected by the Alureon rootkit, Microsoft has made some modifications to the security updates released on Tuesday.

The updates will do their job with uninfected Windows XP systems, but will halt installation if they spot that the system is compromised by the rootkit. As Microsoft explained in the notes that follow the issuing of the patch, some "abnormal conditions on a system could be the result of an infection with a computer virus that modifies some operating system files, which renders the infected computer incompatible with the kernel update."

That means that those people whose PCs are infected will not be able to update their system, and I can understand Microsoft not wanting to put people off patching and updating.

I am just a little bit skeptical about the effectiveness of way they are trying to warn their customers about the problem - i.e. when the automatic patching fails, the users are presented with a warning message about why that happened (or, actually, didn't happen), so that they can do something about it - i.e. download a malware removal tool and remove the rootkit.

The problem lies in the users - some will see the message and ignore it, and some will not understand what they should do. On the other hand, there is not much Microsoft can do about it - there is no big red button that the users can press and "make it all better".

New Mac Malware Variant Detected

Yesterday, Elinor Mills published an interview transcript in which hacker Marc Maiffret said, "[T]he Apple community is pretty ignorant to the risks that are out there." Today, one of those risks was made much harder to overlook, with a new variant of malware getting identified.

Intego, a company that deals exclusively in Mac security, announced in a press release that it's "discovered a new variant of a malware for Mac, called HellRTS, which, when installed on computers running Mac OS X, opens a backdoor that allows remote users to take control of infected Macs and perform actions on them."

It's possible that HellRTS is about to become rather common, too, given that Intego found it being distributed on more than a couple online forums.

The good news for Mac users/Maiffret critics is that Intego hasn't yet encountered a single HellRTS-infected Mac in the wild, so it's possible that the malware won't ever represent any sort of real threat.

One last note: Maiffret doesn't appear to bear even the faintest connection to Intego, so there's no need for anyone to worry too much about the timing of his comment and Intego's apparent substantiation of it.

iPhone unlocking tricks get PCs into trouble

A malware-spreading mechanism targeting the “iPhone unlocking” fans goes to prove that cybercrime is never short of imagination. This is how the story goes: you receive an e-mail in which you find out that you might get your hands on a new version of an iPhone unlocking application which basically allows you to overcome vendor set network restrictions. All you have to do is click a link that will take you to the web page on which the technical wonder awaits you.

As you get further on into the maze of this scheme and actually click the link, you land on a web page which provides instructions to be followed in order to download the unlocking application:

First off, you are to connect the iPhone to the PC, then download “the new modified” application and run it on the iPhone. And that’s when the magic begins: once downloaded and run, the executable opens up the way for a nice Trojan to fester on your PC.

The “enhanced” version of the executable hides Trojan.BAT.AACL.

Identified by BitDefender as Trojan.BAT.AACL, this piece of malware comes as a Windows batch file packed alongside the iPhone jailbreaking application. The Trojan attempts to change the preferred DNS server address for several possible Internet connections on the users’ computers to 188.210.[REMOVED]. This allows the malware creators to intercept the victims’ calls to reach Internet sites and to redirect them to their own malware-laden versions of those sites.

WordPress hacked, affected blogs point to malware site

A throng of blogs have been compromised and are pointing readers to a malicious website containing scripts that lead to a Trojan that drops and executes other malicious files.

The origin of the attack can be found in a WordPress hack and a virus that - according to Tech Cocktail - "infiltrates WordPress and adds a new file in your scripts directory called jquery.js and then inserts that file into the header or footer files of your site. It also inserts an iFrame that calls a 3rd party site which is known for malware or other malicious activities."

Users who's blogs have been hacked are advised to contact WordPress for help and to provide information that can help them devise a fix as soon as possible.

Most of the affected blogs are hosted by Network Solutions, which says that event the users using the latest version (2.9.2) of the blogging platform are affected.

They also reacted pretty quickly and put a fix in place that requires no action by most customers. The exception are those that have custom code with manually-embedded database passwords, in which case they will have to change them.

Phishers Send Out Standard Chartered Spam

TrendLabs^SM recently encountered a phishing email specifically targeting Standard Chartered Bank clients. The spammed message instructs recipients to log in to their online accounts and to visit the Secure Messages section to read a specific message. The email body includes an embedded link, which when clicked leads to a phishing page.

Sample spam email:

Phishing page:

The use of bogus login pages has become a typical attack vector that phishers continue to use. Similar phishing attacks via spammed messages have been documented here in the Malware Blog:

• Phishing Pages Pose as Secure Login Pages
• Caisse d’Epargne Customers, Beware!
• Citi Prepaid Phishing Services

While this is an old trick, clients who visit the page may still unwittingly provide their bank credentials to cybercriminals’ waiting hands. Users are then advised to constantly exercise caution when opening email messages and when clicking embedded links. Standard Chartered Bank likewise reminds its clients to be wary of the reality of online threats, including phishing attacks.

Remember, when accessing you online banking account, never follow links from an email. Type in the address of you bank directly into the browser's address bar and go on from there.

And, if you get an email that supposedly comes from your bank, it's best to check on their official website for information about the issue or to call them directly.

Farm Town players targeted by malvertisements?

Players of the popular Facebook game application Farm Town are warned not to fall for the fake security warnings claiming that the user is infected by a virus that pop up while they are playing.

SlashKey, the developers of the game, have been warning users via posts on their online forum, advising them not to follow the link but instead just close the window with the warning and perform an antivirus check to ensure that they have not been infected.

A lot of Farm Town players responded to the posts and said they have been faced with the warning. After some initial investigation in the matter, SlashKey believes that the pop-ups are caused by malicious advertisements:

It is highly likely that the attackers have poisoned the adverts that are displayed below the playing window.

Sophos advises users to stop playing the game until the issue is fixed or to disable adverts using browser add-ons such as Adblock Plus on Firefox.

Cash extortion scheme targets BitTorrent users

A new type of malware is riding the wave of file-sharing pre-settlement letters by infecting BitTorrent users’ machines and then demanding payments in order to make imaginary lawsuits go away. ICPP Foundation try to give the impression they are RIAA and MPAA affiliated but the whole thing is a scam to extort cash and obtain credit card details.

BitTorrent users are targeted by an unprecedented extortion campaign that threatens them with legal action for copyright infringement, unless the pay a $400 "fine".

According to TorrentFreak, the method of infection is yet unknown. It could be through a download of a fake file or a email attachment. In any case, the infected user is faced with this alert:

It locks the screen and redirects the user to the site of the ICCP Foundation, which purports to be a "law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally."

This professional-looking site lists the Recording Industry Association of America (RIAA), the Copyright Alliance (CA) and the Motion Picture Association of America (MPAA) as partners, in a bid to give an aura of legitimacy to the site.

The alert also has a very polished look that could fool many into believing the claims it states. The scareware even searches for .torrent files located on the user's hard drive and then displays their names on the alert. The user is threatened with 5 years in prison and a $250,000 fine, and is asked to choose one of the two options: "Pass the case to court" or "Settle case in pre-trial order".

If he chooses to "go to court", he is faced with a warning pop-up that tries to scare him some more ("Performing this action is construed as a refusal to cooperate…") and recommends the user to cancel the action and choose the "pre-trial settlement" option:

If he chooses the "settlement" option, he is asked to enter his name, address and credit card number in order to pay the various fees included in it:

Users are warned not to fall for this scam. When faced with something like this, it's always good to do a quick research online. If the claim is fake, you will be able to find proof very easily.

On another note, I can just see the music and movie industry moguls reading about this and thinking to themselves: "Could we do something like this?"

Full report here.

President's death used for fake AV peddling

Scammers are taking advantage of the people's interest in the news of the tragic death of Poland's President Lech Kaczynski to peddle their fake AV software.

By poisoning search results, they are hoping to dupe as many users as possible. And even though Google is detecting and labeling many of the malicious links with the well known "This site may harm you computer" warning, there are always some that escape detection:

According to CA, the fake AV in question is named "CleanUp Antivirus", and presents the usual fake results that are aimed at making you think that your computer is a hotbed of viruses and Trojans.

As always, when searching for high profile news stories, it is best to stick to the well-known, legitimate news sites.

XBox gamers, beware!

Various fake websites that purport to be hosting a XBox Live application have been detected by Sunbelt, but are actually intent on making you download and run a password stealing Trojan that has a predilection for browsers and applications such as Firefox, Steam, DynDNS and other IM clients.

The sudden proliferation of these sites is due to a DIY kit that allows the scammer to set up an extremely simplistic website that looks like this (notice the abuse of the Softpedia assurance on the bottom that is there to try and establish a level of trust towards the site):

The only thing standing between the Trojan and your computer is this screen:

On the bright side, it says plainly that the application's digital signature cannot be verified, and that should be warning enough that something is wrong and you shouldn't run it.

But, not everybody is acquainted with scammers' tricks and approaches - Microsoft is listed as the publisher and for some people that might just be enough to trust it and allow the application to run.

If the user does run it, it will download a benign-looking file which will put the "Crypted.exe" file in his Temp folder - and that's it: the Trojan is on the computer!

Trojan disguised as Windows Mobile game

A "trojanized" pirated version of a 3D first-person shooter game for the Windows mobile platform found its way to some Windows Mobile freeware download sites and "infected" the phones of those who downloaded it and installed them on their devices.

3D Anti-terrorist action is the name of the game, and it's manufacturer is located in China. But, as F-Secure reports, the trojanized version is the work of a Russian malware author, and makes the phones automatically, repeatedly and silently dial premium-rate numbers.

Here is the part of the trojanized game's code that makes the phone execute the code:

What is the virus writer's payoff, you might ask? Usually, it is a percentage of the revenue that resulted from those calls. The rates for this numbers are higher than normal, and you get billed by the minute.

Having a malicious software like this on your cell phone and not noticing it can result in a heart attack-inducing phone bill. Users are advised not to download pirated copies of any software, since there in no guarantee you'll get what you think you will.

iPad, iPhone "prizes" as lures for Twitter users

Not surprisingly, spam using the Apple iPad as a lure to get users to give up personal or credit card information has began to make rounds of Twitter users.

Sunbelt reveals that Twitter bots have been hard at work spamming users discussing (or just mentioning) the iPad with messages such as these:

The link takes the users to promotional sites that where - in order to get and iPad - they are asked to fill in forms with a large amount of personal information, and to fill in some more information and get "accepted for a financial product such as a credit card or consumer loan” or even purchase something to get an additional gift ("2 years of unlimited data service").

In another instance, Sophos spotted an advert within a Twitpic page that offers the iPhone as a prize if you enter a competition that provides a perfunctory "spot the difference in the two pictures" quiz (in which, by the way, you can make as many mistakes as you want because you will be offered another chance to answer correctly).

When you provide the right answer, you are asked to provide various personal information so that they can send you the prize:

Both promotions seem legitimate, but it is only a matter of time when these "competitions" take a more malicious turn. Users are advised to remember that even if it says "Free!", you are actually "paying" for it with your personal information.

In this last instance, you could also incur an immediate material cost if you are not careful - the checked (by default) checkbox at the bottom of the page will sign you up for an alert service that costs £1.50 per week.

Check how secure, private and open an app is

Surfing through the Net in search of a objective review of an application can be a daunting task, and even when you find one, it usually barely touches the issues of security or privacy.

Enter WhatApp (https://whatapp.org), a wiki page where you can rate and read reviews of Web and social network applications, browsers, add-ons and mobile platforms - reviews that will not tell you if an app is cool or not, but will tell you how secure, private and open it is.

The WhatApp wiki is the brainchild of Stanford's Center for Internet and Society academics and is funded by the Rose Foundation, which supports different projects that - among other things - promote consumer protection and civic participation.

In the teams' own words: "We want WhatApp to be a useful tool for both savvy Internet experts and novices to pool resources and share insights about the privacy features of a wide variety of applications, including Facebook and iPhone Apps, office suites, online maps, toolbars, and media players. The project’s aim is to fill the current market gap between consumer demand for privacy friendly applications and anti-privacy practices employed by the developers and thereby to foster better privacy practices Net-wide."

The page is actually quite simple and easily navigable and usable - search for the app you want to check out or browse the list of already reviewed apps:

The main page also contains two boxes that feature "good" and "bad" apps (of the week? Month?).

Currently, the Featured App is BugMeNot, a service that allows you to bypass compulsory registration to various sites and services by offering bogus data. RockYou Live is in the Penalty Box, for getting hacked and revealing (unencrypted) user data.

Beware fake eBay security alert

Red Condor issued a warning of a new blended email threat that appears to be a security alert from eBay. The email message with the subject line "eBay Procedural Warning - Security Alert," is addressed to "Dear eBay Member," and warns recipients that the sender has "detected security issues on behalf of your account."

The email warns that to correct the issue, users "have to download and install the eBay Security Shield." The embedded link in the email actually takes user to a likely compromised site on eBay's network.

On the site is a Download Now button that when executed installs a Trojan. After the victim installs the malware as prompted by the email, they are directed to log into their eBay accounts, which then sends their eBay log-in credentials to the scammers.

"While this is a relatively low volume campaign, the scammers have not only figured out how to circumvent the majority of anti-virus engines, they have also exploited an 'About Me' page of a compromised eBay account to host the Trojan," said Dr. Tom Steding, president and CEO of Red Condor.

"In past eBay phishing attacks, the call to action URL has been on some random compromised machine. This scam, however, is a malicious and very sophisticated attack, and unfortunately, is a good representation of the types of phishing attacks that we are likely to see going forward. This attack is likely to get by many email security systems, so users should delete the message immediately."

Games on social networks increase spam and phishing by 50%

In order to reach high scores, social entertainment applications require users to gather a considerable number of friends and supporters to play the same game, leading to player-development of social gaming channels, groups and fan pages to facilitate player interaction.

Spammers and phishers exploit the increasing trend of social gaming with fake profiles and bots that send spam messages to groups, as a BitDefender case study shows.

Unlike the regular social networking spam, when the users are enticed to add the spammer in their circle of friends, the social gaming-related phony profiles are willingly added by the users as an immediate consequence of their interest in enlarging the supportive players’ community. This makes it almost impossible for the bogus accounts to be automatically suspended, since the spammers’ action does not constitute an abuse.

The study also demonstrates that the most successful fake accounts are those miming real profiles, which hold plenty of details and pictures of the “user.” In an acceptance experiment, BitDefender researchers created three honeypot profiles – one without any picture and holding few details, another with an image and limited information and a third with a large amount of data and photos. All three profiles where subscribed to general interest groups.

One hour after adding people to each profile, the circle of friends enlarged with 23 connections for the first profile, 47 for the second profile and 53 for the third profile.

After joining social games groups, the volume of users willing to add unknown people drastically increased. Within 24 hours, 85 users accepted a request from the first profile, 108 from the second and 111 from the third.

“Users are more likely to accept spammers in their friends list when they are in a social network than in any other online communication environment,” said George Petre, BitDefender threat intelligence team leader and author of the case study.

The security implications are numerous, ranging from the consolidation and increase of the spamming power, data and ID theft, accounts hijacking to malware dissemination. A shortened URL posted without any explanation on each honeypot profile was followed by 24 percent of the friends from the three accounts, even if they did not know who posted it and where was going.

Hacked Yahoo email accounts in China and Taiwan

Yahoo email accounts of several journalists and human activists have been hacked and their contents likely downloaded in what seems like an organized attack concentrated on gaining as much intelligence as possible regarding activities that those people might be engaged in and that the Chinese government finds objectionable or threatening to social stability.

Among the owners of the hacked accounts are Kathleen McLaughlin, a freelance journalist; Andrew Jacobs, reporter for the New York Times in Beijing; and Dilxat Raxit, spokesmen of World Uyghur Congress, a group that supports the idea of separatism among the ethnic Uighurs.

The accounts were inaccessible for several days, and Raxit says that that he couldn't access his for a whole month. Jacobs says that he discovered that his account was set to forward his emails to an unknown account - without his knowledge, of course.

Reuters reports that Yahoo made a statement in which claims it is going to investigate the matter and that it "condemns all cyber attacks regardless of origin or purpose". It was speculated that the company was among the ones that were breached by the Aurora attacks in January, but it was never actually confirmed by Yahoo itself.