Antivirus and Security Software from Sophos

Shocking real crimes on Google Streets? No, it's another viral Facebook scam

Once again a viral scam is spreading rapidly across Facebook, posting messages on users' profiles in an attempt to trick the unwary into installing a rogue application.

Here's a video where I demonstrate the attack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Many Facebook accounts are currently posting messages saying:

Shocking real crimes status updates

OMG! Shocking Real Crimes caught live on Google Streets. This is SO Unbelievable and you have got to see it! hxxp:/tiny.cc/urztb

At first glance you may believe that your friend genuinely thinks that you will be interested in viewing what's at the end of that link, but the fact of the matter is that it wasn't your Facebook friend who posted that message - but a rogue Facebook application called Earth Finder.

If you do fall for the social engineering trick and click on the link you are taken to a Facebook page which says:

Message displayed by the Earth Finder application on Facebook

Google Street View

Big Brother is constantly watching us and does so all the time. These Crooks thought that they were above the LAW and could get away with anything. Unfortunately for them, Google Streets caught them red handed and on FILM!

See the world's most EMBARRASSING and SHOCKING CRIME photos that were caught live on Google Streets.

[Click Here to See The CRIMES]

By now you're hooked, and quite possibly desperate to find out what embarrassing and shocking photographs of criminals you might be about to be shown (remember, it was your friend's Facebook account which has recommended this content after all).

But going any further takes you to a page which tells you you need to give permission to a Facebook application called "Earth Finder" first.

And that's where things really begin to go wrong. Because now you've given the green light for "Earth Finder" to post messages from your Facebook profile, advertising it to all of your friends.

If you allow the Facebook application to run, it will post spam messages on your Facebook account

And once again (like the recent "Teacher Nearly Killed This Boy" application which I caught on video) you will be making money for the scammers by being redirected to a series of surveys and online questionnaires.

If you've fallen for a scam like this, spreading virally across Facebook, make sure you clean up your Facebook account - remove the references to it from your status updates and news feeds, and ensure that you have zapped it from your list of applications.

Please take care when you're online, and consider joining the Sophos page on Facebook to be kept informed of the latest security threats.

And be sure to warn your friends who passed the link onto you as well - clearly they're not taking enough care about their computer security if they're granting permission for apps like this to have access to their Facebook profile.



Happy bitchday from Facebook

Yesterday my colleague Pablo Teijeira, who is based in our Madrid office, logged into Facebook as normal and was confronted with a rather unusual message in place of the usual reminder of whose birthday it was today:

Facebook's happy birthday message gets lost in translation

Rather than "Hoy es cumple de" ("Today is the birthday of") the Spanish language version of Facebook was saying "f*ck you bitches". Charming.

Pablo dropped me a line, wondering if I knew if Facebook had been hacked or if there was some other sinister explanation.

Well, the good news is that it wasn't malware and it was done more as a prank than with malicious intent. Facebook has relied upon volunteers to translate its site, and if enough people vote for an incorrect translation it can automatically replace the legitimate wording.

It's all very well harnessing the power of the net to get your website translated, but maybe Facebook should put a few more checks in place before the system is abused again in future - perhaps with more malicious intentions.

By the way, the Turkish translation version of Facebook was also abused in a similar way changing messages such as

Your message could not be sent because the user is offline

to

Your message could not be sent because of your tiny penis

PS. If you're a Spanish reader you might want to read Pablo Teijeira's blog or follow him on Twitter for your Spanish-language security fix.



Android malware steals info from one million phone owners

An app by Jackeey Wallpaper
Updated: A developer of Android apps has been accused of using their apps to steal information from more than one million smartphone users.

John Hering and Kevin MaHaffey, of mobile security firm Lookout, told the Black Hat security conference in Las Vegas that they discovered that a wallpaper app developed by Jackeey Wallpaper (who have created over 70 different applications for the Google Android mobile operating system) secretly transmitted affected phones' numbers, subscriber identifiers, and voicemail numbers to a server in Shenzhen, China.

Over a million people are believed to have downloaded the app - which Sophos has not yet seen - from the Android Market (Google's equivalent to the Apple iPhone AppStore).

This isn't the first time that the Android smartphone operating system has apparently been targeted by malware, of course.

One of the challenges that owners of smartphones running the Android operating system face is that it is not as closely monitored as Apple's equivalent, and adopts a more relaxed philosophy as to what apps can be published.

Although there's much criticism that Apple has received for the way it controls the iPhone environment, it's clear that the only malware attacks we've seen to date on that platform (such as Duh and the infamous rickrolling Ikee worms) have affected users who have chosen to jailbreak their iPhones and escape the relative safety of the AppStore.

Yes, malware has previously emerged for jailbroken iPhones, but the malicious applications have not made it onto users' devices via Apple's highly guarded AppStore.

It remains to be seen how many users will treat security as a factor when choosing between the rival mobile operating systems.

Update: Some media reports suggested incorrectly that voicemail passwords were accessed by the wallpaper app, and it's important to make clear that this is not true.

In fact, Kevin MaHaffey at Lookout has posted up a blog post downplaying the threat and emphasising that "while the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior."

Lookout and Google are apparently working together to investigate the apps in question.



Details of 100 million Facebook users were *already* exposed on the net

Have you seen the headlines? They're pretty scary-looking.

Here's just a handful - although there were hundreds more to choose from:

"A fifth of Facebook users names 'leaked' to file-sharers", Techwatch

"Details from 100 million Facebook profiles posted online", Network World

"Details of 100m Facebook users collected and published", BBC News Online

"100 million Facebook accounts exposed", V3

At first glance these headlines might appear frightening. But there's one thing you need to know. All of this information was already available to anyone on the internet.

What's happened is that a security consultant called Ron Bowes wrote some scripts to harvest publicly-available information from the profiles of Facebook users who had left their profiles open for anyone to view.

In total he managed to scrape the names and URLs of some 100 million Facebook users (about 20% of their population), and posted the database of snaffled information up on a peer-to-peer file-sharing network for anyone to download.

The Facebook user data can be downloaded from a peer-to-peer file-sharing network

This wasn't really a "hack" as such, as the guy who collected this information didn't have to break into accounts to access the information. The personal information from users' Facebook profiles was already available to anyone because individuals' privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see.

The real problem here is that users haven't secured their profiles well enough - but I don't think they're the only ones at fault. Facebook has gradually eroded its users' privacy over the years, in an attempt to share more information with the rest of the internet. In fact, it's even recommended that users use settings that share more information - and some users may not have been aware that going with Facebook's recommendations would leave them open to being snooped on in this fashion.

The problem is that once you've shared your information with "everyone" on the net in this fashion, there's no going back. You can't withdraw your data - and now the user details have been harvested they will forever be available for anyone to access.

Facebook privacy setting

Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook security settings closely to ensure that they are not divulging too much to people they don't know, and are comfortable with their choices. Today the news story is about names and URLs being scooped up - maybe tomorrow it could be more personal information that is gathered from poorly secured Facebook users.

We've published a step-by-step guide where Facebook users can check their privacy settings and ensure their information is better secured.

Please take care when you're online, and consider joining the Sophos page on Facebook to be kept informed of the latest security threats.



Could this be the most stupid spam I have ever received?

Here's a spam email I just received:

Perfume keyword spam

"I am not sure if you're aware of why your ranked this low.."

Err.. I know this is a long shot, but could it possibly be because our website has nothing to do with perfume?

Later on in the email there's a great P.S:

PS in perfume spam

What does this guy know that I don't.

What indeed..



'Mastermind' of Mariposa botnet arrested

Mariposa botnet butterfly net
Last week I blogged about the net closing in on a group of Slovenian hackers believed to be connected to the Mariposa botnet.

Today it is being reported that a 23-year-old Slovenian, known as Iserdo, was arrested in the city of Maribor, Slovenia. The arrest comes after an international investigation involving the FBI and Slovenian and Spanish police.

Iserdo's real name has not been revealed, but it is understood that he has been released on bail pending further investigations.

Almost 13 million computers in more than 190 countries are believed to have been silently recruited into the Mariposa botnet, named after the Spanish word for "butterfly". The affected computers were commandeered by hackers after they were infected by a polymorphic family of malware called W32/Rimecud, which spread itself via a number of methods including copying itself to removable storage devices, instant messaging and P2P file-sharing systems.

It is believed that Slovenian hackers created the malware, and sold it to cybercriminals in Spain who used it in their attacks.

It's great to see international co-operation like this in the fight against the computer underground - helping to make everyone's online activities safer, and sending a strong message that the authorities will not turn a blind eye to cybercrime.



Fake anti-virus poses as free McAfee VirusScan

Fake anti-virus software (also known as scareware or rogue anti-virus) continues to be a big problem. Malicious hackers create programs that pretend to be legitimate anti-virus products, but are actually designed to frighten you into believing you have security problems with your computer (in the hope that you'll pay up for a cure).

Overnight our spam traps intercepted a wave of malicious emails claiming to be a free 30 day trial of McAfee VirusScan (which is a legitimate product, of course).

Fake anti-virus posing as free copy of McAfee VirusScan

Subject: McAfee VirusScan Plus
Attachment: setup.zip
Message body:

Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win

Installation file attached

Sophos detects the attached file as Mal/FakeAV-EI. If you want to try McAfee VirusScan please go to McAfee's website and download it from there - don't trust unsolicited emails like this.
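The mail in this post follows a pattern that a gateway can catch on structure alone: an unsolicited message whose ZIP attachment carries an executable. Here is an added example (not Sophos code, not the product's detection logic) that reconstructs a message of that shape from the subject, attachment name and body text quoted above, then inspects every ZIP attachment in memory and flags those containing executable members. The sender and recipient addresses, the bytes inside setup.exe and the list of "executable" extensions are all constructed for the example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions we treat as executable when found inside an archive (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message(member_name: str = "setup.exe") -> bytes:
    """Constructed message mimicking the fake McAfee mail quoted above.

    The attachment is a ZIP built on the fly; its single member carries a
    fake 'MZ' header rather than a real program. Addresses use the reserved
    .invalid domain so nothing here points at a real mailbox.
    """
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 64)  # placeholder bytes, not a real PE

    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "McAfee VirusScan Plus"
    msg.set_content(
        "Download a FREE 30-day Trial of MCAfee VirusScan Plus and "
        "Be Automaticaly Entered to Win\n\nInstallation file attached\n"
    )
    msg.add_attachment(
        archive.getvalue(), maintype="application", subtype="zip", filename="setup.zip"
    )
    return msg.as_bytes()


def executables_in_archives(raw: bytes) -> list[str]:
    """Return 'archive.zip/member' for every executable found inside a ZIP attachment.

    The archive is opened from memory only; nothing is written to disk or run.
    An attachment named .zip that fails to parse is reported too, since a
    corrupt or disguised archive is itself worth a closer look.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTENSIONS:
                        found.append(f"{name}/{member}")
        except zipfile.BadZipFile:
            found.append(f"{name}/<unreadable archive>")
    return found


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold any message with an executable inside a ZIP attachment."""
    return bool(executables_in_archives(raw))


if __name__ == "__main__":
    spam = build_sample_message()
    print("executables found:", executables_in_archives(spam))
    print("quarantine:", should_quarantine(spam))
    clean = build_sample_message("readme.txt")
    print("quarantine (text member):", should_quarantine(clean))
```

The decision is deliberately based on what the archive contains rather than on the brand name in the subject, so the same rule holds when the next wave impersonates a different vendor.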

Check out this YouTube video, where Fraser Howard from our labs describes fake anti-virus software:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don't forget to keep your (real) anti-virus up to date, and your wits about you.



Shocking video link worms its way rapidly across Facebook

The bad guys are at it again on Facebook. I have made a video demonstrating the latest attack, and how to clean up your Facebook account:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

So, what's the background to the story? Well, in May of this year amateur video footage of an American teacher allegedly attacking a 13-year-old pupil in front of fellow students made headlines after being posted on YouTube.

Officials at Jamie's House Charter School in Houston, Texas, sacked 40-year-old Sheri Davis as the world looked on horrified at her rather unusual approach to discipline in the classroom.

It was perhaps not surprising that cybercriminals took advantage of the furore - the following month I reported how a rogue Facebook application was posting spam from users' accounts saying "Teacher nearly killed this boy" and encouraging users to fill in surveys in order to view the controversial footage.

You would have hoped that that would have been the last of it. However, new versions of the app (using a variety of names and URL-shortening services) have continued to plague Facebook users, spamming from their accounts and worming their unwanted links across the social network.

Facebook messages about teacher nearly killing a boy

I am shocked!!! The teacher nearly killed this boy. Video here: hxxp://tiny.cc/horrifying - Worldwide scandal!

Clearly it's appalling that these links are still spreading virally at such speed across Facebook, duping users. It seems to me that Facebook is virtually impotent to do anything about them - whenever they close down one rogue application the bad guys just create another.

Facebook can't seem to stop them, despite the attacks looking almost identical. Maybe it's time for Facebook to put more restrictions over who is allowed to create applications on their social network, as the current system just isn't working.

You can do your bit, though, by sharing this blog article with your friends on Facebook. Just click on the button below.


Please take care when you're online, and consider joining the Sophos page on Facebook to be kept informed of the latest security threats.



Citi iPhone banking app contains security flaw

Citi banking iPhone app
iPhone-owning customers of Citigroup have been urged to update their mobile banking app immediately because of a security flaw that secretly stored account numbers, bill payments and security access codes in a hidden file.

The Citi Mobile app allows customers to check their account balances, transfer funds and pay bills from their iPhone, and is one of the most popular finance applications in the Apple App Store with approximately 120,000 users since it was launched in March 2009.

Citigroup told the Wall Street Journal that it had "no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone."

Citi Mobile app

However, there will undoubtedly be concerns that if users lost their iPhone the information could be accessed by an identity thief. Furthermore, it is believed that the sensitive data could also have been backed up to customers' Windows and Mac computers when they are synchronised with the iPhone. Certainly, there are many more chances for the typical malicious hacker to access information stored on a PC than on the controlled environment of an Apple iPhone.

The good news is that the iPhone has a pretty slick system for notifying users that there is an update available for their installed apps, meaning it should only take a couple of clicks for users to upgrade their version of the Citi Mobile app to a more secure version.



Shortcut exploit: protect against it with this free tool

Shortcut exploit splat
Sophos engineers have been busy developing and testing a free tool that protects users from malware exploiting the critical zero-day vulnerability known as the "Shortcut exploit".

We have begun to see more hackers taking advantage of the exploit, spreading malware which takes advantage of Microsoft's unpatched vulnerability.

Sophos has been doing a good job of protecting its customers against this problem (we detect exploited files as Exp/Cplink). But what if you're not a Sophos user and are worried about the attacks?

We can now present the Sophos Windows Shortcut Exploit Protection Tool. Watch the following video to see it in action:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Here are the details in a nutshell:

1. It intercepts LNK shortcut files that contain the exploit, telling you which executable code it was attempting to run. That means it will stop malicious threats which use this vulnerability if they are on non-local disks, such as a USB stick for instance.

2. You can run the tool alongside your existing anti-virus product. No need to throw the baby out with the bathwater. The tool supports Windows XP, Vista and Windows 7. It doesn’t support Windows 2000.

3. Unlike Microsoft's workaround, it doesn't blank out all the shortcuts on your Windows Start Menu - meaning your life (and that of your users) will be easier.

4. It's free to download.

Want to know more? Here's the nerdy explanation:

The vulnerability, known as the shortcut exploit, is in the way that Microsoft Windows handles .LNK shortcut files. If Windows tries to display the icon of an exploited shortcut file it can run the malicious code pointed to by the shortcut, without any user interaction.

One of the ways we have seen this problem exploited is via malware infections on USB sticks - capable of running viral code even if AutoPlay and AutoRun are disabled.

The free Sophos tool installs a new icon handler for Windows shortcuts. Whenever Windows tries to display an icon corresponding to a Windows shortcut, the new icon handler will intercept this request and validate the shortcut. If the shortcut does not contain the exploit, control will be given back to Windows.

But, if the shortcut does contain an exploit, a message is displayed to the user and extraction of the dangerous icon is blocked.

A Windows shortcut is deemed to contain the exploit if it is a Control Panel shortcut, and it points to an existing file that can be opened for execution, and neither the shortcut nor the shortcut's target are on the computer's local disk.
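The three-part rule in that paragraph is easy to misread as "block all shortcuts on removable media", so here it is written out as an added example (my own illustration, not the Sophos tool's code). Each of the three conditions is a separate test, and the sample shortcuts show that dropping any one of them (a Control Panel shortcut on the local Start Menu, a non-Control-Panel shortcut on a USB stick, a USB shortcut whose target is on the local disk) leaves the shortcut allowed. The set of local drive letters, the shortcut paths and the "target can be opened for execution" flag are constructed for the example; a real handler would get the last one from the filesystem rather than from a field.

```python
import ntpath
from dataclasses import dataclass

# Assumed for the example: drive letters that are fixed local disks on this machine.
# A real implementation would ask Windows for the drive type instead.
LOCAL_DRIVES = {"C:", "D:"}


@dataclass
class Shortcut:
    path: str                   # where the .LNK file itself lives
    target: str                 # the file the shortcut points at
    is_control_panel: bool      # True for a Control Panel style shortcut
    target_is_executable: bool  # target exists and can be opened for execution (simulated)


def is_local(path: str) -> bool:
    """True if the path is on one of the machine's local disks.

    UNC paths (\\\\server\\share\\...) and drive letters outside LOCAL_DRIVES,
    such as a USB stick mounted as E:, count as non-local.
    """
    if path.startswith("\\\\"):
        return False
    drive = ntpath.splitdrive(path)[0].upper()
    return drive in LOCAL_DRIVES


def contains_exploit(sc: Shortcut) -> bool:
    """The rule from the post: all three conditions must hold at once."""
    return (
        sc.is_control_panel
        and sc.target_is_executable
        and not is_local(sc.path)
        and not is_local(sc.target)
    )


def check_shortcut(sc: Shortcut) -> str:
    """What the icon handler would tell the user before refusing to extract the icon."""
    if contains_exploit(sc):
        return f"BLOCKED: {sc.path} would load {sc.target}"
    return "allowed"


# Constructed sample shortcuts (none of these paths refer to real malware).
SAMPLES = {
    "usb_control_panel": Shortcut(
        path="E:\\photos.lnk", target="E:\\hidden\\render.dll",
        is_control_panel=True, target_is_executable=True),
    "start_menu_control_panel": Shortcut(
        path="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Control Panel.lnk",
        target="C:\\Windows\\System32\\shell32.dll",
        is_control_panel=True, target_is_executable=True),
    "usb_plain_shortcut": Shortcut(
        path="E:\\notes.lnk", target="E:\\notes.txt",
        is_control_panel=False, target_is_executable=False),
    "usb_shortcut_local_target": Shortcut(
        path="E:\\panel.lnk", target="C:\\Windows\\System32\\timedate.cpl",
        is_control_panel=True, target_is_executable=True),
    "network_share_control_panel": Shortcut(
        path="\\\\fileserver\\share\\x.lnk", target="\\\\fileserver\\share\\x.dll",
        is_control_panel=True, target_is_executable=True),
}


def scan_all() -> dict:
    """Verdict per sample, keyed by the sample's name."""
    return {name: check_shortcut(sc) for name, sc in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:30s} {verdict}")
```

Only the first and last samples are blocked: the removable-media and network-share cases in which both the shortcut and its target sit off the local disk. That is why, as the post says, the tool leaves the Start Menu alone while Microsoft's workaround blanks every shortcut icon.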

What's really nice is that it doesn't matter what anti-virus software you're using - you can still install this free tool from Sophos, and it will work alongside your existing anti-virus.

And the Sophos Windows Shortcut Exploit Protection Tool (maybe we should have come up with a shorter name?) is a piece of cake to install. The tool can be installed and uninstalled easily and quickly. Administrators can run the installer package on the computer, and network administrators can push the installer package via Group Policies.

Hopefully soon Microsoft will release a proper patch to protect against the shortcut vulnerability, and then you can simply uninstall our tool. But in the meantime, this is neat. Very neat.

Go and get it now.



About Graham Cluley