Monthly Archives - May of 2011
 

Tuesday, May 31, 2011

 
New DroidDream Variant Found on Android Phones Posted by Mikko @ 15:31 GMT

Android has become the main target for mobile malware.

Here's "Hot Girls 1", which was still yesterday available for download to your Android phone from Android Market:

hot girls 1

This application was originally harmless. However, a malicious developer called "Magic Photo Studio" downloaded the original application, modified it and re-uploaded it to Android Market.

As an end result, when installing "Hot Girls 1", you might notice that it requires suspicious rights, especially for an application which is just supposed to show you pictures of, well, hot girls:

hot girls 1     hot girls 1

The malicious developer has inserted code that triggers when the phone receives a call.

hot girls 1

The added code will connect to a server and send details about the infected handset to the malware authors. So we're talking about a mobile botnet.

Our Android security product F-Secure Mobile Security blocks this as a variant of the DroidDream trojan, with the detection name Trojan:Android/DroidDream.B.

Dozens of examples of infected applications have been found from Android Market, uploaded under such developer names as Magic Photo Studio, BeeGoo and Mango Studio. Google has now removed them from the Market.







 
 

 
 
No snow! Posted by Mikko @ 13:00 GMT

We've recently started a major project with one of the largest broadband operators in North America.

As a result, F-Secure is hiring a bundle of new people.

We are in need of Architects, Developers, Testers, and Scrum Masters. We're looking for expertise in Python, C, SQL, Linux, high availability, scalability, automation, and networking.

We offer relocation packages and the works. And Helsinki is beautiful!

Here's a picture taken from our office's sauna balcony just now:

Helsinki, heavily photoshopped to remove all the snow

You see? No snow. And we expect a really beautiful sunset tonight. At 10:27pm. Join us.

You can leave an application on our recruitment pages.

 
 

 
 
Monday, May 30, 2011

 
Phishing Sites Hosted on Google's Servers Posted by Mikko @ 08:45 GMT

Google Docs allows users to create documents, spreadsheets, et cetera at google.com (hosted in Google's cloud):

spreadsheets.google.com

Spreadsheets can even contain functionality, such as forms, and these can be published to the whole world.

Unfortunately, that means we regularly see phishing sites via Google Docs spreadsheets and hosted on spreadsheets.google.com.

Here are some examples:

spreadsheets.google.com

spreadsheets.google.com

spreadsheets.google.com

These are nasty attacks, as the phishing pages are hosted on the real google.com, complete with a valid SSL certificate.

spreadsheets.google.com

While researching these, we ran into this Google spreadsheet form:

spreadsheets.google.com

And for the life of us, we just can't figure out if this is phishing or if it's a valid page run by Google [see below for the answer].

Initially, the page obviously looks like phishing: it's hosted on the public spreadsheets.google.com server where anyone can host forms. And it asks for your Google Voice number, your e-mail address and the secret PIN code.

But then, you can also find that apparent Google Employees are linking to the form.

So, we can't figure it out. Can you?

Here's the URL to the form:
https://spreadsheets.google.com/viewform?formkey=cjlWRDFTWERkZEIxUzVjSmNsN0ExU1E6MA

If you can figure this one out, let us know via comments.

Updated to add: The consensus on Twitter seems to be that it's a phishing site. The jury's still out though.

spreadssheets

Updated to add: We got contacted by a Google employee.

They informed us that, surprisingly, the questionable page is indeed the official Google form to request Google Voice account transfer. They also told us to remove all references to the form in this blog post. But I'm afraid we can't do that.

 
 

 
 
Friday, May 27, 2011

 
Vulnerability Reporting in the Age of Social Media Posted by Mikko @ 13:28 GMT

Last night, I was searching for an old e-mail when I spotted this funny header:

Tweetdeck XSS

Somebody had a sense of humor, inserting an XSS joke in e-mail headers.

I thought it was funny, so I posted about it to Twitter:

Tweetdeck XSS

Few minutes later, I saw Robin Jackson reply with this:

Tweetdeck XSS

That can't be real. No Twitter client would execute JavaScript just because a Tweet would contain a "script" tag.

Tweetdeck XSS

Tweetdeck XSS

To prove it was real, Robin posted a screenshot.

Tweetdeck XSS

The client he was using was Tweetdeck for Chrome. Time to inform the developers. And of course, they are on Twitter as well.

Tweetdeck XSS

Randy Janinda from Twitter's security team responded within minutes:

Tweetdeck XSS

Tweetdeck XSS

Tweetdeck XSS

And just two hours later I got the confirmation from Tom Woolway of the Twitter development team that the fix is out:

Tweetdeck XSS

Signing off,
Mikko







 
 

 
 
"F-Secure HTK4S" is Fake Posted by Mikko @ 11:14 GMT

We've seen this one before, but there's been a new run today.

Some clown is trying to pose as us. If you see an e-mail like the one below, please ignore it:

     From: securitysupport@hotxf.com
     Reply-To: securitysupport@hotxf.com
     Subject: Security Maintenance.F-Secure HTK4S
     To: undisclosed-recipients:;
     
     Dear Email Subscriber,
     
     Your e-mail account needs to be improved with our new
     F-Secure HTK4S anti-virus/anti-spam 2011-version.
     Fill in the columns below or your account will be
     temporarily excluded from our services.
     
     E-mail Address:
     Password:
     Phone Number:
     
     Please note that your password is encrypted
     with 1024-bit RSA keys for increased security.
     
     Management.
     
     Copyright 2011. All Rights Reserved.


We've seen this same desperate attempt in multiple languages (done with machine translation), for example:

     From: Tampere University of Technology
     Reply-To: webmailantivirus@gmail.com
     Subject: Hyvä tilin käyttäjä
     To: undisclosed-recipients:;
     
     Hyvä tilin käyttäjä, HTK4S virus on havaittu webmailiin
     tilin kansiot, ja sinun webmail-tili on päivitetty uuden
     F-Secure HTK4S anti-virus/anti-Spam versio 2011 aiheutuvien
     vahinkojen välttämiseksi meidän webmail ja tärkeitä tiedostoja.
     Täytä sarakkeet alla ja lähettää takaisin tai sähköpostisi
     keskeytetään tilapäisesti palveluistamme.
     
      Käyttäjätunnus :........ Salasana :......... SYNTYMÄAIKA: ......
     
     Jos näin ei tehdä 24 tunnin sisällä heti tehdä sähköpostisi
     käytöstä meidän database.
     Thank käytit Jyväskylän yliopisto webmail.
     
     Tampereen teknillinen yliopisto Copyright © 2009-2011
     
     (c) Verkot Kaikki oikeudet pidätetään


Ignore these e-mails and move on.

 
 

 
 
Thursday, May 26, 2011

 
Mac OS X Malware is Here For Real Posted by Mikko @ 13:31 GMT

In 1990s, we used to have a Mac product. It eventually got discontinued due to lack of threats.

Then, in October 2007, we saw something unusual: a DNS Changer Trojan for OS X.

We estimated the risk level of new Mac malware and as a result, we started developing F-Secure Anti-Virus for Mac.

While we have seen new Mac malware every now and then, many experts have been downplaying the malware risk on Mac OS X systems. But the fact is that we are seeing more and more activity.

Just during the last week, we've seen a significant rise of infections with Mac scareware trojans. These trojans are distributed via poisoned Google Images Search links.

The trojans attempt to trick the user into believing their Mac is infected — when it's actually clean. Once the user is convinced he has a problem, he will purchase a license for the fake security product called MacDefender, MacSecurity, MacProtector or MacGuard.

The trick is actually quite convincing. The user is redirected to a web page which doesn't look like a web page at all. Instead it resembles Mac's Finder:

Mac OS X fake
While this looks bad, it's just a webpage which has been designed to look like Finder.

Here's a short video showing how Google Images search will take the user to a page that tries to scare him.



The user still has to install the fake security product offered to him. The latest versions of the malware use a separate downloader which is able to install the trojan without ever prompting for the root password:

Mac Guard installer

Mac Guard installer

Here's what the rogue application looks like when it has been installed:

Mac Security

Once the user has installed the rogue product, it will further try to convince the user he's infected with something. This is done by randomly opening porn websites.

Mac Porn

Even a stubborn user will be convinced he has a problem when random porn sites will pop up every few minutes on his system.

It's important to notice that these are fake security products. They don't protect the system in any way. They simply try to scam the user into purchasing them for no reason.

This is a widespread scam and we have lots of reports of real-world infections.

How can Mac users protect themselves?

So far, our Mac product has only been available via our operator (ISP) partners.

But today, we are releasing a direct to consumer version of F-Secure Anti-Virus for Mac.

F-Secure Anti-Virus for Mac

For a limited time, you can try it for free!. Use promotional code AVMAGL. More information on the product is available here.

F-Secure Anti-Virus detects and blocks these Mac trojans as variants of Rogue:OSX/FakeMacDef and Trojan-Downloader: OSX/FakeMacDef.

 
 

 
 
Tuesday, May 24, 2011

 
Banks Profit From Spam Posted by Mikko @ 14:07 GMT

While doing some spam research a couple of years ago, we did a series of test purchases from spam e-mails.

We bought pills, software, cigarettes, et cetera. We were a bit surprised that almost all of the orders went through and actually delivered goods. Sure, the Windows CD we got was a poor clone and the Rolex was obviously fake, but at least they sent us something.

We were carefully watching the credit card accounts we created for our tests but we never saw any fraudulent use of them.

The most surprising outcome from this test was that we didn't see more spam to the e-mail addresses we used to order the goods.

Our findings were reinforced today by an excellent new study published by University of California researchers (with an impressive list of authors).

The researchers not only did test purchases from spam, they also tracked down the botnets used to send the e-mails, the hosting systems to host the spam sites and the banks that moved the money.

spam banks

One of the most interesting details in the study is this: almost all spam sales worldwide are handled by just three banks.

The banks? They were:

  •  DnB NOR (a Norwegian bank)
  •  St. Kitts-Nevis-Anguilla National Bank (in the Caribbean)
  •  Azerigazbank (from Azerbaijan)

We have to remember that spam is actually very profitable for the banks and credit card companies that move the money. That might affect how likely they are to actually do something about this.

Download the full paper from here.

P.S. We never actually got the Rolex we ordered. It was stopped and confiscated by local customs as a pirated product. They ended up destroying it. With a hammer.

Updated to add: DnB NOR bank has responded to the allegation. See their reply.







 
 

 
 
Look Carefully at the Web Address Posted by Mikko @ 12:38 GMT

What a stupid phishing site.

This site goes to great lengths to make sure you double-check that the URL you're on is accounts.craigslist.org.

And it isn't.

Craigslist phishing

This has got to be one of the stupidest phishing attacks I've ever seen.

Nobody will ever fall for that.

Except they will.

You see, people aren't reading e-mail on their computers any more. They are reading it on their phones. So they'll receive the phishing scam e-mails on their phone and they'll open the scam sites on their phones.

Let's have a look at what the site looks like on iPhone, Android and Nokia devices.

craigslist scam iphone

craigslist scam android

craigslist scam nokia e72

Now it isn't very obvious any more. (And it's particularly well formated for iPhone…)

As you can see, the small screen estate on smartphones makes phishing easier.

When you add this with the fact that most smartphones have no phishing e-mail filters and no web blocking of scam sites, we can only come up with one result: phishing works much better on phones than on PCs.

This is why our Mobile Security product blocks bad sites.

Here's what it looks like when you try to access the same site with a phone running our product.

F-Secure Mobile Security in action

We have reported the phishing website and it should be taken down soon.





 
 

 
 
AppStore Phishing Posted by ThreatInsight @ 06:28 GMT

The next time you see another post on a phishing attack and think "there's no way I'm going to fall for that", you might want to reconsider. As general users become adept at detecting a phishing attempt, the authors are changing their tactics and are taking the time to learn about the target beforehand.

This e-mail for instance, was sent to a person who recently made a purchase from the AppStore on his iPad. The "coincidental" timing is enough to warrant at least an attention from the intended recipient. Combined with tricks such as spoofed address and vague links, the recipient might even fall for the trap.

AppStore Phishing

AppStore E-mail Phishing Text

So what happens if the recipient clicked on the link? Turns out that the link leads to a drugstore site. Odd. We are expecting it go to a fake iTunes/AppStore page, in which the recipient would be prompted to input his account details. But that didn't happen.

ThreatInsight post by — Rauf

 
 

 
 
Monday, May 23, 2011

 
Using Google Web Search to Find Compromised Google Images Posted by Sean @ 15:00 GMT

Google Search has a problem.

For several weeks now, Google Image search results have been increasingly tainted by Search Engine Optimization (SEO) poisoning. Numerous sites linked to scareware trojans and exploits via Google Image results are discovered every day. Many of these sites would otherwise be considered as safe but they've been compromised by a hack of some sort.

Google's method of crawling for and ranking images is part of the problem.

This is an example of a poisoned link from Google Image results:

Google Image Search, imgurl, imgrefurl

Notice that imgurl and imgrefurl don't match. The image is "hotlinked". And even though the image is actually hosted on a server at enterupdate.com, Google will display the image preview and site information as though it's from the referring (compromised) site.

But then there are legitimate reasons for displaying the referring site as the "home" of the image. For example, our Safe and Savvy blog is powered by VIP WordPress.com, and its images are hosted on servers belonging to WordPress. If Google didn't consider the referring source of the image and ignored hotlinking (as Bing appears to), this search result wouldn't be very useful.

On the topic of WordPress, the poisoned image of actress Olivia Wilde, from the example above, is embedded in an html page located within a folder called wp-images. The compromised site is a WordPress.org blog.

http://www.#####################.co.uk/wp-images/olivia-wilde-twitter.html

Here's a selection of the olivia-wilde-twitter.html page:

oliva-wilde-twitter

As you can see, the text is complete gibberish. All of the page's hyperlinks connect to additional pages located on the same site, and all of the images are hotlinked and are loaded from external sources.

The html also includes a section focused on topics that have been more or less directly pulled from Google Trends.

All of this investigation brings us to a useful Google Web search that can be used to locate compromised sites. Searching for inurl:wp-images and a currently "trending topic" yields plenty of results that attempt an SEO attack.

Needless to say, we don't recommend such a search unless you're doing so from a research network. (And then you should also use Google SSL as the poisoned SEO sites will only attack if visited from http://www.google.com.)

 
 

 
 
Friday, May 20, 2011

 
Phishing Site Found on a Sony Server Posted by Mikko @ 07:42 GMT

We know you're not supposed to kick somebody when they're already down… but we just found a live phishing site running on one of Sony's servers.

However, this incident has nothing to do with the Sony PSN hack.

This is the official homepage of Sony Thailand:

sony.co.th

And here's a phishing site running under hdworld.sony.co.th, targeting an Italian credit card company.

sony.co.th

Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important.

Sony has been notified. The malicious URL is blocked for our customers.

 
 

 
 
Wednesday, May 18, 2011

 
Online Criminals Trading in Twitter Posted by Mikko @ 06:24 GMT

Surely nobody would sell stolen credit cards on Twitter?

Except they do.

For example, check out Mr. SshoaibAhmed:

Shoaib Ahmed, sshoaibahmed, sshoaibahmed607

Let's follow the link…

Shoaib Ahmed, sshoaibahmed, sshoaibahmed607

Indeed, he seems to sell credit card info, most likely collected with keyloggers from infected home computers.

The prices of stolen credit cards range from $2 to $20, depending on the country where they were stolen from:

Shoaib Ahmed, sshoaibahmed, sshoaibahmed607

The "vis" stands for VISA, "mas" for MasterCard, "dis" for Discovery, and "amex" for American Express cards.

Alternatively, if you'd rather not use stolen credit cards yourself, you can have him buy you iPhones, iPads and laptops with stolen credit cards and ship them to you. In practice, the thief will log into an online store, then purchase an iPad as a gift purchase, giving your address as the delivery address and paying for the good with a stolen credit card. An iPad bought like this goes for $150.

Shoaib Ahmed, sshoaibahmed, sshoaibahmed607

But keyloggers collect more than credit cards. They also record passwords when you log into online services.

So this vendor is also selling access to other people's online bank accounts. An account with a balance of $28,000 sells for $1,000:

Shoaib Ahmed, sshoaibahmed, sshoaibahmed607

Finally, to prove he really has the goods, the vendor posts "demo" information. Which basically is personal information on a handful of victims, including names, home addresses, credit card numbers, and passwords (heavily redacted here):

Shoaib Ahmed, sshoaibahmed, sshoaibahmed607

The accounts shown above have been reported to relevant authorities.

 
 

 
 
Friday, May 13, 2011

 
Professional Online Criminals Posted by Mikko @ 13:09 GMT

Some of the most common banking trojans we run into are versions of ZeuS (ZBot) and SpyEye. These are not your average bots. They are commercially developed crimeware. The trick is that the groups that develop and sell ZeuS and SpyEye do not use them themselves.

ZeuS for sale

Customers that buy ZeuS or SpyEye are the ones that actually attack the banks, and doing so, they take a higher risk of getting caught.

This is the equivalent of somebody selling instructions on how to break into banks vault, complete with the tools to do it — but not actually breaking in themselves.

Just how professional are these tools? Well, take a look at the recently leaked manual of ZeuS 2.0.8.9.

ZeuS manual

Turns out this criminal banking trojan has better documentation than most software that we see.

 
 

 
 
Thursday, May 12, 2011

 
Facebook Video Spam Revamped Posted by ThreatInsight @ 11:11 GMT

Last week there was an outbreak on Facebook of video spam related to Osama bin Laden's death. The previous spam was basically variations of this:

Facebook spam

If a curious user clicked on the link in the spam, it would eventually bring them to a page which basically makes the user manually send out spam to his own Facebook contacts, under the guise of a "security check" to view the video:

fake security check

The user essentially does a copy and paste execute of the script:

Facebook spam code

That code messages the user's first-degree friends (with spam).

So we were analyzing the previous run of video spam on our test machine and today, woke up to find our Facebook Inboxes with tons of new spam, which has been revised so that we don't even need to copy and paste the script any more. How convenient.

The spam we received looked like this:

Friend spam

Then, we'd be expected to clicked the ==VERIFY MY ACCOUNT== at the bottom (note: we do not recommend this).

Then we saw this at the bottom of our browser:

Facebook spam code latest

The code would post the same message on our Facebook account's Wall as the message the previous spam run sent out to the first-degree contacts.

Next, a pop up box appeared:

verification fail notice

And then redirects to this page:

redirect

It is not really clear as to what the aim of the author is, there does not seem to be any obvious monetary gain. But it is definitely an upgrade on the previous spam run.

On a side note — posted "via iPhone"? No, not really. Assigning the 6628568379 to the app_id parameter apparently makes Facebook recognize that the posting is from an iPhone:

Facebook spam code

For example, visiting http://www.facebook.com/apps/application.php?id=6628568379 would lead to http://www.facebook.com/iphone.

Threat Insight post by — Shantini and Rauf

 
 

 
 
Wednesday, May 11, 2011

 
Pravda Hacked Posted by Mikko @ 08:14 GMT

The English language version website of a major Russian newspaper Pravda (Правда, i.e. "The Truth") has been hacked.

Pravda

There are no visible changes done to the site. Instead, the page silently loads exploit scripts that try to infect the user via vulnerabilities in Java. If successful, the visitors computer gets hit by a bot that allows outsiders to access and use the computer.

An attack like this is particularly devious. An end user might go to the same news website every morning for years, learning to trust it. Then one day it has become dangerous and will take over your computer, just by opening your favorite page.

Five years ago, if somebody managed to break into a major site like this, they would typically delete all content and post stupid pictures on the front page. Nowadays they do an invisible modification on the site, trying to stay undetected as long as possible, hoping to gain access to thousands of visitors computers.

We expect the site to get cleaned shortly.

Pravda

 
 

 
 
Monday, May 9, 2011

 
Problematic Certificates Posted by Mikko @ 17:40 GMT

Recent events have highlighted that certification — and the lack of accountability in code signing and SSL certificates — have become a major issue.

Having an SSL certificate is a way for website owners to prove to their sites' visitors that they really are the genuine owners. Most Internet users and even major Internet companies implicitly trust the Certification Authorities (CAs). CAs sell SSL certificates for the encryption of web traffic, which enables secure transactions such as online banking and shopping across https connections.

However, the current certification system dates from the 1990s and has not scaled well to the sheer size and complexity of the Internet today. In addition to the major certification companies such as Verisign, GoDaddy and Comodo, there are hundreds or even thousands of regional CAs that are basically resellers for the larger companies.

Comodo recently announced that a hacker had gained entry to its systems by obtaining the password and username of one of Comodo's Italian resellers. The hacker, who has since publicly claimed that he is from Iran, issued nine rogue certificates through the company. The certificates were issued for popular domains like google.com, yahoo.com and skype.com.

It just boggles the mind that a small reseller in Italy can issue a certificate for google.com in the first place. You would think that would trip some sanity check somewhere. It didn't.

What can you do with such a certificate? If you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to a fake https://login.skype.com address and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their e-mail when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn't notice this was going on.

In August 2010 Jarno Niemelä, Senior Researcher at F-Secure, started investigating a case of identity theft also involving Comodo, after discovering a malware sample that was signed by a code signing certificate. He tracked down the company mentioned in the certificate, and found a small consulting firm.

Niemelä contacted the company and asked whether they were aware that their code signing certificate had been stolen. Their response was that *they did not have any code signing certificates*. In fact, they didn't even produce software and therefore had nothing to sign. Clearly someone else had obtained the certificate in their name; they had been a victim of corporate identity theft.

With the help of the victim and Comodo, Niemelä discovered that the certificate had been requested in the name of an actual employee and that Comodo had used both e-mail and phone call verification to check the identity of the applicant. Unfortunately, the fraudster had access to the employee's e-mail and Comodo's phone call verification had either ended up with the wrong person or had failed due to a misunderstanding.

In fact, the compromised employee had also received a phone call from Thawte, another CA company. When Thawte asked if she had requested a code signing certificate in the company's name, she answered "No". Thawte then aborted the certification process.

This case shows that the malware authors will try multiple CAs until they find a way in.

When scammers have access to a company's e-mail, it is very difficult for a CA to verify whether the request coming from the company is genuine. It is likely that we will see more cases where an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates.

Certification Authorities already have measures to pass information about suspicious certification attempts, and other kinds of system abuse. However, these systems are maintained by humans and are thus fallible. We have to accept the fact that with the current systems, certificates are not fool proof.

We talk more about this topic in our latest YouTube video.


 
 

 
 
Thursday, May 5, 2011

 
Analysis of an Osama bin Laden RTF Exploit Posted by Sean @ 09:07 GMT

Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.

Many of the attacks we've seen which exploit CVE-2010-333 have used topical subject lines.

And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".

The file name is called: "Laden's Death.doc" and appears as so:

Courier who led U.S. to Osama bin Laden's hideout identified

When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:/RECYCLER and executes it.

C:/RECYCLER/server.exe does the following:

  •  Drops a file in the system's temp folder: vmm2.tmp
  •  File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
  •  Makes registry modifications in an attempt to hijack the DHCP service.

It attempts to connect to a C&C hosted at ucparlnet.com.

The payload has the ability to:

  •  Download additional malware
  •  Connect and send sensitive data back to remote servers
  •  Act as a trojan proxy server

The folks at contagio malware dump report that "It was sent to many targets in the US Government today".

Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.

As always, the usual advice applies, exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.

You can see more examples of CVE-2010-3333 attacks at contagio.

Updated to add: Here's a picture of an e-mail spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the e-mail is forged.

Laden's Death.doc

 
 

 
 
Wednesday, May 4, 2011

 
Facebook Prompting Users to Enable HTTPS Posted by Sean @ 16:36 GMT

I was examining some Facebook spam this morning, hosted on a Page using an iframe tab application of some sort.

(Facebook appears to have a handle on spam Applications at the moment, as the current batch of spam is abusing Pages rather than Applications.)

In any case, the iframe content of the Page was not encrypted, and so I needed to temporarily disable my account's https option.

When I returned to my New Feed, I saw this promotion:

Help Protect Your Account with Secure Browsing (https)
Help Protect Your Account with Secure Browsing (https)

I shouldn't have seen the prompt, as my account already had the https feature enabled, and the page was already https encrypted, but, well, Facebook is buggy like that.

Anyway, it seems that Facebook is poking users to Enable Secure Browsing.

Good. Kudos to Facebook.

Now that the https setting is persistent and the feature appears to be dynamic, everybody should consider using it; there's plenty of benefits and very little down side. If your Facebook account is not yet https enabled and you don't yet see the prompt, you can also find the option in your Account Settings under "Account Security".

Regards,
Sean

 
 

 
 
Tuesday, May 3, 2011

 
Yes, Fotos_Osama_Bin_Laden.exe is Malware Posted by Mikko @ 08:29 GMT

We have just received the first samples of malware trying to ride on the death of Osama bin Laden.

A file called Fotos_Osama_Bin_Laden.zip is being spammed via e-mail. The archive contains a file called Fotos_Osama_Bin_Laden.exe (md5: d57a1ef18383a8684c525cf415588490).

Fotos_Osama_Bin_Laden.exe / Osama bin Laden

Of course, running this file won't show pictures of dead bin Laden. Instead it executes a banking trojan belonging to the Banload family. It will install itself on the system (as msapps\msinfo\42636.exe) and starts to monitor your online banking sessions (via a BHO), trying to redirect your payments to wrong accounts.

We detect this one as Trojan-Downloader:W32/Banload.BKHJ.

As a general advice: It's unlikely you'll find pictures or videos of Bin Laden's death online — but searching for one will certainly take you to sites with malware. Take care.







 
 

 
 
Sony's PC Gaming Network Hacked Too Posted by Mikko @ 07:32 GMT

We've just updated our FAQ on the Sony hacks to cover both the PSN and SEO hacks.