Graham Cluley’s blog
From anti-flappertanknibbles to zombies. Get inside the head of a computer security expert. If you like.
Hackers use celebrity image SEO to spread scareware
Scareware, the fake anti-virus programs which try and frighten you into reaching deep into your wallet, have been one of the biggest security stories of the last twelve months.
By displaying bogus security warnings their intention is to panic you into purchasing a product you don’t need, or install a malicious program you don’t want.
Late last week, Paul Baccas (aka ‘pob’) of SophosLabs found out that scareware scammers were using search engine optimisation (SEO) techniques in combination with photographs of celebrities like Warren Beatty and Shania Twain in their attempts to steal money.
Below you’ll find a video made by Paul demonstrating the problem in regards to “Beaches” actress Barbara Hershey, and make sure to also read the additional information he has posted on the SophosLabs blog.
You can learn more about the rise of scareware and web threats in Sophos’s 2009 Security Threat Report.
Posted on January 6th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Video, WWW
Naked celebrities on LinkedIn lead to malware
A blog post by our friends at Trend Micro caught my eye this morning, and got some of the guys inside SophosLabs looking a little closer at some of the profiles listed on the business networking site, LinkedIn.
It’s surprising how many people signed-up on LinkedIn have words like “nude” and “naked” in their job title. It’s possible that some of these are genuine (for instance, the person who claims to be the Chief Nude Parachutist at a New York-based company), but many of them are not.
For instance, I think it’s very unlikely that Paris Hilton works for a firm called “company B”, and that she would want to post links claiming to be of her infamous sex video.
Another celebrity who has fallen foul of a private home movie becoming public is Kim Kardashian. It seems that the hackers who have peppered LinkedIn with fake profiles also believe that people will be searching for videos of her, and so they have created a page for her too.

Other names (of various levels of fame) with fake profiles on LinkedIn include Jaime Pressly, Christina Aguilera, Keri Russell, Zooey Deschanel, Lizzy Caplan, Brooke Hogan and Tila Tequila.
Some of the links contained in these profiles are currently down, but SophosLabs can confirm that as recently as January 1st 2009 the malicious Troj/Decdec-A Javascript code was being found on them, downloading further malware onto visiting computers.
It’s a shame that LinkedIn aren’t keeping a closer eye on obviously bogus profiles being created on their site. Undoubtedly spammers, malware authors and other cybercriminals may be abusing the system to link to their webpages in the hope that it will generate a higher ranking in search engines like Google.
Posted on January 6th, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam, Web 2.0
Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked

The guys at Twitter have posted more information on their website about the high profile accounts (belonging to the likes of Britney Spears, Barack Obama, Fox News, CNN’s Rick Sanchez and others) that were compromised on their website today.
Fascinatingly, Twitter claims that these accounts were not broken into as a result of the widespread phishing attack that has taken place on Twitter over the last couple of days, but instead were the result of Twitter’s own systems being compromised by hackers.
As a result, tools that normally only Twitter’s technical support team can use to help locked-out members reset their email address were accessed by hackers, enabling them to steal control of the high profile accounts from their rightful owners.
Consequently, Britney Spears’s Twitter stream made claims about a sensitive part of her anatomy, Rick Sanchez’s Twitter entry declared that he was high on crack, and Fox News appeared to publish breaking news that Bill O’Reilly was gay.
This is actually much more serious than these people and organisations falling for a simple phishing attack. It appears that Twitter’s systems were potentially exposing everybody’s account to the danger of being taken over by hackers - it’s just that they chose some 33 high profile accounts to abuse with their defacements.
Here’s part of the statement from Twitter co-founder Biz Stone:
These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.
What is still unclear is whether the person who hacked the accounts was an external hacker, or someone inside the Twitter organisation.
Twitter seem convinced that it was an individual rather than a gang of criminals, so it may be that they have identified the person responsible. If so, they may choose to involve the authorities to see justice done for what was both a cruel and criminal act.
Whether the full details of what actually happened are ever revealed remains to be seen. But one thing is for certain: Twitter has had an appalling start to 2009 from the security point of view.
So what of Britney herself? Well, there’s been no word from the singing sensation - but someone who claims to be her Social Media Director did post a message on the Rolling Stone website apologising for any offence caused by the vulgar message:

Filed under: Identity Theft, Web 2.0
Has Britney Spears had her Twitter account phished?
(Read the update to this story: Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked).
Could Britney Spears, the troubled pop princess, have become the victim of the phishing scams that have shaken Twitter users in the last few days?
I just visited her page on Twitter and saw the following update, which I find unlikely to have been approved by her management team who are taking care to control her public image as she rebuilds her career:
At approximately 17:30 UK time the message was removed - but clearly this is a sign that someone broke into her account. Whether this was a result of the current Twitter phishing attacks or not is hard to prove, but it seems a strange coincidence if not.
Other Twitter accounts which have had bizarre messages posted to them include ones belonging to Barack Obama’s election campaign, Fox News and CNN anchorman Rick Sanchez.
In a Twitter update which has since been deleted, Sanchez’s account - which is followed by some 40,000 people - displayed the message:
i am high on crack right now might not be coming into work today
The message is clear. Whether you are world famous, a business organisation, or a general member of the public, you have to be much more careful about securing your online presence.
Hackers may have hooted with joy at realising they had the power to post messages under the names of Britney Spears or Fox News, but normally their intentions are to hurt people in the pocket through scams and identity theft.
If you believe you may have clicked on a link to a possible phishing site, and think it is possible that you may have given your password to someone else or that your account may have been compromised, change your password now.
Twitter confirms multiple accounts hacked
At about 18.30 UK time, Twitter posted an update on one of its blogs in an attempt to reassure users, confirming that multiple accounts had been hacked and advising members that it may be prudent to reset their passwords.
Hopefully Ms Spears and Mr Sanchez are amongst those doing that right now.
(Read the update to this story: Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked).
Posted on January 5th, 2009 by Graham Cluley, Sophos. Filed under: Identity Theft, Scam, Spam, Web 2.0
Sophos versus police spyware in “legal hacking” debate

In a rather disturbing development it is being reported in the British press that police have been given the power to hack into computers without a court warrant.
Naturally this news has resulted in massive consternation amongst those concerned with civil liberties, who contend that the move signifies a continuing shift towards a surveillance society in Britain. Already the country is believed to have the highest density of CCTV cameras in the world (one camera for every 14 people is the last figure I heard).
The Association of Chief Police Officers has said that in 2007-2008, British police carried out 194 remote hacking operations, including 133 in private homes, 37 in company offices and 24 in hotel rooms. It isn’t clear how many of these attacks used spyware software or keylogging hardware to examine information held on a suspect computer.
There is no doubt that high-tech criminals are able to use sophisticated technology such as encryption to help them commit their offences, and that this does bring enormous challenges to investigators which may make the use of spyware and keylogging devices attractive.
However, that doesn’t mean that there shouldn’t be strict guidelines and independent approval before this kind of police surveillance can take place. Law enforcement agencies should be forced to seek approval from a court, which would have to be convinced that there were sufficient reasons to surreptitiously break into a computer belonging to a member of the public.
One thing I can promise you though: If Sophos encounters any malware written by the police, we won’t turn a blind eye. We will add detection for it.
And if you think about it, we don’t have any other sensible choice.
For anti-virus vendors to know which spyware Trojan horse to ignore, the British police would need to provide us with a sample of their code. For security reasons, it seems unlikely that this would happen. As a result, how will we (and other security vendors) know which code is written by the cops and which originates from traditional hackers? After all, it’s not likely to say
Copyright (c) New Scotland Yard
is it?
In order to properly protect customers, Sophos continues to protect against all the malicious code that we see.
Even if security vendors were made aware of the code, how would we know that our customer was the intended target of police surveillance? You see, by planting spyware on the PCs of those under suspicion, the police could essentially be placing a weapon directly into the hands of their enemies.
Spying and remote-hacking code could easily be adapted and new variants created with far more sinister intentions in mind. Once the Trojan was released, there would be no way of knowing who would use it to spy on whom, and with what consequences. In an ironic twist of fate, the police could even find themselves the victim of their own code.
So we will continue to defend computer users against malware and spyware, regardless of who might have written or installed the code.
And if that puts us at loggerheads with our friends in the police, so be it.
Posted on January 5th, 2009 by Graham Cluley, Sophos. Filed under: Law and Order, Malware
Twitter users hit by more phishing and spam attacks
The phishing campaign which spread over the weekend via Twitter, stealing users’ account details, has evolved into a series of new campaigns.
Many Twitter users are reporting that they have been struck this morning with a barrage of new direct messages such as:
hey. i won an iphone! come see how here [url removed]
and
Wanna win the new iPhone? It’s so easy and cool, I love this thing! Visit: [url removed]
Clicking on the links can take users to a website that claims that they might win an Apple iPhone if they hand over their credentials including their cell phone number. It is possible the spammers are earning a commission via affiliate links by directing traffic to these websites.

Even Twitter celebrities such as Stephen Fry (perhaps not surprising considering how many followers he has) have reported clicking on links from the earlier phishing campaigns without thinking of the possible consequences.
With typical wit the self-confessed gadget freak Fry admits that another Apple iPhone is the last thing he needs.

The good news is that because Twitter celebs like Stephen Fry have so many followers they can help spread warnings to other members of the Twitter community about phishing campaigns very quickly. On the other side of the coin, however, if their accounts were ever compromised the spammers would believe that they had hit the mother lode. After all, a link in a message from someone famous might be very hard for many people to resist.
Twitter is obviously concerned about the phishing and spam problem, and has added a warning on its site.

However, the constant stream of reports suggests that there are still a sizeable number of Twitter users who do not realise that their accounts have been compromised.
Posted on January 5th, 2009 by Graham Cluley, Sophos. Filed under: Apple, Identity Theft, Scam, Spam, Web 2.0
Phishing scam spreads on Twitter
Twitter users are reporting that they have received direct messages from their online followers enticing them to visit a phishing website which attempts to steal their username and password.

Users have been receiving messages such as:
hey! check out this funny blog about you… [url removed]
and
Hey, i found a website with your pic on it… LOL check it out here [url removed]
which led - sometimes leapfrogging via a Blogspot page - to a website posing as the regular Twitter login page but actually stealing usernames and passwords from the unwary.

Having hacked into some Twitter accounts it appears that the criminals then used the Twitter identities of their victims to pass on the message to even more Twitter users.
It would be bad enough to hand your Twitter username and password over to a criminal, as they could pose as you online and spread malware and spam to your friends and followers. However, as so many internet users foolishly use the same username and password for every website they access, the potential for abuse is even greater.
Twitter co-founder Biz Stone alerted followers to the danger as his team worked on the problem, and later advised members who may feel “weirded out” by the incident to change their passwords.

Twitter has published information on its blog about the security incident and advised users to exercise caution when they reach web pages which ask them to log in to Twitter.
The phishing webpage has also masqueraded as the login page for Facebook - so users of all social networking websites should be on their guard.
Posted on January 4th, 2009 by Graham Cluley, Sophos. Filed under: Scam, Web 2.0
Internet Explorer loses ground to Firefox and Safari
Web analytics firm Net Applications is reporting that Microsoft Internet Explorer continued to stumble in its position as the world’s most popular web browser during December 2008.
Although Internet Explorer is by far the most widely used program for accessing websites, it has slipped from a 75% market share at the start of 2008 to 68.15% during December 2008.
Mozilla Firefox (21.34%), Apple Safari (7.93%), and Google Chrome (1.04%) all appear to be benefiting as users either choose alternative web browsers or run an operating system not supported by Internet Explorer (in other words, anything other than Windows).
What I always find interesting is to compare these usage figures, which are collated across a very wide spectrum of web usage, with what I see myself when I look at details of how people are viewing this blog. You could argue that the typical profile of someone reading this blog and accessing the Sophos website is rather more security conscious than the typical Joe User.

Browsers accessing Graham Cluley’s blog in December 2008
What’s clear from this is that Clu-blog readers are much less likely to be using Internet Explorer than their non-technical friends and family. Firefox, meanwhile, is teetering on the brink of being responsible for one in four of all visits to this blog.
We’re also seeing Chrome being more widely used by this audience, and we can expect to see Chrome make further inroads as versions for Unix and Mac OS X arrive during 2009.
Fascinatingly, Safari on the Apple iPhone is also making a small but beautifully formed impression on the chart, outgunning its Windows cousin.
Have IT teams tasked with security managed to convince their bosses to fork out for Apple’s lusted-for gadget? Perhaps blogs carrying security news are more likely to be viewed “on-the-move” outside of regular working hours, and so gizmos like the iPhone make a justifiable expense.
Why does any of this matter? Well, Sophos’s recently published Security Threat Report 2009 revealed the enormous role that web browsing plays in the successful spreading of malware today. As the web browser market shifts we can expect the cybercriminals to increasingly follow.
Of course, this already happens to some extent. In the past we’ve seen malware attacks embedded into websites that determine what web browser you are running - for instance, if it’s Internet Explorer they’ll serve you some Windows .EXE malware, if you’re running Safari they’ll give you a malicious Mac OS X .DMG file. Additionally, if an Internet Explorer exploit fails to find a successful playground the dangerous website may try a Firefox attack instead.
And in 2009, we expect to see more hackers exploiting vulnerabilities in code which runs alongside your browser - whatever your browser happens to be. So, expect to see more attacks trying to exploit loopholes in Adobe Flash, PDF reader plugins and the like.
Posted on January 2nd, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, WWW
Classmates malware attack poses as school reunion invite
Remember the days of the old school yard? You may prefer to forget them, but many people are nostalgic for the days of grazed knees, poor food and double geography.
A new malware campaign seen in the last few days plays on the popularity of websites like Classmates.com and FriendsReunited, by posing as an invitation to an imminent school reunion.

Part of the email reads:
Bring the gang from Our High School back together again!
Great party - from start to finish!
Subject lines used in the malware campaign have included:
Classmates Reunion Soon - Your classmates Day
Classmates Reunion - Classmates Reunion - Special Preview Invitation
Classmates invitation - Reunion party Greeting Card.
Classmates Organiser Warning - Meeting high school and junior college classmates
Classmates Reunion Soon - [Class Reunion] Save the Date
This month we have chosen Reunion Day - January 2009!
Classmates Reunion Soon - Your classmates Day New Date.
Classmates Personal Invitation: Custom invitation
Invitation to preview new Reunion Classmates.
Important Classmates Day’s 2009
Clicking on the link doesn’t of course take you to the real Classmates website, but a bogus site which tries to fool you into installing an update to Adobe Flash to view a video invitation to your school reunion. Of course, the update is really a malicious Trojan horse designed to compromise your computer.
With many people returning to the office after the holiday break there is a danger that some will click on the link without thinking as they plough through their inboxes.
As ever, be wary of unsolicited emails, and if you are going to update software and plugins on your computer make sure you are getting those updates from the real, legitimate producer of the code, not a third party website that a hacker could have set up.
Posted on January 2nd, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
Zune Leap Year bug under the microscope

More information about the non-virus problem which hung 30GB Zune MP3 players on New Year’s Eve has been uncovered.
It turns out that the problem is actually on the clock chip from Freescale embedded inside Microsoft’s music device.
As you can see in this post from the Zune Boards message forum, there is a flaw in the programming logic: when the Zune accesses its clock as it finishes booting up, it converts the time from its internal count (the number of days since 1st January 1980) into a more human-readable form.
And there’s nothing wrong with that, of course, unless the logic of the code is wrong and it enters into an infinite loop if it happens to be the 366th day of the year.
By now, everyone’s Zune should be working properly again and have shaken off its brain freeze. But unless this problem gets fixed, owners of Zune 30 MP3 players will be frozen out of their music collections again on December 31 2012.
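The fault described above, reconstructed here as an added example in C (this is not the Zune firmware’s or Freescale’s own source): the faulty day-to-year conversion is written from the description of the bug, and the corrected loop beside it shows why the 366th day of a leap year must be a valid stopping point. The day-numbering convention (1st January 1980 is day 1), the `days_since_origin` helper used to build test dates and the iteration cap that stands in for the real device hanging are all assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

#define ORIGIN_YEAR 1980
/* Assumed guard for the demo only: the real player simply hung. */
#define MAX_ITER 100000

static bool is_leap_year(int year) {
    return (year % 4 == 0 && year % 100 != 0) || (year % 400 == 0);
}

/* Day count in the convention described above: 1 January 1980 is day 1.
 * Assumed helper, used only to build realistic inputs for the demo. */
int days_since_origin(int y, int m, int d) {
    static const int month_days[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int days = d;
    for (int yy = ORIGIN_YEAR; yy < y; yy++)
        days += is_leap_year(yy) ? 366 : 365;
    for (int mm = 1; mm < m; mm++)
        days += month_days[mm - 1] + ((mm == 2 && is_leap_year(y)) ? 1 : 0);
    return days;
}

/* Faulty conversion modelled on the bug described above. In a leap year with
 * exactly 366 days remaining, neither branch subtracts anything or advances
 * the year, so the loop spins forever. Returns false when the iteration cap
 * is hit, which is where the real player would have hung. */
bool convert_days_buggy(int days, int *year_out, int *day_out) {
    int year = ORIGIN_YEAR;
    long iter = 0;
    if (days < 1) return false;
    while (days > 365) {
        if (++iter > MAX_ITER) return false;   /* would hang: bail out */
        if (is_leap_year(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            }
            /* days == 366 in a leap year: nothing changes, loop repeats */
        } else {
            days -= 365;
            year += 1;
        }
    }
    *year_out = year;
    *day_out = days;
    return true;
}

/* Corrected conversion: compare against the length of the current year, so
 * day 366 of a leap year is a valid final state rather than a stuck one. */
bool convert_days_fixed(int days, int *year_out, int *day_out) {
    int year = ORIGIN_YEAR;
    if (days < 1) return false;
    for (;;) {
        int year_len = is_leap_year(year) ? 366 : 365;
        if (days <= year_len) break;
        days -= year_len;
        year += 1;
    }
    *year_out = year;
    *day_out = days;
    return true;
}

/* Wrappers returning a single value: the year (-1 if the conversion failed
 * or would have hung) and the day of year. */
int year_from_days_buggy(int days) { int y, d; return convert_days_buggy(days, &y, &d) ? y : -1; }
int year_from_days_fixed(int days) { int y, d; return convert_days_fixed(days, &y, &d) ? y : -1; }
int day_from_days_fixed(int days)  { int y, d; return convert_days_fixed(days, &y, &d) ? d : -1; }

int main(void) {
    /* Constructed sample dates: the day before, the day of, and the day after
     * the 2008 hang, plus the next leap-year day mentioned above. */
    const int dates[][3] = { {2008, 12, 30}, {2008, 12, 31}, {2009, 1, 1}, {2012, 12, 31} };
    for (size_t i = 0; i < sizeof dates / sizeof dates[0]; i++) {
        int days = days_since_origin(dates[i][0], dates[i][1], dates[i][2]);
        int y, d;
        bool ok = convert_days_buggy(days, &y, &d);
        printf("%04d-%02d-%02d = day %5d: buggy -> %s", dates[i][0], dates[i][1],
               dates[i][2], days, ok ? "ok" : "HANG (infinite loop)");
        if (ok) printf(" year %d day %d", y, d);
        convert_days_fixed(days, &y, &d);
        printf("; fixed -> year %d day %d\n", y, d);
    }
    return 0;
}
```

Running the demo shows the faulty loop terminating for 30 December 2008 and 1 January 2009 but never exiting for 31 December 2008 or 31 December 2012, while the corrected loop handles all four. The general lesson is that a loop whose exit depends on a subtraction must guarantee that every iteration either subtracts or exits; the fixed version makes the year length the single value compared against, so no branch can leave the state unchanged.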
Posted on January 2nd, 2009 by Graham Cluley, Sophos. Filed under: Oddball