Graham Cluley’s blog
From anti-flappertanknibbles to zombies. Get inside the head of a computer security expert. If you like.
Internet Explorer loses ground to Firefox and Safari
Web analytics firm Net Applications is reporting that Microsoft Internet Explorer continued to stumble in its position as the world’s most popular web browser during December 2008.
Although Internet Explorer is by far the most widely used program for accessing websites, it has slipped from a 75% marketshare at the start of 2008 to 68.15% during December 2008.
Mozilla Firefox (21.34%), Apple Safari (7.93%), and Google Chrome (1.04%) all appear to be benefiting as users either choose alternative web browsers or run an operating system not supported by Internet Explorer (in other words, anything other than Windows).
What I always find interesting is to compare these usage figures, which are collated across a very wide spectrum of web usage, with what I see myself when I look at details of how people are viewing this blog. You could argue that the typical profile of someone reading this blog and accessing the Sophos website is rather more security conscious than the typical Joe User.

Browsers accessing Graham Cluley’s blog in December 2008
What’s clear from this is that Clu-blog readers are much less likely to be using Internet Explorer than their non-technical friends and family. Firefox, meanwhile, is teetering on the brink of being responsible for one in four of all visits to this blog.
We’re also seeing Chrome being more widely used by this audience, and we can expect to see Chrome make further inroads as versions for Unix and Mac OS X arrive during 2009.
Fascinatingly, Safari on the Apple iPhone is also making a small but beautifully formed impression on the chart, outgunning its Windows cousin.
Have IT teams tasked with security managed to convince their bosses to fork out for Apple’s lusted-for gadget? Perhaps blogs carrying security news are more likely to be viewed “on-the-move” outside of regular working hours, and so gizmos like the iPhone make a justifiable expense.
Why does any of this matter? Well, Sophos’s recently published Security Threat Report 2009 revealed the enormous role that web browsing plays in the successful spreading of malware today. As the web browser market shifts we can expect the cybercriminals to increasingly follow.
Of course, this already happens to some extent. In the past we’ve seen malware attacks embedded into websites that determine what web browser you are running - for instance, if it’s Internet Explorer they’ll serve you some Windows .EXE malware, if you’re running Safari they’ll give you a malicious Mac OS X .DMG file. Additionally, if an Internet Explorer exploit fails to find a successful playground the dangerous website may try a Firefox attack instead.
And in 2009, we expect to see more hackers exploiting vulnerabilities in code which runs alongside your browser, whatever your browser may be. So, expect to see more attacks trying to exploit loopholes in Adobe Flash, PDF reader plugins and the like.
Posted on January 2nd, 2009 by Graham Cluley, Sophos. Filed under: Apple, Malware, WWW
Classmates malware attack poses as school reunion invite
Remember the days of the old school yard? You may prefer to forget them, but many people are nostalgic for the days of grazed knees, poor food and double geography.
A new malware campaign seen in the last few days plays on the popularity of websites like Classmates.com and FriendsReunited, by posing as an invitation to an imminent school reunion.

Part of the email reads:
“Bring the gang from Our High School back together again!
Great party - from start to finish!”
Subject lines used in the malware campaign have included:
Classmates Reunion Soon - Your classmates Day
Classmates Reunion - Classmates Reunion - Special Preview Invitation
Classmates invitation - Reunion party Greeting Card.
Classmates Organiser Warning - Meeting high school and junior college classmates
Classmates Reunion Soon - [Class Reunion] Save the Date
This month we have chosen Reunion Day - January 2009!
Classmates Reunion Soon - Your classmates Day New Date.
Classmates Personal Invitation: Custom invitation
Invitation to preview new Reunion Classmates.
Important Classmates Day’s 2009
Clicking on the link doesn’t of course take you to the real Classmates website, but a bogus site which tries to fool you into installing an update to Adobe Flash to view a video invitation to your school reunion. Of course, the update is really a malicious Trojan horse designed to compromise your computer.
With many people returning to the office after the holiday break there is a danger that some will click on the link without thinking as they plough through their inboxes.
As ever, be wary of unsolicited emails, and if you are going to update software and plugins on your computer make sure you are getting those updates from the real, legitimate producer of the code, not a third party website that a hacker could have set up.
Posted on January 2nd, 2009 by Graham Cluley, Sophos. Filed under: Malware, Spam
Zune Leap Year bug under the microscope

More information about the non-virus problem which hung 30GB Zune MP3 players on New Year’s Eve has been uncovered.
It turns out that the problem is actually on the clock chip from Freescale embedded inside Microsoft’s music device.
As you can see in this post from the Zune Boards message forum, the flaw is in the programming logic. When the Zune reads its clock as it finishes booting up, it converts the time from its internal count (the number of days since 1st January 1980) into a more human-readable form.
And there’s nothing wrong with that, of course, unless the logic of the code is wrong and it enters an infinite loop when it happens to be the 366th day of the year.
By now, everyone’s Zune should be working properly again and have shaken off its brain freeze. But unless this problem gets fixed, owners of Zune 30 MP3 players will be frozen out of their music collections again on December 31 2012.
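To make the fault concrete, here is an added example (my own reconstruction for this post, not Microsoft’s or Freescale’s code) of the day-count-to-year loop as the post describes it, with a guarded version of the buggy loop beside a fixed one. The 1980 origin and the loop shape are assumptions taken from the description above.

```c
/* Added example: a reconstruction of the day-count-to-year conversion the
 * post describes, not Microsoft's or Freescale's own code. The loop shape
 * and the 1980 origin are assumptions taken from the post; the buggy
 * version gets an iteration guard so it can be run without hanging. */
#include <stdio.h>

#define ORIGIN_YEAR 1980

static int is_leap_year(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Buggy logic. On the 366th day of a leap year, days == 366: the loop
 * condition (days > 365) holds, but the leap-year branch only subtracts
 * when days > 366, so neither days nor year changes and the loop spins
 * forever. Returns -1 when the guard trips, standing in for the hang. */
static int year_from_days_buggy(int days)
{
    int year = ORIGIN_YEAR;
    int guard = 1000; /* added for the demo; the real loop had no guard */
    while (days > 365) {
        if (--guard == 0)
            return -1;
        if (is_leap_year(year)) {
            if (days > 366) { days -= 366; year += 1; }
        } else {
            days -= 365; year += 1;
        }
    }
    return year;
}

/* Fixed logic: exactly 366 days left in a leap year means we are on the
 * last day of the current year, so stop instead of looping again. */
static int year_from_days_fixed(int days)
{
    int year = ORIGIN_YEAR;
    while (days > 365) {
        if (is_leap_year(year)) {
            if (days > 366) { days -= 366; year += 1; }
            else break;
        } else {
            days -= 365; year += 1;
        }
    }
    return year;
}

/* Day count for a (year, day-of-year) pair, with 1 January 1980 as day 1. */
static int day_count(int year, int day_of_year)
{
    int days = 0;
    for (int y = ORIGIN_YEAR; y < year; y++)
        days += is_leap_year(y) ? 366 : 365;
    return days + day_of_year;
}

int main(void)
{
    int dates[][2] = { {2008, 366}, {2009, 1}, {2012, 366} };
    for (int i = 0; i < 3; i++) {
        int d = day_count(dates[i][0], dates[i][1]);
        printf("day %d of %d: buggy=%d fixed=%d\n", dates[i][1], dates[i][0],
               year_from_days_buggy(d), year_from_days_fixed(d));
    }
    return 0;
}
```

The buggy loop returns -1 (the guard tripping) for 31 December 2008 and again for 31 December 2012, while the day before and the day after convert cleanly in both versions.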
Posted on January 2nd, 2009 by Graham Cluley, Sophos. Filed under: Oddball
The five most popular Clu-blog posts of 2008
(You may want to read the first half of this countdown first)
Well, the tension is building as we get ever closer to revealing the most popular posting I made on this blog during 2008.
Fill your glasses, as I now reveal the final countdown and our winner…
5th. Stop viewing porn in Internet Explorer - for now
A vulnerability in the world’s most popular web browser is always going to be news amongst us techies. But when that vulnerability is being actively exploited by hackers, and Microsoft doesn’t have a fix for the problem, well… that begins to be mainstream news for the great unwashed public too.
Sophos experts saw many in-the-wild examples of websites struck by SQL injection attacks that then served up the exploit to vulnerable Internet Explorer users, and defended our customers against the threat.
Which leads us nicely on to the fourth most popular article on the Clu-blog during 2008…
4th. Microsoft to release emergency patch for zero-day flaw
Thankfully, Microsoft was able to produce a patch for the critical problem with Internet Explorer described above, but not before many internet users were potentially put in peril.
I can’t help worrying that there will be more examples of hackers exploiting zero day vulnerabilities in the 12 months ahead.
And so we’ve made it to the top three blog posts of 2008. And there’s one thing they all share in common - a video. So grab your popcorn and we’ll begin.
3rd. Bono’s private bikini party photos exposed by Facebook privacy issue
He may be no stranger to being top of the pops, but Bono’s brush with computer security only managed to get him into third place when it came to the most read Clu-blog posts of the year.
The Cuban-heeled crooner and anti-poverty campaigner was revealed to have been up to hijinks in St Tropez with a couple of bikini-clad teenage girls after they posted their private photos to Facebook.
We’re not sure that Mrs Bono was that impressed, and the general public hopefully learnt a lesson about the danger of sharing private data online.
2nd. Free Norton AntiVirus? Hackers disguise fake product to spread Trojan
As our recently published Security Threat Report revealed, scareware (also known as fake anti-virus software) has been one of the big trends of the last twelve months, with hackers attempting to frighten people into purchasing bogus products.
As this video and blog post revealed, the hackers have no qualms about using the names of legitimate security products to try and make their fortune.
Will we see more scareware in 2009? It seems inevitable.
And so, we’ve made it. Well done on getting this far.
With a fanfare of trumpets I can now reveal the most widely read story on the Clu-blog during 2008…
1st. Barack Obama Sex Video malware campaign

Well, when you think about it perhaps there isn’t that much surprise about Barack Obama malware coming top of our list of most-read stories on the Clu-blog. After all, he won that other popularity competition late last year.
Sleazy hackers tried to take advantage of interest in the US presidential race by claiming in a widely distributed email that Barack Obama had been captured in a sex video with a bunch of Ukrainian girls.
Clicking on the link did actually show you an excerpt from a homemade X-rated video, but it didn’t star Barack Obama.
Instead, curious election-followers had the Mal/Hupig-D Trojan horse insidiously installed onto their Windows computers.
Of course, the idea that a man putting himself forward for the post of president would be cheating on his wife is ridiculous, but that’s not likely to have stopped many users from clicking on the link out of curiosity.
In the days that followed we saw more attempts by hackers to infect computers by exploiting Barack Obama’s name, and no doubt we will see many more in the four years to come.
So, that’s it. You now know the most popular Clu-blog posts of 2008.
Since the Clu-blog started on 23 April 2008, I have made 319 postings (including this one). That means, there were a stonking 315 posts during the year.
2009 is likely to be even busier, so keep tuned and thank you all for reading.
Posted on January 1st, 2009 by Graham Cluley, Sophos. Filed under: Clu-blog, Data leakage, Malware, Round-up, Scam, Spam, Video, Web 2.0
The top ten Clu-blogs of 2008
So that was 2008. Roll on 2009.
I thought some of you might be interested in what the most popular blog entries on the Clu-blog were during 2008.
(Caveat: The blog wasn’t running for the whole of the year and stats weren’t collected for all of the time it was live to the public, so this may well be nonsense. But hey, it’s interesting nonsense. It will be better next year, I promise.)
So without further ado, let’s kick off proceedings in true beauty contestant style in reverse order, starting with positions 10 to 6.
10th. Do you really need anti-virus on your Apple Mac?
Oh, the furore that resulted as Apple wobbled back and forth over whether it should or shouldn’t advise Mac users to run anti-virus software.
I wouldn’t be surprised if we saw more rumbles around Apple Mac security during 2009.
9th. Results of McAfee-sponsored West Coast Labs anti-virus test
I try and keep self-puffery and the marketroids out of the Clu-blog as much as possible, although a few shameless plugs slip through the net.
However, this story proved popular enough to make it into our top ten articles of the year, presumably because it’s somewhat different from the typical good review.
What makes this test interesting is that the West Coast Labs tests were paid for by McAfee, one of our largest competitors. They make the review available for download from their website, but they didn’t come top according to West Coast Labs’ research.
Kudos to the guys at McAfee for not sweeping it under the carpet, and actually they didn’t perform badly in the tests.
8th. BNP membership list posted on the internet
When it was discovered that the membership list of the highly controversial British National Party, complete with names and addresses, had been published on the internet the resulting stampede of Googlers hunting for it came as no surprise.
This blog entry received a large amount of traffic although - as you can see in the blog post - we were careful to disguise the personal names and addresses of BNP members in the snapshot we published.
7th. London hospitals hit by computer virus
St Bartholomew’s (Barts) in the City, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green had their networks shut down after being struck hard by a variant of the Mytob worm.
Concerns were raised about patient confidentiality and the quality of care as some workers had to resort to using paper and pen.
Eventually the hospitals announced that they had remedied their security problem and were on the road to recovery.
6th. Your internet access is going to get suspended - NOT
Judging by the large number of page views that this blog post received, an awful lot of people received emails in the last third of 2008 claiming that they had committed “illegal activities” such as pirating software, movies or music. The emails went on to warn that recipients’ internet access would be suspended.
Opening the attached report was definitely not a good idea, however, as it contained malicious code designed to compromise your Windows PC, and hand control over to remote hackers.
When they’re not tempting you with nude pictures of Nicole Kidman or Angelina Jolie, they’re threatening to cut off your net access…
Now learn about the top five stories on the Clu-blog during 2008.
Posted on January 1st, 2009 by Graham Cluley, Sophos. Filed under: Apple, Clu-blog, Data leakage, Identity Theft, Malware, Round-up
Phishing scam money mule claims he was threatened by bank and police officials

An unemployed Indian man who claims he became unwittingly involved in a phishing scam says he was threatened by bank officials and beaten up by police investigators.
D Sakthi Kumar, a resident of Nanmangalam in Chennai, alleges that pressure has been put on him to pay the 50,000 Indian Rupees (just over US $1000) that authorities have accused him of stealing.
According to reports, Kumar claims that he received an email from a company called Rose Textiles, offering him the job of ‘payment officer’ out of the blue, if he allowed them to put money into his account which he would then (after skimming off a 5% payment) move to another account.
Seasoned readers of the Clu-blog will, of course, recognise that this is the classic story of the money mule. A phishing gang breaks into bank accounts and transfers money into an “innocent” third party account. They then request the third party, who may have no notion of what they are mixed up in, to move the money elsewhere - often making it much harder for the authorities to determine its ultimate destination.
No doubt the authorities are now investigating Kumar’s claims of intimidation and brutality, as well as whether he was an innocent party caught in the midst of a phishing scam or simply someone who saw an opportunity to make easy money.
But the message for the rest of us is to be extremely suspicious of unsolicited job offers that arrive in your inbox. You may find yourself an accomplice in a cybercrime ring, and the police may not be sympathetic when they come knocking on your door.
* Image source: The Untrained Eye’s Flickr photostream (Creative Commons 2.0)
Posted on January 1st, 2009 by Graham Cluley, Sophos. Filed under: Banking, Law and Order, Scam
Zunes crash - but it’s a bug, not a virus

Yesterday, December 31st 2008, owners of Microsoft’s Zune MP3 player found that their devices were freezing at start-up.
The internet was bombarded by reports from 30GB Zune owners, concerned that their MP3 player may have been stricken by an astonishingly delayed variant of the Y2K bug or something more sinister.
Grunfloz summarised the issue pretty neatly on the Zune.net forum:
From what I can tell it looks like every Zune 30 on the planet has suddenly crashed. Is this a virus? A glitch? A time bomb? A disgruntled Microsoft employee? Planned obsolescence to make us buy a new one? Or just a terrorist plot to drive the free world crazy?
The reality was, as normal, rather more down-to-earth. It seems when the boffins at Microsoft created the Zune in 2006, they didn’t tell it how to handle leap years properly. So when the last day of the next leap year came around in 2008 it got its knickers in a twist.
Microsoft says the problem will resolve itself as the date clicks around to January 1st in your part of the world. For more information read Microsoft’s FAQ.
By the way, happy new year everyone!
Posted on January 1st, 2009 by Graham Cluley, Sophos. Filed under: Malware, Oddball
Don’t be dumb in internet cafes in 2009
I was fortunate enough to spend the last couple of days wandering the chilly streets of Prague. It’s a beautiful city, and if you ever get the chance to visit I’d recommend it.
It was pretty strange though flying out of the Czech Republic as the last hours of 2008 ticked away. All the shops at the airport seemed to be shutting up by 4pm, presumably so the workers could get themselves utterly banjoed in readiness for the midnight New Year’s celebrations.
And this left the passengers on a delayed flight to Leeds kicking their heels with nothing to do but throng around the one remaining coffee bar that was still open.
Mattoni Bar at Terminal One of Prague Airport runs a neat little “buy a drink and use one of our internet-connected computers for free” deal. Naturally with hours to waste until their flight to Leeds, and with no retail therapy opportunities to distract people, the computers were all constantly in use.
With my BlackBerry out of juice, I quite fancied using one of the cafe’s PCs myself to check out the news online, but the most I could manage was some shoulder-surfing, and that - of course - is when I began to see some dangerous behaviour.

From my position in the cafe, I could see that one woman was booking a holiday through a well-known travel website, another was checking her HSBC bank account, and one chap was checking his Windows Live Hotmail account (before also checking his HSBC bank balance).
That was just what I noticed in less than 10 minutes. Who can tell how much sensitive information is entered onto these computers in a typical day? And, by the way, I’m not picking on this particular internet cafe, as similar scenes are probably playing out at every cybercafe in the world.
Computers in internet cafes can be tremendously useful and even entertaining if you need to while away some hours, but I would never use them to log in to my personal email account or check my bank balance. The fact is that you simply cannot be confident that an internet cafe’s computer, which may have been used by scores of different people during the course of the day, hasn’t been compromised and might not contain malware that is grabbing your details as you surf the web.
Fortunately for me I wasn’t flying back to Leeds, so I was able to catch my flight home without delay. But it also means I never did find out if those computers were compromised or not.
Don’t take the risk in 2009 - start acting more sensibly with public access computers.
Posted on December 31st, 2008 by Graham Cluley, Sophos. Filed under: Malware
Phishing with Google Calendar
As you know, one of the challenges that phishers face in defrauding you out of your username, passwords and - ultimately - cash is how to convince you that they are legitimate.
I’m indebted to Clu-blog reader Pete who sent me details of an unusual phishing email he received earlier this week, which goes further than many in attempting to pull the wool over your eyes.
Pete, who uses Google Calendar, received the following in his email inbox.
Unlike many phishing emails it included his real name alongside his email address, and looked identical to a genuine Google Calendar invite.
And that’s because it is a genuine Google Calendar invitation to an event (just like you might receive one to a friend’s barbecue or New Year’s Eve cocktail party). And sure enough clicking on the link in the email takes you to a “real event” in your Google Calendar, which it appears a number of other people have been invited to as well.
Part of the event invitation reads as follows:
THIS Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email so that you can verify and let us know if you still want to use this account.
The Calendar invite then encourages you to respond with your Google username, password and date of birth.
Remember, you really are on Google’s Calendar website. You haven’t been taken to a fake site posing as Google, but alarm bells should definitely be ringing in your head at this point.
It should be obvious to everyone that Google is very unlikely to send out an email of this nature, and that it wouldn’t ask you to confirm whether you wanted your account to continue by accepting an invitation on your Google Calendar.
Furthermore, is it really likely that Google customer service would have an email address like customerserviceXXXX@gmail.com (where XXXX is a four digit number)?
What’s happened here is that a scammer has created a Gmail account with the name “Customer Varifaction” (another spelling mistake which should have raised suspicion) and added these people as guests to an event designed to steal their credentials. Google itself has then sent the event invitation email automatically on their behalf, helpfully inserting the recipients’ real names.
As with any phishing email you receive on Gmail, you should report it as an attempt to phish information from you, which will help warn the security team at Google and help others.
Fortunately Pete has his wits about him, and didn’t fall for this phishing attempt.
Thanks to Fraser in SophosLabs who had a good enough memory to recall that the problem of phishing via Google Calendar was also encountered earlier this year, as this blog post by Philipp Lenssen describes.
Posted on December 29th, 2008 by Graham Cluley, Sophos. Filed under: Scam, Spam
Who needs spammers when you have the CIA pushing Viagra?

We’ve grown to think of spammers and other internet bad guys as finely-honed organised criminals, quick to use new avenues to make a quick buck, and rapid in their exploitation of breaking news stories and emerging trends.
It’s therefore surprising to me that we have seen spammers doing such a poor job at profiteering from an apparent virgin market for Viagra: Afghan chieftains.
According to a report in the Washington Post, the CIA has discovered a novel way to extract information from ageing Afghan warlords - supplying them with the sex-enhancing drug Viagra.
The report describes how, in one case, a warlord in his sixties with four younger wives was given four pills of the anti-impotence drug. Four days later he returned for more in exchange for detailed information on Taliban movements. The news story explains that often the CIA operatives need to explain the benefits of Viagra to their informants.
The CIA has historically often bought information with cash, but this can backfire if the informant is then seen surrounded by expensive goods or acts ostentatiously. On the other hand, Viagra - as the Washington Post so delicately puts it - “leaves little or no visible trace”.
So it seems to me that while much of the rest of the world is under near constant bombardment from spammers trying to tout Viagra and other sex-enhancement pharmaceutical drugs to us, the Afghan people have been largely left alone. I knew there had to be some silver lining to living in that troubled country.
Posted on December 27th, 2008 by Graham Cluley, Sophos. Filed under: Spam