Situations like this illustrate once again the dangers of using weak passwords not only for home users but in corporate environments as well. Today, social networking sites are very often the first point of contact between users and companies, and special care should be taken to strengthen the security of social media accounts.

When a Twitter account is hacked, the public normally thinks it has been the result of some highly sophisticated attack perpetrated with complex programs and all sorts of stealth systems only accessible to some privileged minds… Well, in reality, things are usually much simpler. In most cases, the so-called “hacker” simply guess their victim‘s password. The most complex attacks are actually those where the attacker tricks the user into re-entering their credentials in some system unaware of the fact that, in reality, they are submitting their data to a cyber-criminal (which, by the way, was exactly what happened in the AP Twitter hack).

Two months ago, Burger King’s Twitter account was also hacked. Its background picture was changed to a McDonald’s image, and a message was posted announcing that the company had been sold to their rivals. It is not known what password Burger King used, but I would say “whopper” is one of the safest bets… The AP attack might look like an isolated incident, but unfortunately these attacks are far more common than it seems. In fact, the group behind the hack, the self-proclaimed “Syrian Electronic Army”, also hacked the Twitter accounts of watchdog organization Human Rights Watch, French news service France 24 and the BBC’s weather service.

But it is not only Twitter accounts that are at risk. Many of us still remember the theft of a series of compromising photos from Scarlett Johansson’s cell phone for example. Preliminary investigation seemed to indicate that a hacker had been able to launch a cyber-attack on the American actress’s cell phone, accessing her personal information. Later, however, it was found out that the ‘hacker’  was simply a man with a penchant for hacking into celebrities’ accounts who had been able to guess the star’s email address password.

Let me finish by offering you a series of simple tips about social media passwords that will help you protect yourselves from this type of attack:

• Size matters: The longer the password, the safer it will be.
• Do not use personal information (your name, your phone number, etc.) to create passwords.
• NEVER use the same password for multiple accounts.
• Use passwords that are a combination of numbers, letters and special characters. The more complex the password, the safer it will be.
• Change your passwords frequently.

Do not reveal your passwords or send them via email.

The first one was Twitter. On February 1st Twitter published an article in their blog, “Keeping our users secure“. They explained they had been victims of an attack, and that information from 250,000 users had been accessed.

A couple of weeks later, Facebook published an article in their blog, titled “Protecting People On Facebook“. It looks like no customer data was compromised in this attack.

The next victim was Apple, just a few days after Facebook announcement, they told Reuters they had also been targeted using the same attack.

And last, but not least, Microsoft recognized they also had been victims of the same attack.

Not a bad list of companies, isnt’t it? Maybe we will see some more (Google is in the same target level, for example, or Amazon, or IBM…) but that’s not the point of this article. What can we learn? Of course there is a lot of information we don’t know yet, however we can see some positive outcome and 1very important task to do:

- Companies are not afraid of recognizing being targets of this kind of attacks.

- They have good security teams which have been able to identify the attacks as they were taking place.

Task to do:  We all should stop using Java in the browser. All these attacks were successful thanks to yet another 0-day vulnerability in Java. Disable it now.

People involved in computer security know that there is not a 100% safe place. You can take a number of preventive measures, and they will work well most of the times. But there is always some weak point, some new vulnerability, some human error, and out of the thousands of attacks that such big companies receive on a daily basis, one could succeed.

And being able to identify a current attack is critical. And Twitter, Facebook, Apple and Microsoft were able. They all are gathering information about the attack. They all are working with law enforcement to find out who is behind this attack.

If you are responsible for a medium / small company, you may think you do not have to worry as much as those biggies as you are not such a sexy target. That is partially true, you probably will get a small number of targeted attacks (if any), however you will be hit constantly with the usual cybercrime attacks that infect millions of computers.

According to PandaLabs 2012 Anual Report, 1/3 of all computers were infected at some point last year. And cybercriminals love low-hanging fruit. If you have computers without protection, without updated software, without a serious security plan, you will be the next.

Most computer infections nowadays come from exploit kits, which will infect the user’s computer without his knowledge through some software vulnerability. More than a 90% of these cases are Java vulnerabilites through the browser, so the best way to avoid these infections is simple: DISABLE JAVA IN YOUR BROWSER. NOW. WHAT ARE YOU WAITING FOR?

If for any reason you need Java in the browser to run some application, then use it in a secondary browser.

I talked about different evidences that indicated this fact: different techniques within the malware that were not used anymore suddenly appear again (encription of files in the infected computers, for example), how to perform the same actions (like showing the fake police warning screen) were performed in completely different ways, showing that they were different projects, or how we are still seeing new attacks performed on a daily basis.

Anyway I decided to pull the thread and look for some figures to see if they are coherent with the previously described evidences. In most of the cases, computers get infected via the infamous “exploit kits”, tools used by cybercriminals to install different malware just visiting a compromised web site without user intervention. To achieve this, exploit kits use different security holes in software installed in the computer, most of them based on Java or Adobe, as this is very popular software with hundreds of millions of users and with -sadly- many security holes. To make it worst, many users do not bother updating that software, which is like having an open door in your computer with a big sign saying “please infect me”. In short: infecting computers is child’s play in many cases.

This is why some months ago we deployed a new technology in Panda Cloud Antivirus that allows to stop infection attempts that try to use this kind of vulnerabilities (even when it is an unknown vulnerability) and furthermore it sends information to our cloud with data of the malware file that was trying to infect the system.

Out of all the data,  I have extracted a couple of different families that belong to the police virus to see how many infections have we stopped since December 2012 until mid February 2013. In other words, we are talking about Panda Cloud Antivirus users that while on the Internet were attacked with an exploit they had no protection for (his software wasn’t updated, most of them Java related) and which aim was to infect them with any of these particular 2 families of the police virus.

The Russian head of the cybercriminal gang was arrested in Dubai last December. If this was really the only gang behind these attacks, as we have seen in some media, the number should have dropped considerably. However, this is the result:

As we can see, the number of blocked infections is not going down, it has increased by 2! This is a proof that shows how we will have to deal with this police virus for a long time, war is not over yet (as usual )

These 2 families, as well as many others, are detected by Panda with the name Trj/Ransom.AB. If you have been already infected and need some help, our Technical Support team have the following instructions that work really well to solve all your problems.

Finally, some advices to avoid becoming a victim of these cybercriminal gangs:

- Update. All installed software. From the operating system to any other software you have in your computer. Don’t be lazy, it is worth it

- Uninstall any Java plugin in the browser. You don’t need it and you get rid of a HUGE risk. Not only this, unless you need Java to run some local application in your computer, remove it completely. I did this long time ago. An ounce of prevention is worth a pound of cure.

The head of the gang –a citizen of Russian origin – was also arrested in the operation. Oddly enough, and despite his origin, he was arrested in Dubai while on vacation, and awaits extradition to Spain. The operation remains open and more arrests could be forthcoming.

In any event, and before we all start celebrating, it must be said that in our opinion, based on our research of the Police Virus, there is more than one group behind the attacks. We’ve reached this conclusion after having studied multiple variants of this malware over time and having detected numerous striking differences among them.

Here on this blog we have posted several reports on the Police Virus and its evolution over time. This evolution is absolutely normal and it doesn’t necessarily mean that there are various teams behind the attacks, as it is quite normal for cyber-criminals to try different techniques to infect as many people as possible.

However, there is other evidence to the contrary: We saw how certain techniques that had apparently been abandoned (like the encryption of files on the victim’s computer) were suddenly put to use again; or how different variants used completely different techniques to achieve the same results (display a fake police warning on screen). All the evidence seems to indicate that we are dealing with different projects.

This wouldn’t be too surprising after all. If you analyze the situation from a purely commercial point of view, it would be something like this: someone comes up with a money-making idea, and others copy it quickly to get the same results. It happens all the time. In this particular case, it seems that there are different gangs ‘in the same line of business’.

Another clear evidence of this is the fact that the attacks keep repeating, even at this very minute: There are new Police Virus infections asking for their €100 fine. Here are a couple of screenshots of two new variants we have detected a couple of minutes ago as I was typing these lines:

Anyway, this is still good news for everyone: another cyber-crime ring has been dismantled, and law enforcement agencies around the world keep making progress towards defeating the cyber threat.

-       Do not run attached files that come from unknown sources. Stay on alert for files that claim to be Valentine Day’s greeting cards, romantic videos, etc.

-       Do not open emails or messages received on social networks from unknown senders.

-       Do not click any links included in email messages, even though they may come from reliable sources. It is better to type the URL directly in the browser. This rule applies to messages received through any mail client, as well as those in Facebook, Twitter, or other social networks or messaging applications, etc. If you do click on any such links, take a close look at the page you arrive at and if you don’t recognize it, close your browser.

-       Even if the page seems legitimate, but asks you to download something, you should be suspicious and don’t accept the download. If you download and install any type of executable file and you begin to see unusual messages on your computer, you have likely been infected with malware.

-       If you are making any purchases online, type the address of the store in the browser, rather than going through any links that have been sent to you. Only buy online from sites that have a solid reputation and offer secure transactions, encrypting all information that is entered in the page.

-       Do not use shared or public computers, or an unsecured WiFi connection, for making transactions or operations that require you to enter passwords or other personal details.

-       Have an effective security solution installed, capable of detecting both known and new malware strains.

We cover also the security trends for 2013, as well as some of the main figures related to malware:

-       27 million new malware strains found in 2012, at an average of 74,000 new samples per day.

-       Three out of every four malware infections were caused by Trojans.

-       China, South Korea and Taiwan are the world’s most infected countries.

The full report is available here.

We’ll take a small peek at those tactics. We received the following email:

Hi ,

You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.

Thanks,
The Facebook Team

Obviously, Facebook didn’t disable your account at all. There are some factors to easily determine this email is fake:

• The ‘From’ field says it’s from “Facebook”, however, the sender is clearly ‘nondrinker@iztzg.hr’.
• Have you disabled your account? If not, then there’s no reason to receive this mail.
• The subject and the content of the email do not match.
• Hovering over the links in the email reveals the real URL, which are not Facebook URLs.

When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by firstly detecting which plugin and Java version you are using:

The payload? Probably ransomware or a Banker Trojan.

Prevention

Use the NoScript add-on in Firefox or NotScripts in Chrome to prevent this.

Use the WOT add-on to check on the status of a website.

Use your common sense and ask yourself the proper questions (see below).

Use a URL scanner if you’re unsure about a URL. Some examples are VirusTotal, URLvoid and URLquery.

Conclusion

As usual with this kind of emails, be alerted and always ask yourself the proper questions:

• Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
• Why would Facebook send me this when my account isn’t disabled at all?
• Why are those links not pointing to Facebook websites?
• Why is the sender not from Facebook itself? What can I see in the headers?

Use your common sense, update your 3d-party applications as well as Windows, and use a decent antimalware and antivirus product, like Panda Cloud Antivirus free.

Author: Bart Parys

Source: http://bartblaze.blogspot.be/2013/01/facebook-spam-leads-to-exploit-kit.html

1.- You get a Direct Message (DM) from one of your contacts, with a shortened link.

2.- You click on the link.

3.- Any (or even all) of the following options will take place:

• A) You are taken to a Twitter like website and asked to enter your Twitter credentials.
• B) You are taken to a spam website (which also could try to infect you through some drive-by-download trick)
• C) You are asked to download a file which will be some kind of Trojan.

Usually this is how it works, although some days ago it caught my attention a slightly different approach. This one, instead of sending you a DM it mentions you with some funny comment and a link.

These are some of the message that were being sent out from a compromised user account:

If the mentioned Twitter user clicks on the link, he will get to the following web:

Of course if you download and run the file, your computer will be infected, a nice Trojan for the collection.

The reason for using mentions is that you can mention anyone, while you can only send DMs to your followers, so potentially it could spread faster. However, people tend to trust more on DMs as they come from a “trusted” source (at least it is someone you are actively following) so the infection ratio per tweet sent will be higher using DMs.

Another option (we haven’t seen it yet, but I guess it is just a matter of time) is a mix of both techniques, sending DMs to your followers and mentions to the rest of the Twitter users.

Remember, do not trust anyone you don’t know, and beware of your friends as their accounts could have been compromised

And finally, if even after following my advice your Twitter account is hacked, do the following:

A) If you can still log into your account, change your password IMMEDIATELY.

B) If your password has been changed and you cannot access your account anymore, follow these instructions from the Twitter team.

We’ve seen it before: Warnings claiming that Messenger is closing down (although this has turned out to be true ), users can switch the blue color of their Facebook profiles by clicking a link, Twitter will become a paid-by-users service… Normally, these messages are nothing but harmless hoaxes, but sometimes they can have serious consequences.

One of the hottest topics lately has been the fragile health of Venezuelan President Hugo Chavez. In the rush to be first, the news media sometimes reports incorrect information or make blatant mistakes, as happened this week with Spain’s leading newspaper El País, which published a phony picture of President Hugo Chavez in his hospital bed. If such a prestigious newspaper as El País falls victim to a deception, just imagine what can happen to the rest of us, humble Internet users exposed to tons and tons of information and links we sometimes click without even thinking about it…

An email message purportedly containing a photo of Hugo Chavez. One link. One click. One Trojan. One infection. A massive infection of your company’s network. This is more common than you may think.

Remember when Steve Jobs passed away? Just a few hours after his death, a group of scammers had created a Facebook page called “R.I.P. Steve Jobs” which amassed more than 90,000 fans in just a few hours. The page contained a malicious URL and a text claiming that 50 free iPads were being given away ‘in memory of Steve Jobs’. However, to participate in the drawing, users were asked to enter personal details such as their name, phone number, email address, etc.

Another notorious scam, which affected a large number of Internet users, involved a supposed sex tape of Katy Perry and Russell Brand used to spread malware via Facebook at the beginning of the year 2012. Victims received the following message on their Facebook walls:

If the user clicked the link, they were taken to a fake Facebook page where they were invited to download a plug-in to watch the video. The plug-in, however, was designed to post the scam to the victims’ friends’ pages and take them to a typical scam site where they were asked to enter their phone numbers in order to send them unwanted premium rate text messages.

These are just a couple of examples of Internet scams preying on users’ curiosity.  Actually, this is one of cyber-criminals’ favorite ways to spread infections. And I am pretty sure it won’t be long before President Chavez is used as bait to distribute malware.

PandaLabs offers users tips on how to avoid falling victim to this type of scam:

• Be wary of websites or messages offering sensational videos or unusual stories.
• Before you click on a link sent by one of your contacts, make sure it has been intentionally sent by your friend and it is not the result of a massive scam.
• Don’t accept friend requests from people you don’t know. This will help keep your privacy safe.
• Always keep your computer’s operating system and Web browsers up to date, and make sure you have an up-to-date antivirus solution installed.