Sophos

Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked

Britney Spears

The guys at Twitter have posted more information on their website about the high profile accounts (belonging to the likes of Britney Spears, Barack Obama, Fox News, CNN’s Rick Sanchez and others) that were compromised on their website today.

Fascinatingly, Twitter claims that these accounts were not broken into as a result of the widespread phishing attack that has taken place on Twitter over the last couple of days, but instead were the result of Twitter’s own systems being compromised by hackers.

As a result, tools that normally only Twitter’s technical support team can use to help locked-out members reset their email address were accessed by hackers, enabling them to steal control of the high profile accounts from their rightful owners.

As a result, Britney Spears’s Twitter stream made claims about a sensitive part of her anatomy, Rick Sanchez’s Twitter entry declared that he was high on crack, and Fox News appeared to publish breaking news that Bill O’Reilly was gay.

This is actually much more serious than these people and organisations falling for a simple phishing attack. It appears that Twitter’s systems were potentially exposing everybody’s account to the danger of being taken over by hackers - it’s just that they chose some 33 high profile accounts to abuse with their defacements.

Here’s part of the statement from Twitter co-founder Biz Stone:

These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.

What is still unclear is whether the person who hacked the accounts was an external hacker, or someone inside the Twitter organisation.

Twitter seem convinced that it was an individual rather than a gang of criminals, so it may be that they have identified the person responsible. If so, they may choose to involve the authorities to see justice done for what was both a cruel and criminal act.

Whether the full details of what actually happened are ever revealed remains to be seen. But one thing is for certain: Twitter has had an appalling start to 2009 from the security point of view.

So what of Britney herself? Well, there’s been no word from the singing sensation - but someone who claims to be her Social Media Director did post a message on the Rolling Stone website apologising for any offence caused by the vulgar message:

Message on Rolling Stone website




Has Britney Spears had her Twitter account phished?

(Read the update to this story: Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked).

Could Britney Spears, the troubled pop princess, have become the victim of the phishing scams that have shaken Twitter users in the last few days?

I just visited her page on Twitter and saw the following update, which I find unlikely to have been approved by her management team who are taking care to control her public image as she rebuilds her career:


At approximately 17:30 UK time the message was removed - but clearly this is a sign that someone broke into her account. Whether this was a result of the current Twitter phishing attacks or not is hard to prove, but it seems a strange coincidence if not.

Other Twitter accounts which have had bizarre messages posted to them include ones belonging to Barack Obama’s election campaign, Fox News and CNN anchorman Rick Sanchez.

In a Twitter update which has since been deleted, Sanchez’s account - which is followed by some 40,000 people - displayed the message:

i am high on crack right now might not be coming into work today

The message is clear. Whether you are world famous, a business organisation, or a general member of the public, you have to be much more careful about securing your online presence.

Hackers may have hooted with joy at realising they had the power to post messages under the names of Britney Spears or Fox News, but normally their intentions are to hurt people in the pocket through scams and identity theft.

If you believe you may have clicked on a link to a possible phishing site, and think it is possible that you may have given your password to someone else or that account may have been compromised, change your password now.

Twitter confirms multiple accounts hacked

At about 18.30 UK time, Twitter posted an update on one of its blogs in an attempt to reassure users, confirming that multiple accounts had been hacked and advising members that it may be prudent to reset their passwords.

Statement from Twitter

Hopefully Ms Spears and Mr Sanchez are amongst those doing that right now.

(Read the update to this story: Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked).




Sophos versus police spyware in “legal hacking” debate

Police helmet

In a rather disturbing development it is being reported in the British press that police have been given the power to hack into computers without a court warrant.

Naturally this news has resulted in massive consternation amongst those concerned with civil liberties, who contend that the move signifies a continuing shift towards a surveillance society in Britain. Already the country is believed to have the highest density of CCTV cameras in the world (one camera for every 14 people is the last figure I heard).

The Association of Chief Police Officers has said that in 2007-2008, British police carried out 194 remote hacking operations, including 133 in private homes, 37 in company offices and 24 in hotel rooms. It isn’t clear how many of these attacks used spyware software or keylogging hardware to examine information held on a suspect computer.

There is no doubt that high-tech criminals are able to use sophisticated technology such as encryption to help them commit their offences, and that this does bring enormous challenges to investigators which may make the use of spyware and keylogging devices attractive.

However, that doesn’t mean that there shouldn’t be strict guidelines and independent approval before this kind of police surveillance can take place. Law enforcement agencies should be forced to seek approval from a court, which would have to be convinced that there were sufficient reasons to surreptitiously break into a computer belonging to a member of the public.

One thing I can promise you though: If Sophos encounters any malware written by the police, we won’t turn a blind eye. We will add detection for it.

And if you think about it, we don’t have any other sensible choice.

For anti-virus vendors to know which spyware Trojan horse to ignore, the British police would need to provide us with a sample of their code. For security reasons, it seems unlikely that this would happen. As a result, how will we (and other security vendors) know which code is written by the cops and which originates from traditional hackers? After all, it’s not likely to say

Copyright (c) New Scotland Yard

is it?

In order to properly protect customers, Sophos continues to protect against all the malicious code that we see.

Even if security vendors were made aware of the code, how would we know that our customer was the intended target of police surveillance? You see, by planting spyware on the PCs of those under suspicion, the police could essentially be placing a weapon directly into the hands of their enemies.

Spying and remote-hacking code could easily be adapted and new variants created with far more sinister intentions in mind. Once the Trojan was released, there would be no way of knowing who would use it to spy on whom, and with what consequences. In an ironic twist of fate, the police could even find themselves the victims of their own code.

So we will continue to defend computer users against malware and spyware, regardless of who might have written or installed the code.

And if that puts us at loggerheads with our friends in the police, so be it.




Twitter users hit by more phishing and spam attacks

The phishing campaign which spread over the weekend via Twitter, stealing users’ account details, has evolved into a series of new campaigns.

Many Twitter users are reporting that they have been struck this morning with a barrage of new direct messages such as:

hey. i won an iphone! come see how here [url removed]

and

Wanna win the new iPhone? It’s so easy and cool, I love this thing! Visit: [url removed]

Clicking on the links can take users to a website that claims that they might win an Apple iPhone if they hand over their credentials including their cell phone number. It is possible the spammers are earning a commission via affiliate links by directing traffic to these websites.

iPhone winner website

Even Twitter celebrities such as Stephen Fry (perhaps not surprising considering how many followers he has) have reported clicking on links from the earlier phishing campaigns without thinking of the possible consequences.

With typical wit the self-confessed gadget freak Fry admits that another Apple iPhone is the last thing he needs.

Stephen Fry Twitter messages

The good news is that because Twitter celebs like Stephen Fry have so many followers they can help spread warnings to other members of the Twitter community about phishing campaigns very quickly. On the other side of the coin, however, if their accounts were ever compromised the spammers would believe that they had hit the mother lode. After all, a link in a message from someone famous might be very hard for many people to resist.

Twitter is obviously concerned about the phishing and spam problem, and has added a warning on its site.

Warning from Twitter

However, the constant stream of reports suggests that there are still a sizeable number of Twitter users who do not realise that their accounts have been compromised.




Phishing scam spreads on Twitter

Twitter users are reporting that they have received direct messages from their online followers enticing them to visit a phishing website which attempts to steal their username and password.

Twitter phishing message

Users have been receiving messages such as:

hey! check out this funny blog about you… [url removed]

and

Hey, i found a website with your pic on it… LOL check it out here [url removed]

which led - sometimes leapfrogging via a Blogspot page - to a website which posed as the regular Twitter login page, but was actually stealing usernames and passwords from the unwary.

Twitter phishing web page

Having hacked into some Twitter accounts it appears that the criminals then used the Twitter identities of their victims to pass on the message to even more Twitter users.

It would be bad enough to hand your Twitter username and password over to a criminal, as they could pose as you online and spread malware and spam to your friends and followers. However, as so many internet users foolishly use the same username and password for every website they access, the potential for abuse is even greater.

Twitter co-founder Biz Stone alerted followers to the danger as his team worked on the problem, and later advised members who may feel “weirded out” by the incident to change their passwords.

Tweets from Twitter about phishing scam

Twitter has published information on its blog about the security incident and advised users to exercise caution when they reach web pages which ask them to log in to Twitter.

The phishing webpage has also masqueraded as the login page for Facebook - so users of all social networking websites should be on their guard.
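Twitter’s advice above, and the iPhone-lure messages in the earlier post, both come down to one check before a password is typed: is the page that is asking for it really on the legitimate domain? The following is an added example, not code from this blog or from Twitter, of how a client-side filter or a browser extension might make that decision. It assumes an allow-list entry of “twitter.com” (pass “facebook.com” for the Facebook variant mentioned) and the sample links in main are constructed in the style of the messages quoted above. The point it demonstrates is that a naive substring test is not enough: hosts such as twitter.com.example.net and URLs carrying userinfo before an @ both contain the real name and are both bogus.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy the host component of `url` into `out`, lower-cased, without scheme,
 * userinfo, port, path or query. Returns false if no host can be found. */
bool url_host(const char *url, char *out, size_t outlen) {
    const char *p = strstr(url, "://");
    if (p == NULL) return false;
    p += 3;
    /* The authority ends at the first '/', '?' or '#'. If it contains '@',
     * everything before it is userinfo: "https://twitter.com@evil.example/"
     * is hosted on evil.example, not twitter.com. */
    const char *end = p + strcspn(p, "/?#");
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL) p = at + 1;
    size_t n = strcspn(p, "/?#:");          /* ':' starts an optional port */
    if (n == 0 || n >= outlen) return false;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return true;
}

/* True only for `domain` itself or a proper subdomain of it. A substring test
 * would wrongly accept "twitter.com.example.net" or "logintwitter.com". */
bool host_matches_domain(const char *host, const char *domain) {
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl == dl) return strcmp(host, domain) == 0;
    if (hl < dl + 2) return false;          /* need at least one label plus '.' */
    return strcmp(host + (hl - dl), domain) == 0 && host[hl - dl - 1] == '.';
}

static bool has_https_scheme(const char *url) {
    const char *want = "https://";
    for (size_t i = 0; want[i] != '\0'; i++) {
        if (tolower((unsigned char)url[i]) != want[i]) return false;
    }
    return true;
}

/* Decide whether a page asking for credentials is on the real site.
 * `legit_domain` is the assumed allow-list entry, e.g. "twitter.com". */
bool login_url_is_legit(const char *url, const char *legit_domain) {
    char host[256];
    if (!has_https_scheme(url)) return false;   /* a real login form should be on TLS */
    if (!url_host(url, host, sizeof host)) return false;
    return host_matches_domain(host, legit_domain);
}

int main(void) {
    /* Constructed sample links, not real phishing URLs from the post. */
    const char *samples[] = {
        "https://twitter.com/login",
        "https://www.twitter.com/login",
        "https://twitter.com.example.net/login",  /* lookalike: wrong registrable domain */
        "https://logintwitter.com/",
        "https://twitter.com@evil.example/login", /* userinfo trick */
        "http://twitter.com/login",               /* right host, no TLS */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-45s %s\n", samples[i],
               login_url_is_legit(samples[i], "twitter.com") ? "legit" : "SUSPICIOUS");
    }
    return 0;
}
```

The check deliberately refuses plain http:// even for the correct host, because a credential form without TLS is itself a warning sign. It does not attempt to catch internationalised-domain homoglyphs (a Cyrillic letter standing in for a Latin one); a real deployment would normalise the host to its ASCII (punycode) form first and compare that.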




Internet Explorer loses ground to Firefox and Safari

Web analytics firm Net Applications is reporting that Microsoft Internet Explorer continued to stumble in its position as the world’s most popular web browser during December 2008.

Although Internet Explorer is by far the most widely used program for accessing websites, it has slipped from a 75% market share at the start of 2008 to 68.15% during December 2008.

Mozilla Firefox (21.34%), Apple Safari (7.93%), and Google Chrome (1.04%) all appear to be benefiting as users either choose alternative web browsers or run an operating system not supported by Internet Explorer (in other words, anything other than Windows).

What I always find interesting is to compare these usage figures, which are collated across a very wide spectrum of web usage, with what I see myself when I look at details of how people are viewing this blog. You could argue that the typical profile of someone reading this blog and accessing the Sophos website is rather more security conscious than the typical Joe User.

Browsers accessing Graham Cluley’s blog in December 2008

What’s clear from this is that Clu-blog readers are much less likely to be using Internet Explorer than their non-technical friends and family. Firefox, meanwhile, is teetering on the brink of being responsible for one in four of all visits to this blog.

We’re also seeing Chrome being more widely used by this audience, and we can expect to see Chrome make further inroads as versions for Unix and Mac OS X arrive during 2009.

Fascinatingly, Safari on the Apple iPhone is also making a small but beautifully formed impression on the chart, outgunning its Windows cousin.

Have IT teams tasked with security managed to convince their bosses to fork out for Apple’s lusted-for gadget? Perhaps blogs carrying security news are more likely to be viewed “on-the-move” outside of regular working hours, and so gizmos like the iPhone make a justifiable expense.

Why does any of this matter? Well, Sophos’s recently published Security Threat Report 2009 revealed the enormous role that web browsing plays in the successful spreading of malware today. As the web browser market shifts we can expect the cybercriminals to increasingly follow.

Of course, this already happens to some extent. In the past we’ve seen malware attacks embedded into websites that determine what web browser you are running - for instance, if it’s Internet Explorer they’ll serve you some Windows .EXE malware, if you’re running Safari they’ll give you a malicious Mac OS X .DMG file. Additionally, if an Internet Explorer exploit fails to find a successful playground the dangerous website may try a Firefox attack instead.

And in 2009, we expect to see more hackers exploiting vulnerabilities in code which runs alongside your browser, whatever your browser may be. So, expect to see more attacks trying to exploit loopholes in Adobe Flash, PDF reader plugins and the like.




Classmates malware attack poses as school reunion invite

Remember the days of the old school yard? You may prefer to forget them, but many people are nostalgic for the days of grazed knees, poor food and double geography.

A new malware campaign seen in the last few days plays on the popularity of websites like Classmates.com and FriendsReunited, by posing as an invitation to an imminent school reunion.

A typical malicious email posing as a Classmates school reunion invitation

Part of the email reads:

“With pride and joy we invite you to share a special day in our lives and join us for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish!”

Subject lines used in the malware campaign have included:

Friends waiting for your visit! Classmates
Classmates Reunion Soon - Your classmates Day
Classmates Reunion - Classmates Reunion - Special Preview Invitation
Classmates invitation - Reunion party Greeting Card.
Classmates Organiser Warning - Meeting high school and junior college classmates
Classmates Reunion Soon - [Class Reunion] Save the Date
This month we have chosen Reunion Day - January 2009!
Classmates Reunion Soon - Your classmates Day New Date.
Classmates Personal Invitation: Custom invitation
Invitation to preview new Reunion Classmates.
Important Classmates Day’s 2009

Clicking on the link doesn’t of course take you to the real Classmates website, but a bogus site which tries to fool you into installing an update to Adobe Flash to view a video invitation to your school reunion. Of course, the update is really a malicious Trojan horse designed to compromise your computer.

With many people returning to the office after the holiday break there is a danger that some will click on the link without thinking as they plough through their inboxes.

As ever, be wary of unsolicited emails, and if you are going to update software and plugins on your computer make sure you are getting those updates from the real, legitimate producer of the code, not a third party website that a hacker could have set up.




Zune Leap Year bug under the microscope

More information about the non-virus problem which hung 30GB Zune MP3 players on New Year’s Eve has been uncovered.

It turns out that the problem is actually on the clock chip from Freescale embedded inside Microsoft’s music device.

As you can see in this post from the Zune Boards message forum, the flaw is in the programming logic that runs when the Zune reads its clock as it finishes booting up and converts the time from its internal count (the number of days since 1st January 1980) into a more human-readable form.

There’s nothing wrong with that, of course, unless the logic of the code is wrong and it enters an infinite loop when it happens to be the 366th day of the year.

By now, everyone’s Zune should be working properly again and have shaken off its brain freeze. But unless this problem gets fixed, owners of Zune 30 MP3 players will be frozen out of their music collections again on December 31 2012.
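To make the failure concrete, here is an added illustration of the kind of day-to-year loop the post describes, placed beside a corrected version. This is not the post’s own text and not the device’s firmware: the loop shape is a reconstruction of the reported logic, and the numbering (1 January 1980 is day 1) is an assumption used to build the sample day counts. The defect is that when the remaining count is exactly 366 and the current year is a leap year, neither branch subtracts anything, so the loop never makes progress; the buggy function here carries a guard counter purely so that it returns instead of hanging.

```c
#include <stdbool.h>
#include <stdio.h>

#define ORIGIN_YEAR 1980  /* the count is days since 1 January 1980, per the post */
#define MAX_ITER    10000 /* demo guard so the buggy loop terminates here */

static bool is_leap_year(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Day-to-year conversion with the flaw described: a remaining count of
 * exactly 366 in a leap year matches neither branch, so `days` never changes
 * and the loop spins forever. Returns -1 when the demo guard trips.
 * Day 1 is assumed to be 1 January 1980. */
int buggy_days_to_year(int days, int *day_of_year) {
    int year = ORIGIN_YEAR;
    int iter = 0;
    while (days > 365) {
        if (++iter > MAX_ITER) {
            return -1;            /* demo guard: the real loop has no exit here */
        }
        if (is_leap_year(year)) {
            if (days > 366) {     /* days == 366: no subtraction and no break */
                days -= 366;
                year += 1;
            }
        } else {
            days -= 365;
            year += 1;
        }
    }
    *day_of_year = days;
    return year;
}

/* Corrected version: every pass either consumes a whole year or leaves the loop. */
int fixed_days_to_year(int days, int *day_of_year) {
    int year = ORIGIN_YEAR;
    while (days > 365) {
        if (is_leap_year(year)) {
            if (days > 366) {
                days -= 366;
                year += 1;
            } else {
                break;            /* day 366 of a leap year: this is the year */
            }
        } else {
            days -= 365;
            year += 1;
        }
    }
    *day_of_year = days;
    return year;
}

int main(void) {
    /* Constructed from the day-1 assumption: 10593 = 31 December 2008 (the day
     * the players hung), 10594 = 1 January 2009, 12054 = 31 December 2012. */
    int test_days[] = { 10593, 10594, 12054 };
    for (size_t i = 0; i < sizeof test_days / sizeof test_days[0]; i++) {
        int doy = 0;
        int y_bug = buggy_days_to_year(test_days[i], &doy);
        int y_fix = fixed_days_to_year(test_days[i], &doy);
        printf("days=%d buggy=%s fixed=%d day-of-year=%d\n",
               test_days[i], y_bug < 0 ? "HANG" : "ok", y_fix, doy);
    }
    return 0;
}
```

Run stand-alone it shows the buggy routine hanging (guard tripped) on the last day of 2008 and of 2012 while the fixed one returns the right year and day 366; the day after, 1 January 2009, passes through both. The general lesson for firmware review is that any loop whose exit depends on arithmetic progress needs a case analysis showing every branch advances the state or exits.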




The five most popular Clu-blog posts of 2008

(You may want to read the first half of this countdown first)

Well, the tension is building as we get ever closer to revealing the most popular posting I made on this blog during 2008.

Fill your glasses, as I now reveal the final countdown and our winner.

5th. Stop viewing porn in Internet Explorer - for now

A vulnerability in the world’s most popular web browser is always going to be news amongst us techies. But when that vulnerability is being actively exploited by hackers, and Microsoft doesn’t have a fix for the problem, well... that begins to be mainstream news for the great unwashed public too.

Sophos experts saw many in-the-wild examples of websites struck by SQL injection attacks that then served up the exploit to vulnerable Internet Explorer users, and defended our customers against the threat.

Which leads us nicely on to the fourth most popular article on the Clu-blog during 2008…

4th. Microsoft to release emergency patch for zero-day flaw

Thankfully, Microsoft was able to produce a patch for the critical problem with Internet Explorer described above, but not before many internet users were potentially put in peril.

I can’t help worrying that there will be more examples of hackers exploiting zero day vulnerabilities in the 12 months ahead.

And so we’ve made it to the top three blog posts of 2008. And there’s one thing they all share in common - a video. So grab your popcorn and we’ll begin.

3rd. Bono’s private bikini party photos exposed by Facebook privacy issue

He may be no stranger to being top of the pops, but Bono’s brush with computer security only managed to get him into third place when it came to the most read Clu-blog posts of the year.

The Cuban-heeled crooner and anti-poverty campaigner was revealed to have been up to hijinks in St Tropez with a couple of bikini-clad teenage girls after they posted their private photos to Facebook.

We’re not sure that Bono’s wife was that impressed, and the general public hopefully learnt a lesson about the danger of sharing private data online.

2nd. Free Norton AntiVirus? Hackers disguise fake product to spread Trojan

As our recently published Security Threat Report revealed, scareware (also known as fake anti-virus software) has been one of the big trends of the last twelve months, with hackers attempting to frighten people into purchasing bogus products.

As this video and blog post revealed, the hackers have no qualms about using the names of legitimate security products to try and make their fortune.

Will we see more scareware in 2009? It seems inevitable.

And so, we’ve made it. Well done on getting this far.

With a fanfare of trumpets I can now reveal the most widely read story on the Clu-blog during 2008.

1st. Barack Obama Sex Video malware campaign

Barack Obama wins

Well, when you think about it perhaps there isn’t that much surprise about Barack Obama malware coming top of our list of most-read stories on the Clu-blog. After all, he won that other popularity competition late last year.

Sleazy hackers tried to take advantage of interest in the US presidential race by claiming in a widely distributed email that Barack Obama had been captured in a sex video with a bunch of Ukrainian girls.

Clicking on the link did actually show you an excerpt from a homemade X-rated video, but it didn’t star Barack Obama.

Instead, curious election-followers had the Mal/Hupig-D Trojan horse insidiously installed onto their Windows computers.

Of course, the idea that a man putting himself forward for the post of president would be cheating on his wife is ridiculous, but that’s not likely to have stopped many users from clicking on the link out of curiosity.

In the days that followed we saw more attempts by hackers to infect computers by exploiting Barack Obama’s name, and no doubt we will see many more in the four years to come.

So, that’s it. You now know the most popular Clu-blog posts of 2008.

Since the Clu-blog started on 23 April 2008, I have made 319 postings (including this one). That means there were a stonking 315 posts during the year.

2009 is likely to be even busier, so keep tuned and thank you all for reading.




The top ten Clu-blogs of 2008

So that was 2008. Roll on 2009.

I thought some of you might be interested in what the most popular blog entries on the Clu-blog were during 2008.

(Caveat: The blog wasn’t running for the whole of the year and stats weren’t collected for all of the time it was live to the public, so this may well be nonsense. But hey, it’s interesting nonsense. It will be better next year, I promise.)

So without further ado, let’s kick off proceedings in true beauty contestant style in reverse order, starting with positions 10 to 6.

10th. Do you really need anti-virus on your Apple Mac?

Oh, the furore that resulted as Apple wobbled back and forth over whether it should or shouldn’t advise Mac users to run anti-virus software.

Absence of advice regarding anti-virus software on Apple Macs

I wouldn’t be surprised if we saw more rumbles around Apple Mac security during 2009.

West Coast Labs report, sponsored by McAfee

9th. Results of McAfee-sponsored West Coast Labs anti-virus test

I try and keep self-puffery and the marketroids out of the Clu-blog as much as possible, although a few shameless plugs slip through the net.

However, this story proved popular enough to make it into our top ten articles of the year, presumably because it’s somewhat different from the typical good review.

What makes this test interesting is that the West Coast Labs tests were paid for by McAfee, one of our largest competitors. They make the review available for download from their website, but they didn’t come top according to West Coast Labs’ research.

Kudos to the guys at McAfee for not sweeping it under the carpet, and actually they didn’t perform badly in the tests.

8th. BNP membership list posted on the internet

When it was discovered that the membership list of the highly controversial British National Party, complete with names and addresses, had been published on the internet the resulting stampede of Googlers hunting for it came as no surprise.

This blog entry received a large amount of traffic although - as you can see in the blog post - we were careful to disguise the personal names and addresses of BNP members in the snapshot we published.

7th. London hospitals hit by computer virus

St Bartholomew’s (Barts) in the City, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green had their networks shut down after being struck hard by a variant of the Mytob worm.

Statement on Barts Hospital website about computer virus

Concerns were raised about patient confidentiality and the quality of care as some workers had to resort to using paper and pen.

Eventually the hospitals announced that they had remedied their security problem and were on the road to recovery.

user-EA49943X-activities.zip

6th. Your internet access is going to get suspended - NOT

Judging by the large number of page views that this blog post received, an awful lot of people received emails in the last third of 2008 claiming that they had committed “illegal activities” such as pirating software, movies or music. The emails went on to warn that the recipients’ internet access would be suspended.

Opening the attached report was definitely not a good idea, however, as it contained malicious code designed to compromise your Windows PC, and hand control over to remote hackers.

When they’re not tempting you with nude pictures of Nicole Kidman or Angelina Jolie, they’re threatening to cut off your net access.

Now learn about the top five stories on the Clu-blog during 2008.


