New password from Facebook? Beware widely spread malware attack

November 19, 2010
Filed under Security News

Malicious hackers have spammed out an attack that pretends to be an email from Facebook support saying that your password has been changed.


The messages, which have a variety of subject lines including “Facebook Service. A new password is sent you”, “Facebook Support. Your password has been changed” and “Facebook Service. Your account is blocked”, have a ZIP file attached which carries a Trojan horse.


New password from Facebook?

Good afternoon.


A spam is sent from your Facebook account.
Your password has been changed for safety.


Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.


Thank you for your attention,
Facebook Service.


Sophos products detect the attached ZIP file as Mal/BredoZp-B, and the Trojan horse contained within as Troj/Agent-PLG.


It’s possible that the attackers are attempting to exploit the problems many female Facebook users had this week when the social network disabled many accounts by accident.


Don’t forget – you should always be extremely suspicious of any unsolicited email which arrives out of the blue, encouraging you to open an attachment.


By Graham


Danger! Fake $50 iTunes certificate carries malware

May 10, 2010
Filed under Security News



Amid all the usual attacks posing as delivery notices from DHL and FedEx this morning, I spotted some malware that had been spammed out posing as an Apple iTunes certificate for $50.


iTunes malware

The emails read as follows:

Subject: Thank you for buying iTunes Gift Certificate!
From: "iTunes Online Store" <>
Attached file:


You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.


Running the attached malware can infect Windows computers. Clearly the hackers are hoping that, in your excitement about receiving a $50 iTunes gift certificate, you will throw caution to the wind and open the attachment.


Sophos detects the malware, contained inside a ZIP file, as Troj/BredoZp-AM and Mal/FakeAV-BW.



By Graham Cluley, Sophos


Surveillance firm sells Apple iPad spyware

May 10, 2010
Filed under Security News

Could someone be spying on the emails you send and the websites you visit on your iPad?


For many the thought that someone could be reading every email you send, secretly logging every call that you make on your mobile phone, or silently tracking your location via GPS would be the stuff of nightmares.


And yet software exists (and is sold completely legitimately online) that does exactly this for those who wish to spy on their workers, or on members of their family.


And now a firm which in the past has made surveillance software to monitor the usage of iPhones, BlackBerrys, and Android, Windows Mobile and Symbian smartphones has announced a version of its snooping software to spy on iPads.


For just $99.97 a year, Mobile Spy customers can access a website that allows them to view a list of every website visited on an iPad, every contact added to the address book, and every email sent and received.


iPad Mobile Spy

The way that vendors get away with this is by explaining that it is almost certainly an offence to install software onto a phone or computer that monitors or spies upon the owner unless you have authorisation to install it.


So, for instance, it would be okay to spy on your employees’ phone, computer or iPad activity if they had agreed to such surveillance in their contract. And it would be okay to snoop upon your kids because... well, they’re your kids, and how likely are they to take you to court?


Such software exists in the “grey” area between legitimate and illegitimate software, typically promoted as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, or to assist companies in enforcing acceptable use policies, rather than for more traditional identity theft – but it’s clear that it can be used for criminal purposes too.


Mobile Spy URL log

Fortunately, Mobile Spy’s spyware for iPads only works on jailbroken devices. In other words, not only does whoever wants to spy on you need access to your iPad to install the software, your iPad also needs to have been tinkered with to allow it to run software that hasn’t been given the stamp of approval by Apple.


Late last year we saw malware which targeted users of jailbroken iPhones. My expectation is that if enough iPad owners jailbreak their gizmos too, some of the hackers at least won’t be far behind.


Hat-tip: Krebs on Security


By Graham Cluley, Sophos

Malicious contracts spammed out by hackers

May 5, 2010
Filed under Security News

All of us know how easy it is to accidentally send an email to the wrong address. If two people in your address book have similar names then your email client might make it all too simple to send a message to the wrong one.


For instance, I work with Carole, but a simple slip of the fingers or not reading carefully enough might mean I drop a note to Carla Bruni instead. (In my dreams...)


And it’s this kind of common incident that cybercriminals are exploiting when they launch an attack like the one we are currently seeing in our worldwide network of traps.


This is a significant attack – the malicious emails are being spammed out en masse to computers around the globe, claiming to contain contracts for the unsuspecting recipient to approve.


Malware contract

A typical message reads:

Dear ladies and gentlemen,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.


Subject lines used in the attack include:

  • Rent contract
  • Loan contract
  • Contract of order fulfillment
  • Permit for retirement
  • Open an account
  • Record in debit of account
  • Contract of settlements
  • Your new labour contract
  • Open an account


The danger is that recipients of the emails might be curious and tempted to examine the attached file (called and end up infecting their Windows computer. And it’s possible that they might open the file out of the goodness of their heart, hoping that it will contain information that will help them identify who should have received the unsolicited message.


Sophos detects the attached malware as Troj/Invo-Zip and Mal/Koobface-E. Make sure that you keep your anti-virus software automatically updated, and always be suspicious of unsolicited emails.


Opening an unknown file on your computer could mean that you’re opening a backdoor for hackers to compromise and infect your PC.


By Graham Cluley, Sophos

“Please attention!” fake DHL delivery emails contain malware

April 21, 2010
Filed under Security News

It’s another day, which means (almost inevitably) there’s another malicious email campaign carrying a fake anti-virus attack.


Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services.


Please attention email pretending to be from DHL

A typical email, which has the subject line “Please attention!”, reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

Attached to the email is a file called, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it’s possible that some unwary users might fall into the hacker’s trap, and open the malicious attachment.


We are seeing many reports of this attack in our global network of traps right now.

Reports of the malware in Sophos's traps

If you receive one of these emails, don’t open the attached file, as you could be putting your computer at risk of infection and allowing hackers to compromise your PC.


By Graham Cluley, Sophos


Farm Town virus warning: Malvertising at work?

April 13, 2010
Filed under Security News

Players of the online game Farm Town are being warned to be on their guard for malicious adverts that display fake security warnings in an attempt to dupe unsuspecting users into installing malicious code or handing over their credit card details.


SlashKey, the developer of the game, which has over 9.6 million monthly active users on Facebook, has posted a warning on its forum advising players to be wary of warnings that suddenly pop up telling them that their computer is infected:

If you suddenly get a warning that your computer is infected with viruses and you MUST run this scan now, DO NOT CLICK ON THE LINK, CLOSE THE WINDOW IMMEDIATELY. You should then run a full scan with your antivirus program to ensure that any stray parts of this malware are caught and quarantined.

If you do research on many of these spyware programs you will also find a myriad of sites proclaiming they are the only ones who can rid you of these programs. This is not true and on a personal level I urge you to use great caution as some of these so called wonder cures are as much of a scam as the malware you are trying to remove.


Hundreds of Farm Town players have responded on the forum, saying that they have been on the receiving end of the attack – but the worry is that many, many more users may not have seen the warning and could have been tricked by the fake anti-virus warnings into infecting their computers or handing over personal information.

Farm Town virus warning

It appears that the problem is related to the third-party advertising that Farm Town displays underneath its playing window. In all likelihood, hackers have managed to poison some of the adverts that are being served to Farm Town by the outside advert provider.


Such malicious advertising (or malvertising as it is known) has been the vector for other infections in the past, including attacks against the readers of the New York Times and Gizmodo.


What makes this attack all the more serious, of course, is the sheer number of people that regularly play Farm Town, and that – in all likelihood – they might not be as tech-savvy as the typical Gizmodo reader, and thus more vulnerable to falling for the hackers’ scam.


Farm Town gameplay

Rather than SlashKey simply asking its players to report offending adverts when they appear, it might be sensible for the company to disable third-party adverts appearing alongside Farm Town until the problem is fixed.


It may not be Farm Town’s fault that a third-party advertising network is serving up malicious ads, but doing anything less is surely showing a careless disregard for the safety of its players.


Until the makers of Farm Town resolve the problem of malicious adverts, my advice to its fans would be to stop playing the game and ensure that their computer is properly defended with up-to-date security software. If you do feel you have to play Farm Town then it might be wise to disable adverts in your browser (for instance, using an add-on such as Adblock Plus on Firefox).


By the way, if you are on Facebook and want to keep yourself informed about the latest security news you may want to become a Fan of Sophos on Facebook.



By Graham Cluley, Sophos




Windows Mobile Terdial Trojan makes expensive phone calls

April 12, 2010
Filed under Security News

Some players of a mobile phone game called “3D Anti-terrorist action” are reporting an unexpected feature of the game – expensive international phone calls appearing on their bill.


A number of owners of Windows Mobile phones are reporting online that their cellphones have been making pricey calls, without their permission, to numbers in a variety of destinations including the Dominican Republic, Somalia and Sao Tome and Principe.


What the victims all appear to have in common is that they installed the same game to their Windows Mobile phone.


It appears that a Russian-speaking hacker has taken the game “3D Anti-terrorist action”, embedded his Trojan horse inside it, and uploaded it to Windows Mobile download sites on the web. Presumably the aim is to skim some money from the expensive premium rate phone calls.


Terdial malware victim

It’s important to remember that malware for mobile devices is still quite rare, particularly when compared to infections on conventional Windows computers. But what may surprise some is that there is nothing particularly revolutionary about criminals attempting to make money out of mobile malware.


For instance, back in 2004 we saw the Mosqit Trojan that could infect Nokia phones running Symbian, forcing affected devices to send text messages to premium rate numbers. Like this latest report, the hackers hid their Trojan inside a cracked version of a mobile phone game.


Sophos detects the malware as Troj/Terdial-A, and advises all mobile phone users to exercise caution when downloading and installing new applications.



By Graham Cluley, Sophos


Related Blogs

    AVG Rescue CD: A powerful toolset for rescue & repair of infected machines

    March 26, 2010
    Filed under Removal Tips, Tools and Videos

    The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals and includes the following features:

    • Comprehensive administration toolkit
    • System recovery from virus and spyware infections
    • Suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems)
    • Ability to perform a clean boot from CD or USB stick
    • Free support and service for paid license holders of any AVG product
    • FAQ and Free Forum self-help support for AVG Free users



    Key technologies


    • Anti-virus: protection against viruses, worms and Trojans
    • Anti-spyware: protection against spyware, adware and identity theft
    • Administration toolkit: system recovery tools


    The AVG Rescue CD is essentially a portable version of AVG Anti-Virus supplied through Linux distribution. It can be used in the form of a bootable CD or bootable USB flash drive to recover your computer when the system cannot be loaded normally, such as after an extensive or deep-rooted virus infection. In short, the AVG Rescue CD enables you to fully remove infections from an otherwise inoperable PC and render the system bootable again.


    Apart from the usual AVG functions (malware detection and removal, updates from internet or external device, etc.), the AVG Rescue CD also contains the following set of administration tools:

    • Midnight Commander – a two-panel file manager
    • Windows Registry Editor – simple registry editor for more experienced users
    • TestDisk – powerful hard drive recovery tool
    • Ping – to test the availability of network resources (servers, domains, IP addresses)
    • Common Linux programs and services – vi text editor, OpenSSH daemon, ntfsprogs etc.


    Free of charge


    The AVG Rescue CD is a free-to-use product that anyone can download. This also covers any new program versions and virus database updates. If you have any other paid AVG license, you are also entitled to receive our full technical support.



    Download Rescue CD (for CD creation)

    Download Rescue CD (for USB stick)



    No, you’ve not received a postcard from a family member

    March 22, 2010
    Filed under Security News

    Over the weekend there has been a new wave of attacks spammed out, spreading a version of the Bredo Trojan horse via malicious emails.


    The emails claim to be an ecard from a family member, but opening the attachment can infect your computer with the Troj/Bredo-BS Trojan horse.


    Malicious email pretending to be a postcard from a family member

    A typical email has the following characteristics:

    Subject: You've received a postcard
    Attached file:
    Message body:
    Good day.

    Your family member has sent you an ecard
    If you wish to keep the ecard longer, you may save it on your computer or take a print.
    To view your ecard, open zip attached file.


    This is clearly an old tactic to trick people into infecting their computers, but the reason why it’s so familiar is that it really does work.


    There’s clearly a danger that some people may return to their work email on Monday morning and, with still sleepy eyes after the weekend, open the attachment before their brain has been woken up by a strong sip of coffee.


    Sophos detects the ZIP file as Troj/BredoZp-AC, and its contents as Troj/Bredo-BS.


    Somehow the BS nomenclature seems particularly appropriate for this clearly bogus ecard from a family member.


    Wave of malicious Bredo emails

    Make sure your anti-virus software is up-to-date, and able to protect against these latest threats, which are still being distributed via spam right now, as you can see in the above snapshot of malware being detected in our traps.


    Don’t forget you should always be cautious of opening unsolicited email attachments – criminal hackers will often use this technique to try to trick you into running malicious code on your computer.


    By Graham Cluley, Sophos
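The Facebook, iTunes, contract, DHL and postcard campaigns above all share one shape: a lure subject and a ZIP attachment wrapping an executable. The mail-gateway triage check below is an added example written for this page, not code from Sophos or the posts; the lure phrases come from the quoted subject lines, while the sample message, sender address and file names are constructed.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Lure phrases drawn from the subject lines quoted in the posts above.
LURE_PATTERNS = [
    r"password has been changed",
    r"new password",
    r"account is blocked",
    r"itunes gift certificate",
    r"\bcontract\b",
    r"please attention",
    r"received a postcard",
]

# File types that have no business arriving inside a mailed ZIP "notice".
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def lure_hits(subject):
    """Return the lure phrases found in the subject (case-insensitive)."""
    return [p for p in LURE_PATTERNS if re.search(p, subject or "", re.IGNORECASE)]


def executables_in_zip(data):
    """Names of ZIP members with an executable extension; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_message):
    """Return findings when a lure subject and a ZIP-wrapped executable coincide, else None."""
    msg = email.message_from_bytes(raw_message)
    findings = {"subject_lures": lure_hits(msg["Subject"]), "executables": []}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # ZIP magic; trust the bytes, not the declared type
            findings["executables"] += executables_in_zip(payload)
    return findings if findings["subject_lures"] and findings["executables"] else None


def build_sample():
    """Construct a message shaped like the Facebook lure (sample data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_password_info.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Facebook Support. Your password has been changed"
    msg["From"] = "Facebook Service <service@example.invalid>"  # constructed sender
    msg.set_content("Information regarding your account and a new password is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="password_info.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Requiring both signals keeps a genuine contract with a PDF inside a ZIP, or a lure subject with no attachment, out of quarantine; the ZIP is identified by its magic bytes so a mislabelled content type does not bypass the check.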



    Hackers exploit Oscar film awards to spread scareware

    March 9, 2010
    Filed under Security News


    Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It should probably be no surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly – that hackers would try and exploit the event.


    Internet users searching for phrases like “Oscars 2010 winners” may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.


    By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.


    Malicious Oscar-related search results

    As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.


    Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and handing over your credit card details.


    Oscar scareware

    As Fraser Howard recently described on the SophosLabs blog, victims arriving from a search engine are redirected a number of times before being taken to a webpage hosting a malicious script.


    Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.


    Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.


    By Graham Cluley, Sophos
