Hacked

It;s getting to the point where botnets are smarter than people: TrendLabs Malware Blog reports that a new component of the Koobface botnet automated the tasks of registering a Facebook account, confirming a Gmail email address to activate the account, joining random groups, adding friends and posting messages to friends' walls. When it learns how to blog, this blogger intends to raise the white flag.

The profiles are complete with details including photos, birth dates, favorite music and favorite books, and every false account generated is unique, according to TrendLabs. Messages posted through Facebook's wall contain links that lead to the usual fake Facebook or YouTube page hosting the Koobface loader component.

The moral of the story: If you don't know them, don't friend them.

Hello, we hereby announce that we have officially hijacked your Facebook group. This means we control a certain part of the information about you on Facebook. If we wanted, we could make you appear in a bad way, which could damage your image severely.

If a Facebook group you belong to displayed that message, your group was hijacked by an organization that calls itself Control Your Info, which claims that it will do no harm and only wants to point out a flaw in Facebook's group-administration policies, CNET reported.

According to Control Your Info, if a group administrator steps down, anyone can take over, view members' personal information and change group information, CNET reported.

Control Your Info representative Janis Roukkos wrote that his organization wants to get social-networking users to "think about the safety in your social-media life to the same extent you do in your real life," adding that Control Your Info will restore the group name (which it changed) and leave the group "by the end of next week" and promising not to "mess anything up," according to CNET.

Not surprisingly, Facebook users were not amused. A post on one hijacked group read:

I was just reading your Website. So this is your way of educating us about the dangers of social media? Hijacking a dead person's Facebook group is your idea of a public service? Bullshit.

I have an idea: What if I teach you about traffic safety by running you over with my car? Is that how this works?

Another day, another phishing trip: Graham Cluley reports on the Sophos blog that direct messages on Twitter that read, "hi. this you on here? http://blogger.djh****.com" (characters intentionally obscured by Cluley), link to what appears to be a legitimate Twitter log-in page and, when users "log in," the Twitter fail whale "over capacity" message appears.

Cluley wrote:

However, this is a phishing page, designed to grab your Twitter user name and password as soon as you enter them. In this case, the cybercriminals don't even seem to have made much effort to hide the fact that the site is dodgy—the domain name they have chosen doesn't look anything like twitter.com and should stick out like a sore thumb to anyone who cares to take a moment to see where they've ended up.

When I visited the page, I was then slingshot to another webpage on Blogspot.com claiming to belong to a blogger called NetMeg99. It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Webpage did also try to phish for credentials at one point.

Sophos suggested that victims immediately change their passwords for Twitter and any other sites where the same log-ins are used.

Beware any emails from The Facebook Team and email address service@facebook.com, as security firm MX Labs reported that a new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, and the Facebook information is spoofed, according to CNET.

The email contains an attachment, Facebook_Password_4cf91.zip, which includes the file Facebook_Password_4cf91.exe (according to MX Labs, the element between the underscore and .zip is made up of randomly chosen letters and numbers for each recipient), and when users download the file, Trojan horse Bredolab executes Internet files such as bogus anti-spyware software, CNET reported.

M86 Security added that Bredolab also downloads a bot called Pushdo, which immediately starts "spamming out more of these Facebook password reset e-mails," according to CNET.

A Facebook spokesman told CNET:

This virus is being distributed through email, not on Facebook. The email is disguised as a Facebook password-reset email with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page.

Facebook advised users to be suspicious of unexpected emails supposedly originating from the social-networking site and said it would never send a new password as an attachment, CNET reported.

Even the old gray lady of journalism, The New York Times, isn't immune from malware. NYTimes.com was a victim this past weekend, AllThingsD pointed out.

According to AllThingsD, the site was likely hijacked by a malware scammer trying to bait users into installing fake anti-virus software. To its credit, the Times quickly posted a warning on its site.

MediaMemo reader Tim Minter told AllThingsD:

The ad hijacked my computer. Say I'm reading an article (the Clean Water Act was the one that caught me). It then redirects my browser involuntarily to sex-and-the-city.cn. That site then redirects to the ad I screen-captured. At no time did I click anything. That's what is so nefarious about this malware. Thankfully, since I run OS X, I knew immediately it was malware (seeing Windows XP on a Mac where that's not installed is suspicious).

The warning from the Times:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.

Twitter Operations' John Adams claimed that the social-networking site patched a bug that allowed U.K.-based search-engine-optimization expert Dave Naylor to insert JavaScript code into tweets where application developers would normally link to product Websites, but TechCrunch and Naylor both say: Not so fast.

Naylor apparently duplicated his feat from Tuesday, creating a dummy Twitter account and inserting code that prompts a dialog box to pop up when accessed through the Twitter Website. TechCrunch reports that Twitter never got in touch with Naylor after he reported the issue, instead attempting to repair it on its own.

Naylor wrote on his blog:

With a few minutes' work, someone with a bit of technical expertise could make a Twitter "application" and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets and they are logged in to Twitter, their account could be taken over.

Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic Website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another Website for someone to use at their leisure.

A boxing-promotion company owned by Roy Jones Jr., Square Ring Promotions, is looking to score a technical knockout against live-video-streaming service Ustream, alleging in a copyright-infringement lawsuit that Ustream is guilty of "massive and blatant copyright infringement" for permitting 2,377 users to view a broadcast of the March 21 fight between Jones and Omar Sheika without paying, TechCrunch reported.

The suit also claimed that Ustream ignored repeated requests by Square Ring to gather more information and detailed Square Ring's attempts to protect the event from piracy.

From the lawsuit:

Following the illegal exhibition of Plaintiff's Copyrighted Broadcast on USTREAM's website on March 21, 2009, notifying Defendants of the copyright and trademark infringements and, in a good faith effort to avoid litigation, requested information pursuant to Rules 26 and 34 of the Federal Rules of Civil Procedure. Plaintiff's letter further advised Defendants that, to Plaintiff's knowledge, they permitted approximately 2,377 users to view Plaintiff's pay-per-view program completely free of charge, in violation of Plaintiff's rights. To date, Defendants have neither complied with Plaintiff's request nor responded to Plaintiff's letter.

Ustream told TechCrunch:

Ustream is serious about complying with the copyright laws and the Digital Millennium Copyright Act and we're aggressively taking short- and long-term steps to work with the content industry to meet their needs. We believe the Square Ring lawsuit does not have merit and that we're fully protected by the Digital Millennium Copyright Act Safe Harbor provisions.

According to a post by Twitter co-founder Biz Stone on the Twitter blog, the social-networking site's issues with this week's denial-of-service attacks aren't quite over yet.

TechCrunch reported on a post from the mailing list for Twitter's application-program-interface team, which read, in part:

As you know all too well, Twitter, among other services, has been getting hit pretty hard with a DDoS attack over the past 24+ hours. Yesterday (Thursday) we saw the attack come in a number of waves and from a number of different vectors, increasing in intensity along the way. We were able to stabilize our own service for a bit, hence Biz's post saying all was well, but that didn't mean the attacks had ceased. In fact, at around 3 a.m. PT today (Friday), the attacks intensified to almost 10x of what it was yesterday. In order for us to defend from the attack, we have had to put a number of services in place, and we know that some of you have gotten caught in the crossfire. Please know we are as frustrated as you are and wish there was more we could have communicated along the way.

continued...

A blogger from the republic of Georgia who uses the account name Cyxymu, a town in Georgia, was the apparent target of the denial-of-service attack that virtually crippled Twitter Thursday and affected Facebook and LiveJournal, Facebook chief security officer Max Kelly told CNET News.

Cyxymu has accounts on Twitter, Facebook, LiveJournal and Google's Blogger and YouTube, CNET reported.

A cached version of Cyxymu's LiveJournal page contained a message about the DoS attacks and said in Russian, "Now it's obvious it's a special attack against me and Georgians," according to CNET.

Packet Clearing House research director Bill Woodcock told The New York Times millions of spam messages were sent at about 10:30 a.m. ET Thursday containing links to Twitter and other sites, and when recipients clicked on the links, those sites were overwhelmed with requests to access their servers, adding, "It's a vast increase in traffic that creates the denial of service."

And Kaspersky Lab malware researcher Stefan Tanase told the Times:

It's unusual to see an attack on a site lasting that long. Generally there are procedures in place in case of such an attack, but unfortunately, Twitter has a long history of security-related issues, and this really shows that they are not very mature in this area yet.

continued...

The widespread outage across Gawker Media's Websites Monday was caused by a distributed denial-of-service (DDOS) attack launched by hackers, the company wrote in a blog post Tuesday morning.

CNET reported that the attacks appear to have been launched at Consumerist, which Gawker sold to Consumer Reports last year but still hosts.