Spyware, viruses, & security forum: NEWS - August 07, 2012

From the BarracudaLabs Internet Security Blog:

"A study on Dealers, Abusers and fake Twitter Accounts"

Many people dream of becoming popular or famous, and Twitter provides an outlet to make this possible. Most Twitter users try the standard way to get popular and gain followers: constantly tweet funny quotes or comments, discuss breaking events, or disclose information that many people want (like Guy Adams did). However, some Twitter users look for unusual ways to make themselves appear more desirable and become popular faster. One of these ways is buying Twitter followers, which right or wrong, is a significantly growing trend.

At Barracuda Labs, we consistently find and study fake profiles on social media platforms (reference our study on Facebook Fake Profiles at http://barracudalabs.com/fbinfographic/) in order to better protect our 150,000 customers from being phished or harmed. For the past 75 days, we have been investigating the business of trading Twitter followers on eBay and other websites searched from Google. As it turns out, this underground economy on Twitter is blooming! The results show that this Twitter business is growing very fast to form a series of underground markets.

For quick snapshot, please refer to our most recent infographic, The Underground Economy of Buying Twitter Followers at http://barracudalabs.com/underground/.

Continued : http://www.barracudalabs.com/wordpress/?p=2989

Related:
Report says 15 percent of Mitt Romney Twitter followers are paid fakes
Study Looks Inside the Fake Twitter, Facebook Account Marketplace
New Study Shows Surge in Fake Twitter Users
Study shows 15% of Mitt Romney's Twitter followers are fake

The bogus tech support boiler rooms must be working overtime lately. I've recently been inundated with horror stories from readers who reported being harassed by unsolicited phone calls from people with Indian accents posing as Microsoft employees and pushing dodgy PC security services.

These telemarketing scams are nothing new, of course, but they seem to come and go in waves, and right now it's definitely high tide. One reader's story in particular really creeped me out. "Ron" wrote in to say his friend's young daughter was the latest target.

"A friend called me to tell me that someone called his house, and using some ruse, convinced his 11 year-old daughter to 'type in some numbers' into the Run window," Ron wrote. "When he got home, he turned the computer off, and we assume that it's compromised and will need to be reformatted."

Ron said that not long after that incident, he received a similar call. The woman on the phone told him that she was "the authorized security monitoring service for Microsoft Windows," and that they had detected that his computer was infected with malware, which naturally he needed to have removed.

Continued : https://krebsonsecurity.com/2012/08/tech-support-phone-scams-surge/

Related :
"Microsoft support" scammers still cold calling users
Report: Fraudulent Calls Up 29 Percent in 2012

Last month's post examining the top email-based malware attacks received so much attention and provocative feedback that I thought it was worth revisiting. I assembled it because victims of cyberheists rarely discover or disclose how they got infected with the Trojan that helped thieves siphon their money, and I wanted to test conventional wisdom about the source of these attacks.

[Screenshot: Top malware attacks and their antivirus detection rates, past 30 days]

While the data from the past month again shows why that wisdom remains conventional, I believe the subject is worth periodically revisiting because it serves as a reminder that these attacks can be stealthier than they appear at first glance.

The threat data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the number of antivirus products that detected the malware as hostile (virustotal.com scans any submitted file or link using about 40 different antivirus and security tools, and then provides a report showing each tool's opinion).

As the chart I compiled above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include such household names as American Airlines, Ameritrade, Craigslist, Facebook, FedEx, Hewlett-Packard (HP), Kraft, UPS and Xerox. In most of the emails, the senders spoofed the brand name in the "from:" field, and used embedded images stolen from the brands being spoofed.

Continued : http://krebsonsecurity.com/2012/07/email-based-malware-attacks-july-2012/

Apple co-founder and Fusion.io chief scientist Steve Wozniak said last night during a Q&A that dependence on the cloud is setting us up for "horrible problems."

The cloud, if you haven't been paying attention, is a metaphor for using the web to access applications, data, or services that are stored or running on remote servers. Consumers and businesses are making the major shift of relying on third-party cloud providers for storage and services. (Read our cloud explainer here.)

Wozniak, as reported by AFP, was speaking to an audience after a performance of the controversial show "The Agony and the Ecstasy of Steve Jobs" by monologist Mike Daisey. The tech celeb took questions about being on reality TV and public education, but when asked about cloud computing, he slammed the trend.

"I really worry about everything going to the cloud," he told the audience. "I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years."

One big problem, said Wozniak, is ownership and uploading files to a third-party service. "With the cloud, you don't own anything. You already signed it away" by agreeing to the provider's terms of service, he said.

Continued : http://venturebeat.com/2012/08/06/wozniak-cloud-problems/

Also: Steve Wozniak predicts 'horrible problems' with cloud computing

From Websense Security:

Websense ThreatSeeker Network detected a massive phishing campaign targeting AT&T customers. More than 200,000 fake emails are masquerading as billing information from the giant American communication services provider. Each message claims that there is a bill of a few hundreds US dollars.

In itself, the amount of money could be big enough to raise suspicion in most of us. Also, it is easy to see when the mouse cursor hovers over the link that the target Web address is different from the one displayed in the text of the message. Websense Security Labs highly recommends that you not click links in emails. Instead, manually type the legitimate domain name into your favorite browser and access the website that way. [Screenshot]

Clicking on the link in the bogus message sends the user to a compromised Web server that redirects the browser to a Blackhole exploit kit. As a result, malware is downloaded onto the computer that is currently not detected by most antivirus products, according to VirusTotal.

ThreatScope analysis, part of our CSI service, shows that the malware is part of the Cridex family. It drops files into the Application Data and Temp folders, and then injects code into other processes running on the computer, for example Internet Explorer and Adobe Reader. After this, it accesses a Bot network where the attacker can instruct the malware to take further actions. You can see the full report in our AceInsight portal.

Continued : http://community.websense.com/blogs/securitylabs/archive/2012/08/02/fake-att-email-installs-malware.aspx

Two weeks ago, many Dropbox users began suspecting a data breach at the online file-sharing service after they started receiving spam at email addresses they'd created specifically for use at Dropbox. Today, the company confirmed that suspicion, blaming the incident on a Dropbox employee who had re-used his or her Dropbox password at another site that got hacked.

In a statement released on its blog this evening, DropBox's Aditya Agarwal wrote:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again.

A Dropbox spokeswoman said the company is not ready to disclose just how many user account credentials may have been compromised by this password oops, noting that the investigation is still ongoing.

Continued : http://krebsonsecurity.com/2012/07/dropbox-password-breach-led-to-spam/

Researchers have found several samples of a new version of the mobile version of the Zeus malware, with these newest ones targeting the BlackBerry platform. BlackBerry has not been a common target for attackers, despite the high-value user base of corporate executives and government officials, but that may be changing now with this new version of Zitmo targeting RIM's devices.

Zitmo (Zeus in the mobile) is the name given to the mobile versions of Zeus, and it's been around for a couple of years already, mostly infecting Android phones. In the past, Zitmo variants have masqueraded as banking security applications or security add-ons. In the case of the new version targeting BlackBerrys, the app shows up on an infected phone as "Zertifikat". When the victim runs the app, it displays a message in German telling her that the installation was successful and showing an activation code for the app.

There also is a new version of Zitmo for Android making the rounds, and, like the new BlackBerry variant, it is targeting users in a handful of European countries: Spain, Germany and Italy. Zitmo, like its older brother, Zeus, is designed mainly to steal online banking credentials from users. The original versions of Zitmo did this by monitoring incoming SMS messages and picking off the ones that come from a bank and then sending those off to the command-and-control device controlled by the attacker.

Continued : https://threatpost.com/en_us/blogs/zeus-comes-blackberry-080712

NVIDIA has fixed the vulnerability in its proprietary graphics driver for Unix systems that was publicly disclosed by Linux kernel and X.org developer Dave Airlie a few days ago; apparently, NVIDIA had already known about the hole for a month. To close it, the company has, along with other drivers, released driver version 304.32, which is being deployed via NVIDIA's knowledge base.

The new driver version is available for Linux as well as FreeBSD and Solaris, because earlier versions of the drivers for these systems are also affected. NVIDIA explained that the new version prevents attackers from using the same trickery to obtain root privileges that was used by the exploit Airlie released a few days ago; the new drivers also block user-space access to certain GPU registers which could be compromised in a similar way.

On its main driver page, NVIDIA continues to offer drivers that still contain the vulnerability; the company plans to close the hole in driver series 295, which is to be released this week. A source code patch for driver series 195, and 256 to 304, is available for those who are unable or unwilling to update to the new version. The patch fixes the hole by applying changes to the open source kernel module code; together with a proprietary driver component, this module is then compiled to create a kernel module that is suitable for the user's Linux kernel.

http://www.h-online.com/security/news/item/NVIDIA-closes-hole-in-proprietary-Unix-driver-1660471.html

Also: Nvidia releases new Unix driver to fix high-risk Linux vulnerability

See Vulnerabilities & Fixes: NVIDIA Graphics Drivers for Linux GPU Device Node Access Privilege Escalation Vulnerability