Wednesday, August 7, 2013

"Hack Facebook" Site Hacks You Instead! On Blog Spam and SMS Scams

Spammers will do anything to drive traffic to their sites, from sending unsolicited e-mail to posting links on Facebook, Twitter, or Pinterest. They even try to leave spammy comments on popular news sites and blogs.

I find it somewhat amusing when spammers attempt to leave comments on my articles here at the JoshMeister on Security. Usually these attempted spam comments aren't noteworthy enough to merit any mention on this site; for example, most diet drug spam or other run-of-the-mill unsolicited advertisements. But this time, someone attempted to link to a site that supposedly allows you to "hack a Facebook account."

[Screenshot: pirater-face(dot)com, translated from French]

I've written an article (published at The Mac Security Blog on antivirus firm Intego's site) about my investigation into the various ways this site tries to scam you:

"Facebook Hacking Site" Leads to Costly SMS Scam 

In short, the site tricks wannabe hackers into sending texts to a premium SMS number (81073), which leads to charges on their next phone bill. The site may also collect login details that could later be used to try to hack into the would-be hacker's various online accounts (Facebook or otherwise), and of course once the spammers have your phone number they might also send you text message spam (or sell your number to other spammers). Be sure to read the full article for all the juicy details.

If you don't wish to ever fall victim to a premium text messaging scam, some of the most important things you can do are to avoid visiting sketchy sites, be extremely careful about giving out your mobile phone number, and don't send text messages or replies to spammers.

Some mobile phone service providers like Verizon allow you to opt out of premium text messages, or if nothing else you can dispute charges that you have received. Here are instructions for the most popular providers in the United States; please post a comment to share opt-out instructions or billing contact info for major mobile phone service providers outside the U.S.:
  • AT&T: Forward spam messages to 7726 (SPAM); call 1-800-331-0500 to dispute any charges; more info
  • Sprint: Individual short codes can be added to a block list; see the "Blocking text messages" section toward the bottom at sprint.com/premiummessaging; presumably to dispute any charges you would have to call 1-888-211-4727 to speak with a representative
  • T-Mobile (U.S.): Forward spam messages to 7726 (SPAM); more info; presumably to dispute any charges you would have to call 1-877-746-0909 to speak with a representative
  • Verizon Wireless: Premium SMS can be blocked, and this must be done for each device on your account; see the list of instructions for opting out of Premium Messaging; presumably to dispute any charges you would have to call 1-800-922-0204, or 1-888-294-6804 if you're a prepaid customer
  • Regardless of your cell phone provider, you may want to add your phone number to the National Do Not Call Registry at donotcall.gov

If you own or operate a blog or news site, what can you do to prevent spammers from leaving comments on your site? Depending on the site, you may have any of a variety of options.

The most foolproof, assuming you're good at recognizing spam and that you don't get an overwhelming volume of comments, is to enable comment moderation. This usually means that you or another site administrator, editor, or moderator will have to manually approve all new comments before they appear on your site. (In the case of the Facebook-hacking spam, the attempt to post the comment was blocked thanks to moderation being enabled. I saw the contents of the comment and was able to mark it as spam and prevent it from ever appearing on this site.)

You can also implement features such as requiring commenters to log in to a blog/comment platform, or with an OpenID. Put another way, you can disable anonymous commenting. This may not necessarily be the best option for your site or blog, depending on your content and the type of people who might be interested in posting legitimate comments. Requiring commenters to log in may deter some spammers, but it could also inadvertently scare off some privacy-conscious humans as well. (Incidentally, the Facebook-hacking spam attempt came from a logged-in Blogger/Google+ account; read the next section below for details.)

Another option is to require commenters to type the words from a CAPTCHA or a similar test to try to prove that the commenter is a human rather than an automated program (a spam bot). One potential problem with CAPTCHA-like systems is accessibility; regardless of whether you try to decipher the default visual code or listen to an audio variation for the visually impaired, some humans find the task tedious or frustrating and may avoid posting legitimate comments because of it. Furthermore, some spammers would be willing to type in a CAPTCHA to spread their spam instead of (or in addition to) using a spam bot to spray comments all over the Web.

If your blog or news site uses WordPress and you get a high volume of spam, you may consider using a WP add-on like Akismet or Bad Behavior; see also this article by F-Secure's Sean Sullivan (@5ean5ullivan) for more WordPress security and anti-spam tips.


So what about this particular spam and the person who posted it? The spammer was signed in with a Google account registered to an "Elizabeth J. Neal" (most likely not the spammer's real name). The Blogger profile URL (http://www.blogger.com/profile/01824134730760179008) redirects to a Google+ account (https://plus.google.com/117406979534609059211). The account has been submitting spammy posts linking to various dubious-looking sites since May 1, 2013 (mistakenly assuming in every post that links on Google+ are made using HTML "a href" tags, when it should have been clear after the first post that Google+ creates a link automatically whenever there's a URL in a post; this leads me to wonder whether the Google+ account is operated by a bot rather than a human).

The same account has successfully left spam comments on various blog sites in May, June, July, and August. In some cases, the spammer returned to previously spammed blogs and posted a second comment at a later date.

I blocked the Google+ profile and reported it to Google as a spam account, but so far Google does not appear to have taken any action.

The user's Google+ profile picture is in reality a photograph of Mary Killman, an American synchronized swimmer who competed in the 2012 Summer Olympics in London. (I've also reported the account to Google for celebrity impersonation, but given that the account name doesn't match the celebrity photo, I'm not sure whether Google's spam team will recognize this as a celebrity impostor.)

It's not uncommon for spammers and scammers to use photographs of other people, including celebrities; see the comments posted by "Yip Man" and myself on this Sophos article written by Graham Cluley (@gcluley) in November 2012.

Incidentally, there's a Facebook account (https://www.facebook.com/profile.php?id=100005859514726) with exactly the same name and profile photo as the Google+ account. The account was created on May 4, 2013, just a few days after the Google+ account started posting spam.

The site to which this particular spam comment attempted to link was pirater-face .com (see the Web of Trust report). This site already had a "red" rating on WOT because hpHosts blacklisted it on July 20th in its "fraudulent software and websites" category. According to URLVoid, only one other blacklist currently seems to be blocking this domain, namely Spamhaus DBL (Domain Block List).

Stay safe out there, and avoid visiting sites to which spam links!


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Friday, June 28, 2013

"Garcinia Cambogia" Spam on Twitter, Facebook, Pinterest, and Tumblr

Janne Ahlberg and Graham Cluley have reported on the latest round of diet drug spam being advertised on sites like Twitter, Facebook, Pinterest, and Tumblr.

Sites involved with this spam campaign purport to be Women's Health Magazine's site and use deceptive subdomains. The sites falsely imply endorsement by Dr. Oz by auto-playing a video segment from his television show about "garcinia cambogia extract."

The following domains have been advertised via spam bots and hacked accounts. Note that these links lead to the Web of Trust report for each site, and that some of these domains have been blacklisted by SURBL.



Never attempt to buy products from spam-advertised sites. You wouldn't entrust your credit card information to a shady drug dealer on the street; spam sites are the online equivalent.

You may notice this spam campaign's use of the uncommon ".pw" top-level domain. Registration of .pw domains opened to the general public three months ago. According to Wikipedia, .pw was originally intended for sites from the island nation of Palau, and it is currently being branded as short for "Professional Web."
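The deceptive subdomains described above follow one pattern: a trusted site's name sits in the left-hand labels, while the registrable domain is something like com-may.us or com-c.pw, whose second-level label is itself built to read like a .com suffix. The following Python check flags that pattern; it is an added example, not code from this post or from Janne's or Graham's write-ups. It assumes a fixed list of brand domains and approximates the registrable domain as the last two labels rather than consulting the Public Suffix List.

```python
"""Lookalike-hostname check for the pattern this campaign uses: a brand's
domain name appears in the left-hand labels, but the registrable domain is
something else (womenshealthmag.com-may.us is really com-may.us), and the
second-level label itself starts with com-/net-/org- so that any prefix
reads like a .com/.net/.org site. Added example, not the post's code."""
import re

# Assumption: brands worth protecting; extend as needed.
BRANDS = {"womenshealthmag.com", "womenshealth.com", "msn.com",
          "msnbc.msn.com", "twitter.com", "cnbc.com"}
# TLDs the post singles out as unusual for mainstream sites at the time.
UNUSUAL_TLDS = {"pw"}
# A second-level label such as "com-may" or "net-12" exists only to make
# "<anything>.com-may.us" look like a .com address.
FAKE_SUFFIX_LABEL_RE = re.compile(r"^(com|net|org)-")


def registrable_domain(host):
    """Approximation (assumption): the registrable domain is the last two
    labels. Production code should consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host, brands=BRANDS, unusual_tlds=UNUSUAL_TLDS):
    """Return the registrable domain, the reasons the host looks deceptive,
    and a verdict: trusted, lookalike, or unknown."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in brands or host in brands:
        return {"host": host, "registrable": reg, "reasons": [], "verdict": "trusted"}
    reasons = []
    for brand in sorted(brands):
        # Brand sits at the left edge followed by "." or "-", yet the
        # registrable domain (checked above) is not the brand's.
        if host.startswith(brand + ".") or host.startswith(brand + "-"):
            reasons.append("impersonates " + brand)
    sld = reg.split(".")[0]
    m = FAKE_SUFFIX_LABEL_RE.match(sld)
    if m:
        reasons.append("label '%s' mimics a .%s suffix" % (sld, m.group(1)))
    tld = reg.rsplit(".", 1)[-1]
    if tld in unusual_tlds:
        reasons.append("uncommon TLD ." + tld)
    deceptive = any(r.startswith(("impersonates", "label ")) for r in reasons)
    return {"host": host, "registrable": reg, "reasons": reasons,
            "verdict": "lookalike" if deceptive else "unknown"}


def triage(hosts):
    """Map each lookalike host to its reasons; trusted/unknown hosts are dropped."""
    return {h: classify_host(h)["reasons"] for h in hosts
            if classify_host(h)["verdict"] == "lookalike"}


# Hostnames taken from the post's list of spamvertised domains, plus a
# constructed benign one for contrast.
SAMPLE_HOSTS = ["womenshealthmag.com-may.us", "msnbc.msn.com-april.us",
                "twitter.com-c.pw", "com-10.us", "loseweight.com-06-24-12.net",
                "www.womenshealthmag.com"]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_HOSTS).items():
        print(host, "->", "; ".join(reasons))
```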

Please refer to Janne's article for further updates as this spam campaign continues.

Janne has also written a separate article about how he believes user accounts may have been hijacked (through phishing sites hosted on the same domains).

See also other articles I've written on the topic of spam, including an article about weight loss drug spam e-mails and an article about fake CNBC news sites spamvertized on Twitter.



Monday, June 3, 2013

Camino Canceled: Mac Browser Calls It Quits

The developers of Camino, a Mac-exclusive Web browser that has been around since 2002, have announced that the browser has reached its end of life.

Camino was the last relatively popular browser to support Mac OS X v10.4 Tiger and v10.5 Leopard, operating systems which Apple is no longer patching. The current versions of Chrome, Firefox, and Safari do not support Tiger or Leopard.

The relatively obscure TenFourFox browser, designed specifically to run on now-unsupported PowerPC-based (G3, G4, and G5) Macs, is the last remaining browser that's being actively updated for unsupported versions of Mac OS X.

Meanwhile, online ad network Chitika reported in March that Leopard and Tiger are installed on approximately 10% of Macs used online in North America. Mac OS X v10.6 Snow Leopard had the largest share at roughly 35%, trumping the newer Lion and Mountain Lion operating systems at approximately 28% and 27% respectively:



At this time it is unknown whether Apple will continue to issue security patches for Snow Leopard after the upcoming release of OS X v10.9.

For more details, please read my full article at The Mac Security Blog on Intego's site.



Tuesday, April 9, 2013

Windows XP Death Watch: 365 Days Remaining

The XPocalypse cometh? Let's hope not, but be prepared just in case.

There's just one year left until Microsoft pulls the plug on Windows XP security updates.

Microsoft has announced no plans to change course, in spite of the fact that the now three-generations-old desktop OS is still number two in terms of active installed base, commanding nearly 39% of the market while Windows 7 holds the top spot at just under 45%.

Image credit: Net Applications

For more on this subject, see my full article at the award-winning Sophos Naked Security blog:

Windows XP death watch: 365 days remaining



Monday, March 18, 2013

Apple Shocks Security World with Safari 5.1.8 for Snow Leopard

In my latest article for The Mac Security Blog, I wrote about the surprise release of Safari 5.1.8 for Snow Leopard.

Apple silently included the Safari update as part of Security Update 2003-001. Prior to this update, Safari had remained at version 5.1.7 for 10 months while only Safari 6.0 (available exclusively for Lion and Mountain Lion) had been updated.

Apple has not made any mention of Safari 5.1.8 anywhere on its site, so it's unclear whether the new version patches the same 201 vulnerabilities that have been patched from Safari 6.0 to 6.0.3.

Meanwhile, Apple continues to leave Safari for Windows languishing at version 5.1.7.

For more information and screenshots, see the full article:

Apple Shocks Security World with Safari 5.1.8 for Snow Leopard

It's worthy of mention that I was the first journalist to notice and write about Safari 5.1.8.



Monday, February 4, 2013

Apple Releases Java 6u39 (and 41, and 43) for Snow Leopard; Still No Safari Patches

On February 1, Apple released Java 6 Update 39 for Snow Leopard users as "Java for Mac OS X v10.6 Update 12."

Ironically, even though Apple continues to update this third-party component, Apple continues to be negligent in releasing any security updates for its own Safari browser that shipped with Snow Leopard.

Snow Leopard's version of Safari has been stuck at version 5.1.7 since May 9, 2012. This version has been publicly known to be insecure since the release of Safari 6.0 for Lion and Mountain Lion in July 2012.

For more details, see my latest article at The Mac Security Blog:

Apple Releases Java 6u39 for Snow Leopard; Still No Safari Patches

UPDATE 1: On February 19, Apple released Java 6 Update 41 as "Java for Mac OS X v10.6 Update 13." Still no Safari update for Snow Leopard.

UPDATE 2: On March 4, Apple released Java 6 Update 43 as "Java for Mac OS X v10.6 Update 14." Still no Safari update for Snow Leopard.



Saturday, January 19, 2013

Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam, Round 2

Six months ago, in July 2012, I wrote about "Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam."

Now in January 2013, hackers and scammers are up to the same tricks.

(If you believe you may have been victimized, you can skip to the bottom for suggestions.)

I've recently received three e-mails from two hacked Yahoo! accounts owned by people I know. Each e-mail contained only a link and no explanatory text, and the subject line was blank.

In each case, the link address contained a directory called "wp-content" which indicates that all these spammed pages were hosted on hacked WordPress blogs (although I later discovered other hacked sites without wp-content in the URL).

At least one of these hacked blogs was using an outdated version of WordPress (3.3.1). One site didn't display the version number. Surprisingly, the third hacked site was actually running the current version of WordPress (3.5). Most often when I've seen hacked WordPress sites they've been running an old version of WordPress for which there are publicly disclosed vulnerabilities.

If a victim clicks on the link in one of these e-mails that appears to be from someone they know, they are redirected to a page that either says "You see this page because one of your friends have invited you. Page loading, please wait...." or else it automatically redirects right away or in 1 to 5 seconds.

The victim is then redirected to one of three types of sites:
  1. a fake Fox news site advertising a "Raspberry Ultra Drops" weight loss drug, which the site implies is endorsed by television host Dr. Oz (see screenshot below)
  2. a fake CNBC news site advertising a "work from your home" scam; see my June 2012 article about related fake news sites at Sophos' Naked Security blog for lots of details and screenshots
  3. a site specifically for those who clicked on the e-mail link on an Android device (which reportedly attempts to install Android malware; see below)
A fraudulent site purporting to be Fox News

Based on an article at Lookout Mobile Security and one of the comments there, apparently the Android-specific redirection leads to (or at one time led to) a file named "Update.apk", a malicious Android app. It appears that as of the last time this file was uploaded to VirusTotal, 32 out of 46 antivirus engines detected it as malware and identified it as one of the following:
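As an added example (not the post author's tooling), the following Python implements two defensive checks drawn from the description above: a mail-filter heuristic for the blank-subject, link-only e-mails sent from hijacked accounts, and a scanner that scores a fetched page for the redirector traits (a meta refresh or JavaScript redirect to another host, immediately or after a few seconds, the "invited you" cover text, and a user-agent branch that sends Android visitors elsewhere). The sample message and page are constructed, and the .example hostnames are placeholders.

```python
"""Two defensive checks for the campaign described above: a mail-filter
heuristic for the link-only e-mails sent from hijacked accounts, and a
scanner that scores a fetched page for the traits of the redirector files
planted on the hacked WordPress sites. Added example, not the post author's
tooling; the sample message and page below are constructed."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def suspicious_spam_mail(subject, body):
    """Reasons a message matches the pattern the post describes: a blank
    subject, a body that is nothing but a single link, and a link whose path
    points into a WordPress wp-content directory."""
    reasons = []
    text = body.strip()
    urls = URL_RE.findall(text)
    if not subject.strip():
        reasons.append("blank subject")
    if len(urls) == 1 and text == urls[0]:
        reasons.append("body is only a link")
    if any("/wp-content/" in urlparse(u).path.lower() for u in urls):
        reasons.append("link into wp-content")
    return reasons


META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
REFRESH_EQUIV_RE = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.IGNORECASE)
REFRESH_CONTENT_RE = re.compile(
    r"content\s*=\s*[\"']?\s*(\d+)\s*;\s*url\s*=\s*([^\"'>\s]+)", re.IGNORECASE)
JS_REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE)
SETTIMEOUT_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.IGNORECASE | re.DOTALL)
INVITE_RE = re.compile(r"one of your friends have invited you", re.IGNORECASE)
ANDROID_BRANCH_RE = re.compile(r"userAgent[^;{}]*android", re.IGNORECASE)


def analyze_redirector(html, page_host):
    """Score a page for: a meta refresh or JavaScript redirect to a different
    host (immediately or after a short delay), the "invited you" cover text,
    and a user-agent branch that sends Android visitors elsewhere."""
    targets, delay = [], None
    for tag in META_TAG_RE.findall(html):
        if REFRESH_EQUIV_RE.search(tag):
            m = REFRESH_CONTENT_RE.search(tag)
            if m:
                delay = int(m.group(1))
                targets.append(m.group(2))
    targets += [m.group(1) for m in JS_REDIRECT_RE.finditer(html)]
    m = SETTIMEOUT_RE.search(html)
    if m and delay is None:
        delay = int(m.group(1)) // 1000  # JS delays are in milliseconds
    offsite = [t for t in targets
               if urlparse(t).hostname and urlparse(t).hostname != page_host.lower()]
    findings = {
        "targets": targets,
        "offsite_targets": offsite,
        "delay_seconds": delay,
        "invite_text": bool(INVITE_RE.search(html)),
        "android_branch": bool(ANDROID_BRANCH_RE.search(html)),
    }
    # Weighted score: an off-site redirect plus either the cover text or a
    # short delay/UA branch is what the post's redirector pages look like.
    score = (2 * bool(offsite) + 2 * findings["invite_text"]
             + (delay is not None and delay <= 5) + findings["android_branch"])
    findings["verdict"] = "redirector" if score >= 3 else "clean"
    return findings


# Constructed sample input; .example hostnames are placeholders.
SAMPLE_MAIL = ("", "http://victim-blog.example/wp-content/uploads/2013/01/kllem.php\n")
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="3;url=http://fake-news.example/">
</head><body>You see this page because one of your friends have invited you.
Page loading, please wait....
<script>
if (navigator.userAgent.match(/android/i)) {
  window.location.href = "http://android-bait.example/Update.apk";
}
</script></body></html>"""

if __name__ == "__main__":
    print(suspicious_spam_mail(*SAMPLE_MAIL))
    print(analyze_redirector(SAMPLE_PAGE, "victim-blog.example"))
```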


Following are some of the file names that may be found in a directory on one of the hacked sites. Based on my investigation into the similar hack/spam/fraud campaign last July, I am certain that this is not an exhaustive list of file names. (In fact, I observed that additional files with different names appeared within just the past few hours on one hacked site while I was writing this article.) Note that the links below lead to VirusTotal scan reports, NOT the files themselves.


These files have rather low detection rates by major antivirus engines; a few redirection files are currently not detected at all, and even the best-detected ones are flagged by only 14 out of 46 engines. Thus there's a pretty good chance that your antivirus software won't detect these Web pages as malicious. The files are identified as any of the following types of malware (or similar names):


One file was rather different from the rest: gsm.php. This file had an 18/46 detection rate on VirusTotal, and it was identified as a PHP shell backdoor by the antivirus engines that detected it:

Backdoor, Backdoor:PHP/C99shell.R, Backdoor.HTML.EMO.D, Backdoor.HTML.PHPShell-Interface (v), Backdoor.PHP.C99Shell, C99Shell.CX, EXP/C99Shell.W, Exploit.C99Shell.Gen, HTML:Shellface-D, HTML:Shellface-D [Trj], HTML/Shellnine.A, PHP/BackDoor.AO, PHP/C99Shell.A, PHP/C99shell.R, PHP/CShell.Y, Trojan.Html.C99Shell.dwlsk, Trojan/PHP.Shell

Following is a list of some of the domains to which these pages attempt to redirect. Note that the links below lead to the Web of Trust reports for each domain, NOT the domains themselves.


What To Do If Your E-mail Account Has Been Hacked

If your e-mail account has been hacked and you can still log into it, change your password immediately, and be sure to use a good, strong, long, and unique password; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages. Keep your new password exclusive to this e-mail account; don't reuse your password on any other site. Send an e-mail to your contacts (please use BCC rather than To or CC) asking them to delete any recent e-mails from your account that just contained a link (and if you want, you can suggest that they read this article if they clicked on the link). If you used your old password on any other sites, change your passwords at those sites as well (and be sure to use different passwords than the new one you just created for your e-mail account). If your e-mail provider has security questions as a backdoor if you forget your password (e.g. Yahoo!), change your security questions and answers, and be sure to not choose answers that other people might know or be able to find out about you. It wouldn't hurt to scan your computer for malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc, or Sophos' Virus Removal Tool which can be run alongside your existing antivirus software). If your e-mail provider has an option to enable two-factor authentication (for example, sending you a code via SMS text message whenever someone tries to log in), enable this option for better security. Never log into your e-mail from a public computer (for example at a hotel or library) or while connected to a public Wi-Fi network (for example at a restaurant, coffee shop, or airport). See also this Sophos article for additional tips on how to protect your e-mail accounts.

What To Do If Your Web Site Has Been Hacked

If your Web site has been hacked, don't merely delete the files listed above. If possible, restore your server from a clean backup. Scan for rootkits and other malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc). Change all passwords on the server, and be sure to use good, strong, long, and unique passwords; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages. Disable any services you don't use on your server. Make sure all the software on the server (WordPress, Apache, etc.) is up to date and has all the latest security patches. See also this Sophos article for additional tips on how to protect your Web servers.

What To Do If You Clicked On a Link

If you clicked on a link in one of these e-mails, don't panic. If you entered your credit card number on one of the sites, call your credit card provider to report the fraudulent transaction and follow their instructions and advice; you may need to cancel that card number and get a new card. If you visited a link on your Android device, you probably only need to worry about infection if you installed the Update.apk file. If you installed it, you can try restoring your Android device from a backup (assuming you have one) and/or install antivirus software such as Sophos Mobile Security (which is free) onto your device to clean up the infection. If you visited a link on your PC, for your own peace of mind you may wish to scan your computer for malware (and get a second opinion from a trusted free scanner, for example Windows Defender Offline or another antivirus boot disc, or Sophos' Virus Removal Tool which can be run alongside your existing antivirus software). If you visited a link on your Mac, for your own peace of mind you may wish to scan your computer for malware (if you don't have antivirus software, you can get free Mac antivirus software from Sophos for home use, or get a free trial of a security suite from Intego). If you visited a link on your iPhone or iPad, you probably don't have anything to worry about as long as you didn't enter your credit card information on one of the sites.



Monday, January 7, 2013

Basic Computer and Mobile Security Tips

by Kylene Long

Whether you are a Mac or Windows user, iOS or Android user, your computer or device is potentially vulnerable to infection. You should be cautious about where you go on the Web, what links you click on, and what apps you install.

One way to avoid visiting potentially harmful sites is to use Web of Trust (WOT), a plug-in for desktop browsers that can help you decide whether or not a site might be safe to visit. It uses simple stoplight colors (red, yellow, and green, with an alternative setting for colorblind users) to indicate potentially harmful and likely safe sites. With the WOT plug-in installed, when you search the Web with sites like Google and Bing you'll see colored circles next to each search result so you can have some idea of how trustworthy the site is before you click. If you ever accidentally visit a page that has a poor rating, the plug-in will display a warning. WOT's browser add-on is useful for computer experts and novices alike.

Also, don't always trust that you are typing in a Web address (URL) correctly. Look in the address bar to verify that what you've typed is correct before you press a button to go there. When you're not sure about the spelling of a site or whether it ends in .com or .org for example, or if you make frequent typos, you can alternatively do a Google search for the site's name instead of trying to type it from memory; normally the site you want is within the top few hits. Once you've found the site, you can bookmark it to make it easier to return to later.

Visiting links isn't the only thing to be cautious about. It's also wise to be careful when installing software on your computer or mobile device, including apps from popular app stores like Apple's iOS or Mac App Store, Google Play Store, or Amazon Appstore.

Just because Apple and Google have a vetting process for apps doesn't mean that nothing undesirable ever slips past their app review processes (it happens—and more often than you might think). Always check the ratings on an app before downloading it. If an app has hundreds of reviews and an overall positive rating, it's probably safe. Be aware that there are some look-alike apps out there that at first glance may appear to be popular apps, or affiliated with popular app makers. Checking customer reviews can sometimes help you avoid the more shady apps.

Consider this: If you met a random stranger on the street, would you hand them your phone and let them do whatever they want with it, unsupervised? Whenever you visit a site you've never been to before, or install an app that you've never heard of, you should be aware that you're taking a risk. Obviously there's some risk inherent in doing anything; even legitimate sites can be hacked, for example. But it's still a good idea to keep your guard up, even if you use a Mac or an iPhone, iPad, or other smartphone or tablet.



Wednesday, January 2, 2013

Get Windows 8 Pro for $39.99 by January 31

Do you still have Windows XP on your computer? Unless you have plans to replace that computer within the next 15 months, now's a good time to upgrade your operating system.

Until January 31, 2013, Microsoft is offering upgrades to Windows 8 Pro for only $39.99 for all users of Windows XP SP3, Windows Vista, and Windows 7.

Given that Windows XP will only get security updates until April 2014 (only a year and 3 months from now), and given that the cost of the upgrade after this month will reportedly jump to $199, this is a great opportunity for PC users to move to a newer and more secure operating system without having to spend a lot of money.

And if you're a Mac user with an old version of Windows on a Boot Camp partition or in a virtual machine like Parallels Desktop, VMWare Fusion, or Oracle VirtualBox, Microsoft is offering the same upgrade pricing for you as well.

Before you make the jump to Windows 8, you'll have to ensure your system can handle it (in particular, you may need to buy a RAM upgrade first), and there are other considerations to keep in mind as well. Read more details in my article at The Mac Security Blog:

Upgrade to Windows 8 Pro on Your Mac

Then read the system requirements and download the upgrade from Microsoft:

http://windows.microsoft.com/en-US/windows/buy



Friday, November 16, 2012

Apple Updates XProtect Functionality

Without any fanfare, Apple added new functionality to the Safe Downloads List (XProtect) feature of Mac OS X in late September. The new feature allows Apple to block certain known-vulnerable versions of browser plug-ins such as Oracle Java and Adobe Flash Player.

Apple is currently only blocking certain very old versions of Flash Player and one particular version of the Java plug-in. More recent versions of these plug-ins with numerous publicly exploited vulnerabilities are not currently blocked by Apple, so in practice this feature does not currently provide a lot of protection.
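The practical consequence of a minimum-version block list is easy to see with a small check. This is an added example, not Apple's code: it parses a constructed plist in the shape of XProtect's PlugInBlacklist (the bundle ids and the key names are assumed from that format; the version strings are placeholders, not Apple's actual values) and reports which installed plug-ins fall below the minimum. Anything at or above the minimum passes, however many public exploits it may have.

```python
import plistlib
from typing import Dict, List

# Constructed sample shaped like XProtect.meta.plist's PlugInBlacklist
# (assumed layout; the version strings are placeholders, not Apple's real values).
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PlugInBlacklist</key>
  <dict><key>10</key><dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>11.3.300.271</string></dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>1.6.37.06</string></dict>
  </dict></dict>
</dict></plist>"""


def version_tuple(version: str) -> tuple:
    """Split a dotted bundle version into integers so it compares in order."""
    return tuple(int(part) for part in version.split("."))


def blocked_minimums(meta_plist: bytes) -> Dict[str, str]:
    """Flatten every bundle id -> minimum allowed version across all list groups."""
    data = plistlib.loads(meta_plist)
    minimums: Dict[str, str] = {}
    for group in data.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in group.items():
            minimums[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return minimums


def check_plugins(installed: Dict[str, str], meta_plist: bytes) -> List[str]:
    """Return the bundle ids whose installed version is below the block-list minimum.

    A plug-in at or above the minimum is NOT reported, even if that version
    has known exploited vulnerabilities; the list only protects against the
    old versions Apple chose to enumerate.
    """
    minimums = blocked_minimums(meta_plist)
    blocked = []
    for bundle_id, version in installed.items():
        minimum = minimums.get(bundle_id)
        if minimum and version_tuple(version) < version_tuple(minimum):
            blocked.append(bundle_id)
    return blocked
```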

More details about recent XProtect updates can be found in my article at The Mac Security Blog:

Apple Updates XProtect Malware Definitions for Latest Imuler Variant



Friday, September 7, 2012

Is Apple Still Releasing Snow Leopard Updates?


Is Apple still releasing security updates for Mac OS X v10.6 Snow Leopard? Oddly, the answer isn't a simple yes or no.

In the past, Apple typically released security updates only for the current and one previous version of OS X. However, Apple recently switched from a roughly two-year OS cycle to a yearly cycle, and this may or may not have changed how long Apple will continue releasing security updates for previous versions of its desktop operating system.

So far, Apple has been releasing Java security updates for Snow Leopard since the release of OS X v10.8 Mountain Lion (which was released approximately one year after OS X v10.7 Lion and three years after Snow Leopard). However, Apple has NOT been releasing updates for the Snow Leopard version of Safari, the browser that comes bundled with Mac OS X.

While Microsoft makes known to the public exactly how long its operating systems and software will be patched, Apple makes no such public disclosure.

Read my article at The Mac Security Blog for more information:

Apple's Java Update Surprise for Snow Leopard

UPDATE, 7 Jan 2013: Net Applications has released its Web traffic analytics for December 2012, which indicate that Snow Leopard accounts for just over 29% of Web traffic from Macs—slightly higher than Lion which accounts for just over 28%. Both are only slightly behind Mountain Lion at just over 32%. The percentages are roughly the same when filtering for Macs browsing with Safari.

Given the apparently high percentage of Mac users still browsing Web sites on Snow Leopard, in my opinion it is inexcusable for Apple to no longer release security updates for the Snow Leopard version of Safari. At the very least, Apple should warn these users (and Windows Safari users) that their browser is no longer being updated and is no longer safe to use online.



Wednesday, August 1, 2012

What to Do if Your Mac Can't Run Mountain Lion

With each successive version of Apple's Mac OS X operating system, more Mac hardware gets left behind. The recent release of OS X Mountain Lion (v10.8) is no exception.

There are some good reasons why Apple might drop support for older hardware. For example, Apple might want to clear out legacy code to make its software run more efficiently on newer computers, and some brand new or updated features of the OS may run much better on newer hardware.

On the other hand, one could argue that it's also in Apple's best interest to enforce scheduled hardware obsolescence so the company can generate revenue from new hardware sales.

Whereas Microsoft makes the operating system but not the hardware—and thus generates more profits by continuing to support very old PCs with each new version of Windows—Apple makes both the hardware and the operating system. At $29.99 per OS upgrade (or apparently $19.99 annually beginning with Mountain Lion), it's clear that Apple stands to make a lot more money by getting customers to buy a $1000+ Mac every 5 or 6 years (and perhaps a few OS upgrades in between) rather than merely sell them $100 worth of OS upgrades over the same time period.

And so with Mountain Lion, Apple has dropped a lot more hardware. Every Mac made before mid-2007—and even some 2008 models—is no longer supported by Apple's latest desktop operating system.

So what can you do if your Mac is no longer supported? I've written an in-depth article covering which models are supported by Mountain Lion, which Macs max out at Lion, and why Snow Leopard may no longer be completely safe to use—and what you can do if you're stuck with an unsupported Mac. Read the full article on The Mac Security Blog:

What to Do if Your Mac Can't Run Mountain Lion



Monday, July 30, 2012

Windows and Snow Leopard: No More Safari Security Updates

To coincide with the release of Mac OS X v10.8 Mountain Lion, Apple also released the new Safari 6 Web browser (which comes with Mountain Lion) for OS X v10.7 Lion.

Not surprisingly, Apple did not release the new browser for Mac OS X v10.6 Snow Leopard, which was released 3 years prior to Mountain Lion and is now two major OS versions old.

However, what is surprising is that Apple did not release the Safari update for Windows, either. Nor did Apple release a security-only patch for the Windows or Snow Leopard versions of Safari 5.1 to close the 121 security vulnerabilities fixed in Safari 6.0.

This means that anyone still using Safari on Windows or Snow Leopard is unknowingly leaving their system vulnerable to exploitation and infection.

Read the detailed article I wrote for Sophos Naked Security for more information:

Where are the Safari security updates for Windows and Snow Leopard? Users left exposed

UPDATE, 7 Jan 2013: Apple has since released Safari 6.0.1 and 6.0.2, patching an additional 63 vulnerabilities. No corresponding security updates have been released for the Windows or Snow Leopard versions of Safari.

See also Is Apple Still Releasing Snow Leopard Updates?



Wednesday, July 25, 2012

Windows Malware Found in iOS App Store

Yes, you read that headline correctly.

Yesterday it was discovered that a Windows worm was embedded inside an iOS application. The app, called "Instaquotes-Quotes Cards for Instagram," was available in the iOS App Store from July 19 through July 24. It contained two infected files:

Instaqoutes 1.0.ipa:Payload:Instaqoutes.app:FBDialog.bundle:FBDialog.bundle.exe
Instaqoutes 1.0.ipa:Payload:Instaqoutes.app:FBDialog.bundle:images:images.exe

This is unlikely to have caused any actual harm to anyone's systems given that iPhones and iPads can't run Windows programs, and any Windows user who may have downloaded the infected iOS app would have had to manually extract an .exe file and consciously decide to run it on his or her PC.

The most interesting part of this discovery is that it seems to indicate that Apple may not be scanning apps for viruses as part of its vetting process. Let's hope Apple adds this to the app approval checklist right away.
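The kind of check that would have caught this is straightforward, because an .ipa is just a zip archive. This is an added example, not Apple's review tooling: it builds a constructed, IPA-shaped archive whose entry paths mirror the two files named above (contents are placeholder bytes, not the actual worm) and then flags entries that look like Windows executables, either by .exe extension or by the "MZ" header that every PE file starts with.

```python
import io
import zipfile
from typing import List


def build_sample_ipa() -> bytes:
    """Construct a tiny IPA-shaped zip: one harmless file, one PNG and two PE stubs.
    Paths mirror those named in the post; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Payload/Instaqoutes.app/Info.plist", b"<plist/>")
        archive.writestr(
            "Payload/Instaqoutes.app/FBDialog.bundle/FBDialog.bundle.exe",
            b"MZ" + b"\x00" * 62,  # PE magic followed by filler
        )
        archive.writestr(
            "Payload/Instaqoutes.app/FBDialog.bundle/images/images.exe",
            b"MZ" + b"\x90" * 62,
        )
        archive.writestr(
            "Payload/Instaqoutes.app/FBDialog.bundle/images/logo.png",
            b"\x89PNG\r\n\x1a\n",
        )
    return buf.getvalue()


def find_windows_executables(ipa: bytes) -> List[str]:
    """Return archive entries that look like Windows PE files.

    Checks both the file name and the first two bytes, so a renamed
    executable (say, images.dat containing a PE) is still reported.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(ipa)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as entry:
                head = entry.read(2)
            if info.filename.lower().endswith(".exe") or head == b"MZ":
                found.append(info.filename)
    return found
```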

Please see my article at Sophos Naked Security for more details.

Meanwhile, Mac antivirus firm Intego reported yesterday that it had discovered new Mac malware, which the company dubbed OSX/Crisis (Sophos identifies it as OSX/Morcut-A). Intego said that as of yesterday, the malware had not yet been found in the wild.

