NEWS - February 26, 2010

Britain all atweet over Twitter phishing attack

"A Twitter phishing attack has hit several prominent British Twitter users"

The latest phishing attack on Twitter users swept the U.K. overnight claiming several prominent users.

The result was evident on Friday morning when users woke up to find messages on compromised accounts that read, "hey, i've been having better sex and longer with this here," followed by a link to a Web site selling sexual-performance drugs.

Although the number of people affected is difficult to determine, it made top news on the country's TV networks and news sites perhaps in part because of those affected. They include at least one member of Parliament and several journalists.

Ed Miliband, a British Cabinet member and the country's secretary for energy and climate change, tweeted on Friday morning, "Oh dear it seems like I've fallen victim to twitter's latest 'phishing' scam." The tweet had been removed from his Twitter stream.

Continued here:

Also From Sophos: UK Cabinet Minister Ed Miliband hacked on Twitter
Searching For Joannie Rochette Leads To Rogue AV

Websense Security Labs™ ThreatSeeker™ Network has detected that black hat Search Engine Optimization (SEO) techniques are abusing the name of an Olympic figure skater who is very popular in recent news.

Joannie Rochette is a Canadian figure skater and the 2009 world silver medallist. In the 2010 Winter Olympics in Vancouver, despite the loss of her mother just 48 hours before her competition, she delivered a sensational performance and qualified to compete for gold.

The bad guys still took advantage of this tragic incident and used it in the infamous Black SEO poisoning attacks. Searching for Joannie Rochette in reputable search engines leads to rogue AV.

This use of the Black SEO technique is even more pertinent now that the results have been announced, with Rochette receiving a bronze medal for her performance. [...]

Once the victim clicks on the poisoned search results, he/she is redirected to the rogue AV page, and a fake Anti-virus executable asks for the victim's confirmation before being downloaded.

Related topics are 4th and 7th on Google's Hot Trends USA list. Joannie Rochette is currently the most popular search term on Google Canada at the time of writing: [...]

Continued here:

Troj/IFrame-DY: Old websites don't die, they just get infected

Earlier this week Sophos informed a UK Local Police Authority (Hertfordshire) that a website they owned was infected with Troj/IFrame-DY.

It turns out that the Police Authority has a new site and the infected site is an old one that just leads the user to the new site: [...]

Unfortunately, the old site also contains a malicious script, appended after the closing </HTML> tag. [...]

There are several ways of migrating users to a new website:

1. Deleting the old and letting a search engine take the strain
2. Doing server-side redirects
3. Asking the ISP to point the old website to the new site's IP address
4. Relying on client-side redirects
There are benefits and costs for all the above methods, however, from a security point of view having an old abandoned (not updated and secured) website is the worst.

Continued here:
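The infection described above lives after the closing </HTML> tag, which is a cheap thing to check for on any legacy site you still host. The following scanner is an added example, not Sophos' tooling: it reports script or iframe tags that sit after the last </html> tag. The sample page embedded in it is constructed, and the appended <script> is an inert placeholder standing in for an injected one, not the Troj/IFrame-DY payload.

```python
"""Flag HTML files that carry <script> or <iframe> tags after the closing </html> tag.
Added example (not Sophos' code). SAMPLE_PAGE is constructed; its trailing <script>
is an inert placeholder, not the real injected script."""
import re
import sys

# Constructed sample: an abandoned "we have moved" page with junk appended after </html>.
SAMPLE_PAGE = """<html>
<head><meta http-equiv="refresh" content="0;url=http://new-site.invalid/"></head>
<body>This site has moved to http://new-site.invalid/</body>
</html>
<script>/* inert placeholder standing in for an injected script */ var marker = 1;</script>
"""

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
RISKY_TAG = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def trailing_content(html: str) -> str:
    """Return everything after the last </html> tag, or '' if there is no such tag."""
    matches = list(CLOSE_HTML.finditer(html))
    if not matches:
        return ""
    return html[matches[-1].end():]


def suspicious_trailer_tags(html: str) -> list:
    """Lower-cased names of script/iframe tags that appear after </html>."""
    return [m.group(1).lower() for m in RISKY_TAG.finditer(trailing_content(html))]


def scan_file(path: str) -> list:
    """Scan one file on disk. Read as bytes and decode leniently, because injected
    code is often in a different encoding from the page it was appended to."""
    with open(path, "rb") as fh:
        return suspicious_trailer_tags(fh.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("constructed sample page:", suspicious_trailer_tags(SAMPLE_PAGE))
    for p in paths:
        tags = scan_file(p)
        print(p, "SUSPICIOUS" if tags else "clean", tags)
```

Run it over a directory of static pages (for example with `find . -name '*.htm*' -exec python3 scan.py {} +`) and review anything reported; a browser will happily execute a script placed after </html>, so such a finding on an abandoned site should be treated as a compromise rather than a cosmetic defect.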

Do I Know You?

(Symantec products detected the downloaded misleading application below as AntiVirus2010)

From the Symantec Security Response Blog:

Imagine that you're sitting at home catching up on your email backlog. In comes an email from your ISP, FooBarBazCo (some creativity required here, I know). The email seems to be from Technical Support ("From: Team") and states that you need to update your email settings as a result of a recent security upgrade. Can you trust it?

Today we observed an increase in spam messages containing links to a particular malicious URL. The messages masquerade as having come from mail administrators, with the "from" address spoofed so that they appear to have come from the same network domain as the address to which the mails are sent (the "from" and "to" addresses are actually identical, although this will not be visible in most email programs).

The received messages state that mailbox 'settings were changed' and urge users to 'apply the new set of settings' by clicking a link to an executable, which unsurprisingly turns out to be malicious: [...]

Clicking the link leads to a download of the following misleading application, which we see here with the usual UI misspellings and fake scan results: [...]

Continued here:
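The two tells the Symantec post describes, a From address identical to the To address and a "settings were changed" lure linking straight to an executable, are easy to check for at the mail gateway. The script below is an added example, not Symantec's detection logic; the raw messages in it are constructed and the link points at a placeholder domain.

```python
"""Flag 'mail administrator' lures whose From address equals the To address and whose
body links to an executable. Added example, not Symantec's code; both raw messages
below are constructed and the URL is a placeholder."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed lure in the shape described above: spoofed From == To, link to an .exe.
LURE = b"""From: Team <user@example.invalid>
To: user@example.invalid
Subject: Mailbox settings were changed
Content-Type: text/plain; charset=us-ascii

Your mailbox settings were changed after a recent security upgrade.
Apply the new set of settings here: http://placeholder.invalid/settings/update.exe
"""

# Constructed benign notice from a real helpdesk address.
BENIGN = b"""From: Helpdesk <helpdesk@example.invalid>
To: user@example.invalid
Subject: Maintenance window

Mail will be unavailable Saturday 02:00-03:00 UTC.
"""

EXECUTABLE_LINK = re.compile(r"https?://\S+\.(?:exe|scr|bat|pif|msi)\b", re.IGNORECASE)
LURE_PHRASES = re.compile(r"settings were changed|apply the new set", re.IGNORECASE)


def find_indicators(raw: bytes) -> list:
    """Return the names of the indicators present in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []

    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    if sender and sender == recipient:
        indicators.append("from_equals_to")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if EXECUTABLE_LINK.search(text):
        indicators.append("executable_link")
    if LURE_PHRASES.search(text):
        indicators.append("settings_lure")
    return indicators


def is_suspicious(raw: bytes) -> bool:
    """Two or more indicators together are enough to quarantine for review."""
    return len(find_indicators(raw)) >= 2


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, find_indicators(raw), "QUARANTINE" if is_suspicious(raw) else "deliver")
```

The From/To comparison alone is not a verdict (some list software and "send me a copy" features legitimately produce it), which is why the example only quarantines when a second indicator is present; the message-body regexes are deliberately narrow to the lure text quoted in the post and should be extended from your own samples.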

Insight into fake AV SEO

From the SophosLabs Blog:

Readers of the Sophos blogs will probably have seen the post Graham made about the "killer whale video" SEO attacks. We have described SEO attacks before (for example here). In this post I want to highlight how these attacks are working, and how Sophos protects you against them.

1. Pages using server side kits to fool search engine bots into ranking them high in results are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, high up in the search engine results are links to these pages. In the example below, the malicious SEO page was the 2nd item in the search results (highlighted in blue).

2. When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below).

3. There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org to the .in site (purple).

4. Finally, the user will be redirected to the fake AV distribution site (red). This is where the user receives the usual visual trickery, in order to fool them into installing the rogue application.

Continued here:
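The referrer check in step 2 is what makes these pages hard to spot by eye: fetched directly, the page looks harmless; fetched with a search-engine Referer, it starts the redirect chain of steps 2 to 4. The script below is an added example, not Sophos' tooling, that detects that referrer-conditional behaviour by following the chain twice and comparing the final destinations. The host names and redirect table in it are constructed; `urllib_fetch` is a real fetcher for use against a URL you are analysing, while the tests use the constructed `fake_fetch`.

```python
"""Detect referrer-conditional redirection (search-engine cloaking) by walking the
redirect chain with and without a search-engine Referer. Added example, not Sophos'
code. All .invalid host names and the redirect table below are constructed."""
from typing import Callable, List, Optional, Tuple

# A fetcher performs ONE request without following redirects and returns
# (status_code, Location header or None).
Fetcher = Callable[[str, Optional[str]], Tuple[int, Optional[str]]]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def follow_chain(url: str, referer: Optional[str], fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Follow redirects hop by hop, recording every URL visited. The Referer is kept
    unchanged across hops, which is what a browser does on a 3xx response."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, referer)
        if status not in REDIRECT_CODES or not location:
            break
        url = location
        chain.append(url)
    return chain


def is_cloaked(url: str, fetch: Fetcher,
               search_referer: str = "https://search.example.invalid/?q=test"):
    """True when the final destination differs depending on the Referer header."""
    plain = follow_chain(url, None, fetch)
    via_search = follow_chain(url, search_referer, fetch)
    return plain[-1] != via_search[-1], plain, via_search


# Constructed behaviour mirroring the four stages described in the post:
# the uploaded SEO page gates on the Referer, then hops .org -> .in -> fake AV site.
FAKE_HOPS = {
    "http://hop.org.invalid/go": (302, "http://hop.in.invalid/go"),
    "http://hop.in.invalid/go": (302, "http://fakeav.invalid/scan"),
}


def fake_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Offline stand-in for the network; used by the demo and the tests."""
    if url == "http://compromised-site.invalid/seo-page.html":
        if referer and referer.startswith("https://search.example.invalid/"):
            return 302, "http://hop.org.invalid/go"
        return 200, None  # direct visitors just see the innocuous page
    return FAKE_HOPS.get(url, (200, None))


def urllib_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Real single-request fetcher (no automatic redirect following). Network access
    required, so it is not exercised by the tests."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make every 3xx surface as an HTTPError instead of being followed

    opener = urllib.request.build_opener(NoRedirect)
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    cloaked, plain, via_search = is_cloaked("http://compromised-site.invalid/seo-page.html", fake_fetch)
    print("cloaked:", cloaked)
    print("direct   :", " -> ".join(plain))
    print("from search:", " -> ".join(via_search))
```

When pointing `urllib_fetch` at a real suspect URL, do it from an isolated analysis host and only record the chain; the final hop is the fake AV landing page, and the intermediate hosts are worth feeding to your web proxy's block list along with the destination.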

Thunderbird 3.0.2 released

One week after releasing security updates for its Firefox browser, the Mozilla Foundation has also updated Thunderbird. In version 3.0.2, the developers have closed several critical holes that can be exploited to compromise a system.

Reportedly, disabling the DNS pre-fetching feature is now easier. When activated, DNS pre-fetching in Thunderbird allows spammers to check whether an email has been read via links incorporated in the email message. Unlike other known web bugs that retrieve further content, Thunderbird's default pre-fetching setting resolves the included domains in advance. Special sub-domains and a dedicated name server then allow spammers to establish whether a certain query has been resolved.

Continued here:

Cloud based Web application security assessment

Cenzic released ClickToSecure Cloud, a self-service, completely cloud based Web application security assessment solution. With this new cloud platform, Cenzic has created open APIs to allow deeper integration with other vendors.

The solution allows the user to test their Websites for vulnerabilities and conduct quick assessments entirely in the cloud. The solution will have various levels of assessments from a basic health check to a support for compliance for PCI 6.6, and other regulations.

ClickToSecure Cloud is the latest product in Cenzic's Web vulnerability scanning solution portfolio, which also includes Cenzic Hailstorm (enterprise software), and Cenzic ClickToSecure Managed (a remote assessment service conducted by Cenzic security experts on behalf of customers).

Pricing starts at $399, allowing SMBs who in the past couldn't afford Web application security solutions to now jump start their security posture at very affordable price-points. Furthermore, the flexibility of Cenzic's solutions allows customers to scale to deeper testing while doing so at their own pace.

The future doesn't look bright for Google in China

Google's announcement that it will leave China if the censoring of their search results continues seems not to have affected the Chinese government much.

They have not shown any intention of complying with the request, and what's more, they have actually announced new restrictions regarding Internet use. Anyone who wishes to have a personal website will have to ask the government for permission to do so. They will also be required to supply a photo and some form of identification.

The government says all this will be employed as a measure to deal with pornography on the Internet, but there are many who see it just as another measure to silence the political opposition.

According to Wired, last year the Chinese government made it mandatory for every newly manufactured PC to be equipped with censorship software. Also last year, YouTube was blocked because of videos of anti-Tibetan violence, and Google was often criticized by the government, which is of the opinion that the search giant makes pornography readily available.

Hotbar has a whale of a time

With news of the rather horrible whale incident buzzing around in the news right now, two things were guaranteed:

1) Rogue SEO would step up to bat and

2) A bunch of crumbum "videos" would pop up on Youtube, promising glimpses of the final moments of the dead whale trainer.

Sure enough: [...]

Hit the link, and you're dumped on the familiar site of a Hotbar gateway prompt: [...]

In addition to the Hotbar install, you get ShopperReports (preticked) and BrowserQuest (also preticked).

Place your bets. Do you think our curious ghoul is going to see some horrible footage, or an empty spamblog? [...]

Continued here:

Microsoft warns over rogue Security Essentials

Microsoft has warned Windows users to be on their guard against a piece of rogue antivirus software passing itself off as Microsoft Security Essentials.

Security essentials 2010 is a piece of software Microsoft said installs a fake virus scanner on your machine and monitors and blocks processes it doesn't like.

The software will also block access to websites of antivirus and malware companies and flag up a warning message. You can see the list of blocked sites here.

Security essentials 2010 blocks access by downloading a Win32/Alureon component and another Layered Service Provider component, Microsoft's David Wood wrote on the company's Malware Protection Center blog.

Continued here:

From the Microsoft Malware Protection Center: If it calls itself "Security Essentials 2010", then it's possibly fake, innit?

NOT the real [ ] is a brilliant site that helps both public and researchers alike determine if an executable file they have is potentially malicious or not.

Julio Canto (of VirusTotal fame) has noticed that somebody decided to cash in on the good name of the site with the following domain:


Go there, and you'll see a message claiming the site is a "free online antivirus scanning service, click SCAN to begin scanning:" [...]

Hit "Scan", and it isn't long before this happens: [...]

Yes, we have some Rogue Antivirus advertising in the house, to the tune of "Your computer is infected by viruses" complete with the now familiar fake image of your drives and folders: [...]

Continued here: