Twitter fights back against spam, phishing, and other malicious links
March 11, 2010 by admin
Filed under Security News
In a move that should be welcomed by many users, Twitter has announced that it is introducing a new feature to combat the many malicious and malware URLs that are distributed via the micro-blogging site.
In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.
As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened URL appears to be invoked only in the email notifications sent for direct messages at this time.
Details of how Twitter is determining if a link is potentially malicious or not do not appear to have been released at this time, and it would certainly be great if Twitter would post some more information on how the system will work and what users can expect to see.
It’s also to be hoped that this new service will be rolled-out to other areas of Twitter too. We’ve seen many times in the past that phishing and spam attacks on Twitter don’t tend to restrict themselves purely to DMs, but will also often be found in the public timeline too, as the following YouTube video demonstrates:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they have been on the receiving end of spam and malware attacks via social networks in the last year.
The news of Twitter’s new twt.tl short url facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may contain a malware, spam or phishing threat using technology from security vendors such as Sophos.
* Image source: wonderferret’s Flickr photostream (Creative Commons)
By Graham Cluley, Sophos
Hackers exploit Oscar film awards to spread scareware
March 9, 2010 by admin
Filed under Security News
Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It probably shouldn’t be any surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly – that hackers would try to exploit the event.
Internet users searching for phrases like
Oscars 2010 winners
may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.
By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.
Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and handing over your credit card details.

As Fraser Howard recently described on the SophosLabs blog, victims are redirected a number of times upon visiting from a search engine, before being taken to a webpage hosting a malicious script.
Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.
Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.
By Graham Cluley, Sophos
Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)
February 24, 2010 by admin
Filed under Security Channel
Twitter users are being warned about a widespread phishing attack spreading across the system, designed to steal the usernames and passwords of unsuspecting members.
Messages include
Lol. this is me??
lol , this is funny.
Lol. this you??
followed by a link in the form of
http://example.com/?rid=http://twitter.verify.bzpharma.net/login
where ‘example.com’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to bzpharma.net at the very least.
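The link format above, a redirector URL that carries the real phishing destination in its `rid` query parameter, is something a defender can screen for automatically. The following is an added example, not code from Sophos or from the original post: it extracts URLs from a message, pulls out any URL embedded in a query string, and flags links that lead (directly or via the embedded URL) to a blocked domain. The sample messages and the `example.com`/`example.org`/`example.net` hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample messages modelled on the campaign described above.
# The example.* hosts are placeholders, not real redirector sites.
SAMPLE_TWEETS = [
    "lol , this is funny. http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
    "Lol. this you?? http://example.org/go?rid=http%3A%2F%2Ftwitter.verify.bzpharma.net%2Flogin",
    "New blog post: http://example.net/posts/42",
    "check this http://twitter.com/home",
]

# Domain suffixes known from the campaign to host the fake login page.
BLOCKED_SUFFIXES = ("bzpharma.net",)

# Greedy match: an embedded "http://" inside the query string stays part of the outer URL.
URL_RE = re.compile(r"https?://[^\s<>\"]+")


def host_matches(host, suffixes):
    """True if host equals a blocked suffix or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def embedded_urls(url):
    """Return any URLs smuggled inside the query string of url (e.g. ?rid=http://...)."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for v in values:
            v = unquote(v)  # parse_qs already decodes once; be tolerant of double encoding
            if v.lower().startswith(("http://", "https://")):
                found.append(v)
    return found


def classify_url(url):
    """'blocked' if the link or an embedded URL points at a blocked domain,
    'redirect' if it carries an embedded URL to some other host, else 'ok'."""
    if host_matches(urlparse(url).hostname or "", BLOCKED_SUFFIXES):
        return "blocked"
    inner = embedded_urls(url)
    if any(host_matches(urlparse(u).hostname or "", BLOCKED_SUFFIXES) for u in inner):
        return "blocked"
    return "redirect" if inner else "ok"


def scan_message(text):
    """Return the worst verdict across every link found in a message."""
    verdicts = [classify_url(u) for u in URL_RE.findall(text)]
    for level in ("blocked", "redirect"):
        if level in verdicts:
            return level
    return "ok"


if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(scan_message(tweet), "-", tweet)
```

The `redirect` verdict is deliberately separate from `blocked`: a link that bounces through a third-party redirector to an unknown host is worth a closer look even before the destination domain makes it onto a block list.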
Watch this YouTube video for more details:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.
It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.
As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!
Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.

The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.
Interestingly, the bzpharma.net site doesn’t appear to have been set up only for Twitter phishing. It also appears to have been created to steal the online identities of users of the Bebo social networking site:

If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.
We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.
Update: The phishing campaign appears to be bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts. Learn more now.
By Graham Cluley, Sophos
Surveillance rootkits on smartphones
February 24, 2010 by admin
Filed under Security News
Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.
The scientists have shown that a malicious attacker could cause a smartphone to “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless”.
Watch the following YouTube video to learn more:
It’s a cute little video, but how realistic is this threat in reality?
I don’t think the kind of attack described by Iftode and Ganapathy is a big deal right now.
Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions. For instance, code that enables covert remote surveillance, battery drainage or silently steals data.
Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.
So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.
How are they going to do that?
They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the “trick” route they would be relying upon the phone’s OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).
So it doesn’t sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably fewer opportunities (and it is thus much harder) to infect a mobile phone than, say, a computer running Windows.
Furthermore, I would argue that the typical mobile phone user is still typically less used to installing applications than their Windows counterparts, and so the chances of success via fooling the user into installing a dangerous application can be assumed to be even lower.
Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?
If I really wanted to snoop on someone’s phone I think it would probably be easier to swap my victim’s mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.

Sure, the mobile phone malware threat is growing – but it’s a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but surely it’s becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.
However, if I was responsible for securing my company’s mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.
It’s a nice video and presentation that Iftode and Ganapathy made, but I won’t be losing any sleep over it just yet.
More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: “Rootkits on Smart Phones: Attacks, implications and opportunities” [PDF]
By Graham Cluley, Sophos
Malware attack spammed out disguised as email settings file
February 24, 2010 by admin
Filed under Security News
Sophos is intercepting a large number of malicious emails that have been spammed out around the world, posing as new settings files for internet users’ email systems. However, what is attached to the emails is a Trojan horse.
Each email is carefully disguised in an attempt to lure the recipient into believing they are genuine. For instance, they use the recipient’s email address in the subject line and pretend to come from the support team at the recipient’s email domain:

A typical malicious email reads as follows (I’m assuming the user’s email address is username@example.com below):
Subject: A new settings file for the username@example.com has just be released
Attached file: settings.zip
Message body:
Dear use of the example.com mailing service!We are informing you that because of the security upgrade of the mailing service your mailbox username@example.com settings were changed. In order to apply the new set of settings open zip attached file.
Best regards, example.com Technical Support.
Although the hackers behind this attack have clearly put a little thought into how they might infect as many people as possible, they have made some grammatical mistakes which may tip off potential victims that the emails are not genuine.
For instance, the subject line of
A new settings file for the username@example.com has just be released
is very clumsy.
Attached to each email is a file called settings.zip, which contains a copy of the Troj/Bredo-BE Trojan horse.
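The traits described above (the recipient’s own address echoed in the subject, a sender claiming to be support at the recipient’s own domain, “settings file” lure wording and a settings.zip attachment) can be combined into a simple mail-filter heuristic. The following is an added example, not Sophos’s detection logic: it builds a constructed message in the shape quoted above, parses it with Python’s standard email library, and counts how many of those traits are present. The addresses and body text are placeholders modelled on the sample in the post.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names and lure phrases taken from the campaign described above.
SUSPICIOUS_ATTACHMENTS = {"settings.zip"}
LURE_PHRASES = ("settings file", "new settings", "mailbox settings")


def build_sample(subject, sender, recipient, body, attachment_name):
    """Construct a test message (placeholder content, not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(body)
    # A few constructed bytes stand in for the real archive; only the name matters here.
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def domain_of(addr):
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def score_message(raw):
    """Return the list of suspicious traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    recipient = str(msg.get("To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    if recipient and recipient.lower() in subject.lower():
        reasons.append("recipient address echoed in subject")
    if sender and recipient and domain_of(sender) == domain_of(recipient):
        reasons.append("sender claims recipient's own domain")
    if any(p in (subject + " " + text).lower() for p in LURE_PHRASES):
        reasons.append("settings-file lure wording")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SUSPICIOUS_ATTACHMENTS or name.endswith(".zip"):
            reasons.append("archive attachment: " + name)
    return reasons


def is_suspicious(raw, threshold=3):
    """Flag a message once enough independent traits co-occur."""
    return len(score_message(raw)) >= threshold
```

A single trait (a zip attachment, say) is common in legitimate mail; the threshold exists so that only the combination the campaign relies on is flagged.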
Stay on your guard against attacks arriving via email. Although we see many web-based attacks these days, the rumours of the death of email-based malware are greatly exaggerated.
By Graham Cluley, Sophos
Danger! Internet Explorer zero-day vulnerability – no patch yet
January 16, 2010 by admin
Filed under Security News

Microsoft has released a security advisory about a previously unknown vulnerability in versions of Internet Explorer. There is currently no patch for the vulnerability which is being blamed, in part, for the high-profile attacks against Google, Adobe and other companies.
Microsoft has published some mitigation advice and workarounds which can reportedly help block attack vectors, but at the time of writing there is no official patch available.
There has been much speculation in the computer security industry (including some from myself!) that an Adobe PDF vulnerability could have been the route through which hackers delivered malware into Google and Adobe’s systems. Certainly we have seen a significant rise in the last year of targeted attacks exploiting vulnerabilities in Adobe’s code.
But researchers close to the Google/Adobe hacking investigation say that they have found no evidence so far of the attack exploiting Adobe’s software in this way. Indeed, a statement posted yesterday on Adobe’s blog confirms this.
So, right now, Microsoft Internet Explorer is being looked at with suspicion. And as the world’s most popular internet browser it’s obviously a serious cause for concern that an unpatched vulnerability that allows remote code execution exists that is being actively exploited by cybercriminals.
System administrators and computer owners around the world will be holding their breath that an official patch from Microsoft arrives sooner rather than later. In the meantime, Microsoft is recommending that Internet Explorer users use Data Execution Prevention (DEP) – a technology that is enabled by default in recent versions of Internet Explorer but has to be turned on manually in earlier versions.
By Graham Cluley, Sophos
First iPhone worm discovered – ikee changes wallpaper to Rick Astley photo
November 8, 2009 by admin
Filed under Security News

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.
The worm, which could have spread to other countries although we have no confirmed reports, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself on them in turn.
On each installation, the worm – written by a hacker calling themselves “ikex” – changes the lock background wallpaper to an image of Rick Astley with the message:
ikee is never going to give you up
What’s clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, “alpine”. In fact, it would be a good idea if you didn’t use a dictionary word at all.
The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.

SophosLabs is analysing the worm’s code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the “D” version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.
The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

Presently it appears that the worm does nothing more malicious than spread and change the infected user’s lock screen wallpaper. However, that doesn’t mean that attacks like this can be considered harmless.
Accessing someone else’s computing device and changing their data without permission is an offence in many countries – and just as with graffiti there is a cost involved in cleaning-up affected iPhones.
Other inquisitive hackers may also be tempted to experiment once they read about the world’s first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.
iPhone users may rush into jailbreaking their iPhones in order to add functionality that Apple may have denied to them, but if they do so carelessly they may also risk their iPhone becoming the target of a hacker.
My prediction is that we may see more attacks like this in the future. Indeed, only last week we saw hacked iPhones in the Netherlands being held hostage for 5 Euros.
Who wrote the ikee iPhone worm?
The source code of the worm says at its start:
/ "ikee virus" by ikex
/ Revision: 10 (Variant D)
A quick trawl of the Whirlpool forum where users are reporting that their iPhones are unexpectedly displaying an image of Rick Astley, reveals a user calling themselves “ike_x”.
According to ike_x’s user profile on the Whirlpool forum he is based in Sydney. Further searching on the internet reveals other pages seemingly related to ike_x of Sydney, using the name “Ash” or “Ashley Towns”. For instance, here is a MySpace page and this appears to be Ash/ikex on Twitter.
The worm’s author appears to have realised that people might be interested to learn why he wrote the worm, and posted this explanation inside the code:
Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn't anyone RTFM anymore?
There is a certain irony in the notion that a hacker who says he was trying to expose sloppy security by the owners of jailbroken iPhones has done such a bad job of covering his own tracks.
Source of image of affected iPhone: Batman from the Whirlpool forums.
By Graham Cluley, Sophos
“See Who Blocked You on MSN” Phishing Attacks
September 14, 2009 by admin
Filed under Security News
We have received samples of a new phishing mail targeting users of MSN Messenger inviting them to see who deleted or blocked them from their contact list. Users would be interested to know who among their friends have deleted them from their lists.

Figure 1. Phishing email
Clicking on the link displays the following fake login page asking the user to input his or her password:

Figure 2. Phishing website
It is obvious that the intention of the cybercriminals is to harvest the user’s MSN Messenger login credentials. Afterwards, they can continuously send spam messages from the account or, worse, use the account for other malicious purposes.
Getting in touch with friends is now much easier than before. Thanks to the growth of social networking sites, we can stay connected with our old friends, or even find new ones, by reading the profile pages of other members and sending and receiving invitations to games, videos and other applications. However, users must be on guard when interacting within online social networks, because spammers are now abusing these same features in their phishing attacks.
Always be mindful in accepting “invitations”, especially when it concerns your personal information. This particular spam message, and the associated website, are already blocked by Trend Micro products via the Smart Protection Network.
By Merianne Polintan (Anti-spam Research Engineer)
Preventing Man-in-the-Middle Attacks (Video)
June 25, 2009 by admin
Filed under Security Channel