Cyber Crimes Unit

Paul Ducklin joined me from Sydney this week as we both returned home from a long and rewarding trip to InfoSec Europe.

While the news has been dominated by the recent attack on Sony Computer Entertainment, we started off talking about the actions the US government took against the Coreflood botnet. The news was largely positive, but it does allow broadened powers for the police that include actions some feel could further harm the victims.

When the topic of DSLReports, Sony and other data leakage incidents came up, our conclusions were ultimately in alignment. While these incidents are important and may draw our attention to the problem, these losses are only a small part of what Paul likes to call the “death of a million cuts.”

On the topic of the supposed “Stars” virus, which Iran claims is a second stage Stuxnet virus, the conclusion was the same. Even if this “Stars” virus is real, and is a concern for Iran, in the meantime the rest of us are being hit with a barrage of cyber-crap that is having real impact on our lives.

No story is complete without some comment on Facebook and Chet Chat 58 is no exception. Aside from the usual list of attacks and scams, it appears that their DMCA takedown process and other pieces of their self-defense mechanisms are easily manipulated. Ars Technica’s Facebook page was arbitrarily deleted this week based on a DMCA claim that no one has yet been able to explain.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(28 April 2011, duration 18:37 minutes, size 12.6MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 58.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q6BfTIAzPZI/

It’s starting to seem like Facebook can’t win against those who wish to use their service to scam, spam and simply cause trouble. Over the last day or so, a new type of attack has been spreading using the phrase “OMG! I Can’t believe JUSTIN Bieber did THIS to a girl”.

It leads to a page asking you to verify a simple math problem to “prevent bots from slowing down the site”. In actuality, it is another clickjack-type scheme in which you are asked to type the answer into a box.

It doesn’t matter what you type, because it’s a social engineering trick. What you are actually typing is a comment that is used to share the link with your friends on Facebook. You can see the tooltip that says “Add a Comment” in the screenshot.

This bypasses Facebook’s recent attempt at detecting likejacking fraud. Links you comment on are not using the same mechanisms that Facebook is monitoring when you click “Like”.

Many moons ago, the first Facebook attacks started with illegitimate applications asking for permission to access your wall and spread their messages by spamming your friends through wall posts. While this worked well, it was a bit easy for Facebook to track down and remove the bogus apps.

Early in 2010 we saw the first attempts at likejacking. This technique involves layering one image over the top of a Like button and tricking the victim into clicking something that appears to play a video or a continue button, when in fact they are clicking the Like button hidden underneath.

More recently we have seen the attackers trying lots of new techniques. In the past few months we have seen them tagging people in photos they are not in to get you to click, inviting people to fake events and even making you an administrator of a Facebook page that isn’t yours.

While protecting yourself may not be as simple as not clicking anything that says “OMG!” that isn’t a bad start. Be skeptical, understand that messages from your friends may not in fact have been sent to you willingly, and if you are really tempted to click, take a short timeout to conduct a Google/Bing search.

As of the time of this writing some of the YouTube videos this scam leads to have been removed by YouTube. However, one video that is still working has over 525,000,000 views since February and thousands of comments in the last 24 hours — in other words, since this Facebook scam has been making the rounds.

To stay up to date on the latest threats, follow us on Facebook. For advice on how to configure your profile to protect your privacy check out our recommendations for Facebook settings.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/uUabpemwn2w/

In the absence of a genuine ticket to the real event, Facebook users are encouraging each other to reveal their Royal Wedding Guest name.

Here’s a typical message that is currently being spread by well-meaning users across the social network:

In honor of the big wedding on Friday, use your royal wedding guest name. Start with either Lord or Lady. Your first name is one of your grandparents’ names. Your surname is the name of your first pet, double-barreled with the name of the street you grew up on. Let’s do this! Post yours here. Then cut and paste it into your status.

Regally yours,
Lady Edith Spanky-Rushmoor

Do you see the problem?

By playing the game, you might be unwittingly making life easier for identity thieves and hackers.

Look at it this way. Think of all the websites which ask you to give it a “secret question” which can confirm your identity in the event of you forgetting your password.

If you tell everyone your Royal Wedding Guest name then you are giving away information which might help someone break into, say, your email account.

So, here’s my advice.

Firstly, don’t post this kind of personal information onto the internet – the few seconds worth of amusement you may get by telling people your Royal Wedding Guest name are not worth the potential pain of having your identity stolen.

Secondly, when websites ask you for a “secret answer” to reset your password… lie. You don’t need to tell the truth when you’re asked by a website what your mother’s maiden name was, or the name of your favourite TV show. So, say something random but memorable that no-one is likely to guess like “Xena Warrior Princess” or “Artichoke Sandwich”.

If you use Facebook and want to learn more about threats, you should join the Sophos Facebook page where we have a thriving community of over 70,000 people.

Of course, if you do happen to be one particular couple getting married tomorrow, you’re not going to have any chance keeping your grandparents’ names secret..

Hat-tip: Thanks to Naked Security reader Paul who brought this particular issue to our attention.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2HPEUtg1HTk/

As we all know, compromised sites play an important role in web distributed malware, acting as the conduit, guiding user traffic to further malicious content. Sometimes, the attackers get lucky, and succeed in compromising a high profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any 3rd party sites that happen to load the ads.

Late yesterday evening, we started to see evidence of such an attack – Sophos products were blocking certain ad content as Mal/Iframe-U.

Knowing that detection and what it looked for, I was pretty sure that the ad server of Campus Party was compromised.

Sure enough, I could see that in addition to the desired ads (for the July Campus Party event in Valencia), the content also contained malicious JavaScript (highlighted in yellow):

Not the first time I have seen an OpenX ad-server getting compromised, and I suspect it won’t be the last.

Deobfuscating the JavaScript reveals the payload. As our Mal/Iframe-U detection name suggests, it is an iframe to load further malicious content from a remote server.

This initiates the attack, triggering a chain of events summarised below:

• ad content (pro-actively blocked as Mal/Iframe-U) silently loads content from the attack site.
• user’s browser and browser plug-ins are inspected to determine most appropriate exploit content to load. For this a legitimate library is used.
• exploit content (e.g. Mal/HcpExpl-A, Troj/Lifsect-A, Mal/ExpJS-M) is loaded in order to infect the user with malware. At the time of writing, the exploit site is currently serving up a rootkit which Sophos products detect as Mal/TDSSPack-AX.

As is typically the case for today’s web attacks, all of the script components used are heavily obfuscated in an attempt to thwart detection efforts and hinder analysis.

We have already informed those at Campus Party about this issue in order that they can get the malvertising attack cleaned up as soon as possible. In fact as I type, I can see that the ad server is already offline, presumably whilst they resolve the issue. Kudos to them for actioning this quickly!

As to the root cause of the compromise, I do not know exactly how the server was compromised. However, given history, my money would be on an out of date or unpatched version of OpenX.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iPwX-lVK49k/