The Facebook Friend Suggestions security scare
May 14, 2010 by admin
Filed under Security News
Warnings are being posted all across Facebook suggesting that users who have received multiple friend suggestions are really infected with a computer virus.
A typical version of the warning reads as follows:
VIRUS WARNING: ANYONE WHO HAS GOTTEN A TON OF FRIEND SUGGESTIONS BE CAREFUL! IT IS A VIRUS! IF YOU ACCEPT THEM THEN YOUR ACCOUNT WILL SEND OUT ABOUT 85 TO SOMEONE ELSE!!! WARN YOUR FRIENDS NOW! This is a new virus that is sending requests to spread. DO NOT ACCEPT FRIEND SUGGESTIONS AT THE MOMENT!

The reality, however, is somewhat different. Most importantly, receiving more than the usual number of Friend Suggestions is not a sign of a computer virus infection.
Instead, it appears that Friend Suggestions on Facebook now go to both parties, rather than just to the one person you specifically made the suggestion to.
So, imagine you are Tom, and you think that your friend Dick should become Facebook friends with Harry. You visit Dick’s Facebook profile, scroll down to where it says “Suggest friends for Dick” and choose Harry’s name.
Your suggestion that Dick should become friends with Harry doesn’t just go to Dick, but it will also now go to Harry as well. Presumably Facebook has made this change in order to encourage more users to interconnect.
But there’s more.
As Facebook reveals on its help pages about Friend Suggestions, Facebook can also suggest possible friends for you to connect with.
It does this by automatically examining “the networks that you are a part of, mutual friends, work and education information, contacts imported using the Friend Finder, and many other factors.”
Aside from the mysteriously ambiguous “many other factors”, the thing I find concerning there is the reference to Friend Finder.
What Facebook means is that they can suggest friends based upon email addresses that you may have imported into Facebook from your email account address book, perhaps when you first set up your account.

What many people may not realise is that even if you didn’t add everyone you imported from your address book as a Facebook friend, Facebook can still use those contacts imported from Outlook, Gmail, Hotmail, Yahoo, etc, in order to make future recommendations.
Therefore, Facebook may also see your email address in other people’s contact lists, and determine relationships based upon that.
If this bothers you (and I can perfectly understand why it would), then Facebook says you can tell it to remove the contacts from its suggestions system. Of course, it might have been better if you hadn’t offered up your address book to Facebook in the first place..
Facebook also says that you can change your privacy settings to prevent your profile from being visible to everyone as a potential friend suggestion.
More information about Facebook’s Friend Suggestions system can be read online here.
No doubt most of the souls forwarding and reposting this latest Facebook security scare to their profiles are oblivious to all these fine details, however, and are still believing that a virus is behind the suggestion messages that they are viewing.
Of course, it should still go without saying, that whether you receive a friend request or a friend suggestion, you should exercise caution about who you befriend on a social network – as it could be a cybercriminal rather than a long lost chum who is trying to access your profile.
Oh, and don’t forget. If you’re on Facebook you might want to become a Fan of Sophos on Facebook to ensure you are kept up-to-date with the latest security news.
By Graham Cluley, Sophos
KHOBE ‘vulnerability’: is this game over for security software?
May 11, 2010 by admin
Filed under Security News
The last couple of days there have been a lot of headlines in the security press about a report by a firm called Matousec, which claimed that “today’s most popular security solutions simply do not work.”
The attack method, dubbed KHOBE and described by Matousec researchers as an “8.0 earthquake for desktop security software”, describes a potential bypass in the way some parts of some anti-malware products operate on some versions of Microsoft Windows.

The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.
Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.
In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.
So, before you hide yourself in the basement and prepare for nuclear winter, make sure you read this excellent piece by Paul Ducklin, which examines and discusses the KHOBE claims in greater detail.
TEOTWAWKI: The End Of The World As We Know It
By Graham Cluley, Sophos
Danger! Fake $50 iTunes certificate carries malware
May 10, 2010 by admin
Filed under Security News
Amid all the usual attacks posing as delivery notices from DHL and FedEx this morning, I spotted some malware that had been spammed out posing as an Apple iTunes certificate for $50.

The emails read as follows:
Subject: Thank you for buying iTunes Gift Certificate!
From: "iTunes Online Store" <software@itunes.com>
Attached file: iTunes_certificate_997.zip
Hello!
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below. Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
iTunes Store.
Running the attached malware can infect Windows computers. Clearly the hackers are hoping that in your excitement about receiving a $50 iTunes gift certificate that you will throw caution to the wind and open the attachment.
Sophos detects the malware, contained inside a ZIP file, as Troj/BredoZp-AM and Mal/FakeAV-BW.
By Graham Cluley, Sophos
‘More followers’ spam hits Twitter accounts
May 10, 2010 by admin
Filed under Security News
Thousands of Twitter users are finding that their accounts have been compromised, and are posting messages advertising a website which claims to help users attract more followers.
A typical message reads:
CHECK out this site, im a member of it, It gets you more followers: http://tinyurl.com/[removed]

Clicking on one of these links takes you to the Twtfaster website, which asks you to enter your Twitter username and password.

Of course, regular readers of the Clu-blog know that it’s never a good idea to hand over your login credentials to a third party, and that’s the case with this site too. Curiously, when I entered bogus information on the above screen it didn’t display an error message – suggesting that it might be created simply to scoop up users’ login details. Hmm.. that smells worryingly like a phishing attack to me.
Further investigation finds some small print on the Twtfaster website that suggests that they plan to use your account to advertise their service – but I wonder how many people would read that before eagerly signing up for more followers?
One piece of good news is that TinyURL appears to be currently blocking links used in the campaign, but of course that’s not going to stop the people behind this latest outbreak from using alternative URL shortening services.

So, if you’ve found out that your Twitter account has been sending messages advertising how to get more followers, I would recommend that you change your password immediately. And next time a third-party website asks you to hand over your username and password for Twitter, steer well clear.
It is possible that the accounts that are spamming out the adverts for Twtfaster have not signed-up for the site themselves, but have been compromised in some other way. Even so, that’s still a good reason to change your Twitter password. If you need help choosing a memorable, hard-to-crack password you should watch the video I made on the subject.
As I’ve discussed before, you should always exercise extreme caution before signing-up for a service which offers to increase your Twitter following.
Unfortunately, as the popularity of Twitter grows and the desire for more followers deepens we can expect more and more users to fall for scams like this.
Surveillance firm sells Apple iPad spyware
May 10, 2010 by admin
Filed under Security News
Could someone be spying on the emails you send and the websites you visit on your iPad?
For many the thought that someone could be reading every email you send, secretly logging every call that you make on your mobile phone, or silently tracking your location via GPS would be the stuff of nightmares.
And yet software exists (and is sold completely legitimately online) that does exactly this for those who wish to spy on their workers, or on members of their family.
And now a firm which in the past has made surveillance software to monitor the usage of iPhones, BlackBerrys, and Android, Windows Mobile and Symbian smartphones has announced a version of its snooping software to spy on iPads.
For just $99.97 a year, Mobile Spy customers can access a website that allows them to view a list of every website visited on an iPad, every contact added to the address book, and every email sent and received.

The way that vendors get away with this is by explaining that it is almost certainly an offence to install software onto a phone or computer that monitors or spies upon the owner unless you have authorisation to install it.
So, for instance, it would be okay to spy on your employees’ phone, computer or iPad activity if they had agreed to such surveillance in their contract. And it would be okay to snoop upon your kids because.. well, they’re your kids, and how likely are they to take you to court?
Such software exists in the “grey” area between legitimate and illegitimate software, typically promoted as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, or to assist companies in enforcing acceptable use policies, rather than more traditional identity theft – but it’s clear that it can be used for criminal purposes too.

Fortunately, Mobile Spy’s spyware for iPads only works on jailbroken devices. In other words, not only does whoever want to spy on you need access to your iPad to install the software, your iPad also needs to have been tinkered with to allow you to run software that hasn’t been given the stamp of approval by Apple.
Late last year we saw malware which targeted users of jailbroken iPhones. My expectation is that if enough iPad owners jailbreak their gizmos too, some of the hackers at least won’t be far behind.
Hat-tip: Krebs on Security
By Graham Cluley, Sophos
Malicious contracts spammed out by hackers
May 5, 2010 by admin
Filed under Security News
All of us know how easy it is to accidentally send an email to the wrong address. If two people in your address book have similar names then your email client might make it all too simple to send a message to the wrong one.
For instance, I work with Carole, but a simple slip of the fingers or not reading carefully enough might mean I drop a note to Carla Bruni instead. (In my dreams..)
And it’s this kind of common incident that cybercriminals are exploiting when they launch an attack like the one we are currently seeing in our worldwide network of traps.
This is a significant attack – the malicious emails are being spammed out en masse to computers around the globe, claiming to contain contracts for the unsuspecting recipient to approve.

A typical message reads:
Dear ladies and gentlemen,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
<name>
Subject lines used in the attack include:
- Rent contract
- Loan contract
- Contract of order fulfillment
- Permit for retirement
- Open an account
- Record in debit of account
- Contract of settlements
- Your new labour contract
- Open an account
The danger is that recipients of the emails might be curious and tempted to examine the attached file (called Contract_01_05_2010.zip) and end up infecting their Windows computer. And it’s possible that they might open the file out of the goodness of their heart, hoping that it will contain information that will help them identify who should have received the unsolicited message.
Sophos detects the attached malware as Troj/Invo-Zip and Mal/Koobface-E. Make sure that you keep your anti-virus software automatically updated, and always be suspicious of unsolicited emails.
Opening an unknown file on your computer could mean that you’re opening a backdoor for hackers to compromise and infect your PC.
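Both this campaign and the fake iTunes certificate mail above share the same shape: a known lure subject, a salutation addressed to nobody in particular, and a ZIP attachment. The following triage script is an added example (not Sophos code, and not the original spam): it scores constructed sample messages against those traits, using only the subject lines and attachment names quoted in the two posts.

```python
"""Heuristic triage for the contract / gift-certificate lure mails described above.
The sample messages are constructed test data, not captured spam."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the two posts, lower-cased for comparison
LURE_SUBJECTS = {
    "rent contract", "loan contract", "contract of order fulfillment",
    "permit for retirement", "open an account", "record in debit of account",
    "contract of settlements", "your new labour contract",
    "thank you for buying itunes gift certificate!",
}
# Salutations that address nobody in particular (both lures open with one)
GENERIC_GREETINGS = ("dear ladies and gentlemen", "hello!", "dear customer")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".rar")

def risky_attachments(msg):
    """Filenames of attachments whose extension is an archive or executable."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            found.append(name)
    return found

def lure_reasons(raw):
    """Reasons a raw RFC 822 message looks like one of these lures (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches known lure: " + subject)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if body.startswith(GENERIC_GREETINGS):
        reasons.append("generic salutation")
    for name in risky_attachments(msg):
        reasons.append("risky attachment: " + name)
    return reasons

def is_lure(raw):
    """Quarantine rule: a risky attachment plus at least one other lure trait."""
    reasons = lure_reasons(raw)
    return any(r.startswith("risky attachment") for r in reasons) and len(reasons) >= 2

def build_sample(subject, sender, body, attachment=None):
    """Construct a sample message (test data, not a real email)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg.set_content(body)
    if attachment:
        # A few bytes carrying the ZIP local-file-header magic stand in for the archive
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                           subtype="zip", filename=attachment)
    return msg.as_string()

CONTRACT_MAIL = build_sample("Rent contract", "someone@example.net",
    "Dear ladies and gentlemen,\nWe have prepared a contract.", "Contract_01_05_2010.zip")
ITUNES_MAIL = build_sample("Thank you for buying iTunes Gift Certificate!",
    '"iTunes Online Store" <software@itunes.com>',
    "Hello!\nYou have received an iTunes Gift Certificate in the amount of $50.00",
    "iTunes_certificate_997.zip")
BENIGN_MAIL = build_sample("Lunch on Friday?", "colleague@example.com",
    "Hi Graham,\nFancy lunch on Friday?")

if __name__ == "__main__":
    for label, raw in (("contract", CONTRACT_MAIL), ("itunes", ITUNES_MAIL), ("benign", BENIGN_MAIL)):
        print(label, is_lure(raw), lure_reasons(raw))
```

The rule deliberately requires the attachment plus a second trait, so a genuine contract sent with a personal greeting and a ZIP is not quarantined on the extension alone.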
By Graham Cluley, Sophos
The Hacker Door Facebook security scare
May 5, 2010 by admin
Filed under Security News
A warning being sent across Facebook is scaring users into believing that their accounts have been hacked.
Here is a typical example of a warning message:
To all of my friends: COPY & PASTE: New problem found.... Hacker in door in our friends list!....We are now listed as friends of ourselves! You need to delete yourself from your friends list to close the door to hackers. To do this ... Go to Account, go to edit friends, there search for your name on the list and click the X to get your name removed.
The problem with this warning is that it’s complete poppycock, and causing some users to panic that they could have been hacked.

Yes, there is a bug that means that when you search through your Facebook friends list, you show up yourself as one of your friends. And yes, even if you try and “delete” yourself as a friend you’ll pop up again when you refresh the webpage.
But this is not evidence that your account has been compromised, and if you forward this warning to your Facebook friends and acquaintances you are only helping to perpetuate the hoax.
We saw a similar hoax spreading across Facebook earlier this year in what we called the “Automation Labs” security scare.
In summary, the “Hacker Door” scare is not something to worry about, and you should always check your facts before forwarding security warnings like this to your friends and colleagues.
However, there are real security issues on Facebook, as with any other social network. Make sure you read our guidelines for better security and privacy on Facebook.
Oh, and you might want to become a Fan of Sophos on Facebook too!
By Graham Cluley, Sophos
Canadian Pharmacy spammers set up shop on Twitter
April 27, 2010 by admin
Filed under Security News
At the beginning of this month I received an email telling me about someone new who had started following me on Twitter.

Their name was @canadianshop, and it was immediately apparent that they were promoting a Canadian online pharmacy via their account. These kind of websites are frequently promoted in email spam.

Like every other time you receive a new follower on Twitter, the service reminds you that you can report them for spam:
If you believe canadianshop is engaging in abusive behavior on Twitter, you may report canadianshop for spam.
But for once I decided not to. After all, this account was clearly spammy and I was curious to see how long it would take before someone else reported them and their account was suspended.
That was 24 days ago. And despite the @canadianshop account making no attempt to hide who they are – even their background wallpaper uses familiar imagery used in hundreds of thousands of emails to promote medications like Viagra and Cialis – they remain active on Twitter.
At the time of writing the account is following over 2000 people, and has 589 folk following it back.

In addition to its activities on Twitter, the account has also created a number of custom bit.ly links to promote its online stores which redirect to Canadian Pharmacy websites like the one below:

So, let’s hope the account gets shut down soon. I’ve reported it to Twitter now, and also dropped a line to the folks at bit.ly about the links in case they want to take action against those.
As if anyone needed reminding let me say it again – if you buy drugs online you’re not only putting your personal information at risk (remember these guys are prepared to spam and use scummy tactics to promote their sites, they possibly wouldn’t flinch at doing something naughty with your credit card details), but you’re also potentially putting your health in jeopardy.
By Graham Cluley, Sophos
Splunk warns that it exposed users’ passwords
April 24, 2010 by admin
Filed under Security News
Splunk, a utility that allows IT administrators to search and analyse their organisation’s log files, has issued a warning to some of its users that their passwords were exposed by accident.
I wasn’t able to find mention of the incident on Splunk’s website, but a few affected users have Twittered about it, and a Clu-blog reader forwarded me an email from Splunk that tells more of the story:
Recently, some debug code was unintentionally implemented on the production splunk.com website which exposed a small number of passwords in our web server’s error log. The splunk.com team has corrected the issue and has improved their change process to prevent similar issues from occurring in the future.
In an abundance of caution, we have reset all affected users’ passwords and cleared all affected users’ active sessions on splunk.com. Your new temporary password has been emailed to the email address associated with your splunk.com account. We recommend that you change this temporary password as soon as possible using the instructions below.

It’s not clear from the warning sent out by Splunk how long passwords were exposed for, but there’s obviously a concern that if hackers had managed to stumble across the login details they could have tried to use them on other websites where users might use the same password.
In this case that could have been particularly bad for enterprises, as Splunk’s typical users have key roles inside an organisation’s IT infrastructure and may have access to a number of critical systems and sensitive data.
Of course, it’s bad practice to use the same password on different websites – but that doesn’t stop far too many people from doing it.
Splunk’s action of changing affected users’ passwords was probably the right one – rather than waiting for users to do it themselves.
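The root cause Splunk describes, debug code writing request data into the web server’s error log, is easy to reproduce and easy to guard against. The following is an added example, not Splunk’s code: a toy login handler that dumps the submitted form on failure (the leak), run once without and once with a logging filter that redacts credential fields before any record reaches the log file. The handler, field names and sample credentials are all constructed.

```python
"""Secrets in error logs: the failure mode behind the Splunk notice above.
The login handler and sample credentials are constructed for the demonstration."""
import io
import logging
import re

SENSITIVE_KEYS = ("password", "passwd", "token", "secret")

# Matches key=value and 'key': 'value' forms for the sensitive keys, keeping any
# surrounding quotes so the redacted text still parses the way the original did.
_CRED_RE = re.compile(
    r"(?P<key>['\"]?(?:%s)['\"]?\s*[:=]\s*)(?P<q>['\"]?)(?P<val>[^'\",\s}&]+)(?P=q)"
    % "|".join(SENSITIVE_KEYS), re.IGNORECASE)

def redact(text):
    """Replace the value of every credential-like field with a placeholder."""
    return _CRED_RE.sub(r"\g<key>\g<q>[REDACTED]\g<q>", text)

class RedactCredentials(logging.Filter):
    """Logging filter: fold args into the message, then scrub it before emission."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()          # already rendered into record.msg
        return True

def login(form, log):
    """Toy handler. The 'debug code' bug: logging the whole form dict on failure."""
    if form.get("password") != "correct-horse":   # constructed expected value
        log.error("login failed for %s, form was %r", form.get("username"), form)
        return False
    return True

def run_failed_login(redacted):
    """Run one failed login and return exactly what reached the log stream."""
    stream = io.StringIO()
    log = logging.getLogger("splunk-style-%s" % redacted)
    log.propagate = False
    log.handlers = [logging.StreamHandler(stream)]
    log.filters = []
    if redacted:
        log.addFilter(RedactCredentials())
    login({"username": "alice", "password": "S3cretPass!"}, log)
    return stream.getvalue()

if __name__ == "__main__":
    print("without filter:", run_failed_login(False), end="")
    print("with filter:   ", run_failed_login(True), end="")
```

Redacting at the logging layer catches every call site, including the debug line nobody remembered adding, which is why it is a better control than auditing individual log statements.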
By Graham Cluley, Sophos
Scareware hackers exploit McAfee false positive problem
April 23, 2010 by admin
Filed under Security News
Hackers are exploiting a problem with McAfee’s anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves.
The New York Times (and many other news outlets) have reported on the problems businesses suffered after a detection update issued by McAfee yesterday caused its anti-virus product to mistakenly detect a harmless Windows file, svchost.exe, as “W32/Wecorl.a” and caused computers to become inoperable.
To its credit, McAfee is discussing the problem on its online community forum, has apologised, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.
But what might be making McAfee’s job of getting reliable information about the false positive problem out to the masses that much harder is that malicious hackers are exploiting the situation.
By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive.

If you click on a dangerous link like this then you risk the chance of your computer being hit by a fake anti-virus attack (also known as scareware) which may attempt to con you out of your credit card details or trick you into installing malicious code onto your computer.
Sophos detects the malware proactively as Mal/FakeAV-BW.
That’s the last thing you want to happen when you’re searching for advice on how to fix a problem with the other computers in your company.
And it’s not just McAfee’s false alarm problem that these hackers are exploiting. Looking a little deeper at the poisoned domains allows us to view a cache of hundreds of other pages that this gang have created around a wide range of topics.

Be careful out there folks..
* Image source: peasap’s Flickr photostream (Creative Commons)
By Graham Cluley, Sophos