i2 Security Blog

Keeping you up to date on the world of IT Security


New Year Selena Gomez Facebook Scam

So it's the start of 2012 and the first of many Facebook scams has begun. It involves Selena Gomez and tempts you with a 'possibly' naughty leaked video.

The link includes the words:

Selena Gomez Caught On (LEAKED Tape) 
 you will lost your all respect for Selena Gomez after watching this


Clicking the wall post link takes you to the following page designed to look like Facebook:

Clicking the play button loads a “share” box allowing you to spread the scam message to your friends. The following survey scam also loads:

Note: scams like this often rotate through multiple domains, so the landing pages and scam messages you see may vary from the ones shown here.

Dealing with the Scam:

If you did make the mistake of sharing the scam link, then you are now spamming your friends with the very same message. Clean up your news feed and profile to remove references to the scam (click the "x" in the top right-hand corner of the post).

Never complete surveys to unlock videos or other content on Facebook. Scammers use these tricks to spread malware, harvest personal information or earn commissions from affiliate marketing companies. Don't pad their pockets and possibly open yourself up to harm.

Some of the surveys require you to download files to your computer. Never do this. If you did so in error, run a complete system scan with a reputable anti-virus product. The I.Q. Quiz scam has been around for a while; it typically requires you to enter your mobile number to receive the results, after which the scammers sign you up for premium-rate services and bill you for them. Keep an eye on your phone bill for bogus charges.

Yet another Facebook Worm

Another attack on Facebook users, this time delivering the Zeus bot, is under way. Researchers at Danish security firm CSIS have spotted a worm spreading within the Facebook platform. It uses apparently stolen user credentials to log in to victims' accounts and then sends malicious links to their friends. The worm also downloads and installs a variety of malware on users' machines, including a variant of the Zeus bot.

 

If followed, the link takes the potential victim to a page offering what appears to be a screensaver for download. It is not the image file it appears to be, but an executable (b.exe). Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a widespread Trojan capable of stealing user information from infected machines. The worm also performs anti-VM checks and will not run inside a virtual environment such as Oracle VM VirtualBox or VMware, which makes it harder to analyse in a sandbox.
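The lure relies on the file's name and icon saying "image" while its contents say "executable". A quick check that looks at the leading bytes rather than the extension catches that, and also the double-extension trick (photo.jpg.exe) that Windows hides by default. This is an added example, not code from the original post or from CSIS's analysis; the signature table and the sample files are constructed for the demonstration. Note that a genuine Windows screensaver (.scr) is itself a PE executable, so even an honestly named "screensaver" download is a program, not a picture.

```python
"""Detect a downloaded file whose content does not match what its name claims.

Added example, not part of the original post or of CSIS's analysis.
A Windows PE file (.exe, .dll, .scr) starts with the bytes 'MZ' regardless
of what extension it has been given.
"""
from typing import Optional

# Leading byte signatures for a few common formats (constructed table,
# only the types this example needs).
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pe": b"MZ",  # DOS/PE executables, including screensavers
}

# Which detected type each extension legitimately belongs to.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of data, else None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def last_extension(filename: str) -> str:
    """'photo.jpg.exe' -> '.exe'; the final extension is what Windows executes."""
    lowered = filename.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def classify(filename: str, data: bytes) -> str:
    """'ok' if name and content agree, 'masquerade' for an executable hiding
    behind a non-executable name or a decoy double extension, 'mismatch'
    for other disagreements, 'unknown' if the signature is unrecognised."""
    kind = sniff(data)
    ext = last_extension(filename)
    if kind is None:
        return "unknown"
    if kind == "pe":
        parts = filename.lower().split(".")
        decoy_ext = "." + parts[-2] if len(parts) > 2 else ""
        decoy = decoy_ext in EXPECTED and EXPECTED[decoy_ext] != "pe"
        return "ok" if EXPECTED.get(ext) == "pe" and not decoy else "masquerade"
    return "ok" if EXPECTED.get(ext) == kind else "mismatch"


# Constructed samples: a JPEG header, a PE header stub under several names,
# and a PNG header with the wrong extension.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "screensaver.jpg": PE_STUB,   # executable content, image name
    "photo.jpg.exe": PE_STUB,     # shows as photo.jpg when extensions are hidden
    "b.exe": PE_STUB,             # at least honest about being a program
    "cute.gif": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} -> {classify(name, blob)}")
```

Run it against a real download with `classify(path, open(path, "rb").read(16))`; only the first few bytes are needed. Anything reported as "masquerade" should never be opened outside a sandbox.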

 
Zeus is a common tool in the arsenal of many attackers these days and is used in a wide variety of attacks and campaigns. It used to be somewhat less common, but the appearance of cracked versions of the Zeus code has made it easier for lower-level attackers to get their hands on the malware. Zeus has a range of capabilities and specialises in stealing sensitive user data, such as banking credentials, from infected machines.

“The worm carries a cocktail of malware onto your machine, including a Zbot/ZeuS variant, which is a serious threat and steals sensitive information from the infected machine,” warn the researchers. The worm is hosted on a variety of domains, so the link in the malicious message may vary. Other servers collect the data sent by the malware and serve additional malicious software.

As always, be very wary of any links posted to you on Facebook, even if they appear to come from your friends. Be equally wary of emails asking for login or banking details, or even just your name and address.

  • If you haven’t asked for a password reset then a company won’t have sent you an email asking you to reset your password.
  • If you haven’t made a banking transaction recently then your bank won’t be cancelling it.
  • The same applies to any other 'urgent' request: if you did not start the process, the message about it did not come from the company.

Facebook promises ‘consequences’ for smut scammers!

Facebook officials have tracked down the scammers responsible for filling the social network with images depicting bestiality, self-mutilation and other depravity and are vowing to seek justice.

 

Facebook has blamed the extreme smut on a “self-XSS vulnerability in the browser” that tricked users into pasting and executing malicious JavaScript in their address bars, causing them to unknowingly share the content. The term is a little misleading: nothing in the browser is broken, the pasted script simply runs in the context of the victim's logged-in Facebook session with all of that user's privileges. Many victims have reported that the highly offensive content is visible to others but not to the user whose account was used to spread it.

 

According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:

“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow.”

 

Facebook has yet to elaborate on key details of the ongoing attack. It is still unknown whether the technique depends on a particular browser, and how many of its 800 million users have been affected.

Security firm Zscaler has a primer on self-inflicted JavaScript injection on its website. In the post, researcher Mike Geide said the most common ploy in the ongoing deluge comes from malicious Facebook groups that ask users to join and then paste JavaScript into their URL bar.

 

The scripts contain obfuscated code that generates invite messages to all of a user's Facebook friends and includes an invisible link, which has since been taken down.
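What makes the address-bar trick work is that whatever the victim pastes is parsed as a URL, and a `javascript:` URL is executed in the origin of the page currently open. Any filter that tries to spot such a paste has to parse the scheme the way the browser does, because `startswith("javascript:")` misses the variants a browser still accepts. The function below, an added example and not code from the original post, Facebook or Zscaler, follows the WHATWG URL parser's scheme rules: strip leading and trailing C0 controls and spaces, drop tab, LF and CR anywhere, then compare the scheme case-insensitively. The evasion strings are constructed for the demonstration.

```python
"""Recognise a javascript: URL the way a browser address bar will.

Added example, not from the original post, Facebook or Zscaler. Mirrors the
WHATWG URL standard's preprocessing before the scheme is read.
"""
import re
from typing import Optional

# Characters the URL parser strips from both ends: C0 controls and space.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
# Characters it removes anywhere in the input.
_TAB_AND_NEWLINES = {ord("\t"): None, ord("\n"): None, ord("\r"): None}
# A scheme is an ASCII letter followed by letters, digits, '+', '-' or '.',
# terminated by ':'.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes whose "URL" is really code to run in the current page's origin.
SCRIPT_SCHEMES = {"javascript"}


def url_scheme(text: str) -> Optional[str]:
    """Return the lowercase scheme a browser would parse from pasted text."""
    cleaned = text.strip(_C0_AND_SPACE).translate(_TAB_AND_NEWLINES)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_script_url(text: str) -> bool:
    """True if the pasted text would execute as script rather than navigate."""
    return url_scheme(text) in SCRIPT_SCHEMES


def naive_check(text: str) -> bool:
    """The check many filters actually implement, kept here for contrast."""
    return text.startswith("javascript:")


# Constructed inputs covering the common ways the naive check is bypassed.
SAMPLES = [
    "javascript:alert(document.cookie)",
    "  JaVaScRiPt:void(0)",
    "java\tscript:document.cookie",
    "\x01javascript:alert(1)",
    "http://example.com/?next=javascript:alert(1)",
    "not a url at all",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:48} browser={is_script_url(s)!s:5} naive={naive_check(s)}")
```

Browsers later closed the address-bar vector themselves by discarding the `javascript:` scheme from pasted text; the parsing rule above is still the one to apply anywhere user-supplied URLs are accepted (link fields, redirect parameters), since the same evasions work there.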

TopShop Facebook Scam

Only the other week I reported on the Tesco, Argos and ASDA Facebook scams that were circulating. They offered you money in return for 'Liking' them on Facebook.

 

The scam detailed there has shown up again, this time using TopShop as the famous retailer that is 'supposedly' offering money. Do not do as they ask: you will not get anything in return. Read my earlier post about the Tesco, Argos and ASDA scam.

App Store expels iOS hacker

Charlie Miller, a well-known Apple hacker who has exposed a large number of vulnerabilities in Apple's software, has been expelled from the iOS Developer Program by Apple. This happened after he published an app that exposed a serious bug in current iPhones and iPads.

 

InstaStock, which had been accepted into the App Store back in September, is a program that tracks stock prices in real time. It also contained a hidden capability that bypassed the protection in iOS that prevents code from running unless it carries Apple's cryptographic signature. As a result the app could do other things, including downloading pictures and contact details from iPhones and iPads.

Apparently, a few hours after Miller revealed the 'extra' functionality of his app, he received an email stating that Apple was terminating him from the iOS Developer Program for violating a clause in the program's licence in which he agreed he wouldn't “hide, misrepresent or obscure any features, content, services or functionality” of applications he submitted.

 

Miller's code-signing bypass exploits a change introduced in iOS 4.3 that for the first time created a small region of memory, mapped both writable and executable, in which unsigned code downloaded from the internet could run. The exception was designed to improve the performance of Safari by allowing its JavaScript engine to do just-in-time compilation. To prevent the exception from being abused, Apple tightly restricted it to Safari, and even then only in certain cases. Miller found a flaw in the way those checks were applied.

 

Miller said he is concerned that his expulsion will hinder his ability to find security bugs in Apple software before it becomes publicly available. A case in point is iOS 5.0.1, which is currently in beta testing. No longer part of the developer program, Miller has lost access to beta code and will have to wait until it is released before he can check it for vulnerabilities, by which time it may well be too late.

Hollywood hacker changes his mind and pleads not guilty

The Florida man, Christopher Chaney, accused of breaking into the email accounts of actresses Scarlett Johansson and Mila Kunis, and as many as 50 other celebrities, and making off with nude photos and personal information, has pleaded not guilty.

Chaney, 35, of Jacksonville, Florida, denied the allegations during his first court appearance on Tuesday in California, where the charges were filed. US Judge Patrick Walsh raised Chaney's bail from $10,000 to $110,000 after prosecutors presented evidence that he may have stalked three additional victims.

The plea came after he had publicly apologised in a television news interview in Jacksonville.

“It started as curiosity and it turned to just being addictive,” Chaney said in front of a video camera. “Seeing the behind-the-scenes of what’s going on with the people you see on the big screen. I was almost relieved when they came in and took the computers inside.”

For more information visit the previous post on this website about this incident.

Vanity Fair published a brief article on Tuesday in which Scarlett Johansson showed no regret about taking nude photos of herself and storing them online.

“I know my best angles,” she said. “They were sent to my husband. There’s nothing wrong with that. It’s not like I was shooting a porno.”

Attack on Wampserver and WordPress sites

Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the website of the very popular WampServer project. WampServer is a package of web components bundled together for Windows users; the name comes from the software it contains (Windows, Apache, MySQL, PHP).

Almost at the bottom of the web page the team found some JavaScript requesting a file from jquery.googlecode.com, with the URL followed by a long string of parameters. The file returns a 404; it is only there to make the script look like a legitimate jQuery include.

Once the script was decoded they found an iframe leading to vc-business.com/in.php. According to the analysis, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor is redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been listed as distributing the ZeroAccess rootkit.
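Both artefacts described above have a static shape you can look for when triaging a page you suspect has been tampered with: a script tag pulling from an off-site host with an unusually long query string, and an iframe sized or styled so that it is never seen. The scanner below is an added example, not code from the original post or from Stopmalvertising's analysis. The HTML it runs over is constructed, and the hostnames in it (`*.invalid`, `example.*`) are placeholders, not the domains from the real campaign; the "site host" argument is likewise a placeholder for whatever site you are checking.

```python
"""Flag off-site scripts with long query strings and invisible iframes in HTML.

Added example, not part of the original post or Stopmalvertising's analysis.
Static check only: it will not see an iframe that is written by obfuscated
JavaScript at run time, which is why the decoded script matters too.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# width:0 / height:0 in an inline style, not matching e.g. border-width:0.
_ZERO_DIM_RE = re.compile(r"(?<![a-z-])(?:width|height):0(?:px)?(?:;|$)")


class InjectionScanner(HTMLParser):
    """Collects <script> and <iframe> tags matching the injection patterns."""

    def __init__(self, site_host: str, max_query: int = 64):
        super().__init__()
        self.site_host = site_host.lower()
        self.max_query = max_query
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        a: Dict[str, str] = {name: (value or "") for name, value in attrs}
        if tag == "script" and a.get("src"):
            self._check_script(a["src"])
        elif tag == "iframe":
            self._check_iframe(a)

    def _check_script(self, src: str) -> None:
        parts = urlsplit(src)
        off_site = bool(parts.netloc) and parts.netloc.lower() != self.site_host
        if off_site and len(parts.query) > self.max_query:
            self.findings.append(
                f"off-site script with {len(parts.query)}-char query: "
                f"{parts.netloc}{parts.path}")

    def _check_iframe(self, a: Dict[str, str]) -> None:
        style = a.get("style", "").replace(" ", "").lower()

        def tiny(value: str) -> bool:
            return value.strip().lower().rstrip("px") in {"0", "1"}

        hidden = ("display:none" in style or "visibility:hidden" in style
                  or _ZERO_DIM_RE.search(style) is not None
                  or tiny(a.get("width", "")) or tiny(a.get("height", "")))
        if hidden:
            self.findings.append(f"hidden iframe pointing at {a.get('src', '(no src)')}")


def scan(html: str, site_host: str) -> List[str]:
    """Return the list of findings for one page; empty means nothing matched."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed pages: a clean one, and the same page with an injected tail
# shaped like the one described in the post.
CLEAN_PAGE = """<html><body>
<h1>Downloads</h1>
<script src="/js/site.js?ver=3.2"></script>
<script src="http://cdn.example.net/jquery.min.js?ver=1.7.1"></script>
<iframe src="http://video.example.net/embed/42" width="560" height="315"></iframe>
</body></html>"""

INJECTED_TAIL = (
    '<script src="http://jquery.cdn.invalid/jquery.js?' + "a1b2c3d4" * 12 + '"></script>\n'
    '<iframe src="http://redirector.invalid/in.php" width="1" height="1" '
    'style="visibility: hidden"></iframe>\n')

COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_TAIL + "</body>")

if __name__ == "__main__":
    for finding in scan(COMPROMISED_PAGE, "www.example.com"):
        print(finding)
```

Treat a hit as a reason to pull the page source and decode any obfuscated script, not as proof of compromise on its own: legitimate tag managers also use long query strings, and tracking pixels use 1x1 iframes.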

Another Blackhole campaign was discovered on thousands of WordPress sites running an outdated copy of the popular TimThumb image tool. Avast senior researcher Jan Sirmer found that attackers had exploited weak FTP credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. That was not the only route in: stolen FTP passwords were also used to modify site files directly. Alongside the legitimate site files, a file appears that looks like ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js. Note that l10n.js is a genuine WordPress core file, so in that case the attackers are modifying a legitimate file rather than adding one, which is why comparing against a known-clean copy matters more than looking for unfamiliar names.
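The practical way to spot either form of tampering, a new file dropped into the tree or a core file quietly appended to, is a hash baseline taken while the site is known clean and compared against the live tree afterwards. The script below is an added example, not code from the original post or from Avast's analysis. It builds a toy WordPress tree in a temporary directory, baselines it, replays the two changes named above with placeholder content (not the real payload), and reports the difference.

```python
"""Build a SHA-256 baseline of a web root and report what changed.

Added example, not part of the original post or Avast's analysis. The tree
below is constructed in a temporary directory; file contents are stand-ins.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file (relative, '/'-separated path) to its SHA-256 hex digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def diff_tree(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or changed in `current` relative to `baseline`."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str, append: bool = False) -> None:
    """Create (or append to) a file under root, making parent directories."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Baseline a toy site, replay the two changes from the post, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a few genuine site files.
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-includes/js/l10n.js", "/* core file (constructed stand-in) */\n")
        _write(root, "wp-content/themes/demo/timthumb.php", "<?php // constructed stand-in\n")
        baseline = hash_tree(root)  # taken while the site is known clean

        # The two artefacts named in the post, with placeholder content:
        # a new file appears, and an existing core file is appended to.
        _write(root, "wp-content/w3tc/min/a12ed303.925433.js", "/* placeholder */\n")
        _write(root, "wp-includes/js/l10n.js", "/* appended (placeholder) */\n", append=True)

        return diff_tree(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Keep the baseline somewhere the web server's FTP account cannot write to, otherwise an attacker with the same stolen password can update it along with the files. For core files, the baseline can be taken from a fresh download of the same WordPress release rather than from the possibly already compromised site.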

Xbox Kinect Malware created by Indian Researchers

A 15-year-old Indian security researcher, Shantanu Gawde of MalCon Research, has created malware that uses the Microsoft Xbox Kinect controller.

In recent months there have been a number of innovative Kinect hacks, using both open-source drivers and the official Kinect SDK.

The malware, code-named 'gawde' after its creator, runs on Windows 7 and secretly captures pictures of the victim and their surroundings from a connected Kinect device, then uploads them to a Picasa account.

Rajshekhar Murthy, Director at ISAC (Information Sharing and Analysis Center), a scientific non-profit body that holds the International Malware Conference, MalCon, said: “We believe that in coming years, a lot of Windows based applications will be developed for Kinect and the device will gain further immense popularity and acceptance, and from a perspective of an attacker, such a popular device can be an exciting target for visual and audio intelligence. At MalCon research labs, we promote proactive security research and the malware utilizing Kinect is only a proof of concept.”

The Kinect malware 'gawde' goes a step further and uses voice recognition to execute a program when it hears a keyword, without the victim's knowledge. The proof of concept will be demonstrated at the upcoming MalCon 2011 in Mumbai, India.

Mac Attack using Tsunami Trojan

A new attack against Apple Macs has been discovered and is being termed the “Tsunami Trojan”.

 

The newly discovered Tsunami Trojan is derived from an earlier Linux backdoor called Kaiten, which connects from infected machines back to an IRC channel to receive instructions. Security firms are still analysing Tsunami, but early indications are that it is a DDoS tool.

 

“Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn't mean the problem is non-existent,” says Graham Cluley of security firm Sophos.

“We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying. My advice to Mac users is simple: don’t be a soft target, protect yourself.”

 

I would fully agree with what Graham Cluley says: many people think there are no Trojans or viruses for Macs, but they are mistaken, and this article proves it once again. No matter what operating system you are running, be it Windows, Linux or Mac OS X, you should still look to secure it, keep patches up to date and run security software.

 

Don’t be one of the poorly protected computers spoken of above!

 

If you are a Mac user concerned about security, Sophos currently offers a free anti-virus product for download from its site.

Skype Flaw Allows IP Address and Location Tracking

A newly discovered flaw in Skype allows its users to be tracked by IP address. The privacy breach in the popular internet video chat program means that anyone could potentially work out a user's whereabouts, according to a study co-authored by an NYU-Poly professor.

The flaw could allow a skilled attacker to find out the IP address from which a user has logged in to Skype, and from that their approximate location, which is a significant breach of privacy. Having the IP address alone does not let anyone trace you to your home address, however; it places you in a rough geographic area and identifies your ISP.

The company is trying to downplay the flaw, claiming that the ability to derive IP addresses is common to all internet-based communication clients.

The flaw can reportedly be exploited without the user’s knowledge, and can be executed on a large scale. The research team demonstrated this by scheduling hourly calls to tens of thousands of Skype users.

Adrian Asher, Skype's chief information security officer, said that IP addresses are easily uncovered in most internet communications clients. “Just as with typical Internet communications software, Skype users who are connected may be able to determine each other's IP addresses. Through research and development, we will continue to make advances in this area and improvements to our software,” he said.

The IP address you are using usually comes from a pool that your ISP hands out. By locating a Skype user's IP address an attacker can work out their ISP and a rough location, so don't worry: you won't get someone knocking at your door because you told them off on Skype, they may just know which part of the country you are in :)