GFI Labs Issues Labor Day Phishing Warning
September 3, 2010 by admin
Filed under Security News
Online holiday retail sales traditionally serve as a prime platform for attacks
GFI Software security researchers issued a warning today regarding an expected increase in phishing attacks in relation to the upcoming Labor Day holiday. GFI Labs, the dedicated malware research center of GFI Software, warns that consumers are traditionally at high risk for targeted phishing attacks due to the preponderance of online retail sales events over the holiday weekend.
Amidst the flurry of emails promoting holiday sales are fraudulent messages that include bogus links to sites that download malicious software or phishing sites soliciting personal information. While research from companies like IBM has suggested that phishing attacks were on the decline last year, GFI Labs warns that customers should not be lulled into a false sense of security. According to phishing tracker Phishtank.com, there are over 2,900 active phishing web sites currently verified on the internet. Furthermore, the popularity of social media sites such as Facebook and Twitter has made them attractive platforms for holiday-themed attacks.
According to GFI Software, one of the world’s leading providers of security software, consumers can reduce their risk of infection by following three simple rules:
1) Ensure that your computer is protected against the newest malware threats by installing a combined antivirus and antispyware solution. This serves as the first point of protection against dangerous viruses and Trojans – and one without the other is no longer effective.
2) Never click on a link from an email to make a credit card purchase. The email you’ve received may look legitimate, but there’s a high probability that the link will take you to a spoofed site where your credit card information will be recorded by cyber criminals. Instead, navigate to the retailer’s Web site directly through your browser. Again, the email may look harmless, but it’s better to be safe than sorry.
3) Even when visiting a trusted Web site, be vigilant about anything that looks out of the ordinary. Social networking sites like Facebook, Twitter and MySpace have all served as points of infection recently. Do not download anything, even from a trusted site, unless you are 100% sure of its contents.
“Every Labor Day, we see a wave of phishing attacks taking advantage of consumers’ expectations of increased retail email promotions connected with the holiday,” said Tom Kelchner, research center manager, GFI Labs. “Cyber criminals see an opportunity to slip by unnoticed among the legitimate promotions. Along with making sure virus updates and security software patches are current, consumers need to stay vigilant and use common sense in order to avoid any unnecessary headaches that these fraudulent emails look to deliver over the long weekend.”
About GFI
GFI Software provides web and mail security, archiving and fax, networking and security software and hosted IT solutions for small to medium-sized enterprises (SME) via an extensive global partner community. GFI products are available either as on-premise solutions, in the cloud or as a hybrid of both delivery models. With award-winning technology, a competitive pricing strategy, and a strong focus on the unique requirements of SMEs, GFI satisfies the IT needs of organizations on a global scale. The company has offices in the United States (North Carolina, California and Florida), UK (London and Dundee), Austria, Australia, Malta, Hong Kong, Philippines and Romania, which together support hundreds of thousands of installations worldwide. GFI is a channel-focused company with thousands of partners throughout the world and is also a Microsoft Gold Certified Partner.
Backdoors in Twitter, Now in Arabic
June 30, 2010 by admin
Filed under Security News
Twitter is becoming a common medium to spread spam, malware and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators, and there are no signs of them stopping any time soon.
Over the past two weeks, several Twitter accounts were created for the sole purpose of tweeting Poison Ivy or Bifrost download links. Both Poison Ivy and Bifrost are backdoors, malicious programs that allow an unauthorized user access to the infected machine. Interestingly, these backdoor programs are uploaded at either freewebtown.com or leadhoster.com, both free web hosting sites.
For some of our readers, these things aren’t new, but what caught my eye are these tweets written in Arabic:
Cybercrime groups, it seems, are broadening the scope of their social engineering by employing localization techniques. Quite clever, huh?
Lastly, these rogue Twitter accounts either have very few or no followers and following, which means the only way for potential victims to see the backdoor URL is to do a Twitter Search with the appropriate keywords. Hmmm… blackhat SEO Twitter style anyone?
All Twitter Users Have 0 followers and 0 following !
May 10, 2010 by admin
Filed under Security News
Ten minutes ago I wanted to follow some Twitter users and I got this message

Then I refreshed the page to see the Virus Experts profile and I saw it has 0 followers and 0 following!?

I thought only our account had this problem, so I checked more than one Twitter account and saw that they have the same problem.



I think Twitter is fixing the follower spam problem.
We will wait…
Update: after 20 min Twitter fixed the problem.

‘More followers’ spam hits Twitter accounts
May 10, 2010 by admin
Filed under Security News
Thousands of Twitter users are finding that their accounts have been compromised, and are posting messages advertising a website which claims to help users attract more followers.
A typical message reads:
CHECK out this site, im a member of it, It gets you more followers: http://tinyurl.com/[removed]

Clicking on one of these links takes you to the Twtfaster website, which asks you to enter your Twitter username and password.

Of course, regular readers of the Clu-blog know that it’s never a good idea to hand over your login credentials to a third party, and that’s the case with this site too. Curiously, when I entered bogus information on the above screen it didn’t display an error message – suggesting that it might be created simply to scoop up users’ login details. Hmm.. that smells worryingly like a phishing attack to me.
Further investigation finds some small print on the Twtfaster website that suggests that they plan to use your account to advertise their service – but I wonder how many people would read that before eagerly signing up for more followers?
One piece of good news is that TinyURL appears to be currently blocking links used in the campaign, but of course that’s not going to stop the people behind this latest outbreak from using alternative URL shortening services.

So, if you’ve found out that your Twitter account has been sending messages advertising how to get more followers, I would recommend that you change your password immediately. And next time a third-party website asks you to hand over your username and password for Twitter, steer well clear.
It is possible that the accounts that are spamming out the adverts for Twtfaster have not signed-up for the site themselves, but have been compromised in some other way. Even so, that’s still a good reason to change your Twitter password. If you need help choosing a memorable, hard-to-crack password you should watch the video I made on the subject.
As I’ve discussed before, you should always exercise extreme caution before signing-up for a service which offers to increase your Twitter following.
Unfortunately, as the popularity of Twitter grows and the desire for more followers deepens we can expect more and more users to fall for scams like this.
Canadian Pharmacy spammers set up shop on Twitter
April 27, 2010 by admin
Filed under Security News
At the beginning of this month I received an email telling me about someone new who had started following me on Twitter.

Their name was @canadianshop, and it was immediately apparent that they were promoting a Canadian online pharmacy via their account. These kinds of websites are frequently promoted in email spam.

Like every other time you receive a new follower on Twitter, the service reminds you that you can report them for spam:
If you believe canadianshop is engaging in abusive behavior on Twitter, you may report canadianshop for spam.
But for once I decided not to. After all, this account was clearly spammy and I was curious to see how long it would take before someone else reported them and their account was suspended.
That was 24 days ago. And despite the @canadianshop account making no attempt to hide who they are – even their background wallpaper uses familiar imagery used in hundreds of thousands of emails to promote medications like Viagra and Cialis – they remain active on Twitter.
At the time of writing the account is following over 2000 people, and has 589 folk following it back.

In addition to its activities on Twitter, the account has also created a number of custom bit.ly links to promote its online stores which redirect to Canadian Pharmacy websites like the one below:

So, let’s hope the account gets shut down soon. I’ve reported it to Twitter now, and also dropped a line to the folks at bit.ly about the links in case they want to take action against those.
As if anyone needed reminding let me say it again – if you buy drugs online you’re not only putting your personal information at risk (remember these guys are prepared to spam and use scummy tactics to promote their sites, they possibly wouldn’t flinch at doing something naughty with your credit card details), but you’re also potentially putting your health in jeopardy.
By Graham Cluley, Sophos
Facebook privacy given a poor scorecard by WhatApp project
April 21, 2010 by admin
Filed under Security News
Facebook has been rated lower than its social networking competitors Twitter and MySpace for privacy and security, according to a study from Stanford University.
According to a report in Forbes, the WhatApp website has rated the security and privacy of Facebook as being lower than that of the Apple iPhone, Twitter and MySpace.
| Service | Privacy | Security |
|---|---|---|
| Facebook | 2/5 | 2/5 |
| Twitter | 3/5 | 3/5 |
| MySpace | 3/5 | 3/5 |
| iPhone | 3/5 | 3/5 |

WhatApp, which was co-created by Stanford University Law fellow Ryan Calo, describes itself as “an online resource where experts and other users can assess, discuss, and rate the privacy and security of mobile and Internet-enabled applications. Now in Beta, the website combines traditional consumer reporting and review tools with wikis and news feeds to allow users to make informed choices about the applications they download.”
Calo told Forbes that he believed Facebook users are concerned about the amount of information applications can access: “I think people are upset because when you download an app, you don’t have any control over what the app developer sees on your profile. There’s the perception among users that they don’t need to give away so much information to have the apps do the same thing as they are currently doing.”
However, I think we would be rash to take WhatApp’s scorecard for Facebook at err.. face value. It’s important to note that the WhatApp site’s goal is primarily to look at specific applications, and that the results publicised by Forbes are extrapolated from those individual application scores to give an overall score for how well Facebook as a whole is faring. (I’ve been contacted by Oliver Chiang, the author of the Forbes article, who tells me that WhatApp do rate platforms such as Facebook separately from the apps, so it’s not an aggregation. Sorry about that).
What isn’t clear is how well we can verify Calo’s credentials as an expert, and it’s also not shown how many of the site’s “verified” experts contributed to the scores that have been published so far. Nevertheless, Facebook won’t be best pleased to see it ranked poorly against its competitors.
Facebook security and privacy are very real concerns, of course, and this debate is likely to run and run. Many of us may well have good reason to long for the days of 2006, when Facebook privacy was a much simpler thing:
"No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings."

It’s very simple – all I want is to have control over who can see my personal information on Facebook.
But it seems that more and more Facebook is preventing me from achieving that seemingly simple aim.
By Graham Cluley, Sophos
Twitter fights back against spam, phishing, and other malicious links
March 11, 2010 by admin
Filed under Security News
In a move that should be welcomed by many users, Twitter has announced that it is introducing a new feature to combat the many malicious and malware URLs that are distributed via the micro-blogging site.
In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.
As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened URL appears to be invoked only with email notifications for direct messages at this time.
Details of how Twitter is determining if a link is potentially malicious or not do not appear to have been released at this time, and it would certainly be great if Twitter would post some more information on how the system will work and what users can expect to see.
It’s also to be hoped that this new service will be rolled-out to other areas of Twitter too. We’ve seen many times in the past that phishing and spam attacks on Twitter don’t tend to restrict themselves purely to DMs, but will also often be found in the public timeline too, as the following YouTube video demonstrates:
The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they have been on the receiving end of spam and malware attacks via social networks in the last year.
The news of Twitter’s new twt.tl short url facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may contain a malware, spam or phishing threat using technology from security vendors such as Sophos.
* Image source: wonderferret’s Flickr photostream (Creative Commons)
By Graham Cluley, Sophos
Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)
February 24, 2010 by admin
Filed under Security Channel
Twitter users are being warned about a widespread phishing attack spreading across the system, designed to steal the usernames and passwords of unsuspecting members.
Messages include
Lol. this is me??
lol , this is funny.
Lol. this you??
followed by a link in the form of
http://example.com/?rid=http://twitter.verify.bzpharma.net/login
where ‘example.com’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to bzpharma.net at the very least.
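As an added example (not part of the original post, and not Sophos code), the sketch below checks message text for links of the form described above: it unwraps URLs nested in query parameters such as `rid`, matches hosts against `bzpharma.net` by label-aligned suffix, and flags a brand name used as a subdomain label of an unrelated domain. The brand allowlist, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Domain named in the post; extend from your own threat intelligence.
BLOCKED_DOMAINS = {"bzpharma.net"}
# Assumed allowlist: brand label -> domains entitled to use it in a hostname.
BRANDS = {"twitter": {"twitter.com"}, "bebo": {"bebo.com"}}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "Lol. this you?? http://example.com/?rid=http://twitter.verify.bzpharma.net/login",
    "lol , this is funny. http://example.org/?rid="
    "http%253A%252F%252Ftwitter.verify.bzpharma.net%252Flogin",  # double-encoded
    "Status update: https://twitter.com/login",
    "Unrelated host: http://notbzpharma.net/twitter",
]

def under(host, domain):
    """True if host is the domain itself or a subdomain (label-aligned suffix)."""
    return host == domain or host.endswith("." + domain)

def hops(url, depth=3):
    """Yield url plus every URL nested in its query string (redirector chains)."""
    yield url
    if depth == 0:
        return
    for _, value in parse_qsl(urlsplit(url).query):
        value = unquote(value)  # parse_qsl decoded once; undo a second encoding layer
        if URL_RE.match(value):
            yield from hops(value, depth - 1)

def verdict(url):
    """Return the reasons a URL, or any URL nested inside it, looks suspicious."""
    reasons = []
    for hop in hops(url):
        host = (urlsplit(hop).hostname or "").lower().rstrip(".")
        for bad in sorted(BLOCKED_DOMAINS):
            if under(host, bad):
                reasons.append(f"blocked domain {bad}: {host}")
        for brand, owners in BRANDS.items():
            if brand in host.split(".") and not any(under(host, o) for o in owners):
                reasons.append(f"brand label '{brand}' on unrelated host: {host}")
    return reasons

def scan_message(text):
    """Map each suspicious URL in a message to the reasons it was flagged."""
    flagged = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)!?")  # drop trailing sentence punctuation
        reasons = verdict(url)
        if reasons:
            flagged[url] = reasons
    return flagged

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_message(msg) or "clean", "<-", msg)
```

Matching on the host of every nested hop, rather than on a substring of the whole link, is what keeps `notbzpharma.net` and a path containing the word "twitter" from being flagged.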
Watch this YouTube video for more details:
Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.
It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.
As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!
Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.

The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.
Interestingly, the bzpharma.net site doesn’t just appear to have been set up for Twitter phishing. It appears to also have been created for stealing the online identities of the Bebo social networking site too:

If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.
We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.
Update: The phishing campaign appears to be bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts. Learn more now.
By Graham Cluley, Sophos
Twitter compromised, DNS hijacking to blame
December 18, 2009 by admin
Filed under Security News
A couple of hours ago, the Twitter web site appeared to be defaced by someone called “Iranian Cyber Army”. The situation was fixed and, as it turned out, the hack was a result of DNS hijacking.

Initial message from the official Twitter account:
Twitter’s DNS records were temporarily compromised but have now been fixed. We will update with more information soon.
Twitter’s blog post that followed:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
Source : www.net-security.org
WARNING: “98B351” AMBER Alert Hoax Still Spreading on Twitter, Facebook
October 15, 2009 by admin
Filed under Security News

A very resilient hoax is making the rounds on Twitter and Facebook. It consists of a message that poses as an AMBER Alert about a 3-year-old kidnapped boy. The message further claims the boy has been kidnapped in a Mitsubishi Eclipse with the registration plate “98B351”, and many users have fallen for it, spreading it further via Facebook, Twitter, and SMS.
According to IT security company Sophos, the message is nothing more than a hoax, but the said license plate number is already ranking high among the most commonly searched terms on the internet, which means the hoax is working. Don’t fall for it!
A quick search on the reveals there are currently no active AMBER Alerts. Interestingly, this hoax has been making the rounds for several weeks, but – as hoaxes often do – it seems to now be resurfacing stronger than ever. An AMBER Alert is a child abduction alert issued upon the suspected abduction of a child; the best way to check if it’s real is to go straight to the National Centre for Missing and Exploited Children’s website.
by Stan Schroeder from mashable.com
















