Bogus Windows License Spam is in the Wild

October 26, 2012 by  
Filed under Security News

For everyone’s information:

Below is a screenshot of a new spam run in the wild, and the sender (whoever he, she, or it is) presents to recipients a very suspicious but very free license for Microsoft Windows that they can download.

Sounds too good to be true? It probably is.


From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:

You can download your Microsoft Windows License here –

Microsoft Corporation

Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.
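The giveaway in this run is the mismatch between what the link text claims ("Microsoft Corporation") and where the underlying href actually points (third-party hosts on a non-standard port). The following is an added example, not code from the original post or from GFI: it pulls every anchor out of an HTML mail body and flags those whose target domain does not match the sender's domain, whose visible text names a brand that does not own the target, or that use a non-standard port. The sample message, the placeholder host `example-spam-host.invalid` and the `BRAND_DOMAINS` table are constructed assumptions.

```python
"""Flag anchors in an HTML mail body whose target does not match what the
visible text or sender claims.  Added illustration; not the article's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam described above; the host is a
# placeholder, not the real .ru site named in the article.
SAMPLE_HTML = """<p>You can download your Microsoft Windows License here -
<a href="http://example-spam-host.invalid:8080/forums/page2.htm">Microsoft Corporation</a></p>"""

# Brands and the registrable domains they legitimately link to (assumption;
# a real deployment would use a maintained list).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com", "icloud.com"},
}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Crude last-two-labels domain; enough for the comparison made here."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_anchors(html, sender_domain):
    """Return a list of findings, one per anchor that trips at least one check."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        dom = registrable_domain(href)
        port = urlparse(href).port
        reasons = []
        if dom and dom != sender_domain.lower():
            reasons.append(f"link domain {dom} differs from sender domain {sender_domain}")
        for brand, owned in BRAND_DOMAINS.items():
            if brand in text.lower() and dom not in owned:
                reasons.append(f"link text names {brand} but target is {dom}")
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_anchors(SAMPLE_HTML, "randomsender.example"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the single anchor is reported with all three reasons; a genuine link such as `https://www.microsoft.com/...` from a `microsoft.com` sender produces no finding.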



This spam is a launchpad for a BlackholeCridex attack on user systems.

This method is likewise being used by the most recent campaign of the “Copies of Policies” spam, also in the wild.

Our AV Labs researchers have documented their findings in detail regarding these spam runs on our GFI Software Tumblr page. Please visit

Stay safe!


By Jovi Umawing @

Welcome to Apple iCloud phishing attacks

August 27, 2011 by  
Filed under Security News

When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.


The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.


Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).


Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.


iCloud phishing email


Welcome to iCLOUD

Message body:

Important information for MobileMe members.

Dear MobileMe member,

Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.

Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.

Click here to update iCLOUD


The Apple store Team


If you make the decision to click on the link in the email, however, you are not taken to an official Apple website – but instead a third-party site that is trying hard to present itself in an Apple style.


Phishing website


Yes, it’s a phishing website.


And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.


Crumbs! Imagine the harm a fraudster could cause with all that information.


Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.


By Graham Cluley @

‘May God always bless..’ Facebook virus hoax spreads

August 27, 2011 by  
Filed under Security News

Facebook users are sending scary warnings to each other regarding a supposed new piece of malware spreading across the social network.


May God always bless this kind person below with peace, love and happiness


Attention!!!If you see anyone post out an application written "May God always bless this kind person below with peace, love and happiness", with your profile picture attached below, and send by your friend via Bold Text. Please DONT click "like" or "SHARE", is a spyware, and all your info at FB will be copy and reuse for other purpose. Please share this info out. Thanks......;)


The warnings are being spread rapidly by well-intentioned Facebook users, but the truth is that we have seen no evidence of any such spyware.


Our friends at Facecrooks believe they have got to the bottom of the mystery.


They have determined that rather than a genuine virus, the warning was kicked off by a Facebook application called Bold Text making over-exuberant, if not downright spammy, wall postings.


Bold text application. Picture by Facecrooks


Over one million people are reported to have used the application, so clearly its self-promoting tactics are working.


If you see one of your friends reposting the warning about the ‘May God always bless..’ message then please tell them that it isn’t true that it’s a virus, and point them to this article or the information on Facecrooks.


And if you installed the Bold Text application, and aren’t enjoying the messages it is posting, you should revoke its access to your Facebook account.


It’s not the first time, of course, that Facebook users have been misled about the full facts by virus hoaxes. Most recently we have seen a bogus warning message about an Olympic Torch virus that could “burn the whole hard disc.. C of your computer”.


Make sure that you stay informed about the latest genuine scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 100,000 people regularly share information on threats and discuss the latest security news.


By Graham Cluley @


WARNING – Facebook Dislike button spreads fast, but is a fake – watch out!

May 16, 2011 by  
Filed under Security News

Don’t be too quick to click on links claiming to “Enable Dislike Button” on Facebook, as a fast-spreading scam has caused problems for social networking users this weekend.


Messages claiming to offer the opposite to a like button have been appearing on many Facebook users’ walls:

Dislike button on Facebook

Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!


Like the “Preventing Spam / Verify my account” scam which went before it, the scammers have managed to waltz past Facebook‘s security to replace the standard “Share” option with a link labelled “Enable Dislike Button”.

The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.


Clicking on the link, however, will not only forward the fake message about the so-called “Fakebook Dislike button” to all of your online friends by posting it to your profile, but also run obfuscated JavaScript on your computer.


The potential for malice should be obvious.


As we’ve explained before, there is no official dislike button provided by Facebook and there isn’t ever likely to be. But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.


Here’s another example that is spreading, attempting to trick you into pasting JavaScript into your browser’s address bar, before leading you to a survey scam:

Offer of Dislike button leads you into posting script into your browser's address bar


If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

By Graham Cluley @

WARNING: Dad catches daughters on webcam – spreading fast on Facebook

May 14, 2011 by  
Filed under Security News

Facebook is being hit by another viral message, spreading between users’ walls disguised as a link to a saucy video.


The messages, which are spreading rapidly, use a variety of different links but all claim to be a movie of a dad catching his daughters making a video on their webcam:


Dad catches daughters on webcam message

two naughty girls get caught in the WORST moment while making a vid on their webcam! omg!!


The messages also tag some of the victims’ Facebook friends, presumably in an attempt to spread the links more quickly across the social network.


If you make the mistake of clicking on the link you are taken to a webpage which shows a video thumbnail of two scantily clad young women on a bed. The page urges you to play the video, however doing so will post the Facebook message on your own wall as a “Like” and pass it to your friends.


Unfortunately, the new security improvements announced by Facebook this week fail to give any protection or warning about the attack.


Dad catches daughters on webcam message


When I tested the scam I was presented with a (fake) message telling me that my Adobe Flash plugin had crashed and I needed to download a codec.


Dad catches daughters on webcam message

Users should remember that they should only ever download updates to Adobe Flash from Adobe’s own website – not from anywhere else on the internet as you could be tricked into installing malware.


Ultimately, you may find your browser has been redirected to a webpage promoting a tool for changing your Facebook layout, called Profile Stylez and – on Windows at least – may find you have been prompted to install a program called FreeCodec.exe which really installs the Profile Stylez browser extension.





It’s certainly disappointing to see Facebook’s new security features fail at the first major outbreak – clearly there’s much more work which needs to be done to prevent these sorts of messages spreading rapidly across the social network, tricking users into clicking on links which could be designed to cause harm.


If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.


By Graham Cluley @

Verify My Account Spam Runs Rampant On Facebook

May 12, 2011 by  
Filed under Security News

In the past hour a new application has begun spreading on Facebook which has found an exploit in the existing sharing system. Whatever you do, don’t click the link described below.

The system is pretty straightforward. It suggests that you click “VERIFY MY ACCOUNT” within a link which ultimately results in the user posting the same message to all their friends’ walls. The message typically resembles the following one:

In order to PREVENT SPAM, I ask that you VERIFY YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to start the process…


The result is that thousands of users have seen the message spreading to their profiles in the past hour or so. Our guess is that this message could reach hundreds of thousands of users before it’s shut down (unless Facebook’s security team is up right now). The bottom line is this: don’t click any of the links resembling the ones pictured below. Have you seen this spreading on your profile?




Before Investing in an Anti-spam Filter Know What to Look For

May 12, 2011 by  
Filed under Security News



With a high percentage of emails directed at your inbox being spam, a good anti-spam filter is an absolutely vital piece of your email infrastructure. Knowing what to look for can help make the difference between a well-tuned email system, and a crawling mess of spam messages using up storage space and wasting users’ time. Before you go out and install the first anti-spam filter you find, here are some of the key things to consider.


Cloud-based or on-premise

There are hosted anti-spam filtering solutions that offer greater economies of scale, making them more affordable than in-house solutions. These can combine anti-spam with anti-malware, and filter out spam and other nasty stuff before it uses up your bandwidth or impacts your server’s storage and performance. The only downsides are that they represent a subscription service with monthly costs, and as an outsourced solution, some admins miss having the on-site control.


On-premise solutions are purchased (though they may have monthly or annual subscription costs for updates) so they can be capitalized, and by being in-house, the admins can have total control whenever they want.


Choose the solution that works best with your administrative style and costing strategy. If you choose an on-premise solution, make sure you select one that is server based, not client based. The administrative overhead of managing a server at your edge is much lower than trying to administer an agent installed on every client, and the licensing costs will likely be far less as well. Centralizing the anti-spam filter will make it easier to maintain, and will prevent spam messages from taking up space in users’ inboxes and on your mailbox servers.


Spam detection methods

There are a variety of ways to detect and block spam. No single way is fully effective; you need a product that combines methods for a defense-in-depth approach. Bayesian filtering is a very effective way to detect spam, but it must be ‘trained’ to your environment. Whitelists need to be in place to minimize false positives that could block critical business communications. Keyword lists should also be an option for companies whose business might include words that others would consider spam. Other approaches include SMTP header analysis, blacklists, using SPF records to reduce spoofing, and reputation services. By combining the analysis of these multiple methods you ensure the maximum effectiveness of your anti-spam filter, while minimizing false positives.
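To make the defence-in-depth idea concrete, here is an added toy scorer (not code from the article or from any GFI product) that combines several of the methods just listed: a sender whitelist and blacklist, a keyword list, a simple SMTP header sanity check, and a naive Bayes classifier of the kind behind Bayesian filtering. The training corpus, the two sample messages, the domains `partner.example` and `spam.invalid`, the weights and the quarantine threshold are all constructed assumptions; a real filter is trained on the organisation's own mail and tuned against its own false-positive rate.

```python
"""Toy defence-in-depth spam scorer.  Added example, not the article's code;
corpus, weights and thresholds are assumptions for illustration only."""
import math
import re
from collections import Counter
from email import message_from_string

# Constructed training corpus: (text, is_spam).  Deliberately tiny.
TRAIN = [
    ("download your free windows license here now", True),
    ("verify your account to prevent spam click here", True),
    ("free prize claim now limited offer click", True),
    ("meeting notes attached for the quarterly review", False),
    ("please review the contract draft before thursday", False),
    ("lunch on friday with the project team", False),
]
WHITELIST = {"partner.example"}          # trusted sender domains (assumed)
BLACKLIST = {"spam.invalid"}             # known-bad sender domains (assumed)
KEYWORDS = ("free", "verify your account", "click here")
QUARANTINE_THRESHOLD = 5.0


def tokens(text):
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Bernoulli naive Bayes over word presence with Laplace smoothing."""

    def __init__(self, corpus):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0
        for text, is_spam in corpus:
            (self.spam if is_spam else self.ham).update(set(tokens(text)))
            if is_spam:
                self.n_spam += 1
            else:
                self.n_ham += 1

    def spam_probability(self, text):
        # Accumulate log-odds over tokens seen in training; unknown words are
        # ignored rather than guessed at.
        log_odds = math.log(self.n_spam / self.n_ham)
        vocab = set(self.spam) | set(self.ham)
        for tok in set(tokens(text)) & vocab:
            p_s = (self.spam[tok] + 1) / (self.n_spam + 2)
            p_h = (self.ham[tok] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_s / p_h)
        return 1.0 / (1.0 + math.exp(-log_odds))


MODEL = NaiveBayes(TRAIN)


def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def score(raw):
    """Return (total score, reasons).  Whitelisted senders short-circuit to 0."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    body = msg.get_payload()
    if dom in WHITELIST:
        return 0.0, ["sender whitelisted"]
    total, reasons = 0.0, []
    if dom in BLACKLIST:
        total += 5.0
        reasons.append("sender blacklisted")
    hits = [k for k in KEYWORDS if k in body.lower()]
    if hits:
        total += 1.5 * len(hits)
        reasons.append(f"keywords: {hits}")
    if not msg.get("Message-ID"):          # basic header analysis
        total += 1.0
        reasons.append("missing Message-ID header")
    p = MODEL.spam_probability(body)
    if p > 0.9:
        total += 3.0
        reasons.append(f"bayes p(spam)={p:.2f}")
    return total, reasons


def is_spam(raw):
    return score(raw)[0] >= QUARANTINE_THRESHOLD


# Constructed sample messages, modelled loosely on the spam runs above.
SPAM_MSG = """From: random@spam.invalid
Subject: Re: Fwd: Order N 12345
Content-Type: text/plain

You can download your Microsoft Windows License here - click here
"""
HAM_MSG = """From: alice@partner.example
Subject: Meeting notes
Message-ID: <1@partner.example>
Content-Type: text/plain

Please find the meeting notes attached for the project review.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        print(name, is_spam(raw), score(raw))
```

No single check decides the outcome: the blacklist alone would quarantine the constructed spam, but even without it the keyword, header and Bayesian signals together cross the threshold, while the whitelist guarantees the partner's message is never held. That is the point of combining methods rather than relying on one.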


User self-service

Whitelisting business partners and customers, and checking the quarantine folder for blocked messages, can both become major tasks for the helpdesk. Look for anti-spam filter solutions that offer user self-service, both for adding senders to the whitelist, and for enabling users to release quarantined messages themselves, or by delivering spam to the user’s junk mail folder.



Today’s management is all about the metrics. Look for an anti-spam filter that includes robust reporting and that includes the ability to use this information in dashboards or for computing SLAs. Spam is one of those problems that no one notices as long as your anti-spam filter is doing a good job, but that becomes a major issue if a spam message slips through.



Remember, whether cloud-based or on-premise, a good anti-spam filter offers you defense in depth, economical licensing, reduces the administrative overhead, and supports users for routine tasks.


This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI email archiving.

All product and company names herein may be trademarks of their respective owners.

PlayStation Network hacked: Personal data of up to 70 million people stolen

April 27, 2011 by  
Filed under Security News

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.


The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.


In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID

Sony statement

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.


As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.


The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.


So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.


So you should always use unique passwords.


(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)


Oh, and you better be sure that you have changed your “secret answers” too.


2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.


3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.


This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.


If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.


That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you’re concerned the card is now compromised.


More information can be found in Sony’s blog post.


By Graham Cluley @

Malicious PDF attack spammed out from compromised VioVet email system

March 4, 2011 by  
Filed under Security News

If you’re a customer of VioVet, the UK pet supplies and medications website, then be very careful opening your email this morning.


Customers are reporting that they have received an email purporting to contain a gift certificate from the company – but the files linked to by the email actually contain malware.


VioVet email



Rogue Facebook apps can now access your home address and mobile phone number

January 16, 2011 by  
Filed under Security News

In a move that could herald a new level of danger for Facebook users, third party application developers are now able to access your home address and mobile phone number.


Facebook has announced that developers of Facebook apps can now gather personal contact information from their users.


Request for permission to access home address and phone number

I realise that Facebook users will only be allowing apps to access this personal information if they “allow” the app to do so, but there are just too many attacks happening on a daily basis which trick users into doing precisely this.


Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission – and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service.


Now, shady app developers will find it easier than ever before to gather even more personal information from users.


You have to ask yourself – is Facebook putting the safety of its 500+ million users as a top priority with this move?


Wouldn’t it be better if only app developers who had been approved by Facebook were allowed to gather this information? Or – should the information be necessary for the application – wouldn’t it be more acceptable for the app to request it from users, specifically, rather than automatically grabbing it?


It won’t be long before scammers take advantage of this new facility.


My advice to you is simple: Remove your home address and mobile phone number from your Facebook profile now. While you’re at it, go through our step-by-step guide for how to make your Facebook profile more private.


By Graham Cluley @


