Monday, 23 May 2011

Microsoft study asserts social engineering more common than exploitation

Microsoft study asserts social engineering more common than exploitation: "

Earlier this week Microsoft posted a blog entry showing statistics from their SmartScreen technology built into Internet Explorer (IE) 7, 8 and 9.


Their conclusions? One in every 14 downloads is malicious (of the malicious files that Microsoft is aware of) and this represents between two and five million malware attacks per day against IE users. Microsoft uses this to assert that users are falling prey to malicious downloads far more often than drive-by exploits.


While these statistics are fascinating, and very useful for those of us without the ability to collect this type of information, Microsoft is comparing apples to... nothing.


SmartScreen can only pass judgement on a file the user chooses to download through IE. It does nothing to stop an exploit against Adobe Reader, iTunes, RealPlayer, Adobe Flash, Java or some other plugin from fetching and running malicious content by itself, and Microsoft hasn't presented any data on how often such exploits are actually being used.


The purpose of their post is to point out the success of the reputation filtering Microsoft added in IE 9. While it is an interesting step forward, Microsoft's own statistics raise more questions than they answer.


Microsoft states that 90% of downloads do not trigger a warning, which implies that 1 in every 10 times I try to grab something I get a scary warning message. When I receive this scary warning message, there is a 30% to 75% chance that it is a false positive.


This reminds me of an article I wrote for Virus Bulletin last year about browser SSL certificate warnings. Considering the scary warning messages that browsers display to users and the frequency with which they are confronted with these warnings, we end up training our users to simply click through.


Users think, 'If this were truly dangerous, it would have simply been blocked, right?' Microsoft's statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.


Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?


Later in their post they claim that a typical user is presented this warning only two times per year. If that is true, that means users are only downloading 20 files per year and won't see this too often. I don't know anyone who only downloads 20 files per year.


These numbers just don't really add up.


Microsoft also points out that most of the applications triggering the warning are not Authenticode signed. While the concept of digital signatures representing trustworthiness is at the heart of many security solutions, its implementation is often flawed.


As we saw with the Stuxnet worm last year, legitimate code-signing certificates that were 'trusted' (Realtek's and JMicron's, in that case) were stolen and used by the malware authors to sign their drivers and so increase their chances of bypassing security technologies.


I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems. When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock.


Earlier this month we saw a large number of Apple Mac users falling victim to a fake anti-virus attack that required them to type their administrative password. Clearly users will jump through hoops when presented with the opportunity if they are being tricked into doing something they think they want to do.


As security experts we need to make safety online as black and white as possible. While SmartScreen is doing a great job at stopping known badware, I'm not convinced that reputation technologies that require users to make technological decisions are the right answer to the problem.

"

" The Roving Giraffe News Report " provided by Ace News

Hottest & Funniest Golf Course Video scam spreads virally on Facebook - beware!

Hottest & Funniest Golf Course Video scam spreads virally on Facebook - beware!: "

Yet another scam is spreading virally across Facebook, posing as a video in a scheme to make money for the confidence tricksters behind it.


The messages show what appears to be a thumbnail of a video showing a man standing closely behind a scantily clad woman to give her golfing advice.





The Hottest & Funniest Golf Course Video - LOL

[LINK]

Watch the Hottest & Funniest Golf Course Video Don\


Another version of the scam uses football rather than golf as the lure:




The Most Funniest & Hottest Footbal Video - Must Watch!

[LINK]

Watch the Funniest & Hottest Footbal Video - Must Watch!


The links in the messages we have seen so far have pointed to a webpage at blogspot.com, although this could - of course - be changed by the scammers in future variations.


If you make the mistake of clicking on the link in the hope that you might see a funny saucy video you will find that you have fallen straight into the scammers' trap - as your Facebook page has been updated to say that you also 'Like' the page, thus sharing it virally with all of your friends.


You will also be encouraged to complete an online survey for 'verification' purposes, which in reality only earns commission for the bad guys who kicked off the money-making scheme in the first place.


The Hottest & Funniest Golf Course Video survey


Unfortunately, when I tested the scam I found no evidence that Facebook's newly introduced security measures to intercept scams and warn of dangerous links had been effective.


How to clean up the scam from your Facebook page


If you have been unfortunate enough to have been hit by this scam, here's how you clean up.


Move your mouse over the offending entry on your Facebook page and you should see an 'X' appear in the top right-hand corner of the post. You should now be able to mark the post as spam (which will remove it from your page).


Remove the post by marking it as spam


Unfortunately, this doesn't also remove the page from the list of pages you like, so you will need to edit your profile and remove it manually. You should find it listed under 'Activities and Interests'.


Unlike the offending webpage


Be sure to remove any other pages you don't recognise in that list also.


If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.


Hat-tip: Thanks to Naked Security reader Lars for first alerting us to this attack.

"

" The Roving Giraffe News Report " provided by Ace News

Converting currency on Google can lead to malware attack

Converting currency on Google can lead to malware attack: "

One of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.


So he did what any of us would probably do. He Googled it.



215 euro to usd


Google very cleverly and kindly tells you what it believes the conversion rate to be, but you're also given a number of search results:


Euro to USD currency conversion search results


It's that final search result which is of interest to us. A quick search finds a number of other webpages which don't just use keywords related to currency conversion, but also other terms - 'dirty sexist jokes', for instance.




What is occurring here is SEO poisoning: the bad guys create webpages stuffed with popular search terms so that they rank for those queries, and when you arrive at one of them from a search engine it sends you on to a page that attempts to infect your computer.


The good news is that Sophos can offer a layered defence against this attack.


The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.


The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.


Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.
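Those three detections line up with three hops that are also visible in a web-proxy log: a search-engine referrer to the doorway page, the doorway sending the visitor on to the exploit site, and the Java plugin fetching class files from that site. The JavaScript (Node.js) below is an added example, not SophosLabs code: it reconstructs that chain per client from a log excerpt. The log format, the hostnames `doorway.example` and `kit.example` and every sample line are constructed for the example. The only assumptions about real traffic are that the Java plugin fetches archives with a `Java/<version>` user agent and that the doorway redirects by script, so the following request carries the doorway URL as its Referer.

```javascript
// Added example, not SophosLabs code. Reconstructs the SEO-poisoning chain from
// web-proxy logs: search-engine referrer -> doorway page -> exploit site ->
// Java archive fetched by the Java plugin.
//
// Constructed log format (one request per line, fields space-separated):
//   time client method url status content-type referer user-agent
// The hostnames doorway.example and kit.example are placeholders.
const SAMPLE_LOG = `
10:01:02 10.0.0.5 GET http://www.google.com/search?q=215+euro+to+usd 200 text/html - Mozilla/5.0
10:01:09 10.0.0.5 GET http://doorway.example/euro-to-usd.html 200 text/html http://www.google.com/search?q=215+euro+to+usd Mozilla/5.0
10:01:10 10.0.0.5 GET http://kit.example/in.php?id=7 200 text/html http://doorway.example/euro-to-usd.html Mozilla/5.0
10:01:11 10.0.0.5 GET http://kit.example/load.jar 200 application/java-archive http://kit.example/in.php?id=7 Java/1.6.0_24
10:03:15 10.0.0.9 GET http://www.google.com/search?q=weather 200 text/html - Mozilla/5.0
10:03:20 10.0.0.9 GET http://news.example/weather 200 text/html http://www.google.com/search?q=weather Mozilla/5.0
`.trim();

const SEARCH_ENGINE = /(^|\.)(google|bing|yahoo)\.[a-z.]+$/i;

function parseLog(text) {
  return text.split("\n").filter((l) => l.trim()).map((line) => {
    const f = line.trim().split(/\s+/);
    return {
      time: f[0], client: f[1], method: f[2], url: f[3],
      status: Number(f[4]), ctype: f[5],
      referer: f[6] === "-" ? null : f[6],
      ua: f.slice(7).join(" "),
    };
  });
}

const hostOf = (url) => new URL(url).hostname;

// Hop 1: the visitor arrived from a search-engine results page.
function isSearchReferer(ref) {
  return ref !== null && SEARCH_ENGINE.test(hostOf(ref));
}

// Hop 3: the exploit handed a Java archive or class file to the Java plugin,
// which fetches with a "Java/<version>" user agent (assumption about the plugin).
function isJavaPayload(e) {
  return /\.(jar|class)(\?|$)/i.test(e.url)
    || e.ctype === "application/java-archive"
    || e.ua.startsWith("Java/");
}

// Returns one record per reconstructed chain:
// { client, query, doorway, landing, payload }
function findPoisonedChains(entries) {
  const byClient = new Map();
  for (const e of entries) {
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const chains = [];
  for (const [client, reqs] of byClient) {
    for (const doorway of reqs.filter((r) => isSearchReferer(r.referer))) {
      // Hop 2: the doorway sent the browser to a different host; with a script
      // redirect the next request carries the doorway URL as its Referer.
      const landings = reqs.filter(
        (r) => r.referer === doorway.url && hostOf(r.url) !== hostOf(doorway.url));
      for (const landing of landings) {
        const payload = reqs.find(
          (r) => hostOf(r.url) === hostOf(landing.url) && isJavaPayload(r));
        if (!payload) continue;
        chains.push({
          client,
          query: new URL(doorway.referer).searchParams.get("q"),
          doorway: doorway.url,
          landing: landing.url,
          payload: payload.url,
        });
      }
    }
  }
  return chains;
}

// Runs the detector over the constructed excerpt; the 10.0.0.9 visit is a
// normal search click-through and must not be reported.
function run() {
  return findPoisonedChains(parseLog(SAMPLE_LOG));
}
```

`run()` returns the single chain for client 10.0.0.5 (query `215 euro to usd`, doorway, landing page and `load.jar`) and nothing for the ordinary search visit, so the output can go straight into a blocklist or a ticket rather than being matched by eye.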


Neat!


We see online criminals poisoning search engine results using blackhat SEO techniques a lot.


Fraser and Onur in our labs have written an excellent technical paper (PDF) which discusses the problem, and lifts the lid on how the bad guys are using automated kits to do their dirty work for them.


SEO poisoning technical paper



It's a great read. Check it out now.

"

" The Roving Giraffe News Report " provided by Ace News

Profile Stalkers on Facebook? Check out the viral scam that's spreading

Profile Stalkers on Facebook? Check out the viral scam that's spreading: "

Another scam is being spammed out across Facebook, tricking users into helping its spread by fooling them into believing they will discover who is secretly viewing their profile.


Using a cartoon image of what appears to be a chimpanzee looking through binoculars, the messages are being sent from other Facebook users who have already fallen into the trap of clicking on the link and following the scammers' instructions.


Clicking on the link contained inside the message (which I have obscured in the screen grab below) is a big mistake, as it takes you one step further into the criminals' trap.


Checkout your Profile Stalkers on Facebook


WICKED! Now you can see who views your facebook profile.. i saw my top profile stalkers and my EX is still creeping my profile every day


Checkout your PROFILE stalkers

[LINK]

Now you can see who stalks your profile daily


If you do click on the link you are taken to a third-party webpage which urges you to cut-and-paste some JavaScript code into your web browser's address bar. The page claims that it is your unique code to view your Top 10 Profile Spys - but it's not true at all.


Checkout your Profile Stalkers on Facebook


This trick is commonly used by scammers at the moment. Code pasted into the address bar runs inside the page you currently have open, which means it runs with your logged-in Facebook session; if you paste their code in, it will typically pass the message on to other Facebook users, including your online friends. We recently saw it deployed in a Facebook scam offering a 'Dislike' button, for instance.


Ultimately, scams like this typically end up with you being taken to a webpage which asks you to complete a survey, and the scammers earn commission for each survey completed.
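The pasted code works because a `javascript:` URL entered into the address bar executes in the origin of the page that is open, here the victim's logged-in Facebook session. The JavaScript below is an added example, not code from the original post or from the scam page: it models the address-bar paste protection a browser can apply, normalising pasted text the way the WHATWG URL parser begins (strip leading and trailing controls and spaces, remove tabs and newlines, compare the scheme case-insensitively) so that the obfuscations used to slip past a naive prefix check are still caught. `SCAM_PASTE` is a constructed placeholder in the shape of the lure; the real scam script is not reproduced.

```javascript
// Added example, not code from the original post or from the scam page.
// Models the address-bar "paste protection" a browser can apply so that text a
// tricked user pastes cannot run as a javascript: URL inside the open page
// (the logged-in Facebook session, in the scam above).

const JS_SCHEME = "javascript:";

// Normalise pasted text the way the WHATWG URL parser starts: strip leading and
// trailing C0 controls and spaces, then drop every ASCII tab, LF and CR. This
// is why "  JaVa\tScript:" is still a javascript: URL to the browser.
function normalizeForScheme(input) {
  return input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True when the browser would execute the pasted text as script in the current
// page's origin. Scheme comparison is case-insensitive per the URL spec.
function hasJavascriptScheme(input) {
  const s = normalizeForScheme(input);
  return s.slice(0, JS_SCHEME.length).toLowerCase() === JS_SCHEME;
}

// What a protected address bar does with a paste: if the text would be a
// javascript: URL, remove the scheme so what remains is treated as a search
// string (or rejected) instead of being executed with the user's session.
function sanitizePaste(input) {
  const s = normalizeForScheme(input);
  if (s.slice(0, JS_SCHEME.length).toLowerCase() === JS_SCHEME) {
    return { blocked: true, text: s.slice(JS_SCHEME.length) };
  }
  return { blocked: false, text: s };
}

// Constructed sample in the shape of a "paste this code" lure (hypothetical; the
// real scam script is not reproduced here). Mixed case, a tab inside the scheme
// and leading spaces are typical attempts to defeat a naive startsWith check.
const SCAM_PASTE =
  "  JaVa\tScript:(function(){ /* post lure to friends, then open survey */ })();";

// An ordinary paste that must pass through untouched.
const NORMAL_PASTE = "https://www.facebook.com/";

function demo() {
  return {
    scam: sanitizePaste(SCAM_PASTE),
    normal: sanitizePaste(NORMAL_PASTE),
  };
}
```

`demo().scam.blocked` is true and the returned text no longer carries the scheme, while the ordinary URL passes through unchanged. The normalisation step matters: a check that only looks for the literal lowercase prefix `javascript:` is bypassed by the tab and the mixed case in `SCAM_PASTE`, yet the browser's URL parser would still run it.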


Don't let the scammers make a monkey of you, and don't risk spreading a scam like this to your online friends.


If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.


Update: I'm reliably informed that the cartoon chimp is Curious George.

"

" The Roving Giraffe News Report " provided by Ace News