Posts Tagged ‘Security’

Facebook like-jacking trades in celebrities for T&A

Monday, March 28th, 2011

by David Michmerhuizen – Security Researcher

Two weeks ago Facebook saw a wave of celebrity like-jacking attacks which Barracuda Labs detailed in a post describing their Open Graph underpinnings.  Those attacks used teen celebrities as their bait – Justin Bieber and Miley Cyrus were prominent themes.

After a slight hiatus, the scammers are back with the same software but a different approach.  They’re targeting a tried and true Internet meme – T & A.

like-jack posts in friends feed

Clicking on one of these links in a friend feed takes you away from Facebook to another site.  In the previous campaign, these throw-away sites were registered with names like girl-gets-caught.info or daddy-bustedonline.info, and the scam pages were formatted to look like YouTube videos.

Now that they’ve added more salacious come-ons, at least some of the pages are formatted to look like gossip sites.

Like-jack attack page

Just as before, this Web page uses the Open Graph API to construct a large ‘like’ button that appears to be a movie preview pane.   Clicking on the preview pane does two things: it posts a ‘like’ message to your own news feed and then serves up a set of scammy surveys and questionable product offerings under the guise of a ‘security check’.

Survey delivery dialog

If you click all the way through any of these offerings, the like-jack page creators are paid a fee. Entering personal information into any of these ‘surveys’ is a great way to get on spam lists. Many of them solicit your cell phone number and then sign you up for unwanted premium SMS services that are charged to your cell phone bill each month.

Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds.    Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.



Gawker Compromise, Password Lessons

Tuesday, December 14th, 2010

by Daniel Peck, Research Scientist

Today any news or blog site that is remotely technical most likely has a blurb about the recent Gawker Media compromise. Most people are making a big deal out of the release of the password files, but honestly, there’s not a lot to that part. These were clearly very low priority passwords for almost everyone using them. While there was probably some password reuse between Gawker sites and the users’ email accounts, the overlap is still relatively small.

But everyone loves a few stats, so here we go… Out of 188,281 passwords (this is from the parsed_db.txt file in the torrent floating around) the top passwords used are:

3057 – 123456
1955 – password
1119 – 12345678
661 – lifehack
418 – qwerty
333 – abc123
311 – 111111
300 – monkey
273 – consumer
253 – 12345
247 – letmein
241 – trustno1
233 – dragon
213 – baseball
208 – superman
202 – iloveyou
202 – 1234567

Additionally,

~50k of the accounts had a Gmail address, ~45k had a Yahoo address, and ~29k had a Hotmail account.

855 of the passwords contained one of George Carlin’s 7 Dirty Words.

930 contained Love.

And honestly, I’m a bit surprised that that many people who comment on blog sites are into baseball enough to have it as a password.

The bigger story should be about how complete the compromise appears to be.  All of the source code Gawker owns appears to have been released, and that is a very large piece of intellectual property out there for anyone to take apart.  Not only does it allow others to find problems in the source code, but it also allows them to see what Gawker is planning for in the future, what capabilities they have but haven’t unlocked, and of course allows any hacker worth his salt to find vulnerabilities in the code for future attacks.  All around, this is not a good situation for any company to be in and will likely lead to a major code rewrite/audit in order to deal with this effectively.

So in light of recent events, now is as good of a time as any to share some good password advice:

1. Developers – Hash your passwords using a salt.  It seems (though I haven’t verified this yet) that this database was simply DESing the passwords without using any sort of salt (a username, etc.).  This is bad since it means that a precomputed rainbow table can be looked up directly, and that every user who chose the same password ends up with the same hash, so one lookup cracks all of them at once.

2.  Users – Don’t use easy-to-guess passwords (if your password is in the Gawker list, that’s bad.)   An easy way to make a strong password is to start with an easy-to-remember phrase, like “The quick brown Fox jumped over the lazy Dog.”  Then take the first letter from each word, like so – “TqbFjotlD”.   Add in a number such as your age and you have a fairly strong password that’s still easy for you to recall.

3.  Users – Don’t share passwords between sites.  Instead, use the technique in item 2 to create a strong password “root” which you can reuse on sites by appending a special character such as @ and a two or three letter mnemonic for the site.  For example, the above password root could be “TqbFjotlD32@GM”  for Gmail,  “TqbFjotlD32@HM” for a home computer, and even “TqbFjotlD32@GK” for Gawker media.  Bear in mind that anyone who obtains one of these passwords in a leak like this one can read the root and the pattern straight off it, so the suffix only stops automated replay across sites, not a targeted attacker who has seen one of them.
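To make item 1 concrete, here is an added example (not code from Gawker or from this post) contrasting an unsalted hash with a salted, iterated one. The wordlist is a constructed sample taken from the top of the leaked list above; the hash and iteration parameters are assumptions chosen for illustration, not a description of what Gawker actually ran.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a handful of the most common passwords from the leaked list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "lifehack", "qwerty", "monkey"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fixed digest per password and no per-user salt.

    Every user who chose "monkey" gets exactly this digest, so a single
    precomputed table cracks all of them in one lookup.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password for a wordlist (a toy rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers the password if it is in the wordlist."""
    return table.get(stored_digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as
    "iterations$salt_hex$digest_hex" so verification can recover both.

    A fresh random salt per user means two users with the same password get
    different digests, and a table precomputed in advance is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'monkey' cracks to:", crack_unsalted(unsalted_hash("monkey"), table))
    a = hash_password("monkey")
    b = hash_password("monkey")
    print("salted digests for the same password differ:", a != b)
    print("verify right/wrong:", verify_password("monkey", a), verify_password("letmein", a))
```

The point of the iteration count is that the attacker has to pay it once per guess per user, whereas the unsalted table is paid for once and then reused against every account in the dump.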

I’m sure we will be hearing more about the Gawker compromise over the next few days, and will keep you updated if anything interesting pops up.


Malicious Microsoft Imposter Locks Your Desktop

Tuesday, October 19th, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs researchers have recently seen a particularly nasty variant of Trojan.FakeAV  spreading in the wild.  We have seen this fake antivirus malware delivered both by way of  drive-by exploits and by way of direct links embedded in enticing spam emails.  The first sign of infection is the display of a very convincing copy of a Microsoft Security Essentials alert.   The malware then prevents the victim from running most programs on their desktop.

When the real Microsoft Security Essentials antivirus program  encounters malware on a computer it displays an alert such as this one:

Valid Microsoft Security Essentials alert

A computer that has been attacked by this strain of Trojan.FakeAV immediately displays the following very similar alert:

Fake alert

The difference is that the second alert will continue to reappear even if the user closes it.   Any attempt to run Outlook or Internet Explorer, open a command window or even run the Task Manager will be intercepted and the alert will re-display. The inability to run most common programs on the computer leaves the uninformed user with no alternative but to explore the alert.   Choosing “Clean Computer” or “Apply Actions” brings up an interesting scan dialog:

"Online Scan" results

A large list of  antivirus product trademarks is displayed.  Unfortunately, none of the well-known products seem to be able to find any problems. Cleverly interspersed with the reputable programs are images for five bogus antivirus ‘products’ including:

AntiSpy Safeguard
Major Defense Kit
Peak Protection
Pest Detector
Red Cross

Of course, no scanning ever happened, and the programs listed above are all built directly into the malware. They all appear identical except for a name change.   If the user installs the first one, this is displayed:

Fake AV "Install" dialog

We were particularly amused by the wholesale theft of the GNU “free software” license agreement.  Behind the scenes, the installation of any of these bogus ‘products’ sends messages across the Internet to IPs  85.234.191.174 and 85.234.191.180, both of which are located in Latvia.  The first is the home of a malicious fake porn site and the second hosts a site whose main page simply reads “There is nothing here”.

Once ‘installed’ the program goes right to work fixing ‘problems’.   Unfortunately some of those problems require a missing “heuristic module”.

Fake AV "scan"

Ignoring this requirement results in an error message. Outlook, Internet Explorer, Task Manager – the most basic Windows programs still will not run. Eventually the user might be tempted to click the purchase button for that module:

FakeAV "money screen"

Fixing the Problem

While it is not possible to open many programs, it is still possible to open the file explorer (Windows Explorer).  The malware file is found in the user’s Application Data folder, which is hidden by default.  Once the file is renamed it will no longer be loaded on reboot, and the machine can then be cleaned using a reputable antivirus program.

Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.


HTML is Not Harmless – Email Security Update

Thursday, September 23rd, 2010

By Dave Michmerhuizen, Security Researcher

Barracuda Labs has seen an enormous increase – in fact, well over one million instances a day – of spam containing malicious HTML attachments. The attackers are trying every trick in the book, from using trending news topics to sending deliberately vague messages, with the hope that users will be curious enough to open the HTML. After all, what harm can an HTML file do?

The answer is - plenty.

For years computer professionals have been telling email users to be particularly careful with emails from sources they do not recognize, and to even be careful with unusual looking email from sources that they do trust.  Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email. But many people assume that an HTML file is just a webpage and that webpages are safe. This assumption is misleading, and the examples below show why HTML attachments are just as serious a threat as other attachment types.

On September 16, this particular campaign started with spams tied to current Google trending topics:

Attracting attention by latching on to the latest breaking news is a technique that attackers have been using for quite some time. In fact, several examples of SEO poisoning and search malware are explored throughout barracudalabs.com and this blog. Google hot topic search results frequently are littered with links to hacked sites that serve up malicious JavaScript.  Now, the attackers are taking that a step further and not requiring the user to come to their hacked sites but rather simply emailing the same malicious JavaScript sites straight to an inbox.

These campaigns evolved slightly over the following days, with the subject lines changing from trend topics to more nonspecific email subjects that one might receive from a business associate:

With messages to match:

These emails are presented as something just innocent enough that a user might allow curiosity to overrule caution and click “open”.  However, once that happens, the HTMLs suddenly don’t seem so harmless.

The attachments include 100% obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it.

When opened in a browser window, this JavaScript sends the browser to a variety of destinations depending on the spam flavor of the moment. In some instances that is a fake pharmacy site, which is harmless in the sense that it does not attack the browser:

In others, it may be fake codec sites which are harmless as long as the fake codec is not downloaded (note: a codec should never be downloaded in this manner):


And finally, some instances lead to fake anti-virus sites which can carry a variety of problems:

Consider the HTML behind the fake anti-virus site redirect:

The HTML that serves this redirect also contains an IFRAME element that attacks the browser and installs a backdoor, as seen below:

What makes this a real problem is that although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed.

After several days, the spammers then shifted gears and started embedding the malicious JavaScript directly in otherwise innocent looking HTML files:

This is what the email attachment looks like when viewed with JavaScript disabled.   This inclusion strategy helps disguise the JavaScript from email scanners and reassure users whose email clients preview HTML content without evaluating JavaScript.

But there is malicious JavaScript inside, just waiting for the attachment to be opened in a browser:

In a browser, this displays the seemingly legitimate attachment very briefly and then blanks out the screen.  Once the screen is blank, the malicious code is busy exploiting the browser and downloading malware culminating in the installation of a Trojan from the Zeus family.

The absence of any significant visual feedback means the user typically has no idea what has just happened or that they have contracted one of the most dangerous pieces of malware on the Internet.  Zeus Trojans are a stealthy family of malware that steal online credentials, particularly those used for online banking.

So yes, a seemingly innocent HTML email attachment can do plenty of damage; it is quite stealthy, but definitely not harmless.
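As an added example, not code from Barracuda or from the campaign itself, here is a small scanner for the pattern this post describes: an HTML attachment that reads innocently with JavaScript off but carries an obfuscated script and a hidden IFRAME. The message below is constructed to have that shape (the host 198.51.100.7 is a documentation address, the hex string decodes to a harmless `<script>` tag), and the indicator list and weights are assumptions for illustration rather than a published detection rule.

```python
import email
import re
from email import policy
from typing import Dict, List

# Constructed sample message: a vague "business" subject with an HTML attachment
# that looks like a document when scripts are off, but contains a hex-encoded,
# eval()'d script and a 1x1 hidden iframe. Not a copy of the real spam.
SAMPLE_EML = """\
From: partner@example.invalid
To: victim@example.invalid
Subject: document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please see the attached document.

--XX
Content-Type: text/html; name="document.html"
Content-Disposition: attachment; filename="document.html"

<html><body>
<p>Quarterly summary, see table below.</p>
<iframe src="http://198.51.100.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>var s="";var h="3c7363726970743e";for(var i=0;i<h.length;i+=2){s+=String.fromCharCode(parseInt(h.substr(i,2),16));}eval(unescape(s));</script>
</body></html>
--XX--
"""

# (name, regex, weight). Weights are an assumption for illustration: the
# combination of an eval() plus a hidden frame is what makes the sample alarming.
INDICATORS = [
    ("script_tag",      re.compile(r"<script\b", re.I), 2),
    ("eval_call",       re.compile(r"\beval\s*\(", re.I), 3),
    ("unescape_call",   re.compile(r"\bunescape\s*\(", re.I), 2),
    ("fromcharcode",    re.compile(r"String\.fromCharCode", re.I), 2),
    ("long_hex_string", re.compile(r"[\"'][0-9a-f]{16,}[\"']", re.I), 2),
    ("hidden_iframe",   re.compile(
        r"<iframe\b[^>]*(width=\"?[01]\"?|height=\"?[01]\"?|visibility:\s*hidden|display:\s*none)",
        re.I), 4),
    ("meta_refresh",    re.compile(r"<meta\b[^>]*http-equiv=[\"']?refresh", re.I), 2),
    ("location_assign", re.compile(r"(window\.|document\.)?location(\.href)?\s*=", re.I), 2),
]


def score_html(html: str) -> Dict[str, int]:
    """Return the indicators that fire in one HTML body, with their weights."""
    return {name: weight for name, rx, weight in INDICATORS if rx.search(html)}


def scan_message(raw: str, threshold: int = 5) -> List[dict]:
    """Parse a raw RFC 822 message, find HTML attachments, and score each one.

    Only parts with Content-Disposition: attachment are considered, because an
    inline text/html body is the normal case for ordinary mail.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        hits = score_html(part.get_content())
        total = sum(hits.values())
        findings.append({
            "filename": part.get_filename(),
            "indicators": sorted(hits),
            "score": total,
            "suspicious": total >= threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
```

A scanner like this is only a first pass: the attackers re-encode the script as soon as a pattern is blocked, so the stable signal is the structural one (an attachment that wants to run code or load a frame at all), not any particular string.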

Barracuda Spam & Virus Firewalls block these emails, and Barracuda Web Filters and the Barracuda Web Filtering Service stop the malicious traffic.



@zzap is my hero

Tuesday, September 21st, 2010

By Daniel Peck, Research Scientist

Earlier today Twitter was both the target and the medium of a large-scale cross-site scripting (XSS) spam run and attack demonstration.

In the wee hours of the morning, Pearce Delphin (@zzap) discovered that when a URL was embedded in a tweet, script code following an ‘@’ character in the link was executed in the context of the page hosting the link, in this case twitter.com (the URL was written into the page’s markup without encoding, so a quote after the ‘@’ closed the link’s href attribute and whatever followed became a new attribute such as onmouseover).  Before long Twitter was ablaze, and as of this writing “onmouseover” is still a trending topic.  Throughout the day, people used the XSS for pranks (rickrolling), to demonstrate cookie theft, to redirect to porn sites, to push quite a bit of spam, and to deliver a few instances of sites hosting exploits.

Several high-profile Twitter accounts were hit by the exploit (and in turn began exploiting their own followers), including Sarah Brown, wife of former UK Prime Minister Gordon Brown, and the White House press secretary’s account (@presssec).

Twitter has fixed the vulnerability, though we’re seeing reports that the patch wasn’t complete and only blocked that particular exploit instead of the vulnerability itself (an all too common problem).  It is unfortunate that just a couple of weeks after launching new features on the site that gave users more reasons to use twitter.com, this most recent example of XSS gives users a reason to second-guess that and stick with third-party clients for now.
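As an added example (not Twitter’s code, and not the exact tweet that was posted), here is the bug class in miniature: a linkifier that drops the raw URL into an href, a blacklist “patch” that only removes the one handler name seen in the wild, and a hardened version that attribute-encodes the URL. The payload string is constructed to have the shape the post describes, and Python’s tolerant HTML tokenizer stands in for the browser to show which attributes each version actually produces.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payload in the shape the post describes: after the '@' the URL
# carries a double quote and an event-handler attribute. Illustrative only.
PAYLOAD = 'http://t.example/@"onmouseover="alert(document.cookie)"/'

URL_RX = re.compile(r"https?://\S+")


def linkify_vulnerable(text: str) -> str:
    """Interpolates the raw URL into href. The quote inside the URL closes the
    attribute and 'onmouseover=...' becomes a second attribute on the <a>."""
    return URL_RX.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_blacklist_patch(text: str) -> str:
    """The incomplete fix the post warns about: strip the one handler name that
    was abused and leave the attribute-breaking quote alone."""
    return linkify_vulnerable(text.replace("onmouseover", ""))


def linkify_hardened(text: str) -> str:
    """Allow only http(s) and encode the URL as an attribute value, so a quote
    in the URL becomes &quot; and can no longer terminate the attribute."""
    def repl(m):
        url = m.group(0)
        if urlsplit(url).scheme not in ("http", "https"):
            return html.escape(url)
        return f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>'
    return URL_RX.sub(repl, text)


class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser-like tokenizer sees on each <a>."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def anchor_attributes(markup: str):
    p = _AnchorAttrs()
    p.feed(markup)
    p.close()
    return p.anchors


def has_event_handler(markup: str) -> bool:
    """True if any <a> ends up with an on* attribute the template never wrote."""
    return any(name.startswith("on") for a in anchor_attributes(markup) for name in a)


if __name__ == "__main__":
    tweet = "check this out " + PAYLOAD
    for name, fn in [("vulnerable", linkify_vulnerable),
                     ("blacklist patch", linkify_blacklist_patch),
                     ("hardened", linkify_hardened)]:
        print(f"{name:16s} handler injected: {has_event_handler(fn(tweet))}")
    # The blacklist "fix" falls to any other handler name:
    print("onmouseout bypass:", has_event_handler(
        linkify_blacklist_patch(tweet.replace("onmouseover", "onmouseout"))))
```

The hardened version fixes the vulnerability (untrusted data can no longer leave the attribute value) rather than the exploit (one handler name), which is the distinction the post draws about the incomplete patch.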


Phishing Spam Targets Netflix Users

Tuesday, September 14th, 2010

By Dave Michmerhuizen, Security Researcher

Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.

Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.

The email is simple enough and looks convincing:

Taking a deeper look, the recipient will notice that the email is not addressed to anyone by name.  Also, mousing over the link shows that it does not go to netflix.com. Instead it goes to a deceptively similar domain, netflixus.com, which is easily confused with the real one and could even be read as a geographical notation (US).

Netflixus.com was registered on the same day that the phishing attack began, September 13:



Clicking on the “update” link sends the user to a login page that looks like what one would expect from Netflix:

One exception is the domain in the address bar: still netflixus.com.  Additionally, the page is served over plain HTTP rather than HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so mousing over them is reassuring, which makes the form extremely deceptive. The ‘Continue’ button takes the user to another part of the phishing site.

As part of this experiment, we signed in with a fake username and password:



Once signed in, there is a landslide of warnings. The first is that the user is immediately asked for credit card information:

This page is very well designed, right down to an image of the back of a credit card to help identify the security code.    Netflixus.com still displays in the address bar, and although credit card information is being requested, the HTTPS protocol is not being used.

We responded with a dummy credit card number as indicated below:

Once that happens the site obligingly sends the user’s browser to the real netflix.com home page:

This final redirect is one last touch to make the user feel comfortable with the just-completed transaction.

This attack serves as a great reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of those requesting the user to click on links to enter credit card information, passwords and so forth. There are several tell-tale signs to check legitimacy, many of which we have outlined above.
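The signs listed above can be checked mechanically. The following is an added example (not Barracuda’s product logic) that takes a link, the domain the mail claims to be from, whether the page asks for secrets, and an optional registration date, and returns the warnings that apply. The domain-age check assumes the registration date has already been looked up (the post got it from WHOIS); the two-label “registrable domain” shortcut and the edit-distance threshold are simplifications for illustration.

```python
from datetime import date
from typing import List, Optional
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com; a public-suffix list
    is needed for registries such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss brand names (netflx, netfIix)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str, expected_domain: str, asks_for_secrets: bool,
                registered_on: Optional[date] = None,
                seen_on: Optional[date] = None) -> List[str]:
    """Return the warning signs for one link, in the spirit of the post."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = expected_domain.split(".")[0]
    warnings = []

    # 1. Is the host really the expected domain or one of its subdomains?
    owned = host == expected_domain or host.endswith("." + expected_domain)
    if not owned:
        warnings.append(f"host {host!r} is not {expected_domain} or a subdomain of it")
        # 2. Does it merely resemble the brand (netflixus.com, netflix.com.evil.example)?
        label = registrable_domain(host).split(".")[0]
        if brand in host or edit_distance(brand, label) <= 2:
            warnings.append(f"lookalike: {host!r} resembles {brand!r}")

    # 3. Passwords or card numbers over plain HTTP.
    if asks_for_secrets and parts.scheme != "https":
        warnings.append("credentials or card data requested over plain HTTP")

    # 4. A domain that did not exist until the campaign started.
    if registered_on and seen_on and (seen_on - registered_on).days <= 7:
        age = (seen_on - registered_on).days
        warnings.append(f"domain registered {age} day(s) before the campaign")

    return warnings


if __name__ == "__main__":
    # Constructed inputs modelled on the post: the phishing link, then a real login URL.
    for w in assess_link("http://netflixus.com/update", "netflix.com", True,
                         registered_on=date(2010, 9, 13), seen_on=date(2010, 9, 13)):
        print("WARNING:", w)
    print("legitimate:", assess_link("https://www.netflix.com/Login", "netflix.com", True))
```

Note that a valid HTTPS certificate on its own proves nothing here: the attacker could have obtained one for netflixus.com, so the domain check must come before the protocol check, not instead of it.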

Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.


“Here You Have” Spam Teaches an Old Worm a New Trick

Thursday, September 9th, 2010

On September 9, Barracuda Labs witnessed an outbreak of a spammed Trojan dubbed “Here You Have” as the subject line of the emails that are sent. According to Luis Chapetti, lead security analyst at Barracuda Networks, the spam first appeared at 8:44AM PDT and over 200,000 were seen by our email monitoring systems over the following six-hour period. Volume dropped off rapidly once the account hosting the malware was shut down. This volume does not include spams sent within enterprises, which could be a substantial number.

Email worms are nothing new, but in the past they sent their executable program as an attachment to the outgoing email. Computer users have mostly absorbed the lesson that you should be very careful with any file that comes to you via email, especially any .exe and .zip files.

This “Here You Have” email worm was just different enough to persuade many users to download and run the payload. The emails offered up a type of file that people trust – an Adobe PDF – and then delivered a file type that most people are unfamiliar with – a .scr file. The .scr file type is commonly used for Windows screen savers, which are executable programs themselves. What’s more, the payload file was not directly attached to the email. A small HTML file containing a link to the payload is included instead, making it more difficult to see what was actually being offered. And making it more enticing to click.

The campaign included several different messages, with the most common one titled “Here You Have” that presented a vague “document I told you about” theme.

Careful examination of the email shows that what is being offered is not what is being delivered. Saving the file offers further evidence.

What the malware authors are hoping will happen is that the user will simply click on the link.  Doing so does display a Windows Security Warning dialog, and this dialog does indicate that the file is not a PDF – it is a Screen Saver.

The mere presence of this dialog is a dead giveaway that something is wrong. The action for a PDF file is ‘Open’ and not ‘Run’.

If ‘Run’ is clicked, the malware – named VBMania – proceeds to spam itself to everyone in that user’s address book. This can be a particular problem in large enterprises because as a rule, emails passing between users in the same organization are trusted. One infected user spams everyone in the corporate address book, and once only a few more coworkers click on those emails the spam attack snowballs exponentially.

So while email worms are nothing new and most users understand not to click on an attachment that is an .exe or .zip, the attachment included here is an .html file that merely links to the payload, leaving unsuspecting users vulnerable.
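Two checks follow from the description above: does the link text promise a different file type than its target, and does a saved file actually contain what its name claims. Here is an added example (not Barracuda’s code) of both. The HTML snippet and the file headers are constructed; the file name and host are placeholders rather than the ones used in the outbreak.

```python
import re
from typing import List, Optional

# Constructed sample: an HTML attachment whose link text says PDF but whose
# target is a screen saver. Host and file name are placeholders.
SAMPLE_HTML = """<html><body>
Hello, this is the document I told you about.
<a href="http://example.invalid/files/document_pdf.scr">document.pdf</a>
</body></html>"""

# Constructed file contents: the opening bytes of a PDF and of a Windows executable.
SAMPLE_PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
SAMPLE_EXE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"

# Extensions Windows will execute on "Run", however the link is dressed up.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
LINK_RX = re.compile(r'<a\b[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def extension(name: str) -> str:
    """Lower-cased extension of a path, URL or link text ("" if it has none)."""
    name = name.rsplit("/", 1)[-1].split("?", 1)[0]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def deceptive_links(html: str) -> List[dict]:
    """Links whose target is executable, recording what the visible text claimed."""
    out = []
    for href, text in LINK_RX.findall(html):
        target_ext = extension(href)
        if target_ext in EXECUTABLE_EXTENSIONS:
            out.append({"href": href,
                        "shown_as": extension(text.strip()) or "(none)",
                        "actually": target_ext})
    return out


def file_kind(data: bytes) -> Optional[str]:
    """Classify by magic bytes rather than by name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "windows-executable"
    return None


def name_matches_content(filename: str, data: bytes) -> bool:
    """Does the file really contain what its name claims? This is the check the
    Windows Security Warning dialog only hints at with 'Run' instead of 'Open'."""
    kind = file_kind(data)
    ext = extension(filename)
    if kind == "pdf":
        return ext == ".pdf"
    if kind == "windows-executable":
        return ext in EXECUTABLE_EXTENSIONS
    return False


if __name__ == "__main__":
    for link in deceptive_links(SAMPLE_HTML):
        print("deceptive link:", link)
    print("document.pdf with MZ content matches its name:",
          name_matches_content("document.pdf", SAMPLE_EXE_HEAD))
```

A mail gateway can apply the first check to HTML attachments before delivery; the second belongs on the download path, where the content is finally available.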

“This outbreak was actually kind of simple,” says Chapetti. “All it did was spam itself out. They could have just as easily added a password stealer to the download list, and with more sophisticated code, dynamically changed the download site and keep the worm alive for a long time.”

Bottom line? The attack itself is simple and could have been much more severe than it was. It is yet another example of spam containing potentially malicious content and a significant reminder to all users to not run anything received via email if the source is not trusted and the content known.

Barracuda Spam & Virus Firewalls blocked these messages throughout the attack.

By Dave Michmerhuizen, Research Scientist


Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Wedding Card results
Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.


The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

Upon first glance and a quick scan, it could appear to be a legitimate contract (hopefully the user will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.


Kanye’s First Week on Twitter: An Infographic Review pt. 2

Thursday, August 12th, 2010

By BarracudaLabs

In his first week on Twitter from July 28 to August 4, Kanye West sent 190 tweets. By the end of that first week, he reached 431,104 followers. We calculated the total amount of time that people spent reading @kanyewest tweets in one week. We estimated that each tweet took 3 seconds to read. We calculated how many people were following him at the time each tweet was sent. In total, 2,551,812 man minutes were spent reading @kanyewest tweets in one week. We then looked at what else could be done with that much time.

If one person had 2,551,812 minutes, here is what he could do:



Kanye’s First Week on Twitter: An Infographic Review

Tuesday, August 10th, 2010

By Barracuda Labs

For the past year, we have released analysis on user behavior and malicious activity on Twitter. Just last week, Barracuda Labs released our 2010 Midyear Security Report that focuses on The Dark Side of Twitter and Search Engine Malware. On the same day, Kanye West joined Twitter. In March we explored the effect of celebrities joining Twitter in what we called the Twitter Red Carpet Era. We showed that during that six-month period, more than half of the top 100 users joined Twitter, causing a spike in overall usage and a subsequent spike in the Twitter Crime Rate (the number of accounts created and later suspended by Twitter because of suspicious or malicious use).

Kanye joined Twitter with a splash. First of all, he visited the Twitter offices that morning, but what’s more interesting is the rate at which he attracted followers. Since we have access to this data and machines constantly analyzing it, we decided to have a little fun. This week, Barracuda Labs will present a series of infographics that illustrate Kanye’s first week on Twitter.

Today, we show the first view. The first question that we wanted to answer was what kind of people are attracted to follow Kanye?  For example, do they follow other musicians or other types of people? We looked into several notable users to examine the overlap between Kanye’s followers and their followers.

BarracudaLabs.com - Kanye West Twitter Followers

Let’s review:

Taylor Swift: Taylor Swift and Kanye shared a moment on stage at last year’s MTV Awards when he interrupted her speech. He has since apologized to her and she accepted. Their followers seem to have followed suit, as a substantial number of people follow both Kanye West and Taylor Swift. In fact, 20% of Kanye’s followers also follow Taylor Swift. By the way, Taylor Swift joined Twitter 20 months ago during the Red Carpet Era and has since attracted 3.8 million followers.

Amber Rose: Amber Rose and Kanye West dated for several years, frequently an item at photoshoots and fashion shows. They recently moved on; however, their followers still appreciate both of them. In Kanye’s first week, more than half of Amber’s followers already follow Kanye. Further, Kanye has seven times more followers than Amber who joined two months ago.

Power: Kanye’s new song is called “Power” but let’s compare him to the most powerful person on Earth: the President of the United States. Kanye was a vocal supporter of Obama during his campaign. More than 190,000 of Obama’s followers already follow Kanye, showing that over one-third of Kanye’s followers also follow the President.

Perhaps Kanye’s followers are into political leaders of all parties. How about Newt Gingrich? Less than 5,000 of Newt Gingrich’s followers have decided to follow Kanye. This means that less than 1% of Kanye’s followers also follow Newt.

Stay tuned for more analysis on Kanye’s first week on Twitter – and on the overall Red Carpet effect. We think you’ll find the next few days very interesting… and possibly worth a Retweet of your own.

Meanwhile, follow us on Twitter at @barracudalabs for ongoing updates!
