Sophos

The five most popular Clu-blog posts of 2008

(You may want to read the first half of this countdown first)

Well, the tension is building as we get ever closer to revealing the most popular posting I made on this blog during 2008.

Fill your glasses, as I now reveal the final countdown and our winner…

5th. Stop viewing porn in Internet Explorer - for now

A vulnerability in the world’s most popular web browser is always going to be news amongst us techies. But when that vulnerability is being actively exploited by hackers, and Microsoft doesn’t have a fix for the problem, well… that begins to be mainstream news for the great unwashed public too.

Sophos experts saw many in-the-wild examples of websites struck by SQL injection attacks that then served up the exploit to vulnerable Internet Explorer users, and defended our customers against the threat.

Which lead us nicely on to the fourth most popular article on the Clu-blog during 2008…

4th. Microsoft to release emergency patch for zero-day flaw

Thankfully, Microsoft was able to produce a patch for the critical problem with Internet Explorer described above, but not before many internet users were potentially put in peril.

I can’t help worrying that there will be more examples of hackers exploiting zero day vulnerabilities in the 12 months ahead.

And so we’ve made it to the top three blog posts of 2008. And there’s one thing they all share in common - a video. So grab your popcorn and we’ll begin.

3rd. Bono’s private bikini party photos exposed by Facebook privacy issue

He may be no stranger to being top of the pops, but Bono’s brush with computer security only managed to get him into third place when it came to the most read Clu-blog posts of the year.

The Cuban-heeled crooner and anti-poverty campaigner was revealed to have been up to hijinks in St Tropez with a couple of bikini-clad teenage girls after they posted their private photos to Facebook.

We’re not sure that Mrs Bono’s wife was that impressed, and the general public hopefully learnt a lesson about the danger of sharing private data online.

2nd. Free Norton AntiVirus? Hackers disguise fake product to spread Trojan

As our recently published Security Threat Report revealed, scareware (also known as fake anti-virus software) has been one of the big trends of the last twelve months, with hackers attempting to frighten people into purchasing bogus products.

As this video and blog post revealed, the hackers have no qualms about using the names of legitimate security products to try and make their fortune.

Will we see more scareware in 2009? It seems inevitable.

And so, we’ve made it. Well done on getting this far.

With a fanfare of trumpets I can now reveal the most widely read story on the Clu-blog during 2008…

1st. Barack Obama Sex Video malware campaign

[Image: Barack Obama wins]

Well, when you think about it perhaps there isn’t that much surprise about Barack Obama malware coming top of our list of most-read stories on the Clu-blog. After all, he won that other popularity competition late last year.

Sleazy hackers tried to take advantage of interest in the US presidential race by claiming in a widely distributed email that Barack Obama had been captured in a sex video with a bunch of Ukrainian girls.

Clicking on the link did actually show you an excerpt from a homemade X-rated video, but it didn’t star Barack Obama.

Instead, curious election-followers had the Mal/Hupig-D Trojan horse insidiously installed onto their Windows computers.

Of course, the idea that a man putting himself forward for the post of president would be cheating on his wife is ridiculous, but that’s not likely to have stopped many users from clicking on the link out of curiosity.

In the days that followed we saw more attempts by hackers to infect computers by exploiting Barack Obama’s name, and no doubt we will see many more in the four years to come.

So, that’s it. You now know the most popular Clu-blog posts of 2008.

Since the Clu-blog started on 23 April 2008, I have made 319 postings (including this one). That means there were a stonking 315 posts during the year.

2009 is likely to be even busier, so keep tuned and thank you all for reading.




The top ten Clu-blogs of 2008

So that was 2008. Roll on 2009.

I thought some of you might be interested in what the most popular blog entries on the Clu-blog were during 2008.

(Caveat: The blog wasn’t running for the whole of the year and stats weren’t collected for all of the time it was live to the public, so this may well be nonsense. But hey, it’s interesting nonsense. It will be better next year, I promise.)

So without further ado, let’s kick off proceedings in true beauty contestant style in reverse order, starting with positions 10 to 6.

10th. Do you really need anti-virus on your Apple Mac?

Oh, the furore that resulted as Apple wobbled back and forth over whether it should or shouldn’t advise Mac users to run anti-virus software.

[Image: Absence of advice regarding anti-virus software on Apple Macs]

I wouldn’t be surprised if we saw more rumbles around Apple Mac security during 2009.

[Image: West Coast Labs report, sponsored by McAfee]

9th. Results of McAfee-sponsored West Coast Labs anti-virus test

I try and keep self-puffery and the marketroids out of the Clu-blog as much as possible, although a few shameless plugs slip through the net.

However, this story proved popular enough to make it into our top ten articles of the year, presumably because it’s somewhat different from the typical good review.

What makes this test interesting is that the West Coast Labs tests were paid for by McAfee, one of our largest competitors. They make the review available for download from their website, but they didn’t come top according to West Coast Labs’ research.

Kudos to the guys at McAfee for not sweeping it under the carpet, and actually they didn’t perform badly in the tests.

8th. BNP membership list posted on the internet

When it was discovered that the membership list of the highly controversial British National Party, complete with names and addresses, had been published on the internet the resulting stampede of Googlers hunting for it came as no surprise.

This blog entry received a large amount of traffic although - as you can see in the blog post - we were careful to disguise the personal names and addresses of BNP members in the snapshot we published.

7th. London hospitals hit by computer virus

St Bartholomew’s (Barts) in the City, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green had their networks shut down after being struck hard by a variant of the Mytob worm.

[Image: Statement on Barts Hospital website about computer virus]

Concerns were raised about patient confidentiality and the quality of care as some workers had to resort to using paper and pen.

Eventually the hospitals announced that they had remedied their security problem and were on the road to recovery.

[Image: attachment user-EA49943X-activities.zip]

6th. Your internet access is going to get suspended - NOT

Judging by the large number of page views that this blog post received, an awful lot of people received emails in the last third of 2008, claiming that they had committed “illegal activities” such as pirating software, movies or music. The emails went on to warn that the recipients’ internet access would be suspended.

Opening the attached report was definitely not a good idea, however, as it contained malicious code designed to compromise your Windows PC, and hand control over to remote hackers.

When they’re not tempting you with nude pictures of Nicole Kidman or Angelina Jolie, they’re threatening to cut off your net access…

Now learn about the top five stories on the Clu-blog during 2008.




Phishing scam money mule claims he was threatened by bank and police officials

[Image: Donkey]

An unemployed Indian man who claims he became unwittingly involved in a phishing scam says he was threatened by bank officials and beaten up by police investigators.

D Sakthi Kumar, a resident of Nanmangalam in Chennai, alleges that pressure has been put on him to pay the 50,000 Indian Rupees (just over US $1000) that authorities have accused him of stealing.

According to reports, Kumar claims that he received an email from a company called Rose Textiles, offering him the job of ‘payment officer’ out of the blue, if he allowed them to put money into his account which he would then (after skimming off a 5% payment) move to another account.

Seasoned readers of the Clu-blog will, of course, recognise that this is the classic story of the money mule. A phishing gang breaks into bank accounts and transfers money into an “innocent” third party account. They then request the third party, who may have no notion of what they are mixed up in, to move the money elsewhere - often making it much harder for the authorities to determine its ultimate destination.

No doubt the authorities are now investigating Kumar’s claims of intimidation and brutality, as well as whether he was an innocent party caught in the midst of a phishing scam or simply someone who saw an opportunity to make easy money.

But the message for the rest of us is to be extremely suspicious of unsolicited job offers that arrive in your inbox. You may find yourself an accomplice in a cybercrime ring, and the police may not be sympathetic when they come knocking on your door.

* Image source: The Untrained Eye’s Flickr photostream (Creative Commons 2.0)




Zunes crash - but it’s a bug, not a virus

[Image: Zune]

Yesterday, December 31st 2008, owners of Microsoft’s Zune MP3 player found that their devices were freezing at start-up.

The internet was bombarded by reports from 30GB Zune owners, concerned that their MP3 player may have been stricken by an astonishingly delayed variant of the Y2K bug or something more sinister.

Grunfloz summarised the issue pretty neatly on the Zune.net forum:

From what I can tell it looks like every Zune 30 on the planet has suddenly crashed. Is this a virus? A glitch? A time bomb? A disgruntled Microsoft employee? Planned obsolescence to make us buy a new one? Or just a terrorist plot to drive the free world crazy?

The reality was, as normal, rather more down-to-earth. It seems that when the boffins at Microsoft created the Zune in 2006, they didn’t tell it how to handle leap years properly. So when the last day of the next leap year came around in 2008 it got its knickers in a twist.

Microsoft says the problem will resolve itself as the date clicks around to January 1st in your part of the world. For more information read Microsoft’s FAQ.
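To show what “not handling leap years properly” looks like in code, here is an added example; it is not the Zune’s firmware and not code from this post. It converts a running day count into a year and day-of-year, the job a player’s clock does at boot. The buggy version has the slip widely reported as the cause of the 31 December freeze: on day 366 of a leap year the loop takes the leap-year branch, finds that 366 is not greater than 366, subtracts nothing, and so never makes progress. The 1980 epoch and the 1-based day count are assumptions for this example; the `WouldHang` guard is added only so the buggy version terminates here instead of spinning forever.

```python
from datetime import date, timedelta

# Epoch assumed for this example (the day count is 1-based from 1 January of this year).
EPOCH_YEAR = 1980


def is_leap_year(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


class WouldHang(Exception):
    """Raised by the buggy converter where the real loop would spin forever.
    The guard exists only so this example terminates."""


def days_to_year_buggy(days):
    """Day count -> (year, day_of_year), with the leap-year slip described in the post:
    on day 366 of a leap year neither branch subtracts anything, so the loop never ends."""
    year = EPOCH_YEAR
    while days > 365:
        before = days
        if is_leap_year(year):
            if days > 366:          # day 366 of a leap year fails this test...
                days -= 366
                year += 1
        else:
            days -= 365
            year += 1
        if days == before:          # ...and with no else branch nothing changes
            raise WouldHang(f"stuck at year={year}, days={days}")
    return year, days


def days_to_year_fixed(days):
    """Same conversion with the year length decided up front, so every iteration
    either returns or consumes a whole year; there is no state that makes no progress."""
    year = EPOCH_YEAR
    while True:
        year_length = 366 if is_leap_year(year) else 365
        if days <= year_length:
            return year, days
        days -= year_length
        year += 1


def ymd_to_days(year, month, day):
    """1-based day count from the epoch for a calendar date (reference via datetime)."""
    return (date(year, month, day) - date(EPOCH_YEAR, 1, 1)).days + 1


def fixed_agrees_with_datetime(last_year=2040):
    """Cross-check the fixed converter against the standard library for every day
    from the epoch to the end of last_year; returns True when all agree."""
    d = date(EPOCH_YEAR, 1, 1)
    n = 1
    while d.year <= last_year:
        if days_to_year_fixed(n) != (d.year, d.timetuple().tm_yday):
            return False
        d += timedelta(days=1)
        n += 1
    return True


def buggy_hangs_on(year, month, day):
    """True if the buggy converter would hang on the given calendar date."""
    try:
        days_to_year_buggy(ymd_to_days(year, month, day))
    except WouldHang:
        return True
    return False


if __name__ == "__main__":
    for ymd in ((2008, 12, 30), (2008, 12, 31), (2009, 1, 1)):
        print(ymd, "buggy hangs:", buggy_hangs_on(*ymd),
              "fixed:", days_to_year_fixed(ymd_to_days(*ymd)))
```

The cross-check against `datetime` is the test worth keeping around: a loop like this is only ever exercised on year boundaries, so a table-driven test that walks every day over a few decades catches the one day in four years that hand-picked cases miss.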

By the way, happy new year everyone!




Don’t be dumb in internet cafes in 2009

I was fortunate enough to spend the last couple of days wandering the chilly streets of Prague. It’s a beautiful city, and if you ever get the chance to visit I’d recommend it.

It was pretty strange though flying out of the Czech Republic as the last hours of 2008 ticked away. All the shops at the airport seemed to be shutting up by 4pm, presumably so the workers could get themselves utterly banjoed in readiness for the midnight New Year’s celebrations.

And this left the passengers on a delayed flight to Leeds kicking their heels with nothing to do but throng around the one remaining coffee bar that was still open.

Mattoni Bar at Terminal One of Prague Airport runs a neat little “buy a drink and use one of our internet-connected computers for free” deal. Naturally with hours to waste until their flight to Leeds, and with no retail therapy opportunities to distract people, the computers were all constantly in use.

With my BlackBerry out of juice, I quite fancied using one of the cafe’s PCs myself to check out the news online, but the most I could manage was some shoulder-surfing, and that - of course - is when I began to see some dangerous behaviour.

[Image: Prague internet cafe]

From my position in the cafe, I could see that one woman was booking a holiday through a well-known travel website, another was checking her HSBC bank account, and one chap was checking his Windows Live Hotmail account (before also checking his HSBC bank balance).

That was just what I noticed in less than 10 minutes. Who can tell how much sensitive information is entered onto these computers in a typical day? And, by the way, I’m not picking on this particular internet cafe, as similar scenes are probably playing out at every cybercafe in the world.

Computers in internet cafes can be tremendously useful and even entertaining if you need to while away some hours, but I would never use them to log in to my personal email account or check my bank balance. The fact is that you simply cannot be confident that an internet cafe’s computer, which may have been used by scores of different people during the course of the day, hasn’t been compromised and might not contain malware that is grabbing your details as you surf the web.

Fortunately for me I wasn’t flying back to Leeds, so I was able to catch my flight home without delay. But it also means I never did find out if those computers were compromised or not.

Don’t take the risk in 2009 - start acting more sensibly with public access computers.




Phishing with Google Calendar

As you know, one of the challenges that phishers face in defrauding you out of your username, passwords and - ultimately - cash, is how to convince you that they are legitimate.

I’m indebted to Clu-blog reader Pete who sent me details of an unusual phishing email he received earlier this week, which goes further than many in attempting to pull the wool over your eyes.

Pete, who uses Google Calendar, received the following in his email inbox.

Unlike many phishing emails it included his real name alongside his email address, and looked identical to a genuine Google Calendar invite.

And that’s because it is a genuine Google Calendar invitation to an event (just like you might receive one to a friend’s barbecue or New Year’s Eve cocktail party). And sure enough clicking on the link in the email takes you to a “real event” in your Google Calendar, which it appears a number of other people have been invited to as well.

Part of the event invitation reads as follows:

THIS Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email so that you can verify and let us know if you still want to use this account.

The Calendar invite then encourages you to respond with your Google username, password and date of birth.

Remember, you really are on Google’s Calendar website. You haven’t been taken to a fake site posing as Google, but alarm bells should definitely be ringing in your head at this point.

It should be obvious to everyone that Google is very unlikely to send out an email of this nature, and that it wouldn’t ask you to confirm whether you wanted your account to continue by accepting an invitation on your Google Calendar.

Furthermore, is it really likely that Google customer service would have an email address like customerserviceXXXX@gmail.com (where XXXX is a four digit number)?

What’s happened here is that a scammer has created a Gmail account with the name “Customer Varifaction” (another spelling mistake which should have raised suspicion) and added these people as guests to an event designed to steal their credentials. Google itself has then sent the event invitation email automatically on their behalf, helpfully inserting the recipients’ real names.

As with any phishing email you receive on Gmail, you should report it as an attempt to phish information from you, which will help warn the security team at Google and help others.
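The invitation fooled the usual checks because both the sender and the link were genuinely Google’s; what gives it away is the organizer and the event text. As an added illustration (not code from this post or from Google), here is a small triage heuristic of the kind a mail or calendar filter could apply to an invitation: it flags an organizer whose display name claims to be the provider’s support team while the address is a consumer mailbox, a generic support name padded with digits, and event text that asks for credentials or threatens the account to create urgency. The domain list, the digits in the organizer address and the benign invite are constructed for the example; the scam wording is the text quoted above.

```python
import re

# Consumer mailbox domains a provider's own support team would not write from.
# Constructed for this example; a real filter would use a maintained list.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "hotmail.com", "yahoo.com"}

# Things a legitimate provider does not ask for, or say, inside a calendar event.
CREDENTIAL_REQUESTS = ("password", "date of birth", "username", "login details")
ACCOUNT_THREATS = ("shutting down", "deleted", "suspended", "verify")
IMPERSONATION_NAMES = ("customer care", "customer service", "support",
                       "verification", "varifaction")


def assess_invite(organizer_email, organizer_name, description):
    """Return the reasons an event invitation looks like credential phishing.

    An empty list means nothing suspicious was found. This is a triage
    heuristic to decide what to flag for a closer look, not proof either way.
    """
    reasons = []
    email = organizer_email.strip().lower()
    name = organizer_name.strip().lower()
    text = " ".join(description.lower().split())        # collapse whitespace
    local_part, _, domain = email.partition("@")

    # 1. Claims to be the provider's support team, but writes from a consumer mailbox.
    if domain in CONSUMER_MAIL_DOMAINS and any(w in name for w in IMPERSONATION_NAMES):
        reasons.append(f"support-style organizer name on a consumer mailbox ({email})")

    # 2. Generic support-style local part padded with digits, e.g. customerservice1234.
    if re.fullmatch(r"[a-z]*(support|service|care|help)[a-z]*\d+", local_part):
        reasons.append("generic support name padded with digits")

    # 3. The event text asks for credentials or personal identifiers.
    asked = [w for w in CREDENTIAL_REQUESTS if w in text]
    if asked:
        reasons.append("event asks for " + ", ".join(asked))

    # 4. The event text threatens the account to create urgency.
    if any(w in text for w in ACCOUNT_THREATS):
        reasons.append("threatens account loss to create urgency")

    return reasons


# Constructed sample invites. The scam description is the wording quoted in the post;
# the digits in the organizer address are a placeholder, not a real account.
SCAM_INVITE = {
    "organizer_email": "customerservice0000@gmail.com",
    "organizer_name": "Customer Varifaction",
    "description": (
        "THIS Email is from Gmail Customer Care and we are sending it to every Gmail "
        "Email User Accounts Owner for safety. we are having congestions due to the "
        "anonymous registration of Gmail accounts so we are shutting down some Gmail "
        "accounts and your account was among those to be deleted.We are sending you "
        "this email so that you can verify and let us know if you still want to use "
        "this account. Reply with your username, password and date of birth."
    ),
}

BENIGN_INVITE = {
    "organizer_email": "pete.friend@gmail.com",
    "organizer_name": "Pete",
    "description": "Barbecue at mine on Saturday afternoon, bring a salad.",
}


if __name__ == "__main__":
    for label, invite in (("scam", SCAM_INVITE), ("benign", BENIGN_INVITE)):
        print(label, assess_invite(**invite))
```

Each reason is weak on its own (plenty of small businesses run support from a free mailbox), which is why the function returns all of them rather than a verdict: an invite that trips three or four at once is what deserves the report-as-phishing click the post recommends.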

Fortunately Pete has his wits about him, and didn’t fall for this phishing attempt.

Thanks to Fraser in SophosLabs who had a good enough memory to recall that the problem of phishing via Google Calendar was also encountered earlier this year, as this blog post by Philipp Lenssen describes.




Who needs spammers when you have the CIA pushing Viagra?

We’ve grown to think of spammers and other internet bad guys as finely-honed organised criminals, quick to use new avenues to make a quick buck, and rapid in their exploitation of breaking news stories and emerging trends.

It’s therefore surprising to me that we have seen spammers doing such a poor job at profiteering from an apparent virgin market for Viagra: Afghan chieftains.

According to a report in the Washington Post, the CIA has discovered a novel way to extract information from ageing Afghan warlords - supplying them with the sex-enhancing drug Viagra.

The report describes how, in one case, a warlord in his sixties with four younger wives was given four pills of the anti-impotence drug. Four days later he returned for more in exchange for detailed information on Taliban movements. The news story explains that often the CIA operatives need to explain the benefits of Viagra to their informants.

The CIA has historically often bought information with cash, but this can backfire if the informant is then seen surrounded by expensive goods or acts ostentatiously. On the other hand, Viagra - as the Washington Post so delicately puts it - “leaves little or no visible trace”.

So it seems to me that while much of the rest of the world is under near constant bombardment from spammers trying to tout Viagra and other sex-enhancement pharmaceutical drugs to us, the Afghan people have been largely left alone. I knew there had to be some silver lining to living in that troubled country.




RBS WorldPay data breach puts 1.5 million cardholders at risk

RBS Worldpay, the electronic payment service, has admitted that hackers have broken into its systems and may have accessed the personal information of some 1.5 million cardholders and other individuals. Of these, some 1.1 million people may have had their social security numbers compromised by the hackers.

According to reports, the company informed law enforcement agencies and federal regulators of the incident on 10 November, but it waited until 23 December before issuing a press release and publishing advice to affected customers on its website.

I’m sure that if it had been my confidential information that might have been compromised I would want to know about it as soon as possible, and I can’t help but think that making a public statement just before a major holiday may fulfil regulatory requirements but may “bury” the bad news from reporters.

RBS Worldpay is keen to stress that only 100 payroll cards have been used in a fraudulent manner so far, and that they have all been deactivated.

Of course, this isn’t the first time that Worldpay has suffered at the hands of hackers. In 2003 and 2004 the internet payment service was bombarded with distributed denial-of-service attacks that clogged its systems and seriously affected its ability to operate.




Pakistani hackers hit Indian railway website

The official website of Eastern Railway, part of the state-owned Indian railway network, was struck by an SQL Injection attack earlier this week by a hacking gang believed to be based in Pakistan.

According to reports, the www.easternrailway.gov.in website was defaced with messages such as “Cyber war has been declared on Indian cyberspace by Whackerz-Pakistan”, “Indians hit hard by Zaid Hamid” and “You are hacked”.

A further message was displayed claiming that the website had been hacked as a response to an alleged violation of Pakistan’s air space by India earlier this month.

Officials at Eastern Railway claim that the website hack was achieved through an SQL injection attack, similar to the others that we see every day striking websites around the world and installing malware.

As far as we can tell, no malware was installed during this SQL injection attack, for which everyone should be grateful. Nevertheless it’s embarrassing for the companies concerned that their websites were not written more securely in the first place to prevent the hack attempt from succeeding.
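To make concrete what “written more securely in the first place” means for this class of attack, here is an added example using Python’s bundled sqlite3 module; it is not code from the Eastern Railway site (whose stack the post does not describe) or from this post. The same page lookup is written twice: once with the request parameter spliced into the SQL text, which is the defect behind defacement and malware-planting by SQL injection, and once with a bound parameter. The table and its rows are constructed sample data.

```python
import sqlite3


def make_demo_db():
    """In-memory table standing in for a site's page store; rows are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("timetable", "Train timetable"),
         ("fares", "Fare table"),
         ("admin-notes", "Internal notes, not meant for the public")],
    )
    conn.commit()
    return conn


def lookup_page_unsafe(conn, slug):
    """The defect: the request parameter becomes part of the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL grammar."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_page_safe(conn, slug):
    """The fix: a bound parameter. The driver passes the value to the engine separately
    from the statement, so it is only ever compared with the column, never parsed."""
    sql = "SELECT body FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


def compare(slug):
    """Run both lookups on a fresh database and return (unsafe_rows, safe_rows)."""
    conn = make_demo_db()
    try:
        return lookup_page_unsafe(conn, slug), lookup_page_safe(conn, slug)
    finally:
        conn.close()


if __name__ == "__main__":
    # The second input is the textbook tautology used in training material:
    # the unsafe query turns into ... WHERE slug = 'x' OR '1'='1' and returns every row.
    for s in ("timetable", "x' OR '1'='1"):
        unsafe, safe = compare(s)
        print(repr(s), "unsafe ->", unsafe, "| safe ->", safe)
```

The bound-parameter version also copes with a perfectly innocent slug such as `o'neill`, where the string-spliced query would fail with a syntax error; input validation alone does not get you that, which is why parameterised queries, not escaping, are the first thing to look for in a code review after an incident like this one.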

Of course, this is not the first time that Indian and Pakistani hackers have attacked each other’s country via the internet. For instance, in 2002 Pakistani government websites were struck by a denial of service attack, and aggressive messages have been embedded inside viruses threatening Pakistani hackers.




Happy Christmas

Huzzah! It’s Christmas!

Newspapers are reporting that Santa Claus’s reindeer-powered Sat-Nav system was not affected by a computer virus, and he has managed to deliver presents to good boys and girls around the world.

As I write this he is on the final stretch back home where he plans to put his feet up, munch his way through a large pile of mince pies, and boot up his Commodore 64 to play some retro games from the 1980s. (If you’re curious, being a public figure he has had to stick to his C64 to avoid accusations of partisanship in the age-old Windows vs Mac handbag fight).

Hopefully you’ll be having a fun day too - but spare a thought for those people who will be working through the holiday. The police, the hospital workers, the prison warders, and - dare I say it? - the security researchers.

Yep, the good guys and gals at SophosLabs (and indeed many of our competitors) will be working as normal during the holiday, ensuring that defences remain in place against the latest malware and spam campaigns.

As you can see above and in Numaan’s post over on the SophosLabs blog, the Vancouver lab is looking particularly seasonal at the moment.

Have a happy holiday wherever you are.


