Fake Firefox warnings lead to scareware

Nuclear Firefox logo

Purveyors of fake security software don’t let much grass grow under their feet and continually make improvements to their social engineering lures.

While most of the talk for the past month has been their move to Mac with fake Finder pop-ups that appear to scan your computer, they haven’t stopped innovating on Windows either.

Their latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser.

Fake Firefox security alert

Internet Explorer users get the standard “My Computer” dialog that appears to do a system scan inside their browser window.

Taking advantage of detailed information about the person’s computer and software allows for a much more specific, believable social engineering attempt.

We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices.
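To show how much of this information a server can read straight out of a request, here is an added example (not code from the original post) that parses constructed User-Agent headers for Firefox on Windows, Internet Explorer on Windows and Safari on a Mac; the sample strings are made up for this illustration, not captured from the scam site.

```python
import re

# Constructed sample User-Agent headers (not taken from the original post).
SAMPLE_USER_AGENTS = {
    "firefox_windows": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0",
    "ie_windows": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "safari_mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 "
                  "(KHTML, like Gecko) Version/5.0.5 Safari/534.24",
}


def parse_user_agent(ua: str) -> dict:
    """Return the browser family, version and operating system that a server
    can read from the User-Agent header. This is exactly the information the
    scareware page branches on to pick a Firefox-, IE- or Mac-flavoured lure."""
    if "Windows" in ua:
        os_name = "Windows"
    elif "Mac OS X" in ua or "Macintosh" in ua:
        os_name = "Mac"
    elif "Linux" in ua:
        os_name = "Linux"
    else:
        os_name = "Unknown"

    # Order matters: every string here starts with "Mozilla", so the browser
    # is identified by its own product token, not by the prefix.
    patterns = [
        ("Firefox", r"Firefox/([\d.]+)"),
        ("Internet Explorer", r"MSIE ([\d.]+)"),
        ("Safari", r"Version/([\d.]+).*Safari/"),
    ]
    for name, pattern in patterns:
        match = re.search(pattern, ua)
        if match:
            return {"browser": name, "version": match.group(1), "os": os_name}
    return {"browser": "Unknown", "version": "", "os": os_name}


if __name__ == "__main__":
    for label, ua in SAMPLE_USER_AGENTS.items():
        print(label, parse_user_agent(ua))
```

The takeaway for defenders is that a browser-specific "security alert" rendered inside a web page proves nothing about the page's legitimacy, since the header that drives it is sent with every request.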

If you click the “Start Protection” button you will download the latest, greatest fake anti-virus program which will perform exactly the way you would expect a fake anti-virus program to.

It will faithfully detect fake viruses on your computer until you register it for $80 or more.

If you are a Firefox user and see a warning about viruses on your computer, you will know it is fake. Firefox does not include a virus scanner inside of it and it will only warn you about visiting malicious pages.

If you get a warning about a dangerous website from Firefox you can always play it safe… Close the browser.

Nuclear Firefox image credit: iPholio on DeviantArt

A 419 scam via snail mail

One of the researchers in SophosLabs waltzed up to my desk the other day and said:

"Would you like to see the latest 419 scam?"

“Sure!” I replied, and out of his back pocket he plucked an envelope and a neatly printed letter.

419 scam via snail mail

Yep, it’s a 419 scam via snail mail – sent via the postal service to land on your doormat rather than emailed into your inbox.

The gentleman who contacted my colleague calls himself Tim Wu, and claims to be a private investment manager based in Hong Kong.

It seems that a former client of his (who had the first name “Anderson” and came to a sticky end in a hiking accident in mainland China) didn’t leave a will, and because there is no next of kin some of his $21 million fortune could be coming to my colleague here at Sophos instead!

Snail mail

Speaking as someone who is still waiting for the three million euros that Bill Gates awarded me earlier this year, I have to admit to some skepticism.

Tim Wu is offering to split the money 50:50 with my colleague – claiming “this practice is not unusual in the banking sector here in my Country China”.

He continues:

"The other option is that the funds will revert back to the state, where it may be shared by State officials for their personal use and enrichment, I worked for that money and telling you the fact Anderson still owes me my percentage for service and naturally I deserve to have that money but cannot do it alone so me need your help."

Scams being sent out via the regular post are nothing new, of course, but they have perhaps been overshadowed by the avalanche of nuisance emails many of us receive in our email inboxes each day.

Maybe we should be encouraged that scammers are using the postal service (and presumably costing themselves some cash in the process) rather than using the more cost-effective method of spamming out the scams?

Could it be that some scammers are turning to fraud via the postal service because users have learnt to treat unsolicited emails with greater suspicion?

PBS.org hacked… LulzSec targets Sesame Street?

Update: LulzSec has made a post to pastebin.com stating they did not use SQL injection to compromise the PBS website. They claim they used a zero day exploit in Movable Type 4 and were able to compromise Linux servers running outdated kernels. They were able to further penetrate the systems by compromising administrative user accounts that used the same passwords on multiple systems within PBS.

PBS logo

In the latest politically motivated attack related to the Wikileaks saga, a group that calls themselves LulzSec has hacked the Public Broadcast Service (PBS). PBS is the American public television network most famous for the creation of Sesame Street.

PBS lulz hack

In addition to dumping numerous SQL databases through a SQL injection attack, LulzSec injected a new page into PBS’s website as seen above.

Their motive? Mayhem. They took offense to the portrayal of Bradley Manning in a segment on PBS’s Frontline news magazine program and decided to attack the broadcaster.

LulzSec posted usernames and hashed passwords for the database administrators and users. Worse, they also posted the logins of all PBS local affiliates, including their plain text passwords.

PBS affiliate database

While PBS is the victim here, the passwords disclosed for most affiliates are embarrassingly predictable.

There was absolutely no skill involved in this attack, as it used freely available tools to exploit the databases. The attackers represent nothing more than what many historically thought of as hackers: people creating chaos with no other purpose than gaining fame, irrespective of the damage caused.

The attack is nearly identical to the recent attack against SonyMusic.co.jp. LulzSec used the same tool to attack the Sony website, although far less sensitive information was disclosed in the Sony attack.

Several other databases were disclosed, some including plain text passwords, others using hashes. It is unfortunate that PBS was vulnerable to this kind of attack and even worse that so many passwords were stored in clear text. Revealing this information is criminal and there are certainly more respectable ways of disclosing flaws than exposing so many users’ passwords.
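The difference between the clear-text affiliate logins described above and a properly protected credential store is small in code terms. The following is an added example, not PBS's or LulzSec's code: a clear-text store beside one that keeps a per-user random salt and a PBKDF2-HMAC-SHA256 digest, so a dumped table no longer hands out the passwords themselves. The usernames and passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Weak store: the password itself is the record, so a database dump
# is a password list (the situation the affiliate table was in).
def store_weak(store: dict, user: str, password: str) -> None:
    store[user] = password


def verify_weak(store: dict, user: str, password: str) -> bool:
    return store.get(user) == password


# Hardened store: random 16-byte salt per user plus a slow, salted
# PBKDF2-HMAC-SHA256 digest; a dump yields only salts and digests.
ITERATIONS = 200_000


def store_hardened(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[user] = {"salt": salt.hex(), "hash": digest.hex(), "iter": ITERATIONS}


def verify_hardened(store: dict, user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iter"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    weak, hardened = {}, {}
    # Constructed sample credentials, not from any real dump.
    store_weak(weak, "affiliate01", "password1")
    store_hardened(hardened, "affiliate01", "password1")
    print("weak store dump:", weak)          # reveals "password1" outright
    print("hardened dump:", hardened)        # reveals only salt and digest
    print(verify_hardened(hardened, "affiliate01", "password1"))
```

Salting also means two affiliates who chose the same predictable password get different digests, so one cracked record does not expose the other.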

The media may have the perception that the real risk from hackers is related to cyberwar and uber-secret defense contractors, but the reality is that we all have a role to play in securing ourselves, our partners and our customers.

It appears the fallout from Wikileaks’ disclosure of diplomatic cables has not yet reached its climax, and anyone and everyone may be targeted by the vigilante justice dished out by their fans.

Whether you are related to political causes or not, an easy way to ensure you aren’t the next victim is to make sure that you protect the information you are entrusted with. Data stored insecurely is a bomb waiting to detonate. Security must be a proactive attitude because reacting is simply too dangerous.