“This is a new tactic we haven’t really seen before,” said Paul Wood, senior intelligence analyst for Symantec.cloud, the company’s Web-based security and email branch.
The emails invariably contain some kind of Trojan downloader, which can be used to download other malware or steal documents from the computer.
Symantec published examples of the emails collected recently in its latest monthly Symantec Intelligence Report, released on Tuesday. The emails at first glance look quite convincing, with a subject line “Fwd: Scan from a HP Officejet.” The email reads “Attached document was scanned and sent to you using a Hewlett-Packard HP Officejet 05701J” and then “Sent by Morton.”
Wood said it is common for the scammers to spoof the sender’s name and make it appear that the email came from the same domain as the recipient’s. At a cursory glance, some of the messages captured by Symantec appear to be internal company email, which makes it more likely that the recipient will open the attachment.
The attachment is a “.zip” file, which is odd. Wood said it is unlikely that most printers with email-sending capability can actually send a “.zip” file; those printers mostly send image files.
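A mail-filter heuristic for the lure described above, written here as an added example rather than Symantec’s own detection logic: it flags a scanner-themed subject that carries a .zip attachment and records whether the sender was spoofed into the recipient’s own domain. The sample message and the domain example-corp.com are constructed.

```go
package main

import (
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Constructed sample modelled on the lure: the sender sits in the recipient's own
// domain and a .zip is attached where a real scan-to-email printer sends an image.
const sample = `From: Morton <morton@example-corp.com>
To: jane@example-corp.com
Subject: Fwd: Scan from a HP Officejet
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="scan.zip"

UEsDBBQAAAAIAA==
--b1--
`

// Verdict collects the indicators the article calls out.
type Verdict struct {
	SameDomain  bool // sender and recipient share a domain (spoofed "internal" mail)
	ScannerLure bool // subject claims the mail comes from a scanner
	ZipAttached bool // a .zip attachment, which scan-to-email printers do not send
}

// Suspicious is the article's rule: a scanner lure carrying a .zip archive.
func (v Verdict) Suspicious() bool { return v.ScannerLure && v.ZipAttached }

// domainOf returns the lower-cased domain of an address header ("" if unparsable).
func domainOf(header string) string {
	if a, err := mail.ParseAddress(header); err == nil {
		return strings.ToLower(a.Address[strings.LastIndex(a.Address, "@")+1:])
	}
	return ""
}

// Analyze parses one raw RFC 5322 message and scores it against the indicators.
func Analyze(raw string) (v Verdict, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return v, err
	}
	from, to := domainOf(msg.Header.Get("From")), domainOf(msg.Header.Get("To"))
	v.SameDomain = from != "" && from == to
	v.ScannerLure = strings.Contains(strings.ToLower(msg.Header.Get("Subject")), "scan")
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return v, nil // single-part mail carries no attachments
	}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return v, nil
		} else if err != nil {
			return v, err
		}
		// FileName() is empty for parts without a Content-Disposition filename.
		v.ZipAttached = v.ZipAttached || strings.HasSuffix(strings.ToLower(p.FileName()), ".zip")
	}
}
```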
U.S. prosecutors have launched a criminal inquiry into whether eBay Inc employees took confidential information from classified ad website Craigslist as eBay sought to build a rival service, a copy of a grand jury subpoena obtained by Reuters shows.
The two companies have been feuding for years in civil court over allegations that online giant eBay took a stake in Craigslist and then misappropriated confidential information while it covertly planned its own classifieds site.
The subpoena seeks information regarding several eBay personalities, including founder and Chairman Pierre Omidyar and Joshua Silverman, the former Skype chief executive who served as eBay’s representative on Craigslist’s board.
An eBay spokeswoman, Amanda Miller, said the company would cooperate in any inquiry related to the disputes with Craigslist.
“EBay believes that Craigslist’s allegations against eBay are without merit,” Miller said in an email on Tuesday. “We will continue to vigorously defend ourselves, and we will aggressively pursue our claims against Craigslist.”
Last year, a Delaware Chancery Court judge ruled that Craigslist properly removed an eBay representative from its board. The judge also ruled that Craigslist could not dilute eBay’s 28.4 percent stake in the company.
Miller said allegations of misconduct were leveled by Craigslist as a defense in the Delaware case, and the court did not rule in Craigslist’s favor on the defense.
Craigslist representatives did not respond to an email seeking comment.
Dubbed BMW by 360 and Mebromi by other security vendors, the threat has separate components for the operating system, the master boot record (MBR) and the system BIOS.
A computer’s BIOS holds a set of low-level instructions that execute before the boot loader to detect and initialise the computer’s hardware components.
There are various types of BIOS, depending on motherboard and manufacturer, but according to 360, BMW only infects Award BIOS versions produced by Phoenix Technologies.
The malware adds a BIOS module called HOOK.ROM, which determines if malicious code has been erased from the MBR and restores it if necessary.
The MBR instructions serve a similar purpose: before the operating system starts, they check whether certain Windows files are still infected and reinfect them if they are not.
Thus, the BIOS hook and MBR code restore the rootkit at every reboot. Ultimately malicious code is added to winlogon.exe on Windows XP and Windows Server 2003, and to wininit.exe on Windows Vista and Windows 7.
BIOS malware is very rare, which makes BMW an interesting find; however, hooking the BIOS for malicious purposes is not a new concept. One of the first attempts to put it into practice was the CIH virus in 1999, which ended up damaging infected systems.
Fortunately, because of hardware diversity, users don’t need to worry about this type of malware becoming widespread. BIOS flashing is so different from one motherboard manufacturer to another that it is almost impossible to develop code that does it reliably on the majority of systems.
It’s worth pointing out that motherboards are not the only devices whose firmware can be infected by malware. Certain home routers have also been targeted by trojans in the past and have even been joined together in botnets.
The company’s assertion came after a massive theft of more than 500 SSL (Secure Sockets Layer) certificates, including several that could be used to impersonate Microsoft’s update services, was revealed by Dutch authorities and several other affected developers.
“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers,” said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. “The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft.”
Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.
According to Microsoft, the certificates issued for windowsupdate.com couldn’t be used by attackers because the company no longer uses that domain. (Windows Update is now at windowsupdate.microsoft.com.) However, those for update.microsoft.com — the domain for Microsoft Update — and the wildcard *.microsoft.com could be.
As Ness said, updates delivered via Microsoft’s services are signed with a separate certificate that’s closely held by the company.
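An added illustration of Ness’s point, not Microsoft’s code: a client that pins a single signing root rejects a binary whose certificate chains to a browser-trusted CA, even when that certificate names update.microsoft.com, while a web-style trust store containing that CA would accept it. Certificates are modelled minimally with Ed25519 keys; all keys, names and payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// Cert is a minimal stand-in for an X.509 certificate: a subject name, the
// subject's public key and the issuing CA's signature over both.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// tbs is the "to be signed" encoding of a certificate.
func tbs(c Cert) []byte { return append([]byte(c.Subject+"\x00"), c.PubKey...) }

// Issue has a CA sign a certificate binding subject to pub.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, PubKey: pub}
	c.Sig = ed25519.Sign(caPriv, tbs(c))
	return c
}

// Verify accepts data only if c chains to a root in the trust store and sig is valid.
func Verify(roots []ed25519.PublicKey, c Cert, data, sig []byte) error {
	trusted := false
	for _, r := range roots {
		trusted = trusted || ed25519.Verify(r, tbs(c), c.Sig)
	}
	if !trusted {
		return errors.New("certificate does not chain to a trusted root")
	}
	if !ed25519.Verify(c.PubKey, data, sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario models the article's argument with constructed keys. A fraudulent
// update.microsoft.com certificate from a browser-trusted CA satisfies a TLS-style
// check against the web trust store (fraudTLS == nil), but the update client trusts
// only Microsoft's own signing root, so a binary signed under it fails (fraudUpdate != nil).
func Scenario() (fraudTLS, fraudUpdate error) {
	msRootPub, _ := keygen()              // Microsoft's closely held signing root
	publicCAPub, publicCAPriv := keygen() // a browser-trusted CA, here the compromised one
	webStore := []ed25519.PublicKey{publicCAPub}
	updateClientStore := []ed25519.PublicKey{msRootPub}
	// Fraudulently issued certificate for update.microsoft.com, used to sign a fake update.
	fraudPub, fraudPriv := keygen()
	fraudCert := Issue(publicCAPriv, "update.microsoft.com", fraudPub)
	fake := []byte("constructed: not a real update binary")
	fakeSig := ed25519.Sign(fraudPriv, fake)
	return Verify(webStore, fraudCert, fake, fakeSig), Verify(updateClientStore, fraudCert, fake, fakeSig)
}
```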
That part of the site has been taken down and instead delivers a statement from the company about the intrusion.
Nokia said that during its ongoing investigation of the incident, it discovered that a database table containing e-mail addresses of developer forum members was accessed by exploiting an SQL injection vulnerability in the bulletin board software.
“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger,” the statement said.
Nokia did not specify when the site was hacked, though it is likely to have happened last week, according to some reports.
The database table records include members’ e-mail addresses and, for the fewer than 7% of members who chose to include them in their public profile, birth dates, homepage URLs (uniform resource locators) or usernames for AIM, ICQ, MSN, Skype or Yahoo services. Sensitive information such as passwords and credit card details was not compromised, and the potential fallout of the hack is likely to be limited to unsolicited mail, Nokia said.
After addressing the initial vulnerability, Nokia said it took the developer community website offline as a precautionary measure, while it conducts further investigations and security assessments. The developer community section was still down on Tuesday.
Soon after the hack, visitors to the community pages were taken to a third-party web page containing an image of Homer Simpson, the character from the TV series The Simpsons, and a message, warning the company to patch its security holes, according to reports.
A list of 27 user names and encrypted passwords allegedly for an Apple website was posted to the Internet over this past weekend along with a warning from hacker group Anonymous that the Cupertino-based computer maker could be a target of its attacks.
The list was posted to the Pastebin website, a hosting site for text files, by an unknown user under the title “Not Yet Serious.” It wasn’t immediately clear if the user is a member of the Anonymous hacking group, but the existence of the file became widely known after Anonymous linked to it in a Twitter message.
“Not being so serious, but well,” the message read before linking to the PasteBin page. “Apple could be target, too. But don’t worry, we are busy elsewhere,” the message said.
The data appears to be a set of user names and encrypted passwords from an SQL database for an online survey at the Apple Business Intelligence website. The site is currently offline.
Apple did not immediately respond to a request for comment.
In an apparently unrelated posting, a Lebanese grey-hat hacker called idahc_hacker said he had found vulnerabilities on another Apple website. The SQL injection and iFrame code attacks can be used by hackers to gain unauthorized access to data.
Grey hat hackers do not normally hack for malicious purposes, and the Lebanese hacker did not post any data obtained from the site.
In pointing out the hacks, he said he was not part of Anonymous or LulzSec, an allied group that disbanded recently.
A flaw in Skype for Android could let criminals collect private information from mobile devices, including the user’s name and email address, contacts and chat logs, the Internet calling software maker confirmed Friday.
One security researcher called it “sloppy coding” and a “disrespect for your privacy.”
Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the cellular phone.
The files contain an abundance of information about the Skype account and the smartphone’s owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
“Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them,” said Case. “Not only are they accessible, but [they're] completely unencrypted.”
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
“A rogue developer could modify an existing application with code from our proof of concept, distribute that application on the [Android] Market, and just watch as all that private user information pours in,” Case said.
Case’s concern is well-founded. Last month Google yanked more than 50 malware-infected apps from its Android Market, while three weeks ago Czech security company AVAST said a different rogue designed to shame software pirates sent personal information to the maker of the “Walk and Text” app.
On Friday, Skype acknowledged what it called a “privacy vulnerability” in its Android client. Although it promised to address the problem, it did not spell out a timetable.
“We are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application,” said Adrian Asher, Skype’s chief information security officer, in an entry on a company blog.
As of late Sunday, the Skype app for Android had not been updated.
Although the Hamburglar is known for attempting to steal from McDonald’s, he is probably not the culprit in this latest, more serious theft. McDonald’s reported that it is working with law enforcement authorities after hackers broke into another company’s databases and stole information about an undetermined number of the fast food chain’s customers.
McDonald’s has also alerted potentially affected customers via email and through a message on its Web site.
“We have been informed by one of our long-time business partners, Arc Worldwide, that limited customer information collected in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party,” a McDonald’s spokeswoman said via email on Saturday.
McDonald’s hired Arc to develop and coordinate the distribution of promotional email messages, and Arc in turn relied on an unidentified email company to manage the customer information database. This email company’s systems were hacked into.
The data, which customers had provided voluntarily, doesn’t include Social Security numbers, credit card numbers or any other sensitive financial information, she said.
“Rather, the limited information includes what was required to confirm the customer’s age, methods to contact the customer, and other general preference information,” the spokeswoman added.
This means that customer data likely includes full names, phone numbers, postal addresses and e-mail addresses. The spokeswoman didn’t say what information was required for age confirmation, so it’s not clear if customers simply checked a box saying they were adults or if they had to provide their date of birth.
“In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us,” reads the McDonald’s note to customers. The number to call is 1-800-244-6227.
In addition to working with law enforcement agencies, McDonald’s is probing the security breakdown at the company hired by Arc, which is the marketing services division of ad agency Leo Burnett. Arc’s specialities include digital communications, direct marketing, promotions and shopper marketing, according to its website.
The Federal Communications Commission (FCC) confirmed on Wednesday that it is investigating whether Google broke any federal eavesdropping laws when collecting data for its increasingly unpopular Street View mapping service.
The investigation stems from Google’s disclosure recently that its Street View cars collected passwords, e-mails and other personal information from unprotected residential wireless networks, the FCC said in a statement.
In light of Google’s disclosure, “we can now confirm that the Enforcement Bureau is looking into whether these actions violate the Communications Act,” Michele Ellison, chief of the FCC’s Enforcement Bureau, said in the statement.
“As the agency charged with overseeing the public airwaves, we are committed to ensuring that the consumers affected by this breach of privacy receive a full and fair accounting,” the FCC statement said.
The FCC’s investigation adds to the growing list of organizations that are looking into whether Google broke any laws when collecting data for Street View. In May, Google disclosed that the accidental inclusion of code written for an experimental Wi-Fi project was causing its Street View vehicles to inadvertently collect “payload” data from unprotected Wi-Fi networks along the routes.
Google said that it has since removed the code and stopped collecting any Wi-Fi data. The company’s disclosure has prompted regulators in several countries, including the United Kingdom, Germany, Canada and South Korea, to launch investigations into the matter.
In the U.S. in June, Connecticut attorney general Richard Blumenthal announced that he was launching a multistate investigation into “Google’s deeply disturbing invasion of personal privacy.”
The Federal Trade Commission also launched a similar investigation earlier this year but closed it last month as a result of what it said was Google’s assurances that it would delete any data that it had collected and not use it in any manner.
The Electronic Privacy Information Center (EPIC), which in May had asked the FCC for an investigation into Google’s Street View data collection, today welcomed the investigation.
EPIC president Marc Rotenberg said by e-mail that none of Google’s Wi-Fi collection activities would have come to light if European data protection officials hadn’t opened an investigation. “The public also does not understand that while the interception of communications traffic may have been accidental, the collection of Wi-Fi device name and location information was not,” Rotenberg said.
Google reiterated what it has been saying since the controversy first began. “We are profoundly sorry for having mistakenly collected payload data from unencrypted networks,” the company said in a statement.
As soon as Google realized what was happening it stopped collecting all Wi-Fi data from its Street View cars and informed appropriate authorities, the company said. “We assured the FTC, which has closed its inquiry, we did not want and have never used the payload data in any of our products and services,” the company said, adding that it will delete the data as “soon as possible.”
“As we examined the circumstances of inadvertent UID transfers, we discovered some instances where a data broker was paying developers for UIDs,” Facebook engineer Mike Vernal wrote in a blog post.
Private user data was not sold, Vernal said. Facebook has since suspended the developers for six months. If they wish to return to the Facebook developer community, they will have “to submit their data practices to an audit in the future to confirm that they are in compliance with our policies,” he wrote.
Facebook did not reveal the names of the developers in question except to say that they are about a “dozen, mostly smaller” developers that are not among the top 10 applications on the site. Facebook also reached a deal with data broker Rapleaf whereby the company will delete all Facebook UIDs and stop conducting any activities on Facebook Platform going forward.
“In taking these steps, we believe we are taking the appropriate measures to ensure people stay in control of their information, while providing developers the tools they need to create engaging social experiences,” Vernal wrote.
The issue over Facebook UIDs made headlines several weeks ago when the Wall Street Journal published a story that said Facebook apps share users’ personal information with advertising networks and other Internet-tracking companies. That, apparently, did include the top 10 apps on Facebook, as well as Rapleaf. Facebook later said it would encrypt UIDs going forward.
Services like Akamai, Amazon Web Services, and other analytics options are allowed “as long as those services keep UIDs confidential to your application.” This week, Facebook will also release a way to share identifiers anonymously with third parties like content partners, advertisers, or other service providers. Developers will be required to use this mechanism by January 1.
Some Facebook applications have been leaking user information to third party companies, the Wall Street Journal reports. The apps in question have a huge combined userbase; according to the WSJ, all of the 10 most popular Facebook apps are guilty of giving away user IDs to third parties, specifically Internet research and advertising companies.
These include Zynga’s FarmVille, Texas HoldEm Poker and FrontierVille; according to AppData, FarmVille alone had more than 80 million users in February 2010. Facebook confirmed some of the issues in a blog post, claiming most of the apps in question shared the user IDs inadvertently, due to “technical details.”
“Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent… Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work,” the post said.
This past weekend, Facebook blocked LOLapps, one of the biggest social games providers on the Facebook platform, due to “violations of Facebook’s terms.” The WSJ claims that some of the apps created by LOLapps were also transmitting user info to third parties. LOLapps (whose apps have now been reinstated on Facebook) has confirmed this was the case in a blog post, claiming it shared the info inadvertently. Facebook also said that “knowledge of a UID does not enable anyone to access private user information without explicit user consent.”
This is true, but a Facebook UID can be very revealing, depending on the user’s privacy settings. Knowing the ID of a Facebook user who shares information with “Everyone” can potentially give you access to his/her name, phone number, e-mail, photos and other personal info. Even if a user has set the strictest possible privacy settings on his/her account on Facebook, the ID may still reveal his/her name and Facebook friends.
And then there’s the issue of scale. If an application with tens of millions of users shares Facebook UIDs with an advertising company, that’s a lot of data. Depending on your privacy settings on Facebook, this particular advertising company now may only know your name and the names of your friends, or much more. But the real question is one of trust: have you agreed to any of this, and do you want to be in this company’s database?
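One way to implement the per-partner identifier sharing mentioned earlier (in place of raw UIDs, and addressing the scale and cross-partner correlation concern above), together with a demonstration of why a bare hash of the UID would not protect users. This is an added example, not Facebook’s mechanism; the keys, UID and partner roles are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// PartnerID derives the identifier an application hands to one third party in
// place of the raw Facebook UID. The key is chosen per partner and never shared
// with it, so the partner cannot recover the UID, two partners cannot join their
// databases on the identifier, and one partner still sees a stable ID per user.
func PartnerID(partnerKey []byte, uid uint64) string {
	m := hmac.New(sha256.New, partnerKey)
	m.Write([]byte(strconv.FormatUint(uid, 10)))
	return hex.EncodeToString(m.Sum(nil))
}

// NaiveHashedID is the tempting shortcut: an unkeyed hash of the UID.
func NaiveHashedID(uid uint64) string {
	sum := sha256.Sum256([]byte(strconv.FormatUint(uid, 10)))
	return hex.EncodeToString(sum[:])
}

// RecoverNaive shows why NaiveHashedID is not anonymisation: UIDs are plain
// integers, so a recipient can enumerate candidates and match the hash.
func RecoverNaive(hashed string, lo, hi uint64) (uid uint64, found bool) {
	for uid = lo; uid <= hi; uid++ {
		if NaiveHashedID(uid) == hashed {
			return uid, true
		}
	}
	return 0, false
}

func main() {
	const uid = 1500000042 // constructed sample UID
	adKey := []byte("constructed secret held for the ad network")
	statsKey := []byte("constructed secret held for the analytics vendor")
	fmt.Println("ad network sees:      ", PartnerID(adKey, uid))
	fmt.Println("analytics vendor sees:", PartnerID(statsKey, uid))
	if got, ok := RecoverNaive(NaiveHashedID(uid), 1500000000, 1500001000); ok {
		fmt.Println("unkeyed hash trivially reversed to UID", got)
	}
}
```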
This is another in a long line of Facebook’s privacy missteps. Although Facebook claimed time and time again it’s doing everything it can to preserve its users’ privacy, this latest incident won’t do much to convince its users that this is really the case.