Splunk warns that it exposed users’ passwords
April 24, 2010 by admin
Filed under Security News
Splunk, a utility that allows IT administrators to search and analyse their organisation’s log files, has issued a warning to some of its users that their passwords were exposed by accident.
I wasn’t able to find mention of the incident on Splunk’s website, but a few affected users have Twittered about it, and a Clu-blog reader forwarded me an email from Splunk that tells more of the story:
Recently, some debug code was unintentionally implemented on the production splunk.com website which exposed a small number of passwords in our web server’s error log. The splunk.com team has corrected the issue and has improved their change process to prevent similar issues from occurring in the future.
In an abundance of caution, we have reset all affected users’ passwords and cleared all affected users’ active sessions on splunk.com. Your new temporary password has been emailed to the email address associated with your splunk.com account. We recommend that you change this temporary password as soon as possible using the instructions below.

It’s not clear from the warning sent out by Splunk how long passwords were exposed for, but there’s obviously a concern that if hackers had managed to stumble across the login details they could have tried to use them on other websites where users might use the same password.
In this case that could have been particularly bad for enterprises, as Splunk’s typical users have key roles inside an organisation’s IT infrastructure and may have access to a number of critical systems and sensitive data.
Of course, it’s bad practice to use the same password on different websites – but that doesn’t stop far too many people from doing it.
Splunk’s action of changing affected users’ passwords was probably the right one – rather than waiting for users to do it themselves.
By Graham Cluley, Sophos
“Please attention!” fake DHL delivery emails contain malware
April 21, 2010 by admin
Filed under Security News
It’s another day, which means (almost inevitably) there’s another malicious email campaign carrying a fake anti-virus attack.
Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services.

A typical email, which has the subject line “Please attention!”, reads as follows:
Dear customer!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.You may pickup the parcel at our post office personaly.
Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
DHL Delivery Services.
Attached to the email is a file called label.zip, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it’s possible that some unwary users might fall into the hacker’s trap, and open the malicious attachment.
We are seeing many reports of this attack in our global network of traps right now.

If you receive one of these emails, don’t open the attached file as you could be putting your computer at risk of infection and allowing hackers to compromise your PC.
By Graham Cluley, Sophos
The FarmVille ‘Three Spring Eggs’ virus is a hoax
March 29, 2010 by admin
Filed under Security News
Panic is spreading quickly amongst FarmVille’s many online players following internet reports of a virus connected with sharing three eggs.
The Facebook farming simulation game, which is a huge hit on Facebook with over 80 million regular players, is currently being dogged with false reports that a virus is spreading via links which offer gamers the ability to send three eggs at once.
A typical warning being spread by concerned FarmVille players reads as follows:
RED ALERT!!! Norton has just informed me that the post for Send the 3 spring Eggs at a time is a virus, Rawand Bradosty is a HACKER from Pakistan, do not click on this post it is not legitimate, please copy and repost immediately.
The truth, however, is that we have not seen any virus being distributed in this manner and Rawand Bradosty appears to be having his name tarnished without justification. In fact, it could be argued that the warning is causing much more disruption and time-wasting than a genuine virus outbreak would ever have done!

Of course, you should always be careful about clicking on unsolicited links as they could lead you to a page containing malicious content or a site designed to phish credentials from you. And you should ensure that you have up-to-date security on your computer, checking every link that you click on. But in this case, the scare has got out of hand and is proving to be a hoax that is hard to stamp out.
Do your bit – don’t forward virus alerts to your friends and family until you have confirmed that the alert is real with a reputable security company. Otherwise, you could be just helping to keep a hoax alive.
Don’t forget, if you’re on Facebook you may want to become a Fan of Sophos on Facebook to help stay up-to-date with the latest security news.
By Graham Cluley, Sophos
New password-stealing virus targets Facebook
March 18, 2010 by admin
Filed under Security News
Hackers have flooded the Internet with virus-tainted spam that targets Facebook’s estimated 400 million users in an effort to steal banking passwords and gather other sensitive information.
The emails tell recipients that the passwords on their Facebook accounts have been reset, urging them to click on an attachment to obtain new login credentials, according to anti-virus software maker McAfee Inc.
If the attachment is opened, it downloads several types of malicious software, including a program that steals passwords, McAfee said on Wednesday.
Hackers have long targeted Facebook users, sending them tainted messages via the social networking company’s own internal email system. With this new attack, they are using regular Internet email to spread their malicious software.
A Facebook spokesman said the company could not comment on the specific case, but pointed to a status update the company posted on its web site earlier on Wednesday warning users about the spoofed email and advising users to delete the email and to warn their friends.
McAfee estimates that hackers have sent out tens of millions of spam messages across Europe, the United States and Asia since the campaign began on Tuesday.
Dave Marcus, McAfee’s director of malware research and communications, said that he expects the hackers will succeed in infecting millions of computers.
“With Facebook as your lure, you potentially have 400 million people that can click on the attachment. If you get 10 percent success, that’s 40 million,” he said.
The email’s subject line says “Facebook password reset confirmation customer support,” according to Marcus.
(Additional reporting by Alexei Oreskovic; Editing by Bernard Orr)
Source : uk.news.yahoo.com
Hackers exploit Oscar film awards to spread scareware
March 9, 2010 by admin
Filed under Security News
Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It probably shouldn’t be any surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly – that hackers would try and exploit the event.
Internet users searching for phrases like “Oscars 2010 winners” may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.
By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.
Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and hand over your credit card details.

As Fraser Howard recently described on the SophosLabs blog, victims arriving from a search engine are redirected a number of times before being taken to a webpage hosting a malicious script.
Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.
Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.
By Graham Cluley, Sophos
Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)
February 24, 2010 by admin
Filed under Security Channel
Twitter users are being warned about a widespread phishing attack spreading across the system, designed to steal the usernames and passwords of unsuspecting members.
Messages include
Lol. this is me??
lol , this is funny.
Lol. this you??
followed by a link in the form of
http://example.com/?rid=http://twitter.verify.bzpharma.net/login
where ‘example.com’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to bzpharma.net at the very least.
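The nested-redirect link shape above can be checked mechanically. The following is an added example, not code from the original post or from Sophos: it flags messages whose links, or any URL hidden inside their query string, resolve to the bzpharma.net domain named in the post. The sample messages are constructed for illustration.

```python
"""Flag messages carrying links that redirect to a known phishing domain.

Added example (not from the original post). Assumes the link shape
http://<anything>/?rid=http://twitter.verify.bzpharma.net/login quoted
above; the parameter name is treated as untrusted, so every query value
that parses as an absolute URL is examined, at any nesting depth.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Domain the post names as hosting the fake Twitter login page.
PHISHING_DOMAINS = {"bzpharma.net"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def redirect_targets(url: str):
    """Yield every absolute URL found in the query string of `url`,
    recursing into each one so doubly nested redirects are also seen.
    parse_qsl percent-decodes values, so encoded targets are handled."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            yield value
            yield from redirect_targets(value)


def is_phishing_link(url: str) -> bool:
    """True if the link itself, or any redirect target nested in it,
    points at a known phishing domain."""
    candidates = [url, *redirect_targets(url)]
    return any(host_matches(urlsplit(c).hostname or "", PHISHING_DOMAINS)
               for c in candidates)


def flag_messages(messages):
    """Return the messages that contain at least one phishing link."""
    return [m for m in messages
            if any(is_phishing_link(u) for u in URL_RE.findall(m))]


# Constructed sample: two lures in the post's format, one benign message.
SAMPLE_MESSAGES = [
    "Lol. this is me?? http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
    "lol , this is funny. http://short.example/?rid=http%3A%2F%2Ftwitter.verify.bzpharma.net%2Flogin",
    "Meeting moved to 3pm, see http://calendar.example.org/?next=http://intranet.example.org/room",
]

if __name__ == "__main__":
    for hit in flag_messages(SAMPLE_MESSAGES):
        print("PHISHING:", hit)
```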
Watch this YouTube video for more details:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.
It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.
As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!
Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.

The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.
Interestingly, the bzpharma.net site doesn’t just appear to have been set up for Twitter phishing. It appears to also have been created for stealing the online identities of the Bebo social networking site too:

If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.
We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.
Update: The phishing campaign appears to be bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts. Learn more now.
By Graham Cluley, Sophos
Critical security update for Adobe Reader and Acrobat
February 19, 2010 by admin
Filed under Security News
Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.
Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.
Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.
As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.
Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory makes such a bad job of linking to the right files.
For instance, the link it is giving for the Mac update actually links to a page full of Windows files:

Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.
By Graham Cluley, Sophos
Facebook unnamed app: Hackers poison search results
January 27, 2010 by admin
Filed under Security News
Thanks to Clu-blog reader Jamie for contacting me regarding a scare that is currently spreading between Facebook users.
Users of the social-networking site are warning each other of what is rumoured to be a rogue application, spying on their activities on Facebook. Users are told in the warning that they can find the “Unnamed app” by going to “Settings”/”Application Settings” and then choosing “Add to Profile” from the drop-down box.
Here’s a typical example of the message that is being passed around:
ALERT >>>>> Has your facebook been running slow lately? Go to "Settings" and select "application settings", change the dropdown box to "added to profile". If you see one in there called "un named app" delete it... Its an internal spybot. Pass it on. about a minute ago...i checked and it was on mine.
Sure enough, when I went to look on a Facebook account I found an “Unnamed app”:

However, I’m not seeing any evidence that the application is malicious. Indeed, it seems to me that the only sin it may have committed might be to have been given a daft unhelpful name. According to Facebook itself, it appears to be a buggy presentation of the boxes tab that appears on users’ Facebook profiles.
Of course, news of the “dangerous” app is spreading more quickly than the sensible advice for everyone to calm down and have a nice cup of tea. And, as a result, many people are searching the internet trying to find clues about the Facebook application.

It is at this point that the malicious hackers enter the story.
Just as they have done with other Facebook scares (like the Facebook Fan Check Virus scare and the Error Check System application), hackers have created webpages stuffed with keywords related to the “Unnamed” (sometimes “Un named”) app.
This and other search engine optimisation (SEO) techniques have helped hackers push their webpages into the upper reaches of search results.
And if you happen to stumble across one of these malicious sites after searching for information about the “Facebook Unnamed app” you might find yourself infected by fake anti-virus software, designed to trick you out of your hard-earned cash.
Sophos detects the malware seen on these infected webpages as Mal/FakeVirPk-A.
By Graham Cluley, Sophos
Danger! Internet Explorer zero-day vulnerability – no patch yet
January 16, 2010 by admin
Filed under Security News

Microsoft has released a security advisory about a previously unknown vulnerability in versions of Internet Explorer. There is currently no patch for the vulnerability which is being blamed, in part, for the high-profile attacks against Google, Adobe and other companies.
Microsoft has published some mitigation advice and workarounds which can reportedly help block attack vectors, but at the time of writing there is no official patch available.
There has been much speculation in the computer security industry (including some from myself!) that an Adobe PDF vulnerability could have been the route through which hackers delivered malware into Google and Adobe’s systems. Certainly we have seen a significant rise in the last year of targeted attacks exploiting vulnerabilities in Adobe’s code.
But researchers close to the Google/Adobe hacking investigation say that they have found no evidence so far of the attack exploiting Adobe’s software in this way. Indeed, a statement posted yesterday on Adobe’s blog confirms this.
So, right now, Microsoft Internet Explorer is being looked at with suspicion. And as the world’s most popular internet browser it’s obviously a serious cause for concern that an unpatched vulnerability that allows remote code execution exists that is being actively exploited by cybercriminals.
System administrators and computer owners around the world will be holding their breath that an official patch from Microsoft arrives sooner rather than later. In the meantime, Microsoft is recommending that Internet Explorer users use Data Execution Prevention (DEP) – a technology that is enabled by default in newer versions of Internet Explorer but needs to be turned on manually in earlier versions.
By Graham Cluley, Sophos
Twitter compromised, DNS hijacking to blame
December 18, 2009 by admin
Filed under Security News
A couple of hours ago, the Twitter web site appeared to be defaced by someone calling themselves the “Iranian Cyber Army”. The situation has been fixed and, as it turned out, the hack was a result of DNS hijacking.

Initial message from the official Twitter account:
Twitter’s DNS records were temporarily compromised but have now been fixed. We will update with more information soon.
Twitter’s blog post that followed:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
Source : www.net-security.org