Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."
The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."
In a recorded interview, David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface, which spreads through Facebook users' friends lists, Marcus expects an increase in rogue Facebook applications.
"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.
"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.
Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is "also serving as a control vehicle for botnets."
Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.
The report also cites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France-Presse, Dow Jones and Reuters based in China."
Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. "It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go," and because of the increasingly widespread use of Adobe products, "that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that."
Criminals are embedding exploit code in PDF files that triggers when the document is opened, according to Marcus.
"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.
There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome OS, which will run Web-based applications, is likely to be exposed to attacks on HTML 5--the newest version of the Hypertext Markup Language, which, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."
McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system and to disable antivirus software.
"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.
For more on the threats on Facebook and Twitter read "Using Facebook and Twitter safely" on CNET.
Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay."
The year also "saw the conviction of the infamous 'Godfather of Spam,' Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.
"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."
Listen to Larry's interview with David Marcus.
Internet attacks came from 201 different countries in the second quarter, up from 68 countries in the first quarter, according to a report released Thursday.
Akamai Technologies' quarterly "State of the Internet" report compiles data about the online world, from Internet attacks to average connection speeds across the globe.
Among the 201 countries now seen as the source of malware and other Internet threats, the U.S., China, and South Korea accounted for more than half of the attacks in the second quarter.
Akamai attributed the majority of the assaults to the Conficker worm. It observed attacks on 4,100 unique ports, with 10 specific ports hit in about 90 percent of the cases. One port in particular, TCP 445, used for Microsoft Directory Services (SMB), was the target in 68 percent of the attacks, Akamai said. That is the port over which Conficker reaches the Windows Server service flaw it exploits, so any unpatched computer exposing it to the Internet was open to compromise.
The report also examined connection speeds.
Several countries saw their connection speeds drop from the previous quarter, with the overall global average falling 11 percent to 1.5Mbps. Only 19 percent of the connections throughout the globe managed speeds greater than 5Mbps, a slight decline from the prior quarter.
Among all countries, South Korea came in first place with an average speed of 11Mbps, while Eritrea was last at 42Kbps. The U.S. was 18th on the global list, reaching average connection speeds of 4.2Mbps.
Akamai found that within the U.S., many states also saw connection speeds fall. Arizona's average speed dropped 27 percent from the first quarter. New Hampshire enjoyed the fastest connection in the country at 6.4Mbps, while Delaware fell to second place at 6.3Mbps, down from 7.2Mbps in the prior quarter. Overall, the East Coast led the nation with the fastest speeds of any region.
Akamai caches Internet content for its customers, allowing it to monitor traffic through the Net. The company uses the data from its Internet monitoring to compile its quarterly reports.
Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization.
Two risks in particular--Web applications and phishing--carry the greatest potential for damage, yet organizations tend to concentrate on less-critical risks instead.
The report amalgamates global data on attacks against computers from March to August.
It identifies two main defense priorities for enterprise users. The first is targeted e-mail attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe Systems' PDF Reader and Flash, Apple's QuickTime, and Microsoft's Office. These applications are described as the "primary initial infection vector used to compromise computers that have Internet access" and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners."
The second priority is vulnerable sites. More than 60 percent of attacks are against Web applications and "convert trusted Web sites into malicious Web sites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities.
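As an added illustration of the two flaw classes the report names (this is example code written for this page, not code from SANS or from any product it mentions), the following Python shows a login query and a comment renderer first in the injectable form and then hardened. The table, user names and payload are constructed for the example; sqlite3 and html are Python standard-library modules.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table for the example; names and passwords are invented.
    Passwords are stored in clear only to keep the demonstration short; real code
    stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting, so the input can rewrite the SQL."""
    q = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
         % (name, password))
    return [row[0] for row in conn.execute(q)]


def login_hardened(conn, name, password):
    """Binds the input as parameters; the database never parses it as SQL."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(q, (name, password))]


def render_comment_vulnerable(comment):
    """Reflects user text into HTML unchanged: a stored or reflected XSS sink."""
    return "<p>%s</p>" % comment


def render_comment_hardened(comment):
    """Escapes the HTML metacharacters so the text cannot become markup."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"     # closes the string, adds a tautology, comments out the rest
    print(login_vulnerable(db, payload, "wrong"))   # every user: the WHERE clause was rewritten
    print(login_hardened(db, payload, "wrong"))     # []: the payload is just an odd user name
    print(render_comment_hardened("<script>alert(1)</script>"))
```

The point the report makes about scanners follows from the hardened versions: neither fix is a network-visible change, so a vulnerability scanner that probes ports and banners sees the vulnerable and the hardened application identically. Only code review or active application testing tells them apart.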
A further finding is that applications are now more vulnerable and see more exploitation attacks than operating systems. There were no new major operating system worms seen in the wild during the reporting period.
Additionally, the report found a "significant increase" over the past three years in the number of people discovering zero-day vulnerabilities: flaws that attackers learn of and exploit before the vendor has a patch available, so that no preparation can have been made against the attack.
"This report is different from anything we have done before," a SANS spokesman said, "because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies)."
The report's sources include attack data from 6,000 organizations compiled by security hardware vendor TippingPoint, vulnerability data from 9 million computers compiled by security software vendor Qualys, and additional analysis and tutorials by the Internet Storm Center and SANS faculty members.
Manek Dubash of ZDNet UK reported from London.
Thursday's denial-of-service attack that knocked Twitter offline for a few hours and affected Facebook, LiveJournal, and Google Sites and Blogger wasn't your average attack.
Typically, someone who has a bone to pick with a specific Web site will round up some hijacked PCs and use them to try to shut the site down. In this case, whoever was responsible was trying to block access to a specific user's accounts and not the sites themselves.
Denial-of-service attacks aren't always straightforward, and this one has its own unique twist. Let's take a look at what happened and why.
What's a denial-of-service attack?
A denial-of-service (DoS) attack is any effort designed to interfere with access to a Web site or Internet service. A common method of attack involves flooding a target server with so many communications requests that legitimate traffic cannot get through. This can shut down or slow down the site temporarily.
Web sites aren't the only things that can be targeted in DoS attacks. Unplugging someone's computer is a very basic type of DoS attack.
What's a distributed-denial-of-service (DDoS) attack?
Because Web sites are built to handle a lot of traffic, it can take millions of simultaneous requests to affect a server's performance enough to count as an attack. In a DDoS attack, tens of thousands or even millions of computers send traffic to the target site at the same time and repeatedly. As Sophos' Graham Cluley wrote on his blog: "It's a bit like 15 fat men trying to get through a revolving door at the same time--nothing can move."
What's a botnet?
The hijacked PCs that are used in a DDoS attack comprise a botnet. The individual computers are called "bots," "zombies" or "slaves" and are controlled remotely by the "master" attacker. The attacker relays instructions to the bots via a command-and-control server, typically using IRC (Internet Relay Chat). Botnets are also used to distribute spam. Some newer botnets, like one created by a version of Conficker, relay instructions via peer-to-peer.
How does an innocent PC become a bot?
There are different ways a criminal can get programs onto computers in order to turn them into bots that they can control. Often, criminals send spam with attachments containing malware or links to Web sites hosting malware. The malware--typically a worm, Trojan horse, or backdoor--is installed on the computer when the attachment is opened or the URL link is clicked. Many computers are compromised by drive-by downloads, in which hidden malware on Web sites exploits Web browser vulnerabilities and is downloaded onto the visitor's computer without their knowledge.
Computer users usually have no idea that their computer has been compromised, and botnet operators like it that way so they can keep using the bots indefinitely. Criminals who don't want to do the grunt work of compromising an army of machines can now simply lease one. A recent study by Finjan found that an underground network was offering to rent out a botnet for as little as 5 cents to 10 cents per bot.
What happened in the DDoS that caused the Twitter outage this week?
While most DoS attacks are designed to take down a specific Web site, Thursday's DDoS attack targeted someone who has accounts on the different sites--a Georgian blogger, who uses the account name "Cyxymu" and who has accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube. The affected companies worked together to investigate the attacks and discovered that Cyxymu was the common thread linking the sites. An investigation is pending into who launched the attack and why.
In a clear and simple way, this Cisco graphic shows the relationship of the parties in a DDoS attack. (Credit: Cisco)
How many bots are needed to take down a Web site?
The number depends on how many resources, in servers and bandwidth, the target site has. It can take 25,000 to 50,000 bots to cripple a typical site, and fewer than 10,000 for a small Web site, according to Kevin Stevens, a security researcher for SecureWorks' Counter Threat Unit.
It's difficult to know exactly how big any particular botnet is and guesses vary widely. For example, estimates of the Conficker botnet ranged from 500,000 PCs to 10 million.
Who launches a DoS and why?
Unless someone takes credit, it's nearly impossible to find out who is responsible for a DoS attack. Often attackers will send traffic through proxies so there is no direct link to the source, even if investigators can get hold of a bot used in an attack and dissect its code. Bots also may be located in another country.
The first big DDoS attack, in February 2000, took down some of the Web's most popular sites for hours, including Yahoo, CNN, eBay, Amazon.com, Buy.com, and E*Trade. The U.S. Federal Bureau of Investigation promptly held a news conference to discuss the disruption to the Internet and eventually tracked down the perpetrator, 15-year-old "Mafiaboy," after he bragged about it to friends online.
Mafiaboy was most likely trying to get attention, as script kiddies do when they deface Web sites. Other attackers have different agendas. For instance, there are politically motivated DDoS attacks, such as those involving Russian and Georgian sites last year. Estonian sites were attacked in 2007. Meanwhile, the origin of the recent DDoS attacks targeting U.S. government sites and sites in South Korea remains a mystery.
What kind of damage can a DoS attack do?
A DoS can make a Web site completely inaccessible to anyone for a period of time, like the most recent attack did with Twitter. Or it can be equivalent to a hiccup, slowing down page loads or affecting only part of the site.
Sites that aren't in the direct line of fire can also be affected. For example, if a company that is attacked is hosting images or content that is fed to other sites, those other sites may have trouble. So many sites feature Twitter updates that it's likely some of those associated sites were impacted when Twitter was down and the ancillary site's requests to get updates were ignored.
How can a DDoS be prevented or stopped?
There is no surefire way to prevent a DDoS attack. However, a company can reduce its risk by buying plenty of servers and bandwidth, and hosting content on backup servers. Companies can also limit the number of connections that the Web server allows at any one time and set the firewall to block certain types of data that are used in DDoS attacks, said SecureWorks' Stevens.
In addition, companies can ask the ISP to impose bandwidth limits and to block the IP addresses serving up the attack. Some companies offer DoS detection software, and sites can configure their Web server to monitor traffic patterns and automatically ban IP addresses that could be associated with an attack.
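The last measure in that paragraph, watching traffic patterns and banning sources automatically, is easy to sketch. The following Python is an added example for this page, not code from SecureWorks or any product named here: it replays a constructed access log (RFC 5737 documentation addresses, invented requests, one deliberately malformed line) through a per-source sliding window and emits a firewall rule for every source that exceeds the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log in Apache/nginx "combined" format. The
# addresses come from the RFC 5737 documentation ranges and the requests are
# invented for this example; 203.0.113.7 plays the flooding bot.
SAMPLE_LOG = """\
198.51.100.5 - - [06/Aug/2009:09:15:00 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2009:09:15:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [06/Aug/2009:09:15:01 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [06/Aug/2009:09:15:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [06/Aug/2009:09:15:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [06/Aug/2009:09:15:03 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [06/Aug/2009:09:15:03 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
this line is deliberately malformed and must be skipped, not crash the parser
198.51.100.5 - - [06/Aug/2009:09:15:30 -0700] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2009:09:15:04 -0700] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.5 - - [06/Aug/2009:09:15:59 -0700] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Source address and bracketed timestamp; the rest of the line is not needed here.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(log_text):
    """Return (epoch_seconds, ip) pairs sorted by time, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole pass
        ip, stamp = m.groups()
        try:
            ts = datetime.strptime(stamp, TIME_FMT).timestamp()
        except ValueError:
            continue
        events.append((ts, ip))
    events.sort()
    return events


def find_offenders(log_text, window_seconds, threshold):
    """Return {ip: peak_requests_in_window} for every source that exceeded
    `threshold` requests inside any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip in parse_events(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_seconds:
            q.popleft()           # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def ban_rules(offenders):
    """Render one host-level drop rule per offender (Linux iptables syntax)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, window_seconds=10, threshold=5)
    for rule in ban_rules(hits):
        print(rule)
```

Two caveats a practitioner would add. The source address is only meaningful if the server sees it directly; behind a CDN or reverse proxy the real client is in a header such as X-Forwarded-For, and banning the proxy's address blocks everyone behind it. And a flood large enough to saturate the uplink has already done its damage by the time packets reach this filter, which is why the paragraph also points at the ISP: the drop has to happen upstream of the congested link.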
In 2001, the White House was able to thwart a DDoS attack that was programmed into the code of the Code Red worm by moving the site away from the targeted IP address. And in 2003, Microsoft sidestepped a DDoS that was going to be triggered by PCs infected with the Blaster worm by retiring the targeted address.
Once an attack has been launched a company can try to redirect the attack traffic to a null IP address, or a black hole, according to Trend Micro's David Perry.
More information on prevention and mitigation can be found on the SANS Web site and on the US-CERT site.
What can individuals do to prevent their computers from being used in a DDoS attack?
To keep malware off a computer, people should install the latest operating system and application patches, update their antivirus and other security software, consider using auto-updates for browsers and be careful about opening up attachments and visiting Web sites.
Larry Magid of CBSNews.com has more information for consumers on his Safe and Secure blog.
A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube was targeted in a denial-of-service attack that led to the sitewide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.
The blogger, who uses the account name "Cyxymu" (the name of a town in the Republic of Georgia), had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.
"It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard," Kelly said. "We're actively investigating the source of the attacks, and we hope to be able to find out the individuals involved in the back end and to take action against them, if we can."
Cyxymu's LiveJournal account, as shown in Google's cached version. (Credit: LiveJournal)
Kelly declined to speculate on who was behind the attack, but he said: "You have to ask who would benefit the most from doing this and think about what those people are doing and the disregard for the rest of the users and the Internet."
Twitter was down for several hours beginning early Thursday morning, and it suffered periodic slowness and time-outs throughout the day.
Cyxymu's LiveJournal page wasn't accessible, but a cached version showed that it was updated on Thursday with a message about the denial-of-service, or DoS, attacks on his accounts on the United States-based sites. "Now it's obvious it's a special attack against me and Georgians," said the message, in Russian.
The site also apologized for a spam e-mail attack in which the sender was spoofed and made to look like the e-mails were sent by him. Screenshots are shown. It's unclear whether or how the spam attack is related to the DoS attacks.
In the distributed denial-of-service (DDoS) attack on the sites, computers that have been compromised by viruses or other malware are instructed by the attacker's computer to visit the specific Web sites all at the same time and repeatedly. The barrage of connection requests overwhelms the target sites, making it so that legitimate Web traffic can't get through.
Such coordinated attacks require the efforts of tens of thousands or more of hijacked computers, which together form a botnet. Spammers send e-mails with malicious attachments or URLs to millions of people to create botnets. Criminals also can lease existing botnets for specific campaigns for as little as 5 cents to 10 cents per bot.
A Facebook representative dismissed a theory that the attack was triggered by a spam campaign in which e-mails had links to the sites. It's unlikely that there would be enough recipients--all clicking on the URLs at the same time--to bring a site down, he said. There was a spam campaign that directed people to Cyxymu's accounts, but it wasn't the cause of the DoS, he said.
"The people who are coordinating this attack, the criminals, are definitely determined and using a lot of resources," Kelly said. "If they're asking our infrastructure to generate hundreds of pages a second, that's a lot of pages our users can't see."
Facebook and Google were able to minimize any impact to their sites, including Blogger, YouTube, and Google Sites, a free Web site service. Facebook even managed to keep the Cyxymu account accessible to Web surfers from that region, Kelly said, though it was inaccessible to people in other geographic areas, including San Francisco.
This was the first coordinated attack on the sites, and all the companies involved were working closely on the investigation, he said. "My team and the teams that are working together at all these companies are doing a really good job very quickly, and I'm proud and happy," he said.
Twitter and LiveJournal did not immediately return e-mails and calls seeking comment.
A Google representative offered this statement: "We are aware that a handful of non-Google sites were impacted by a DoS attack this morning and are in contact with some affected companies to help investigate this attack. Google systems prevented substantive impact to our services."
Political conflicts between Russia and Georgia, a former Soviet republic, spilled online last year with DoS attacks and Web site defacements going in both directions.
For more information, listen to Larry Magid's podcast interview with Elinor Mills.
Updated at 7:39 p.m. PDT, with Facebook saying a spam campaign did not cause the DoS, and at 6:35 p.m., with information from Cyxymu's site, more about the spam attack, how DDoS attacks work, and background on the Russia-Georgia conflict.
Itzik Kotler and Tomer Bitton of Radware. (Credit: Elinor Mills/CNET News)
LAS VEGAS--Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware or take over a computer by hijacking the communications during the update process for Skype and other applications.
About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.
Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network.
With the tool, an attacker can scan a Wi-Fi network for computers checking for new updates via HTTP (Hypertext Transfer Protocol). Because such a request goes out unencrypted and unauthenticated, anyone on the same network can answer it: if the tool detects a computer sending a software update request, it replies before the application's update server can, Kotler said.
Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said. A malicious file is then downloaded from the attacker's server onto the victim's computer.
The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said.
"You have to assume when on a public infrastructure that the infrastructure can be attacked," he added.
There is also the possibility that someone could spread an "airborne virus" via software updates that uses victim machines to attack and infect other machines on a network, according to Kotler.
John Hering and Kevin Mahaffey of Flexilis demonstrate an SMS attack targeting a Windows Mobile phone. (Credit: Elinor Mills/CNET News)
LAS VEGAS--In one of a handful of SMS-related presentations here at the Black Hat security show, researchers demonstrated on Thursday how they can force certain types of smartphones to visit a malicious URL or install an app without user approval.
The vulnerability only affects phones that have been misconfigured by the original equipment manufacturer so that they accept any message sent through WAP Push (Wireless Application Protocol), a service that runs on top of SMS, said researcher John Hering.
WAP Push messages should only be accepted when sent by a trusted party such as the mobile operator, said Hering, chief executive of Flexilis, which provides software for protecting mobile phones from attack.
Windows Mobile devices from any manufacturer, including HTC, Motorola, and Samsung, can be affected, he said, but only those that have been misconfigured, and which particular handsets carry the weakness appears to be random.
Phone owners can test their phone to determine if they are affected by the issue. Hering and Kevin Mahaffey, chief technology officer at Flexilis, are releasing a free tool that can be used to test whether a mobile phone is vulnerable and, if so, to fix the issue.
The researchers said they had not yet determined whether the iPhone or other devices were vulnerable. They said they have notified the carriers and Microsoft, and fixes are being worked on.
The attack works on GSM networks, the men said, adding that they had not yet tested it on CDMA networks.
The researchers built this device for testing for the vulnerability on multiple phones at once. (Credit: Elinor Mills/CNET News)
The researchers have developed free, open-source software called "Fuzzit," which is designed to test the security of mobile devices and is geared towards mobile manufacturers, operators, and software developers. It will be released shortly. They also built a device that allows for the testing of multiple phones on different platforms at once for internal research and development.
Their session was just one of a handful that dealt with vulnerabilities on mobile phones and SMS, in particular.
In a presentation earlier in the day, Zane Lackey of iSEC Partners and independent researcher Luis Miras demonstrated how an attacker could spoof an MMS (multimedia messaging service) notification, a type of SMS message, so that it appears to come from a trusted source and tricks the recipient into visiting a malicious Web site.
Also on Thursday, Charlie Miller of Independent Security Evaluators and independent researcher Collin Mulliner demonstrated another type of attack in which they can take complete control over an iPhone merely by sending special SMS messages. They proved the attack the night before with a denial of service attack on my non-jailbroken iPhone, which runs OS 3.0.
Since SMS is available on so many devices and is always on--as long as the phone is turned on--it makes for an attractive target for attackers, according to researchers.
The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.
There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.
There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.
The attacks started over the July 4 weekend, launching DDoS attacks on dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.
One of the files dropped on infected PCs is programmed to wipe out files on the PC, including the master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.
Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that that function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.
Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.
A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.
The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear if the DoS attacks will happen again because the infected PCs can receive new instructions at any time, Egan said.
"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked it's likely the attackers are just trying to get attention, he added.
South Korean officials told reporters on Friday that the DoS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.
For more information listen to CNET blogger Larry Magid's podcast on the subject.
This graphic shows how the different malware components on the denial-of-service botnets interact. (Credit: Symantec)
Updated at 4:20 p.m. PDT with Twitter phishing attack, at 4:10 p.m. with Facebook comment and 2:30 p.m. with attack also downloading malware onto computers.
Phishers were having a field day with Facebook and Twitter on Thursday.
A new phishing scam, like others in recent weeks, sends Facebook users to a Web site that steals their log-in information and also secretly downloads malware onto their computers in what is known as a "drive-by download."
Meanwhile, Twitter users were getting messages from new followers that were posting links to a fake Twitter site with "tvvitter" in the tiny URL, Graham Cluley of Sophos wrote in his blog. His blog has a video of the phishing attack in action. Twitter representatives did not immediately respond to e-mails seeking comment.
In the Facebook attack, messages circulated with a subject line of "Hello" and a prompt to check out "areps.at" or other URLs ending in ".at".
The URLs, before being blocked, directed the visitor to a fake Facebook page. If you logged in to the site, it would steal your e-mail and password, log you into Facebook, automatically change your password, and send the same message to all your Facebook friends, according to the All Facebook blog.
The malicious Web sites also spread the Koobface worm and install the Trojan.BHO, among other malware, onto unsuspecting computers, according to a CNET News test using Internet Explorer. But the URLs were blocked by Firefox and flagged as a "Web Forgery" as of 9:50 a.m. PDT.
"Whoever is behind the scam has been steadily amassing a large number of e-mail addresses and passwords over the past few weeks," the blog says. "Some days as much as three scams will spread throughout the site (possibly even more). Facebook rapidly shuts down all references to the site but by then the scam has spread to thousands of users."
Facebook spokesman Barry Schnitt said: "The impact of this attack or the previous ones is not widespread and only impacted a tiny fraction of a percent of users. We've been updating our monitoring systems with information gleaned from the previous attacks so that each new attack is detected more quickly."
The site has blocked links to the new phishing sites from being shared on Facebook, added them to the block lists of the major browsers, and is working with partners to have the sites taken down completely, he said. Facebook also is cleaning up phony messages and wall posts and resetting the passwords of affected users.
Other safe computing tips from Facebook:
--Use an up-to-date browser that features an anti-phishing black list. Some examples include Internet Explorer 8 or Firefox 3.0.10.
--Use unique logins and passwords for each of the Web sites you use.
--Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.
--Be cautious of any message, post, or link you find on Facebook that looks suspicious or requires an additional login.
--It is important that impacted users reset all accounts (not just Facebook) that use the same credentials. We believe the bad guys here are phishing an account and then trying those credentials on webmail providers. So, for example, if a user is compromised on Facebook and has the same login and password for their Gmail, the attacker may be able to intercept the Facebook password reset and compromise the account again in the future. This is one of the reasons why people need unique passwords for their online accounts.
--Become a fan of the Facebook Security Page (www.facebook.com/security) for more updates on new threats as well as helpful information on how to protect yourself online.
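A check in the spirit of the "facebook.com domain" tip, as an added example that is not Facebook's or CNET's code: it folds look-alike character pairs so that a spoof such as the "tvvitter" site mentioned above compares equal to the brand it imitates, and it flags a brand name that appears only as a subdomain of some other domain. The allow list and the two-label "registrable domain" rule are simplifying assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allow list of sites the user actually logs in to.
TRUSTED = {"facebook.com", "twitter.com"}

# Character pairs that read as another character at a glance ("tvvitter" -> "twitter").
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def registrable(host):
    """Last two labels of a host name (naive: no public-suffix list; an assumption here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def fold_confusables(label):
    """Collapse look-alike sequences so a spoof compares equal to the brand it imitates."""
    for seq, rep in CONFUSABLES:
        label = label.replace(seq, rep)
    return label


def classify_login_url(url):
    """Return 'trusted', 'lookalike of <site>', 'brand in subdomain of <domain>' or 'unknown'."""
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if fold_confusables(reg.split(".")[0]) == brand:
            return "lookalike of " + trusted
        if brand in host:             # e.g. facebook.com.<something>.at
            return "brand in subdomain of " + reg
    return "unknown"
```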
Separately, some Facebook users reported difficulty accessing the site on Thursday morning. It was unclear whether the connectivity issues were related to the phishing scam.
The attackers behind a series of rapidly spreading Web site compromises have begun using a new domain to deliver their malicious code, security experts say.
The attacks, collectively referred to as "Gumblar" by ScanSafe and "Troj/JSRedir-R" by Sophos, grew 188 percent over the course of a week, ScanSafe said late last week. The Gumblar infections accounted for 42 percent of all infections found on Web sites last week, Sophos said.
Over the weekend, the Chinese Web domain used to deliver the malicious code--gumblar.cn--stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in Web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an advisory.
"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said.
Changes to the script make it harder to identify and let it evade detection by the Google Chrome browser, Unmask Parasites said.
Gumblar was first detected in March and has spread more quickly since then, against the expectations of security experts.
"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman said late last week in an advisory.
In the Gumblar attacks, the opposite is occurring, partly because Web site administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.
Sites affected include Tennis.com, Variety.com, and Coldwellbanker.com, according to ScanSafe.
The attacks were carried out in multiple stages, beginning in March, when a number of Web sites were compromised and attack code embedded within them, ScanSafe said.
Then, in early May, as Web site operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.
The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.
They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.
The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the U.K., according to ScanSafe. That domain has now changed to martuz.cn.
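Added example (not ScanSafe's, Sophos's or Unmask Parasites' code) of how a site operator might scan their own pages for the two indicators described above: a script loaded from one of the named domains, and inline JavaScript that is mostly escape sequences wrapped in eval/unescape, which is what makes the page-to-page rewriting hard to signature. The sample page, the injected snippet (it decodes only to alert(1)) and the thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Domains named in the reports above, used only as match patterns.
KNOWN_BAD_DOMAINS = {"gumblar.cn", "martuz.cn"}
# Loader constructs common in obfuscated injections and rare in ordinary page scripts.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

class ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script sources from a page."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []            # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)    # bodies may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def obfuscation_score(js):
    """Share of the script made of escape sequences, plus a count of loader markers."""
    escaped = sum(len(m) for m in ESCAPE_RE.findall(js))
    return escaped / max(len(js), 1), sum(js.count(m) for m in OBFUSCATION_MARKERS)

def scan_html(html):
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = re.sub(r"^[a-z]+://", "", src, flags=re.I).split("/")[0].lower()
        if any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            findings.append(("known-domain", src))
    for js in parser.inline:
        ratio, markers = obfuscation_score(js)
        if ratio > 0.3 or (markers >= 2 and ratio > 0.1):   # constructed thresholds
            findings.append(("obfuscated-inline", f"escape_ratio={ratio:.2f} markers={markers}"))
    return findings

SAMPLE_HTML = (  # constructed page: ordinary scripts, a script from a named domain, an injected loader
    '<script src="/js/site.js"></script><script>var el = document.getElementById("x");</script>'
    '<script src="http://martuz.cn/x.js"></script>'
    '<script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script>')
```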
Matthew Broersma of ZDNet UK reported from London.