Archive for March, 2011

Facebook like-jacking trades in celebrities for T&A

Monday, March 28th, 2011

by David Michmerhuizen – Security Researcher

Two weeks ago Facebook saw a wave of celebrity like-jacking attacks which Barracuda Labs detailed in a post describing their Open Graph underpinnings.  Those attacks used teen celebrities as their bait – Justin Bieber and Miley Cyrus were prominent themes.

After a slight hiatus, the scammers are back with the same software but a different approach.  They’re targeting a tried and true Internet meme – T & A.

like-jack posts in friends feed

Clicking on one of these links in a friend feed takes you away from Facebook to another site.  In the previous campaign, these throw-away sites were registered with names like girl-gets-caught.info or daddy-bustedonline.info, and the scam pages were formatted to look like YouTube videos.

Now that they’ve added more salacious come-ons, at least some of the pages are formatted to look like gossip sites.

Like-jack attack page

Just as before, the page uses Facebook's Open Graph markup and the Like plugin to build an oversized 'like' button styled to look like a movie preview pane. Clicking on the preview pane does two things: it posts a 'like' for the scam page to your own news feed, and it then serves up a set of scammy surveys and questionable product offerings under the guise of a 'security check'.

Survey delivery dialog

If you click all the way through any of these offerings, the like-jack page creators are paid an affiliate fee. Entering personal information into any of these 'surveys' is a reliable way to end up on spam lists, and many of them solicit your cell phone number and then sign you up for unwanted premium SMS services that are billed to your cell phone account each month.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.



New Japan tsunami relief spam impersonates Red Cross

Friday, March 25th, 2011

David Michmerhuizen & Luis Chapetti – Security Researchers, Barracuda Labs

As we wrote last week, scam artists were quick to take advantage of the recent disaster in Japan.

Since then they’ve been hard at work making their appeals even more sophisticated.   Within the last few days the spam traps at Barracuda Labs have detected a very large campaign that carefully impersonates the British Red Cross.

Tsunami relief spam

There are many small clues in the email that flag it as suspicious. The use of a free webmail host and the request for payment via Western Union are two, but what is most damning is that the 'donate now' button takes you to a small, otherwise unused website rather than to the official Red Cross website.

Tsunami relief scam website

This web page is very convincing, but it still isn’t the Red Cross.

The visible text of a link in an email and the address it actually points to can differ, so links are very easy to hide or spoof. Barracuda Networks advises that you not click on such links to reach external sites. Instead, determine the actual website of the organization you want to visit, whether it is a charity, a bank or your phone company, and type that address directly into your web browser.

We have not yet seen similar spam targeting other national Red Cross organizations but these sorts of scams are very easy to set up.   The British Red Cross is aware of the problem.

British Red Cross warning

The British Red Cross does have a website that accepts donations at redcross.org.uk, as does the American Red Cross at www.redcross.org.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam mailings.


Fake resumes spread malware to human resource departments

Wednesday, March 23rd, 2011

By Dave Michmerhuizen, Security Researcher

Barracuda Labs spam monitoring systems have detected a targeted blended attack against human resources professionals.  The attack is carried out via spam messages that are presented as a resume from a job applicant.

While we've written about resume spam before, these messages are particularly well written and the attachments are engineered so that they do not appear suspicious. All of the samples received so far have been deliberately addressed only to personnel agencies and human resource departments.

Resume spam, with attachment

Opening the 'resume' brings up a cunningly crafted Word document.

Resume document appears to have 'crashed' word

There is no text in this document at all. Its only content is an embedded spyware executable with a caption. The caption tries to convince you that Microsoft Word has crashed, and it explicitly instructs you to double-click on the icon to reload and restart Word.

Caption on embedded binary

Double-clicking anywhere on the icon or its caption actually extracts the spyware from the document and runs it. Windows does show a security warning before the executable starts, but since the fake 'error message' has just told you that Word is about to restart, that warning is easy to click past.
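As an added illustration (this is not code from the Barracuda Labs post, and it was not run against the real attachment), the following Python scans a legacy .doc for the construction described above: an OLE 'Package' object, stored under the stream name \x01Ole10Native, whose bytes are a Windows executable. The two sample documents are constructed inline, and the scan reads the file as one flat byte string rather than walking the OLE sector chains, so a payload whose PE header straddles non-contiguous sectors can be missed; for real triage a container parser such as olefile or oledump.py should do the stream extraction. The point here is the two-step check that turns a weak 'MZ' hit into a confirmed PE image.

```python
"""Scan a legacy .doc (OLE2 compound file) for an embedded Windows executable.

Added example for this page; not from the Barracuda Labs post and not run
against the real attachment. The sample documents are constructed inline.
"""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # compound-file header signature
PACKAGE_STREAM = "\x01Ole10Native".encode("utf-16-le")   # stream name used for OLE Package objects


def find_embedded_pe(data):
    """Return the offsets of every PE image found in `data`.

    'MZ' alone is a weak signal (it occurs by chance in arbitrary bytes), so each
    hit is confirmed by following e_lfanew at MZ+0x3C to a 'PE\\0\\0' signature.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # Real headers keep the PE signature close to the DOS stub; an absurd
            # e_lfanew is the usual way a false 'MZ' hit gives itself away.
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_document(data):
    """Flat-scan a document blob and report what a mail gateway would want to know."""
    pe = find_embedded_pe(data)
    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "has_package_stream": PACKAGE_STREAM in data,
        "pe_offsets": pe,
        # Assumed policy for the demo: an executable inside a resume is never wanted.
        "block": bool(pe),
    }


def _fake_pe():
    """Minimal stand-in for a PE file: DOS header with e_lfanew = 0x80, then the
    'PE\\0\\0' signature. Enough to exercise the check; it is not a runnable binary."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\0" * (0x80 - len(dos)) + b"PE\0\0" + b"\0" * 0x100


# Constructed samples (not real files). The 'clean' one contains a stray 'MZ'
# inside binary junk to show that the e_lfanew confirmation discards it.
CLEAN_DOC = OLE_MAGIC + b"\0" * 504 + "WordDocument".encode("utf-16-le") + b"MZ" + b"\xff" * 256
LURE_DOC = OLE_MAGIC + b"\0" * 504 + PACKAGE_STREAM + b"\0" * 64 + _fake_pe()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_DOC), ("lure", LURE_DOC)):
        print(name, triage_document(blob))
```

The e_lfanew confirmation is what keeps this usable on real mail volume: two arbitrary bytes read 'MZ' about once every 64 KB, so a gateway that blocked on the magic alone would quarantine a steady stream of harmless attachments.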

Security Warning from Windows

Click 'Run' and you've just installed Trojan.SpyEye on your computer. This program hides in the background, monitors your Internet traffic for usernames and passwords, and every few minutes sends what it has captured to a command and control server, in this case a computer hosted in Israel.

Information Stealer Network Traffic


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails. The Barracuda Web Filter and the Barracuda Web Filtering Service block the traffic involved in this attack.


Internet scammers take advantage of Japanese disaster

Wednesday, March 16th, 2011

David Michmerhuizen & Luis Chapetti – Security Researchers, Barracuda Labs


The whole world is watching the aftermath of the Japanese earthquake and tsunami with sadness and concern.

Unfortunately, Internet scammers will try to take advantage of that concern any way they can. The spam traps at Barracuda Labs have already started to receive emails that trade on the disaster.

A few purveyors of 419 spam have simply reworded their standard pitch.

These deals wind up with you sending money to the scammers, not receiving it.   Everyone should recognize these by now.


More common are false requests for charitable donations. One poses as a plea from Humanitarian Care Japan, a real organization.

However, if you reply to this email you’ll be responding to a free webmail account.

A reputable charity will have their own email domain and website.


Another of these emails poses as a plea from the Salvation Army.

Unfortunately, the reply-to address is just another free webmail account.

The email address in the text is also a free webmail account. A valid solicitation from the Salvation Army would direct replies to their own domain, and more likely still it would invite you to visit their own website and make the donation there.
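The checks this post and the British Red Cross write-up above describe (a From or Reply-To on a free webmail host, a request for payment by Western Union, and a donate link whose real destination is not the charity's domain), as an added Python example that is not code from either post. The two sample messages, the free-webmail list, the table of charity names and domains, and the crude registrable-domain helper are assumptions made for the demo, not data from the posts.

```python
"""Header and link triage for charity-appeal email.

Added example for this page; not code from the Barracuda Labs posts. The
messages, the webmail list and the charity table are constructed/assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "live.com", "aol.com"}   # assumed list

# Names a lure might drop, mapped to the domain the organisation really uses (assumed table).
CLAIMED_ORGS = {
    "british red cross": "redcross.org.uk",
    "american red cross": "redcross.org",
    "salvation army": "salvationarmy.org",
}

HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
MONEY_TRANSFER_RE = re.compile(r"\b(western union|moneygram)\b", re.I)


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def registrable(host):
    """Crude organisation-level domain: last two labels, or three under a
    ccTLD second-level such as .org.uk / .co.uk. A Public Suffix List lookup
    would replace this in production."""
    parts = host.lower().split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov", "net"} and len(parts[-1]) == 2 else 2
    return ".".join(parts[-n:])


def triage(raw):
    """Return the reasons the message looks like a charity scam (empty list = nothing found)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    text = body.lower()
    findings = []
    claimed = [org for org in CLAIMED_ORGS if org in text]

    # A real charity mails from, and collects replies at, its own domain.
    headers = [("From", domain_of(msg.get("From", "")))]
    if msg.get("Reply-To"):
        headers.append(("Reply-To", domain_of(msg["Reply-To"])))
    for label, dom in headers:
        if dom in FREE_WEBMAIL:
            findings.append("%s is a free webmail account (%s)" % (label, dom))
        elif claimed and all(registrable(dom) != CLAIMED_ORGS[o] for o in claimed):
            findings.append("%s domain %s is not the organisation named in the body" % (label, dom))

    if MONEY_TRANSFER_RE.search(text):
        findings.append("asks for payment through a person-to-person money transfer service")

    # Compare where each link says it goes with where it actually goes.
    for href, anchor_html in HREF_RE.findall(body):
        host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", anchor_html).strip()
        m = HOST_IN_TEXT_RE.search(shown)
        if m and registrable(m.group(1)) != registrable(host):
            findings.append("link text shows %s but points at %s" % (m.group(1), host))
        elif claimed and all(registrable(host) != CLAIMED_ORGS[o] for o in claimed):
            findings.append("link '%s' goes to %s, not to the organisation's own site" % (shown, host))
    return findings


# Constructed sample messages; the addresses and domains are invented for the demo.
SCAM_MSG = """\
From: British Red Cross <britishredcross.appeal@hotmail.com>
Reply-To: donations.redcross@yahoo.com
To: undisclosed-recipients:;
Subject: Japan Tsunami Appeal
Content-Type: text/html; charset=utf-8

<html><body>
<p>The British Red Cross is appealing for funds for the victims of the
Japan earthquake. You may also send your gift by Western Union.</p>
<p><a href="http://donate-relief-now.info/redcross/">Donate now</a></p>
<p>Visit <a href="http://donate-relief-now.info/">www.redcross.org.uk</a></p>
</body></html>
"""

LEGIT_MSG = """\
From: British Red Cross <appeals@redcross.org.uk>
To: supporter@example.com
Subject: Japan Tsunami Appeal
Content-Type: text/html; charset=utf-8

<p>The British Red Cross Japan Tsunami Appeal: <a href="https://www.redcross.org.uk/donate">donate here</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MSG), ("legit", LEGIT_MSG)):
        print(name, triage(raw))
```

The spoofed-link branch is the one worth keeping even if everything else is tuned away: anchor text that names one domain while the href resolves to another is almost never legitimate, and it is exactly the trick the 'donate now' button in the Red Cross lure relies on.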


We recommend that you never make charitable donations on the spur of the moment in response to mass emailings.   Research the charity you intend to donate to and be sure to use a safe and protected donation method.


Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam mailings.


How to use Facebook’s OpenGraph API to spread Malware

Friday, March 11th, 2011

by David Michmerhuizen – Security Researcher


If you're a regular Facebook user, you're used to questionable links in your friend feed. Links to apps you don't want to run. Links to quizzes you don't want to take. Links to cause pages you don't care about. Links to videos you probably shouldn't look at. They spread by tricking you into pressing 'like' or 'add' before they show you what they offer.

All typical stuff, except that Barracuda Labs has seen something unusual in the first week of March – a huge “likejacking” campaign that has fooled many otherwise careful Facebook users and illustrated  just how a truly serious malware attack could leverage the Open Graph API to spread virally through Facebook.


While likejacking is not new, this campaign is particularly well done.  It succeeds because clicking on video links on your friend feed is a very natural thing to do.   More than a few of our otherwise tech-savvy friends (who should know better) were taken in by this scam.  It starts with a link in your friend feed from someone you trust…

Malicious post in Friend Feed

The post appears to be a link to a video, nothing unusual. Clicking on it takes you off Facebook to a domain that presents a page very similar to a YouTube video page, except that the logo reads "FouTube"…

Fake "FouTube" page

The site combines HTML and JavaScript with Facebook-specific markup to create a large 'like' button that looks like a video playback window. The markup is Facebook's Open Graph protocol (og: meta tags plus the Like button plugin), and it is used to tell Facebook that the scam site (girl-gets-caught.info) should be added to Facebook's "social graph" just as if it were a page on the Facebook site itself.

Open Graph API Markup

It bears repeating: a 'like' button is implemented in code, and the page hosting it controls its size and placement. The only thing that makes one look like the usual Facebook 'like' button is Facebook's Terms of Service, which state that a 'like' button must use an approved style; nothing technical stops a page from dressing it up as something else.

The code you see here has two functions.

First, as shown below, is to 'like' the page so that a link to it appears on your wall and in the friend feed of all of your friends. This spreads the campaign virally, and if the subject videos are appealing enough the links to the scam page can reach many thousands of users in a very short time.

Malicious HTML and JavaScript
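An added example, not the markup in the screenshot above nor code from either like-jacking post on this page: a static check that a web filter could run over a fetched page to spot this construction (a Like plugin styled as a media pane, plus Open Graph meta tags registering the hosting page as a Facebook object). It covers the T&A variant described at the top of this page as well. The thresholds (opacity at or below 0.1, a widget at least 200 px in both dimensions), the treatment of og:type "video" with no player element as a flag, and the two sample pages are assumptions for the demo; the heuristics only see inline styles, so an overlay positioned from a stylesheet or by script needs a rendered-DOM check instead.

```python
"""Static scan of a fetched page for a like-jacking overlay.

Added example for this page; not the scam site's own markup. Thresholds,
flag rules and both sample pages are assumptions made for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

LIKE_PLUGIN_RE = re.compile(r"facebook\.com/plugins/like\.php", re.I)
PX_RE = re.compile(r"\b(width|height)\s*:\s*(\d+)px", re.I)
OPACITY_RE = re.compile(r"(?:^|;)\s*opacity\s*:\s*([0-9.]+)", re.I)
IE_OPACITY_RE = re.compile(r"alpha\(\s*opacity\s*=\s*(\d+)\s*\)", re.I)   # IE-era filter syntax
MEDIA_TAGS = {"object", "embed", "video"}


class LikeScan(HTMLParser):
    """Collect Open Graph meta tags, Facebook Like widgets and media elements."""

    def __init__(self):
        super().__init__()
        self.og = {}
        self.widgets = []
        self.media = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content", "")
        elif tag == "iframe" and LIKE_PLUGIN_RE.search(a.get("src") or ""):
            qs = parse_qs(urlparse(a["src"]).query)
            self.widgets.append({"href": qs.get("href", [""])[0], "style": a.get("style") or "",
                                 "width": a.get("width"), "height": a.get("height")})
        elif tag == "fb:like":  # XFBML form, rendered by the Facebook JS SDK
            self.widgets.append({"href": a.get("href") or "", "style": a.get("style") or "",
                                 "width": a.get("width"), "height": a.get("height")})
        elif tag in MEDIA_TAGS:
            self.media += 1


def widget_dims(w):
    """Width/height in px from the inline style, falling back to the attributes."""
    dims = {k.lower(): int(v) for k, v in PX_RE.findall(w["style"])}
    for k in ("width", "height"):
        if k not in dims and w.get(k) and str(w[k]).isdigit():
            dims[k] = int(w[k])
    return dims


def assess(html):
    """Return the Open Graph data, the widget count, the flags raised and a verdict."""
    scan = LikeScan()
    scan.feed(html)
    flags = []
    for w in scan.widgets:
        m, ie = OPACITY_RE.search(w["style"]), IE_OPACITY_RE.search(w["style"])
        if (m and float(m.group(1)) <= 0.1) or (ie and int(ie.group(1)) <= 10):
            flags.append("like widget is rendered invisible (opacity ~0)")
        d = widget_dims(w)
        if d.get("width", 0) >= 200 and d.get("height", 0) >= 200:
            flags.append("like widget is sized like a media pane (%dx%d px)" % (d["width"], d["height"]))
    if scan.og.get("og:type", "").lower() == "video" and scan.media == 0:
        flags.append("Open Graph markup calls the page a video but it embeds no player")
    return {"og": scan.og, "widgets": len(scan.widgets), "flags": flags,
            "likejacking": bool(flags) and bool(scan.widgets)}


# Constructed sample pages; the domains are reserved .example names, not real sites.
SCAM_PAGE = """\
<html><head>
<meta property="og:title" content="Girl gets caught on camera!" />
<meta property="og:type" content="video" />
<meta property="og:url" content="http://video-lure.example/watch.html" />
<meta property="og:image" content="http://video-lure.example/thumb.jpg" />
</head><body>
<div style="position:relative;width:640px;height:390px;background:url(thumb.jpg)">
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fvideo-lure.example%2Fwatch.html&amp;layout=standard"
          style="position:absolute;top:0;left:0;width:640px;height:390px;opacity:0;filter:alpha(opacity=0);border:none"
          scrolling="no" frameborder="0"></iframe>
</div>
<p>Click the video to play</p>
</body></html>
"""

LEGIT_PAGE = """\
<html><head>
<meta property="og:title" content="Weekly notes" />
<meta property="og:type" content="article" />
</head><body>
<p>Some text.</p>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example%2Fnotes&amp;layout=button_count"
        style="border:none;overflow:hidden;width:90px;height:21px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("scam", SCAM_PAGE), ("legit", LEGIT_PAGE)):
        print(name, assess(page))
```

A normal Like plugin is a few tens of pixels high; one that is transparent, or as large as the thumbnail it sits on, exists only to catch a click meant for something else, which is why size and opacity are the two signals worth checking first.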

Indeed, clicking on the video posts a link to the scam page on Renee's wall.

The scam posted to your Facebook wall

The second function of the code is the true aim of the campaign, which is to direct visitors to a series of ‘surveys’ which indiscriminately pitch products, harvest personal information and attempt to subscribe the unwary to premium-rate SMS services.  This is where the scammers make their money.

The start of the scam surveys

If you wait 60 seconds, the underlying page continues on to display a relevant YouTube video.

A partial list of domains involved (careful, some may still be active) shows the effort that went into the social engineering aspects of the campaign.

Partial list of domains used


This sort of likejacking has been going on for quite a while, and the campaigns are almost always used to deliver users to ‘survey’ sites.  In the case of the fake video page described above the survey poses as a hurdle to pass to be allowed to see the video.  The survey itself is generally harmless provided that you don’t answer it, and the Facebook ‘like’ is embarrassing but easy enough to fix.  Facebook removes these posts after the fact, usually within hours.


The example above shows that Open Graph gives survey distributors easy access to Facebook, turning a low-level scam spread via email and forum spam into a huge viral success for the scammers.

What is especially troubling about this is what could have happened. Rather than deliver a scammy survey, malware distributors could easily attempt a series of silent exploits against the browser and its plug-ins, followed by a quick redirect to a real video. That sort of attack could spread real malware such as the Zeus or SpyEye password-stealing trojans to thousands of Facebook users in a very short period of time compared to other methods. Even worse, many of those backdoors and password stealers would be installed inside business networks that allow their employees to use Facebook in their 'free time'.


Barracuda Networks recommends you take particular care when using Facebook. If friends post links, make sure you trust the destination domain before following the link. Barracuda Web Filters also allow the selective blocking of Facebook within the organization.


Email Spam Drops by Half While Search Engine Malware Increases 50 Percent and Twitter Crime Rate Rises 20 Percent During 2010

Thursday, March 3rd, 2011

From: Barracuda Labs [PRESS RELEASE]

Barracuda Labs Issues 2010 Annual Security Report; Launches New, Free Profile Protector to Protect Users against Malicious Threats on Facebook and Twitter

Campbell, Calif., March 3, 2011 – Barracuda Networks Inc., a leading provider of content security, data protection and application delivery solutions, today released findings from its 2010 Annual Security Report which indicates attackers are making a shift from using email spam to more aggressively targeting the Internet. Email spam dropped by half during 2010, while search engine malware doubled and the Twitter Crime Rate increased 20 percent, signifying a concentrated focus on the more lucrative social networks and search engines as attack vectors. To help combat this, Barracuda Networks today announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter. Profile Protector is available at http://profileprotector.com/.

“Attackers focus on where they can get the most eyeballs and profit, and today that means social networks and search engines,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “As a community we often point to the need for user education as the missing component; however, the levels of social engineering involved in today’s attacks suggest that we must continue to elevate our technological approaches. The research community must continue to build innovative defenses and the industry must make efforts to increase the deployment rates of those defenses.”

Searching for Malware
Barracuda Labs conducts periodic studies across Bing, Google, Twitter and Yahoo!, analyzing trending topics on popular search engines in order to understand the scope of the problem and to identify the types of topics used by malware distributors. The most recent study was conducted over 153 days. The analysis reviews more than 157,000 trending topics and nearly 37 million search results. Overall, the research found that attackers have increased the amount of search engine malware as well as expanded targeted efforts beyond Google.

Key highlights from the search result analysis include:

  • In June 2010, Google was crowned as “King” of malware, turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. As malware spread across the other search engines, the ratios were distributed more evenly by December 2010, with Google producing 38 percent of overall malware; Yahoo! at 30 percent; Bing at 24 percent and Twitter at eight percent.
  • The amount of malware found daily across the search engines increased 55 percent from 145.7 in June 2010 to 226.3 in December 2010.
  • One in five search topics leads to malware, while one in 1,000 search results leads to malware.
  • The top 10 terms used by malware distributors include the name of a Jersey Shore actress, the president, the NFL and credit score.

The Dark Side of Twitter
Barracuda Labs analyzed more than 26 million Twitter accounts in order to measure and analyze account behavior. The analysis enabled researchers to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users [1], Twitter Crime Rate [2], and Tweet Number [3].

Key highlights from the Twitter research include:

  • In general, activity continues to increase on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • The number of True Twitter Users increased to 43 percent, up from only 29 percent in June 2010.
  • For every 100 Twitter users, 39 have between one and nine followers, while 50 percent of Twitter users have more than 10 followers.
  • Approximately 79 percent of Twitter users tweet less than once per day.
  • After decreasing at the end of 2009, the Twitter Crime Rate increased 20 percent from the first half of 2010 to the second half of 2010, going from 1.6 percent to 2 percent.
  • Attackers are distributing malware and exploiting vulnerabilities to achieve their malicious goals.

To view the complete Barracuda Labs 2010 Annual Security Report and the company’s security portal, please visit http://barracudalabs.com.

Protecting Profiles on Facebook and Twitter
Barracuda Labs also announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter and is available at http://profileprotector.com/. The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds.

About Barracuda Networks Inc.
Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions.  The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 130,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions.  Barracuda Networks is privately held with its International headquarters in Campbell, Calif.  For more information, please visit www.barracudanetworks.com.

Resources:
  • Download the Barracuda Labs 2010 Annual Security Report at http://www.barracudalabs.com/research_resources.html.
  • View the Barracuda Labs security research portal at http://BarracudaLabs.com.
  • Follow Barracuda Labs on Twitter at @barracudalabs.

Footnotes:
1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.
2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.
3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

#  #  #
