Security

October 27, 2009 10:48 AM PDT

Fake Facebook e-mail contains Trojan

by Don Reisinger
  • 39 comments

A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address displays "service@facebook.com." In reality, the address and sender were spoofed.

MX Labs found that the e-mail carried an attachment named "Facebook_Password_4cf91.zip," which contains the file "Facebook_Password_4cf91.exe" and which, the e-mail claims, holds the user's new Facebook password. The security firm said that the element between the underscore and .zip is a string of randomly chosen letters and numbers that differs for each recipient.

When a user runs the attached file, it could wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab "executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions)." In other words, it's nasty.

Once it makes its way to the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe" in the user's system files. MX Labs said that it also creates two new processes, called "isqsys32.exe" and "svchost.exe."
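The indicators above (the lure attachment name with its random suffix, the spoofed facebook.com sender, and the two dropped files) are enough for a simple mail-filter and host check. The following is an added, defender-side example, not code from MX Labs, Facebook or CNET: the sample messages are constructed, the `assess` and `find_dropped_artifacts` functions are this example's own, and the mapping of the article's %AppData% and %Programs% placeholders to directories is a hypothetical one.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted in the article: the lure attachment name with a random suffix,
# and the two files Bredolab drops once it runs.
LURE_ATTACHMENT_RE = re.compile(r"Facebook_Password_[0-9a-z]+\.(zip|exe)", re.IGNORECASE)
DROPPED_ARTIFACTS = (r"%AppData%\wiaservg.log", r"%Programs%\Startup\isqsys32.exe")


def attachment_names(msg):
    """Return the file names of all attachments in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def assess(msg):
    """Score one message against the article's indicators.

    Returns {"flag": bool, "reasons": [...]}. Facebook stated it never sends a
    new password as an attachment, so a password-reset mail that claims a
    facebook.com sender and carries any attachment is suspicious on its own;
    the known lure file name is a stronger, specific indicator.
    """
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    claims_facebook = addr.lower().endswith("@facebook.com")
    subject = (msg.get("Subject") or "").lower()
    names = attachment_names(msg)

    if claims_facebook and "password" in subject and names:
        reasons.append("password-reset mail claiming facebook.com sender carries an attachment")
    for name in names:
        if LURE_ATTACHMENT_RE.fullmatch(name):
            reasons.append(f"attachment name matches reported Bredolab lure: {name}")
        elif claims_facebook and name.lower().endswith((".zip", ".exe", ".scr")):
            reasons.append(f"executable or archive attachment from facebook.com sender: {name}")
    return {"flag": bool(reasons), "reasons": reasons}


def expand_artifact_paths(env):
    """Expand the %AppData%/%Programs% placeholders with a caller-supplied mapping."""
    paths = []
    for pattern in DROPPED_ARTIFACTS:
        path = pattern
        for key, value in env.items():
            path = path.replace(f"%{key}%", value)
        paths.append(path)
    return paths


def find_dropped_artifacts(env, exists=os.path.exists):
    """Return the dropped-file paths present on this host (exists() is injectable for testing)."""
    return [p for p in expand_artifact_paths(env) if exists(p)]


def build_sample(subject, from_header, attachment=None):
    """Build a constructed sample message (not a real captured e-mail)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "user@example.org"  # placeholder recipient
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    if attachment:
        msg.add_attachment(b"\x00" * 16, maintype="application", subtype="zip", filename=attachment)
    return msg


# Constructed samples: the lure as described, a benign notice, and an unrelated archive.
LURE = build_sample("Facebook Password Reset Confirmation",
                    "The Facebook Team <service@facebook.com>",
                    "Facebook_Password_4cf91.zip")
BENIGN = build_sample("You have a new friend request", "Facebook <notification@facebook.com>")
ODD_ARCHIVE = build_sample("Your photos", "Facebook <notification@facebook.com>", "photo.zip")

# Hypothetical directory mapping for the placeholders the article uses.
ENV = {"AppData": r"C:\Users\alice\AppData\Roaming",
       "Programs": r"C:\Users\alice\Start Menu\Programs"}

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN), ("odd archive", ODD_ARCHIVE)):
        print(label, assess(sample))
    print(find_dropped_artifacts(ENV))
```

The sender check only looks at the claimed From address, which the article notes was spoofed; it is there to decide how strict to be about attachments, not to authenticate the mail. The host check takes the directory mapping as an argument because the article's %Programs% notation is not a standard Windows variable.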

Another security watchdog, M86 Security, wrote that there's more to the outbreak than Bredolab. After it sneaks its way onto the user's computer, M86 said, Bredolab downloads a bot called Pushdo. The company found that Pushdo immediately starts "spamming out more of these Facebook password reset e-mails."

For its part, Facebook was quick to point out that the e-mail containing the virus wasn't coming from the social network.

"This virus is being distributed through email, not on Facebook," a Facebook spokesperson wrote. "The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page."

Facebook said that users should be "suspicious of unexpected emails claiming to be from Facebook." The company also said that it will never send users a new password as an attachment.

Those users that have downloaded the file should use anti-malware software to remove it. Click here for a list of security software available from CNET's Download database.

Updated at 1:03 p.m. PDT to include new details from M86 Security.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.

June 22, 2009 8:08 AM PDT

New Facebook blog: We can hack into your profile

by Caroline McCarthy
  • 17 comments

Well, here's an innovative way to get some buzz: FBHive, a new blog devoted to the discussion of all things Facebook, has debuted with the revelation that its creators have discovered a hack that can expose some crucial profile data.

No, it won't expose your personal photos or wall posts. But, FBHive says, it can bring up all the "basic information" that you have entered into your profile, even if you've elected to keep that information private. This is the section that includes location, gender, relationship status, relationships (significant other, parents, siblings), political views, religious views, birthday, and hometown. That's enough to be a problem in the identity theft department, as it could easily expose frequent password hints like dates of birth and mothers' maiden names.

Security holes are nothing new to social networks: last year, Facebook plugged a leak that exposed members' protected photos via the Facebook mobile site, and another hole was discovered about a year ago that exposed members' birth dates.

Admirably, FBHive has not shared the details of the newly discovered hack; more disconcertingly, it said Facebook has done nothing since it alerted the social network to the issue earlier this month.

"We are not malicious hackers, by any means, and our skills are far from advanced," the post read. "We here at FBHive are fans of Facebook, but when a security hole as big as this is discovered and brought to (Facebook's) attention, it shouldn't take 15 days to fix."

A Facebook representative said the company is currently "looking into" the matter and will have more information soon.

UPDATE at 11:14 a.m. PT: "We have identified this bug and closed the loophole," an e-mailed statement from Facebook read. "We don't have any evidence to suggest that it was ever exploited for malicious purposes."

Originally posted at The Social

May 6, 2009 1:56 PM PDT

FBController allows for hijacking of Facebook accounts

by Elinor Mills
  • 7 comments

Azim Poonawala, aka QuakerDoomer, author of FBController.

(Credit: Azim Poonawala)

A computer security enthusiast in India has released a tool designed to allow people to take complete control of strangers' Facebook accounts if they can get hold of the targets' session cookies. It also could be used to manage large quantities of hijacked accounts.

FBController analyzes the communications that Facebook has with computers when they interact with the site and uses that information, along with the cookie data, to allow for accounts to be hijacked, said 26-year-old Azim Poonawala, who wrote the tool and provides details on his blog.

Cookies, meanwhile, can be obtained using network sniffing, cross-site scripting exploits, social engineering, and via open proxies where cookies are logged, he said in a recent interview over chat.

Poonawala, who goes by the alias "Quaker Doomer," said he wrote the tool as a proof of concept and because "writing network-related gray hat tools has always been an adrenalin rush."

Jeremiah Grossman, chief technology officer of WhiteHat Security, said he believed the purpose of the tool is to manage control over large numbers of accounts rather than merely hijack accounts one at a time.

"This is much easier than using a browser to log in and modify accounts individually," Grossman said in an e-mail. "The mere existence of such a tool leads me to believe that huge numbers of FB accounts are and continue to be compromised and the bad guys need to scale their access."

Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm's ability to detect potentially malicious behavior.

"We have systems to detect phished or fake accounts on many different points, including at point of compromise, point of creation, point of login, and point of a spam send, among others," Schnitt said. "Multiple accounts taking the same action, at the same time, as this tool enables, can actually make this detection easier." Poonawala said his intention in creating FBController was not to allow control of multiple accounts, although "it can definitely be misused by bad guys to achieve that since it is free."

This is a shot of an FBController screen.

(Credit: Azim Poonawala)

March 16, 2009 1:05 PM PDT

Facebook: Will the real Kevin Mitnick please stand up?

by Elinor Mills
  • 5 comments

In an ironic twist, Kevin Mitnick, a social engineering master who went to jail for impersonating others to get information to access computer networks without authorization, couldn't access his own Facebook account for weeks because administrators at the social networking site didn't believe he was who he said he was.

"It has frustrated me to no end. I used to be very influential at proving I was someone else. And now I can't even prove I'm the real Kevin Mitnick. It's kind of sad," Mitnick said, chuckling in a telephone interview on Monday.

Shortly after the interview, Facebook fixed the problem after being notified by CNET News.

Mitnick, who has been using Facebook for about two years, said he realized there was a problem February 22 when he couldn't access his account. He sent them an e-mail asking what the problem was and was informed that he had violated the site's terms of use by registering with a fake name.

So Mitnick sent them an e-mail from his corporate e-mail account at Mitnick Security Consulting to help prove he was the real Mitnick and not any of the imposters behind the six dozen or so other "Kevin Mitnick" accounts on Facebook.

Facebook's response? They don't accept e-mail from an account other than the one that was used to register at Facebook, which they had already rejected as authentication when they disabled his account. Since then, they had refused to respond to his pleas until Monday.

"I've been going around in circles," Mitnick said. "It's really pissing me off."

Asked for comment, Facebook spokesman Barry Schnitt said: "We are very aggressive in fostering and enforcing our real name culture and sometimes we make mistakes. But it's rare, and it's been fixed."

At least his last name isn't Yoda, Christmas, or Batman.

There are dozens of Facebook accounts with the name "Kevin Mitnick."

(Credit: Facebook)

February 11, 2009 3:39 PM PST

Facebook friends don't ask friends for money

by Elinor Mills
  • 5 comments

To my friends on Facebook:

If you get a message from me asking for money because I've been robbed while on vacation somewhere, please don't send cash.

First off, I can't afford any big vacations for the foreseeable future. Secondly, if I encountered some trouble I definitely wouldn't blast a plea for help out to my hundreds of Facebook friends.

A relatively new Facebook scam has been surfacing in which a user's account is hacked and then used to send messages of alarm to get the user's friends to send money.

Hacking into Web accounts and stealing passwords aren't new. But combining those techniques with the trusted network of friends and acquaintances and broad distribution that the most popular online social network provides is causing some concern.

Colorado Facebook user Donna Lu Gamberg told CBS station KCNC-TV that after refusing to get on Facebook she eventually joined only to have her account stolen by someone who tried to get money out of her friends. "It was a creepy feeling, and that's the first time that kind of incident happened to me," Gamberg said.

Fortunately, Gamberg figured it out and notified Facebook before any friends got duped out of money. But others have not been so lucky.

One Facebook user published a chat he had recently with a supposed Facebook friend in trouble, but which turned out to be an impostor trying to get money.

A Facebook representative told the Inside Facebook blog: "This is a very low volume attack, affecting only a small number of users, but the potential impact to an individual user is high so we're taking it very seriously. Our team has already detected various trends in the accounts of users who have been compromised. We're using this data to quickly surface compromised accounts, ideally before the spammers have gotten very far."

The company advises users to confirm via telephone or e-mail that a friend is truly in trouble before sending money, to use antivirus software, and not to publish information like addresses or telephone numbers.

September 6, 2008 1:44 PM PDT

Facebook botnet risk revealed

by Elinor Mills
  • 3 comments

Updated Sept. 8 with National Geographic saying the app is not sanctioned by them.

Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a botnet that in a demonstration launched denial-of-service attacks on a victim server.

"Social Network Web sites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks: Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the Institute for Infocomm Research in Singapore.

The demo application, called "Photo of the Day," displays a new photo from National Geographic every day. However, every time someone views the photo, the host computer is forced "to serve a request of 600 Kbytes," according to the paper.

A National Geographic spokeswoman said the app is not sanctioned by her company.

Such a botnet could be used for other types of attacks, such as spreading malware, scanning computers for open ports, and overriding authentication mechanisms that are based on cookies, the paper warned.

The researchers suggested that Facebook and other social networks be careful in designing their platform and application programming interfaces (APIs) so that there are few interactions between the "social utilities they operate and the rest of the Internet."

"More precisely, social network providers should be careful with the use of client side technologies, like JavaScript, etc," the paper says. "A social network operator should provide developers with a strict API, which is capable of giving access to resources only related to the system. Also, every application should run in an isolated environment imposing constraints to prevent the application from interacting with other Internet hosts, which are not participants of the social network. Finally, operators of social networks should invest resources in verifying the applications they host."

In addition, the apps pose privacy risks as well because of the access they have to the data of the people who add the apps to their pages, the paper says.

Similar privacy and security concerns have been raised by others after previous third-party apps have been found to have security holes in Facebook.

Facebook representatives did not return e-mails seeking comment.

(Via ZDNet's Zero Day blog and the Dark Reading blog.)

August 18, 2008 3:49 PM PDT

More security holes plague MySpace, possibly Facebook

by Elinor Mills
  • 1 comment

Updated 6:50 p.m. PT with Facebook saying no hole in Free Gifts app.

MySpace was working to fix a security hole on Monday that allows people to see private comments friends have written on members' pages.

"MySpace is committed to keeping all users as safe and secure as possible. Today, MySpace was alerted to an issue within the MySpace Mobile WAP site and is working to roll out an immediate fix," a MySpace spokesperson wrote in an e-mail.

With the MySpace hole, people have to go through the company's mobile page and know the user ID of a member to read their private comments, said Canadian computer technician Byron Ng, who alerted CNET News to the issue and said he had previously contacted MySpace as well.

Getting someone's user ID is easy; just hover over the name and the user ID is the first group of numbers buried in the coding at the bottom of the page.

In addition, security vulnerabilities publicized by Ng in June that allow MySpace users to delete bulletins from groups they don't control, to pin and unpin topics in groups they aren't members of, and to post messages to a group they are banned from remained unfixed. Those issues are expected to be fixed within the week, MySpace said.

Meanwhile, Facebook was investigating possible security issues of its own, including a third-party app that lets people see comments written on member pages, even if they aren't their friends.

"We're still checking on Advanced Wall but we've confirmed that there is not a hole in Free Gifts," a Facebook spokesman wrote in an e-mail. "It's only public gifts that can be seen in the manner you propose below, which is how they are meant to be seen.... Private gifts are not shown on this page."

Facebook users should remember that photos and videos are public unless the person who posts them sets the privacy setting to private.

Beyond these security issues, people can use a method called "social engineering" to get access to a stranger's profile by being accepted as a friend in their network, Ng said.

For instance, someone could create a profile that looks like a party promoter that many members will become friends with just to hear about events. Or, someone could create a profile with the same name as someone who is already in a target's friend list with the hopes that the target will be confused and accept the imposter, Ng said.

"If the average citizen is worried about people spying, never add anyone, even a 'friend,' without telephone or e-mail confirmation that it is legitimate," Ng writes in an e-mail.

For people who want to keep an eye on who is viewing their MySpace pages, there are two sites that offer tracking services: ProfileSnitch.com and WhoVisited.com.

Those sites allow MySpace members to embed HTML code in their profile pages that reports back to the tracking sites so members can see who was viewing their pages. This only works with MySpace and not Facebook, however, because MySpace allows members to use HTML in their profiles and Facebook does not, Ng said.
