Nasty Twitter Worm Outbreak

September 21, 2010

Several new Internet worms are spreading quite rapidly via a newly-found vulnerability in Twitter.com. While the flaw that powers these attacks will most likely be sewn shut in a matter of hours, if you’re going to frequent Twitter today you’d be wise to use a Twitter client or at least block JavaScript on the site, as these worms appear to be spreading with little or no interaction on the part of users.

According to security firm F-Secure Corp., the trouble started earlier today, when several worms began quickly spreading by leveraging a cross-site scripting vulnerability in Twitter that used “onmouseover” techniques, meaning it was enough to move your computer mouse on top of a malicious Tweet to resend the nasty message to all of your followers.
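To show the defensive side of the attribute-injection bug described above, here is an added example (not code from the original post or from Twitter) of a tweet-link renderer that splices the URL straight into an href attribute beside a hardened one that escapes for attribute context and allows only http(s) schemes. The input string and all function names are constructed for the demonstration.

```javascript
// Escape the characters that can terminate an attribute value or start a tag,
// so untrusted text can be placed inside a quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Vulnerable renderer (constructed "before" case): the URL text lands verbatim
// inside href="...", so a quote in it closes the attribute and anything that
// follows becomes a new attribute, e.g. an onmouseover handler.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened renderer: parse the URL, refuse non-http(s) schemes (blocks
// javascript: links), and attribute-escape the normalized result.
function renderLinkSafe(url) {
  let parsed;
  try { parsed = new URL(url); } catch (_) { return escapeAttr(url); }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeAttr(url);            // render as inert text, not a link
  }
  const safe = escapeAttr(parsed.href); // WHATWG parser also %-encodes '"'
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Crude review check: does the markup contain an on* event-handler attribute
// introduced right after a quote or whitespace?
function hasEventHandler(html) {
  return /["'\s]on\w+\s*=/i.test(html);
}

// Constructed sample input: a "URL" whose quote ends the href early and
// smuggles in a (deliberately inert) onmouseover attribute.
const CONSTRUCTED_INPUT = 'http://example.com/"onmouseover="x"';

console.log('unsafe:', renderLinkUnsafe(CONSTRUCTED_INPUT));
console.log('safe:  ', renderLinkSafe(CONSTRUCTED_INPUT));
```

Escaping alone is not enough for link targets: the scheme check is what stops a syntactically valid `javascript:` URL from surviving the escaper untouched.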

The initial worms apparently began as a proof-of-concept, but a number of new Tweets in the Twitter trending topics page indicate that newer versions are silently redirecting victim PCs to fetch more malicious payloads.

Until this mess gets cleaned up, F-Secure is warning Twitter users to use a Twitter client like TweetDeck to access Twitter instead of using Twitter.com, or to disable JavaScript on the domain (always a sound idea). Several readers have pointed out another solution: use mobile Twitter (m.twitter.com), which has no JavaScript. Alternatively, just stay logged out of Twitter for the next few hours.

The Twitter user who reportedly discovered the vulnerability — programmer Magnus Holm — remarked on his Twitter feed that in hindsight he probably should have reported the flaw to Twitter, “but when I discovered it, it had already been in the wild for some time, so I assumed they knew it. I’m not responsible for the tweets that block the whole screen and retweet. My worm was much less obtrusive.”

Update, 10:05 a.m. ET: I’m reminded now of why I generally don’t write about the Twitter/Facebook malware threats-of-the-day: Because they’re usually no longer a threat by the time you write a blog post about them! Twitter is now reporting that it has fixed the vulnerability.

Update, 1:31 p.m. ET: Twitter’s security chief Bob Lord now has a blog post describing what happened with this worm. Lord writes: “This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.” More here.

Security Fix for Critical Adobe Flash Flaw

September 20, 2010

Adobe Systems Inc. today rushed out a software update to remedy a dangerous security hole in its ubiquitous Flash Player that hackers have been exploiting to break into vulnerable systems.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1. Updates are available from this link.

Adobe’s advisory on this flaw is here. The same security vulnerability also exists in the latest versions of Adobe Reader and Acrobat, although Adobe says it doesn’t plan to fix this vulnerability in those products until the week of Oct. 4.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update at least twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera or Safari. Google Chrome users can update to Chrome 6.0.472.62 to grab this latest Flash update. To check which version of Flash you have installed, visit this link.

Also, unless you want some “free” software — like McAfee Security Scan or whatever browser toolbar Adobe is bundling with Flash player this month — remember to uncheck that option before you agree to download the software.


Google Adds 2-Factor Security to Gmail, Apps

September 20, 2010

Google said today that it will begin offering users greater security protections for signing in to Gmail and other Google Apps offerings. This “two-step verification” process — which requires participating users to input a user ID, password and six-digit code sent to their mobile phones — effectively means Google will be offering more secure authentication than many U.S. financial institutions currently provide for their online banking customers.

The search giant will be making the technology available to its enterprise (paying) customers immediately, and it will be free to consumers within the next few months.  Users who choose to take advantage of the technology can have the codes sent via text message or a special Google mobile app. All devices that are successfully authenticated can then be set to not require the two-step process for the next 30 days.

Travis McCoy, product manager of Google Security, said the company was looking for a way to prevent Google account takeovers made possible by weak or stolen passwords.

“We wanted to look and see what single area could we work on that would have the greatest impact on user security,” McCoy said. “We found user names and passwords often end up being the weak link in the chain in terms of how accounts are being compromised.”


SpyEye Botnet’s Bogus Billing Feature

September 17, 2010

Miscreants who control large groupings of hacked PCs or “botnets” are always looking for ways to better monetize their crime machines, and competition among rival bot developers is leading to devious innovations. The SpyEye botnet kit, for example, now not only allows botnet owners to automate the extraction of credit card and other financial data from infected systems, but it also can be configured to use those credentials to generate bogus sales at online stores set up by the botmaster.

The “billing” section from the SpyEye admin page

As I noted in a post in April, SpyEye is a software package that promises to make running a botnet a point-and-click exercise. A unique component of SpyEye is a feature called “billinghammer,” which automates the purchase of worthless or copycat software using credit card data stolen from victims of the botnet.

The SpyEye author explained this feature in detail on several hacking forums where his kit is sold, even including a video that walks customers through the process of setting it up. Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel (picture above), feeds it a list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer Window and — at user-defined intervals — starts auto-filling the proper fields at the botmaster’s online store and making purchases.


Following the Money, ePassporte Edition

September 15, 2010

A few weeks ago, I blogged about the financial troubles afflicting ePassporte, an online payment provider whose sudden disconnection from the Visa network left many account holders without access to millions of dollars. I became interested in ePassporte because it kept popping up as I was investigating stories related to affiliate programs that reward people who peddle things like rogue anti-virus products and spam.

Since then, I’ve heard from a large number of disgruntled ePassporte account holders, most of whom were or are in the online porn industry, a market that ePassporte’s CEO Chris Mallick helped to nurture. In fact, as I noted in that original blog entry, Mallick produced “Middle Men,” a movie released by Paramount in August that is a fictionalized account of his experiences in the porn billing industry.

Many of those readers have been asking for an update on this story, and I’m afraid I don’t have a whole lot more to report. But the old adage about following the money led me to at least try to understand a bit more about how ePassporte is structured, and where its money may be.


‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought

September 14, 2010

The “Stuxnet” computer worm made international headlines in July, when security experts discovered that it was designed to exploit a previously unknown security hole in Microsoft Windows computers to steal industrial secrets and potentially disrupt operations of critical information networks. But new information about the worm shows that it leverages at least three other previously unknown security holes in Windows PCs, including a vulnerability that Redmond fixed in a software patch released today.

Image courtesy Kaspersky Lab

As first reported on July 15 by KrebsOnSecurity.com, Stuxnet uses a vulnerability in the way Windows handles shortcut files to spread to new systems. Experts say the worm was designed from the bottom up to attack so-called Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities.

The worm was originally thought to spread mainly through the use of removable drives, such as USB sticks. But roughly two weeks after news of Stuxnet first surfaced, researchers at Moscow-based Kaspersky Lab discovered that the Stuxnet worm also could spread using an unknown security flaw in the way Windows shares printer resources. Microsoft fixed this vulnerability today, with the release of MS10-061, which is rated critical for Windows XP systems and assigned a lesser “important” threat rating for Windows Vista and Windows 7 computers.

In a blog post today, Microsoft group manager Jerry Bryant said Stuxnet targeted two other previously unknown security vulnerabilities in Windows, including another one reported by Kaspersky. Microsoft has yet to address either of these two vulnerabilities – known as “privilege escalation” flaws because they let attackers elevate their user rights on computers where regular user accounts are blocked from making important system modifications.


Adobe Warns of Attacks on New Flash Flaw

September 13, 2010

Adobe Systems Inc. warned Monday that attackers are exploiting a previously unknown security hole in its Flash Player, multimedia software that is installed on most computers.

Adobe said a critical vulnerability exists in Adobe Flash Player versions 10.1.82.76 and earlier, for Windows, Mac, Linux, Solaris, UNIX and Android operating systems. In a security advisory, Adobe warned that the flaw could cause Flash to crash and potentially allow an attacker to seize complete control over an affected system.

Worse still, there are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player. Adobe’s advisory states that while the latest versions of Adobe Acrobat and Reader also contain the vulnerable Flash components, the company is not aware of attacks against the Flash flaw in those programs.

That last bit may be of little comfort to Adobe Acrobat and Reader users: Last week, Adobe issued a similar advisory warning that hackers were attacking an as-yet unpatched critical flaw in both of those programs.

Adobe said it is in the process of finalizing a fix for the Flash issue and expects to provide an update for Flash Player on Windows, Mac, and Android systems during the week of Sept. 27, 2010. Updates to fix the Flash flaw in Adobe Reader and Acrobat should be ready by the week of October 4, 2010, Adobe said.

Flash is one of those Web components that can be difficult to do without. I often urge readers who use Firefox to install and use the Noscript add-on, which blocks Flash-based content by default and lets the user decide which Flash videos to enable.

A One-Stop Money Mule Fraud Shop

September 13, 2010

A recent chat with an individual who was almost tricked into helping organized criminals launder thousands of dollars stolen through e-banking fraud introduced me to one of the most clever and convincing money mule recruitment Web sites I’ve ever encountered. Through the use of images stolen from legitimate Web sites and well-placed video and interactive content, this bogus work-at-home job site may become a model for mule recruitment scams to come.

Training to be a “financial agent,” a.k.a. a “money mule.”

Money mules are people willingly or unwittingly lured into helping crooks launder stolen funds, usually through work-at-home job scams. Reshipping mules are sent goods and asked to reship them to addresses abroad, or are sent money and asked to purchase goods and then ship them overseas. In both jobs, the mule usually earns a commission for his or her work (either fixed percentage of the transfer or permission to keep one of the purchased goods), but both are usually cut loose before they see their promised paychecks.

A mule who spoke with KrebsOnSecurity.com on condition of anonymity said he was recruited as a financial agent by Lydon Online, which communicated with him via Web-based e-mails (see image directly below), as well as via cell phone text messages.

The mule, whom we’ll call “Jeremy,” ignored instructions to supply his bank account information in preparation for receiving deposits from Lydon Online. That’s because shortly after signing up with Lydon, Jeremy learned that another company which also had hired him for a work-at-home job as a financial agent had tried to send him nearly $10,000 stolen from a Pennsylvania dental practice that was robbed of many times that amount last month (the dental office also agreed to speak to me on the condition of anonymity).


Attackers Exploiting New Acrobat/Reader Flaw

September 8, 2010

Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says it’s in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit currently is detected only by about 25 percent of the anti-virus programs out there (the VirusTotal scan results from today are here, and yes, it’s a safe PDF).

Adobe’s advisory doesn’t discuss possible mitigating factors, although turning off JavaScript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript, then un-check Enable Acrobat JavaScript).

Better yet, consider using an alternative PDF reader that isn’t quite so heavily targeted as Adobe’s, such as Foxit, Sumatra, or Nitro PDF.

Revisiting Secunia’s Personal Software Inspector

September 8, 2010

Security vulnerability research firm Secunia has released a public beta of its Personal Software Inspector tool, a program designed to help Microsoft Windows users keep their heads above water with the torrent of security updates for third-party applications. The new beta version includes the promised auto-update feature that can automatically apply the latest patches for a growing number of widely-used programs.

Secunia first announced in March that it would soon make the auto-update feature available to consumers, noting that the average PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that typically run on top of it. The new beta version doesn’t allow auto-updating for all applications, although Secunia says the list of applications that can be auto-updated through its tool will grow as the public beta progresses.

Overall, PSI 2.0 Beta seems to work quite a bit faster and use fewer resources than earlier versions. But my main concern in allowing third-party programs to update through PSI has so far been — ironically — relinquishing control over the update process. That’s because many “free” applications — such as Java, Adobe and Foxit readers — are free because a number of users never bother to deselect the check mark in the box next to offers to install additional software that is often bundled with these products, including virus scanners and various browser toolbars.
