Fake-Alert Scams Growing Again

Fake-alert Trojans, also known as scareware, fool consumers by claiming imaginary threats, and insisting its victims purchase a product to repair the “infected” systems. They exist in Windows and Macintosh environments.
In my recent report explaining this threat, I included a table showing the approximate number of scareware products with their known release dates:

After receiving some requests to update this table, I created a new chart by compiling data from the web. This chart shows a significant increase for the first quarter of 2011, after a drop-off in 2010.

Curious to explain this spike, I discovered its origin: fake-alert products from South Korea. Next, a quick search showed most of the associated websites were rated in red by SiteAdvisor.

Looking into the McAfee Labs web threats databases, I discovered that many of these “new” products, at least as seen in Europe and the United States, were not necessarily new. They included products that appeared between 2009 and today (72 in 2010, and only 31 during the first quarter of this year). Among them, a family I named the boan was the most widespread.

Using these dates, we now have a more accurate chart–showing the number of scareware products with known release dates.

Although the latest numbers are less alarming, these figures demonstrate that scareware are still a major threat on the Net.

Square Enix confirms website hack, email addresses and resumes stolen

Deus Ex Human RevolutionResumes of job hunters and email addresses of video game fans have been stolen by hackers in an attack on the Eidos and “Deus Ex: Human Revolution” websites.

Square Enix, the parent company of Eidos, confirmed the hack in a PDF press release. (Why do companies publish their press releases as PDFs, anyway? That’s just daft.)

Here’s part of the statement from Square Enix:

Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again.

Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates.

There are two main risks here.

One threat is that if your email address is one of the 25,000 that has been stolen, you could receive a scam email (perhaps containing a malicious link or attached Trojan horse) that pretends to come from a video game company. After all, the hackers know that you’re interested enough in video games to give your email address to Eidos.

Secondly, the resumes from job hunters. This is a more serious problem. Just think of all the personal information you include on your CV: full name, date of birth, email and home address, telephone number, job history. This kind of information is a god-send to identity thieves interested in defrauding internet users.

So, it seems Sony is not the only video game company to be having problems with its computer security.

Lets hope the continuing stream of stories of companies having customer data stolen from them makes them take security more seriously in the future.

More information about the hack can be found on the KrebsOnSecurity blog.

Android market affected by SMS Trojans

According to a report by AegisLab, Android Market has been hit by another malware incident, with a number of SMS-sending Trojans published by unknown attackers. The incident was not as serious as the one in March when over 50 apps were affected by the Droid Dream malware, although any attack affecting Android Market should be regarded as very serious.

The latest batch of malicious applications are purported to be developed by a legitimate Android developer Zsone. However, it seems that the legitimate applications from the same developer have a version number different than the malicious versions.

When one of the malicious applications is installed on the device, an SMS message will be sent to one of a range of premium rate numbers. The numbers are different depending on the application. The attack targets mobile devices in China since the SMS subscription service numbers used are only available from Chinese mobile network providers.

Sophos has received several applications with the SMS sending functionality, including iCalendar, iMine and iMatch. The malicious versions of the applications I have seen come with the version number 1.1.0.

The most interesting characteristic of the latest set of Trojanized applications is the fact that a special Broadcast receiver is used to inspect all new SMS messages received on the device.

If the application receives an SMS message from the number which was previously used to register the phone for services the Broadcast receiver attempts to abort the broadcast using the AbortBroadcast function. This method could prevent other SMS applications from processing the message.

The obvious intention of the code is to hide the fact that the device is receiving messages from subscription based services and make the user unaware that they have been losing money.

The latest Android incident shows that applications installed directly from the Google market could still be affected by malware.

In an ideal world, Android apps should not be allowed to be self-signed and only allowed keys certified by trusted authorities. Although this measure would not prevent malicious applications it would help with tracing the originators of rogue apps.

Having two classes of applications, signed by certified keys and self-signed, would allow developers of Android OS to limit the capabilities available to self-signed applications. For example, self-signed apps should not be able to send SMS messages. Perhaps this measure would not be a silver bullet but it would certainly be a welcome sign that Google is taking Android security more seriously.

Sophos products are detecting malicious SMS sending Android applications as Andr/AdSMS.

Internet security and privacy startup has its fan page shut down by Facebook.. again

CocoonAn internet startup, which develops a security and privacy tool and regularly comments on Facebook safety issues, says its own Facebook fan page has been shut down, for a second time.

The Cocoon service is a plugin for the Firefox web browser that aims to force an encrypted connection to the internet, preventing sites from tracking your movements and shielding your computer from internet threats.

But today it’s Facebook fan page reportedly disappeared.

Cocoon blog

That’s pretty frustrating for a firm trying to build awareness about its products. What must be especially galling is that something similar happened a month ago.

It’s just a few weeks since Scam Sniper and The Bulldog Estate, two other Facebook fan pages, with a focus on raising awareness on security issues were removed without a good explanation from the social network.

Understandably, firms and organisations don’t feel too great about having the rug pulled from beneath their feet without at the very least being informed as to why the decision was made, and the folks behind Cocoon have been using Twitter to encourage others to ask Facebook what’s going on.

Get Cocoon

@ @ They just removed our fan page for the second time… I assume they can do this at whim. Good business model…

Hopefully it’s an innocent mistake by Facebook, and they didn’t deliberately shut down a page which puts lots of effort into sharing information with other users about scams and attacks spreading across the network.

As a rule, I believe much more in cock-ups than conspiracies.

If you’re a regular user of Facebook, be sure to join the Sophos Facebook page to be kept informed of the latest security threats.

Update: Good news! The GetCocoon Facebook fan page has been restored.

Get Cocoon

@ Thank you Graham! Our page is back up now! It is great that we can count on #security peeps like you 🙂