A new phishing scam is spreading through Twitter via direct messages, according to several reports.
Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link to what appeared to be a video-related Twitter page.
The page looks like a legitimate Twitter log-in page but nabs your credentials if you type in your password, he warns.
Meanwhile, a posting on the Mashable blog said the site had received multiple reports of the new phishing scam and that someone there had even received one of the phishing-related direct messages themselves.
No word on this yet on Twitter's official blog or from a Twitter spokesperson. We'll keep you posted as we hear more.
In the meantime, if you clicked on the phishing link and typed in your credentials, you should change your password immediately.
Update at 5:30 p.m. PDT: Twitter acknowledged the phishing scam in a tweet on Wednesday that said "A bit o'phishing going on--if you get a weird direct message, don't click on it and certainly don't give your login creds!"
JewNews.net captured this screenshot of the phishing-related direct message Twitter users are receiving and the fake log in page the link directs to.
(Credit: JewNews.net)
Microsoft is bringing out the big guns to combat instant message spam and phishing attacks against users of its Live Messenger network. The Redmond, Wash.-based software giant filed a civil lawsuit Thursday in King County Superior Court in Seattle against Funmobile, Mobilefunster, and several individuals, who Microsoft says are responsible for the intentional misuse of the service to gain the personal information of its users.
In the suit (which is embedded below), Microsoft cites a multitude of attacks including IMs that appear to be coming from users they know, as well as phishing attacks that mimic the look and feel of an outside service, or an official Microsoft support page.
Microsoft says that the successful use of these tactics has let third parties obtain these users' personal account information, then exploit it by sending mass spam and phishing messages to the contacts of users whose accounts have been breached.
In a post on Microsoft's security blog Microsoft on the Issues, Tim Cranton who is Microsoft's associate general counsel of Internet safety enforcement, said the company hopes the suit will accomplish three things. One is to stop companies and individuals from continuing the attacks through injunction. Microsoft also intends to "recover monetary damages," as well as send a message to other parties who would try similar tactics.
Microsoft counts the number of its Windows Live Messenger users at more than 320 million, although the suit makes no mention of how many of those users have been affected by the privacy attacks. However, it does say that the attacks have put a strain on the servers that run the service, as well as its security teams, which have to monitor and combat incoming attacks. In the meantime, the company is urging users of its Live Messenger service and other Live services not to give other people their log-in information.
Microsoft Corporation v. Funmobile, et al., case number 09-2-21247-3
CNN anchor Rick Sanchez wasn't really high on crack this morning, and the reason his Twitter feed said so wasn't the phishing scam that's been going around--it was a lone hacker, the microblogging service said later on Monday.
"The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend," a post on the Twitter blog explained. "These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure."
The same hacker was responsible for compromising a number of Twitter's most popular accounts, including those belonging to pop singer Britney Spears, media outlet Fox News, and President-elect Barack Obama.
Twitter has said, meanwhile, that the phishing scam--which used messages from Twitter friends to trick users into entering their user names and passwords into a bogus log-in screen--is under control. "Our on-call team was able to attend to the matter quickly and prevent too many people from being affected," Twitter's blog post read. "Our support team is definitely going to have a busy week because we reset a bunch of passwords just to be on the safe side."
(Credit: Twitter, screengrab by Ian Schafer (ianschafer.com))
Clarification: Twitter has clarified that this incident was the work of a hacker and separate from the phishing scheme.
CNN anchor Rick Sanchez is one of the most popular users on microblogging service Twitter, with nearly 40,000 followers and a Twitterholic rank in the top 20. Unfortunately for Sanchez, it looks like he fell victim to the phishing scam that has been plaguing the popular service for several days now.
In a "tweet" that has since been deleted, Sanchez's account displayed the message "i am high on crack right now might not be coming into work today"--and we're pretty sure that did not come from Sanchez himself. He has now posted a response tweet explaining that his account was hacked.
Over the weekend, reports began to surface that there was a password-stealing phishing scam making the rounds on Twitter. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members' home pages alerting them of the issue.
Why did so many people fall for it? Well, the fake Twitter log-in screen looked pretty darn authentic. And because there are so many third-party applications based on Twitter's application program interface (API), tons of avid users are used to throwing their Twitter passwords around left and right. That is, it goes without saying, probably not the safest habit to get into.
It looks as if the aim of the phishing scam may have been to take over the accounts of some of the service's most popular users: the account for Fox News, as well as pop singer Britney Spears, also had their passwords stolen and offensive tweets sent out. The Fox News tweet, for the record, concerned the sexual orientation of pundit Bill O'Reilly; the Spears tweet made some tawdry allegations about her naughty bits.
UPDATE: Twitter has posted an official blog entry explaining that this is different from the phishing issue. Rather, it was a hacker's doing:
The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.
Props to marketing blogger Ian Schafer for grabbing this screenshot.
There's a scam spreading through Twitter. Direct messages (DMs) are showing up in Twitter accounts with appealing come-ons to visit a site on blogspot.com. The text is, "hey! check out this funny blog about you..." The URL in the message then redirects to a page that looks like the Twitter login page, but is actually not on Twitter--it's a site, twitter.access-logins.com, that masquerades as Twitter to steal your login credentials instead.
If you need to log in to Twitter, do it on Twitter.com itself. And to play it safe, double-check your browser address bar to make sure that's where you are.
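Added example (not from the article): a small Python check that mirrors the address-bar advice above by classifying a log-in URL on its registrable domain, so that the article's twitter.access-logins.com host is flagged as a lookalike rather than as Twitter. The domain list, the two-label registrable-domain rule and the sample URLs are assumptions for illustration.

```python
"""Added example: flag log-in URLs whose host is not the site they imitate.

twitter.access-logins.com passes a casual glance because "twitter" is the
first label of the host; the address bar shows the whole host, and this
check compares the registrable domain to the sites the user expects.
Assumption: legitimate sites use the plain two-label form (twitter.com);
a production check would consult the Public Suffix List instead.
"""
from urllib.parse import urlsplit

# Sites whose credentials the phishing page collected, per the article.
LEGITIMATE_DOMAINS = {"twitter.com", "facebook.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ("a.b.example.com" -> "example.com")."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str) -> str:
    """Classify a URL as 'genuine', 'lookalike' or 'unrelated'.

    'lookalike': a legitimate brand name appears in the netloc or path
    (twitter.access-logins.com, or user@host tricks) but the registrable
    domain is not that brand's domain.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname drops userinfo and port, lowercased
    if not host:
        return "unrelated"
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "genuine"
    brands = {d.split(".")[0] for d in LEGITIMATE_DOMAINS}
    haystack = (parts.netloc + parts.path).lower()
    if any(brand in haystack for brand in brands):
        return "lookalike"
    return "unrelated"


# Constructed sample: the host quoted in the article plus a few variants.
SAMPLE_URLS = [
    "https://twitter.com/login",
    "http://twitter.access-logins.com/login",
    "http://twitter.com@access-logins.example/login",  # userinfo trick
    "http://example.blogspot.com/funny",
    "http://www.facebook.com/login.php",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{classify_login_url(sample):10} {sample}")
```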
The phishing site in question also appears to support the theft of Facebook IDs.
I have not received this bogus Twitter message, but the Twittersphere is abuzz over this scam.
This is not Twitter.
Read more on the Twitter Status blog, Chris Pirillo's blog, VentureBeat, or Mashable. Related: Koobface virus hits Facebook
Update: If you are logged in to the real Twitter.com, you'll now see an update about this scam on the page. No warning appears if you use another Twitter client, like Twhirl.
Update 2: The effect of getting taken in by this scam seems to be that affected accounts send messages to their followers with the original phishing message. To date, no other effect of falling victim to the scam has been reported. However, since many people use the same user ID and password for multiple online services, it's possible that credentials collected from this scam could be used to log in to other services, including financial sites.
As Twitter recommends on its blog: "If this has you feeling a bit weirded out, feel free to change your Twitter password."
Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords.
The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.
Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.
The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows the companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.
Updated Tuesday at 9:10 a.m. with Google comment.
A few months ago, spam came to Google Calendar. Now phishing has arrived.
Intrepid Google watcher Philipp Lenssen wrote late last week about being the target of a phishing attempt via Google Calendar.
He received an e-mail to his Gmail account with a reference to a legitimate event from his calendar. The sender was listed as "customer care," and it asked him to verify his account by supplying his username and password.
"We are having congestions (sic) due to the anonymous registration of Gmail accounts, so we are shutting down some Gmail accounts, and your account was among those to be deleted. We are sending you this email to so that you can verify and let us know if you still want to use this account," the e-mail said, complete with grammatical and spelling mistakes that can tip people off to phishing attempts.
On May 28, a Google Talk Guide addressed the issue in a Google Groups thread, urging users to click the "Report Phishing" link if they receive suspicious e-mails and not to click on links within the e-mails or open attachments.
Late on Monday, a Google representative e-mailed this statement: "Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Calendar, or any Google product, to send spam is a violation of our product policies. We are actively identifying Calendar accounts that send spam and disabling them."
Google has more information on how to protect against e-mail fraud on its Official Google Blog Web site.
Philipp Lenssen of Google Blogoscope writes about how phishers targeted him via Google Calendar. This is a screenshot of the e-mail he received.
(Credit: Blogoscoped)
Malicious attackers are increasingly setting their sights on targeted phishing attacks, or "spear" phishing, and custom-built applications, pushing these two areas into SANS' Top 20 Internet Security Risks of 2007.
The report, released Tuesday, provides a glimpse into the nefarious activities of online attackers and the issues faced by security firms.
"Spear phishing has had its most critical and damaging impact in military and civilian government organizations and military contractors who build weapons and more," said Alan Paller, SANS Institute research director.
He estimated that 90 percent of the attacks that caused the greatest damage over the past 18 months targeted the military and government entities, as well as defense contractors. Corporate executives are also increasingly finding themselves as targets of spear phishing.
"It's done as an act of espionage, and not so much for economic gain," Paller said during a press conference with other security experts to release the report.
A chief information officer at a midsize federal agency, for example, discovered his own computer was sending out data to China, unbeknownst to him, according to a composite cited in the report.
And in an effort to tackle the weakest security link in an organization, one federal agency has taken the unusual step of sending out a benign version of a phishing attack to its employees and further educating those who bite on security measures they should be taking.
Phishing is used for economic gain, as a means to lure users into giving up their log-on names and passwords, as well as such sensitive information as Social Security numbers and bank account details.
Custom-built applications have also gained favor with malicious attackers, due to developers' lackadaisical approach to designing security into the software. Previously, attackers concentrated their efforts on widespread software.
Other frequent attack targets cited on the list include Web browsers, Office software, e-mail clients and media players on the client side, while Windows services, Unix and Mac OS services and database software were listed on the server side of the equation.
Unencrypted laptops and removable media, as well as VoIP servers and phones, also made it on the list.
Do you consider yourself to be a privacy aware Internet user? Are you concerned about your security online?
You've installed antivirus and spyware software, which you also keep updated. You regularly update your operating system for any security patches. You have a firewall on your home computer and have locked down your home wireless network with a WPA2 password. Most importantly, you've ditched Internet Explorer and jumped on the Firefox bandwagon.
Your job is done, right? Think again.
While installing Firefox (and not using IE) is one of the most important steps users can take towards a safe online experience, Firefox is (alas) not totally safe out of the box. Luckily, Firefox provides a very flexible framework for open-source programmers and commercial vendors to create their own software add-ons for the browser. A number of these software extensions fix critical design flaws in Firefox--or simply improve transparency so that users have a better idea of where they are and which sites they're interacting with. I've selected a few of the best ones, which I highlight below.
I am not looking forward to the day that my son goes online, because then I'll have to have The Talk with him. About safe surfing. Sites he can and cannot view. Or I'll have to somehow rig the family computer or our home network's router so he can't view the sites I don't want him to. More likely, I'll do both.
There are products that can help: Filtering systems (like Naomi) that work on PCs, and services that work with popular routers, which attempt to block your computers from viewing entire classes of sites (porn, shopping, gambling, you name it) that you don't want them to access.
There's also a new solution, ScrubIt, which is a replacement DNS (domain name system) service. Once you configure your computers to use it instead of the DNS that your ISP directs you to by default, all sites must pass through the ScrubIt filter before the content can make it onto your network.
It's a good solution in many ways, especially since the filtering technology and "black list" database of blocked sites is maintained centrally; there's no updating needed at your home. But like any filtering and blocking technology, it can likely be easily routed around by a well-motivated 12-year-old.
I've only seen one other similar service: OpenDNS, which we use at my house. This product is pitched as a high-performance and antiphishing DNS, not a parental-control solution. Like ScrubIt, it's free to use: OpenDNS makes money by serving up its own keyword-based advertisements when you type a Web address incorrectly. ScrubIt will eventually offer customized filtering, for a fee.
The launch of ScrubIt reminded me of the likely growth of DNS-delivered security solutions. I would not be surprised to see security software vendors like Symantec begin to offer antispam and antiphishing services through DNS. Separating some security functions from the PC is a good idea--it takes the load off of PCs and reduces management headaches.
But once people start changing their DNS servers around, we're also going to have bad guys using the trend for their own purposes. They'll try to set up nearly the worst possible security hack: Getting unsuspecting users to switch to a compromised DNS server. Such a service could collect a staggering amount of confidential information from users.
Just something to watch out for. Don't go changing DNS services on a whim.
Found on: LifeHacker (see the discussion thread; it's interesting).
More security info: CNET's Security Center.