Sophos

Archive for October, 2008

October 2008 Clu-blog round-up

It’s the last day of the month, it’s a Friday, and I’m off to see the new James Bond film in a couple of hours.

I’ve got a spare couple of minutes before slipping on the tuxedo and putting the Walther PPK into its trusty holster, to give you a quick round-up of the blog posts I made this month. Maybe you missed a story or two - if so, here’s a handy place where you can catch up with them all.

Oh, and don’t forget that there are also easy ways to add the contents of this blog to your own website or homepage.

Protecting against things that go bump in the night..
Network Solutions and eNom targeted by phishing attack
Six arrested following Sarkozy bank account hack
Bono’s private bikini party photos exposed by Facebook privacy issue
Jaw jaw at RSA Europe and AMTSO

Who said email-based malware was dead?
Woman accused of hacking her virtual husband to death
Internet Watch Foundation Awareness Day
More information about critical Microsoft security vulnerability
IT staff await critical security update from Microsoft

Safari not-so-goody
AKILL’s hacker accomplice served with three month sentence
Ohio Secretary of State’s website hacked
Miley Cyrus hacker gets a visit from the FBI
Results of McAfee-sponsored West Coast Labs anti-virus test

Two minutes of spam with Google Earth
Korean sex spy jailed for five years
Nicolas Sarkozy et le poisson
Breaking news: Tom Cruise isn’t dead
Teen who brought down anti-virus website let off the hook

Teenage hacker admits Scientology DDoS attack
Mobile malware sends premium rate SMS messages
Who creates email hoaxes and why?
Adding this blog to your website, iGoogle, MyYahoo, MSN, etc
Sexy spammers are stalking me on Twitter

You have NOT received an eCard
Guest blog: Demanding money with menaces?
FTC shuts down major international spam operation
Student arrested for Vietnamese denial-of-service attack
NASA hacker’s Asperger’s gambit fails to convince UK authorities

Nigerian 419 scams: some fun with Wordle
Malicious Microsoft Security Update spammed out before Patch Tuesday
Marks & Spencer email hoax resurgence
Chip-and-pin fraud hits European supermarkets
Yahoo engineer arrested in Indian terror case

Hackers break into World Bank network, reports claim
$700,000 Romanian phisher pleads guilty
Behind the scenes of the VB2008 ponytail video
US Presidential Race makes the security headlines
Asus Eee Box PC ships with virus

Stop using WEP encryption!
Agobot malware case redux
VB2008: Lipstick, pigs, anti-virus and ponytails
VB2008: The first day
Trout appears in court in council spyware case
VB2008: John Hawes of Virus Bulletin interviewed


Protecting against things that go bump in the night..

A César Halloween mask

Uh-oh. It’s October 31st. And you know what that means.

Halloween.

Yes, it’s time for all of us without children to turn all the lights off in the house and hide under the bed in case teenagers come knocking on our door demanding treats with menaces.

There’s something cute about it when it’s six-year-olds ringing your doorbell, covered in bedsheets or wearing false vampire fangs, but when they’re happy-slappy ringtone-downloading ASBO-carrying hoodies loitering on your doorstep this particular annual ritual loses some of its sparkle.

Of course, some adults like to dress up in fancy dress for a spooky Halloween party. You may well have done something like that and gone to an online store to order your costume.

Let’s hope you didn’t pick up more than a Frankenstein costume - here are just a handful of the Halloween-related websites that we have discovered are carrying a malware infection at the moment:

Screenshot of the infected Halloween-themed websites

Visiting these websites puts your Windows computer at risk of infection, which could see your PC compromised by a hacker and perhaps even your identity stolen. You can find more information about these infected websites in a blog post that Pob of SophosLabs made earlier today.

We thought about making a little video about what viruses get up to on Halloween. Perhaps it’s the one night of the year when malware can creep out of the back of computers and run amok inside our virus labs. We were even trying to convince Vinny, one of our security guards, to be filmed at midnight coming across the rampaging viruses with just his torch and a sturdy baguette for protection.

But it’s been a hectic week, and there just hasn’t been time to fit it in. And anyway, when we saw this video comedy gorefest about an Apple Mac virus outbreak on Halloween we knew we couldn’t do any better:

Maybe I sounded too much like a kill-joy about Halloween above, and you might be disappointed we didn’t make our own video this time. Sophos did play its little part in adding to the seasonal fun though, by protecting Groupe César (link to translated version of article), a company that has been making masks since the 1800s.

With over 1300 employees and bases around the world, César has a vast catalog of masks and disguises - so you can imagine that this is a very busy time of year for them. But just because they are in the business of fun and dressing-up doesn’t mean they take the defence of their computers any less seriously.

It’s important to remember, of course, that computer security is a problem all year round, not just on Halloween.


Network Solutions and eNom targeted by phishing attack

So, you’re probably all familiar with the concept of hackers and identity thieves trying to steal your bank account details, your eBay login details or even passwords for your online games, but what about criminals trying to steal the login for your domain registration service?

The discovery of this new form of phishing attack, documented on the SophosLabs blog by my colleague Savio Lau, has generated some interest in the media with the likes of Dark Reading and ZDNet commenting on it.

Owners of legitimate website domains may be at risk if they receive emails like the following, which claim to come from domain registration services such as Network Solutions or eNom:

Network Solutions phishing email

In the case of the Network Solutions phishing email, part of the message body reads as follows:

We recently notified you that the registration period for your Network Solutions domain name has expired. As a benefit of having previously registered a domain name(s) with Network Solutions, you are eligible to receive a percentage of the net proceeds that were generated from the renewal and transfer of the domain name you chose not to renew. Since you have chosen not to renew the domain name listed below during the applicable grace period, we were successful in securing a backorder for this domain name on your behalf and it has been transferred to another party in accordance with the Service Agreement.

The other domain name registrar targeted by a similar attack, eNom, has taken the laudable step of warning its customers of the phishing campaign by displaying a warning on the front page of its website:

eNom phishing warning

What is perhaps most fascinating about these phishing campaigns is their timing. They seem to have appeared at the same time as domain registrar EstDomains found itself in increasingly hot water, amid spiralling allegations that the company has been too friendly to cybercriminals. ICANN (the Internet Corporation for Assigned Names and Numbers) notified EstDomains earlier this week that it was intending to terminate its status as a domain registrar.

If the computer underground feels that EstDomains won’t be a safe harbour for its websites any longer, could they be looking to steal domain registration accounts from innocent parties?

ICANN’s records indicate that EstDomains has approximately 281,000 domain names under its management.

If you believe you may have fallen for one of these scams and handed your account details to the scammers, log into your registrar account as soon as possible and change your password. While you are there, check that the contact email address, name servers and transfer lock on your domains have not been altered, since those are what an attacker with your login would change to take the domain from you. You should also contact your domain registrar immediately and tell them about the breach.
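As an added example (not code from the original post or from Sophos), here is a small Python check of the kind a mail administrator could run over a suspect registrar email. It parses the message, works out which registrar the headers claim it comes from, and flags any From address or link whose registrable domain is not that registrar’s, plus the urgency wording used in the lure quoted above. The sample messages and every domain in them (the .example addresses) are constructed for this example, and the registrar domain table is an assumption standing in for your own records of which registrars you actually use.

```python
"""Flag registrar-themed phishing emails whose links lead away from the
registrar they impersonate.

Added example for this page, not Sophos code.  The sample messages below
are constructed for illustration: the .example domains are invented and
the lure text echoes the wording quoted in the post.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Registrars named in the post and the domain their genuine mail and links
# use.  Assumption for the example: in practice build this from your own
# records of the registrars you hold accounts with.
REGISTRAR_DOMAINS = {
    "network solutions": "networksolutions.com",
    "enom": "enom.com",
}

# Phrases from the quoted lure that press the reader to act quickly.
URGENCY_PHRASES = (
    "has expired",
    "not to renew",
    "transferred to another party",
    "grace period",
)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude last-two-labels registrable domain.  Good enough for .com/.net
    here; a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw_message: str) -> dict:
    """Return the brand the mail claims, the registrable domains its links
    point at, and a list of findings.  An empty findings list means the mail
    passed these particular checks, not that it is safe."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # Which registrar does the mail claim to be?  Look at From and Subject.
    header_text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    claimed = next((brand for brand in REGISTRAR_DOMAINS if brand in header_text), None)

    # Collect the text of every plain or HTML part.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace") + "\n"

    links = sorted({registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)})

    findings = []
    if claimed:
        expected = REGISTRAR_DOMAINS[claimed]
        if from_domain and from_domain != expected:
            findings.append(f"From address is on {from_domain}, not {expected}")
        for host in links:
            if host != expected:
                findings.append(f"link points to {host} while the mail claims to be {claimed}")
    lure = [p for p in URGENCY_PHRASES if p in body.lower()]
    if lure:
        findings.append("urgency lure: " + ", ".join(lure))
    return {"claimed": claimed, "from_domain": from_domain, "links": links, "findings": findings}


# Constructed sample: a lure in the style quoted in the post, with a link
# whose host merely starts with the registrar's name.
SAMPLE_PHISH = """\
From: "Network Solutions" <renewals@netsol-customer-care.example>
To: owner@victim-domain.example
Subject: Network Solutions: domain name transferred to another party

We recently notified you that the registration period for your Network
Solutions domain name has expired. Since you have chosen not to renew the
domain name listed below during the applicable grace period, it has been
transferred to another party.

Log in to claim your share of the proceeds:
http://networksolutions.com.login-verify.example/account
"""

# Constructed sample of a benign registrar notice for comparison.
SAMPLE_LEGIT = """\
From: "eNom Support" <support@enom.com>
Subject: eNom: scheduled maintenance notice

Our control panel will be unavailable on Sunday. Details at
https://www.enom.com/status
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample))
```

The check deliberately compares the registrable domain of the link rather than the whole hostname, because a lure such as networksolutions.com.login-verify.example passes a naive "does it mention the registrar" test. The two-label heuristic in registrable_domain is the weak spot: for country-code TLDs like .co.uk you need the Public Suffix List.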


Six arrested following Sarkozy bank account hack

Sarkozy and his wife Carla Bruni

When you have a victim of banking fraud as high profile as the President of France, it’s not surprising that the authorities will put a lot of resources and effort into getting to the bottom of who might be responsible.

According to media reports, French police have now arrested a total of six people in connection with the breach of President Nicolas Sarkozy’s bank account.

President Sarkozy filed a complaint with police last month following withdrawals of “small amounts of money” from his personal Parisian bank account. It is alleged that the money was used to set up mobile phone subscriptions - and some of the people arrested are said to be employees of a cellphone store in Rouen.

Of course, it should be remembered that identity theft isn’t just a problem for famous people like Sarah Palin, Paris Hilton or Nicolas Sarkozy. It can, and does, affect all of us, and we must all do what we can to defend ourselves properly.


Bono’s private bikini party photos exposed by Facebook privacy issue

Are you a member of a geographic network on Facebook?

We’ve raised the privacy challenges on Facebook, and specifically the issue of geographic networks you might have joined, before - and now rock star Bono of U2 has had private photos exposed to the media because of it.

Check out the video we have made for more information:

The 48-year-old Cuban-heeled crooner and anti-poverty campaigner was revealed to have been up to hijinks in St Tropez with a couple of bikini-clad girls after they posted their private photos to the social networking site.

The only problem was that American fashion student Andrea Feick was a member of the New York geographic network on Facebook, meaning that her profile was open for over a million people to view. Of course, this could all be very innocent and the girls could be family friends - but that didn’t stop the newspapers making hay about what Bono might be up to away from his wife Ali.

Facebook is made up of thousands of networks worldwide, and users are encouraged to join them in order to meet and make friends with people in their area.

Even if you have previously set up your privacy settings to ensure that only friends can view your personal information and photos, joining a geographic network (such as New York or London) automatically opens your profile to every other member of the network.

Facebook automatically changes your privacy settings when you join a geographic network - potentially opening up your private information to identity thieves - so you have to be careful to reset your security on the site to keep strangers away from your holiday snaps. Facebook’s privacy features are more sophisticated than some competing social networking sites, but the fact that it changes these without asking when you join a geographic network is not good at all.

Last year, Sophos research revealed that 75 percent of the London network, the largest geographic network on the site, were allowing their profiles to be viewed by any other member of the network. Worryingly, 54 percent were revealing their full date of birth - vital information for hackers wishing to commit identity fraud.


Jaw jaw at RSA Europe and AMTSO

RSA Conference Europe

If you revolve in security circles then you may well know that this week is “RSA week”. The European version of the well-known stateside security conference is taking place over the next few days at the ExCeL Centre in London’s rejuvenated docklands.

(By the way, am I the only one to get annoyed by the overuse of camel-case in the ExCeL Centre’s name? It’s like a convention of dromedaries..)

If you’re going to the conference, please feel free to drop in on a roundtable discussion I am participating in tomorrow morning at 10.15am. I, and luminous peers such as David Perry from Trend Micro, Larry Bridwell from AVG and Andreas Marx of independent testing labs AV-Test, will be discussing “The Need To Adopt Standards-Based Anti-Malware Testing Methodologies”.

And if you’re in the market for encryption (and let’s face it, with the barrage of stories of data leakage foul-ups, you probably should be) you could do a lot worse than have a chat with those lovely chaps from Utimaco on stand 46.

RSA Europe week serendipitously coincides with the next meeting of AMTSO (the Anti-Malware Testing Standards Organisation), a cross-industry group designed to improve the quality of anti-virus tests.

A motley crew of anti-virus researchers and other interested parties from companies such as Trend Micro, AV-Test, ICSA Labs, Eset, McAfee, Norman, Symantec, Virus Bulletin, AVG, MessageLabs (aren’t they now Symantec? Sounds like someone is after extra drinks..), F-Secure, Panda, Bit9, Alwil, Kaspersky, Microsoft, and others I’ve probably forgotten.. are descending on Oxford, as Sophos HQ will be the venue on Thursday and Friday this week.

This horde is planning to have a night out amid the dreaming spires of Oxford on Thursday night. I imagine this will be an evening of high art, classical music and witty repartee. I’ll report back on who ends up spending the night in jail.


Who said email-based malware was dead?

Today SophosLabs has published its latest report into the state of spam - focusing on how the problem has become increasingly malicious.

It makes for pretty interesting reading - particularly the revelation that there are eight times as many emails containing malware file attachments as there were earlier in the year.

The report also includes some stats on the dirty dozen spam-relaying countries, with - you guessed it - America still in the lead. As you can see in this video, my colleague Carole thinks that’s pretty boring and predictable:

You can also listen to a podcast all about the spam report. I don’t know what was going through podcast producer Yogi’s mind when she named it “The Spam Surge Unzipped”. Search engine rankings I expect…


Woman accused of hacking her virtual husband to death

My guess is that many of you are still working hard on rolling that critical Microsoft security patch across your business - so here’s a quirky story for you to cheer you up this Friday.

A Japanese player of the online interactive game “MapleStory” has been arrested by police after allegedly breaking into her virtual husband’s account and killing his avatar.

According to media reports, the woman is suspected of carrying out the virtual murder after her fellow player and online love “divorced” her in the game without warning.

It sounds as though her 33-year-old Sapporo-based office worker victim (who no doubt was 6 foot 4, and rippling with muscles in the online game) was careless and shared too much information with his one-time internet lover, which helped her break into his account and kill his character when the relationship turned sour. He subsequently complained to police, who arrested the woman on Wednesday at her home in southern Miyazaki.

We’ve seen hackers break into virtual games before of course - sometimes to cause mischief, but other times to steal virtual goods that they then sell for profit. Indeed, it’s surprising how much money can be made by selling “virtual gold” online to fellow games players.

Screenshot of the MapleStory Japanese homepage

I’d never heard of “MapleStory” before (I’m so unhip..) but apparently it’s a lot like other MMORPGs, albeit in 2D rather than the 3D world of “World of Warcraft” or “Second Life”. Judging by the screenshot of its Japanese homepage above, though, it’s also a fair bit cuter.

Anyway, a useful reminder to all us chaps that hell hath no fury like a woman scorned. And doubly so, it seems, if the internet is involved. So make sure that you choose your passwords sensibly, never share them, and keep them secure, unless you want to end up as the murder victim at a virtual crime scene.


Internet Watch Foundation Awareness Day

The Internet Watch Foundation (IWF) is the UK’s internet “hotline” for the public to report online child sexual abuse content they find on the internet, hosted anywhere in the world. The public can also go through the IWF to report criminally obscene material and content which incites racial hatred if it’s hosted in the UK.

Today is Internet Watch Foundation Awareness Day, and Sophos is pleased to support the initiative to make more people aware of the extremely valuable service that the IWF provides. We support the IWF’s aims and work with them to protect internet users from inadvertent exposure to child sexual abuse images.

New research published by the IWF today indicates that over three quarters (77%) of UK adult internet users who have stumbled across images of children being sexually abused are unsure about how to report them. That’s the reason why awareness campaigns like today are so important - everyone in Britain should know about the IWF (or the equivalent agency in their country) so that correct action can be taken when illegal content is found.

There’s no doubt about the importance of combatting online child sexual abuse images. Another statistic from the IWF’s research shows that 71% of those surveyed ranked the availability of such material as their top concern about the internet.

As Pob in our virus lab describes today in a blog post, some of the images we see included in spam, or found at the end of the weblinks that spam carries, can be extremely disturbing, and where appropriate we report them to the IWF.

But other people should know how to report these things too. And now you do: http://www.iwf.org.uk/

Founded by the internet industry in 1996, the IWF works in partnership with the police, government, the wider online sector and the public to combat the availability of potentially illegal online content. As a result, less than 1% of online child sexual abuse content has apparently been hosted in the UK since 2003, down from 18% in 1997.


More information about critical Microsoft security vulnerability

As anticipated in the blog entry I made earlier today, Microsoft has published a highly critical patch (known as MS08-067) for Windows users.

Vanja in our labs has described the issue in greater detail on the SophosLabs blog and there is a more detailed analysis, including Sophos’s own take on the vulnerability, in a technical advisory.

Of course, you should also read Microsoft’s own official advisory on their website and download the patch. (Did I mention that? Get patched.)

This is a very serious vulnerability - you are advised to patch any potentially affected systems as a matter of priority in case hackers decide to exploit it with a fast-spreading internet worm.

If you’re in any doubt about the importance of rolling out the patch - just remember that in the past, hackers have released attacks exploiting security vulnerabilities within hours of Microsoft publishing a fix. Cybercriminals have a window of opportunity between a fix being published and it being deployed across your systems, and have historically not wasted it.

Finally, it’s less than ideal if the first you heard about this Microsoft security patch was on this blog. Every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.

PS. In case I forgot to say - roll out the patch. Thanks.