Tuesday, August 31, 2010

'LOL Is This You?' Spam Spreading Via Facebook Chat


Facebook on Friday afternoon was investigating what appeared to be a new spam scheme that results in users getting messages from friends over Facebook chat that have malicious links.

The messages say "LOL is this you?" and are accompanied by a link that looks like it leads to a video on Facebook, one victim told CNET. In his case, clicking the link directed to a Web page with a "404-Page Not Found" error message and his account sent the spam out to at least one of his friends, he said.

The spam was also reported on Twitter, but at this point the outbreak seems to be minor.

A Facebook spokesman said the company is looking into the matter.

The spam message is similar to ones used in several phishing attacks on Twitter in February.

Update 10:07 a.m. PDT August 30: A Facebook spokesman provided this comment over the weekend:

"The Chat messages were being sent from compromised accounts and included a link to an application on Facebook that has now been disabled. We disable spam applications as soon as they're reported to us or surfaced by our automated systems and before the scammers can get very far. We also quickly delete malicious links across the Facebook site, and when we detect that an account may be compromised, we block access to it and put the owner through a series of remediation steps."


Read more: http://news.cnet.com/8301-27080_3-20014977-245.html?tag=mncol;title#ixzz0yDnPv6yt

Wednesday, August 25, 2010

Rustock Botnet Responsible For 39 Percent Of All Spam

Botnets are now responsible for sending 95 percent of all spam, up from 84 percent in April, and almost half of that spam comes from a single botnet, Rustock.

Rustock sent 41 percent of the world's botnet spam in August, up from 32 percent in April. This is despite the network actually shrinking in size from 2.5 million to 1.3 million bots over the same period, security company Symantec said on Tuesday. This means Rustock is currently responsible for 39 percent of all the world's spam e-mails.

"Overall, the total amount of spam in circulation is down slightly from the previous quarters as most botnets have reduced their number of bots, [but] one exception is Rustock, which has decreased its number of bots, but increased its [spam] volume," according to Paul Wood, a MessageLabs Intelligence senior analyst for Symantec Hosted Services. Rustock has been responsible for a 6-percent increase in spam e-mails per day, he said in a statement.

Tuesday, August 17, 2010

Sophos Flags Facebook 'Dislike Button' Scam


Security firm Sophos has highlighted yet another scam that's zipping around Facebook in the form of a third-party application, this one spreading in the form of links claiming to be from friends that encourage members to install a Facebook "dislike button."

Sophos wrote about the scam in a blog post Monday, pointing out that a link to it tends to appear in wall posts that appear to be from the user's friends ("I just got the Dislike button, so now I can dislike all of your dumb posts lol!!") but which are actually automated messages from friends who have already been duped. The scam's purpose is to force users to complete a survey contained in the application, a bit of trickery that has already been known to be perpetuated through scam links like "Justin Bieber trying to flirt" and "Anaconda coughs up a hippo," the two of which presumably would be enticing to rather different demographics of Facebook users.

As Facebook's surging membership numbers have blazed past 500 million around the world, its channels of fast social connection and messaging have become a prime target for scammers and viruses. This one's particularly nasty because a "dislike button," offering some kind of counterpoint to Facebook's own "like" button, is something that many members have been clamoring for.

Beyond tricking users into completing a survey, and in the process gaining access to their profiles and the ability to spam their friends, there doesn't appear to be much about the scam that's dangerous. Eventually, after the user completes the survey, it does redirect to FaceMod, the maker of a Facebook-based "dislike" button that takes the form of a Firefox browser plug-in. Sophos points out that the scam does not appear to have any direct connection to FaceMod.

"If you really want to try out FaceMod's add-on (and note - we're not endorsing it, and haven't verified if it works or not), get it direct from the Firefox Add-ons Web page, not by giving a rogue application permission to access your Facebook profile," the Sophos post by analyst Graham Cluley read.

Monday, August 9, 2010

iPhone Jailbreak Could Double As Security Hole

The jailbreak for the iPhone released over the weekend may have exposed a flaw in the iPhone's mobile Safari browser.

Unlike previous jailbreaks, which required the iPhone to be connected to a computer to run the software update, the latest jailbreak, posted by the iPhone Dev Team at Jailbreakme.com, is accomplished via the Safari browser loaded on the device.

But the fact that it can be performed just through Safari, and the way it's done, points to a larger problem, as several CNET readers and listeners wrote in to point out on Tuesday. It means potentially anyone could control your iPhone (or iPod Touch or iPad) just by visiting a certain Web page. A site can present the exploit as a simple PDF link, which requires no explicit user action short of clicking that link. It can then launch an exploit that takes advantage of the way the PDF viewer loads fonts.

The end result is that the program can then have unrestricted access to your iPhone or iPad or iPod Touch on virtually all versions of iPhone firmware, short of the iOS 4.1 beta, currently in the hands of developers for testing.

When reached for comment, an Apple representative said Apple is "aware of the reports and is investigating." We'll update if we hear more.

"It's really serious," said Charlie Miller, a principal analyst at Independent Security Evaluators, who was the first person with a public remote exploit for the iPhone.

There are two distinct vulnerabilities and two distinct exploits, he told CNET. One flaw is in the way the browser parses PDF files, enabling the code to get inside a protective sandbox, and the other hole allows code to break out of the sandbox and get root, or control, privileges on the device, he said.

"Basically, the way the iPhone is made to be secure is through several layers of defense, so even if someone were to compromise your Web browser, it limits what they can do," Miller said.

"There are a lot of people known for doing iPhone research, but I've never heard of this guy," Miller said, referring to whoever created the iPhone 4 jailbreak. "It goes to show you that for every researcher who is known, there are a bunch of others who know the same stuff and probably more"--and whose intentions might not be honorable, he said.

While this exploit is not malicious, other hackers could take the software, reverse-engineer it, and then release an exploit that takes control of the device for nefarious purposes.

"Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks/malware/uses," David Marcus, security research and communications manager at McAfee, wrote in a blog post.

"This should serve as a wake-up call for anyone with a mobile device: remote exploitation is real and here to stay," he wrote. "For now, these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world."

Monday, August 2, 2010

Microsoft Plugs Windows Shortcut Hole

As planned, Microsoft released a fix on Monday for a critical Windows vulnerability that was being exploited by a fast-spreading virus and other malware.

The software patch fixes the way Windows Shell handles shortcut files, which are links to a file represented by an icon and implemented with the .lnk extension. Attackers exploiting the hole could take complete control of the computer, the security advisory said.

An attacker could disseminate a USB or other removable drive with a malicious shortcut file on it, and when the target victim opens the drive in Windows Explorer or any other application that parses the icon of the shortcut, the malicious code would execute on the victim's computer. An attacker could also embed malware in a malicious Web site, a remote network share, or a Microsoft Word document, Microsoft said.
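The passage above describes why a shortcut is dangerous before anyone double-clicks it: Explorer (and anything else that draws folder contents) reads the file to find its icon. A defender triaging an unknown removable drive therefore wants an inventory of the .lnk files on it and, for each, where its icon and target strings point. The following is an added example, not code from the CNET article or from Microsoft: a minimal reader for the Shell Link binary format (the 76-byte header, the optional ID-list and link-info blocks, and the string-data section) plus a triage routine that flags shortcuts carrying their own icon source, especially a UNC path to a remote share. The sample shortcuts are constructed in memory for the demonstration; the share and file names in them are invented, and the cp1252 fallback for non-Unicode strings is an assumption about the drive's original code page.

```python
"""Inventory and triage Windows shortcut (.lnk) files on a removable drive."""
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Low bits of the LinkFlags field (MS-SHLLINK 2.1.1), in bit order
LINK_FLAGS = [
    "HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
    "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode",
]
# StringData fields, in the order they appear in the file when present
STRING_FIELDS = [
    ("HasName", "name"), ("HasRelativePath", "relative_path"),
    ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
    ("HasIconLocation", "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the header flags and string-data fields of one .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags = {name for bit, name in enumerate(LINK_FLAGS) if link_flags & (1 << bit)}
    pos = LNK_HEADER_SIZE
    if "HasLinkTargetIDList" in flags:        # 2-byte size, then that many bytes
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if "HasLinkInfo" in flags:                # 4-byte size that includes itself
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    unicode = "IsUnicode" in flags
    result = {"flags": flags}
    for flag, key in STRING_FIELDS:           # 2-byte char count, then the chars
        if flag not in flags:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {key} string")
        # cp1252 for the non-Unicode case is an assumption about the source system
        result[key] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return result


def is_shell_link(data: bytes) -> bool:
    """True when the bytes parse as a well-formed shell link."""
    try:
        parse_lnk(data)
        return True
    except ValueError:
        return False


def triage(data: bytes) -> list:
    """Findings an analyst would want to see before touching the shortcut."""
    info = parse_lnk(data)
    findings = []
    icon = info.get("icon_location", "")
    if icon:
        findings.append(f"custom icon source: {icon}")
        if icon.startswith("\\\\"):
            findings.append("icon source is a UNC path (remote share)")
    if info.get("arguments"):
        findings.append(f"passes arguments: {info['arguments']}")
    return findings


def scan_drive(root: Path) -> dict:
    """Map each .lnk under root to its findings (or a parse error message)."""
    report = {}
    for path in root.rglob("*.lnk"):
        data = path.read_bytes()
        report[str(path)] = triage(data) if is_shell_link(data) else ["unparseable"]
    return report


def build_lnk(**strings) -> bytes:
    """Construct a minimal Unicode .lnk holding only the given string fields (test data)."""
    flags = 1 << LINK_FLAGS.index("IsUnicode")
    body = b""
    for flag, key in STRING_FIELDS:
        if key in strings:
            flags |= 1 << LINK_FLAGS.index(flag)
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    return header + bytes(LNK_HEADER_SIZE - len(header)) + body


if __name__ == "__main__":
    # Constructed samples: a plain document shortcut and one pulling its icon from a share
    for sample in (build_lnk(relative_path="..\\docs\\report.docx"),
                   build_lnk(icon_location="\\\\example-share\\icons\\icon.dll", arguments="/x")):
        print(triage(sample))
```

Run `scan_drive(Path("E:/"))` against a mounted drive to get the per-file report; the point of `triage` is not to decide maliciousness but to surface the shortcuts whose icon is resolved from somewhere other than the drive itself, which is the parsing path the article says fires on mere display.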

Originally, the Windows flaw was used to spread the Stuxnet worm via USB drives and it was stealing information from systems running Siemens software used in critical infrastructure companies. Late last week, Microsoft issued a blog post that said there were copycat attacks exploiting the hole, including one involving the Sality.AT virus, which was spreading fast.

The situation was serious enough to prompt Microsoft to release an "out of band" patch instead of waiting a week to fix the hole with its next scheduled Patch Tuesday security update, on August 10.

"Symantec is aware of multiple threats leveraging the vulnerability, and attempted exploitations have steadily increased since the security hole first came to light," said Ben Greenbaum, senior research manager for Symantec Security Response. "One such threat is a new variant of Changeup," a highly destructive threat.

The hole affects all versions of Windows, including Windows 2000 and Windows XP Service Pack 2, which are not supported by Microsoft anymore. Customers using those versions need to upgrade to be protected from the attacks.

"So far, most of the exploits using this vulnerability have been targeting SCADA (supervisory control and data acquisition) systems, and these systems typically run on older operating system versions. These older systems are not being patched today," said Andrew Storms, director of security operations for nCircle. "Utility companies that know they cannot upgrade are fully aware their systems contain a public vulnerability that is being exploited. Utility companies and SCADA vendors are probably scrambling to find a resolution to this problem as quickly as possible."