[+] Wayc0de's Blog[+]

Showing posts with the label Phishing.

06/11/11

Fresh Phish disguised as a PayPal Urgent Account Review Notification

No Phishing (Creative Commons photo courtesy of alex_lee2001's Flickr photostream)

While browsing the web this evening waiting for thotcon 0x3 general admission tickets to go on sale, my wife's spidey senses were tingling when she asked me, "Is this a scam?"

Turning towards her monitor, I see she has an email open inside her webmail account. The email has a pretty good sense of urgency written into it, which compels the reader to follow the instructions provided and "protect" their information.
PayPal phish
It begins:
"As of the 3rd of November 2011, our security system has blocked unusual charges to a credit card linked to your account."
And concludes:
"Sincerely, PayPal Account Review Team"
Unfortunately, the average person who does not read Naked Security might easily be duped out of their PII (Personally Identifiable Information).

Phishing scams are nothing new. If people stopped falling for them, perhaps the scams would stop.
It really comes down to education, and to good protection for when education fails.
Mal/Phish-A Sophos Anti-Virus detection

The home use version of Sophos Endpoint Security and Control did a fantastic job of catching the attack as Mal/Phish-A.

The home use version is available to the employees of Sophos customers. Check with your employer whether the home use program is available at your organisation before installing Sophos software willy-nilly.

I spoke earlier in the week with a security professional who sent 500 spear phishing attacks internally to his colleagues. Of the 500 emails sent, 25 people responded by completing the form and surrendering their information.
While a 5% rate may seem small, he felt even 1% was too high. Education helped a lot, but not completely. Do you agree?
When read, this fresh phish posing as PayPal immediately puts the recipient into an emotional state, believing their account has been compromised and their funds are in jeopardy, which clouds their judgement.

Since PayPal is a trusted name in the electronic payments industry, it of course has controls to prevent fraudulent transactions (though no one is perfect). This phish takes advantage of that trust by explaining that the "breached" account has been locked for your protection.

Attached HTML phish file

Now, to regain access to your funds, it's imperative to download the attachment and complete the form.

Opening the downloaded attachment launches your web browser. As you can see, the page looks very genuine and might lower your guard into believing it really came from PayPal. Because the form is carried inside an HTML attachment rather than hosted at a link, there is no suspicious URL for the reader (or a URL filter) to inspect up front; the details you type are only sent to the phisher once you submit the form.
PayPal phishing site

There are a few mistakes in this poorly executed phish which caused education to prevail over emotion.

The most basic one is that the inbox which received this phish has no PayPal account associated with it.

Another one to point out is that the sender, shown as From: "PayPal", is not PayPal at all.
The phisher used the domain pp-redacted-.com, which according to a whois lookup has nothing to do with PayPal: it belongs to an instrumentation company in Massachusetts that happens to share PayPal's initials. The display name is free text chosen by the sender; the domain after the @ is what to check.
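As an added example (not part of the original post), here is a small Python script that performs the two checks above mechanically on a constructed message: does the From display name claim a brand whose legitimate domains do not match the sending address, and does the mail carry an HTML attachment containing a form, and where does that form post to? The sample message, the .test domains and the list of legitimate PayPal domains are assumptions for illustration, not data from the real phish.

```python
import email
from email import policy
from html.parser import HTMLParser

# Assumption: the legitimate sender domains for each brand a display name might claim.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed sample, not the original phish: sender domain, recipient and
# collector URL are placeholders in the reserved .test TLD.
RAW_PHISH = """\
From: "PayPal" <service@pp-example.test>
To: victim@example.test
Subject: Urgent Account Review Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

As of the 3rd of November 2011, our security system has blocked unusual
charges to a credit card linked to your account. Open the attached form.

--XYZ
Content-Type: text/html; name="PayPal_Account_Review.html"
Content-Disposition: attachment; filename="PayPal_Account_Review.html"

<html><body>
<form method="POST" action="http://collector.example.test/p.php">
<input name="email"><input name="password" type="password">
</form></body></html>
--XYZ--
"""


class FormActionCollector(HTMLParser):
    """Collects the action URL of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)


def sender_check(msg):
    """Return (display_name, domain, mismatch). mismatch is True when the display
    name mentions a brand but the address domain is not one of that brand's domains."""
    addr = msg["From"].addresses[0]
    domain = addr.domain.lower()
    mismatch = False
    for brand, domains in BRAND_DOMAINS.items():
        if brand in addr.display_name.lower():
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                mismatch = True
    return addr.display_name, domain, mismatch


def html_attachments(msg):
    """Return [(filename, [form action URLs])] for every HTML attachment."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            collector = FormActionCollector()
            collector.feed(part.get_content())
            found.append((name, collector.actions))
    return found


def analyse(raw):
    """Parse a raw RFC 5322 message and report the two phishing indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, domain, mismatch = sender_check(msg)
    attachments = html_attachments(msg)
    return {
        "display_name": display_name,
        "sender_domain": domain,
        "sender_mismatch": mismatch,
        "html_attachments": [name for name, _ in attachments],
        "form_actions": [a for _, actions in attachments for a in actions],
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_PHISH).items():
        print(f"{key}: {value}")
```

The form action is the interesting artefact: it is the only network indicator in an attachment-based phish, so it is what you would block at the proxy or report to the hosting provider.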
While my wife isn't a security professional or a computer expert, her education not to trust every email in her inbox (beyond spam) triggered a gut feeling and made her think more clearly.

If it doesn't feel right, then it's not. Go with your gut!
Until next time, stay safe and secure online.

28/10/11

Facebook Attachment Uploader Owned By A Space

Oh look – another vulnerability in Facebook! It wasn’t long ago we reported New Research Shows Facebook’s URL Scanner Is Vulnerable To Cloaking.

Well, this time the private messaging function has been compromised: you can attach an executable and send it to anyone, as long as you put a space after the filename.

It’s not the first time I’ve seen a MIME/file parser owned by a space, but I expected better from Facebook, to be honest.

A security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications.

Nathan Power, a senior security penetration tester at technology consultancy CDW, discovered the vulnerability and publicly disclosed it Thursday on his blog. The flaw was reported to Facebook on Sept. 30, which acknowledged the issue on Wednesday, he wrote.

Power, who could not immediately be reached, wrote that Facebook does not normally allow a person to send an executable attachment using the “Message” tab. If you try to do that, it returns the message “Error Uploading: You cannot attach files of that type.”

Facebook has acknowledged the bug (which is a pretty serious one) but it’s unknown if they’ve actually fixed it yet or not.

You can see the original blog post outlining the vulnerability here:

Facebook Attach EXE Vulnerability

Good job Nathan Power!


Power wrote that an analysis of the browser’s POST request sent to Facebook’s servers showed that a variable called “filename” is parsed to see if a file should be allowed. But simply by modifying the POST request to add a space just after the file name, an executable could be attached to the message.

“This was enough to trick the parser and allow our executable file to be attached and sent in a message,” Power wrote.
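To make the failure concrete, here is an added Python example (not Facebook's code, and not from Power's post) that reproduces the class of bug: a check that looks at the raw filename from the multipart body lets "evil.exe " through, because "exe " is not "exe". The hardened version normalises the name before deciding and also looks at the bytes themselves. The blocked extension list and the constructed Content-Disposition header are assumptions for illustration.

```python
import unicodedata

# Assumption: the extensions the uploader is meant to reject.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd", "pif", "msi", "vbs", "js"}

# Leading bytes of a Windows PE executable (the "MZ" DOS header).
PE_MAGIC = b"MZ"

# Constructed multipart part header of the kind a browser sends; the trailing
# space after evil.exe is the bypass the post describes.
CONSTRUCTED_PART_HEADER = 'Content-Disposition: form-data; name="attachment"; filename="evil.exe "'


def filename_from_content_disposition(header):
    """Extract the filename parameter exactly as sent, so the trailing space
    survives for inspection."""
    for param in header.split(";"):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "filename":
            return value.strip().strip('"')
    return None


def vulnerable_is_allowed(filename):
    """Check in the spirit of the flaw: tests whatever follows the last dot of
    the raw, unnormalised filename. 'evil.exe ' yields 'exe ' and is allowed."""
    ext = filename.rsplit(".", 1)[-1]
    return ext not in BLOCKED_EXTENSIONS


def normalize_filename(filename):
    """Canonicalise before deciding: fold Unicode (fullwidth 'ｅｘｅ' becomes 'exe'),
    drop NULs and path components, strip the trailing spaces and dots that
    Windows ignores when opening the file, and lowercase."""
    name = unicodedata.normalize("NFKC", filename).replace("\x00", "")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip(" \t\r\n.").lower()


def hardened_is_allowed(filename, content):
    """Decide on the normalised name and on the content, never on the
    client-supplied string alone."""
    name = normalize_filename(filename)
    if "." in name and name.rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS:
        return False
    if content.startswith(PE_MAGIC):
        return False
    return True


if __name__ == "__main__":
    sent_name = filename_from_content_disposition(CONSTRUCTED_PART_HEADER)
    fake_exe = b"MZ\x90\x00" + b"\x00" * 28  # constructed PE-looking prefix
    print(repr(sent_name), "vulnerable:", vulnerable_is_allowed(sent_name))
    print(repr(sent_name), "hardened:", hardened_is_allowed(sent_name, fake_exe))
```

The content check matters as much as the name check: once a reviewer is thinking about spaces they will also think about NULs, fullwidth characters and double extensions, and an allow-list decided on the normalised name plus magic bytes closes all of those at once.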

A person would not have to be an approved friend of the sender, as Facebook allows people to send messages to those who are not their friends. The danger is that an attacker could use social engineering techniques to coax someone into launching the attachment, which could infect their computer with malicious software.

Facebook representatives contacted in London did not have an immediate response on Thursday afternoon.

The dangerous part I can see here is that Facebook allows users to send messages to anyone (with attachments) even if they are not friends. Which makes me wonder, how many random guys are sending girls they don’t know pictures of their junk as attachments on Facebook messages…

I don’t want to know really.

Anyway this should be a fairly simple fix for Facebook and I’d imagine they have probably already fixed this or will be doing so fairly soon.

19/10/11

Phishers Promote Indonesian Rock Star

In January 2011 Symantec reported adult scams that targeted Indonesian Facebook users. These scams claimed to have an application in which users could view adult videos of Indonesian celebrities, taken from hidden cameras.

It seems that phishers are now using specific celebrities as bait for their phishing sites. This is unlike the previous Indonesian adult scams, whose phishing pages gave the impression that the adult video would be of a random celebrity. In October 2011 phishers continued their adult scams on Facebook, but this time they chose the Indonesian rock star Ahmad Dhani in particular. Dhani is the frontman of the rock bands “Dewa 19” and “Ahmad Band”.

The phishing site contained a photograph of Ahmad Dhani and Indonesian singer Dewi Persik. The Indonesian caption of the photograph translated as: “To view videos of Ahmad Dhani recorded from CCTV cameras, please login below”. After users entered their Facebook login credentials, the phishing page redirected to a pornographic website. Of course, if users gave away their login credentials to the phishing site, the phishers would have successfully stolen their information for identity theft. The phishing site was hosted on a free web hosting site.



Celebrities have been a common target in phishing attacks. In the past, we have seen Aishwarya Rai and Katrina Kaif used as phishing bait. Phishers are choosing celebrities with a large fan following because they perceive a larger audience will mean more duped users.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the connection is encrypted: look for the padlock, ‘https’, or the green address bar. Bear in mind that a padlock only shows the connection is encrypted, not who runs the site, so check the domain name as well.
  • Frequently update your security software, such as Norton Internet Security 2011, to protect you from online phishing.

16/10/11

Horrible blog going around about you? Or a Twitter phishing attack?

Malicious Twitter

You may not realise it, but your Twitter account is worth money.

Cybercriminals are keen to compromise your Twitter account, so they can spam out messages (either as public tweets, or less obvious direct messages to your online friends) in the hope that some recipients will click on the links.

What lies at the end of the links can vary. It might be a webpage offering you a new wonder diet, or a pornographic website, or a link to a download designed to infect your computer.

But first they need to commandeer your Twitter account, and the simplest way for them to do this is just to ask you for your Twitter username and password.
Here's an example of the latest attack that has been seen on Twitter. The message arrives in the form of a direct message (DM), and has a pretty enticing reason for you to click on the link:

Phishing tweet
Read this yet? horrible blog going around about you [LINK]
In the example above, the DM has come from an account that has already fallen victim to the scammers. Ironically in this example, shared with us by Naked Security reader @basexperience, the owner of the account which has been taken over by cybercriminals is a division of the UK's Sussex Police Force. Whoops.
So, what happens if you click on the link?
Well, you'll be taken - via some redirects - to a website which looks like this.

Twitter phishing website

At this point, you think that your Twitter session has timed out - and you may well be tempted to enter your userid and password.

Stop. Right. There.

Let's take a closer look.

Close-up of Twitter phishing website

Did you notice? This site isn't the real twitter.com - it's a lookalike phishing site called "twittelr", designed to steal your login credentials so cybercriminals can use your account to spew out spams, scams and other nasty links. They could even read your private DMs if they wanted.
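The "twittelr" trick, the brand-as-subdomain trick and a couple of relatives can be caught mechanically once the redirects have been followed and you have the final landing URL. The following Python classifier is an added example (not from the Naked Security post, and not Twitter's own code); the legitimate domain set and the "last two labels" approximation of a registrable domain are assumptions for illustration, and real code should use the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Assumptions: where the real login page may live, and the brand word a lookalike imitates.
LEGITIMATE_DOMAINS = {"twitter.com", "t.co"}
BRAND = "twitter"


def registrable_domain(host):
    """Last two labels of the host. Simplification for the example; production code
    should consult the Public Suffix List (e.g. example.co.uk has three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to spot one-letter typosquats such as twittelr."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url):
    """Classify the URL a redirect chain finally lands on."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username:
        # https://twitter.com@evil.example/ shows the brand before the @ but goes to evil.example
        return "userinfo-trick"
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    if BRAND in host:
        # e.g. twitter.com.session-check.example: the brand is only a subdomain label
        return "brand-in-lookalike-host"
    if levenshtein(reg.split(".")[0], BRAND) <= 2:
        return "typosquat"
    if BRAND in parts.path.lower():
        return "brand-in-path"
    return "unrelated"


if __name__ == "__main__":
    # Constructed landing URLs, all in reserved or illustrative domains.
    for url in (
        "https://twitter.com/login",
        "https://twittelr.com/login",
        "http://twitter.com.session-check.example/",
        "https://twitter.com@evil.example/",
        "http://example.org/twitter.com/login",
    ):
        print(f"{classify_login_url(url):26} {url}")
```

The point of the ordering is that a hostname is checked before anything else: what appears in the path or before an @ sign is decoration the attacker controls, and only the registrable domain decides who receives the password.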

If your Twitter account has been sending out messages that you didn't authorise, change your password immediately (make sure it's unique, and you're not using it anywhere else on the web), and visit Settings/Connections to double-check that you have only allowed applications you are comfortable with to integrate with your account.


29/09/11

Don't fight cybercrime on your own - do it with Synergy!

Project Synergy is the name of an ongoing annual series of conferences organised by the Queensland Police Service.

Sophos has been sponsoring, attending and speaking at these events for several years; we've also written about them numerous times on Naked Security.

We've written about Romanian card-skimming gangs, recounted the pain suffered by the victims of hi-tech crime, presented talks on the risk posed by apparently-innocent file formats, and warned about the growing tendency of cybercriminals to target those who can least afford to get scammed.

The Project Synergy events aren't just for cops or law enforcement agents. Quite the opposite - the events are intended to bring together all of us who have an interest in helping to protect our economy from cybercrime.

If you're an anti-virus researcher, a computer security consultant, a penetration tester, a fraud investigator or an auditor; if you're from the financial sector, an ISP, a community group, a social media company, an online store (or, of course, from any branch of law enforcement), these events could be just the thing for you.
Both the size and scale of internet-enabled crime are vast, from the peddlers of fake anti-virus software who can suck in $72,000,000 by conducting nearly one million fraudulent transactions for just $75 each, to the financial scammers who spend months convincing targeted individuals to invest their entire retirement income in fraudulent schemes.

So, if you've got any interest in disrupting and preventing cybercriminality then you'll know how big a task it sometimes seems.

You probably keep asking yourself, "How can I possibly make a difference on my own?"

At the Project Synergy events, you get to meet a whole bunch of people - many of whom will become good contacts, probably even good friends - who will remind you that you aren't on your own.

You become part of a virtual global team of people who share your goals. People who can help you, and whom you can help.

I'll be heading up to the Gold Coast in Queensland, Australia, on Monday next week (03 October 2011) for the final event in this year's Project Synergy series: the Identity and Hi-Tech Crime Symposium 2011.

I'm going to be giving a live demonstration of how Search Engine Poisoning works, and how to combat it.
By the way, there are still seats left at the event, rooms at the hotel where it's being held (I just checked!), and a special delegate rate at the hotel.

So, if you're in this part of the world, why not give some thought to a last-minute registration?

It's at the Royal Pines Resort on Queensland's Gold Coast, and runs from Monday evening (03 Oct 2011) to Thursday early afternoon (06 Oct 2011). The fee is AU$1800, which includes a welcome party, a gala dinner, and luncheon plus morning/afternoon tea each day.

You also get an all-important Fiscal the Fraud Fighting Ferret laptop bag :-)
Hope to see you there!

23/09/11

Gleeonsky - first UK Promoted Tweets exploited by spammers

Glee

Surprise, surprise. Within minutes of Twitter announcing that UK brands can now target British Twitter users with promoted tweets and trends, spammers are also jumping on the bandwagon.

Twitter UK says that Sky is using its entire suite of promoted products to advertise that the TV show "Glee" returns to British TV screens tonight.

To increase awareness, Sky is using the twitter account @gleeonsky and paying for the hashtag #gleeonsky to be promoted to British Twitter users.

Of course, they're not the only ones taking advantage of the hashtag. Spammers are using it too.

Gleeonsky hashtag

I suspect that when Sky paid for the #gleeonsky hashtag to be promoted on Twitter, this isn't the kind of response they were hoping for. They wanted people to watch the TV show on Sky tonight, not to go hunting for hot photographs of Natalie Portman, Jessica Alba, Selena Gomez and others.

These aren't mischievous Twitter users, these are spam accounts set up specifically for the purposes of blurting out a message using a popular hashtag. In this case, #gleeonsky.

The spammers don't care that their accounts get reported and shut down by Twitter security, because they just create another one. And remember, they don't have to do this by hand - the whole process can be automated.

The danger is that unsuspecting users curious about a hot trend like the promoted #gleeonsky might click on one of the dodgy links above.

By the way, if they do click, Twitter users may find that they are taken to a website like this:
Unappealing website
Of course, the spammers can choose to redirect you to any webpage they like once you have clicked on the link. It could be a phishing site designed to steal your Twitter credentials, it could be a fake pharmacy, it could be a porn site or it could be a website harbouring malware.

Exploiting trending Twitter hashtags is nothing new. But as the company's business model relies more and more heavily upon convincing companies to pay big money to promote their brands in this way, there will be more pressure on Twitter to police abuse on their site and clean-up offending tweets.

nb : nakedsecurity.sophos

19/09/11

Bank of Melbourne Twitter account hacked, spreading phishing links

Summary: The Twitter account of Bank of Melbourne was compromised last Wednesday, and was used to spread phishing links as direct messages to the account followers.



The Twitter account of Bank of Melbourne was compromised last Wednesday, and was used to spread phishing links as direct messages to the account followers, according to reports coming in from affected users.
In a tweet, the bank said that:
ATTN: Unauthorised DMs sent bw 4-5pm today, do not click link. No customer/personal data compromised. Apologies for the inconvenience. ^TT
Followed by another one, once the incident was resolved:
Thanks for all your support. We take security very seriously & will be strengthening our policies to further protect our social channels ^TT
It’s worth discussing how Bank of Melbourne got its social channel hacked in the first place. Moreover, what contributed to the ease of obtaining the login credentials for its Twitter account?

For starters, it would have been highly impractical to brute force the password for their Twitter account, even though the CAPTCHA-solving step could be outsourced to vendors offering CAPTCHA-solving services to assist brute-force attacks.

Judging by the fact that the malicious attackers didn’t just spread a prank or hacktivist message using the stolen credentials, it is highly likely that the attacker has a relatively advanced understanding of how the cybercrime ecosystem works.
By spamvertising the phishing link using direct messages as an evasive element of the campaign, the attacker is attempting to take advantage of the trust factor established by the nature of direct messages.

Was Bank of Melbourne the victim of a phishing attack, or is there any chance that a malware-infected host within its network was data-mined for stored Twitter credentials?

What do you think?

nb : zdnet

15/09/11

Protect Yourself From Phishing

Most of us are familiar with the word phishing. For those who are new to the term, I am first going to explain the concept.

PHISHING:

Phishing is a technique used by malicious hackers to acquire sensitive information such as passwords, bank IDs and the login details of various accounts. The word sounds like “fishing”, and the technique is similar: the fisherman hooks a bait pretending to be real food to fool the fish in the pond, and as soon as a fish goes for the bait it is hooked and caught. Phishing on the internet works the same way, trapping people with fake login pages that the attacker either designs or finds ready-made online. The attacker creates a duplicate of a genuine page, such as a social networking site or a bank's login page, sets the trap by sending a mail to the prey, and waits for the user to fall for it. As soon as the user enters his or her details, they are caught: the login details are sent to the attacker, who now has access to that sensitive information, whether it is a social networking account or bank account details.

Phishing is usually carried out through email spoofing (sending mail with a forged sender address) and also through instant messaging. Phishing requires social engineering skills, i.e. how convincingly you can pretend to be a genuine person to the user you want to attack. This technique has caused a lot of problems for users who are easily trapped by such attacks, and it has done real damage.

After all the problems caused by phishing attacks came the concept of anti-phishing, i.e. how you can protect yourself from being caught by such attacks. These are some simple techniques that you can easily remember and use to save yourself from being attacked by malicious users.

ANTI-PHISHING TECHNIQUES:

1.Social Awareness:

One important technique is to create social awareness of phishing, so that people browsing the internet know about these attacks and become more cautious while browsing. This is necessary because most users do not even know such attacks exist, and so they easily fall into the traps set by malicious users.

2.Technical awareness:

Technical awareness means the ability to tell fake web pages from legitimate ones. If you pay attention you can usually spot a fake page from the URL itself, since most phishing URLs differ from the original URL of the website. If you can recognise the legitimate page's URL, you will easily be able to distinguish fake from legitimate pages.

But these days attackers use techniques that make the URL so complicated that it is quite difficult to tell a fake site from a legitimate one. Many browsers, Internet Explorer among them, now highlight the domain name in black and show the rest of the URL in a lighter colour, so that the user can easily pick out the domain name of the page and identify it.

3. E-mail authentication:

This is quite an important technique if you want to save yourself from phishing. Most phishing relies on email: the attacker sends you an email pretending to be a genuine company or a site administrator, containing a link that redirects you to a page that looks legitimate. So how do you know whether an email is genuine or fake? Some companies or websites use particular notations or signs that phishers do not have access to, so if anything in the email's language feels different, do not trust it. There is usually contact information in the email, but do not use it to verify the message: a phisher controls everything inside the mail. Instead, look up the contact details on the company's official website, or use a telephone number you already have, and ask whether the message is legitimate.
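Beyond a human sanity check, receiving mail servers increasingly record the result of their own checks on the message in an Authentication-Results header (RFC 8601), covering SPF, DKIM and DMARC. This goes beyond what the post describes, and is added here as an example, not as the original author's method; the parser below is illustrative Python, and the sample header, the authserv-id mx.example.test and the sending domain are constructed placeholders.

```python
import re

# Constructed Authentication-Results value as the receiving server would add it.
SAMPLE_HEADER = (
    "mx.example.test; spf=fail smtp.mailfrom=pp-example.test; "
    "dkim=none; dmarc=fail (p=reject) header.from=paypal.com"
)

METHODS = ("spf", "dkim", "dmarc")


def parse_auth_results(header):
    """Return {"authserv_id": ..., "spf": ..., "dkim": ..., "dmarc": ..., "header_from": ...}
    from an Authentication-Results header value. The leading token identifies the
    server that performed the checks; each later clause is method=result."""
    authserv_id, _, rest = header.partition(";")
    results = {"authserv_id": authserv_id.strip()}
    for clause in rest.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    m = re.search(r"header\.from=([^\s;]+)", rest)
    if m:
        results["header_from"] = m.group(1).lower()
    return results


def verdict(results):
    """'pass' when DMARC passed, meaning the domain in the From header was itself
    authenticated and aligned; 'fail' when any checked method failed; 'unknown'
    when nothing was checked or only SPF passed (SPF vouches for the envelope
    sender, not for the From header the reader sees)."""
    checked = {m: results[m] for m in METHODS if m in results}
    if not checked:
        return "unknown"
    if checked.get("dmarc") == "pass":
        return "pass"
    if any(r == "fail" for r in checked.values()):
        return "fail"
    return "unknown"


if __name__ == "__main__":
    parsed = parse_auth_results(SAMPLE_HEADER)
    print(parsed)
    print("verdict:", verdict(parsed))
```

Two caveats a practitioner keeps in mind: only trust an Authentication-Results header whose authserv-id is your own mail server, since an attacker can add a forged one upstream, and a DMARC pass only proves the mail came from the domain it says; a lookalike domain that sets up SPF and DKIM correctly will pass, so the domain check still has to be made separately.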

Now most of you might be thinking that fake emails are automatically sent to the spam folder of your mail system, but this is not true. Attackers have developed so many new techniques that even the best email system cannot separate all of them from regular email. So do not be fooled into thinking that every fake email ends up in the spam folder. I am telling you this from my own personal experience and it's 100% true.

If you follow these techniques, the chance of falling into such a trap is greatly reduced. Do tell me your views on this topic.

nb : techbugs