Security

A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address displays "service@facebook.com." In reality, the address and sender were spoofed.

MX Labs found that the e-mail was accompanied by an attachment named, "Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe" that, the e-mail claims, contains the user's new Facebook password. The security firm said that the element between the underscore and .zip are randomly chosen letters and numbers for each recipient.

When a user downloads the file, it could wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab "executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions)." In other words, it's nasty.

Once it makes its way to the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe" in the user's system files. MX Labs said that it also creates two new processes, called "isqsys32.exe" and "svchost.exe."

Another security watchdog, M86 Security, wrote that there's more to the outbreak than Bredolab. After it sneaks its way onto the user's computer, M86 said, Bredolab downloads a bot called Pushdo. The company found that Pushdo immediately starts "spamming out more of these Facebook password reset e-mails."

For its part, Facebook was quick to point out that the e-mail containing the virus wasn't coming from the social network.

"This virus is being distributed through email, not on Facebook," a Facebook spokesperson wrote. "The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page."

Facebook said that users should be "suspicious of unexpected emails claiming to be from Facebook." The company also said that it will never send users a new password as an attachment.

Those users that have downloaded the file should use anti-malware software to remove it. Click here for a list of security software available from CNET's Download database.

Updated at 1:03 p.m. PDT to include new details from M86 Security.

As of 2:15 p.m. Tuesday e-mail delivery had started to return to normal for some Postini customers, although problems remained.

(Credit: Screenshot by Tom Krazit/CNET)

Some customers of Google's Postini e-mail security product experienced significant problems Tuesday, with reports of hours-long delays in e-mail delivery that are still affecting some customers.

Threads throughout Google's Postini forums spread involving the issue, which seemed to begin overnight on System 7--one of several systems used by the service--and was still affecting some customers as of Tuesday afternoon, although e-mail delivery had resumed for others. Users also reported problems accessing the management consoles used to log into the Postini service, preventing them from understanding exactly what was happening.

Postini, acquired by Google in 2007, offers e-mail security services to businesses. Postini scans all e-mails directed to the networks of its customers for viruses, malware, and spam, passing along the genuine messages to the network once they have been cleared. However, Tuesday it appeared that for a significant portion of the morning, all messages for customers using System 7 were blocked before they reached their destination, and customers could not log into their accounts to see what was going wrong.

A Google representative acknowledged the e-mail delivery delays in a statement. "We're aware of an issue that's causing a delay in mail delivery for some Postini customers in the US, and are working to fix it as quickly as possible. We know how important mail is to our users, so we take issues like this very seriously, and apologize for the inconvenience. We encourage anyone having technical difficulty to visit the Postini support portal at https://www.postini.com/support/support_login.php."

It has not been a good week for the cloud. Hosted applications and services such as Postini were sure to get a second look following the debacle at Microsoft involving the Sidekick and possible data loss.

It's also another example of Google's growing pains with customer support. Google Checkout customers reported significant issues for over a month without any resolution, and angry e-mail administrators on Postini's message boards complained that Google support personnel were very difficult to reach during Tuesday's issues.

Google support technicians promised some Postini customers--who pay between $12 per user per year and $25 per user per year--that their e-mails were not lost, which is at least some good news for customers affected by the problems. But running a business without e-mail in the 21st century is a very difficult thing to do.

There has been a marked increase in the amount of spam e-mails being sent from Yahoo, Gmail, and Hotmail accounts, according to analysts at Websense Security Labs.

Websense said on Thursday that personalized spam e-mails had been sent from the compromised accounts to all of each user's contacts. The e-mails contain links to fake shopping sites, intended to capture sensitive information from the reader.

Earlier this week, Microsoft acknowledged that 30,000 Hotmail accounts had breached, and suggested the passwords for the accounts had been obtained in a phishing scam.

However, some security experts believe that the password breach cannot be attributed to phishing. Amichai Shulman, chief technology officer for security firm Imperva, told ZDNet UK on Friday that the information was likely to have been obtained through key logging.

"The quantity of people hit makes me think that it was key logging--the success rate for phishing is only about one in 1,000," said Shulman. "Secondly, when I went through the list of email account credentials...

Read more of "Hacked Web mail accounts used to send spam" on ZDNet UK.

I'm not an employee of MySpace, but I was able to join its Facebook network.

(Credit: Facebook)

I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.

Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any members of the News Corp.-owned social network.

A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions out of the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.

See what happens?

(Credit: Facebook)

In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.

This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.

It's an issue for Facebook as well because the massive social site does have an obligation to make sure that its restricted networks don't lie fallow. If there's a change in corporate e-mail structure at a company with a Facebook network, particularly a big one, that can mean something big with regard to potentially thousands of Facebook members' security.

A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.

This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.

Hotmail users aren't the only ones who've been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.

The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.

Google described the issue as an "industrywide phishing scheme." BBC News said it has seen two lists posted online with "more than 30,000 names and passwords" from Gmail, Yahoo, AOL, Microsoft's Windows Live Hotmail, and other service providers.

"We recently became aware of an industrywide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google representative told me in an e-mail.

The representative said that Google immediately "forced passwords resets on the affected accounts."

In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.

Despite Google's and Microsoft's awareness of the problem, it doesn't seem that users are out of the woods just yet. Google's representative told CNET that it will continue to force password resets on any newly affected user accounts.

Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.

Google's admission that Gmail users were affected by the phishing scheme comes on the heels of Microsoft acknowledging that over 10,000 Live Hotmail accounts were compromised by the scam. The passwords apparently first hit the Internet on October 1.

Updated at 9:10 a.m. PDT to include Google's comments.

As a result of a bug in a Google Apps e-mail migration tool, some students at Brown University found other students' e-mail in their in-box over the weekend as Google was moving their e-mail from Exchange to Gmail, Google confirmed on Friday.

The problem affected a "handful" of organizations that use Google Apps, a spokesman said. He declined to specify how many were affected or how many individual users were affected.

Brown University newspaper the Brown Daily Herald reported that e-mail for 22 students was misdirected starting on Friday, that the university notified Google about it on Saturday, and it was fixed on Tuesday.

However, the Google spokesman said the company found out about the problem on Monday, disabled the affected accounts within hours, and then restored the accounts within a day.

"A very small number of Google Apps domains using the IMAP migration tool last weekend encountered a bug that caused a handful of their users' mail to be migrated to the wrong accounts," the spokesman said in a statement. "We quickly identified and fixed the issue, which affected less than 0.002% of users, and worked with the organizations to restore the affected accounts to their original state. We have extensive safeguards in place to ensure that users' mail is safe, and we're confident this was an isolated incident."

Donald Tom, director of IT support services at the school, complained to the newspaper that the school was not notified before the affected e-mail accounts were suspended. However, he did praise Google for moving swiftly to fix the problem.

Asked to respond to that criticism, the Google spokesman said: "In this case we made the judgment call that the safest and most expedient course of action for the affected users was to suspend affected accounts as soon as possible. In our conversations with our customers, they've appreciated our prompt actions and have been satisfied with the outcome."

Organizations are finding it difficult to prioritize defense strategies against cyberattacks because most of them do not have an Internet-wide view of the attacks, according to a report from SANS Institute, the security training organization.

As a result, two security risks--Web applications and phishing--carry the greatest potential for damage, even though users instead tend to concentrate on less-critical risks.

The report, published by security training organization SANS Institute, amalgamates global data from security attacks on computers from March to August.

It identifies two main defense priorities for enterprise users. The first is targeted e-mail attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe Systems' PDF Reader and Flash, Apple's QuickTime, and Microsoft's Office. These applications are described as the "primary initial infection vector used to compromise computers that have Internet access" and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners."

The second priority is vulnerable sites. More than 60 percent of attacks are against Web applications and "convert trusted Web sites into malicious Web sites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities.

A further finding is that applications are now more vulnerable and see more exploitation attacks than operating systems. There were no new major operating system worms seen in the wild during the reporting period.

Additionally, the report found there has been a "significant increase" over the past three years in the number of people discovering zero-day vulnerabilities: flaws that become known to attackers before they are discovered by security researchers, opening the chance of an attack against which no preparation has been made.

"This report is different from anything we have done before," a SANS spokesman said, "because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies)."

The report sources includes attack data from 6,000 organizations, compiled by security hardware vendor TippingPoint, vulnerability data from 9 million computers compiled by security software vendor Qualys, and additional analysis and tutorial by the Internet Storm Center and SANS faculty members.

Manek Dubash of ZDNet UK reported from London.

The list of PC security products never ends. For every name that drops off, two more jump on. In fact, determining the best security hardware and software is a full-time job. Sometimes, you just want to throw up your hands and take your chances.

Maybe I'm just a cockeyed optimist, but I think you can stay safe without spending all your spare time doing research, installing updates, and generally becoming a PC-security expert. Here are five relatively easy ways to improve your security.

Use the firewall that's closest at hand
In the computer industry, the reputation of a product, service, or Web site is just about worthless. Yesterday's best firewall, ad blocker, spam buster, virus spotter, or spyware cleaner is today's bust.

Maybe the product got bought and the new owners aren't as conscientious about updates as the previous ones. Or the service's management team decides to go for profits and skimp on support, updates, and enhancements. There are lots of reasons why a good product goes sour, and the computer industry has seen nearly all of them.

So if you can't go by reputation, how do you choose a security product? One way is to go with the tools you've already got. Windows' security is roundly criticized, but the fact is, it's better than it used to be, and third-party security products have their own shortcomings.

Last February, I recommended that you use a third-party firewall rather than the one built into Windows. Six months earlier, I suggested that you pass on the third-party tools and stick with the Windows Firewall despite its shortcomings.

So which side of the fence am I on now? The simple side. The fact is, any third-party security tool complicates your setup. It's not difficult to find weaknesses in the Windows Firewall, but it's safe enough for most PC users, and it's much better than using no software firewall at all.

My previous post included links to information on Microsoft's TechNet site providing technical details of the Windows Firewall, tips for customizing the Windows Firewall, and help troubleshooting the firewall in XP and Vista.

Don't hesitate to try another free antivirus program
Just last week, I switched antivirus programs on my XP test system--for the umpteenth time. Something was slowing the system down, and after defragging the hard drive and doing other standard maintenance tasks, the machine's performance didn't improve as I expected it to.

Rather than go through a bunch of diagnostic tests, I simply uninstalled the system's antivirus tool and downloaded a competing package. The old and new programs were both free, and the switch didn't take much time to complete. The topper? The XP machine's performance perked up immediately.

Two antivirus programs that are free for home use and that are currently highly rated are Avast Home Edition and Avira AntiVir. You'll find a list of dozens of antivirus programs for Windows on this Download.com page.

Change your password...again
I hate those "your password will expire in x days" warnings as much as you do, but one of the simplest ways to protect yourself is by keeping your passwords fresh. Last year, I described the Ten Password Commandments, one of which was to devise a password-creation strategy that's all your own.

Just two months ago, I complained about the shortcomings of passwords as our primary security option, though I concluded that there's nothing better, for now. Lots of people swear by password managers such as RoboForm, but then you have yet another third-party app complicating matters.

For me, it's simpler just to devise a new password based on my unique, inimitable password-creation system, which I share with no one. No need to write it down, enter it in an online form, or encrypt it in a master-password file. Temporary amnesia, well, that's another matter.

For secure e-mail, use encryption
You would think that encrypting e-mail would be a breeze, but doing so is anything but. You and the recipient have to deal with digital certificates, public and private keys, and any number of other time-eating preparations and precautions.

The simplest way I know of to encrypt your e-mail is by using the Mozilla Foundation's Thunderbird with the Enigmail extension. Jason Thomas provides step-by-step instructions in this tutorial on the Lifehacker site.

Gmail users can secure their e-mail communications by enabling the service's built-in encryption. To do so, click the Settings button at the top-right of the main Gmail screen, scroll to the bottom of the General tab, select "Always use https," and click Save Changes.

Select "Always use https" under the General tab in Gmail's Settings to encrypt your messages.

(Credit: Google)

Keep your browser up-to-date
Most people will tell you that the Mozilla Foundation's Firefox browser is the safest way to surf, but a recent report from Google Switzerland and the Swiss Federal Institute of Technology found that "(u)sing the most recent version of a browser will lower the risk associated with drive-by-downloads and other Web-based attacks, which start by targeting the browser."

The report cites Google Chrome's silent updates as the best way to ensure that your browser is protected. The researchers also laud Chrome's lack of a way for users to disable its silent-update feature. Some people will object to software being downloaded to and installed on their system without their knowledge, but the fact is, these behind-the-scenes updates are the best way to keep you safe from the Internet bad guys.

Personally, I'm starting to rethink my choice of default browser. But as I mentioned earlier, you can't put any faith in a computer security product's reputation. And you can't be afraid to switch.

As the economy worsens and more people get laid off, online fraud and financial scams are rising, security experts say.

Many of the scams lure people in with promises of quick and easy money. For instance, there has been a marked increase in money mule recruitment scams for people to transfer funds online between countries, and other illegal work-related spam in recent months, security firm Panda said on Thursday. Such offers promise $225 or more a day for what they call "rebate processing" work at home.

"The schemes are aimed at people who are desperate in rough times and who are likely to respond as they lose jobs," Ryan Sherstobitoff, chief corporate evangelist at Panda.

While the U.S. unemployment rate increased by over 6 percent between August and October, reaching a 14-year high of 6.5 percent, dubious work recruitment scams rose 514 percent over that same period, according to statistics from the Honeypot Project, a security-focused research group.

Those types of recruitment spam hit an all-time high as a percentage of total spam, topping 0.31 percent, up from 0.23 percent the previous month and 0.13 percent in August, according to PandaLabs, the malware analysis laboratory of Panda.

Meanwhile, the success rate for the money mule operations in North America was on average 66 percent higher than the success rates of such scams in other regions, said PandaLabs, which analyzed a sample population of seven large mule networks around the world. Recipients respond to about one in three of the money mule e-mails, Sherstobitoff said.

This is an example of a money mule laundering e-mail, the type of which has risen along with the U.S. unemployment rate, PandaLabs says.

(Credit: PandaLabs)

In the money mule scams, e-mails offer jobs as independent contractors and commissions for processing rebates that are supposedly from purchases made at legitimate companies. "Applicants" are asked to provide their bank account information and are then instructed to wire money that is deposited into their accounts to drop boxes via Western Union, said Sherstobitoff.

Rather than processing actual rebates, the operation is designed to launder stolen money from one country into another through legitimate bank accounts, he said. The "contractor" may or may not receive a small sum in exchange, but it won't be enough to make up for the risk posed by participating in an illegal scheme, he said.

Also believed to be related to the economic downturn is a spike in phishing attempts, whereby fraudsters lure people into providing sensitive bank and personal information on malicious Web sites that appear to be legitimate bank sites. The phishing e-mails lately have been made to look like they come from banks that have been involved in mergers, such as Chase and Washington Mutual, and are preying on bank customers who may be confused.

Over the last month there has been a significant increase in phishing attacks, or malicious Web sites discovered that victims are directed to via e-mail, according to security firm Cyveillance.

The daily average number of phishing attacks detected has risen from 400 or fewer in the first quarter of 2008 to more than 1,750 in the past month, the firm said. On one day the number of attacks spiked to greater than 13,000, said Cyveillance, which helps commercial customers get phishing sites taken down.

It is unknown how many people are actually falling for the phishing scams and losing money, said James Brooks, director of product management at Cyveillance.

The attacks are easy to do once e-mail addresses are obtained, and the risk of getting caught is incredibly small while the payoff can be huge, he said.

"Phishers are getting rich and are very organized," Brooks said. Meanwhile, "no one is going to jail over it."

Firefox and Internet Explorer have built-in features that warn Web surfers when a site they are visiting is potentially harmful, and Google has a Firefox extension that alerts people when a page appears to be requesting personal or financial information under false pretenses.

"None of these (technologies) is foolproof, but they're a step in the right direction," Brooks said.