The Dangers of Shared Devices and Exec Lounges

One of the perks of travel is access to executive lounges. One of the perks of executive lounges is that they often have VERY cool devices on display for the weary traveler to use. In the particular lounge I am currently in resides a very nifty Motorola XOOM:

As I am in Korea at the moment, the first thing I had to do was change the default language to English (which I admit took more than a few minutes), and then I decided that I would try to take a LONG stroll through the inner workings of this ‘droid. I had figured the device would be locked down to some extent and that I would have to get a bit creative…

Talk about being wrong.

I am kinda torn on the idea of shared devices. It’s great to have access to cool technology in a lounge or a store, but you would kind of hope there would be SOME kind of protection or device management/lockdown going on. Who in their right mind would log into a wide open device and use it for their private email, Twitter or Facebook, right? I think you guessed… quite a few people.

This particular XOOM (and there were several in this lounge, as well as at least one Motorola ATRIX) had what you would expect: Twitter, YouTube, Facebook and such. All of these had multiple logins with the account data saved (which I will NOT show, for obvious reasons), but in truth this was not what surprised me. Poking around, I quickly noticed that I had full access to the main account the device used:

Accessing the account settings I could have easily reset the password:

I also, however, had access to the Marketplace account billing information:

Now remember that, as I also had access to the main Gmail account (the same one the Marketplace used), I could have changed the password and begun using this account on any Android device I wanted. Marketplace app 0wnage awaits! I should also note that all the devices in this lounge used the same account.

It would have been easy to lay waste to these devices and pilfer the account they used, but I am a hacker and I have ethics. Think of the flip side.

Let this be a lesson to you road warrior travelers out there – be VERY careful when using shared devices in lounges. They are wide open. In many cases they save account information (this one did): email, social media, website logins, etc. So it might be better to avoid using them at all and wait to use your own devices. If you are going to let others use your device, lock it down!! There are quite a few apps and guides that can walk users of all levels through deploying these devices with at least some level of control.

Time to change the language from Korean to English – 5 minutes. Time to get device main account access and full info – less than 1 minute. Advice? Spend MORE than 5 minutes and learn how to manage your devices and their settings. The identity you save just might be your own.

Hottest & Funniest Golf Course Video scam spreads virally on Facebook – beware!

Yet another scam is spreading virally across Facebook, posing as a video in a scheme to make money for the confidence tricksters behind it.

The messages show what appears to be a thumbnail of a video showing a man standing closely behind a scantily clad woman to give her golfing advice.

The Hottest & Funniest Golf Course Video - LOL
Watch the Hottest & Funniest Golf Course Video Don\

Another version of the scam uses football rather than golf as the lure:

The Most Funniest & Hottest Footbal Video - Must Watch!
Watch the Funniest & Hottest Footbal Video - Must Watch!

The links in the messages we have seen so far have pointed to a webpage at, although this could – of course – be changed by the scammers in future variations.

If you make the mistake of clicking on the link in the hope that you might see a funny, saucy video, you will find that you have fallen straight into the scammers’ trap – your Facebook page has been updated to say that you also “Like” the page, thus sharing it virally with all of your friends.

You will also be encouraged to complete an online survey for “verification” purposes, which in reality only earns commission for the bad guys who kicked off the money-making scheme in the first place.

The Hottest & Funniest Golf Course Video survey

Unfortunately, when I tested the scam I found no evidence that Facebook’s newly introduced security measures to intercept scams and warn of dangerous links had been effective.

How to clean up the scam from your Facebook page

If you have been unfortunate enough to have been hit by this scam, here’s how you clean up.

Hover your mouse above the offending entry on your Facebook page and you should see an “X” appear in the top right-hand corner of the post. You should now be able to mark the post as spam (which will remove it from your page).

Remove the post by marking it as spam

Unfortunately, this also hasn’t removed the page from the list of pages you like, so you will need to edit your profile to manually remove it. You should find it listed under “Activities and Interests”.

Unlike the offending webpage

Be sure to remove any other pages you don’t recognise in that list also.

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Hat-tip: Thanks to Naked Security reader Lars for first alerting us to this attack.

Microsoft study asserts social engineering more common than exploitation

Earlier this week Microsoft posted a blog entry showing statistics from their SmartScreen technology built into Internet Explorer (IE) 7, 8 and 9.

Their conclusions? One in every 14 downloads is malicious (of the malicious files that Microsoft is aware of) and this represents between two and five million malware attacks per day against IE users. Microsoft uses this to assert that users are falling prey to malicious downloads far more often than drive-by exploits.

While these statistics are fascinating, and very useful for those of us without the ability to collect this type of information, Microsoft is comparing apples to... nothing.

SmartScreen itself is unable to prevent exploits from convincing Adobe Reader, iTunes, Real Player, Adobe Flash, Java and other technologies from downloading malicious content, and Microsoft hasn’t presented any data on how often exploits are actually being used.

The purpose of their post is to point out the success of Microsoft’s reputation filtering they added in IE 9. While it is an interesting step forward, Microsoft’s own statistics raise more questions than they answer.

Microsoft states that 90% of downloads do not trigger a warning, which implies that 1 in every 10 times I try to grab something I get a scary warning message. When I receive this scary warning message, there is a 30% to 75% chance that it is a false positive.

This reminds me of an article I wrote for Virus Bulletin last year about browser SSL certificate warnings. Considering the scary warning messages that browsers display to users and the frequency with which they are confronted with these warnings, we end up training our users to simply click through.

Users think, “If this were truly dangerous, it would have simply been blocked, right?” Microsoft’s statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.

Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?

Later in their post they claim that a typical user is presented this warning only two times per year. If that is true, that means users are only downloading 20 files per year and won’t see this too often. I don’t know anyone who only downloads 20 files per year.

These numbers just don’t really add up.

Microsoft also points out that applications triggering the warning are not Authenticode signed most of the time. While the concept of digital signatures representing trustworthiness is at the heart of many security solutions, its implementation is often flawed.

As we saw with the Stuxnet worm last year, legitimate signing certificates that were “trusted” were stolen and used by malware authors to increase their chances of bypassing security technologies.

I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems. When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock.

Earlier this month we saw a large number of Apple Mac users falling victim to a fake anti-virus attack that required them to type their administrative password. Clearly users will jump through hoops when presented with the opportunity if they are being tricked into doing something they think they want to do.

As security experts we need to make safety online as black and white as possible. While SmartScreen is doing a great job at stopping known badware, I’m not convinced that reputation technologies that require users to make technological decisions are the right answer to the problem.

Phishers Return For Tax Returns

The Income Tax Department of India recently announced that the last date for sending income tax returns for AY 2010-2011 has been extended to July 31, 2011. During 2010, phishers had plotted their phishing scams based on the tax return deadline. As the deadline for tax returns of the current financial year approaches, phishers have returned with their stream of phishing sites.

This time, phishers have spoofed the Reserve Bank of India’s Web site as a ploy for a tax refund scam. The phishing site attempts to lure users by stating that the bank will take full responsibility for depositing the tax refund into the user’s personal bank account. The user is prompted to select the name of their bank from a list of eight and to enter their customer ID and password. In this way, phishers intend to steal the confidential information of customers of several banks from a single phishing site. The following page asks for a credit/debit card number and PIN. After these details are entered, the phishing site displays a message acknowledging that the request for the tax refund has been submitted successfully, and the user is then redirected to the legitimate Web site of the Reserve Bank of India. Users who fall victim will have had their information stolen for the phishers’ financial gain.

Symantec has been in contact with the Reserve Bank of India. The bank has stated that emails sent in its name to customers have been observed asking for bank account details. The Reserve Bank has clarified that it has not sent any such email and that the Reserve Bank (or any bank) never issues communication asking for bank account details for any purpose. The Reserve Bank has also appealed to members of public to not respond to such email and to not share their bank account details with anyone for any purpose.

The phishing site used a bare IP address rather than a domain name (for example, hxxp://), hosted on servers based in St Louis, USA. The same IP was used to host phishing sites for several other Indian banks. The IP belongs to the Web site of a company that provides roofing for houses; that company’s Web server was compromised to host the phishing sites.
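The hosting detail above (a phishing page served from a bare IP address rather than a bank’s domain) is a cheap indicator a mail filter or a user-awareness tool can check for. The following is an added example, not code from the Symantec post or from any product it mentions: it pulls links out of a constructed message body, re-fangs the `hxxp://` notation the post uses, and flags any link whose host is an IPv4 or IPv6 literal. The message text and the addresses in it are invented placeholders (the IPv4 address comes from the documentation range), not indicators from the post.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample message body (not from the original post). The hosts
# are placeholders: 203.0.113.0/24 and 2001:db8::/32 are documentation
# ranges, and .test is a reserved TLD, so none of these resolve anywhere.
SAMPLE_EMAIL = """\
Dear customer, your tax refund is ready.
Claim it here: hxxp://203.0.113.45/rbi/refund/index.php
Or visit our site: https://www.example-bank.test/refund
More info: http://[2001:db8::1]/refund
"""

# Matches http(s) links as well as the defanged hxxp(s) form used in reports.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>'\"]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn the defanged 'hxxp://' scheme back into 'http://' so urlparse can read it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def host_is_ip_literal(url: str) -> bool:
    """True if the URL's host is a bare IPv4/IPv6 address instead of a domain name.

    urlparse strips the square brackets from IPv6 hosts, so ipaddress can
    parse both address families directly.
    """
    host = urlparse(refang(url)).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_ip_links(text: str) -> list:
    """Return every link in `text` whose host is an IP literal (in order of appearance)."""
    return [u for u in URL_RE.findall(text) if host_is_ip_literal(u)]


if __name__ == "__main__":
    for link in flag_ip_links(SAMPLE_EMAIL):
        print("suspicious (IP-literal host):", link)
```

Run against the constructed message, the first and third links are flagged and the domain-named link is not. A bare IP is only one signal: legitimate banks essentially never send customers to an IP address, but a phishing page can equally sit behind a registered look-alike domain, so this check belongs alongside the other best practices listed below rather than in place of them.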

Internet users are advised to follow best practices to avoid phishing attacks:
• Do not click on suspicious links in email messages.
• Avoid providing any personal information when answering an email.
• Never enter personal information in a pop-up screen.
• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.