Antivirus and Security Software from Sophos

Flirty phishing? 24/female/horny has just Twitter-spammed you

Plenty of Twitter users must be finding the spate of spam and phishing attacks that have plagued them this week pretty tedious by now.

The latest message being spammed out claims to come from a young woman:

hi, i'm 24/female/horny... i have to get off here but message me on my windows live messenger name <username>@hotmail.com

24/female/horny message on Twitter

Hilariously, this message is being sent from hacked Twitter accounts that belong to middle-aged, male and.. well, I can't easily verify the other attribute.. users.

It's hard to believe that anyone with an ounce of common sense would fall for a message like this, inviting them to connect via Windows Live Messenger (the instant messaging system formerly known as MSN Messenger), but maybe some would out of curiosity and intrigue.

It's not to be recommended though, because whoever was prepared to spam you might also be prepared to lure you via instant messaging chat into visiting an adult website, send you a malicious link or dangerous executable file, or try to phish your login details in order to spread the attack even further around the world.

These attacks are becoming quite an issue, and if they continue at their current rate one has to wonder how many Twitter users will become so fed up that they'll close their account, up sticks and move elsewhere.

Of course, if you find that your Twitter account has been sending out messages like the one above then you should change your password and double-check your computer's security as soon as possible.

If you don't, then you may find that someone else has taken action against you. Twitter has indicated that it is beginning to reset the passwords of accounts that have been compromised by the hackers.

Guest blog: Educate your users about social networking threats with our free toolkit

"Sally in the marketing department has put together a really handy package, which will help you educate your users about social networking threats. And the best news of all is that it's completely free! Tell us all about it Sally.."

Sally Adam
Hi, I'm Sally Adam from the Sophos marketing team and I'm hijacking Graham's blog to tell you about our new Social Media Security Toolkit.

As followers of the Clu-blog know only too well, malware infection and data loss through social networking sites are on the rise. And with one of the biggest security weakspots being users themselves, it's important everyone knows the risks.

Which is where the Social Media Security Toolkit comes in. It's packed with resources to help you explain how social networking threats work and the dangers they pose, and it also gives practical advice on how to stay safe.

The toolkit includes videos on safe passwords and how to avoid phishing, PowerPoint presentations on social media threats, top tips for staying secure and an example social networking security policy.

You're free to use the resources however you see fit. So stick them on your intranet, include them in training sessions, add your logos... whatever you want!

The whole idea for the toolkit came from feedback at our "Anatomy of an Attack" seminars last year - people told me they really enjoyed the sessions but would love to be able to get the security message out to all their users. And so the social media security toolkit was born.

Learn more about the Social media toolkit and download it if you wish

For me, working on the toolkit was great. Well mostly.

We consulted over 50 IT managers to find out what sort of things they would use, and I got to work with security experts across Sophos. That was fine.

But I definitely learnt that I'm not cut out for a career behind the camera! Yes, it's me in the phishing video and filming it was without doubt my most awkward moment in my years working at Sophos. I have renewed admiration for TV professionals!

Anyhow, do go ahead and download the toolkit - I hope it will help in the good fight against security threats!

Sea World killer whale attack video leads to malware

Killer whale with Dawn Brancheau
Dawn Brancheau, a trainer at Sea World in Orlando, was killed yesterday after being attacked by a killer whale.

News of the tragedy sped quickly around the world, and now sick cybercriminals are exploiting the story of 40-year-old Brancheau's death for their own commercial gain.

Through SEO (search engine optimisation) techniques, hackers have created webpages stuffed with content which appears to be ghoulish video footage of the animal trainer's death - but are really designed to infect visiting computers.

Searching for terms such as

killer whale video pictures

and

dawn brancheau video

can lead you to dangerous search results:

Sea World killer whale malicious search result

Malicious search result for Dawn Brancheau

The heartless hackers are taking advantage of the hot news story by popping up fake anti-virus (also known as scareware or rogue anti-virus) alerts. The alerts are designed to frighten unsuspecting users into believing there is a security problem with their computer, which could lead them into downloading dangerous software or handing over their credit card details.

The tactic being used by cybercriminals is the same as the one we saw after the death of Natasha Richardson and Patrick Swayze, and when they exploited interest amongst the public in the anniversary of the 9/11 terrorist attack last year.

You could argue that anyone hunting for footage of this horrific accident deserves everything that's coming to them, but the real sick ones here are the hackers who are trying to profit from the death of an innocent woman in a tragic accident.

Sophos is adding detection of the fake anti-virus software hosted at these sites as Mal/FakeAV-BW.

Guest blog: Beta test upcoming Sophos products

"Camera-phobic guest blogger Kim Charlton, who manages the beta program at Sophos, wants to bribe you into helping us improve our products. Over to you Kim.."

Kim Charlton, after she's been fixed in PhotoShop
It's beta time again and I am once again on the lookout for people to trial our latest offerings.

This time I have two beta programs running almost concurrently (I obviously didn't look busy enough last year!):

Sophos Endpoint Security and Control 9.5 beta offers:

  • Live reputation database lookup to provide protection against the latest threats
  • Live Web protection for fixed and mobile endpoints, blocking access to malicious URLs
  • Client firewall and NAC support for 64-bit Windows
  • Tamper-proofing to prevent end users from uninstalling Sophos

And in parallel PureMessage for Microsoft Exchange 3.1 will provide:

  • Microsoft Exchange 2010 support
  • Database mirroring
  • And a number of 'under the hood' improvements

If anyone would like to join these beta programs, please register your interest - the brave are welcome to beta both products!

We really appreciate all of the feedback we get during the beta programs and try to incorporate as many feature requests as we can into future releases. We will even send out Amazon vouchers worth £50 to the first ten who provide detailed feedback. Have I tempted you yet?

If anyone has any questions, you can email me. I'm going to go back to beta world now and leave the blogging to the experts!

This you???? : Phishing attack hits Twitter users

There is another widespread phishing attack hitting users of Twitter today.

Phishing tweet

Messages asking "This you????" followed by a link are being sent via the system to unsuspecting users. If you click on the link you are taken to a fake Twitter login page, where hackers are just waiting for you to hand over your credentials. In fact, they can automatically post the phishing message from your account as soon as you hand over your details.

If you have received a message like this from one of your friends it is likely that their account has been compromised by cybercriminals.

Watch this YouTube video for a demonstration of the phishing attack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

It's bad enough if hackers gain control of your Twitter account, but if you also use that same password on other websites (and our research shows that 33% of people do that all of the time) then they could access your Gmail, Hotmail, Facebook, eBay, Paypal, and so forth.

Password chart

So, be cautious about the links you click on, choose a strong password, and - if you have found that you're spreading suspicious messages from your Twitter account or believe that you have been compromised - change your passwords immediately.

You should also check the Settings/Connections screen of your Twitter account. If any third-party applications you don't recognise are listed there, revoke their permission to access your account.
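
As an added illustration (not code from this post or from Sophos), here is a small triage script that flags tweets matching the two lures described on this page: the "24/female/horny" template from the earlier post and the "This you????" message whose link leads to a fake login page. The sample tweets and the host twitter-login.example are constructed; only twitter.com is treated as a trusted login host.

```python
import re
from urllib.parse import urlparse

# Constructed sample of tweets in "account<TAB>text" form (not real data).
SAMPLE_TWEETS = """\
bob_smith\thi, i'm 24/female/horny... i have to get off here but message me on my windows live messenger name someone@hotmail.com
alice\tLunch at the new place on Main St was great
carol_j\tThis you???? http://twitter-login.example/verify
dave\tthis you???? http://twitter.com/dave/status/12345
erin\tCheck out my photos from the weekend http://example.com/pics
"""

# Templates taken from the spam and phishing waves described in the posts above.
FEMALE_SPAM_RE = re.compile(r"\b\d{2}/female/horny\b", re.IGNORECASE)
THIS_YOU_RE = re.compile(r"^\s*this you\?{2,}", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# The genuine login page lives on twitter.com; any other host in a
# "This you????" tweet is treated as a probable fake login page.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}


def suspicious_links(text):
    """Return the URLs in text whose host is not a trusted Twitter host."""
    bad = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            bad.append(url)
    return bad


def classify_tweet(text):
    """Return the reasons a tweet looks like it was sent from a hijacked account."""
    reasons = []
    if FEMALE_SPAM_RE.search(text):
        reasons.append("24/female/horny spam template")
    if THIS_YOU_RE.match(text):
        links = suspicious_links(text)
        if links:
            reasons.append("'This you????' lure with off-site link: " + ", ".join(links))
    return reasons


def flag_compromised_accounts(dump):
    """Parse 'account<TAB>text' lines; map each flagged account to its reasons."""
    flagged = {}
    for line in dump.splitlines():
        if "\t" not in line:
            continue
        account, text = line.split("\t", 1)
        reasons = classify_tweet(text)
        if reasons:
            flagged.setdefault(account, []).extend(reasons)
    return flagged


if __name__ == "__main__":
    # Accounts listed here are the ones whose owners should change their
    # password and review third-party application access.
    for account, reasons in flag_compromised_accounts(SAMPLE_TWEETS).items():
        print(f"{account}: {'; '.join(reasons)}")
```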

Vote for your favourite security blogger

Those terribly nice folks at SC Magazine are running a number of online polls on their homepage in the run-up to their awards ceremony at the RSA Conference.

The poll for the most popular security blogger caught my eye in particular.. :)

Seriously, there are some awesome security bloggers listed there, and even being shortlisted in such company is an enormous honour - especially as the Clu-blog is still relatively young. You should make a point - regardless of who you vote for - of following all of these bloggers.

Fingers crossed that my Aunty Hilda votes for me this time.. :)

The poll closes at 11 a.m. EST on Friday 26 February.

FTC notifies almost 100 organisations of P2P data leaks

The Federal Trade Commission has notified close to 100 US organisations of serious P2P-related security breaches that have exposed consumers to the risk of identity theft and fraud.

The use of P2P file-sharing networks to download music and movies opens the door for data loss both in the office and on consumers' personal PCs, when users take work home in the evening or at weekends.

Sample FTC notification about data loss on P2P file-sharing networks

The worry is that there are now cybercriminal gangs who scavenge the file-sharing networks, hunting for sensitive work documents such as financial records, driving licences and social security numbers.

If not configured properly, Kazaa, Limewire and other P2P file-sharing applications can share files on your computer that you would probably prefer the whole world didn't have access to - not only embarrassing your company, but also putting your firm, your fellow employees and your customers at risk.

The FTC's warning acts as a stern reminder to companies worldwide of the dangers posed by P2P file-sharing in the work environment, and of the need to control the movement of sensitive data.

A survey conducted by Sophos revealed that 86.5% of organisations would like the ability to block P2P file-sharing applications, with 79% indicating that blocking is essential. These statistics point towards the concerns felt by most businesses with regard to protecting their data.

Last year, a US House of Representatives Committee hearing revealed that a confidential document was shared via the Limewire peer-to-peer (P2P) file-sharing network. This document contained details of the secret service safe house that would be used by Michelle Obama in the event of the White House being evacuated. In addition, the hearing heard that sensitive details regarding the location of every nuclear facility in the USA were available via file-sharing systems.

The Obamas suffered again at the hands of a P2P data leak, when sensitive blueprints regarding the US Presidential "Marine One" helicopter appeared on a peer-to-peer file-sharing network from an IP address located in Tehran.

There have been countless other incidents of data being leaked accidentally through file-sharing networks.

A Sophos survey found that uncontrolled applications are causing serious concern for system administrators. For example, 86.5% of respondents said they want the opportunity to block P2P applications, with 79% indicating that blocking is essential.

View the wide-ranging list of applications that Sophos is able to control on your network.

By the way, if you enjoy the podcast you can download many more via iTunes or directly from our website.

Surveillance rootkits on smartphones

Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.

The scientists have shown that a malicious attacker could cause a smartphone to "eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless".

Watch the following YouTube video to learn more:

It's a cute little video, but how realistic is this threat in reality?

I don't think the kind of attack described by Iftode and Ganapathy is a big deal right now.

Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions: for instance, code that enables covert remote surveillance, drains the battery or silently steals data.

Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.

So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.

How are they going to do that?

They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the "trick" route they would be relying upon the phone's OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).

So it doesn't sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably fewer opportunities to infect a mobile phone than, say, a computer running Windows (and thus it is much harder).

Furthermore, I would argue that the typical mobile phone user is still less used to installing applications from untrusted sources than their Windows counterparts, and so the chances of success in fooling the user into installing a dangerous application can be assumed to be even lower.

Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?

If I really wanted to snoop on someone's phone I think it would probably be easier to swap my victim's mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.

Smartphone snooping

Sure, the mobile phone malware threat is growing - but it's a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but surely it's becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.

However, if I were responsible for securing my company's mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.

It's a nice video and presentation that Iftode and Ganapathy made, but I won't be losing any sleep over it just yet.

More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: "Rootkits on Smart Phones: Attacks, implications and opportunities" [PDF]

Routers with poor passwords at risk from Chuck Norris

Chuck Norris
Have you changed the password on your home router, or are you still using the default password it shipped with?

Well, a new malware attack named after a cult action movie star might make you wake up to the risk you could be running.

As ComputerWorld reports, the network security department at Masaryk University's Institute of Computer Science in Brno has discovered a new example of malware that installs itself on routers and DSL modems by cracking admin passwords.

Of course, the malware finds it much easier to break into your router if you're using an easy-to-guess password or - even more recklessly - the one the device shipped with.

The Czech researchers have dubbed the threat Chuck Norris as a comment in the source code reads in Italian "in nome di Chuck Norris", which means "in the name of Chuck Norris".

The attack is actually a collection of different pieces of malware, based upon an older IRC bot and combined with a tool to scan for weak passwords. Sophos detects the various components as W32/Mytob-KN, Troj/Batten-A, Exp/MS04011-A and Troj/DwnLdr-IBH.

It's important to realise that the worm spreads via traditional means - from Windows computer to Windows computer - so it would be wrong to describe this as a router worm.

Make sure that you have chosen a strong password on your router and DSL modem, that your anti-malware protection is up-to-date, and avoid allowing any of your computers to be recruited by the Chuck Norris botnet.

Malware-spiked adverts hit Star Tribune website

Star Tribune
The Star Tribune, the largest newspaper in the state of Minnesota, has confirmed that visitors to its website (www.startribune.com) were hit by malicious adverts earlier this week.

The "malvertising" attack, which began on Sunday, spurred the newspaper into disabling all online advertising on Monday afternoon while it investigated the infection, after users began reporting seeing fake anti-virus alerts as they read their daily fix of news.

Star Tribune story about malicious adverts on its website

According to the newspaper, scared users were told that their computers had a security problem and urged to cough up some cash for a "fix" from the internet.

Regular readers of the Clu-blog will recall that last September the New York Times was hit by a similar case of malvertising, and in the past a wide variety of media outlets (such as the Daily Mail, Gizmodo, ITV and RadioTimes) have also fallen foul of poisoned adverts serving up malware and fake anti-virus alerts.

As discussed in Sophos's recent Security Threat Report, scareware has become one of the biggest revenue-generators for cybercriminals in the last 12 months, and we're seeing more attacks all the time, either planting malicious scareware on compromised websites, posing as legitimate security companies, or exploiting hot internet search topics such as celebrity deaths.

Regrettably, the Star Tribune hasn't published details of the precise malware which was being distributed by the third-party adverts - but all computer users who could have been affected would be wise to ensure that their anti-virus protection is updated, and that their browsers and other vulnerable software is properly patched.
