Do we really want better spam detection on social networks?

by Daniel Peck, Research Scientist

The question sounds crazy, especially coming from someone who’s spent a fair amount of the last year working on making spam and other malicious message detection on social networks better. But we do a disservice to tools geared for protection when we don’t think long term about their consequences. Does better spam detection on, say, Twitter reduce the total amount of spam that users see, or does it just change the signal to noise ratio?

Websites whose only content is related to spam didn’t get many hits. This led spammers to move to Search Engine Optimization techniques, which have had a good run and are still fairly effective, but more often than not spam sites are full of legitimate content harvested from other sites.

I suspect, and have seen several examples, that the same trend is taking place in social media. We build systems that force spammers to put more “real” content into the stream, so that they don’t immediately out themselves. These fake accounts contain plenty of retweets of popular stories, and shared links on Facebook with a bit of “hey, what a great deal on shoes” or “click here to see my naked” thrown in here and there.

Times are changing here too: sharing too many popular things also indicates that an account is a spammer, or at the very least a much less valuable node in the network. So the next step is wholesale copying of real people’s profiles, complete with pictures of their cat: a bizarro you with everything from your Facebook account duplicated on another network, such as Tumblr or Google+, with an occasional spam or malicious link thrown in. The kind of place where friends will eagerly add you, because everyone needs to be connected to every one of their friends through every medium possible of course, and not think twice about clicking on the malicious link that bizarro you just shared out.

Besides being quite a blow to the privacy...


Fake AntiVirus Scams Add MacOS Support

May 19, 11

Posted in Security, SEO Poisoning, Web Security

by Luis Chapetti & Dave Michmerhuizen – Security Researchers

Fake antivirus scams are designed to scare innocent computer users with exaggerated displays of virus activity in the hope that they will hand over their credit card numbers to make it go away. They’ve been around for years, and the most prevalent ones use a freely available JavaScript design that mimics the Windows user interface, as seen here:

When these pages pop up on Macintosh computers, it’s immediately obvious that something isn’t right.

Last quarter, Apple set a new record (3.47 million sold in the quarter) with a growth rate of 33% over the prior year’s quarter. Apple has about 10% of the computer market in the United States, and that doesn’t even include iPads. That market share has been noticed by the fake antivirus scammers, and this week they have added a new JavaScript design that mimics the Macintosh interface, as seen here:

Drive-by download sites now serve up this page if they detect access from a MacOS computer, while Windows users still see a Windows style page. The example above is called “Apple Security Center”, but similar templates have been seen named MacDefender.

Since this is just JavaScript, the correct move at this point is to refuse the download and browse elsewhere. Accepting the download and running it installs “Mac Protector”, which displays pornographic images and promises to remove them for a credit card payment.

The initial infection vector is poisoned entries in Google search results. We’ve talked extensively about poisoned search results, and this represents another example of where otherwise normal Web sites are compromised and made to serve up bogus pages that are well ranked by Google. When one of these links is clicked, the compromised Web site detects a visit from Google search results and sends the visitor to a server that presents the fake antivirus.

The recent change in Google content ranking has not stymied these attacks – the malicious link we tested was on page...


Cyber criminals continue to capitalize on current events – Osama Bin Laden dead!

by Nidhi Shah, Security Researcher

Along with media, homeland security and Al-Qaeda supporters, another group of people got to work immediately after Osama Bin Laden was killed: malware authors. This is not surprising given malware writers’ propensity to take advantage of the day’s current events as a way to reach the largest number of eyeballs and victims. This news is no different. We noticed multiple campaigns taking advantage of the news within hours of its announcement.

One such campaign showed up on Facebook offering a video of the killing:

Clicking on the link leads the user to a fake blog with video, which in turn requires the user to “Like” it in order to get to the video. However, in doing so (“liking”), the user is authorizing the malware to post on his/her wall and fill it up with other “Like” messages that were never authorized. “Like” messages are shared automatically via the Facebook newsfeed on a user’s network; therefore, these messages quickly become viral and spread via trusted channels.

There are multiple other campaigns taking advantage of this news and also creating new related headlines to get more attention. Like this campaign (again on Facebook):

Clicking on that link will lead you to the blog full of such fake headlines.

While this one did not directly lead to any malicious impact, clearly the headlines are fake. That leads us to believe that we might have encountered it while malware authors were still in the process of preparing their next malicious campaign, or that they could be taking advantage of current events and user curiosity to increase the search engine ranking of these pages.

Our advice to readers is to be cautious while browsing the Web to look for more details related to this event and any other major news in general. We recommend visiting the major news channels directly to get more information rather than clicking on links in Facebook or Twitter, even if they are seemingly posted by friends or...


Email Spam Drops by Half While Search Engine Malware Increases 50 Percent and Twitter Crime Rate Rises 20 Percent During 2010

From: Barracuda Labs [PRESS RELEASE]

Barracuda Labs Issues 2010 Annual Security Report; Launches New, Free Profile Protector to Protect Users against Malicious Threats on Facebook and Twitter

Campbell, Calif., March 3, 2011 – Barracuda Networks Inc., a leading provider of content security, data protection and application delivery solutions, today released findings from its 2010 Annual Security Report, which indicates attackers are making a shift from using email spam to more aggressively targeting the Internet. Email spam dropped by half during 2010, while search engine malware doubled and the Twitter Crime Rate increased 20 percent, signifying a concentrated focus on the more lucrative social networks and search engines as attack vectors. To help combat this, Barracuda Networks today announced the availability of its new Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter. Profile Protector is available at http://profileprotector.com/.

“Attackers focus on where they can get the most eyeballs and profit, and today that means social networks and search engines,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “As a community we often point to the need for user education as the missing component; however, the levels of social engineering involved in today’s attacks suggest that we must continue to elevate our technological approaches. The research community must continue to build innovative defenses and the industry must make efforts to increase the deployment rates of those defenses.”

Searching for Malware

Barracuda Labs conducts periodic studies across Bing, Google, Twitter and Yahoo!, analyzing trending topics on popular search engines in order to understand the scope of the problem and to identify the types of topics used by malware distributors. The most recent study was conducted over 153 days. The analysis reviews more than 157,000 trending topics and nearly 37 million search results. Overall, the research found that attackers have increased the amount of search engine malware as well as expanded targeted efforts beyond Google.

Key highlights from the search result analysis include: In June 2010, Google...


Barracuda Labs 2010 Midyear Security Report

Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware and Twitter use and crime rate. Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines every day and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.

Key highlights:

Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.

The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!

Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.

The top 10 terms used by malware distributors include the name of an NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and...


Watch Out for Fake Adobe Flash Updates

by Barracuda Labs

Barracuda Labs has found compromised sites in the wild which present unwary visitors with an official-looking Adobe Flash update page. Even though this page looks convincing, downloading this ‘update’ only provides the user with a nasty piece of malware that McAfee currently classifies as Downloader-CEW.f. We recommend getting Adobe Flash updates directly from the source – http://get.adobe.com/flashplayer.

How it happens

Performing a quick search for a breaking news topic, such as LeBron James opening his own Twitter account, starts the process. Searching for “LeBron James Twitter” gives the highlighted result a rank of 62. Clicking on the highlighted result sends the user directly to the fake upgrade page.

Note that the actual domain is registered in the Cocos Islands. Also note that the dialog offers Adobe Flash Player 11, while (at this writing) the current version of Flash is 10.1. Another sign that this dialog box is bad news is that none of the buttons close the dialog. Clicking both “Cancel” and “Details” implores the user to click “Ok” (which is not a button name). Only “Continue” offers the user a path forward, to a Windows Security Warning dialog.

If the user does run the file, it will download a background clicker that uses the Internet connection to generate fake Internet traffic. While this activity goes on unseen, additional scamware and spyware programs are downloaded, as seen below.

The unsuspecting user can be compromised in no time, which is why it is recommended to get Adobe Flash updates directly from the source. Barracuda Web Filter and Barracuda Purewire Web Security Service customers are protected from these...
