Mozilla pulls password-sniffing Firefox add-on
July 15, 2010 by admin
Filed under Security News
Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.
“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but was only determined at the start of this week to contain code that sent the contents of website login forms to a remote location.
In other words, if you installed this add-on (and according to Mozilla about 1800 people did) then every time you entered your password on a website you were potentially handing over your confidential login details to an unknown party.
And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.
Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.
Mozilla has now block-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.
If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.
The ‘Never gonna drink Coca Cola again’ Facebook scam [WARNING]
July 15, 2010 by admin
Filed under Security News
If one of your friends said they were never going to drink Coca Cola again after watching a horrific video, would you be tempted to watch the video?
Judging by the number of Facebook users who have posted status updates claiming they are never going to drink Coca Cola again, it seems plenty found it an invitation impossible to resist.

A typical message reads:
<name> I am part of the 98.0% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video --> http://www.[removed]
Find out the TRUTH about Coke!!!
If you do click on the link you will find yourself on a website saying that “9/10 People said they WOULDNT drink Coca Cola After seeing this video!!!” above a thumbnail of a video which says that “Coca Cola can’t hide its crimes”.

Perhaps surprisingly, this webpage isn’t exploiting the now familiar clickjacking technique to falsely claim that the Facebook user “Like”s the page without the user’s permission. Instead, they say you can’t watch the “horrific video” until you’ve shared the link on Facebook by hand seven times.


The page claims to poll whether you have shared the link enough (in order to allow the video to be viewed). But when you realise you’re not making any progress – despite your valiant attempts to recommend the link to all and sundry – you might hit the link which says:
>>>Cant Be Botherd To Wait? --> Click Here To Skip This<<<
Never Texting Again: Facebook rogue app spreading quickly
July 8, 2010 by admin
Filed under Security News
Updated: Over 290,000 people have in the last few days clicked on a link that is spreading virally across Facebook, claiming to point to a video of someone who died after sending a text message on their cellphone.
The links are being posted on innocent Facebook users’ walls by a rogue application. A typical message posted by the rogue application reads:
I am shocked!!! I'm NEVER texting AGAIN since I found this out. Video here: http://bit.ly/a37TaB - Worldwide scandal!

If you do make the mistake of clicking on the link then you are taken to the rogue Facebook application.


The problem is that even though Facebook is warning users that they are giving the “I will never text again after seeing this” application permission to post to their wall (as well as access their personal information) many people still go ahead and press “allow”.
Why should you ever have to grant an application such permissions in order to watch a video?
Sigh.. Sometimes you just feel like you’re hitting your head against a brick wall..
Sure enough – with the permission granted, the application begins to spread its links virally via your Facebook profile:
I'm Never Texting Again Since I Found This Out
<name> has seen a shocking video, which shows someone dying because of texting

Properly cleaning-up your account after you have given permission for the rogue application to access your Facebook account takes two steps. But I’ll throw in a third for good measure.
1. Remove the application
Firstly, visit your Application Settings on Facebook and click on the “X” to remove the app from your profile.

You will be asked to confirm if you really want to remove it. Obviously the correct answer is to go ahead and remove it.

2. Clean-up your wall
With the application gone, you now need to clean-up your own wall – and stop advertising the link (and rogue application) to your online friends. Hovering your mouse over the posts on your wall should display a “Remove” option which will allow you to sanitise the news feed you are sharing with others.
3. Get smart
There are only two things you need to do to clean-up your Facebook account, but I’d recommend you get yourself educated about internet threats too, so you’re wise to these sorts of attacks in the future. If you’re a regular user of Facebook, you should really join the Sophos page on Facebook to be kept informed of the latest security scares and attacks.
Try not to laugh xD: Worm spreads via Facebook status messages
May 21, 2010 by admin
Filed under Security News
A clickjacking worm spread quickly across Facebook earlier today, tricking users into posting it to their status updates.

The worm, which some have dubbed Fbhole because of the domain it points to, posts a message like the following:
try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=<random number>
Clicking on the link would display a fake error message that would trick you – through a clickjacking exploit – to invisibly push a button that would publish the same message to your own Facebook status update. We’ve seen clickjacking exploited by hackers before in attacks on social networks, for instance in the “Don’t click” attack seen on Twitter in early 2009.
The Facebook ‘Stupidity’ virus warning meme
May 20, 2010 by admin
Filed under Security News
In the wake of the recent headlines about privacy concerns and the widespread “sexiest video ever” malware attack against Facebook users earlier this week, I’ve been keeping a close eye on the messages people post publicly to see how they’re coping, and what general advice they give to each other about security and privacy issues.
One of the things I’ve noticed is a growing number of people sharing a joke virus warning with each other.

A typical version reads:
Another Virus is Spreading Like Wild Fire on FACEBOOK. IT'S CALLED "STUPIDITY". It makes U join FAKE FAN PAGES Promising FREE STUFF 4 Your Games. This Virus Spreads to ALL Ur Friends and they TOO Become Stupid. There is No Known Cure For this as of YET, Only Precaution is When Someone Invites U to become a FAN...JUST CLICK 'IGNORE' or better- 'BLOCK'. COPY & REPOST THIS WARNING SO OTHERS ARE SAFE FROM "STUPIDITY"
Hopefully I don’t need to tell any regular Clu-blog readers that this isn’t a genuine virus warning. Rather like the Amish, Badtimes and Irish virus hoaxes, this “Stupidity” alert is being sent around Facebook as a joke.
The Facebook Friend Suggestions security scare
May 14, 2010 by admin
Filed under Security News
Warnings are being posted all across Facebook suggesting that users who have received multiple friend suggestions are really infected with a computer virus.
A typical version of the warning reads as follows:
VIRUS WARNING: ANYONE WHO HAS GOTTEN A TON OF FRIEND SUGGESTIONS BE CAREFUL! IT IS A VIRUS! IF YOU ACCEPT THEM THEN YOUR ACCOUNT WILL SEND OUT ABOUT 85 TO SOMEONE ELSE!!! WARN YOUR FRIENDS NOW! This is a new virus that is sending requests to spread. DO NOT ACCEPT FRIEND SUGGESTIONS AT THE MOMENT!

The reality, however, is somewhat different. Most importantly, the behaviour and sightings of more than the usual number of Friend Suggestions are not a sign of a computer virus infection.
Instead, it appears that Friend Suggestions on Facebook now go to both parties, rather than just to the person you specifically suggest should take up a new online connection.
So, imagine you are Tom, and you think that your friend Dick should become Facebook friends with Harry. You visit Dick’s Facebook profile, scroll down to where it says “Suggest friends for Dick” and choose Harry’s name.
Your suggestion that Dick should become friends with Harry doesn’t just go to Dick, but it will also now go to Harry as well. Presumably Facebook has made this change in order to encourage more users to interconnect.
But there’s more.
As Facebook reveals on its help pages about Friend Suggestions, Facebook can also suggest possible friends for you to connect with.
It does this by automatically examining “the networks that you are a part of, mutual friends, work and education information, contacts imported using the Friend Finder, and many other factors.”
Aside from the mysteriously ambiguous “many other factors”, the thing I find concerning there is the reference to Friend Finder.
What Facebook means is that they can suggest friends based upon email addresses that you may have imported into Facebook from your email account address book, perhaps when you first set up your account.

What many people may not realise is that even if you didn’t add everyone you imported from your address book as a Facebook friend, Facebook can still use those contacts imported from Outlook, Gmail, Hotmail, Yahoo, etc, in order to make future recommendations.
Therefore, Facebook may also see your email address in other people’s contact lists, and determine relationships based upon that.
If this bothers you (and I can perfectly understand why it would), then Facebook says you can tell it to remove the contacts from its suggestions system. Of course, it might have been better if you hadn’t offered up your address book to Facebook in the first place..
Facebook also says that you can change your privacy settings to prevent your profile from being visible to everyone as a potential friend suggestion.
More information about Facebook’s Friend Suggestions system can be read online here.
No doubt most of the souls forwarding and reposting this latest Facebook security scare to their profiles are oblivious to all these fine details, however, and are still believing that a virus is behind the suggestion messages that they are viewing.
Of course, it should still go without saying, that whether you receive a friend request or a friend suggestion, you should exercise caution about who you befriend on a social network – as it could be a cybercriminal rather than a long lost chum who is trying to access your profile.
Oh, and don’t forget. If you’re on Facebook you might want to become a Fan of Sophos on Facebook to ensure you are kept up-to-date with the latest security news.
By Graham Cluley, Sophos
The Hacker Door Facebook security scare
May 5, 2010 by admin
Filed under Security News
A warning being sent across Facebook is scaring users into believing that their accounts have been hacked.
Here is a typical example of a warning message:
To all of my friends: COPY & PASTE: New problem found.... Hacker in door in our friends list!....We are now listed as friends of ourselves! You need to delete yourself from your friends list to close the door to hackers. To do this ... Go to Account, go to edit friends, there search for your name on the list and click the X to get your name removed.
The problem with this warning is that it’s complete poppycock, and causing some users to panic that they could have been hacked.

Yes, there is a bug that means that when you search through your Facebook friends list, you show up yourself as one of your friends. And yes, even if you try and “delete” yourself as a friend you’ll pop up again when you refresh the webpage.
But this is not evidence that your account has been compromised, and if you forward this warning to your Facebook friends and acquaintances you are only helping to perpetuate the hoax.
We saw a similar hoax spreading across Facebook earlier this year in what we called the “Automation Labs” security scare.
In summary, the “Hacker Door” scare is not something to worry about, and you should always check your facts before forwarding security warnings like this to your friends and colleagues.
However, there are real security issues on Facebook, as with any other social network. Make sure you read our guidelines for better security and privacy on Facebook.
Oh, and you might want to become a Fan of Sophos on Facebook too!
By Graham Cluley, Sophos
Splunk warns that it exposed users’ passwords
April 24, 2010 by admin
Filed under Security News
Splunk, a utility that allows IT administrators to search and analyse their organisation’s log files, has issued a warning to some of its users that their passwords were exposed by accident.
I wasn’t able to find mention of the incident on Splunk’s website, but a few affected users have Twittered about it, and a Clu-blog reader forwarded me an email from Splunk that tells more of the story:
Recently, some debug code was unintentionally implemented on the production splunk.com website which exposed a small number of passwords in our web server’s error log. The splunk.com team has corrected the issue and has improved their change process to prevent similar issues from occurring in the future.
In an abundance of caution, we have reset all affected users’ passwords and cleared all affected users’ active sessions on splunk.com. Your new temporary password has been emailed to the email address associated with your splunk.com account. We recommend that you change this temporary password as soon as possible using the instructions below.

It’s not clear from the warning sent out by Splunk how long passwords were exposed for, but there’s obviously a concern that if hackers had managed to stumble across the login details they could have tried to use them on other websites where users might use the same password.
In this case that could have been particularly bad for enterprises, as Splunk’s typical users have key roles inside an organisation’s IT infrastructure and may have access to a number of critical systems and sensitive data.
Of course, it’s bad practice to use the same password on different websites – but that doesn’t stop far too many people from doing it.
Splunk’s action of changing affected users’ passwords was probably the right one – rather than waiting for users to do it themselves.
By Graham Cluley, Sophos
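One way to keep credentials out of an error log even when debug statements slip into production, shown as an added example (it is not Splunk's code, and the post does not say how the debug code exposed the passwords). It assumes the debug code logs request parameters; the key names, the logger name `webapp.debug` and the sample values are constructed for illustration.

```python
import io
import logging
import re

# Parameter names treated as secrets (assumed; extend for the application).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token")
_PATTERN = re.compile(
    r"""(?i)(["']?\b(?:""" + "|".join(SENSITIVE_KEYS) + r""")\b["']?\s*[=:]\s*)"""
    r"""(?:(["'])(?:(?!\2).)*\2|[^\s&,;}]+)""")

def redact(text):
    """Replace the value of every sensitive key=value or 'key': 'value' pair."""
    return _PATTERN.sub(lambda m: m.group(1) + "[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so secrets passed as args are caught too."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def demo():
    """Log two constructed debug lines through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())     # on the handler: covers every logger
    log = logging.getLogger("webapp.debug")  # hypothetical logger name
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)
    params = {"user": "alice", "password": "hunter 2, x"}  # constructed input
    log.debug("login failed, params=%r", params)
    log.error("POST /login user=alice&password=hunter2&next=/home")
    return stream.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

A pattern-based filter like this is a safety net for stray debug output; it does not catch secrets logged under key names outside the list.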
Farm Town virus warning: Malvertising at work?
April 13, 2010 by admin
Filed under Security News
Players of the online game Farm Town are being warned to be on their guard for malicious adverts that display fake security warnings in an attempt to dupe unsuspecting users into installing malicious code or handing over their credit card details.
SlashKey, the developers of the game which has over 9.6 million monthly active users on Facebook, has posted a warning on its forum advising players to be wary of warnings that suddenly pop-up telling them that their computer is infected:
If you suddenly get a warning that your computer is infected with viruses and you MUST run this scan now, DO NOT CLICK ON THE LINK, CLOSE THE WINDOW IMMEDIATELY. You should then run a full scan with your antivirus program to ensure that any stray parts of this malware are caught and quarantined.
If you do research on many of these spyware programs you will also find a myriad of sites proclaiming they are the only ones who can rid you of these programs. This is not true and on a personal level I urge you to use great caution as some of these so called wonder cures are as much of a scam as the malware you are trying to remove.
Hundreds of Farm Town players have responded on the forum, saying that they have been on the receiving end of the attack – but the worry is that many many more users may not have seen the warning and could have been tricked by the fake anti-virus warnings into infecting their computers or handing over personal information.

It appears that the problem is related to the third-party advertising that Farm Town displays underneath its playing window. In all likelihood, hackers have managed to poison some of the adverts that are being served to Farm Town by the outside advert provider.
Such malicious advertising (or malvertising as it is known) has been the vector for other infections in the past, including attacks against the readers of the New York Times and Gizmodo.
What makes this attack all the more serious, of course, is the sheer number of people that regularly play Farm Town, and that – in all likelihood – they might not be as tech-savvy as the typical Gizmodo reader, and thus more vulnerable to falling for the hackers’ scam.

Rather than SlashKey simply asking its players to report offending adverts when they appear, it might be sensible for the company to disable third-party adverts appearing alongside Farm Town until the problem is fixed.
It may not be Farm Town’s fault that a third-party advertising network is serving up malicious ads, but doing anything less is surely showing a careless disregard for the safety of its players.
Until the makers of Farm Town resolve the problem of malicious adverts, my advice to its fans would be to stop playing the game and ensure that their computer is properly defended with up-to-date security software. If you do feel you have to play Farm Town then it might be wise to disable adverts in your browser (for instance, using an add-on such as Adblock Plus on Firefox).
By the way, if you are on Facebook and want to keep yourself informed about the latest security news you may want to become a Fan of Sophos on Facebook.
By Graham Cluley, Sophos
Account notification email warning? Don’t follow the instructions
April 7, 2010 by admin
Filed under Security News
If you’re returning to an overflowing inbox after the Easter holiday weekend, make sure that you don’t fall for the latest scam being distributed widely by spammers.
Emails claiming that recipients’ accounts have been temporarily suspended are being seen around the world today, attempting to trick users into believing that their email account has been accessed by somebody else.
The spammed-out emails try to hoodwink users into running the attached file (Instructions.zip) which is, predictably, carrying a malicious payload.

Dear Customer,
This e-mail was send by example.com to notify you that we have temporanly prevented access to your account.
We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions
(C) example.com
In an attempt to make the email more convincing, the attackers reference the domain name (for instance, example.com) used by the recipients’ email account in the emails they are spamming out.
Sophos detects the malicious attachment proactively as Mal/FakeAV-BT and Mal/BredoZp-B, but users of security products from other vendors would be wise to ensure that they are properly updated and protected.
The hackers are once again using a tried-and-trusted social engineering trick (in this case trying to fool you into believing that your account has been compromised) to lure you into the serious mistake of opening the attached file.
Wiser computer users should have learnt by now that you should always be extremely suspicious of unsolicited attachments.
By Graham Cluley, Sophos
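A mail-triage heuristic for the lure described above, as an added example that is not part of the original post or any Sophos detection. It flags the three traits the post names: the body cites the recipient's own mail domain, the wording urges running the attachment, and an archive is attached. The sample messages, the addresses, the subject line and the extension list are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Wording taken from the lure quoted in the post; specific to this campaign.
LURE_PHRASES = ("run attached file", "prevented access to your account",
                "accessed by someone else")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")  # assumed list; the post names only a .zip

def recipient_domain(msg):
    """Lower-cased domain of the first To: address, or '' if absent."""
    to = msg["To"]
    return to.addresses[0].domain.lower() if to and to.addresses else ""

def score_message(raw_bytes):
    """Return the reasons a message resembles the lure (empty list = no match)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so phrases split across wrapped lines still match.
    body = " ".join(part.get_content().lower().split()) if part else ""
    reasons = []
    # 1. The lure cites the recipient's own mail domain to look official.
    domain = recipient_domain(msg)
    if domain and domain in body:
        reasons.append("body cites recipient domain " + domain)
    # 2. Wording that pushes the reader to execute the attachment.
    hits = [p for p in LURE_PHRASES if p in body]
    if hits:
        reasons.append("lure wording: " + "; ".join(hits))
    # 3. Archive or executable attachment.
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append("risky attachment: " + name)
    return reasons

def build_message(body, filename, subtype):
    """Constructed sample message addressed to a hypothetical user@example.com."""
    m = EmailMessage()
    m["From"] = "support@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Account notification"  # constructed; the post gives no subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype=subtype, filename=filename)
    return m.as_bytes()

LURE = build_message(
    "Dear Customer,\nThis e-mail was send by example.com to notify you that\n"
    "we have temporanly prevented access to your account.\n"
    "We have reasons to beleive that your account may have been\n"
    "accessed by someone else. Please run attached file and Follow instructions\n",
    "Instructions.zip", "zip")
BENIGN = build_message("Hi, the meeting minutes are attached.\n", "minutes.pdf", "pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_message(raw))
```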















