i2 Security Blog

Keeping you up to date on the world of IT Security


Tesco, Argos and ASDA Facebook Scams

Well, it's almost Xmas and the Facebook scams are rife.  Over the last few days we have seen ASDA, Argos and now Tesco hit by Facebook scams offering people £500 for ‘liking’ them on Facebook and following links.

This hit ASDA recently, Argos a few days ago and now Tesco is the favourite.  The same scammers are probably responsible for all of these campaigns and are just using different retailers to refresh the scam.

Facebook users are tricked into sharing the link with their online friends, in the belief that they will win a prize. Of course, the more that the link is shared the more traffic is driven to a website of the scammers’ own choosing – and they earn commission every time they trick users into filling in an online form requesting personal information.

Tens of thousands of users have already been duped – proving just how easy it is to be conned into sharing “special offer” links.
Of course, Argos, ASDA and Tesco have nothing at all to do with the scheme – but it’s their brand names which are being besmirched.

If you were fooled into participating in this scam remove the message from your newsfeed, so you are no longer spreading it with your online chums.

Microsoft YouTube site pwned

The weekend saw Microsoft's YouTube presence hacked and its content changed from helpful videos to cartoons and advertising offers.

One of the uploaded videos, called Bingo, showed a character from the LA Noire video game shooting another animated figure in the head. Other videos called on YouTube visitors to post video responses, create new background images for the channel or provide sponsorship.

By midday GMT the site had been returned to normal.  Nobody is claiming to know how this hack took place, but the obvious theory is poor password security by a Microsoft employee.  There are also rumours circulating that the account and channel were actually created by a Microsoft fan before being handed over to Microsoft at a later date.  It could be that the account was still linked to the previous owner's email address, which would make a password change easy to facilitate.

One heading on the channel also read, “I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/.”  So maybe there is something

iPad 2 iOS 5 Lock Screen Vulnerability

As soon as iOS 5 was released people were already looking for issues with it.  One of the first discovered on the iPad 2 was an issue with the screen lock functionality.

Marc Gurman has discovered a vulnerability on the iPad that allows for a limited bypass of the device's locked screen. Anyone with a Smart Cover on their iPad can gain access to the previously-open app (or the home screen if no app was open).

Simply hold the power button to bring up the ‘Power Off’ screen, close the Smart Cover, re-open it, and click cancel: the attacker will be dropped into the screen that was open before the iPad was locked. If the attacker gets dropped into the home screen, then they'll be able to see the installed apps, but won't be able to open anything. If Safari or Address Book (or any other app) was open when the device was locked, then the attacker would have access to that app.

From a locked iPad 2:

1) Lock a password protected iPad 2
2) Hold down power button until iPad 2 reaches turn off slider
3) Close Smart Cover
4) Open Smart Cover
5) Click cancel on the bottom of the screen

Obviously, with more and more iPads being used in the business world and also in education, you can probably imagine the issues this type of vulnerability could cause.  Just imagine if your email was the last app open, or your address book with all of your customers 🙂

For now the only way to stop this happening is to disable the “Smart Cover Unlocking” feature, which can be found in Settings>General.

Although I’m sure Apple will be working on a fix for this already.

Mac Webcams Hijacked via a bug in Flash

It has emerged that a bug in Adobe's Flash Player can allow webcams and microphones on Apple Macs to be hijacked by website owners, allowing them to eavesdrop without permission.

All that’s required is to visit a malicious website and to click on a few buttons on that page.  Without warning, the visitor’s camera and microphone will be activated and the video and audio intercepted.  On Wednesday Adobe said they were planning on fixing the vulnerability, which is caused by flaws in the Flash Player Settings Manager.  The panel, which is used to designate which sites may access feeds from a user’s camera and mic, is delivered in the SWF format used by Flash.  A computer science student at Stanford University, Feross Aboukhadijeh, discovered he could embed the SWF file as an invisible iframe and superimpose misleading graphics on top that tricked visitors into making changes to the underlying privacy settings.

Settings Manager is actually hosted on Adobe's servers, and therefore a fix should be possible without having to release an update to users' machines.  A spokesperson for Adobe has said an update should be in place by the end of the week.

The Stanford student said that so far only Macs running Safari or Firefox were vulnerable; however, he indicated that further research may lead to this attack becoming more universal.

Mass attack on websites running ASP.NET

Research has highlighted a mass attack on web servers running ASP.NET; the infection redirects users to sites that exploit old versions of Oracle's Java, Adobe's Flash and various browsers.  The attack was disclosed by security firm Armorize on Wednesday.

The initial attack is showing around 1.15 million infected pages and the follow-on exploit around 17,500 pages; the figures are from Google searches.

The infection injects code into ASP.NET websites and plants an invisible link into visitors' browsers to sites including jjghui.com and nbnjkl.com, which in turn redirect to a number of other sites carrying obfuscated code.  Those sites use a number of attacks that exploit well-known vulnerabilities in Java, Flash etc.  Computers running unpatched versions are then compromised and used by the attackers.

Armorize researchers submitted the attack code last week, and at the time only six of the top 43 antivirus vendors detected the attack; hopefully this figure has drastically increased since then.

Another firm, Sucuri, has released a scanner that can detect whether your site is infected.
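The invisible links described above end up stored in the site's own database, so one defender check is to scan stored content for script or iframe tags whose source host is one of the redirector domains named in the report. The following is an added example, not code from the post, from Armorize or from Sucuri's scanner; the content rows are constructed for illustration and the only domains it knows about are the two the post names.

```python
"""Scan stored page content for script/iframe tags pointing at known
redirector domains, and strip them. Sample rows are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirector domains named in the report on the ASP.NET mass injection.
KNOWN_REDIRECTORS = {"jjghui.com", "nbnjkl.com"}

# Constructed sample rows, as they might sit in a CMS "content" table.
SAMPLE_ROWS = {
    1: "<p>Welcome to our shop</p>",
    2: '<p>Offers</p><script src="http://jjghui.com/urchin.js"></script>',
    3: '<div>Contact</div><iframe src="http://www.nbnjkl.com/x.html" width="0" height="0"></iframe>',
    4: '<script src="/js/site.js"></script>',
}


class InjectedTagFinder(HTMLParser):
    """Collect script/iframe tags whose src host is a known redirector."""

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (tag, host)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        # Match the bare domain and any subdomain (e.g. www.nbnjkl.com).
        for bad in KNOWN_REDIRECTORS:
            if host == bad or host.endswith("." + bad):
                self.hits.append((tag, host))


def find_injections(html):
    """Return [(tag, host), ...] for injected tags found in one HTML fragment."""
    finder = InjectedTagFinder()
    finder.feed(html)
    return finder.hits


def scan_rows(rows):
    """Return {row_id: [(tag, host), ...]} for rows carrying injected tags."""
    findings = {}
    for row_id, html in rows.items():
        hits = find_injections(html)
        if hits:
            findings[row_id] = hits
    return findings


# Whole script/iframe elements, so a hit can be removed in one piece.
_TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)


def strip_injections(html):
    """Remove script/iframe elements whose src points at a known redirector;
    tags pointing elsewhere (the site's own scripts) are left alone."""
    def repl(match):
        return "" if find_injections(match.group(0)) else match.group(0)
    return _TAG_RE.sub(repl, html)


if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: {hits}")
        print("  cleaned:", strip_injections(SAMPLE_ROWS[row_id]))
```

Removing the tags only treats the symptom; the rows will be re-infected unless the injection point itself is closed, which is what the audit in the next paragraph is about.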

If your site is compromised you must remove the infection from your database and audit ALL code to remove SQL Injection issues.
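The root cause of a mass injection like this is a query built by concatenating user input, so the audit mentioned above comes down to finding every such query and rewriting it with bound parameters. The following added example (not from the post, and using Python with an in-memory SQLite table rather than the ASP.NET and SQL Server stack the attack targeted) shows the vulnerable form beside the parameterised one on the same constructed data and the same input, so the difference in behaviour is visible.

```python
"""A string-built search query beside its parameterised form, run against a
constructed in-memory table standing in for a site's content store."""
import sqlite3


def make_db():
    """Constructed sample data: one public article and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body, published) VALUES (?, ?, ?)",
        [
            ("Christmas offers", "<p>Great deals</p>", 1),
            ("Draft: price changes", "<p>Not yet public</p>", 0),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Concatenates the search term into the SQL text: whatever the caller
    supplies becomes part of the statement, so a quote in the input can end
    the string literal and rewrite the WHERE clause."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterised(conn, term):
    """Binds the search term as a parameter: the database engine receives the
    statement and the value separately, so the value can only ever be data."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


if __name__ == "__main__":
    db = make_db()
    for term in ("Christmas", "x' OR 1=1 --"):
        print(repr(term))
        print("  vulnerable:    ", search_vulnerable(db, term))
        print("  parameterised: ", search_parameterised(db, term))
```

For an ordinary term both functions return the same single public title; for input containing a quote and a comment marker the concatenated version returns every row, the unpublished draft included, while the bound version returns nothing because no title literally contains that text.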

Facebook accused of violating US wiretap laws

A woman from Mississippi in the USA has accused Facebook of violating US federal wiretap laws by tracking her internet browsing history.  She states this happened even when she wasn't logged into the social networking site.

In the lawsuit filed on Wednesday, Brooke Rutledge of Lafayette County, Mississippi also claims breach of contract, trespassing, invasion of privacy and unjust enrichment.  Class action status has been sought so that other users can join the lawsuit.  This comes a few weeks after an Australian blogger published evidence that Facebook could track users' browsing habits even when they were not logged into the site.

Celebrity Email Hacker Arrested by FBI

A 35-year-old man named as Christopher Chaney was arrested in Jacksonville, Florida, according to a recent FBI statement.  Chaney has been linked to recent attacks on celebrity email accounts which have led to the exposure of naked photos of a number of high-profile celebrities.

If found guilty of all 26 indictments, which include accessing computer systems without authorisation, identity theft and wire tapping, Chaney could face a maximum of 121 years in a federal prison.

It is thought Chaney scoured the internet for information about his targets and then used that to hack into their email accounts.

The FBI investigation into the hacking incidents, known as “Operation Hackerazzi”, had come under huge pressure to catch the culprit who was generating tabloid headlines around the world.

Victims of the email hacks have included Scarlett Johansson and Lady Gaga, to name just two.  More than 50 victims were identified by Operation Hackerazzi, and nude pictures and naughty text messages have all been plastered across the internet.

German Police using Droid Trojan to spy on citizens

A backdoor Trojan that is capable of monitoring online activity and recording Skype calls has been detected, and is allegedly being used by the German police force.

The courts in Germany have permitted the use of Bundestrojaner to record Skype calls if the police have the legal permission for wiretap.

The Chaos Computer Club (CCC) have been researching this and have stated that, “The malware can not only siphon away intimate data, but also offers a remote control or backdoor functionality for uploading and executing arbitrary programs.”

CCC also stated in their research, “The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely. This means an upgrade path from Quellen-TKÜ to the full Bundestrojaner’s functionality is built in right from the start.”

CCC finished by saying that control of the PC is not only open to the agency or police force who put the Trojan there, but, due to poor design, may allow others to take control of the machine too.
A spokesperson from CCC said, “We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this Trojan leaves the infected systems in is comparable with it setting all passwords to ‘1234’.”

CCC said, “The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyse the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.

“Also, we will gladly continue to receive copies of other versions of government malware off your hands.”

F-Secure's chief research officer said: “We do not know who created this backdoor and what it was used for. We have no reason to suspect CCC's findings, but we can't confirm that this Trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.”

Security company Sophos have also stated that their research shows the Trojan can be used to eavesdrop on a number of common applications such as Skype, Yahoo Messenger and MSN Messenger.  It can also keylog a number of common browsers such as IE and Firefox, and can take screenshots of the user's screen.

F-Secure are detecting this backdoor as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan, ‘C3PO-r2d2-POE’.

German officials have now admitted to using the above-mentioned Trojan to spy on citizens.  Officials from Bavaria and other states have admitted to using the Trojan, which may be in breach of German wiretapping law.

Bavarian Interior Minister Joachim Herrmann believes the police acted within the law's parameters, but will investigate the matter of R2D2's use.
German law permits the use of spy software by government officials in order to combat terrorists and criminals. Wiretapping is legal, but courts need to give approval for its use in all cases.

Windows 7 God Mode

Today I received an email detailing the “Windows 7 God Mode”. OK, so it's not quite God Mode, but it gives you all the Administrator tools you could dream of in one place, just by creating a new folder. Yes, I know it sounds odd, but carry on reading and try it; you'll be amazed. I just hope server administrators don't let their users run as local administrators, otherwise ALL of these tools will be available to them now, oops!!


Start by creating a New Folder on the Desktop (right click and choose New Folder).

Then rename the folder to “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” (no inverted commas).

Once this is created it automatically populates with a huge number of useful Windows administrative tools which are ready to use.

Now this is really useful for Windows admins; however, you should also make sure that your users cannot create this folder. If they can create it they will still need admin rights to use most of the tools, but it's best not to give them the chance.
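If you want to check whether users have already created one of these folders, the thing to look for is the name pattern itself: a folder called anything followed by `.{GUID}`, which Explorer renders as the shell object that GUID identifies. The following is an added example and not from the post; it is a portable Python scan (a PowerShell or Windows-native check would be the natural tool on the servers themselves) that walks a directory tree and reports folders carrying such a suffix, and it generalises from the single GUID in the post to any GUID-shaped suffix. The sample profile tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Find folders whose name ends in a .{GUID} shell CLSID suffix, as used by the
"GodMode" folder trick. The sample tree is constructed in a temp directory."""
import os
import re
import tempfile

# The CLSID given in the post for the "GodMode" folder.
GODMODE_CLSID = "{ED7BA470-8E54-465E-825C-99712043E01C}"

# Any ".{8-4-4-4-12 hex}" suffix, not just the one above: the same renaming
# trick works with other shell namespace CLSIDs.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def find_clsid_folders(root):
    """Return the sorted paths of folders under root with a .{GUID} suffix."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if CLSID_SUFFIX.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a user profile with one GodMode folder, an ordinary
    folder with a dot in its name, and a folder whose braces are not a GUID."""
    root = tempfile.mkdtemp(prefix="profile_")
    os.makedirs(os.path.join(root, "Desktop", "GodMode." + GODMODE_CLSID))
    os.makedirs(os.path.join(root, "Desktop", "Reports.2011"))
    os.makedirs(os.path.join(root, "Documents", "notes.{not-a-guid}"))
    return root


if __name__ == "__main__":
    profile = build_sample_tree()
    for path in find_clsid_folders(profile):
        print("shell CLSID folder:", path)
```

Run against a real profile share the same function flags every folder that Explorer would present as a control panel or other shell object rather than as an ordinary directory, so the "Reports.2011" and "notes.{not-a-guid}" names are correctly ignored and only the GodMode folder is reported.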

BT and Nigel Mansell Twitter Accounts Hacked

BT Business and Nigel Mansell both fell victim to a Twitter account hijack on Friday, which then went on to punt a popular diet pill scam.

@btbusiness and @Mansell5 were both directed to a weight-loss site on Friday, where there was an article discussing the supposed benefits of Acai Berry.
@btbusiness soon noticed and regained control of their account; however, @Mansell5 was only changed over the weekend, with Nigel tweeting on Sunday evening, “I'm thinking its time to choose a new password!”
The image above shows the @btbusiness offering 🙂

The Acai Berry spam attack has been seen numerous times before: last December, when Gawker was hacked, a number of Twitter accounts were hijacked because users were using the same password on both their Gawker and Twitter accounts.

It appears no harm was done this time but both BT Business and Nigel Mansell could have faced a lot more embarrassment over this, if they had been punting something other than diet pill scams.