Category: Social Engineering Attacks

Sep 25 2011

Doppelganger Domain Attack

Doppelganger Domain AttackDomain typo-squatting is commonly used to spread malware to users whom accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling.

A Doppelganger Domain is a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible. In large corporations, email usage is extremely high and the likelihood of some email being mis-sent is high which could result in data leakage.

Security researcher Peter Kim and Garrett Gee who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

WhitePaper : Doppelganger.Domains.pdf

Apr 26 2011

UK Firm Offered Custom Malware to Egyptian Security Services

MalwareDocuments spilled into public by the political unrest in Egypt in recent months has shone a spotlight on the shadowy world of for-profit, custom malware creation for governments around the world.

The anti malware firm F-Secure first called attention to documents uncovered by protesting Egyptians back in March. They included a proposal to sell a product dubbed “Finfisher” to the Mubarak regime.

That “Governmental IT Intrusion” product is targeted at the law enforcement community, but Gamma apparently had no qualms about offering it to the Egyptian government, according to 12 page proposal, dated June 29, 2010. A scanned copy of the proposal is available from the F-Secure Web site.

The documents were reportedly obtained by Egyptian psychiatrist and protester Mostafa Hussein during a takeover of the headquarters of Egypt’s State Security in Nasr City on March 5.

Written in Arabic, the proposal is addressed to the State Security Investigation Department in Cairo, Egypt and purports to offer a wide range of Gamma’s products to the country’s security apparatus, including a “remote intrusion solution,” the FinSpy management software and agent. The total deal was projected to cost the government just over 287,000 Euros.

An attorney for the company, speaking to The Washington Times, denied that Gamma completed its sale to the Egyptian regime and claims that the firm broke no laws in pursuing the sale of the FinFisher technology.

Still, the spectre of state sponsored hacking has come to the fore in recent months, as leaked diplomatic cables from Wikileaks, the Stuxnet worm outbreak targeting Iran and plans uncovered with the compromise at security firm HB Gary Federal raised the spectre of state-sponsored hacking and malware distribution.

The Obama Administration issued guidance in March clarifying the use of the term “cyberspace” to describe a domain analogous to air, land, space and maritime operations.

Feb 22 2011

Facebook ClickJacking : Malware takes on new Italian disguises

Facebook users have been subjected to clickjacking attacks that force them to authorize actions they had no intention of approving.

The latest few campaigns seen by SophosLabs, for instance, target Italian users of the social network.
Facebook clickjacking

COCA COLA: Dopo aver visto questo video non berrò più coca cola. Svelata la ricetta segreta. Guarda il video verita

Which translates as: “COCA COLA: After watching this video you won’t drink Coca Cola. The secret recipe revealed. Watch the video truth.”
Facebook clickjacking

LO SCHERZO DI SAN VALENTINO CHE STA FACENDO IL GIRO DEL MONDO! TE RETO A VER ESTA PAGINA PARA 5 SEGUNDOS SIN REIRTE

Which translates as: “THE VALENTINE’S DAY JOKE THAT IS GOING AROUND THE WORLD! I CHALLENGE YOU TO VIEW THIS PAGE FOR 5 SECONDS WITHOUT LAUGHING.”

All of these Facebook scams use clickjacking techniques to trick the user into “liking” them.

SophosLabs is intercepting the suspicious pages as Mal/FBJack-A.

Facebook users can protect themselves from clickjacking threats like this by using browser plugins such as NoScript for Firefox.

NoScript

Source: NakedSecurity | Sophos

Feb 08 2011

Viral and Malicious Facebook Application Toolkit

During last weekend a viral rogue app campaign hit Facebook again. This time the application was called “Profile Creeps” which, like many other rogue applications before it, promises to do what Facebook simply doesn’t allow *ANY* app to do – let us know who looks at our profile. But users are still tricked into installing apps that promise to do just this. And just like most others, the latest one leads to a survey that in the end generates money for the people behind the app.

Facebook Profile Creeps

let’s look at a very similar fraudulent application that “can” allow Facebook users to know who “creeps” at their profile, called “Facebook Profile Creeper Tracker Pro”. The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one that looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.

“Facebook Profile Creeper Tracker Pro” and similar fraudulent applications
Facebook Profile Creeper Tracker

This application was built with a pre-defined toolkit called “Tinie app” which is a Facebook viral application template available in some variations for only $25 or even less. The next image is one of the template images in the toolkit that aims to give some directions to the buyer, besides the full-blown step-by-step guide that comes with the kit itself:

Tinie Viral App

The buyer doesn’t have to have development experience with Facebook, he/she just needs to follow the accompanying instructions and a working viral Facebook application is at their disposal.

Source: Websense Security Labs Blog

Jan 09 2011

Facebook virus spreads via photo album chat messages

A new social networking worm in the vein of Koobface is currently doing the rounds.

Unlike the majority of Facebook scams, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.

The link in his Facebook chat from a friend pointed to an app.facebook.com/CENSORED link. Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately prompts you to download a “FacebookPhotos#####.exe” file with no prompting or clicking required.

Facebook Photo Virus

The screen reads “Photo has been moved. This photo has been moved to other location. To view this photo click View Photo.” If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.

It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.

The good news is that, Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message.