Friends, Followers, Fans: Be On Guard in 2010


By Mike Kronenberg


Do you use a social networking site? Be prepared, because I predict in 2010 it’ll be a major target for cyber criminals. Among the threat experts here at Webroot, we’ve discussed the ROI opportunity that social networks present an enterprising hacker who strings together the personal information people choose to share on social networks, or who creates a program to infect PCs with one click of a malicious link.

I’ve also discussed the issue with my colleagues in the security industry. Each of us acknowledges that users of all kinds – be it individuals, public figures, nonprofits, or corporations – assume a certain level of risk when signing on to one. But we all agree social networks are pretty much essential in today’s networked society and economy.

Given that, I’d like to share my take on the top five reasons why social networks hold such great appeal for cybercriminals so you can begin thinking about how you’ll use them in 2010.

Ron Paul, Beyonce Tease a Drive-By Rogue AV


By Andrew Brandt


Here’s a mind-bender for you to ponder over the holidays: What do diva musician Beyonce, the massively-multiplayer game World of Warcraft, the anime series Naruto, and Libertarian politician (and failed presidential candidate) Ron Paul have in common?

I couldn’t guess what you might come up with, but we’ve found a drive-by download attack that delivers malware, using these disparate icons as a hook to convince Web surfers to click malicious links. The hack attempt was discovered by a Threat Research Analyst who also happens to be a Ron Paul fanatic (and I do mean fanatic — that’s a photo of his truck parked out back). While doing his daily search for Ron’s latest words of wisdom, he encountered a cleverly crafted campaign to manipulate search results which originated with Twitter feeds suddenly lighting up with links supposedly pointing to YouTube videos.

A large number of Twitter accounts tweeted messages like “YOUTUBE RON PAUL – BEST NEW VIDEO – WATCH NOW” or “YOUTUBE NARUTO CHAT ROOM 1 | BEST NEW VIDEO | WATCH NOW” — you get the idea — all within a short amount of time. Each of those screaming teasers was accompanied by a URL shortened using the bit.ly (and to a lesser extent, TinyURL.com) service; the bit.ly URLs pointed to a (now deleted) hidden subdirectory on the website of Stage Time magazine, an online-only, stand-up-comedy industry publication (neither YouTube nor Stage Time was knowingly involved in the hack; they were victims as well). And the many first-time visitors to that site found their computers in a world of hurt shortly after following one or another of those links.

The malicious pages on Stage Time hosted PHP scripts that pushed down several new malware samples. The scripts exploited security vulnerabilities in older versions of Adobe Flash and Adobe Reader, loading maliciously crafted SWF and PDF files in order to force the browser to pull down and run malicious executables that had virtually no detection across the spectrum of antivirus vendors. Some of these samples were droppers, others were downloaders; in either case, the drive-by payloads left the PC in a very bad state.

Drive-by downloads such as these serve to illustrate a point I can’t emphasize enough: No matter how careful you might think you are, one wrong click can lead to an infection. In the case of this drive-by, the malicious website attempted to load first an Adobe Flash video, then a PDF file, which tricked the browser into downloading more malware. Now more than ever, browser plug-ins like Flash and Adobe Reader need to be kept up to date. For additional protection, you can disable JavaScript in Adobe Reader; in this case, it would have stopped the initial infection in its tracks.


New Koobface Creates its Own Malicious Web Pages


By Andrew Brandt


Over the past several months, we’ve seen Koobface steadily progress in its ability to infect systems with malware. In our latest tests, we’ve found that the most recent version of this social-networm has a few new holiday-themed tricks up its sleeve. Among those tricks are a new, improved “captcha breaker” utility; a tool to check whether you have a Google and/or a Blogspot account (and, if not, it creates a new Google account); and a tool designed to create Google Reader pages on the fly, which the worm then uses to post malicious code. Those Google Reader accounts then end up linked in private messages and wall-to-wall posts on a variety of social network sites.

The Koobface-generated Google Reader pages have been floating around for a little while now, but I’d never seen the worm in action. What I found fascinating was that I could observe the process of the worm creating a new Google account on my testbed.

In order to create the Google account, it downloaded and ran four new applications: “v2googlecheck” simply looks at your browser cookies to determine whether you already have a Google account; “v2newblogger” creates a new account if one doesn’t already exist; “v2captcha” prompts the user of the infected machine to enter a captcha into a dialog box that looks like a Windows login dialog (in order to complete the account creation); and “v2reader,” which creates the new page, and passes that information to the worm.

Once the Google account is created, it then uses that account to generate a new, malicious Google Reader page.


Facebook Phishing Campaign Wants Your Passwords


By Andrew Brandt


Yet another new phishing campaign targeting users of Facebook struck over the Halloween holiday weekend. After scammers began filling inboxes last week with bogus “Facebook update” attachments, this weekend we saw a different group at work. Employing URLs with random domain names registered under the .eu top-level domain, the campaign looks similar to messages distributed in a recent series of phishing campaigns that attempt to convince the user that the mail comes from a legitimate source, such as the FDIC, IRS, HMRC (the UK’s tax authority), your IT department, or any of several well-known banks.

The email messages use a forged From: address that makes them appear to originate from the legitimate facebookmail.com domain, and were timed for just after Facebook’s highly publicized changes to its homepage went live, which clearly indicates that the phishers were going for the jugular. When you follow the link, you’re presented with a login dialog identical to that used by Facebook. Once you enter your password into that form, you’re presented with a page titled “Account Update” where you’re prompted to download and execute something called the Facebook Update Tool.

The messages read, in part:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.

…followed by the typical tease to “click here” and a link that doesn’t lead where you think it will. The URLs in the message begin with “www.facebook.com” but that’s part of the ruse: the full URL is http://www.facebook.com.(some random letters).eu followed by a query string that includes a long string of numbers and the recipient’s email address (see example).

In the past, links formatted in precisely the same way led directly to pages hosting versions of the Trojan-Backdoor-Progdav (aka Zbot) keylogger. That’s also true in this case. So the bad guys don’t just want your Facebook password. They want all of your passwords.

We’ve seen a lot of this style of phishing campaign just in the past few weeks and, if history serves as a guide, the small number of links in the spam messages we received over the weekend will likely be followed by dozens more versions, each with a distinct URL. Facebook users would be well advised to refrain from following the links in the message; if you suspect that you’ve inadvertently fallen victim to this dirty trick, change your Facebook password immediately — from another computer.
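The URL trick this post describes (a link that starts with “www.facebook.com” but whose real domain is a random .eu name, with the recipient’s address tucked into the query string) is easy to check for mechanically. The following Python script is an added example, not code from the original post or from Webroot: it parses a link, decides whether the host genuinely belongs to the brand or merely uses the brand name as leading labels, reports the domain the browser would actually connect to, and pulls out any query value that looks like an email address. The sample lure, the random labels, the path and the parameter names are constructed for the example; the two-label approximation of the registrable domain is an assumption that a production tool would replace with a public suffix list lookup.

```python
from urllib.parse import parse_qs, urlsplit

# Domains the lure impersonates. The post names facebook.com (in the link) and
# facebookmail.com (in the forged From: address); the tuple itself is
# constructed for this example.
IMPERSONATED_DOMAINS = ("facebook.com", "facebookmail.com")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Good enough for a 'something.eu' lure; a production tool would consult
    the public suffix list so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_belongs_to(host, domain):
    """True only if host IS domain or a real subdomain of it (suffix match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Classify a URL as 'ok', 'lookalike' or 'unknown' relative to the brands above.

    A 'lookalike' is a host such as www.facebook.com.xxxx.eu: the brand name
    appears as leading labels, but the suffix (what the browser actually
    connects to) belongs to someone else. Any query value containing an '@'
    is reported as a tracking token, since this campaign embedded the
    recipient's address in the link.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {
        "host": host,
        "verdict": "unknown",
        "actual_domain": registrable_domain(host),
        "tracked_email": None,
    }
    for domain in IMPERSONATED_DOMAINS:
        if host_belongs_to(host, domain):
            result["verdict"] = "ok"
            break
        if host.startswith(domain + ".") or ("." + domain + ".") in host:
            result["verdict"] = "lookalike"
            result["impersonates"] = domain
            break
    for values in parse_qs(parts.query).values():
        for value in values:
            if "@" in value:
                result["tracked_email"] = value
    return result


# Constructed sample link in the shape the post describes (the random labels,
# the path and the parameter names are made up for this example).
SAMPLE_LURE = ("http://www.facebook.com.qzxkvt.eu/login.php"
               "?id=1234567890123456&email=victim%40example.com")


if __name__ == "__main__":
    for link in (SAMPLE_LURE, "https://www.facebook.com/home.php"):
        print(classify_link(link))
```

The key design point is the direction of the match: a host is trusted only when the brand's domain is its suffix, never because the brand name appears somewhere in it. Running the script on the constructed lure yields a `lookalike` verdict with `qzxkvt.eu` as the real domain and `victim@example.com` as the embedded tracking token, while the genuine Facebook URL is reported as `ok`.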

“Shipping Confirmation” Malware on the Rise


By Andrew Brandt


As autumn approaches, the world typically sees an increase in the number of online shopping trips, as people take advantage of bargains from late-year sales, and prepare for various holidays. And, right on cue, we’re also seeing an increase in the number of Trojans distributed in the guise of “shipping confirmation” email messages. And these Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.

The Trojan arrives attached to a vaguely-worded email message thanking the recipient for their order of a high-ticket item. Previous versions of this same kind of message were crafted as though the message source was one of the major shippers, such as FedEx, UPS, DHL, or the US Postal Service, and the message (purportedly) contains tracking information.

But these new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet. These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to “print the label to get your package.”

Um, wait, what? Why would I need to print a label to receive a package? That makes no sense whatsoever. Do the malware authors think we’re dumb, or what? No, don’t answer that, because we’re not dumb. They’re using psychology against us.
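The attachment pattern described above (a zip archive holding an executable dressed up as a spreadsheet or shipping label) is exactly what a mail gateway or triage script should catch before anyone is tempted to “print the label.” The following Python script is an added example, not code from the original post or from Webroot: it opens a zip in memory, flags entries whose final extension Windows would execute, notes when the file name also pretends to be a document, and independently checks each entry’s first two bytes for the PE `MZ` signature so that a renamed executable is caught too. The extension list, the document hint words and the sample archive are constructed for this example.

```python
import io
import os
import zipfile

# Extensions Windows will run when double-clicked. Constructed list for this
# example; extend it to match your gateway's policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Name fragments that suggest 'harmless document', as in the lure the post
# describes (a spreadsheet-looking file that supposedly prints your label).
DOCUMENT_HINTS = (".xls", ".doc", ".pdf", "label", "invoice", "order", "tracking")


def inspect_attachment(zip_bytes):
    """Return a list of (entry_name, reasons) for entries worth blocking.

    Flags (a) entries whose final extension is executable, adding a note when
    the name also pretends to be a document, and (b) entries whose content
    starts with the 'MZ' PE signature regardless of extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            stem, ext = os.path.splitext(info.filename.lower())
            with archive.open(info) as fh:
                magic = fh.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
                if any(hint in stem for hint in DOCUMENT_HINTS):
                    reasons.append("name disguised as a document")
            if magic == b"MZ":
                reasons.append("PE header (MZ) at offset 0")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample: a minimal PE-looking stub named like a shipping label.

    The stub is just the two-byte signature padded with zeros; it is not a
    real program and cannot run.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Shipping_Label_Order_48213.xls.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("thank_you.txt", b"Thank you for your order.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_attachment(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

Checking the content signature separately from the file name matters because the two cues fail independently: a double extension like `.xls.exe` is caught by the name rule, while an executable renamed to `.xls` (which Explorer would still display with whatever icon the sender embedded) is caught only by the `MZ` check. On the constructed sample, the script reports the disguised executable with all three reasons and leaves the plain text file alone.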


‘Koobfox’ variant digs for Firefox cookies


By Andrew Brandt


A new variant of the Koobface worm started striking out this week, with a twist: Where the older Koobface would steal and use the cookies saved by Internet Explorer which store social network logins in order to spread its infectious messages in the victim’s name, this new variant is pulling down a tool designed to steal credentials saved by Firefox (in the form of cookies and stored passwords). Users of the Firefox browser were, until now, able to thwart the pernicious spy’s ability to hijack a victim’s social network accounts, because the two browsers store their cookies in different locations, and in different formats.

We got wind of the new variant as we saw the characteristic links spreading through various networks yesterday. In our early tests, the worm exhibited similar skill at spreading over multiple networks: In addition to Facebook, the MySpace, Hi5, Friendster, Tagged and Netlog accounts we use for testing its behavior were used to spread malicious links, posted either to the victim’s “wall” or status, or as messages sent to all of the account-holder’s friends.

Using a well-documented hack to access the Firefox cookie file, the payload (appropriately named ff2ie.exe) looks for a copy of the file sqlite3.dll on the victim’s hard drive, then uses the functionality of that file to pull social network cookie information from the Firefox cookie database (as shown in the screenshot, above), and write an Internet Explorer cookie containing all that information. With the IE cookie(s) in place, the rest of the Koobface payloads work as they did before.

The worm continues to query the download server for payloads targeting 10 social networking services, but for an undetermined reason, it only delivered six targeted payloads. We also saw that, instead of downloading the executable payloads directly, the worm downloaded installers, each of which place various payloads in the Windows folder, then self-delete.
