
Pinterest being used by cybercriminals

Pinterest interesting to cybercriminals

It didn’t take long for hackers to take advantage of the social networking site pinterest.com.

If you’re not familiar with Pinterest, it’s a site where you can create a “board” and you then “pin” video or graphic image files of anything that interests you.

Friends, family and acquaintances can re-pin your pinned interests, and so on…

Recently, cybercriminals have been posting images of Starbucks gift cards and free Coach wallets and purses (handbags, as my wife prefers).

The potential victim will have to visit a particular site to claim their “prize”.

The scam begins when you visit that site: you’re redirected to a website that first requires you to re-pin the image, so their “generosity” spreads further, and then asks you to click a link to a survey site – which is a scam.

Cybercriminals are very adept at scams like these. They know that by asking you to re-pin their pin, the people you know will help spread their scam for them.

Some of the redirects are to CPA (cost-per-action) sites, where the cybercriminals are paid for driving traffic to the site. Other sites the unsuspecting victim is redirected to ask them to install toolbars, backgrounds and other seemingly “harmless” utilities. Cybercriminals also get paid for these installations, as pay-per-install.

Some redirects we followed actually asked for personal information. We believe this could eventually be used to steal identities which are then sold to other cybercriminals.

People always ask us why hackers hack. This is one method they have of making money. While this method may not directly infect or attempt to infect your computer, it feeds the cybercriminals with more income.

If you’ve followed any of these, please share your experience below. If you know someone who is using Pinterest.com, please let them know about this scam.

Thank you.


“you need to pay for this crypt” infection

We’ve been seeing a lot of this lately, infected websites that have the wording,

you need to pay for this crypt

over and over a few times across the top of the webpages.

This is usually accompanied by some script tags that try to infect the visitor with the Blackhole Kit. (The Blackhole Kit is an exploit kit used by hackers to try to infect the visitor’s browser with a variety of viruses, trojans and other malware.)

On WordPress websites we’ve seen this in the index.php files all over the website. It’s an indication that your website has been infected and needs to be cleaned and hardened.

You can begin by removing the malscript immediately preceding this text. Look at wp-content/index.php, which is normally about 30 bytes; with anything malicious in it, the file will be much larger.
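A simple way to find the files that need cleaning is to walk the site for every index.php that either contains the marker text or is much larger than the expected 30 bytes. The script below is an added example written for this post, not the authors’ own tooling; it builds a throwaway directory tree with one clean and one constructed “infected” index.php so it runs offline, and the 100-byte size threshold is an assumption you can tune.

```python
import os
import tempfile

# Marker text described in the post; the injected script sits immediately before it.
MARKER = "you need to pay for this crypt"
# A clean wp-content/index.php is about 30 bytes ("<?php // Silence is golden.").
# Anything well above that deserves a look. The threshold is an assumption.
SIZE_THRESHOLD = 100


def scan_index_files(root):
    """Walk `root` and return (relative path, size, has_marker) for every
    index.php that contains MARKER or exceeds SIZE_THRESHOLD bytes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != "index.php":
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            with open(path, "rb") as fh:
                has_marker = MARKER.encode() in fh.read()
            if has_marker or size > SIZE_THRESHOLD:
                findings.append((os.path.relpath(path, root), size, has_marker))
    return sorted(findings)


def build_sample_site():
    """Construct a temporary tree: a clean wp-content/index.php and a
    constructed infected wp-content/themes/demo/index.php. Returns the root."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    clean_dir = os.path.join(root, "wp-content")
    os.makedirs(clean_dir)
    with open(os.path.join(clean_dir, "index.php"), "w") as fh:
        fh.write("<?php\n// Silence is golden.\n")

    infected_dir = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(infected_dir)
    with open(os.path.join(infected_dir, "index.php"), "w") as fh:
        fh.write("<?php\n// Silence is golden.\n")
        # Constructed stand-in for the injected script tag, not a real payload.
        fh.write("<script>/* constructed placeholder for injected script */</script>\n")
        fh.write((MARKER + " ") * 3 + "\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, size, marker in scan_index_files(site):
        print(f"{rel}: {size} bytes, marker={'yes' if marker else 'no'}")
```

Point the scan at your WordPress document root instead of the sample tree; every reported file should be inspected and cleaned, and the size-only hits tell you where injected code may have been placed without the marker text.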

Then, make certain that your WordPress is updated and all plugins too.

We’ve also been seeing many WordPress sites infected due to hackers logging into their wp-admin.

Why?

Because there are still many people who believe that having admin as a user and admin as a password is acceptable. Too many people believe that, “Hackers only want the bigger, more heavily visited websites. They won’t bother with mine.”

People. Hackers want all websites. The amount of “low-hanging fruit” needs to be drastically reduced – or better yet, eliminated.

Change your passwords immediately. Make them strong. Make them at least 10 characters and use upper case, lower case, numbers and some punctuation. Take some phrase and convert to a combination of the above.

Take for instance the movie Oceans 11. That can be converted into:

0c3@n$_elEv3N_+h3_MoV1E

Yes, it’s more difficult to remember. But what’s worse? Remembering your password, or having your website constantly infected?
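The rules above (at least 10 characters, upper case, lower case, numbers and some punctuation) are easy to enforce before a password is accepted. The checker below is an added example for this post, not the authors’ code; it reports which of those rules a candidate password misses, using the post’s own Oceans 11 example and the admin/admin case it warns against as constructed inputs.

```python
import string

MIN_LENGTH = 10  # minimum length from the post


def password_gaps(candidate):
    """Return the list of rules from the post that `candidate` fails.
    An empty list means every rule is satisfied."""
    gaps = []
    if len(candidate) < MIN_LENGTH:
        gaps.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        gaps.append("an upper-case letter")
    if not any(c.islower() for c in candidate):
        gaps.append("a lower-case letter")
    if not any(c.isdigit() for c in candidate):
        gaps.append("a number")
    if not any(c in string.punctuation for c in candidate):
        gaps.append("some punctuation")
    return gaps


def credential_acceptable(username, candidate):
    """Reject the password when it equals the username (the admin/admin case)
    or fails any rule from the post."""
    if candidate.lower() == username.lower():
        return False
    return password_gaps(candidate) == []


if __name__ == "__main__":
    # Constructed inputs: the post's example conversion and the default it warns about.
    for user, pw in [("admin", "0c3@n$_elEv3N_+h3_MoV1E"), ("admin", "admin")]:
        print(f"{user}/{pw}: ok={credential_acceptable(user, pw)} missing={password_gaps(pw)}")
```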

If you need help cleaning up from an infection, please email me at traef@wewatchyourwebsite.com.

Thank you.


Proper use and configuration of timthumb.php

With many themes using the timthumb.php and thumb.php files, we thought we should update our readers with the latest on timthumb.php.

First, make certain you have the latest:
http://timthumb.googlecode.com/svn/trunk/timthumb.php

As of this post, the current version is 2.8.9.

Open that file and inside you’ll see this line, which lets you verify you have the correct version:

define ('VERSION', '2.8.9');

Scroll down a few lines and you’ll see:

if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false

This means that if the ALLOW_EXTERNAL parameter is set to TRUE, like it is here, and the parameter ALLOW_ALL_EXTERNAL_SITES is false, then timthumb.php will check the included link to see if it’s in the list of ALLOWED_SITES.

If you look at the next line down in this file you’ll see:

if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure

With these 2 parameters set the way they are, timthumb.php will only show files from the list of ALLOWED_SITES. Next we need to examine the sites listed in ALLOWED_SITES.

Scroll down a few more lines and you’ll see:

// If ALLOW_EXTERNAL is true and ALLOW_ALL_EXTERNAL_SITES is false, then external images will only be fetched from these domains and their subdomains.
if(! isset($ALLOWED_SITES)){
    $ALLOWED_SITES = array (
        'flickr.com',
        'staticflickr.com',
        'picasa.com',
        'img.youtube.com',
        'upload.wikimedia.org',
        'photobucket.com',
        'imgur.com',
        'imageshack.us',
        'tinypic.com',
        'yourdomainhere',
    );
}

Now in the line where we have ‘yourdomainhere’, replace that with your website domain. For us, it would be ‘wewatchyourwebsite.com’. One thing to note here: if you don’t ever expect to load images from the other sites, delete them as well while you’re in here.

What we’ve done is to allow timthumb.php to show files that are stored on your website and on the sites listed above. Any other domain will not be accepted and will not show. If you don’t do this, then hackers could include files from their websites and infect your website with their malicious code.
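To make the effect of the two flags and the ALLOWED_SITES list concrete, here is an added example, written for this post rather than taken from timthumb.php, that applies the rules as the post explains them to an image URL: external fetching off means no external host is accepted, ALLOW_ALL_EXTERNAL_SITES on means any host is, and otherwise the host must be one of the listed domains or a subdomain of one. The list mirrors the post’s, with ‘yourdomainhere’ replaced by the post’s own example domain; the treatment of a URL without a host as a local file, and all the test hostnames, are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# The post's ALLOWED_SITES with 'yourdomainhere' replaced by its example domain.
ALLOWED_SITES = [
    'flickr.com',
    'staticflickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
    'photobucket.com',
    'imgur.com',
    'imageshack.us',
    'tinypic.com',
    'wewatchyourwebsite.com',
]


def host_allowed(host, allowed=ALLOWED_SITES):
    """True if `host` is one of the allowed domains or a subdomain of one.
    Matching is on the exact host or a '.'-bounded suffix, so a host that
    merely contains or starts with an allowed name does not pass."""
    host = host.lower().rstrip(".")
    for site in allowed:
        site = site.lower()
        if host == site or host.endswith("." + site):
            return True
    return False


def fetch_allowed(src, allow_external=True, allow_all_external=False,
                  allowed=ALLOWED_SITES):
    """Decide whether an image URL may be fetched under the post's two flags.
    A src with no host is treated as a local file on this site (assumption)."""
    host = urlsplit(src).hostname
    if host is None:
        return True
    if not allow_external:          # ALLOW_EXTERNAL = false: no external fetches at all
        return False
    if allow_all_external:          # ALLOW_ALL_EXTERNAL_SITES = true: the "less secure" setting
        return True
    return host_allowed(host, allowed)


if __name__ == "__main__":
    # Constructed sample URLs, not real image locations.
    for src in ["http://farm1.staticflickr.com/a.jpg",
                "http://cdn.example.net/a.jpg",
                "/wp-content/uploads/a.jpg"]:
        print(f"{src}: {fetch_allowed(src)}")
```

The suffix check is the part worth keeping in mind when you add your own domain: ‘wewatchyourwebsite.com’ in the list covers that domain and its subdomains only, which is exactly the behaviour the comment in the file describes.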

This version of timthumb.php does use a non-web folder for cache, so it is more secure, but configuring it this way adds another layer of protection to your site, and we do believe in defense in layers.

If you have questions about this information or you’re having trouble configuring it properly for your site, please post a comment and we’ll help you.

Thank you for reading.