Posts Tagged ‘cybercriminals’

A couple of days ago, Trend Micro reported an attack that appeared to be targeted and that involved email messages sent through a Webmail service. Upon further investigation, Trend Micro was able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

“The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines,” Karl Dominguez, Trend Micro’s Threat Response Engineer said in a blog post.

The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

“The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field,” Dominguez opined.

The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user’s email messages to a certain email address. The email message forwarding, however, will only work during the session wherein the script was executed and will stop once the user logs off.

The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the said bug.

Dominguez said, “We analyzed the embedded crafted code before the actual email message’s content and discovered that once Hotmail’s filtering mechanism works on the code, it ironically helps inject a character into the CSS parameters to convert the script into two separate lines for further rendering in the Web browser’s CSS engine. This allows the cybercriminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail login session.”

Microsoft has already acknowledged the presence of the vulnerability and has released a security update to address the issue.
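The bug Dominguez describes is an instance of a general sanitizer failure: a filter that rewrites untrusted content can itself create the structure it was meant to remove. The following is an added example, not Trend Micro’s or Microsoft’s code and not Hotmail’s real filter; it uses a hypothetical toy CSS filter that deletes one forbidden token, shows why such a filter is not idempotent, and contrasts it with two safer designs (run to a fixed point, or reject instead of rewrite).

```python
import re

# Hypothetical toy filter, constructed for this example. It is NOT Hotmail's
# filter; it mimics the common early design of deleting a dangerous CSS
# construct (here the old IE `expression(` hook) exactly once.
FORBIDDEN = re.compile(r"expression\s*\(", re.IGNORECASE)


def strip_once(css: str) -> str:
    """Delete the first match of the forbidden token.

    Mutating the input is the mistake: deleting text can join two harmless
    fragments into the very construct the filter exists to remove."""
    return FORBIDDEN.sub("", css, count=1)


def strip_to_fixed_point(css: str) -> str:
    """Keep applying the rewrite until the output stops changing.

    A fixed point guarantees the final text contains no token that a later
    pass (or a browser's own parser) could still find."""
    while True:
        rewritten = FORBIDDEN.sub("", css)
        if rewritten == css:
            return css
        css = rewritten


def contains_forbidden(css: str) -> bool:
    """Validator used to judge a filter's output."""
    return FORBIDDEN.search(css) is not None


def is_idempotent(filter_fn, sample: str) -> bool:
    """A sanitizer's output must not change when the sanitizer runs again.
    If it does, the first pass produced structure it did not check."""
    once = filter_fn(sample)
    return filter_fn(once) == once


def reject_filter(css: str) -> str:
    """Reject rather than rewrite: return the CSS only if it is already clean.
    No transformation means no new structure can appear."""
    if contains_forbidden(css):
        raise ValueError("disallowed construct in CSS")
    return css


if __name__ == "__main__":
    # Constructed test input: the forbidden token wrapped in its own halves.
    sample = "expexpression(ression(alert(1))"
    print("strip_once      ->", repr(strip_once(sample)))
    print("idempotent?     ->", is_idempotent(strip_once, sample))
    print("fixed point     ->", repr(strip_to_fixed_point(sample)))
```

The practical check a defender can add to a test suite is the `is_idempotent` property over a corpus of inputs: any sample for which it fails marks a filter that must be replaced by a fixed-point or reject-only design.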

The next time you are prompted to enter your Facebook or Twitter password after clicking on some nice ad, make sure the location bar of the browser says ‘facebook.com’ or ‘twitter.com’. Moving beyond their favourite targets, the corporations, cybercriminals are now targeting the least secure users of all, the end consumers, notes the latest Microsoft Security Intelligence Report.

Gone are the days of alluring emails asking you to part with your bank account details to claim your million dollar prize; cybercriminals now prefer to ‘hang out’ at your favourite social networking site. According to the Security Intelligence Report — a quarterly security-related update from the world’s biggest software firm, Microsoft — social networks accounted for 84.5 percent of all attempts to steal personal data from users in December 2010.

In comparison, only 8.3 percent of all such attempts — known as phishing — occurred through social networks in January 2010. There has been an increase of 1200 percent in phishing through social networking sites, as these venues have become lucrative hotbeds for criminal activity, the report warns.

The attacks take the form of advertisements and links on Facebook and other social networks that look like legitimate marketing campaigns and product promotions but are actually just traps to steal your data. They take the form of pay-per-click schemes, false advertisements, or fake security software sales.
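The advice above to check the location bar is sound, but “does the address contain facebook.com?” is the wrong test: a phishing page can put that string in a subdomain, a path or the user-info part of a URL. The following is an added example, not part of the original post or of the Microsoft report; it shows the substring check beside a host-based check against an allow list. The allow list and the two-label domain rule are assumptions for this example (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Allow list of registrable domains where a login form is expected.
# Constructed for this example.
TRUSTED_DOMAINS = {"facebook.com", "twitter.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    Assumption: adequate for the .com names used here. Real deployments
    should use the Public Suffix List so that e.g. 'example.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_check(url: str) -> bool:
    """The substring test a hurried user (or careless script) applies."""
    return "facebook.com" in url or "twitter.com" in url


def is_trusted_login_url(url: str) -> bool:
    """Accept only HTTPS URLs whose actual host belongs to a trusted domain.

    urlsplit().hostname discards the userinfo ('facebook.com@evil') and the
    port, so only the real host is compared."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    return registrable_domain(host) in TRUSTED_DOMAINS


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, three lookalikes.
    samples = [
        "https://www.facebook.com/login.php",
        "https://facebook.com.account-check.example/login",
        "https://facebook.com@account-check.example/",
        "http://www.facebook.com/login.php",
    ]
    for u in samples:
        print(f"{u!s:55} naive={naive_check(u)!s:5} host-check={is_trusted_login_url(u)}")
```

The third sample is the one the substring check gets most wrong: everything before the `@` is ignored by the browser, so the page is served by `account-check.example` even though “facebook.com” is the first thing a user reads.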

“Social networking is on a high and cybercriminals and these sites have created new opportunities for cybercriminals to not only directly impact users, but also friends, colleagues and family through impersonation,” says Sanjay Bahl, Chief Security Officer, Microsoft India.

The ultimate aim is to get users to download and install their programs, which will then make use of the computer to spread themselves as well as to steal all kinds of data entered through the computer. Social networking viruses, Microsoft points out, are especially risky in India since the country has some 50 million (5 crore, or 4% of the population) social networking users.

Interestingly, Microsoft owns 5% of Facebook — a site whose revenues may be hit if people stopped clicking on its ads.

According to the report, the most common category of unwanted software in India was Worms, which affected 42.5 percent of all infected computers, down from 45.4 percent in the last quarter. Worms are self-replicating programs.

The second most common category in India was Misc. Trojans, which affected 33.9 percent of all infected computers, down from 34.5 percent in the last quarter. Trojans, which may also be worms, have the additional characteristic of being harmful to the user and are often used to steal data.

One of the most common ways to propagate malware through social engineering is to piggyback it on some attention-catching news event. Millions of people these days are scouring the web for the latest updates, as there are just 8 days to go until the big day, the royal wedding of Prince William and Kate Middleton, and that is what scamsters are targeting.

The royal wedding is fast becoming a major international event. As modern technology enables people worldwide to follow the young couple and the impending wedding festivities more closely than ever before, this is truly an “e-Royal Wedding!”

A new study from Norton (Symantec) shows people are flocking to follow news of the royal wedding all over the world.

In fact, 62 percent of Americans surveyed said they are likely to follow the British royal wedding, with 32 percent of those already keeping up with the royal wedding news at least every few days (some as often as once a day, or even multiple times a day!).

As the big day nears and media attention increases, people will look to online searches and outlets to keep up on all-things “Will & Kate.”

Of respondents, 38 percent will be going online for their royal wedding news; more than a quarter will be watching the wedding on a computer, laptop or mobile device, live or after the fact, and 53 percent will potentially share their thoughts about the wedding online.

Online wedding-followers and well-wishers need to be cautioned that this global event will – as other major global events have done previously – attract cybercriminals looking to capitalize on the deluge of online activity.

When searching keywords relating to this event (e.g., “middleton wedding dress idea”) in your search engine, malicious links are among the top results. And the category of malware which sits behind them hardly comes as a surprise – rogue anti-virus apps.

Here is a quick check-list for those royal wedding fans to help them steer clear of cybercriminals:

  • Think before you click – Beware of emails or links that promise “leaked” footage, offer “scandalous” pictures, or purport to have “secret” information. Cybercriminals take advantage of sensational and shocking headlines to get you to click on links that could infect your computer.
  • Go with what you know – While any site could potentially be risky, it’s best to avoid clicking on sites you’ve never heard of that show up in your search results. Stick to the official royal wedding website or go directly to reputable news sites to get the latest news and videos of the wedding.
  • Protect your computer – Use trusted security software on your computer to block threats and make sure you’re keeping it up to date.

Cybercriminals are adopting a new disguise, following last week’s “Facebook password changed” malware attack, Sophos Labs has reported.

“Computer users are discovering malicious code has been sent to their email inboxes, pretending to be a notification from Facebook that their social networking account has been used to send out spam,” said Graham Cluley, senior technology consultant at Sophos in a blog post.

A typical message reads:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.

Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it’s automatic mail notification!

Thank you.

FaceBook Service.


The attack would, perhaps, be a little more successful at fooling more people if it had gone through a grammar check and if the perpetrators had paid more attention to the fact that it’s spelt “Facebook” not “FaceBook”.

Nevertheless, there are doubtless some computer users who might be tempted to open the attached ZIP file and infect their computers with malware.

“We’ve seen similar attacks before, of course – and I imagine that cybercriminals will continue to use ruses like this when spreading their malware. Plenty of people are hooked on Facebook, and a message telling them that their password has been reset is likely to send them into palpitations and they may open the unsolicited attachment without thinking,” Cluley said.

After all, it’s not as though spam being sent from Facebook accounts is unusual.

If only more people realised that they cannot trust the “from:” address in an email, as it is so easily forged. In this case it presents itself as being from “Facebook Help” <official@facebook.com>, but in reality it could just as easily be a Hungarian hacker, a Finnish fraudster or a Serbian scammer who initiated the widespread spam attack.
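The point above, that the “From:” address proves nothing, is why mail servers record the envelope sender and the result of SPF and DKIM checks in their own headers. The following is an added example, not Sophos’s code and not a real capture: it builds a constructed message modelled on the scam quoted above (made-up addresses, hostnames and an `Authentication-Results` line; the ZIP contains a harmless placeholder) and then checks the headers a receiving server added rather than the forged display address, and looks inside the ZIP attachment for executable names.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a mail gateway would normally treat as executable content.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif")


def build_sample_message() -> bytes:
    """Constructed sample mimicking the scam quoted above. Every address,
    host name and authentication result here is made up for this example."""
    msg = EmailMessage()
    msg["From"] = '"Facebook Help" <official@facebook.com>'   # forged display From
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Spam is sent from your FaceBook account"
    # Headers the receiving mail server adds: the envelope sender and the
    # outcome of its SPF/DKIM checks. These, not From:, are worth trusting.
    msg["Return-Path"] = "<bounce@mail-relay.example.invalid>"
    msg["Authentication-Results"] = (
        "mx.example.invalid; spf=fail smtp.mailfrom=mail-relay.example.invalid; dkim=none"
    )
    msg.set_content(
        "Dear client\n\nSpam is sent from your FaceBook account.\n"
        "Your password has been changed for safety.\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes, not a program.
        zf.writestr("Facebook_details.exe", b"placeholder, not executable code")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_details.zip")
    return msg.as_bytes()


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, tolerating angle brackets."""
    return addr.strip("<> ").rpartition("@")[2].lower()


def analyse(raw: bytes) -> list:
    """Return the reasons a message looks forged or dangerous (empty = none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_hdr = msg["From"]
    from_domain = domain_of(from_hdr.addresses[0].addr_spec) if from_hdr and from_hdr.addresses else ""
    return_domain = domain_of(str(msg["Return-Path"] or ""))
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {return_domain}")

    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed")
    elif "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("no passing SPF or DKIM result")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(RISKY_EXTENSIONS):
                        findings.append(f"attachment {name} contains executable {inner}")
        elif name.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {name}")
    return findings


def is_suspicious(raw: bytes) -> bool:
    return bool(analyse(raw))


if __name__ == "__main__":
    for line in analyse(build_sample_message()):
        print(line)
```

Two design points: the envelope sender and `Authentication-Results` are only trustworthy when added by your own receiving server (a forged copy arriving from outside should be stripped at the border), and a ZIP is inspected by listing its names rather than extracting it, so nothing inside is ever written to disk.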