Nov 12

As companies move to restrict Web surfing at work, more of them are blocking access to MySpace than to Facebook, according to a survey released Wednesday by Web security company Barracuda Networks Inc.

While 44% of companies using Barracuda’s Web filtering technology block access to MySpace, only 26% are doing the same to Facebook, according to an analysis of data contributed by several thousand customers, Barracuda said. While 19% of companies blocked both sites, half said they block one or the other or both, the analysis showed.

Barracuda also conducted a separate survey of 228 IT security workers. It showed that 53% of businesses restrict Web surfing with automated Web filtering systems and almost two-thirds (65%) expect to enforce Web surfing restrictions in 2008. That would represent a 23% increase in the number of companies doing so. The top two reasons companies cited for enforcing Web surfing restrictions were virus or spyware protection (70%) and employee productivity drain (52%).

More than a third of the companies (36%) pointed to bandwidth concerns, while 28% cited liability issues as prompting them to restrict employee Internet access, the survey noted.

The analysis of the data from the Web filters shows that companies consistently block Web sites with content related to hacking, illegal drugs, intolerance and hate, phishing and fraud, offensive content, terrorism, violence, weapons and spam.

Companies had varying approaches to Web surfing, with 21% actively monitoring employee Internet activity and 6% enforcing time restrictions on employee use of the Internet.

“Businesses are increasingly applying content-control mechanisms to protect their networks and maintain maximum organization productivity,” Dean Drako, president and CEO of Barracuda Networks, said in a statement. “With the changing face of the Internet, companies need the flexibility to continuously monitor and customize Internet policy enforcement while providing their employees optimum use of the Web.”

Oct 23

In the same week that Skype announced its big deal with MySpace, the world’s largest social network, it has been hit by a major Trojan virus, the second in just over a month.

Researchers at McAfee have found the Trojan PWS-Pykse, which advertises itself to users as “Skype Defender”. It works by tricking users into executing the malware.

The “Skype Defender” Trojan is classified as an infostealer, according to Skype Security. It appears as a plug-in confirmation window, saying “Skype-Defender(TM) Installed! Please login to your account to apply new plugins”.

If users click “OK”, it brings up what looks like the Skype login screen, although apparently the button design is slightly different.

If a user enters their name and password, they are informed that they have not been recognised, but the malware has collected them by that point, along with all their other usernames and passwords stored in Internet Explorer.

Skype has issued information about the problem: “To remove the malware, please update your anti-virus software. At this time, we have notified F-Secure, TrendMicro, Symantec, WebSense, and FaceTime Security Labs. For manual removal it is enough to delete the 65404-SkypeDefenderSetup.exe file.”

This is in stark contrast to the bold claims on Skype’s website, which states that “Skype is free of Adware, Spyware and Malware” and goes on to boast: “We will not display unwanted and intrusive advertising, or allow any malware or spyware to operate”.

Oct 23

A technology lawyer says that Facebook has paid a high price for making a basic Web 2.0 mistake that sites like MySpace, Flickr and YouTube avoid.

Investigators working for New York Attorney General Andrew Cuomo posed as young teenagers and set up profiles on Facebook. According to a statement from Cuomo’s office, “they received online sexual advances from adults within days and found widespread pornographic and obscene content.”

The investigators also accused Facebook of failing to respond, and at other times being slow to respond, to complaints lodged by investigators posing as parents of underage users, asking the site to take action against predators that had harassed their children.

Cuomo issued a subpoena to Facebook less than a month ago, demanding sight of certain documents. It was accompanied by a letter warning the company that “it could potentially face consumer fraud charges for failing to live up to its claims that youngsters on the website were safer from sexual predators than at most sites and that it promptly responds to concerns.” Facebook had also represented itself as a “trusted environment for people to interact safely,” according to Cuomo.

Facebook’s settlement of the complaint was announced at a press conference on Tuesday.

Under the terms of the settlement, Facebook agrees “to respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.” It must also report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been emailed to abuse@facebook.com.

Hyperlinks must be placed “throughout Facebook’s website” for accepting complaints about nudity or pornography, harassment or unwelcome contact. An Independent Safety and Security Examiner will be appointed to report on Facebook’s compliance.

Facebook must also provide “a prominent and easily accessible hyperlink” to allow a Facebook user or their parent to give feedback direct to the Examiner.

“I applaud Facebook for addressing my office’s concerns about the site’s representation that they provided a safe environment and an expeditious complaint review process,” said Cuomo. “I believe our agreement will provide additional confidence to young people and parents alike and give Facebook a competitive advantage in the marketplace for setting a new standard for safety.”

The Attorney General’s statement also quoted Facebook’s founder and CEO. “Privacy and safety have been a priority since we first built Facebook,” said Mark Zuckerberg. “Our agreement with Attorney General Cuomo will set new industry standards to stop abuse online.”

“We applaud the Attorney General’s leadership and are committed to working together to keep Facebook safe,” added Zuckerberg.

Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said that Facebook’s failure to take some of these steps of its own volition was a surprise.

“Any site that relies on user-generated content, whether it’s a small blog or a social networking giant, needs a prominent complaint mechanism. That doesn’t just help users, it also helps to channel complaints in a way that makes them manageable. I’m amazed that Facebook didn’t have that already,” he said. “It’s even more important for a site that’s targeting children as well as adults.”

Facebook claims to have 47 million users. Its terms and conditions state that the site is “intended solely for users who are thirteen (13) years of age or older”. The company’s Chief Privacy Officer, Chris Kelly, told reporters this week that it believes 80% of users are over 18 but that it has no firm data.

“If Facebook had had obvious complaint systems like YouTube, Flickr and MySpace it might have avoided the Attorney General’s action. It’s now stuck with onerous demands to address complaints within 24 hours and to report on steps taken within 72 hours. Other sites will surely fear these time limits becoming the industry standard.”

In the UK, the general rule is that website operators must deal with complaints about unlawful third party material ‘expeditiously’. Robertson said that there is no case law that defines how fast that should be, though. “The only legislative reference we have to a specific time limit for the removal of online material is in the Terrorism Act,” he said. Where police officers order a site to remove material that encourages acts of terrorism, the operator must comply within two days, according to that legislation.

Oct 23

With an increase in the number of phishing-related Web sites popping up on the Internet, protecting personal and financial information is becoming more of a challenge.

The scam occurs when an e-mail is sent by a hacker pretending to be from a business or bank and instructs the reader to click on a link that leads to a counterfeit Web site of the business. Upon clicking that link, the reader is asked to provide sensitive information, such as account or Social Security numbers.

The scam continues to evolve and improve. One of the more recent developments is the inadvertent downloading of information-stealing “crime-ware” onto your computer once the link in the phishing e-mail has been clicked, according to the Anti-Phishing Working Group, which includes hundreds of banks, online retailers, technology companies and government agencies and works to spread the word against phishing.

Other recent phishing attempts have involved the Internal Revenue Service. In some of those scams, an e-mail was sent during tax season and instructed the reader to click on a link to receive a refund. The link sent readers to a Web site that looked identical to the IRS site, where they were instructed to provide their Social Security number and credit and bank account numbers.

A computer worm in 2006 took over pages on the social networking Web site MySpace. The worm altered links to direct surfers to sites that were designed to steal login information.

According to computer security company McAfee, the top brand that is exploited by phishing scams is PayPal, at 45 percent, followed by eBay at 27 percent. The most common phishing subject line, according to McAfee, is “Question from eBay Member regarding Item.”

While the number of phishing Web sites has increased, there is a silver lining to this scam: The United States is actually now second in the world in the number of phishing scams reported, slightly behind China — by 1 percent. In addition, the number of days phishing Web sites are up and illicitly collecting information has decreased from nearly a week in October 2004 to 3.6 days by July 2007, according to the Anti-Phishing Working Group.

Sep 17

There is a Sandman impersonator roaming MySpace. Please do not send this person money for bookings, because he is not associated with the former ECW champion. Sandman is being exclusively booked by Tod Gordon. If you are interested in booking him go to www.myspace.com/pwuczar.

Sep 12

Online ads infected with a Trojan virus have been delivered to users of numerous high profile sites participating in Yahoo-owned Right Media’s online ad exchange, according to Web security firm ScanSafe.

ScanSafe reported that during a period beginning August 8th and lasting until early September, it saw a surge in the number of instances of Trojan-Downloader.VBS.Agent it was blocking. The virus was being unknowingly distributed by over 70 Right Media ad servers, which ScanSafe estimates delivered up to 12 million infected ads in recent weeks. MySpace, Bebo, Photobucket and The Sun were among the sites carrying virus-laden ads.

Although declining an interview, a Right Media spokesperson issued a statement saying, “We became aware of a Trojan [advertisement] introduced into the Right Media Exchange by a member network. The ad has been identified as a high risk creative and banned from the exchange”.

The Trojan itself required no interaction from the user to infect their machine, meaning that insufficiently patched operating systems were vulnerable simply by browsing to a page containing the ads. The adverts were being delivered to Right Media’s network from a third-party ad server, which was rotating both legitimate and infected ads. The infected placements delivered a Flash file generating an invisible ‘iFrame’, which prompted the download of a Trojan executable file.

In a recent press release, Dan Nadir, vice president for product strategy at ScanSafe, said “this is another example of how legitimate ‘trusted’ Web sites can unknowingly host malware. Online ads have become a primary target for malware authors because they offer a stealthy way to distribute malware to a wide audience”.

On its Web site, Right Media describes how each newly uploaded creative is run through a series of 10 tests in order to detect malicious activity. ScanSafe suggested the infected ads were designed to distinguish between scanning servers and regular site servers, and to deliver to the former ads with no malicious code to avoid detection.

Right Media’s spokesperson did not discuss plans to prevent future incidents of this nature, but said the ad exchange is “committed to finding ways of keeping this type of activity away from consumers and publishers”.

The use of online advertising as a delivery mechanism for malware appears to be a rising menace. A report released earlier this summer by the Finjan Malicious Code Research Center found a rise in the use of affiliate ad networks to infect computers with keystroke loggers and other malicious code.

Aug 08

A million US victims lost “billions of dollars” to email phishing scams in the past two years, new research has warned.

According to Consumer Reports’ latest State of the Net survey, American consumers lost more than $7 billion over the last two years to viruses, spyware, and phishing scams.

Additionally, the survey shows that consumers face a one in four chance of succumbing to an online threat, a number that has slightly decreased since last year.

The number of consumers responding to email phishing scams has remained constant at eight per cent. The research projects that one million US consumers lost billions of dollars over the past two years to such scams.

The study went on to warn that many underage youngsters are at risk on social networks such as MySpace and Facebook. In households surveyed with minors online, 13 per cent of the children registered on MySpace were younger than 14, the minimum age the site officially allows, and three per cent were under 10. And those were just the ones the parents knew about.

Based on the survey, Consumer Reports projects that problems caused by viruses and spyware resulted in damages of at least $5 billion over the past two years.

The poll was conducted by the Consumer Reports National Research Center among a nationally representative sample of more than 2,000 US households with internet access.

Based on survey projections, computer virus infections prompted an estimated 1.8 million households to replace their computers in the past two years and 850,000 households to replace computers due to spyware infections in the past six months.

Additionally, 33 per cent of survey respondents did not use software to block or remove spyware. And the study projects that 3.7 million US households with broadband remain unprotected by a firewall.

Jul 24

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections.

[Image: screen snapshot of ‘timberlinebombinfo’ MySpace account]

The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.

While there’s been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn’t said much about it since. The two other cases in which federal investigators were known to have used spyware–the Scarfo and Forrester cases–involved agents actually sneaking into offices to implant key loggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

“The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” Sanders wrote. A reference to the operating system’s registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was “previously connected to.”

News.com has posted Sanders’ affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.

There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an “Internet Protocol Address Verifier” that was sent to a suspect via e-mail.

But bloggers at the time dismissed it–in hindsight, perhaps erroneously–as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.

Finding out who’s behind a MySpace account

An interesting twist in the current case is that the county sheriff’s office learned about the MySpace profile–timberlinebombinfo–when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff’s office reported that 33 students received a request to post the link to “timberlinebombinfo” on their own MySpace pages.

In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: “There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am.”

The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.

That’s when the FBI decided to roll out the heavy artillery: CIPAV. “I have concluded that using a CIPAV on the target MySpace ‘Timberlinebombinfo’ account may assist the FBI to determine the identities of the individual(s) using the activating computer,” Sanders’ affidavit says.

CIPAV was going to be installed “through an electronic messaging program from an account controlled by the FBI,” which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)

After CIPAV is installed, the FBI said, it will immediately report back to the government the computer’s Internet Protocol address, Ethernet MAC address, “other variables, and certain registry-type information.” And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There’s no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers — which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI’s perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV. Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order. The verbatim results of our survey are here.

Written by: Declan McCullagh