Latest Malicious Websites Identified by Norton Safe Web
Posted on by Zuly GonzalezCategories Computer Security, Fun Friday, Web SecurityLeave a comment on Latest Malicious Websites Identified by Norton Safe Web

Norton Safe Web LogoIn this Fun Friday post, I’m going to share the 10 latest malicious websites, as identified by Norton Safe Web. Norton Safe Web analyzes websites for safety and security problems.

  1. thebizblueprint.com: 22 computer threats identified by Norton Safe Web.
  2. gtr2.com: 17 computer threats identified by Norton Safe Web.
  3. zabukym.co.cc: 6 computer threats identified by Norton Safe Web.
  4. yahoochas.info: 2 computer threats identified by Norton Safe Web.
  5. facebook-surprise4mf.tk: 2 computer threats identified by Norton Safe Web.
  6. maalliso.strefa.pl: 942 computer threats identified by Norton Safe Web.
  7. bosladen.strefa.pl: 1425 computer threats identified by Norton Safe Web.
  8. wiehldesigns.com: 36 computer threats identified by Norton Safe Web.
  9. itemcreator.tk: 2 identity threats identified by Norton Safe Web.
  10. yabigson.fileave.com: 3 computer threats identified by Norton Safe Web.

What Is Norton Safe Web?

Norton Safe Web is a reputation service from Symantec. Their servers analyze websites to see how they will affect your computer, and let you know if a particular website is safe to visit before you view it.

This service is not guaranteed to be 100% accurate, so as always, please use caution when browsing the web. If Norton Safe Web identifies a site as malicious, you can be confident in those results. However, it not finding any threats on a site, does not guarantee that the site is safe to browse.

What Is Fun Friday?

I created the Fun Friday category to be a collection of very short, and easy to read, posts. The intention is to provide useful information in a compact form factor. These posts will showcase short videos, graphs, top 10 lists, and anything else that can be digested quickly.

In this Fun Friday [/content/category/fun-friday] post, I’m going to share the 10 latest malicious websites, as identified by Norton Safe Web. Norton Safe Web analyzes websites for safety and security problems.

  1. thebizblueprint.com: 22 computer threats identified [http://safeweb.norton.com/report/show?name=thebizblueprint.com] by Norton Safe Web.
  2. gtr2.com: 17 computer threats identified [http://safeweb.norton.com/report/show?name=gtr2.com] by Norton Safe Web.
  3. zabukym.co.cc: 6 computer threats identified [http://safeweb.norton.com/report/show?name=zabukym.co.cc] by Norton Safe Web.
  4. yahoochas.info: 2 computer threats identified [http://safeweb.norton.com/report/show?name=yahoochas.info]by Norton Safe Web.
  5. facebook-surprise4mf.tk: 2 computer threats identified [http://safeweb.norton.com/report/show?name=facebook-surprise4mf.tk]by Norton Safe Web.
  6. maalliso.strefa.pl: 942 computer threats identified [http://safeweb.norton.com/report/show?name=maalliso.strefa.pl]by Norton Safe Web.
  7. bosladen.strefa.pl: 1425 computer threats identified [http://safeweb.norton.com/report/show?name=bosladen.strefa.pl]by Norton Safe Web.
  8. wiehldesigns.com: 36 computer threats identified [http://safeweb.norton.com/report/show?name=wiehldesigns.com]by Norton Safe Web.
  9. itemcreator.tk: 2 identity threats identified [http://safeweb.norton.com/report/show?name=itemcreator.tk]by Norton Safe Web.
  10. yabigson.fileave.com: 3 computer threats identified [http://safeweb.norton.com/report/show?name=yabigson.fileave.com]by Norton Safe Web.

What is Norton Safe Web?

Norton Safe Web is a reputation service from Symantec. Their servers analyze websites to see how they will affect your computer, and let you if a particular website is safe to visit before you view it.

What is Fun Friday?

I created the Fun Friday category to be a collection of very short, and easy to read, posts. The intention is to provide useful information in a compact form factor. These posts will showcase short videos, graphs, top 10 lists, and anything else that can be digested quickly.

Free Black Hat Webcast: Attacking With HTML5
Posted on by Zuly GonzalezCategories Computer Security, Events, Resources, Security, Web Security1 Comment on Free Black Hat Webcast: Attacking With HTML5

Black Hat LogoThe founders of the Black Hat conference, the best computer security conference in the world, will be hosting a free webcast. The webcast, Attacking with HTML5, will be held on December 16, 2010 at 2:00 PM EST. You can register for the Black Hat webcast here.

Black Hat has been hosting security webcasts since July 2008. The Black Hat webcasts are a regular series of live web events focusing on what’s hot in Information Security. Each month, they bring together Black Hat speakers, independent researchers and leading experts to discuss relevant topics in security, and give you a chance to ask questions live. You can see a list of all the previously recorded Black Hat webcasts here.

Attacking With HTML5 Description

HTML5 is a set of powerful features aimed at moving the web applications closer to existing desktop applications in terms of user experience and features. HTML5 is not the technology of the future as many believe; it is available right now in almost all modern browsers. Though the widespread use of HTML5 by websites is still a few years away, the abuse of these features is already possible.

Web developers and users assume that just because their site does not implement any HTML5 features that they are unaffected. A large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.

This presentation will show how existing ‘HTML4’ sites can be attacked using HTML5 features in a number of interesting ways. Then we look at how it is possible to use the browser to perform attacks that were once thought to require code execution outside the sandbox. Finally, they will look at an attack where the attacker is not interested in the victim’s data or a shell on the machine, but is instead after something that might perhaps even be legal to steal.

Special Offer for Black Hat DC 2011

If you register for the free webcast, you will receive $250 off of a new registration to the Black Hat DC 2011 Briefings (Training classes are excluded). When you register for the webcast you will receive a discount code in your confirmation email to use when registering for the Black Hat DC 2011 Briefings.

Do you know of any other security webcasts? Share with us in the comments.

Black Hat DC 2011 Conference
Posted on by Zuly GonzalezCategories Events, Security, Web Security2 Comments on Black Hat DC 2011 Conference

The Black Hat conference is the biggest, and most important security conference in the world. Black Hat has become a premiere venue for elite security researchers, and serves the information security community by delivering timely, and actionable, security information. The Black Hat conference series is now held four times a year

  • Black Hat DC: January 16-19, 2011 in Arlington, VA
  • Black Hat Europe: March 15-18, 2011 in Barcelona, Spain
  • Black Hat USA: July 30 – August 4, 2011 in Las Vegas, NV
  • Black Hat Abu Dhabi: November 2011 in United Arab Emirates

and is separated into a training portion and a briefings portion.

Black Hat DC 2011 Conference

The Black Hat Briefings are a series of highly technical information security presentations that bring together leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and knowledge.

Black Hat also provides hands-on, high-intensity, multi-day Trainings. The training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees.

The 2011 Black Hat DC conference will be held January 16 – 19 at the Hyatt Regency in Arlington, VA. The training portion of the conference will be from January 16 to 17, and the briefings portion will be from January 18 to 19.

Black Hat DC 2011 Registration Fees

Registration is now open for the 2011 Black Hat DC conference, and the registration fee schedule is as follows:

  • Briefings
    • Regular: $1395 (ends Dec 15)
    • Late: $1595 (ends Jan 15)
    • Onsite: $1895 (Jan 16 – Jan 19)
    • Academic: $600 (ends Dec 15)
    • Group: 10% – 15% discount (ends Dec 15)
    • Press: $0
  • Training
    • $1800 – $3800 per course

Group Registration: There is a 10% discount for groups of 6 or more. Groups of 12 or more receive a 15% discount. This discount rate applies to the Briefings portion only. If there are 4 or more people from your group attending the same training class and session, you can also qualify for a discount on the Training portion. The discount will be based on the rate at the time that you submit your group registration agreement form. Group registrations must be paid by Dec 15.

Academic Registration: The Academic registration is available to those who are either full-time students or full-time professors at an accredited university. The academic registration rate is $600, but gives you access to the Briefings portion only. Registration for the Academic pass ends on December 15, 2010.

Press Registration: Any media member that works for a publication that covers computer security on a regular basis can apply for a free press pass. Be prepared to show copies of your articles, a business card, and your assignment editor’s contact information. The press pass is normally only granted for the Briefings portion, but in very rare cases may be granted for the Training portion as well. During the conference a press room with internet access will be provided, and a separate room for filming interviews may also be available.

Briefings for Black Hat DC 2011

The 14 briefings that will be presented at the 2011 Black Hat DC are as follows:

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Speaker: David Perez

In this presentation they will show a practical attack against GPRS, EDGE, UMTS and HSPA (2G/3G) mobile data communications. They will demonstrate that an attacker with a budget of less than $10,000 can set up a rogue BTS, make the victim devices connect to such BTS, and gain full control over the victim’s data communications. Two vulnerabilities make the attack possible: first, the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack, and second, the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices.

Counterattack: Turning the tables on exploitation attempts from tools like Metasploit
Speaker: Matthew Weeks

In hostile networks, most people hope their con kung-fu is good enough to avoid getting owned. But for everyone who has ever wanted to reverse the attack, not getting owned is not enough. We will see how it is often possible for the intended victim to not only confuse and frustrate the attacker, but actually trade places and own the attacker. This talk will detail vulnerabilities in security tools, how these vulnerabilities were discovered, factors increasing the number of vulnerable systems, how the exploits work, creating cross-platform payloads, and how to defend yourself whether attacking or counterattacking. The audience will be invited to participate as complete exploit code will be released and demonstrated against the Metasploit Framework itself.

Checkmate with Denial of Service
Speaker: Tom Brennan

Denial-Of-Service is an attempt to make a computer resource unavailable to its intended users. A new and very lethal form of Layer 7 attack technique, which uses slow HTTP POST connections, was discovered. An attacker will send properly crafted HTTP POST headers, which contains a legitimate “Content-Length” field to inform the web server how much of data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up precious server resources.

They will demonstrate how an “agentless” DDOS botnet can be created via malicious online games and how a victim website can be brought down in matter of minutes using the HTTP POST DDOS attack.

The Getaway: Methods and Defenses for Data Exfiltration
Speaker: Sean Coyne

There are several stages to a successful cyber attack. The most crucial of which is also the least discussed: data theft. Whether it be financial information, intellectual property, or personally identifiable information; the most valuable thing on your network is the data. Intruders may get in, but until they get out with what they came for, the game’s not over. During this presentation they will take a look at some of the advanced methods of stealing data they have recently encountered in the field, including: preparing and cleaning staging areas, avoiding DLP/traffic scanning products, and how attackers use a victim’s own infrastructure and architecture against them.

De-Anonymizing Live CDs through Physical Memory Analysis
Speaker: Andrew Case

Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations. In order to solve this problem, they present a number of techniques that allow for complete recovery of a live CD’s in-memory filesystem and partial recovery of its previously deleted contents. They also present memory analysis of the popular Tor application as it is used by a number of live CDs in an attempt to keep network communications encrypted and anonymous.

Beyond AutoRun: Exploiting software vulnerabilities with removable storage
Speaker: Jon Larimer

Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, they will examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. There’s a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells aren’t totally useful when performing an attack locally from a USB drive, they will look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities aren’t just limited Windows systems, they will provide a demonstration showing how they can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC.

Malware Distribution via Widgetization of the Web
Speaker: Neil Daswani

The Web 2.0 transformation has in part involved many sites using third-party widgets. They present the “widgetized web graph” showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets.

Attacking Oracle Web Applications With Metasploit
Speaker: Chris Gates

In 2009, Metasploit released a suite of auxiliary modules targeting oracle databases and attacking them via the TNS listener. This year lets security test Oracle but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, lets see what can be done with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. They will also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

Inglourious Hackerds: Targeting Web Clients
Speaker: Laurent Oudot

This talk will look at technical security issues related to multiple internet web clients. While such tools are used to crawl the internet and retrieve information, there might exist many scenarios where evil attackers can abuse them. By studying the protocols, and by doing some kind of fuzzing operations, they will show how TEHTRI-Security was able to find multiple security issues on many handled devices and workstations.

Hacking the Fast Lane: security issues with 802.11p, DSRC, and WAVE
Speaker: Rob Havelt

The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages, either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC.

Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. They will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations.

Your crown jewels online: Attacks to SAP Web Applications
Speaker: Mariano NUNEZ Di Croce

“SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

Kernel Pool Exploitation on Windows 7
Speaker: Tarjei Mandt

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic “write 4” techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, they show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, they show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, they conclusively propose ways to further harden and enhance the security of the kernel pool.

Identifying the true IP/Network identity of I2P service hosts
Speaker: Adrian Crenshaw

They will present research into services hosted internally on the I2P anonymity network, especially I2P hosted websites known as eepSites, and how the true identity of the internet host providing the service may be identified via information leaks on the application layer. By knowing the identity of the internet host providing the service, the anonymity set of the person that administrates the service can be greatly reduced. The core of this presentation will be to test the anonymity provided by I2P for hosting eepSites, focusing primarily on the application layer and mistakes administrators may make that could expose a service provider’s identity or reduce the anonymity set they are part of. They will show attacks based on the intersection of I2P users hosting eepSites on public IPs with virtual hosting, the use of common web application vulnerabilities to reveal the IP of an eepSite, as well as general information that can be collected concerning the nodes participating in the I2P anonymity network.

Responsibility for the Harm and Risk of Software Security Flaws
Speaker: Cassio Goldschmidt

Who is responsible for the harm and risk of security flaws? The advent of worldwide networks, such as the internet, made software security an international problem. There are no mathematical risk models available today to assess networked systems with interdependent failures. Experience suggests that no party is solely responsible for the harm and risk of software security flaws, but a model of partial responsibility can only emerge once the duties and motivations of all parties are examine and understood.

This presentation describes the role of each player involved in the software lifecycle and the incentives (and disincentives) they have to perform the task, the network effects of their actions, and the results on the state of software security.

Black Hat DC 2011 Conference

Training Courses for Black Hat DC 2011

There will be 11 courses offered at the 2011 Black Hat DC conference, ranging in price from $1800 to $3800 per course. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered for each class. The 11 courses are as follows:

Cyber Network Defense Bootcamp
Trainer: Adam Meyers

A two day workshop focusing on the progression from incident identification, investigation and malware analysis to explaining to management why it matters. In other words, how to go from geek to sleek.

Real World Security: Attack, Defend, Repel
Trainer: Peak Security

An intensive two day course for security professionals that want to up the ante on their current skill sets in offensive and defensive security. Learn new tactics and receive guidance from expert instructors while you test yourself in a team vs team environment.

Designing Secure Protocols and Intercepting Secure Communication
Trainer: Moxie Marlinspike

This training covers both designing and attacking secure protocols. Attendees will learn the fundamentals of how to design a secure protocol, and be armed with the knowledge of how to evaluate the security of and discover weaknesses in existing protocols.

CISSP Boot Camp (Four Day Course – Jan 16-19)
Trainer: Shon Harris

This Logical Security course trains students in all areas of the security Common Body of Knowledge (CBK). Using this course, students prepare for the exam, while at the same time obtaining essential security knowledge that can be immediately used to improve organizational security.

Information Assurance Officer (IAO) Course (CNSS-4014E) Certified
Trainer: Information Assurance Associates (IA2)

Very intense, highly concentrated, non-technical professional training necessary to achieve the fundamental knowledge needed to define, design, integrate and manage information system security policies, processes, practices, and procedures within federal interest information systems and networks.

Tactical Exploitation
Trainer: Val Smith

Using a combination of new tools and lesser-known techniques, attendees will learn how hackers compromise systems without depending on standard exploits.

Virtualization for Incident Responders
Trainer: Eric Fiterman, Methodvue

Principles and techniques for recovering evidence from virtualized systems and cloud environments – this course is intended for information security personnel who are responsible for handling incidents involving virtual infrastructure, cloud service providers, or desktop virtualization platforms.

Digital Intelligence Gathering Using Maltego
Trainer: Paterva

Unlock the true potential and raw power of Maltego. Learn how to navigate and map the internet’s darkest rivers.

TCP/IP Weapons School 3.0
Trainer: Richard Bejtlich, TaoSecurity

Use the network to your advantage while building incident detection and response skills to counter advanced and targeted threats.

Database Breach Investigations: Oracle Edition
Trainer: David Litchfield

This training course will teach students the tricks and techniques hackers use to break into Oracle database servers and then how to peform a database security breach investigation covering evidence collection, collation and analysis using V3RITY for Oracle, the world’s first database specific forensics and breach investigation tool.

Windows Physical Memory Acquisition and Analysis
Trainer: Matthieu Suiche

Learn all about memory dumps, including how they work and deep analysis using Windbg.

Black Hat DC 2011 Conference

More on Black Hat

You can follow Black Hat on Twitter, Facebook, and LinkedIn.

Twitter: Black Hat has two accounts on Twitter. For security research and updates on Black Hat events, follow @blackhatevents. For behind the scenes information from Black Hat HQ staff members, follow @blackhathq.

Facebook: Black Hat maintains an active Facebook page to communicate with members of the security community and provide information updates.

LinkedIn: Black Hat also maintains a LinkedIn group to reach out to professional security experts and provide information updates.

Will you be attending Black Hat DC 2011? Have you attended past Black Hat events? If so, what did you like the best?

Citibank Email Phishing Scam Targets Federal Government Employees
Posted on by Zuly GonzalezCategories Security, Web SecurityLeave a comment on Citibank Email Phishing Scam Targets Federal Government Employees

I received the below email phishing scam spoofing Citibank. Along with running Light Point Security, I’m also a government employee.

Citibank Phishing Email Scam Linking to Malicious digikad.ro

The subject of the Citibank email scam is “Message ID: 72195”. As soon as I saw that subject line, I knew it was a scam, because it’s too generic. I wanted to get more information about this phishing scam, so I opened the email using Light Point Web to avoid downloading any malware.

The email says it is from “Citibank – Service” and the email address associated with that account is citibank.service@serviceemail.citibank.com. The body of the email message says, “You have received an urgent system message from the Citibank Department. To read your message, please, go to your account immediately.” You’d think that for such an urgent message they would have taken the time to provide a more descriptive subject line.

The link in the scam email points to the Romanian domain online.citibankcom.US.JPS.portal.Index.do.jTgFfNULSY.digikad.ro.

Citibank Email Phishing Scam Malicious Domain digikad.ro

The Norton site rating for digikad.ro identified 4 identity threats on the phishing site. Norton defines identity threats as items such as spyware or keyloggers that attempt to steal personal information from your computer.

Norton Rating For Malicious digikad.ro Domain of the Citibank Phishing Email Scam

How to Protect Yourself From Phishing Scams

Here are 4 things you can do to protect your identity, and personal information, from malicious phishing email scams.

  • If you receive an email message claiming to be from Citi, or Citibank, with the subject line Message ID: [set of two numbers here], do not open it, and delete it right away.
  • If you receive an email message from Citi, or Citibank, and are not sure if it’s a legitimate message, call Citi to confirm the email. Your account has a log of the email messages Citi has sent you. The Citi representative can tell you if they’ve sent you any recent emails. Citi’s 24 hour customer service number is 1-866-670-6462.
  • If you mistakenly open the email message, and it states that you need to check your Citi messages, or inbox, open up a new browser window and login directly to your Citi account. Never click on a link in these email messages. If after logging in to your online account, you don’t have any recent messages from Citi, you can be sure the email you received is a phishing scam. Delete it immediately.
  • If there is a link in an email message you are unsure about, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting, it’s likely a phishing scam. In this Citibank scam email the link points to the digikad.ro website, not a legitimate Citi website. Note that the scammers tried to make it look like a legitimate Citi website by including citibankcom as part of the URL. Also notice the strange http-like characters at the beginning of the URL.

Malicious Citibank Email Phishing Scam Expanded Domain With Explanation

Citi will never ask you for your password, or to update personal information via email. If you receive a suspicious email claiming to be from Citi, or Citbank, forward it to submitphishing@citi.com.

Have you received similar phishing emails claiming to be from Citi? Let us know.

The Facebook Will Start Charging Scam
Posted on by Zuly GonzalezCategories Web SecurityLeave a comment on The Facebook Will Start Charging Scam

With over 400 million users, Facebook is a constant target of online criminals and scam artists. The “Facebook will start charging” scam has been around since last year, yet people are still falling for it. Even worse, there’s been an increase in these types of scams over the last couple of months.

How the Facebook Will Start Charging Scam Works

Online criminals create Facebook pages claiming that Facebook will begin charging some monthly fee. For example, the page “I won’t pay $3.99 to use Facebook starting in July” is a scam. And the page “I will not pay to use Facebook as of Sept 7th 2010” is also a scam.

In fact, Facebook spokesman Larry Yu stated, “We have absolutely no plans to charge for the basic service of using Facebook.”

Facebook Will Start Charging Scam Page

There are many variations on this theme, and they’re all scams. I searched on Facebook for “Facebook pay” and got 287 page results (see below). And every single one of these pages is a scam! The top result had 7661 fans.

Just out of curiosity, I searched for “Facebook pay” again the following day and noticed that the pages are growing. The top result went from 7661 fans to 7844 fans and the second result went from 6877 fans to 6899 fans. So it looks like things are going in the wrong direction.

Facebook Will Start Charging Scam Search Results Facebook Will Start Charging Scam Search Results

Online scammers create Facebook pages (and groups) in an attempt to trick people into divulging their personal information, downloading malicious content, or inviting their friends to join the page. In the case of the “Facebook will start charging” scam, it seems the most common method is to get people to invite their friends to the page in an attempt to amass a large number of fans they can then sell to unsuspecting businesses.

Just take a look at the information on the “I will not pay to use Facebook as of Sept 7th 2010” page:

I Will Not Pay for Facebook Scam Page Description

And if you look at the information on some of the other Facebook Pay pages, you will notice that they don’t ask you for any personal information, or ask you to download something, or ask you to go to another website. The main thing these pages are asking people to do is to invite all of their friends. But that doesn’t mean there aren’t malicious links showing up on these pages, so be careful, and don’t click on any links in these pages.

So now that you know the truth, don’t join any Facebook pages claiming that Facebook will start charging.

How to Protect Yourself on Facebook

For the most part, these Facebook Pay pages weren’t setup to steal your personal information – although I didn’t look at every single page. And even if they were setup for that purpose, you usually have to take some action for this to occur.

But joining not only encourages criminals to keep coming up with these scams, it also puts your friends at risk. How? Well, as soon as you join, it’s displayed on your friends’ news feeds. A friend could see it and then join the group.

So, other than the obvious don’t join advice, here are a few other tips to help keep you and your friends secure while on Facebook:

  • If you see your friends joining these Facebook Pay pages, warn them about the scam and tell them to remove themselves from the page.
  • Spread the word. Scammers take advantage of the fact that people aren’t aware of these scams to do their dirty work. If people are informed of the risks, then it becomes a lot harder to get away with it. So tell your Facebook friends, and send them a link to this post, or any other post on the topic.
  • Be suspicious of any Facebook page that makes it easy for you to invite your friends, asks you to download something, or asks for your personal information in return for something else.
  • Always check the page’s wall before joining. There are legitimate reasons why you may be asked to download and install something from Facebook pages. However, there are also plenty of malicious programs out there. The legitimate stuff will, for the most part, work as advertised. On the other hand, the malicious stuff usually won’t work at all. So if you go to the page’s wall and see a lot of people complaining about the fact that it doesn’t work, stay away! Odds are it’s malware. And I’m not talking about a couple of bad reviews, because even the legitimate programs will get bad reviews every now and then. But if you see mostly complaints, then it’s likely to be malware. And even if it’s not, why waste your time, it obviously doesn’t work!
  • Join the Facebook Security page to get the latest security updates from Facebook, or visit Facebook’s Safety Center.
  • Read and follow the 5 most important steps for internet security to protect your computer from online criminals.

Have you come across this scam? Have you come across any other Facebook scams lately? What other ways of staying safe on Facebook do you recommend?

 

As Strong As Your Weakest Link
Posted on by Beau AdkinsCategories Web SecurityLeave a comment on As Strong As Your Weakest Link

The weakest linkWhen trying to evaluate your own security, remember the old addage: “A chain is only as strong as its weakest link.” Here is story of some recent experiences I had which reinforced this for me.

About a month ago, I started seeing all kinds of articles online related to a massive amount of websites being hacked. Most of these hacks were WordPress sites hosted with a large hosting company such as GoDaddy. This site is WordPress hosted by GoDaddy, so when I saw this, I was very interested.

I read the articles to find out how to know if your site had fallen victim to this. The main goal of this attack was to place a bit of php code into every WordPress file on your server. When WordPress would serve up a page, this code would be executed. The result would be a redirect placed in each page that a user of your site would see. This would redirect the user to a malicious website which would attempt to exploit your site’s visitors.

I immediately checked the content of my site and was relieved to find that my site appeared unhacked. But I was not out of the woods yet. No one yet had figured out how the hack was able to infiltrate all these systems. Many people were blaming it on a flaw in WordPress. Others were blaming it on a flaw with GoDaddy’s hosting. Until I figured out where the flaw was, I was still at risk.

This hack was showing up on web platforms other than WordPress. This makes it seem like it couldn’t be a problem with WordPress that was allowing this to happen. But, it was also happening on hosting providers other than GoDaddy. On top of that, if it were a flaw in WordPress or GoDaddy, this hack would be capable of showing up on many more high-traffic pages. You would think that a hacker armed with an unknown exploit with such power would hit the biggest targets available, instead of just a few tiny blogs.

GoDaddy was blaming it on people using out of date WordPress installations. However, I read many articles reporting about people who got hacked, rebuilt their sites with the newest version of everything, and then immediately being hacked again.

The root cause of this hack still hasn’t been figured out as far as I know. I have read that a large number of the affected sites had some weak passwords. At this point, I believe this to be it, but there is no way for me to know for sure. I use very strong passwords. Maybe this is what saved me. Or maybe the hackers just hadn’t found this site.

The moral of the story is to remember you are only as secure as your weakest link. You can build a house out of solid steel with a vault door and barred windows, but if you leave a spare key under your doormat, how much more secure are you? WordPress and GoDaddy can be completely secure, but a guessable password makes it irrelevant.

Latest Twitter Email Phishing Scam
Posted on by Zuly GonzalezCategories Web SecurityLeave a comment on Latest Twitter Email Phishing Scam

The latest phishing scam targeting Twitter users is in the form of an email message claiming to be from Twitter Support. The subject line of the fake email message starts off with the word Twit and is followed by a set of numbers. These numbers will vary from email to email. The email message claims that you have some number of “unreaded” or delayed messages from Twitter, and provides a link to supposedly check your “unreaded” messages. How nice of them! But instead the link takes you to a malicious phishing website.

There are actually two links in the fake email message, both linking back to malicious phishing websites. Don’t click on either of them! Here’s what the email looks like:

Twitter unreaded email phishing scam

According to Twitter Safety, Twitter Support doesn’t send emails about unread messages.

Twitter safety email phishing scam alert

What Can You Do?

Here are 7 things you can do to protect yourself, and avoid becoming a victim of email phishing scams.

  • If you receive an email message claiming to be from Twitter or Twitter Support with the subject line Twit [set of two numbers here], do not open it and delete it right away.
  • If you receive an email with bad English or misspellings, most likely it’s a scam. For example using the word unreaded instead of unread. Don’t click on any links in the email or download any attachments.
  • Don’t click on links in email messages. Always go to the site directly and log in to your account to check it out.
  • If you must click on a link in an email, for example it’s not a check your account status type of email, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting to go to, don’t click on the link. In the case of this recent Twitter scam, the URL in the status bar doesn’t link to twitter.com. Instead it links to dev.somedomainname.com.

Twitter email phishing scam domain name on status bar

  • Note that the only domain name used by Twitter is twitter.com. Any URL that doesn’t start with http://twitter.com/ is not an official Twitter page. That’s not to say it’s a malicious site, it’s just not an official Twitter page, so use caution when going to these sites.
  • If you have a Twitter account, follow Twitter Safety or Twitter Spam to get the latest news about known Twitter scams.
  • Read and follow the 5 most important steps for internet security to protect your computer from these cyber crimes.

Image credits: Fake Twitter email, Twitter Safety tweets

Why You Are Not “Good Enough” to Avoid Malware
Posted on by Beau AdkinsCategories Web SecurityLeave a comment on Why You Are Not “Good Enough” to Avoid Malware

Compiling CodeIn my line of work, most of my colleagues are very technically savvy. Sometimes I will ask them about their views on different computer security products. More often than I would expect, I receive this response: “Oh, I think that is really important, but I don’t need it because I know what I’m doing.” When I press more on what it is they are doing that makes them immune, here are some of the possible responses, and my thoughts on each.

I’m careful where I click

Hmm, thats good. How are they careful. Maybe they don’t go to any site they haven’t heard of? So googling something, and clicking that perfect result is out of bounds for this person? Never clicking any link that has been run through a URL shortener like is so common on twitter? Staying away from sites that show ads? Never going to a site which doesn’t have perfect server security? If they did all these things then they really aren’t browsing at all. ANY site can be bad.  There are just too many ways that even the most trustworthy site can be turned malicious –  I will save that for another post.

I don’t use Windows

First off, I love Windows. It is my OS of choice, but it saddens me to say that this tactic does help. But why? Because Windows sucks? Not really, it is just a matter of targeting. When a hacker writes an exploit, he wants it to work on as many people as possible. Since most of the world uses Windows, he writes his exploit for Windows. It doesn’t mean he couldn’t have written it for any other OS, and there are times when hackers do write the exploits for the other OS’s. So while using a different OS will get you by most of the malware on the web, you are still counting on luck.

I’ve never gotten a virus before…

This one is classic on so many levels. So you’ve never been infected with malware before, therefore you must be immune… Hmmm, ok, lets assume that to be true, even though a child could tell you that it’s NOT. If you never use anti-malware products, and you have never been infected by anything, that tells me that you have never been infected by a poorly-written, or relatively harmless piece of malware. Those are the ones that you would be aware of if you were infected. A relatively harmless piece of malware would have a juvenile purpose: changing your desktop wallpaper, or showing you popups for porn sites. Not so bad. If the malware were more sinister, they want to make sure you don’t know they are there. They want to steal things from you without your knowledge. But if they are poorly written, they can crash your computer or other applications. But if it’s a well-written sinister piece of malware, that’s bad. You will not know it is there just by using your computer normally. Software specifically designed to find this stuff is the only way to know if it is there. You know, like anti-virus products.

Don’t fall into the trap in thinking you are just too smart to get infected online. It is a dangerous place out there, and it’s actually getting worse. In the old days, hackers wrote malware just to mess with people. Now they make money off of it. They are smart, and persistent. Do everything that you can to protect yourself. Here is a good starting point.

Spammers Create Fake Facebook Profiles
Posted on by Zuly GonzalezCategories Web SecurityLeave a comment on Spammers Create Fake Facebook Profiles

Have you received a friend request on Facebook from a hot girl you don’t recognize? You say what the heck, I don’t know her, but she’s hot, so yeah I’ll be your friend. Bad move! Take a look at the profile below, see anything strange?

Fake Facebook User Profile Maybe you received a friend request from someone you don’t recognize with a lot of mutual friends. So you accept the request thinking, well I probably met this person at some point. Wrong again.

Facebook spammers are now creating fake user profiles to amass a large number of “friends” they can then sell to unsuspecting businesses. These businesses may have seen an ad similar to this one:

Spammer Advertising

Soon after you accept requests from these fake users, you start getting invitations to join Facebook fan pages. This is how spammers create artificial word of mouth marketing.

Worse yet, now these spammers have access to personal information you’ve marked as viewable by friends only. This includes two very important pieces of information, your birthdate and location. This can possibly lead to identity theft!

What Can You Do?

  • Avoid friending anyone you don’t recognize. Hot girls aren’t the only threat, it could be a hot guy, or a normal looking person.
  • Ask a real friend. If you get a friend request from someone with mutual friends, send your real friends a message and ask them about this person you don’t recognize. If several of your real friends tell you they don’t actually know this person, stay away!
  • Look through your current friend list. Remove anyone you don’t recognize, especially if they’re constantly inviting you to join Facebook pages.
  • Spread the word. Spammers get away with this because most people aren’t aware of these threats. So tell your friends.

Have you seen any other suspicious Facebook activity? Let us know.

Beware, Facebook Password Email Scam
Posted on by Zuly GonzalezCategories Web SecurityLeave a comment on Beware, Facebook Password Email Scam

There is yet another Facebook email scam going around. This time victims receive an email with the subject line “Facebook Password Reset Confirmation! Customer Support”. The email instructs the victim to click on an attachment in order to retrieve the password. The attachment is really a password stealer, and once installed it can potentially access any username and password combination utilized on that computer – not just for the user’s Facebook account. Here is an example of what the Facebook password reset scam email looks like.

Facebook Password Reset Email Scam Example

Facebook never sends emails alerting a user that they changed his or her password. If you receive this email, delete it right away and do not click on the attachment. To protect your computer from this type of cybercrime, follow The 5 Most Important Steps for Internet Security. Also, visit the Facebook Security page for tips on protecting yourself from scams on Facebook.

To get more details on this Facebook email scam, read the McAfee Labs Blog.

Categories
Archives