Hacked

Another day, another phishing trip: Graham Cluley reports on the Sophos blog that direct messages on Twitter that read, "hi. this you on here? http://blogger.djh****.com" (characters intentionally obscured by Cluley), link to what appears to be a legitimate Twitter log-in page and, when users "log in," the Twitter fail whale "over capacity" message appears.

Cluley wrote:

However, this is a phishing page, designed to grab your Twitter user name and password as soon as you enter them. In this case, the cybercriminals don't even seem to have made much effort to hide the fact that the site is dodgy—the domain name they have chosen doesn't look anything like twitter.com and should stick out like a sore thumb to anyone who cares to take a moment to see where they've ended up.

When I visited the page, I was then slingshot to another webpage on Blogspot.com claiming to belong to a blogger called NetMeg99. It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Webpage did also try to phish for credentials at one point.

Sophos suggested that victims immediately change their passwords for Twitter and any other sites where the same log-ins are used.

Beware any emails from The Facebook Team and email address service@facebook.com, as security firm MX Labs reported that a new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, and the Facebook information is spoofed, according to CNET.

The email contains an attachment, Facebook_Password_4cf91.zip, which includes the file Facebook_Password_4cf91.exe (according to MX Labs, the element between the underscore and .zip is made up of randomly chosen letters and numbers for each recipient), and when users download the file, Trojan horse Bredolab executes Internet files such as bogus anti-spyware software, CNET reported.

M86 Security added that Bredolab also downloads a bot called Pushdo, which immediately starts "spamming out more of these Facebook password reset e-mails," according to CNET.

A Facebook spokesman told CNET:

This virus is being distributed through email, not on Facebook. The email is disguised as a Facebook password-reset email with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page.

Facebook advised users to be suspicious of unexpected emails supposedly originating from the social-networking site and said it would never send a new password as an attachment, CNET reported.

Even the old gray lady of journalism, The New York Times, isn't immune from malware. NYTimes.com was a victim this past weekend, AllThingsD pointed out.

According to AllThingsD, the site was likely hijacked by a malware scammer trying to bait users into installing fake anti-virus software. To its credit, the Times quickly posted a warning on its site.

MediaMemo reader Tim Minter told AllThingsD:

The ad hijacked my computer. Say I'm reading an article (the Clean Water Act was the one that caught me). It then redirects my browser involuntarily to sex-and-the-city.cn. That site then redirects to the ad I screen-captured. At no time did I click anything. That's what is so nefarious about this malware. Thankfully, since I run OS X, I knew immediately it was malware (seeing Windows XP on a Mac where that's not installed is suspicious).

The warning from the Times:

Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.

Twitter Operations' John Adams claimed that the social-networking site patched a bug that allowed U.K.-based search-engine-optimization expert Dave Naylor to insert JavaScript code into tweets where application developers would normally link to product Websites, but TechCrunch and Naylor both say: Not so fast.

Naylor apparently duplicated his feat from Tuesday, creating a dummy Twitter account and inserting code that prompts a dialog box to pop up when accessed through the Twitter Website. TechCrunch reports that Twitter never got in touch with Naylor after he reported the issue, instead attempting to repair it on its own.

Naylor wrote on his blog:

With a few minutes' work, someone with a bit of technical expertise could make a Twitter "application" and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets and they are logged in to Twitter, their account could be taken over.

Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic Website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another Website for someone to use at their leisure.

A boxing-promotion company owned by Roy Jones Jr., Square Ring Promotions, is looking to score a technical knockout against live-video-streaming service Ustream, alleging in a copyright-infringement lawsuit that Ustream is guilty of "massive and blatant copyright infringement" for permitting 2,377 users to view a broadcast of the March 21 fight between Jones and Omar Sheika without paying, TechCrunch reported.

The suit also claimed that Ustream ignored repeated requests by Square Ring to gather more information and detailed Square Ring's attempts to protect the event from piracy.

From the lawsuit:

Following the illegal exhibition of Plaintiff's Copyrighted Broadcast on USTREAM's website on March 21, 2009, notifying Defendants of the copyright and trademark infringements and, in a good faith effort to avoid litigation, requested information pursuant to Rules 26 and 34 of the Federal Rules of Civil Procedure. Plaintiff's letter further advised Defendants that, to Plaintiff's knowledge, they permitted approximately 2,377 users to view Plaintiff's pay-per-view program completely free of charge, in violation of Plaintiff's rights. To date, Defendants have neither complied with Plaintiff's request nor responded to Plaintiff's letter.

Ustream told TechCrunch:

Ustream is serious about complying with the copyright laws and the Digital Millennium Copyright Act and we're aggressively taking short- and long-term steps to work with the content industry to meet their needs. We believe the Square Ring lawsuit does not have merit and that we're fully protected by the Digital Millennium Copyright Act Safe Harbor provisions.

According to a post by Twitter co-founder Biz Stone on the Twitter blog, the social-networking site's issues with this week's denial-of-service attacks aren't quite over yet.

TechCrunch reported on a post from the mailing list for Twitter's application-program-interface team, which read, in part:

As you know all too well, Twitter, among other services, has been getting hit pretty hard with a DDoS attack over the past 24+ hours. Yesterday (Thursday) we saw the attack come in a number of waves and from a number of different vectors, increasing in intensity along the way. We were able to stabilize our own service for a bit, hence Biz's post saying all was well, but that didn't mean the attacks had ceased. In fact, at around 3 a.m. PT today (Friday), the attacks intensified to almost 10x of what it was yesterday. In order for us to defend from the attack, we have had to put a number of services in place, and we know that some of you have gotten caught in the crossfire. Please know we are as frustrated as you are and wish there was more we could have communicated along the way.

continued...

A blogger from the republic of Georgia who uses the account name Cyxymu, a town in Georgia, was the apparent target of the denial-of-service attack that virtually crippled Twitter Thursday and affected Facebook and LiveJournal, Facebook chief security officer Max Kelly told CNET News.

Cyxymu has accounts on Twitter, Facebook, LiveJournal and Google's Blogger and YouTube, CNET reported.

A cached version of Cyxymu's LiveJournal page contained a message about the DoS attacks and said in Russian, "Now it's obvious it's a special attack against me and Georgians," according to CNET.

Packet Clearing House research director Bill Woodcock told The New York Times millions of spam messages were sent at about 10:30 a.m. ET Thursday containing links to Twitter and other sites, and when recipients clicked on the links, those sites were overwhelmed with requests to access their servers, adding, "It's a vast increase in traffic that creates the denial of service."

And Kaspersky Lab malware researcher Stefan Tanase told the Times:

It's unusual to see an attack on a site lasting that long. Generally there are procedures in place in case of such an attack, but unfortunately, Twitter has a long history of security-related issues, and this really shows that they are not very mature in this area yet.

continued...

The widespread outage across Gawker Media's Websites Monday was caused by a distributed denial-of-service (DDOS) attack launched by hackers, the company wrote in a blog post Tuesday morning.

CNET reported that the attacks appear to have been launched at Consumerist, which Gawker sold to Consumer Reports last year but still hosts.

Sister blog AgencySpy was able to narrow down Monday's issues at Gawker Media to three possibilities.

The first possibility was a server crash, as Gawker's Nick Denton recently said traffic was higher than ever, so the likelihood of one server being taken down for maintenance and another crashing exists.

The second possibility was a massive traffic spurt to one story, but the issues surfaced Sunday, and traffic tends to be far lighter during weekends, especially during the summer.

The third possibility was a Distributed Denial of Service attack, which is roughly equivalent to "two or 10 people hitting refresh on Gawker millions of times per minute," as AgencySpy put it.

MediaChannel.org apparently experienced some issues Monday morning, as an attack by a hacker temporarily shut the site down following an appearance by editor Danny Schechter on TV show Democracy Now!.

An email from Schechter Wednesday read:

AND THAT'S THE WAY IT IS FOR US

On Monday morning, I was pleased to be a guest on Democracy Now! talking about Walter Cronkite's support for MediaChannel.org and playing clips of his criticism of the demise of journalism. It was great that Amy Goodman plugged MediaChannel and showed the Website. Unfortunately, if you have been trying to visit the site since then, you have found that our server is down.

We have, in effect, vanished.

It appears that a hacker was able to get into our database and temporarily shut us down. We are in the process of restoring our sites, upgrading security and server software, but at a cost we cannot afford. Will you help us offset some of these costs by making a tax deductible donation to keep MediaChannel going and growing, and help us improve our technical capabilities to fight off hostile hackers, before we are permanently shut down!

The site was up and running Wednesday morning.