Embarrassing privacy flaw found on Facebook

May 19, 2010 by admin  
Filed under Security News

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

 

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.

 

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.

 

This is a cross-site request forgery (CSRF) vulnerability. A malicious web page can make a visitor's browser submit a request to Facebook, and the browser attaches the victim's Facebook session cookies to that request automatically. The post_form_id token is supposed to stop this, because the attacker's page cannot read a token that was issued to the victim's session. If the server only validates the token when one is supplied, the attacker simply omits the field and the forged request is processed as though the victim had made it, which is exactly what Keith found.
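The token check described above, as an added example that is not code from Facebook or from the article: a minimal Python model of a state-changing "like" handler in its flawed form (token validated only when present) and its hardened form (token required). The token scheme, an HMAC over the session identifier, and the session, group and handler names are assumptions made for the illustration; the page says nothing about how post_form_id was actually generated.

```python
import hashlib
import hmac
import secrets
from typing import Mapping

# Hypothetical per-deployment secret; in a real service it lives in a key store, not in code.
SERVER_KEY = secrets.token_bytes(32)


def issue_form_token(session_id: str) -> str:
    """Token embedded in forms served to the logged-in user.

    Assumed scheme (not Facebook's real one): an HMAC over the session id, so the token
    is bound to one session and cannot be produced without SERVER_KEY.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_matches(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token this session should carry."""
    expected = issue_form_token(session_id).encode()
    return hmac.compare_digest(expected, token.encode("utf-8", "replace"))


def vulnerable_like(session_id: str, form: Mapping[str, str]) -> bool:
    """The flawed pattern in the article: the token is validated only when it is present.

    session_id stands for the cookie the victim's browser sends automatically with any
    request to the site, including one forged by a page on another domain.
    Returns True when the "like" would be applied.
    """
    token = form.get("post_form_id")
    if token is not None and not token_matches(session_id, token):
        return False  # wrong token: rejected
    return True       # valid token, or no token at all: accepted (the bug)


def fixed_like(session_id: str, form: Mapping[str, str]) -> bool:
    """Hardened version: a state-changing request without a valid token is always rejected."""
    token = form.get("post_form_id")
    if token is None or not token_matches(session_id, token):
        return False
    return True


def demo() -> dict:
    """Replay three requests against both handlers: (vulnerable result, fixed result)."""
    victim = "session-cookie-of-victim"  # constructed value
    genuine = {"action": "like", "group": "1234", "post_form_id": issue_form_token(victim)}
    forged_no_token = {"action": "like", "group": "1234"}  # attacker's page simply omits the field
    forged_guess = {"action": "like", "group": "1234", "post_form_id": "0" * 64}
    return {
        "genuine": (vulnerable_like(victim, genuine), fixed_like(victim, genuine)),
        "forged_no_token": (vulnerable_like(victim, forged_no_token), fixed_like(victim, forged_no_token)),
        "forged_guess": (vulnerable_like(victim, forged_guess), fixed_like(victim, forged_guess)),
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:16s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The middle row of the output is the bug: the request with the field deleted is accepted by the vulnerable handler and rejected by the fixed one. The fix is the `is None` branch, but the other properties matter too: the token must be unguessable, bound to the session, and compared in constant time. Origin/Referer checks and, in current browsers, SameSite cookies are useful additional layers; they do not replace requiring the token on every state-changing request.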

 

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.

 

M J Keith reports on Alert Logic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

 

However, IDG has reported that the security hole is still present.

 

Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.

 

If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links.

 

By Graham Cluley, Sophos

 

The sexiest video ever? Facebook users hit by Candid Camera Prank attack (Video)

May 16, 2010 by admin  
Filed under Security Channel

 

Video Source : Websense Security Labs




Apple Safari zero-day exploit revealed

May 11, 2010 by admin  
Filed under Security News

 

 


Apple’s Safari browser contains a critical, unpatched bug that attackers can use to infect Windows PCs with malicious code, US-CERT and security researchers said today.

 

Hackers could compromise PCs with simple “drive-by” attack tactics, researchers added.

 

The vulnerability, first reported by Danish vulnerability tracker Secunia and confirmed by the United States Computer Emergency Readiness Team (US-CERT), was disclosed by Polish researcher Krystian Kloskowski on Friday. The bug is caused by an error in the handling of the browser’s parent windows.

 


 

“This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows,” said Secunia’s alert.

 

The vulnerability can also be exploited by attackers who dupe users into opening rigged HTML-based e-mail within Safari, added US-CERT in its advisory. That scenario likely would involve tricking users into opening malicious messages in a Web mail service, such as Gmail or Windows Live Hotmail.

 

Both Secunia and US-CERT confirmed today that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date edition. Secunia rated the vulnerability as “highly critical,” the second-most-dangerous ranking in its five-step threat scoring system.

 

It’s not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple’s software. “Other versions may also be affected,” cautioned US-CERT.

 

Charlie Miller, the noted vulnerability researcher who won $10,000 by hacking a Mac in March at the Pwn2Own contest, was out of his office and not able to verify that the bug also exists in Safari on Mac OS X.

 

US-CERT urged users of the Windows version of Safari to disable JavaScript as a temporary defense.

 

Apple last patched Safari in mid-March when it fixed 16 flaws, including six that applied only to the Windows version of the browser. It’s not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari.

 

Apple patched Miller’s $10,000 vulnerability in mid-April by plugging a hole in ATS (Apple Type Services), a font renderer included with Mac OS X. Miller accessed the ATS bug via Safari during Pwn2Own.

 

 

By Gregg Keizer, techworld.com


‘More followers’ spam hits Twitter accounts

May 10, 2010 by admin  
Filed under Security News

Thousands of Twitter users are finding that their accounts have been compromised, and are posting messages advertising a website which claims to help users attract more followers.

 

A typical message reads:

CHECK out this site, im a member of it, It gets you more followers: http://tinyurl.com/[removed]


Clicking on one of these links takes you to the Twtfaster website, which asks you to enter your Twitter username and password.

[Screenshot: the Twtfaster page asking for a Twitter username and password]

Of course, regular readers of the Clu-blog know that it’s never a good idea to hand over your login credentials to a third party, and that’s the case with this site too. Curiously, when I entered bogus information on the above screen it didn’t display an error message – suggesting that it might be created simply to scoop up users’ login details. Hmm, that smells worryingly like a phishing attack to me.

 

Further investigation finds some small print on the Twtfaster website that suggests that they plan to use your account to advertise their service – but I wonder how many people would read that before eagerly signing up for more followers?

 

One piece of good news is that TinyURL appears to be currently blocking links used in the campaign, but of course that’s not going to stop the people behind this latest outbreak from using alternative URL shortening services.

[Screenshot: TinyURL’s block page for a link used in the campaign]

So, if you’ve found out that your Twitter account has been sending messages advertising how to get more followers, I would recommend that you change your password immediately. And next time a third-party website asks you to hand over your username and password for Twitter, steer well clear.

 

It is possible that the accounts that are spamming out the adverts for Twtfaster have not signed-up for the site themselves, but have been compromised in some other way. Even so, that’s still a good reason to change your Twitter password. If you need help choosing a memorable, hard-to-crack password you should watch the video I made on the subject.

 

As I’ve discussed before, you should always exercise extreme caution before signing-up for a service which offers to increase your Twitter following.

 

Unfortunately, as the popularity of Twitter grows and the desire for more followers deepens we can expect more and more users to fall for scams like this.

 

 

by Graham Cluley, Sophos

Malicious contracts spammed out by hackers

May 5, 2010 by admin  
Filed under Security News

All of us know how easy it is to accidentally send an email to the wrong address. If two people in your address book have similar names then your email client might make it all too simple to send a message to the wrong one.

 

For instance, I work with Carole, but a simple slip of the fingers or not reading carefully enough might mean I drop a note to Carla Bruni instead. (In my dreams..)

 

And it’s this kind of common incident that cybercriminals are exploiting when they launch an attack like the one we are currently seeing in our worldwide network of traps.

This is a significant attack – the malicious emails are being spammed out en masse to computers around the globe, claiming to contain contracts for the unsuspecting recipient to approve.

 


A typical message reads:

Dear ladies and gentlemen,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
"<name>

 

Subject lines used in the attack include:

  • Rent contract
  • Loan contract
  • Contract of order fulfillment
  • Permit for retirement
  • Open an account
  • Record in debit of account
  • Contract of settlements
  • Your new labour contract
  • Open an account

 

The danger is that recipients of the emails might be curious and tempted to examine the attached file (called Contract_01_05_2010.zip) and end up infecting their Windows computer. And it’s possible that they might open the file out of the goodness of their heart, hoping that it will contain information that will help them identify who should have received the unsolicited message.

 

Sophos detects the attached malware as Troj/Invo-Zip and Mal/Koobface-E. Make sure that you keep your anti-virus software automatically updated, and always be suspicious of unsolicited emails.

 

Opening an unknown file on your computer could mean that you’re opening a backdoor for hackers to compromise and infect your PC.

 

By Graham Cluley, Sophos


Watch out for a new type of spam targeting Facebook users

April 28, 2010 by admin  
Filed under Security News

Today I received a private message on my Facebook account saying that I had won money and asking me for my personal information. It looks like the same kind of spam that targets e-mail accounts, now moved to Facebook and probably sent from fake user accounts. Be careful, and use the ”Report Spam” option on any such message.

 

Example of the spam message:

[Screenshot: the Facebook private message claiming the recipient has won money]

 

“Please attention!” fake DHL delivery emails contain malware

April 21, 2010 by admin  
Filed under Security News

It’s another day, which means (almost inevitably) there’s another malicious email campaign carrying a fake anti-virus attack.

 

Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services.

 


A typical email, which has the subject line “Please attention!”, reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

Attached to the email is a file called label.zip, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it’s possible that some unwary users might fall into the hacker’s trap, and open the malicious attachment.

 

We are seeing many reports of this attack in our global network of traps right now.


If you receive one of these emails, don’t open the attached file, as you could be putting your computer at risk of infection and allowing hackers to compromise your PC.

 

By Graham Cluley, Sophos

 


Farm Town virus warning: Malvertising at work?

April 13, 2010 by admin  
Filed under Security News

Players of the online game Farm Town are being warned to be on their guard for malicious adverts that display fake security warnings in an attempt to dupe unsuspecting users into installing malicious code or handing over their credit card details.

 

SlashKey, the developer of the game, which has over 9.6 million monthly active users on Facebook, has posted a warning on its forum advising players to be wary of pop-up warnings that suddenly tell them their computer is infected:

If you suddenly get a warning that your computer is infected with viruses and you MUST run this scan now, DO NOT CLICK ON THE LINK, CLOSE THE WINDOW IMMEDIATELY. You should then run a full scan with your antivirus program to ensure that any stray parts of this malware are caught and quarantined.

If you do research on many of these spyware programs you will also find a myriad of sites proclaiming they are the only ones who can rid you of these programs. This is not true and on a personal level I urge you to use great caution as some of these so called wonder cures are as much of a scam as the malware you are trying to remove.

 

Hundreds of Farm Town players have responded on the forum, saying that they have been on the receiving end of the attack – but the worry is that many more users may not have seen the warning and could have been tricked by the fake anti-virus warnings into infecting their computers or handing over personal information.


It appears that the problem is related to the third-party advertising that Farm Town displays underneath its playing window. In all likelihood, hackers have managed to poison some of the adverts that are being served to Farm Town by the outside advert provider.

 

Such malicious advertising (or malvertising as it is known) has been the vector for other infections in the past, including attacks against the readers of the New York Times and Gizmodo.

 

What makes this attack all the more serious, of course, is the sheer number of people that regularly play Farm Town, and that – in all likelihood – they might not be as tech-savvy as the typical Gizmodo reader, and thus more vulnerable to falling for the hackers’ scam.

 


Rather than SlashKey simply asking its players to report offending adverts when they appear, it might be sensible for the company to disable third-party adverts appearing alongside Farm Town until the problem is fixed.

 

It may not be Farm Town’s fault that a third-party advertising network is serving up malicious ads, but doing anything less is surely showing a careless disregard for the safety of its players.

 

Until the makers of Farm Town resolve the problem of malicious adverts, my advice to its fans would be to stop playing the game and ensure that their computer is properly defended with up-to-date security software. If you do feel you have to play Farm Town then it might be wise to disable adverts in your browser (for instance, using an add-on such as Adblock Plus on Firefox).

 

By the way, if you are on Facebook and want to keep yourself informed about the latest security news you may want to become a Fan of Sophos on Facebook.

 

 

By Graham Cluley, Sophos

 

 

 

Account notification email warning? Don’t follow the instructions

April 7, 2010 by admin  
Filed under Security News

If you’re returning to an overflowing inbox after the Easter holiday weekend, make sure that you don’t fall for the latest scam being distributed widely by spammers.

 

Emails claiming that recipients’ accounts have been temporarily suspended are being seen around the world today, attempting to trick users into believing that their email account has been accessed by somebody else.

 

The spammed-out emails try to hoodwink users into running the attached file (Instructions.zip) which is, predictably, carrying a malicious payload.


Dear Customer,

This e-mail was send by example.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) example.com

 

In an attempt to make the email more convincing, the attackers reference the domain name (for instance, example.com) used by the recipients’ email account in the emails they are spamming out.

 

Sophos detects the malicious attachment proactively as Mal/FakeAV-BT and Mal/BredoZp-B, but users of security products from other vendors would be wise to ensure that they are properly updated and protected.

 

The hackers are once again using a tried-and-trusted social engineering trick (in this case trying to fool you into believing that your account has been compromised) to lure you into the serious mistake of opening the attached file.

 

Wiser computer users should have learnt by now that you should always be extremely suspicious of unsolicited attachments.

 

 

By Graham Cluley, Sophos

 


Beware airplane ticket N648365 – it contains malware

March 29, 2010 by admin  
Filed under Security News

The bad guys are up to their old tricks again, spamming out malicious attachments posing as airline tickets.

The latest attack, which we’re seeing in many of our spamtraps around the world, poses as an email from Delta Air Lines.

Here’s a typical message:

Subject: Online order for airplane ticket N648365
Message body:
Good afternoon,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: [removed]
Your password: G6vFjbdp

Your credit card has been charged for $998.63.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Delta Air Lines

Attached file: eTicket.zip

Of course, even if you haven’t booked an airline ticket you may still very well open the attachment – especially if you believe your credit card may have been charged for such a large amount of money!

Sophos detects the malicious file attached to the emails as Mal/BredoZp-B and Mal/EncPk-MP. Users of other anti-virus products are advised to ensure that they are up-to-date and capable of detecting this email-borne threat.

By Graham Cluley, Sophos
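Each of the campaigns above (the contract, the DHL label, the account notification and the airline ticket) delivers its payload the same way: a ZIP attachment wrapping a Windows executable behind a document-sounding name. As an added example that is not Sophos’s code and not from the original posts, here is a small Python mail-gateway check that first constructs a message in that shape and then flags any ZIP attachment containing an executable, either by file extension or by the MZ header of a PE file hiding behind a .pdf or .txt name. The sender and recipient addresses, file names, subject lines and stub contents are constructed sample data; the MZ stub is two magic bytes plus padding, not a runnable program.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# File types Windows runs directly; a "contract", "label" or "ticket" should never be one of these.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate anything bigger than this (zip-bomb guard)


def build_sample_message(subject: str, zip_name: str, inner_name: str, inner_bytes: bytes) -> bytes:
    """Construct a lure shaped like the campaigns above (sample data, not a real capture)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"  # constructed addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("We are enclosing the file with the prepared contract.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> List[str]:
    """Return one '<attachment>/<member>: <reason>' string per executable found inside a ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK"):
            continue  # recognise archives by magic bytes, not by the declared filename or MIME type
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append(f"{name}/{member.filename}: executable extension")
                    elif member.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{name}/{member.filename}: oversized member, not inspected")
                    else:
                        with zf.open(member) as fh:
                            head = fh.read(2)
                        if head == b"MZ":  # DOS/PE header: an executable wearing a document's name
                            findings.append(f"{name}/{member.filename}: MZ header behind a non-executable name")
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt or truncated archive")
    return findings


if __name__ == "__main__":
    lure = build_sample_message("Rent contract", "Contract_01_05_2010.zip",
                                "Contract_01_05_2010.pdf.exe", b"MZ" + b"\x00" * 62)
    for finding in suspicious_attachments(lure):
        print("BLOCK:", finding)
```

Two design points: the archive is recognised by its magic bytes rather than by the MIME type or the name the sender chose, since both are under the attacker’s control, and members are inspected by content as well as by name, so an .exe renamed to .pdf inside the ZIP is still caught. The size guard keeps a deliberately crafted archive from exhausting the gateway’s memory. Real deployments would extend the suffix list and add detection-engine scanning of the extracted members, as the posts advise.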

     

     

