i2 Security Blog

Keeping you up to date on the world of IT Security


New Year Selena Gomez Facebook Scam

So it's the start of 2012 and the first of many Facebook scams has begun. It involves Selena Gomez and tempts you to watch a 'possibly' naughty leaked video.

The link includes the words:

Selena Gomez Caught On (LEAKED Tape) 
 you will lost your all respect for Selena Gomez after watching this

Clicking the wall post link takes you to the following page designed to look like Facebook:

Clicking the play button loads a “share” box allowing you to spread the scam message to your friends. The following survey scam also loads:

Note: scams like this often use multiple domains, so you may see a variation in the landing pages and scam messages.

Dealing with the Scam:

If you did make the mistake of sharing the scam link, then you are now spamming your friends with the very same message. Clean up your newsfeed and profile to remove references to the scam (click the "x" in the top right-hand corner of the post).

Never complete surveys to unlock videos or other content on Facebook. Scammers use these tricks to spread malware, harvest personal information or earn commissions from marketing companies. Don't line their pockets and possibly open yourself up to harm!

Some of the surveys require you to download files to your computer. Never do this! If you did so in error, then run a complete system scan with a good anti-virus software program. The I.Q. Quiz scam has been around for a while, and it typically requires you to enter your cell phone number to receive the results. The scammers then bill you for premium services. Keep an eye on your phone bill for bogus charges.

Yet another Facebook Worm

Today another new attack on Facebook users, this time involving the Zeus bot, has come into action. Researchers at Danish security firm CSIS have spotted a worm spreading within the Facebook platform. The new worm uses apparently stolen user credentials to log in to victims' accounts and then sends out malicious links to their friends. The worm also downloads and installs a variety of malware on users' machines, including a variant of the Zeus bot.


If followed, the link takes potential victims to a page where they are offered what appears to be a screensaver for download. Unfortunately it is not a JPG file but an executable (b.exe). Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm is also found to have anti-VM capabilities, so it will not run when executed in a virtual environment such as Oracle VM VirtualBox or VMware, which makes testing it there useless.

Zeus is a common tool in the arsenal of many attackers these days, and is used in a wide variety of attacks and campaigns. It used to be somewhat less common, but the appearance of cracked versions of the Zeus code has made it easier for lower-level attackers to get their hands on the malware. Zeus has a range of capabilities and specialises in stealing sensitive user data, such as banking credentials, from infected machines.

"The worm carries a cocktail of malware onto your machine, including a Zbot/ZeuS variant which is a serious threat and steals sensitive information from the infected machine," warn the researchers. The worm is hosted on a variety of domains, so the link in the malicious message may vary. Other servers are used to collect the data sent by the malware and to serve additional malicious software.

As always, be very wary of any links that are posted to you on Facebook, even if they appear to be from your friends. Also be very wary if you receive any emails asking for login details or banking details, or even if they just request your name and address.

  • If you haven’t asked for a password reset then a company won’t have sent you an email asking you to reset your password.
  • If you haven’t made a banking transaction recently then your bank won’t be cancelling it.
  • etc etc etc

Facebook promises ‘consequences’ for smut scammers!

Facebook officials have tracked down the scammers responsible for filling the social network with images depicting bestiality, self-mutilation and other depravity, and are vowing to seek justice.


Facebook has blamed the extreme smut on a "self-XSS vulnerability in the browser" that tricked users into pasting and executing malicious JavaScript in their address bars, causing them to unknowingly share this content. Many victims have reported that the highly offensive content is visible to others but not to the user whose account was used to spread it.


According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:

“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow.”


Facebook has yet to elaborate on key details of the ongoing attack. It’s still unknown if the cross-site scripting vulnerability is unique to a particular browser and how many of its 800 million users have been affected.

Security firm Zscaler has a primer on self-inflicted JavaScript injection on their website. In the post, researcher Mike Geide said the most common ploy in the ongoing deluge comes from malicious Facebook groups that ask users to join and then enter JavaScript into their URL bar.


The scripts contain obfuscated code that generates invite messages to all of a user’s Facebook friends and includes an invisible link which has now been taken down.

Hollywood hacker changes his mind and pleads not guilty

The Florida man accused of breaking into the email accounts of actresses Scarlett Johansson and Mila Kunis, and as many as 50 other celebrities, and making off with nude photos and personal information has changed his plea and pleaded not guilty.

Chaney, 35, of Jacksonville, Florida, denied the allegations during his first court appearance on Tuesday in California, where the charges were filed. US Judge Patrick Walsh increased Chaney’s bail to $110,000 from $10,000 after prosecutors presented evidence he may have stalked three additional victims.

The change came after he publicly apologised on a television news broadcast in Jacksonville.

“It started as curiosity and it turned to just being addictive,” Chaney said in front of a video camera. “Seeing the behind-the-scenes of what’s going on with the people you see on the big screen. I was almost relieved when they came in and took the computers inside.”

For more information visit the previous post on this website about this incident.

Vanity Fair published a brief article on Tuesday where Scarlett Johansson showed no regrets for snapping nude photos of herself and storing them online.

“I know my best angles,” she said. “They were sent to my husband. There’s nothing wrong with that. It’s not like I was shooting a porno.”

Attack on Wampserver and WordPress sites

Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the website of the very popular web server software known as WampServer. WampServer is a package of web components bundled together for Windows users; the name comes from the software in the package (Windows, Apache, MySQL, PHP).

Almost at the bottom of the web page, the team who discovered this found some JavaScript requesting a file from jquery.googlecode.com. The URL is followed by a long string of parameters. The file returns a 404; it is just there to fool people.

Once the script was decoded they found an iframe leading to vc-business.com/in.php. According to the analysis, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor is redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been listed as distributing the ZeroAccess rootkit.
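Both the self-XSS scripts described in the Facebook post above ("obfuscated code" pasted into the address bar) and the WampServer injection (an obfuscated script near the bottom of the page that decodes to a hidden iframe) leave the same fingerprints in page source. The following scanner is an added example written for this blog entry, not code from i2, Stopmalvertising or Zscaler; it walks an HTML document with Python's standard-library parser and flags three things: inline scripts that combine decoding and writing primitives or contain long runs of escaped characters, external script tags with an unusually long query string, and iframes that are sized or styled to be invisible. The two HTML documents, the `example.invalid` hostnames and the thresholds (`LONG_QUERY`, the 20-escape run) are constructed for the demonstration.

```python
"""Heuristic scanner for injected scripts and hidden iframes in page source.

Added example for the i2 Security Blog posts on self-XSS and the WampServer
Blackhole injection; not code from any vendor named on the page. Sample
pages, hostnames and thresholds below are constructed for the demo.
"""
import re
from html.parser import HTMLParser

# Primitives that rarely appear together in hand-written page code but are
# the staple of obfuscated droppers (decode a blob, then write it into the DOM).
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
# Twenty or more consecutive %XX / \xXX / \uXXXX escapes: a packed payload.
ESCAPED_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){20,}")
LONG_QUERY = 80  # assumed threshold: query string length on an external script src


def _dimension(value):
    """Parse a width/height attribute; None when it is not a plain number."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except (TypeError, ValueError):
        return None


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (kind, detail) in document order
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            dims = (_dimension(attrs.get("width")), _dimension(attrs.get("height")))
            tiny = any(d is not None and d <= 1 for d in dims)
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden_iframe", attrs.get("src") or ""))
        elif tag == "script":
            self._in_script = True
            self._script_text = []
            src = attrs.get("src") or ""
            if "?" in src and len(src.split("?", 1)[1]) > LONG_QUERY:
                self.findings.append(("long_query_script", src))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw text through handle_data.
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_text)
            hits = [t for t in OBFUSCATION_TOKENS if t in body]
            if len(hits) >= 2 or ESCAPED_RUN.search(body):
                self.findings.append(("obfuscated_script", ", ".join(hits) or "escaped-run"))
            self._in_script = False


def scan_html(html):
    """Return [(finding_kind, detail), ...] for one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: one clean, one carrying the three injection markers.
ESCAPED_IFRAME = "%3C%69%66%72%61%6D%65" * 4      # "<iframe" URL-escaped, repeated
LONG_QUERY_STRING = "a" * 120

CLEAN_PAGE = """<html><body><h1>Downloads</h1>
<script src="/js/site.js"></script>
<iframe src="/embed/player.html" width="640" height="360"></iframe>
</body></html>"""

INJECTED_PAGE = f"""<html><body><h1>Downloads</h1>
<script src="https://cdn.example.invalid/jquery.js?{LONG_QUERY_STRING}"></script>
<script>document.write(unescape('{ESCAPED_IFRAME}'));</script>
<iframe src="https://example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Run it against saved copies of a site's pages (or a crawl of your own site) rather than live; each finding is a lead for a human to decode, not a verdict, since legitimate minifiers also produce long escaped strings and some analytics tags use sizeable query strings.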

Another attack by the Blackhole Exploit Kit was discovered on thousands of WordPress websites that use an outdated version of the popular TimThumb image tool. Avast senior researcher Jan Sirmer found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. But this is not the only way the attack was successful: another vector was to use stolen passwords to make changes directly over FTP. In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
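Because the symptom in this case is a file that simply appears alongside the site's own files, the practical defence is a hash baseline of the web root that is re-checked on a schedule. The script below is an added example for this post, not Avast's or the blog's code: it records a SHA-256 per file, stores the baseline as JSON, and on the next run classifies files as added, changed or removed. The `demo()` function builds a small constructed WordPress-like tree in a temporary directory and then simulates the drop using the two file names the post quotes plus an edited `index.php`; everything in it is constructed.

```python
"""Web-root file-integrity baseline.

Added example for the TimThumb/FTP WordPress post on the i2 Security Blog;
not code from Avast or the blog. The directory tree in demo() is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify differences between a stored baseline and a fresh hash_tree()."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    """Persist the baseline; in real use keep it off the web host so an FTP
    attacker cannot rewrite it along with the site."""
    Path(path).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Baseline a constructed tree, simulate the drop from the post, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-content" / "w3tc" / "min").mkdir(parents=True)
        (root / "wp-includes" / "js").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-includes" / "js" / "jquery.js").write_text(
            "/* constructed stand-in for the real library */\n")

        baseline_file = Path(tmp) / "baseline.json"  # outside the web root
        save_baseline(hash_tree(root), baseline_file)

        # Simulated compromise: the two dropped file names quoted in the post,
        # plus an injected script tag appended to index.php.
        (root / "wp-content" / "w3tc" / "min" / "a12ed303.925433.js").write_text(
            "/* constructed dropped file */\n")
        (root / "wp-includes" / "js" / "l10n.js").write_text(
            "/* constructed dropped file */\n")
        with (root / "index.php").open("a") as fh:
            fh.write('<script src="https://example.invalid/x.js"></script>\n')

        return diff_baseline(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Rebuild the baseline only after a deliberate deployment; anything that turns up in `added` or `changed` between deployments on a site nobody has touched is exactly the kind of file the post describes, and the FTP credentials should be rotated at the same time as the file is removed.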

Xbox Kinect Malware created by Indian Researchers

A 15-year-old Indian security researcher, Shantanu Gawde from MalCon Research, has created malware that utilises the Microsoft Xbox Kinect controller.

The Indian researcher from MalCon created malware that utilises Microsoft Kinect to secretly capture pictures and upload them to a Picasa account.

In recent months, there have been a number of innovative Kinect hacks that make use of the Kinect, using both Open source drivers and the Kinect SDK.

The malware, code-named 'gawde' after its creator's name, works on Windows 7 to secretly capture pictures of the victim and their surroundings from a connected Kinect device and uploads them to a Picasa account.

Rajshekhar Murthy, Director at ISAC (Information Sharing and Analysis Center), a scientific non-profit body that holds the International Malware Conference, MalCon, said: "We believe that in coming years, a lot of Windows based applications will be developed for Kinect and the device will gain further immense popularity and acceptance, and from the perspective of an attacker, such a popular device can be an exciting target for visual and audio intelligence. At MalCon research labs, we promote proactive security research and the malware utilizing Kinect is only a proof of concept."

The Kinect malware ‘gawde’ goes a step ahead and even uses voice recognition to execute a program based on keyword, without the knowledge of the victim. The malware proof of concept (PoC) will be demonstrated at the upcoming MalCon 2011 in Mumbai, India.

Skype Flaw Allows IP Address and Location Tracking

A newly discovered flaw in Skype allows tracking of Skype users by IP address. The serious breach in the popular Internet video chat program means that any person could potentially hunt down users' whereabouts, according to a study co-authored by an NYU-Poly professor.

The flaw in Skype could allow a skilled hacker to find out the IP address from which a user has logged in to Skype, and from that the user's location, which is a massive breach of privacy and security. However, having the IP address alone doesn't mean you can be tracked to your home address; it only narrows you down to a certain area and a certain ISP.

The company is trying to downplay the flaw, claiming that the ability to derive IP addresses is common to all web-based communication clients.

The flaw can reportedly be exploited without the user’s knowledge, and can be executed on a large scale. The research team demonstrated this by scheduling hourly calls to tens of thousands of Skype users.

Adrian Asher, Skype's chief information security officer, said that IP addresses are easily uncovered in most web communications clients. "Just as with typical Internet communications software, Skype users who are connected may be able to determine each other's IP addresses. Through research and development, we will continue to make advances in this area and improvements to our software," he said.

The IP address that you are using is usually from a pool of IPs that your ISP gives out. By locating a Skype user's IP address a hacker could work out their ISP and a rough location, potentially shown by the ISP, but don't worry, you won't get someone knocking at your door because you told them off on Skype; they may just know which part of the country you are in 🙂

Tesco, Argos and ASDA Facebook Scams

Well, it's almost Xmas and the Facebook scams are rife. Over the last few days we have seen ASDA, Argos and now Tesco hit by Facebook scams offering people £500 for 'liking' them on Facebook and following links.

This hit ASDA recently, Argos a few days ago and now Tesco is the favourite. The same scammers are probably responsible for all of these campaigns and are just using different retailers to refresh the scam.

Facebook users are tricked into sharing the link with their online friends, in the belief that they will win a prize. Of course, the more that the link is shared the more traffic is driven to a website of the scammers’ own choosing – and they earn commission every time they trick users into filling in an online form requesting personal information.

Tens of thousands of users have already been duped, proving just how easy it is to be conned into sharing "special offer" links.

Of course, Argos, ASDA and Tesco have nothing at all to do with the scheme, but it's their brand names which are being besmirched.

If you were fooled into participating in this scam remove the message from your newsfeed, so you are no longer spreading it with your online chums.

Microsoft YouTube site pwned

The weekend saw Microsoft's YouTube presence hacked and its content changed from helpful videos to cartoons and advertising offers.

One of the uploaded videos, called Bingo, showed a character from the LA Noire video game shooting another animated figure in the head. Other videos called on YouTube visitors to post video responses, create new background images for the channel or provide sponsorship.

By midday GMT the site had been returned to normal. Nobody is claiming to know how this hack took place, but the obvious theory is poor password security by a Microsoft employee. There are also rumours circulating that the account and channel were actually created by a Microsoft fan before being handed over to Microsoft at a later date. It could be that the account was still linked to the previous owner's email address, which would make a password reset easy.

One heading on the channel also read, "I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/." So maybe there is something

iPad2 iOS5 Lock Screen Vulnerability

As soon as iOS5 was released people were already looking for issues with it. One of the first discovered on the iPad2 was an issue with the screen lock functionality.

Marc Gurman has discovered a vulnerability on the iPad that allows for a limited bypass of the device’s locked screen. Anyone with a Smart Cover on their iPad can gain access to the previously-open app (or the home screen if no app was open).

Simply hold the power button to bring up the 'Power Off' screen, close the Smart Cover, re-open it and tap Cancel: the attacker is dropped into the screen that was open before the iPad was locked. If that is the home screen, they can see the installed apps but cannot open anything. If Safari, Address Book or any other app was open when the device was locked, the attacker has access to that app.

From a locked iPad 2:

1) Lock a password protected iPad 2
2) Hold down power button until iPad 2 reaches turn off slider
3) Close Smart Cover
4) Open Smart Cover
5) Click cancel on the bottom of the screen

Obviously, with more and more iPads being used in the business world and in education, you can probably imagine the issues this type of vulnerability could cause. Just imagine if your email was the last app open, or your address book with all of your customers 🙂

For now the only way to stop this happening is to disable the "Smart Cover Unlocking" feature, which can be found in Settings > General.

I'm sure Apple will already be working on a fix for this.