Amnesty International’s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16.

Details:

Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system.

Details of Vulnerability Targeted by the Exploit
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
VirusTotal Detections for Exploit
http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153
VirusTotal Detections for Exploit Payload
http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892

The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.

Amnesty International UK has been notified about the compromise.

The question sounds crazy, especially for someone who’s spent a fair amount of the last year working on making spam and other malicious message detection on social networks better.  But we do a disservice to tools geared for protection when we don’t think long term about the consequences of them.  Does better spam detection on say twitter for example reduce the total amount of spam that users see, or does it just change the signal to noise ratio?

Websites who’s only content is related to spam didn’t get many hits.  This led spammers to move to Search Engine Optimization techniques, which have had a good run are still fairly effective, but more often than not spam sites are full of legitimate content harvested from other sites.

I suspect, and have seen several examples, that the same trend is taking place in social media.  We build systems that force spammers to put more “real” content into the stream, so that they don’t immediately out themselves. These fake accounts contain plenty of retweets of popular stories, and shared links on facebook with a bit of “hey, what a great deal on shoes” or “click here to see my naked” thrown in here and there.

Times are changing here too, sharing too many popular things also indicates than an account is a spammer, or at the very least a much less valuable node in the network.  So the next step is wholesale copying of real peoples profiles, complete with pictures of their cat, a bizzaro you with everything from your facebook account duplicated on another network, such as tumblr or google+, with an occasional spam or malicious link thrown in.  The kind of place where friends will eagerly add you, because everyone needs to be connected to every one of their friends through every medium possible of course, and not think twice about clicking on the malicious link that bizzaro you just shared out.

Besides being quite a blow to the privacy of the accounts being copied, this also reduces the trust that anyone can put into a user, which may not necessarily be a bad thing from a security point of view, are we making a problem that’s cosmically easy to spot for end users, such as the endless number of Nigerian prince scams, morph into something that is much more difficult for the end user to distinguish from real content?  Are we moving towards an advertorial world where the signal and the noise are nearly impossible to separate?

When it comes to advanced vulnerability discovery and exploitation techniques I am all for raising the level of discourse and seeing talented researchers raise the bar for attack and defense alike, but with something like this I’m not so sure.  Maybe it’s best to keep the bar low with regards to detection/blocking on social media and focus on securing APIs and the data they access, understanding that its better for those with less benevolent intent to pull out a few weak individuals from the herd than to give them incentive to find methods to take the whole.

Have you ever encountered  people selling designer shoes on Facebook for prices that are too good to be true?  Check out these links if you have not (here, here, and here…).  The interesting things about these links is that the profile owner almost always is a hot chick with lots of male friends with regular posts about expensive shoes for sale.   The order links mentioned on the shoe photo go to many different domains which   ultimately lead to one store, kicksbay.com.

e.g.

The above three are just an example.  We searched Facebook for similar shoe products and found it smothered with such links.

http://www.facebook.com/photo.php?fbid=126073080809309&set=p.126073080809309&type=1

http://www.facebook.com/photo.php?fbid=126073527475931&set=p.126073527475931&type=1

http://www.facebook.com/photo.php?fbid=126159517467316&set=p.126159517467316&type=1

http://www.facebook.com/photo.php?fbid=126217434128151&set=p.126217434128151&type=1

http://www.facebook.com/photo.php?fbid=126300230786487&set=p.126300230786487&type=1

http://www.facebook.com/photo.php?fbid=126408794109113&set=p.126408794109113&type=1

http://www.facebook.com/photo.php?fbid=126460707436911&set=p.126460707436911&type=1

http://www.facebook.com/photo.php?fbid=126460854103563&set=p.126460854103563&type=1

http://www.facebook.com/photo.php?fbid=126804947401822&set=p.126804947401822&type=1

http://www.facebook.com/photo.php?fbid=126940920719740&set=p.126940920719740&type=1

http://www.facebook.com/photo.php?fbid=127046007377110&set=p.127046007377110&type=1

http://www.facebook.com/photo.php?fbid=127894873957922&set=p.127894873957922&type=1

http://www.facebook.com/photo.php?fbid=128218357259011&set=p.128218357259011&type=1

http://www.facebook.com/photo.php?fbid=128361313909783&set=p.128361313909783&type=1

http://www.facebook.com/photo.php?fbid=129208183824889&set=p.129208183824889&type=1

http://www.facebook.com/photo.php?fbid=129476437132948&set=p.129476437132948&type=1

http://www.facebook.com/photo.php?fbid=129489630463165&set=p.129489630463165&type=1

http://www.facebook.com/photo.php?fbid=129981733747345&set=p.129981733747345&type=1

http://www.facebook.com/photo.php?fbid=130090707069591&set=p.130090707069591&type=1

http://www.facebook.com/photo.php?fbid=130204773726573&set=p.130204773726573&type=1

http://www.facebook.com/photo.php?fbid=131154313629317&set=p.131154313629317&type=1

http://www.facebook.com/photo.php?fbid=133529226726132&set=p.133529226726132&type=1

Most of these profiles are similar enough in execution to raise suspicion.  Each one of them is pointing to a site that leads you to either kicksbay.com or similar site.

How many kicksbay.com site copycats are out there?   Well, here is just a snapshot

one-sweet-pair.info
only-authentic.info
only-designer-goods.info
only-heels.info
only-jordans.info
only-louisvuitton.info
only-lv-heels.info
only-nike.info
pair-time.info
player-jordans.info
player-nike.info
player-pair.info
postjordan.info
postnike.info
postshoes.info
power-time.info
priceless-heels.info
rare-jordans.info
rarejordans.info
reallygoodjordandeal.info
right-jordans.info
right-kicks.info
right-nike.info
rightnike.info
runjordan.info
runnike.info
save-heels.info
sell-jordans.info
sell-nike.info
share-jordans.info
share-nike.info
share-pairs.info
share-sole.info
star-effect.info
star-feel.info
star-hoops.info
star-pairs.info
star-skills.info
thejordan.info
wholesale-jordans.info
wholesale-nike.info
wholesale-pairs.info

Clearly these profiles are fake and shoes they are selling are fake, and real people are getting scammed by it.

So why is this scam so widespread and successful? How are fake profiles able to acquire 1000s of real people as friends to whom they can market these shoes?

This is where Facebook’s “people you might know” suggestion comes into play. We all know that Facebook will suggest you list of people who went to same school, worked with same employer,  lived in same area or are friends of friends.  What about people with whom you do not have any such common ground?

As a test, on one of my profiles I had information about a school that I went to.  So far all the suggestions were for profiles with common school in common class. However on one of the fake profiles I encountered an ad for the “Miss Interenet” Facebook app. As soon as I added that app to my account all of my friend suggestions were for profiles similar to the fake profiles we encountered in shoe scam, girls with suggestive  photos and wall postings. None of them had anything in common with my profile except they might be related to “Miss Interent” app some way (as a user or liker).

Why is Facebook suggesting that? My hypothesis is that everything in Facebook world is identified as an object  with id. That means you, area that you live in, employer that you work for or school you went to are objects and so  is apps you are using, photos you are uploading and websites you are liking. If two people have any common object ID – they can be friends!

The spam honeypots at Barracuda Labs have detected new spam that takes social engineering – and chutzpah – to new heights.

Google Pharmacy Email

While Google announces new products and services regularly, the skeptical email recipient will determine that this announcement fails to make the grade.

We do give the spammers an A for their eye-catching addition of Viagra and Cialis to the Google logo.

However, we mark them down with a D for their fractured English, (“pharmaceutical interfaces”) and a resounding F both for their choice of a domain in Russia and for landing on a run-of-the-mill  rogue Canadian Pharmacy website, as shown here

Canadian Pharmacy website

Spammers have long traded on the cachet of the Google name when sending out lottery spam, but presenting Google as a purveyor of Viagra is a whole new level of impersonation.  It has to be especially galling to Google because the company has recently been accused of knowingly accepting advertisements from rogue online pharmacies.  For their part, Google recently went to court to sue some of those same advertisers.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Many Facebook users have long waited for a Dislike button and this post is  to inform them that their wait is *not* yet over. The latest scam making rounds on Facebook is offering to add a “Dislike Button” to your profile.

However, clicking on the link to Activate or Enable the feature will only lead you to various, and typical, malicious offerings such as likejacking, RogueAV, drive-by downloads or survey scams.

The most interesting thing we noticed with this one is how creative the bad guys are getting about the distribution of their malicious apps. They are no longer simply exploiting a user’s inherent trust on Facebook via an app most likely since that means is getting some attention and risks being taken down. Instead, they are using other venues that have a user’s trust and also  allows them to distribute their apps. e.g. Mozilla add on or Chrome plugin.

Once installed these plugins have the ability to intercept and add code to a user’s Facebook profile and any other website he or she may browse.  One such plugin inserts rotating ads whenever the victim browses Facebook. While these ads may sound benign, ad networks in the past have been compromised and suffer from what is known as malvertisement.

The bottom line? As much as we might like to have it, there is no Dislike button just yet. Facebook users, and those browsing the Web in general, should remain extra careful before giving access to any apps on your browsing machine.

The iPhone 5 isn’t due to be released until fall, or even Christmas, but the spam honeypots at Barracuda Labs are already detecting malicious messages targeting anxious Apple acolytes.

Fake Phone

The image of a beautiful see-through phone is actually a concept photo that is over two years old.

All of the links in the email lead to a copy of Trojan.Zapchast, an IRC-controlled backdoor.

Fake iPhone spam

Naturally the apple.com from: address is spoofed.

If you do click on one of the links and run the offered executable, another old iPhone concept photo is displayed in order to distract you from the installation of the backdoor.

Photo distracts you from backdoor installation

In this case, if you’re curious about iPhone products, visit the Apple iPhone pages at http://www.apple.com/iphone. And never click on links in emails, especially from unknown sources.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away.   They’ve been around for years and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

Fake Antivirus that mimics Windows

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter.  Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads.

That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Fake antivirus that mimics Macintosh

Drive-by download sites now serve up this page if they detect access from a MacOS computer while Windows users still see a Windows style page.   The example above is called “Apple Security Center” but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere.  Accepting the download and running it installs “Mac Protector” which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results.  We’ve talked extensively about poisoned search results and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus. The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page 1 of our search results:

Malicious link in Google results

Past Search Engine Optimization campaigns targeted very popular search terms such as celebrity sightings or breaking news events.  The poisoned links mentioned in this post are more likely to show up in the results for more mundane search terms so as to attract less attention, but they’re still getting plenty of traffic.

This is turning out to be a big problem for Apple. It has been conventional wisdom for years that one of the simplest Internet security solutions is to “just buy a Mac” and stop worrying.  Now that the most common drive-by attack vectors are serving up malware, unwary Mac users are being exposed to the harsh world that Windows users have dealt with for years, and are going to have to learn the same lessons.  Don’t believe everything that pops up on your screen, and don’t run any software unless you know where it came from and what it will do.

Barracuda Networks Barracuda Web Filters and the Barracuda Web Security Flex stop the download of this threat.

Facebook survey scammers who had recent success with JavaScript cut and paste pages have changed their approach and turned loose a fast-spreading “Please verify your account”  campaign that appears as a wall post from a friend…

Barracuda Labs recently reported on versions of this scam that required you to cut and past a bit of JavaScript into your URL bar.  The attack above uses the same JavaScript but embeds it in a link attached to the wall post.

There is another version that we have no sample of which posts  an obscene message to your wall which then claims that the only way to remove the obscenity is to press a “Remove this app” button that is part of the post.

As was the case in the cut and past attack, if the link is pressed the JavaScript executes in the context of your Facebook page and has access to all of the APIs and credentials of your Facebook page.  The attacking JavaScript takes advantage of that context to post the same scam to the walls of all of your friends.

The end result is the same as our previous report – a sham survey that attempts to sign you up for some unwanted service or get your cell phone number in order to send premium SMS messages to it.

Eliminating the convoluted cut and paste instructions makes this version of the JavaScript attack much simpler and more convincing and it has been spreading across Facebook like wildfire.   We can only assume that at some point Facebook will sanitize links in wall posts and not allow use of the “javascript:” scheme.   Until then, expect to see waves of these scams using every social engineering attack in the book.

In the meantime, don’t click on links that are part of unusual items posted to your wall – delete them instead.   Visit the Facebook account settings pages to take care of account related issues.

As always, Barracuda Networks recommends you exercise special care when visiting links posted in your social network feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.

The spam honeypots at Barracuda Labs have detected the first of what we suspect will be a wave of spam that takes advantage of the curiosity surrounding the death of Osama Bin Laden.  Not so long ago spam emails would have been the first to exploit such a current event.   However, as we posted recently, Facebook now has that distinction.

The spam offers up some pretty gruesome photos:

Spam

The Portuguese text reveals that these spams target residents of Brazil.  A rough translation says that the photos visible in the email are not real, (they are indeed fake) but that real photographs are available from the attached link.

Following the attached link leads the user to malware, not photos, as shown here:

Malware, not photos

This should certainly ring all sorts of alarm bells.  Users do not “Run” photos; however, this file is a version of Trojan.Banload, downloader which installs additional malware. As shown below, it downloads another file, a variant of Trojan.PWS.Banker, that settles onto the user’s PC and intercepts online banking usernames and passwords.

Malware traffic

Once the banking Trojan is successfully installed, a message is sent back to the malware authors:

There are similar families of malware optimized for stealing online banking credentials from American and European computer users, and appealing social engineering strategies for delivering them, Osama Bin Laden’s death being only one of many.   Do not open or run email attachments.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails.

Barracuda Labs researchers have recently seen emails from PayPal Inc. that initally seem to be phish but ultimately appear to be a security fail by a company that surely should know better.

It is a well-accepted email security best practice to never click on links in emails.  Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on emails.  As you would expect, PayPal does so on their website.

Warning on PayPal website

Consider that warning and then take a look at this email from Paypal, via servers at responsys.net, a software service that allows marketers to manage email campaigns…

PayPal "enhanced account statement" email

The email contains ELEVEN hyperlinks, all pointing to an email response servelet which records your click and then transfers the browser to the PayPal login screen.   “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails.   Although PayPal has declined to comment on the email,  close examination shows no malicious content.    Instead, this appears to be a case of a Marketing department in need of a little security education.

It’s unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years.  An email from a bank or online service should be considered suspect by default.   PayPal’s own advice is the safest advice, always open your web browser and type in the URL you intend to visit – never click on a link embedded in an email.

Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue.   Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective.   When PayPal sends out their own emails containing links they confound customers who have been long been told not to click on those very links.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.