Hottest & Funniest Golf Course Video scam spreads virally on Facebook – beware!

Yet another scam is spreading virally across Facebook, posing as a video in a scheme to make money for the confidence tricksters behind it.

The messages show what appears to be a thumbnail of a video showing a man standing closely behind a scantily clad woman to give her golfing advice.

The Hottest & Funniest Golf Course Video - LOL
Watch the Hottest & Funniest Golf Course Video Don\

Another version of the scam uses football rather than golf as the lure:

The Most Funniest & Hottest Footbal Video - Must Watch!
Watch the Funniest & Hottest Footbal Video - Must Watch!

The links in the messages we have seen so far have pointed to a webpage at, although this could – of course – be changed by the scammers in future variations.

If you make the mistake of clicking on the link in the hope that you might see a funny saucy video you will find that you have fallen straight into the scammers’ trap – as your Facebook page has been updated to say that you also “Like” the page, thus sharing it virally with all of your friends.

You will also be encouraged to complete an online survey for “verification” purposes, which in reality only earns commission for the bad guys who kicked off the money-making scheme in the first place.

The Hottest & Funniest Golf Course Video survey

Unfortunately, when I tested the scam I found no evidence that Facebook’s newly introduced security measures to intercept scams and warn of dangerous links had been effective.

How to clean up the scam from your Facebook page

If you have been unfortunate enough to have been hit by this scam, here’s how you clean up.

Hover your mouse above the offending entry on your Facebook page and you should see an “X” appear in the top right hand corner of the post. You should now be able to mark the post as spam (which will remove it from your page).

Remove the post by marking it as spam

Unfortunately, this hasn’t also removed the page from the list of pages you like, so you will need to edit your profile to manually remove it. You should find it listed under “Activities and Interests”.

Unlike the offending webpage

Be sure to remove any other pages you don’t recognise in that list also.

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Hat-tip: Thanks to Naked Security reader Lars for first alerting us to this attack.

Microsoft study asserts social engineering more common than exploitation

Earlier this week Microsoft posted a blog entry showing statistics from their SmartScreen technology built into Internet Explorer (IE) 7, 8 and 9.

Their conclusions? One in every 14 downloads is malicious (of the malicious files that Microsoft is aware of) and this represents between two and five million malware attacks per day against IE users. Microsoft uses this to assert that users are falling prey to malicious downloads far more often than drive-by exploits.

While these statistics are fascinating, and very useful for those of us without the ability to collect this type of information, Microsoft is comparing apples to. . . nothing.

SmartScreen itself is unable to prevent exploits from convincing Adobe Reader, iTunes, Real Player, Adobe Flash, Java and other technologies to download malicious content, and Microsoft hasn’t presented any data on how often exploits are actually being used.

The purpose of their post is to point out the success of Microsoft’s reputation filtering they added in IE 9. While it is an interesting step forward, Microsoft’s own statistics raise more questions than they answer.

Microsoft states that 90% of downloads do not trigger a warning, which implies that 1 in every 10 times I try to grab something I get a scary warning message. When I receive this scary warning message, there is a 30% to 75% chance that it is a false positive.

This reminds me of an article I wrote for Virus Bulletin last year about browser SSL certificate warnings. Considering the scary warning messages that browsers display to users and the frequency with which they are confronted with these warnings, we end up training our users to simply click through.

Users think, “If this were truly dangerous, it would have simply been blocked, right?” Microsoft’s statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.

Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?

Later in their post they claim that a typical user is presented this warning only two times per year. If that is true, that means users are only downloading 20 files per year and won’t see this too often. I don’t know anyone who only downloads 20 files per year.

These numbers just don’t really add up.

Microsoft also points out that applications triggering the warning are not Authenticode signed most of the time. While the concept of digital signatures representing trustworthiness is at the heart of many security solutions, its implementation is often flawed.

As we saw with the Stuxnet worm last year, legitimate signing certificates that were “trusted” were stolen and used by malware authors to increase their chances of bypassing security technologies.

I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems. When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock.

Earlier this month we saw a large number of Apple Mac users falling victim to a fake anti-virus attack that required them to type their administrative password. Clearly users will jump through hoops when presented with the opportunity if they are being tricked into doing something they think they want to do.

As security experts we need to make safety online as black and white as possible. While SmartScreen is doing a great job at stopping known badware, I’m not convinced that reputation technologies that require users to make technological decisions are the right answer to the problem.

Phishers Return For Tax Returns

The Income Tax Department of India recently announced that the last date for sending income tax returns for AY 2010-2011 has been extended to July 31, 2011. During 2010, phishers had plotted their phishing scams based on the tax return deadline. As the deadline for tax returns of the current financial year approaches, phishers have returned with their stream of phishing sites.

This time, phishers have spoofed the Reserve Bank of India’s Web site as a ploy for a tax refund scam. The phishing site attempts to lure users by stating that the bank would take full responsibility for depositing the tax refund to the user’s personal bank account. The user is prompted to select the name of the bank and enter their customer ID and password. There is a list of eight banks to choose from. In this way, phishers intend to steal the confidential information of customers of several banks from a single phishing site. The following page asked for credit/debit card number and PIN number. After these details are entered, the phishing site displays a message acknowledging that the request for the tax refund has been submitted successfully. The user is then redirected to the legitimate Web site of Reserve Bank of India. If users fall victim to the phishing site, phishers will have stolen their information for financial gain.

Symantec has been in contact with the Reserve Bank of India. The bank has stated that emails sent in its name to customers have been observed asking for bank account details. The Reserve Bank has clarified that it has not sent any such email and that the Reserve Bank (or any bank) never issues communication asking for bank account details for any purpose. The Reserve Bank has also appealed to members of public to not respond to such email and to not share their bank account details with anyone for any purpose.

The phishing site used a numbered IP domain (for example, domains like hxxp://) hosted on servers based in St Louis, USA. The same IP was used for hosting phishing sites of several other Indian banks. The IP belongs to a Web site of a company that provides roofing for houses. The IP of the company’s Web site was compromised to host the phishing sites.
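A defender can screen URLs taken from mail or proxy logs for the trait described above, a raw IP address where a hostname would normally be. The Python below is an added example, not part of the original article; the function names are hypothetical and the sample URLs are constructed using documentation address ranges.

```python
import ipaddress
from urllib.parse import urlsplit


def refang(url):
    """Undo common defanging (hxxp://, [.]) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".").replace("(.)", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def ip_literal_host(url):
    """Return the IP address used as the URL's host, or None for a named host."""
    host = urlsplit(refang(url)).hostname  # drops userinfo, port and brackets
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)  # dotted quad or IPv6 literal
    except ValueError:
        pass
    # Browsers also accept a single integer (decimal or 0x hex) as an IPv4 host.
    try:
        value = int(host, 0)
    except ValueError:
        return None  # an ordinary DNS name
    if 0 <= value <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(value)
    return None


def flag_ip_hosted(urls):
    """Return (url, ip) pairs for every URL whose host is an IP literal."""
    hits = []
    for url in urls:
        ip = ip_literal_host(url)
        if ip is not None:
            hits.append((url, str(ip)))
    return hits


# Constructed sample URLs (192.0.2.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLE_URLS = [
    "hxxp://192[.]0[.]2[.]10/rbi/refund.html",   # defanged dotted quad
    "http://3221225994/login",                   # same address as one integer
    "http://www.bank.example@192.0.2.10:8080/",  # bank name in userinfo only
    "http://[2001:db8::1]/refund",               # IPv6 literal
    "https://www.example.com/",                  # named host, not flagged
]

if __name__ == "__main__":
    for url, ip in flag_ip_hosted(SAMPLE_URLS):
        print(ip, url)
```

An IP-literal host is a triage signal rather than proof of phishing, so hits are best reviewed alongside the page content and the sending domain.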

Internet users are advised to follow best practices to avoid phishing attacks:
•    Do not click on suspicious links in email messages.
•    Avoid providing any personal information when answering an email.
•    Never enter personal information in a pop-up screen.
•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.

TinKode hacks into NASA servers, posts evidence of breach online

A hacker with a history of breaking into high profile websites to expose poor security has claimed to have broken into an FTP site belonging to NASA’s Goddard Space Flight Center, based in Greenbelt, Maryland.

The serial hacker, who calls himself TinKode and is believed to hail from Romania, posted images on the web as supporting evidence of the hack.

Previous targets to have fallen at the hands of TinKode include the Royal Navy website and which succumbed (oh, the irony!) to an SQL injection attack.

Evidence of NASA hack

TinKode is one of a new breed of hacker, courting the media and announcing his successful hacks via web postings and announcements on his Twitter account.

The good news is that the mysterious TinKode appears to be spurred on more by the desire to embarrass organisations into tightening their web security than financial motivation.

In an interview with Network World, TinKode compared his work to a free security audit:

Until now, no. I don't do bad things. I only find and make public the info. Afterwards I send an email to them to fix the holes. It's like a security audit, but for free.

Nevertheless, his actions are still against the law and he could face prosecution if brought to court. Others would be unwise to follow in TinKode’s footsteps.

Of course, prevention is always better than cure – and less embarrassing too. If you haven’t already done so, check out our free technical paper about “Securing websites”, which discusses common ways web servers are attacked and the various ways they can be protected.