
Bad Apple

Over half a million infected Macs.  A week later, the only removal tools were coming from independent developers.  At least Apple finally spoke up and admitted they have a malware problem.  That was only 3 days before a second threat (SabPab) was announced, and as of today there are still over 140,000 Macs out there infected with Flashback.

“But I thought Macs can’t get viruses?”

Technically speaking, the Flashback infection hitting Mac users is actually a Trojan.  This infection takes advantage of a security hole in third-party software (Java).  If you’re reading this on your Mac, please make sure you’ve installed the latest security updates from Apple.

Macs can in fact get viruses; it’s just that there hasn’t been much incentive to write them.  It all comes down to the biggest bang for the attacker’s buck, and 10 years ago everyone was still running Windows 98, browsing the web with Internet Explorer, and running no antivirus software.  That crowd of users has since migrated over to Macs, and now everyone and their grandmother has a Mac.  It seems everyone has a Facebook page too.  So you have a huge segment of users who never learned the basics about staying safe on the web, all using systems that “can’t get infected,” all using a common web page that anyone can post virtually anything to.  Hey, sounds like a crowd perfectly suited to point new infections at!

The approach to security I’ve seen many Mac users take is, well, no approach.  The common theme I see amongst many Mac users is that they were former Windows users.  They got tired of all the blue screens, viruses, and pop-ups.  They moved on to their new system that “can’t get viruses.”  What they didn’t know was that their problems would only follow them, no matter which system they used.

So now that you’re using a Mac and have a virus/Trojan/malware, what’s the plan?  Ditch your Mac and move to another platform?  Time to switch to Ubuntu?  See how silly an idea it was to think that by simply buying a Mac, you wouldn’t have issues?  It’s almost as if the things we’ve been talking about for years regarding anti-virus and best practices for web safety were right on target all along.  😉

Sitting back and waiting simply isn’t the best approach to security.  Security should be a mesh or layered approach.  We recommend the following for everyday PC users, whether it be for home or business use:


  • A current, updated/patched operating system
  • Effective, yet user-/resource-friendly antivirus
  • Anti-malware protection
  • A safer internet browser, such as Firefox or Chrome
  • An ad-blocker for your internet browser (for added security, we recommend NoScript in addition to ad-blocking)
  • Common sense
  • Keep your computer(s) behind a hardware firewall


There simply isn’t a silver bullet when it comes to security.  Much like with cars, safety improves every year.  New features are added to keep drivers safe.  It’s not just one piece of the car that helps keep its passengers safe.  It’s everything from safety belts to air bags; new tires and anti-lock brakes to crumple zones.  No matter which safety features a vehicle has though, none of them trump a safe, alert driver.  Strap on all the safety belts you want; it’s not going to do much to help you if you intentionally drive your car off a cliff (please, don’t do that).

So Mac users, it’s time to make sure you’re running a proper antivirus program.  We recommend ESET CyberSecurity for Mac.  And try not to get too mad at me for talking down about your shiny Mac.  This isn’t about ad hominem attacks.  There’s a reality here that many have been ignoring and avoiding for years.  While it’s upsetting to realize you were wrong all those years, all we can do is learn from our mistakes and move forward.

Adobe Adds Auto-Update for Flash Player

It looks like Adobe has introduced a new auto-update feature in the latest version (11.2) of Flash.


Outdated versions of third-party applications such as Flash, Acrobat Reader, Java, etc. create security holes which can be exploited.  In recent months, a Java exploit has led to over half a million infected Macs.

The new auto-update feature for Flash Player is an overdue, but much welcomed, addition.  The update prompt is one of those little pop-ups/nags that many users just close out of, and understandably so.  It’s nice to see the software finally enforce this itself, instead of relying on the end-user to install new updates.

[Warning] Virus via Fake Justin Bieber Facebook Post

The Biebs.  The Biebs.  We all love her.  This latest social engineering attack comes by way of Justin Bieber and a “video that ends his career for good.”  I guess these sorts of links are irresistible too.  It’s the guys clicking this one!  😀

Fake Justin Bieber post

We’re *all* adults, so I’m not going to blur out the middle finger.  😀  Ok, so I have to give *them* some credit on this one.  In Facebook posts, they always show the domain name – e.g. in this case, linkedin.com.  If you hover your cursor above the link though, it reveals the following:

LinkedIn redirect URL

The LinkedIn domain name is completely legitimate!  There’s actually a *flaw* of sorts in LinkedIn’s code.  The redirect?url= variable accepts any URL, as long as it begins with www.  So I’m able to enter http://www.linkedin.com/redirect?url=www.thecomputerpeeps.com and it will take you to our website.
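The open-redirect check described above, as an added example that is not LinkedIn’s code or this post’s own: it pulls the redirect parameter out of a link, reports whether the target leaves the site hosting the link, and shows an allowlist-based version of the check that would have refused the www.thecomputerpeeps.com target.  The parameter name `url` comes from the post; the allowlist and the hypothetical targets in the comments are assumptions.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample: the LinkedIn-style redirect link quoted in the post.
SAMPLE_LINK = "http://www.linkedin.com/redirect?url=www.thecomputerpeeps.com"


def redirect_target(link: str, param: str = "url") -> Optional[str]:
    """Return the raw value of the redirect parameter, or None if absent."""
    values = parse_qs(urlparse(link).query).get(param)
    return values[0] if values else None


def target_host(target: str) -> str:
    """Host of a redirect value; scheme-less values like 'www.example.com' count too."""
    if "//" not in target:
        target = "http://" + target
    # urlparse handles tricks such as 'www.linkedin.com@evil.invalid':
    # the hostname is whatever follows the last '@' in the authority.
    return (urlparse(target).hostname or "").lower()


def same_site(host: str, site_host: str) -> bool:
    """Compare two hosts, tolerating a leading 'www.'."""
    def strip(h: str) -> str:
        h = h.lower()
        return h[4:] if h.startswith("www.") else h
    return strip(host) == strip(site_host)


def is_open_redirect(link: str, param: str = "url") -> bool:
    """True when the redirect parameter points off the site that hosts the link.

    This is the weak behaviour the post describes: any 'www.' target is accepted.
    """
    target = redirect_target(link, param)
    if target is None:
        return False
    site_host = urlparse(link).hostname or ""
    return not same_site(target_host(target), site_host)


# Hardened form: instead of accepting anything that starts with 'www.',
# only follow targets whose host is on an explicit allowlist (constructed here).
ALLOWED_HOSTS = {"linkedin.com", "www.linkedin.com"}


def safe_redirect(link: str, param: str = "url", fallback: str = "/") -> str:
    """Return the redirect target only if its host is allowlisted, else a fallback path."""
    target = redirect_target(link, param)
    if target is None:
        return fallback
    if target_host(target) in ALLOWED_HOSTS:
        return target if "//" in target else "http://" + target
    return fallback
```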

Someone noticed this and realized, “hey, Facebook only shows the domain name.”  They take you off to their site and launch a screen shot of a Justin Bieber video, re-post to your Facebook wall and write a virus to your hard disk…

Fake Justin Bieber video

Well, since LinkedIn is a legit site, Facebook is going to let it slide.  Yikes!  So really, this issue begins with LinkedIn’s system.

When you see this post, mark it as SPAM…

Report scam Facebook posts as spam

Not even a week from our Social Media Frenzy workshop in Dallas and we see a new, smarter malware post.  I was discussing this with Kate Holmes, and a good way to explain this is to equate it to the flu shot.  Without people poking around and finding all of these flaws, systems would remain insecure and vulnerable to attack.

If you or anyone you know clicked on that link out there in the Facebook Feed, your system is infected (if it didn’t pop-up a quarantine notification right away).  You know the drill -> http://mycp.biz/thecomputerpeeps_eset.

Don’t forget to read our other posts that show other types of Facebook social engineering attacks.

[Warning] ANOTHER Bogus Facebook Link

This one just popped-up in the Feed a few minutes ago.  Its title is “Yeahh!! It happens on Live Television!”  Ironically enough, it’s women that are clicking on this post too, not men.  😀

Fake video post on Facebook

This one redirects you to a fake Facebook page…

Fake Facebook page

It then asks you to “Click Jaa twice to confirm”…

“Click Jaa twice” – are you kidding me? 😀

I mean, you should’ve already been able to tell this was a bogus post right away.  The website weebly[.]com lets anyone create a website, so someone signed up for videovideo1[.]weebly[.]com.  It’s just like anyone can sign up at BlogSpot or WordPress.  Asking people to click ‘Jaa’ not once, but twice – are you joking?  Is that some form of new security measure – click twice?  Sadly enough, it works on some number of people.

You know the story…install Firefox, install NoScript, use ESET Nod32 Antivirus, blah, blah, blah.  😀

I must sound like a broken record!

========================================================================

UPDATE 6/23/2011

It looks like they’ve moved their crappy little pages over to a different site.  The same scam post from yesterday is showing up with a new URL…

Bogus Facebook link

Same virus as yesterday, same bogus picture, just a new URL and a new title.

[Warning] Latest Facebook Malware Link – “r0ller c0aster”

Shocker.  The ‘0rgasm’ post on Facebook leads to a virus (Trojan).  Funny enough, it hasn’t been men that have been clicking on the link in the feed.  🙂

Here’s what the latest scam/virus/fake link looks like…

Facebook malware virus trojan scam social engineering

They’re trying to circumvent Facebook’s detection algorithm by tossing in zeros (0) for the O’s…

Trying to trick Facebook's algorithms

I don’t really feel too bad for those who clicked this (come on, isn’t this one just obvious?), but we still have to bring it to everyone’s attention.  The very nature of Facebook’s “social proof” feedback leads to people almost unconsciously clicking random links in the Facebook feed.  “Oh, I bet this is funny, it can’t be too bad.”  All it takes is one click and your system is infected.

Well, this one is a Javascript loader that pushes a Trojan onto your PC…

ESET Nod32 Blocks Javascript Loader Trojan

If you clicked the ‘r0ller c0aster’ link in the Facebook Feed and you didn’t see a notification from your antivirus software instantly, then you are infected, 100%, no doubt.  You should be running ESET Nod32.  What if an employee clicked on that link while at your store?  Your consignment software would be rendered useless until the infection was removed.  How many minutes can you go without your systems?  How many hours?  What if your backups stopped working two days ago, but you didn’t know?  Now your systems are down and you might’ve lost the last few days’ worth of data.  See how quickly one little *click* could turn into a disaster?

The interesting thing is, ESET’s database knew about this threat and Facebook didn’t.  Now, Facebook isn’t security software (not primarily), but it does perform security tasks.  They do parse new posts for known-bad URLs and will either toss up a CAPTCHA or if it’s a known-threat (according to Facebook, that is), then they’ll block the post altogether.  Maybe Facebook could/will eventually get to the point where they utilize a global threat database.

This is one of the topics we’ll be discussing this Saturday at the 2011 NARTS Conference in Dallas, TX.  There is no silver bullet.  Sure, this is technology and security programs exist, but social engineering and people trying to scam you isn’t unique to technology.  We’ll continue to show the types of posts used to dupe you into installing malware.  Just stop and look at the URL before you click.  Make sure it’s a trusted URL.  And no matter what, just start using ESET Nod32, please?  How many times are you going to see someone get infected or you yourself, end up with an infected system?

[Warning] Another Facebook Scam

This one seems to come and go, but I’ve seen a handful of people click this latest Facebook scam link.  This one is called “This Guy Took A Picture Of His Face Every Day For 8 Years.”  Here’s a screen shot of the bogus post:

Fake Facebook Post

This link takes you to a *questionable* URL – pastehtml dot com.  I am intentionally not including a direct-link there and please do not try to visit that URL.

Ok, here are some pointers on how to spot a bogus post on Facebook.  Let’s take a closer look at the actual post.  Notice the actual URL/website is visible right there on the post, before you even click anything?

Read before you click!

Right off the bat, I see pastehtml . com and I realize that is clearly a shady URL.  Does that seem like a legit website to you?  Is ‘pastehtml’ a company you do business with, a news organization, etc.?  That is how this stuff “slips by” people – clicking without reading.  When you see a post like this, you should mark it as spam.  This will help Facebook to prevent this sort of post in the future.

Facebook Post - "Mark as Spam"

This fake link will install malware on your system, so if you’ve clicked a post like this on Facebook or if you’ve seen friends/family members that have, it’s time to scan your system.  Your security program would pop-up right away, detecting this malware; if it didn’t, your security software isn’t good enough.  Also make sure you switch to Firefox so you can start using NoScript to block malicious scripts from running in the first place.

Just please stop clicking these bogus links though!  Let us know if you have any questions and don’t forget to come see us at the NARTS Conference 2011!!!  We’ll be going over topics just like this in our Online Safety class!  More info on the NARTS website.  -> http://mycp.biz/narts2011 <-

Yeah, cute pic of a puppy? It’s a virus…

Here’s another one.  Puppies ARE cute!  Another bogus link that entices people to click it.  I mean, that is a really cute puppy!  Facebook is a great resource for businesses.  That being said, it can be a breeding ground for viruses.

Facebook is social by its very nature.  Information is shared quickly, which is good and bad.  In this case, one <click> leads to a virus post sitting out there in a feed.  Then someone else sees it and goes, “Oh, well if Bill liked it, it MUST be good!” <click>

ESET Nod32 actually works

Wham, that’s when you get hit with a virus or Trojan.  Most people aren’t running ESET NOD32 though.  With ESET, it’s at least going to catch the Trojan that was downloaded to your hard drive.  It’s better just to not click links like that to begin with.  Why tempt fate?

A virus can bring down your entire business in a matter of seconds.  Once a virus (or in this case, a Trojan Downloader) is installed, your system is no longer in your control.  Networking can be rendered useless, preventing your computers from talking to one another.  Software won’t run, meaning your consignment software is dead in the water.

The extent of damage a virus can do is vast.  The damage can be so bad that at the end of the day, it’s simply not worth it to try and fix up the rest of the damage.  It ends up being quicker and more cost-effective to backup your data, erase the hard drive and reinstall Windows.  That’s not exactly fun either, so while it’s possible to recover, it comes at a cost.

It’s really easy to avoid all of this.  Here’s the checklist:

  • Use ESET Nod32 Antivirus, period.
  • Install Firefox 4 and the NoScript Add-on
  • Talk to your employees and co-workers about these silly, fake scams that float through Facebook – awareness is everything!

If you clicked on the puppy and didn’t get a prompt from your antivirus software that the threat was blocked, chances are you are infected.  I’m not saying you shouldn’t use Facebook – no need to throw the baby out with the bathwater.  I am trying to encourage and spread awareness.  We use awareness in our everyday lives to avoid pyramid schemes and sales tactics.  Let’s bring that same power to the virtual world.

Sure it’s just 0s and 1s, but this virtual stuff can end up costing you real money.

Latest Facebook Scam Link – “Tsunami/Whirlpool”

I just saw a new scam link floating through the Facebook feed.  One of my friends clicked it and it shared itself into his Feed…

Facebook tsunami scam link

This is a malicious link that downloads a Trojan (virus) to your hard drive.  If you’re fortunate enough to be running ESET Nod32, you won’t feel a thing.  🙂  ESET is nice enough to keep track of known-malicious URLs so when you click one, nothing happens and you get a nice little notification…

ESET Nod32 blocks malicious URLs

For a split second, a fake video player is displayed…just before the Trojan is downloaded…

Fake video player that actually downloads a Trojan (virus/malware)

A few key signs reveal this is a bogus site, before you even click it.  First, there is no Title info in the post, just a glimpse of the URL.  Typically, you’ll see additional content from a news site, blog, etc.  That’s not enough though.  It’s really the domain name itself.  If you’re looking for the latest, breaking news, chances are it isn’t going to come from a “.info” site named “japan earthquake update.”  For Pete’s sake, the domain was just created yesterday…

Domain registration date

The point is, there are a lot of bogus sites out there.  Think before you click.  Switching to a Mac isn’t going to enhance your awareness and increase your experience.  If you’re going to use Facebook, avoid links, period.  Go directly to news sites if you need legitimate news.  If you’re a consignment store and rely on your consignment software, clicking a link on Facebook could bring that to a screeching halt.  We’re trying to help consignment store owners navigate the Facebook terrain.

If you were one of the unfortunate people that did click that link, please contact The Computer Peeps immediately.  The first thing you’ll want to do is change your passwords, but a Trojan that has infected the system typically brings a keylogger with it, so the virus/Trojan will have to be eradicated before you can even think about using the system again.
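A feed-post triage check covering the warning signs called out on this page: digits swapped in for letters (the “r0ller c0aster” post), a host already known to be bad, a post with no title, and a domain registered only days ago (the tsunami post above).  It is an added example, not code from The Computer Peeps or from Facebook.  The lure phrases come from posts quoted on this page; the sample posts, their URLs, and their registration dates are constructed, and a real check would take the bad-host list and registration dates from a threat feed and WHOIS.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Digits commonly substituted for letters ("r0ller c0aster" -> "roller coaster").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed lists: lure phrases from posts quoted on this page, and the two
# hosts the page calls out. A deployment would use a maintained threat feed.
LURE_PHRASES = ["roller coaster", "live television", "ends his career",
                "face every day", "look at what this babysitter did"]
KNOWN_BAD_HOSTS = {"pastehtml.com", "videovideo1.weebly.com"}
NEW_DOMAIN_DAYS = 7            # anything registered this recently is suspicious
TODAY = date(2011, 3, 15)      # date of the tsunami post, per the page


def normalize(text: str) -> str:
    """Lower-case, undo digit-for-letter swaps and squash punctuation to spaces."""
    text = text.lower().translate(LEET)
    return " ".join(re.sub(r"[^a-z]+", " ", text).split())


def suspicious_signals(title: str, url: str, registered, today: date) -> list:
    """Return the reasons a feed post looks like one of the scams described."""
    reasons = []
    norm = normalize(title)
    for phrase in LURE_PHRASES:
        if phrase in norm:
            reasons.append(f"lure phrase: {phrase!r}")
            break
    # A digit glued to a letter ("r0ller") is the evasion trick, not a real word.
    if re.search(r"[a-z][0-9]|[0-9][a-z]", title.lower()):
        reasons.append("digits substituted for letters")
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        reasons.append(f"known-bad host: {host}")
    if not title.strip():
        reasons.append("no title, only a bare URL")
    if registered is not None and (today - registered).days <= NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {(today - registered).days} day(s) ago")
    return reasons


# Constructed sample feed: (title, url, domain registration date or None).
SAMPLE_POSTS = [
    ("r0ller c0aster", "http://funny-video.invalid/watch", None),
    ("", "http://japan-earthquake-update.invalid/", date(2011, 3, 14)),
    ("This Guy Took A Picture Of His Face Every Day For 8 Years",
     "http://pastehtml.com/view/x", None),
    ("City council approves new library budget",
     "https://news.example/story/1", date(2005, 6, 1)),
]


def scan_feed(posts=SAMPLE_POSTS, today: date = TODAY) -> dict:
    """Map each post URL to its list of suspicious signals (empty list = looks clean)."""
    return {url: suspicious_signals(title, url, registered, today)
            for title, url, registered in posts}
```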

======================================================

I did some digging via DomainTools and found some handy bits of info.  First, it appears the owner of this site runs his/her own name servers…

DomainTools – name server info

Do not visit the domain for the Name Servers above.  As of 3/15/2011, the domain is still active and if you access that URL, it attempts to run a JS exploit and then re-post the URL back to the Facebook Feed via Facebook Connect…

JS exploit + Facebook Connect

Ultimately, the site’s IP appears to stem from a host out of Dallas, TX…

Reverse IP / IP info

For what it’s worth, I’ve reported the offending domains + the malicious activity to the host.

Facebook & Twitter Spam

Facebook spam

According to thinq UK, Facebook was recently hit by the biggest wave of spam in its history.  What is Facebook spam?  You’ve probably clicked on one of the links that show up in the Feed.  You’ve seen them before – e.g. “OMG!  Look at what this babysitter did to this baby!” or “Guy takes a pic of his face everyday for 8 years!”  It grows exponentially.  One person clicks it, another person sees their friend clicked it (it shows up in the Feed) and so on and so on.

The thing with Facebook is, it’s a website.  It makes no difference if you’re running a Mac, Windows or Ubuntu.  You could have the best, most expensive antivirus software – it doesn’t matter.  With websites, it’s all about trickery and deception.

The only defense against it is user awareness and thinking before clicking.

The bad guys know the keywords you’re searching for.  Take for example the recent Charlie Sheen activity.  Users click links to what appear to be stories about Charlie Sheen.  They’re then greeted with pop-ups asking them to install a malware remover.  This is actually malware trying to trick you into installing it.

Everyone should be aware that malware writers have become very adept at search engine optimization to ensure their malicious links get placed on top image results returned from Google searches.

With Facebook and Twitter, it’s so easy to quickly spread a link.  If someone isn’t paying attention or is “lured” in by a thrilling tag line, they end up getting scammed.  Just the other day, an inconspicuous link started appearing in the feed.  It was supposedly an article about how a guy took a picture of his face once per day for 8 years.  Seemingly harmless, right?  Well the link led to a fake YouTube site…

Fake YouTube

The most important point for consumers is to not agree to download or run any software they do not intend to install on their machines — and to not be scared or intimidated into doing so.

The one that everyone seems to fall for is the, “see who’s viewing your profile” scam.  That’s just it, it’s a scam.  Here’s a great article on TechCrunch that details the scam.  These used to show-up on MySpace and now they’re all over Twitter and Facebook.

So how do you stop it?  The Computer Peeps recommend Firefox with NoScript.  This will prevent any malicious Javascript (such as the ones launched in the Facebook feed) from being launched.

This isn’t something software can absolutely prevent.  The key is awareness.  Be aware that the bad guys know what you’re searching for.  Be aware that people spread links unintentionally.  Unless it’s a trusted news site or an authority on the topic, watch what you click.  I’m sure it would be more exciting to have some geeky way around this, but honestly, it really does come down to awareness.

To recap:

  • Think before you click.  Is that enticing headline truly what it appears to be?  Is it worth clicking on to find out?
  • Know that no software can protect you from social engineering.  Much like in life, it’s all about experience and knowledge.
  • Make sure Windows is up to date and getting the security patches that come out on an almost-daily basis.
  • Make sure you’re running ESET Nod32 antivirus.
