Image via Wikipedia

According to local media reports, hackers were able to snoop upon emails and steal passwords from computers belonging to lawmakers at the Japanese parliament for over a month.

A report in the Asahi Shimbun claims that PCs and servers were infected after a Trojan horse was emailed to a a Lower House member in July.

The Trojan horse then downloaded malware from a server based in China – allowing remote hackers to secretly spy on email communications and steal usernames and passwords from lawmakers.

Inevitably there will be suspicions that the attack was sponsored by the Chinese, because of the involvement of a server based in China. But that fact alone is not a convincing reason to blame China for the attack.

For one thing, it’s perfectly possibly that the attack was the work of a lone Chinese hacker – without the backing of his government or military. And even more relevantly, computer hackers can plant their malware on servers all around the world – so it’s just as possible that a hacker in, say, New Zealand placed his malware on a compromised Chinese server.

I’m not saying it wasn’t China, of course. Just that you need more evidence than the role of a Chinese server in the attack. Everyone would be wise to remember that there’s a need to collect real evidence before the finger pointing begins.

Source :- http://nakedsecurity.sophos.com

Related articles

• Japanese parliament hit by cyber-attack (nakedsecurity.sophos.com)
• Hackers Attacked The Japanese Parliament Network (socyberty.com)

The death of Libyan dictator Colonel Gaddafi has almost inevitably resulted in cybercriminals taking advantage of the news story, and the general public’s seeming interest in viewing ghoulish photos and videos of his last moments.

Malicious hackers have spammed out an attack posing as pictures of Gaddafi’s death, tricking users into believing that they came from the AFP news agency and are being forwarded by a fellow internet user.

A typical message looks like this:

Subject: Fw: AFP Photo News: Bloody Photos: Libya dictator Moammar Gadhafi's Death

Message body:

Libya dictator Moammar Gadhafi's Death

Libyan dictator Moammar Gadhafi, the most wanted man in the world, has been killed, the country's rebel government claimed Oct. 20. The flamboyant tyrant who terrorized his country and much of the world during his 42 years of despotic rule was cornered by insurgents in the town of Sirte, where Gadhafi had been born and a stronghold of his supporters.

Attached file: Bloody Photos_Gadhafi_Death.rar

Windows computer users who decompress the attached file are putting their PCs at risk of infection. The RAR archive file creates a malicious file called:

Bloody Photos_Gadhafi_DeathGadhafi?rar.scr

Sophos anti-virus products detect the malware proactively as Mal/Behav-103.

Although there has been much speculation in the media about the possibility of Gaddafi-related malware attacks and scams, this is the first one that I’ve seen since the death of Gaddafi made news headlines around the world yesterday.

Internet users would be wise to remember to be very careful about the links they click on, and to be suspicious of unsolicited attachments.

Source :- http://nakedsecurity.sophos.com

Related articles

• Moammar Gadhafi Dead: Libya Prime Minister Says Gadhafi Has Been Killed [Video] (inquisitr.com)
• Gaddafi’s Body On Display In A Morgue (buzzfeed.com)

Image via Wikipedia

One of the topics I frequently get asked about by customers when they visit SophosLabs, is what do we do about the hoards of legitimate web sites that we see getting hit with malware? How do we go about alerting them to the problem? How can we help to get things cleaned up quickly thereby reducing risk for users?

Sophos customers can take advantage of our WebAlert service, but this is not relevant to non-customers.

Web security is a topic that affects us all. The web has become the predominant way in which malware is delivered nowadays. Thanks to techniques such as black hat search engine optimisation (SEO) or drive-by download attacks, failings in the security of a single site or hosting provider can expose many innocent users to malware. Improving the process by which the bad stuff gets reported and cleaned up is in all of our interests.

I am pleased to have been involved in a great initiative over the last few months, coordinated by the folks at StopBadware. They put together a working group in order to thrash out a process for reporting malicious URLs. I am happy to say that a few days ago the final version of Best Practices for Reporting Badware URLs was published.

Hopefully the initiative will facilitate communication between the parties that discover the bad stuff, and those in a position to do something about it, mitigating the effects of malicious URLs.

More information about the initiative can be found on the StopBadware blog, in their press release, or you can dive straight into the report here.

Source:- http://nakedsecurity.sophos.com

Related articles

• Best practices for reporting malicious URLs (nakedsecurity.sophos.com)
• Stopping Badware (blacknight.com)
• Sophos: New malicious URLs appear every half-second (thetechherald.com)
• Google warns on ‘unsafe’ websites (firstrate.co.nz)

Image via Wikipedia

As many North Americans return to their offices after a long Labor Day weekend, they may find something unpleasant in their email inboxes.

A malware campaign has been widely distributed over the last couple of days, using a wide variety of different subject lines and attachment names.

There’s one thing in common between all the emails, however. All of the emails use sleazy slutty language to trick red-blooded men (we assume) into open the attached file.

The many different messages claim to come from what some would euphemistically describe as online “dating” websites. Typically the emails will claim to contain photos of a young woman in her twenties, who isn’t fussy about what kind of man she would like to hook up with (some say ages “between 21-99″ are fine).

As mentioned above, the subject lines and attached filenames can vary widely – but there’s definitely a theme..

Sophos detects the earlier attacks as malware designed to infect Windows computers: Mal/BredoZp-B, Troj/Agent-TFW and Mal/BredoZp-ET.

And here are some examples of the latest instances we have seen, which Sophos detects proactively as Mal/Zbot-CX.

If you make the mistake of opening the attached ZIP file, and running the files within, and you’re *not* protected by Sophos, you could be infecting your computer with a Trojan horse.

Once infected, your computer could allow a remote hacker to stealing information from your PC – all because you thought some sleazy slutty photographs of a young woman had fallen in your lap.

Social engineering tricks continue to fool users into making poor decisions – remember to always think with your head, not with your trousers.

Source :- http://nakedsecurity.sophos.com

Related articles

• Sleazy slutty emails bombard inboxes, carrying malware (nakedsecurity.sophos.com)
• Inter-company invoice emails carry malware (nakedsecurity.sophos.com)
• Malware Watch: FDIC and Western Union themed emails lead to malware (zdnet.com)
• FDIC notification malware attack spammed out (nakedsecurity.sophos.com)
• Western Union money transfer email disguises Trojan attack (nakedsecurity.sophos.com)
• How a free breakfast day at McDonalds can lead to malware danger (blogoholic.in)

Facebook users are sending scary warnings to each other regarding a supposed new piece of malware spreading across the social network.

Attention!!!If you see anyone post out an application written "May God always bless this kind person below with peace, love and happiness", with your profile picture attached below, and send by your friend via Bold Text. Please DONT click "like" or "SHARE", is a spyware, and all your info at FB will be copy and reuse for other purpose. Please share this info out. Thanks......;)

The warnings are being spread rapidly by well-intentioned Facebook users, but the truth is that we have seen no evidence of any such spyware.

Our friends at Facecrooks believe they have got to the bottom of the mystery.

They have determined that rather than a genuine virus, the warning was kicked off by a Facebook application called Bold Text making over-exuberant, if not downright spammy, wall postings.

Over one million people are reported to have used the application, so clearly its self-promoting tactics are working.

If you see one of your friends reposting the warning about the ‘May God always bless..’ message then please tell them that it isn’t true that it’s a virus, and point them to this article or the information on Facecrooks.

And if you installed the Bold Text application, and aren’t enjoying the messages it is posting, you should revoke its access to your Facebook account.

It’s not the first time, of course, that Facebook users have been misled of the full facts by virus hoaxes. Most recently we have seen a bogus warning message about an Olympic Torch virus that could “burn the whole hard disc.. C of your computer”

Source :- http://nakedsecurity.sophos.com

Related articles

• ‘May God always bless..’ Facebook virus hoax spreads (nakedsecurity.sophos.com)
• Invitation Facebook warning spreads Olympic torch virus hoax (nakedsecurity.sophos.com)
• May God always bless this kind person below with peace, love and happiness (Facebook hoax) (zdnet.com)
• Son shot himself in the chest with a nail gun? It’s another Facebook chain letter (nakedsecurity.sophos.com)
• Virus Coming ! (samhindu.wordpress.com)
• eMail Etiquette-2 (graciesguide.wordpress.com)

Image via CrunchBase

The first half of 2011 was the busiest period of malware to date as increasingly sophisticated hackers set their sights on mobile devices, particularly those using Google‘s Android operating system, according to a new report.

In a report released Tuesday, the cyber-security firm McAfee said malware jumped 22 percent in the first half of this year compared with the same period last year. Google’s Android operating system was the most popular target for mobile malware developers during the second quarter, according to the report.

Hackers are setting their sights on Android, the report found, by disguising malware as legitimate apps. For example, a fake update of the popular game Angry Birds sends sensitive information about the user to the hacker who gains access to the user’s phone and downloads more malicious software, the report found.

In early March, after several malicious apps were published to the Android Market, Google said it was taking measures to help prevent additional malicious applications from being distributed and working to fix the underlying security issues. It said the malware did not affect Android versions 2.2.2 or higher.

But in a white paper released in June, the security firm Symantec noted that Google’s model for vetting apps on Android devices was “less rigorous and consequently, less secure” than Apple’s iOS platform.

Namely, Google allows attackers to anonymously create and distribute malware in the Android market and relies on Android users to make important security decisions they are often not capable of making, Symantec found.

The findings come as Americans are now buying more smart phones with the Android operating system than those running Apple’s iOS.

McAfee’s report also found an increase in fake anti-virus software for Mac operating systems, suggesting that such malware could start appearing on other Apple products, including iPhones and iPads.

The report also said cybercriminals are continuing to buy and sell bulk email address lists to send spam. For example, one million email addresses in the United States now sells for just $25, according to the report.

Source:- http://www.huffingtonpost.com

Related articles

• McAfee: Android increasingly targeted by malware authors (digitaltrends.com)
• Android now most attacked mobile OS (infoworld.com)
• McAfee says Android plagued by the most malware (news.cnet.com)
• McAfee: Android malware surges 76%, iPhone untouched (electronista.com)
• Google’s Number One! In Malware! (blogs.wsj.com)
• McAfee to Security Industry: “Are We Really Protecting Users and Companies?” (readwriteweb.com)

Google may have started to roll out verification badges for celebrities and public figures who have Google+ accounts. But, unfortunately, it’s not going to close the door to fraud on the fledgling social network.

The idea is to make it easier for members of the public to tell if they’re the person you’ve added to a Google+ circle is the real Dolly Parton, the real Britney Spears or the real Alyssa Milano.

According to a Google+ post by Googler Wen-Ai Yu about the initiative, verified accounts have a grey checkmark next to their name. Rolling your mouse over the tick, shows that it is a “verified name”.

So, for instance, Britney Spears now has a verified account on Google+ :

Whereas this unofficial Britney Spears account doesn’t:

What is far from clear is how the verification system works, and what hoops celebrities and public figures need to jump through to convince Google+ they are who they say they are. Furthermore, there are no signs yet that the system is going to be rolled out to the general public anytime soon.

It looks like it’s going to be a case of “If you are a Google employee or if you’ve got enough celebrity or social media clout, then you may be able to get verified – otherwise.. tough”.

But there’s a bigger problem.

Google+ is following in Twitter’s footsteps regarding a way to verify the accounts of public figures and celebrities.

A “Verified Account” badge only tells you that it’s the official Google+ page for that person. Importantly, it doesn’t tell you that it really was that individual that wrote the message you just read.

It won’t stop celebrity Twitter users from choosing dumb passwords, or being careless with their credentials.

Poor Britney Spears and Lady Gaga, for instance, are just a handful of the celebrities who have had their verified Twitter accounts compromised in the past.

And if Google+ does eventually roll out verified accounts to the great unwashed public, remember this. If it’s your (non-celeb) friend or family member who has their Google+ account comandeered by hackers you’ll be just as susceptible as ever to believing their posts to be true and in danger of clicking on their (potentially malicious) links.

None of this is to say that Google+’s verified account facility is a bad idea. It’s just not as much of a security fix as some folks might hope.

All it does is tell you who the account belongs to, not who posted the messages to it.

Source :- http://nakedsecurity.sophos.com

Related articles

• Why you shouldn’t trust Google+ Verified Accounts (nakedsecurity.sophos.com)
• Google+ begins verifying celebrity accounts (venturebeat.com)
• Google+ account verification begins, may be required for all (arstechnica.com)
• Google Plus Adds “Verified Accounts” (techie-buzz.com)
• Celebrity Google+rs do need steenkin’ badges (go.theregister.com)
• Google+ now verifying accounts of the famous (digitaltrends.com)

Another scam to steal Twitter users credentials is making the rounds today. The tweets being sent out read “Twitter might start to charge in October, sign this petition to keep the service free! -URL-.”

The official Twitter account, @safety, has warned people about the threat and it appears that the Twitter team is having partial success extinguishing this one. Here is an example block page I received when attempting to visit one of the URLs.

Unfortunately it did not take me long to find the original destination dressed up with several different URL shorteners. This one seems to still be making the rounds to some extent.

Remember folks, rather than click those short URLs, you can always check them over at longurl.org. If you expanded this one you would see that it eventually takes you to ltittier -dot- com, which was registered on a Chinese DNS server at three past midnight this morning.

The site is a near perfect duplicate of the real Twitter login site, and it masquerades as a message that your session has timed out. You will need to “reauthenticate” and hand over your identity to the criminals immediately.

At least one Twitter user seems to be having some fun with this and has produced her own copy of the scam… Earlier this morning @trojankitten posted “Twitter might start charging in October, a petition is picking up speed to keep it free.-URL-.”

If you click the short link, you are redirected a bit and end up on a pastie.org page that reads:

“Hi,
This is Trojan Kitten. Twitter won’t “start charging in October,” but there’s yet-another-twitter-malware, which will send tweets like these from your account, once you’re affected:

“Twitter might start to charge in October, sign this petition to keep the service free! link.here/to-malware” “Twitter is going to charge now? read this article on twitter link.here/to-malware”

And since you see the text you’re currently reading, you could’ve been affected: you clicked the link. I don’t actually blame the users. So let’s blame Twitter for its loose control on apps (in terms of security).

If you have been hit with this scam, be sure to change your Twitter password immediately and it would be prudent to log in and revoke all application API access as well.

You will need to reauthorize each Twitter enabled program as you use them, but your account will be safer for it.

Source :- http://nakedsecurity.sophos.com

Related articles

• Twitter is not charging in October, there is no petition, you’re being phished (nakedsecurity.sophos.com)
• Pictures of Osama Bin Laden phishing attack hits Twitter users (nakedsecurity.sophos.com)
• Look like you lost weight in this video? It’s a Twitter phishing attack (nakedsecurity.sophos.com)
• Avoiding Identity Theft from Phishing Scams (turbotax.intuit.com)
• Pics of Osama Bin Laden Are Finally Released – Twitter Phishing Attack (techie-buzz.com)
• Twitter finally released a “Stalkers” app? No, it’s a phishing scam (blogoholic.in)

It’s only been a few weeks since the world’s web users woke up to discover a big black bar at the top of their Google search results (introduced when Google+ was launched).

Now, some users of Google search might start seeing something else close to the top of the world’s most famous home page.

The warning message reads:

Your computer appears to be infected.
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this.

At first glance, you might be worried when you see this message and think you could be on the receiving end of a fake anti-virus attack.

After all, haven’t you been warned hundreds of times in the past to trust the anti-virus software you installed on your computer, not unexpected messages that pop up on websites you visit?

All is explained in a Google blog post, however.

Damian Menscher, a security engineer at Google, describes how he identified that infected computers were sending search traffic through proxies to the search engine. The intention of the cybercriminals behind the scheme was to modify the search results served up by Google to point to money-making pay-per-click sites instead.

In all, Google estimates that a couple of million Windows PCs may be affected around the world by the strain of malware they are hoping to warn users about. The firm says that it’s already been able to successfully warn “hundreds of thousands of users”.

Fortunately, although Google does not scan your hard drive when you search for things via google.com, it can detect the unique traffic signature from visiting infected PCs and make a pretty informed guess about your computer’s health in regard to this malware strain.

Google is hoping that the warning message will encourage users to update their anti-virus software, scan their computers and become more conscious of security issues.

I think what Google is doing should be applauded – anything which warns computer users about genuine malware threats has to be a good thing.

But, sadly and inevitably, there is the potential for cybercriminals to mimic the Google warning and direct users to dangerous downloads and scams. Of course, that isn’t a reason why Google shouldn’t warn their users, when it believes it has identified a security problem.

The danger is that many people may know what their own anti-virus software looks like when it displays a warning, but may be less familiar with how the Google warning presents itself, and where it links to.

Furthermore, Google points users to visit one of its webpages for further advice on how to fix the problem.

So, always be careful about what you search for, and the links you click on when trying to find anti-virus software.

No-one should be fooled into believing that Google’s initiative is any substitute for regular anti-virus software and sensible security practices. Google is attempting to alleviate a very specific malware issue that communicates with its infrastructure.

Google, you get my thumbs up for an imaginative idea that could help with a small part of the malware problem.

Source :- http://nakedsecurity.sophos.com

Related articles

• Google: ‘Your computer appears to be infected’ (nakedsecurity.sophos.com)
• Google senses proxy requests to warn users of malware infestation (arstechnica.com)
• Malware Affecting Google Search in Windows OS (shoutmeloud.com)
• Your Computer Appears To Be Infected, On Google Search (ghacks.net)
• Google Warns Searchers Of Windows Malware Infection (informationweek.com)
• Google Warning Virus Victims (newser.com)

Image via CrunchBase

Google has taken down over 11 million sites it has deemed “spammy.”

According to The Register, the .co.cc subdomain, owned independently by a Korean company, is not an authorized second-level domain (such as .co.uk). Google classified it as a “freehost,” meaning that it allows users to register single sites for free.

Oliver Fisher, a member of the Google Anti-Malware Team, wrote a post on the search engine‘s Online Security Blog to explain the massive take-down.

“Google’s automated malware scanning systems detect sites that distribute malware,” said Fisher. “To help protect users we recently modified those systems to identify bulk subdomain services which are being abused. In some severe cases our systems may now flag the whole bulk domain.”

The Register notes that a recent report showed that .cc had twice as many phishing attacks as any other domain extension, especially because of the .co.cc subdomain. The company that owns .co.cc says it has 11,383,746 registered domains.

As Search Engine Land points out, Google wiped out content from a freehost before. For example, the search engine banned a Polish freehost due to a large volume of spam.

Google’s been vigilant about cutting down on spam since its early days, when employees had to manually search for porn sites to filter them out of results. Recently, the site introduced a series of changes to further cut down on spam and content farms.

Source :- http://www.huffingtonpost.com

Related articles

• Google Removes More Than 11 Million .co.cc Domains From Search Results (digitizor.com)
• Google Search police strike again, send ‘cc.co’ domains into oblivion (digitaltrends.com)
• Google dumps all 11+ million .co.cc sites from its results (go.theregister.com)
• Google Delists All CO.CC Domains From Index (searchengineland.com)
• Google blocks .co.cc, attackers are now using .co.tv (sucuri.net)
• Google Removes All Sites Under .CO.CC Over Security Concerns (circleid.com)