
Thursday, August 25, 2011

Inter-company invoice emails carry malware


Have you received an unexpected "inter-company invoice" from a company for the period January 2010 - December 2010?

If so, chances are that your computer is being targeted by cybercriminals who are using the disguise as a method to infect your computer with a Trojan horse.

Companies such as Beazer Homes, KPMG, Miltek, Kraft Foods, and Safeco are named in different incarnations of the malware campaign, which is designed to trick you into opening the attached ZIP file.

Even if you haven't done business with the company referenced in the email, you might be tempted to open the attachment (which has a name like Inv._08.8_D7.zip, Corpinvoice_08.10_N47.zip, or Invoice_08.4_D6.zip) out of curiosity.


Of course, the emails have not really been sent by the companies that are named in them, and the sender's address has been forged.

Sophos products intercept the malware as the Troj/Agent-TBO Trojan horse, and the ZIP files themselves as Troj/Invo-Zip.

Remember, once malicious code has run on your computer, it's up to an unknown hacker what happens next. They can open a backdoor onto your computer to steal information, display fake anti-virus alerts, or compromise your PC to make it part of a botnet.

The best defence is not to fall for such attacks in the first place, by keeping your anti-virus protection up-to-date and keeping your wits about you.

Follow @gcluley


Vanguard Defense Industries suffers Anonymous hack attack


Anonymous hackers working under the flag of AntiSec have targeted a US defense contractor, stealing and publishing thousands of emails and documents.

Vanguard Defense Industries (VDI) works closely with government agencies such as the Department of Homeland Security and FBI, developing the unmanned remote-controlled ShadowHawk helicopter which can be used for aerial surveillance and fly at up to 70mph, shooting grenades and shotgun rounds in combat situations.

Of course, real life battlefield technology like that is no protection against cybercriminals, who appear to have published emails and documents containing VDI meeting notes, contracts, schematics and other confidential information as part of the hackers' ongoing "F**k FBI Friday" campaign.

A statement from the hackers will remind readers of past hack attacks on Monsanto and Infragard, and makes clear that VDI's senior vice president Richard T. Garcia was being singled out for particular attention:

The emails belong to Senior Vice President of VDI Richard T. Garcia, who has previously worked as Assistant Director to the Los Angeles FBI office as well as the Global Security Manager for Shell Oil Corporation. This leak contains internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen "counter-terrorism" documents classified as "law enforcement sensitive" and "for official use only".

Richard T. Garcia is also an executive board member of InfraGard, a sinister alliance of law enforcement, military, and private security contractors dedicated to protecting the infrastructure of the very systems we aim to destroy. It is our pleasure to make a mockery of InfraGard for the third time, once again dumping their internal meeting notes, membership rosters, and other private business matters.

The hackers seemed keen to underline that they weren't planning to cease their activities anytime soon:

We are doing this not only to cause embarrassment and disruption to Vanguard Defense Industries, but to send a strong message to the hacker community. White hat sellouts, law enforcement collaborators, and military contractors beware: we're coming for your mail spools, bash history files, and confidential documents.

Operation AntiSec is the name that has been given to a series of hacking attacks, born out of the activities of Anonymous and the burning embers (or should that be watery grave?) of LulzSec.

Past victims have included US government security contractor ManTech and DHS contractor Booz Allen Hamilton.

Once again, a defense contractor is learning a lesson the hard way about the importance of strong computer security.


Do you know enough about ATM skimming? Learn more from Fiscal the Fraud Fighting Ferret!


Long-term readers of Naked Security will know that the techies at Sophos Australia are big fans of the Queensland Police Service (QPS).

Over the past few years, QPS has engaged strongly with the community and with industry to take on cybercrime and cybercriminals, both in Australia and around the globe, winning national awards in the process.

They've made a real effort on a number of issues that go well beyond simple law enforcement, trying to raise awareness of cybercrime, to improve security practices amongst consumers, and to bring vendors, service providers and investigators together at regular seminars to work out how to cooperate productively against the Bad Guys.

The Queensland cybercops have also come up with a cute educational mascot, Fiscal the Fraud Fighting Ferret, who appears in a range of straight-talking animated cybercrime awareness videos made by the team.

The latest Fiscal video is particularly timely for Naked Security, as it deals with ATM skimming, a topic about which my colleague Chester Wisniewski wrote just the other day.

What surprised me about Chester's article was the number of people who wrote to us afterwards, convinced that ATM skimmers could catch your PIN on camera but would need to rob you face-to-face to get your card.

But they don't need to be near the cash machine whilst they're harvesting your data. Copying the data off the magstripe on your card is surprisingly easy, using a miniaturised card reader called a skimmer fitted over the front of the card slot. Clearly, ATM skimming is not well-enough understood.

So here's an explanation of why and how to be on your guard when you're using a cash machine. It doesn't assume you're a computer expert, it doesn't talk down to you, it's easy to understand, and it's narrated by a Fraud Fighting Ferret!


As Fiscal the Fraud Fighting Ferret concludes, "Education and awareness are the best fraud prevention weapons we have."

Follow @duckblog


BART Police database hacked - names and addresses posted online


A database belonging to the BART Police Officers Association appears to have been hacked, and the names, postal and email addresses of officers posted online.

Just over 100 officers are listed in the document, in what is clearly a serious security breach.

The reason why BART is the focus for so much attention by hackers? Last week, in a highly controversial move, several BART stations in San Francisco halted their cellphone service for a few hours. It was believed that people protesting about the fatal shooting of a homeless man by BART police might be co-ordinating their protest via mobile phone.

Of course, what's happened now is that over 100 innocent police officers have had their safety put at risk by hackers revealing their private information.

OpBART - names and addresses of police officers

Earlier this week Anonymous was blamed for hacking the myBART.org website, belonging to San Francisco's BART (Bay Area Rapid Transit) system, and there has been speculation online that hackers affiliated with Anonymous may also be responsible for this latest attack.

But it seems even "official" Anonymous mouthpieces for the movement aren't sure whether it's Anonymous's work or not.

Anonymous tweets

I guess one of the problems of being a decentralised hacktivist group, with no leadership structure and no way of identifying members, is that anyone can claim to have done something under the Anonymous banner and no-one can credibly argue that it wasn't an Anonymous action.

After all, if it's truly anonymous how is anyone to know what they have done and what they haven't done?

Many Anonymous supporters may see this as an advantage. Me? I'm not so sure.

One thing is for certain - the BART Police Officers Association has been caught with its pants down. Its website is currently offline (replaced with a holding page) and it seems likely that a vulnerability on their site will have let the hackers access the police officers' database.

Clearly the information had not been properly secured. In the current climate of high profile hacks that's not excusable. Other forces would be wise to look at their own sites and make sure that they are not similarly vulnerable to attack.

Follow @gcluley


Trojans spammed out in malicious wave of fake DHL emails


There is a significant wave of malicious emails being spammed out presently, posing as notification messages from DHL.

If you make the mistake of opening the attached ZIP file you will be putting your computer at risk of infection by a Trojan horse.

There's nothing new, of course, about cybercriminals disguising their attacks as notifications from DHL.

This attack, though, is particularly aggressive and - as you can see in the examples below - uses a variety of different DHL-related subject lines, attachment names and message bodies:

Malicious DHL email

HELLO!

Dear Client, Recipient's address is wrong

Print out the invoice copy attached and collect the package at our department

Best wishes , DHL Customer Services

Malicious DHL email

ATTENTION!
DEAR CLIENT , We were not able to deliver the postal package

Please print out the invoice copy attached and collect the package at our department

Pack it. Ship ip. No calculating, Your DHL .com Customer Services

Malicious DHL email

Good afternoon!

DEAR CUSTOMER, Recipient's address is wrong
PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT

Pack it. Ship ip. No calculating, Your DHL .com Customer Services

Malicious DHL email

Good afternoon!

Dear User , Delivery Confirmation: FAILED
Please print out the invoice copy attached and collect the package at our department
With respect to you, DHL Team

Here are just some of the different disguises we saw in a snapshot of less than one minute in a small selection of our spam traps:

Malicious DHL email subject lines

Sophos products intercept the attack, detecting the ZIP file as Troj/Invo-Zip and the Trojan horse contained within as Mac/EncPk-NS.

Dangerous emails claiming to come from courier companies are nothing new - it has become one of the most commonly-used methods by which hackers socially engineer unsuspecting users into opening a malicious attachment or clicking on a dangerous link.

Make sure that you and your friends are wise to the trick - and think before you click.
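As an added example (not code from the Sophos posts), here is a small Python triage routine that applies the signals described in the inter-company invoice post above and in this DHL post: invoice-style ZIP attachment names such as Inv._08.8_D7.zip, a From display name that claims a brand while the address comes from an unrelated domain, and the impersonal "Dear Client" greeting. The brand allow-list and the three sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment names from the two campaigns (Inv._08.8_D7.zip,
# Corpinvoice_08.10_N47.zip, Invoice_08.4_D6.zip) share one shape:
# an invoice-like stem, a "MM.D" number pair, a letter-plus-digits code, .zip
INVOICE_ZIP = re.compile(
    r"^(?:corp)?inv(?:oice)?\.?_\d{2}\.\d{1,2}_[A-Z]\d{1,3}\.zip$", re.IGNORECASE)

# Impersonal greetings used by the DHL lures quoted above.
GENERIC_GREETING = re.compile(r"\bdear\s+(?:client|customer|user)\b", re.IGNORECASE)

# Assumed allow-list (illustrative only): a display name that claims one of
# these brands should come from one of the listed domains.
BRAND_DOMAINS = {
    "dhl": {"dhl.com"},
    "kpmg": {"kpmg.com"},
}


def claimed_brand(display_name):
    """Return the brand a From display name claims, or None."""
    lowered = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def triage(raw_message):
    """Score one RFC 822 message for the invoice/courier lure pattern.

    Returns {"verdict": "quarantine" | "review" | "clean", "reasons": [...]}.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    # 1. ZIP attachment with an invoice-style name.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if INVOICE_ZIP.match(name):
            reasons.append("invoice-named zip attachment: " + name)

    # 2. Display name claims a brand, but the address is from another domain.
    display, addr = parseaddr(msg.get("From", ""))
    brand = claimed_brand(display)
    domain = addr.rpartition("@")[2].lower()
    if brand and domain not in BRAND_DOMAINS[brand]:
        reasons.append(f"display name claims {brand} but address domain is {domain}")

    # 3. Generic greeting in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if GENERIC_GREETING.search(text):
        reasons.append("generic greeting")

    # An invoice ZIP plus any other signal is enough to quarantine. A lone
    # invoice ZIP still gets a human look: a forged sender at the real brand
    # domain (as in the inter-company invoice emails) defeats check 2.
    has_zip = any(r.startswith("invoice-named") for r in reasons)
    if has_zip and len(reasons) > 1:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: DHL lure with a forged display name and an invoice ZIP
# (the base64 payload is an empty ZIP archive, not malware).
LURE = """\
From: "DHL Customer Services" <notify@dhl-parcel-update.example>
To: victim@example.com
Subject: Delivery Confirmation: FAILED
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

DEAR CLIENT , We were not able to deliver the postal package
Please print out the invoice copy attached and collect the package at our department

--b1
Content-Type: application/zip; name="Invoice_08.4_D6.zip"
Content-Disposition: attachment; filename="Invoice_08.4_D6.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: ordinary partner mail, no attachment, personal greeting.
BENIGN = """\
From: "Accounts, Example Partner" <ap@partner.example>
To: victim@example.com
Subject: Q3 statement
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi Alice, the Q3 statement is on the portal as usual. Regards, Bob
"""

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        print(triage(sample))
```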

Follow @gcluley


Bikini-clad women and photo tags aid Facebook scammers


If you're a Facebook user, please repeat after me:

Facebook doesn't let you track who is viewing your profile.

Third-party Facebook apps aren't allowed to do it either, and if they claim to offer the ability they are banned from Facebook.

Don't believe me? Here is the official word on the issue from Facebook itself:

Facebook statement

And yet, we continue to see scams spread far and wide across Facebook claiming to offer the functionality.

See this example, for instance, which tags a photograph of a woman sunbathing in her bikini with the names of Facebook users.

Bikini-wearing woman profile view Facebook scam

Because the photograph has been tagged with the names of Facebook users, they will see it appear in their newsfeed and will - no doubt - be curious to find out more.

Profile view scam

A comment on the photograph claims to point to a way for Facebook users to see who has been viewing their profile. The girl in the bikini was being used as tempting bait, just to bring traffic towards that link.

(You're probably thinking by now - wouldn't it be nice if Facebook gave its users the ability to opt-out of all photo tagging? Of choosing to never want to be tagged in a photo without their permission? And yes, it would be a very good idea - but Facebook seems less than keen to implement it).

If you're foolhardy enough to click on the link, you are taken through the process of adding a third party application - handing it the keys, effectively, to your profile and authorising it to post messages, photos and notes to your Facebook wall.

Rogue Facebook application

Of course, if you give it such permission it will simply perpetuate the scam - spreading it onto your friends using your and their names.

The purpose of all this subterfuge? To trick you into taking an online survey - which earns commission for the scammers.

Survey Scam

Remember - you should always think twice (and maybe three times!) before allowing an application to access your Facebook profile, as there are many rogue apps designed purely to make money for the scammers and spread their viral schemes to as many users as possible.

Photo tagging pictures of women wearing bikinis isn't the only way that the scammers bring traffic to their campaigns, of course. They still find old faithfuls, such as viral status messages, an effective means to spread enticing news of a way to view who has been viewing your profile.

Here's just such a scam spreading on Facebook as I write:

Scam

WOW l cant believe that u can see who ls viewing your profile! l just checked my TOP profile visitors and l am SHOCKED at who ls still checking my profile! You can also see WHO VIEWED YOUR PROFILE here: [LINK]

Make sure that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 100,000 people regularly share information on threats and discuss the latest security news.

You could also do a lot worse than check out our best practices for better privacy and security on Facebook guide.

Follow @gcluley

Hat-tip: Thanks to Naked Security reader Heidi for first alerting us to the bikini photo-tagging scam by sending us a tip


Wednesday, August 24, 2011

Australian bomb hoax suspect tracked across internet and arrested in Kentucky, USA


For the last two weeks, the media in Sydney, Australia, have been fascinated with a police investigation into a most peculiar crime committed in one of Sydney's most prestigious suburbs.

If you've heard the name of the victim, Madeleine Pulver, you've probably heard the story behind the crime.

Imagine the scene.

Pulver is a final-year school student who will sit her school-leaving exams at the end of the year. She's studying at her parents' home in top-of-the-market Mosman in Sydney's Lower North Shore on the afternoon of 03 August.

A man clad in a balaclava and carrying a baseball bat bursts into her room and chains a plastic box to her neck. He puts a lanyard round her neck with some printed documentation and a USB key attached to it. Then he vanishes.

Pulver looks at the printout. She reads these words: "Powerful new technology plastic explosives are located inside the small black combination case delivered to you. The case is booby trapped. It can ONLY be opened safely, if you follow the instructions and comply with its terms and conditions."

The printout continues by saying, "You will be provided with detailed Remittance Instructions to transfer a Defined Sum once you acknowledge and confirm receipt of this message." A Gmail address is provided for future communications.

In the curious grammar used these days by New South Wales (NSW) Police on charge sheets, a whole battery of crimes have just taken place: aggravated break and enter with intent to commit a serious indictable offence; demand property by force with intent to steal; kidnap.

Hats off to the NSW cops. They've put in the investigative work on this one, identified a suspect, tracked him to Kentucky, and had him arrested in the USA. Now they'll apply to have him extradited back to their jurisdiction.

The investigation makes a great story, too, and you can read it online thanks to documents tendered in court to prepare for the suspect's arrest in Kentucky.

Here's the brief version of what's claimed so far.

* Trace the PC used to create the Gmail account mentioned in the extortion message to Chicago airport.

* Trace all subsequent uses of that email account to a small town on the NSW Central Coast. Get CCTV footage from the vicinity.

* Identify a Range Rover of an identifiable vintage arriving and leaving at the right time. Check NSW vehicle registrations for vehicles which fit the age and the location.

* Cross-check the name of the closest registered owner against recent border control records.

'Ello, 'ello! The owner of the perfectly-placed Range Rover flew to Chicago shortly after the crime. Then he flew to Kentucky.

* Move on to credit card records. The owner of the Range Rover also made purchases at an office supply store and a sports shop on the Central Coast about a month before the crime.

* Check with the shops to see what he bought in those transactions. Hmmm. A USB key. A baseball bat. [Note: baseball is a minority sport in Australia, like cricket in the USA.]

* Check whom he'd remitted money to in recent years. Ha! A woman with the same surname living in La Grange, Kentucky. Find that house up for sale.

* Get the Kentucky cops to drive by. Spot a bloke hanging out behind the house looking at least somewhat similar to the guy who boarded that Chicago flight, owned the Range Rover on the Central Coast, and bought the baseball bat.

And that was enough for the Kentucky court. The suspect was arrested and taken into custody.

In today's society, most of us leave digital breadcrumbs wherever we go. When the cops can use this information appropriately, as they have done in this case, most of us agree that this amounts to a good result.

But there are three important issues this brings to the fore:

* This isn't a cybercrime case. It's a case of person-on-person crime involving intimidation, extortion and a bomb threat. Yet much of the investigation has required cyberskills by the investigators.

So when you read that the cops are being given more money "for cybercrime", don't expect them to start busting pure-play cybercrooks such as spammers and scammers immediately. Almost every modern crime has a cyber-element.

* This didn't play out like it does on CSI or Hawaii-Five-O. There, the cops get results in seconds, where satellites orbiting directly overhead can mysteriously get clear images of vehicle registration plates from low angles, and where warrants magically appear at all hours of day and night.

There are many hoops which the cops have to jump through to be able to pursue an enquiry of this sort - a due process which means they can't always and immediately get access to anything they want.

And that is exactly as it should be. Most of us are law-abiding, and our privacy and security is too important to be eroded merely to make the Orwellian nonsense of Hawaii-Five-O into a reality.

* Pure-play cybercrooks don't play by the rules. They don't have to show due cause to retrieve information from immigration. They don't bother with a warrant before they install surveillance software on your PC. And they don't leave an obvious trail like the apparently inept suspect in the Pulver case.

Of course, there's a fourth matter, too:

* All the evidence so far is circumstantial, and the suspect is innocent until proved guilty beyond reasonable doubt.

In a case which is as perplexing, and which has provoked as much media commentary and as much speculation as this one, it's important to keep that in mind.

Now you've heard the story, stop and think how much this suspect gave away without intending to.

Think about how much you give away - for example on social networking sites - entirely willingly.

Having just the tiniest amount less fun online can make you enormously more secure.

Follow @duckblog

Tags: arrest, bomb hoax, Cybercrime, kentucky, law enforcement, madeleine pulver, mosman, nsw, pulver, sydney, usb


Twitter is not charging in October, there is no petition, you're being phished


Another scam to steal Twitter users' credentials is making the rounds today. The tweets being sent out read "Twitter might start to charge in October, sign this petition to keep the service free! -URL-."

Twitter petition tweets

The official Twitter account, @safety, has warned people about the threat and it appears that the Twitter team is having partial success extinguishing this one. Here is an example block page I received when attempting to visit one of the URLs.

Twitter block image

Unfortunately it did not take me long to find the original destination dressed up with several different URL shorteners. This one seems to still be making the rounds to some extent.

Remember folks, rather than click those short URLs, you can always check them over at longurl.org. If you expanded this one you would see that it eventually takes you to ltittier -dot- com, which was registered on a Chinese DNS server at three past midnight this morning.

Twitter phishing page

The site is a near perfect duplicate of the real Twitter login site, and it masquerades as a message that your session has timed out. You will need to "reauthenticate" and hand over your identity to the criminals immediately.

At least one Twitter user seems to be having some fun with this and has produced her own copy of the scam... Earlier this morning @trojankitten posted "Twitter might start charging in October, a petition is picking up speed to keep it free.-URL-."

If you click the short link, you are redirected a bit and end up on a pastie.org page that reads:

"Hi,
This is Trojan Kitten. Twitter won't "start charging in October," but there's yet-another-twitter-malware, which will send tweets like these from your account, once you're affected:

"Twitter might start to charge in October, sign this petition to keep the service free! link.here/to-malware" "Twitter is going to charge now? read this article on twitter :( link.here/to-malware"

And since you see the text you're currently reading, you could've been affected: you clicked the link. I don't actually blame the users. So let's blame Twitter for its loose control on apps (in terms of security).

If you have been hit with this scam, be sure to change your Twitter password immediately and it would be prudent to log in and revoke all application API access as well.

You will need to reauthorize each Twitter enabled program as you use them, but your account will be safer for it.

Follow @chetwisniewski


Canada mulls warrantless internet info-gathering powers for police


Yesterday, I wrote up my take on the recent Australian bomb-hoax story, in which a suspect was tracked from Sydney to Kentucky through a mixture of old-fashioned detective legwork and cyberinvestigation.

I suggested that making this sort of investigation as easy as it seems on crass TV cop shows would be a bad idea:

There are many hoops which the cops have to jump through to be able to pursue an enquiry of this sort - a due process which means they can't always and immediately get access to anything they want.

And that is exactly as it should be. Most of us are law-abiding, and our privacy and security is too important to be eroded merely to make the Orwellian nonsense of Hawaii-Five-O into a reality.

Today, someone pointed out to me the text of Bill C-52, currently under consideration by the Canadian federal parliament.

Amongst the many proposals in this Bill are two specific clauses to reduce the 'due process' imposed upon Canadian law enforcers when they wish to acquire information about internet subscribers from Canadian ISPs.

This information includes:

any information in the service provider's possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider's telecommunications services and the Internet protocol (IP) address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber's service and equipment.

The first sort of investigator authorised to acquire this information merely by asking (actually, the second listed in the Bill, as it is a special exception to the main proposal) is, broadly speaking, any police officer.

But there are restrictions on this power which make it much less unreasonable than it sounds. It is for "exceptional circumstances only", and it applies only if:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

You can probably quickly think up a number of scenarios in which this regulation might be a lifesaver. And the Bill requires any police officer who takes advantage of these special powers to declare that he has done so to a superior, who is, in turn, required to re-confirm the request with the service provider. So there is at least some bilateral oversight involved.

Of greater interest to privacy advocates, however, is the proposal in the Bill that each law enforcement agency would be able to designate up to five percent of its staff to request precisely the same information pretty much at will, about any subscriber.

This makes 'fishing expeditions' possible. The Bill doesn't appear to place any limit, other than perhaps common sense, on the number of subscribers whose data can be sucked from an ISP at any time.

The Bill doesn't even seem to propose that the requests be based on any sort of specific identifier, such as a name or an email address.

This suggests, in the worst case, that an ISP might be compelled simply to hand over information about all subscribers. No warrant needed, and thus no proactive oversight by the judiciary.

I'll leave it to the Canadian legislature to debate whether this is really a change which Canada needs; to Canadian privacy advocates to argue the pros and cons as visibly as they can (I'm OK with legal street protests, but no Anonymous-style 'hacking', please!); and to the voters to make amends next time if the Bill passes but is deemed a step too far.

My concerns go beyond just those about our right to be free, as far as possible, from surveillance and intrusion by law enforcement. I'm just as worried about the safety of having information about our internet identities routinely duplicated into multiple databases.

If you are Canadian, I urge you to oppose Bill C-52 as a matter of public safety, at least until you can be sure that every agency and every officer who might request information about your internet identity will protect it at least as well as your ISP.

Recent data breaches and data leakages haven't just been happening to commercial organisations, but to law enforcement, too.

(Global examples of law enforcement security lapses include San Francisco, Arizona and Manchester, UK.)

The more people who acquire and store your Personally Identifiable Information (PII), the more points of security failure, and thus the more likely it will end up in the hands of cybercriminals.

So if law enforcement in your country wants to become more aggressive at acquiring your PII, I think it ought first to show you that it sets unstinting standards for protecting it. For example, any police force which lets its officers use unencrypted laptops in the field ought, ipso facto, to be disqualified from collecting information about you other than in the most exceptional circumstances.

And please note that I didn't make that last remark because I work for a company that has a range of encryption products to sell. Actually, it's the other way around. I work for such a company because I believe that privacy and security are incredibly important.

Follow @duckblog

Tags: bill, c-52, Canada, data leakage, due process, IT, legislature, parliament, Privacy, regulation, Security, surveillance
