The Pirate Bay Hacked, User Info Exposed

July 8, 2010 by  
Filed under Security News

An Argentinian hacker named Ch Russo claims that he and two associates have found several SQL injection vulnerabilities in The Pirate Bay’s database, which granted him access to all user information, including usernames and e-mails.


According to KrebsOnSecurity, who spoke with Ch Russo on the phone, the hackers did not modify the user data or give it away to a third party. They did, as they say, consider how much this info would be worth to various anti-piracy outfits such as the RIAA.


“Probably these groups would be very interested in this information, but we are not [trying] to sell it. Instead we wanted to tell people that their information may not be so well protected,” Ch Russo said.


It seems, however, that the vulnerability has been at least partially patched, as Russo said the website component that gives access to The Pirate Bay’s database has been removed. Furthermore, The Pirate Bay site is currently down, sporting the following message: “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”


Although it’s been under attack from the entertainment industry for years now, The Pirate Bay has somehow been able to survive to this day, even in the wake of some other major torrent trackers, such as Mininova.


Security problems such as this one, however, might cause huge problems for the service if user information falls into the wrong (or right, depending on how you look at it) hands.



By: Stan Schroeder


Justin Bieber fans under fire in YouTube XSS attack

July 5, 2010 by  
Filed under Security News

If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.


But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.


A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.


Normally YouTube is smart enough to weed out offending code in the comments left on videos, but it appears that the hackers found a way to waltz past the site’s defences.


Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.


It took about two hours before Google, YouTube’s parent company, got things under control.


XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn’t appear to have happened on this occasion) or direct them to a malicious webpage.




Don’t click on ‘Paramore n-a-k-ed photo leaked!’ Facebook link

June 5, 2010 by  
Filed under Security News

Updated: Many Facebook users are being hit by further clickjacking attacks today, taking advantage of the social network’s “Like” facility.


The latest lure is a link which claims to point to a website containing a naked photo of Hayley Williams, the lead singer of the American rock band Paramore.


Affected profiles can be identified by seeing that the Facebook user has apparently “liked” a link:

Paramore n-a-k-ed photo leaked!



The fact that 21-year-old Hayley Williams has recently been the subject of much internet interest after a topless photo of her was leaked online is only likely to fuel interest in the naked pictures promised by these links. But take care, because all may not be what it seems.


Clicking on the links takes Facebook users to a third-party website which displays a message saying:

Click here to continue if you are 18 years of age or above


What the hackers have actually done is very sneaky. They have hidden an invisible button under your mouse, so wherever you click on the website your mouse-press is hijacked. As a consequence, when you click with the mouse you’re also secretly clicking on a button which tells Facebook that you ‘like’ the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally.


Attacks like this can spread very very fast. Judging by the number of messages I’ve seen, thousands have already found it impossible to resist the idea of seeing the lead singer of Paramore naked and have fallen head-first into the “likejacking” trap.


This use of a clickjacking exploit to publish the same message (via an invisible iFrame) to the visiting user’s own Facebook page works in a similar fashion to the clickjacking attacks we saw earlier this week.



Critical security updates from Microsoft and Adobe

May 12, 2010 by  
Filed under Security News

It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.


First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.


The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.


The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.


Next up is Adobe, who have released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.


The critical vulnerabilities identified in Adobe Shockwave Player and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.


Adobe recommends that users update their version of Adobe Shockwave Player to version


Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.


Enough of waffle. Download and install the patches if your computer is affected.


By Graham Cluley, Sophos


Canadian Pharmacy spammers set up shop on Twitter

April 27, 2010 by  
Filed under Security News

At the beginning of this month I received an email telling me about someone new who had started following me on Twitter.


Their name was @canadianshop, and it was immediately apparent that they were promoting a Canadian online pharmacy via their account. These kinds of websites are frequently promoted in email spam.


Like every other time you receive a new follower on Twitter, the service reminds you that you can report them for spam:

If you believe canadianshop is engaging in abusive behavior on Twitter, you may report canadianshop for spam.


But for once I decided not to. After all, this account was clearly spammy and I was curious to see how long it would take before someone else reported them and their account was suspended.


That was 24 days ago. And despite the @canadianshop account making no attempt to hide who they are – even their background wallpaper uses familiar imagery used in hundreds of thousands of emails to promote medications like Viagra and Cialis – they remain active on Twitter.


At the time of writing the account is following over 2000 people, and has 589 folk following it back.


In addition to its activities on Twitter, the account has also created a number of custom links to promote its online stores which redirect to Canadian Pharmacy websites like the one below:

[Image: Canadian Pharmacy website]

So, let’s hope the account gets shut down soon. I’ve reported it to Twitter now, and also dropped a line to the folks at about the links in case they want to take action against those.


As if anyone needed reminding let me say it again – if you buy drugs online you’re not only putting your personal information at risk (remember these guys are prepared to spam and use scummy tactics to promote their sites, they possibly wouldn’t flinch at doing something naughty with your credit card details), but you’re also potentially putting your health in jeopardy.


By Graham Cluley, Sophos


Windows and Mac users urged to update Safari

March 12, 2010 by  
Filed under Security News

Apple has released version 4.0.5 of its Safari browser, fixing a number of issues with its browser for Windows and Mac OS X including – most importantly – a grand total of 16 security vulnerabilities.


If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.


Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.


But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.


Safari users should practise safe computing, and update their systems as soon as possible.


By Graham Cluley, Sophos



Mozilla admits Firefox add-ons contained Trojan code

February 6, 2010 by  
Filed under Security News

Mozilla has issued a warning that two add-ons available from AMO (the Mozilla Add-ons website) were infected by malicious code capable of infecting Windows computers.


According to a security notice on AMO’s blog, the Master Filer add-on was infected by the LdPinch password-stealing Trojan, and Sothink Web Video Downloader version 4.0 was infected by a version of the Bifrose backdoor Trojan horse.


Judging by the statement on the Mozilla Add-ons blog, a fair few people could have found that their Windows computers were infected:


Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010.

Versions of Sothink Web Video Downloader greater than 4.0 are said not to be infected. Furthermore, both Trojans were specifically written for Windows, meaning they could not infect Mac OS X and Linux installations of Firefox.


This isn’t the first time malware has slipped through Mozilla’s security procedures. In May 2008, users who downloaded Firefox’s Vietnamese language pack were warned that it had contained a malicious script designed to display irritating advertising messages.


Mozilla says that in light of the security lapse it has strengthened its systems, scanning all add-ons with additional anti-virus tools.


Personally, I would recommend that all computer users remember not to rely on someone else doing the virus scanning for them, and ensure they have anti-malware protection running on their computer.


By Graham Cluley, Sophos


Banking malware found on Android Marketplace

January 12, 2010 by  
Filed under Security News

An application for smartphones running the Google Android operating system has been reported to steal users’ banking information.


According to a blog post from the First Tech Credit Union, an app developer called 09Droid created applications which posed as a shell for mobile banking applications, and in the process phished personal information about the users’ bank accounts. The information would, presumably, have been used for the purposes of identity theft.


SophosLabs has not yet seen a sample of the malware, which has now been removed from the Android Marketplace, and First Tech Credit Union is at pains to point out to its customers that it does not currently have an app for the Android phone.


A number of other financial institutions have also published warnings regarding the Android applications. For instance, here’s a similar warning about the Android app that was published on the website of Travis Credit Union, and this is what the credit union posted on its official Facebook page:

[Image: Warning on Travis Credit Union's Facebook page]

Although malware has previously emerged for jailbroken iPhones (such as the infamous Rick-rolling Ikee worm) the malicious applications have not made it onto users’ iPhones via Apple’s highly guarded AppStore.


The Android marketplace, however, is not as closely monitored as Apple’s equivalent, and adopts a more “anything goes” philosophy. This, combined with the current buzz around new phones running Android such as the Motorola Droid and the Google Nexus One, may make the platform more attractive to cybercriminals in future.


As more and more users inevitably take advantage of smartphones to access their bank accounts in the future, the temptation for hackers to exploit systems may become greater.


by Graham Cluley, Sophos


Baidu, China’s largest search engine, defaced by Iranian Cyber Army

January 12, 2010 by  
Filed under Security News

Hot on the heels of last month’s attack on Twitter, the so-called “Iranian Cyber Army” appears to have defaced another high profile website.


Baidu, formed in 2000, is China’s number one search engine, dominating the home market for online searches – partly because it had a six-year head start over Google. As a result of its huge popularity, it’s no wonder that from time to time hackers might try and take advantage of the site, just as top websites can be in the frame for attack in the West.


Earlier today, visitors to’s home page were met with a message – “This site has been hacked by Iranian Cyber Army” – alongside what I presume to be Farsi, and a picture of the national flag of Iran:

[Image: Baidu website defacement]

It’s not presently clear whether Baidu’s site itself was compromised or, as in the case with the Twitter attack, its DNS records. If the website’s DNS records were breached then the hackers would have been able to redirect users who typed into their browser to a webserver under their control.


Within two hours the Baidu website appeared to be returning to normal operation, and as far as we can tell the motive for the attack was political rather than financial. However, imagine how easy it might have been for the hackers to have created a cloned version of the main Baidu webpage complete with a silent invisible-to-the-naked-eye link to a software exploit or piece of malware.


Attacks like this are a reminder to everyone that you always need to have security scanning every webpage you visit, even if it’s an established legitimate website.

by Graham Cluley, Sophos


WARNING: “98B351” AMBER Alert Hoax Still Spreading on Twitter, Facebook

October 15, 2009 by  
Filed under Security News


A very resilient hoax is making the rounds on Twitter and Facebook. It consists of a message that poses as an AMBER Alert about a 3-year-old kidnapped boy. The message further claims the boy has been kidnapped in a Mitsubishi Eclipse with the registration plate “98B351”, and many users have fallen for it, spreading it further via Facebook, Twitter, and SMS.

According to IT security company Sophos, the message is nothing more than a hoax, but the said license plate number is already ranking high among the most commonly searched terms on the internet, which means the hoax is working. Don’t fall for it!

A quick search on the reveals there are currently no active AMBER Alerts. Interestingly, this hoax has been making the rounds for several weeks, but – as hoaxes often do – it seems to now be resurfacing stronger than ever. An AMBER Alert is a child abduction alert issued upon the suspected abduction of a child; the best way to check if it’s real is to go straight to the National Centre for Missing and Exploited Children’s website.


by Stan Schroeder from