::Trend Micro Threat Resource Center::

28 July 2010

OMG! Profile Spy targeting Facebook users

Facebook users are a curious lot, and one of the things that seemingly regularly piques their interest is the opportunity to see who views their profile.

Posts that read "OMG OMG OMG... I can't believe this actually works! Now you really can see who views your profile!!! WOAH --> (link to site)" popping up on users' pages and Friend Feeds have been seen in the last couple of days, but - All Facebook warns - don't go falling for this recycled scam.

The provided links will take you to pages outside Facebook designed to convince you that if you post the exact message you have fallen for on different places on your Facebook page, you will be allowed to download Profile Spy - a fake application that supposedly lets you see who viewed your profile:

Of course, after you have done all this, you won't be able to download the offered application, but you will be asked to complete a number of surveys and to register for a mobile service that costs $19.99 per month.

While experienced users are able to spot scams like these from a mile away, there are always novices at Facebook and at computers who could be fooled. If you know any, do them a favor and educate them about the existence of the "OMG! You won't believe it!" scams.

27 July 2010

Fake ImageShack emails lead to Zbot variant

Emails pretending to be registration notifications from the popular free image hosting website ImageShack are hitting inboxes, and are trying to get the users to follow a link to a malicious website where a Zbot variant awaits to be downloaded.

At first glance, they look pretty legitimate, but a second glance at the offered registration link reveals that the target page does not belong to ImageShack.

Another clue that the email might be fake is the provided username and password. Sunbelt's Chris Boyd received the email in question and remarks that he would never use the given combination of username and password, even if he had registered with the service.

The offered link belongs to an Australian art gallery whose website was probably compromised, and presents to the user the following request:

The file in question is, of course, the Zbot variant I mentioned in the beginning. Luckily for potential victims, the great majority of security solutions have the ability to detect this particular variant, which has been removed in the meantime.

But, Boyd says that users should still be careful about visiting the site, since "there’s still some iframe activity taking place". He also advises users to be careful of such emails in the future, because it is likely that criminals will be sending out the same email - albeit with a different malicious link, pointing to different malware and using a different exploit.

When in doubt whether you have signed up for something, it's better to just delete the email.

WoW players targeted with phishing emails

World of Warcraft players are once again targeted by a phishing scheme, says F-Secure.

Emails purporting to come from Blizzard Entertainment - the creators of WoW - have hit inboxes around the world, claiming that Blizzard is investigating recent thefts of accounts and requiring users to change or restore their passwords. Of course, the email contains a link that takes the user to a web page that does not belong to Blizzard:

Apart from the suspicious link, a good indication that this email is not coming from Blizzard are the noticeable grammatical and language errors.

F-Secure experts have investigated further and discovered that the sender used an SMTP relay attack to spoof the "From" address to make it look like the email is coming from Blizzard, when it is in fact coming from an individual Hotmail email account.

WoW players are advised to be careful when receiving such emails, and are asked to remember that a real account change verification process includes more than just providing your password - you must also provide a valid ID.

25 July 2010

1.2 million infected by Eleonore exploits toolkit

AVG’s Web security research team has discovered a network of 1.2 million malware-infected computers controlled by cybercriminals who were using the Eleonore exploit toolkit – a commercial attack software enabling cybercriminals to infect and monitor compromised PCs.

The two-month-long study by AVG Research examined 165 Eleonore toolkits in use by cybercriminals and concluded that those using the Eleonore exploit toolkit were experiencing a 10 percent success rate in infecting the more than 12 million users visiting their compromised web pages.

All 165 domains the cybercriminals managed to compromise experienced high volumes of traffic. The research was built using AVG LinkScanner product data, identifying URLs that the product blocked when it identified a threat.

“The accessibility and sophistication of easy-to-use cybercriminal toolkits proves that cyber gangs are raising the bar to monetize their criminal activities,” said Yuval Ben-Itzhak, senior vice president, AVG Technologies.

24 July 2010

Safari's AutoFill reveals personal information

A feature of Apple's Safari browser can be used by hackers to harvest personal information, says Jeremiah Grossman, founder and CTO of WhiteHat Security, in his recent blog post.

The feature in question is the AutoFill, and it automatically fills the text fields of forms in HTML pages with information such as name, address (city, state, country), company, email address, etc.

Unfortunately, this feature is enabled by default and pulls this information from the local operating system address book - not from previously entered data that the browser "remembered" from when you entered it on a different website.

"All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript," says Grossman. "When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker."

The only information that the feature - for some reason - doesn't automatically fill is the data starting with a number (phone number, street addresses) - so, yes, it could be worse.

"Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload," says Grossman. "In fact, there is no guarantee this has not already taken place."

He goes on to say that he contacted Apple with this information a little over a month ago, but has still received no reply from them other than an auto-response message. Until a fix is issued, he recommends that Safari users disable the feature (Preferences > AutoFill > AutoFill web forms).

23 July 2010

Mozilla Rolls Out Security Update For Firefox

This week, Mozilla released a security update for their popular Firefox web browser. Firefox 3.6.7 fixes several security issues that were found in the 3.6.6 version. Over half of the vulnerabilities fixed were listed as "Critical," which is the highest danger level that Mozilla associates with security issues.

Of the 14 vulnerabilities listed on the Firefox update site, eight are listed as critical. Mozilla defines a critical issue as a "vulnerability [that] can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." Basically, a hacker can run their code on your computer to access your information and install malware on your system. For instance, they list an issue with PNG image handling: if you browse a site with a maliciously crafted image on it, without clicking on anything, you can get a computer virus.

The way that most of these vulnerabilities are able to execute code on your machine is by taking advantage of pointers to unallocated memory. These pointers are caused by array overflows or by de-allocating objects that still have multiple pointers pointing to them. By using these dangling pointers, attackers are able to put their code into sections of memory that your computer doesn't realize are being used, and therefore doesn't know to protect. Once the malicious code is in memory, it is easy to execute.
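The two causes named above (an object freed while another holder still points at it, and an index running past the end of an array) are shown here with the defensive pattern that removes them: a reference count so that memory is only freed by the last holder, and bounds-checked accessors. This is an added illustration written for this page, not Mozilla's code or any of the Firefox bugs being described; `SharedBuf` and its functions are constructed names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a small buffer shared by two owners. A raw free()
   by one owner would leave the other owner's pointer dangling; a reference
   count frees the memory only when the last owner releases it. */
typedef struct {
    int refs;            /* number of live owners */
    size_t len;          /* number of valid bytes in data[] */
    unsigned char *data;
} SharedBuf;

SharedBuf *sharedbuf_new(size_t len) {
    SharedBuf *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    b->data = calloc(len, 1);
    if (b->data == NULL) { free(b); return NULL; }
    b->refs = 1;
    b->len = len;
    return b;
}

/* A second owner takes a reference instead of copying the raw pointer. */
SharedBuf *sharedbuf_acquire(SharedBuf *b) {
    b->refs++;
    return b;
}

/* Returns the number of owners still holding the object; 0 means this call
   freed it and the pointer must not be used again. */
int sharedbuf_release(SharedBuf *b) {
    if (--b->refs > 0) return b->refs;
    free(b->data);
    free(b);
    return 0;
}

/* Bounds-checked access: out-of-range indexes are rejected instead of
   reading or writing past the allocation (the "array overflow" case). */
int sharedbuf_set(SharedBuf *b, size_t i, unsigned char v) {
    if (i >= b->len) return -1;
    b->data[i] = v;
    return 0;
}

int sharedbuf_get(const SharedBuf *b, size_t i, unsigned char *out) {
    if (i >= b->len) return -1;
    *out = b->data[i];
    return 0;
}

/* The scenario from the text: two holders of one object, the first gives
   up its handle, the second keeps working on memory that is still valid.
   Returns 0 when every step behaved as expected, -1 otherwise. */
int demo_two_owners(void) {
    SharedBuf *first = sharedbuf_new(16);
    if (first == NULL) return -1;
    SharedBuf *second = sharedbuf_acquire(first);

    sharedbuf_set(first, 3, 0x41);
    int remaining = sharedbuf_release(first);   /* 1 owner left, nothing freed */
    first = NULL;                               /* never reuse a released handle */

    unsigned char v = 0;
    int ok = sharedbuf_get(second, 3, &v);      /* still readable: 0x41 */
    int oob = sharedbuf_set(second, 16, 0x42);  /* rejected: index == len */
    int last = sharedbuf_release(second);       /* 0 owners, memory freed now */
    second = NULL;

    return (remaining == 1 && ok == 0 && v == 0x41 && oob == -1 && last == 0) ? 0 : -1;
}

int main(void) {
    printf("demo_two_owners: %s\n", demo_two_owners() == 0 ? "ok" : "FAILED");
    return 0;
}
```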

The best way to protect yourself is to make sure that your browser is always up to date with the most current software. In Firefox, this is as easy as clicking the "Check for updates..." link in the Help menu, or by going to mozilla.com and clicking the big green button in the middle of the screen. This will update your browser to ensure that you have the best protection for your web browsing pleasure.

17 July 2010

Single Trojan Accounted For More Than 10 Percent Of Malware Infections In First Half 2010

Top two threats both exploit the Windows Autorun feature, BitDefender study says.

When something works, hackers keep doing it. And as a vehicle for delivering malware, Microsoft's Autorun.INF utility is still working just fine, according to researchers at BitDefender.

In a study issued earlier this week, BitDefender reported that the top two malware offenders during the first six months of 2010 -- Trojan.AutorunINF.Gen and Win32.Worm.Downadup.Gen -- both exploit Autorun.INF.

Trojan.AutorunINF.Gen alone accounted for 11 percent of all the malware infections detected by BitDefender in the first half, according to the report.

"The autorun technique is massively used by worm writers as an alternate method of spreading their creations via mapped network drives or removable media," BitDefender says.

Initially designed to simplify the installation of applications located on removable media, the Windows Autorun feature has been used on a large scale as a means of automatically executing malware as soon as an infected USB drive or an external storage device has been plugged in, the report states. Unlike legitimate autorun.inf files, those used by miscellaneous malware are usually obfuscated, the researchers say.

"Before the arrival of the second service pack for Vista, Windows-based operating systems would follow any autorun.inf file instructions and blindly execute any binary file the autorun file pointed to," the report says. "Because of the risk the users were exposed to, Microsoft subsequently deactivated the autorun feature for all the removable devices except for the drives of type DRIVE_CDROM."

MBR worms made a comeback in early 2010, with upgraded viral mechanisms, BitDefender states. Late January saw the emergence of Win32.Worm.Zimuse.A, a deadly combination of virus, rootkit, and worm.

Regionally, China and Russia are the world's top malware distributors, the report says. "During the last six months, China [31 percent] has been the most active country in terms of malware propagation, followed by the Russian Federation [22 percent]. Both countries are known for their lax legislation regarding cybercrime, as well as for the plethora of 'bulletproof hosting' companies," such as the Russian Business Network, which has been officially terminated but remains extremely active in practice, the researchers say.

PayPal remains the top phishing target in the world, acting as the subject for 53 percent of attacks, BitDefender says. PayPal's parent, eBay, finished second with 16 percent.

Spam continues to be a problem for most companies, according to BitDefender. Most spam messages are used to sell pharmaceuticals -- in fact, medicine-related spam jumped from 50 percent to 66 percent in the first half, according to the report.

While Web-borne malware remains strong, cybercriminals are moving more toward Web 2.0 exploits, focusing on social networks, such as Facebook and Twitter, while also expanding their attacks on instant messaging systems, the researchers say.

16 July 2010

Employees bypass security roadblocks to engage in social networking

Even though more workplaces are regulating social networking sites, employees are finding ways around security roadblocks, making social networking a way of office-life around the world.

Trend Micro's 2010 corporate end user survey, which included 1600 end users in the U.S., U.K., Germany and Japan, found that globally, social networking at the workplace steadily rose from 19 percent in 2008 to 24 percent in 2010. The highest surge of social networking on the corporate network during the last two years was found among end-users within the U.K., who tallied a 6 percent increase, and Germany, with a more than 10 percent leap.

With the exception of Japan, there were no significant differences between end users from small businesses and those from large corporations, but the survey found that laptop users are much more likely than desktop users to visit social networking sites.

Globally, social networking usage via laptops went up by 8 percent from 2008 to 2010. In the U.S., it increased by 10 percent and in Germany, up by 14 percent.

In 2010, 29 percent of laptop users versus 18 percent of desktop users surveyed said they frequented these sites at work. In Japan for 2010, small-company employees were much more likely than those from large companies to visit social networking sites – 21 percent from small companies compared to 7 percent from large companies.

For all countries surveyed in 2010, laptop users who can connect to the Internet outside of the company network are more likely to share confidential information via instant messenger, Web mail and social media applications than those who are always connected to a company's network. This is significantly so in Germany and Japan.

As more and more people communicate through social networks, the more viable social networks become as malware distribution platforms. KOOBFACE alone, the "largest Web 2.0 botnet," controls and commands around 51,000 compromised machines globally. This demonstrates the scale of the threat, and emphasizes the need to educate users and implement strong policies.

Simply trying to prevent users from accessing social networks at work could potentially increase the risk to an organization: users will look for ways around the computer security controls, which in turn increases the chance of exposure to security threats.

15 July 2010

Two Major Breaches Caused By Loss Of Physical Media

AMR loses data of some 79,000 employees; California agency and Care 1st misplace CD containing data on 29,000 patients.

Online attacks might be getting more sophisticated every day, but two incidents last week are reminding the industry that the loss of physical storage media is still among the most common causes of data breaches.

AMR, the parent company of American Airlines, is in the process of notifying some 79,000 current and former employees of the loss of a hard drive containing microfiche records dating from 1960 to 1995. Some of the records included bank information.

And on July 6, the California Department of Health Care Services (DHCS) reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members.

Recent studies indicate that the theft of physical media remains one of the most common causes of data breaches. Both AMR and the California DHCS have discovered that the hard way.

The lost AMR drive contains images of microfilm files, which include names, addresses, dates of birth, Social Security numbers, and a "limited amount" of bank account information, the company told the Associated Press. Some health insurance information might have also been included -- mostly enrollment forms, but also details about coverage, treatment, and other administrative information.

The data spans a period from 1960 to 1995. AMR also believes some of the employee files contained information on beneficiaries, dependents, and other employees. No customer data was affected, the company says.

AMR has sent letters to the people who were impacted by the breach. AMR is offering one year of free credit monitoring for those affected, and is increasing security and testing the vulnerability of its computers.

The data lost between Care 1st and the California DHCS is in peril because the lost CD might not have been encrypted, officials said. Without proper encryption, which is required by DHCS of all of its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users.

Care 1st cannot confirm the CD was encrypted. Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.

When the CD could not be located, DHCS immediately launched an investigation and conducted numerous exhaustive searches of the premises, according to a press release. DHCS then reiterated and reinforced its longstanding direction to Care 1st and all trading partners that all personal information must be transmitted or delivered to DHCS in an approved, secure format. Care 1st now submits the information using secure electronic transfer rather than CDs.

Care 1st delivered the CD to DHCS for the purpose of identifying Care 1st members who are also Medi-Cal beneficiaries. The members whose information is contained on the misplaced CD are mostly Medicare recipients. On April 29, when the information on the CD that was delivered on April 7 was scheduled to be processed, it was determined to be missing.

On June 18, Care 1st began sending individual notification letters to the members whose information was on the CD. The letters gave the members information on steps they could take to protect themselves from any possibility of identity theft. Care 1st also arranged for free credit monitoring services to be provided to the members for one year at no cost.

14 July 2010

Windows 7 SP1 Beta released

Windows 7 SP1 Beta helps keep your PCs and servers at the latest support level and provides ongoing improvements to the Windows OS by including previous updates delivered over Windows Update as well as continuing incremental updates to the Windows 7 platform.

Windows 7 SP1 Beta will help you:
  • Keep your PCs supported and up-to-date
  • Get ongoing updates to the Windows 7 platform
  • Easily deploy cumulative updates at a single time
  • Meet your users' demands for greater business mobility
  • Provide a comprehensive set of virtualization innovations
  • Provide an easier Service Pack deployment model for better IT efficiency.

In order to download and install the Windows 7 SP1 Beta you must currently have a Release to Manufacturing (RTM) version of Windows 7 already installed. You can register for the download here.

09 July 2010

iTunes Store To Receive Security Makeover

Apple is in the news this week about the new security measures it will be implementing in the wildly popular iTunes store. Granted, this is not a major security upgrade, but it does help to prevent the kind of security holes that have been recently exposed.

This all began when apps by a Vietnamese developer named Thuat Nguyen occupied 42 of the top 50 apps in the App Store. This raised a few red flags, especially after people commented on the apps that they had never purchased them. After some investigating, Apple determined that Nguyen had obtained account information for 400 accounts with stored credit card information and had used those accounts to purchase his apps from the App Store, driving up his sales and revenue.

In order to combat this type of security breach, iTunes will now require an extra step be taken by its customers. On accounts with saved credit card information, customers will need to enter the CCV code from the back of their card more frequently. That's it. Admittedly, this is not a full security overhaul, but the truth is that one would be unnecessary. The "hacked" accounts are more than likely victims of phishing attacks, as Apple has stated that its servers were unaffected by any kind of security breach.

Overall, the damage caused by this problem was minimal (assuming you are not one of the 400 accounts that were targeted). 400 accounts out of 150 million comes to roughly 0.0003% of accounts worldwide. This coupled with the fact that Nguyen and his apps have been banned from the App Store makes this a fairly open and shut case. For anyone who was affected by this fraud, Apple recommends that you contact your credit issuing agency about canceling your card and issuing a charge back for unauthorized transactions.

07 July 2010

Twitter Kit, a spammer's dream come true

Cyber criminals and spammers have been (mis)using Twitter for a long time.

Twitter has tried to stop or at least limit their use of the platform by defining some limitations on the number of messages and updates allowed per day or per hour, and on other things like API requests and changes of the account email.

Unfortunately for Twitter, the fight against these spammers is often similar to a game of Whack-A-Mole - when it takes a malicious account down, another springs up in its place. Finding a way to bypass the limitations set by the social network is another key to success for these malicious users.

Luckily for them, other criminals are there to help them - for a price. Trend Micro has recently spotted a toolkit being offered for sale on many underground forums.

Dubbed "Twitter Kit", it allows the malicious user to send messages to thousands of followers using a SOCKS5 proxy and to send Follow invites to users and their followers. It also breaks the aforementioned account limits set by the social network.

Trend Micro believes it is mostly used to send out messages with links to pornographic sites, since it is offered as a bonus when one buys a list of 10,000 Twitter users that follow adult content. But given the small price of $20 for the toolkit alone, it can and likely will be used for sending out a variety of malicious messages.

06 July 2010

Botnet viruses invade smartphones

New mobile viruses, disguised as "Free World Cup VOD" and other hot topics, were captured last week by NetQin. More than 500 complaint cases were reported and filed on June 23.

Identified as ShadowSrv.A, FC.Downsis.A, BIT.N and MapPlug.A, these viruses were embedded in mini mobile games to lure users into downloading them. Once downloaded, the device is controlled by the virus originator. The propagation model is the same as that of a computer botnet, so the viruses are classed as botnet viruses.

According to NetQin, these viruses either send messages directly to all the contacts in the address book, or send messages to random phone numbers by connecting to the server; both result in extra charges on the user's phone bill.

Furthermore, the viruses delete the sent messages from the user's Outbox and SMS log. The messages sent by the viruses are themed around the hottest topics, including Free World Cup VOD and the most popular blind date TV show. All messages contain URLs linking to malicious sites that users are unable to see until they have already clicked and fallen into the virus trap.

The targets of these botnets are mobile devices running the S60 3rd and 5th edition OS. An estimated 100,000 mobile phones were impacted, according to NetQin.

05 July 2010

Facebook users receiving direct messages from Koobface

Every so often, the Koobface botnet mounts a campaign to increase the number of infected systems, and this latest one employs an already tried tactic.

According to Trend Micro, Facebook users receive a direct message containing a single line of text and a link. The text reads: "Someobdy uplaod a vdieo wtih you on utbue. you shuold see", and the link points to a Facebook page whose URL looks like this:

http://www.facebook.com/l/{random character};{redirected URL}

Any link pointing to such a URL will bring up the Facebook preview page for external links, and if the user ignores the warnings about the potential dangers of following the link to the final destination, he will be faced with a site (hosted on several different IP addresses) apparently displaying the video:

To view the video, the user must download a Flash Player update. As you may already suspect, the offered file is a Koobface variant that proceeds to infect the system and download additional malware.
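A triage check for links in such messages, written for this page as an added example (not Trend Micro's or Facebook's code): it recognises the http://www.facebook.com/l/{random};{redirected URL} wrapper shape described above, pulls out the final destination, and flags destinations whose host is a bare IP address, since the post reports the fake video pages being served from several IP addresses. The sample links and the hosts in them are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Prefix of the wrapper described in the post. The exact form of the part
   between the prefix and the ';' is given only as "random character(s)",
   so this check requires just the prefix and a non-empty ';' segment. */
static const char WRAPPER_PREFIX[] = "http://www.facebook.com/l/";

/* Return the redirect target embedded in a wrapped link, or NULL if the URL
   does not have the http://www.facebook.com/l/<random>;<target> shape. */
const char *wrapped_target(const char *url) {
    size_t plen = strlen(WRAPPER_PREFIX);
    if (strncmp(url, WRAPPER_PREFIX, plen) != 0) return NULL;
    const char *semi = strchr(url + plen, ';');
    if (semi == NULL || semi == url + plen || semi[1] == '\0') return NULL;
    return semi + 1;
}

/* Copy the host part of a scheme://host[:port][/path] URL into host.
   Returns 0 on success, -1 if there is no scheme or the host is empty/too long. */
int url_host(const char *url, char *host, size_t cap) {
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t n = strcspn(p, "/:?#");
    if (n == 0 || n + 1 > cap) return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

/* Is the host a bare dotted-quad IPv4 literal (four numbers in 0..255)? */
int host_is_ipv4_literal(const char *host) {
    int octets = 0;
    const char *p = host;
    while (*p != '\0') {
        if (!isdigit((unsigned char)*p)) return 0;
        int value = 0, digits = 0;
        while (isdigit((unsigned char)*p)) {
            value = value * 10 + (*p - '0');
            if (++digits > 3 || value > 255) return 0;
            p++;
        }
        octets++;
        if (*p == '.') { p++; if (*p == '\0') return 0; }
        else if (*p != '\0') return 0;
    }
    return octets == 4;
}

/* Classify a link found in a message:
     0 = not a wrapped link (nothing to say here),
     1 = wrapped link whose final destination is a named host,
     2 = wrapped link whose final destination is a bare IP address. */
int classify_link(const char *url) {
    const char *target = wrapped_target(url);
    if (target == NULL) return 0;
    char host[256];
    if (url_host(target, host, sizeof host) != 0) return 1;
    return host_is_ipv4_literal(host) ? 2 : 1;
}

int main(void) {
    /* Constructed sample links; 192.0.2.10 and example.com are placeholders. */
    const char *samples[] = {
        "http://www.facebook.com/l/abc12;http://192.0.2.10/video/",
        "http://www.facebook.com/l/xyz;http://example.com/",
        "http://example.com/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", classify_link(samples[i]), samples[i]);
    return 0;
}
```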

04 July 2010

Malicious PDF spam with Sality virus

Malicious spammers will try every approach they can think of to make you open the attachments included in emails.

Sophos warns that a malicious email containing the following text has been dropped into inboxes around the world:

"Hey man.. Remember all those long distance phone calls we made. Well I got my telephone bill and WOW. Please help me and look at the bill see which calls where yours ok.."

You surely don't remember such an occurrence or the sender of the email, since this is just a ploy to make you open the PhoneCalls.pdf attachment, but don't let your innate curiosity get the better of you.

The attached file is crafted in such a way that it can exploit a vulnerability in how Adobe Reader handles TIFF images, and proceeds to download and execute a Trojan that loads the Sality virus into your system's memory. The virus then proceeds to append its encrypted code to executable files, deploys a rootkit and kills anti-virus applications.

Having an up-to-date version of Acrobat Reader and of an anti-virus solution installed can help detect this threat, but teaching yourself to detect suspicious emails such as this one is also a great idea.

Just remember that opening documents attached to unsolicited emails is like the online equivalent of Russian roulette - the odds are stacked heavily against you.

03 July 2010

The "New" Paper Trail

These days, with threats ranging from computer hackers stealing data to insurance companies "accidentally" publishing hundreds of thousands of people's most sensitive information on the internet, data security is a very prevalent issue. A CBS news investigation recently turned up a new source of potential data leakage: the standard office copy machine.

Unknown to the majority of Americans, almost every single copier built since 2002 has an internal hard drive which stores a digital copy of each document copied, scanned, or printed using the machine. This can be a useful feature for storing fax cover sheets and other commonly used documents. The problem comes when personal information is copied for office use: for example, doctors making copies of medical records, insurance companies making copies of claims information, or employers making copies of driver's licenses. Each time a copy is made, that information is stored in a way that is easily retrievable by anyone with access to the machine.

There are numerous rental services which rent out copiers to businesses with no set policies on dealing with this kind of security. Some offer to scrub the hard drive when it is returned, but they can charge up to $500 for the service. There are also refurbished copiers for sale containing data from any previous owners. At least in these cases, the owner has physical access to the machine to be able to take steps on their own, such as purchasing an encryption service for the internal hard drive, or their own data deletion tools. What is more worrisome are the copy and print shops where there are no guarantees on document security. Anything copied there is stored on their machines, where it is unlikely that any measures are taken to wipe the drives on a regular basis, if ever.

If your office handles private information, or anything else that doesn't need to be shared with others, steps should be taken to make sure that the information stored inside your copier is safe. There are usually services available from the manufacturers to have the data removed from the device after each job is completed, or at least encrypted, although this can significantly add to the cost of the machine.

02 July 2010

10,000 XP machines attacked through 0-day flaw

The Windows Help and Support Center vulnerability, the details of which have recently been made public by researcher Tavis Ormandy, is being heavily exploited in the wild.

According to a recent post on Microsoft's Malware Protection Center Blog, public exploitation of the vulnerability started on June 15th, but those attacks were probably undertaken by other researchers, since they were targeted and rather limited.

After that, the attacks became more widespread, and the targets more numerous. Microsoft claims that as of yesterday, over 10,000 separate computers have reported witnessing this attack. Computers in Portugal and Russia have seen by far the highest concentration of attacks:

The attacks only increased with time. Microsoft started seeing "seemingly-automated, randomly-generated HTML and PHP pages hosting this exploit", and the goal of the attacks was to plant Trojans and viruses on the targeted system.

For those users who don't use Microsoft's security solutions with updated signatures for the detection of the exploit, the company advises implementing the workaround listed in the advisory.

New authorization process for Facebook apps

Ten months ago, when Facebook agreed to make some changes to its platform and add new privacy safeguards in order to comply with the requests of the Canadian Privacy Commissioner, one of the agreed changes was to retrofit the social network's application platform so that every application a user wants to add to their profile must obtain the user's express consent for each category of personal information it wishes to access.

Yesterday, Facebook made good on that promise and rolled out the new authorization process for applications and Facebook-integrated websites. From now on, when you install a new application or first log in to an external website with your Facebook account, you will be faced with a similar request:

Applications usually have default access to the public parts of your profile, but to access the private sections, they have to explicitly ask for your permission.

You can define which information will be private and which public by modifying your account's Privacy Settings.

01 July 2010

Virus production from Russia increases again

Virus production from Russia is on the up again, after a temporary decline last month when Russian hosting service, PROXIEZ-NET – notoriously used by criminal gangs – was taken down in early May. This is according to analysis of internet threats in June by Network Box.

Russia is now responsible for 7.4 per cent of the world’s malware, and is back to being in the top four virus-producing countries, behind the US (13 per cent), Korea (10.1 per cent) and India (9.2 per cent).

This follows a similar pattern to malware production after the McColo shutdown in the US in November 2008, when the US's threat production decreased dramatically but only temporarily, and was back up to normal levels within a month.

Levels of viruses and spam from the UK remain high. The UK has the dubious honour of being the world’s fourth-largest producer of spam, with 4.1 per cent of spam originating from home shores, the same as last month. This is behind the US (11.1 per cent), India (8.0 per cent) and Brazil (4.2 per cent).

Virus levels from the UK are slightly down from last month (2.9 per cent, down from 5.9 per cent), but this figure results from an increase in production from other countries, notably India (up to 9.2 per cent of viruses from 5.5 per cent last month) and Russia. The US is back at the top spot, overtaking Korea, and is now responsible for 13.6 per cent of the world’s malware (up from 11.6 per cent last month).

Simon Heron, Internet Security Analyst for Network Box, says: "We predicted that Russian malware and spam production would be back up to normal levels this month, and this has proved to be the case. Any efforts to shut down criminal hosting services are to be applauded; it makes life a little harder for those who would prey on others, but sadly in the current political climate it doesn't normally have a long term effect, as the criminals simply go elsewhere."