05/30/2011
Facebook "Baby Born Amazing Effect" is a Scam
Given the size of the Facebook network, it should be no surprise to any of us that the scammers are trying to target their next victims here, too.
The fine folks at antivirus software company Sophos have been keeping tabs on the latest Facebook scam, "Baby Born Amazing effect". This particular scam is being tracked by Sophos security researcher Graham Cluley who says,
Messages are spreading rapidly across Facebook, as users get tricked into clicking on links claiming to show an amazing video of a big baby being born.
"The messages are spreading with the assistance of a clickjacking scam (sometimes known as likejacking) which means that users do not realize that they are invisibly pressing a "Like" button to pass the message onto their online friends.
Now the real questions:
- What danger does this pose?
- How do I get rid of it?
What danger does this pose>
The actual danger to a Facebook user is pretty negligible.
The scam is that by tricking people into "Liking" their video, they're able to artificially inflate their Facebook "Like" count. Real "Like" counts tend to grow pretty slowly, so for someone looking to make a mint in Facebook, garnering a lot of "Likes" can bring in real money fairly quickly.
How do I get rid of it
Here's how:
- [See: Image 1]
- Find the offending message on your Facebook page.
- Select
Remove post and unlike
.
[See: Image 2]
- Go into your profile (top right corner)
- Select "Activities and Interests"
- Remove the "Born Baby Amazing Effect" (and anything else you don't like)
[Image 1]
[Image 2]
[N.B. We have to give full credit to Graham Cluley and Sophos for snagging these screenshots from within Facebook so we can help people get rid of this crap.]
Just to reiterate, this particular scam doesn't carry any typical virus payload and doesn't pose any threat to your PC. The only threat is in tricking other friends of yours to do the same thing and ultimately in helping a scammer inflate his or her bank account.
The one caveat here is that if you've made your Facebook personal profile information public, you have shared this information with the scammer, so who know what they're up to.
Put another way: you might want to reconsider what information you're sharing publicly within Facebook.
05/25/2011
Mac Defender 2.0... Malware Creator Responds to Apple Update
Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but he/she/they haven't.
In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.
The latest?
According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," that has upped the ante and made stopping it all the harder.
For starters Intego says in their blog post on Mac Defender,
Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.
"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.
"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.
Yikes. Auto-download? That sounds a lot like Windows malware to me.
And, here's where it gets really ugly.
Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.
Translation, it downloads on its open and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly looking Mac installer is in front of you. All on its own.
What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.
The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.
What do they do? Click 'Continue,' of course!
What's more, according to Intego, is Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program.
[Editor's note: emphasis theirs.]
This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.
In the article, author Ed Bott's [Editor's Note: Botts... an apropos name for someone in Internet security], says,
Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.
"Peter James, an Intego spokeperson, told me his company’s analysts were 'impressed by the quality of the original version.'
"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.
That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.
Then the craptastic response. C'mon. How 'bout disabling the inane Automatically open "Safe" files. That's not really a default, is it?
That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?
Maybe this is going to be a long road after all.
[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:
- releasing a Mac Defender remover as part of their next update and
- having OSX do some sort of realtime intervention if you tried to install the malware.]
05/24/2011
Mac Malware Removal: No Help from Apple Support
Even though our focus (at least for now) is on Windows antivirus software and malware removal, we've had a few people contact us asking about the malware known as Mac Defender1 (previously discussed in our blog on Mac antivirus software).
Here's the short version: it does not automatically install itself onto your Mac. It does require you to manually install it to be infected. And, the main way it's getting installed is when people are tricked into installing it.
How do you get rid of it?
Well, apparently, even though it's not that hard, you can't turn to Apple Support for help, as according to ZDNet there's No Help from Apple Support Reps Removing Mac Defender, although there is now an official Apple help article on Removing Mac Defender.
Although we've not tested the removal steps ourselves, given that the removal instructions come from Apple itself, you can be sure they work and are legit.
And, yes, all the top Mac antivirus software is already detecting and removing the malware.
MacDefender is known alternately as MacSecurity or MacProtector
04/07/2011
Epsilon Break-In... What's the Lowdown?
By now you've probably gotten notice, as I have, from at least one bank / credit card company / financial institution that, Epsilon, the company they use to send email messages to you had a network breach.
Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.
But, it wasn't just banks that were hit.
It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security who has been doing a stellar job keeping atop this list as more companies are added to the growing list of companies affected by the Epsilon break-in.)
Companies Affected by the Epsilon Break-In (So Far) | |
---|---|
|
|
Alright, so what's the big deal?
Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.
While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear names and email addresses were. What also isn't clear is if the companies with whom you have the relationships were stolen.
And, that's where a part of this becomes especially tricky.
If the spammers know you're a Target customer, for instance, and they know your name, and of course, your email, they can send you an email that looks perfectly like legitimate email from Target.
(N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)
Now image your email sent to [email protected] addressed to YOU in the email and looking and sounding like it's coming from Target.
Imagine something like the following:
Subject: | Get a $100 Target gift card... on us! |
---|---|
From: | Target Stores <"[email protected]"> |
Date: | April 7, 2011 |
To: | Nicole Campbell <"[email protected]"> |
Hi Nicole, Thanks again for your recent Target purchase! We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience. As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime. Click here to get started. Thanks again, Your friends at Target and Target.com |
And, here's where the scam is just unfolding.
Kroger, for instance, recently saw its customers lured by spams apparently from the Epsilon breach.
Quoting Krebs from his piece, he says, In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software.
In at least one attempt email recipients were pushed to buy Adobe Reader, which is free software.
Why? How are they making money if the software is free?
There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:
You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.
Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.
Now, back to our Target example.
There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware
- You need our special free "survey software"
- Your browser needs a special free plug-in to take the survey
- You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card
The list could go on-and-on.
So here are the take home messages from the Epsilon break-in:
- Use your head when it comes to messages emailed to you
- Just because something is addressed to you and addresses you by your name, doesn't make it legit
- Does the email have "free" offers or ways to earn gifts or money for very little work
- Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minute later, it's probably safe.)
- How are the grammar and spelling in it? Commonly the bad guys are overseas and their English is often imperfect, and other conventions are often different from ours.
Commonly you'll see a price in a scam email written as 35$ instead of $35 as is the convention here in the U.S. - Are they asking you to "verify" anything. Let me tell you something: companies don't need you to verify anything. Ever. You got their email, they know who you are. An email asking for verification is almost definitively a scam.
These are just a few things to be on the lookout for. Most importantly of all, especially given the number of banks and credit card companies involved is: never, ever, EVER put your social security number into a link that you clicked on in an email.
I cannot even once think of a legitimate bank or credit card email requiring this.
And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.
While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they setup.
03/28/2011
Mozilla Firefox Takes Steps to Block Fraudulent SSL Security Certificates
Mozilla reported on March 22, that they were informed about the issuance of several fraudulent SSL certificates intended for public websites.
These were removed by the issuers which should protect most users. Mozilla has patched their Firefox versions 3.5, 3.6, and 4.0 to recognize and block these certificates, even though it is not a Firefox specific issue.
The effect to users would be that if on a compromised network, they could be directed to sites using the fraudulent certificates and mistake them for legitimate sites. This in turn, could be used to deceive users into revealing personal information like usernames and passwords or downloading malware if thought to be coming from a trusted site.
Although current versions of Firefox are protected from this attack, Mozilla is still evaluating further actions to mitigate this issue.
The Comodo Group, Inc. (the certificate authority) first reported the issue.
A follow up by Mozilla indicated that on March 15 an RA partner of Comodo Group, Inc.--which is a Certificate Authority--suffered an internal security breach, where the attacker used the RA's account with Comodo to get 9 fraudulent certificates to be issued.
The domain names of the certificates were identified as:
- addons.mozilla.org
- login.live.com
- mail.google.com
- www.google.com
- login.yahoo.com (x3)
- login.skype.com
- global trustee
The attack was discovered immediately by an internal Comodo check, and the certificates were revoked and the RA account suspended.
To date, Comodo reports the only OCSP activity noted relating to these certificates has been two hits, one from the attacker's IP and another from very close by. Additionally, hits incurred from testing by Comodo and the notified companies. This hints that they have not been deployed in an attack, but it is possible the attackers would block OCSP requests as well.
Comodo has identified the IP address as an ADSL connection and originating from Iran. From the OCSP traffic mentioned, Mozilla thinks the attacker is aware the certificates have been revoked.
Mozilla does not believe there has been a root key compromise. However, an attacker armed with fraudulent certificates and an ability to control their victim's network could easily impersonate sites in a very inconspicuous way.
Risk mitigation actions implemented:
- Revocation of the certificates
- A hard coded blacklist of the certificate serial numbers in Firefox deployed as RC2 of Firefox 4 with two additional code patch releases, released on March 22.
- Mozilla released an announcement with some details of the problem.
Mozilla released the patch prior to publishing any announcements out of concern the attackers would be tipped off to blocking the updates.
Mozilla's security blog reported:
Mozilla recognizes that the obvious mitigation advice we might offer (to change Firefox’s security preferences to require a valid OCSP response in all cases, or to remove trust from Comodo’s certificates, or both) risked causing a significant portion of the legitimate web to break as well.
Additionally, neither we nor Comodo have found any evidence of access to their OCSP responder being blocked, either in Iran or anywhere else. We have also found no evidence of any other sort of attack.
In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.
Mozilla has requested that Comodo do the following:
- Publish a full account of exactly what happened. (So far: they have published an incident report and a blog post.)
- Monitor their OCSP logs for evidence of use of these certificates, or evidence that access to their OCSP responders is being blocked from any geographical locations. (So far: no sign of use or blocking.)
- Cancel all relationship with the RA concerned. (So far: the RA is suspended.)
- Change their practices to use intermediate certs rather than issuing directly off the root, and use a different one for each RA.
With Internet attackers always on the move, consumers of the Internet should always ensure their PCs are getting the latest updates, including updating Firefox, to protect against security intrusions and malware. Aside from that having solid, trusted, Internet security software can also give peace of mind in holding off these threats.
03/15/2011
Japanese Earthquake Disaster Scams Exploit at Record Pace
It is astounding how far malware attackers will go to to victimize people by taking advantage of the misfortune of others.
Today, Noriyaki Hayashi reports from Trend Micro's blog that they've discovered a phishing site that poses as a donation site to help the victims of the recent Japanese earthquake. The site http://www.japan{BLOCKED}.com was found to be hosted within the U.S. and was still active as of the time of this writing.
Additionally, the same authors of this site abused the blog function to insert advertisement-look-alike posts, presumably to increase the search engine rankings.
Attacks like this aren't uncommon. (Think back to Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and the Haiti earthquake in 2010.)
Norman Ingal -- threat response engineer at Trend Micro -- also reported on March 11 that immediately after the news broke of the 8.9 Richter scale magnitude earthquake and subsequent tsunami in Japan, several websites popped up with keywords relating to the quake.
One of the sites with the keyword 'most recent earthquake in Japan' led to FAKEAV variants that were identified by Trend Micro as MalFakeAV-25 and later identified as TrojFakeAV.PB.
These blackhat SEO attacks that lead to rogue antivirus downloads continue to be very common.
Many new domains are being created and parked with keywords similar to earthquake and tsunami in Japan. Key words such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used.
Perhaps the message here is to be careful when searching for media content by using known trusted media sites.
Facebook pages are being utilized as well. One claims to contain video footage and lure the visitors to a site called hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-an.
The facebook page is titled “Japanese Tsunami RAW Tidal Wave Footage!" and a script auto-directs visitors to a fake video page where the video is actually a hyperlinked image. Users that click on this get led to a page asking for their cell phone number.
The script also implements a 'Like' and posts a link to the user's wall. Trend Micro Antivirus Software detects this script as HTML_FBJACK.A.
Spammed email messages are being exploited as well. They ask for personal information first with promises of instructions on how to send your donations once the user responds.
Readers should use long-established avenues such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) if you wish to donate.
Symantec's Samir Patel (with thanks to Dylan Morss, Christopher Mendes, and Sujay Kulkarn) in a Symantec piece on Japan relief scams says over 50 new domain names have been registered that use the keywords 'Japan tsunami' or 'Japan earthquake'.
These sites are either parked, for sale, or linked to other earthquake websites.
Some example sites include:
- 3-11-2011-[removed].com
- 3-11[removed].com
- earthquake-[removed].com
- earthquaketsunami[removed].com
- earthquakerelief[removed].com
Symantec has observed a a 419-type message that capitalizes on the disaster. It is a fake "next of kin" story that purports to settle millions of dollars owing to an earthquake and tsunami victim:
Attachments and .zip files can be embedded in such emails so beware if the source is unknown.
Activities such as these underscore the importance of keeping antivirus software updated along with a healthy dose of caution when browsing the Internet.
05/28/2010
Scareware Sellers Facing Hefty Charges
We have good news to share today in the fight against scareware, scumware, and malware purveyors.
Robert McMillan of the IDG News Service writes in an article appearing at NetworkWorld about scareware sellers facing charges.
Three men are facing federal fraud charges for allegedly raking in more than US$100 million while running an illegal "scareware" business that tricked victims into installing bogus software.
The backstory on this is that the products offered by Innovative Marketing, a so-called antivirus company sold products including:
- WinFixer
- Antivirus 2008
- Malware Alarm
- VirusRemover 2008
were nothing but scams.
Here's how the scam worked:
Innovative Marketing is alleged to've setup phony ad agencies which purchased online ad space from legit companies. They'd then have these legit companies display ads and pop-ups, which to most folks, looked like genuine error error messages and antivirus scans.
We've all seen these ads; unfortunately, a lot of folks took the bait, becoming victims of the scams, and plonking down their hard earned cash to rid themselves of what they believed were genuine threats on their PCs.
The thing is, a lot of people didn't take the bait though, and in fact, the article says, The company's products generated so many consumer complaints that the FTC brought a civil action against Innovative Marketing and Byte Hosting in 2008, effectively putting them out of business.
On Wednesday, May 26th, a Chicago grand jury handed down criminal charges to the company for their actions. Because of that and if they're convicted, the three could face time in prison.
Worth mentioning though is that two of the three involved, the ones that operated Innovated Marketing, both live overseas. (Bjorn Sundin is believed to live in Sweden; Shaileshkumar Jain is believed to live in Ukraine.)
The one U.S. resident, James Reno, the man behind the company operating the call centers that handled customer calls with a company called, "Byte Hosting Internet Services," was expected to turn himself in for arraignment.
Where does that leave consumers who purchased their products?
As for getting money back, sadly, that seems to be a very slim possibility at this point--even if the Justice Department successfully seizes funds as part of the conviction; as for getting consumers' PCs cleaned-up and the process to remove malware these guys installed, to our knowledge all real antivirus software can quickly, safely rid PCs of it.
11/12/2008
Major Spam / Scam Source Killed
Good news in the world of anti-spam and anti-virus today: the Washington Post's security blog, the aptly named "Security Fix," announced today that thanks to their data gathering spree, what appears to be a major spam / scam ring hosted by www.McColo.com has been shut down!
Just how much spam was this? A third party security firm, the blog says, estimates McColo was responsible for 75% of the spam today.
Wow. Even if that estimate is off by a factor of 10, even killing 7.5% is impressive.
After presenting the evidence to Hurricane Electric and Global Crossing, two of McColo's major Internet Service Providers, McColo's connections were yanked.
Turns out, according to the Washington Post piece, the fine folks at McColo seem to've been hosting a, "... client list experts say includes some of the most disreputable cyber-criminal gangs in business today."
According to Benny Ng with Hurricane Electric, one of McColo's ISPs,
"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow! Within the hour we had terminated all of our connections to them."
Nice work, one and all.
For full details, check out the original post about their efforts at stopping spam.