NBC News Twitter account hacked with fake news of 9/11 Ground Zero attack

Sick-minded hackers have broken into the Twitter account of NBC News and posted messages claiming that there has been a terrorist attack at Ground Zero in New York.

The bogus messages claimed that Flight 4782 had been hijacked and that another plane had crashed into the site where the Twin Towers collapsed ten years ago.

Tweets from the NBCNews Twitter account

NBCNews’s Digital Officer Vivian Schiller tweeted confirming that their official account had been hacked, and asked followers not to retweet any of the offending messages:

Tweet from Vivian Schiller

In a subsequent message, Schiller confirmed that NBCNews was “working with Twitter to correct the problem and sincerely apologize for the scare that could have been caused by such a reckless and irresponsible act.”

A group calling themselves the Script Kiddies have claimed responsibility for the hack. The same group previously hijacked and defaced Pfizer’s Facebook page and broke into the Fox News Politics Twitter account to post a bogus announcement about the death of Barack Obama.

Of course it’s very serious when such a popular Twitter account has its security breached. In theory, malicious hackers could have posted a link to malware or a phishing site – rather than what appears to be sick fake news headlines about a terrorist atrocity at such a sensitive time, with the 9/11 anniversary this weekend.

It’s unclear on this occasion whether NBCNews’s Twitter password was phished, whether it was cracked through a dictionary attack or spyware, or whether the persons who run the NBCNews account made the mistake of using the same password on multiple websites.

Computer users should always choose a hard-to-guess non-dictionary word as a Twitter password, and never use the same password on multiple websites.

Twitter appears to have now suspended the @NBCNews account, presumably to stop other users from retweeting the fake news and starting a scare.

Twitter should be applauded for taking such quick action, but isn’t it time that there was better security available to accounts which have a large number of followers, or who (like media organisations) may cause public panics if someone breaks in and starts tweeting false news stories about terrorist attacks?

Twitter login username and password

Just a username/password combination isn’t enough when a social media account is an important part of your business or public image.

I, for one, would like to see Twitter and other social media sites offer an additional level of authentication for those who want to better defend their accounts. I fear that, unless that happens, we will continue to see high profile accounts hacked and brands damaged as hackers run rings around them.

Update: Christmas tree Trojan blamed for NBC News Twitter hack.


Spammers Mark 10th Anniversary of 9/11

Thanks to Vivek Krishnamurthi for contributing to this blog.

Every sensitive event is an opportunity to exploit. With this motive in the background, it is not surprising to see spammers exploit 9/11. With the 10th anniversary of the tragedy just a day away, spammers want to make the best use of this emotionally charged environment.

Here are two examples of scams that Symantec has noticed in recent days that attempt to exploit the emotional scars left by 9/11:

Figure 1: First email example exploiting 9/11

Figure 2: Second email example exploiting 9/11

The first sample tries to entice users to click a link in order to get more information about a new Justice Coin minted to commemorate the success of Operation Geronimo, in which Osama bin Laden was killed by Navy SEALs. The subject reads “September 11, 2001 remembrance.” The second sample is a survey scam that promises a $250 gift card for taking a "September 11 Survey."

Both examples are email harvesters: they want to confirm that the recipient's email account is live (which happens as soon as the recipient clicks any of the links) and to extract more information from the victim. The harvesting goes further if the victim falls for the scam, clicks a link, and then offers additional personal data in the survey or fills out the order form for the commemorative coin (Figure 3).

Figure 3: Example of "order form" for commemorative 9/11 coin

Symantec advises users to be vigilant, especially if they are tempted to respond to unsolicited or anonymous emails related to 9/11. Don’t let scammers play with your emotions and entice you to become trapped in their net. Remember: updating antispam signatures regularly helps prevent personal information from being compromised.

Apple releases update to remove DigiNotar from trusted list

Slightly less than two weeks after the first public signs of DigiNotar being compromised, Apple has revoked their certificates.

The Apple update is available for users of Snow Leopard (10.6) and Lion (10.7), but mysteriously not offered to users of Leopard or earlier versions.

After applying the update, Mac users should no longer see DigiNotar as a trusted root certificate in the Keychain Access application.

You can check for updates by clicking the Apple logo in the upper-left corner of the screen and choosing Software Update.

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.
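To confirm from the command line that the update actually took effect, here is an added example (not from the article or from Apple) that looks for DigiNotar-labelled certificates in the system roots keychain. It assumes the macOS `security` tool and the keychain path shown; the parsing is kept in its own functions so it can also be run over captured `security find-certificate -a` output.

```shell
#!/bin/sh
# Added example: check the macOS system roots keychain for DigiNotar entries
# after Apple's update. Assumes the `security` CLI and this keychain path.
SYSTEM_ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

# Read `security find-certificate -a` output on stdin and print the label
# ("labl" attribute) of every certificate whose label mentions DigiNotar.
diginotar_labels() {
    grep '"labl"<blob>=' | grep -i 'diginotar' \
        | sed 's/[[:space:]]*$//; s/.*"labl"<blob>="\(.*\)"$/\1/'
}

# Count DigiNotar-labelled certificates in a find-certificate dump (stdin).
# awk always prints a number, so the count is safe to use under `set -e`.
count_diginotar() {
    awk '/"labl"<blob>=/ && tolower($0) ~ /diginotar/ { n++ } END { print n + 0 }'
}

# Live check of the system roots keychain.
# Returns 0 if no DigiNotar root is present, 1 if one or more remain,
# and 2 when the `security` tool is unavailable (i.e. not on macOS).
check_system_roots() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found: this check only runs on macOS" >&2
        return 2
    fi
    n=$(security find-certificate -a "$SYSTEM_ROOTS" | count_diginotar)
    if [ "$n" -eq 0 ]; then
        echo "OK: no DigiNotar root certificate in $SYSTEM_ROOTS"
        return 0
    fi
    echo "WARNING: $n DigiNotar certificate(s) still present in $SYSTEM_ROOTS:" >&2
    security find-certificate -a "$SYSTEM_ROOTS" | diginotar_labels >&2
    return 1
}
```

Run `check_system_roots` after the update; note that presence is not the same as trust, so a root that is still listed may already be explicitly distrusted, which `security dump-trust-settings -s` will show.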

Apple (along with Microsoft, Google and RIM) has not released any updates for its mobile platforms.

This is an opportunity for Apple to get ahead of the competition.

It is much easier for Apple to patch its iDevices than it is for Google to fix Android, get the handset makers to apply the fixes and then convince the carriers to deploy the updates.

Apple users should apply this update as soon as they can, and hope that the other CAs the hacker claims to have compromised won’t end up in a similar situation to DigiNotar.



Nicole’s baby kicking video is a Facebook scam

A video of a baby kicking inside his mother’s pregnant belly is the latest lure being used by Facebook scammers – and judging by the number of Naked Security readers who have reported it to us, it’s spreading like wildfire.

AWESOME Video "Nicole's Baby Kicking - The Belly View - Unbelievable"
[LINK]
An amazing view of a baby kicking and moving his way out of the belly while at the beach.

There is, indeed, a real YouTube video of a heavily pregnant woman called Nicole, sunbathing on a beach. It was posted in May 2009 and has had over 3.5 million views so far.

The thing is, however, if you really want to watch the video: go to YouTube.

Don’t click on the link being spread across Facebook. Because if you do, you are taken to a third-party website which insists you have to share the link with your Facebook friends before you can watch the video clip.

Scam webpage

Bizarrely, when I visited the page from my test Facebook account it was advertising the controversial Scientology organisation. One wonders if the scammers are earning revenue by driving traffic to the page.

You should always be suspicious of links like this being shared by your Facebook friends. The safest place to watch “viral” videos is on YouTube itself (and other established video websites such as Vimeo), or you could find yourself being asked to complete money-making surveys or imparting your personal information.

If you’re a Facebook user, and want to keep up-to-date on the latest scams and threats, join the Sophos Facebook page where we have a community of more than 100,000 users discussing the issues.