Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)

February 24, 2010 by admin  
Filed under Security Channel

Twitter users are being warned about a widespread phishing attack spreading across the system, designed to steal the usernames and passwords of unsuspecting members.


Messages include

Lol. this is me??
lol , this is funny.
Lol. this you??

followed by a link in the form of

http://example.com/?rid=http://twitter.verify.bzpharma.net/login

where ‘example.com’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to bzpharma.net at the very least.
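The link shape quoted above, a harmless-looking redirector whose query string carries the real phishing URL, is easy to screen for automatically. The following is an added example (not code from the Sophos post) that pulls embedded URLs out of query parameters and flags both the bzpharma.net domain named in the post and the "twitter" label being used as a subdomain of some other registered domain; the blocklist and brand list are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed blocklist for this example; bzpharma.net is the domain named in the post.
BLOCKED_DOMAINS = {"bzpharma.net"}
# Brand names that are suspicious when they appear as a subdomain of an unrelated domain.
IMPERSONATED_BRANDS = {"twitter", "bebo"}


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (ignores multi-part TLDs like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def embedded_urls(url):
    """Return URLs carried in query-string values, e.g. the ?rid=http://... redirector form."""
    found = []
    query = urlsplit(url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)  # tolerate a second layer of percent-encoding
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def classify(url):
    """Return the reasons a URL matches the phishing pattern described above (empty list = none)."""
    reasons = []
    for link in [url] + embedded_urls(url):
        host = urlsplit(link).hostname or ""
        reg = registered_domain(host)
        if reg in BLOCKED_DOMAINS:
            reasons.append(f"blocked domain {reg} in {link}")
        subdomain_labels = host.lower().split(".")[:-2]
        for brand in IMPERSONATED_BRANDS:
            # twitter.verify.bzpharma.net: brand label sits under a domain that is not the brand's own
            if brand in subdomain_labels and brand not in reg:
                reasons.append(f"'{brand}' used as subdomain of {reg} in {link}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the URL form quoted in the post.
    for reason in classify("http://example.com/?rid=http://twitter.verify.bzpharma.net/login"):
        print(reason)
```

The registered-domain helper is deliberately naive; a production filter would use the Public Suffix List so that hosts such as twitter.co.uk are not mis-grouped.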


Watch this YouTube video for more details:


Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.


It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.


As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!


Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.


Twitter phishing website on bzpharma.net

The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.


Interestingly, the bzpharma.net site doesn’t just appear to have been set up for Twitter phishing. It appears to also have been created for stealing the online identities of the Bebo social networking site too:


Bebo phishing page on bzpharma.net

If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.


We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.


Update: The phishing campaign appears to be bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts. Learn more now.


By Graham Cluley, Sophos


Malware attack spammed out disguised as email settings file

February 24, 2010 by admin  
Filed under Security News

Sophos is intercepting a large number of malicious emails that have been spammed out around the world, posing as new settings files for internet users’ email systems. However, attached to the emails is a Trojan horse.


Each email is carefully disguised in an attempt to lure the recipient into believing they are genuine. For instance, they use the recipient’s email address in the subject line and pretend to come from the support team at the recipient’s email domain:

The email contains a malicious attachment

A typical malicious email reads as follows (I’m assuming the user’s email address is username@example.com below):

Subject: A new settings file for the username@example.com has just be released

Attached file: settings.zip

Message body:
Dear use of the example.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox username@example.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, example.com Technical Support.

Although the hackers behind this attack have clearly put a little thought into how they might infect as many people as possible, they have made some grammatical mistakes which may tip off potential victims that the emails are not genuine.

For instance, the subject line of

A new settings file for the username@example.com has just be released

is very clumsy.


Attached to each email is a file called settings.zip, which contains a copy of the Troj/Bredo-BE Trojan horse.


Stay on your guard against attacks arriving via email. Although we see many web-based attacks these days, the rumours of the death of email-based malware are greatly exaggerated.


By Graham Cluley, Sophos


Critical security update for Adobe Reader and Acrobat

February 19, 2010 by admin  
Filed under Security News

Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.


Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.


Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.


As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.


Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory makes such a bad job of linking to the right files.


For instance, the link it is giving for the Mac update actually links to a page full of Windows files:

A not entirely helpful link for Mac users


Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.


By Graham Cluley, Sophos


Fake Conflicker.B Infection Alert puts internet users at risk

February 19, 2010 by admin  
Filed under Security News

The global network of spamtraps controlled by the experts inside SophosLabs is seeing a swarm of attacks today, posing as an email warning about the Conficker worm.


Here is a typical message that has been spammed out by hackers:

Malicious email posing as a warning about the Conficker worm

Subject: Conflicker.B Infection Alert
Attached file: open.zip


Message body:


Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.
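Both this lure and the "settings.zip" one in the post above share the same build: a zip attachment, a sender that poses as the recipient's own provider or a well-known vendor, and, in the settings case, the recipient's own address echoed in the subject line. The following is an added example (not code from the Sophos posts) that scores an inbound message against those three traits using Python's standard email library; the sample messages are constructed here and modelled on the wording quoted in the two posts, and the sender addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr


def build_message(sender, recipient, subject, body, attachment_name=None):
    """Construct a sample message as raw bytes (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes standing in for the zip payload; no real archive is built.
        msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def lure_indicators(raw_bytes):
    """Return the list of lure traits this message exhibits; an empty list means none matched."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    subject = str(msg.get("Subject", "")).lower()
    hits = []
    # 1. Archive attachment: both lures deliver the Trojan inside a .zip.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            hits.append(f"zip attachment {name}")
    # 2. Sender claims the recipient's own domain ("support team at the recipient's email domain").
    if sender and recipient and sender.split("@")[-1] == recipient.split("@")[-1]:
        hits.append("sender domain matches recipient domain")
    # 3. Recipient's own address is echoed in the subject line.
    if recipient and recipient in subject:
        hits.append("recipient address in subject")
    return hits


if __name__ == "__main__":
    sample = build_message("support@example.com", "username@example.com",
                           "A new settings file for the username@example.com has just be released",
                           "Dear use of the example.com mailing service!", "settings.zip")
    print(lure_indicators(sample))
```

Trait 2 on its own also matches ordinary internal mail, so treat these as scoring features for a filter rather than a verdict, and remember that sender addresses are trivially forged unless SPF/DKIM checks back them up.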


The wording is nearly identical to a similar attack I blogged about last October.


What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!


I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

Examples of the malware caught in Sophos's traps


By Graham Cluley, Sophos


Apply the Critical Security Updates for Internet Explorer Vulnerabilities (MS10-002 – Critical)

January 29, 2010 by admin  
Filed under Protection Tools

This cumulative security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This security update is rated Critical for all supported releases of Internet Explorer.


Executive Summary

This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate.


The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.


This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.


Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.


For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.


[ Download MS10-002 ]


Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

January 27, 2010 by admin  
Filed under Security News

On Thursday there were sighs of relief from all corners as Microsoft released a security patch for a vulnerability that had been exploited by hackers.


The patch fixed a critical zero-day vulnerability in versions of Internet Explorer that would have meant visiting a boobytrapped webpage could have infected your computer, opening a backdoor for remote hackers.


Nasty stuff, especially as it was being alleged that the security hole had been exploited by Chinese hackers who broke into the likes of Google and Adobe in an attack dubbed “Operation Aurora”.


Interestingly, details are now emerging that Microsoft was first told about the security hole early last September – a full four months before it hit the world’s headlines.


According to reports, Microsoft was informed about the security problem with its software (and the potential for hackers to take advantage of it) by security researcher Meron Sellem, and the company planned to roll out a fix in a cumulative update for Internet Explorer scheduled for next month.


Now, if you were one of the high-tech, financial or military targets that are said to have been struck by the Chinese hackers you might be feeling a little bit miffed that Microsoft didn’t roll out its patch for this critical vulnerability sooner.


For their part, Microsoft may well feel that, as the flaw primarily affected Internet Explorer 6, such organisations should already have updated to a more secure version of their browser (such as version 8.0).


Is four months too long a time to fix a security hole of this severity? I’m not sure. One thing we have to bear in mind is that it can be very complicated developing and then testing a security patch to ensure that it works in all environments with multiple different versions of the software being patched.


I would rather a patch worked than was rushed out and caused more problems than the bug it was trying to solve.


The thing we should all be grateful for is that there is now a patch for Internet Explorer, meaning there really is no excuse for any company to be breached via this particular security hole again.


But if Microsoft knew about this critical security vulnerability four months ago, I wonder how many other security holes there are that they secretly know about, but we don’t have a clue about yet.


Oh, and don’t forget, there’s nothing to suggest that the hackers only exploited this Internet Explorer flaw. Chances are that they took advantage of a whole bunch of different weaknesses in different products, as well as some social engineering tricks, to break into computers inside the affected companies.


By Graham Cluley, Sophos


Danger! Internet Explorer zero-day vulnerability – no patch yet

January 16, 2010 by admin  
Filed under Security News

Microsoft has released a security advisory about a previously unknown vulnerability in versions of Internet Explorer. There is currently no patch for the vulnerability which is being blamed, in part, for the high-profile attacks against Google, Adobe and other companies.


Microsoft has published some mitigation advice and workarounds which can reportedly help block attack vectors, but at the time of writing there is no official patch available.


There has been much speculation in the computer security industry (including some from myself!) that an Adobe PDF vulnerability could have been the route through which hackers delivered malware into Google and Adobe’s systems. Certainly we have seen a significant rise in the last year of targeted attacks exploiting vulnerabilities in Adobe’s code.


But researchers close to the Google/Adobe hacking investigation say that they have found no evidence so far of the attack exploiting Adobe’s software in this way. Indeed, a statement posted yesterday on Adobe’s blog confirms this.


So, right now, Microsoft Internet Explorer is being looked at with suspicion. And as the world’s most popular internet browser it’s obviously a serious cause for concern that an unpatched vulnerability that allows remote code execution exists that is being actively exploited by cybercriminals.


System administrators and computer owners around the world will be holding their breath that an official patch from Microsoft arrives sooner rather than later. In the meantime, Microsoft is recommending that Internet Explorer users use Data Execution Prevention (DEP), a technology that is enabled by default in the current version of Internet Explorer but needs to be turned on manually in earlier versions.


By Graham Cluley, Sophos


Baidu, China’s largest search engine, defaced by Iranian Cyber Army

January 12, 2010 by admin  
Filed under Security News

Hot on the heels of last month’s attack on Twitter, the so-called “Iranian Cyber Army” appears to have defaced another high profile website.


Baidu, formed in 2000, is China’s number one search engine, dominating the home market for online searches – partly because it had a six-year head start over Google. As a result of its huge popularity, it’s no wonder that from time to time hackers might try to take advantage of the site, just as top websites can be in the frame for attack in the West.


Earlier today, visitors to Baidu.com’s home page were met with a message – “This site has been hacked by Iranian Cyber Army” – alongside what I presume to be Farsi, and a picture of the national flag of Iran:

Baidu website defacement

It’s not presently clear whether Baidu’s site itself was compromised or, as in the case with the Twitter attack, its DNS records. If the website’s DNS records were breached then the hackers would have been able to redirect users who typed www.baidu.com into their browser to a webserver under their control.


Within two hours the Baidu website appeared to be returning to normal operation, and as far as we can tell the motive for the attack was political rather than financial. However, imagine how easy it might have been for the hackers to have created a cloned version of the main Baidu webpage complete with a silent invisible-to-the-naked-eye link to a software exploit or piece of malware.


Attacks like this are a reminder to everyone that you always need to have security scanning every webpage you visit, even if it’s an established legitimate website.

By Graham Cluley, Sophos


Exclusive Offer – FREE RVS 2010 Home Lux for 1 year By ( Softpedia )

December 24, 2009 by admin  
Filed under Protection Tools

Full Version for Softpedia users only

You will save – US $39.95
Offer expires December 31, 2009


Please visit this page and fill in your email address in the field below. Upon confirmation of your email validity, you will receive RVS 2010 Home Lux 1 year license directly in your email.


Twitter compromised, DNS hijacking to blame

December 18, 2009 by admin  
Filed under Security News

A couple of hours ago, the Twitter web site appeared to be defaced by someone calling themselves the “Iranian Cyber Army”. The situation was fixed and, as it turned out, the hack was the result of DNS hijacking.



Initial message from the official Twitter account:

Twitter’s DNS records were temporarily compromised but have now been fixed. We will update with more information soon.


Twitter’s blog post that followed:

As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.


Source : www.net-security.org
