Cybercriminals Catch the Olympic Fever Early On

There is no doubt that athletes all around the world are training hard to compete at the London Olympics in 2012, but cyber criminals seem to be gearing up for the event as well. Even with over 400 days still to go until the Olympics, we have already started seeing search terms related to this event returning a large number of poisoned links. As we have observed with search engine optimization (SEO) poisoning in the past, these poisoned links redirect to rogue antivirus sites.

The following are the top 10 poisoned search terms:

We have also found dozens of other poisoned search terms related to Olympics tickets, mascots, offers, and so on. Below is a screenshot of the search results for the term “london 2012 stadium diagram”; Norton Safe Web indicates that all of the first 10 links are malicious:


These URLs redirect to malicious content only when you click on the link from the search engine result page—a benign page is presented when you navigate to these links directly. We found the fake pages created by scammers to contain Olympic-related text, images, and links to other fake pages. These pages are presented to the search engine bots for indexing, and all of these images are hot-linked from reputable news sites. The presence of images on these pages suggests that these sites are being used to poison image searches as well.
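The behaviour described above (benign page on direct navigation, redirect only when the visitor arrives from a search result page, a keyword-stuffed doorway page for the crawler) is the cloaking that makes poisoned results hard to triage by hand. The following is an added example, not code from the original Symantec write-up: a small check that fetches a URL from three vantage points and flags it when the responses diverge in the way this campaign does. The function and type names (`check_cloaking`, `CloakReport`, `Fetch`) and the simulated sites are this example's own constructions; the default fetcher uses the standard library and would be used against a real URL from a sandboxed analysis host.

```python
"""Cloaking check for SEO-poisoned landing pages (added example)."""
import hashlib
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# A fetch follows redirects and returns (final_url, body). Pluggable so the
# logic can be exercised offline against constructed responses.
Fetch = Callable[[str, Dict[str, str]], Tuple[str, bytes]]

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Three vantage points a cloaked page distinguishes between: a direct visit,
# a visit arriving from a search result page, and a crawler indexing the page.
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "from_search": {
        "User-Agent": BROWSER_UA,
        "Referer": "https://www.google.com/search?q=london+2012+stadium+diagram",
    },
    "crawler": {"User-Agent": CRAWLER_UA},
}


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Real fetcher: follows redirects, returns the final URL and body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read()


@dataclass
class CloakReport:
    observations: Dict[str, Tuple[str, str]]  # profile -> (final_url, sha256 of body)
    redirect_offsite: bool  # leaves the site only when the Referer is a search engine
    crawler_differs: bool   # crawler receives different content than a direct visitor

    @property
    def suspicious(self) -> bool:
        return self.redirect_offsite or self.crawler_differs


def _host(url: str) -> str:
    return urllib.parse.urlsplit(url).hostname or ""


def check_cloaking(url: str, fetch: Fetch = urllib_fetch) -> CloakReport:
    """Fetch `url` under each profile and compare where and what each one lands on."""
    obs: Dict[str, Tuple[str, str]] = {}
    for name, headers in PROFILES.items():
        final_url, body = fetch(url, headers)
        obs[name] = (final_url, hashlib.sha256(body).hexdigest())

    requested_host = _host(url)
    stays_on_direct = _host(obs["direct"][0]) == requested_host
    leaves_from_search = _host(obs["from_search"][0]) != requested_host
    # The strong signal: the page only redirects off-site for search-referred visitors.
    redirect_offsite = stays_on_direct and leaves_from_search
    # The weaker signal: the crawler is shown a different (doorway) page.
    crawler_differs = obs["crawler"][1] != obs["direct"][1]
    return CloakReport(obs, redirect_offsite, crawler_differs)


# Constructed stand-ins for offline demonstration; no network access is needed.
def simulated_cloaked_site(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Mimics a poisoned page: benign directly, redirect from search, doorway for bots."""
    if "google.com/search" in headers.get("Referer", ""):
        return "http://rogue-av.example/scan.php", b"<html>Your computer is infected!</html>"
    if "Googlebot" in headers.get("User-Agent", ""):
        return url, b"<html>london 2012 stadium diagram olympic tickets mascots</html>"
    return url, b"<html>Welcome to our gardening club.</html>"


def simulated_clean_site(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Mimics an ordinary page that answers every visitor the same way."""
    return url, b"<html>Welcome to our gardening club.</html>"


if __name__ == "__main__":
    for label, site in (("cloaked", simulated_cloaked_site), ("clean", simulated_clean_site)):
        report = check_cloaking("http://compromised.example/index.php", fetch=site)
        print(label, "suspicious" if report.suspicious else "ok", report.observations)
```

The off-site redirect is the reliable indicator; the content comparison will also fire on legitimately dynamic pages (timestamps, per-request tokens), so treat `crawler_differs` alone as a prompt to look closer rather than a verdict, and run the real fetcher only from an isolated analysis host since the search-referred fetch follows the redirect into the rogue site.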

Below is a sample page presented to the search engine bot for indexing:

Once a user clicks on the search result link, he or she is redirected to a fake online scanner that asks the user to download rogue antivirus software:

In this case, the user is tricked into installing the rogue antivirus XP Total Security 2011, which pretends to scan the system and shows a huge list of threats to be "fixed":

During the course of the year leading up to the big event, we expect to see many more Olympics-related search terms being used by cybercriminals to push rogue antivirus software. We have already found over 300 compromised sites used in this campaign over the past week. We recommend that users stick to legitimate news sites and keep a lookout for domain names that appear to be unrelated to the news being searched for. Symantec customers are already protected from this attack with IPS, AV, and Safe Web technologies.

Bug bounties vs. black (& grey) markets

I'm just back from the fun that was HiTB Amsterdam 2011. (Plug: you should check out one of the HiTB series if you haven't yet; Dhillon and crew invariably put a good, intimate conf together).

I sat on the day 2 keynote panel on "The economics of vulnerabilities". As usual, talking about this topic was great fun and the audience asked some great questions. Predictably, the topic strayed on to black market sales as an interesting sub-discussion. With 6 people on the panel, it was hard to cover this in the detail it deserves, and I think a few important subtleties were missed. I'll try to cover some of them here.

Vulnerability reward programs do not "buy" bugs, nor do they aim to compete with the black market
Remember that the black (or grey) markets buy exploits, not vulnerabilities. The latter are just the first step towards exploits, which are hard to write on modern software. Also remember that reward programs are not buying even vulnerabilities. Typically, they are a "thank you" mechanism for talented researchers who used their skills to make things better.
Also, there's often a separation of which researchers participate where, along ethics lines; see below.

A vulnerability reward program will indirectly compete with black market sales
It's interesting to note that a reward program doesn't have to outbid dubious markets in order to have a benefit in this area. These days, there's a lot of independent rediscovery of the same vulnerabilities -- ZDI quoted 22 "collisions" for the most recent year.
So any motivation you can provide for white hats to discover vulnerabilities will inevitably kill the occasional black market vulnerability.
A quick story in support: the WebKit vulnerability used by VUPEN to pwn Safari at this year's pwn2own competition was independently reported to the Chromium project by researcher Martin Barbella. Thanks to Inferno's lightning-quick fix, Chrome entered pwn2own without that bug. Martin, of course, received a $1000 Chromium Security Reward (on top of all his others).

Black / grey market sales are a dangerous alternative to consider
Each researcher has to set their own ethics, of course. Hopefully, most of us get into this industry to make users safer and software more secure. Aside from reward programs and ZDI, there are also a large number of well-paid security jobs sponsored by corporations, so there is no need to start selling exploits to feed the family.
If you sell an exploit to someone, it's basically going to be used to exploit end users of the software. This could harm a lot of people if the target is mass malware for financial gain. Or it could seriously harm some targeted individuals if a government of dubious human rights commitment gets their hands on it.

"Credit", whilst important, is not a full replacement for a monetary reward
To be clear about it: if you launch a vulnerability reward program, you will receive more vulnerability reports from a wider range of researchers. The power of credit and prestige is often cited as an argument to not launch a reward program, but the fact remains that you will get more reports if you have a program in place. And as long as you have a culture of fixing security bugs promptly, your users will be safer thanks to having a reward program.

Dear Apple: Welcome to team anti-malware

It was brought to my attention today that you’ve now published a knowledge base article explaining how to remove the prolific MacDefender fake security software and its various iterations.

While I cannot speak on behalf of an entire industry, I think all of us welcome you with open arms to the team tasked with helping the computer-using community stay safe online.

I have to admit though, I am a bit confused by your terminology.

You state in your article:

“A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus.”

In our business phishing has a very specific definition. According to Wikipedia the agreed upon definition of phishing is:

phish·ing /ˈfiSHiNG/
Noun: The fraudulent practice of sending e-mails purporting to be from legitimate companies in order to induce individuals to reveal personal information, such as credit-card numbers, online.

We have observed that most users are being infected through malicious web pages that are turning up in Google Image searches. The malicious web pages display a fake security scanner convincing the victim to load a program that is in fact malware.

While I can see how you might consider this to be a phishing attack, we usually use that term when the attack is purely social and is trying to acquire your credentials. If it involves social engineering and malicious code we call it a Trojan.

Wikipedia defines a Trojan as:

“A Trojan horse, or Trojan, is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but (perhaps in addition to the expected function) steals information or harms the system.”

It is also a bit strange that you don’t recommend that people run an anti-virus program when they have been infected or attacked by malicious code. Perhaps it might be prudent to refer people encountering malware on their Macs to your documentation?

It’s great to have you as a partner in our fight against cybercrime, and we hope you continue your commitment to keeping your customers safe online.

Be cautious, question everything and enjoy your internet experience.

Update: As happens, I didn’t consider that Wikipedia is a moving target, so choosing them for definitions wasn’t the smartest thing I’ve done. The quotes above were true at the time of writing.

Jason Allen / Amy Allen virus hoax spreads on Facebook

A new virus hoax is spreading on Facebook, shared by well-intentioned users who believe they are warning their friends and family about a threat – but, in reality, are just adding to the noise.

Messages being shared across Facebook warn users not to add as a Facebook friend people called “Jason Allen” or “Amy Allen”.

IF SOMEONE WITH THE NAME JASON ALLEN OR AMY ALLEN TRIES TO ADD YOU..DO NOT ACCEPT.IT IS A VIRUS.

Here are some of the versions of the chain letter message we have seen:

ATTENTION ALL FACEBOOK USERS;IF SOMEONE WITH THE NAME JASON ALLEN OR AMY ALLEN TRIES TO ADD YOU..DO NOT ACCEPT.IT IS A VIRUS.TELL EVEYBODY BECAUSE IF SOMEONE ON YOUR LIST ADDS THEM YOU WILL GET THE VIRUS TOO.COPY PASTE AND RE-POST THIS.THIS HAS BEEN CONFIRMED BY FACEBOOK SNOPES..

HEADS UP EVERYONE
ATTENTION !!!ATTENTION !!! ATTENTION !!! ATTENTION ALL FACEBOOK USERS**... DO NOT ADD *JASON ALLEN*, ALSO IF SOMEBODY CALLED *AMY ALLEN* ADDS YOU, DON'T ACCEPT... IT IS A VIRUS. TELL EVERYBODY, BECAUSE IF SOMEBODY ON YOUR LIST ADDS THEM, YOU GET THE VIRUS TOO. **COPY AND PASTE AND PLEASE RE POST* THIS HAS BEEN CONFIRMED BY FACEBOOK AND SNOPES

The truth is that this is a hoax. You’re not really doing others a favour at all if you post or forward the warning to other Facebook users. It’s just the latest example of the many hoaxes we have seen spreading over the internet for some years. Just last month we saw a very similar virus hoax spreading on Facebook, but using the names Jason Lee and Linda Smith rather than Jason and Amy Allen.

If you think about it, a warning about Facebook users called “Amy Allen” and “Jason Allen” isn’t actually that helpful. After all, just imagine how many people have names like that! And if users called that weren’t up to no good, and saw the warning being spread about them, wouldn’t they just change their online names?

Furthermore, according to the warning, Facebook is said to have confirmed the threat. If that’s true, then precisely where has Facebook confirmed it? Why is there no link in the warning where people can discover more about the threat?

Remember to always get your computer security advice from a computer security company. Friends may be well-intentioned in passing on warnings, but it’s always good to check your facts before forwarding them any further.

If you want to learn about the real threats on Facebook you should join the Sophos Facebook page, where we’ll keep you up-to-date on the latest rogue applications, scams and malware attacks threatening social network users.