Posts Tagged ‘hackers’
Bomb Threat SPAM
Cybercriminals are using cleverly crafted SPAM messages to get you to click on a link that supposedly takes you to a Reuters video of bomb blasts in your area.
I say cleverly crafted because the email’s content changes based on the geographic location of the recipient’s IP address. For instance, I received one with a subject line of, “Are you and your friends okay?”.
When I clicked on the link (yes as part of my research), I saw a webpage that showed the Reuters logo with, “Powerful explosion burst in Chicago this morning”. There’s a graphic to see the video with text below that reads, “At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Chicago. Authorities suggested that explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables.”
Scanning through our logs of SPAM for our clients using The Box, we’ve been able to see how the message refers to a different major nearby city depending on where the client receives their email.
Clicking the “video” triggers a download, and the downloaded file is the malware. We’ve identified the trojan as a strain of Waled or Waledac, depending on which AV vendor’s naming you use.
Other subject lines we’ve seen are: “Take Care!”, “At least 18 killed in your city” (which is interesting as all the emails we’ve seen state that 12 have been killed), “I hope you are not in the city now”, “Bomb blast near you” and a host of others.
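The useful thing about a templated lure like this one is that the template, not the city, is what to match on. The filter below is an added example and not the author’s code or anything from The Box: the patterns are built from the subject lines and body sentences quoted above, with the city treated as a wildcard, and the three sample messages are constructed for the demonstration.

```python
"""Signature-based filter for the geo-templated bomb-threat lure.

Added example, not code from the original post or its author's appliance.
The patterns come from the subject lines and body text quoted in the post;
the numbers stayed fixed while the city was swapped per recipient, so the
patterns anchor on the template and capture the city as a wildcard.
The sample messages are constructed for the demonstration.
"""
import re

# Subject lines quoted in the post.
SUBJECT_PATTERNS = [
    r"are you and your friends okay",
    r"take care",
    r"at least \d+ killed in your city",
    r"i hope you are not in the city now",
    r"bomb blast near you",
]
SUBJECT_RE = re.compile("|".join(f"(?:{p})" for p in SUBJECT_PATTERNS), re.I)

# Body sentences quoted in the post, with the city replaced by a capture group.
CITY = r"(?P<city>[A-Za-z][A-Za-z '-]*)"
BODY_PATTERNS = [
    r"powerful explosion burst in " + CITY + r" this morning",
    r"at least \d+ people have been killed and more than \d+ wounded "
    r"in a bomb blast near market in " + CITY,
    r'["“]dirty["”] bomb',
]
BODY_RES = [re.compile(p, re.I) for p in BODY_PATTERNS]


def score_message(subject, body):
    """Count template indicators in one message; also return the captured city."""
    score = 1 if SUBJECT_RE.search(subject) else 0
    city = None
    for rx in BODY_RES:
        m = rx.search(body)
        if m:
            score += 1
            if city is None and "city" in rx.groupindex:
                city = m.group("city").strip()
    return score, city


def is_bomb_lure(subject, body, threshold=2):
    """Two independent indicators (e.g. subject plus one body sentence) is enough;
    a lone "Take Care!" subject on an ordinary mail stays below the threshold."""
    return score_message(subject, body)[0] >= threshold


# Constructed samples: two copies of the lure for different cities, one benign mail.
SAMPLE_MESSAGES = [
    ("Are you and your friends okay?",
     "Powerful explosion burst in Chicago this morning. At least 12 people "
     "have been killed and more than 40 wounded in a bomb blast near market "
     'in Chicago. Authorities suggested that explosion was caused by "dirty" bomb.'),
    ("At least 18 killed in your city",
     "At least 12 people have been killed and more than 40 wounded in a bomb "
     "blast near market in Houston."),
    ("Lunch tomorrow?",
     "Did you see the news about the explosion downtown? Hope everyone is ok."),
]


def classify_samples():
    """Run the filter over the constructed samples: [(subject, is_lure, city)]."""
    return [(subj, is_bomb_lure(subj, body), score_message(subj, body)[1])
            for subj, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subj, flagged, city in classify_samples():
        print(f"{'LURE ' if flagged else 'clean'}  city={city!r}  {subj}")
```

Because the city is captured rather than hard-coded, one rule covers every regional variant of the campaign, and the captured value doubles as a quick way to see which cities a batch of SPAM was targeting.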
We’ve reported before on how cleverly cybercriminals use hype and fear as social engineering to get people to click on their links. Once the link is clicked, the system is infected.
Cyber threats such as these will continue as long as they’re successful at hooking at least a few million people. Hackers are making good money through their craft and will not stop. Using extreme fear and directing visitors to infectious websites will always be a tactic they pull out every once in a while. This will die down, and then in another few months they’ll use some other alarmist strategy and infect some more computers.
That’s what they do.
Social Networks & Social Engineering – Twitter Round 2
Continuing on from Round 1, I decided to take it a step further and show you exactly how susceptible you are to a socially engineered infection through Twitter. Actually it’s more an attack through TinyURL.com, but since Twitter automatically converts URLs in your Tweets (ugh!), it is an attack via Twitter.
For this example, let’s say that a hacker wants to construct a website that references some research on Harvard’s website. It would be on a topic that is of high interest at the moment.
First the hacker (cybercriminal) would use Google Trends (www.google.com/trends) to see what’s hot. As of today (03/02/2009) the list is as follows:
- granville waiters
- nyc doe
- wavy tv 10
- new york city department of education
- dr. seuss birthday
- opm.gov
- wvec
- nyc public school closings
- nyc board of education
- newport news public schools
These are the top 10.
Nothing in there is really eye-catching or covers a broad group of people. I’ll use dr. seuss birthday.
Our cybercriminal would construct some basic information about how Harvard University has created this research paper detailing the events behind Dr. Seuss stories. Our cybercriminal needs something that already carries legitimacy and validation. For this scenario I’m using Harvard University for two reasons: they already carry a huge credibility factor, and they have an open-redirect flaw (reported here as cross-site scripting, XSS) in a page that takes a URL in a query parameter and loads it inside a Harvard-branded frame without checking where it points, which lets me use their URL for redirection.
The cybercriminal would take that URL and, instead of pointing the parameter at another page inside Harvard’s website, use it to send the unsuspecting reader to their malicious website.
Here is the original URL: http://hms.harvard.edu/lshell/WhitePagesdefault.asp?task=staffandfaculty&theurl=
By appending any URL we want to the end of the above string, the link still looks like it sends you to harvard.edu; however, the page passes the appended value straight into its frame, so this vulnerability will actually take you somewhere else.
For instance, if I wanted to send you to my website I would use:
Go ahead and click on that and you’ll see what I mean.
Now, that’s not too bad. If I showed you that link in an email or on my Twitter account, you might not see the end of the URL and just click on it to see what Harvard has to say about Dr. Seuss.
But remember that Twitter uses TinyURL.com, which converts any long URL into a “tiny” one. Plugging that long URL into TinyURL.com gives me:
With TinyURL.com’s preview function I could see the exact URL of the above TinyURL. Maybe you’d see the redirection at the end and maybe not.
Now, our crafty cybercriminal knows that TinyURL.com has this preview function, so he (we’ll assume a male hacker) converts the URL of his malicious website to one you can’t recognize. This is called URL obfuscation (I love using that word).
This would take my URL of http://www.wewatchyourwebsite.com and convert it to its percent-encoded form, in which every character is replaced by a % sign followed by the character’s hexadecimal code: %68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d
If you saw this by itself, hopefully you’d be suspicious and resist the urge to click on it. However, when tacked onto the end of an already long URL, you might just throw caution to the wind and click away.
Our Harvard URL would become:
Which when converted to a TinyURL.com would result in: http://tinyurl.com/bnq5ej
Go ahead and click on that to see what I mean. As of today, that flaw on Harvard’s site has not been fixed, so it will load their frame, but inside will be our home page. Keep in mind that even with TinyURL.com’s preview function, you would only see the obfuscated URL with all the percent signs. This might give you a false sense of security, and you might decide to trust your “gut” and go for it. That’s what the cybercriminal is hoping for.
Obviously our website isn’t going to infect your computer; however, if the redirection URL were to take you to the cybercriminal’s infectious webpage, you’d be infected and not even know it.
To recap, the purpose of this information is to show you the steps a cybercriminal would follow to use social engineering to spread their malware: use Google Trends to find a hot topic, borrow the credibility of some other site (Harvard in this example), use obfuscation to hide their work from people who know what to look for, and use Twitter or some other social networking site to reach as many people as they can.
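The layers described above (a shortener in front, a redirect parameter in the middle, percent-encoding at the end) can be peeled apart without clicking anything. The script below is an added example, not code from the original post: it rewrites a TinyURL to its preview form rather than resolving it, decodes the query string repeatedly so a double-encoded payload (a constructed variant, not one shown in the post) is still caught, and reports when the host the reader sees differs from the host the link really leads to. The Harvard URL and the percent-encoded string are the ones shown above.

```python
"""Peel apart a disguised link: a TinyURL that can be previewed, a URL
carried in a query parameter, and percent-encoding (even nested).

Added example, not code from the original post. It runs offline: a TinyURL
is only rewritten to the preview form, never resolved, and the redirect
check is purely syntactic. The Harvard URL and the encoded string are the
ones shown in the post; the double-encoded variant is constructed.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

HARVARD_BASE = ("http://hms.harvard.edu/lshell/WhitePagesdefault.asp"
                "?task=staffandfaculty&theurl=")
ENCODED_TARGET = ("%68%74%74%70%3a%2f%2f%77%77%77%2e%77%65%77%61%74%63%68"
                  "%79%6f%75%72%77%65%62%73%69%74%65%2e%63%6f%6d")


def full_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing (catches %2568-style nesting)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_url(value):
    return value.lower().startswith(("http://", "https://", "//"))


def find_redirect_params(url):
    """[(name, destination)] for query values that decode to an absolute URL."""
    query = urlsplit(url).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = full_decode(raw)          # parse_qsl already decoded once
        if looks_like_url(decoded):
            hits.append((name, decoded))
    return hits


def analyze(url):
    """Report the host a reader sees versus where the link actually leads."""
    parts = urlsplit(url)
    shown_host = (parts.hostname or "").lower()
    report = {"shown_host": shown_host, "destination": url,
              "redirect_param": None, "preview": None, "mismatch": False}
    if shown_host in ("tinyurl.com", "www.tinyurl.com"):
        # Do not follow it; point the reader at the preview page instead.
        report["preview"] = "http://preview.tinyurl.com" + parts.path
        return report
    hits = find_redirect_params(url)
    if hits:
        name, dest = hits[0]
        report["redirect_param"] = name
        report["destination"] = dest
        dest_host = (urlsplit(dest).hostname or "").lower()
        report["mismatch"] = dest_host != shown_host
    return report


if __name__ == "__main__":
    for link in (HARVARD_BASE + ENCODED_TARGET, "http://tinyurl.com/bnq5ej"):
        print(analyze(link))
```

Run on the Harvard link it reports shown_host hms.harvard.edu with destination http://www.wewatchyourwebsite.com and mismatch set, which is exactly the discrepancy the preview page shows you only as a run of percent signs. The decode loop is bounded so a crafted value cannot keep it spinning.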
As stated earlier, this isn’t so much a vulnerability of Twitter as it is with TinyURL.com, but since Twitter uses TinyURL.com, it does reflect back on them.
Any comments, questions or remarks? Please post them (unless it’s SPAM).
Social Networks & Social Engineering – Twitter Round 1
My first review will be Twitter. I selected Twitter because it’s widely used and even easier for social engineering than some of the others.
First a little background on Twitter. Many people categorize Twitter as a “micro” blog. This means you can post short (140 character) messages that communicate your current thoughts, actions, wants or needs.
From their website Nicholas Carr describes it as “the telegraph system of Web 2.0” while the New York Times states, “It’s one of the fastest growing phenomena on the Internet.”
The first thing I noticed about Twitter is that most links posted by members are the shortened version of a full URL. Some of the more popular sites for these services are:
- TinyURL.com
- bit.ly
- get-shorty.com
- SnipURL.com
These services take a URL like: http://www.wewatchyourwebsite.com/defacements/HackedByAL-GaRNi-sample-2.jpg and convert it to something like: www.tinyurl.com/88888
Using these shortened URLs on Twitter leaves members room, within the character limit, to include some description with their link.
I’ve always had a problem with these shortened URLs. Having seen numerous SPAM messages with embedded shortened URLs in order to evade detection, I set out to investigate further.
You never know what the ultimate destination is when clicking on these links. You could easily be led to an infectious webpage. Infectious websites are one of the most popular tactics of cybercriminals to deliver their malware.
I scanned our SPAM traps for messages that included these shortened URLs. I used one of our secured systems to see where these links ultimately delivered my browser.
Much to my surprise, all of the links that used TinyURL.com delivered the following message:
“The TinyURL (shows link) you visited was used by its creator in violation of our terms of use. TinyURL has a strict no abuse policy and we apologize for the intrusion this user has caused you. Such violation of our terms of use include:
- Spam – Unsolicited Bulk E-mail
- Fraud or Money Making scams
- Malware
- or any other use that is illegal”
This tells me that they’re either policing their links or that they actually take action on misuse of their service – this is awesome. I suggest that before clicking on any TinyURL, replace tinyurl.com with preview.tinyurl.com. For instance if you see a link like: http://www.tinyurl.com/8888, before clicking on it, change the URL to: http://preview.tinyurl.com/8888. The resulting webpage will show you exactly where the link will take you with a link that says, “Proceed to this site.”
I know this is somewhat of an inconvenience, but so is having your PC sending millions of SPAM messages after you’ve been added to a huge botnet.
You see, with any security situation, you always have to consider the risk involved when the potentially weakest link is the responsibility of someone else.
With these shortened URLs, you’re depending on the URL shortening service to provide you with some level of protection.
One other service I investigated, SnipURL.com clearly states on their website:
“SnipURL has a number of operational functions in place to protect the confidentiality of information. However, perfect security on the Internet does not exist, and SnipURL does not warrant that its site is impenetrable or invulnerable to hackers.”
At least they admit that perfect security does not exist, but don’t think that you’re safe clicking on a shortened URL link.
I believe that any free service is going to be exploited by cybercriminals. I’ve seen many times where even fee based services are abused by cybercriminals.
You had better fully trust the person or organization behind the Twitter posting before you blindly click on a shortened link on their site, because you’re relying on the poster, on Twitter, and on the shortening service. If that little bird in your head is telling you to be careful, you shouldn’t be clicking on it no matter how important you think it might be.
Have you had situations of a security breach on Twitter? If so, let us know by posting a comment.
Social Networks & Social Engineering – What a Pair
When we started this service we knew that one of our main goals was to “get the word out” on how websites have been in the line of fire for cybercriminals. We published a report, “How Cybercriminals Use Your Website to Distribute their Malware”, but found not many people were interested in what we had to say. We blamed it on a “head in the sand” mentality.
We looked to the Internet Marketing world to see how they do it. Some of them have actually sold thousands of e-books for as much as $27 a piece. They must know some secret that we didn’t.
Our studying introduced us to the works of some big name Internet Marketers (IMers). Names like Frank Kern, Jeff Walker, Brian Clark, Yanik Silver and many others all seemed to resonate one key strategy – build community. One of their favorite strategies is using social networks to build this community of loyal followers.
I shouldn’t say it’s one of their strategies, it’s one of their tactics. Their strategy is to always provide something of value. Social networks are just one way they suggest you use to distribute your valuable message.
Using social networks seemed like a great idea so I set out to explore this value distribution tactic. I did this with my ever present security guard on – that’s how I roll.
My exploration included sites like: Twitter, MySpace, Facebook, LinkedIn and FastPitch.
Over the next few weeks I’ll be revealing my findings and then suggest ways (tactics) you can protect your informational assets while taking advantage of social networks.
I titled this posting “Social Networks & Social Engineering – What a Pair” because many of the tactics of cybercriminals revolve around social engineering, which is the art of deceiving others into taking an action, such as clicking on a link, that they believe is safe.
As I write this, I’ve been bombarded with emails claiming that people received errors while trying to view my profile on Facebook. The pitch is that when someone clicks on your profile they get an error, and that they can find out the cause by installing the “Error Check System”. You’ll get notifications that “X” number of people have been getting errors while viewing your profile and that this “application” will help you determine the cause.
If you Google “Error Check System” Facebook, at least one of the links takes you to an infectious website that displays a message telling you you’re infected with a virus and offers to scan your system. Of course, this is a social engineering attempt: if you agree to the “scan”, you’ll be downloading a virus. This has been a very popular tactic of cybercriminals lately. They have even started creating websites that offer reviews of anti-virus software – more social engineering, to earn your trust.
I thought the timing of this Facebook “Error Check System” scam was perfect for me to start this series.
Come on back and read the follow-ups.
If you’ve had any experiences with one of the social networking sites, post a comment and let us know.
Malware and Internet Marketing Methods
Everyone knows that in order to be successful online you have to have visitors and buyers – makes sense right?
In working toward getting this site more visitors and thus more buyers (clients) I’ve studied many of the methods that some of the top Internet Marketing people have promoted. Building a community of readers is one way of getting and keeping visitors.
People like Frank Kern, Jeff Walker and many others promote using Web 2.0 to promote your site. They recommend and use sites like Twitter and Facebook. I’ll admit to having an account on both sites and I try to make some worthy posts on both, however, the security gnome inside me keeps wondering how safe are these sites. Okay, there’s no wondering, I know how safe they aren’t.
I personally know of many people who have been burned by fake emails purporting to be from someone they know, or someone who found them on Facebook, telling them to view a video online or view a document online only to fall victim to this social engineering tactic and become infected. When you see the amount of infected websites that I see everyday, you might be less likely to just click on any website.
For instance, Twitter has a message size limit of 140 characters. Many people will post a link when they “Tweet” (ugh!). Often, I’ve seen postings that use TinyURLs. This service lets you turn a very long URL into a short one that points at www.tinyurl.com, which then redirects you to the original link. Any cybercriminal could use this same service (and has) to mask their intended infectious website.
You see cybercriminals are extremely intelligent and crafty. They go where the masses go. If everyone’s going to Facebook, cybercriminals will be all over that site trying to find ways to use Facebook’s strengths to exploit the weakest link in any security strategy – human curiosity. I’ve seen emails with wording like, “Unless you really need to (fill-in the blank) , please don’t click on this link as we can only handle a certain amount of traffic.” And I’m sure they get a lot of people clicking on that link just because they want to know what’s on the other side.
I can’t emphasize it enough. You have to be wary of every email you get that looks like it’s from some social networking site. Every email.
While I agree with Frank Kern and Jeff Walker about using Web2.0 tools to promote your site, I also worry about all those unsuspecting Internet Marketing rookies that will undoubtedly fall victim to some scam running on one of those sites.
Back in December 2008, Facebook users were subjected to the Koobface worm. This worm infected many by sending bogus emails to Facebook users taunting them with subject lines like; “Check you out in this video”. When the user clicks on the link in the email, they’re either redirected to a malware delivery site, or told they need to download a file in order to view the video. The file downloaded is the infection.
Many Facebook walls had these same malicious links posted, so anyone who visited that person’s profile would at least be presented with the infectious offering.
In January of 2009, users of the social networking site LinkedIn were subjected to bogus profiles of some top name celebrities. Names such as: Beyonce Knowles, Victoria Beckham, Christina Ricci, Kirsten Dunst, Salma Hayek and Kate Hudson were among the list of stars with bogus profiles. People clicking on these sites were offered various temptations – each one an infectious present.
Anyone else have any stories about someone falling victim to a social networking, socially engineered attack?
Leave a comment if you have one.
Halloween Costumes and SEO
Not to be left out of the upcoming festivities, hackers are using SEO to infect more people with their fake Anti-virus programs.
For the past week we’ve been monitoring 2 current events – Halloween and the financial crisis.
What we’ve seen is that hackers are infecting legitimate websites that show up in the SERPs when “halloween costume” is the search term. Their infection includes some JavaScript that silently redirects the visitor to one of their websites, which falsely tells the visitor that their computer might be infected and that they should download “their” anti-virus software to improve the speed of the visitor’s computer.
The thing is, the code injected into the legitimate website does more than silently redirect: it also stuffs the page with the keywords it is optimized for, so the hacker is actually making the infected webpage rank higher in the search engines. They use common SEO techniques to attract more people to their infectious webpages.
Another thing we’ve seen, and which has been confirmed by Panda Labs, is the correlation between down days in the stock market and the amount of new malware released. As the market dips, the number of infectious files increases. We’ve been noticing this on our honeypots (computers we leave open on the Internet hoping they’ll get infected so we can further analyze the infection).
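Those two ingredients, a script that sends the browser to another host without a click and a block of keyword-stuffed text the visitor never sees, are also what a scanner should look for on a client’s pages. The scanner below is an added example, not the code behind The Box or WeWatchYourWebsite: its patterns are heuristics, not a full HTML or JavaScript parser, and the sample pages (including the hostnames in them) are constructed for the demonstration.

```python
"""Flag pages that pair a script-driven redirect to another host with
keyword-stuffed text hidden from the reader.

Added example, not the author's scanner. The regexes are heuristics over
raw HTML rather than a parser; the sample pages and their hostnames are
constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Assignments/calls that move the browser elsewhere with no user action.
REDIRECT_RE = re.compile(
    r"""(?:window\.location|document\.location|location\.href|location\.replace)"""
    r"""\s*[=(]\s*['"]([^'"]+)['"]""", re.I)
# Elements styled so the visitor never sees them (search engines still do).
HIDDEN_RE = re.compile(
    r"""<(?:div|span|p)[^>]*style\s*=\s*['"][^'"]*"""
    r"""(?:display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)"""
    r"""[^'"]*['"][^>]*>(.*?)</(?:div|span|p)>""", re.I | re.S)


def external_redirects(html, page_host):
    """URLs assigned to location inside <script> that leave the page's own host."""
    found = []
    for script in SCRIPT_RE.findall(html):
        for target in REDIRECT_RE.findall(script):
            host = (urlsplit(target).hostname or "").lower()
            if host and host != page_host.lower():
                found.append(target)
    return found


def hidden_keyword_blocks(html, keywords, min_hits=3):
    """Hidden elements whose text repeats the watched keywords: [(hits, excerpt)]."""
    blocks = []
    for inner in HIDDEN_RE.findall(html):
        plain = re.sub(r"<[^>]+>", " ", inner).lower()
        hits = sum(plain.count(k.lower()) for k in keywords)
        if hits >= min_hits:
            blocks.append((hits, " ".join(plain.split())[:60]))
    return blocks


def scan(html, page_host, keywords):
    """Both indicators together is the pattern described in the post."""
    redirects = external_redirects(html, page_host)
    stuffed = hidden_keyword_blocks(html, keywords)
    if redirects and stuffed:
        verdict = "suspicious"
    elif redirects or stuffed:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "redirects": redirects, "stuffed": stuffed}


# Constructed: an infected shop page. The rogue-AV host is made up.
INFECTED_PAGE = """<html><head><title>Costume Shop</title>
<script type="text/javascript">
window.location = "http://scan-your-pc.example/av/?kw=halloween+costume";
</script></head>
<body><h1>Welcome</h1>
<div style="position:absolute; left:-5000px;">halloween costume cheap halloween costume
adult halloween costume kids halloween costume</div>
<p>Our catalog is below.</p></body></html>"""

# Constructed: a clean page with a same-site, relative redirect.
CLEAN_PAGE = """<html><head><title>Costume Shop</title>
<script>if (loggedIn) { window.location = "/account"; }</script></head>
<body><p>Halloween costume sale this week.</p></body></html>"""

if __name__ == "__main__":
    for page in (INFECTED_PAGE, CLEAN_PAGE):
        print(scan(page, "costumeshop.example", ["halloween costume"]))
```

Either indicator on its own only earns a “review”, because legitimate sites do redirect to other hosts and do hide elements with CSS; it is the combination, a hidden block of search terms next to an unconditional jump off-site, that matches what this post describes. A real scanner would also fetch the page the way a search engine and a browser each see it, since the redirect is often only served to one of them.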
This kind of runs parallel with the halloween costume scenario. What the hackers are doing during the dips in the market are making “available” their rogue (read fake) anti-malware software via various infected webpages.
Instead of going after banking logins and other such useful information they’re (the hackers) interested in “legitimizing” their business by selling their rogue anti-malware. First they have to convince the visitor that their computer is infected, then they offer an immediate solution.
Ingenious!
Following standard marketing strategies, the hackers are actually making the visitor aware of a need and then offering a quick solution – for $60.
According to Panda Labs, they estimate that this marketing strategy has made the hackers approximately $14 million a month. I’m not sure I follow their math, but regardless, the hackers are making money.
I believe that the financial crisis is creating more fear about identity theft and therefore making this strategy more effective during the down cycles in the market.
Just so you know, our honeypots are client honeypots: they are fed popular keywords based on current events, visit the resulting webpages, and record the activity. That’s what we base our information on.
It’s a fun way of spying on the hackers, and it’s what we use in our security appliance “The Box” to blacklist websites and malicious code. It’s what we use in WeWatchYourWebsite to find malicious code. We then search all of our clients’ websites looking for this malicious code. If any is found, we alert them immediately.
Be careful out there. It’s getting real nasty.
Are you really safe online?
According to a recent report by McAfee, here are some extremely interesting statistics:
- 92% of users surveyed believed their anti-virus software was up to date, but only 51% had updated their anti-virus software within the past week
- 73% of users surveyed believed they had a firewall installed and enabled, yet only 64% actually did
- About 70 % of PC users believed they had anti-spyware software, but only 55% actually had it installed
- 25% of users surveyed believed they had anti-phishing software, but only 12% actually had the software
- 42% of businesses surveyed dedicate just one hour a week to proactive IT security management, despite the fact that 21% acknowledged an attack could put them out of business
- 44% of businesses surveyed think cybercrime is only an issue for larger organizations and does not affect them
- 52% of businesses surveyed believe that because they are not well-known, cybercriminals will not target them
- 45% of businesses surveyed do not think they are a “valuable target” for cybercriminals
- 46% of businesses surveyed do not think they can be a source of profit for cybercriminals
Interesting aren’t they?
If you’re a member of the 51% who updated their anti-virus software within the past week, you should still read Secunia’s results from testing 12 security suites. Their report states that after running 300 different exploits against 12 major security suites, the best suite blocked more than 10 times as many as the next closest competitor – and it only blocked 64 out of the 300!
Here’s their report: http://secunia.com/gfx/Secunia_Exploit-vs-AV_test-Oct-2008.pdf
Do a Google search using “evading anti-virus”. In the SERPs you’ll see tutorials on how to make a virus, trojan or worm undetectable by current anti-virus software. There are specific steps.
Here’s an article about how one strain of worm was undetectable: http://arstechnica.com/news.ars/post/20080408-new-kraken-worm-evading-harpoons-of-antivirus-programs.html
In the darker forums where we lurk as part of our security research, we’ve seen numerous “how to’s” on evading detection. Many of them are so simple that anyone with just a little computer knowledge could create their own undetectable virus.
Many of the cybercriminal “mobs” offer to recreate their malware if you buy it and then find that it’s detectable by anti-virus software.
If you’re one of the 64% that actually had a firewall installed, how was it configured? If you’re like most people, you have the default firewall settings and you never, ever read the logs to see how people are trying to get in. Most of the people we’ve talked with reply by saying, “My firewall has logs?”
Has your firewall ever been tested? I guarantee it has been by a hacker, but have you ever had it tested? Have you had a security scan performed on your firewall? In the security world, we believe that an untested firewall is no security at all.
If you’re one of the 21% that acknowledged an attack could put you out of business and you only spend 1 hour a week in proactive security management, I’d like to say you’ll get what you deserve but that would be rude and a little – “in your face”.
The fact is, you could be “hacked” right now and you wouldn’t even know it. Maybe an attack wouldn’t put you out of business, but I’m sure it will cost you a lot more than preventative security management would have cost you.
In risk management, isn’t it true that if prevention costs you less than the potential problem, it becomes a no-brainer to move forward with the prevention?
If you’re one of the 44% of businesses that think cybercrime is only an issue for larger organizations, I have to ask you this, “Where do you think most of the attacks on larger organizations are launched from?” The answer: hacked systems in smaller organizations.
If you’re one of the 52% of businesses that believe since you’re not well-known cybercriminals will not target you, I will tell you to Google the term, “security through obscurity”, or “security by obscurity”. Read everything you can about your adopted security strategy.
Cybercriminals find “hackable” computers by scanning IP addresses. Yes, sometimes, they will target a specific site, but generally, they just look for computers that have openings.
If you’re one of the 45% or 46% who think you’re not valuable to a cybercriminal, answer me this, “Do you turn your back on smaller sources of income?”
Hackers hack for money. Gone are the days when they would hack strictly to create havoc. They now make money from their craft. In some cybergangs, it’s believed that the money they make from one income stream is $150,000,000 (that’s right million).
Just as you might find every email address on your list valuable, they too find every computer that they control valuable. To you, the money is in the list. To cybercriminals, the money is in their botnet (their network of remotely controlled computers). Every controlled computer, whether a server or a PC, is important to them.
I still find that one of the easiest ways for hackers to deface or hack a website is by logging in as you. They infect as many computers as possible. Then when you login to your website, they record your credentials and then just login as you. It’s that simple. How do they find your computer to infect it in the first place?
They don’t know who you are or where you live. They just hack as many computers as they can and the odds are, with so many people starting web based businesses, that some of the computers they infect will belong to people who own one or more websites.
It really is that simple.
If you still think you’re safe online, then keep doing what you’ve always done and you’ll keep getting what you’ve always gotten – whether you know it or not.
That’s a fact.
If you disagree, please tell me your comments.