Category Archives: SEO

Mac malware: Same shizzle, different dizzle.

You may have read in the press recently about the Mac Defender scareware that is affecting many OSX users, to the extent that Apple have even promised to deliver a removal tool and a fix to their customers. Trend Micro’s Smart Surfing  for Mac has been protecting against this threat from the outset, both by detecting and blocking the malicious files, but also importantly by blocking access to the criminal websites being used to propagate this threat. You may be surprised to hear though that Mac Defender is not the first “scareware” application targeting Mac users and trying to trick them into parting with their cash and their credit card details.
 
Malware for Mac OSX is nothing new, and the increasing popularity of the platform is driving criminal interest. In addition to Mac Defender (May 2011), there are already several threats in the wild that affect Mac OS X, the Leap worm (Feb 2006) that propagates through iChat , the RSPlug Trojan (Oct 2007), that drops DNS changing malware,  the MacSweeper & IMunizator (Jan & Mar 2008) scareware, Jahlav (Dec 2008) another DNS changing malware, Krowi (Jan 2009) responsible for the first Mac OS botnet and HellRTS (April 2010) another Trojanised installer, this time for iPhoto which gives attackers remote control over the infected computer.
 
MacSweeper, IMunizator and now Mac Defender are typical scareware Trojans. In 2008 they were delivered by malicious advertisements and in 2011 criminals have adopted the tried and tested tactics so successful in the world of Windows, Blackhat Search Engine Optimisation. Booby trapped web pages are created, designed to show up in the first page of search results for popular terms. Simply clicking the link to one of these pages is enough to start the infection process. The latest version has even worked out a method to bypass the requirement for the user to type an admin password in order to install. Affected users are presented with a professional look application and informed that multiple security issues have been discovered on their computer. Subsequently they are duped into buying a completely bogus piece of software to “fix” those issues, a tactic with which Windows users will be only too familiar. RSPlug and Jahlav have both been known to pose as video codec installers, another tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business that is now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign.  Also important is the fact that these malware examples are not single discrete files, they represent entire families of malware, where new variants are continually being released to defeat signature based detection.
 
These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple themselves may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.
 
For many years now Mac users have believed themselves to be invulnerable to malware, and have been encouraged in this belief by Apple themselves on more than one occasion, or ”Safeguard your data by doing nothing“. This complacency leaves many Mac users with the mistaken belief that either Macs are not vulnerable to malware, or that none exists for their platform or both, impacting their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.
 
Cybercrime and malware in today’s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would defintely be fair to say that as the Mac market share expands and the user base grows, so does its perceived potential to the cybercriminal. It’s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected only increases the attractiveness.
 

Twitter.Grader.com hacked?

Twitter Grader home page

Twitter Grader home page

  
UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:
http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

– Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

 
__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.
 

Example of affected accounts
Example of affected accounts (search by Twitscoop)

 
Fortunately the link that has been endlessly tweeted by grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.

 

The domain name of the destination site however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised.

 

Embarassingly the victims of this attack also include Dharmesh Shah, the founder of Grader
 

Dharmesh Shah on Twitter
Dharmesh Shah on Twitter

 
UPDATE: Hubspot, the parent company have tweeted that they are aware of the hack and working on a solution. In the meantime, if you are a Grader user, you may want to consider temporarily revoking Access to Grader in your Twitter profile via Settings -> Connections.

Facebook “Un Named App” scare leads to malware

A few minutes ago I noticed that a friend of mine had posted the following status to her Facebook profile:
 

Facebook status
Facebook status
 
Of course this got my bat senses tingling and I smelled a panic-inducing spiral of insanity brewing, so I thought I’d have a bit of a look around.

 

Nothing to worry about here as far as your Facebook is concerned, this does not appear to be a genuine malicious app. In fact a thread on Yahoo answers appears to demonstrate in a reproducible fashion that “Un named App” is nothing more than your “Boxes” tab on your Facebook profile page.

 

Beware though, there is still real risk attached to this Chinese whisper. Criminals have picked up on the concern among Facebook users (or possibly they were responsible for starting the rumour?) and they have already started to poison Google search results.

 

Google search result

Google search result

 
I queried Google for “facebook unnamed app” and the third result on the first page pointed to a malicious website set up for the purposes of distributing fake anti-virus software, this time called “Security Tool”. If you are unwary enough to click the link you will be presented with a dialogue box informing you that you have a huge number of infected files on your machine and prompting you to use Security Tool to clean them up. The software of course is no real security solution and is designed to fool the victim into parting with hard-earned cash.
 
Security Tool Rogue AV

Security Tool Rogue AV


 
 Always search with caution, especially when searching for terms of high current popularity. Using search trends and conversation trends to target malicious software is now a firmly established criminal modus operandi.
 
If you are worried about computer security and not sure where to click, you can always contact me directly. If you feel you may have been affected by this or any other scam, then I would advise you to go and scan your PC with a real security solution, our own free HouseCall service.