Gee Thanks! I’ve been working out! …..oh wait a minute! What video??? CLICK!!!!

That was probably the script the culprit had in mind …and who knows how many times it played out.

I received the following message in my email inbox earlier from a cousin on Facebook.

It was so obviously malicious. Never mind the spelling issues. That is a trick typically used to get by email filters. My first reaction was to log in to Facebook and verify that it was indeed the source. I was reminded of an article I read about a similar fake LinkedIN email attack. In this case, the message was right there with a slight difference. The link now was more obvious.

One of those shortened bit.ly links that could lead you anyway. Without clicking the link, I clicked “reply” asking ” Did you send this?” . I already knew the answer but hey!  I immediately got the following response from one of the sender’s friends.

The plot thickens…

I sent the cousin a message advising a change of Facebook credentials. The message was apparently sent to many other users.  I’ve read and blogged about compromised Facebook account being used to spread malware and/or lure users to malicious sites but this is my first such experience. I’m not the average Facebook user though, since I only use it to cross-post blog updates.  I didn’t have to time to investigate what’s on the other side of that bit.ly link but just thought I’d share the experience.

Beware fellow Facebook users!

Here’s an interesting story. Who didn’t see this coming?

“Police say a hacking investigation in Fairfax County, Virginia started with a Facebook pregnancy announcement. But, it turns out the woman is not expecting a baby.

According to police, someone hacked into her Facebook account and posted the fake status update. The victim, who is from Springfield, also claims someone accessed her Hotmail account and sent out nasty emails.

All of the victim’s classes at Northern Virginia Community College were canceled by the hacker.

Police are investigating the Facebook and Hotmail hacking claims, but so far no charges have been filed.”

Source: http://www.myfoxdc.com/dpp/news/local/woman-says-facebook-account-was-hacked

Email is a very common vector for attack nowadays. Security folks always scream ” Don’t download the attachment. Don’t download the attachment!” Here are some examples of a targeted email attack taken from a blog called  Contagio Malware Dump .

More at contagiodump.blogspot.com

Twitter has added a new service that detects malicious URLs in an effort to quell the rise in spam and phishing on the microblogging social network. I previously did a post about the risk posed by url shorteners.

The new security feature ultimately will scan all URLs before they hit the Twitter feed, but initially is only doing so for URLs sent via Twitter direct messages [DMs] and email notifications about DMs. Twitter is using its own URL shortener for these links: “For the most part, you will not notice this feature because it works behind the scenes but you may notice links shortened to twt.tl in Direct Messages and email notifications,” said Del Harvey, Twitter’s director of trust and safety, in a blog post last night.

Twitter’s security feature comes amid new data revealing the level of abuse on the social network: One in eight Twitter accounts last year was malicious, suspicious, or suspended, according to a report issued today by Barracuda Networks. The surge in celebrities joining Twitter in 2009 resulted in a major jump in spam, phishing, and other abuse on the site, according to the report.

Read more: http://www.darkreading.com/securityservices/security/attacks

Is your banking practices putting your business at risk? Protect your small business accounts from cybercriminals. The Wall Street Journal offers the following suggestions for small businesses seeking to ward off an attack:

Defend your Computer

Hackers often take aim at small firms’ computers because they are easier to infiltrate than banks’ systems. One common mode of attack is to send a “spear phishing” email containing an infected file or a link to a malicious Web site to employees with access to the firm’s financial accounts. Once the employee opens the attachment or goes to the Web site, malware is installed on the computer that allows criminals to access banking logins and passwords. While up-to-date antivirus software offers substantial protection against malware, it isn’t 100% effective.

Accessing your bank account through a computer that isn’t used for anything else—no email or Web surfing—and isn’t connected to the local network offers strong protection, says William Nelson, president of the Financial Services Information Sharing and Analysis Center, an industry group that collects and shares threat data.

Another option is to use an obscure computer operating system such as Ubuntu or Web browser such as Opera because attackers rarely create malware for them, security experts say.

If you use Microsoft Corp.’s Internet Explorer browser, make sure you have the latest version, IE 8, which includes security features to help prevent attacks. Consider using Explorer in “protected mode,” which restricts files that try to install on a computer without the user’s consent, and set your “Internet zone security” to “high,” which disables some of Explorer’s less-secure features, according to Microsoft.

Protect your Accounts

Ask your bank to set up “dual controls” on your account so that each transaction requires the approval of two people—a good guard against fraud, security experts say. Establish a daily limit on how much money can be transferred out of your account, and require that all transfers be prescheduled by phone or confirmed via phone call or text message. If possible, impose restrictions on adding new payees, security experts say.

Check bank balances and scheduled payments at the end of every workday, rather than the beginning, and immediately contact your bank if anything is amiss. Banks use the Automated Clearing House system to transfer funds to payees’ banks. These transfers usually aren’t paid until the next morning, so timely action could halt the completion of a fraudulent transaction, Mr. Nelson says.

Shop for a Bank

Review your agreement with your bank and know what rights you may be waiving by not using certain security measures. While agreements between banks and commercial customers typically absolve banks of responsibility for fraud losses, the bank down the street may offer better protections, so shop around. Also, consider adding insurance coverage for fraud losses.

Many banks, concerned about damage to customer relationships, have stepped up their defenses against cyberattacks, rolled out new protections for customers and begun sharing more threat information with each other and law enforcement, Mr. Nelson says.

An emerging motivator may be a growing number of lawsuits by small companies claiming their banks didn’t have “commercially reasonable” security.

A judge in a closely watched case involving a self-employed couple’s personal and commercial accounts said in refusing to grant a summary judgment that a jury might find fault with the adequacy of the bank’s defenses, which the plaintiffs argued weren’t state of the art at the time of the theft. The case—Shames-Yeakel vs. Citizens Financial Bank—was settled in late December under confidential terms. The plaintiff’s lawyer, John Soumilas of Francis & Mailman PC in Philadelphia, says he pursued the case as one of consumer-identify theft, where protections are ample.

Still, David D. Johnson, a digital-media lawyer at Jeffer, Mangels, Butler & Marmaro LLP in Los Angeles who wasn’t involved in the case, says the judge’s action suggests that “a bank can’t simply rest on its laurels, on its security measures that worked last year,” and avoid liability. The judge declined to comment, and Citizens Financial didn’t return a call for comment.

Reach Out

Connect with law-enforcement agencies before an incident occurs, suggests Mr. Henry. He says small businesses should consider joining the FBI’s InfraGard, a group of businesses, academic institutions and state and local law-enforcement agencies that seek to ward off cyberattacks and other threats by sharing information and intelligence.

He also urges companies to report all computer crimes immediately to the FBI. The agency has relationships with law-enforcement organizations around the world that are starting to bear fruit, he says, pointing to the recent arrest of 120 people tied to Romanian groups that allegedly stole money from U.S. companies and citizens.

“In the cases where we have put hands on somebody, it was the result of a victim company raising their hand and saying this happened,” Mr. Henry says. “If they hit you today, they’re hitting the guy down the street tomorrow.”

From Trend Micro Countermeasures Blog:

I just received an email from some guy called Willie Hickey. Aside form having an extremely amusing name, Mr. Hickey was offering me some very urgent advice[..]

The message reads…

“Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:”.

This little piece of social engineering is obviously designed to arouse fear and doubt in the recipient; “Oh no, not those photos, the zookeeper promised he would destroy the negatives.
Don’t be tempted though to click the link. There are no photos, there is no Willie Hickey.
The link leads to a malicious JavaScript which redirects the browser to a Russian IP address where multiple PDF exploits and an ActiveX exploit are used to push out a variant of the ZeuS crimeware. The sample itself has very low detection rates with only 9 out of 40 detections on VirusTotal.

http://countermeasures.trendmicro.eu/your-guilty-conscience-could-get-you-pwned/