CyberInsecure.com

Archive for the ‘Social Networks’ Category

Facebook and MySpace have closed gaping security holes in their sites that gave attackers full access to accounts that had automatic-login features enabled.

The vulnerabilities were significant. Because the unauthorized access would be mapped to the victim’s IP address and website cookie, the intrusions would be virtually untraceable. Attackers were then free to upload photos and messages designated as private with no indication at all to the victim.

Facebook and MySpace closed the backdoors shortly after being notified, a marked improvement from the past, when the sites sometimes allowed serious security holes to persist for months. Still, it probably shouldn’t have taken an outsider to discover the bug. This is the latest episode to demonstrate that the only sure way to ensure that data is private is to keep it off social networking sites altogether.

The backdoors were the result of a misconfiguration of a crossdomain.xml, a file websites use to share content using Adobe Flash across domains. Some of the domains that were accessible exposed authentication tokens for accounts that had the auto-login feature turned on.

Facebook developers had blocked access from the main domain, but didn’t bother to notice the sensitive data was accessible when Facebook subdomains were used. MySpace similarly locked its front door but left a window at farm.sproutbuilder.com, which had full access to the data.

The holes could be exploited by luring victims to sites that had a Flash application installed designed to grab the authentication information, the developer said.

Credit: The Register

Crimeware distributors have begun using Facebook as a command and control channel for a Trojan that turns compromised Windows PCs into zombie drones.

Zombie clients poll the Notes section of the mobile version of Facebook for instructions. Compromised clients might be instructed to download further code from a specified web site or told to wait for commands, for example.

The Trojan spreads via booby-trapped email attachments that take advantage of well-known PDF or Office flaws to infect unpatched systems. These messages pose as email from courier firms and the like.

This has become a very common strategy for targeted attacks, which have replaced mass mailing worms as the main malware danger to business. What distinguishes this Trojan from run of the mill malware is its (experimental) use of Facebook to receive commands instead of traditional botnet control channels such as Internet Relay Chat (IRC). Most of the heavy lifting - such as uploading stolen data - is still done through a web server, however, Symantec researcher Andrea Lelli explains.

“The Trojan is using a Facebook account to receive URLs to contact, and it may post some timedate stamps back to the account, but nothing more than that,” Lelli writes. “The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere.”

“It [the Trojan] simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty. This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C [command and control] server.”

Symantec found the mobile Facebook account associated with the Trojan, established 16 October, showed very little signs of activity. Either hackers have deleted handshakes from compromised boxes that ought to have been exchanged or else the malware is yet to infect anything.

Virus writers have begun experimenting with varied means of controlling botnet clients over recent months. In August, for example, security researchers at Arbor Networks discovered a botnet that used Twitter to relay commands to compromised hosts.

Credit: The Register

Miscreants have recently begun peppering Facebook with a variety of new phishing scams with sex, sex, sex and more sex featuring prominently.

One example involves a fake customer dispute application page, since pulled, that appeared to have a valid Facebook URL.

The content was actually hosted by Ripway hosting, a service that’s often used and abused by script kiddies, according to Chris Boyd of IM security firm FaceTime.

Boyd said that no Facebook application was involved in the scam, just a valid Facebook app URL and the Ripway hosted scam page.

“It seems someone set up an application developer account with Facebook, placed a fake ‘customer dispute page’ onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it,” Boyd added.

Another Facebook phishing threat discovered over the weekend involves messages and a rogue Facebook application. The ’sex sex sex and more sex!!!’ app is sending out notifications that attempt to direct prospective marks to a credential harvesting site.

Ne’er-do-wells have taken steps to disguise the location users are directed towards, explains Rik Ferguson, a security researcher at Trend Micro.

“The hyperlinks in the notification both lead to a malicious website hosted on the fucabook.com domain,” Ferguson explains. “The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refreshtags to pull up the real Facebook website and prompting the victim for their login credentials.”

Harvesting credentials is not entirely new and often not an end in itself. Compromised accounts can be used to send spam or distribute perhaps more pernicious scams. The fact that many people use the same credentials on multiple websites opens up the means for hackers to break into webmail accounts. From there, they can find out what online banking or ecommerce accounts a prospective mark holds, before attempting to break into those accounts.

Credit: The Register

The Koobface worm, which previously infected users of Facebook and MySpace, is spreading among users of micro-blogging website Twitter.

The scale of the attack is unclear but serious enough for Twitter to issue a warning on Friday morning, via the service’s status page:

Some users’ PCs have been infected with a variant of the Koobface malware. This malware sends bogus tweets when the user logs into Twitter.

We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC.

Koobface-related activity has been detected on Twitter before, but the latest assault has provoked a more concerted response from the micro-blogging service, including plans to temporarily suspend compromised accounts.

Accounts accessed from compromised PCs inject rogue updates into a Twitter stream, supposedly containing a link to a video but actually pointing towards one of around 20 sites loaded with exploit code that poses as a video codec. Windows users who follow this links and install the “codec” wind up getting infected with Koobface, re-starting the whole infection cycle.

Some messages that point to exploit sites promise “michaeljackson’ testament on youtube” while others refer to “My home video :)”, Sophos reports, adding that users should avoid following malvertised links.

Panda Security reports that attempts to install rogue anti-virus (scareware) packages onto compromised machines are made, strongly suggesting that the attack is financially motivated.

Credit: The Register

The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

The campaign appears to have been organized through Twitter, which despite public reports that the site has been banned in Iran, appears to be still accessible through a a persistent supply of proxy servers on behalf of the opposition.

Moreover, the ongoing distributed denial of service attacks, are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception - there’s no indication of a botnet involvement in the present attack.

Instead, the attack relies on the so called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:

Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attack
Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
President.ir - Presidency of The Islamic Republic - under attack
Farsnnews.com - Fars News Agency - under attack
Irib.ir - Islamic Republic of Iran Broadcasting - under attack
Kayhannews.ir - News Portal - “Service Unavailable”
Irna.ir - Islamic Republic News Agency - “service unavailable”
Mfa.gov.ir - Ministry of foreign affairs , Islamic Republic of Iran - under attack
Moi.ir - Ministry of Interior - under attack
Police.ir - National Police - under attack
Justice.ir - Ministry of Justice - under attack
Presstv.ir - Iranian Press TV - “server is too busy”

Among the first web-based denial of service attack used, is a tool called “Page Rebooter” which is basically allowing everyone to set an interval for refreshing a particular page, in this case it’s 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages link the following :

“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”

The second stage of the campaign consisted in the distribution of a multiple iFrame loading script which was automatically refreshing farsnews.com, irna.ir and rajanews.com. The script has since changed its location and is advertised under a new domain.

The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS), which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, one which the software using proxies will attempt to obtain automatically.

The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script targeting those running a server that supports PHP in order to use it.

SupportIran.php has also been released as an improved version to the multiple iFrame loader, and is currently used in the attack as well, having the following sites pre-defined to attack simultaneously - khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.

There have already been speculations that the magnitude of these local attacks — Iranian users targeting Iranian web sites – is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.

Credit: ZDNet.com Security Blogs

Twitter users over the weekend were the target of a scam that tried to infect them with rogue anti-virus software and other malware, in what is one of the first times the micro-blogging site has been hit by a known for-profit attack, a security researcher said.

The problem started after a flurry of tweets directed users to a website promising “Best Video.” The site appeared to offer content from YouTube, but behind the scenes, the site delivered a PDF document designed to infect those using vulnerable versions of Adobe’s Reader program. Victims then received an urgent warning that their systems were infected and needed to cleaned using fraudulent security software. The scam promoted a piece of rogue anti-virus software dubbed “System Security.”

“This attack is very significant,” Kaspersky researcher Roel Schouwenberg says. “It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we’ve seen on other social platforms are any indicator for Twitter then we can only expect an increase in attacks.”

Twitter representatives said Saturday they had contained the problem after temporarily suspending accounts that had been compromised. No confidential information was intercepted, they added.

The high volume of posts on Twitter that encourage readers to follow obscured links to audio, video, and other content has created a click-first-ask-questions-later culture on the micro-blogging site that’s ideal for drive-by attacks. And yet, this weekend’s attack is one of the few to target Twitter users with exploits that install malware.

That’s not to say Twitter hasn’t been targeted in the past. The vast majority of the attacks, though, have been worms that repeat a phrase or link over and over by tricking users to click on links that automatically leave a post. As more posts are generated, more and more Twitter users are bombarded with the malicious links, giving the attacks the ability to spread virally.

Credit: The Register

Facebook users are facing a new wave of phishing attacks following a previous barrage in April.

Fraudulent messages from already compromised accounts on the social networking website attempt to trick users into handing over their login details to one of a series of fake sites. The assault follows the pattern of a previous similarly-focused attack last month.

The sites associated with the attack this time around include www.151.im, www.121.im and www.123.im.

Staff at the social networking website are removing messages that link to dangerous sites as well as helping to turn over control of compromised accounts to their rightful owners.

Security watchers speculate that cybercrooks are interested in getting their hands on Facebook login details because many consumers share the same password across multiple sites. The theory runs that access to a profile on a medium-sensitivity site, such as Facebook, could be a stepping stone on the way to owning a more sensitive online banking account or similar tasty miscreant treat.

In other social networking security attack news, the Twitter profile of the New York Times fashion blog (The Moment) was briefly taken over on Thursday to punt links to a webcam smut site to its 510,000 followers. Control of the profile was quickly restored to its rightful owners, who have since apologized for the cock-up.

Credit: The Register

A cross-site scripting worm was spreading in Twitter profiles for several hours during April 12. People started reporting that their profile had sent Twitter messages without their knowledge. Messages looked like this:

Later on the messages morphed several times:

Many people followed the links to promoted website, as they believed the messages to be genuine Tweets from their friends. A cross-site script on the site then caused new users to start to Tweet the same messages.

It is unclear if the spammed site was actually associated with the worm.

According to an explanation on DCortesi blog:

What’s happening here is that it looks like somebody realized they could save url encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the mis-leading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com.

It looked like Twitter fixed the issue but another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. Here’s of the current variants:

Besides the “original” worm that was supposedly written by a teenager, there are some copycats out. The code had also been run through an obfuscator. The copycat Twitter XSS worms exploit the same vulnerability and actually most of the code remains the same. The new version got obfuscated to make analysis a bit harder.

It looks like the folks from Twitter are still fixing all the vulnerabilities so seems that there’s going to be quite a few modified Twitter worms for a day or two. Twitter stats blog said that they are currently addressing a new manifestation of the worm attack.

No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack, according to Twitter.

All these attacks are Javascript-based so it is possible to turn Javascript off if you’re worried or use a NoScript Firefox add-on.

F-Secure detects the script file as Worm:JS/Twettir.A.

Credit and screenshots: Mikko, F-Secure Weblog
Credit: DCortesi.com Blog
Credit: SANS Internet Storm Center

Match.com, an online dating service with reportedly more than 15 million members from 37 countries, is being used by miscreants to infect users with malware. Websense Security Labs has noticed that this new spam campaign aimed at Match.com is being used to spread a trojan called Papras.

On April 7 2009, Websense received thousands of malicious emails in their email Honey Pot system. The emails claim that someone wants to show the user her pictures and videos, and lures the user into visiting the Web site set up by the attacker. When the user starts the video on the Web site, they are asked to install a streaming video player (a malicious file called ADOBE_PlayerInstallation.exe) which is actually a trojan with relatively low AV detection, according to VirusTotal:

BitDefender     7.2     2009.04.08     Trojan.PWS.Papras.V
eSafe     7.0.17.0     2009.04.07     Suspicious File
F-Secure     8.0.14470.0     2009.04.08     Trojan-PSW:W32/Papras.DS
GData     19     2009.04.08     Trojan.PWS.Papras.V
McAfee+Artemis     5577     2009.04.07     Generic!Artemis
Prevx1     V2     2009.04.08     High Risk System Back Door
Sophos     4.40.0     2009.04.08     Mal/EncPk-HJ
Symantec     1.4.4.12     2009.04.08     Infostealer
VBA32     3.12.10.2     2009.04.08     suspected of Malware-Cryptor.Win32.General.3

Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker’s choice simply by clicking on a link. It could be used to spawn a self-replicating worm.

The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance James and Eric Wastl, who have fashioned this link to demonstrate their finding. Clicking on it while logged in to Twitter causes users to immediately broadcast an innocuous message to all of their followers, as this dummy account shows.

Of course, it would be just as easy to craft links that do considerably more damage. Tweets are limited to just 140 characters, making it almost mandatory to use shortened URLs that obscure their final destination. While it’s possible to preview the link before visiting, many Twitter users have grown so accustomed to them they click on them directly.

As the user base of Twitter has skyrocketed, so too have attempts to exploit the site. Hackers have waged cat-and-mouse attacks on the site using so-called clickjacking exploits that, like the XSS vulnerability exposed by James and Wastl, forced logged-in users to tweet simply by clicking on an innocent-looking button. Twitter has been quick to patch the vulnerabilities, but the hackers have been known to launch new attacks that work around the countermeasures.

More than 15 hours after this story was first published, the gaping hole remained.

Credit: The Register